Comments

Anders October 23, 2020 4:23 PM

@SpaceLifeForm

Do you have Mac & Safari, can you confirm?

hxxps://mobile.twitter.com/alcyonsecurity/status/1319392122458546176

john October 23, 2020 7:14 PM

YouTube-dl has received a DMCA takedown from RIAA

https://news.ycombinator.com/item?id=24872911
https://www.zdnet.com/article/riaa-blitz-takes-down-18-github-projects-used-for-downloading-youtube-videos/
https://old.reddit.com/r/youtubedl/comments/jgttnc/youtubedl_github_repository_disabled_due_to_a/
https://github.com/github/dmca/blob/master/2020/10/2020-10-23-RIAA.md
https://old.reddit.com/r/DataHoarder/comments/jgtzum/youtubedl_repo_had_been_dmcad/
https://old.reddit.com/r/linux/comments/jgubfx/youtubedl_github_repo_taken_down_due_to_dmca/
https://old.reddit.com/r/programming/comments/jgub36/youtubedl_just_received_a_dmca_takedown_from_riaa/?limit=500

Now when you go to their site, it reads:

Repository unavailable due to DMCA takedown.

This repository is currently disabled due to a DMCA takedown notice. We have disabled public access to the repository. The notice has been publicly posted.

If you are the repository owner, and you believe that your repository was disabled as a result of mistake or misidentification, you have the right to file a counter notice and have the repository reinstated. Our help articles provide more details on our DMCA takedown policy and how to file a counter notice. If you have any questions about the process or the risks in filing a counter notice, we suggest that you consult with a lawyer.

So what is it?

Description: downloader of videos from YouTube and other sites
youtube-dl is a small command-line program to download videos from
YouTube.com and other sites that don’t provide direct links to the
videos served.
.
youtube-dl allows the user, among other things, to choose a specific video
quality to download (if available) or let the program automatically
determine the best (or worst) quality video to grab. It supports
downloading entire playlists and all videos from a given user.

JonKnowsNothing October 23, 2020 7:22 PM

Continuing the series on The Bank of Mom and Dad:
    Analysis on the Value of COVID-19 Test Supplies

The previous “Analysis on the Value of COVID-19 Tests if classified as Taxable Income” examined one aspect of COVID-19 Testing: Tests performed by medical professionals in the ER.

Recap:
  One set of COVID-19 tests cost $1331 USD
  If COVID-19 tests become a taxable benefit,
    the tax value to the State of California (10 06 2020) would be
    Gross Income Tax .095 * $41,127,900,000 = $3,907,150,500

There are other tests for COVID-19 and these are administered by medical professionals or trained persons and are used in common care. There are a number of rapid test devices that are used in care facilities and in other areas where repeated testing is necessary. In some cases the devices are provided free or for a minimal charge. The test kits required for the devices are an Out Of Pocket expense for the facility. Reimbursement schemes, if any, vary while testing requirements are strict. Skilled Nursing Facilities (SNF), Care Centers, Rehab Facilities and industries where repeat testing is important to prevent widespread outbreaks of illness in staff and residents are examples where repeated testing is required.

  * There are 15,000+ SNF in the USA.

  * One device retails for $300 / unit. It is a hand-held device which returns results in 15 minutes. False Negative Rate 15%.

  * The US Government provided 14,000 of these types of devices to care facilities.

  * 7,600 SNF have the device from one manufacturer. Some facilities have several units.

  * The devices use a Test Supply Kit that costs $32/test. Test results in 15 minutes.

  * Outside lab fees for processing tests cost $100/test. Tests take 5 days to return results.

CDC Rules on COVID-19 testing in SNF require weekly testing on residents and staff. If the local community has a high COVID-19 positivity rate (+10%) then tests must be done twice weekly. Failure to perform the required testing is a fine of $10,000 USD.

  * California has 1,223 SNF with 118,000+ beds and 86% occupancy rate; @100,000 beds per day. Averaging 38,000,000 billable days.

  occupancy rate 118,000 * .86 = 101,480
  billing days 101,480 * 365 = 37,040,200
  billing months 37,040,200 / 12 = 3,086,683

California Costs
  * average cost per month self-pay  $7,450 / month
  * average cost per day subsidized  $6,700 / month
    ($220 per day)

Gross Revenues $20-23BILL USD
  (occupancy changes about every 3 months)
  * full pay 3,086,683 * $7450 = $22,995,788,350
  * subsidized 3,086,683 * $6700 = $20,680,776,100

At least once per week residents and staff need COVID-19 test.
  * Avg Occupancy 100,000
  * Cost per test kit $32
  * Cost per test lab $100

Testing Costs
  Kits per day 100,000 * 32 = $3,200,000
  Lab per day 100,000 * 100 = $10,000,000

  Kits per month 3,200,000 * 30 = $96,000,000
  Lab per month 10,000,000 * 30 = $300,000,000

  Kits per year 96,000,000 * 12 = $1,152,000,000
  Lab per year 300,000,000 * 12 = $3,600,000,000

Age Ranks
  58% of SNF are 75+ yo
  39% of SNF are 45-74 yo

COVID-19 Death Ratio (10 23 2020) 65+yo = 80%

Cost Saving Per Death of 65+ (California)
  Aged residents 100,000 * 58% = 58,000
  COVID-19 Aged Mortality Rate
    58,000 * 80% = 46,400 potential deaths

Savings on Test Kits Per Death
  Kits per day 46,400 * 32 = $1,484,800
  Lab per day 46,400 * 100 = $4,640,000

  Kits per month 1,484,800 * 30 = $44,544,000
  Lab per month 4,640,000 * 30 = $139,200,000

  Kits per year 44,544,000 * 12 = $534,528,000
  Lab per year 139,200,000 * 12 = $1,670,400,000

Savings on Facility Care Costs Per Death
  per month self-pay 46,400 * $7,450 = $345,680,000
  per month subsidized 46,400 * $6,700 = $310,880,000

  per year self-pay $345,680,000 * 12 = $4,148,160,000
  per year subsidized $310,880,000 * 12 = $3,730,560,000

note: Previous analysis reports may be found in the blog archives or on the Wayback Machine. An earlier Explanation of How USA Healthcare is Apportioned may not have made it to the archives and perhaps can be found on the Wayback Machine.

data sources: CDC mortality and severity reports, USA Social Security data and life tables, Actuarial Analysis of Risks and Insurance considerations, Real Estate Estimates and Forecasting, various science and research papers, global analysis and reports, local reports and statistics. US Representative Katie Porter COVID-19 Test cost estimates. CA State Skilled Nursing Reports, Medicare-Medicaid data sheets and information sources.

note: There are a lot of zeros. Some may have been added or dropped during the copy. Your numbers may be different.

witnail October 23, 2020 10:17 PM

The Russian state-sponsored APT actor has targeted dozens of SLTT government and aviation networks, attempted intrusions at several SLTT organizations, successfully compromised network infrastructure, and as of October 1, 2020, exfiltrated data from at least two victim servers.

us-cert.cisa.gov/ncas/alerts/aa20-296a

AndyF October 23, 2020 11:17 PM

US now applying sanctions against several Russian state organisations in response to an attack on a site using Schneider Triconex based SIS (safety instrumented systems) back in 2017. The attack only failed because of an error which caused the attacked system to shut down.

https://arstechnica.com/information-technology/2020/10/us-sanctions-russian-hackers-who-hit-chemical-maker-with-dangerous-malware

It seems to have taken a long time for this response to come. Maybe there is more to this announcement than has been said.

Wael October 24, 2020 12:29 AM

@Beatrix Willius,

Apple started hiding the traffic of its own Mac apps

I don’t like this. I’ve been seeing indications of something strange on my iPhone recently: I don’t use iCloud and have it disabled for notes, photos and other things. I want my stuff local, and local only. Sometimes when I am away from WiFi, and I open “notes”, I get a message saying: “Cellular data not enabled for notes”. I am thinking: why do you need cellular data? I am not saving anything to the cloud?

My guess is: everyone has two iCloud accounts: the one you see and have control over, and the one that’s hidden from you, and has a copy of everything on your phone. No other explanation. Same applies to MacOS. I’ll bring up my AMD-based Hackintosh[1] and FreeBSD machine again (after I get the new Ryzen 9 5950X).

When I have a chance (not anytime in the near future), I’ll try to sniff the traffic again and see what’s cooking. I guess I’ll need an external machine for that. But that’s so boring: I know what I’ll find already, I don’t need confirmation.

[1] On a previous machine I removed all telemetry functionality I could see from the kernel before compiling it, but unfortunately, shortly after setting the system up with four or five Operating Systems, I did something stupid with Clover and screwed up all the MacOS partitions. I have a couple of backup copies on remote disks, using Carbon Copy, but I need to upgrade the hardware before I set up another one.

JonKnowsNothing October 24, 2020 1:19 AM

@Wael

re: My guess is: everyone has two iCloud accounts: the one you see and have control over, and the one that’s hidden from you, and has a copy of everything on your phone.

I have presumed at least 2 accounts as you have indicated. Just before the COVID-19 dam broke over California, my *Ph bulged up in the middle with a case of overstuffed battery. This happened after a forced update and my phone got a case of battery bing overload.

The short part of the story is that in order to “repair” it I had to hand over the phone to them. The G-Qs (which were very nice) tried to “backup” my stuff to the iCloud (there wasn’t much) and SURPRISE! they couldn’t since I’d disabled every permutation of anything I could find on the thing.

One senior G-Q evidently had seen this before and buttons and pages flashed by and about 15 min later it was “all backed up”.

When the “ahem” new phone was delivered they restored the “backup” but this time, it took a bit more button and page swiping. One set of restores failed. They tried several times without success. Then they flipped to another new set of swiped pages and did it from a different setup which did work.

From this I figured there is my private facing account and a G-Q accessible account. Like Admin-User database settings.

Beyond that there would be the backup system admins, techs and site storage folks and all the folks working in their OneRingToRuleThemAll.

Wael October 24, 2020 1:33 AM

@JonKnowsNothing,

Yes! Or one account with different access controls as you state. Kind of annoying that you can’t expect the least amount of privacy. I bet you this text I’m typing is being teleported elsewhere, as I’m typing it or later on, in an “encapsulated, encrypted” package.

Clive Robinson October 24, 2020 6:13 AM

@ Wael, JonKnowsNothing, SpaceLifeForm, ALL,

Kind of annoying that you can’t expect the least amount of privacy. I bet you this text I’m typing is being teleported elsewhere, as I’m typing it or later on, in an “encapsulated, encrypted” package.

As I’ve mentioned before the “here and now” can be done with a simple diode detector[1].

It always puzzled me as to why back in 2015/16 when Ed Snowden and Andrew “bunnie” Huang demonstrated their “introspection engine” for the iPhone 6 they had soldered wires to the iPhone CCT board.

My viewpoint then and now is that crossing a border with a phone that can clearly be seen to be modified was not a good idea… Further, sourcing a phone locally when across the border not only dropped you into the CarrierIQ “Pre-installed snoopware” issue, it also meant that getting the modifications done by a local technician would like as not get you reported or worse.

However Ed Snowden and Andrew “Bunnie” Huang did later publish their reasoning[2], some of which I agree with, some of which I know is not exactly correct[3] as others on this blog will know.

My problem this century has not been the “here and now” but “store and forward”… That is what are they hiding away with other traffic that they recorded and tucked away in memory somewhere in the phone.

Back a few years ago you could get “Wireless VoIP” phones that worked only over WiFi or cat3. This did allow you to hotspot and use a PC as a router with extras. But those appear to be a thing of the past. But desktop VoIP phones are fairly plentiful and making a secure router out of one of several single board computers (SBCs) is not that difficult, similar with just a mic and ear piece headset which are again plentiful. Making VoIP content secure is somewhat harder but can be done.

Sadly the days of the POTS phones and “patch boxes” are something that is sliding into the past except in the EmComm arena, where setting up a small PABX in a control center with dialout to a repeater or HF long haul link is sometimes needed.

Something I have been looking at for a customer in North Europe is using an SBC as a “secure voice modem” to use with HF transmitters down in the low HF / Upper MF bands where Near Vertical Incident Skywave (NVIS) provides approximately 250-600 km coverage in very rough or hilly terrain where all other forms of RF comms except sat phones are not going to work. The prototypes just using digital modes to carry data and digitized low bit rate audio worked fine. However as the customer wants “Privacy”, as it’s for general purpose emergency usage, some level of secure voice and data is a requirement. In part this is to meet EU privacy legislation as GPS location data for rescue has to be included because although NVIS gives good coverage it’s quite difficult to Direction Find (DF) due to not having very much or any ground wave and the near vertical incidence making bearings very indistinct and variable. DFing only becomes possible when very close in, often very much less than 25 wavelengths (7.5/F(MHz) = 7.5/5, i.e. less than 1.5 km at 5 MHz).

[1] Whilst a passive diode detector is a little deaf, you can “bias” a pair of diodes and have very good sensitivity. If you bias with a high frequency signal which is a good square wave you end up with what is in effect a “broad band bug hunter”. These days with a little more skill you can make an IQ receiver or down converter that will pull the entire “DC-2-Daylight” spectrum down into a modern very low cost SDR bandwidth and save it away such that you can later demodulate it and recover the transmitted data and convert it back to “network packets” to push into the more modern FOSS “wire-sharks”.

[2] https://www.tjoe.org/pub/direct-radio-introspection/release/2

[3] One of their rationales is that Faraday cages are “unreliable”; whilst true, that is true for all mechanical devices when “used and abused by users”. They then go on to talk about making holes in a Faraday shield to operate the camera etc. Well you don’t have to poke a hole through if the Faraday cage is made of fine wire mesh. Because cameras do work through fine wire mesh quite well. Yes there is some attenuation of the required signal, and in some cases a small amount of refocusing, but hiding cameras, microphones and ambient pressure/temp/mag-direction sensors behind mesh is a standard technique in the surveillance world and has been for decades. It’s also a standard technique where EMC issues are involved[4].

[4] Due to outmoded security notions in the US and other places fine wire mesh suitable to make Faraday shield cloth used to be very difficult to get hold of. It is more easily available these days, but I get the feeling some suppliers “phone bob” at a Government agency with your details. So whilst I don’t recommend you “weave your own” mesh, I have done it in the past using 40 AWG (0.07874 mm diameter) “fuse wire” and smaller diameters. You do however need to “chemically dull” it first to take the shine off. The UK based “Scientific Wire Co” used to be a good place to get other “RF wire” such as “silver plated”, but China tends to be the place for fast turn around of “wire cloth” and the like these days (and yes, if you have the money, there are Faraday suits… Which did make me wonder if there was a market for Taser-proof jackets and the like;)

Wael October 24, 2020 9:25 AM

@Clive Robinson, JonKnowsNothing, SpaceLifeForm, …

As I’ve mentioned before the “here and now” can be done with a simple diode detector

Question: Don’t we already know the phone is a snitching device? Then what’s the point of a detector, simple or otherwise?

That is what are they hiding

They’re not hiding much. Just phone content, including emails, text messages, photos and video recordings, notes, browsing habits, crypto-currency addresses, passwords and password vault passwords, phone calls, GPS locations, hotspot SSIDs and passwords, BT paired devices, proximity to other wireless devices such as Smart TVs, smart cars, smart homes, other phones, health statistics, number of steps you take every day and where you went, who you passed close to, phone statistics such as battery power left, charging state, screen orientation, proximity to your ear, power state, distance from cell towers, payments through digital wallets, electronic boarding tickets, airplane mode state, access to camera and microphone even when they’re not being used by the owner… Probably a few more things, but not much more, really. Nothing to worry about.

Anders October 24, 2020 9:31 AM

@Wael

You are right.

“Hayden, amused, turned to his wife and quietly asked: “This kid doesn’t know who I am, does he? Four-hundred-thousand apps means 400,000 possibilities for attacks.””

hxxps://www.spiegel.de/international/world/how-the-nsa-spies-on-smartphones-including-the-blackberry-a-921161.html

Clive Robinson October 24, 2020 11:07 AM

@ Anders, ALL,

Four-hundred-thousand apps means 400,000 possibilities for attacks.

And that old fart still does not tell the truth…

They don’t go for four hundred thousand apps, except to train newbies.

They go after the OS’s and hardware, as the ROI is way way greater, as a moments thought will make many here realise.

Then when you think a little further you realise that they are interested in,

1, Known Plaintext.
2, Implementations.
3, Protocols.
4, Standards.
5, Developers.
6, Engineers.
7, Management.

If they can get a senior engineer / manager to implement a bust standard as default then it’s gravy train times…

Now let me think… Oh yes RSA and that dodgy Dual Elliptic Curve… Then there was Juniper Networks and similar dodgy math. And the list goes on and on and on…

If those managers don’t take the bribe then it’s send in the SEC, IRS, FBI or just “black bag” the place….

The No Scruples Association and their friends the Complicit In Agent-killing are always playing MICE…

rrd October 24, 2020 11:45 AM

The entire world should feel shame for allowing this to happen.

hXXps://www.varsity.co.uk/interviews/19990

It’s an interview with a Uighur who faced China’s concentration camps.

“Injustice anywhere is a threat to justice everywhere. We are caught in an inescapable network of mutuality, tied in a single garment of destiny. Whatever affects one directly, affects all indirectly.”
— Dr. Martin Luther King, Jr. in his “Letter from the Birmingham Jail”

“We must always take sides. Neutrality helps the oppressor, never the victim. Silence encourages the tormentor, never the tormented.”
–Elie Wiesel

Wael October 24, 2020 12:24 PM

Time to update the 5-year-old Mobile Phone specs:

Quad 3.2GHz Core ARM Application CPU (ACPU) w/ the latest Version of OS, with forced updates
2K Zero day exploits
50 Backdoors
195 Front doors – one for each country
54 persistent location snitches that cannot be turned off
195 Compromised keys
200 rogue root certificates
200+ probes to exfiltrate so-called private information.
15 sensor side channel leak facilities
300 identifiable fingerprints and device ID’s for tracking purposes
20 Remote control services for Microphone and camera
3 Environmental awareness and reporting systems and hidden API’s
5 Dysfunctional COVID-19 contact proximity reporting system (for the consumer)
8 Robust COVID-19 contact proximity reporting system for the consumer (for spooks)
1800 Neural network cores and Deep ML HW to predict what no good you’re up to next
5 Prototype subsystems that experiment with reading the consumer’s brain electrical patterns
100 Spare HW resources for future development
3 DNA sample collection sensors, just in case the consumer gets a wound on the phinger, by chance
2 Sharp edges on the phone to grease the skids for sensor functionality, above
7 Undecipherable 14000-page EULA document that basically makes you accept the above
16 Rowhammers
5 Heartbleeds
1 Pass the freaking hash
200 Shock and Owe Shell-shocks
1 Built-in Taser, for self-inflicting electrocution, triggered by a remote authenticated command
20 Dodgy Dual Elliptic Curves (for so-called random numbers — Dual EC DRBG)
2 Cute POODLE’s
3 Additional free of charge backend accounts — unlimited storage capacity
2 Always-on sensors to collect health-related parameters. For your safety, really!
1 Monotonic counter to decrease phone responsiveness, so you get to enjoy newer models
2 You shall purchase at least one new phone every two years, as a consequence of the above feature

rrd October 24, 2020 12:48 PM

1 Smart Vibrate

Ittttttssss theeeee bbbbbbbeeessssstttt!!!!! !!!! !!!!!!! !!

[Dear Sirs, I would like to apologiz

Anders October 24, 2020 1:34 PM

@ALL

hxxps://www.forbes.com/sites/siladityaray/2020/10/12/united-states-six-other-nations-ask-tech-companies-to-build-backdoors-to-encrypted-communications/#1b1e5e804051

Estonia is also jumping a train.

hxxps://news.err.ee/1149511/ministry-wants-to-tighten-identification-regulations-on-pre-paid-sim-cards

vas pup October 24, 2020 3:44 PM

Presidential debate: Decoding Trump and Biden’s body language:
https://www.bbc.com/news/av/world-us-canada-54661152

My nickel: I’d like to get an estimate of truthfulness of each statement based not only on body language, but voice analysis, micro face pattern frame by frame, even by changes of the thermal image of the face.

By the way, I am sure our top LEAs and IC do have such a tool for distant analysis during interrogation, but looks like their motto is ‘presidents come and go, but we stay’, so they better refrain from such analysis or at least keep it out of public domain to save their future retirement benefits. Just my humble educated guess, not sworn statement – disclaimer :).

name.withheld.for.obvious.reasons October 24, 2020 3:48 PM

20 OCT 2020 — Crisis Matter, Songs not Written by the Doors
An Interview with Professor Noam Chomsky, Aaron Mate of the Grayzone

In an interview with Aaron Mate of the Grayzone, published 20 Oct 2020, in what I understand to be extreme pain, Noam demonstrates to me for the first time an emotional response. The stoic, calm, and monotonic voice that for decades has recorded the events of the day is visibly shaken. In Chomsky’s voice I hear grief and pain when he said:

“…illusions that somehow if the Cold War is over it doesn’t matter, it matters very much greatly and trying to break through on this is (Chomsky is visibly shaken) is pretty…pretty…I just don’t know how to proceed on it. It goes beyond this incidentally. Now take a look at the New York Times this morning, there is an editorial saying we shouldn’t torture Iranians. Sort of a mixed editorial, but at least it’s there. Read down to the bottom, right below the editorial there’s a questionnaire which asks people to list their reasons for voting in November. What’s your top reason for voting, and look at the choices; hurricane, businesses put out of business; all immediate local things. Not only nothing about nuclear weapons, nothing about destroying the environment. The two major topics that humanity not only faces but has ever faced in its history, and especially on both but especially on global warming. A case where the Trump administration is simply driving to catastrophe, but that’s not one of the choices you’re supposed to pick. As why to vote, it’s as if the elites are mesmerized, can’t think. You know, hard to know how to break through on this.”

Clive Robinson October 24, 2020 3:55 PM

@ Anders,

Estonia is also jumping a train.

The thing about trains, is once they are moving they have little or no choice in where they end up.

We have known for as long as code books have existed that the privacy offered by codes and later ciphers depends on those we wish to know not getting their hands on the code books or cipher keys. Thus they were not left out of secure storage no matter how convenient it might be.

For some reason modern users believe, for whatever reason, that their smart devices give them privacy.

They do not, nor with the way they are currently being designed will they ever give privacy securely.

If users want privacy then they need to consider going back in time and keep their codes and ciphers away from prying eyes in strong safes and the like.

That is, treat any “connected device” as having no ability to give privacy of any form whatsoever. Thus layer privacy protecting layers on top by using suitably isolated ciphers and codes.

That is, use an entirely separate device that is isolated from the connected smart device to enter your private thoughts. Then transfer the ciphertext of those private thoughts to the connected smart device when the conditions are right and not before….

name.withheld.for.obvious.reasons October 24, 2020 3:57 PM

@ Wael
As the Christian holiday of Christmas approaches, I thought this appropriate…hey, didn’t Trump save Christmas?

Is there some way you could maybe put those specs to, say a tune for a musical?

How about the 12 Days of Christmas,
“…my True Love gave to me…ten phones a phoning in my data, nine golden ring(tones)”

vas pup October 24, 2020 4:00 PM

Why AI live fact-checked the 2020 US presidential debates
https://www.bbc.com/news/av/technology-54658206

“Many news organisations, including the BBC, have dedicated fact-checking services to help audiences make sense of the world and spot lies and misinformation.”

My nickel: it is important to separate truth from false, but for me I want to know does person saying anything (true or false) REALLY believe in what he is saying, i.e. subjective component for me also very important on the subject matter, because human memory is NOT like recording on hard drive, tape, you name it.

Why is that a security angle? Based on those findings a judge should decide whether paragraph 1001 of Title 18 USC is applicable (lying intentionally to a federal agent OR just lack of memory due to age, PTSD, mental disorder). But who really cares?

name.withheld.for.obvious.reasons October 24, 2020 4:11 PM

@ Clive
I understand that the work of intercepting secure communications has already been overcome. It’s one of the reasons Windows 10 exists. Not to get into any conspiracy theories, I commented before that the textual CONTEXT, whether it is speech, voice or written texts, is handled by the textual application interface of the OS. All text passes through this conduit prior to any post process copy, write, transmission, encoding, et cetera. Don’t remember the complete API architectural specification–heck, even the name of it escapes me now. But I believe I commented on it in late 2017, or early 2018.

And, from what I gather from the OS X camp, the same architectural approach to contextual textual layers applies.

The strategy is to combine forms of expressive data, pass it through the API, and Bob’s your uncle. Kind of like a universal messaging app; in Star Trek it would be the communicator. Beam me up Scotty, my Xenix kernel is about to panic.

vas pup October 24, 2020 4:18 PM

Dark web ‘Cyberbunker’ trial breaks new ground:
https://www.dw.com/en/dark-web-cyberbunker-trial-breaks-new-ground/a-55368235

“A Cold War bunker in a small German town housed dark net internet servers that facilitated illegal online activity. The group operating the servers are now on trial — but are they really responsible for 250,000 crimes?

The eight people — four Dutch, three German, and one Bulgarian — worked at the “cyber bunker” data center at a disused military bunker in the pretty village of Traben-Trarbach.

=>They are now charged with aiding and abetting criminals in some 249,000 illegal online transactions involving drugs, contract killings, money laundering, and images of child abuse worth millions of euros.

In September 2019, a major police operation that had been in the works for half a decade raided the bunker and closed it down. The key members of the group were arrested.

The alleged ringleader of the operation, 60-year-old Dutchman Johan X. remained impassive and silent throughout the first days of questioning, listening to the testimony of the first three defendants.

Dutchman Michiel R. who worked as a “manager” at the bunker summed up his chequered job history and gave a tearful description of his close relationship with his mother. Jaqueline B., a German who acted as a “bookkeeper” for the operation spoke of her childhood in Cameroon growing up as the daughter of a poor farmer. A 21-year old German IT expert who spent a year working in technical support described his solitary life and history of depression.

There has been much focus in the international media on the bunker the group used for its operation.

The massive construction was built during the Cold War to house a NATO command center. It sits on a hill overlooking a small town of 6,000 people, mostly known for its Riesling wine vineyards.

“We are tourist-oriented here; it really is very picturesque,” Patrice-Christian-Roger Langer, mayor of Traben-Trarbach, explained. He knows the bunker well because he worked there as a computer programmer in the 1980s and 1990s.

“It is like a giant root system,” he explains. “Only one story is above ground and four underground. The only way to differentiate between each floor is through color-coding on the walls. Visitors would often come and have no idea if they were at ground level or tens of meters underground.”

After the end of the Cold War, the bunker gradually fell into disuse and the German government eventually sold it to Johan X. in 2013. Langer says the town council had no say in the sale, and there was much speculation about Johan X. and his plans for the bunker.

The ‘sinister’ dark web

Johan X.* and the other defendants are accused of having run a “bulletproof hosting” service for websites, in which they offered clients the opportunity to run secret online operations.

“There is no consistent meaning for the dark web,” explains Professor Steven Murdoch, expert in security engineering at University College London. “Most commonly it is used as a reference for sinister stuff on the Internet — because it sounds a bit sinister. And bulletproof hosting is entirely unrelated to the dark web, but sometimes might involve the same people.”

Johan X. expressly offered “bulletproof hosting” for Cyberbunker customers from the beginning, which allows clients to access the darknet, where some of the internet’s most nefarious operations take place. He initially advertised that Cyberbunker would host ==>websites with anything except “child pornography and anything related to terrorism.”

“Bulletproof hosting is for services that are normal internet services but are either illegal or illicit,” Professor Murdoch explains. “But it is important to remember that most bad stuff on the internet happens on the normal internet.” He cited one study by the British Internet Watch Foundation into child abuse images and found that less than 1% of those images were accessed through so-called onion services, that help anonymize the user.

==>”The principle that organizations are not responsible for their customers is a good one, and quite widely held,” says Murdoch. “As soon as you are a large organization, there will be terrible people using your services. So the question is — what proportion of your customers are terrible people?”

The proportion is the key part because major internet hosting services like Amazon may well facilitate millions of cases of illegal online activity. But given their mammoth size, this makes up only a tiny proportion of their service, Murdoch points out.

==>The defense attorneys this week argued that the group around Johan X. were unaware of what content and transactions were being carried out on the websites hosted by the bunker’s servers.

With the trial set to last over a year, the public prosecutor says the trial will cover “new legal ground.”

Even if prosecutors can prove that Johan X. and his team knew about the activity,
==>the key question of the trial is whether an internet service provider has any right to act on this knowledge.

Germany is a country where data privacy is fiercely protected:
!!!!electronic payment methods are still unusual in large swathes of the country partly because of fears about data mining. Mayor Langer is among those who see the case as an opportunity to reexamine some of these regulations.”

Good video 42 minutes inside as well. Enjoy!

Wael October 24, 2020 4:35 PM

@name.withheld.for.obvious.reasons,

How about the 12 Days of Christmas,

I think that’s doable. But I have to stick more than one candidate in it. I don’t want to start a political issue! Gimme some time 😉

vas pup October 24, 2020 5:26 PM

Individuals may legitimize hacking when angry with system or authority

https://www.sciencedaily.com/releases/2020/10/201022125522.htm

“University of Kent research has found that when individuals feel that a system or authority is unresponsive to their demands, they are more likely to legitimize hacker activity at an organization’s expense.

===>Individuals are more likely to experience anger when they believe that systems or authorities have overlooked pursuing justice on their behalf or listening to their demands. In turn, the study found that
=>if the systems or authorities in question were a victim of hacking, individuals would be more likely to legitimize the hackers’ disruptive actions
!!!!as a way to manifest their own anger against the organization.

With more organizations at risk to cyber security breaches, and more elements of individuals’ social lives taking place online, ==>this research is timely in highlighting how hackers are perceived by individuals seeking justice.

The research, led by Maria Heering and Dr Giovanni Travaglino at the University of Kent’s School of Psychology, was carried out with British undergraduate students and participants on academic survey crowdsourcer, Prolific Academic. The participants were presented with fictional scenarios of unfair treatment from authorities, with complaints either dismissed or pursued, before they were told that hackers had defaced the authorities’ websites. Participants were then asked to indicate how much they disagreed or agreed with the hackers’ actions.
=>These hackers were predominantly supported by participants perceiving them as a way to ‘get back at’ the systems who do not listen to their demands.

===>Maria Heering said: ‘When individuals perceive a system as unjust, they are motivated to participate in political protest and collective action to promote social change.

!!!!However, if they believe they will not have voice, they will legitimize groups and individuals who disrupt the system on their behalf.”

My nickel: a sense of fairness is inside all of us from the day we were born; even our close relatives, orangutans, become very angry when treated unfairly: distribution as reward of their special food, grapes versus banana, for the SAME task performed.

So, do we agree that life is not fair or…

vas pup October 24, 2020 5:37 PM

Seeing no longer believing: the manipulation of online images
Online images are not always what they seem, especially on social media
https://www.sciencedaily.com/releases/2020/10/201021112337.htm

“A peace sign from Martin Luther King, Jr, becomes a rude gesture; dolphins in Venice’s Grand Canal – manipulated or mis-used images posted as truth. Researchers say image editing software is so common and easy to use, it has the power to re-imagine history. Even the White House is doing it and deadline-driven journalists lack the tools to tell the difference, especially when images come from social media.

Image editing software is so ubiquitous and easy to use, according to researchers from QUT’s Digital Media Research Centre, it has the power to re-imagine history.

===>And, they say, deadline-driven journalists lack the tools to tell the difference, especially when the images come through from social media.

Their study, Visual mis/disinformation in journalism and public communications, has been published in Journalism Practice. It was driven by the increased prevalence of fake news and how social media platforms and news organizations are struggling to identify and combat visual mis/disinformation presented to their audiences.

===>”When it is possible to alter past and present images, by methods like cloning, splicing, cropping, re-touching or re-sampling, we face the danger of a re-written history — a very Orwellian scenario.”

Examples highlighted in the report include photos shared by news outlets last year of crocodiles on Townsville streets during a flood which were later shown to be images of alligators in Florida from 2014. It also quotes a Reuters employee on their discovery that a harrowing video shared during Cyclone Idai, which devastated parts of Africa in 2019, had been shot in Libya five years earlier.

===>”While journalists who create visual media are not immune to ethical breaches, the practice of incorporating more user-generated and crowd-sourced visual content into news reports is growing. Verification on social media will have to increase commensurately if we wish to improve trust in institutions and strengthen our democracy.”

!!!!!!”The lack of user-friendly forensic tools available and low levels of digital media literacy, combined, are chief barriers to those seeking to stem the tide of visual mis/disinformation online.”

“Despite knowing little about the provenance and veracity of the visual content they encounter, journalists have to quickly determine whether to re-publish or amplify this content,” he said.

“The many examples of misattributed, doctored, and faked imagery attest to the importance of accuracy, transparency, and trust in the arena of public discourse. People generally vote and make decisions based on information they receive via friends and family, politicians, organizations, and journalists.”

The researchers cite current manual detection strategies — using a reverse image search, examining image metadata, examining light and shadows; and using image editing software — but say more tools need to be developed, including more advanced machine learning methods, to verify visuals on social media.”

There is link to the video at the bottom of the article. Enjoy!

Matrix October 24, 2020 5:43 PM

@name.withheld.for.obvious.reasons

” […] Don’t remember the complete API architectural specification–heck even the name of it escapes me now […]”

Check Tavis Ormandy’s research on the Microsoft CTF Protocol.

name.withheld.for.obvious.reasons October 24, 2020 6:40 PM

12 JUN 2020 — REPORTED BY NEWSWEEK, WEEKLY STANDARD, ETC.
CONTRIBUTORS NOTE:
Seems I missed this one; on a much lighter note but within the realm of information warfare.

Among a number of press orgs there was a segment pumped out from “Fox News” (as in sewage spillway) that demonstrates just how maligned and egregious their responsibility to the public is when exercising their publishing license (i.e. a press organization). I would like to see someone argue, successfully, that Fox News is a press organization. It has been Assange, without a single failed attribution, that is in the docket–not Fox News (or SkyNews, or the Wall Street Journal).

NOISE IS NOT NEW(S)
John Cleese of Monty Python fame managed to punk “Fox News” (I call faux noise), after attributing a piece that used quotes from the peasant dialog scene in the movie “The Holy Grail”. Reporting from a story published on Reddit, they referred to the “An Anarcho-Syndicate Commune” scene as the issues of infighting during the recent Seattle rebellion.

hZZ ps://www.newsweek.com/john-cleese-says-that-no-one-fox-news-has-ever-seen-monty-python-holy-grail-it-shows-1511006

(URL: mangled for your pleasure, or is it ribbed)

name.withheld.for.obvious.reasons October 24, 2020 6:44 PM

@ Matrix
Thanks, it’s “something starting with C and Text Framework (CTF)” as I partially remember. I hope it is a critical analysis, as I saw it most people skipped right past this detail.

By the way, are you “Red Pilling” me? Rhetorical, don’t have to answer. Again, thanks.

Matrix October 24, 2020 7:12 PM

Sorry for the glitch, but regarding my last comment on the Microsoft CTF protocol, I should have provided some link for better understanding. So here it is:
http s://googleprojectzero.blogspot.com/2019/08/down-rabbit-hole.html

Wesley Parish October 24, 2020 7:45 PM

Well, it had to rear its ugly head again:

Palo Alto Networks threatens to sue security startup for comparison review, says it breaks software EULA
https://www.theregister.com/2020/10/23/palo_alto_orca_lawsuit/

Israel-based Orca Security received a cease-and-desist letter from a lawyer representing Palo Alto after Orca uploaded a series of online videos reviewing one of Palo Alto’s products and comparing it to its own. Orca sees itself as a competitor of Palo Alto Networks (PAN).

To wit:

“It’s outrageous that the world’s largest cybersecurity vendor, its products being used by over 65,000 organizations according to its website, believes that its users aren’t entitled to share any benchmark or performance comparison of its products,” said Orca.

But wait, there’s more:

Shua told The Register Orca tried to give its rival a fair crack of the whip: “Even if we tried to be objective, we would have some biases. But we did try to do it as objectively as possible, by showing it to users: creating labs, screenshots, and showing how it looks like.” The fairness of the review, we note, is not what is at issue here: PAN forbids any kind of benchmarking and comparison of its gear.

This sort of legal chicanery is trademarked snake oil salesman in my books; it also indicates that Palo Alto are running scared that their product isn’t nearly as good as their price range would suggest. In other words, Palo Alto may well be facing the kind of backlash Microsoft got in the 90s and early 2000s when their products had the security of a soggy toilet roll.

SpaceLifeForm October 24, 2020 7:54 PM

@ Matrix, Clive

Funny you bring up rabbit hole.

Did you see that mentioned here recently?

Here, google this:

“You are being MICROattacked, in a SOFT manner”

xcv October 24, 2020 9:31 PM

@ vas pup

“Bulletproof hosting is for services that are normal internet services but are either illegal or illicit,” Professor Murdoch explains.

==>The defense attorneys this week argued that the group around Johan X. were unaware of what content and transactions were being carried out on the websites hosted by the bunker’s servers.

With the trial set to last over a year, the public prosecutor says the trial will cover “new legal ground.”

No. There’s not really anything “new” here. It’s a “county sheriff” problem. Somebody (allegedly) raped the farmer’s daughter out on the farm and in any event ended up on the sheriff’s registered sex offender list. So the defense plays the prosecution like perverts in cases like this, drawing out the trial and expending the plaintiff’s resources.

It’s a SLAPP == Strategic Lawsuit Against Public Participation.

Similar to a defense against the DMCA (Digital Millennium Copyright Act) takedown orders frequently served on providers of information on how to “hack” or circumvent copyright or other “intellectual property” protection mechanisms for use on open source software.

Wal October 25, 2020 12:35 AM

@xcv

In Western Australia we actually have pedophiles in the justice system and they use SLAPP quite effectively. Also the witnesses have a very high rate of death at a young age, most of the witnesses don’t turn up to court, or the offenders die of old age before the prosecution is finished. They try and hack all your equipment, including conversations with lawyers, medical equipment and records, all the ‘strictly legal’ stuff.

One of the offenders is currently being prosecuted, it’s only 35 years since first investigations and charges were laid, and he is only one of many in the investigation. Though they did prosecute the abuse trauma specialist who was abusing abused children that were sent to him for treatment.

It is something special to behold to stand before a judge who tried to rape and strangle you, and he is running one of the cases. You know the justice system is working well when you are a protected witnesses and a man you have multiple legal restraints against is running your case and the cases of other victims of abuse. I guess I should congratulate the state justice system for a job well done.

Clive Robinson October 25, 2020 2:42 AM

@ name.withheld…, Wael,

As the Christian holiday of Christmas approaches, I thought…

Err, bit of an assumption there.

Remember we still have “Halloween” and “fireworks night” to get through first. And the latter may not be an entirely British affair this year, with the potential for Fat Man and Little Boy to do their thing. Thus the X in Xmas might have real meaning…

But ask yourself this: traditionally one turkey gets a reprieve to live another day, so which one will it be this year? There might be a more appropriate carol with “ring out those hells tonight” starting the chorus. You can see the full words here,

https://www.mumsnet.com/Talk/Christmas/1925026-Whats-the-words-to-Little-Donkey

Speaking of which, a lady friend was somewhat shocked by Mumsnet and Xmas carols and this page,

https://www.mumsnet.com/Talk/am_i_being_unreasonable/1633318-to-teach-my-kids-rude-lyrics-to-Christmas-carols-And-can-you-expand-my-repertoire

I suggest reading the link before clicking…

Wael October 25, 2020 2:53 AM

@Clive Robinson,

I saw it, and my reply to you disappeared as well. Perhaps we’re treading on thin ice already!

SpaceLifeForm October 25, 2020 3:47 AM

@ Ismar, Clive

They could have used a much cheaper generator to prove the attack.

But, I guess the hardware forensics were better for the $300K.

name.withheld.for.obvious.reasons October 25, 2020 3:59 AM

@ MODERATOR — LAST POST IN ERROR, WRAPPER MISSING — PLEASE DELETE
RELATED TO RECENT BLOG ANOMALIES — Extracted from the latest 100 comments page

@ Clive, Wael, SpaceLifeForm, and the unusual suspects – in the numeric sequence of comment IDs there are some holes that are (for the most part), I am guessing, BLOG SPAM.

span serially complete 67-86

span serially complete 38-51

name.withheld.for.obvious.reasons October 25, 2020 4:05 AM

@ Clive
Are you suggesting that Guy Fawkes is part of Anonymous, or is he really Q of QaNoN?

Coded message in Q-key C/W based on 10-10, 40 meters.

SpaceLifeForm October 25, 2020 4:26 AM

@ Clive, Wael, name

We shall see if the Phoenix is hiding in the bathtub or dish sink.

Clive Robinson October 25, 2020 7:22 AM

@ SpaceLifeForm, Matrix,

Where Alice leads, I found,

“The fact that “Microsoft Foundation Class” might be expunged from the world, for some reason makes me feel somewhat “up beat” about the “SHTF””

Yup, it’s a thought to savour…

Clive Robinson October 25, 2020 7:36 AM

@ name.withheld…, Matrix,

With regards “Microsoft CTF protocol”

Yes, many OSes have this or its equivalent.

Have a look at AT&T Sys V and “streams” I/O for one of the originators of the idea.

Intrinsically there is not much wrong with the idea as long as you take appropriate security precautions.

But get the implementation wrong in any way, and your tunnel from warren to surface will get a nasty in it… be it canids vulpes or lupus, those teeth are sharp.

Clive Robinson October 25, 2020 8:32 AM

@ name.withheld,

Are you suggesting…

No, think more of events and what happens in mainland Britain on “fireworks night”.

Whilst the 5th of November Act[1] has been repealed, it only took out the duller parts of the observance. Although the children’s custom of “Penny for the guy” is more or less gone, the night time still calls for much wood, effigies and gunpowder, and other powders most foul[2]. With organised displays offering baked potatoes, sausage in a bun and other foodstuffs involving fried onions and the like, it is one of the few chances children get to see a real fire burning bright in the night without the trauma other fires bring. Then there are the firework displays… As it happens there are other festivals that celebrate the changing of the seasons and fireworks are part of those, and in certain parts of the country the celebrations go on for a week.

Sadly though there is an Americanisation happening with “All Hallows”, traditionally in Britain seen as a marking of the change of the seasons, now raucous with children seeking sugar highs and tooth rot, and adolescents throwing eggs.

However what will happen to both celebrations this year with COVID-19 restrictions I’m not sure…

[1] https://en.m.wikipedia.org/wiki/Observance_of_5th_November_Act_1605

[2] https://en.m.wikipedia.org/wiki/Fireworks_night

P.S. Just to remind people, this weekend was “put the clocks back” in some parts of the world so make the most of the extra hour whilst you can.

Anders October 25, 2020 9:25 AM

hxxps://hackaday.com/2020/10/21/google-meddling-with-urls-in-emails-causing-security-concerns/

Clive Robinson October 25, 2020 10:28 AM

@ Ismar, SpaceLifeForm, ALL,

I remember the, “Aurora Generator Test” well, it was a stupid but necessary thing to do.

An accident from about a decade or so earlier had shown what happens when an out of sync gen set gets dropped onto the grid, so the results of the test were known. The accident had happened due to a mechanical component breaking, and other damage followed as a result. Whilst the damage was repairable there was a considerable time of outage, so the message was clear last century.

You can, by the way, demonstrate this for yourself using car alternators driven by DC motors, something I used to show engineering students, and it quite happily turned a six inch nail to molten droplets in the process as the “safety fuse”, a lesson I suspect few forgot. It’s also the reason, by the way, that you should not connect wind generators together directly or to an AC power source (something some “off gridders” learn the hard way).

So yes it was stupid because the results were known well in advance, thus the experiment was little more than wanton vandalism.

But it really, really was necessary as a wake up call. Because the “it’s got a computer so won’t do that” mentality was crawling through the Industrial Control System (ICS) industry as old hands who had used mechanical components and ladder logic retired out and young bucks with over self confidence moved in…

Sadly if you read the Wikipedia page[1] you will see that many of the proposals still do not “grok the reality” of the problem and thus the US grid in particular is still very very susceptible to the problem as the required mitigations have not happened.

As an “incoming engineer” to ICS I was unusual because I was certainly a “young buck” and I went in on the design side, which was quite unusual at the time. But the demonstrations to trainee engineers I was involved with had been built by the old hands and they taught me much that has mostly been forgotten in modern text books and the like. Stuff that others really need to learn and stop their “magic thinking”.

By the way it’s not just generator sets that have these narrow control band issues. When you have a failure in a gen set it’s the power supply that goes out, but people in their homes mainly don’t get hurt, just annoyed at unreliable service providers. But with gas pipelines the story is different, and they are even worse, a lot worse. Because they have a narrow range of working pressures that, if you get them wrong, blow up or set on fire people’s homes, as was discovered not so long ago in three US towns near Boston[2] and quite a few other places, and even billion dollar fines do not get these companies to do the maintenance work they should do as next quarter’s profit is still more important…

But it gets worse, look at what went wrong with Piper Alpha, a production rig in the North Sea[3]. What went wrong can easily be reproduced on other platforms today if you know what control circuits to fritz with.

One result of the Piper Alpha disaster was the 180 day Cullen enquiry, that highlighted ‘safety malaise by regulation’ as a major issue. In that, that which was regulated was done, that which was not, was not… Thus the enquiry recognised the important concept that,

“The primary responsibility for safety lies with those who create the risks and those who work with them. That is the legal and moral obligations for safety are the responsibility of the management and operators of any operation or installation.”

I could go on but I think most people around here can work out that “computers are vulnerable”, thus they have to be mitigated for safety’s sake in ways not involving computers, and such systems have to be maintained properly for their quarter to half century or more in service lifetimes…

[1] https://en.m.wikipedia.org/wiki/Aurora_Generator_Test

[2] https://www.wsj.com/articles/officials-probe-fires-explosions-that-damaged-dozens-of-homes-near-boston-1536933528

[3] https://www.thechemicalengineer.com/features/piper-alpha-the-disaster-in-detail/

Anders October 25, 2020 11:08 AM

hxxps://edition.cnn.com/2020/10/22/europe/edward-snowden-russia-residency-intl/index.html

So what US does now?

JG4 October 25, 2020 11:13 AM

If we live long enough, we all will have health problems. Nonetheless, sorry for the less than ideal situations. Doing OK here, which continues to be a pleasant surprise for three years now. Thirty to sixty if you overlook a few spots of bad luck like being poisoned by mineral deficiencies, second-hand smoke, leaded gasoline and others too numerous to recount.

I am interested in devoting my remaining years to real-time health diagnostics. It would be pretty easy to think of a hypervisor as a real-time system health monitor. I’d include detection of internal environment and external environment for toxins, whether they be ubiquitous, accidental or malicious.

I may have stopped short of saying that the most valuable activities on your planet are enhancing cognitive and sensory capabilities, just like our adversaries are doing as fast as they can. Some of them with misallocated taxes.

Links 10/25/2020 – 10/25/2020
https://www.nakedcapitalism.com/2020/10/links-10-25-2020.html

Facebook demands academics disable ad-targeting data tool AP

Our Famously Free Press

With the Hunter Biden Expose, Suppression is a Bigger Scandal Than The Actual Story Matt Taibbi.

Intelligence Community

The code-breakers who led the rise of computing Nature. The headline is deceptive. The deck is better: “World wars, cold wars, cyberwars — marking a century of state surveillance at GCHQ.” The Five Eyes is mentioned only in the text.

Why the NSA Told Henry Kissinger to Drop Dead When He Tried to Cut Intel Links with Britain Daily Beast

Without a ‘Right to Garden’ Law, It May Be Illegal to Grow Your Own Food Civil Eats

Hold Your Lugnuts: A Right to Repair Automotive Opera in Seven Scenes Dig Boston. Right-to-repair is covered regularly at NC. See, e.g., here, here, here, and here.

Evolutionary Psychology: Predictively Powerful or Riddled with Just-So Stories? Areo

Winter October 25, 2020 12:35 PM

@All
“I remember the, “Aurora Generator Test” well, it was a stupid but necessary thing to do.”

Those who are interested in industrial (and electronic lock) security should have a look at the presentations and writings of Lesley Carhart.

She has a blog with very infrequent entries, but it contains links to her presentations:
hxxps://tisiphone.net/

Or just search youtube for her name.

Spenser Cron October 25, 2020 1:14 PM

@Winter

I searched for “tisiphone” but all I found were a lot of articles on Greek mythology.

JonKnowsNothing October 25, 2020 2:35 PM

Continuing the series on The Bank of Mom and Dad:
    Analysis on the Value of COVID-19 Tests & Supplies

2 updates 10 25 2020:
A. Update on Taxation of COVID-19 supplies
B. Update on Savings from COVID-19 deaths of elderly

A. Update on Taxation of COVID-19 supplies 10 25 2020
A previous analysis showed the income tax value of 1 COVID-19 Hospital Test ( $1331 / test) = $4BILL

Recap:
  * One set of COVID-19 tests cost $1331 USD
  If COVID-19 tests become a taxable benefit,
  the tax value to the State of California (10 06 2020) would be
  Gross Income Tax .095 * $41,127,900,000 = $3,907,150,500

The UK has announced they will remove their tax-exempt status for PPE in November 2020. The exemption, first enacted in May 2020, had estimated savings of £300MILL in the private sector.

  * The VAT tax on PPE = 20%
  * The California Income Tax analysis rate = 9.5%
  * Gross Sales Value £1,500,000,000

Sales taxes are highly regressive tax schemes. Poor people pay a larger share of their income than wealthy people. M Bezos has better income flex to absorb a 20% increase in Add-On-SalesTaxes than unemployed/underemployed persons. In practice regressive taxes increase the costs of goods and services (inflationary).

USA unemployment payments and duration of eligibility vary by state.
example:
  low $365 12 weeks/max $4,380 USD
  high $1220 36 weeks/max $31,720 USD
  Jeff Bezos earned $13,000,000,000 in one day $13BILL USD

The estimated £300MILL in private sector savings from Wave 1 in the UK, will be recaptured primarily from consumers and businesses who have little or no choice about sourcing PPE. Businesses can claim PPE as Expenses on their tax returns but they will still need to pay up front and out of pocket for supplies.

B. Update on savings from COVID-19 deaths of elderly 10 25 2020
A previous analysis showed that for every 46,400 deaths in Skilled Nursing Facilities in California, the housing cost savings for 46,400 persons in SNF is @ $4BILL.

Recap:
  Savings on Facility Care Costs Per Death
  * per year self-pay $345,680,000 * 12 = $4,148,160,000
  * per year subsidized $310,880,000 * 12 = $3,730,560,000

CDC report Deaths by Age 10 24 2020
  65 – 74 Years  21.1  34,516
  75 – 84 Years  26.6  43,522
  85+ Years     31.9  52,303
  Total        79.6  130,341

Savings Multiplier 130,341/46,400 = 2.81
Housing Care Savings $4BILL * 2.81 = $11,240,000,000 USD ($11BILL USD)

note: USD UK exchange rates vary. They are not 1:1.

note: There are a lot of zeros. Some may have been added or dropped during the copy. Your numbers may be different.

ht tps://www.theguardian.com/business/2020/oct/23/treasury-confirms-it-is-to-end-vat-waiver-on-ppe-in-uk
ht tps://en.wikipedia.org/wiki/Sales_tax
ht tps://en.wikipedia.org/wiki/Regressive_tax
  Regressive describes a distribution effect on income or expenditure

ht tps://en.wikipedia.org/wiki/Inflation
  inflation (or less frequently, price inflation) is a general rise in the price level in an economy over a period of time, resulting in a sustained drop in the purchasing power of money

ht tps://covid.cdc.gov/covid-data-tracker/#demographics

other data sources: CDC mortality and severity reports, USA Social Security data and life tables, Actuarial Analysis of Risks and Insurance considerations, Real Estate Estimates and Forecasting, various science and research papers, global analysis and reports, local reports and statistics. US Representative Katie Porter COVID-19 Test cost estimates. CA State Skilled Nursing Reports, Medicare-Medicaid data sheets and information sources.

(url fractured to prevent autorun)

SpaceLifeForm October 25, 2020 4:14 PM

@ ALL

Confusion in the Land of Observation and Fonts.

hXXps://twitter.com/NordVPN/status/1318888002123403267

Anders October 25, 2020 4:36 PM

hxxps://yle.fi/uutiset/osasto/news/psychotherapy_centres_database_hacked_patient_info_held_ransom/11605460

name.withheld.for.obvious.reasons October 25, 2020 6:00 PM

@ MODERATOR — DID IT AGAIN–MARKUP ERROR BY SUBMITTER — PLEASE DELETE PREVIOUS

@ Clive
Was hoping you’d pick up on my “Are you suggesting…coconuts migrate?” phraseology. And it seems you threw back:

No think more events and what happens in mainland Britain on “fireworks night”

Remember, remember, the 5th of November. An inference received and acknowledged. Thanks, don’t need to walk the 40m Planck.

Side note: I fondly reminisce of nights on the commons in Cambridge. Chilly nights are, not yet cold, and many people walk the Cam. Bicyclists negotiating continuously with pedestrian traffic, young and old carry on with laughter and merriment whilst looking at the fireworks and stars from the middle of the green. Heading off with friends to the pub for a pint and a round of interesting conversation. Seemed much more civilized than in the United States. Here, a ruckus time is had by picking up a firearm, some ammo, and heading off to a random spot to “shoot something”, anything. I think this goes to the psyche in the states that cultural nuance is not a thing. For many years now, the answer to any problem is “Where’s my gun!”

name.withheld.for.obvious.reasons October 25, 2020 6:10 PM

@ Clive, Matrix

Intrinsically there is not much wrong with the idea as long as you take appropriate security precautions.

From the information I have reviewed so far, my suspicions were correct. But, there’s another aspect that has recently been in the news respecting interprocess communications–which this is not. It is more like interprocess management without documentation or sufficient access controls or perms management. This is a preliminary observation, I have yet to go down the rabbit crevice let alone the “whole hole”. But I am certain there is an answer, and it is not 42.

@ Clive
Are you talking about SYS V semaphores and shared memory interprocess communications? Or, are you talking pipes and I/O control? I would assume the former as pipes are pretty standard across BSD, AT&T, Mach, Minix, QNX, & Xenix.

Anders October 25, 2020 6:15 PM

More.

“Dump includes very sensitive material including full name, SSN, email, phone number, meeting notes”

(i fixed typos)

hxxps://mobile.twitter.com/nulllzero/status/1319184578972651520?p=v

SpaceLifeForm October 25, 2020 7:13 PM

@ Anders, Clive, Wael, Matrix, Winter, name

Everything is broken.

Since 98se, my conclusion was and remains: there is always a bugdoor.

So, I will not use doze.

But, it’s not just there. BGP and DNS are a complete mess.

It’s time to start over based upon lessons learned.

Clive Robinson October 25, 2020 7:38 PM

@ name.withheld…,

Thanks, don’t need to walk the 40m Planck.

But 40m (7.0-7.2MHz) does get out fairly well…

Anyway let’s wait and see how explosive Fireworks Night is in the US, remember you can pick your own effigy to roast to a cinder and beyond up on the bonfire.

As for “where’s my gun” well it might make a loud bang, but visually the result is not even close to a rocket.

Back many years ago when I was quite young, most shops would sell even kids the small fireworks. A friend and I used to buy quite a few and dissect them and sort out the propellant from the charge. The propellant would be put in a suitable container about one third full of powder this would then have a small bonfire lit around it and we would run like the blazes to get far enough away but still be able to watch it blow up…

All jolly good fun back then but all highly illegal these days sadly. I’m of the opinion that getting the mischief out of your system whilst you are young will make you less likely to build big stuff when you are old enough to buy fireworks. I have no idea why but there is something “creative” in blowing things up. One year we built a balsa wood boat and put a fair amount of not just loose gunpowder but the charges from an aerial bomb as well, lit the slow fuse and pushed it into the mid stream of the river and ran along the bank chasing it. When the loose powder caught and flamed up it was quite spectacular, but not as good as a few seconds later when the aerial bomb charges exploded and blew the boat to less than match wood… Happy days of very creative mischievous behaviour…

Clive Robinson October 25, 2020 7:57 PM

@ name.withheld…,

Are you talking about SYS V semaphores and shared memory interprocess communications?

Have a looksee at,

https://en.m.wikipedia.org/wiki/STREAMS

You will see it got into quite a few places including MS NT and Apple OS’s. The exception was Linux where it was considered “too slow” amongst other things (which was true).

The advantage of STREAMS was that you could push several modules into a stream. So a compression/decompression module followed by an encrypt/decrypt module followed by a binary to mod64 coding module would give an application your choice of encryption quickly and fairly easily.

xcv October 25, 2020 10:43 PM

https://apnews.com/article/psychotherapy-cabinets-finland-6b27c895df0abd532a4fb000c9d5d517

HELSINKI (AP) — Finland’s interior minister summoned key Cabinet members into an emergency meeting Sunday after hundreds — and possibly thousands — of patient records at a private Finnish psychotherapy center were accessed by a hacker or hackers now demanding ransoms.

Finnish Interior Minister Maria Ohisalo tweeted that authorities would “provide speedy crisis help to victims” of the security breach at the Vastaamo psychotherapy center, an incident she called “shocking and very serious.”

Since Finland previously sold or shared or traded the data to Estonia, what does the Finnish government now have to complain about?

https://e-estonia.com/estonia-and-finland-to-start-sharing-patient-data-and-thats-just-the-start/

Estonia and Finland once again show what good cooperation between neighboring countries can lead to, as both countries prepare to share patient data with one another.

On 10 May this year, Estonian and Finnish Prime Ministers digitally signed a joint declaration on an initial roadmap for launching data exchange and e-services between Estonia and Finland. It was also agreed that, by the end of 2016, specific action plans would be completed for launching automatic data exchange in the field of commercial registers, population registers, social benefit data, e-prescriptions and maritime affairs.

They’re going military with it, naval, it appears, which makes sense, since healthcare in those areas was historically under the jurisdiction of martial law from the Middle Ages of feudal Europe, implying among other things that doctors were court-martialed for malpractice.

SpaceLifeForm October 26, 2020 2:02 AM

@ Clive

All jolly good fun back then but all highly illegal these days sadly. I’m of the opinion that getting the mischief out of your system whilst you are young will make you less likely to build big stuff when you are old enough to buy fireworks. I have no idea why but there is something “creative” in blowing things up.

I call it chemistry self-education. Made my own black powder.

I can still remember when the cops took my calcium carbide (and fireworks).

Nearly 50 years ago.

Interestingly, a couple days ago, I awoke from a dream.

It was about a physics book, probably published around 1950 (guessing).

I was a curious kid. Still am. Love to read.

Why this particular physics book was in the house, I have no idea.
I must have been about 9 years old. So, I found this book, and really got hooked on it. I could not put it down. It was massive. Guessing near 1000 pages. Huge.

Now, I’m good at math, but at that time, I had not learned any trig or calc.

But, I kept reading it. And reading it. There was stuff I was clueless about. Words that I had never seen before. I would check dictionary but maybe not there.

But, I would keep trying to absorb the information.

And then one day, turning pages, there it was. Something I would never have expected to see.

Nutshell: How to make an atomic bomb.

It was a life-changing experience for me. Like I said, this physics book was huge. It had critical mass.

SpaceLifeForm October 26, 2020 2:20 AM

@ Winter, Spenser Cron, Clive, ALL

FYI: Lesley Carhart is @hacks4pancakes on twitter.

She tends to have more stuff there.

I check her every few days to see what’s up.

Speaking of Daylight Saving Time…

US will Fall Back next weekend, because of All Hallows Eve.
Used to Fall Back this weekend, but it was moved so that there would be a bit more light for the kids trick-or-treating.

I’d prefer to Spring Forward a half-hour next spring and be done with it.

Trivia Question: Do you know how many Time Zones there are?

Clive Robinson October 26, 2020 3:47 AM

@ SpaceLifeForm, ALL,

Since 98se, my conclusion was and remains: there is always a bugdoor.

As well as bugs… With bug / bugdoors a mental image of a PC and OS from this century would not be too dissimilar to a termite infested wooden fence. Still looking good on the outside where the paint is holding it together, but riddled with more holes than a swiss cheese on the inside…

As people might have noticed in the past on this blog, @Nick_P and myself had similar opinions about hardware being infested with bugs / bugdoors as well. We differed slightly on epochs, his was 2005 mine was 1995-2000 depending on motherboard type, not just the CPU level chip set.

My viewpoint also included I/O cards with ROM on as vectors, hence the wide time range. The reason was something I’d explained long before BadBIOS rose up to make people pull their heads out of the sand. It actually goes all the way back to the late 1970’s when Apple were designing the Apple ][…

The thing is when “Flash ROM” started appearing as a preference over EPROM or MaskROM it was definitely “game over” for making assumptions on how trusted your systems were. Because you could run through all sorts of verification steps via secure hashes etc, but 10 mins after being connected to the Internet, one or more of those “bugs / bugdoors” would have new code loaded into a Flash ROM and you would be owned[1].

It’s why I talk about “mitigation” by the likes of “energy gaps” and the like and using microcontrollers to make mandated choke points to cross gaps.

Because it does not matter how many bugs / bugdoors there are if they can not be seen from the outside or reach out to the outside.

It’s one of the big reasons the likes of Mi$o are gradually forcing you to “be connected” one way or another. Give it oh about another year or two, and consumer grade computers will either just not work unless connected or will stop working in a week or a month if they do not get connected. You will be told “It’s for your security” when in fact the exact opposite is the case, being connected is about the most insecure thing you can do[2] with modern PC’s and most consumer level OS’s[3].

[1] The thing people forget is that whilst a CPU with ROM can check the ROM and produce a checksum/hash, if the ROM is not really immutable then the code in the ROM can be changed without having physical access. If the code is changed, the CPU will then report back to you, not the true value of the hash or checksum, but the value the new code tells it to report… Most people have no real way to tell the difference. It was something I thought long and hard about some years ago that gave rise to the “Castle-v-Prison” model and the use of a hardware hypervisor and code execution signature monitoring.

[2] As a friend in the US wryly remarked some years ago about connecting new laptops to the Internet to get the first update, “You’d be safer stripping butt naked and running around Times Sq flapping your arms and squawking like a chicken”. A sentiment I suspect others might nod in agreement with.

[3] Some FOSS OS’s can be connected directly but before you do so with a “PC” you really have to “lock them down” rather more than just “Hardening”. Even then there will still be “bugs / bugdoors” in the hardware you will have to deal with like the various “management engines” and flaky by design comms such as USB, WiFi, Bluetooth, Firewire, etc, etc. Which is why some people use older WiFi AP’s that they have reprogrammed or some Single Board Controllers/Computers (SBC) often using ARM or other core CPUs in System on a Chip (SoC) devices.

Cassandra October 26, 2020 3:59 AM

Re: Palo Alto Networks.

Look up the Oracle DeWitt clause and its history.

Note that benchmarking, in all forms, is open to gaming of the results: e.g. the benchmarking of motor vehicle fuel efficiency. The same applies to IT-related benchmarks, and there is some merit in participants claiming the benchmark favours an opponent. It is very difficult to design a benchmark that all parties will agree that is fair.

Re: Fireworks and their use by minors in the past

I suspect there is a little survivorship bias going on here. At least some of the restrictions are nothing to do with anti-terrorism knee-jerk reactions, but to do with preventing stupid and/or ignorant people from permanently maiming themselves or others, or in the worst case, dying.
That said, I suspect that in not so many years time, old buffers will talk about the Internet and its lack of security in the same way some people now talk about the chemistry sets and fireworks available in their youth. The idea of easy access to such things will be regarded as quaint, if not downright irresponsible. Kids these days are more likely to muck about with ‘hacking’ than explosives.

My late father conducted some very public experiments with pyrotechnics, but was not caught. His brother also had similar leanings.

Re: Physics textbook
I had a similar chemistry textbook, published pre-WWI, IIRC. It detailed the practical preparation of quite a number of ‘interesting’ chemical compounds. Knowing the practical details of how to mix ingredients in a manner that minimises the risk to the experimenter is important, as is recognising when, and how, to take cover. I commend the blog ‘In the Pipeline‘ by Derek Lowe to interested reader, and on this particular topic (it is good in general) read entries tagged ‘Things I Won’t Work With‘ e.g. Things I Won’t Work With: Dioxygen Difluoride. The comments, as here, can be well worth reading.

Cassie

Clive Robinson October 26, 2020 5:20 AM

@ SpaceLifeForm, ALL,

Trivia Question: Do you know how many Time Zones there are?

Well… It depends on what you mean by a “Time Zone”…

The military for instance have 25 standard time zones with “Z / Zulu” being UTC0. The other 24 being hourly “local time” zones. The problem with this is not just summer/winter time with different days to change over; some local time zones are not based on an hour offset from adjacent time zones or even UTC.

If you have the money you can buy a copy of a standard[1] used for expressing not just time but locality as part of the longitude expressed as an identifier or time based offset.

You will find that ISO8601 allows you to have time as fractional as you want it as seconds have a decimal point which is fine for measuring time periods and marking past and future times.

But the time zone add on is a four digit number, that expresses a negative or positive offset that corresponds to your longitudinal position. The first two digits are clock hours and the second two clock minutes, but there are no seconds which would be needed for accurate conversion to sidereal time.

So under ISO8601 the answer to your question would be “There are 24 times 60 or 1440 time zones”.

But as I said that’s not sufficient. There are still places in the world with local ordinances that use Sidereal time not UTC as the reference and “local time” time zone. Unfortunately the Sun moves around its centrum due to the movement of the planets etc and they influence each other’s orbits as well. Also the earth’s orbit is not quite circular either, so sidereal time and UTC can differ by as much as 15 minutes depending on the time of year etc. Which in theory means that some time zones are continuously changing and can therefore be considered to have any number of fixed time offset zones with respect to UTC as the resolution to which you measure time… Not infinite but certainly very large…

So whilst the question might be “trivial” the answer for some is most certainly not as “local time is relative” not just to position but relative velocity between points in space. The relativity difference actually causes problems on the earth’s surface with objects that are in fixed locations such as cell phone towers, so it’s all messy messy messy.

Oh one last thing, if you have to write your own “time routines” do yourself a favour make the beginning of the year the first of March. That way the 400-year cycle of the Gregorian Calendar is much easier to work with as leap days if they happen are the last day of the year and follow a nice easy pattern.

A final thought, if, as appears to be increasingly likely, we get off of the Earth in a meaningful way we will have to come up with new time standards. Many will probably think that one that works within the Solar system should be enough… Sorry it won’t be, we already have man made objects moving out of the solar system as well as other objects moving in and out again thus we will need to know “local time” to galactic coordinates, velocity and direction. Which will mean some quite interesting equations based on the harmonics of the objects involved. As Noel Harrison once sang,

Round like a circle in a spiral, like a wheel within a wheel.
Never ending or beginning on an ever spinning reel.
Like a snowball down a mountain, or a carnival balloon.
Like a carousel that’s turning running rings around the moon.
Like a clock whose hands are sweeping past the minutes of its face.
And the world is like an apple whirling silently in space.
Like the circles that you find in the windmills of your mind.

[1] As with other things “it can pay to shop around” as there are several identical or almost identical standards,

1, ISO8601 & ISO8601-2:2019
2, ANSI INCITS 30-1997 (R2008)
3, NIST FIPS PUB 4-2

More importantly they not only are used for time values but time zones and also for time durations. But importantly don’t work with sufficiently historic dates and times, for which there are an eye wateringly large number of exceptions and changes… They also do not handle “leap seconds” at all well at any time. Which is why it’s way better to stick with UTC/Z and add a time zone modifier if you are ever having to use “wall time” inside of a computer[2], in which case start by reading RFC 3339.

[2] But whatever you do, do not use any of the common standards if you intend your computer to travel or leave the earth’s surface… They are not designed to handle that. Even passenger aircraft suffer from general relativity issues depending in which direction they fly…

[3] You can get a quick overview of ISO 8601 from Markus Kuhn from a page he has at the UK Cambridge computer labs,

https://www.cl.cam.ac.uk/~mgk25/iso-time.html

But he does not go into Time Zones sufficiently well…
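
Clive’s first-of-March tip, worked through as an added example (this is my code, not from the comment or from any standard it names): with the year shifted to begin on 1 March, February’s leap day is always index 365 of the shifted year, and the 400-year Gregorian cycle reduces to a few integer divisions. The arithmetic is the public-domain days_from_civil / civil_from_days formulas published by Howard Hinnant; the 1970-01-01 epoch and the helper names are my choices.

```python
# Added example (not from the comment): proleptic Gregorian date arithmetic with the
# year shifted to start on 1 March, so that a leap day (29 Feb) is always the last day
# of the shifted year. Same integer arithmetic as Howard Hinnant's days_from_civil.


def is_leap(year: int) -> bool:
    """Gregorian rule: every 4th year, except every 100th, except every 400th."""
    return year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)


def shifted_year_and_month(year: int, month: int):
    """Map a civil (year, month) onto the March-based year.

    Returns (y, mp): mp is 0 for March ... 11 for February, and y is the civil
    year in which the shifted year began (January and February belong to the
    previous shifted year)."""
    y = year - 1 if month <= 2 else year
    mp = month - 3 if month > 2 else month + 9
    return y, mp


def day_of_shifted_year(year: int, month: int, day: int) -> int:
    """0-based day index within the March-based year: 0 = 1 March, 365 = 29 Feb."""
    _, mp = shifted_year_and_month(year, month)
    # From March the month lengths run 31,30,31,30,31 | 31,30,31,30,31 | 31,(28/29);
    # (153*mp + 2)//5 is the cumulative day count of that repeating 5-month pattern,
    # which is why no leap-year test is needed here.
    return (153 * mp + 2) // 5 + day - 1


def days_from_civil(year: int, month: int, day: int) -> int:
    """Days since 1970-01-01 for a proleptic Gregorian date (negative before it)."""
    y, _ = shifted_year_and_month(year, month)
    era = y // 400                    # Python // floors, so negative years work too
    yoe = y - era * 400               # year of era, 0..399
    doy = day_of_shifted_year(year, month, day)
    doe = yoe * 365 + yoe // 4 - yoe // 100 + doy   # day of era, 0..146096
    return era * 146097 + doe - 719468   # 719468 = days from 0000-03-01 to 1970-01-01


def civil_from_days(days: int):
    """Inverse of days_from_civil: (year, month, day) for days since 1970-01-01."""
    z = days + 719468
    era = z // 146097
    doe = z - era * 146097
    yoe = (doe - doe // 1460 + doe // 36524 - doe // 146096) // 365
    y = yoe + era * 400
    doy = doe - (365 * yoe + yoe // 4 - yoe // 100)
    mp = (5 * doy + 2) // 153
    day = doy - (153 * mp + 2) // 5 + 1
    month = mp + 3 if mp < 10 else mp - 9
    return (y + (1 if month <= 2 else 0), month, day)


def roundtrip_ok(year: int, month: int, day: int) -> bool:
    """Sanity check: a date survives conversion to a day count and back."""
    return civil_from_days(days_from_civil(year, month, day)) == (year, month, day)


if __name__ == "__main__":
    print(day_of_shifted_year(2000, 2, 29))   # 365: the leap day closes the shifted year
    print(days_from_civil(2000, 3, 1))        # 11017 days after the 1970 epoch
    print(civil_from_days(-1))                # (1969, 12, 31)
```

The whole point of the shift is visible in day_of_shifted_year: because the leap day is the final day, the cumulative month table never needs to know whether the year is leap, and the 146097-day era handles the century rules by plain division.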

Clive Robinson October 26, 2020 10:19 AM

@ Cassie, ALL,

I commend the blog ‘In the Pipeline‘ by Derek Lowe to interested reader

There is an older book, which I can also recommend,

John D. Clark, Ignition : An informal History of Liquid Rocket Propellants, Rutgers University Press, 1972, ISBN 0-8135-0725-1.

https://library.sciencemadness.org/library/books/ignition.pdf

The introduction is by Isaac Asimov and kind of sets the story if the two preceding before & after photos don’t give a hint.

In it John recommends an essential piece of laboratory equipment we might now call PPE is a good pair of running shoes…

Some things as they say never change.

lurker October 26, 2020 1:27 PM

@Clive, re 5 Nov.
When the Health & Safety people banned skyrockets the oriental makers of such devices already had other ways of putting coloured fireup in the sky. Now instead of a rocket carrying the charge aloft with a gentle hiss, we have an artillery piece on the ground to hurl the payload. I find myself sympathising with the wowsers who are using noise as an excuse to try and ban all sales to the public.

ferritecore October 26, 2020 1:35 PM

@Clive,

There are still places in the world with local ordinances that use Sidereal time not UTC as the reference and “local time” time zone.

Surely you misspoke. Sidereal time would be most inconvenient, with a different length of day than the rest of the world and noon working its way all around the clock with the seasons.

You must mean local solar time.

Back to my telescope controller project…

lurker October 26, 2020 1:39 PM

@Clive

do yourself a favour make the begining of the year the first of March.

Thanks, that makes more sense than my efforts of putting a solar almanac on an HP41C. I used perihelion as the internal year start to simplify my solution of Kepler’s equations, but the wobbling around the first few days of January was ugly.

Cassandra October 26, 2020 2:13 PM

@Clive Robinson

One of the reasons I commended the comments on the blog ‘In the Pipeline‘ was that they provide some interesting links to reading like ‘Ignition’. There were, and are, some real characters dealing with exotic chemistry.

Cassie

Clive Robinson October 26, 2020 3:32 PM

@ ferritecore,

Surely you misspoke. Sidereal time would be most inconvenient

Yup, sidereal time has a day difference per year than local solar[1] (so ~4mins less a day[2]).

Blame it on a tired brain and trying to do four things at the same time.

[1] For people who have never thought about it, you need two coins of the same size that are milled so the milling can act like gear teeth. If you mark both coins with a spot of ink on the edge and start off with them both aligned, then looking down you rotate both of them once and you get the spots back together. However, try holding one coin fixed and rotate the other coin around whilst that spot is fixed in your view: the other spot goes around twice (try it if you can not see it in your eye). If you now use a smaller coin with half the circumference you will see things are still off by one… That is, there are two different points of view for a rotation period. So in the northern hemisphere the first is where the sun crosses the due south point (solar day) and the second when a star crosses the due south point (sidereal day).

[2] As a first approximation the difference in minutes is

A day is 24 x 60 = 1440mins.

The difference is,

1440 x (1 - (364/365)) ~= 3.945 min/day

However the Earth rotation is such that the average number of days in a solar year is ~365.25 hence we have a leap year every four years (only it’s not quite, hence the year divisible by a hundred rule to remove a leap year). This makes the math easier to do if you do it in an angular measure such as radians or degrees. You can see that being not just calculated but demonstrated with diagrams at,

http://www.celestialnorth.org/FAQtoids/dazed_about_days_(solar_and_sidereal).htm

Oh and the Earth is slowing down so the days are also getting fractionally longer, not that an unaided human can tell.

Céleste and the Mechanics October 26, 2020 10:11 PM

Re: “ rotate the other coin around”

With apologies to Simon de Laplace and Garfunkel

Connection Bundle

Holonomy my old friend
I’ve got to go around again
Because parallel transport not slipping
Left the tangent at the beginning tipping

And the monodromy that was planted
Still remains
It’s a connection bundle

Etc.

Wael October 26, 2020 11:18 PM

@name.withheld.for.obvious.reasons, @Clive Robinson,

I think that’s (12 Days of Christmas) doable.

Forgive me if I retract my statement. I think this will potentially offend many, and I am not ready to open a can of worms. Instead, I’ll give you the choice of a different song — as long as it’s not related to hot political issues or to religion. Actually give me three songs, and I’ll choose one: you know, I have to steganogriphize some security related stuff in the humor 😉

Wael October 26, 2020 11:25 PM

@Anders,

Hayden, amused, turned to his wife and quietly asked:

Somehow I missed this one — my bad (eyes)…
That was 2013, chief! things are a little more advanced now, I would imagine.

SpaceLifeForm October 26, 2020 11:33 PM

@ Winter, Spenser Cron, Clive, ALL

The answer I was looking for as to number of timezones: 25

That is the old way. A thru Z. No J.

The reason for 25 is because of International Date Line quirks.

hXXps://www.world-timezone.com/military-nato-letter-timezones/

Interestingly, a few years ago, I had a discussion with a retired US Coast Guard serviceman. He had crossed the International Date Line, the Equator, the Arctic Circle, and the Antarctic Circle, all on ship. (Different ships, different trips)

We got into a discussion about timezones, and what time it would be if at location X. He said, it was easy, just add or subtract hours from GMT. I said, not so simple.

He was shocked to learn that not everyone uses whole multiple of hours offset from GMT.

And so, here you get 40.

hXXps://forbrains.co.uk/international_tools/earth_timezones

And there are other quirks such as if on land or at sea.

Antarctica has no timezones.

SpaceLifeForm October 27, 2020 12:00 AM

@ Clive

Another rule I have.

Timestamps should only be stored in a database as UTC or GMT, never local.

Disregard differences between UTC and GMT because most people gloss over that.

Point is, no local. If you store a local timestamp, it can be ambiguous unless you also record whether daylight saving time was in effect or not at the time of record. In addition, also store offset from Zulu. And probably also have to store what daylight saving time rule was in effect at that time.

Speaking of leap seconds, there will be more and more in the future due to global warming.

It’s as clear as the time of day.
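
SpaceLifeForm’s storage rule, as an added example (my code, not from the comment): a bare wall-clock reading on the fall-back night has two possible UTC meanings and one on the spring-forward night has none, which is exactly the ambiguity a stored local timestamp carries when someone later tries to line up logs from several systems. The zone is a constructed stand-in with an assumed UTC-6 standard offset and a DST rule modelled on the post-2007 US one (02:00 on the second Sunday of March to 02:00 on the first Sunday of November); the function names are mine.

```python
from datetime import datetime, timedelta

# Added example (not from the comment): why a local timestamp without its UTC offset
# and DST state is ambiguous, and what to persist instead. The zone rule below is a
# constructed stand-in modelled on the post-2007 US rule; the offsets are assumed.

STD_OFFSET = timedelta(hours=-6)              # constructed: standard time is UTC-6
DST_OFFSET = STD_OFFSET + timedelta(hours=1)  # daylight time is UTC-5


def nth_sunday(year: int, month: int, n: int) -> datetime:
    """Midnight (naive) of the n-th Sunday of the given month."""
    first = datetime(year, month, 1)
    return first + timedelta(days=(6 - first.weekday()) % 7 + 7 * (n - 1))


def dst_bounds_utc(year: int):
    """UTC instants (naive datetimes) at which DST starts and ends in this zone."""
    start_local_std = nth_sunday(year, 3, 2).replace(hour=2)   # 02:00 standard time
    end_local_dst = nth_sunday(year, 11, 1).replace(hour=2)    # 02:00 daylight time
    return start_local_std - STD_OFFSET, end_local_dst - DST_OFFSET


def dst_in_effect(utc_naive: datetime) -> bool:
    start, end = dst_bounds_utc(utc_naive.year)
    return start <= utc_naive < end


def candidate_utc_instants(iso_local: str) -> list:
    """Every UTC instant a bare local wall-clock reading could denote.

    One element for a normal time, two for the repeated hour at fall-back, none
    for the skipped hour at spring-forward. Returned as ISO-8601 strings in Z."""
    local = datetime.fromisoformat(iso_local)   # naive: no offset, no DST flag
    cands = []
    as_dst = local - DST_OFFSET                  # UTC = local - offset
    if dst_in_effect(as_dst):                    # valid only if DST really applied then
        cands.append(as_dst)
    as_std = local - STD_OFFSET
    if not dst_in_effect(as_std):                # valid only if standard time applied then
        cands.append(as_std)
    return [c.strftime("%Y-%m-%dT%H:%M:%SZ") for c in sorted(cands)]


def store_record(iso_local: str, fold: int = 0) -> dict:
    """What to persist: the UTC instant plus the offset and DST flag it was read under.

    fold=0 picks the earlier (daylight) reading of a repeated hour, fold=1 the
    later one, following the PEP 495 convention."""
    cands = candidate_utc_instants(iso_local)
    if not cands:
        raise ValueError(f"{iso_local} does not exist in this zone (spring-forward gap)")
    if fold >= len(cands):
        raise ValueError(f"{iso_local} is unambiguous; fold={fold} has no meaning")
    utc = datetime.strptime(cands[fold], "%Y-%m-%dT%H:%M:%SZ")
    dst = dst_in_effect(utc)
    offset = DST_OFFSET if dst else STD_OFFSET
    return {
        "utc": cands[fold],
        "offset_minutes": int(offset.total_seconds() // 60),
        "dst": dst,
    }


if __name__ == "__main__":
    # Constructed readings: the repeated hour, the skipped hour, and a plain summer time.
    print(candidate_utc_instants("2020-11-01T01:30:00"))   # two instants, an hour apart
    print(candidate_utc_instants("2020-03-08T02:30:00"))   # [] : that wall time never happened
    print(store_record("2020-07-04T12:00:00"))
```

Storing the UTC string alone answers the ordering question; keeping offset_minutes and dst alongside it lets a reviewer reconstruct what the originating clock displayed, which is the detail the comment says you would otherwise have to recover from the DST rule in force at the time.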

Anders October 27, 2020 12:35 AM

@ALL

Bad news for all kids – due to travel restrictions
Santa won’t be able to distribute presents this year.

SpaceLifeForm October 27, 2020 12:48 AM

@ Clive, Anders, Winter, Wael, name

Followup to:

hXXps://www.schneier.com/blog/archives/2020/10/friday-squid-blogging-chinese-squid-fishing-near-the-galapagos.html/#comment-357446

Remember the Twitter hack with the bitcoin spam?

I always questioned the story. And I still do.

And I can envision at least two scenarios as to what is happening at Twitter.

And none of them are clearly positive.

It sure seems like Twitter is being very hush hush. Almost Glomar.

I do not understand why they just don’t release a statement saying:

“Due to an ongoing investigation, we have no further comment at this time”

hXXps://www.forbes.com/sites/zakdoffman/2020/10/25/trumps-twitter-hacker-dismisses-white-house-denials-says-he-has-evidence/#23be88793785

As to the fact that an overseas IP address was able to gain unchallenged access, Gevers accepts that “it is indeed very questionable that a foreign IP address could login in his account. In 2016 this was not possible because of a geofencing security measure. So, something must have gone wrong this time because it appears that the security was much better in 2016.

SpaceLifeForm October 27, 2020 1:03 AM

@ ALL

British study shows evidence of waning immunity to Covid-19

hXXps://www.cnn.com/2020/10/26/health/covid-19-immunity-wanes-large-study-finds/index.html

Researchers who sent out home finger-prick tests to more than 365,000 randomly selected people in England found a more than 26% decline in Covid-19 antibodies over just three months.

“We observe a significant decline in the proportion of the population with detectable antibodies over three rounds of national surveillance, using a self-administered lateral flow test, 12, 18 and 24 weeks after the first peak of infections in England,” the team wrote in a pre-print version of their report, released before peer review.

The study has limits. The samples were not taken from the same people over and over again, but from different people over time. It’s possible people who had been exposed to the coronavirus were less likely to take part over time and that may have skewed the numbers, researchers said.

SpaceLifeForm October 27, 2020 1:40 AM

@ Cassie

Thanks for the link.

Of course, I immediately went to this article:

hXXps://blogs.sciencemag.org/pipeline/archives/2020/10/14/immunity-and-re-infection

Fourth – and here’s where we start digging into some details – note that the mutations in both of these new re-infection cases have nothing to do with the Spike protein. There’s no change in the Spike in the Nevada sequences (they both had D614G), and the changes in the Netherlands sequences are conserved ones that don’t lead to changes in the protein in that region. Antibodies don’t care about genetic sequences; they respond to the eventual proteins that are displayed, and from what I can see, the Spike proteins of all of these strains are identical.

That’s important for several reasons. For one, the vaccines under development are all raising antibodies and T-cells to the Spike region. That was identified early on as the most promising antigen, building on the work during the SARS and MERS outbreaks. Note also this new paper, a thorough look at the various antibody fractions in patients who have recovered from coronavirus infection. The authors find that Spike-targeting neutralizing antibodies persist out to the limits of their study (five to seven months) while antibodies to the nucleocapsid region (N), which are also raised in most people by infection, disappear more quickly.

SpaceLifeForm October 27, 2020 1:56 AM

@ Clive

hXXps://eprint.iacr.org/2020/1343

This means all these parameter sets fall short of the security requirements set out by NIST.

Clive Robinson October 27, 2020 3:04 AM

@ SpaceLifeForm, Winter, All

And so, here you get 40.

But…

In practical use it gets a little more complicated, as the “civil time zones”, as opposed to the “Military time zones” represented by letters, have a habit of changing throughout the year.

In the UK we have “GMT” which is our “winter time” and “BST” which is our “summer time” or “daylight savings time”. The closer you are to the equator the less meaning “summer time” has. The closer to the poles you are the more meaning it has until you cross the Arctic or Antarctic circles, where you have times of complete darkness or complete daylight for up to several weeks (and people go a little crazy).

So take a timezone drawn on a world map, and as you run your finger up or down it, depending on the time of year it can have two different times, but where and when those times change can be a little complicated…

Because Politicians are in charge of each and every “Civil Time Zone” and as a habit they like to be different where they can, if for no better reason than to make a point…

Thus if you consider Arizona for instance it does not have “Daylight Savings” unless you are a Native American,

https://www.timeanddate.com/time/zone/usa/arizona

And with Brexit the UK’s resident “Time Lord” may well find himself “with time on his hands”. Because, legally the dates the UK changes from GMT to BST and back again are different to those in Europe. So twice a year the “Time Lord” would come down from the upper house (the “House of Lords” or “Revising House”) to the “commons” (the “House of Commons”) with an amendment… To change the date to be in line with Europe.

You might have noticed Australia is one of those places with fraction-of-an-hour time zone offsets. Well it was not that long ago that in several parts of Australia towns picked their own “local time”, thus driving from town to town it was possible to go back and forwards in time…

Oh and speaking of going backwards in time, not all places follow the Gregorian Calendar, or follow the calendar but with a different epoch, new year etc.

Take North Korea it uses the “Juche calendar” with an epoch that is 1912 years different to the year the West considers Standard. But… Just over a decade ago, they decided to change their “New Year” to follow the “Lunar new year” which we in the West have a habit of calling “Chinese New Year”…

Speaking of China, they follow the “Chinese Lunar calendar” in social events and in business the “Gregorian Calendar”. The epoch for the Lunar calendar is four thousand seven hundred and eighteen years ago from March this year but due to the use of the phases of the moon will be different next year.

But it’s not just China and North Korea: Taiwan, Japan and Thailand have civil calendars that are a modification of the widely used Gregorian calendar. So we also have the Minguo calendar, the Japanese Calendar and the Thai solar calendar, with the Thai solar calendar replacing the earlier Thai lunar calendar around a century and a half ago (1888 if my jaded memory serves correctly).

Saudi Arabia is another “two calendar” country following both the Gregorian and Islamic calendars. The Islamic calendar is slightly shorter than the Gregorian calendar, thus the Islamic New Year gets earlier. Thus most events have two dates given. I know there are other readers of this blog more familiar with how it works than I am, so I’ll let them explain the ins and outs of the Islamic calendar.

India is a three calendar country: it has had its own national calendar since 1957 and it is used alongside the Gregorian Calendar, but there is also the Vikram Samvat calendar. All of which is an improvement on the state of things prior to 1955, when there were something like thirty calendars in use. Which depending on who you ask is attributed to either political divisions or tradition, the latter being the more diplomatic assumption.

Speaking of the Vikram Samvat calendar, it is the only calendar used in Nepal. Likewise Ethiopia uses only the Ethiopian Calendar, which has an epoch difference with other calendars, and this “backwards” view is used as a joke in neighbouring countries.

Two other countries that do not use the Gregorian Calendar are Iran and Afghanistan, which both use the Solar Hijri calendar for administrative and religious purposes. Though for reasons most can guess they are having the Gregorian Calendar shoved down their throats.

There is in Britain a “social rule” about not speaking of religion or politics at the dinner table and at other times. Looking at European history over the past millennium should tell people why…

Well the history of the Gregorian Calendar in Europe was driven by religion and its divisions are still felt to this day. But there are two consequences of this you can see in everyday life in the UK. The first is “the movable feast of Easter”, the second is that the tax year starts on the 5th of April… Similar things are visible in other countries, showing the power that religion can have over and above politicians, which should be a warning to us all.

So without going into the many more reasons why you can not move backwards in time without many many quite illogical rules (including Sweden’s 39th of Feb) you can start to see why even current and future times are very difficult to predict and depend on where you are looking as well as when.

So in reality there is rather more to “time differences” than just the 40 time zones you mention, and they are changing all the time… Hence my previous comments about using UTC0[1] for your base time standard for fixed, not mobile computers.

[1] UTC with zero offset can be written in many ways, UTC+-0 being just one of many, but UTC0 being the easiest to type. The thing about UTC is it’s not continuous and can jump by whole seconds. Which is problematic and caused by biannual “leap seconds”; in theory they can be both positive and negative, though so far when they have happened they have been positive. Any software you write has to allow for these jumps, and in reality there is no official way “to do it right”[2]. Which can cause all sorts of problems with, amongst other things, computer security. With logs getting entries at rates of thousands of times a second, sometimes millions, you do not want continuous log entries to get out of order when you search/sort by time. Thus the sensible thing to do in log files is to have an entry serial number as well as a time stamp and use the two appropriately to search, sort and display.

[2] When I design systems I assume the “system clock” will be “free running” and will be inaccurate, with its frequency drifting up and down with temperature and the age of the timing element(s). I further assume that it may optionally be “disciplined” both in frequency and value to external references. But even an atomic clock can give problems as they are not as accurate as you might be led to believe; relativity plays a part even with clocks fixed in position, because time actually moves differently depending on where you are in the world, or as with GPS in Medium Earth Orbit. The question you have to answer is how you discipline the system timing reference and system clock to wall clock differences. Generally the best way to discipline the system timing reference is by gently adjusting its frequency with the likes of a Frequency Locked Loop with a lowpass element time constant that exceeds the expected difference by five to ten times. Which leaves the problem of clock difference: do you make the system clock continuous, thus inaccurate for a while after a UTC leap second, or do you jump with a leap second? It rather depends on the application, thus making both available is sensible even if you do know what the applications are at design time, they will change with time.

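The log-ordering point in footnote [1] above, as an added example that is not part of Clive’s comment. It is a constructed demo: nine log records written 250 ms apart across the 2016-12-31 UTC leap second, on a host that handles the leap second by stepping its clock back so that the wall-clock second 23:59:59 repeats. Sorting by timestamp alone interleaves the two passes through that second; the serial number keeps the true write order and also exposes the step. The record layout, the function names and the sample data are all assumptions of this example.

```python
"""Added example: keeping log order across a clock step.

Constructed demo, not code from the original comment.  A log record
carries both a serial number and a wall-clock timestamp; the serial is
what you sort on, the timestamp is what you search on.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class LogRecord:
    serial: int      # assigned by the logger, strictly increasing
    ts: datetime     # wall-clock UTC as the logger saw it
    msg: str


def make_sample_records():
    """Constructed sample: nine records, one every 250 ms, across the
    2016-12-31 leap second.  After four records the clock reaches
    00:00:00 and is stepped back one second, so 23:59:59 repeats."""
    start = datetime(2016, 12, 31, 23, 59, 59, tzinfo=timezone.utc)
    step = timedelta(milliseconds=250)
    records = []
    for serial in range(1, 5):                       # first pass
        records.append(LogRecord(serial, start + (serial - 1) * step,
                                 f"request {serial} handled"))
    for serial in range(5, 9):                       # repeated second
        records.append(LogRecord(serial, start + (serial - 5) * step,
                                 f"request {serial} handled"))
    records.append(LogRecord(9, start + timedelta(seconds=1), "rollover"))
    return records


def serials_by_timestamp(records):
    """Order by timestamp only (stable sort); returns serial numbers."""
    return [r.serial for r in sorted(records, key=lambda r: r.ts)]


def serials_by_serial(records):
    """Order by serial number; this is the true write order."""
    return [r.serial for r in sorted(records, key=lambda r: r.serial)]


def find_clock_steps(records):
    """Return (serial, delta_seconds) for each record whose timestamp is
    earlier than its predecessor in serial order: a clock step back."""
    steps = []
    ordered = sorted(records, key=lambda r: r.serial)
    for prev, cur in zip(ordered, ordered[1:]):
        delta = (cur.ts - prev.ts).total_seconds()
        if delta < 0:
            steps.append((cur.serial, delta))
    return steps


def records_in_window(records, start, end):
    """Search by time window, then display in serial order: the window
    may span a repeated second, so the serial decides the order inside
    it."""
    hits = [r for r in records if start <= r.ts < end]
    return [r.serial for r in sorted(hits, key=lambda r: r.serial)]


if __name__ == "__main__":
    recs = make_sample_records()
    print("by timestamp:", serials_by_timestamp(recs))
    print("by serial:   ", serials_by_serial(recs))
    print("clock steps: ", find_clock_steps(recs))
```

With the sample data, ordering by timestamp gives 1, 5, 2, 6, 3, 7, 4, 8, 9, while the serial order is 1 through 9, and `find_clock_steps` reports the regression at serial 5. The same check works as a detection rule on a real log: a timestamp that goes backwards between consecutive serials is either a clock step or a record that did not come from the logger that issued the serials.
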
SpaceLifeForm October 27, 2020 3:14 AM

@ Myliit

Attribution is hard. Get popcorn. More later she says.

hXXps://www.emptywheel.net/2020/10/26/part-of-what-i-shared-with-the-fbi/

Cassandra October 27, 2020 3:55 AM

Re: Timezones

Timezones make timestamps on mobile computers ‘interesting’, but a whole new can o’worms is opened up if you start using timestamps to (try and) determine if events in different locations occur before or after each other, especially if the events occur in/on something that is moving (https://en.wikipedia.org/wiki/Relativity_of_simultaneity). Einstein’s theories are pretty well tested and consistent with the idea that there is no absolute time.

Cassandra October 27, 2020 4:08 AM

Re: UTC leap seconds and system logs

I have long wished for a standard monotonic time that ignored leap seconds that computer clocks could be set to. UTC isn’t monotonic. TAI (International Atomic Time) is calculated ‘after the fact’ – you can’t set computer clock to it. If you want to go further down the time rabbit-hole, look into Terrestrial Time (TT).

If you like looking into frustrating insoluble issues, just read this run-down of incorrect assumptions about time from a programmer’s point of view: Infinite Undo!: Falsehoods programmers believe about time.

Cassie

Anders October 27, 2020 5:17 AM

@SpaceLifeForm

I have no problem believing what Gevers claims.
He is well known and why on earth would he pull
off this kind of hoax?

I think due to Covid and travel restrictions and
ongoing elections and for million other reasons
2FA and geofence protection was just off for
convenience so whoever manages that account could
tweet any time, from any place, instantly. I guess
that strategic decision was made

And now they are deeply embarrassed and taking the
silent path. At least ’til the end of the elections.

Being an ex-sysadmin I know how organization leaders
not only want but demand special privileges for themselves.

Anders October 27, 2020 10:27 AM

More on Finnish psychotherapy clinic hack

hxxps://yle.fi/uutiset/osasto/news/vastaamo_board_fires_ceo_says_he_kept_data_breach_secret_for_year_and_a_half/11614603

Anders October 27, 2020 1:12 PM

@Clive

Is there in British media more about this MI6 involvement?

hxxps://www.newstatesman.com/node/195304

SpaceLifeForm October 27, 2020 2:14 PM

@ Anders

I also have zero doubt that what Gevers found is true.

Others have confirmed, including, apparently, Twitter employees.

Twitter is either pwned, or Pwned.

In both cases, it may be partly psyop.

I’ve always thought that if a hacker got in, and discovered that someone else had already got in, that the second hacker would back out quietly so as to not be discovered and lose control of their exploit tools.

These days, the thinking (especially if one runs a honeynet), is to not do anything.

Because, these days, one APT will try to remove the other APT.

So, you let them fight it out.

Better telemetry.

Spy vs Spy. Who are the Good Guys?

SpaceLifeForm October 27, 2020 2:29 PM

@ Anders, Clive

FYI. I see funny behaviour at newstatesman link.

Problem may be on my end. I closed.

Clive Robinson October 27, 2020 3:01 PM

@ Anders,

Is there in British media more about this MI6 involvement?

Not in the main stream media as such.

History shows that MI6 used that route for smuggling out defectors some very high level.

As you might know something over twenty Russians who left and took up residence in the UK because of falling out with Putin and others, have died in mysterious circumstances.

Only other Russians, their families and friends, know full well the UK authorities are failing to investigate, just coming up with “natural causes” or “accident” as excuses not to investigate properly.

The questions that arise if a shaped charge or mine or similar did blow a hole in the bows of the ferry are,

1, Who put it there?
2, On who’s authority?
3, Why did they put it there?
4, Who else knew?
5, What their involvement is?
6, And to what advantage?

Whilst not quite “Follow the money?” if you follow those questions you will get some indications as to what’s going on, and you will not like where it takes you…

SpaceLifeForm October 27, 2020 3:10 PM

@ ALL

Protip: GuardTabs.

When browsing, open at least two blank tabs.

Use the newest one for whatever.

If you close that tab, you will not go back to an older tab that may refresh.

Open a new tab then. Keep your GuardTab.

MarkH October 27, 2020 4:36 PM

Another Grim Covid-19 Effect Discovered

A new report says that some people infected by SARS-CoV-2 respond by developing antibodies that attack their own tissues.

The action of such autoantibodies may help to explain patients with persistent and sometimes severe impairments, months after their viral infections passed.

A ray of hope in this news, is that existing medicines for the treatment of other autoimmune illness might be helpful to such patients. [Autoimmune disease meds often have difficult or dangerous side effects, so needing them is a tough place to be.]

small_data October 27, 2020 6:21 PM

I have to wonder whether GitHub are planning a snowmobile expedition to rip youtube-dl out of their Arctic Code Vault.

pswd_failure October 28, 2020 12:24 AM

When security researchers repeatedly warn that your source code archives for your rather large hardware manufacturing company are not protected by using extraordinarily bad passwords (don’t even require credential stuffing), it’s probably a good idea to take the advice onboard.

Maybe consider implementing some kind of security policy, improve access control, move the archives to infrastructure with a somewhat secure design where the data is not web facing.

Finally, ensure important feedback is prioritized and makes its way to the security team, ensure someone in management actually listens to security and has at least some competency at understanding them (a minimum level of training in security concepts). Do it all sooner, rather than later.
http://www.bleepingcomputer.com/news/security/intel-leak-20gb-of-source-code-internal-docs-from-alleged-breach/

SpaceLifeForm October 28, 2020 1:15 AM

@ pswd_failure, Clive

Silicon Turtles.

While I doubt (based upon the descriptions), it is possible that there were clues in the dump that led to this:

hXXps://twitter.com/h0t_max/status/1318625380551589888

We’ve achieved next step – Intel Microcode RC4 key.
We can now decrypt microcode updates!

Clive Robinson October 28, 2020 2:17 AM

@ SpaceLifeForm, ALL,

We can now decrypt microcode updates!

They used RC4… Hmmm I thought that had been kicked into the “Great bit bucket in the sky” last century…

But even if we can decrypt the microcode updates, are they going to mean anything without further information?

I won’t go into the ins and outs of microcode and Register Transfer Logic (RTL) but let’s just say a big chunk of what goes on is a very large bit width ROM, where the outputs directly drive logic lines.

Thus that chunk is effectively a logic sequencer state machine “bit map”, so without knowing exactly what each bit corresponds to as a logic line, understanding it will be more guess work than fact.

name.withheld.for.obvious.reasons October 28, 2020 3:15 AM

@ Wael, Clive
Okay; three suggestions:

Somewhere over the rainbow (tables) — Judy Garland
If I were a rich (text) man – Zero Mostel
Thriller (DS 1000, Carnivore) — Michael Jackson

Wael October 28, 2020 8:54 AM

@name.withheld.for.obvious.reasons, @Clive Robinson,

Accepted. I’ll need some time to find a free spot. I don’t have prescription reading glasses yet. So expect some delays.

Sherman Jay October 28, 2020 1:43 PM

Hey, everyone, you have to see the security features on this new phone:
h t tps://xkcd.com/

And if you want to learn about the wonderful new world of security the new ‘space force’ provides here is the video from our artists:

h t tp://theartsinarizona.org/vidspazfarcevid.htm

Clive Robinson October 28, 2020 3:11 PM

@ Sherman Jay,

Hey, everyone, you have to see the security features on this new phone

(You forgot to add the XKCD number “2377” to the URL.)

Though I’m not sure how many will get the “Tactical Helium Supply” joke…

For those that don’t, google “iphone mems helium”.

vas pup October 28, 2020 3:33 PM

In Finland, sexting could become a crime
https://www.dw.com/en/in-finland-sexting-could-become-a-crime/a-55403668

“Six months in prison would certainly take the sexiness out of showing off your privates to an unwilling recipient. Finnish parliamentarians debating a reform of the country’s sexual harassment laws are considering whether sending sexual content without permission should be classified as a crime equal to unwanted physical contact, which currently can be punished with fines or jail time.

Mäkynen is on the parliamentary legal affairs committee and says
!!!!!legislation must evolve with technology. “The internet and social media have changed the way people are harassed and how people are becoming victims of different crimes,” he said. “This is partially a result of the ‘MeToo’ discussion and everything that has been discussed internationally for years.” It’s expected the outcome of the consultative process will be presented to the government within the next few months and then would need parliamentary approval.

===>Outing abusers? There’s an app for that

But outside the realm of law enforcement, outraged recipients already have the power to do their own exposing. In 2017, Swedish app developer Per Axbom said he’d had enough. “I saw the opportunity to empower recipients of dick pics and shift the power balance between the parties,” he wrote at the time. He ==>created the “Dick Pic Locator” app to extract photos’ metadata in case those who receive the explicit material want to make it public.

“Whereas I see lots of reasons why it would be important to protect the possibility of being anonymous,” Axbom explained, “this is not one of them.”

Anders October 28, 2020 4:23 PM

@ALL

hxxps://www.securityweek.com/exclusive-medical-records-35-million-us-patients-can-be-accessed-and-manipulated-anyone

SpaceLifeForm October 28, 2020 6:52 PM

@ Clive

And then magic happened.

I am confident that the statement by Intel below will be proven false.

In multiple ways. Soon, if not already.

Parse carefully. Discern what they did not say.

hXXps://arstechnica.com/gadgets/2020/10/in-a-first-researchers-extract-secret-key-used-to-encrypt-intel-cpu-code/

The issue described does not represent security exposure to customers, and we do not rely on obfuscation of information behind red unlock as a security measure. In addition to the INTEL-SA-00086 mitigation, OEMs following Intel’s manufacturing guidance have mitigated the OEM specific unlock capabilities required for this research.

The private key used to authenticate microcode does not reside in the silicon, and an attacker cannot load an unauthenticated patch on a remote system.

Clive Robinson October 28, 2020 8:42 PM

@ SpaceLifeForm,

Provided the signing key remains unknown then this part is sort of true,

“The private key used to authenticate microcode does not reside in the silicon, and an attacker cannot load an unauthenticated patch on a remote system.”

If, and that’s a cautious if, Intel have done their job correctly then to get a remote patch to load one of the following has to happen,

1, The Private key gets exposed.
2, The Private Key is calculated.
3, A collision is found.

The use by Intel of RC4 might make option 3 workable depending on just how Intel provides the RC4 key for the patch encryption.

As for the preceding paragraph, the first sentence,

“The issue described does not represent security exposure to customers, and we do not rely on obfuscation of information behind red unlock as a security measure.”

by simple logic is false. As Ars Technica have deduced, knowledge of the microcode state machine logic sequencer ROM enables not just the CPU internal architecture to be found, but more importantly the error the patch is fixing to be found. As it is unlikely the error will be patched in most computers, a vulnerability will thus be disclosed, with the real question being “is the error exploitable”.

As for hiding behind obfuscation, if they were not hiding something then why encrypt the ROM patch with RC4?

name.withheld.for.obvious.reasons October 28, 2020 11:15 PM

@ Wael,

Just glad you’re back on the blog, I have missed your contributions. Hope you are feeling better and get those old spectacles as opposed to others that would rather be spectacles. Stay well my friend, we need you. That goes for you my old friend Clive.

Coincidentally, have either of you given any thought to an apprenticeship or guild like program? Just recently I have considered indexing my hard copy references and providing a digital compendium of technological resources and history. I know I don’t have to write the whole thing, there’s a lot of good work out there. Bob Pease, at National Semi, comes to mind, a good mix of knowledge and expertise. Also, Jim Williams his buddy at Linear could make a great addition (maybe the best). Would either of you possibly be interested in collaborating on an ad-hoc project to coalesce bits of wisdom (little endian of course) for future generations and posterity?

Others are welcome to participate, would like it to be people that have a history here as it is a bit problematic to do projects greater than five. Understanding the model of thinking and a general sense of character is necessary to make a small group comfortable. In my own mind I have a list of people to ask or solicit but would prefer an opt offer.

There would not be a great deal necessary to organize the effort, I’d volunteer to structure the planning and such and would be happy to make a capsule statement of such. Why are we making an effort to mark moments in history and their significance to a potential future generation that might need a more nuanced view of technological and engineering based challenges?

name.withheld.for.obvious.reasons October 28, 2020 11:20 PM

@ Wael, Clive
Forgot, the proposal is influenced by Bradbury’s protagonist Montag of Fahrenheit 451.

name.withheld.for.obvious.reasons October 29, 2020 1:16 AM

There’s a popular rally crisscrossing the U.S., for branding purposes these events should have a tour title:
“The Jim Jones Farewell Tour, 2020, Free Kool-Aid”

Duodecimal October 29, 2020 3:39 AM

@name.withheld.for.obvious.reasons,
I also worry about such things.. once you startup a third party firewall the enormous amount of connections is worrying. Just for windows update..or mac updates. Linux is our best bet to probably be safe. Why does @Bruce use Windows, is there a concern of security or something..

Clive Robinson October 29, 2020 4:33 AM

@ Duodecimal,

Why does @Bruce use Windows, is there a concern of security or something..

@ Bruce Schneier has been asked that question on this blog before and the answers fall into the “or something” category.

Put simply it kind of boils down to “for business compatibility” reasons.

People have to remember that nearly all businesses think “short term” not “long term” in their day to day running. So at one level you want to hire “trained staff” that can be productive from the get go and effectively hit the ground running. This means the business is in effect tied to what ever the “industry norm is” irrespective of if it’s the “lowest common denominator”, “least secure” and often “the least stable” solution out there. Which also means you have to take different steps to mitigate at a different level. So you hire network and System Admins that can build a combination of a sturdy fence and safety net around and under the other staff.

It really does not matter which way you argue it, that pragmatic way of doing things is least costly for a business most of the time.

What will change it, is when the Internet ceases to be a “target rich environment” for attackers, thus the probability of being attacked goes up significantly. That is when the frequency of being attacked and the costs involved rises above the “current pragmatic way”.

Till then the likes of Mi$o and other low cost crapola that is more fat than lean meat “will be king”.

Open Source October 29, 2020 4:40 AM

@Duodecimal
Although some threat actors have been targeting Windows, and some new ransomware modifications target recently disclosed Windows vulnerabilities, there is significant new development targeting Linux. Many ransomware services are cross platform and have targeted vulnerabilities that patches are available for, or use credential stuffing.

If you keep your systems up to date, do not click on links in emails, don’t reuse passwords, change passwords regularly and use strong passwords, then you can mitigate many attacks.

Through comprehensive, detailed analysis of local attacks and threats, ASD has found that at least 85 per cent of the targeted cyber-intrusions it responds to could be mitigated by four basic strategies.
securelist.com/how-to-mitigate-85-of-threats-with-only-four-strategies/69887/

According to researchers from Princeton University, Russia is responsible for 72 percent of foreign influence efforts between 2013 and April 2019. That makes Russia three times as aggressive as the rest of the world combined.
comprop.oii.ox.ac.uk/wp-content/uploads/sites/93/2019/09/CyberTroop-Report19.pdf

Clive Robinson October 29, 2020 4:40 AM

@ name.withheld…,

Coincidentally, have either of you given any thought to an apprenticeship or guild like program?

The answer is yes, and I was working towards such a scheme with a life long friend who wanted to give back via his business.

Sadly however earlier this year he died in an unfortunate accident, and the person who has current control of the business appears intent on destroying it.

For legal reasons I can not say more than this at this time.

Duodecimal October 29, 2020 5:07 AM

@Clive Robinson Yes I understand that.. even I am forced to use windows for my work due to proprietary databases and professional requirements. I [foolishly?] assumed that Bruce was in a position to make a choice.

@Open Source I agree with your statement, I always say that if it’s usable it’s hackable.. I thought that some encryption algorithm issues existed.. for cryptonuts. I hope to start using Debian for personal stuff at least

Clive Robinson October 29, 2020 6:25 AM

@ Duodecimal,

I thought that some encryption algorithm issues existed..

Whilst encryption “algorithms” can have problems, with competitions most get weeded out fairly quickly.

Where the real crypto issues are is not in the “algorithms” but the things that turn them into usable systems.

So usually a crypto algorithm is not used in “Electronic Code Book” (ECB) mode, because this is in effect a giant substitution cipher, as those before and after images of “Tux” the Linux Penguin show. It is used in some other “mode” that is either “feedforward” or “feedback”: in effect you XOR either the plaintext or the ciphertext in a way that “chains” individual encryptions together such that simple substitution no longer happens.

The point is that not all “modes” work equally well with all base crypto algorithms. So if you use the wrong mode then you introduce weaknesses.

The next and perhaps biggest problem is the “bang for the buck” issue. Put simply people want to get the maximum number of bytes encrypted per clock cycle. That is they want “high efficiency” but in crypto that brings a whole raft of issues. It’s why I talk to people about “Security-v-Efficiency”; as a general rule of thumb they trade off against each other. That is, as you increase Efficiency you generally open “side channels” that leak information about either the plaintext, the keytext or both. AES is a notable very poor performer in this regard, and it’s become fairly clear that the NSA quite deliberately “fritzed the AES competition” such that the most likely outcome was software implementations that would be riddled through with side channels. Which is what happened and even now there are highly insecure implementations of AES code still in use…

But other surrounding protocols and standards can also cause problems. The use of the Dual EC-PRBG algorithm being a case in point. It’s output could if you knew the right information be easily predicted thus the random numbers that go into being the seeds for Digital Certificate Primes or keys etc used by crypto algorithms would be entirely predictable or easily searched for.

But the one most are unaware of that really mucks things up is “fallback attacks”. Put simply if two separate systems try to talk to each other they have to negotiate a protocol they have in common. Thus a “man in the middle attacker” can reduce the communications security by forcing both ends to “fall back” to the lowest common denominator that could be “no crypto”. The problem is that the software generally fails to tell the user what algorithm and mode is in use, let alone warn the user it is weak…

I could go on but I think that should give you enough of an idea.

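The ECB versus chained-mode point in Clive’s comment above, as an added example that is not part of his comment. The block cipher in it is a stand-in: a four-round Feistel network with an HMAC-SHA256 round function, used only so the script runs offline without a crypto library (it is not AES and says nothing about side channels). The mode logic (PKCS#7 padding, ECB, CBC chaining) is the real construction. A plaintext made of repeated 16-byte blocks, like the flat colour runs of the “Tux” image, yields repeated ciphertext blocks under ECB and none under CBC. The key, the sample “bitmap” and the fixed all-zero IV are constructed for reproducible output; a real deployment picks a fresh random IV per message, which `cbc_encrypt` does when no IV is given.

```python
"""Added example: why the mode of operation matters (ECB vs CBC).

Constructed demo, not code from the original comment.  The block cipher
is a Feistel stand-in with an HMAC round function; only the padding and
the ECB/CBC mode logic are the real constructions.
"""
import hashlib
import hmac
import os

BLOCK = 16
DEMO_KEY = b"constructed demo key, not secret"   # constructed, not secret


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, i, half):
    # Keyed round function F_i over one 8-byte half (stand-in, not AES).
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key, block):
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, _xor(left, _round(key, i, right))
    return right + left          # undo the final swap


def block_decrypt(key, block):
    assert len(block) == BLOCK
    right, left = block[:8], block[8:]
    for i in reversed(range(4)):
        right, left = left, _xor(right, _round(key, i, left))
    return left + right


def pad(data):
    n = BLOCK - len(data) % BLOCK            # PKCS#7: always adds 1..16 bytes
    return data + bytes([n]) * n


def unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def _blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, plaintext):
    # Each block encrypted independently: equal blocks give equal output.
    return b"".join(block_encrypt(key, b) for b in _blocks(pad(plaintext)))


def ecb_decrypt(key, ciphertext):
    return unpad(b"".join(block_decrypt(key, b) for b in _blocks(ciphertext)))


def cbc_encrypt(key, plaintext, iv=None):
    # Feedback chaining: each block is XORed with the previous ciphertext
    # block before encryption, so equal plaintext blocks differ.
    iv = os.urandom(BLOCK) if iv is None else iv
    prev, out = iv, [iv]
    for b in _blocks(pad(plaintext)):
        prev = block_encrypt(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)           # IV is sent in front of the ciphertext


def cbc_decrypt(key, ciphertext):
    chunks = _blocks(ciphertext)
    prev, out = chunks[0], []
    for c in chunks[1:]:
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return unpad(b"".join(out))


def repeated_block_count(data):
    """Number of ciphertext blocks that duplicate an earlier block."""
    chunks = _blocks(data)
    return len(chunks) - len(set(chunks))


def sample_bitmap():
    # Constructed "image": 8 black rows then 8 white rows of 16 bytes.
    return b"\x00" * BLOCK * 8 + b"\xff" * BLOCK * 8


def compare_modes(key=DEMO_KEY, iv=bytes(BLOCK)):
    # Fixed zero IV here only so the demo is reproducible.
    pt = sample_bitmap()
    ecb = ecb_encrypt(key, pt)
    cbc = cbc_encrypt(key, pt, iv)
    return {"ecb_repeats": repeated_block_count(ecb),
            "cbc_repeats": repeated_block_count(cbc[BLOCK:])}


if __name__ == "__main__":
    print(compare_modes())
```

The padded sample is 17 blocks with only three distinct values, so ECB leaks 14 duplicate ciphertext blocks, which is the block-level version of the visible penguin; CBC leaks none. Swapping the stand-in for a real cipher changes nothing about that comparison, which is the point: the leak is a property of the mode, not of the algorithm.
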
Clive Robinson October 29, 2020 6:33 AM

@ SpaceLifeForm, ALL,

Another oddity has appeared with this new blog software, in that it appears to behave nondeterministically for some reason, which is generally a bad sign.

The issue is as follows,

There are two “required fields” when you submit a post, the “name” and “check question”.

If you leave one of them blank then you get a warning sent to you which is specific to that field.

If you leave both blank for some reason, sometimes you get one specific warning, other times the other specific warning.

The choice of which message you get appears to be non deterministic…

name.withheld.for.obvious.reasons October 29, 2020 9:50 AM

@ Clive
I am sorry to hear about your friend, ironically it reminds me of Bob Pease having a fatal accident after attending the memorial service for Jim Williams. Profoundly and quite sad, and my sympathies to you and hope the situation resulting can be reconciled properly.

SpaceLifeForm October 29, 2020 1:56 PM

@ Clive

The above test was me.

Here is the behaviour I see.

If the Challenge box is empty, on submit, the Javascript immediately catches that and displays an error dialog.

If the name box is empty, (but Challenge box filled in properly), then the post immediately goes to moderation (so it said), and when it appears, name = ‘Anonymous’.

The above test did not actually sit in any moderation for me.

SpaceLifeForm October 29, 2020 2:17 PM

@ Clive, Wael

Interestingly, the prior one also said it went to moderation.

It appears we are the beta testers.

When I was researching on the pressable web site, I found a page that got me stuck in a redirect loop. Could not back out. Had to close the tab.

So, there are bugs, but at least pressable eats their own dog food.

We are probably more on the bleeding side than pressable is currently using.

I just noticed a behaviour change with the batcache here, so my guess is that someone is researching the problems.

Clive Robinson October 29, 2020 2:48 PM

@ SpaceLifeForm, Wael,

so my guess is that someone is researching the problems.

Yes, that would appear to be likely… We are after all “a tough audience” 😉

vas pup October 29, 2020 4:40 PM

Tanzania restricts social media during election

https://www.dw.com/en/tanzania-restricts-social-media-during-election/a-55433057

“A day after millions of voters cast their ballots in Tanzania’s general election, users and watchdogs in the digital space are reporting that authorities are blocking access to WhatsApp and Twitter.

According to reports on the ground, supported by data gathered by the NetBlocks Internet Observatory, major social networks
===>were blocked across Tanzania on the eve of the election, with users relying on virtual private networks (VPNs) to send messages and access information.

The lead up to the election was characterized by vote rigging accusations from opposition parties and independent observers alike, with international media largely barred from gaining accreditation to cover the voting process.”

My nickel: if we really want that platform and personality of prospective candidates in any election, and NOT the financial resources they (their political party) could spend on political advertisement on TV, social media, you name it, then there should be established rules that make a level field for all candidates. We do have so many lawyers here, so they could help prepare good and sound legislation addressing this, but our nine non-elected gurus of SCOTUS may override it. 🙁

I guess ONE day before the election ALL political advertisements on ANY media (papers, TV, social media, you name it) should be stopped altogether under strict penalty including big fines and possible imprisonment. That will authorize the government to block them legitimately, regardless of party affiliation. Such a measure could somehow prevent last minute manipulation by fake news, ‘hot’ last minute ‘discoveries’ and so on, but is only in my pipe dreams. 🙂

Clive Robinson October 29, 2020 5:04 PM

@ vas pup,

I’m not holding the UK up to be a shining beacon[1] but we do have some legislation along the lines you are talking about.

The most important thing though would be to stop money entering the process.

Put simply the US can not be a democracy when to throw your hat in the ring as a candidate requires hundreds of millions if not billions of USD to get parity with those getting unaccountable money from who knows where.

Which is the second problem with the unaccountable money: who knows what strings it comes with, but I see it as being “bought legislation”, which basically means the money the ordinary everyday citizens pay into the Government is effectively not being used for “society” but to give those who in no way deserve it unfair advantages, which means a percentage ends up also feathering the politicians’ nests.

Full transparency and clear accountability is a necessity along with independent oversight with very sharp teeth.

[1] Whilst we have the legislation it has to be used, and when it is used the banning of people needs to be effective. It’s very clear that the current PM and his “brain” should have been prevented from having anything to do with politics… But there they are running the show as opposed to sweeping streets or other work that would be a benefit to society, not the detriment they currently are. Hence the requirement for independent oversight with very sharp teeth.

Wesley Parish October 29, 2020 11:01 PM

@Bruce, had to see this one coming ….

NSA: We’ve learned our lesson after foreign spies used one of our crypto backdoors – but we can’t say how exactly
https://www.theregister.com/2020/10/28/nsa_backdoor_wyden/

The Reuters report, citing a previously undisclosed statement to Congress from Juniper, claims that the networking biz acknowledged that “an unnamed national government had converted the mechanism first created by the NSA.”

but wait, there’s more …

The reason this malicious code was able to decrypt ScreenOS VPN connections has been attributed to Juniper’s “decision to use the NSA-designed Dual EC Pseudorandom Number Generator.”

and yet more – will this excitement ever cease …

The NSA also declined to provide backdoor policy details to Reuters, stating that it doesn’t share “specific processes and procedures.” The news agency says three former senior intelligence officials have confirmed that NSA policy now requires a fallout plan with some form of warning in the event an implanted back door gets discovered and exploited.

To glad me with his soft black eye,
My son comes trotting home from school.
He’s had a fight, but can’t tell why;
He always was a little fool.
– Lewis Carroll

SpaceLifeForm October 29, 2020 11:26 PM

@ Clive, All

More on TrickBot.

Note: Uses DNS. Allegedly being used to attack hospitals with ransomware.

hXXps://thehackernews.com/2020/10/trickbot-linux-variants-active-in-wild.html

SpaceLifeForm October 30, 2020 3:27 AM

@ Clive, All

I predicted this over a decade ago.

It’s global warming of the ocean. Deep down under high pressure, the methane hydrates are starting to melt. It will be a runaway effect eventually.

Unless the volcanoes kick in and contribute to some global cooling.

Either way, Mother Nature wins. At some point, Covid-19 will disappear too.

hXXps://www.theguardian.com/science/2020/oct/27/sleeping-giant-arctic-methane-deposits-starting-to-release-scientists-find

Cassandra October 30, 2020 7:26 AM

Re: Time

Further to the issue of timestamps, as most of you probably know, UTC (which is the time reference distributed by standard NTP) contains leap seconds – in other words, certain minutes contain 61 seconds, and the count of seconds goes from 59 to 60 to 00. This tends to upset software not programmed to allow for this behaviour. Google implement leap-second smearing in their systems to deal with this.

The following web page, plus linked references, goes into a lot of detail around the flawed use of UTC.

UTC might be redefined without Leap Seconds

It is unashamedly technical, written by Steve Allen of the UCO/Lick Observatory.

I am certainly in favour of having two time references: ‘Civil time’ tied to the Earth’s rotation, and ‘technical time’, which would be a ‘simple’ count of seconds since an epoch, unrelated to the earth’s rotation. Unfortunately UTC tries to be both.

Clive Robinson October 30, 2020 8:06 AM

@ Cassandra,

Unfortunately UTC tries to be both.

And in my experience fails at both, hence my comment about having both a continuous system time and a UTC0 time on a system.

The problem then falls on programmers to deal with leap seconds, not just the positive ones we have had so far but the negative ones we know could happen, which is why the standard allows for them….

The good thing about UTC0 is that although it allows for fractional seconds, leap seconds are always whole seconds and only happen occasionally (currently only about once every six months, though their frequency will increase).

This allows for a small table of sub epochs which are leap seconds. Thus everything can be in continuous system time that then gets translated to UTC0, then to “Local”, “solar”, “sidereal”, or other time system of your preference.

Which just leaves the less than minor problem of “relativity”, because time does not move at the same rate across even the earth, or even at the top or bottom of a building… Then throw in other relative velocity effects such as Doppler and you can see why things get messy messy messy with communications amongst other things, especially when time and distance are important (think GPS).
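Cassandra’s 59 → 60 → 00 minute and Clive’s “small table of sub epochs” above, worked through as an added Python example (not code from either commenter): a continuous system-time count is translated to UTC through a leap-second table, so an inserted second is labelled 23:59:60 and a negative leap second drops 23:59:59. The epoch, the function names and the 2029 negative entry are assumptions for the example; the two positive entries are the real 2015 and 2016 leap seconds.

```python
from datetime import datetime, timedelta, timezone

# Constructed epoch for the continuous "system time" count: SI seconds elapsed
# since 2015-01-01 00:00:00 UTC, never adjusted for leap seconds.
EPOCH = datetime(2015, 1, 1, tzinfo=timezone.utc)

# Small leap-second table in chronological order: (UTC day at whose end the
# leap occurs, +1 for an inserted 23:59:60, -1 for a dropped 23:59:59).
# The two +1 rows are the real 2015 and 2016 leap seconds; the -1 row is a
# hypothetical future negative leap second, there to show the same code
# handles the case the UTC standard allows for but has never yet used.
LEAP_TABLE = [
    (datetime(2015, 6, 30, tzinfo=timezone.utc), +1),
    (datetime(2016, 12, 31, tzinfo=timezone.utc), +1),
    (datetime(2029, 6, 30, tzinfo=timezone.utc), -1),  # hypothetical
]


def naive_utc(count):
    """What software that ignores leap seconds prints for the same count:
    it drifts one second per leap and can never show 23:59:60."""
    return (EPOCH + timedelta(seconds=count)).strftime("%Y-%m-%d %H:%M:%S")


def sys_to_utc(count):
    """Translate a continuous second count since EPOCH into a UTC timestamp.
    Walks the leap table accumulating the offset between the continuous
    count and leap-free UTC seconds, and labels an inserted second 23:59:60."""
    offset = 0  # continuous count minus leap-free UTC seconds, so far
    for day, sign in LEAP_TABLE:
        # Continuous count at which that day would end if it had exactly
        # 86400 seconds, given the leaps already accumulated before it.
        midnight = int((day + timedelta(days=1) - EPOCH).total_seconds()) + offset
        if sign > 0:
            if count == midnight:  # inside the inserted second itself
                t = EPOCH + timedelta(seconds=count - offset - 1)
                return t.strftime("%Y-%m-%d %H:%M:") + "60"
            if count > midnight:
                offset += 1
        elif count >= midnight - 1:  # 23:59:59 of that day was skipped
            offset -= 1
    t = EPOCH + timedelta(seconds=count - offset)
    return t.strftime("%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    for c in (15638399, 15638400, 15638401):  # around the 2015-06-30 leap
        print(c, sys_to_utc(c), "naive:", naive_utc(c))
```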

Winter October 30, 2020 9:25 AM

@vas pup
“I guess ONE day before election ALL political advertisements on ANY media (papers, TV, social media, you name it) should be stopped altogether under strict penalty including big fines and possible imprisonment.”

No need to reinvent the wheel. Wheels have been around for quite some time.

For instance, take France:
https://en.wikipedia.org/wiki/Elections_in_France

Elections are held on Sundays. The campaigns end at midnight the Friday before the election; then, on election Sunday, by law, no polls can be published, no electoral publication and broadcasts can be made.

[T]he amount of money a presidential contestant is allowed to spend during the campaign for the first round of the election is limited to 16.8 million euros.
https://www.dw.com/en/french-elections-who-finances-the-candidates/a-38704682

Presidents have been arrested over campaign finances:
https://news.sky.com/story/ex-french-president-nicolas-sarkozy-arrested-over-campaign-financing-11297642

And about financing:
https://www.loc.gov/law/help/campaign-finance/france.php

Official electoral campaigns in France are very brief. Campaign finance is strictly regulated. All forms of paid commercial advertisements through the press or by any audiovisual means are prohibited during the three months preceding the election. Instead, political advertisements are aired free of charge on an equal basis for all of the candidates on national television channels and radio stations during the official campaign. Campaign donations and expenditures are capped. Candidates must appoint an independent financial representative to handle all their financial matters relating to the election. Campaign accounts are audited by a special commission. Candidates whose campaign accounts are certified may be reimbursed up to 50 percent of their expenses by the state if they meet certain conditions.

Helen MacGrünenwood October 30, 2020 4:01 PM

“To think that two and two are four
And neither five nor three
The heart of man has long been sore
And long ’tis like to be”

‘nough said.

JonKnowsNothing October 30, 2020 4:27 PM

@Helen MacGrünenwood

re: To think that two and two are four
  And neither five nor three

Until you hold your fingers in front of your eyes close to the end of your nose…

Chris October 30, 2020 8:22 PM

Totally off topic, I am in 2 language courses where we are to say hi brother
Hebrew: Aa chilii
Arabic: Aa chii

Link: hxxps://www.youtube.com/watch?v=yxbCCrsJhrE
Cheers

Helen MacGrünenwood October 31, 2020 12:45 AM

@JonKnowsNothing

“Until you hold your fingers in front of your eyes close to the end of your nose…”

Yes. As when one is at pains to see no evil, hear no evil, speak no evil.

Clive Robinson October 31, 2020 1:41 AM

@ SpaceLifeForm,

More on TrickBot.

From having a trawl around I get the feeling that this Linux version of TrickBot has been “ready to go – full beta” for some time.

Makes you wonder if they have other OS’s “ready to go”.

Such behaviour suggests a professional development backend at the very least. Which generally would indicate a “level III” attacker, which are usually cyber-espionage operations, thus a little rare for just a cyber-criminals’ operation.

Makes you wonder if those involved are in a “partnership” or just “paid employees”, and if the latter, who the employer is.

Clive Robinson October 31, 2020 1:50 AM

@ SpaceLifeForm,

Deep down under high pressure, the methane hydrates are starting to melt. It will be a runaway effect eventually.

But before it becomes runaway you have to consider the various toxicity issues…

Science has said this is a red flag issue for some time, yet two super powers locked in an economic war, do not want to listen…

When you have that situation occurring, you have to ask the question of how you get them to behave?

JonKnowsNothing October 31, 2020 7:41 AM

@Helen MacGrünenwood

clarification: On re-reading what I wrote, it might be misconstrued as a reference to a rude gesture.

I was actually referring to an optical illusion of “floating fingers”. There are many variations but you place your fingers near your nose and “look through” the fingers and you will see a visual distortion where you “see” multiple fingers or a floating finger, depending on the orientation of your hands.

  * Finger sausage, where you see an extra finger portion, is one example.
  * If you spread your fingers out and “look through them” you may see fewer or more fingers, which is another example.

The effect is due to the orientation of the eyes.

Human eyes are horizontally separated by about 50–75 mm (interpupillary distance) depending on each individual. Thus, each eye has a slightly different view of the world around. This can be easily seen when alternately closing one eye while looking at a vertical edge. The binocular disparity can be observed from apparent horizontal shift of the vertical edge between both views.

I apologize for being obtuse in my comments.

ht tps://en.wikipedia.org/wiki/Illusion
ht tps://en.wikipedia.org/wiki/Optical_illusion
ht tps://en.wikipedia.org/wiki/List_of_optical_illusions
ht tps://en.wikipedia.org/wiki/Cyclopean_image
ht tps://en.wikipedia.org/wiki/Stereopsis

Objects at different distances from the eyes project images in the two eyes that differ in their horizontal positions, giving the depth cue of horizontal disparity, also known as retinal disparity and as binocular disparity.

ht tps://en.wikipedia.org/wiki/Binocular_disparity

Binocular disparity refers to the difference in image location of an object seen by the left and right eyes, resulting from the eyes’ horizontal separation (parallax).

(url fractured to prevent autorun)

Helen MacGrünenwood October 31, 2020 9:05 AM

@ JonKnowsNothing

“misconstrued as reference”

I did not take that meaning. I also apologize for ambiguity in my response.

I had tried the experiment you suggested and could get three but not really five. It was while doing this that the resemblance to the three (?!) monkeys occurred to me.

I see now that the law of blog comment auto self-referencing, wherein one unawares is doing exactly what one is warning about, has justly censured me. A righteous collar!
