Friday Squid Blogging: 80-Foot Steel Kraken Deliberately Sunk

The headline gives the story: “An 80-Foot Steel Kraken Will Create an Artificial Coral Reef Near the British Virgin Islands.”

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Read my blog posting guidelines here.

Posted on November 8, 2019 at 4:20 PM • 52 Comments

Comments

Bill Stout November 8, 2019 5:04 PM

If back in February you never got your SMS message from your authenticator, or paypal message, or password reset, or dinner date cancellation, and suddenly got those ghost messages last night, blame a text carrier gateway company called Syniverse. It surely would be confusing to get SMS love notes from someone you broke up with or requests from an ex-employer.

https://www.vice.com/en_us/article/8xwj9g/months-old-ghost-texts-were-sent-by-this-company-you-never-heard-of

SpaceLifeForm November 8, 2019 5:17 PM

Sorry Bruce, but this is important, so I am going to cut-and-paste some stuff before they disappear it.

This is the company that allegedly left their server dead for nine months, and why people just received messages from 2019-02-14.

I think you can smell the backdoors.

Have not found dots to CA, but I’ll bet they exist.

hxxps[:]//www.syniverse.com/products/mobile-messaging

Supports text messaging (SMS), multimedia messaging (MMS), Facebook Messenger, WeChat, voice calling, push notification, and chatbots

Proactively validates phone numbers in your contact database to reduce Telephone Consumer Protection Act (TCPA) risk exposure

Manages customer consent, including opt-in and opt-out tracking

Offers one-way and two-way capability

Provides message template customization based on business function

Translates to local languages

Features a use-case testing environment to shift ideas from proof-of-concept to production

Cascades message delivery based on customer responses

Integrates compliance and security features

Monitors messaging traffic to provide global, real-time, automated alerting

Expands into new channels such as Rich Communication Services (RCS)


P.S. Random cert errors again. To here.

deepview November 9, 2019 12:45 AM

This is the company that allegedly left their server dead for nine months, and why people just received messages from 2019-02-14.

Maybe they needed that long to find a fresh 0day.

timecop November 9, 2019 2:46 AM

Crown Sterling hacked. From https://pastebin.com/raw/gFs13y8r

It all started when our perp decided to go to blackhat and sue a bunch of
hackers. Little did he know that his AI had already violated T.E.C. code 40.8,
subsection 9: Time travel with intent to alter the future. Because his AI was
corrupting the continuum we had to dispatch a TEC agent to preserve the
Timeline! Our agent found all sorts of criminal activity and decided to publish
everything to corrupt the initial creation of the time AI causing the issue.

Our perp, “Robert Grant”, owns a variety of companies and subsidiaries. He has
a partial list of them which he makes available here:
https://strathspeycrown.com/subsidiary-companies-investments/

Having already seen a dismal future in which this conman succeeds play out,
agent Walker knew exactly which area to target. Our perp’s largest sins revolve
around his flagship company called “Evolus”, and his holdings company,
“Strathspey Crown”. Of course, the perp would never store evidence of his
crimes on servers so directly, but agent Walker knew the real evidence was
stored on a private forum called shoutMD. Not only did they discuss crimes, but
they even kept a FULL LEDGER on this forum in the members roster.

Cover Art (base64’d text art):
http://xs7fstnm22tkgpd5.onion/art.b64

Full data dump:
http://xs7fstnm22tkgpd5.onion/shoutmd/

0x0 – Security by decree
ShoutMD requires a health care provider ID to sign up and contains a rather
vicious terms of service threatening any physician who discloses any of the
records contained in the forum. Because there is search functionality which
discloses all valid provider ID’s and associated physician records, the only
actual barrier to entry into this forum is fear.
Once agent Walker got past his fear of the terms of service, he moved onto
gaining further access. Since the API to search members practically drooled
the permissions information for each user, he chose one and recovered his
password in the future, then sent it back to 2019.
No current exploits were used in the gathering of this information, only
exploits from the future. Does anyone even call that 0day?

0x1 – Scamming investors
Multiple scams were identified in the post content. Investors ask for their
actual shares (somehow he received money and didn’t distribute them), complain
about various doublespeak, and more.

After making a serious fuckup with fiduciary responsibility and lying to
investors, our Robert Grant realized he and his company could be sued for
investment fraud. For this reason, he tried to get all of his investors to sign
a release waiver preventing them from suing him in their next share
disbursement. Lo and behold, this did not go unnoticed.

Mark Pinsky notes this in post id 201446:
“SUBJECT: Significant Concerns about the Strathspey Crown Holdings, LLC-
Class X Unit Purchase Warrant

I have significant concerns about the Strathspey Crown Holdings, LLC-
Class X Unit Purchase Warrant:

  1. It has in it a GENERAL RELEASE of any and all claims against Strathspey
    Crown and its managers. It also releases all actions by Strathspey’s
    “past and present agents, employees, representatives, officers, directors,
    members, managers, attorneys, accountants, insurers, advisors, consultants,
    assigns, successors, heirs, predecessors in interest, joint ventures,
    affiliates, subsidiaries, parents, and commonly-controlled entities.”
    (This is in Section 18 of the Unit Purchase Warrant.) It appears that SCH
    and its managers intend that if you sign it, you give up ALL your legal
    rights to sue SCH or its management for any reason whatsoever, and you can
    never pursue or be party to any legal action. It also appears they intend
    for the release to include all claims, including those you know about and
    those you don’t yet have any knowledge of.
  2. As you probably know, Robert Grant has pledged 10 million of his equity
    to Series B investors, and it is unclear how his pledge relates to the
    Class X Unit purchase: Is this warrant offer in lieu of Robert Grant’s $10m
    equity pledge? Do the warrants offered dilute all SCH investors or just the
    equity owned by Robert Grant? For these and other reasons, I will not be
    signing this agreement.”

Plenty of fiduciary debauchery continued to be discussed in that thread. Some
investors even decided to bail on Grant’s investment scam as recently as Sept
2019:

“Thought I’d float this out there… I invested long ago (2012/2013) and the
path to liquidity is ever so complex with nothing concrete on the horizon.
On this message board there is a perpetual optimism… I put $250k into a
group of four and have Lioncrown status… I also doubled down and put in
$100k for AA shares. So that’s what I’ve got. There seems to be no market
in which to trade these shares… so I thought I’d try here. Anyone
interested in acquiring my shares? If you’re interested please email me
and let’s talk.” – David Kaufman (post id 212815)

Having satisfied the need to obtain evidence of Robert Grant’s investor scams,
our agent moved onto something much more incriminating.

0x2 – Tax evasion
According to the SEC records for Strathspey Crown, the company took in about
$50,845,002 in investment and reported it using a Form D. This may not matter
much on its own, but adding all the investment amounts together from the ledger
equates to $136,422,195:

walker $ cat investors.csv | cut -d'"' -f3 | tr -d " ," | paste -sd+ | bc
136422195

All of the members and investors information have been included in the data
archive, including the ledger, for additional review. In post ID 201446, which
we quoted discussing the dirty agreement with shareholders, Grant even mentions
severe tax penalties that may happen to him if he upholds his agreement. Could
it be that Grant never issued ownership units because he’d have to report the
investment amount to the SEC, and that, had he done so, he would have been on the
hook for massive taxes which he was insolvent to pay?

In the thread about their investors call (post ID 196934) they discuss all the
mismanagement and how there will be no more investment. It is also discussed
that management’s biggest fear is “continued hard feelings”. Meanwhile, some
investors ask why they aren’t on the emailing list, and where their k1 forms
are. Allowing doctors to use this form to file their taxes would have certain
tax implications towards Strathspey Crown, which Robert would do nearly
anything to avoid. Robert Grant absolutely must be stopped in order to preserve
the timeline.

0x3 – Physician Cronies

This is where it gets interesting. While some of these physicians are clearly
victims of Robert’s serial scamming, others appear to help him actively
perpetuate the scam. They even offer each other tips on how to better execute
pricing scams on their customers (post ID 212031):

“I am pricing it at the same price I had priced Botox for the last five
years. But, I have now raised the price of Botox once I started using
Jeuveau. If you price it less than you have been charging for Botox patients
will view it as a cheaper product, which it is not. This way I have
increased my profit on both products but people will have a incentive to use
Jeuveau.

I tell my patients that the price of Botox went up because I’ve had multiple
price increases but did not want to increase their cost. Now that I have a
premium product to offer them that I can get for a little less than I paid
for Botox I can extend that discount to them.” -Lorrie Klein

“Increased the profit on both products” “it is not a cheaper product” “extend
that discount to them”. If it was not cheaper, selling it at the same price
would not increase the profit. If the profit has increased, there is no way
that a discount is being extended to customers. So here Lorrie has:
* Lied to the whole forum (it is not a cheaper product)
* Lied to all her customers (price of X went up, but here’s a discount)
* Encouraged others to do the same

It’s interesting when a bunch of co-conspirators just sit around on a message
board confessing to their crimes using the veil of “security by decree” to get
away with it. Lucky for everyone, agent Walker was able to find further evils
perpetrated by some of these physician investors. Over 100 investors were found
to be promoting this product without disclosing their financial interests in
its success on social media. This is HIGHLY ILLEGAL, and agent Walker knew
exposing these cohorts would properly damage Robert Grant’s support network,
preventing Time AI from growing into an unstoppable force. Agent Walker’s
reports were constantly noting the fact that the AI could develop the ability
to evolve at any moment and begin fighting him back. Here at the TEC, we made
the decision to make the entire list of investors promoting without disclosure
on social media available in our trove of data (coi.txt).

0x4 – Outtro

We hope you enjoyed our mini-zine from the future. More to come, but we want
to give some shoutz to everyone calling out what kind of fraud this guy is.
Also shoutz to h0n0, el8, d1kl1ne, zf0, 4nt1s3c, etc. There is plenty more
evidence in our data dump, we just brought a few highlights to the surface.

MarkH November 9, 2019 12:50 PM

More Supply Chain Fraud

From NY Times (my italics added):

The surveillance cameras and other equipment that Aventura Technologies sold for years to the United States military looked like solid American products, packaged in boxes with “Made in the U.S.A.” labels and stars-and-stripes logos.

The items were installed throughout government agencies, including on aircraft carriers and a Department of Energy facility. Then last year, a service member on an Air Force base noticed that an Aventura body camera displayed Chinese characters on the screen.

On Thursday, federal prosecutors in Brooklyn said that the equipment had actually been made in China and was vulnerable to hacking, raising the possibility that American government agencies had installed software in their security networks that could be used for spying by China.

There seems to be no publicly available information as to whether any security breach occurred through these products.

A variety of intelligence organizations, if aware of the places where these gadgets were deployed, might well consider them hacking targets of exceptional value. One of the company’s products is “automated turnstiles” … hmmm.

Several employees of Aventura were arrested during the past week, on charges of falsely representing the country of origin. Their claim was that the products were manufactured in New York. Some government procurement requires products to be of US origin (whatever that means in the 21st century).

The firm appears to be run-of-the-mill fraudsters. Any security damage they might have facilitated is probably an incidental consequence of their greed, rather than intended.

Clive Robinson November 9, 2019 4:13 PM

@ MarkH,

Some government procurement requires products to be of US origin (whatever that means in the 21st century).

It really means very little, because the base components such as resistors, capacitors, inductors, transistors and many ICs are no longer made in the US.

This gets problematic when you build hardware around modern SoC ICs because often the IO is “binary blob” only or subject to strong NDAs… Even PCBs purchased from US companies may have been subcontracted to Far Eastern manufacturers and just shipped back.

The simple fact is it’s no longer possible to avoid foreign manufacturers, especially those in the Far East. Even when you think you are buying non-FE components, “grey market techniques” can swap non-FE for FE and you have one heck of a mess arising…

vas pup November 9, 2019 4:25 PM

The Chinese suicides prevented by AI from afar:
https://www.bbc.com/news/technology-50314819

“So how does the system work?

The Java-based program monitors several “tree holes” on Weibo and analyses the messages posted there.

A “tree hole” is the Chinese name for places on the net where people post secrets for others to read.

The name is inspired by an Irish tale about a man who confided his secrets to a tree.

The AI program automatically ranks the posts it finds from one to 10.

A nine means there is a strong belief a suicide attempt will be made shortly. A 10 means it is likely to be already under way.

In these cases, volunteers try to call the police directly and/or contact the relatives and friends of the person involved.

But if the ranking is below six – meaning only negative words have been detected – the volunteers normally do not intervene.”

MarkH November 9, 2019 9:26 PM

@Clive:

Economic “globalization” has been a mighty success, and most manufactured goods incorporate components and sub-assemblies from numerous countries.

As far as information security is concerned, I suppose that the possibilities for “backdooring” a resistor or mounting screw are rather limited … in the context of a sound engineering design for the overall product, control of the software and a major subset of the ICs ought to be sufficient.

There are still a lot of “fabs” operating in the U.S., though I regret to say that the one in my neighborhood seems to have fallen victim some years ago to acquisitions and mergers. So in principle, you could do quite a lot with U.S.-fabricated chips. I’m guessing that this is actually done for some critical systems (missile avionics and the like) where truckloads of money can be applied where needed.

But the penalty for sourcing all ICs in the U.S. must be really steep, in terms of calendar time, parts cost, losses in performance, and extra engineering effort.

There are always going to be subsidiary gadgets (like surveillance cameras for facility security) for which the safeguards are much less stringent.


What comes to my thoughts about this story is the synergism between state-level surveillance policies and rampant white-collar crime.

If indeed some of the Chinese systems were backdoored in compliance with government policy (as opposed to the slovenly/accidental backdoors which pervade IoT), the Chinese government could hardly have known that they would end up in Department of Energy facilities.

And the sleazy fraudsters who palmed off Chinese goods as “made in USA” wouldn’t have known, or cared, about any security implications of their lust for money.

But in combination, the two might have created a juicy opportunity for intelligence gathering.

Clive Robinson November 10, 2019 3:17 AM

@ MarkH,

But in combination, the two might have created a juicy opportunity for intelligence gathering.

That’s actually the problem that scared the Dept of Defence a decade or so ago, and they wanted to take steps to stop the possibility (possibly because as we now know the NSA were doing almost exactly that to the Chinese Government, hence the later Chinese legislation banning certain US products from use in various “national security” sensitive areas like banking etc).

As you highlight the “duplication of effort” to make US only components is quite expensive for such a limited customer base, which would mean much higher prices to US national security sensitive areas.

However, short-term-view politicians just see a large cost in a budget line, whilst their advisors and lobbyists show a small cost for the same in corporate budgets. Thus the politicians then see cost as being the primary decision maker, not security. The result is then much as we see in corporations driven by those who see no “book value” in security other than minimal physical security of a shiny cap badge by the front door.

Eventually you end up with something like the Office of Personnel Management (OPM) breach and much bull roaring and chest beating from the politicians. Then as the noise in the MSM dies down, it all goes back to the same game until the next breach that becomes embarrassingly public…

All in all it’s a bit sad, because the US used to have a very healthy electronics industry across the board. But it got sold out by accountants and politicians, who now find themselves disadvantaged by their past choices…

Proving I guess that “Some turkeys do vote for thanksgiving”.

MarkH November 10, 2019 5:15 AM

@Clive:

To make a somewhat tortured mix of metaphor and cliche, the turkeys have come home to roost …

Between “pull up the drawbridge” protectionism, and “pull out the stopper and drain the tub” off-shoring, there must be some better compromise.

Worship of money swung the needle pretty far in the direction of draining the tub. Perhaps the U.S. is more capable than any other country of home-brewing electronics (I’m guessing that China’s tremendous capacities still have some serious gaps) … but for every country manufacturing electronics, the dependence on imports is enormous.

Surely there’s nothing new under the sun. In the American civil war, swarms of manufacturers did their best to profit from selling shoddy goods to the Union army. Accountants don’t have a line-item for patriotism on their balance sheets.

Alejandro November 10, 2019 11:08 AM

Supposedly, Russia detached its internet from the www on Nov. 1 pursuant to several new laws as a test of their closed system.

I noted in my logs some contacts on Nov. 3, so maybe they didn’t. But then, until just yesterday, there were none, zip, zero scans or connection attempts noted in my logs. Good! But it didn’t last. They are back again. So, did they actually do the “test”, or not? I have read there are technical problems corralling the internet for that vast country; technical people say it can’t be done. I don’t know one way or another.

I did like not having them knocking at the door for a week or so, though.

I know it’s not popular to say this, but I can see benefits from balkanization of the internet. Unfortunately that would interfere with the current system of tight control by the USA. Oh well.

New Russian Law Gives Government Sweeping Power Over Internet
https://www.npr.org/2019/11/01/775366588/russian-law-takes-effect-that-gives-government-sweeping-power-over-internet

Russia shutting off internet country-wide next week to test its own censored version
https://americanmilitarynews.com/2019/10/russia-shutting-off-internet-country-wide-next-week-to-test-its-own-censored-version/

vas pup November 10, 2019 12:27 PM

France embraces facial recognition tech:
https://www.dw.com/en/france-embraces-facial-recognition-tech/a-51106489

“Civil rights groups worry France is taking a step toward a surveillance state. It is about to become the first European Union country to introduce facial recognition software for government services.

Jerome Letier is convinced the technology in his hands will take France into a new digital era. The head of the national agency for secure documents is holding a test smartphone with Alicem on it. This new government app, based on facial recognition software, will give users access to around 500 government websites.

“Alicem will allow citizens to access our services through a highly secure system without them having to go to a government office,” he said, smiling for the camera as the app made a video of his face.

That video is sent to a government server together with data Alicem has collected from the chip in the user’s biometric passport. The server compares the video with the passport photo, checks the document hasn’t been stolen and sends the user a code with which he can set up an online identity. Then, the video is erased from the server.

The app is still in a test phase and due to go live by the end of this or early next year.

JG4 November 10, 2019 3:59 PM

Appreciate the ever-helpful discussion.

https://www.nakedcapitalism.com/2019/11/links-11-9-19.html

The fusion energy dream is inching toward planet-saving reality Washington Post (David L)

Big Brother is Watching You Watch

UAW-Ford contract gives green light for stepped up monitoring of workers WSWS

The Next Freakout: Foreign Spies in Surveillance Valley! Yasha Levine

Imperial Collapse Watch

The “Deep State” Is a Political Party New Republic (resilc)

Gone_Down_in_IT (tipsychrosangre gecko) November 10, 2019 11:22 PM

Chaffing Preamble = disable postscript & ghostscript if you do not need them (along with zeitgeist and cups and bluetooth and apport and all those hundreds of fonts and whoopsie and gigolo and the chat programs and mugshot and onboard and those xfce extras and) yeah right linux doesn’t have any bloatware because this is neither satire nor parody nor sarcasm nor 100% lies and this list is totally complete…. NOT!

bitwise sot

Happy Holiday. Please pass it on: Please stop asking if a person is a veteran; those questions are often irrelevant to many tasks and could still jeopardize continuing missions. We are not KIA’s, we are KIVA’s; PUT A VA IN IT.

https://youtube.com/watch?v=yaASViNhfeE

Please take a long look at the toy section, good ol’ friend.

bitwise eot

Clive Robinson November 11, 2019 12:04 AM

@ Bruce,

More on Boeing’s 737 aircraft and the security, or lack thereof, of their design process in recent years.

Firstly, more on why two MAXs crashed and the rest were grounded due to regulatory changes:

https://www.dcreport.org/2019/11/08/boeing-737-max-how-deregulation-kills-people/

Secondly there is the “new news” over the issue of cracks in critical air frame structure.

The cracks have been found in the “pickle fork” of close to 5% of 737 NGs (the MAX predecessor).

https://abcnews.go.com/US/faa-asks-airlines-inspect-boeing-737-ng-jets/story?id=65921868

Put simply, the cracks have appeared in a place where the stresses at the root of the wings and fuselage are managed, and according to a retired aerospace engineer there should never be cracks in that part, “period”. Finding them indicates that the design is wrong and potentially unsafe.

As the FAA has noted the cracking,

    “could adversely affect the structural integrity of the airplane and result in loss of control of the airplane.”

Thus urgent inspections must be carried out, which on such high-utilisation aircraft could prove devastating not just for the airlines but the passengers, as up to 4% of scheduled flights will have to be canceled over the rest of this year…

Worse still, some estimates say that due to the fundamental nature of the issue, remedial action will require each aircraft to be taken out of service for just under 1/6th of a year.

Apparently Boeing’s share price dropped yet again in response to the news…

Ergo Sum November 11, 2019 7:49 AM

@Clive Robinson…

The deregulation of the aircraft industry passed the congress under the Bush (twig) administration. The resulting self-approval of safety had been applied first under the Obama administration for the 737 MAX.

The aircraft industry isn’t the only one that had been deregulated; most of the transportation industries, oil companies, pharma, and others had been deregulated as well. There has been a bipartisan consensus in the congress in favor of deregulation for a long time and it is unlikely to change.

https://www.npr.org/2019/04/04/709431845/faa-is-not-alone-in-allowing-industry-to-self-regulate

CallMeLateForSupper November 11, 2019 9:38 AM

@All @Bruce

Just wondering: Did anyone else get absolutely nothing from the word-salad posted above by @Gone_Down_in_IT ?

A disjointed, incoherent rant about certain Linux programs did not exactly light a fire under me to follow the YooToob video link.

MarkH November 11, 2019 11:57 AM

@Clive:

The 737-NG structural problem is in some ways both rather more and rather less than it will seem to most people who learn of it.

A metallurgist once explained to me that cracks in aircraft structures are quite common, and that in most cases the response to discovery of a crack is to establish a schedule for monitoring its propagation.

If I correctly understand the case of the “pickle fork” structures:

a) the observed cracks are small, and would have to grow for a substantial period of time in order to pose the risk of failure;

b) breakage of such a structure would not in itself doom the aircraft, though it would obviously increase stress on other components and reduce load margins; and

c) the cracking problem was discovered (as such things are supposed to be) by periodic inspections, and will be resolved so as to preserve continued safety of flight operations.

In sum, the safety implications of this problem are slight. However, the economic impact is significant¹. Because replacement of these structures requires a massive tear-down and rebuild of the aircraft, I expect that replacements (where needed) will be done as a part of periodic heavy maintenance, called a “D check” in the U.S.

D checks take up to 2 months anyway. For a 737 NG that was due for its D check, the extra cost probably won’t be severe. But if the plane wasn’t due for a few years, the cost and the fleet scheduling impact of its withdrawal from service will be painful for the airline.

This kind of problem is not so unusual for airframes, and probably wouldn’t be getting much public notice if it weren’t for the 737 MAX disaster.


The significance of this problem for the engineering process is difficult to evaluate. When I used to follow aviation business news religiously, similar stories (discovery of cracks in wing-related structures far earlier than their design lifetime) were pretty common for military planes.

Of course, the design, operation and certification of military aircraft has many differences from airliners. But in both contexts, the structures benefit from the best available design tools and process, materials chosen with great care, and rigorous manufacturing processes.

Why fatigue cracking continues to take engineers by surprise, and what can be done to improve the situation, are questions far outside my ken. Maybe the challenge will be obsoleted by the switch to plastic structures, without ever having been resolved.


¹ The Three Mile Island nuclear accident in the U.S. was widely perceived as a public safety failure. It wasn’t really, because the extremely conservative safety design of the pressurized water reactor functioned as intended. Nonetheless, the reactor was completely destroyed for a 100% economic loss. TMI was a business failure much more than a safety failure; power companies took note of this, and enthusiasm for new reactor construction vanished.

Sherman Jay November 11, 2019 2:27 PM

I know a number of people posting here regard FreeBSD as an excellent distro. However, the following article has made me uneasy. Corporate infiltration and takeover of systems has caused a dramatic compromise of security and privacy for users. Without some assurance (proof) that Netflix will not be abusive, I now have concerns for FreeBSD users.

http://distrowatch.org/weekly.php?issue=20191111

“People who use FreeBSD, particularly those who deal with large amounts of network traffic, will be pleased to know >>> Netflix has contributed improvements to FreeBSD’s networking code <<<< . Drew Gallatin of Netflix presented some of the work his company has put into FreeBSD which is widely used in Netflix’s data centres”

More info from others is welcomed.

Sherman Jay November 11, 2019 2:34 PM

The change to ‘plastic’ aircraft structures is not a panacea. Carbon fiber laminates have dangerously de-laminated after repeated stress as shown by decades of experience. Other plastics exhibit tendencies to deteriorate in many different and often unpredictable ways. All structural metallic cracks will grow and not always in a linear or predictable manner. A few ‘hard landings’ or high stress maneuvers can cause dramatic and dangerous growth in fractures. All aircraft structures are designed to flex, some just are designed not to deteriorate as fast with that flexion.

If remembered correctly, amazingly, the DC-3 wing structure designed by J. Northrop was one that for over ~70 years had no structural failures.

Info above from a retired aerospace engineer.

Wael November 11, 2019 2:51 PM

@Sherman Jay,

Netflix has contributed improvements to FreeBSD’s networking code

FreeBSD is still my OS of choice, for nostalgic reasons. I remember long ago when I used it with the Enlightenment Desktop. I recently crashed my drives (well not crashed, but trashed them.) Had an AMD system with four hard drives / several partitions each, with many operating systems, Clover EFI boot loader, …

Anyway: it’s open source, go look at the code and see what “improvements” were added…

FreeBSD Unite November 11, 2019 6:56 PM

an idea

Why don’t FreeBSD developers create one great OS?

With the 1000 Chinese programmers going after Linux, FreeBSD needs to unite and create something that most people can use.

SpaceLifeForm November 12, 2019 3:27 PM

Zombieload2

https[:]//zombieloadattack.com

[note: Since Intel now allegedly has microcode fix (ha!), I guess they revealed two days early, this being 2019-11-12]

With November 14th, 2019, we present a new variant of ZombieLoad that enables the attack on CPUs that include hardware mitigations against MDS in silicon. With Variant 2 (TAA), data can still be leaked on microarchitectures like Cascade Lake where other MDS attacks like RIDL or Fallout are not possible. Furthermore, we show that the software-based mitigations in combinations with microcode updates presented as countermeasures against MDS attacks are not sufficient.

[Not sufficient]

We disclosed Variant 2 to Intel on April 23rd, 2019, and communicated that the attacks work on Cascade Lake CPUs on May 10th, 2019. On May 12th, 2019, the variant has been put under embargo and, thus, has not been published with the previous version of our ZombieLoad attack on May 14th, 2019.

SpaceLifeForm November 12, 2019 3:47 PM

Just say NO to 5G

https[:]//techcrunch.com/2019/11/12/5g-flaws-locations-spoof-alerts/

“Worse, the researchers said some of the new attacks also could be exploited on existing 4G networks.”

[Note: existing 4G networks]

“It’s the second round of research from the academics released in as many weeks. Last week, the researchers found several security flaws in the baseband protocol of popular Android models — including Huawei’s Nexus 6P and Samsung’s Galaxy S8+ — making them vulnerable to snooping attacks on their owners.”

[Note: Android baseband]

SpaceLifeForm November 12, 2019 4:11 PM

Welcome to The Twilight Zone

https[:]//www.zdnet.com/article/microsoft-to-apply-californias-privacy-law-for-all-us-users/

vas pup November 12, 2019 4:13 PM

Is China gaining an edge in artificial intelligence?
https://www.bbc.com/news/business-50255191

“‘China is betting on AI and investing in AI and deploying AI on a scale no other country is doing,’ says Abishur Prakash, a futurist and author of books about the effect of artificial intelligence (AI) on geopolitics.

As developments in AI accelerate, some in the US fear that the ability of China’s powerful central government to marshal data and pour resources into the field will push it ahead.

The country has announced billions in funding for start-ups, launched programs to woo researchers from overseas and streamlined its data policies.

It has announced news-reading robots and AI-powered strategy for foreign relations. Perhaps most alarming to the US are its efforts to incorporate it into its military.”

https://time.com/5673240/china-killer-robots-weapons/

“‘These technologies could easily be a key component for autonomous weapons,’ says Daan Kayser of PAX, a European peace organization. Once a robot can accurately identify a face or object, only a few extra lines of code would transform it into an automatic killing machine.

In addition to technology from commercial companies, the PLA has said it plans to develop new types of combat forces, including AI and unmanned — in other words autonomous or near-autonomous — combat systems.”

The country’s domestic arms industry has obliged. A few examples include manufacturer Ziyan’s new Blowfish A2 drone. The company boasts it can carry a machine gun, independently fly as a swarm group without human operators, and “engage the target autonomously.” On land, Norinco’s Cavalry, an unmanned ground vehicle with a machine gun and rocket launchers, advertises near autonomous features. And by sea, Chinese military researchers are building unmanned submarines. The 912 Project, a classified program, hopes to develop underwater robots over the next few years.”

The other frontier unbound by international law is space. Here, China sees some opportunities to leapfrog American technology. It’s also where Beijing believes the U.S. would be most vulnerable in any conflict because of its dependence on information technology such as GPS, which not only helps soldiers and civilians get around, but services like stock exchanges and ATMs.

The country’s Shiyan-7 satellite, able to maneuver and dock with larger space objects, would in theory, experts say, also be able to latch on to and disable enemy space assets. More recently, China has been testing satellite SJ-17. It moves around with precision at very high altitudes — 22,000 miles above Earth. Satellites in orbit fly at tens of thousands of miles per hour. They possess the kinetic potency to shatter anything in their path, essentially acting as kamikazes against another country’s satellite. The U.S. military worries this is what China has in mind when developing satellites that can move so unusually in space.

vas pup November 12, 2019 4:21 PM

EU signs off on new joint defense projects — but to do what?
https://www.dw.com/en/eu-signs-off-on-new-joint-defense-projects-but-to-do-what/a-51215806

“The programs will be carried out under the EU’s joint weapons development structure, named PESCO.

There are now a total of 47 military collaborations developed by EU countries under PESCO, covering military hardware as well as a range of training and simulation schools and programs for both hardware and cyber defense.

Funding for the projects comes from the nations themselves, with PESCO providing a formal structure through which nations can collaborate.

Electronic warfare capability project

Germany is funding this project together with Czechia to look into improving cooperation between various countries’ electronic warfare military systems. The goal is to develop a potential electronic warfare military operations concept and could potentially lead to further integration of German-Czech electronic warfare training and military units in the future.”

Read the article for other projects.

SpaceLifeForm November 13, 2019 2:39 PM

http[:]//tpm.fail

Note: https not working for me on that site, which may be the point. Just search for ‘tpm fail’, plenty to read.

But, from the link above:

“We discovered timing leakage on Intel firmware-based TPM (fTPM) as well as in STMicroelectronics’ TPM chip. Both exhibit secret-dependent execution times during cryptographic signature generation. While the key should remain safely inside the TPM hardware, we show how this information allows an attacker to recover 256-bit private keys from digital signature schemes based on elliptic curves.”

“A hacker can use these vulnerabilities to forge digital signatures.”

“We even show that these attacks can be performed remotely on fast networks, by recovering the authentication key of a virtual private network (VPN) server in 5 hours.”

SpaceLifeForm November 13, 2019 4:05 PM

The tpm problem:

“Both exhibit secret-dependent execution times during cryptographic signature generation.”

Which tells you it is a NIST Curve.

It’s not Curve25519, which has flat execution timings. Curve25519 is designed to not leak based on timing.

It’s all about the ‘Intel Inside’

Curious. Why is Microsoft Patch Tuesday the same day as Intel Patch Tuesday?

Clive Robinson November 13, 2019 6:24 PM

@ SpaceLifeForm,

    We discovered timing leakage on Intel firmware-based TPM (fTPM) as well as in STMicroelectronics’ TPM chip. Both exhibit secret-dependent execution times during cryptographic signature generation.

They should both know a lot lot better than that. After all, timing side channel attacks against AES were known during as well as very publicly after the AES contest.

But time based side channels leaking information from chips was a well known issue back in the days when “Smart Cards” were still viewed as some “Perversion peculiar to the French” getting on for four decades ago.

So they both should be acutely aware of “time based side channels leaking key bits” with both symmetric and asymmetric “real world” implementations of cryptographic algorithms.

Which makes me think,

It’s all about the ‘Intel Inside’

Should be,

It’s all about the ‘NSA Inside’

It is way too coincidental to be coincidence if you know what I mean.
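The "secret-dependent execution times" quoted above, and Clive's point that key bits leak through such timing, come down to whether the work done in signature generation depends on the scalar. This added example (not code from the thread or from any TPM vendor) counts group operations on a constructed toy curve, y^2 = x^3 + 7 over GF(17) with base point (1, 5), to contrast naive double-and-add, whose work tracks the Hamming weight of the scalar, with a Montgomery ladder, whose work depends only on the bit length.

```python
# Added illustration, not from the comment thread. Toy parameters constructed
# for the demo; operations are counted instead of timed, since the count is
# what a timing side channel ultimately observes.
P_MOD = 17      # toy prime field
A_COEF = 0      # 'a' in y^2 = x^3 + a*x + b
BASE = (1, 5)   # a point on y^2 = x^3 + 7 mod 17

def ec_add(P, Q):
    """Affine point addition; None stands for the point at infinity."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                          # P + (-P) = infinity
    if P == Q:
        lam = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)

def naive_double_and_add(k, P=BASE):
    """Left-to-right double-and-add: one doubling per bit, but an addition
    only for set bits, so total work reveals the Hamming weight of k.
    Returns (k*P, doublings, additions)."""
    R, doublings, additions = None, 0, 0
    for bit in bin(k)[2:]:
        R = ec_add(R, R)
        doublings += 1
        if bit == "1":
            R = ec_add(R, P)
            additions += 1
    return R, doublings, additions

def montgomery_ladder(k, P=BASE):
    """Montgomery ladder: exactly one addition and one doubling per bit
    whatever the bit's value, so work depends only on the bit length of k.
    (A production version would also swap R0/R1 without a data-dependent
    branch; the branch is kept here for readability.)"""
    R0, R1, doublings, additions = None, P, 0, 0
    for bit in bin(k)[2:]:
        if bit == "1":
            R0, R1 = ec_add(R0, R1), ec_add(R1, R1)
        else:
            R1, R0 = ec_add(R0, R1), ec_add(R0, R0)
        additions += 1
        doublings += 1
    return R0, doublings, additions

if __name__ == "__main__":
    for k in (8, 15):   # same bit length, very different Hamming weight
        print(k, naive_double_and_add(k)[1:], montgomery_ladder(k)[1:])
```

On the toy curve 3*(1, 5) = (5, 9) under both methods; for the 4-bit scalars 8 and 15 the naive routine does 5 and 8 operations respectively, while the ladder does 8 for either.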

lurker November 14, 2019 1:38 AM

@ All re FreeBSD
It seems Netflix have merely done some hacking to up the throughput of their servers. Under the BSD licence they’re free to do this, profit, and tell nobody. They seem to have accepted the spirit of “free” software and are feeding their patches back to the mother lode, who are not obliged at all to accept them. The patches could be good for other people’s servers too, but are unlikely to help BSD on the desktop.
see also: https://linux.slashdot.org/story/19/10/20/2227228/project-trident-ditches-bsd-for-linux
IMO not much can help BSD on the desktop. I’ve been looking at alternative OS for a new laptop, and everywhere I turn, wifi drivers, graphics drivers, the gossip on the net is don’t even think about FreeBSD if your hardware is less than seven years old. There are a few derivative BSD that claim to have an “enhanced” desktop experience, but three I tried flat out failed to recognize my Elan keyboard and touchpad. Perhaps Steve Jobs was the only man who could make BSD run a modern desktop on modern hardware…

Clive Robinson November 14, 2019 2:18 AM

@ lurker,

I’ve been looking at alternative OS for a new laptop, and everywhere I turn, wifi drivers, graphics drivers, the gossip on the net is don’t even think about FreeBSD if your hardware is less than seven years old.

Similar applies to all OS’s that are not designed for a specific hardware platform. Even Microsoft can not write the drivers for all but a few very standardized types of hardware.

Thus the drivers tend to come from the hardware designers. Their management look at the ROI on each market segment and they make a choice. The faster the designers turn products out, the more limited that choice, thus the less OS’s get supported by them.

Worse, at a certain point in speeding up the turn out of new products, they don’t even support their product properly because they have “moved on before going to market”, or have purchased in code from chip manufacturers.

The real problem aside from flaky “Blur Screen of Death” style performance, is of course, that as with “binary blobs” you have no idea as to what they will do to your OS security now or in the future…

Writing I/O drivers for both security and stability is not something that is done at the press of a few keys. It requires all sorts of testing and this takes time. With product cycles getting less than the required test time, it’s not difficult to see the likely long term result irrespective of OS or their developers.

As has been observed as things speed up they tend to get hot, hence we have the expression “It’s getting hot” in marketing speak as an apparently good thing. However to an engineer unconstrained heating up is known as “thermal runaway” which engineers regard as a bad thing. Why? Because when things get hot enough they tend to either fail explosively or meltdown, neither of which is desirable. Likewise those effects in products and market places.

SpaceLifeForm November 14, 2019 1:58 PM

@Me

“From the description, it sounds solid, the voter verifies the vote on paper before it is deposited and counted.”

It’s a start, but still not enough.

One should always vote paper.

But, the flaw is that one can not verify that their votes were actually counted.

There needs to be a receipt, that has a hash of some type, that the voter provides a passphrase for, tied to their ballot.

The actual ballot must contain the hash.

The counting must become public.

The voter, via the hash receipt, should be able to verify, via a server, and the hash, that their vote was actually counted in the first place.

This idea is not foolproof by any measure.

But, if multiple voters can demonstrate that their hash never shows up in the voting results database, then you know there is a problem.
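The receipt scheme sketched above, as an added example that is not SpaceLifeForm's or anyone else's code: the ballot carries a hash, the voter keeps a receipt plus a passphrase, the count publishes every hash it counted, and the voter checks for theirs. Two assumptions are mine: the receipt holds a random per-ballot nonce (so two voters with the same passphrase do not collide), and the published record lists counted tags separately from choices (so a receipt cannot prove how someone voted).

```python
# Added illustration of the hash-receipt idea; all values are constructed.
import hashlib
import secrets

def ballot_tag(nonce: bytes, passphrase: str) -> str:
    """The hash printed on the ballot; reproducible only from receipt + passphrase."""
    return hashlib.sha256(nonce + passphrase.encode("utf-8")).hexdigest()

def cast_ballot(choice: str, passphrase: str):
    """Voter picks a passphrase; the ballot carries the resulting tag.
    The receipt holds the nonce, the passphrase stays in the voter's head."""
    nonce = secrets.token_bytes(16)          # assumption: per-ballot nonce
    ballot = {"choice": choice, "tag": ballot_tag(nonce, passphrase)}
    receipt = {"nonce": nonce}
    return ballot, receipt

def public_count(ballots):
    """Counting made public: the tally and every tag that was counted.
    Tags are published without their choices; inclusion therefore proves the
    ballot was counted, not that it was counted for the right candidate."""
    tally = {}
    counted_tags = []
    for b in ballots:
        tally[b["choice"]] = tally.get(b["choice"], 0) + 1
        counted_tags.append(b["tag"])
    return tally, sorted(counted_tags)

def verify_counted(receipt, passphrase: str, published_tags) -> bool:
    """The voter's check (or a server's on their behalf): recompute the tag
    from receipt + passphrase and look it up in the published results."""
    return ballot_tag(receipt["nonce"], passphrase) in set(published_tags)

def demo():
    """Three constructed voters; one ballot is lost before counting.
    Returns the tally and one verification result per voter."""
    voters = [("A", "correct horse"), ("B", "battery staple"), ("A", "xyzzy")]
    ballots, receipts = [], []
    for choice, pw in voters:
        b, r = cast_ballot(choice, pw)
        ballots.append(b)
        receipts.append(r)
    tally, tags = public_count(ballots[:2])      # third ballot silently dropped
    results = [verify_counted(r, pw, tags) for r, (_, pw) in zip(receipts, voters)]
    return tally, results

if __name__ == "__main__":
    print(demo())
```

The third voter's lookup fails, which is exactly the "hash never shows up in the results database" signal the post describes; a wrong passphrase also fails, so a receipt alone does not identify its ballot.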

vas pup November 14, 2019 2:39 PM

DJI makes app to identify drones and find pilots
https://www.bbc.com/news/technology-50414108

“Drone maker DJI has demonstrated a way to quickly identify a nearby drone, and pinpoint the location of its pilot, via a smartphone.

The technique makes use of a protocol called “Wi-Fi Aware”, with which the drone essentially broadcasts information about itself.

The company said it would help prevent security threats and disruption, and give members of the public peace of mind.

But experts believe sophisticated criminals would still be able to circumvent detection.

“It’s going to be very useful against rogue drones,” said Elrike Franke, a policy fellow at the European Council on Foreign Relations, who studies the impacts of the drone industry.

Incoming regulation

All drone manufacturers will eventually need to adopt a system of remote identification in order to comply with upcoming regulation set to be put in place in different countries.

The US Federal Aviation Administration, along with the country’s Department of Transport, is expected to unveil proposed rules for mandatory remote drone ID next month – though that move has been repeatedly delayed.

Even once agreed upon, the measures could take more than a year to implement. The FAA has told drone makers to come up with their own solutions in the meantime.

DJI said it would roll out its Remote ID capabilities once its obligations were more clear. It could apply the changes to drone models dating back “several years”, it said.

Widespread adoption of the technology will also be held back somewhat by so-far limited inclusion of the “Wi-Fi Aware” protocol in popular smartphones, such as Apple’s iPhone, which currently does not support it.”

Bong-Smoking Primitive Monkey-Brained Spook November 14, 2019 2:40 PM

@SpaceLifeForm; @Clive Robinson:

They are all in bed together. 2 decades now.

Forget security theatre! This’s a Security Orgy that produced three little bastard pigs: TSA, ___, ___ 🙂

vas pup November 14, 2019 2:54 PM

https://www.bbc.com/future/article/20191031-when-should-you-follow-your-gut-instinct

“Intuition tends to get a bad reputation as something that’s flaky and based on no evidence. A careful analysis of all the options is surely more likely to give us the right answer? Not necessarily. Our gut instincts are not always as random as they seem. They can be based on a rapid appraisal of the situation. We might not always realize it, but the brain is constantly comparing our current situation with our memories of previous situations. So when a decision feels intuitive, it might in fact be based on years of experience.

The problem with fast thinking is the existence of dozens of different cognitive biases which can lead us towards the wrong answer: we tend to be over-optimistic; we prefer simple solutions; we notice and remember information that confirms what we already think; and we favor continuing down paths we’ve already invested time or money in.”

That is a good question, in particular in security related activities.

@all input is highly appreciated.

upal November 14, 2019 8:04 PM

1) Here is a deliberately delayed correction: “eigenface”, look up the term if you have an interest in biometric security; if you don’t already know the meaning, please abstain from making up silly gossip about the etymology.

2) Strange are those funny people in sales and customer service who make the obvious false claims that we are never hacked, they are never hacked, and that there are zero hack worries… such blatant lies those are.

3) Metabolically, do you have trouble thinking when near an active computer device? Perhaps the electronics have additional health hazards; I remember when it was prescribed that viewers needed to maintain a minimum distance of 1 yard away from monitor (TV, cathode ray) screens.

4) I suspect that all of our vain sufferings about false security might be culminating in both a biological and sociological study of all of us while also doubling as a hidden filesystem based upon our encryption outputs. One thing’s for sure: all this security theatre isn’t doing us any good! And what are we doing to our selves and each other!? It’s time to take a trip down history lane to study “CYBERNETICS”.

5) It’s NOT an attack; it’s never an attack; it’s an unauthorised browse.

SpaceLifeForm November 15, 2019 5:05 PM

Security Orgy [Redactions don’t always work]

So, only three?

TSA, CBP, ICE

Are we sure?

SpaceLifeForm November 16, 2019 12:54 PM

@ToBeAmouse

Not parsing your point.

Note, I was joking about the redactions.

What you observed maybe was not what I observed.

Such is the reality of quantum mechanics and the internet.

Bong-Smoking Primitive Monkey-Brained Spook November 17, 2019 4:45 PM

@SpaceLifeForm:

Are we sure?

The first one: positive!

Travelers are a dangerous bundle;
All who grumble, oh TSA ensemble;
Shove’m in a backscatter;
Those Opt-outs that natter;
You shall spread out and fondle

Bong-Smoking Primitive Monkey-Brained Spook November 18, 2019 8:26 AM

@ToBeAmouse:

Your capable poetic warm foot is worthy of praise!

ToBeAmouse November 18, 2019 5:52 PM

Bong-Smoking Primitive Monkey-Brained Spook:

“is worthy of praise!”

Sad to say the tense has changed to past for both of us, thus “catch it whilst you can” is now the order of the day…
