Friday Squid Blogging: Interview with a Squid Researcher

Interview with Mike Vecchione, Curator of Cephalopoda—now that’s a job title—at the Smithsonian Museum of National History.

One reason they’re so interesting is they are intelligent invertebrates. Almost everything that we think of as being intelligent—parrots, dolphins, etc.—are vertebrates, so their brains are built on the same basic structure. Whereas cephalopod brains have evolved from a ring of nerves around the esophagus. It’s a form of intelligence that’s completely independent from ours.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Read my blog posting guidelines here.

Tags:

Posted on October 30, 2020 at 4:07 PM235 Comments

Comments

Anders October 30, 2020 4:56 PM

Massive ransomware campaign against US medical sector.

hxxps://us-cert.cisa.gov/ncas/alerts/aa20-302a

Matrix October 30, 2020 5:09 PM

Will you take the blue pill or the red pill?

http s://www.guru3d.com/news-story/researchers-manage-to-decrypt-intels-secret-cpu-code-key.html

If you want the red pill get it here:

http s://github.com/chip-red-pill

Anders October 30, 2020 5:34 PM

@vas pup @ ALL

Actually more important is not ‘where’ but ‘how’.

hxxps://theconversation.com/a-second-pathway-into-cells-for-sars-cov-2-new-understanding-of-the-neuropilin-1-protein-could-speed-vaccine-research-148497

hxxps://www.sciencealert.com/a-second-key-used-by-sars-cov-2-to-enter-cells-could-explain-why-it-s-so-infectious

SpaceLifeForm October 31, 2020 12:40 AM

@ MasterCard

I want to apologize for my rant some time back regarding your relationship with Wirecard.

I’ve connected the dots.

hXXps://www.courthousenews.com/report-fugitive-tech-boss-was-austrian-spy-agency-informant/

SpaceLifeForm October 31, 2020 2:38 AM

@ Clive, JonKnowsNothing, MarkH, All

Still thinking about flying?

A large national outbreak of COVID-19 linked to air travel, Ireland, summer 2020

hXXps://www.eurosurveillance.org/content/10.2807/1560-7917.ES.2020.25.42.2001624#html_fulltext

Or do you want to believe the tales of a mannequin?

hXXps://www.latimes.com/business/story/2020-10-29/covid-19-risk-airplanes

Clive Robinson October 31, 2020 2:49 AM

@ vas pup,

Where do people get infected with the coronavirus?

At home is not at all surprising as the answer.

But that is fairly irrelevant, the question should be, is “Who brings it into the house?” and “Where did they get it from?”

It’s one of the reasons I’ve tallked about the potential for children being turned into “Granny Killers” by state policy.

One thing that is clear is that the “physical social” “service sector” is going to be worst hit, that is Bars, Restaurants, shops, clubs, cinema, music venues, theaters, sporting events, and the secondary service sectors behind those which includes hotels and travel. Much of which was actually in trouble beforehand due to the Internet.

Some might think that more “online living” would be a good thing, but the physical health and mental health information from before COVID-19 was raising major Red Flags about the deleterious effects it was having on people.

And that was before we start talking about Privacy and Individual Security issues. For instance many politicians are touting the fact that “Being hard on crime” has “payed off” in fact it’s done nothing of the sort, when you add in “online-crime” the crime figures look worse, a lot lot worse…

Then there are the State Crimes against Society, over a millennium of jurisprudence had established basic rules of what should be done and what should not be done by the State and it’s Guard Labour with respect to the citizenry such that there was a small backward and forward swinging around an acceptable point in which society could function without oppressive authoritarianism or taxation to fund it.

Pushing society online into an information world where there is neither balance or financial or other resource constraint on the State, has enabled authoritarians to steal by what would be crime in the physical world peoples personal data and with it their everyday lives and is instilling a sense of fear in those who look a little further than their next pay packet.

We may find that the lasting legacy of COVID is the proliferation of Authoritarian if not Totalitarian take over of States for the benifit of the very few and the subjugation of the majority. Which will be ably assidted by International Corporations.

name.withheld.for.obvious.reasons October 31, 2020 5:21 AM

@ Bruce Schneier.com
I am certain the entire animal, mineral, and vegetable hierarchical domains disavow sharing anything remotely considered intelligent with us hue-mans. Humanity is the AI, but without the I.

Winter October 31, 2020 6:03 AM

@Clive et al.
“@ vas pup,

Where do people get infected with the coronavirus?

At home is not at all surprising as the answer.”

Mark Twain already warned us:

The Danger Of Lying In Bed
https://www.mtwain.com/The_Danger_Of_Lying_In_Bed/0.html

If you want to stay safe, leave the home immediately.

But joking aside, the real answer is that it is difficult to control people in their own home. The other measures that can be taken are all trying to prevent people from leaving the house and reduce their traveling.

Curious October 31, 2020 6:06 AM

(“In a first, researchers extract secret key used to encrypt Intel CPU code”)
https://arstechnica.com/gadgets/2020/10/in-a-first-researchers-extract-secret-key-used-to-encrypt-intel-cpu-code/

“Researchers have extracted the secret key that encrypts updates to an assortment of Intel CPUs, a feat that could have wide-ranging consequences for the way the chips are used and, possibly, the way they’re secured.”

“At the moment, it is quite difficult to assess the security impact,” independent researcher Maxim Goryachy said in a direct message. “But in any case, this is the first time in the history of Intel processors when you can execute your microcode inside and analyze the updates.” Goryachy and two other researchers—Dmitry Sklyarov and Mark Ermolov, both with security firm Positive Technologies—worked jointly on the project.”

“The key can be extracted for any chip—be it a Celeron, Pentium, or Atom—that’s based on Intel’s Goldmont architecture.”

Clive Robinson October 31, 2020 7:22 AM

@ SpaceLifeForm,

Or do you want to believe the tales of a mannequin?

Yes… “speak no evil, hear no evil” as we know “crash test dummies”, “mannequins”, and “Martinets” are not the talkative types they are too “stiff necked” let alone “stiff upper lipped” and as others would observe “Lacking the I in AI and Id”.

The article on the other hand is probably taking a few liberties with syaing this,

“Infectious-disease and healthcare experts say the study correctly concludes that the infection risk is lower on a plane than in places such as stores and restaurants.”

You note they name people they publish the opinions of, yet are strangly coy on this opinion…

I realy can not see any reputable infectious disease or healthcare expert saying that. It’s an apples to oranges situation and also unmeasurable in any meaningfull way…

After all if you are the only person sitting in a restaurant with your mask off eating where the restaurant, that takes reasonable precautions then your infection risk is probably less than walking down a quiet street without a mask on…

The simple fact is you can bet for the “tests” they did not just pull an aircraft straight out of service and use it… You can bet a specialist maintaince team went over it very very carefully and ensured everything was brand new and airtight etc. So what’s the betting any aircraft you get on has had the same level of attention? Yup I wouldn’t bet on it either…

Yes airlines are going to go out of business, yes flights are going to get expensive, but no it realy does not matter it’s just another “end of life” “service sector” clutching at straws…

After all why spend half a day to a day getting to the airport, going through checkin security etc etc, spend hours on what is a healthrisk above the norm (remember DVT etc), just to arive somewhere to spend 14days imprisoned in an overpriced hotel with a rent-a-cop on the door where one or more of them are looking for a few extras from the inmates…

It might be better to hop on a “slow boat” and swap a “flying petri dish” for a floating one[1].

The simple fact is like it or not ICT has reached the point where we can have high resolution near enough real time communications to most places we might go to visit.

Back three decades ago a Reader at a University I was attending posed a question,

“When the bandwidth and technology is sufficient to make it feel like you are there, but still with all the comforts of home, why fly half way around the world to kiss Granny on the cheek?”

I suspect it’s a question quite a few more people will be asking themselves, especially with two weeks of quarantine when you get there and two weeks of quarantine when you get back…

Four weeks of tedious isolation ontop of two days or more of unpleasant travel is a lot to ask, just “to press the flesh”.

[1] Personally I don’t even get on trains or busses now due to the fact the Drs have told me my risk factor is worse than that of a blind drunk motorcyclist having their first try at the wall of death…

Curious October 31, 2020 7:49 AM

This below seems like whacky horrible storage systems for medical data in USA. If I understood this correctly, not only could/can you get access to very personal meta data, but also alter the medical files in a trivial manner.

(“EXCLUSIVE: Medical Records of 3.5 Million U.S. Patients Can be Accessed and Manipulated by Anyone”)
https://www.securityweek.com/exclusive-medical-records-35-million-us-patients-can-be-accessed-and-manipulated-anyone

“The details were disclosed to SecurityWeek by Dirk Schrader, global vice president at New Net Technologies (NNT — a security and compliance software firm headquartered in Naples, Florida). He demonstrated that the records can be accessed via an app that can be downloaded from the internet by anyone. The records found are in files that are still actively updated, and provide three separate threats: personal identity theft (including the more valuable medical identity theft), personal extortion, and healthcare company breaches”.

“Schrader has been investigating this issue for several years, looking at healthcare institutions around the world. In December 2019, he sent disclosure notices to the administrators of 120 unprotected systems in the U.S. Sixty-nine administrators completely ignored the warnings, including 19 children’s hospitals. Elsewhere, responses have been better. In general, the response from Europe and the UK has been positive, and the data has been secured. The U.S., India and Brazil are the primary culprits today, but other unprotected PACS systems exist in Australia and Canada – and one in France. The figures he gave to SecurityWeek relate entirely to the U.S.; and rather than exposed systems being removed, new systems are still being added without adequate or any authentication requirements.”

SocraticGadfly October 31, 2020 12:16 PM

Not a squid, but …

We now know that the platypus …

GLOWS IN THE DARK!

Kids, not too late for a cool Halloween costume!

ht tps://gizmodo.com/as-if-the-platypus-couldn-t-get-any-weirder-1845529134

Forget URLs go in queue

SpaceLifeForm October 31, 2020 3:20 PM

@ All

It’s All Hallows Eve.

Sometimes, a transformer helps your power.

hXXps://mobile.twitter.com/RexChapman/status/1322335105076088832

SpaceLifeForm October 31, 2020 3:28 PM

@ Rj, Clive, All

DO NOT connect to ANY external server that you do not own! If you don’t know how to do these things, then why are you here reading this blog?

I get your point.

But, do you not see the levels of irony in your comment?

JonKnowsNothing October 31, 2020 4:19 PM

@Clive @All

MSM article on how COVID-19 is detected in waste water systems (aka sewage). This same process is used to detected other diseases and drugs (legal and illegal) and other components that get flushed down the drain.

Location: New South Wales, Australia (Sydney)

  * 25 Waste Treatment Plants
  * 40 Sewage Treatment Centers
  * 80 sample bottles tested per week
  * Accuracy EXTREMELY HIGH: if there is 1 (one) it will be found.
  * Limits: Cannot tell active infectious state from non-infectious state
  * RNA extracted using reverse transcription
  * 1.85MILL toilet flushes

Future enhancements planned

  * Increase staff size (currently 4)
  * Add collection locations farther up-stream
  * Location specific areas identified on analysis

ht tps://www.theguardian.com/australia-news/2020/nov/01/it-can-be-smelly-at-times-nsw-wastewater-provides-a-treasure-trove-for-covid-19-hunters
(url fractured to prevent autorun)

name.withheld.for.obvious.reasons October 31, 2020 4:36 PM

@ SpaceLifeForm, Clive, the unusual suspects
Just noticed this be post-pended page generated by the server (outside the html section, and not meant to be ironic, ironically);

<!–
generated 210 seconds ago
generated in 0.270 seconds
served from batcache in 0.002 seconds
expires in 90 seconds
<–>

SpaceLifeForm October 31, 2020 5:17 PM

@ name, Clive, Moderator

Name, I saw immediately what the attack is. Just from the handle. I knew it was not you.

Sumptin, sumptin, writing style.

@ Moderator. Leave it up. I want to investigate further.

Remember: There is no MITM. Snark.

SpaceLifeForm October 31, 2020 5:34 PM

@ name, Clive, Moderator

It “looks” like a bot.

But it may be misdirection.

I believe most bots have a ‘handler’.

Just saying.

Steve October 31, 2020 5:54 PM

It’s a form of intelligence that’s completely independent from ours.

And obviously a superior form of intelligence.

They’re smart enough to stay out of the comments section of blogs.

JonKnowsNothing October 31, 2020 9:13 PM

@Clive @All

re: Fresnel Lens (fray-nel) for solar panel augmentation

Fresnel Lens are what made lighthouse lights so bright. It is a flat piece of glass or plastic with concentric rings on the other side that capture and magnify light. It is also used as a magnifying lens on some TVs and in optical devices. Light weight Fresnel Lens are made of plastic and can be mounted in frames. The frames are positioned to concentrate the light to pinpoint or diffuse concentrations and can heat water (solar hot water supply), cook food (solar cooker) or melt metal (solar forge) and credit card size ones are used for fire starting.

I’ve been reading about how to use Fresnel Lens to enhance solar panel collection.

The OH? in the reading is that it can be so powerful that you need welder’s goggles and you can burn up the house or shed if it’s left were the sun can hit it. It also seems that you have to be careful about the focal point or you can melt the solar panel.

  * .8 ft distance from the solar panel is the most effective output.
  * 17.77% (cloudy) 15.49% (sunny) improvement
  * Fresnel lenses can concentrate sunlight onto solar cells with a ratio of almost 500:1.

Given that California is still burning, as well as much of the USA, is using a Fresnel Lens even a good thing to consider?

ht tps://en.wikipedia.org/wiki/Fresnel_lens
ht tps://en.wikipedia.org/wiki/Solar_cooker
ht tps://en.wikipedia.org/wiki/Stirling_engine
(url fractured to prevent autorun)

name.withheld.for.obvious.reasons October 31, 2020 10:52 PM

31 OCT 2020 — Ellsberg Testimony in Assange Hearing
CONTRIBUTORS NOTE:
Reflects what I’d asserted when the title of a video segment was given as Collateral Murder, I’d thought it was mislabeled, more appropriately “U.S. Murder of Iraqi Civilians”. Irrespective of attribution or self praise, here is a portion of Ellsberg’s testimony.

“My further observation is that the civilian victims of the population cease to be seen as human beings whose lives had the same worth as those involved in the bringing of war to their respective countries; in those circumstances, crimes against humanity of the worst kind, and mass atrocities could and did become the norm.”

“My attention, as with the rest of the world was first caught by the video of the Apache helicopter assault in Iraq, which became known as ‘Collateral Murder’.. That title, given by Assange, was often criticized as overly
accusatory. On the contrary, as a former battalion training officer (Third Battalion, Second Marines) and rifle company commander, I was acutely aware that what was depicted in that video deserved the term murder, a war crime. (In fact, deliberate as the the killing of civilians was, it was the word “collateral” that was questionable.) The American public needed urgently to know what was being done routinely in their name, and there was no other way for them to learn it than by unauthorized disclosure.”

SpaceLifeForm November 1, 2020 1:17 AM

@ name.*.*.*.*, Wael, Clive

generated 210 seconds ago
generated in 0.270 seconds
served from batcache in 0.002 seconds
expires in 90 seconds

Those are the comments appended by batcache.

In the case you saw, there are 4 lines.

Note the generated 210 and expires 90 give you 300. 5 Minutes.

That is the default time to keep a page in the batcache.

If the page you view source on does not have these lines,
it was not in the batcache. The webpage was newly generated.

There is another case, where there is only 2 lines.
That happens when you were the one that caused it to be cached.

Initial page creation took 0.270 seconds.

Serving from the batcache only took 0.002 seconds.

So, at least 0.268 seconds were saved in response time.

Clive Robinson November 1, 2020 1:29 AM

@ JonKnowsNothing, ALL,

Fresnel Lens (fray-nel) for solar panel augmentation

In practice there is little difference between a Fresnel lens and an ordinary lens in the over all optical properties (though as Fresnel lenses are flat they do not self obscure thus can have wider acceptance angles).

But the first point that people need to realise is that lenses do not amplify light, they simply change the angle of propagation. Thus they can be used to “concentrate” light. That is there is a ratio of the effective surface of the lens to the area at the point of focus minus the losses. That is to get an increase of power out of the solar cell you have to have a Fresnel lens that has a rather larger surface area than the solar cell.

Also like an ordinary lens a Fresnel lens has to point at the illuminating source. That is it’s plane has to be normal to the sun, and kept that way. Which for higher concentrations requires a two axis rotator system for the lens and cell asembly to maintain higher efficiency as the sun tracks across the sky.

Importantly solar cells need two things to work efficiently,

1, Uniform illumination.
2, Moderate temprature of operation.

Without going into monocrystal solar cell physics, they require a uniform illumination to make a maximal conversion of light into electrical energy. The simplest way to do this is via a “Köhler illuminator”[1] thus the lens system in use should be a Fresnel-Köhler (FK) concentrator system that is designed not for “image integrity” but “uniform illumination” over “spot” areas[2] thus alowing cost savings on high efficiency monocrystalline and other very much more expensive multilayered cells. One advantage of an FK system is that you can make the incident light performance somewhat better thus having a wider acceptance or usage angle. Currently you will see such lens systems on “light pipe” installations.

But this FK “spot” technique by reducing the area of the solar cell significantly increases the big problem with silicon solar cells be they monocrystalline, polycrystalline, or thin film, which as they are quite inefficient 5-25%[3] and their efficiency is very temprature sensitive is heat. Thus if you use a Fresnel or Frenel- Köhler lens system even in high latitudes you will need to cool the solar cell in some way. Normally solar cells in consumer setups are “sort of mounted” in a way to promote a “chimney effect” where an updraft occurs either across one or both of the surfaces to remove the 4/5ths visable light energy that has become heat (then there is the biggy of IR). More expensive combined systems use a liquid cooling system and heat pump system to “move the heat” into a thermal mass such as a heat storage device which can be from a large concrete block upwards through water storage through phase material storage (think waxes). Such combined systems whilst rare in consumer setups currently will become more prevalent with time, especially in higher latitudes where electric power and space saving are not the main concerns.

[1] https://en.m.wikipedia.org/wiki/Köhler_illumination

[2] Fresnel-Köhler (FK) Concentrator research for reduced area solar cells,

https://core.ac.uk/download/pdf/148663815.pdf

And one that as it’s a PhD thesis will take more than five cups of coffee to get you through, even though it’s quite readable, the multitude of images actually says rather more on first reading,

http://oa.upm.es/22768/1/PABLO_ZAMORA_HERRANZ.pdf

(ignore the bit in Spanish prior to the Introduction it’s “paperwork”).

[3] There are reasons why solar cells are inefficient, one of which is they only convert moderately narrow spectrums of light. One way around this is multiple layer cells where the topmost layer responds to light at the upper frequencies (blue) and as the layers go down they respond to lower frequencies (red). Obviously such multilayered cells are very expensive, however FK systems help make “a little go a lot further”. Where this might go comercially is still very much unknown and may prove to costly except in very restricted areas where you want to get maximum efficiency regardles of increased cost.

SpaceLifeForm November 1, 2020 1:38 AM

@ Clive

In the light of the Blue Moon…

Tell me the attack angles you see in this scenario.

Alice wants to privately and securely send some data to Bob.

Alice and Bob each have the others Public Key.

Disregard bitflip attack. I have the authentication issue covered.
I have the replay attack covered. Assume Faraday cage when I say offline.
Traffic analysis issues are covered via noise.

I am looking for any attacks on the crypto here. This is combination of PKI and OTP. PKI is used for the small simple message. OTP for the larger data.

Assume that a small simple message is accepted or ignored.
The receiver decides if valid or noise.

Alice wants to send Bob a large chunk of data.

Alice appends a signature.

Alice generates a OTP that is of the same size of the chunk of data which includes the signature.

The OTP is generated by a program using some random input.

Alice creates the ciphertext using the OTP,

Next, Alice creates the small simple message which has the random input that was given to the OTP generator.

This small simple message is signed and encrypted.

So, we have two things, both encrypted. Both steps can be done offline.

Alice, then puts the big ciphertext bit-string somewhere on a server. Think deaddrop.

Alice, then (magic happens), sends the small simple message to Bob.

Bob, at some point, gets the small simple message.

Bob, gets the small simple message over to an offline machine.

Bob, decrypts, checks signature, and decides that Alice has communicated.

Bob, using the random input from the small simple message, generates the OTP.

Bob, knowing where to look, finds the ciphertext, gets to offline machine, and decrypts. And verifies signature.

FA November 1, 2020 2:13 AM

@SpaceLifeForm

Alice generates a OTP that is of the same size of the chunk of data which includes the signature.

You should get your terminology right. Whatever is generated and can be regenerated from a shorter input is definitely NOT an OTP.

What you describe is using a PKI to send a key, and then using that key for a stream cipher. This has been analysed to death, nothing new here.

SpaceLifeForm November 1, 2020 2:30 AM

@ ALL

Driverless vehicles equals Artificial Insanity

hXXps://www.carscoops.com/2020/10/roborace-driverless-race-car-hilariously-plows-into-wall/

MarkH November 1, 2020 2:54 AM

@SpaceLifeForm:

FA has it exactly right.

To be OTP by Shannon’s definition, the keystream must be truly random, which means that its minimum encoding is practically as large at the raw data.

If the keystream is generated from a much smaller bit sequence by some algorithm, then that’s a stream cipher.

Imagining a stream cipher to have security properties equivalent to OTP is the most common mistake made by people who’ve learned a little cryptography. My guess is that worldwide, somebody re-invents the stream cipher in this fashion roughly once per day.

Clive Robinson November 1, 2020 3:06 AM

@ Bob Paddock,

I find myself in need of such things, unfortunately, are there any that have non-pathetic security?

It rather depends on your definition of security and where you want it to start and end.

CCTV cameras –which is what nany cams are– come in a variaty of classes.

Firstly there is the analog / digital divide. Whilst analog is tending to disappear they are still around and are generally easier to secure when using dedicated wiring.

Which brings us to the next division, wired / wireless. Whilst wireless in the ISM bands is all the rage in consumer devices it’s laughed at by the brighter criminals and avoided by proffesionals. Because it’s at the very least a “beacon” giving away not just it’s presence but it’s location, and it does not matter if it’s analog, digital, or encrypted the systems are usually insecure in that the signal changes as things apear in it’s field of view, thus a smarter criminal can work out not just it’s field of view but it’s range at night as well as during the day.

But the digital side of things has several sub domains. Many “office cameras” are IP over Ethetnet on Cat5 or above cabling with PoE being not uncommon. Whilst Ethetnet protocols are not routable, IP protocols are, and that creates a whole bunch more security issues. It also creates other problems, such as information bandwidth. Many of the more sensibly designed IP based cameras use methods to reduce data transmission. Which means that the network traffic is quite variable. Thus it is possible to set systems up that work fine under normal conditions but fail in the likes of fire alarms when suddenly all camaras are maxed out.

But as I’ve remarked before the market place has changed and the race to the bottom marketing techniques have actually punched through ground zero and are heading ever downwards draging the rest of us to hell and beyond. In essence these IoT type cameras have minimal cost components, and all the features are done over the Internet where extra money is made. This could be by paying “cost or less” for the hardware but then having to rent by subscription etc the service to use the hardware you have purchased but now do not actually own… And paying for the service leaks all sorts of PPI that can then be “repackaged, wrapped up and sold” to third parties you have no relationship with at all. Worse if the company folds or decides they won’t support your cameras any more, they stop working… This is known by some as “Doing an Amazon”.

But speaking of Amazon their Ring system is realy realy bad news from an information privacy viewpoint. It turns out not only are they insecure, Amazon also gives your feeds to LEO’s without any form of privacy protection…

I hope that helps in a general non product specific way.

But if you want a more specific way, there is an Australian company Swann whose miniture wireless products I’ve put in model railway engines to give people “drivers eye” and “pasenger eye” views whilst playing with them.

Thus have you considered making your own “nanny-cam”?

Because I’ve also attached them to RC aircraft, helicopters cars and boats, as they are generally a lot less expensive than “drone” equivalents.

I’ve also used their wired cameras which you can put unobtrusively in objects such as clocks, fake fire detectors, alarm detectors, box files, lighting fitings and even computers etc. The ones I used were not “IP based” so are not a remote security risk and their local risk is more based on your abilities to hide them in objects and get the cables away.

For some reason their US and UK web site does not show up the cameras alone, just finished quite obtrusive security cameras.

So you might have to use other suppliers via China and AliBaba etc.

MarkH November 1, 2020 3:14 AM

@JonKnowsNothing:

Probably, most readers over a certain age threshold have direct experience of Fresnel lenses.

Before people in the corporate world suffered through Powerpoint presentations, we suffered through overhead projector (viewgraph) presentations.

In all of the overhead projectors I have seen, the illuminated window on which the transparent sheets are laid is a Fresnel lens, which essentially focuses the diverging rays from the lamp underneath, toward the right-angle mirror/lens assembly suspended above. In this way, it greatly enhances the intensity and uniformity of illumination on the screen.

I never took one apart, but I suppose that those lenses were a very few millimeters in thickness.

Fresnel lenses are not best suited to imaging, in which light from a point source is focused to a sharp point in a real image (on camera film, for example). To make a Fresnel lens good enough for high-quality imaging must require extremely precise specialized processes, with some combination of mitigation and acceptance of the diffraction and scattering effects.

But for illumination purposes — as in lighthouses, projectors, solar cells and the like — even a very simple manufacture of Fresnel lens serves admirably, with great savings in weight and thickness of lens structures.

Clive Robinson November 1, 2020 3:54 AM

@ MarkH,

To be OTP by Shannon’s definition, the keystream must be truly random

Actually no, the proof does not require “truly random”, it only requires it to be “non determanistic” to the observer such that “all messages are equiprobable”.

The difference is subtle but “truly random” can be shown to be insecure for a number of reasons as I’ve explained some of in the past.

@ FA,

You should get your terminology right. Whatever is generated and can be regenerated from a shorter input is definitely NOT an OTP.

That is something that is not exactly true.

Party A generates a very large nondetermanistic file that they give to party B. Which is a standard OTP procedure.

What party A does to encrypt a message is use a part of that file that has not been used thus it is an OTP encryption.

In normal OTP usage some kind of index into the file or message indicator is sent which can be sent with the OTP or sent separately from the OTP.

Thus a short “index” will regenerate the required OTP from the file, as securely as an OTP.

@ SpaceLifeForm,

Yes you may have a weakness in the system,

Alice generates a OTP that is of the same size of the chunk of data which includes the signature.

If I am reading your “shortform” correctly then your plaintext going into the OTP is,

Plaintext = [data + signiture]

Where “+” implies a cancatonation or other linking process in some way.

If this is the case then it breaks the OTP “equiprobable” rule because it provides a method of distinguishing a valid message from many many other invalid messages.

It’s the reason you should not compress the plaintext input to an OTP (especially using any of the normal compression systems).

It’s just one of those subtle things about OTP’s that don’t get into the text books.

FA November 1, 2020 4:33 AM

@MarkH, @SpaceLifeForm

If the keystream is generated from a much smaller bit sequence by some algorithm, then that’s a stream cipher.

Indeed. But even if we relax the definition of an OTP and allow it to be generated that way, the proposed system still fails.

One requirement for an OTP is that when all copies are destroyed, there must be no way to regenerate it. But in this case there is, all it takes is to break the PKI and recover the generator key. The problem here is not only that the OTP is not truly random, but also that a copy of the key used to generate it remains in existence, protected only by the PKI.

You could try to keep the generator algorithm secret, but that would be ‘security by obscurity’.

Now SbyO can make sense, but only if you can enforce the obscurity, which requires organisation, infrastructure, and the option to use physical violence. Even the military have failed doing this a number of times.

Clive Robinson November 1, 2020 6:13 AM

@ name.withheld…,

Where the FEC has had a clear role in traditional media…

Two pertinent questions at this point is “Who runs the FEC?” and “How did they get their positions?”

One of the things I forgot to mention to @vas pup, the other day is “It’s not just money, that needs removing from the equation, it’s “appointees to.”.

But also for the sake of society lower apointments such as are made by “people voting” is not a good idea either, there are way to many who get “voted in” who run things without impartiality, or fairly in other ways.

It is easy after all to pull all kinds of questionable activities when oversight etc is also elected, thus you have whole Dept’s where “crime is part of the benifits”. Even Judges have been found getting what we might call “Election Help” by privatised organisations such as Prisons and those providing uncompetative but highly profitable services to not just Prisoners but others trapped in systems run for profit.

It’s the flip side of the “Great American Dream” when the resources run out or become –deliberatly scarces[1]– then others profit greatly especially if they can become a monopoly in some way.

[1] A classic example a few years back when a certain financial organisation got hold of the aluminium supply the profit they made by just stacking the ingots up in yards under tarpaulins was eye wateringly large. But whilst just about every consumer in the US payed this “tax” those who effectively ran an illegal monopoly hardly got mentioned or punished…

Infd November 1, 2020 7:22 AM

One of the accused participated in a 2014 conference of hackers on the topic of “infiltration, hacking, and the national peculiarities of cyberwarfare.”
h ps://www.rferl.org/a/investigative-report-on-the-trail-of-the-12-indicted-russian-intelligence-officers/29376821.html

Andriy Derkach graduated from the Academy of the Federal Security Service of the Russian Federation in 1993. His diploma thesis was titled “Organization and execution of meetings with undercover agents.”
h ps://informnapalm.org/en/derkach-tapes-as-part-of-russian-hybrid-war-against-ukraine/

Usually, if the recordings are authentic, the complete set of files is published, and the original raw recording is provided to independent experts.
h ps://informnapalm.org/en/andriy-derkach-us-presidential-election-2020/

The Russian Aggression database will be useful to journalists and experts who are studying Russia’s participation in the armed conflicts and hybrid wars.
h ps://informnapalm.org/en/proofs-of-the-russian-aggression-informnapalm-releases-extensive-database-of-evidence/

Curious November 1, 2020 7:52 AM

Off topic: (And apologies in advance if this below sounds dumb.)

Not knowing much about math and thinking very naively about the little I think I know about ECC crypto, I wonder if a ‘logarithmic spiral’ could be used to, well sort of crack ECC crypto, somehow. A log spiral looks different than a linear Archimedean spiral, and doesn’t snail to the center like the Arhimedean variant afaik. A log spiral can have varied pitch angle and also be made into a circle according to Wikipedia.

I already had some vague ideas for imagining using a log spiral, partly as perhaps as an dimensionless non local inverse geometrical system compared to our 3d + time “point like/localized” world, and also some super vauge idea for Riemann hypothesis to maybe get to show why so called “non trivial zeros” for the contineous analytic function are at the 0.5 line, and so when I saw this video on youtube last night, I couldn’t help but wonder if there could be a simple way to bypass the hard ‘elliptic curve discrete logarithm function’ problem if it made sense to game the system of remainders from working with modulo numbers, here called ‘residue classes’ of modulo numbers in the video. I can imagine that the axis lines with zeros themselves could perhaps be important, and then maybe just look for spiral lines crossing, or maybe something with a spiral’s constant pitch angle compared to other spirals. Sort of seems to me that the “remainder” off modulo numbers is inherent to basic math in general and to prime numbers which is used for crypto afaik, and so maybe there is some kind of greater symmetri to all of this I was thinking. If I understood this correctly, the ‘critical line’ in Riemanns hypothesis, is associated with all prime numbers. I won’t pretend here to really understand the Riemanns hypothesis. I guess, with a log spiral, even though the center point is the same, when the spiral is non linear, the center “sort of expands/moves” I imagine, and so I guess could indirectly represent fractions that way, with a single static center point. However looking at a video showing somebody drawing a log spiral manually, it sort of looks like a full rotation of 360 deg, has four circle segments each with a shifted center (one circle segment drawn for each of the four “quadrants” of the X and Y axsis coord system). I wonder if this is also true if drawn on a computer (presumably not), having four circle segments for every full turn of the spiral. Even if a log spiral is truly non-circular like if drawn on a computer, perhaps this hints at some “unseen” fractional qualities of a log spiral I am thinking, in a X/Y coord system. Presumably, “this” in turn would have had been something discovered a long time ago by professionals I would think.

(“Why do prime numbers make these spirals?”)
https://www.youtube.com/watch?v=EK32jo7i5LQ (22min)

(“Visualizing the Riemann hypothesis and analytic continuation”)
https://www.youtube.com/watch?v=sD0NjbwqlYw (20min) (Riemann hypothesis problem mentioned after 17m)

JonKnowsNothing November 1, 2020 9:41 AM

@All

re: The hazards of concatenation

An error message on a webpage:

We’re sorry but immigrant_rights doesn’t work properly without JavaScript ….

I don’t think they are working that well even if it’s enabled…

JonKnowsNothing November 1, 2020 11:51 AM

@ SpaceLifeForm @Clive @All

re: Test dummies, planes and COVID-19

“Infectious-disease and healthcare experts say the study correctly concludes that the infection risk is lower on a plane than in places such as stores and restaurants.”

An observation:

In countries that have strict border quarantines and that have little or no COVID-19 internally which are primarily island countries (NZ, Taiwan, AU), most people arrive by plane.

To get on a plane to these countries, access is rather limited (airline price gouging) and you need to meet several criteria: either be a VIP of VIPs or a stranded citizen trying to return home.

To get on such a plane you have to have a COVID-19 clear test n-days prior to getting on, pass through the airport pre-flight-COVID-19-testing protocols. Once you arrive you have to spend n-days in quarantine.

If you are “clear before take off” and you arrive “sick” or “become sick during quarantine” there are rather limited points of contact.

Either these continuing cases are failures of the quarantine system (which happens), they are failures of the testing methods (which happens), or they were healthy at the time of departure and became infected while in flight (the airlines dispute this).

Flights to NZ AU from EU are long haul flights, far more than the 15 minute periods of exposure rule used for “contact tracing”.

I find any assertion by the airline-tourist industry that it’s safe, to be disingenuous at best.

The cruise industry has already tried several times to no avail, although the last attempt was an own-goal because they did not want to hire or pay the crew to remain in quarantine and only hired them last minute and set sail before their positive tests were returned.

note: NZ had their quarantine failure and AU States of Victoria and New South Wales have just recovered from their catastrophic quarantine failures. The Government of Australia opened an incoming-no-quarantine travel corridor with NZ. There was a bit of a fluff because the incoming Kiwis went walkabout while the States were still doing whack-a-COVID clean up. The let-loose-on-arrival may not be quite as safe as imagined because of internal regulations relating to tourists and visitors.

Anders November 1, 2020 1:11 PM

@Clive

Sadly i see UK has passed million infection margin.
Now there’s 9 countries in that set.

hxxps://en.wikipedia.org/wiki/COVID-19_pandemic_by_country_and_territory

Stay safe!

Sancho_P November 1, 2020 5:42 PM

@ name.withheld…

Forget the importance of election security, it’s not needed.
When voters are nearly equally divided between only two unfit options you have at least one deeper problem, but most likely two or more.

Sancho_P November 1, 2020 5:45 PM

@Clive Robinson

“It’s the reason you should not compress the plaintext input to an OTP (especially using any of the normal compression systems).”

This is something I do not understand – could you elaborate, please?

Clive Robinson November 1, 2020 8:39 PM

@ JonKnowsNothing, SpaceLifeForm, ALL,

I find any assertion by the airline-tourist industry that it’s safe, to be disingenuous at best.

And quite rightly you are not the only one.

Especially as the tests carried out with the “crash test dummy” were as others have pointed out “not even close to realistic”.

The reason that mainly island nations have been so successful at keeping COVID in check were in three parts,

1, Early and Fast response.
2, Strong border controls.
3, The weather.

The first two went hand in hand, and the third due to mainly UV exposure gave a lower initial infection rate[1] thus giving a little more time at the bottom of the exponential curve, so community spread dod not become significant.

But then we knew all of this from SARS (CoV-1) in 2002/3 which was quickly eradicated[2].

So there was no excuse we knew what to do, what stopped the prompt action being taken to stop SARS-CoV-2 was the evils of short term thinking when coupled with lobbying and politicians doing favours for the short term thinkers.

I guess the only question is “How long are the citizens –who are most hurt by this political failure and undemocratic behavior– going to put up with it?”…

[1] There are several reasons why the weather would slow things down. Firstly it appears SARS-CoV-2 is less UV tolerant than other pathogens which significantly reduced one infection route (fomites). Secondly peoples immune systems are a lot stronger in summer than they are in winter, part of which is skin exposure to UV is higher in summer and thus human Vitamin D levels are higher thus bringing the immune system more towards optimal performance. But also peoples diet tends to change, it’s one of the reasons Japan is thought to have got off so lightly the diet eaten in summer tends to be much higher in vitamins, minerals and other nutrients that help our immune systems be much improved.

[2] The 2002/3 SARS corona virus had a significant disadvantage, in that people were only infective after symptoms had been present for around 48hours. Thus infected people could be simply identified before they became infectious. SARS-CoV-2 unfortunatly is very different in this respect when you are infected you become significantly infectious before you become symptomatic if you do at all, with more than 1/5th of people not showing signs or symptoms at all. One of the reasons some people are so interested in using dogs as detectors is they can smell the virus as people start shedding thus become infectious before they develope signs and symptoms. It appears thst it takes about a week to train a dog, they have a similar success rate as very expensive tests, and unlike all the other tests, it gives results in around 15 seconds, not 150minutes, 15hours or 5 or more days that the more expensive tests have taken.

xcv November 1, 2020 9:44 PM

Whereas cephalopod brains have evolved from a ring of nerves around the esophagus.

Similar to the motor nerves that control human speech, as well as the sympathetic and parasympathetic nerves that connect the human brain to the human heart, the atrioventricular and sinoatrial nodes in the heart, and the Purkinje fibers that conduct impulses like nerves to cause the heart to beat.

Delight thyself also in the Lord: and he shall give thee the desires of thine heart [Psalms 37:4].

The heart beats harder and faster than its resting rate when a person has a desire or intention to do anything at all, and to those who are at law in the Hebrew or Jewish Bible, (the “spirituality of the law” etc.,) that is the “actus reus” of a crime already when the “mens rea” is evil, to use the ancient Roman terminology.

lurker November 1, 2020 9:58 PM

@JonKnows0

The Government of Australia opened an incoming-no-quarantine travel corridor with NZ. There was a bit of a fluff because the incoming Kiwis went walkabout…

Correction: The Government of Australia opened an incoming-no-quarantine travel corridor from NZ to NSW and NT. Add to that a lot of Kiwis don’t grok the Federal nature of the Commonwealth of Australia, where the States are individually responsible for public health. It’s the States-Rights question that has exacerbated the US lack of coherent covid response.

lurker November 1, 2020 10:10 PM

@rocket man:
There can be up to 24 horses in a race. youtube-dl is only one of those. I find that rather than the RIAA, it is YT itself that keeps changing the running course, or requiring the jockeys to wear different colors, so my favorites over the years keep getting broken and updated in a continual arms race.

SpaceLifeForm November 1, 2020 11:49 PM

@ FA, MarkH, Clive, Sancho_P

Thank you for the input.

I left out a few things for brevity.

My OTP is closer to a synchronous stream cipher, but it is NOT true pseudo-random. It is deterministic, provided you have the correct inputs. There is no periodicity.

The PKI is ECC, not RSA.

The random input also includes a Nonce with a timestamp.

This is one-way communication only. Think broadcast.

I was not thinking about any compression, but like Sancho_P, why not?

I’ve not stated anything about the plaintext. I never even mentioned whether it is human readable or not.

As, to the “equiprobable” issue:
There must be a signature otherwise any random garbage can be decrypted to better smelling random garbage. So, maybe need to append some random garbage.

“But in this case there is, all it takes is to break the PKI and recover the generator key.”

This is quite true. Of course the attacker would not only have to break the PKI, they also would have to correlate that specific simple message with the larger ciphertext.

The use case I am looking at: None of the data chunks survive more than 1 day.

If Bob does not respond to Alice within 24 hours, she can assume that something went wrong, and try again. Or, she can assume other outcomes. That part of the protocol is between them.

Mattis Riony Finorecu November 2, 2020 12:30 AM

As some here remind us, ignoring history leads to repeating it. It seems to me the press and some platforms are cooperating as in the past.

From Tom Wolfe,”Mauve Gloves and Madmen …”, near the end of the essay “The Intelligent Co-ed’s Guide”, writing on Solzhenitsyn’s full account of the Gulag, and his speeches soon after his exile from the USSR, –

“Yet Solzhenitsyn went still further. He said that not only Stalinism, not only Leninism, not only Communism—but socialism itself led to the concentration camps; and not only socialism, but Marxism; and not only Marxism but any ideology that sought to reorganize morality on an a priori basis. Sadder still, it was impossible to say that Soviet socialism was not “real socialism.” On the contrary—it was socialism done by experts! Intellectuals in Europe and America were willing to forgive Solzhenitsyn a great deal. After all, he had been born and raised in the Soviet Union as a Marxist, he had fought in combat for his country, he was a great novelist, he had been in the camps for eight years, he had suffered. But for his insistence that the isms themselves led to the death camps—for this he was not likely to be forgiven soon. And in fact the campaign of antisepsis began soon after he was expelled from the Soviet Union in 1974. (“He suffered too much—he’s crazy.” “He’s a Christian zealot with a Christ complex.” “He’s an agrarian reactionary.” “He’s an egotist and a publicity junkie.”)

“The New York Times sought to bury his two major speeches, and only the moral pressure of a lone Times writer, Hilton Kramer, brought them any appreciable coverage at all. The major television networks declined to run the Solzhenitsyn interview that created such a stir in England earlier this year (it ran on some of the educational channels). And the literary world in general ignored him completely. In the huge unseen coffin that Solzhenitsyn towed behind him were not only the souls of the zeks who died in the Archipelago. No, the heartless bastard had also chucked in one of the last great visions: the intellectual as the Stainless Steel Socialist glistening against the bone heap of capitalism in its final, brutal, fascist phase. There was a bone heap, all right, and it was grisly”

Winter November 2, 2020 12:53 AM

@Clive
“So there was no excuse we knew what to do, what stopped the prompt action being taken to stop SARS-CoV-2 was the evils of short term thinking when coupled with lobbying and politicians doing favours for the short term thinkers.”

I do not think this is right.

This is more people encountering the unimaginable and having to respond. And most people have too little imagination to believe in a pandemic reaching their shores.

The reaction to COVID-19 in Europe and the USA is not much different to that of the people in West Africa to Ebola: It is not true and it is a conspiracy of foreign powers and the health care workers. Nurses and doctors have been murdered during the Ebola epidemic in West Africa because they were considered the cause of the infections.

Principally, COVID-19 is the first major pandemic reaching the USA and Europe in a century. SARS1 and MERS, nor Ebola reached these areas. The last global warning for a pandemic in 2009 about the Swine flue proved to be a dud (it killed less than 300k globally). People did remember that one.

No one was expecting such a rapid spread with that many fatalities. Which means that no one was willing to actually do something. Especially those with porous borders that could not limit travel. The exceptions were, indeed, islands that had bad experiences with SARS-1 (Thailand, Korea, which is an island in practice, and Japan) and the likes of New Zealand that have had a history of infestations by foreign creatures wrecking havoc with the local ecosystems.

@Clive
@”The 2002/3 SARS corona virus had a significant disadvantage, in that people were only invective after symptoms had been present for around 48hours.”

That was the other killer feature of COVID19. Everyone was banking on track and trace of the infected and their contacts. However, inevitably whenever an infected person was first detected in a country, the virus had already taken hold and the spread was uncontrollable.

What you see in the spread is that the first countries were hit really hard (Italy and Spain in Europe) and then their neighbors (France, Austria). Then other countries took notice and started to react. Even then, one or two weeks timing difference in the response made the difference between a bad situation (Germany) and a genuine disaster (Belgium, Netherlands, UK).

SpaceLifeForm November 2, 2020 12:54 AM

@ Curious

Exclusive: Medical Records of 3.5 Million U.S. Patients Can be Accessed and Manipulated by Anyone

I knew, I knew, right away. But you made me do it.

hXXps://aws.amazon.com/blogs/publicsector/how-to-bring-your-pacs-solution-to-aws/

Anyone that continues to use AWS is completely insane.

It is NOT a secure cloud. Over, and over, and over, again, and again.

I’ve truly lost count.

ferritecore November 2, 2020 1:25 AM

@SpaceLifeForm:

>
My OTP is closer to a synchronous stream cipher, but it is NOT true pseudo-random. It is deterministic, provided you have the correct inputs. There is no periodicity.

Like Penrose tiles?

SpaceLifeForm November 2, 2020 1:43 AM

@ Clive, ALL

This took serious painstaking work over years. Amazing. Really amazing.

Did I mention this is amazing work? Great writeup.

Unreal. Amazing.

hXXps://samy.pl/slipstream/

NAT Slipstreaming allows an attacker to remotely access any TCP/UDP service bound to a victim machine, bypassing the victim’s NAT/firewall (arbitrary firewall pinhole control), just by the victim visiting a website.

Maybe this is how AIVD watched SVR.

hXXps://arstechnica.com/information-technology/2018/01/dutch-intelligence-hacked-video-cameras-in-office-of-russians-who-hacked-dnc/

MarkH November 2, 2020 1:49 AM

@SpaceLifeForm:

The usual meaning of one-time pad is a system meeting Shannon’s criteria for perfect secrecy.

In such a system, the key shared between participants CANNOT be shorter than the total length of all messages encrypted under that key.

If the shared secret (key) is even one bit shorter than the cumulative message length, then the property of perfect secrecy can’t obtain, and calling it OTP is a misuse of technical nomenclature.

BTW, did you prove that the keystream cannot be periodic?

name.withheld.for.obvious.reasons November 2, 2020 1:57 AM

Okay, going to try one more time on the topic of election security…highly redacted version.

31 OCT 2020 — Enhancing Election Day Security and Vote Integrity
I know there is plenty to consider in a blanket shutdown but I don’t understand a mostly workable plan to emulate the behaviors present in classic media formats or seem untenable in restricting voter and voting manipulation. The maturity level of the platforms, the users of those platforms, and the lengths that others will go to exploit these systems is a significant problem, it affects real people in a non-trivial manner. It also does damage to the institutions and processes associated with voting and represents an outsized potential for harm and disaffection.

What has been mostly missing from the conversation of election security, the manner and types of subversions to a process that occurs blatantly in newer media platforms and provides an opportunity to skirt the regulatory process that has held traditionally. Where the FEC has had a clear role in traditional media, it is largely absent from the modern media landscape. Twitter for example, has been abused where in the past it was not possible to broadcast outside a specific context. Now Twitter is used as an end-run with respect to traditional messaging and is ripe for abuse (okay, obviously it has been abused). Recently Twitter has come under fire for marking and removing tweets that have false or misleading information or represent messaging that affects public health. It is something, but we are a long way from the classic disclosure and attribution to sources and material supporters.

NOTE: Comments to my previous post on this topic survived, but not the original post.

JonKnowsNothing November 2, 2020 1:59 AM

@Winter @Clive @Space @All

re:
Clive: We knew what to do…

Winter: I do not think this is right.

If you grep your way through the archives here you will find very early on before COVID-19 hit Europe or the USA, a lot of us knew what to do.

see Space: STOP THE PLANES

It did not happen. What we discussed here in that time frame was also being discussed in the economic sancta sanctorum around the globe. There are a pile of references to documents in the posts.

What was clear is that nothing was going to be done because there is a very high economic rate of return on killing off 10%-40% of the population, especially in high value neoliberal run economies (those with austerity stamped on every document).

The policies are referred to as the Herd Immunity Policies and have been adopted by most of Europe, UK and USA. The original architect of the policy for Herd Die Off is Anders Tegnell.

What you have described is the particular problem that people cannot believe that their government intends to kill them, one way or another. The trains are at the station and masks are optional but you will be getting on one with a no-return ticket.

It is the nature of health care to have CARE as part of the name, and people working in that field do their very best to provide it. They will not be able to do so and it’s not by accident. It is by design. No PPE, No Food, No Stipends, No Help. All part of the program designed to force more people into situations where they will get infected and continue to infect others.

It is not natural. It is not an accident. As long as people cling to the idea that “someone is going to save us” they will avoid seeing what really is happening.

So far 1,200,000+ people have fallen under this policy.

Wave 2 is flooding Europe and the USA is Doing The Wave(1b).

Take it away, Ernie! It’s going to be a bumpy ride! (Harry Potter)

ht tps://en.wikipedia.org/wiki/Wave_(audience)
(url fractured to prevent autorun)

MarkH November 2, 2020 3:20 AM

@Clive:

What is the distinction you have in mind, between random and non-deterministic?

It seems to me that the qualifier you offered — non-deterministic to the observer — reflects a foundation stone of Shannon’s thinking.

For a cryptosystem, surely the key must be non-deterministic to every observer who doesn’t actually possess a copy of the “pad.”

How is that possible, unless the bits of the pad are chosen at random — or more precisely, chosen in such a way that the value of the nth bit is absolutely independent of all of the other bits?

===================

It seems to me that you’ve written before that a message should not be compressed before OTP encryption.

If at some time I grasped the reasoning behind that, I’ve plum forgotten it by now … would you mind explaining again?

Winter November 2, 2020 4:31 AM

@JonKnowsNothing
“If you grep your way through the archives here you will find very early on before COVID-19 hit Europe or the USA, a lot of us knew what to do.”

If you talk to the people on the ground who advised the governments, they were preparing a track and trace policy like South Korea did very effectively. That was, and still is, the best response to an prospective pandemic.

What took the CDC’s of the world by surprise was the submarine spread of the infections and the subsequent collapse of the supply chains which left everybody with insufficient supplies to do the needed testing. Even the tips to sample the patients were scarce.

Summarized, everyone was standing guard to jump on the first case, only to find out there were too many cases cropping up too fast and too few supplies to scale up the testing.

Only those who jumped in very early and could limit border crossings were able to keep the spread of SARS2 at bay. Witness South Korea and Taiwan. New Zealand was able to curb the spread with a lock-down. The rest could do little more than go full lock down and desperately scramble to increase testing capacity by several orders of magnitude (literally from hundreds of tests a day to tens of thousands a day up to a hundreds of thousands a day) in the light of collapsing supply lines.

@Jon
“What was clear is that nothing was going to be done because there is a very high economic rate of return on killing off 10%-40% of the population, especially in high value neoliberal run economies ”

I could see there is a case to make for this in the USA, but I do not see much evidence for it in the rest of the world.

Clive Robinson November 2, 2020 5:11 AM

Sancho_P,

This is something I do not understand – could you elaborate, please?

Yes, but first you have to remember is that,

“To err is human”

That is all systems are subject to human failings, even at the best of times.

Secondly you have to remember,

“The Enemy Knows The System[1]”

Is quite a bit broader than just the crypto algorithm or mode it is used in. In essence it means that the enemy knows not just about the whole communications system but the probable content of the messages as well (which gives rise to “known plaintext” as well as “Traffic Analysis” attacks).

So any compression system used will be known to the attacker. As I indicated most compression systems work on the message in a way that acts as a distinquisher. That is many compression systems have an internal structure that can be verified as correct or in-error[2]. If you look at all messages of the same length as the compressed file, by far the majority will not produce a valid output when put through decompression.

So not only have you eliminated by far the majority of messages, you’ve also broken the “OTP proof” of “all messages are equiprobable”.

Whilst this does not eliminate all methods of compression you have to find those that maintain or keep close to “equiprobable” that is do not add structure or distinquishers to the message.

But this raises the question with other cipher types including stream ciphers of “Why do people talk about using compression?”

Well it’s to do with statistics. You hear of “flatening the statistics of the plaintext” that is reducing or removing natural language or other recognisable features of the message. In essense trying to make the message unrecognisable statistically. Which does work with the right kind of compression, that is if it also acts like a form of encryption.

This was a necessary step with older cipher methods that could be attacked through various statistical methods. For instance simple substitution or transposition at the language alphabet level did not change the letter frequency statistics. Even combining them and repeating several steps of substitution and transposition did not change them as all the substitution mapings compress into a single mapping likewise the transposition mappings.

But with encryption algorithms of sufficient quality used in the right type of modes it should be unnecessary.

However using compression does alow you to change the encrypted message length, which for years was also desirable because reducing the size of a message had other benifits, not the least of which was cost, which is why the later Victorians were apparently “code book crazy”.

If you are looking to use compression appart from using one that has low artifacts in it’s output, try and find one that has variable “fractionation”[3] properties, which also provides strong “diffusion” within the message. Which is one of Claude Shannon’s primary requirments of an encryption “system”[4] along with “confusion” brought about with the mixing with the key.

Many get the incorrect assumption that diffusion and confusion” are ment to be part of the encryption algorithm which is why you get statments such as “diffusion is not a property of stream ciphers only block ciphers”. It is actually only true dependant on your definition of a stream cipher and a block cipher[5] which tends to be muddled depending on the level you look at them and if they fractionate or not causing diffusion.

So with a true stream cipher that does not cause diffusion, the preprocess of compression if propperly done does cause diffusion in the message. Leaving the confusion to the mixing process.

The way most OTP’s in pencil and paper form are used they are actually block ciphers where the block is the size of the message underlying alphabet, unless the alphabet size is changed (as in Number OTP’s not Letter OTP’s). Whilst this does add some limited diffusion it’s weak, but the nature of the key stream being non determanistic so overwhelms this with the strongest of confusion it makes little difference.

But if you are going to use OTP systems, I’d give the advice that you use it “Only as super-encryption” that is you actually encrypt the message with a good encryption algorithm and mode before you push it into the OTP. For two reasons,

1, It will significantly limit the damage done if due to error you get OTP “key-reuse”.

2, It will flatten the statistics rather better than most compression algorithms.

Thus you avoid not just the “to err is human” failing but weak fractionation that Project VENONA[6] used over four decades to reveal Soviet Spys etc.

But importantly this way you can use compression to change the message length prior to the use of the good encryption algorithm. The point being you have seperated the changing of the message length and message statistics flattening, thus can optomise them seperately, as well as change them easily when required.

[1] Is actually a quote from Claude Shannon, which restates Auguste Kerckhoff’s second principle of cipher systems,

“It should not require secrecy, and it should not be a problem if it falls into enemy hands;”

In a broader setting than just the cipher part of the overall system in use.

[2] If you look at how many compression software systems work, the output file has a structure, which is in part input file (message) specific. That is a dynamic dictionary is built as part of it. This structure is recognisable in the output file. Such structure will not be visable in by far the majority of possible message texts of that length.

[3] https://en.m.wikipedia.org/wiki/Transposition_cipher#Fractionation

[4] https://en.m.wikipedia.org/wiki/Confusion_and_diffusion#Theory

[5] The misunderstanding exists because of loose definitions, for instance the mixing function in a “stream cipher” can be by either “bit based addition mod two” (bit level XOR) or by a larger block such as a byte or word thus “block addition mod block size” (such as byte or word addition without carry). They are both “seen as stream ciphers” due to their similarities but they are not which can be seen by how the mixing function behaves. Whilst the bit addition by XOR does not cause diffusion as it does not carry across bits, the byte or word addition does as the carry process can cause all bits in the block to carry into the bits above it, thus it “fractionates”.

[6] https://en.m.wikipedia.org/wiki/Venona_project#Decryption

Clive Robinson November 2, 2020 5:28 AM

@ xcv,

Similar to the motor nerves that control human speech, as well as the sympathetic and parasympathetic nerves that connect the human brain to the human heart,

Err no.

Even humans have a “digestive brain” even though it is much reduced. It is that which controls of our digestive processes. It is done by a nervous system that does not take input from the brain but the digestive system. It does however output to what we call the brain in various ways, which is why you get thoughts of being hungry or thirsty. Some researchers are looking into if some “eating disorders” arise there rather than in what we call the brain.

It appears that at some point in the very distant past what became cephalopods took a different evolutionary approach to what became amongst many other creatures primates.

Clive Robinson November 2, 2020 5:41 AM

@ SpaceLifeForm,

As, to the “equiprobable” issue:
There must be a signature otherwise any random garbage can be decrypted to better smelling random garbage. So, maybe need to append some random garbage.

The important thing is to stop the signature becoming a distinquisher.

One solution is to modify the signature in a way that makes it “equiprobable” as well.

One way to do this is to add a secret IV to the start of the message hash process that goes into the signature. Then random fill the rest of the available space to fill the input to the ECC signing process.

I hope that helps.

Clive Robinson November 2, 2020 6:19 AM

@ MarkH,

What is the distinction you have in mind, between random and non-deterministic?

Truly Random has no bounds, non determanistic is a subset of that with some bounds.

The bounds are important as if they are not mitigated the statistics of the message start to leak through.

It seems to me that the qualifier you offered — non-deterministic to the observer — reflects a foundation stone of Shannon’s thinking.

It does, but you have to read Claude Shannon’s paper in the right frame of mind. Then you will realise he was fully cognizant of the bounds issue, but chose for what ever reason not to highlight it in an obvious way.

One such bound is “run-length” in theory a,truely random bit generator has no constraint on how many bits in thr same state it puts out. So as you can see if it puts out a hundred zero bits in succession that will alow one hundred bits of plaintext to be seen in the ciphettext. Back when Shannon wrote his paper the ITU teletype alphabet was five bits wide, thus 19 or 20 charecters of plain text would be seen by an observer of the ciphertext.

The correct way to deal with this problem is complex, because the usual recommended process of “discard bit from the generator” which if done naively could result very occasionaly in a very regular or “repeating key” pattern in the key stream which is almost as bad.

When it comes to the generation of KeyMat for OTP’s there are a very great number of things you have to check for and they are often in conflict with each other. Poor keystream generation is at the end of the day the equivalent of “key-resuse” which we know is a rather big “no no”.

When you think about it “key-reuse” issues sets a bound that means you can only have a finite number of OTP’s… The problem thus becomes detecting duplicate key streams.

Which is why quite a few people look on using CS-PRBG’s as more sensible than True Random Bit Generators.

Winter November 2, 2020 7:38 AM

Deep Fakes: The makers of South park come to the rescue:
Trey Parker and Matt Stone, best known for their cartoon South Park, have created a new comedy deepfake series called Sassy Justice.
https://www.theregister.com/2020/11/02/in_brief_ai/

Whatever you might think of the humor of this new series, it will forcefully drive home to everyone how unreliable online videos are.

This was always my conviction. People will simply learn to mistrust unsupported anonymous photographs or video.

JonKnowsNothing November 2, 2020 9:41 AM

@Winter @Clive @MarkH @All

re: “surprise about the spread”

No, the global health organizations were well aware of pandemic complications. They ran numerous simulations. It was no surprise.

The economic departments of global governments were also running the calculations. It was no surprise there either.

There is a significant difference between:
  * Health Care oriented aspects
  * Economic oriented aspects

re: “overwhelmed by the case load”

Case load is intended to flood the system. It is designed into Herd Immunity Policy.

re: “no evidence of economic value”

If you are unable to find Anders original emails between his colleagues which were published in Europe, then you can try the Great Barrington Declaration for illumination.

My small calculations under the Bank of Mom and Dad are derived from specific economic statements regarding Herd Immunity Policy. They are only a small dot on the subject. The big dogs have big iron and run much bigger numbers. Anders Tegnell explains much of this in his emails.

I quite understand that it is hard to accept that money plays a huge part in the outcomes of the pandemic.

An early days exchange when the death rate was 50,000 Global.
[@Clive @MarkH circa April 2020]

this pandemic is likely to kill more than a million people (possibly many millions)

@Clive Rather sooner than many might think or hope…

We have achieved the 1,000,000+ deaths as discussed.

The economic view exchanges circa 03 27 2020
[@Clive @MarkH @Jordan Brown @JonKnowsNothing]

@Jordan Brown: If we have a choice between losing 100,000 people and losing a trillion dollars of wealth, what’s the right answer?

@Clive: As it’s the wrong question the answer realy does not matter.

The reason the question is wrong is you have an assumption in there which is,
losing a trillion dollars of wealth

Fiscal wealth is not real wealth, these days it’s just ones and zeros…
Thus the real question you should be asking is,

If we have a choice between losing 100,000 people and losing a 200 million hours of production, what’s the right answer?

At the end of the day, on what we accept and what we deny:
    You pays your money and you takes your chances

ht tps://en.wiktionary.org/wiki/you_pays_your_money_and_you_takes_your_chances
(url fractured to prevent autorun)

JonKnowsNothing November 2, 2020 9:52 AM

@SpaceLifeForm @All

re:
NAT Slipstreaming allows an attacker to remotely access any TCP/UDP service bound to a victim machine, bypassing the victim’s NAT/firewall (arbitrary firewall pinhole control), just by the victim visiting a website.

Maybe this is how AIVD watched SVR.

Maybe this is how Turkey watched while the Saudi’s dismembered Jamal Khashoggi …

FA November 2, 2020 10:28 AM

@Clive

Plaintext = [data + signiture]

Where “+” implies a cancatonation or other linking process in some way.

If this is the case then it breaks the OTP “equiprobable” rule because it provides a method of distinguishing a valid message from many many other invalid messages.

I don’t buy this. There is no rule that says that the input to OTP encryption must not have redundancy.

Let’s take an extreme example: a 1-bit message and a 256-bit signature.
For both possible values of the message there is a valid signature, and a valid encryption given any 257-bit OTP.

Assuming Eve knows the structure, she knows that the message is just one bit.
That’s all. She has no information regarding the value of that bit.

Same for compression before encryption, even if the compressed data has a very strongly structured header.

Winter November 2, 2020 11:00 AM

@Jon
“No, the global health organizations were well aware of pandemic complications. They ran numerous simulations. It was no surprise.”

I personally know people working in public health over here. They do know all these conspiracy theories. Nothing you write makes any sense to them. They were totally run over by the virus.

Whatever theoretical models were available, they could not predict the course of COVID-19 as the details of this virus became only known during early 2020. Information from China was sparse and only partially trusted. Furthermore, if your models predict the end of the world, you want to double-check the results.

JonKnowsNothing November 2, 2020 11:44 AM

@Winter

re:

“No, the global health organizations were well aware of pandemic complications. They ran numerous simulations. It was no surprise.”

I personally know people working in public health over here. They do know all these conspiracy theories. Nothing you write makes any sense to them. They were totally run over by the virus.

I will only address one of these comments.

WHO ran several pandemic evaluation scenario projections. They do this regularly. In one of the more recent test cycles the results were restricted in distribution.

Anders and CO got copies. If you are in Health Care and not Economics you would not be on the CC list. I am sorry your friends were not on the distribution list.

That however has nothing to do with the economics involved. There are 1,000,000+ dead. That’s a lot of housing to be reallocated. That’s a lot of lost paychecks. That’s a lot of pensions no longer to be paid. That’s a lot orphans and a lot of graveyards and a lot money flowing into the Pharmaceutical Industry.

Money like this does not grow on trees…

Disaster Capitalism: “Never let a good pandemic go to waste.”

Winter November 2, 2020 12:24 PM

@Jon
“That however has nothing to do with the economics involved.”

I simply do not understand the rationale behind your conspiracies.

Continental European countries all installed lockdowns to reduce the death rates. Most, e.g., Spain, Italy, France, enforced rather draconian lockdowns. Essentially, halting their economies for months.

Why would they do that if they were planning to kill 10% and more of their population?

Also, all of these countries have universal health care insurance and they installed monumental support packages for the poor which also does not make sense if the plan was to take the money of the sick and deceased. This even holds for the UK.

Your conspiracies do not make sense in the European situation. I cannot speak for other continents, or eg, Canada, but for what I know, your theories do not make sense there either.

Winter November 2, 2020 12:32 PM

@Jon
“Money like this does not grow on trees…”

Indeed, money is printed paper, and currently, it is numbers in a ledger. And to get more money, you need to print more notes, or add numbers to the ledger.

There are some consequences of changing the numbers, but these consequences are less straightforward than is generally admitted. And we see the evidence every day, but we do not want to acknowledge it.

I thought the 2008 financial crisis had amply proven that to rob the people in a global scale, you do not have to physically harm them, or even do anything to them. But it seems this lesson did not stick.

JonKnowsNothing November 2, 2020 1:27 PM

@Winter

re: Your conspiracies do not make sense in the European situation.

It is pretty clear you have not even bothered to look up M. Tegnell’s emails as reported in the EU and elsewhere. There are even earlier documents from M. Anders that explain the entire sorry mess.

You ought not to blame me for the mess that was created by Sweden and M. Tegnell. Nor for the lures of neoliberal economics as enacted by politicians on the advice of folks like Dominic Cummings (every country as at least one).

I am not responsible for the 1,000,000 global deaths. I am not responsible for the 80% of elderly who die in “civilized countries” like Sweden and USA. I am not responsible for the deaths of thousands of BAME persons who die because of their ethnicity and discrimination. I am not responsible for the the deaths of those who die from neglect or poverty. I am not responsible for the millions now impoverished in perpetuity to pay the piper.

I am also not responsible for you or anyone else if they do not wish to take appropriate actions to save their own lives or those of their families, friends and loved ones and even OMG strangers.

“We’re in for a whole lot of hurt. It’s not a good situation. All the stars are aligned in the wrong place as you go into the fall and winter season, with people congregating at home indoors. You could not possibly be positioned more poorly.” Dr. Anthony Fauci 10 31 2020

ht tps://www.washingtonpost.com/politics/fauci-covid-winter-forecast/2020/10/31/e3970eb0-1b8b-11eb-bb35-2dcfdab0a345_story.html

note: contains links to Scott Atlas Herd Immunity Policy comments, Great Barrington Declaration on Herd Immunity Policy.

And some more bones for you…

ht tps://www.newsweek.com/sweden-emails-anders-tegnell-johan-giesecke-herd-immunity-coronavirus-1524847
ht tps://www.expressen.se/nyheter/qs/interna-radslaget-om-flockimmunitet/
ht tps://www.telegraph.co.uk/news/2020/08/13/swedens-chief-epidemiologist-wanted-keep-schools-open-spread/
ht tps://emanuelkarlsten.se/tegnell-mejlen-sa-fick-flockimmuniteten-faste-hos-folkhalsomyndigheten/

note: there are more to be found …As Anders Tegnell said: “might be worth it?”…
(url fractured to prevent autorun)

MarkH November 2, 2020 2:24 PM

@Clive:

I share FA’s reasoning.

If the plaintext has a known structure — or even more strongly, some of the plaintext is known — then part of the pad can of course be inferred.

But how does that help an adversary?

Clive Robinson November 2, 2020 2:53 PM

@ FA,

I don’t buy this. There is no rule that says that the input to OTP encryption must not have redundancy.

I never said their was, to remove redundancy is to remove information capacity which is generally kind of self defeating.

However there are occasions when it is done, and for good reason, that is for a specific set of advantages, such as for “error checking / correction” and similar.

So if you look at a simple case of a checksum, the,

Message = [data + Checksum]

form a unique pair[1].

Change either the data or the checksum in any way, and the unique pairing created by the checksum algorithm is not just broken it is easily detectable as such. Which is the purpose of digital signitures when you think about it.

So if I get given all the possible messages for a given message length how many are going to fall into having that unique pairing and how many are not?

Have a think on it, and the implications.

[1] This assumes that the “data” is of a size that does not cause a check sum overflow, which is usually the case with modern hash functions used in digital signatures.

vas pup November 2, 2020 3:13 PM

@Clive and @Winter

Thank you for your input on COVID.

Unfortunately, my detailed response to your inputs on election was deleted by Moderator.

You know, in former CCCP, they claim yes, we do have censorship by Government, but in West countries you do have freedom of speech, but all newspapers, TV, radio are private, and you do have your freedom of speech, but you do not have opportunity to realize it because OWNER of the media impose their own censorship if they just does not share your point of view.

That become kind of relaxed with Internet, FB, other social media, blogging.

I guess that Government should establish clear criteria what kind of posts should be banned by Law by all media platforms (e.g. child pornography), but for all other issues 230 should stay, but who really cares?

I hope that least this post is not going to die or deleted and simultaneously passed to Big Brother (bitter joke!)

FA November 2, 2020 3:30 PM

@clive

So if I get given all the possible messages for a given message length how many are going to fall into having that unique pairing and how many are not?

Assume the data is d bits and the checksum is c bits, and that Eve knows d and c and how the checksum is computed. That still reveals nothing about the data, as all 2^d values for the data are compatible with the encoded message she intercepts.

If you think otherwise, please explain.

vas pup November 2, 2020 3:34 PM

Algorithm spots ‘Covid cough’ inaudible to humans
https://www.bbc.com/news/technology-54780460

“An algorithm developed in the US has correctly identified people with Covid-19 only by the sound of their coughs.
In tests, it achieved a 98.5% success rate among people who had received an official positive coronavirus test result, rising to 100% in those who had no other symptoms.
The researchers would need regulatory approval to develop it into an app.
==>They said the crucial difference in the sound of an asymptomatic-Covid-patient cough could not be heard by human ears.

=>The artificial-intelligence (AI) algorithm was built at the Massachusetts Institute of Technology (MIT) lab.

MIT scientist Brian Subirana, who co-authored the paper, published in the IEEE Journal of Engineering in Medicine and Biology, said: “The way you produce sound changes when you have Covid, even if you’re asymptomatic.”

“Practical use cases could be for daily screening of students, workers and public, as schools, jobs, and transport reopen, or for pool testing to quickly alert of outbreaks in groups,” the report says.

Several organizations, including Cambridge University, Carnegie Mellon University and UK health start-up Novoic, have been working on similar projects.

Artificial-intelligence expert Calum Chace described the algorithm as “a classic piece of AI”.
“It’s the same principle as feeding a machine a lot of X-rays so it learns to detect cancer,” he said.
==>”It’s an example of AI being helpful.
“And, for once, I don’t see a lot of downside in this.”

JonKnowsNothing November 2, 2020 3:39 PM

@vas pup @all

I noticed the “your post is being moderated” message but being use to “game forum” censors I really didn’t pay attention, although I learned from previous experience to keep a copy of everything important before pressing the Big Go button. Lots of forums are buggy and things vanish into The Great Bit Bucket in the Sky regularly.

I admit I thought the delay was due to testing that Space was doing with the input factors. Well, I’m not sure I understand what he was doing as I expect some of the intermediate messages got zapped as part of the testing.

If not that, then I’m not that clever to understand the hints. The video games I play have come a long way from Fog Of War Maps and Dink til you Figure it Out. They have labels on everything of importance: bears, buildings, baddies. They have radar maps showing locations of hostiles. They have a variety of markers to direct your attention to important stuff. You get a Cold-Warm-Hot indicator when you are near an objective. Hints pop up on the screen in case you didn’t notice the 15ft high troll about to whomp you and stealth warnings abound for those pesky back-stabbers with long knockdown durations.

Maybe there’s flood of gold spammers spamming the LFF-Raid channels….

vas pup November 2, 2020 3:57 PM

Kanye West, Kim Kardashian and her dad: Should we make holograms of the dead?
https://www.bbc.com/news/entertainment-arts-54753214

“Getting a hologram of a lost loved one might not be on your birthday wish list.
Nor was it on reality star Kim Kardashian West’s before she was surprised by husband Kanye West with a “hologram” of her late father Robert for her 40th celebrations.
But in tweets that have since gone viral, she called it “the most thoughtful gift of a lifetime”.

==>The talking hologram, which appears as a video, has remarkable visual detail and a pretty well-matched voice. But many people have been unnerved by how the hologram had been scripted by Kanye.

At one point, the hologram says: “You married the most, most, most, most, most genius man in the whole world, Kanye West.”

For Per Axbom, a digital ethicist, this poses serious concerns =>for the rights of individuals after they die.
“Even if a person gives their consent to being used as a hologram, is it even possible for this to be an informed =>consent?” he asks. “If yes, that would mean that they also give their consent to that same hologram expressing phrases or sentiments that are not part of their belief or value system.

“More than a hologram, they become a puppet. Dangerously, by extension they can become a puppet that can not be discerned from their real self.

===> It will matter who is given control of that puppet.”
Kardashian West’s reaction to the hologram seemed to be
positive – but
!!!!!the same technology that can restore a loved one to digital life can also be used to manipulate footage of those still living, such as politicians, which can lead to powerful disinformation.

====>Deepfake technology like that used here on Robert Kardashian’s face has also been used to manipulate footage of world leaders ahead of the US election, as well as to fake nude images of more than 100,000 women.

You do not need to be in the public eye to be deepfaked or hologrammed – but it helps.

David Ripert, founder of augmented reality firm Poplar Studio, thinks the hologram was achieved using a projection known as Pepper’s Ghost along with an actor in front of a green screen. AI deepfake is then used to overlay the face onto the body.

====>”You can 3D render from a photograph, but it’s not as realistic,” he says. “If you want to train a model with the father’s face you need a lot of footage. Five hundred to 1,000 photos or assets are needed to train a machine. It helps if you have been on television or filmed a lot.”
!!!!!But you only need a few words of audio. “It’s speech synthesis. You only need a few words to train the machine.”

Guys, this is amazing!!!

vas pup November 2, 2020 4:04 PM

Edward Snowden seeks Russian citizenship for sake of future child
https://www.dw.com/en/edward-snowden-seeks-russian-citizenship-for-sake-of-future-child/a-55475880

“Edward Snowden, the US whistleblower who is living in exile after leaking NSA files in 2013, says he and his wife are applying for Russian citizenship. The two US nationals want to avoid separation from their child.

Former US security contractor Edward Snowden said on Monday that he and his wife wanted to apply for Russian citizenship without giving up their US citizenship.

He said it was to avoid becoming potentially separated from their future son if borders were to be closed as they have been during the coronavirus pandemic.

“After years of separation from our parents, my wife and I have no desire to be separated from our son. That’s why, in this era of pandemics and closed borders, we’re applying for dual US-Russian citizenship,” he said in a tweet on Monday.

Snowden’s lawyer, Anatoly Kucherena, has said the child, due in December, will have Russian citizenship and that the parents want to have the same citizenship as their son.

Russian citizenship laws were relaxed earlier this year to allow foreigners to have dual citizenship. Snowden has already received permanent residency in Russia, his lawyer said last month.

Snowden said last year he would be willing to go back to the US for trial if it was guaranteed to be fair.

In another tweet on Monday, he also said he and his wife would raise “our son with all the values of the America we love, including the freedom to speak his mind.”

=>In August, US President Donald Trump said he was considering a pardon for Snowden.”

Two good videos inside as usual!

Thunderbird November 2, 2020 4:09 PM

I wonder if you’d agree with this, Clive: “if no system mistakes occur (e.g., pad reuse, predictable-unrandom pad, mistaken transmission of plaintext) there is no benefit to an attacker knowing the structure of the plaintext for a message.” I thought that for perfect secrecy you had to have an equal probability of each encrypted message.

MarkH November 2, 2020 4:47 PM

@Clive, FA, Thunderbird, SpaceLifeForm:

The noteworthy property of OTP (when done correctly!):

Every possible plaintext not longer than the ciphertext is an equally probable decryption.

If the attacker doesn’t have any part of the pad, then the ciphertext offers absolutely no basis on which to assign one hypothetical decryption as being more probable than another.

[Note: Presumably, intelligible plaintexts are expected in preference to pure gibberish, so there may be some a priori basis for estimating relative probabilities of decryptions. But the ciphertext itself adds absolutely zero knowledge to enhance such probability estimates.]

I don’t see how any structure, compression algorithm, or known partial plaintext can alter that.

If I’m missing something about this, I welcome enlightenment!

Sancho_P November 2, 2020 5:04 PM

@SpaceLifeForm

”My OTP … is deterministic …”
I think that’s a no go if it means someone “in the know” can re-create it at any time they want.

One of the two not solved issues with OTP is reuse of keymat, on both sides, the sender and recipient: The keymat doesn’t automagically vanish after first (just one) use (1).

Your “determanistic” process MUST be single shot, not repeatable, lost after a couple of minutes – nearly impossible in our digital world.

But I think @Clive had a good example: Using a crookle search and a clever search term the results would change within a couple of minutes.
There are issues and limits, but it should give you an idea to start with.

”There must be a signature otherwise …”
No, on the contrary (deniability), and if it’s a known to the adversary it acts like a repeated known plaintext part. You would avoid that.
The key and successful decryption are the proof, more isn’t possible. Signatures can be faked as well.

Oh, and plain text means plain text, not .docx (= kind a signature).
Weakness remains weakness.

(1) This leads to the second not solved /solvable issue: The keyman.
If you create your keymat and send it over to the recipient there are at least two copies of the key(s, e.g. when you think of an OTP-DVD and apply @Clive’s pointer solution). The problem isn’t the transport but the DVD itself with all your keymat, being both, evidence and compromising all communication, from past and into future, after “they” have raided the sender’s or recipient’s home.

Sancho_P November 2, 2020 5:08 PM

@Clive Robinson

Understood, thank you, I’m back on track 🙂
“This is not a valid xyz archive” would be a horrible deal breaker.
Well, in the end each and every system must be breakable, otherwise the recipient could never understand the message.
– “How close is the enemy?”, that’s the question.

Sancho_P November 2, 2020 5:11 PM

@MarkH

But structure + compression algorithm + known partial plaintext are already three nails to the coffin.
From the OTP-DVD it would be easy to brute force the part that decrypts a known signature.

Clive Robinson November 2, 2020 5:11 PM

@ MarkH, FA,

But how does that help an adversary?

Firstly you need to ask who your “adverary” is. So you need to consider what a very well resourced Level III could do.

In theory with properly designed and operated systems the answer is nothing even with known plaintext.

But as I’ve said,

“To err is human”

The major failing of OTP’s that you get told about is “operator error” giving rise to “keystream reuse”. Less often mentioned is the system design around the OTP is a compleate screwup.

How you take advantage of these “err’s” as an adversary is rather boringly mundane. But can be very worthwhile which is what the four decades of Project VENONA by the NSA and GCHQ was all about.

So in the case of suspected keystream reuse or failure in KeyMat production you compare OTP ciphertexts to strip off the keystream. You are looking for a way to distinguish when the key-streams are not just the same but also aligned. This is usually done by looking at the statistics of the result.

Thus you need to design your system such that it does not produce changes in the statistics or other distinguishers.

But there are other problems unless the plaintext into the OTP’s is “recognisable” in some way you can end up with a lot of probables. In the case of Project VENONA they had to deal with how the Soviet OTP System changed the alphabet size, which acted like a low grade cipher.

So as I indicated you should not compress but encrypt to flatten the statistics. Depending on the quality of the encryption algoritm and how you implement it, this obviously significantly increases the “probables”. If done right –which it rarely is– you would have too little statistical information thus the number of the probables increases to the point where they become unmanageable unless there is some kind of easy to use distinquisher which is what a checksum or digital signiture is.

The simplest way to avoid this checksum problem is to do the OTP encryption and then do a checksum or hash[1] of the ciphertext not the plaintext.

Anyway as I’ve said go and have a think on this as your questions suggest you’ve not had reason to before.

Think especially in the terms of what a National Sig Int agency etc can bring to focus on any “operator errors” that can reveal “design errors”.

There are many reasons why OTP’s are not practical or safe to use and few people ever discuss them such as the issues involving KeyMat generation. Frequently those that do the KeyMat side of things are given “instructions to follow” and are never told the reason why the instructions are what they are. Hence things become a “witches brew of incantations” and other “dark arts” and “ju ju magic”. Similar on the operator side and those who write about OTP’s. Hence the usage of OTP’s get an undeserved aurora of invulnerability they realy do not deserve and just about any programmer thinks at some point they can design an invulnerable crypto system around them…

[1] Whilst a hash is fine it’s actually unwise to sign it as that ties it to a PKI cert, which if known by the adversary is effectively pointing a gun at your head. If you must use signitures then you need some way to make them unusable to anyone but the intended recipient and only identifiable to single messages Thus the use of a secret message specific IV into the hash or similar and random padding to fill the rest of the signature input.

Clive Robinson November 2, 2020 5:16 PM

@ FA,

That still reveals nothing about the data, as all 2^d values for the data are compatible with the encoded message she intercepts.

Did you proof read that?

MarkH November 2, 2020 5:17 PM

@Sancho_P:

My stated predicate is no access to the pad.

If an attacker has access to the long pad, and the only question is hunting for the offset, then the message is at great risk of decryption anyway, regardless

Clive Robinson November 2, 2020 5:29 PM

@ Sancho_P,

crookle

That’s a word I would expect few outside the UK Midlands would know.

For those that do not it referes to bending something, not in a smooth way but more like a “dog leg”.

Sancho_P November 2, 2020 5:52 PM

@MarkH

The risk you are talking of requires to know or understand when the decryption was successful.
Searching the OTP-DVD makes only sense when you know the result are e.g. valid English words or whatever.

This is the reason I disliked TrueCrypt (and didn’t check the successor), it told you right away your key is wrong.
Automated decryption must not give any hint re success or fail, it has to encrypt, that’s it.
Evaluation is the next step, it’s human.

Clive Robinson November 2, 2020 6:29 PM

@ Thunderbird,

“if no system mistakes occur…

Yes, but whilst “if” is a small word it has big implications…

As has become clear over the years on this blog nearly every one has heard of OTP’s and “Perfect Secrecy” but from then on in their knowledge gets patchy.

So whilst quite a few know about,

1, The KeyMat has to be as big as the message.

2, The KeyMat must never be reused.

You should ask have they thought about the implications of the points when it comes to generating KeyMat?

In most cases probably not. So they are probably compleatly unaware of why bounds need to be put on “truly random” to reduce not just information leakage, but inadvertant in KeyMat key-reuse. Oh and have thet thought further that the bounds mean that the amount of KeyMat that can be generated is also bounded thus finite (which has major implications in large scale networks).

But how about a simpler question, how many are aware that in the common use of paper and pad OTP’s the mixing function is “addative over a small block of bits” not as is often taught a bitwise XOR?

Even if they are, are they aware of how this effects “diffusion”?

Probably not, so when using the mixing function as a building block in a system will they evaluate it correctly?

The list goes “on and on” and each time I mention one the response is in effect “but… Perfect Secrecy”.

It’s why I hardly ever use the term prefering to state the actuall security proof which is “all messages of the same length are equiprobable”.

That way you can see that an OTP with a very short message of say just two characters, the probability is the last one is a Carriage Return(CR) or Line Feed(LF) and is very likely to be preceded by a Y or N or single digit number or one of the first few letters of the alphabet (ie menu system selection). Which reveals a part of the KeyMat, which if imperfectly generated alows for the possibility of attack by an adversary. Thus if it’s used with a fixed format the adverary knows the plaintext for… So an OTP system realy should not be used with interactive systems such as a computer terminal, where known plaintext abounds, nor the likes of Word Processer files where upto the first 4k can be “known plaintext” similarly other common file formats. Just having “probable KeyMat” of such length makes attacking systems where key-reuse happens due to poor KeyMat generation or poor system design, oh so much easier…

Bob Morris senior, on retiring from his job at the NSA gave an open speach, in which he warned about known plaintex… Something people who design systems realy realy should keep in their head.

The big problem is not designing an OTP system, but due to the fragility of the OTP designing a system that remains secure in the face of a multitude of potential failure modes, and very very few can do that, even when they know what the failure modes are (ie prevention of key-reuse due to poor KeyMan).

name.withheld.for.obvious.reasons November 2, 2020 9:02 PM

@ Clive, SpaceLifeForm, JonKnowNothing, and those interested in U.S. power struggle (coup d’etat)

Posted to a previous discussion, a related topical area, and it is long.

https://www.schneier.com/blog/archives/2020/10/covid-19-and-acedia.html/#comment-357953

THE PLAN LOOKS LIKE ITS ABOUT TO GEL…
This is the analysis, a rebuke to the AG’s theoretical BS. But now we have Barrett and Barr on Board with this BS. Along with Five of the Justices, Pompeo, De Vos, I do not think there is one cabinet member outside of Esper and the Director at CIA. And in the house, 250 members scored a 100% on the Ralph Reed’s organization. Nearly all of the senate, NOTICE HOW Mitt Romney is allowed to be outside, he’s a Morman. There is a full house being held by the current power structure, but the hand being held by the cabal is a royal straight flush.

The sycophants are willing to carry water, and the lies, of D. Trump is because the ends justifies the means. This is a minimum amount of resistance, and very little in strategic planning or coordination. I fear a sneak attack is imminent but do not know the form or character. Trump is no longer necessary in the scheme of things, his usefulness has been exhausted. And I am not Trying to be hyperbolic here, but, the pieces are more than just coming together. A video of the Biden campaign bus being wrangled by 100 other vehicles on a highway in Texas seems to be a close approximation.

https://www.schneier.com/blog/archives/2020/10/covid-19-and-acedia.html/#comment-357953

convenienceoverip November 2, 2020 11:12 PM

@spacelifeform

Slipstream targets protocols using control channel + data channel, FTP, VoIP, SIP and other applications using multiple ports. I think I remember some signals guys chuckling about this technique.
Disabling Application Level Gateways (ALG) in your router is one inconvenient short term fix, disabling WebRTC doesn’t prevent the attack, but limits the technique.
Isolating critical systems from vulnerable systems that are used for email, web browsing IRC, VoIP etc. would lower risk.

There are some growing arguments for shipping routers, modems & IoT devices with secure configuration rather than convenience, like this quote:
“If businesses don’t take appropriate action soon to mitigate risks, regulators and governments will,”

SpaceLifeForm November 3, 2020 12:25 AM

@ name

It is over. Putin knows this. He finally figured that out.

The others have not.

Building yet another wall (non-climbable they say) around the Whitehouse.

Hell, trump can not climb over a couch.

We will throw him Big Macs over the fence.

On Jan 20, 2021, the cleanup in aisle 45 starts. Or sooner.

Winter November 3, 2020 12:41 AM

@Jon
“I am not responsible for the 1,000,000 global deaths. ”

This does not make any sense.

And I know about the ideas of M. Tegnell, which were rather inconsequential. Sweden’s policies were shaped by the fact that the government has NO legal tools to force a lockdown, none. However, most Swedes have followed the advice of the government to keep a distance. This, and the less than cozy cuddly Swedish culture helped to reduce the spread of COVID.

All in all, your COVID conspiracies make no sense. You failed to heed the immortal advice of Hanlon’s razor
“never attribute to malice that which is adequately explained by stupidity”

You as an American should know better than everyone else that politicians, and their voters, can be afflicted by this scourge of humanity.

See also “The Basic Laws of Human Stupidity” by Carlo M. Cipolla

(Cipolla’s theory has been tested in an interesting agent based simulation:
https://hal.archives-ouvertes.fr/hal-01085988/document
)

SpaceLifeForm November 3, 2020 12:42 AM

@ ALL

It’s not RT-PCR, but it is an interesting diagnostic indicator.

Especially when there are so many asymptomatic carriers.

hXXps://www.sciencealert.com/ai-cough-analysis-could-detect-covid-19-even-if-you-re-asymptomatic

MIT Team’s Cough Detector Identifies 97% of COVID-19 Cases Even in Asymptomatic People

SpaceLifeForm November 3, 2020 1:19 AM

@ Winter, ALL

“never attribute to malice that which is adequately explained by stupidity”

I’ve heard this excuse used for too many decades.

Here’s my version:

Always attribute to malice that which stupidity can be used as a cover story.

Winter November 3, 2020 1:21 AM

@Space
“MIT Team’s Cough Detector Identifies 97% of COVID-19 Cases Even in Asymptomatic People”

Interesting and encouraging results. I cannot find how they selected the test subjects. Ideally, they recruited subjects that were to be tested for COVID before they were tested, i.e., prospective testing.

If they recruited retrospectively, there is a huge risk of a bias in the COVID positive vs negative subjects. Such a bias in the training data could make deep learning (AI) systems useless.

As usual, wait for the peer-reviewed paper.

Winter November 3, 2020 1:28 AM

@Space
“Always attribute to malice that which stupidity can be used as a cover story.”

If the current crop in power were that smart, they would not be in the bind they are in now.

Furthermore, I cannot remember a single politician that intentionally tried to appear stupid while in power. But maybe you can help out here?

Clive Robinson November 3, 2020 2:21 AM

@ Winter, SpaceLifeForm,

If the current crop in power were that smart, they would not be in the bind they are in now.

Those you see are puppets in a limited life beauty pageant…

It’s those that pull the financial strings that need to be smart, and part of being smart is knowing when to discard rotting meat just as it starts to smell, but before it creates too much of a stink. Thus by the time the rankness is overcoming to the average citizen, those who pull those financial strings have fresh meat hanging on the hook to dangle in front of the citizenry…

That is the smart power behind the throne is virtually unknown even to the politico’s it uses cut outs we call lobbyists that work for think tanks and trade associations so they don’t know where the orders comefrom either.

Back when Cambridge Analytica were doing their thing, it appears they funneled US sourced money through Russian cut outs to certain self deluding thugs in the UK.

The hidden power behind the throne is well practiced in the arts of not just hiding but deceiving as well, and the craft was old before Machiavelli was a twinkle in his fathers eye.

Interestingly their grasp on technology and techniques appears to remain well in advance of the puppets that dance on the line.

So yes, malice will hide behind stupidity by a couple of steps, and take care not to be seen.

As I’ve said once before if you want to see some of the more senior cut outs have a look at who goes to Davos each year and hide behind The World Economic Forum (cancelled for 2021 due to COVID). It’s there they put out “groundbait” for politicos.

Winter November 3, 2020 3:06 AM

@Clive
“As I’ve said once before if you want to see some of the more senior cut outs have a look at who goes to Davos each year and hide behind The World Economic Forum (cancelled for 2021 due to COVID). It’s there they put out “groundbait” for politicos.”

It would seem to me that if there are such puppet masters, they would not show up at Davos. Conspirators and plotters are well able to meet in private. Davos and Bilderberg are simply exponents of the human desire to go to conventions to meet like-minded people.

But this discussion between Space and me was about Space’s insistence that the response to COVID was a conspiracy to decimate the population:

What was clear is that nothing was going to be done because there is a very high economic rate of return on killing off 10%-40% of the population, especially in high value neoliberal run economies

I keep saying that the policies that were installed in most countries, e.g., Europe, East Asia, belie that conspiracy theory.

Also, the knowledge of COVID epidemiology and biology developed in ways that explain the initial response in most countries. And yes, I did kept taps on the developments in the scientific community.

FA November 3, 2020 4:06 AM

@clive

That still reveals nothing about the data, as all 2^d values for the data are compatible with the encoded message she intercepts.

Did you proof read that?

I did.

Eve intercepts M = (D + C) * OTP (with D = data, C = checksum, + means concatenation and * means XOR)

Assuming some particular value for D, she can compute the d bits of the OTP used to encrypt D. She can also compute C and find the c bits of the OTP used to encrypt C. She can do this for all 2^d possible values of D.

Now please explain what, according to you reasoning, this reveals about D.

Of course if the OTP is not really an OTP (i.e. not generated by a non-deterministic process) this may reveal something about the generator. Any redundancy in the plaintext would do that.

Clive Robinson November 3, 2020 4:34 AM

@ FA,

Now please explain what, according to you reasoning, this reveals about D.

It tells Eve if the plaintext (Dn+Cn) (where n denotes bit length) is valid or not thus acts as a distinquisher to 1/(2^Cn), therby eliminating 1-(1/(2^Cn)) of the potential equiprobable plaintexts of length Dn.

That is what you would expect of a hash that does not have collisions with messages of length Dn.

FA November 3, 2020 4:50 AM

@clive

It tells Eve if the plaintext (Dn+Cn) (where n denotes bit length) is valid or not thus acts as a distinquisher to 1/(2^Cn), therby eliminating 1-(1/(2^Cn)) of the potential equiprobable plaintexts of length Dn.

I’m trying to grok what you mean here, but I fail.

I have already shown (I hope) that given the intercepted message M, none of the 2^d possible values of data are excluded.

The only effect I see is that instead of 2^(d + c) possible values for the OTP, there now are only 2^d. Why would that matter (for a real OTP) ?

Clive Robinson November 3, 2020 5:17 AM

@ Winter,

It would seem to me that if there are such puppet masters, they would not show up at Davos.

They do not, it’s their higher level cut outs throwing out “groundbait”[1] to lure towards the hook on the end of puppet masters line. If you are smart you see the groundbait for what it is and stear clear.

As for “winowing out the population” in the UK just about every step taken by the Government encorraged the deaths of the old and infirm. In Spain the triage indtructions in hospitals was not to put the retired on ventilation, and in some cases deliberately remove ventillation if they were on it so that the “economically viable” were prioritised.

But as was said at the very begining,

1, Close the borders.
2, Stop / limit flights.
3, Isolate symptomatic in healthcare provision.
4, Institute drive in testing remotely from healthcare.
5, Institute compulsory hard quarantine.
6, Ensure mask availability.
7, Implement track and trace.

Was their priority order for those countries that have been hardly touched by COVID. Because they understood the nature of exponential rise and the importance of clamping down early, to protect not just the economy but the citizens.

The US and UK very clearly pandered to the short term interests of the transport and hospitality industries, and only grudgingly took action after the number of cases were already compleatly out of hand.

Then, rather than implement the priorities in the sensible order they took the reverse order of least effective measures first… Abd in track and trace botched it up so many times it was a compleat comedy of errors that had no humour in it what so ever.

The evidence so far is stacking up against your position, and I sadly suspect it will continue to do so, as I’ve indicated the current education policy is to turn children into granny killers. Not exactly a humane thing to do for the elderly who will die in a horible way, or for the children who later in life will realise their inadvertent guilt, thus develop a hate and loathing for the neo-con behaviours that turned them into “child soldiers” of a sick economic war.

[1] Not sure what your native language equivalent of “groundbait” is. But it’s the equivalent of shark fishers “chum” for fresh water fishing. That is it is “cast upon the water” to “lure not land” the prey. In essence it pulls in the less smart prey one of which will gobble the bait on the hook and thus can be landed and dropped in the “keep net” trapped untill dispatched or set free.

Winter November 3, 2020 5:25 AM

@Clive
” In Spain the triage indtructions in hospitals was not to put the retired on ventilation, and in some cases deliberately remove ventillation if they were on it so that the “economically viable” were prioritised.”

I have seen this argument often. What people always leave out is that the chances of an older person getting out of the artificially induced coma intact is rather slim. There is a specific cruelty to putting people on an extended coma only to get back a patient in a half vegetative state.

And if a choice must be made between two patients when only 1 ventilator is available, the choice will fall on the person who has the biggest chance of surviving. And that is the younger one in most cases. The alternative would in most cases give you two dead people instead of one.

Neither of these were planned, btw.

Clive Robinson November 3, 2020 6:06 AM

@ FA,

I’m trying to grok what you mean here, but I fail.

As I’ve indicated with “to err is human” and “the eneny knows the system” the adversary has either KeyMat or Known Plaintext they can use to find KeyMat.

This assumed KeyMat is then used to try and find “key-reuse” which produces a very large number of possible plaintext messages.

Because having a copy of some or all of the KeyMat does not enable an adversary to use it.

That is the adversary has to know which section of the KeyMat is used for any given piece of ciphertext. If the users of the system have a way of hiding this behind “key indicators” that are effectively hidden (ie an index into a shared lookup table the adversary does not have) then a brut force –sliding rod– search has to be carried out by the adversary.

Which means the adversary ends up with as many probable plaintexts as there are bits in the KeyMat the adversary has.

The problem the adversary then has is finding which of the probable plaintexts they have generated is the correct message –if there is one– from amongst all those probable plaintexts the adversary has created.

There are just two ways to do this,

1, By statistical means.
2, By identifying distinquisher.

Of the two an identifying distinquisher is by far the best.

So when you design a system around an OTP you try your best to design out any distinquishers or usable statistics.

The use of most modern compression systems provide both weak distinquishers and supprisingly to some weak but more than usable statistics.

Hence you should only use an OTP as a form of super-encryption, after you have already appled a suitably strong form of statistics flattening and distinquisher removing encryption process that also has wide ranging fractionation / diffusion charecteristics across the message length.

The use of a strong distinquisher such as a checksum, hash, or signiture inside the OTP encrypted section of the communications should be strongly resisted by the designer. If there are technical reasons why this can not be done, then the distinquisher has to be strongly mitigated by a secure method unique not just to the communicating parties but at the individual message level.

Because at the end of the day two things can be said,

1, The users will “err”.
2, A Level III adversary will record all communications.

Thus it’s not just the whole system “that the enemy knows” it’s “every err that has been made” as well.

Thus the system designers job in not just to get a working OTP based system, but one secure against any and all “errs” the operators of the system might make. Which includes the theft of KeyMat and “Known Plaintext” or even “Probable Plaintext” based on related plaintext and “gardening” / “traffic analysis”[1] due to use of standard formats and the like.

[1] Many of these techniques were used to get “probable plaintext” during WWII to form “cribs” used on the bombs at Bletchly and later in the US. Two types of “gardening” are documented, one was the use of dropping mines from aircraft, such that a “standard worded” warning message would be sent on the “dockyard cipher” Which coukd be broken, this then gave a “known plaintext” message that would be sent out over the Donitz’s U-Boat Fleet Broafcast system, thus enabaling the daily four wheel Enigma key to be found. Another was to put contentious columns in news papers knowing that the embassy staff would put the column in a high level cipher back to their soverign state “word for word” in the current key used for all messages in that period…

FA November 3, 2020 7:09 AM

@clive

This assumed KeyMat is then used to try and find “key-reuse” which produces a very large number of possible plaintext messages.

So in the whole of this discussion you assume from the start that key material is being re-used, and all you are saying is that in that case the system is no longer secure.

Has it occured to you that you may not be the only one who knows this ?

What a waste of time…

rrd November 3, 2020 7:45 AM

@ FA

When someone’s ego is completely dominant, their only purpose is to give themselves a dopamine bump by projecting superiority upon others, especially if they’re already the leader of the alpha-group of the territory. What was probably once true grows less so as we age, especially if alcohol is involved (and one never knows in a forum like this).

And one must never divorce the person from the system that produced them. Taken together with the systems we hold dear, we begin to understand a great deal about them, usually without their ever realizing it.

Once the master stops learning, they stop being a master.

This is the result for all people who value knowledge over understanding. A person’s knowledge will always be superseded by the next generation, whereas a person with understanding knows that their treatment of the world around them is the only lasting legacy we can create over the course of our lives, and that treatment is always a direct result of the attitudes we choose to make our own.

The primary problem with the Earth in 2020 is that people are rarely critical of the cultures they grow up within, therefore they just blindly go along with their herd(s). That is why our world is filled with fools who fight the same old selfish battles with the same old ignorant enemies for the same old stupid, destructive reasons.

There’s an old aphorism that says that trying to convince the inertia-laden fools of the world is a waste of time; that there’s only ever hope in teaching the young how to be better, and that we’re better off just waiting for the dead wood to fall off the tree where it will be consumed by the fungi.

TL;DR: The egos of the self-superior always perceive others as their lessers, which solely determines how they treat them. Despite being objectively better, it is rare for an accomplished person to deeply grasp humility, where their remembrance of their own past ignorance gives them a kind gentleness with respect to those they have the opportunity to teach.

“Time will tell.” –Bob Marley

Clive Robinson November 3, 2020 8:49 AM

@ FA,

So in the whole of this discussion you assume from the start that key material is being re-used,

I did not assume it, I said it from the begining, which is why I found your repeated statments and questions odd. Also why I thought your statment of “as all 2^d values” was in error and that you actually ment 2^c.

Clive Robinson November 3, 2020 8:55 AM

@ rrd,

When someone’s ego is completely dominant, their only purpose is to give themselves a dopamine bump by projecting superiority upon others,

Oh dear more of your projecting your at best odd failings out into the universe.

When are you actuall going to realise your failings and take steps to address them?

rrd November 3, 2020 9:05 AM

@ Clive

At least I try to edit my posts.

“No one , no one is blinder ,, than he , who will not see.”
— U2 “I Threw a Brick Through a Window”

You said that Biden wouldn’t be any better than Trump.

Winter November 3, 2020 9:17 AM

On OTP
“So in the whole of this discussion you assume from the start that key material is being re-used,”

So, If I understand it correctly, OTP works well if, and only if, you use real random key material and every bit is only used once.

The problem being that to use OTP, you have to send the keymat securely. As the keymat is just as long as the message, you could also send the message itself. So, OTP is only useful if you can send messages (keymat) securely only intermittently.

That does not bode well for the future of OTP. I see only a single practical “use case”. That would be a slow quantum communication channel, which accumulates secure random bits at both ends. These bits can then be used as the keymat when the need arises.

Still sounds inefficient. With secure key material at both ends, you can use any one of the more stronger symmetric ciphers using ridiculously long keys (2048 bit?). And compared to OTP, using a new 2048 bit key only for every new message would even be more efficient.

JonKnowsNothing November 3, 2020 9:28 AM

@Winter

re: What people always leave out is that the chances of an older person getting out of the artificially induced coma intact is rather slim. There is a specific cruelty to putting people on an extended coma only to get back a patient in a half vegetative state.

And if a choice must be made between two patients when only 1 ventilator is available, the choice will fall on the person who has the biggest chance of surviving. And that is the younger one in most cases. The alternative would in most cases give you two dead people instead of one.

Neither of these were planned, btw.

It is planned and it is planned for. It is called TRIAGE or CRISIS CARE.

It is based on SOFA Scores and every health care professional knows it and every hospital has detailed documentation of when, how and under which directions it is to be used.

It is and was used in the USA and continues to be used regularly for COVID-19 and other conditions.

SOFA Scores are NOT reliable predictors of recovery from COVID-19.

AGE is NOT a valid criteria for COVID-19 SOFA Scores and is NOT officially permitted in the USA.

TRIAGE or CRISIS CARE documents and documentation are extremely hard for the public to find in the USA. It is well buried in the depths of least accessible public documents and the Public Health Officers make sure that any official communications uses an obfuscation in titles and text to avoid public scrutiny.

re: There is a specific cruelty to putting [older] people on an extended coma only to get back a patient in a half vegetative state.

This is both a value judgement and an economic one. Your judgement to remove care. The economic one that obscures why you think so. When your thinking has been influenced by Cost of Care / Cost of Long Term Care hidden in the SOFA Scores you will make that same error over and over.

fwiw: if you look in the archives @07-08 2020 you will find posts detailing the odds of “COVID-19 45+yo” escaping a SOFA Score Death during W1a Surge in USA.

In Short: Not Good At All.

ht tps://en.wikipedia.org/wiki/SOFA_score
note: This is a very basic description. Better find the complete text and system used in your locale. Rules vary and application conditions can differ.
(url fractured to prevent autorun)

Winter November 3, 2020 10:03 AM

“This is both a value judgement and an economic one. Your judgement to remove care.”

I remember the Catholic position on dying in extreme agony: They valued it (look up your favorite saint). The worse the agony, the better. I see this back in these discussions.

All medical treatments are value judgments. The basis of the Oath of Hippocratic Oath is “Do no harm”. That is a value judgment. Every hospital will encounter cases where keeping a patient alive is worse than letting him or her die. And every doctor knows that at the end of life, treatment can become a senseless burden.

Now for the numbers. In the early days of COVID 19, 50-90% of patients on ventilators died. The very early reports were more than 80% mortality rates. Compared to 36% mortality in non-COVID patients. That informed the triage.
hxxps://www.physiciansweekly.com/mortality-rate-of-covid-19-patients-on-ventilators/

It is even worse for the old. In May, 80% of the over 80 on ventilators died.
hxxps://www.ndtv.com/world-news/elderly-covid-19-patients-on-ventilator-support-have-less-survival-chances-report-2232523

This has become much better now, with mortality rates of COVID patients going down to non-COVID patients.

As the interviewee said:

That fact, he said, should be shared with elderly patients and their family members when trying to decide whether to use the invasive procedure to treat severe illness associated with covid-19, the disease caused by the novel coronavirus.

Also notice, patients coming back from a coma will need a very long recuperation time, roughly one month for every day in coma. Longer if older.

Now again, the question:
I have only one ventilator and two dying patients, one who has a chance of less than 20% to survive the procedure, and one who has a 65% chance of surviving. Whom should I chose? And now, fill in the ages.

Winter November 3, 2020 10:15 AM

@JonKnowsNothing
“It is based on SOFA Scores and every health care professional knows it and every hospital has detailed documentation of when, how and under which directions it is to be used.”

US hospitals seem to dump patients in a wheel chair at a bus stop wearing only a hospital gown, in winter. Forced unsafe discharges, patient dumping, are really a thing in the USA. So I do not see what a discussion about SOFA score or COVID triaging could reveal that is worse?

JonKnowsNothing November 3, 2020 10:44 AM

@Winter

re:“It is based on SOFA Scores and every health care professional knows it and every hospital has detailed documentation of when, how and under which directions it is to be used.”

US hospitals seem to dump patients in a wheel chair at a bus stop wearing only a hospital gown, in winter. Forced unsafe discharges, patient dumping, are really a thing in the USA. So I do not see what a discussion about SOFA score or COVID triaging could reveal that is worse?

USA healthcare is based on MONEY. If you have MONEY you get healthcare. If you Do Not have MONEY you do not get Health Care.

What is worse: Being dumped or SOFA-TRIAGED?

  * Being dumped at a bus stop in a hospital gown means you are still alive at the time of dump off.

  * Being TRIAGED means you are dead and residing in a graveyard.

I do have to commend your sense of humor.

I do not think Anders Tegnell considers himself to be Stupid or Inconsequential.

  * MD
  * specializing in infectious disease
  * current state epidemiologist of Sweden
  * key roles in the Swedish response to the 2009 swine flu pandemic
  * key roles in the Swedish response to the COVID-19 pandemic.
  * 1990 treated the first patient in Sweden with a viral hemorrhagic fever, believed to be a case to be either the Ebola or the Marburg virus disease
  * worked for the WHO in Laos to create vaccination programs
  * worked as a national expert for the European Commission to prepare at the EU level for public health threats such as anthrax, smallpox and other infectious diseases
  * Member of the Royal Swedish Academy of War Sciences. His inaugural lecture was on the effect of pandemics on society.

The list is extensive.

ht tps://en.wikipedia.org/wiki/Anders_Tegnell
note: a minimal description.
(url fractured to prevent autorun)

Winter November 3, 2020 11:03 AM

@Jon
“I do not think Anders Tegnell considers himself to be Stupid or Inconsequential.”

Given that the whole of Europe is in lockdown again, I still do not see why his past opinion matters. Except for the Republicans in the US, or some of them, there is no one embracing the virus for herd immunity.

@Jon
“USA healthcare is based on MONEY.”

Yes, we all agree US healthcare is a dysfunctional and utter mess. By design, I would add (see Sicko by Michael Moore). What is new. So, do something about it. The world is full of examples of better systems. Choose one.

lurker November 3, 2020 11:33 AM

Context matters: first Tuesday in November, afternoon, work comes to a stop in the SW Pacific for the running of a horse race. In times of Covid the jockeys urged their mounts around the 2 mile Melbourne Cup course to empty stands, no cheering punters, no on-course bookies…

Clive Robinson November 3, 2020 12:41 PM

@ Winter,

So, If I understand it correctly, OTP works well if, and only if, you use real random key material and every bit is only used once.

Not quite “real random” has to be constrained or bounded otherwise there is the possibility of plaintext leakage, but also inadvertent key-reuse, the probability of which gets worse the more you constrain the KeyMat (so cursed if you do, damned if you don’t).

But there is a more subtle problem, which is as a cipher it offers only Shannon Confusion, not Shannon Diffusion, which makes the OTP system brittle / fragile.

Thus appart from generating real pencil and paper One Time Pads for the likes of emergancy re-keying after the loss of KeyMat for other cipher systems or for giving super-encryption, it does not have any real practical use.

But worse the KeyMan from generation of the KeyMat, auditing, transportation, storage and disposal due to the vast quantity of KeyMat involved is just a nightmare.

As our host @Bruce noted not long after a NIST Crypto Competition, we need to move on to dealing with Key Managment because it’s an area that is very neglected not just in academia but in the Open Information arena (as anyone doing a depth or breadth search will find).

Our current solution to KeyMan by PKI is to put it mildly “a disaster area that has happened”, with people talking about certs being 8k bits or more to be secure, that’s way longer than a half dozen consecutive SMS messages or original tweets.

Compared to OTP KeyMan PKI would appear to be a positive delight…

Yes there are niche uses for OTP’s but you realy want to avoid them if and where ever you can.

And before you ask yes I do talk about using them as an example of a secure pencil and paper cipher, that can be moderately easy to use. But it is more as an example for the purposes of explanation rather than use some mainly non existant secure electronic token (with all the EmSec issues on top). That is people rather more intuatively understand the risks involved with pencil and paper than some electronic gizmo.

If you look back far enough in this blog you will find discussions between @Nick P and myself about not just “chaining ciphers” but also hybrid ciphers. In there was a discussion of taking a block cipher “mixer function” using Fiestel type rounds and replacing the key schedual functions that generate the rounds keys with either a shift register feed from a “stream generator” or via several stream generators each one for a subset of the rounds.

The point is the rounds provide the Shannon Diffusion along with some Shannon Confusion.

lurker November 3, 2020 1:07 PM

@Clive, Winter, All: somebody eventually heard @Space.. Stop The Planes!
Pilots retraining for large agricultural machines are reported to understand and adhere to technical and safety protocols, and have excellent spatial awareness of objects around their machine, but not so good at reversing, a skill not required for planes in the air or on the ground.

https://www.rnz.co.nz/national/programmes/countrylife/audio/2018770654/from-the-cockpit-to-the-tractor-cab

MarkH November 3, 2020 1:45 PM

Re “OTP”:

The reality check has cleared … this discussion went full Monty Python.

For those confused about the meaning of “One Time” in the expression “One Time Pad,” it means that a key (or part thereof) is used for not more than one message.

Any key re-use, by definition, is absolutely and unambiguously outside the universe of OTP.

To discuss key re-use in OTP is as meaningful as discussion of fish bicycles, or the best algorithm to factor prime numbers …

In principle, I suppose, one could invest some time in exploring the security implications of NTP (n-Time Pad) encryption.

But I can save our dear readers this effort:

Never use NTP

JonKnowsNothing November 3, 2020 3:46 PM

@Winter

re:
JonKnowsNothing: “I do not think Anders Tegnell considers himself to be Stupid or Inconsequential.”

Winter: Given that the whole of Europe is in lockdown again, I still do not see why his past opinion matters. Except for the Republicans in the US, or some of them, there is no one embracing the virus for herd immunity.

For every Lockdown, there will be an Open, followed by another Lockdown, followed by another Open.

Here is your future: Global Death Count

Wave 1 1,000,000 40 weeks 10 01 2020
Wave 2 2,000,000 10 weeks eta Dec-Jan 2020-2021
Wave 3 3,000,000 4 weeks eta EOM Jan 2021

Anders is extremely happy: Herd Immunity Policy is working:
  * Millions more will die.
  * Millions more houses to reallocate.
  * Millions of Pensions no longer to be paid.
  * Global Demographic Age Shift.
  * Millions of jobs open for the YOUNG.
  * Food Distribution Re-allocation
  * Reduced Human Carbon Footprint
  * Every Lockdown Protest builds another Wave.

If you are holding your breath for a vaccine you might need to hold it for a good long while. First vaccines are only expected to be 50-60% effective (aka toss a coin). Global Vaccine Distribution will be another exercise in brutality. Vaccine rollout might be 3-5 years.

Take it away, Ernie! It’s going to be a bumpy ride! (Harry Potter)

vas pup November 3, 2020 3:52 PM

@JonKnowsNothing • November 2, 2020 3:39 PM
Thank you!

The post was deleted from the last week blog and contained not so sweet assessment of US-type of exceptionalism, i.e. by examples I provided view that many other countries are exceptionally better in particular fields, but as you know,
==>do you really want the truth if in fact you can’t handle it?

I guess critics should be always constructive meaning if you criticize something, you must provide view on how it should be fixed or at least example how it is better working elsewhere.

There is no shame to learn something good from anybody even enemies. Chinese do understand this expanding it to stealing.

vas pup November 3, 2020 4:02 PM

It’s not if, but how people use social media that impacts their well-being
https://www.sciencedaily.com/releases/2020/11/201102110030.htm

“Passively scrolling through posts may not result in feelings of happiness.

New research indicates what’s important for overall happiness is how a person uses social media. Researchers took a close look at how people use three major social platforms — Facebook, Twitter and Instagram — and how that use can impact a person’s overall well-being.

Even before COVID-19 and self-isolation became standard practice, Wirtz says social media has transformed how we interact with others. Face-to-face, in-person contact is now matched or exceeded by online social interactions as the primary way people connect. While most people gain happiness from interacting with others face-to-face, Wirtz notes that some come away from using social media with a feeling of negativity — for a variety of different reasons.

===>One issue is social comparison. Participants in Wirtz’s study said the more they compared themselves to others while using social media, the less happy they felt.

“Viewing images and updates that selectively portray others positively may lead social media users to underestimate how much others actually experience negative emotions and lead people to conclude that their own life — with its mix of positive and negative feelings — is, by comparison, not as good,” he says.

Wirtz notes that viewing other people’s posts and images
==>while not interacting with them lends itself to comparison without the mood-boosting benefits that ordinarily follow social contact, undermining well-being and reducing self-esteem.
===>”Passive use, scrolling through others’ posts and updates, involves little person-to-person reciprocal interaction while providing ample opportunity for upward comparison.”

Read the whole article if interested.

vas pup November 3, 2020 4:12 PM

Trust levels in AI predicted by people’s relationship style
https://www.sciencedaily.com/releases/2020/10/201029115840.htm

“Relationship psychologists have shown that people’s trust in artificial intelligence (AI) is tied to their relationship or attachment style.

A University of Kansas interdisciplinary team led by relationship psychologist Omri Gillath has published a new paper in the journal Computers in Human Behavior showing
==>people’s trust in artificial intelligence (AI) is tied to their relationship or attachment style.

The research indicates for the first time that
===>people who are anxious about their relationships with humans tend to have less trust in AI as well.
!!!!Importantly, the research also suggests trust in artificial intelligence can be increased by reminding people of their secure relationships with other humans.”

Read the whole article for details if interested.

JonKnowsNothing November 3, 2020 4:13 PM

@Clive @All

re: Tiff over GitHub forks of a DMCA’d YouTube download tool

So, it seems that a public-domain utility, allowed the downloading of “original video content” hosted on YouTube, directly to disk (for personal use natch).

The GitHub repository for the tool (YouTube-DL) was hit with a RIAA DMCA take-down so GitHub “hid” the project. But if you know the pathing, you can fork a copy of the source into a different project and some folks have done that.

M$/GitHub is saying that IF they find these code forks, those Devs will be banned. But there is a hedge:

    If and only If it is the SAME CODE (identity).

So there are a bunch of hints on how not to get banned by changing some of the code.

Here’s the interesting part: The code area of concern is a “rolling cipher circumvention code” that decrypts the true location of the video. It may not be the decryption part itself but the samples of where things are located out in The Cloud.

The rolling cipher is used in certain circumstances to generate the URL of the actual underlying video file of a YouTube page, and may not have to be excised from Youtube-DL to stay within the bounds of the DMCA. Figuring out the address of the source video isn’t exactly circumventing an anti-piracy protection, you might argue.

All those pesky tinyURLs are not OTP secured. 🙂

note: M$ owns GitHub

ht tps://www.theregister.com/2020/11/03/github_youtubedl_deletion/
(url fractured to prevent autorun)

SpaceLifeForm November 3, 2020 4:30 PM

@ Clive, All

I really appreciate the input.

Great discussion.

More hints:

Encrypt(Sign(Encrypt(Sign(Payload))))

Apple, Pecan, Pumpkin.

Want a nibble?

SpaceLifeForm November 3, 2020 4:53 PM

@ MarkH, Clive

NTP works pretty well.

No privacy implications that I am aware of, other than you may be using NTP.

NNTP is another story.

SpaceLifeForm November 3, 2020 6:12 PM

@ Clive, ALL

There is no surprise that USPS ignored order by Judge.

There is also no surprise that Deutsche Bank and Goldman Sachs are now trying to hide their strings.

Just a flesh wound.

SpaceLifeForm November 3, 2020 7:50 PM

@ All

Because I had a write-in slot, I went with Dr. Anthony Fauci.

Also, sometimes it helps to procrastinate.

I was literally the last person to vote at my poll station.

No waiting. Got a free pen too!

JonKnowsNothing November 3, 2020 8:39 PM

@SpaceLifeForm

They are having a major flame war over on Emptywheel over the status of the US Constitution (as far as I can tell).

While they are lobbing stable residue at each other, we are having civilized discussions about the value of 1,000,000 deaths and OneTimePads.

Bring your own veggie-burgers or steaks and load up on the popcorn while we all DoomScroll through the night…

The sun will rise in the morning, I’m going to have a drink at 6:00.
That’s my faith.

  Really? A lot of people in your church, are there?

Most people. Most people are in my church.

Page Eight by David Hare

Take it away, Ernie! It’s going to be a bumpy ride! (Harry Potter)

lurker November 3, 2020 8:52 PM

@JonKnows0

For every Lockdown, there will be an Open, followed by another Lockdown, followed by another Open.

Lockdown doesn’t have to be binary: open-shut: on-off. A slow gradual opening allows the population some freedom while still maintaining some restrictions. They can see the light at the far end and hopefully some will educate themselves on the reason for Lockdown, and how to put it off longer into the future. That seems to work in small democratic countries, less so in large autocracies.

JonKnowsNothing November 3, 2020 9:43 PM

@lurker

re: Lockdown doesn’t have to be binary: open-shut: on-off. A slow gradual opening allows the population some freedom while still maintaining some restrictions.

Oh! A proponent of Herd Immunity Policy!

Any lockdown that does not take the viral load to zero AND does not have a first tier Track Track Track, Test Test Test, Trace Trace Trace, system in place AND does not provide ample support for everyone in lockdown (rich or poor or homeless or sans-official-paperwork) with food, medications, necessities and communications systems (that work), will yield a New Wave in short order.

All it takes is 1 infected person and 30-40 days later you have another Lockdown. Bungle the process and you get another Wave and another Lockdown.

(Which is one reason Victoria State was sooo POed that PM Morrison let the Kiwis loose to travel internally passing through active COVID-19 hot zones while on walkabout; since they were not on the Victoria radar trackers and they could have reset the count down clock by infecting an unknown number of persons.)

It is the constant cycling that yields the benefits to Herd Immunity Policy which as a goal is not at all interested in Saving Your Hide.

To actually Save Your Hide you need viral load at Zero (for 6-8 weeks) and then you do not need a vaccine… Oi Vey the money that would be lost to big pharma.

The countries that are at zero now don’t need masks, distancing, or vaccines. They can dance and party all night long… Their risk is a quarantine failure or sabotage (see above).

It’s not hard. 8 weeks. Nice vacation at full pay. A small dent in the economy for 2 months and then full blast on the reopen.

But… for those of us stuck in Herd Immunity Policy Countries the best we can do is hunker down and ignore the bread crumbs leading to a non-breathing-state.

name.withheld.for.obvious.reasons November 3, 2020 11:45 PM

@ What a shame
As a participant, there is some responsibility with respect to your own engagement. If challenging the veracity and usefulness of the contributions made, than do so. If not, you appear to be working from a pseudo virtue signaling position.

And if your are signaling, possibly trolling, then forget the next two paragraphs.

And has Bruce politicized this site, or, has the nature of technological applications had a broader impact and thus affected much more of society in say the last 30 years ago? Used to be nerds only had to deal with technological problems, because nerds were the only ones really using technology. When as has Bruce mentioned in several essays and books, the computer you carry in your pocket, that is also a phone, a funds transfer tool, investment platform, and where you often see your friends we are dealing with a domain consisting of humanity. So, it is no wonder that inevitably the lines between a purely hobbyist environment and a full fledge panoply of devices available and used by everyone, should completely disappear.

And if you think the government hasn’t totally coopted systems in a context well beyond security, which by the way serves the Surveillance capitalists at the same time, then what is the whole NSA budget of some 70 billion dollars a year about? How many development projects, such as a robust and secure device platform and applications for communications, might we entertain. There is a huge opportunity cost, I can guess that 50 projects of the scale of systems (applications and devices) could be done for half the NSA budget.

Question: How many planes of concern, security, and technolgy are covered in the context of this diatribe?

SpaceLifeForm November 4, 2020 12:22 AM

@ JonKnowsNothing

I’ll check later. I’m sure BMAZ is on a roll.

It’s like a AWS data dump. I know.

Winter November 4, 2020 12:39 AM

@Jon
“Any lockdown that does not take the viral load to zero AND does not have a first tier ….”

Keeping people locked up for 6+ months causes severe mental and logistic problems in itself. It does not help curbing the virus if the streets have to be full of “enforcers”. Too much force, and the people vote you out anyway.

Virus to zero does not work outside an island or North Korea. Too many people have essential travel, family and relatives across the borders. The virus reemerged in Western Europe from the Mediterranean.

What remains is keeping the number of infections to a minimum while waiting for a vaccine. At least it gives people some breathing space to be able to get out once in a white.

A 50% effective vaccine would slow down the spread already to make it more manageable. Fast tests are becoming available that are not perfect but can reduce the effective number of circulating infectious virus.

It is fun to see a big conspiracy behind every move. But the hands of elected politicians are generally tied in such grave matters. If the people want something really bad, they tend to get it. And if people want to deny COVID-19, there will be a con man to please them

SpaceLifeForm November 4, 2020 12:58 AM

@ name

Good job.

I wonder how the writer knew it was specifically four years ago?

Gee, I wonder what happened back then.

Curious November 4, 2020 1:13 AM

Local news tells of how ‘Cellebrite’ software (article refers to ‘software’) has been used by police to extract data from mobile phones, but according to the article, the software has for two years assigned wrong time of creation for various image and video files from these mobile phones. The flaw is said to only have impacted iOS mobile phones using AFPS filesystem which was introduced in 2017 according to the article. It is also pointed out that local police was informed by Cellebrite on 18. March this year about the errors for their products ‘Cellebrite Premium’ and ‘Cellebrite Physical Analyzer’.

(My) local police estimate that the software was used in 57 cases during this time period.

A neighboring country’s police forces reevaluated some 315 cases, and it is claimed by their state prosecutor that that none of those convictions was impacted by the wrong time stamps.

Anders November 4, 2020 1:32 AM

@Clive @SpaceLifeForm @ALL

Nice writeup.

scatteredsecrets.medium.com/bcrypt-password-cracking-extremely-slow-not-if-you-are-using-hundreds-of-fpgas-7ae42e3272f6

SpaceLifeForm November 4, 2020 1:48 AM

@ ALL

Mark your calendar.

Dec. 8, 2020: Deadline for Resolving Election Disputes. All state recounts and court contests over presidential election results must be completed by this date. (3 U.S.C. § 5). For the majority of states the date of certification is the same as for all contests, but in eight states there is a deadline that either directly references 3 USC §5 or uses similar language, requiring that disputes surrounding the selection of presidential electors be resolved in time to meet the “safe harbor” deadline: Indiana, Iowa, New Jersey, North Carolina, Ohio, Tennessee, Texas and Virginia. For detailed information on state post-election processes, please visit this page.

Dec. 14, 2020: Meeting of the Electors. The electors meet in each state and cast their ballots for president and vice president. Each elector votes on his or her own ballot and signs it. The ballots are immediately transmitted to various people: one copy goes to the president of the U.S. Senate (who is also the vice president of the United States); this is the copy that will be officially counted later. Other copies go to the state’s secretary of state, the National Archives and Records Administration, and the presiding judge in the district where the electors meet (this serves as a backup copy that would replace the official copy sent to the president of the Senate if it is lost or destroyed).

Dec. 23, 2020: Deadline for Receipt of Ballots. The electors’ ballots from all states must be received by the president of the Senate by this date. There is no penalty for missing this deadline.

Jan. 6, 2021: Counting of the Electoral Ballots. The U.S. Congress meets in joint session to count the electoral votes.

hXXps://www.ncsl.org/research/elections-and-campaigns/the-electoral-college.aspx

FA November 4, 2020 4:49 AM

@clive,

Not quite “real random” has to be constrained or bounded

Again I don’t buy that.

A real random generator will produce any finite-lenght key sooner or later with non-zero probability. If that happens and as a result two messages are sent with the same key, that doesn’t matter at all.

Let those two messages be M1 and M2. Assume just to fix our ideas that M1 and M2 are English text XORed with the OTP.

If Eve systematically compares all intercepted messages against each other, she will notice that M1 XOR M2 has some unusual statistics. Now these unusual statistics are to be expected anyway, and with the same probability as having a repeated OTP, for pairs of messages that do not share the same key.

In other words, unless the re-use is systematic (meaning it occurs with a probability significantly higher than by chance) there is no way to detect it.

This is really similar to having an key that results in a perfectly readable English text after encryption. If such keys are systematically excluded, that only weakens the system [1].

Now re. your remark that a pure OTP system is ‘brittle’, I do agree. It can be very unforgiving in case of operational errors, and should always be combined with some other cyrpto. That doesn’t invalidate what I wrote above.

[1] You will no doubt recall that Enigma’s feature of never encoding a character to itself was also its major flaw, and the one that allowed the efficient use of ‘cribs’.

MarkH November 4, 2020 5:48 AM

@FA:

As I understood an explanation above from Clive, the constraints he had in mind were not to protect from random key duplication (which is not worth bothering about), but rather to protect against the appearance of a “window” consisting of a long run of the same bit.

For example, imagine that by some freakish chance the key sequence has 100 0-bits in a row, and the plaintext is flat ASCII. The ciphertext will then include a run 7 or 8 characters “in the clear.”

Because of the equal-probability property of OTP, the ciphertext would have a very high density of letter codes, so runs of a few letters are expected rather frequently.

If by bad luck the run of letters leaking through the window formed a very distinctive pattern — for example, a proper name or part thereof — then the probability of that occurring randomly is quite a lot smaller, and an adversary could reason that it was more likely to be an actual plaintext name, than a name which appeared randomly in the ciphertext.

This “plaintext leak” might be useful to an adversary. Note that because cryptanalysis is impossible for a random keystream that is not reused, the leak would reveal nothing about the rest of the plaintext.

If four characters were presumed to be the smallest window worth worrying about, on average one or two such windows would be expected per 4 gigabytes of raw random key material (if my sleepy head is doing math correctly).

To avoid such potential leaks, a simple filter could look for long runs, and edit them out.

FA November 4, 2020 6:34 AM

@MarkH

If by bad luck the run of letters leaking through the window formed a very distinctive pattern — for example, a proper name or part thereof — then the probability of that occurring randomly is quite a lot smaller, and an adversary could reason that it was more likely to be an actual plaintext name, than a name which appeared randomly in the ciphertext.

Unless there is a-priori knowledge that the OTP generator is defective and has a excessive probability of generating a string of zeros of a given lenght (or any other particular sequence), no competent adversary would reason like that. They would be deluding themselves and know it.

If you intercept enough messages, the sequence ‘MARK’ or any other sequency of four characters will occur sooner or later. Assuming a real random OTP generator, the probability of this happening is independent of how often the same string occurs in the plaintext. So if it happens that means nothing. It is not a leak.

Winter November 4, 2020 7:08 AM

@FA
“If you intercept enough messages, the sequence ‘MARK’ or any other sequence of four characters will occur sooner or later.”

I think that the reasoning goes like this:
The frequency of long strings of 0 (or 1) is p, the frequency of readable/meaningful plain text fragments in a random string is r > p.

We expect to find meaningful fragments at rate r, but do find it at rate r+p. Thus we can extract information from the ciphertext.

Not sure how much ciphertext is needed for that to extract useful information. But say we take “MARK” in ASCII = 28 bits. The probability of 28 times 0 and MARK are both 1 in 2^28 is ~ 1 in 256 million. The calculation of the increase in occurrences of MARK in the cipher stream due to the random occurrences of 28 0’s as a function of the frequency of the word MARK in the messages is left as an exercise for the reader.

FA November 4, 2020 7:10 AM

@ MarkH

Re. previous message.

Another way to see why removing runs of zeros is wrong is to take it to the limit.

With an OTP using XOR, on average half of the ciphertext bits are identical to the plaintext bits. So half of the plaintext is leaked. So we must not have zero bits in the OTP.

FA November 4, 2020 7:45 AM

@Mark,

We expect to find meaningful fragments at rate r, but do find it at rate r+p

No, assuming a random OTP (allowing any string of zeros) you will find r.
That value already includes the all-zeros case.

Now if you don’t allow the all-zero case, you will find r-p. And that is a leak (no matter how small).

Clive Robinson November 4, 2020 8:27 AM

@ FA,

A real random generator will produce any finite-lenght key sooner or later with non-zero probability.

I’m guessing you’ve never designed, built, tested, certified or maintained a “real random generator”…

If that happens and as a result two messages are sent with the same key, that doesn’t matter at all.

So you think “key-reuse” is OK?

Again I will ask,

“Did you proof read that?”

rrd November 4, 2020 8:46 AM

@ FA et al (re: OTP)

How do multi-bit functions for combining chunks of message and OTP compare to XOR?

Winter November 4, 2020 9:05 AM

@FA
“No, assuming a random OTP (allowing any string of zeros) you will find r.
That value already includes the all-zeros case.”

I think you are right. The OTP keystring that encodes to MARK is 28*0 is the message is MARK. I had forgotten that.

FA November 4, 2020 10:14 AM

I’m guessing you’ve never designed, built, tested, certified or maintained a “real random generator”…

That is irrelevant to this discussion, and you know it.

So you think “key-reuse” is OK?

If the re-use is just the consequence of there being only a finite number of keys of any lenght, and the keys are random, yes.

In fact you can’t avoid it. Consider this:

I send a message consisting of 10^6 bytes, encrypted with an equally long OTP. Assume the OTP was generated by whatever method you would approve.

Same thing, formulated differently: instead of sending that single message, I divide it into 10^6 messages of one byte each, and encrypt those by using the corresponding byte from the OTP. Since there are only 256 byte values, I am now massively re-using keys.

What is the difference ?

no.name November 4, 2020 12:34 PM

SpaceLifeForm: “No waiting. Got a free pen too!”

Are you talking about a biro or a sharpie?

Clive Robinson November 4, 2020 1:05 PM

@ FA,

What is the difference ?

About the same as one combination lock with 10^6 wheels and 10^6 locks of one wheel each.

As for,

That is irrelevant to this discussion, and you know it.

Actually no it is highly relevant and yes I do no it, which you apparently do not.

I suggest you contemplate what happens when things go wrong with TRBG’s, how you recognize the fact they have gone wrong and how, and what you do about it.

As a designer of systems you have to live in the real world where things always go wrong at some point and what you do to mitigate thst practical reality.

Clive Robinson November 4, 2020 1:40 PM

@ Winter,

The OTP keystring that encodes to MARK is 28*0 is the message is MARK.

Actually it’s not 4x7bits as with ASCII many of the bit’s are effectively redundant.

Also people tend to use 8N1 ASCII these days so if you are just looking at bits that would be 32bits.

You actually only need 4bits per character in a string of characters to work out what the string probably is, if it’s in English or some other recognizable language. And you know which bits they are due to ASCII’s strong structure.

FA November 4, 2020 1:52 PM

About the same as one combination lock with 10^6 wheels and 10^6 locks of one wheel each.

Care to explain that, instead of providing an invalid analogy ?

I suggest you contemplate what happens when things go wrong with TRBG’s, how you recognize the fact they have gone wrong and how, and what you do about it.
As a designer of systems you have to live in the real world where things always go wrong at some point and what you do to mitigate thst practical reality.

Once again you are diverting the discussion by adding assumptions (imperfect implementation, human errors, etc.) that were explicitly not part of the original context.

MarkH November 4, 2020 2:11 PM

@Clive et al:

Terminology matters.

If somebody deliberately reuses OTP key material, then by definition it is not OTP any longer.

It’s also necessary to distinguish between a True random number generator — an ideal which can only be approximated by any realizable system — and a Hardware random number generator, which is intended to come close to true random number generation.

For practical purposes, we can call a high-quality hardware generator a TRNG … when it’s working correctly. But when it’s malfunctioning, it is not a TRNG any longer!

And because OTP requires that the keystream have maximal entropy, if the hardware RNG is broken, then by definition the system is not OTP any longer.

If I were using a hardware RNG for a critical security application, I would maintain continuous monitoring of the quality of its output. An additional precaution would be to combine the outputs of two or three such units: even if one had a gross failure, the net output would remain unpredictable.

===========================

As Clive observed, there are very very rare cases in which it might make sense to use OTP. When the proposed solution is, “let’s use OTP!” then you can be almost certain that the problem was not understood correctly.

But if for some weird reason somebody is relying on OTP, and ensures that keystream generation is done correctly (with nearly one bit of entropy per keystream bit), then the probability that a long sequence of new keystream bits happens to match some previous keystream sequence is too low to be of any use to an attacker.

===========================

When I was young and had a full head of hair, I worked on a product which incorporated a stepper switch (the baby brother of the Strowger switches which used to form the heart of automatic telephone exchanges).

It occurred to me whimsically that in principle, one could drive some load via the stepper switch shaft, and thereby obtain a perfectly awful motor:

• minimal torque
• massive cogging
• extremely high cost
• short lifetime
• loud acoustic noise
• prone to RFI/EMI generation

It struck me funny as a pessimal (as opposed to optimal) engineering solution.

Using OTP to maintain message confidentiality perhaps makes more sense than my hypothetical motor … but not by much.

My all-time favorite man page — for library function strtok() — had under the Bugs heading, “Never use this function.”

Clive Robinson November 4, 2020 2:45 PM

@ rrd, ALL,

How do multi-bit functions for combining chunks of message and OTP compare to XOR?

I’ve already answered this, but I will say it again.

The mixing function can work on just one bit (XOR) or many bit blocks / “chunks” (ADD etc) the important question is what happens when you change an input bit? how many output bits change?

For both Shannon Diffusion and Shannon Confusion you would like on average half the bits in the output to change for just one bit of change at the input.

In a true OTP where you XOR on a single bit there is no Shannon Diffusion into other bits, and Shannon Confusion is limited to a single bit. This is true even when you XOR a byte, word or larger block / chunk. Because the XOR function is a “bitwide or logical operator”. If however you use say ADD whilst the least significant bit is still XOR, subsequent bits have the overflow from previous bits affecting them as “carry” these are known as “bytewide or arithmetic operators”. Which can provide both Shannon Diffusion and Shannon Confusion.

So you would need to analyze the mixing function on a case by case basis. For instance if you multiply (MUL) rather than use addition (ADD) the least significan bit is actually the AND function not the XOR function.

These least significant bit oddities of XOR for ADD and AND for MUL, were taught to you in primary school with the rules for working with even(E) and odd(O) numbers,

E+E=E, E+O=O, O+E=O, O+O=E

EE=E, EO=O, OE=O, OO=O

If you draw these up as logical truth tables you will see they corespond to XOR and AND respectively.

The same rules actually apply to all bits in the results if they have not had a “carry in”[1]. But looking only at the output without either input you can only get some “probable” information from the least significan bits of the MUL as the AND function is unbalanced in it’s output thus leaks some information about it’s inputs –both odd,– that might or might not be useful in cryptanalysis.

[1] If you doubt this then go and look up the logic diagrams for hardware Adders and Multipliers. A search on “ALU” or “bit slice processor” with “diagram” usually pulls up the required information,

https://en.m.wikipedia.org/wiki/File:Binary_multi1.jpg

Shows the four AND gate array used for bit multiplying followed by two full adders to get the required four bit result. You can see from this that the LSBit C0 is just a single AND gate and the full adders use XOR gates for output and AND for carry.

Clive Robinson November 4, 2020 2:58 PM

@ FA,

Once again you are diverting the discussion by adding assumptions (imperfect implementation, human errors, etc.) that were explicitly not part of the original context.

I realy do not know what is going on in your head, but your statment is clearly incorrect.

I made it fairly clear I was talking about “practical” issurs with “to err is human” and by mentioning Project VENONA.

But as @SpaceLifeForm was “proposing a system to use” and “asking for comments” do you think he was going to only be interested in “theory only” replies about potential weaknesses?

Clive Robinson November 4, 2020 3:16 PM

@ MarkH,

For practical purposes, we can call a high-quality hardware generator a TRNG … when it’s working correctly. But when it’s malfunctioning, it is not a TRNG any longer!

Hmm not sure how many people would agree with you.

Look at it this way,

You are driving in your car and it stalls and stops and you can not start it. When you call the AutoClub to get a repair man, do you say “can you come and fix my car” or do you say “can you fix my mechanical contrivance that nolonger functions”.

Likrwise does your pocket radio cease to be a pocket radio when it has a dead battery in it?

A TRBG is still a TRBG irrespective of if it is working or not, it is upto the user to decide if it is functioning or not hence people say “My XXXX is working” or “My XXXX is not working”, or “My XXXX is broken”…

That is the name of something rarely changes if it’s usage state changes.

FA November 4, 2020 3:42 PM

@clive

I realy do not know what is going on in your head, but your statment is clearly incorrect.

The context in which I formulated the question (about the two ways of looking at the 10^6 byte message) was clearly a purely theoretical one. I even made that very clear by referring to a ‘perfect’ way to generate the OTP.

So you could just have confirmed that there is indeed no difference between the two cases. Which could lead to an interesting discussion of what exactly is meant by ‘re-using a key’, knowing that every finite lenght key will eventually be repeated.

But instead, again you just tried to show off.

JonKnowsNothing November 4, 2020 4:29 PM

@All

re:
  * Confirmed Mink to Human COVID-19 transmission
  * Confirmed new COVID-19 Mink2Human Antibody Resistant strain.

It’s a bad day in Denmark…

Today the PM of Denmark announced that 100% of all Mink Farms would be culled due to serious outbreaks of COVID-19 in the farms.

  * A New Strain of COVID-19 has been confirmed (no strain name given)
  * The New Strain is derived from Mink-COVID-19
  * The New Strain of Mink-COVID-19 is Antibody Resistant
  * There are confirmed 12 Mink to Human COVID-19 infections
  * There are 5 confirmed humans cases of the New Mink-C19-Antibody-Resistant variant

  * Projected Economic loss to Denmark: ~€350M-€400M
  * 15-17MILL mink to be culled. Culling has been in process since @min Oct 2020.
  * Army, police, and national emergency services will accelerate the cull.
  * 783 C19 positive in Northern Denmark (Jutland). 50%+/- on Mink Farms
  (note: this is the normal COVID-19 for Denmark)

The international reports of the outbreak in Denmark indicated everything was “under control” until “Update 5 on the COVID-19 situation in mink in Denmark 10 16 2020” filed by Danish Veterinary and Food Administration. In Update 5 they indicated they will start culling mink.

The previous report (Update 4) from Sept 29 2020 had indicated they were still implementing new bio-security controls at the infected farms (July 20 2020).

Update 5:

“The significant increase in infected farms and the derived risk for the public health has proven that these initiatives have not been enough”

Update 5 made no direct mention of the new mutated strain.

Lawrence November 4, 2020 5:57 PM

@ALL

New Zealand Police digital armoury

NZ Police recently released, and then sought to have deleted, a brief report of the digital tools they have acquired or are interested in. Phone breaking, facial recognition, aerial and CCTV surveillance and other tools with brands such as Clearview AI, Cellebrite, Brief Cam, NewX. Interestingly there is mention of the body cams “but a directive was given to pause any further work on this”

Much of the tecnology is used in other countries so may not be new however, as the police have being going about this business under the radar, some concerns are being raised.

As might be expected privacy considerations are minimal.

The originating news item is here: ht tps://www.rnz.co.nz/news/national/429896/audit-reveals-new-tech-tools-in-police-s-digital-armoury The page contains links to the stocktake document and other potentially interesting stuff including a police document on privacy aspects plus critiques of police actions.

bub November 4, 2020 9:13 PM

Configuration Snafu Exposes Passwords For Two Million Marijuana Growers

hxxps://www.linkedin.com/pulse/cannabis-growing-community-site-exposes-34-million-user-diachenko/

Cannabis growing community site exposes 3.4 million user records and passwords
Published on November 3, 2020 | Volodymyr “Bob” Diachenko

Passwords, posts, and other data about 1.4 million users exposed without any protection.

GrowDiaries, a community website where cannabis growers can journal and share updates about their plants, has exposed more than 3.4 million user records on the web without a password.

I discovered the unprotected database on October 10, 2020. It consisted of about 1.4 million records with email addresses and IP addresses, plus 2 million records containing user posts and hashed account passwords. The passwords were hashed using MD5, a deprecated algorithm that an attacker could easily crack to access passwords in plain-text.

The IP addresses span a range of provinces and countries, in some of which marijuana is not legal.

GrowDiaries acknowledged the incident but did not respond to my request for comment as of time of writing.

Timeline of the exposure

GrowDiaries exposed two identical unsecured Kibana instances. Here’s what I know happened:

September 22, 2020: The database was indexed by search engine BinaryEdge
October 10, 2020: I discovered the database and immediately alerted GrowDiaries.
October 12, 2020: GrowDiaries responded to me asking for additional details.
October 15, 2020: The data was secured.

I do not know if any other third parties accessed the data while it was exposed, but it seems likely.
What data was exposed?

The database included two large indexes of user data.

The first, called “users”, consisted of 1,427,347 records containing:

Email address
IP address
Username

The second, called “reports”, included about two million records:

User posts including grow updates and questions and answers
MD5-hashed account password
Image URLs
Post timestamps
Email address
Username

The passwords are of particular concern. They were hashed (encrypted) with MD5, a deprecated algorithm with a number of known security flaws. If an attacker managed to access the data, they could easily crack the passwords.

No payment data was exposed.
Dangers of exposed data

Users of GrowDiaries could be at risk of a number of possible attacks and threats from this exposure.

The passwords, once cracked, could be used in credential stuffing attacks on users’ other accounts. Attackers will use an automated bot to try the same email and password combinations on other sites and apps. To avoid credential stuffing attacks, always use a unique password for every account.

Many users appear to be from locations where growing and using marijuana is not legal. They could face legal repercussions or possibly extortion if their growing activities come to light.

Lastly, GrowDiaries users should be on the lookout for targeted phishing attacks. Watch out for emails and messages from scammers posing as GrowDiaries or a related company. Never click on links or attachments in unsolicited emails and always verify the sender’s identity before responding.
About GrowDiaries.com

US-based GrowDiaries lets users track their cannabis growing progress and share updates with fellow users. Users can compare their grow to other users and previous cycles, get advice from fellow cultivators, and win prizes. A diary can include photos, text, and a variety of factors that go into cannabis cultivation. Typically, users post updates about their plants about once per week.

Although we aren’t certain how many users GrowDiaries has, it seems likely that all users were affected by this data incident. The GrowDiaries website claims that starting a diary is “100% anonymous and secure,” but this incident certainly suggests otherwise.

As far as I know, GrowDiaries has not been involved in any previous data incidents.

https://www.zdnet.com/article/configuration-snafu-exposes-passwords-for-two-million-marijuana-growers/

Clive Robinson November 4, 2020 10:31 PM

@ FA,

But instead, again you just tried to show off.

You ask a question, I give a brief reply with an answer that does not fit your agenda, so you accuse me of “showing off”.
How asinine.

I guess now most can see what is going on in your head.

JG4 November 4, 2020 11:30 PM

@the usual suspects – Thanks for the helpful discussion.

https://www.nakedcapitalism.com/2020/11/links-11-4-2020.html

Big Brother Is Watching You Watch

Police Will Pilot a Program To Live-Stream Amazon Ring Cameras Electronic Frontier Foundation

A Nameless Hiker and the Case the Internet Can’t Crack Wired (Chuck L)

The Tech Antitrust Problem No One Is Talking About: US Broadband Providers ars technica

Norwegians Got Paid To Use Electricity As Prices Fall Below Zero OilPrice

Clive Robinson November 4, 2020 11:44 PM

@ SpaceLifeForm,

No waiting. Got a free pen too!

I hope that was all you got…

https://m.youtube.com/watch?v=Z27M-ekXlbI

@ JonKnowsNothing,

There are 5 confirmed humans cases of the New Mink-C19-Antibody-Resistant variant.

I guess a new variety of zoonotic infection was to be expected at some point. Likewise that a new strain would eventually be antibody resistant.

As @SpaceLifeForm observed at the time, it appeared the Chinese were potentially culling all cats and dogs, in that none were visable in any photographs or video clips from Wu Han.

I’m assuming that it’s American mink of the genus “Neovison vison”? that are getting the “cull and burn” finding. Which were originally imported into Europe back around a century ago to supply the fur trade. Which has repeatedly escaped and can now be found wild around the world in the northern hemisphere “forrest belt”.

The American mink is part of the larger weasle/polecat family “Mustelidae”[1] that includes badgers and otters and is going to provide quite a large disease reservoir, if it gets into them.

So I can understand the desire to “Cull & burn” much like the UK did with it’s unsuccessful initial control of “foot and mouth” very nearly exactly two decades ago[2]. It eventually led to such stringent controls that it makes the “lockdown” England and Wales have just entered look a little tame in comparison.

Nobody knows what the actual economic cost was at the time but it would be something like the equivalent of 1000USD per citizen in modern terms, and has probably added a 10-15% cost to food production costs that would get passed onto the consumer of all farmed products not just meat animals.

The big lesson from the UK 2001 Foot and Mouth, was demonstrated to be correct in the 2007, when a second outbreak was stopped in it’s tracks by fast response and strong lockdown measures. Showing that is the only way to go when vacination is unavailable.

It’s why I keep saying the UK and US were well aware of what sort of response SARS-CoV-2 required, but for political reasons of lobbying from short term interests the political leaders looked the other way, and again we have absolutly no idea what the economic and social costs will be.

But one thing is clear those short term lobbyists from the travel and entertainment sector shot themselves in the foot big style. The pandemic they created has turned into repeated lockdowns that has cost them many many times over what a one off fast response lockdown for a month would have cost them. Sadly though these repeated lockdowns are now destroying not just the UK and US economies but society’s as well.

[1] https://en.m.wikipedia.org/wiki/Mustelidae

[2] https://www.bbc.co.uk/news/magazine-35581830

MarkH November 5, 2020 12:21 AM

@Clive:

“the name of something rarely changes if it’s usage state changes”

Agreed — though I would say “functional” rather than “usage” — in ordinary conversation … but it depends on context.

When a fleet dispatcher asks “how many trucks (lorries to you) have we in Pittsburgh?” she doesn’t want to know how many truck-looking things that may say “truck” on them are present: she’s asking how many of them are ready for dispatch.

The U.S. military has an attitude (the fruits, I’m sure, of much bitter experience) of skepticism: presented with a gadget that looks like an avionic radar set, with a nameplate and part number that declares it to be a radar set, the default position is “that is no radar until you show us that it’s functional.”

Cryptographic systems are defined in terms of formalisms. Where the schema calls for a random bit generator, it must be a system actually outputting random bits. A broken box spitting out all 1-bits is not an RBG, regardless of what is silkscreened on its front panel.

The design of an implemented system must take account of inevitable faults. I proposed two such techniques in my previous comment.

The attempt to make guidelines which might preserve some shreds of security when OTP is fundamentally abused is heroic, but misguided.

Asking “how do we preserve OTP when keys are reused, or non-random?” is like asking “what’s the safest place to stand near an unshielded nuclear reactor?” or “how best to land your jet when all flight controls have failed?”

It’s many orders of magnitude better to prevent such situations, than to devise mitigations.

JonKnowsNothing November 5, 2020 1:15 AM

@Clive @All

afaik all the farmed minks are Neovison vison.

Interesting side notes:

A research paper indicated that Minks are more susceptible to COVID-19 than Ferrets. Both are in the same family of mustelids. Ferrets are used in labs as their lungs respond more like human lungs. It is not known why Minks get COVID-19 easier than Ferrets.

It may have to do with the number of ACE2 receptors in the lungs. There are more ACE2 receptors in lungs than other parts of the body. The amount varies by species and maybe by individuals.

Other veterinary reports indicate a mix of observations. In most reports the first indication of a COVID-19 outbreak in a mink farm is increased mortality in the minks. In some reports it is reported there is only a 5% mortality from COVID-19. In more recent reports there were indications that the mortality rate was near 100% for older minks (breeding stock) and near NIL for young minks (under 2 years). A situation that mirrors the current human mortality distribution.

Mink farms in general have added regular COVID-19 testing on a daily/weekly basis on their minks. Like with human tests, getting Positive doesn’t help much as it means the minks are already sick. It’s only a matter of degree and disease progression before things go pear shaped.

Official Veterinary Reports that reference wild or escaped mink either indicate that the animals are found dead or that they have been captured-killed-disposed of.

A pre-print research paper found that there are 2 COVID-19 mutations that specifically affect mink but do not affect humans.

There are some animal diseases that the only method we have of dealing with them are kill-destroy. ASFV outbreaks continue causing a global pandemic with no end in sight. The only positive news on ASFV is that there is a push on for finding a vaccine. The economic and famine aspects are getting to be noticeable.

Anthrax is still about.

The spores of anthrax are able to survive in harsh conditions for decades or even centuries. Such spores can be found on all continents, including Antarctica. Disturbed grave sites of infected animals have been known to cause infection after 70 years

Before the advent of anthrax vaccines and antibiotics there were only 2 states of infection: Dead and Dying. It still kills about 2,000 people annually.

ht tps://en.wikipedia.org/wiki/Anthrax
(url fractured to prevent autorun)

Winter November 5, 2020 1:16 AM

@Clive
“But one thing is clear those short term lobbyists from the travel and entertainment sector shot themselves in the foot big style. ”

Straight out of a disaster movie. Wasn’t that the plot behind Jaws?

@Clive
“It’s why I keep saying the UK and US were well aware of what sort of response …”

It is: “Every populist leader”
Be it Bolsenaro or Putin, Trump or Johnson. It is something in the blood of populists to never say anything that might upset their voters.

JonKnowsNothing November 5, 2020 1:29 AM

@MarkH @Clive

re:
Clive: “the name of something rarely changes if it’s usage state changes”

MarkH …regardless of what is silkscreened on its front panel.

We used a strong fluid cleaner to wipe the old silkscreen name off the box. Then we stenciled on a new one…

MarkH November 5, 2020 2:46 AM

@JonKnowsNothing:

The military equipment I worked on in the 70s was made with extraordinarily robust materials, including paints and markings. I would have been scared to handle a solvent capable of removing that stuff …

Clive Robinson November 5, 2020 4:21 AM

@ MarkH, JonKnowsNothing,

I would have been scared to handle a solvent capable of removing that stuff …

As it’s the 5th of Nov…

I won’t mention the name of the solvent[1] but it’s in regular use in some areas of the electronics industry, does not carry a gas mask symbol or fumes warning other than “Disolves all plastics and organics” and in the explosion warning “Explodes on contact with plastics and organics”.

Technically it disolves sand, glass, asbestos and similar releasing the oxygen from them that it then “high order” combines with…

A friend who is an organic chemist remarked on me mentioning it was on a list of poisons and other hazardous chemicals I had “health and safety” responsability to over see remarked of it “Oh lovely, no need to worry if it has toxilogical disadvantages, you won’t be around long enough to find out”…

I guess it falls under the “Chemicals I won’t work with” heading 😉

[1] Because last time I mentioned a chemical name the post got deleated, because someone got all “Roman Catholic” about it and issued a “bull”.

Winter November 5, 2020 6:46 AM

@Clive
“Disolves all plastics and organics”

So that would not be the stuff used liberally in Breaking Bad? That does not dissolve non-polar plastics well.

echo November 5, 2020 7:58 AM

@Clive

Please retract that slander. I gave my reasons for asking for references to be deleted. Do I have to drag up a post from you within the past two weeks where you yourself outlined the reasoning framework? (I’m trying to figure out whether you ripped me off 2-3 times in the same topic but I’ll let that ride as updating a heuristic. I don’t have a patent on ideas.) Being a “certified engineer” doesn’t give you special rights. That’s just pulling job title. I even offered to email Bruce privately and explain my reasons in full. Perhaps I was being paranoid but I think this item which should disappear down the memory hole. People will need to consult psychologists and sociologists for full explanations but basically you have problems like copycat crime plus the fact that once someone knows something is possible by picking up another person joining the dots or putting together the “jigsaw” this unlocks cognitive blocks. See also “D notices” and their reasoning framework. Yes, there are human rights and legal subtleties in that topic but this is beyond the scope of this comment.

I am not happy contributing to a site where there is no clear framework for discussing human rights and “soft” sciences which include technical subjects not reducable to boys toys. Not everything is not “political”. Just because these topics are not understood or followed by the majority of people does not make them political. Sabine Hossenfelder produced a youtube within the past month or so highlighting the difference between opinion and science. In law “political” is that which is not defined by law. These are two bases to begin with.

Don’t drag me back in because I’m increasingly tuning this site out. I’m not learning anything which interests me and get my essential news elsewhere.

Winter November 5, 2020 8:34 AM

@echo
“People will need to consult psychologists and sociologists for full explanations but basically you have problems like copycat crime plus the fact that once someone knows something is possible by picking up another person joining the dots or putting together the “jigsaw” this unlocks cognitive blocks.”

IIRC, the substance involved had been extensively in the news, including a big case review in Nature. Before that, I had been informed about this during high school chemistry in the 1970s. Also, it was the substance involved in one of the biggest environmental disasters in the 1950’s.

If I did RC, this would hardly be a reason to pull the comments now, 60 years after it plastered the newspapers. Which I also commented on at the time.

Anders November 5, 2020 9:39 AM

@SpaceLifeForm

How’s election?

Is this real or some conspiracy theory?

hxxps://thedonald.win/p/11PpBIG1Vk/please-look-at-this-i-think-the-/c/

JonKnowsNothing November 5, 2020 9:41 AM

@Clive @MarkH @All

re: Dormant Bitcoin Wallet Opened

MSM report about a dormant Bitcoin Wallet (since 2015) had been opened and 69,369 BTC worth @$1BILL value of bitcoins removed.

The chances of successfully cracking the password that unlocked the wallet was widely viewed as a long shot. Passwords are generally long, and the encryption involved—a combination of AES-256-CBC and SHA-512—is extremely slow to process. What’s more, it was never certain that the wallet.dat file that was passed around was the real bitcoin wallet or a forgery.

Well, it appears the wallet was not a forgery….

The question LEAs will be looking at is: where will the anonymous party stash 69,000+ of 101010101s?

ht tps://arstechnica.com/information-technology/2020/11/someone-has-withdrawn-1-billion-from-a-bitcoin-wallet-dormant-since-2015/
(url fractured to prevent autorun)

Winter November 5, 2020 10:29 AM

@Jon
“MSM report about a dormant Bitcoin Wallet (since 2015) had been opened and 69,369 BTC worth @$1BILL value of bitcoins removed.”

These bitcoins will be very carefully tracked. It is not easy to hide “stolen” bitcoins, but it can be done. And for $1B, people will be willing to do a lot of work. Still, such money can be blacklisted and difficult to spend.

Trying to get this money converted into currency or goods will be dangerous.

name.withheld.for.obvious.reasons November 5, 2020 11:21 AM

23 MAR 2020 — SARS2-ACE2, Renin-Angiotensin System
The feedback loop that occurs across the AT1 and AT2 regulation of vasodilation and vasoconstriction are prominent in the ACE2 loop and represent the viral respiratory and vascular affects in patients and the resultant targets of infection. Interesting note is a mapping of the occurrence between dependent vascular and respiratory organs. A suggested emphasis appears to be gastrointestinal, by far. This may further explain why masks are so effective, as the infective pathway may be a two tract event. The droplets received from the mouth or nasal passage enter the digestive tract, thus a person is more likely symptomatic and re-expresses the viral components from the lungs in close contact. (The last bit is my assumptive take, full disclosure).

See the Michigan State University, College of Human Medicine presentation on the tubes hZZps://youtu.be/JkcRxGu6ltk

Clive Robinson November 5, 2020 11:30 AM

@ Echo (in “#comment-358101” above)

Being a “certified engineer” doesn’t give you special rights. That’s just pulling job title.

That is actually not true, as you should be aware of if you have any knowledge of the legal process and law. As it happens I am aware that UK courts put emphasis on the words of those “chartered” or “certified” or in other ways recognised in a knowledge domain or art by acreditation, publication, recognition or other standing. So for that matter do other courts based in Europe and the US and many other places.

I even offered to email Bruce privately and explain my reasons in full. Perhaps I was being paranoid but I think this item which should disappear down the memory hole.

You say this to what end?

Do you claim you have “standing” in the legal sense in the relevant knowlege domain or art and therefor you have valid opinion?

What would be your reason for Emailing the host of this web site? Or are you trying to claim a defence for defamation against a named individual that you caused a harm to?

Are you trying to establish some kind of defence for actions you claim to have made in the past, that you think might or might not fit in your mind to an obviously satirical comment by another?

Do go on, it is rather interesting what a person who uses a common word pseudonym and makes claims of slander then claims they have also sort to harm the reputation of a named individual is upto. But more interesting the same single word pseudonym was used to repeatedly harris a named individual contray to the provisions detailed,

https://www.legislation.gov.uk/ukpga/1997/40/section/1

You go on to say,

People will need to consult psychologists and sociologists for full explanations but basically you have problems like copycat crime plus the fact…

Are you claiming you have standing or recognition in these knowledge domains and arts or similar such as criminology?

Or are you just making arm waving statments over something you might have read or viewed?

Speaking of which you go on to say,

Sabine Hossenfelder produced a youtube within the past month or so highlighting the difference between opinion and science.

Who is this “Sabine Hossenfelder” you speak of but do not refrence?

Is it the person refrenced by,

https://en.wikipedia.org/wiki/Sabine_Hossenfelder

If so, I see no evidence she has any expertise in “law”, or knowledge domains or Art pertaining to “psychologists and sociologists”.

Also in what sense is the person or you using the word “opinion”?

As for,

In law “political” is that which is not defined by law.

How otiose.

As for,

Don’t drag me back in because I’m increasingly tuning this site out.

I am unaware of anyone trying any form of compulsion on you to read this site, but then as you are using a pseudonym that is a common word how could anyone else even know?. Speaking of that common word pseudonym as far as I’m aware since an individual made a very grandiose exit statment under the pseudonym “Echo” quite some time ago, nobody has used or even mentioned it. Are you therefore claiming you are the person who has always previously used that pseudonym on this web site?

If you are, then I hope life is otherwise treating you well, and what ever previous stresses in your life you talked about so animatedly about in the past have now resolved themselves.

Sherman Jay November 5, 2020 12:08 PM

@all
Civil discussion on subjects and the policy of groups is important. Ad hominem attacks on individuals/groups not related to verifiable immoral/criminal behavior are a frequent tool of our current socio-political class (especially in the u.s.) used to undermine any rational points by inflaming emotional responses. This tactic diminishes the validity and security of our world.

We live in a world where rampant socio-political mud-slinging destroys the security and safety of many individuals/groups. The mud-slinging is amplified by main- stream media to improve ratings.

Clive is a valued contributor to the Schneier blog. He is not perfect – none of us are. Petty attacks by and on other contributors only degrade the viability of this blog.

Thank you, Bruce and Moderator for putting up with us even when we act like a bunch of beligerent children. I would like to see us all act as ‘mature, rational, decent adults’ and drop all the bickering and re-focus on more pertinent Security issues.

P.S. I have known many highly credentialed people who were credible authorities. I have known many highly credentialed people who were imbeciles. I have also known many learned but non-credentialed people who were credible authorities. ‘Kleider machen leute – Nicht’ (dressy clothes DO NOT make the man) Credentials are not automatic indicators of authority.

Sherman Jay November 5, 2020 12:23 PM

I would like to draw your attention to this pertinent personal/professional computer security issue:

h t tps://freedom.press/news/computer-crime-supreme-court-freedom-press-foundation-and-others-weigh-upcoming-cfaa-case/

Thanks. Everybody Stay safe.

Clive Robinson November 5, 2020 12:27 PM

@ Sherman Jay,

Credentials are not automatic indicators of authority.

They should not be, like respect credibility needs to be developed or earned depending on your chosen phraseology.

However for reasons best known to themselves our legal breatheren deal mainly not in the real world but a poor facsimile of it based on words on piles of paper. Thus they more or lrs give credibility based on what pirces of paper give you “standing” in their eyes.

Having had to go through the process in the past, I’m aware it is a “sword that is three edged”.

JonKnowsNothing November 5, 2020 1:04 PM

@ Sherman Jay @Clive @All

re: Credentials

In general, the USA has not much respect for credentials. A condition which makes Higher Education a two-edged sword. You may make more money in your field but it doesn’t cut much mustard much farther than that.

There are exceptions where each State had a “Certification Board” like for USA accountants. Accountancy rules in USA are different than other countries had we treat US Certified Public Accountants (CPAs) with more deference.

iirc(badly) Not that long ago a highly trained engineer with degrees from the EU, was living in the State of Oregon. He had determined that there was a fault in the analysis of traffic signals when his spouse got a ticket for running a red light while making a turn.

The analysis showed that there is a timing differential between straight, left turn and right turns when determining if you ran the light. Since this failure was programmed into the AI for auto-ticketing people got tickets even though they had not crossed when the light was red.

It was pretty kewl stuff.

The problem happened when he tried to explain this to the City/County/State. Since he was an “engineer” trained in EU he had no problems dealing with the “you don’t know xxx” attitudes but it was the law suit from the Certified Engineering societies that charged him with “practicing engineering without a license”, which is required in Oregon, that was unexpected.

The society came down on him like an unstable building because well.. anyone might claim to be an engineer and then what would happen to the Certified Engineer Wet Stamps (and fees) for plans, drawings and other required documents that people have to submit to the city/county/state authorities.

Well the guy was, as we say, gobsmacked.

Eventually with a great deal of fortitude on his part, he got the society to drop the law suit, the city, county, state to recognize his findings and updated all the AI for auto-ticketing.

iirc his contribution is now standard for AI auto-ticketing systems.

File under: When is an Engineer, Not an Engineer even with an Engineering Degree.

name.withheld.for.obvious.reasons November 5, 2020 1:43 PM

Public Crisis Management Organization — A Multi-National Crisis Response Program
We should be organizing a Global Public Crisis Organization for Action; an open source and commons-based citizen management/governance outside of the incongruous and failed institutions and can answer large scale problems which cannot (or will not) be answered by those charged with that task. Stepping in to serve humanity when enlightened self interest, core values, history, and future has been sacrificed for raw greed and power. We the many, they few, can be made to heal. Did I just hear “Let them eat ventilators and masks!” just now?

A Deep Look into the Biology and evolution of SAR-CoV-2 held by scientists from the University of California (the California University System, home to BSD). The one and a half hour round table discussion covers some of the basic topics but also goes to the more challenging nature of the viral response options and strategies.

Clive Robinson November 5, 2020 2:45 PM

@ Sherman Jay,

I just heard a ‘partisan’ official claim that ‘dead people are voting in Nevada’. Insanity prevails.

I can rase you one 😉

Heard about the “Watch the Water” Qdrop from two years ago and a DHS press conference from the same that that called for all states to “Watetmark ballots” well some not so bright blonds on TikTok have turned it into a “military sting operation” where the DHS secretly watermarked ballot papers and issued special printers and scanners so that Democrate States would be caught cheating, and soon the national guard is going to arrest them. Oh and apparently these special watermarks are recorded using “blockchain”… But it gets better for the retelling, apparently the watermarks use some secret “non radioactive isotopes” and the Dems got the Chinese to mail them in…

Basically a bunch of people who know nothing about watetmarks, blockchain, the National Guard, the DHS, who prints the ballots etc just grabed stuff off of the Internet…

Eventually after trying various search terms you find somebody has traced it back to a bunch of what are sometimes called “Botox Blonds” who look like they are one chemical substances,

https://www.mediamatters.org/tiktok/qanon-election-conspiracy-theory-about-ballot-fraud-going-viral-tiktok

Also as they have abused TikTok’s “Terms of conditions” that due to 40year old legislation that Ronnie “the ray gun” Reagan thought up after watching “Wargames” that has overly broad scope could make them “criminals”…

Oh a hint for people trying to start such stories “understand the technology” otherwise those who do are going to laugh at you…

MarkH November 5, 2020 2:47 PM

@Clive, JonKnowsNothing:

Are we permitted to write chemical formulae, or are those also prohibited?

As far as I’m aware, in the U.S. legal certification for engineers is limited to expertise needed for large boilers and other pressure vessels.

I remember my mentor telling me that if you don’t have such a license, advertising or publicly proclaiming yourself as an engineer puts you in a legal gray zone.

xcv November 5, 2020 3:15 PM

U.S. legal certification for engineers is limited to expertise needed for large boilers and other pressure vessels.

I remember my mentor telling me that if you don’t have such a license, advertising or publicly proclaiming yourself as an engineer puts you in a legal gray zone.

There’s no need for a legal gray zone. Call yourself an engineer, what’s wrong with that? What’s your calling or profession in this life? Who else has the say? If it weren’t for partisan politics, anyone would be free to engineer and design boilers, pressure vessels or anything else technical or industrial. The only legal problem should be if you claimed that you had a specific engineering or operating license when in fact you did not.

Sherman Jay November 5, 2020 3:33 PM

@clive,
Yes! I have always tried to remain within the bounds of my limited sphere of knowledge. It keeps me (mostly) out of trouble and prevents me from looking like a bad Monty Python sketch.

from h t tps://freedom.press/news/computer-crime-supreme-court-freedom-press-foundation-and-others-weigh-upcoming-cfaa-case/

The CFAA has been on the books since 1986 — reportedly introduced in response to president Ronald Reagan becoming concerned after watching the cyberthriller WarGames
h t tps://www.cnet.com/news/from-wargames-to-aaron-swartz-how-u-s-anti-hacking-law-went-astray/

The scholar Tim Wu has called it “the worst law in technology,”
h t tps://www.newyorker.com/news/news-desk/fixing-the-worst-law-in-technology

Sherman Jay November 5, 2020 3:37 PM

@xcv,

Decades ago I worked in an old house converted into a store in Oregon. I was required to take courses and get a state license to operate a ‘low-pressure steam boiler’ in order to start-up and turn on the steam heating system.

Even though it was prudent, never underestimate government licensing requirements.

Clive Robinson November 5, 2020 4:06 PM

@ MarkH,

As far as I’m aware, in the U.S. legal certification for engineers is limited to expertise needed for large boilers and other pressure vessels.

It depends on your definition of “engineer” and how you view people who design and build houses, buildings, ships, planes and automobiles.

But it all goes back to,

“First Do No Harm”

From some acient greek bloke 😉

Oh and the slightly more modern,

Q: What do chefs do with sauces, lawyers with words, and doctors with dirt?

A: Cover up their mistakes.

But it also involves the notion of “Guilds” etc where “artisans” clubed together to come up with “trade secrets” and “cheap labour” and cartels to increase profits.

The result has been the “legal professions” by which I do not mean Lawyers but any group of people including accountants and doctors that have the legal right to give and take away “a licence to practice”.

The argument is that certified proffesionals ensure safe, honest and trustworthy work is carried out. As we should know that is far from true, in fact proffesions can actually hide unsafe, dishonest and thoroughly untrustworthy individuals (Look up Dr Harold Shipman or Nurse Beverley Allitt)

As for “pressure boilers” the requirment came about in the Victorian era with boiler explosions flinging body parts around the scenery. In the UK Parliment enacted legislation that made a distinction between artisan’s such as “wheel-wrights” and boiler “engineers”.

In Europe in quite a few countries you have to be a Registered Technician or Chartered Engineer to carry out many types of work and if you register with the right body you are entitled to put T.Eng or C.Eng after your name so you could end up with,

“Dr Fred Smith C.Eng, T.Eng, PhD, MSc, BSc”

Etc but I for one don’t bother it’s two pretentious. Also if you go around calling yourself Dr you know darn well you will be at some social event and somebody will take you aside and confidentially ask you about their bad back[1] or worse. Then it gets realy embarising trying to explain you are not that sort of doctor (especially if you are a DD or worse yet a “Doctor of Sacred Theology” which is “STD”, who wants to add that to their name ;-).

[1] I have a standard reply for those who have the cheek to ask me about their back problems which is “Have you had a dentist check you out?” and if that fails “How about an opticion or podiatrist?”. Before you say “but but but… your not qualified” I’m not giving opinion or advice just asking questions. But it turns out for those that want to go look it up, current thinking is most back problems are caused by what is politely called “poor posture” and the only cure is to correct it. So squinting, clenching your teeth, and different length legs are often the root cause of bad backs, and the cure is get the posture problem sorted out and spend time with a physiotherapist to learn the right excercises to undo the muscle problems the poor posture has caused. Unfortunately there are some, myself included that have other issues for their bad backs that cannot be so easily corrected if at all, hence my getting around on crutches which does work upto a point, rather than have spinal injections or operations that something like 9 times out of ten don’t work…

echo November 5, 2020 4:12 PM

@Clive
.
I’m not adding to my previous comments. There’s enough data in them for anyone to check up on their own time only a click or two away. RE: Slander/libel against a psuedonym? Yes, this is legally possible for an established pseudonymous identity hence actionable. Please do consult lawyers on your own time. I’m not getting into “yes it isn’t no it’s not” tit for tat squabbles. I’m content with my legal opinions and have a fair record of being right enough as far as things go and the paper trails to prove it. Law as you know in practice isn’t always about what is seen but making sure attention is diverted from what is unseen, and indirectness and pincer movements but this is drifting off onto other things.

No stresses have not alleviated only got worse. A certain UK institution I need to get moving has made and is continuing to make basic administrative errors which are actionable for tiresomely well trod reasons and this trips up X, and then Y, and Z.

I mentioned quite some time ago a couple of things I won’t mention again but people have died and have continued to die because of system failures. These are subtle enough the media who lack in-depth expertise and who fail to join the dots keep missing. It’s a gross failing of the UK to uphold the European Convention. All logged. All waiting for a “habeous corpus” moment and, sadly, the way things are going why I need to leave the UK both to get justice and secondly to avoid direct threats against my person for whistleblowing. When those who are supposed to protect us kill us with benign indifference and self-serving mediocrity (aka egotism or institutionalised discrimination or economic murder) we have a problem and I have no wish to be a footnote in a public enquiry.

Anyway. Back to my sad life of being catcalled like men have never seen 16 inch denim miniskirts before and shouting at delivery men who don’t take social distancing seriously.

JonKnowsNothing November 5, 2020 4:13 PM

@MarkH @All

re:Are we permitted to write chemical formulae, or are those also prohibited?

Well, you can write it but you better not fill it …

Though, there are some you best not write down at all, ’cause even knowing them could land you in an uncomfortable location.

JonKnowsNothing November 5, 2020 4:38 PM

@Clive Robinson @MarkH @All

re: “Dr Fred Smith C.Eng, T.Eng, PhD, MSc, BSc”

Alexander McCall Smith stories about German academics,”Portuguese Irregular Verbs”, and the foibles of Professor Dr. Dr. Moritz-Maria von Igelfeld have a good bit of that in it.

Not being familiar with how things are structured in Germany, I originally thought that it was a typo in the printing.

In RL, a colleague was tapped for a trip to Milan Italy to do a computer detail exchange. The entire week was spent looking at Organization Charts, pointing out where and how the person was set in the overall schema. It is very important to know where one is in the Org Charts in Italy.

In RL, in France it was most beneficial to pretend to be from anywhere else, except from the USA. That and learn how to eat a whole raw peach with a knife and fork.

ht tps://en.wikipedia.org/wiki/Alexander_McCall_Smith

ht tps://en.wikipedia.org/wiki/Portuguese_Irregular_Verbs_(novel)

Portuguese Irregular Verbs is a short comic novel by Alexander McCall Smith, and the first of McCall Smith’s series of novels featuring Professor Dr von Igelfeld. … the main character is “a gentle figure who deserves every cartoon anvil that falls on his head”, in the humorous tradition of fictional characters Mr. Samuel Pickwick (in The Pickwick Papers by Charles Dickens)…

(url fractured to prevent autorun)

Clive Robinson November 5, 2020 5:38 PM

@ JonKnowsNothing,

That and learn how to eat a whole raw peach with a knife and fork.

Skined or unskined 😉

The secret to doing it for those who have not tried is a fork with very small tines and a very sharp knife. The first cut is to slice a flat down to the stone then turn the whole peach onto the flat… If it’s realy ripe you can be flashy and make an equitorial cut, halve lift out the stone turn both halves cut side down and proceed from there…

The thing I never got the hang of was eating “milly-fillies” or more corectly “mille-feuille” which are simply a sandwich of fine puff pastry seperated about an inch and a half appart with “Crème Pâtissière” and sometimes fruit as well, the top of the top slice glazed with a layer of white sugar icing and on this thinnly piped lines of chocolate (solid choc not a sauce). The slice is about two inches wide and four long, and has verticle cut sides…

It’s hard enough making the darn things without botching it up, but when the fruit is halved glacier cherries or segment of poached pears or peaches the fun with eating the darn thing without making a mess realy starts. I’ve only seen three people do this with “elegance” one was a PhD student from the Far East who also had a taste for raw garlic and ginger, both sliced so thin they were translucent and a great acompliment to raw oily fish or as a snack on their own, she would effortlessly pick individual slices up with chop sticks, drop it delicately on her tounge and savor slowly… She did it with mesmerizing elegance and if she caught you watching she would get all embarrassed and giggle slightly.

Though I’ve been using chopsticks very regularly for over four decades and can pick up individual grains of rice fairly confidently and baked beans without them flying, I still can not pick up a thin slice of garlic and it’s frustrating frustrating frustraiting 🙁

But whilst I still will not eat a milly-filly in company, I’m happy enough making them and inflicting them on others with a fine sliced wild strawberry spread in a rosette on a fine square slice of bitter chocolate and a very light dusting of icing sugar and a couple of baby mint leaves.

Or if I’m fealing realy mean, a verticle “fruit cornucopia” made from either puff pastry or piped meringue…

You can fight many a battle with fine patisserie, so my advice is stick to the cheese board 😉

SpaceLifeForm November 5, 2020 5:43 PM

@ Anders, All

Just noting: Twitter in last 24-36 hours has been in heavy Catch-and-Release mode.

Potus not tweeting.

Clive Robinson November 5, 2020 6:45 PM

@ SpaceLifeForm, Anders,

The deep cleaning starts next year.

But tonight is it fireworks or not, it is after all Nov 5th…

SpaceLifeForm November 5, 2020 9:57 PM

@ ALL

The interesting thing about non-zero numbers.

They may be imaginary. Got to love clueless lawyers.

hXXps://twitter.com/kadhim/status/1324485100629823494

SpaceLifeForm November 5, 2020 10:16 PM

@ ALL

Insanity. LOL.

I told you there is stuff going on with Twitter.

Steve Bannon banned on Twitter.

SpaceLifeForm November 5, 2020 10:38 PM

@ ALL

Breaking news:

Opening thousands and thousands of mail-in envelopes takes time.

Also, there are over 68 million brainwashed idiots in the US.

no.name November 6, 2020 7:32 AM

SpaceLifeForm: “Also, there are over 68 million brainwashed idiots in the US.”

I see. You refer the the famous deplorables?

Am astonished the mods let this through. Then again, it is Bruce’s “house”.

Yet, comments like those do not add credibility to Mr Schneier (who probably neither cares nor reads those comments).

Still, you got a good sense of democracy…

BTW: You did not let me know wheter they got you a sharpie.

@Bruce: Why do you not rename the Friday blog?

“About politics, unhinged stuff, and other tales.”

Winter November 6, 2020 8:11 AM

@no.name
“Still, you got a good sense of democracy…”

It is not the insulting that makes one undemocratic. It is interfering with the voting rights of people you object to that makes you anti-democratic. It is a pure and clear Democratic mindset to say that those you think are objectionable on all levels have voting rights too.

I want to add that “brainwashed idiots”, “Socialists”, “Stalinist”, and “Communists” all have voting rights in a real democracy. All are allowed to vote for the candidate of their choice in fair and free elections.

For instance, the Constitution of the USA does not exclude these categories of people from voting rights.

The peril of a Democracy is that the people can vote for a dictatorship, just as a Monarch can decree a Democracy with free elections (both have happened).

Clive Robinson November 6, 2020 1:01 PM

@ Winter, SpaceLifeForm,

Whilst the handle “no.name” appears to be new, and a rip off of another handle, the style looks old, very like that of someone who has previoisly been banned for their antagonistic behaviour.

So tred with care.

Clive Robinson November 6, 2020 2:01 PM

@ JonKnowsNothing, SpaceLifeForm, Winter, ALL,

Here we go again?

As has been mentioned in the past couple of days Denmark potentialy is going to be the new Wuhan with it being mink not bats –or other creature– as the cause.

But even though the alarm has been raised and infected humans has gone from 5 to 12 in just a few days the response is ludicrous to put it mildly, when you consider it is,

1, A mutated / new strain
2, A globe circling wild disease reservoir (Mustelidae).
3, Zoonotic infection into humans (12 so far).

Denmark should,

1, Shut it’s borders now.
2, Go into full lockdown now.
3, Ensure quarantine is enforced.
4, Cull all mink on farms where the infection is found and in surounding areas.
5, Put proper bio-security measures in place for mink and relative genus of “Mustelidae”

Which we know would stop the infection spread provided their are no “escapees” be they human or animal. As I’ve said in the past both Australia and New Zealand have shown why the measures should be taken seriously with accompanying prompt action, and other island nations such as Taiwan who went into rapid border shutdown and other measures has had minimal economic and social distress, unlike nations that procrastinated.

I’m not the only person with this viewpoint,

https://m.youtube.com/watch?v=3QvvMDw6YQw

Hopefully he can get the message out more rapidly, such that things are done to stop it dead in it’s tracks.

vas pup November 6, 2020 3:08 PM

@ALL usual suspects.

Recent election saga in US reminds me old statement from Soviet Dictator Joseph Stalin: ‘It is not important how people vote, important is how their vote is counted’.

Security vector as I see this: people remain the WEAKEST link in ANY security chain, so even the worst voting machine could not so screw up (even with possible hacking) as biased or/and incentivized people doing manual poor controlled vote count regardless what side they are leaned towards.

@Moderator – per advice of one of our respected bloggers I save this post, because it is going to be deleted ‘highly likely’ how our IC community used to say when they do not have facts but reasonable assumption only.

JonKnowsNothing November 6, 2020 3:24 PM

@Clive @SpaceLifeForm @Winter @ALL

Yes agreed the Human-Mink-Human transmission has again been confirmed.

The previous transmission was in the Netherlands and “Nothing To See Here and There’s No Proof” was printed in the media, however the Dutch official reports from 09 01 2020 have details about the transmission. The Dutch were active from the start and that strain is now extinct.

I was waiting for the new squid to post more details about what might be happening because there is a dearth of information on exactly what changed and how.

The information about the Danish Mink-Human strain was shared with the WHO and appropriate authorities and it will no doubt take a while for science to short things out properly.

Here are some advance areas to consider:

  * It is likely the Denmark authorities identified the problem @Sept 2020.
  * Denmark had been dealing with an outbreak in Mink Farms for some months
  * The initial reports indicated things went pretty normally for the first months
  * @Sept 2020 reports indicated the outbreak was wider spread than previously believed and affected more farms in a wider area, including finding more people infected than previously thought. (Mink farms currently use restricted access protocols so they are not a tourist destinations).

Re: The Mink-Mutation
There are several no-problemo scenarios and some that might be of concern but I have not found a public analysis of the genome (yet).

  * Vaccines are targeting the D614G COVID-19 Mutation
  * DG146 is the dominant global form of COVID-19
  * There are 3 main branches under D614G (A B C) and many sub-branches leading to leaf-nodes that are area and locale specific.
  * Jutland has a different leaf node than New York or Auckland or London.

  * There are already 20+ identified Antibody Resistant mutations known
  * Antibody Resistant mutations are referred to as Immune Escape variations
  * N439K was a spontaneous mutation originating in Scotland
  * N439K is extinct in Scotland due to their lockdown in Wave1
  * N439K and similar mutations arise spontaneously and die out
  * These mutations can recycle within the population
  * N439K re-spawned in Europe independently with no linkage to the version in Scotland even though it is the same mutation.
  * N439K blocks an antibody accessible receptor site. COVID-19 with this mutation can hook to 2 cells (or 2 cell parts) using 2 of its spikes. The second hook is to the receptor for certain antibodies.

Mutations like N439K are on the radar. There is research and evaluations about how they work or might interfere with recovery and vaccines. (eg This is not New News).

So, the question is: what was so startling about the new mutation that made the Danish dump a half-billion euros over it.

  A – If the mutation is in the leaf nodes, like N439K, it may not be a huge problem but it could cause the vaccine to be less effective. The expected effectiveness is only 50-60% as is.

  B – If the mutation is at the top of the tree, in the root node, then THAT would be worth dumping half-a-billion euros to prevent its escape.

  * COVID-19 continues to mutate and it’s no surprise that there are surprises waiting. The longer it hangs around, the more open-shut-open-shut Tweedledee and Tweedledum cycles, the more likely COVID-19 will mutate into something We Really DO Not Want Around.

  * Even if “WE” do not want COVID-19 to hang around permanently, Big Pharma has already predicted they will make $1,000,000,000 (1BILL USD) per year just for the vaccine(s).

note: If the moderator wants to move this to the new squid that is OK with me.

vas pup November 6, 2020 3:28 PM

Bitcoin: $1bn seized from Silk Road account by US government
https://www.bbc.com/news/technology-54833130

“More than $1bn (£772m) in Bitcoin linked to the notorious Silk Road website has been seized by the US Department of Justice (DoJ).
Earlier this week, crypto-currency watchers noticed about 70,000 bitcoins being moved from an account believed to be linked to the illicit marketplace.

Silk Road was an online black market, selling everything from drugs to stolen credit cards and murderers-for-hire.
It was shut down by the US government in 2013.

The sum is the largest amount of crypto-currency seized to date by the Department of Justice.
On Thursday, US Attorney David Anderson confirmed that the officials had seized the crypto-currency assets.

The Internal Revenue Service’s Criminal Investigation unit said
===>it used third-party company to analyze Bitcoin transactions that had been executed by Silk Road.
This led it to an address belonging to “Individual X”, who is alleged to have hacked the funds from the marketplace.

Law enforcement officers in turn took control of the sum on 3 November, and the DoJ claims the funds are now subject to forfeiture.”

Other interesting details – read the article!

“Criminal proceeds should not remain in the hands of the thieves,” said IRS special agent Kelly Jackson.

JonKnowsNothing November 6, 2020 3:46 PM

@ vas pup @Winter @All

re: “people remain the WEAKEST link in ANY security chain, so even the worst voting machine could not so screw up (even with possible hacking) as biased or/and incentivized people doing manual poor controlled vote count regardless what side they are leaned towards.”

Hmmm well, one of my big issues is “leaning on the keyboard”. Depending on why depends on how I feel about it.

  * If I’m spamming my “kill skills” then hammering or locking the key is great.

  * If I’m doing something online like typing a post and my key gets stuck with a bunch of ssssssssssssssssssssssss …. not so good

  * The worst are the auto-run keys built into the keyboard, a windows helper feature, either I end up with volume set to MAX-MAX or I’ve opened a hundred windows of notepad….

I think Winter said: “never ascribe to malice what stupid (fingers) do..”

Clive Robinson November 6, 2020 5:10 PM

@ vas pup,

the idea that listening to music boosted intelligence

There are three problems,

1, What is intelligence?
2, How do you measure it?
3, Are you fooling yourself?

The first problem of “what is intelligence?” is actually a very vexed one. To some it’s the speed of pattern matching, others the ability to use words and grammar, others the ability to do maths, others short term memory ability and so on and so on… Nobody realy agrees for various reasons.

The second problem of how do you measure it? Tests have a very checkered history and are more like a xenaphobia induced racial purity measure than much else…

But the third problem is the real fun one. That is are you fooling yourself? It’s kind of the human version of “The AI Problem”. That is you decide what your criteria for inteligence is, and you come up with a series of tests to pick out those characteristics, the thing is people then “learn the test”…

But has anyone ever stopped to ask if those who pass the test are actually any better at anything of practical importance?

The “British Empire” came up with what became the “Civil Service Exams” which actually can be shown to have been of very little or no worth. In essence it was a memory test of historical dates, names and the like. What it did not do was teach the lessons to be learned from history. It likewise at one point focused on obscure or dead languages (greek and latin). Whilst it is possible to learn logical thought processes from latin the main value of the languages was that they had been used as a form of Orwellian Newspeak. That is as with the Bible latin and greek were used as “Pale Languages”. That is a pale –from latin “palus”– is a stake, that is used as the main support in a fence. Thus as the expression “beyond the pale” implies there were insiders and outsiders with a “ring fence” acting as the demarcation –hence the word “ringfenced”– between the two. Thus knowledge and use of greek and latin both of which were taught at “Private Schools” but not otherwise, gave favour to a self selecting few.

When you dig into most measures of intelligence, they in effect ringfence a selected group…

However like “in breeding” self selection can go wrong…

When I was much younger for a bet I did an IQ test cold, that is with no knowledge of the exam thus no “learning the exam”. I came out with a mark more than sufficient to win the bet but also get an invitation to join Mensa. I’ve no idea what Mensa is like these days but near on half a century ago… Let’s just say that before joining I went along to one of their social meetings. I was not impressed to put it mildly. In short it was full of “civil service types” trying to prove they were clever by what the talked about.

Rather than being like a social event where you have fun to unwind it was excruciating painful to watch. Generallt people go to a pub then a club to have a drink and dance a little, along with dress up and dish the dirt on their friends. They generally do not do a full on “knife them in the back” competative ballroom dance… Trust me when I say that Mensa social meet made a national championships Ballroom competition look oh so tame…

Whilst I can do “nasty” with words, it’s very far from my idea of fun in fact I find it most disagreeable, so needless to say I did not join Mensa. Life is just “to darn short” for that sort of idiocy I’d rather read a book.

The nearest I get to that sort of competitiveness these days is “doing the puzzle page against the clock” from time to time when on the train (I can’t do it on busses they give me travel sickness in London).

SpaceLifeForm November 7, 2020 1:34 AM

@ Clive, Winter

When one decides to support a supposed “leader” that has totally mismanaged Covid response from day one, they are not thinking in their own self-interest.

Clive Robinson November 7, 2020 2:10 AM

@ SpaceLifeForm,

they are not thinking in their own self-interest.

Unfortunately that is the way for some people, and others also pay the price… Just Keep an eye on the numbers to see if the graph goes around a corner…

SpaceLifeForm November 7, 2020 2:26 AM

@ Clive

I said it was over at the start.

Yet, the US TV networks just refuse to state the obvious.

I guess the Ad money is too important.

MarkH November 7, 2020 4:24 AM

@vas pup, JonKnowsNothing re elections:

I wish that knowledge of election mechanics were more widespread.

The conduct of U.S. has many problems, some quite worrisome, but I see no evidence that the counting of votes is one of them … the big exception being “pure digital” voting machines. The part of the process carried out by people is the strong link, not the weak one.

I start from the premise (based on decades of experience with measurement technology) that for large elections, a perfect tally of the intentions of authorized voters who believed they cast their ballots correctly is unattainable — or in other words, the error cannot be forced to zero.

With that in mind, U.S. elections have a variety of protections, including:

• a workforce in which the duty to ensure accurate results is broadly accepted

• the ability for observers from both of the dominant political parties to monitor the steps of the process

• the risk of imprisonment for those found to be intentionally falsifying the vote

• the ability to audit all physical ballots

It appears to me that U.S. vote counting is generally accurate, and that this accuracy has been gradually improving.

The results of post-2000 state-wide recounts have typically resulted in revisions on the order of 0.01% of the total ballots collected.

Another datum worth considering is that prosecutions and convictions for fraudulent voting are extremely rare, even though the major parties have an enormous incentive to publicize such infractions, and to pursue their prosecution, whenever they benefit the other side.

=================

PS Two armed men were not long ago arrested in Philadelphia, in the vicinity of the building in which the counting of city votes is still underway. Their vehicle reportedly contained a large quantity of fraudulent ballots, which police believe they intended to deliver to the election facility.

They were wearing “Qanon” logos … in whose favor the ballots were marked has not yet been disclosed.

Clive Robinson November 7, 2020 5:02 AM

@ SpaceLifeForm, MarkH, JonKnowsNothing, Winter, ALL,

It is funny that you should say,

Yet, the US TV networks just refuse to state the obvious.

Apparently there is editorial warfare going on within the various Rupert “the bear faced lier” Murdoch organisations…

It would appear “the truth will out” despite the fear of senior managment more than minor peccadillos.

Apparent polls show the most trusted person from the White House by voters on both sides by a very large margin, is Dr. Anthony Fauci…

And unfortunately his predictions like that by some of this blogs members are unfortunately coming to fruition and might just be considered in a few months under estimates,

https://bgr.com/2020/11/06/coronavirus-update-latest-covid-19-figures-dr-fauci-comments/

Just Keep an eye on the numbers to see if the graph goes around a corner…

JonKnowsNothing November 7, 2020 7:16 AM

@SpaceLifeForm @Clive @Winter @MarkH @All

re:they are not thinking in their own self-interest

There are volumes written on this topic. It’s befuddled a good number of people, organizations, countries and just about anywhere you get 2-3 people in a group.

After all the history of civilization you can see the same topics over and over just dressed in different togas.

I don’t think research has uncovered why people accept or even promote things that are not in their own self interest but some focus group psychology types certainly know how to exploit it.

In the USA we have the additional mythos narrative that no one needs education and our “heroes” are often people who had little or none or just bought-the-paperwork.

We are more easily exploited because of the razzle-dazzle and flash of cash, none of which is going to fall into your personal pockets.

RL Anecdote: Years past I did the standard High Tech Start Up rounds in Silicon Valley. It was fun, exciting and we had no idea what a pile of SHYTE we were about to dump on the world creating The Age of Surveillance. One of the big draws are “stock options” and boy they throw a good pile of them at you to get you to sign up.

Having had a more varied background than many of my counterparts, I actually READ the documents all the way to the footnotes and back again. When you get to the bottom and you fill-in-the-blank about IRS rules (USA taxes) and the really fine print about Venture Capital shares, it becomes clear that you are not going to get much even if you manage to keep your job long enough to cash in. You are more likely to end up with a huge tax bill with no cash and no stock.

The razzle-dazzle is that there are some folks that will Hit The Jackpot and many a discussion was had about the probability of getting a few coins from the deal.

The bottom line: They preferred to believe in the myth rather that what was on the page. Over and over they voted with their time, energy and missed-life-opportunities to fuel a completely false narrative of acquiring wealth (aka money).

The scale of the people working in the tech industry is an indicator of how much fantasy prevails over rationality.

Clive Robinson November 7, 2020 9:20 AM

@ JonKnowsNothing,

The bottom line: They preferred to believe in the myth rather that what was on the page. Over and over they voted with their time, energy and missed-life-opportunities to fuel a completely false narrative of acquiring wealth (aka money).

Psychologists say that the form of risk taking / gambling is something boys develop around the age of six before they develip social communications skills. Whilst girls tend to develop social communications skills first, which changes the way they thing about risk…

It might be why “Silicon Valley” is seen as a “Testosterone Central” and why “the boys” are just filters of cash from “Investors” in Venture Capital to “rent seeking” real estate owners…

Clive Robinson November 7, 2020 12:11 PM

@ JonKnowsNothing, SpaceLifeForm, ALL,

It appears the UK is starting to wake up to the idea of “urgency”,

https://www.bbc.co.uk/news/uk-54851042

Unfortunately it only stops non UK citizens directly from Denmark, which leaves open the old trick of “fly to another EU country” where your pasport does not get stamped. Then buy a new ticket in that country to the UK…

But atleast the response has been fairly rapid.

I also think it’s time the UK put in place the old “rabies” rules again with regards pets and livestock etc now that we have evidence that SARS-CoV-2 csn hop in and out of humans through other species.

It’s not just the “disease reservoir” issue. But without trying to be an alarmist there are other issues.

There are a lot of other Corona Virus out there, which mainly effect not the animals respiratory system but it’s digestive tract. Which means it’s very much less likely to kill the animal.

Secondly the general rule of thumb is viruses become less fatal with time as killing the host reduces the number of future hosts.

But whilst the effects a virus has on an animal’s digestive tract might be little more than a bad case of the squits, if it crosses over it may well respond much more virulently in the human respiratory system, which is what is believed to have happened with SARS-CoV-2.

Thus it could get into other spiecies of animals such as pets, livestock or wildlife and exist and mutate for years. Occasionally mutating into a form with new capsid or spike proteins against which we have no natural antibodies or vaccines which can infect us sigbificantly.

But there is a third aspect to consider, which is the response speed of a particular genuses host. Bats have a very much faster immune response time than humans, thus the predecessor to SARS-CoV-2 had to be significantly more infectious to be tenable in bats. But when it had crossed over to humans it was in effect more infectious thus spread more rapidly.

So if there is another host spiecies for varients of SARS-CoV-2 and they have a fast immune response time the chances are any mutation will favour greater infectivity which if it hops back into humans is not going to be good news, especially if it negates existing antibodies or vaccines.

Whilst we hope the probability of this is low, every mutation makes it that little bit more likely.

Which is why a rapid response and hard lockdown is the best response as the virus ceases when there are no more viable hosts it can reach. It’s much much cheaper than developing vaccines and if you stop it getting into your community then the economy is only mildly effected.

In some ways, although it does not feel like it, we’ve dodged a bullet with SARS-CoV-2 and we now have valuable data on how to deal with potential pandemics in the future. All we have to do is convert that data to knowledge and learn from it so we do not repeate the mistakes from this time.

As I said the UK had a realy bad issue with foot and mouth nearly two decades ago simply due to procrastination. When we had another outbreak less than a decade later we responded rather differently and the outcome was majorly different.

udon1nano November 12, 2020 4:02 PM

@Bob Paddock re: secure cameras – If you are asking about consumer-grade equipment, most of it seems to be pretty pathetic. I’ve been looking at “trail” cameras to be able to see what is going on at an off-grid cabin without actually traveling there to pull the SD card. While some cams use some measure of encryption, it isn’t very strong. Worse, most upload photos to a cloud drive with no other option. One that I’m looking at at least allows that “feature” to be turned off in favor of sending thumbnails as email attachments (all of this operates over the cellular network). Obviously the photo does exist in their on-line data store while transfer occurs, but they allegedly delete it immediately after sending. Highly imperfect security, but probably good enough for my limited needs.

Valery Prince November 14, 2020 4:10 AM

Being a “certified engineer” doesn’t give you special rights. That’s just pulling job title. I even offered to email Bruce privately and explain my reasons in full. Perhaps I was being paranoid but I think this item which should disappear down the memory hole. People will need to consult psychologists and sociologists for full explanations but basically you have problems like copycat crime plus the fact that once someone knows something is possible by picking up another person joining the dots or putting together the “jigsaw” this unlocks cognitive blocks. https://aduk.de/services/custom-software-development/ See also “D notices” and their reasoning framework.

- November 14, 2020 5:48 AM

@ Moderator,

The above from “Valery Prince” is very clearly unsolicited advertising.

The advertiser has copied text from further up the blog, clearly without reading it.

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.