Friday Squid Blogging: On Squid Intelligence

Two links.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

Posted on May 17, 2019 at 4:13 PM • 55 Comments


Ismar • May 17, 2019 4:43 PM

Thought I'd take advantage of my geo-location and post first in this week's Squid Blog.

This time it is something more personal and to do with a recent email exchange I had with Bruce (using the same email address provided while posting this entry).

Namely, immediately after exchanging an email with Bruce (which I have done numerous times over the years) and asking him for some assistance (which he was happy to provide despite his very busy schedule) I got locked out of my email account.
Message received from my email provider was that my email might have been used in a spamming attempt and it was therefore locked.

I have since managed to rectify and unlock my email using a combination of 2FA and additional verification mechanisms but the question remains if my email was indeed hacked and used to spam or are there other ways of impersonating email senders which would appear legitimate to the anti-spamming engines and such can be used to lock people out of their accounts (at least for a while)?

I am assuming here that Bruce did not simply report me (that would not make sense based on the exchange we had at the time) for spamming him :-).

Any comments are more than welcome ...

Steve • May 17, 2019 5:27 PM

Some email systems have the ability to lock accounts after X number of failed login attempts.

Also, gmail will use the IP address location as an indicator. gmail has issues when people use VPNs - well - google has issues when people use VPNs. A VPN doesn't help them track you and your data in the way they like.

My email server watches these attempts and after 3 failed attempts, we block the source IP, which is almost always from a country known for nefarious internet activities. We are aggressive with outside IPs, but also watch normal corporate LAN locations for failed attempts. We just don't block those IPs. Occasionally, one of our real users gets impacted by this policy. They have to connect through a VPN to regain access to their account.
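
The blocking policy described in the comment above, sketched as an added example (not part of the original comment and not that server's actual configuration). Only the threshold of three failed attempts comes from the comment; the log format, the corporate LAN range, the sample addresses and the reset-on-success rule are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# The threshold of 3 is taken from the comment. Everything else here
# (LAN range, log line format, sample data) is constructed for the example.
MAX_FAILURES = 3
CORPORATE_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # assumed LAN range

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>ok|fail) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

# Constructed sample log, not taken from any real server.
SAMPLE_LOG = """\
2019-05-17T16:00:01Z auth fail user=alice ip=203.0.113.7
2019-05-17T16:00:03Z auth fail user=alice ip=203.0.113.7
2019-05-17T16:00:05Z auth fail user=admin ip=203.0.113.7
2019-05-17T16:02:10Z auth ok user=bob ip=203.0.113.7
2019-05-17T16:03:00Z auth fail user=carol ip=10.20.5.9
2019-05-17T16:03:05Z auth fail user=carol ip=10.20.5.9
2019-05-17T16:03:09Z auth fail user=carol ip=10.20.5.9
2019-05-17T16:03:30Z auth ok user=carol ip=10.20.5.9
2019-05-17T16:04:00Z auth fail user=dave ip=198.51.100.23
2019-05-17T16:04:04Z auth fail user=dave ip=198.51.100.23
2019-05-17T16:04:09Z auth ok user=dave ip=198.51.100.23
2019-05-17T16:05:00Z auth fail user=dave ip=198.51.100.23
2019-05-17T16:06:00Z auth ok user=bob ip=192.0.2.50
this line is malformed and is skipped
"""


def is_corporate(ip):
    """True if the address falls inside one of the assumed corporate ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)


def evaluate(log_text):
    """Replay a log and return which sources end up blocked or watched.

    External sources are blocked at MAX_FAILURES failed attempts.
    Corporate LAN sources are only put on a watch list, never blocked.
    Attempts arriving from an already blocked source are recorded as
    dropped, including ones that carried a correct password: that is the
    "real user gets impacted" case from the comment.
    """
    failures = defaultdict(int)
    blocked, watch, dropped = set(), set(), []

    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # ignore lines that do not parse
        ip = m["ip"]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # ignore lines with a bogus address field

        if ip in blocked:
            dropped.append((m["user"], ip, m["result"]))
            continue

        if m["result"] == "ok":
            failures[ip] = 0  # assumption: a successful login resets the count
            continue

        failures[ip] += 1  # counted per source IP, whatever the user name
        if failures[ip] >= MAX_FAILURES:
            (watch if is_corporate(ip) else blocked).add(ip)

    return {
        "blocked": sorted(blocked),
        "watch": sorted(watch),
        "dropped": dropped,
    }


if __name__ == "__main__":
    for key, value in evaluate(SAMPLE_LOG).items():
        print(key, value)
```

In the sample, bob's valid login from the blocked address is dropped while his later login from a different address goes through, which matches the workaround of reconnecting through a VPN. Because the block is keyed on source IP rather than on the account, failed guesses from one address do not by themselves lock the account owner out from elsewhere.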

PDR • May 17, 2019 5:52 PM

Gmail in the Crosshairs
Google tracks a lot of what you buy, even if you purchased it elsewhere, like in a store or from Amazon.

Google's privacy page says that only you can view your purchases. But it says "Information about your orders may also be saved with your activity in other Google services" and that you can see and delete this information on a separate "My Activity" page.

Except you can't. Google's activity controls page doesn't give you any ability to manage the data it stores on Purchases.

Instead of Breaking up Facebook/Google, the EU May Force it to Share its Data
Margrethe Vestager, the EU’s competition commissioner, thinks competition has to be preserved for innovation to thrive, and that unregulated markets are prone to forming monopolies.
Vestager, whose directorate recently slapped Google with a $1.7 billion fine for alleged unfair practices in the online advertising market, thinks there’s a better way: She says it could be much more powerful and direct if tech titans like Facebook were required to give other companies access to important data [1].

“We think much more about access to data when it comes to, for instance, misuse of position of a monopoly,” she said. ”If you have no access to data, you won’t be able to make it in the market because you cannot access potential customers.”

[1] Yes! Open SensorVault data

The Love of Tariffs
The World’s most powerful man does not like The World’s richest man. In fact, to be blunt, the two hate each other.
The daily barbs at the Washington Post only exasperate the feud.
The latest 25% tariffs are also aimed to pester Amazon. Yet the subject goes unreported.

In response monopoly Amazon insists its small business owners largely eat the tax by only raising the price Amazon pays by a meager 3%. Fair is fair right?

India: Data is a National Asset
Others say India's objective is more far-reaching: to create a "China-like situation" where the barriers to foreign players "progressively become higher," said Nikhil Pahwa, a technology expert who has written extensively on Indian government policy.

The government sees "data as a national asset and control of the Internet economy as a nationalistic objective," he said.

Weather • May 17, 2019 6:26 PM

Back in the day you could log in to an email server and send mail as them, but not really wanting to look further up the link.
Now you can get other sites to do the forwarding,
Yes a diff email address was me.

Gunter Königsmann • May 18, 2019 1:31 AM

@Ismar: My mail addresses ended up on blacklists several times. Once because I mentioned 1000000$ and perhaps another typical spam subject on a mailing list which in turn sent the same mail to many dormant mail accounts, all of this being red flags. Once because someone spoofed my email address, once because someone sharing the mail server with me actually sent spam. Once because my computer used a non-resolvable domain name and once because a big telecommunications firm had a fight with my domain hosted. And once because I used a pre-alpha version of a mail client that did things you would expect from this mail client but that some spam checker knew my mail client wouldn't do. Normally it is this kind of thing that puts you on a blacklist. Wow... as I expect not all blacklists to tell why they list you I guess I got lucky to always have hit the right ones...

sad world • May 18, 2019 2:52 AM

Sorry it's not about security but rather squid safety: Octopus farming is ‘unethical and a threat to the food chain’: 'The group, led by Professor Jennifer Jacquet of New York University, argues that octopuses are highly intelligent, curious creatures. Farming them intensively would probably cause large numbers of deaths from stress. “We can see no reason why, in the 21st century, a sophisticated, complex animal should become the source of mass-produced food,”...'

The Pull • May 18, 2019 8:54 AM

florida election systems hacked in 2016 and fbi didn't report it to anyone, and they can not say if the databases were messed with or not


severe and really cool hack of some upscale cisco routers
mentions red balloon who are quickly gaining a reputation for being bad asses
remote root vulnerability, and they compromise trust anchor using fpga exploit
well worth a read if you are into bad asses hacks

Router bugs, of course, are so scary partially because if you compromise the router, you compromise everything downstream which is not encrypted (and everything poorly encrypted)

new details in AV hack, trend micro admits it was hacked

Clive Robinson • May 18, 2019 12:01 PM

@ The Pull,

Security researchers figured out how to remote control plans

Made me smile ;-)

More seriously Software Defined Radio (SDR) gave the EU regulators a very nasty turn back in the 1990's.

Up until then they had assumed that the R&TTE Directive and the regulatory framework it evolved gave them all the control they really wanted. The premise being using weird modulation modes would keep the likes of scanners that had come to the fore in the couple or so decades preceding firmly under control.

The first knock to their confidence was the "Digital IF and Demodulator" in the 1980's. That allowed the complex IF to be brought down close to baseband where even 8bit microcontrollers like the Z80 could digitally decode many very specialized narrow band modulation schemes.

For instance I was involved with the design of one[1] to use with the Diplomatic Wireless Services "Piccolo six tone" modems. The commercial equivalent from Racal (LA1117) was part of a 6U rack code named "Kaynard"[2] using several higher end 68K processors and weighing in at a struggle for a couple of fit soldiers and a lot of bashed up tables and door frames. The Z80 version we designed was tiny in comparison (see fig 6.b in [1]) as it was designed for "stay behind brick" teams usage not temporary Diplomatic Missions.

Shortly thereafter similar small low cost add ons were getting attached to scanners and other wide spectrum receivers.

However the real shocker was the Digital Radio Mondiale (DRM) Show when a couple of students demoed a board that was both a fully compliant receiver and also transmitter as well as several other modes including wide band FM Stereo not just for the 88-108MHz "Band II" standard but various different TV systems.

Since then as far as the CEPT baseband standards are concerned it's a cheap microcontroller board and a fast upload of software...

From now onwards even very broadband modulation systems are fair game for a cheap micro board. You can find on the Internet several "Web-SDR" systems that cover from under 2MHz all the way up well into the bottom of the centimetric microwave bands, for six or more simultaneous users.

So any modulation system no matter how complex unless it has Crypto Secure (CS) Grade Authentication is going to be fair game for spoofing.

The problem is way too few communications systems designers really grok what "CS Grade" really means in terms of "the whole system".



The Pull • May 18, 2019 4:57 PM

@Clive Robinson

Oh, I am all for thwarting people's remote control plans. ;-)

Just what I do...

I have a cheapo SDR system, and a more expensive one, which is portable and runs something like from 70mhz to 7 ghz -- been awhile, but has been very fun. Have thought up all sorts of projects, but never ended up putting much into usage.

Grew up with police scanners, then in the 90s enjoyed the time when everyone's phone was open and available. (I am horrible, I know, but what a golden age.) (Was similar to the golden age of hacking where you could just compromise anyone, my app: )

I have thought about either creating a fuzzing system for my SDR system, or a privacy enhancing tool. Also experimented around with some surveillance projects.

Some stuff that sounds cool is a jamming system for privacy, what do you think about that? Illegal as heck, but would be nice to make your own privacy bubble when you wanted to talk to someone out in a field.


PS Thanks for sharing your experience, you are a Serious OG (Old Gangster).

19 May 2019 00:00:00 • May 19, 2019 11:07 AM

First House Republican to "flip" on Trump regarding conspiracy or obstruction

"Here are my principal conclusions:
1. Attorney General Barr has deliberately misrepresented Mueller’s report.
2. President Trump has engaged in impeachable conduct.
3. Partisanship has eroded our system of checks and balances.
4. Few members of Congress have read the report."

19 May 2019 00:00:00 • May 19, 2019 11:25 AM

From comments "OldTulsaDude says:
May 17, 2019 at 1:44 pm

With impeachment and removal impossible due to a complicit Senate, the best strategy for a Democratic contender for the WH [white house] may be a promise of criminal prosecution for the deeds of Individual-1 [President Trump] once he is out of office. It is about time someone in a blue jersey makes the actions and consequences personal.

bmaz says:
May 17, 2019 at 1:53 pm

For the nine millionth time, the question is NOT about actual articles of impeachment being voted on and sent to the Senate for trial. That is now, and has been all along absolutely BOGUS disinformation.

The issue is merely opening an impeachment inquiry in order to solidify the House investigatory power with a direct Constitutional underpinning. When people, whether here or anywhere else, talk about the “impossibility” of removal by the Senate, they do the public and the Constitution a severe disservice. PLEASE stop doing this.
pjb says:
May 17, 2019 at 3:03 pm

Aren’t there really two important reasons for beginning a formal impeachment inquiry? One is clearly as you say, to “solidify the House investigatory power with a direct Constitutional underpinning” for purposes of maximizing the House’s position in Court to enforce its subpoenas. The other is to educate the electorate who cannot or will not read a 445 page single-spaced report or follow the ins-and-outs of emoluments cases, security clearance overrules or other of this President’s manifold abuses of office? People like to watch good tv shows, like impeachment hearings can be. Who knows, if done correctly, it might ultimately sway public opinion to the extent a Senate vote on removal might become feasible (even if that’s not the issue today)? Or soften Trump’s seemingly monolithic support within his party to encourage a primary challenge?
bmaz says:
May 17, 2019 at 3:42 pm

Oh, absolutely. But with the complete refusal of the Administration to comply with any oversight whatsoever, it is imperative to get that power immediately.
OldTulsaDude says:
May 17, 2019 at 4:52 pm

I agree that an impeachment inquiry is necessary, and the sooner the better. Regardless, political realities still apply.
bmaz says:
May 17, 2019 at 5:06 pm

I am of the opinion that the oath of office to defend the Constitution is not for only when it is politically expedient. Since the start of this Union, men and women have died to defend the Constitution..."

Faustus • May 19, 2019 12:24 PM

This boing boing post points to an interesting paper on how the source of a leaked "The Hateful 8" trailer was tracked down:

What strikes me is the paper's application of postmodern theory-speak to the subject of counter forensics.

Although I find Theory to be an interesting way to reveal hidden contradictions and hidden motives in cultural artifacts in service of freeing us from subtle control strategies (Monsieur Teste: "He had killed his puppet!"), in this case Theory doesn't seem to add much except the option of publishing in a Theory oriented journal.

JG4 • May 19, 2019 1:16 PM

@Faustus - A nice recipe for unobtrusive steganography. The threat model is that most of the mathematics PhDs in North America are actively working to defeat anything you might choose to do.

Big Brother IS Watching You Watch

Police Are Feeding Celebrity Photos into Facial Recognition Software to Solve Crimes Motherboard

Why parents should think twice about tracking apps for their kids Conversation

Big Brother Is Watching You Watch

Google uses Gmail to track a history of things you buy — and it’s hard to delete CNBC

Secret tracking device found in Navy email to Navy Times amid leak investigation raises legal, ethical questions Military Times

MarkH • May 19, 2019 1:38 PM

It will come as no surprise to regular readers of this blog, that Bluetooth is a rat's nest of security vulnerabilities.

Even so, I learned some interesting things from this Wired article.

1. The current standard is about 3,000 pages in length, and offers a bewildering variety of variants requested by manufacturers over the years.

Given that seemingly simple protocols from expert cryptographers, which can be described on one sheet of paper, have been found to have vulnerabilities, what can we expect? But ...

2. The God-awful complexity of the standard may have discouraged attackers so far, in a kind of Security By Obscurity.

The article offers an example:

... a smart padlock known as BoxLock. The device had been designed to use a Bluetooth Low Energy configuration called "Just Works Mode," which lets devices pair without any passwords or other cryptographic protections. As a result, McAfee researchers could connect to any lock, analyze the device's BLE commands, and discern which gave the unlock order. Further, BoxLock had configured this command to be in read/write mode, so once the attackers knew what to target, they could initiate an unlock. BoxLock has since patched the vulnerabilities.

Obviously, the product designers made dumb decisions. Even so, the complexity of Bluetooth made it easier for them to step into those holes.

A90210 • May 19, 2019 2:53 PM


"The Myth of Watergate ['The Watergate scandal was a major political scandal that occurred in the United States during 1972 to 1974, following a break-in by five men at the Democratic National Committee (DNC) headquarters at the Watergate office complex in Washington, D.C. on June 17, 1972, and President Richard Nixon's administration's subsequent attempt to cover up his involvement.' [1]] Bipartisanship" 2018

"Reporters and political commentators often express frustrated surprise at the steadfast support of President Trump from most Republicans in the House and Senate. But they shouldn’t — it has happened before. ..."


Martin • May 19, 2019 6:17 PM


President Trump was elected President of U.S.A. per the requirements of the constitution. After a $35,000,000 (cost was $10 / citizen) investigation was completed no legal charges have surfaced relating to how the election was conducted. He is the president. Please stop cluttering this security blog with your disappointment in the outcome of the election. To me it is not interesting or relevant. Thanks.

1&1~=Umm • May 19, 2019 9:31 PM


"After a $35,000,000 (cost was $10 / citizen)"

Hmm last time I looked the US population had passed 300 million...

MrC • May 20, 2019 1:41 AM


And last time I checked, the forfeitures from Manafort more than covered the cost of the investigation.

Clive Robinson • May 20, 2019 8:48 AM

@ The Pull,

Some stuff that sounds cool is a jamming system for privacy, what do you think about that? Illegal as heck, but would be nice to make your own privacy bubble when you wanted to talk to someone

The problem with jamming systems is the power per Hertz of bandwidth. Put another way a jammer with 1kW output across 100MHz is 10W/MHz or 10mW/kHz which is well below that of a Hand held Two (HT) way radio that you can pick up for $30 or less.

It's actually not that difficult these days to make a 1W Frequency Hopping transmitter that using appropriate digital techniques only uses around 1.2kHz bandwidth to give acceptable audio that jumps around a 100MHz block of the UHF band very easily.

With the likes of small drones and shotgun mikes talking in a field is no longer the place to get privacy. Your best bet would be along the lines of a fairly deep hole in the ground. So meeting at a preagreed spot in the sewers or other underground tunnel system that does not have cables could be a better bet.

Another possibly better way might be to use "full head" motorcycle helmets with in ear canal ear pieces, and no voice throat mikes. You can buy such equipment fairly cheaply for use as "Motorbike pillion intercom" currently so it does not look out of place.

If you can not get throat or whisper mikes then you may need to add a random vibrator to the hard shell of the helmet. To stop the use of various types of laser mic etc to try and pick up the audio from the helmet hard shell, actually riding a motorbike down twisted lanes with over hanging trees, bridges, cables etc would also help.

Getting privacy is getting harder day by day as new technologies become available to those looking to invade it. As a result your tactics have to change to keep ahead.

As for jammers being "illegal" it's one of those awkward questions to answer. The actual answer in the main is not only jurisdiction based but often not technical but boils down to "state of mind". For instance an old style car ignition coil and mechanical points, will if the capacitor becomes disconnected become a fairly effective very broadband noise transmitter... Likewise any equipment operated inside your own property borders is again likely to be not illegal.

As with many things where technology and law collide the legislation often makes little sense to anyone, thus the law has to be tested by argument and such arguments become guidance for the future. In the US the DoJ and FBI frequently play "tag team" to bend the legislation by bringing court cases where the defendant can not go through refuting legal argument. It's most certainly an abuse of process and one many are aware of but look the other way...

The Pull • May 20, 2019 9:28 AM

@Clive Robinson

Oooh, cool stuff, thank you for the tips. (I am not a spy, nor a criminal. But, if I was either, I would be a good guy, not bad.)

I can see where someone would have the wrong idea about me, though I do not work anywhere special, and my work is very boring and not interesting.

But, I have noticed some unusual flight maneuvers when I go outside my regular routine, such as going to see a movie, or going to a mall, or something.

So, this can be useful as a sanity check. To flush out surveillance, and to get some alone time.


Patriot • May 20, 2019 10:05 AM

@ Martin

You are exactly right: this is not the place for sour grapes about politics. If one wants to spew some vinegar, there are plenty of zoos to visit like the Washington Post's website. They make money from conflict; it's tiring to even watch.

I like the Cryptography Stack Exchange website, but that is not the place for personal opinions. This blog fills the void: if we have an opinion to voice about security, we can do it.

I don't have any security news tips this week, but my computer was hacked--a rootkit--and that was big security news to me. Using Fedora 29, rkhunter skipped a few tests, and I did some digging: deleted log files, privilege escalation, a hidden port, a packet sniffer.

Maybe the cryptography that I do raised some attention.

Lomax • May 20, 2019 11:01 AM

I'm certain Mr. Schneier must know about this already but other forumites might want to read this.

Online account hijackers received a taste of ironic punishment this week. KrebsOnSecurity has learned that hackers stole the database from the popular hijacker forum OGusers on May 12th, obtaining email addresses, hashed passwords, IP addresses and private messages for nearly 113,000 forum users.

The story is on

albert • May 20, 2019 1:23 PM


"...Likewise any equipment operated inside your own property borders is again likely to be not illegal...."

Not true in the US. Any interference in regulated frequency bands*, whether intentional or not, is subject to action by the FCC, regardless of your location.

Old tech auto spark coils were fine broadband noise generators, especially with non-resistive spark plug cables:) Better results could be gotten by attaching long wires to a spark plug cable. NOTE: Illegal, only use in an emergency for a simple SOS transmitter (which may have happened, ICR).

* last I checked, below ~20Hz was OK, as well as above very high GHz ranges.
. .. . .. --- ....

Martin • May 20, 2019 3:42 PM


Yes "After a $35,000,000 (cost was $10 / citizen) investigation..." should have been typed as "After a $35,000,000 (cost was $.10 / citizen) investigation..."; decimal points are important and I screwed up. The $.10 is a round number assuming there are 329 million U.S.A. citizens.

"The current population of the United States of America is 328,818,145 as of Monday, May 20, 2019, based on the latest United Nations estimates." per

The point was the investigation was well funded and extensive.

The Pull • May 20, 2019 4:52 PM

@Clive, @albert

"Not true in the US. Any interference in regulated frequency bands*, whether intentional or not, is subject to action by the FCC, regardless of your location."

I am aware of that.

Clive's advice on ways to break surveillance helped me, though. Let me know if you know any clever methods, Albert. :-)

I have seen some evidence I may be under surveillance. I have worked for the government, and been involved in some things which could cause another gov agency, or a foreign agency to target me. If I still worked for the gov, I would not be requesting outside assistance. Heh heh. :-)

Really, just need to do a sanity check. Something to force them to change methodologies and give me more visible evidence.

As noted, I have seen some seeming evidence when breaking my regular schedule and going to places like movie theaters or malls. Which seems maybe "more than just my imagination". Though, I can not fathom how anyone would spend resources on me.

I am all too happy to have them waste their time on me, and resources, if that is the case.

Just as long as they do not put a video camera in my bathroom, anyway. ;-) :P


albert • May 20, 2019 6:17 PM

@The Pull, @Clive,

I guess a Cone of Silence is out?

Any interference with regulated frequency allocations is illegal, so I wouldn't recommend it. I believe that the FBI (and probably other TLAs) have devices to block/interfere with cell phone traffic in certain localized 'emergency' 'incidents'.

As communications move toward the low infrared bands, signals begin to behave more like light, and less like radio waves. It's possible that a maser-like system could collimate microwave beams to thwart interception. No doubt research has been done on this.

What you can do legally. Sweep the house and vehicles for tracking/spying devices as a first step. Cell phones can be tracked easily by LE, so use a burner. Those aren't illegal. It would be interesting to have a couple of friends follow you to see if you're being followed. Collecting license numbers would be a start. They wouldn't be breaking the law. If they were stopped, it wouldn't be by the trackers, that's for sure. It would be by regular uniformed police. If they haven't broken any traffic laws, it would be a dead giveaway.

Don't forget, it's not only the gov't that tracks people.

Perhaps it's only paranoia on your part.

Hopefully, it's not a case of what Paul Krassner calls "Reality Paranoia", "when you think people are out to get you, and they really are!"

P.S. I got paranoid and deleted several paragraphs :)
. .. . .. --- ....

Patriot • May 20, 2019 7:05 PM

@ The Pull @ albert

We must be very careful with jamming (denial), with monitoring or using certain frequency bands, and with sending encrypted radio messages, especially in and around Airstrip One (Great Britain) and the City on a Hill (U.S.A).

It is not just that some of this stuff is illegal in many countries: it can be a felony. For example, it is a mistake to buy a scanner in one country and stick it in your luggage to take back home. If that scanner sweeps unauthorized bands, then you may have just committed a felony, depending on where you live.

Tell people who want to have fun with RF to just go down to their local radio store and buy a scanner--it is likely to be compliant with local laws. And tell them to buy an engineering phone if they want to look at GSM towers, etc. (and the fake ones that pop up).

Anyone who does jamming for fun leaves a significant trail of metacontent, one way or another, and special law enforcement teams exist in many countries whose function is to find people who are jamming, transmitting, or collecting illegally.

The Pull • May 20, 2019 8:35 PM


There's a few apps for android which can give you a ton of diagnostic cell tower info, which the android api gives access to. Forget the name of the app I used to use, but it would nicely plot out locations of all nearby cell towers and provide a lot of diagnostic info.

On legality of jamming, I was simply aware it is something the FCC would not like you to do, without the appropriate license.

And, yes, with my SDR kit, I can get some cell tower software going, but would also research the laws there, if I thought about doing so. I have some leeway in these matters being a verifiable "security researcher".


Yeah, in my case, I have had China fixate on me for a few reasons. I am in the States, so it is not legal for them to surveil me. Therefore, it is a non-stressor for me. More of a curiosity.

And, like I said, sanity check.

I think it would be funny if they were researching me, as I do absolutely nothing serious in my current job, nor in most of my former jobs.

The Pull • May 20, 2019 8:48 PM


I should add, as a disclaimer, I am *not* up on all the laws and regulations, and obviously only intended to get lawful examples. I was thinking of a jammer as some sort of system that might be lawful to use in the country, or in a parking garage, etc sort of scenarios. (ie, where there shouldn't be anything sending and receiving, so you would not be blocking anything).

As I am lazy, Clive's suggestions for blocking such theoretical bugs and long distance mics I instantly grabbed onto as possibilities.

What is a cone of silence anyway? (Without me googling it...)

Patriot • May 21, 2019 2:35 AM

This latest climacteric in the conflict between the current U.S. administration and Huawei may bode well for news junkies. No matter which way it goes, there are huge security implications.

It's a very unwelcome escalation in the brewing hostilities between the two nuclear-armed states. It is as if the world will have a choice as to where its data will go for analysis: Maryland or Shanghai, Google or Huawei. Some people do not want to hear about the battle of civilizations, but here it is folks: there can only be one.

This is a big deal. This is a new stage in the Crypto War, the Meta Crypto War, a fight to see who gets to backdoor everything and snoop on you as you play Candy Crush or Chinese checkers. Let's see: Google follows U.S. pressure even with the open hostility between Google's executives and the current U.S. president. Google can kiss their influence and business in China good-bye. $o, how can thi$ be explained? How could Google, who are the $alt of the earth, give up their hope$ of leading in China?

I simply cannot wait for the leak to come about Google-Ft. Meade (if such collusion really exists--is water wet?). That would be a torpedo into Google's titanic and blithe control of the earth's data.

There are two sides to this story: yes, the security concerns about Huawei are genuine and substantial, but on the other hand we have a greedy vampire squid called Google that should not be given a freer hand to spy upon, and manipulate, so many people with such impunity.

Patriot • May 21, 2019 3:00 AM

Here is how Huawei's loss of Android is going to affect people.

WeChat just became more important. They run third-party apps inside Android, and these are widely used in the PRC, especially on phones such as the OPPO. Inside the PRC, people enjoy very nice services on WeChat, and basically everyone has it. It is how most people pay for things (via QR codes), how they communicate (audio, video, messages, share files), how they send money to each other (red packets or transfers), how they order food, and how they get a taxi or find their location on a map. WeChat is also used in South Korea and it is big in some smaller countries such as Laos.

This pressure on Huawei is unlikely to have much of an effect in the PRC, and that, of course, is a gigantic market.

Patriot • May 21, 2019 3:06 AM

Here is how Huawei's loss of Android is going to affect people.

WeChat just became more important. They run third-party apps inside Android, and these are widely used in the PRC, especially on phones such as the OPPO. Inside the PRC, people enjoy very nice services on WeChat, and basically everyone has it. It is how most people pay for things (via QR codes), how they communicate (audio, video, messages, sharing files), how they send money to each other (red packets or transfers), how they order food, and how they get a taxi or find their location on a map. And it is their social media. WeChat is also used in South Korea, and it is big in some smaller countries such as Laos.

This pressure on Huawei is unlikely to have much of an effect in the PRC. Most people in the PRC will probably not notice, but on the other hand this might be akin to the Tesco-Lotus crackdown that happened some time ago. One wonders if this will spread to Apple.

Apple does good business in the PRC; it has many shops. Many people are proud of their pricey Apple phone. I would not be surprised at all to see Apple get the axe in the PRC because of this attack on Huawei, which is how a lot of Chinese folks will see this.

1&1~=UmmMay 21, 2019 3:47 AM

@ Patriot:

"This pressure on Huawei is unlikely to have much of an effect in the PRC."

Huawei is the world's second largest supplier of Android phones, after Samsung; to both companies the US market, whilst important, is not as significant as the US politicos like to think it is. However, as you note, China is an increasingly important market to US companies including Apple.

But perhaps less well known is the 'licencing' Huawei pay to a large number of US companies some of which are actually quite dependent on Huawei for income, which the US Gov has in effect chopped off from US companies...

If the US is not careful it's going to start to paint itself into a corner. When Trump and Co say 'Our way or no way' or the equivalent they are likely to find the 'No way' option will hurt them rather more than they expect.

Especially as it looks like Huawei have already taken steps to design out US technology, due to earlier rumblings,

One thing that keeps coming up with 5G is how the FCC are pushing the upper ends of the Microwave spectrum, yet other countries are not. Contrary to what the politicos might have been told about 'US leading edge research' at those frequencies, it does not matter. Those frequencies are not really suitable for 'mobile' use. Which means a fall back to 3G/4G and LTE for the foreseeable future...

Whilst the US appears to be trying particularly hard for a Pyrrhic victory they are also becoming increasingly isolated. When 'the cows come home' on this in the US economy the current administration will not be there (two term rule).

But one thing you can be sure of is that other nations such as India are not going to sit idly by waiting for the dust to settle, they will out of self interest take steps that will result in the loss of more US jobs etc to them and not just in software.

A90210May 21, 2019 11:51 AM

@MrC, Martin, Patriot, 1&1~=Umm

As some of you may know, as of around 12 February 2019, the Mueller investigation was 'in the black'.

28,600,000 Approx. Fines, forfeitures, and restitutions
25,500,000 Mueller costs
03,100,000 (USD)

Of course, Mueller is still working for the USG. Perhaps on the Mystery Appellant or Roger Stone associate Andrew Miller stuff [1], but nobody, at least in public, seems to know what he is up to.

"From Courthouse News Service by Britain Eakin:

Challenging the lack of cooperation by former Roger Stone associate Andrew Miller, prosecutors told the D.C. Circuit Thursday that the grand jury that worked with special counsel Robert Mueller still needs Miller’s testimony.

Filed this morning by the U.S. Attorney’s Office for the District of Columbia, the government’s 21-page opposition brief indicates that the grand jury empaneled by Mueller is likely still working, and that more criminal charges related to Miller’s testimony are possible.

The grand jury working with Mueller had subpoenaed Miller in May 2018 for testimony concerning Stone’s relationship to WikiLeaks, its founder Julian Assange and Guccifer 2.0, a fake persona ..."

Misc. links:

Mueller Report (searchable) ; PDF, 150 MB, and somebody once said, AFAIK, perhaps read at least the two: Introductions, Conclusions and Executive Summaries (or search using your favorite keyword(s)) ; Mystery Appellant, February

FaustusMay 21, 2019 12:39 PM

@ Patriot

I am curious about your Fedora 29 hack. Have you identified the route of infection?

Do you load software outside of the main repos? Do you use security software like noscript and https everywhere on your browser? Do you use browser add-ons beyond these? Do you share usb drives between machines or with other people?

What port was the malware using? How did you determine there was a key logger?

I am always looking for new things to look for in my network security system. I appreciate any information you can share.

Sherman JayMay 21, 2019 2:19 PM

@ Patriot @ Faustus

I was concerned by the report of rootkits in Fedora 29. In checking other resources, it seems that rootkits, while not common, do attack Linux. Trying to be careful without jumping over the line into paranoid, I've changed my junker, air-gapped Internet computer. It now runs from an eccentric CD version of linux. When I turn it off, everything evaporates (I hope and believe).

We now truly seem to be besieged on all sides:

And, recently I've been getting more phishing phone calls about phony insurance premiums, phony first-responder non-profits I need to support (just give us your credit card number - to paraphrase the Crapital-One TV ad "who's in your wallet"), and 'Bill Gate$' called to warn me my Windows computer was infected over the internet. I'd laugh if it weren't so serious a threat to some 'less informed' people I've had at my clinics.

A90210May 21, 2019 5:28 PM

"... You devote a chapter to the formation of belief – how our genes, traits and experiences shape our views. Does this mean genes play a role in our political views, say whether we’re a leaver or a remainer?

Hannah Critchlow: There have definitely been studies that have looked at different brain profiles associated with ideology. People who are very conservative seem to have a much larger volume and a much more sensitive amygdala – the area of the brain that is involved in perceptions of fear. People who are more liberal seem to have a greater weighting on the region of the brain that is engaged in future planning and more collaborative partnerships. They don’t seem sensitive to immediate threats; instead, they are looking to the future. What we see in propaganda through the centuries is that if you heighten someone’s fear response using environmental manipulation, you are more likely to make them vote in a rightwing way.

So what does neuroscience tell us about how you might go about changing someone’s mind or winning an argument?

Hannah Critchlow: It’s very difficult. Once you have built up a perception of the world, you will ignore any information to the contrary. Your brain is already taking up about 20% of your energy, so changing the way that you think is going to be quite cognitively costly. And it might be quite socially costly too. ..."

A90210May 21, 2019 5:52 PM

"... [Representative] Amash joins more than 900 former federal prosecutors, from both Republican and Democratic administrations, who believe Trump’s behavior, as outlined by Mueller, would have resulted in “multiple felony charges for obstruction of justice” were he a private citizen and not the president of the United States. [1] Conservative law professor J.W. Verret, a former member of the Trump transition team, has written how the “elaborate pattern of obstruction” uncovered by the report is, at a minimum, enough “to get the impeachment process started. [2]”



"Thanks to Facebook, Your Cellphone Company Is Watching You More Closely Than Ever" ; Scahill 10 minutes
"Four Simple Steps the U.S. Media Could Take to [try to] Prevent a Trump War With Iran"

A90210May 21, 2019 6:02 PM

Does anybody have any thoughts, preferably security related, about elections: EU, Brexit, Austria, Australia, Philippines, India, or other?

name.withheld.for.obvious.reasonsMay 22, 2019 12:22 AM

Reviewing the documents from the most recent ACLU FOIA requests, Savage NYT FOIA Bates MCT Third Tranche [Part 1], suggests that the FBI or other LEAs have engaged in behavior that is clearly problematic and suggests that the FBI will do the right thing (Right!). In criminal cases, federal or otherwise, the review or monitoring of "privileged communication" between parties is supposedly honored by their claimed minimization procedures.

There are three interesting components of this clause: the words back up and back-up; the fact that deleted is not deleted; and that retrieval of these communications can be allowed. This is troubling in that the government can suppress evidence that law enforcement officials may be in possession of privileged communications, given that FISC orders are not subject to discovery. This is the subversion of independent counsel for individuals charged by the government in a legal proceeding. In short, the government reserves the right to cheat a citizen charged by the government. This is exactly what the framers were afraid of: the use of unlimited resources targeted at individuals makes the citizen a subject (ironic). The American Bar Association should be up in arms (and torches) about this legal subversion.

This seems highly suspect in that the following caveat is provided for (page 20, privileged communications minimization procedures):

"Any electronic versions of the privileged communications that are not available to any end user but are available to a systems administrator as an archival back-up will be restricted and destroyed in accordance with normal business practices and will not be made available to any other person except as permitted by the FISC. In the event the FBI archival back up data is used to restore an electronic storage system, the FBI will ensure the previously deleted privileged communications will not be accessible to any user and will be deleted from any restored system: and"

name.withheld.for.obvious.reasonsMay 22, 2019 12:31 AM

These continuing convolutions, convulsions, and contradictions of jurisprudence and legal efficacy, legal and court procedures, and the re-writing of basic concepts in law are downright depressing. My ability to remain hopeful that the government will engage the citizenry in an honest and faithful manner is waning. The primacy that government is claiming over the citizen is making a mockery of citizenship. The core legitimacy of governance relies on its citizenry, and when the citizen is no longer valued or honored, what basis or claim can government make, either to itself or to the people it claims to govern?

Our republic, Mr. Franklin, is not recognizable--so we didn't keep it.

Clive RobinsonMay 22, 2019 4:20 AM

@ Sherman Jay,

"Trying to be careful without jumping over the line into paranoid, I've changed my junker, air-gapped Internet computer. It now runs from an eccentric CD version of linux. When I turn it off, everything evaporates (I hope and believe)."

The way things are going you have to start asking "Can you be paranoid enough to stay free?".

It's fairly clear that Gluegle are subverting not just browsers but internet standards, to make "collect it all" their primary mission. Then there is Peter Thiel and Palantir with its database on everyone. Whilst there was a lot of noise about Facebook and Cambridge Analytica, they were but one of many corporates recording not just every word you type, but in the case of some such as Glugle even the biometric of your typing cadence. Then there are the Internet Service Providers, that are now not just recording but actively tagging your data packets...

There is a long list, possibly including your employer spying on you, before we even get to talk about SigInt agencies and Law Enforcement.

Many years ago, before such spying started, I realised that I could not keep up with the tricks malware writers and others were coming up with. Thus I decided to segregate all my personal work computers from any kind of publicly available network. As WiFi became available, I decided not to play because as far as I was concerned, the fact you could monitor it on the street outside "made it public". Some years later, as we know, Glugle cycled by recording all the WiFi IDs etc...

Looking back, I can see other areas where at the time I thought I was being a bit extreme, but with hindsight I now know I was perhaps not paranoid enough. Especially since the old joke about a ton of concrete and the Challenger Deep in the Mariana Trench is now not sufficient. As you may have heard, back in April Victor Vescovo achieved a new record descent to 10,928m / 35,849ft, becoming the first person to dive the Challenger Deep twice; thus it's now a "tourist spot" and people will be taking anything that's not nailed down, including that supposedly secure computer ;-)

The point being technology makes fools of us all given a little time, and trying to stay even moderately secure is increasingly difficult. Especially when so many people think they can make a fortune out of any data they can grab.

It's the reason why I have no IoT in my property nor will I have for as long as there are other ways. Likewise "smart meters" and the like. After all, do I really need my data going more than half way around the world to China and back again?

GeorgeMay 22, 2019 4:53 AM

@Clive Robinson wrote, "It's fairly clear that Gluegle are subverting not just browsers but internet standards, to make "collect it all" their primary mission. Then there is Peter Thiel and Palantir with its database on everyone. Whilst there was a lot of noise about Facebook and Cambridge Analytica, they were but one of many corporates recording not just every word you type, but in the case of some such as Glugle even the biometric of your typing cadence. Then there are the Internet Service Providers, that are now not just recording but actively tagging your data packets..."

Interesting revelations. There must be a list of pros and cons of surveillance orchestrated from different perspectives.

As Facebook probably concluded years ago, the most realistic profiles lie in our mobile computing usage. As the amount of bandwidth and data exponentially increases due to mobile innovations both technically and socially, the surveillance folks of various purposes may eventually run into a laws-of-physics problem. At the moment, tagging data packets appears to be the most future-proof solution. IMHO

WiskersInMenloMay 22, 2019 5:39 AM

Is there a way to have secure voting and privacy?

A secret ballot by its nature is nearly impossible to audit.
Digital systems are opaque to audit by individuals without a CS degree.
Thus the ballot itself needs to be a physical thing that can be managed by humans. Yet like cash money transactions it is still hard. Chain of custody systems for evidence are a model for managing the physical media.

Tabulation of the ballots quickly requires automated tools. Automation can be done by multiple reader systems for redundancy. Two teams, two vendors, single data source.

But how does voter Bob know his ballot was or was not in the ballot box?
How does a court prove tampering?

Should a reader at the polling site scan the ballot and print a cryptographically secure hash of the ballot? Should the ballot have random boxes the voter can mark to help generate a hash not reversible to votes cast? Can a check system then verify the hash at a later time?

Perhaps boxes spanning perforation lines so a set of pages is doubly linked to a ballot receipt. And none of the tiny #2 pencil tiny box marks of 50s tech ..

Ballot readers should be multiple purpose. i.e. reader and ballot design should be robust and simple enough for schools to use for routine multi choice tests.

Bingo card and Keno tickets are interesting hand mark on paper models.
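
An added illustration of the hashed-receipt question raised in the comment above (not part of the comment and not any real voting system's code): it shows why a bare hash of a ballot can be reversed by enumeration, and how voter-supplied randomness prevents that while still allowing a later check. The contest layout, the encoding and all function names are assumptions made for this sketch.

```python
import hashlib
import hmac
import itertools
import secrets

# Constructed sample contest: three races with a few choices each.
CONTESTS = {
    "mayor": ["A", "B", "C"],
    "council": ["D", "E"],
    "measure_1": ["yes", "no"],
}

def encode_ballot(choices):
    """Canonical encoding so the scanner and the later checker hash the same bytes."""
    return ";".join(f"{race}={choices[race]}" for race in sorted(CONTESTS)).encode()

def receipt(choices, nonce=b""):
    """SHA-256 receipt; `nonce` stands in for the voter's random box marks."""
    # The length prefix keeps the nonce/ballot boundary unambiguous.
    return hashlib.sha256(bytes([len(nonce)]) + nonce + encode_ballot(choices)).hexdigest()

def recover_votes(target_receipt):
    """Reverse a receipt that has no nonce by hashing every possible ballot."""
    races = sorted(CONTESTS)
    for combo in itertools.product(*(CONTESTS[r] for r in races)):
        guess = dict(zip(races, combo))
        if receipt(guess) == target_receipt:
            return guess
    return None

def audit(published_receipts, choices, nonce):
    """Later check: recompute from the opened ballot and nonce, then look it up."""
    mine = receipt(choices, nonce)
    return any(hmac.compare_digest(mine, r) for r in published_receipts)

def demo():
    bob = {"mayor": "B", "council": "E", "measure_1": "yes"}
    unsalted = receipt(bob)              # hash of the votes alone
    nonce = secrets.token_bytes(16)      # 128 bits of voter-side randomness
    salted = receipt(bob, nonce)
    board = [salted]                     # receipts published after the election
    tampered = dict(bob, mayor="A")
    return {
        "unsalted_reversed": recover_votes(unsalted) == bob,
        "salted_reversed": recover_votes(salted) is not None,
        "audit_ok": audit(board, bob, nonce),
        "audit_tampered": audit(board, tampered, nonce),
    }

if __name__ == "__main__":
    print(demo())
```

A receipt that a voter can open this way also lets the voter prove a vote to someone else, which is the usual tension between verifiability and ballot secrecy in such designs.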

Bob PaddockMay 22, 2019 7:06 AM


"If the US is not careful it's going to start to paint itself into a corner. When Trump and Co say 'Our way or no way' or the equivalent they are likely to find the 'No way' option will hurt them rather more than they expect."

Something overlooked by most everyone is that modern technology requires quantities of Rare Earth Oxides. China is the only source of these Oxides.

A recent issue of Coal Age magazine went into the details:


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.