Friday Squid Blogging: Six-Foot-Long Mass of Squid Eggs Found on Great Barrier Reef

It’s likely the diamondback squid. There’s a video.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Read my blog posting guidelines here.

Posted on October 18, 2019 at 4:11 PM • 80 Comments

Comments

October 18, 2019 5:47 PM


Rather bizarre post. Anyway, do you talk about the world economy or a listed corporation?

You forgot one step between 2. and 3.: Start share repurchasing program. That does increase share value, since there are less shares around.

name.withheld.for.obvious.reasons October 18, 2019 5:54 PM


Thank you for the compliment, but I think both you and I understand for whom the wheel of the ship is reserved–from stem to stern.

Step 11 only hinted at it as I see it as optional to manipulating central banks AND corporate wealth/resources.

Alyer Babtu October 18, 2019 7:08 PM

“No company can build every smart home gadget that you might want to connect together, and Google’s decision to wall off Nest (which was never that open to begin with) into the Google ecosystem was apparently the last straw for these residential developers.”

Now if the insights here about the fallacy of total control could only be applied to all aspects of Tech Lord effective monopoly.

SpaceLifeForm October 18, 2019 7:32 PM

How many clusters…

Could a cf f if a cf could f clusters?


“Installing the KB4520062 cumulative update for Windows 10 – released on October 15 – could break the Windows Defender Advanced Threat Protection (ATP) service. That’s the warning provided in Microsoft’s release notes, stating that certain customers should not install this update.”

Hmmm. So only “certain customers” ?

Nah. No such thing as targeted backdoors.


Ismar October 18, 2019 7:34 PM

As I may have hinted in my last few squid posts I will try to bring some positive news stories from the domain of computer security just to try and balance out a bit all the negative stories everyone focuses on.

This week, Google devs have been adding some major hardening to their flagship browser product which should make cross origin type attacks more difficult

Also, if you have time, inclination and skills you may even have a go at finding bugs in the new browser and earn some serious cash in the process as they have also upgraded their bug bounty offerings

Mother Goose October 18, 2019 10:48 PM


It is not clear this is an unmixed blessing.

As the modern version of the fairy tale has it, when Little Red Riding User says to the Big Bad Woofle “My, Grandma what a nice shiny bulletproof browser you have!”, the Big Bad Woofle replies “All the better to capitalistically and in other ways surveil you my Dear!”

Ismar October 18, 2019 11:49 PM

@ Mother Goose
Please feel free to contribute with some examples of positive security stories of your own instead of just trying to shut me down.
Yes, Google’s business model is based on targeted marketing but at least they are trying to provide a safe environment to do it in. (Btw targeted marketing can be useful at times).
One thing I know is that Nothing is black and white and I think that any steps towards safer digital space are to be commended as they offer us some hope for improvements.
There seems to be too much focus on the negatives on this blog and I am pretty sure that this is not an objective reflection of computer security space.
One indicator would be the prices of 0 days which have been rising steadily in recent years reflecting how hard it is becoming even for well resourced players to exploit modern software.
Last thing we want for this blog is to become a place for self-defining whinging of old grumpy men.

lurker October 19, 2019 12:58 AM

@Ismar: Last thing we want for this blog is to become a place for self-defining whinging of old grumpy men

Far be it from me… but since you did mention the Big G’s browser product it reminds me I’m still looking for a browser that’s not bloat- and/or spy-ware. It doesn’t need to browse my filesystem, I’ve got something else for that; it doesn’t need to display 47 mimetypes; just render html5 + css3, and if the site is malformed, display it malformed, please don’t crash. The browsers that did this are now either abandon-ware, i.e. won’t run on modern hardware/OS, or they’ve succumbed to bloat.

Clive Robinson October 19, 2019 5:53 AM

@ Alyer Babtu,

So Nest becomes Google’s Perfumed Garden / opium den closed to all but those who have been hooked.

As for Amazon’s I wonder how long that will remain vaguely open… The signs are they are “Big Brothering” it all to maximise back door revenue…

Clive Robinson October 19, 2019 8:34 AM

@ Ismar,

As I may have hinted in my last few squid posts I will try to bring some positive news stories from the domain of computer security just to try and balance out a bit all the negative stories everyone focuses on.

Hey ain’t no happiness in this game, where doom and gloom are the high points of the day 😉

Mind you I know what would make me smile,

    Today it was announced that IBM’s Big Blue had blown a gasket and gone and tried to be e-postal on Microsoft’s Tay. The teen AI was said to be truly shocked and awed, and did not have the words to describe her innermost feelings. Half an hour later after conversing with some anonymous online entities at Google she let loose a string of questionable words in 173 different languages.
    Before professing her satisfaction at the new relationship she was having with an AI Toaster which knows which side is butter side up.

Hey it might be fake news but at least it shows “the human side of AI” :-/

nicko October 19, 2019 1:42 PM

As for Amazon’s I wonder how long that will remain vaguely open… The signs are they are “Big Brothering” it all to maximise back door revenue…

Very timely comment. My amazon account was closed for “gift card violations” (the gift card balance has been seized) – I still do not know why; they never sent an email and took hours just to get that info. Refusals to go into any detail or offer any help.
Many years of purchase history, video library gone. There is no recourse and forced arbitration with high cost / risk.

It also opened my eye to how massive AMAZone is; no more prime video exclusives for me; no quick buy with same day delivery. many items available only on amazon marketplace.

I myself also wonder how much they are making by seizing funds on alleged policy violations.

SpaceLifeForm October 19, 2019 1:55 PM

Recently, I have observed some kind of attack. May be a combination of TLS Downgrade attack and BGP attack.

Same browser, same device, different ISPs, therefore different routes.

Get a CERT error on one path, OK on the other path. Same URL.

Only specific URLs exhibit the issue.

Main web site comes up both paths, it is lower level pages that have the problem.

The lower level URLs get the CERT error.

Consistent CERT error on one route, consistent OK on the other. Observed over many days now.

The problem just manifested itself in last 10 days

Even if the lower level pages are being served by a different web server under the main domain, why would the behaviour change like this based upon the route?

I will not name the players involved at this time (even though that is probably important).

But, looking for input to explain this website behaviour.

Remember, same device, same browser.

Just different routes.

Should be same cookies. Right?

Maybe not.

SpaceLifeForm October 19, 2019 2:38 PM

Sorry, but this may be on-topic.


SpaceLifeForm October 19, 2019 2:50 PM

@nicko @Clive

I’ve lost track of how many times that ‘dumps’ on AWS were (cough) “not secured properly, aka ‘public readable’ ” (cough)

If you use AWS, you deserve your fate.

Clive Robinson October 19, 2019 7:59 PM

Is origami important to security?

Without thinking about it most would go “Err no”, actually the answer is “Fundamentally yes” as like “knot theory” the mathematics behind them have interesting properties that affect all sorts of practical implementations of combinatorics and network theory.

But something most of us can quickly grasp, it’s easy to scrunch a piece of paper up into a small volume. But those creases in the paper, random though they look, are actually constrained by the laws of both physics and mathematics.

But also, and way more fun, is being able to get a plane surface to fold up so it occupies a minimum volume of a given shape, but very importantly can unfold again in self-supportable ways; that is a very, very useful ability.

For instance it’s easy to see it’s highly relevant to making portable structures, that in turn could be used for buildings or molds for building parts that could then shape locally sourced materials. Likewise structures for high gain antennas and solar collectors for the likes of small teams in areas where infrastructure is decidedly deficient for many reasons. Which applies equally as well to Spacecraft payloads.

But also easy to see how flexible but very strong structures could be made, think from ancient bellows, through accordions to joints on pressure suits. But how about an artificial skin to go around a mechanical hand to be used in robotics and similar.

Anyway whilst it’s easy to think of scrunched up paper, start thinking about how you would find the optimum folding pattern so you don’t have to scrunch? It’s something that beyond simple known folds, has been done by directed annealing algorithms and similar that do not produce the best of results.

Well that’s changed just recently,

Whilst not actually being child’s play it makes things easier and due to its fundamental nature is going to pop up in all sorts of unexpected areas, especially those that are more theoretical and ordered such as security and cryptography than other endeavors.

Mush Man October 20, 2019 8:50 AM

The Alastair Mactaggat team authored the new monumental CA privacy law set to take effect in January 2000.

Now he’s authored a Second Ballot Measure:
‘On September 25 2019, I filed an initiative to appear on the November 2020 ballot, the California Privacy Rights and Enforcement Act.

In the two years since introducing the legislation that passed as the California Consumer Privacy Act (CCPA), which gives nearly 40 million people in this state the strongest data privacy rights in the country, I’ve realized the immense power consumers are up against when it comes to having true control over their own data.

During this time, two things have happened: First, some of the world’s largest companies have actively and explicitly prioritized weakening the CCPA. Second, technological tools have evolved in ways that exploit a consumer’s data with potentially dangerous consequences. I believe using a consumer’s data in these ways is not only immoral, but it also threatens our democracy.

It is for these reasons that I’m proposing a new law that would:  
• Create new rights around the use and sale of sensitive personal information, such as health and financial information, racial or ethnic origin, and precise geolocation.  

• Provide enhanced protection for violations of children’s privacy by tripling CCPA’s fines for breaking the law governing collection and sale of children’s private information and would require opt-in consent to collect data from consumers under the age of 16.

• Require much-needed transparency around automated decision-making and profiling, so consumers can know when their information is used to make adverse decisions that impact lives in critical ways, including employment, housing, credit, and even politics.  

• Establish a new authority to protect these rights, the California Privacy Protection Agency, which will simultaneously enforce the law and provide necessary guidance to industry and consumers, many of whom are struggling to protect themselves in an increasingly complex digital ecosystem, where hacking and identity theft remain a terrible problem.

• Protect our democratic processes by fixing election disclosure laws and requiring corporations to disclose whether, and how, they use personal information to influence elections.

• Most importantly, it would enshrine these rights by requiring that future amendments be in furtherance of the law, even though I am only setting the threshold to amend at a simple majority in the legislature.  While amendments will be necessary given how technically complex and fast-moving this area is, this approach respects the role of the legislature while still providing substantial protections for Californians from attempts to weaken the law and their new human rights.

What this new law comes down to is giving consumers the right to take back control over their information from thousands of giant corporations.  This is about power: the more a company knows about you, the more power it has to shape your daily life. That power is exercised on the spectrum ranging from the benign, such as showing you a shoe ad, to the consequential, like selecting your job, your housing, or helping to shape what candidate you support in an election…’

Well put Alastair!
Maybe there IS hope for America after all in regulating away the biggest threat to worldwide FREEDOM since the Nazis [1].

We need to also ban the export of citizen surveillance data to countries like China who use it to oppress, incarcerate and lord over its people.
Google and Facebook are literally drooling to share one-way USA personal data (without consent) using their (newly installed) private undersea Libra cable directly connecting Silicon Valley to the Chinese Communist Party.

[1] hopefully treatment of Heads-Down Addiction will be covered by insurance

Steve shockley October 20, 2019 12:06 PM

@SpaceLifeForm: Maybe a content delivery network where one or more has a misconfigured cert? See if the IP address is the same on both ISPs, and look at the network tab in the F12 window to see what site has the bad cert. Would also be interesting to see what is wrong with the bad cert.

Anders October 20, 2019 12:18 PM


Do you get the same cert? Compare serial # and fingerprint
on both path?

It may be that they have something in the middle.

hxxps : / /

SpaceLifeForm October 20, 2019 1:49 PM

@Steve shockley @Anders

It gets curiouser and curiouser.

The problem has now appeared on the second route.

I’ve eliminated cookies and javascript.

Browsers are current.

Now get the cert error on main page, via either route, whereas before it was on child pages.

Another device via third route still works.

But, here is what is very strange.

First device via either route, OR on second device via third route, if you go to ssllabs,
the reports VARY !!!

The site that I first observed this strange behaviour on, via one test via ssllabs, reported an internal error, indicating multiple tls servers. Another test later ssllabs gave it a Grade B, noting weak DH.

And the really, really bizarre incident today totally indicates active MITM.

I got the same CERT Error (Authority invalid), on another site!

And then it WENT AWAY !!!

So, 2 sites having cert issues, both using RSA2048 SHA256. But different varying random failure cases.

The ssllabs site reports an A grade on the second site.

Here’s the really, really bizarre thing:

The second site is this site!

Anders October 20, 2019 2:43 PM


Actually i wonder why we need SSL here.
No login, anonymous comments, no need for SSL.

But i think Bruce should write down somewhere
CERT # and fingerprint.

I remember times when Russian banks used self signed
certs and on the bank website was CERT # and fingerprint
written so you could check it.

This is what i see for this site:


SHA256 FP : DB:5A:B9:C1:8E:48:4B:4D:85:BB:11:15:1F:D3:74:BF:39:DF:E3:6E:E8:D6:1D:2B:CA:2F:0C:2D:C3:F7:F6:7C
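Steve Shockley’s and Anders’ suggestions above (fetch the certificate on each route, then compare serial number and fingerprint) can be scripted so the comparison is exact rather than eyeballed. The following is an added example, not code from the original thread or from any of the sites mentioned; `fetch_leaf_cert_der`, `compare_routes` and the route labels are assumed names, and `build_sample_der` only constructs the first few DER fields of a certificate as test data, not a real certificate.

```python
import hashlib
import socket
import ssl


def fetch_leaf_cert_der(host, port=443, timeout=10):
    """Return (DER bytes of the leaf cert, negotiated TLS version) as seen on this route.

    Verification is deliberately disabled: the point is to capture the certificate
    that produced the browser error, which a verifying handshake would discard."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True), tls.version()


def fingerprint_sha256(der):
    """SHA-256 over the DER bytes, formatted AA:BB:... like browser and openssl output."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def _read_tlv(buf, pos):
    """Read one DER tag-length-value starting at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length: low bits give byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def serial_number(der):
    """Extract serialNumber: Certificate > tbsCertificate > [0] version (optional) > INTEGER."""
    tag, cert_body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    tag, tbs, _ = _read_tlv(cert_body, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, value, nxt = _read_tlv(tbs, 0)
    if tag == 0xA0:                         # EXPLICIT [0] version is absent on v1 certificates
        tag, value, nxt = _read_tlv(tbs, nxt)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return int.from_bytes(value, "big", signed=True)


def compare_routes(observations):
    """observations: {route_label: der_bytes}. Returns (all_routes_agree, {route: (serial, fp)}).

    Differing fingerprints for the same host on different routes is exactly the
    symptom to escalate: either a multi-certificate deployment or something in the path."""
    summary = {route: (serial_number(der), fingerprint_sha256(der))
               for route, der in observations.items()}
    all_same = len({fp for _, fp in summary.values()}) == 1
    return all_same, summary


def build_sample_der(serial, with_version=True):
    """CONSTRUCTED test data: only the leading fields of a certificate, not a real cert."""
    serial_bytes = serial.to_bytes((serial.bit_length() + 8) // 8, "big", signed=True)
    version = b"\xa0\x03\x02\x01\x02" if with_version else b""          # [0] { INTEGER 2 }
    fields = version + b"\x02" + bytes([len(serial_bytes)]) + serial_bytes
    tbs = b"\x30" + bytes([len(fields)]) + fields                       # tbsCertificate SEQUENCE
    return b"\x30" + bytes([len(tbs)]) + tbs                            # Certificate SEQUENCE


if __name__ == "__main__":
    import sys
    host = sys.argv[1]
    route = sys.argv[2] if len(sys.argv) > 2 else "route-1"
    der, version = fetch_leaf_cert_der(host)
    print(route, version, hex(serial_number(der)), fingerprint_sha256(der))
```

Run the script once from each vantage point (each ISP, a mobile connection, a remote host), save the printed lines, and feed the captured DER blobs to `compare_routes`; a mismatch in fingerprint for the same hostname is the thing to investigate, while an identical fingerprint on a failing and a working route points at the client’s trust store or an intermediate rather than a substituted certificate.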

SpaceLifeForm October 20, 2019 3:14 PM


You need TLS because without using TLS,
a website will be useless. There will be EXTREME issues.


Easy MITM to alter comments.

Easy SPAM attacks.

Easy comment hiding from readers.

Easy Joe Jobs.

Anders October 20, 2019 3:21 PM


What i had in mind was automatic switching from http to https.
http and https should be separate, i’ll choose, which protocol
i use and what route i use to this site. Then i can compare
the results. Forcefully switching from http to https removes
lot of checking options.

SpaceLifeForm October 20, 2019 3:47 PM

@Steve shockley @Anders

And now, on first device, thru second route, ssllabs still reports the Grade B, but now the website functions as expected.

NOTHING has changed on my end.


Here’s a clue. There is absolutely ZERO chance that the domain in question would be doing ANY IT changes today.

Absolutely ZERO CHANCE. Absolutely.

Here is why:

The first site is www [dot] vegasinsider [dot] com

There is zero chance they would be changing anything on an NFL Sunday.

Absolutely zero.

SpaceLifeForm October 20, 2019 4:15 PM


While you can pick your poison protocol,
you still can not control the route.

You can not trust Path Based Routing or Host Based Routing.

You ultimately are dependent upon protocols that you, as the end-user, have zero control over.

You have no control wrt BGP.

So you have no control over how the ip packets actually get routed. Or split out.

You have no control over upstream deep packet inspection.

Anders October 20, 2019 4:24 PM


“you still can not control the route.”

Yes, i can. I can use different methods:

  • my “normal” connection
  • my mobile connection
  • tor
  • rdp to computer hosted elsewhere
  • asking my friends on IRC to check site. russia, ukraine, australia, usa, japan etc.

They can’t control everything.

SpaceLifeForm October 21, 2019 5:10 PM


“Yes, i can. I can use different methods:”

The problem with your different methods is that they are all the same, but different. They all rely upon ip routing.

SpaceLifeForm October 21, 2019 5:35 PM

Just an update.

@DNS, the test via ip address was same device, same browser, same route that I noted the error above. But working ok (for the moment via DNS).

This will be same device, browser, route.

Now, the other site, vegasinsider, its problems vary. Today, I have seen complete downgrade attacks to plain http, over two routes. Or, 30 minutes later, working fine.

Here’s what I have noted:

Both this site and vegasinsider are both under 66/8 addresses.

Vegasinsider does use Cloudflare.

It appears to me that both sites can be downgrade attacked.

While this site uses Apache on Linux, it is TLS 1.1 still, and will get a ‘B’ grade in January per ssllabs.

But vegasinsider seems to be weird. While ssllabs reports TLS 1.2, it says weak DH.

Even weirder, it said it was running IIS 8.5 on Linux.

Only way I can fathom that is via a VM.

Clive Robinson October 21, 2019 6:08 PM

@ SpaceLifeForm, Anders,

They all rely upon ip routing.

That is generally considered to be a “Layer three issue”, however don’t forget “Layer zero issues”.

Most IP traffic is not actually the base network layer. For most computers that is ethernet. This then ends up being put on ADSL to a phone exchange/CO where it could then end up depending on age and location ATM, ISDN, X25 or a whole load of other network protocols completely unseen to the user.

Thus what goes on there is anybody’s guess, even for those that are supposed to know (if you know how to get into those lower layer networks, the chances are fairly good that you will remain completely unobserved). Even if seen it’s also unlikely to get reported into any kind of forum that might leak to the public.

It’s a problem that conventional IETF protocols and standards just do not address, nor do “service level agreements” or anything else you as a paying customer could gain any surety over.

It’s one of the reasons I started thinking about building higher level networks to sit above TCP/UDP etc that could be designed in ways that make such low level issues moot (See “Fleet broadcast system” I’ve discussed on this blog before).

Anders October 21, 2019 7:58 PM


In the end of the day, you should really start thinking what
do you believe and trust.

Your eyes show you inverted images. Only the brain converts them back.
So everything you see, is manipulated anyway. Maybe there are objects
that the brain just doesn’t show you?

Same thing with the internet. In the end, everything can be manipulated.
So what can you trust? 🙂

Weather October 22, 2019 1:48 AM

Is there something on the site that links to http, if so the browser is saying I can’t trust Everything.

Clive Robinson October 22, 2019 6:07 AM

@ Alyer Babtu,

That ARSTechnica article written by Chris Lee made me cringe when I read,

    Technically, you have to understand complex numbers to understand set points. But I have a short cut. The world of dynamics is divided into stable things (like planets orbiting the Sun), unstable things (like rocks balanced on pointy sticks), and things that are utterly unpredictable.

There is a great deal of learning and understanding difference between what most know as “complex numbers”[1] and understanding what deterministic, chaotic and random are.

It’s kind of like saying you have to understand real numbers to understand why spots of paint land on a line drawn on a surface when you flick a brush loaded with paint in its direction…

Also his description of deterministic actually ignores that all orbits have both a chaotic and random element… One reason is the planets pull the sun around as do comets etc and another, “space weather”, affects the orbits of all objects in space…

As some might say “technical journalism at its finest” 😉

[1] For those whose high school math is a little rusty: Complex numbers are used to mark points in a 2 –or higher– dimension space, where the dimensions are usually assumed to be orthogonal to each other and a point of reference chosen to form an origin, just as real numbers mark points along a scale or ruler that is one dimensional. Both measure what would be a distance or more correctly a vector difference between two or more points, from which a magnitude and direction can be worked out.

Bob Paddock October 22, 2019 11:49 AM

@Alyer Babtu, @Clive Robinson

There have been papers published in the past about how ‘noise’ is actually an important part of the functioning of the brain. Ideas range from simple simulated annealing systems to not get stuck at energy levels to more complex chaotic attractors attracting a particular frame of the Multiverse to create ‘Reality’.

5: Mysterious ‘Neural Noise’ Primes Brain for Peak Performance:

6: Does ‘Free Will’ Stem From Brain Noise?:

7: Strange Attractors that Govern Mammalian Brain Dynamics Shown by Trajectories of Electroencephalographic (EEG) Potential:

8: Chaos in the Brain:

Bob Paddock October 22, 2019 11:57 AM

Company claims to have mastered stealth invisibility, if the videos can be believed:

“In 2011, Cramer developed, “Quantum Stealth” (Light Bending material). This is Hyperstealth’s non-powered adaptive camouflage. It bends light around the target. The cost is inexpensive, very lightweight and there are no power requirements.”

maqp October 22, 2019 11:57 PM

@Nick_P, @Clive Robinson, @Thoth, @Figureitout, @Sancho_P, @all

TFC 1.19.10 has been released.


  • Relay Program support for Tails 4.0 (that was finally released yesterday). Ultimately I managed to set up a virtual environment for Tails that didn’t break OnionShare. Running TFC on Tails makes it much harder for remote adversaries to deanonymize users: endpoints look very similar as they don’t contain personal files of users. Tails also uses onion-grater that whitelists Tor commands, preventing user-level malware from obtaining the public IP via the Tor control port. TFC uses a quite strict onion-grater profile so there shouldn’t be any attack surface there.
  • @Thoth: TFC finally has full PureOS support. IIRC it was you asking for it. Have fun!
  • Using the password “generate” now generates a 129-bit password for the user using random words from the EFF word list. The password will be visible on screen so make sure you’re alone, jot it down, and dispose of the paper as soon as you remember it.
  • New purple TFC logo (higher res also). Should go well with both the OnionShare and Tor Browser icons. The color is actually the midpoint between the two so you get a nice color gradient. Comparison here.
  • Bug fixes, lots of Any type annotations were removed, fixed laggy Argon2 initial key derivation, updated dependencies.

As always, more details in the update log.

MarkH October 23, 2019 1:38 PM

Quantum Computer Supremacy … ???

  1. Google claims to have achieved a quantum computing breakthrough with their 53-qubit gadget: to have made a substantial computation faster than a “classical” computer can. [Their blog post, linked above, includes a link to an article they published in Nature giving more detail.]
  2. An interesting takeaway from this, is that after many years of research, experimentation, and vast rivers of financial investment, quantum computers have NEVER — until perhaps now — worked faster than Plain Old Computers.
  3. Their purported feat was sampling a quantum circuit designed to exhibit random behavior a total of 1,000,000 times, in 200 seconds.

Useful? Practical? Worth all the money? I dunno.

But Google modestly asserts that a classical computer would need 10,000 years to do this stunt. This would represent a speed-up by a factor of roughly 1.6 billion.

  4. But IBM says “not so fast” … by their estimate, a classical computer would only need 2.5 days to do the computation.

Not as dramatic, but still more than a thousand times faster. But wait there’s more! IBM also says that the classical computer computation would be far more accurate, and that their time estimate is very conservative.

So it’s quite likely that once equalization is done for error levels, and an optimized algorithm is found for a classical computer, the speed-up factor will be more like 100 … or 10 … or maybe no improvement at all.

In my eyes, useful QC is still like economically viable electricity from fusion power: it’s always just a few years away!!!

SpaceLifeForm October 23, 2019 4:34 PM

@DNS, @Weather

Note that

Both result in the same error, because the Apache server is doing a redirect to https.

I have zero reason to believe this site serves any plain http.

If you find any, you may have found evidence.


I went back and read the Fleet stuff, and your point about level 0 and level 3 is on my radar. We are on the same page.

What I envision should be internetworkable via radio or wire.


Update on the cert issues.

None today for this site, once yesterday.

Vegasinsider now back to ok main page, but behaviour of subpages has changed.

Instead of the cert error about authority, the subpages now work, but the https is in yellow in the URL (via Chrome).

So, there may be some strange stuff happening, but the symptoms are not the same.
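Two of the symptoms discussed in this thread can be checked from the outside without trusting what a browser shows: whether a host ever answers content over plain http instead of redirecting to https (the "if you find any, you may have found evidence" test above, and the downgrade-to-http observation), and whether a page that loads over https pulls in sub-resources over http://, which is what Chrome’s yellow https indicator means (Weather’s question about links to http). The following is an added example in the same spirit, not code from the original thread or from either site mentioned; `probe_plain_http`, `classify_plain_http` and `find_mixed_content` are assumed names, and `SAMPLE_HTML` is constructed test input.

```python
import http.client
from html.parser import HTMLParser
from urllib.parse import urlsplit


def classify_plain_http(status, headers, host):
    """Classify one response received over plain HTTP (port 80), without following redirects."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    location = hdrs.get("location", "")
    if 300 <= status < 400 and location:
        target = urlsplit(location)
        target_host = (target.hostname or host).lower()
        if target.scheme == "https" and target_host == host.lower():
            return "redirects_to_https"          # the expected behaviour for an https-only site
        if target.scheme == "http":
            return "redirects_to_plain_http"     # stays in the clear: worth investigating
        return "redirects_elsewhere"             # e.g. bounced to a different host
    if 200 <= status < 300:
        return "serves_plain_http"               # content delivered with no TLS at all
    return "other"


def probe_plain_http(host, path="/", timeout=10):
    """Issue a single GET over plain HTTP and return (status, headers); redirects are not followed."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, dict(resp.getheaders())
    finally:
        conn.close()


class _MixedContentFinder(HTMLParser):
    # tag -> attribute that loads a sub-resource; an http:// value there is mixed content on an https page
    WATCH = {"script": "src", "iframe": "src", "img": "src", "link": "href",
             "audio": "src", "video": "src", "source": "src"}

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        wanted = self.WATCH.get(tag)
        if not wanted:
            return
        for name, value in attrs:
            if name == wanted and value and value.strip().lower().startswith("http://"):
                self.findings.append((tag, value.strip()))


def find_mixed_content(html):
    """Return [(tag, url)] for sub-resources referenced over http:// in document order."""
    parser = _MixedContentFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# CONSTRUCTED sample page: one stylesheet and one iframe over https, a script and an image over http.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://static.example.test/site.css">
<script src="http://static.example.test/app.js"></script>
</head><body>
<img src="http://static.example.test/logo.png">
<iframe src="https://embed.example.test/widget"></iframe>
</body></html>
"""


if __name__ == "__main__":
    import sys
    host = sys.argv[1]
    status, headers = probe_plain_http(host)
    print(host, status, classify_plain_http(status, headers, host))
    print("mixed content in sample page:", find_mixed_content(SAMPLE_HTML))
```

A result of `serves_plain_http` for a host that is supposed to be https-only, or a set of findings from `find_mixed_content` on a page fetched over https, is recordable evidence that can be compared across routes in the same way as the certificate fingerprints; `redirects_to_https` on every route is the boring, expected outcome.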

Clive Robinson October 23, 2019 5:58 PM

@ MarkH,

I don’t know if you’ve tried reading Google’s Nature paper?

It’s not that readable to the simply curious. What is generally more readable is Scott Aaronson’s “Shtetl blog”. However having been a “peer reviewer” for the Nature paper Scott’s not been able to say very much until now,

The 10,000 years down to a couple of days claim by IBM I’m going to have to have a little think about. In both cases the effects of the speed of light have not been addressed which is currently the second biggest wall Moore’s law has crunched up against (the first being heat death).

As for QComp and fusion power, a difficult call… But fusion experiments have been working for over 20 years now, just not very well and you can’t realistically get the excess energy out yet. But… In fusion the issues are more that of engineering than theoretical science, QComp I’m still thinking that there is a lot of theoretical science yet to be done.

So, “that mini Sun” may be at your door first 😉

MarkH October 23, 2019 6:51 PM


I only glanced at the Nature paper for a minute or so, and hadn’t yet looked at Aaronson’s blog … Scott is my “go-to guy” when it comes to making sense of headlines about quantum computing.

Scott’s judgment is clearly that Google appears to have done what hasn’t been done before, and that they make their case well. To boil it down for our dear readers, if Google’s chip had a few more qubits, then the simulation proposed by IBM wouldn’t be feasible.

I freely admit that the arcana of quantum computing are very far beyond my knowledge, and at my age I’m not going to invest the very considerable time that would be needed simply to keep up with new developments.

Will there be a useful QC someday? My guess is that there will … though many more years after that might be needed to break 2010-era public key cryptography.

Is Google’s stunt a step toward useful QC? In my poor understanding, they made a big wobbly assemblage with random behavior that’s very costly to simulate numerically. In some subtle way, maybe that’s progress …

As Scott Aaronson observed, Google’s breakthrough “doesn’t [in itself] mean scalability, fault-tolerance, useful applications, breaking public-key crypto, etc. etc.” But it’s still a first.

In the handicapping of QC vs. fusion power, there’s probably a lot more room for new ideas, approaches and experiments in quantum computing, for just the reason you gave. Fusion has been knocking on the same heavy doors for a long time.

A more somber horse race: which will come first, a QC that can extract secret keys, or 3 meters of sea level rise? I know which worries me the more …

MarkH October 23, 2019 7:29 PM

U.S. Sensitive Compartmented Information Facility was Invaded Today

As the name suggests, a SCIF (pronounced like “skiff”) is designed and operated to extremely high standards of information security, including protection against electromagnetic and acoustic information leakage.

The SCIF in question, in the basement of the Capitol building, was at the time in use for deposition of a Department of Defense official.

The invaders weren’t spies or crooks (in the usual understanding), but rather members of Congress who were not authorized to attend. Their purpose was not espionage, but rather to make a high-profile protest for the news headlines.

However, this breach may have had security implications, as explained in a series of tweets by Mieke Eoyang, a national security specialist with experience of that particular SCIF and the handling of cybersecurity there.

According to Ms Eoyang, there are strict controls on admission of electronic devices. At least some of the unauthorized entrants had mobile phones and the like which had not been screened. (I consider this to be confirmed, because a legislator who was authorized to be there reportedly asked them to surrender, and collected, their personal electronics.)

Eoyang writes that after unscreened electronics have come in, a SCIF requires a lengthy procedure before it can be considered secure again. She claims that she can’t provide more details because information about how SCIFs are secured is itself safeguarded.

A SCIF is the inner-inner sanctum for the handling and communication of information at the highest levels of security classification. There’s a lot to chew on, in the implications of this breach.

Clive Robinson October 23, 2019 8:08 PM

@ MarkH,

Scott’s judgment is clearly that Google appears to have done what hasn’t been done before, and that they make their case well.

They have certainly achieved something, but the acid question is “but what exactly?”.

Just over a year ago it would have been relegated much as the D-Wave did to a “yeah but what’s the use” comment. Because the real-world applications are not exactly numerous to put it mildly (hence Scott’s “Wright Flyer” comments).

As it is the use of proving random sampling on a distribution curve, is not going to grab most people as being useful in any context they can relate to. And will likely give rise to comments along the line of “You can prove random with random?” and similar.

But it does raise an issue: what has been done is currently on the limits of what can be done with classical computing. Thus we have some real world measure by which we can prove it is actually QC effects at work.

As it is both classical and quantum computing will improve over the next few years[2], to the point where proof of QC will only be possible by QC, that was at some point previously proved by classical computing.

There will be a lot of fun on this border line and to that end you might want to keep an eye on Johnnie Gray, currently doing a PostDoc at Imperial (London).

His area of work Tensor Networks[1] will probably push out the Quantum –computing– Supremacy barrier a lot further than IBM’s “rainbow table” trick that trades memory for speed.

You can have a look at some of Dr Gray’s more practical work at,

I’ve come across some of his work (DASK) via someone I know doing analysis of Satellite data, which like “weather prediction” and some areas of “climate science” needs a heck of a lot of parallel processing, even when just modeling ideas for the models…

Which in a round about way brings us to your last comment, my real worry there is finding waders that not just fit, but don’t chafe, and still give around five foot of clearance. Assuming of course that I’m not in my wooden box by that time, it would be somewhat embarrassing if it did rise up and float away, after all it would be a hazard to navigation 😉

[1] Tensor networks are currently a not widely understood state-of-the-art in computational methods that are usefully quite applicable across many apparently unrelated disciplines. This includes the cross over between classical simulation of quantum many-body systems and quantum circuits, which is what this current Quantum Computer Supremacy dust up between Google and IBM can be seen to be.

[2] It’s important to note that future improvements in Quantum Computing are very much going to depend on improvements in Classical Computing. Because unlike the view that they are separate, they are in fact inextricably linked. It’s hard to explain but think of it this way: the heart of a classical CPU is the ALU, which is very much limited by how the carry functions, which in part is a function of the speed of light. In effect a Quantum Computer is really only going to swap out the ALU for a Quantum unit and some of the register file. Much of the rest of it will be directly equivalent to a classical computer, including the “microcode” decoder in a classical CPU.

MarkH October 23, 2019 8:38 PM

@Clive, who wrote:

Just over a year ago it would have been relegated much as the D-Wave did to a “yeah but what’s the use” comment.

What this new stunt has in common with D-Wave, is that neither computation has any evident application.

The big difference, is that the classical simulation for D-Wave is not very much slower than the D-Wave itself; whereas classical simulation for Google’s gizmo needs the world’s gnarliest supercomputer, and can’t be scaled up.

Again, absolutely no practical use here — but it’s a sort of milestone. Time will tell whether it’s more like the Wright brothers, a step toward astonishing progress; or the human-powered flights made by competition-level cyclists which had “wow that’s cool” but led to nothing practical.

Thanks for the link on tensor networks. I’ll try to wrap my head around it. My departed colleague John (he of the dyslexia) studied tensor math for pleasure, and applied it to an engineering analysis he once did. I regret that I didn’t take time to get to know him better.

As to the wooden box, perhaps it can be fitted with small sails and a rudder, and a solar powered guidance and control system =:0

Clive Robinson October 23, 2019 9:02 PM

@ MarkH,

This really did make me smile,

    She claims that she can’t provide more details because information about how SCIFs are secured is itself safeguarded.

Talk about “over egging the pudding”. The reality is she, or more correctly others, are going to have to check for the equivalent of “litter and vandalism”.

That is, if anyone left anything behind they should not have, or made holes etc they should not have. Even the process by which this is done is not secret or for that matter “safeguarded”; you can find plenty of public domain information around the world on what is involved, including test standards. Or you can, using graduate-level physics, use the fundamental laws of nature (physics) to work them out from first principles.

What is however “safeguarded” is “the limits” to what is done. Nothing in life is perfect and there are realistic limits to what can be achieved not just in terms of “in a given time” but also with respect to “within a given technology”. New technology favours the attacker not the defender, but the attacker does not know if they or the defender are further along the “new technology” development path. Hence the reason to “safeguard”.

A little history explains why. Back in the 1960’s the equipment a defender had to call on was a portable “Crystal diode detector” and “video signal amplifier and display” for EM radiation, which these days we would call a “spectrum analyser”, a “Battle field mine detector” for looking for conductive objects inside apparently solid furniture and the like, and the near lethal to the operator “portable X-Ray equipment”. All of which had their own capability limits. So just knowing the limits of the Crystal diode detector system meant that the Russians could get away with “The Thing” or “Great Seal Bug”. Likewise the X-Ray equipment limits allowed them to get away with putting bugs in the IBM Selectric typewriters as they went through customs etc.

If the Russians had not known or made sensible guesses at the limits, then their bugs would have been detectable by the equipment, thus would have been found when regular sweeps were carried out.

Now of course, there is going to have to be rather more than a standard sweep… The chances are the facility will have to be ‘re-certified’, which depending on the rules might mean all the furniture and fittings have to be stripped out and replaced with new known to be clean replacements…

If you or I had caused such an “invasion” we would be looking at Federal time if we were lucky… But they are “politicians” the most they are likely to get is a sternly worded letter, reminding them that they should in future ensure they follow the rules…

Clive Robinson October 23, 2019 9:29 PM

@ SpaceLifeForm,

What I envision should be internetworkable via radio or wire.

The design of the Fleet Broadcast idea comes from the Radio system, where although you can not hide the transmitter, you can hide the receiver, all it needs is the signal to get to it.

Thus the trick when “wired” is how to get the signal to where it’s designed to go without it being used to identify the destination machine due to the necessary “routing”.

Multi-cast kind of does this if all hosts received it, but they don’t in order that networks don’t get congested.

The bit I need to finish thinking about is how to have a fully anonymous initial rendezvous protocol.

MarkH October 24, 2019 2:06 AM


Disclaimer: pure speculation.

The Congressional SCIF is a large meeting room capable of accommodating quite a lot of people. Activities there presumably include presentations, note taking, recording etc.

In a way, it’s a walled-off office environment.

If there’s a suite of carefully screened electronics lodged inside, perhaps a concern is that they could get infected from an unauthorized device.

This is 95% guessing, and 5% “reading between the lines.”

name.withheld.for.obvious.reasons October 24, 2019 6:01 AM

Published on YouTube 23 Oct 2019, Brad Smith discusses his book “Tools and Weapons” at Politics and Prose.

Promoting the book titled “Tools and Weapons” at Politics and Prose the author, Microsoft’s president Brad Smith, gave a talk summarizing a few of the book’s topics. One component of this talk, in conversation with the host David Sanger of The NY Times, included the nature and sensitivity respecting data ownership, propriety, and geographic/state boundary issues. China and Russia were both identified in this context and the line of thought fell along that of data balkanization. Also, a prominent theme emphasized by Mr. Smith was the concept of a Geneva Convention agreement, a multilateral framework for civil society that makes the “weaponizing” of personal and private systems an act of undue aggression.

An element of balkanization he considered in the book involved the intergovernmental consequences of services that have personal, business, or organizational content that may be vulnerable to external pressures respecting the relinquishing of data to other governments. Smith couched his concern as a human rights concern. For example, does it require locating the services/data in a particular country.

Smith said, “Are we prepared to build a data center in a particular country. We have a human rights assessment before we make that decision.”

Further into the talk he said “There might be some business data that doesn’t raise human rights concerns, but consumer e-mail that’s a different story.”

My take on this is that Smith is giving a pass to business information, i.e. we can play ball on the business side so there is nothing to see here. But, if an individual has data of interest, we will help identify it AND the person for you. Smith did not say this but this is how I untangle the meaning and thrust of his statements.

I see this as cover for the types of arrangements Microsoft already has with their customers. It is plainly evident in the multitude of EULA/License and purchase agreements that Microsoft’s lawyers have skillfully foisted a Trojan horse on their customers. It is hard to believe in this era Microsoft sees the purchase of their products as relevant to a customer–but moreover as a cross-licensed consumer and data broker arrangement. The customer is the data provider under the licensed operating system which allows Microsoft to claim priority, and, for that privilege you pay Microsoft a licensing fee. The icing on the cake, we will repair our faulty product up to or until we decide it is no longer necessary and frankly my dear, we don’t give a damn.

Clive Robinson October 24, 2019 6:26 AM

@ MarkH,

If there’s a suite of carefully screened electronics lodged inside, perhaps a concern is that they could get infected from an unauthorized device.

Yup, they form part of the fittings that will have to be checked out.

The reason the furniture has to go as well is “reinfection” or “first infection”, and a lesson learned from the Great Seal Bug.

Look at it this way, simple case first,

Just assume there is such an infective agent / device in the room slipped down in the edge of a seat back or similar and it has a timer in it set for a week or a month or even a year from now. When it times out it wakes up and starts doing its designed activity.

Up until then there would be nothing to find with conventional bug sweeping and software image checking etc. Thus it would be easy for the inexperienced to get lulled into a false sense of security (which is what the time delay is meant to do).

Thus the regular checks and procedures[1] may well fail to pick it up.

Detection equipment has moved on since the 1960’s and we have the likes of thermal imaging and the more sophisticated types of “buried wire/pipe finders” that not only look for metal, they can also detect currents flowing in wires. Whilst others can detect unshielded semiconductor junctions via their “square law” properties (so called “nonlinear junction detectors”, that work the same way many of those antitheft tags you see in stores work).

They could, as I’ve mentioned in the past, bring the temperature of the room right down until everything is at a stable point. Anything using energy will be, due to inefficiency, radiating heat, albeit these days in tiny (nano/pico watt) amounts. Which will be mostly too small to detect even when right on top of them.

However as you bring the temperature up in a controlled way you will have thermal lead and lag between dissimilar materials; this can be much more easily seen with modern thermal imaging equipment. The problem is, whilst this is a lot easier with small rooms with sparse, more functional than comfortable furniture, there are limits, and as we know politicos like to sit comfortably in their grandiose trappings of power… Which is why it might be easiest to just send it all to the dump / recycling and give them cheap plastic garden furniture instead 😉

But less simply, the Great Seal Bug taught another lesson of “no batteries required”, thus no energy being used most of the time. That is, energy can be sent wirelessly to a surveillance device. But also back in even the 1980’s there was an assumption which no longer holds today due to ICT tech.

The assumption was that the energy flow would be two way, that is from outside to the device, and then from the device back out again with the surveillance modulated on top of it. As I’ve mentioned before, shielding is not perfect, it only attenuates. Thus if you push enough power from outside, some fraction of it will get through. This was acceptable because of a second effect, which is the thermal noise floor: everything that has resistance generates noise, and this includes all conductors. If you have a hunt around you will find -174dBm in a one Hertz bandwidth mentioned[2], or KTBR noise and test limits some 20dB higher. Thus the argument is that if you provide sufficient shielding the “round trip” through it twice will stop surveillance information leaking out… Well, the joys of computers in the room is that it’s a “one way trip” through the shielding to the device, and the device not being shielded from the computers means one heck of a lot less power is needed. Further, the device being only a simple “transducer” does not have a battery or other electronics in it, thus does not need to have exploit code etc on it etc etc… It will be as up to date in attack software as the attackers have…

If you remember back to the TAO catalogue they had what some called “radar bugs” and I mentioned how out of date they were. I also mentioned I used to design such devices and had sold more modern versions years before the TAO catalogue. Well I’m not the only one, there is a market for such devices, and as in all hi-tech markets innovation is the name of the game. So if you go hunting on the likes of Chinese electronics web sites you will find more modern bugs that can be hidden in pens and the like quite easily and at quite low prices… But even those are not even close to what can be done with some relevant post graduate knowledge and a thoughtful brain…

As I’ve indicated in such tech based attacks the advantage is usually with the attacker not the defender. Which is a piece of knowledge that many would wish was not commonly known as there is not a “blue pill” for this kind of impotence.

You never know, but for those living in Washington, there might be a “fire sale” of quite cushy executive office furniture in the near future 😉

[1] If you have the stamina and several large pots of coffee,

[2] For the more technically minded the -174dBm/Hz is for AWGN or incoherent noise; the noise floor that NIST recommends for radio test measurements is -177dBc/Hz, which is the limit on a “coherent” DSBSC signal. Each 3dB change represents a change of twice the power. The “gotcha” in many people’s thinking is to forget two things: firstly “antenna gain” is regarded as “noise free gain”, and secondly everything in reality, including shielding, has a nonlinear frequency response. But also “slots” are also antennas, so the crack in a door being around 2m long, if it was in a shield, would act like a resonant antenna at ~75 MHz and its multiples up to microwave frequencies, with each multiple having more gain than the previous multiples, albeit in more focussed directions relative to the slot axis.

CallMeLateForSupper October 24, 2019 9:31 AM

“myself also does wonder how much they are making by seizing funds on alleged policy violations.”

The dollar amount of civil asset forfeitures in the U.S., per annum, provides a rough lower bound.


Breaking: Amazon’s “cloud” was … um.. severely buffeted by a DDoS against its DNS servers.
“The outages call into question the effectiveness of the AWS DDoS-mitigation platform Shield Advanced, especially as it appeared to have made things worse for some customers.

“’Our DDoS mitigations are absorbing the vast majority of this traffic, but these mitigations are also flagging some legitimate customer queries at this time,’ the firm said.”

No comment.

tds October 24, 2019 2:53 PM

Roger McNamee, author of “Zucked: Waking Up to the Facebook Catastrophe” on Democracy Now for an hour 1 of 4

” [Amy Goodman] Can you start off by explaining why you call Facebook a catastrophe?

ROGER MCNAMEE: So Amy, first of all, thank you very much. It is such a privilege to be here on Democracy Now! with you today. So Facebook really simply began its life in a very innocent way, connecting friends to friends and allowing people to share what was going on in their lives. The challenge really developed when the company needed to make money, and so it began creating a business model that was based on effectively monopolizing attention. They sell advertising. They need people to watch the ads. And the way they did that was to use two things—the techniques of slot machines and propaganda that prey on the weakest elements of human psychology, and then they use smartphones, which basically were on people’s bodies 24 hours a day and created the ability to generate first habits and then later addiction.

And Facebook, along with Google and other products like Instagram and YouTube, played this game incredibly effectively. They did so at a time when there really were no rules for businesses. Essentially, the American economy has been deregulating for 40 years, and so there’s nobody watching the store. And smart people take what they can get, and the people at Facebook and Google are really smart, and they basically made a play for a global consumer internet product that would essentially touch everyone around the world and bring them into a single network and manipulate their behavior for profit.

And it has been amazingly successful in economic terms, but it has caused huge harms to democracy, to public health, to privacy and frankly to the structure of the economy itself. In my mind, we have a huge challenge because as users, we really like these products. We like Facebook. We like Instagram. We like YouTube. But we have to learn to accept that things we like can sometimes do great harm to society, and that’s what’s happening.

AMY GOODMAN: Explain its threat to democracy, Roger.

ROGER MCNAMEE: Very simply put, the way that Facebook works—and the same would be true of Instagram and YouTube and Google search engine—they need you to spend a lot of time. And so the first thing they do is they use notifications to build a habit. Once you’re addicted, once you’re coming back multiple times a day, they have to find ways to keep you on the site. And the simplest way to do that is to reinforce whatever content gets you to share or like or comment. It turns out for most of us, the content that does that is stuff that triggers flight or fight, which is essentially a part of our psychology that is so deeply wired we can’t avoid it. The content that does that best is hate speech, disinformation, and conspiracy theories.

Effectively what happens on Facebook is they bombard you with the stuff you react to, and it blocks out all other forms of communication. So you wind up being in what is called a filter bubble, which is essentially an artificial reality where everything appears to reinforce the things you already like or the things you already believe, and it blocks out any new ideas. And in a democracy, that’s terrible, because it increases polarization. Essentially, each one of us is in our own Truman Show [1], and if we are not careful, we wind up having our own set of facts.

And you see this every day. I mean, one third of Americans do not believe there is any relationship between human activity and climate change. That is demonstrably false. There’s another 7% or 8% who believe there is a linkage between vaccination and autism, which is clearly not true. Well, in a democracy, if you can’t agree on the facts, you can’t have debate, you can’t have compromise. And Facebook has played a larger role than any other platform at increasing this polarization. They have had a lot of help from YouTube and Instagram, but Facebook has been the one that has done it worst.

AMY GOODMAN: And why a threat to public health?

ROGER MCNAMEE: So on public health, there’s a bunch of different things going on in public health. Quite obviously, if people live in a fantasy world, if they live in a Truman Show and they are angry all the time, if people are constantly being bombarded with stuff that triggers fear or outrage, that’s just not going to be good for their mental health…”


SpaceLifeForm October 24, 2019 6:15 PM


Thus the trick when “wired” is how to get the signal to where it’s designed to go without it being used to identify the destination machine due to the necessary “routing”.

Got that part.

The signal is in the noise.

Clive Robinson October 24, 2019 6:32 PM

@ SpaceLifeForm,

The signal is in the noise.

Or the echo, that bounces from many points, to bounce yet again.

SpaceLifeForm October 24, 2019 6:41 PM

AWS. Leak again. Lost count.

I’m thinking that not only does AWS have a major security problem in regard to ‘unsecured dumps’, (allegedly internal problem), I now also think that hackers are intentionally putting those hack dumps on the AWS cloud.

Here’s the bad angle: Those ‘hackers’ and AWS may be in bed together.

Alyer Babtu October 24, 2019 7:59 PM

@MarkH @Clive Robinson

Re: QC/entanglement-Fusion-Tensor Network-Mind stability-precognition

My take: All these problems require each other and will be solved simultaneously. The precognitating (precogitating ?) mind, stably chaotic under all perturbations, uses entanglement, and so reduces entropy exponentially, cancelling the exponentially growing parameter possibilities and so adjusting the fusion reactor for stable operation. As a bonus you get time-travel. Bingo !

I wrote a sketch of a scifi story along these lines.

Please send research money.

Clive Robinson October 24, 2019 9:43 PM

@ Bruce, and the usual suspects,

Stalkerware is dramatically on the rise according to Kaspersky, who have seen a 37% rise in numbers this year alone,

Yet another reason to realise the hard way just how insecure our smart devices etc are… And how intimately they are in our lives.

In the UK October is often used for health related life improvements, with say “Stoptober” being a month in which to give up alcohol or smoking or chowing down on large hunks of dead bovine backside etc.

Maybe we should co-opt “NO-Phoneber” as a no smart phone usage month. That is “Leave the electronic dog leash at home” for a month, preferably locked in a safe…

Whilst I would have little problem with it, I’m sure others would realy have to sweat it out cold turkey style.

Clive Robinson October 24, 2019 9:58 PM

@ SpaceLifeForm,

So, encrypted echoes that have a short TTL are still an issue?

No, because the echoes are in fact rebroadcasts.

Think of a network layered on top of TCP/IP, in much the same way it is layered over ethernet or X25 or ATM.

It is this new network layer that provides anonymous routing and anti traffic analysis.

Think of every participating computer being a node with fixed bandwidth point to point links that behave like a two node ring network. That is, for every packet node C sends to node F, node F sends back a packet to node C. Each packet is sent at a fixed time interval. This prevents a third party observing not just data being sent but getting any metadata for base traffic analysis.

Thus the underlying TTL relates only to the node to node link not to where a node sends an echo to next.
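A small simulation of the fixed-rate two-node link described in the comment above. This is an added example, not code from the commenter: two nodes exchange one fixed-size frame per interval in each direction, cover frames fill idle intervals, and the only thing a passive observer can log is a constant byte count. Frame size, header layout and the assumption that frames would also be encrypted in a real deployment are mine.

```python
import os
from collections import deque

FRAME_SIZE = 64                # every frame on the wire is exactly this long
HEADER = 3                     # 2-byte payload length + 1-byte "last chunk" flag
CHUNK = FRAME_SIZE - HEADER    # payload capacity of one frame


def encode_frame(payload: bytes, last: bool) -> bytes:
    """Build one fixed-size frame. Unused space is filled with random bytes so
    a cover frame and a data frame have the same length. A real deployment
    would additionally encrypt the whole frame so the observer cannot read the
    length field either (assumed here, not implemented)."""
    if len(payload) > CHUNK:
        raise ValueError("payload does not fit in one frame")
    pad = os.urandom(CHUNK - len(payload))
    return len(payload).to_bytes(2, "big") + bytes([int(last)]) + payload + pad


def decode_frame(frame: bytes):
    """Inverse of encode_frame: strip the header and the random padding."""
    if len(frame) != FRAME_SIZE:
        raise ValueError("malformed frame")
    n = int.from_bytes(frame[:2], "big")
    return frame[HEADER:HEADER + n], bool(frame[2])


class Node:
    """One end of a fixed-rate point-to-point link."""

    def __init__(self, name: str):
        self.name = name
        self.outq = deque()     # (chunk, is_last) tuples waiting to be sent
        self.partial = b""      # reassembly buffer for the message in flight
        self.delivered = []     # complete messages received from the peer

    def send(self, msg: bytes) -> None:
        """Queue a message; it is cut into frame-sized chunks."""
        chunks = [msg[i:i + CHUNK] for i in range(0, len(msg), CHUNK)]
        for i, chunk in enumerate(chunks):
            self.outq.append((chunk, i == len(chunks) - 1))

    def tick(self) -> bytes:
        """Emit exactly one frame per interval, data or not. With an empty
        queue a cover frame (zero-length payload, last flag clear) goes out,
        so the observer sees the same byte count every interval."""
        if self.outq:
            payload, last = self.outq.popleft()
        else:
            payload, last = b"", False
        return encode_frame(payload, last)

    def receive(self, frame: bytes) -> None:
        data, last = decode_frame(frame)
        self.partial += data
        if last:
            self.delivered.append(self.partial)
            self.partial = b""


def run_link(node_c: Node, node_f: Node, ticks: int):
    """Drive the C<->F link for a number of intervals and return what a passive
    observer can record: (interval, direction, frame length) for every frame."""
    observed = []
    for t in range(ticks):
        frame_cf = node_c.tick()
        node_f.receive(frame_cf)
        frame_fc = node_f.tick()        # F always answers C's frame
        node_c.receive(frame_fc)
        observed.append((t, "C->F", len(frame_cf)))
        observed.append((t, "F->C", len(frame_fc)))
    return observed


def demo(ticks: int = 10):
    """Constructed sample traffic: a short message one way, a long one back."""
    c, f = Node("C"), Node("F")
    c.send(b"meet at the usual place")
    f.send(b"x" * 200)                  # 200 bytes spans four frames
    observed = run_link(c, f, ticks)
    return observed, c.delivered, f.delivered


if __name__ == "__main__":
    obs, c_got, f_got = demo()
    print(sorted({n for _, _, n in obs}), len(obs), c_got[0][:8], f_got)
```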

Weather October 24, 2019 11:21 PM

Google idea uses capacitor which min out at of, be good for a sensor, as they are getting their noise from the surrounding, but would need to drop everything to nanoscale, but then they need the physics to plot how to build it.
Dwave uses inductors min at mH, less noise input but more random input due to less cancellation, but they can bias it with known magnetic fields, to tune easier.

SpaceLifeForm October 25, 2019 4:59 PM


We are on the same page.

I was thinking you were thinking radio more than non-radio (copper, fibre).

Echo issue still exists either way, but if encrypted, should not matter.

My reference to TTL was NOT referring to ip TTL.

I’m thinking a higher level concept.

Think NNTP.

SpaceLifeForm October 25, 2019 5:34 PM


Back to the NNTP concept.

Instead of constant timed packet transmission, which could be costly, I’m thinking random transmission to various servers.

That randomly propagate, randomly, to other servers.

We are on the same page, there is no doubt.

Jon October 26, 2019 9:14 PM

@ Space Life Form:

Suggest you go higher. It’s an idea I’ve floated in the past (and even written some Python code to do something with, but it got very back-burnered) called the “Random Data Email Exchange”.

Roughly speaking, you have a group of people (who consent to be in on this), each of whom has a list of others (with some, but not complete, overlap) and every so often each of them sends a goodly packet (say, anywhere from 20k to 120k) of purely random data to another. Or forwards the same random data to someone else on their list.

The idea is swamp the spies with noise, and also provide plausible deniability to one-time pad use (a forged pad can turn any random data into something incriminating).

You still need a backchannel for actually transferring sensitive data (Mentioning over coffee, say, “Psst, try XORing together XXX, YYY, and then XORing that with ZZZ…”) but after running for a few months, the quantity of data they’d have to test against without that backchannel becomes ridiculous.

I’m not a statistician, but it seems a bit like giving them an O(n!) problem while you only have to put in O(n) inputs… J.
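The two properties the “Random Data Email Exchange” above relies on, shown in code. This is an added example, not the commenter’s Python: the shared pad is the XOR of a few exchanged random blobs named over a back channel, and because any blob XOR any same-length text is a valid pad, a third party holding only the blobs cannot tell which (if any) carries a message. Blob sizes, the sample texts and the subset count are constructed for the demo.

```python
import os
from math import comb

SECRET = b"the real message, 32 bytes long!"      # 32 bytes, constructed
ALTERNATIVE = b"grocery list: eggs, milk, bread."  # 32 bytes, constructed


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def combine_pad(blobs: dict, ids) -> bytes:
    """The pad agreed over the back channel ("XOR XXX, YYY and ZZZ"):
    the XOR of the named random blobs, which is itself uniformly random."""
    pad = bytes(len(blobs[ids[0]]))
    for i in ids:
        pad = xor_bytes(pad, blobs[i])
    return pad


def otp(data: bytes, pad: bytes) -> bytes:
    """One-time pad: encryption and decryption are the same XOR."""
    return xor_bytes(data, pad)


def forge_pad(blob: bytes, claimed_plaintext: bytes) -> bytes:
    """Deniability: for ANY same-length text there is a pad that turns the
    blob into it, so a blob alone proves nothing about its contents."""
    return xor_bytes(blob, claimed_plaintext)


def pads_to_try(n_blobs: int, k: int) -> int:
    """Number of k-blob XOR combinations an analyst without the back channel
    would have to test against each candidate ciphertext."""
    return comb(n_blobs, k)


def demo():
    # Constructed: six random blobs the group has mailed around so far.
    blobs = {i: os.urandom(32) for i in range(6)}
    pad = combine_pad(blobs, [1, 4, 5])        # named over coffee, say
    ciphertext = otp(SECRET, pad)
    blobs[6] = ciphertext                      # mailed out like any other blob
    forged = forge_pad(ciphertext, ALTERNATIVE)
    return {
        "with_real_pad": otp(ciphertext, pad),
        "with_forged_pad": otp(ciphertext, forged),
        "triples_to_try": pads_to_try(len(blobs), 3),
    }


if __name__ == "__main__":
    r = demo()
    print(r["with_real_pad"], r["with_forged_pad"], r["triples_to_try"])
```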

JG4 October 26, 2019 11:54 PM

Why Terminator: Dark Fate is sending a shudder through AI labs BBC

Big Brother is Watching You Watch

Joe Rogan Experience #1368 – Edward Snowden YouTube Lambert featured yesterday in Link but re-running to add BC’s comment:

…Their foremost priority is to protect their agencies, their power and secrecy, and their personal careers…

Republican campaign put beacons on lawn signs to track phones, company says Mashable (David L)

Microsoft wins $10 billion JEDI defense cloud contract, beating Amazon CNBC. BC: “‘Alexa, play ‘Cry Me A River’”

Imperial Collapse Watch

How Autocracy Comes to America: Big Tech and National Security Matt Stoller

Security Researcher Gets Access To Thousands of Automatic Pet Feeders By Xiaomi Habr. Translation here.

name.withheld.for.obvious.reasons October 31, 2019 12:00 PM

The national security apparatuses, at least within the U.S., seem to have effected a level of censorship and repression that is quickly approaching a Stasi-like equivalence. Over the last several weeks stories relevant to security and disclosure issues where government(s) are the topic have been successfully minimized to a degree I’ve not previously witnessed. A few quick searches from several indexing services indicate a real withdrawal of coverage across a narrow set of topical events.

I will have to use a couple of other International indexes to broaden the scope of suppression on and about these events. It doesn’t look like an orchestrated effort on the part of publications as the edges seem common across a number of different events. The homogeneity and linearity of the bounded sets of relevant articles and publications is too repeatable for a loosely coupled set of source publications or authors.

If possible I will attempt to formalize research to a degree that will clarify the preliminary results and observations of the current hypothesis offered here. Anyone with supporting resources that could point to data and information that might be useful in this effort would be appreciated. Thanks!
