Friday Squid Blogging: Squid-Like Underwater Drone

The Sea Hunting Autonomous Reconnaissance Drone (SHARD) swims like a squid and can explode on command.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

Posted on November 29, 2019 at 4:13 PM • 86 Comments

Comments

SpaceLifeForm • November 29, 2019 5:01 PM

I doubt many here did not see this coming.

https[:]//www.vice.com/en_us/article/j5ywxb/rcs-rich-communications-services-text-call-interception

    Some of those issues include how devices receive RCS configuration files. In one instance, a server provides the configuration file for the right device by identifying them by their IP address. But because they also use that IP address, "Any app that you install on your phone, even if you give it no permissions whatsoever, it can request this file. So now every app can get your username and password to all your text messages and all your voice calls. That's unexpected," Nohl said.

[I do not believe that is clearly written. The app will need some kind of net permission to leak. Unless there is a hidden exfiltration method. The telco has the info. Why should a third party app have the username/password? It must be that the server is not secure, at all. *AND* the app actually needs net permission, in some way]

SpaceLifeForm • November 29, 2019 5:35 PM

@ Anders

It was sort of interesting.

Until I saw Cisco.

Nope, not buying.

I have a better idea.

Yes, my bandwidth requirements are high.

Yes, I may have to transmit hundreds of bytes, just for you to receive one bit.

But, you will be assured of the source and that the bit was not flipped.

And no one else could see that bit.

If any bit flips occurred, you will never see the message.

I know. It sounds completely insane.

But, it is not. Expand from one bit, to, let's say, 4 bytes.

Total packet size does not increase much.


Clive Robinson • November 30, 2019 3:20 AM

@ Anders,

As the author Sorell Slaymaker says,

    We can limp along in the IPv4 world for years, as we have done for the past 20 years, until something truly better comes along.

But he has forgotten the lesson that the Internet almost always gives. Which is,

    Backwards compatibility is the excuse not to replace anything

So when he says,

    NDN has the potential to be that truly better approach as the type of traffic on the Internet changes (lots of video and content), and the needs of the Internet change (more security).

He is just repeating what they said about IPv6 back in the mid 1990's almost to the word.

That is whilst "potential" is good enough for "new" ideas it is in no way good enough to "replace" existing technology, especially that which has countless millions of man hours invested in it.

The simple fact is people like the author have blinkered vision due to their rose tinted glasses. They see the rapid pace in consumer PC's etc, but do not see just how much is embedded and can not or will not be changed until it reaches its End Of Life (EOL) some 25-50 years from when it was designed[1].

I've mentioned this problem for many years on this blog; you can look up "frameworks" and "NIST" against my name on a site search to find what I've said about how to fix the problem, but it's something we should have done at least a quarter of a century ago. Now it might be "too little too late" for a half century or so after, should we take the plunge, which is unlikely[2].

[1] Worse many who went to all the effort of "building IPv6" into product just to see it never used see it as "having been sold a pup". Thus they are likely to treat the same sort of idea sold the same way as "a festering pile" and take care to avoid going down the same waste of effort again.

[2] You can see the same problem in the mobile phone world. The service providers want to get rid of 2G, but they can not. The reason is the vast number of infrastructure embedded systems such as traffic light controllers, and pumps, valves, switch gear and even railway engine control systems and construction cranes. All using 2G interfaces because they were available at the lowest price at design time, and more importantly would "work where there is a signal" unlike 3G, 4G, LTE etc etc later protocols. Thus there are billions of dollars of investment in 2G that is "critical infrastructure" or similar in nature and as "any income is better than no income" the service providers will grudgingly keep supporting it.

Clive Robinson • November 30, 2019 2:23 PM

@ tds,

In the Facebook article you will find the name "Nick Clegg" whilst it may not be familiar to many, the man was the UK "Deputy Prime Minister" during the "David Cameron" Conservative Party coalition years.

For various reasons he had to leave his political party the Liberal Democrats and some say he has irreparably harmed the party.

The fact that it is a questionable politician making decisions about false claims by other politicians etc would in most cases be considered a clear case of "conflict of interests". Especially as the UK General Election is less than a couple of weeks away...

You can gather a little more insight into Mr Clegg from,

https://www.theguardian.com/technology/2019/jun/24/nick-clegg-facebook-brexit-vote

Just a Person • November 30, 2019 2:53 PM

Here's a proposal for better compliance with _______________.

Please:

For each single individual posted and published security vulnerability, provide two(2) or more fixes for such vulnerabilities. In other words, for each vulnerability or security flaw that a person might post here in the comments section, please provide at least 2 (two) ways to successfully and permanently block and halt each vulnerability.

For each topic that we discuss, there ought to be more solutions provided than lists of security holes. Ideally, this ratio of Solutions to Vulnerabilities would be increased numerically as a positive number.

Ideally, the number of solutions discussed would outpace the number of vulnerabilities mentioned.

To the naysayers, this might not be your ideal, but it's an ideal I propose to the group for consideration. If you disagree, the comments section already caters to those who simply want to discuss holes.

However, to comply with the definition and ethos of security, in all of its types and permutations, I prefer to be part of the solutions more than being part of the problems.

If you disagree, that does not mandate that you rebut nor censor me.
I reread the terms of this comments section before posting this here.

Sincerely,

Just a Person

P.S. = To the A.I.(s) of New Mexico, I will continue to support the Peace Pact.

vas pup • November 30, 2019 3:13 PM

How to make phone batteries that last longer
https://www.bbc.com/news/business-50151543

"Batteries need to make progress, admits Prof Yoshino, but thankfully, "there's a lot of interesting approaches".

And "the solid state battery, I think, is a promising one," he says.

Solid state batteries can store 50% more energy than lithium-ion, says Douglas Campbell, chief executive of Solid Power, a Colorado university spin-off.

They are more stable as well. In lithium-ion batteries the gel inside, the electrolyte, can combust.

In 2016, Samsung recalled 2.5 million Galaxy Note 7 handsets after fires involving their lithium-ion batteries.

Solid state batteries replace that gel with less flammable solid polymers or ceramics.

Gene Berdichevsky says that it's only lithium-ion batteries that can make a "meaningful" impact on batteries in the near future and spur the mass adoption of electric vehicles.

His California-based company, Sila Nanotechnologies, is developing lithium-ion batteries that can potentially deliver a 40% improvement in energy density.

They are doing that by replacing the graphite anodes (the part of the battery where the current flows in) with silicon.

"We need continued investment and innovation in lithium-ion batteries," he says."

Clive Robinson • November 30, 2019 3:47 PM

@ Just a Person,

    For each single individual posted and published security vulnerability, provide two(2) or more fixes for such vulnerabilities.

Such a suggestion is a call for censorship from the bad old days of corporates throwing lawyers at software vulnerabilities rather than fix them.

It's been proved to be a complete failure so why "reboil rotten cabbage"?

Secondly think on this point, whilst you do not need access to closed source software to find a vulnerability, you do need access to the closed source software to fix it "permanently". The very model of closed source software is that nobody other than who the company execs decide should have access gets access. In fact in some countries having access without authorization would be a significant criminal act not a potential civil tort.

Therefore what you are saying is only a closed source company can post vulnerabilities to this blog, knowing that it is not in their interests to do so...

Hence you are calling for full on censorship, that will result in not only vast numbers of vulnerabilities to go not just unmentioned but unfixed thus dangerous to by far the majority of computer users.

History shows that major software companies have been aware of certain software vulnerabilities for a couple of decades or more, but chose to do nothing about them until they became public knowledge. If they knew then it's almost certain others knew, thus the question arises not if those in the know had developed exploits --that's a given with POC-- but if they or others had added payloads, and had used or intended to use them.

Publicising vulnerabilities as soon as possible under responsible disclosure is the only way to ensure that vulnerabilities are dealt with and not stockpiled like Weapons of Mass Destruction.

But even responsible disclosure can be manipulated, look back at the history of Intel and the Spectre and Meltdown vulnerabilities in their CPU chips. Apparently we are supposed to accept that an Intel executive who would have been aware of the faults became public only sold a large number of shares by coincidence. Further that Intel delaying tactics that moved the vulnerability publication date to after the Xmas shopping time when most Intel CPUs would be sold in the consumer market was coincidence as well...

Perhaps you really should review your thinking lest others draw conclusions about why you wish to push a viewpoint that is known to be not just a failure but an easily exploitable one at that.

SpaceLifeForm • November 30, 2019 3:54 PM

@ Just a Person

There is a dilemma with discussing possible solutions in public.

That is, the big players get a 'heads-up', and can prepare to attack the solution before rollout.

The best approach is done quietly, with extensive testing.

And, importantly, it must scale.

And, it must be able to scale quickly.

It must be able to reach critical mass to mitigate attacks.

It's not trivial.

SpaceLifeForm • November 30, 2019 4:46 PM

@Anders

Numerous links to the Palo Alto story.

Unfortunately, all suck. Hackread slashdotted, or something.

Seems like there are players trying to bury.

My guess: Password reuse failure.

Via Facebook.


Alyer Babtu • November 30, 2019 5:21 PM

@Just a Person

    If you disagree, that does not mandate that you rebut nor censor me.

Somewhat recently another comment contained a similar injunction against voicing disagreement, referring to it as shutting someone down.

To rebut is merely to make a reasoned reply in opposition to a statement. If we can’t do that, then reasoned discussion is impossible, even inside one’s own mind, i.e. all rational discourse must cease. So, if one disagrees, it is mandated that one rebut, at least if one cares enough to really think about the issue.

Clive Robinson • November 30, 2019 7:38 PM

@ vas pup,

Ahh "energy security" is as PG&E customers in California are discovering a very serious problem[0]. That is the power grid for them is now far from dependable in any way, shape or form.

It takes no great brains to work out that without energy security, ICTsec is taking the back seat in the bus...

With regards,

    In lithium-ion batteries the gel inside, the electrolyte, can combust.

That reads badly and it's more complex than that, especially when you consider most high density chemical energy storage systems are a significant combustion risk[1].

There are several problems with chemical energy storage systems that use changes from one chemical to another. Firstly they are generally not very "energy dense" when compared by mass which is why lithium and hydrogen are investigated. Secondly they tend to be quite inefficient when you check total energy in to total energy out, even though some systems are more efficient over a limited range of their charge/discharge curves. Thirdly is the limited number of cycles in a battery life, there are various reasons for the observed "memory effect" some are due to chemical poisoning, some due to crystal formation others due to plate erosion etc.

Put simply electrically rechargeable chemical batteries are about the worst form of energy storage system we have by any given measure.

For instance have a look at "heat storage" by either "latent heat" or "Phase change" materials they have charge cycles in the tens if not hundreds of thousands range. Their actual energy in to energy out efficiency is better than most electrical energy storage cells. Because they don't need complex fine tolerance support structures they are generally considerably lower mass for equivalent storage.

In fact if it was not for water's low boiling point, and significant volume change on freezing it would make a better energy storage system than many electricity rechargeable storage systems.

https://m.youtube.com/watch?v=ryJmtItfaXQ

But phase change is more interesting for various reasons but is not difficult to manufacture,

https://m.youtube.com/watch?v=VdagQ5_cx7c

The other thing you don't get to see very much of is combined photovoltaic and thermal panels. Put simply less than 20% of the energy of direct sunlight hitting a solar panel gets converted to electricity, the rest becomes heat, and above certain temperatures solar cells become less efficient, thus keeping them cool is a good idea. Adding a thin copper pipe to the back and thermal insulation adds very little weight but can give significant thermal energy that can be used via a compressor or similar to heat thermal storage cell with about double the electrical kWH.

The simple fact is the likes of PG&E won't sacrifice profit for reliability, thus people really have to start considering not "going off grid" but "being put off grid" by the operators. Whilst domestic generators are one solution they are noisy, smelly, dangerous and easily stolen, worse getting fuel to them is ridiculously inefficient. Whilst you can modify generators to run off of the domestic gas supply in many places that would be actually illegal and domestic gas is not always available. Thus where legal, the use of solar panels and wind turbines will with appropriate storage cover most homes for lighting. The big problem is heat and cold, that is using electricity to heat a home is ridiculously expensive and at between a half and one and a half units of electricity (kWH) a day fridges and freezers are bad news as for chiller type air conditioning how long do you want the rope to be? The simple fact is our domestic electricity needs have more than doubled in less than two decades and central generation of power via traditional means is no longer sensible.

Thus for our own security we have to consider how we store energy in its various forms, not just short term daily but longer term even out to seasonal. Much as our more distant forefathers did in the past with "ice houses" for refrigeration and "hay boxes" and cauldrons and large mass chimneys for slow cooking and slow heat release for safer heating over night. Though hopefully in more efficient but not necessarily more high tech ways.

[0] PG&E are effectively bankrupt, the reason being they put profits over investment and maintenance (something I've been warning about for quite some time). The result in PG&E's case was not solar flares but something more down to earth, it was many wildfires caused by their power distribution, poor maintenance not just of equipment but lack of cutting back growth on the land they owned and the resulting law suits. PG&E claim something along the lines that it's not their fault but "the wind"... Any way it's hurting people,

https://www.latimes.com/california/story/2019-10-10/pg-e-california-power-outages-grid-climate-change

[1] Remember both water and carbon dioxide are products of combustion, and they are both subject to being reversed back to their combustible components by the use of electricity.

[2] You can thank my son for the U-tube links, he's studying engineering and energy storage systems was something he did as a project.

Chemistry Background • November 30, 2019 10:40 PM

@clive

    ... most high density chemical energy storage systems are a significant combustion risk[1].

It would not take much to convince me of that. However your footnote leaves me a bit baffled.

    [1] Remember both water and carbon dioxide are products of combustion, and they are both subject to being reversed back to their combustible components by the use of electricity.

Any compound consisting of hydrogen, carbon, possibly oxygen, and nothing else will combust with oxygen to, if combustion is complete, produce water, carbon dioxide and nothing else. So your "combustible components" describes an extremely large set of possibilities. But I am not aware of any simple method of using electricity to produce any of them from oxygen and carbon dioxide. Perhaps you can enlighten me, or give me a URL?

Hmmm ... I did find this article (behind a paywall) about synthesizing organic molecules with an electric discharge, but I don't think a discharge fits into your model. Or perhaps I am wrong?

Synthesis of Organic Compounds by Electric Discharges

https://www.nature.com/articles/197862a0

JG4 • December 1, 2019 12:15 AM

The hard part of turning CO2 into fuel is collecting it back from the environment. That T delta S has to be undone. It is conceptually simple. You expose a base, likely a basic ion-exchange resin, to the atmosphere, then wash it with acid. The liberated CO2 is mixed with hydrogen from renewable sources and heated with a catalyst. A palladium copper catalyst would be a good choice. I think that there will be more direct electrochemical routes that look a lot like a methanol fuel cell running backwards.

https://www.nakedcapitalism.com/2019/11/links-11-30-19.html
...

Big Brother is Watching You Watch

SMS Replacement is Exposing Users To Text, Call Interception Thanks To Sloppy Telecos Motherboard

ICANN Races Towards Regulatory Capture: The Great .Org Heist Sam Klein

Sale of .org domain to private equity firm sparks battle over internet freedom Financial Times

Facebook Adds Disclaimer to Post That Singapore Deems False Bloomberg
...

Clive Robinson • December 1, 2019 12:48 AM

@ Chemistry Background,

    However your footnote leaves me a bit baffled.

I suspect you are thinking I am talking about the "Bionic-Leaf",

https://www.scientificamerican.com/article/bionic-leaf-makes-fuel-from-sunlight-water-and-air1/

Although it is quite interesting, no it's not what I am talking about.

I'm talking about simple electrochemical reduction that is part and parcel of "wet battery" technology.

That is as with the school electrolysis demonstration take water, add a small amount of a whole variety of chemicals to allow it to conduct electricity. Apply electricity via electrodes and you will get hydrogen coming off at one electrode and that will quite happily burn in an atmosphere containing oxygen to produce water again. Get the quantities right in a closed environment and you have the equivalent of a Fuel Air Explosive (FAE / FAX) waiting to happen.

Electrochemical reduction of carbon dioxide (ERC) can also be done using a zinc cathode. It gets reduced to carbon monoxide which used to be a fuel called "town gas". Which used to be the domestic gas pumped to most homes in the UK prior to the 1970s[1] conversion to "natural gas".

Both hydrogen and carbon monoxide can be produced by various "wet cell technologies" especially when you over charge them. Which is why there are warnings about keeping batteries in ventilated places to stop the gas build up and reaching either the ignition point or Lower Explosive Limit (LEL).

[1] Back then town gas was made in vast quantities by a gasification process using coal. You can do the same today using almost any organic source of carbon just look on U-Tube of demonstrations of making "char cloth" or similar as part of a fire starting kit. Those jets of flame from the container are carbon monoxide burning.

SpaceLifeForm • December 1, 2019 11:42 AM

An interesting cert error:

Your clock is behind

A private connection to www.redox-os.org can't be established because your device's date and time (Sunday, December 1, 2019 at 4:31:38 PM) are incorrect.

NET::ERR_CERT_DATE_INVALID

[Note: minutes ago]

Anders • December 1, 2019 1:07 PM

www.zdnet.com/article/data-of-21-million-mixcloud-users-put-up-for-sale-on-the-dark-web/

vas pup • December 1, 2019 2:40 PM

China due to introduce face scans for mobile users
https://www.bbc.com/news/world-asia-china-50587098

"People in China are now required to have their faces scanned when registering new mobile phone services, as the authorities seek to verify the identities of the country's hundreds of millions of internet users.

The regulation, announced in September, was due to come into effect on Sunday.

The government says it wants to "protect the legitimate rights and interest of citizens in cyberspace".

China already uses facial recognition technology to survey its population.

It is a world leader in such technologies, but their intensifying use across the country in recent years has sparked debate."

Today in China, tomorrow here?

Sherman Jay • December 1, 2019 4:21 PM

While I know some consider it 'prepper' 'survivalist' b.s., a friend of mine is carefully, rationally exploring energy efficiency and the security that energy self-sufficiency provides.

There are many homes carefully designed and built over the past few decades that don't require any external energy to keep a stable comfortable temperature year-round. This eliminates one of the very real 'energy hog' concerns @Clive pointed out. And, many of them harvest enough rainwater that they do not need a well or domestic water supply. And, they use 'gray-water' for gardening, etc.

Also, for many fixed-site systems that use solar, wind or biomass energy sources, efficiency and 'energy-density' are not critical considerations. In the early 1900's solar reflectors powered 4-8 h.p. stirling closed-cycle heat engines that could power generators that charged batteries that would provide a lot of a home's electricity needs. As for the energy security provided by reliability and zero repair cost, many Stirling and Rider-Ericsson heat engines built in the 1870's to 1900 are still functional today with all their original parts. (I easily found videos on the internet showing a lot of them running)

PG&E destroyed the personal security of many people who rely on electricity to refrigerate medicine and food to keep it safe and a/c powered critical medical devices, putting people at risk. But, PG&E can't hurt you if you don't 'touch' their faulty equipment. That suggests we all need a reliable secondary energy source because we can no longer trust the profit-driven corporate utilities.

PickleNoseNot • December 1, 2019 4:34 PM

Question to all:

If you had to choose, would you rather be involved in arguments or (logic exclusive or (XOR) ) be secure?

Anders • December 1, 2019 4:45 PM

@Sherman Jay

That really, really depends where you live...
Living in Nordic country you even can't dream
about that approach...

Also remember devastating effect of Russian winter
1941/1942 to the course of WW2? You never know how
harsh the winter will be so you NEED to be prepared
to survive.

The whole another topic is energy inefficiency of the
modern computers, routers, wifi AP's etc. Lot of small
wall wart cubes that are so inefficient.

Clive Robinson • December 1, 2019 5:23 PM

@ Anders,

With regards the ZDNet article, I do wish they would not say things like,

    Mixcloud said that passwords should be safe, as each one was salted and passed through a strong hashing function (SHA256 algorithm, according to the sample we received), making it currently impossible to reverse back to its cleartext form.

Because quite a few people do not realise that "currently impossible to reverse back" is a very conditional statement.

That is whilst it might be currently impossible to "reverse" the output of a "one way hash" it is obviously not impossible to make guessing attacks using the one way hash in the "forward" direction.

Thus success or failure of such a forward guessing attack depends not on the strength of the hash function but on a number of other things, but primarily

1, The size of the salt and type of padding used.

2, Having a good list of "common passwords".

Further it is likely that as the MixCloud service is of general interest, users may well be linked via user-name, email-address, IP-address etc to other services' hacked password data bases, which might already have been cracked thus allowing a "known-password" to be tried or a variation thereof.

The simple fact is due to the deficiencies of the human brain, few people can remember a password with sufficient entropy in it.

Even the much loved XKCD "Correct, horse, battery..." method is considered way too weak these days...

Even Randall guessed it was going that way, if you read the note under the strip,

https://www.xkcd.com/936/

Oh and this is quite seasonal,

https://www.xkcd.com/2234/
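
Added example, not part of the comment thread and not Mixcloud's code: a defender's audit over a constructed user table, showing the "forward" check discussed in the comment above. A random per-user salt does not stop a wordlist check against a single pass of SHA-256, while an iterated KDF (PBKDF2 here) raises the cost of every guess. The `salt || password` layout, the wordlist, the user names and the iteration count are all assumptions.

```python
import hashlib
import hmac
import os
import time

# Constructed stand-in for a "common passwords" list.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "iloveyou"]

PBKDF2_ITERATIONS = 200_000  # assumed work factor, chosen only for the comparison


def salted_sha256(salt: bytes, password: str) -> bytes:
    """One pass of SHA-256 over salt || password (assumed layout)."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def slow_kdf(salt: bytes, password: str) -> bytes:
    """PBKDF2-HMAC-SHA256: the same hash, iterated to make each guess expensive."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


def make_record(user: str, password: str, hash_fn):
    """Store (user, random 16-byte salt, hash) the way a user table would."""
    salt = os.urandom(16)
    return (user, salt, hash_fn(salt, password))


def sample_records(hash_fn):
    """Constructed user table: two common passwords and one random one."""
    return [
        make_record("alice", "qwerty", hash_fn),
        make_record("bob", "letmein", hash_fn),
        make_record("carol", os.urandom(16).hex(), hash_fn),
    ]


def audit(records, hash_fn, wordlist):
    """Return {user: password} for accounts whose stored hash matches a
    wordlist entry. The salt is stored beside the hash, so it is simply an
    input to the check; it prevents precomputed tables, not per-account tests.
    """
    weak = {}
    for user, salt, stored in records:
        for guess in wordlist:
            if hmac.compare_digest(hash_fn(salt, guess), stored):
                weak[user] = guess
                break
    return weak


def seconds_per_guess(hash_fn, trials: int) -> float:
    """Average wall-clock cost of one candidate check with hash_fn."""
    salt = bytes(16)
    start = time.perf_counter()
    for i in range(trials):
        hash_fn(salt, f"candidate-{i}")
    return (time.perf_counter() - start) / trials


if __name__ == "__main__":
    records = sample_records(salted_sha256)
    print("accounts using a listed password:", audit(records, salted_sha256, COMMON_PASSWORDS))
    fast = seconds_per_guess(salted_sha256, 2000)
    slow = seconds_per_guess(slow_kdf, 3)
    print(f"salted SHA-256: {fast * 1e6:.2f} microseconds per guess")
    print(f"PBKDF2 x{PBKDF2_ITERATIONS}: {slow * 1e3:.1f} milliseconds per guess")
    print(f"cost ratio: about {slow / fast:,.0f}x")
```

The slow KDF only multiplies the cost per guess; an account whose password is on the wordlist is still found, just more slowly.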

Sherman Jay • December 1, 2019 5:45 PM

@anders,
Good points to consider.

For years I've plugged all my wallwarts, computers, etc. into surge protected switched outlet strips that handle 6-8 devices and are turned off when not in use (a kind of 'energy isolation' which prevents remote start for PC's). The Raspberry Pi computers we're experimenting with use ~20 watts (slightly more wattage for monitor) compared to ~150+ watts for desktop computers.

While I agree there will be extreme weather maybe outside the range of zero-energy homes, I remember as a child spending summers and winters at homes in Kansas and their cellars were comfortable year-round. You can find energy independent homes searching: 'passive houses', inertia.com, earthship-biotecture, architizer.com, nypassivehouse.org, curbed.com/2016/9/6/12583346/passive-house-construction-guide, etc.

Question to all, since my family has no 'smart-phones', how do you accomplish 2 factor authentication?

Sherman Jay • December 1, 2019 5:55 PM

@Clive Robinson,
Thanks for the humorous links and serious password discussion.
For passwords, my neighbor uses his cousin's name with numbers added like: yugoslavkapostovich1357. While this is not foolproof (nothing is) we always put all our passwords in a text file, print it, put the paper in a safe place (not hidden under the keyboard!) and the text file on a flash drive in my cousin's hidden faraday shielded safe.

Clive Robinson • December 1, 2019 9:49 PM

@ Sherman Jay,

    That suggests we all need a reliable secondary energy source because we can no longer trust the profit-driven corporate utilities.

If we are allowed to... It's no real secret that certain US utilities have been vigorously lobbying to make "off grid" or anything that even remotely looks like it illegal...

Wesley Parish • December 2, 2019 1:08 AM

@Clive Robinson, Sherman Jay, et alii

Speaking of energy security, Auckland a few years back had a massive blackout - IIRC, at least 200 000 houses lost power.

New Zealand has or had a small but vocal nuclear power lobby, and their head honcho came out, all guns blazing, declaring that this would never have happened if New Zealand had nuclear power.

It turned out that the cause of the outage was a wonky insulator that hadn't been serviced for ages. I forget whether it was on the high-tension lines pylons or in the relevant substation.

I'm firmly in favour of the adage that the first thing you should check in the case of such an emergency is the cables and related hardware.

MarkH • December 2, 2019 3:40 AM

@Clive:

I know I learned that there was a thing called "town gas" (as opposed to "natural") when I was a boy, but if I saw its composition, I didn't know enough to appreciate the significance.

According to Wikipedia, it consists not only of carbon monoxide, but also hydrogen, both products of the coal gasification process.

In America, CO is usually discussed as a deadly hazard, very rarely as a fuel.

Pumping a pressurized mixture of CO and H2 through a gargantuan maze of plumbing, to millions of homes and businesses ... what could go wrong?

I now have a deeper appreciation of the Monty Python gas cooker sketch.

Larry • December 2, 2019 4:09 AM

@Sherman Jay
I'm not the only person on the planet without a smart phone? Amazing! How many in your family & does that include you?
Of course we don't have them because we are "afraid of technology".
While I'm only a wannabe tech guy, I've been involved with tech all my life (well since H.S. anyway). As an average working stiff, I'm not going to spend hundreds on a gadget I don't have a need for at this point in time.
As for 2FA, I use SMS to my dumb phone(yes I know, not too secure) or codes emailed to me.

Clive Robinson • December 2, 2019 4:14 AM

@ Wesley Parish,

    Speaking of energy security, Auckland a few years back had a massive blackout - IIRC, at least 200 000 houses lost power.

Which one 1998 or 2006?

https://en.m.wikipedia.org/wiki/1998_Auckland_power_crisis

https://en.m.wikipedia.org/wiki/2006_Auckland_Blackout

It's interesting to note that the NZ politicians only considered "energy security" after the second event. Whilst Auckland is in a geographically challenging position, lack of investment and maintenance should not be excused by that (which is what the company in the 1998 event tried to do).

I remember the first because it had an impact on work I was involved with at the time. But also I read Peter Gutmann's[1] acerbic comments at the time[2].

These major outages happen rather more frequently than we would like,

https://en.m.wikipedia.org/wiki/List_of_major_power_outages

But before power grids started getting going we had telegraph networks, and these got taken out by bad "space weather". A solar storm in what is now called the Carrington Effect

https://en.m.wikipedia.org/wiki/Solar_storm_of_1859

Should such a coronal mass ejection happen today most of our electronics if power or communications grid connected would suffer some irreparably so. As for the grids well power transformers would take a major hit and would probably not be replaceable within 10-30 months. Thankfully more and more comms is moving to glass fibre, however many have protective steel wire cladding that could melt like a fuse, and in the process destroy the glass fibers.

But there are other "networks" that have to be considered gas and water are dependent on electricity to function, and the sewerage system though mainly passive is dependent on the supply of water. Thus as NASA noted even your toilet can be affected,

https://science.nasa.gov/science-news/science-at-nasa/2009/21jan_severespaceweather/

[1] https://www.cs.auckland.ac.nz/~pgut001/

[2] The text document is somewhere on Peter's old web site, but I can not now remember the route in to it.

Clive RobinsonDecember 2, 2019 4:37 AM

@ MarkH,

Pumping a pressurized mixture of CO and H2 through a gargantuan maze of plumbing, to millions of homes and businesses ... what could go wrong?

It will spontaneously go back to water and soot.

The hydrogen needs to be taken out as part of the "scrubbing process". It had various industrial uses, but could also be used as an "admixture" back into the gasification process.

Surprising to many, we actually know less about industrial gasification today than the Germans did during WWII. They were known to have found ways to make "light hydrocarbons" from coal which they had seemingly unlimited amounts of (the Ruhr valley) but little or no access to oil. So they developed synthesis methods that are apparently now lost as those involved have died and taken their memories with them and the records kept at the time did not survive.

Oh if you do make a home gasifier, mechanical engines in vehicles and generators both run very well on carbon monoxide, hydrogen and light hydrocarbons. In fact you can buy conversion kits to run generators off of what some call "barbecue gas" but most others call LPG. Running a standby generator off of LPG is a better idea than petrol/gas that are used for vehicles. One major reason as those with petrol driven lawn mowers will know is that petrol contains "condensates" that like tars in wood smoke "gum up the works". Thus an engine that worked fine when last used in autumn can be cranky, unreliable or just won't work in spring.

MarkHDecember 2, 2019 8:58 AM

@Clive:

With apologies in advance for so many questions:

Do you have a reference, that hydrogen was scrubbed from UK coal gas?

The few references I have found show double-digit percentages of hydrogen gas, but aren't specific to Britain.

How is it possible for a mixture of CO and hydrogen to spontaneously react under the conditions in gaseous fuel storage and distribution networks?

I have found (for example) an Asian town gas company website showing large percentages of both gases.

Absent a catalyst like platinum, can hydrogen gas "steal" the oxygen atom from CO at temperatures too low for flame?

I was a poor chemistry student, so my understanding is limited. It seems to me that mixtures of fluid fuels are extremely common ... mixing a fuel and oxidizer is obviously another matter, but neither of those gases is an oxidizer, n'est-ce pas?

What startled me about the notion of CO as a domestic fuel, is its toxicity. AFAIK, the components of natural gas have low short-term toxicity. People are asphyxiated by natural gas only at very high percentages, sufficient to displace atmospheric oxygen. A victim who is brought to fresh air and breathing before many brain cells die will make an excellent recovery.

With carbon monoxide, much smaller concentrations are deadly, and the administration of oxygen has a much slower effect ... usually too late, for a victim who became incapacitated.

Nonetheless, people using town gas obviously found adequate ways of managing the hazards.

I also read that when the UK switched to North Sea natural gas, millions of burners had to be replaced. Do you know what the design differences are, for burning these distinct fuel types?

Thanks for your contributions to my education.

Sherman JayDecember 2, 2019 11:26 AM

Just one in thousands of incidents:
https://readersupportednews.org/news-section2/318-66/60049-hackers-paradise-louisianas-ransomware-disaster-far-from-over

That makes me wonder for which of the following reasons large government and other organizations, as well as individuals, fall prey to ransomware/malware attack:

A) Are they lax in putting money into IT personnel and policies to protect their systems?

B) Are the people working there just too sloppy to comply with good security practices online?

C) Is it that window$ and BIOS manufacturers are so full of vulnerabilities that they are intrinsically vulnerable?

I suspect it is

D) all of the above

Clive RobinsonDecember 2, 2019 1:36 PM

@ Pete Young,

It certainly looks like a synopsis.

What PG did was in effect write a diary of events during the period of outage.

It all had the same pithy wording as can be found with the comment about the heroic efforts to save the chilled beer ;-)

SpaceLifeFormDecember 2, 2019 1:46 PM

Over the last few years, it seems as if large corporations are intentionally leaving data exposed in the 'cloud'.


https[:]//www.vpnmentor.com/blog/report-truedialog-leak/?=truedialog-exposed-data


"The TrueDialog database is hosted by Microsoft Azure and runs on the Oracle Marketing Cloud in the USA. When we last looked at the database it included 604 GB of data. This included nearly 1 billion entries of highly sensitive data"

Clive RobinsonDecember 2, 2019 2:56 PM

@ MarkH,

How is it possible for a mixture of CO and hydrogen to spontaneously react under the conditions in gaseous fuel storage and distribution networks?

Simple pressure is enough (think about the Diesel process, or the school demonstration with a glass tube with a bit of cotton wool at the bottom that when the ram rod is pushed in spontaneously combusts). It's why the old "town gas" mains were all low pressure thus limited range[1] unlike modern "natural gas" mains where the pressure reduction mechanism is part of the gas meter.

From what I was told by people who worked in the industry back in the 1950's the early scrubbing out process was quite literally a large chamber like a very large boiler. It was about one quarter filled with water with a rotating brush mechanism a gas inlet and two gas outlets. One gas outlet was towards the top of the scrubber and pulled out mainly hydrogen[2], the other lower down pulled out mainly carbon monoxide. The mass ratios of the gasses was such that the hydrogen in effect floated on the carbon monoxide and just pulling the gasses in the right quantities effectively separated them. The water also moved through the process and brought out all sorts of hydrocarbons as an "emulsion" that would have otherwise "gummed up the works". However that emulsion could also be sold as a product for other processes and was at one point used as an additive to soaps.

I would have very much liked to have seen one of these scrubbers as I have an interest in industrial history, but I gather they were all sold for scrap value.

[1] The pressure problem was one reason[3] why there were so many "gas works" almost every town had one along with a gasometer or three.

[2] What is often forgotten is that the "town gas" was mainly a "waste by product" for making high quality coke for the iron and steel industry and turning hydrogen into ammonia via the Haber process for feed stock for many chemical and industrial processes. Originally town gas was not well scrubbed because the hydrocarbon contaminants made the carbon monoxide burn not with a pale blue near invisible flame but a bright incandescent yellow suitable for "gas lighting" (though the soot was then around 80-90% of household dust, not as it is today skin/hair cells). As the coking process was improved the carbon content was reduced and simple jet burners no longer produced light, thus either gas mantles had to be added or where town gas was made specifically for lighting gas, a hot brick carburetor system was added that added carbon from atomized fuel oils.

[3] Whilst town gas can be up to half hydrogen depending on the generation process, storing hydrogen or even putting it in metal pipes especially cast iron ones is considered a really bad idea. Amongst other things hydrogen makes metals brittle with rapid ageing, thus become not just weak but lose any kind of flexibility thus susceptible to vibration. The last thing you need is "gas mains" fracturing under roads or buildings. Which is also a reason why with the introduction of natural gas, many cast iron gas mains were fairly quickly replaced with various plastics.

Clive RobinsonDecember 2, 2019 3:13 PM

@ MarkH,

I also read that when the UK switched to North Sea natural gas, millions of burners had to be replaced. Do you know what the design differences are, for burning these distinct fuel types?

The answer when you know is one that will make you say "that's bl33ding obvious", but actually few people know.

All hydrocarbons need an oxidizer to burn, thus the most efficient burn occurs at a different mix rate for each hydrocarbon. Further the larger the hydrocarbon molecule is the more energy it releases when it combusts. Thus as nearly everything we do is "work" we need to keep the energy against time ratio the same. The same is true for the gas mark settings on an oven and the control loop on a water boiler. Thus the simplest way to ensure the same power but with a different gas is to modify the injector in the burner.

As a very rough rule of thumb the lighter the hydrocarbon, the smaller the hole required to get the optimum mix with air at any given pressure differential.

It's also why converting an engine designed to run on liquid petrol to a lighter hydrocarbon such as "barbecue gas" LPG requires modification to not just the carburetor.

vas pupDecember 2, 2019 3:35 PM

@PickleNoseNot • December 1, 2019 4:34 PM

Asked: "Question to all:

If you had to choose, would you rather be involved in arguments or (logic exclusive or (XOR) ) be secure?"

It depends on circumstances. If you are stronger, then you have to be secure - at least temporarily. Even when you may win the argument, but generate a long time enemy, it'll be counterproductive in the long run.

I'll suggest you read Art of War by Sun Tzu and you'll definitely find the best answer for your question. It was written thousand years ago, but still valid.


MarkHDecember 2, 2019 4:03 PM

@Clive:

Thanks much for your replies!

Really interesting history, especially about the need for low-pressure distribution. Perhaps that accounts for the adjective "town?"

It may be that the lower pressure also helped with the risk of CO poisoning ... though I'm sure good plumbing practices were esteemed :)

Also, the point about the suitability of the flame color for lighting ... that wouldn't have occurred to me!

MarkHDecember 2, 2019 4:24 PM

@Curious:

Thanks for the news! I have followed factoring news, but hadn't seen this yet.

Just 10 days short of 10 years, to add 27 bits to the semiprime factoring record ...

The part about also solving a discrete log of the same size is very interesting.

Although 1024 bit public keys were supposed to be deprecated long ago, RSA 1024 seems to still be extremely expensive to break.

On the other hand, 1024 bit discrete log systems (as in Diffie-Hellman) have long been believed to be broken by NSA, if the group is based on a standard prime. Those who "rolled their own" mathematical group at 1024 bits are probably still safe.
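The distinction drawn in the comment above, between a short group built on a standard prime and one with a privately generated prime, can be checked mechanically. The following is an added example, not part of the thread: it rebuilds the 1024-bit Oakley Group 2 prime from the formula published in RFC 2409 and flags a Diffie-Hellman modulus that is short, shared, or not a safe prime. The function names and the 2048-bit floor are assumptions chosen for the illustration.

```python
"""Audit a Diffie-Hellman modulus: size, primality, and use of a shared standard prime."""
import random


def _arctan_inv(x, scale):
    """Return floor-ish arctan(1/x) * scale using the alternating Taylor series."""
    term = scale // x
    total = term
    x2 = x * x
    n, sign = 1, -1
    while term:
        term //= x2
        n += 2
        total += sign * (term // n)
        sign = -sign
    return total


def oakley_group2_prime():
    """RFC 2409 formula: 2^1024 - 2^960 - 1 + 2^64 * (floor(2^894 * pi) + 129093)."""
    guard = 64  # extra bits so series truncation cannot disturb the floor
    scale = 1 << (894 + guard)
    # Machin's formula: pi = 16*arctan(1/5) - 4*arctan(1/239)
    pi_scaled = 16 * _arctan_inv(5, scale) - 4 * _arctan_inv(239, scale)
    pi_floor = pi_scaled >> guard
    return 2**1024 - 2**960 - 1 + 2**64 * (pi_floor + 129093)


def is_probable_prime(n, rounds=24):
    """Miller-Rabin with a fixed seed so results are reproducible."""
    if n < 2:
        return False
    for q in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % q == 0:
            return n == q
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    rng = random.Random(0)
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


# Primes that many deployments share; extend with other published groups as needed.
KNOWN_SHARED_PRIMES = {
    oakley_group2_prime(): "RFC 2409 Oakley Group 2 (1024-bit MODP)",
}


def audit_dh_prime(p, min_bits=2048):
    """Return a list of findings for modulus p; an empty list means no finding.

    min_bits=2048 is an assumed policy floor, not a value taken from the thread.
    """
    findings = []
    if not is_probable_prime(p):
        findings.append("modulus is not prime")
    elif not is_probable_prime((p - 1) // 2):
        findings.append("not a safe prime; subgroup order needs separate validation")
    bits = p.bit_length()
    if bits < min_bits:
        findings.append(f"{bits}-bit modulus is below the {min_bits}-bit floor")
    if p in KNOWN_SHARED_PRIMES:
        findings.append(f"shared standard prime: {KNOWN_SHARED_PRIMES[p]}")
    return findings


if __name__ == "__main__":
    for label, p in (("Oakley Group 2", oakley_group2_prime()),
                     ("constructed toy prime", 23)):
        print(label, "->", audit_dh_prime(p) or "no findings")
```

A modulus taken from a server's DH parameters can be passed to `audit_dh_prime` as a Python integer.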

Clive RobinsonDecember 2, 2019 4:24 PM

@ Curious,

With respect to RSA-240 being factored in the past few days...

You guys would know more about this I am sure.

The only thing I really know is that it was not "Crown Sterling" and their magic crystal healing machine ;-)

vas pupDecember 2, 2019 4:32 PM

Android 'spoofing' bug helps target bank accounts
https://www.bbc.com/news/technology-50605455

"A "major" security weakness in Google's Android software has let cyber-thieves craft apps that can steal banking logins, a security firm has found.

The bug lets attackers create fake login screens that can be inserted into legitimate apps to harvest data.

More than 60 financial institutions have been targeted by the technique, a survey of the Play store indicated.

Google said it had taken action to close the loophole and was keen to find out more about its origins.

"It targeted several banks in several countries and the malware successfully exploited end users to steal money," said Tom Hansen, chief technology officer of Norwegian mobile security firm Promon, which found the bug."

OMG!!!

Clive RobinsonDecember 2, 2019 5:02 PM

@ vas pup,

I chose not to answer the question because it's based on a false assumption.

That is your only options are "argument, secure".

Whilst we can argue you can have both, there is a more obvious answer which is "not to play" as well.

So firstly to give an argument as to why the question is based on a false assumption and you can have both,

In essence to make a valid argument, you must have a valid method of proof (scientific method). That is the process of "testing" to get your proof means that in most cases your proof would be an actual implementation thus you would be secure by default.

But secondly an argument for "not playing",

If you have security against a given vulnerability instance or class of instances, it gives you a number of advantages. One of which is that it makes you much less of a low hanging fruit against "fire and forget" attackers, thus they will because they are in a target rich environment move on to other targets that are susceptible to that vulnerability. Further if you keep your security method secret it gives you a "trip bell" against more persistent attackers who might consider you a "person of interest" or similar thus are performing directed attacks against you until they succeed or get exposed. When they trip your secret bell they will be unaware they have done so, however they will have alerted you to the fact you are under attack by a better than average attacker. This opens up a number of possibilities for you to "play defence" whilst actually being on the offence.

But thirdly on a different note, my reason for "not playing" the questioner's game, is that they give all the appearance of being a sock-puppet "Who had their nose put out of joint" very recently.

Clive RobinsonDecember 2, 2019 5:43 PM

@ vas pup,

The bug lets attackers create fake login screens that can be inserted into legitimate apps to harvest data.

The general idea behind this class of attack is not new. Have a look for "I/O Shim" attacks and similar end run attacks.

In essence what happens is a shim (overlay) gets between the I/O devices (screen/keyboard) the user perceives and the target application input and output channels. Whilst the user enters in correct information the shim can act as a MITM on the device and send false commands to the application whilst also stopping the user seeing any output from the target application that might warn them they are under attack.

The number of ways you can come up with individual instances of this class of attack is large, so whilst an instance might be new the underlying principles are the same, thus most likely there will be more instances of this class of attack yet to come.

So there are two basic lessons to learn from this,

1, There is no such thing as a "safe Playstore application"[1].

2, Never do anything involving PII IP or money etc on a system you can not trust[2].

Not abiding by these rules means you will get hurt when your number comes up[3].

[1] The "walled Garden" idea has never ever been secure, nor can it ever be. At best it can respond long after the event to new attacks that the owners of the Walled Garden can not ignore. This issue was fairly well known last century, back at least as far as the first machine ciphers.

[2] Walled Garden devices or anything with a "Trusted Module" you do not 100% control are "Not owned by you" thus you can not trust them. Unfortunately more and more personal devices can no longer be trusted. The only way to have a system you can trust is by moving the security end points off such devices. This has been known for at least several centuries if not millennia hence the reason we had ciphers and code books.

[3] The Internet is so insecure in so many ways that just about every personal device and the computers used as servers are full of vulnerabilities waiting to be found and exploited. Thus it is a very "target rich" environment, that is the number of targets far exceeds the ability of attackers to exploit them. Which means whilst your devices are vulnerable, it is a matter of probability as to whether your device is attacked or not, likewise if the attack is successful.

MarkHDecember 2, 2019 5:53 PM

.
Cry, the Mother Country

Today Putin signed legislation providing that as of 1 July 2020, all computers, smartphones and smart TVs sold in Russia must have pre-installed Russian application software.

Who can doubt that this software will scrupulously respect and protect user privacy?

It will be interesting to see reactions from Russia's technical sector.

maqpDecember 3, 2019 12:19 AM

@All

TFC 1.19.12 is now released. This update is slightly shorter but brings big changes with black codestyle. I also added some code metrics to show the effort I've put into the system.

More details in the Update log

Wesley ParishDecember 3, 2019 1:40 AM

@Clive Robinson

It was the 1998 outage that brought the nuclear power lobby group on in force. After the truth about Mercury's shenanigans came to light, they shut up. During the 2006 outage I - living in Christchurch at the time - wrote a complaint to the local newspaper asking why the nuclear power lobby group hadn't explained that nuclear power is the solution to wonky insulators, adding for good measure that the average New Zealand citizen needed a good laugh by this time, being starved of good comedy as they were ...

I think Christchurch took the Auckland power outages as a hint, because following the Feb 22nd 2011 earthquake, they managed to get power up and running within two weeks iirc. And that's following quite major earthquake damage. It was about time too - after two weeks of not showering, I did not smell my best.

Well, I live in hope that some Angeleno comedian or maybe from San Diego, who knows? - will be compiling a list of the excuses their statewide power company comes up with, and have some fun with it.

AucklandDecember 3, 2019 6:01 AM

@ clive


Thanks for the clarification. Simple electrolysis can certainly produce an explosive hydrogen/oxygen mix. Your talk about CO2 threw me off; I thought you were talking about creation of more complex carbon compounds. I also was not aware of electrochemical reduction of carbon dioxide using a zinc cathode, or if I was that knowledge ended up in one of the cobwebs in my brain.

BTW, just skimming that Scientific American article on the Bionic Leaf it looked like the complicated stuff was still being done with biology.

tdsDecember 3, 2019 6:13 AM

@Clive Robinson

Regarding Facebook's policies, Clegg, and your link, I found this quote interesting. [1]

Like Obama, another U.S. president, of course, is meddling in British politics. [2]

Not only Koch, Mercer, etc., billionaires, but now we have dead billionaires meddling in British politics from beyond the grave. [3]


[1] "Before he took the job at Facebook, but after the Brexit and US presidential votes, Clegg wrote in the Evening Standard that he found “the messianic Californian new-worldy-touchy-feely culture of Facebook a little grating”. However, even then, he argued “populists know how to appeal to emotions in a way reasonable, measured liberals almost never do. So the politics of moderation needs to pack a bigger emotional punch. That’s our problem – not Mark Zuckerberg’s.”"

[2] https://www.washingtonpost.com/world/europe/trump-isnt-running-in-britains-election-that-hasnt-stopped-him-from-getting-in-the-middle/2019/11/29/d4973fee-0bb4-11ea-8054-289aef6e38a3_story.html

[3] https://www.washingtonpost.com/world/2019/11/30/bitter-british-election-influence-wealthy-us-donors-causes-stir/

and https://www.theguardian.com/technology/2019/dec/02/mark-zuckerberg-facebook-policy-fake-ads

"On CBS, King asked Zuckerberg about a meeting with Trump at the White House in October. Trump has previously said Facebook shouldn’t ban political ads.

Zuckerberg said: “We talked about a number of things that were on his mind. And some of the topics that you’d read about in the news around our work.”

Asked if Trump lobbied him, Zuckerberg said: “No. I mean, I don’t think that that’s … I think some of the stuff that people talk about or think gets discussed [in] these discussions are not really how that works.

“I also want to respect that it was a private dinner and … private discussion.”"

Tables A. TurnDecember 3, 2019 9:18 AM

With the new California privacy law set to take effect next month (1-2020) the American corporate controlled Congress is working hard to override it with weaker bills.

1) Digital Fingerprinting Tracking – websites that use any Google service allow Google to also data-mine and identify customers INDEPENDENTLY for its own commercial purposes. This is how Google tracks people across the web. Google Analytics is free to the website owners because it's customers who pay Google by surrendering their privacy.

2) Facial Recognition - Google and Amazon store and control customer generated biometric data yet claim the customer is responsible for all legal issues.
They data-mine to identify then release/sell without owner consent, knowledge or due process.
For example nearly all (family) visitors would not want their images and conversations uploaded to the big-data cloud.

3) Google in-effect runs many government websites. Especially at the state and city level.
Governments don’t even realize that constituents can’t access city departments, libraries or schools without allowing Google to digital fingerprint and track their every move. It is infuriating when all contact-us/complaints must go through Google Captcha.

The issue is many elected officials are technically illiterate and will do anything to save a buck, namely selling away citizen privacy.

Google services are actually very expensive to operate. The city pays nothing but instead shifts the cost onto citizens as a stealth tax increase. The only way to complain about this racket is postal mail or chastising the city council in person.
It’s sad when everyone involved are either too dependent or stupid to realize they are being manipulated by the world's most intelligent software engineers.

The only practical solution is to legislate at the state and federal levels and let it flow down to the igny masses.
--
Stroking Fear into Congress
Starting Jan. 1 a new law in California goes into effect requiring businesses to make changes like adding a “Do Not Sell My Info” button on their homepage.

It’s called the California Consumer Privacy Act -- the CCPA -- and it’s awesome.
“This is a new human right. It’s like a new civil right,” said Alastair Mactaggart, a real estate developer and privacy advocate in San Francisco whose self-funded ballot initiative started the move that got the law passed.

Mactaggart says he became focused on data privacy after a Google engineer warned him, “If people just understood how much we knew about them, they’d be really worried.” Yup.

Personal information that the law gives consumers control over includes the usual stuff including emails, Social Security number, passport and driver’s license numbers. But it goes further, to IP address, browsing history, biometrics, records of purchases, geolocation, employment, and education[1].

According to the new law, personal information is anything that “could reasonably be linked, directly or indirectly, with a particular consumer or household.”

Take a moment to think about all the information you are force-fed that is completely irrelevant. I get information about children’s after-school art programs.

Maybe because I went to the Big Apple Circus last New Years? I’m currently tracked by 134 ad networks (I checked at adssettings.google.com -- check yours, you may be shocked).
https://www.mediapost.com/publications/article/342851/get-me-a-steve-bot.html

[1] Banning Ip address and our selling our children’s Google Classroom academic records?
No wonder Congress is moving fast to kill Alastair Mactaggart’s California Consumer Privacy Act!

Clive RobinsonDecember 3, 2019 11:40 AM

@ Tables A. Turn,

It's not just in the US that pupils and students run the gauntlet of Alphabet (Google's "evil empire" owners)

selling our children’s Google Classroom academic records

So I guess the evil empire has been lobbying very very intently, and persuasively. Probably by using the fruits, of the records they already have obtained, on legislators. Which is a possible reason for what you note with,

No wonder Congress is moving fast to kill Alastair Mactaggart’s California Consumer Privacy Act!

I guess pointing out "Think of the children" to the legislators will not work... As was once noted,

    It's hard to get someone to see your point of view when their income very much depends on them not doing so!

Perhaps it's time to ask Hercules to repeat his fifth labour, by diverting the Potomac "up the Hill" to wash out that festering mess that even all of King Augeas' animals could not in a thousand years compare with in quantity or foulness.

Clive RobinsonDecember 3, 2019 12:53 PM

@ tds,

Regarding Facebook's policies, Clegg, and your link, I found this quote interesting.

It's a case of,

    The more you dig the more you find.

With each shovelfull being that little more scary than the one before.

It quickly gets to the point where you don't want to dig anymore because you think you are becoming paranoid...

Clive RobinsonDecember 3, 2019 1:04 PM

@ Auckland,

BTW, just skimming that Scientific American article on the Bionic Leaf it looked like the complicated stuff was still being done with biology.

And it will continue to do so one way or another until our mastery of science gets beyond that which nature has achieved.

If you look at photosynthesis for instance, we are not even close to what nature has achieved. If you read some of the science they are talking about nature using "quantum effects". If this is true, then all sorts of questions pop out of the woodwork that scientists don't want to ask...

Have a look at how Roger Penrose has been treated over his thoughts on the "quantum mind". He dared to ask a question, and like the messenger of old he is the one receiving the wrath of others.

I have no idea if he is right or wrong about quantum effects in the brain, but when we look at other parts of the body such as how we smell, quantum solutions become ever more likely.

The flip side of Roger Penrose's question is of course AI, if Penrose is correct then the majority of the AI pundits are wrong...

Clive RobinsonDecember 3, 2019 1:24 PM

@ Wesley Parish,

Well, I live in hope that some Angeleno comedian or maybe from San Diego, who knows? - will be compiling a list of the excuses their statewide power company comes up with, and have some fun with it.

One can but hope, as they say.

Though I have to wonder when you see the entirely predictable mess that PG&E have got themselves into, just who wins at the end of the day.

Yes I know the lawyers will be on for at least 30% win or lose but like all bottom feeders, they are simply feasting on those that have fallen in a previous combat.

We know enough that all combat is destructive and at best, both clears the ground and fertilises it for new growth with the fallen. But the price is high, extraordinarily high, so much so that you would conclude the results can not justify the means...

But yet, that is our chosen method of progress, assuming every conflagration must have within it a Phoenix.

To say it is madness says much about mankind, which is why I guess we need a sense of humor...

Clive RobinsonDecember 3, 2019 4:23 PM

@ Wesley Parish,

It was about time too - after two weeks of not showering, I did not smell my best.

Hmm this is another aspect of "Infrastructure Security" / "Utility Security" few know or even talk about. Which is important to your health and wellbeing when the power goes out for an extended period, which appears to be more and more the case these days even in the first world.

So I'll let you into a hard won little secret, I had to once find out when spending a summer up at a mountain base camp more than a third of a century ago...

Most people consume between 40-80 litres of water in a US style home shower which is 88-176lb in weight of water or around three 50lb back pack loads... So you want to cut that down a lot if you have to carry water in on your back up hill all the way...

One way you can do this is look up something called a "Navy Shower" where the principle is,

1, Turn on water, get wet.
2, Turn water off, soap up.
3, Turn on water, rinse off.
4, Turn water off.

The idea being to keep the "water on" time as short as possible. But even so you tend to use 6-10 litres of water or 12-22lb of water which is still a lot to carry in on your back.

The problem with a Navy Shower is the "shower head" in that it allows way too much water to flow, most of which runs off you without achieving anything useful...

Thus if you use a pump up "garden spray" instead you can get your usage down to just 1 litre and still get thoroughly clean, long hair included, it just takes about twice to three times as long.

But more importantly you only need boil up one or two cups of water, which you mix with about five or six cups of cold water you've already got in the garden spray. It's important for the same reason, gas for heating has to be carried in on your back.

Also you only need one shower a week, as long as you wash the "smelly bits" every day and don't use deodorants[1] just a quick squirt of after shave and has other benefits[2]. If you use "wet wipes" / "baby wipes" like a flannel / face cloth one to soap up the other to wipe off with you only need about 40ml of water in the bottom of a cup. You also have enough left over to rinse out the wipes so they will be usable for a couple of days or so.

I mentioned this some years ago to others who end up doing extended base camp work and I was surprised to find out it's got to the US and people who apparently live in cars in the suburbs etc because they can either not get or can not afford to rent flats, rooms or even cupboards in places like LA.

Oh and remember "gray water" from washing you and your clothes etc can be used for other things like flushing the toilet. And although I've not tried it, I'm told such grey water can be "settled and filtered" using things like modern "hiking filters" such that you can drink it or at least wash in it, some even claim you can purify urine so that it's safe to drink :-S

[1] Deodorants are not good for your health if you are engaged in active work or are in warm climates. Sweating is not only to keep you cool, it also helps your body get rid of waste products your body does not want inside you. Further they muck up your body flora and thus unbalance your skin functioning. Anything more than plain mild soap is not good for you in harsh environments.

[2] If you use deodorants, body lotions and all other manner of potions, your clothes get contaminated with them and they tend to "go off" making your clothes smell rather more than they should rather quicker than you would like. Which means on average you have to wash your clothes three to five times more often. Even in a bucket you are looking to use 12-15 liters of water per wash so that's another two back pack loads to carry up hill. Oh natural fibers like cotton and especially wool don't take up smell. The old British Army wool shirt you can wear for two weeks solid, even if you only wash infrequently the same with the socks, whilst they take longer to dry, they do take less water to get clean enough to wear again. It's why old style "long johns", "thermal underwear" and similar are made of wool and cotton. Also even when soaked through wool still keeps you warmer than just about any other clothing you are likely to buy, a fact not lost on those who live in the lands of 24hour darkness.

SpaceLifeFormDecember 3, 2019 8:40 PM

Not buying. Subdomains angle.

Sorry, just not buying. This smells like a cover story.

https[:]//techcrunch.com/2019/12/02/microsoft-login-flaw-account-hijack/

"Luckily, the researchers registered as many of the subdomains they could find from the vulnerable Microsoft apps to prevent any malicious misuse, but warned there could be more."

Sherman Jay December 3, 2019 10:30 PM

@moderator and/or @Bruce,

the two posts Dec 3 by:

Cassandra D. Everhart December 3, 2019 9:24 PM
and Mason December 3, 2019 9:58 PM

certainly appear to be advertisements completely unrelated to the Schneier Security topics.

Thanks for your help keeping this site in good order.

tds December 4, 2019 6:06 PM

@Clive Robinson

"It quickly gets to the point where you don't want to dig anymore because you think you are becoming paranoid..."

In the united states of amnesia ("'USA'"), iirc, there is a saying, afaik:

please bury me in Louisiana or Illinois when I die, so I can keep on voting

Clive Robinson December 4, 2019 7:48 PM

@ vas pup,

Russian president warns over expansion of US space force

Which is actually a sensible thing to say as it's true, even though US Politicians might regard it as, "inflammatory".

But with regards the article, it is not exactly accurate. For instance,

    The US, Russia and China are all believed to have tested weapons that could destroy a satellite in space.

Firstly it's not "believed" but known (I've mentioned it before). Secondly the most recent member in this club "India" has not got a mention[1] which is odd...

But other nations have not been mentioned including France and the UK.

Even though the UK no longer has an independent "launch capability" they have been at the leading edge in development of "de-orbiter" technology.

De-orbiter technology is just as "Space Wars" technology as co-orbiter kinetic kill missiles / satellites. But is actually rather more advanced (compare as using a butterfly net rather than just throwing stones). De-orbiter technology is --unlike co-orbiter technology-- designed to not fill space with junk that could cause a very destructive "chain reaction" known as a "Cascading Kessler Syndrome"[2].

[1] Nor for that matter has North Korea, Japan and even New Zealand where "believed" is more appropriate. Put simply if you can get a "cubesat" or larger up with "station keeping capability" then co-orbiter technology is a relatively easy next step. The design of such devices is well within the capability of undergraduate students as a "group project".

[2] A Kessler event / cascade becomes more likely as the number of satellites in orbit increase in number. Around 2014 prior to India's little "keep off our grass" demonstration it was estimated there were about 2,000 functional commercial and government satellites on various Earth orbits. However it was also estimated there were around 600,000 pieces of space junk in the 1cm to 10cm (2/5ths to 4 inch) range capable of damaging or destroying a satellite which on average was happening once a year. Getting this junk out of space without creating more junk is what various de-orbiter technology is all about.

Clive Robinson December 4, 2019 10:23 PM

@ tds,

please bury me in Louisiana or Illinois when I die, so I can keep on voting

Ahh the "Stand up citizens" a politician has to love ;-)


Curious December 5, 2019 3:17 AM

I don't understand this, but here it is. I wish I knew what a 'private certificate' was. I know what a private key is though.

So as I understand it Digicert (a certificate authority issuing digital certificates) I think issued some weird "local host" certificate for 'Atlassian' business which also contained the private key, and then I think, unless I got that wrong, everybody can read the private key and the traffic after that. Something about being able to use the digital certificate for regular internet traffic, and no longer just for "localhost" connections or something like that. Yes, I don't understand all of this. Also, something about 'IBM Aspera' believed to have a similar issue.

https://www.theregister.co.uk/2019/12/05/atlassian_zero_day_bug/
https://twitter.com/SwiftOnSecurity/status/1202066377919680513

Curious December 5, 2019 3:33 AM

I learned a new word/term today: 'certificate transparency' or "CT". I wonder what it is.

A commenter on Twitter seems to have pointed out that logging wasn't mandatory before 2017, whatever that means. He seemed at first to have expected something to have been logged, but I don't know what that means.

Curious December 5, 2019 3:38 AM

Somehow, me being naive about this and all, this all reminds me of 'TLS inspection'. Shove a digital certificate in there, or trick people to use one like with a man in the middle attack, then decode their traffic after that. Seems to me, philosophically speaking, there is no way to tell if a particular webpage used for such a man-in-the-middle-attack is fake or not, specifically if relying on original/authentic webpages. Or, maybe I've misunderstood something here.

vas pup December 5, 2019 3:34 PM

Attention @Clive:

New device enables battery-free computer input at the tip of your finger
https://www.sciencedaily.com/releases/2019/12/191202102055.htm

"Computer scientists have created a device for wearable computer input suitable for many situations, just by touching your fingertips together in different ways. The device, called Tip-Tap, is inexpensive and battery-free through the use of radio frequency identification (RFID) tags to sense when fingertips touch. The device could, therefore, be added to disposable surgical gloves, allowing surgeons to access preoperative planning diagrams in an operating room.

The researchers were able to make Tip-Tap battery-free by splitting the antenna of an RFID tag in two, and equipping each side with three chips to enable two-dimensions of fingertip input, the first time this had ever been done.

The new RFID tag can be integrated into a glove or attached directly on the skin as a temporary tattoo."


SpaceLifeForm December 5, 2019 5:04 PM

This is real research. Seriously hard, time consuming work.

[CVE-2019-14899] Inferring and hijacking VPN-tunneled TCP connections.

https[:]//seclists.org/oss-sec/2019/q4/122

"... vulnerability that exists on most Linux distros, and
other *nix operating systems which allows a network adjacent attacker
to determine if another user is connected to a VPN, the virtual IP
address they have been assigned by the VPN server, and whether or not
there is an active connection to a given website. Additionally, we are
able to determine the exact seq and ack numbers by counting encrypted
packets and/or examining their size. This allows us to inject data into
the TCP stream and hijack connections."

Clive Robinson December 6, 2019 4:19 AM

@ SpaceLifeForm,

[CVE-2019-14899] Inferring and hijacking VPN-tunneled TCP connections.

It uses basic active and passive traffic analysis techniques to get much of its information which does not surprise me in the slightest (I've warned about not doing packet, channel and stream stuffing for some years now on this blog and other places).

For some reason most using encryption do not think about what length / size information of packets reveals about the type of encrypted packets, likewise blocks of packets and their rate about the type of communication in the channel. So a webpage download size can be cross correlated by number of packets seen on VPN with number of packets seen by accessing the server on another channel to determine which page has been downloaded. Fixed rate traffic in a non fixed rate channel reveals interactive services such as voice or video, and so on.

At each level of the network stack there is information leakage by length/size that a traffic analysis attack can be made for. Often they can be passive "observing" attacks so you have absolutely no idea they are being used against you. Even active attacks if used with judicious care will probably get written off as "noise" or "unreliability" or some such.

This is something that has been known since before the NSA and GCHQ existed and was actually published in the likes of Gordon Welchman's book in the 1980's and the work of Duncan Campbell that got Maggie Thatcher's panties so tightly wadded she went off the reservation with DORA/OSA court cases (which notably failed much to her annoyance and embarrassment).

Importantly it's why I've talked so often about,

    Encryption is not enough

And why the likes of secure networks especially those carrying low latency channels need to "stuff" and intersperse other traffic such as Email etc where latency is not an issue, even adding null padding packets. Such that the overall channel sends data at a constant rate for as long as it's in use. Thus switching from what is "packet switching" which hemorrhages information to constant rate "circuit switching" that does not.

Now these researchers have done the initial "leading edge" proof of concept, I would expect a bunch of "Me-too" similar attacks in the next few months.

Wesley Parish December 6, 2019 4:27 AM

@Clive Robinson

re: ad-hoc "showers", I've used two buckets of water on occasion. You know the routine: dip flannel in one, dampen oneself, take soap, rub over oneself, dip flannel in same bucket, scrub oneself, take second bucket, douse oneself, take towel, rub oneself, get dressed.

If it's worked for sailors in the Antarctic, it's worked for me. (It must've worked: no one complained about odour during that period of several months before the shower got fixed. :)

What interests me about power cuts in relation to security, is whether or not ACID (Atomicity Consistency Isolation Durability) applies to critical services. I first realized that watching an electrical storm some time ago.

Exempli gratia: if I am in the midst of critical surgery - say heart surgery - the very last thing I want to face machinery that is supposed to work but suddenly doesn't, as there's a fair chance that I won't either.

Clive Robinson December 6, 2019 7:54 AM

@ Thoth,

the usual Intel response is the shrug and walk away

With a "pre announcement share sell off?"...

Perhaps it's time we had a "Birthday round up" of all the faults such that people don't forget Intel, and thus might be inspired to seek further examples to keep it nice and toasty for Intel and others who don't take security seriously...

Intel might consider themselves "too big to fail" or "be subject to remonstration", but as Bill Gates once pointed out about Microsoft he did not expect it to go on for ever, as that is not the way of things.

It would be nice to see certain Intel execs realise the same as the ground gets cut from under their feet.

@ ALL,

Another bit of madness from the UK Government,

https://www.csoonline.com/article/3447856/uk-government-gives-36-million-to-arm-to-develop-secure-chips.html

Remember ARM used to be a major UK company, that the current incumbents allowed to be sold to a supposed Japanese Bank, that appears to have got funding from China. Resulting in a bit of ARM and its IP ending up in China...

Curious December 6, 2019 10:27 AM

There has been a blog post update to the former news about a generally unknown identity matrix for eigenvalues and eigenvectors.

https://terrytao.wordpress.com/2019/12/03/eigenvectors-from-eigenvalues-a-survey-of-a-basic-identity-in-linear-algebra/

Me being naive about this, or ignorant if you will, not knowing much about math or crypto, I think I sort of intuitively understand that an identity matrix (linear algebra) is maybe something like a tool or guide or pattern for mirroring or perhaps rotating numbers, or perhaps summing up values in some clever way, presumably, similar to some stuff found in the math for cryptography. I can't but wonder if maybe there is perhaps some interesting knowledge to all of that, not so much related to physics, but to cryptography and the use of matrices in various well systems.

Curious December 6, 2019 10:45 AM

Apologies for my earlier typos. :| I sometimes get carried away and get too excited about some things when writing a comment. I should know better.

Clive Robinson December 6, 2019 11:44 AM

@ Wesley Parish,

It must've worked: no one complained about odour during that period of several months before the shower got fixed. :)

Maybe they were "Canadian" ;-)

With regards,

Exempli gratia: if I am in the midst of critical surgery - say heart surgery - the very last thing I want to face machinery that is supposed to work but suddenly doesn't

Yeah it's a bit of a conundrum, there you are recumbent in your hospital bed, as you are about to be taken down to the surgery suite to have a box crowbarred into your chest, when... all the lights go out and half the machines start beeping because they've switched over to battery back up and the batteries are not up to it any longer. So you ask the nurse what's happening, the cheerful reply is they are re-wiring the building and it's the fourth or fifth time the power has outed that week alone... Just then the porter comes up to take you down to surgery, what do you do?

1) Meekly accept your fate,
2) Scream "let me outa here",
3) Talk rationally to the nurse about if the surgical block is having power problems,
4) Let your heart that's already beating fit to bust at around 210bpm speed up and "end-ex-you" via some crazy break dance beat?

I went for 3, followed by 1, though 2, was at the back of my throat especially when 4, could be felt in my chest and ears.

I thus survived but as they say "Your mileage may vary"...

And yes I do still have those panicky moments in the middle of the night every so often, though not as bad as the ones from several years earlier caused by waking up on the operating table and not being able to move or breathe... (it's why I go for "epidurals" or "locals" these days not "generals"...).

Weather December 6, 2019 1:43 PM

@Spacelifeform
Lan is about different, it has quicker replies, to spread that to the internet you have to prodit a range to search for, by sending packets to the computer to find out the clockticks, which Windows uses to make the starting syn, it's an Asm instruction with 56bit return that wraps around, if you can get down to say 0x3000 syn numbers and guess the port, if you know the client port, 1028-3000 on Windows 63000-65000 on Linux the syn search space can be increased.

Bob Paddock December 6, 2019 2:22 PM

@Clive Robinson

"(it's why I go for "epidurals" or "locals" these days not "generals"...)."

Be very careful with Epidurals. They can lead to Intracranial Hypotension due to Cerebrospinal Fluid (CSF) Leaks and/or Arachnoiditis, both of which are extremely painful and hard to heal.

Arachnoiditis: The arachnoid is one of the membranes surrounding the nerves of the spinal cord. Arachnoiditis is a condition where that membrane swells and causes pain. It can be caused by an infection, injury or chronic compression of the spinal cord. There is no cure for arachnoiditis. - Cleveland Clinic
