National Geographic has a photo of a 7-foot long shark that fought a giant squid and lived to tell the tale. Or, at least, lived to show off the suction marks on his skin.
As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.
Read my blog posting guidelines here.
Mr. Peed Off • June 5, 2020 6:10 PM
https://www.lawfareblog.com/cybersecurity-lessons-pandemic-or-pandemic-lessons-cybersecurity
First, both the pandemic and a significant cyberattack can be global in nature, requiring that nations simultaneously look inward to manage a crisis and work across borders to contain its spread.
Second, both the COVID-19 pandemic and a significant cyberattack require a whole-of-nation response effort and are likely to challenge existing incident management doctrine and coordination mechanisms.
Third, when no immediate therapies or vaccines are available, testing and treatments emerge slowly; such circumstances place a premium on building systems that are agile, are resilient, and enable coordination across the government and private sector, much as is necessary in the cyber realm.
Finally, and perhaps most importantly, prevention is far cheaper and preestablished relationships far more effective than a strategy based solely on detection and response.
Chris • June 5, 2020 6:28 PM
Hi so what i am trying to say is that
if a modern computer lacks entropy
and entropy in a modern cipher is an important part
we might have a new “hagelin cipher” scenario where
we are hijacked meening every virtual machine can be intercepted
since the encryptions is encrancrapted with bad entropy
and we have a new hagelin machine that the 5-eye etc can listen into
So.. pay attention to the entropy just saying
//C.L//
myliit • June 6, 2020 6:53 AM
https://www.buzzfeednews.com/article/jasonleopold/lawmakers-call-for-halt-to-covert-surveillance-of
“Lawmakers Call For Halt To Covert Surveillance Of Protesters By DEA
Following a BuzzFeed News report revealing that the Justice Department authorized the spying, two members of Congress called the program “antithetical to the American people’s right to peacefully assemble.”
Posted on 5 June 2020, at 10:11 p.m. …”
myliit • June 6, 2020 8:27 AM
Hi @Pink Floyd
The last I knew, personal security is a subset of security
MarkH • June 6, 2020 10:32 AM
@Pink Floyd:
There are other blogs for expressing hurt feelings about criticism of Agent Orange, or why violence is heroic when committed by pale people, but hideous when done by dark people.
Had you an open mind, you could learn a lot from Roger Waters.
Peace Be Upon You
Alejandro • June 6, 2020 12:27 PM
Health data for profit locked in with a government contract.
Who would have guessed? In fairness, the contracts with Faculty and Palantir supposedly were changed to prevent profiteering, but the contracts have not been made public.Why else would data brokers want the data?
Folks, just say no this app and it’s litter mates, if they give you have a chance. None of this is for your own good or any good. It’s another data grab plain and simple. Plus, it’s been shown the apps are more a high tech side show than practical medical science. They won’t ‘work’.
Clive Robinson • June 6, 2020 12:38 PM
@ Pink Floyd,
Appart from the obviously false name you are hiding behind, have you actually read what you have written?
Do you realise what it makes you sound like?
Your last sentance in particular with it’s phraseology makes you sound like a certain type of extreamist and thus actually calls into question your stated reason for posting.
As for “i.e. do yr job” that makes you sound dictitorial as though you believe you have some entitlement to authoritarian behaviour, which you just as obviously do not have in life.
As with similar postings in the past your post says rather more about you than I think most here would care to know about you.
JonKnowsNothing • June 6, 2020 12:55 PM
@Clive, @MarkH, @All
re: COVID19 zoonotic report between Minks and Humans
MSM Report on COVID19 being vectored by Minks
ht tps://www.theguardian.com/world/2020/jun/06/dutch-mink-farms-ordered-to-cull-10000-animals-over-coronavirus-risk
ht tps://en.wikipedia.org/wiki/Zoonosis
ht tps://en.wikipedia.org/wiki/Mink
Mink are dark-colored, semiaquatic, carnivorous mammals of the genera Neovison and Mustela, and part of the family Mustelidae, which also includes weasels, otters and ferrets.
(url fractured to prevent autorun)
Mr. Peed Off • June 6, 2020 2:16 PM
What Kaspersky revealed this week is a custom-designed stealthy tool called ‘USBCulprit’, which has sophisticated information-leeching capabilities, especially when used on an air-gapped system.
It enters the system via RTF documents or other unknown means, performs an extensive scanning of the victim’s system, and begins to leech documents, passing them and replicating itself onto removable media.
“This tool, which we saw downloaded by RedCore implants in several instances, is capable of scanning various paths in victim machines, collecting documents with particular extensions and passing them on to USB drives when they are connected to the system. It can also selectively copy itself to a removable drive in the presence of a particular file, suggesting it can be spread laterally by having designated drives infected and the executable in them opened manually,” Kaspersky explains.
RedCore and BlueCore are terms used by Kaspersky to describe the two different styles (variants) of malware deployed by the group. Initial Infection Vector for BlueCore has been listed as “RTF documents,” whereas that for RedCore is still unknown.
Be safe all
Mr. Peed Off • June 6, 2020 2:57 PM
A bit more info on my previous post.
“Each cluster of activity had a different geographical focus,” the researchers said. “The operators behind the BlueCore cluster invested most of their efforts on Vietnamese targets with several outliers in Laos and Thailand, while the operators of the RedCore cluster started out with a focus on Vietnam and diverted to Laos by the end of 2018.”
Both BlueCore and RedCore implants, in turn, downloaded a variety of additional tools to facilitate lateral movement (HDoor) and extract information (JsonCookies and ChromePass) from compromised systems.
Chief among them is a malware called USBCulprit that’s capable of scanning a number of paths, collecting documents with specific extensions (.pdf;.doc;.wps;docx;ppt;.xls;.xlsx;.pptx;*.rtf), and exporting them to a connected USB drive.
What’s more, the malware is programmed to copy itself selectively to certain removable drives so it can move laterally to other air-gapped systems each time an infected USB drive is inserted into another machine.
A telemetry analysis by Kaspersky found that the first instance of the binary dates all the way back to 2014, with the latest samples recorded at the end of last year.
The initial infection mechanism relies on leveraging malicious binaries that mimic legitimate antivirus components to load USBCulprit in what’s called DLL search order hijacking before it proceeds to collect the relevant information, save it in the form of an encrypted RAR archive, and exfiltrate the data to a connected removable device.
“The characteristics of the malware can give rise to several assumptions about its purpose and use cases, one of which is to reach and obtain data from air-gapped machines,” the researchers said. “This would explain the lack of any network communication in the malware and the use of only removable media as a means of transferring inbound and outbound data.”
https://thehackernews.com/2020/06/air-gap-malware-usbculprit.html
Clive Robinson • June 6, 2020 3:24 PM
@ JonKnowsNothing, SpaceLifeform, MarkH, ALL
re: COVID19 zoonotic report between Minks and Humans
You might be interested in this BBC-Science article,
https://www.bbc.com/news/science-environment-52775386
It’s about environmental destruction and zoonotic transfer, and starts by pointing out that in a quite short period of time humanity has avoided five noval pandemics, but the sixth got us… (kind of Russian roulette with the bullet in the China chamber).
Interestingly when you read down it gives a path from bats to pigs discovered in 1999 where half eaten fruit covered in bat saliva dropped into areas of a pig farm built into recently deforested land. The pigs ate the saliva covered fruit and in one of them the disease crossed over… It answers a transmission path question that came up on this blog a week ago.
Clive Robinson • June 6, 2020 3:46 PM
@ MarkH,
With regards HCQ and trials and two suspect papers…
A large UK trial independent of those controversial papers has stopped it’s trial because the figures are unfavourable to HCQ. Thus there is a probability HCQ is actually harmfull to those already infected with COVID-19, but certainly of no benifit. Which begs the question of why the WHO restarted it’s trials…
I guess we will have to wait on other trials but my gut feeling is that HCQ with or without zinc and or macrolide antibiotics is not going to prove to be benificial, if it does not actually prove to be harmfull.
JonKnowsNothing • June 6, 2020 4:20 PM
@Clive @MarkH @SpaceLifeform @All
re: COVID19 zoonotic report between Minks and Humans
Some additional information about the COVId19 Mink to Human transmission
MSM Reports
(dates maybe official announcements others are news published dates):
It went from Nothing to See … to Kill Them All, in double quick time fashion.
Of note:
ht tps://www.nationalgeographic.com/animals/2020/05/coronavirus-from-mink-to-human-cvd/
https://www.dailymail.co.uk/sciencetech/article-8387937/Dutch-government-closes-infected-mink-farms-amid-fears-animals-act-COVID-19-reservoirs.html
(url fractured to prevent autorun)
Clive Robinson • June 6, 2020 4:30 PM
@ JonKnowsNothing,
[Dutch] government identified two cases in which humans had been infected by sick animals in May, the only animal-to-human transmissions known since the global outbreak began in China.
As I’ve said in the past, logically as it had come from an animall into humans, and humans could pass it on to other animals such as domestic pets and livestock it was logical to conclude that a reservoir species would be found…
So by a short nose it would appear the bad tempered mink are first across the line.
Which leaves two questions,
1, Are there other reservoir species?
2, Will SARS-CoV-2 mutate in a reservoir species?
To which I suspect the answer will be yes in both cases.
Whilst the breeding of mink is for their fur for the luxury clothing market, thus culling the farm animals realy only represents a financial loss. The same can not be said for their wild brethren.
But worse may be to come, if a major protien source livestock becomes a reservoir species then mass cullings and significant food shortages can be expected.
And before any one starts talking about vegetable protein, it’s very far from being a viable substitute in most cases. Put simply most of us do not have the right digestive enzymes thus will suffer side effects from excessive gas through to intestinal bleeding and scarring, and reduced immuno efficiency if we eat the vegtable protein directly.
Often where vegetable protein such as soy forms a part of the staple diet, like “corn” it has to be pre-treated in some way before it becomes an effective food source.
With soy the traditional method is to have it “predigested” by micro organisms such as bacteria (fermentation or pickling).
It’s also known that a lack of animal proteins and fats has a detrimental effect not just on women who are trying to become mothers, but also on child development.
MarkH • June 6, 2020 9:26 PM
@Clive re HCQ:
Though I haven’t been giving much attention to medicine studies in application to the pandemic, I know that at least a few have independently (of each other, and of “Surgisphere”) indicated both (a) no apparent benefit from HCQ, and (b) greater frequency of adverse events or outcomes. At least one was accordingly cut short.
So whatever is going on with this guy Desai, HCQ looks like a bad bet.
As far as I know, those studies (like the one now retracted) were not case-controlled trials.
What’s going on with the WHO study, I haven’t a clue. If they’re testing lower doses, then adverse reactions might well be much rarer.
Probably dozens of substances (including vitamin D) will be tested soon. It will be a great help if one or more prove efficacious.
MarkH • June 6, 2020 9:42 PM
A reflection on some bigoted comments which appeared within the past 24 hours …
It’s worth remembering that 76 years ago today, a large well-armed force of antifascist fighters arrived in France for the express purpose of cleansing Europe of white supremacist dominance.
They inflicted a crushing defeat on those white supremacists, which was surely a great blessing for humankind.
A few weeks after the Normandy invasion, my father’s unit arrived as part of the massive reinforcement of the antifascist forces.
I think of those soldiers, who did so much in that conflict without hope of narrow personal gain, with humility and gratitude.
name.withheld.for.obvious.reasons • June 6, 2020 10:13 PM
Often where vegetable protein such as soy forms a part of the staple diet, like “corn” it has to be pre-treated in some way before it becomes an effective food source.
Am surprised that you have pre-determined the value of vegetable sources. Dietary information of value is of no interest to the industrial food giants.
The only missing protein from a proper vegetarian diet is B12. Of course, B12 can be acquired from a diet that includes whole foods grown, picked, and consumed straight from the ground. The microbe source for B12 is present in the bacterial nitrogen absorption take-up of ground nutrients for the plant. Almost all ground root food sources will provide B12. Might want to argue the amount and health or safety issues of eating raw foods from particular soils. Spinach, beets, carrots, peas, and tons of beans are all great sources of various nutrients.
Vegetarian diets would do much to end our carbon and food chain, viral, and resource (water, nitrogen, CO2) intensive industrial production. I’d argue the ideal diet consists of raw fruits and vegetables, sea foods based on seaweeds and kelps are also a great source.
SpaceLifeForm • June 7, 2020 12:54 AM
@ Chris
Paying attention to the entropy.
What I described, remains sound to me.
Feed your own random into /dev/random
Otherwise, you are trusting unknown sources.
As @Clive noted, timing entropy (jitter) will not generate a lot of random bits very fast.
And if you whiten bitpairs, there goes half of the supposed randomness due to 00 or 11 bitpairs.
Then flattening the 10 or 01 bitpairs into 1 or 0, another 25% of bits generated are lost.
So, on average, if the random bit generators are actually doing well, you can measure their performance.
If the whitener process, on average sees a pretty decent distribution of the four possible bitpairs, then you can reasonably conclude that this random is not worthless. (within various measures of reasonable)
But, if the whitener is consistently throwing out more than 50% (00,11), then, maybe you are not trying hard enough to mix it up. Alternatively, you could go full paranoid, and just deep-size your computer, encased in concrete, in the middle of an ocean.
The point being, you must do the whitening process to measure.
It’s the only way you can really see future entropy. You can not trust black boxes, like a /dev/random pool. If you try to measure the entropy in the /dev/random pool, you become a consumer of it, immediately depleting the entropy of the pool.
You must create your own entropy and inject it into /dev/random in order to have any hope that it helps.
If you don’t try it, you really can’t whine later that you should have taken more precautions.
But, that said, time to build a kernel. Been a while.
Going to check out the new /dev/random ‘stuff’. Will check 5.6.16, freshly minted ‘stable’ a few days ago.
Not saying I’m going to boot it.
Read it and weep.
hxxps://lwn.net/Articles/808575/
Clive Robinson • June 7, 2020 2:10 AM
@ name.withheld…,
I’d argue the ideal diet consists of raw fruits and vegetables, sea foods based on seaweeds and kelps are also a great source.
Our ancestors ate such diets and they were much more varied than today. But sea food is one of the few ways certain required minerals such as iodine and salt make it into our diet without “fortification”. But even fresh water fish are essential to our diets which religion in Continental Europe effectively monopolized and made mandatory[1] and profited by nicely.
Importantly though what often gets left out of the raw/whole food versus cooked/processed food debate is our ancestors had a much wider set of enzimes to process raw fruits and vegetables than we do now (we’ve even lost a stomach). So we can nolonger eat the diet our ancestors did. Also the fact that cooked food is more easily utilized by our bodies, thus we need not eat as much or as frequently. Which frees up time for other activities.
Importantly though increasingly we “civilized humans” don’t have the enzimes, as we loose them by genetic processes. Thus we have become increasingly reliant on “cooked food” which may be one cause of hyperglycemia thus type two diabetes especially with root vegetables. Thus some members of society become genuinely intolerant of not just raw foods but certain types of food altogether, and via the usual genetic process they become a larger part of our “civilized” society.
I know it’s not PC to say it but some races of humans have genuine differences[2]. For instance over several millennia ago those who moved into the higher latitudes of the northern hemisphere had an issue with water bourn diseases. Thus population sizes would get to a certain smallish –village– size and collapse.
Somewhere between two thousand and four thousand years ago the development of beer making, that boils the water in the mash process killed many water bourn pathogens thus alowed larger population centers, often around religious institutions that had the excess manpower to make beer brewing feasable. However along with beer came a toxin “alcohol”. Due to accidents etc whilst intoxicated those without tolerance to alcohol became less geneticaly prevelant. However beer drinking allowed larger population groups of just about 40,000 people in Europe, before water bourn diseases became sufficiently prevelent. Thus the increase of manpower in such large towns alowed other skills to be developed such as white smithing and painting and the making of fine finish and luxury goods.
However in Britain things became slightly different. People joke about the “National drink being tea” where as the “Continentals drink coffee”, tea contains chemicals that just happen to also act against other pathogens that boiling water alone does not kill off. Thus population sizes in Britain started to quickly exceed the 40k limit, and with it the excess manpower to make industrialisation move from “artisanal manufacturing[3] to machine driven manufacturing.
Over in Asia where tea was also drunk they also had large population centers due to tea but the drinking of alcohol was actually quite rare. The result is intolerance to alcohol still runs around 50% of the population and due to modern healthcare reducing the fatality of accidents and such that can result from intoxicated behaviour it’s less likely to get removed from the genetic pool. Whilst this might sound unfortunate, it’s actually the Europeans that you should feel sorry for. Because genetic traits generally have a number of reasons to be in a societal genome. Thus by gaining a tolerance to alcohol what have the various European gene lines lost?
After all to gain tollerance to eucalyptus leaves and the high quantaties of poisons in them, the Koala bear had to significantly limit it’s brain capacity as well as eat almost continuously, thus they are effectively an evolutionary dead end with very low survival prospects.
There is an “extend your life diet” that is largely raw foods that are low in simple carbohydrates. Tests in animals suggest such a diet would add as much as a third to life expectancy. The problem however is that it requires a very very large quantity of not very palatable plant material to be eaten thus much extra time a day is required for attending both ends of the dietary tract. So what you can in longevity, you kind of loose by eating unsatisfying foods etc.
[1] Monasteries had “carp/fish pools” in which “friday fish” were grown. What many do not realise is what carp are quite happy to eat… Yup it sounds nasty because it’s livestock manure, which contains large quantities of “partialy digested” food which encorages fast growth in various fresh water fish that are effectively “bottom feeders”.
[2] You might want to look up “death by casava”, like a number of plants and especially fruit pits casava contains cyanide. There are effectively two types of casava those lower in cyanide and those not. But even the lower level casava still needs to be processed before it becomes edible to some humans that have an increased tollerance to that form of cyanide. In the animal kingdom it’s not hard to find the end result of cyanide tolerance, just look in a eucalyptus tree, where you will find various creatures, the most well known of which is that Australian mascot the very much endangered Koala bear (the eucalyptus is a highly inflamable plant as well as having leaves full of cyanide, thus it is a serious health hazard but it does smell nice).
[3] The word “manufacture” actually means “to make by hand” however with changes in society and time the word to many means almost the exact opposit as in “to make by machine”.
Clive Robinson • June 7, 2020 2:54 AM
@ MarkH,
to my understanding, it implicitly presupposes some capacity to feel shame.
As far as I’m aware, like the ability to feel love, the ability to feel shame is what makes us normal empathic humans.
The inability to feel empathy thus shame is one of the hallmarks of a psychopath. Also what is politely called “Narcissistic Personality Disorder”[1] the fragility of which causes all sorts of problems not just for the person and those immediately around them but more general society as well.
Thus when challenged the response predictably is to blaim the messanger, as we have seen. The hast they used again revealed more about them by also acting as recognised “tells” of socioeconomic standing or lack there of…
[1] https://www.psychologytoday.com/us/conditions/narcissistic-personality-disorder
Clive Robinson • June 7, 2020 3:13 AM
@ MarkH,
I think of those soldiers, who did so much in that conflict without hope of narrow personal gain, with humility and gratitude.
Both my parents were likewise in WWII, my mother was involved with RADAR at a level which she could not talk about, but she did express some fairly strong opinions on the man who claimed the credit, and also changed his name to get “ancestor grandeur”.
My father was in another theater of war around the other side of the globe, he was in the signals but again did not talk much about what he did. He was however a keen photographer as well and from those I was able to trace some of what he did, and it was not what his “pay book” rating would suggest.
Both my parents refused the medals they were entitled to on principle and I guess some of those principles have rubbed off on me.
Even though both of them died before I was an adult four decades ago I still remember them almost daily, more by what they taught me about what it means by being a “responsible” member of society than anything else.
As the old British Civil Service ethos had it, to present the truth “Without fear or favour”.
Clive Robinson • June 7, 2020 6:02 AM
@ Chris, SpaceLifeForm,
It looks like the HAVEGE based haveged is depteciated by the linux kernel bods for reasonable reasons.
So I had a little dig around and you can read more on HAVEGE at,
http://www.irisa.fr/caps/projects/hipsor/publi.php
What it boils down to is that the assumed entropy is grnerated when interupts interfere with user program execution and hardware subsystems in the CPU. That is though a program takes a constant time based on CPU cycles, other things like memory cache updates etc add “unpredictability”. So when compared to “CPU clock time” you can use the time difference as your source of assumed entropy…
Or can you?
Well it depends on two things,
1, The real time source of the interupts.
2, How visable the “unpredictability” is to an external observer.
Well with “embedded systems” mostly there is a single crystal oscillator that everything gets tied back to so interupts are in effect mainly synchronous thus “no entropy” from there. It’s only interputs coming in “off board” from an indipendent external time source that generate any entropy and often that’s in tiny tiny amounts. Thus if from just an administrative SSL connection on a private test/setup network it’s going to be measured in bits per minute at best…
So you would be wise to wait a good long while of intensive usage before generating any “master secrets” such as “Private Keys”. But quite often on such systems that will be beyond your control for various reasons, such as it being done by a background script from start up to make the “user interface more responsive”. Thus the script runs untill “enough” entropy has been aquired from startup. With the “enough” based on a fully determanistic algorithm…
The second point is an assumption by the HAVEGE RNG designers. From the HAVEGE site,
The “unmonitorable” is an assumption nothing more by the designers.
Put simply they simply assume that,
2.1, Those volatile states have entropy (and in large quantities).
2.2, The internal state can not be derived because it’s not directly visable of device.
Both of those assumptions are at best questionable if not actually disprovable, when it comes to embedded systems that have started up and always bootup the same software in the same way, with no external entropy being put into the system.
When your opponent is “Level three” –state / specialised corporate– and you are using a Consumer Off The Shelf (COTS) product of which there are hundreds if not hundreds of thousands that are identical available. So that any one with a very moderate outlay could buy several of them effectively invisably.
Then “reverse engineering” is a near certainty, and the technical knowledge to emmulate all the System on a Chip (SoC) internal states well within bounds, has to be assumed.
Thus the likes of a network appliance or router (NSA favoured hiding places) Private Key “primes” are,known or within a limited subset that is known…
As demonstrated in the past whilst factoring a pair of primes is hard, there is a mathmatical short cut which can tell you if public keys share a common prime. This method was used a few years back by the UK Cambridge Computer labs to show that a substantial number of “self signed certs” were generated by faulty software. Similar was done to show the same issues with embeded systems.
As I pointed out back then if I were the NSA I would be running both a reverse enginering programe to find likely primes and an automated system to check any and all new public keys they could get for such embedded systems for likely primes.
Alejandro • June 7, 2020 12:01 PM
$5B Lawsuit Claims Google Still Tracks Users in Incognito Mode
“Lawyers for the plaintiffs say Google is violating federal and state wiretapping laws by gathering data from Incognito sessions. However, Google points to the warnings that appear when you start an Incognito session. Incognito Mode doesn’t log any data on your local machine or in your Google account history. However, Incognito Mode doesn’t hide your activity from websites and online trackers.”
I wonder if google means, for example, the browser itself while in Incognito mode doesn’t ‘gather data’ but websites deploying, google analytics and the other hundred of trackers still work just fine.
The article cautions not to hold your breath for answers, it’s expected a final decision will take many years. Which of course is another problem.
Anyway, You were warned.
JonKnowsNothing • June 7, 2020 12:23 PM
@Clive @MarkH @All
re: COVID19 zoonotic report between Minks and Humans
Some more digging into the link between Minks and Humans, although a good deal of the technical information is above my pay grade.
Summary
So, this answers a few questions I had about Mink COVID19.
ht tps://pubmed.ncbi.nlm.nih.gov/30342822/
ht tps://www.ncbi.nlm.nih.gov/pmc/articles/PMC4681245/
ht tps://blogs.webmd.com/webmd-interviews/20200403/cats-and-ferrets-can-be-infected-with-covid-19
ht tps://www.statnews.com/2020/03/05/coronavirus-labs-scramble-to-find-right-animals-for-covid-19-studies/
(url fractured to prevent autorun / if I don’t forget to fracture the link)
JonKnowsNothing • June 7, 2020 3:40 PM
@Alejandro
re:
[If] the browser itself while in Incognito mode doesn’t ‘gather data’ but websites deploying, google analytics and the other hundred of trackers still work just fine. [tracking data]
There are a lot of points along the way that can collect data even if one part doesn’t collect it. The success of non-collection really depends on what data parts you are hoping do not get collected.
Consider:
There are multiple segments between you and your destination.
Local Software – Network – ISP local – Transition ISP (maybe the same) – Backend – Long Haul – Backend – Destination Transition ISP – Destination ISP local – Network – Server – Server Software
There are a lot of places along the pathway, which can be very complex with various routing connections and international junctions, that can collect data and figure print your PC (graphics, system drivers and fonts types) or harvest a bunch of other stuff.
Corporations along the whole path can collect stuff. LEOs of course collect the Whole Haystack, and sometimes splitters are used to funnel your network packet into different stream paths.
If a browser does not collect aspects for its internal history, that doesn’t mean everyone else along that pathway skips collecting it too. DONOTTRACK is an example of failed attempts to get corporations to stop harvesting voluntarily.
ht tps://en.wikipedia.org/wiki/Routing_table
The routing table contains information about the topology of the network immediately around it.
https://en.wikipedia.org/wiki/Routing_metric
Router metrics are metrics used by a router to make routing decisions
ht tps://en.wikipedia.org/wiki/Do_Not_Track
The Do Not Track header was originally proposed in 2009… Efforts to standardize Do Not Track … ended in September 2018 due to insufficient deployment and support… companies citing the lack of legal mandates for its use
(url fractured to prevent autorun)
JG4 • June 7, 2020 10:17 PM
Thanks for the helpful discussion. I recently pointed out that ultrasonic capabilities in cell phones are a calling card of big brother. It is worth mentioning that all known exploits, thus far, are commercial ad-tracking.
I probably forgot to post this link to Linda Hamilton demonstrating the use of disinfectant:
Terminator 2: Sarah Connor Escapes the Asylum (widescreen)
https://www.youtube.com/watch?v=TE8o2EQCC4w
61,250 views•Nov 19, 2018
There was a lot of good security-related content at NakedCapitalism this week. This barely scratches the surface.
nakedcapitalism.com/2020/06/links-6-5-2020.html
…
The Risks of Autonomous Weapons Systems for Crisis Stability and Conflict Escalation in Future US-Russia Confrontations Russia Matters
Swarms of Mass Destruction: The Case For Declaring Armed and Fully Autonomous Drone Swarms as WMD Modern War Institute
…
Decoding Radio Telemetry Heard on News Helicopter Video Footage with GNU Radio RTL-SDR.COM
…
How Apple learned automation can’t match human skill Apple Insider. Whaddaya know, turns out labor power is worth paying for.
…
Clive Robinson • June 7, 2020 11:35 PM
@ JonKnowsNothing, MarkH, ALL,
With regards animals, Corona Viruses, infection, and disease.
The basic facts are there are many corona viruses out there and they mostly infect wild animals, often but not always as some kind of intestinal tract disorder. Thus the symptoms are mainly the likes of diarrhea and sometimes vomiting from inflammation of the intestines or stomach (gastroenteritis). The severity and length of the symptoms vary a lot depending on the animal species but as a very very rough indicator the symptoms start 12 to 48 hours after being exposed to the corona virus and last around 3 days or so. There are various transmission vectors but animal excrement is one.
In humans we appear to only be susceptable to four that produce “common cold” symptoms, as well as SARS (2002), MERS and COVID-19. All of which infect the respitory tract.
Thus for testing scientists were on the look out for animals that are human respiratory system analogs. That is when infected with SARS-CoV-2 it’s their respiratory tract not intestinal tract that effected.
There have been various papers published not all in english and their appears to have been a “lost in translation” issue.
Thus some livestock have been infected by SARS-CoV-2 but not in a way suitable to be analogs for humans in testing. That is they don’t get COVID-19 signs and symptoms.
It appears that some have taken that to mean that as the animals do not get COVID-19 signs and symptoms they can not be infected by SARS-CoV-2 which is not true.
What we have found is some creatures auch as rodents and those of the “cat” and “pole cat” families do not only get infected by SARS-CoV-2 they also get it in the respiratory system sufficiently similarly to be used as partial analogs thus suitable for some types of science testing “hamsters” being one such spieces used in transmission studies.
But what of animals not suitable as analogs for testing, can they act as not just vectors but reservoirs of the virus? The answer is as far as we know is there is nothing to stop that happening, in fact it would be reasonable to assume there might be, but it is early days for this virus so we just do not know yet…
Thus there is an important difference between testing animals to find analogs for humans, and testing animals to see if they can be a human healthcare issue.
So caution is needed by all when reading papers, especially when they have been translated.
Rachel • June 8, 2020 1:06 AM
A free to stream 53 minute video about private papers of Newton purchased by Keynes at an auction, never before seen by the public.
The papers were in code, and reveal many aspects of Newtons work and preoccupations never before realised.
Wesley Parish • June 8, 2020 2:30 AM
@usual suspects
One aspect of contact tracing they won’t tell you about until it’s too late:
Contact-tracer spoofing is already happening – and it’s dangerously simple to do
https://www.theregister.com/2020/06/02/contact_tracing_spoofable/
British people will soon begin receiving random phone calls from so-called “contact tracers” warning them about having been in close proximity with potential coronavirus carriers. One of many problems with this scheme is it’s dangerously easy to pose as a government contact tracer.
[…]
El Reg asked Jake Davis, one-time Lulzsec hacker turned security researcher, about SMS spoofing and the ease with which malicious people could impersonate UK.gov. He pointed us to a blog post he wrote back in March when the British government sent the entire nation a text message saying “Stay at home.”
In this case the best defense is a sharp sense of incongruities and appropriate behaviour. And an unwillingness to take what anyone says at face value, just because they say so. Or in other words, the kind of mind-set that usually protects one from scammers anyway.
Ismar • June 8, 2020 3:34 AM
Personality of a computer
https://brettshavers.com/brett-s-blog/entry/personality-of-a-computer
Clive Robinson • June 8, 2020 5:09 AM
@ Iamar,
Personality of a computer
It’s not a new technique, but it’s certainly not talked about very often.
I’ve heard about it being used as an “arm twister” in the UK, by investigators. In essence they claim it’s proof positive of usage, but at best it’s actually circumstantial and may not even be admissable.
I suspect the reason it’s not much talked about is it only realy works when people do not know about it.
Also unless a user is extrodinarily carefull their hairs, finger prints and DNA traces end up on the computer. However such tests take time and money which runs against investigators budget constraints, so a little “arm twisting” may be faster and less expensive, thus get a conviction on a case that might not be of sufficient “crime value” to meet an investagative bar on resources (another reason for criminals to keep their crimes “low value”, “across jurisdictions” and thus effectively unrelated so the multiple still remains below the various jurisdictions bar limits.
However any investigator has to be carefull, there may be a reason why a computer is set up a particular way, that has nothing to do with the alledged owner. For instance there are utilities available that “set up environments” for people to learn in etc. That is when you go on a course all the computers are usually set up the same way, school and college issued computers likewise. Not just the utilities but setup scripts for them can be found on the Internet.
As for things that indicate where a computer has been such as WiFi and other network information, again if it’s at certain places like train stations, airports, major education establishments and other public places then this information can be found out and fairly easily faked.
If the laptop appears to have been used in an airport when the alledged user was giving a talk or some such a hundred miles away then Opps that is going to come out during discovery and that’s going to make a conviction difficult.
Thus some one who is fairly smart that knows about this, can set up a machine to be unlike any others they have and have geo-tells pointing to places they were not.
In London it is known that some of the smarter young criminals swap phones and travel cards and even clothes to make “tracking” them not just difficult but distinctly unreliable.
Thus this technique is like “mains hum in audio recordings” and “cell tower pings” it only realy works against those who do not know about it, and in fact can work against an investigator if the person under investigation not only knows about it but is sufficiently smart to exploit it as a form of alibi etc.
But a realy smart criminal would get a second hand computer with cash load it up with “free software” off of the internet in some anonymous little place, then disable various things like WiFi etc and not use it for a year or two, before using it for anything illegal.
One way to get things like WiFi not to work is to boot with an older version of Linux from the front of a magazine, that’s been put on a USB drive and boot directly from that with the hard drive disconnected…
One of the mistakes less smart hackers make is being daft. They get used to having a custom environment and the latest tools and libraries because they are “l33t”. Smarter types learn to live with older “out of the box” or “out the back of a book” setups. They will also know how not only, not to leave their hair, fingerprints, or DNA on the machine, but actually have other peoples that are entirely unrelated to them on it…
Learning how to do this is not exactly difficult, however it needs a quiet thoughtful and meticulous person who knows firstly how not to create other evidence against themselves, and secondlt also how to “set up a legend” for the tools they use, that points another way for investigators to disappear down a rabbit hole.
name.withheld.for.obvious.reasons • June 8, 2020 5:36 AM
@ Clive
Thanks Clive, you forced me to go the remainder (not arithmetically) of the way with a hypothesis in dietary consumption. I must say that I dislike the fact that you are a task master and I have to work harder since clarity is an important feature of expression. Known you on this blog for years and have great respect (not going to say admiration…sounds cliche or weird). Thank you protectorate of the source data sheets–hope your plans to hand down the collection are well structured. If I know you, that’s not a problem. You mentioned this quite a few years back about your plans…
As I said, ‘a diet consisting of’ and did not say ‘exclusively raw fruits and vegetables’. I know, a technical point but it is important. And yes, aquatic sources of food are beneficial in ways that could be more successfully employed in dietary regiments that are ecologically more appealing.
In modern diets we consume foods that are from a vast trove of sources and environments. The number and extent of these sources continues to grow. Over fifty years ago most food was sourced locally where today; a single meal might include sources from ten or more different ecological regions globally. Fruits are made available all year round. Chile, Argentina, Brazil for example provides much in the way of seasonal foods to the north and visa-versa.
One interesting feature of this global industrial food production includes the number of antigen interactions are the result of pollens, bacteria, microbes, fertilizers, chemical insecticides, and other non-local components that exercise our auto-immune system to a degree that I argue is orders of magnitude greater than any previous human system has experienced.
I see it as a noise level that skews the hysteresis of autonomic responses that are “stressed” by the compressed time domain and the rep-rate and frequency change in exposure to a multitude of elements. In fact, I see it as an opportunity, genetically, for viral and bacterium to exploit new elements of long structured immune systems. In a way, the entropic curve of the bounded responses possible by the immune system where so many antigen and antibodies are necessary that the overhead makes other structures of the immune response vulnerable. For example, the ability to transmogrify the classical transcription phase of protein message into a replication phase without delivering the message prior to interception by antigen attachments. A complete change to the inter-molecular protein model that has no known descendent. Kind of like procaryote to mitochondria, not that drastic but similar in concept.
This may be a poor analog but don’t focus on the analog but the conceptual method of exploitation of a system of systems structural component as opposed to an operational component. Much like a weakness in a standard as opposed to a flaw in implementation. One requires redesign and development, the other a bug fix. Again, a hypothesis and not a formalized thesis headed towards theory. Don’t have the time or space for this one, our models are not structured to rethink existing structures as models; similar to the difference between past mechanical engineering without FEA and engineering with finite element analysis of today. Have even entertained protein modeling; different models that include spherical torus proteins that have an order of magnitude more flexibility in genetic structure.
myliit • June 8, 2020 11:59 AM
https://www.cnn.com/travel/article/coronavirus-safety-restaurants-wellness/
“Drink & Food
How to lower your coronavirus risk while eating out: Advice from an infectious disease expert
As restaurants and bars reopen to the public, it’s important to realize that eating out will increase your risk of exposure to the new coronavirus.
Two of the most important public health measures for keeping illnesses to a minimum are nearly impossible in these situations: First, it’s hard to eat or drink while wearing a face mask. Second, social distancing is difficult in tight spaces normally filled with back-to-back seating and servers who weave among the busy tables all evening long.
So, what should you look out for, and how can you and the restaurant reduce the risk? Here are answers to a few common questions.
How far apart should tables and bar stools be? …”
MarkH • June 8, 2020 12:46 PM
@JonKnowsNothing:
Thanks for taking the time to learn about, and inform us of, the news concerning Covid-19 in minks and other animals. I, for one, surely didn’t see this one coming!
The public health significance of this development is probably unknowable as yet. It might fall almost anywhere on the continuum …
If we’re doomed to a permanent endemic situation with this virus (which seems likely), and transmission from non-human animals to people is infrequent, then its effect will probably be in the fifth decimal place.
If some time in the future there’s an attempt at eradication (as in smallpox or polio), then such animal reservoirs could make it difficult or even impossible, especially if the virus makes its way into wild populations.
@All:
As I predicted, Sweden has knocked France out the Top Five of Covid-19 deaths per unit of population (excluding tiny states with less than 100 fatalities).
Although I wasn’t anticipating this, I now think it more likely than not than Sweden will surpass Italy to be the 4th country in the world for Covid deaths per unit of population. This is likely to happen during the summer months.
The unfortunates of Sweden are paying this price, while the country probably still has at least 80 percent of the distance to go to reach infection-caused herd immunity (if that’s even possible!)
Meanwhile, case growth is explosive in Russia and Brazil, in keeping with the observed trend that states with authoritarian leaders are doing an especially bad job of protecting their populations.
Who? • June 8, 2020 2:05 PM
@ Alejandro
Incognito mode just means that your browser will not remember your activity, and nothing more. It is not a replacement for good OPSEC, nor a replacement for anti-surveillance techniques either.
In short, any activity done in an incognito window will leave a traceable digital fingerprint on remote servers. Why will services you are using stop recording your activity just because your browser is in incognito mode? It is good for not leaving logs on your computer, but will not automagically hide your activity.
This lawsuit claim is nonsense.
Who? • June 8, 2020 2:30 PM
I would like being a bit more specific on this issue. Incognito mode just means your browser will not log any activity, it does not have impact on the performance of other systems on the Internet.
A very different issue, of course, is you choosing not record your activity on your Google account (e.g. location history) but Google does yet on a private, not accesible to you, log file. If you disable tracking on your account activity controls but Google tracks you privately yet, then they will of course be liable. In case plaintiffs know it is happening then Google should indemnize millions of users, including me.
SpaceLifeForm • June 8, 2020 4:21 PM
@ Name....
“This may be a poor analog but don’t focus on the analog but the conceptual method of exploitation of a system of systems structural component as opposed to an operational component. Much like a weakness in a standard as opposed to a flaw in implementation. One requires redesign and development, the other a bug fix.”
F*ck NIST. (goggle it, s/NIST/TRUMP)
That said, Three branches of government, should be seven.
Freezing_in_Brazil • June 8, 2020 5:27 PM
Incognito mode is a positive, albeit modest, step addressing those home circle Privacy Threats Bruce wrote about in his recent paper. Pretty timely.
name.withheld.for.obvious.reasons • June 8, 2020 8:17 PM
@ SpaceLifeForm
I can see you are quite passionate about standards bodies. Regular expressions for searching text is the only thing in my toolset at the time. I prefer grep or awk to manage my ad-hoc index searches.
Understanding that organizations such as NIST have a specific “technical bias” there are components of the process well outside the scope of their mandate. Me, quite concerned that appointed officials are under the influence of industry and undisclosed lobbyists. NIST has disappointed multiple times in the past and am certain this will be true in the future.
myliit • June 9, 2020 10:11 AM
@Sherman Jay
Thank for for your post last week.
https://www.schneier.com/blog/archives/2020/05/friday_squid_bl_731.html#c6811889
I, too, thought of Stingrays, Dirt Boxes, IMEI or IMSI catchers, etc., perhaps cameras, too, when I saw helicopters circling at a recent event.
https://www.eff.org/it/pages/cell-site-simulatorsimsi-catchers
https://www.eff.org/wp/gotta-catch-em-all-understanding-how-imsi-catchers-exploit-cell-networks 28 June 2019
https://www.eff.org/deeplinks/2019/01/5g-protocol-may-still-be-vulnerable-imsi-catchers 28 January 2019
Sherman Jay • June 9, 2020 2:27 PM
@ myliit
Thanks for the EFF links. I use their privacy badger to show all the spyware/tracking detritus that sites put on my computer.
The head of our public interest socio-technological-artistic Organization still uses a 2003 vintage motorola phone. While we are not in a ‘large city surveillance hot-spot’, he can pull the battery in 2 seconds if needed.
New ‘now/wow’ tech is not always an advancement, especially when it comes to privacy and security. Many of us use ‘linux live CD’s’ on computers that don’t even have a hard drive. This is not a security cure-all since the ISP and trackers get your computer ID, MAC address and current IP address easily. Debian has programs that allow you to change the DNS and MAC address. Most VPN’s are not all that safe and proxy servers are even worse.
Everyone stay safe (both in the computing sense and the ‘mask and distancing’ covid sense!
vas pup • June 9, 2020 3:43 PM
BBC Click on privacy in employer-employee environment:
https://www.bbc.co.uk/programmes/p08fk0tx
Just 5 minutes, but very interesting video.
I am sure that same application could be secretly downloaded not only for employer’s interest, but by other actors (you know them) and definitely not in your best interest.
It is great that Europe has GDPR s legal framework, but in US usually when there is now clear regulation, winner is not who is right, but who has better lawyer.
vas pup • June 9, 2020 3:59 PM
How drones with AI could distinguish at night in wooded area different species including humans:
https://www.bbc.co.uk/programmes/p08fk5l5
It is good to combine phone trace with actual person location, e.g. in rescue missions.
Sherman Jay • June 9, 2020 4:19 PM
As a follow-up to New tech vs. Old tech and privacy/security, I talked to some of our artisans and found that some of them are still using 1998-2001 vintage Pent III computers (their specialized art/music software won’t run on Win Vista, 7, 8, or 10) And, the PIII based PC’s usually have a bios provision to turn off ability for ‘outsiders’ to read the CPU serial/ID number. Greater security, but of course, less speed.
#vas pup
good info. BBC is mostly uk.
I have heard from reliable friends that many large employers in the u.s. have numerous means of keeping track of their employees. Key-loggers are often a cheap first step. I don’t think (hope) we’ve gotten to the ‘RFID chip in the arm’ point yet. But, even in the 1990’s there were companies that had a number of facilities and each employee had to swipe their mag-stripe badge whenever they entered or left a building.
A few months ago, I talked to a techie credit union teller friend who said he used clear tape, lifted the thumb print from a ‘thumb print reader’ security device, dusted it with carbon black and was able to fool the reader and gain access to the teller’s computer. The manager he showed that to was rather upset.
Curious • June 9, 2020 5:34 PM
(“IBM abandons ‘biased’ facial recognition tech”)
https://www.bbc.com/news/technology-52978191
I don’t know what to think about this, no idea what technology has been deployed and how long existing things will maybe keep being used.
Who? • June 9, 2020 6:13 PM
INTEL-SA-00320 — Special Register Buffer Data Sampling Advisory
Another security vulnerability in some Intel processors allowing information disclosure. It has been assigned CVE-2020-0543 —not a lot of details available yet— and microcode updates are being released now. My Dell Precision workstation received updated microcode three hours ago; the Spectre and Meltdown mitigation detection tool has been updated to version 0.43 one hour ago, and identifies my workstation as not vulnerable.
I would certainly appreciate a “map” to understand the status of the hardware vulnerabilities discovered since rowhammer, in the last lustrum.
Who? • June 9, 2020 6:14 PM
Missed the link to the Intel Advisory in the last post:
https://www.intel.com/content/www/us/en/security-center/advisory/INTEL-SA-00320.html
Who? • June 9, 2020 7:10 PM
Information is being made available. It looks like a side-channel vulnerability against random number generation:
This one looks like the class of side-channel attack intelligence community would like to hoard as part of its arsenal.
JonKnowsNothing • June 9, 2020 7:33 PM
@Sherman Jay
re:
I don’t think (hope) we’ve gotten to the ‘RFID chip in the arm’ point yet
There are companies in the USA, that insert RFID chips providing the employee “agrees”. They have Chip-Insertion-Day events.
Technically, they cannot mandate the chip but how can one truely consent when all the rest of SHEEPLE in the department are lining up for the free swag: beer and pizza.
They get to open electronic doors auto-magically, login to their work system-network auto-magically and get their free-cafeteria-food allocation with a hand wave.
re:
‘thumb print reader’ security device
iirc(badly) there was a discussion (maybe a @Clive tech-chat) about mag-card readers. You see these hanging around people’s necks and my healthcare system has everyone using them to swipe in. They also have another set of swipeables they use too.
The repeated use of magnetics leads to a magnetic-traceable alignment. Physical magnets leave a mark in the environment and repeated use can be tracked and traced. With the right kit you can login right in.
Well… it works until the magnetic fields shift polarization.
ht tps://en.wikipedia.org/wiki/Geomagnetic_reversal
The magnetic field will not vanish completely, but many poles might form chaotically in different places during reversal, until it stabilizes again
(url fractured to prevent autorun)
Clive Robinson • June 10, 2020 5:42 AM
@ Who?, ALL,
This one looks like the class of side-channel attack intelligence community would like to hoard as part of its arsenal.
Yes, it kind of does alow access to all sorts of things.
Thus the question “Accidental or deliberate?” does arise.
At a ten thousand foot view what has happened is that a hardware buffer is “not getting cleared after use” such an attack vector is well known from it’s software equivalent trick[1].
For some reason not stated[2] a hidden hardware buffer is used that is designed to pass different width data blocks. So if a large width data block is written by one data source, then later a narrow width data block is written to it by a different data source, the buffer ends up holding the large data block with a small data block over writing it… Thus if you read the entire width of the buffer you get most of the data from the big data block.
If the data source writting the big data block is the Hardware RNG, for a security privileged process on one core, then guess what an unprivileged process on another core gets to see…
Back in the early days of C you had malloc() which gave you a block of memory but “for efficiency” the memory was not cleared. Thus if you had a software buffer that you wrote you encryption key in to pass it from one function to another but did not clear it before free() then the encryption key would just sit in memory waiting for the memory to get allocated again. If you know how malloc works in the system you are using you can use the trick of making a buffer passing the encryption key then apparently destroying it. To later get the memory back and read out the encryption key. Such code can get past many an experienced set of eyes doing a “code review”… As I’ve mentioned in the past, I used exactly that trick to prove a point about “code reviews” and why they should be done properly by those with the actual ability to spot such things…
So yes it could be a deliberate attempt to pass data with high security value down to an unprivileged process…
[1] See Peter van der Linden’s book, “Expert C Programming : Deep C Secrets” from SunSoft Press, ISBN 0-13-177429-8. It was written in the early 1990’s on experiences and issues from the 1980’s and earlier…
[2] Sometimes such hidden buffer are called “letterbox buffers” they can solve a number of timing and synchronizing issues, and occasionally appear to defeat the speed of light…
name.withheld.for.obvious.reasons • June 10, 2020 12:43 PM
If there is a structured or deliberate objective to designate and diminish the so called organization ANTIFA suggests a troubling motive.
Why would the government align itself against movements or people that are acting to answer violent fascistic elements? This is similar to having the government specify a campaign to crush democracy or those that engage in promoting democracies anywhere.
SpaceLifeForm • June 10, 2020 2:45 PM
@ Sherman Jay
“The manager he showed that to was rather upset.”
Was the manager upset that that the security hole existed? Or upset that it was exposed?
@clive
Back in the early days of C you had malloc() which gave you a block of memory but “for efficiency” the memory was not cleared. Thus if you had a software buffer that you wrote you encryption key in to pass it from one function to another but did not clear it before free() then the encryption key would just sit in memory waiting for the memory to get allocated again.
We still have malloc() and free(), and they are perfectly OK as they are.
Such code can get past many an experienced set of eyes doing a “code review”…
No. It passes only the eyes of the incompetent.
I get sick of the repeated claims here (and elsewhere) that C is an unsafe language. It’s the opposite, as using it forces you to be very well aware of what you are doing. And that is always better than lazily relying on someone else having done your job. It’s like using a very sharp knife to cut food. A competent chef knows how to handle it and won’t cut his fingers.
And anyway, most bad security these days is by design, and not the consequence of language features.
SpaceLifeForm • June 10, 2020 3:57 PM
@ name....
You got it.
Random.
The love of money is the root of all evil.
The early signs of insanity is hypocrisy and denial of reality.
I’m sure you have to deal with people that exhibit those symptoms.
ANTIFA does not exist as an organization.
ANTIFA is normal people that are not addicted to money (because they can barely survive), do not deny reality (because they understand abuse by police, etc), and are not hypocrites.
It’s actually a good thing that the fascists, insane denialists, are attacking a ghost that they can not attack in a court.
But, the bad part is they try to attack on the streets and online.
https://amp.ft.com/content/0f2c8952-a719-11ea-92e2-cbd9b7e28ee6
Oligarchs are immoral business leaders who, as Russia’s Vladimir Putin defined them in the Financial Times, use their “proximity to the authorities to receive super profits”.
That makes me wonder: is there any better description of Facebook chief executive Mark Zuckerberg — a man who caters to US President Donald Trump by refusing to remove his inaccurate and inflammatory posts from the social media platform — than an American
oligarch?
Potus tweet:
Incredible! @FoxNews just took Congressional Hearing off the air just prior to important witness statements. More like CNN!!! Fox is lost!!!
(no denialism or hypocrisy there, none at all)
Be like Columbo, not like Columbus
https://columbophile.com/2016/07/10/why-is-there-a-columbo-statue-in-budapest/
SpaceLifeForm • June 10, 2020 4:33 PM
@ FA
Totally agree. When you write the C code, you have to seriously, deeply, think thru the scenarios, think about flaws and attack angles. I trust C, and assembler. Nothing more.
If you are really paranoid, compile the C to assembler, the visually inspect the assembler code before proceeding.
Are you still confident that there is not a flaw downstream in the toolchain with the actual assembler and linker?
Are you sure?
You have to actually think.
F*CK RUST, c++, JS, Webassembly, etc.
Too much magic for me.
‘I get sick of the repeated claims here (and elsewhere) that C is an unsafe language. It’s the opposite, as using it forces you to be very well aware of what you are doing”
SpaceLifeForm • June 10, 2020 5:26 PM
@ FA, Clive
The heap, well, is a heap of shit.
malloc is not your friend.
There should be no wonder why there exists so many implementations of malloc() and free().
vas pup • June 10, 2020 5:27 PM
Engineers put tens of thousands of artificial brain synapses on a single chip
The design could advance the development of small, portable AI devices
https://www.sciencedaily.com/releases/2020/06/200608132518.htm
“Engineers have designed a ‘brain-on-a-chip,’ smaller than a piece of confetti, that is made from tens of thousands of artificial brain synapses known as memristors — silicon-based components that mimic the information-transmitting synapses in the human brain.
“So far, artificial synapse networks exist as software. We’re trying to build real neural network hardware for portable artificial intelligence systems,” says Jeehwan Kim, associate professor of mechanical engineering at MIT. “Imagine connecting a neuromorphic device to a camera on your car, and having it recognize lights and objects and make a decision immediately, without having to connect to the internet. We hope to use energy-efficient memristors to do those tasks on-site, in real-time.”
Memristors, or memory transistors, are an essential element in neuromorphic computing. In a neuromorphic device, a memristor would serve as the transistor in a circuit, though its workings would more closely resemble a brain synapse — the junction between two neurons. The synapse receives signals from one neuron, in the form of ions, and sends a corresponding signal to the next neuron.
A transistor in a conventional circuit transmits information by switching between one of only two values, 0 and 1, and doing so only when the signal it receives, in the form of an electric current, is of a particular strength. In contrast,
========>>>a memristor would work along a gradient, much like a synapse in the brain. The signal it produces would vary depending on the strength of the signal that it receives. This would enable a single memristor to have many values, and therefore carry out a far wider range of operations than binary transistors.”
Who? • June 10, 2020 5:53 PM
@ Clive Robinson, FA, SpaceLifeForm, all
I really appreciate C, in the same way I appreciate Z80 assembler since I learned it at the age of twelve years four decades ago. C is a powerful, compact, portable and very fast programming language, being some sort of elegant high-level assembler.
However these languages can be dangerous if we do not write code carefully. As someone that writes code for a BSD operating system I know it is very easy making mistakes. The same simplicity that turns pointer arithmetic into a powerful tool can turn it into a security nightmare if you are unlucky. The flexibility and lack of security controls inherent to C, makes this programming language a dangerous ally if you are unable to review each line of code you write. Sometimes you need to write much code too quickly. In this scenario C is not your best friend.
malloc(3) and free(3) are great but must be used carefully. This one is the reason we must be really careful with signed integers and size_t overflow in malloc(3). Remember a signed integer overflow, as a difference to a unsigned integer overflow, has an undefined behaviour in C. malloc(3) is not a good choice either when storing sensitive data, like [pseudo]random numbers, digital certificates or passwords.
As Clive noted, you can get most part of a buffer that has not been previously “sanitised” just writing a small block to it before reading the entire buffer.
What Intel did was a mistake? Something deliberate? A performance optimization that went wrong? I am not sure, but it certainly is worrying.
I would love seeing a C language that, even being slower, has the appropriate security checks in place. But these security checks would break the language paradigm.
name.withheld.for.obvious.reasons • June 10, 2020 7:33 PM
@ SpaceLifeForm
ACK, SYN
Yes, that is why I phrased my statement as the “so called organization”. Hear ya, loud and clear.
I share much in perspective. Am quite old school, possibly older than Clive. If you have seen the movie “Enemy of the State” then you have an idea of where I am coming from and how I live.
Too bad I have to squelch much that I’ve written as it is politically intolerable by most. Clive has voiced a concern or two and has engaged in thoughtful debate on related topics but I am probably more cynical. Our community, and am taking the opportunity here to speak to it, has not taken the collective responsibility for how we operate and the way we see the world. Our sense is that we are individuals that share little with the world–and that is antithetical to reality. One of my favorite cliches is, “I see further because I stand on the shoulders of giants.” — Sir Issac Newton (from memory, may be a misquote)
My criticism of the intellectual class that and those of knowledge (not much found in the way of wisdom) has for too long sat on their hands. Engineers and scientists often become victims of their own formalism. I was once asked to work with a specific scientist for just that reason, to knock at the edges of his self-imposed box. Don’t get me wrong, the gentleman was brilliant but captive to fear.
My one joy or liberty, thank you Bruce, is to be able to communicate with others that more than likely understand my concerns and have the ability to inform. We are at extreme risk of losing that opportunity. Color me not hopeful.
SpaceLifeForm • June 11, 2020 12:43 AM
@ name....
SYN, ACK
“Our community, and am taking the opportunity here to speak to it, has not taken the collective responsibility for how we operate and the way we see the world. Our sense is that we are individuals that share little with the world–and that is antithetical to reality.”
Actually, I believe that almost everyone here “get’s it”.
It’s just that there are so many non-tech people that do not. Uneducated, unwilling to learn.
You know what I am talking about. As soon as you try to explain, in the most simplistic manner possible, a concept, to someone that is not really aware, they immediately attack.
It hurts their brain. It hurts them to think. It hurts their brain to entertain a concept that is antithetical to their brainwashing.
Until there are more educated leaders in the technical sense, there will always be bad decisions made.
But, we have to keep trying, to educate.
Clive Robinson • June 11, 2020 2:26 AM
@ FA,
We still have malloc() and free(), and they are perfectly OK as they are.
And when did calloc() come along, and why?[1]
But you have mistaken my intent with,
I get sick of the repeated claims here (and elsewhere) that C is an unsafe language.
My point was not to “bash C” that historically had a horrible job to do, but for people to realise that “data left in buffers” as a security issue has been known probably longer than their working lives…
Thus as usual Intel has no excuse for the “go faster stripes” mistakes they have made for so long now the “Xmas Gift that keeps giving” will continue to do so for some time to come.
I’m on record here for saying that people should not use Intel’s internal RNG for various reasons (the design is sloppy, and they use “magic pixie dust thinking” to try and hide the mistakes behind a crypto algorithm).
However I had not realised that Intel’s sloppy security thinking had gone on further with features down stream of the RNG…
Would I have made the same mistake, well having had more than my fair share of experience designing “letterbox buffer” dependent systems, I would have pointed out the security risks… But I would probably have been overruled by some “go faster stripe” obssessed managment droid and more senior managment with a “market share” objective in mind.
[1] Actually malloc() is becoming less and less fine as time goes on[2]. The interface on calloc() is actually a bit more subtle than malloc() over and above most peoples “it’s just a malloc() followed by memset()” thinking, and for good reason. Because it alowed for subtleties in non power of two memory width sizes –IBM, Gec, Burrows etc with multiples of 12bits hence “octal” etc–, also large Virtual Memory systems that malloc() can not. Remember size_t is technically data bus width bound as are all “simple pointers”[3] whilst the address width is not, especially in certain types of computer designs[2]. Though trying to work that out from reading the standard will make your head hurt as it requires “Alice through a one way looking glass” thinking 😉
[2] Even Intel’s early IAx86 chips had this issue, hence the segmented design of 64k blocks in a 1M space. There are “super computer” designs out there, that have memory architectures that are essentially unbound for most practical purposes thus need an equivalent paged, segmented, windowed, keyholed, etc address space. Because even 64bit addresses are limiting for some data sets.
[3] Simple pointers as “absolute addresses” are on their way out and have been for a few decades data sets are too large and getting bigger. Thus it’s best to think of simple pointers as “offsets to complex abstract pointers” where the complex part is hidden from you for good reason. Even the early Unix developers realised they had problems with addressing data in storage as the “hidden life behind inodes” shows. Likewise URL’s that are in theory “unbounded” have limitations, and how we deal with them now will have consequences in the future, a lesson that inodes etc have taught us.
@clive
My point was not to “bash C” that historically had a horrible job to do, but for people to realise that “data left in buffers” as a security issue has been known probably longer than their working lives…
Indeed. Which is why there is no excuse if data is leaked in that way.
Note that requiring the equivalent of free() to clear the memory before it is released is not really a solution. What if a routine stores a crypto key in local storage (on the stack) ? It’s still there when the routine returns and trivally easy to access. Now would we require a compiler to sanitise the stack each time a function returns ? In 99% of cases such things are pure overhead, and there is good reason to avoid them.
My point is that if your application is using sensitive data, then making sure that data is destroyed before it goes out of context must part of the design process. That happens before coding and it has nothing to do with language features.
That said, some crypto libraries will provide ‘safe’ memory management routines and also use those internally. That is probably the way to go for most programmers, but it doesn’t solve all problems.
JG4 • June 11, 2020 10:46 AM
I was reminded in recent days of the value of natural language processing for extracting various types of information from written documents. It hadn’t occurred to me until now that you could use NLP to find evidence of racism in the patent literature (vide infra). I’ll say again that the only hope of managing (from our status as victims) the forests of dead trees that are converted to laws and regulations every year is natural language processing. The only hope of managing all of the vulnerabilities in hardware and software is something that might be called machine intelligence or AI. And that machine intelligence may be useful for designing drugs and vaccines.
How to Discover Antiviral Drugs Quickly
https://www.nejm.org/doi/full/10.1056/NEJMcibr2007042
This week, I scoured the web trying to find an article that I recall reading roughly three to four years ago. It is likely that I mentioned it here around that time. I welcome anyone pointing it out. In the wake of the Podesta and DNC email incidents, at least one academic researcher ran an NLP analysis. What it showed was that 80 to 95% of the efforts of the elites are dedicated to what might be called cognitive hacking. Which is to say, crafting messages that benefit themselves and their friends. I did find Jonathan Toro’s efforts, but I didn’t see him make the point about all of the effort expended by the liars, thieves and murderers on crafting messages.
Money and power serve themselves first, their friends second and you as the main course. Not to put too fine a point on it, “Money and power are liars, thieves and murderers.” Police power in particular. If I didn’t say it before, every time that I’ve ever been in a courtroom, and most of the times I’ve heard from credible friends, the police lied. I am cautiously optimistic that the robot police will not be programmed by psychopaths. I am pretty sure that both the Fever Swamp and the Grand Casino are ruled by psychopaths. I am sympathetic to the 80% of police who aren’t psychopaths, but I’d like them to stop lying in court. Dealing with scumbags every day can’t be much fun. And donuts will kill you quicker than a bullet.
The history of crafting messages to exploit cognitive biases isn’t new. What is relatively new is using mass media to scale the exploitation. I credit Bernays as being the first to use mass media. I was delighted to see that there are interviews of him on Youtube from the 1980’s. Now we can add to the arsenal of tools used to exploit cognitive biases Cambridge Analytica, the five horsemen of the tech apocalpyse, brain-scanning (fMRI, etc.) and soon real-time chemical imaging. Visualization of chemical thought waves. Testing in real-time the perfection of lies. And identifying dangerous troublemakers who don’t believe the lies. The only crime that you need commit to become an enemy of the state is to not believe the lies for which the soldiers died.
Natural language processing offers a path to tools that might be used to resist cognitive hacking by alarming any time a politician is lying. It might be easier use image analysis to see if their lips are moving. NLP also could alarm on detection of fake news, pretty much everything in the mainstream media. Bernays played a major role in bringing the US into WWI. Wilson was incapacitated by the flu (I previously thought that it was his stroke) and the punitive conditions imposed at Versailles insured the devastation of Europe in WWII. Such is the power of cognitive hacking. I haven’t lately said that Karl Rove and James Carville are blood descendants of Goebbels. It always and everywhere is about controlling the narrative.
The Man Who Created the Modern Elite
https://www.youtube.com/watch?v=LviSndYlLhA
3,196 views•Jun 8, 2020
My own efforts are directed to helping continue the human experiment. Eicosapentaenoic acid is an essential human nutrient that preserves cognitive function and improves virus outcomes, among other miraculous effects.
https://www.nakedcapitalism.com/2020/06/links-6-11-2020.html
…
Violence and economic activity: evidence from African American patents, 1870–1940 Journal of Economic Growth
Police State Watch
The Left’s New War On Police Patrick Buchanan, The American Conservative. Also, to be fair, Cato, from the privatization angle.
Police have been spying on black reporters and activists for years. I know because I’m one of them. Nieman Labs
Health Care
Babylon Health admits GP app suffered a data breach BBC. No problems with telemedicine, no, not at all. Your data is secure with us. Especially — putting on my tinfoil hat, here — the kind of data that health insurance would buy up on the black market to keep their actuaries sweet.
…
Sherman Jay • June 11, 2020 12:21 PM
@SpaceLifeForm • June 10, 2020 2:45 PM
“The manager he showed that to was rather upset.”
Was the manager upset that that the security hole existed? Or upset that it was exposed?
reply:
I would assume (with all the risk that entails) that the manager was upset that their fancy keyboard thumbprint readers were so close to useless. But, they probably also were quite upset that some ‘flunky’ teller found out their IT department pushed ineffective security and that the teller might embarrass the credit union by telling others of the insecurity (maybe psychologically insecure as well as ‘tech’ insecure).
Sherman Jay • June 11, 2020 1:09 PM
@JG4 • June 11, 2020 10:46 AM
I thank you for reminding us of the lack of mental security we have when we are not consciously aware of all the attempted manipulation of our thoughts (mental hacking).
There have been so many in addition to Bernay that have used those tactics. However, I think that today the tactics used in the surveillance and manipulation of people are both more insidious and at times even blatant. Think of all the tracking and targeting of ads on the internet.
As most on this blog are quite aware, it takes critical analytical thinking at every turn to prevent from being propagandized. However, we also must guard against becoming too cynical, seeing manipulation behind every single sentence. Too many sheople will readily drink the kool-aid offered or at the other extreme see a conspiracy behind every theory.
Chris • June 11, 2020 3:23 PM
One thing I have been musing about is building a hand-cipher that used the structures we use around block ciphers.
Most of the attacks on the better classical ciphers worked because of practices in how they were used that we’d never do, today.
How hard would it be to break a hand cipher if we used more modern practices?
1: Use session keys. That is, never use the same key for two different messages. And never use a key that had meaning – keys should be random.
This doesn’t mean that you have to have one-time pads. In a military network, for example, every station could have its own key,
and every day a key, and every message index a key. A sender could then take 4 keys, add them together, perhaps run the result through
a lagged-fibonacci PRNG, and create the session key.
Now I don’t think this would be secure.
A single fractionated transposition wouldn’t -provide anything like the diffusion necessary to prevent a modern computer attack.
Differential cryptanalysis would have a field-day with it.
But in the real world, differential cryptanalysis only works when you have the ability to have large numbers of chosen plaintexts encrypted for you.
In other words, it’s an attack that works against encryption hardware that you hold in your hand, it won’t work against evesdropped traffic.
It seems to me that this is simple enough to do by hand. It’s not much more complicated than ADFGVX, and much less complicated than VIC.
And I don’t think any of the classical attacks would work against it. The question is, could it be hill-climbed? I’m not sure.
Someday I’ll give it a try.
Läste om en ide som MOSSAD använder/använt sig av nämligen att man inte skickar hela meddelandet på en gång
utan det som händer är förklarat så här:
7.4. MOSSAD Verfahren, beschrieben in “Der MOSSAD” S.22. Lit. *Mossad
Beschrieben als Mossad-Doppel-Kodiersystem.
Die phonetischen Laute werden mittels einer Substitutionstabelle durch Zahlen ersetzt.
Beispiel: ABDUL in AB = 7, DUL in 21.
Die gebildeten Ziffern erhält einen weiteren Buchstaben oder Ziffer.
Beispiel: A7O 21B
Die Substitutionstabelle wird wöchentlich gewechselt.
Zur Übertragung der Nachricht wird diese gesplittet:
Sendung 1: A7O
Sendung 2: 21B
Welche Sendung zuerst erfolgt und wie die Splittung erfolgt ist nicht dokumentiert.
Hursom som jag tolkar det är att man splittar meddelandet via olika vägar
och det blir ganska effektivt, vi har tidigare labbat med ideer som fungerar i praktiken
där vi ändrar i bitstrukturen i en befintlig kryptering på disk tex för totalen får ett totalvärde av CRAP
så det är samma tänk här egentligen, och detta irriterar minst sagt fienden
Tex som ett simpelt exempel:
Encrypter blob: xxx
med en hex editor ändra valfri bite i blobben och dokumentera vilken blob
detta räcker för att en krypterad blob där du har ett bit fel gör det oläsligt
Voila (Beror lite på krypterings algoritm) men super effektivt för data at rest
//a@b.com
myliit • June 11, 2020 4:31 PM
I consider this a feature, not a bug.
https://tidbits.com/2020/06/11/beware-icloud-backups-deleted-after-180-days/
“Beware! iCloud Backups Deleted after 180 Days …”
myliit • June 11, 2020 4:45 PM
Perhaps to be announced 22 June 2020, FYI
https://www.macworld.com/article/3561594/apple-might-be-dumping-intel-sooner-than-we-think.html
Chris • June 11, 2020 5:09 PM
Many things has been written about them lets write some more …
An UTOPIAN Nuclear free Nordic area proposed by Palme
SOSUS Line 1986-09-09 System-4 (After Palme)
Russian Submarine U137 was jammed and fed with false navigation data via NATO
U137/S363 using advanced Electronic Warfare
so it actually thought it was at a very different place than it was at. (Only found this info once, and then its gone totally dark!) (Anyone has any info on this theory)
The info i saw was very deep and it showed a mirrored image of where the brittish/americans projected they russian submarine to think they were at.
At this time the russians had multiple navigational systems, so one can imagine that since they were in the midst of a excersises jamming on the primary would have been plausible and then the secondary was somehow falsified…
1985 The Submarines were visible everywhere in Swedish Archipelago and…
Bodström is not sure they are correct in januari 8 1985
1985 The Opposition in Sweden at that time makes alot of noise regardint Bodströms question and makes a “Misstroende Röstning”
in february 8 against the Palme lead Socialdemokraterna
Today we know couple of things more, we know that one submarine was very close to get caught, and it signaled a green ing which is a typical NATO Distress color not used by the Sovjets at that time
We also know that both Germans and British used the Swedish archipelago as an learning ground, with the Swedish high commands knowledge (Never confirmed!) just rumours
Also last but not least I am not pro Russia/Sovjet or any communists but I think that truth is truth and falsifications are falsifications
//Vänta du bara tills du får tag på mig
vas pup • June 12, 2020 1:38 PM
@Sherman Jay:
Take a look at the link below directly related how Stasi utilize mental hacking many years before AI tools, social media, etc. utilized to break your mental health:
https://en.wikipedia.org/wiki/Zersetzung
In short, that is gas lighting utilized by oppressive establishment against those for whom truth is stronger than loyalty.
vas pup • June 12, 2020 1:43 PM
AI and unusual angle of utilization:
https://www.bbc.com/news/technology-53024123
vas pup • June 12, 2020 1:54 PM
The hidden detectors looking for guns and knives
https://www.bbc.com/news/business-52734768
“Traditional metal detectors throw up a lot of alarms for innocent metallic objects, creating a chokepoint for paying customers who just want to get to their seat in a stadium or concert hall.
This very high alarm rate prompted Evolv to blend AI software with radar to cut down on false alerts and keep the crowds flowing into a venue without irksome interruptions.
This is not just looking for the shape of a gun as defined by the software, but also for small shards of metal packed into a confined space to create shrapnel around an explosive device as was tragically demonstrated in the 2017 Manchester Arena bombing.
Evolv’s software engineers have written algorithms that interpret shapes as signatures, with the outlines of knives and guns catalogued as reasons to alert an operator.”
Very good article! Enjoy reading it all.
SpaceLifeForm • June 12, 2020 5:08 PM
@ chris
I am not a crypto security expert by any measure, but I would stay away from any block ciphers.
It’s really way too easy to make implementation mistakes.
Security is hard.
SpaceLifeForm • June 14, 2020 3:22 AM
@ Chris
“Differential cryptanalysis would have a field-day with it.
But in the real world, differential cryptanalysis only works when you have the ability to have large numbers of chosen plaintexts encrypted for you.
In other words, it’s an attack that works against encryption hardware that you hold in your hand, it won’t work against evesdropped traffic.”
Ads.
Ads are chosen plaintext.
All Ads are eavesdropped.
Read my lips: DO NOT USE BLOCK CIPHERS.
RealFakeNews • June 14, 2020 4:16 AM
+1 for nothing wrong with C!
Too often I read of people blaming the language for mistakes, when really what happened was someone failed to adequately consider the problem and the solution.
The mere fact that such software development methodologies such as AGILE exist, shows that too many software developers not only have apparent disdain for software design, but a total lack of understanding that design is more important than code.
The analogy I like to use is writing a novel. An author must first have a storyline; a plot, characters, basis of the story, backgrounds, etc. before they can write a single chapter.
Why so many software developers think they can write a single line of code without having a plan for the system design, I’ll never know.
Consequently, these people end up writing code that solves a bunch of disjointed problems, without considering what the ultimate end-goal is. It stops being about carefully managing cryptographic data, and instead just moving a bunch of data around. That leads to bad decisions, lack of foresight, and ultimately, insecure software.
Clive Robinson • June 15, 2020 5:38 AM
@ RealFakeNews,
Why so many software developers think they can write a single line of code without having a plan for the system design, I’ll never know.
It kind of depends on what level you are looking at.
As a designer of embedded systems for more years than I care to remember (I started when the Z80 was considered “the best thing since sliced bread”) there was a lot of code that was almost always thr same but not quite. This code you could write almost blind from the hardware specification.
Eventually you realise that with sequential code systems there are two almost hard and fast rules,
1.0, Firstly all code that actually has any semblance of a usable function has three parts
1.1, Setup,
1.2, Function,
1.3, Teardown.
Importantly is the realisation that this rule applies through out all code thus programs, functions and sub functions have the same three stages (this includes the lowest of the low like device drivers).
2.0, Secondly, is the important realisation that there are two basic types of program,
2.1 Filters.
2.2 Persistent.
That is filters run a specific function and then terminate naturaly, whilst persistent remain and do not terminate naturaly. That is the top level “function” block in a filter is markedly different to the function block in a persistent program and is generally a control loop that calls filters. The important thing to remember is what type of control loop you use (that is if your loop is one that, 1, goes through all conditions in turn, or 2, one that if a codition is true performs a function then breaks back to the top of the control loop).
Either way what you end up with is a “Pyramid of Code” the top of which is very specific to function whilst the bottom is very general thus specific to method.
The next realisation is that as a rule of thumb code that is method such as device drivers etc have a very high degree of commanality, thus you in effect can reduce the number of code lines at the bottom of the pyramid to form a truncated diamond. Where what was the tip of the pyramid is very predictable, and likewise the bottom of the now truncated pyramid is likewise very predictable.
In non embedded systems programmers actually often have all of this work done for them via a BIOS, OS, and programing libraries. Likewise the initial “setup” phase of the program is done by the BIOS or OS loader, also the later parts of the “teardown” phase that do the clean up and restor of resources such as memory and I/O.
But that still leaves all programers the choice of program type and if not a filter then the choice of control loop type. An experienced programer on just reading the introduction or overview in the specification should in most cases know the answer to these two decisions. They will also probably know what major functions are required thus can produce the “stubs” the high level control loop will likely need.
But the majority of non embeded programmers are writing supplemental programs or functions to existing programs and systems, where the likes of interfaces are already established and code reuse of lower level functions encouraged (perhaps rather more than it should).
So many programmers are in effect playing in a “join the dots” type environment which dictates to a very great degree what they are going to do. That is their degrees of freedom are very much “tied down” or if you prefere “boxed in”.
If the programmers were not effectively “boxed in” then most of these modern programming style paradigms just would not work. Especially those that are very much more abusive to team members than they need to be. Such abuse is rarely of any practical use other than it plays into a certain type of managment ethos/style born out of the fantasy of story telling you get from the likes of “Startrek” which spawned the “Make it so” ethos amongst others. I won’t go through them all but at root they are nearly all adverserial and come from story books, films, TV shows and sports, and contain an explicit or implicit bullying process. None of which are particularly conducive to what should be a thoughtful process using scientific and engineering methods. Which is why experience shows more often than not the cause of failure in large projects is such methods where the bullying process has become a significant if not overriding factor. To look at it another way “you can not manage complexity by blindly hitting it with a hammer”.
JonKnowsNothing • June 15, 2020 9:53 AM
@ RealFakeNews @Clive @Bobbi
re:
Why so many software developers think they can write a single line of code without having a plan for the system design
programmers are in effect playing in a “join the dots” type environment
When considering complex systems, even in the old days, rarely did anyone “roll their own” software or designs. You maybe did it once at some point in your career, early on before you knew much, then you rolled into a portable device to bring your “tool set” to your next assignment. You acquired “other’s toolkits” as you moved from company to company.
Things got even more difficult as the complexity of “join the dots” programming became the fixture and focus of Marketing-CEOs. A programmer’s employability depends on which and how many “join the dots” systems they know. It has nothing to do with design, only on lines-of-code-generated per hour/day/month.
From another thread:
The problem is talent….makes them reluctant to work for their own government.
The reality is this:
Governments and Corporations no longer HIRE anyone. It’s all OUTSOURCED to a contracting agency. It’s all a function of the Big Government Downsizing to the Private Sector for the cheapest labor available.
When the focus is on cheap, expendable, no commitment, no strings, replaceable cogs, there is no space or place for continuity of design. This system is retained because it’s very lucrative arrangement for the contract-agencies and corporations generating never-ending recurring contracts, product replacements, and consumer rip-offs.
ht tps://www.schneier.com/blog/archives/2020/06/examining_the_u.html#c6812411
(url fractured to prevent autorun)
Subscribe to comments on this entry
Sidebar photo of Bruce Schneier by Joe MacInnis.
greenup • June 5, 2020 5:50 PM
so, I’ll use this as my starting point for “security story in the news uncovered by Bruce”:
https://www.androidpolice.com/2020/06/03/using-a-2fa-security-key-with-your-google-account-on-ios-is-about-to-get-easier/
Though honestly, I don’t care about ios. What I really care about is trying to secure my own and family’s stuff.
The market seems to be at something of a tipping point, with SOME OF the new stuff offering Real security AND usability, and the old stuff (passwords)being less manageable and cracked/dodgy all the time.
That said, “the new stuff” seems to come in a bunch of flavors, and despite having a fairly good background in security, I am having problems finding what I am looking for in the marketplace, and could use some suggestions, or suggestions on information sources or forums.
The “new stuff” is 2FA… Except the term means too many things– TOTP, HOTP, SMS, U2F, FIDO2, PGP CAC, PIV, and hoards of others, each with their own technology issues, costs, and limitations. (and my fruit-looping bank doesn’t support any of them, except for SMS and doesn’t consistently use that)
My goals are:
Technology factors:
1. MITM. Many of the 2FA technologies are susceptible to Man-In-The-Middle attacks, with increasing sophistication to the level that I might not spot it in action, so what help would there be for my kids or mom? I am particularly talking about HOTP, TOTP, and SMS here, and while I understand that short “Security Codes” are essentially all we have for humans to use over the phone to other humans, (…again, susceptible to MITM) when talking essentially computer-to-computer, both sides should be able to cryptographically verify that there is no man in the middle. (public/private keys, client And server authentication, etc). This stuff (MITM) is only getting better, and there are practically kits for it now; upgrading family security to TOTP today just to discard it in 18 months is not viable. What technologies don’t use these stupid short codes, and why aren’t they labeled better? <—THIS is at the heart of my problem. OTP of almost all kinds are… poor. But the most common “solution”.
Tangentially related to Ease-of-use is Backups; the problem with Great Security is that it can be Very Secure against Yourself too, if you don’t have a backup. Or Two. But, that effectively means that you have to set up all of your backups with each site that you use? What if you want to keep your backup in a secure location; do you have to go drag it out every time you sign up for a new service?
Military-grade security is not necessary. I don’t consider my meager family resources to be a target of foreign governments. Biometrics are more than I think are necessary for normal consumers, and I personally consider fingerprint identification no better than passwords. WAY too easy to duplicate/replicate/steal, with anything you’ve touched (like a shiny phone screen), or a camera, or a knife. (hyperbole again) If the industry wants to do something useful with biometrics, they should do more finger-vein, which doesn’t leave its pattern behind on everything you touch, and can even work without touching germ-laden surfaces.
Frankly, I don’t think a toy yet exists that solves (in a practical way) modern security problems as mentioned above, but I feel like we are getting so close, and yet so far. Securing Lastpass with a non-shortcode second factor would be a great step forward; (though I am a Tiny bit concerned about someone MITMing the javascript delivered from lastpass). Social media accounts can stay on password-based auth forever as far as I’m concerned, particularly if I am able to use a tool to generate sufficiently long and cryptic passwords. The backup thing concerns me too; if I buy a cool $60 GoTrust Idem card with all the bells and whistles, do I have to get a backup to store in a fire-proof location? and retrieve it too often (or forget) to add accounts/synchronize? Do I have to buy 2x of them for each family member (x7), or try to cut costs and use one highly overused backup for everybody;
I really would like to get the critical stuff, like my email, password manager, and bank off to something better; How do I clearly market that “something better” to my colleagues, friends, and the suggestion box at my bank? Is there a general term dividing the short-code 2FA technologies from the others that I am just missing? Does a term for 2-Way-Computational-Authentication need to be invented? 2G2FA? Ugh.
On a totally practical level, can someone who has used a BLE or NFC FIDO2 device give me some feedback on how slow and awkward it is?
Too many questions. I need a good spreadsheet.