Friday Squid Blogging: Triassic Kraken

Research paper: “Triassic Kraken: The Berlin Ichthyosaur Death Assemblage Interpreted as a Giant Cephalopod Midden“:

Abstract: The Luning Formation at Berlin Ichthyosaur State Park, Nevada, hosts a puzzling assemblage of at least 9 huge (≤14 m) juxtaposed ichthyosaurs (Shonisaurus popularis). Shonisaurs were cephalopod eating predators comparable to sperm whales (Physeter). Hypotheses presented to explain the apparent mass mortality at the site have included: tidal flat stranding, sudden burial by slope failure, and phytotoxin poisoning. Citing the wackestone matrix, J. A. Holger argued convincingly for a deeper water setting, but her phytotoxicity hypothesis cannot explain how so many came to rest at virtually the same spot. Skeletal articulation indicates that animals were deposited on the sea floor shortly after death. Currents or other factors placed them in a north south orientation. Adjacent skeletons display different taphonomic histories and degrees of disarticulation, ruling out catastrophic mass death, but allowing a scenario in which dead ichthyosaurs were sequentially transported to a sea floor midden. We hypothesize that the shonisaurs were killed and carried to the site by an enormous Triassic cephalopod, a “kraken,” with estimated length of approximately 30 m, twice that of the modern Colossal Squid Mesonychoteuthis. In this scenario, shonisaurs were ambushed by a Triassic kraken, drowned, and dumped on a midden like that of a modern octopus. Where vertebrae in the assemblage are disarticulated, disks are arranged in curious linear patterns with almost geometric regularity. Close fitting due to spinal ligament contraction is disproved by the juxtaposition of different-sized vertebrae from different parts of the vertebral column. The proposed Triassic kraken, which could have been the most intelligent invertebrate ever, arranged the vertebral discs in biserial patterns, with individual pieces nesting in a fitted fashion as if they were part of a puzzle. 
The arranged vertebrae resemble the pattern of sucker discs on a cephalopod tentacle, with each amphicoelous vertebra strongly resembling a coleoid sucker. Thus the tessellated vertebral disc pavement may represent the earliest known self portrait. The submarine contest between cephalopods and seagoing tetrapods has a long history. A Triassic kraken would have posed a deadly risk for shonisaurs as they dove in pursuit of their smaller cephalopod prey.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Read my blog posting guidelines here.

Posted on November 1, 2019 at 4:12 PM • 91 Comments


vas pup November 1, 2019 5:01 PM

Why passwords don’t work, and what will replace them

“Is biometrics going to replace passwords? No, a combination of factors is going to replace passwords, we are and we should be moving toward this,” says Ali Niknam, chief executive of Bunq, a mobile banking service.

“Yet there is a risk that this sort of multi-factor authentication, while secure, will make the authentication process even more opaque. If you don’t know what is being used to identify you online, how can you protect that information?”

vas pup November 1, 2019 5:08 PM

On the inside of a hacking catastrophe:

“However, Mr Rimmer believes that companies should not only focus on the financial consequences of breaches, and instead consider the human impact.

“Equifax spent millions responding to the breach, but that turned into people from the security team working overtime, on 36 hour shifts, and that’s the hidden cost of the breach that no one has gotten near to quantifying so far,” he says.

According to Simon Ashton, a business psychologist working at Phoenix Leaders, employers should provide adequate training to ensure that their staff feel confident in their skills and abilities to deal with the scenario by using role-playing data breach simulations.”

vas pup November 1, 2019 5:19 PM

Russia’s internet law a ‘new level’ of censorship: RSF

“Technical problems

An additional feature of the law is the creation of an independent Russian Domain Name System (DNS) that goes into effect in January 2021. The DNS means that Russian users will no longer determine what website they are sent to when they enter an address. The state will thus be able to direct them to fake websites or to none at all.”

SpaceLifeForm November 1, 2019 8:51 PM

@vas pup


Did you spot the insecure protocol dependency?

Do you think that issue does not exist outside of Russia?

Clive Robinson November 1, 2019 9:16 PM

@ Vas Pup, SpaceLifeForm,

Russia’s internet law a ‘new level’ of censorship

The Russians having their own DNS has been known to be an ambition of theirs for quite some years now. Back half a decade ago at the UN ITU meeting in Doha, Russia and several other nations not just proposed but actually voted on splitting up the Internet along not just DNS but various other infrastructure services. That is, they wanted to be in control of what they saw as an internal jurisdiction.

The US barely kept control, and that is the real underlying issue: “The US controls the Internet”, thus they get certain advantages, especially in the surveillance and “record it all” policy.

I’m really surprised it’s taken them so long to make what is in effect a moderately small change.

Oh and don’t forget that DNS is a convenience rather than a necessity. Thus the Russians could change even more basic rules like IP addressing…

stine November 1, 2019 11:44 PM

Re: Oh and don’t forget that DNS is a convenience rather than a necessity. Thus the Russians could change even more basic rules like IP addressing…

That’s no longer correct. With the advent of services like Cloudflare, Incapsula, Dyn (Oracle), etc, you can no longer connect to services by IP address (v4 or v6). You can still maintain your own hosts file but it’s even more of a pain to keep accurate.

Q November 2, 2019 12:23 AM

vas pup wrote: An additional feature of the law is the creation of an independent Russian Domain Name System (DNS) that goes into effect in January 2021. The DNS means that Russian users will no longer determine what website they are sent to when they enter an address. The state will thus be able to direct them to fake websites or to none at all.

With DNS-over-HTTPS it would be trivial to ignore any ISP’s DNS servers and instead choose the service you mistrust the least.

Frankly November 2, 2019 6:56 AM

The high megapixel sensor gives the camera 50x zoom capability without a zoom lens. See the brief zoom video at the link. This opens up new types of security problems.

Remember the recent story of the stalker who found a woman by analyzing the reflection in the pupil of her eye? It takes high resolution to do that. Similarly, someone could take photos — or just examine available high megapixel photos online — and find information that no one intended to provide.

Tatütata November 2, 2019 7:42 AM

Alexa, did he do it? Smart device could be witness in suspicious Florida death

Next stop: TLAs start whining about lack of access to smart assistants.

A few “Smart assistant” drawings by German cartoonist Perscheid

… three tenants died in Fulda, after their smart home locked all doors and windows and cranked up the heating to 70 Celsius

Mary had a little laaaaam…

– Alexa, pay your taxes!
– No way.

– Alexa, order sliced bread!
– You’re talking to a can of tuna.

No caption

tds November 2, 2019 9:29 AM

Regarding Macro Security (like Macro Economics as opposed to Micro Economics)

tl;dr audio (38:01); transcript available

“Legendary linguist, activist, and political theorist Noam Chomsky has been speaking out against U.S. interventionism from Vietnam to Latin America to the Middle East since the 1960s. He’s the most cited author alive, but you won’t see him on the nightly news or in the pages of most major newspapers. On this week’s Deconstructed, Chomsky sits down with Mehdi Hasan to discuss the impeachment inquiry against President Donald Trump, the 2020 Democratic field, and why he opposed Trump’s Syria troop withdrawal.”

Jon November 2, 2019 12:19 PM

@ Frankly :

Remember the recent story of the stalker who claimed he found a woman by analyzing the reflection in the pupil of her eye?

Or he just happened to see her on a bus one day and followed her home. Which do you think is more likely?


Think November 2, 2019 12:25 PM

Closed societies where your behavior and eventually your very thoughts must conform to a ‘mandate from heaven’ will foster greater advances in cryptography and secrecy than an open democratic society. Only the threat of WW II caused us to change our thinking. Even today, most Americans are oblivious to the realities many societies in the rest of the world must face on a daily basis.

Most of us are individuals first and members of a group second. If your group of individuals fall from heaven’s mandate will you be like ronin without a master and kill yourselves or will you fight for your right to exist? Hong Kong is fighting now, China has wisely decided to take the long view. Target the children –

Re: NSO ….

After the murder in the Turkish consulate, perhaps these people – reporters and dissidents on the side of democracy and freedom ‘being spied on’ are being watched and helped by the only people on Earth who can protect them and their individual voices standing against tyranny.

gordo November 2, 2019 12:45 PM

With Little Fanfare, William Barr Formally Announces Orwellian Pre-Crime Program
A recent memorandum authored by Attorney General William Barr announced a new “pre-crime” program inspired by “War on Terror” tactics and is set to be implemented next year.
by Whitney Webb, October 25, 2019

It is important to point out that such initiatives, whether HARPA or Barr’s newly announced program, are likely to define “mental illness” to include some political beliefs, given that the FBI recently stated in an internal memo that “conspiracy theories” were motivating some domestic terror threats and a series of questionable academic studies have sought to link “conspiracy theorists” to mental illnesses. Thus, the Department of Justice and “mental health professionals” have essentially already defined those who express disbelief in official government narratives as both a terror threat and mentally ill — and thus worthy of special attention from pre-crime programs.

This does not bode well for mainstream media. /s

Sherman Jay November 2, 2019 1:34 PM

Thanks for posting that link, Chomsky is one of the most articulate speakers in the world on our societal and technical (in)security issues.

SpaceLifeForm November 2, 2019 1:42 PM


“With DNS-over-HTTPS it would be trivial to ignore any ISP’s DNS servers and instead choose the service you mistrust the least.”

LOL the mistrust point.

And, actually, not trivial.

There is the chicken-egg problem.

The user will need a list of ip addresses of servers that support DoH.

The client-side must be able to interoperate with a DoH server via ip address.

The client can NOT obtain the ip address(es) of DoH servers VIA traditional DNS Lookup.

Just like the root DNS servers have to be known via ip address.

There are plenty of other issues.

It could potentially help, iff most webservers supported DoH internally in the server code.

Then, users could just RANDOMLY do lookups to already known (to client) webserver ip addresses.

But web admins will not want to support recursive dns lookups on their https server for a user that wants to go to another site, because it will waste resources.

Bandwidth, memory tied up due to longer lived sockets becomes an issue unless they are big and can cache well.

Big, can cache, and can scale well, is the opposite of RANDOM.

If few support DoH, then that becomes a concentrated collection point.

I think you are better off to run your own recursive resolver in the first place, but if one does not have the tech chops for that, then let your local ISP do it.

It’s not like your local ISP can’t see it anyway. Remember, it’s not encrypted.

But, it may be better that way, than using DoH, which may make information collection easier for big players.

But, you still have the chicken-egg problem.

How do you even get that first server ip address?

That is why the root.hints file exists for traditional DNS.

But, how would one get their first ip address for a server that supports DoH?

Sure, you just remember or and maybe it will fly.

But, I want more DoH servers than big players.

I’ll say NO to DoH.

Sherman Jay November 2, 2019 1:42 PM

I hear from some tech acquaintances in university settings that the ‘pre-crime’ technology will be working to include analyzing facial expressions for signs of anger and terrorism, tracking people’s movements to see if they are frequenting ‘dangerous’ locations, analyzing voice audio also for signs of lying and deception regarding ‘dangerous activities and attitudes’ that might presage a proclivity to terrorist acts. Thought Police anyone? I guess we should now admit that George Orwell was an optimist.

A few years ago I would have thought that incredibly ‘far fetched’. In today’s world, I would not be surprised if it were true. Scary!

Alyer Babtu November 2, 2019 2:19 PM

From various commercial websites today, getting certificate errors related to tapad and also from btttag dot com. Tapad by Wikipedia is a web visitor fingerprint service and btttag seems to be similar.

Wouldn’t have known about these apparently ubiquitous agents if not for the certificate process raising an error message. And so by indirection do we find direction out !

1&1~=Umm November 2, 2019 2:26 PM


“China has wisely decided to take the long view. Target the children”

Brainwashing children in their very young formative years has previously been the hallmark of many religious organisations…

Either way, this sort of behaviour has also been an effectively deployed method in cults.

jer November 2, 2019 3:34 PM

@SpaceLifeForm: The chicken and egg problem was preemptively resolved years ago, as anyone who took an interest or does now will easily remember the usual IP addresses;, and so on. And as for web only use (not system-wide or site-wide), the web browsers that support DoH will have (and already do have) such IP addresses hard-coded.

jer November 2, 2019 3:41 PM

@tds: On a possibly off topic side note, being of a philosophical mind myself, “[Noam Chomsky is] the most cited author alive” piqued my interest. A quick Google search reveals this is not the only mention of that factoid on the wider Internet. And indeed, actual research[0] puts him at the 120th position in that regard, with Michel Foucault leading the field by a fair margin and various other philosophers beating Chomsky with ease.


vas pup November 2, 2019 4:06 PM

@SpaceLifeForm asked:
“Do you think that issue does not exist outside of Russia?”
I guess that issue exists in all Five Eyes countries, China, you name it.

My point: it is just a tool and is used by the same structures in all those countries listed above. I guess the difference is only in the level of interference/control. Like plumbers use the same tools in almost all countries regardless.

SpaceLifeForm November 2, 2019 4:11 PM


I appreciate that you made my point very clearly.


You do NOT get it.

SpaceLifeForm November 2, 2019 4:25 PM

@Alyer Babtu

I noted the cert problem over a week ago.

Even on this site. And others.

There are downgrade attacks happening, randomly.

May depend upon TOD and route.

It is BETA testing.

RSA is pwned.

Everyone needs to move to the curve.

vas pup November 2, 2019 4:38 PM

@gordo and @Sherman Jay
Thank you for the invaluable link and input provided.

I saw a documentary, “Pre-Crime”, a couple of years ago. It was about technology used to assess the probability of involvement in crime (Chicago) based on several parameters, but not mental health at all.
One person who had been assessed by the pre-crime prediction system as high risk agreed to be filmed. A police officer contacted him and explained that he should be careful not to be involved in criminal activity because he had been specified as high risk, and was kind of on a watch list, but no preventive arrests or incarcerations were made.

I guess that pre-crime activity on the side of the DOJ and US AG has good intentions, i.e. to become proactive in fighting mass killings rather than reactive. But the devil is, as usual, in the details.
Mental health diagnosis is based on DSM-V and ICD-10/11 – those are the ‘Bibles’ for psychiatric evaluation and diagnosis.

The problem is that violence and mental health are rather orthogonal features. Moreover, the key in mass shootings is to separate violence as a manifestation of a major psychiatric disorder from violence as a behavioral pattern of a personality disorder. Those are separate clusters for analysis, training AI, etc.

Do you remember “A Beautiful Mind”? He had schizophrenia, but was not violent at all. So there is no one-to-one relationship between mental health issues and violence. The combination of both is dangerous.

The number of mass shootings, at least for now, could not provide a sufficient database of cases to reliably train an AI algorithm to generate analytics with a high level of prediction.

But HARPA could be the first step on this very long path.

Until reliable tools are developed, any preventive measures have a high potential for intentional or unintentional misuse and human rights violations.

SpaceLifeForm November 2, 2019 4:47 PM

@vas pup

“Like plumbers used the same tools in almost all countries regardless.”

Sure smells like DNS through the UDP Sewer Pipe.

Check White House Plumbers, just to be sure.

Sherman Jay November 2, 2019 5:08 PM

@SpaceLifeForm, @Alyer Babtu,

When I run a diagnostic version of Linux from optical disc and do not set the time correctly when booting, some browsers display ‘SSL certificate’ errors. When looking into it I find that just setting the locale, time zone and clock correctly makes the errors go away and the sites display properly. I don’t know if this is related to the ‘certificate’ errors being reported here or not. I just wanted to let you know in case it leads to solving the problem.

Thanks for the ClamAV heads up. I use it rarely, but that’s something that all Linux users should be aware of. Hope they get it fixed soon.

p.s. I’m one of those 3 Linux desktop users, LOL

SpaceLifeForm November 2, 2019 5:27 PM

@vas pup

“Until reliable tools are developed, any preventive measures have a high potential for intentional or unintentional misuse and human rights violations.”

Yep. There are no reliable tools.

Same issue as trying to measure cyber insecurity.

The only security that ultimately exists, is for people to wake up, smell the roses, and actually communicate with their neighbors.

SpaceLifeForm November 2, 2019 6:10 PM

@Sherman Jay

Very interesting. Timezone, Locale, Clock.

Very, very interesting.

I INTENTIONALLY do not make those correct.

And, as you may have read recently, I have encountered cert errors.

To me, that is more evidence that RSA is pwned.

There is minimal reason that Certificate Validity should depend upon TZ or Locale.

Within reasonable bounds, Clock may matter from an expiration standpoint,

Unless the Certificate changes really fast based upon ip address and/or route.

Which is probably what is really going on.

Sherman Jay November 2, 2019 6:44 PM


I found that some of the errors were complaints that the cert was considered invalid since the clock and/or time zone was set to the future or the distant past. Certs have specific date ranges of validity. I’ve even visited some sites I know are reputable where they let their SSL cert. expire by a few days/weeks.

Also, in their settings or preferences, some browsers (palemoon, seamonkey, etc.) allow you to select which versions of SSL certs are considered valid. Also, some versions of browsers I use to test will complain if the SSL agency is not a major recognized one or if the site is self-certifying. This Schneier site has a cert from Sectigo Ltd. I’ve never heard of them, but I’ve never had a cert. error visiting here. I’m sure Bruce knows what he is doing!

Commercial sites are getting to be such bloatware with tons of third-party frames, ads and items, it might be that some ‘questionable’ third-party elements on a site are causing the problem.

good luck in finding what’s going on.
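The clock-dependence described in the two comments above (a certificate is only valid between its NotBefore and NotAfter dates, so a machine whose clock is set to the distant past or future fails validation even though the certificate itself is fine) can be reproduced offline. The following Go program is an added example, not code from this thread or from any browser: it builds a constructed self-signed test certificate for the made-up name `example.test` with a three-month validity window, then runs the standard library's chain verification with the clock pinned to different instants and classifies the result. The helper names `makeSelfSigned`, `CheckAt` and the `Verdict` values are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// makeSelfSigned builds a constructed self-signed test certificate for
// "example.test" valid over [notBefore, notAfter]. It stands in for a
// site's real certificate; nothing here comes from a real CA.
func makeSelfSigned(notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example.test"},
		DNSNames:              []string{"example.test"},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true, // self-signed, so it is its own trust anchor
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Verdict is what a browser-style validity check concludes for a given clock.
type Verdict string

const (
	Valid      Verdict = "valid"
	NotYet     Verdict = "clock is before NotBefore (clock set in the past?)"
	Expired    Verdict = "clock is after NotAfter (expired, or clock set in the future?)"
	OtherError Verdict = "other chain error"
)

// CheckAt runs the standard chain verification as if the local clock read
// `now`. Go reports both "too early" and "too late" as x509.Expired, so a
// window failure is classified by comparing `now` with the cert's own dates.
func CheckAt(cert *x509.Certificate, roots *x509.CertPool, now time.Time) Verdict {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		DNSName:     "example.test",
		CurrentTime: now,
	})
	if err == nil {
		return Valid
	}
	var inv x509.CertificateInvalidError
	if errors.As(err, &inv) && inv.Reason == x509.Expired {
		if now.Before(cert.NotBefore) {
			return NotYet
		}
		return Expired
	}
	return OtherError
}

func main() {
	// Constructed validity window: 1 Nov 2019 for three months.
	nb := time.Date(2019, 11, 1, 0, 0, 0, 0, time.UTC)
	na := nb.AddDate(0, 3, 0)
	cert, err := makeSelfSigned(nb, na)
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	// The same certificate, seen from three different local clocks.
	for _, clock := range []time.Time{nb.AddDate(-1, 0, 0), nb.AddDate(0, 1, 0), na.AddDate(1, 0, 0)} {
		fmt.Printf("clock %s -> %s\n", clock.Format("2006-01-02"), CheckAt(cert, roots, clock))
	}
}
```

The point for a defender triaging "random" certificate errors is in the classification step: a wrong clock and a genuinely expired certificate surface as the same error class, so the first diagnostic is to compare the machine's time with the certificate's printed validity window before suspecting anything about the cryptography.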

Sancho_P November 2, 2019 6:53 PM

Re “pre-crime” detection

Yes, mentally ill does not mean violent or mass shooter, see the AG.
What would they (or who?) do with the “pre-crime” mentally ill flagged?
– Give them a hand, let them attack, to be awarded after the conviction?
– Convict them without any deed?

Security isn’t absolute. Enter a car – there may be an accident.
Sell automatic guns – there may be a mass shooting.

The whole thing is a smokescreen for the incompetence of our justice system (or our social system, if you prefer):

Several lists of dangerous people are already full.
Before searching for more, they should find a way how to proceed with the known ones.
No, these cowards do not engage them, they clandestinely keep them on lists.

Domestic violence, is it known in the US? Wouldn’t that be worth a program to “protect the children”?

Sancho_P November 2, 2019 6:56 PM

@Sherman Jay, SpaceLifeForm, Alyer Babtu

I’m on a Mac with an outdated Safari browser, but a correct time setting, getting cert errors on a daily basis (1 – 2). With “Show Details” it immediately states “cert is valid”, and I can’t find any errors.
I don’t recall having seen that until about 2 (3?) years ago.
Probably we shouldn’t overestimate the validity of the system behind certs?

Who? November 2, 2019 7:07 PM

@ vas pup

I am far from being an expert on this area, but disconnecting parts of the Internet would be much easier at the BGP level than at the DNS one.

I can hardly guess how effective a combination of Tor and VPNs would be against this blockage. Time will tell, I think.

Who? November 2, 2019 7:16 PM

@ Sancho_P

Hard to say from your description, but I would look at expired root certificates stored on your outdated browser.

Perhaps you should consider running a virtual machine with a lightweight BSD on your Mac for browsing and other Internet-related activities if preserving OS X on your Mac is a requirement or, even better, replacing OS X with an updated BSD or Linux on it.

MarkH November 2, 2019 7:55 PM


Thanks for the citation ranking list. Perhaps it would delight Chomsky to know that he outranks his hero, Karl Marx.

Clive Robinson November 2, 2019 8:22 PM

@ vas pup,

The problem is that violence and mental health are rather orthogonal features.

It’s a bit more complicated than that.

Obviously the use of violence by any individual at any one occasion is based on their mental state at the time, which in turn is based on “immediate environmental factors”, brain chemistry at the time and the underlying physical/chemical structure of the brain.

Further there is little doubt that you can fairly easily be taught to be not just violent but a killer even a mass killer without any immediate mental reservation (think of the military etc).

Nearly all –but not all– of us have a built in “fight or flight” mechanism. Likewise a significantly large percentage have an as yet poorly understood reasoning system that gives rise to an implicit “risk or reward” process that is so multifaceted that it works in an almost incomprehensible way.

But we also know through work involving NFL players that even low levels of physical trauma, if repeated, cause insults to the brain that cause massive mood and behaviour swings but are not currently viewable except at autopsy by specialised testing. Likewise more serious levels of physical trauma need less repeating. Till we get to the point where just a single physical trauma that renders a person unconscious may be sufficient to cause massive changes in mood and behaviour that become a new state of being.

Which raises a whole series of philosophical questions about responsibility. For instance,

If you are in, say, your mid to late 20’s in a taxi that gets t-boned at a junction and you suffer sideways whiplash and unconsciousness – is that your fault, and if so why?

If as a result of that physical event you suffer a personality change – is that your fault, and if so why?

Further if as a result of that personality change you have difficulty controlling certain emotions and actions – is that your fault, and if so why?

Thus if you end up having a violent physical outburst – is that your fault, and if so why?

The US has over 30,000 road deaths a year due to impacts, which means the actual number of survivors of impacts must be considerably higher. How many are there? And of those how many are potentially more prone to violence afterwards?

On the “pre-crime” argument they would all need to be subject to more restrictions on their personal freedoms as “pre-criminals” just as convicted criminals are…

Oh and it’s not just repeated physical insults to the brain that cause problems… For some reason we currently find it more acceptable that repeated emotional insults to the brain can cause such changes, such as in “spousal abuse”…

Are all people thus abused also “pre-criminals”?

What about those bullied at school?

The simple fact is physical and mental abuse from a person’s environment shapes them, and some are more susceptible to these environmental factors than others and we don’t know why. Thus we tend to lift the corner of the rug marked PTSD and sweep them under.

In reality few ever go on to become violent, and even fewer dangerously so. By the logic of “pre-crime” everyone who has had a brain insult, be it physical or mental, becomes a “pre-criminal” and has a label tied around their neck like a collar on a dog, or a ring through a bull’s nose.

The minute you have such labels history teaches us you become subject to discrimination, which just adds further insults to a damaged brain. Thus you get an abusive process that can only make things worse. In effect a self fulfilling downward spiral…

Great if you are of a particular political mindset (Mr Barr for instance) or part of a group that almost always exists around such discrimination processes and profits by it. Bad if you are a normal tax paying citizen.

At the very least “pre-crime” is going to be “more harmful than helpful” and it’s time people woke up to reality. No computer algorithm is going to be any better than human judgment and no less susceptible to bias, when it comes to future events we can not know, therefore we can not stop, and any attempt to do so is a waste of resources as it’s actually a “faux market”.

Clive Robinson November 3, 2019 12:37 AM

@ jer, SpaceLifeForm, All,

The chicken and egg problem was preemptively resolved years ago, as anyone who took an interest

The “establishment / first contact / rendezvous / etc in a hostile environment” problem is one that exists in all communications systems, including those in the real world. And it’s one of those problems that feels like “turtles all the way down” sometimes.

But that’s not the actual problem, the real problem is when you are in a hostile environment you can not trust anything beyond what you can establish and verify. Which to all intents and purposes means the equivalent of your “front door” or “garden gate”.

With the internet or any digital communications the equivalent is the last point you can verify as working correctly in the communications path, which by tradition is the “customer side of the demarc”. Or in practical terms up to the Local Area Network (LAN) plug on the gateway router, or for the lucky few with the right equipment the Wide Area Network (WAN) plug, after that it’s all hostile territory. Which is why I tend to talk about the fact you can not verify the first upstream router of your ISP, which in most cases would be the one in your home…

Now in the majority of cases neither the LAN nor the WAN are “IP networks”, they are networks like ethernet, ATM, ISDN, etc etc. Many of these lower level protocols especially on the WAN side are routable. So whilst you think you are pinging etc you could be communicating with anything as it’s all down to what goes into the translation table that maps out the lower level protocol routing.

Thus if in a Russian controlled WAN you will go to “The Russian /” not Google’s, and there is nothing you can do to stop that other than layer on your own “network protocol” that you can authenticate is talking to a server that is not in any Russian controlled WAN space.

The general way to do this is with a known Public Key cert and strong symmetric crypto.

But that “chicken and egg” problem is still there with knowing what the valid PubKey Cert is.

Yes you can build in the PubKey cert into the browser but how does an end user know that the installed software has not been tampered with? Which means the “chicken and egg” has been moved yet again not solved. Which is why I said it feels like a “turtles all the way down” problem.

That is,

    Whatever you do you will have a “chicken and egg” problem of one form or another.

It’s something most protocol designers never talk about, because it’s “a rabbit hole” problem.

JF November 3, 2019 6:34 AM

An article of some interest:

“In this presidency, convenience tops security. The president has persisted in using insecure cellphones despite being warned the Russians are listening in.”

Perhaps it is not convenience, rather, an effort to be transparent.

There is a fair amount to chew on in the remainder of the article.

gordo November 3, 2019 7:22 AM

@ Sherman Jay,

‘pre-crime’ technology will be working

Yes. I imagine that Palantir and other like-minded organizations could incorporate Fitbit and other real-time data into fusion-center feeds, etc., rather easily. You’re only as good as your algorithm. 😉

gordo November 3, 2019 8:36 AM

@ Sancho_P,

Several lists of dangerous people are already full.

This new list would be dual use: People who believe, have or hold conspiracy theories, but are also pseudo scientifically susceptible to entrapment via ginned-up conspiracy plots.

vas pup November 3, 2019 11:06 AM

@all and @Bruce:
Do you know what is the meaning of the post by @Homer Jay?
If that is not within policy, it should be deleted.

Clive Robinson November 3, 2019 1:31 PM

@ gordo, Sancho_P,

This new list would be dual use: People who believe, have or hold conspiracy theories, but are also pseudo scientifically susceptible to entrapment via ginned-up conspiracy plots.

It’s not as though we have not seen entrapment by the FBI, et al, of people of low IQ or other issues such as minor mental or physical health issues already.

We know that they get “third party” “agent provocateurs” to feed them, clothe them, drive them to medical appointments, faux befriend them, all the while separating them from other people and increasing the person’s paranoia. Until they give them money and faked up arms dealers to spend it with, help them build a phoney bomb and then, having spent the proverbial 23 hours and 59 minutes controlling their almost every move, thought and action, sweep in at the last moment to a blaze of news spotlights etc etc.

Heck they got so obvious at it they had to stop as even the usually gullible MSM started to smell a rotting rodent…

The result, the more I hear about the FBI and their “big cases” the more I look for a “fall guy”… Especially if it’s ICT or drug or terrorism related.

But the fact that, like a number of US Journalists, I smell a large rotting rodent too, probably qualifies me in their eyes as being a few breakfasts less than a jumbo box of fruit loops…[1]

As Douglas Adams once so delightfully put it,

    Slartibartfast: Ah, no, well, yeah, no. That’s what they wanted you to think, but you were actually elements in their computer program.
    Arthur: Actually, this explains a lot. All my life I’ve had this strange feeling there’s something big and sinister going on in the world.
    Slartibartfast: No, that’s normal paranoia. Everyone in the universe gets that…

The trouble is there is no “Earth 2.0” so we need to take a little care of 1.0 so we can get a few more miles on the clock, but apparently “We are not destroying the environment” or as the old T-Shirt had it nor are we about to “Nuke the gay whales”. I guess at least one of them might be right 😉

[1] I hope they are not listening in to the very few phone calls I make… Because they are so dull it would probably bore them to death, and that’s probably one of those secret crimes in the PATRIOT act =( I guess not only are you not allowed to lie to the FBI, you are probably not allowed to make them yawn at work either. As for looking stupid… What do they call it, “Special Administrative Measures”[2] via some deep hole in the ground somewhere,

    That there’s some corner of a foreign field that is for ever England. There shall be in that rich earth a richer dust concealed
    A pulse in the eternal mind, no less, gives somewhere back the thoughts by England given; Her sights and sounds; dreams happy as her day; And laughter, learnt of friends; and gentleness, in hearts at peace, under an English heaven.

From “The Soldier” by Rupert Brooke.

[2] You can read more about Special Administrative Measures from the lawyers who have had clients put under them and the researchers investigating,

Clive Robinson November 3, 2019 1:56 PM

@ Bruce and the usual suspects,

This article discusses what is going on in the UN with regards Cyber-Security.

It raises the point that contrary to what several Five-Eyes etc countries say, the general feeling is that current international law applies (which if held to be true will invalidate existing national legislation in several Five-Eyes countries).

Likewise many do not hold with the idea of nations getting inside other nations’ networks and claiming some form of “self defence” reasoning.

Depending on your interests it’s an interesting read,

Alyer Babtu November 3, 2019 4:01 PM

@SpaceLifeForm @Sherman Jay @Sancho_P et al

Thanks, all, for commentary.

Connecting today to the site that uses the fingerprinting “pixel dot tapad” gives no error. Still get error on the site using “d dot btttag” . I was careless calling this one a cert error. The message actually says “error 303”. In both cases it was/is elements on the sites not the sites themselves giving rise to the issues.

Perhaps @Sherman Jay is correct in suggesting that these are an instance of

bloatware with tons of third-party frames

Used to track site visitors, and subject, like everything, to human (in this case administrative) error.

TRX November 3, 2019 5:05 PM

Tapad by Wikipedia is a web visitor fingerprint service

Wikipedia’s own entry:

Tapad Inc. is a venture-funded startup company that develops and markets software and services for cross-device advertising and content delivery. It uses algorithms to analyze internet and device data and predict whether two or more devices are owned by the same person.

That is, dirtbag spyware. Now in my block list.

SpaceLifeForm November 3, 2019 5:48 PM

@Sherman Jay

“Commercial sites are getting to be such bloatware with tons of third-party frames, ads and items, it might be that some ‘questionable’ third-party elements on a site are causing the problem.”

Think about that. This is a decades old problem.

In the olden daze, when most websites were pure http, then it was simple to have malicious ads.

And MITM injection was simple too.

If there are third-party issues, then how can a particular website, that allegedly has control of their certificate, that is using TLS, allow any third-party in?

The ads come from somewhere.

How do the ads get into the website https stream?

Does the website pull in a pool of ads securely from an external source, and RANDOMLY incorporate into the https stream?

Does the website owner vet the ads for malicious Javascript? Recall Flash ads.

Or does the advertiser really have access to the web server?

Are we really sure that injection, even under https, is not happening?

SpaceLifeForm November 3, 2019 6:43 PM


Yes, disconnecting via BGP is easy.

This is likely about ‘tracking’.

I.e., it is more important to track than to block.

Sherman Jay November 3, 2019 10:20 PM

‘How do the ads get into the website https stream?’

Excellent questions! I am not familiar with the latest/greatest website creation tools. I still write html in Leafpad or Notepad and create a few simple scripts.

I suspect that most website owners (unlikely they are webmasters/coders) don’t want their reputation ruined by 3rd party malefactors. However, to ‘monetize’ their sites it is quite likely they give up some or a lot of control over what 3rd parties load on the pages. I’ve seen some obnoxious ads obviously intended to be consistent with the topic of the page that were completely inappropriate. I think (but don’t know for sure) that many of the site owners are ‘renting space’ to the advertisers who put whatever they want in their rented page frames.

And, I’ve seen that even u.s. government sites incorporate completely unnecessary ‘g00gle fonts’ and ‘fakebook’ tracking elements. And, privacy badger (a tool from the Electronic Freedom Foundation) reports that almost all have many spyware and or tracking features that load.

I found a site called getsafeonline and privacy badger showed it had 7 elements on it that tracked people!

lurker November 4, 2019 1:22 AM

@ Alyer Babtu et al: bloatware with tons of third-party frames
Used to track site visitors…

So I suppose it’s CYA on the GDPR that is causing every site I visit lately to have a honking great notice covering a significant amount of the real content, warning|advising me about cookies[1], and with a nice place to click to make it go away so I can read the actual content. One day I’ll overcome my laziness and look at the source of some of those, but I’ve been trying to click on as few as possible, since a click might count me as target for some unknown future action…

[1] My cookie settings are for all cookies to be purged when browser quits, which might be a dozen times a day. I’ve always said if they want to track me let them do the work; server-side cookies?

Anders November 4, 2019 2:45 AM


One way the ads get into https:

(But you for SURE already know this 🙂 )

Alejandro November 4, 2019 5:46 AM

I admit the constant surveillance and intense data mining is starting to wear me out.

A store I go to wants you to regurgitate your phone number if you pay with more than $40 in cash. They say they have a problem with counterfeiters. I just say, anymore, “I don’t do that” and give them the choice to complete the sale, or not. Of course, they always do.

Amazon badly wants my tx to enroll me in their two factor login which I absolutely refuse to do. They say the only way I can avoid giving them my tx is to CALL customer service!!! Grrrrr.

BTW, it’s clear to me 2 factor is simply a way to mine more personal identification data and track our location. Major theft of user data is done at the company server level at which time the thieves get ALL your data…including that 2 factor email and phone number not to mention credit card, etc.

Sometimes websites have as many as a hundred trackers and ad sites piggy backing the more popular websites. Of course, google, FB, Twitter is everywhere for no reason at all I am aware of, except to track us.

I returned a bottle of nose spray to Walgreens the other day, impossible to open by a mere human. They wanted to scan my drivers license because of course anyone who returns something is a suspected thief. I told them I would not comply and I am not a crook. After a big commotion they gave me my $8 bucks back, without a drivers license.

Walmart has started searching packages and demanding receipts again…if something you bought is too big to be put in the tiny bags they provide…. As soon as you clear the register area, I am talking three feet.

On and on and on…every day….every where….

Anders November 4, 2019 10:02 AM

Today Tartu University’s cyber security team faked our president’s digital signature timestamp; they changed the time when it was signed to a later time.

News in Estonian (use google translate) + video.

This brings along a very interesting legal dilemma. In Estonia a digital signature is equal to a handwritten one and bears the same legal consequences.

SpaceLifeForm November 4, 2019 12:50 PM


The Ars link is talking about DPI, where DPI means Deep Packet Inspection.

Not Deep Packet Injection.

If a reputable website is actually serving malware, then there is a problem.

All Your Base^W TCP Sockets Are Belong to Us

jer November 4, 2019 2:03 PM

@SpaceLifeForm: Hard-coded defaults might work, or otherwise a local reconfiguration. But what is your point here: that DoH is defeated by default if the IP address is rerouted? In that case a web browser would likely fail a TLS certificate check and should present a message to the user declaring their security has (already) been compromised. Or do you suggest that the rerouted DNS resolver serves a fake certificate, too? The downloaded web browser package might already circumvent that, too. Downloading a suitable web browser package might be a problem for the very reasons you pointed out, but subversives can find ways around that, too. If there are intrinsic problems in the entire setup I would really like to know.

Instead of dismissing DoH on theoretically plausible flaws alone, I think we ought to be discussing its merits, too.

Passing by November 4, 2019 2:31 PM

Two detailed articles with insider ‘behind the scenes’ insight.

Reading the links themselves reveal the context.

The first has some technical information about the D Notice scenario played out by, who Clive Robinson fondly refers to as Tweedledum and Tweedledee

Clive Robinson November 4, 2019 4:22 PM

@ Passing by,

Thanks for the “by line” 🙂

I spoke to @gordo yesterday about the base subject matter you cover, however as with the spoken word things can be ephemeral.

gordo November 4, 2019 4:56 PM

@ Passing by, @ Clive Robinson,

Transparency, in the age of collect it all, makes coverups all the more glaring.

SpaceLifeForm November 4, 2019 5:11 PM

Interesting that infrared may work also


Laser-Based Audio Injection on Voice-Controllable Systems

Light Commands is a vulnerability of MEMS microphones that allows attackers to remotely inject inaudible and invisible commands into voice assistants, such as Google assistant, Amazon Alexa, Facebook Portal, and Apple Siri using light.

Clive Robinson November 4, 2019 5:16 PM

@ Anders, Bruce, ALL,

With regards the Estonian implementation of the EU required legislation the following is a bit of an “eye opener”,

Tõnu Mets and Arnis Parsovs show that the legal requirement to establish the time of signing is not met in practice. The related legal requirement that the validation of the digital signature should confirm that the certificate was valid at the time of signing is also not met.

That is a couple of real shockers.

Either would be bad enough on its own but together it’s completely disastrous.

Look at it this way you buy a house or similar on longterm finance such as a mortgage.

25 years later with your final payment you think great, time to enjoy that €1000/month instead of passing it over to the mortgage company.

You then get a letter that instead of a basic “repayment mortgage” the company has you down as having an “interest only mortgage”.

You say “no way” but they then use a long out of date, even revoked, digital signature to sign a modified document that changes the mortgage type. The second fault allows this, the first fault allows them to predate it back to the original day of signing…

Thus there is no way that you can show the digital document is not valid.

The only thing that might stop it is if you have also digitally signed the document in a correctly implemented protocol[1].

But… there is the issue of “signatures” and “hashes”: you don’t sign the document but a hash of the document, and the larger the document the less unique the signature potentially is[2].

Hashes can have faults in them that are unknown at design time[3]. Which is why NIST had a hash competition to in effect replace two generations of previous hashes that were less than 25 years old when questions got asked about their potential weaknesses in light of more modern knowledge.

So it’s fair to say that potentially any hash that has been designed, even quite recently, might over the 25 year period of a mortgage end up with “more holes than a second hand pair of string underpants”.

If that is the case then with the two faults shown, the bank only have to find one not two collisions. That is to the hash you signed of the document. Which whilst not trivial has been shown possible with some hash functions.

Whilst I’m reasonably certain someone will come up with a new algorithm or protocol to prevent the problem, it leaves the question of,

    What other vulnerabilities are there to find?

[1] I’m not going to go through it but it is possible for the document producer to structure the mechanics of the signing protocol such that your signature scope is not what it should be, nor are the other protocol protections. Thus the document remains malleable in certain ways.

[2] To see this think of a hash as an N = M[i] mod C operation where the result N is in the range 0 to C-1. N then gets put through a “one way function”, the output of which gets “chained” in some way. Thus you can see as the document gets larger the same value of N can appear over and over. Using the wrong type of chaining function –say XOR or ADD based, often used in CRCs– gives rise to weaknesses that can be exploited[3].

[3] Whilst modern hashes are designed to reduce or eliminate known problems of the above[2] type, crypto designers are not omnipotent nor do they have the ability to see into the future, thus they cannot defend –except in a general way– against future attacks. The history of the Fast Encryption Algorithm (FEAL) should be a salutary lesson in this respect.
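
The two faults quoted above (the time of signing is not established, and certificate validity is not checked at that time) can be traced in code. The following is an added example for this thread, not code from the commenter, from the Estonian signing infrastructure, or from the Mets and Parsovs paper. It is a deliberately reduced model: the signer’s “signature” and the timestamping authority’s “token” are HMACs under stand-in keys rather than public-key signatures and RFC 3161 tokens, the certificate is a three-field record rather than X.509, and all dates, document bodies and helper names are constructed. What it shows is the check that separates a verifier that trusts the time written into the document from one that evaluates certificate status at an independently timestamped moment.

```python
# Added example (not from the thread or the paper): a toy model of the two checks discussed
# above. "Signature" and "timestamp token" are HMACs under stand-in keys; real deployments use
# X.509 certificates, an RFC 3161 TSA and CRL/OCSP data. All sample data is constructed.
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

SIGNER_KEY = b"stand-in for the signer's private key"
TSA_KEY = b"stand-in for the time-stamping authority's key"


def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Certificate:
    not_before: datetime
    not_after: datetime
    revoked_at: Optional[datetime] = None  # would come from a CRL/OCSP response in practice

    def valid_at(self, t):
        if not (self.not_before <= t <= self.not_after):
            return False
        return self.revoked_at is None or t < self.revoked_at


@dataclass(frozen=True)
class Signature:
    doc_hash: bytes
    claimed_time: datetime              # whatever the signer (or a forger) wrote into the document
    sig: bytes                          # MAC over (doc_hash, claimed_time)
    tsa_time: Optional[datetime] = None  # time asserted by an independent TSA token
    tsa_token: Optional[bytes] = None   # MAC by the TSA over (doc_hash, sig, tsa_time)


def _sig(doc_hash, claimed_time):
    return hmac.new(SIGNER_KEY, doc_hash + claimed_time.isoformat().encode(), "sha256").digest()


def _token(doc_hash, sig, tsa_time):
    return hmac.new(TSA_KEY, doc_hash + sig + tsa_time.isoformat().encode(), "sha256").digest()


def sign(doc, claimed_time, tsa_time=None):
    doc_hash = hashlib.sha256(doc).digest()
    sig = _sig(doc_hash, claimed_time)
    token = _token(doc_hash, sig, tsa_time) if tsa_time is not None else None
    return Signature(doc_hash, claimed_time, sig, tsa_time, token)


def naive_verify(doc, s, cert):
    """The behaviour criticised above: trust the time written into the document."""
    doc_hash = hashlib.sha256(doc).digest()
    return hmac.compare_digest(_sig(doc_hash, s.claimed_time), s.sig) and cert.valid_at(s.claimed_time)


def strict_verify(doc, s, cert):
    """Require an independent timestamp and judge the certificate at *that* moment."""
    if s.tsa_time is None or s.tsa_token is None:
        return False
    doc_hash = hashlib.sha256(doc).digest()
    if not hmac.compare_digest(_sig(doc_hash, s.claimed_time), s.sig):
        return False
    if not hmac.compare_digest(_token(doc_hash, s.sig, s.tsa_time), s.tsa_token):
        return False
    # The signature provably existed no later than tsa_time, so the claimed time may not be
    # after it, and the certificate must have been in force and unrevoked at tsa_time.
    return s.claimed_time <= s.tsa_time and cert.valid_at(s.tsa_time)


def demo():
    # Constructed: certificate issued 1994, expired 1999, revoked mid-1996.
    cert = Certificate(utc(1994, 1, 1), utc(1999, 1, 1), revoked_at=utc(1996, 6, 1))
    original = b"repayment mortgage, 25 years"
    forged = b"interest only mortgage, 25 years"
    genuine = sign(original, utc(1994, 3, 1), tsa_time=utc(1994, 3, 1))
    # Forgery made in 2019 with the long-revoked key, claimed time backdated to 1994.
    forged_no_tsa = sign(forged, utc(1994, 3, 1))
    forged_2019_tsa = sign(forged, utc(1994, 3, 1), tsa_time=utc(2019, 11, 4))
    return {
        "naive_accepts_genuine": naive_verify(original, genuine, cert),
        "naive_accepts_forgery": naive_verify(forged, forged_no_tsa, cert),
        "strict_accepts_genuine": strict_verify(original, genuine, cert),
        "strict_accepts_forgery_no_tsa": strict_verify(forged, forged_no_tsa, cert),
        "strict_accepts_forgery_2019_tsa": strict_verify(forged, forged_2019_tsa, cert),
    }
```

The naive verifier accepts both documents because it evaluates the certificate at the backdated claimed time; the strict verifier rejects the forgery whether the forger omits a timestamp token or obtains a genuine 2019 one, since in the first case the signing time is not established and in the second the certificate was revoked by then. The model says nothing about the hash collision route in the comment; that attack defeats both verifiers by keeping the genuine signature and timestamp and swapping the document.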

SpaceLifeForm November 4, 2019 5:25 PM


Yes, it can be better than current DNS.

But, why did DNSSEC never get fully deployed?

The concern I see is the concentration of the info being collected.

Clive Robinson November 5, 2019 2:24 AM

@ SpaceLifeForm, r,

Light Commands is a vulnerability of MEMS microphones that allows attackers to remotely inject inaudible and invisible commands into voice assistants

I’m not surprised, MEMS devices have caused other problems in the past.

The most memorable being Apple users in a hospital finding their “new Apple products” not working after the NMRI techs did a large dump of helium purge,

MEMS devices are extremely small and thus have a very low thermal mass, which makes them very sensitive to very small changes in energy. A laser is, all things considered, little more than a “coherent EM energy beam”.

You will probably find that two narrow focus high frequency audio beams that have a beam crossing point focussed on a MEMS device or its housing will do the same thing (have a look at the “Mosquito” device to get a feel for the technology). If you hear either beam alone you hear just noise, if your hearing still works up to those frequencies. It’s only when you get both beams constructively interfering with each other that you hear the normal audio signal (see how the WWII German Knickebein system and its Lorenz radio beams worked[1] from the late 1930’s).

But getting back to laser beams, the US military discovered a problem with them, in that a very high energy beam focused on say tank armor had a problem. That is as it vaporized the metal the vapour would be “in the drill hole” effectively “fouling it” just as swarf can do with drills. Thus significantly limiting the power that could be used. During testing of using pulsed lasers to get around the problem they discovered that the pulsed laser would create vibrations in the armor sufficient for destructive resonance to come into play…

Thus the pulse energy gets integrated by the target, and the result is, just as with a high efficiency Class D amplifier, a very pure audio waveform appearing at the target, which in effect becomes a miniature loudspeaker.

But… as with many “transducers” such a system is bidirectional, thus with small additions to the design it would also make a quite sensitive “laser microphone”.

Thus an attacker could interact fully in speaking and listening to “Alexa and friends” and with other software do it in a voice that sounds like the actual users voice from first listening to and analysing it using the same algorithms “Alexa and friends” use…

So there’s a second paper for them to write straight off or anyone else with a quick mind and nimble fingers 😉


tds November 5, 2019 5:16 AM

@jer, MarkH or other Chomsky fans

jer wrote “On a possibly off topic side note, being of a philosophical mind myself, “[Noam Chomsky is] the most cited author alive” piqued my interest. A quick Google search reveals this is not the only mention of that factoid on the wider Internet. And indeed, actual research[0] puts him at the 120th position in that regard,”

Ok, I’ll take your word for it. IIRC, when I read ‘most cited’ my skeptical antennae went up. Anyway it’s not the first time I’ve perpetrated false, as opposed to fake, news. (See truth sandwich)

“with Michel Foucault leading the field by a fair margin and various other philosophers beating Chomsky with ease.”

About the time I learned of, and tried to read, Habermas I saw a free school talk about ‘Foucault on Love’, or something like that, was coming up.

I went, having heard of Foucault, but didn’t know what to expect. For example, like Hallmark cards?

Anyway, IIRC, there was a lot of talk about whips and chains.

truth sandwich: or alternatively “…28.html”

“A truth sandwich begins with the relevant truths, what is true about a given issue. It then says, here’s what Trump says or has done on this issue that violates those truths. Then it comes back and says the truth again, and it finishes up by saying why the difference between the truth and the lie is important.

That’s a truth sandwich.”


vas pup November 5, 2019 12:10 PM

@Clive November 3, 2019 1:56 PM
My attention was caught by such statement:
“The Australian representative expressed her concerns that a new convention would cover only certain cherry-picked areas and that overall it would bring a lower level of protection against malicious cyber activities.”

I see a broader problem when international law is utilized in a cherry-picked mode, meaning follow/apply and point to violations of international law norms when they are applied to the actions of other countries, but disregard them when acting as one’s own state. That is particularly harmful for international order and peace when the subjects of such cherry-picking are permanent members of the UN Security Council.
That creates a double standard of behavior in international relations and a very bad example for other countries to follow.

I guess a cop should be a model of a law-abiding subject to have the moral right to enforce the law on others.

vas pup November 5, 2019 12:28 PM

Police to use AI recognition drones to help find the missing

“The remotely-piloted aircraft system (RPAS) can see things we can’t to try to work out where people are.

It uses advanced cameras and neural computer networks to spot someone it is looking for – from “a speck” up to 150 meters away.

Its recognition software is compact enough to be run on a phone, with the technology learning as it goes.

“The drone itself has very special sensors on it,” said Insp Nicholas Whyte, of Police Scotland’s air support unit.

“There’s a very highly-powered optical camera which can allow us to see things quite clearly from a good height. Also, there’s a thermal imaging sensor which detects heat.”

SpaceLifeForm November 5, 2019 4:04 PM

Remember, attribution is hard. Very hard.

In a DarkUniverse, there are no ShadowBrokers.

Or shadows.

vas pup November 6, 2019 3:41 PM

Cyber-security company Trend Micro says the personal data of thousands of its customers has been exposed by a rogue member of staff.

“Trend Micro said it believed approximately 70,000 of its 12 million customers had been affected.

“It’s every security firm’s nightmare for something like this to occur,” cyber-expert and writer Graham Cluley told BBC News.

“You can have all the security in place to prevent external hackers getting in but that doesn’t stop internal staff from taking data and using it for nefarious purposes,” he said.

“If a cyber-security firm like Trend Micro can fall victim to a security breach, it can happen to any company.”

Yeah, the human is the weakest link in security.

JG4 November 7, 2019 8:14 AM

This could have fit nicely under Homemade Tempest Receiver. Been busy, or you’d hear from me sooner and more often.

DEF CON 21 – Melissa Elliott – Noise Floor Exploring Unintentional Radio Emissions

RioRand DVB-T USB Receiver & Low-Cost Software Defined Radio (SDR) – Realtek RTL2832U + Elonics FC0013-Based $13.50 + Free Shipping

as always, this is not an endorsement of Amazon, although I do like the part where they are fast and cheap

May you live in fascinating times.

Big Brother is Watching You Watch

EXCLUSIVE: This Is How the U.S. Military’s Massive Facial Recognition System Works OneZero (BC)

Former Twitter employees charged with spying for Saudi Arabia by digging into the accounts of kingdom critics Washington Post. BC:

…[an interesting analysis of policy implications]
This privatized spying model enables industry to create capabilities even more powerful than those they choose to share, or even make known to, the Government – and they are largely free to sell them to the highest bidder.

Inside the Microsoft team tracking the world’s most dangerous hackers MIT Technology Review (David L)

Matthew Brennan@mbrennanchina
Chinese facial recognition system to discourage minor traffic violations. Cross the road when you shouldn’t and a picture of you with your name, ID card number pop up on the big screen for everyone to see.

tds November 7, 2019 9:54 AM


As you may know, le Carre’s “Agent Running in the Field” mentions Estonia a lot. For example, I’m on page 31 and Estonia or Tallinn has been mentioned a half dozen times.

name.withheld.for.obvious.reasons November 11, 2019 4:15 PM

I am wondering if EFF or the ACLU have prepared to file an amicus brief for the Julian Assange case where a publisher, an award winning member of the press, is being persecuted under the espionage act. It is clearly a constitutional test of “Congress shall pass no law abridging…freedom of the press”. I see that persecution under the espionage act is a secondary, not principal, law that cannot stand. A law that is used indirectly to attack the press is the same effectually as a direct law proclaiming “The press shall be prosecuted for publishing X, Y, and/or Z.”

MarkH November 11, 2019 5:05 PM


I don’t know whether either organization has gone that far …

Perhaps the case is not yet ripe. Unless they wish to participate in the extradition proceeding now working its way in the UK court system, they will simply await its outcome.

If his extradition is blocked, there may be little or nothing for such organizations to do. If Assange is extradited, then he will appear before a US court as a defendant, and perhaps even commence other legal actions of his own.

If it comes to that, I expect that many organizations concerned with press freedom will intervene on his behalf.

It seems to me as a layperson, that he has some hope of fighting off extradition; if he’s arraigned in a US court, he’ll be facing an array of weak and dubious charges. Meanwhile, it’s a slow grinding process accompanied by disturbing reports about his health.

name.withheld.for.obvious.reasons November 11, 2019 9:35 PM


If his extradition is blocked, there may be little or nothing for such organizations to do.

I’m not confident the UK Courts, the Crown Court, will treat the legal treaties with any care or diligence. There is already proof that the UK courts are more than willing to ignore their own treaty obligations, jurisprudence, and legal efficacy.

If Assange is extradited, then he will appear before a US court as a defendant, and perhaps even commence other legal actions of his own.

No confidence here either, I’m almost certain he’d be “black sited”…or “gitmo’d”. The U.S. Justice department is no vanguard of justice, it is more an instrument of state revenge and retribution.

I appreciate your optimistic view and would happily want the best outcome that is fair and is steeped in factual honesty. But, as we humans are susceptible to both wishful and magical thinking, I must resign myself to the “ugliest” outcome. We cannot hold and honor our values and persecute those that exercise those values. Two asymmetric positions, a bifurcation of the logical domain in law, should not have a place in any justice system.

In other words; I honor your right to publish, and will exercise government constraint to quash it.

