Friday Squid Blogging: New Species of Bobtail Squid

Euprymna brenneri was discovered in the waters of Okinawa.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

Posted on December 27, 2019 at 4:13 PM • 156 Comments

Comments

Tatütata • December 27, 2019 5:05 PM

Yup, it's that time of the year again!

The 36th Computer Chaos Club's annual congress opened today, 27 December, at the Leipzig congress center, and will run until 30 December inclusively.

They can be viewed here on real time live-streams, in English and German, and some are offered in several more languages. A new presentation is made combining the calendar and the conference halls (Ada, Borg, Clarke, Dijkstra, and Eliza. I get all the hackish references but Borg. What/who's that?)

The theme this year is "Resource Exhaustion".

The "processed" archive videos are trickling in further down the page.

A formal schedule is also available. There is a lot of fun and interesting stuff, "as usual".

SpaceLifeForm • December 27, 2019 5:15 PM

FB: Your account and phone number have been correlated. (See Orwell)

hxxps://www.inputmag.com/tech/facebook-messenger-now-requires-a-facebook-account-to-join

"The company has stopped allowing new users to join using a phone number."

FB: “If you already use Messenger without a Facebook account, no need to do anything.”

Below Average • December 28, 2019 5:03 AM

Below Average@fireCreek.com

Auto Tracking
‘Five years ago, 20 automakers signed on to volunteer privacy standards, pledging to “provide customers with clear, meaningful information about the types of information collected and how it is used,” as well as “ways for customers to manage their data.” But when I called eight of the largest automakers, not even one offered a dashboard for customers to look at, download and control their data.’
https://www.washingtonpost.com/technology/2019/12/17/what-does-your-car-know-about-you-we-hacked-chevy-find-out/

GM - One of the first California Consumer Privacy Act of 2018 policies:
‘Inferences drawn from other personal information to create a profile about a consumer reflecting the
consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities or aptitudes.’ An auto manufacturer data-mining and then scoring human intelligence?
https://www.onstar.com/content/dam/tcps/us/20180501/privacy_statement.pdf

GM Marketing Communications Preference Dashboard
At GM’s privacy dashboard there are zero trackers even with Javascript enabled. No captcha verified login either...is there hope for mankind?
Just Imagine what a wonderful world would be without Google!
The new privacy law compels a clear easy to understand interface too:
https://www.gmcontactpreferences.com/

Medical Tracking
Hospitals have taken the cue from the world's largest advertiser secretly taking control of 50 million patients' medical records: https://www.theguardian.com/technology/2019/nov/14/google-healthcare-data-ascension

Now other medical establishments have begun sharing our HIPAA ‘protected’ data with Silicon Valley. The facility's non-medical management simply has to classify the for-profit analytical data-miner as a business associate.

The trend is accelerating as patients are asked to sign a blanket HIPAA release for no known medical reason. One receptionist stated ‘just in case the doctor needs it’.

Circumventing HIPAA Privacy
Traditionally the new patients assume they are signing paperwork for beneficial and necessary medical treatment. Instead they are giving away their medical history, similar to the blind acceptance of terms and conditions on ‘smart’ phones.

So be prepared to battle during new patient and ER admitting. Here’s an example:
First refuse the inconvenient LCD screen and ask for paper instead. (Now it's much easier to see the scope, comprehend it, and cross out parts you disagree with.)
After reading one ambiguous, many-paged consent document (to release my medical records to non-medical third parties) and arguing the terms with the sleazy admitting manager, I refused to sign. Only then did the hospital confess that signing was OPTIONAL. Such a painful lesson. Never again.

To avoid this emotionally draining distraction and huge violation of privacy, ask up-front if signing is required. Then if so, why? If they play dumb then ask for a manager.

The bottom line is due to immense industry pressure, patients today cannot trust medical providers including pharmacies. Be wary of ‘free’ tests as they again want you to sign a release NOT just for your test but to release your medical records for non-medical uses. Your signature makes it all legal.
Our family's policy is to automatically decline to sign new or unfamiliar forms electronically. Print and review first.

Don’t count upon the receptionist being either knowledgeable or helpful. Recall Silicon Valley being fabulously successful playing dumb, lasting for a period of over 20 years. Get ahead of this latest medical scam to maintain your privacy.

As Clive states in 5 years the MSM will publish this privacy warning. But only after 95% of the population has been duped.

Gunter Königsmann • December 28, 2019 9:41 AM

About HIPAA releases: In an Italian hospital I have once seen a sign saying you'll get - I believe it was 20% - off if at check-in time you let them scan your carta coop (PayPal-like fidelity card that works similar to Payback). I wonder who offers them this much money for the data...

Anders • December 28, 2019 9:48 AM

www.mindef.gov.sg/web/portal/mindef/news-and-events/latest-releases/article-detail/2019/December/21dec19_nr

tds • December 28, 2019 10:34 AM

Regarding CCC (AFAIK)

From 27 December, https://twitter.com/auerfeld/status/1210513088706994176

"Naomi Colvin @auerfeld

"Guten Morgen #36c3. Andy MM is talking about surveillance of Julian #Assange (and everyone in the near vicinity) at the Ecuadorian embassy [from 2012 to 2019] in about 20 mins. "There is no good news in this talk," he says."

Does anybody have a link for the video?

Tatütata • December 28, 2019 11:06 AM

@tds:

The talk you're interested in will be given on coming Monday at 12:30 MEZ.

https://fahrplan.events.ccc.de/congress/2019/Fahrplan/events/11247.html

The video can be seen live on the "Eliza" channel, or later (within 24h or so) on the archive page here:
https://media.ccc.de/c/36c3

The contents are uploaded as they are updated in various formats (languages, slides, resolution). You should revisit the page until you find what you want. It can take days, and in some rare cases, weeks, until the whole thing crystallises.

The general schedule is available here:
https://fahrplan.events.ccc.de/congress/2019/Fahrplan/index.html

@Anders: alas, no, but for many years the event was virtually on my doorstep, until it outgrew the venue. I now regret having missed it (I had heard of it, but doubted that I "qualified" for attending), but video is less tiring than an uncomfortable theater seat. :-)

Anders • December 28, 2019 11:09 AM

@tds

All the presentations will be archived here:

media.ccc.de

There's already The Cuckoo's Egg related talk:

media.ccc.de/v/36c3-11031-the_kgb_hack_30_years_later

Anders • December 28, 2019 12:04 PM

@tds

Meanwhile you can read this:

www.dw.com/en/spanish-security-firm-spied-on-julian-assange-for-cia-report/a-50617356

SpaceLifeForm • December 28, 2019 1:51 PM

@ Clive

My parser keeps crashing because the canaries' colour changed, and three new canaries appeared.

Who would the third party be, and why was that tidbit not applied to canaries 2 and 4?

Are there already third parties in place WRT to canaries 2 and 4?


Canary 3 should not be relevant to my question.

hxxps://www.techdirt.com/articles/20191220/23475043616/cloudflare-removes-warrant-canary-thoughtful-post-says-it-can-no-longer-say-it-hasnt-removed-site-due-to-political-pressure.shtml

JG4 • December 28, 2019 2:57 PM

Wishes everyone a Happy, safe and sane New Year. Whether or not they believe that 01 January is a boundary.

https://www.nakedcapitalism.com/2019/12/links-12-28-19.html
...

China electricity crackdown sparks concerns Asia Times (BC). A different aspect of “Bitcoin = prosecution futures”:

Pierse said the the recent raids do not indicate that Beijing is shutting down crypto mining operations per se, but merely going after illegal electricity users, AMBCrypto reported.

...

Bitcoin’s Purported Creator Says His Fortune May Remain Locked Bloomberg
...

Michael Tracey✔@mtracey
Tell me again that we're not in a New Cold War. And tell me again that US political culture is capable of dealing with this rationally
https://www.theguardian.com/world/2019/dec/27/russia-deploys-first-hypersonic-missiles-nuclear-capable
Russia deploys first hypersonic missiles
Avangard capable of carrying 2 megaton nuclear weapon at 27 times the speed of sound
https://twitter.com/mtracey/status/1210677866809176065

Internet cut off in parts of India as protests continue Financial Times
...

Big Brother is Watching You Watch

The Rise of Biometric Authentication – The Rewards and Risks Data Science Central (PJH). Oddly ignores the way just about every financial institution I speak to asks me to authorize taking a voice print….and readers have said JP Morgan takes one whether you agree or not.

Uninstall This Alleged Emirati Spy App From Your Phone Now Wired. Since I don’t do apps, I can afford to be blase…but explain to me why the UAE spying on me is more worrisome than Uber stealing my contacts as well as recording my rides (including taking a video in the car) or fitness apps sharing my data with Lord only knows who?

Amazon, Ring Face Class-Action Lawsuit Over Alleged Security Camera Hacks engadget

Why an internet that never forgets is especially bad for young people MIT Technology Review (David L)
...

Carlos • December 28, 2019 2:58 PM

Here's an encryption question (sort of). I read a lot about new data privacy laws requiring encryption of data at rest, and like most of us Information Security professionals I thought "I get this...easy". But a question came up the other day that truly stumped me, so I'm reaching out to the learned crew that follow Bruce's squid blog. :-)

The question was: "Is data encrypted if the hard drive is spinning and the OS is active?" I'm sure you see where I'm going with this: if a hacker takes control of a server and dumps 100,000 records, can the company claim that the data was encrypted with bitlocker?

After hours of online research, I found one article that attempted to address this issue: "For a computer that is not booted, all the information encrypted by FDE [full disk encryption] is protected, assuming that pre-boot authentication is required. When the device is booted, then FDE provides no protection; once the OS is loaded, the OS becomes fully responsible for protecting the unencrypted information." But this sounds like one author's opinion and not an industry standard or legal precedent.

Any insight you can offer would be most gratefully accepted. Thanks! :-)

Anders • December 28, 2019 3:00 PM

@Clive + @ALL
www.theguardian.com/business/2019/dec/19/hedge-funds-hacked-into-bank-of-england-briefings

SpaceLifeForm • December 28, 2019 3:58 PM

@ Carlos

The only way your data can be possibly considered secure, whether in FLIGHT or at REST, is if *YOU* have the keys.

Data in RAM is left as an exercise for the reader.

SpaceLifeForm • December 28, 2019 4:20 PM

@ Anders

Please venture into the mine, and read the link and understand my point.

The species and colour does not matter.

You will get out alive.

You may spot two dead canaries.

Anders • December 28, 2019 4:54 PM

@SpaceLifeForm

OK, I had an impression that you had used some CanaryTokens
as well to reveal that your TLS was reverted.

Sometimes you write with a lot of spaces, so I'll call you
now 0x20LifeForm ;)

Clive Robinson • December 28, 2019 5:07 PM

@ SpaceLifeForm,

Aside from our little tweety friends down at the coal face, something else caught my eye.

I've occasionally mentioned that English as spoken and written has issues that are almost Escher-like, that is you say something with one meaning and it is heard as a different meaning (like the optical illusion of two faces that can be seen as a vase).

As an example this from Cloudflare,

In August 2019, Cloudflare terminated service to 8chan based on their failure to moderate their hate-filled platform in a way that inspired murderous acts.

The first part is clear, "Cloudflare terminated" 8chan for 8chan's "failure to moderate their hate-filled platform". So far so good, all in the past tense etc., but then it all goes wrong.

Cloudflare put "in a way" in their statement, thus changing what they probably meant to say...

If they had said "failure to moderate their hate-filled platform that inspired murderous acts." most would read what comes after "moderate" as a single statement. However with the "in a way" it breaks it into two statements, which stops the comment on the reason for failure and instead flips the last part over to what 8chan should have done as remediation for the failure. That is, Cloudflare are actually saying that 8chan failed to inspire "murderous acts" with their moderation. Which I assume is not what they wanted to say... but who knows for certain, Cloudflare's CEO does make odd public statements in this area as I picked up on back when he issued the statement on the first banning (Daily Stormer).

Electron 007 • December 28, 2019 5:25 PM

@Carlos

"For a computer that is not booted, all the information encrypted by FDE [full disk encryption] is protected, assuming that pre-boot authentication is required.

This is the opportunity to covertly install an "Evil Maid" bootloader, which will secretly record the passphrase next time the user or "owner" of the device boots it up, hopefully none the wiser.

When the device is booted, then FDE provides no protection; once the OS is loaded, the OS becomes fully responsible for protecting the unencrypted information."

The OS now has the burden of decrypting all data read from disk and encrypting all data written to disk. The OS of course must have access to the keys and unencrypted information as long as it is powered up and capable of doing anything at all useful with the data.

But this sounds like one author's opinion and not an industry standard or legal precedent.

We can, of course, get into a deep philosophical discussion of the value of a subjective truth versus an objective truth, but unfortunately neither industry standard nor legal precedent really has much bearing on the truth versus a lie, or on fact versus opinion.

It's all handcuffs and an orange jumpsuit in court and a long sentence in prison. There just isn't much of an answer to any of these questions other than that.

Sancho_P • December 28, 2019 5:42 PM

@tds, Tatütata, Anders, ALL: re CCC (36c3)

The talk ”Andy MM is talking about surveillance of Julian #Assange ...”
was yesterday, 27th, but the download isn’t ready yet, may take another day:
https://media.ccc.de/v/36c3-11247-technical_aspects_of_the_surveillance_in_and_around_the_ecuadorian_embassy_in_london

For the full list of all downloads
(hot topics! E.g. https://media.ccc.de/v/36c3-10565-what_s_left_for_private_messaging)
see:
https://media.ccc.de/c/36c3

Anders • December 28, 2019 6:16 PM

@Sancho_P

Thanks and don't worry.
The proper way here is just not to click links
but copy and paste them as text.

On Windows there's an awesome tool: www.freeclipboardviewer.com
This shows the link in hex codes - what the URL is exactly made of
and whether some wily Unicode character is hiding there, rerouting
you somewhere else...
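As an added illustration of the check Anders describes (this is example code written for this page, not the commenter's and not the freeclipboardviewer tool), the script below dumps each code point of a pasted URL the way a hex viewer would and flags anything non-ASCII or invisible, then shows the hostname in the IDNA (`xn--`) form the resolver actually sees. The two sample URLs and the function names are constructed for the demo.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed sample URLs for the demo: one plain ASCII, and one where a
# Cyrillic "а" (U+0430) replaces Latin "a" and a zero-width space (U+200B)
# is hidden in the path. Both render almost identically in a browser.
PLAIN_URL = "https://www.example.com/path"
SPOOFED_URL = "https://www.ex\u0430mple.com/p\u200bath"

# Unicode general categories that should never appear in a hand-typed URL:
# format characters (zero-width space, bidi overrides), separators, controls.
HIDDEN_CATEGORIES = {"Cf", "Cc", "Zs", "Zl", "Zp"}


def codepoint_dump(url):
    """List (char, U+hex, Unicode name) for every code point, like a hex viewer."""
    return [(ch, f"U+{ord(ch):04X}", unicodedata.name(ch, "<unnamed>")) for ch in url]


def suspicious_codepoints(url):
    """Flag positions whose code point is non-ASCII or an invisible/format char."""
    flagged = []
    for index, ch in enumerate(url):
        category = unicodedata.category(ch)
        if ord(ch) > 0x7F or category in HIDDEN_CATEGORIES:
            flagged.append((index, f"U+{ord(ch):04X}", category,
                            unicodedata.name(ch, "<unnamed>")))
    return flagged


def is_plain_ascii_url(url):
    """True when the URL contains only visible ASCII code points."""
    return not suspicious_codepoints(url)


def punycode_host(url):
    """Show the hostname as the resolver will actually see it (IDNA / xn-- form)."""
    host = urlsplit(url).hostname or ""
    return host.encode("idna").decode("ascii")


if __name__ == "__main__":
    for url in (PLAIN_URL, SPOOFED_URL):
        verdict = "clean" if is_plain_ascii_url(url) else "SUSPICIOUS"
        print(f"{url!r}: {verdict}, host resolves as {punycode_host(url)}")
        for item in suspicious_codepoints(url):
            print("    ", item)
```

The category check matters as much as the non-ASCII check: a zero-width space or a right-to-left override is invisible in most text widgets, so a hex dump of the raw code points is the only place it shows up.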

Electron 007 • December 28, 2019 7:10 PM

On windows there's awesome tool : www.freeclipboardviewer.com

Oh yeah, I got that spelled correctly, and I know the people who run that site, there's no funky Javascript stealing the contents of my actual copy-and-paste clipboard, the ads on it aren't going to funk up my web browser, I agree that I will support the authors and content creators by disabling my ad-blockers, that I will not support hate speech or spread conspiracy theories online, yadda yadda yadda.

Yes, yes, yes, you know www.annualcreditreport.com the one and only credit check tool ...

[/sarcasm snark snark OVERLOAD DETECTED]

Anders • December 28, 2019 7:13 PM

@Tatütata

By any chance is there more info now about Karl Koch's death?

en.wikipedia.org/wiki/Karl_Koch_(hacker)

Wesley Parish • December 28, 2019 9:53 PM

Well, looks like the holidays have brought their usual share of problems. Let's start with the sublime:

https://edition.cnn.com/2019/12/27/us/couple-calls-911-for-robotic-vacuum-intruder-trnd/index.html
A couple called 911, thinking an intruder had entered their home. It was actually their robotic vacuum

A North Carolina couple was watching a movie in their bedroom when they suddenly heard loud noises coming from downstairs. Worried that it was an intruder, the two called 911.

Minutes after they called 911, police entered the home and began to search for an intruder. When the 911 operator told Milam to go downstairs to talk to the police, he said, the officers just had one question.

"Is this Roomba yours?"
Police had apprehended the suspect: the couple's brand new robotic vacuum.

So nice to know that even vacuum cleaners are burglary suspects these days!!! :) (At least the vacuum cleaner wasn't armed. Goodness knows how much he might've cleaned them out of ... :)

Government exposes addresses of new year honours recipients
https://www.theguardian.com/uk-news/2019/dec/28/government-exposes-addresses-of-new-year-honours-recipients

The accidental disclosure of the tranche of personal details is likely to be considered a significant security breach, particularly as senior police and Ministry of Defence staff were among those whose addresses were made public.

As Yahoo Serious explains in The Young Einstein, "If you can't trust the politicians, who can you trust?"

Singing 'Rule Britannia, Britannia waive the rules
Britons never never shall be

Married to mermaids at the bottom of the deep blue sea

Now we get into the interesting stuff:
Facebook’s Libra cryptocurrency project has failed in its current form, says Swiss president
https://www.cnbc.com/2019/12/27/swiss-president-says-facebooks-cryptocurrency-project-libra-failed.html

“I don’t think (Libra has a chance in its current form), because central banks will not accept the basket of currencies underpinning it,” Ueli Maurer, who is Switzerland’s finance minister and outgoing president, told Swiss broadcaster SRF.

Plans for the Facebook-led digital currency, which is to be issued and governed by the Geneva-based Libra Association, have raised concerns among regulators and politicians ranging from privacy to its potential to influence monetary policy and change the global financial landscape.

Very, very interesting article. If I wasn't the trustingly open gullible sod that I am, I would be inclined to suspect Facebook of trying to become too big to fail, which raises the question: how stupid does Zuckerberg think we all are? Considering that anyone with any sense would understand that too big to fail is almost by definition a proof of failure. A cursory examination of the giant monopolies of the past gives me that impression: maybe elephants can dance, but they usually need to lose a lot of weight before they can.

https://www.hyperbola.info/news/announcing-hyperbolabsd-roadmap/

Linux kernel being written without security and in mind. (KSPP is basically a dead project and Grsec is no longer free software)

Maybe Linus Torvalds and his band of merry men will sit up and take notice.

Now on to the ridiculous:

U.S. tests ways to sweep space clean of radiation after nuclear attack
https://www.sciencemag.org/news/2019/12/us-tests-ways-sweep-space-clean-radiation-after-nuclear-attack

Starfish Prime and similar Soviet tests might be dismissed as Cold War misadventures, never to be repeated. After all, what nuclear power would want to pollute space with particles that could take out its own satellites, critical for communication, navigation, and surveillance? But military planners fear North Korea might be an exception: It has nuclear weapons but not a single functioning satellite among the thousands now in orbit. They quietly refer to a surprise orbital blast as a potential “Pearl Harbor of space.”

It might be a good idea to encourage North Korea to use its ballistic missiles to launch satellites and bring in some much-needed revenue, under the premise that a carrot and a stick are better than a stick alone, but the policy wonks who make policy seem to be firmly sadomasochistic in this regard, and they'll beat themselves black-and-blue to hurt the North Koreans.

Scientists got a glimpse of a potential solution from NASA’s Van Allen Probes, which launched in 2012 and ducked in and out of Earth’s radiation belts until the mission ended last summer. It offered a deep dive into natural remediation processes, showing how radio waves resonate with high-energy electrons, scattering them down the magnetic field lines and sweeping them out of the belts. “Compared to 10 years ago, we just know so much more about how these wave-particle interactions work,” says Geoff Reeves, a space physicist at Los Alamos National Laboratory.
Need more knowledge.
The missions should help show which RBR system is most feasible, although an operational system may be years off. Whatever the technology, it could bring risks. A full-scale space cleanup might dump as much energy into the upper atmosphere as the geomagnetic storms caused by the Sun’s occasional eruptions. Like them, it could disrupt airplane navigation and communication. And it would spawn heaps of nitrogen oxides and hydrogen oxides, which could eat away at the stratospheric ozone layer. “We don’t know how great the effect would be,” says Allison Jaynes, a space physicist at the University of Iowa.
And wouldn't that be a coup, both feet in mouth and shooting oneself in the foot with a Vietnam War era minigun!

And of course, the pièce de résistance.
Russia deploys first hypersonic missiles
https://www.theguardian.com/world/2019/dec/27/russia-deploys-first-hypersonic-missiles-nuclear-capable

Putin has said Russia had to develop the Avangard and other weapons systems because of US efforts to develop a missile defence system that he claimed could erode Russia’s nuclear deterrent. Moscow has scoffed at US claims that its missile shield isn’t intended to counter Russia’s missile arsenals.

Ford Prefect's dad magnanimously waving aside the clouds of suspicion that had inevitably settled around him!!!

camper • December 28, 2019 10:16 PM

@Wesley Parish: "how stupid does Zuckerberg think we all are?"

Mark Zuckerberg doesn't have to concern himself with wondering how stupid we all are because our elected representatives in Congress have informed him already, "Pretty f***ing stupid, Sir", and they did it in their official capacity, and on TV (coincidentally where James Clapper was when he lied to Congress [and Congress merely rolled over in response]). As long as Congress continues to be stupid and to be (re-)elected anyway, nothing else matters to the likes of MZ. He's doing nothing more than riding a wave that Congress can't see, because just like the Boxing Day 2004 tsunami, the tide is still going out, and out, and out and they can't hear Greta shouting her warnings, even though she's shouting right in their ear.

Clive Robinson • December 28, 2019 10:53 PM

@ Anders,

Yup, the HF traders will do just about anything to shave a microsecond off delay times as that can mean hundreds of millions a year extra profit. This includes drilling a tunnel through a mountain rather than put a microwave link on the top.

Therefore I can only guess what eight seconds advantage would be worth to them on the Bank of England feed.

It also brings up the question of "digital-v-Analog" delay.

As anyone in the UK who has both a DAB and an analog FM radio will know, tuning into an analog FM signal is up to three seconds faster than the DAB transmission. In part the delay increases the more "processing" is done. As the DAB market is effectively a cartel in the UK which few in the broadcast industry want, most stations try to buy minimum bit rate, which means way more processing, thus more delay and much lower quality.

It's an issue that not many consumers outside the industry are aware of, but it is known to those who use the "time signals".

DAB, as somebody put it, "Is an abomination that defies logic, reason and taste". What others have mentioned is the "political control, for censorship" it represents, which is why most governments allow the cartel to exist.

So higher quality audio feeds would be expected to give lower latency, and this variable delay is a nightmare to control in any regulatorily controlled market place.

So I'm not surprised such "technology gaps" are happening, or that some (all?) are taking advantage of it. As HF trading is a "faux market" anyway, the best option would be to get rid of HF trading entirely, but with large quantities of money being involved I can not see that happening.

Clive Robinson • December 29, 2019 1:19 AM

@ Carlos,

Any insight you can offer would be most gratefully accepted. Thanks! :-)

The problem is that most people look at the problem the wrong way around and just about anything involving any kind of bureaucratic input just makes it worse. Hence you get a problem worse than the parable of the three blind men describing an elephant.

So I shall try and keep it simple, which means the explanation will be longish. But the 20,000ft overview is,

    First look at the data and how it becomes information, secondly the threat model, then how encryption might or might not help. Understand that data is only in one of three states, 1) Being Stored, 2) Being Communicated, and 3) Being processed.

The first thing to grasp is "data" is not "information". Information consists of two parts, "a value and a meaning". But also a value likewise consists of two parts "bits and their meanings".

To see this you first have to realise that all data representation is in a container, sometimes somewhat euphemistically called "A bag of bits". To make sense of it you first have to understand how to give those bits meaning as data values.

In all computers currently, data is stored in ordered eight bit groups called bytes, where mostly each bit has a meaning that is a power of two different from both the previous and next bits in the order. But which way is the direction of the order? Is the Least Significant Bit (LSB) first? Or is the first bit the Most Significant Bit (MSB)? But direction has other meanings as well, as in "on the number line", thus how do you decide if the number is just a natural number or includes negative numbers as well, and how you represent them. That is "One's Complement" or "Two's Complement", where the sign bit is. But more subtly, how do you represent the magnitude or distance along the number line? That is, are the ordered number bits in "binary sequence" or some other sequence such as "Gray code"? The reason it is called a "code" is because it forms a mapping from bit pattern to value, which is a form of simple substitution cipher. Importantly you won't find these mappings in the computer as tables or similar, because they are "built in implicitly".

But it gets worse, what happens when two or more bytes are needed to store larger data ranges or data types? The answer is "it's a mess" which is still in flux.

The classic example of this is "endian" behaviour and "network order". Some computers' CPUs are "little endian" and some are "big endian". Thus values coded in bit patterns stored in a byte data container are one level of order issue; the order the bytes are used is another level of order. So a value stored in one format will not make sense in the other format. Normally this does not cause the computer problems because the bits are stored and loaded into memory in the right order, as the computer is in effect a closed environment. Until, that is, you plug in a network cable to send data from one computer to another... Which is why the "network order" problem exists and why there are standards for sending the data. Again it is a form of code and built in implicitly.

But it gets worse as the values stored have other meanings or types such as for floating point numbers or alphabets or other more complex objects such as complex numbers.

Understanding how the bits have meaning within such an object as a bag of bits data container is the only way to give the bits meaning as data values. Obviously this problem gets worse as you move upwards from just the implicit data types. Eventually you have to give meaning to what the values represent. The easiest way to think of this is in terms of a row of data in a database. Values in individual columns are all the same type, but what they mean is given by the column definition. Thus a value could be the value in pennies in a bank account, or a time in milliseconds since some epoch. In the case of the time the epoch could be one of many standard epochs or one unique to the database. Importantly, when not being "processed" the order the columns are "stored" or "communicated" in does not matter as long as the implicit format is known for processing. In fact for communications you could load the columns into memory as an image, then, as seen by a third party, read each byte apparently randomly and send it to a second party. As long as the first and second parties know what the order is they both can have the same data image in memory. In essence you are using a simple transposition cipher.

Information as data can be in one of three states, stored, communicated and processed. Each of these states has its own threat models which can become very complex as you dig into what becomes possible. But whilst any form of encryption can be used for stored data and communicated data, currently that is not true for data being processed; in fact it's wise to assume data being processed is in plaintext not ciphertext format.

But the important question is what or where is data when being processed? And the answer really depends on what you mean by being processed. Technically it's only being processed when it transitions through the ALU of the CPU. At all other times it's being communicated to or in a storage unit. The storage units being CPU registers, CPU cache, core RAM, then the various forms of secondary and tertiary storage. Once outside of the ALU the data can be encrypted before it is stored. For various reasons, whilst inside the CPU data is rarely encrypted, but encrypting it before it gets written to core RAM is becoming more common.

Thus encryption can be applied to individual "bags of bits" of any size, from individual data types, through files and whole storage devices. That is, the individual fields in database records can be individually encrypted, or the records, or the columns, depending on the database security requirements. Likewise user files can be individually encrypted or encrypted by individual applications and can be held in core RAM either in plaintext or ciphertext depending on the security requirements. A user's files can be individually encrypted in secondary storage under "file keys" or all their files encrypted under a "user key", with a user's process space in core RAM encrypted under a "session key".

Which brings us to how the computer is set up. All core RAM could be encrypted under individual session keys, where even if a user can get to another user's process space they can only see ciphertext. However if the computer uses a "system key", if one user can see another user's process space it will see "plaintext", but if the computer core is squirted with liquid nitrogen and the CPU halted, an attacker reading out the core RAM contents will only see ciphertext.

However most modern "user" computers such as PCs don't encrypt core RAM, so a liquid nitrogen attack will get the plaintext of data being used, unless the application encrypts the memory it uses; unfortunately it is most likely that the encryption key being used will also be in core RAM... This is one of the reasons the threat model can become quite complicated.

Thus it's not just if data is encrypted or not, it's where the keys are stored and if they are in plaintext or ciphertext format.

From this point on you are talking about key issues for all secondary and tertiary storage. Once the key is known or the storage in use then plaintext becomes available to an attacker. It's why Full Disk Encryption is only of use when the disk is not in use, otherwise it's open to any user or user agent that has access permissions to use the storage device, or that can obtain the device key from core memory.
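The "file key" wrapped under a "user key" hierarchy that the comment above describes, as an added example that is not part of the thread or any commenter's code. It assumes AES-256-GCM from Go's standard library for both the content encryption and the key wrap, a random user key standing in for one derived from a passphrase, and the file name bound as associated data so a wrapped key cannot be moved to another record; only the EncryptedFile record ever reaches secondary storage, while the unwrapped keys exist solely in process memory, which is exactly the comment's point about core RAM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// EncryptedFile is the record written to secondary storage. It holds only
// ciphertext and a wrapped key; no plaintext key is ever stored.
type EncryptedFile struct {
	Name           string // bound as associated data to both seals
	WrappedFileKey []byte // nonce || AES-GCM(userKey, fileKey)
	Ciphertext     []byte // nonce || AES-GCM(fileKey, content)
}

// NewKey returns a fresh 256-bit key. A real system would derive the user
// key from a passphrase with a KDF; a random key stands in here (assumption).
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return nil, err
	}
	return k, nil
}

// seal encrypts and authenticates plaintext with AES-256-GCM under key,
// binding aad to the result. Output layout: nonce || ciphertext || tag.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; a wrong key, modified blob or different aad all fail.
func open(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// StoreFile encrypts content under a fresh per-file key and wraps that key
// under the user key. The raw file key is never written out.
func StoreFile(userKey []byte, name string, content []byte) (*EncryptedFile, error) {
	fileKey, err := NewKey()
	if err != nil {
		return nil, err
	}
	ct, err := seal(fileKey, content, []byte(name))
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(userKey, fileKey, []byte(name))
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{Name: name, WrappedFileKey: wrapped, Ciphertext: ct}, nil
}

// LoadFile unwraps the file key with the user key (both now only in RAM) and
// decrypts the content; a wrong user key or a renamed record fails closed.
func LoadFile(userKey []byte, f *EncryptedFile) ([]byte, error) {
	fileKey, err := open(userKey, f.WrappedFileKey, []byte(f.Name))
	if err != nil {
		return nil, fmt.Errorf("unwrap file key: %w", err)
	}
	return open(fileKey, f.Ciphertext, []byte(f.Name))
}

func main() {
	userKey, _ := NewKey()
	rec, _ := StoreFile(userKey, "notes.txt", []byte("constructed sample content"))
	pt, err := LoadFile(userKey, rec)
	fmt.Printf("decrypted %q, err=%v\n", pt, err)
}
```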

ChrisDecember 29, 2019 7:53 AM

New year approaching, and thinking about my resolutions for 2020

- No more Windows machines allowed at home, one last machine left
- Only use port tcp 443 outgoing on the border firewall and block the rest
- No more Javascript allowed
- No more Cloudflare allowed
(Wish someone could make a search engine or plugin to Searx for this)
- Convert to Manjaro so that I can convert to Arch in 2021 :-)
- Cash only, no credit cards
- Learn some more python

/Yeah 2020 here we come

ChrisDecember 29, 2019 9:30 AM

So I have been distro hopping for a week to try out some other Linux distros;
been using Mint now since about 2013 and nothing wrong with it, I guess.

But since I am into radio stuff I have one computer running Arch, since there is some lovely software that needs new python modules and Arch seems to handle it best, so one thing led to another and the final solution is Manjaro, and then slowly migrate towards Arch over time, since it takes time to do Arch :-) and I have a lot of computers here...

Anyhow, the squid question: I tried out another distro before I came to the conclusion of Manjaro, called Zorin, and in that OS there was a package that I had never seen before, and I just love it. I found out that the Zorin Connect that I am referring to is also compatible with KDE Connect, which I installed on all my Androids and all my Linux machines.
This software is so nice that I can't for the life of me understand how I have managed to live without it ...

Anyhow, as long as I am home I guess it's a happy day. It seems to communicate on port 1716 udp/tcp and I can remotely control my phone in some manners,
and vice versa, very very handy, but when it comes to the encryption part
I haven't been able to find much; perhaps someone here knows if this is a trojan horse of sorts, or if it can be made somewhat secure as well...
// Manjaro Squid

JonKnowsNothingDecember 29, 2019 9:36 AM

Garbage In Garbage Out (GIGO) becomes A More Refined Garbage (AMORGuE)

A report on analysis bias:

Meta-analysis study indicates we only publish positive results
Meta-analyses will only produce more reliable results if the studies are good.

But a meta-analysis only works its magic if the underlying data is solid. And a new study that looks at multiple meta-analyses ... suggests that one of those factors—our tendency to publish results that support hypotheses—is making the underlying data less solid than we like.

ht tps://arstechnica.com/science/2019/12/meta-analysis-study-indicates-we-only-publish-positive-results/
(url fractured to prevent autorun)


AndersDecember 29, 2019 9:43 AM

@Chris

First someone should tell the Manjaro people to make their own web page accessible
without javascript: manjaro.org

I can't get past their spinning logo.

Second - there are lots of reverse shells that work over https (port 443).

TatütataDecember 29, 2019 12:18 PM

@Sancho_P, Re Ecuador Embassy/Assange surveillance

You linked the still empty placeholder page for the schedule entry I provided. It may have been created on 27.12, but there is no video recording as the talk hasn't been held yet, as per the "Fahrplan".

The media server was offline for many hours, the production seemed to have had hiccups on Saturday, and some mirrors in the CDN are pretty damn slow, but things seem to be back on track. The result is nevertheless very impressive, in view of the number of versions and formats made available, and the full use made of the capabilities of media container files.

@Anders, Re Karl Koch:

No, but the case of a fiery death has gone "cold", if you'll permit. There are more current and "burning" ones. :-(

The amateurish fumbling at the beginning of the KGB hack talk kind of put me off. For 80's nostalgia, the Acorn Archimedes talk was way more interesting.

In English, I found the conferences on Hong Kong and supply chain security particularly outstanding. There was an artist's presentation which included a Russian short film "2050" by Alexandra Lupashko about robots (skip to 44'), which featured inter alia a vintage Soviet cassette recorder as a prop. I looked it up out of curiosity, and came across a video about the Vesna 202 model, where someone explains in Estonian how he got it back to work. (I gather that all those electrolytics are dead).

Clive RobinsonDecember 29, 2019 12:21 PM

@ Chris,

- Learn some more python

Maybe, maybe not. Because Python is beginning to show the signs of "going the way of Perl".

I'd look for a scripting language on the way up with vigour and a clear path it's following, rather than one apparently "having a mid-life crisis", and not knowing where to go other than on the start of its way down to the retirement home...

There are too many differing interests all pulling in different directions and noses are being put out of joint, albeit discreetly at the moment. Python can not be "all things to all men" or, if you prefer, "a jack of all trades but master of none", and either it gets a single captain back at the helm, or it's just going to go nowhere, not even fast.

The Python community still has time to sort it out, but then so did Perl...

As we know Perl has not sorted itself out and spent the better part of two decades dicking about between Perl 5 and Perl 6 before supposedly finally splitting. But... still the two intermingle, showing no clear direction, thus the future appears to be at the mercy of whichever way the wind blows, which is not good if you back the wrong horse.

A similar fate actually awaits Python. During the Perl dicking-about two decades, Python showed strong direction, thus people moved away from Perl and quite a few moved towards Python.

And much was done under Python 2.x, then Python 3.x came about with its incompatibilities. This caused quite a few problems, so much so that the End Of Life for Python 2.x was moved by half a decade, and there are very many scripts out there that still can not be moved or won't be moved to Python 3. But as is the nature of what some feel is betrayal, these Python 2.x scripts will probably be switched in preference to the next up and coming scripting language, whatever it might be.

So you have a choice: rather than get caught clinging to the flotsam and jetsam in the currently erratic Python wake, it's possibly best to jump ship to another scripting language that shows a clear direction and steady course.

If you can show a good reason to learn Python 2.x or 3.x that is of benefit now then do so, but if not, have a look around for a more profitable or longer-term scripting language.

Electron 007December 29, 2019 1:09 PM

My AT&T phone service is getting cut off after 25 days, because the monthly fee is only good for 28 days, and you have to pay your bills promptly ($45 every 25 days) to stay on the 28-day monthly service plan.

That's with a $150 used phone I had to buy after finding out that tethering to a laptop or other device was unavailable on the brand new "locked" phone, which I was able to return for money back.

IPv6 and Bluetooth tethering are still disabled and crippled even with an "unlocked" phone.

Unlocked phones are, in effect, more or less illegal to possess even after they have been lawfully unlocked by the original carrier after all the phone bills have been paid under the required service contract.

Not illegal in the sense that one is breaking the law, no, but definitely in the sense that one may be arbitrarily arrested and jailed on a warrant.

Part of the punishment they impose is the intentional waste of the user's time and money on legalistic terms and conditions and various arbitrary technical restrictions which are imposed to prevent consumers from making business or technical use of a consumer-level phone, or to enable them to charge more money for features that may or may not be unlocked or available to the user of a prepaid service.

AndersDecember 29, 2019 2:03 PM

@Tatütata

Danke!

Any info on that?

www.golem.de/news/encryption-software-german-bsi-withholds-truecrypt-security-report-1912-145552.html

FADecember 29, 2019 2:09 PM

@clive

> So you have a choice, rather than get caught clinging to the flotsam and jetsam in the currently erratic Python wake, it's possibly best to jump ship to another scripting language that shows a clear direction and steady course.

This, IMHO is pure FUD.

Please show me one scripted language that has the equivalents of numpy, scipy, and lots of other scientific libraries. Or just a tiny fraction of those. And I'm not even considering most of today's machine learning tools. Nor the thousands of other libraries.

Regarding the Py2 vs. Py3 question, I embraced Python 3 from the start (more than 10 years ago now IIRC), and haven't looked back. It's just superior in all ways.

SpaceLifeFormDecember 29, 2019 2:10 PM

@ Clive

I used to like perl. No interest in Python.

Any thoughts regarding LUA?

FADecember 29, 2019 2:17 PM

@Electron 007

> Unlocked phones are, in effect, more or less illegal to possess even after they have been lawfully unlocked by the original carrier after all the phone bills have been paid under the required service contract.
Not illegal in the sense that one is breaking the law, no, but definitely in the sense that one may be arbitrarily arrested and jailed on a warrant.

What exactly do you mean by this, and by some of the similar paranoid and mostly off-topic drivel you have been posting here recently?

The S/N ratio here has been going down steadily this year. I wouldn't mind more stringent moderation.

SpaceLifeFormDecember 29, 2019 2:35 PM

@ FA

Python is a headache.

*You* may have gotten by with Py3 for years, but likely, you have not encountered build tool problems when compiling from source.

When a build tool needs Py2, and Py3 will not work, you have a headache trying to build.

Build tools that require Python suck.

FADecember 29, 2019 3:04 PM

@SpaceLifeForm

> *You* may have gotten by with Py3 for years, but likely, you have not encountered build tool problems when compiling from source.

I have. The solution is very simple. I have both Py2 and Py3 installed and can select which one is used for any job. And all of the stuff I write myself (including lots of C/C++ extensions using the C API directly, no toolset) will work with either of them OOTB.

That said, tools that after 10 years haven't switched to Py3 do indeed suck. There's no excuse for such laziness. One that waited until very recently was GNU Radio, which has other problems as well (lots of unnecessary dependencies).

SpaceLifeFormDecember 29, 2019 3:32 PM

@ Electron 007

This is the opportunity to covertly install an "Evil Maid" bootloader, which will secretly record the passphrase next time the user or "owner" of the device boots it up, hopefully none the wiser.


No need for the Evil Maid.

That is what Windows and firmware is for.

FDE is Security Theatre.

SpaceLifeFormDecember 29, 2019 3:50 PM

@ FA

"The solution is very simple. I have both Py2 and Py3 installed and can
select which one is used for any job."

OK, *YOU* know how to control $PREFIX, $DESTDIR and set your $PATH, etc.

How many newbies trying to ditch Windows are going to do the research, and understand?


ChrisDecember 29, 2019 3:55 PM

Ok, got to go, but I wanted to chime in that I found some more on this Cloudflare thing:
https://trac.torproject.org/projects/tor/ticket/24351
https://github.com/nym-zone/block_cloudflare_mitm_fx
https://searxes.eu.org/

Now that last search page has three vertical lines at the bottom of the page;
clicking that tells you something in some lingo about Cloudflare,
and the whole page looks like it's a modification of a searx engine,
so someone somewhere has done this already... wonder why it stopped.

FADecember 29, 2019 4:38 PM

@SpaceLifeForm

> OK, *YOU* know how to control $PREFIX, $DESTDIR and set your $PATH, etc.

You don't need any of those to switch between Py versions.

> How many newbies trying to ditch Windows are going to do the research, and understand?

I don't know. What I do know is that very few Linux newbies will install from source, nor do they need to unless they want very specialised stuff.

And IMHO those that do install from source should be prepared to learn a few basic things. You get great software for free. Those who created that software have probably invested a lot of time and effort. Just do your own *little bit*. If that is asking too much, stay with Windows.

Reader XDecember 29, 2019 5:31 PM

@Chris

1. It's not "searx" at all. It's meta-meta-search. (searx+other custom engines)
2. They're endorsing Tor. Most of the contents are only available to Tor users. If you visit their Tor website, you'll notice a huge difference.

SpaceLifeFormDecember 29, 2019 5:34 PM

@ Anders

bulletproof-hosting


Can you spot the security holes with CAs and DNS?

Are you sure the attribution is correct?

ChrisDecember 29, 2019 5:47 PM

@Reader-X
Hi. Not a security "expert" but I don't like Cloudflare at all,
that's why I have decided to block access to it, call me crazy.
I've been experimenting a couple of hours with some plugins I've found
as well as iptables block lists, interesting results...

Ok, I thought it was a modified Searx instance but I guess I was wrong.
Anyways, do you know if it is blocking/not showing sites that are behind Cloudflare?
Because that's what I am looking for as a next step.

Tor Site, do you have the URL for that? Is there any source code for this engine,
or is it proprietary?

//Cheers

SpaceLifeFormDecember 29, 2019 5:47 PM

@ FA

"You don't need any of those to switch between between Py versions."

Ok, it's been some time since I encountered the python version problem when building other packages from source.

So, if you can, please elaborate.

Clive RobinsonDecember 29, 2019 6:07 PM

@ Tatütata,

I gather that all those electrolytics are dead

They all go in some way or another (just like rechargeable batteries). Some you can regenerate, others blow their wad or can and have to be replaced.

I've got a Sony ICF2001 radio receiver[1] that was state of the art for its time forty years ago and still outperforms many portable HF receivers today, though small form factor[2] and battery life[3] appear to be the overriding decision makers for modern intelligence agencies like the CIA, NSA and Diplomatic corps.

The problem is after forty years some of the electrolytics need replacing, as I doubt reforming/regeneration will work. This gives me a problem, as being a very low serial number unit it's not just of historic interest, it's a collector's item, which I happen to use almost daily. Do I open it up and change the electrolytics so I can keep using it, or do I stop using it and restore it to "factory quality" and put it on display along with the rest of the historic spy radio stuff I have collected over the years?

Oh, for those wondering what I use the Sony for, it's to put audio into a USB sound card connected up to an ASUS Intel-based netpad that runs software to decode very narrow band data signals used by Ham Radio and other operators, WeatherFAX and similar information useful in doing propagation prediction and the like.

[1] The ICF2001 is the predecessor of the ICF2001D / ICF2010, and all of them were used by many intelligence services in many countries, not just for "number stations" but for getting more general news coverage and the likes of "Some messages for our friends". You can read a little of their history at,

https://cryptomuseum.com/spy/icf2001d/index.htm

[2] As a matter of interest to some, the US State Dept now buys the much inferior "Countryman" version that does SSB, but it also has a number of what I would consider "critical defects", such as improper internal grounding and shielding, thus not just hand desensing but detuning as well, making operation harder than it should be with weak or narrowband signals. However the Countryman is a lot smaller and lasts longer on batteries[3], especially rechargeables.

[3] Battery life is one of the things that you don't often get to hear about as a "critical success factor" in people's "Bug-out Kit" equipment. Whilst you will get to hear about buying ham radio HF transceivers, the recommendations are usually wrong. 100 watt RF output SSB units can draw as much as 4 amps continuously off of a 12-13.8V supply even in receive only, due to bias issues in the RF linear amplifier. Which means a 7 amp/hour SLAB will only work for a little over an hour before it needs to be recharged[4]. Even QRP transceivers like the FT817-ND draw between 0.25 and 0.37 amps with an 11-13.8V supply; whilst considerably better, giving you up to 20 hours off of a 7 amp/hour SLAB, it's still not even 24 hours use. They are thus of little or no use for mainly listening operation, which is what "stay behind" and similar semi or fully covert units do. Thus a radio that does 120 hours --five days-- continuously off of a pair of rechargeable AA cells is what you want to be using.

[4] The State Dept also buys in a well known brand of "powerfilm" solar generators for their intelligence agencies like the CIA, NSA and Diplomatic corps who might have to "field operate" for even moderate periods. Exactly the same brand are also being purchased in very large numbers by the US military for use by not just special forces. Whilst not entirely bullet proof, unlike traditional solar cells that fail with any tiny damage or even a little shading, powerfilm solar panels can and do work with one or two bullet holes and in the shade under camo nets and the like. Also their surface is more matte than glassy, thus they reflect a lot, lot less, which is kind of important when you are trying to stay covert.

Clive RobinsonDecember 29, 2019 6:39 PM

@ Steve,

Re : "Judge, Jury & Encryptioner" paper

I've not had the chance to do much more than a brief skim read, but as far as I can see it fails to address the most important aspect of warrants on private communications.

When the warrant process was in effect invented, part of it was the acceptance that the person under suspicion "would be served" before access was obtained.

This is perhaps the most important and least talked about aspect of warrants: that the person under suspicion becomes aware that they are under suspicion and can therefore usefully spend time defending themselves.

When you spy on a person's communications they have no knowledge that it is going on, thus it might go on for years until the LEOs decide to arrest the person or even do nothing further. Thus robbing the person who has been spied upon of time to start defending themselves, or the ability to force the issue into court so that they can stop any abuse by the LEOs.

Thus spying on people via backdoors, no matter what the perceived social cost to LEOs is, is still a "stripping of rights" issue, which is a very unpalatable form of abuse of individuals' privacy, freedoms, and basic rights.

AndersDecember 29, 2019 6:55 PM

@Clive

The whole purpose of the radio is to work, to receive.
So you need to open it up and replace those capacitors.
What use is from the state of the art receiver if it doesn't
work? Just to gather dust?[*]

[*]Let's not talk about collectors and money and "untouched state".

+ @Wael

PS. as we talked about baud recently, this might be
interesting. Not all terminal clients are equal.
Some can do more. Like 3 000 000.

electronicmethods.blogspot.com/2018/03/test-js.html

Clive RobinsonDecember 29, 2019 7:10 PM

@ SpaceLifeForm,

Any thoughts regarding LUA?

It's been quite a while since I had cause to take a serious look at LUA (we went with TCL in the end as those at the sharp end decided it would be easier to make "bespoke" and "maintain").

So I'm not up to date with either the issues or methods enough to pass comment.

AndersDecember 29, 2019 7:19 PM

@Clive

But regarding bug out radio, that lasts on batteries -
China has massively started to produce dirt cheap DSP
radios.

swling.com/blog/2016/11/jon-reviews-the-vite-vt-111-receiver/

Clive RobinsonDecember 29, 2019 7:42 PM

@ FA,

Please show me one scripted language that has the equivalents of numpy, scipy, and lots of other scientific libraries. Or just a tiny fraction of those.

From what I remember Python has something approaching a quarter of a million libraries. Which is problematical, to put it mildly, especially in the partially shared functionality.

But more important are the side effects of so many libraries on developers: few will ever even read that many library names, nor will they ever be able to read, let alone sufficiently understand, what each library brings to the table that is useful and that which is just space filler...

But that aside, you and I obviously have differing opinions with regard to Python. I simply regard it as a means to an end, which is to get work done; that is the only skin I have in the game.

However I've noticed warning signs with the way Python is being steered, from which history suggests we may expect certain troubles, and I've mentioned them. Your response is to cry "FUD", then offer up an issue that confirms one part of what concerns me.

This suggests you have more of an attachment to Python than most working code developers do.

Reader XDecember 29, 2019 7:55 PM

@Chris


> i have decided to block access to it, call me crazy

You're not crazy, I do block them in my router!

> not showing sites that are behind Cloudflare

CF sites are folded by default[1]. Search something and look below. (there's many options to configure)

> Tor Site, do you have the URL

If you read https://git.openprivacy.ca/cypherpunks/stop_cloudflare you'll find it.

[1] https://github.com/asciimoo/searx/wiki/Searx-instances/2fa034fa5f1575fbc59c8ab8742204a329354bf3

fsck INGDecember 29, 2019 10:44 PM

Professor Plum Can Dance

Just a few minutes ago, i discovered (using an audit tool) an extra and unwanted and not needed storage device hidden within my digital system. i had a hunch it was there; I always have a hunch about these types of things; it's been a concern for over a decade now. But today was different, I actually found obvious proof of it.

To be resilient, I change up my system on frequent whims. It's also a hobby of mine and I learn stuff that way. Also, I don't like being subservient to the blatantly common. I'm still stuck with some mainstream behaviors and tools, but not for everything.

Anyhow, I had started a new system editing project, and after noticing what might have been either some OS design flaws or preliminary evidence of tampering, I started up my system.

After a while, I noticed some completely irrelevant storage activity that I had not initiated. Often these things coincide with proximity to certain annoying (and needlessly hostile) other people in the same room as me. Also, these issues have tended to coincide with wifi annoyances as well.

I'm well aware how premature my system is, yet I am waiting to fix it and make it more "mature" because I don't want to break it while it's delicate by forcing it too much. In the past, I didn't wait this long to fix stuff, and I would deliberately and routinely break some stuff off and throw it away to be sure of a slightly more minimal, more controllable system.

This session is also different because I've been forced to spend way too much time around hostile Americans who won't even attempt to resist their own pathetic pathological obsessive impulse control problems. This is relevant, because they aren't just addicted to hacking, some of them are addicted to theft, violence, damaging drugs, and other forms of sabotage. That's why their credibility is nil / nul. Every other nation attempting to get work and play done ought to take heed to that fact:

There's a surplus of American saboteur provocateurs who cause damages not just for work, but for play, and as a hobby, and as a habit, and out of curiosity, and when they're bored, and when they are angry, and when they are happy, and when they are sad, and when they want to affect others, and when they want to be noticed, and when they want to punish others, and when they want to leave a signature, and when they want to be ignored, and when they are in the news, and when they get new tools (such as VAULT 7).... I hope you get the idea.

So back to my anecdote.
I own my own gear legally, and I legally obtained my own gear, and I legally maintain my own gear.
The saboteurs have zero claims to my intellectual property and zero claims to my purchased and maintained property. They are simply invasive and destructive. Many aren't even in denial about their ill behavior; they simply really don't care; have they been 'radicalised'? Who knows? Maybe, or maybe they were groomed (damaged) from a young(er) age to be living disasters.

Nonetheless, they don't seem to even care that they are severely depleting and destroying their own cultural and technological and social (re)sources. They are pretty much braindead sadistic sociopathological zombies who seem to be electro-conditioned to be nothing else but problems.

It means nothing to talk about their levels of proficiency; they are wired in; it's not any indication of intellect or character.
Make no mistake, these are not foreigners. I meet them in person quite often. They don't make efforts to completely hide themselves nor their sabotage behaviors. This is the "new normal" and they seem complacent if not content.

For those who know the correlations to the developmentally disabled, this is how they end up; not healed, not acculturated, simply trained to be pinned into a secularised, normalised status of perpetual exploitation of others.

That's the visible culture of a humongous quantity of malicious hackers and malware users. For them, it's as easy as a cross-referenced and indexed glance. All the work has already been done for them; we would call them "script kiddies", yet they are even more brainless and baseless than that former era and culture. This new gen / set has no vested interests in much of anything, and they can't be reasoned with nor negotiated with, nor convinced to do anything differently. They won't even participate in communication.

At best, tell them that the DEFCON hacking competition for money will be in Las Vegas later this year, and hope to heavens that Las Vegas can handle all that mayhem so close to Los Alamos Labs and all that.

So what happened with the crypto "disk" I found in my system?
It was busy trying to log or read & write. So I temporarily disabled it. When I have the chance, I will locate it, and physically bludgeon it and remove it from existence and functionality, just like I intend to do to anybody I might catch attempting to physically touch me or my stuff again.

It's not that I'm running out of options, I'm losing patience because the saboteurs treat my property (and your property, and everyone's property) as if it's theirs. They didn't purchase any of it, it never belonged to them and still doesn't. They have zero rational claim to me or my stuff. I don't do "works made for hire" and I never have and never will.

I am legally protected and corroborated by every commonlaw, local, municipal, county, state, regional, federal, and international effort to reduce and prevent total degradation of everything of value and all peoples of valor. And I'm not anybody that important either. The saboteurs just have no clue.

When I can, i'll divest from all this "cyber" BS. But for now, I still was able to get a few things done and I'm not about to do anything serious on a piece of heavily compromised gear. It's the hacker smackers who will be severely disappointed. They anticipate reaping the benefits of covert surveillance, storage, broadcast, monitoring, and analysis. But they won't get anything.

Well, maybe they'll get something.
Arrangements can be made to get the perpetraitors locked up in federal prisons for long periods of time.
And I never surrender the possibility of turning them over to vigilantes or their most violence-prone sworn enemies or rambunctious competiTORs.

On a lighter note, KJU of the DPRK is not such a bad guy. Hear me out, please. When he's not being a tyrant he's wise enough to know that way too many Americans are provocateur saboteurs for all the wrong reasons at all the wrong times in all the wrong places. I'm a decent American citizen and I know these things about many Americans too. I'm not an immigrant. I was born and raised here. And I was abducted and assaulted and stolen from and deprecated here--always by other American citizens.

The "intelligence community" is overgrown. The Georgia Guide Stones are likely a forewarning to make sure that their demographic doesn't get too big and out of hand. (Yet it already did). The Guide Stones do not advocate for murder; Malthus was proven wrong and debunked a long time ago too. But they do seem to imply that having too many cybernetic traversers is bad for civilization and ecology and that limits need to be set and maintained and honored. I agree. And I wouldn't miss the perpetraitors if they were mass exterminated either. That would be a play out of their cultural history anyhow.

They seem to think they need to live up to their NAZI transhuman origins of doom and disaster.
George W. Bush wasn't wrong to attempt to send them on a fool's errand out of the country. He was employing a last resort. They thrive on warfare and disease. And as odd as it seems to consider that they "hate freedom", it's somewhat true! They attack everything normally decent and true and helpful and natural and pleasant.

They are the same miscreants who set California ablaze as arson and as a hate crime. They think it's honorable to be dangerous and to cause loss. It's a normal ritual of theirs to slaughter and trim and spread toxic substances. They can't be persuaded otherwise even by their own neighbors, leaders, coworkers, friends, children, parents, teachers, educators, allies, enemies, idols, victims. They just don't care.

It's not even about their appetites. Whatever neurological brain tissue they have left, is already subservient to the same zero-day digital exploits that they spread like a pandemic.

For peace of mind, always remember: there are physical limits to everything.
There's a good reason why the "cult classic" zombie movies tend to culminate with the righteous needing to successfully pick up physical tools of any sort to hack their heads off if necessary. Zombies want brains and won't take "no" for an answer. Similarly, this current wave of VAULT 7 script "kiddies" wants all our "base" even though it belongs to us and not them. But they won't take "no" for an answer, and have almost no personality left to even contemplate their own spoils.

Peace be unto the righteously meek.
Take back what's yours.
With lethal force if they threaten your lives.

ChrisDecember 30, 2019 12:56 AM

@Reader X
- Ok thank you! I have to implement this now and read those links you sent.
- If you find some other approaches feel free to chime in on Schneier I think it could be apprechiated.

Personally, what I hate most is the loop of endless Captchas when not using Javascript, and I have decided to make a try to really stop using Javascript once and for all. It may cost some, but I am done with it. I can see that it's not going to succeed 100%, so be it, but it will succeed perhaps 95%, who knows. Not too happy with NoScript, so trying out the "Disable Javascript" addon for Firefox to fix the exceptions.
Anyways, it always has a starting point and then some Continuous Improvement; that's the flowpath to tackle these sort of issues.

All in all, I think it's possible for a single user to do something; the problem is the masses of people, they don't know, understand or have any idea of how to resist. That's where I think a search engine is a good alternative, let it be for TOR users as a starting point, that's just fine, eventually it might get attention for the Jim and Joes out there too.

/Happy NY 2020/2563

Clive RobinsonDecember 30, 2019 3:50 AM

@ Anders,

China has massively started to produce dirt cheap DSP radios.

Yes they have, but...

They are mainly not SSB receivers, just Broadcast AM and Wideband FM, which immediately limits their usefulness immensely.

However, like other "consumer products" with limited market size, the producers might not "in house" manufacture or have sufficient quality control (something Japan learned the lessons of back in the 60's which as I've mentioned before is why we have ISO and similar quality standards).

But it gets worse, a lot worse, and is an aspect that everyone should be aware of because it affects "basic security and safety"...

The ones I've tried have had quite bad build quality and the RF front end can be just a nightmare with desense and detune due to insufficient shielding and grounding (which is also a major safety concern). Even the best of them only become tolerable if used with an antenna tuning unit (ATU) or tuned mag-loop antenna at many times their price, which if they are "amplified" can also cause safety issues with these radios... Which cost and safety aside also means they are useless for people who lack sufficient radio-op training with weak signal monitoring (whilst it's easy enough to teach, you have to know someone who can teach you).

Also, like the BaoFeng UV-5R cheap Handheld Transceivers (HTs), they also suffer from extremely variable performance on delivery, often being out of FCC or EC spec. So if you buy one it might be good, but buy a second and you might find you've got a "house brick" or worse a "charcoal briquette" (yes, some do indeed catch fire when connected to a mains supply). So you have to be careful when reading reviews, because reviewers that get sent review units get those the manufacturer "hand picks" for quality off the manufacturing line and carefully distributes. Unlike purchase reviews, where the reviewer has forked over money like any ordinary consumer who gets pot luck at the end of both the variable supply chain and dodgy delivery service, with cracked or broken cases or rattling due to internal items coming adrift...

Also the software can be appalling, for instance one I purchased to test had an alarm function to turn the radio on. Whilst in normal use with an old style radio you turn the radio on the first time and set the volume, and when you turn it on in future uses it retains the same volume setting as you would expect. Well, this digital radio worked that way, except when the alarm function turned it on, then it reset the volume to full on, which is most definitely not what you want in a "traveling radio"... Other times the wrong country code boards go in the cases. Thus if you buy a "UK World Radio" but have a "German World Radio" inside, you lose the bottom end of the HF spectrum --ie marine band-- and top end of the HF band --ie the 11m CB and 10m Ham bands etc-- which is not helpful if those are the bands you want to listen to. Likewise Russian VHF broadcast radio, for what was originally political reasons, does not cover the frequencies used in Europe, US, Japan or other places you might want to go... It's at times like these you really find out what the "returns policy" is all about...

Gerard van VoorenDecember 30, 2019 6:28 AM

@ Wesley Parish,

Linux kernel being written without security and in mind. (KSPP is basically a dead project and Grsec is no longer free software)

Linus always relied on his 100 eyes and that is a rather good solution, but it has been a long time since I have heard about real and proper new security features in the kernel. And of course the kernel is bloated beyond any repair. I don't know, but these days I put my hands in OpenBSD.

@ Chris,

This is my take on 2020:

- Deal with OpenBSD, I mean thoroughly.
- Learn i3wm and its gadgets
- Learn Vim
- Try to keep my servers up and running
- Learn Arduino
- Try some new non-traditional web clients, or try getting rid of the web (read: try Gopher)

AndersDecember 30, 2019 8:09 AM

@Gerard van Vooren

That Gopher part in your take is very good!

gopher://gopher.viste.fr:70/1/OnlineTools/tictacgopher.cgi

Who?December 30, 2019 8:16 AM

@ Gerard van Vooren

Gopher? This protocol didn't take off. Gopher has been mostly dead since the mid-90s and was never considered secure. Think of it as a protocol developed at a time when Internet security was not required; it was born at a time when the Internet was for the most part a trusted world-wide network used by clever and honest people. The Internet will never be the same again.

Clive RobinsonDecember 30, 2019 8:20 AM

@ Gerard van Vooren, Wesley Parish,

it's been a long time ago that I have heard about real and proper new security features in the kernel

The short answer as to why not is "why bother?".

Apparently nobody wants security, and the few that really do know that the OS is too far up the computing stack to stop all the security vulnerabilities Intel and Co are quite deliberately building into the hardware layers, down below the ISA level, which is about as far as software such as the OS can effectively reach security-wise.

Yes, a more secure kernel is desirable, and OpenBSD and Minix are probably the only ways you have available to you to get it these days.

However the only real security path you've got currently with these low down the computing stack hardware vulnerabilities is to come up with "sensible mitigations".

Of which only one mitigation makes any real sense --if the only thing you have control over is the OS and Apps, which cannot help-- and that is "segregation".

Or to put it another way, it does not matter how vulnerable your systems are if you can guarantee keeping attackers away by other means.

And realistically, all you have left these days is "segregation", and that is now at the point where if microelectronics is involved it has to be "Energy Gapping", because you just cannot tell what is tucked away inside SoCs or even SMD chips the size of a grain of rice...

For those that think their hardware will never get the attention of the SigInt agencies hiding stuff inside after intercepting the delivery, think again. Many years ago we had a battle over the "Fritz Chip", where the idea was manufacturers would be forced to put DRM chips without exception into all electronics. We kind of won that battle, but we are losing the war. Why? Because we now have GPS chips in our mobile phones and other smart devices in the faux name of Health and Safety. But LEOs are not going to stop pushing for "backdoors" unless politicians make overwhelming push back against it every time the LEOs open their mouths to spout FUD and things they know to be either untrue or deliberately engineered / manipulated by them to get favourable corner cases.

Thus the old joke about,

    "The only computer that is secure is the one disconnected from all communications and power, encased in tonnes of reinforced concrete and sunk in the deepest part of the Mariana trench"

Would be coming true, if it were not for the fact we now have the technology to retrieve it and dig it out of the concrete...

That is, physical means are no longer enough against a determined attacker; we need properly thought out Crypto. Which unfortunately means we really have to understand how to do "segregation" and "energy gapping" properly, not just for "data at rest" in turned-off storage devices, or being communicated in and out of the system storage devices, but also when the data is being processed inside the system as well.

As @Thoth keeps reminding us, Intel's publicity about secure enclaves etc. is really nonsense. Intel's publicity is a "Guarded Vault Door on a tent", where the guard is not allowed to look around the sides or back lest he sees the queue of people waiting to go through the unlaced flap on the other end of the tent...

As we are unlikely to do crypto in microelectronics securely again the way things are blowing politically, we need to think about how to do secure crypto off of potentially backdoored microelectronics like Intel CPU chips... If we get that right, then the machinations of LEOs become pointless for them and largely irrelevant to those who take a little care in what they do.

If a few more people thought about this as part of their "New Year Resolutions", then people's privacy could take significant steps forward.

But people should keep in mind that trying to fight new battles with old tactics that have lost before is not the best use of people's time.

electrolytic capacitorDecember 30, 2019 10:10 AM

One day about ten years ago, I was working at a bench. A desktop PC that was used to run tests, plugged in but turned off, suddenly let out a big bang and a puff of smoke came out the back. An electrolytic capacitor in the power supply blew, and it took the motherboard with it. Incredible. I've never heard from anyone else over the years who had a power supply blow like that - plugged in but turned off and ruined the motherboard. Usually you think of that happening when it is turned on. But of course, those electrolytic capacitors are sitting across the mains with the rectifier and protection, regardless of whether the PC is on or off. The power switch is not really a power switch but more of an activation switch.

ThinkDecember 30, 2019 10:52 AM

@ Carlos

I would take a look at this page and then do your research accordingly as to what you'd like to understand afterwards.

https://en.wikipedia.org/wiki/TrueCrypt

As always, "standard in and standard out" are the best ways to capture your secrets - what are you typing, speaking, gesturing and what are you reading to and from your connected computing and storage device. What language is it in and what does it mean - the human brain is not so good at directly reading cipher text and transcoding what you see or hear into your native thinking language without significant training -- in order to hide your true intentions and share your true meanings only with those you want to understand you and no one else. (The thought police or whichever nation state does not agree with your ideology).

If I want to know what you are about, I monitor what you input into your thinking device and what you watch, read or listen to from the speakers and monitor -- standard in and standard out. Unless you are a code talker or share a language with someone like Voynich, it is easy to interpret individual actions. In the past there were not enough people to interpret others' actions. Today, we have massive data centers combing through exabytes of data using ML and AI.

For those interested, those that are here to learn and do not already know:

https://en.wikipedia.org/wiki/Code_talker

https://en.wikipedia.org/wiki/Voynich_manuscript

Bruce covered a standard out monitoring tool years ago:

https://www.schneier.com/blog/archives/2014/03/ragemaster_nsa.html


Remember there is a cruel reality to being free - Freedom comes at a price - if "we" do not do the unthinkable, the unpalatable, the perceived impossible...our enemies will. I am free to write this by my fire place while observing my view of the snow on mountains to all that take their precious time to share and learn because of the sacrifices of those that have gone before.

Whether the children of my country will be able to do the same after I am gone depends on the actions of us today. It is unfortunate that the world's nations do not yet agree on the terms of peaceful coexistence.

The theories of Robert Carneiro and Henri Claessen come to mind.

An interesting read:

"The Axial Ages of World History : Lessons for the 21st Century"

https://www.bookdepository.com/Axial-Ages-World-History-Ken-Baskin/9781938158148


Mr. Peed OffDecember 30, 2019 11:55 AM

An editor at Ars Technica has promised an article sometime in 2020 on data gathering and surveillance by auto manufacturers. Should be interesting.

SpaceLifeFormDecember 30, 2019 12:14 PM

@ Gerard van Vooren

Your first lesson for VIM: Learn what the ESC key does.

Someone that knows VIM can get you using VIM in minutes. You will not learn all of the commands and variations immediately, but in a short time, you will be able to edit a file, and save your changes (or exit without saving if you messed up).

An experienced person got me productive in vi (before VIM), in about 10 minutes.

It took 10 minutes because I messed up and then I understood the modes and purpose of ESC. You will learn from the mistakes.

I also have no issues with Gopher.
There is no Javascript in Gopher.

SpaceLifeFormDecember 30, 2019 12:25 PM

@ electrolytic capacitor

It's not for certain 'off' unless you pull the power cord.

Which may be useful during lightning storms.

Gerard van VoorenDecember 30, 2019 1:00 PM

@ SpaceLifeForm,

Yes, I too did work a bit with vi and I really have to learn vim but I understand the ESC key. It's gonna take me a lot more than 10 minutes however ;-)

I also have no issues with Gopher. There is no Javascript in Gopher.

And that is the thing that I mean. The web does not only have JS, but also CSS, HTML5 and a lot of crap that you have to learn. And so much code lying around. I don't know, but there is a lot wrong with the current web. And that is why I am gonna study Gopher.

@ Clive Robinson,

As always your reply is clarifying a lot. I don't really care about the hardware since that is out of my hands anyway (except for not buying them). So the best thing that I can do is to make sure that my systems are okay, and I just don't think that Linux is the right answer anymore. Without sounding like NickP, I also watched a movie about Redox, an OS written in Rust with a microkernel. I don't know about the future of Redox. It might as well die before it even arises. The problem with MINIX3 is of course that the funding ended and I am afraid it's dying slowly. That is a pity, since they did create such quality software and with so many innovative ideas. But I think that the future of OpenBSD is gonna last for quite a while, and those guys care about security.

SpaceLifeFormDecember 30, 2019 1:15 PM

I think it is time for AWS to seriously consider that they are pwned.

I've lost count of AWS dumps exposed.

Every time, it was 'unsecured'. Doubtful.

hxxps://arstechnica.com/tech-policy/2019/12/surveillance-camera-company-wyze-confirms-leak-of-user-data/

Seattle-based Wyze, however, has extremely strong ties to Amazon and strongly denies the allegation that it uses the Alibaba Cloud. "Wyze does have official Wyze employees and manufacturing partners in China, but Wyze does not share user data with any government agencies in China or any other country," the company said.

SpaceLifeFormDecember 30, 2019 1:51 PM

@ Gerard van Vooren

If you used vi in the past, you are good.

VIM basically is a superset of vi. All of your knowledge of vi will work fine.

This is your refresher lesson. I'm done with you, such a great student! ;-)

Your brain will recall:

a, c, cw, i (all followed by ESC)

And

:x or :e! or :w or :w newfile

Or

:0,$ s/foo/bar/g

Or

:!ls -x

Electron 007December 30, 2019 1:54 PM

@SpaceLifeForm

I think it is time for AWS to seriously consider that they are pwned.

I've lost count of AWS dumps exposed.

Every time, it was 'unsecured'. Doubtful.

People tend to run virtual machines and such on AWS with remote desktop or cockpit software for which stock exploits exist in the wild.

arstechnica.com/tech-policy/2019/12/surveillance-camera-company-wyze-confirms-leak-of-user-data/

Seattle-based Wyze, however, has extremely strong ties to Amazon and strongly denies the allegation that it uses the Alibaba Cloud. "Wyze does have official Wyze employees and manufacturing partners in China, but Wyze does not share user data with any government agencies in China or any other country," the company said.

Wyze has been around for a long time. If I remember right, it was a popular system to host back-end billing databases and accounting systems for hotels, motels, travel, and related services. Even in the old days, it was a juicy target for ex-spouses or divorcées with private investigators, news reporters, law enforcement, political enemies and corporate cutthroats digging up dirt on the attendees of various conferences and meetings.

vas pupDecember 30, 2019 2:39 PM

“Security without liberty is called prison.”

"It is the first responsibility of every citizen to question authority.”

“Without Freedom of thought there can be no such thing as wisdom; and no such thing as public liberty, without freedom of speech.”

“Be at war with your vices, at peace with your neighbors, and let every new year find you a better man.”

― Benjamin Franklin

Happy New Year all respected bloggers with good quotes above to follow!

vas pupDecember 30, 2019 2:46 PM

Researchers reconstruct spoken words as processed in nonhuman primate brains
https://www.sciencedaily.com/releases/2019/12/191213115412.htm

"Ultimately, the researchers hope, this kind of research could aid in developing neural implants that may aid in restoring people's hearing.

"The aspirational scenario is that we develop systems that bypass much of the auditory apparatus and go directly into the brain," Nurmikko said. "The same microelectrodes we used to record neural activity in this study may one day be used to deliver small amounts of electrical current in patterns that give people the perception of having heard specific sounds."

The research was supported by the U.S. Defense Advanced Research Projects Agency (N66001-17-C-4013) and a private gift to Brown."

Electron 007December 30, 2019 3:26 PM

@vas pup

"The aspirational scenario is that we develop systems that bypass much of the auditory apparatus and go directly into the brain," Nurmikko said.

What a F-ing Finn!

Do I need to tell you about Satanic cults in Finland that practice various forms of what they sometimes call mentalism?

Yrjö Sakari Yrjö-Koskinen - 1893

Several other passages of the New Testament that point to the incapacity of human reason mean nothing more than that natural reason is limited, confined within its bounds, and thus cannot fully penetrate the higher domains of the spirit; but that does not say that these two spheres stand wholly outside one another. On the contrary, it is fitting in my view to say that the wider spiritual sphere, reaching into infinity, surrounds and encloses within itself also the narrower sphere of reason. The spirit world is reason and, in addition, something else that cannot be fully grasped by reason alone. Thus the truths of religion do not stand so far from rational understanding that they cannot be approached, intuited or, so to speak, gestured toward with the aid of human reason. But without doubt, in the search for them reason alone does not lead all the way. There is a boundary where the guidance of human reason ceases, where a higher reason alone prevails. If human reason, the natural man, as the biblical phrase goes, does not admit this limitation of its own, then that opposition arises ...

In those days, they read the Holy Bible, New Testament, whatever, but they go on and on about the human brain and the natural intellect of man and so on and so forth. They might have modern scientism or pseudoscience instead of the Scripture, but nothing else has changed about those awful Finnish psychiatric brain-cults in over 125 years.

SpaceLifeFormDecember 30, 2019 3:37 PM

@ Electron 007

So, I'm not sure if you agree or disagree on AWS being pwned (or not).

But, I think we can agree that there is a problem, right?

And, maybe people and corps should consider getting off of the cloud?

It's not like the end-user (person or corp) controls the silicon and the internal network.

AndersDecember 30, 2019 3:55 PM

@SpaceLifeForm

Problem is business model.

Look at GMAIL. Why is it free and so convenient? So that people happily use it and give their data away, freely.

Why is there cloud computing? So that govt and privileged companies can get easy access to that data.

How to get money from people more easily? Make something so that they freely and happily give the money away. That's why card payment and now contactless NFC payment were created.

Those cloud computing leaks you see in the media are only the tip of the iceberg. Those are leftovers. The real leaks happened long ago.

Electron 007December 30, 2019 4:01 PM

venturebeat.com/2019/12/30/protonmail-takes-aim-at-google-with-an-encrypted-calendar/

protonmail.com/blog/protoncalendar-beta-announcement/

ProtonMail takes aim at Google with an encrypted calendar

Competing with Google, that's great for them if they're in it for the money, but I am no longer impressed with ProtonMail's Swiss-bank-style privacy and encryption claims. You just can't have your cake and eat it, too. Not like that, at any rate. Encryption and privacy simply do not and cannot co-exist with that lowest common denominator of locker-room jock-strap rick-roll internet advertising and desktop calendar collaboration.

That's like having a F-ing playboy calendar on the wall. They no longer offer even so much as a pretense of privacy with all that "adult" crap they keep pushing along with various related privacy-oriented "services."

@SpaceLifeForm

And, maybe people and corps should consider getting off of the cloud?

I mostly do agree with you. It's ideal to keep important stuff backed up off the cloud, for sure, and not to put really private stuff on the cloud, but for the time being there is no other practical competitive alternative to "the cloud" for the personal or small business website. For some of the reasons I just mentioned, I refuse to run an internet-accessible "server" in my home or on my private property. There's a whole flock of canaries crapping all over everything.

@Anders

Problem is business model.

Look at GMAIL. Why it's free and so convenient?

It's either a moral hazard or a moral catastrophe that has already taken place. There is too much money in your shorts, and they ain't letting you keep your dollars and cents to yourself no matter what.

Impossibly StupidDecember 30, 2019 4:08 PM

@FA

This, IMHO is pure FUD.

No, it's more likely the perspective of a person who has thoughtfully observed a number of technology hype cycles come and go. You just don't have to wait that long until you find some startup show up and push yet another "next big thing" which is held up as solving everyone's problem, only to find that it, too, has its own set of weaknesses that set it up to be the victim of the next hype cycle. In the best case scenario, everyone's just re-inventing things that worked well in past decades ("NoSQL databases are everywhere these days; we sure could use a standard way to extract, transform, and load data for all of them!"). Worst case is that the replacements keep getting worse and worse until industries (and possibly entire societies) collapse. I can easily argue that we're closer to seeing the latter . . .

Please show me one scripted language that has the equivalents of numpy, scipy, and lots of other scientific libraries.

Cherry picking. The same arguments were long made in favor of Perl by referencing CPAN. I worked in a place a few years ago where everyone was R-happy because there were certain necessary statistical libraries available. The fundamental truth is that, from a computer science perspective, you must step back and assess what the various pieces (OS, libraries, languages, etc.) bring to a project and what they cost.

That cost factor is why (steering things back around to security) you still often see systems not being updated to use newer encryption or hash algorithms. Software architects too often make the mistake of over-specifying solutions, to the point where the implementation is a mess of brittle co-dependencies that can't be touched if you want it to keep working (leading to the containerization fad).

It's just superior in all ways.

Nobody with a depth of experience in a wide variety of technologies would ever come to that conclusion. Everything has trade-offs. Any proper scientific analysis contains experiments that can falsify the hypothesis. If you're sure you've found a silver bullet, odds are you haven't even read "The Mythical Man-Month".

SpaceLifeFormDecember 30, 2019 4:10 PM

@ vas pup

Insanity is contagious via audio (face to face conversation) for some.

Since it is DARPA, that's a tell.

Not everyone is going to be brainwashed via audio. Or Video.

But many are. Way too many.

I could write a Ph.D. Dissertation on this.

I have way, way, too much empirical evidence.

And I do not want to think about it.

I avoid insane people as much as possible.


vas pupDecember 30, 2019 4:16 PM

Attention respected bloggers:
On January 21, 2020 the History Channel will start a new season of 'Project Bluebook' based on UFO and government research.

Sorry, just recall - (bleeping) age:(

AndersDecember 30, 2019 4:18 PM

Here we go...geofencing!

www.reuters.com/article/us-usa-cyber-missiles/cia-devised-way-to-restrict-missiles-given-to-allies-researcher-says-idUSKBN1YY1BF

SpaceLifeFormDecember 30, 2019 4:33 PM

@ Electron 007, Anders, Impossibly Stupid

Good, Cheap, Fast - Pick 2

hxxps://medium.com/@devsociety_/good-cheap-fast-pick-two-and-how-ngos-can-play-the-triangle-like-a-pro-20d1380884a8

In a pinch, many go for Fast *AND* Cheap.

They go cloud.

Which means Good is not in the picture.


Electron 007December 30, 2019 4:56 PM

@SpaceLifeForm

Good, Cheap, Fast - Pick 2

hxxps://medium.com/@devsociety_/good-cheap-fast-pick-two-and-how-ngos-can-play-the-triangle-like-a-pro-20d1380884a8

In a pinch, many go for Fast *AND* Cheap.

They go cloud.

Which means Good is not in the picture.

That's 2/3 =~ 66.67%. Not a passing grade.

Better, cheaper, AND faster is the correct answer.

If one provider is not delivering it good enough, fast enough, or cheap enough, then I have to be able to go elsewhere.

If there is a cartel artificially restricting supply and establishing legalistic and regulatory barriers of entry to competitors, then I have no choice but to join the ongoing war against the cartel. They have taken our property away from us by force. By greater force and greater violence, we must take back from them what they have deprived us of. They leave us no alternative.

Those firms are neither hiring us to work for them nor allowing us to go in business ourselves to compete with them. They need to go to hell if they cannot offer to us _as_consumers_, what we reasonably need for our own business and private use, at a reasonable price, such as if a free and equitable market existed for the tech industry's proprietary products.

SaaS = lip. I'm the customer. I don't want it. I don't want my data held captive. I don't want to be forced to pay for crippled services or crippled software from which I cannot realize the full economic "consumer surplus" or beneficial use.

Clive RobinsonDecember 30, 2019 5:57 PM

@ Electrolytic capacitor,

I've never heard from anyone else over the years who had a power supply blow like that - plugged in but turned off and ruined the motherboard.

I've seen similar a number of times, and they all involved the capacitors of a certain Far Eastern manufacturer... DELL computers used the capacitors and had a run of their computers going pop in this way.

The simple fact is most electrolytic capacitors rely on the insulating properties of a very, very thin layer of oxide or similar on the surface of a metal foil or metal particulate. If that breaks down, then they become conductive in the electrolyte, which being a liquid rises in temperature and eventually becomes a vapour with a significant "over pressure", and things go kinetic just like bullets do if there is not a way to release the pressure more safely.

When I was younger, some four decades or so ago, as part of funding my way through education I had a part time job doing "goods inward test" on electronics for a major broadcasting organisation that designed its own equipment but had it built by others.

A lot of this equipment was designed to fit into sub modules in 19 inch rack equipment. Thus it was generally an "open design" with a front panel, four extrusions that were also slide rails near the corners, and a back panel that had the connectors, fuses and similar mounted on it. The PCB would sit between two extrusions and might have a semi rigid plastic insulator against the solder joint side (no surface mount back then) if high voltages were used.

One day I had a hundred power supplies to not just test but set up and calibrate. This involved adjusting potentiometers with a jeweller's screwdriver to get the right values, then putting a drop of a locking compound on them. Thus you had to look inside the unit when it was powered up...

The procedure was "visually inspect" first, then connect into the test jig and power it up, then adjust.

On one I did not see that a large electrolytic was the wrong way around, and shortly thereafter its can went past the side of my face and cut my ear in passing. Luckily I wore glasses, and the molten and burning electrolyte and foil splattered on them and my face, giving a few small burns. Unfortunately I did breathe in some of the vapour/smoke, which I've been told would have been rich in not just toxic materials but ones that are also carcinogenic...

Not a good day, but a lesson learned about the time delay on electrolytics exploding after power up the wrong way around.

On telling a close friend who was also power RF electronics mad about the sheer explosive force, he revealed he had a box of twenty year old electrolytics that were no good. So we got a couple of car batteries and a four foot length of plastic water pipe the capacitors just fitted nicely into, being a little under an inch and three quarters across and about three and a half inches long with screw connectors at the bottom. Well, we screwed some leads on, put a capacitor in the bottom of the pipe and connected it up the wrong way with around ~26V; a short fraction of time later it exploded and the can went very much higher than the house and quite a distance away into a neighbour's garden some eight houses down...

It did not take long to "get the range" up and accurate, we even got it to go over the house, across the road over the houses on the other side, over their gardens and into the gardens behind then where they landed.

All good fun, and it was not until wearing the green that I improved on that using two thunder flashes. You would strike one, drop it in the pipe, wait a second or two, strike the second and drop it on top. The first would explode, flinging the second into the air where it would explode, making a fairly good imitation of a mortar attack. But we also went one better with "diver recalls", which are in effect thunderflashes that are electrically detonated and will quite happily be immersed in liquids without problems...

So take a large thick plastic container used in the catering industry for bulk delivery of vinegar and similar liquids. Throw a rope over the top of a tall tree[1] and tie it to the handle, pour in a pint or so of petrol / gas and about a third that of diesel / fuel oil optionally add about a half cup of sugar and give it a good shake to mix it up. Then wire up the diver recall drop it in and screw the top down tight pull the container as high into the tree as you can get it. Connect the wires from the diver recall to a drum of "Don 10" field telephone cable and get as far away from the tree as you can. Put on ear defenders and wait for signs of the "blue team".

When the blue team get about two hundred yards away press the switch... The result is a very large bang and a really good mushroom cloud... Watch through binoculars to see if blue team do their NBC drills properly or not, when they are getting their gasperators on then hit them with simulated mortar fire... Few blue team members ever pass the test even the second time as it really is mind numbing ;-)

It might sound cruel but, back in the 80's the cold war was still hot, and the use of battlefield nukes or "suitcase nukes" by the Russians was expected. Also as far as training went, nowhere near as cruel as what we were told the Russians were doing. They apparently trained with real chemical weapons and would accept 10-12.5% real casualties during training, then punish those who didn't die...

[1] Best done with a catapult and fishing line as a "leader line" to then pull the rope up, a skill learned from being involved with medium wave pirate radio... Apparently amongst US Ham Radio operators getting a line over a tree has now become a fun mildly competitive sport, but there is always one...

https://m.youtube.com/watch?v=RyC2g-5uMIo

Clive RobinsonDecember 30, 2019 7:06 PM

@ SpaceLifeForm, Electron 007, ALL,

And, maybe people and corps should consider getting off of the cloud?

No matter what you get told, even if you are the CIA, there is no guarantee of security or privacy with external "Cloud Solutions" for the simple reason your data / information has crossed out of your "Zone of Control" to a second or third party's "Zone of Control", thus you have neither control nor auditability, thus no real oversight on your data and its security[1].

Thus you have to assume that the owner of the second / third party Zone of Control is going to,

1, Minimise their not your risk.
2, Minimise their not your liability.
3, Take up deceptive reporting to assure the first two points.

You thus must act accordingly to mitigate those points, and contracts or criminal liability just will not do it.

If you don't believe this look at the history of Certificate Authorities (CAs) and general security products like Secure Tokens. Or other areas where history tells us that even significant sanctions such as prison time for directors do not really change the points.

Thus the safe assumption is that the use of the cloud will cause a maximal privacy or other security failure and that you will have to pick up the risk and liability that goes with it. As it's a "when not if" situation when you are putting your data into such external operations.

And this is all before issues to do with "lock-in" and "data ownership". Whilst in theory it's your data what happens to your data when you leave the service? Will they return it to you? Will they secure erase it from their servers? (unlikely). How about the backups they have made, will they erase those? (very unlikely). What happens if they go bankrupt? How about if they get taken over? What about end of life or failed servers hard drives etc?

But then there is also the vexed question of how your data gets from your zone of control to their zone of control or a third party's zone of control? Remember Google with its use of encryption on the public network from you to them, but importantly no encryption on their third party private networks between their various sites' zones of control, which is where the NSA etc tapped the Google customers' data on an industrial basis.

Thus you really have to assess what the data is worth directly and indirectly to other parties, especially if they can get at it in what is in effect as near real time as makes little difference in most cases (High Frequency Trading being one partial exception).

The old question of,

    Next quarter's profits -v- company existence three or so quarters down the line.

Is a vexing one, after all you are supposed to have "the shareholders'" best interests at heart. But does that mean "short term" or "long term"? I'm sure it's not supposed to mean "Profits today, Total loss tomorrow", but that's not the way a lot of execs apparently play it.

Thus realistically only put data in the cloud that is in effect "public" anyway and that you keep good copies of. Which in most cases negates the use of the cloud due to lack of use cases.

[1] A point of view I assumed was obvious before the "X as a Service" trend got named. But even though I and others said as much, people and corps have jumped right in with no real or in many cases apparent consideration at all.

Clive RobinsonDecember 30, 2019 7:28 PM

@ SpaceLifeForm, ALL,

With regards the Wyze statement of,

    ... but Wyze does not share user data with any government agencies in China or any other country,"

Spot the loop hole?

Yup, no mention of "private agencies" which many Governments put in as buffers or fire breaks.

Which as we know from both US and UK Government behaviour is a way to stop the likes of Freedom of Information requests and much else, including gaining "plausible deniability" via "commercial confidentiality" of a legal entity. In the case of the UK this included killing people in large numbers...

Electron 007December 30, 2019 7:31 PM

gizmodo.com/the-chaos-of-californias-new-privacy-law-has-already-be-1840730477

The Chaos of California's New Privacy Law Has Already Begun

There is a pernicious attitude of "town hall policymaking" where experts make policy at various international conferences, which they then pass into law in some parochial jurisdiction or another, perhaps where some of the offending companies are headquartered.

https://www.archives.gov/founding-docs/constitution-transcript#toc-section-8-
The Congress shall have Power ... To regulate Commerce with foreign Nations, and among the several States, and with the Indian Tribes; ...

Note, "The Congress." That is, the Congress of the United States. Not the legislature of the State of California. Not the assembly of some city or municipality somewhere.

I do not particularly oppose the privacy protections being enacted. What I oppose is the attitude and the dangerous, irremediable precedent that extends the reach of petty parochial legislation throughout the world without any limitations or security of rights for the accused who may reside in a foreign jurisdiction.

Amendment VI. In all criminal prosecutions, the accused shall enjoy the right to a speedy and public trial, by an impartial jury of the State and district wherein the crime shall have been committed, which district shall have been previously ascertained by law, and to be informed of the nature and cause of the accusation; to be confronted with the witnesses against him; to have compulsory process for obtaining witnesses in his favor, and to have the Assistance of Counsel for his defense.

I am dumbfounded by the attitude of parochial red-light district stupidity exemplified by the unwarrantable jurisdiction of state laws and regulations and by the widening chasm between the law and the enforcement of the law that has opened up in the United States.

Do whatDecember 30, 2019 9:20 PM

Is this from proton mail credible?

“Update required
Our developers regularly release software updates that improve the security, reliability, and user experience of ProtonMail. Most of these new versions are recommended but not strictly required.
On some occasions, however, we will release versions of our software that are required for all users. A required update means that any older versions of our apps will no longer work, and to continue using our service all users will have to update to the latest version at that time.
This article explains why required updates are necessary and how to complete an update when it is available.
Why we have required updates
We are constantly working to improve the ProtonMail web and mobile apps, adding new features and fixing bugs from previous versions. Many of these improvements are noticeable to users, while some are only apparent in the code that the apps are built on. Apart from this, operating systems and browsers are also being updated and improved. Over time, these updates can affect the ProtonMail software. This can sometimes mean that the app becomes slower or functions no longer work as expected.
Periodically, we release a version of ProtonMail that contains all the features and fixes up to that time, allowing us to discontinue old and unnecessary things. These required updates allow us to deliver new features, improvements, and security patches to everyone. ...

Do whatDecember 30, 2019 9:39 PM

Electron OO7

“Good, Cheap, Fast - Pick 2”

I thought you were talking about dental work; good, fast, cheap and painless

WeatherDecember 30, 2019 10:37 PM

@do what

our software that are required for all users. A required update means that any older versions of our apps will no longer work,
Try looking at the lines

WeatherDecember 30, 2019 10:40 PM

required for all users.

Or

apps will no longer work

Fear, authority etc, depends on which way you lean

MarkHDecember 31, 2019 12:55 AM

@Electron:

experts make policy at various international conferences, which they then pass into law

To be clear, state and local laws in the U.S. are generally enacted by legislators or other officers elected by the people in their jurisdiction, who typically serve fairly short terms. Laws aren't passed by experts, unless those experts have managed to win election.

In the quotation from the U.S. constitution, a key phrase is "among the several States." The article is silent about the regulation of commerce WITHIN a state.

Further, consider the 10th Amendment:

The powers not delegated to the United States by the Constitution, nor prohibited by it to the States, are reserved to the States respectively, or to the people.

Because the U.S. constitution neither authorizes the federal government to regulate commerce inside a state (not explicitly, anyway), nor prohibits states from doing so, such regulation by a state does not violate the cited constitutional language.

The 6th Amendment refers specifically to "criminal prosecutions," and does not apply to any civil law. California's privacy law imposes (as far as I've read) only civil penalties in the form of monetary fines: no prosecution, no trial, no prison terms, no criminal record or other impairment of liberties.

Further, it would seem to me that only corporations will be liable for such penalties, not persons. And penalties can be avoided altogether by corrective action within 30 days. Criminal law doesn't usually work like that ...

HenkDecember 31, 2019 4:53 AM

"ProtonMail's Swiss-bank-style privacy"
"Swiss-bank-style privacy"
What does this mean?
Seems some posters live under a rock.

1&1~=UmmDecember 31, 2019 5:20 AM

@Henk :

"What does this mean?
Seems some posters live under a rock."

Whilst I don't know if you live under a rock or a bridge for that matter, the meaning is quite well known to many people.

So many in fact you can look up the 'Gnomes of Zürich', as Wikipedia has a page on their alleged behaviours, which hopefully you will then understand in relation to the behaviours of the organisation in question.

Oh and have a pleasant and peaceful new year.

FADecember 31, 2019 7:10 AM

@Impossibly Stupid

> No, it's more likely the perspective of a person who has thoughtfully observed a number of technology hype cycles come and go.

And so have I. Current ones are 'AI' and 'Cloud'.

Clive didn't give any rational argumentation at all for his opinion on Python, and that is why IMHO he's just spreading FUD.

> Cherry picking.

That could be said about any example. I chose numpy and scipy because they are toolsets, not just applications, being used daily by millions of scientists and engineers, along with similar tools for e.g. data analysis, visualisation, user interaction, sensor interfacing, etc. And these are just the generic tools, a lot more exist specifically for many branches of science or engineering.

Please show me an alternative scripting language which offers such tools and allows you to easily combine them. Most of the new ones are geared towards web development and little else.

> It's just superior in all ways.

As you should have known from the context, this referred to Py3 vs Py2, not to Python vs all the others. And in that context, it is simply true. There were good reasons for each of the incompatible changes that were made in Py3.

Anyway this is going way off-topic.

Best wishes to all for the next solar orbit.


Sherman JayDecember 31, 2019 11:23 AM

College students' debt burdens are atrocious and exacerbated by the DeVos frauds, now to add injury to injury:

hxxps://www.techdirt.com/articles/20191226/12031843636/tracking-college-students-everywhere-they-go-campus-is-new-normal.shtml

hxxps://www.techdirt.com/articles/20190915/13384942992/university-alabama-is-using-location-tracking-app-to-punish-students-leaving-football-games-early.shtml

hxxps://www.washingtonpost.com/technology/2019/12/24/colleges-are-turning-students-phones-into-surveillance-machines-tracking-locations-hundreds-thousands/

If you don't have a 'smart' phone and allow the tracking do you get expelled?

The earlier comments: living under a bridge or a rock refer to possibly the only place people will be safe in 2020. And I remember a cartoon when Dilbert gave the pointy headed boss a new, fully secure 'laptop' and later the boss held it over his head shaking it and saying 'reboot' (it was actually an etch-a-sketch children's toy)

But, I hope for and wish all, a better 2020 than the year we experienced in 2019.

Sherman JayDecember 31, 2019 11:43 AM

In ~2003 the company I worked for bought a new 'white-box' computer built by a local company (it wasn't a Dell, although I believe Clive is right, many Dells of the same vintage suffered the same fate). By 2005 it simply ceased to boot. I opened the case: all the electrolytic capacitors had burst at the top and a white substance was oozing out. I looked into this and found that most motherboard manufacturers used capacitors that were made using an electrolyte paste from a single small company (in Japan, I think). And that that electrolyte was defective and millions? (huge numbers at least) of motherboards self-destructed a couple of years after manufacture.

Impossibly StupidDecember 31, 2019 12:21 PM

@FA

[Cherry picking] could be said about any example.

Exactly, which is why the onus is on you (not Clive or anyone else) to give that "rational argumentation" in favor of Python. The field of computer science is flush with languages that provide little more than syntactic differences. There are very few that offer deep semantic structures that truly allow us to effectively approach problems differently. If, for example, Python offered a way to more easily use the multi-core architectures at the heart of modern hardware, you might have a selling point. By not taking that sort of approach, you're simply not thinking scientifically about the issue.

Please show me an alternative scripting language which offers such tools and allows you to easily combine them.

I've already mentioned two (Perl and R). I mean, if memory serves, two decades ago Perl was the first language I heard of that offered a module to interface with a (simulated) quantum computer. Again, pretty much all languages do what you want, so I could create a very long list for you. The better approach is to look at a problem and ask "Why is Python (or Java or whatever) the best choice to implement the solution?" You've said nothing about your pet libraries that indicate they could not have just as easily been provided in another language. In my experience, 9 times out of 10 a language is chosen simply because it is the lone hammer in an inexperienced developer's toolbox.

As you should have known from the context, this referred to Py3 vs Py2, not to Python vs all the others.

It's all subsumed by the "reimplementation" issue. If someone has a working solution, anything you do that breaks it and forces them to re-do the work is not going to be eagerly adopted. Just because someone did something in Python 2 (whether it was 10 years ago or just yesterday) doesn't mean they're just itching to put in the effort to get it working in Python 3. To many, you're just acting like the "stop liking what I don't like" meme. Take a step back and see the bigger picture if you actually want to help make things better.

Anyway this is going way off-topic.

Not at all. It has direct application to the security field and highlights overall organizational momentum. Like I said, it's sheer naivety for people to act shocked when, say, a company gets hacked and we discover their accounts all still use MD5 as their underlying password hash. The fact is that there are many companies I've gone into wearing my normal Technology Consultant hat and seen things that would be critical issues if I were wearing my Security Consultant hat or even my general Business Analyst hat. But without authority to fix all the problems I see, all I can do is mention them as extraneous issues and focus on the job I was hired to do. Point being, a holistic approach means trying hard to see if something is related to the issue at hand before declaring it not.

AndersDecember 31, 2019 12:33 PM

@Sherman Jay

There is an official name for this, a lot of big brands were affected and also industrial espionage was involved :)

read:

en.wikipedia.org/wiki/Capacitor_plague

MarkHDecember 31, 2019 12:35 PM

@Sherman Jay:

You misremembered it as Japan, and I misremembered it as the People's Republic of China ... according to Wikipedia, it was Taiwan.

What I remembered correctly, is that the scandal reportedly stemmed from a few guys who had worked in the industry and decided to start their own company to make electrolytic caps ... but without a proper understanding of what made the good ones work.

Most of the major computer manufacturers were affected, including Apple. The cost was probably in the billions of dollars.

Most of the failures occurred between 2002 and 2005, so your experience was near the height of the tsunami ...

A "dirty secret" of electrolytics is that unlike most components in modern electronics, they "wear out" rather like incandescent lamps do. If they were well made -- and the design protects them from excessive temperatures -- they will almost always outlast the lifetime of the product they're part of.

But people who use or maintain old electronics, whether out of nostalgia or because of the continued use of legacy equipment, need to be aware that these capacitors may require replacement.

Electron 007December 31, 2019 12:59 PM

@Sherman Jay, Anders, MarkH

There's some urban legend of "capacitor plague" and it's so irremediably stupid that we've got to consult Urban Dictionary or Encyclopædia Dramatica for a true and correct definition in a court of law.

And that serves as full legal, business, and international trade union justification to

(a) pay big bucks to import inferior product from Asia to the United States

and

(b) step up enforcement of labor union, corporate, civil rights, managerial, environmental, worker safety and interstate commerce prohibitions, as well as local, state and municipal regulations that prohibit the manufacture and sales of any competing product within the United States.

Electron 007December 31, 2019 2:04 PM

Hackers on the forum? Cypherpunks? Please tell me what this is all about.

cointelegraph.com/news/secs-cryptomom-talks-new-rule-changes-and-meaning-for-crypto-with-cointelegraph

SEC’s Cryptomom Talks New Rule Changes and Meaning for Crypto With Cointelegraph

cointelegraph.com/news/digibyte-founder-jared-tate-talks-binance-listing-woes-dangers-of-the-status-quo

DigiByte Founder Jared Tate Talks Binance Listing Woes, Dangers of the Status Quo

Hester Peirce doesn't mind the “crypto mom” moniker she's garnered for the pro-cryptocurrency stance she's taken in her role on the Securities and Exchange Commission. Jul 16, 2019

beincrypto.com/binance-begins-shaking-down-projects-for-protection-money/

Binance Begins Shaking Down Projects for ‘Protection’ Money


Back in 2018, Binance overhauled its listing policy and released a statement claiming it would no longer be charging listing fees. However, if a recent tweet by Digibyte CEO Jared Tate is to be believed, this might not be strictly true.

According to the Digibyte founder, representatives at Binance tried to strong-arm the project into providing $300,000 plus 3% of all DGB in order to protect against hacks, thefts and other issues. It remains unclear exactly how the $300,000 would be used to accomplish this, though the entire move seems similar to requesting ‘protection money.’

Damn, these goodfellas are getting cute with other people's money. And how's that whole crypto-currency house-of-cards thing staying up? Siuslaw Finance out of Oregon? Funding from Asia?

What is with these people? Are they the ones who helped themselves to my bank accounts + all real property in my name and put out a side contract to have me civilly committed in the casino nuthouse way back when? I'm telling you, some of these fellas are going away for a long, long time in the fed pen, cuz I know I ain't ready to forgive and forget any of this stuff. Not in this life. Not when I have to hide out from these buggers and they have control of the banking system, the whole ABA schmeer + all the labor-union-local city cops on their side of the law, confiscating my mail, and seizing my checks.

Clive RobinsonDecember 31, 2019 2:58 PM

@ ALL,

With regards the "capacitor-plague" you might find this interesting,

https://www.theguardian.com/technology/blog/2010/jun/29/dell-problems-capacitors

By the way some court cases over this appear to be still rumbling on currently, so be cautious.

Oh and note the words of caution given in the article of,

Back in 2003, Dennis Zogbi, president of Paumanok Publications, an expert on the market for passive components, told me that the problem is that "People want Western quality at Chinese prices," he said. "Well, you can't have both."

Especially when people forget to think about how defective components are easily "re-branded" and sold again under a different name back into the "grey market".

It's a recurring problem and the wheel appears to rotate every nine months or so on this, with some of those original bad caps still turning up even today. They have a habit of ending up on "non-in-house lines" that make the first run of electronic toys and IoT devices.

So if you are going to go cheap electronic buying via "China markets" here is another piece of advice from people who wear the green, which is,

    One is none and two is one.

Put simply, if you are going to buy on the likes of Chinese market places it's best to buy more than you need as some are guaranteed "DOA".

vas pupDecember 31, 2019 3:14 PM

Apple accused of crackdown on jailbreaking
https://www.bbc.com/news/technology-50956680

"Jailbreaking is a process by which Apple's operating systems are modified to remove restrictions and give greater control to the user.
It also allows users to install apps that haven't been approved by Apple, and gives the option to customize the interface in various ways."

Q: Why is jailbreaking illegal in the first place?
If you can download an application for a PC from the developer of new applications without approval of the developer of the operating system, why is the same not legal for smart phones?

SpaceLifeFormDecember 31, 2019 5:04 PM

When you can smell the stench over kilometres of fibre, thru many routers...

And you know the source of the stench without having to read the link...

Then, you know there is a serious problem.

A Major Serious Problem.

But, I read the link to confirm my suspicions.

hxxps://www.nbcnews.com/tech/internet/how-online-cloud-buckets-are-exposing-private-photos-other-sensitive-n1105056

Petbroker using AWS? Check.
Hellotech using AWS? Check.

AWS is pwned.


Electron 007December 31, 2019 5:19 PM

SNAIL MAIL HACKING

Can't rent P.O. Box. Quote verbatim from page.

Additional Services

The following services are included with your PO Box at no additional charge (Select each Additional Service you wish to use. See Customer Agreement for details).

[ ] Street Addressing - Your PO Box comes with a real street address so you can order online and receive packages from any shipper.

[ ] Signature on File - You don't have to go to the retail counter to pick up certain signature and insured items. (Priority Mail Express®, Signature Confirmation™, and Insured Mail greater than $500)

[Input contact details ...]

*denotes required field
You will be required to complete identity proofing at the Post Office™ to activate your PO Box after your online reservation is complete.
Please make sure the address listed below matches the address on your two acceptable forms of identification.

That is the language they use at the site usps.com.

"Identity proofing."

"Your two acceptable forms of identification."

That is grammatically presumptuous. Not even correct English. And it's all connected to a really nasty, poorly secured backend CRM system at salesforce.com.

This appears to be a hostile foreign takeover of the U.S. Post Office somehow mediated by striking American Postal Workers Union (apwu.org) employees.

AndersDecember 31, 2019 5:37 PM

@SpaceLifeForm

What's your TZ? Any 2020 already visible there?

Here at UTC+2 most certainly is!

and THANKS for ALL!

Electron 007December 31, 2019 5:55 PM

@Anders @SpaceLifeForm

I am dumbfounded.

hxxps://aws.amazon.com/featured-partners/salesforce/

AWS and Salesforce Your fastest path from idea to impact

As the #1 CRM and the most adopted Cloud Platform, Salesforce and AWS offer cloud services with strategic integrations based on a foundation of security and simplicity. With innovations in AI, voice, productivity, and cloud training, we are your fastest path from idea to impact.

USPS is on Salesforce, and Salesforce itself is on AWS.

It's all connected, and it is most definitely PwNed !!!

No wonder I can't get my snail mail.

Clive RobinsonJanuary 1, 2020 3:03 AM

@ ALL,

Two things,

Firstly a Happy New and prosperous Decade to all :-)

Secondly has anybody been hit by CISCO's Y2K02 issue of their self signed certs stopping?

Clive RobinsonJanuary 1, 2020 3:43 AM

@ SpaceLifeForm,

AWS is pwned.

As well as being owned by people who care not a jot about the problem, because it's not AWS's risk or liability as they have "externalized it".

You had to check it was AWS, obviously the reporter who wrote the article would have known it was AWS but for some reason did not mention it... Perhaps people should ask why the reporter did not mention it?

The problem with the big "X as a Service" suppliers is they now consider themselves like banks as being "too big to fail" but also not encumbered by any legislation traditional deposit takers are bound by.

I know people don't like the idea of legislation and regulation being applied to "information industries" but if "information is the new currency" that people claim it is, then we should apply the hard lessons learned from history with traditional deposit taker legislation and apply it to information deposit takers.

I suspect that AWS's and other "cloud" providers overly paid lobbyists are already hard at work quashing such ideas as fast as they arise.

Clive RobinsonJanuary 1, 2020 5:18 AM

@ FA,

In your reply to @Impossibly Stupid, you said,

Clive didn't give any rational argumentation at all for his opinion on Python

Did you not read my comment at,

https://www.schneier.com/blog/archives/2019/12/friday_squid_bl_709.html#c6803421

Perhaps your definition of "rational" is different, but the near quarter of a million libraries is a very real problem.

You might see it as a smörgåsbord of choice, I see it from past experience as a quagmire of orphaned code copying and augmentation and "interdependencies from hell" without a road map or, as you get down close to it, even faint paths to follow. Whilst some libraries have had the benefit of conscientious and academic / experienced / professional development, that does not apply to all, some of which are at best "hobby developments".

I could go on as could many others, but the serious point is that the majority of languages fail and die as nature intended because they cannot evolve. Some can be augmented in various ways to go on; C for instance had a number of problems that got resolved but there are others that will not. Whilst C is still popular for a whole host of reasons it has passed its time, and has become the basis of other languages. C++ for instance added new types and needed enhancements to C but did not fix some of C's issues. The problem with C++, as people are starting to realise, is it's quite an awkward language with way too many libraries and other things (I'll leave the metaprogramming issues to others to go into, but a language within a language bolted on at a later date is well...). The simple fact is C was designed for sequential programming and that's not the way the world works any longer, much though many programmers hate to admit it.

Python likewise is a child of its time but you can see all the issues we saw with C, C++, Perl5, Java and other languages that tried to stay relevant happening within Python as programming needs grow away from it with time. I have a bookshelf with a lot of Python books going back more time than I care to think about, but in them you can see how Python has tried to keep itself relevant to programmers, but at the end of the day "that's following not leading". Further there is only so much you can carry before you get clumsy then unstable if you are not first crushed by the weight.

As has been noted by others "a hammer is a useful tool" but if that is all you have in your toolkit you better hope all your problems involve hitting things. Too many programmers only have one or two tools in their toolbox and whilst they might be more skilful with them than others, it really does limit what they are capable of doing effectively, efficiently, safely, or with useful, maintainable results. Due to a number of factors, not least of which are the laws of physics, programming is going to have to change majorly in the very near future if progress is going to be maintained. An appreciation of the history of toolmaking might help you get a wider perspective.

mostly harmfulJanuary 1, 2020 6:28 AM

Happy New Year to all.

Maybe somebody here will find this amusing:

@grauhut 30 Dec 2019 |

From my vast personal collection of slightly cursed items: Pants of truth Wonderous item +1 to Charisma. Should your character lie, they'll inflict 2d8 damage by catching fire. This will destroy the item. #DnD #pnp

( source: twitter.com/grauhut/status/1211661197403144192 . #DnD is clearly “Dungeons and Dragons”. But I do not know what #pnp is supposed to be. Best guess is “Paper and Pencil” games.)

The charisma modifier baffles me. For verisimilitude I think it should be a penalty, not a bonus.

electrolytic capacitorJanuary 1, 2020 10:14 AM

Paper: https://eprint.iacr.org/2019/1492.pdf

This paper is making its rounds (no pun intended) and getting popular support, some saying that reducing the number of rounds is what IoT really needs (to save power, memory, etc.). Numerous references to Bruce Schneier. Paper claims original research to this end. Reading the paper myself, it does not seem so much like original research.

The column below by Prof. Bill Buchanan heralds the paper and actually calls it snake-oil - that symmetric encryption (aka block ciphers) needs all that many rounds (e.g. let's use AES256 w/10 rounds instead of 14).

https://medium.com/asecuritysite-when-bob-met-alice/jp-fighting-snake-oil-and-analysing-security-v-performance-analysed-attacked-wounded-and-9e799f32b93d

Not sure, but Matthew Green may be referring to this stuff in twitter thread "we’ve made downloading a single webpage literally 12,000x as expensive as HTML1.0 but by all means let’s play some risky-ass games with crypto to save a factor of 2x."

CuriousJanuary 1, 2020 1:24 PM

I just watched a "NASA 2020" promotional video on youtube and apparently there is this brief segment touting a NASA drone traffic control project. No idea what that is, but it sort of sounds like it might be for, well, controlling drone traffic (video showing a generic small propeller drone).

AndersJanuary 1, 2020 2:11 PM

Now that 2020 is here, let's see...

www.techrepublic.com/article/google-cloud-charging-for-ipv4-but-proper-ipv6-support-is-still-missing-in-action/

Do whatJanuary 1, 2020 2:13 PM

@Weather, All

“Fear, authority etc, depends on which way you lean“

I found this from Wikipedia:

“On 30 October 2019, ProtonMail open sourced its iOS app, releasing the code on github and publishing its audit results by SEC consulting.[26]“

AFAIK ProtonMail only has apps for Android and iOS.

I assume the iOS app is no less secure than using Safari w/javascript turned on to access ProtonMail

Might the iOS app be better than linux, unix, mac, or windows’ browser use to access ProtonMail?

Electron 007January 1, 2020 2:14 PM

@Clive Robinson • January 1, 2020 3:43 AM

@ SpaceLifeForm,
AWS is pwned.

As well as being owned by people who care not a jot about the problem, because it's not AWS's risk or liability as they have "externalized it".

No. They cannot "externalize" these problems.

The problem is excessive "capital deepening" https://corporatefinanceinstitute.com/resources/knowledge/economics/capital-deepening/

Capital deepening of course is intended to "increase the productivity of labor" in all that mercantilist jargon of land, labor and capital. But the general problem with it is that it's too late. They got in too deep by making uninformed promises and unalterable long-term plans, and forfeiting the agility of their business model in an environment of rapidly changing technology. They already invested too much money on false and unreasonable assumptions of security and convenience.

Too much money is invested in the "old way" for them to consider "new ways" of doing business. It's either the "old way" or bankruptcy.

The Sinaloa Cartel of Mexico and Southwestern United States faced the same problems of capital deepening. When that cartel got in too deep financially, the Jalisco New Generation Cartel took over much of their territory, with a fair amount of New Age philosophical rhetoric and a way of thinking that was not familiar to the old Sinaloa dealer networks.

SpaceLifeFormJanuary 1, 2020 3:22 PM

@ Electron 007, Anders, Clive

When I say AWS is pwned, it is not just in the traditional sense. Electron 007 and Clive allude to the other angle.

I most certainly believe AWS is pwned in the traditional sense. (But, not the 4 bogeymen, btw).

But, they are owned financially also.

Such is the problem of fascism.


SpaceLifeFormJanuary 1, 2020 4:15 PM

@ Do what

As Clive has explained, over and over,
you do not have endpoint security.

Even Snowden noted that.

ProtonMail is not a real solution.

You take your chances.

One must separate the encryption from the communications, in a non-leakable manner.

It is not trivial.

Electron 007January 1, 2020 5:00 PM

@SpaceLifeForm

@ Do what

As Clive has explained, over and over,
you do not have endpoint security.

Even Snowden noted that.

ProtonMail is not a real solution.

I don't think it's even being presented as one. Its creators or financiers went "mainstream" with it, and began presenting it as an alternative to Google.

You take your chances.

One must separate the encryption from the communications, in a non-leakable manner.

It is not trivial.

Chances and trivia pertain to the realm of vice and jeopardy.

Corporations, cartels, and labor-union solidarity enforcement create "circumstances" that force unnecessary risk of life and limb on the end user.

It is not possible to prevent all leakage of communication that is supposed to be encrypted. Some techniques such as chaffing and winnowing are necessary to sow disinformation to combat leaks.

"Endpoint security" needs to be held to a much, much higher standard for various reasons of general usefulness entirely apart from encrypted communications.

There's a lowest common denominator of browser (in)security ...

Clive RobinsonJanuary 1, 2020 5:00 PM

@ electrolytic capacitor,

I've had a quick scan of the paper.

The author clearly does not understand the "Attacks only get better..." quote and demonstrates muddled thinking in the example given.

Your comment about what Matt Green may have said is spot on the money.

It's another thing the author of the paper appears not to understand. Whilst reducing the number of rounds does produce a simple mostly marginal increase in speed, each round lost reduces the security by some significant power. It's actually a very bad trade off.

But... If you read the introduction and other parts of the paper you would be forgiven to think that it was written by multiple authors not one. There could be several reasons, but one is originally there were multiple authors but they have since withdrawn their names...

I guess at some point I'm going to have to do more than skim read it, but I get the feeling it will equate to a period of time I'm never going to get back for no gain...

SpaceLifeFormJanuary 1, 2020 5:24 PM

@ Electron 007, Clive

"It is not possible to prevent all leakage of communication that is supposed to be encrypted."

No. It is actually possible.

It's just not trivial.

It takes effort.

A person with a single cell phone is not even close to the level of effort involved.

Game over.

You need multiple computers to have a chance.


AndersJanuary 1, 2020 5:29 PM

Great writeup.

code610.blogspot.com/2019/12/postauth-rce-in-latest-nagiosxi.html

Learn! (and Patch!)

Electron 007January 1, 2020 6:52 PM

@Anders

Great writeup.

code610.blogspot.com/2019/12/postauth-rce-in-latest-nagiosxi.html

Learn! (and Patch!)

Nagios is a big tech security firm. The exploit is very basic, taking advantage of unfiltered input sent straight to a shell command by php.

Such irremediable stupidity involves criminal culpability with inside help including a wink and a nod from management.

We need more intelligence, and it's not going to come willingly from those responsible.

Open source = own risk?

Not so much in this case. Those boys ride roughshod all over the market with their proprietary SaaS shite.
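
The bug class named above (untrusted input pasted into a shell command line) alongside the usual fix, as an added example that is not part of the write-up or of Nagios XI's code. It is in Python rather than the PHP of the original so it can be run here; `printf` stands in for whatever network tool the real page invoked, and the hostname allow-list regex is an assumption of this example:

```python
"""Shell command injection: vulnerable and hardened forms (added example)."""
import re
import subprocess

# Assumed allow-list for a hostname parameter: label characters only, no shell metacharacters.
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def lookup_vulnerable(host: str) -> str:
    """The bug class: untrusted `host` is interpolated into a command string that a
    shell parses. `printf` stands in for the real tool so this runs offline; the shell
    still honours `;`, `|` and `$(...)` inside `host` exactly as it would for ping."""
    cmd = f"printf 'lookup %s\\n' {host}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def lookup_hardened(host: str, validate: bool = True) -> str:
    """Two independent defences: reject anything outside the allow-list, and pass the
    program its arguments as an argv list with no shell in between. With validate=False
    only the second defence is active, which is enough to stop execution but still lets
    garbage reach the tool."""
    if validate and not HOST_RE.fullmatch(host):
        raise ValueError(f"rejected hostname: {host!r}")
    proc = subprocess.run(["printf", "lookup %s\n", host],
                          capture_output=True, text=True, check=True)
    return proc.stdout


if __name__ == "__main__":
    payload = "example.com; echo INJECTED"      # constructed attacker input
    print(repr(lookup_vulnerable(payload)))       # second command ran
    print(repr(lookup_hardened(payload, validate=False)))  # literal string, nothing ran
```

With the argv form the attacker's `; echo INJECTED` arrives at `printf` as part of one literal argument; the allow-list then stops it from getting even that far.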

ThothJanuary 1, 2020 7:32 PM

@electrolytic capacitor, Clive Robinson, all

This paper might be the new ammunition that banks and FIs are finding, which they are going to use as an excuse that DES and 2-Key DES are still fine and unbroken, and refuse to move away.

Of course there's a big difference with block sizes and key sizes vs. rounds in a cipher but whatever that gives that kind of slight excuse, they would happily use it.

Also, not sure if @JP realizes that most MCUs and CPUs these days have crypto accelerators in their circuitry, albeit not very powerful but sufficiently faster than implementing in code. One has to wonder why aren't there any developers bothering to look through the instruction sets and start calling the crypto accelerator engines. In case you are wondering what sort of crypto accelerators are baked into most MCUs and CPUs in the market these days, even a low end 32-bit ARM costing just a couple dollars or so (per chip) would already have access to at least an AES engine and the higher ends have RSA, SHA, DES and so on.

There are two things hindering crypto adoption and I have always pointed out at the two hindrances to not just crypto adoption but security adoptions...

1.) Education

2.) Government policies

3.) Proper toolkit construction, documentation and ease of use ...

I have added a third because it is related to the first point ...

It boils down to educating normal developers to know that there is something called data security and crypto and then you have to tell them that the chip instruction supports acceleration without having to hand code the entire AES from scratch. The next thing that is related is a usable library with proper, humanly readable documentation since developers need to read the docs just to know how to call the accelerators and if that's not enough, it is better that toolkits (i.e. NaCL/TweetSalt) are created to package all the functions so that developers don't need to know what's an IV or a Nonce and simply call for encrypt or decrypt and supply a password for the toolkit to unlock a software or hardware keystore.

Education is top priority (with a good toolkit that taps into the hardware accelerators and proper docs) so that normal developers would not shy away from using the already existing resources.

The next most important aspect is Governmental policies. If they keep telling us that cryptography is for child abusers and keep on iterating about the "nothing to hide if I am innocent" concept, the likelihood that developers are going to explore into that area is reduced.

I have been at security expos and conferences and up till now, I have a couple of people asking me about the legality of applying cryptography in an IT Security conference or expo !!!!

The Governments around the world have postured themselves not only to undermine the data security of child abusers but have effectively created a mindset in many people with the highly successful Nothing To Hide campaign and Crypto For Paranoid And Evil People mindset.

Even within the IT Security circle, I know of people within this small circle who have thought that cryptography on a personal level is crazy and paranoia and E2E comms and PGP are for the paranoid and that our privacy is already eroded and WhatsApp is just as good and there's no need for E2E or strong security ..... and these are the people selling you smart cards, TPMs, eSE, HSMs, Intel SGX, ARM TZ, Secure Enclaves and what not ....

Even amongst the small circle of IT Security professionals, these diseases are rampant .........

You can imagine what you are getting and wonder why there are always so many high profile security breaches even in supposedly high security environments (stares at MINDEF/DOD/MOD :) ).

Is IT Security dead already ?

It depends ...

I think it's just a matter of superb posturing and highly effective marketing the NSA et. al. have done.

In fact @Clive Robinson has made an excellent statement that we have won part of the battle and lost the war ...

We already lost the war .............

Because even this industry itself is already acting in such a fashion ....

Note that the side effects of NSA et. al. marketing also have an impact on themselves. Look at the equipment they are using (lots of Intel Xeon with Intel SGX as Security Enclaves) and soft TPM (Intel fTPM v2.0) for sensitive information processing (mil-embedded) starting to take over the US sector and also spreading to UK, EU and around the world in the name of cost saving.

Finally, we have to look at the algorithms proposed themselves for ciphering and signing.

Most modern ciphers are built with 64 bit architecture in mind but most of the IoTs are not going to 64 bit anytime soon because it's still costly to embed 64 bit everywhere. In fact, most of them are 32 bit or even 8 or 16 bit MCUs.

ChaCha20 or any amount of rounds of ChaCha will at least need a 128 byte buffer for basic execution and that excludes the constants for rounds and other operations. Once you have factored in all the necessary operations, you might be staring down at double the size (256 bytes) or so and if you are to unwind the round functions so that you avoid using loops, you have, say, almost at least 500 B of RAM space eaten.

500 B of RAM space is nothing right ? But if it's embedded computing, you may not have that much space in the SRAM unless you want to drive up the cost with external RAM and caches.

That is less of an issue versus Keccak/SHA3 in f1600 which already takes 1600 B buffer space just to store state data before you could do anything significant. That excludes code execution space for Keccak f1600.

Wonder why PBKDF2-SHA2 are still so widespread or even plain SHA2 hashes for password hashing ? BCRYPT requires a buffer space of 4 KB to simply store state data and SCRYPT ... I don't even need to go there.

There are so many IoT MCUs and small devices and most algorithms are designed with Intel/AMD with lots of external DRAM and powerful CPU in mind. Even the so-called lightweight ones are no better.

Most algorithms immediately assume 64-bit and they never did much to consider execution on IoT devices so the result is weak or non-existing support for IoT devices.

Cryptographers have to carefully consider that their designs will be implemented by developers and their designs should be simple and easy to understand by developers and they need to either specify the devices that their algorithms will support if they are device specific or if it is a general purpose algorithm, they need to consider the CPU architectures and buffer spaces of very tiny devices too.

Also an interesting note, I have updated my ChaCha20 engine for smart cards to run ChaCha10 (10 rounds) with RFC-7539 specs and it runs almost 64 bytes of ciphering in 1 second and all those are coded on 32-bit smart cards (Java Card) by hand, so you can imagine why not everyone is adopting ChaCha yet. Also a full blown ChaCha20 takes 3 seconds to encrypt 64 bytes or more.

The problem is with the round permutation and key scheduling functions occurring every 64 bytes of keystream being used. The XOR between the keystream and the data is quite fast though.

@JP's approach is quite simplistic and not holistic enough and would only work under the circumstance that attacks never get better, which is not true.

Electron 007January 1, 2020 8:51 PM

@Thoth

hindrances to not just crypto adoption but security adoptions...

1.) Education

2.) Government policies

3.) Proper toolkit construction, documentation and ease of use ...

I have added a third because it is related to the first point ...

It boils down to educating normal developers to know that there is something called data security and crypto 

Very good points. It is education and government policies, after all, that dictate what's proper at the corporate workplace.

cryptography are for child abusers and keep on iterating about the "nothing to hide if I am innocent" 

That's part and parcel of the college environment where you get all that education from. There's a fraternity and a sorority, respectively, and it's all very gender-appropriate, because you have all that Title-IX hats-off and doors-open for the ladies, and there's a dean or some university police department babysitting all the internet use at college, because, well, you know about all that low-IQ web surfing at the frat house, and the hostile environment it creates for the ladies, and the harassment lawsuits and the lowered standards of proof for rape, and the DNA samples they collect from all the men on campus, and so on and so forth.

Point being, that no, there's not going to be any crypto or security for the end user of any sort of computing device under the foregoing college-campus-cum-corporate-workplace policies.

It's an unfortunate reality that many people refuse even to acknowledge, let alone do anything about.

Clive RobinsonJanuary 2, 2020 4:59 AM

@ SpaceLifeForm, Electron 007,

No. It is actually possible. It's just not trivial. It takes effort.

Short answers : Yes, Yes, Yes, plus some thoughtfulness.

I've mentioned it before with the "Fleet Communications" idea which @Thoth has thought some more on.

The longer answers require an understanding of the underlying arguments. The simplest of which is,

All communications reveal one bit of information, That is a communication is taking place.

It appears obvious but actually it's not when you start digging down far enough into the art and science of communications. At the bottom of things is "Noise", specifically "Thermal Noise": all molecules vibrate; those that have a charge will generate a signal[1]. Likewise charges moving in a conductor due to thermal energy. As thermal energy is usually not coherent the signal produced is likewise decoherent or "random" with an average power level.

Thus you have a signal source that is always on and it is random in nature, if quite low in average power. So if you can make your communications signal look random and at or below the noise floor at a receiver it will not reveal its presence. This is the reasoning behind "Low Probability of Intercept" (LPI) communications.

The other thing is it's a broadcast system, that is, anyone in range with the right information can find the signal, but within reason only those operating the receivers know where they are, not those at the transmitter or any other receiver. Unlike modern cell phones and other routed systems.

Which means at first look LPI unfortunately does not work on most communications networks that are cabled and routed. So is there anything to learn from it? The answer is yes, quite a bit actually.

From traffic analysis it is known that the content of the message is not really required if you can see the shape of the individual messages such as length, time and how many messages are being sent.

1, The message content can be hidden by it being effectively randomized (encryption)

2, A message's start can be hidden by sending it immediately after another transmission without a break.

3, A message's end can be hidden by sending another message immediately.

4, A message's length is unknown if its start and finish are successfully hidden.

5, Not all messages need to carry information, they can be just random "noise" data.

So messages can be effectively hidden if the transmitter sends a randomized, continuous, fixed rate transmission. Because that hides any message start, end, or length, or the fact a message is being sent at all.

So the question then arises: since the message can be hidden, what about the message's origin and destination? In a traditional broadcast system the transmitter position is known but the receiver unknown unless it needs to respond. In a data network the direction of a transmission from one node to another is known.

Thus the problem is not hiding the position of transmitters and receivers, that can not be done in a cabled network system, but hiding the fact of which node is communicating with another node. The more nodes there are the less certain it is that any node is communicating with any other node. If each node sends at a continuous rate and receives the same rate from another node then messages passed between them are not known. If each node talks to at least two other nodes then, provided care is taken to balance the data rates such that the total number of packets in match the total number of packets out, an attacker has no notion of how traffic arrives or leaves a node.

The easiest way to do this is that each node sends and receives data from another node on a "fixed rate ring system". That is node one sends a packet to node 2 and node 3 sends a packet back. If this is done at a fixed rate with randomized packets then an observer learns only that a node is part of a network and the immediate nodes it is connected to.

The function of the nodes can be further obfuscated by also making them "store and forward", that is traffic can be prioritized with high priority "bursty" messages getting padded with lower priority messages and so on.

Thus the nodes form a "circuit switched network" on top of any other underlying network topology. Provided each node uses "link based encryption" with separate keys for each link, an observer will see no correlation between the links, only random packets in and out that always balance each other.

As for routing from node to node, it is best that this also be obfuscated, thus point to point routing be used at the low level with Onion style routing at a higher level. And messages also application level encrypted.

There are other precautions that need to be taken but that should give the overall idea of a five level network on top of an existing network. The levels being,

1, Application level encryption.
2, High level Onion routing.
3, Mesh network and routing.
4, Ring network link level.
5, Link level encryption.

The important thing to remember is that there is no distinction between computers used as clients, servers and nodes they are all nodes and they only communicate to other nodes.

There's a lot of other things that need to be done, but the above should at least convince people it can be done.

[1] To understand this you need to understand the "Pithball experiment". A pithball is a very light organic material shaped into a ball around twice the radius of a pea. One of its properties is that it can hold an electric charge without it leaking away, thus it gets used in "static electricity" or "charge" experiments. You can see its charge with a "gold leaf electroscope"; as if by magic, bringing a charged pithball near it will cause the gold foil to move, even though there is no electrical connection. If you have a charged pithball on one end of a fine thread there is nowhere for the charge to go, but the charge affects any objects around the pithball (in theory out to infinity). If, holding the other end of the thread, you spin the pithball around in a circle, you are putting work into moving the charge in a circular pattern. This creates an E field that moves; in turn this creates an H field that then in turn creates another E field and so on outwards. We call this an EM field and its outward movement radiation; as it radiates as a surface on a sphere the E field decreases in magnitude as 1/(r^2). Because we are spinning the pithball in a circle the E field varies as a sinusoid with a frequency f directly related to the inverse of the length of time it takes the pithball to go around one complete circle (hence the old expression for frequency being "cycles per second"). The important thing to note is that it is the movement of the charge that creates the field, and that the charge remains constant and does not leave the pithball. Thus the energy in the field comes from the motive force which is part of the energy in your arm and the length of the thread. Likewise it is the charge moving backwards and forwards on a length of wire --but again not leaving it-- that a communications transmitter uses to radiate out a signal. 
As with a guitar or piano string being plucked, the length of wire has a resonant length related to the speed the charge can be moved up and down the wire; the speed is an appreciable fraction of the speed of light C. Hence the relation to frequency is the "wavelength", called lambda, and in free space it is given by C/f; if there are other conductors or dielectrics near the wire the length of the wire is effectively changed by a constant. For insulated wire it is small, but the ends of the wire effectively have capacitance with an air dielectric, and if the wire is near the ground there is further capacitance to ground, which further reduces the length, which in total reduces the length of the wire by around 5% for a horizontal dipole a quarter-wave above ground.
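
Points 1 to 5 above and the fixed-rate ring link, as an added simulation that is not Clive's or Thoth's code: one direction of one link between two nodes. The sender emits exactly one fixed-size frame every clock tick, carrying a segment of a queued message if there is one and random chaff otherwise; the flag, length and padding are all inside the link encryption, so the observer sees only equal-sized, random-looking frames at a constant rate whether or not anything is being said. The HMAC-SHA256 counter-mode keystream is a stand-in for a real AEAD so the example needs only the standard library; the key, frame sizes and sample messages are constructed for the example.

```python
"""Fixed-rate, padded, link-encrypted channel: a simulation (added example)."""
import hashlib
import hmac
import secrets
from collections import deque

PAYLOAD = 30                 # message bytes carried per frame
FRAME = 2 + PAYLOAD          # flag + length + payload, before encryption
TAG = 16                     # truncated HMAC tag
WIRE = FRAME + TAG           # every frame on the link is exactly this long
CHAFF, MORE, LAST = 0, 1, 2  # frame flags (encrypted, so invisible on the wire)


def _keystream(key: bytes, ctr: int) -> bytes:
    # Stand-in stream cipher: HMAC-SHA256 in counter mode. Illustrative only;
    # a real link would use an AEAD such as AES-GCM or ChaCha20-Poly1305.
    return hmac.new(key, ctr.to_bytes(8, "big"), hashlib.sha256).digest()[:FRAME]


def seal(key: bytes, ctr: int, plain: bytes) -> bytes:
    """Encrypt one fixed-size frame and authenticate it together with its counter."""
    ct = bytes(a ^ b for a, b in zip(plain, _keystream(key, ctr)))
    tag = hmac.new(key, ctr.to_bytes(8, "big") + ct, hashlib.sha256).digest()[:TAG]
    return ct + tag


def unseal(key: bytes, ctr: int, wire: bytes) -> bytes:
    ct, tag = wire[:FRAME], wire[FRAME:]
    want = hmac.new(key, ctr.to_bytes(8, "big") + ct, hashlib.sha256).digest()[:TAG]
    if len(wire) != WIRE or not hmac.compare_digest(tag, want):
        raise ValueError("frame failed authentication")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, ctr)))


class LinkSender:
    """Emits exactly one frame per clock tick whether or not anything is queued."""

    def __init__(self, link_key: bytes):
        self.key, self.ctr, self.queue = link_key, 0, deque()

    def submit(self, msg: bytes) -> None:
        # Segment the message; only the final segment is flagged LAST (point 3).
        segs = [msg[i:i + PAYLOAD] for i in range(0, len(msg), PAYLOAD)] or [b""]
        for i, seg in enumerate(segs):
            self.queue.append((LAST if i == len(segs) - 1 else MORE, seg))

    def tick(self) -> bytes:
        flag, seg = self.queue.popleft() if self.queue else (CHAFF, b"")
        # Random padding, or a whole random chaff frame (points 4 and 5).
        plain = bytes([flag, len(seg)]) + seg + secrets.token_bytes(PAYLOAD - len(seg))
        self.ctr += 1
        return seal(self.key, self.ctr - 1, plain)


class LinkReceiver:
    def __init__(self, link_key: bytes):
        self.key, self.ctr, self.partial, self.messages = link_key, 0, bytearray(), []

    def tick(self, wire: bytes) -> None:
        plain = unseal(self.key, self.ctr, wire)
        self.ctr += 1
        flag, n = plain[0], plain[1]
        if flag == CHAFF:
            return                      # dropped silently; the observer cannot tell
        self.partial += plain[2:2 + n]
        if flag == LAST:
            self.messages.append(bytes(self.partial))
            self.partial = bytearray()


def run_link(messages, ticks: int, link_key: bytes = b"constructed link key A->B"):
    """Queue `messages` at tick 0 and run the link for `ticks` ticks.
    Returns (frame sizes the observer saw, messages the receiver reassembled)."""
    tx, rx = LinkSender(link_key), LinkReceiver(link_key)
    for m in messages:
        tx.submit(m)
    seen = []
    for _ in range(ticks):
        frame = tx.tick()
        seen.append(len(frame))         # all an outside observer gets: size and timing
        rx.tick(frame)
    return seen, rx.messages


if __name__ == "__main__":
    busy, got = run_link([b"hello", b"x" * 70, b""], 12)
    idle, _ = run_link([], 12)
    print(busy == idle, got)            # same observable pattern either way
```

Running the same number of ticks with three messages queued and with nothing queued gives the observer an identical list of frame sizes, which is the whole point; a second link in the opposite direction on the same schedule gives the balanced in/out rate described for the ring.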

Clive RobinsonJanuary 2, 2020 5:29 AM

@ Thoth, ALL,

It boils down to educating normal developers to know that there is something called data security

Part of the Governments' drive is to turn the words related to "security" into words related to "secrecy" and thus "criminality" and we have let them get away with it for way too long.

Thus we need to stop using the word "security" and start using "privacy" or other socially accepted word, and turn those pushing the "you have nothing to..." attitude into something socially unacceptable such as "peepingtom" or worse much worse.

We also need to make fun of them and get people to laugh at them as dirty parasites etc. Few can command respect when people are laughing at them or see them as "dirty" or "slimy", "greasy", "fawning" etc.

For instance a cartoon drawing of Mr Barr up a tree with binoculars looking at a house with not quite closed upstairs curtains and a mother's voice calling up "time for bed, remember it's school tomorrow" would help people get a perspective on what he and those beneath him are really up to.

AndersJanuary 2, 2020 6:54 AM


@SpaceLifeForm

"Maybe, Gopher not so bad?"

I'm happy to use Gopher and I even have my
trusted client.

mateusz.viste.fr/software/ddwarf/

Now we need more Gopher servers. Know any good?

SpaceLifeFormJanuary 2, 2020 2:54 PM

@ Clive

Point zero you did not mention.

0. The encryption device must be separate from the communications device.

Preferably the encryption happens in a Faraday Cage.

And the ciphertext is hand carried from the cage to the communications point, preferably on paper.

Sherman JayJanuary 2, 2020 3:20 PM

@all re: capacitors,
I promise this is the last I'll post on this topic.

Yes, capacitors do wear electro-chemically. Many poorly designed and made of poor materials fail in a couple of years.

However, many last a very long time: A motherboard that I installed in a PC in 2010 boasted '5,000 hr VRM solid capacitors' (a claim probably to counter capacitor plague fears) and that motherboard is still in use today at over 15,000 power-on hours. Also, a friend has a 1997 dell 500 that is still running without any repairs needed.

When I design and build speaker crossover networks, I use oil-filled, metal can, non-electrolytic caps since they have full value at any voltage (up to rating) don't require a 'forming voltage' and don't leak or burst under normal use. I have some that were made in the 1960's and still show full value.

I think I'll look into 'gopher' and someone I know is setting up a Linux PC that will have server software running from a DVD (still not bullet-proof, but better than most).

Here's hoping for a 2020 that is better than 2019 for all.

Clive RobinsonJanuary 2, 2020 5:24 PM

@ SpaceLifeForm,

Point zero you did not mention.

Aww shucks, I've said it so often in the past you must be thinking I've "ghon see nile" ;-)

The reality is the post was getting too long as it was and I trimmed out a lot of other stuff to do with key management in the network. Now we are starting to take Quantum Computing a little more seriously it's amazing just how big a spanner it's thrown in the works; the level of complexity on key management has jumped several orders of magnitude even with having a hierarchical symmetrical key management system in place, which is a serious liability in many directions especially in distributed mesh networking.

Then there are "rendezvous protocols" and node join/leave and link establishment protocols as well. Especially if your mesh includes orbiting satellites, aircraft and other vehicles.

It's a lot of work that could make a book with good secondary use as a doorstop :-(

SpaceLifeFormJanuary 2, 2020 5:47 PM

@ Clive

Aww shucks, I've said it so often in the past you must be thinking I've "ghon see nile" ;-)


Nope. I figured you were testing me to see if I was paying attention.

I *do* pay attention.

Keep moving. Full Speed Ahead.

G(hindsightfiles)


name.withheld.for.obvious.reasonsJanuary 7, 2020 10:53 PM

Beyond Kleptocracy?

Does anyone see the problematic issue currently in play? Warned by the framers of the U.S. Constitution; in multiple issues of the Federalist Papers, and the individual writings of Thomas Paine for example. Their reasoning came directly from their experience with the brutal rule of King George III.

An executive, with personal investments and interests of unknown scope, is directing military forces against various targets that are not "nation state" defined. There are only two instances by way of Article II authorities, none of which apply to the actions of late. This looks more like a bag job, not the reasoned action supporting state security one would think is rational.

Insurrection and Invasion, that's it; how does the assassination of a foreign figure fit into this? The wanton destruction of civilian infrastructure and innocent persons cannot sit well with those with a moral or even ethical center, can it?

What appears to be less well argued, is the absolute diminution of congress and a dereliction of duty and care to their oath and office. Never mind that the "Commander in Chief" has found it convenient to violate the law, in the way most feared by the framers, since all are feckless in the face of this crime.

THE U.S. Senate is an abomination before and to us all...and...

WE, CITIZENS, ARE ALL CULPABLE.

JonKnowsNothingJanuary 8, 2020 12:28 AM

@name.withheld.for.obvious.reasons

re: Beyond Kleptocracy?

Well, generically yes, we are globally culpable because we allowed things to get "Here" rather than "There". The main issue though is that we globally do not agree on what is "Here" and what is "There".

What we can or might agree on is:

The people who wrote the code, who built the drone, who made the bombs, who flew the drone, who used the satellites, who took the photos, who tracked the cars, who build the trackers, who made it possible in The House That Jack Built.


ht tps://en.wikipedia.org/wiki/This_Is_the_House_That_Jack_Built

It is a cumulative tale that does not tell the story of Jack's house, or even of Jack who built the house, but instead shows how the house is indirectly linked to other things and people, and through this method tells the story of "The man all tattered and torn", and the "Maiden all forlorn", as well as other smaller events, showing how these are interlinked.

(url fractured to prevent autorun)

Clive RobinsonJanuary 8, 2020 5:25 AM

@ Name.withheld...,

There is an important lesson in security involved and as with many things it starts with what has gone before and thus got codified into law.

In Traditional English law which US law is mainly based on you look for the "Directing Mind" for responsibility.

The reason is the chain of logic as applied to the real world.

So, though the bullet caused the fatal trauma, it was the powder that propelled it down the gun's barrel, after the hammer struck the primer, under the force of the spring released by the ratchet mechanism actuated by the trigger that was pulled by the finger, that was pulled by the sinew that ran to the muscle in the forearm that had contracted from the impulse that came down the nerves in the spine, that started in the brain from its assumed conscious, therefore willful, state of mind.

Thus what is judged is that state of mind and if required how it got in that state.

Prior to the US throwing its weight around in Nuremberg, soldiers were assumed to be in mortal fear of their leaders, because any order not followed was mutiny punishable by death, something the Americans certainly practiced during the First World War as did other allies. That is, a soldier was in essence a mere finger not a mind.

More importantly soldiers were also assumed to not be in possession of all the information, therefore they could not make valid judgment on orders they had been given. Similar logic applied up the chain of command.

Under that pre Nuremberg model it was the leaders that gave the orders to the soldiers via the chain of command that were the responsible minds. More importantly they were mere fingers for the "head of state" and their "Divine Right" because only the Gods are omnipresent to see and hear all... What the US did at Nuremberg was to deny the existence of God, the chain of command and the consequences of mortal imperfect knowledge to make individual soldiers responsible for vetting any orders to see if they were lawful.

If you check you will find that the US legislators back home post Nuremberg passed legislation to in effect put US soldiers back in the pre Nuremberg state, but still leaving the leaders who issued orders not really liable either, because they also act on incomplete information.

Thus all that is left is for congress to maybe decide if, during the recess when they were on their seasonal jollies, the US President usurped their powers by exceeding his own.

I think we will find that will get kicked into the long grass one way or another... After all, it's what the electoral colleges voted for, and they were voted for by the people along with the members of the two houses and all those others including judges, prosecutors, law officers, school boards and quite a few others on salary from the public purse.

Thus arguably the guilty people are the US citizens who, mainly with imperfect knowledge, voted their salaried representatives in, long long before...

Collective responsibility is a funny animal when the collective judges itself to see if it behaved responsibly or not....

The observation of Upton Sinclair of,

    It is difficult to get a man to understand something, when his salary depends on his not understanding it.

So maybe at the end of the day it's the US Dollar that is really responsible.

SpaceLifeFormJanuary 9, 2020 5:31 PM

@ Clive

"Thus arguably the guilty people are the US citizens who, mainly with imperfect knowledge, voted their salaried representatives in, long long before..."

Exactly.

"So maybe at the end of the day it's the US Dollar that is really responsible."

Exactly.

They FAILED TO VOTE. Addicted to Facebook.

Convinced by faux noise.

More US voters *FAILED TO VOTE* than the number that voted for potus.


But, now they know. They have few dollars.

They *WILL* VOTE.

Trust me on this. Hindsight is 2020.

Electron 007January 9, 2020 5:53 PM

@SpaceLifeForm

FAILED TO VOTE. Addicted to Facebook.
Convinced by faux noise.
More US voters *FAILED TO VOTE* than the number that voted for potus.

But, now they know. They have few dollars.
They *WILL* VOTE.
Trust me on this. Hindsight is 2020.

No guns, no vote. All those women-and-children felony criminal charges for trespassing on the school district or the library or city hall or wherever it is the progressive democratic party labor-union local election for the most liberal candidate is being held.

But there's a Neil Armstrong issue.

"One small step for man" versus "One small step for a man."

People who "have few dollars" are poor. People who "have a few dollars" are rich but affecting some measure of modesty about their wealth. See what a difference that indefinite article can make.

name.withheld.for.obvious.reasonsJanuary 10, 2020 2:55 PM

WHAT WE ARE SEEING OUT OF THE WH & DOD
Other interests, not ahold of U.S. power in the past, have asserted themselves into the MIC. What Mike Lee and Rand Paul said after a pentagon briefing was illuminating. My hypothesis and speculation points elsewhere; a theocratic state has emerged, it is wielding the power of the U.S. to carry out actions aligned with fascistic elements to form a type of evangel-fascist cabal. It may not be in the open but the actors in this scenario are visible and acting. Look at the makeup of the cabinet and executive administrators and a common theme emerges.

The only "proof" available is around what those in the U.S. administration have said, the rapidity of their political and strategic alignments, and the actions that have occurred in the not too recent past. Hard evidence would have to come from inside...

The current Secretary of Defense is quite skilled at talking out of both sides of the mouth. The Secretary of State is less skilled in this matter; clearly the Secretary speaks frequently from both sides of the mouth, and from an anterior side of the body. The last sentence might not make it through editorial scrutiny, nonetheless--it is figuratively accurate (what is said, stinks).
