Scott February 14, 2020 4:35 PM

Guys and gals, I appreciate this place became busy discussing US domestic politics and this is important to your democracy and whatnot.

But in the spirit of how I come to know @Bruce and his blog, on topics like IT security, airport security, security theaters, terrorism (from a security, not political perspective!), let’s discuss this news from the classical security and security trade offs perspective, no politics as much as possible please, thank you!

MWC 2020 canceled over coronavirus health concerns

lurker February 14, 2020 5:29 PM

Huawei admits it put backdoors in its gear at the request of LEOs. Huawei makes the door and the lock and could open it if it wanted. Why is anybody surprised?

myliit February 14, 2020 5:38 PM

Voatz voting app 2/13/20

“MIT researchers identify security vulnerabilities in voting app

Mobile voting application could allow hackers to alter individual votes and may pose privacy issues for users….

In addition to its use in the 2018 West Virginia elections, the app was deployed in elections in Denver, Oregon, and Utah, as well as at the 2016 Massachusetts Democratic Convention and the 2016 Utah Republican Convention. Voatz was not used during the 2020 Iowa caucuses….

They found that an adversary with remote access to the device can alter or discover a user’s vote, and that the server, if hacked, could easily change those votes. “It does not appear that the app’s protocol attempts to verify [genuine votes] with the back-end blockchain,” Specter explains.

“Perhaps most alarmingly, we found that a passive network adversary, like your internet service provider, or someone nearby you if you’re on unencrypted Wi-Fi, could detect which way you voted in some configurations of the election. Worse, more aggressive attackers could potentially detect which way you’re going to vote and then stop the connection based on that alone.”

In addition to detecting vulnerabilities with Voatz’s voting process, Specter and Koppel found that the app poses privacy issues for users. As the app uses an external vendor for voter ID verification, a third party could potentially access a voter’s photo, driver’s license data, or other forms of identification, if that vendor’s platform isn’t also secure.”

Clive Robinson February 14, 2020 8:00 PM

@ Mr. Peed Off,

Huawei admits backdoor in kit.

Dr. Herb Lin, is either speaking outside his proffessional limits or being deliberately disingenuous. As I’ve seen this sort of behaviour repeatedly in the “Security field” I’m not exactly surprised.

I guess the real question is why Dr Lin has put his opinion in the way he has and I hope he shows up to explain…

Things you first need to know. There are three things needed for such a remote capability,

1, Fundemental Tee/Tap mechanism.
2, Software to use Tee/Tap.
3, Backhaul communications path.

If any one of those three parts are missing then remote spying is most definitely not going to happen.

The Tee/Tap mechanism is the method used to make a copy of the communications in progress and is why the Unix utility that does the same thing is called “tee”. One of the official names going back the better part of a century or more is “Operator listen in”. Back when POTS was the thing you could dial the operator and ask why you could not get through to a number and ask them to “check the line”. They would put you on hold and use “Operator listen in” to monitor the line. They would then disconnect from it and take you off hold and say either “Voices on the line” or “I’ll report that as a fault”. There was a further protocol by which you could identify yourself and get “operator break in” or in some cases the operator would give you remote listen in…

Well all of that got abused thus formalised by legislation. So now due to legislation all telephone exchange equipment and phones are required to have an “Operator listen in” feature that can “optionaly” be controled remotely from “outside” the network. This had been true for “Health and Safety” reasons from atleast the 1960’s onwards when digital exchanges started to become a reality. As I’ve mentioned a number of times here before, if you’ve had the misfortune to be involved with international communications standards committees you will have seen the various Five-Eye country representitives “FUDing and tag-teaming” these “spy on you” features in, if you dare to disagree they turn on you and try to make you sound like some kind of monster, just as politicos do with “think of the children” the process for the SigInt agencies is known as “finessing” (a term which comes from the playingcard game “Bridge” that tells you a lot about the background of such people from WWII onwards).

But in more modern times we have more direct and to the point legislation like CALEA, which requires exactly the same Tee/Tap “Operator listen in” but remotely without the use of an “opperator” for “Law Enforcement Assistance”.

Thus what the Huawei representative was saying is true not just for Huawei but ALL Telco Equipment suppliers, no iffs, no buts, no maybes, it’s an absolute requirment, the Tee/Tap fundemental mechanism has to be included in the switch by law.

We also know that the NSA and CIA have been exploiting this Tee/Tap requirment for years and sometimes it goes tragically wrong. See the Greek Olympics, Vodafone and Ericsson switches,

So if you ask a technical representative of any telco switch manufacture this question they would be lying if they said the fundemental capability to tap a phone data or metadata was not there… Because it has to be there by law.

The question now arises as to what a phone is or is not… Most of the worlds Telcos are “fully digital” from microphone to speaker. Thus every thing is digital, audio, modem sound, digital modems, the whole enchilada. Thus every thing you do via the telephone network is as far as the equipment at the lower layers are concerned “a phone” which means every thing you do is subject to the Tee/Tap technical asspects of “Operator listen in”. No matter who’s equipment you use. So everything you do on your phone POTS, Mobile, Smart Phone or other “Smart” device is capable of being listened into. It’s something people realy should understand applies across the board no iffs, no buts, no maybes.

So when the Huawei technical representitve –allegedly– says that usage “is extremely implausible and would be discovered immediately.” they are indeed telling the truth. It’s what the NSA and CIA are known to do every olympics to the host nation as an excuse to listen in on the countries politicians etc.

The NSA/CIA have got away with it with other telco switches around the world for quite some time now but the manufacturers of those switches are not subject to “oversight” in the way Huawei have voluntarily done with the UK’s GCHQ (who have cheated on the agreement).

Thus as the “Greek Olympic tragedy” made a glaring security hole obvious Huawei will have taken steps to close it, much to the anoyance of the US NSA and CIA, because Huawei switches have measures in place that make the loading of illicit software onto their switches very much more difficult, not impossible but “implausible” and almost certainly discovered and reported automatically to the switch operators as it would be flagged up in several ways (read the “Cuckoo’s egg” by Clifford Stoll ISBN 9780307819420 if you want to see the possabilities for that).

So having explained why the Tee/Tap has to legaly be there we come to the real bone of contention, the software that can control or get data from the Tee/Tap mechanism.

This is where life gets interesting, because you a mere mortal can get access to such data duplication mechanisms as a feature for multi-party calls for dial-in confrences etc. It’s the joy of “it’s all software” solutions…

Software is in essence a list of instructions that implement rules of how to move or transform data. Almost invariably the “rules” are written, discussed and reasoned about in a human language, not those instructions a computer CPU follows. Which means there is great opportunity for “Lost in translation” to happen “accidentally or by design” the less “oversight” there is the more likely both are to happen. Unlike any other Telco supplier Huawei voluntarily subjects it’s self to “oversight” from a world recognised expert organisation the UK’s GCHQ…

Think about the implications of that for a moment.

The process by which the oversight occurs is documented, and for there to be “deliberate backdoors” would require collusion between Huawei developers not in the UK and for the UK Governments SigInt agency… Or for the Huawei engineers to be decades in advance of GCHQ staff…

For there to be “accidental backdoors” they would have to be very subtle indeed. Because Huawei are putting their international reputation on the line with alowing GCHQ to look at their code, they are going to be way more carefull than other Telco equipment supliers not subject to oversight will be. The same applies to GCHQ it’s their reputation as well.

Thus the software is going to be better than average. But as a consequence so will other aspects of it such as ensuring tracability of code back to the original source by more than just “code signing”. Because the aim is not to prevent just “outsider attacks” but the much harder to stop “insider attacks”.

Have a thing about what that means in terms of “mechanism” and why it migh realy upset the likes of the NSA&CIA… Which brings me onto the “GCHQ cheating” the agrement Huawei had with GCHQ was not just for code review and security analysis, but also to train GCHQ staff not staff of foreign nations or alow foreign nations to see Huawei code. Well GCHQ have been stretching things and “US accents” have been heard. Put more simply representatives of the US Government have been pushing their “camel nose in the tent flap” and political preasure has come back “through other channels”.

So whilst Huawei have not been writing “back door” or “remote accces” code for their switches, a point they have quite rightly made a lot of noise about, we can say that the UK GCHQ and US NSA SigInt agencies at the very least have had a front row seat on the code review process.

Thus the question you have to consider is, if there is a “Chinese R.A.T.” or a mechanism by which one could be later added in the Huawei switches, how come two of the supposadly best SigInt agencies in the world have not found it or talked about it?

Which brings us onto the third part required for remote surveillance to be possible, the “backhaul”. From the Greek Olympic tragedy we know that the NSA/CIA evesdropped on around 100 Greek political and senior administrative persons. Greece is not a big country therefor you would be looking at many many more for other Western Nations. Even with the best technical tricks on the world that is a lot of bandwidth required. For telco providers “bandwidth is money” therefore they keep a fairly carefull eye on it. The reason the Greek Olympic Tragedy became known was because of “bandwidth is money” somebody did not keep up payments on the pre-pay mobile phones, which gave rise to the rest of what was going on unravelling very fast. As with Clifford Stoll it was a small financial discrepancy that gave rise to what was going on unravelling.

These bandwidth accounting methods are different for every Telco survice supplier, as it’s what their profitability rests on. You can be fairly sure that any unexpected imbalance in traffic at a switch with excess unaccountable traffic going off to China would be noticed and any spying would unravel.

The only reason the likes of the NSA getaway with the backhaul off of “collect it all” is that a group of people in the Telco Service provider are actually very much aware of it and are conspiring with the NSA to try and keep it secret (and as we know with AT&T failing to do so).

Which is another asspect the Huawei technical representative would know.

The thing about this “Huawei is bad” campaign is there is one heck of a lot of politically originated FUD with the MSN and supposed “experts” propergating it as it gets their names known. But you try finding any technical evidence against Huawei you run into problems. Because any allegation you make against Huawei applys way way more to all the other Telco equipment suppliers, many of whom have been caught out with dodgy software practices like Ericsson did over the Greek Olympics…

Thus anyone who brings up a technical argument and throws it at Huawei and not all the other Telco equipment suppliers, either does not know what they are talking about or they are being quite deliberately disingenuous…

Sed Contra February 14, 2020 8:40 PM

Re: squids comparable to dogs

I’ll believe it when I see them out on the lawn with handkerchiefs around their necks playing frisbee.

RealFakeNews February 14, 2020 11:45 PM

@Clive Robinson

What do you think the motives for hating on Huawei are?

IMHO, it’s a combination of politics and “not invented here” syndrome.

As you point out, US companies in this area are less than…clean.

Gunter Königsmann February 15, 2020 2:07 AM

I believe Clive to be Right:
– Every state wants communication to be backdoored because police needs to be able to get to know things. Therefore there will be backdoors.
– every state wants their secret service to be able to use backdoors, as well. So there will be additional backdoors from every state that has the possibility to introduce them, if there is any possibility to introduce them. I guess the countries the key components are manufactured in have this possibility.
Ergo if you use telecommunications you use a backdoored service, no matter where you bought the devices. There are concepts, though, for communication over untrusted media.
…and the services we trust on are globally interconnected to the extend that every country depends on services from nearly every other – maybe in many places without knowing. Which isn’t this bad, in some aspects:
The first ideas for founding the European Union were proposed hoping it would introduce tight enough bonds that starting wars would be a non-option because it would loose the industries that otherwise might profit from a war the infrastructure they depend on.

JonKnowsNothing February 15, 2020 2:15 AM



What do you think the motives for hating on Huawei are?

Adjusting my tinfoil hat to be square…

Using Huawei equipment will expose something the FiveEyes + chums are doing.

The chums are not likely the EU, because those folks seem to want to install the Huawei equipment. If they were doing naughty things they wouldn’t want it exposed.

The chums maybe in the NewK, but PM Bois hasn’t gotten the memo… yet. Theresa May might know, but Bois hasn’t invited her to tea and she might not accept the invite even if it were put on fancy parchment with hand scripted calligraphy lettering.

That leaves a lot of the rest of the planet, and if per chance to dream, it maybe the NSA+CIA haven’t shared their bounty with anyone (except perhaps Israel which gets a special delivery from the NSA).

Whatever the folks at Huawei are going to uncover when they plug in their gear, it’s going to be bigger than Belgacom. The US wouldn’t fight this hard if it wasn’t something they cannot dismantle easily and/or it would be highly embarrassing like spy cams in toilets but that’s an upskirting specialty.

Tinfoil hat tilted to the side…

ht tps://
ht tps://
ht tps://
(url fractured to prevent autorun)

Clive Robinson February 15, 2020 10:35 AM


the internet of space junk apparently neglected to secure it’s operating instructions.

Actually you can blaim two things for this,

1, Engineers being engineers.
2, Crypto export legislation incorrectly applied by various people in the “launch chain”.

A classic example of the second is the North American AMSAT organisation, they are so confused by the paperwork rules, regulations and legislation domestic and foreign that they quake in fear that US bureaucrats will stop a project. So much so that they have fallen into “paralysis by analysis” syndrom trying to second guess themselves…

The problem with engineers being engineers is they adopt an increasingly layered aproach to have more simplicity at each level during a design process.

Put simply they get the simplest model they can and make it as simple to test as possible as a starting point. When communications is involved this means unauthenticated plaintext without error correction. They then layer on error correction which with round trip times in space being prohibitively long means the first layer is “Forward Error Correction” (FEC). For a whole heap of reasons the simplest type of FEC and Crypto do not play nicely together nor do other more complex types of FEC. Without Crypto un-spoofable authentication is not possible…

But there are other issues to think about. It takes 20mins to get a message and response to the likes of Mars, ever wondered about Voyeger way out beyond Pluto? Well it was launched back in the 1970’s and obviously designed around technology a decade older…

Whilst not as bad nearly all “space qualified” parts are a decade or more old, and with a 25million plus cost of getting a lump into space you want atleast a twenty five year lifetime out of it[1]… So some of the technology still in use in space is older than most of this blogs readers…

And as a concequence it’s functionality is extreamly limited. The result was that there were only so many layers that the engineers could put in…

So yes there is a lack of crypto and reliable authentication in spacecraft.

However with the US falling in ascendancy in the launch game, the US Gov “iron fist” grip on space has been considerably loosened. First Russia, then Europe, China, India and now New Zeland have made it clear they don’t care about US views on what can and can not be done in space.

The result is even sixteen year olds are building spacecraft and getting them launched…

Have a look at Julian Fernandez and his company FOSSA and their “pocket-cube” satellite “Sat-1” which is a 5cm by 5cm LoRa satellite working in the amature radio 70cm band that was launched in Nov from NZ on a twelve ton 17meter long Rocket Labs Electron launch platform. Which is an eighth the size of the Cube-Sat prototype I have sitting on my desk. But a lot bigger than some pico-sats that are smaller than some of those metal “happy birthday” badges you get on kids birthday cards. Essentially they are a large “coin cell” rechargable battery and surface mount dual sided PCB sandwiched between two solar cells. The antenna being spring wire finer than a guitar string.

Oh and launch costs into LEO for such “experiments” is comming down, to around the price of a new executive car…

So hopefully there will soon be a lot more “space qualified” parts with nearly modern “smartphone” capabilities, which hopefully will improve things to the point where there is nolonger any excuse not to use spoof-proof authentication.

[1] It’s now an almost racing certainty that any Intel CPU from this century, will not get space qualified, for primary “satellite bus” design because nobody in their right mind would consider it even remotely reliable.

Clive Robinson February 15, 2020 11:26 AM

@ Mr. Peed Off,

Link to tapped Nokia equipment in Russian Federation.

Tech Crunch has made it onto my “do not use” list because of their cookie and javascript policies, and I would recomend others stop using them till Tech Crunch reverse their decision. After all who wants to be spied upon?

That said the link you provided mentions SORM which has been around since the late 1990s, and is at the lower technical levels, the Russian Federation equivalent of the US CALEA.

But at as with all things with multiple layers you have to watch what happens at the higher levels.

Thus you might find this of interest,

With this comment,

    The ECHR [European Court of Human Rights] held that the [SORM] legislation “institutes a system which cannot protect individuals from secret surveillance” and “any person using mobile telephone services of Russian providers can have his or her mobile telephone communications intercepted, without ever being notified of the surveillance.”

The points I’ve highlighted apply to any country that has a “Communications Lawfull Assistance” port legislation. Worse most such “port” software is implemented as part of the switch, not as a seperate unit, thus with a few minor software hacks becomes a “Remote Unlawful Access” port to whom ever wishes to do so. Which we know the NSA/CIA have exploited for quite some time…

As CALEA and SORM are not the only legislation of this form, Telco manufacturers take a “pragmatic view” and install the low level Tee/Tap in the equipment as standard with their own API. They then have software to translate to the required countries legislation, and it’s in this API and software component interface that the most security issues exist.

If Nokia were supplying equipment to the Russian Federation in the last couple of decades they would certainly have had to meet the lower technical levels of SORM, as for the higher levels that would probavly be in other equipment attached to the SORM technical port.

The same would be true for any Telco equipment supplier regardless of the nationality of the company or those that supply it the component parts it puts into it’s systems.

Which brings up a point many do not realise, that is there are actually darn few component suppliers when it comes to telco kit. Which means that each Telco manufacturer has limited supply options and uses the same parts as others do. SO if a security issue arises in a chip from XYC then Telco manufacturers AAA, BBB, CCC, DDD etc are probably all vulnerable to it.

Exactly the same issue applies to PC’s as we have seen with the Audio chips and USB-RS232 chips, and why FTDI became very very unpopular when they updated their drivers via Microsoft and had to backtrack.

Clive Robinson February 15, 2020 11:56 AM

@ RealFakeNews,

What do you think the motives for hating on Huawei are?

If I said it was the average Americans loathing of “The American Dream” you might think I had a screw loose?

Put simply the US became noticably resource limited in the 1950s and the population has grown fairly steadily since which means the slice of the apple pie each American gets on average is getting very very much smaller with time.

However the average American never ever gets even remotely close to the average slice. Because the “American Way” encorages what would be criminal behaviour if what voters wanted were put into legislation.

The fact it does not get put into legislation tells you a lot about the American political system where “Money is King” or more correctly “the king maker”. The cost of becoming US President is now more than a million dollars per day for every single one of the 1461 days in office…

Few have such financial resources, and if they do they are most probably not the sort of person you would want in that position.

How do people get to command such resources? Well not by means most would regard as either fair or honest. Such people have in effect gutted not just the working class in the US but the middle class Americans as well… By amongst other things “outsourcing” jobs and ideas to foreign countries benifit. But too many people in the US blaim not those who do the outsourcing but those in foreign countries who have received the work all be it at rates nobody in the US could live on.

Thus how do you get votes? Capitalise on this ill will and pump up the xenophobia as much as possible and make outlandish promisses to “bring it on home”. Promises that no person who actually thinks logically will realise can be delivered upon…

So how having raised emotions to the point a blood sacrafice is demanded do you not become the goat?

Easy make somebody else the goat. At home you play politicians off in a way that the other party is seen publically as obstructive to “the big plan”. And as George Orwell pointed out you need a distant foreign enemy to focus the beasts desire for blood on.

It’s why I will be very unsurprised if the same arse is in the chair in the oval office this time next year.

American emotions are being played like drumming on an upturned refuse can…

gordo February 15, 2020 12:04 PM

Nevada Democrats Look to Silicon Valley to Prevent Iowa-Like Meltdown
Google and Apple are about to play a big role in 2020’s next presidential contest
By Steven Rosenfeld, February 14, 2020

[I]t appears that the primary way that the Nevada State Democratic Party will be reporting and tallying votes is not by examining these paper records, but by using the party-provided iPads and Google forms. In short, there will be two evidence trails created—one paper, one digital. Iowa had a similar system, but it did not expect to have to fall back on the paper to tally its results.

Google’s eleventh-hour entry into the Nevada caucus is potentially very significant. It appears that the Nevada Democrats will use Google forms as a key input for voter registration and also for the recording, counting and reporting of precinct totals and compiling the statewide results. This is in addition to whatever paper records are created.

[ . . . ]

“If I were to design the ideal system, I’d have it based entirely on paper,” he [Michael Glover, a PhD engineer and software writer who had worked at Google and was familiar with Google forms’ strengths and weaknesses] said. “You get a ballot. You mark it. You have these registration forms—they’re all paper. And you maintain custody of the paper… You can feed thousands of ballots into a scanner. You can count everything. You can manually verify the counts against various segments.”

“If they design a system that does everything based on paper with these various acceleration mechanisms, then it is brilliant,” Glover continued. “But if they are actually representing the fundamental information, not on paper but electronically, I get really scared, because there are all kinds of ways to hack it—even Google forms.”

Slightly off-topic: It’s been argued that incorrect math, in the Iowa caucus, recorded and tabulated on paper worksheets, can’t be corrected since those outputs are legal records. (IANAL, however,) Given this logic of (apparently) “efficacious, incorrect maths”, should it continue, I imagine that we’ll one day witness the widescale eschewing of paper backups altogether. Thus far, “on the making of a better mousetrap”, etc.

Tatütata February 15, 2020 12:47 PM

I’ll believe it when I see them out on the lawn with handkerchiefs around their necks playing frisbee.

OTOH, you needn’t walk your squid around the block by any weather with a silly plastic bag in your hand.

So it’s one-all.

I believe that my cat worships me only because I have an opposable thumb that can open tins. Squids would obviously have no use for me.


And you don’t even need a cat-flap, the mailbox slot in the door is more than enough for them. Heck, the key-hole is almost too much.

Sed Contra February 15, 2020 1:56 PM

Heck, the key-hole is almost too much.

Maybe they are smarter, as the video shows they are way out there on the softness spectrum

“ … as Aristotle says that men of delicate touch and soft flesh are clever. 384 384 De anima, II, ix, 4, where we further read that delicacy or obtuseness of touch makes the difference between cleverness and stupidity … “

contingency_triage February 15, 2020 2:51 PM

Take a look at some of the current and up to date pollinator health statistical maps of the USA. I will maybe, if I can, upload some later.

The pollinator areas of the central USA are possibly in the worst condition of all, according to some maps and stats. This implies that the midwest has a faulty confidence about food stability and availability. Pollinators ensure that the food supply exists! Without biologically natural pollinators, there is zero food supply.

The main changes in the midwest are cultural and technological and political, NOT bee mites. Also, I have a theory that there are some active hate groups who worship death and disease of both people and wildlife, and are actively attempting to kill America, if not the whole planet.

Anyways, also, plants themselves and their seeds have specific windows of time for seed viability and capability. It varies per type of seeds and plants. This is also affected very much by weather and how the seeds are stored or allowed to grow.

This implies that if the flow of weather and other circumstances is too harsh through too many seasons, no matter how many seeds or plants there are, if it’s too harsh, they won’t grow into new lives, and hence the food and shelter of the food and shelter-makers will die, and then so will all of us too.

Food security is a top concern, in my opinion.

Another troubling factor, for example, are those who recieve tax reductions for donating “extra food” to charities. In some places, that food ends up thrown away no matter what and who complains. Also bad about this, is that some grocers have taken to producing artificial surpluses of possibly tainted foodstuffs just to get the tax reduction.

They are deliberately wasting food at the source and distribution levels just to get the tax reduction. And since the donated food often ends up in landfills instead of in hungry mouths of the poor or back into gardens or the wild (as seed supplies), they are guilty of plundering and hastening the food crisis of all of us.

Other factors affecting food security:

1) wars (we do NOT need more wars and war technology; it’s a huge drain upon living resources needed for survival; also, they propagate lethal toxins)

2) hate groups and saboteurs

thanks for reading this.

la abeja February 15, 2020 3:09 PM

@Mr. Peed Off

Re: Tutanota, Autistici, lawfareblog, etc.

Those are political sites with a very aggressive, militaristic left-wing socialist agenda. Sometimes it is best if they are blocked from collecting too much information on you.

People are making decisions that adversely affect the lives of people without any accountablility on their own part.

And I do not like the sudden and arbitrary criminal charges they file out of the blue without any apparent warning.

In other news: WEAK CIPHERS reported by ssllabs

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b) DH 2048 bits FS WEAK 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) DH 2048 bits FS WEAK 256
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) WEAK 256
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) WEAK 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67) DH 2048 bits FS WEAK 128
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) DH 2048 bits FS WEAK 128
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) WEAK 128
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) WEAK 128

What next?

We’re having that NSA problem again, with weak ciphers in common deployment, and great corporate resistance from left field to improving the strength and resilience of the TLS cipher suite in common use. Or else there are different opinions to the strength of various ciphers and their implementation and modes of operation. Where are the other finalists to the AES challenge?

SERPENT, Twofish (Bruce’s own), RC6 and MARS?

Is it time to deprecate anything less than a 256-bit block cipher?

Is the CBC (Cipher Block Chaining) mode deprecated in favor of Galois/Counter Mode (GCM)?

la abeja February 15, 2020 3:48 PM


That’s a lot of Mormonism, and not particularly anything they want revealed in a public forum.

active hate groups who worship death and disease of both people and wildlife, and are actively attempting to kill America, if not the whole planet

There is a certain level of “Satanism” or opposition to the prevailing religion in LDS-dominated areas, including NSA’s relatively new data center in Utah.

How you believe or how you choose to view that, the “Satanism” may be interpreted as an impersonation or personification of the “death and disease” to which you are opposed.

cDc = Cult of the Dead Cow
CDC = Centers for Disease Control

I do not mean to imply they are friends, but the Satanists do bring out certain issues that do need to be addressed in the open even though other people don’t want such matters discussed openly.

SpaceLifeForm February 15, 2020 5:33 PM

@ Clive

‘We also know that the NSA and CIA have been exploiting this Tee/Tap requirment for years and sometimes it goes tragically wrong”

This is why I said Emotet is out of control.

“Control” may be lost.

When malware can be reverse engineered…

la abeja February 15, 2020 7:17 PM


I have specified the following.

SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite HIGH:!aNULL:!MD5
SSLHonorCipherOrder on

In effect, TLSv1.2 is the only version of the protocol allowed by these settings, since TLSv1.3 is not yet supported by Apache 2.4 series.

I have used the settings more or less as recommended to specify only the strongest ciphers.

You are right. The weak ciphers reported by ssllabs all use RSA and they all use CBC mode.

Is there a specific attack that we should be aware of here?

la abeja February 15, 2020 10:14 PM


A new variant of the original POODLE attack was announced on December 8, 2014. This attack exploits implementation flaws of CBC encryption mode in the TLS 1.0 – 1.2 protocols. Even though TLS specifications require servers to check the padding, some implementations fail to validate it properly, which makes some servers vulnerable to POODLE even if they disable SSL 3.0.[1] …

The POODLE attack against TLS was found to be easier to initiate than the initial POODLE attack against SSL. There is no need to downgrade clients to SSL 3.0, meaning fewer steps are needed to execute a successful attack. [2]


That partially explains the reported weakness of CBC-mode ciphers. The “chain” of CBC, which is simply a XOR with the previously encrypted cipherblock, can easily be broken at will with arbitrary padding values, if the plaintext for the padding is irrelevant or left unverified.

According to the referenced blog article,

This seems like a good moment to reiterate that everything less than TLS 1.2 with an AEAD cipher suite is cryptographically broken.

But that was over five years ago, TLSv1.2 was the latest back then, and there is not really any news that POODLE has been fixed. I am left with the feeling that the entire CBC mode of operation for block ciphers is fundamentally broken, as it is in reality only a slight improvement over ECB.

The ciphers that remain on ssllabs’ “good” list are 128-bit-block ciphers use the GCM mode of operation based on a polynomial

x128 + x7 + x2 + x + 1

“Intel has added the PCLMULQDQ instruction, highlighting its use for GCM.”

and there are various other “modes” proposed by the math nerds.

They’re a little bit to cutesy with that abstract algebra stuff at the frat house, and they gotta have a tailored special-order CISC machine instruction for it. That ChaCha and Salsa stuff is coming on a bit too strong from the ivy league fraternity, and there is no independent critique of it, just … Omertà!

They’re the experts and we’re not.

name.withheld.for.obvious.reasons February 16, 2020 2:26 AM

@ Clive (from a previous thread, posting an issue)

People wonder occasionaly why I still use MS DOS 5 and WordStar 4 or other WordStar compatible editor or IDE.

Also eyebrow raising surprisingly my Apple ][ from the 1970’s using a 1MHz CPU and 64k RAM (with language card)

Hardly an eyebrow here, though I have moved on to 6.22.

Hardware terminals, my VT’s work just great and I have spare CRT’s. The tactile response and firmness makes all the difference. Hardware is more modern, I486/33 with 16M of RAM and a Orchid Video card for running X apps locally. It is tasked as a server and does just fine. CPU is on an American Mega Trends board, quite beautiful in fabrication, and quality comps all around. Ever ogled long and hard at an SGI motherboard and platform–how pretty. Some of the best construction with attention to detail (and attenuation).

So ya got me beat Clive, and am glad there is someone that can don a hat of foil construction with honour and pride. Me, the pocket protector keeps me safe.

name.withheld.for.obvious.reasons February 16, 2020 2:41 AM

@ Clive
On CALEA, manufacturers and Telcos have been dragging implementation up to the year 2007. Haven’t recently researched the topic but I do remember from a industry research paper (may have even been the Congressional Research Service) that there are still issues surrounding this topic. I have suggested for some time that we have an affective CALEA II in operation. If you look at what long haul backbone providers services differ from network access providers, telecomm, and other service provisioning companies it is apparent that many are attempting to divide up the salable trove of data/information (yours and mine).

Almost all ISP’s for example scrap/proxy and filter their customers network data (no treatment under title 2 FCC communications, thanks Adjant Pai). All the telecos are trying to complete a total packet, not switched, network to unburden themselves from the taxes on those services.

SpaceLifeForm February 16, 2020 3:24 PM

@ la abeja

“they gotta have a tailored special-order CISC machine instruction for it.”

Ah, the magic of microcode. The cpu under the CPU. Especially vertical microcode.

If I was micro-coding, probably could roll a new vertical CISC op-code in a day or so.

Throw in a few more days for testing.

Does not mean the end user will ever get the microcode update onto their computer.

Conversely, end users may have gotten malicious microcode installed without ever knowing it.

“That ChaCha and Salsa stuff is coming on a bit too strong from the ivy league fraternity”

Well, I do not really trust RSA for years now, and have become suspicious of ECC, my thinking is:

Assume both mathematically backdoored.

Defense in depth.

Make it expensive for an attacker.

la abeja February 16, 2020 3:52 PM

Does not mean the end user will ever get the microcode update onto their computer.

Conversely, end users may have gotten malicious microcode installed without ever knowing it.

That is vice, and no, not the motherboard news site. The old-fashioned sort of vice. There are cheaters at the casinos in Las Vegas, and they make a lot of money on this stuff.

I do not really trust RSA for years now, and have become suspicious of ECC, my thinking is:

Assume both mathematically backdoored.

RSA is too simple. Is factoring really that hard? There almost has to be a trick somewhere. How long has it been since Facebook cracked Tor to create http://facebookcorewwwi.onion/ ?

ECC is based on some pretty complicated maths. Poorly understood, and poorly explained. We (as code monkeys) are handed cipher specs abounding with “magic constants” and “special polynomials” over arbitrarily specified “finite fields” to implement, if we wish to do ECC. The choices may or may not be more or less arbitrary, and they are never explained to us.

ECC is rife with opportunities for mathematical backdoors.

SpaceLifeForm February 16, 2020 4:00 PM

@ name....

“All the telecos are trying to complete a total packet, not switched, network to unburden themselves from the taxes on those services.”


Why have a cash outflow when you can get income from government?

This is why VOIP is way cheaper than POTS.

Clive Robinson February 16, 2020 4:33 PM

@ SpaceLifeForm, la abeja,

Well, I do not really trust RSA for years now, and have become suspicious of ECC

It’s a not unreasonable assumption when you look into kleptographic attacks (have a look at the work of Adam Young and Moti Yung[1], it might raise your eyebrows so far it will look like your shirt has a fur collar 😉

Put simply both have way way way to much redundancy in them not to have space for multiple backdoors, thus be subject to Cryptovirology[2]… Which is why you need to do certain things yourself and not let a a bit of software you know nothing about do things for you.

Because the joy is from outside the black box you can not tell the difference between “random” and “plaintext encrypted to look random”. Which is why we have the CTR modes for CS-DRBGs in the same standard Dual-EC-DRBG was in, because cryptographers tend to trust the combinatorial logic of block ciphers over the likes of Elliptic Curves, especially those curves that get rammed down their throats by a known NSA “spiv” who now –the NSA see the US citizen and politicians as the enemy– could be regarded as a Quisling.

[1] There are many times when I think this book should be required reading before any software person is alowed to write any crypto code,

“Malicious Cryptography: Exposing Cryptovirology,” John Wiley & Sons, ISBN: 7645-4975-8


SpaceLifeForm February 16, 2020 4:33 PM

@ la abeja

“RSA is too simple. Is factoring really that hard?”

Sure it is. Unless one has been sieving for nearly 10 years in a place like Bluffdale.

Bumblehive is not just a random Codeword.

Another angle:

Certificate Authority == Casino

Clive Robinson February 16, 2020 4:45 PM

@ SpaceLifeForm, name.withheld…,

This is why VOIP is way cheaper than POTS.

You beat me to it 😉

Back in the days when phones were all rotary, the US Gov had good intentions much like the idea behind the original “Penny Black” postal service in the UK of making phones accessable to all.

This ment making some pay more to cover the cost to those who would otherwise be “priced out” in a “free market”.

But now the telco’s and cable operators have payed legislators into the “greed is good” viewpoint, with some of the strangest legislation on the planet. Much the same as has been done by the “tax software industry” over US citizens personal tax payments.

SpaceLifeForm February 16, 2020 5:32 PM

@ la abeja

Note: it’s not just CBC.

IIRC, you mentioned GCM.

How about that microcode !!!

That new CISC opcode working ok?


gordo February 16, 2020 9:13 PM

Long lines, time-consuming Google Forms snag but do not snarl first day of early caucusing in Nevada
By Megan Messerly, The Nevada Independent, February 16th, 2020

Those long lines didn’t come without their challenges, though. Multiple polling places, including the one at Sierra Vista, made the decision mid-day to abandon the use of a Google Form for the check-in process. Under the original procedure, caucusgoers were supposed to have their voter registrations verified by a volunteer equipped with an iPad loaded with the county’s voter rolls at one station, and then proceed to a second station where another volunteer would fill out a Google Form on another iPad to complete the check-in process.

Caucus sites quickly found themselves overwhelmed by the procedure, which wasn’t difficult so much as it was lengthy. Each check-in was taking several minutes per person. So, in consultation with the party, several caucus sites made the decision to stop using the Google Form and transition to an almost entirely paper-based process, only using the iPad to access the voter rolls.

After the switch-over happened at about 2:30 p.m. the line at Sierra Vista started moving much more quickly. Under the new process, caucusgoers had their voter registrations checked by a volunteer on an iPad, received a paper ballot and voter card, completed those forms, took them to a station where a volunteer would record their unique voter PIN sticker affixed to those forms next to their ballot’s number, had their forms checked to ensure they were completed correctly and then deposited them in the ballot box. Though still a multi-step process, it didn’t seem to bother most voters.

MarkH February 17, 2020 2:48 AM

@la abeja:

We have good reason to believe that yes, factoring is very hard for a properly constructed RSA modulus.

If I understand Clive’s response correctly, it addresses the case in which the party creating the keypair forms the key to in a manner which will deterministically open it to attack.

Factoring is what’s called a “well-studied problem.” Enough brilliant minds have worked on it for enough years, that the probability of some yet-unknown dramatic shortcut emerging seems quite low.

As far as public knowledge goes, factoring a 1024-bit RSA modulus is still extremely expensive, and factoring a 2048-bit semiprime is beyond the reach of even extremely powerful attackers.


The fruits of a large investment in sieving may be useful against discrete log systems (like Diffie-Hellman) which use well-known primes.

If I understand correctly, there’s no counterpart to this for factoring. The sieving process is based on the semiprime modulus, which is unique for every key pair in properly implemented RSA. Accordingly, a precomputation attack is not available.

anonymoose February 17, 2020 4:48 AM

@ la abeja

In effect, TLSv1.2 is the only version of the protocol allowed by these settings, since TLSv1.3 is not yet supported by Apache 2.4 series.

Good news, it has for over a year now with OpenSSL 1.1.1.

SpaceLifeForm February 17, 2020 3:19 PM

@ MarkH, la abeja

How is that random working for you lately?

Have you seen your MITM lately?


MarkH February 17, 2020 3:48 PM


I wrote above mainly about RSA and factoring, but replied to you that precomputation is useful against discrete log systems (like DH), but NOT against RSA.

Logjam is exactly that: a precomputation attack against discrete logs. Defeating Logjam is dirt simple.

SpaceLifeForm February 17, 2020 3:53 PM

@ gordo

‘Though still a multi-step process, it didn’t seem to bother most voters.’

Because that is basically the process.

Lesson: Do not attempt to automate a process that works perfectly well using paper.

Lesson: Never attempt to automate a process that has not already been tested using paper.

Lesson: If the automation fails, fall back to paper.

Lesson: Don’t hand an iPad to a poll worker that has never seen an iPad ever.

Lesson: Don’t expect a poll worker to know diddly about a web-based form on Google.

Lesson: Paper is best for Audit.

Let us know when the IOWA results are final.


gordo February 17, 2020 5:19 PM

@ SpaceLifeForm,

Let us know when the IOWA results are final.

Sure, I suppose anything’s possible, these days. 😉

BTW, here’s a more complete quote from Weaver on the recanvass request:

“While a recanvass is just the first step in the process and we don’t expect it to change the current calculations, it is a necessary part of making sure Iowans can trust the final results of the caucus,” Jeff Weaver, a senior adviser for the Sanders campaign, said Monday in a statement about the recanvass request. “… Once the recanvass and a subsequent recount are completed in these precincts, we feel confident we will be awarded the extra national delegate our volunteers and grassroots donors earned.”

In the meantime, here’s some nominal FUD:


plus this:

Clive Robinson February 17, 2020 7:50 PM

@ Thoth,

Hmm, so “nobody died in Singapore”… Is what the government claims.

I wonder how they intend to prove that… After all nobody else can in any other Asian country.

The simple fact is, as with early deaths in China, if your clinicians do not recognize the quite subtle differences in symptoms, any respiratory failure death of that type will be put down to pneumonia.

So the government are throwing the toys out of the pram for either a “fit of peak” or some other reason. However as there are other sites that made or reported the death claim that have not been served with a notice, the “other reason” looks more probable.

SpaceLifeForm February 17, 2020 8:00 PM

I guess everyone here is smart, and does not have to deal with this Win10 problem from last patch Tuesday. (2020-02-11)

My conclusion: Windows is so complex that testing is worthless.


A standalone security update released as part of the February Patch Tuesday cycle has created headaches for some owners of PCs running Windows 10. After investigating reports of those issues, Microsoft has yanked KB4524244 from its update servers.

SpaceLifeForm February 17, 2020 8:31 PM

@ Clive, Bruce, All

I hope you noticed the new trolls that carry links.


If you do not see the two new names above, please say so.

That would be what is called ‘Useful Information’

RealFakeNews February 18, 2020 4:06 AM


I think the @Moderator has removed them.

Windows 10: paying to be a perpetual Alpha tester. Do not use in production environments.

This whole “update your computer to remain secure” is getting old. It placates insurance and legal issues, but does it really help when the updates are poorly written, untested, and applied anyway?

Each new update means new zero-days.

Curious February 18, 2020 5:07 AM

Looking at twitter today (re. Crypto AG story of recent), I find it puzzling that someone like Matt Blaze (who I think was the one to find flaws in US governments Clipper chip for enabling eavesdropping capability unless I am mistaken) apparently thinks that espionage towards other nations governments “are arguably fair game”. He does point out, what he refers to as “moral dimensions”, as being problematic as I understand it, something to do with government backdoors being abused by other nation states. I guess it could be that he also had other things in mind, re. espionage and morals, but it didn’t read like that to me given the other things he said in the tweet.

Seems obvious to me that, the US, and I guess every other country would have a criminal code for espionage (at least for own citizens), so why should nations be thought to be allowed to do this, I wonder. I think the US even charges foreigners for espionage now, unless I am mistaken. If they didn’t I think that would be a little weird, or maybe such people are simply charged for other things, maybe simply to avoid hypocracy re. espionage.

I don’t know how (I never got to read the Washington Post article) but apparently Argentina is re-using the crypto backdoor in the Crypto AG stuff as I understand it. Not sure what the source from that is though, presumably the WP.

What I find objectionable, is the very idea that nation states are not supposed to have privacy. I remember from a book, how espionage was thought to enable a nation state to basically sabotage another nation’s power to make agreements by exploiting the other nation’s most private information on direct decisions in making processes. It also seems obvious to me that, and in this context of the Crypto AG story, selling a nation state backdoored crypto equipment is obviously fraud even if a writte agreement said otherwise, unless ofc the other nation state was informed about the backdoor. Even though, one might try argue that such nation states somehow deserved it, or that you would benefit from such acts, it would still be wrong to defraud them in the first place. Even EU wouldn’t let UK just walk away from existing agreements I am sure, which imo it makes sense to argue that say UK couldn’t just make changes to their own laws intended to directly undermine or break an agreement and just forget they ever had an agreement with the EU (a particular youtuber in the UK apparently thought that, before he changed his mind later on). Agreements are basically not to be broken.

I (now in my 40’s) like to think I grew up in a world that thought that the concept of ‘casus belli’ was basically a moral requirement (particularly for declaring war), however, I can’t help but think that today’s world, or maybe just the world I never really knew well, just behave in a corrupt and in a sense a pragmatic way, as if might makes right. The very idea of ‘regime change’ would not be casus belli material I am sure.

I suppose one might be tempted to argue that, somehow it was deemed necessary to defraud some other nation’s government by selling them backdoored crypto equipement, but that isn’t what Blaze said in his tweet. I just don’t like this casual tone of how espionage would be something that is ok. I guess if Blaze just thought to offer a presumed others’ world view on the topic of espionage, still it sort of sounds like his own idea, which is what made me write this comment. I would think that he wanted to point out how bad the use of backdoors can get, but I just couldn’t help but being hung up on the other language used.

Clive Robinson February 18, 2020 5:10 AM

@ SpaceLifeForm, RealFakeNews,

There are atleast four above I would not touch for various reasons,

1, Wen the coffer
2, Sam
3, contingency_triage
4, William Jackets

Curious February 18, 2020 5:22 AM

Ah, before I forget this.

Referring to my post just above, and with the risks in trying to extrapolate things off a single twitter message, I have to say that there is also an interesting philosophical problem in discussing what is moral, or, whatver is believed to have a ‘moral dimension’.

The way Blaze uses the word, is presumably about awareness as such, as opposed to discussing the vague term “moral values” or ‘principles’ even, and although English is not my native language, I think I have learned that a similar topic to anything ‘moral’, is amoral. Amoral, is by me understood to being aware of things, but also knowing you are doing wrong things, or, should or must have known to be doing things that are wrong for one reason or another.

I like to sum this up with what I read recently on twitter somewhere, and at the risk of paraphrasing the original tweet: “How quickly one forget when one chose the lesser evil, that one chose evil nonetheless”. 🙂

lurker February 18, 2020 12:29 PM

@Curious -espionage has been going on since before writing was invented; its methods have advanced with the available technology. Here’s a thought experiment: what would happen to espionage if the Nation State was abolished? The answer may depend on what happens to the personal moral landscape in the absence of belligerent Nation States. There is ample historic record showing belligerent Nation States existed millenia before the Treaties of Westphalia. Some might argue the United Nations was supposed to reduce/remove belligerence from Nation States: good luck with that.

SpaceLifeForm February 18, 2020 2:08 PM

@ Clive, RealFakeNews

So, Clive saw:

1, Wen the coffer
2, Sam
3, contingency_triage
4, William Jackets

@ RealFakeNews

What names did you see?

I saw one that Clive did not. Press Brake

He saw three that I did not.

Wesley Parish February 18, 2020 4:43 PM

@RealFakeNews et alii re: Windows 10

I think Microsoft is making the point of the FSF in its request for Microsoft to open the MS Win7 source tree under a FOSS license.

@Clive Robinson re: Huawei

Remember Princess Leia’s words to Tarkin while on board the Death Star:

The more you tighten your grip, Tarkin, the more star systems will slip through your fingers.

Or perhaps the general rule of this current administration is: A foot in the mouth is worth two on the ground.

SpaceLifeForm February 18, 2020 5:19 PM

@ Wesley Parish

I guarantee, that if MS did open source Win7, there would be patches every week for quite some time.

I’m sure NSA has more fixes than MS has at this point in time.

myliit February 18, 2020 6:07 PM

@Wesley Parish, Space Life Form, Clive Robinson

Obviously our president is not credible, doesn’t always check reality with his statements, is for sale, etc., …, but

“ Trump Contradicts Advisers on China Technology Fears

The president, in a series of tweets, said the U.S. would not restrict sales to the country, a sharp shift in administration policy.”

@SLF, Whats wrong with WP & NYT newspapers? Is it better with javascript and cookies turned off?

la abeja February 18, 2020 7:58 PM

@Electronic Content Creation

Re: []

–> []

What? No goofy D0nald Trum% videos?

No, that’s slashdot, originally a free and open source software discussion forum, which has since been bought out by DICE.COM for the purpose of collecting political intelligence on its userbase for the use of hiring managers and private investors in the proprietary software industry.

And that original article being promoted is from VICE.COM, which is slowly but surely returning to the subject of “pornography,” which is in a certain sense a “natural” fit for that domain, as it was before the feds seized it and auctioned it off for use in the interim as a family-friendly safe-for-work news site, but that story has been buried for so long that people no longer feel “uncomfortable” with it now, and with the current upheaval in the D.O.J., the p1m%s and proprietors of those domains suddenly feel a lot more comfortable promoting such trafficking services.


Clive Robinson February 18, 2020 11:59 PM

@ myliit,

Obviously our president is not credible, doesn’t always check reality with his statements, is for sale, etc

Well first off with regards chips,

1, It’s virtually impossible to find bacdoors in modern chips.

2, If you don’t alow China to buy your chips, they won’t be buying US backdoors.

3, Other nations will buy Huawei kit regardless of US using threats and FUD. Especially nations that the US would want to spy on.

4, Other nations with more indepth technical knowledge such as in Europe will layer kit making US backdoored kit issolated by kit that does not contain US chips etc

So I suspect that the NSA has had a word at the very least.

But there is another asspect which most people have not thought about. I design electronics, from FMCE gozmos, through various broadcast equipment, surveillence, mil compatable and space qualified kit.

Anyone who manufacturers equipment knows what the “limit of first purchase” is you see people talk about it with regards “grey market” or just plain “second hand sales”. Put simply a manufacturer can chose who it sells equipment to, but appart from “not worth the paper” contracts the manufacturer can not stop a purchasor selling on to a third party. Even under US law all such contracts get revoked for “acutioning off” by a reciever or any creditor who has debtor goods.

The rules the idiots in the two US houses want to put in place would mean that the manufacturer of the good remains liable if it ends up in China… That is a que to all design engineers even in the US to “design out all US chips” which is why I’m in the process of dumping all Microchip microcontrolers at the moment, and I’ll be moving to other US chip makers very soon untill all are gone… From my point of view as the designs use chinese parts such as metalwork, printed circuit boards, switches, connectors, displays, coils/capacitors and other components, it’s way easier to take US parts out entirely…

You can not have a manufacturing industry of which chips are a small but high value part, if even your own countries manufactures won’t buy your parts due to fear of ending up imprisoned somewhere. And lets be clear about this, the Huawei executive illegally detained in Canada and the UK Government treatment of Julian Assange are not exactly going to encorage engineers who are risk averse by nature using US parts in their products.

Even software engineers, put Android or part there of in your product and it ends up in China, hope you like orange as a colour…

Or instead use the Chinese Open Source equivalent code. OK your product might not be let into the US but the rest of the world will probably not object… Plus the growth in the Chinese market will probably be worth more than the US market fairly shortly anyway…

So take the choice of,

1, get some kind of rendition back to some US controled cage (gitmo) or hole in the ground (some us federal prisons) for using US tech.

2, Potentially loose the US part of the world market for using Chinese tech.

Which would you chose?

But also there are other non US and non Chinese options with *nix type OS’s for embedded systems etc. But which ever way you slice it the US looses, even from it’s own engineers…

As several people have warned such legislation from idiot politicians “Choices have concequences…”

And guess what, it appears the rest of the world is thinking “no US parts” or asking US manufacturers for indemnities that they can not give. Even an engineer asking a sales rep about liability especially if acomnpanied by a “hold/delay” from the potential customer will get back to the US C-Level fairly fast because guys on commission or target based pay are going to want “consideration”…

As the wiser C-Level types know “A customer lost will not easily be won back”. I’ll be honest and say up front, it’s going to take something realy exceptional to even think about puting US parts back in my designs the US politicians “Have crossed the Rubicon” and can nolonger be trusted.

So yes I’m not the least supprised by this change, as lets put it this way “Unless you are a realy bad shot, you fairly quickly stop using your feet for target practice”.

lurker February 19, 2020 12:12 AM

@SpaceLifeForm: re chip sales to Huawei
Hmmm, so the US of A wants to interfere in the internal trade of another nation, ie. between China and its renegade province Taiwan. Or put another way, if I buy a tractor from John Deere, why should I need another licence from them to plant non-American turnip seeds? China got rid of the last of its extra-territoriality‡ in 1932 or 33.

‡ where foreigners in China were subject to their own national law, and not Chinese law.

JonKnowsNothing February 19, 2020 1:58 AM

@ Clive @All


Many moons ago, the USA tried this with automobiles. Japan was cleaning up and Detroit was going belly up. So, we passed a law that said essentially, cars and trucks purchased by the US Government had to be USA made, parts and all.

Looked great on paper.

The was only 1 car maker that qualified under that Made in USA rule: a Volkswagen manufactured in their Kentucky USA plant.

What the Detroit folks got was not want they intended. They wanted to buy overseas engines and parts at big discounts and sell cars in the USA at a bigger markup at the same time preventing competition from the importers. It was the beginning of globalization and reduction of USA based manufacturing and start of the race to the bottom.

At one point, at least in one USA assembly line, they ran the same car with different brands at the same time. Evens were USA branded; odds were Japanese branded. It was the same car, the same style only the chrome nameplate changed.

By mixing up the brands, both sides bypassed the Made in USA flop law.

Remnants of this concept are still popular and it gets air-time during election cycles.

Clive Robinson February 19, 2020 9:16 AM

@ ALL Vodafone users,

Think twice then thrice about anything you do on a Vodafone Internet connection…

It appears there is no crack they will not intrude into to grab what they can and then hand it over to a third party you have no control over,

Not nice to say the least especially the bit about them getting access to the users private side network to change things “for their own good”…

Clive Robinson February 19, 2020 9:45 AM

@ Bruce and the usual suspects,

Who Pownes your hardware?

Is a subject that keeps coming back again and again… This week Eclypsium released a report on equipment that will except any update no matter how untrust worthy and addled it might be…

This issue is getting realy bad as hardware increasingly has more and more hidden Flash ROM that users do not know about, nor in the ordinary course of events is there anything they can do about it as the offending manufacturers often do not provide utilities whereby the Flash ROM can be checked or re-flashed securely.

It’s one of those things that @Nick P and myself used to warn people about fairly regularly.

It was also part of our debate over how old hardware would have to be not to have “Hidden Flash” in IO that could be exploited. @Nick P favoured “mid naughties” and I favoured “mid nineties” as the cut off points.

As we now know the NSA had been exploiting Flash ROM on hard drives for the beter part of this century if not longer, so it would be safe to assume they have exploited every other bit of Flash ROM on hardware, especially that of routers and other network equipment that realy does not have any useful way for ordinary users to detect it’s now “NSA Inside”.

MarkH February 19, 2020 9:51 AM

Did the Early Internet Activists Blow It?

A thoughtful Slate article by Mike Godwin, who was EFF’s first staff lawyer.

It addresses the inherent conflicts between free speech, and protection from the consequences of manifestly damaging speech.

I think it will be interesting for many readers here, especially inasmuch as questions of internet regulation and censorship policy have often been topics of discussion.

A quote, with my emphasis added:

My colleague Renee DiResta and I have been arguing in the past year or two that empowering tech companies to partner with governments and multistakeholder efforts in fighting disinformation is properly characterized as simply good cybersecurity.

My personal inclination, if not quite free-speech absolutism, is to be a free-speech hawk. I’m also inclined to study perspectives — if they’re intellectually serious — which challenge my own position.

I suppose that many people are like me in that they regard free speech as something of inherent value, regardless of consequences.

However, as it is usually framed in the drafting of the U.S. constitution, the argument for the free circulation of ideas was based on utility, rather than inherent worth: a free press was held to be indispensable to democracy.

In recent years, dissemination of disinformation appears to have been an effective mechanism helping to undermine democracy in many parts of the world. If free speech absolutism contributed to the destruction of those systems which protect freedom, and empowered authoritarian regimes sure to apply brutal censorship, the loss to humanity would be devastating.

Clive Robinson February 19, 2020 11:20 AM

@ MarkH,

It addresses the inherent conflicts between free speech, and protection from the consequences of manifestly damaging speech.

The essential problem is,

    One man’s truth is another man’s propaganda

We all have diferent Points of View (PoV) which makes us assess the always incompleate[1] information we recieve differently.

This means there is no “real truth” just “perceptive truth” which is in effect “fake news”.

Reporters write to their Editors instructions, and the Editors take instructions from the owners and “house style” etc.

Which means Mark Twain’s advice of,

    If you don’t read the newspaper, you’re uninformed. If you read the newspaper, you’re mis-informed.

Oh and the is also the sage advice about editorial slant,

    If you are going to read a newspaper, first learn to read the newspaper.

The simple truth is that it does not matter what technology is used to carry the information, from acient tribal song, knots in string, impressions in clay, carvings in stone, hand drawn manuscripts, printed books, newspapers, radio, television or the Internet, all of them present not the truth but a “Point of View”.

Even academic and scientific papers do not the truth give. As students sometimes get told about physics –which is about the most foundational of sciences–,

    You will be told a succession of lies, each more accurate than it’s predecessor.

When we accept that we never will be told the absolute truth, we can become more critical of what information we recieve. At which point we take one of the first steps of becoming an independent and worth while human being.

Attempting to stop people presenting information in the way they chose especially by legislation is always bound to fail. It’s also worse than not doing anything at all, because by not doing anything in the name of “Free Speech” encorages people to take the step to being more cautious about what they hear and thus apply critical thinking.

The other thing is the easy way to lose an argument is to tell somebody they are wrong. Their “hackles are raised” and mostly they would rather paint themselves into a corner than admit they are wrong. The way to win the argument is to gently let their mind follow a path from where they are to where they can be, by gently asking questions about why they see things the way they do. And when they ask you in return tell them gently why you see it differently. After all you never know they might know things you don’t and you might both be wrong or right just in different ways.

Where I can I like to reason from the laws of nature as we currently understand them, and from first principles. Sometimes it leads me to places I would not otherwise have got to by other routes. Whilst a good imagination can be a wonderful thing, it needs to have it’s feet firmly on the floor, unless it wants to be just flights of fancy.

[1] As I’ve noted before that whenever something occurs there is always one more PoV than there are witnesses, and that is what actually happened. Because a witnesses view is always limited their PoV is thus also limited, and goodness knows how many tests have shown not only this to be true, but that our brain “fills in” missing detail. The problem is that the “filling in” is very malleable and even when care is taken simple questions can change not just the “fill in” but what was actually seen / heared / perceived.

SpaceLifeForm February 19, 2020 1:59 PM

@ myliit

My concerns about NYT and WAPO websites are twofold.

As Clive noted above, Fake News is an issue.

But, that is not the only problem.

Many, many, nany people on East Coast read those two websites every day, numerous times per day. In particular, DC and NY.

A lot of those readers are government people. IC, LE, etc, etc.

You can pay for some security, get some non-breaking news (stale), if you get the dead-tree issue.

Last I checked, dead-tree news does not require Javascript or Cookies.

Clive Robinson February 19, 2020 2:20 PM

@ All,

How to jam hidden microphones,

I hate to burst their bubble but the idea of jamming microphones with ultrasonics or just plain high frequency bandwidth limited complex psudonoise is not new.

If you had the money back in the 1980’s and you knew who to talk to in the proffessional surveillance industry (not the bug-shop types) then you could aquire such a device to sit on a boardroom table.

The way they work is fairly simple physics.

The diaphragm of a microphone is a “resonator” just like the cymbals in a drum kit resonate when hit. They also resonate at harmonics of their resonant frequency. Resonance is an “energy storage mode” if you know anyone who knows how to play a giant gong of the sort you used to see on the “Rank Movie” logo or hanging between posts at oriental temples, they will tell just how much energy you can put into such a resonator. At resonance they are highly efficient.

However well below their resonant frequency a microphone diaphragm has an approximately linear response with frequency. However it’s not at all efficient.

Thus although ultrasonics do not travel to well in air the relative difference in efficiency between well below resonance and at resonance makes up for the difference by quite a bit. Even across a fixed bandwidth like 100Hz (the -3dB bandwidth at the first resonance point can be more or less multipled by the harmonic multipler at the harmonic resonances).

The thing is that for various reasons you get the highfrequency noise folded down in frequency to “baseband” where due to the differences in efficiency ordinary bassband audio signals (human speech range) get swamped. But not with the human ear, so you can hear a quiet conversation whilst the person listening in on the bug microphone gets lots of noise.

Anonymouse February 19, 2020 3:37 PM

@Clive Robinson

How to jam hidden microphones,

I hate to burst their bubble but the idea of jamming microphones with ultrasonics or just plain high frequency bandwidth limited complex psudonoise is not new.

MarkH February 19, 2020 4:11 PM


  1. The literal meaning of propaganda is the broad dissemination of messages; a more specific meaning is the dissemination of messages hoped to persuade people to adopt particular positions.

Propaganda has often been laced with falsehoods, but persuasive argument (however wrong-headed some may think it) is distinct from counterfactual statements.

  1. No post-modernist I! Many facts have a substantiality independent of observers, and are accessible to reasonable people, who may agree on their truth.

In the 1940s, the German government, in furtherance of policy decisions made at high levels, murdered millions of non-combatants. Contradictions of this are objectively false.

  1. Did you read Godwin’s article? His default position is, the more speech the better. His legislative advocacy is not for laws regulating which speech is permissible, but rather for an existing U.S. law which enables site/service operators to enforce their own standards without excessive liability.

As techniques and tools develop, the oft-repeated refrain is “this is just a new means for people to do what they did before.” The sometimes unstated corollary is “so it’s wrong-headed to enact policies with new restrictions for it.”

The first part is broadly true, except for the implication that the difference is not very meaningful. The corollary, however, is in general not valid, as I shall illustrate by the example of urbicide, the intentional killing of cities.

This is absolutely not a new activity. It is likely almost as old as organized military activity. Carthage is a famous (if not altogether accurate) example.

In the first half of the 1940s, the U.S. and UK demonstrated that using their “strategic bomber” forces, a number of men roughly equivalent to an army division could wreak extreme devastation against great urban centers in less than 48 hours.

It was doing what had been done before, but it was quicker and imposed costs which were, for the societies of the attacking countries, easier to bear.

Then in 1945 the U.S. demonstrated that it could achieve an even greater level of destruction in the space of a few hours, with less men at the point of attack than a typical army platoon.

Urbicide had become so quick and cheap that the U.S. plan was to continue destroying Japanese cities at the rate of a few per month until Japan surrendered. Further, it had become so quick and cheap that the U.S. and USSR were soon contemplating the demolition of dozens (and eventually hundreds) of cities and towns in a single day.

To say that “it’s only a new technique for doing what people have always done” is to erase the awesome implications of low cost and high speed.

The world recognized that no, this ain’t just a new way of doing what people always did, and that it deserved very serious policy responses … though they remain very much an unfinished business, I think a good case can be made that attempts to restrain this kind of warfare have enhanced stability and margins of safety.

A smaller-scale (though to date, far more deadly) example related to weapon are personal firearms.

When the second amendment to the U.S. constitution was approved, usual firearms could be discharged a maximum of 3 or 4 times per minute, and had modest velocity and range.

Now, millions of Americans have — for strictly private purposes — weapons which can conveniently fire 100 (or with a little preparation, several hundred) times per minute, with rounds so energetic that the impact on a human body typically destroys many hundreds of cm3 of tissue.

An oft-stated view is that these weapons require no policy difference from that intended for their 18th century predecessors.

Excepting a minority of Americans, most people don’t think that this view makes sense.

People have surely been committing financial fraud via mails for as long as postal systems existed. Email recently reduced the cost of attempting such fraud to something like a few dollars per one million messages. It’s nonsense to pretend that the efficiency enabled by new technology has not altered the character of the criminal activity.

The disinformation attacks recently demonstrated using electronic “social media” systems offered the attackers a combination of cost effectiveness, ability to tailor disinformation to critical slivers of population, anonymity and impunity which (as far as I’m aware) the world had not seen before.

Dude, this stuff is different.

Anonymouse February 19, 2020 4:43 PM


In the 1940s, the German government, in furtherance of policy decisions made at high levels, murdered millions of non-combatants. Contradictions of this are objectively false.

It was not Stalin’s Communist Party talking points that won the war. At some level, the “non-combatants” by their inaction and refusal to bear arms and fight were responsible for the deaths of the innocent ones.

When the second amendment to the U.S. constitution was approved,

It was effective for everyone. Now, some people are more privileged than others, and allowed to own firearms while others are trafficked out of the privilege of owning firearms on pain of arbitrary arrest and felony prosecution: even as their very lives are destroyed and their property is confiscated by a corrupt government and self-dealing law enforcement community under color of law but without the due process of law.

SpaceLifeForm February 19, 2020 5:06 PM

@ Clive, RealFakeNews


One of the trolls that Clive saw that I did not, well, now I see.

Fits a 2 decade old theory of mine.

@ Bruce

Remove old ciphers from web server, please.

There is fishy stuff going on.

SpaceLifeForm February 19, 2020 5:14 PM

@ MarkH

“Defeating Logjam is dirt simple.”

Correct me if I am reading you wrong.

I think you meant ‘exploiting Logjam is dirt simple”

Clive Robinson February 19, 2020 5:49 PM

@ MarkH,

Yes I have read the article.

I think you have misunderstood what I eas getting at with the notion of new technology not chsnging things. It was the motivation of those doing those things I eas getting at.

Enacting new legislation, won’t stop them they will just find another way to achive their base objective.

However you are right about force multipliers enabling more to be done in a given period of time and nukes are certainly more effective city levelers than a bunch of blokes with picks and shovels.

But it brings to mind is it a linear or more effect. In the case of ciry leveling it’s less than linear, that is the power required goes up with the square of the radius as it’s area not distance the destruction is aimed at. However with information it’s actually not the attacker who is expending energy, but the recipients computer. Thus each extra machine is very nearly free…

Normally with spoken or printed word you can see a falsehood by the length of time it takes to spread, after all one man can only nail one poster at a time to street trees and fence posts. However with modern programing in malware a single person can be an army of a billion at the press of a button.

Will this rapidity giving the appearence of omnipresence make a difference to how others see it?

To be honest I’ve not realy given it thought untill now… In part because I’ve thought mainly about the other differentials of action at a distance for near free.

SpaceLifeForm February 19, 2020 6:36 PM



“turned out that the cruise ship was completely inadequate in terms of the infection control.”

“There was no single professional infection control person inside the ship, and there was nobody in charge of infection prevention as a professional. The bureaucrats were in charge of everything,”

MarkH February 19, 2020 6:36 PM


I’m often frustrated by the rate at which I make mistakes, but in this case the language expressed my meaning quite accurately.

It’s my pleasure to enlarge:

  1. Exploiting Logjam requires truly massive computational resources. There’s a trade-off to reduce that cost by forcing downgrades with a MITM attack, which of course requires other resources, sophistication, and above all the right kind of access.

For the vast majority of web traffic, only the world-class intelligence service of a wealthy state could successfully implement a Logjam exploit.

  1. Defeating Logjam is possible using very simple precautions. But I should clarify that the average home web surfer wouldn’t know how to do these things, and people are often stuck connecting to remote systems with poor security configurations.

That being said, in cases where you have sufficient control, the protective measures are truly dirt simple.

A. Disable DH; TLS can use other methods. For example, no such precomputation attack is known for ECDH.

B. If you don’t want to eliminate DH, ensure that the key size is greater than 1024 bits (preferably 2048).

C. If you don’t want to eliminate 1024 bit DH, disable the use of any smaller size than 1024, and only allow keys based on non-standard primes.

The Logjam authors estimated that precomputation for a single 1024-bit DH prime in one year would require hardware costing hundreds of millions of dollars, and I don’t think they accounted for energy cost to do the number crunching, which would also be very steep. Logjam was suggested to be feasible because many systems use keys based on one of a small list of primes. Simply not being on the list (rolling your own prime) would make you too dang expensive to attack, unless there’s something about your traffic worth hundreds of millions of dollars.

But A or B above, both dirt simple, are fully sufficient.

MarkH February 19, 2020 6:51 PM


We are in an era — like it or not — in which capacities are scaling up by factors of thousands or millions over intervals of not many years.

The dangerous consequences of these expansions are mostly unforeseen, and unfold at a rate exceeding my ability to process them.

There has been lively discussion in this blog of facial recognition technology. Of course, surveillance is as old as civilization. In East Germany, it seems to have consumed a large percentage of all available labor hours!

Surveillance becoming so cheap and so ubiquitous has implications — especially in authoritarian or totalitarian polities — which are difficult to comprehend, and so psychologically distressing (to me, at least) that the prospect of even trying to visualize them is sickening …

Even Elon Musk’s modest plan to pollute the night sky with thousands of his sh!tty little sputniks breaks my heart.

O, wonder!
How many goodly creatures are there here!
How beauteous mankind is!
O brave new world,
That has such people in’t!

Sed Contra February 19, 2020 8:25 PM

@Clive Robinson @MarkH

As a wise man remarked in 1945 about the bomb, it has fallen on that city and so has fallen everywhere. The geni is out of the bottle and the task we are faced with now is to manage it. It would have been better to have avoided it but now we are stuck. It seems to me the situation is the same with computerization. It was a bad choice. Our tedious and earnest duriy now it to manage it as best we can. We need to learn to make better choices. The whole surveillance thing, and the whole utopian computer pipe dream, would fail if enough people were to make those choices.

Anonymouse February 19, 2020 8:55 PM


There has been lively discussion in this blog of facial recognition technology. Of course, surveillance is as old as civilization. In East Germany, it seems to have consumed a large percentage of all available labor hours!

Surveillance becoming so cheap and so ubiquitous has implications — especially in authoritarian or totalitarian polities

The East Germans were, again, somewhat like the old Finns in their culture. Some of the older folks might have been at one time in theory available for labor, but out of work so long that it was a pastime for them to sit on a park bench somewhere and watch (surveiller) the young punks go by, embarking and disembarking the bus, meeting and greeting, who their friends were, etc. Definitely, a very authoritarian regime. Those older folks were not happy with their lot in life or with the general conduct of the younger folks.

You cannot have gun control without that extreme totalitarianism to which our current civilization has devolved, to such heartbreaking general poverty and devastating waste of human potential, all because of the unrelenting denial of our rights and freedoms by political motives under color of law without the due process of law.

SpaceLifeForm February 19, 2020 10:05 PM


Looks bad. When two people die in Iran, and they decide to turn a hospital into a dedicated facility…

It’s out of control.

Interestingly, the fataliies are not all due to lung failure.

Heart Attacks. Not implying not related.

But, when an apparently healthy, young (25ish) male police officer, walking down a completely empty street in china (with two other cops), just drops dead…

Also, lots of false negatives at first.

Need 30 days to be sure.

Something keeps bringing me back to


Sed Contra February 19, 2020 11:08 PM


And there is this

ht tps://

lurker February 20, 2020 12:56 AM

@SpaceLifeFORM: The bureaucrats were in charge of everything,

Ah, OK then. I was beginning to fear it was Unit 731 again…

Clive Robinson February 20, 2020 2:02 AM

@ SpaceLifeForm, Sed Contra,

Looks bad. When two people die in Iran, and they decide to turn a hospital into a dedicated facility…

It’s actually a rational decision based on the limited availability of information and resources, and rather better than using sports halls, conference centers and hotels. It’s something China has shown is the way to go.

China has indicated that they think that they are only seeing ~5% presenting at healthcare centers of which ~18% become severe cases requiring more critical care. With a 14-35 day critical care period say an avarage of 1/13th of a year.

So 5% is 1/20 and 18% ~ 1/5 so about 1% of the population in general requiring critical health care… Most western healthcare systems could not support this level of critical care over a three month period.

However much Iran might wish to have a better healthcare system for it’s citizens, US sanctions do not alow this in one way or another.

Iran and infact every countries only solution to is to “capture, contain and kill” the virus as quickly as possible. That is as people become symptomatic or test positive put them immediately in issolation and likewise those who have had contact with them. Implementing as wide a screening process in the community as possible.

This is where the vexed issue of “personal -v- societal” comes into play. For the health and well being of society or “the greater good”[1] draconian almost tyrannical measures are required early on to stop the spread. Such measures are a suppression of “personal freedoms” and thus not at all popular[2].

It’s no secret that one of the reasons Ebola was so difficult to get under control in Africa was “Death rituals” both pre and post mortality. Such customs need to be curtailed if viral disease is to be contained. This is often highly contentious in even secular states, and near impossible in non secular states. About the only time people accept changes to such ritials with little or no complaint is in the clinical setting of a hospital. Thus from a disease control view point keeping patients that you know are going to die in hospital care, rather than send them home for palitive “comfort care” is what is required. However for this to work over more than a few weeks, the number of patients that come out alive needs to be up in the 90-100% range (ie preferably a lot better than normal hospital mortality rates[3]).

Also what few realise is that even in first world western healthcare there are various measures already in place for the likes of seasonal flu. There are hospital wards that get “closed” as new wards are opened but the closed wards are kept in a state of unstaffed readyness as “overflow”. Elective surgury gets curtailed and surgical wards get “annual deep cleaning” and available as “overflow”. Governments stock up on drugs and equipment in warehouses and similar.

Something else people need to come to terms with is that disease epidemics are becoming more frequent. It is not just down to increasing travel, or increasing population or any other nonsense you might get from politicians. It has a correlation with industrialisation in “green field” environments including factory farming and the need for raw resources destroying eco systems and help cause global warming. We are in effect driving “wild diseases” into society and forcing them to migrate. Healthcare specialists have been waving several red flags over this for decades now, but “free market” mantra and ethics have over ridden such considerations. As the old saying has it “you reap what you sow”…

Oh and ask yourself this do you realy want race to the bottom “free market” ethics driving healthcare? I’ll tell you now that Kan-ban, JIT and LEAN don’t work in non steady state or predictable systems. Pandemics are at the chaotic end of things and health care resources can not be turned on and off like a switch. When dealing with such events you need “slack in the system” or more politely “spare capacity” that can be called on at very short notice. When you study “natural systems” that have developed and survived over thousands of years, you find they are all “inefficient” that is they are runing at 10-40% of capacity. Ask yourself why they are still around whilst more efficient systems are not…

So yes I think Iran has taken a quite rational view based on the limited information and resources available to them.

[1] “For the greater good” is a phrase I’ve warned before should cause significant pause for thought in the population of any democracy as it can quickly become vigilantism rules.

[2] Also like any defensive measure it will be seen afterwards as to oppressive if it succeeds, and a failure of those in charge if it does not. Such is the way humans tend to work. Thus the real secret is “stage managing perception” which unfortunatly needs “Heros and villains”. People tend to forget society is a beast with primitive desires, blood lust and adulation being but two. Thus expecting rational[3] or calm behaviour is not a good point to start at.

[3] Human beings in general are not very good with numbers or correlation. In the US road deaths in the 30-40 thousand range are societaly acceptable but less than half that due to ordinary seasonal flu gets questioned in the media. Trust me when I say if deaths from COVID-19 get above a few hundred in the US there will be rabid MSM behaviour and consequent unrest in society. We’ve seen vigilante behaviour in China already when the official death figures were less than a hundred.

Puppy February 20, 2020 3:15 AM


Thanks for Vodaphone article
They are one of the three original service providers here in Australia (Telstra and Optus being other two). although they don’t own any infrastructure.
Wouldn’t their activities as detailed be severely infringing upon the GDPR? I can’t see how not.

On that note, it was recently ruled under GDPR (no link on hand sorry) its not enough for a website to say ‘we use cookies, so if you use this site, suck it up’
A website must allow the option to not only comprehend the cookies used but refine the active cookies by choice.

name.withheld.for.obvious.reasons February 20, 2020 6:23 AM

From the level of retreat from our institutional structures and governance with the concomitant relationships that have held together, however haphazardly, the environment we are entering will have a commensurate feedback loop.

Am afraid that that loop will require the effort that was necessary in answering retreat that was expressed as World War II. Forgive us for not what was willed, but what will.

MarkH February 20, 2020 8:18 AM


“We both may be correct.”

I couldn’t judge that, not knowing clearly what the claim is.

I did an extremely rough estimate just now, that the precomputation for a 1024 bit prime used in DH would cost half a billion USD if you rented the computing horsepower from Amazon. (If I understand correctly, their rates are competitive with trying to set up the cluster yourself).

I don’t know how much capacity they have lying around, but I’m guessing you might need a few months to burn up all that money and get the results for that one prime.

If you chose the most popular prime for internet DH you would now have the potential to decrypt a tiny sliver of all TLS traffic.

For each intercept, you’d need to wait a week or two: the last step doesn’t need much computer power, but it can’t be parallelized. Of course, if you have a lot of intercepts (based on that same prime you just “bought” for the price of a jumbo jet) you could run these multi-day computations in parallel.

If you have all those resources, and you’re willing to invest them for this purpose, then sure, exploiting Logjam is dirt simple.

And please remember, there’s no such precomputation attack for RSA.

MarkH February 20, 2020 9:21 AM

Just yesterday, I posted a link to Mike Godwin’s piece about the protection of, and the limits to, freedom to publish online.

The urgency of the topic is apparent: not long after my comment, Washington Post published an article based on a meeting yesterday that included representatives of the DoJ (including the Attorney General himself) and people from some of the ultra-rich tech industry companies involved in this tug-of-war.

The core topic was apparently Section 230, which shields online providers from legal liability. Mike Godwin wants to protect this provision, because it enables online publishers and providers to set rules enabling them to police what is published, without the risk of being forced into courts by lawsuits complaining of bias or harm.

To make this concrete, think of our gracious host Mr Schneier. The comments here are masterfully moderated: for many years, a very wide range of ideas and views have been expressed by commenters, without degenerating into the ugly combinations of nastiness and meaninglessness have been seen in so many online forums. If Bruce could be sued for comment moderation, he could scarcely afford to continue keeping such a forum open.

After the public meeting yesterday, there was a private gathering of at least some of the same participants, which reportedly was rather volatile.

Lots of people want to weaken or eliminate the Section 230 liability protections, primarily on two bases:

  1. Concrete harm to individuals (for example, some instances of doxing); and
  2. Claims of viewpoint discrimination by people on the political right.

For some strange reason, when content providers block posts saturated with disinformation and bigotry, this is interpreted as unfairly affecting conservatives.

Reportedly, Attorney General William Barr, while not asserting a DoJ position on the matter, took the “internet giants” to task and expressed an openness to the possibility of rolling back liability protections.

Changing federal law requires an act of Congress, so it’s early days yet. But surely, this evolving situation could powerfully affect how things are done on the internet.

Clive Robinson February 20, 2020 10:43 AM

@ MarkH, SpaceLifeForm,

[It] would cost half a billion USD if you rented the computing horsepower from Amazon. (If I understand correctly, their rates are competitive with trying to set up the cluster yourself).

I’m assuming you were just considering high end Intel/AMD CPU’s, not systems using a moderate boost via GPU’s of about 8:1 or CPU’s with built in FPGA’s that can give an improvment of around 50:1 or time saving or cost reduction.

Things kind of get more interesting when that half billion becomes only 10 million, that brings it to a value where “robbing” online banks and financial houses becomes profitable…

MarkH February 20, 2020 11:38 AM

@Clive, SpaceLifeForm:

When the team who wrote up Logjam estimated several hundreds of millions of dollars to build the hardware, they were assuming that it was based on ASICs, and that these custom chips would provide quite large factors of performance/cost ratio enhancement.

As I recall, they described their astronomical cost estimate as perhaps optimistic.

That was about ten years ago, so current costs would presumably be less, but still a very heavy investment. And that investment would buy you one 1024-bit prime per year.

My ballpark number was for rentable computer power, naturally based on standard general-purpose CPUs.

That $10 million threshold you suggest would seem to remain far out of reach.

It’s worth noting that it has not been confirmed (as far as I am aware) that NSA ever made this attack. I assume they’ve done the work for 512 and 768 bit DH.

By 1024 bits, it would be necessary to judge the resource allocation versus the likely intelligence yield, and compare that to other available exploits against the relevant targets.

As far as we know, no agency on Earth could manage 1536 (or greater) bit DH.

These guys seem to have zero-days falling out of their desk drawers. Maybe they have better alternatives to frontal attacks against strong crypto …

As you’ve observed many times on this site, if your PRBG is compromised, everything else is f*cked. Perhaps NSA has focused their attentions on that, and other highly cost-efficient exploits.

Clive Robinson February 20, 2020 11:41 AM

@ MarkH,

Lots of people want to weaken or eliminate the Section 230 liability protections, primarily on two bases:

The idea behind §230 was to try and bring some measure of “common carrier” status into the Internet. Common carrier status has never existed in “publishing” thus the pretense was that “Internet publishers” were acting as “Common Carrier” status “Telecommunications or postal” carriers.

That pretense fails when you “advertise content” because there is no way you can claime to be providing “information transport” when you are “information advertising” you have clearly crossed over to “publishing”.

Publishing by law requires care that normally falls under the “Editing process” which in the USA I’m told requires “legal oversight” to the point “lawyers edit copy” on a daily basis.

The problem is as you note, that the Internet alows almost anyone to set up an “Online Journal” or to participate in others Journals, much like the old fashioned “public message boards” in vilage squares/greens or even outside Churches. These got “moderated” by the same people who could post to them, which was “anyone in the village”. This became problematical and thus public message boards started to move into shop windows and the like, where the shop keeper became the moderator.

The problem is moderation is an expensive thing to do. Consider what a junior or middle manager would get paid per hour and multiply that by around ten, then use the cost/minute to read an item. Even though reading is around five times speaking speed, it’s a slow and thus expensive process.

As for the two issues you mention both could have legal remidies, the problem is “time lag”… I could make all sorts of pointed or just plain nasty comments about Mr William Barr and his attitude, many would consider free speech, whilst he may not. Unless he was a regular here which is somewhat unlikely, he would have to be told of my comments, worse if I used a “nickname for him” it’s unlikely a search engine would be sufficiently good to find even some of the comments let alone all. Even an AI system would be unlikely to work. Worse even the small percentage a search engine might find is likely to be actually such an imemse quantaty that it would require rather more than a full time job sorting the stuff through. Thus “harm/hurtfull comment” might exist of days months or years before he might become aware of it. In essence he would only get to hear of it after the harm has reached a point where his attention is drawn to it…

Thus from a politicians view any negative comments should “never appear” and the only way to do that is by moderation…

Which again from a politicians view point puts them back in the driving seat as it used to be in the days of the press barrons who could at the very least be negotiated with, or dragged into court or worse.

Never ever make the mistake of thinking politicians are OK with the Internet, they are not, and it scares them immensely. Even those politicians that “embrace social networking” as a way “to reach the people” are scared of it and what it can do. It’s why appart from a notable / infamous few they get “PR Wonks” to put up their Orwellian “sound bytes”.

The essence of the Internet is “it’s flat” or “non hierarchical” thus “power” is in many ways spread thinly across all. What message gets noted and amplified is “by the people for the people” which is not what politicians want.

Thus you can be fairly certain of two things about any legislation that arises,

1, It will favour hierarchical structures that politicians can control.

2, It will be a compleat shambles that will fail.

In the current climate Politicoes are going for overly broad very inspecific legislation, you could call it the Cardinal Richelieu approach of the “judge, jury and executioner”. Unfortunately for many politicians they are finding that an independent Judiciary rather than use the overly broad legislation to do the politicians bidding, they are taking a very narrow view as years of experience has taught them the dangers of “quick decisions” on future generations.

vas pup February 20, 2020 2:07 PM

EU plans new rules for AI but experts seek more detail

“The European Commission has said it intends to draw up new rules to protect citizens against misuses of artificial intelligence (AI) tech.

It likened the current situation to “the Wild West” and said it would focus on “high-risk” cases.

But some experts are disappointed that a white paper it published did not provide more details.

A leaked draft had suggested a ban on facial recognition’s use in public areas would be proposed.

While there were no specific proposals on how to regulate facial recognition, the document did say in a footnote that “freedom of expression, association and assembly must not be undermined by the use of the technology”.

It also contained suggestions about how AI in general could be regulated in order to ensure it is ethical.

These included:
◾training AI on datasets that are broadly representative of the population, to avoid bias
◾requiring organizations to keep detailed records of how AI systems were developed
◾requiring that citizens be clearly informed whenever they are interacting with automated systems rather than human beings
◾potentially re-training AI systems developed outside the EU so that they comply with rules particular to the bloc.”

Read the whole article – informative…

vas pup February 20, 2020 2:34 PM

Gun control and firearms possession in Germany

“The suspected gunman in a far-right extremist shooting attack in Hanau is reported to have had a gun license and legally owned several handguns. DW looks at Germany’s gun ownership laws.

What kinds of gun licenses exist in Germany?

According to the Weapons Act, you need a weapons possession card (Waffenbesitzkarte) to own or buy a firearm and a weapons license (Waffenschein) to use or carry a loaded firearm. This means collectors, for instance, only need the first, whereas hunters must have both.

If you only have the weapons possession card, you can only “transport” a firearm, rather than carry it. That means it must be unloaded and inside a locked case when you take it out in public. But German law has no provision stipulating whether a gun must be concealed or not.

There is also a minor firearms certificate, (Kleiner Waffenschein) which is easier to obtain, and which you need to carry lower-powered weapons, such as air guns, starting pistols, flare guns, or anything that can only shoot blanks or irritants.

Both licenses are only valid for three years, after which the application must be re-submitted. Altogether, the costs for an application, >!!!!!including the required insurance!!!!<, can run to around €500 ($540).

What kinds of guns are legal in Germany?

==>>German law makes a distinction between weapons and war weapons, with the latter listed in the War Weapons Control Act.

In Germany it is illegal to possess or use any war weapons. These include all fully automatic or semi-automatic rifles, machine guns (unless antiques from World War II or earlier), or barrels or breeches for such weapons.

Who is allowed to own guns in Germany?

Applicants for a German gun license must

1) be at least 18 years old,

2) have the necessary “reliability” and “personal aptitude,”

3) demonstrate the necessary “specialized knowledge,”

4) demonstrate a “need,” and

!!!!5) have liability insurance for personal injury and property damage of at least €1 million ($1.1 million).

Amongst other criteria, the law state that applicants are deemed unreliable or lacking personal aptitude if:

They have been convicted of a crime in the last ten years
Their circumstances give reason to assume they will use weapons recklessly
They have been members of an organization that has been banned or deemed unconstitutional
They have in the last five years pursued or supported activities deemed a threat to Germany’s foreign interests
They have been taken into preventive police custody more than once in the last five years
They are dependent on alcohol, drugs, or are mentally ill

Anyone under 25 applying for their first gun license must provide a certificate of “mental aptitude” from a public health officer or psychologist.

How do applicants demonstrate “need”?

The law states that gun license applicants must prove some need to obtain one, and defines this as “personal or economic interests meriting special recognition, above all as a hunter, marksman, traditional marksman, collector of weapons or ammunition, weapons or ammunition expert, endangered person, weapons manufacturer, weapons dealer or security firm.”

People who show they are unusually likely to be the victim of a crime can also be deemed as having a need to own a firearm.

In practice, being a member of a sports shooting club can also demonstrate the “need” to get a gun license.”

My take: insurance requirement should be implemented in US ASAP.

SpaceLifeForm February 20, 2020 3:26 PM

@ MarkH, Clive

While DLP is hard…

“These guys seem to have zero-days falling out of their desk drawers. Maybe they have better alternatives to frontal attacks against strong crypto …”

Like POODLE and lack of separation of encryption and comms.

End-point Security. Lack thereof.

SpaceLifeForm February 20, 2020 3:55 PM


In one day, deaths quadrupled in Qom, Iran.

In one day, infections doubled in Seoul, South Korea.

Other reports are no better.

It looks airborne to me.

SpaceLifeForm February 20, 2020 4:46 PM


Sure looks airborne.

A report: Man, wearing mask, talking to neighbor 3 metres away, apparently was infected via his eyes. No goggles.

SpaceLifeForm February 20, 2020 5:02 PM


Iran Health Minister says 5 of the 8 reported deceased never ever left Iran. Now 9.

Heart Attacks.

Qom reportedly in military lockdown now.

At least 4 sudden death heart attacks in china streets.

SpaceLifeForm February 20, 2020 5:50 PM


While I’m not a biochemist, doctor, or even an epidemiologist, I may have a clue, because I may have bought a few vowels over the years.

Many things point to Cytokine Storm Syndrome.

At this point, since there is no vaccine, I think the best treatment would be Anakinra or Kineret.

SpaceLifeForm February 20, 2020 6:29 PM


The U.S. Department of Health and Human Services asked Spokane’s Sacred Heart Medical Center to treat the four patients because the hospital is one of only 10 in the nation with secure airborne infection isolation rooms.

Rachel February 20, 2020 10:15 PM

Vas Pup

Japan is even more impressive in its firearm regulations. Comprehensive firearm handling training course is required by law before purchase
Just removing accidental discharge from the mortality rate is significant

Clive Robinson February 20, 2020 10:46 PM

@ SpaceLifeForm,

It looks airborne to me.

That is the conclusuon I had reached in the early days of the Diamond Princess, on what now turns out to be a false assumption that the Japanese had a reasonable quarantine regimen put in place aboard the ship[1].

But there was no scientific evidence presented[2] to that effect and as far as I’m aware at the time of writing there still is not.

However common sense would indicate that for both individuals and societal safety people should act as though it is airborne.

Unfortunately there is not enough IPE / PPE available to put that into effective as regional let alone national measures. Which would suggest “wildfire” “Fire-break” methodologies be employed to bring about area containment quarantine. This is something individuals will not like and will resist against in a number of ways…

Yes I know how cold and uncaring that sounds but at the end of the day either we accept the virus as part of our existance or we find ways to stop it. A safe vaccine is months away and knowing it is effective would make it more than a year away. Individual quarantine is the best way to go but that is very resource intensive especially for an airborne infection. Based on the fact it can spread in Iran and Singapore, sugests that “spring/summer” weather in the industrialized north of the northern hemisphere will not be effective at stopping it’s spread we will see most of Europe and North America infected within a few months if containment is not achieved. The WHO report suggests that for the majority under 40years old the death rate is in fractions of a percent, but rapidly increases with age being 2% in those under sixty and higher in those older.

The problem is what will kill the minority in any age range, and it’s “unfortunate genetics”. The Cytokine Storm Syndrome ( hemophagocytic lymphohistiocytosis “HLH” or macrophage activation syndrome “MAS”) you mention is not something the medical proffession has much knowledge on, as untill fairly recently it’s been “over looked” and deaths by it have been attributed to other things such as sepsis[3] or one of the 40% of heart attacks with no directly or indirectly attributable cause. It appears the only indicator that would not be as expected with a servere flu or respiritory type infection is a higher than normal elevated ferritin (iron storage protein) levels, and hypertriglyeridemia (high blood level triglycerides).

So it’s fairly well masked during viral and bacterial infections. As you note “Anakinra” is probably the drug that might be most effective for HLH but it has side effects in about 10% of people which can be quite severe.

[1] Unfortunately it turns out that the quarantine regimen on the ship was not run by anyone with ane experience of quarantine or even basic medicine, but a highly bureaucratic and dictitorial mind… When some one with both medical and quarantine experience went aboard they were horrified about what the saw, made a report to that effect and ended up being sensured by the authorities in Japan. I guess on the “rice bowl” principle.

[2] Nore is there likely to be as what would be in effect a fairly simple “two chamber test” would be unbelievably unethical to put it mildly. Thus any evidence will have to be gathered the hard way by carefull analysis of case histories etc.

[3] Sepsis is a real nasty as I know having survived it, it has various stages, first chills and rigor caused by the cytokine released activating the hyperthalmus to raise the body temprature. If your body does not get ontop of the infection or your immune system is defective you then go into shock which is where the body cannot perfuse the tissues sufficiently and necrosis starts and total organ failure starts and disseminated intravascular coagulation (DIC known informally as “Death is Coming”) takes over your blood INR/PTT go off the reservation thrombosis starts blood vessles clog flow diminishes clotting thus increases in positive feedback and you die of heart attack / stroke / total organ failure… The Cytokine storm appears to happen when your immune system is deficient, the first stages present like flu as the natural immune response gets out of control and more and more cytokine is released the body temprature rises and the rigor gets out of control, what is called “overshooting inflammatory response” in medical journals. If your body temprature gets to high (40C 104F) then the protiens start to depolarize (think slow poaching an egg) and the result is a much faster death. If you want things in a little more depth see the “Clinical presentation” section of,

Clive Robinson February 21, 2020 12:25 AM

@ SpaceLifeForm,

This short vid on droplet-v-aerosolised infection might be of interest,

Note although the good doctor does mention time, distance, and humidity and adjacent room infection (what may have happened on the Diamond Princess). But he avoids talking about a maximum range (technically it’s unquantifiable). The reason is it might only take one viable RNA virus strand to infect you, even though density falls of volumetricaly as 1/(r^3) you still need to think of such strands as “bullets” not “gases”, that is their lethality range drops of as a function of time and velocity.

The time an RNA virus strand remains viable is often measured in hours or fractions of a day. However it goes up with humidity and lower temprature. So with a moderate breeze being 4mph 20-50miles over night is possible especially in temperate maratime climates in winter.

But the chance or probability of infection at that range much like that of a bullet being on target depends on the “target” or population density and how clear the path is and the turbulence.

Oh something you might want to look up is “wet filters” in essence air is pumped through a chemical solution, then a dehumidifing process then activated charcoal filters with absorbtion chemicals for the chemical solution.

So an electrolysis of brine produces chlorine (bleaching agent) compounds that render virus and bacteria inert. However the air passing/bubbling through it will lift water, salts and chlorine components as droplets and areosol components. The dehumidifier takes care of much of that but some chlorine components remain as gasses or nano particulates. These get taken care of by the absorbtion chemicals and activated charcoal. These were sometimes followed by electrostatic and vortex filters. Such filters were designed for post WWII / cold war bunkers to protect against Nuclear, biological, or chemical (NBC) weapons and as such were once “classified” information, but modern industry has tended to be more advanced.

Whilst expensive to run such filters can achive high flow rates.

One of the things that have surpassed “wet filters” is micro and nano channel filters. You might be more used to seeing them being used in camping water filters but the same or similar internal filter materials are used in air filters. Again they need a pump to get air through them and unless pre filtered will fairly quickly get blocked (but can be cleared by a short term reverse flow).

The simple fact is RNA viruses are very small at just a few nanometers and even the best of face masks like N100 are only good to PM10 or exceptionaly PM1 which are 10,000 and 1,000 nanometers respectively with their abilities being at best about 50% filtering at 300nanometers. The reason smaller PM filtering is not done in ordinary tie behind the head / loop over the ears face masks is the shear effot to actually breath through anything better and issues surounding the reliability of exhale valves (needed to stop you physically blowing the mask of your face breaking the seal and drawing external air in around the broken seal via the Venturi effect). Full face respirators can filter out all biological components but as anyone who has done a military excercise of more than a couple of hours in NBC kit can tell you it saps your strength and dehydrates you to the point of feeling compleatly geriatric. Then there is the issue of sleeping, think sleep apnea on steroids…

It’s why the higher class Individual / Personal Protective Equipment environment (IPE/PPE) suits have power driven air filters (as well as to maintain positive air preasure protection if the suit gets punctured).

JonKnowsNothing February 21, 2020 1:51 AM

Some ominous reports from MSM, hopefully these are not propaganda scares.

The report is that it has hit several prisons. It appears that the guards brought the illness inside and infected the prisoners.

When treatment resistant TB entered the prison systems in Eastern Europe and Russia the results of under treatment or no treatment flowed back out to the general public. Prisoners do not rate high on a bureaucrat’s lists of priorities.

It gives more credence to airborne dispersal as prisoners don’t get out to the mall often….

My Simple Simon math calcs based on the reported cases vs deaths shows an uptick in deaths. That may be from under reporting cases or it maybe from improved counts. SWAG was .025 now at .030

Another side report of an unknown illness dating from ~2014. The arrow points at some type of toxic pollution.

eyes began turning yellow. Then the palms of his hands did the same. Soon he was bleeding from his nose, and from his mouth, and his body was swelling all over. Eventually he collapsed with fever.

ht tps://

ht tps://

ht tps://
(url fractured to prevent autorun)

Thoth February 21, 2020 6:35 AM

@Clive Robinson

More attacks on Secure Enclaves including Intel SGX incoming. This one has a nice name of CopyCat. It allows extraction of encryption keys from Secure Enclaves as usual.

Secure Enclaves are literally wonderful gifts that keeps gifting endlessly…


Clive Robinson February 21, 2020 9:17 AM

@ Bruce, All,

You might find this research article from Communications of the ACM interesting,

It looks at “hacker to hire” services for getting into peoples Email accounts, which at the end of the day is the usual “Root of Security” for most online accounts.

The article shows several things but the big take aways are,

1, The services are not expensive.
2, They get in due to account holder mistakes.

Which is probably why they conclude,

    [W]e believe that the best line of defense for at-risk users is to protect accounts with universal 2nd factor (U2F) security keys as a 2FA mechanism. U2F security keys protect against sophisticated phishing attacks because the U2F protocol validates the domain before sending the 2FA code, preventing a user from getting phished.

Clive Robinson February 21, 2020 9:52 AM

@ Thoth,

More attacks on Secure Enclaves including Intel SGX incoming.

How many “hardware failing” attacks has it been in this last year alone?

There have been so many I’ve lost count…

I guess it just makes my point about using “energy gapped” systems, that never ever get connected to “standard communications” or “removable memory devices”.

The link I gave the other day about the NSA putting all kinds of “hooks” in computer “firmware” stored on IO Flash ROM for most of this century… Means that right from purchase of a computer for “private use” it should never be alowed to communicate likewise care should be taken with external IO device Flash ROM in keyboards, mice, monitors/screens, printers, and scanners. Even Apple products with replacable “batteries”, they contain Flash ROM that the computer can communicate with…

It also means that to maintain “Privacy” you need to address physical security, never letting the computer out of your direct control. @Nick P and I used to discuss physical security and many appeared suprised when I talked about not just keeping laptops in safes but actually building computers into safes.

I’m guessing if they still read this blog they are begining to understand why, what might have sounded paranoid back then now sounds mearly cautious for those with a duty of care towards “Privacy” not just for the like of financial, legal, and medical information, but also higher value Intellectual Property and the like. Importantly that the only two differences between then and now are,

1, We have more information on the SigInt orgs be the Private or Governmental.

2, The SigInt orgs have had a decade or so to find new ways to get into PCs.

With the latter almost certainly involving these “hardware faults”…

I once said to @Nick P the reason I never carried electronics across boarders was that I did not think I could protect it against Level III (Gov or equiv resourced) attacks by those at customs etc. I’ve slowly come to the conclusion that not even the SigInt orgs can secure consumer level electronics that virtually all computers, phones and smart devices are these days.

I’ve even got to the point of questioning if commercial HSM’s are realy secure with these sorts of large CPU “Hardware faults” abounding. Thus my increased interest in low cost microcontrolers and smart cards to do the actual “security” functions using sensible segregation / gapping techniques with strongly monitored “choke point” low tech gap crossing Communications.

Sed Contra February 21, 2020 12:52 PM

“… arrested … hid a piece of paper containing the access codes inside a fishing rod case at his home … cleared the man’s belongings … taken to a dump …”


Meanwhile, a beautiful redhead in a Fendi suit and fashion sunglasses is cruising in a newly acquired classic Ferrari (in red) along the highway passing Positano, the polished wire wheels gleaming and glinting in the sunshine. As the camera zooms in, we see, pinned to the collar of her jacket, beautifully sculpted in gold, a miniature fly-rod and captured fish. The car turns off the road and heads up a curving drive towards an immaculate modern architect-designed villa with a breathtaking vantage on the Mediterranean. The driver’s cell phone rings, it’s an Irish number. “Is that you darling … in five years then.”

MarkH February 21, 2020 2:29 PM

Caution: Better not to read whilst eating …

We’ve had several comments addressing the question of whether COVID-19 can be transmitted person-to-person through the air as a dry aerosol. It’s an important question because if the answer is yes, containment grows far more difficult.

So far, epidemiologists seem to think it likely (while acknowledging that more data are needed) that airborne spread is via wet droplets, as is the usual case for such viruses, rather than as a dry aerosol. I don’t know why they lean that direction, but they’re the ones with the experience and insight.

Although there’s surely no simple correlation, estimates of R0 have pretty consistently stayed in the range of 2 to 3, whereas a much higher value might be expected with dry aerosol transmission.

One reason to suspect dry aerosol transmission is the rapid spread on at least one cruise ship in the present epidemic. However, cruise ships are notorious for massive norovirus outbreaks, for which the primary means of spread is believed to be from particles originating from body effluents, especially feces and vomit. In particular, fecal-to-oral is supposed to be the primary vector for norovirus.

So, a cruise ship COVID-19 explosion is not really evidence for its spread as a dry aerosol.

Separately and independently, researchers have in recent days apparently been focusing progressively on fecal-to-oral as an important transmission mechanism for the new epidemic.

As an aside, it’s distressing (in more than one way) how many people fail to wash their hands after toileting and/or before eating …

So, the good news is that:

  1. Rapid spread on cruise ships does not necessarily foretell a similar rate of spread under more typical conditions; and
  2. If the present surmises about mechanisms of spread are true, then simple hygiene measures may be very effective at reducing R0.

The bad news is that in populations lacking hygiene discipline, or even worse with inadequate or low-quality sanitary technology (plumbing and sewage systems, clean water supplies and the like), COVID-19 is likely to be far more dangerous.

Worst of all, is the prospect for poverty-stricken regions in which sanitary technology is simply not available to large segments of population.

From the moment this epidemic was recognized as large and deadly, public health researchers were especially concerned about regions of Africa with a large Chinese presence. [This is pursuant to a major Chinese policy of expanding economic and geopolitical presence on the African continent.]

The combination of many people traveling from China, extremely poor sanitation, and dreadfully inadequate medical infrastructure could create conditions for extreme mortality.

The same risk factors largely apply to Chinese prisons, where large numbers of deaths have already been reported, and the gigantic network of concentration camps for Uyghur men in China’s Xinjiang region.

Present data are too sketchy to allow a reasonable extrapolation of how the outbreak will progress, either within or outside of China. I think there’s reasonable hope that its baleful effects can be limited in prosperous countries, but it might prove to be a great tragedy in poor countries.

Clive Robinson February 21, 2020 3:18 PM

@ MarkH,

Separately and independently, researchers have in recent days apparently been focusing progressively on fecal-to-oral as an important transmission mechanism for the new epidemic.

Apparently the definitive case was in a well to do area of Hong Kong, where a resident on one of the upper floors of an appartment block infected a person on a much lower floor…

Thus this is very likely to happen in any built up medium to high density living area irrespective of wealth or poverty…

As an aside, it’s distressing (in more than one way) how many people fail to wash their hands after toileting and/or before eating …

And more importantly “not putting the toilet seat down before flushing”. The flushing process actually aerosolises fecal matter and the secondary venturi effect with the seat up causes a column of aerosolised fecal matter to rise quite high usually the ceiling. With the lid down however the column hits the lid and gets deflected back dowh into the primary venturi process and thus gets sucked down into the waste system. It’s one of the reasons low water usage flush toilets are not such a good idea as has been found a number of times by researchers.

For those that flush with the lid up consider this, if your toilet is not in a seperate room (which mine is) but is in your bathroom. All that aerosolised fecal matter has two places to go,

1, out any ventilation available.
2, over every surface in the bathroom.

The later will include your toothbrush, towels, medicine cabinate, hand basin, bath, and floor or it’s soft fluffy rug covering.

There is no doubt about this, researchers have found more fecal mater and active bacteria per unit of area on peoples toothbrushes than actually found on toilet seats…

@ ALL,

Just a word to the wise “PUT THE Bl@@DY LID DOWN” as the wife keeps telling you to do, you might regret not listening.

Oh and a funny bit from a public Q&A with a Dr about COVID-19 which talked about the fecal to oral transmission path.

Somebody asked the question “what about farts?”. The Dr was about to laugh it off gently, then their brain jumped in and realised that yes gas under preasure moving through the colon would also aerosolise not just fecal matter but also bacteria and virii… So instead answered that it was possible but they were not aware of any evidence…

That said, the questioner was by no means the first to think about such gas. Back in the first half of the last century, prior to the discovery of penicillin and later main stream use of antibiotics it was not uncommon to see a little notice that said,

    Coughs and sneezes, spread the most terible of diseases.

Because any simple bacterial infection was quite life threatening. As were viral infections such as the pandemic at the end of WW I.

As kids at a young age disgusting things like “poo” were fascinating as were other things parents disaproved of talking about.

So to be objectionable and anoying as even the best behaved children can be, we added a couple of words to the phrase,

    Coughs and sneezes, farts and wheezes, spread the most terible of diseases.

It appears we might have been half a century premature…

Either way the saying needs to be come common again.

Clive Robinson February 21, 2020 4:08 PM

@ All,

Beware journalists reporting science at this time…

If for instance you look at,

It makes lots of quotes but it also makes assumptions, mistakes, and ommissions of very important details.

If you read through it it talks at one point about “vertical infection” from mother to baby, and talks about a paper discusing nine cases where there was no transmission at birth.

Unfortunatly the paper it’s self was based on incompleate evidence gathering. It mentions various potential infection sources that were tested but found negative for the virus even though the mothers tested positive. What the investigators failed to do was test vaginal mucus for virus and this is a major piece of evidence that should have been collected.

Because during conventional birth the babies eyes, nose and mouth come into contact with vaginal mucus, and as virologists will tell you this is a very important part of giving babies immunity to pathogens the mother has experienced and developed antibodies etc for.

However in a cesarean birth, this contact with the vaginal mucus does not happen (hence the reputation that ceaser children are sickly babies).

Whilst the journalists web page does not mention this ommission which it should have done as it’s key evidence. Much much worse it fails to mention that all nine babies in the report were by cesarean birth.

Thus the journalists work portrays a false image that babies will not get the virus by vertical transmission. Whilst we do know that other older babies have become infected by their mothers, the transmission route is still unknown and is thus assumed to be by droplet or direct contact with saliva by a kiss from the mother or similar such as via the mothers hands when carring / washing the baby etc.

Which raises an issue I’ve not seen covered and should be.

So called “no tears” or “baby friendly” washes are not soaps and they do not disolve the sebum on the skin in the way hard soap does. Also the way we tend to wash babies in a bath does not exactly remove surface virii and even where it does this remains in contact with the baby because it is not “washed away” by running water.

Luckily perhaps it would appear that babies and small children are not very much effected by COVID-19 based on medical figures so far.

SpaceLifeForm February 21, 2020 4:20 PM

@ Thoth, Clive

It is interesting that if you g(intel sgx copycat),
you may get a ip addy link instead of domain link.


Even, if correct ip addy, why did google show search results in that manner?

Tells me that primary crawler is pure ip addy based. Secondary crawlers are domain based.

What is wierd, is that google could reverse, and show the domain name.

But, why not?

Is it because the reverse name does not match the common name?

What I see:

G reports
Matches dns lookup (for me!) using Thoth URL.
Reverse gives me

But lookup on that name is NXDOMAIN.

Interesting that Cornell University is doing this.

Must be a logical explanation.

Anyone know their reasoning?

Why lie on a reverse lookup?

There must be some kind of attack.

SpaceLifeForm February 21, 2020 4:38 PM

@ Clive

“However in a cesarean birth, this contact with the vaginal mucus does not happen (hence the reputation that ceaser children are sickly babies).”

It has always been my understanding that C-section is bad for the mother also.

SpaceLifeForm February 21, 2020 5:34 PM

@ Clive

Which would suggest “wildfire” “Fire-break” methodologies be employed to bring about area containment quarantine

Well, that is what I suggested nearly a month ago. Stop international flight.

Now, Iraq has stopped all flights to Iran.

And, apparently all border crossings.

In Iran, Health Minister thinks it is everywhere now. Not sure, but suspects.

Not just Qom, but Tehran. Every city.

They are going to be overwhelmed like China.

If it is airborne, as I believe, and can survive for a long time, you would have to be insane to ever get on a plane for a long time.

Or a Cruise Ship.

SpaceLifeForm February 21, 2020 6:09 PM


It’s P time.

Sorry to say.

It must be airborne. Extremely virulent. Long lived. Looks like a bioweapon.

May not be a bioweapon at all. Just stupid Homo Sapiens hubris.

Even ACE2 not necessarily contributing factor.

Medical resources will be overwhelmed.

I had a premonition long ago. 1974.

Good Luck to all.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.