Ismar June 12, 2020 5:28 PM

A bit of personal news from me this week (I seem to be one of the very few on this blog to share personal stories).
Namely, a couple of months ago I joined an online photo showcasing platform (500px) in order to, well, showcase, or share some of my photos with fellow photo enthusiasts.
The platform provides for exchange of comments on each photo posted, and it did not take too long before I started getting some comments completely unrelated to the photos posted. One good example would be this one
Also, I was just yesterday contacted by an unsolicited user on the photo work platform called 500px
The message I got is


My name is Lizzy mohammed, am from South Africa presently living in London England i make a proposal i wish to share with you i will brief you more once i hear from you as soon as possible i will like to discuss with you, but not here.OK email me to ( add me on whats app so that we can chat there +27656360119
With Regards
Mrs Lizzy mohammed”

I leave it to the readers of this blog to make up their mind about the intentions of those responsible for sending it (and possibly let us know of your thoughts here as well)
On another note, and being in the context of the squid cell post, I also happen to be reading quite a lot of microbiology articles of late as my interest in this area was piqued by the latest advances in bioinformatics.
As such, it is worth considering that the hard problem of computer security can only be successfully solved by a multidisciplinary approach, rather than just leaving it to the engineers among us to tackle it alone.

lurker June 13, 2020 12:15 AM

We had no such thing as printed newspapers in those days to spread rumours and reports of things, and to improve them by the invention of men, as I have lived to see practised since.

… the best preparation for the plague was to run away from it.

350 years since then it seems we’ve learned nothing new about pandemics.
A Journal of the Plague Year [1665] Daniel Defoe, published 1722.

David Rudling June 13, 2020 4:14 AM

Article from Wired about an apparently fairly simple twist on a basically old technique.
ht tps://
(url fractured to prevent autorun)

myliit June 13, 2020 5:38 AM


“I leave it to the readers of this blog to make up their mind about the intentions of those responsible for sending it (and possibly let us know of your thoughts here as well)”

I don’t know. Did you get an attachment, too? Did they, or might they be planning to send you a 0day that you could collect and maybe send to Citizen Lab, etc.? Might they think you are up to steganography? …

John June 13, 2020 6:01 AM

“a proposal i wish to share with you i will brief you more once i hear from you”

Sounds like a fairly standard 419 scam email. I get those regularly, and this one matches what I’ve seen in their “evolution” from “I am a Nigerian prince with X million” to the “contact me for details”.

Apparently they’ve discovered that the kind of person to actually respond to something this vague is more likely to fall for their scam.

Delete and move on.

0805 June 13, 2020 6:36 AM

Since there is not much about computer security here this time, still:

I’ve sent a link to an .ogg audio file to a friend of mine who claims that her iPhone insists on opening the link with the “Deutsche Bank” internet banking app.
To me an internet banking app trying to open audio files looks like being a potential first step in an exploit chain. I therefore tried to send a mail to Deutsche Bank. They replied quickly asking if I have a bank account with them. I told them I haven’t. The reply to this mail was: Then we cannot accept hints about security issues from you.
I guess the problem is that every ticket is linked to a bank account in their ticket system and they cannot file tickets without a bank account number. Also the problem might not lie in the bank’s app but in that individual iPhone. But that feels like bank grade security might not be too proactive, after all.

Clive Robinson June 13, 2020 8:37 AM

@ David Rudling,

Article from Wired about an apparently fairly simple twist on a basically old technique.

From the article,

    “Researchers from Israeli’s Ben-Gurion University of the Negev and the Weizmann Institute of Science”

It’s the usual suspects for “reboiling cabbage” 😉

As for how old the idea is…

Basically what is happening is that sound is getting superimposed onto a light source by some cross modulation method. Think about an Aldis Lamp or heliograph[1] for sending morse code between military units and ships at sea, which is good for up to 15 nautical miles (~27km or 17miles) at sea and further from hill tops on land.

Or if you want to go even further back waving of torches several millennia ago that gave rise to what many call a Polybius square[2].

Anyway as for the telescope for picking up light, if you have a look on the UK Cambridge Computer Labs web site you will find that quite some time ago they used that and a photomultiplier to read the changes of light intensity off of a wall caused by the “flying spot” of a Cathode Ray Tube (CRT) computer screen as a modified type of Van Eck Phreaking.

So most of the idea is “borrowed” as normal for this group of researchers from others.

As for the “novel” part if you can call it that. From the article they talk about “hanging lamps” without mentioning shades or reflectors, but go on to say,

    “LED bulbs also offer a signal-to-noise ratio that’s about 6.3 times that of an incandescent bulb and 70 times a fluorescent one.”

This suggests that it’s not the vibration of the glass, but the vibration of the light source such as the filament, and thus it’s actually the entire bulb moving. Which brings into the consideration the mass of the bulb. Because as with a pendulum the mass on the end of the link from the pivot affects the frequency response especially anything near resonance or a multiple where the swinging will in effect increasingly store energy…

Anyway, yes it’s new in “academic papers” but actually it’s just a variation on Optical TEMPEST techniques, which is a small subset of passive EmSec techniques going back to the 1980’s or earlier one way or another.

It’s reasonably certain that GCHQ and the NSA were aware of it at least as far back as the 1980’s from the release of “redacted documents” under FOI etc. Most things were not redacted thus confirming what was well known at the time about electrical energy. However there was no mention of items relating to “mechanical vibration” conduction and radiation such as acoustics and seismology and their spin offs. Thus we might find out that those redacted areas were about various forms of mechanical energy.

However if nothing else this paper reinforces the point I make about “energy gaps” rather than “air gaps” because this is most definitely an “air gap” crossing technique that transports information impressed on mechanical vibrations over a considerable “air gap” and very probably works around corners and even from down corridors.


[2] The Polybius square is actually a simple device that was invented by “Cleoxenus and Democleitus” who were a couple of Ancient Greeks for military signalling. As with other ciphers (playfair) the name that became attached to it was the name of the person who publicized it not who invented it. In this case the famous Ancient Greek scholar Polybius.

myliit June 13, 2020 3:08 PM

@SoS popcorn eaters, other

“Chicago Cops Hung Out Inside U.S. Rep’s Office as Protest Raged. They Made Popcorn [1], Drank Coffee, Napped.

At least 13 officers were caught on CCTV lounging around in Bobby Rush’s [ Rush may have been a co-founder of the Illinois Black Panther Party in 1968 ] office while protests devolved into chaos outside. …”

[1] second source

“During George Floyd protests, 13 Chicago cops lounged in a congressman’s office and ate his popcorn …”

vas pup June 13, 2020 3:40 PM

@David Rudling – Thanks for the link provided. There are other interesting links on subject inside the article as well.
@Clive: thanks for your, as usual, invaluable input on the subject as well.

vas pup June 13, 2020 3:52 PM

@Rachel in particular:

“Social-media impact

But with 69% of younger adolescents in the UK, aged 12-15, having a social-media profile, social connection is still possible – via anything from Instagram to online gaming.

The question is how much and what kinds of digital communication help to lessen the effects of physical distancing, says Dr Orben.

“Some studies have shown that active social-media use, such as messaging or posting directly on another person’s profile, increases well-being and helps maintain personal relationships.

“However, it has been suggested that passive uses of social media, such as scrolling through newsfeeds, negatively influence wellbeing.”

vas pup June 13, 2020 4:13 PM

Researchers uncover a new mindset that predicts success

“To succeed in modern life, people need to accomplish challenging tasks effectively. Many successful entrepreneurs, businesspeople, students, athletes and more, tend to be more strategic — and hence, more effective — than others at meeting such challenges. A new study shows that one important psychological factor behind their success may be a ‘strategic mindset’.

This research, led by Assistant Professor Patricia Chen from the Department of Psychology at the National University of Singapore (NUS) Faculty of Arts and Social Sciences, shows that people with a strategic mindset are the ones who, in the face of challenges or setbacks, ask themselves: “How else can I do this? Is there a better way of doing this?.”

How does the strategic mindset work? Co-author Professor Carol Dweck from the Department of Psychology at Stanford University explained, “There are key points in any challenging pursuit that require people to step back and come up with new strategies. A strategic mindset helps them do just that.”

My take: that is a very important point for the security industry in particular and in any political field, versus doing the same thing many times and expecting to get different results.

JG4 June 13, 2020 4:55 PM

Thanks for the ever helpful discussion. There is a lot more to say on many topics. Just not as much time and energy to say it. Just for the record, JG3 was an anarcho-libertarian. JG5 is a compassionate fatalist. I almost posted the link to the latest police beating headline. I’m cautiously optimistic that the robot police will be less emotional/ sadistic/ sociopathic/ psychopathic.

“Americans always can be counted on to do the right thing, after exhausting all of the other possibilities.” – Churchill

@vas pup – I missed in 2017 how difficult it would be to filter radar data when I posted these three comments.

JG4 • March 2, 2017 5:50 PM

SMAKN HB100 Microwave Sensor Module 10.525GHz Doppler Radar Motion Detector Arduino $7.60 & FREE Shipping

JG4 • March 25, 2018 7:20 AM

I’ve pointed out before that you can buy a radar system from Amazon for $7.99. It’s a short step from there to a hidden radar-based metal detection system that scans everyone who enters the building.

JG4 • June 23, 2017 8:45 AM
file under border/checkpoint security

I think that I posted the link to an Amazon radar system for $7.99. The Lockheed Martin version is slightly more expensive, but will be able to track insects crossing into the zone.

Big Brother is Watching You Watch

How to Spot Police Surveillance Tools Popular Mechanics (resilc)

The hidden detectors looking for guns and knives BBC

Are you an anarchist? Lawyers say New York police grilled protesters’ politics Reuters (Kevin W)

Did a Government Drone Flight Over a Protest Violate the Fourth Amendment? Lawfare (David L)

Ismar June 13, 2020 9:35 PM

Do you think that this approach could be used to determine if artificial intelligence systems can start evolving by themselves and/or to forecast if one of them has a potential to do so?

More broadly, what would be the role of security in evolution processes as the evolution indeed depends on occasional errors being introduced in the replication of DNA?

name.withheld.for.obvious.reasons June 14, 2020 1:54 AM

Amazingly the re-election candidate decided to do some social media polling:

Didn’t do a whois on the domain, I am thinking maybe PRNK is behind this–jokingly of course. Or maybe I’m targeted and this is a way to get me to expose myself. I added guard characters to add pseudo noise, throw off a parsing and/or filter that could be deterministic.

Dangerous and disturbing, whether or not it is a “poll” it is moreover an attempt to plant a seed of anger towards a group or people that is not well defined. This is like yelling “A neighbor near you has a bomb, they will probably try to blow you up. Better see to that neighbor or you won’t be safe.”

“A_n_t_iXfXa T/e/r/r/o/r/i/s/t P-e-t-i-t-i-o-n”
“Sign The Petition Supporting Making The R=a=d=i=c=a=l M-o-b, A/n/t/i/f/a, A T er r o_r_i_s_t Organ–iz–ation.”

Is there not a public safety issue here? Is this either ethically, morally, or legally sound? I remember the court ruling on something akin to yelling fire in a theatre or some such thing. I cannot believe this is where we are…

SpaceLifeForm June 14, 2020 2:25 AM

@ name....

Where to start?

First, one could want to believe this is true:

“The power to see the truth in the moment”


(that link will become apparent to most in the next 12 hours or so, the dots will connect)


Configurable up to 120 seconds


AES-XTS 128-bit

moving on…


Tried to toss top link into wayback, but…

Maybe someone can get lucky.

I deem it evidence.

SpaceLifeForm June 14, 2020 2:48 AM

@ name...., ALL

Sorry, bad cut-and-paste.

It should read PRE-EVENT buffer.

Why is there an up to 2 minute encrypted buffer?

Why is there such a buffer when the device has 12 hour battery life, and 64GB of storage?

Maybe my C+P was not really off the mark.

When does the officer decide it is now an ‘event’?

Is there a magic button?

Maybe, PRE-EVENT is shorthand for Police REconstruction-EVENT.

Time shifting.

SpaceLifeForm June 14, 2020 2:52 AM

One more thought:

Why do police body cams have encrypted storage in the first place?

Andy Fletcher June 14, 2020 3:38 AM


Body cameras normally have encrypted storage to protect against theft of the camera. The user will often come into sensitive situations (abuse, family matters, talking to informants etc.) and the consequences of the recordings getting into the public domain could be serious.

It also reduces the chance of the user making copies of juicy encounters for non-law enforcement purposes.

The encryption is not intended to prevent those tasked with oversight from gaining access to the recordings although with an uncooperative police force this can unfortunately be the result.

myliit June 14, 2020 4:41 AM

“They Used Smartphone Cameras to Record Police Brutality—and Change History

Video-camera technology on our phones got better. In the process, it made eyewitnesses of us all.

In the last decade, the smartphone has become a tool for witnessing police violence toward African Americans. From the 2009 killing of Oscar Grant to the 2020 killing of George Floyd, we reviewed the footage and talked to the people who captured it, to see how the accounts of racial injustice became clearer as the phones evolved.

In 2008, Steve Jobs had an assignment for a small team of engineers in Cupertino: Make the iPhone record video. After seeing that people liked taking photos with the first iPhones, he wanted to add moving pictures. A year later, Apple released the iPhone 3GS, the first iPhone to record video.

About 10 years and 10 iPhone models later, 17-year-old Darnella Frazier [ Who Captured George Floyd’s Last Moments ] found herself standing on a sidewalk in Minneapolis, swiping on her purple iPhone 11 lock screen to launch the video camera as fast as possible.


Alejandro June 14, 2020 6:22 AM

I can testify one or more of the latest updates from MS might very well cause a very nasty and real BSOD-blue screen of death. I haven’t had one of those in many years, until now. (It’s lighter blue and explains you have a ‘critical process failure’.)

Believe me, this is really a bad one. All the usual stuff like remove update, sfc /scannow, restore point, etc did not work. I had to resort to an old windows image to get back up. (Even my more recent Macrium Reflect images could not be reached.)

There’s a lot of advice about what to do if it happens to you. Apparently the best option is to try to go back to a prior Windows 10 version. Which I didn’t have.

My advice is to make darn sure you have an up to date Windows 10 image stashed on the computer before you allow any new ms updates.

One write up:


myliit June 14, 2020 6:24 AM

First heard about Signal trending up on App Annie at @bartongellman

“Personal Technology

Signal: The Pros and Cons of a Truly Private Chat App

Signal, the encrypted messaging app, is seeing record numbers of downloads amid the pandemic and nationwide protests. It might make sense for you, too.

The pandemic drove unprecedented sign-ups on the encrypted messaging app, as people started communicating more online. Then, nationwide protests over police brutality prompted another round of records. Signal saw about one million downloads world-wide in May, according to analytics firm App Annie.

Protesters have …“

Curious June 14, 2020 6:58 AM

Norway put into law 11. June, afaik some kind of mass surveillance law, afaik with the rationale that the military must be able to do whatever is necessary to spy on people for its “digital defence”. Apparently the contentious parts of the law are said to be chapter 7 and 8. Law is called “Lov om etterretningstjenesten” or “etterretningstjenesteloven”, which loosely translates to “intelligence agency law”. An article points out the votes being down to 77 to 11, but a commenter below the article wondered how many blank votes there had to have been (or people not voting at all I guess).

What irks me in particular, is that, as I like playing this one game on a North American server, and have been for some 10 years. I believe I have been subject to instances of taunting, insinuated intimidation and insinuated threats to me personally and my health and I suspect the US military is behind this. If I were to be correct about that (I could be wrong ofc), now I guess my own country can spy on me and presumably share whatever with other countries, and perhaps whitewash any activity that might otherwise be illegal in my country I would think.

Curious June 14, 2020 8:32 AM

Somewhat off topic:
To add to what I wrote. It just occurred to me, that perhaps what you all like to call the “surveillance state”, which I am inclined to think of as a “police state”, could be argued to not be about “law and order” but “order and law”; if relying on a need for control and having privileges based on law as opposed to things being fair and legal (immunity presumably being one type of such privilege that goes against the notion of fairness and law as having anything to do with notions of ‘democracy’). I am ofc entertaining the idea that it makes sense what order these two words (law and order) go together. It sort of sounds like ‘law’ is something nicer than ‘order’.

SpaceLifeForm June 14, 2020 4:03 PM

@ Alejandro

Pretty sure win10 deletes your restore points after 90 days.

Why is mystery. Or not.

May want to check out Clonezilla.

SpaceLifeForm June 14, 2020 4:57 PM

@ Andy Fletcher

“Body cameras normally have encrypted storage to protect against theft of the camera.”

What is there to hide?

Who are they trying to hide it from?

It used to be that the police were working for the citizens.

“It also reduces the chance of the user making copies of juicy encounters for non-law enforcement purposes.”

Assumes facts not in evidence.

“The encryption is not intended to prevent those tasked with oversight from gaining access to the recordings although with an uncooperative police force this can unfortunately be the result.”

Or, something like that.


G(evidence [dot] com) – note top result

Evidence and com is oxymoron.

SpaceLifeForm June 15, 2020 12:25 AM

@ Andy Fletcher

I guess you saw this coming.

A comment by DA.

Howard said his office is “still experiencing some difficulty” getting all of the body-camera and dashcam footage from Atlanta Police.


[If they have the keys, and it is stored in cloud, wherein lies the difficulty?]

Trudi Fenster-Klotz June 15, 2020 1:00 AM

“Wireless communication is currently transitioning to a new 5G standard that promises, among other advantages, faster speeds. One reason for the improvement, as we’ll explain here, is the use of polar codes, which were first introduced by Erdal Arikan in 2009 and which are optimal in a specific information-theoretic sense.

“… proof of Shannon’s theorem tells us that an encoding with an arbitrarily small error rate exists, but it doesn’t provide a means of constructing it. This then is the significance of Arikan’s polar codes: they provide encodings for an important class of channels that enable us to transmit information at the greatest possible rate and with an arbitrarily small error rate.

“Additional effort went into improving the decoding operation, which was, in practice, too slow and error prone to be effective. With this hurdle overcome, polar codes have now been adopted into the 5G framework, only 10 years after their original introduction.”

Clive Robinson June 15, 2020 11:38 AM

@ Ismar,

Do you think that this approach could be used to determine if artificial intelligence systems can start evolving by themselves and / or to forecast if one of them has a potential to do so ?

I’ve read about half the paper, and have found it to have a lot of assumptions and to have missed out something important.

Evolution is about interaction with an environment, but whilst it might be a random selection at each stage it’s not a “drunkard’s walk” that is there is in evolution a utility function for change. If a change does not measurably achieve an increase of utility in any given environment then it is slightly more likely than not to have an adverse effect.

However the utility function is complex, because successful evolution “rides out the tides of fortune” to do this it has to have the ability to take advantage of glut, whilst having the reserves to survive famine.

It’s fairly clear to anyone who observes modern business practices for instance that the utility function is strongly biased towards the very very short term which engenders an anti-survival thus anti-evolutionary utility response. That is the fitness function rules are to remove all resilience for very marginal gain even in times of glut, thus have no survivability in times of stress such as even very minor decreases in supply cause rapid starvation…

I will read the rest of the paper but if it does not mention a utility function process and criteria for selecting not just goals but resiliently so then it’s not describing an evolutionary system.

We glibly say evolution is about “Natural Selection” which is a small part that most call “The survival of the fittest”. It’s not, it’s more complex than that and we should think in terms of “The longterm survival by the ability to repeatedly adapt to an ever changing environment”. Intelligence arrives when “a species can adapt the environment to best suit its survivability”, often but not always this is by the ability to think sufficiently abstractly to come up with tools.

Thus when you ask about AI it’s not complexity or available permutations that count it’s “abstract thinking towards goal driven needs” that you need to think of as a measure. The problem is how do you sufficiently define “abstract thought” such that you can not just accurately measure it but come up with some kind of measured value where intelligence can be defined? Because firstly how do you recognize the ability to recognise and seek goals? Then identify the free will that allows an organism to change goals it’s seeking to best suit itself…

MarkH June 15, 2020 1:49 PM

Today, the U.S. FDA revoked the emergency authorizations it granted for chloroquine and hydroxychloroquine as (hoped-for) Covid-19 treatments, based on a determination that these drugs are “unlikely to be effective” against SARS-CoV-2.

I have not yet seen any reports of significant positive findings for these drugs from analytic or case-controlled studies. Numerous clinical studies have been initiated worldwide; at least a few of them have been in progress for enough time that if such medications made a strong difference in outcomes, this would be visible in the data.

Ideally, the notion of CQ/HCQ as pandemic treatments would soon be “put to bed.”

On the policy side of this subject, there has certainly been shameful political intervention in the matter of medical treatments, which should never occur in a responsibly run government.

It’s worthwhile to investigate whether such politics may have played a role in the granting of the now-terminated authorization, which may have harmed numerous patients.

JG4 June 15, 2020 2:00 PM

Life imitates fiction again.

Silicon Valley S4E5 – Blood transfusion
116,121 views•May 23, 2017

I’d love to have the energy that I did 30 years ago.

In a paper posted to BioRxiv on Friday, Katcher and Horvath report results of the methylation measurements in rejuvenated rats. “Crucially, plasma treatment of the old rats [109 weeks] reduced the epigenetic ages of blood, liver and heart by a very large and significant margin, to levels that are comparable with the young rats [30 weeks]….According to the final version of the epigenetic clocks, the average rejuvenation across four tissues was 54.2%. In other words, the treatment more than halved the epigenetic age.”

see also:

Silicon Valley 4×06 Promo “Customer Service” (HD)
19,714 views•May 21, 2017

Not sure where I stumbled into this:

Facebook Dive: Engineers Create First Ever ‘Underwater WiFi’ System

I don’t think that the face recognition genie is going back in the lamp.

Big Brother IS Watching You Watch

The two-year fight to stop Amazon from selling face recognition to the police MIT Technology Review

Julian Assange

WATCH: ‘Spying on Assange’ With Max Blumenthal, Stefania Maurizi and Fidel Narváez Consortium News

Tatütata June 15, 2020 3:00 PM

In the news, in French and German:

Géraldine Delacroix, “StopCovid, l’appli qui en savait trop”, Médiapart, 15 June 2020 (“StopCovid, the app that knew too much”; paywalled)

The Coronavirus tracking app promoted by the French government is supposed to record proximate devices which remain for at least fifteen minutes at a range of less than one meter, as stipulated by the data protection implementing decree.

Security researchers found out that this app in fact uploads indiscriminately every Bluetooth contact met in the last 14 days, regardless of the duration or distance, when the user reports being ill, contrary to the guidance provided by the CNIL (French Information Commissioner). There is however some apparently inactive range determination code.

Markus Beckedahl of Netzpolitik has some rare brownie points (“Zentral oder dezentral? Europa gespalten bei Contact-Tracing-Apps” — “Centralised or decentralised? Europe divided on contact tracing apps”) on the implementation of the equivalent German app, even though he considers that the proof of its usefulness must still be made, and the first results rather negative. An Oxford university study is mentioned which suggests that at least 60% of the population would have to be equipped with such an app to make a difference.

According to Beckedahl, the public debate in the early stages has helped to avoid some mistakes, and in selecting a decentralised solution, but the author admonishes the parties not to let up now. The question of interoperability with other European apps in border areas, e.g., with France (!), is also raised.

Anders June 15, 2020 3:11 PM

@Clive @SpaceLifeForm @ALL

That speed is amazing.

Clive Robinson June 15, 2020 4:09 PM

@ JG4, MarkH,

I’d love to have the energy that I did 30 years ago.

I guess that might change when you understand the potential price…

Put simply your genetics have “counters” that allow cells to reproduce a certain number of times then they stop and some time after that your body is heading for the “K-Wave” that kills off the rest of your body.

So the blood transfusion you get from that supposedly healthy teenager actually gives you a marginal increase in life for what is probably a significant reduction in the healthy teen’s life expectancy…

This “Vampire treatment” is actually being carried out currently and I’ve had a posting or two with @MarkH about it.

In essence if you are a COVID survivor your “white blood serum” contains IgI and IgM antibodies to the COVID-19 antigen SARS-CoV-2. Which means that injecting someone else’s tissue typed serum into you when you are actively sick with a SARS-CoV-2 infection will improve your chances of survival. If the antibodies can be synthesized in a bio-reactor etc, then a short term vaccine could result for those most in need.

But… People are talking about “COVID Passports” that is those who have had the disease are in theory not going to get it again (for a while). Because their body is producing anti-bodies, the only way to certify someone for the passport is to check that they have the antibodies in their blood serum.

All well and good until you realise that the injection of someone’s serum with the antibodies will cause a positive on the test.

I suspect if such passports become a reality some people who have not had COVID-19 will pay good money for an injection of antibodies so they can get a passport to go back to work.

So such “Vampire treatment” will become quite profitable and thus appear on the black market. Where like the “back street abortions” of old little real medical input will happen and thus people will almost certainly die…

MarkH June 15, 2020 5:20 PM

@Clive, JG4:

I guess that might change when you understand the potential price…

See Wilde, Oscar: “The Picture of Dorian Gray” (1890)

Clive Robinson June 16, 2020 9:07 AM

@ Bruce and the usual suspects,

I’m hearing reports from various sources that some one or some group has stepped up a notch or two against the Police and other services in Chicago.

The news is that whilst BLM protests continue, other people / groups are latching on, to the protests in various ways. In particular they have moved up to using electronic warfare against the authorities…

That is they are jamming police and other authorities radio channels with what has been reported as “Music and Speeches” so that they are becoming inoperable as the police on the ground can not hear their dispatchers[1].

This is despite the fact police systems are encrypted. Of the Security CIA triad, encrypting only gives some degree of “Confidentiality” and as a consequence actually makes the system less reliable as the signal margin drops.

However in the case of intentional jamming it’s a “power game” in that the strongest signal at the receivers IF Detector is going to be the one that wins…

The thing is these days jamming police radio frequencies is almost trivial. You can buy for as little as 30USD a Chinese import hand held radio (HT) that covers the known frequency ranges. High gain omnidirectional antennas such as co-linears can be purchased for 200USD or made from a plastic tube and lengths of coax for 20USD and power amplifiers can be purchased for 50USD upwards depending on just how much power you want but it works out about 1.5USD/watt. Find a suitable high location and that’s you setup with your own Electronic Warfare setup… The addition of a 300USD or less laptop will make it considerably more versatile and effective. Put three or four of those around a city and get your timing right and you will have a powerful weapon.

However some of what’s been said about the way those operating the jammers are doing it, they are either planning on getting caught or have very little or no knowledge or experience. Not that there is any shortage of people with both the knowledge as well as the experience. There are after all quite a few current and Ex military “Echo Fours” around.

Thus I suspect that those doing the jamming are being given at the very least “technical assistance” in much the same way the FBI have been caught out in the past providing “technical assistance” to turn idiots into wannabe terrorists… Thus the question arises as to who is paying for the technical assistance and why?

[1] In the UK where the Met Police shot themselves in the foot with Motorola’s TETRA system years ago. It was so patchy and unreliable that police on the ground started using their mobile phones. Now it’s “almost uniform” for Met police to carry two or more mobile phones as this works better than TETRA 99.9% of the time. I’m guessing US police forces will follow the same pattern fairly quickly…

Clive Robinson June 16, 2020 2:25 PM

@ Trudi Fenster-Klotz, SpaceLifeForm, MarkH,

A randomized controlled trial supports a readily available treatment for COVID-19

The drug “Dexamethasone” is a steroid which is generally considered unwise to give to people with severe infection because like most antipyretics they bring temperature down by reducing the effectiveness of the immune system.

What this drug is most likely doing is interfering with the “cytokine storm” that the most severe cases of COVID-19 get.

Thus it would be either harmful or of no use to those who have not got a prevalence to cytokine storms (ie the majority). What is needed is to test those who have had success with Dexamethasone for the genetic markers that indicate a susceptibility for cytokine storms, to look for correlation that might be used as a predictor thus allow the drug to be targeted.

Clive Robinson June 16, 2020 3:39 PM

@ ALL,

In one of those “no 5h1t Sherlock” moments some researchers have announced that Twitter has just had its saddest two weeks…

As usual though there are others who think it might not be the case…

Make your own minds up but even if it is not actually the saddest two weeks, if you consider all that’s currently going on in the world currently you can easily see why it might be so.

name.withheld.for.obvious.reasons June 16, 2020 9:42 PM

@ Clive

What this drug is most likely doing is interfering with the “cytokine storm” that the most severe cases of COVID-19 get.

Agree strongly.

From what I’ve been able to determine, a component of the SARS-CoV-2 virus pathophysiology is early suppression of ACE-2 response at infection (cannot explain the asymptotic responses that may or may not trigger antigens) that leads to the cytokine storm.

Interesting work is being done on modeling the plasma chains on the coating of the virus in order to break valence bonds between replication molecules. Kind of similar to putting sugar in the oil of an engine forcing the vehicle to stop due to excessive wear by the sugar and caramelization.

We don’t even know if blood plasma treatments are effective yet, and that is a solution that does not scale well.

Clive Robinson June 17, 2020 7:21 AM

@ ALL,

As some of you might know Sweden has been running a “Herd Immunity Policy” with regards the SARS-Cov-2 virus and the COVID-19 disease.

It’s run long enough to draw conclusions about where it has and has not been successful.

It’s important to take stock of this, because nations coming prematurely out of lockdown either by de jure political imperative or by de facto behaviour of a sufficient percentage of the population behaving recklessly, they are effectively adopting the “Herd Immunity Policy”.

If you compare the per capita death rate of Sweden to its nearest neighbours they are up to 25 times (2500%) worse with around 50% dying in care homes where effectively no beneficial medical treatment was given, and a deliberate policy of not admitting to hospital was put in place. Perhaps worse Drs using “end of life cocktails” in very early symptomatic stages that are actually known to make any respiratory disease thus death with COVID-19 very much more likely.

Perhaps unsurprisingly the three adjacent nations have closed the borders to Sweden and appear to have no interest in opening them currently or nearish future. Which suggests that other nations would be well to do likewise.

This video kind of sums it up,

Basically as worse than a failure with less than 10% of the population with antibodies which means despite the horrific death rate per capita still leaves 90% of the population vulnerable. It’s pointed out that effectively “Herd Immunity Policy” is a euthanasia of the old and vulnerable or economic gain for the surviving population at the expense of the old and vulnerable policy…

Something those in the US where the Fed is keeping the quantitative easing of over 3 trillion USD in the hands of Stock Market Bulls. A debt that is going to have to be repaid by the rest of society somehow as soon as possible.

JonKnowsNothing June 17, 2020 5:39 PM

@Clive @All

It’s pointed out that effectively “Herd Immunity Policy” is a euthanasia of the old and vulnerable or economic gain for the surviving population at the expense of the old and vulnerable policy…

The expected overall benefits of the Herd Immunity Policy were in the calculations that each worker was worth $10MillUSD and the death of 100,000 workers would more than pay for itself by maintaining $1TrillUSD in economic value.

Few of the notable calculations included direct economic death-benefit of reducing the non-worker category in their populations. These knock on benefits to governments of reducing pension costs, long term health care costs, service costs and more, all generally portrayed as “money taken from the pockets of the oligarchs”.

     Every worker killed by COVID19+complications, was worth $10Mill
     What was/is the value of granny and gramps?

They did not overly publicize the cash value of the deaths of the elderly with their increasing costs for support systems until natural death. In some areas more than half the official deaths come from elderly or the infirm/disabled.

As we move towards the next eye-popping phase where neoliberal policies continue to push or nudge that Everything is Fine and Dandy, we can see some of the cashways under consideration and economic functions expected in the near term.

  • High risk of negative equity from the collapse of real estate requiring more cash infusion for purchases.
  • In countries that did provide some financial support for housing, the rents have continued to hit high water marks. The plans to drop financial supports with the toxic debit of unpaid rents and the blockade around purchasing or renting a new abode will generate an enormous housing bubble and collapse.
  • With the massive herd die-offs governments are planning on reducing pension benefits. Since the dead are no longer collecting a pension, the timing is good for “oligarch tax reduction scheme” to further reduce their cost of supporting the survivors.

While the examples are from the UK, the USA has been floating the same concepts and Australia has enumerated similar plans.

While governments might not have publicized the death-benefit costs, the actuaries certainly calculated them. It’s what they do, it’s their job.

ht tps://

triples minimum deposit for UK first-time buyers… from 5% to 15% .. protect customers from negative equity

ht tps://

period between 1 April 2019 and 31 March 2020 …. Private-sector rents in England hit a record high … In total about 8.5 million people rent privately

ht tps://

Introduced in 2011 by the coalition government, the triple lock guarantees that the basic state pension will rise by a minimum of either 2.5%, the rate of inflation or average earnings growth, whichever is largest…
[UK Gov] consider ways of getting round the “triple lock” on pensions next year … a temporary one-year suspension of the triple lock

ht tps://

Actuarial science became a formal mathematical discipline in the late 17th century with the increased demand for long-term insurance coverage such as burial, life insurance, and annuities. These long term coverages required that money be set aside to pay future benefits, such as annuity and death benefits many years into the future. This requires estimating future contingent events, such as the rates of mortality by age, as well as the development of mathematical techniques for discounting the value of funds set aside and invested.

(url fractured to prevent autorun)

JonKnowsNothing June 17, 2020 9:29 PM


re: “question about can you avoid being tracked”

From another thread, there was an exchange about whether you can avoid being tracked in today’s world. The answer was NO.

This MSM report shows in interesting detail how LEOs can track someone, using more public resources than LEO resources. As always, LEOs can use parallel construction too when they need to find “legal” methods to present in court, supplementing non-legal methods with approved ones.

Object: Find a suspect in a criminal case during George Floyd protests.

  • a video clip of a live news feed showing general activities in the area
  • from that video clip pick out details giving a general sense of a masked subject’s gender, race, clothing, and accessories
  • Homeland Security obtains a second video clip from Vimeo of the same time frame
  • more details noted
  • viewed an Instagram photo depicting the incident (same time frame and area)
  • contacted the Instagram account owner who provided several relevant pictures from the scene
  • one of the images shows the right forearm detailing a partial tattoo
  • obtain 500 images from an amateur photographer who documented that time period
  • located in the stack is a photo of a person with similar tattoo, mask, goggles and a T-shirt with a readable slogan.
  • locate an on-line vendor of T-shirt with same slogan.
  • read the on-line comments left by purchasers
  • checked the customer profile pages for the on-line vendor system.
  • reviewed the customer profile details for location match
  • noted the user-id naming convention for matching location
  • performed an open web search (pick your favorite search provider) for similar user id names in the same geographic region
  • results returned LinkedIn account(s) with names
  • LinkedIn account photo scraped
  • Linked photo compared to State DMV photos with matching LinkedIn name
  • Four-year-old corporate marketing videos showed a person’s full arm with the same stylized tattoo.
  • collected address and phone number of corporation/business
  • match the provided address to the shipping address of the T-shirt.

ht tps://

a TV news clip, Insta snaps, a glimpse of a tat and a T-shirt sold on Etsy led FBI [to a suspect]

ht tps://

Parallel construction is a law enforcement process of building a parallel, or separate, evidentiary basis for a criminal investigation in order to conceal how an investigation actually began.

In the US, a particular form is evidence laundering, where one police officer obtains evidence via means that are in violation of the Fourth Amendment’s protection against unreasonable searches and seizures, and then passes it on to another officer, who builds on it and gets it accepted by the court under the good-faith exception as applied to the second officer.[2] This practice gained support after the Supreme Court’s 2009 Herring v. United States decision

(url fractured to prevent autorun)

Nik June 17, 2020 11:54 PM


Excellent analysis and deconstruction. While I appreciate your great posts, I will have a harder time falling asleep tonight.

I am just glad I grew up when I grew up.

Clive Robinson June 18, 2020 5:34 AM

@ JonKnowsNothing,

Four-year-old corporate marketing videos showed a person’s full arm with the same stylized tattoo.

Back when I used to wear the green there were rules about tattoos not being on the arm low enough to be seen when wearing a short sleeved shirt. Nor anywhere else where they might be seen such as the face or neck etc. Female soldiers were at that time not allowed any tattoos at all. The only exception was your blood group on your wrist where it would be covered by your watch.

On passing various courses I was thought odd by others that passed because I did not go out and get either the “crossed flags” or “crossed rifles” tattoos etc.

I always used to say they were a “hepatitis risk” but the reality was I’d read history…

Such tattoos marked you out as firstly someone with military training, but secondly as a Signaler or Sniper etc. Thus you would stand out very much from the crowd which is not a very good idea if you ever want to do “behind the lines work” or simple escape and evasion. In some conflicts Snipers very very rarely survived the first hour or so of capture… Because those who caught them would either kick or “slice and dice” them to death. Worse Signalers were assumed “to know intelligence” and they would get more or less the same treatment but slower in the name of “field interrogation”.

Even back in the 1980s anyone who could think and read knew that warfare was changing, “set piece actions” of WWII were over and either nuclear or guerilla warfare was in.

But, I can not remember quite when I first heard the expression but young women bearing tattoos were regarded in less regard than others and various types of tattoos they had were called “Tramp Stamps”.

I hope “gang tats” don’t need explanation, where they originated is claimed variously but very violent Triad and Russian drug gangs have been known to use them. It’s sufficient to know that many LEOs now have databases of all such tattoos and who has them and where including more recently high definition digital pictures. Some may have seen “gothic horror” films where they used the notion of tattoos as “slave / food / property” markings. History shows that tattoos were used in a similar way. That is the Gestapo had serial number and blood group tattoos and Jews and others in concentration camps were tattooed or branded just as livestock were.

The list goes on, but hopefully people will realise that anything you do to yourself such as Tattoos, Piercings or even Scars are effectively “Citizen/Serf bar codes”, and as with “army tats” could easily mark you for an unfortunate early expiration date by violence.

Nik June 18, 2020 10:05 AM

Re: Tattoos

There are very interesting books I have about Russian prison tattoos. There is a reason why any wardens love if their inmates mark themselves and tattoos are not officially sanctioned but not fully suppressed.

@Clive is right-on with the intelligence they provide and with the military background that is a huge issue.

A good friend died of acute liver failure – hep C from a tattoo – she was in a quite outrageous band and in the music scene they are quite the business attire.

PRINKER is a temporary tattoo printer where you can even print custom color tattoos on you. This would be a way to divert things, but still these can track you for even a short time.

name.withheld.for.obvious.reasons June 18, 2020 11:43 AM

@ JonKnowsNothing

On tracking…

These tactics were employed at fusion centers across the country during the occupy movement. Now, after learning the lessons of occupy where the level of violence stands out as significant, by the authorities, that this tactic is a result of the perception that the authorities failed to “counter” the occupy demonstrations.

Others should be aware that infiltration was a big component of the counter-protest efforts led by LEAs.

Stay alert, it has yet to get weird and I’m afraid it will.

I wrote a movie scenario for this back in February, the strategic themes and underlying plot are quite relevant to the moment.

myliit June 18, 2020 12:04 PM

Our President at Work

“John Bolton Says Trump Asked China for Help with 2020 Reelection Campaign

Former national security adviser John Bolton has accused President Trump of personally asking Chinese President Xi Jinping to use his economic power to help him win the 2020 presidential election by purchasing more soybeans and wheat. Bolton makes the claim in his forthcoming memoir. The Justice Department has sued Bolton in an attempt to block publication of the book, but copies have already been obtained by journalists.

Bolton’s book comes just months after he declined to testify during President Trump’s impeachment trial. In the book, he faults Democrats for focusing on Trump’s dealings with Ukraine, saying Trump was willing to halt criminal investigations for “dictators he liked,” citing China and Turkey as two examples. Bolton also writes that Trump privately called for the execution of journalists who do not reveal their sources, reportedly saying, “These people should be executed. They are scumbags.”

Bolton also criticizes Trump for not being hawkish enough on foreign policy. He claims Trump’s decision not to attack Iran in 2019 following the downing of a U.S. drone was “the most irrational thing I ever witnessed any President do.” Bolton, who strongly advocated for the U.S. to overthrow the Venezuelan government, claims in the book that Trump said invading Venezuela would be “cool” and that it was “really part of the United States.”

Topics: Donald Trump, Trump’s Cabinet, China, Impeachment, Ukraine, Turkey, Freedom of the Press, Iran, Venezuela”

name.withheld.for.obvious.reasons June 18, 2020 12:21 PM

@ Moderator
As this is a lengthy post, editorial scrutiny is certain to apply.
DRAFT GPL 2.0 – 13 APR 2020 2050 PDT EDITED – 17 JUNE 2020 2220 PDT
<-------------------- BEGIN OPEN LETTER -------------------->
Without assumption, under direct observation, the United States Government does not exceed or meet its mandates. Grotesque in scale, as it is difficult to ascertain with a significant amount of deterministic and quantitatively substantive evidence, studies, or reports about the performance of large institutions, an attempt must be made to approximate what is failing and why. Until an analysis of the broad contours of U.S. political and governmental power and control, understanding how and why the 8000 pound gorilla is acting out, we will not fix this. And today, in less than a month the U.S. government has demonstrated that it is not concerned for the welfare of its citizens. FULL STOP

And, that the United States of America has unofficially decided to align itself in a manner and method that threatens the lives of many citizens, it is wise to act in favor of the citizen, who ARE the sovereign, and disseminate the fact that maladministration of public offices, by public officials, threatens their pursuits, liberty, and perhaps their lives. Unfortunately this is not a hyperbolic statement, if a month prior someone had sent me a similar letter, I would have dismissed it out of hand. But, in looking at the data from the Centers for Disease Control, Johns Hopkins University, Wolfram Research, University of Arizona, University of Kentucky, Stanford University, California Public University, testimonials from immunologists, microbiologists, public health administrators, practicing physicians, nurses, emergency medical personnel, and their families, I reach only one conclusion[1].

In the recent resignation of the acting Secretary of the Navy, Modly, and relieving from duty the commander of the USS Theodore Roosevelt, Crozier, speaks deafeningly to the nature of administrative fealty. When the armed services must be made to serve as loyalists to the Commander in Chief, the underlying structural institutions are failing. There is no requirement, constitutionally, that binds one to any other “person or office” of the United States of America.
As a citizen, the ability to protect and defend that to which one swore is not possible–not by my hand or word. The primary tool and weapon to wield against foreign and domestic enemies to ideals; research and studies using evidence, objective information, analysis and reporting in a manner consistent with clinical studies standards, and to call on fellow citizens into service of their country. Lastly, with an ear on the ground listening to the murmuring of those alive during the enlightenment for guidance and wisdom. To Thomas Paine, my sincerest gratitude and respect for facing history in the moment, to inform fellow citizens of the injustices and crimes committed against them and without their knowledge.

And in signing this letter, I acknowledge and understand that the expressions and statements, ARE given freely and without reservation. It is my contention that the proof given by the President of the United States of America during the month of March, April, and June of 2020, is evidenced by a comprehensive set of records provided publicly and make indisputably clear by any objective measure, the United States of America’s Federal government is incapable of honoring and maintaining the Union in good faith. State governments are operating under the rubric of fending for themselves, and in some cases THREATENED WITH military invasion from the federal government, in order to fulfill obligations to their health and security services personnel and citizens.

Not only does the federal government fail to honor its own edicts and proclamations, but it is acting in a manner hostile to state and local governments across the United States. As state government procurement offices must contend with purchase arrangements or RFQ’s and related mechanisms, state officials rarely contemplated that the U.S. federal government would DENY OR intercede during the acquisition process in a manner that could be characterized as KLEPTOCRATIC. THIS INJURY IS NOT SINGULAR, WE ARE WITNESS TO MANY AND THE GROTESQUE.

As states are denied purchasing opportunities by the federal government during a national emergency (as in an invasion BY a foreign power) and have deployed the guard, if the federal government takes from available sources the ammunition the guard needs to defend citizens, then most certainly there has been a criminal act. Using the power of federal government to bring harm to a state–premeditated and prejudiciously, with malice and disdain IS NOT AN UNCOMMON OCCURRENCE. State governors have actively engaged in “ring kissing ceremonies” in order to secure resources for personnel and citizens WHILE TACITLY REPELLING OVERT THREATS TO THE STATES LAWFUL AUTHORITIES.

CASE FOR REDRESS: A vigilante Citizen of the “Former” United States of America
[1] This is not OUR government, but THEIR government.
<-------------------- END OPEN LETTER -------------------->

Clive Robinson June 18, 2020 12:50 PM

@ name.withheld…, JonKnowsNothing,

Others should be aware that infiltration was a big component of the counter-protest efforts led by LEAs.

This is as finally came out the UK’s Metropolitan Police’s method, unfortunately the level of control over the infiltrators was to be blunt lax, thus several needless criminal offences got “covered up” as “Not in the public interest” as well as a whole bunch of civil offences including fathering children and not paying the maintenance they were legally required to do. The latter was what crowbarred the lid off the very nasty can of worms it had become.

It is almost without doubt safe to say that the UK’s Metropolitan Police under its current commander Ms Dick[1] is still using infiltration and infiltrators of various types. Because even though they have turned out to be a liability on a number of occasions, they add “intrigue” which people such as not the brightest of politicians love.

So expect more disasters and more cover ups followed by more exposes as time goes by.

From experience I know that the best method of infiltration is to use highly experienced “contractors” who not only provide arms length deniability but as they are not “tied to the payroll” or other traceable remuneration system are easier to conceal. They also tend to be a whole lot brighter than those “from the regular ranks” and certainly more OpSec aware as they are effectively NOC[2]. They also tend to bring some highly specialised skills with them.

[1] Dame Cressida Rose Dick DBE QPM, first came to public attention a decade and a half ago –and got mentioned even on this blog at the time– as “Gold Commander” of the unlawful fatal shooting of Brazilian Electrician Jean Charles de Menezes on a London Underground train, by a bunch of police officers who were just not up to the surveillance job and were far too gun happy to get “first blooded”.

[2] NOC stands for “No Official Cover” and is a term borrowed from the actual Intelligence Services. In essence it means you have no legality, support or backup. Also it’s often up to the contractor to “build a legend”[3] or supportable history that will pass more than a cursory examination.

[3] Due to the Internet it’s becoming harder and harder to “build a legend” that will stand up to even minor examination. So much so it can be nearly a full time job and it’s all too easy to make mistakes. This is not getting any easier with the likes of Google getting at children’s school work and communications from a very early age. I’m of a generation where it’s still plausible not to have a multitude of “Social Networking” accounts and similar, however if you are under 40 and don’t have a significant presence then suspicion is raised even with low wage border guards.

JonKnowsNothing June 18, 2020 2:05 PM

@name.withheld…, Clive,

Others should be aware that infiltration was a big component of the counter-protest efforts led by LEAs.

In the USA there are numerous levels of LEO placements in groups. Some are official members of the LEO organization but these are probably fewer now because of the blowback and lack of plausible-deniability when exposed.

Organizations like Tiger Swan and similar military-mercenary-LEO-supported but external/arms-length companies provide similar services. Because these organizations are not LEOs they can be hired by anyone with enough zeros in their bank accounts and on the checks to Pay The Iron Price.

The FBI, which handles internal affairs inside the USA, has many thousands of paid informers who are just ordinary folks getting some extra cash for doling out insider information.


Early on during the major blow up about the NSA and USA internal surveillance, it was revealed that one LEO had obtained all the rail train schedules and passenger lists from an insider who sold them the lists for years. When exposed the person was not charged and retired. The interesting OH? was the LEO was fully authorized to have the listings, all they had to do was “ask for them”. So they had 2 paths to the information, one official and one unofficial.

The mentioned MET-sexploitation-scandal targeted women in leadership roles because of group dynamics. Group members rarely questioned another woman’s Significant-Other thereby gaining immediate acceptance into the group. A male’s new companion would have shouted “honey pot”.

The MET-sexploiters had very good cover stories; the long term damage to the women, children, and families has still not been reckoned. The MET continues to hide the majority of the names of officers (men and women) who participated, only a dozen real names are known. One particular officer had left a suicide note but was spotted many years later in the market. When approached, the MET relocated that officer to Australia with yet another new identity. Another officer lived a very good and prosperous life as a professor teaching other police how to do Undercover Work.

Other mercenary-military companies come and go. When their cover is blown, they disband and reform with a new name. Not unlike corporations who find themselves suddenly with an “improper or impolite” reputation.

   Yesterday it was pancakes, today it is rice…

ht tps://
ht tps://

TigerSwan was hired by Dakota Access, LLC to provide security consulting during the Dakota Access Pipeline protests.[8] Internal company documents, which were leaked to The Intercept, reportedly compared the movement opposed to the pipeline with jihadis, calling them “an ideologically driven insurgency with a strong religious component.”[9] The Intercept called the DAPL operation a “multi-faceted private security operation characterized by sweeping and invasive surveillance of protesters,” and reported that the leaked situation and disinformation reports prepared by the company during the protest provide evidence of aerial surveillance, as well as radio eavesdropping.[9] Further revelations emerged from The Intercept leak including: TigerSwan had protesters followed, TigerSwan targeted protesters of Middle-Eastern descent, TigerSwan placed infiltrators at the camps and TigerSwan posted fake social media posts opposing the pipeline.

TigerSwan is currently being sued by North Dakota’s Private Investigative and Security Board for operating without a license in the state in 2016 and 2017, during which time TigerSwan was working for Dakota Access, LLC.

ht tps://
ht tps://
(url fractured to prevent autorun)

Wesley Parish June 18, 2020 11:36 PM

Fun and Games on the Browser … NOT

Chrome extensions are ‘the new rootkit’ say researchers linking surveillance campaign to Israeli registrar Galcomm

The story begins with some heuristic malware detection by Awake, looking for things like signs of uploads going to rare or known bad destinations. This led them to a bunch of malicious browser extensions, 111 in total, which “were found to upload sensitive data or not perform the task they’re advertised to perform (generally, they surveil user activity and device properties).”


If the user can be tricked into allowing it, a browser extension can have considerable power. “When the permission requires access to all data on your computer and the websites you visit, it means that the app or extension can access almost anything. This could be your webcam or personal files, inside or outside of your browser,” notes Google. Many dodgy extensions pose as security utilities, which typically do require a high level of permission to work.

For some strange reason I’ve never felt secure with the thought of overloading my browser with extensions. Not when I know I can do the work without them anyway.
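
The permission point in the quoted article, as an added example (not from the comment above or from the article): a Python audit that reads extension `manifest.json` contents and flags host patterns covering every site, plus API permissions from a shortlist. The two manifests are constructed samples, and the shortlist of permissions treated as sensitive is this example's own assumption, not an official ranking.

```python
import json
from collections import namedtuple
from pathlib import Path

Finding = namedtuple("Finding", "field value reason")

# This example's own shortlist (an assumption, not an official ranking) of
# Chrome API permissions that reach well beyond a single page.
SENSITIVE_API_PERMISSIONS = {
    "cookies": "read and modify cookies for permitted hosts",
    "webRequest": "observe network requests for permitted hosts",
    "history": "read browsing history",
    "tabs": "see the URL and title of every open tab",
    "clipboardRead": "read clipboard contents",
    "nativeMessaging": "exchange messages with a program outside the browser",
    "management": "list and control other extensions",
    "proxy": "change the browser's proxy settings",
    "debugger": "attach the debugging protocol to tabs",
}

# Manifest keys that carry permission strings. Manifest V2 mixes host
# patterns into "permissions"; Manifest V3 moves them to "host_permissions".
PERMISSION_FIELDS = ("permissions", "optional_permissions",
                     "host_permissions", "optional_host_permissions")


def is_broad_host(pattern):
    """True when a match pattern covers every host (<all_urls>, *://*/*, ...)."""
    if pattern == "<all_urls>":
        return True
    _scheme, sep, rest = pattern.partition("://")
    if not sep:
        return False  # an API permission name, not a match pattern
    return rest.split("/", 1)[0] == "*"


def audit_manifest(manifest):
    """Return a Finding for each site-wide host pattern or shortlisted permission."""
    declared = []
    for field in PERMISSION_FIELDS:
        for entry in manifest.get(field) or []:
            if isinstance(entry, str):  # ignore non-string entries
                declared.append((field, entry))
    for script in manifest.get("content_scripts") or []:
        if isinstance(script, dict):
            for pattern in script.get("matches") or []:
                declared.append(("content_scripts.matches", pattern))

    findings = []
    for field, entry in declared:
        if is_broad_host(entry):
            findings.append(Finding(field, entry, "covers every site the user visits"))
        elif entry in SENSITIVE_API_PERMISSIONS:
            findings.append(Finding(field, entry, SENSITIVE_API_PERMISSIONS[entry]))
    return findings


def rank_extensions(manifests):
    """Return [(name, finding_count)], most findings first."""
    scored = [(m.get("name", "?"), len(audit_manifest(m))) for m in manifests]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def audit_directory(root):
    """Audit every manifest.json found under root; returns {path: findings}."""
    results = {}
    for path in sorted(Path(root).rglob("manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it
        if isinstance(manifest, dict):
            results[str(path)] = audit_manifest(manifest)
    return results


# Constructed sample: an extension posing as a security utility.
SAMPLE_BROAD = {
    "name": "Constructed Safe Browsing Helper",
    "manifest_version": 2,
    "permissions": ["<all_urls>", "webRequest", "cookies",
                    "nativeMessaging", "storage"],
    "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}],
}

# Constructed sample: an extension scoped to a single site.
SAMPLE_NARROW = {
    "name": "Constructed Notes Widget",
    "manifest_version": 3,
    "permissions": ["storage"],
    "host_permissions": ["https://notes.example.com/*"],
}

if __name__ == "__main__":
    for sample in (SAMPLE_BROAD, SAMPLE_NARROW):
        print(sample["name"])
        for finding in audit_manifest(sample) or ["  (nothing flagged)"]:
            print("  ", finding)
```

`audit_directory` can be pointed at a copy of a browser profile's extensions folder to review what is already installed.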

Clive Robinson June 19, 2020 3:42 AM

@ Wesley Parish,

With regards,

    “Chrome extensions are ‘the new rootkit'”

Not exactly unexpected, what feels like forever ago I had a chat on this blog with @Nick P about “Chrome” when it first saw the light of day.

Back then I pointed out that it was atleast taking security more seriously than all the other browsers –at the time– did, especially Microsoft IE (which was trying to make IE the desktop at the time).

The problem I’d noted was that “the App was replacing the OS” and doing it badly very badly. In essence people were “working in the browser” and having multiple windows –tabs these days– open to different services, much as an earlier generation would have multiple terminals open. However where as the OS had strong issolation between the terminals because they ran as seperate processes in their own process spaces, the browsers rather than use this strong segregation idea just shoved everything in one process space with at the very best very weak segregation… I pointed out not only did the browser have access to everything but that individual windows would have access to other windows memory and communications, thus a malicious site would be able to see other sites through the browser, which would cause new types of malware to be produced, which @Nick P gave an example of what advantage doing so might give. Any way with a little time such attacks and malware did indeed happened and has now become quite common.

Some time later I also pointed out that this bad browser design and the increasing use of browsers to work through had significant impact on users in a less obvious –to the developers– way. Because each user has multiple often segregated roles in life, where as browsers written by software developers who had to little social contact wrote browsers such that having segregated roles was near impossible. After all even though they might relate via a purchase, you as a customer of a merchant is a different role to you as an account holder at a bank role. Which for obvious reasons you would want to have the merchant and bank issolated as much as possible especially as you would have next to zero trust in a merchant.

These security issues are still present in most browsers, so it’s easier to get access via the incredibly poor browser security design than it is through the OS, which used to have better security design (this unfortunately is changing as commercial OS’s not only get less secure, they also steal private information via “Telemetry” and much more).

With regards,

For some strange reason I’ve never felt secure with the thought of overloading my browser with extensions.

That’s a viewpoint I can understand as my above indicates browser security is not good, and OS security less so daily, thus any extension on a browser will almost by default get the same access as the browser, which in some commercial OS’s is not just high but effectively beyond the user’s control (smart devices, IoT devices etc).

It’s the same logic that makes me have both cookies and javascript off in browsers… Something I used to regularly get told was “not good for the browsing experience” or some other tosh[1], even though people were obviously getting attacked via their use of them. I guess that’s why a decade later I’m hearing less people telling me in effect ‘I’m Paranoid’[2] for having them turned off even though there is now an advantage in doing so[1].

Which brings us to the important point,

Not when I know I can do the work without them anyway.

Whilst you, I, and several others can do this, we are not encouraged to do so in oh so many ways. Thus the majority of people are being “led by the nose” into a world where they have no control, not even the choice of not participating. You can see this happening in education where institutional email servers etc are being replaced by the likes of Google’s online services that are “data mined” not just for use today in advertising, but use tomorrow against the individual in oh so many ways we can not even think of them all.

[1] The funny thing is having both cookies and javascript off rarely affects the actual viewing experience, and can in many cases give you a faster less fussy experience. Because it tends to get you around “Web Developers” limited thinking, thus you don’t get ads or popups that tell you you have to click on ‘TOS accept’ etc.

[2] Not quite true, I get it currently because I won’t use “Secure Messaging Apps” on my phone[3]. For what are basically the same problems as with browser security, that is it is too easy for an attacker to do an “endrun attack” around the security of the applications and users get “gulled” into a false sense of security. I guess in this coming decade people will call me paranoid for not doing some other new silly security fad that actually gives little security whatsoever[4].

[3] It’s not just apps, I’ve had it as well over the fact I don’t do “social networking” via Vampire Corps etc, nor do I have personal email and the fact I insist on 7bit ASCII and no attachments for other communications.

[4] I just wish people would realise that having the “Human Computer Interface” (HCI/UI) on the same device as the “Communications End Point” (CEP) is a built in security failure. Because it puts the “Security End Point” (SEP) which is in the application in a position where an attacker can perform an “End Run Attack” around it either at the OS level or if the app is a browser extension then in the browser. Further that both OS and Browser security is being deliberately weakened as time goes on under pressure from third party interests, be they commercial data aggregators or Governmental Guard labour entities such as the many various, military, security, law enforcement, and intelligence agencies.

JonKnowsNothing June 19, 2020 10:37 AM

@Wesley Parish, @Clive, @All

“the App was replacing the OS” and doing it badly very badly. In essence people were “working in the browser”

This MSM report on yet another change to the address line functionality by Google. Google plans to add an automatic text-search-in-page as part of the URL. Essentially doing a URL page get, with a Text Search in one command, that they call “text fragment links”.


  1. URL
  2. plus the code for text search “#:~:text=”
  3. search text


ht tps:// breeds of cat have a noted fondness for sitting in high places

(url fractured to prevent the link from being active)

As explained in the article, adding in “spaces” in the URL line is not good, and there are restrictions on special characters that require escape coding.

The corrected URL looks like this:

ht tps://

(url fractured to prevent the link from being active)

Google’s new Chrome extension, called “Link to Text Fragment,” (it’s also on Github) will put a new entry in Chrome’s right-click menu. You just highlight text on a page, right-click it, and hit “Copy link to selected text.”

The links have already started to show up in some Google search results, which allow Chrome users to zip right to the relevant text. It’s probably only a matter of time before link creation moves from an extension to a normal Chrome feature.

Some browsers already support multiple functions on the input line.
Firefox offers:
  Address bar for Search and Navigation (a single input box for two functions )
  Add search to the toolbar (two input boxes each with their own function)

Another aspect about this “feature” is in order to avoid showing all the garbage they will drop visibility of everything after the proper URL, so you won’t even “see” the rest of the call line.

Just looking at the amount of escapes needed and all the existing problems with address spoofing and redirection, this is another failing.

ht tps://

(url fractured to prevent autorun)
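
The link format described in the comment above, as an added example (not part of the original comment, nor Google's extension code): it builds a text fragment link with the escaping the directive needs, then splits one back into the part left once the directive is hidden and the text carried after it. The example.com URLs and the function names are constructed for illustration.

```javascript
// Added example: constructed URLs, hypothetical function names.
const DELIM = ":~:";

// "-", "," and "&" are syntax inside a text directive, so they must be
// percent-encoded. encodeURIComponent handles "," and "&" but leaves "-".
function encodeDirectiveText(text) {
  return encodeURIComponent(text).replace(/-/g, "%2D");
}

// Append a text directive to a page URL, keeping any ordinary #anchor.
function buildTextFragmentUrl(pageUrl, text) {
  const u = new URL(pageUrl);
  const anchor = u.hash.replace(/^#/, "").split(DELIM)[0];
  u.hash = "";
  return `${u.href}#${anchor}${DELIM}text=${encodeDirectiveText(text)}`;
}

function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; } // malformed %xx
}

// Split a link into what is left once the directive is dropped ("visible")
// and the decoded text it asks the browser to find ("searched").
function splitTextFragment(link) {
  const hashAt = link.indexOf("#");
  const fragment = hashAt === -1 ? "" : link.slice(hashAt + 1);
  const delimAt = fragment.indexOf(DELIM);
  if (hashAt === -1 || delimAt === -1) return { visible: link, searched: [] };
  const anchor = fragment.slice(0, delimAt);
  const searched = fragment
    .slice(delimAt + DELIM.length)
    .split("&")                               // several directives may be chained
    .filter((d) => d.startsWith("text="))
    .map((d) => d.slice(5).split(",").map(safeDecode)); // [prefix-,]start[,end][,-suffix]
  return { visible: link.slice(0, hashAt) + (anchor ? "#" + anchor : ""), searched };
}

// Constructed sample: the phrase from the comment on a placeholder page.
const sample = buildTextFragmentUrl(
  "https://example.com/cats",
  "breeds of cat have a noted fondness for sitting in high places"
);
console.log(sample);
console.log(splitTextFragment(sample));
```

Recording or sharing only `visible` keeps the searched-for text out of logs and forwarded links.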

Weather June 19, 2020 3:20 PM

Sha256 half byte range dropped down from 32 but brute force 20% successful with time x, 50% success with x*1.5

Clive Robinson June 20, 2020 9:44 AM

@ JonKnowsNothing, ALL,

Your example got munched by the webserver parser by the looks of it.

This Google “link text” add on will almost certainly be a security disaster in the making because certain characters that are normally used in freetext such as single quote marks are ‘Danger Will Robinson’ and they are thus excluded from URL’s…

So at the very least text can change meaning, sometimes significantly. Thus,

    Snake’s eye’s and Snakes’ eyes’ will be Snakes eyes etc.

Which appears harmless enough but it’s not as it changes meaning. I used to work for the number one company making “citation databases”; few realise just what researchers do with such databases. One is to look for trends in literature which can affect billions of research funding, especially if people got the trends wrong which such changes of meaning could do…

But this has another aspect to it, people tend to forget that Google is the smiley face on an expanding research organisation. Alphabet/Google know that the “Personal Data Market” is a “bubble market” and at some point fairly soon others will as well, and at that point the profit will rapidly start to vanish… Thus Alphabet/Google have been “hedging” into research in other areas. We’ve heard of some when they have offended the morals of those inside the organisation, but you can bet there is a whole lot we’ve not yet got to see…

Which brings up a number of issues…

Most will be able to see these extensions are actually an underhanded way for Google to get more “meta-data” on you. But that is especially true for those doing valuable research, where Alphabet/Google has a high probability of being a research competitor.

Look at it this way, as a researcher I might pull up ten to a hundred pages of information, then search them for specific “research revealing” strings locally in my browser. Google only gets very broad information on what I’m doing from the pages. However if I use this new find text in the URL input from Google, Google’s search engine gets the actual text I’m searching for, thus the meta-data they get is not broad or open to interpretation but laser scalpel fine. Such information has significant value, not just because it can give you a jump on somebody’s IP thus you can thwart patent applications outside of the US, but in the US such strings could get you a three times uprating in any patent dispute claims under US civil jurisdiction.

But remember it’s also a privacy issue, because there is the issue of “third party business records”. Whilst it’s your thoughts and your search it becomes Google’s “Third Party Business” records, which do not require a warrant or probable cause to be shown to just about all “guard labour” types to get easy access to via an NSL or equivalent…

Remember as Cardinal Richelieu’s “Give me six lines…” should tell you the opportunity for mischief by loonie authoritarian types should be apparent, irrespective of where they are in the “Guard Labour” hierarchy…

And that’s all before people start getting creative with other “feature failings” this power grab addition by Google will have.

After all there was a reason[1] why this was funny,

Something you kind of had to have lived through in the late 1990’s and onwards[2].

[1] For those of “younger years”, who might not have experienced the significant wave of abusable vectors that arose from moving server applications with terminal access into web based systems with user PCs[2]… When even the public got to hear about “Input sanitation”,

But read down into the comments as well 😉

[2] The underlying reason input sanitation became such an issue was the habit most old iron programmers of that time and earlier had, of “Moving error checking as far to the left as possible” usually completely separate to the “business logic”. In moving the old iron apps onto webservers they left the business logic on the old iron, but moved the user input error checking to the users browser… Whilst this gave good performance, it meant that anyone with even skills learned in one of those “24Hours” books could hack the business logic which was no longer protected by the left shifted error checking…

JonKnowsNothing June 20, 2020 12:40 PM

@Clive, All

re: Example got munched

It is ugly coding for sure. Maybe a good thing the parser ate it.

re: database searching and values

The modern method of refining searches is to give you “More of What You Asked For” or what the engines determined You Asked For, not what you are really looking for.

This bias shows up very prominently if you watch “Buster Keaton” movies on line. All of a sudden, your “suggested list” will fill with Buster Keaton Movies. You won’t find movies with Yakima Canutt because the algorithm has improperly classified what you are looking for.

With the add-on interior-page-search to the URL, this bias isn’t going to change. You get more of what you search on but not what you want.

A huge problem is when someone makes a poor search phrase selection, your AI-Score-Card is going to get ticked and picked and you may find you cannot fly to your Post-COVID19 Vacation (aka COVID19-Death Trip). To be sure, this happens now, but it will be even worse. There are some terms you BEST NOT search for in the USA if you don’t want to end up in prison (afaik this list is not published).

Another aspect yet to be exposed is the on-going legality of searching not only the top part of the website but the internal pages. Currently the fighting between publishers and tech companies is over payment for items like news reports. The tech company position is that this is “fair use”; there are world wide legal challenges in progress along with demands that they pay for the content. Should the big tech companies start paying for the content there won’t be much impediment to searching internal pages. It may be a new source of income to non-news sources (authors, poets, lyrics etc.).

The brouhaha over the lending of books by the Internet Archive during the massive closure of libraries during COVID19, by publishers and authors demanding payment for lending books, shows not even altruism will get a pass when it comes to money.

ht tps://
ht tps://

ht tps://
ht tps://

ht tps://
(url fractured to prevent autorun)
