Friday Squid Blogging: Fishing for Jumbo Squid

Interesting article on the rise of the jumbo squid industry as a result of climate change.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

Posted on June 26, 2020 at 3:57 PM • 97 Comments


SpaceLifeFormJune 26, 2020 5:17 PM

@ name.*.*.*.*

Who knew that bluebird house builders actually don't like trees?


name.withheld.for.obvious.reasonsJune 26, 2020 6:15 PM

Lawful Access to Encrypted Data act
There is a disturbing amount of propaganda that has been part of this direct assault on general security that is part of the human defined transactional and operational domains. Couched in the classic boogie-man arguments (nearly all of them) appear in one sentence of the statement published by the U.S. Senate on background regarding the act. From child exploitation to trafficking of various illicit acts/objects--includes terrorism in several flavors. One sentence.

Disingenuous Contextual Framing
The troubling propagandized text sets a contextual relationship between cryptography and criminality with the use of "warrant proof". The ideas in my head, to date, are "warrant proof". The banana I had for breakfast this morning is "warrant proof" even though I am still in possession of the banana. The foundational destruction of rights is clearly present in the statements supporting this fecal specimen wrapped in a senatorial trope. Underlying the issue is the apparent "government first" assertion where in the fourth amendment to the constitution specifies when an intrusion might be appropriate, not that intrusion is the first act. The senate is proposing a functional revocation of the state property/privacy firewall and the rights in both the fourth and fifth amendments.

Get the LEAD out
Legislative Title Suggestion: Lousy Encryption ASSerted by Dummies (LEAD)

The definition that I would assert describes this crowbar plied at citizens, all persons really, security online; from financial transactions, inter-organizational and intra-organizational communications, research and development, and confidential or sensitive messaging and documents. The is also a threat to speech and unpopular ideas and political dissent.

Dissent and speech have yet to be made formally illegal, only functionally the case is made reflecting the edges of speech slowly peeling off the parchment.

name.withheld.for.obvious.reasonsJune 26, 2020 6:19 PM

@ SpaceLifeForm

Unbelievable, or wait, normalizing authoritarian tendencies seems to be a pastime that has gone from amateur unorganized ad-hoc sporting event to amateur checkers formally organized with multiple professional associations and nationwide conventions.

ChrisJune 26, 2020 6:28 PM

I have tried previously to tell some person that i think should understand what i was talking about regarding RF sensors.

In this particular case we were talking about someone that was actually following ME :-)
yes so i told the person that dont use radios tactically to send position changes.

What would we need to mitigate this i told very perfectly was, that you better use a nonstop tx network such as internet 3g/4g and some audio reflector to use as the "virtual radio network" ...

The person i told it to told me she understood what i was saying, still 2.5 years after nothing has happened!!!!!!


name.withheld.for.obvious.reasonsJune 26, 2020 6:28 PM

@ SpaceLifeForm, Clive, Jonknowsnothing, Sherman Jay, MarkH, and the irregular suspects
Am hoping that a few D.C. advocates, jurists, solicitors, officers of the court, having just recently awoken to the risks that are part of the landscape we witnessed for decades. Barr may be the spark, though I'd argue at less than a joule, in which those that have unwittingly tied their fortunes to the power structure understand that they too are at great risk. Have been in conversation with trusted citizens and thoughtful human beings, there is some hope in the wider world that may make a future possible instead of the destruction of the (a bit sarcastically) Universe.

A rumbling afoot, not a rambling.

ChrisJune 26, 2020 6:36 PM

Then we have another thing that is almost obvious and its ANPR

Do you think people that have a possibility to be a target of some LEA not have tools to do.

Remember Regnumber
Use alarm for previous remembered Regnumber
Use a central database of previously remembered Regnumber

Now also this can be implemented not only for regnumber but for.
- Voice fingerprint
- Picture fingerprint


DroneJune 26, 2020 8:55 PM

A perfect example of what mail-In ballot fraud Looks Like...

* 13-May-2020: Paterson, NJ 1st-Ward Councilman Michael Jackson (remember that name) complains about his upcoming election being converted to only mail-in ballots because of COVID-19:

“This whole election has been screwed up,” said Jackson, the incumbent in the 1st Ward race.[1]

Meanwhile, Councilman Michael Jackson and three others in Paterson, NJ were quietly conducting mail-in ballot harvesting and other forms of ballot fraud. As the counts came in, it became clear to the race losers that something wasn't right. There were calls for recounts and investigations. It turns out that due to the way the stupid fraudsters mailed-in their fake ballots, there was already a mail-in ballot fraud investigation underway.

* Fast forward to 26-June-2020. Quoting[2]:

"Voting fraud charges filed against Paterson councilman and councilman-elect...

[New Jersey] Attorney General Gurbir S. Grewal announced voting fraud charges against 1st Ward Councilman Michael Jackson, 3rd Ward Council-Elect Alex Mendez and two other men, weeks after the May 12 local election in which the Passaic County Board of Elections decided not to count 800 city ballots found scattered across different municipalities.

Both Jackson, 48, and Mendez, 45, were charged with fraud in casting mail-in votes, unauthorized possession of ballots, tampering with public records and falsifying or tampering with records, according to the statement. Mendez was additionally charged with election fraud and false registration or transfer.

Along with Jackson and Mendez, two Passaic County men, Shelim Khalique, 51, of Wayne, and Abu Razyen, 21, of Prospect Park, were also charged.

The investigation was sparked by reports that hundreds of mail-in ballots were found in a mailbox in Paterson and in a mailbox in Haledon."

Moral of the story: Don't dump all your fake mail-in ballots in the same mail box all at once, it looks suspicious.

After reading many mainstream media reports about this case of mail-in ballot fraud, none cited the political affiliation of any of the perpetrators. I think that speaks for itself. In-fact I'm surprised this case was reported on at all.

Happy squid day...

* References:



SpaceLifeFormJune 27, 2020 1:49 AM

@ Drone

Lie, Destroy, or Blame?

Lie, Destroy, or Blame?

Lie, Destroy, or Blame?

In order to escape from this three-choice dialog box in a loop that refuses to acknowledge reality,

we must reboot the system.

Gaius Petronius Harper OgburnJune 27, 2020 2:25 AM


we must reboot the system

Maybe not

"We trained hard, but it seemed that every time we were beginning to form up into teams we would be reorganized. Presumably the plans for our employment were being changed. I was to learn later in life that, perhaps because we are so good at organizing, we tend as a nation to meet any new situation by reorganizing; and a wonderful method it can be for creating the illusion of progress while producing confusion, inefficiency and demoralization."

AlejandroJune 27, 2020 7:07 AM

Another face ID fail:

'The Computer Got It Wrong': How Facial Recognition Led To False Arrest Of Black Man

Seems facial-id footage from a cheap store video cam is not accurate with black folks. It's a well known issue of the technology in general.

Not to worry, Detroit PD jumped in regardless and grabbed a man named Williams off his front lawn, in front of the kids, based on the footage and ID software. But, they were...wrong. Oops!

NOW, they say they will only use it for very serious crimes or whatever.

Police, cannot handle the new technologies. We should work harder to handle the police.

Clive RobinsonJune 27, 2020 8:26 AM

@ Alejandro,

Not to worry, Detroit PD jumped in regardless and grabbed a man named Williams off his front lawn, in front of the kids, based on the footage and ID software. But, they were...wrong. Oops!

It will be found that they were not wrong... Just acting on "good faith" or whatever, just as they are when a CI gives a tip that was either wrong or the handler noted down the wrong address.

People need to understand how law enforcment works or more correctly does not.

To start off with around 80% of cases that are realy solved are down to the criminal fraternity either "mouthing off" or getting "grassed up".

That is the police have a suspect that "they know did it" all they have to do is build a case around them. Thus they only look at what incriminates not what excalpates.

That is the polices basic MO, the problems start when they are not "gifted a guilty individual". They then fall back on the old "foot work" they hate of interviewing people checking stories and facts and basically not sitting at their desks with a coffee and doughnut etc. They thus have to,

1, Build a list of suspects.
2, Eliminate the unlikelies
3, Then pick who ever makes the top of their list.

Often this is done by a bunch of "rules of thumb" including the good old favourits of "They look odd so it must be them", "We know they are guilty of something", or "We know they are crooked so it's their turn", but best of all "My gut tells me it's them".

At which point they go for "find what makes them look guilty" as indicated eny exculpatory evidence will not only "not be investigated" it will not get recorded in any way because there is that annoying thing that says all evidence has to be handed over to the defence. And the lust thing a doughnut muncher wants is all his hard work finding things to make the defendent look guilty will be wasted and the muncher will loose any pay/job enhancment/promotion "brownie points".

It's why smart lawyers tell their clients not to say anything, not even confirm their name, and let the lawyer do all the talking.

Three reasons for this in the US are,

1, The LEO's are alowed to lie.
2, The defendent is not alowed to lie, mislead or even make an honest mistake due to poor memory or because they are confused/scared.
3, Actually claiming your rights has been made so difficult that it can eaaily be got wrong even by a smart lawyer.

But there is a fourth reason that is not the LEO's but the DA's. They have to find you guilty of something even if it's just looking at the moon in a funny way. The reason is if you are innocent and wrongfully arrested etc you stand a chance of getting compensation, but only if they can not find an excuse to find you guilty of something. This is what is behind plea deals etc, the more they threten you the less likely it is they have a real case. If you don't take the deal their only way to avoid the ignominy of failing is to "rights strip you" which is a well known process of keeping you forever locked up or incapable of earning money, they thrn keep throwing junk charges and asking for more time etc till they bankrupt you and your family etc.

That's the system and all those who play against the defendent are in it up to their eyebrows and mostly judges let them get away with it, because it's generally not in a judges best interests to do anything else...

The notion that a person is innocent untill proven guilty does not sit well with the "beast". That is the less bright in society being driven on by the MSM that in effect "demand blood". For they car not who's blood as long as there is blood. Any judge that gets either elected or effectively promoted by politicians knows that if the beast does not get some defendents blood then it will be the judges blood that the beast will go after.

If people think I'm being overly despondent about the MO of LEO's, DA's or politically controled judges, maybe they should take a look at the US justice system in the likes of Chicago where "illegal detention centers" were setup and used against those on the lower rungs of the socioeconomic ladder. Then there are the judges who have been on the take from private prison opperators and much much more.

The release of those secret police records are likely to throw up lots and lots of further examples.

But we already know that LEO's tamper with body cams, and now the disapearing text message apps (Tiger Text / Silent Phone) story is going to show just a little more of the corrupt under belly of the US justice system.

As my father used to tell me,

The best place to be when there is trouble, is somewhere else. Preferably as far away as you can be.

As the entire US justice system from the AG down to the lowest of street cops are "trouble" it's going to be a bit hard to "be somewhere else" unless you fancy foreign climes, and that's none to certain either these days...

myliitJune 27, 2020 8:47 AM

@Alejandro, Clive Robinson

From the OP: “... What makes Williams' case extraordinary is that police admitted that facial recognition technology, conducted by Michigan State Police in a crime lab at the request of the Detroit Police Department, prompted the arrest, according to charging documents reviewed by NPR. ...”

What makes me thankful is LEO(s) divulged that, something like, “ the computer told them to arrest him.” Without their disclosure(s) then, we might be clueless or still in the dark about what’s going on.

Let’s see: a) wholesale surveillance, b) facial, voice, license plate, gait, etc., recognition, deep fakes, and so on, c) then computers making arresting decisions, then d) (d for duh) what’s next: drones or robots arresting people? What could possibly go wrong under our President or Attorney General?

PhaeteJune 27, 2020 12:25 PM

LimitedResults has made a nice writeup of a hardware hack/glitch to gain access to the protected data parts of a common used chip.

It was 2 weeks ago already but i haven't seen it passing by and i was enjoying the sun and garden too much to bother, but here it is.

nRF52 Debug Resurrection (APPROTECT Bypass). Its got 2 parts, the link to no.2 is in the sidebar.

Nick LevinsonJune 27, 2020 3:06 PM

"China Standards 2035" appears to be a concerning risk. It's not fully formed. Now, it's reportedly just a guide to development goals. But the People's Republic of China apparently may be building it into some of its international agreements with nations dependent on China's Belt and Road Initiative, an international development program financed by loans that some nations may have difficulty paying off, deepening the obligation they will have to the P.R.C., and, anyway, some nations may find enough benefit for their governments to not want to object.

China may want a new IP system to give nations more control over connections, permission to use, and content. The system of introduction of final standards may be that new technology that the present IP system is not ready to support at the level users would demand (there's always new tech) would be the opening for a P.R.C.-developed IP system. I don't think IPv6 or 4 would be banned outright soon, but China might want to obsolete them, internationally and over time. The system may be mandatory for some products and services sold internationally from P.R.C. even before standards are finalized, such as by requiring that a framework be in place. Possibly, that requirement could conflict with the better standards, conflicting technologically (e.g., in forcing leaks through incompatibility), financially (in, e.g., cost of manufacturing), and/or legally (in some jurisdictions).

Cracking security can do more or less the same things, but this would forbid fixing without governmental consent. Governments can disconnect the Internet at border crossings and over the air now, but this would give governments more fine-grained control.

The role of U.S. government-to-government diplomacy may be in jeopardy, if we are less likely (since a 2017 order) to have people in place to protect some version of a system that's reasonably secure, supports popular demands such as for information flows, and is reliable and inexpensive. We may need to address third nations' concerns. There are negotiations anyway; our presence would make a difference.

Some sources (and higher-quality sources are available to subscribers et al.):


Lay meaning of standards as concept:

Arguing against P.R.C.'s plan:

There must be something more substantial from P.R.C. giving its view, even unofficially, but at least there's this promotional tidbit:

Sancho_PJune 27, 2020 5:17 PM

@Phaete re nRF52: Thanks + Ouch!
Have you seen their ESP32 hack? Ouch Ouch!

dbCooperJune 27, 2020 5:23 PM

For those of the belief the major social media platforms are in need of a reformation, as regards content and security, Mr. Schneider has been a proponent that a economic angle of attack would likely cause the fastest response.

From a content perspective this will be playing out over the coming weeks, at a minimum on one type of content. Here's to hoping that is successful and it leads to further reforms on these sites.

ismarJune 27, 2020 7:38 PM

Further to my question from previous Friday, and having received no satisfactory answer (Clive was for some reason shy to wade in and it looks like that the saying "If you want something done , do it yourself " still holds as well as ever), here is one possible explanation on why the oppressive regimes are so successful in maintaining their grip on power

which explains a couple of social behaviour-based reasons for maintaining of the status quo.

One interesting aspect of these behaviours is that, even though the people may be fully aware of the oppression, (like in case of Edward's revelation of the NSA spying on American citizens), the possibility of change is minimal unless an alternative solution (for governance) is offered.

This is something that Edvard has failed to do - there is still time Edward :-), yet something that Bruce tries to tackle in his book Data and Goliath - there is a whole chapter on possible solutions.

As we know the book was released 5 years ago now ...

Dan RachamimJune 27, 2020 8:53 PM

I thought the HOR policing proposal on cameras demonstrated how hard it is to create policy around video-- who gets access to the recordings? When can cops record? When must they? When can there be editing.

Wesley ParishJune 28, 2020 1:54 AM

I thought I'd swear off commenting for a while, but today I found something so interesting, an analysis of the power plays that lead to the First World War and the similarities to today, that I thought I should pass it on. It's in a book titled "Dreadnought: The Ship that Changed the World" by Roger Parkinson, ch 10 "From Jutland to Washington", pg 244, and reads:

In an age of deterrent weapons their deployment is based on the possession and preservation of the weapon rather than its use. [...] That the dreadnoughts were not a very effective deterrent is beyond doubt, which leads again to the conclusion that the effectiveness of a deterrent is directly related to the available counter-measures deployed against it. [...] Strategic deterrents of our own age have yet to be subverted by effective counter-measures and for the moment in some sense remain 'classical' weapons. [...] [The dreadnoughts] were designed as 'classical' weapons to emulate the role of the eighteenth-century wooden line-of-battleship, yet were compromised by covert weapons that proscribed their role to an extraordinary degree. [...] Howbeit, the disinclination of the fleet commanders to seek action places the dreadnoughts much closer to the strategic deterrents of the late twentieth century than to the wooden battleships of the age of Nelson.

Note: the "covert weapons" referred to are the mine, the torpedo, the torpedo boat/destroyer and submarine.

And its relationship to the subject of this blog, namely cybersecurity and its correlation, personal privacy and protection? Well, for a start, as everybody who's got a working brain and who has analysed nuclear issues over the past few decades knows, nuclear weapons are unusable except as threats. They are too absolute. Cyberweaponry - to the degree we can use that word of malware and suchlike - are not. They can be used, and as far as we can see, that is what is happening - they are being used.

They are making the nuclear weaponry obsolete - not so much as by the old Third Ronnie trick of explicit counterweaponry aka SDI (renamed by Arthur C Clarke as BDI - Budgetary Defense Initiative) aka "Star Wars" - as by the simple procedure of taking the back route and bypassing them completely.

You see, with "cyberweaponry" you take "war" - conflict between nations - off the battlefield and into the ordinary citizens' lives. It makes PsychOps - "psychological warfare" - into the centre of the conflict, with battlefield clashes a mere sideline. And it bases its PsychOps on details it gets from the data so lovingly and assiduously collected by various home team TLAs and corporations, and so assiduously leaked by incompetent admins.

Defense must be in-depth in this scenario, which isn't happening. I think the Chinese and the Indians and the Pakistanis know this and I wouldn't be surprised to find out after another half-century - assuming I live that long - that I hit bullseye with that statement. Judging from the attempts to roll back various human rights provisions of various human rights instruments - treaties, constitutions, whatnot - the well-heeled classes in the "Democratic West" have yet to understand this. I expect the major current cyberwar battlefields to be between India and China, and India and Pakistan - the US is most probably a sideshow by now. Thank the repeal of the Glass-Steagall Act and the Citizens United decision for that.

myliitJune 28, 2020 7:47 AM

re: Wirecard

“... It’s also tempting to argue Wirecard isn’t emblematic of fintech anyway. Industry insiders say they’ve long been confused about the mismatch between the German firm’s DAX blue-chip status and its lack of presence on the ground bidding for clients. Wirecard’s bombshell revelation of a $2 billion hole in its bank account has little to do with technology and potentially a lot to do with dodgy accounting, as a series of Financial Times articles over the past year had already pointed out.


There are also hidden complexities in the business. Garen Markarian, chair of financial accounting at the Otto Beisheim School of Management, gives the theoretical example of someone buying a KLM airline ticket in Vietnam: A Wirecard partner might collect the money, transfer it to a foreign-exchange firm for a currency conversion, hand it to Wirecard to pass on to KLM for a fee and take a cut itself. This isn’t quantum physics, but it introduces execution risk. If internal controls aren’t strong, money can be lost. ...”

AndersJune 28, 2020 8:10 AM


Have you got a chance to see the Megaprocessor up close and personal?

rrdJune 28, 2020 9:55 AM

@ ismar

>> my question from previous Friday, and having received no satisfactory answer

We all have the freewill to choose willful ignorance over open-minded curiosity. That fact is especially obvious here in America with the Trumpers, but it's true for atheists, too, who contend that they can comprehend the Creator of all that will ever exist, its physical laws and consequences, and our role in it, without first going within and making contact themself. (And while ignoring the point-source of the universe and the fact that 5/6ths of its mass is utterly missing.)

Trumpers will never receive a "satisfactory answer" to how awful a human being he is or how anti-American and anti-Christian he is. They will only ever believe in what they already believe, and that is their choice, even though they can't defend their position logically in words and are obviously falling on the down side of Dunning & Kruger's monumental findings from 21 years ago.

You reject my position out-of-hand, with no questions asked and no points made. In fact, I doubt you even read it for comprehension. I see no difference in attitude between you and the Trumpers, although you are no doubt both more intelligent and less belligerent.

If you tasted the joy my family experiences on a daily basis you would *know* what I say to be true, yet you persist in failing to live the life of a scientist: to test the theory for yourself. All I suggest is for you to go within yourself and beg our Creator and Its universe to help you transmute your vices into their corresponding virtues. I ask for nothing for myself nor do I state any preference for any one form of religion over another. I merely suggest that you make your own connection and follow your intuition from there. (I also suggested Huxley's "The Perennial Philosophy" as an excellent, Western approach to the universality of the Religion of Love that comes in many forms.)

So you simply categorically deny my description of human nature because of what, exactly? And yet you have no question for my advanced understanding of human nature and the nature of spiritual development? You have no argument and no counter-claims and yet you claim you can judge what I have said to be wrong?

So you do what the Trumpists do: you just ignore the new facts until you find someone to mollify you with what you are already familiar with.

Remember, the word ignorance comes from the verb "to ignore".

This entire world's peoples have been doing a heckuva lot of ignoring for a heckuva long time, from our treatment of others to our treatment of the Earth to how exactly we can consciously evolve ourselves into a cooperative world society of equals.

The 4th World Chess Champion, Alexander Alekhine said:

You can become a big master in chess only if you see your mistakes and short-comings. Exactly the same as in life itself.

You asked a question and the universe answered you.

We can never have security if we don't understand how the hateful, deceitful power-mongers of the world work. Neither can we establish a just society that treats people solely according to the "content of their character", until we at least try to become better people ourselves.

The people who actively encourage the oppression of others (physically, economically, or however) are living in their mammal brains and its pack-on-pack brutal competition. To be "humane", a "humanitarian" and possess "humanity" requires us to go beyond mammalian divisions, and that requires us to first and foremost be open-minded as to why we are here and how we should act for the benefit of *all* our fellow human beings.

The eye doesn't make the light, the ears don't make the sound; which thoughts and emotions are you choosing to tune into, and which are you turning away from?

I have seen my parents' warping themselfs over the years by first FoxNews and now OAN. That these populations of hypocritical, self-blinding oppressors crop up in every culture and ethnicity across the Earth are really the only threat to our security. They're the only threat there *ever has been* to anyone's security (at least as far as human-sourced causality). That's because they have the free will to choose to be an evil bastard, but there's also the way of Dr. King, the (by far) Greatest American Yet, whose final lesson was chilling for those of us who see his self-sacrifice for what it is: a lesson in how evil a group of people can become. Our 2020 American society is rife with people who align themselves with the evil, evil people who wanted Dr. King dead.

There are only so many ways a person can deal with a new truth:

1. Accept it and modify one's attutudes correspondingly.
2. Ignore it because it doesn't fit into their preconceptions.
3. Attack it by simply claiming it's false.
4. Attack it by making up lies as counter-claims.
5. Leave it under consideration until further exploration is performed.

Pick a number, any number. Open-mindedness and honest self-evaluation are rewarded by the universe, we being the only abstract information processors around this delightful, beautiful, mind-blowing creation.

rrdJune 28, 2020 11:33 AM

@ Wesley Parish

Yeah, airplanes and their carriers killed the dreadnoughts dead. Being able to use extremely cheap squadrons of planes to scout, surprise and sink ginormous ships in minutes put paid to the "romance" of crossing the T.

I'd say that the West's failure to address the PsyOps available via the internet is more about our own politicians treating our citizens merely as consumers that the politicians, themselves, wage their own PsyOps against. GOPers are actively using the very same techniques developed decades and decades ago, in addition to good `ol American campaign bullsht, bolstered by modern data collection, as you mention.

Speaking of PsyOps, I wonder if any of you have an opinion about Yuri Bezmenov's 80's interviews "Deception was My Job" and "Psychological Warfare: Subversion of Western Society" (both were on youtube and appear to still be). Sure looks like Putin's playbook to me, and evidently rather effective, the more so with the internet now in full voice. (Bezmenov, IIRC, talked about his efforts in India on behalf of the USSR, so perhaps that's how India is so intimately acquainted with such ops, as you suggest.)

Alas, probably the simplest (but not at all simple) way to effectively defeat such efforts against the populace would be mass education but that first requires willing students and those are obviously thin on the ground, especially in the vulnerable groups.

The only other way I can imagine solving the problem would be to deanonymize the internet, but that opens up all sorts of other barrels of worms related to the utter untrustworthiness of our politicians. I mean, the world had to take back a Nobel Peace Prize because of how, as leader, she allowed what appears to be genocide and other atrocities among her own citizens, albeit ones of a marginalized minority sub-society, her government's crimes aided, abetted and stoked by FB's pipe.

Finally, with anonymity as with anything we do when no one's watching, it all boils down to personal ethics/morality on *how* one chooses to live their life with respect to our fellows. Consensus on the issue of that "how" certainly resides in the realm of contention thus far.

JonKnowsNothingJune 28, 2020 11:34 AM


re: Triage and COVID19 deaths UPDATE

The COVID19 outbreak in care homes, specifically in the UK and Sweden but in other countries too, represents a huge percentage of total deaths. There are on-going questions about how the "protective rings" and "secured settings" were breached to the extent that ~50% of the deaths in some areas came from care homes.

The stories or porkies as they say, just get worse as the truth of what is taking place become clearer with every death.

The post dated 06 02 2020 referenced an outbreak of COVID19 in a care home in the UK:

  • [An] outbreak infected 62 of the 82 residents [in a care home]
  • 24 people have died
  • [The care home] offers nursing, palliative care and dementia care and accepted patients with Covid-19 who were discharged from hospital.
  • Four of the people who died were those who were sent from hospital after supposedly having recovered from the virus

The unanswered question was

  1. If they were truly cleared by the hospital then this is a confirmed second re-infection of 4 people.
  2. If they were not actually cleared and sent to a care home, 20 other people became infected and died and 58 people became ill.

Well, we have some new answers:

  1. The Hospital Transfers were not clear of COVID19
  2. The Hospital Transfers had active COVID19 infections
  3. The care homes were not informed
  4. The care homes did not get PPE (and still do not get PPE)
  5. Little or no COVID19 testing occurs
  6. "Releasing hospital patients into care homes without Covid-19 tests was not illegal"
  7. "excess death toll in UK care homes during the pandemic is now close to 32,000, almost twice the official number of confirmed or suspected fatalities from the virus."
  8. "In England 54% of all excess deaths were in care homes"

The Hospital Transfers were likely sent as hospice/not expected to survive, freeing up beds for others.

The popular finger pointing goes to infected staff, working at multiple facilities as the primary source of infection. Active COVID19 patients being released from hospital into a care setting may be bigger source of infections.

The good news finding? That the 4 known COVID19 patients who were "clear" did not get a second helping of COVID19, they had active infections when they arrived and never recovered.

The bad news finding? Surviving The Swedish Treatment (aka Herd Immunity Policy), is going to be much harder to achieve because it "isn't illegal for the government to kill you".

ht tps://

ht tps://

ht tps://

ht tps://

def: Telling Porkies / Porky Pies is Cockney slang for Lies
(url fractured to prevent autorun)

Clive RobinsonJune 28, 2020 12:42 PM

@ Anders,

Have you got a chance to see the Megaprocessor up close and personal?

I think we talked about it on this blog half a decade ago...

But no I've been no closer than look at photographs.

One of the things I remember is that it was "not quite" how computers work, even the old PDP8 that was transistorized (which I not only worked on but had occasion to repair a couple of times)...

That is if you look in the photographs of the Megaprocessor at the "full adders" used in the ALU, they are what you find in school/college text books given as simple "two input logic gates".

In practice we don't do things that way and have not done so since the Z80 or earlier (some cough cough fourty years or more ago). What we do is include "lookahead carry" to speed things up and then "strip out" redundancies at the gate level and below.

But more importantly we also use entirely different methods these days as well. One such is small look up tables via multiplexers as in effect they have less gates in series and are thus faster by nanosecs or fractions there of[1].

Supprisingly to some ALU adder designs are still a "hot research topic" with papers being published from time to time. The problem is that they've moved several steps ahead of the "full adders" you get taught in school/college in ways where reading a paper from this decade would be almost meaningless without knowing the steps in between.

If however you go back to just before the turn of the last century you can still find redable papers such as,

    64 bit media adder : Aamir A. Farooqui , Vojin G. Oklobdzija , Farzad Chechrazi

However for those playing "catch up" or wanting to know more this paper from a decade ago goes into various adder types and the trade offs as well as nice logic diagrams for those "doing the VHDL thing" on a graduate course,

    Energy-Efficient Design Methodologies: High-Performance VLSI Adders (2010) : Bart R. Zeydel , Dursun Baran , Vojin G. Oklobdzija

[1] Untill about a decade and a half ago, when energy became way more important due to "heat death" issues, speed or more correctly minimising "gate depth and delays" was what people were talking about. Conventional simple two input TTL logic gates have around 7nS delay with XOR gates having longer delays. Which along with other "metastability" delays is a "glacialy" long time slowing your potential clock speed down to 10MHz or less, even the 74LS181 4-bit ALU had 60ns or more delays. Which when you consider it is critically important as all "Arithmetic" instructions use the N-bit adder at their base (CPU ALU's only speak "integer" and ADD, to get SUM and MUL instructions, with DIV being done in various ways including by MUL).

rrdJune 28, 2020 12:57 PM

@ JonKnowsNothing

All your points are bang-on, as the Brits say.

Baltimore's "Maryland Baptist Aged Home" has had zero deaths. They attributed their taking COVID-19 seriously and requiring mask use, limiting visitation to outdoors and social distancing (via more TVs) to doing the opposite of what Trump said. I mean, that is precisely what their director said.

Really, infectious disease handling is not something mysterious nor particularly difficult, once we know the vectors of transmission and have the PPE necessary to contain the infection. The problem is solely with the people that refuse to listen to science (and the recommendations of its experts). This occurs especially in those whose motivations in life run counter to those recommendations due to their being enamored with money, wanting to display their allegience to power, or just simply not giving a crap about other peoples' health and safety. The opposite of love really is selfishness, at least in the dimension of action (the emotional opposite being hatred, of course, with its cruelties, oppressions and other comorbidities).

The key to Maryland Baptist Aged Home's success is simply that they made a determined effort to learn what experts suggested they do to protect its patients, staff and relatives, then they effing made sure they did it, like an engineer in the Mercedes F1 factory machining a crankshaft or Lin-Manuel Miranda scripting a musical.

It's really not that amazing what people can do when they put their minds and hearts into something (because people can be suuuper amazing), except for it's so dang rare that people ever do anything for the good of others with passionate intensity, especially if it requires selfless giving of some kind.

People really aren't that complex when you ignore what they say and focus solely on what they do. What they do, for those with enough clarity, says all that needs to be said about their attitudes and beliefs. That's why Rumi said, "You have no idea how little we care about what people say."

The actions of a significant percent of America are a direct reflection of American culture's obeissance to wealth, competition and ignorance. Add in people wanting to get drunk with other idiots at bars and sit in restaurants instead of having a nice takeout meal, and bullsh like "The economy needs us to open back up", "I'm free to not wear a mask" and all the other kinds of tripe that flows from their ignorant pie-holes, and here we are.

This is nothing less than Social Darwinism writ large (read: life, itself) where the current primary stressor (w/rt COVID-19) is willful ignorance of science and apathy towards others' well-being. All the innocents destroyed by these callous, selfish attitudes are truly heartbreaking, but that's where we have to just do the right thing by others, even if the stir crazy is tough to deal with at times.

Remember that Einstein referred to the rise of Nazism as a "mass psychosis". I can't imagine anyone successfully arguing that we aren't experiencing (and have been for decades) something damn near identical both here and abroad. It's just that the COVID-19 crucible is pushing everyone's true colors to the surface and making it very difficult to ignore how belligerently ignorant and harmful so many of our fellows are.

Clive RobinsonJune 28, 2020 1:23 PM

@ JonKnowsNothing,

If they were truly cleared by the hospital then this is a confirmed second re-infection of 4 people.

Err not necessarily.

A friend is helping the family of a person who has now spent over 100days in ICU in hospital[1] due to the "complications" of a SARS-CoV-2 infection. The infection would have been gone from their body within four weeks or they would have succumbed to it. What has kept them in hospital is the results of the infection on the lungs etc, these are more correctly called "sequeli" and you can die from them days, weeks, months, or years later[2].

What we do know is that one care home where the staff ellected to have a "lock-in" has not had any COVID-19. Which realistically suggests it is the staff that are the initial infection vectors, from community spread infection. We see this every year with the likes of influenza and Noro Virus in nearly all hospitals, care homes and other "close confines" places such as prisons. We lable it "institutional infection" which sounds like it is an inevitability, but the reality is it is anything but, and is actually a symptom of quite deliberate policy decisions which kills many many people each year quite needlessly.

As with all such "policy decisions" they come down from the highest levels based on political ideals and mantra.

Thus these care home deaths are "policy decisions" and are part of the "norm" not the "exception" and it is something we should stop giving politicians and policy makers a pass on...

[1] Something I'm told would not be alowed to happen in the US as apparently your lifetime entitlement to ICU treatment via your medical insurance is just 48days. Which you could think of as not a "medical sequeli" but a political one...

[2] There is reasonable evidence to say that Type I Diabetes is started by a virus that causes your bodies immune system to turn on you, and gradually destroy the cells that make insulin. This was within living memory a death sentence and even today those with diabetes need to take more precautions against common infections. We also know that cervical canncer that still kills women today is caused by a virus. It's thus assumed that other cancers are also triggered by a virus that via an impared immune system gives rise to the cell that starts a tumor. The biggest cause of an impared immune system is the environment we live in and that of what we injest. Which is why strong environmental protection is vitaly important to a nations health, and in fact a lack of this generaly shows up in the reduced life expectancy in comparable socioeconomic circumstances.

myliitJune 28, 2020 1:55 PM

@ Chris

“Hi ive been lurking for sometime, i recon you guys know lot about sec on computers.
One thing you dont touch on toomuch is that people in the know on the military side have there own Military Intelligence Services, they are very much like the CIA of sorts but they are much more muddy....

And ... much more dangerous “ [1]

For example, from the U. S. mainstream media (“‘MSM’”):

“Russia Secretly Offered Afghan Militants Bounties to Kill U.S. Troops, Intelligence Says

The Trump administration has been deliberating for months about what to do about a stunning intelligence assessment.

American troops in Afghanistan have been the target of some Taliban operations backed by Russia, intelligence officials found.

American intelligence officials have concluded that a Russian military intelligence unit secretly offered bounties to Taliban-linked militants for killing coalition forces in Afghanistan — including targeting American troops — amid the peace talks to end the long-running war there, according to officials briefed on the matter.

The United States concluded months ago that the Russian unit, which has been linked to assassination attempts and other covert operations in Europe intended to destabilize the West or take revenge on turncoats, had covertly offered rewards for successful attacks last year.

Islamist militants, or armed criminal elements closely associated with them, are believed to have collected some bounty money, the officials said. Twenty Americans were killed in combat in Afghanistan in 2019, but it was not clear which killings were under suspicion.

The intelligence finding was briefed to President Trump, and the White House’s National Security Council discussed the problem at an interagency meeting in late March, the officials said. ...” of course, it isn’t clear if anybody believes anything that our President says anymore


MarkHJune 28, 2020 3:03 PM

Pandemic Developments

1. To start with some (apparent) good news, the mathematical mortality rate is decreasing significantly: worldwide, new cases show a rising trend, whereas deaths are decreasing.

I propose a few possible causes:

• case detection has improved, enlarging the denominator of the fraction

• congregate facilities for the elderly may be experiencing some combination of better safeguards and the extermination-by-Covid of their most susceptible residents

• medical systems are climbing the learning curve for care of acute cases

2. Almost everywhere "re-opening" has been attempted, case rates are increasing sharply. As I wrote before, it's like slowing a vehicle using the brakes. Within a few milliseconds of brake release, perceptible acceleration will begin.

Other regions of the U.S. didn't re-open because they never closed down to begin with. They followed the sophisticated reasoning, "it ain't here so we don't need to do nothin'" In many such places, Covid is arriving, and showing the high growth rates to be expected where precautions are minimal.

3. It's been plain from statistical data that case growth doesn't show its simplistic-model exponential growth rate after case counts become large, for a variety of reasons. New cases per unit time tend to "flatten out." But here's an exception:

In Florida -- one of the states in which government has consistently wanted to minimize disease-spread precautions -- poorly managed re-opening is playing out spectacularly.

Florida is actually showing near-exponential case growth with a doubling time of about 6 days, even as new case detections are in the thousands per day.

Scaled to population, recent Covid-19 case growth in recent days is far worse than the peak observed in Italy.

4. Speaking of Italy, Sweden is on track to exceed Italy's grievous per-capita death rate sometime in July.

Reportedly, the Swedish populace is losing its enthusiasm for the official "herd immunity policy." Mo one yet knows whether herd immunity by spread of infection is even possible, because the strength and durability of post-infection immunity has not been sufficiently measured -- so the promise that the human sacrifice will eventually be rewarded by stopping the epidemic could prove false.

It's worth noting that increasing volumes of observational evidence (sorry, ScienceGeek) show that governmental recommendations meet with far less compliance than mandatory requirements for pandemic precautions.

5. Recently, two people flew to New Zealand in order to visit a dying relative. They unknowingly brought the virus with them, resulting in New Zealand's first new case detection in 24 days.

6. The U.S. president recently announced that he has asked the federal government to reduce testing for SARS-CoV-2.

The only ways I have yet visualized for resumption of something like normal activities without heavy new case numbers are:

A. Reduce cases nearly to zero, and apply an aggressive program of testing/tracing/isolation (a la New Zealand), or

B. Apply astronomical volumes of testing, so almost everyone can be tested at intervals of not more than two to four days. This might enable feasible separation/isolation schemes even in regions where case numbers are high.

Clive RobinsonJune 28, 2020 4:45 PM

@ MarkH,

To start with some (apparent) good news, the mathematical mortality rate is decreasing significantly: worldwide, new cases show a rising trend, whereas deaths are decreasing.

There may be a non human agency reason for this.

Whilst the virus does not appear to be "seasonaly effected" it's environment is.

We know that the virus viability persistence is environmentally effected by the likes of humidity and UV radiation as well as temprature. Increased temperature causes the droplets by which infection spreads to evaporate faster a decrease in humidity likewise. And as we know one of the side effects to sunlight is damaged DNA and RNA due to UV radiation, it's just that we tend to think of it more as "sun burn".

But there is also a human agency effect. As light levels and tempratures rise humans tend to move outdoors into fresh air where dropplets are very quickly dispersed unlike closed environments. Humans tend to expose more skin as the temprature rises and with being outdoors this is exposed to increasing levels of sunlight. Sunlight effects the human immune system in a number of ways one of which is it increases the level of vitimin D which is known to improve the human immune system against respiritory diseases, it's also an anti-inflammatory agent as well which helps reduce the levels of damage in the lungs and other organs.

But as we know in South America where COVID-19 is very much on the rise deaths are significantly under reported, thus the apparent fall in death rate is very probably not as goodvas it appears. Likewise we know Russia is almost certainly well under reporting COVID-19 deaths as a matter of "policy"...

As for India, who knows what is happening there even with the best will in the world the nature of the country is not currently conducive to gathering information of this sort. Whilst this is rapidly changing as technology improves things they are still constrained by the resources available. A quick look at India's per capita GDP tells you that overall they are not yet a rich country with abundent spare resources thus levels of available health care vary wildly and are not yet at the levels to deal with significant epidemics of what is still effectively an unknown disease.

SpaceLifeFormJune 28, 2020 4:54 PM

E3 still active.


An update from last month seems to have introduced a bug into the Mail app which is causing problems with Gmail accounts.

SpaceLifeFormJune 28, 2020 5:23 PM

@ myliit

I am pretty sure who leaked the info that she went to fbi about.


SpaceLifeFormJune 28, 2020 5:51 PM

@ Myliit

Google is burying the news.

Years now. Becoming totally obvious.

Ismar June 28, 2020 6:09 PM

The reason I said I did not get a satisfactory answer is very simple- I did not find your answer very useful. I visit this site mostly expecting to get (and occasionally maybe make a small contribution to) some knowledge that can bring some positive change to the society as a whole. Unfortunately, none of your writing was suggesting anything useful and actionable in that respect.
I was also tempted to ask you about the possible comments on my post and the link provided but I don’t think that would lead us anywhere as we seem to be operating on very different frequencies at this time.
I will, however, note my concern, once more, about our collective tendencies to preserve the status quo which is true in science as well the society at large.

StephenMelbaJune 28, 2020 8:02 PM

@ MarkH


There has been re-opening across Australia. Tas, WA, SA, Qld, NSW & NT show that the reproduction rate can be kept below 1 with the right restrictions (

rrdJune 28, 2020 8:22 PM

@ Ismar

>> I visit this site mostly expecting to get (and occasionally maybe make a small contribution to) some knowledge that can bring some positive change to the society as a whole.

That is a beautifully perfect wish. You are already a part of the solution.

To magnify your ability to effect change in this brutal world of competition, go within yourself and connect to our Creator, begging for the purification of your own vices so that you will not become like those who use their power to serve their own selfish desires and those of their in-groups.

Making this wish will also give you sublime peace and happiness, so long as you follow the Path of Love along its full course. It's not easy, but it's the only way to reach our individual potential as fully self-evolved (in cahoots with our Creator) human beings.

Love is the key, so you already have the most important element, but there are levels upon levels yet for each of us to reach, both individually and in our groups. As we reach higher levels, our perceptual clarity also deepens and expands.

Only by seeing others through the lens of humble compassion can we see them for who they truly are; otherwise, our perceptions are shaded by our prejudices, enmities, jealousies, rumors or whatever. Only through the hard graft of self-evolution can we be clear enough to discern who the true fascists are and how best to strip them of their power to harm others. Only then can we maximize our benefit to this entire planet.

I know you expected something different from your visits here, but I despise lies of any kind and I respect you all too much to tell you anything else but the truth I have lived, for quite a few years now. It is the road less traveled (especially in 2020 America), but it gives me a foundational perspective on how we can achieve lasting security for all of us that aren't evil bastards.

Peace be with you all. Thanks for your patience with my rambling.

name.withheld.for.obvious.reasonsJune 28, 2020 10:26 PM

Understanding that law enforcement benefits from a detachment from cause and effect, immunity from prosecution is a good example, a side-effect of this attitude is the distance from a duty of care.

To extend as analogous; the treatment of evidence can be seen as less important over time when it comes to duty of care. I suggest that when evidence is no longer given the level of care, but is subject to alteration, modification, or outright suppression--the distance from the legitimacy of any organization and its core mission must be questioned.

The case in Buffalo where a 75 year old man "tripped" according the reports by the police gives this argument context. I won't even go into the level of depravity represented by a President of the United States implicating the individual whom amplified the force of his "tripping" as an Antifa tactic. My mind fails to submit to qualifications of reason and runs right to indignit moral outrage. But that's just me.

WeatherJune 29, 2020 12:09 AM

I have parents that are that age and wouldn't like that treatment, but is that area doing tit for tat, don't know much about your country.

MarkHJune 29, 2020 12:12 AM


Australia has done an extraordinarily fine job of controlling Covid-19 spread.

However, the new cases graph on shows an increasing trend in Australia starting about 3 weeks ago.

Sadly, as far as I'm aware, reproduction rates below one have been attained only in regions with "shelter in place" regimes.

Whether any place can shift toward more normal activities without raising the reproduction rate above 1 remains to be demonstrated.

LawrenceJune 29, 2020 5:19 AM

Palantir not invited to NZ's Covid solution.

Palantir sought the opportunity to provide a Covid tracking system to the NZ government. When first not successful it tried again. Now seems likely that the bureaucrats making the decisions felt the leakage of personal data outweighed any possible benefit Palantir could provide.



As it happens Mr Thiel rather mysteriously managed to obtain NZ citizenship in a very very fast-tracked way during the time of the Key neo-liberal government. Didn't seem to help in this instance.

Clive RobinsonJune 29, 2020 6:14 AM

@ Lawrence,

As it happens Mr Thiel rather mysteriously managed to obtain NZ citizenship in a very very fast-tracked way during the time of the Key neo-liberal government. Didn't seem to help in this instance.

Yes Mr Thiel still apparently thinks of NZ as "The last bus stop before the south pole" and has bought up considerable land, and if stories are correct has a number of "hardened refuges" to hide away in. However he is reputed to be a "Silicon Valley Vampire" which should have rendered him ineligable for citizenship in any part of the world.

As for his business practices with Palantir, what can I say that's nice about them... As my granny used to say "If you can not say anything nice then say nothing at all".

So all I will say is the UK Government has been extreamly foolish beyond any kind of measure to let Palantir get involved with any UK databases. So much so you have to ask what on earth they were thinking. Some will no doubt suspect "coruption" of various forms and I suspect that there would be some degree of truth in it depending on your definition of coruption, which is very lax in UK Government circles and their "Revolving Door" policies.

rrdJune 29, 2020 9:09 AM


>> My mind fails to submit to qualifications of reason and runs right to indignant moral outrage. But that's just me.

That's definitely not just you. That's anyone with a functioning moral compass.

There are two other sides a person can come down on when seeing that man receive brain damage from police brutality:

1. They don't care at all.
2. They take pleasure from such brutal treatment of people they consider "other".

Both of these attitudes are evil. The first is callous cruelty, the second is actively oppressive cruelty.

Personally, having kids, what these ghouls are doing to the immigrant kids they cruelly separated at the border is almost more than I can stand, but I must -- *WE* must -- divert that energy to better use in order that things are set right one day, to the extent that is will ever be possible for those traumatized children. And all the black people getting murdered by cops pushes my same buttons.

One thing I have not seen mentioned yet in all our focus on our racially oppressive LEOs in America is doctor-prescribed TESTOSTERONE REPLACEMENT THERAPY, not to mention black-market steroids.

I played sports with guys who took steroids. There is no question that taking such hormone "therapy" often makes the man far more aggressive.

It is my understanding that police unions refuse to allow their members to be drug tested. Does anyone know if that's correct?

I saw a vid a couple of weeks ago with a police chief who, after asking what the protesters wanted and getting a "Walk with us" response, proceeded to put down his gear and walk with them (it was a nice gesture, for sure). But I did notice that that guy was *jacked*. His arms were enormous. And yeah, I get it, policing is a dangerous job, but having roided-up dudes having to make split-second life-or-death decisions is (IMO) not a recipe for societal success. And four jacked-up idiots with power is a million times worse than a single guy on his own. (RIP Breonna Taylor.)

Combine this with a significant percentage of our LEOs being -- if not military veterans themselves -- military wannabes (or worse), and here we are.

I have yet to see TRT/steroids mentioned in any of the coverage of our BLM movement, but its effects can certainly not be insignificant.

JonKnowsNothingJune 29, 2020 11:11 AM


You are aware that not all police/LEOs are men or male gendered?

myliitJune 29, 2020 11:41 AM

Not figure fiddling, afaik, but The Chicks have fiddled a protest song. 4:03

The Chicks - March March [1] 3:48

Dixie Chicks - Gaslighter (Official Video) with lyrics


“... Along with the name change, the Chicks released a brand new single on Thursday, titled “March March,” which will be appearing on their upcoming fifth studio album, Gaslighter. The protest song, produced by Jack Antonoff, combines a minimalist electronic beat with subdued instrumentation from Maguire’s fiddle and Strayer’s banjo.

Lyrically, Maines addresses everything from Greta Thunberg and youth climate protests to gun violence and underpaid school teachers, over a music video that edits together footage from recent Black Lives Matter protests and police confrontations. Toward the end, as Maguire dives into a fiery fiddle solo, the names of black Americans killed by police flash onscreen, and the video concludes with a message from the Chicks — “Use your voice. Use your vote.” — along with links to various social justice organizations and nonprofits. ...”

rrdJune 29, 2020 12:13 PM

@ JonKnowsNothing

>> You are aware that not all police/LEOs are men or male gendered?

Sure, and there are female war-mongers. And there are woman rapists, too.

It's about numbers and testosterone and aggressiveness.

Look around the world. Are you saying that women pose *nearly* as much of a threat to our peace and safety as men?

In the 8:46 video, that looked like four dudes to me (including a black guy!).

And -- *AAANNND* -- when in the minority, are women more or less likely to speak up against the male officers on the team, especially if they are in a leadership position? And would they ever be the majority in a situation like George Floyd's or Breonna Taylor's?

Years ago, I read that girls fared better in gender-segregated math classes because they didn't have to compete against the aggressiveness of the boys, who would raise their hands first to answer the questions even when they were wrong. That intimidated the girls which lead to their not feeling positive about their ability to succeed in math.

How many female anti-riot police have you seen in the fascist oppression of the largely peaceful protests? How many women walked with Trump for his bible photo-op? (I saw Ivanka, and she was the only one wearing a mask.)

How many female incels are there? How many female school shooters?

I really don't know what your point was supposed to be, all I can come up with is that it's just a really weak ad hominem attempt.

I suggest you watch Stanford neuroendocrinologist Dr. Robert Sopolsky's "Human Behavioral Biology" class. It's free on YouTube. I made it all the way to the last three. It forever taught me that Trans folks can have physically gender-opposite brain structures, so their claims of "I always felt like the opposite gender" have been demonstrated scientifically, physiologically.

Learning is the gateway to wisdom, but few choose to approach the door, much less walk through it. Fewer still do so to increase their compassion.

Toxic masculinity is the single greatest threat to our world's security, from one-on-one interactions to nation-state interactions. It's certainly the single greatest threat to women's security; that's for damned sure.

Besides, anyone who increases their testosterone is almost certainly increasing their aggressiveness (endocrinologists, feel free to correct me), especially if it is exogenous. But yeah, I can imagine a lady cop augmenting her testosterone, too, because of all the meatheads she has to deal with on both sides of the job. And if a woman brutalizes someone because she's jacked-up on T then she gets the same punishment -- nothing else would demonstrate justice.

But, c'mon man, statistics, physiology, thousands of years of evidence, the news every single dang day, our rapist-in-chief? Really?

DroneJune 29, 2020 1:56 PM

@SpaceLifeForm... I'm sorry, I truly do not understand your reply to my post. I like your "SpaceLifeForm" handle though :-)

You said in your reply: "Lie, Destroy, or Blame?... In order to escape from this three-choice dialog box in a loop that refuses to acknowledge reality, we must reboot the system."

Yeah, to me this sounds like some sort of insane "trigger words" for a child-like Anarchist movement. But that's just a guess. Regardless I will always defend with my life, if necessary, your right to speak freely - in America anyway.

By the way, how about these "trigger words" for your "reboot the system" movement:

"Give me liberty, or give me death!", Patrick Henry 1775.[1]

By the way, if you think it is easy to "...give me death", I say bring it on! I am ready and waiting for you to try.

* References:

1. Patrick Henry addressing the Second Virginia Convention in Richmond, 23-March-1775.[2]!

2. Second Virginia Convention

MarkHJune 29, 2020 2:29 PM

Covid-19 May Have Grown More Contagious

Note: The scientific inferences below are preliminary, and have yet to be peer-reviewed or adequately confirmed.

A genetic variation called D614G in SARS-CoV-2 appears in about 70% of genomes contributed to a world-wide database. It doesn't appear in the early genomes from China.

Although D614G was rare before late February, it now appears in more than 90% of virus samples. The most plausible hypothesis for its rapid proliferation, is that this Covid variant is more contagious.

D614G affects the composition of the "spike structures" on the virus surface, which enable attachment to host cells.

Laboratory experiments suggest that these modified spike structures work better, enabling the virus to reproduce more efficiently in the host, creating greater viral loads ... and presumably, more of the viral shedding which causes community transmission.

Because D614G had effectively "taken over the world" sometime in April, it does not signify a change in present pandemic conditions.

However, if this variant is in fact more contagious, then the Covid-19 reproduction rate for a given level of precautions against community spread will be greater than observed before April; or as a corollary, to get the same reproduction rate as before April, stronger precautions against spread are necessary.

Clive RobinsonJune 29, 2020 4:23 PM

@ MarkH, ALL,

Speaking of yet to be peer reviewed papers...

There is a paper that indicates SARS-CoV-2 has been found in frozen sewerage samples in Spain back in early 2019.

The paper is written by respected researchers some of whom are in a top flight research university.

They believe that this finding is not a false positive or cross contamination in the laboratory etc.

They started doing their "back search" after finding credible evidence that people in Europe had had novel corona virus infections back in mid to late 2019 and it had been diagnosed as some varient of influenza.

Assuming it is true it opens up a whole can of worms about the origin of SARS-CoV-2 and just how long it has been around, not just in China but other countries.

name.withheld.for.obvious.reasonsJune 29, 2020 4:29 PM

CNN Report, a Houston Hospital and Pandemic Triage Shades of Wuhan in Texas
CNN reported today, 29 June 2020, an example of the COVID-19 patient experience and a hospital walk through that informs to a degree that has not been done before in the MSM. I cannot believe I am crediting CNN, hardly a bastion of journalism--but there it is.

The ability to grasp reality seems to be the skill acquired by those that live their lives at an abstract and unconscious level later in life, if ever. The YouTube video is at:

Though the ten minute and 39 second report does not provide a lot of detail, it is missing much in the way of epidemiological information it does however provide a wider and deeper context for those that remain ignorant of facts. One interesting fact is that one in eight test positive. Not a good number...

There is an element of the video that reminds me of the earliest reports smuggled out of Wuhan concerning the tactical situation from a pandemic response effort. Why did we not learn from information that was available? Hell, if I knew what was up how could some many others not?

Clive RobinsonJune 29, 2020 4:38 PM

@ Ismar,

Clive was for some reason shy to wade in

Because I had reason to think it would get Moderated.

rrdJune 29, 2020 8:13 PM

@ Clive

[from your comment to Bruce's "Commenting Policy for this Blog]

>> As for the posters here we are an eclectic bunch from all corners, and our differing points of view encorage thinking in a wider scope and give not just bredth but often considerable depth on not just arcane technology but things that are yet to be. I've lost count of the number of times things have been discussed on this blog that subsiquently come to be. Sometimes the comments are years ahead of what is being considered even in academia, and as I've indicated before you will read here things that can not be found in any other place on the Web, and I'm reasonably certain that there are those who come here to get insipiration on technical and future matters. Thus your site is actually a resource without par in this respect.

I had never read this comment until a few minutes ago, but I must say it is an outstanding ethos. I hope that I live up to it.

[Then, in this thread:]

>> Because I had reason to think it would get Moderated.

You're the gold standard on this blog, so go light on the profanity and you should be ok ;-)



Anyway, to prove my fidelity to the technical purpose of this blog, let me pose a technical security question and see what all y'all's perspectives are:

When setting out to design a truly secure general purpose computing system (functioning like a modern pc), what is the single most important characteristic the resulting operating system must possess?

(Note that this is directly related to a very long-term project of mine, so this is a very real question. I'll withhold my perspective until later, not that I assume anyone here cares.)

rrdJune 29, 2020 9:21 PM

@ Weather et al

So, old hashes (eg: SHA1 and MD5) have collision problems, but (I assume) they are way faster than their newer, wider variants.

Why not just use both hashes on the same document? Given a specific document, certainly a collision that allows the document to be altered for one of the hashes could not possibly also result in a useful collision for the other hash given the same document, no?

I'm guessing that two smaller hashes computed concurrently would be less computationally expensive than the newer hashes (assuming the source file need not be read twice), or am I completely missing something here?

I imagine that there would also be a side benefit for the code in that the older hashes' code is much tighter, easier to find, verify and integrate, no?

My other thought from a couple of years ago on securing old hashes was to create a standard header or footer for documents that gets hashed along with the content, that extra info containing in the minimum the length of the document, but perhaps even containing a table of byte counts (maybe path or filename, too?).

Surely such a nested, double-layered document hash would be dang-near impossible to find a collision for, no? And stripping off the extra header or footer should be easy-peasy on the receiving end.

Is it that important to have a single-pass hash verifier? And, is this already being done? Or maybe I'm not understanding what collisions are used for?

WeatherJune 29, 2020 9:44 PM

The program generation a sha256 32byte from 3 byte, most of the range, the program then runs a foumla on the 32 byte hash it compares it to other ones that got the same value, and uses the table of what 3 bytes the chars were, if the values workout to the same there's 19% chance they were also in the new hash.
The 19% can change to high percent, but then its more likely )80 chars.

Still have to think about the rest of your replied.

name.withheld.for.obvious.reasonsJune 29, 2020 9:50 PM

... maybe they should take a look at the US justice system in the likes of Chicago where "illegal detention centers" were setup and used against those on the lower rungs of the socioeconomic ladder.
Have been to the south side of Chicago but it was ten years ago. What was astonishing was that the physical landscape was out of a surreal dystopian failed "Planet of the Doomcoughs" movie where the button had been pressed and nuclear winter had arrived. Not too dissimilar from images from WWII, Beirut, Lebanon, or Gaza in the Middle East. It was so eerie and unsettling but it did not move me in a way, viewed in hindsight, that would cause me to respond appropriately. It was almost as if it is better to forget about it then confront the absolute horror witnessed.


Future peoples, maybe there's a civilization in the next millennium, will certainly construct a timeline that if human enlightenment is possible will give testimony as to how truly poor we all are.

rrdJune 29, 2020 9:51 PM

@ name.withheld...

Our city has a notice that says that, through the CARES Act, it has a rental and utility assistance program for people who face employment hardship due to the pandemic (as we will as the stimulus unemployment benefits will be done in a few weeks), there being a hotline residents can call.

We haven't called yet to see if we are eligible or how much assistence may be available, but our state's govt is fully Dem and seems to be doing a good job on all fronts so I am hopeful.

And, from one cynic to another, there is a special place but I'd rather they suffer their loss of social status here, perhaps to the extent that they realize that they need to look in the mirror and undertake some personal growth.

name.withheld.for.obvious.reasonsJune 29, 2020 9:51 PM

Oops, the lead-in qoute was a post of Clive's
Sorry @ Clive

WeatherJune 29, 2020 10:45 PM

If you have two different hash programs in parrellel and both have to check out from the file its more secure, because if they find a collision for md5 there's no gaurenty that sha1 will collide.
If they are chained, then it is as strong as one hash.
With computer processor now days 128bit hash is stronger than two 64bit because they can be attacked seperatly

With you question I'll say accuracy and repeatable for a general purpose computer.

Clive RobinsonJune 30, 2020 12:59 AM

@ name.withheld...,

Sorry @ Clive

No worries, the thoughtful reply was much appreciated and hopefully others will read it and realise what is creaping up on the ordinary citizen bit by bit, in enough time that something might be done to stop it.

MarkHJune 30, 2020 3:08 AM

@Clive, re Spanish report of "premature Covid":

I pondered this for some time. It seems very likely to be some kind of false positive.

Based on what we know, how could people have been infected without it soon becoming obvious?

In the unlikely event that SARS-CoV-2 was indeed in their sample, one can imagine that some animals were infected without transmission to humans ... and that somehow, enough of their shed virus made it into Barcelona's sanitary sewage system?

A brief look at how things might have gone astray:

Clive RobinsonJune 30, 2020 6:25 AM

@ MarkH,

Based on what we know, how could people have been infected without it soon becoming obvious?

Well one way is for a transitory visitor from china.

We still do not know enough about how a SARS-CoV-2 infection progresses in a human, especially in the outliers at beyond 12 days from initial infection to being infectious.

It may well be the case that the usual transport of mucus through the GI shows signs in stools etc upto several days before an individual produces enough virus in their breath to represent a sufficient viral load to infect another person.

The city concerned being of significant historical and cultural interest has a quite high transitory population of tourists. As you may remember around that time it is Chinese New Year a time when many Chinese take holidays, and pre/post grad students travel to various meetups/seminars etc.

Thus it's possible for an infected younger person who is probably going to be asymptomatic anyway to have been infected in China, traveled to the city for a short time and incubated it for long enough for it to show up in stools but not for them to be sufficiently infectious before their return to China. They might also have had a sufficiently strong immune system that in effect they did not produce sufficient viral load to infect others at any time.

Other corona viruses that effect people give them "common colds" when I was younger I quite happily mixed with people who had the charecteristic coughs, runny noses and rough voices of the common cold because if I got it I did not notice it so I may not have had it at all or been effectively asymptomatic. This has been seen quite frequently in the past.

It's only since I became immuno compromised after a botched operation that I went from being virtualy disease free to being hospitalized several times a year with various infections... Even so I still tend to miss out on "man flu"[1], "Colds" and most years Noro virus. That is I still appear to have a high tolerance for common viruses but not certain types of quite common bacteria we all have millions on us at any one time.

[1] Much to the anoyance of my sons mum, who gets it most years even after getting prioroty on vaccination as she's front line staff in the medical proffession. But what "grips her the most" is the only times I have had "man flu" is when I've made the mistake of getting vaccinated. My own Dr raises a wry smile when I say I'm holding off on vacinations untill after the year I get flu without having been vaccinated...

rrdJune 30, 2020 8:21 AM

@ Weather

>> because if they find a collision for md5 there's no guarantee that sha1 will collide

Yeah, I'm guessing well-nigh impossible for the same source document.

>> If they are chained, then it is as strong as one hash.

With that much computation, I'd probably just use a newer, wider hash function, like SHA-256 or whatever.

>> With computer processor now days 128bit hash is stronger than two 64bit because they can be attacked seperatly

Yeah, but that goes back to my original thought: will two different hashes of the same data ever be "collidable"; i.e. can they ever be attacked separately for the same source data such that the resulting imposter data hashes down to both original hashes? I doubt they can, even for something as simple as MD5 and SHA1.

>> With your question I'll say accuracy and repeatable for a general purpose computer.

Sorry for the confusion, but that is simply a requirement for a working general purpose computer.

I'm specifically asking what primary characteristic is required for such a working general purpose computer system whose OS implementation is absolutely secure.

I should add a qualification on the system that it must not only be secure but mutable -- i.e. the operating system can be upgraded over time -- so having the entire OS in ROM is non-qualifying.


@ Clive

I hope you're getting your Vitamin D. I hope you all are. Depending on your dwelling, getting D the natural way may be difficult in this life under some form of lockdown. As such, we've all been augmenting ours since March (one of them comes with K as well), though the kids get far less just a couple of times a week. I, personally, feel more sharp in the morning as a result.

One week after we began taking the extra D, my wife's son called (he is now finally beginning work as a doctor after all these years) and suggested we take it, as his Mom has autoimmune issues and his hospital had a significant surge in COVID-19 cases (it was all-hands-on-deck for a month or so and he got pulled into active ICU duty even though he was post-doc'ing for a year).

WeatherJune 30, 2020 11:13 AM

It does make a difference if its a 8,16,24,32 char password compared to a 100mb file, as collision aren't the only area that needs protecting, knowing what made that hash value might be the point, evening with two 64bit you run through all 8*0xff for md5 and seperatly for sha1 16*0xff and then compare the collider's if you have 8 chars that match the first 8 chars of sha1 it will be less than 3^64

rrdJune 30, 2020 12:28 PM

@ Weather

Thanks. I just realized my use-case is solely about document integrity verification, not the use-case of storing the hash of a password so it's not transmitted or stored in plaintext. In the second case, the collision itself is a system failure, whereas a forged document must be semantically meaningful to result in a successful attack.

Underlying assumptions got me; I apologize for the lack of clarity; however, this conversation has really helped me clarify my own thinking.

To sum up my understanding now: for binary (non visually inspectable) files, I need to go with the best, most-bits-in-the-resulting-hash-value algorithms. But for visually inspectable files (eg: semantically meaningful, like source code or an email), there really is a very small chance that meaningful changes can be made to the file and still result in a collision. Of course, the more bits the better, but the internal format of the file itself provides its own consistency check that limit the attacker's set of possible viable collisions.

[Side note: I have, on more than one occasion, had a bug in code that I just couldn't track down so I finally asked a colleague for their opinion; then, halfway through explaining it, the answer would come to me without their even saying a word. I chalk that up to putting the problem into words engages different parts of the brain, the resulting expanded neural pathways then give the perspective needed to see the problem.]

WeatherJune 30, 2020 1:15 PM

About a secure general purpose computer ,I'll say a prison setup, were each program gets its on play box with guard's and a Warden (kernel) checking the guards.
I'll trying and find the link on here but if you write a program that gets injected into another program before the main function, then you program runs one asm instruction at a time from what it injected to, saving register and flag vars after the one instruction you are then free to encrypt or decrypt one the fly, check memory data, strings etc, a really basic ids,or block instruction.
You can make the thing minimal so test each part for hole in your program.

Ask @clive and @weal about CvP

Clive RobinsonJune 30, 2020 3:15 PM

@ rrd,

my wife's son called (he is now finally beginning work as a doctor after all these years)

I wish him and the rest of the family well in these troubling times. Front line medical staff are at risk more of the time than we perhaps realise even in better times.

My son's mum is a cardiac specialist but still spends a lot of her time with clinics and patients she has frequently mentioned that these days the police are almost always present at hospitals. In fact a hospital she used to work in that became famous because it had a number one chart single has a permanent police presence as well as security staff. Even though the patients she sees are unlikely to cause her direct harm I still worry about other patients. And yes she frequently gets the latest bug going around, which is a bit awkward as I'm the one with an impared immune system since an operation went wrong and have frequently ended up in hospital myself because of it. Which all told is maybe why our son has decided to become an engineer, which like medicine has a long academic pathway.

vas pupJune 30, 2020 3:37 PM

Germany to overhaul elite army force tied to right-wing extremism

"German Defense Minister Annegret Kramp-Karrenbauer plans on restructuring the country's Bundeswehr's Special Forces Command (KSK) in the wake of numerous allegations of far-right extremism among its ranks, German media reported on Tuesday.

According to newspaper Die Welt, Kramp-Karrenbauer will announce structural reforms of the KSK unit, which will include the dissolution of one of its four combat companies.

Some 70 soldiers would be affected by the changes, Die Welt reported.

+++The KSK has been part of the German Army since 1996. The group focuses on anti-terrorism operations and hostage rescues from hostile areas. Its members have served in Afghanistan and the Balkans, but its operations are kept secret.

====>Today, the KSK has "become partially independent" from the chain of command and developed a "toxic leadership culture," Kramp-Karrenbauer told the Süddeutsche Zeitung newspaper."

I guess that is real problem when folks who really had on their shoulders security of the country move to the extreme right as they see the only option to save the country. See +++ above - they just know what is possible incoming option for their country otherwise.

WeatherJune 30, 2020 3:57 PM

@vas pup
Its called fire house syndrome, based on fire fighter not having much to do most of the time talk about concectivle stranger ideas over breaks.
But isn't it a good thing they are not used much.

ThunderbirdJune 30, 2020 4:23 PM

I'm specifically asking what primary characteristic is required for such a working general purpose computer system whose OS implementation is absolutely secure.

I think the primary characteristic is that it does not execute a program. I believe it is the case that for any computer complicated enough to do something useful and any definition of "absolutely secure" that matches most people's intuition, it won't be "secure." Therefore, it can't do anything and be secure.

But, if you're willing to accept "pretty secure" I would say first of all you have to be able to be sure only the programs you want are actually executed. This is incredibly difficult, since a) everyone wants to have data that includes programs (i.e., Javascript in web pages, macros in Word files, spreadsheets in ... spreadsheets, editors that can be upgraded, etc.) and b) it is startling how simple a programming system can still be Turing complete. So you would have to have a very tight walled garden, similar to the Apple model but much more strictly enforced. So, no PDF or Postscript viewers, no Microsoft Word, no EMACS, no ability to browse modern web pages, no compilers and nothing like Perl or Python or (god forbid) Powershell.

The second thing you need is that the system needs to be simple enough to be comprehensible. I think just the first requirement is enough to ensure your system never gets built and used, but if it isn't, the second one should prevent its success. Marketing people always want to add to the pile, not subtract from it.

rrdJune 30, 2020 4:50 PM

@ Weather

CvP seems interesting (from the little I've gleaned so far from googling this site), but I'm not interested in having to overcome inherent insecurities in my system's components. And the sandboxes for userland processes certainly are a sound idea, and perhaps even successful in practice (I wouldn't know), but I'm interested in security by design, not security as a result of having to deal with bad payloads.

I'm referring to the *entire* system: kernel, devices, the whole thing. This is a greenfield, no limits, clean from-scratch design exercise.

As to separation of process privileges, having run/managed/recompiled OpenBSD 5.4 for a couple of years, I would naturally gravitate towards evaluating unveil/pledge/privdrop first as I prefer explict declaration to attempting to police the process blindly. Explict, highly-specific declarations of each process's capability requirements at install time -- by requiring it be installed via source -- is my general thinking as to how to approach such resource dependency security issues, both kernel-userland and kernel-kernel.

Of course, like people, verifying their stated intentions against their actual behaviors is a separate level of complexity, but if the capabilities declaration can physically limit the resources the process can even compile against, then I'd say we've scraped off an entire layer of potential problems, but further complexities await.

And, really, this naturally leads to what I consider the most important element of any truly secure system: have *ALL* the design information available at any level it is needed at any stage in its development. This is already happening in the hardware industry, as I've seen (I don't remember the brand) a laptop that has not only open source software but open source hardware. (I don't know if they got rid of blackbox firmware requirements or not.) The key is not that they haven't fully achieved their goal, but that their goal is perfectly lofty and they're well on their way.

Having all that information is essential for verification. At the hardware level, this means that there are no undocumented system calls/instructions/whatever. That also means that if a component is having a problem, we can redesign its interface to surface more debug info (or less if it's a performance problem.)

And while my question was about security, my perspective on security is that it is ultimately a design plus verification-in-test issue, which is really a verification-of-functionality issue, which is where the bulk of my systems research goes: how to create digital info flow systems that do what they're supposed to do, by design. Security then becomes simply one design criteria (allowing for castle-building, if necessary).

Now, the software running on the hardware needs to be able to leverage whatever amount of system knowledge facilitates its achieving a high confidence level, while also exposing its own metadata to both its human and other software users. Each kind of layer artifact will expose its own kind of metadata, today's software being woefully inexact in its construction and descriptiveness. An example of what I consider information loss is a C int declaration: there are so many unknowns that cannot be answered unless one traverses the entire code tree of possibilities in order to answer questions like: can it ever be negative? can it even be decremented? (And, yes, I know there are many type systems but C is a good example because it's so ubiquitous especially in system programming.)

A complete and detailed description of system codependencies and source logic is my answer then. In my attempt at a first-principles opinion, this totality of system codependencies is essential for any info system, from a single program, to an entire topology of superscalar mega machines.

This accumulation of better system info is what OpenBSD has done over the years. First they busted their tails to remove bad programming patterns. This integrated their best practices into the code, a freehand embedding of information not only on top of the C programs but outside of C's abilities to facilitate such patterns where a separate data structure/interface/lib was infeasible.

Then, they proceeded to add capability-restriction info in their kernel interface. Once again, by increasing the amount of system info defined and available to the compile-time and runtime systems, better security is achieved (I assume).

And this is just scratching the surface. Beyond security, better and more complete total system info at any point in the SDLC allows for better analysis that may begin with simple functionality, becoming security analysis and finally perhaps being able to minimize energy usage (which first requires measuring it, though predicting it is superior still).

I don't know building architecture or structural engineering but I imagine they have undergone their own revolutions as their tools contained more and better information across all a project's subsystems, allowing advanced analyses across structural engineering, human usability (enough bathrooms?, enough light?), airflow, plumbing, energy consumption, and of course aesthetics via fly-throughs. What once required tedious manual analyses is now a simple by-product of constructing the model correctly after having the appropriate amount of money to buy the design software and the requisite modules.

No, I don't think I'm saying anything Earth-shattering here.

What I envision is an info appliance that exposes its entire fabrication, installation and functional process design documents to the user for analysis and modification, from hardware to software, open and explorable and ultimately expandable.

WeatherJune 30, 2020 5:27 PM

It will take me week to understand that, but can you send me a keyboard 92 char with 6 char input to openssl sha256, so the testorcheck function can be checked.

Clive RobinsonJune 30, 2020 5:31 PM

@ rrd, ALL,

When setting out to design a truly secure general purpose computing system (functioning like a modern pc), what is the single most important characteristic the resulting operating system must possess?

The short answer would be that,

    It should maintain confidentiality at all times.

It sounds a little trite but it's actually very very difficult to do, hence the old joke about disconnecting your computer setting it in a lage concrete block and dropping it in the deepest ocean trench...

The important thing to note however is back when that joke started we could not get down to the bottom of that trench, but now we can. Thus

    Security has to evolve with ALL technology.

Which means in quite a few respects we are in a "Red Queen's Race" running just as hard as we can just to stay where we are. But for an individual generaly we have depth and breadth of knowledge in just domain or field of expertise, which implies we might be in a loosing position.

Well we are and we are not it depends on where you and a potential attacker stand. If you want to make a secure OS then sorry you've already lost the security race, because it is only a part, actually quite a small part, of a secure system and in the general case it has way to much complexity. If you want to make the system secure then you have a chance, and the old joke gives you a clue as to how to do it,

    You need to consider the system as a whole and control access.

That is "disconnect it and put it in a concrete block" is the clue. It's describing what is a form of "perimeter security" all be it not a very usefull one unless the concreate block is a "block house" with guarded access points. Which is basically the security model used with early computers. Whilst it works it's kind of large and expensive to run for Personal Computing that these days can fit in a shirt pocket.

That is a Single Board Computer (SBC) that can be smaller than a 4 ounce chocolate bar can provide you with considerable computing power. The problem is that small as it is when it's connected up to make it usefull it "Eminates Compromising Emissions" and is also "Susceptible" to other compromising energy sources as well as being "overly transparant".

That is all functioning machines do work inefficiently. That is whilst they use energy some of that energy becomes by various transportation mechanisms the ultimate form of polution "heat". All of those transportation mechanisms are "Shannon Channels" and can carry information proportional to the channel bandwidth. Which means they can carry information out of the SBC that should not be. But also Shannon channels whilst apparently one way --from TX Source to RX Sink-- out of a system they can work in the opposite direction and carry energy back into a system and due to the way many systems are designed information can get back through the outputs through the system and out of the inputs thus the system is bidirectionaly transparent[1]. Also intentional energy inputs such as from a power supply can also carry information into a system that then appears on the system outputs and have confidential information superimposed on top of it. In essence this was a major problem with secure smart cards at the end of the last century and hence an attack called "Differential Power Analysis" caused all sorts of issues that entirely defeated other security mechanisms.

In short as our host has noted "Attacks only get better".

Because few people can build their own hardware and even of those that can only a very very tiny fraction can design them to be not just secure at "specification time" but through to actually getting into the field for a reasonable service life I've recommended people take a different approach to security which is mitigation rather than trying for "secure design".

I've talked about it in the past on this blog as "moving the security end point". In essence you have two computer systems one that is regarded as "insecurable" that is used as a "communications end point" the second as as "secure via energy gapping" that is the final "security end point" and connecting the two is a "choke point" which is a specialised communications channel that has the ability to have a high level of security[2] in part by instrumentation as well as by providing the important energy gap.

In essence information can only be compromised if it is communicated, and all communications requires the use of energy in some form. If you either stop the energy flowing from one computer to another or render the available bandwidth too small then the information can not travel from one computer to another. That is the basis of "energy gapping" and the process by which you stop the energy flow is by remmoving any transmission channels.

The energy you need to consider is,

1, Electromagnetic.
2, Mechanical.

Which can be carried in a transmission medium (Shannon Channel) by,

1, Conduction.
2, Radiation.
3, Convection.

Sometimes you can not remove the transmission medium (RF will travel through a vaccum quite easily). So you have to block the transmission method (radiation in the case of RF through a vaccum). This is usually done by using the likes of "shielding" and "absorbing" materials.

I've discussed how to do this in more depth in the past on this blog.

If however you do want to go down the design route as @Weather has pointed out I have also discussed this in depth as well on this blog in the past.

Whilst I'm happy to go through them again, the explanations take up quite a bit of space, which is why in the past the discussions were held at the end of pages after other discussions had had time to move on to other pages.

And I guess by this point you've possibly got some questions.

[1] A real world example of this are "Data Diodes with Error Correction". A data diode is "assumed" to alow information to flow only from it's input to it's output thus bee secure. However such a system can be unreliable for various reasons including data colision on a network connected output. The "engineering solution" to this unreliability is "error correction" which is a Shannon Channel in it's own right but in the opposite direction. It is all to easy to loose sight of this as as a communications channel and design the system "to be robust" such that the error correction goes all the way back through the data diode from the output to the input. It might not have a high bandwidth but it's probably sufficient in most cases to form a control channel such that an unprivileged system can talk to a privileged system through the security barrier of the data diode that is intended to stop that being possible.

[2] The simplest secure channel that can be used for a choke point is also impractical for most uses. It is that youvas a human take pencil and paper and write down the information from one computers screen and walk to the keyboard of the second computer and type it in. In effect "it puts the human in the security chain" thus the human mind acts as significant instrumentation to stop any compromising communications. From this you can reason upwards to more practical instrumented choke point communications channels.

rrdJune 30, 2020 5:46 PM

@ Thunderbird

[Oops, your post arrived while I was composing my previous.]

>> I think the primary characteristic is that it does not execute a program.

Ohh, you're no fun anymore ;-)

But, yeah, I'm referring to security from bad actors that are not the owner! That said, I do believe there is a path to that, too, but hoo-boy that would be the ultimate protection.

As with any project like this, the key is to start minimally and then expand carefully. As @Weather said, there are numerous technological approaches to walling off our processes, and I agree with their intents, but I'm thinking more first-principles, hardware-and-all complete system design.

I don't think there is anything at all inherently insecure about browsers and javascript (much as I loathe them both (and I loathed Gopher, too)); no, I'm sure that it's the OS that is insecure such that its apps' running amok can compromise its security.

>> But, if you're willing to accept "pretty secure"

No way. Nuh-uh. Never.

>> I would say first of all you have to be able to be sure only the programs you want are actually executed.

Yes, utterly essential.

>> This is incredibly difficult

Nothing worth doing in life is. (It's actually true, look at our world situation.)

As to the rest of your points in that paragraph, you are absolutely correct given our current architectures. No doubt.

All that said, I still disagree that any of the software you mention (Turing-complete included) is inherently insecure. Even software that generates and executes its own bare-metal machine instructions is not inherently insecure. In both cases the layers that wrap them (OS and even the microprocessor itself) are really the source of the insecurities, not the bumbling or malicious software that leads to being compromised.

[I want to know how many people's carpal tunnel was directly caused by EMACS; CTL-x, CTL-c !? No thanks. #TeamViBaby]

>> The second thing you need is that the system needs to be simple enough to be comprehensible.

You got it, but just complex enough to get the job done properly.

>> I think just the first requirement is enough to ensure your system never gets built and used, but if it isn't, the second one should prevent its success.

I love it. Fred Brooks' "No Silver Bullet" also inspires me. I don't know who said it (or if anyone ever did), but it's true: "Nothing is ever possible until someone does it." Sure, it's not technically correct, but I'm sure you understand my point about defying common beliefs as to what is possible.

>> Marketing people always want to add to the pile, not subtract from it.

Marketing people *are* a steaming pile. I worked for a marketing company a million years ago. If I ever, ever employ one, I hereby beg you to euthenize me forthwith. Consider this your indemnity clause.

Anyway, I'm curious what you think about my detailed response above. Cheers.

rrdJune 30, 2020 6:02 PM

@ Weather

>> It will take me week to understand that, but can you send me a keyboard 92 char with 6 char input to openssl sha256, so the testorcheck function can be checked.

Done. And you've got three days, tops ;-)

WeatherJune 30, 2020 6:30 PM

Even 0xa5 would be better, I only have a 15 year old laptop running winxp home, maybe Linux could process it, but Linux skill isn't the question.
A 0x00-0x7f systnax 32 long ,I will know if it is a sha2 hash, but the only reason I got a computer is some one died.

SpaceLifeFormJune 30, 2020 10:16 PM

@ Drone

Lie, Destroy, or Blame?

A play on words of the useless DOS three choice dialog box.

Reboot the system means we most vote and remove the malware next year (US).

The current system has a horrible UX (User eXperience).,_Retry,_Fail%3F

"It has become an icon of poor interface design, because it led exactly nowhere . . . A veritable Catch 22, since the only viable option appeared to be to keep typing R until one was willing to accept that one's work was lost and there was nothing left to do but shut down the program and start anew."

SpaceLifeFormJune 30, 2020 11:18 PM

@ Drone

Lie, Destroy, or Blame?

The 3 things that the fascists have been looping on for eons, in order to extract money.

A loop of their own design.

Covid-19 has exposed their useless system.

SpaceLifeFormJuly 1, 2020 12:13 AM

@ rrd, weather, Clive

"I'm referring to the *entire* system: kernel, devices, the whole thing. This is a greenfield, no limits, clean from-scratch design exercise."

Well, if you really think you want to take that path...

1. You have un-imaginable work to do

2. Look at FPGA

3. All development must be done offline. You will need to hand transfer all source code to a *trusted* machine that is off-net.

4. You will need to rebuild all software on the *trusted* machine from scratch using a *trusted* kernel, *trusted* toolchain, and a few more *trusted* tools such as bash and busybox. Those are static binaries.

5. To get those *trusted* binaries (toolchain, bash, busybox) onto your development machine, you will have to build them somewhere using tools you *trust*.

6. Your *trusted* machine has to have *trusted* microcode, and *trusted* bios/uefi, and *trusted* bootloader. Again, static code, but can it be *trusted*? At least it is off-net.

7. Read Reflections on Trusting Trust

8. Decide on your Faraday Cage design.

9. Verify that it is Evil Maid proof.

10. Punt, and follow the thinking of Clive, and re-evaluate your plans. It's way less headache to separate comms from another machine, energy gapped, and still get close to your security goals.

lurkerJuly 1, 2020 3:24 AM


Shades of Wuhan in Texas

No, it'll never happen. The Chinese method that is, in Texas. Australia and New Zealand both closed their borders early, but avoided a conflict by allowing their own citizens to continue to come home from the world's danger spots. During the initial 4 weeks tight lockdown the returnees were shut in at home, no problem.

As the lockdown eased a few of the more liberal minded returnees tried to skirt round the corners of "self-isolation". So hotels vacant from the lack of foreign tourist were pressed into action as "managed isolation" institutes. Lack of training or enthusiasm resulted in noticeable leakage, so some places were designated "managed quarantine". There was still leakage, so NZ appointed a military commander to instill some discipline and rigour to the process. Australia has just appointed their Department of Corrections [prisons] to manage the quarantine hotels. Still not the full Chinese method.

Jus imagine if you can, Texans confined by armed guards to temporary isolation facilities in a football stadium (or a conference hotel if they're lucky), armed guards on all doors and street corners, disinfectant spray trucks through every streeet. No?

etvJuly 1, 2020 6:19 AM

Andrew Zonenberg has been looking at secure fpga hardware/OS setups for some time


rrdJuly 1, 2020 10:20 AM

@ Clive & SpaceLifeForm

That's simply fantastic, the kind of education that makes this place great. Thank you both for both your selfless time and effort. Such incredibly concise deep-dives.

@ etv

Thanks for the very interesting link. That definitely very much looks like the kind of approach I have in mind.


As a software guy, I'm realizing that I intrinsically view such a design exercise as finding which model(s) would best facilitate developing such a system, those models being inseparable from the modelling tools. You have all plugged a bunch of new info into my own mental models about such an endeavor, and it's going to take awhile for me to integrate it all.

I don't think you will ever know how grateful I am for you all. The best we can do is plant seeds of positivity in our every interaction with others, and you have indeed done that; I hope to continue improving myself in that dimension.

As well, I hope you and your loved ones are staying healthy and hopeful in these troubled times. Namaste.

Now it's time for some hard graft...

myliitJuly 1, 2020 10:31 AM

@popcorn eaters, misc.

I’m going to try to take a break for awhile. Before I do, however, here’s a look at one event in a retirement community in the land of our President or the United States of Amnesia (“‘USA’”): millions of views, 2:07

“Seniors [ older people ] from The Villages in Florida protesting against each other ...”


Meanwhile, I might head over to:

Take care,
may you live in interesting times

Sherman JayJuly 1, 2020 2:07 PM

@rrd and @Weather • June 30, 2020 1:15 PM
'I'll say a prison setup, were each program gets its on play box with guard's'

While the below 'distro' is not a usable system yet, it is a step in the direction you mention:

he GoboLinux project develops a distribution with an unusual goal: reorganizing the operating system's filesystem. . . . . In GoboLinux you don't need a package database because the filesystem is the database: >>> each program resides in its own directory.

Sandboxes are another partial technique.

However, based on the fact that all the great minds here and in the 'outside world' haven't come up with a secure computing system. I must conclude that for now, it is the same as 'internet security' - vaporware and pipe dreams.

But, I encourage you all to keep thinking and dreaming, you might just come up with a workable answer to either or both.

vas pupJuly 1, 2020 3:10 PM

Thank you for your input.
I guess they should not have such time for talking, but rather exhaustive training and honing their skills(physical, emotional, tactical, etc.), so when time for real thing come, they are prepared as much as possible.

I found article on wiki:
with many links related to the subject which is currently hot around the globe.
I hope you'll like it.

SpaceLifeFormJuly 1, 2020 4:22 PM

@ Clive

An interesting side-channel attack because WIFI and BT use same freqs.

The devil will be in the details which will not come out until next month.


"During code execution within the Wi-Fi firmware, we even experience kernel panics on Android and iOS."

rrdJuly 1, 2020 6:47 PM

Vietnam has Chuck Norris'd COVID-19.


Not that anyone anywhere has any valid excuse for not doing the same, as everyone's experts have known from the beginning.

This situation is proving to be a cultural IQ test, with a heavy burnden of responsibility on their leaders, and the inertia of their educations fruiting predictably.

rrdJuly 1, 2020 7:40 PM

Oops. I seem to have forgotten them beating the heck out of people with sticks, so let me be clear that I'm not condoning that aspect of their response at all; "the same" I was referring to is solely with respect to the medical-advice-related behaviors that the people ended up adopting.

By hook or crook. Sophie's Choice? Majority rule vs. minority rights?

It's essential that people just choose to willingly adopt better cultural behaviors solely because they have learned it is best for the whole, not because they are physically threatened or worse.

But dang if those aren't some impressive results.

Regardless, I don't feel such rebels should be acosted unless it is proven they're recklessly spreading COVID-19.

Their ignorance sucks, especially for vulnerable populations -- espcially when they're so dang arrogant, whiney, illogical and belligerent about it -- but we must be very careful where our fear of what *might* happen leads us, even those of us familiar with epidemic math.

Even when we *know* that they should never have been let in the dang store without a mask in the first place. (I suppose the worst of our Americans are probably going in with a mask and then removing it.)

Adding to the ugliness is the fact that when a person of color goes against the rules of some establishment -- especially under govt regulation -- they are at serious risk of getting murdered or at least locked-up.

New pressures are showing old cracks, creating others, testing resilience.

WeatherJuly 1, 2020 8:36 PM

You hadn't sent me a 7 char input made of 92 chars of the keyboard to test, you use freebsd but can display in %2x the hash,
Wasn't going to replied because someone else sorted it out, but maybe..

SpaceLifeFormJuly 2, 2020 12:44 AM

@ Weather

Oh, it was '92 char with 6 char', and now it is 7 by 92?

You guys code talking? ;-)

@ rrd

Excellent link about the Vietnam response.

Three things stood out to me.

43% asymptomatic
Mandatory mask usage in public
No International plane flights

The entire report should be a PDB.

Ah, nevermind. #UnfitForOffice won't read it anyway.

SpaceLifeFormJuly 2, 2020 1:25 AM

@ Sherman Jay

"But, I encourage you all to keep thinking and dreaming, you might just come up with a workable answer to either or both."

My thoughts exactly.

To me, it's not just a hardware issue and/or a software issue, but trusting the crypto whether in hardware or software.

How's that random working for you today?

WeatherJuly 2, 2020 1:39 AM

Trust Dilbert , but that is what I'm asking, is dev random produce the same output, but that's my lack of knowledge, you should be able to find vector, as I know there is one.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Sidebar photo of Bruce Schneier by Joe MacInnis.