Friday Squid Blogging: Fishing for Jumbo Squid

Interesting article on the rise of the jumbo squid industry as a result of climate change.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Read my blog posting guidelines here.

Posted on June 26, 2020 at 3:57 PM · 124 Comments

Comments

SpaceLifeForm June 26, 2020 5:17 PM

@ name....

Who knew that bluebird house builders actually don’t like trees?

hxxps://www.wired.com/story/ddosecrets-blueleaks-wikileaks/

name.withheld.for.obvious.reasons June 26, 2020 6:15 PM

Lawful Access to Encrypted Data act
There is a disturbing amount of propaganda that has been part of this direct assault on general security that is part of the human defined transactional and operational domains. It is couched in the classic boogie-man arguments, nearly all of which appear in one sentence of the statement published by the U.S. Senate on background regarding the act. From child exploitation to trafficking of various illicit acts/objects, it includes terrorism in several flavors. One sentence.

Disingenuous Contextual Framing
The troubling propagandized text sets a contextual relationship between cryptography and criminality with the use of “warrant proof”. The ideas in my head, to date, are “warrant proof”. The banana I had for breakfast this morning is “warrant proof” even though I am still in possession of the banana. The foundational destruction of rights is clearly present in the statements supporting this fecal specimen wrapped in a senatorial trope. Underlying the issue is the apparent “government first” assertion, wherein the Fourth Amendment to the constitution specifies when an intrusion might be appropriate, not that intrusion is the first act. The senate is proposing a functional revocation of the state property/privacy firewall and the rights in both the fourth and fifth amendments.

Get the LEAD out
Legislative Title Suggestion: Lousy Encryption ASSerted by Dummies (LEAD)

The definition that I would assert describes this crowbar plied at the online security of citizens, of all persons really; from financial transactions, inter-organizational and intra-organizational communications, research and development, and confidential or sensitive messaging and documents. This is also a threat to speech and unpopular ideas and political dissent.

Dissent and speech have yet to be made formally illegal, only functionally the case is made reflecting the edges of speech slowly peeling off the parchment.

name.withheld.for.obvious.reasons June 26, 2020 6:19 PM

@ SpaceLifeForm

Unbelievable, or wait, normalizing authoritarian tendencies seems to be a pastime that has gone from amateur unorganized ad-hoc sporting event to amateur checkers formally organized with multiple professional associations and nationwide conventions.

Chris June 26, 2020 6:28 PM

I have tried previously to tell a person that I think should understand what I was talking about regarding RF sensors.

In this particular case we were talking about someone that was actually following ME 🙂
Yes, so I told the person: don’t use radios tactically to send position changes.

What we would need to mitigate this, I told her very plainly, was that you had better use a nonstop TX network such as internet 3G/4G and some audio reflector to use as the “virtual radio network” …

The person I told it to told me she understood what I was saying; still, 2.5 years later, nothing has happened!

//Jarkko

name.withheld.for.obvious.reasons June 26, 2020 6:28 PM

@ SpaceLifeForm, Clive, Jonknowsnothing, Sherman Jay, MarkH, and the irregular suspects
Am hoping that a few D.C. advocates, jurists, solicitors, officers of the court, having just recently awoken to the risks that are part of the landscape we witnessed for decades. Barr may be the spark, though I’d argue at less than a joule, in which those that have unwittingly tied their fortunes to the power structure understand that they too are at great risk. Have been in conversation with trusted citizens and thoughtful human beings, there is some hope in the wider world that may make a future possible instead of the destruction of the (a bit sarcastically) Universe.

A rumbling afoot, not a rambling.

Chris June 26, 2020 6:36 PM

Then we have another thing that is almost obvious, and it’s ANPR.

Do you think people who have a possibility of being a target of some LEA don’t have tools to do this?

Remember the reg number
Use an alarm for a previously remembered reg number
Use a central database of previously remembered reg numbers

Ok

Now this can also be implemented not only for reg numbers but for:
– Voice fingerprint
– Picture fingerprint

etc
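Chris’s three-step tool above (remember the number, alarm when it is seen again, share via a central database) can be made concrete. The following is an added Python example, not code from this thread or from any ANPR product. The sightings are constructed, and the two-hour window, the three-location threshold, the OCR look-alike mapping and the (kind, identifier) key are all assumptions; keying on (kind, identifier) is what lets the same detector serve the voice and picture fingerprints Chris mentions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Characters ANPR OCR commonly confuses; folding them trades a little
# precision for recall, which is what an alarm wants (assumed mapping).
_LOOKALIKES = str.maketrans({"O": "0", "Q": "0", "I": "1"})


def normalise(kind, ident):
    """Canonical form of an identifier so differently formatted reads match."""
    if kind == "plate":
        return "".join(c for c in ident.upper() if c.isalnum()).translate(_LOOKALIKES)
    return ident.strip().lower()  # voice/picture fingerprints: assumed hex digests


@dataclass(frozen=True)
class Sighting:
    kind: str        # "plate", "voice", "picture", ...
    ident: str       # identifier exactly as the sensor reported it
    when: datetime
    where: str       # coarse location label


@dataclass(frozen=True)
class Alarm:
    kind: str
    ident: str       # normalised identifier
    places: tuple    # distinct locations seen inside the window
    first: datetime
    last: datetime


class RepeatDetector:
    """Alarm when one identifier turns up at min_places distinct locations
    within `window`, i.e. when something is moving with you rather than
    simply parked on your street."""

    def __init__(self, window=timedelta(hours=2), min_places=3, ignore=()):
        self.window = window
        self.min_places = min_places
        self.ignore = {(k, normalise(k, i)) for k, i in ignore}  # own vehicles etc.
        self.history = defaultdict(list)     # (kind, ident) -> recent sightings
        self.last_alarm = {}                 # (kind, ident) -> time of last alarm

    def observe(self, s):
        key = (s.kind, normalise(s.kind, s.ident))
        if key in self.ignore:
            return None
        hist = self.history[key]
        hist.append(s)
        cutoff = s.when - self.window
        hist[:] = [h for h in hist if h.when >= cutoff]   # forget stale sightings
        places = tuple(sorted({h.where for h in hist}))
        if len(places) < self.min_places:
            return None
        last = self.last_alarm.get(key)
        if last is not None and s.when - last <= self.window:
            return None                                   # already alarmed this episode
        self.last_alarm[key] = s.when
        return Alarm(key[0], key[1], places, hist[0].when, hist[-1].when)


def scan(sightings, detector=None):
    """Replay sightings in time order; returns the alarms raised."""
    det = detector or RepeatDetector()
    alarms = []
    for s in sorted(sightings, key=lambda x: x.when):
        alarm = det.observe(s)
        if alarm is not None:
            alarms.append(alarm)
    return alarms


# Constructed sample data, not real observations.
T0 = datetime(2020, 6, 27, 8, 0)
SAMPLE = [
    Sighting("plate", "AB12 CDE", T0, "home"),
    Sighting("plate", "ab12-cde", T0 + timedelta(minutes=40), "shop"),     # same plate, different read
    Sighting("plate", "AB12 CDE", T0 + timedelta(minutes=70), "office"),
    Sighting("plate", "XY99 ZZZ", T0, "home"),
    Sighting("plate", "XY99 ZZZ", T0 + timedelta(minutes=30), "home"),     # neighbour's car
    Sighting("plate", "XY99 ZZZ", T0 + timedelta(hours=5), "office"),      # hours later, outside window
    Sighting("plate", "MY01 CAR", T0, "home"),                              # own car: on the ignore list
    Sighting("plate", "MY01 CAR", T0 + timedelta(minutes=40), "shop"),
    Sighting("plate", "MY01 CAR", T0 + timedelta(minutes=70), "office"),
    Sighting("voice", "VF:3F9A12", T0 + timedelta(minutes=5), "home"),
    Sighting("voice", "vf:3f9a12", T0 + timedelta(minutes=45), "shop"),
    Sighting("voice", "vf:3f9a12", T0 + timedelta(minutes=90), "office"),
]

if __name__ == "__main__":
    for a in scan(SAMPLE, RepeatDetector(ignore=[("plate", "MY01 CAR")])):
        print(f"ALARM {a.kind} {a.ident}: seen at {', '.join(a.places)} "
              f"between {a.first:%H:%M} and {a.last:%H:%M}")
```

The alarm condition is location diversity inside a time window rather than a bare repeat, because a neighbour’s car reappears every day without following anyone; the ignore list does the same job for your own vehicles. A central database in Chris’s sense is just a shared `history` with the same pruning rule applied by every contributor.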

Drone June 26, 2020 8:55 PM

A perfect example of what mail-in ballot fraud looks like…

  • 13-May-2020: Paterson, NJ 1st-Ward Councilman Michael Jackson (remember that name) complains about his upcoming election being converted to only mail-in ballots because of COVID-19:

“This whole election has been screwed up,” said Jackson, the incumbent in the 1st Ward race.[1]

Meanwhile, Councilman Michael Jackson and three others in Paterson, NJ were quietly conducting mail-in ballot harvesting and other forms of ballot fraud. As the counts came in, it became clear to the race losers that something wasn’t right. There were calls for recounts and investigations. It turns out that due to the way the stupid fraudsters mailed-in their fake ballots, there was already a mail-in ballot fraud investigation underway.

“Voting fraud charges filed against Paterson councilman and councilman-elect…

[New Jersey] Attorney General Gurbir S. Grewal announced voting fraud charges against 1st Ward Councilman Michael Jackson, 3rd Ward Council-Elect Alex Mendez and two other men, weeks after the May 12 local election in which the Passaic County Board of Elections decided not to count 800 city ballots found scattered across different municipalities.

Both Jackson, 48, and Mendez, 45, were charged with fraud in casting mail-in votes, unauthorized possession of ballots, tampering with public records and falsifying or tampering with records, according to the statement. Mendez was additionally charged with election fraud and false registration or transfer.

Along with Jackson and Mendez, two Passaic County men, Shelim Khalique, 51, of Wayne, and Abu Razyen, 21, of Prospect Park, were also charged.

The investigation was sparked by reports that hundreds of mail-in ballots were found in a mailbox in Paterson and in a mailbox in Haledon.”

Moral of the story: Don’t dump all your fake mail-in ballots in the same mail box all at once, it looks suspicious.

After reading many mainstream media reports about this case of mail-in ballot fraud, none cited the political affiliation of any of the perpetrators. I think that speaks for itself. In-fact I’m surprised this case was reported on at all.

Happy squid day…

  • References:
  1. https://www.northjersey.com/story/news/paterson-press/2020/05/13/nj-elections-patersons-vote-count-delayed-until-next-week/5184358002/

  2. https://www.nj.com/passaic-county/2020/06/voting-fraud-charges-filed-against-paterson-councilman-and-councilman-elect.html

SpaceLifeForm June 27, 2020 1:49 AM

@ Drone

Lie, Destroy, or Blame?

Lie, Destroy, or Blame?

Lie, Destroy, or Blame?

In order to escape from this three-choice dialog box in a loop that refuses to acknowledge reality,

we must reboot the system.

Gaius Petronius Harper Ogburn June 27, 2020 2:25 AM

@SpaceLifeForm

we must reboot the system

Maybe not

“We trained hard, but it seemed that every time we were beginning to form up into teams we would be reorganized. Presumably the plans for our employment were being changed. I was to learn later in life that, perhaps because we are so good at organizing, we tend as a nation to meet any new situation by reorganizing; and a wonderful method it can be for creating the illusion of progress while producing confusion, inefficiency and demoralization.”

Alejandro June 27, 2020 7:07 AM

Another face ID fail:

‘The Computer Got It Wrong’: How Facial Recognition Led To False Arrest Of Black Man

https://www.npr.org/2020/06/24/882683463/the-computer-got-it-wrong-how-facial-recognition-led-to-a-false-arrest-in-michig

Seems facial-id footage from a cheap store video cam is not accurate with black folks. It’s a well known issue of the technology in general.

Not to worry, Detroit PD jumped in regardless and grabbed a man named Williams off his front lawn, in front of the kids, based on the footage and ID software. But, they were…wrong. Oops!

NOW, they say they will only use it for very serious crimes or whatever.

Police cannot handle the new technologies. We should work harder to handle the police.

Clive Robinson June 27, 2020 8:26 AM

@ Alejandro,

Not to worry, Detroit PD jumped in regardless and grabbed a man named Williams off his front lawn, in front of the kids, based on the footage and ID software. But, they were…wrong. Oops!

It will be found that they were not wrong… Just acting on “good faith” or whatever, just as they are when a CI gives a tip that was either wrong or the handler noted down the wrong address.

People need to understand how law enforcement works, or more correctly does not.

To start off with, around 80% of cases that are really solved are down to the criminal fraternity either “mouthing off” or getting “grassed up”.

That is, the police have a suspect that “they know did it”; all they have to do is build a case around them. Thus they only look at what incriminates, not what exculpates.

That is the police’s basic MO; the problems start when they are not “gifted a guilty individual”. They then fall back on the old “foot work” they hate, of interviewing people, checking stories and facts, and basically not sitting at their desks with a coffee and doughnut etc. They thus have to,

1, Build a list of suspects.
2, Eliminate the unlikelies
3, Then pick who ever makes the top of their list.

Often this is done by a bunch of “rules of thumb” including the good old favourites of “They look odd so it must be them”, “We know they are guilty of something”, or “We know they are crooked so it’s their turn”, but best of all “My gut tells me it’s them”.

At which point they go for “find what makes them look guilty”; as indicated, any exculpatory evidence will not only “not be investigated”, it will not get recorded in any way, because there is that annoying thing that says all evidence has to be handed over to the defence. And the last thing a doughnut muncher wants is for all his hard work finding things to make the defendant look guilty to be wasted, and for the muncher to lose any pay/job enhancement/promotion “brownie points”.

It’s why smart lawyers tell their clients not to say anything, not even confirm their name, and let the lawyer do all the talking.

Three reasons for this in the US are,

1, The LEOs are allowed to lie.
2, The defendant is not allowed to lie, mislead or even make an honest mistake due to poor memory or because they are confused/scared.
3, Actually claiming your rights has been made so difficult that it can easily be got wrong even by a smart lawyer.

But there is a fourth reason that is not the LEOs but the DAs. They have to find you guilty of something, even if it’s just looking at the moon in a funny way. The reason is that if you are innocent and wrongfully arrested etc. you stand a chance of getting compensation, but only if they cannot find an excuse to find you guilty of something. This is what is behind plea deals etc.; the more they threaten you, the less likely it is they have a real case. If you don’t take the deal, their only way to avoid the ignominy of failing is to “rights strip you”, which is a well known process of keeping you forever locked up or incapable of earning money; they then keep throwing junk charges and asking for more time etc. till they bankrupt you and your family etc.

That’s the system, and all those who play against the defendant are in it up to their eyebrows, and mostly judges let them get away with it, because it’s generally not in a judge’s best interests to do anything else…

The notion that a person is innocent until proven guilty does not sit well with the “beast”. That is, the less bright in society being driven on by the MSM that in effect “demand blood”. For they care not whose blood, as long as there is blood. Any judge that gets either elected or effectively promoted by politicians knows that if the beast does not get some defendant’s blood then it will be the judge’s blood that the beast will go after.

If people think I’m being overly despondent about the MO of LEOs, DAs or politically controlled judges, maybe they should take a look at the US justice system in the likes of Chicago, where “illegal detention centers” were set up and used against those on the lower rungs of the socioeconomic ladder. Then there are the judges who have been on the take from private prison operators, and much much more.

The release of those secret police records are likely to throw up lots and lots of further examples.

But we already know that LEOs tamper with body cams, and now the disappearing text message apps (Tiger Text / Silent Phone) story is going to show just a little more of the corrupt underbelly of the US justice system.

As my father used to tell me,

The best place to be when there is trouble, is somewhere else. Preferably as far away as you can be.

As the entire US justice system, from the AG down to the lowest of street cops, is “trouble”, it’s going to be a bit hard to “be somewhere else” unless you fancy foreign climes, and that’s none too certain either these days…

myliit June 27, 2020 8:47 AM

@Alejandro, Clive Robinson

From the OP: “… What makes Williams’ case extraordinary is that police admitted that facial recognition technology, conducted by Michigan State Police in a crime lab at the request of the Detroit Police Department, prompted the arrest, according to charging documents reviewed by NPR. …”

What makes me thankful is LEO(s) divulged that, something like, “the computer told them to arrest him.” Without their disclosure(s), we might be clueless or still in the dark about what’s going on.

Let’s see: a) wholesale surveillance, b) facial, voice, license plate, gait, etc., recognition, deep fakes, and so on, c) then computers making arresting decisions, then d) (d for duh) what’s next: drones or robots arresting people? What could possibly go wrong under our President or Attorney General?

Nick Levinson June 27, 2020 3:06 PM

“China Standards 2035” appears to be a concerning risk. It’s not fully formed. Now, it’s reportedly just a guide to development goals. But the People’s Republic of China apparently may be building it into some of its international agreements with nations dependent on China’s Belt and Road Initiative, an international development program financed by loans that some nations may have difficulty paying off, deepening the obligation they will have to the P.R.C., and, anyway, some nations may find enough benefit for their governments to not want to object.

China may want a new IP system to give nations more control over connections, permission to use, and content. The system of introduction of final standards may be that new technology that the present IP system is not ready to support at the level users would demand (there’s always new tech) would be the opening for a P.R.C.-developed IP system. I don’t think IPv6 or 4 would be banned outright soon, but China might want to obsolete them, internationally and over time. The system may be mandatory for some products and services sold internationally from P.R.C. even before standards are finalized, such as by requiring that a framework be in place. Possibly, that requirement could conflict with the better standards, conflicting technologically (e.g., in forcing leaks through incompatibility), financially (in, e.g., cost of manufacturing), and/or legally (in some jurisdictions).

Cracking security can do more or less the same things, but this would forbid fixing without governmental consent. Governments can disconnect the Internet at border crossings and over the air now, but this would give governments more fine-grained control.

The role of U.S. government-to-government diplomacy may be in jeopardy, if we are less likely (since a 2017 order) to have people in place to protect some version of a system that’s reasonably secure, supports popular demands such as for information flows, and is reliable and inexpensive. We may need to address third nations’ concerns. There are negotiations anyway; our presence would make a difference.

Some sources (and higher-quality sources are available to subscribers et al.):

Overview: https://techcrunch.com/2020/04/11/chinas-next-plan-to-dominate-international-tech-standards/

Lay meaning of standards as concept: https://www.cnbc.com/2020/04/27/china-standards-2035-explained.html

Arguing against P.R.C.’s plan: https://securityboulevard.com/2020/04/china-wants-to-control-all-the-internet-with-new-ip-plan/

There must be something more substantial from P.R.C. giving its view, even unofficially, but at least there’s this promotional tidbit: https://www.globaltimes.cn/content/1187060.shtml

dbCooper June 27, 2020 5:23 PM

For those of the belief the major social media platforms are in need of a reformation, as regards content and security, Mr. Schneier has been a proponent that an economic angle of attack would likely cause the fastest response.

From a content perspective this will be playing out over the coming weeks, at a minimum on one type of content. Here’s to hoping that is successful and it leads to further reforms on these sites.

ismar June 27, 2020 7:38 PM

Further to my question from previous Friday, and having received no satisfactory answer (Clive was for some reason shy to wade in, and it looks like the saying “If you want something done, do it yourself” still holds as well as ever), here is one possible explanation of why the oppressive regimes are so successful in maintaining their grip on power

https://theconversation.com/would-you-stand-up-to-an-oppressive-regime-or-would-you-conform-heres-the-science-124469

which explains a couple of social behaviour-based reasons for maintaining of the status quo.

One interesting aspect of these behaviours is that, even though the people may be fully aware of the oppression, (like in case of Edward’s revelation of the NSA spying on American citizens), the possibility of change is minimal unless an alternative solution (for governance) is offered.

This is something that Edward has failed to do – there is still time Edward :-), yet something that Bruce tries to tackle in his book Data and Goliath – there is a whole chapter on possible solutions.

As we know the book was released 5 years ago now …

Dan Rachamim June 27, 2020 8:53 PM

I thought the HOR policing proposal on cameras demonstrated how hard it is to create policy around video: who gets access to the recordings? When can cops record? When must they? When can there be editing?

Wesley Parish June 28, 2020 1:54 AM

I thought I’d swear off commenting for a while, but today I found something so interesting, an analysis of the power plays that led to the First World War and the similarities to today, that I thought I should pass it on. It’s in a book titled “Dreadnought: The Ship that Changed the World” by Roger Parkinson, ch 10 “From Jutland to Washington”, pg 244, and reads:

In an age of deterrent weapons their deployment is based on the possession and preservation of the weapon rather than its use. […] That the dreadnoughts were not a very effective deterrent is beyond doubt, which leads again to the conclusion that the effectiveness of a deterrent is directly related to the available counter-measures deployed against it. […] Strategic deterrents of our own age have yet to be subverted by effective counter-measures and for the moment in some sense remain ‘classical’ weapons. […] [The dreadnoughts] were designed as ‘classical’ weapons to emulate the role of the eighteenth-century wooden line-of-battleship, yet were compromised by covert weapons that proscribed their role to an extraordinary degree. […] Howbeit, the disinclination of the fleet commanders to seek action places the dreadnoughts much closer to the strategic deterrents of the late twentieth century than to the wooden battleships of the age of Nelson.

Note: the “covert weapons” referred to are the mine, the torpedo, the torpedo boat/destroyer and submarine.

And its relationship to the subject of this blog, namely cybersecurity and its correlation, personal privacy and protection? Well, for a start, as everybody who’s got a working brain and who has analysed nuclear issues over the past few decades knows, nuclear weapons are unusable except as threats. They are too absolute. Cyberweaponry – to the degree we can use that word of malware and suchlike – are not. They can be used, and as far as we can see, that is what is happening – they are being used.

They are making the nuclear weaponry obsolete – not so much as by the old Third Ronnie trick of explicit counterweaponry aka SDI (renamed by Arthur C Clarke as BDI – Budgetary Defense Initiative) aka “Star Wars” – as by the simple procedure of taking the back route and bypassing them completely.

You see, with “cyberweaponry” you take “war” – conflict between nations – off the battlefield and into the ordinary citizens’ lives. It makes PsychOps – “psychological warfare” – into the centre of the conflict, with battlefield clashes a mere sideline. And it bases its PsychOps on details it gets from the data so lovingly and assiduously collected by various home team TLAs and corporations, and so assiduously leaked by incompetent admins.

Defense must be in-depth in this scenario, which isn’t happening. I think the Chinese and the Indians and the Pakistanis know this and I wouldn’t be surprised to find out after another half-century – assuming I live that long – that I hit bullseye with that statement. Judging from the attempts to roll back various human rights provisions of various human rights instruments – treaties, constitutions, whatnot – the well-heeled classes in the “Democratic West” have yet to understand this. I expect the major current cyberwar battlefields to be between India and China, and India and Pakistan – the US is most probably a sideshow by now. Thank the repeal of the Glass-Steagall Act and the Citizens United decision for that.

myliit June 28, 2020 7:47 AM

re: Wirecard

https://www.bloomberg.com/opinion/articles/2020-06-23/wirecard-fraud-scandal-could-give-fintech-a-bad-name

“… It’s also tempting to argue Wirecard isn’t emblematic of fintech anyway. Industry insiders say they’ve long been confused about the mismatch between the German firm’s DAX blue-chip status and its lack of presence on the ground bidding for clients. Wirecard’s bombshell revelation of a $2 billion hole in its bank account has little to do with technology and potentially a lot to do with dodgy accounting, as a series of Financial Times articles over the past year had already pointed out.

[…]

There are also hidden complexities in the business. Garen Markarian, chair of financial accounting at the Otto Beisheim School of Management, gives the theoretical example of someone buying a KLM airline ticket in Vietnam: A Wirecard partner might collect the money, transfer it to a foreign-exchange firm for a currency conversion, hand it to Wirecard to pass on to KLM for a fee and take a cut itself. This isn’t quantum physics, but it introduces execution risk. If internal controls aren’t strong, money can be lost. …”

Anders June 28, 2020 8:10 AM

@Clive

Have you got a chance to see the Megaprocessor up close and personal?

megaprocessor.com/index.html

metro.co.uk/2016/07/09/hero-spends-40000-on-supercomputer-that-only-plays-tetris-5996891/

rrd June 28, 2020 9:55 AM

@ ismar

my question from previous Friday, and having received no satisfactory answer

We all have the free will to choose willful ignorance over open-minded curiosity. That fact is especially obvious here in America with the Trumpers, but it’s true for atheists, too, who contend that they can comprehend the Creator of all that will ever exist, its physical laws and consequences, and our role in it, without first going within and making contact themselves. (And while ignoring the point-source of the universe and the fact that 5/6ths of its mass is utterly missing.)

Trumpers will never receive a “satisfactory answer” to how awful a human being he is or how anti-American and anti-Christian he is. They will only ever believe in what they already believe, and that is their choice, even though they can’t defend their position logically in words and are obviously falling on the down side of Dunning & Kruger’s monumental findings from 21 years ago.

You reject my position out-of-hand, with no questions asked and no points made. In fact, I doubt you even read it for comprehension. I see no difference in attitude between you and the Trumpers, although you are no doubt both more intelligent and less belligerent.

If you tasted the joy my family experiences on a daily basis you would know what I say to be true, yet you persist in failing to live the life of a scientist: to test the theory for yourself. All I suggest is for you to go within yourself and beg our Creator and Its universe to help you transmute your vices into their corresponding virtues. I ask for nothing for myself nor do I state any preference for any one form of religion over another. I merely suggest that you make your own connection and follow your intuition from there. (I also suggested Huxley’s “The Perennial Philosophy” as an excellent, Western approach to the universality of the Religion of Love that comes in many forms.)

So you simply categorically deny my description of human nature because of what, exactly? And yet you have no question for my advanced understanding of human nature and the nature of spiritual development? You have no argument and no counter-claims and yet you claim you can judge what I have said to be wrong?

So you do what the Trumpists do: you just ignore the new facts until you find someone to mollify you with what you are already familiar with.

Remember, the word ignorance comes from the verb “to ignore”.

This entire world’s peoples have been doing a heckuva lot of ignoring for a heckuva long time, from our treatment of others to our treatment of the Earth to how exactly we can consciously evolve ourselves into a cooperative world society of equals.

The 4th World Chess Champion, Alexander Alekhine said:

You can become a big master in chess only if you see your mistakes and short-comings. Exactly the same as in life itself.

You asked a question and the universe answered you.

We can never have security if we don’t understand how the hateful, deceitful power-mongers of the world work. Neither can we establish a just society that treats people solely according to the “content of their character”, until we at least try to become better people ourselves.

The people who actively encourage the oppression of others (physically, economically, or however) are living in their mammal brains and its pack-on-pack brutal competition. To be “humane”, a “humanitarian” and possess “humanity” requires us to go beyond mammalian divisions, and that requires us to first and foremost be open-minded as to why we are here and how we should act for the benefit of all our fellow human beings.

The eye doesn’t make the light, the ears don’t make the sound; which thoughts and emotions are you choosing to tune into, and which are you turning away from?

I have seen my parents warping themselves over the years by first FoxNews and now OAN. That these populations of hypocritical, self-blinding oppressors crop up in every culture and ethnicity across the Earth are really the only threat to our security. They’re the only threat there ever has been to anyone’s security (at least as far as human-sourced causality). That’s because they have the free will to choose to be an evil bastard, but there’s also the way of Dr. King, the (by far) Greatest American Yet, whose final lesson was chilling for those of us who see his self-sacrifice for what it is: a lesson in how evil a group of people can become. Our 2020 American society is rife with people who align themselves with the evil, evil people who wanted Dr. King dead.

There are only so many ways a person can deal with a new truth:

  1. Accept it and modify one’s attitudes correspondingly.
  2. Ignore it because it doesn’t fit into their preconceptions.
  3. Attack it by simply claiming it’s false.
  4. Attack it by making up lies as counter-claims.
  5. Leave it under consideration until further exploration is performed.

Pick a number, any number. Open-mindedness and honest self-evaluation are rewarded by the universe, we being the only abstract information processors around this delightful, beautiful, mind-blowing creation.

rrd June 28, 2020 11:33 AM

@ Wesley Parish

Yeah, airplanes and their carriers killed the dreadnoughts dead. Being able to use extremely cheap squadrons of planes to scout, surprise and sink ginormous ships in minutes put paid to the “romance” of crossing the T.

I’d say that the West’s failure to address the PsyOps available via the internet is more about our own politicians treating our citizens merely as consumers that the politicians, themselves, wage their own PsyOps against. GOPers are actively using the very same techniques developed decades and decades ago, in addition to good `ol American campaign bullsht, bolstered by modern data collection, as you mention.

Speaking of PsyOps, I wonder if any of you have an opinion about Yuri Bezmenov’s 80’s interviews “Deception was My Job” and “Psychological Warfare: Subversion of Western Society” (both were on youtube and appear to still be). Sure looks like Putin’s playbook to me, and evidently rather effective, the more so with the internet now in full voice. (Bezmenov, IIRC, talked about his efforts in India on behalf of the USSR, so perhaps that’s how India is so intimately acquainted with such ops, as you suggest.)

Alas, probably the simplest (but not at all simple) way to effectively defeat such efforts against the populace would be mass education but that first requires willing students and those are obviously thin on the ground, especially in the vulnerable groups.

The only other way I can imagine solving the problem would be to deanonymize the internet, but that opens up all sorts of other barrels of worms related to the utter untrustworthiness of our politicians. I mean, the world had to take back a Nobel Peace Prize because of how, as leader, she allowed what appears to be genocide and other atrocities among her own citizens, albeit ones of a marginalized minority sub-society, her government’s crimes aided, abetted and stoked by FB’s pipe.

Finally, with anonymity as with anything we do when no one’s watching, it all boils down to personal ethics/morality on how one chooses to live their life with respect to our fellows. Consensus on the issue of that “how” certainly resides in the realm of contention thus far.

JonKnowsNothing June 28, 2020 11:34 AM

@All

re: Triage and COVID19 deaths UPDATE

The COVID19 outbreak in care homes, specifically in the UK and Sweden but in other countries too, represents a huge percentage of total deaths. There are on-going questions about how the “protective rings” and “secured settings” were breached to the extent that ~50% of the deaths in some areas came from care homes.

The stories, or porkies as they say, just get worse as the truth of what is taking place becomes clearer with every death.

The post dated 06 02 2020 referenced an outbreak of COVID19 in a care home in the UK:

  • [An] outbreak infected 62 of the 82 residents [in a care home]
  • 24 people have died
  • [The care home] offers nursing, palliative care and dementia care and accepted patients with Covid-19 who were discharged from hospital.
  • Four of the people who died were those who were sent from hospital after supposedly having recovered from the virus

The unanswered questions were

  1. If they were truly cleared by the hospital then this is a confirmed second re-infection of 4 people.
  2. If they were not actually cleared and sent to a care home, 20 other people became infected and died and 58 people became ill.

Well, we have some new answers:

  1. The Hospital Transfers were not clear of COVID19
  2. The Hospital Transfers had active COVID19 infections
  3. The care homes were not informed
  4. The care homes did not get PPE (and still do not get PPE)
  5. Little or no COVID19 testing occurs
  6. “Releasing hospital patients into care homes without Covid-19 tests was not illegal”
  7. “excess death toll in UK care homes during the pandemic is now close to 32,000, almost twice the official number of confirmed or suspected fatalities from the virus.”
  8. “In England 54% of all excess deaths were in care homes”

The Hospital Transfers were likely sent as hospice/not expected to survive, freeing up beds for others.

The popular finger pointing goes to infected staff, working at multiple facilities, as the primary source of infection. Active COVID19 patients being released from hospital into a care setting may be a bigger source of infections.

The good news finding? That the 4 known COVID19 patients who were “clear” did not get a second helping of COVID19, they had active infections when they arrived and never recovered.

The bad news finding? Surviving The Swedish Treatment (aka Herd Immunity Policy), is going to be much harder to achieve because it “isn’t illegal for the government to kill you”.

ht tps://www.schneier.com/blog/archives/2020/05/friday_squid_bl_731.html#c6811841

ht tps://www.theguardian.com/world/2020/jun/28/covid-19-risk-of-death-in-uk-care-homes-13-times-higher-than-in-germany

ht tps://www.theguardian.com/world/2020/jun/12/matt-hancock-faces-legal-action-from-daughter-of-covid-19-care-home-victim

ht tps://www.theguardian.com/world/2020/jun/21/releasing-english-hospital-patients-into-care-homes-not-illegal

def: Telling Porkies / Porky Pies is Cockney slang for Lies
(url fractured to prevent autorun)

Clive Robinson June 28, 2020 12:42 PM

@ Anders,

Have you got a chance to see the Megaprocessor up close and personal?

I think we talked about it on this blog half a decade ago…

But no I’ve been no closer than look at photographs.

One of the things I remember is that it was “not quite” how computers work, even the old PDP8 that was transistorized (which I not only worked on but had occasion to repair a couple of times)…

That is if you look in the photographs of the Megaprocessor at the “full adders” used in the ALU, they are what you find in school/college text books given as simple “two input logic gates”.

In practice we don’t do things that way and have not done so since the Z80 or earlier (some cough cough forty years or more ago). What we do is include “lookahead carry” to speed things up and then “strip out” redundancies at the gate level and below.

But more importantly we also use entirely different methods these days as well. One such is small look up tables via multiplexers as in effect they have fewer gates in series and are thus faster by nanoseconds or fractions thereof[1].

Surprisingly to some, ALU adder designs are still a “hot research topic” with papers being published from time to time. The problem is that they’ve moved several steps ahead of the “full adders” you get taught in school/college in ways where reading a paper from this decade would be almost meaningless without knowing the steps in between.

If however you go back to just before the turn of the last century you can still find readable papers such as,

    64 bit media adder : Aamir A. Farooqui , Vojin G. Oklobdzija , Farzad Chechrazi

http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.119.1158

However for those playing “catch up” or wanting to know more this paper from a decade ago goes into various adder types and the trade offs as well as nice logic diagrams for those “doing the VHDL thing” on a graduate course,

    Energy-Efficient Design Methodologies: High-Performance VLSI Adders (2010) : Bart R. Zeydel , Dursun Baran , Vojin G. Oklobdzija

http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.190.3022

[1] Until about a decade and a half ago, when energy became way more important due to “heat death” issues, speed or more correctly minimising “gate depth and delays” was what people were talking about. Conventional simple two input TTL logic gates have around 7ns delay with XOR gates having longer delays. Which along with other “metastability” delays is a “glacially” long time slowing your potential clock speed down to 10MHz or less, even the 74LS181 4-bit ALU had 60ns or more delays. Which when you consider it is critically important as all “Arithmetic” instructions use the N-bit adder at their base (CPU ALUs only speak “integer” and ADD, to get SUM and MUL instructions, with DIV being done in various ways including by MUL).
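To make the “full adder versus lookahead carry” point above concrete, here is an added gate-level model in C (my example, not Clive’s code and not part of the Megaprocessor). It builds an 8-bit adder twice: once as a ripple-carry chain of textbook full adders made from two-input gates, and once as a carry-lookahead adder where every carry is expanded from generate/propagate terms and the carry-in only. Both are checked exhaustively against native addition, and each reports how many gate levels sit on its longest path. The 8-bit width, the depth-counting convention (each wide AND/OR counted as one level) and the self-check are this example’s assumptions; real designs split the lookahead into 4-bit blocks because fan-in is limited, which the model does not do.

```c
#include <stdio.h>

/* Added example (not from the original thread): a gate-level model of an
 * 8-bit adder built two ways. NBITS, the depth-counting convention and the
 * exhaustive self-check are this example's assumptions. */

#define NBITS 8
#define MASK ((1u << NBITS) - 1u)

typedef struct {
    unsigned sum;   /* low NBITS bits of the result */
    unsigned cout;  /* carry out of the top bit */
    int depth;      /* gate levels on the longest path in this model */
} add_result;

/* Textbook full adder from two-input gates:
 *   p = a ^ b, sum = p ^ cin, cout = (a & b) | (p & cin).
 * The carry passes through two gate levels (AND, then OR) per bit. */
static unsigned full_adder(unsigned a, unsigned b, unsigned cin, unsigned *cout)
{
    unsigned p = a ^ b;
    *cout = (a & b) | (p & cin);
    return p ^ cin;
}

/* Ripple-carry adder: the carry out of bit i is the carry in of bit i+1,
 * so all NBITS full adders sit in series on the critical path. */
add_result ripple_add(unsigned a, unsigned b, unsigned cin)
{
    add_result r = {0, 0, 0};
    unsigned c = cin & 1u;
    for (int i = 0; i < NBITS; i++) {
        unsigned s = full_adder((a >> i) & 1u, (b >> i) & 1u, c, &c);
        r.sum |= s << i;
    }
    r.cout = c;
    /* one XOR for p, 2 gates per carry stage, one XOR for the top sum bit */
    r.depth = 1 + 2 * NBITS + 1;
    return r;
}

/* Carry-lookahead adder: generate g_i = a_i & b_i and propagate p_i = a_i ^ b_i
 * are formed in parallel, then every carry is expanded as
 *   c_{i+1} = g_i | p_i g_{i-1} | p_i p_{i-1} g_{i-2} | ... | p_i ... p_0 c_0
 * which depends only on g, p and c_0, never on an earlier carry. */
add_result cla_add(unsigned a, unsigned b, unsigned cin)
{
    unsigned g[NBITS], p[NBITS], c[NBITS + 1];
    add_result r = {0, 0, 0};

    for (int i = 0; i < NBITS; i++) {
        g[i] = (a >> i) & (b >> i) & 1u;
        p[i] = ((a >> i) ^ (b >> i)) & 1u;
    }
    c[0] = cin & 1u;
    for (int i = 0; i < NBITS; i++) {
        unsigned carry = 0, term;
        for (int j = 0; j <= i; j++) {          /* term g_j p_{j+1} ... p_i */
            term = g[j];
            for (int k = j + 1; k <= i; k++) term &= p[k];
            carry |= term;
        }
        term = c[0];                            /* term p_i ... p_0 c_0 */
        for (int k = 0; k <= i; k++) term &= p[k];
        c[i + 1] = carry | term;
    }
    for (int i = 0; i < NBITS; i++) r.sum |= (p[i] ^ c[i]) << i;
    r.cout = c[NBITS];
    /* p/g level, one wide AND level, one wide OR level, final XOR; each
     * wide gate counted as a single level (this model's assumption). */
    r.depth = 4;
    return r;
}

/* Exhaustive check: both models must agree with native addition for all
 * 2^NBITS * 2^NBITS * 2 inputs. Returns 1 on success, 0 on first mismatch. */
int check_all_inputs(void)
{
    for (unsigned a = 0; a <= MASK; a++)
        for (unsigned b = 0; b <= MASK; b++)
            for (unsigned cin = 0; cin < 2; cin++) {
                unsigned ref = a + b + cin;
                add_result rc = ripple_add(a, b, cin), cl = cla_add(a, b, cin);
                if (rc.sum != (ref & MASK) || rc.cout != (ref >> NBITS)) return 0;
                if (cl.sum != (ref & MASK) || cl.cout != (ref >> NBITS)) return 0;
            }
    return 1;
}

int main(void)
{
    add_result rc = ripple_add(200, 100, 0), cl = cla_add(200, 100, 0);
    printf("exhaustive check: %s\n", check_all_inputs() ? "ok" : "MISMATCH");
    printf("200 + 100: ripple sum=%u cout=%u depth=%d, CLA sum=%u cout=%u depth=%d\n",
           rc.sum, rc.cout, rc.depth, cl.sum, cl.cout, cl.depth);
    return 0;
}
```

The depth figures are what the passage is about: the ripple chain grows linearly with the word width, whereas the lookahead carries stay at a fixed number of levels, at the price of much wider gates, which is exactly why practical designs block them into groups of four and then apply lookahead again across the blocks.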

rrd June 28, 2020 12:57 PM

@ JonKnowsNothing

All your points are bang-on, as the Brits say.

Baltimore’s “Maryland Baptist Aged Home” has had zero deaths. They attributed their taking COVID-19 seriously and requiring mask use, limiting visitation to outdoors and social distancing (via more TVs) to doing the opposite of what Trump said. I mean, that is precisely what their director said.

Really, infectious disease handling is not something mysterious nor particularly difficult, once we know the vectors of transmission and have the PPE necessary to contain the infection. The problem is solely with the people that refuse to listen to science (and the recommendations of its experts). This occurs especially in those whose motivations in life run counter to those recommendations due to their being enamored with money, wanting to display their allegiance to power, or just simply not giving a crap about other people’s health and safety. The opposite of love really is selfishness, at least in the dimension of action (the emotional opposite being hatred, of course, with its cruelties, oppressions and other comorbidities).

The key to Maryland Baptist Aged Home’s success is simply that they made a determined effort to learn what experts suggested they do to protect its patients, staff and relatives, then they effing made sure they did it, like an engineer in the Mercedes F1 factory machining a crankshaft or Lin-Manuel Miranda scripting a musical.

It’s really not that amazing what people can do when they put their minds and hearts into something (because people can be suuuper amazing), except for it’s so dang rare that people ever do anything for the good of others with passionate intensity, especially if it requires selfless giving of some kind.

People really aren’t that complex when you ignore what they say and focus solely on what they do. What they do, for those with enough clarity, says all that needs to be said about their attitudes and beliefs. That’s why Rumi said, “You have no idea how little we care about what people say.”

The actions of a significant percent of America are a direct reflection of American culture’s obeisance to wealth, competition and ignorance. Add in people wanting to get drunk with other idiots at bars and sit in restaurants instead of having a nice takeout meal, and bullsh like “The economy needs us to open back up”, “I’m free to not wear a mask” and all the other kinds of tripe that flows from their ignorant pie-holes, and here we are.

This is nothing less than Social Darwinism writ large (read: life, itself) where the current primary stressor (w/rt COVID-19) is willful ignorance of science and apathy towards others’ well-being. All the innocents destroyed by these callous, selfish attitudes are truly heartbreaking, but that’s where we have to just do the right thing by others, even if the stir crazy is tough to deal with at times.

Remember that Einstein referred to the rise of Nazism as a “mass psychosis”. I can’t imagine anyone successfully arguing that we aren’t experiencing (and have been for decades) something damn near identical both here and abroad. It’s just that the COVID-19 crucible is pushing everyone’s true colors to the surface and making it very difficult to ignore how belligerently ignorant and harmful so many of our fellows are.

Clive Robinson June 28, 2020 1:23 PM

@ JonKnowsNothing,

If they were truly cleared by the hospital then this is a confirmed second re-infection of 4 people.

Err not necessarily.

A friend is helping the family of a person who has now spent over 100 days in ICU in hospital[1] due to the “complications” of a SARS-CoV-2 infection. The infection would have been gone from their body within four weeks or they would have succumbed to it. What has kept them in hospital is the results of the infection on the lungs etc, these are more correctly called “sequelae” and you can die from them days, weeks, months, or years later[2].

What we do know is that one care home where the staff elected to have a “lock-in” has not had any COVID-19. Which realistically suggests it is the staff that are the initial infection vectors, from community spread infection. We see this every year with the likes of influenza and norovirus in nearly all hospitals, care homes and other “close confines” places such as prisons. We label it “institutional infection” which sounds like it is an inevitability, but the reality is it is anything but, and is actually a symptom of quite deliberate policy decisions which kill many many people each year quite needlessly.

As with all such “policy decisions” they come down from the highest levels based on political ideals and mantra.

Thus these care home deaths are “policy decisions” and are part of the “norm” not the “exception” and it is something we should stop giving politicians and policy makers a pass on…

[1] Something I’m told would not be allowed to happen in the US as apparently your lifetime entitlement to ICU treatment via your medical insurance is just 48 days. Which you could think of as not a “medical sequela” but a political one…

[2] There is reasonable evidence to say that Type I Diabetes is started by a virus that causes your body’s immune system to turn on you, and gradually destroy the cells that make insulin. This was within living memory a death sentence and even today those with diabetes need to take more precautions against common infections. We also know that cervical cancer that still kills women today is caused by a virus. It’s thus assumed that other cancers are also triggered by a virus that via an impaired immune system gives rise to the cell that starts a tumor. The biggest cause of an impaired immune system is the environment we live in and that of what we ingest. Which is why strong environmental protection is vitally important to a nation’s health, and in fact a lack of this generally shows up in the reduced life expectancy in comparable socioeconomic circumstances.

myliit June 28, 2020 1:55 PM

@ Chris

“Hi, I’ve been lurking for some time, I reckon you guys know a lot about sec on computers.
One thing you don’t touch on too much is that people in the know on the military side have their own Military Intelligence Services, they are very much like the CIA of sorts but they are much more muddy….

And … much more dangerous” [1]

For example, from the U. S. mainstream media (“‘MSM’”):

https://www.nytimes.com/2020/06/26/us/politics/russia-afghanistan-bounties.html

“Russia Secretly Offered Afghan Militants Bounties to Kill U.S. Troops, Intelligence Says

The Trump administration has been deliberating for months about what to do about a stunning intelligence assessment.

American troops in Afghanistan have been the target of some Taliban operations backed by Russia, intelligence officials found.

American intelligence officials have concluded that a Russian military intelligence unit secretly offered bounties to Taliban-linked militants for killing coalition forces in Afghanistan — including targeting American troops — amid the peace talks to end the long-running war there, according to officials briefed on the matter.

The United States concluded months ago that the Russian unit, which has been linked to assassination attempts and other covert operations in Europe intended to destabilize the West or take revenge on turncoats, had covertly offered rewards for successful attacks last year.

Islamist militants, or armed criminal elements closely associated with them, are believed to have collected some bounty money, the officials said. Twenty Americans were killed in combat in Afghanistan in 2019, but it was not clear which killings were under suspicion.

The intelligence finding was briefed to President Trump, and the White House’s National Security Council discussed the problem at an interagency meeting in late March, the officials said. …”

https://www.washingtonpost.com/national-security/russian-operation-targeted-coalition-troops-in-afghanistan-intelligence-finds/2020/06/26/ac710092-b80f-11ea-9b0f-c797548c1154_story.html

https://www.wsj.com/articles/russian-spy-unit-paid-taliban-to-attack-americans-u-s-intelligence-says-11593214584

https://www.wsj.com/articles/trump-says-he-wasnt-aware-of-russia-bounty-allegations-11593362109 of course, it isn’t clear if anybody believes anything that our President says anymore

[1] https://www.schneier.com/blog/archives/2020/06/friday_squid_bl_734.html#c6812872

MarkH June 28, 2020 3:03 PM

Pandemic Developments

  1. To start with some (apparent) good news, the mathematical mortality rate is decreasing significantly: worldwide, new cases show a rising trend, whereas deaths are decreasing.

I propose a few possible causes:

• case detection has improved, enlarging the denominator of the fraction

• congregate facilities for the elderly may be experiencing some combination of better safeguards and the extermination-by-Covid of their most susceptible residents

• medical systems are climbing the learning curve for care of acute cases


  2. Almost everywhere “re-opening” has been attempted, case rates are increasing sharply. As I wrote before, it’s like slowing a vehicle using the brakes. Within a few milliseconds of brake release, perceptible acceleration will begin.

Other regions of the U.S. didn’t re-open because they never closed down to begin with. They followed the sophisticated reasoning, “it ain’t here so we don’t need to do nothin'” In many such places, Covid is arriving, and showing the high growth rates to be expected where precautions are minimal.


  3. It’s been plain from statistical data that case growth doesn’t show its simplistic-model exponential growth rate after case counts become large, for a variety of reasons. New cases per unit time tend to “flatten out.” But here’s an exception:

In Florida — one of the states in which government has consistently wanted to minimize disease-spread precautions — poorly managed re-opening is playing out spectacularly.

Florida is actually showing near-exponential case growth with a doubling time of about 6 days, even as new case detections are in the thousands per day.

Scaled to population, recent Covid-19 case growth in recent days is far worse than the peak observed in Italy.


  4. Speaking of Italy, Sweden is on track to exceed Italy’s grievous per-capita death rate sometime in July.

Reportedly, the Swedish populace is losing its enthusiasm for the official “herd immunity policy.” No one yet knows whether herd immunity by spread of infection is even possible, because the strength and durability of post-infection immunity has not been sufficiently measured — so the promise that the human sacrifice will eventually be rewarded by stopping the epidemic could prove false.

It’s worth noting that increasing volumes of observational evidence (sorry, ScienceGeek) show that governmental recommendations meet with far less compliance than mandatory requirements for pandemic precautions.


  5. Recently, two people flew to New Zealand in order to visit a dying relative. They unknowingly brought the virus with them, resulting in New Zealand’s first new case detection in 24 days.

  6. The U.S. president recently announced that he has asked the federal government to reduce testing for SARS-CoV-2.

The only ways I have yet visualized for resumption of something like normal activities without heavy new case numbers are:

A. Reduce cases nearly to zero, and apply an aggressive program of testing/tracing/isolation (a la New Zealand), or

B. Apply astronomical volumes of testing, so almost everyone can be tested at intervals of not more than two to four days. This might enable feasible separation/isolation schemes even in regions where case numbers are high.

Clive Robinson June 28, 2020 4:45 PM

@ MarkH,

To start with some (apparent) good news, the mathematical mortality rate is decreasing significantly: worldwide, new cases show a rising trend, whereas deaths are decreasing.

There may be a non human agency reason for this.

Whilst the virus does not appear to be “seasonally affected”, its environment is.

We know that the virus viability persistence is environmentally affected by the likes of humidity and UV radiation as well as temperature. Increased temperature causes the droplets by which infection spreads to evaporate faster, a decrease in humidity likewise. And as we know one of the side effects of sunlight is damaged DNA and RNA due to UV radiation, it’s just that we tend to think of it more as “sun burn”.

But there is also a human agency effect. As light levels and temperatures rise humans tend to move outdoors into fresh air where droplets are very quickly dispersed unlike closed environments. Humans tend to expose more skin as the temperature rises and with being outdoors this is exposed to increasing levels of sunlight. Sunlight affects the human immune system in a number of ways, one of which is it increases the level of vitamin D which is known to improve the human immune system against respiratory diseases, it’s also an anti-inflammatory agent as well which helps reduce the levels of damage in the lungs and other organs.

But as we know in South America where COVID-19 is very much on the rise deaths are significantly under reported, thus the apparent fall in death rate is very probably not as good as it appears. Likewise we know Russia is almost certainly well under reporting COVID-19 deaths as a matter of “policy”…

As for India, who knows what is happening there; even with the best will in the world the nature of the country is not currently conducive to gathering information of this sort. Whilst this is rapidly changing as technology improves things they are still constrained by the resources available. A quick look at India’s per capita GDP tells you that overall they are not yet a rich country with abundant spare resources, thus levels of available health care vary wildly and are not yet at the levels to deal with significant epidemics of what is still effectively an unknown disease.

SpaceLifeForm June 28, 2020 4:54 PM

E3 still active.

hxxps://betanews.com/2020/06/24/windows-10-mail-gmail/

An update from last month seems to have introduced a bug into the Mail app which is causing problems with Gmail accounts.

SpaceLifeForm June 28, 2020 5:23 PM

@ myliit

I am pretty sure who leaked the info that she went to fbi about.

hxxps://www.cjr.org/tow_center/emptywheels-marcy-wheeler-knows-more-than-she-tells-but-she-tells-a-lot.php

SpaceLifeForm June 28, 2020 5:51 PM

@ Myliit

Google is burying the news.

Years now. Becoming totally obvious.

Ismar June 28, 2020 6:09 PM

@rrd
The reason I said I did not get a satisfactory answer is very simple- I did not find your answer very useful. I visit this site mostly expecting to get (and occasionally maybe make a small contribution to) some knowledge that can bring some positive change to the society as a whole. Unfortunately, none of your writing was suggesting anything useful and actionable in that respect.
I was also tempted to ask you about the possible comments on my post and the link provided but I don’t think that would lead us anywhere as we seem to be operating on very different frequencies at this time.
I will, however, note my concern, once more, about our collective tendencies to preserve the status quo which is true in science as well the society at large.

rrd June 28, 2020 8:22 PM

@ Ismar

I visit this site mostly expecting to get (and occasionally maybe make a small contribution to) some knowledge that can bring some positive change to the society as a whole.

That is a beautifully perfect wish. You are already a part of the solution.

To magnify your ability to effect change in this brutal world of competition, go within yourself and connect to our Creator, begging for the purification of your own vices so that you will not become like those who use their power to serve their own selfish desires and those of their in-groups.

Making this wish will also give you sublime peace and happiness, so long as you follow the Path of Love along its full course. It’s not easy, but it’s the only way to reach our individual potential as fully self-evolved (in cahoots with our Creator) human beings.

Love is the key, so you already have the most important element, but there are levels upon levels yet for each of us to reach, both individually and in our groups. As we reach higher levels, our perceptual clarity also deepens and expands.

Only by seeing others through the lens of humble compassion can we see them for who they truly are; otherwise, our perceptions are shaded by our prejudices, enmities, jealousies, rumors or whatever. Only through the hard graft of self-evolution can we be clear enough to discern who the true fascists are and how best to strip them of their power to harm others. Only then can we maximize our benefit to this entire planet.

I know you expected something different from your visits here, but I despise lies of any kind and I respect you all too much to tell you anything else but the truth I have lived, for quite a few years now. It is the road less traveled (especially in 2020 America), but it gives me a foundational perspective on how we can achieve lasting security for all of us that aren’t evil bastards.

Peace be with you all. Thanks for your patience with my rambling.

name.withheld.for.obvious.reasons June 28, 2020 10:26 PM

Understanding that law enforcement benefits from a detachment from cause and effect, immunity from prosecution is a good example, a side-effect of this attitude is the distance from a duty of care.

To extend as analogous; the treatment of evidence can be seen as less important over time when it comes to duty of care. I suggest that when evidence is no longer given the level of care, but is subject to alteration, modification, or outright suppression–the distance from the legitimacy of any organization and its core mission must be questioned.

The case in Buffalo where a 75 year old man “tripped” according to the reports by the police gives this argument context. I won’t even go into the level of depravity represented by a President of the United States implicating the individual who amplified the force of his “tripping” as an Antifa tactic. My mind fails to submit to qualifications of reason and runs right to indignant moral outrage. But that’s just me.

Weather June 29, 2020 12:09 AM

@name.with…
I have parents that are that age and wouldn’t like that treatment, but is that area doing tit for tat, don’t know much about your country.

MarkH June 29, 2020 12:12 AM

@StephenMelba:

Australia has done an extraordinarily fine job of controlling Covid-19 spread.

However, the new cases graph on worldometers.info shows an increasing trend in Australia starting about 3 weeks ago.

Sadly, as far as I’m aware, reproduction rates below one have been attained only in regions with “shelter in place” regimes.

Whether any place can shift toward more normal activities without raising the reproduction rate above 1 remains to be demonstrated.

Lawrence June 29, 2020 5:19 AM

Palantir not invited to NZ’s Covid solution.

Palantir sought the opportunity to provide a Covid tracking system to the NZ government. When first not successful it tried again. Now seems likely that the bureaucrats making the decisions felt the leakage of personal data outweighed any possible benefit Palantir could provide.

hxxps://www.rnz.co.nz/news/national/415835/us-tech-firm-palantir-held-talks-with-privacy-commissioner

hxxps://www.rnz.co.nz/news/national/420112/new-zealand-government-sat-on-palantir-covid-19-data-tracking-offer

As it happens Mr Thiel rather mysteriously managed to obtain NZ citizenship in a very very fast-tracked way during the time of the Key neo-liberal government. Didn’t seem to help in this instance.

Clive Robinson June 29, 2020 6:14 AM

@ Lawrence,

As it happens Mr Thiel rather mysteriously managed to obtain NZ citizenship in a very very fast-tracked way during the time of the Key neo-liberal government. Didn’t seem to help in this instance.

Yes Mr Thiel still apparently thinks of NZ as “The last bus stop before the south pole” and has bought up considerable land, and if stories are correct has a number of “hardened refuges” to hide away in. However he is reputed to be a “Silicon Valley Vampire” which should have rendered him ineligible for citizenship in any part of the world.

As for his business practices with Palantir, what can I say that’s nice about them… As my granny used to say “If you can not say anything nice then say nothing at all”.

So all I will say is the UK Government has been extremely foolish beyond any kind of measure to let Palantir get involved with any UK databases. So much so you have to ask what on earth they were thinking. Some will no doubt suspect “corruption” of various forms and I suspect that there would be some degree of truth in it depending on your definition of corruption, which is very lax in UK Government circles and their “Revolving Door” policies.

rrd June 29, 2020 9:09 AM

@name.with…

My mind fails to submit to qualifications of reason and runs right to indignant moral outrage. But that’s just me.

That’s definitely not just you. That’s anyone with a functioning moral compass.

There are two other sides a person can come down on when seeing that man receive brain damage from police brutality:

  1. They don’t care at all.
  2. They take pleasure from such brutal treatment of people they consider “other”.

Both of these attitudes are evil. The first is callous cruelty, the second is actively oppressive cruelty.

Personally, having kids, what these ghouls are doing to the immigrant kids they cruelly separated at the border is almost more than I can stand, but I must — WE must — divert that energy to better use in order that things are set right one day, to the extent that it will ever be possible for those traumatized children. And all the black people getting murdered by cops pushes my same buttons.

One thing I have not seen mentioned yet in all our focus on our racially oppressive LEOs in America is doctor-prescribed TESTOSTERONE REPLACEMENT THERAPY, not to mention black-market steroids.

I played sports with guys who took steroids. There is no question that taking such hormone “therapy” often makes the man far more aggressive.

It is my understanding that police unions refuse to allow their members to be drug tested. Does anyone know if that’s correct?

I saw a vid a couple of weeks ago with a police chief who, after asking what the protesters wanted and getting a “Walk with us” response, proceeded to put down his gear and walk with them (it was a nice gesture, for sure). But I did notice that that guy was jacked. His arms were enormous. And yeah, I get it, policing is a dangerous job, but having roided-up dudes having to make split-second life-or-death decisions is (IMO) not a recipe for societal success. And four jacked-up idiots with power is a million times worse than a single guy on his own. (RIP Breonna Taylor.)

Combine this with a significant percentage of our LEOs being — if not military veterans themselves — military wannabes (or worse), and here we are.

I have yet to see TRT/steroids mentioned in any of the coverage of our BLM movement, but its effects can certainly not be insignificant.

myliit June 29, 2020 11:41 AM

Not figure fiddling, afaik, but The Chicks have fiddled a protest song.

https://www.youtube.com/watch?v=xwBjF_VVFvE 4:03

The Chicks – March March [1]

https://www.youtube.com/watch?v=sbVPcPL30x 3:48

Dixie Chicks – Gaslighter (Official Video) with lyrics

[1] https://genius.com/The-chicks-march-march-lyrics

https://www.rollingstone.com/music/music-country/dixie-chicks-name-change-march-march-1020398/

“… Along with the name change, the Chicks released a brand new single on Thursday, titled “March March,” which will be appearing on their upcoming fifth studio album, Gaslighter. The protest song, produced by Jack Antonoff, combines a minimalist electronic beat with subdued instrumentation from Maguire’s fiddle and Strayer’s banjo.

Lyrically, Maines addresses everything from Greta Thunberg and youth climate protests to gun violence and underpaid school teachers, over a music video that edits together footage from recent Black Lives Matter protests and police confrontations. Toward the end, as Maguire dives into a fiery fiddle solo, the names of black Americans killed by police flash onscreen, and the video concludes with a message from the Chicks — “Use your voice. Use your vote.” — along with links to various social justice organizations and nonprofits. …”

rrd June 29, 2020 12:13 PM

@ JonKnowsNothing

You are aware that not all police/LEOs are men or male gendered?

Sure, and there are female war-mongers. And there are woman rapists, too.

It’s about numbers and testosterone and aggressiveness.

Look around the world. Are you saying that women pose nearly as much of a threat to our peace and safety as men?

In the 8:46 video, that looked like four dudes to me (including a black guy!).

And — AAANNND — when in the minority, are women more or less likely to speak up against the male officers on the team, especially if they are in a leadership position? And would they ever be the majority in a situation like George Floyd’s or Breonna Taylor’s?

Years ago, I read that girls fared better in gender-segregated math classes because they didn’t have to compete against the aggressiveness of the boys, who would raise their hands first to answer the questions even when they were wrong. That intimidated the girls which lead to their not feeling positive about their ability to succeed in math.

How many female anti-riot police have you seen in the fascist oppression of the largely peaceful protests? How many women walked with Trump for his bible photo-op? (I saw Ivanka, and she was the only one wearing a mask.)

How many female incels are there? How many female school shooters?

I really don’t know what your point was supposed to be, all I can come up with is that it’s just a really weak ad hominem attempt.

I suggest you watch Stanford neuroendocrinologist Dr. Robert Sapolsky’s “Human Behavioral Biology” class. It’s free on YouTube. I made it all the way to the last three. It forever taught me that Trans folks can have physically gender-opposite brain structures, so their claims of “I always felt like the opposite gender” have been demonstrated scientifically, physiologically.

Learning is the gateway to wisdom, but few choose to approach the door, much less walk through it. Fewer still do so to increase their compassion.

Toxic masculinity is the single greatest threat to our world’s security, from one-on-one interactions to nation-state interactions. It’s certainly the single greatest threat to women’s security; that’s for damned sure.

Besides, anyone who increases their testosterone is almost certainly increasing their aggressiveness (endocrinologists, feel free to correct me), especially if it is exogenous. But yeah, I can imagine a lady cop augmenting her testosterone, too, because of all the meatheads she has to deal with on both sides of the job. And if a woman brutalizes someone because she’s jacked-up on T then she gets the same punishment — nothing else would demonstrate justice.

But, c’mon man, statistics, physiology, thousands of years of evidence, the news every single dang day, our rapist-in-chief? Really?

Drone June 29, 2020 1:56 PM

@SpaceLifeForm… I’m sorry, I truly do not understand your reply to my post. I like your “SpaceLifeForm” handle though 🙂

You said in your reply: “Lie, Destroy, or Blame?… In order to escape from this three-choice dialog box in a loop that refuses to acknowledge reality, we must reboot the system.”

Yeah, to me this sounds like some sort of insane “trigger words” for a child-like Anarchist movement. But that’s just a guess. Regardless I will always defend with my life, if necessary, your right to speak freely – in America anyway.

By the way, how about these “trigger words” for your “reboot the system” movement:

“Give me liberty, or give me death!”, Patrick Henry 1775.[1]

By the way, if you think it is easy to “…give me death”, I say bring it on! I am ready and waiting for you to try.

References:
[1] Patrick Henry addressing the Second Virginia Convention in Richmond, 23-March-1775.[2]
https://en.wikipedia.org/wiki/Give_me_liberty%2C_or_give_me_death!
[2] Second Virginia Convention
https://en.wikipedia.org/wiki/Second_Virginia_Convention

MarkH June 29, 2020 2:29 PM

Covid-19 May Have Grown More Contagious

https://www.washingtonpost.com/science/2020/06/29/coronavirus-mutation-science

Note: The scientific inferences below are preliminary, and have yet to be peer-reviewed or adequately confirmed.

A genetic variation called D614G in SARS-CoV-2 appears in about 70% of genomes contributed to a world-wide database. It doesn’t appear in the early genomes from China.

Although D614G was rare before late February, it now appears in more than 90% of virus samples. The most plausible hypothesis for its rapid proliferation is that this Covid variant is more contagious.

D614G affects the composition of the “spike structures” on the virus surface, which enable attachment to host cells.

Laboratory experiments suggest that these modified spike structures work better, enabling the virus to reproduce more efficiently in the host, creating greater viral loads … and presumably, more of the viral shedding which causes community transmission.

Because D614G had effectively “taken over the world” sometime in April, it does not signify a change in present pandemic conditions.

However, if this variant is in fact more contagious, then the Covid-19 reproduction rate for a given level of precautions against community spread will be greater than observed before April; or as a corollary, to get the same reproduction rate as before April, stronger precautions against spread are necessary.

Clive Robinson June 29, 2020 4:23 PM

@ MarkH, ALL,

Speaking of yet to be peer reviewed papers…

There is a paper that indicates SARS-CoV-2 has been found in frozen sewage samples in Spain back in early 2019.

The paper is written by respected researchers some of whom are in a top flight research university.

They believe that this finding is not a false positive or cross contamination in the laboratory etc.

They started doing their “back search” after finding credible evidence that people in Europe had had novel coronavirus infections back in mid to late 2019 and it had been diagnosed as some variant of influenza.

Assuming it is true it opens up a whole can of worms about the origin of SARS-CoV-2 and just how long it has been around, not just in China but other countries.

name.withheld.for.obvious.reasons June 29, 2020 4:29 PM

CNN Report, a Houston Hospital and Pandemic Triage Shades of Wuhan in Texas
CNN reported today, 29 June 2020, an example of the COVID-19 patient experience and a hospital walk through that informs to a degree that has not been done before in the MSM. I cannot believe I am crediting CNN, hardly a bastion of journalism–but there it is.

The ability to grasp reality seems to be the skill acquired by those that live their lives at an abstract and unconscious level later in life, if ever. The YouTube video is at:
hxxps://www.youtube.com/watch?v=LkyXhPYbX0c

Though the ten-minute-and-39-second report does not provide a lot of detail, and is missing much in the way of epidemiological information, it does provide a wider and deeper context for those that remain ignorant of facts. One interesting fact is that one in eight test positive. Not a good number…

There is an element of the video that reminds me of the earliest reports smuggled out of Wuhan concerning the tactical situation from a pandemic response effort. Why did we not learn from information that was available? Hell, if I knew what was up how could so many others not?

Clive Robinson June 29, 2020 4:38 PM

@ Ismar,

Clive was for some reason shy to wade in

Because I had reason to think it would get Moderated.

rrd June 29, 2020 8:13 PM

@ Clive

[from your comment to Bruce’s “Commenting Policy for this Blog]

As for the posters here we are an eclectic bunch from all corners, and our differing points of view encourage thinking in a wider scope and give not just breadth but often considerable depth on not just arcane technology but things that are yet to be. I’ve lost count of the number of times things have been discussed on this blog that subsequently come to be. Sometimes the comments are years ahead of what is being considered even in academia, and as I’ve indicated before you will read here things that cannot be found in any other place on the Web, and I’m reasonably certain that there are those who come here to get inspiration on technical and future matters. Thus your site is actually a resource without par in this respect.

I had never read this comment until a few minutes ago, but I must say it is an outstanding ethos. I hope that I live up to it.

[Then, in this thread:]

Because I had reason to think it would get Moderated.

You’re the gold standard on this blog, so go light on the profanity and you should be ok 😉


@ ALL

Anyway, to prove my fidelity to the technical purpose of this blog, let me pose a technical security question and see what all y’all’s perspectives are:

When setting out to design a truly secure general purpose computing system (functioning like a modern pc), what is the single most important characteristic the resulting operating system must possess?

(Note that this is directly related to a very long-term project of mine, so this is a very real question. I’ll withhold my perspective until later, not that I assume anyone here cares.)

rrd June 29, 2020 9:21 PM

@ Weather et al

So, old hashes (eg: SHA1 and MD5) have collision problems, but (I assume) they are way faster than their newer, wider variants.

Why not just use both hashes on the same document? Given a specific document, certainly a collision that allows the document to be altered for one of the hashes could not possibly also result in a useful collision for the other hash given the same document, no?

I’m guessing that two smaller hashes computed concurrently would be less computationally expensive than the newer hashes (assuming the source file need not be read twice), or am I completely missing something here?

I imagine that there would also be a side benefit for the code in that the older hashes’ code is much tighter, easier to find, verify and integrate, no?

My other thought from a couple of years ago on securing old hashes was to create a standard header or footer for documents that gets hashed along with the content, that extra info containing in the minimum the length of the document, but perhaps even containing a table of byte counts (maybe path or filename, too?).

Surely such a nested, double-layered document hash would be dang-near impossible to find a collision for, no? And stripping off the extra header or footer should be easy-peasy on the receiving end.

Is it that important to have a single-pass hash verifier? And, is this already being done? Or maybe I’m not understanding what collisions are used for?

Weather June 29, 2020 9:44 PM

@rrd
The program generates a sha256 32-byte hash from 3 bytes, most of the range; the program then runs a formula on the 32-byte hash and compares it to other ones that got the same value, and uses the table of what 3 bytes the chars were. If the values work out to the same there’s a 19% chance they were also in the new hash.
The 19% can change to a high percent, but then it’s more likely )80 chars.

Still have to think about the rest of your reply.

name.withheld.for.obvious.reasons June 29, 2020 9:50 PM

… maybe they should take a look at the US justice system in the likes of Chicago where “illegal detention centers” were setup and used against those on the lower rungs of the socioeconomic ladder.

Have been to the south side of Chicago but it was ten years ago. What was astonishing was that the physical landscape was out of a surreal dystopian failed “Planet of the Doomcoughs” movie where the button had been pressed and nuclear winter had arrived. Not too dissimilar from images from WWII, Beirut, Lebanon, or Gaza in the Middle East.
It was so eerie and unsettling but it did not move me in a way, viewed in hindsight, that would cause me to respond appropriately. It was almost as if it is better to forget about it than confront the absolute horror witnessed.

AND WE ARE HERE, AT THAT SAME PLACE TODAY.

Future peoples, maybe there’s a civilization in the next millennium, will certainly construct a timeline that if human enlightenment is possible will give testimony as to how truly poor we all are.

rrd June 29, 2020 9:51 PM

@ name.withheld…

Our city has a notice that says that, through the CARES Act, it has a rental and utility assistance program for people who face employment hardship due to the pandemic (as we will, as the stimulus unemployment benefits will be done in a few weeks), there being a hotline residents can call.

We haven’t called yet to see if we are eligible or how much assistance may be available, but our state’s govt is fully Dem and seems to be doing a good job on all fronts so I am hopeful.

And, from one cynic to another, there is a special place but I’d rather they suffer their loss of social status here, perhaps to the extent that they realize that they need to look in the mirror and undertake some personal growth.

name.withheld.for.obvious.reasons June 29, 2020 9:51 PM

Oops, the lead-in quote was a post of Clive’s
Sorry @ Clive

Weather June 29, 2020 10:45 PM

@rrd
If you have two different hash programs in parallel and both have to check out from the file it’s more secure, because if they find a collision for md5 there’s no guarantee that sha1 will collide.
If they are chained, then it is as strong as one hash.
With computer processors nowadays a 128-bit hash is stronger than two 64-bit because they can be attacked separately.

With your question I’ll say accuracy and repeatable for a general purpose computer.

Clive Robinson June 30, 2020 12:59 AM

@ name.withheld…,

Sorry @ Clive

No worries, the thoughtful reply was much appreciated and hopefully others will read it and realise what is creeping up on the ordinary citizen bit by bit, in enough time that something might be done to stop it.

MarkH June 30, 2020 3:08 AM

@Clive, re Spanish report of “premature Covid”:

I pondered this for some time. It seems very likely to be some kind of false positive.

Based on what we know, how could people have been infected without it soon becoming obvious?

In the unlikely event that SARS-CoV-2 was indeed in their sample, one can imagine that some animals were infected without transmission to humans … and that somehow, enough of their shed virus made it into Barcelona’s sanitary sewage system?

A brief look at how things might have gone astray:

https://theconversation.com/was-coronavirus-really-in-europe-in-march-2019-141582

Clive Robinson June 30, 2020 6:25 AM

@ MarkH,

Based on what we know, how could people have been infected without it soon becoming obvious?

Well one way is for a transitory visitor from China.

We still do not know enough about how a SARS-CoV-2 infection progresses in a human, especially in the outliers at beyond 12 days from initial infection to being infectious.

It may well be the case that the usual transport of mucus through the GI shows signs in stools etc up to several days before an individual produces enough virus in their breath to represent a sufficient viral load to infect another person.

The city concerned being of significant historical and cultural interest has a quite high transitory population of tourists. As you may remember around that time it is Chinese New Year a time when many Chinese take holidays, and pre/post grad students travel to various meetups/seminars etc.

Thus it’s possible for an infected younger person who is probably going to be asymptomatic anyway to have been infected in China, traveled to the city for a short time and incubated it for long enough for it to show up in stools but not for them to be sufficiently infectious before their return to China. They might also have had a sufficiently strong immune system that in effect they did not produce sufficient viral load to infect others at any time.

Other coronaviruses that affect people give them “common colds”. When I was younger I quite happily mixed with people who had the characteristic coughs, runny noses and rough voices of the common cold because if I got it I did not notice it, so I may not have had it at all or been effectively asymptomatic. This has been seen quite frequently in the past.

It’s only since I became immuno compromised after a botched operation that I went from being virtually disease free to being hospitalized several times a year with various infections… Even so I still tend to miss out on “man flu”[1], “Colds” and most years Noro virus. That is I still appear to have a high tolerance for common viruses but not certain types of quite common bacteria we all have millions of on us at any one time.

[1] Much to the annoyance of my son’s mum, who gets it most years even after getting priority on vaccination as she’s front line staff in the medical profession. But what “grips her the most” is the only times I have had “man flu” is when I’ve made the mistake of getting vaccinated. My own Dr raises a wry smile when I say I’m holding off on vaccinations until after the year I get flu without having been vaccinated…

rrd June 30, 2020 8:21 AM

@ Weather

because if they find a collision for md5 there’s no guarantee that sha1 will collide

Yeah, I’m guessing well-nigh impossible for the same source document.

If they are chained, then it is as strong as one hash.

With that much computation, I’d probably just use a newer, wider hash function, like SHA-256 or whatever.

With computer processors nowadays a 128-bit hash is stronger than two 64-bit because they can be attacked separately

Yeah, but that goes back to my original thought: will two different hashes of the same data ever be “collidable”; i.e. can they ever be attacked separately for the same source data such that the resulting imposter data hashes down to both original hashes? I doubt they can, even for something as simple as MD5 and SHA1.

With your question I’ll say accuracy and repeatable for a general purpose computer.

Sorry for the confusion, but that is simply a requirement for a working general purpose computer.

I’m specifically asking what primary characteristic is required for such a working general purpose computer system whose OS implementation is absolutely secure.

I should add a qualification on the system that it must not only be secure but mutable — i.e. the operating system can be upgraded over time — so having the entire OS in ROM is non-qualifying.


@ Clive

I hope you’re getting your Vitamin D. I hope you all are. Depending on your dwelling, getting D the natural way may be difficult in this life under some form of lockdown. As such, we’ve all been augmenting ours since March (one of them comes with K as well), though the kids get far less just a couple of times a week. I, personally, feel more sharp in the morning as a result.

One week after we began taking the extra D, my wife’s son called (he is now finally beginning work as a doctor after all these years) and suggested we take it, as his Mom has autoimmune issues and his hospital had a significant surge in COVID-19 cases (it was all-hands-on-deck for a month or so and he got pulled into active ICU duty even though he was post-doc’ing for a year).

Weather June 30, 2020 11:13 AM

@rrd
It does make a difference if it’s an 8, 16, 24 or 32 char password compared to a 100MB file, as collisions aren’t the only area that needs protecting; knowing what made that hash value might be the point. Even with two 64-bit you run through all 80xff for md5 and separately for sha1 160xff and then compare the colliders; if you have 8 chars that match the first 8 chars of sha1 it will be less than 3^64

rrd June 30, 2020 12:28 PM

@ Weather

Thanks. I just realized my use-case is solely about document integrity verification, not the use-case of storing the hash of a password so it’s not transmitted or stored in plaintext. In the second case, the collision itself is a system failure, whereas a forged document must be semantically meaningful to result in a successful attack.

Underlying assumptions got me; I apologize for the lack of clarity; however, this conversation has really helped me clarify my own thinking.

To sum up my understanding now: for binary (non visually inspectable) files, I need to go with the best, most-bits-in-the-resulting-hash-value algorithms. But for visually inspectable files (eg: semantically meaningful, like source code or an email), there really is a very small chance that meaningful changes can be made to the file and still result in a collision. Of course, the more bits the better, but the internal format of the file itself provides its own consistency check that limits the attacker’s set of possible viable collisions.

[Side note: I have, on more than one occasion, had a bug in code that I just couldn’t track down so I finally asked a colleague for their opinion; then, halfway through explaining it, the answer would come to me without their even saying a word. I chalk that up to putting the problem into words engages different parts of the brain, the resulting expanded neural pathways then give the perspective needed to see the problem.]
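The “both hashes on the same read” idea with the length/name header from earlier in the thread, next to the “chained” form, as an added example (not code from the thread or from any poster). The header layout, the `DOC1` magic and all function names are this example’s own choices; the body is traversed exactly once while both hashes are updated, and the chained tag is a function of MD5’s 16-byte output alone.

```python
"""One-pass MD5||SHA-1 document tag with a length/name header, plus the
chained SHA-1(MD5(x)) form. Added example; header format and names are
this example's own assumptions, not a standard."""
import hashlib
import hmac
import io
import struct
from typing import BinaryIO, Iterator

DEFAULT_CHUNK = 64 * 1024  # read size; the input is read exactly once


def frame_header(name: str, length: int) -> bytes:
    """Hypothetical header hashed ahead of the content: 4-byte magic,
    8-byte big-endian content length, 2-byte name length, UTF-8 name."""
    name_bytes = name.encode("utf-8")
    return (b"DOC1" + struct.pack(">Q", length)
            + struct.pack(">H", len(name_bytes)) + name_bytes)


def _framed_pieces(stream: BinaryIO, name: str, length: int,
                   chunk: int) -> Iterator[bytes]:
    """Yield the header, then the body in chunks, in a single pass.
    The declared length is enforced: a stream that is shorter or longer
    than the header claims is rejected rather than silently hashed."""
    yield frame_header(name, length)
    remaining = length
    while remaining > 0:
        piece = stream.read(min(chunk, remaining))
        if not piece:
            raise ValueError("stream shorter than declared length")
        remaining -= len(piece)
        yield piece
    if stream.read(1):
        raise ValueError("stream longer than declared length")


def parallel_digest(stream: BinaryIO, name: str, length: int,
                    chunk: int = DEFAULT_CHUNK) -> str:
    """Both hashes fed from the same read; tag is MD5 hex || SHA-1 hex
    (32 + 40 = 72 hex characters)."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for piece in _framed_pieces(stream, name, length, chunk):
        md5.update(piece)
        sha1.update(piece)
    return md5.hexdigest() + sha1.hexdigest()


def chained_digest(stream: BinaryIO, name: str, length: int,
                   chunk: int = DEFAULT_CHUNK) -> str:
    """Chained form: SHA-1 sees only MD5's 16-byte output, so the final
    160-bit value depends on just 128 bits of MD5 state."""
    md5 = hashlib.md5()
    for piece in _framed_pieces(stream, name, length, chunk):
        md5.update(piece)
    return hashlib.sha1(md5.digest()).hexdigest()


def verify(stream: BinaryIO, name: str, length: int, expected_tag: str,
           chunk: int = DEFAULT_CHUNK) -> bool:
    """Recompute the parallel tag and compare it in constant time.
    A length mismatch counts as a failed check."""
    try:
        actual = parallel_digest(stream, name, length, chunk)
    except ValueError:
        return False
    return hmac.compare_digest(actual, expected_tag)


# Convenience wrappers for in-memory data (a file would use os.fstat size).
def tag_bytes(data: bytes, name: str, chunk: int = DEFAULT_CHUNK) -> str:
    return parallel_digest(io.BytesIO(data), name, len(data), chunk)


def chained_bytes(data: bytes, name: str, chunk: int = DEFAULT_CHUNK) -> str:
    return chained_digest(io.BytesIO(data), name, len(data), chunk)


def verify_bytes(data: bytes, name: str, expected_tag: str,
                 chunk: int = DEFAULT_CHUNK) -> bool:
    return verify(io.BytesIO(data), name, len(data), expected_tag, chunk)


if __name__ == "__main__":
    # Constructed sample document, not taken from the page.
    body = b"Transfer 100 EUR to account 12345\n"
    tag = tag_bytes(body, "invoice.txt")
    print(tag)                                          # 72 hex chars
    print(verify_bytes(body, "invoice.txt", tag))       # True
    print(verify_bytes(body + b"\n", "invoice.txt", tag))  # False
    print(verify_bytes(body, "invoice2.txt", tag))      # False: name is bound
```

Reading the body with `chunk=1` or with the default gives the same tag, which is the property that lets a large file be tagged without being read twice.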

Weather June 30, 2020 1:15 PM

@rrd
About a secure general purpose computer, I’ll say a prison setup, where each program gets its own play box with guards and a Warden (kernel) checking the guards.
I’ll try and find the link on here, but if you write a program that gets injected into another program before the main function, then your program runs one asm instruction at a time from what it injected to, saving register and flag vars after the one instruction; you are then free to encrypt or decrypt on the fly, check memory data, strings etc, a really basic ids, or block instructions.
You can make the thing minimal so you can test each part for holes in your program.

Ask @clive and @weal about CvP

Clive Robinson June 30, 2020 3:15 PM

@ rrd,

my wife’s son called (he is now finally beginning work as a doctor after all these years)

I wish him and the rest of the family well in these troubling times. Front line medical staff are at risk more of the time than we perhaps realise even in better times.

My son’s mum is a cardiac specialist but still spends a lot of her time with clinics and patients. She has frequently mentioned that these days the police are almost always present at hospitals. In fact a hospital she used to work in that became famous because it had a number one chart single has a permanent police presence as well as security staff. Even though the patients she sees are unlikely to cause her direct harm I still worry about other patients. And yes she frequently gets the latest bug going around, which is a bit awkward as I’m the one with an impaired immune system since an operation went wrong and have frequently ended up in hospital myself because of it. Which all told is maybe why our son has decided to become an engineer, which like medicine has a long academic pathway.

vas pup June 30, 2020 3:37 PM

Germany to overhaul elite army force tied to right-wing extremism
https://www.dw.com/en/germany-to-overhaul-elite-army-force-tied-to-right-wing-extremism/a-54004898

“German Defense Minister Annegret Kramp-Karrenbauer plans on restructuring the country’s Bundeswehr’s Special Forces Command (KSK) in the wake of numerous allegations of far-right extremism among its ranks, German media reported on Tuesday.

According to newspaper Die Welt, Kramp-Karrenbauer will announce structural reforms of the KSK unit, which will include the dissolution of one of its four combat companies.

Some 70 soldiers would be affected by the changes, Die Welt reported.

+++The KSK has been part of the German Army since 1996. The group focuses on anti-terrorism operations and hostage rescues from hostile areas. Its members have served in Afghanistan and the Balkans, but its operations are kept secret.

====>Today, the KSK has “become partially independent” from the chain of command and developed a “toxic leadership culture,” Kramp-Karrenbauer told the Süddeutsche Zeitung newspaper.”

I guess that is a real problem when folks who really have the security of the country on their shoulders move to the extreme right, as they see it as the only option to save the country. See +++ above – they just know what the possible incoming option for their country is otherwise.

Weather June 30, 2020 3:57 PM

@vas pup
It’s called fire house syndrome, based on firefighters not having much to do most of the time and talking about concectivle stranger ideas over breaks.
But isn’t it a good thing they are not used much?

Thunderbird June 30, 2020 4:23 PM


I’m specifically asking what primary characteristic is required for such a working general purpose computer system whose OS implementation is absolutely secure.

I think the primary characteristic is that it does not execute a program. I believe it is the case that for any computer complicated enough to do something useful and any definition of “absolutely secure” that matches most people’s intuition, it won’t be “secure.” Therefore, it can’t do anything and be secure.

But, if you’re willing to accept “pretty secure” I would say first of all you have to be able to be sure only the programs you want are actually executed. This is incredibly difficult, since a) everyone wants to have data that includes programs (i.e., Javascript in web pages, macros in Word files, spreadsheets in … spreadsheets, editors that can be upgraded, etc.) and b) it is startling how simple a programming system can still be Turing complete. So you would have to have a very tight walled garden, similar to the Apple model but much more strictly enforced. So, no PDF or Postscript viewers, no Microsoft Word, no EMACS, no ability to browse modern web pages, no compilers and nothing like Perl or Python or (god forbid) Powershell.

The second thing you need is that the system needs to be simple enough to be comprehensible. I think just the first requirement is enough to ensure your system never gets built and used, but if it isn’t, the second one should prevent its success. Marketing people always want to add to the pile, not subtract from it.

rrd June 30, 2020 4:50 PM

@ Weather

CvP seems interesting (from the little I’ve gleaned so far from googling this site), but I’m not interested in having to overcome inherent insecurities in my system’s components. And the sandboxes for userland processes certainly are a sound idea, and perhaps even successful in practice (I wouldn’t know), but I’m interested in security by design, not security as a result of having to deal with bad payloads.

I’m referring to the entire system: kernel, devices, the whole thing. This is a greenfield, no limits, clean from-scratch design exercise.

As to separation of process privileges, having run/managed/recompiled OpenBSD 5.4 for a couple of years, I would naturally gravitate towards evaluating unveil/pledge/privdrop first as I prefer explicit declaration to attempting to police the process blindly. Explicit, highly-specific declarations of each process’s capability requirements at install time — by requiring it be installed via source — is my general thinking as to how to approach such resource dependency security issues, both kernel-userland and kernel-kernel.

Of course, like people, verifying their stated intentions against their actual behaviors is a separate level of complexity, but if the capabilities declaration can physically limit the resources the process can even compile against, then I’d say we’ve scraped off an entire layer of potential problems, but further complexities await.

And, really, this naturally leads to what I consider the most important element of any truly secure system: have ALL the design information available at any level it is needed at any stage in its development. This is already happening in the hardware industry, as I’ve seen (I don’t remember the brand) a laptop that has not only open source software but open source hardware. (I don’t know if they got rid of blackbox firmware requirements or not.) The key is not that they haven’t fully achieved their goal, but that their goal is perfectly lofty and they’re well on their way.

Having all that information is essential for verification. At the hardware level, this means that there are no undocumented system calls/instructions/whatever. That also means that if a component is having a problem, we can redesign its interface to surface more debug info (or less if it’s a performance problem.)

And while my question was about security, my perspective on security is that it is ultimately a design plus verification-in-test issue, which is really a verification-of-functionality issue, which is where the bulk of my systems research goes: how to create digital info flow systems that do what they’re supposed to do, by design. Security then becomes simply one design criterion (allowing for castle-building, if necessary).

Now, the software running on the hardware needs to be able to leverage whatever amount of system knowledge facilitates its achieving a high confidence level, while also exposing its own metadata to both its human and other software users. Each kind of layer artifact will expose its own kind of metadata, today’s software being woefully inexact in its construction and descriptiveness. An example of what I consider information loss is a C int declaration: there are so many unknowns that cannot be answered unless one traverses the entire code tree of possibilities in order to answer questions like: can it ever be negative? can it even be decremented? (And, yes, I know there are many type systems but C is a good example because it’s so ubiquitous especially in system programming.)

A complete and detailed description of system codependencies and source logic is my answer then. In my attempt at a first-principles opinion, this totality of system codependencies is essential for any info system, from a single program, to an entire topology of superscalar mega machines.

This accumulation of better system info is what OpenBSD has done over the years. First they busted their tails to remove bad programming patterns. This integrated their best practices into the code, a freehand embedding of information not only on top of the C programs but outside of C’s abilities to facilitate such patterns where a separate data structure/interface/lib was infeasible.

Then, they proceeded to add capability-restriction info in their kernel interface. Once again, by increasing the amount of system info defined and available to the compile-time and runtime systems, better security is achieved (I assume).

And this is just scratching the surface. Beyond security, better and more complete total system info at any point in the SDLC allows for better analysis that may begin with simple functionality, becoming security analysis and finally perhaps being able to minimize energy usage (which first requires measuring it, though predicting it is superior still).

I don’t know building architecture or structural engineering but I imagine they have undergone their own revolutions as their tools contained more and better information across all a project’s subsystems, allowing advanced analyses across structural engineering, human usability (enough bathrooms?, enough light?), airflow, plumbing, energy consumption, and of course aesthetics via fly-throughs. What once required tedious manual analyses is now a simple by-product of constructing the model correctly after having the appropriate amount of money to buy the design software and the requisite modules.

No, I don’t think I’m saying anything Earth-shattering here.

What I envision is an info appliance that exposes its entire fabrication, installation and functional process design documents to the user for analysis and modification, from hardware to software, open and explorable and ultimately expandable.

Weather June 30, 2020 5:27 PM

@rrd
It will take me week to understand that, but can you send me a keyboard 92 char with 6 char input to openssl sha256, so the testorcheck function can be checked.

Clive Robinson June 30, 2020 5:31 PM

@ rrd, ALL,

When setting out to design a truly secure general purpose computing system (functioning like a modern pc), what is the single most important characteristic the resulting operating system must possess?

The short answer would be that,

    It should maintain confidentiality at all times.

It sounds a little trite but it’s actually very very difficult to do, hence the old joke about disconnecting your computer, setting it in a large concrete block and dropping it in the deepest ocean trench…

The important thing to note however is back when that joke started we could not get down to the bottom of that trench, but now we can. Thus

    Security has to evolve with ALL technology.

Which means in quite a few respects we are in a “Red Queen’s Race” running just as hard as we can just to stay where we are. But for an individual generally we have depth and breadth of knowledge in just one domain or field of expertise, which implies we might be in a losing position.

Well we are and we are not; it depends on where you and a potential attacker stand. If you want to make a secure OS then sorry, you’ve already lost the security race, because it is only a part, actually quite a small part, of a secure system and in the general case it has way too much complexity. If you want to make the system secure then you have a chance, and the old joke gives you a clue as to how to do it,

    You need to consider the system as a whole and control access.

That is “disconnect it and put it in a concrete block” is the clue. It’s describing what is a form of “perimeter security” all be it not a very usefull one unless the concreate block is a “block house” with guarded access points. Which is basically the security model used with early computers. Whilst it works it’s kind of large and expensive to run for Personal Computing that these days can fit in a shirt pocket.

That is a Single Board Computer (SBC) that can be smaller than a 4 ounce chocolate bar can provide you with considerable computing power. The problem is that small as it is when it’s connected up to make it usefull it “Eminates Compromising Emissions” and is also “Susceptible” to other compromising energy sources as well as being “overly transparant”.

That is, all functioning machines do work inefficiently. That is, whilst they use energy, some of that energy becomes, by various transportation mechanisms, the ultimate form of pollution: “heat”. All of those transportation mechanisms are “Shannon Channels” and can carry information proportional to the channel bandwidth. Which means they can carry information out of the SBC that should not be. But also, whilst Shannon channels are apparently one way –from TX Source to RX Sink– out of a system, they can work in the opposite direction and carry energy back into a system, and due to the way many systems are designed information can get back in through the outputs, through the system and out of the inputs; thus the system is bidirectionally transparent[1]. Also intentional energy inputs such as from a power supply can carry information into a system that then appears on the system outputs with confidential information superimposed on top of it. In essence this was a major problem with secure smart cards at the end of the last century, and hence an attack called “Differential Power Analysis” caused all sorts of issues that entirely defeated other security mechanisms.

In short as our host has noted “Attacks only get better”.

Because few people can build their own hardware, and even of those that can only a very, very tiny fraction can design them to be not just secure at “specification time” but through to actually getting into the field for a reasonable service life, I’ve recommended people take a different approach to security, which is mitigation rather than trying for “secure design”.

I’ve talked about it in the past on this blog as “moving the security end point”. In essence you have two computer systems: one that is regarded as “insecurable” that is used as a “communications end point”, the second as “secure via energy gapping” that is the final “security end point”, and connecting the two is a “choke point”, which is a specialised communications channel that has the ability to have a high level of security[2], in part by instrumentation as well as by providing the important energy gap.

In essence information can only be compromised if it is communicated, and all communication requires the use of energy in some form. If you either stop the energy flowing from one computer to another or render the available bandwidth too small then the information cannot travel from one computer to another. That is the basis of “energy gapping”, and the process by which you stop the energy flow is by removing any transmission channels.

The energy you need to consider is,

1, Electromagnetic.
2, Mechanical.

Which can be carried in a transmission medium (Shannon Channel) by,

1, Conduction.
2, Radiation.
3, Convection.

Sometimes you cannot remove the transmission medium (RF will travel through a vacuum quite easily). So you have to block the transmission method (radiation in the case of RF through a vacuum). This is usually done by using the likes of “shielding” and “absorbing” materials.

I’ve discussed how to do this in more depth in the past on this blog.

If however you do want to go down the design route as @Weather has pointed out I have also discussed this in depth as well on this blog in the past.

Whilst I’m happy to go through them again, the explanations take up quite a bit of space, which is why in the past the discussions were held at the end of pages after other discussions had had time to move on to other pages.

And I guess by this point you’ve possibly got some questions.

[1] A real world example of this is “Data Diodes with Error Correction”. A data diode is “assumed” to allow information to flow only from its input to its output and thus be secure. However such a system can be unreliable for various reasons, including data collision on a network connected output. The “engineering solution” to this unreliability is “error correction”, which is a Shannon Channel in its own right but in the opposite direction. It is all too easy to lose sight of this as a communications channel and design the system “to be robust” such that the error correction goes all the way back through the data diode from the output to the input. It might not have a high bandwidth but it’s probably sufficient in most cases to form a control channel, such that an unprivileged system can talk to a privileged system through the security barrier of the data diode that is intended to stop that being possible.

[2] The simplest secure channel that can be used for a choke point is also impractical for most uses. It is that you as a human take pencil and paper and write down the information from one computer’s screen, and walk to the keyboard of the second computer and type it in. In effect “it puts the human in the security chain”; thus the human mind acts as significant instrumentation to stop any compromising communications. From this you can reason upwards to more practical instrumented choke point communications channels.
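
The point in footnote [1] can be checked with a small model. What follows is an added example, not code from the comment above: two toy data diode designs, one with ACK/NAK retransmission and one with repetition-code forward error correction. The frames, the channel model, the seed and the function names are all constructed for the illustration; the number worth looking at in a design review is `reverse_symbols`, the count of decisions the high side sends back through the barrier, which should be zero.

```python
import random


def _channel(frame, rng, p_err):
    """Constructed channel model: a frame survives with probability 1 - p_err,
    otherwise it arrives with one bit flipped."""
    if rng.random() < p_err:
        return frame ^ (1 << rng.randrange(8))
    return frame


def diode_arq(frames, p_err, seed=1):
    """Diode with ARQ-style error correction: the high side answers every
    attempt with ACK or NAK and the low side retransmits on NAK.
    Returns (delivered_frames, reverse_symbols); reverse_symbols is the
    number of one-bit decisions that crossed the diode in the wrong direction."""
    rng = random.Random(seed)
    delivered, reverse_symbols = [], 0
    for f in frames:
        while True:
            rx = _channel(f, rng, p_err)
            reverse_symbols += 1          # one ACK/NAK travels high -> low
            if rx == f:                   # integrity check stands in for a CRC
                delivered.append(rx)
                break
    return delivered, reverse_symbols


def diode_fec(frames, p_err, copies=3, seed=1):
    """Diode with forward error correction only (toy repetition code):
    each frame is sent `copies` times and the high side takes the majority.
    Nothing is ever sent back, so the reverse channel carries 0 symbols."""
    rng = random.Random(seed)
    delivered = []
    for f in frames:
        votes = [_channel(f, rng, p_err) for _ in range(copies)]
        delivered.append(max(set(votes), key=votes.count))
    return delivered, 0


def reverse_channel_budget(n_frames=64, p_err=0.2):
    """Compare the two designs on constructed frames: symbols per delivered
    frame that the high side can influence and the low side can observe."""
    frames = [(i * 37) & 0xFF for i in range(n_frames)]
    _, arq_rev = diode_arq(frames, p_err)
    _, fec_rev = diode_fec(frames, p_err)
    return {
        "arq_symbols_per_frame": arq_rev / n_frames,
        "fec_symbols_per_frame": fec_rev / n_frames,
    }


if __name__ == "__main__":
    print(reverse_channel_budget())
```

The ARQ design leaks at least one high-side decision per frame even when the link is perfect, and more on a noisy link; the repetition-code design keeps the reverse count at zero by construction, at the cost of bandwidth. Real forward error correction would use a proper code rather than three copies, but the design property being checked is the same.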

rrd June 30, 2020 5:46 PM

@ Thunderbird

[Oops, your post arrived while I was composing my previous.]

    I think the primary characteristic is that it does not execute a program.

Ohh, you’re no fun anymore 😉

But, yeah, I’m referring to security from bad actors that are not the owner! That said, I do believe there is a path to that, too, but hoo-boy that would be the ultimate protection.

As with any project like this, the key is to start minimally and then expand carefully. As @Weather said, there are numerous technological approaches to walling off our processes, and I agree with their intents, but I’m thinking more first-principles, hardware-and-all complete system design.

I don’t think there is anything at all inherently insecure about browsers and javascript (much as I loathe them both (and I loathed Gopher, too)); no, I’m sure that it’s the OS that is insecure such that its apps’ running amok can compromise its security.

    But, if you’re willing to accept “pretty secure”

No way. Nuh-uh. Never.

    I would say first of all you have to be able to be sure only the programs you want are actually executed.

Yes, utterly essential.

    This is incredibly difficult

Nothing worth doing in life is. (It’s actually true, look at our world situation.)

As to the rest of your points in that paragraph, you are absolutely correct given our current architectures. No doubt.

All that said, I still disagree that any of the software you mention (Turing-complete included) is inherently insecure. Even software that generates and executes its own bare-metal machine instructions is not inherently insecure. In both cases the layers that wrap them (OS and even the microprocessor itself) are really the source of the insecurities, not the bumbling or malicious software that leads to being compromised.

[I want to know how many people’s carpal tunnel was directly caused by EMACS; CTL-x, CTL-c !? No thanks. #TeamViBaby]

    The second thing you need is that the system needs to be simple enough to be comprehensible.

You got it, but just complex enough to get the job done properly.

    I think just the first requirement is enough to ensure your system never gets built and used, but if it isn’t, the second one should prevent its success.

I love it. Fred Brooks’ “No Silver Bullet” also inspires me. I don’t know who said it (or if anyone ever did), but it’s true: “Nothing is ever possible until someone does it.” Sure, it’s not technically correct, but I’m sure you understand my point about defying common beliefs as to what is possible.

    Marketing people always want to add to the pile, not subtract from it.

Marketing people are a steaming pile. I worked for a marketing company a million years ago. If I ever, ever employ one, I hereby beg you to euthanize me forthwith. Consider this your indemnity clause.

Anyway, I’m curious what you think about my detailed response above. Cheers.

rrd June 30, 2020 6:02 PM

@ Weather

    It will take me a week to understand that, but can you send me a keyboard 92 char with 6 char input to openssl sha256, so the testorcheck function can be checked.

Done. And you’ve got three days, tops 😉

Weather June 30, 2020 6:30 PM

@rrd
Even 0xa5 would be better. I only have a 15 year old laptop running WinXP Home; maybe Linux could process it, but Linux skill isn’t the question.
A 0x00-0x7f syntax 32 long, I will know if it is a sha2 hash, but the only reason I got a computer is someone died.

SpaceLifeForm June 30, 2020 10:16 PM

@ Drone

Lie, Destroy, or Blame?
(repeat…)

A play on words of the useless DOS three choice dialog box.

Reboot the system means we must vote and remove the malware next year (US).

The current system has a horrible UX (User eXperience).

https://en.wikipedia.org/wiki/Abort,_Retry,_Fail%3F

“It has become an icon of poor interface design, because it led exactly nowhere . . . A veritable Catch 22, since the only viable option appeared to be to keep typing R until one was willing to accept that one’s work was lost and there was nothing left to do but shut down the program and start anew.”

SpaceLifeForm June 30, 2020 11:18 PM

@ Drone

Lie, Destroy, or Blame?

The 3 things that the fascists have been looping on for eons, in order to extract money.

A loop of their own design.

Covid-19 has exposed their useless system.

SpaceLifeForm July 1, 2020 12:13 AM

@ rrd, weather, Clive

“I’m referring to the entire system: kernel, devices, the whole thing. This is a greenfield, no limits, clean from-scratch design exercise.”

Well, if you really think you want to take that path…

  1. You have un-imaginable work to do

  2. Look at FPGA

  3. All development must be done offline. You will need to hand transfer all source code to a trusted machine that is off-net.

  4. You will need to rebuild all software on the trusted machine from scratch using a trusted kernel, trusted toolchain, and a few more trusted tools such as bash and busybox. Those are static binaries.

  5. To get those trusted binaries (toolchain, bash, busybox) onto your development machine, you will have to build them somewhere using tools you trust.

  6. Your trusted machine has to have trusted microcode, and trusted bios/uefi, and trusted bootloader. Again, static code, but can it be trusted? At least it is off-net.

  7. Read Reflections on Trusting Trust

  8. Decide on your Faraday Cage design.

  9. Verify that it is Evil Maid proof.

  10. Punt, and follow the thinking of Clive, and re-evaluate your plans. It’s way less headache to separate comms from another machine, energy gapped, and still get close to your security goals.

lurker July 1, 2020 3:24 AM

@name.withheld…

Shades of Wuhan in Texas

No, it’ll never happen. The Chinese method that is, in Texas. Australia and New Zealand both closed their borders early, but avoided a conflict by allowing their own citizens to continue to come home from the world’s danger spots. During the initial 4 weeks tight lockdown the returnees were shut in at home, no problem.

As the lockdown eased a few of the more liberal minded returnees tried to skirt round the corners of “self-isolation”. So hotels vacant from the lack of foreign tourists were pressed into action as “managed isolation” institutes. Lack of training or enthusiasm resulted in noticeable leakage, so some places were designated “managed quarantine”. There was still leakage, so NZ appointed a military commander to instill some discipline and rigour to the process. Australia has just appointed their Department of Corrections [prisons] to manage the quarantine hotels. Still not the full Chinese method.

Just imagine if you can, Texans confined by armed guards to temporary isolation facilities in a football stadium (or a conference hotel if they’re lucky), armed guards on all doors and street corners, disinfectant spray trucks through every street. No?

etv July 1, 2020 6:19 AM

Andrew Zonenberg has been looking at secure fpga hardware/OS setups for some time

hXXps://www.researchgate.net/publication/305810806_Antikernel_A_Decentralized_Secure_Hardware-Software_Operating_System_Architecture

rrd July 1, 2020 10:20 AM

@ Clive & SpaceLifeForm

That’s simply fantastic, the kind of education that makes this place great. Thank you both for both your selfless time and effort. Such incredibly concise deep-dives.

@ etv

Thanks for the very interesting link. That definitely very much looks like the kind of approach I have in mind.

@ ALL

As a software guy, I’m realizing that I intrinsically view such a design exercise as finding which model(s) would best facilitate developing such a system, those models being inseparable from the modelling tools. You have all plugged a bunch of new info into my own mental models about such an endeavor, and it’s going to take awhile for me to integrate it all.

I don’t think you will ever know how grateful I am for you all. The best we can do is plant seeds of positivity in our every interaction with others, and you have indeed done that; I hope to continue improving myself in that dimension.

As well, I hope you and your loved ones are staying healthy and hopeful in these troubled times. Namaste.

Now it’s time for some hard graft…

myliit July 1, 2020 10:31 AM

@popcorn eaters, misc.

I’m going to try to take a break for awhile. Before I do, however, here’s a look at one event in a retirement community in the land of our President or the United States of Amnesia (“‘USA’”):

https://twitter.com/davenewworld_2/status/1276965068048158720 millions of views, 2:07

“Seniors [ older people ] from The Villages in Florida protesting against each other …”

.

Meanwhile, I might head over to:

https://twitter.com/ratemyskyperoom

Take care,
may you live in interesting times

Sherman Jay July 1, 2020 2:07 PM

@rrd and @Weather • June 30, 2020 1:15 PM
‘I’ll say a prison setup, where each program gets its own play box with guards’

While the below ‘distro’ is not a usable system yet, it is a step in the direction you mention:

hXXp://distrowatch.org/weekly.php?issue=20200629#gobo
The GoboLinux project develops a distribution with an unusual goal: reorganizing the operating system’s filesystem. . . . In GoboLinux you don’t need a package database because the filesystem is the database: >>> each program resides in its own directory. <<<

Sandboxes are another partial technique.

However, based on the fact that all the great minds here and in the ‘outside world’ haven’t come up with a secure computing system, I must conclude that for now it is the same as ‘internet security’ – vaporware and pipe dreams.

But, I encourage you all to keep thinking and dreaming, you might just come up with a workable answer to either or both.

vas pup July 1, 2020 3:10 PM

@Weather.
Thank you for your input.
I guess they should not have such time for talking, but rather exhaustive training and honing their skills (physical, emotional, tactical, etc.), so when the time for the real thing comes, they are prepared as much as possible.

I found article on wiki:
https://en.wikipedia.org/wiki/Riot_control
with many links related to the subject which is currently hot around the globe.
I hope you’ll like it.

SpaceLifeForm July 1, 2020 4:22 PM

@ Clive

An interesting side-channel attack because WIFI and BT use same freqs.

The devil will be in the details which will not come out until next month.

hxxps://www.blackhat.com/us-20/briefings/schedule/#spectra-breaking-separation-between-wireless-chips-20005

“During code execution within the Wi-Fi firmware, we even experience kernel panics on Android and iOS.”

rrd July 1, 2020 6:47 PM

Vietnam has Chuck Norris’d COVID-19.

hXXps://ourworldindata.org/covid-exemplar-vietnam

Not that anyone anywhere has any valid excuse for not doing the same, as everyone’s experts have known from the beginning.

This situation is proving to be a cultural IQ test, with a heavy burden of responsibility on their leaders, and the inertia of their educations fruiting predictably.

rrd July 1, 2020 7:40 PM

Oops. I seem to have forgotten them beating the heck out of people with sticks, so let me be clear that I’m not condoning that aspect of their response at all; “the same” I was referring to is solely with respect to the medical-advice-related behaviors that the people ended up adopting.

By hook or crook. Sophie’s Choice? Majority rule vs. minority rights?

It’s essential that people just choose to willingly adopt better cultural behaviors solely because they have learned it is best for the whole, not because they are physically threatened or worse.

But dang if those aren’t some impressive results.

Regardless, I don’t feel such rebels should be accosted unless it is proven they’re recklessly spreading COVID-19.

Their ignorance sucks, especially for vulnerable populations — especially when they’re so dang arrogant, whiney, illogical and belligerent about it — but we must be very careful where our fear of what might happen leads us, even those of us familiar with epidemic math.

Even when we know that they should never have been let in the dang store without a mask in the first place. (I suppose the worst of our Americans are probably going in with a mask and then removing it.)

Adding to the ugliness is the fact that when a person of color goes against the rules of some establishment — especially under govt regulation — they are at serious risk of getting murdered or at least locked-up.

New pressures are showing old cracks, creating others, testing resilience.

Weather July 1, 2020 8:36 PM

@rrd
You hadn’t sent me a 7 char input made of 92 chars of the keyboard to test; you use FreeBSD but can display the hash in %2x.
Wasn’t going to reply because someone else sorted it out, but maybe..

SpaceLifeForm July 2, 2020 12:44 AM

@ Weather

Oh, it was ’92 char with 6 char’, and now it is 7 by 92?

You guys code talking? 😉

@ rrd

Excellent link about the Vietnam response.

Three things stood out to me.

43% asymptomatic
Mandatory mask usage in public
No International plane flights

The entire report should be a PDB.

Ah, never mind. #UnfitForOffice won’t read it anyway.

SpaceLifeForm July 2, 2020 1:25 AM

@ Sherman Jay

“But, I encourage you all to keep thinking and dreaming, you might just come up with a workable answer to either or both.”

My thoughts exactly.

To me, it’s not just a hardware issue and/or a software issue, but trusting the crypto whether in hardware or software.

How’s that random working for you today?

https://dilbert.com/strip/2001-10-25

Weather July 2, 2020 1:39 AM

Trust Dilbert, but that is what I’m asking: does dev random produce the same output? But that’s my lack of knowledge; you should be able to find a vector, as I know there is one.

Clive Robinson July 2, 2020 5:06 AM

@ rrd,

    By hook or crook. Sophie’s Choice? Majority rule vs. minority rights?

Since this virus started it’s world tour I’ve been talking about,

    Individual Rights -v- Social Responsibilities

It’s now abundantly clear to anyone who can read and is not locked into some moronic mantra that in this case “Social Responsibility” trumps “individual rights” by a very, very long way.

The current policy in the UK and US is in fact “self entitlement of the few”, where a tiny fraction of the population vehemently believe their unwarranted self entitlement is an “individual right” that trumps everything, including the massacring of a sizable number of people and the enslavement into debt of the rest for generations to come.

moz July 2, 2020 7:50 AM

Hi Bruce,

This might be one for the Crypt Snake Oil Hall of Fame?

https://www.independent.co.uk/news/uk/crime/encrochat-phone-network-encryption-organised-crime-uk-arrests-police-a9597501.html

https://www.independent.co.uk/news/encrochat-phone-network-encryption-organised-crime-uk-arrests-police-a9597576.html

The feature sheet in the second link actually sounds pretty good – you can find it on archive.org

https://web.archive.org/web/20200625115717/https://encrophone.com/en/

“More than 700 arrested in ‘biggest ever’ UK operation against organised crime after encrypted phone network cracked”

moz July 2, 2020 8:03 AM

Independent report says:

In April, an international team cracked its encryption and started spying on users and harvesting their data as they carried on unawares.

but Vice says

French authorities had penetrated the Encrochat network, leveraged that access to install a technical tool in what appears to be a mass hacking operation, and had been quietly reading the users’ communications for months.

which sounds more likely?

rrd July 2, 2020 10:29 AM

@ Sancho_P

Thanks for the very nice link. From the abstract:

At every level, a trade-off exists between complexity and the feasibility of non-destructive end-user verification with minimal tooling: a system simple enough to be readily verified will not have the equivalent compute power or features of a smartphone. However, we believe that a verifiable system should have adequate performance for a select range of tasks that include text chats, cryptocurrency wallets, and voice calls.

Yeah, that’s been my general understanding for quite awhile, made only more obvious with the timing attacks that have cropped up, showing that the complexity involved in such performance hacks almost certainly lessen security, and that a simpler, security-focused system would end up being fast enough for most of what we day-to-day users need from our machines anyway. Then there’s all the bloat in our OSes and apps now, too.

When I thought about investigating FPGAs some years ago, I quickly realized that (as I’m no EE) the various logic blocks required to implement essential subsystems were both expensive and way beyond my ken. I settled on focusing on my software skills to hopefully make enough money/clout to be a part of a team that includes plenty of hardware folks. Regardless, the Betrusted people in the paper appear to be providing the IP cornerstones required for FPGA system design exploration. Very nice, indeed (in theory, at least).

Side note: It seems also that FPGA blocks would be a difficult target for bad actors to usefully attack. I mean, they could certainly sabotage its viability or performance and create security weaknesses (especially at Clive’s level of physical radiation leakage), but piggy-backing such a low-level injection of bad logic to create gaping security holes seems to me to be a very difficult set of dots to connect to result in actual data exfiltration, especially if they don’t know which operating system will be using the hardware.

Clive Robinson July 2, 2020 1:00 PM

@ Moz,

    which sounds more likely?

It could be both…

On a distributed network that uses circuit switching the chances are that there is some “sourced in the middle keyMat”.

All the authorities would have to do is weaken the KeyGen process or make it somehow predictable.

The most likely thing to do would be to install a piece of software that attacks the Key_Gen process so that it still appears random to statistical tests whilst actually being predictable if you know a secret.

A method to do this with RSA Private Key encryption has been known for years and was made public by Adam Young and Moti Yung.

The issue boils down to the fact there is actually “too much redundancy” in multiplying two primes, something that had a single sentence acknowledgment back in a 1980 paper.

It is therefore not unlikely that people have read either the paper or Adam Young and Moti Yung’s book,

http://www.cryptovirology.com/

It’s not that big a book and surprisingly an easy read, thus most people capable of programming coherently should be able to read it and understand it and think further on how to use the techniques.

@ ALL,

The fact that the criminals were daft enough to trust a third party encryption system where the security end point was on the same device as the communications end point says quite a bit about the lack of basic education on secure systems out there.

Mind you 60,000 customers at 3,000 per year is actually a “nice little earner” so I would fully expect another service that was very similar to pop up if it has not already done so.

After all, buying a phone on which a stock developer copy of Android can be loaded is fairly easy, and there are many, many programmers out there capable of “modifying Android” or putting a VM on it to run the “custom OS”. You don’t even need to get the phone recertified if you do it properly.

The real question is not can they “get the crypto right” but can they get all the other parts that make a “secure system” together correctly and I would say that very few could based on what has come to market in one way or another…

vas pup July 2, 2020 3:19 PM

The facts on Tianwen-1: Mars orbiter and rover:
With Tianwen-1, China will attempt to send both an orbiter and rover to explore Mars. Here’s an overview of the facts.

https://www.dw.com/en/the-facts-on-tianwen-1-mars-orbiter-and-rover/a-54014414

“China’s 2020 mission to Mars, Tianwen-1,
==>aims to send a probe to orbit the planet and also land a rover on its surface.
As with other Mars missions run by NASA and the United Arab Emirates this year, China’s mission is scheduled to launch between July and August 2020, and begin operation at Mars by February 2021.

China has been keen to highlight its collaboration with international partners on the Tianwen-1 mission.

It started with a collaboration with Russia, and grew to build technical partnerships with, for instance, the Austrian Space Research Institute (IWF). The IWF has contributed to the orbiter’s magnetometer and helped with the calibration of the flight instrument.

Meanwhile, space officials from the UN Office for Outer Space Affairs, the International Astronautical Federation, the European Space Agency, the Asia-Pacific Space Cooperation Organization, Brazil, France, Pakistan and Russia have sent congratulatory videos or letters to China ahead of the launch and expressed a desire to strengthen aerospace cooperation.”

Read the whole article for details.
Now when competition is up, many security aspects should be worked out upfront.

rrd July 2, 2020 3:37 PM

@ Clive

    and the enslavement into debt of the rest for generations to come.

Lavoisier’s last demonstration of chemistry is tagged cultural anthropology.

SpaceLifeForm July 2, 2020 4:15 PM

@rrd

“but piggy-backing such a low-level injection of bad logic to create gaping security holes seems to me to be a very difficult set of dots to connect to result in actual data exfiltration, especially if they don’t know which operating system will be using the hardware.”

This is why I mentioned FPGA.

You have more control.

At the software level, ask yourself why AES is so fcking special, that it’s so fcking worthy, that there are dedicated hardware (cough, microcode) instructions for AES on both x86 and ARM?

Prove to me that AES does not leak bits of the key.

Clive Robinson July 2, 2020 4:18 PM

@ Bruce and the usual suspects,

A BBC Business page on employee privacy -v- employers intrusion into their personal life etc over COVID-19.

https://www.bbc.com/news/business-53109207

One such concern is who owns your DNA and the information it contains. I’ve mentioned this in the past on numerous occasions, but if you have any kind of medical test, getting a DNA test off of a swab or from a blood sample is easily possible. In fact the RT-PCR test used for detecting SARS-CoV-2 is a genetic test, but supposedly only for the viral RNA.

With “health insurance”, not disclosing you’ve had a DNA test and disclosing the full results could easily invalidate your ability to be insured ever again… Their argument being you are withholding it because you have information that would affect the rates they charge for you, thus you are in effect committing fraud.

Even taking your temperature can disclose information about you, something women should be aware of; such information can be used in a prejudicial way.

But those badges, wristbands and similar say other things about you, not just how often you go to the kitchen or the bathroom, which is bad enough, but who you tend to get within social range of. Thus it can be used like “Traffic Analysis” to elicit all sorts of information that may or may not be factual (such as illicit inter office relationships).

P.S. Remember folks, unless it’s Monday morning, if you turn up to work and have a temperature it’s around 95% certain you’ve been infectious in the workplace for a day or two but asymptomatic…

Clive Robinson July 2, 2020 5:01 PM

@ rrd,

    Lavoisier’s last demonstration of chemistry is tagged cultural anthropology.

It’s interesting to note that, having been falsely accused by money-grubbing, low-life, petty adulterating traders, at his appeal the judge, whose name is long gone from public memory, reputedly claimed,

    “The Republic needs neither scholars nor chemists; the course of justice cannot be delayed.”

And shortly thereafter a tumbrel came to take the judge for a shortening of stature, and a journey into ignominy.

And a year later, Lavoisier’s thirty six year old wife was given back all his belongings along with a curt note that he had been falsely accused. By which time of course much had changed in politics and the squares had run red with blood day after day such that the popularity of the public spectacle had waned to almost disinterest, cultural anthropology indeed.

Clive Robinson July 2, 2020 5:43 PM

@ SpaceLifeForm,

    Prove to me that AES does not leak bits of the key.

The algorithm or the implementation?

We know that the “official Rijndael” software implementation that everybody used in their libraries leaked key bits like a leaky bucket, and did so for at least a quarter of a century. And it may well still be doing so in some embedded application tucked away somewhere.

We also know that the NSA approved use of AES in its Inline Media Encryptors (IMEs), but importantly only for “data at rest”. Thus I can understand people questioning if the NSA know something about the algorithm likewise leaking key bits.

I’m afraid to say the jury is still out on that. Many people, myself included, do not like the structure within AES, mainly because it feels wrong. But feelings are not evidence, and nobody as far as I am aware has come up with anything approaching a realistic attack on AES.

That said, I try to avoid using it on its own and rely on other algorithms for end to end message security, and let AES be used for superfluous comms link security.

With regards AES CPU instructions I’m not overly fussed by them, except when the same hardware may be used in conjunction with internal TRNGs as “magic pixie dust”…

As for Intel’s on chip TRNGs, I neither trust them nor use them, on principle. Intel do not allow you to examine the raw output of the TRNG before whitening by a crypto algorithm. Thus I am deeply suspicious of the implementation and do not use it, and I would not advise anyone else to either.
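
The reason raw access matters, and the answer to the “does dev random produce the same output” and “how’s that random working” questions further up the thread, can be shown with a few lines of Python. This is an added example, not code from any of the comments above and nothing to do with any real chip: the stuck noise source, the chained SHA-256 conditioner and the function names are all constructed for the illustration. Two standard health checks are run on the raw stream and on the conditioned stream.

```python
import hashlib
import math

CHUNK = 32  # raw bytes fed into each conditioning step


def stuck_raw_source(n_bytes):
    """Constructed stand-in for a broken noise source: the upper four bits of
    every byte are stuck at 1 and the lower four just count 0..15, so the
    stream carries no entropy at all."""
    return bytes(0xF0 | (i & 0x0F) for i in range(n_bytes))


def condition(raw, seed=bytes(32)):
    """Whitening as a hypothetical DRBG would do it: chain SHA-256 over the
    raw chunks and emit each digest. Deterministic raw input therefore
    yields deterministic 'random' output, boot after boot."""
    state, out = seed, bytearray()
    for i in range(0, len(raw), CHUNK):
        state = hashlib.sha256(state + raw[i:i + CHUNK]).digest()
        out += state
    return bytes(out)


def monobit(data):
    """NIST SP 800-22 frequency (monobit) test: returns (z, p_value)."""
    n = len(data) * 8
    ones = sum(bin(b).count("1") for b in data)
    z = abs(2 * ones - n) / math.sqrt(n)
    return z, math.erfc(z / math.sqrt(2))


def mcv_min_entropy(data):
    """NIST SP 800-90B most-common-value min-entropy estimate, bits per byte."""
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    return -math.log2(max(counts.values()) / len(data))


def audit(n_bytes=1024, alpha=0.01):
    """Run both checks on the raw stream and on the conditioned stream."""
    raw = stuck_raw_source(n_bytes)
    cond = condition(raw)
    return {
        "raw_monobit_z": monobit(raw)[0],
        "raw_passes": monobit(raw)[1] >= alpha,
        "raw_mcv_bits": mcv_min_entropy(raw),
        "cond_monobit_z": monobit(cond)[0],
        "cond_passes": monobit(cond)[1] >= alpha,
        "cond_mcv_bits": mcv_min_entropy(cond),
        "same_on_next_boot": condition(stuck_raw_source(n_bytes)) == cond,
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

The raw stream fails the frequency test outright (z around 45) and the most-common-value estimate caps it at 4 bits per byte, which is exactly what you would want a health test to catch. The conditioned stream will typically pass the same test and score well above 5 bits per byte on the estimator, yet it is identical on every run because the source behind it never changes. Statistical tests on whitened output therefore tell you about the hash, not about the entropy; only the raw output can be audited.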

rrd July 2, 2020 5:56 PM

@ Clive

Wow. Yeah, I’d rather Antoine had kept his head but merely realized that overtaxing the peasantry was bad policy, but it looks like that simplistic view may be far from the entire story (or outright bs); a story, I’ll note, that I got entirely from a couple of multi-part science documentaries, so thanks for sharpening my understanding of history.

Of course, it all makes sense as, while I’m no longer a fan of Frank Herbert, he did sprinkle some interesting perspectives about, one of them being, “Every revolutionary is a closet aristocrat” (or at least that’s where I think I heard it). And the docs did mention that a failed scientist was one of the rebels that brought “charges” against him.

Still, we ignore the ignorant, hateful, short-sighted reagents of our societies at our peril, even those of us without anything but disdain for those who catalyze and profit from the class divides of this world, who are — in the least — ignorant, callous and short-sighted themselves, but in a differently destructive way.

Here (especially in America) in 2020, we have a similar group of ignorant rebels who are actually rebelling against their own best interests by following the duplicitous, anti-scientific, hazardous, arrogant, greedy lies of their so-called betters, foolishly thinking they’ll ever be let into the club.

Then again, I’m with Feynman on clubs. And science.

But I love study groups. They’re awesome.

MarkH July 2, 2020 11:12 PM

In case any interested readers missed recent developments, studies now coming to light seem to indicate a rapid (within 2-3 months) decline in Covid-19 antibodies for recovered patients, especially those with mild or no symptoms.

The implications of this are not at all clear, because no linkage has yet been drawn between any particular amount of antibodies, and acquired immunity.

Antibodies are only one component of the human immune system; T-cells and memory B-cells might also play an important role in any acquired immunity.

Overall, this situation highlights how little is known about acquired immunity to the pandemic.

Given these unknowns, whether the dream of natural (without vaccines) herd immunity is even possible remains speculative.
I estimate that Sweden is within 2 weeks of overtaking Italy in per-population pandemic mortality.

Increasingly, medical experience suggests lasting — and perhaps, in some cases permanent — impairments in many post-infection patients, even those who had no symptoms.

If your only choices are risking Covid-19 infection and doing something else … do the other thing.

Clive Robinson July 3, 2020 4:10 AM

@ MarkH,

If your only choices are risking Covid-19 infection and doing something else … do the other thing.

For a while I used to live and work remotely, but failing health and physical disability stopped me living remotely…

If I had the choice with my health, then living halfway up a remote mountain below 30 degrees latitude would be my preference.

Some people cannot stand solitude, I guess because they have to live in others’ heads like moths to a flame. I am quite content with solitude as long as I have things to keep me busy in my own head, and luckily I’ve a sufficiently varied past that I have the skills to do the “good life” thing and live quite comfortably off of an appropriate plot of land and enjoy it. Sadly, as the old saying has it, “Whilst the spirit is willing, the flesh is weak”.

I can also quite happily do without many of the foibles of modern “sharing culture” we call social media/networking. I’ve never found the sort of mindless sharing we see to be either wise or cathartic. Such sharing either has to be totally vacuous of personal meaning or it almost certainly will come back and haunt people in the future if they start to become successful. The problem with success often is that it is little different from fame in some people’s minds, and that creates jealousy, albeit at the low level of the “Karens phenomenon” of passive-aggressive red flagging of co-workers through to out-and-out doxing and pathological stalking, be it cyber or physical.

Something I suspect the majority of us could happily do without at any time in our lives.

So yes, if people can work from/at home and “far from the maddening crowds” where disease festers, and they can be content within themselves, then I say, be greedy and grab it with both hands and hang on to it with a tenacity that would embarrass a bulldog, because the saddest thing in life is regret.

SpaceLifeForm July 3, 2020 4:50 AM

@ Clive

I have chalk, and I’m not afraid to use it.

hxxps://www.seattletimes.com/seattle-news/selah-city-lawyer-family-could-be-prosecuted-for-black-lives-matter-chalk-art/

A city attorney in a small town near Yakima said a family who has put Black Lives Matter chalk art on their street could face prosecution if they do it again.

Clive Robinson July 3, 2020 8:57 AM

@ V,

Hacked “secure app for criminals”, or so it was reported

Yes, it looks like a “Cut-n-Paste” from a UK NCA PR piece.

Currently we are not sure what has actually happened.

However, the best guess is the French infiltrated the servers and caused the phones to download malware that disabled features like the ability to wipe the phones’ memory.

The piece you link to gives several impressions that are not so far factually supported, in fact the opposite. Other reports indicate that whilst the domain had been taken over, it was the phone company that shut the service down when they realized that their upstream supplier was not doing what contractually they were supposed to do.

I’m guessing that the service provider did this to avoid getting hitmen turning up and machine gunning them in their cars or whilst out walking their dogs etc.

Both of which have happened in the past over secure phones, apparently Moroccan Narco-Criminals get very tetchy about quite minor things.

Anyway, from other reports it would appear that other “allegedly secure” phone service providers, presumably run by different criminals, have stepped in to fill the breach, so business is probably almost back to normal in the criminal underworld, irrespective of what the UK NCA might wish to portray for obvious reasons.

But simply the UK has had a series of “super crime fighting agencies” and they have all pretty much failed to deliver in the way their political masters want…

Which, when you think about it, is hardly surprising. I suspect more than a couple of this blog’s long-term readers now know enough to make a fair old wad of cash giving advice or setting up services for criminals. After all, €3000/year/user at 60,000 users is a fair old wad of cash.

The only reason we are hearing about this, other than the politics of a group of law enforcement trying to show their political paymasters they are not totally useless, is that the users of the service had very lousy Operational Security. They were complacent and flapped their gums and somehow even managed to send photographs of themselves, family, mistresses and friends. As we know, this sort of bad OpSec behaviour led to the downfall of a Mexican drug cartel leader, who could afford better advice and more secure services.

Until such criminals really wise up they are going to get taken over and over again, not just by security people on the make but law enforcement as well.

Oh, and criminals having “police insiders” generally will not help them in the slightest when it comes to the security of their technology. The police they are going to get to know have worse OpSec than they do.

As for the supposed “Mr and Mrs Bigs” they have rounded up, it would appear that they are not exactly that high up the criminal tree. They are basically “thugs” that are only a little smarter than street criminals; it’s almost certain that most of them are known to law enforcement from previous contact when they were just low-life street criminals stabbing their way up the worst of the crime trees. That is, they are only one or two layers above “low hanging fruit” at best; the fact they had so much “cash” on hand tells you that.

Anyway, I suspect we will get to know more as trials approach, as there are a lot of smart lawyers out there who are going to have ideas such as “data protection laws” as to how to get evidence excluded, or other evidence the authorities do not want brought to light used in their clients’ favour.

Pascal July 3, 2020 10:06 AM

@Bruce Sorry for using last week’s squid post, I would be curious to hear your thoughts about the Encrochat breakdown.

Sancho_P July 3, 2020 5:56 PM

@rrd, SpaceLifeForm, re use of FPGAs

My doubt with FPGAs (and high-power chips in general) has a different cause.

“the various logic blocks required to implement essential subsystems were both expensive and way beyond my ken.”
Probably correct, but the cell and block structure is not what you’d have to deal with. People simply (cough) copy / paste tons of functions and libraries taken from the Net to form kinda OS and run their crypto on that FW to form a security hell.
– That may be “somewhat” OK for a single personal device that you keep in your pocket.
But when the design hits “the market” it’s only good until someone gets access to that insecure mess …

“Side note: It seems also that FPGA blocks would be a difficult target for bad actors to usefully attack. I mean, they could certainly sabotage its viability or performance and create security weaknesses (especially at Clive’s level of physical radiation leakage), but piggy-backing such a low-level injection of bad logic to create gaping security holes seems to me to be a very difficult set of dots to connect to result in actual data exfiltration, especially if they don’t know which operating system will be using the hardware.”

… and here is the deal:
No need to piggy-back at low-level required!

When dedicated professionals get access to one or two devices they will break the chip’s weak IP – protection (or use manufacturer-channels to do it –
oh, sorry, not documented functions built in for “your safety”).

Now pants are down, whatever “OS” tries to hide functionality / security:
“They” can download the program, reverse engineer and access all kind of keys and key functions to exploit traffic or inject not just low-level logic to compromise new devices during shipment.

Look @Phaete’s posting / link to a fascinating example, this chip is used in countless devices:
https://www.schneier.com/blog/archives/2020/06/friday_squid_bl_735.html#c6812963

-> Don’t trust any bought IP-protection to hide your crown jewels.

rrd July 3, 2020 7:37 PM

@ Sancho_P

I concur, though my idea to use FPGAs was purely for prototyping, as a way to block out the hardware. But thanks for noting that distributing hardware via FPGA would expose the system to whatever scaffolding comes with their system. (Once again, however, my inspecificity has to be filled-in after-the-fact.)

A core tenet of my dev philosophy is that every dependency external to my directly compiled logic is something I will have to not only support but co-evolve with over time, therefore I minimize such dependencies by just saying no. I barely tweak my dev machines’ environments anymore.

Having spent three days tracking down a floating point C/C++ compiler library bug over 25 years ago taught me a valuable lesson. Python’s pip might be nice, but I’ll likely never know.

All that said, ensuring that the resulting FPGA-developed system design gets faithfully constructed as a separate device would then be a further can of worms. Certainly, however, we can never escape the possibility for weak links in the supply chain, but we may be able to develop with a good enough system to bootstrap clear.

And, as a huge fan of the four-part BBC documentary on Bletchley Park (“Enigma Station: The History of Station X”), I know the value of a SneakerNet.

name.withheld.for.obvious.reasons July 3, 2020 11:43 PM

@ Sancho_P, SpaceLifeForm, Clive, weather, rrd

@Robert_T had a few years back entertained several approaches that gathered some steam amongst the participants here (am a fan of a new domestic SEMI fab). I believe the ideas here seeded a distro of Linux and had some impact on the community. I believe Clive, Nick_P, and other old-timers came to the conclusion that a step-wise effort that started with discrete, provable, and auditable hardware architecture was required to baseline a secure and robust platform. Personally, a discrete set of subsystems that are operable in isolation (can be a standalone DUT candidate with full exercise, including destructive), a modular architecture that builds on a set of well-defined design principles.

I agree, FPGAs and structured ASICs should only be used in the development cycle prior to committing to a hardware fabric which should not have a mutable code stream.

Some of the larger challenges are interclock, asymmetric, parallel fanning of CPLDs or LUTs. Synthesis in the final stages can help in developing the masks for fabrication but should not source from an FPGA target through netlists that are an order of magnitude away from the final product. I do not know many that will fully audit a SPICE model from line and bus and back.

Unless you are manually reviewing every list and assured that the vendor’s libraries that may be part of a design are robust. Leaning on a platform’s performance is always seen to be a risk/benefit proposition when deciding to include it in a product in which you have investments.

Weather July 4, 2020 12:24 PM

@ Sancho_P, SpaceLifeForm, Clive, name.with…, rrd

I don’t know much about FPGAs. I tried once for a bitcoin miner; is it just their low power usage, or do they have fast speed?
Would it make more sense to buy a two-CPU motherboard, with 8 cores per CPU, and use OpenMP, or would a basic or performance FPGA be better?

name.withheld.for.obvious.reasons July 4, 2020 6:25 PM

@ Weather, et al

There are designs for FPGA bitcoin mining engines; their efficiency is twofold:
a.) Logical fanning of data paths customized for the data sets a mining engine processes,
b.) Decreased energy profile due to minimized circuitry (does not have the overhead of CISC and some RISC CPUs).

Item b. is dependent on design and FPGA core selection from a cost/energy perspective; oversizing FPGA cores can be problematic, but not as much as undersizing. The ability to do mixed-model shared memory (global/local) with high-speed synchronization is an FPGA feature, though I believe structured ASICs to be the way to go in this case.

Though the FPGA-based mining tools are effective, total costs for generating bitcoins have markedly increased. Of those actively mining, the distance between cheap energy and cool operating environments is a primary driver.
