Schneier on Security

Clive Robinson • November 30, 2019 3:20 AM

@ Anders,

As the author Sorell Slaymaker says,

We can limp along in the IPv4 world for years, as we have done for the past 20 years, until something truly better comes along.

But he has forgotton the lesson that the Internet almost always gives. Which is,

Backwards compatability is the excuse not to replace anything

So when he says,

NDN has the potential to be that truly better approach as the type of traffic on the Internet changes (lots of video and content), and the needs of the Internet change (more security).

He is just repeating what they said about IPv6 back in the mid 1990's almost to the word.

That is whilst "potential" is good enough for "new" ideas it is in no way good enough to "replace" existing technology, especially that which has countless millions of man hours invested in it.

The simple fact is people like the author have blinkered vision due to their rose tinted glasses. They see the rapid pace in consumer PC's etc, but do not see just how much is embedded and can not or will not be changed untill it reaches it's End Of Life (EOL) some 25-50 years from when it was designed[1].

I've mentioned this problem for many years on this blog you can look up "frameworks" and "NIST" against my name on a site search to find what I've said about how to fix the problem but it's something we should have done atleast a quater of a century ago, now it might be "to little to late" for a half century or so after, should we take the plunge, which is unlikely[2].

[1] Worse many who went to all the effort of "building IPv6" into product just to see it never used see it as "having been sold a pup". Thus they are likely to treat the same sort of idea sold the same way as "a festering pile" and take care to avoid going down the same waste of effort again.

[2] You can see the same problem in the mobile phone world. The service providers want to get rid of 2G, but they can not. The reason is the vast number of infrastructure embedded systems such as traffic light controlers, and pumps, valves, switch gear and even railway engine control systems and construction cranes. All using 2G interfaces because they were available at the lowest price at design time, and more importantly would "work where there is a signal" unlike 3G, 4G, LTE etc etc later protocols. Thus there is billions of dollars of investment in 2G that is "critical infrastructure" or similar in nature and as "any income is better than no income" the service providers will grudgingly keep supporting it.

Clive Robinson • November 30, 2019 2:23 PM

@ tds,

In the Facebook article you will find the name "Nick Clegg" whilst it may not be familiar to many, the man was the UK "Deputy Prime Minister" during the "David Cameron" Conservative Party coalition years.

For various reasons he had to leave his political party the Liberal Democrats and some say he has irreparably harmed the party.

The fact that it is a questionable politician making decisions about false claims by other politicians etc would in most cases be considered a clear case of "conflict of intetests". Especially as the UK General Election is less than a couple of weeks away...

You can gather a little more insight into Mr Clegg from,

https://www.theguardian.com/technology/2019/jun/24/nick-clegg-facebook-brexit-vote

Clive Robinson • November 30, 2019 3:47 PM

@ Just a Person,

For each single individual posted and published security vulnerability, provide two(2) or more fixes for such vulnerabilities.

Such a suggestion is a call for censorship from the bad old days of corporates throwing lawyers at software vulnerabilities rather than fix them.

It's been proved to be a compleate failure so why "reboil rotten cabbage"?

Secondly think on this point, whilst you do not need access to closed source software to find a vulnerability, you do need access to the closed source software to fix it "permanently". The very modle of closed source software is that nobody other than who the company execs decide should have access gets access. In fact in some countries having access without authorization would be a significant crimial act not a potential civil tort.

Therefore what you are saying is only a closed source company can post vulnerabilities to this blog, knowing that it is not in their interests to do so...

Hence you are calling for full on censorship, that will result in not only vast numbers of vulnarabilities to go not just unmentioned but unfixed thus dangerous to by far the majority of computer users.

History shows that major software companies have been aware of certain software vulnerabilities for a couple of decades or more, but chose to do nothing about thrm untill they became public knowledge. If they knew then it's almost certain others knew, thus the question arises not if those in the know had developed exploits --that's a given with POC-- but if they or others had added payloads, and had used or intended to use them.

Publicising vulnerabilities as soon as possible under responsible disclosure is the only way to ensure that vulnerabilities are dealt with and not stockpiled like Weapons of Mass Destruction.

But even responsible disclosure can be manipulated, look back at the history of Intel and the Spector and Meltdown vulnerabilities in their CPU chips. Apparently we are supposed to accept that an Intel executive who would have been aware of the faults became public only sold a large number of shares by coincidence. Further that Intel delaying tactics that moved the vulnarability publication date to after the Xmas shopping time when most Intel CPUs would be sold in the consumer market was coincidence as well...

Perhaps you realy should review your thinking lest others draw conclusions about why you wish to push a viewpoint that is known to be not just a failure but an easily exploitable one at that.

Clive Robinson • November 30, 2019 7:38 PM

@ vas pup,

Ahh "energy security" is as PG&E customers in California are discovering a very serious problem[0]. That is the power grid for them is now far from dependable in anyway shape or form.

It takes no great brains to work out that without energy security, ICTsec is taking the back seat in the bus...

With regards,

In lithium-ion batteries the gel inside, the electrolyte, can combust.

That reads badly and it's more complex than that, especially when you consider most high density chemical energy storage systems are a significant combustion risk[1].

There are several problems with chemical energy storage systems that use changes from one chemical to another. Firstly they are generally not very "energy dense" when compared by mass which is why lithium and hydrogen are investigated. Secondly they tend to be quite inefficient when you check total energy in to total energy out, even though some systems are more efficient over a limited range of their charge/discharge curves. Thirdly is the limited number of cycles in a battery life, there are various reasons for the observed "memory effect" some are due to chemical poisoning, some due to crystal formation others due to plate errosion etc.

Put simply electrically rechargable chemical batteries are about the worst form of energy storage system we have by any given measure.

For instance have a look at "heat storage" by either "latent heat" or "Phase change" materials they have charge cycles in the tens if not hundreds of thousands range. Their actual energy in to energy out efficiency is better than most electrical energy storage cells. Because they don't need complex fine tolerance support structures they are generally considerably lower mass for equivalent storage.

In fact if it was not for waters low boiling point, and significant volume change on freezing it would make a better energy storage system than many electricity rechargable storage systems.

https://m.youtube.com/watch?v=ryJmtItfaXQ

But phase change is more interesting for various reasons but is not difficult to manufacture,

https://m.youtube.com/watch?v=VdagQ5_cx7c

The other thing you don't get to see very much of is combined photovoltaic and thermal pannels. Put simply less than 20% of the energy of direct sunlight hitting a solar pannel gets converted to electricity, the rest becomes heat, and above certain tempratures solar cells become less efficient, thus keepeng them cool is a good idea. Adding a thin copper pipe to the back and thermal insulation adds very little weight but can give significant thermal energy that can be used via a compressor or similar to heat thermal storage cell with about double the electrical kWH.

The simple fact is the likes of PG&E won't sacrifice profit for reliability, thus people realy have to start considering not "going of grid" but "being put of grid" by the operators. Whilst domestic generators are one solution they are noisy, smelly, dangerous and easily stolen, worse getting fuel to them is ridiculously inefficient. Whilst you can modify generators to run off of the domestic gas supply in many places that would be actually illegal and domestic gas is not always available. Thus where legal, the use of solar pannels and wind turbines will with appropriate storage cover most homes for lighting. The big problem is heat and cold, that is using electricity to heat a home is rediculously expensive and at between a half and one and a half units of electricity (kWH) a day fridges and freezers are bad news as for chiller type air conditioning how long do you want the rope to be? The simple fact is our domestic electricity needs have more than doubled in less than two decades and central generation of power via traditional means is nolonger sensible.

Thus for our own security we have to consider how we store energy in it's various forms, not just short term daily but longer term even out to seasonal. Much as our more distant forefathers did in the past with "ice houses" for refrigeration and "hay boxes" and cauldrons and large mass chimnies for slow cooking and slow heat release for safer heating over night. Though hopefully in more efficient but not necessarily more high tech ways.

[0] PG&E are effectively bankrupt, the reason being they put profits over investment and maintainence (something I've been warning about for quite some time). The result in PG&E's case was not solar flares but something more down to earth, it was many wildfires caused by their power distribution, poor maintainence not just of equipment but lack of cutting back growth on the land they owned and the resulting law suits. PG&E claim something along the lines that it's not their fault but "the wind"... Any way it's hurting people,

https://www.latimes.com/california/story/2019-10-10/pg-e-california-power-outages-grid-climate-change

[1] Remember both water and carbon dioxide are products of combustion, and they are both subject to being reversed back to their combustible components by the use of electricity.

[2] You can thank my son for the U-tube links, he's studying engineering and energy storage systems was something he did as a project.

Clive Robinson • December 1, 2019 12:48 AM

@ Chemistry Background,

However your footnote leaves me a bit baffled.

I suspect you are thinking I am talking about the "Bionic-Leaf",

https://www.scientificamerican.com/article/bionic-leaf-makes-fuel-from-sunlight-water-and-air1/

Although it is quite interesting, no it's not what I am talking about.

I'm talking about simple electrochemical reduction that is part and parcel of "wet battery" technology.

That is as with the school electrolysis demonstration take water, add a small amount of a whole variety of chemicals to alow it to conduct electricity. Apply electricity via electrodes and you will get hydrogen comming off at one electrode and that will quite happily burn in an atmosphere containing oxygen to produce water again. Get the quantities right in a closed environment and you have the equivalent of a Fuel Air Explosive (FAE / FAX) waiting to happen.

Electrochemical reduction of carbon dioxide (ERC) can also be done using a zinc cathode. It gets reduced to carbon monoxide which used to be a fuel called "town gas". Which used to be the domestic gas pumped to most homes in the UK prior to the 1970s[1] conversion to "natural gas".

Both hydrogen and carbon monoxide can be produced by various "wet cell technologies" especially when you over charge them. Which is why there are warnings about keeping batteries in ventilated places to stop the gas build up and reaching either the ignition point or Lower Explosive Limit (LEL).

[1] Back then town gas was made in vast quantities by a gasification process using coal. You can do the same today using almost any organic source of carbon just look on U-Tube of demonstrations of making "char cloth" or similar as part of a fire starting kit. Those jets of flame from the container are carbon monoxide burning.

Clive Robinson • December 1, 2019 5:23 PM

@ Anders,

With regards the ZDNet article, I do wish they would not say things like,

Mixcloud said that passwords should be safe, as each one was salted and passed through a strong hashing function (SHA256 algorightm, accordng to the sample we received), making it currently impossible to reverse back to its cleartext form.

Because quite a few people do not realise that "currently impossible to reverse back" is a very conditional statment.

That is whilst it might be currently impossible to "reverse" the output of a "one way hash" it is obviously not impossible to make guessing attacks using the one way hash in the "forward" dorection.

Thus success or failure of such a forward guessing attack depends not on the strength of the hash function but on a number of other things, but primarily

1, The size of the salt and type of padding used.

2, Having a good list of "common paswords".

Further it is likely that as the MixCloud service is of general interest, users may well be linked via user-name, email-address, IP-address etc to other servicrs hacked password data bases, which might already have been cracked thus alowing a "known-password" to be tried or a variation there of.

The simple fact is due to the deficiencies of the human brain, fee people can remember a password with sufficient entropy in it.

Even the much loved XKCD "Correct, horse, battery..." method is considered way to weak these days...

Even Randall guessed it was going that way, if you read the note under the strip,

https://www.xkcd.com/936/

Oh and this is quite seasonal,

https://www.xkcd.com/2234/

Clive Robinson • December 1, 2019 9:49 PM

@ Sherman Jay,

That suggests we all need a reliable secondary energy source because we can no longer trust the profit-driven corporate utilities.

If we are alowed to... It's no real secret that certain US utilities have been vigorously lobbying to make "off grid" or anything that even remotely looks like it illegal...

Clive Robinson • December 2, 2019 4:14 AM

@ Wesley Parish,

Speaking of energy security, Auckland a few years back had a massive blackout - IIRC, at least 200 000 houses lost power.

Which one 1998 or 2006?

https://en.m.wikipedia.org/wiki/1998_Auckland_power_crisis

https://en.m.wikipedia.org/wiki/2006_Auckland_Blackout

It's interesting to note that the NZ politicians only consifered "energy security" after the second event. Whilst Auckland is in a geographically challenging position, lack of investment and maintainence should not be excused by that (which is what the company in the 1998 event tried to do).

I remember the first because it had an impact on work I was involved with at the time. But also I read Peter Gutmann's[1] acerbic comments at the time[2].

These major outages happen rather more frequently than we would like,

https://en.m.wikipedia.org/wiki/List_of_major_power_outages

But before power grids started getting going we had telegraph networks, and these got taken out by bad "space weather". A solar storm in what is now called the Carrington Effect

https://en.m.wikipedia.org/wiki/Solar_storm_of_1859

Should such a coronal mass ejection happen today most of our electronics if power or communications grid connected would suffer some irreparably so. As for the grids well power transformers would take a major hit and would probably not be replacable within 10-30 months. Thankfully more and more comms is moving to glass fibre, however many have protective steel wire cladding that could melt like a fuse, and in the process destroy the glass fibers.

But there are other "networks" that have to be considered gas and water are dependent on electricity to function, and the sewerage system though mainly passive is dependent on the supply of water. Thus as NASA noted even your toilet can be effected,

https://science.nasa.gov/science-news/science-at-nasa/2009/21jan_severespaceweather/

[1] https://www.cs.auckland.ac.nz/~pgut001/

[2] The text document is somewhere on Peter's old web site, but I can not now remember the route in to it.

Clive Robinson • December 2, 2019 4:37 AM

@ MarkH,

Pumping a pressurized mixture of CO and H2 through a gargantuan maze of plumbing, to millions of homes and businesses ... what could go wrong?

It will spontaneously go back to water and soot.

The hydrogen needs to be taken out as part of the "scrubbing process". It had various industrial uses, but could also be used as an "addmixture" back into the gassification process.

Supprising to many we actually know less about industrial gassification today than the Germans did during WWII. They were known to have found ways to make "light hydrocarbons" from coal which they had seamingly unlimited amounts of (the Ruhr valley) but little or no access to oil. So they developed synthesis methods that are apparently now lost as those involved have died and taken their memories with them and the records kept at the time did not survive.

Oh if you do make a home gassifier, mechanical engines in vehicles and generators both run very well on carbon monoxide, hydrogen and light hydrocarbons. In fact you can by conversion kits to run generators off of what some call "barbecue gas" but most others call LPG. Running a standby generator off of LPG is a better idea than petrol/gas that are used for vehicles. One major reason as those with petrol driven lawn mowers will know is that petrol contains "condensates" that like tars in wood smoke "gum up the works". Thus an engine that worked fine when last used in autum can be cranky, unreliable or just won't work in spring.

Clive Robinson • December 2, 2019 1:36 PM

@ Pete Young,

It certainly looks like a synopsis.

What PG did was in effect write a diary of events during the period of outage.

It all had the same pithy wording as can be found with the comment about the heroic efforts to save the chilled beer ;-)

Clive Robinson • December 2, 2019 2:56 PM

@ MarkH,

How is it possible for a mixture of CO and hydrogen to spontaneously react under the conditions in gaseous fuel storage and distribution networks?

Simple pressure is enough (think about the Diesel process, or the school demonstration woth a glass tube with a bit of cotton wool at the bottom that when the ram rod is pushed in spontaniously combusts). It's why the old "town gas" mains were all low preasure thus limited range[1] unlike modern "natural gas" mains where the pressure reduction mechanism is part of the gas meter.

From what I was told by people who worked in the industry back in the 1950's the early scrubing out process was quite literally a large chamber like a very large boiler. It was about one quater filled with water with a rotating brush mechanism a gas inlet and two gas outlets. One gas outlet was towards the top of the scrubber and pulled out mainly hydrogen[2], the other lower down pulled out mainly carbon monoxide. The mass ratios of the gasses was such that the hydrogen in effect floated on the carbon monoxide and just pulling the gasses in the right quantities effectively seperated them. The water also moved through the process and brought out all sorts of hydrocarbons as an,"emulsion" that would have otherwise "gummed up the works". However that emulsion could also be sold as a product for other processes and was at one point used as an addative to soaps.

I would have very much liked to have seen one of these scrubbers as I have an interest in industrial history, but I gather they were all sold for scrap value.

[1] The preasure problem was one reason[3] why there were so many "gas works" almost every town had one along with a gasometer or three.

[2] What is often forgotton is that the "town gas" was mainly a "waste by product" for making high quality coke for the iron and steel industry and turning hydrogen into ammonia via the Haber process for feed stock for many chemical and industrial processes. Originally town gas was not well scrubbed because the hydrocarbon contaminates made the carbon monoxide burn not with a pale blue near invisable flame but a bright incandescent yellow suitable for "gas lighting" (though the soot was then around 80-90% of house hold dust, not as it is today skin/hair cells). As the coking process was improved the carbon content was reduced and simple jet burners nolonger produced light, thus either gas mantals had to be added or where town gas was made specifically for lighting gas, a hot brick carburetor system was added that added carbon from atomized fuel oils.

[3] Whilst town gas can be upto half hydrogen depending on the generation process, storing hydrogen or even putting it in metal pipes especially cast iron ones is considered a realy bad idea. Amoungst other things hydrogen makes metals brittle with rapid ageing, thus become not just weak but loose any kind of flexibility thus susceptable to vobration. The last thing you need is "gas mains" fracturing under roads or buildings. Which is also a reason why with the introduction of natural gas, many cast iron gas mains were fairly quickly replaced with various plastics.

Clive Robinson • December 2, 2019 3:13 PM

@ MarkH,

I also read that when the UK switched to North Sea natural gas, millions of burners had to be replaced. Do you know what the design differences are, for burning these distinct fuel types?

The answer when you know is one that will make you say "that's bl33ding obvious", but actually few people know.

All hydrocarbons need an oxidizer to burn, thus the most efficient burn occurs at a different mix rate for each hydrocarbon. Further the larger the hydrocarbon molecule is the more energy it releases when it combusts. Thus as nearly everything we do is "work" we need to keep the energy against time ratio the same. The same is true for the gas mark settings on an oven and the control loop on a water boiler. Thus the simplest way to ensure the same power but with a different gas is to modify the injector in the burner.

As a very rough rule of thumb the lighter the hydrocarbon, the smaller the hole required to get the optimum mix with air at any given presure differential.

It's also why converting an engine designed to run on liquid petrol to a lighter hydrocarbon such as "barbecue gas" LPG requires modification to not just the carburetor.

Clive Robinson • December 2, 2019 4:24 PM

@ Curious,

With resprct to RSA-240 being factored in the past few days...

You guys would know more about this I am sure.

The only thing I realy know is that it was not "Crown Sterling" and their magic crystal healing machine ;-)

Clive Robinson • December 2, 2019 5:02 PM

@ vas pup,

I chose not to answer the question because it's based on a false assumption.

That is your only options are "argument, secure".

Whilst we can argue you can have both, there is a more obvious answer which is "not to play" as well.

So firstly to give an argument as to why the question is based on a false assumption and you can have both,

In essence to make a valid argument, you must have a valid method of proof (scientific method). That is the process of "testing" to get your proof means that in most cases your proof would be an actual implementation thus you would be secure by default.

But secondly an argument for "not playing",

If you have security against a given vulnerability instance or class of instances, it gives you a number of advantages. One of which is that it makes you much less of a low hanging fruit against "fire and forget" attackers, thus they will because they are in a target rich environment move on to other targets that are susceptible to that vulnerability. Further if you keep your security method secret it gives you a "trip bell" against more persistant attackers who might consider you a "person of interest" or similar thus are performing directed attacks against you untill the succeed or get exposed. When they trip your secret bell they will be unaware they have done so, however they will have alerted you to the fact you are under attack by a better than average attacker. This opens up a number of posabilities for you to "play defence" whilst actually being on the offence.

But thirdly on a different note, my reason for "not playing" the questioner's game, is that they give all the apperance of being a sock-puppet "Who had their nose put out of joint" very recently.

Clive Robinson • December 2, 2019 5:43 PM

@ vas pup,

The bug lets attackers create fake login screens that can be inserted into legitimate apps to harvest data.

The general idea behind this class of attack is not new. Have a look for "I/O Shim" attacks and similar end run attacks.

In essence what happens is a shim (overlay) gets between the I/O devices (screen/keyboard) the user perceives and the target application input and ouput channels. Whilst the user enters in correct information the shim can act as a MITM on the device and send false commands to the application whilst also stopping the user seeing any output from the target application that might warn them they are under attack.

The number of ways you can come up with individal instances of this class of attack is large, so whilst an instance might be new the underlying principles are the same, thus most likely there will be more instances of this class of attack yet to come.

So there are two basic lessons to learn from this,

1, There is no such thing as a "safe Playstore application"[1].

2, Never do anything involving PII IP or money etc on a system you can not trust[2].

Not abiding by these rules means you will get hurt when your number comes up[3].

[1] The "walled Garden" idea has never ever been secure, nor can it ever be. At best it can respond long after the event to new attacks that the owners of the Walled Garden can not ignore. This issue was fairly well known last century, back atleast as far as the first machine ciphers.

[2] Walled Garden devices or anything with a "Trusted Module" you do not 100% control are "Not owned by you" thus you can not trust them. Unfortunatly more and more personal devices can nolonger be trusted. The only way to have a system you can trust is by moving the security end points off such devices. This has been known for atleast several centuries if not millennia hence the reason we had ciphers and code books.

[3] The Internet is so insecure in so many ways that just about every personal device and the computers used as servers are full of vulnerabilities waiting to be found and exploited. Thus it is a very "target rich" environment, that is the number of targets far exceeds the ability of attackers to exploit them. Which means whilst your devices are vulnerable, it is a matter of probability as to whether your device is attacked or not, likewise if the attack is successful.

Clive Robinson • December 3, 2019 11:40 AM

@ Tables A. Turn,

It's not just in the US that pupils and students run the gauntlet of Alphabet (Google's "evil empire" owners)

selling our children’s Google Classroom academic records

So I guess the evil empire has been lobbying very very intently, and persuasively. Probably by using the fruits, of the records they already have obtained, on legislators. Which is a possible reason for what you note with,

No wonder Congress is moving fast to kill Alastair Mactaggart’s California Consumer Privacy Act!

I guess pointing out "Think of the children" to the legislators will not work... As was once noted,

It's hard to get someone to see your point of view when their income very much depends on them not doing so!

Perhaps it's time to ask Hercules to repeate his fifth labour, by diverting the Potomac "up the Hill" to wash out that festering mess that even all of King Augeas' animals could not in a thousand years compare with in quantity or foulness.

Clive Robinson • December 3, 2019 12:53 PM

@ tds,

Regarding Facebook's policies, Clegg, and your link, I found this quote interesting.

It's a case of,

The more you dig the more you find.

With each shovelfull being that little more scary than the one before.

It quickly gets to the point where you don't want to dig anymore because you think you are becoming paranoid...

Clive Robinson • December 3, 2019 1:04 PM

@ Auckland,

BTW, just skimming that Scientific American article on the Bionic Leaf it looked like the complicated stuff was still being done with biology.

And it will continue to do so one way or another untill our mastery of science gets beyond that which nature has achived.

If you look at photosynthesis for instance, we are not even close to what nature has achived. If you read some of the science they are talking about nature using "quantum effects". If this is true, then all sorts of questions pop out of the woodwork that scientists don't want to ask...

Have a look at how Roger Penrose has been treated over his thoughts on the "quantum mind". He dared to ask a question, and like the messenger of old he is the one receiving the wrath of others.

I have no idea if he is right or wrong about quantum effects in the brain, but when we look at other parts of the body such as how we smell, quantum solutions become ever more likely.

The flip side of Roger Penrose's question is of course AI, if Penrose is correct then the majority of the AI pundits are wrong...

Clive Robinson • December 3, 2019 1:24 PM

@ Wesley Parish,

Well, I live in hope that some Angeleno comedian or maybe from San Diego, who knows? - will be compiling a list of the excuses their statewide power company comes up with, and have some fun with it.

One can but hope, as they say.

Though I have to wonder when you see the entirely predictable mess that PG&E have got themselves into, just who wins at the end of the day.

Yes I know the lawyers will be on for atleast 30% win or loose but like all bottom feeders, they are simply feasting on those that have fallen in a previous combat.

We know enough that all combat is destructive and at best, both clears the ground and fertilises it for new growth with the fallen. But the price is high extrodinarily high, so much so that you would conclude the results can not justify the means...

But yet, that is our chosen method of progress, assuming every conflagration must have within it a Phoenix.

To say it is madness says much about mankind, which is why I guess we need a sense of humor...

Clive Robinson • December 3, 2019 4:23 PM

@ Wesley Parish,

It was about time too - after two weeks of not showering, I did not smell my best.

Hmm this is another asspect of "Infrastructure Security" / "Utility Security" few know or even talk about. Which is important to your health and wellbeing when the power goes out for an extended period, which appears to be more and more the case these days even in the first world.

So I'll let you into a hard won little secret, I had to once find out when spending a summer up at a mountain base camp more than a third of a century ago...

Most people consume between 40-80 litres of water in a US style home shower which is 88-176lb in weight of water or around three 50lb back pack loads... So you want to cut that down a lot if you have to carry water in on your back up hill all the way...

One way you can do this is look up something called a "Navy Shower" where the principle is,

1, Turn on water, get wet.
2, Turn water off, soap up.
3, Turn on water, rinse off.
4, Turn water off.

The idea being to keep the "water on" time as short as possible. But even so you tend to use 6-10 litres of water or 12-22lb of water which is still a lot to carry in on your back.

The problem with a Navy Shower is the "shower head" in that it alows way to much water to flow, most of which runs off you without achieving anything usefull...

Thus if you use a pump up "garden spray" instead you can get your usage down to just 1 litre and still get thoroughly clean long hair included , it just takes about twice to three times as long.

But more importantly you only need boil up one or two cups of water, which you mix with about five or six cups of cold water you've already got in the garden spray. It's important for the same reason, gas for heating has to be carried in on your back.

Also you only need one shower a week, as long as you wash the "smelly bits" every day and don't use deoderants[1] just a quick squirt of after shave and has other benifits[2]. If you use "wet wipes" / "baby wipes" like a flannel / face cloth one to soap up the other to wipe off with you only need about 40ml of water in the bottom of a cup. You also have enough left over to rinse out the wipes so they will be usable for a couple of days or so.

I mentioned this some years ago to others who end up doing extended base camp work and I was supprised to find out it's got to the US and people who apparently live in cars in the suburbs etc because they can either not get or can not afford to rent flats, rooms or even cupboards in places like LA.

Oh and remember "gray water" from washing you and your cloths etc can be used for other things like flushing the toilet. And although I've not tried it, I'm told such grey water can be "settled and filtered" using things like modern "hiking filters" such that you can drink it or atleast wash in it, some even claim you can purify urine so that it's safe to drink :-S

[1] Deoderants are not good for your health if you are engaged in active work or are in warm climates. Sweating is not only to keep you cool, it also helps your body get rid of waste products your body does not want inside you. Further they muck up your body flora and thus unbalance your skin functioning. Anything more than plain mild soap is not good for you in harsh environments.

[2] If you use deoderants, body lotions and all other manner of potions, your cloths get contaminated with them and they tend to "go off" making your cloths smell rather more than they should rather quicker than you would like. Which means on average you have to wash your cloths three to five times more often. Even in a bucket you are looking to use 12-15 liters of water per wash so thats another two back pack loads to carry up hill. Oh natural fibers like cotton and especially wool don't take up smell. The old British Army wool shirt you can wear for two weeks solid, even if you only wash infrequently the same with the socks, whilst they take longer to dry, they do take less water to get clean enough to wear again. It's why old style "long johns", "thermal underware" and similar are made of wool and cotton. Also even when soaked through wool still keeps you warmer than just about any other clothing you are likely to buy, a fact not lost on those who live in the lands of 24hour darkness.

Clive Robinson • December 4, 2019 7:48 PM

@ vas pup,

Russian president warns over expansion of US space force

Which is actually a sensible thing to say as it's true, even though US Politician's might regard it as, "inflammatory".

But with regards the article, it is not exactly accurate. For instance,

The US, Russia and China are all believed to have tested weapons that could destroy a satellite in space.

Firstly it's not "believed" but known (I've mentioned it before). Secondly the most recent member in this club "India" has not got a mention[1] which is odd...

But other nations have not been mentioned including France and the UK.

Even though the UK nolonger has an independent "launch capability" they have been at the leading edge in development of "de-orbiter" technology.

De-orbiter technology is just as "Space Wars" technology as co-orbiter kinetic kill missiles / satellites. But is actually rather more advanced (compare as using a butterfly net rather than just throwing stones). De-orbiter technology is --unlike co-orbiter technology-- designed to not fill space with junk that could cause a very destructive "chain reaction" known as a "Cascading Kessler Syndrome[2].

[1] Nor for that matter has North Korea, Japan and even New Zeland where "believed" is more appropriate. Put simply if you can get a "cubesat" or larger up with "station keeping capability" then co-orbiter technology is a relitively easy next step. The design of such devices is well within the capability of under graduate students as a "group project".

[2] A Kessler event / cascade becomes more likely as the number of satellites in orbit increase in number. Around 2014 prior to India's little "keep of our grass" demonstration it was estimated there were about 2,000 functional commercial and government satellites on various Earth orbits. However it was also estimated there were around 600,000 pieces of space junk in the 1cm to 10cm (2/5ths to 4 inch) range capable of damaging or destroying a satellite which on average was happening once a year. Getting this junk out of space without creating more junk is what various de-orbiter technology is all about.

Clive Robinson • December 4, 2019 10:23 PM

@ tds,

please bury me in Louisiana or Illinois when I die, so I can keep on voting

Ahh the "Stand up citizens" a politician has to love ;-)

Clive Robinson • December 6, 2019 4:19 AM

@ SpaceLifeForm,

[CVE-2019-14899] Inferring and hijacking VPN-tunneled TCP connections.

It uses basic active and passive traffic analysis techniques to get much of it's information which does not surprise me in the slightest (I've warned about not doing packet, channel and stream stuffing for some years now on this blog and other places).

For some reason most using encryption do not think about what length / size information of packets reveals about the type of encrypted packets, likewise blocks of packets and their rate about the type of communication in the channel. So a webpage download size can be cross correlated by number of packets seen on VPN with number of packets seen by accessing the server on another channel to determine which page has been downloaded. Fixed rate traffic in a non fixed rate channel reveals interactive services such as voice or video, and so on.

At each level of the network stack there is information leakage by length/size that a traffic analysis attack can be made for. Often they can be passive "observing" attacks so you have absolutely no idea they are being used against you. Even active attacks if used with judicious care will probably get written off as "noise" or "unreliability" or some such.

This is something that has been known since before the NSA and GCHQ existed and was actually published in the likes of Gordon Welchman's book in the 1980's and the work of Duncan Campbell that got Maggie Thatcher's panties so tightly waded she went off the reservation with DORA/OSA court cases (which notably failed much to her annoyance and embarrassment).

Importantly it's why I've talked so often about,

Encryption is not enough

And why the likes of secure networks especially those carrying low latency channels need to "stuff" and intersperse other traffic such as Email etc where latency is not an issue, even adding null padding packets. Such that the overall channel sends data at a constant rate for as long as it's in use. Thus switching from what is "packet switching" which hemorrhages information to constant rate "circuit switching" that does not.

Now these researchers have done the initial "leading edge" proof of concept, I would expect a bunch of "Me-too" similar attacks in the next few months.

Clive Robinson • December 6, 2019 7:54 AM

@ Thoth,

the usual Intel response is the shrug and walk away

With a "pre anouncment share sell off?"...

Perhaps it's time we had a "Birthday round up" of all the faults such that people don't forget Intel, and thus might be inspired to seek further examples to keep it nice and toasty for Intel and others who don't take security seriously...

Intel might consider themselves "to big to fail" or "be subject to remonstration", but as Bill Gates once pointed out about Microsoft he did not expect ot to go on for ever, as that is not the way of things.

It would be nice to see certain Intel execs realise the same as thr ground gets cut from under their feet.

@ ALL,

Another bit of madness from the UK Government,

https://www.csoonline.com/article/3447856/uk-government-gives-36-million-to-arm-to-develop-secure-chips.html

Remember ARM used to be a major UK company, that the current encumbrents alowed to be sold to a supposed Japanese Bank, that appears to have got funding from China. Resulting in a bit of ARM and it's IP ending up in China...

Clive Robinson • December 6, 2019 11:44 AM

@ Wesley Parish,

It must've worked: no one complained about odour during that period of several months before the shower got fixed. :)

Maybe they were "Canadian" ;-)

With regards,

Exempli gratia: if I am in the midst of critical surgery - say heart surgery - the very last thing I want to face machinery that is supposed to work but suddenly doesn't

Yeah it's a bit of a conundrum, there you are recumbrant in your hospital bed, as you are about to be taken down to the surgury suite to have a box crowbared into you chest, when... all the lights go out and half the machines start beeping because they've switched over to battery back up and the batteries are not up to it any longer. So you ask the nurse what's happening, the chearful reply is they are re-wiring the building and it's the fourth or fifth time the power has outed that week alone... Just then thehe porter comes up to take you down to surgery, what do you do?

1) Meekly accept your fate,
2) Scream "let me outa here",
3) Talk rationaly to the nurse about if the surcical block is having power problems,
4) Let your heart that's already beating fit to bust at around 210bpm speed up and "end-ex-you" via some crazy break dance beat?

I went for 3, followed by 1, though 2, was at the back of my throat especially when 4, could be felt in my chest and ears.

I thus survived but as they say "Your mileage may vary"...

And yes I do still have those panicky moments in the middle of the night every so often, though not as bad as the ones from several years earlier caused by waking up on the operating table and not being able to move or breath... (it's why I go for "epidurals" or "locals" these days not "generals"...).