Comments

Anders September 20, 2019 4:21 PM

Tallinn City Government / City Office got hit with
a phishing attack.

Phishing e-mails appear to come from the IT department
stating that e-mail access will be closed without a
personal data update. The link led to a phishing site
where usernames and passwords were entered. Crooks
used those login names and passwords to access web-
based e-mail and send more phishing e-mails from there.

Google Translate is your friend

hxxps://www.delfi.ee/news/paevauudised/eesti/tallinna-linnavalitsuse-tootajad-langesid-kuberkurjategijate-ohvriteks-tekitatud-kahju-pole-veel-selge?id=87467629
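An added example, not part of Anders’ comment or the linked article: the second stage of the incident above (stolen credentials used to log into webmail and blast the same lure to many recipients) is something a mail admin can spot in their own logs. The script below runs a simple mass-mailing heuristic over constructed authentication and outbound-send log lines; the log format, the 30-minute window and the five-recipient threshold are assumptions for this example, not anything from the Tallinn case.

```python
"""Flag a mailbox that starts mass-mailing one subject shortly after a login.

Added example (not from the original comment). Log format and thresholds
are assumptions for this demonstration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)   # assumed: sends within 30 min of each other
THRESHOLD = 5                    # assumed: distinct recipients of one subject

# Constructed sample log (not real data). Fields: time|event|user|key=value...
SAMPLE_LOG = """\
2019-09-19T08:02:11|login|alice|ip=203.0.113.5
2019-09-19T08:05:40|send|alice|to=bob@example.org|subj=Lunch on Friday?
2019-09-19T08:20:03|send|alice|to=carol@example.org|subj=Lunch on Friday?
2019-09-19T14:10:02|login|carol|ip=198.51.100.77
2019-09-19T14:11:15|send|carol|to=u1@example.org|subj=Your mailbox will be closed
2019-09-19T14:11:16|send|carol|to=u2@example.org|subj=Your mailbox will be closed
2019-09-19T14:11:17|send|carol|to=u3@example.org|subj=Your mailbox will be closed
2019-09-19T14:11:18|send|carol|to=u4@example.org|subj=Your mailbox will be closed
2019-09-19T14:11:19|send|carol|to=u5@example.org|subj=Your mailbox will be closed
2019-09-19T14:11:20|send|carol|to=u6@example.org|subj=Your mailbox will be closed
2019-09-19T15:30:00|send|dave|to=u1@example.org|subj=Your mailbox will be closed
"""


def parse_log(text):
    """Parse 'time|event|user|k=v|k=v' lines into (time, event, user, fields)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, user, *rest = line.split("|")
        fields = dict(f.split("=", 1) for f in rest)
        events.append((datetime.fromisoformat(ts), kind, user, fields))
    return events


def find_mass_mailers(events, window=WINDOW, threshold=THRESHOLD):
    """Return {user: finding} for users sending one subject to >= threshold
    distinct recipients inside `window`; records the preceding login IP if
    that login also happened inside the window (a webmail session)."""
    last_login = {}                      # user -> (login time, ip)
    sends = defaultdict(list)            # (user, subject) -> [(time, recipient)]
    findings = {}
    for ts, kind, user, f in sorted(events, key=lambda e: e[0]):
        if kind == "login":
            last_login[user] = (ts, f.get("ip"))
            continue
        if kind != "send":
            continue
        bucket = sends[(user, f["subj"])]
        bucket.append((ts, f["to"]))
        while bucket and ts - bucket[0][0] > window:   # slide the window
            bucket.pop(0)
        distinct = {rcpt for _, rcpt in bucket}
        if len(distinct) >= threshold and user not in findings:
            login = last_login.get(user)
            recent = login is not None and ts - login[0] <= window
            findings[user] = {
                "subject": f["subj"],
                "recipients": len(distinct),
                "first_flagged": ts.isoformat(),
                "login_ip": login[1] if recent else None,
            }
    return findings


if __name__ == "__main__":
    for user, info in find_mass_mailers(parse_log(SAMPLE_LOG)).items():
        print(user, info)
```

In real deployments the threshold should be tuned per role (a helpdesk account legitimately sends one subject to many people), and the login IP is worth correlating with the user’s usual locations before forcing a password reset.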

kIOKS September 20, 2019 6:40 PM

Now kiosks with passport scanners and a camera for facial recognition do nearly all the immigration and customs processing. If the facial recognition comparison of the image captured by the camera is a good match to the one in the passport and you have no customs duty to pay, you fly by officers trying to sniff out those exhibiting tell-tale signs of smuggling, fraud or terrorism!

Wesley Parish September 21, 2019 3:20 AM

Spy-vs-Spy:

Supply chain actors agree that everyone’s a security risk – except themselves, of course
https://www.theregister.co.uk/2019/09/20/supply_chain_actors_agree_that_everyone_is_a_security_risk_except_themselves/

Much more fun was watching those in various supply chains point the finger at each other. A significant 39 per cent were concerned by the level of cyber risk posed to their organisations by their supply chain vendors. But when asked whether they themselves could be a risk to everyone else, only 19 per cent admitted they might.

Clive Robinson September 21, 2019 7:48 AM

@ Wesley Parish,

Supply chain actors agree that everyone’s a security risk – except themselves, of course

They are right, at the end of the day we hope others will not betray our trust now or in the future. But as we know with “short term thinking” forty pieces of silver looks good today…

If we don’t trust we have no economy or science and engineering, thus early and painful deaths for us all. So not trusting is not an option.

The only way to stop betrayal is to make the consequences so drastic that nobody will do it.

As we know setting up a system with those sorts of consequences causes others to behave in a way that is betrayal (NSA, CIA, etc etc etc).

That in turn can so offend others morality that they will despite the consequences make public those dirty little secrets the agencies hoped to keep hidden that have hurt us all.

It appears whatever we have tried, betrayal or breach of trust is a certainty when there is reason for it to happen.

It’s why some argue transparency is the only option. But a hundred thousand years or more of supposed “survival of the fittest” has taught us keeping secrets is the real way to survive. So much so it’s built into our “monkey brains” in a very fundamental way.

Scott September 21, 2019 9:11 AM

OK. Last time no one had an opinion on Chromebooks to use as secure devices in oppressive regimes. https://www.schneier.com/blog/archives/2019/09/massive_iphone_.html#c6798240

So let me ask you about a different OS: Trusted End Node Security. https://distrowatch.com/table.php?distribution=tens

Is it any good for the above scenario? How can it be secure if it doesn’t get any updates, browser patches, nothing? There is one new release about every 6 months to one year but between these sparse releases, nothing.

Clive Robinson September 21, 2019 9:24 AM

@ JF,

There are three underlying economic factors as to why this is happening, that are important but rarely make it into security analysis…

In the article you will see,

    rhodium and palladium, with gangs stripping the parts and selling them overseas. Rhodium is trading at double its price at the start of the year and more than eight times its 2016 value.

Thus the first problem is the excessive rise in fiscal value.

This brings up the second problem of single supply. These are “Rare Earth Metals” which are generally only available from China for quite a number of reasons. Thus China tightening control on them for their own economic benefit has created shortages which have been worsened by US trade policy that in effect demands only the US treasury benefit[1].

Thirdly the lack of replacement parts is happening in the UK due to an economic balance adjusting deadline (Brexit) where there are now artificial shortages due to the imposed excessive economic uncertainty[2].

Having got those out of the way it brings us onto the part technology plays, which is barely mentioned in the article and comes from within a Police Tweet,

    … was taken by relay attack.

Which brings us on to the way the crimes are facilitated in being committed by RF technology. Which is what you highlight in your comment of,

A kind of man-in-the-middle attack on car locks has gone big in the UK

The “RF Relay” method used in that attack has actually been known for over a decade, and the ideas behind it were first used during WWII. But for most of that decade or so economics was still in play as it was nowhere near being the “lowest hanging fruit”. This fourth economic factor is also generally missed in security analyses…

However changes in technology have had two significantly further effects.

Firstly it’s very much reduced the cost and very much eased the ability to mount such attacks due to SoCs for the likes of IoT, digital TV and radio, and children’s toys etc[3] becoming not just very inexpensive –tens of cents– but easily and effectively anonymously available.

Secondly, whilst the vehicle manufacturers –like the hospitality industry– care way more about consumer convenience than security of their products because “convenience” sells whilst “security” does not, they have as a result made such crimes very much more convenient.

So with the six causal effects I’ve mentioned we have in practice a “100-year storm” effect, and consumers are left with a great deal of inconvenience…

All of which will, we hope, cause vehicle manufacturers to rethink things so that this attack no longer works.

That said however finding “distance limiting technology” that actually works at very low cost is kind of one of those “Holy Grail” quests currently. And it has been for around a quarter of a century with no real end in sight yet.

Whilst there are “cross field” and “MIMO” systems that will do the range limiting they are very far from inexpensive, but also they are not sufficiently reliable to be convenient… This may well change quite quickly in a similar way to the integration of signalling that allowed DSL technology to develop to the point it still makes short runs of copper pair POTS land lines viable, effectively decimating analog modems after they had been through a similar technological spurt.

[1] It’s a similar issue to that of oil and OPEC. The difference being the US and other nations’ Treasuries doubly exploit to their benefit. That is they tax the consumer heavily making the pump price excessively high using the broken idea that price will drive down demand (it does not). They also know that their outgoing petro dollars flow back in via export of the likes of high tech the OPEC nations can not manufacture. Thus the likes of the arms trade not only brings the petro dollars back it cross-subsidises the cost of their own weapons procurement. Which is why they put up with OPEC but are railing against China as exports to China don’t really cross-subsidise things that certain interests require.

[2] That is UK suppliers are trying to import as much stock as they can prior to the expected Brexit at the end of October, and as normal they are trying to do it on credit. Overseas suppliers think the UK economy will tank after Brexit thus the GBP will significantly devalue. Some believe it will devalue against any potential profit, so they are holding back on supply which means according to basic economic theory the price should go up significantly, but due to “tied pricing” it won’t for a year or so.

[3] If you think about a baby monitor it is actually just a relay for digital audio through an RF link. It takes only a few seconds of thought to realise you can turn them around to make an RF detector with digital output that can then be sent to the other unit to be retransmitted on an entirely different radio frequency. With two such units you have your radio or RF relay for a very small amount of outlay and a little bit of specialised effort and a fair amount of specialised knowledge. It’s not just baby monitors that you can use, those devices that relay your IR TV remote control into another room can be made into such a relay. But if you really know what you are doing you can take a satellite TV Low Noise Block (LNB) and by turning the two devices in it around make a receiving X-Band to low UHF band transverter into a low UHF band to X-Band transmitting transverter thus make an easy “Microwave Link” that will go several km line of sight. If you want to go further you can fairly easily get an X-Band Doppler radar unit of the kind used in traffic lights and the like. These are easy to convert to an X-Band transmitter which when used with the satellite TV dish, LNB and UHF receiver will make either an audio or digital link good for 30 km or more line of sight. And if you replace the low power Gunn Diode in the Doppler radar with a high power one you can get at least 100 km (which I’ve done in the past).
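An added example, not part of Clive’s comment or any vendor’s code: the “distance limiting technology” he mentions as the counter to relay attacks is usually called distance bounding, and its core idea fits in a few lines. The car issues a fresh random challenge, the genuine fob answers with a keyed response, and the car rejects the answer if the round-trip time exceeds what light-speed travel over the permitted distance allows. A relay can carry the radio signal, so the cryptographic answer is still correct, but it cannot shorten the physical path, so the timing check fails. The simulation below models the timing rather than measuring it; the 2 m policy, the 5 ns fob latency and the key handling are assumptions of this example.

```python
"""Distance-bounding check against a relayed key fob (simulation).

Added example, not from the original comment. Round-trip times are
modelled from distance and assumed latencies, not measured on a clock.
"""
import hashlib
import hmac
import secrets

C = 299_792_458.0            # speed of light in m/s
MAX_DISTANCE_M = 2.0         # assumed policy: fob must be within 2 m of the car
FOB_PROCESSING_S = 5e-9      # assumed fixed fob response latency (5 ns)
ROUNDS = 32                  # challenge/response rounds per unlock attempt


def fob_response(key: bytes, challenge: bytes) -> bytes:
    """Fob side: keyed answer to a fresh challenge (truncated HMAC-SHA256)."""
    return hmac.new(key, challenge, hashlib.sha256).digest()[:4]


def rtt_bound_s(max_distance_m: float = MAX_DISTANCE_M,
                processing_s: float = FOB_PROCESSING_S) -> float:
    """Longest round trip the car accepts: out and back at light speed
    over the permitted distance, plus the fob's fixed processing time."""
    return 2.0 * max_distance_m / C + processing_s


def run_unlock(car_key: bytes, fob_key: bytes, fob_distance_m: float,
               relay_delay_s: float = 0.0, rounds: int = ROUNDS) -> tuple:
    """Car side. Returns (crypto_ok, timing_ok).

    fob_distance_m: true physical distance to the genuine fob.
    relay_delay_s:  extra latency added by relay electronics (0 = no relay).
    """
    bound = rtt_bound_s()
    crypto_ok = timing_ok = True
    for _ in range(rounds):
        challenge = secrets.token_bytes(8)           # fresh per round
        expected = fob_response(car_key, challenge)
        # Whatever carries the signal, it must physically reach the fob and
        # come back, so the round trip is at least 2*d/c plus fob processing,
        # plus whatever the relay's own electronics add.
        rtt = 2.0 * fob_distance_m / C + FOB_PROCESSING_S + relay_delay_s
        answer = fob_response(fob_key, challenge)
        if not hmac.compare_digest(answer, expected):
            crypto_ok = False
        if rtt > bound:
            timing_ok = False
    return crypto_ok, timing_ok


def car_unlocks(car_key: bytes, fob_key: bytes, fob_distance_m: float,
                relay_delay_s: float = 0.0) -> bool:
    """Door opens only if both the answer and the timing are acceptable."""
    ok_crypto, ok_timing = run_unlock(car_key, fob_key, fob_distance_m,
                                      relay_delay_s)
    return ok_crypto and ok_timing


if __name__ == "__main__":
    key = secrets.token_bytes(16)
    print("fob in hand, 1 m:          ", run_unlock(key, key, 1.0))
    print("fob indoors, 30 m, relayed:", run_unlock(key, key, 30.0, 2e-6))
    print("wrong key, 1 m:            ", run_unlock(key, secrets.token_bytes(16), 1.0))
```

Note that the relayed case fails even with `relay_delay_s=0.0`: the extra 28 m of path alone adds roughly 190 ns, far beyond a bound of about 18 ns. That is also why Clive calls the problem a Holy Grail: the car needs nanosecond-resolution timing of a radio exchange in cheap hardware, and any jitter in the fob’s processing time has to be absorbed into the bound without letting a nearby relay through.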

Scott September 21, 2019 11:19 AM

@Scott (sorry, I have to address myself)

Someone said some time ago that this community is about a decade ahead of the pack on cybersecurity issues. This may very well be true. And I know quite a few very knowledgeable folks gather around here. But I also noticed that the discussion moved forward to more about policies and political philosophies related to technology (see @Bruce’s byline) than the nitty-gritty geeky stuff of cybersecurity. With the added notion of advanced geeky topics I’m too novice to contribute to.

Don’t get me wrong, I enjoy the policy debates too, but personally I’d enjoy a little more of the cybersecurity discussion too, at my novice level. I’m saying this because through a time period I’ve asked some geeky security questions of my elevated interest, with zero answers. So I ask: keeping in mind that this may be one of the prime forums on cybersecurity on the Internet being a decade ahead of the pack, but with more focus on policy and philosophy than on the geeky nitty-gritty, perhaps you can recommend me another prime forum focusing on the latter?

It’s afternoon here on the European side and I know that you on the other side of the pond are just waking up, that’s one reason for the lack of answers to this particular question of mine, but I realized this pattern over a longer period of time around here.

Scott September 21, 2019 12:01 PM

@Hedley

I have to add that I feel odd about this comment section discussion in a way that I feel like I have to be in front of the keyboard at a given time to be part of the discussion. Compare it to a traditional bulletin board-style conversation where I’m at ease to answer whenever I have time.

And now I’m logging off for the evening, to connect to what I’m pointing to in the other thread. https://www.schneier.com/blog/archives/2019/09/a_feminist_take.html#c6799016

I’ll probably read a few of your answers from mobile, but I’ll be in read only mode while away from the keyboard, lol.

Anders September 21, 2019 1:59 PM

@Scott

Problem is that politics has hijacked cybersecurity
and therefore we have to talk about it too.

Politicians have their own agenda with it – total control.
For example here in Estonia where cybersecurity has been
declared a national top priority, appointed govt cybersec
officials are often loyal pencil pushers who have never
ever even worked in the infosec field, not a single day.
At the same time our ex president Ilves travels around the
world and preaches how Estonia is world cyber security leader.
This is almost the same joke as Crown Sterling…

Second reason is Ukraine where political means are fulfilled
with cyber attacks. So again, politics is involved, heavy time.

Politics is nasty business and it hijacks everything for its good.
To survive. To get valuable information. To change election.
To blackmail. Repression. Everything goes, the end justifies the means.

And yes, Estonia is no totalitarian country, but nevertheless
our police has purchased a LOT of Finfisher / Finspy licenses.
Makes you wonder…

vas pup September 21, 2019 2:09 PM

Why is the brain disturbed by harsh sounds?
https://www.sciencedaily.com/releases/2019/09/190920111349.htm

Alarm sounds, whether artificial (such as a car horn) or natural (human screams), are characterized by repetitive sound fluctuations, which are usually situated in frequencies of between 40 and 80 Hz. But why were these frequencies selected to signal danger? And what happens in the brain to hold our attention to such an extent?

“The sounds considered intolerable were mainly between 40 and 80 Hz, i.e. in the range of frequencies used by alarms and human screams, including those of a baby,” says Arnal. Since these sounds are perceptible from a distance, unlike a visual stimulus, it is crucial that attention can be captured from a survival perspective. “That’s why alarms use these rapid repetitive frequencies to maximise the chances that they are detected and gain our attention,” says the researcher. In fact, when the repetitions are spaced less than about 25 milliseconds apart, the brain cannot anticipate them and therefore suppress them. It is constantly on alert and attentive to the stimulus.

When the sound is perceived as continuous (above 130 Hz), the auditory cortex in the upper temporal lobe is activated. “This is the conventional circuit for hearing,” says Mégevand. But when sounds are perceived as harsh (especially between 40 and 80 Hz), they induce a persistent response that additionally recruits a large number of cortical and sub-cortical regions that are not part of the conventional auditory system. “These sounds solicit the amygdala, hippocampus and insula in particular, all areas related to salience, aversion and pain. This explains why participants experienced them as being unbearable,” says Arnal, who was surprised to learn that these regions were involved in processing sounds.

Sherman J September 21, 2019 3:51 PM

@Scott (warning harsh reality opinion ahead)

Linux is (mostly) developed and Carefully Monitored by an international community of people who largely care about privacy and security. A number of distros seem to care a lot about security. There are even Linux distros that are used for forensic testing of the security of systems. However, some distros DO NOT share the privacy and security values of that community.

And, as many on this blog have accurately pointed out, there is no such thing as perfect privacy and security. Even the TOR browser has flaws, vulnerabilities, weaknesses and its use may draw unwanted scrutiny of the user.

Chrome O/S and browser and Chromebooks are products of the massive spyware factory G000GLE. Who in their right mind would trust them with security? Also, that ‘massive spyware factory’ ripped-off open-source linux and created their own closed-source, private, for profit spyware products that only care about the security of that ‘massive spyware factory’. This, of course includes ‘Androiiid’.

Regarding TENS “The live CD is a product produced by the United States of America’s Department of Defence (sic) and is part of that organization’s Software Protection Initiative. ”
Do you trust the u.s. dept of offense to not have put ‘phone home spyware’ and a backdoor in this distro? If so, I have a bridge in N.Y. I’d like to sell you.

Keep asking questions and researching, that is the only way you will achieve any level of safety and security. Don’t be afraid, you’re not paranoid, they really are after you (really are after us all).

tds September 21, 2019 4:23 PM

Edward Snowden interviewed on NPR’s Fresh Air ( https://www.npr.org/programs/fresh-air ) (43:08 audio; transcript available). IMO a great interview, here’s how it starts, and phones are discussed at the end.

https://www.npr.org/templates/transcript/transcript.php?storyId=761918152

“DAVE DAVIES, BYLINE: Well, Edward Snowden, welcome to FRESH AIR. I want to begin with the suspicion that some have that you are a tool of the Russian government or collaborating with Russia. I know that you ended up in Russia stranded at the airport because you had released these documents to journalists in Hong Kong and had booked a flight to Quito. But after the first leg in Moscow, your passport was invalidated by the U.S. State Department, so you got stuck in Moscow. You met a Russian intelligence operative, you believe, at the airport that day in 2013. What was the conversation like?

EDWARD SNOWDEN: You have to remember that I worked for the Central Intelligence Agency. I’m very skeptical of every intelligence service at this point in my life. I’ve just worked with journalists to reveal mass surveillance. Now, I know – again, having been trained at the CIA, you know, how to get through customs, what an interdiction at passport control looks like – very much what to expect if anybody’s up to no good.

And so the main thing is to survive getting through Russia en route then to Cuba, Venezuela and onto Ecuador. You have to travel through non-extradition countries, build a kind of air bridge to get one destination to the other from Hong Kong because every direct flight from Hong Kong to Ecuador goes over U.S. airspace, right? So they can bring you down over California, which is a very problematic thing to be vulnerable to for a person in my position.

So what I wasn’t expecting was that the United States government itself, as you said, would cancel my passport. So I’m stopped at passport control. And there’s this – you know, the standard passport officer. And when I go through the line, he takes a little bit too long. He picks up the phone. He makes a call. And I realize it’s longer than everybody else. And suddenly he looks at me and just says, there is problem with passport. (Laughter) You know? Come with.

And so I’m led very quickly into this business lounge, (laughter) which is very much not standard. Normally you’d be taken off to a security area. And I go in, and it’s a room full of Russian guys in business suits. And unmistakably, there’s the old guy. He’s in charge. And he begins to make what the CIA would call a cold pitch. Now, this is where you have no history, but they try to just say, do you want to cooperate with us?

Now, this is a very unusual situation to be in for an intelligence officer because these kind of pitches, requests for cooperation, are almost always made clandestinely. They’re made in private where they can be denied. And the first thing I’m thinking about – because every alarm bell in my head is ringing – is, are they recording this? Are they using this to try to blackmail me, to coerce me? And so, immediately, I go, look, I worked for the CIA. I know what this is. I know what this – how this is supposed to go. This is not going to be that kind of conversation. I’m not going to cooperate. I don’t have any documentation with me.”

Winston Smith September 21, 2019 6:35 PM

Google claims operational quantum computer (reportedly 53 qubits and the white paper has been removed from nasa.gov for now… hmmm.)

https://fortune.com/2019/09/20/google-claims-quantum-supremacy/

Last year, Scientific American claimed something sophisticated enough to be truly practical was 10 years away:

https://www.scientificamerican.com/article/how-close-are-we-really-to-building-a-quantum-computer/

Some context from the article above:

“When we run the Intel quantum simulator, it takes something like five trillion transistors to simulate 42 qubits. It will likely require one million or more qubits to achieve commercial relevance, but starting with a simulator like that you can build your basic architecture, compilers and algorithms. Until we have physical systems that are a few hundred to a thousand qubits, however, it’s unclear exactly what types of software or applications that we’ll be able to run.”

Rusty spoon September 21, 2019 8:29 PM

@tds/all,

When will we see all the Snowden slides? Where did they go? Bruce used to comment on them seemingly regularly.

As of late no one really has.

Why?

electronwrangler September 21, 2019 10:17 PM

@vas pup

Why is the brain disturbed by harsh sounds?
https://www.sciencedaily.com/releases/2019/09/190920111349.htm

This is a pretty dreadful description of the research paper. Read the original:
https://www.nature.com/articles/s41467-019-11626-7

I’m an audio engineer, and I can assure you that their test signals are very different from any real-world sound. From the paper:
“The second behavioural experiment (Exp. 2a) aimed at measuring subjective aversion as a function of the frequency of click trains. The same participants who participated in Exp. 1 also reported the aversion of click trains of varying frequencies on a 5-points Likert-like subjective scale ranging from tolerable (1) to unbearable (5). Click trains (1 s duration, with 100 ms sine ramping onset and offset; click rise/fall time of 0 ms, plateau time of 1 ms, presented at ~60 dB SPL) were presented at frequencies varying between 10 and 250 Hz.”

A spectrogram of that sound will bear little resemblance to a spectrogram of an alarm or a human scream, and it will sound quite different.

MarkH September 21, 2019 11:43 PM

@Winston Smith:

If Google’s quantum machine is capable of running Shor’s algorithm (unlike the D-Wave nonsense, which can not), then they should be able to factor semiprimes of 20 bits or more!

Maybe they’ll catch up to Crown Sterling … I’ll believe it when I see it.
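An added example, not part of MarkH’s comment or Google’s work: what “running Shor’s algorithm” to factor a 20-bit semiprime actually requires. Shor’s algorithm only uses the quantum computer for one step, finding the multiplicative order r of a random base a modulo N; everything else is classical arithmetic. The script below does the order-finding by brute force (cheap for 20 bits, exponential in general, which is exactly the part a quantum machine would replace) and then applies the classical reduction from order to factors. The 20-bit modulus 1040399 = 1019 × 1021 is constructed for this example.

```python
"""Shor's factoring reduction, with the quantum step done classically.

Added example (not from the original comment). The brute-force order
finding stands in for the quantum period-finding circuit; the rest is
the classical post-processing Shor's algorithm uses unchanged.
"""
from math import gcd


def multiplicative_order(a: int, n: int) -> int:
    """Smallest r > 0 with a**r == 1 (mod n), by brute force.
    This is the only step Shor's algorithm runs on quantum hardware."""
    if gcd(a, n) != 1:
        raise ValueError("a must be coprime to n")
    x, r = a % n, 1
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def factor_from_order(n: int, a: int, r: int):
    """Classical reduction: if r is even and a**(r/2) != -1 (mod n), then
    a**(r/2) is a non-trivial square root of 1 and gcd(a**(r/2) - 1, n)
    splits n. Returns the sorted factor pair, or None if this base fails."""
    if r % 2:
        return None                    # odd order: this base tells us nothing
    y = pow(a, r // 2, n)
    if y == n - 1:
        return None                    # trivial square root of 1
    p = gcd(y - 1, n)
    if p in (1, n):
        return None
    return tuple(sorted((p, n // p)))


def shor_classical(n: int, bases=range(2, 50)):
    """Try small bases in turn until one yields a non-trivial factor pair.
    Shor's algorithm picks a at random; at least half of the bases modulo an
    odd semiprime succeed, so a handful of attempts is enough."""
    for a in bases:
        g = gcd(a, n)
        if g != 1:                     # lucky: base already shares a factor
            return tuple(sorted((g, n // g)))
        r = multiplicative_order(a, n)
        factors = factor_from_order(n, a, r)
        if factors:
            return factors
    return None


if __name__ == "__main__":
    # 1040399 = 1019 * 1021, a 20-bit semiprime constructed for this example
    print("15      ->", shor_classical(15))
    print("1040399 ->", shor_classical(1040399))
```

The brute-force loop in `multiplicative_order` can run up to about half a million iterations for the 20-bit modulus, which a laptop finishes in a fraction of a second; for a 2048-bit RSA modulus the same loop is hopeless, and the whole point of Shor’s algorithm is that a quantum computer finds r in polynomial time. A machine that can run the order-finding circuit for a 20-bit N therefore demonstrates the real thing in miniature, which is why MarkH’s 20-bit test is a meaningful bar.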

Anders September 22, 2019 4:58 AM

@Rusty spoon

I guess it’s part of the deal – Snowden got asylum
(and Russia all the info) in exchange to not reveal
any more slides.

VinnyG September 22, 2019 6:28 AM

@ JF re: Guardian article – Your post mentioned car locks, but the article to which you pointed is on catalytic converter theft from hybrid vehicles?

CallMeLateForSupper September 22, 2019 6:54 AM

@Rusty spoon
“When will we see all the Snowden slides?”

Not anytime soon. You really should pose your question to the persons who possess, and therefore control access to, the slides.

@Anders
“I guess it’s part of the deal – Snowden got asylum
(and Russia all the info) in exchange to not reveal
any more slides.”

I think Snowden would disabuse you of both “the deal” and Russia getting “all the info”. Have we already forgotten that Snowden handed “all the info” to Poitras and Greenwald when the three of them rendezvoused in Hong Kong? Later, in Russia, he possessed nothing to reveal.

CallMeLateForSupper September 22, 2019 7:04 AM

Is this blog on Central time? My previous post is stamped 6:xx but all of my five clocks read 7:xx.

My email service inexplicably stamps everything with UTC (GMT or Zulu, to us old farts).

VinnyG September 22, 2019 7:10 AM

In 2017, reports surfaced of numerous Canadian and US diplomats suffering varying degrees of brain trauma while stationed at their respective embassies in Cuba. Speculation ran wild in the rabid, click-baiting media, on internet bulletin boards (including this one) and apparently in official circles, as well. It was the subject of much ill and uninformed speculation (mostly involving “sonic attacks”), accusations, and adversarial diplomatic actions at least on the part of the US. There was a study done in regard to the Canadian victims resulting in an analysis published on May 24, 2019 by the Brain Repair Center, Dalhousie University and Nova Scotia Health Authority, Halifax, NS by authors Drs. Alan Friedman, Cindy Calkin & Chris Bowen. The paper plausibly concludes that the symptoms are consistent with assimilation of toxic levels of insecticides of a type frequently used to control mosquitoes. At the time that the symptoms were first identified, Cuba was engaged in a campaign to control the spread of Zika, a mosquito-borne virus. For some reason, this paper was largely ignored by MSM until very recently. Perhaps there is a lesson to be taken here about leaping to biased conclusions on important subjects in the face of insufficient (or absent) evidence. First link below is to the paper on scribd, which controls sharing and printing in a variety of ways. I could read anonymously; I can’t guarantee that for you. The second link is to a recent MSM article that references the study.
https://www.scribd.com/document/426438895/Etude-du-Centre-de-traitement-des-lesions-cerebrales-de-l-Universite-de-Dalhousie#language
https://www.foxnews.com/world/sonic-weapon-diplomats-cuba-pesticide-study

JG4 September 22, 2019 9:02 AM

@vas pup – Two reasons. Low frequencies are associated with large predators, vulcanism, and large movements of earth and air. Things that were quite dangerous to our ancestors. May they rest in peace. I am frightened by such noises, but I associate them with large machinery that can squash you like a bug. It may be that the pre-existing neural circuitry has been repurposed, much as Matthew Weigand’s visual cortex was repurposed. I’m happy that my head wasn’t popped like a ripe melon during my time in the imperial forces. I was within a few hundred milliseconds. The dope fiends were most guilty, but good management saved the day and my life.

@Sherman J – It depends on your threat model. I think that a powerwashed Chromebook would be adequate for travel to an unfriendly place that doesn’t share too much data with .gov. The interesting part to consider is how much of Spookwerks West data already are shared to those governments in return for their licenses to operate. And how Spookwerks East signed off on all of this in return for something. Your point is spot on if your threat model includes .gov

https://www.nakedcapitalism.com/2019/09/links-9-22-19.html

Stress caused sleeplessness for the Victorians too – but they thought it only afflicted ‘brain-workers’ The Conversation

Big Brother IS Watching You Watch

The Private Surveillance System That Tracks Cars Nationwide Motherboard

WHY I DECIDED NOT TO DELETE MY OLD INTERNET POSTS Intercept. Edward Snowden.

I wasn’t just a brain in a jar London Review of Books

Cataract Surgery Could Confuse Biometric Identification The Wire

Patriot September 22, 2019 9:49 AM

@Anders

Indeed. The Russians switched to typewriters (which is exactly what they should have done to protect their critical information), and guess what? The Iranians did too. That is the best way to explain how the West can spend 1 Zillion dollars and get zilch intel.

The ripple effect of Ed's treachery is not yet over, and most people think that it will not affect them. No worries, it is not going to hurt me. Ed's a great guy. On the contrary...

There are two colossal intel failures waiting to bear evil fruit: first, the OPM leak; secondly, Ed.

What just happened in Saudi Arabia is an intelligence failure on the same level as 9-11. Saudi Arabia's oil production is an artery for the global economy, and the Kingdom is looking a bit shaky as we speak.

Clive Robinson September 22, 2019 10:13 AM

@ Patriot

And the perpetrators had such excellent operations security that the U.S. cannot put its finger on who did it.

You are trying to draw a conclusion of “excellent operations security” on your assumption of “U.S. cannot put its finger on who did it”.

Even if it might be true your assumption does not support your conclusion.

The fact that drugs and people get smuggled on a daily basis across the Mexico-U.S. border should make you wary of making such statements of “excellent operations security” unless you wish to extend it to simple immigrants on foot?

A similar comment can be made about the much more heavily fortified Israeli borders which also use U.S. technology amongst others. But still get breached regularly if the statements of the IDF and Israeli Government are to be believed.

You also need to rule out the distinct possibility that the U.S. looked the other way or similar for a number of reasons.

This is the part that really should get everyone’s attention.

The fact that the U.S. might not have identified with any certainty who might have been behind the reported incident does not in the least surprise me. There is after all a reason for the oft touted phrase “the fog of war”. Also as has been known for at least eight decades or more, small groups of combatants highly trained or otherwise can cause major damage and significant impact entirely disproportionate to their numbers in and behind active war zones.

There are also the deliberate machinations of other nations to consider as well. After all for a large part of your life time the U.S. and the old Soviet block either started or supplied much smaller nations to have proxy wars, so as not to give rise to a nuclear war.

It’s a matter of historic record that prior to the Soviet block getting an effective nuclear deterrent U.S. Military leaders did ask for and had every intention of using nuclear weapons against a nation where they had already killed something like a third of its civilian population with conventional and unconventional munitions and chemical agents, and despite that were still losing. What stopped the use of nuclear weapons was U.S. politicians, but what finally brought the U.S. and its allies to a halt and uneasy cease fire was that another Communist nation that had had the war dumped in their lap pointed out the logic behind why the U.S. could not win.

As for those who carried out the reported attack on the petrochemical facilities and infrastructure you ask the question,

If they can do that, then what else can they do?

I assume that is to create a sense of the dramatic. Because you have already noted that those behind the reported attack have not been publicly identified, nor have you indicated any reason why anyone reading your comment should have any more information than the little you have presented. Thus why else would you ask a question that logically you know they can not answer?

You then go on with,

whoever did it learned a lot from Mr. Snowden, and that is a fact ladies and gentlemen.

No that at best is your conjecture or presupposition, and it is not in any way supported by the preceding part of your comment or any other verifiable source as far as I am aware.

To make such a comment be a “fact” you would have to supply quite a lot of supporting evidence you have indicated is not available. Further it would have to be supporting evidence that could be tested thus verified not assertions or assumptions. And I suspect that is something neither you nor anyone outside of the attackers can do, otherwise you or others would have done so by now.

Whilst making limited suppositions can under certain circumstances be a valid part of trying to assess a situation with limited resources, to present one or more suppositions as fact or even a hypothesis is not valid. It’s why we have the expression “spinning castles in the air”.

The fact the US has effectively done this a number of times and either failed to present evidence or have had to recant does not excuse others from making the same mistake.

For quite some time now I’ve made the point here and in other places that “attribution is hard”, I’ve even given reasons as to why that is so for Cyber-Attacks, including why such intelligence would not be admissable in court as evidence. But without going through it all again, put simply, gathering what might be called evidence is at best extreamly difficult using ElInt and SigInt methods in network only environments. What is actually needed is HumInt of various forms of reliability preferably “triply independently verified sources” which are considered about the best you can expect. However much less reliable HumInt such as real world surveillance footage is still considered usefull as it alowes other verification. Both the Israeli and Dutch SigInt organisations had developed ways to get some approximation to HumInt without “putting boots on the ground” that is “surveilance across the wire” to the cameras and microphones inside consumer computers apparently in use during attacks. We know of this because U.S. leaders for what are basically political reasons made it public and in effect “burned” those methods entirely.

The fact that the U.S. has a recent history of burning allied nations’ “methods and sources” has not just raised eyebrows, to some it’s been of more use than the partial Ed Snowden revelations that had come via Mr Greenwald. Who arguably might have stopped because of what most have seen done by the U.S. not just to Ed Snowden but Ms Manning and a fellow electronic journalist and non U.S. citizen Julian Assange.

Clive Robinson September 22, 2019 10:36 AM

@ MarkH,

Maybe they’ll catch up to Crown Sterling …

+1 🙂

As for believing it when you see it, personally I don’t think I’ll live that long[1]…

But the trouble with bleeding edge innovation is sometimes a tiny piece drops into place in a very timely fashion and we get one of those “Quantum Changes” or “existential threats” that some journalists like to breathlessly wax lyrical about…

[1] But you never know, medical science might surprise me. I think that more likely though 😉

Clive Robinson September 22, 2019 10:51 AM

@ VinnyG,

Your post mentioned car locks, but the article to which you pointed is on catalytic converter theft from hybrid vehicles?

The “relay” attack is mentioned in there, but it was easy to miss, look in one of the police tweets. It’s about five words at the end of a sentence. I quoted it in my reply to @JF.

MarkH September 22, 2019 12:43 PM

@Clive,

My (metaphoric) heart hurts, when I think of the health burdens besetting you. Though my surmise is that you’re probably a child of the late 1950s as am I, my time horizon (statistically speaking) ought to be far longer … though one never knows!

Even if I’m around a quarter century hence (so the U.S. actuarial tables predict), I’m not expecting to see a quantum computer capable of making useful computations.

As you say, maybe something will drop into place. Scott Aaronson, the brilliant computer scientist who keeps a close watch on such matters, has long observed that most concepts for an “end run” around barriers of computational complexity actually run afoul of the laws of physics.

QC is the one exception: nobody knows how to do it, but nobody has proved it impossible.

It’s not provably impossible to entangle thousands of qubits for hundreds — or even thousands — of seconds without decoherence.

Nor (as far as I know) would a mirror violate laws of physics that reflected all but one billionth of incident light. But after centuries of mirror making, there’s no known way to construct such a mirror.

My intuition is that QC may be in a similar bind.

Who? September 22, 2019 12:57 PM

@ Rusty spoon, Anders, CallMeLateForSupper

The journalists that got the slides published anything that was valuable to them—all slides embarrassing the relation between the United States and its allies.

This is the main difference between journalists and security researchers. Journalists got what they wanted; their goal was clearly not helping the world make computing infrastructures more secure but damaging public opinion about the United States.

I have said it multiple times on this forum and I stand fast.

Sherman Jay September 22, 2019 1:30 PM

And, for a little diversion:
Bruce and everyone, read about the Squid Wrangler (coffee anyone?):

h t t p s://www.gocomics.com/candorville/2019/09/22

SpaceLifeForm September 22, 2019 3:27 PM

@Anders

“This means also that without more
leaks US don’t know what Russia actually has.”

The reverse also holds.

@CallMeLateForSupper

In re timezone.

Your two posts are only 10 minutes apart with hour rollover. From what I see, you replied to @Rusty spoon at 2019-09-22 06:54, and then wondered about it at 2019-09-22 07:04.

Your clocks are off somewhere. Everything should be UTC. (GMT, ZULU)

Or you needed to get some sleep. 😉

vas pup September 22, 2019 3:32 PM

@electronwrangler
Thank you for the link provided.
I’ll read the article attentively.
Based on your expertise could you imagine application of such noise through skin utilizing Patrick Flanagan Neurophone?

@JG4
Baby cry is very disturbing. It could break your psyche in a very short time of exposure. That is a kind of Room 101 (as in 1984) torture of the 21st century.

Anders September 22, 2019 3:47 PM

Is this currently the best collection of
leaked material or is there some better?

hxxps: / / nsa.gov1.info/dni/

Clive Robinson September 22, 2019 7:32 PM

@ MarkH,

I’m not expecting to see a quantum computer capable of making useful computations.

It may not be possible at all, as you say nobody has proved it impossible. But they may yet do so.

I used to hang out with a bunch of physics researchers at UCL around the turn of the century who were doing QC. The last time I looked they had all moved on to doing different things.

One of them even back then was getting fed up with being in the “shut up and calculate club” that physics had turned into due to “quantum”. One of them, when more than slightly the worse for wear one night, as the spirit turned as it often does from euphoric to maudlin, confided in me that to them the maths of quantum physics really made no sense and that it felt like they were building a tower of Babel. I must admit being a little the worse for wear myself I did not immediately understand the reference.

It was only later I remembered that Babel is the mispronounced Hebrew word for confusion or madness. In essence I was being told that as far as they were concerned because of the quantum physics “calculation club” physics had lost its way and become confused and fractured.

It was later that I too came to realise that the “shut up and calculate club” didn’t really answer questions. In essence if you like it is a screen with millions of holes, it does not matter which hole you pick when you look through it you don’t see anything of any real use, however if you have an idea that drops through the screen then it has some chance of being right.

It appears that some physicists are trying to move behind the screen to usefully see what is on the other side. It would appear that some don’t think quantum physics is the answer and that is why in many respects physics has stalled for a couple of lifetimes or so.

The point that makes me cautious is to do with randomness. Quite a few people claim that quantum effects are truly random and a number of theories rest on that point. But is it true? Well maybe not… You have to consider the thought experiment that gave rise to John Searle’s “Chinese Room Argument” from both sides of the door and in the negative. The thought experiment is, as a Chinese speaker outside the room you write a question in Chinese on a piece of paper, slip it “in” under the door, and a few moments later another piece of paper comes “out” under the door. The out paper has a reply in Chinese, thus as the outsider you assume after several trials that there must be a Chinese person in the room. But is there? John Searle’s argument is that whilst there is a person in the room they cannot speak Chinese, they simply take the in piece of paper and follow a set of rules to make the out paper which they then slip back under the door. As an argument its narrow interpretation is that the Turing test is insufficient as long as the rules in effect are a sufficiently comprehensive database.

Now consider it this way as an outsider you do not understand Chinese either. You simply code up messages by a set of rules and push them in under the door. You keep a copy and when a piece of paper comes out as the rules you have are “one way” you can only try and find correlations between what you put in to what you get out.

This is the same job a cryptanalyst does with a black box encryption system. You would expect that eventually the cryptanalyst would be able to build a mapping that would be the inverse of the rules. That is no matter how complex the outside rules are eventually you would build the equivalent of the rules and database inside the room.

Now if you negate this, such that no matter how long the cryptanalyst sends in messages the answers out statistically do not correlate, does this mean that what is inside is truly random?

Well no, it’s easy to imagine a deterministic generator that simply generates output for ever, and snippets of this endless output, even though deterministic, do not correlate to the input because the input never affects the deterministic generator.

As an example you have an algorithm that pushes out Pi, when input comes you take the next digit out of the Pi generator and use that to select the next N digits of the Pi generator output to use as the output.

As the cryptanalyst on the outside of the door, logic dictates that no matter how long you go on for you will never be able to build an inverse mapping.

Thus we have to accept that there can be deterministic processes that we can observe but can only conclude they are truly random.

Which in turn means that the notion of quantum randomness can not be proven to exist. Which has a number of implications, one of which is quantum computers will not work as expected…
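The Pi-fed room and the outside observer’s test described above, written out as an added example (it is not code from the comment or from any project it mentions). The digit stream is Gibbons’ unbounded spigot algorithm for Pi; the way the room turns a digit into a reply (skip that many digits, then answer with the next four), the numbered messages the outsider slips under the door, and the use of a Pearson correlation as the outsider’s only tool are my own assumptions. A room fed from the operating system’s entropy source is included for comparison, and the last function shows the defender’s side of the argument: a second copy of the room that knows the rules and the starting state reproduces every reply, so passing the outsider’s test says nothing about whether the output is predictable by someone who does.

```python
import os
from itertools import islice


def pi_digits():
    """Gibbons' unbounded spigot algorithm: yields the decimal digits of Pi
    one at a time (3, 1, 4, 1, 5, 9, ...) with no precision limit."""
    q, r, t, k, n, l = 1, 0, 1, 1, 3, 3
    while True:
        if 4 * q + r - t < n * t:
            yield n
            q, r, t, k, n, l = (10 * q, 10 * (r - n * t), t, k,
                                (10 * (3 * q + r)) // t - 10 * n, l)
        else:
            q, r, t, k, n, l = (q * k, (2 * q + r) * l, t * l, k + 1,
                                (q * (7 * k + 2) + r * l) // (t * l), l + 2)


class PiRoom:
    """The deterministic room. It never reads the message slipped under the
    door: for each message it takes one digit d from the Pi stream, discards
    the next d digits, and answers with the following `width` digits.
    (This reading of "use the digit to select the next N digits" is assumed.)"""

    def __init__(self, width=4):
        self.stream = pi_digits()
        self.width = width

    def reply(self, message):
        skip = next(self.stream)
        for _ in range(skip):
            next(self.stream)
        digits = islice(self.stream, self.width)
        return int("".join(str(d) for d in digits))


class RandomRoom:
    """A room that answers from the OS entropy source, same reply format."""

    def __init__(self, width=4):
        self.width = width

    def reply(self, message):
        return int.from_bytes(os.urandom(8), "big") % (10 ** self.width)


def pearson(xs, ys):
    """Pearson correlation coefficient: the outsider's only tool here."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / (vx * vy) ** 0.5


def outsider_test(room, count=150):
    """Slip `count` numbered messages under the door and measure how strongly
    the replies correlate with what was sent in. Returns the coefficient."""
    sent = list(range(count))
    got = [room.reply(str(i)) for i in sent]
    return pearson(sent, got)


def transcript(room, count):
    """The room's replies to the first `count` messages, in order."""
    return [room.reply(str(i)) for i in range(count)]


if __name__ == "__main__":
    # Neither room's replies correlate with the input (both coefficients near 0) ...
    print("pi room     r =", round(outsider_test(PiRoom()), 3))
    print("random room r =", round(outsider_test(RandomRoom()), 3))
    # ... yet anyone who knows the rules and starting state of the Pi room
    # reproduces its replies exactly. The statistic cannot tell a seeded
    # deterministic generator from an entropy source; only knowledge of the
    # internal state can.
    print("pi room replays identically:",
          transcript(PiRoom(), 5) == transcript(PiRoom(), 5))
```

The first three replies of the Pi room are 5926, 9323 and 3279 (digit 3 skips 1, 4, 1 and answers 5926; digit 5 skips 3, 5, 8, 9, 7 and answers 9323; and so on), and every fresh PiRoom gives the same sequence. The correlation test is the same for both rooms and says nothing about that.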

Clive Robinson September 22, 2019 11:28 PM

@ SpaceLifeForm,

Yes there is something odd there. Not sure why; I’ve given up trying to understand the workings of some of the minds over there.

@ All,

For those that want more info on Cryptovirology and kleptography you could try looking at Adam Young and Moti Yung’s website on the subject,

https://www.cryptovirology.com

MarkH September 23, 2019 2:25 AM

@Clive:

I appreciate the anecdotes about working physicists, who seem to have seen some greener grass.

It occurs to me that another parallel for QC may be nuclear fusion power plants.

There’s no question whether fusion can be made to happen at manageable power levels — it’s already been done. But progress toward (1) positive net power, and even harder (2) economic feasibility has been nearly stalled for decades.

If you look at analysis from people who aren’t fusion-power cheerleaders, the outlook is grim.

The plausible bounds of estimation for future viability of fusion power plants range from a generation or two hence … up to never.

Yes, on the chalkboard numbers can be computed to show that it’s doable. But practically realizable? Maybe never.

At the sun’s core, under pressures and temperatures unimaginably greater than anything that can be sustained on Earth, the power density from fusion is less than 300 watts per cubic meter! Our own metabolisms exceed that …

As with enormous QC coherence times, there’s no guarantee that the canyon between “not theoretically impossible” and “actually achievable” will ever be bridged.

In the meantime, every person capable of any action or communication has a pretty nifty quantum computer lodged in their skull, which can sometimes be used to solve really tricky problems …

… and we have a powerful and stable fusion reactor humming along at a safe distance of about 150 million km. It’s already up and running, doesn’t cost a penny to operate, and incessantly showers Earth with abundant power.

Two Bits September 23, 2019 3:34 AM

Google’s Quantum Supremacy
If you are encrypting files right now using a 256-bit encryption algorithm, and then you decide to switch to 512-bit encryption, in a classical computing model, you have just increased the difficulty of breaking the encryption by 2^256, which is a very large number.

But with quantum computing applied to the problem, the difficulty of the original 256-bit encryption is merely doubled when it shifts to 512-bit encryption. In other words, quantum computing allows code breakers to tackle increasingly complex problems with a linear relationship to increased complexity rather than a logarithmic relationship.

Explained again, even if Bitcoin (for example) were to quadruple the number of bits used in its encryption from 256 to 1024, a quantum computer that breaks the 256-bit code in 1 second would only need 4 seconds to break the 1024-bit encryption (this is oversimplified, but roughly correct). The implications of this linear code breaking relationship are not realized by most people.

Whoever achieves high-qubit quantum computing first will be able to achieve all the following:
• Spoofing all cryptocurrency transactions and effectively draining all crypto wallets, worldwide.
• Decoding all military communications. This is “Enigma” on steroids.
• Monitoring and spoofing nearly all banking and finance transactions. Full control over international wires.
• Reading all encrypted communications involving civilians, government and military. There will be no such thing as privacy, not even Pretty Good Privacy.
• Reading all encrypted hard drives, container files and other storage media, including those of the NSA and world governments. Too many secrets. Setec Astronomy.
naturalnews.com/2019-09-22-google-quantum-supremacy-the-end-of-encryption-security-for-cryptocurrency.html

This article is rather mind boggling. Is our world about to change??

name.withheld.for.obvious.reasons September 23, 2019 4:07 AM

Hope this posts, have missed the last three…

The sovereign conveys to government specific authorities, roles, and objectives in support of the Union, the only source of its authority and legitimacy. From the sovereign, and thus the state, the federal government is deliberately designed with a restrictive contour of authorities and roles. The formation of the federal government is designed such that is not permissive, implied or derived in law is not permitted outside of principal law. Examples of the depth and breadth that congress has afforded the federal government can be seen in the commerce clause and Supreme Court decisions to which no corner is remote to the federal government.

Anything can be described as “commerce” and is often a substitute for “convey”. “I carry a message for you sir.”, no matter the context, is commerce in expression—that is what they’d like you to believe. So dangerous is this path that it may cause theology, hypothesis, philosophy and simple contemplation to become servants to commercial domains. If you breathe unconsciously you are outside this domain, but, if, a priori, an established thesis about your breathing is developed, a case will be made that one is engaged in commerce. Or, the forethought of breathing is in competition with the function of commerce.

This is one of the flawed assumptions in libertarianism and in modern legal thinking—that all exercises are economic and there is no egalitarian light/rainbow/parade. Selfless acts are not selfless, for many, but not all. Martin Luther King is a contemporary example of this type of action and philosophy. So strong, this person, stood knowingly in the path of self diminishment—deliberately, defiantly, and unassumingly. Holding in his hand, not a gun or a sword, but an idea and a dream. Knowing full well that any fruits of his efforts would never touch his lips…but he persisted. His ideas persisted, and his accomplishments persisted.

This is a form of strength within the human spirit that has no equal. And to value, history has yet the tools to measure the “commerce” of this man. The econometrics of the day cannot give a weight to this person’s “commerce”. Yet, we will insist that political aspirations can be measured in coin. We are fools.

MarkH September 23, 2019 4:41 AM

@Two Bits:

  1. Perhaps you’ve mixed together RSA/DSA style encryption (theoretically vulnerable to Shor’s algorithm) and AES style symmetric encryption (theoretically vulnerable to Grover’s algorithm).
  2. Very roughly, Shor’s algorithm is expected to increase in runtime in the cube of the number of bits, so doubling key size not only requires doubling the number of qubits (which makes maintaining coherence more difficult), but also increases the runtime by a factor of roughly 8, so this elusive coherence must be held continuously for a much longer time.

In other words, building a QC to solve a 512 bit asymmetric cipher may be MUCH harder than one for 256 bits.

  3. Grover’s algorithm makes a square-root improvement in runtime … but even for a 128 bit symmetric cipher, the equivalence to 2^64 steps is likely to require coherence to persist for something like tens of thousands to perhaps a million seconds! This would be an epic achievement; but use of a 256 bit symmetric cipher would defeat even a perfect QC, which would nonetheless need multiples of a human lifespan to carry out the computation.

  4. For applications like Bitcoin, it’s perhaps feasible to substitute an exotic variant of elliptic curve crypto which is believed to be immune to Shor’s algorithm.

Clive Robinson September 23, 2019 7:12 AM

@ Name.withheld…

Yet, we will insist that that political aspirations can be measured in coin. We are fools.

America inherited the English legal system. Apart from the problem with its hopelessly adversarial setup that causes all sorts of abuses in the hands of taxpayer funded entities, it also has a much deeper and fatal flaw.

There are two sides to law, that is the criminal and the civil, and they both have ways of punishing an accused person who is found to have committed the acts that were laid against them. Traditionally the ways were different. That is criminal sanctions were penal and civil sanctions financial or equivalent.

That is the law only had fines and forfeiture for civil sanctions and thus everything got equated to money.

The desirability to raise revenue for the crown meant that civil sanctions of fines and forfeiture got loaded onto criminal penal sanctions. This greed for money has given rise to a lot of bad laws.

But it gets worse, living people are hurt by penal actions, but artificial entities such as companies are not, the actual “directing minds” in such criminal behaviour get to walk away. This makes as much sense as locking up the weapon that killed a person whilst letting the hand and rest of the body holding the directing mind to walk away.

Thus the way to avoid penal sanction is to endeavour to commit your crimes through one or more companies. We see this happen all the time in the construction industry where the excessive drive to profit means that worker safety is diminished, a worker dies and often the company gets a fine that is small in comparison to what the worker would have expected to earn. Worse the company can further profit by the death by taking out hidden life insurance on the worker. That is the payout goes to the company not the worker’s estate…

A few hundred years ago an English writer had a character in one of their plays proclaim,

    Ere he shall lose an eye for such a trifle… For doing deeds of nature! I’m ashamed. The law is such an ass.

From English dramatist George Chapman’s “Revenge for Honour” published in 1654. The last sentence of the above was later shortened and augmented and appeared much more famously in the book “Oliver Twist” written by Charles Dickens.

Thus as the law is a creation of man via the King and his parliament, I see no reason why it should not preferentially apply to them,

    “The law is a ass, an idiot.”

Something that appears even truer today than it has in the past.

Perhaps this is because what little sanity the legislators had, has been washed away by a tide of little green pieces of paper, that the near unpunishable people behind the entities of commerce have by the ocean full.

SpaceLifeForm September 23, 2019 2:19 PM

@Clive

Thank you for the Klep report.

I was worried that my observation may have created a quantum disturbance event. 😉

I think it is a canary.

Raffzer September 23, 2019 3:01 PM

ProtonMail / Public Prosecutor Stephan Walder Just Silenced Its Critic

As I have learnt from trusted sources, Public Prosecutor Stephan Walder just silenced lawyer Martin Steiger. Lawyer Steiger has taken down (was forced to take down) his article on ProtonMail from his website. The title of the article is

“ProtonMail Voluntarily Offers Assistance For Real-Time Surveillance”

and the archive URL for the article is as follows:

http://archive.is/RQolG.

==> Shows what dodgy methods our privacy focused friends from ProtonMail are employing.

Here the archive URLs of lawyer Steiger’s tweets (live tweet) [in German with responses in English]:

Prosecutor Stephan Walder explains that ProtonMail collaborates with the Canton Police Zurich and their cybercrime unit:

http://archive.is/3MYUA

ProtonMail surreptitiously changed the “Transparency” Report:

http://archive.is/q2gec

tds September 23, 2019 4:50 PM

https://www.emptywheel.net/2019/09/23/the-press-cannot-let-trump-pretend-he-gives-a-shit-about-corruption/

“one thing is crystal clear: the press is giving Trump way too much room to claim his actions [involving Ukraine] were driven by a concern about corruption, which is how Trump has been trying to justify this rather than deny it.

[…]

Every single report about this should start with a list of things Trump is doing to cover up his own corruption, starting with his numerous lawsuits to try to prevent anyone from reviewing his tax returns and his systematic effort to profit from the presidency.

If Trump claims it’s important to “speak to somebody about corruption,” that conversation should start with full transparency on his own corruption, and there should be no focus on his allegations about Hunter Biden [Joe Biden’s son] until he has come clean.”

tds September 23, 2019 4:59 PM

Consumer Reports recommends privacy tools: ProtonMail, DuckDuckGo and Signal.

https://www.consumerreports.org/privacy/privacy-tools-that-help-you-protect-your-personal-data/

“Facebook, Google, and other tech giants are so adept at tracking our every move via our electronic devices that it can be hard to imagine escaping their digital surveillance. But Americans are getting savvier about protecting their personal info, too.

According to a recent Consumer Reports survey,* 60 percent now bar mobile apps from accessing the camera, GPS data, and contact list on their phones. And half protect their online accounts with two-factor authentication.

If you’re ready to get serious about safeguarding your data, here are some privacy-friendly alternatives to Google’s search engine and Gmail, and Facebook’s WhatsApp messaging service.

[…]

Search Savvy: DuckDuckGo

[…]

Encrypted Email: ProtonMail

[…]

Better Messaging: Signal”

tds September 23, 2019 5:11 PM

@SpaceLifeForm

Might you elaborate?

“Looks like Wikipedia got an NSL, IMNSHO.

In re Klep.”

[…]

I think it is a canary.”

SpaceLifeForm September 23, 2019 8:38 PM

@tds

Pull up wiki article on kleptography.

Check the links.

Find those that loop-back when they should not.

Check via new tab so you keep it straight.

Mouse-over link to see where it should go.
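The check described above, automated as an added example (not code from the comment or from any project it mentions): it parses a page with Python’s standard html.parser, resolves every href the way a browser would, and reports the links that lead straight back to the page they sit on. Plain fragment links such as `#History` are skipped because jumping to a section of the same page is normal. The page at example.org is constructed for the demonstration and is not a copy of any real article; a real run would feed the fetched HTML of the article in question.

```python
from html.parser import HTMLParser
from urllib.parse import urldefrag, urljoin


class LinkCollector(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._open = None  # [href, text fragments] while inside an <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self._open = [href, []]

    def handle_data(self, data):
        if self._open is not None:
            self._open[1].append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            href, parts = self._open
            # Collapse runs of whitespace so the anchor text reads as displayed.
            self.links.append((href, " ".join("".join(parts).split())))
            self._open = None


def resolve(page_url, href):
    """Absolute target of a link as the browser would follow it, fragment dropped."""
    return urldefrag(urljoin(page_url, href))[0]


def find_loopback_links(page_url, html):
    """Return (anchor text, href) for every link whose resolved target is the
    page it appears on. Fragment-only links (href="#Section") are excluded."""
    collector = LinkCollector()
    collector.feed(html)
    here = urldefrag(page_url)[0]
    return [(text, href) for href, text in collector.links
            if not href.startswith("#") and resolve(page_url, href) == here]


# Constructed sample page (assumed; not a copy of any real article).
PAGE_URL = "https://example.org/wiki/Kleptography"
PAGE_HTML = """
<html><body>
<p>Introduced by <a href="/wiki/Adam_Young">Adam Young</a> and
<a href="/wiki/Moti_Yung">Moti Yung</a> as part of
<a href="/wiki/Kleptography">cryptovirology</a>.</p>
<p>A well known case is <a href="/wiki/Dual_EC_DRBG">Dual_EC_DRBG</a>;
see the <a href="#History">history section</a> and
<a href="https://example.org/wiki/Kleptography">the attacker's view</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    for text, href in find_loopback_links(PAGE_URL, PAGE_HTML):
        print(f"loops back: '{text}' -> {href}")
```

On the sample page two links are reported: the relative `cryptovirology` link and the absolute `the attacker's view` link, both of which resolve to the page itself, while the section link and the links to other articles are left alone.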

David September 24, 2019 4:27 AM

@Belcat,

re: DuckDuckGo

As far as I recall, its founders used to advertise the search engine via many online forum posts. At that time, the operation appeared to be very “low budget” and “raw”, so I did not pay much attention to it. This was right after many online sites like altavista went broke. Frankly, I’m very surprised it lasted this long.

Rem September 24, 2019 6:59 AM

Google Blocks Privacy Push at Web Standards Group

Google was the ONLY World Wide Web Consortium (W3C) member to vote against privacy, while the 24 others approved!

Google was the only member of the World Wide Web Consortium to vote against the measure to expand the power of the organization’s internet privacy group

The two sides are still negotiating an alternative, but if they can’t make a decision the issue will pass to W3C director Tim Berners-Lee, one of the founders of the web.

Google’s Gobbledygook Rationalization
Bennett Cyphers, a staff technologist at the nonprofit Electronic Frontier Foundation, called Google’s plan “a mess” and said some of the ideas were actually bad for privacy.

By saying it was working for privacy but refusing to block cookies, Google was being disingenuous, argued Princeton University privacy researchers Jonathan Mayer and Arvind Narayanan.
https://www.bloomberg.com/news/articles/2019-09-24/google-blocks-privacy-push-at-the-group-that-sets-web-standards?srnd=technology-vp

Duped September 24, 2019 8:22 AM

@tds Consumer Reports Privacy

Summary: The CR web-site is one of the worst data-miners on the web. If you care about protecting your privacy then DON’T subscribe to Consumer Reports.

‘CR uses use Google Analytics Advertising Features and its associated tracking technologies to help display CR ads you see on other sites, and to help us manage and optimize our digital advertising efforts.
Consumer Reports website uses Adobe Analytics and its associated cookies to help us understand how users engage with us so that we can improve and enhance our users’ experience.’
https://www.consumerreports.org/cro/customerservice/privacy-policy/choice-opt-out/index.htm

The fact is today subscribers are the primary product under review. All your product interest data is being shared or sold to third party advertisers.
CR’s articles on protecting consumer privacy are deeply disingenuous and hypocritical as Google is recording your every move to spew its own personalized advertising across all your devices.
They don’t recommend the most obvious solution of ad-blockers because (cough) their pages won’t load…
Their former comprehensive product ratings tables are replaced with a shallow superficial opinion of a few products.
This cheapening end result is when manufacturers pay the bills (here through intermediary advertising-giant Google).

Sponsored ads (including paid reviews) at Amazon are also severely degrading product research too.
In summary excessive advertising surveillance destroys capitalism. Witness today where the foundations of our consumer society are in shambles as everything is manufactured for emotion induced clicks and ratings.
Compare this to Chinese manufactured goods which are independent of Wall St backed data-mining. They have the highest quality, best price and with zero advertising. Hmm!

Bottom line is consumers should sever connections to business which excessively data-mine. Eliminate these expensive deceptive price-raising middleman and search for quality alternatives.

Clive Robinson September 24, 2019 3:44 PM

@ Anders,

The report does not surprise me. The Chinese military and similar have not quashed many Tibetans. Nor does it appear they are succeeding against those in exile.

Those that have been around for a while will remember the findings of Ross J. Anderson and others from the UK Cambridge University Computer labs.

The fact it is apparently not getting the Chinese Government very far must be somewhat frustrating for them.

However it should serve as a warning to others, the Chinese are after something, for what we do not know. However the most likely is to find “targets of opportunity” such as friends, relatives of exiles or those they have business or political dealings with. Thus gain leverage via threats and blackmail or run disinformation campaigns against. Or worse people the Chinese government can imprison or execute as they have done on so many occasions.

Weather September 26, 2019 3:29 PM

Ha piglet was one of my user handles, anyway.
Global warming…
Sea water pumped through pipes to inland Australia to greenhouses that separate the salt and water, which are then pumped to 500-acre areas; the evaporation from those areas will water other areas.
They can afford roads that span that distance, why not pipes, the land mass being where the world temperature was tropical but wet…

gordo September 27, 2019 10:07 AM

@ tds,

The emptyshill stuff does get tEdIOUs, eh? Why is that? Cuz it’s the same story over and over and over again: IC failure followed by Keystone Coppery…blah blah, blah, sprinkle some gossip, add a dash of profanity, whatever. Next . . .

vas pup September 27, 2019 1:26 PM

https://www.bbc.com/news/technology-49858048

Unveiling its purchase of CTRL-Labs, Facebook’s virtual reality chief Andrew Bosworth said: “We know there are more natural, intuitive ways to interact with devices and technology. And we want to build them.”

He said the company’s wristband could capture your intention, so that you could share a photo with a friend “just by, well, intending to”.

The whole article is interesting

donKEYKICK September 27, 2019 6:15 PM

:: “You might want to consider that pin the tail on the donkey doesn’t always work.”

As far as the future food supply, the bees might be also struggling from existential distress, much like we are also. In addition to that, they are also suffering from various contaminants messing with their food supply before they consume it and even afterwards.

It’s not just overtly lethal toxins, it’s also those substances that overgrow within their guts as well.

This is relevant to security in terms of what does the digital stuff matter if we’re starving to death or poisoned to death or dying from stress…

https://i.postimg.cc/Dzx052NF/Othernice.png

tds October 1, 2019 2:57 PM

@Duped, Belcat, David, Raffzer

Re: DuckDuckGo and Protonmail

Some sites I respect have recommended those products.

I’ve tried Startpage, but DuckDuckGo is straight-forward to configure as a default search engine on Safari and Firefox.

Clive Robinson October 2, 2019 5:15 PM

@ tds,

…and poking around Clive’s link above I found,

It’s a long read but towards the end there is this paragraph from Moti Yung,

    There’s something about threats: always look for new possibilities of attacks. It’s very easy to come after the attack and say: “Ah, there was an attack.” The idea is to predict attacks 10 years before they occur and respond to them before they occur; not just be reactive. 0-day attacks – be ready for them if you can, if somebody told you. In everything around us: system, Internet and so on – attackers are getting more sophisticated, we need to be proactive.

Which fairly nicely reflects my thoughts for the better part of the past four decades.

Although some of us here have raised the subject on this blog many times in the past, and have had some discussions few others were even remotely interested in predicting future directions that attackers might take…

On another security blog from academics, they did not seem to be able to follow the simple logic of monetizing “fire and forget” malware like ransomware… In fact many experts in the domain used to take the “If you mention the devil’s name he’s sure to appear” attitude to vulnerabilities, and in some cases will later blame you when someone does get around to doing what you predicted might happen….

The two things that got me quite annoyed in this respect were,

1, Lenovo abusing a BIOS mechanism from the 1970s that Microsoft and other Commercial OS vendors actively support. Thus Lenovo was selling consumer computers with built-in malware that could not be removed by normal computer techs and most security experts. Having designed IO cards for Apple ][ computers that originated the design flaw, that then ended up being duplicated by IBM for the PC-bus and AT-Bus that I also designed IO cards for, I was only too aware of just how big a hole this BIOS kludge was in security.

Likewise with BadBIOS and high frequency sound, both myself and @RobertT accurately described what was a likely mechanism in quite some depth on this blog. We could do this because back in the 1980s before Ethernet was “cost viable” for most people we had both done professional development of low bandwidth data networking with near ultrasonic sound.

Just about everybody was saying BadBIOS was all impossible, for all sorts of quite irrelevant reasons. So I dug out some old IO cards I had lying around hacked some code together (also using the BIOS hole Lenovo used) to prove it could be done over a few hours in the weekend…

Well it was shortly after “impossible” had been debunked that academic researchers started doing their own follow up experiments and then publishing them… It was shortly after that, that the marketing malware developers realised there was great potential in near ultrasound…

So all stuff from the late 1970s to do with building software drivers for IO cards that got put on a ROM on the IO card, that as the driver had to work not just at “boot time” but also carry on working during and after the OS was loaded, which was an obvious and major security issue, was still a vulnerability in the second decade of this century nearly four decades later…

Oh and if you have the appropriate books on the PC BIOS from the 1980’s and 1990’s you will find there are still some other nice BIOS vulnerabilities still there waiting to be used for malware or the like…

It appears a major failing of the commercial computer security industry is “5 years to amnesia”… That is it takes the industry about 5 years minimum before it forgets something that is a major vulnerability, and it stays so until somebody makes a big noise over exploiting it two to four decades later…

As many have said before,

    Go figure that out…
