A90210 July 5, 2019 4:33 PM

“Joshua Schulte Keeps Digging: His Defensible Legal Defense Continues to Make a Public Case He’s Guilty

To defend him against charges of leaking the CIA’s [ Vault 7 ] hacking tools to WikiLeaks, Sabrina Shroff has made it clear that Joshua Schulte is the author of the CIA’s lies about its own hacking.

In a motion to suppress all the earliest warrants against Schulte submitted yesterday, Shroff makes an unintentionally ironic argument. In general, Shroff (unpersuasively) argues some things the government admitted in a Brady letter sent last September are evidence of recklessness on the part of the affiant on those earliest warrants, FBI Agent Jeff Donaldson. She includes most of the items corrected in the Brady letter, including an assertion Donaldson made, on March 13, 2017, that Schulte’s name did not appear among those published by WikiLeaks: “The username used by the defendant was published by WikiLeaks,” the prosecutors corrected the record in September 2018. To support a claim of recklessness, Shroff asserted in the motion that someone would just have to search on that username on the WikiLeaks site to disprove the initial claim…”

Ismar July 6, 2019 2:22 AM

It is kind of ironic that the first implementation of quantum computers might be to generate truly random numbers, followed by the ability to dispense with the cryptography as we know it today.


“How does this get us to random numbers? Crucially, the 50-bit string sampled by the quantum computer will have a lot of entropy, a measure of disorder or unpredictability, and hence randomness. “This might actually be kind of a big deal,” said Scott Aaronson, a computer scientist at the University of Texas, Austin, who came up with the new protocol. “Not because it’s the most important application of quantum computers — I think it’s far from that — rather, because it looks like probably the first application of quantum computers that will be technologically feasible to implement.” ”


Today, that thinking needs to be revised thanks to the work of Craig Gidney at Google in Santa Barbara and Martin Ekerå at the KTH Royal Institute of Technology in Stockholm, Sweden. These guys have found a more efficient way for quantum computers to perform the code-breaking calculations, reducing the resources they require by orders of magnitude.

Clive Robinson July 6, 2019 6:01 AM

@ Taz,

Yes public VPN ownership is a curious labyrinth, but that’s also true of many non security related technologies as well.

From the article,

    Although the ownership of a number of VPN services by one company is not unusual, VPNpro is concerned that so many are based in countries with lax or non-existence privacy laws.

There is a flip side to privacy and where the companies are located.

Unfortunately countries with less lax laws are also the places with the “spy on citizen laws” that give you such things as lack of oversight court processes and National Security Letters or their equivalent.

It’s something @Nick P and myself discussed off and on several years ago on this blog.

So if you were choosing a country to found a privacy focused technology company in there are a number of things you would look for. From the privacy aspect three things that would be high on your list are,

1, A country with no “snoop on the citizen” laws.
2, A country that is antagonistic to those countries with “snoop on the citizen” laws.
3, A country that you would try not to have clients in.

But from the aspect of a user who wants privacy I would not use public VPNs as they currently are if I could avoid them, without using other technology to break their ability to do data snooping and metadata traffic analysis etc. One such thing is to lift the network stack up by using a “tunnel within a tunnel” as a new physical layer and create a “network on a network”.

If you think back to the early days of computing, what would happen is a branch office would use the equivalent of a “terminal concentrator” to multiplex numerous traffic streams into one traffic stream that went across a leased line to the main office where the streams were then demultiplexed and sent onwards. With IP networking you can do the same by having your “gateway router” shove all traffic into a Stunnel and send it over a “point to point” link where the Stunnel traffic is then stripped and fed into the upstream router. If the upstream router is in a private node with other routers that likewise use Stunnel to send on to their upstream routers you can fairly quickly build a private network on top of a public network in effect a “mix network” that you then need to strengthen in various ways.

Because the real issue is how do you deal with the problems of data and metadata. Data is in effect “plaintext” that would be inside the routing nodes or at the leaf nodes where you transition back to the public network. Metadata is the information to do with the traffic flow both rate and routing that makes traffic analysis possible.

Well you can use encryption to hide data, onion routing to hide routing information and null traffic padding to hide flow information. But the most important step is not to have leaf node transitions. That is all clients and servers remain properly part of the network on top of the network.

Further as well as null traffic padding you can use the equivalent of a “Fleet Broadcast” system where individual packets get sent to multiple nodes such that whilst you might be able to tell which nodes have received a copy of a packet, you can not tell which of them it was intended for. That is a node will either forward the packet to the next router in the chain or use it instead of null traffic for padding purposes, where the next router might drop it or itself use it as a null packet to pad to the next node. To make this even more effective is to add uncertainty about if the packet is being forwarded on or not to an observer. To do this requires also a “store and forward capability” thus the packet goes into the node, but when if at all the packet gets sent to the next node becomes difficult to impossible to determine. Whilst this is fine for certain non interactive traffic, it’s not for some types of traffic because of the undesirable effect of adding increased latency. However it is that latency that stops an observer following traffic by modulating packet delay.

There are other aspects to consider but hopefully you can see that getting privacy against a state level observer who has control of “choke points” is nowhere near as simple as just using a public VPN, as in practice it adds little if anything to privacy. But also shows that making statements as the article does is something you should take with a grain of salt, because otherwise it might cause you to make the mistake of not using a technology in an advantageous way.
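The null-padding and store-and-forward idea from the comment above, as an added example that is not part of the original comment: one hop that emits exactly one fixed-size cell per tick, so an observer of the link sees the same trace whether the node is idle or busy, at the cost of queueing delay. The cell size, the header layout and the per-cell link encryption (assumed, not implemented) are assumptions of this sketch.

```python
from collections import deque

CELL_SIZE = 512   # assumed fixed size of every cell on the wire, in bytes
HEADER = 3        # 1 flag byte + 2 length bytes, hidden by the assumed link encryption


def make_cell(payload=None):
    """Build one fixed-size cell: real data if a payload is given, else null padding."""
    if payload is None:
        return b"\x00" + bytes(CELL_SIZE - 1)
    if len(payload) > CELL_SIZE - HEADER:
        raise ValueError("payload must be fragmented before it enters the link")
    body = b"\x01" + len(payload).to_bytes(2, "big") + payload
    return body.ljust(CELL_SIZE, b"\x00")


def unpack(cell):
    """Receiving side: return the payload of a real cell, or None for padding."""
    if cell[0] == 0:
        return None
    length = int.from_bytes(cell[1:3], "big")
    return cell[3:3 + length]


def run_link(arrivals, ticks):
    """Simulate one store-and-forward hop with constant-rate output.

    arrivals maps a tick number to the list of payloads that reach the node
    on that tick. Returns (observer_view, delays, delivered):
      observer_view - what a tap on the link learns: (tick, cell length) only,
                      because every cell is assumed to be encrypted
      delays        - ticks each real payload waited in the node's queue
      delivered     - payloads recovered by the next node, in order
    """
    queue = deque()
    observer_view, delays, delivered = [], [], []
    for tick in range(ticks):
        for payload in arrivals.get(tick, []):
            queue.append((tick, payload))          # store
        if queue:
            arrived, payload = queue.popleft()     # forward one real cell
            cell = make_cell(payload)
            delays.append(tick - arrived)
        else:
            cell = make_cell()                     # nothing queued: send padding
        observer_view.append((tick, len(cell)))
        received = unpack(cell)
        if received is not None:
            delivered.append(received)
    return observer_view, delays, delivered


if __name__ == "__main__":
    # Constructed traffic patterns: an idle node and a bursty one.
    idle_view, _, _ = run_link({}, 8)
    burst_view, burst_delays, got = run_link({0: [b"a", b"b", b"c"], 5: [b"d"]}, 8)
    print("observer traces identical:", idle_view == burst_view)
    print("queueing delay per payload (ticks):", burst_delays)
    print("delivered:", got)
```

The burst of three payloads leaves the node one cell per tick, which is the latency cost the comment describes for interactive traffic.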

Tatütata July 6, 2019 6:27 AM

When that collection of shrieking baboons called “humanity” will have finally erased itself into oblivion, the squids will still be around to squirt ink and laugh at us. The earth will be a sad place for a couple of million years while she licks her wounds, but on the geological scale that’s merely the bat of an eye.

Should some octopod evolve and take our place on land, it will find the remains of the nasty tin boxes on casters of which we were so proud. The ferrous parts will be gone, but there would be enough lead, plastic, aluminium, glass, silicon, etc., to reconstruct the final sequence of events, and the beast’s nine brains will understand and heed this discovery as a warning.

So: no squid cars. They’re too smart for that.

CallMeLateForSupper July 6, 2019 8:12 AM

OpenPGP (speaking broadly) has been attacked. Miscreants spammed at least two certificates with many thousands of bogus “signatures”.

Should this kind of attack ever extend to e.g. the signing certificates of Linux distros, then we could find ourselves “living in interesting times”.

Robert J. Hansen, author of the linked paper and one of the affected parties, writes:
“In the last week of June 2019 unknown actors deployed a certificate spamming attack against two high-profile contributors in the OpenPGP community (Robert J. Hansen and Daniel Kahn Gillmor, better known in the community as “rjh” and “dkg”). This attack exploited a defect in the OpenPGP protocol itself in order to “poison” rjh and dkg’s OpenPGP certificates. Anyone who attempts to import a poisoned certificate into a vulnerable OpenPGP installation will very likely break their installation in hard-to-debug ways.”

“SKS Keyserver Network Under Attack”

Winston Smith July 6, 2019 9:43 AM

Thoughts on as a VPN provider?

They offer a novel approach to managing the account: no user name/password, just a unique account number which is used to identify the account credited for payment.

Secondly, although I’m no expert on privacy policies, theirs presents more reasonable than many to the layman’s eye.

So… Where’s the catch? Subverted encryption to support a covert “honeypot” effort? I’m skeptical, overall. Security AND anonymity are almost mutually exclusive in the days of the panopticon.

You could implement pretty good operational security (with effort of course) to create your own home-based VPN, but you’d lack anonymity (or it would likely be more difficult to implement than using a third party in theory).

Does a VPN service such as what Mullvad purports to do actually exist for the average citizen?

Hmm. Still skeptical.

h2odragon July 6, 2019 10:33 AM

China leading in VPN providers makes sense, they had an early market for citizens who wanted to avoid the Great Firewall (remember that?) The first site documenting advanced routing in Linux got crushed under Chinese traffic and regularly got DoS’d for a couple years from various SE Asian IP blocks.

Someone even sent in a samizdat translation of some of the documentation, which turned out to be half Scripture but it was a nice thought.

trout July 6, 2019 10:37 AM

Regarding VPNs – I raise one theoretical/practical question. Is it possible for a VPN server admin to connect back to a computer using just the established VPN tunnel and exploit some trivial bug inside Windows and run arbitrary commands there? The VPN tunnel is bi-directional. What I see is that whoever runs the VPN service can connect back to any VPN client computer.

VinnyG July 6, 2019 1:47 PM

re: squidmobiles (Cephalo-Pods?) – Jalopnik missed an obvious conclusion that the vehicles would be jet-propelled. Also, the most popular professional vehicle race on the biggest annual cephalopod holiday might be named the “Squid Pro Go…”

Clive Robinson July 6, 2019 1:58 PM

@ VinnyG,

Squid Pro Go…

You know jokes like that in polite society could get you ostracized?

Keep up the good work 😉

Clive Robinson July 6, 2019 2:02 PM

@ Bruce,

Whatever they might look like, there is one thing that’s almost certain about a squid car, it would not when on frosty roads fish tail.

Tatütata July 6, 2019 8:37 PM


I found identifying VPN providers rather tricky. At the end of the day, what you’re really left with in most cases is a gut feeling.

I suspect that the exotic choice of locale of many providers has more of a mundane basis than a nefarious one.

At typically 6-12 US$/month, the price of VPN services is manifestly way above what they actually cost to provide (as compared with, e.g., web hosting), and the multinational nature of the business provides one with plenty of opportunities to fudge. If you don’t have to bother too much with sales or income tax, then so much the better.

Rachel July 6, 2019 11:19 PM


Protonmail’s VPN service has a basic free option, and beyond that paid options offer an extensive range of security and privacy features. Considering this is VPNs we’re talking about – it’s not so bad. Best of a bad bunch.
They charge EUR8 / USD8 / CHF8 per month

Another Mouse July 7, 2019 5:24 AM

@steve wouldn’t it be for Cloudflare as the only DNS provider I could see some benefits…

Tatütata July 7, 2019 7:54 AM

ProtonVPN: Thanks, I just checked them out.

The free plan is nearly useless, so I’ll just fuggadaboutit.

The 4$ and 8$ are competitive with what I currently use, and I will definitely check them out when my plan comes up for renewal.

I find it slightly silly that the price is the same whether in USD, CHF and EUR. The first two currencies are currently at par, but the Euro is worth 11% more.

“Minuspunkt”: Payment using PayPal and credit cards (both US dominated) are possible, but not by efficient bank transfers, which is surprising and annoying, as Switzerland is part of SEPA (Single European Payment Area). I won’t muck with BitCoins. I do have some Francs in an envelope somewhere, but that would be a one-off solution.

As to the respect of privacy in the Confoederatio Helvetica, I still have a vivid memory of a chilling report on TSR’s “Temps Présent” circa 25-30 years ago about how Swiss secret services eagerly compiled reports on citizens. Imagine a Stasi speaking in thick Zurich dialect instead of the classical Saxony singsong.

RG99 July 7, 2019 8:51 AM

Libertarian Trojan Horse
Beware of Silicon Valley 2019 hugely increased funding of traditional libertarian organizations with a goal to weaken GDPR/Ca privacy legislation.

Don’t let Silicon Valley rule by data over America superseding our elected officials and ‘We The People’.

Proton Mail Compromises Security
Proton Admin on Enabling DOM Storage:
This procedure allows data to be stored in your browser while the browser is open.

Someone Wandering comments:
So to get more privacy by using ProtonMail I would have to enable which happens to be one of the main tools for business etc to track me around the web. Odd.

Anonymous comments:
It’s not odd. It’s sick.

Proton Admin
Technologically, there isn’t a way around this.

Not true. ProtonMail CHOOSES not to implement a POP3 email server. This common email technique eliminates severely compromising your web browser from Big-data trackers.

Since Chrome has 66% of the browser marketplace their (ulterior motive) method is toward corralling citizens into using Google spyware. (Even the Raspbrain Pi switched from Firefox to Chrome).
Google Analytics is also lurking on Proton’s main page scooping all your data for its own purposes.

It’s rather embarrassing to counter simple security vulnerabilities here on a security forum.

The Pull July 7, 2019 10:48 AM

Supposed undersea cable tap war going on

I sometimes get passed youtube videos, and often dismiss them. But, this one seems like they may be onto something. They describe at sea incidents near underwater cables, and a technique being used to tap them. It is a two cut effect. Cut the cable initially, which blinds to further cuts. Then, cut it a second time, and put a tap on it. When they fix the initial cut it is too late.

One problem I see with this is end to end encryption very likely on the systems this video is talking about. But, who knows what flaws may be there. (Leaked codes is a common one). This does possibly explain motives to cut other cables, as well, and how they tap them when there is a lot of strongly vulnerable traffic.

The Pull July 7, 2019 10:52 AM


Really cool links, thanks for sharing. I don’t have comment on the technology, but follow it. Groundbreaking stuff. I did notice Google has coined a new law, like Moore’s Law, but dealing with quantum computers. Where the growth they have been seeing since January is exponential. Growth they say is not mirrored even in the natural world. (Exponential growth – Google claims – of their quantum computer and its growing ability to process data.)

Tatütata July 7, 2019 12:15 PM

@They Pull My Leg:

Bunk. Submarine cables can be assessed from BOTH ends using OTDRs, even with repeatered cables.

See this Anritsu application note.

In such systems, every EDFA repeater would typically provide a small loopback sampler, so you could stick an OTDR on either end of the cable. In those conditions, a second cut would also be noticed by a diligent operator. The second cut would also be detected at baseband by variations in the DC power supply, and supplementary alarms would occur if additional repeaters are cut off.

Even if the operator diagnosed his asset from one side only, how could you be sure that the second cut would be on the right side of the first one without insider knowledge?

(Even the earliest analog coax cables had comparable provisions to allow pinpointing faults, e.g., highly selective crystal filters in each repeater).

A more plausible scenario might look like this:

A typical span between repeaters in a high capacity system (say, starting from 50-100Gb/s) is something like 40km. (You can get unrepeatered systems to work up to a few hundred kilometers).

A brand new single mode fiber @1550nm would have a loss of about 15dB, but the system would need to accommodate a large end-of-life attenuation caused by water absorption.

If you were to tap into a cable, a logical place to do this is mid-span, where the optical levels in both directions are about the same. You would then VERY carefully remove the armoured sheathing and expose the individual fibres without cutting them. By folding the fibres with a small enough radius you’d then cause some light to come out of them, which can be coupled into another fibre. The coupling ratio needn’t be very large, e.g., -30dB, which would result in a nearly imperceptible variation in transmission loss of 1:1000 or so. The coupled portion is then immediately fed into an EDFA, and the amplified signal is routed for decoding and processing. Since the cable is still relatively new, there would be enough budget margin to get away with this.

Another candidate point is right at a repeater, alleviating the signal budget considerations. You would encase one entirely, and skin the cable on both sides of it, providing maximum signal level. The immediate proximity of the repeater would make it harder to pick up any irregularities, but more work would be involved.

But even then, there are other problems to solve:

  • What I suggest requires very high skills;
  • Modern high capacity systems use complex QAM modulation.

How could you acquire or replicate a demodulator without attracting attention? Such systems usually contain a lot of proprietary details that limit their interoperability with competitors’ products.

Once you have acquired a modem, how do you install it on the ocean floor close to the tap? How do you power it? In that configuration, how do you extract the treasure you’re after out of the haystack, and send it on?

Or alternatively, how do you install an extension to a friendly shore without attracting attention, or leaving telltale evidence if you’re caught?

  • Optical polarisation is also controlled and used for diagnostic purposes.

That video is in the tinfoil hat league. What kind of traffic would be so inaccessible to make it worth the expense to get? If there is actually such traffic on the cable, then it would in all probability already be encrypted. This is no longer the 50’s and 60’s, and we no longer fear 10000 tanks rumbling down the Fulda gap tomorrow morning.

Plain sabotage is a more plausible scenario. Secrecy and mystery is also useful to cover up bungling and incompetence.

Tatütata July 7, 2019 12:21 PM


“Mozilla : ISPA Internet Villain”

The way this is formulated makes it sound like Mozilla is the villain, where in fact it is ISPA.

On the other hand, do we need yet another protocol? I had never heard of this one before.

During the Arab spring, there were graffiti in the Middle East that simply read “”. But ISPs learned to block or hijack such IP addresses. And can you trust “Do not evil” more than governments?

Tatütata July 7, 2019 12:43 PM

Re: VPN, Switzerland

The story I was referring to is the “affaire des fiches” or “Fichenskandal”, EN: “Secret file scandal“, from the late 1980s to the early 1990s. Federal and local police departments had compiled about 900.000 detailed profiles of generally innocent people, based on a network of informants (e.g.: bosses), out of a population of about 6 million people at the time.

A 24 minute long documentary in French from 1990 interviews citizens, lawyers, unionists who had been spied upon. Images of victims consulting their files anticipate by a couple of years those of East Germans doing exactly the same thing.

7 July 2019 00:00:00 July 7, 2019 1:32 PM

Regarding VPNs, recently Sofakinbd showed Disconnect VPN on sale for $50-$60 USD for a lifetime license for 5 devices. AFAIK that sale price is still valid.

IIRC Disconnect VPN has been rated well recently by the Washington Post and WSJ. For example, see the original post in the above link or below. IIRC Disconnect’s basic free browser extension, not VPN, also was favorably reviewed. alternative source

Feedback would be appreciated.

vas pup July 7, 2019 3:01 PM

@The Pull, @Tatütata:
“Plain sabotage is a more plausible scenario.”
Maybe tapping and sabotage are not mutually exclusive – just like something planted on a network could be data collector to the point (spy) and on command be activated as virus (agent of sabotage).
E.g. All critical cables are ‘mined’ for sabotage in several spots and dormant until activated simultaneously in the time of crisis.
Q: If cutting is done simultaneously by two coordinated small subs/drones as the best then it is still detectable as @Tatütata explained?
Anyway, thank you for the link and inputs.

vas pup July 7, 2019 3:07 PM

@Tatütata • July 6, 2019 6:27 AM
Recently on History Channel octopus (close cousin of squid) was analyzed in detail.
It is an amazing creature. No ancestor found in evolution, three brains spread along, could modify its own DNA (!!!), and has more complex genetic code than human!
They claimed he is visitor from the outer space, and could replace us (apes) under proper conditions. It did resonate with your post.

Rachel July 7, 2019 3:18 PM

During the Arab spring, there were graffiti in the Middle East that simply read “”. But ISPs learned to block or hijack such IP addresses. And can you trust “Do not evil” more than governments?

and for example OpenDNS was pwned, er I mean acquired by Cisco

public access points like libraries can often be configured to prevent access by default

vas pup July 7, 2019 3:29 PM

@Rachel: could they also redirect you to their own clone site (e.g. clone site of proton mail) and provide you a message that you entered wrong credentials. Then, when you do second try and credentials match the first attempt, they save them for their purposes (definitely not in your best interest), and redirect you to the right site with passing your credentials?

Let our respected bloggers with high expertise on subject clarify such possibility.

Clive Robinson July 7, 2019 4:12 PM

@ The Pull,

Supposed undersea cable tap war going on

Don’t make the mistake of thinking “undersea cable tapping” means “tapping going on underwater” it’s mostly not.

For historic, geographical and maritime safety reasons undersea cables come up in very few places[1] and once the general location is known they are incredibly easy to find on nautical charts and large scale topological maps the information of which is nearly all available in the public domain and Google Maps aerial views will actually show you the buildings.

The point is in general you have a “routing building” which uses standard well known telecoms protocols, with a spur off to the cable head building. Where the standard telecoms protocols are converted to the virtually bespoke cable head end protocols.

Thus as a general case if you were going to tap the cables the easiest place is after the head end equipment router that is one or possibly two steps upstream.

One way to do this is to rent space in the routing building and lay in your own back haul. You would then as the NSA / GCHQ and other 12-20 “Five-Eyes” countries do find some way via implant or APT to subvert other routers to get the cable traffic “Tee’d off and forwarded” to your router thus off down your backhaul to where ever your local or regional processing center is.

If you look at Cornwall in the far South West of the UK you will see lots and lots of cables come up as do Satellite down links a few miles up the road. It’s kind of an accepted fact that as this is a major “choke point” even for European traffic that GCHQ have completely owned the main telecoms routing buildings.

But if you look at the submarine cables map you will see something that might make your blood run a little colder. Your internet packets follow the “all roads lead to Rome” philosophy only the center of the hub/web is the US and the main inter country nodes are in those extended Five-Eyes countries, all due to history, pragmatism and profits.

Since the shindig at the 2014 Doha ITU world conference where various proposals to change the Internet and take it out of Five-Eye hands got narrowly defeated, the topology of the subsea cable network and overland backhaul inter country trunk circuits have started to change…

But if you want a bit of entertainment to eat popcorn to, we are currently going through what you might call the preliminary rounds of the UN ITU 2019 world Telecoms event. There have already been some off the wall suggestions[2] to do with “security” from non Five-Eye nations and I expect many more.


[2] Perhaps the most off the wall suggestion so far comes from France, they have proposed taking the entire 2 meter (144MHz) Amateur Radio band away and giving it to drone operators supposedly for “non-security” activities. Whilst the 2 meter band is very good for “land mobile/portable” and “aeronautical mobile” for manned planes (they have the 135MHz allocation already) it’s actually a very bad band for drones as the antenna will be too long and there is insufficient bandwidth for what the French propose it be used for… Oh and of course there are all those satellites up there using both the 2 meter and 70cm Amateur bands, and they can neither be moved or turned off for up to the next 25 years or so. It’s why quite a few people have pointed out the proposal is probably down to the well known Parisian Political Corruption that is endemic and some corporate is trying it on for other reasons that have not yet surfaced.

Faustus July 7, 2019 4:42 PM

Ross Anderson has released a new chapter 8 on Economics for his new edition of Security Engineering.

It is excellent. It really helped my sense of helplessness vis a vis security to read such a clear and convincing roadmap of the forces that have led to our frustrating apparent inability to make secure systems, sans scapegoating and vituperation.

Clive Robinson July 7, 2019 5:43 PM

@ Bruce and the usual suspects,

Not sure if you’ve seen this from mid last month (there were other things in the news at the time),

Apparently the tractor manufacturer that most tractor owners hate the most for their DMCA attitude, has been doing some questionable if not illegal things themselves recently.

Basically they have been handing out what appear to be USB memory sticks at shows. Only they are not memory sticks, what they do are what any security professional would regard as the first steps of a malware attack (hence the generalised warnings against unknown USB devices not just memory sticks). That is the device contains a small very cheap microcontroller that behaves as an HID-compliant keyboard and takes over the computer without asking or informing the user of what it is doing (which is an illegal act even under US legislation). Then when it’s connected it detects not just what platform it is plugged into but the web browser. It then automatically sends a keyboard shortcut… Which could do anything the “payload loader” which this device is feels free to do without the average user being able to stop it. In this case apparently the “payload” in this case runs an unauthorized by the user command to launch the web browser and fire off a likewise unauthorised by the user URL.

Not that John Deere appear to care that what they are doing is obtaining unauthorized access to a computer and running an unauthorised set of commands as the user (all illegal acts). They appear to think that because it only loads up John Deere’s web pages that’s alright.

To quote the article, apparently Ken Golden, John Deere’s director of public affairs, who wrote in an email,

    “Deere is deeply committed to all aspects of data security and has never used a USB device to interfere with or monitor the use of any user’s personal computer or remove or observe any data or information on any user’s computer,”

It is mealy mouthed and misses several obvious points. The first is their web site might get hacked and thus some other much nastier things could happen. The second is that of “supply chain poisoning” as I’ve indicated this device is a purpose made malware payload loader, it would be all too easy for someone to slip an extra command or two just to background load some APT, crypto-coin mining code, spam generating code, ransomware, backdoor to make the computer part of a bot net, gain access to the computer users online banking etc etc, the list is long even of what has been done via other attacks all of which could be so easily done with this USB device…
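A defender-side check for the situation described in the comment above, as an added example that is not part of the original comment: on Linux, each USB interface exposes its class, subclass and protocol in sysfs, so a "memory stick" that declares a HID keyboard interface and no mass-storage interface can be flagged. The verdict names are hypothetical and the sample descriptors are constructed; keyboards that do not declare the boot protocol are reported only as "review".

```python
import os

# USB-IF class codes: 0x03 is HID, 0x08 is mass storage.
HID, MASS_STORAGE = 0x03, 0x08
# Within HID, interface protocol 0x01 identifies a keyboard.
KEYBOARD_PROTOCOL = 0x01
FIELDS = ("bInterfaceClass", "bInterfaceSubClass", "bInterfaceProtocol")


def read_sysfs(root="/sys/bus/usb/devices"):
    """Return {device: [(class, subclass, protocol), ...]} from Linux sysfs.

    Interface directories are named like '1-2:1.0'; the part before the
    colon is the device they belong to.
    """
    devices = {}
    for name in sorted(os.listdir(root)):
        if ":" not in name:
            continue  # a device or root hub entry, not an interface
        values = []
        try:
            for field in FIELDS:
                with open(os.path.join(root, name, field)) as handle:
                    values.append(int(handle.read().strip(), 16))
        except (OSError, ValueError):
            continue  # interface vanished or attribute unreadable
        devices.setdefault(name.split(":")[0], []).append(tuple(values))
    return devices


def assess(interfaces):
    """Judge a device that was handed out as a storage stick.

    'ok'     - only mass-storage interfaces
    'block'  - declares a HID keyboard and no storage at all
    'review' - anything else (composite device, other HID, unknown class)
    """
    classes = {cls for cls, _, _ in interfaces}
    keyboard = any(cls == HID and proto == KEYBOARD_PROTOCOL
                   for cls, _, proto in interfaces)
    if classes == {MASS_STORAGE}:
        return "ok"
    if keyboard and MASS_STORAGE not in classes:
        return "block"
    return "review"


def audit(devices):
    """Map every device to its verdict."""
    return {dev: assess(ifaces) for dev, ifaces in devices.items()}


# Constructed sample inventory (not captured from real hardware).
SAMPLE = {
    "1-1": [(0x08, 0x06, 0x50)],                      # plain flash drive
    "1-2": [(0x03, 0x01, 0x01)],                      # keyboard posing as a stick
    "1-3": [(0x08, 0x06, 0x50), (0x03, 0x00, 0x00)],  # storage plus extra HID
}

if __name__ == "__main__":
    for device, verdict in audit(SAMPLE).items():
        print(device, verdict)
```

On a live Linux host, `audit(read_sysfs())` applies the same check to whatever is currently plugged in; ordinary keyboards will also report "block" because the check assumes the device was presented as storage.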

- July 7, 2019 6:18 PM

@ Moderator,

The above from “Linda A. Elliott” (#c6795323) is highly undesirable link spam that also is being used to increase subscribers to a U-Tube channel

Rachel July 7, 2019 6:57 PM

Vas Pup

spoofing or MITM with Protonmail you describe – as you know, of course it could happen. I am sure Protonmail are the first to admit they are fallible. But just hold them up to the light in comparison with the other free email providers out there – that no one is complaining about, really – and just on ethics/commitment alone they are impressive.

Protonmail introduced a separate ToR only mail service with servers in an undisclosed location (Does ‘dark web/dark net’ phrase still apply here, I suppose by definition it does) I wouldn’t touch it.

For the email service time stamped ISP log is provided. That’s a small measure of relief from MITM attacks, retrospectively of course.

I am interested Tatütata, as someone with VPN expertise. Your assessment of the ProtonVPN technical claims?
Well described about the strange 8/8/8 pricing plan.
Considering how many plain envelopes filled with banknotes they would receive, hand addressed with a non-dominant hand and sealed with sticky tape, one would hope PM try a little harder for payment options.

For some light relief care of what’s happening in the Wi Fi zeitgeist, care of the Guardian ‘ The newspaper that hates newspapers’ as Malcolm Tucker described it

Clive Robinson July 7, 2019 7:01 PM

@ Bruce,

As you used to write for The Guardian, and you have recently mentioned the shocking treatment of a reporter.

It might be of interest to you that two reporters one in the UK and one in the US have become targeted by the security services of a foreign nation.

It appears that the nation has been using not just US developed APT and similar computer attack tools but also using US personnel to do so.

So very much a “State Level Security Attack”.

Clive Robinson July 7, 2019 7:21 PM

@ All,

Another faux biometric-AI system to really creep you out,

For instance, it mentions one system that uses “facial recognition” to detect intruders in a school. Sounds quite laudable until you realise that it has to “facially recognise” every child, adolescent, teacher, admin staff, janitors etc as people who should be there. Which means everyone’s face is “in the system”, just as their fingerprints are for the food vending, library access etc, along with their parents financial details (many systems quite deliberately will not take cash, just debit/credit card info etc)

Clive Robinson July 7, 2019 7:48 PM

@ All,

Five-Eyes attack Russian “google” Yandex.

Whilst the malware used is relatively old, which would normally make attribution less certain due to “false flag operation” usage, this appears to be an updated version with –probably– not seen before code in it.

Thus whilst there is the possibility someone outside the Five-Eyes could have got the original malware and augmented it themselves, the odds are more in favour of it being either the US NSA or UK GCHQ.

That said the way it was used to target certain members of Yandex staff indicates that espionage is the more likely cause for attack.

Interestingly in the article the suggestion that the attacks might enable “back stories” to be built for field operatives, raises a point that few actually think about…

It’s been argued that the likes of social media would prevent cover IDs being established for operatives because of the inability to build “On Line Back Stories”. This attack tends to suggest that the reasoning may not be true. That is, a SigInt Entity could get into the back end systems of social media site servers and modify the records such that cover stories can be built for field operatives.

Which with hindsight should be obvious; after all, a persistent worry since the last century is the “revision of history”, that is, a newspaper could for several reasons, not all legal, choose at some point for an earlier story to be pulled, modified or augmented, and it would be difficult to show it had happened.

Rachel July 8, 2019 12:32 AM


I had a look, and contrary to your claim, there is no ‘google analytics lurking on the Proton main page’

The Proton mail blog has a variety of interesting responses to various current and long term mainstream privacy issues. The most recent two on the blog are kicking back against claims by Google, and Gmail.
This is not the first time either.

I’ve disabled DOM storage, like many other people, and still use Protonmail as normal. Whatever their considerations for so far not having POP3 functionality, it’s certainly not a zero-sum ‘big data tracking’ scenario as you claim.

I don’t even want to consider what your motivations for your claims are

@ ‘ 7 July 2019 00:00:00’

‘IIRC Disconnect VPN has been rated well recently by the Washington Post and WSJ.’

Read that sentence out loud, to yourself, very slowly

I looked into them some years ago and IMHO there is nothing particularly substantial or superior about their assorted free and paid products. I believe one can do a great deal better.

I have the impression you are the same person posting under a new date stamp for every post. Are you aware this is against the policy for posting comments here as per our generous host Mr Schneier?

Gerard van Vooren July 8, 2019 2:46 AM

@ Rachel,

The thing that bothers me is the fact that it is pretty hard to set up an email server. Okay, there is OpenSMTPd that makes things a lot easier but still, it is hard, too hard if you ask me. So people rely on other men’s computers aka the cloud (think hotmail, gmail, protonmail).

IMO this should be a lot easier so that it is easy to create and manage your own mail server.

And the same counts for other servers such as setting up a nextcloud, mastodon, etc.

7 July 2019 ...... July 8, 2019 7:14 AM

A Washington Post headline

“DMV databases become part of unprecedented surveillance infrastructure

The FBI and ICE have turned state driver’s license databases into a facial-recognition gold mine, scanning through millions of Americans’ photos without their knowledge or consent, newly released documents show.”

7 July 2019 ...... July 8, 2019 7:34 AM

Is DNSCrypt still considered pretty good?

Might a Yubikey, or similar device, help protect either a ProtonMail Webmail account (“free” email) or ProtonMail IMAP account? For “free” email might ProtonMail’s iOS app be better than using Safari (browser) access?


Thanks for the VPN link.

7 July 2019 ...... July 8, 2019 12:37 PM

From the first comment has this link:

“The shortlist
These five VPN providers have options which, according to their online documentation or support staff, meet the aforementioned recommended settings and features. Those options might not be available for every device or automatically activated right away, however. You may need to do some additional research to see if your specific device can support the aforementioned tech considerations and if there’s any additional steps you’ll need to take to switch features on, or make changes to them:

Private Internet Access

7 July 2019 ...... July 8, 2019 12:39 PM

“He [ Kassin ] also began to wonder how often those confessions were genuine, after he learned about the Reid interrogation technique, the near-universal method taught to police. Its training manual—now in its fifth edition—was first published in 1962 by John Reid, a former Chicago detective and lie detector expert, and Northwestern University law professor Fred Inbau. “I was horrified,” Kassin says. “It was just like Milgram’s obedience studies, but worse.”


That phase, with an authority figure applying psychological pressure, reminded Kassin of Milgram’s infamous experiments. But whereas Milgram got someone to “harm” another person, the Reid technique gets people to harm themselves by admitting guilt. Kassin suspected that the pressure might sometimes lead to false confessions.

To find out, he decided in the early 1990s to model the Reid technique in the lab, with student volunteers. In what Kassin called the computer crash paradigm, he had students take rapid-fire dictation on computers. He warned them that the system had a glitch and that hitting the Alt key would trigger a crash. That part was a fib: The computers were programmed to crash regardless of which keys were hit. The experimenter then accused the students of hitting the Alt key…”

keiner July 8, 2019 3:08 PM



..even accepts cash if you want. No storage of meta data (except in cases where police requires in individual cases, posteo lost a law case).

Rachel July 8, 2019 8:47 PM

Gerard van Vooren

Thank you. Yes, running one’s own server / email is an excellent thing. It’s a good discussion, one I haven’t seen much reference to here. As you say, it’s beyond the reach of many. Just as any technical skill requiring expertise.

It would seem, with Protonmail, they set out with a fundamental premise, yet are subject to the expectations and whims of their audience, demanding feature creep and convenience. Like anyone in their situation, Protonmail need to make highly informed choices about enforcing boundaries on the scope of their project, and how best to allocate their limited time, money and team, while still meeting the wishes of their community who partially fund their work. Plus acknowledging how the user experience can be in direct conflict with the stated aims, i.e. security, privacy. I’d like to see a direct client interface bypassing the browser altogether.

Joe July 8, 2019 9:21 PM

@Clive Robinson wrote, “So if you were chosing a country to found a privacy focused technology company in there are a number of things you would look for. From the privacy aspect three things would be high on your list are,”

This is a moot point because no such country exists in the world. All of them have deep interest in listening in on all types of communications. The only distinction is at what scale they do it. By subscribing to such VPNs that are exclusively known for this purpose could also mean submitting oneself to a venetian fly trap because the “enforcers” are well adapted to setting up “sting operations” of various sorts in order to facilitate or entrap would-be wrongdoers.

The problem with most secure messenger systems is having to provide a “store and forward” feature, which may also become a hindrance in a “fleet broadcast.”

Gerard van Vooren July 9, 2019 3:48 AM

@ Rachel,

It would seem, with Protonmail, they set out with a fundamental premise, yet are subject to the expectations and whims of their audience, demanding feature creep and convenience.

Yes, that is true and also the part that I don’t like about it. It’s all about making promises and I am pretty sure that they hired experts, but the problem is that they are the ones that create it, and that counts for any other “.com”. Still I am using it, simply because it is based in Switzerland (not the US). One day I am gonna create an email server…

I’d like to see a direct client interface bypassing the browser altogether

The browser did create so much harm, that’s true. What are you saying exactly, are you willing to use Thunderbird (or equivalent), because that is already possible in Protonmail, or are you wanting to use a custom email browser software? If it’s the latter then you have to keep in mind that Microsoft already killed all text versions with their graphical email (yet another victim made by MS), so having a textual version without graphics, that is gonna be hard.

I really think that it’s a lot better to create a new standard than to let yourself into the current situation.

keiner July 9, 2019 10:26 AM


eMail? 😀

Maybe you should not hesitate to visit the homepage, it’s in English, French and German.

Tatütata July 9, 2019 11:06 AM

I am interested, Tatütata, as someone with VPN expertise. Your assessment of the ProtonVPN technical claims?

A lawyer told me a long time ago: “At our firm, an expert is someone who has done something once”. In that sense I could be considered to have a smidgen of expertise, but not much beyond. Thanks for the compliment anyway. 🙂

I have been using VPNs for 10+ years. The first services I tried weren’t very reliable. Other choices included fly-by-nights and weirdos, i.e., one of them wasn’t content with my credit card info, and demanded an actual scan of both sides.

My main application, bandwidth wise, is to circumvent geolocation (not Netflix, but public broadcasters in three different countries), maybe once or twice a week.

For that you needn’t much beyond a good bandwidth, and a sufficiently large pool of IP addresses. (Occasionally an address won’t be accepted as belonging to the national domain).

If you fear your government, however, that wouldn’t be enough. ProtonVPN’s “core network” appears to take a leaf from the Tor book, but with only one intermediate node, if I understand correctly. However, they control the entire infrastructure and you must therefore trust them.

Another use for VPNs is testing (I will sometimes loop back to my own machine). Comparing prices is often very instructive, some sites have widely varying offers depending where you access them from. You might also want to post sensitive material on forums with relative anonymity. Sock puppeting (god forbid) is yet another possible use.

If it is just hackers that you fear, or just want to circumvent geolocation for a single country, a cheaper and better solution that I’m currently considering would be to rent a VPS (Virtual Private Server) in a hosting centre for a few bucks a month. From the root account you’d then install OpenVPN, or (properly) configure an Apache proxy.

Plus side: you should be able to get better responsiveness than with a public VPN, and you would know exactly what is being logged, at least within the realm of your VM.

Minus side: it’s still not your machine, and there is no “safety in numbers” factor. Your server’s IP address uniquely identifies you.

Again, if you’re only concerned with the hacker threat, yet another possibility is to run a proxy server at home, if you have a good enough connection. An open-source router could provide you with VPN capability. Alternatively, a lovely Raspberry Pi with a 64GB memory would be ideal for running OpenVPN, and you would probably have enough oomph to run in parallel a mail server, Asterisk, bittorrent, Tor, and a couple of other nice things. A third party would have to physically seize your device to access its data. (Downside: a thief would only need to swipe the tiny memory card).

With the home VPN you could also access your private network devices while you’re on the road.

But to make this work, you would have to invest a lot of time in learning and understanding security.

Another problem: your DSL connection will typically flip IP addresses every week or fortnight, much less frequently for cable. You’d need dynamic DNS (but IMO there are no good and cheap options currently available). A solution might be to operate in conjunction with a rented VPS.

Running an e-mail server at home not only requires meddling with finicky server configurations, but also considerable effort to bring spam under control, if your e-mail addresses have been compromised. Your ISP might also rather inconveniently censor the mail ports. (My current one doesn’t). But if you can manage all that, the possibilities are endless.

At this time, I rent server space with CPanel configuration, which makes setting up e-mail and other services fairly easy. I mistrust less my local web hosting company than GMail and co. Downside: even though there are a lot of options and applications available, you don’t have root access, and you can’t install your custom applications.

An advantage to paying for, and controlling your own server is that you can generate e-mail aliases in seconds. I usually use a different alias to each service I register for. If things ever sour (e.g.: the address is compromised and spammed), I can always delete the alias. This proved useful many many times. I can also provide e-mail to a few friends and relatives.

But I might eventually move on from CPanel and “roll my own” when I feel confident enough.

Regarding Posteo, they had their big push around 2013 after the Snowden scandal. Full encryption is optional, but they allow IMAP (and POP3) access. The web interface is a lot nicer and intuitive than ProtonMail’s. They cost a very reasonable 1€/month, which can be paid anonymously in cash or wire transfer.

I use it on the road, as it is much more convenient than CPanel’s “RoundCube” webmail interface. Posteo’s main selling point at the outset was SSL/TLS client access, which my other server at the time didn’t offer. I initially tried accessing them using a totally outdated but beloved client, which I tried to keep going by swapping DLLs and copying root certificates. This only worked for a while until they upgraded their TLS setup.

Clive Robinson July 9, 2019 3:03 PM

@ Tatütata,

Downside: a thief would only need to swipe the tiny memory card

Err maybe not these days… apparently according to some blurb I saw the other day PXE-Boot has come to the Pi 4B.

Thus a *nix style NAS box up in your loft / roof space running off of even another Pi 4 in a nice little fire proof safe suitably alarmed (see discussions between @Nick P and myself a few years back on this blog) would more or less remove that option for all but “warranted” intruders.

I’ve recently been looking at what would be required to take a “back box” off of a slim line UK dual fronted “in wall” mounted mains socket and add another box on the back of it to hold a Raspberry Pi. I think it would make a fun little project.

I’ve had a Pi wired up in the past to the back of one of those “four RJ45 PoE port” network mini-switch face plates, not because I wanted to hide it in the wall at the time, it was just the quickest and least expensive way to get four PoE sockets at the time to do an Asterisk on Pi VoIP demo. But once you’ve done something, why not get a bit of “self education” (play time;-) with it. Thus you’d be surprised just what you can do with PoE, I ended up using it to power a little HF transceiver and charge a SLA battery to give the current lift on TX. Also I had a couple of audio dongles and a serial port based CAT controller so it could be operated from anywhere on the local area network thus all safely tucked away in a large air tight plastic cake box up in the loft. These days however PoE has got complicated to put it mildly, there are about half a dozen “proper standards” and as many again “manufacturers’ standards” and heaven help those that don’t know what they’ve got. One such “manufacturer standard” for PoE is from Ubiquiti and it’s a very non standard 24V…

There is a reason many PoE standards are 48V and it goes back a hundred years or so ago to the big glass Lead Acid Accumulators used to power the “Plain Old Telephone Service” or POTS as it’s been commonly re-christened. The POTS voltage was 48V DC[1] “positive ground”[2] “Phantom Feed”[3] and the standard stuck, ending up being used for the likes of studio microphones. What people tend to forget is the “ring voltage” it has to withstand which is basically up to ~200V peak AC… I remember using a “wireman’s phone” which had its own hand crank generator as a “mega” for testing as with an ordinary multi-meter you had to carry it as well as the phone and the mega weighed more than both of them put together so it was “The last straw…” so got dumped.

[1] The POTS 48V like the truck and boat 24V and car 12V are not the stated voltages. The reason is the Lead Acid Accumulators in your car which are “12V” can go from 13.8 when new and fully charged down to a low of 10V when safely fully discharged, thus 12V is kind of in the middle. The same applies to 24V of 27.6-20 whilst POTS could do 55.2-40… Oh the life time of Lead Acid accumulators is dependent on what voltage you discharge them to. Down to 10V gives you maybe 200-500 charges, only down to 11V 750-1500 charges, go below 10V and you damage the battery to the point it might not hold even 10% of its original charge capacity again… For Sealed Lead Acid Batteries (SLABs) that use a paste as the electrolyte the voltages are slightly different. However the “capacity” is not the volts times current rating printed on the side. The sensible no lower than 11V discharge only gives about 60% of the capacity you might otherwise expect. So 12V@7A only gives 50Whours as opposed to the 84Whours you might feel entitled to.

[2] As we now know “electron current” is in the opposite direction to “normal/conventional current” charge flow. Back in the early telephone days where everything was “electromechanical” it made not a jot of difference which polarity you decided to use as ground so +V was often the default. It was only with the advent of Valves / Tubes where you had “low tension” 4-12V DC for the “heaters” that had to be very close to the cathode of the more than lethal “high tension” 180-15,000V DC voltage that using -V as the ground started to make some kind of sense. And with electronic design unlike that of electromechanical design of POTS and transport vehicles the -V convention has stuck. So much so that car manufacturers are “switching over” from +V “chassis return” to -V “Ground return”, and yes the name change has meaning as well as the likes of automotive data busses have stopped using the “chassis” with its mostly iron thus very high AC impedance to return current, they now use a proper copper ground wire to try to minimise the AC impedance to significantly reduce electrical noise and increase reliability.

[3] All twisted pair (UTP) ethernet signalling is “differential” and the standards require the use of “Pulse Transformers” or similar for “galvanic isolation”. Thus you can use one twisted pair to carry +V and the other -V and take the power out of the “primary winding center tap”. The problem is there is only so much DC current you can pull through the winding before you start getting problems with the tiny ferrite core. Likewise there is the I^2 R power loss in the CAT cables which gives rise to heating issues. Back with CAT3 and some CAT5 there were less problems as you had “spare pairs” you could carry DC on but did not also have to carry data. Unfortunately data speeds have gone up so all four pairs are required to carry data and the likes of “crossover” cables can really ruin your day with PoE…

Tatütata July 9, 2019 4:28 PM

Err maybe not these days… apparently according to some blurb I saw the other day PXE-Boot has come to the Pi 4B.

Aaaaaargh! Any other good news? But according to this page, PXE booting must be enabled on the Pi 3, by flipping a single bit in a configuration somewhere. I would hope that the Pi 4 is compatible in that respect. But I would feel more confident with a DIP header or a switch…

One such “manufacturer standard” for PoE is from Ubiquiti and it’s a very non standard 24V…

I know this problem first hand, I bought a WLAN access point alleging “PoE” on the package, but disappointingly incompatible with the actual PoE standard. 🙁 A special power supply is provided.

What people tend to forget is the “ring voltage” it has to withstand which is basically up to ~200V peak AC…

I would never dare connecting a telephone cable directly to the mains… (But I did run old teletypes with ~150V=, albeit with galvanic insulation)

I needed a wee amount (2-3 watts, IIRC) of mains power for an older model Omega Engineering temperature controller placed at a rather inconvenient location. I stepped down the mains voltage to 24V with a small transformer, and stepped it up to the mains voltage at the other end of a Cat 5 cable with another one. The two other pairs were used for the temperature signal and process control. It ain’t pretty, but the thing is still working like a charm.

I also used RJ45 connectors, and carefully selected the connections to avoid something nefarious from happening to an eventual accidental connection to an Ethernet cable.

Which brings me to a theory: Ethernet cable connections were chosen in the 1970s to avoid problems with accidental connections to telephone equipment. The Bell System had a crufty little interface for 202 and 212 modems called a “data access arrangement”. It was a model 500 telephone set with an RJ45 connector for the ancillary equipment.

And this is why I hurt my eyes putting the [@#!@#] wires in the [@#!@#] right order when I crimp the [@#!@#] RJ45 connector.

EvilKiru July 9, 2019 5:08 PM

@Tatütata: My recent (last summer) solution to the RJ45 crimping problem was to stop making my own network cables.

Weather July 9, 2019 9:32 PM

12.4-11.8volt lead acid battery, the cellphone keyboard having problems again;)

David #2 July 9, 2019 11:08 PM


“Minus side: it’s still not your machine, and there is no “safety in numbers” factor. Your server’s IP address uniquely identifies you.”

You’ve covered many aspects of using a VPN or VPS to route traffic, but most of these services glue you down with credit card or payment information which irrevocably identifies yourself. The aforementioned methods would theoretically circumvent blocking at the transit layer but I don’t see how they protect one’s identity.

Clive proposes a layered approach but at the end of the day you need a free service to obfuscate an identity which most likely won’t provide enough bandwidth due to cost reasons.

Thus, the missing link appears to be two fronts as you would need either a free service or a method to obfuscate payments.

7 July 2019 ...... July 10, 2019 9:12 AM

The Freedom of the Press Foundation has a bunch of interesting guide links that include:

Protonmail like a pro
Your smartphone and you: A handbook to modern mobile maintenance
Verifying open source software

7 July 2019 ...... July 10, 2019 10:18 AM

“thaddeus e. grugq
‏ @thegrugq

thaddeus e. grugq Retweeted Jessica Contrera

So much to cover here, I’ll just do points:
• 30 yrs ago, this’d be a hard case to prove
• OPSEC, if you’re covering your face, “cover” your phone
• f?ck Nazis
• stupid edgelords
• when SIGINT closes a door it opens a window
• “going dark” AND “more data” can both be true

thaddeus e. grugq added,
Jessica Contrera
Verified account @mjcontrera

These white teens wore masks so they wouldn’t get caught committing a
hate crime.

Little did they know: When they snuck on campus to paint…” ; link may not work without tracking stuff: “? … appended”

” A black principal, four white teens and the ‘senior prank’ that became a hate crime

The students swore they weren’t racists. Now a Maryland judge would decide their fate.


Eventually they were told: The school’s WiFi system requires students to use individual IDs to get online. After they log in once, their phones automatically connect whenever they are on campus.

At 11:35 p.m. on May 23, the students’ IDs began auto-connecting to the WiFi. It took only a few clicks to find out exactly who was beneath those T-shirt masks. …”

Clive Robinson July 10, 2019 12:06 PM

@ Weather,


Not sure where you got that range from, but one figure appears to be from the C/10 discharge curve the other from the C/100 discharge curve.

A Lead Acid Battery (LAB) is generally quoted at a Max normal current[1] determined by the manufacturer to give minimum returns whilst still being attractive price wise. This value is often referred to as C, that’s the figure you see as around 7Amp Hours in SLABs 100Ah in automotive batteries and 350A and above in AGM batteries.

The average 12V deep cycle LAB has six cells, during final or “float charge” these get to a “float voltage” around 2.1 to 2.35 volts per cell in normal environmental temperature (0-50C, at 0 Celsius capacity is only 85% and drops dramatically as you go down). Or about 12.6-14.1 volts for a 12 volt battery depending on age and temperature and its gassing voltage which is often room temp quoted as 13.8. However float charging is very slow and only gets you to around 85% of the actual capacity at the best of times. Thus constant current charging at C/10 or C/4 depending on the manufacturer’s recommendation is used until the voltage gets to around 14.4V when the charger switches over to either float charging, or monitors the terminal voltage and blips constant current on from time to time. It’s marginally different for AGM and SLAB paste/gel units.

Part of this charging above the nominal 13.8 gassing voltage is to “de-sulfate the plates” and try to ensure as much of the acid returns into the electrolyte as reasonably possible to get as close to 100% capacity and a longer effective life.

Thus the battery voltage range is one of those things you have to be careful with as an electronics designer. Because it’s unwise to design for the maximum voltage of the battery, you really need to design for the maximum voltage of the battery under charger or the unloaded charger alone. Which with the batteries on charge is 15V. But the equipment still has to “function effectively” or satisfactorily down to the 0% charge voltage which is ~10V.

The discharge for both the liquid and gel cells is about the same when internal resistance is accounted for (unsurprising as the chemistry is very similar). However they have different temperature curves. So when you measure the voltage at the terminals you have to be very mindful of the current that is being drawn and at what temperature. Not just because of “internal resistance” drops but other effects.

The residual charge capacity of a LAB in use (discharge) can be approximately calculated by terminal voltage at a known discharge current usually given as C/n where n is the fraction of the rating. Obviously this varies quite a bit due to internal chemistry and physical make up. But the 0% charge voltage is usually 9.8-10.2V@C/5 allowing for temperature, rising to 11.7-12.0@C/100.

Until fairly recently the way considered most reliable to calculate the remaining capacity in a LAB was by measuring the electrolyte density (1.25 down to 1) “off load” and look it up on a chart against temperature supplied by the battery manufacturer.

However due to increasing use of gel-cell SLABs, very low power microelectronics can now use “charge/discharge” monitoring. In essence they measure the charge that goes in and the charge that goes out and calculate the remaining charge.

[1] The rating of LABs involves a bit of “specmanship” and it’s expected that you will not get “What it says on the tin”.

vas pup July 10, 2019 12:57 PM

This article has interesting content for your input as possible security angle of such technology:
Storing data in music

“Researchers have developed a technique for embedding data in music and transmitting it to a smartphone. Since the data is imperceptible to the human ear, it doesn’t affect listening pleasure. This could have interesting applications in hotels, museums and department stores.”

As you stated many times on this respected blog almost any technology could be used for good and for evil.

Clive Robinson July 10, 2019 1:20 PM

@ David #2,

most of these services glue you down with credit card or payment information which irrevocably identifies yourself.

It depends on which jurisdiction you are in. As far as I’m aware due to gambling legislation in the US you can not get “unverified” payment cards of any type other than some “gift cards”.

Some countries such as the UK allow there to be “unverified” “pre-pay with cash” (via post office counter) cards from payment Card Issuers such as EVM, that in effect are anonymous or can be if you bend the rules slightly (some need a utility bill with the name you are using on it).

Though you need to watch out, some in the UK have massive monthly fees, others huge transaction fees and likewise top up fees, even when done from a traceable source such as a bank account.

There was a time when they did not have horrendous fees, and I looked into getting one to do Internet Shopping with… But the cost for most is unjustifiable these days.

Which kind of reminds me about the “If you make it illegal then only criminals will use it” we hear in Crypto arguments. They have made pre-pay cards so expensive that it really would only be of interest to criminals etc…

A90210 July 10, 2019 6:18 PM


“Android’s App permission system does not seem to work correctly:”

I don’t get why Android Aficionados (as opposed to Apple Fanbois, or whatever):

1) think buying a new phone/pad every 2-3 years to get security updates makes sense

2) seem to ignore security warnings about using Android devices (period) from security experts

3) expect anything but surveillance capitalism from Google. For example,

“Sheryl Sandberg, says Zuboff, played the role of Typhoid Mary, bringing surveillance capitalism from Google to Facebook.”

4) and so on

From your link above:

“More than 1,000 Android apps harvest data even after you deny permissions

The apps gather information such as location, even after owners explicitly say no. Google says a fix won’t come until Android Q.”

Hope springs eternal.

How stupid are we?

Shame on you, shame on me.

and so on

Clive Robinson July 10, 2019 6:47 PM

@ vas pup,

The Beeb article on the Norwegian Prison service,

1, Points out that it is more expensive in a given time period.

Which as in the UK we bang two or more in a cell designed in the Victorian era for one for 96% of the time with the human wastes they generate in that time. Understandably leads to not just significant stress, but bullying and consequential violence. And is all down to UK Politicians, especially the soon to be Ex PM.

What the Beeb also mentions is,

2, The rate of re-offending in the UK is more than twice that of Norway.

But what they fail to mention importantly is that,

3, UK prison terms are longer than those in Norway, and considerably more for re-offenders.

4, In Norway they do not lock people up for minor crimes, they prefer social schemes where the offenders “pay back” to society by expending effort in improving society, and they usually take care not to disrupt work or home life, of the offender.

5, Often the non Norwegian non custodial “pay back to society” contains an educative element as well as support for mental healrh and other things like addiction. Thus aim to inprove the offenders lot as well as getting them to “pay back to society”.

6, UK prisons unlike Norwegian prisons spend next to nothing on rehabilitation education, mental health or addiction problems especially on the lesser crimes.

Thus the impression the Beeb article gives about such a penal service being more expensive is more than somewhat biased. I suspect over an offender's life time it actually costs less than half the UK system. Oh and speaking of “Offender life time” I’ll let others look up the differences in violence and suicides between the UK and Norwegian systems, because to be frank it’s shocking.

The UK system like the US system is an industrialized process to make society worse a lot worse and now make private organisations significant profit. The only thing such corporations care about is minimising their non asset costs and having long sentences and significant number of reoffenders because that has two beneficial effects,

A, It makes them a lot more profit.

B, It gives politicians an easy subject to decry, thus keeps them happy which is also good for profit, as long as the directors remember to kick-back some of that money back into the political party coffers…

Sometimes it’s hard to tell who the real criminals actually are…

With regards,

This article have interesting content for your input as possible security angle of such technology: Storing data in music.

Music like images has a very large amount of redundancy in it thus a high degree of entropy is available.

Back in the early days of DSP one trick was to alter the phase of various signals in audio. The reason for this is two fold,

1, The human ear has a very poor response to phase of individual tones (though it is reasonable at phase difference to get directionality).

2, By adjusting phase the actual electrical dynamic range could be significantly reduced.

The second point might need a little explanation. The “average dynamic range” is “the root mean square” (RMS) of the signals. However the peak dynamic range needed is the sum of the signals.

So if you had four 1V signals the peak voltage when all their peaks are in phase is 4V however the average is only sqr(4) or 2. Whilst this does not appear to be so bad amplifiers are power based and power is related to V^2 thus the peak is 16 times an individual signal whilst the mean is only 4 times the power. Thus by careful phase modulation you can eliminate the peak power.

Now the fun bit, if you split the audio band up into frequency bins via an FFT you can rotate the phase of the bins to get the music to sound considerably louder than it really is. Which is why the VU meters on heavy Rock hardly move whilst for classical the meter needles jump up and down like fleas in a hot pan.

Now if you understand the notion of “differential encoding” where the mean of the two signals is constant because whilst one goes up 20% the other goes down 20% you quickly realise that you can select frequency bins to encode data in without the human ear picking it up. Further if you change the frequency bins in a pre-arranged way, not only will a VU meter not show the data, but the human eye watching the output of either a frequency or parametric equalizer won’t see it either.

The above is just a simple system that would fail to a suitable “spectral waterfall” or “Sonogram”. However by modulating the data the same way as you would for a Direct Sequence Spread Spectrum (DSSS) signal which used to be used in Low Probability of Intercept (LPI) secure comms systems you can understand why the DRM people got all excited about it in the late 1990’s for “Digital Watermarking”. Thus we have known how to effectively hide data in not just music but images for a couple of decades.

Now a little knowledge about how the human inner ear works. Put simply there is a coiled tube that looks like a multi turn snail shell. This is because the tube is tapered in a way that it has a logarithmic decrease in diameter and it is built as a spiral. The inside face of the tube is covered in special cells that have what are best described as “hairs that act as resonators” and they do like all resonators or tuned circuits store energy. If a pure tone is sent, a resonator close to that frequency will start to store the energy coherently and it will build up. Other resonators will also pick up energy but due to the frequency differences the energy will quickly die down as the phase difference will quickly cause the energy to oppose that in the resonator. So after a time period only the resonator close to the frequency will have a significant amount of energy stored in it.

Now comes the interesting bit all resonators have a bandwidth that is related to the resonator's natural frequency and its “Q” or “Quality factor”. Thus two frequencies close together will fall within the resonator's bandwidth or “frequency bin”. The result is their amplitudes will add together and as the frequency difference between them causes a phase shift the amplitude of the combined signal will in effect be envelope modulated (think AM signal) at the difference frequency. Now if you have two pairs of frequencies with identical frequency differences you get two envelope modulated signals at the same modulation frequency, but with a phase difference you can control. Thus you can PSK modulate to your heart's content and the human ear is going to be very insensitive to it.

The problem is knowing where these pairs of frequencies are. If you remember back, it was this blog that made clear to the world that due to the types of piezo microphones and speakers in laptops the notion of the BadBIOS above ordinary human hearing was not only possible, but also how a technical trick from the 1970’s that enabled ROM code on PC I/O cards to load drivers in persistently at boot time was still in the BIOS specifications and Microsoft amongst others still honoured it in their latest OSs of the time.

Well that “high frequency” signalling has sufficient bandwidth to identify when data is being sent and the approximate frequency bin to look in.

Wrap that all together as has been suggested before and yes you can send data in music as effectively as you can DRM watermark it.
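The “differential encoding” in frequency bins described in the comment above, together with the per-bin spectral view that the comment says the simple scheme fails against, as an added example that is not part of the original comment. The frame length, the bin pairs, the pure-tone carrier and the detection threshold are constructed assumptions; only the 20% up / 20% down figure comes from the comment.

```python
import cmath
import math

N = 256                                           # samples per frame (constructed)
PAIRS = [(10, 14), (20, 24), (30, 34), (40, 44)]  # hypothetical bin pairs, one bit each
DEPTH = 0.20                                      # "one goes up 20% the other goes down 20%"

def synth(bits, depth=DEPTH):
    """Build one frame of tones; each bit tilts its bin pair up/down by `depth`."""
    amps = {}
    for (a, b), bit in zip(PAIRS, bits):
        d = depth if bit else -depth
        amps[a], amps[b] = 1 + d, 1 - d
    return [sum(A * math.cos(2 * math.pi * k * n / N) for k, A in amps.items())
            for n in range(N)]

def bin_amp(x, k):
    """Amplitude of DFT bin k, scaled so a unit-amplitude tone reads 1.0."""
    s = sum(v * cmath.exp(-2j * math.pi * k * n / N) for n, v in enumerate(x))
    return 2 * abs(s) / N

def pair_view(x):
    """Per pair: (mean amplitude, amplitude difference between the two bins)."""
    return [((bin_amp(x, a) + bin_amp(x, b)) / 2, bin_amp(x, a) - bin_amp(x, b))
            for a, b in PAIRS]

def decode(x):
    """Recover the bits from the sign of each pair's difference."""
    return [1 if diff > 0 else 0 for _, diff in pair_view(x)]

def rms(x):
    """Overall level of the frame, roughly what a level meter responds to."""
    return math.sqrt(sum(v * v for v in x) / len(x))

def imbalanced_pairs(x, threshold=0.05):
    """Detection view: pairs whose per-bin difference exceeds a hypothetical threshold."""
    return [p for p, (_, diff) in zip(PAIRS, pair_view(x)) if abs(diff) > threshold]

if __name__ == "__main__":
    carrier = synth([0, 0, 0, 0], depth=0.0)      # same tones, nothing embedded
    marked = synth([1, 0, 1, 1])
    print("overall RMS, carrier vs marked:", round(rms(carrier), 4), round(rms(marked), 4))
    print("pair means (marked):", [round(m, 3) for m, _ in pair_view(marked)])
    print("pairs flagged, carrier vs marked:", imbalanced_pairs(carrier), imbalanced_pairs(marked))
    print("decoded bits:", decode(marked))
```

The overall level is identical for every bit pattern and each pair's mean amplitude stays at 1.0, while the per-bin differences stand out as soon as the spectrum is examined bin by bin.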

MarkH July 11, 2019 5:40 AM

WannaCry Saga

Here’s an interesting and entertaining account of the story of the WannaCry ransomware worm from techcrunch.

To refresh any reader’s memory, WannaCry is ransomware which (quite exceptionally) is very efficient at propagating itself from computer to computer, and infected a vast number of victims within a few hours, in May of 2017.

Two very young network security guys, Marcus Hutchins and Jamie Hankins, took on the challenge of fighting WannaCry in a marathon effort from their homes (in opposite hemispheres).

Assisted a little by luck, they set up an internet “kill switch” which effectively stopped the propagation.

One of the hardest hit victims was the UK’s National Health Service, which was unable to operate some of its hospitals, including emergency rooms.

As Hankins recalls, “Being responsible for this thing that’s propping up the NHS? F***ing terrifying.”

One challenge they had to contend with was that whoever controls the Mirai botnet tried to disable the kill switch by a DOS attack.

Fortunately, these young benefactors of internet security had hosted the kill switch on high-redundancy servers, though not without numerous difficulties.

A problem that persists, is that some people think the kill switch is a cause of WannaCry and not a remedy; one consequence of this was seizure by French police of some of their servers …

Nonetheless, the kill switch has operated without interruption since the early hours of the spread of WannaCry.

Despite all the time that has elapsed, and the easy availability of patches — since prior to the attack! — many computers and networks are still affected.

Last month, Cloudflare (which has kindly provided DOS protection for the kill switch) suffered an outage for several hours. Fortunately, the network of kill switch servers is sufficiently redundant that it hummed along … but during that short time, there were 220,000 attempted WannaCry executions, according to Hankins.

As many may be aware, Hutchins was arrested in the US for criminal malware work he did as a teen. He entered guilty pleas in April, and will be sentenced in a few weeks.

Apparently he faces a prison term of up to 10 years.

Probably one motivation for the article, was to remind the world of his service to the public. Personally, I hope that the court will take this into account.

JG4 July 11, 2019 9:35 PM

Another treasure trove of security issues.

“‘A white-collar sweatshop’: Google Assistant contractors allege wage theft” [Guardian]. “”It’s smoke and mirrors if anything,” said a current Google employee who, as with the others quoted in this story, spoke on condition of anonymity because they were not authorized to speak to the press. “Artificial intelligence is not that artificial; it’s human beings that are doing the work.”

News of the Wired

“Metallica to publish children’s book, The ABCs of Metallica” [Guardian]. • Is your child getting enough metal?

“Logan Co. man allegedly driving stolen vehicle filled with uranium, a rattlesnake, and Kentucky Deluxe” [Oklahoma News 4]. “Sgt. Gibbs said “[t]he uranium is the wild card in that situation.’ The uranium hasn’t resulted in charges. Guthrie police are still trying to figure out exactly what the suspects were going to use it for. There are no charges from the rattlesnake either. ‘It happens to be rattlesnake season at the time, so he can be in possession of this rattlesnake because he has a valid lifetime hunting and fishing license,’ Sgt. Gibbs said.” • A busy day for Sgt. Gibbs.

“Man ridicules Olive Garden’s demand letter over trademark dispute” [Ars Technica]. • Very funny, and I can’t think how I missed it at the time. “Mr. Forcements—may I call you Branden?”

7 July 2019 ...... July 12, 2019 8:42 AM

“Mobile threats
New FinSpy iOS and Android implants revealed ITW

FinSpy is spyware made by the German company Gamma Group. Through its UK-based subsidiary Gamma International Gamma Group sells FinSpy to government and law enforcement organizations all over the world. FinSpy is used to collect a variety of private user information on various platforms [ iOS and Android ]. Its implants for desktop devices were first described in 2011 by Wikileaks and mobile implants were discovered in 2012. Since then Kaspersky has continuously monitored the development of this malware and the emergence of new versions in the wild. According to our telemetry, several dozen unique mobile devices have been infected over the past year, with recent activity recorded in Myanmar in June 2019. Late in 2018, experts at Kaspersky looked at the functionally latest versions of FinSpy implants for iOS and Android, built in mid-2018. Mobile implants for iOS and Android have almost the same functionality. They are capable of collecting personal information such as contacts, SMS/MMS messages, emails, calendars, GPS location, photos, files in memory, phone call recordings and data from the most popular messengers.


The Android implant has functionality to gain root privileges on an unrooted device by abusing known vulnerabilities. As for the iOS version, it seems that Gamma’s solution doesn’t provide infection exploits for its customers, as their product seems to be fine-tuned to clean traces of publicly available jailbreaking tools. That might imply physical access to the victim in cases where devices are not already jailbroken. At the same time, multiple features that we haven’t observed before in malware designed for this platform are implemented.”

Clive Robinson July 12, 2019 11:55 AM

@ Bruce and the usual suspects,

It appears that the likes of Facebook and Google are going to be burning the midnight oil over Real Time Bidding (RTB) end user targeted adverts.

There has not only been a complaint made to the UK Information Commissioners Office (ICO) but an interim progress report issued and it has basically lots of PII zooming off to hundreds of unaccountable companies.

As we know these intermediate companies between the likes of Facebook and the publishers are frequently behaving criminally (fraud) or worse than many criminals. With those placing advertising revenue basically being bilked, with little or no revenue making it through the pipe line to the publishers, and Facebook and Co are very well aware of it and profiting greatly. Likewise there is strong reason to believe that they are not in many cases in any way compliant with data protection legislation.

7 July 2019 ...... July 12, 2019 2:08 PM


“Read that sentence out loud, to yourself, very slowly”

AFAIK Noam Chomsky still considers the Wall Street Journal (WSJ) a good source for facts (as opposed to its Opinion pages). In addition, the Washington Post, IMO, has done some good reporting, too.

Granted they take ads. That’s one reason I like .

As you know, threat modeling, is, of course, relevant in making hardware and software choices.

Clive Robinson July 12, 2019 3:33 PM

@ 7 July 2019 ……,

In addition, the Washington Post, IMO, has done some good reporting, too.

The problem is the WashPo appears to be following the bad habits of the New York Times.

The NYT has in effect created “fake news” by putting “Opinion pieces” in with “News reporting”.

This used to be a major “No No” in reputable newspapers.

But if you want a hint as to why,

Then look up Mark Thompson’s history at the BBC, quality it was not…

Mind you I guess Carlos Slim is not quite as happy,

MarkH July 12, 2019 6:32 PM

@Clive et al.

The operations of most major news organizations have many objectionable attributes.

Personally, I regret the mingling of news with opinion (though I mind it less when it is made very clear that that’s what’s going on). Not only does it dilute the presentation of facts (with no value added), but also gives cover for the culprits who dislike the factual truths being reported.

In the English language at least, the most neutral sources are the major “wire services” like Reuters and Associated Press.

However, New York Times and Washington Post have unique roles in the U.S.

If you strip out the opinionating (which though not enjoyable, is also not difficult), the factual claims* of those newspapers (and a few other major sources of U.S. reportage) have a very high accuracy rate, and are subject to published correction when found to be wrong.

Most importantly, they have resources to uncover information which other news organizations simply don’t have. Especially since the U.S. elected its own President Yanukovich, they have published numerous articles based on interviews with dozens of sources (in some cases more than 50 if I recall correctly) and sometimes requiring months of effort.

If speaking truth to power is a necessity for government responsive to the governed, then those papers are existential supports.

* It’s important to distinguish between simple statements (so-and-so met on 19 April) and attributed statements (so-and-so said …), because the first category has been verified by the newspaper, and the second category was not practical to verify.

Both kinds are literally true (so-and-so DID say the quoted words), but the correspondence to fact of the represented matter is obviously different.

However, because these newspapers have access to large networks of sources, and a deep base of experience with many of them, they can assess the reliability of what is being said, the attributed stories are far more factual than not.


Sidebar photo of Bruce Schneier by Joe MacInnis.