Friday Squid Blogging: T-Shirt

"Squid Pro Quo" T-shirt.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

Posted on November 22, 2019 at 4:19 PM • 77 Comments

Comments

Sherman Jay • November 22, 2019 4:54 PM

With each passing day, I feel like more of a target for these invasions of our personal security.

Recently there was:
hXXps://www.nakedcapitalism.com/2019/11/hhs-investigates-google-ascension-secret-medical-records-project-for-millions-of-patients-concrete-evidence-of-hipaa-violations.html

Now there is:
hXXps://www.nakedcapitalism.com/2019/11/us-medical-data-security-gets-worse-2-months-after-expose-of-hundreds-of-millions-of-images-related-patient-info-open-on-the-internet.html

At times, all these assaults on all of us make me want to line my hat with foil and move to a fully isolated off-grid cabin with a well, a big garden greenhouse, photovoltaic panels and batteries. AAAAUUUUGGGHHH!

My physician just got swallowed up by a huge hospital corporation. Can't wait to see how many spying third-parties will soon have access to my medical records!

But, I do love the Squid pro quo Shirt!!!

Anders • November 22, 2019 5:21 PM

Estonian important E-services were down this week.

Guess what was the reason?

Rats!

Rats damaged one (yes, you read right, just one) fiber
optic cable, just in right place.

In Estonian, use "G" translation

arileht.delfi.ee/news/uudised/rotid-narisid-riigivorku-augu-eestiee-ja-haigekassa-teenused-olid-mitu-tundi-rivist-valjas?id=88126529

Anders • November 22, 2019 5:32 PM

Alright, our news agencies have made an English version too :)

news.err.ee/1005241/e-services-inaccessible-after-rats-chew-through-wires

Alejandro • November 22, 2019 7:43 PM

OnePlus Suffers a Data Breach (Again)
"No payment card or password information was stolen. But the hacker did get access to names, phone numbers, email addresses and shipping addresses on customer orders."

https://www.pcmag.com/news/372136/oneplus-suffers-a-data-breach-again


I don't understand why any business would store personal data which is accessible to the internet. What's the point? Either erase it if you don't need it, or put it on a machine locked in a safe with no internet connection whatsoever. Only allow limited trusted staff access.

It's common sense to me.

Clive Robinson • November 22, 2019 9:17 PM

@ Alyer Babtu,

I like it. Now I can have my own F-117.

The "Tesla CyberSuck-up"...

Yes, it does look like it's the love child of a Stealth Fighter and a sports car that got a bad dose of the stressed out munchies and turned to the Cher school of plastic surgery for a nip and truck...

All jokes aside looks wise I could see it being popular for those manic dune buggy types, especially the volcano riders in Iceland. The problem is in reality rather than have 1000 raw horse power under the hood, it's probably got all the drive shaft power of a wet noodle.

But I guess the real "Elephant in the Room" question for this blog is,

    How much "Spy-ware technology" has Tesla put in it?

To check you are not driving out of warranty...

Sherman Jay • November 22, 2019 11:00 PM

@Clive Robinson and @all,

I've done some research on BEVs (Battery Electric Vehicles) and I'd like to own one, maybe a 2017 Nissan Leaf (since I can't afford a new Tesla).

Like most electric motors, they have 'full torque at stall', so the full size Teslas typically go 0-60 mph in about 3 seconds. And, they have a driver initiated 'ludicrous speed' setting that allows them to leave almost any 'muscle car' on the road in the dust.

Teslas have been shown pulling a semi-trailer rig out of a ditch.

BEVs typically can charge from 20% to full charge from your household garage charging station in 4-6 hours and Tesla supercharger stations give an 80+% charge in ~20 min.

Also, many people have used the battery pack in their BEV to power essential items in their homes during a utility power outage. (they use the main house breakers to disconnect the house to prevent grid 'backloading' dangers)

Yes, this new truck is not 'pretty' by any means. But, I've always been more interested in function than frills. And, even though Elon Musk is rather arrogant, Teslas have earned a great reputation.

Sherman Jay • November 22, 2019 11:07 PM

@Clive Robinson,

"But I guess the real "Elephant in the Room" question for this blog is,
How much "Spy-ware technology" has Tesla put in it?"

I admit reading about all the remote patches and upgrades and 'telemetry', Tesla does keep close track of the vehicles. Teslas have a number of cameras that have helped owners identify vandals and even helped them and others in accidents.

However, tens of thousands of Tesla owners have never reported any hacks, malware or inappropriate 'remote goings on'. They seem to be a rather tech-savvy group and don't seem to feel the car is 'spying' on them.

Clive Robinson • November 22, 2019 11:47 PM

@ Sherman Jay,

At times, all these assaults on all of us make me want to line my hat with foil and move to a fully isolated off-grid cabin with a well, a big garden greenhouse, photovoltaic panels and batteries. AAAAUUUUGGGHHH!

You are not the first to feel that way, and you almost certainly won't be the last.

Some believe rightly or wrongly that we are on the edge of the collapse of society as we currently know it. Thus if a person felt that way it would not be surprising if they started taking measures to mitigate the effect such a collapse will have on them.

The problem is, there are very distinct security issues involved, thus the saying,

    No man is an island.

That is you can never ever be truly independent of the world around you. There are many things that are hard for one person but much easier for two or more. Look up things like a Mennonite or Amish community "barn raising" to see what all of our ancestors did in one way or another. The only way mankind can progress is by utilising spare capacity, many think the Egyptian Pyramids were raised by slave labour, well more modern historians think not. The reason was due to the nature of the Nile delta and its seasons much of the Egyptian work force had time on its hands for part of the year. Thus Pyramid building much like the later building of Christian Churches and their contents was a way for people to be "employed and out of trouble" along with fulfilling a basic human need to be part of something greater than themselves. It also importantly allowed for people to specialize in one "craft or trade" thus advance that domain. In time they would form master and apprentice relationships to pass along those skills. This specializing became more obvious with population density, which allowed groups of likeminded specialists to form Guilds that set standards and formalized both education and regulation as part of "reputation".

There is the proverb of,

    It takes a village to raise a child

In essence this captures the purpose of community to be not just greater than any individual but for otherwise disparate people to gain an identity and common outlook to form a society where there is mutual trust and mores, and importantly spare capacity in labour.

Many of those currently seeking to prepare for societal collapse don't appear to be cognizant of this, thus unless they learn it their future should there be a collapse will most probably be unpleasant, brutish, painful, and short lived.

As you may have heard there is a current national security scare going on in China. Two people came to the densely populated Beijing and having become noticeably very ill were diagnosed in hospital with "The Plague". Unlike the "black death" of medieval times that decimated Europe and brought about significant social change. What has presented is not Bubonic Plague but its rather more infectious Pneumonic plague,

https://www.theguardian.com/world/2019/nov/13/two-people-diagnosed-with-pneumonic-plague-in-china

With modern medicine from a complex society pneumonic plague is more of a nuisance than an existential threat as it is fairly easily treated with modern antibiotics if diagnosed early. Thus the problem is the initial diagnosis as many respiratory illnesses present in very similar ways.

However as Madagascar found a couple of years ago, if not caught early it can get out of hand quickly,

https://www.nytimes.com/2017/10/06/health/madagascar-plague.html

But importantly Madagascar has a known problem hiding away, which is an "Anti-biotic resistant Y-Pestis strain" that can be easily spread by aerosol from coughs and sneezes or by simple contact.

Thus like Avian Bird Flu virus, the mutation of the Y-Pestis bacteria is seen as the potential start point of a pandemic that could spread the way the 1918 flu did which killed many millions of people.

Small societies do not have the spare capacity of labour to create modern medicines thus as with the bubonic plagues of the medieval and later times 60-100% of such a population will die from what is in most cases a treatable illness.

Thus there is a basic conflict, as the size of a society grows, a certain point is reached and a pandemic occurs and the society gets either wiped out or critically changed. As various studies have shown the society size is ~40,000. The only places larger population sizes occurred were Japan and The UK, the reason for this we now know was that tea drinking was prevalent if not the norm there and it has certain antimicrobial properties.

Sherman Jay • November 23, 2019 12:38 AM

@Clive Robinson,

Thanks for your always insightful perspective regarding societal trends. I've read about the 'tons' of antibiotics used in raising various food animals and how that has been contributing to the rise of antibiotic resistant bugs. It makes me wonder about how selfish and shortsighted some (many) segments of society are.

And then there is the issue of the huge numbers of people who get deadly infections which are lurking in hospitals.

Maybe, one technique for increasing physical security and reducing the pandemics would be if instead of 'no man is an island' we should practice limited and disciplined physical contact in arenas where contagion would be hastened. Thus, 'every man should be an island' at appropriate times.

Petter • November 23, 2019 2:56 AM

Another Squid…
But for surveillance.

Streamlined Quick Unfolding Investigation Drone (SQUID)
hxxps://arxiv.org/pdf/1911.05639.pdf
hxxps://youtu.be/sQuKJfllyRM

David Leppik • November 23, 2019 9:53 AM

@Sherman Jay:

I've had a Nissan Leaf since 2015, and I love it. It's pure econo-car, but with rocket-like acceleration. It's the lowest trim level (S) which means I can't warm it up remotely, but neither can the rest of the Internet. (No cellular radio.)

I was right to be paranoid about security; turns out the remote control app. Turns out that at the time I bought my car, Nissan's remote control app connected to a web service that used the car's VIN to authenticate the app.

These days it's hard to find a car that isn't internet connected, so I don't think Tesla is distinctive in that regard. As far as I know, all new cars have a local network path between the cellular radio and the accelerator. Elon Musk, unlike other car CEOs, comes out of Silicon Valley and he seems to understand the risks better than the rest. He's tweeted that his worst-case scenario is a network-wide hack, for example that all Teslas simultaneously start driving to the same geographic location.

Anyway, I drive my Leaf in Minnesota, so if you have any questions about cold-weather driving, feel free to email me at david at leppik dot net.

JG4 • November 23, 2019 11:24 AM


https://www.nakedcapitalism.com/2019/11/links-11-23-19.html
...

The CIA’s Jack Ryan Series Is ‘Regime-Change’ Propaganda Aimed At Venezuela Mint Press (Chuck L)
...

Big Brother is Watching You Watch

Personal and Social information of 1.2 billion people Discovered in Massive Data Leak Data Viper. A less geeky version at Wired: 1.2 Billion Records Found Exposed Online in a Single Server

DOD Joins Fight Against 5G Spectrum Proposal, Citing Risks To GPS ars technica. Haha, this is getting fun!

NYC Creates a High-Level Position To Oversee Ethics In AI engadget. Why do I think this position was created for Cathy O’Neil (author of Weapons of Math Destruction)? Although they might want someone with more bureaucratic experience.
...

Clive Robinson • November 23, 2019 12:35 PM

@ Michael, ALL,

Signal users in China have a side-channel app installed 70% of the time, and Western journalists recruiting sources aren’t being clear about the risk.

The side-channel app concerned is an IME or "Input Method Editor" or software keyboard, that has an online spell checker or equivalent which is the side-channel that leaks the key strokes.

Software keyboards especially those with built in spell checkers are a known "End Run Attack Vector". That is some actually talk not to a spell check file on your device, but as with "Google's search input box with javascript enabled" it uses an online spell checker that can be used to "finger print" you via not just any spelling mistakes you make but also your typing cadence/tempo as well as specific key to key timings.

As it works on the "User Interface" side of the Signal app it matters not a jot how secure Signal is or is not or what fancy tricks it might use. I mentioned this issue with smart device keyboards with spell checkers on this blog quite a while ago as an idea. I then did some prototyping to confirm that the idea was valid (and it is).

Also because of the way it works anyone on the Internet who is at an upstream node of you can also see these spell check packets. Without the need of having to MITM attack your comms channel, or be on the server in some way. That is purely passive monitoring as in "collect it all" is more than sufficient. That is even though encryption is used the result is due to the timings effectively a "Simple substitution cipher"...

To be honest I've been waiting for graduate students to "pick up on this" and see how long it was before they experimented and an academic paper appeared out of the likes of the UK Cambridge labs or the Technion-Israel Institute of Technology and Tel Aviv University. Unless I've missed it, it's not yet happened...

That said I've been waving a red flag about this danger with end run attacks and ALL secure messaging apps for longer than Signal has been around. I've also indicated how you solve the problem (move the secure end points beyond the communications end points).

But as per usual people get "Fanboi techno-junkie goggle-eyes that blinker their security vision". So badly they do not want to see their security is actually "non-existent". Which whilst it is tough for them it is much much worse for people who mistake the Fanboi "gushing nonsense" as valid security advice, which fairly obviously it is not. The result is I would be fairly sure is the Fanboi nonsense has been responsible for the deaths of people in repressive and vindictive regimes...

As I keep pointing out,

    If your communications end point is beyond your security end point you don't have any security and are subject to easy end run attacks.

So peoples "Get wise or die" in life's jungle, it's called evolution or "survival of the fittest", and Fanbois are a "prey species" fit only to be bitten upon savagely by those who hunt to kill, financially or for real.

Rj Brown • November 23, 2019 12:59 PM

@vpt: Anyone who runs a vnc server on the internet is asking for trouble unless it runs in a tunnel, such as a port mapped ssh tunnel or other vpn-like arrangement.

SpaceLifeForm • November 23, 2019 3:30 PM

@Rj Brown

"Anyone who runs a vnc server on the internet is asking for trouble unless it runs in a tunnel, such as a port mapped ssh tunnel or other vpn-like arrangement."


No, on the VPN.

Seriously. No VPN. No TOR. Just NO.

And, you are not going to be able to do the port mapping, unless you really, really control the end-points.

Which, in reality, you don't. MITM.

Did not MITM just come up recently?

Seriously. No VPN. No TOR.

You will stand out.


@Clive can explain this dilemma.

Oh, wait. He has. For decades.


Curious • November 24, 2019 5:59 AM

To add to what I wrote:

The authors of the pdf file above don't simply list things as I alluded to, but apparently discuss various aspects.

Curious • November 24, 2019 6:41 AM

Here is a detail I thought was amusing, as read from their paper (re. my post above):

This is called a Duplicate Signature Key Selection (DSKS) attack [62, 257, 231]. It turns out that some (but not all) signature schemes secure in the Goldwasser-Micali-Rivest sense can fall victim to the DSKS attack. Interestingly, RSA with variable encryption exponent e is vulnerable, whereas RSA with fixed e is not. Although conventional wisdom says that randomness in parameter selection increases security — in which case RSA with e randomly generated for each user would be more secure than system-wide e = 3 or e = 65537 — the opposite is true if one needs protection from DSKS. Allowing more variability in key selection plays to the advantage of the DSKS adversary.

Curious • November 24, 2019 7:32 AM

In a super serious remark by the authors at the end of the paper (re. my post above), they make the point that they do believe in scientific progress, vs the idea of a "post-modern cryptography".

The way I see it, me being interested in philosophy: there would be no paradox, or rather, no dichotomy in this (read: believing or not believing in scientific progress). The general idea of something being 'post modern', is, and has imo always been something of a generalization and a characterization, and so, any notion about discounting 'scientific progress' as I see it, wouldn't really be a statement about scientific research as such, but a remark on the world at large being necessarily fallible, or rather, expected to be fallible because the world is after all inhabited by what one could think of as generally dumb (read: idiosyncratic, stubborn, ignorant and perhaps hopelessly romantic) human beings.

SpaceLifeForm • November 24, 2019 3:07 PM

LOL

"Stop using the internet. We can see you."

What is your point?

You are not telling me or anyone here any news.

turn off all spellchecking • November 24, 2019 4:30 PM

"inplied" is supposed to read as "implied" (implications of).
OTP mandate fails with typos

SpaceLifeForm • November 24, 2019 4:56 PM

@ en ess eh tee eh oh


You may be legit, but the problem that you need to be looking at, is not me. You need to be looking *inside*

You are compartmented. You are not seeing the big picture.


JG4 • November 24, 2019 4:58 PM

https://www.nakedcapitalism.com/2019/11/links-11-24-19.html
...

Cryptoqueen: How this woman scammed the world, then vanished BBC. Former McKinsey consultant takes the punters for $4 billion with “OneCoin” cryptocurrency scheme. “The total worth of the cryptocurrency market has fallen to $139.7 billion – a staggering 80-percent-plus downswing compared to a $819 billion market cap in January 2018.” So 4 / 139.7 = 0.02863278453829635 or 2.9%. That’s impressive. As Yves has always said: Cryptocurrencies are “prosecution futures” (2017). And, of course, Companies House! See our own Richard Smith here (also 2017).
...

Data Enrichment, People Data Labs and Another 622M Email Addresses Troy Hunt

Driverless car groups look past the engineering challenge FT. I’ll bet they do.

Amazon files lawsuit contesting Pentagon’s $10 billion cloud contract to Microsoft Reuters (Re Silc).
...

Defecting Chinese spy offers information trove to Australian government The Age but China says alleged spy in Australia is a fraudster FT

...[I've seen the claim that Pennsylvania suspended reporting of birth defects in the wake of the Three Mile Island accident, allegedly because of an alarming spike]

Pennsylvania To Spend $3M To Study Possible Link Between Fracking And Spike In Childhood Cancer KDKA
...

Clive Robinson • November 24, 2019 6:23 PM

@ JG4,

With regards "crypto-currencies",

    First Duck and Cover!

Before I say... They are at best a "Tulip market" or more likely a "South Sea" style securities fraud, the nature of which has been predictable for something like three centuries,

https://www.library.hbs.edu/hc/ssb/crimeandlaw/fraudsecurities.html

But oddly perhaps is,

Pennsylvania To Spend $3M To Study Possible Link Between Fracking And Spike In Childhood Cancer

It might link indirectly with the China GPS "crop circles" story.

What they both have in common is "silica". That is with regards the China crop circles there is an assumption that it is the "Sand Mafia" and sand is a form of silica. But less well known and of considerable environmental and health concern is that many types of "Fracking" use a form of silica. The silica used has health warnings because if inhaled or ingested it can cause problems due to the almost indestructible nature of the silica and the fact it is both hard and sharp (think microscopic shards of glass as an analogy).

Whilst it is known silica is involved with some biological processes scientists and doctors know next to nothing about what its effects are. This is due to the difficulty of running control trials as silica is one of the more abundant chemicals in our environment and it's close to impossible to screen it out currently.

The other thing to note is Pennsylvania has a problem, it was a coal and uranium state. Two parts of the mining industry that have declined and thus created unemployment issues. Thus the state government has been looking at Fracking as a way to somewhat alleviate the economic depression. But...

https://www.desmogblog.com/2019/11/22/coal-pennsylvania-beaver-county-natural-gas-shell-plastics

We need to think carefully what our priorities are with regards economic security, shutting a CO2 belching Coal Fired power plant for a gas to plastic feed stock plant that belches out three times as much CO2 is not just bad environmentally it's also shortsighted. Because that CO2 does damage not just to the environment but people as well, and at some point that damage will need to be sorted out and that could be extremely costly in quite a number of ways, probably more so than the plastic feedstock plant will ever bring to the area.

SpaceLifeForm • November 24, 2019 7:22 PM

@ en ess eh tee eh oh

I may be willing to entertain your gist.

But you need to throw me a tasty breadcrumb.

Or two. Prove yourself.

Until any TLA proves themselves worthy, none are trustable.


Weather • November 24, 2019 8:20 PM

Some black sand have rare earth minerals and titanium. Maybe the markets are having a hiccup with supply and demand, or extra storage for a short.
In lists and outliers it explained about fishery, this might just be out of bounds potchen, or to stabilize the market with fake end of month mined capacity.

MarkH • November 25, 2019 6:09 AM

@JG4:

Years ago, when BitCoin was still a novelty, I heard that "prosecution futures" had become a common nickname for cryptocurrency among US federal prosecutors.

I suspect that the primary uses for cryptocurrencies are still financial speculation and facilitation of crime.

Clive Robinson • November 25, 2019 3:30 PM

@ vpt, SpaceLifeForm,

From the article,

    Initially, we located the Linux instance in a Romanian-hosted server. Unfortunately, we do not have further insights regarding the delivery vector used to deploy the Linux variant.

Which is becoming more the case day by day. Which is why I,

1, Have my private network "energy gapped".

2, Have both cookies and javascript turned off in the browsers I do use.

3, Do not put any PII or financial information or other "private" information on any machine that can be connected directly or indirectly to a communications system (even bluetooth, NFC, ZigBee, and the like).

@ ALL,

As some of the "usual suspects" will confirm I've been saying this for several years, this is the absolute minimum you should consider if you want even a small modicum of privacy.

This sort of attack is just going to get worse with time not better, regardless of what commodity OS you use (Apple's offerings included).

We already know that IoT devices are more often than not some form of Trojan Horse, as are many low end network devices such as home routers etc.

Many people now grok "no glove no love" as an analogy to using ICT systems, however most "ICT gloves" have more holes than a cheese grater.

Thus your only safe way with this game is as was said back in 83 "not to play".

Whilst it used to sound like paranoia a decade or more ago, increasing numbers of people are realising, it's just "sensible behaviour" these days.

For those that think they might be smarter than a cracker, you might be right, but how about the tens of thousands of crackers world wide? The short answer is "no way" the numbers are against you.

Anders • November 25, 2019 3:54 PM

@Clive

How do you do banking without PII & being online?

In some countries/regions even now online banking is the
only option because of local bank branch is closed down.
OK, nobody says that privacy should be cheap or convenient,
but still, banks are optimizing their costs, they choose
online model more and more and sooner or later this model
takes over and you have no option to use online banking to
make some payments.

For clarification - it's nearly impossible to operate only with
cash here in Estonia. There are some services that refuse to
accept cash and demand only bank transfer - one example
would be some government services - passport or ID card renewal
etc.

Hold_yOurs ~ = ~ • November 25, 2019 8:02 PM

Please do not fear, senorita.
Etnorias = Senorita.
~ = ~

really?
yes, really.

Q=Question(s) • November 25, 2019 8:21 PM

I'm not Canadian, but there was once a famous Canadian who hypothesised that various famous international people were related to US Americans.

I tend to feel that certain people have been largely misunderstood and unfairly gossiped about...

https://i.postimg.cc/MKfWPVfF/uplifted.png

Sincerely,

I need to be done for a while...

( https://m.media-amazon.com/images/M/MV5BZDQ2MjE3NjQtNmNkMC00NTA5LWIyNDQtM2MyZDFmMzE0MmZkXkEyXkFqcGdeQXVyMTk2MzI2Ng@@._V1_.jpg ) ...therefore I will.

Clive Robinson • November 26, 2019 6:29 AM

@ Anders,

How do you do banking without PII & being online?

Well in London there are sufficient bank branches that you can still go to a counter and talk to a real person during working hours.

The question of PII can be sidestepped in a number of ways. Under EU law you will see the expression "Any person legal or natural" you as an individual come under "natural" any company, partnership or trust including "Limited Liability Partnerships" (LLPs) and "bearer bond companies" and a few others come under "legal".

These "legal" entities are assumed to be managed by other "persons" and at the distant end of the ownership chain a "natural" person with a "directing mind" will be found. Such chains/nets at the leaf ends are often called "shell companies". As with all technologies their use is "agnostic" that is they can be good or bad. Further the anonymity they can convey is not "criminal" though many would like to tell you it is especially the IRS etc. One "good use" is to prevent "harassment of owners", this came to a head in the UK some years ago with some "animal rights activists" harassing and terrorising people legally going about their jobs simply working at companies (see Huntingdon Life Sciences, that led to changes in law with regards access to company information and personnel details kept on public registers).

Anders • November 26, 2019 10:39 AM

@Clive

OK, but what's the price difference between making transfer
via real teller and making the same transfer via internet
banking?

Here using real teller the fee is considerably higher.
Considering that the PII i use during bank transfer is
known to the government anyway i don't see any difference.
Bank knows my PII anyway and so does the ISP.

Whoever is capable of setting up the MITM attack against me can
get those details about me a lot more easily and a lot more of them,
if they don't already. ID card and passports are issued here by
Police - they have even everyone's fingerprints who ever applied
for new passport etc.

Currious • November 26, 2019 11:11 AM

Speaking of banks. It seems that my large national bank is basically lying to its customers in claiming that the bank is forced by the law to ask for existing customers ID to adhere to anti-money laundering rules, and also threatening closure of accounts and services. They say this on their website, and also send people SMS messages saying this. What the bank does apparently lie about, is demanding people to show a valid passport when using BankID or have their bank account closed and services terminated by some stated deadline. A passport from the police, if you didn't have it already, will cost you something equal to $50 and some 10 days of delay. Now.. the financial government agency states on their webpage, that you only need to show a valid driver's licence. A passport is not required ID. So who is lying here? Surely the bank. The worst part of all of this is ofc, the threat of closing ones bank account and services. Presumably, the money laundering rules is based on US initiative. I've been wondering if maybe mass production of passports (that aren't even really needed) could be a security or privacy risk, but I don't know what to think of it. I guess, maybe if such data is given to other countries, then maybe they in turn can duplicate and abuse one's own passport to maybe have CIA agents running around with your passport, but, I don't really know if that makes much sense again. Another and perhaps more reasonable idea, is this notion of a global personal record. A record of everybody on Earth alive in some US database somewhere.

SpaceLifeForm • November 26, 2019 12:41 PM

@ Anders, Curious

It's actually simple. You have to be rich, powerful, in position to blackmail, and then be able to get a fake passport.

JE had one (or more).

SpaceLifeForm • November 26, 2019 1:22 PM

@ HP

What were you thinking?

Seriously, what were you thinking?

Or smoking?

Why? There is zero reason to do this.

No reason for a counting clock in the firmware. (I can see a reason for a clock, but not to track hours of operation)

That tracks hours and has a Y2k rollover problem at 32k hours.

This looks like criminal planned obsolescence.

If hard power down can not reset the counter, that makes it even more suspicious.

Which, then says the hour counter is being stored in flash, possibly in conjunction with a long-lived battery or cap, which means it is not a 'bug'.


https[:]//support.hpe.com/hpsc/doc/public/display?docId=emr_na-a00092491en_us

Bulletin: HPE SAS Solid State Drives - Critical Firmware Upgrade Required for Certain HPE SAS Solid State Drive Models to Prevent Drive Failure at 32,768 Hours of Operation

...

The issue affects SSDs with an HPE firmware version prior to HPD8 that results in SSD failure at 32,768 hours of operation (i.e., 3 years, 270 days 8 hours). After the SSD failure occurs, neither the SSD nor the data can be recovered. In addition, SSDs which were put into service at the same time will likely fail nearly simultaneously.


Anders • November 26, 2019 1:30 PM

@SpaceLifeForm

Currently even ordinary mechanical HDDs track operational time
to write down when the failure occurs. One example:

SMART Error Log Version: 1
ATA Error Count: 15 (device log contains only the most recent five errors)

/--/

Powered_Up_Time is measured from power on, and printed as
DDd+hh:mm:SS.sss where DD=days, hh=hours, mm=minutes,
SS=sec, and sss=millisec. It "wraps" after 49.710 days.

Error 15 occurred at disk power-on lifetime: 4348 hours (181 days + 4 hours)
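
The two rollover figures quoted in the comments above (32,768 hours and 49.710 days), worked through as an added example that is not code from the blog, the commenters or HPE. The inventory, field names and array names are constructed, the `patched` flag is supplied by the operator, and the 32-bit millisecond counter is an assumption chosen because it reproduces the quoted wrap figure.

```python
from dataclasses import dataclass

# Figures taken from the thread above.
HPE_FAIL_HOURS = 32_768   # HPE bulletin: failure at 32,768 hours (numerically 2**15)
SMART_WRAP_MS = 2**32     # assumption: 32-bit millisecond counter for Powered_Up_Time


def split_hours(hours):
    """Convert an hour count to (years, days, hours) using 365-day years."""
    days, rem_hours = divmod(hours, 24)
    years, rem_days = divmod(days, 365)
    return years, rem_days, rem_hours


def smart_wrap_days():
    """Days until a 32-bit millisecond counter wraps."""
    return SMART_WRAP_MS / (24 * 60 * 60 * 1000)


@dataclass
class Drive:
    serial: str          # constructed identifier
    array: str           # constructed RAID array name
    power_on_hours: int  # as reported by the drive's SMART power-on lifetime
    patched: bool        # operator-supplied: firmware already at the fixed level


def hours_remaining(drive):
    """Hours left before an unpatched drive reaches the bulletin's threshold."""
    return max(0, HPE_FAIL_HOURS - drive.power_on_hours)


def largest_cluster(hours, window):
    """Largest group of values within `window` of each other: (size, first value)."""
    hours = sorted(hours)
    best = (0, None)
    start = 0
    for end, value in enumerate(hours):
        while value - hours[start] > window:
            start += 1
        size = end - start + 1
        if size > best[0]:
            best = (size, hours[start])
    return best


def arrays_at_risk(drives, tolerated_failures, window_hours):
    """Arrays where more unpatched drives reach the threshold within
    `window_hours` of each other than the array's redundancy tolerates.

    Returns a list of (array, drives_in_cluster, hours_until_first) tuples,
    soonest first. This is the "put into service at the same time" case
    from the bulletin."""
    by_array = {}
    for d in drives:
        if not d.patched:
            by_array.setdefault(d.array, []).append(hours_remaining(d))
    flagged = []
    for array, remaining in by_array.items():
        size, first = largest_cluster(remaining, window_hours)
        if size > tolerated_failures.get(array, 0):
            flagged.append((array, size, first))
    return sorted(flagged, key=lambda item: item[2])


# Constructed inventory: two arrays, each with drives installed together.
INVENTORY = [
    Drive("A1", "raid5-a", 31_000, False),
    Drive("A2", "raid5-a", 31_010, False),
    Drive("A3", "raid5-a", 12_000, False),
    Drive("B1", "raid6-b", 30_000, False),
    Drive("B2", "raid6-b", 30_005, False),
    Drive("B3", "raid6-b", 30_500, True),
    Drive("B4", "raid6-b", 9_000, False),
]
TOLERATED = {"raid5-a": 1, "raid6-b": 2}  # drive losses each array survives

if __name__ == "__main__":
    print("32,768 h =", split_hours(HPE_FAIL_HOURS))
    print("4348 h   =", split_hours(4348))
    print("wrap     = %.3f days" % smart_wrap_days())
    for array, count, first in arrays_at_risk(INVENTORY, TOLERATED, 72):
        print(f"{array}: {count} unpatched drives reach the threshold "
              f"within 72 h of each other, first in {first} h")
```
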

vas pup • November 26, 2019 2:03 PM

Huawei affair: German 'insult' on spying angers US
https://www.bbc.com/news/world-europe-50557876

"During a TV debate on Huawei on Sunday, Mr Altmaier recalled the 2013 scandal over US surveillance of Nato allies via the National Security Agency. It emerged that the NSA had even spied on Chancellor Angela Merkel.

Mr Altmaier said that "Germany still did not impose any boycott" on the US despite the NSA scandal.

"The US also demands from its companies that they pass on certain information needed to fight terrorism," he said.

His remark was an apparent riposte to US fears that Huawei, a world leader in new-generation mobile technology, would pass on sensitive data records to the Chinese government."

Clive Robinson • November 26, 2019 2:11 PM

@ Anders,

    OK, but what's the price difference between making transfer via real teller and making the same transfer via internet banking?

To be honest I don't know, I personally try not to make transfers by the bank and the last one I made had no fee attached.

I try to be a strictly "cash only" shopper on the principle of "if you don't use it you lose it".

Thus you could say the cost I pay is not getting the likes of Amazon discounted pricing (but as the only time I tried to use Amazon they defrauded me, that was not a discount but a cost...).

But the real cost the majority of people in the UK make is not getting paid any kind of interest on the sums of money they pay into bank accounts. Even when interest is paid there is often some catch like you are not allowed to make withdrawals and the higher rate interest (slightly less than 2% rather than less than 0.01%) is only paid for a year. Then there were "Bank Charges" at ridiculously large rates (think 1000%) which caused even the UK Gov to be embarrassed and put some kind of cap on it.

But business banking in the UK is even more of a minefield and it's not been unknown for certain well known banks to drive small companies into bankruptcy then asset strip them via their own "receivers / administrators" making very large unwarranted fees in the process.

Thus in the UK, banks appear to work on the "push them into debt then fine them until dead" model.

Then there are "credit cards" and "loyalty cards" with their own hidden profit mechanisms, which you might not see directly, but via merchants putting up their prices to cover.

SpaceLifeForm • November 26, 2019 2:25 PM

Pure idiocy security fail.

No link needed.

"These three products used a weak encryption cipher (XOR) and hardcoded cryptographic keys to communicate with various FortiGate cloud services."

SpaceLifeForm • November 26, 2019 2:40 PM

@Anders

As you pointed out, SMART wraps.

It handles the rollover.

It does not *BRICK* the drive.

Anders • November 26, 2019 3:31 PM

@SpaceLifeForm

This was an example why they need time tracking.
If you see my example you see that wraps occur but time is still calculated
beyond those wraps.

49,7 days is 2^32 millisec
180 days is beyond that wrap.

However HP coders are legendary with their mistakes :)
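Added example, not part of any comment in this thread and not HPE's or any drive vendor's firmware: a small C model of the two counters discussed above, a free-running 32-bit millisecond tick that wraps every 2^32 ms while lifetime hours keep accumulating, and an hour count that stops being usable at 32,768. The signed 16-bit storage field and the strict sanity check are assumptions made for illustration; the HPE bulletin quoted above does not state the cause.

```c
#include <stdint.h>
#include <stdio.h>

#define MS_PER_HOUR 3600000u

/* Lifetime tracker fed by a free-running 32-bit millisecond tick. */
struct lifetime {
    uint32_t last_tick;  /* raw tick value at the previous poll */
    uint64_t total_ms;   /* wide accumulator that survives tick rollovers */
    unsigned wraps;      /* number of times the raw tick rolled over */
};

/* Poll the raw tick. Unsigned subtraction is modulo 2^32, so the delta is
 * still correct across a rollover, provided polls are < 2^32 ms apart. */
static void lifetime_poll(struct lifetime *lt, uint32_t now)
{
    if (now < lt->last_tick)
        lt->wraps++;
    lt->total_ms += (uint32_t)(now - lt->last_tick);
    lt->last_tick = now;
}

/* Simulate a drive powered for `hours`, polled once per simulated hour. */
static struct lifetime run_for_hours(uint32_t hours)
{
    struct lifetime lt = {0, 0, 0};
    uint32_t tick = 0;
    for (uint32_t h = 0; h < hours; h++) {
        tick += MS_PER_HOUR;       /* raw tick wraps silently at 2^32 ms */
        lifetime_poll(&lt, tick);
    }
    return lt;
}

/* ASSUMPTION: the hour count is persisted in a 16-bit field and read back
 * as a signed value. Decoded by hand to avoid implementation-defined casts. */
static int32_t read_hours_s16(uint64_t true_hours)
{
    uint16_t raw = (uint16_t)true_hours;   /* what fits in the field */
    return raw >= 0x8000u ? (int32_t)raw - 0x10000 : (int32_t)raw;
}

/* Hypothetical strict check: a negative hour count is treated as fatal. */
static int strict_check_ok(int32_t hours)
{
    return hours >= 0;
}

/* Tolerant alternative: clamp the stored value instead of letting it roll
 * over, so the field stays valid even if it stops being precise. */
static uint16_t store_hours_saturating(uint64_t true_hours)
{
    return true_hours > 0x7FFFu ? 0x7FFFu : (uint16_t)true_hours;
}

/* First power-on hour at which the strict check rejects the stored value. */
static uint32_t first_rejected_hour(void)
{
    for (uint32_t h = 0; h < 100000u; h++)
        if (!strict_check_ok(read_hours_s16(h)))
            return h;
    return 0;
}

int main(void)
{
    /* 4348 hours is the power-on lifetime in the SMART log quoted above. */
    struct lifetime lt = run_for_hours(4348);
    uint32_t bad = first_rejected_hour();

    printf("tick wraps: %u, lifetime hours: %llu\n", lt.wraps,
           (unsigned long long)(lt.total_ms / MS_PER_HOUR));
    printf("signed 16-bit hour field rejected at hour %u (%u days + %u hours)\n",
           bad, bad / 24, bad % 24);
    printf("saturating store at 40000 hours reads back as %d\n",
           read_hours_s16(store_hours_saturating(40000)));
    return 0;
}
```

The first case matches the SMART behaviour described in the thread (the tick wraps, the lifetime does not); the second shows why a narrow field needs either a wider type or a defined behaviour at its limit.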

Listreal • November 26, 2019 5:31 PM

@vas pup

There is a link to crafting your own encryption:
".. researchers working on this study also tried to create resistant viruses in the lab to test whether the new antibody would still work."

Sounds an awful lot like "successfully" creating an uncrackable (by yourself) encryption.

It'd be nice if the flu were killed off, but I do wonder why nobody in a hundred years managed to make a vaccine which targeted only the unchanging parts of the virus.
I'd guess that given sufficient exposure to this new vaccine, some variant of the influenza will adapt and survive, unfortunately.

If 2020 were the year influenza vanished off of the face of the planet, it'd be something, all right. Thanks for sharing, but I'm not holding my breath.


@HP SSD counter
Intel has had the same issue, some server SSDs die after 1700~ days without a patch. Planned obsolescence in its latest incarnation, disguised as "honest mistake". It's a commonplace management decision to order the engineers to implement this.

Anders • November 26, 2019 6:00 PM

This would be interesting to read after HP bug:

en.wikipedia.org/wiki/Time_formatting_and_storage_bugs

Amazingly, we have many of them!

Not Lacking Imagination • November 26, 2019 7:12 PM

*I*M*P*O*R*T*A*N*T*

Please abstain from encouraging the development of severely damaging (and potentially lethal) devices and procedures.

These topics aren't merely for entertainment nor folly nor intrigue nor as some kind of DADAist punk rock rebel ethos style. This site isn't depicted nor supported as a clearinghouse of doomsday devices nor weapons; that's not what this site is for.

Please take the time out to review from several (5 or more) independent sources and mediums what 'Security' means.

Also, I realise that many talented people in this field are drawn to it because of a need to manage or forget specific neurological injuries or addictions or profound behavioral disadvantages.

You have my empathy, really you do. However, it's still always in my interests to naturally discourage anyone and everyone that I may from accidentally or deliberately causing massive quantities of suffering and death.

Not everyone is able to extrapolate from information those kinds of very real risks and possible extreme damages. Unfortunately, culturally, a lot of the emotional "fun" and "enjoyment" is directly coupled to a kind of cognitive blindness or reluctance to know of the types of extreme risks and damages that most others unanimously avoid at almost all costs for the best of reasons.

Part of why I keep coming back to this site is similar to why I check up on any given incident on the spectrum from anomaly to tragedy; I prefer to have some kind of awareness of how bad (or not bad) items are so I am better prepared to decide how to respond or not respond and when.

Yes, this is still about Security. If anybody feels like maliciously chastising me on this topic, I welcome you to do so from the grave of your choice; I prefer safety, not violence. Those who are homicidal & therefore partially suicidal, go ahead and take yourselves out; your suicidal tendencies are your free choice; no need to involve anyone else; we don't stand in your way; the digital facade doesn't inhibit your Thanatos.

More simply put, in the interests of Security; those who want to risk and diminish the safety of all other lives and minds to engage us in an induced delivery to them of their own suffering don't require us for that; they are mistaken; they can commit suicide in the simple ways and remove themselves from this world and it will be thus likely more safe and secure.

There's no shame in that for anyone.
And I've made similar comments several times in the past.
It's still a valid stance;

Q: Why wait for those with addiction to true danger to accomplish what safety lovers and security lovers and stability lovers never want?
A: We should not wait. We can help all groups and individuals involved and escort the danger lovers and damage lovers to the aperture of their end goal; we don't always need to kill them, but we shouldn't prevent them from killing themselves if it can be done such that no one else gets damaged nor hurt.

The primary serious caveat (exception) is that there have already been documented cases of previously peaceful and safety oriented people being radicalized by sadistic bullies to become self destructive and socially destructive and property destructive, even against their own will.

Think about it.
I think it's totally relevant.
Drill a hole into a boulder, and install a lock into that rock.
Then see who shows up to pick it.

vas pup • November 27, 2019 4:44 PM

@Bruce and @Listreal • November 26, 2019 5:31 PM

Moderator sanitized (deleted) my posting related to virus and chain of postings related by @Clive and other respected bloggers, but forgot to delete @Listreal post related.

So, thank you for @Listreal • November 26, 2019 5:31 PM post and other respected bloggers. I even could read @Clive post and other posts related before they were sanitized.

Conclusion: you snooze you lose.

JG4 • November 27, 2019 10:02 PM

@Clive - Sorry to hear about your head injury.

https://www.nakedcapitalism.com/2019/11/links-11-27-19.html
...

Big Brother IS Watching You Watch

Apple says recent changes to operating system improve user privacy, but some lawmakers see them as an effort to edge out its rivals WaPo

Senate takes another stab at privacy law with proposed COPRA bill Ars Technica

Amazon's Ring Planned Neighborhood "Watch Lists" Built on Facial Recognition The Intercept
...

V • November 28, 2019 4:21 AM

Thanksgiving greetings to @Bruce and all USAians here.

To all: don't buy any 'smart' things tomorrow.

Clive Robinson • November 28, 2019 5:11 AM

To all those folks that get a Thanksgiving, enjoy in peace and good will.

As for tomorrow, best not to spend unless you have researched, rumor has it in the UK it's replaced Xmas Eve as the time when the high street culls those who haven't thought things through :-S

Clive Robinson • November 28, 2019 5:44 AM

@ JG4,

    Sorry to hear about your head injury.

Thanks, it's not been easy in various ways.

Sadly though these things are on the rise (stabbing last night in Greenwich, London where I lived for a while, apparently the attack was for no reason[1], at least the victim is alive).

I guess it's a sign of the times and it does not bode well for all types of security the average citizen is interested in. All that gets put in place is at best "recording" (CCTV etc) not even reactive or proactive security.

Put simply as far as the purse string holders are concerned ignoring recordings, or reactively "hosing the blood down" when it cannot be ignored is considerably cheaper than putting boots on the ground to make deterrent effective.

As long as the purse string holders and their loved ones are not affected they care not how many "workers, children or similar" get injured, maimed or killed.

Exactly the same attitude is seen in our industry ICTsec, after all, why spend money stopping other people's details being stolen, there's no deterrent being handed down to the "controlling minds" so the ROI says "don't bother" even minimally "externalising the risk"...

It's why I pay cash where ever I can and I don't fill in warranty cards and the like. As for "cashback" offers that's just another way to commoditize people and not just reduce but destroy their privacy.

[1] http://news.met.police.uk/news/appeal-for-information-following-greenwich-stabbing-388415

Clive Robinson • November 28, 2019 5:24 PM

OK it's Thanksgiving, you have probably now got what feels like terminal indigestion from lunch. To make it worse now somebody not a million millimeters away from you is suggesting you might need a top off, with a late afternoon snack or if your close ancestors are Scottish a "High Tea"[1]...

Thus you need something else to be thankful about...

So instead of a heavy duty snack, how about some lightweight reading on a past that might have been but most thankfully was not,

https://zipcon.net/~kestral/win95.html

[1] For those without close Scottish relatives a Scottish high tea can be a days food in its own right. Not so long ago I had one just North of Edinburgh just over the other side of that wee babbling brook they call the Forth. It started with a large pot of tea and a nice selection of sandwiches that would put even the best of office lunches to mortal shame. This was then followed by a "main meal" I chose a rice and curry, which would have rivaled any Saturday night Indian restaurant visit, especially as it came with a rather nice beer. But this was not the least of it, to follow was a fine selection of cream cakes including to my surprise scones clotted cream and a fine selection of preserves, again accompanied by a large pot of tea. All I can say is that I am thankful to possess "hollow legs" ;-)

Clive Robinson • November 28, 2019 5:35 PM

For those that feel the need for a more substantial and serious read I offer,

https://eprint.iacr.org/2019/1336.pdf

It's authored by Neal Koblitz and Alfred Menezes, and is titled,

    Critical Perspectives on Provable Security: Fifteen Years of "Another Look" Papers.

Although 47 pages long, 13 of those are the references and it's an interesting read.

Clive Robinson • November 28, 2019 6:13 PM

Boeing blow up 777X in test

During a test of the new 777X Boeing managed to tear the hull explosively and blow a door out of the airframe,

https://www.seattletimes.com/business/boeing-aerospace/boeing-777xs-fuselage-split-dramatically-during-september-stress-test/

Disastrous as this sounds it was a very significant overstress test.

However the real problem is Boeing have been trying to play it down with some saying that Boeing have deliberately withheld the details of what they were up to and the results... Which some may take as being a sign Boeing are trying to hide something (probably not the case).

It is of course not helped by a comment by Transport Canada's manager of Aircraft Integration and Safety Assessment Jim Marko in an email. The comment about the lethal MCAS software was,

    "The only way I see moving forward at this point... is that the MCAS has to go"

The email was sent to US and UK regulators.

MarkH • November 29, 2019 1:16 PM

@Clive:

I well remember that in the 90s, the 777 test fuselage failed at 154% of the design limit, the requirement being 150%.

I thought, "those structural engineers are wizards: they got it just strong enough with overdesigning."

This time, their light weight composite version failed at 148% ... no cigar.

I agree that they're probably not trying to hide anything, but at this stage it's very foolish of them to risk being perceived as covering up.

Experienced advisors in organizational crisis management offer 3 rules for public communication:

• tell it early
• tell it all
• tell it yourself

Clive Robinson • November 29, 2019 3:33 PM

@ MarkH,

    Experienced advisors in organizational crisis management offer 3 rules for public communication

Yes, and they work, as several organisations can attest.

Hopefully whatever the problem is --if there actually is one[1]-- will be resolved fairly quickly. The workers at Boeing don't need any more issues if layoffs are to be avoided.

Boeing management need to realise that they are walking on egg shells currently and act with care.

[1] From what has been said, the test actually carried out was over and above that required by the US authorities, so the airframe could actually have passed.

MarkH • November 30, 2019 11:47 AM

@Clive:

If I understand correctly, the airframe did fail the test. Jet airliners are supposed to withstand any loading between -1.0 and +2.5 g.

The test incorporates a margin of safety of 1.5, so the certification test corresponds to 3.75 g, or 150% of the operating load limit.

[Note that +2.5 g is already pretty intense: a 200 lb man would feel as though six 50 lb sandbags were laid atop him.]

The airframe failed at 148% of the operating limit, or a little less than 99% of the certification requirement.

The load standard is already conservative, but on top of that the applied force must be sustained for at least 3 seconds.

And Boeing added extra conservatism, by pressurizing the hull more than would ever occur in flight.

The certification standards have worked well: it's extremely rare for people to die because aerodynamic loads broke an airliner.

The Seattle Times article you linked above is excellent, as per their usual; Boeing is an enormously important company in their region, and the newspaper has terrific access to aviation experts and insiders.

As they noted, the test airframe had millions of pounds of applied load -- and 9 meters of wingtip deflection -- by the time it failed.

Weather • November 30, 2019 1:17 PM

@MarkH
3.5gees is close to the stresses of a rocket launch. What I remember is from design they have 60% from what is design to the failed test, the fact Boeing added another 60% shows they understand chains, and also tested to failure shows their computer designs are accurate.
But the metal, whether steel, aluminum or titanium, manufacture adds a buffer, so maybe for cheaper production costs they got a second tier producer, or they Assume its values.

Clive Robinson • November 30, 2019 1:42 PM

@ MarkH,

    If I understand correctly, the airframe did fail the test.

It certainly failed the test Boeing engineers were carrying out. That is the airframe and door failed during a particular test.

But the question is was the test Boeing engineers were carrying out a valid certification test? Or something else?

As you've mentioned,

    And Boeing added extra conservatism, by pressurizing the hull more than would ever occur in flight.

Depending on how the test is written up for certification the test carried out this way might well have been "An invalid test for certification purposes" anyway.

Which means it could have been an in house "engineering test" for the design team. In which case they may be allowed to take the test again without the "added extra conservatism" and pass.

I've had similar test issues with specialized high power radio equipment and likewise low power equipment. The tests mandate certain test fixture arrangements and levels, some of which are absolute levels and some relative levels. When testing, test houses tend to "over test" in certain ways and can and often do move test antennas to get "max signal" or synthesize a "max signal" from a number of readings. Both of which can give "false high readings" especially when Open Air Test Sites (OATS) are used. There are also issues with test equipment and its protection mechanisms meaning test fixtures have to be very carefully designed and tested to ensure meaningful tests. The solution if you are running a certification test rather than an engineering test is to check the test equipment correctly and run the tests again as per specification.

It's one of the reasons why I am being cautious, technically that "added extra conservatism" whilst very useful for "in house testing" for design teams as all "test to destruction" tests can be, does not mean it's necessarily a certification test fail.

Further as I understand it the test failure is from a single undisclosed source who obtained photographs and test results after the test. Thus we don't know for certain if the test was "for engineering" or "for certification". The fact that the tests were augmented suggest it might be the former rather than the latter (or someone was trying to get two tests done for the price of one).

Thus we will have to wait and see what is said by the "official" spokesperson.

But whatever the augmented test was, the fact Boeing has handled the leak of its results not as well as they could/should have done at senior management levels is cause for concern not just with shareholders but employees as well.

At the end of the day, like it or not Boeing is significant not just to the US economy but also to US National Defence. Either way makes its health as a company a "US National Security" issue. Which will start raising questions as with the banks a decade back of "too big to fail mentality" and all that implies.

MarkH • November 30, 2019 6:56 PM

@Clive:

What I was trying to say, is that I'm quite confident it was a certification test, and that it failed (as reported, anyway) the regulatory standard.

The good news for Boeing is that because it came so close to passing, modest design changes (perhaps an extra layer of carbon fiber in strategic spots?) accompanied by a mechanical engineering analysis are expected to be sufficient for approval without a retest.

If memory serves, only two airframes in the original 777 program were reserved for destructive testing: the one which suffered broken wings, and another which was subjected to 120,000 simulated takeoff/landing cycles for fatigue testing.

The first to leave the ground was eventually delivered to an airline.

The price tag for 777X is about 350 million dollars. I guess that even a completely stripped airframe for load testing is close to 100 million ... because of the cost, the company is highly incentivized (to put it mildly) to extract as much engineering data as needed for their own purposes, from the load test required for certification.

I suppose the extra cabin pressure -- which perhaps lost them a "clean pass" -- was based on their own safety philosophy.

As the MAX disaster has abundantly shown, the cost (which may total to around 10 billion dollars) of killing people by getting the engineering wrong, puts the incentives in the right direction.

The cost of Infosec security is often accounted as pure loss, and the organizations responsible for security failure usually pay nothing, or find the penalties to be manageable.

In the airliner business, the shared understanding is that it's got to be right from alpha to omega.

Bob Paddock • December 2, 2019 8:13 AM

@Clive Robinson

"With modern medicine from a complex society pneumonic plague is more of a nuisance than an existential threat as it is fairly easily treated with modern antibiotics if diagnosed early."

One must not assume that the treatment itself is safe.

The problem here is that the antibiotic most likely to be used for Plague will be one from the Fluoroquinolone family. Such as Cipro or generic Levaquin (Actual Levaquin is no longer being manufactured due to its side effects). Plague and Anthrax are what these antibiotics are for. They are not for the things doctors most commonly give them out for, acute bacterial sinusitis, acute bacterial exacerbation of chronic bronchitis and uncomplicated urinary tract infections (UTIs).

For Immediate Release July 26, 2016

Release: The U.S. Food and Drug Administration today approved safety labeling changes for a class of antibiotics, called fluoroquinolones, to enhance warnings about their association with disabling and potentially permanent side effects and to limit their use in patients with less serious bacterial infections.

“Fluoroquinolones have risks and benefits that should be considered very carefully,” said Edward Cox, M.D., director of the Office of Antimicrobial Products in the FDA’s Center for Drug Evaluation and Research. “It’s important that both health care providers and patients are aware of both the risks and benefits of fluoroquinolones and make an informed decision about their use.”

Fluoroquinolones are antibiotics that kill or stop the growth of bacteria. While these drugs are effective in treating serious bacterial infections, an FDA safety review found that both oral and injectable fluoroquinolones are associated with disabling side effects involving tendons, muscles, joints, nerves and the central nervous system. These side effects can occur hours to weeks after exposure to fluoroquinolones and may potentially be permanent.

Because the risk of these serious side effects generally outweighs the benefits for patients with acute bacterial sinusitis, acute exacerbation of chronic bronchitis and uncomplicated urinary tract infections, the FDA has determined that fluoroquinolones should be reserved for use in patients with these conditions who have no alternative treatment options. For some serious bacterial infections, including anthrax, plague and bacterial pneumonia among others, the benefits of fluoroquinolones outweigh the risks and it is appropriate for them to remain available as a therapeutic option.

FDA-approved fluoroquinolones include levofloxacin (Levaquin), ciprofloxacin (Cipro), ciprofloxacin extended-release tablets, moxifloxacin (Avelox), ofloxacin and gemifloxacin (Factive). The labeling changes include an updated Boxed Warning and revisions to the Warnings and Precautions section of the label about the risk of disabling and potentially irreversible adverse reactions that can occur together. The label also contains new limitation-of-use statements to reserve fluoroquinolones for patients who do not have other available treatment options for acute bacterial sinusitis, acute bacterial exacerbation of chronic bronchitis and uncomplicated urinary tract infections. The patient Medication Guide that is required to be given to the patient with each fluoroquinolone prescription describes the safety issues associated with these medicines.

The FDA first added a Boxed Warning to fluoroquinolones in July 2008 for the increased risk of tendinitis and tendon rupture. In February 2011, the risk of worsening symptoms for those with myasthenia gravis was added to the Boxed Warning. In August 2013, the agency required updates to the labels to describe the potential for irreversible peripheral neuropathy (serious nerve damage).

In November 2015, an FDA Advisory Committee discussed the risks and benefits of fluoroquinolones for the treatment of acute bacterial sinusitis, acute bacterial exacerbation of chronic bronchitis and uncomplicated urinary tract infections based on new safety information. The new information focused on two or more side effects occurring at the same time and causing the potential for irreversible impairment. The advisory committee concluded that the serious risks associated with the use of fluoroquinolones for these types of uncomplicated infections generally outweighed the benefits for patients with other treatment options.

Today’s action also follows a May 12, 2016, drug safety communication advising that fluoroquinolones should be reserved for these conditions only when there are no other options available due to potentially permanent, disabling side effects occurring together. The drug safety communication also announced the required labeling updates to reflect this new safety information.

The EU version of the FDA:

European Medicines Agency’s (EMA) Pharmacovigilance Risk Assessment Committee (PRAC) has recommended restricting the use of fluoroquinolone and quinolone antibiotics

November 16 2018:

...Importantly, fluoroquinolones should generally be avoided in patients who have previously had serious side effects with a fluoroquinolone or quinolone antibiotic. They should be used with special caution in the elderly, patients with kidney disease and those who have had an organ transplantation because these patients are at a higher risk of tendon injury. Since the use of a corticosteroid with a fluoroquinolone also increases this risk, combined use of these medicines should be avoided...

– "Disabling and potentially permanent side effects lead to suspension or restrictions of quinolone and fluoroquinolone antibiotics" [ PDF ].

There are several other "Black Box" warnings such as mental aberrations.

Post-Ebola-Syndrome symptoms are identical to those of Fluoroquinolone poisoning. Due to Bayer donating millions of doses of Cipro during the Ebola outbreak.

As of this morning I'm now up to 44 people that have told me their own Intracranial Hypotension due to Cerebrospinal Fluid (CSF) Leaks started after taking a Fluoroquinolone. Something there is zero research on in the Medical literature; The Leak docs of the world are aware of the issue from my presentation at their first symposium.

While these antibiotics may very well save the person from death from Plague, they may very well wish for death if they experience any permanent disabling side effects from this class of medication. The effects are often delayed by weeks to months, so the person with the now devastated health does not associate it with the antibiotic they took sometime ago.
