Schneier on Security

Clive Robinson • January 29, 2021 7:52 PM

@ Ismar,

(for Clive to dismiss outright 😉 )

Seeing as you asked… You know that stuff is more than half a decade old[1]?

That’s about four generations ago in the ICTSec field… Or in human and other physical world equivalent terms that would be something around 80 years old… When Black and White TV had just about got going, and they were still using valves/tubes in electronics, and steam engines were not just on rails but in agriculture as traction engines…

So having done what you asked I might just read one or two of them but not the 37 or so, I’ve more upto date stuff on a fairly large reading pile as it is.

And that’s on top of designing a universal interface to turn two way radios and transceivers into repeaters/beacons that do not just do HT2HT audio, but HT2Pone both POTS and Cellular, as well as to Data networks from MF through UHF. That somebody wants a prototype of late next month…

[1] Looks like they are from a 2016 conferance that “position papers” would probably have be prevelant at.

Clive Robinson • January 30, 2021 12:30 AM

@ AL, Ismar,

The DW article,

https://www.dw.com/en/coronavirus-germany-recommends-astrazeneca-vaccine-for-under-65s-only/a-56371850

Is at best out of date if not factually incorrect.

There is trial data about the efficacy in 65 and older test subjects. Whilst the efficacy was less it was inline with what you would expect with aging immune sysyems.

The reason there is not as much data for 65 years old and up is that they have been told by their governments to “shelter” as they are higher risk. Which means they are way less likely to come into contact with the virus so the testing of efficacy between the two test groups is taking a lot longer (though safety figures are fine as these do not need test subjects to get the virus).

But on the other errors, AZ has not in any way broken it’s “best possible” contract with Brussels. As the company quickly pointed out.

Lets just say a certain woman is trying to cover up not just her failings, but the failings of those she has work for her. Basically she made threats she had no real legal right to make, which got pointed out fairly rapidly.

Further it was also quickly pointed out that any such action would infact fsirly rapidly stop vaccine manufacture in the EU due to reciprocation. Put simply the countries outside the EU that supply the raw stock into the EU without which the vaccines can not be made would simply reciprocate any EU restrictive measure.

Such was the howl raised by her ill thought out threats, the following day she basically said that the vaccines made in the UK were the EU’s by right. Which surprise suprise they are not as AZ rather promptly pointed out.

I guess the real question is how long she can keep saying ill thought out things rather than just either keep her mouth closed or admit that she and those under her have failed to act in a timely fashion by atleast a quater of a year. Worse she has quite deliberately withheld information from MEPs who had a right to know it, and are thus not at all happy with her and it appears that “blood is in the water”.

I can see the EU fracturing badly over the fact that the EU vaccine situation is truely appaling and it’s her, and those that work for her who have failed all EU citizans. A number of which are now without doubt are going to die because of her inactions. Thus some EU members are buying in Russian and Chinese vaccines which arr not approved for use in the EU…

Oh in other news perhaps some good news, both Novavax and Johnson and Johnson vaccines data got released today. Thus the question now arises as to if the FDA and EMA get their respective acts together and issue approvals if justified.

As I keep pointing out we are in a race between vaccines in arms and virus mutation and exponential growth that increases the mutation rate.

Remember the virus in all it’s mutations is no respector of money, power, politics or other status humans might kow tow to…

Clive Robinson • February 1, 2021 1:07 AM

@ SpaceLifeForm, JonKnowsNothing, ALL,

If this was going to be easy, we would have eliminated common cold long ago.

I suspect that SARS-CoV-2 in it’s ever changing varients, will become the “new common cold” as more and more disease reservoirs form. With the average life expectancy to drop in the Western World from it’s high of 83 down a decade or so to just under 70 without a suitable vaccine.

Thus the question,

“What price a decade of life?”

If you remember back to the “epi-pen” episode in the US not that long ago… We know that, that sort of profit potential will mean jabs at what ever price that will not get sufficient bad press to force legislators to act in some way, and even they will “look away” if the pharma company is big enough…

Remember, big pharma do not want to cure you, they want to convert “fatal to chronic” and seek rent on your soul. We know this from the long history of stomach ulcers. If you look back to 1982 and the gnashing of teeth from big pharma when Australian Dr’s Barry Marshall and Robin Warren duscovered what we now call Helicobacter Pylori or H.Pylori bacteria and that it could be cured with a couple of weeks or three of high dosage of “off patent” antibiotics, and a lucrative multibillion dollar drug, research, and surgery market collapsed almosy over night. I remember what big news the cure was back then as stomach ulcers was the scourge of the affluent western world.

What also was discovered at the same time, was that some stomach cancers were also “cured” by the antibiotic treatment for H.Pylori…

https://en.m.wikipedia.org/wiki/Helicobacter_pylori

Clive Robinson • February 1, 2021 1:22 AM

@ name.withheld…,

With regards the,

“/sensitive-court-procedures”

PDF document. Reading the last sentence in section three that is repeated in section four would be amussing if it were not so sad.

In essence they are saying the only electronic filing security measure is a standalone pretend air gapped computer…

What’s the betting that it will be a laptop using an MS OS (that reaches out). Shared by atleast three or four people not propperly backed up and with at best randomly updated AV software etc, etc… and maybe left –but probably not locked– in a draw over night, or just left charging somewhere rather than be locked in a safe etc.

Thus paper would be more secure…

Clive Robinson • February 1, 2021 6:52 AM

@ name.withheld…,

How about an “air-gapped” Compaq…

And when did Compaq cease to exist in reality? Before 9/11 if memory serves correctly HP bought them out and almost immediatly phased out the Compaq designs. The same with the rest of that “so last century” spec that atleast had some chance of being secured.

But you and I both know what is actually going to happen, that document is going to be used as a “funding request” for each and every court room to have it’s own “secure computer”. They won’t actually be able to get one so it’s going to have to be either a high end laptop or some low end office box. And it does not take much in the way of brains to guess what will be pushed for.

The only half way “secure” computers that will run commodity software you can buy these days originate in China… And I can not see funding granted for that with the political wind not yet visably changing direction.

If somebody asked me to quote for a secure system I would be asking for the better part of $30k/unit shipped to recipient but not installed.

What they would get would look a lot like a largish office safe, because that’s what I would use for it’s case and I would put some gizmos in there so it would have to be bolted down with a fair degree of force, otherwise it would loose it’s FDE key as well as failing to power up.

Yes I, know from an electronic security point it would be mainly window dressing but it would be about the only way you could stop it magically growing legs… And be found all lonely in the back of a taxi just asking to be taken to a nice home or some such…

Clive Robinson • February 1, 2021 6:08 PM

@ Winter,

And the fact that the EU did not fund the research does not mean there was no European government funding of the vaccine development.

Tell me why do you think the US Government has the patents and rights to the mRNA technology that both Pfizer and Moderna use?

Well it was all the work of a US Government employee…

So the US legaly would be well within their IP rights to say that both Pfizer and Moderna could only develop for the US or give the US priority, it all depends on what went in the contract and as far as I’m aware nobody outside of Brussels and AZ can say they’ve seen all of it as the Brussels issued copy had been significantly redacted (apparrntly badly, but that works both ways)…

But the figures you give show that the EU was demanding the AZ vaccine at around half what the US was paying and an even smaller fraction than the UK was paying…

In return the EU alledgedly took on a lot of risk, and they also demanded bigger discounts (but only after they knew the vaccine was effective and the EMA was apparently sitting on the application for some reason)[1].

AZ could have turned around and politely declined to have anthing to do with the EU, and I suspect in practical terms they off loaded the risk as much as possible onto the EU. They are after all not making any profit on the vacine they supply.

But consider, under the EU flag it’s all gone wrong, which is tough but you have to ask why so many of the EU “bought as cheap as they can” vaccines went and are still going wrong on them?[2]

That is what is the EU and in particular Brussels doing so wrong they can not do what other nations appear not to be having trouble with? Then trying to hide the truth of things from not just the MEPs but member states governments as well.

Trying to pretend the EU is entitled to anything more than the contracts they entered into because they have apparently screwed it up some how is not winning the EU any friends…

In fact it looks like Brussels has actually managed to alienat 27 EU state Govetnments not just once but repeatedly over COVID and by the looks of it the blaim is all Brussels own fault.

In short they took a gamble with the EU citizens lives, and they lost the bet, now the council of ministers and the French premier himself appear to be vey sore loosers. Like all gamblers that loose they think it must be somebody elses fault not there’s…

The people I feel sorry for are the European Citizens, who’s governments were gulled by the Brussels clique, and are now well behind on their jabs programs, which is not just AZ Pfizer and Moderna are likrwise having problems and the two French vaccine attempts have been abandoned or sent back to the drawing board. So again why is Europe having these problems?

It appears Germany had a fairly good idea there was going to be several buckets of the brown stuff heading for the fan, thus it’s been said they did their own deal on the side and the German Chancellor sent a very very pointed message to Brussels when they started “acting up”. Looks like if Germany did do a side deal then they did make a sensible choice.

Oh by the way, making the vaccine in EU home territory is realy not any more secure than getting it made else where…

I thought people would have realised this with just a tiny smidgen of thought about supply chain security that has popped up increasingly in recent times. Because you still have to get the “raw stock” from somewhere and that comes from places like India and China amoungst others all outside the EU.

So whilst having manufacturing capability security is nice, it’s worth squat diddly without supply chain security which I understand Brussels has not put in place either… As industry insiders in the EU have pointed out, the Brussels clique have not exactly done the EU citizens any favours. The Government of any raw stock manufacturer and the manufacturer as well are almost certainly going to be way more cautious thus stricter on their contracts and agreements and regulations. Or as the insider pointed out just not trade with the EU as the risk is not warranted. And… if they don’t trade all that production capacity the EU has got at what it considers bargin basement pricing, could be a white elephant or a very expensive on sitting in the room.

As some people might say the EU Council of Ministers has “Realy scr3ed the pooch” and so far, as far as we can tell publicly, it’s a self inflicted wound with lying to people left right and center their current MO.

As I’ve said before, I did not want Brexit, but the behaviour of the Council of Ministers and the Brussels clique kind of made it a foregone conclusion. Their little nonsense trying to stir up deep routed secterian hatred in Ireland was both extreamly callous and inordinately stupid and well “beyond the pale” or as some would say “Off the reservation”…

When the Irish premier said it could have explosive consequences he real was not joking in any way, nor was it “diplomatic speech”. I remember when both sides of the Irish divde brought their politics forcefully to the UK mainland. Trust me you do not want them doing the same in Brussels where both the population density is higher, and the means to make a point forcefully way way easier to obtain.

Oh and in the process remember where the largest Irish community is outside of Ireland, it’s the US. They helped bring about the Irish ceasefire and eventually the good friday agreement. I doubt they would even slightly be ammused by the troubles starting up again, in fact they might see it as a very unfriendly act. When the previous Presedent appointed his ambassador to Europe, almost the first thing the ambassador confided in his European counterparts was that his mission was to destroy Europe… Something tells me Brussels does not want to be giving the US state dept reasons to do so as nicely gift wrapped as they have done over the past few days.

But I’m apparently not alone in this view others are saying that Brussels has just gift wrapped and handed a reason for other EU nations to consider heading for door number 50 and the exit behind it…

So I would say don’t make excuses for any of them, dig in and get the truth and then if required hold them to account. But make sure you investigate both sides as best you can because it might not be just Brussels with a credibility problem, people are being less than forthcoming on information and that always makes me cautious.

As I said we will just have to see what comes out with time…

[1] There is a story in an EU nations MSM that a certain person from Brussels has indicated the EMA will sit on any further applications from AZ in a phone call she had with AZ executives. Which would suggest if true this is not the first time she has handed down orders to the EMA to sit on things. But the implication If true is she is actively gambling the lives of many in the EU. Because the most likely new applications from AZ to the EMA would most likely be for variations to target COVID strains that are mutating away from vaccine protection.

[2] A professor at Trinity College Dublin, has commented that the processes are new for all the problematic vaccines thus in AZ’s case which uses a live process scalling up may be a not unexpected issue. Something I would kind of assume from experience with scaling up production runs in various industries. Thus it’s something I hope those in Brussels would have been advised of by any competant production engineer. But at least three companies with issues in the EU but apparently not other places… We need more information but it sure does sound odd to be a coincidence. I think it was Ian Fleming that said,

“Once is happenstance, twice is coincidence, three times is enemy action.”

What does that make four times?

Clive Robinson • February 1, 2021 8:11 PM

@ ALL,

Anyone heard about “Philly Fighting COVID”?

This sounds crazy…

Apoarently Philadelphia has not recieved federal money to distribute COVID vaccines.

So you fill in a form and they send you vaccines and you just inject people, take their details and send them on to Phillies health people…

Yup fill in a form and get just under 7k vaccine shots…

Apparantly at the begining of last year a bunch of self confessed nerds at oldest just about 21 years old from the Uni, set up a nonprofit to manufacture PPE.

They then went on to run one of the larger COVID test places.

And from there they “filled out that form” ane became the largest vaccine point in Philly…

Apparently there were no concerns about if the “nerds” were even qualified to be giving people the needle… Or if they knew about how to resuscitate in a case of anaphylaxis, which is a serious life threatening condition that can be expected when vaccines are administered. They certainly did not appear to have the equipment required to open up the airway in a conscious or unconscious person to stop them asphyxiating.

Then a news organisation informed the city council that the “nerds” had gone from non profit to for profot and had a licence agreement that alowed the personal data of those receiving vaccine to be sold.

This was just one of several caises of concern including alledged stealing of vaccine…

Apparently the city council went from prasing the nerds as fine examples of people doing their best for the commniry to not just dropping them but significantly distancing them selves from the nerds.

As for if they sold anybodies data or not apparrntly it’s an open question and just under 200 shots of vaccine are missing…

It all sounds weird to me…

https://www.nbcphiladelphia.com/news/coronavirus/philadelphia-coronavirus-vaccine-doses-philly-fighting-covid-andrei-doroshin/2679962/

Clive Robinson • February 2, 2021 3:44 AM

@ SpaceLifeForm, JonKnowsNothing, MarkH,

Maybe those enforcing the quarantine should wear a mask? Doh!

I started hearing about this, but not the details in relation to another case. What I had heard is that a person who spent the required time in supervised Quarantine, who had have tested negative on the three required dates got let into the community as being clean only to develop it.

As I’d heard it the puting people into Quarantine and letting them out, had not been well organised and thus bodies were meeting in corridors or within 20mins in hotel corridors with non moving stale air. Masks were not being worn by those leaving and hotel staff had been caught not wearing masks whilst slipping out for “smoko” etc. But the security guards being on minimal wages and not realy trained has been a continuous factor dogging the Australian quarantine, so guards double working as taxi drivers should be no surprise to anyone. Also that guards not being resourced with PPE and some reporting being told to “get their own” it’s not supprising masks are not being worn. Likewise the “treat’m like sheep” attitude of hearding in small groups when being moved from A to B is a symptom of too few guards etc.

This sort of nonsense I’m afraid starts at the very top with the lunitic ideas of Australias premier and has filtered down with austerity drives, small government thinking and the like. With jobs being reduced and those in more senior roles ordered to make savings or find other employment… Some things require not just man power but properly trained and resourced man power, which is not compatable with “dime store thinking” that comes from the top.

But the real problem in the case I’d heard about was N501Y varients or “New COVID”. They might all have got away with the sloppiness with “Old COVID” but not “New COVID” said to be more than half as infectious again as Old COVID and with a doubling time down from a month to a week.

You might remember when the figure of 1.55 times more infective came out the assumption was it was an increase in viral load so I did a first order adjustment on the “Minimum Safe Distance”(MSD) rules.

The problem is such first order adjustments by necessity make certain assumptions such as suspension times remain constant. Since then information comming out is suggesting that the increase in infectivity “Is NOT” from increased viral load, but increased infectivity in the virus it’s self. Which means suspension time information does need to be adjusted and that is not an easy linear adjustment as not only do you have to allow for a parabolic arc as particle size changes you have to make time based non linear adjustments.

Think of it if you will like “terminal velocity” calculations, if you are above a certain density and the presented surface area small and adjusted for minimum friction your terminal velocity goes up.

I’ve never tried it[1] but some calculations indicate for humans terminal velocity is only reached at a hight where the probable outcome will be always fatal. For mice however it apparently won’t be injured from any hight. But for cats due to their self correcting behaviours similar applies as with mice, but… With a band between 10m and 23m where the probability of the cat being significantly hurt or dead crosses over a threshhold where it becomes more likely than not…

Well the same sort of crazy applies to droplets in suspension as they evaporate they reach a point where their surface area and mass reach a point where they effectively hang in still air for considerable periods of time… So if being more infectious per virus rather than more more virus per volume, it kind of makes the figures entierly different and whilst still calculable there are no easy straight lines to work with even in log log views. But… a major effector has not been published which is if these new N501Y varients are more or less robust. The fact it is more infectious suggests it is not less robust and may actually be more so, but we just don’t know currently.

[1] Whilst at school there was a bit of a problem, apparently one child had made a parachute for their cat and the cat showed many potential indicators that it enjoyed it… However the childs neighbours had complained to the local police who passed it on to the local council and so on down untill the RSPCA sent an inspector round. Which resulted in the rest of the school having to go through a “be nice to our furry friends lecture”. In later life I learned that a very large tom cat who I’d named “wart” and in effect given to my sister had worked out how to solve the parachute problem for himself… He would hide on a house roof ridge line and wait for a pigeon to glide by on it’s way to the bird feeder. He would leap off the roof and land on the pigeon in mid air… Whilst the tom cat survived the pigeon did not as the tom would promptly eat the pigeon that had been the landing cushion…

Clive Robinson • February 2, 2021 5:45 AM

@ SpaceLifeForm, ResearcherZero,

They are going old school. Paper, secured filing cabinets.

As you know from my “Paper Paper never Data” advice with regards adveserial court or in all honesty any documentation I would be all for that if we could be certain they are not just going to scan it into a “convenient” laptop, that can be moved around the court house “to increse the utility” or some other managment speak of “I can not be bothered” or “Im to important”, etc, etc.

The dream of “The paperless Office” and “Unlocking the data within documents” is still the goal of many who do not understand the security implications or (ab)users in general. Back in the 1980’s when Mad Maggie Thatcher sold off the UK state owned utility companies, part of the then legislation and regulation was that many documents were “time sensitive” and the only way to meet the time requirments was to scan in every piece of paper and pass it around the organisation electronically…

Such behaviour has knock on effects in all sorts of ways, and more than three decades later the problems of the 80’s have not been resolved and new problems are occuring still on an all to frequent basis as the MS scr3wup behind SolarWinds slowly gets draged into the daylight.

My other standing piece of advice of “Do not connect unless essential then think twice again” is still good decades later as well…

Both get ignored, then “things happen” and everybody sticks their heads in the fire bucket and cluck like deranged chickens. The excuse is pretty much always some variation of,

1, We were not told.
2, We did not know.
3, We can not be responsible.

But as judges have reminded people on many occasions “Ignorance is no defence” (it’s also the law of the jungle, just try explaining you ment no harm to a mother grisly to see what consideration you get on that defence).

Several years ago now on this blog I had a chat with @Nick P about crossing borders with consumer level electronics with storage such as laptops and mobile phones. I indicated that even with what I knew I could not harden them against a state / level III attacker that could get hands on, on demand.

My conclusion then as it still is now, is that “If you can not secure, then mitigate”. The simplest mitigation back then was not to take consumer level electronics into a border crossing zone, and taking non consumer electronics into a boarder crossing attracts all kinds of unwanted attention so don’t do that either. Then on arival just walk into random computer retail outlet smack down a pile of cash and buy the second or third box in the stack and use it for the duration then “wipe and dump” it before going back to the border zone. However the US has since then made the border zone cover about 99% of the US population which is still mainly coastal dwelling which necesitates a different mitigation.

Now of course traveling without consumer electronics is considered “unnatural” thus deeply deeply suspicious. I suspect that some of the Five-Eyes flag you up on departure for the tickle treatment on arival. Back when I used to still fly the occasions when I left the UK tech-lite for another Extended Five-Eye I’d get pulled for a customs search on arrival even though I was in the nothing to declare lane. After that had happened twice every time I flew to the US after that I’d get pulled, on one occasion on the excuse I did not have enough luggage for a three day max stay… It was excruciatingly embarrassing not for me but the unfortunate person who had been told to pull me you could see it in their eyes as their “supervisor” stood in eye-line giving me the “stink-eye”. The solution was to be enderingly embarrising back, by insisting on unpacking everything even unrolling my socks and pants I’d put in my spare shoes at the bottom of my suit carrier and rambling on about how good I’d found the laundry service at the Hilton I’d stayed in the last time I was over doing a software upgrade just a couple of weeks before. Then asking in a friendly way if there was any off the beat and track places they could recommend for going out to see / eat at in the evenings. I just kept going till the supervisor started looking suicidal. I guess there is only so much cheesy politness and happy to oblige they can stomach. The supervisor obviously knew that I knew I’d been dicked and knew it was going to happen so they were not going to find anything as I’d “spring cleaned” before entering a UK airport.

The only tech I would have was a brand new phone with recipt and everything. When asked why I’d trot out the line that was kind of new back then that I’d had to buy a new phone as my old one was not “US compatable” which is realy not possible to use these days, though “my normal phone is locked by the phone company” can still be true even these days. The other trick was have a company AmEx card, even in the US AmEx is not popular with retailers so having a big wedge of cash is covered by that alone just make sure it’s got a lot of low denomination notes “for tipping” and if some one is daft enough to say don’t you put it on the card? just look horrifed and say “If I do that in the UK the business keeps the tip not the waitress who’s earned it!” (which unfortunatly is true).

The point is “easy mitigation” for good security is getting harder because of other people… Who see you not doing things there way as at best odd if not a down right annoyance. Which unfortunatly plays into the hands of autoritarians and surveillance types…

Which as we should all realise, the result will be within a year or so these Court Secure Systems will be a thorn to be avoided however possible. Thus either they won’t get used or they will be less secure than second hand string underpants…

Clive Robinson • February 2, 2021 11:45 PM

@ SpaceLifeForm,

Y2k never ceases to amaze

Oh if only it were Y2K…

Are people aware that the issue behind Y2K was discussed in a published article back as far as 1962?

I know it sounds mad now but computers used in business often had data width sizes designed not on nibbles of 4bits, bytes of 8bits etc. But mainly octets[1] of 3bits, and thus other data sizes were 12bits 24bits and 36bits.

For those that doubt, go have a look at why *nix has 3bit file permissions and why the IA486 ISA which we still use today has three bit binary fields that select addressing modes.

And thus why there are some very strange date and time algorithms around, as programers did some stupid things[2] to get as much date&time in a computer word as they could within the machine instruction limitations.

These ad hoc algorithms all have an Epoch, most are selected because it was close to the time the algorithm was written OR when data went back to plus a bit. All wrapped to a programers idea of what a nice time/date datum point should look like. So the begining of the first second of the first day in 1970 or 1980 looked good but in fact are about as bad as you can get…

So many epochs start at the first second of the first year in a decade, which is realy just about the worst you can pick…

Because there is in fact a variable number of seconds on the first day of the year (look up leap seconds) and thus the first minute is not always 60seconds it can be 59 or 61. Further most decades are not divisable by either 4 (leap years) or 400years (when a leap year does not happen). Thus not all years are 365days long etc. All this is knowledge that’s been around for a long time, but certainly longer than electronic computers. So it should not have been too hard to pick a better Epoch in most cases, but they did not.

So whilst “ignorance” might be “bliss” for the programmer who thinks they are realy smart… they are in fact very “unread” and thus leap second by leap second a hidden cost builds up, just waiting to bring the world down around the ears of those in the future[2].

Thus a big chunk of change gets spent every few years, when somebodies “smart” time algorithm that has got “baked in” goes wrong.

What’s worse is “fixes” get put in the wrong place… Like in applications or the OS and not the time driver underneath the OS…

Microsoft has made this mistake quite often and about the only good thing you can say about it is that for those in the know it adds an extra little bit of “forensics” information when people are not aware of how it effects the track and sector positioning of files on hard drives etc…

The rest of the time it makes the likes of astronomers, historians, space scientists/engineers, communications engineers and even those who deal with legislation grumpy (yes I’m one of the grumpy ones).

For instance some of us are aware of relativity, but few of us realise that one side effect of relativity is that time moves at a different rate at different points on the surface of the earth. For the few that do know most realy don’t care, we laugh it off as getting a little fraction more life or some such. But the reality is for many it’s an unseen daily struggle as people in the various global “Space Command” organisations adjust their Global Positioning Systems.

But even those adjustments cause problems for geologists and communications engineers. Who’s problems get “sorted” by programmers who are still not smart enough to get it right “for all time” 😉

But worse as CPU clock speeds rise our ability to measure time becomes finer and the area we do it over way way greater. Back in the 1980’s clock speeds were below 10MHz and time to the nearest second was fine for most and a millisecond for those who were more exacting and the area covered was mostly just a lab bench or room.

Now we have CPU clock speeds a thousand times faster, but our need to measure time in fractions of a second now exceeds that and microseconds are just not good enough. Nanoseconds are just about acceptable for small area communications networks where being out by a foot or two does not greatly matter. But nanoseconds are way to granular for some and picoseconds, the time it takes light to move across a grain of sand still not good enough for some labs where light drives optical switches that will form parts of the computers of tommorow and time synchronisation across the surface of a silicon chip a hard engineering task to solve.

In fact time synchronisation across an area the size of the solar system is an engineering issue we have right now and we are mainly doing it wrong because doing it right is so very very hard. And yes at some point in time there will be a price to pay for not doing it right and something will in all probability “crash and burn”.

[1] Yes “octet” means different things to different people. You will find some documentation often translated where a “byte” of eight bits is called an octet. As with much in life “Context is king”.

[2] And yes I am an offender in this programers not getting time right game, not because I was not smart enough to know what I was doing was wrong… But because I allowed “a more senior pay grade” to have their way instead of just ignoring them.

Clive Robinson • February 3, 2021 6:39 AM

@ FA,

This is wrong. Leap seconds are added to the last minute of the previous day

Ask your self a question, is what the specification says, what you are actually doing as a programmer? What about the majority of programmers?

At Bletchly Park during WWII a question was asked of people who looked promising, and their future career would turn on how they answered it…

It’s still as relevant today if not a whole lot more so, as with all such questions it was beguiling simple,

“Which way do the hands of a clock turn?”

And the answer they were realy asking for was not “clockwise” but “It depends on which way are you looking?” That is the answer is “relative” to where you are as the recipient of information or a signal[2].

Your statment looks a lot like “clockwise” than asking which way should I be looking at the problem.

So back to the specification, it’s written from the perspective of those generating the time signals that is the clock. Where they are “intentionaly” adding to the end of the last day of Dec etc. Which is as you say what the standard says, however you are very unlikely to be the programer generating the time signals…

As a programer, you are most likely receiving the time signals and programing for that. What you see is in effect the hands turning the other way. Your new year has already started when the extra second comes in, you are not adding to “your old year” but subtracting from “your new year”[1].

So from that “majority perspective”, you then have the awkward task of deciding what to do with the two new year seconds you’ve experienced as you flick your computer wall time back one second and live through it again in wall clock time but not elapsed time.

The easy solution for events that have finished is to put them in the last second of the old year. But that means all your time algorithms have to alow for an extra second from then onwards. But also what about tasks that are in progress during that second or started in that second?

Especially as you actually measure nearly everything by “local” elapsed time, as it, not wall clock/calendar time, is fundemental to SI units and derived units involving time used for calculating work and power and just about everything else, as all K12 and above people should know.

Do you stick with wall clock time with the inconvenient leap seconds, hours, years, etc, or the elapsed time of reality that cares not a jot about what the clock and calender on the wall say?

If you stick with elapsed time how do you work out when something actually happened in wall clock time, which some people strangely hold sacrosanct, the legal and finance fraterinities especially so.

It means that you can not do simple “CPU tick” elapsed time maths used for calculating used time without knowing where the accurate time anchor is. But which one? When the process started or when the process finished or when in the process elapsed time wall clock time changed discontinuously and jumped or folded back on it’s self. Thus all of a sudden your elapsed time maths has exceptions in it which needs a complicated set of corrections if you are storing things in file systems etc against wall clock/calendar time.

But then… just when you thought yes I can do that, you find out that elapsed time is not fixed it’s relative and can and does change with both movment and velocity between two or more points in space the faster you go and in which direction needs to be known and that can be a bit awkward (hence the elapsed time difference effect at the poles and the equator).

As normal in life, if there is a right way and a multiplicity of wrong ways, we will draw boundaries around the problem to make “our problem simpler” and kick the can down the road of the future for the next poor person to do atleast twice the work on and so draw their own boundries to double it up for the next person down the road of the future.

As I am a comms engineer amongst other things and my work has included designs for objects in space and for being on other planetary bodies I don’t want to build up what some glibly call “technical debt” because it can become a very real massive smoking crater of real debt you can never repay, because people are not data.

[1] Oh and don’t forget the specification alows for both positive and negative leap second signals, though from memory they have all been positive so far as the slow down of Earths rotation has not varied enough to need a negative leap second… I wonder what will break if a negative leap second is ever needed, what will people try to hide in that little time hole that reality never had but the wall clock created of the last year end second that never existed.

[2] It’s something communications engineers do so much of we sometimes forget others do not. In the main most programmers avoid thinking about it[3] in fact they are trained not to think about it when you think about it. It’s one of the major reasons resource errors bring the whole house down with a “blue screen of death” when even a modicum of “world as it happens” thinking would remove the problem.

[3] Arguably they are paid not to think about it by their managers, hence the smell of singed tail feathers and burning bank notes in forst line support when angry customers phone up.

Clive Robinson • February 3, 2021 10:06 AM

Amazon toeing FCC line

Amazon has anounced that it’s stopping sales of equipment the FCC “thinks” should be approved by the FCC…

Which is unfortunate because the FCC is trying to stray into areas and excert powers it has no legal right to do… As well as stray outside of the US juresdiction it most definately has no right to do as it’s been slapped down for before.

To cut out much of the nonsense the FCC issues licence and permits for,

1, Services
2, Operators
3, Equipment.

In the order of assumed technical competence.

That is as to run a service I must have technically competent people to build the system and operate it withnin the licence grants and restrictions. Thus the service can use equipment to build there systems that have not been FCC licensed.

As an assumed non technically competent person Jo(e) Public can go and buy FCC approved equipment to use in a service the FCC has licensed “for public use” one way or another. This includes “family radio services”, “mobile phones” and similar, but does not include equipment the user can modify (even if they are technically competent to do so). This also includes some services you have to pay a licence fee to the FCC for.

Also there are “Private Mobile Radio” (PMR) services these are where the FCC issues a service licence to an entity to use in a fixed geographic area on a specific frequency using a specific modulation type and bandwidth. The entity is not considered any more technically competent than Jo(e) Public therefore they have to use FCC certified equipment.

Then there are individuals that are considered technically competent which are “operators”. The normal example is “Ham Radio Operators” who can take any piece of equipment licenced or unlicenced and modify it to work to be compliant with the service requirments the FCC puts on the amature bands. Likewise Ships Radio Officers. In both cases they could build equipment for there systems from scratch out of wire, resistors capacitors inductors and active components such as thermionic valves, transistors or more modern integrated circuits. The responsability falls on them to ensure the system works within the FCC requirments.

So far so good. The problem arises in that a two way radio for PMR bands can also operate in adjacent Ham Bands without modification. For various political reasons going back to WWI and subsequently the FCC does not want this as they loose political control and get other issues.

However from an equipment mabufactures perspective the more general purpose a piece of equipment is the more easily it can be sold the more units that can be made for a lesser price, which also makes costs considerably less to those purchasing equipment.

For years there has been an unofficial policy of “lies” going on that many manufacturers have bought into because if they all do it they can all make vastly more profit. Thus commetcial equipment has “links” or “mods” that force the same piece of equipment to behave differently. So load a piece of firmware or add a resistor/diode to the PCB and what was PMR equipment becomes Ham equipment, and Ham equipment can have MARS extentions etc added or become PMR gear or as some say “broadbanded” to cover all at the same time. Not an issue for ham “Operators” as that falls within their licence provisions. But PMR “service users” or Public “service users” are not covered by the service aspects of their licence provisions.

As long as the “lie” persisted the FCC and others all of whom did well out of it “looked the other way”.

Then the Chinese “Fast Moving Consumer Electronics”(FMCE) mass producers got involved. They just said “not interested in lying game” because it cost money. So they submited equipment for FCC approvals as PMR Ham etc etc pre programed for each “type approval” and got one or more FCC type approvals, but then sold the equipment “widebanded” leaving it to the users to program correctly to meet service provision licencing. Which ment they could sell equipment for 1/10th the price those who bought into the lie could. Users voted with their pocket.

Then others reasoned if the equipment can do it I can use it to do it as I like and “No FCC rules is gona stop me”. Which started happening about a decade and a half ago with “sport” activities, spread into “prepper” activities and in the last couple of years “political” activities some of which as seen just a short while ago were violent and organised with multiple near or real time communications channels.

So, social media has been cracked down upon, personal messaging has been cracked down upon, two way radio is now starting to be cracked down upon, which leaves mobile phones which will no doubt have a crack down start in the not to distant future as has already happened in less open societies.

BUT… The FCC has been given broadet and broader powers to cove the mess that is all consumer electronics. Just about every piece of finished consumer electronics requires an FCC number, and this has good and bad sides. On the Electromagnetic Compatability(EMC) front it has been good, but the delays and costs involved have stopped many small inovators in the US getting going. Which is one of the reasons all those dreadfully insecure IoT devices are designed and sourced from abroad with the Far East and in particular China beong the point of origin. In the ensuing race for the bottom minimum functionality is added to IoT devices all the stuff you are actually paying for is done on servers in China, which then sell on the data to cross subsidise the price of the IoT hardware.

Amazon’s anouncment implies they are also going to crack down on all “cased”[1] consumer electronics. However I very much suspect they will not, unless politics unavoidably gets involved for some reason.

Because that is what lies behind Amazon’s decision, a slowly festering loss of power and prestige in political institutions and nation state this century has come to form a ripe boil through politics. Now every one is running around trying to lance the boil and in the process a grab back and consequent over reach by institutions and state power is happening. Well like the trade war with China the most lijely loosers will be the US Citizens as more freedoms are lost and more domestic surveillance results.

[1] Cased equipment is effectively “a finished item” needing an Approvals from the regulator in charge of the juresdictional market so the FCC for the US and the various entities behined the European CE mark. There can be two types of approval “by test” and “by constructors file” the later sometimes called “self certified”. However uncased equipment can be treated as a “sub assembly” that qualified others will build into finished systems, thus does not require approval just data sheets to end up in constructors files. This cosy little “uncased electronics” arangment came about in the 1970’s with home brew computer equipment that through Apple and then IBM gave us those ISA / PCI etc cards we push into slots in our PCs if we still have them. And yes legaly you are supposed to have a constructors file for your home PC that the FCC can demand to see if your PC is found to be infringing EMC or other regulations…