Comments

vas pup September 4, 2020 5:45 PM

Apple delays new anti-tracking privacy measures
https://www.bbc.com/news/technology-54033321

“Apple has delayed the implementation of new privacy measures designed to stop apps and websites tracking people online without their consent.
The changes also mean apps will have to ask a user’s permission to access the ad-tracking ID on an iPhone or iPad.
The measures were due to arrive in the latest iOS 14 update in the autumn.

Apple devices including the iPhone, iPad and Apple TV box have a unique ID known as the “identifier for advertisers” (IDAF).

It can help apps monitor the effectiveness of an advertising campaign. For example, it can help determine whether somebody downloaded an app after seeing an ad.

Android has a similar tool known as the Android Advertising ID (AAID).

Apple already lets people switch off access to their IDAF on iOS.

However, once the change is implemented in 2021, it will be off by default and =>advertisers will have to ask permission to access it.

=>Apps will also have to ask permission to track what people do in apps and on websites owned by other companies.

Additionally, when iOS 14 is released in the autumn,
=======>apps will have to declare what data they collect and how they track people in Apple’s App Store.

=======>Another new security feature will highlight when an app accesses information on the user’s clipboard.

It is also releasing a new app, called Translate, which carries out language translations offline, offering an alternative to Google Translate.
It will support 11 languages to begin with, including English, Mandarin, French, German, and Arabic.
==>For the first time, users will be able to set third-party email and web-browser apps as the default in iOS, rather than Apple’s own software.”

Sherman Jay September 4, 2020 5:50 PM

@all,
This quote was in an e-mail I got. I think you will get a chuckle out of it.

“Failure is not an option. It comes bundled with every Microsoft product.”
— Ferenc Mantfeld

Also, there are many articles on sites like techdirt and motherboard about how elementary school children (those few who can get internet connection and have a computer) are having their personal info grabbed (and likely sold) by the ‘online learning’ third-party software that the tech-ignorant school districts are being talked into buying. You would think that parents would vote to fund Schools so they could have a competent IT security and procurement department. But, I guess that is an ideal that is impossible in today’s environment.

I work with an organization that refurbs laptops and desktops and gives them to low-income folks. (on hiatus during the Plague) Why can’t there be more of this?

echo September 4, 2020 6:26 PM

@vas pup

I’m not clicking on a BBC or blind url hidden behind a clickbaity comment because you are too lazy to write it up. Say it in the content of your post or don’t say it. I’m also boycotting the BBC and not the only one doing so because of their self-serving policies and how their News and Current Affairs department and management structures are Tory and alt-right supporting appointments.

Please do pay attention. I’m not the only one who said this…

@all

I am also considering leaving this blog because it is not safe to discuss certain kinds of content. Most of the readers are tone deaf technocrats without even the legal minimum of the requisite expertise or sensitivity. I have tried but in all honesty more harm than good was created. I am left now just wanting my passport and I’m gone for good anyway. I do not say this lightly.

I seriously think you lot care more about boys toys than people dying.

Fin.

Clive Robinson September 4, 2020 6:58 PM

@ echo,

I seriously think you lot care more about boys toys than people dying.

That is a little unkind, you are making assumptions and drawing conclusions without ensuring your assumptions are even close to valid.

You say,

I am also considering leaving this blog because it is not safe to discuss certain kinds of content.

Has it occurred to you that other people have similar if not more serious content concerns, but chose another way than not participating?

What you do is up to you and likewise what others do is up to them within the bounds of what is considered acceptable behaviour on this blog.

As was once noted by theologian Reinhold Niebuhr, and adopted by many people,

    “Grant me the serenity to accept the things I cannot change,
    courage to change the things I can,
    and the wisdom to know one from the other.
    Living one day at a time,
    Enjoying one moment at a time,
    Accepting hardship as a pathway to peace.”

Clive Robinson September 4, 2020 7:25 PM

@ vas pup,

OMG

Not really, single chip microcontrollers can be had for as little as three cents… Yup over thirty to the dollar depending on which way the wind is blowing in the Fed, and rumour has it there is a lot of wind there “and it ain’t all hot air no suree feller no suree” 😉

Thus the power of a single chip microcontroller these days has very little to do with the silicon real estate but the chip price and the software development price. The chances are, simple as the software actually needs to be, it was probably written in a high level language not assembler and was probably “knocked out” in an afternoon as a prototype with a very high chance of working first time.

But we have to remember not all people have either good colour vision or good vision at all. We’ve seen issues with COVID-19 antibody tests where people can not clearly read the results on the test strip even with vision that allows them to drive on the roads.

But look on it another way, that strip of paper that detects the human chorionic gonadotropin hormone, which is produced during pregnancy is better than an older way… Which was to inoculate a female rabbit with an extract from the woman then after a predetermined time kill the rabbit and examine its ovaries for certain tell-tale signs…

$4DLP(e)XORpwnI/O September 4, 2020 8:54 PM

…interesting for y’all…

One of my false positive topic results turned out to be a false negative topic result(!)

https://www.ecosia.org/images?q=data+pollution

This pertains to atmospheric security and breathable air quality safety, amongst other things. I had been searching for tiny infos on the keywords “data” and “pollution”, as in “pollution of data”, “data pollution”.

Nevertheless, I find this pertinent to modern and recent security disturbances. Some of the results which came up for me confirmed some of my suspicions about certain regions of disturbance. It’s nice when the data comes from someone else.

P.S.- Thanks “les honorables”; breveness is good. I am at rest. Rest is good. R is for Resting peacefully. Thanks for existing.

https://www.ecosia.org/images?q=to+the+struggle+against+world+terrorism+closeup+2015
https://www.veteransforpeace.org/

work it out. yes we can. work it out. yes we can. work it out. yes we can. work it out.

name.withheld.for.obvious.reasons September 5, 2020 12:27 AM

4 Sept 2020 — U.S. Ninth Circuit Appeals Court
The U.S. Ninth Circuit Court of Appeals vindicates Snowden’s assessment indirectly by stating the government’s arguments were deceitful. What is fascinating is the media and press coverage (print, cable, television, web), falling well short in the MSM. Many independent and reputable reporting sources such as the Washington Post, Ars Technica, and Reuters had press reports about the court’s decision. An interview on Jimmy Dore’s show with William Binney is instructive:

Binney said:
Amnesty International versus Clapper, “They collect everything.”…”They’ve been doing this all along. The solicitor general lied to the supreme court to get it thrown out.”

Binney also noted:
September a case before the court, collecting data, emails, business records, location data, etc. will be heard. The immunity offered by law to telecommunications companies and the government retroactively can now be challenged.

Binney unable to grasp the IC thinking frustrated states:
“I don’t understand this, this is un-American. People who fought in World War II, what did we fight for?”

Later on in the interview:
Says section 1021 of the 2011 NDAA regarding indefinite detention is nearly identical to the legal structure under Nazi Germany. Asked a question by the host, Jimmy Dore, Binney responds (paraphrasing) “The conceptual liberty timeline now resembles the standing in 1100 AD.”

In 1983, Casey, Director of the CIA said, we are actively infiltrating the main stream media that we are successful when what the people believe is true, is false. We are here seems to be the sentiment.

The most notable reporting is from the American Bar Association Journal, note for the paucity in coverage or on merits, but the fact that it was covered at all. I have to say the ABA has embarrassed itself with the lack of candor, accountability, and the disregard for professionalism.

The ABA should be a backstop for example when members or representatives of art; under the licensure of their profession, lawful accreditation, and dutiful bond as officer to the court, act unlawfully and against the public’s interest. Excluding ethical considerations as for example when the supposed bad actor is your client and your duty to your client is exceeded by your duty to public safety, and fail to recognize the moral liability a legal officer of the court might have if say they are witness or complicit to 150,000 to 200,000 individual deaths. To just mask over the issue is complete hypocrisy and imputes all facets of law, and of order.

name.withheld.for.obvious.reasons September 5, 2020 12:31 AM

@ Clive
I just thought you were being trolled. And I know you are not a trout, or a fish of any type for that matter…

Seems well afield the characteristic discourse and dissonance found here–and highly ad hominem in tone.

name.withheld.for.obvious.reasons September 5, 2020 12:48 AM

@ Bruce Schneier
Okay, I see what you did there, makes obvious earlier assertions respecting brevity and clarity. Very clever.
+5

MarkH September 5, 2020 4:25 AM

@echo:

In those of your comments I have read (I’m a sporadic reader here), it has seemed to me that you’ve had much tumult and distress.

I wish you all the best, in drawing nearer to peace and contentment.

As Ringo used to sing, “it don’t come easy”

Wesley Parish September 5, 2020 4:41 AM

@usual suspects

Slashdot points us in the direction of (blare of drums and roll of trumpets, together with the yapping of sheep and the bleating of a thoroughly confused and terrified dog):
https://www.theverge.com/2020/9/4/21423087/space-policy-directive-5-cybersecurity-threats-satellites
Trump administration issues directive aimed at enhancing cybersecurity in space

Today, the Trump administration released its fifth Space Policy Directive, this one designed to come up with a list of best practices for the space industry on how to protect their spacecraft from cyber threats. The goal is to encourage the government and space industry to create their space vehicles with cybersecurity plans in place, incorporating tools like encryption software and other protections when designing, building, and operating their vehicles.

I’m sure Sam Weller of great renown in The Pickwick Papers could come up with a more pithy comment than i ever could, but I’m thinking, the goons at various aspects of the US and 5Eyes “Intelligence” communities have been pushing on the idea of “backdoors” in telecommunications equipment for so long I suspect their targets will have wilted under the pressure by now. So how this is ever to happen, I do not know:

The directive also encourages companies to use trusted supply chains

Not to forget:

The report also recommends protecting against jamming and spoofing of satellites.

But that is only as good as the encryption software they use, or are allowed to use. If it has state-sponsored backdoors in the encryption algorithms and software, it won’t be much good. Period.

Cyber Hodza September 5, 2020 5:56 AM

@echo
Using the host’s email and falsifying replies can land you in a deep sh*t
@Clive – for all your intelligence you still fail to see what real echo is all about ?

Clive Robinson September 5, 2020 6:02 AM

@ echo,

I am seriously done with you.

That is your choice to make, not mine.

However we have been here before and you are still making baseless accusations on your unwarranted assumptions. I do not know you other than as a near anonymous handle that makes comments on this blog. Even though I do use my name I can only assume you do not actually know me, what I do, nor how I do it. This is in part because I’ve the good sense not to talk about it for various good and proper reasons.

As for you throwing around terms like “gaslighting” and “mansplaining” I really suggest you look up their origins and actual meaning. Just throwing them at people without actual cause is not just unpleasant for the undeserving recipient it’s actually extremely prejudicial in the eyes of others.

Which is why it also happens to be a disruptive tactic used by more and more people and organisations to try and discredit those they have taken exception to on the basic principle of “throw enough mud…”.

From what you’ve repeatedly said on this blog recently under your “echo” handle, you appear from what you say to be having some problems with obtaining a UK passport. But you’ve said nothing other than blame those who work for or act on behalf of the UK Government in very general terms. Thus unsurprisingly nobody has said anything of consequence, because no matter what their expertise you have effectively said nothing other than your generalized dislike for those who work for or on behalf of the UK Government.

I’ve actually made no comment on this, as I’ve likewise made little or no comment on other things you’ve said, even when directly accused by you. Thus what I think or do not think about what you’ve said is not known to anybody other than myself and I shall continue to keep it that way. However common sense should tell you that to accuse me or anyone else who has made no comment of “mansplaining” is really down to you and no one else, as is how you made your assumptions on which you’ve made the unwarranted accusations you’ve bandied around.

Likewise you’ve also made generalised assumptions about others who sometimes post to this blog, which I have commented on above.

As I’ve indicated you know very little or nothing about the circumstances of people who do post here and some have indicated they do come from places other than America, contrary to one of your generalisations. Likewise you are not the only person who is not male who posts here, nor are you the only person with issues.

In fact it would appear from what they have indicated, some commenters are from countries I would not go to due to the nature of their Governments. Even though some I have been to in the past and not as a tourist, thus have good and sufficient reason not to return to them, even if my health allowed me to travel. Also there are other countries I would have to obtain prior consent to travel to which I’m unlikely to get, even though the Governments of those countries might be more than happy to allow me in.

The fact that you appear to regard “soft issues” with a much higher priority than “technical issues” is your personal choice. This blog originated from a highly technical news letter and even though it has softened over the years some have expressed the view that they come here for “technical comment” which is their personal choice. How many others agree or disagree with their viewpoint or your viewpoint I’ve no idea, as they have not made their personal views apparent, which is obviously their choice to make.

You have indicated again that you are leaving this blog, if that is so it is your choice, and I as others have said, wish you well for your future.

Clive Robinson September 5, 2020 7:11 AM

@ Wesley Parish,

Trump administration issues directive aimed at enhancing cybersecurity in space

Hmm there are times when if you polish hard enough you might actually get a sheen on the scat ering around.

As some are aware I know a little bit about both communications and what is sometimes euphemistically called “space technology”. I also know one or two real specialists in both industries and their broad overlap.

Of those I know I would expect more than one or two pithy comments about this equivalent of “platitude advice to IoT device designers”.

As with much that originates like this it says a lot without saying anything, thus might be impressive to those without domain knowledge, and laughable to those that do.

For instance the supply chain for many “space qualified parts” is tighter than it is for either the defence or aerospace industries. As we know they have been fretting about supply line poisoning publicly for a couple of decades and a lot longer than that privately. Like the nuclear industry they know that the bottom line reality is that a single person in the right place can render all security audits and processes ineffective[1].

We have a throw away line of,

    No security is 100%

The reality is it’s a long long way shy of 100% and there is little or nothing we can do about it. In fact you could say,

    Designing a good security process is harder than coming up with a real perpetual motion device.

As I’ve indicated for many years now the “security Process” is in many ways a “Quality Process” only harder a lot harder and with a price tag that hurts.

But when you spend 100 million USD on building a relatively inexpensive commercial satellite and another 25 million USD on the launch and god alone knows how much on “insurance” and “import duty” having good Quality and Security processes in place is in effect a “chump change cost” in comparison.

The big problem that part of the space industry is talking about is “microsats” like CubeSats and smaller. For various reasons these tend to be made these days with Commercial/consumer Off The Shelf (COTS) parts some of which come straight out of the Digi-Key Catalogue. Thus there is no real supply chain security. Even though a CubeSat might only be 1kg or so in weight, such a mass moving at 5 miles/second has a very high impact energy. Some CubeSats are actually being used with ion thrusters to do station keeping experiments. It’s not beyond the bounds of possibility that such a satellite could be moved into another satellite’s orbit and make contact with it. In fact there are experiments in progress to actually use low cost CubeSats as “de-orbiters” for old satellites and other space junk. So the possibility of “take over for terrorism” or more correctly political Machiavelli tactics has been a subject of quiet discussion for a very long period of time now.

Thus from those in the industry this “pamphlet” is a bit of “grandstanding” to “sow a lot of FUD” and also “Wallpaper political backsides” against the inevitable.

Because whilst you can secure communications with “strong encryption and authentication” there is little or nothing you can do about jamming. Way too many people think “just design in failsafes” without actually thinking through what a “failsafe” actually means in space[2]…

[1] For those that doubt this have a think back to how the Russians repeatedly subverted the highly audited and tightly controlled drug testing procedures of the Olympics and other sporting bodies over and over. Or how they bugged the US embassy in Moscow, not just with the great seal bug, but in parts swapped into IBM electric typewriters that passed many high security checks. This is just the stuff we know about as most was caught by accident not designed process or audit, thus how much else do you think went entirely undetected and still does? After all the Russians do not have unique abilities in this sort of thing.

[2] When you analyze most “failsafes” for vehicles on Earth or in the atmosphere they all kind of have an implicit assumption of “usable friction force” to work with. That is if you cut the power that provides “motive force” fairly quickly “friction force” brings the vehicle to a relative stop. Well whilst there is friction from the atmosphere in low earth orbit, many satellites will stay up for decades in their orbits until they degrade and de-orbit. Such time intervals are not exactly conducive to “failsafe” ideas. Nor for that matter is blowing them up or many other ideas you might see in movies etc. Space even in LEO is a place where even a small flake of paint can kill not just astronauts but their rides and most other space vehicles. There’s several reasons why there are “launch windows” and not all are about getting in the desired orbit, some are about missing lost spanners etc.

myliit September 5, 2020 10:42 AM

@SpaceLifeForm, All

“ Yes, plain http is easily MITM-ed, just like your postal mail is.” [1]

It is the little things that can fvck us up (sometimes badly) at times. For example, I try to think twice about visiting a site with javascript on. Likewise, I try to think twice about visiting a non-https site; often, if I want to be bothered with the site, I add an s to http in the link. If that doesn’t work I try to think a third, for example, time: “do I give a sh!t about the posted link?”

General question:

For iOS users, preferred configuration of browser(s):

A) javascript off Safari, javascript off Brave

B) vice versa

C) Safari only (toggle javascript on, as needed)

D) Other. Please specify: ________________________

[1] https://www.schneier.com/blog/archives/2020/08/friday_squid_bl_743.html#c6816838

Phaete September 5, 2020 11:21 AM

@myliit

Rather than just turning javascript on/off I find it safer just to whitelist some domains for javascript use.

This way a website can do their fancy smancy animations/imageloading etc, but all the other domains running JS on that same website get denied.

It takes some knowledge and fiddling to work smoothly, so it’s not for the novices.

There seem to be several alternatives for iOS to the NoScript I use.
I am not using iOS (or Android) because they restrict full control of the device by the owner.
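The per-domain allowlist Phaete describes, as an added example that is not Phaete’s or NoScript’s code: the page’s own domain (and a static-content subdomain) may run scripts, every other domain the page pulls scripts from is refused, and non-http(s) script sources such as `javascript:` or `data:` URLs are refused outright because no domain vouches for them. The domains `shop.example`, `static.shop.example` and `tracker.adnet.example` are constructed sample values.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample allowlist: the shop's own domain plus its static-asset host.
ALLOWLIST = {"shop.example", "static.shop.example"}


def host_matches(host, allowed):
    # A host matches an allowlisted domain if it is that domain or a subdomain of
    # it; "shop.example.evil.example" matches neither test and is refused.
    return host == allowed or host.endswith("." + allowed)


def is_script_allowed(script_url, page_url, allowlist=ALLOWLIST):
    """Decide whether one <script> source (possibly a relative URL) may run on a page."""
    parts = urlsplit(urljoin(page_url, script_url))
    # Inline-code schemes carry no domain to vouch for them: refuse them.
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower()
    return any(host_matches(host, allowed) for allowed in allowlist)


def audit_page(page_url, script_urls, allowlist=ALLOWLIST):
    """Split the scripts a page references into allowed and blocked absolute URLs,
    so the third parties a trusted first party drags in become visible."""
    allowed, blocked = [], []
    for src in script_urls:
        resolved = urljoin(page_url, src)
        (allowed if is_script_allowed(src, page_url, allowlist) else blocked).append(resolved)
    return {"allowed": allowed, "blocked": blocked}


if __name__ == "__main__":
    # Constructed sample: what a shop page might try to load.
    page = "https://shop.example/cart"
    scripts = ["/js/app.js",
               "https://static.shop.example/ui.js",
               "https://tracker.adnet.example/pixel.js",
               "javascript:void(0)"]
    for kind, urls in audit_page(page, scripts).items():
        print(kind, urls)
```

The subdomain rule is deliberately the simple suffix test; it does not consult a public-suffix list, so an allowlist entry like `co.uk` would admit every site under it, which is the kind of “fiddling” Phaete warns is needed before this works smoothly.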

Frank Wilhoit September 5, 2020 12:54 PM

@echo,

Please stick around.

Having said that, it’s called “conversation”. It is a game played with tongues, heavier, sharper, and more ornate than halberds, and if you’ve been living in the UK for more than a few milliseconds, you know all about it. This community is very tame. It isn’t even as paranoid as anyone would expect — and if I am ever tempted to tiptoe softly away, an excessive atmosphere of paranoia will probably be the reason. In the universe I was born in (and I’ve lost count of how many wormholes I’ve fallen through), paranoia isn’t fun.

Curious September 5, 2020 12:55 PM

(“Verizon Trials Quantum Key Distribution for Encryption over Fiber Optic Links”)
https://techblog.comsoc.org/2020/09/04/verizon-trials-quantum-key-distribution-for-encryption-over-fiber-optic-links/

“Verizon has begun testing quantum key distribution (QKD) [1.], a new encryption method that uses photon properties to protect subscriber data. The company says they are the first U.S. carrier to do so, although AT&T is also exploring quantum computing applications in partnership with the California Institute of Technology. Verizon said it sent encrypted streaming video from a 5G Lab to two East Coast offices.”

Article source: https://www.cnet.com/news/verizon-reveals-quantum-networking-trials/

I still remember Brian Snow, formerly NSA, some years ago at RSA Conference’s ‘cryptographers panel’ mentioning that a local university over where I live in Europe had broken a quantum crypto setup at the time, because the setup supposedly wasn’t implemented properly as I remember it. So I guess, bad implementation = pretty much catastrophic failure, and that is assuming things being theoretically secure in the first place without any built in shenanigans à la backdoors or the like.

echo September 5, 2020 1:17 PM

@echo

fwiw, at times, I think I’ll just step back: maybe read/skim/not read stuff and not post ( or post less ) at SoS’s blog for awhile.

SpaceLifeForm September 5, 2020 2:55 PM

@ Bruce

I do not know why you deleted or hid the post by Cyber Hodza, but it is serious, and it is security related.

I saw nothing malicious or degrading.

SpaceLifeForm September 5, 2020 3:57 PM

@ myliit

Wear a mask. Vote. In person. At your poll.

Plan ahead.

hXXps://www.citizensforethics.org/usps-told-congress-distribution-plans-would-stay-intact-for-voting-by-mail-before-dejoy-changes/

Clive Robinson September 5, 2020 4:56 PM

@ Curious, ALL,

… a local university over where I live in Europe having broken a quantum crypto setup at the time, because the setup supposedly wasn’t implemented properly as I remember it.

The first Quantum Key Distribution (QKD) system was back in 84 –yup 36 years ago– and used an optical work bench. Now referenced as “BB84” the setup was developed by Charles Bennett and Gilles Brassard.

In theory the protocol is provably secure as it relies on the quantum properties of the no-cloning theorem. In effect a single photon can not be intercepted or measured by a third party without the first and second parties finding out. Thus the non intercepted photons are used to build a One Time Pad protocol which is also theoretically secure due to the “all messages are equiprobable” reasoning.

However as the old warning has it,

    Whilst in theory it’s secure, in practice it’s probably not.

QKD really suffers badly from this issue and for about two decades a serious number of QKD implementations had serious “side channel issues”.

If I remember correctly it was Gilles Brassard that mentioned that during the original optical bench setup he did not need to measure the polarisation of the photon, because the polarizing device used in the transmitter made not just sufficient noise to be heard on the other side of the room it had a noise characteristic that indicated what polarisation phase it was set to…

I’ve noted several areas where defects were not only expected but could be easily exploited.

For instance a polarizer is a bidirectional device that is it cares not which direction a photon travels through it, and they are inherently broadband frequency wise.

Thus any equipment / device on one side of the polarizer can be seen on the other, and if such a device gives a 180 degree reflection then the state of the polarizer can be found by shining a narrow band “monochromatic” pulsed light source in and see what comes back thus find out what state the polarizer is in… As the entire security of the system rests on an attacker not knowing the state the polarizer was in the security was a complete bust if an attacker could find out the TX polarizer state. Unsurprisingly a number of QKD systems had this problem. There were a whole bunch of other attacks which enumerated the equipment but left the individual photons alone.

But QKD had two distinct issues,

1, The QKD fiber range was extremely limited.
2, The QKD signal checking process meant you could not “switch” the QKD signal onto any other network.

Thus all QKD systems were of limited range and had to be setup as a “one-to-one” system… Both of these limitations were effectively deal breakers for most people… The other thing is “QKD” is effectively “A solution looking for a problem to fix” and a very expensive one as well.

Whilst some of the issues have been sort-of-fixed others have not. Which is a very big question mark to hang over QKD. Hence a lot of people in ICTsec have tended to view QKD technology as something to avoid being at the “bleeding edge” for.
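The BB84 exchange Clive describes, as an added simulation that is not part of the original thread nor any QKD vendor’s code: Alice prepares random bits in random bases, Bob measures in random bases, the two sift over a public channel by comparing bases only, then reveal a sample of sifted bits to estimate the error rate. The no-cloning property is modelled by the rule that a measurement in the wrong basis returns a random bit and destroys the original state, so an intercept-resend eavesdropper raises the quantum bit error rate (QBER) to about 25%. The 11% abort threshold and the `one_time_pad` use of the surviving key are the example’s own assumptions.

```python
import random

RECT, DIAG = 0, 1  # the two conjugate polarisation bases used by BB84


def measure_photon(bit, prep_basis, meas_basis, rng):
    # Measuring in the preparation basis reads the encoded bit exactly; measuring
    # in the other basis yields a uniformly random bit (and destroys the state).
    return bit if prep_basis == meas_basis else rng.randrange(2)


def bb84_round(n_photons, eavesdrop, rng, sample_fraction=0.5):
    """One BB84 exchange; returns (qber, alice_key, bob_key)."""
    # Alice: a random bit and a random basis for every photon.
    alice_bits = [rng.randrange(2) for _ in range(n_photons)]
    alice_bases = [rng.choice((RECT, DIAG)) for _ in range(n_photons)]

    # Photons reaching Bob: untouched, or re-prepared by an intercept-resend
    # eavesdropper who measured each one in her own random basis.
    sent_bits, sent_bases = alice_bits, alice_bases
    if eavesdrop:
        eve_bases = [rng.choice((RECT, DIAG)) for _ in range(n_photons)]
        eve_bits = [measure_photon(b, pb, eb, rng)
                    for b, pb, eb in zip(alice_bits, alice_bases, eve_bases)]
        sent_bits, sent_bases = eve_bits, eve_bases

    # Bob measures each photon in his own random basis.
    bob_bases = [rng.choice((RECT, DIAG)) for _ in range(n_photons)]
    bob_bits = [measure_photon(b, pb, bb, rng)
                for b, pb, bb in zip(sent_bits, sent_bases, bob_bases)]

    # Sifting (public channel): compare bases, not bits, and keep the positions
    # where Alice's and Bob's bases agreed.
    sifted = [i for i in range(n_photons) if alice_bases[i] == bob_bases[i]]

    # Error estimation: reveal and discard a random sample of sifted bits; the
    # disagreement rate is the QBER.
    rng.shuffle(sifted)
    n_sample = int(len(sifted) * sample_fraction)
    sample, keep = sifted[:n_sample], sifted[n_sample:]
    errors = sum(alice_bits[i] != bob_bits[i] for i in sample)
    qber = errors / len(sample) if sample else 0.0

    return qber, [alice_bits[i] for i in keep], [bob_bits[i] for i in keep]


def key_is_trustworthy(qber, threshold=0.11):
    # Abort rule (assumption of this example): roughly 11% QBER is the commonly
    # cited limit above which BB84 with one-way post-processing yields no secret key.
    return qber <= threshold


def one_time_pad(data, key_bits):
    """XOR `data` with sifted key bits, eight per byte; same call encrypts and
    decrypts. Key material must never be reused."""
    if len(key_bits) < 8 * len(data):
        raise ValueError("not enough key material for a one-time pad")
    out = bytearray()
    for i, byte in enumerate(data):
        pad = int("".join(map(str, key_bits[8 * i:8 * i + 8])), 2)
        out.append(byte ^ pad)
    return bytes(out)


def run_demo(n_photons=4000, eavesdrop=False, seed=2020):
    # Seeded so the run is reproducible; constructed parameters, not measured data.
    return bb84_round(n_photons, eavesdrop, random.Random(seed))


if __name__ == "__main__":
    for eve in (False, True):
        qber, key_a, key_b = run_demo(eavesdrop=eve)
        print(f"eavesdropper={eve}: QBER={qber:.3f}, keys match={key_a == key_b}, "
              f"trustworthy={key_is_trustworthy(qber)}")
```

Note what the simulation does and does not cover: it models the photons and the public sifting exchange, so it shows why a channel-level interception is detectable, but it has no notion of the equipment side channels Clive lists (polarizer noise, back-reflection). An attacker who learns the transmitter’s basis from a side channel never disturbs a photon, so the QBER stays at zero and this detection logic never fires; that is exactly why implementation defects, not the protocol, were the historical problem.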

name.withheld.for.obvious.reasons September 5, 2020 7:49 PM

@ Clive

Hmm there are times when if you polish hard enough you might actually get a sheen on the scat ering around.

Again, I must stop drinking coffee whilst reading posts on this blog–especially yours. Very clever.
+5.11

I too have a bit of space platform experience; two projects in which one was a part of exploratory research (Adaptive Optical Mirror) and the other on planetary analysis of atmospheric and surface structures (SSMIS). Neither has sufficiently informed me to the troubles that are part of IoT. My work in control systems has led me to much that is problematic in the space and it is easy to understand why we are where we are…cus we suck at forward thinking (for the most part, I am just over generalizing here).

Yasser September 6, 2020 3:05 AM

I did my search about the legality of taking a picture of someone in public without his consent. I do believe the current laws are suitable for the past, not for the present or future. Now, technology has advanced big time, and still, we are at just the beginning of it.
Drones, Image Recognition, and high resolution cameras will negatively impact privacy if laws are not updated. Do you agree with this?

Clive Robinson September 6, 2020 4:02 AM

@ name.withheld…,

My work in control systems has led me to much that is problematic in the space and it is easy to understand why we are where we are…cus we suck at forward thinking

In evolutionary terms until fairly recently our forward thinking only had to go as far as the next meal or night up a tree etc. And guess what as we got just that little bit more “tool making” and started cooking our food we lost a lot… One eminent scientist in that area made the comment that we had not lost our fourth stomach we had simply swapped it for a cooking pot. But in the process what we did lose was the ability to generate a whole plethora of digestive enzymes. So it’s a choice we can not go back on…

Which if you think about it is a very very major security concern of existential dimensions.

And most of human evolution can be seen that way, that is we as a species make irreversible trades for “quick result short term gains” that we can not go back on. We see this behaviour refined to a point of idiocy in the management of many corporate ventures these days.

The reason it’s seen in corporate ventures so vividly is currently assumed to be because of the need for “status” protected by “power” or it’s abstraction “money” in the hands of those with sociopathic and narcissistic personality disorders.

Apparently only a few in the general population have these disorders to any great extent, various tests over the past few years has suggested however they are significantly present in corporate executives. But a caution should be sounded at this point “correlation is not necessarily an indicator of causation”.

These disorders are probably more likely to be “spectrum disorders” that is we all have them to a certain extent. Simply because they do offer not just short term but individual evolutionary benefit over and above that of species benefit. This is not just via “breeding privilege” but also by an increased likelihood of offspring survivability (which might explain “Politicians Wife” syndrome that is it’s not the individual who is let’s face it often repellent by most objective standards, but the environment local to them which causes the wife to “stand by them”).

If they are “spectrum disorders” then we would expect to see traces of them in all human endeavours even the “creative endeavours” which includes all of the art, artisanal, engineering and science endeavours. Which might be why some people want to “leave their mark on history” by making Empires and their trappings (Ozymandias Syndrome[1]).

In the case of corporates the Empires are traditionally seen through departmental head count, budget and placement in the corporate edifice or HQ building. All of which has survived the technology explosion that started post WWII, that many pundits had said would make such edifices and head counts irrelevant as the world “virtualised”.

However one little bug, that is not even DNA has caused the virtualization of many corporates almost in the blink of an eye, and it’s something for which they were totally unprepared, even though red flags have been waving for decades.

Interestingly, from this enforced virtualisation it’s been found that the “high status jobs” are the easiest to switch to “home working”. Where the status and influence are quite minimal, as some have already experienced,

https://www.theatlantic.com/magazine/archive/2020/10/career-costs-working-from-home/615472/

It will be interesting to see what will happen as the COVID-19 pandemic recedes. That is, will the desire for the trappings of status drive us back to unhealthy lifestyles with unhealthy commutes and unhealthy office environments, high stress and rampant disease, seasonal and otherwise, or will we remain in a “homeworking environment” where neither the commuting nor the office edifice is needed or required, and thus will be a clear candidate for “cost cutting”…

Whilst this might at first appear academic, it is very far from the truth. Take Myers-Briggs testing: many of us have been categorised by it and we get placed in one or two of sixteen little boxes, half of which are for extroverts, the other half for introverts. What we know is the more extrovert you are the less capable you are of handling “homeworking”. That is, the extroverts need the interaction of the crowd, of peers, where they can find a niche of status. Whilst introverts can function in “officeworking” they find it unnecessarily stressful and take to homeworking quite readily…

But work at the end of the day can be broken into three basic types,

1, Creation work
2, Administration work
3, Makework

Creation is a form of refining and is what the “value added” process is all about, that is the taking of raw input goods, processing them to add utility and delivering them as refined input goods to a customer who pays for the added value because it increases to them the utility of the goods.

The processes form both a value added chain as well as a supply chain and like all processes they require feedback and control, which is what administration is all about at the end of the day. That is, administration is management of processes.

As noted, “status” is measured in various ways, one of which is “head count”, thus the more people you manage the greater your status. Unfortunately this is a positive feed-forward process and is thus entirely unstable unless subject to quite forceful constraint via negative feedback. The result though is usually that head count creeps up at any opportunity by a ratchet process, one of which is “peak demand staffing”. Thus if you take on staff to meet peak demand, what do you do with them at non-peak times? Well, this is where makework arises, once aptly described by

    “We trained hard, but it seemed that every time we were beginning to form up into teams, we would be reorganized. I was to learn later in life that we tend to meet any new situation by reorganizing; and a wonderful method it can be for creating the illusion of progress while producing confusion, inefficiency, and demoralization.”

(often attributed to Roman arbiter and satirist Gaius Petronius).

In essence makework allows a senior administrator to gain status by head count and keep those excesses hidden from others. Interestingly makework, like peak demand, is a headcount ratchet, which is why some estimate that around one third of the working population is performing makework.

Almost entirely makework is hidden away in administration work, though it can also be disguised as low grade creative work in non-core activities. One danger of makework is that it can become both embedded by accident and grow organically. That is, you create a process the output of which is irrelevant other than it sounds plausible; one such is the collecting and collating of data on the excuse that the data will be used to save costs. It ticks several senior management boxes, thus the process happens. Then some idiot, often with their own makework scheme, starts using the collated data and thus the first makework becomes a requirement –thus embedded– of the second makework, and so it grows like weeds in a vegetable patch but harder to “weed out”…

Thus a switch from “office working” to “home working” will eradicate much of the current makework as well as the need for office space and the personnel required to maintain it. Also those who support offices, such as those who provide transport for commuting, food and similar for the office workers, and so on. Which could be as much as two thirds of the current workforce, based on what happens in single industry towns when the industry shuts down.

But as I’ve pointed out the switch from officeworking to homeworking is not just a human security issue, it’s a much larger security issue of which information security is just a small part.

At the end of the day even virtual companies need “physical space”, even if it’s the bottom rack in some cloud service provider’s data centre. If you don’t own that physical space then you cannot make it secure, thus you are unnecessarily vulnerable to attacks you have absolutely no control over, as current online criminal enterprises and their customers have found.

Thus I suspect that whilst offices may remain empty for a while, security concerns, allied with extroverts’ need for crowd/peer interaction for status, and the need for makework that implies, will cause offices and corporate HQ edifices and the empires they contain to come back.

However what happens in the meantime might be a major financial collapse. Those buildings are usually rented or mortgaged to the hilt for “fiscal efficiency” or the “don’t leave money on the table” mantra, thus when you trace it back “the paper” is owned by the banks and has produced a significant percentage of their stable income, thus base liquidity.

Empty offices don’t pay, thus that base income will go if homeworking takes hold for even a year. But banks’ other base liquidity comes from depositors, mainly people’s pay cheques; if between 30-60% of workers do not have jobs then not only will they not be depositing, they won’t be making rent or mortgage payments, nor will they be buying even essentials like food. Which means shops and their employees get hit financially, and so it goes on, hence it can build into a major recession that could be decades in effect…

Thus the “short term thinking” and the unsustainable financial bubble growth it’s caused could see the death of many of us and the very real possibility of the first world dropping down to third world standards fairly quickly. Which really would be a security concern across the board…

[1] Ozymandias Syndrome has no official definition and some who use it as an expression have little or no idea as to its origins, which is from “Ozymandian behaviour” that was first highlighted in two sonnets written by different English poets in a friendly competition. Both are on the surface about a traveller who finds an immense pedestal to a long ago broken and abandoned statue in a desolate wilderness. However they are actually morals in verse on the futility of hubris, and turn around the words written on the pedestal. In the case of Percy Shelley’s sonnet the words are,

    “My name is Ozymandias, king of kings: Look on my works, ye Mighty, and despair!”

And in Horace Smith’s,

    “I am great OZYMANDIAS, The King of Kings; this mighty City shows the wonders of my hand.”

In either case it depicts the folly of trying to get immortality of fame through near pointless and ill conceived endeavours, as you cannot foretell the near, let alone distant, future,

https://en.m.wikipedia.org/wiki/Ozymandias

Back a half decade or so ago, this behaviour with respect to corporate endeavours was pointed out by the Financial Times newspaper,

https://www.ft.com/content/c9687a70-7d79-11e5-98fb-5a6d4728f74e

(The “FT” or the “Pink ’Un”, as the Financial Times was also called, appears to have suffered Ozymandias’s fate, and has gone from being “an esteemed organ” of thrusting financial news to a mere “insipid rag” of placed corporate marketing blurb.)

Wesley Parish September 6, 2020 6:16 AM

And this one’s a side-channel doozy:

Linux kernel security fixes spotted before release with side channel attack on…developer mailing lists
https://www.theregister.com/2020/09/04/linux_kernel_flaws/

In an ArXiv-distributed paper [PDF] titled, “The Sound of Silence: Mining Security Vulnerabilities from Secret Integration Channels in Open-Source Projects,” Ralf Ramsauer (University of Applied Sciences Regensburg), Lukas Bulwahn (BMW), Daniel Lohmann (University of Hanover), and Wolfgang Mauerer (University of Applied Sciences Regensburg/Siemens) outline a data mining scheme that amounts to a side channel attack on the open source vulnerability disclosure process.

In a couple of words, traffic analysis.

“Unlike ordinary patches, these patches were—for obvious reasons—not discussed and developed on one of Linux’s public communication channels (i.e., mailing lists) beforehand,” the paper says. “However, the fact that a patch was not publicly discussed betrays it: we will show that it is possible to detect such patches as soon as they enter a public repository.”

Worrying.
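
The signal the paper describes, as an added example that is not code from the paper, The Register or the commenter: given the commits that landed in a public tree and the messages that appeared on the public list, flag every commit whose diff was never posted to the list before it landed. The commits, diffs and list messages are constructed sample data, `patch_id()` is a simplified stand-in for git’s patch-id normalisation (hunk offsets and `index` lines dropped, file names and changed lines kept), and the real paper’s matching is considerably more involved than this.

```python
"""Added example (not code from the paper, The Register or the commenter).

A toy version of the signal the paper exploits: a commit that appears in the
public tree without its diff ever having been posted to the public mailing
list beforehand is flagged as a candidate "secretly integrated" patch.  All
commits, diffs and list messages here are constructed sample data, and
patch_id() is a simplified stand-in for git's patch-id normalisation.
"""
import hashlib
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


@dataclass
class Commit:
    sha: str
    subject: str
    landed: datetime      # when the commit became visible in the public repository
    diff: str


@dataclass
class ListMessage:
    msgid: str
    sent: datetime
    body: str             # mail text; a patch, if any, follows the prose


_HUNK_HEADER = re.compile(r"^@@ .* @@")


def patch_id(diff: str) -> str:
    """Content hash of a diff that survives the drift a patch picks up between
    being mailed and being committed: hunk offsets move as the tree moves,
    'index' lines change with blob ids, trailing whitespace varies.  File
    names and the +/- lines themselves are kept, so a different fix to the
    same file gets a different id."""
    kept = []
    for line in diff.splitlines():
        if line.startswith("index "):
            continue
        if _HUNK_HEADER.match(line):
            line = "@@"
        kept.append(line.rstrip())
    return hashlib.sha256("\n".join(kept).encode()).hexdigest()


def extract_patch(body: str) -> Optional[str]:
    """The patch embedded in a mail body, or None if the mail carries none."""
    pos = body.find("diff --git")
    return body[pos:] if pos != -1 else None


def silent_commits(commits: List[Commit], messages: List[ListMessage]) -> List[str]:
    """SHAs of commits whose content was not on the list before they landed.
    A copy mailed only after landing is not prior public discussion."""
    first_posted: Dict[str, datetime] = {}
    for msg in messages:
        patch = extract_patch(msg.body)
        if patch is None:
            continue
        pid = patch_id(patch)
        if pid not in first_posted or msg.sent < first_posted[pid]:
            first_posted[pid] = msg.sent
    flagged = []
    for commit in commits:
        posted = first_posted.get(patch_id(commit.diff))
        if posted is None or posted >= commit.landed:
            flagged.append(commit.sha)
    return flagged


# ---- constructed sample data: not real kernel commits or list traffic ----
def sample_diff(start: int, new_line: str) -> str:
    """Minimal unified diff against a made-up driver; `start` is the hunk offset."""
    return (
        "diff --git a/drivers/example/foo.c b/drivers/example/foo.c\n"
        "index 1111111..2222222 100644\n"
        "--- a/drivers/example/foo.c\n"
        "+++ b/drivers/example/foo.c\n"
        f"@@ -{start},3 +{start},3 @@ static int foo_read(struct foo *f, size_t len)\n"
        "-    if (len > f->size)\n"
        f"+    {new_line}\n"
        "         return -EINVAL;\n"
    )


D = datetime
SAMPLE_MESSAGES = [
    # Ordinary patch: posted for review a week before it landed.  The tree
    # moved meanwhile, so the committed copy below has a different hunk offset.
    ListMessage("<a@list.example>", D(2020, 8, 1),
                "Fix bounds check in foo_read\n\n" + sample_diff(40, "if (len > f->size || len > FOO_MAX)")),
    # Review discussion with no patch in it: ignored by the matcher.
    ListMessage("<b@list.example>", D(2020, 8, 2), "Looks good to me."),
    # Patch mailed only after it was already in the tree.
    ListMessage("<c@list.example>", D(2020, 8, 20),
                "FYI, already applied\n\n" + sample_diff(40, "if (len == 0)")),
]

SAMPLE_COMMITS = [
    Commit("c0ffee1", "Fix bounds check in foo_read", D(2020, 8, 8),
           sample_diff(42, "if (len > f->size || len > FOO_MAX)")),
    Commit("c0ffee2", "Reject empty reads", D(2020, 8, 15), sample_diff(42, "if (len == 0)")),
    Commit("c0ffee3", "Clamp read length", D(2020, 8, 16), sample_diff(42, "if (len > FOO_MAX) len = FOO_MAX;")),
]

if __name__ == "__main__":
    for sha in silent_commits(SAMPLE_COMMITS, SAMPLE_MESSAGES):
        print("landed without prior public discussion:", sha)
```

Run against the sample data, `c0ffee1` is cleared by the earlier list posting even though its hunk offset moved, while `c0ffee2` (mailed only after landing) and `c0ffee3` (never mailed) are flagged. Against a real project the interesting part is the false positives: trivial fixes and maintainer-applied cleanups that were never mailed either, which is why the paper has to filter much harder than this.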

Hallo September 6, 2020 4:05 PM

“I am also considering leaving this blog”

Would be much appreciated, since nothing of value is lost.

nonamehere September 6, 2020 4:12 PM

echo: Can you please leave us at least one week alone with your passport BS?

It’s all so tiresome!

SpaceLifeForm September 8, 2020 6:24 PM

@ myliit

hXXps://www.postaltimes.com/postalnews/surveillance-video-shows-bags-of-usps-mail-being-dumped-in-parking-lot-by-budget-truck/

p.s.

Because the new hosting site requires email addy, in less than one hour, my email addys have been correlated.

They know who I am. I don’t care.

I expected this.

Wear a mask. Vote. In person.

WmG September 8, 2020 10:27 PM

@ hallo @nonamehere
The piling on by anonymous commenters is not productive and reveals merely their cowardice.

Sherman Jay September 8, 2020 11:04 PM

@SpaceLifeForm,
With all the third-party contractors, there are too many points of failure in the USPS system for the diligent professionals to cover. The public is getting incomplete and misleading stories. Intentional obfuscation abounds.

comments on mail dumped in parking lot:

Kutter 3 days ago
Looks like either surepost or smart post labels. I’m betting it was a fedex contract driver

Brian Reply to Kutter 2 days ago
It is FedEx smart post. You can see the ddu labels right on the bags. I’m betting the news crew already has that Info but doesn’t update its story to let the public know it’s a FedEx contract driver and its FedEx parcels

Steve Reply to Brian 2 days ago

It is not first class mail if any from the postal service

I talked to a friend who is a USPS supervisor. He said that there are many problems with contract carriers not being diligent and that the big contractors using USPS often hire sub-contractors who may just rent a truck, take the money and dump the truckload anywhere.

I personally have experienced that third-party work is often shoddy or even fraudulent. There is so little security to the USPS system when third-party contractors feel no loyalty.

SpaceLifeForm September 9, 2020 12:47 AM

@ Sherman Jay

Thank you for digging.

A Budget rental truck is suspicious.

Whatever really happened, it points to Chain of Custody problem.

SpaceLifeForm September 9, 2020 1:01 AM

@ Sherman Jay

Which is to say, whether your data is “in flight” or “at rest”,
you want it to be delivered, and delivered securely without tampering, to a group that you hope is not in collusion.

When it comes to 2020-11-03, I know where I will be, and I know that the best procedure available to me, is to:

Wear a mask. Vote. In person.

That is my best hope that my vote will be counted.

This way, I am minimizing the Chain of Custody problem.

SpaceLifeForm September 9, 2020 1:21 AM

@ All

So, a bad thing happens, yet no one reacts?

Oh well, not my car.

hXXps://twitter.com/mitchprothero/status/1302878149315719169

MarkH September 9, 2020 2:36 AM

@SpaceLifeForm, Sherman Jay:

According to a report I read, the dumped mail bags appear to be bulk mail, which is assembled by customers (even though the bags are labeled USPS).

It’s possible — and more than likely — that those bags had not yet been delivered to Postal Service custody.

As Sherman seemed to indicate, this situation has no apparent relevance to the handling of any first class mail. The local postal workers union says it has verified that the driver of the rented truck was not a union member.

Perhaps a feeder customer (like one of those “pack and ship” chain stores) hired a contractor to take their bags of bulk mail to a USPS center, and the driver “bailed” for some reason.

Maybe it will comfort you to know that USPS workers include many tens of thousands of military veterans, who take very seriously their duty to deliver election ballots as diligently as possible.

Clive Robinson September 9, 2020 5:54 AM

@ SpaceLifeForm,

So, a bad thing happens, yet no one reacts?

Actually if you look they did react: their monkey/lizard brain tracked them all in on the noise. Then, as with most people and the unexpected, they froze whilst the monkey brain handed over to the conscious brain, which just says “WTF!”, and they stand there frozen to the spot not knowing whether to fight or flee, making perfect targets of themselves… (something snipers are trained to take advantage of).

By the time they started to unfreeze you can see the “drop in” was already out of the back of the car and on their feet…

Back when I was wearing the green I saw two parachute accidents. One was a “roman candle” where they “creamed in” at Headcorn, “Lashenden” as was (Kent). The second I only saw a bit of, was when an inexperienced parachutist dropped into the rotor of a hovering helicopter just over 33 years ago at Thruxton (Andover, Hampshire). She was doing her first jump…

Which by the way was also the first of two helicopter crashes I’ve experienced close up. The second was seven and a half years ago when a helicopter flying at about 650ft smashed into a crane on a very tall building in Vauxhall, South London, just up from the MI6 / SIS “Vauxhall Cross” building. Which I blogged about on this site, because it could have been a botched terrorist attack (Vauxhall Cross had been attacked by PIRA with an RPG a few years before that).

Turns out it was a very experienced helicopter pilot given incorrect information in very reduced, near zero visibility, and the red lights on the crane had been switched off as it was not night time…

And that’s just some of the things I’ve experienced “at home” or close to, and my Dr tells me I need to get out more…

SpaceLifeForm September 9, 2020 6:51 PM

@ Clive, ALL

When the Signal is the Noise.

Keywords: Random, OTP, Numbers Stations, and of course…

Nine Nine Nine Nine Nine Nine

Since it is a slow news day, and since this has no relation to today’s news, really, no, none at all, nothing to see here…

https://twitter.com/mattblaze/status/1303769018411757569

“But that’s not that surprising either. The Cuban shortwave station is extremely powerful, easily heard in the US, and operates so often (currently 12 hrs a day) that people have derived its schedule and posted it to the Internet. But around 2005, something odd started happening.”

https://dilbert.com/strip/2001-10-25

Clive Robinson September 9, 2020 11:01 PM

@ SpaceLifeForm,

When the Signal is the Noise.

Matt Blaze is telling two stories here and you need to understand the difference.

The first story is a “cryptanalysis” story in that there were “no nines” in the Numbers Station output.

The second is a “traffic analysis” story in that people were caught because their secure signals had a unique transmission fingerprint.

And whilst the stories happen to be linked you need to keep them separately in your mind.

So on with the first story… By tradition “One-time NUMBER pads” use just the digits 0…9 or Base 10, also called “an alphabet set of size 10”. Likewise “One-time ALPHA pads” use just the letters A…Z or Base 26 or “an alphabet set of size 26”.

However from a cryptanalytic security perspective there is no reason why the OTP should be Base 10 or Base 26. In fact Base 25 has been used in the past as has Base 36 (in both cases because they are squares).

From the message security aspect the Base size is unimportant, thus Binary Base 2, Octal Base 8, and Hexadecimal Base 16 would all work, and Base 2 is now, in the Digital Age, considered by many to be the standard, which is why the Random Number Generator (RNG) is now often called a Random Bit Generator (RBG) by many people.

But from the message security aspect the only thing that is important “in theory” is that whatever Base size you use, the statistics of the respective members of the alphabet set are flat and unpredictable. However in practice there is another requirement, that it is unpredictable in the short term, so you do not have long runs of any given member of the alphabet set allowing message text statistics to “leak through”[1].

So the fact that the Cuban station used Base 9 rather than Base 10 should not have affected the message security, and probably may not have done.

The reason being is that as long as the statistics of each member of the alphabet set are correct you can simply strike one or more of them out and the statistics of the others remain unaffected. This is a very useful property in that if you have a Random Bit Generator (RBG) and you need to generate a One-time ALPHA Pad you simply take the output of the RBG five bits at a time to get Base 32 and simply throw away any number that is 26 or greater.

So it’s possible that even if the Base 9 of the Cuban transmission was due to faulty generation equipment the actual message security was unaffected.

But the use of Base 9 rather than Base 10 makes the use somewhat “unique”, which brings us into the second “traffic analysis” story… Because the security of a system is dependent on all of its parts, the fact that the actual transmissions were “unique” was a dead giveaway.

So even though the messages may be unrecoverable, that does not make the transmitted signals not useful, as the unique fingerprint would have been almost instantly spotted. Thus the persons using it were almost instantly identified by correlating their real world activities with their unique transmissions…

Whilst keeping the stories separate might not be important for book narration, it is important to keep them separate for “failure analysis” purposes.

[1] In fact the real alphabet size in most OTPs is “the five letter group”, so a maximum of Base 100,000 for Number pads and likewise Base 11,881,376 for Alpha pads. It’s the statistics and “unpredictability” of these that need to be also considered when generating pads to be secure and stop message statistics leakage, which is why the actual “five letter group” base size is less than the maximums.
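
The “take five bits, throw away 26 or greater” construction and the “strike a symbol out and the rest stay flat” argument from the comment above, as an added example that is not code from the comment or from Matt Blaze’s thread. It assumes symbols are the integers 0..base-1, that the pad is combined with the message by modular addition, and it uses a seeded PRNG only so the demonstration is reproducible; a real pad must come from a true random source.

```python
"""Added example, not code from the comment or from Matt Blaze's thread.

Shows three things the comment argues: (1) an unbiased pad symbol of any
alphabet size can be drawn from a random bit source by taking just enough
bits and rejecting out-of-range values; (2) the tempting modulo shortcut is
biased; (3) striking one symbol out of a flat pad (the "base 9" case) leaves
the remaining symbols flat.  Symbols are integers 0..base-1 and the pad is
combined by modular addition; the seeded bit source exists only so the
demonstration is reproducible and must never feed a real pad.
"""
import random
import secrets
from collections import Counter
from typing import Callable, Dict, List

BitSource = Callable[[int], int]   # nbits -> integer carrying that many random bits


def seeded_bits(seed: int) -> BitSource:
    """Deterministic bit source for demonstration only: a pad drawn from a
    seeded PRNG is no more secret than the seed."""
    return random.Random(seed).getrandbits


def draw_symbol(base: int, bits: BitSource = secrets.randbits) -> int:
    """Unbiased symbol in [0, base) by rejection sampling: take the fewest
    bits that cover the alphabet and throw away anything outside it.
    base 26 -> 5 bits (0..31), rejecting 26..31; base 10 -> 4 bits, rejecting 10..15."""
    if base < 2:
        raise ValueError("an alphabet needs at least two symbols")
    nbits = (base - 1).bit_length()
    while True:
        value = bits(nbits)
        if value < base:
            return value


def draw_symbol_modulo(base: int, bits: BitSource = secrets.randbits) -> int:
    """The shortcut to avoid: reduce the bits modulo the base.  Unless base
    is a power of two the low residues are favoured; for base 26 from 5 bits
    the symbols 0..5 are drawn twice as often as the rest."""
    return bits((base - 1).bit_length()) % base


def make_pad(length: int, base: int, bits: BitSource = secrets.randbits,
             draw: Callable[[int, BitSource], int] = draw_symbol) -> List[int]:
    return [draw(base, bits) for _ in range(length)]


def strike_symbol(pad: List[int], symbol: int) -> List[int]:
    """Remove one symbol from the alphabet, as the base-9 station did.
    Survivors above it are renumbered so the result is a valid base-(base-1)
    pad; because every draw was independent, the survivors stay flat."""
    return [s - 1 if s > symbol else s for s in pad if s != symbol]


def max_bias(pad: List[int], base: int) -> float:
    """Largest deviation of any symbol's observed frequency from 1/base."""
    counts = Counter(pad)
    return max(abs(counts.get(s, 0) / len(pad) - 1.0 / base) for s in range(base))


def longest_run(pad: List[int]) -> int:
    """Longest run of one repeated symbol: long runs are where plaintext
    statistics leak through (the comment's footnote [1])."""
    best = run = 0
    for i, s in enumerate(pad):
        run = run + 1 if i and pad[i - 1] == s else 1
        best = max(best, run)
    return best


def encrypt(plain: List[int], pad: List[int], base: int) -> List[int]:
    if len(pad) < len(plain):
        raise ValueError("pad exhausted: a one-time pad is never stretched or reused")
    return [(p + k) % base for p, k in zip(plain, pad)]


def decrypt(cipher: List[int], pad: List[int], base: int) -> List[int]:
    return [(c - k) % base for c, k in zip(cipher, pad)]


def demo(seed: int = 1, n: int = 104_000) -> Dict[str, float]:
    """Rejection sampling versus the modulo shortcut for a base-26 pad, and
    the flatness of a base-10 pad with every 9 struck out."""
    good = make_pad(n, 26, seeded_bits(seed))
    shortcut = make_pad(n, 26, seeded_bits(seed), draw_symbol_modulo)
    nines_out = strike_symbol(make_pad(n, 10, seeded_bits(seed + 1)), 9)
    return {
        "rejection_bias": max_bias(good, 26),
        "modulo_bias": max_bias(shortcut, 26),
        "base9_bias": max_bias(nines_out, 9),
        "longest_run": longest_run(good),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>15}: {value:.4f}")
```

The modulo shortcut shows a bias of roughly 1/32 on symbols 0..5 regardless of how good the bit source is, which is exactly the sort of flat-but-not-quite statistic that gives a pad away; rejection sampling and the struck-out base-9 pad both stay within sampling noise of flat. The rejection loop never terminates on a bit source that is stuck (the faulty-equipment case), so a real generator needs a health check in front of it.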

Clive Robinson September 10, 2020 6:59 AM

@ ALL,

The Ghost of Sturgis…

There is an epidemiological based economics report[1] out about the 10 Day Motorbike Rally in Dakota held in August and it’s not good.

I’ve not finished reading it in depth but the highlights are 56% of the near half million (260k/462k) attending became infected, and they have taken it back to their home towns and is likely to have caused 1/5th of the US infections in that period…

Which, as it’s an economics paper[2], comes out with an estimated cost to the US of 12.2 Billion so far in medical bills alone… What the actual total “butcher’s bill” for society will be is only guessable and will cause argument for years to come. But the one thing that is clear is under current US medical insurance it’s not going to be small (a little over 46k/patient).

The report used anonymous cellphone data[!] and other data sources such as CDC data to come up with its figures, and it is an economics paper[2], thus not unexpectedly it’s come under scathing criticism from some political quarters[3].

If you want a more in-depth synopsis/reporting,

https://www.webmd.com/lung/news/20200909/sturgis-bike-rally-superspreading-event-or-not

https://www.forbes.com/sites/tommybeer/2020/09/08/sturgis-motorcycle-rally-may-have-caused-250000-coronavirus-cases-economists-say/

(Both sites are not just more usable but a lot faster with cookies and javascript turned off).

The actual report (PDF) can be downloaded from an IZA page on it,

https://www.iza.org/publications/dp/13670

[1] A word of caution as with many economics papers this report has not been peer reviewed[2].

[2] Why the domain of economics goes against the more normal practice of science for peer review I don’t know, but as long term readers will know I’ve a fairly low opinion of economics in terms of claims of being science. So remember I’m somewhat biased against it 0:)

[3] Read the Forbes article for quotes from a particular state leader who has not just allowed other potential “superspreader” events to happen in their state but has actively encouraged and promoted them…

[!] Disclaimer, I may well be linked to the way the anonymous cellphone data was gathered. I was involved with developing such software some years ago and it ended up in some of the cell service providers that would have made the data available.

JG4 September 10, 2020 8:39 AM

@the usual suspects – Have been unpleasantly busy. Meant to comment on the keymat generation story, the one that used a pair of dice. Finding entropy isn’t a problem on your planet. And the Verizon keymat distribution story. It doesn’t matter how good your keymat is, and it doesn’t matter how efficiently and securely you can distribute it. If you don’t have endpoint security, you have nothing. Or worse than nothing, a flawed belief in what you have. Very few have achieved endpoint security. Dr. Hussman teaches in his excellent commentary the concept of a “binding constraint.” Endpoint security is a binding constraint in system construction. Claude Shannon taught us that it is possible to build systems of arbitrary reliability from arbitrarily unreliable components. It probably is possible to build systems of arbitrarily high security, but it is much harder than it looks.

https://www.nakedcapitalism.com/2020/09/links-9-10-2020.html

Big Brother is Watching You Watch

Your Man in the Public Gallery – Assange Hearing Day 8 Craig Murray (UserFriendly)

Body cameras may have little effect on police and citizen behaviors: study PhysOrg

Portland, Oregon, passes toughest ban on facial recognition in US CNET (UserFriendly)

Ireland To Order Facebook To Stop Sending User Data To US Wall Street Journal

Clive Robinson September 10, 2020 3:37 PM

@ JG4,

Have been unpleasantly busy

I’m sorry to hear it’s been unpleasant, sadly it appears to be the way of the world currently, and unfortunately not likely to get any better over the next few months.

The news tells me the West of the US has been “red flagged” from California to Washington State for “fire” which is fairly ominous at this time of year. I wonder how many of the outbreaks will be down to poorly maintained electrical distribution…

With regards keymat and endpoint security, sometimes it feels like I’ve been carrying that torch for a lifetime. I know I’ve not, but at the end of the day it’s very tiring to be told various incorrect things because people want to push product and either do not know what they are talking about despite simple logic, or they are being deliberately less than factual for whatever reason… Needless to say I do not use the plethora of communications “security applications” on any smart device, phone or computer, nor am I going to simply because other people do… Security is not, nor ever was, a “me too game”: you either do it properly or not at all, with the latter being the obvious option if you know even a little about “old school fieldcraft”.

With regards Craig Murray and the reporting on the Julian Assange situation that the MSM pretend does not exist. Craig has troubles of his own and if an unaccountable judge in Scotland has his way then Craig will be bankrupted and jailed “all for the political good”, and no doubt honours will be heading “his honour’s way” if the judge succeeds. Status vanity over Justice is not a world where many would choose to be, but unfortunately it is a consequence of “Representational Politics”. They might call it “Democracy” but it is anything but, again as I’ve been saying for a very long time. Our current political climate was all too predictable and despite warnings the West has “sleepwalked into it”, and now the citizens want the nightmare gone, they are finally finding that they have no power to change things. And my prediction is at the very least it’s going to get a lot, lot worse before it gets any better.

lurker September 11, 2020 2:42 PM

@Clive

I wonder how many of the outbreaks will be down to poorly maintained electrical distribution…

At least one is known to have come from “recreational” pyrotechnics. How many more came from gunfire? …

Clive Robinson September 11, 2020 4:00 PM

@ Lurker,

At least one is known to have come from “recreational” pyrotechnics.

According to some MSM an “arsonist” has been arrested, but no other real details, just an implication that it may have been more than one fire started by the person.

Based on certain MSM outlets’ abuse of “free speech” to “try in the court of public opinion”, thus prejudicing any opportunity for a defendant to have a “fair trial”, I’m actually quite surprised at the restraint.

All things considered so far this year, it’s not been at all good for the average US citizen and most indicators are showing it’s going to get a lot worse before it gets better.

@ ALL,

For all those in the US who have suffered misfortune way beyond your control this year you have my sympathies and hope that despite the signs things will where possible get better quickly.

SpaceLifeForm September 11, 2020 4:56 PM

@ myliit

In re Glomar response.

Yes, top of list. List of lawyers.

One on my list pleaded guilty today.

Not high on list.
