Friday Squid Blogging: Fantastic Video of a Juvenile Giant Squid

It’s amazing:

Then, about 20 hours into the recording from the Medusa’s fifth deployment, Dr. Robinson saw the sharp points of tentacles sneaking into the camera’s view. “My heart felt like exploding,” he said on Thursday, over a shaky phone connection from the ship’s bridge.

At first, the animal stayed on the edge of the screen, suggesting that a squid was stalking the LED bait, pacing alongside it.

And then, through the drifting marine snow, the entire creature emerged from the center of the dark screen: a long, undulating animal that suddenly opened into a mass of twisting arms and tentacles. Two reached out and made a grab for the lure.

For a long moment, the squid seemed to explore the strange non-jellyfish in puzzlement. And then it was gone, shooting back into the dark.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Read my blog posting guidelines here.

Posted on June 28, 2019 at 4:11 PM • 75 Comments


Ronnie June 28, 2019 7:19 PM

Huawei enterprise network products full of vulnerabilities

The US-based IoT-security outfit said it analyzed more than 1.5 million files associated with 9,936 firmware images linked to 558 products in Huawei’s enterprise networking portfolio – and found them wanting. Its dataset consists of Huawei firmware over the past 14 years, up to April 2019.

Direct link to the report

I originally read this in another newspaper but the Register asks the same question I was thinking of:
How would this compare for other companies if you did a similar deepdive analysis of their product lines?

Track THIS Plus Plus June 28, 2019 9:02 PM

Adding an additional browser agent spoofing by generating unique and random browsing fingerprints per Track THIS page would simply add to the fun. Randomize the SSL cipher handshake as well for an additional vector of confusion. Write a short shell script and get a couple of Raspberry Pis in a cluster and launch the madness just for the fun of it. A sprinkle of TOR routing for added confusion over the IP network to seriously throw them off their radars.

Ismar June 29, 2019 5:41 AM

I stopped reading after this passage
“Let’s be clear, though. This will show you ads for products you might not be interested in at all, so it’s really just throwing off brands who want to advertise to a very specific type of person. You’ll still be seeing ads. ”
And then I just laughed and laughed

WhiskerInMenlo June 29, 2019 9:23 AM

This: “For a long moment, the squid seemed to explore the strange non-jellyfish in puzzlement. And then it was gone, shooting back into the dark.”

Is a total metaphor for the probing and poking that the internet is full of.
Viruses, criminals, law enforcement and more.. The attacks on routers and IOT devices
are mostly invisible then a whale washes up on shore — starvation, belly full of rubbish

29 June 2019 00:00:00 June 29, 2019 9:57 AM

“Ajit Pai Is Working Hard to Make Broadband Users Dumb Again

The death of federal net neutrality protections in the United States didn’t only give ISPs license to penalize customers who don’t agree to buy their services. It also pointlessly mystified the process whereby consumers acquire the most basic, unsimplified details about their home internet’s price, speed, and capacity.

Case in point: In April 2016, the Federal Communications Commission (FCC) rolled out new labels for mobile and fixed broadband providers to help consumers find specifics about the price and performance of U.S. broadband companies. They mimicked the Nutrition Facts Label, to which consumers were already accustomed. They were chiefly designed to help consumers make informed decisions about which broadband service best suited their needs.

In 2018, FCC Chairman Ajit Pai successfully overturned the net neutrality rules, doing away with the easy-to-read label. It was replaced instead with a system that’s unfriendly to even the average user. Today, broadband providers are permitted indeed to choose where online to publish their own transparency reports. One option for the ISPs is to disclose on their own websites; not a terrible idea, at first blush. No doubt that’s where most people would first check. Invariably, though, any company given leeway to freestyle its own transparency reports will format them conveniently and place them somewhere remote.

AT&T links to it at the bottom of its home page. Comcast’s, which is buried among more than 40 other links, reads: “Xfinity Internet Broadband Disclosure.” Verizon’s is amusingly labeled “Open Internet.”

The details of Verizon’s network practices, unlike its major competitors, whose pages are excessive with text, are entombed under an over-sized ad, which praises its own “[commitment] to an open internet.”

AT&T’s “broadband information” site includes five separate pages, what seems to be nearly a hundred different links, and dozens of thick paragraphs full of irrelevant information; touting, for example, how much money the company spends managing its networks. One paragraph reads: “As you would expect, our network management practices and our service offerings have evolved over time to benefit our customers and take advantage of the billions we have spent to expand and augment our networks.

But advertising, of course, is not the purpose of these legally required transparency reports.

And here’s where it gets even worse…”

“Internet Providers Look to Cash In on Your Web Habits

Broadband operators mine customers’ internet-use data, which is valuable to advertisers

Internet providers know a lot about what their customers do on the web, including the news sites they read, health ailments they research and entertainment services they use. They often know where those customers shop and manage their finances, too.

Now, they are deciding whether to use that information to sell ads. Some industry titans are being more aggressive than others, even as regulators are pressuring Silicon Valley companies and broadband providers to explain how they use customer data.”

Younès June 29, 2019 10:01 AM

According to the two teenagers interviewed, half of the students in their middle school are present on the ICQ fence group and use the stolen credit cards to rent LIME scooters.
Recently, one of the scruffy teenagers asked the administrator of the ICQ fence group about the origin of the stolen credit cards. He replied that they came from a black market platform on the Internet: when he shares a stolen card for free, he also sends the link to his site, which allows him to advertise himself and attract other teens.
On this illegal site, which Libération Daily Newspaper was able to consult, it is indeed required to pay the sum of 100 euros to be able to register, which goes directly into the administrator’s pocket. It is easy to imagine that after using stolen credit cards offered to all, some of the 11,300 members of the group may be tempted to register on the site to obtain exclusivity on other credit cards.
Each time a card number is sent to the ICQ group, teenagers rush to the application to “buy credit”. Unlike other rental services, on Lime payment is not made per ride. You have to credit money on the application, which will be used to run it. When there is nothing left, you have to recharge. “When you receive a card, you have to be sharp. We start by putting in 5 euros. If it works, we put in 5 euros. Then 10, then 15, then 20…”, the two boys detail. The total amount can sometimes reach up to 600 euros. “On American Express, you can only pay 5 euros. The best are the Mastercards. When they work, you can go up to 300, 400 euros,” says Younès, who has become a banking expert.

Translated from ; partly based on

My personal guess: hidden among these rental transactions, someone uses the stolen credit cards to buy bitcoins to himself.

29 June 2019 00:00:00 June 29, 2019 10:09 AM

“A Fierce Domain – Documents on Key Events in Cyber History

In 2013, Jason Healey and Karl Grindal released A Fierce Domain, an edited volume covering major “wake-up calls” in cyber from 1986-2012. Thanks to a generous donation by Healey and Grindal, today [ 29 March ] the National Security Archive Cyber Vault is making available a collection of documents combining research from the “Realization” section of A Fierce Domain with previously released documents from the Eligible Receiver 97 exercise. This collection offers a combined 185 primary-source documents from critical moments in American cyber-security history. The events covered include:

1988 – The Morris Worm
1997 – Exercise Eligible Receiver
1998 – Solar Sunrise
1998/99 – Moonlight Maze”

VinnyG June 29, 2019 12:23 PM

@Ronnie re: (Huawei) …the Register asks the same question I was thinking of:
How would this compare for other companies if you did a similar deepdive analysis of their product lines?
Especially if the assessment goes back to firmware from 2005… I downloaded the FiniteState paper, but Acrobat Reader is telling me the file is broken. YMMV. In related news, Trump evidently backed off Huawei sanctions at the G20 yesterday. Were those ever anything beyond a bluff – who knows? Let’s now see if the extradition proceedings against Meng Wanzhou get dropped.

VinnyG June 29, 2019 12:32 PM

@ismar re: “new VPN technology” – You should supply some salient information about why the service should be of interest to readers of this blog. Otherwise, it tends to come across as a blatant shill…

Rachel June 29, 2019 3:28 PM

Is ‘Libra’ the final crack in the wall to regulate Facebook?

“…It’s hard to convey how incoherent and contradictory Facebook’s claims about its new payments pipe dream, Libra, are. The only reason I can fathom for Facebook touting such an obviously barmy idea was in this era of never-gonna-make-any-money unicorn darlings like Uber was that they figured there were enough true believers to give its flagging stock a desperately-sought-after shot of adrenaline.”

“… A DC insider called me the day Facebook presented its concept and said that “everyone” in government hated it, that he’d seldom seen so much unanimity.”

Alyer Babtu June 29, 2019 4:37 PM


regulate Facebook

I think it’s just an early round, not even their first salvo, in the current inevitable arc, viz. controlling profit in commercial exchange, of the arms race involving Big Tech.

Ismar June 29, 2019 6:54 PM


I am not trying to sell anything, so I’m not sure what to make of your comment? Also, I don’t want to get into any argument here, be it technical or not, as there is plenty of info on that page about this open source project, so let individuals decide if it is worth getting involved or not, but I do think it is worth a mention on this blog.

Faustus June 29, 2019 9:01 PM

I can only understand this “Join Firefox” initiative as a coercive bid to get my identity and my data. Is there another explanation? Why would they care otherwise? It seems absurd embedded in propaganda about how they protect my privacy.

Chrome does the same, but I’d expect this sad crap from Google. But Firefox?

I went to look at a really neat 3D printer that prints in composite with continuous carbon fiber reinforcement. Stronger than aluminum. But you need to run everything you do through their servers. So basically after you pay the $20K you are still just borrowing the equipment. They control it and undoubtedly monetize every bit of data they can.

It seems like the world is converging on a single business model.

AL June 29, 2019 9:36 PM

While I haven’t used any cryptocurrencies, I don’t mind Libra even if governments do. When central banks are turning on the printing presses and printing money (called quantitative easing), I don’t mind options.

President Trump is specifically calling on the Federal Reserve to print money.

The European union is doing the same thing. The Japanese bank has printed so much money, they are now the largest ETF holder in the Japanese stock market.

This central bank stuff is uncharted territory. Cryptocurrencies are uncharted territory. With central bank madness, the more options, the merrier.

John June 29, 2019 10:55 PM

@AL wrote, “The Japanese bank has printed so much money, they are now the largest ETF holder in the Japanese stock market.”

Much of the current version of printing money to the rescue can be traced back to shortly after the financial meltdown a decade ago when helicopter Ben tripped the mark-to-market rules to allow the Fed to take on balance sheets.

The Japanese thought it was a good idea and followed suit, after being mired in their version of the “great depression” for the past three decades. The Japanese had a bigger problem: they were running out of interest rates to cut. Thus, we’ve become accustomed to accepting negative interest rates as a norm for quite some time.

The newest trend in bringing crypto to the mass market is to “peg” them to a central bank issued currency instead of “printing” their own. Libra isn’t the first of its kind as we already have predecessors in the US, while in China using messengers to trade money has been commonplace for years.

While Libra and its kind are cryptocurrency in technical terms, they aren’t playing their own inflation game, thus the central bankers are likely to approve its wide use.

Sherman Jay June 30, 2019 12:51 AM

YUP. I just noticed a (new?) little icon on the top of the firefox panel. When hovering over it, it says “firefox account”. When I look in the preferences screen under ‘synch’ is where they offer the “firefox account”, too. In that panel it is to ‘facilitate synching’ all your ‘smart’ devices through firefox. I’m running Firefox 67.0.2 32 bit ‘quantum’ for ‘ubuntu’ using linux from an optical disc.

Everyone wants to own us. Microsoft wants to ‘enhance your computing experience’ by hoovering up all your personal info. I’ve spent too many hours helping people at the free computer clinics I run ‘opt out’ of all the Win10 privacy stealing auto-opt-in options.

Wait, I’ll get back to you, my smart TV just told me I have to give them more personal info and run a manual virus scan on it. HA, HA, HA. So, what happens if I sign up for the TV with the Last Name: Orwell, First Name: George?

Gunter Königsmann June 30, 2019 1:25 AM

@Ronnie: when it was discovered that on my galaxy note there were no restrictions at all for writing to the raw device containing the internal flash they needed months before they posted an update that fixed this problem => security that isn’t up to date is state-of-the-art with most vendors… …and things get rapidly worse if you analyze products that are no more maintained.

Commoner, The June 30, 2019 2:05 AM

Crime Statistics of Significant Note:

Fun and Games Retrospect:

I had a recent breakthru studying USA homelessness statistics:

1) Looking at a map of numerical increases in homelessness by state, since 2017, the state differences are highlighted and the true issues are revealed. The states that seem like they are OK, might not be if the numbers are recently increasing a lot.

2) Certain states have extremely high numbers of homelessness for individuals while having much lower numbers for families.

3) Those who have been homeless before, are much more likely (in America) to be pushed further into homelessness, and denied support. The numbers back this up.

Meanwhile, there is way too much monoculture in USA. It afflicts the food supply, retail, job training, education, technology, and housing markets.

Seriously, we ought to be diversifying for strength, instead of reinforcing our own coffins as a society.

Point the stripes down, just like when you hold a weapon you don’t want to hurt someone.

Peace and goodwill to all.

RPM June 30, 2019 7:14 AM

Surveillance Scoring Using Unregulated Data Collection

Silicon Valley Surveillance Scoring is a new type of parasitic, big-data middleman which uses personalized customer data to raise prices. In the survey, prices were frequently lower for anonymous customers.

The FTC complaint highlights four areas in which companies are using surveillance scoring: pricing, customer service, fraud prevention, and housing and employment.

They found that Walmart and Home Depot were offering lower prices on a number of products to the anonymous computer.

Companies are using these data points to decide what prices customers pay, the quality of customer service they receive or whether they can return items, according to the complaint. Some companies are even using data collected about users to decide whether they’ll be approved for housing or offered a job, according to the complaint.
This secretive Surveillance Scoring is a way for companies to discriminate against users based on income and wealth. All without them ever knowing or having recourse.

The (industry controlled) FTC held a workshop on the practice of what it called predictive scoring in 2014 but has done little to crack down on the practice in the years since. It’s far, far worse than when they looked at it in 2014!

Rosenfield said he believes that if regulators were to shine a light on the secretive world of data brokers, it could inspire the type of backlash that has prompted lawmakers around the world to go after Silicon Valley. “This technological discrimination is in stealth mode at the moment,” he said. But if it comes to light, “I think there will be a public uproar.”

Surveillance Scoring is closely related to Social Credit Scoring. Both systems seek widespread control of unsuspecting, uncaring and ignorant populations with paid-off politicians. It’s building for a massive governing power-grab with dictatorial leadership, using Facebook’s IPO total-control template. In 2019 America, Wall Street profits always win over basic citizen freedom.

vas pup June 30, 2019 1:36 PM

@JG4: Thank you for links provided.
The first technology could also support the idea of distinguishing real skin of the face and latex mask as well as @The Pull is curious about.

vas pup June 30, 2019 2:00 PM

NATO looks to outer space as modern warfare evolves:

“The United States, China, Japan, Russia and most recently India have been honing their technological capabilities to shoot down enemy satellites. So far, no effective means of thwarting such attacks are known. This is one of the reasons NATO has now put space defense on the agenda.”

My take: foreign geostationary satellites should be primary targets to shoot down. This is like unknown drone permanently hovering over your backyard.

k15 June 30, 2019 2:09 PM

when you encounter a security flaw at a business, nonprofit, elections department, etc, who do you report it to?

Clive Robinson June 30, 2019 3:33 PM

@ vas pup,

My take: foreign geostationary satellites should be primary targets to shoot down.

You are not the only one to think so. In fact some in military circles are deeply worried.

The reason is “smart weapons” including soldiers and much else are reliant on GPS. Taking such satellites out would not exactly be difficult. If an enemy succeeds then many “smart weapons” will fail to function as “smart” and will have to revert to old fashioned dumb weapons. Thus the “stand-off arsenal” of “lob-n-glide” bombs etc will become way more inaccurate, to the point in some cases of being effectively useless, and hitting targets will have to go back to the hit and miss of saturation / carpet bombing which can require a hundred or more times the weight in “iron bomb” to achieve a similar effect to a single 500lb hyperbaric weapon against a bunker or tunnel entrance.

The funnier side of this are “SHTF Preppers” who assume GPS and Communications satellites will remain unhindered in the event of a major war. Whilst the likes of amateur radio “cube-sats” will probably be unaffected, the bigger Mil-Com sats are likely to get “busted or fried” by either kinetic interceptors or wide volume EMP (small nuke) weapons.

There is only one reason not to destroy satellites in orbit and it is a form of “Mutually Assured Destruction” (MAD) by a chain reaction. Not nuclear but kinetic, and it’s called the Kessler syndrome,

That would deny space to all for years if not centuries to come…

Of course if your strategy does not require GPS or orbital platforms, then like with other forms of asymmetric warfare you will have a significant advantage over those who are dependent on them…

The thing I keep pointing out which is “technology is agnostic to use” I think is slowly dawning on others, which makes you wonder how the strategic thinkers at the NRO and NSA feel…

Clive Robinson June 30, 2019 3:36 PM

@ Thoth,

Thanks for the links, I don’t know if @Nick P still reads this blog or not, he spends time over at the invite only these days.

JINXS June 30, 2019 4:44 PM

Thanks for the info. Space war within this messed up era of spoofed and faked competitors / frenemies puts us all at risk of extinction via provocateurs getting us to fight battles which never would have happened and which must NOT ever occur.

Guns don’t belong in the sky.

1&1~=Umm June 30, 2019 4:55 PM

Microsofts old tricks again

In an unsigned letter Microsoft are trying scare tactics / FUD to delay or stop ‘Right to Repair’,

Perhaps people should send their own letters in pointing out that not only is it FUD tactics by Microsoft, it is also a complete load of CRUD.

Because the biggest cause of insecurity in Microsoft’s products be they hardware or software has always been Microsoft, and the number of attack vectors they leave in their designs and resulting products.

VinnyG June 30, 2019 5:37 PM

@ismar re: link – No offense was meant. I was merely offering a well-intentioned observation about the possible interpretation of a post that contains only a link, preceded by a comment that effectively says no more than “Hey, check this out…” Would you recommend that we also blindly click on the “” links posted by “RONY” just to see what happens? If not, how would you expect a newcomer to this blog (or someone unfamiliar with your postings) to distinguish between the two examples?

1&1~=Umm June 30, 2019 5:37 PM

More Micro$haft tricks

Some may remember the irony of Amazon vanishing of George Orwell’s 1984 from e-book purchasers?

Well Micro$haft has decided to do the same to all their e-book customers, with all their e-books,

It’s the curse of DRM where you pay good money for goods, just to have someone snatch them away like a motorcycle stick up gang.

I’ve been asked a number of times why I don’t do ‘Online Media’ and my reply has always been ‘Not with DRM’ or all the tracking etc.

I guess the question is ‘How long before other people stop playing the stupid DRM game?’

But as Amazon hardware customers have found, IoT is just another version of ‘The Curse of DRM’. The devices are not ‘stand-alone’ they require to talk to software running on a server, if the server goes off line then your products become useless.

The same is happening with TV’s and other home electricals. Thus with the added fun of the FTC idiocy, how long will it be before your ISP can ‘Kill your Home’ because you are not paying them their Danegelt?

Isaac Asimov in his ‘Foundation Series’ wrote of the new foundation winning against its enemies without firing a shot. Simply because they supplied all the little devices that made home life possible for the potential enemies’ elite, politicians, military and ordinary citizens.

This ‘dependency / control’ model of business is not new; drug dealers / suppliers in one form or another have been doing it for years. As an example look what the West did to China with the opium trade that was so lucrative in the Victorian era. It appears China might have taken a leaf or two out of the Asimov books, along with Silicon Valley and Disney Corp et al.

Today’s ‘Digital bargain’ will make you tomorrow’s ‘Digital Dependent’ thus ‘controlled individual’, worse even than being a ‘Digital Addict’: you will be a ‘Digital Serf’…

JonKnowsNothing June 30, 2019 8:53 PM

The loss of LoS (Line of Sight) orbital systems would be a big relief to much of the world and a crying-binge for military systems.

iirc / which may not be too rc-ed

The US Drone Target and Delivery Systems are piloted out of the west coast of the USA with bomb targets in the places where we like to bomb things. (An old movie asked why anyone wanted to be a Seal/Ranger/JamesBond etc. The dialog answer was ’cause we like to blow S*** up.)

The game controllers and video links run over LoS satellites around the world with booster stations in places like Germany. The main problem is if the drone dips behind a large object (see Alps and Big Mountains and the curve of the earth) the signals from California won’t get to the drone and set off a nasty set of drone delivery failures (eg the thing augers in or drops its payload in the wrong spot, although the folks in the right spot are certainly happy about the failures).

The current row about the Chagos Islands and the “It’s Not There Diego Garcia Airport for the Renditioned” hosted by Her Majesty’s Governments are important link ups to the system. The system just installed in Australia is another backup for LoS (among other things).

If you lose the satellite uplinks – S*** happens but not in the intended direction.

Of course the new cell service system is already hacking into “weather satellites”. Maybe something of interest happening in that spectrum.

1&1~=Umm July 1, 2019 3:00 AM

What happens when you use Google as your Single Sign On service with 2FA and you get “SIM Swapped” by a criminal,

The shocking thing is just how much data some people effectively “back up” only in OnLine services that when the account is gone from their grasp, so is all that data which is words, images, thoughts, memories and history of their life…

Most of the pain would not have happened with an appropriately secure Password Manager.

But the big take away, is back in the 1990’s Two Factor Authentication through the Mobile Phone as a side Channel appeared a good idea. However the advent of Smart Phones and peoples lives becoming centered on them stopped the side channel being a secure side channel. When you get to the bottom of it though Mobile Phone Service Suppliers like T-Mobile are not set up to be secure but what they might call “Customer Focused”, thus having your “SIM Swapped” out from under you is very easily done.

Ergo Sum July 1, 2019 6:24 AM

@Sherman Jay…

The TOR browser removed Firefox Account option, or more accurately, disabled it.

You can do the same in Firefox:

  1. Type in the address bar: “about:config”
  2. In the “Search” window enter: “fxaccount”
  3. In the result window, look for the “identity.fxaccounts.commands.enabled”

Toggle the value to “false”. Doing so would prevent the Firefox Account module from starting without any impact to Firefox.

Alternatively, you could just compare the config options between Firefox and the TOR browser and adjust the config settings for Firefox.

I generally set all the “fxaccount” settings to false and leave the defined URI values blank.
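
The about:config steps above, done as a file instead of by hand. This is an added example, not code from the original comment or from Mozilla: a small Python script that reads a profile’s prefs.js, picks every pref whose name contains “fxaccounts”, and writes user.js overrides that set booleans to false and string URIs to "" (the commenter’s own approach, above). The sample prefs.js is constructed for illustration; only identity.fxaccounts.commands.enabled comes from the comment, the other pref names are assumptions and not an authoritative list.

```python
"""Emit user.js overrides that disable Firefox Accounts prefs.

Added example; not the page's or Mozilla's code. It assumes a profile's
prefs.js uses the standard `user_pref("name", value);` syntax and follows
the approach in the comment above: every pref whose name contains
"fxaccounts" is forced to false (booleans) or "" (string URIs). Integer
prefs (counters, timestamps) are left alone.
"""
import re

# Constructed sample: a few lines as they appear in a prefs.js. Only
# identity.fxaccounts.commands.enabled is from the comment; the other
# fxaccounts names here are assumed for illustration.
SAMPLE_PREFS_JS = '''\
// Mozilla User Preferences
user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1561800000);
user_pref("identity.fxaccounts.commands.enabled", true);
user_pref("identity.fxaccounts.auth.uri", "https://api.accounts.firefox.com/v1");
user_pref("identity.fxaccounts.remote.root", "https://accounts.firefox.com/");
user_pref("identity.fxaccounts.toolbar.enabled", true);
user_pref("browser.startup.homepage", "about:blank");
'''

# One user_pref(...) statement per line; group 1 is the name, group 2 the raw value.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs(text):
    """Return {name: value} for every user_pref line.

    Values are typed: true/false -> bool, "quoted" -> str, digits -> int;
    anything else is kept as the raw string so nothing is silently dropped.
    """
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, unrelated statements
        name, raw = m.group(1), m.group(2).strip()
        if raw in ("true", "false"):
            prefs[name] = (raw == "true")
        elif len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw
    return prefs


def fxaccount_overrides(prefs, needle="fxaccounts"):
    """Select the prefs to override and the value each one gets."""
    overrides = {}
    for name, value in prefs.items():
        if needle not in name:
            continue
        if isinstance(value, bool):      # bool check must come before int: bool is an int subclass
            overrides[name] = False
        elif isinstance(value, str):
            overrides[name] = ""         # blank the endpoint URIs, as in the comment
    return overrides


def render_user_js(overrides):
    """Serialize overrides as user.js lines, sorted so the output is stable."""
    lines = []
    for name in sorted(overrides):
        value = overrides[name]
        if isinstance(value, bool):
            literal = "true" if value else "false"
        else:
            literal = '"%s"' % value.replace('"', '\\"')
        lines.append('user_pref("%s", %s);' % (name, literal))
    return "\n".join(lines) + ("\n" if lines else "")


if __name__ == "__main__":
    # In practice: read <profile>/prefs.js with Firefox closed, then append
    # the output to <profile>/user.js.
    print(render_user_js(fxaccount_overrides(parse_prefs(SAMPLE_PREFS_JS))))
```

Firefox re-applies user.js on every start, so a value in that file wins over prefs.js and over a later toggle in about:config. Run it with Firefox closed, then confirm in about:config after restarting rather than trusting the file: the script can only override prefs that are actually listed, so a name it never saw is not covered.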

JonKnowsNothing July 1, 2019 9:36 AM

@Ergo Sum

re: disabling modules

Disabling modules “hides” functionality but it does not “guarantee” that the functionality is not being used.

ex: look at all the apps abounding in cross slurping of data even when restrictions are toggled or set to Do No Use.

Like any “tick box”, just because you put a tick in the box doesn’t mean it’s disabled. All it means is you put a tick in the box. Dive deeper and you might find that tick boxes mean nothing.

The lack of tick box doesn’t mean the functionality isn’t there either. Turning on-off modules is a snap at some levels. You get it whether you want it or not.

There is no such thing as “reliability” or “verifiability” in systems from this form of “hacking”. All you can verify is what you have or can sort out from what’s in front of you. If there’s an elephant in the software or device you might never notice.

The Pull July 1, 2019 10:31 AM

@JG4, vas pup

Regarding the heartbeat detection, good article.

However, thankfully, it does look like this would be impractical for, for instance, scanning a crowd and archiving their specific cardiac fingerprint, at this time. This is, though, bad news. The main concern I think everyone should have here, is protesters at lawful assemblies where merely protesting on a matter can get you into a database you don’t want to be in.

Still, going from there to identifying a person is unfeasible at this time. (Good news). Because they would have to fully buy into this technology and tie it into, for instance driver’s license records. Or employ it on everyone, say, at airports, tying in their passport/dl data with their heartbeat data.

That sounds unfeasible for anytime soon.

But, on the long run, I don’t see what prevents them from using this on everyone checking into security at airports. So, on the long run, if they decide to implement that, it is bad news.

They would have to probably literally have handheld scanners to do this, in regards to airports, however. It would be very difficult to do this automatically from people walking.

Targeting individual protesters in a crowd, however, they could use surveillance snipers. If they can get a clear “shot” of someone’s chest cavity.

The Pull July 1, 2019 10:41 AM


“when you encounter a security flaw at a business, nonprofit, elections department, etc, who do you report it to?”

I have only reported security vulnerabilities in software to companies, but keep up on related activities in the news. You can usually find a security@ email address on the vendors site, or otherwise find a place to report security vulnerabilities by digging through their website.

For physical security flaws, you have to be careful. You also have to be somewhat careful on software vulnerabilities. That later case depends on the country you are in.

IDK an easy way to report such a vulnerability, but usually a security@ email address found on their website will work. Usually reports of such vulnerabilities sent to IT Security or similar departments can get better routed from there.

You can get into legal trouble reporting vulnerabilities, if you are not careful. Don’t expect people to be reasonable. But do report to them, and do not disclose it publicly without doing so.

If you in any way had to have what they may consider unlawful access, they will possibly use that against you. They may try and paint you as a malicious person who found something which no innocent person would find, as a means to evade blame. I have seen a lot of stories of companies doing this, over the years.

If it is big and deals with something critical, as you say, like election security, you may want to use a pseudonym and report it to a journalist. Hide your identity. (If at all possible. You can still be contacted via a pseudonym.)

If you are trying to advertise your security services and person, just be sure you did not do anything possibly illegal in finding the flaw. To CYA (cover your a**).

JonKnowsNothing July 1, 2019 12:39 PM

re: heartbeat detection

One of the problems NSA targeting has been to figure out who is holding the cell phone when they pass the coordinates to the drone bombing team. Sometimes it is no problem because the crater is so big that they kill everyone within the blast radius. They also kill wedding parties and funeral processions, little children (boys are labeled as legitimate military targets) and first responders, second responders and third responders (triple tap).

The advent of health monitoring systems makes it a lot easier along with other techs. It may not be practical in a huge crowd like tennis matches or inaugurations but it is good enough for the majority of their works.

Any rhythmic anomaly is a good enough pointer. Mr. Cheney is likely to be very well tracked from all points of the globe. Even in a huge crowd he could be picked out.

Heat maps of patterns from cell phones or I(di)OT systems feed back into the loop. If you want to track folks by heart rate there are some interesting side aspects of doing so and you don’t need a D-Pick to spot it.

Your heartbeat could kill you and not having one is a big clue.

ht tps://
ht tps://

(url fractured to prevent autorun)

JonKnowsNothing July 1, 2019 1:04 PM

re: “when you encounter a security flaw at a business, nonprofit, elections department, etc, who do you report it to?”

I would second the caution about what you find out and where you disclose this.

If you find something jaw dropping, it’s not likely to have been a “oh fudge” mistake. It’s there on purpose.

If you find something that looks like someone hacked your system you are going to be in for the long haul and it likely won’t just be a sticky note dropped on someone’s desk. (Cliff Stoll and the 3 cent discrepancy)

If what you discover points to Big Deal Wheels, you might be in danger too. Folks who are employed to keep you from noticing them don’t like it much when you do.

If you want to see some terrified engineers when they discover their own personal details are being hoovered check out the following video and article.

When one is faced with ANY wrong or illegal activity, your personal sense of morality comes face front and it’s not so easy to say Do X or Don’t Do X. Depending on the scope and nature of what you find, it is a life changing event. It doesn’t have to be electronic fiddles, it can be human rights or abuses or everyday activities that trigger the dilemma. It’s at those times you make a choice and you live with it for the rest of your life and sometimes your family lives with it for generations.

It might be something grave like massive corporate fraud or something as simple as someone who has not enough money to buy a can of cheap soup.

It’s a problem as old as humanity and sometimes our humanity is wanting. Those $2.00 extra ATT fees didn’t end up on the bills auto-magically…

Treasure Map: The NSA Breach of Telekom and Other German Firms
By Andy Müller-Maguhn, Laura Poitras, Marcel Rosenbach and Michael Sontheimer spiegelonline
September 14, 2014 – 12:13 PM

ht tps://
(url fractured to prevent auto run)

A Serious Hypothetical July 1, 2019 2:47 PM


I have a very speculative question I’d like to hear discussed, and I’m hoping, by posing it in this forum, it will be received as just the RAND-type thought experiment that it is.

Does anybody anticipate a direct physical attack on Facebook, like the OKC bombing, or an assassination attempt on Zuckerberg himself?

Given the amount of control concentrated in Z himself, I would be certain plans to eliminate him are on the shelf of many nation-states’ security staff. And given the personal antipathy he inspires, a lone actor attacking him seems not far-fetched.

Just a gedankenexperiment. Any thoughts?

The Pull July 1, 2019 3:04 PM

@A Serious Hypothetical

No, I do not think it is likely a nation state would physically target to down FB or Zuckerberg. I do think they would be doing their job if they hacked facebook, even going so far as to physically penetrate the headquarters. Not because of Zuckerberg, but because Facebook has so much information they can use.

Just this week, for instance, it was reported Western intelligence agencies allegedly hacked Russia’s “Facebook”.

However, in FB’s case, they sell the data. So, that probably is an easier route for intelligence agencies. Zuckerberg has a long track record of not caring about privacy concerns.

On Zuckerberg, personally, I don’t think anyone cares about him in a negative way. He would likely be a target for influence operations, however. But, what value of such influence operations would provide… is hard to ascertain.

One likely motive would be: Nation state X wants to rely on propaganda through FB. Nation state X gets caught. FB starts to make a lot of maneuvers to protect against such things. Or may release negative propaganda against Nation State X. Nation State X likely would want to get close to Zuckerberg and be a calming influence, or throw him in alternate directions.

The Pull July 1, 2019 4:00 PM

RDP (Remote Desktop Protocol) Bug Exploited By Sophos — Patch Now (though no exploit is yet given out in the wild, Sophos shows a video of it on webpage but did not release it)

A lot of systems are vulnerable to this, and as we know, a lot of these legacy systems won’t be patched for a long time.

Really cool vulnerability and video showing how anyone can login remotely to a system running RDP. Which should never be on the internet, only accessible via vpn, but you know how people are…

A Serious Hypothetical July 1, 2019 8:16 PM

@The Pull

I suppose the angle I was imagining was how vulnerable the value of Libra would be to an attack against Z sponsored by short-term currency speculators (who may also be, or at least have the resources of, a nation-state.)


Clive Robinson July 2, 2019 12:59 AM

@ A Serious Hypothetical, The Pull,

Given the amount of control concentrated in Z himself, I would be certain plans to eliminate him are on the shelf of many nation-states’ security staff.

To some nation states Zuckerberg is a “useful idiot” and by this I don’t just mean the US.

As he’s at best a sociopath he is unlikely to evaluate risk well and therefore may not evaluate his own personal safety or those around him sufficiently.

At some point he will certainly cross someone’s demarcation line and thus become a target of some form, if he has not already.

The question is do you have to harm him to “kill him” as an agent of control? And the answer is no, there are other ways to target and destroy him.

He has upset more than a few effective cartels and this idea he’s calling Libra is a nice little income earner. For instance it’s been reported that the first round of “partners” have had to pay a ten million non refundable joining fee and like as not the next round of partners will have to pay at least that much if not more. His effective income from it if it succeeds is north of a billion just in joining fees alone, what else he will get for infrastructure running fees is anybody’s guess.

Supposedly this is for development and initial infrastructure. The interesting thing is if you look at it the money flows towards Zuckerberg, and the partners have to back the currency whereas Zuckerberg does not have to back anything… Thus in effect he’s running the printing press and supplying the cash machines, but has no real legal or financial risk, that is carried by the partners.

Now Zuckerberg is also an out and out control freak as any FB shareholders will have by now realised. As this stratagem has worked well so far for him he is unlikely to change his behaviour.

So based on his history to date you can be sure of three things,

1, He will get the lion’s share of fees and similar income.
2, He will not carry risk of the currency.
3, He will have overall control through some non obvious mechanism.

But there is something else, he’s playing in ‘new waters’. He became an agent of disruption in a very small hi-tech pond and has maintained his ability to disrupt in that pond as it grew into a large lake simply because it was not mature and still growing. He is now trying to jump into a very well established set of waters that are in effect the largest and most fiercely contested there are, which are the world’s money markets and back end banking etc. There are some who for various reasons would not think twice about crushing him entirely as an agent of disruption and control.

One such quite lucrative market, and the one that destroyed Bretton-Woods, is the “bond market”. If Zuckerberg does get it up and running and he does ensure he has control then he will be the world’s largest bond player…

That is almost certainly going to ruffle the feathers of more than a few people.

But it gets worse, there is something you don’t get to hear about very often which is the value you gain by being the hand that controls the flow of the money supply of any currency. There is for instance the money earnt simply as the interest of notes in circulation (seigniorage) then there is the ability to do such things as “quantitative easing”. But also a long list of other non obvious but lucrative benefits, that nation states reserve unto themselves. Some are not likely to want to give that up whilst others will see it as an opportunity to create new fiscal weapons to use in damaging other nations’ National Security by economic sabotage etc.

Thus having a hand around Mr Zuckerberg’s throat may be seen as advantageous by some. Thus the question is how, whilst retaining plausible deniability.

Well there are many ways that have been used over the past few centuries but we tend to know about those. So something new is what would be needed. Which I guess is time to mention what sounds like Science Fiction but is actually well along the path to becoming a reality.

But firstly we need to consider that it’s said there are three basic ways we die,

1, By accident.
2, By long slow descent into increasing ill health and disease.
3, By a long mainly disease free life with a short but rapid decline in health that allows a viral or bacterial disease to rapidly develop and kill us.

That is, physical accidents (which can almost always be viewed as suspicious) aside, it’s some form of disease, viral or bacterial in origin, that gets us in the end, and generally it’s not in the slightest bit suspicious if it’s “something that’s going around”.

Due to the viral or bacterial origins of the way we die by disease, work is being done to find the cures for various types of disease by genetic specific methods, just one of which is cancer.

Put simply if you could come up with a virus keyed specifically to genetic markers in cancer cells then you could destroy those without harming other cells. But like most technological ideas it’s agnostic to use. As you are probably aware every year we have some kind of flu epidemic that goes around the world. Some people won’t get it and others will be highly susceptible to it and may well die from it. That is the influenza virus is better keyed to some aspect of their genetics.

Whilst the technology might be agnostic to use the directing mind that controls it is far from agnostic. Thus the question of how long before somebody comes up with a virus that is for most just a bad cold whilst for a specific genetic line very bad if not fatal to those of that specific genetic line. It sounds Science Fiction but there is a lot of research into using viruses, and phages simply to attack bacteria which have become antibiotic tolerant.

The likes of the US Secret Service have apparently been worrying about the dark side of such technology and thus the “controlling of presidential DNA” for some years now. After all if you could develop a specific genetic line biological weapon, that passed fairly easily from person to person but was mild in attacking those not of that specific genetic line. Ask yourself this, who would you need to infect to ensure it got to the intended target? And how much security does such a “patient zero” have? The answers are hundreds if not thousands of candidates for a patient zero and in most cases they have no security whatsoever…

Worse, it does not have to be fast acting like influenza, we know that some cancers are caused by viruses (cervical cancer and human papillomavirus or HPV for instance). In general it appears to be a two stage process, a pre-cancerous infection that may go away and not become cancer and some that do become cancer, thus the question of what the trigger mechanism might be arises. There is an increasing belief that other diseases might likewise have the same mechanism of infection then subsequent trigger (enteroviruses for instance are suspected in type I diabetes, but some argue it’s the causing agent whilst others argue it could be an immune strengthening agent that prevents type I…).

For various reasons phage research was virtually non-existent in the West, as being naturally occurring there would be little or nothing to patent to recover research and trials costs on. However research in other parts of the world was carried out and phages were used in Eastern European and Russian medicine during the cold war. Thus in some respects the West is playing a game of “catch up”. But advances in genetic modification have given rise to things that can be patented, thus the West is now increasingly looking into the use of genetically modified viruses and bacteria.

So if someone like Mark Zuckerberg were to unfortunately become very ill or even die of a bad cold or the flu or cancer, would we know if it was natural or man-made causes? Would we even be able to figure it out?

But as I noted you don’t have to “harm him”, just find ways to discredit or criminalize him, as by and large his rise has been in effect a confidence trick. As they say of many relationships “Once the magic is gone…”.

Rachel July 2, 2019 2:29 AM


I was reading somewhere that ‘the little Zucker’ has more recently engaged round the clock executive security detail. In response to the FB shindigs of the last few years – Cambridge Analytica and the rest of the rap sheet.
This tells me ‘the little Zucker’ can’t, or doesn’t, enjoy the pleasant activities we all enjoy every day. Such as leaving the house. Or walking to the supermarket. Having a picnic in a park or a stroll by the river.
So, the question with ‘Libre’ we should all be asking, is why? Why do you need more? More money, more influence? Is it because there aren’t healthy happy relationships, people that love and enjoy him, creative pursuits, singing and dancing. A real life. In which case we should all be feeling the most terrible pity for such pathology incarnate.
There are however some very strong reasons why the project will never take flight. As one or both of the articles I posted explained, argued in more detail in their supporting comments: the proposal by FB is most incoherent.

Clive Robinson July 2, 2019 9:38 AM

@ Rachel,

I was reading somewhere that ‘the little Zucker’ has more recently engaged round the clock executive security detail.

Yes but is that going to be anywhere close to being sufficient?

Not being funny but ex soldier/cop “executive” body guards are usually not as sufficiently trained in the art of “bullet catching” as they could be.

But I would rate being a bullet magnet low on the risk list for the little Zucker.

As you may well know a certain Silicon Valley face also owns the WashPo which employed Jamal Khashoggi as a journalist, who on the 2nd of Oct 2018 disappeared into a Saudi Consulate in Turkey never to be seen again. Several countries pointed the finger at the House of Saud in particular Crown Prince Mohammad bin Salman Al Saud (nicknamed MBS). Turkey drip fed the media with increasingly detailed information on those it said had “butchered” Jamal Khashoggi.

Well the powers that be in Saudi Arabia did not like the spotlight of international media played on them, and started to try and distance Crown Prince MBS from the butchery of Jamal Khashoggi. Unfortunately the WashPo was not going to let that happen.

So first they tried economic attacks on other companies the Silicon Valley face owned, when that did not work they actually falsely started accusing him of being a Jew, and when that did not work they went further, much much further. Thus all of a sudden the Silicon Valley face got his phone hacked by the Saudis using US supplied spyware run by US supposedly ex Mil / IC / NSA personnel and this “intelligence” was given over to a questionable journalist at the National Enquirer who just happened to be “supposedly” a good friend of the Current US President. Who in turn is supposed to be a good friend of Crown Prince MBS.

It is this sort of “death of image” that the little Zucker is more likely to face than medium velocity lead poisoning or kidnap.

If you think back to the disgraced head of the IMF who was alleged to have attacked etc a hotel maid. We have no idea nor does anyone else if the alleged incident ever took place. What we do know is he suffered “Death of Reputation” over it at a time when he was upsetting some fairly powerful international interests.

It’s this sort of thing the little Zucker needs to take seriously, because to be honest FB appears to be a bit of a “stage set edifice” or if you prefer “house of cards”, that is it has a lot of front but actual backing substance? Quite a few would say “not a lot”.

A crack in that frontage could easily bring the whole edifice tumbling down with barely a gust of wind and just about everything else would fall into that implosion.

vas pup July 2, 2019 11:52 AM

Virginia bans ‘deepfakes’ and ‘deepnudes’ pornography

“Machine learning techniques have made it relatively easy to replace the face of an adult movie actor with that of another person.”[E.G. female POLITICIAN RUNNING FOR OFFICE or wife/daughter of male POLITICIAN RUNNING FOR OFFICE].

Yeah, try to catch guys who are in countries with no extradition agreement.

I hope we are prepared for such a vector of attack, or, as usual, we will just be reactive thereafter.

vas pup July 2, 2019 12:11 PM

How you and your friends can play a video game together using only your minds:

“As in Tetris, the game shows a block at the top of the screen and a line that needs to be completed at the bottom. Two people, the Senders, can see both the block and the line but can’t control the game. The third person, the Receiver, can see only the block but can tell the game whether to rotate the block to successfully complete the line. Each Sender decides whether the block needs to be rotated and then passes that information from their brain, through the internet and to the brain of the Receiver. Then the Receiver processes that information and sends a command — to rotate or not rotate the block — to the game directly from their brain, hopefully completing and clearing the line.”

KEY for this blog posting:
“The researchers wanted to know if the Receiver would learn over time to trust one Sender over the other based on their reliability. The team purposely picked one of the Senders to be a “bad Sender” and flipped their responses in 10 out of the 16 trials — so that a “Yes, rotate the block” suggestion would be given to the Receiver as “No, don’t rotate the block,” and vice versa. Over time, the Receiver switched from being relatively neutral about both Senders to strongly preferring the information from the “good Sender.”

The team hopes that these results pave the way for future brain-to-brain interfaces that allow people to collaborate to solve tough problems that one brain alone couldn’t solve.”

Let’s say one or both senders are AI…

Sherman Jay July 2, 2019 1:00 PM

Larry Sanger left wikipedia in 2002, but is still involved in fighting IT/social media Corporations’ hoovering up of people’s personal data and massive influence (‘control’ in many instances) of people’s minds.

He is proposing a ‘social media strike on July 4 and 5 to “demand that giant, manipulative corporations give us back control over our data, privacy, and user experience.”‘

Larry Sanger outlined the proposal in a post on his personal web site last week.

I don’t know how much this will accomplish, but I think it is important that people are aware of how they are being ‘shorn’ as ‘sheep’.

C U Anon July 2, 2019 2:50 PM

Superhuman is spyware

There is an email agent service called Superhuman[1] and it turns out they are doing some very bad things privacy wise,

If you use it I suggest you stop and use your money for more worthwhile things, and if you are getting email from its users I would suggest you “delete unread” or at the very least turn off loading of all images in your MUA (email reader app).

[1] A kind of fanboi review from Tech Crunch of Superhuman,

A Serious Hypothetical July 2, 2019 3:41 PM

@The Pull, @Clive, @Rachel,

Thanks for the rational thoughts on something that just struck me last week, that struck me as very plausible.

@Clive – I remember a minor book by Frank Herbert, “The White Plague”, about a gen-eng agent that was designed to target a chosen slice of the world population. The brilliant idea of the book was the distribution channel: the bio-warriors dusted the stuff on to bundles of currency and mailed the cash to ~1000 random people throughout the world (or maybe just N America) knowing most would say nothing and quickly distribute it as widely as possible. Genius.


curious July 2, 2019 7:33 PM

what’s this “autorun” of URLs you write about? I wasn’t able to find explanation via search. Do you mean the browsers’ pre-fetching feature?
Also, any conjectures on why URL in this post was edited to add square brackets? Is it about the search spiders?

VinnyG July 3, 2019 8:38 AM

@A Serious Hypothetical re: “The White Plague” That is one of my all-time favorite Herberts. Not nearly as ambitious in scope as the Dune novels, but very well thought out and written. I wonder if CRISPR tech will make the premise a bit less far-fetched. The concept has some superficial attractiveness in the sense that one could theoretically eliminate everyone with an attribute that one finds abhorrent, if one could find a reliable corresponding genetic fingerprint for it (e.g., eliminate everyone with a penchant for trying to control others – say “good night,” politicians ;>) but just the aspect of determining cause and effect reliability would be a treacherous problem, ntm the obvious moral implications.

Sed Contra July 3, 2019 10:21 AM

@vas pup

bans ‘deep …’

Perhaps everyone would be better served if this stuff were ignored instead of banned, since now everyone has solid plausible deniability.

It would be better to ban images of people’s faces.

Pictures in general prove nothing.

29 June 2019 ...... July 3, 2019 4:39 PM

“As cyber operations by both states [ Iran and US ] heat up, non-governmental actors may play pivotal roles, not just as potential victims and collateral damage from states’ actions, but also as accusers of states. Non-governmental actors have attributed previous cyberactivities to Iranian-government linked actors and played an important role in investigating the Stuxnet attack on Iranian nuclear centrifuges. As I discuss in an essay published last week in the American Journal of International Law Unbound, non-governmental parties play an important role in the current decentralized system of publicly attributing cyberattacks to states.”

A90210 July 3, 2019 7:44 PM

Regarding the ongoing Schulte [ Vault 7 ] case: filed today

“Joshua Adam Schulte (born September 25, 1988) is a former Central Intelligence Agency (CIA) employee who is suspected of being involved in a leak of classified documents to WikiLeaks, which some have called “the largest loss of classified documents in the agency’s history and a huge embarrassment for C.I.A. officials.”[1]”

Jay July 3, 2019 10:37 PM

@Clive Robinson wrote, “It’s this sort of thing the little Zucker needs to take seriously, because to be honest FB appears to be a bit of a “stage set edifice” or if you prefer “house of cards”, that is it has a lot of front but actual backing substance? Quite a few would say “not a lot”.

A crack in that frontage could easily bring the whole edifice tumbling down with barely a gust of wind and just about everything else would fall into that implosion.”

Fascinating theories. The reputation attacks on Flecebook had long been under way despite Mr. Z pissing off quite a few, from all sides. To my knowledge, they wanted him to take the 2016 election story to a whole new level which he did not, as Flecebook chose to remain neutral in the 2016 elections by taking no action. It would appear that he finally caved in, which coincidentally happened after its stock took a massive beating.

What we know is that these Silicon faces though sometimes take sides they can choose a new position on a whim (very rarely). What Mr. Z is doing right again in my view is the adaption of payment transfer to “cryptocurrency” that runs on the back of our fiat system which ironically prolongs the fiat in a more adaptive form. Whether this can be done successfully remains to be seen, but the current paradigm seems to support its view with the fundings.

As for the Saudis, they know the move away from fossil is sitting on an accelerated path with recent breakthroughs in electric utilities. We will eventually get there but whether they will be prepared or reasonably divested to sustain prosperity remains to be seen.

vas pup July 4, 2019 2:31 PM

How do you know your diamond isn’t fake?

“Engineers at Oxford were doing research around getting the highest possible resolution from telescopes, and compensating for fluctuations in the atmosphere.

And this turns out to produce answers that also apply to focusing lasers on targets that are very small.

So marks as small as one-thousandth of a millimeter can be made 0.15mm below a diamond’s surface in a trillionth of a second. The extremely high speed keeps the laser burst from heating up the stone.

Marks this small can’t be seen even with a jeweler’s magnifying glass, or loupe. You need a powerful microscope.

Opsydia has just sold its first machines to De Beers.

But once you can write things inside diamonds, “you can write electrical circuits; it takes you into science instrumentation and ultimately quantum computing,” says Mr Rimmer”

29 June 2019 ...... July 5, 2019 9:43 AM

DemocracyNow had an hour on Noam Chomsky today, which included:
and, without a free press, of course, we might not hear about things like this:

"AMY GOODMAN: Can you share your analysis of President Trump? You have lived through so many presidents. Explain President Trump to us and assess the massive response to him.

NOAM CHOMSKY: Well, Trump is—you know, I think there are a number of illusions about Trump. If you take a look at the Trump phenomenon, it’s not very surprising. Think back for the last 10 or 15 years over Republican Party primaries, and remember what happened during the primaries. Each primary, when some candidate rose from the base, they were so outlandish that the Republican establishment tried to crush them and succeeded in doing it—Michele Bachmann, Herman Cain, Rick Santorum. Anyone who was coming out of the base was totally unacceptable to the establishment. The change in 2016 is they couldn’t crush him.

But the interesting question is: Why was this happening? Why, in election after election, was the voting base producing a candidate utterly intolerable to the establishment? And the answer to that is—if you think about that, the answer is not very hard to discover. During the—since the 1970s, during this neoliberal period, both of the political parties have shifted to the right. The Democrats, by the 1970s, had pretty much abandoned the working class. I mean, the last gasp of more or less progressive Democratic Party legislative proposals was the Humphrey-Hawkins Full Employment Act in 1978, which Carter watered down so that it had no teeth, just became voluntary. But the Democrats had pretty much abandoned the working class. They became pretty much what used to be called moderate Republicans. Meanwhile, the Republicans shifted so far to the right that they went completely off the spectrum. Two of the leading political analysts of the American Enterprise Institute, Thomas Mann, Norman Ornstein, about five or 10 years ago, described the Republican Party as what they called a “radical insurgency” that has abandoned parliamentary politics.

Well, why did that happen? It happened because the Republicans face a difficult problem. They have a primary constituency, a real constituency: extreme wealth and corporate power. That’s who they have to serve. That’s their constituency. You can’t get votes that way, so you have to do something else to get votes. What do you do to get votes? This was begun by Richard Nixon with the Southern strategy: try to pick up racists in the South. The mid-1970s, Paul Weyrich, one of the Republican strategists, hit on a brilliant idea. Northern Catholics voted Democratic, tended to vote Democratic, a lot of them working-class. The Republicans could pick up that vote by pretending—crucially, “pretending”—to be opposed to abortion. By the same pretense, they could pick up the evangelical vote. Those are big votes—evangelicals, northern Catholics. Notice the word “pretense.” It’s crucial. You go back to the 1960s, every leading Republican figure was strongly, what we call now, pro-choice. The Republican Party position was—that’s Ronald Reagan, George H.W. Bush, all the leadership—their position was: Abortion is not the government’s business; it’s private business—government has nothing to say about it. They turned almost on a dime in order to try to pick up a voting base on what are called cultural issues. Same with gun rights. Gun rights become a matter of holy writ because you can pick up part of the population that way. In fact, what they’ve done is put together a coalition of voters based on issues that are basically, you know, tolerable to the establishment, but they don’t like it. OK? And they’ve got to hold that, those two constituencies, together. The real constituency of wealth and corporate power, they’re taken care of by the actual legislation.

So, if you look at the legislation under Trump, it’s just lavish gifts to the wealth and the corporate sector—the tax bill, the deregulation, you know, every case in point. That’s kind of the job of Mitch McConnell and Paul Ryan, those guys. They serve the real constituency. Meanwhile, Trump has to maintain the voting constituency, with one outrageous position after another that appeals to some sector of the voting base. And he’s doing it very skillfully. As just as a political manipulation, it’s skillful. Work for the rich and the powerful, shaft everybody else, but get their votes—that’s not an easy trick. And he’s carrying it off."

Clive Robinson July 5, 2019 3:05 PM

@ Bruce, All,

A new security horizon, where all that is bad security wise appears to be SOP…

As discussed above by @vas pup and others on June 30th, more Main Stream Tech Media is picking up on the Chatham House report as the above 2nd of July article shows (yes you heard it here first, even if by a whisker 😉

It’s probably worth reading because the issues involved are way more general than most realise… That is your Utility Providers are, outside of their core systems just as bad, if not worse. As anyone who has done a “technical break down” on their remote sensor and actuator “street furniture” pods should well know, they lack both security and privacy (authentication / confidentiality) thus integrity.

Some years ago, which now feels like an eternity I was warning about the issues with engineers and technicians “designing for test and reliability” rather than “Securely designing for availability”[1].

The usual big failing being open communications interfaces which were designed for “human readable commands and responses” that were neither authenticated for security or encrypted for privacy.

The usual excuses of “code space”, “CPU cycles” and similar lumped under “cost saving” or more correctly “profit saving” are getting trite to say the least. As are the designs that do not allow for upgradability[2].

Oh and we also see the same problems in medical electronics, anyone who knows anything about security and medical electronics should be worried when told by the medical proffession they need pacers, de-fibs, insulin pumps and even hearing aids…

Design engineers “need to get their 5h1t together” on both security and privacy so availability becomes of meaning.

[1] Hardware Reliability is just a small part of availability, yes it can increase the MTTF figure and with a little thought can reduce the MTTR figure substantially but that is insufficient. Functioning hardware is of no use if a third party can read sensor readings to predict a good time to make an attack, such as opening or closing a switch/valve to initiate a cascade failure. Or the firmware can be tampered with such that false sensor readings etc cause the central system to issue incorrect commands.

[2] Upgradability in a secure way (code signing is not enough) is essential in equipment with a quarter to half century in the field life expectancy. Especially when we have yet to have software last a year without needing patches and, well, encryption algorithms, protocols and standards not lasting a quarter of a century either. It’s why in the past I’ve suggested that NIST really should get its act together on upgradable frameworks and legislators enact appropriate legislation / regulation to ensure such upgradability is built in as standard in a way where the costs are not just passed onto the consumer.
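The “human readable commands and responses, neither authenticated nor encrypted” interface Clive describes above, and the false-command / replay concern in his footnote [1], can be illustrated with a small Python model. This is an added example, not code from the blog, the commenter, or any real utility equipment: the `NaiveActuator` accepts any well-formed command line from anyone, while the `AuthenticatedActuator` requires each command to be bound to a device id, a monotonically increasing counter (so a captured command cannot be replayed later) and an HMAC-SHA256 tag under a per-device key. The device id, key and wire format are all constructed for the demo; a real deployment would also need confidentiality (an AEAD mode rather than bare HMAC), which this example leaves out to keep the integrity check in focus.

```python
import hmac
import hashlib

# Constructed per-device key for the demo (assumption: provisioned at
# manufacture and never sent over the command interface).
DEVICE_KEY = b"constructed-demo-key-not-for-production"
DEVICE_ID = "pole-0042"  # constructed device identifier

VALID_COMMANDS = {"SET VALVE OPEN": True, "SET VALVE CLOSE": False}


class NaiveActuator:
    """Street-furniture style controller: any syntactically valid line is obeyed."""

    def __init__(self):
        self.valve_open = False

    def handle(self, line: str) -> str:
        cmd = " ".join(line.split())
        if cmd in VALID_COMMANDS:
            self.valve_open = VALID_COMMANDS[cmd]
            return "OK"
        return "ERR malformed"


def sign_command(key: bytes, device_id: str, counter: int, command: str) -> str:
    """Build a wire line: '<device_id> <counter> <command words> <hex tag>'.

    The tag covers device id, counter and command together, so none of the
    three can be altered or swapped in from another message.
    """
    payload = f"{device_id} {counter} {command}"
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload} {tag}"


class AuthenticatedActuator:
    """Same command set, but authenticate before parsing and refuse replays."""

    def __init__(self, key: bytes, device_id: str):
        self.key = key
        self.device_id = device_id
        self.last_counter = 0  # highest counter accepted so far
        self.valve_open = False

    def handle(self, line: str) -> str:
        parts = line.split()
        if len(parts) < 4:
            return "ERR malformed"
        tag, payload_parts = parts[-1], parts[:-1]
        payload = " ".join(payload_parts)
        # 1. Verify the tag first; nothing else is trusted until this passes.
        expected = hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag.encode(), expected.encode()):
            return "ERR auth"
        # 2. Bind the command to this device.
        dev, ctr_text, *cmd_words = payload_parts
        if dev != self.device_id:
            return "ERR device"
        # 3. Reject anything at or below the last accepted counter (replay).
        try:
            counter = int(ctr_text)
        except ValueError:
            return "ERR malformed"
        if counter <= self.last_counter:
            return "ERR replay"
        # 4. Only now interpret the human-readable command.
        cmd = " ".join(cmd_words)
        if cmd not in VALID_COMMANDS:
            return "ERR malformed"
        self.last_counter = counter
        self.valve_open = VALID_COMMANDS[cmd]
        return "OK"


def demo() -> dict:
    """Run both controllers against the same constructed traffic."""
    results = {}
    naive = NaiveActuator()
    results["naive_accepts_anyone"] = naive.handle("SET VALVE OPEN") == "OK"

    auth = AuthenticatedActuator(DEVICE_KEY, DEVICE_ID)
    results["unauth_rejected"] = auth.handle("SET VALVE OPEN")
    good = sign_command(DEVICE_KEY, DEVICE_ID, 1, "SET VALVE OPEN")
    results["signed_ok"] = auth.handle(good)
    results["replay"] = auth.handle(good)  # same line captured and resent
    results["tampered"] = auth.handle(good.replace("OPEN", "CLOSE", 1))
    results["wrong_key"] = auth.handle(
        sign_command(b"attacker-guess", DEVICE_ID, 2, "SET VALVE CLOSE"))
    results["other_device"] = auth.handle(
        sign_command(DEVICE_KEY, "pole-0099", 2, "SET VALVE CLOSE"))
    results["next_ok"] = auth.handle(
        sign_command(DEVICE_KEY, DEVICE_ID, 2, "SET VALVE CLOSE"))
    results["valve_open"] = auth.valve_open
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The ordering inside `handle` is the point: verify the tag before touching the counter or the command text, so an unauthenticated sender learns nothing about the device’s state and cannot advance the counter; the counter is only committed after every check passes, so a rejected message never burns a value a legitimate controller will need. Note that the replay defence depends on `last_counter` surviving a reboot; a device that resets it to zero reopens the replay window, which is one reason the footnote’s point about secure upgrade and state handling matters.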

JonKnowsNothing July 5, 2019 6:47 PM

@Clive Robinson

I remember getting instructions to:

  • Stop designing upgrades or adding “future hooks” for the next phase of production.
  • Stop worrying about security. Someone else was doing it.
  • When the someone else did not appear to be a real person, they became a consultant or consulting firm.
  • When that consulting firm didn’t show up and the code clearly had “ahem issues” being told to Just Drop It.

It’s all fine and good to get things into testing and to market quickly but somewhere in the abbreviated process the customers, you know, the ones that pay $$$ for the product, get the worst of the worst.

The mantra of “We’ll fix it in the next release”… won every argument.

The bug databases grow bigger and bigger. The BIG bug fix is to: truncate anything more than 3/4/5 years old. That fixes soooo many problems with just an ENTER key.

I have not encountered any change in this Engineering Principle.


Sidebar photo of Bruce Schneier by Joe MacInnis.