Friday Squid Blogging: Possible New Squid Species

NOAA video.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

Posted on June 7, 2019 at 4:18 PM • 98 Comments

Comments

IrritatedJune 7, 2019 4:49 PM

Friend of mine recently mentioned that in order to sign up for electricty, had to give up the SSN for a credit check. Seriously? A credit check to get electricity? How many people, living near civilization, apart from the Amish, choose not to have electricity?

Fought this battle with an ISP. To add someone to the account and authorized to make changes, they wanted a SSN. Keep in mind the account hadn't been under contract for a long time. I refused - and won.

It's bullcrap if you ask me. I thought legislation was supposed to prevent using it for ID. I refused at a walk-in medical center. They said it wasn't necessary - that it just helped with insurance. Refused at a chiropractic office - oh, they said it wasn't needed. Then why have it on the form?!

JohnJune 7, 2019 5:47 PM

Goals
Prevent the California Consumer Privacy Act from Taking Effect Jan 2020
Enact American Social Credit System to harmonize with Chinese Social Credit System by 2025

Bait -The Rush to Regulate
It was recently posted Facebook stupidity[1] had reached an even higher outrageous level:
‘Two-faced Zuckerberg told shareholders that Facebook was becoming a “privacy-focused social platform.” Yet just hours before Zuckerberg reassured investors about Facebook’s commitment to privacy, his own lawyers argued in court that “there is no privacy” on Facebook. ‘

In reality this is a dastardly plan to rush through national loop-hole anti-privacy legislation before 2019 ends.
Previously Silicon Valley lobbyists authored self-serving legislation for Europe and India [2]. It now targets CA and Congress.

Their primary goal is to weaken and override the CA privacy law before it takes effect January 2020.
The longer it takes, the higher the risk of government intelligently legislating their core data-mining operations. If Mark's latest ploy is successful, no one will even have had time to read it!

Mark and Sheryl have successfully feigned stupidity for twenty years[3]. Enough is enough.
In spite of the former colleagues turned Lobbyists, Congress should take its time to study the CA law and also network with GDPR court cases and EU data regulators.

For the bipartisan effort to succeed, the overriding objective is to prevent Silicon Valley from enacting an dystopian American SOCIAL CREDIT SYSTEM [4][5][6].
Tech Giants Amass a 238 strong Lobbying Army for an Epic Washington Battle https://www.nytimes.com/2019/06/05/us/politics/amazon-apple-facebook-google-lobbying.html

Trump’s Big Tech Bluster
The administration’s chief antitrust enforcer is Silicon Valley’s champion. On top of granting tech platforms huge windfalls in his tax reform law, Mr. Trump appointed a friend of big tech, Makan Delrahim, to lead the Antitrust Division of the Department of Justice. Mr. Delrahim has consistently promoted the interests of the biggest tech companies.
https://www.nytimes.com/2019/03/06/opinion/trump-antitrust-laws.html

[1] Actually a brilliant, ruthless sociopath who always outsmarts adversaries. Ask Facebook investors how powerful they are. All Earthy power rests within Mark alone!
[2] Both Europe and India rejected as did China many years ago. China is now dropping security threat Windows
[3] However in testimony before Congress, Mark switched tactics making senators appear freshmen
[4] Those who disagree are welcome to vacation at the Chinese reeducation camps
[5] Mass surveillance kingpin Amazon is giving away free doorbell cameras to partner police departments who then demand access
[6] Amazon has begun data-mining precise body scans to complement facial scans

TõnisJune 7, 2019 6:33 PM

@Irritated,

"It's bullcrap if you ask me. I thought legislation was supposed to prevent using it for ID. I refused at a walk-in medical center. They said it wasn't necessary - that it just helped with insurance. Refused at a chiropractic office - oh, they said it wasn't needed. Then why have it on the form?!"


The worst offenders are state motor vehicle departments. I have correspondence in which I asked the legal counsel for the MA RMV to cite the statute which allows it to deny a driver's license to an applicant who does not have a Slave Surveillance Number (SSN) or which allows the RMV to require that the applicant obtain an SSN in order to get a driver's license. The lawyer responded that the RMV has the authority to do that and cited an amendment to the Social Security Act which, upon careful reading, merely authorized state RMV departments to use the number for identification purposes or to require an applicant who does have one to furnish that number to the RMV. Nowhere did the amendment authorize motor vehicle departments to deny a license to an applicant who does not have an SSN or to require that the applicant get an SSN as a condition of getting a driver license. The position of the lying tyrants at these bureaucracies is, "This is our policy, if you don't like it, sue us!" Most people don't have the means or perseverance to fight this kind of battle all the way to the Supreme Court.

James GettysJune 7, 2019 8:23 PM

Hmm. I have a Massachusetts driver's license and it does not have my SSN on it.

TõnisJune 7, 2019 8:34 PM

@James Gettys, the SSN is not on the driver's license (there is an "S" number on the license for your privacy), but be sure that the RMV has your SSN on file.

IrritatedJune 7, 2019 8:34 PM

@James Gettys

That is correct - that practice was abolished quite a while back by replacing SSNs with S numbers.

But I think Tõnis is arguing they shouldn't be forcing people to use SSNs at all in the process - applications, registrations, etc.

I think not long ago I type in the last 4 digits of my SSN to complete my registration renewal.

TõnisJune 7, 2019 8:37 PM

@Irritated, yes the Commonwealth introduced that S number on the face of licenses as a privacy measure, but a license applicant won't get a diver's license with an S number unless he gives the RMV an SSN.

IrritatedJune 7, 2019 8:40 PM

Yeah :(

I wonder what their track record is on security breaches.

TõnisJune 7, 2019 9:03 PM

@Irritated,

The problem is that the state government is requiring that driver's license applicants interact with the federal government as a condition of getting a state license. Social Security is a federal retirement program. It is not one's "identity." Participation is not mandatory. One doesn't even need reach any arguments about taxation. Consider the following hypothetical:

1. You are born into a rich family, and you're independently wealthy.
2. You decide to never work, or earn, rather you choose to simply spend your fortune over the course of your entire life.
3. You never apply for participation in the federal retirement plan called Social Security, and therefore you don't have an SSN.

The state will unlawfully refuse to issue you a driver's license. In order to obtain the state license, you would be forced to interface with the federal government (which happens to disgust you) and put yourself into its surveillance/tracking matrix by signing up for its Ponzi scheme retirement plan just so you can give the state an SSN when applying for a driver's license.

No OneJune 8, 2019 4:28 AM

I saw this interesting post on SHA-1 at StackExchange. I take it that the writer was trying to use an older version of GnuPG to omit the Modification Detection Code packet, but GnuPG would not even let him or her encrypt a plaintext without it. They only want you to have a plaintext that has been hashed with SHA-1, and that cryptographic hash function has collisions and isn't very big. I also wonder if it has been inverted. Something seems fishy, but I am not sure if people are concerned.

On certain sites, it's a faux pas to raise doubts about the security of currently recommended cryptographic primitives.

I noticed this on Cryptography StackExchange too, but I do not blame them at all. They pretty much stick to technical questions--very little that is not to the point about technical questions.

So, what's going on? Could these sites actually have people who are being paid to quash discussion?

And, by the way, how does one avoid sending ciphertext in GnuPG without having an SHA-1 hash of it going along for the ride?

Does a cryptographic hash having collisions make it more likely that it could be inverted?

To my mind, the way that GnuPG has not been strengthened significantly is real news, news of omission, and we should be talking about it.

JohnnyJune 8, 2019 6:39 AM

@Tonis wrote, "The problem is that the state government is requiring that driver's license applicants interact with the federal government as a condition of getting a state license."

Another problem you pointed out is the fact that US of A is in reality a "Confederation of States." Thus, each citizen must have separate confederal and state obligations identified by a unique identifier. A social security number is a given unique identifier not a secret password. The problem we fact stems from the fact that some institutions, private or public, uses SSN as a secret password.

TõnisJune 8, 2019 10:41 AM

@Johnny, it is true, the United States is a union of states, each like a country of its own, each with its own constitution. The states have ceded certain powers, and only certain powers, to the federal government through a federal constitution. The problem is that the federal government has been usurping power for a long time, sticking its nose in where it doesn't belong, within the borders of states. I live in a state. I want nothing to do with the federal government.

Denton ScratchJune 8, 2019 11:31 AM

@No One

The GPG crew have been talking down threats to crypto security for a long time now. I think they had a blog up explaining why it was fine to use RSA1024, until just a couple of years ago.

I think there are cogent arguments for eschewing RSA4096, though. AIUI, doubling the RSA key-length provides much less than double the security, at much more than double the cost in computation. I use RSA2048, but I understand it's not a lot more secure than RSA1024.

What with the RSA corp secretly collaborating with the USG over default ECDRBG options, I guess we need a new public/private crypto scheme rather urgently?

(/me is not a cryptographer, just an interested observer)

TatütataJune 8, 2019 2:32 PM

According to a heise.de report, the Bundesamt für Sicherheit in der Informationstechnik (BSI) (German Federal Office for IT security) has identified malware in several factory-fresh phones from China. Some of the models are specifically identified, others not.

Some, but not all, of the packages appear to be removable by a firmware update, and the BSI recommends to replace the affected devices.

No hint as to whether there are signs that the crap had been deliberately inserted by the manufacturers. I would have naively thought that the products would have been programmed with a blob produced from a clean build directly from sources, not some back alley in Shenzen.

Aw chuck. Well, at least it doesn't seem to be top-tier brands, but at least some of the listed models appear to be still readily available from online retailers.

peopleJune 8, 2019 8:01 PM

someone came up with an interesting thought recently and the general idea is that a big negative about the internet and modern communications is that the majority of people up to and including nation states are fighting a large costly and worthless battle for nothing really. the things like nation states are doing in order to have insight and a level of control of data is really a big bad waste. governments and similar entities will (realistically not) concede that average people are not fighting a tea party or considering a revolution anymore - more like who might possess and perhaps view a ridiculous video of themselves at a concert and continue to build endlessly strong barriers and controls to protect it. and that social security number in the usa - well anyone standing behind another person in line at the checkout will overhear it anyway. that is an interesting point of view in my opinion :)

No OneJune 8, 2019 10:35 PM

@ Denton Scratch

You are absolutely right: we need a new form of PGP, one that actually makes sense cryptographically.

As far as I know, we need:

-- to be able to choose between Key Derivation Functions (KDF) instead of only having one (s2K). S2K is getting old, and there are better ones available: Argon 2 comes to mind. The good KDFs better resist attack on the session key (from GPUs).

--choose which cryptographic hash we use for the digest of the session key

--get rid of the NIST curves that are known to be "vulnerable by design"

--we need Chacha20 and Poly1305

--allow for an increase in the --s2k-count

--allow for the input of one's own session key

--allow more non-NSA produced cryptographic hash functions

--get rid of SHA-1 by default, and make it an option for backwards compatibility

--get rid of the Modification Detection Code Packet and replace it by using a better method to insure integrity and provide authentication

--get rid of SHA-1, etc., and weak ciphers as fall-backs ciphers. Their presence strikes me as odd, and this excuse about backwards compatibility needs to come to a screeching halt.

--and the whole interface needs to change. It is too complex. And they need to update the RFC and explain things in detail.

But, you know what? It is never going to happen, and the charade is going to continue.

My personal opinion--and it is just that, an opinion--as that article said, is that OpenPGP is open indeed, and I don't like it. If we are going to have encryption in this world, it needs to work.

ALJune 8, 2019 11:36 PM

In the distant past, I was pulled over by local police in Massachusetts, and they asked me to produce my license. I had cut over to an S number once available, but still voluntarily. I told the officer I didn't have my license with me, but I have my social security card. He ran the social sec number and told me I have never had a drivers license in my life. And he told me "computers don't lie".

I was written up for driving without a license. The car was towed, but I could walk. What I was avoiding - driving after license suspended. That particular offense results in immediate arrest.

Every time a computer screws up, I tell the aggrieved person, "computers don't lie". 😜

JohnnyJune 9, 2019 1:59 AM

@Tõnis wrote, "I want nothing to do with the federal government."

We learned it the hard way more than a century ago that American exceptionism does not apply to Americans. While we advocate freeing of states from their mothership governments all over the world by populus vote, we Americans ourselves do not enjoy this priviledge back home.

ChuckJune 9, 2019 2:37 AM

@people wrote, "the things like nation states are doing in order to have insight and a level of control of data is really a big bad waste."

There is no such thing as "waste" in the present form of world economics, as long as you are doing a job and got paid for it or there is a benefit to another party. The fact that we've done away with tangible value and into the Fiat world of finance means all this of value are denominated by an intangible, elastic entity known as "money." We create "money" by issuing more debt, whether at the national root level or at the loan officer level, new money stems from more debt. Money is destroyed when debt is "repaid" in full.

Having that in mind, there is no "wasted" work as long as you are getting paid by someone and feeding the system. As a matter of fact, we must continue to create more available work to ensure that this bubble continue to inflate, and deflate, and inflate again.

TõnisJune 9, 2019 8:11 AM

@Johnny, Yes, states have the constitutional rights to secede, but when they do, a despot (like Abraham Lincoln) wages war on them.

@Chuck,

Money is destroyed if debt is repaid in full. If it's not, inflation becomes apparent.

"Having that in mind, there is no 'wasted' work as long as you are getting paid by someone and feeding the system. As a matter of fact, we must continue to create more available work to ensure that this bubble continue to inflate, and deflate, and inflate again."

Notice that the money to repay the interest is never created by the accounting tricks used to create the money. All interest is paid by human labor ... to those who pretend to lend the (created) money. Explains why they don't really want the principal back. Just keep paying the parasitic money changers their usury. They've been skimming for a long time. Keep it coming.

Alyer Babtu June 9, 2019 8:39 AM

@Tönis

constitutional rights to secede

Not constitutional, but derived in the Declaration, conditional and the extreme last resort, by natural law, and outside the written law. Lincoln respected the natural law and the Constitution. The problem today is more that neither the natural nor the Constitutional law is respected.

Alyer Babtu June 9, 2019 8:59 AM

To add to the above: some of the Amendments, e.g., the 17th weasled away the protection for the States originally in the Constitution.

TõnisJune 9, 2019 9:11 AM

@Alyer Babtu,

"Lincoln respected the natural law and the Constitution."

How so?

FaustusJune 9, 2019 10:00 AM

@ Tõnis

In the USA the Social Security Number does double duty as your Tax Id. Every adult is supposed to file yearly, even if they have no income, therefore we need one.

Anyhow, if we didn't have one, do you think it would slow surveillance? They would just generate another unique key. Or worse, one that isn't quite unique, tarring one person with another's problems.

@ Chuck

I just heard the "repaying debt destroys money" idea reading the new Delta-V by Daniel Suarez. His books are pretty good, especially the Daemon/Freedom series.

TõnisJune 9, 2019 10:08 AM

@Faustus,

"... Every adult is supposed to file yearly, even if they have no income …"

While I do usually enjoy your replies, this is complete and utter nonsense.

"Anyhow, if we didn't have one, do you think it would slow surveillance?"

Completely misses the point. The point was that state motor vehicle departments are requiring that license applicants interact with the federal government (apply for an SSN) to obtain a state driver's license. The part about surveillance was just an example of why a person might not want to do that, nor should he be conned into doing so.

vas pupJune 9, 2019 12:50 PM

Works by robot artist Ai-Da to go on display in Oxford:

https://www.bbc.com/news/av/uk-england-oxfordshire-48556654/works-by-robot-artist-ai-da-to-go-on-display-in-oxford?intlink_from_url=https%3A%2F%2Fwww.bbc.com%2Fnews%2Fscience_and_environment&link_location=live-reporting-map

Long link, but that is as bbc provided. Video is interesting.

@Faustus and all other respected bloggers involved:
Why do you need to provide SSN when opening bank account with NO interest? Just out of curiosity.

IrritatedJune 9, 2019 1:11 PM

@vas pup

My guess is that the Powers That Be's excuse is Know Your Customer laws and the Patriot Act

Sherman JayJune 9, 2019 1:57 PM

@Sed Contra

Thanks for the link to the squid Vid!. My cdLinux OS can't upgrade firefox. And, Youtube and Twitter seem to have changed their criteria and they both lock up on Firefox a couple of versions old. I've copied the URL and I'll view it using a newer Linux with a newer Firefox when I get the time to burn an ISO to DVD.

(soapbox alert)

I am so tired of big Abusive Corporations making everything obsolete in a couple of years and locking people out. What do you think people would do if Streets and Highways didn't allow people with a car over 4 years old to drive on them?

The 'information superhighway' is like that now.
I guess I need to continue my research on alternative safe browsers.

REF.: Johnny Deer tractor computers lockout owners and right to repair.

Sherman JayJune 9, 2019 2:08 PM

@vas pup,
In the u.s. banking regulations require the ability to record and/or report 'suspicious' activity such as cash withdrawals of $1000+ to the federal gov't 'allegedly' to 'only' prevent money laundering, etc. This is without any consideration of the need to report interest earned on savings accounts, etc. for the purposes of income tax.

and
@Tõnis and @Faustus,

"... Every adult is supposed to file yearly, even if they have no income …"

Generally true. But, there are thresholds. If one has income below the required reporting threshold, they are 'usually' not required to file. However, the IRS is 'happier' if they have a continuous record of annual filings even if there is no tax liabilty. That translates to: if you don't have to file in one year and do file in the next, that may send up an automated 'inquiry' or 'audit' flag on your IRS account.

ROFL: "siri? what's my neighbor's password?"

AlejandroJune 9, 2019 2:41 PM

@Irritated

Re: "give up the SSN for a credit check"

When I moved to a new state had to submit to a credit check for cable TV (told them I didn't want a loan, just cable TV, did no good), the propane vendor told me I had to be checked out by Homeland Security in order to rent a tank to keep the fireplace lit (turned out to be a lie btw), to get a drivers license you had to have a photo taken by the police, like a mugshot with no smile, straight ahead so it could be entered into the terrorism data base and when you register to vote your name, address AND phone number is published on the internet for all to see,...or whatever.

As near as I can tell, the majority of Americans think being treated like a criminal and a terrorist or having your personal data made available just to vote is all fine and dandy. Because: Security.

I think most of us have been brainwashed to accept this kind of abuse and intrusion. And, it won't end well.

A90210June 9, 2019 2:53 PM

https://www.washingtonpost.com/climate-environment/2019/06/08/white-house-blocked-intelligence-aides-written-testimony-saying-human-caused-climate-change-could-be-possibly-catastrophic

"White House blocked intelligence agency’s written testimony calling climate change ‘possibly catastrophic’
Officials sought to excise the State Department’s comments on climate science because they did not mesh with the administration’s stance

White House officials barred a State Department intelligence agency from submitting written testimony this week [ https://int.nyt.com/data/documenthelper/1103-rod-schoonover-testimony/9ea6b07179b17035421f/optimized/full.pdf (PDF; from USG State Department) ] to the House Intelligence Committee warning that human-caused climate change is “possibly catastrophic.” The move came after State officials refused to excise the document’s references to federal scientific findings on climate change.

The effort to edit, and ultimately suppress, the prepared testimony by the State Department’s Bureau of Intelligence and Research comes as the Trump administration is debating how best to challenge the fact that burning fossil fuels is warming the planet and could pose serious risks unless the world makes deep cuts in greenhouse gas emissions over the next decade. Senior military and intelligence officials have continued to warn climate change could undermine America’s national security — a position President Trump rejects.

Officials from the White House’s Office of Legislative Affairs, Office of Management and Budget, and National Security Council all raised objections to parts of the testimony that Rod Schoonover, who works in the Office of the Geographer and Global Issues, prepared to present on the bureau’s behalf for a hearing Wednesday.

The document lays out in stark detail the implications of what the administration faces in light of rising carbon emissions that the world has not curbed.

“Absent extensive mitigating factors or events, we see few plausible future scenarios where significant — possibly catastrophic — harm does not arise from the compounded effects of climate change,” the document said. ..."

FaustusJune 9, 2019 3:46 PM

@ Tonis

I don't know why you are p*ssy at me. I'm no big fan of most state and local government. Nobody seemed to note the SSN's use as tax ID, so I did.

Can we avoid interacting with the federal government? To what purpose? They already have all our data. They can crush us if they want to.

Are you from a place where county or state officials can shield you somewhat from the Feds? If so, good for you. I left the country to be free of Big Uncle so I understand the impulse. Before that I gave up driving to avoid being beholden to the Government. "Driving is a privilege" and other authoritarian BS. And also driving is the situation in which police are most likely to relieve themselves on your rights and privacy. I enjoyed driving a bmw sports car for five years and then opted out. No regrets.

Now I live in a country that doesn't have the money to waste on surveiling or harassing me. I employ people, train them and give scholarships and in return I am left alone in a natural paradise of Freedom.

The U.S. has money and weapons but dearly lacks intelligence and freedom and justice. And it is just getting worse. The solutions are all worse than the disease.

Clive RobinsonJune 9, 2019 4:07 PM

@ Sherman Jay,

Youtube and Twitter seem to have changed their criteria and they both lock up on Firefox a couple of versions old.

As does Glugles search engine.

The reason is a plan thought up by those in Silicon Valley to force people in Europe into abrogating their rights under the GDPR.

My view on the matter is two fold,

1, The software designers do themselves not just no favours but a lot od harm by associating with Glugle and Co. Worse the W3C is almost certainly "bought and paid for" so should lose their "standards setting rights".

2, Glugle and Co will not give up unless they are fined into non existance, thus the fines should start at 20% of turnover on the whole business and rise with the severity of their crimes. So say a thousand Euros per coerced individual in Europe.

Whilst I will kind of draw the line at "First up against the wall" type punishment, making all the officers bankrupt and forever incapable of holding a directorship or other senior roll within any organisation. As most are "security cleared" spending time in "Administrative Lockdown" for a decade or so might also serve as a warning to others.

As was noted several hundred years ago "Extraordinary crimes, require extraordinary punishment".

One side effect of the Silicon Valley run rampent, is that it will almost certainly result in the Internet getting "broken up" and the likes of Glugle getting replaced with more national systems. It probably won't stop the spying on users, in fact it's easy to see how it could make it worse under certain regimes, but it will change it.

This "Internet Balkanisation" very nearly happened in the UN ITU Doha meetup in 2014. I suspect next time due to certain changes not the least of which have been caused by US-Corp and US-Gov (FCC) the Balkanisation will start.

To be frank the rest of the world is getting tired of the US saying "Our way or No way" and the US is out of stock on Danegelt, and has not even shiny base metal as fairy gold to offer. Hence you have the master plan of people like John Bolton running around like "chicken little" demanding a war against Iran as North Korea did not pan out (and suprise suprise the sky has not fallen). We know these Administation war mongers do not behave as "Rational Actors", thus the question arises,

    Will it stop with "the little guys" or do they have desire to fight both China and Russia?

Lets face it John Bolton is an old man and has few years left to him, maybe he thinks going out in a blaze of nuclear radiation and fall out is the way to finally make his mark on the world... But does the rest of the US want to join him on the funeral pyre he is building to his glory?

It's a question those in the US realy should be considering as John Bolton's plans appear to be sufficiently short term that War will happen before the elections. Whilst I did not give much credence to some Journalists claiming that with a War Trump could avoid the Elections and remain indefinately in power... The possability of war certainly appears on the countdown clock and it is ticking away.

TõnisJune 9, 2019 4:17 PM

@Faustus, didn't mean for it to come across as personal. I do understand what you're saying and am actually happy for you, but for some of us who remain here the battle for individual liberty is ongoing. If I'm here, I won't adopt a "can't fight city hall" demeanor. But getting out is great option. What country are you in? It sounds great.

Denton ScratchJune 9, 2019 4:48 PM

@Faustus

You said back in February that you would be publishing a website, explaining your patentable method for making an AI system that can develop useful software, based on nothing more than examples (I think you spoke of "test-cases"). You said this would be published by the end of May, I think (but I can't find a record in the archive of this site that shows you making that remark; so perhaps I am wrong).

The end of May has passed. Hey - most software projects over-run - no blame. But is there any chance of an update on your ETA?

I was skeptical of your claims; I continue to believe that writing software requires real intelligence, and that "artificial intelligence" as currently construed doesn't cut the mustard. But I am not closed-minded, and that is why I am interested in learning about your work.

FaustusJune 9, 2019 6:47 PM

@ Tomis

I am intentionally ambiguous about my location. Anything I say is a security exposure so I only go so far. People hate you for escaping the cage, and free thought -- not to mention speech -- is less and less acceptable every day. Though I do like to wave on occasion and mention that there is an alternative.

@ Denton

My company launched on time, a month ago. I had a big launch party.

I have two programmers on staff. One is a great team leader. Four more interviews are scheduled over the next two weeks. I am spinning up a salesperson in Seattle. I have a person who builds super servers to spec and sources any materials I need. I have a woman moving into the role of human resources manager.

I have been working on communicating our work on a website. But I am more a technologist than a salesperson. After my reception on schneier.com I realized that people in general prefer to tear down than support. And I don't have the psychic armor of a salesperson. It affects me to deal with negativity. So I have decided to just keep elaborating my system and training my people and leave the PR to another moment.

The universe will deliver a true VP of Sales when it is ready.

I also have some legal issues around launching a corporation as a non-citizen. I can't fully spin up until I have a corporation to shield my personal assets.

So I am biding my time and doing the technical work that most feeds me anyhow while I slowly build a network of collaborators and get my team up to speed. The team is the best part. I get to work with highly motivated, intelligent people in my personal think tank. They recognize that they have a unique opportunity with me and they fully rise to the occasion (or they aren't around any more).

Clive RobinsonJune 9, 2019 7:20 PM

@ Alyer Babtu,

And maybe their internet

Or get it "re-routed" through China,

https://arstechnica.com/information-technology/2019/06/bgp-mishap-sends-european-mobile-traffic-through-china-telecom-for-2-hours/

It's interesting to note that China Telecom did not start the issue, who did is currently "unknown".

In essence the problems with BGP are such that anyone could have kicked the update off through "SwissCom". But... Various commentators hold not "SwissCom" responsible for propergating it but "ChiTel"...

Which again shows the usuall knee Jerk "Blaim current US Existrntial threat" from US Organisations who by now should know better.

The comment that "ChiTel" should join the "Mutually Agreed Norms for Routing Security" (MANRS) project is actually not a good one. A number of people see MANRS as the US Gov trying to gain more of a stranglehold on the Internet, and it's not to difficult to see why. So like the anouncment of China developing it's own OS it is unlikely to participate in what can be seen as the thin edge of a US Government wedge towards "Routing takeover".

What people tend to forget is the Internet traffic of most nations ends up being not just routed through the US but most likely also captured as part of "Grab it all".

As for who actually changed the routes that "SwissCom" then broadcast on to "ChiCom" we have several choices to make.

Firstly was it accidental or deliberate.

Secondly if deliberate who would gain the most by it?

The answer to the second question could easily be "Anyone with an axe to grind with China" Which lets face it could be anybody wishing to either stir up trouble for China, curry favour with the US or both...

As for China getting any benifit from the diverted packets, well it's "Limited time traffic" to make it believable as an argument you would have to show "Why that time range?" gave China some kind of advantage. Otherwise you are in the land of "unsupported guesstimations" which are usually unfounded and say more about the guesstimator than they do about any incident.

Clive RobinsonJune 9, 2019 7:27 PM

@ Faustus,

Good luck, I look forward to asking a few what if's at some point.

Oh with regards,

"I also have some legal issues around launching a corporation as a non-citizen. I can't fully spin up until I have a corporation to shield my personal assets."

That kind of narrows the "seek and find" range of countries ;-)

Denton ScratchJune 10, 2019 12:49 AM

@Faustus

OK, cool about the launch; best of luck. Really. A team of excellent people means everything.

I'm disappointed not to be able to learn more about what you've invented, though. Not even an ETA?

The EvidenceJune 10, 2019 7:13 AM

Despite the time-line evidence spanning several years, the Thirty Eyes Intelligence Agencies Continue to Allow China Telecom Data-Mining and Targeting

What’s the difference between China Telecom spying vs potential Huawei Telecom spying?
For Chinese citizens this Meta-data is ‘Enough to Get you Killed’
For the EU and USA the Meta-data is ‘Enough to Get you Targeted’

Chronic China Telecom BGP Data-Mining Continues Unabated
6-2019
For two hours, a large chunk of European mobile traffic was rerouted through China Telecom
https://arstechnica.com/information-technology/2019/06/bgp-mishap-sends-european-mobile-traffic-through-china-telecom-for-2-hours/

11-2018
For two hours Monday, internet traffic that was supposed to route through Google's Cloud Platform instead found itself in quite unexpected places, including Russia and China Telecom https://www.wired.com/story/google-internet-traffic-china-russia-rerouted/

University Study Findings - Asymmetric Warfare
China Telecom Well Placed within North America vs US Telecoms Blackballed from China
China Telecom (CT) entered North American networks at the beginning of the 2000s, and has since
grown to have 10 PoPs, eight in the US and two in Canada, spanning both coasts and all the major
exchange points in the US. Few other non-American ISPs has such a wide-spread presence on US
soil.

Using these numerous PoPs, CT has already relatively seamlessly hijacked domestic US and cross-
US traffic and redirected it to China over days, weeks, and months as demonstrated in the examples
below. The patterns of traffic revealed in traceroute research 7 suggest repetitive IP hijack attacks
committed by China Telecom.

2016 Canada to Korea – traffic to Government Site
2016 US to Italy – Banking and Money
2017 Scandinavia to Japan – News
2017 Italy to Thailand – ISPs

USA Telecoms Blackballed from China – No Reciprocity
China’s own national network is fairly isolated from the world, protecting it from foreign hijacking of its own domestic or transit traffic.

Policy of ‘Access Reciprocity’ to Curb Hijacks
Today China has ten POPs in North America (eight in the US and two in Canada) while the US has
none in China. That imbalance in access allows for opportunistic malicious behavior by China
through China Telecom at a time and place of its choosing, while denying the same to US and its
allies.
https://scholarcommons.usf.edu/mca/vol3/iss1/7/

Why not add Chinese telecoms data-mining as a form of IP theft? Add it to the tariffs list of issues?
Why can’t the White House at least raise awareness with a bold response on Twitter?

Space saved below for Chinese response!

Decay-Decay-Decay-Decay-Decay-Deee-LitefulJune 10, 2019 8:30 AM

re: https://www.zdnet.com/article/for-two-hours-a-large-chunk-of-european-mobile-traffic-was-rerouted-through-china/

Although I am not personally related to this info, after reading this and a quick self-briefing about IP spoofing and filtering (egress/ingress), my choice to pretty much start quitting as much of the mobile/"smart"/internet/web/wifi/LAN/WLAN/net as possible ASAP.

Also, a process of internet-sourced installationa I've done multiple times over the past several years which used to take anywhere from a few minutes to a few days of steady work has now exploded due to hackers/malwere/adware/spyware/thieves/hypocrites/bastards.

Now it takes weeks to months due to repeated attacks and data losses. The contiguous efforts to get up and running tend to get FUBAR'd way too fast. I used to be able to get up and running for a few years. Then it became a few months. Then it becames weeks, which coincided with personal attacks against me (theft, being assaulted, being drugged multiple times, being poisoned, victimization via sabotage and deliberate damages, etc. ) Then it became getting attacked within minutes of establishing any kinds of gains, even after some mild defensive measures.

The level of frustration this could cause a person could easily result in REVENGE KILLINGS if NOT YET checked actively and without DELIBERATE SELF-RESTRAINT.

Many of the attackers were in the same rooms as me, often right next to me; this is common. Yet, sometimes THERE WERE HONORABLE MITIGATORS who PREVENTED some of the WORST, thank goodness. They probably deserve protective rewards. And reweard protections.

Anyways, I'm going to do what it takes to remove myself from the "theatre of war", but it's not always that easy.
I can't control who stalks me, who talks to me, who I meet as a stranger, which contemporary necessary(?) organizational institutions force disadvantages upon me.

But on the plus side, I can say that because the WWW and Internet stuff as we know it are only about as old as the early 1990s, I can guarantee that there's a beautiful world waiting for us if we don't destroy this one with malware-triggered physical bombs, or online chemical/nuclear munitions being triggered or stolen via security breaches.

..And DARPA wants to us to plug our brains into chips and vice-versa?????!!!! (...uh, um, malware? adware? spyware? logic bombs? virues? trackers? loggers? data corruption? design flaws? interoperability conflicts? spoofs? unauthorized access? built-in obsolessence?) TO:DARPA, I wish I could say that you look so cute when you make such 'innocently naive' claims. Or, maybe you're just admitting your "hijinx" of the past? Sincerely, erm, just a person who doesn't want total cascade failure.

Now is a good time to PONDER LIMITS.

Clive RobinsonJune 10, 2019 10:21 AM

@ Who?,

Each time something like this happens I think "some state actor is testing an adversary network resilience."

Yes me too, but then comes that awkward moment of "Who?, By Whom?, And Why?"

It's easy to pick on the wrong pointers give them too much weight in your analysis, or conversely to little and end up chasing your own tail down the rabbit hole to the mad hatters tea party.

Unfortunatly what does not help is people coming out with the same old line of "It's der Butler wot dun it" or it's modern equivalent.

I guess it does not matter what happens because they will always say "XXX did it" where XXX is the latest exestential threat target created Orwelian style for the likes of them and they swallow it "hook line and sinker". As I've indicated in the past attribution is very very hard, in part because it's so easy to fake. The real problem of such slavish devotion to being "on message" is that the oportunites to make attribution not just more effective and reliable go down the drain with all the other "Lost Opportunity Costs"...

FaustusJune 10, 2019 11:10 AM

@ Denton, Clive

Thanks for the support. I will keep you guys in the loop. I am always open for challenges. Possibilities include finding closed form solutions of problems that can only be solved numerically, optimizations, fitting data over arbitrary function spaces, programming in hard to understand limited languages, or creating algorithms from examples.

Alex AJune 10, 2019 1:12 PM

@Faustus

As a regular reader hearing about your project for the first time, my interest is sufficiently piqued.

Looking forward to when you can share more details.

miltonJune 10, 2019 2:14 PM

@bttb or anyone else,

why did you use square brackets in the YouTube link in this post? Is this some counter-spider or counter-referrer measure? (i sometimes encounter this trick, but can't come up with the right search terms to use to learn more... )

On different subj: what's the current status of the censorship/circumvention arms race? Is "refraction networking"/ "tapdance" going anywhere? Does anyone else think blocking domain fronting by big tech should be made illegal by Western countries? -- after
all, they (big tech) only do it because of threats by hostile gov's...
Also, what's with this "squid" thing -- some inside joke?

Bob PaddockJune 10, 2019 3:13 PM

@Irritated

"Friend of mine recently mentioned that in order to sign up for electricity, had to give up the SSN for a credit check."

Gas company is the same.
As are doctors offices.

The reason they really want this is so they can turn the account over to a collection agency if you don't pay your bill.

Just because someone asks for the SSN doesn't mean they really must have it.
I always say "I've had problems with identity theft in the past and I do not give out my SSN". They usually end up filling in all zeros or all nines, which is on them, as I did not give them an invalid number, which is probably illegal.

I've had a eye and vision insurance companies make up numbers for my policies where they used the SSN as the ID. Again I was not the one that gave them an invalid number. I even pointed out what they were doing was probably illegal. They didn't care.

PaulJune 10, 2019 7:04 PM

@The Evidence wrote, "What’s the difference between China Telecom spying vs potential Huawei Telecom spying?"

That's why Huawei ban is likely caused by alleged incooperation or "unconforming" to western 5G standards. The US of A is likely not care whether a telecom provider "spies" or "not spy", they are more bothered when you use "non-standard" equipments. That is equipments not laddened with their backdoor or whatever esotteric "methods" come packaged as "standard." IMHO

ChuckJune 10, 2019 7:26 PM

@Tonis wrote, "Notice that the money to repay the interest is never created by the accounting tricks used to create the money. All interest is paid by human labor ... to those who pretend to lend the (created) money. Explains why they don't really want the principal back. Just keep paying the parasitic money changers their usury. They've been skimming for a long time. Keep it coming."

That is a correct answer. During deflation, what occurs is "money" can either shrink in value, destroyed (debt "repaid"), or both. However, when you have debt being "repaid" or "written off" (an accounting cheat) en masse, it becomes a "systematic meltdown." Like any type of air-inflated that may cause a "bubble" to burst thus explode, the best way to mitigate this phenomenon is thru a pro-longated "easing" process.

Having that in mind, in order for the scheme to continue, "money" must constantly seek new venues to "inflate" into. Thus, we create values over the decades using various forms of "metrics" to find value of intangibles. The most glaring examples of this include the various "marketing" metrics that apply to online world which created bohemeths like Grugle and Fracebook.

"Work" in its present simplist form (by an "economist") is work which prolong this abstract method of inflating the bubble in any possible way. Thus, there is no "wasted work" unless its done for free.

Clive RobinsonJune 10, 2019 9:29 PM

@ Paul,

unconforming" to western 5G standards

Technically and practically there are no 5G Standards that are "Western".

What is known is that bands higher then 3.5-4.5GHz are going to be problematic at best... With the USA talking 20-60GHz you'll be lucky if it will work across your sitting room.

There's a Linux and 47GHz hotspot video up on U-Tube, that shows 47GHz getting stopped dead by a couple of bits of cardboard or if your body gets in the way. It also does not work through interior doors, Stud&Plaster interior walls, cinderblock walls and brick walls. As for double glazing, sunlight has an easier time bouncing around and "lighting it up". Some of those frequencies will also dip out if you get a source of condensing steam between the TX and RX which could mean your cup of coffee could bring your data rate crashing down.

In Europe and other parts of the "West" outside of the USA they are taking back some of the spectrum allocated to Amateur Radio and the older broadcast bands, for good reason (it might just work to the lamp post closest to your front door).

For some reason the FCC / Administration has decided "to be different" and under current EU regulations any US proposed 5G handsets would most definitely be "Not placeable on the market" thus carry the risk of prosecution to use unless the country you were in had issued with a specific and currently individual licence to use...

Put simply 5G won't roam unless certain people climb down, which they are unlikely to do for purely ideological reasons. Which means a handset will have to fall back to LTE on 4G or 3G or as neither 4G-LTE or 3G-LTE networks exist in a lot of places the old 2G might be "your fallback of last resort".

Nearly a couple of decades ago the US managed to push through getting GPS put into the majority of cell phones made by major international manufacturers. Appart from the "spying on / tracking you" issues many manufacturers were considering GPS any way because it had real utility to customers in any part of the world. It also enabled the phone manufacturers to move in on the GPS Receiver market as they had done earlier on the low end digital camera market and even FM Radio broadcast receiver market.

The 20-60GHz bands actually have little utility for anyone currently and realisticaly are not likely to have either when just a falling leaf is all it takes to throw the envisaged bandwidth right into the dust.

So the US does not realy have a working 5G plan, and there is unlikely to be the demand outside the US for ten years if at all.

Which brings us back to the other part of your point,

That is equipments not laddened with their backdoor or whatever esotteric "methods" come packaged as "standard." IMHO

Some in the industry think that has rather more than just a germ of truth in it. Others put it down to "Rejected Grandpa syndrome". Put simply the first into a new market generally do not get a lasting hold on the market, whilst some second and quite a few third generation effectively get "The winner takes all" prize.

Untill that is a "disruptive technology" comes along. Neither 4G or 3G were from the users perspective "disruptive" thus arguably the US is "Grandpa in the cold" Motorola as was, put together an analog working Cell System over four decades ago but do people remember?

I had to go look up,

    The first handheld cellular mobile phone was demonstrated by John F. Mitchell and Martin Cooper of Motorola in 1973, using a handset weighing 2 kilograms (4.4 lb). The first commercial automated analog cellular network was launched in Japan by Nippon Telegraph and Telephone in 1979.

Neither system nor several others that followed out of the US and Japan survived. What did was the European "Group Special Mobile" (GSM) system for reasons neither the US or Japanes companies appeared to understand.

So some think it's Gramps-USA's "last hurah" to try and get control back. The problem is those in the US still appear not to get it, various key patents belong to Chinese Companies, they are only licensed royalty free for "5G" if and when the 5G standard is ratified. And in all honesty few think the US vision of 5G will get the required "kiss of approval". In which case those patents become a very real hurdle the US are going to have to either "go another way" or "Shut-up and pay-up" on the royalty front or be hypocritical IP infringing criminals...

It might just be still another three bowl of popcorn event, it's certainly been atleast one or two already. Oh and of course there are other patents the US needs to worry about. The way ZTE bowed out was lack of components due to the US Gov saying they can't have them. Has anyone asked the US what happens if certain Chinese originating patent licences get revoked?

There's one or two of the big Silicone Valley companies who have an idea... Which is one reason why Alphabet/Google are having talks with US Gov officials... Otherwise the electronics stores might be a bit empty for Xmas in the US. Also there is the effect on the US consumer economy to worry about.

From what I can see China has made a political decision to not just create a new OS and similar IP but also to push hard on the international patent front. Neither bodes at all well for the US in this pissing contest the current administration have started. Those that will end up paying for it at the end of the day is US voters, who are not going to see any benifit infact the exact opposit for some time to come...

The EvidenceJune 11, 2019 4:53 AM

@paul
That is equipments not laddened with their backdoor or whatever esotteric "methods" come packaged as "standard.”

Probably True as necessary for national security reasons.
Lets discuss the British engineers (like Clive) who are experts at testing complex telecom gear.

Huawei Gear Findings
Like the Australians and Americans, British security officials had concerns over China’s potential use of Huawei as a channel for conducting espionage. British security officials were becoming increasingly frustrated with what they viewed as Huawei’s failure to fix software flaws in its equipment, particularly discrepancies in the source code – the programs’ underlying set of instructions. This problem means the laboratory near Oxford set up to vet Huawei equipment can not even be sure that the code it is testing is exactly the same as the code Huawei deploys in its real-world equipment. This makes it difficult to provide safety assurances about the company’s gear.

British officials say the array of flaws could be exploited by China, as well as other malevolent actors. Ian Levy, a British security official who oversees the UK’s review of Huawei equipment, told Reuters the company’s software engineering is like something from 20 years ago. “The chance of a vulnerability with a Huawei piece of kit is much higher than other vendors,” he said.

This Hauwei Five Year ‘Promise’
The company said it has pledged to spend at least $2 billion “over the next FIVE years” to improve its software engineering capabilities.’
https://www.reuters.com/investigates/special-report/huawei-usa-campaign/

So here we have Huawei the WORLDS LEADER in 5G technology fitting software from like 20 years ago. What could be the motivation?

The Chinese Communist Party must think the Westerner’s are easily duped under the guise of saving a buck. Up until the Australian Signals sounding the alarm...

As proof The West completely fell for ‘free’ Facebook or Google services hook, line and sinker.
Only 20 years later do they now realize there is a cost for ‘free’ or reduced prices.

What started out as People are The Product is morphing into
People are the Controlled Product

This Huawei Five year promise is just like Facebook Promising Privacy

Has anyone thought the Huawei 5G plan as being instrumental is spreading the Chinese Social Credit System to The West?

The GDPR would be discarded as the Chinese seek total control of societies worldwide. All system go as Silicon Valley is infatuated with Social Control and re-education. They are moving away from ‘untrusted’ sources and religion too. Just Imagine!

The bottom line is Hauwei 5g technology is the secret sauce that will tie the East and West Social Control Systems together.

Once the Hauwei 5g hardware based Social Control System becomes operational, no government will be able to remove it without (China’s permission or risk) shutting down the nations infrastructure.
The central CCP will alone dictate (Hong Kong loss of human freedom) except far worse.

Did I say too much of the classified 2025 world domination plan?
The 5g choices today will affect whether coming generations live in freedom or under repression.

https://www.nakedcapitalism.com/2019/06/australia-is-at-war-with-itself-over-china.html

Bob PaddockJune 11, 2019 6:48 AM

For anyone interested in following 5G developments, this is the location of the Standard in development:

https://www.3gpp.org/ftp/Specs/latest/

Release dates are explained here:

https://www.3gpp.org/specifications/releases

The Specifications in general and the dating system (that just changed) are noted in the parent of that URL.

Last I looked, which was Release-15, the highest frequency 5G used was 28.375 GHz (n261).

Lots of people concerned about health effects from 5G, yet never seem concerned at all about the ~77 GHz signals coming from modern vehicles, as part of their RADAR Collision Avoidance System (TI and NXP make the parts).


AlejandroJune 11, 2019 6:49 AM

‘This is a bombshell’: Officials admit ‘malicious’ hackers stole US government facial recognition data'

https://www.alternet.org/2019/06/this-is-a-bombshell-officials-admit-malicious-hackers-stole-us-government-facial-recognition-data/

"Monday that a “malicious cyber attack” has resulted in photos of airport passengers and other personal data harvested by U.S. Customs and Border Patrol have been stolen by unknown actors."

But, of course!

The work around is to always keep your Guy Fawkes mask on when outside the safe confines of your basement.

A90210June 11, 2019 2:25 PM

@Alyer Babtu

I enjoyed Kurtis Blow's song The Breaks, and your lyrics.
With more work by you and or members of the SoS Blog and permission from Mr. Blow maybe another interesting version of The Breaks could be achieved.

https://www.schneier.com/blog/archives/2019/05/friday_squid_bl_678.html#c6793700

From 20 years earlier,

https://www.youtube.com/watch?v=JWVY-6q89v4
Jazz Corner of the World - Quincy Jones (1989) [with Lyrics]

https://www.youtube.com/watch?v=uqJ8X28V6sI
Quincy Jones ~ Back On The Block

above two from https://en.wikipedia.org/wiki/Back_on_the_Block


Clive RobinsonJune 11, 2019 3:36 PM

@ Alyer Babtu,

I’m lovin’ me some sidechannels

If you look back on this blog a little while ago you will find I predicted ECC memory and RowHammer would become a vulnerability.

Usually I'm years ahead on my predictions but hey I'm getting slow some days ;-)

Just so every one understands why you get a "time based side channel" with all the usuall implementations of "Error Correction" it's because to get data transfer speeds up the data is effectively already on the data bus whilst the checking for errors takes place. Thus the checking circuit needs to add an extra cycle or so to correct things.

It's why RowHammer and it's derivatives are so powerfull, they in effect do a "bubbling up attack" from below "Gate Level" on the computing stack thus they can be completely and utterly devistating, compleatly negating all security mechanisms in standard general purpose computers. Especially when due to mistakes in the chip layout and lower, unprivileged user processes such as javascript running in a browser window can "reach around" all the security preventions to activate the bubbling up attack.

Whilst there are ways you can implement secure designs to stop this attack that have been known for atleast a third of a century, they are far from "general purpose" computers and you have to make quite a number of speed / efficiency sacrifices to do it...

Clive RobinsonJune 11, 2019 5:09 PM

@ Bob Paddock,

Last I looked, which was Release-15, the highest frequency 5G used was 28.375 GHz (n261).

That's provisional at best. Frequency allocation is still officially up for grabs. With international discussions not going to happen till later this year at the "UN ITU World Radio Conference 19",

https://www.itu.int/en/ITU-R/conferences/wrc/2019/Pages/default.aspx

Where the discussions for additional spectrum in support of IMT-2020[1] compliant systems will take place.

Technically what the general public think of as "5G" is still in progress towards meeting the "International Mobile Telecommunications 2020" requirments. Whilst there is a provisional specification for "testing" (chicken and egg issue of standard-v-practical you get with nu-tec spectrum using developments) it is just provisional to do testing.

If WRC19 approves additional spectrum which is what it looks like the current US Administration appears to be pushing for, then that provisional specification hits file cabinate 13 fairly quickly and a whole new bunch of tests will have to be carried out. However even with out the ITU giving it's blessing to chunks in the 20-60GHz range, the US would still be free to decide to put 5G up there if it wished and force other phones to drop back to 4G-LTE which few users would actually notice (as I've remarked before). It would be upto the US to get "US-Use-Only" equipment manufactured. Which to echo another posters thoughts could also include all sorts of Utah "data back up" cloud storage options...

But this is where it gets all political... Because "the rumour on the vine" is the US has already got the testing done/ready up in those higher microwave frequences with a "nod and a wink" blessing or even "brown envelop funding" from the administation. In essence so the US can "steal a march" and stich up the chip market so as to favour the US.

I tend to be cautious with rumours of Governments and questionable if not illegal subsidies to home entities. Because although it's obviously done, sometimes very obviously, actually getting the level of evidence required is problematic at best.

[1] IMT-2020 requires support for,

1, "enhanced Mobile BroadBand" (eMBB).
2, Additionaly support for new ‘use cases’ requiring,
2a, "massive Machine-Type Communications (mMTC),
2b, "Ultra-Reliable Low Latency Communications" (URLLC)

What ever those may mean on the day you look them up... Because it appears there has been a lock step development between 5G and IMT-2020 requirments (often called "making it up as you go along" ;-)

Clive RobinsonJune 11, 2019 8:01 PM

@ The Evidence,

I was going to let it pass but scince you named me in the comment I have to say you are being disingenuous.

When you say,

Huawei Gear Findings

As GCHQ made it very bluntly clear at the NSC meeting that got leaked, it's an old problem and it is most definitely not a "Huawei only" problem. Which is why GCHQ had a mitigation strategy drawn up and ready to go long before various persons in the current US administration got into their very own "China Syndrome".

As GCHQ pointed out the network in general is not vulnerable to the sort of things people are speculating about. Only certain "key areas" have issues and the language used to the Prime Minister and others present was "ministerial speak" for "Use only our own kit there".

Also be honest whilst the US has been repeatedly caught with it's IC / SigInt agencies putting implants into kit being exported, you fail to mention it at all... Most unbalanced.

You then go on with,

British security officials were becoming increasingly frustrated with what they viewed as Huawei’s failure to fix software flaws in its equipment

There is a lot more behind that story than you might think. As industry insiders will tell you all telco equipment manufacturers are in that state. They unfortunately have to be to even remotely be competative, it's very far from desirable but it was Western Government behaviors that caused it back in the 1980's.

But there is one major difference, other companies have not agreed to alow a detached section of GCHQ that appears to many to be abusing the agreement to get it's own engineers "trained up for free". Also what are being reported back to the company is not what you would call a "bug report" more a sick joke. In essence they wave a hand in a general direction and say fix the problem with it. When the company engineers say "what problem" the effective reply is "Oh we can't tell you that just fix it"...

What that report actually shows is that those in that part of the UK government are detached from reality and that the Chinese Company is playing on a rigged pitch, because no other nations products are subjected to that level of scrutiny, and that's important when we get to you bringing up Australia.

Personally I think it should be a "level playing field" and that all the telcos tendering all have to go through an identical process. Then you realy would hear the truth of the matter there would be the rancid "squealings of a thousand stuck pigs" as you can be sure every other nation would demand "equal access to the source".

But also the report appears to have been somewhat of a "Put up Job". It talks of issues and makes them sound like they have been there forever, yet previous reports were different, have you stopped and asked yourself why?

Likewise the comment of,

“The chance of a vulnerability with a Huawei piece of kit is much higher than other vendors,”

It's actually not possible to determin because, firstly they don't put any other telco's through the same process. But secondly surprise surprise it's actually not quantafiable that way anyway as I've repeatedly explained in the past. Look at it this way if it was quantifiable we could use that as a tool to fix software errors so there were no errors... So at best the comment is unsupportable opinion at worst it's malicious hearsay...

As I keep warning people should not fall into the attribution game without verifiable evidence because they run the very real risk they will end up looking silly at a later date.

The problem with the report was it neatly falls into step with the latest "US Cyber-existential-thteat" nonsence which should bot just make you ask why? But also deeply suspicious.

Then you make this comment,

So here we have Huawei the WORLDS LEADER in 5G technology fitting software from like 20 years ago. What could be the motivation?

Tell me when did you last install an MS OS or Office?

You do know they have software from more than a quater of a century ago inside them don't you?

Some even goes back before Windows 3.11 and MSDOS and was not even original work by Microsoft, they just copied it in...

So tell me "What could be the motivation" for you fitting software like that on one of your systems?

Do you know that the code in question might actually be the same code Microsoft copied?

The fact it's twenty years old does not mean it has an increased negative impact on the reliability or security of the final product, in fact more likely the opposite.

As for the rest of your speculation why should it be given any more creadence than say the same pointed at the US-NSA and US-Cisco? Especially when they have actually been caught in the act?

The simple fact is you are just "Having a bash China" rant almost following the US Gov recomendations on such behaviours.

Which you then conflate again to come up with,

The bottom line is Hauwei 5g technology is the secret sauce that will tie the East and West Social Control Systems together.

Which as I noted GCHQ does not agree with. So how do you propose I reconcile the differences in your opinion and GCHQ's opinion?

But interestingly you provide a link to Australia. If you think back a little Australian Politicians are having sticky issues at the moment, they have because of their slavish behaviour to the Intel and LEO entities whims, lost the trust of the Australian people. But worse it got brought to world attention because of a stupid politician proving to the rest of the world they were stupid with their comment about the laws of Australia and the laws of mathmatics. Since then a lot of people in the rest of the world have been watching the Australian Comedy Noir play on with a certain degree of morbid fascination.

What some have come to realise is the "5G Game" was a set piece propaganda effort by the Intel Services.

Put simply the most damaging way to use 5G was assumed to be the starting point for the blue team. Then the red team no doubt using "information received" that originated in Bambary quickly exploited it to do maximal damage. Result as if on que "Shock Horror" chicken little is running around the political dives of Australia squawking "the sky's going to fall".

This sort of game is sometimes called a "fund raiser" because it is designed to scare the politicians into giving the Intel entities bigger empires. It's a similar game as the FBI setting up idiots as terrorists, so they can show what heros they are...

What you and everybody else need to realise is China is not the problem, it's your own governments have through stupid policy since the early 1980's done some very stupid things that have made their countries highly vulnerable to even a 14year old with a smart phone. Thus it does not matter a tinkers cuss what national agency or group of individuals exploit the situation created by your own government, because some one will that is the nature of the human condition.

As GCHQ know the actor is not important, it's how badly your home government has alowed the globe straddling communications technology to abuse the physical infrastructure and other structures.

If you don't want XXX blowing up YYY simply by a tap on a key then make sure all ZZZ assets are not directly or indirectly connected to a public network, it is after all plain old common sense...

So stop looking for "reds under the bed" or running another Cold War and the hardbit,

    Learn how to defend your self.

Alyer Babtu June 11, 2019 9:32 PM

@A90210

With more work

When, in later years, the history is written of the scintillating explosion of musical-computerological creativity that poured forth from the commenters of this blog, reference will, of course, have to be made to the prototype of the genre, the sublime “It’s All About the Pentiums” composed by dives “Weird” Al Yankovich.

A90210June 12, 2019 10:35 AM

https://www.nytimes.com/2019/06/11/magazine/universal-fire-master-recordings.html

"The Day the Music Burned

It was the biggest disaster in the history of the music business — and almost nobody knew. This is the story of the 2008 Universal fire.

[...]

In another confidential report, issued later in 2009, UMG [ Universal Music Group ] asserted that “an estimated 500K song titles” were lost. [ from multiple categories ]

[...]

In January 2016, Aronson lost his job at UMG. He had continued to direct the company’s vault operations following the fire, overseeing approximately 1.5 million master tapes that UMG maintained in storage facilities around the United States. He said he was never given a reason for his dismissal but chalks it up to differences of “archiving philosophy.” “I wasn’t speaking their language,” he said.

I sought out Aronson more than a year after learning about the vault fire. His account of events and knowledge of the vault’s contents confirmed the picture that had emerged from my review of legal documents and UMG’s internal records. Aronson admits he would not have consented to interviews were he still with UMG. But he insists he is not motivated by animus toward the company. He agreed to talk, he said, because he hopes the story of the fire will lead to a broader conversation about preservation. He expressed anxiety about his job prospects in light of his participation in this article. “I am a man of strong convictions on what I think is proper storage and preservation standards of music tape,” he wrote in an email in 2016. “I am also a 58-year-old man who is seeking employment with one of the few remaining music companies.”

There’s no mistaking Aronson’s strong convictions, and strong emotions, about the Universal fire. In dozens of conversations and email exchanges, he described the event as a personal trauma. “Sometimes I forget that there was life before the fire,” he said. “Even now, it gets me choked up, thinking about all those tapes.”"

A90210June 12, 2019 10:56 AM

https://www.nytimes.com/2019/06/02/world/middleeast/crown-prince-mohammed-bin-zayed.html
The Most Powerful Arab Ruler Isn’t M.B.S. [Saudi Arabia] It’s M.B.Z. [UAE]

https://theintercept.com/2019/06/10/trump-uae-businessman-spy/
UAE Enlisted Businessman to Spy On Trump White House

"In January 2017, three days before President Donald Trump’s inauguration, a businessman from the United Arab Emirates was invited to a lavish dinner planned by Trump’s longtime ally Thomas J. Barrack Jr., who was chair of the president’s inaugural committee. The guest list placed Rashid al-Malik, a onetime business associate of Barrack’s, amid more than 100 foreign diplomats and top members of the incoming administration. The president-elect himself made a surprise appearance at the gathering.

Al-Malik’s name later surfaced in connection with a federal probe into potential illegal donations to Trump’s inaugural fund and a pro-Trump Super PAC by Middle Eastern donors. Al-Malik was interviewed by members of special counsel Robert Mueller’s team and was “cooperating” with prosecutors, his lawyer told The Intercept last year. The New York Times recently reported that investigators are looking into “whether Mr. al-Malik was part of an illegal influence scheme,” although no details of that potential scheme have been made public."

vas pupJune 12, 2019 2:59 PM

How fish and shrimps could be recruited as underwater spies:
https://www.bbc.com/news/business-48515956

"The latest project from the US Defense Advanced Research Projects Agency (Darpa) aims to improve military intelligence by using a range of aquatic creatures - from large fish to humble single-celled organisms - as underwater warning systems.

"We're trying to understand what these organisms can tell us about the presence and movements of all kinds of underwater vehicles in the ocean," says Dr Lori Adornato, programme manager of the Persistent Aquatic Living Sensors (Pals) project.

Living creatures react in various ways to the presence of vehicles. One of the most familiar is the phenomenon of bioluminescence - some marine organisms glow with light when disturbed. This is the focus of one of Darpa's strands of research.
"If you have an organism like noctiluca present on the surface of the ocean and an underwater vehicle that's close to the surface, you will be able to see that from the air because of the bioluminescent trail," explains Dr Adornato.

But the Darpa team is hoping to gain a far more detailed picture of the movements of submarines and underwater drones.

"We want to understand if it is possible to distinguish the response of the organisms to natural versus manmade disturbances, or perhaps even certain types of manmade objects," says Vern Boyle, vice president of advanced programs, emerging capabilities at project participant Northrop Grumman.

"We'll be using advanced processing techniques, including machine learning, to analyze the signals and identify distinguishing features."

Behavior is an important indicator that potential sub-sea interlopers may be around.

Sea bass, for example, have been observed diving to the bottom of the sea when they hear a loud noise. Might they do the same, in a predictable manner, when encountering an underwater vehicle?
Behaviour is an important indicator that potential sub-sea interlopers may be around.

Sea bass, for example, have been observed diving to the bottom of the sea when they hear a loud noise. Might they do the same, in a predictable manner, when encountering an underwater vehicle?
Snapping shrimp, found all over the world in shallow water at latitudes less than about 40 degrees, continuously snap their claws together, creating a constant sound signal that bounces back off surrounding objects.

As with conventional sonar systems, measuring the time it takes for the sound signal to return, and its strength, can reveal the size, shape and distance of underwater objects.

"The concept doesn't rely on the shrimp changing its behaviour in any way when the vehicle approaches, it just uses the sound it creates," says Ms Laferriere.

This is important because you don't want your surveillance system to be detectable or to make its own noise that interferes with the sensors.

"It's a passive system," she adds. "It will be low-power and capable of detecting even the quietest vehicles."

How about squid?


No OneJune 12, 2019 8:14 PM

@ The Pull

I checked Jeremy Scahill's PGP key for its set up and overall quality:

1. It has expired.
2. It was not set up properly. They removed the certification key, but it still shows as available. This can lead to problems (according to some of the folks who wrote RFC 4880).

I am of the opinion that people should use separate keys for signing and encryption which are bound by a C key. And they need to have someone write a clear explanation and a step-by-step guide for contributors on how to communicate with a high expectation of privacy and anonymity.

It's quite surprising that The Intercept would not be more careful. I did not bother with the other details such as preferences and bit size.

They need someone who knows what they are doing to at least advise them.

The Intercept should be more responsible with the info they get, but they really do provide a valuable service to keep the U.S.A. from sinking into tyranny, of one sort or another. If something crazy happens--say, the Puzzle Palace is spying on the Supreme Court--and that info gets to The Intercept, then they can let everyone know. To my mind, that is why they exist: it is about keeping power in check, which is not a bad idea. That said, they need to think about the implications and immediate effects of the information they expose. They should make sure to play a positive role, and not do things to make the world less secure because of an unhappy employee, someone with an axe to grid, in or around D.C.

PaulJune 13, 2019 1:07 AM

@Clive Robinson wrote, "From what I can see China has made a political decision to not just create a new OS and similar IP but also to push hard on the international patent front. Neither bodes at all well for the US in this pissing contest the current administration have started. Those that will end up paying for it at the end of the day is US voters, who are not going to see any benifit infact the exact opposit for some time to come..."

Least the US of A still controls the vast democratic playing field of justice systems around the "free" world which "makes it right." First, though, the Chinese may have a few 5G patents but they certainly do not hold all of it. The Chinese 5G may be thwarted by other parties in a similar fashion if they choose to run on a patents platform.

I am not sure if things will bode well for US of A but we know that war creates profits and this trade war qualifies as a war. There are "profits" on both sides of the fences, on the negotiations, and on making amends. This is a reason "money" never runs out of venues/metrics to inflate into. Even in a cyber incident, there is a "cost" associated, as with trade wars. As long as "money" does not debase, the west will be just fine, IMHO.

The EvidenceJune 13, 2019 2:11 PM

@clive
Lets use a real-time example of the anxieties and fears of Hong Kong citizens losing freedoms through Chinese telecom gear:

‘Hong Kong's tech-savvy protesters are going digitally dark as they try to avoid surveillance and potential future prosecutions, disabling location tracking on their phones, buying train tickets with cash and purging their social media conversations.
Many of those on the streets are predominantly young and have grown up in a digital world, but they are all too aware of the dangers of surveillance and leaving online footprints.
Ben, a masked office worker at the protests, said he feared the extradition law would have a devastating impact on freedoms.

Many said they turned off their location tracking on their phones and beefed up their digital privacy settings before joining protests, or deleted conversations and photos on social media and messaging apps after they left the demonstrations.
There were unusually long lines at ticket machines in the city underground metro stations as protesters used cash to buy tickets rather than tap-in with the city's ubiquitous Octopus cards -- whose movements can be more easily tracked.

In a city where (Facebook) WhatsApp is usually king, protesters have embraced the encrypted messaging app Telegram in recent days, believing it offers better cyber protection and also because it allows larger groups to co-ordinate.

On Thursday Telegram announced it had been the target of a MAJOR CYBER ATTACK, with most junk requests coming from China. The company's CEO linked the attack to the city's ongoing political unrest.
While Hong Kongers have free speech and do not encounter the surveillance saturation on the mainland, SLIDING freedoms and a resurgent Beijing is fueling anxieties and fears.’
--
Substitute your country’s name for Hong Kong if your country’s myopic leaders are selecting risky Chinese Telecoms gear instead of safe European.

Unlike past wars don't expect the USA to save you this time. They have repeatedly warned the usually smart EU. Why is NATO silent on the all-to-real Chinese spying?
Is NATO defense useless against cyber-war and widespread infrastructure attacks?

Are the insightful articles and posts of a free, democratic society (espoused within this great blog) allowed within communist China? Or is Bruce already blacklisted by CCP?

https://news.abs-cbn.com/overseas/06/13/19/surveillance-savvy-hong-kong-protesters-go-digitally-dark

Note: I could not post a link to the South China Morning Post article because as I was forced to drop layers of my digital fingerprinting defenses, Google partner was revealed working in conjunction with other Chinese agent eavesdroppers. This stalemate prevented me from viewing the protest article. From Google and Facebook public behavior, they will do *anything* to partner with the CCP.

Clive RobinsonJune 13, 2019 5:05 PM

@ The Evidence,

Lets use a real-time example of the anxieties and fears of Hong Kong citizens losing freedoms through Chinese telecom gear:

Asside from the peculiar arrangement that is Hong Kong[1] the telecommunications issues apply to almost any supplier of equipment in any country of the world, something I've been pointing out for longer than these blog records go back.

In more recent times --as you can look up-- I've been quite vocal about not using secure messaging apps as they can not by their current design be made secure, none of them. I've actually said what needs to be done to remove the more obvious week links in the security chain but people are still buying into the "oh so secure app" nonsense. They will eventually pay the price for not thinking or listening. As they say "you can lead a horse to water...".

I got a fair amount of abuse when I started pointing out the obvious, funny I don't see anyone apologizing now I've been shown to be correct, so you will pardon me for being blunt it is after all for your own good.

What you appear to have trouble with is this is not a "China" or a "Chinese vendor" issue. It's actually an issues with "All Nations" and "All Vendors".

As I pointed out you could just as well say "USA" and "US-Cisco" because we know the NSA implant the equivalent of backdoors and malware on US-Vendor equipment as it is shipped.

As I said drop the China slant and open your eyes otherwise you are going to fall foul of the likes of the US Patriot Act or UK Regulation of Investigatory Powers Act or that whole raft Australian's got lumbered with by their Government not so long ago.

Get wise, because that is the way the Western World is turning, "Away from Democracy" and think about what that means for you your friends and your loved ones.

The fact much of the rest of the world, is as I've argued repeatedly in the past, due to the falling price and increasing capability of technology going the same way if not faster. What is going on in Hong Kong is happening all over the Middle East and a hundred more countries besides. What you don't get taught at school is that Democracy critically depends on the state being restricted in it's capabilities. Technology has unstoppered that bottle for good, and that political experiment that was democracy is comming to a close.

We in the West with our "arms trade" amongst other things have hastened that end, all due to "quick profit" "short term thinking" and it was all entirely predictable with many signs at the side of the road and red warning flags waving. Heck I've put up a few and waved a few of them myself, you can read some of them on this blog. However unlike many I've also said how to mitigate these issues, again you can read them in this blog and others for free.

But this increasing surveillance is after all also "old news" go back and read the various articles about the CIA/NSA getting inside the Greek Mobile Telephone network before, during and after the Greek Olympics. There was no Chinese or Chinese vendors involved there, just US and European vendors.

It's a very real and freedom/democracy wise existential problem but it's not unique to Australia, China, Europe, Israel, Russia or the USA. Nor is it unique to anyone of the vendors.

Most of those things the Hong Kong protestors are doing is not at all savey as some will no doubt find to their cost in the future. Switching one vulnerable app for another is like running under trees in a storm, you will get wet, and the chance you will suffer harm or die goes up. The time to start doing things is long before people start getting angry and it's something you and most of the readers on this blog should realy realy think about because it's heading your way.

One of my pieces of advice to people about privacy/security is that "just like charity it should begin at home" and likewise "be taught to the children".

My generation and perhaps the one after may be lucky enough to die before what we call freedom / privacy / democracy does. Unless the other generations take that on board and deal with it the dystopian futures we've read about will be pale shadows of the future reality. Why? because story writers imaginations are limited by their present, they can only guess where technology will go, and if history is any judge it will almost always be for the worse, which does not bode well even for dystopian stories.

[1] I lived through "the return of Hong Kong" and many in the UK felt that we had betrayed those living there. The reality was there was little or nothing the UK Government could do. Believe me if there was, the then Prime Minister Margaret Thatcher would probably have done so, as she did with Argentina and the Falkland Islands, because Hong Kong was way more strategically important at the time. But as was pointed out at the time China would not even have to "starve them out" because as they had shown on many previous occasions all they had to do was turn the water off (or worse poison it in some way). For better or worse Hong Kong belongs to China, the few extra freedoms it has from the negotiations of the hand back are what makes it different. The simple fact is the people of Hong Kong are on their own just as are many small nations around the South China Seas. If you feel like blaiming anyone, then how about all those companies that despite being warned outsourced work to China to make their economy stronger at the expense of their own economy.

No OneJune 13, 2019 9:56 PM

@ The Pull

Exactly. The hobbits at The Intercept are not fit for purpose.

If someone wants to escape the Eye and talk about Mordor's secrets with the elves, it is best not to put on the Ring of Power. As soon as a mere mortal puts it on, the Eye turns your way.

Unless, come to think of it, DIRNSA would put on the ring, and then the tower might really come down.

JerryJune 13, 2019 11:00 PM

@The Evidence wrote, "Many of those on the streets are predominantly young and have grown up in a digital world, but they are all too aware of the dangers of surveillance and leaving online footprints."

This is a chicken little mentality that unfortunately prevail among the milleniums when it comes to personal ideology. Like we discussed in the other thread about whistle blower protection, what they are doing is asking for protection while trying to make a martyr out of themselves. What makes "whistle blowers" stand out is not only the wits but also their courage in the act. Creating an imaginary "safe zone" for whistle blowers not only pollutes the act but marginalizes it with a set of guidelines.

The original tiananmen square protestors were intrepid and did not care if they were documented and photographed. That is what protest is all about. Shutting off your phones and deleting facebook whatsapp messages, even though they weren't really deleted anyways, does not give any rise nor any more legitimacy to the protest movement.

lurkerJune 14, 2019 12:01 AM

@ Clive

What some have come to realise is the "5G Game" was a set piece propaganda effort by the Intel Services.

Put simply the most damaging way to use 5G was assumed to be the starting point for the blue team. Then the red team no doubt using "information received" that originated in Bambary quickly exploited it to do maximal damage....

I've just got round to reading the Reuters story (Hobbling Huawei...) and this has got me puzzling:
The understanding of how 5G could be exploited for spying and to sabotage critical infrastructure changed everything for the Australians, ...

Mike Burgess, the head of the signals directorate, recently explained why the security of fifth generation, or 5G, technology was so important: It will be integral to the communications at the heart of a country's critical infrastructure - everything from electric power to water supplies to sewage, he said in a March speech at a Sydney research institute.

I'm a bit old, and slow on the uptake, but umm? If you've got a bunch of infrastructure that's critical to your civilization, and it's sort of working OK now without 5G, why is there a compulsion to connect everything to the 5G net? Is it part of the purchase contract on 5G kit? I get that script kiddies will enjoy getting your fridge to talk to the bathroom lightbulb 3 houses down the street, but they can do that now without 5G.

I feel a P.T.Barnum moment, all along I've been overestimating the intelligence of Australians...

1+1~=UmmJune 14, 2019 2:30 AM

De-Google Your Life Backlash.

I guess this has been building slowly, but the number of 'De-Google' articles are starting to grow since the EU GDPR and Alphabet/Googles seniors decided to play hardball, Oh and run to the US Government and do a 'China is steeling our cheese' sob sob story.

Here are a couple that my attention was drawn to during the day,

https://nrempel.com/de-googling-my-life/

https://restoreprivacy.com/google-alternatives/

If you have JavaScript off --which more are advising these days now Google is attacking add-blockers-- the first site does display a little warning but is still readable.

Hopefully the trend will continue because the 'On-Line Advertising' market is quite a dishonest one as almost any serious investigation shows up. Oh and apparently it has a very poor success rate, which is why spaming websites etc is still going on amongst other things.

14 June 2019 00:00:00June 14, 2019 6:06 AM

https://www.nytimes.com/2019/06/13/opinion/privacy-law-enforcment-congress.html

"I’m a [federal magistrate] Judge. Here’s How Surveillance Is Challenging Our Legal System.

Prosecutors have stepped into the void left by Congress’s failure to say how far the police can go in using investigative technology.

On most weekdays in the federal courthouse in Brooklyn, prosecutors will ask the magistrate judge on duty to issue lots of sealed orders authorizing them to use all sorts of investigative technologies or requiring technology companies to keep tech-based searches secret.

But that typically won’t happen when I’m the judge on duty. When it’s my turn, the docket gets awfully quiet as prosecutors wait for another judge. That’s not because the prosecutors or other judges are doing something they shouldn’t. It’s because prosecutors think they’ll stand a better chance of getting what they want from another judge. This waiting game is a symptom of how new surveillance technologies are challenging a legal system that hasn’t figured out how to handle them. (The views here are my own, not those of the federal courts.)

Congress is way behind in determining how far the police can go in using technology to invade people’s privacy, and many of the legal disputes arising from this collision have not reached the Supreme Court. For the public, as a practical matter, the rules of the road are being decided by prosecutors. Your privacy is not their highest priority ..."

The PullJune 14, 2019 10:05 AM

@No One

Hahahaha... protecting sources is the name of the game they are playing, and they are unaware of it. I really agree with you, they need someone to handle sources.

vas pupJune 14, 2019 12:30 PM

@judge's opinion:
"Congress is way behind in determining how far the police can go in using technology to invade people’s privacy, and many of the legal disputes arising from this collision have not reached the Supreme Court. For the public, as a practical matter, the rules of the road are being decided by prosecutors. Your privacy is not their highest priority ..."
Yes, that is true. LEAs/IC, prosecutors just opportunists utilizing vagueness or gap of law in their favor. The only option is to create legal environment by LEGISLATURE which put privacy as highest priority in clear laws and regulations. Same will prevent judges legislate from the bench - I guess.

A90210June 14, 2019 4:04 PM

https://mobile.twitter.com/KevinRothrock/status/1138659524708114433

"As promised, here's my translation of Ivan Golunov's Aug 2018 investigative report into Russia's corrupt funeral business. This is the journalism (plus a forthcoming part two) that got him arrested over the weekend and turned the country upside-down. [ https://meduza.io/en/feature/2019/06/12/coffins-graveyards-and-billions-of-dollars ]

Coffins, graveyards, and billions of dollars How gangsters and officials in the police, military,...
About two million people die in Russia, every year. In that time, the country’s funeral industry officially does about 60 billion rubles ($924.6 million) in business. According to estimates by the..."

A90210June 14, 2019 4:46 PM

@Ismar

"This week's raids, and any attempt at intimidation, is an outcome of a mindset that has snuck up on most Australians, largely under the cover of "keeping us safe" from terrorism, writes Laura Tingle."

https://www.democracynow.org/2019/6/11/press_freedom_australia_police_raid_journalists
"Press Freedom Under Attack: Australian Police Raid Network for Exposing War Crimes in Afghanistan"

https://www.democracynow.org/2019/6/14/national_security_laws_are_being_used
"National Security Laws Are Being Used as Excuse to Clamp Down on Press Across the Globe"

Clive RobinsonJune 14, 2019 10:43 PM

@ Lurker,

I'm a bit old, and slow on the uptake, but umm?

Not that I'd noticed, but then you might be in good company ;-) Im not exactly as sprightly as I once used to be :-(

If you've got a bunch of infrastructure that's critical to your civilization, and it's sort of working OK now without 5G, why is there a compulsion to connect everything to the 5G net?

Well the first thing to realise is that 5G is no more dangerous, than any of the other GSM specifications. It is effectively of European origin and the technological input is open to any who wish to contribute, and like most other Standards bodies there is a voting process in place. Thus anything obvious would, you would expect, get dropped early on.

The problem is that historically telecommunications standards committees tend to be full of "second hand spooks/wannabes". They want the telecommunications standards to have insecurities for their own snooping.

This goes back to atleast the 1980's to my direct knowledge, and based on others it goes back atleast another thirty or fourty years before that so from the very early 1950's if not earlier. So all Western SigInt agencies connected to the "Eyes" know what the game is and they tend to play tag amongst themselves to ensure they get what they want.

But since the Ed Snowden revelations and the NSA getting caught red handed in various skulduggery manipulating standards amongst other things the "spook club" has been more than obviously outed... Thus various other eyes of investigative journalists and trade press are peering in to the actions of such committees looking for a "finesse" or two in progress. Further not all those on those committees are part of the "spook club" and they are not just suspicious but voting away from the path laid down by the spook club managment. This has displeased a number of people greatly, who basically want the sheep to return to their fold and bleat for those faux "health and safety" and similar changes. Changes that let that chill wind in the "tradesmans entrance" giving rather more than just a sense of intrusion.

Thus the chances are the Huawei submissions to the standards bodies are probably amongst the least suspicious of the submissions to the committees. Why because you need to remember Huawei have that center in Banbury in Oxford where the UK's GCHQ get to see all their software...

Thus the "spook club" has a mainly unseen advantage, they get to see Huawei's code as it is developed and have done for a while. Which is rather more than they get from others who submit ideas etc to the standards committees.

Thus GCHQ could have tried the tactic of highlighting faults in Huawei's submissions. But if they tried that it appears not to have worked out on the standards committees. However GCHQ like the rest of the UK IC does have close links to the US IC, we know for instance money gets transfered out of the NSA budjet to the GCHQ budget. So you have to ask what that gets the US Government directly and indirectly.

That said the thing everyone should take on board is by far the majority of telecommunications networks including all the public access networks are totally insecure...

That's because they were never designed to be secure in the first place[1], just have high "availability" and more recently "interoperability". That is they are designed to be both robust and simple to work with. Which no one who has worked with secure communications networks could say of SecureComms because they are often neither simple nor robust in usage (speak to anyone who was in on the early days of IPv6-Sec to see more frown lines than you'd find furrows in a ten acre field).

As I've indicated GCHQ are well aware the networks are insecure and the security is decreasing with time and integration. They make this abundantly clear to the UK Gov this from time to time at NSC meetings, and the GCHQ view point is so well known in the industry it's not even classified at "restricted". However In one recent NSC briefing GCHQ informed the current UK executive of this and how they intended to deal with the problem by mitigation. Thus that Huawei could participate in UK networks as could any other supplier. However there were certain areas that were still security critical that would require secure equipment but did not specify what equipment or from which vendors. Again nothing unknown in this view point in the industry. However somebody decided to make political milage out of it to embarrass the current UK executive... So now the information should be known to all who can read a newspaper, read a web site or watch the TV news...

So "shock horror" all the networks you as a member of the public have access to are "insecure by design" in that no encryption or authentication is built in.

But this has been true since the first digital networks back in the 1960's if not a lot earlier if you consider the old Telex and Telegraph networks as digital.

Back then the security stratagem was public and private networks that were "air gapped" or kept entirely physically seperate. These secure networks were in effect "hard routed circuits" and to equipment at the consumer premises effectively four screw terminals on a block on the wall, just like any other fixed capacity "leased line". This alowed for "point to point" communications with encryption along the entire circuit as a single link. But in practice encryption was rarely used the security was by "trust" of the state owned telecommunications provider and one group of it's "secret squirrels" keeping it air gapped at all levels.

The 1980's however saw the deregulation of the telecommunications markets and the introduction of mobile phone[3] networks. Initially such networks were "laid over" the existing phone networks. It was realised fairly quickly that the existing phone networks were rapidly approaching if not had reached the end of their life. Thus the phone network got replaced with a data network thus both phone and data were carried not just together but thoroughly intermingled. Thus the likes of leased lines became virtual not physical and their effective "air gap" security had disappeared.

The other problem was deregulation brought multiple service operators all with access to the control side of the network. This control network (Signaling System 7) again was never designed for security, just simplicity and efficiency...

This integration of "services" and thus having just one future proof network is what 5G is the current aimed for culmination of. It is in a Tolkien way "One Network to Rule them All". And because of that it will almost certainly be the cause of a whole new class of security practice in the next few years.

To see why you need the simple realisation that whilst some security can be switched in via software, what can be switched in by legitimate users can be switched out again accidently or by design by both legitimate and illegitimate users. We see this happening all the time with the Boarder Gateway Protocol (BGP). We can expect it to become worse with 5G irrespective of who supplies the equipment because it's built in as a fundemental part of the design of ALL public communications networks currently.

Thus the outcome of that Australian experiment was well known even before it was thought of, hence it was a "chicken little" publicity stunt aimed at Australian press and politicians, to achive the expected outcome. Thus Australians should be asking which of the other Five-Eye nations thought it up and put the play in place?

It's a reasonable bet that the UK was involved technically, likewise the US politically.

With regards the issue of "critical infrastructure" being some how "air gapped" one old way used to be by using the radio spectrum. But mobile communications has put such a demand on the spectrum that governments are gleefully clawing it back from existing users and then auctioning it off at what they hope will be large sums that can then be used to bribe voters with come the next elections.

Thus due to politicians not making provision, critical infrastructure will have no choice but to use 5G networks as they are installed and existing networks removed.

Douglas Adams had a throw away gag line about a planet falling into economic suicide because of the proliferation of shoe shops. He called it the "Shoe event Horizon"[8] like that of a black hole event horizon, where once you have gone beyond it escape is not possible. Well telecommunications is kind of heading for it's own "event horizon" for basically the same reasons.

But it's not just commercial data communications, even Amateur Radio is heading that way in the US due to the ARRL. Put simply they want more members, thus they need to broaden their appeal. One way is to "Day Boat Skippers" and sailors. For various reasons you don't get much in the way of data comms at sea unless you pay large quantities of money to satellite service providers. However low bandwidth data comms that will alow text based Email will work "over the horizon" in the HF bands. There is a service available to day boat skippers and the like but it's not free and there are stringent data caps. Various people have pointed out that Amature Radio Operators use HF bands and have a very similar Email service some have set up[9], but it is free to use and has no data caps... Thus you see articles in sailing magazines and similar saying day boat skipers should get their Technician Class Licence and get data comms for free. Well if you look at the entire HF spectrum there is less bandwidth than you get out of an old ADSL line. But that does not stop the tale being told that the land of Amature Radio is paved with streets of very broad bandwidth. None of which is helped by the ARRL going into discussions with the FCC and others to change the current HF band plans to be all digital modes which would appear to fascilitate the day boat skippers dreams of free data comms...

[1] Designing an efficient secure communications network[2] is --beyond a couple of trivial examples,-- extreamly difficult[5]. Designing one with international public access to unknown data streams is effectively impossible and would not be alowed by most countries.

[2] Networks consist of links and nodes over which traffic needs to be optimally balanced. To simplify things in the past "circuit switched" networks were used, these make sense for continuous traffic that requires low latency but are not efficient even for that type of traffic especially with modern data encoding and compression algorithms. With computer data circuit switching is even less efficient so packet switching is used, but this requires each packet to carry an overhead of source and destination information so it can be routed. This means that the nodes need to see that information to route a packet towards it's destination. Therefore whilst you can encrypt all data on links you can't encrypt the routing meta-data through the nodes. Thus you end up with link encryption for the meta-data even if you youe end to end encryption for the payloaf/message data. Whilst you can use tricks such as Onion routing it does not scale particularly well and nore is it efficient because it is in effect a form of circuit switching that takes no account of network load thus balance.

[3] For those of us old enough telepones were once boxes that sat on a table or hung on a wall that had a "hook switch" that a corded handset hung off in various ways. Back in the 1960's with transistor technology, it became possible to do away with both the mechanical hook switch and the cord from the handset to the box on table or wall. These handsets thus became known as "cordless phones" for the obvious reason. Superficially to a user a cordless phone and a mobile phone look and behave the same around the home. However a cordless phone is tied to a fixed point on the Plain Old Telephone System (POTS) network just as the old box on table or wall were. Mobile phones however work to anyone of a number of available receiver sites with the radio network responsible for switching to the POTS trunk circuit. Cellular networks are a way of making mobile networks more efficient in operation by sharing not just frequency bands but individual channels in various ways. The "coverage" size of cells ranges from many square miles in rural areas down to less area than the old cordless phones had. In many ways there is little difference between such small cells and home WiFi access points (APs), which is why you can buy phones using VoIP via WiFi. In fact all smart phones should with an appropriate piece of software be capable of doing the same, but your "contract" provider obviously did not want you doing that whilst differentiation alowed increased profits[4].

[4] 5G is supposed to get rid of all such distinctions and present an open interface to the future. Thus you have sources of data and sinks of data that may or may not be connected together in various ways. As some services such as "mobile video conferences" require multiple streams of data to be sent to multiple users and remain synchronized there is quite a bit of complexity going on under the hood[5].

[5] Unfortunately in the general case where there is complexity, efficiency or both there are usually security issues with side channels, traffic analysis and other problems of the likes of key distribution. These can be designed out, in the specific if you know how and importantly what attacks you are preventing. Unfortunately though the SigInt and other IC agencies don't want you to be able to do that. So they try where possible to keep things secret "unto them selves"[6].

[6] This is what GCHQ means in part by it's mitigations. There are various suppliers of NATO CommSec equipment, the design of such equipment is built to various EmSec and other requirments. Often it is modular, such that a Secure Phone is designed by one manufacturer but the Crypto Unit it uses is designed by a different manufacturer and supplied in tamper proof&evident casing via a highly audited process. Again the Crypto Unit is built with chips that are supplied from another secure manufacturer by another highly audited process. The ovarall process is inordinately expensive[7], grossly inefficient and even with care still suffers from supply chain issues.

[7] Because of it's expense secure communications is a prime target for axe grinding politicians, who have in the past in the US --where these things are more visable-- forced the use of "consumer grade" systems onto government in general. Unsurprisingly as the consumer grade equipment has not been designed with security in mind specifically because secure design techniques have been kept largely secret from manufacturers by the SigInt and IC entities, the government has suffered all sorts of security issues just as commercial organisations and individuals have...

[8] http://www.thehistorialist.com/2017/05/so-long-and-thanks-for-all-shoe-stores.html

[9] Which is hardly supprising when you learn that the data communications protocols the expensive maratime service uses to give data comms to day boat skippers were originally developed by Amature Radio researchers and experimenters quite a few decades ago. As such they are not upto the same efficiency as other more modern protocols developed by Amatures some of which are way ahead of anything the industry is producing.

PaulJune 15, 2019 3:23 AM

@Clive Robinson wrote, "The problem is that historically telecommunications standards committees tend to be full of "second hand spooks/wannabes". They want the telecommunications standards to have insecurities for their own snooping. "

This may be plausible but it appears that the more advanced spooks such as USGov would want insecurities that can be exploited by themselves only, not available to all other participating operators. Hypothetically, this cannot be accomplished without forcing a set piece or two down the other partners throats because a vulnerability should be agnostic and indifferent of the perpetrator (or operator in this case). Thus, this remains a mystery to me as to how the US Gov will work a 5G network segregated from some parts of the world (such as those running Huawei equipments). However, I suspect this is a second-layer issue because the bigger battlefront as you have said is fought on the over-the-top secure comms front.

Clive RobinsonJune 15, 2019 6:13 AM

@ Paul,

This may be plausible but it appears that the more advanced spooks such as USGov would want insecurities that can be exploited by themselves only, not available to all other participating operators.

That is relatively modern and realy only possible with certain types of system where there is a high degree of redundancy.

If you have experience of mechanical ciphers and some early electromechanical and later electronic ciphers based on them you will know that if your opponent grabbed a copy then all was in effect visable to them. More importantly they could relatively easily duplicate them.

Thus if you had the mathmatics you could work out there were "weak keys" and "strong keys" in such systems unless you designed them out.

In tactical cipher systems which are the ones most likely to be captured by the opponent the actual strength of the cipher does not have to be great, just strong enough to make tactical battle plans visable to your troups whilst invisable to the opponent. Thus "ease of use" and just a few days security against somebody using pencil and paper upto around the mid 1950's were effectively the requirments for a field or tactical cipher.

Then somebody worked out there was a "knowledge gap"...

What if you had the mathmatics but your opponent did not, what advantages could you get from that?

Well lets say you designed a mechanical cipher system that had a large key space, but had a range of strength of keys from very weak through to very strong. If your opponent copied it what would that get you?

Well firstly remember a very large key space gives a lot of redundancy. So if the opponent did not have the mathmatics they would make their key selection process random "over the whole key space". They would on average have their messages encrypted by the proportion of key strengths. Whilst you with the mathmatics make your key selection process random "over only the strongest key space". Thus you only ever use strong keys because there is sufficient redundance in the key space to alow you to do so.

When backed up by the likes of the methods developed and refined at Bletchly during WWII of catalog building for probable plain text and traffic analysis to make the probable plain text selection more refined, breaking the opponents communications becomes almost trivially easy. You get "plain text" from their usage of weak keys which with traffic analysis makes the breaking of stronger keys easier and so on. Even if you don't read the messages they encrypt under the strongest keys as you have a high percentage of the messages any way, and traffic analysis will fill in the blanks in the oponents order of battle etc.

In the 1970's and early 80's the release of memoirs from those involved with the work of Bletchly made obvious to those who had not realised it before the strength of both catalogues and traffic analysis along with "weak key" usage.

Thus knowledge gap techniques exploitin redundancy in key space went away for a while.

With mathmatical ciphers it's come back again but now we have an open crypto community with intense academic rivalry. The easy gains against key space redundancy in RSA for instance have been realised[1] thus the knowledge gap between the SigInt agencies and the open community has collapsed a lot and in some cases the open community may well be ahead of the game. I certainly have reason to believe so.

But as we know the NSA,tried it on with the dual eliptic curve random geberator. Some were suspicious but let it go untill the NSA did a couple of stupid things. One was the behaviour of their chosen person on the NIST committee was so bad they drew deep suspicion on thrmselves and got called. Another was the payment to RSA to promote what was a very inefficient algorithm to be the default. This made some with suspicions look a little deeper and say things, which with the competitiveness in the open community had a snow ball effect and NIST ended up with the ignominy of withdrawing a standard. One result of which is the NSA representatives are treated with the highest suspicion currently. It also highlighted some of their earlier tricks with the AES competition which was much more proffessionaly "finessed" but still caught by the open community fairly quickly though it's taken an age for people to act on it.

But the story of exploitation of redundancy in random number generator did not die. If you remember it came back to life in Jupiter Networks source code for some reason that is still not satisfactorily explained. Thus yes I expect such NSA originated behaviour to continue. The flip side is that the fear of NOBUS in standards is making some people to "roll their own" which may be just as bad in the long run.

Which brings us around to Simon and Speck and the NSA goings on there. Whilst they did not make it into a standard they don't appear to die...

The recent paper has caused some controversy about the open crypto community. The question is was it just something odd or an actual attack on not just the open crypto community but on what the open crypto community has achieved.

For by far the majority of people we have to take what the open crypto community says on faith because we have our own knowledge gaps. If that faith gets attacked and broken then the likes of the NSA win, because it provides excuses for inaction by managment and developers. That is rather than heed a warning to replace or update algorithms, they have the "yeah well they got it wrong with XXX lets just wait, they've probably got it wrong this time". Thus things get delayed or worse left in as "backwards compatability" just in case...

There are a good deal of inventive minds still working on GS-pay they will always be looking not just for new attacks, but variations on old ones, or worse still waiting for us to forget.

One of the most shocking things about the ICT industry is just how quickly we forget things, thus attacks from a few years ago are in effect "as new"...

As has been noted, the price of freedom is eternal vigilance, and you can be sure that we the citizens are most definitely the new enemy in some peoples view.

[1] Have a look at the work of Adam Young and Moti Yung into hiding things in the redundancy of keys used in mathmatical ciphers.

lurkerJune 15, 2019 8:06 PM

@ Clive

This integration of "services" and thus having just one future proof network is what 5G is the current aimed for culmination of. It is in a Tolkien way "One Network to Rule them All"...

I was afraid that must have been the reason. Lucky I've still got a roll of copper wire in my cave. Now, is there anything left to connect it to...?

Clive RobinsonJune 16, 2019 1:33 AM

@ Lurker,

Lucky I've still got a roll of copper wire in my cave. Now, is there anything left to connect it to...?

Well yes, the antenna socket(s) of a portable amateur all band HF/VHF/UHF transceiver like a Yeasu FT817-ND...

A number of people are working on new networking and mesh communications systems for Amateur (Ham) Radio, that work in the HF through microwave bands at various speeds. Things have come along quite a bit since the Phil Kahn (KA9Q) NOS AX.25 software[1] for 286-486 MS-Dos 4 and above PC's. Whilst it would not be too difficult to get it up and running on pre 1995 hardware if you still have any (no Intel ME ;-) there is still a lot you can do with it. Just for fun years ago I got it running over SLIP using some modem chips that I connected up to a couple of X-Band Gunn Doppler radio units it worked quite well over a 10Km path.

It's also well within an Amateur or Maker's ability to find copies of the C source and do the same again. This time using ~1USD microcontroler chips from the likes of MicroChip and those ultra cheap Baoufung VHF/UHF hand sets. But your data rate would be down between 2100 and 9600 bits/sec and your range just a few miles.

But... Why build your own hardware these days when you can by stuff of the shelf very cheaply and get high bandwidth or intercontinental range?

Due to WiFi and OpenWRT some Have developed the "Amateur Radio Emergency Digital Network" AREDN which alows up to 54MB/s data transfer rates over 13cm radio systems to alow VoIP / Video / Data on what is the equivalent of a private LAN or mini internet...

https://m.youtube.com/watch?v=fkl5Nbnz24Y

Whilst I do get some amusement from the more outlandish "preper sites" (think a new version of "Reality TV") a few have done some interesting work using pre-made bits you can get hold of. One Ham operator who calls himself the Commspreper has done some practical stuff with AREDN and you might be surprised at what he has done with it. For instance this little mountain top experiment,

https://m.youtube.com/watch?v=4r4tM5llImU

Which is a bit more refined than his earlier experiments,

https://m.youtube.com/watch?v=rJmfpPdsD98

https://m.youtube.com/watch?v=ur0MxzUyvrU

You can search for "AREDN mesh networking" and come up with some interesting stuff. Basically anything you can do with a home Local Area Network(LAN), but then some more such as have a high bandwidth gateway to the UHF/microwave RF mesh Wide Area Network (WAN) that will "line of sight" upto 30KM using easily available kit that can then route traffic through a mesh network the length of continental America.

It will also "telnet" connection to a low bandwidth HF WinLink style Email mesh network that works across continents around the world,

https://m.youtube.com/watch?v=WRv9DbqnnDg

[1] https://en.m.wikipedia.org/wiki/KA9Q

PaulJune 16, 2019 10:09 PM

@Clive Robinson wrote, " Another was the payment to RSA to promote what was a very inefficient algorithm to be the default. This made some with suspicions look a little deeper and say things, which with the competitiveness in the open community had a snow ball effect and NIST ended up with the ignominy of withdrawing a standard. "

If I'm not mistaken, RSA has always been on heavy "defense" payroll as they also have office in the D.C. Having that in mind, I would not be surprisd if the "open crypto community" has been polluted in some way by government spooks. The practice of segregating knowledge, particular in the field of technology, is a tried and proven process for decades as the "government" must tap into the vast "research" academic field. When knowledge is segregated in any particular way, it tends to go off in all tangents and hypothetically the academics will get ahead by shear number. But even so, it takes a governmental eye to recognize such advancements because when you have idiots going off in all tangents they often dont know where they end up. It's been a known practice for such "government" entity to keep a keen eye out for "talents" not just for their achievements but projected potentials. In order to do so, they must set up a vast number of "eye" and development "criteria" for such scanning process which I can attest to. Thus, an easy way to look for such government "eye" is thru the development process and the people involved, their motives, and where the information end up.

k15June 18, 2019 3:41 PM

Questions for Bruce Schneier:
In the race between generating believable fakes and generating effective fake-detectors, do you think the 'detector' side will always come out ahead? If it doesn't, does that mean that a more limited range of kinds of societies will still be functional? (What kinds?)

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Sidebar photo of Bruce Schneier by Joe MacInnis.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Security.