Comments
SpaceLifeForm • June 25, 2021 6:20 PM
Smart Electric Meters.
Sure appears attackable via drive-by (or other). And leaky.
The operators must have been in near chaos as they forced the load shedding via radio which would not necessarily have been instantaneous. Remember, they were very close to total grid failure.
hxtps://www.dailydot.com/debug/hacker-smart-meter-texas-snowstorm/
Power companies across Texas have refused to disclose which areas of the state were exempt from controlled blackouts after a devastating snowstorm crippled the power grid in February—but one hacker has found that smart meters, the electrical devices on the sides of homes and businesses that monitor energy consumption, are quietly broadcasting data that could be used to determine what infrastructure may have been protected.
Clive Robinson • June 25, 2021 8:15 PM
@ SpaceLifeForm,
Can you do me a favour and check if,
Is the same content as you link to?
It’s just the morons in the UK tgink that connecting to what is ostensibly a security related web resource is “to dangerous for UK eyes” thus they block it under instruction from the UK Government…
It’s the same nonsense the Roman Catholic Church pulled for centuries, causing significant stagnation of mankind. The realy dumb thing is the Catholic Church were to stupid to realise that they were hurting themselves as well… All in the name of “moronic status”.
I guess “moronic stupidity” runs in certain types, especially those with strong religious connections in the previous executive and administration.
For those who have not thought about it there was a darn good reason why the framers of what is the US said there had to be strong seperation between Church and State. A look at European History might give people a clue…
Fake • June 25, 2021 8:20 PM
https://news.ycombinator.com/item?id=27632659
re
Where’s the cream filling?
Clive Robinson • June 25, 2021 8:45 PM
@ JPA,
The Post Office Ltd new darn well what they were upto, the woman in charge was an out and out psycho. But has gone on to do other well paid “government” work and failed miserably yet again,
https://www.standard.co.uk/news/uk/post-office-ceo-kevan-jones-high-court-simon-clarke-b931437.html
But like many psycho’s she believes she is doing God’s work unquestioningly,
5 million GBP in bonuses on top of wages and other perks, for doing not “God’s work” but the work of “cupid politicians” who have eyes turned away. The wages of sin and all that…
But you might also look into the History of “failed mega projects” in the UK and how a certain company that was behind the POL keeps cropping up in all of them very very profitably…
Their contract has an interesting set of clauses in it I won’t go into the nitty gritty specifics but
1, You pay all their costs.
2, You pay all the overrun costs.
3, They always own the software.
4, If they fail you have to pay them plus an exit fee amounting to atleast half the costs on top.
And quite a few more eue openers. Unsurprisingly they almost always fail on such contracts.
Then go on and sell the software to multiple others…
To say it is a scam run by crooks is an understatment.
SpaceLifeForm • June 25, 2021 8:53 PM
@ Clive
Yes, same report. Your link is cleaner.
Researcher/hacker is Hash (@BitBangingBytes).
He has some youtubes he put together, and a wiki.
hxtps://www.youtube.com/watch?v=Y_sh605Q7oA
hxtps://wiki.recessim.com/view/Advanced_Metering_Infrastructure
Dick Wriggler • June 25, 2021 8:54 PM
Snowden on self-censorship: https://edwardsnowden.substack.com/p/on-censorship-pt-1
What do you think • June 25, 2021 10:00 PM
https://finance.yahoo.com/news/microsoft-says-breach-discovered-probe-230641113.html
Their employees (customer service) are attacking customers and they are blaming it on SW.
This is not just a few customers.
Didn’t seem like Russia, they were surely Microsoft employees (at some point). They showed themselves and sent emails. Messed with AD, logs, deleted and moved files. Killed accounts.
They were impersonating numerous services, but not convincingly. Microsoft sites from within corporate O365 and calls were misdirected and seemingly hijacked. Heard roosters and clanging metal dishes in the background.
The first step is admitting you have a problem.
Fake • June 25, 2021 10:04 PM
Speaking of problems,
Where’s all the auditors?
You say HELO I say goodbye
Clive Robinson • June 25, 2021 10:18 PM
@ ALL,
Re : Snowden on self-censorship
If you read the article you will find that Ed Snowden has not drilled down far enough.
He needs to ask the question “Why?” do we find self-censorship so acceptable we do it all the time day in day out, hour by hour minute by minute…
The answer is “society expects” not just us to consider our own feelings but the feelings of others. Thus we wear “public faces” to hide our own feelings, these extend into our private lives and even most intimate moments.
Thus the old joke of the wife asking the husband,
“Does my bum look big in this?”
She realy is not asking the question because she want’s to know the answer good or bad. She knows or atleast hopes that she is going to have her ego gently stroked and assured, in short to feel a little love.
Nearly everything we say to others is, in fact self censored in some way. Why? because “Society expects” us to be that way, and except for a few who believe themselves to be some how exceptional we all are to a lesser or greater effect “Responsible to the mores of Society”
Thus it’s easy to lie those “little white lies”, but hard oh so hard to be honest with people when we actually need to be.
Thus we are “pre-conditioned” to self-censor.
Yes I know I look like the unfortunate love child of Karl Marx and a Klingon, but do I want people making it worse by saying “Hey them furrows on your brow look deep enough to plant potatoes in today”…
I think we all know the answer, most of us would prefer a sympathetic “Are you feeling OK today?” or similar, not that the actual enquirer realy wants to know how we feel, but it’s made them feel good for having asked…
We don’t just have “responsability to society”, “society has expectations of us” and it’s these “expectations” those in authority abuse to their own advantage to get the censorship they want.
SpaceLifeForm • June 25, 2021 11:48 PM
@ JPA, Fake
Where is any evidence to review if there is a MITM or a compromised computer somewhere within a network?
Cash is King.
Ismar • June 26, 2021 7:12 AM
@Bruce
The authenticity of the giant squid photo is questionable due to
1. Giant squids are not common in polar regions
2. The squid shape looks more like a Humboldt one with wider body and shorter tentacles, so a digitaly enlarged photo of one of them might have been used
3. No description of any kind as the exact location and the ship the photo was taken from
JonKnowsNothing • June 26, 2021 8:43 AM
@Clive, @All
re: COVID-19 Reinfection Update
As COVID-19 and it’s variants are making global walkabouts, and as countries have started to do more data analysis, better information on reinfections is available.
Official reinfections are 2 different sequences more than 90days apart. Everything else falls into other buckets.
USA Washington State from 10/20/2020 – 06/11/2021
10 20 2020 | 120 | suspected cases of reinfection
03 23 2021 | 968 | suspected cases of reinfection
05 11 2021 | 1361 | suspected cases of reinfection
06 11 2021 | 2 | confirmed CURRENT reinfections
UK reported 05 30 2021
15,893 | possible reinfections
478 | probable reinfections
53 | confirmed reinfections
Around 0.4% cases becoming reinfected.
* 15893 (possible) / 4,000,000 (population) = 0.00397325
* 0.00397325 * 100 = 0.397325 = 4%
Around 3% of cases have full sequencing.
* 53 (confirmed) / 15893(possible) = 0.0033348014849305
* 0.0033348014849305 * 100 = 0.3334801484930473 = 3%
BNO Global tracker
71,931 | suspected cases
149 | current cases
280 | deaths
===
ht tps://en.wikipedia.org/wiki/BNO_News
ht tps://bnonews.com/index.php/2020/08/covid-19-reinfection-tracker/
- a running tally of reinfections compiled from government reports
ht tps://www.gov.uk/government/news/new-national-surveillance-of-possible-covid-19-reinfection-published-by-phe
- report 06 17 2021 on reinfection status in UK
note: I really dislike the editing option… I don’t get it… either you cannot form a table or you cannot limit reformatting. If the lists are jumbles on publishing, they look fine in preview.
(url fractured to prevent autorun)
Anders • June 26, 2021 9:41 AM
Due to the Win11 requirements…
hxxps://twitter.com/shen/status/1408284995131645956
Luna • June 26, 2021 11:21 AM
WD My Book Live users wake up to find their data deleted
Some people buy hard drives that connect via USB; others buy ones that use ethernet (or wifi). Do you think they were aware of the huge difference in risk?
The My Book Live was a network-attached-storage device, first released in 2011—and end-of-lifed only 4 years later! There have been no security updates since, despite WD’s knowledge of some serious vulnerabilities; their advice is to disconnect the drive from the internet. Being able to access it remotely was a selling point, and I’m sure some users bought it for that while others were largely unaware.
A preview of our internet-of-things future. Remember that the 4-year timeframe measures from initial release to trashworthiness; reports say there were still sold in 2014, meaning some people may have lost support for a drive so new it was still under warranty. I don’t know how long WD expect people to use their products, but SMART says my computer’s original Hitachi drive has 80000 Power_On_Hours: nearly a decade. (A Seagate drive has been in the same RAID set since the beginning, and shows only about 10000—I guess the counter overflowed.) I’m sure that almost nobody throws away 1- or 2-year-old hard drives as a matter of policy. These internet-of-things companies always act shocked that anyone’s still using their product after 2 years; with attitudes like that, we should all wonder why anyone’s still using any IoT products. (But, hey, on the bright side, some lawyer might get you $5 off your next WD product by 2025, if you still have the decade-old receipt.)
Humdee • June 26, 2021 1:50 PM
Re: self-censorship.
I don’t buy into that schema. If one takes it as evident that humans have limitations then it is not possible for any single person to say or do everything all at once. So what is the difference between “self-censorship” and “lack of interest”? We censor ourselves all the time when we chose to talk about A rather than B. If the point is as Clive suggests that we don’t talk about A rather than B because of social expectations, peer pressure, effective propaganda, or whatever you like to call it then how is it self-censorship? It plain old fashioned censorship.
In other words, if one one hand all we mean by self-censorship is the mental faculty of attention to this rather than that then self-censorship is true but trivial and banal. If on the other hand what we mean by self-censorship doing what someone else wants us to do because of external pressures then I don’t see what the word self adds to the notion of censorship. The fact one has internalized such norms is simply an indication that the propaganda/indoctrination/education etc was successful.
Richard Wriggler • June 26, 2021 3:03 PM
Re: self-censorship.
X benefits me, but X harms others, so I’d rather not think about X. It’s not that important anyway.
SpaceLifeForm • June 26, 2021 4:01 PM
Time flys. So do bats.
hxtps://www.cell.com/current-biology/fulltext/S0960-9822(21)00794-6
Our results suggest that East Asia might have also been a natural range for coronavirus reservoir species during the last 25,000 years
SpaceLifeForm • June 26, 2021 4:51 PM
@ JonKnowsNothing, -, Clive, Moderator
note: I really dislike the editing option… I don’t get it… either you cannot form a table or you cannot limit reformatting. If the lists are jumbles on publishing, they look fine in preview.
The problem is that the order of the filters is not consistent between PreView and Submit.
Mixing Markdown and Markup in different orders is criminal.
It is absolute garbage programming by Pressable. They should be ashamed of their IT staff. Seriously kindergartener level.
I could fix this very quickly. It is not a difficult problem.
I suspect it is totally intentional.
So, just Fire-and-Forget.
Human readers will be able to parse.
Anders • June 26, 2021 5:40 PM
This WD MyBook hacking is very interesting event.
World-wide scale event.
Victims are everywhere.
hxxps://gist.github.com/phikshun/9655056
I suggest everyone go through this thread.
hxxps://community.wd.com/t/help-all-data-in-mybook-live-gone-and-owner-password-unknown/268111/
And I don’t buy for one second that this was result of
factory reset. Factory reset, that deletes all data in all
folders but leaves folders?
Factory reset was done after data wiping.
SpaceLifeForm • June 26, 2021 5:54 PM
Silicon Turtles
Someone on twitter, please request threadreader unroll on
hxtps://www.twitter.com/dwizzzleMSFT/status/1408423860848889861
Much appreciated.
Truth.is.stranger.than.fiction • June 26, 2021 6:23 PM
@Luna
WD is a data storage company. Not IoT.
It would be interesting to know whether these WD victims had O365 subscriptions that they weren’t using. Were they saving data to WD hard drive instead of OneDrive?
We need more information before we assign blame.
It is responsible for WD to identify a known vulnerability but often attackers use vulnerabilities as cover so they can keep the true attack vector hidden to perpetuate further attacks.
I cannot help but wonder if this is an extension of the ongoing Microsoft attacks.
When the Microsoft Exchange attacks were announced earlier this year their solution was that everyone should migrate to the cloud. But this was weeks after O365 attack and Cybersecurity experts should recognize the pattern here. Spectra Logic was attacked by Ransomware in March, 2021 too.
Everyone should also check their data sharing permissions which default to opt in. It is easiest in Excel – File > More > Options > LinkedIn sharing. Read the links about what is shared. Then read the blue box warnings here. https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/linkedin-integration
The announcement from Microsoft yesterday about the latest attack is that most of the victims are tech companies. I’d be very curious to know how many of them are involved in the data storage sector?
The US government also saw evidence that employees of Federal Agencies that were compromised by Microsoft, their personal Microsoft accounts were attacked too. So if any WD victims are employees of tech companies I would also make sure your employer’s Cybersecurity department knows you’ve been compromised. If your employer has the Azure LinkedIn connection enabled then perhaps this could potentially be used a way to gain access to your employer too. Remember LI was compromised in April 2021 and we have no idea where that data was from or what it contained.
Truth.is.stranger.than.fiction • June 26, 2021 6:59 PM
RE: the DOJ complaint above about deleting data. He’s in jail and his victim in this complaint is NOT listed on his LI. You decide if he learned how to execute a Golden SAML attack while at Microsoft or there are back doors?
https://in.linkedin.com/in/deepanshukher
Why all of these attacks? Is this Microsoft’s growth strategy or do their contractors/employees think this is good for job security. Are these insider attacks too?
Attackers always have reasons and deleting data is purposeful even if it seems like it isn’t.
The victim in that DOJ Complaint likely had exceptional security. This is why they immediately let him go. They probably saw him doing something suspicious before they gave him privileges access, is my thought.
Anders • June 26, 2021 7:08 PM
@SpaceLifeForm
hxxps://pbs.twimg.com/media/E4v1QK-WQAIboRi?format=jpg
SpaceLifeForm • June 26, 2021 7:10 PM
@ Luna, Truth.is.stranger.than.fiction
Excel – File > More > Options > LinkedIn
Spot the problem yet?
Start at front, goto end of chain.
The end has always been an op.
It’s not the TLA APT you might guess.
echo • June 26, 2021 7:18 PM
A comment went walkies between posting it and checking back later. I have a backup but I’m not posting it again. That’s the second time this has happened. Total loss of enthusiasm for posting on another article I found too.
Anders • June 26, 2021 7:39 PM
Sorry, but WHY those things are accessible from the
internet at THAT LEVEL?
hxxps://www.shodan.io/search?query=%22My+Book+Live%22+
lurker • June 26, 2021 9:35 PM
@SpaceLifeForm, @All
Stop The Planes!
Limo driver carrying international flight crew avoided AZ because of family history, is under police investigation for compliance with state health rules. This the person who did the AU-NZ-AU flit last week.
https://www.abc.net.au/news/2021-06-17/nsw-quarantine-worker-may-have-breached-health-order/100223120
Interstate commuter flight attendant tests positive after day at work:
https://www.abc.net.au/news/2021-06-26/virgin-australia-flight-attendant-covid19-positive/100247100
From the Truth or Fiction dept, Adam Hamdy discusses pandemics, espionage and things:
https://www.rnz.co.nz/national/programmes/sunday/audio/2018801487/the-thriller-writer-who-called-the-covid-19-pandemic
Fake • June 26, 2021 10:05 PM
re higher myths
Clive, we all know how quick you are on wayback links without the wayback where this specific site is concerned. Would you perchance have anything itching the nail bed underneath your pointer finger for the rest of us button pushers out here in no man’s land?
I’d be interested to see a semi recent curated list or a plug to an older one c np e wl or an earlier advent.
There’s a current thread on hn regarding 😉 information theory.
https://news.ycombinator.com/item?id=27642906
Depending on your view of the word classical; I AM, most classically schooled.
Maybe my question is unnecessary, thanks in advance.
I’ve been looking at calculus books on Amazon but everytime I create an account they ban me, I’m thinking about suing over lack of access to the electrical books I’ve paid for. Maybe filing a complaint with my bank at least.
Almost didn’t post this, then I realized @echo was self censuring after being frustrated over potential perceived censorship.
Insecurity is fun.
@echo, SHARE PLEASE I’m curious not @curious
SpaceLifeForm • June 26, 2021 10:55 PM
@ Clive, ALL
Smart Electric Meter infrastructure
Windows 7. On a pole. With radios. Totally secure, right?
“Don’t ask” “totally non-nefarious purposes” LOL.
hxtps://www.youtube.com/watch?v=cKhxK_8n2cc
telepathy is real and all around you • June 27, 2021 12:04 AM
Microsoft signed a malicious Netfilter rootkit 06/25/2021
https://www.gdatasoftware.com/blog/microsoft-signed-a-malicious-netfilter-rootkit
What started as a false positive alert for a Microsoft signed file turns out to be a WFP application layer enforcement callout driver that redirects traffic to a Chinese IP. How did this happen?
Last week our alert system notified us of a possible false positive because we detected a driver[1] named “Netfilter” that was signed by Microsoft. Since Windows Vista, any code that runs in kernel mode is required to be tested and signed before public release to ensure stability for the operating system. Drivers without a Microsoft certificate cannot be installed by default.
In this case the detection was a true positive, so we forwarded our findings to Microsoft who promptly added malware signatures to Windows Defender and are now conducting an internal investigation. At the time of writing it is still unknown how the driver could pass the signing process.
The first thing I noted after opening the strings view are some strings that looked encoded or encrypted. While this is not necessarily a sign of a malicious file, it is odd that a driver obfuscates a part of their strings.
I decoded the strings using the following Python snippet.
def decryptNetfilterStr(encodedString):
key = [9,0,7,6,8,3,1]
i = 0
decodedString = “”
for ch in encodedString:
decodedString = decodedString + chr(ord(ch) ^ key[i%7])
i += 1
return decodedString
Similar samples
Searching for this URL as well as the PDB path and the similar samples feature on Virustotal we found older samples as well as the dropper[2] of the netfilter driver. The oldest sample[3] signatures date back to March 2021. Virustotal queries to find similar samples via URL and PDB path are listed below.
content:{5c68656c6c6f5c52656c656173655c6e657466696c7465726472762e706462}
content:{687474703a2f2f3131302e34322e342e3138303a323038302f75}
Additionally the following Yara rule will find samples via retrohunting.
rule NetfilterRootkit : Rootkit x64
{
meta:
author = “Karsten Hahn @ GDATA CyberDefense”
description = “Netfilter kernel-mode rootkit”
sha256 = “115034373fc0ec8f75fb075b7a7011b603259ecc0aca271445e559b5404a1406”
sha256 = “63D61549030FCF46FF1DC138122580B4364F0FE99E6B068BC6A3D6903656AFF0”
strings:
$s_1 = “\??\netfilter\x00” wide
$s_2 = “IPv4 filter for redirect\x00” wide
$s_3 = “\Registry\Machine\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\\x00”
$s_4 = “Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9\x0D”
$url = "http://110.42.4.180:2080/u\x00"
$pdb_1 = "C:\\Users\\omen\\source\\repos\\netfilterdrv\\x64\\Release\\netfilterdrv.pdb\x00"
//RSDS [20] G:\\hello\x64\Release\netfilterdrv.pdb
$pdb_2 = {52 53 44 53 [20] 47 3A 5C E6 BA 90 E7 A0 81 5C 68 65 6C 6C 6F 5C 78 36 34 5C 52 65 6C 65 61 73 65 5C 6E 65 74 66 69 6C 74 65 72 64 72 76 2E 70 64 62}
condition:
any of ($pdb_*, $url) or
all of ($s_*)
}
Dropper and installation
The dropper places the driver into %APPDATA%\netfilter.sys. Then it creates the file %TEMP%\c.xalm with the following contents and issues the command regini.exe x.calm to register the driver.
Command and control server
The URL hxxp://110.42.4.180:2081/u in the decoded string listing is the server of the rootkit. The Netfilter driver[1] connects to it for fetching configuration information.
Each URL has a specific purpose.
URL Purpose
hxxp://110.42.4.180:2081/p Proxy settings
hxxp://110.42.4.180:2081/s Redirection IPs
hxxp://110.42.4.180:2081/h? Ping with CPU-ID
hxxp://110.42.4.180:2081/c Root certificate
hxxp://110.42.4.180:2081/v? Self update
IP redirection
The core functionality of the malware is its IP redirection. A list of targeted IP addresses are redirected to 45(.)248.10.244:3000. These IP addresses as well as the redirection target are fetched from hxxp://110.42.4.180:2081/s.
Researcher @jaydinbas reversed the redirection configuration in this tweet and provided the latest decoded configuration in a pastebin. The general format as observed by @cci_forensics and @jaydinbas is [-]{||…}
Update mechanism
The sample has a self-update routine that sends its own MD5 hash to the server via hxxp://110.42.4.180:2081/v?v=6&m=. A request might look like this: hxxp://110.42.4.180:2081/v?v=6&m=921fa8a5442e9bf3fe727e770cded4ab. The server then responds with the URL for the latest sample, e.g., hxxp://110.42.4.180:2081/d6 or with OK if the sample is up-to-date. The malware replaces its own file accordingly.
Root certificate
The rootkit receives a root certificate via hxxp://110.42.4.180:2081/c and writes it to \Registry\Machine\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates. The data that is returned from the server has the format []:{}
Proxy
At hxxp://110.42.4.180:2081/p the malware requests the proxy which it sets as AutoConfigURL in the registry key \Software\Microsoft\Windows\CurrentVersion\Internet Settings. The returned value at the time of writing is hxxp://ptaohuawu.bagua.com.hgdjkgh.com:2508/baidu.txt
Sample hashes
Description SHA256
[1] Netfilter driver 63d61549030fcf46ff1dc138122580b4364f0fe99e6b068bc6a3d6903656aff0
[2] Netfilter dropper d64f906376f21677d0585e93dae8b36248f94be7091b01fd1d4381916a326afe
[3] Netfilter driver, older version signed in March 115034373fc0ec8f75fb075b7a7011b603259ecc0aca271445e559b5404a1406
More hashes related to the Netfilter rootkit are in this spreadsheet created by Florian Roth.
JonKnowsNothing • June 27, 2021 12:08 AM
@ D-wop
re: microchips into people such as criminals, whistleblowers, journalists accused of “secret” crimes.
RFID chips have been used by corporations and employees have voluntarily had them inserted in order to do the Jedi Hand Wave method of logging in to their computers and opening security doors. They are normally inserted between the thumb and index finger in the web part or back of the hand.
RFID chips are used to track livestock, dogs, cats, horses, wolves, and all sorts of animals. There are more sophisticated tracking systems for wild animals. Surprising to city dwellers, rustling is big business and RFID chips can help ID the remains or recover a stolen horse that has been sold on.
Rustlers are quite automated. They back up a mobile butcher enclosed trailer to a pen of cattle or pasture and load up a few head. They kill and butcher the animals while Movin’ On Down The Road and sell the meats to people could care less about the provenance than the good deal on the Rib Eye Steaks.
A while back there was a scandal in the UK over ground meat that was supplied from an abattoir in Europe. It was supposed to be 100% beef but didn’t hit that mark by a long shot. RFID chips from horses that had been sent for euthanasia were found in the mix.
Eating horse meat varies from country to country and culture to culture but the question of how a horse sent for euthanasia ends up in a burger patty begs a few questions for the veterinarian who was paid to properly put the horse down.
Weather • June 27, 2021 12:33 AM
@telepathy
I’m running sha256 = “115034373fc0ec8f75fb075b7a7011b603259ecc0aca271445e559b5404a1406, a day to run, but by the looks 1-12 char length or not that complex 😉
SpaceLifeForm • June 27, 2021 1:45 AM
@ lurker
Fail to follow procedures, Delta flys you!
The next 12 months will be crazy, world wide, as Delta spreads it’s wings.
Clive Robinson • June 27, 2021 3:06 AM
@ SpaceLifeForm,
Someone on twitter, please request threadreader unroll on
“Simples” as the UK insurance add says,
1, A bunch of people downloaded Micro$haft Windoze 11.
2, They tried installing on hardware that Intel had wanted rid off as they want you to bleed through the nose for their new CPU’s and chips with all those nasty nasty features they will not fix.
3, True to form the Micro$haft 11 download blew up in peoples faces (renember the forced Win10 death of laptops?)
4, Now people are moaning…
Normally you would expect some Darwinism to work with supposadly intelligent individuals…
But as Apple have proved over and over “Fan-bois” are not the most usefull of light bulbs in a corridor…
I’ve not upgraded to Win10 and have no intention of doing so XP still works fine for me with Win2000 actually needed for some eyewateringly expebsive software I’ve purchased in the past.
If at some point I have a need to use such crap as Win10 or Win11 –remember it’s mainly “tinsel on top” to push other products,– I’ll either get someone else to pay for it, or I’ll buy the cheapest bit of consumer kit that will work, then bill somebody for it. That way it files the,
“Douglas Adams S.E.P. criteria”
And I can get good cardiovascular excercise passing the buck onto them in a very very direct and firm way, moving on to defenistration if required.
[1] People speak of the “pachyderm in the room” because well when grey they are kind of obvious and try though you might, you can not ignore them they are just a little to… However paint it neon pink and add accessories then you can pretend “Grandma Lil has not left yet” thus safely ignore it. Thus making it invisable to concious thought not very difficult,
https://hitchhikers.fandom.com/wiki/Somebody_Else%27s_Problem_Field
[2] Cardiovascular excercise being vigorous and requiring large amounts of air to be moved in and out of the lungs can be obtained in many ways, wild gesticulation and annunciation for a minimum of your 20mins a day can do wonders for lowering your stress and bad hormone levels… As for the person who might consider themselves the object of invective, well clearly they are to “it’s all about me” so are very much into dirty office politics and the like, so should be painted neon pink and accessorized untill every one can safely ignore them, except of course when the need for a cardiovascular workout is required 😉
SpaceLifeForm • June 27, 2021 3:09 AM
Just checking on the status of the Ever Given
Now just over 3 months ago.
Haggling. Just settle for $500m, and move on.
hxtps://www.egypttoday.com/Article/1/105208/Egypt-s-court-of-Ismailia-adjourns-hearing-for-upholding-seizure
But, alas, I find another ship grounded. Room to work around in this case.
Climate change at work, changing history by changing behaviour.
hxtps://splash247.com/low-water-level-in-argentinas-parana-river-causes-french-bulker-to-run-aground/
Clive Robinson • June 27, 2021 3:27 AM
@ D-wop,
I was just reading an article the other day about embedding microchips into people such as criminals, whistleblowers, journalists accused of “secret” crimes.
That sounds like made up conspiracy nonsense.
However animals do get regularly “ID-Tagged” for “pet-pasports”, “Stock Control” and indirectly via bright orange ear tags in the food chain.
The most common use in humans currently is in the chest or arm for medical reasons. Such as heart monitoring and blood glucose monitoring.
Whilst not an issue for heart monitoring other sensors stop working fairly quickly due to the build up of a “fibroid” around the device.
In a way it’s the human bodies equivalent od making pearls in oysters.
Some years ago there was a “transhumanism fad” where people were injecting all sorts of crap in their bodies including highly dangerous lithium batteries, one guy actually built in a microphone and recorder… As those that just put tiny quater matchstick size bar magnets in found, they,start of fine. But fairly quickly become useless due to the fibroid. The problem is whilst the fibroid does eventually get reabsorbed by the body often the functioning of nerves does not…
Thus there are or will be all sorts of issues about compelling people to have chips installed.
After all we do not generally look kindly on chopping off the hands of thieves or the cutting out of toungs for not telling the truth, castration or the removal etc of body parts or the stopping of body parts functioning (on the eye for an eye principle).
SpaceLifeForm • June 27, 2021 3:28 AM
Climate change
The two links below provide two graphics. One is ships, the other planes.
If you can, combine the images in your minds eye. Maybe with the help of some evil device like the Ames Window.
And then, remember that those two graphics do not include trains, automobiles, etc. Including people.
Seems like a lot carbon dioxide every day.
hxtps://www.marinetraffic.com/en/ais/home/centerx:-84.0/centery:1.4/zoom:2
hxtps://www.flightradar24.com/-10.65,33.65/2
Clive Robinson • June 27, 2021 3:51 AM
@ Fake,
Not sure what you are asking for.
Most undergraduate stuff on Information and the statistical mechanics that come up in it are available as freely downloadable PDFs from Uni Course web sites.
Whilst calculus can be seen as the search for the infinitesimal the truth is it’s actually not much use in the real world out side of mathmatics as anyone who’s tried to apply it to a real world engineering problem has found.
Information theory can be thought of as finding meaning in noise and the limits of communication in “bound systems” which all real world systems effectively are.
The use if the word “entropy” in infornation theory has as much impact on the real world as it’s thermodynamic equivalent.
The problem is it’s “beguiling simple” as an idea, that is it is a measure of “what is possible” not “what is” and that can cause people problems the way the ideas about infinity did back in Cantor’s time when he showed with a proof that there was and always would be an infinity of infities within finite bounds.
Mind you, you do not have to go back that far in time to find that zero caused significant problems for those studying mathmatics… Most of us these days accept the fact of zero as nothing but actually still do not realy understand the implications of it. Some one once observed nature does not do nothing it simply changes something to something else. So like bubbles under wallpaper as you hang it, pushing down on one only makes others pop up some place else.
Clive Robinson • June 27, 2021 6:39 AM
@ SpaceLifeForm,
Fail to follow procedures, Delta flys you!
Apparently it “packed it’s bags” in the USA,and got into Australia via air-crew… The Australian Government know exactly who the member of Air-crew is from testing, but apparently that information has been given to US authorities to “follow up on”.
I’ve not seen any US MSM stories to say the US authorities have followed up on it…
Also it then “community spread” via a “private hire” limo driver, who denys it’s him. And guess what… another entirely different person who is airline crew for Virgin got infected.
The five Virgin Airlines flights that the infected aircrew member worked on are as follows:
VA939, Friday 25 June: departed Sydney at 11.51am and arrived in Brisbane at 1.25pm;
VA334, Friday 25 June: departed Brisbane at 2.59pm and arrived in Melbourne at 5.16pm;
VA827, Saturday 26 June: departed Melbourne at 9am and arrived in Sydney at 10.14am;
VA517, Saturday 26 June: departed Sydney at 11.14am and arrived in Gold Coast at 12.40pm;
VA524, Saturday 26 June: departed Gold Coast at 1.26pm and arrived in Sydney at 2.47pm.
Thus has we presume infected others on those flights.
One thing we can say is this Delta varient just loves the “mile high club”…
What is politely called “Greater Sydney” is now in lockdown effecting 6million people, with something like thirty new cases in the last 24hours bringing the number infected up to over 80 people… So prolific as well as upwardly mobile…
I guess the next question for the geneticists to answer is how it got to the US from India, something tells me we won’t get told any time soon enough to make a difference, the dice have rolled and peoples numbers have come up…
It’s all so sad considering we could have stoped it and exterminated it more than a year ago if not for politicians and their cupidity.
Winter • June 27, 2021 7:31 AM
@Clive
“I’ve not seen any US MSM stories to say the US authorities have followed up on it…”
Why the blame game?
It is clear quarantine and/or testing procedures were ineffective. Punishing the person’s will not help. Punishing the “guilty” is almost always a diversion from doing something that is really effective.
Instead of trying to punish a random victim, the procedures and their enforcement should be evaluated and, maybe, reconsidered?
Truth.is.stranger.than.fiction • June 27, 2021 8:41 AM
@telepathy is real
Thank you for posting about the Microsoft Chinese rootkit malware. That is really important. Here’s more information. https://www.bleepingcomputer.com/news/security/microsoft-admits-to-signing-rootkit-malware-in-supply-chain-fiasco/
Has anyone else wondered how Western Digital LAN and direct attached devices were concurrently accessed and terabytes of data siphoned from all of the world? The attack had nothing to do with WD. Somehow the attackers knew which users had these devices and were able to bypass their password and firewalls too.
On Friday Microsoft said that a few technology customers were attacked by a customer service agent’s tools. But Microsoft uses Confluence Quick Assist for remote support. Quick Assist requires users accept install and then approve access. So it would not make sense that stolen customer service tools were used to compromise customers. Unless customer service also has a Golden SAML tool at their disposal.
At what point will the US Federal Government start upholding law? Why isn’t this Obstruction of Justice? How much more damage needs to happen before someone does something? Or do our laws only apply to people who cannot afford lawyers?
Obama’s EO 13556 is also clearly violated. PII is not permitted to be sent overseas. This isn’t only happening to gaming devices. This malware was distributed in Windows Defender. Not a supply chain attack. Microsoft signed and distributed it.
Grinsga • June 27, 2021 11:02 AM
If God projects reality from timeless state in a similar way how a light projector in a movie theator projects light and film is like our essence of our awareness what we call “I” or our programming(speech, actions or sometimes our intentional thoughts which are like a lightning strikes that touches the earth. All these are exactly similar to thunder, light and electricity before raining) then the reality is like screen. They can’t change the God’s natural projecter’s characteristics but they can influence the film that runs infront of it so that we perceive modified version of that projector. Thats what religions do. They created a false idea of love which is like a screen on which the reality projects. As long as our consciousness is not overcommed these false or inverted layers of love we end up percieving modified version of reality. They call it as the “tenet effet”. Symbolically, its like a small plane that which is traveling between two poles, while it moves forward the pushed air pressure hits the pole infront of it and the resulted ripples affect its tail so that it can affect its navigation. Just replace plane with a person and air with time and pole with inverted idea of love. The radio, tv, books, internet, porn, vaccenes lot of things comes under this tenet effect. They know what programming(especially speech and actions) causes what projection in reality. We are greatly influenced by third party entities due to this. They can control our mind. We get influenced by them more or less because its our natural innate nature. Thats what happenning. They made them as religions and social norms and now as science and technology. Thats what a modern world is all about. Thats what internet is about, it captures our words. A near complete system that enslaves humanity through artificial belief based on inverted ideas of love like a combined projection of just three satillites that covers 95% of earth’s suface. Lot of us do not even know we are are being “tenet effected” means what we do now is because what happend in past. If they influence our “now” that means they affected our past.
B-bop • June 27, 2021 11:07 AM
@Clive, Winter
Its a good thing western civilized societies dont cut hands and tongues out for lying and stealing. However, im curious about what oversight or recourse for a victim that might genuinely not know, or possibly not have done anything wrong. For instance if that person happened to come across something “sensitive” and didnt realize it, but others are convinced of a security threat, the “guilty” might seem as if they are suspicious because how can anyone challenge or contest an accusation with facts in which they have no conception of? Anyone can make accusations and manufacture evidence.
Weather • June 27, 2021 11:14 AM
@telepathy ,truth is
I think Microsoft used one of there in house number generator then Hash’s that for there code signing, maybe someone in China can self sign.
The numbers generator is like
For(end of dllstr)
V = dllstr[]
V1 = 0x45
V2 = v2 * v
V2 = v2 + v1
)
Sha256(v2)
They have used things like that in win2k7 programs, so just guessing.
Anders • June 27, 2021 12:59 PM
Regarding WD My Book wipe – I’m starting to
think WD cloud was compromized. A lot of NAS’es
were behind NAT router, remote access disabled etc.
Only cloud would provide access at that level.
This is also the reason why this hasn’t happened
so far albeit exploit is public.
They took over the cloud and then controlled those
devices just like in case of Botnet.
Master Of Puppets
lurker • June 27, 2021 1:33 PM
@Truth.is.stranger… @telepathy…
Not a supply chain attack. Microsoft signed and distributed it.
Wouldn’t a stolen certificate be a supply chain attack? Creating the illusion that MS signed. It’s been done before…
Weather • June 27, 2021 2:37 PM
@telepathy, truth is
Its done 76% ,it might be a md5 hash that was feed into sha256. I’m pretty sure its less than 12 bytes a 8 byte would fit for the first 32 byte number.
Weather • June 27, 2021 2:51 PM
Private key 2048 -> md5(old DLLs saved getting update) -> sha256
Backwards compatible, maybe the private key wasn’t stolen, how long would it take to bruteforce 2048 bit with md5?
lurker • June 27, 2021 3:14 PM
Tabloid Headline of the Day:
Why do you need Russian Hackers when you’ve got British Busstops
https://www.euronews.com/2021/06/27/us-russia-britain-navy-documents
Fake • June 27, 2021 4:39 PM
If there’s an ML algorithm out there that +1s CAPS LOCK and profanity it’s news to me.
man and simm • June 27, 2021 4:59 PM
@intind44 You seem to describe what JulianAssange’s technologist described in his “chaos computer club” utube video as ‘Intimidation Surveillance’.
I call it “Systematic Radicalisation” because it is never as benign as it initially appears on the surface. R.A Wewun published a paper on it, but the upshot is, “since you can never afford to battle it, try to focus your mind vigorously and masterfully on joyful times ahead: THAT is your weapon.”
May sound simplistic, but this is 10 millennia old war craft, often funded by an endless ocean of money from complicit Western tax-payers.
“Ignore it, just as you might when your child is having a fit.”
No link for you yet.
Peace. Not everyone is a murderous freak. Care for your self, and sleep well.
Anders • June 27, 2021 7:17 PM
Seems like all the regulars are tired with this
namecalling and also i am.
Moreover, since i don’t have always high end computer
at hand that satisfies the modern browser requirement
that is needed for TLS, i’m cutted out. I have brought
up this issue several times, no single feedback or change
whatsoever from our host. Since he don’t care and i can’t
connect here from my older systems, i leave.
And i leave you one hint regarding WD hack. Handle with
care. I MEAN IT. Wget !!!
hxxp://213.217.0.184/w
Winter • June 28, 2021 12:39 AM
@-
“Can I suggest “DO NOT ENGAGE” as that is part ot the Troll-Tools plan to worm their way in so that their nonsense can not be easily deleated.”
That is a good point. I can address my message better, indeed.
Thanks for the tip.
SpaceLifeForm • June 28, 2021 1:36 AM
@ Clive
Looks like Hash found a hardcoded key in the collector box win7 code.
Whether or not their is a protocol to replace the key via radio, unknown so far.
I suspect not. Though I can envision why there would be a hardcoded key. Who wants to be lifted up via bucket truck to update the software in the box on the pole? And then the next pole some blocks away. And the next…
In other news, I did actually nail my Portland, Oregon forecast for Sunday. 112F
Not too bad considering I’ve never been there. I feel for the people there, because that is way, way, way above normal for Portland.
Checking on ‘the little engine that could’, it’s not even a tropical depression yet, but it is visible via satellite. The disturbance has not fallen apart yet.
It’s marked #2 on the graphic.
hxtps://www.nhc.noaa.gov/gtwo.php?basin=atlc&fdays=2
JokingInTuva • June 28, 2021 1:51 AM
Smart Electric Meters: @SpaceLifeForm, @Clive Robinson
hxtps://dailypopulous.com/2021-06-25-evening/exclusive-hacker-reveals-smart-meters-are-spilling-secrets-about-the-texas-snowstorm.html
hxtps://www.dailydot.com/debug/hacker-smart-meter-texas-snowstorm/
Quite interesting! Thanks!
Still, one thing I see a little bit misleading in the article is that in fact the ‘attack’ is not deciphering data, as it points out:
“Hash spent weeks in the wake of the snowstorm collecting, analyzing, and deciphering the data streams …”
This would imply some issue in the encryption being used or the associated key management, etc …
Checking the video from HASH (https://www.youtube.com/watch?v=Y_sh605Q7oA) it looks that the issue is a design flaw allowing some sensible info (location, uptime, …) being broadcasted encoded but in clear. Then HASH is not really decrypting, but decoding the info in order to build the nice maps, etc
Do you agree?
Clive Robinson • June 28, 2021 3:32 AM
@ SpaceLifeForm,
You might want to see the “probable” projection of #2,
https://www.nhc.noaa.gov/gtwo.php?basin=atlc&fdays=5
However my gut says it’s going to be not quite that “straight track” thus there is a chance it will go north a bit and continue to build as it turns to go up the eastern seaboard… Which means it could then head off for Scotland in a week or three and make another mess up there as some have in the past.
I’m not putting any money on it… But then I’m not going to go anywhere on the UK west coast then either.
We’ve had rain with extra added rain with a few downpours sprinkled on top over night in London which is a bit much even for the notoriously fickle and sometimes tempestuous “longest day” weather period in England.
People tend to forget that “global warming” for most humans is not realy about long term averages, but short term extremes that can cause crops to be destroyed just before harvest etc.
But if you want one indicator… Back about a quater of a century ago a small group of parakeets escaped/released in “Strawberry Hill” west London. Since then they have become endemic in and around most of South London and increasingly SE England. They are an invasive spiecies (from Brazil) and have almost entirely displaced / killed off the native Starling population. Last night I had twenty seven of them sitting on the fence and god alone knows how many in the trees. They were not just loud but apparently unafraid of humans…
So “Do we have “climate change?” well it appears to be increasingly hard to argue against one way or another.
Clive Robinson • June 28, 2021 3:53 AM
@ JonKnowsNothing,
Since somebody else asked, and you are “collecting” data points,
Not definitive evidence of Delat VoC escaping, but certainly cause for a raised eyebrow or three…
Winter • June 28, 2021 4:18 AM
@Clive
“Not definitive evidence of Delat VoC escaping, but certainly cause for a raised eyebrow or three…”
Not really. The efficacy of Sinovac against SARS2 infection is not very good.
The quoted article is rather imprecise. COVID is the disease. If you are a-symptomatic, which is what the article talks about, you are infected but do not necessarily (yet) have the disease.
Dozens of doctors were hospitalized, which is the really important statistic. But the efficacy of Sinovac against severe disease is ~80%, which means that if 100 unvaccinated doctors would have been hospitalized, only 20 would have been hospitalized if they all had been vaccinated.
ht tps://qz.com/2018838/what-we-know-about-efficacy-of-sinopharm-sinovac-vaccines/
Weather • June 28, 2021 5:51 AM
@telepathy ,others
It say the input to that malware netfilter hash has these chars, numbers ,capital letters
1c-1f,21,2f,31,3f,41-4f,6d-6f,70-73,91-9f,a9-af,b0-bb,f1-fe
Takes to long on my hardware to try 8-12 char length.
SpaceLifeForm • June 28, 2021 3:21 PM
@ JokingInTuva, Clive
Do not confuse attack with collection.
The wardriving Hash did was to collect non-encrypted data. It was plaintext bit stream data. He figured out the format of the bitstreams. He figured out how to interpret the bag-o-bits.
A hypothetical attack is a potentionality. As far is known, it does not exist in the wild.
He is still researching. He explicitly has not revealed the key he found, as that could lead to attacks.
He is doing the research to prevent attacks.
The easiest attacks these days would come from inside the orgs allegedly managing the infrastructure. Those that control the supply chains that your life depends upon.
If there is a pipe, you are at their mercy.
Water, Gas, Electric, Sewer, Mail, Transportation, Internet.
Critical infrastructure.
Is there any wonder why fascists do not want solar to be viable?
SpaceLifeForm • June 28, 2021 3:43 PM
Critical infrastructure
hxtps://breakingdefense.com/2021/06/cisa-publishes-cyber-bad-practices/amp/
[Note: I totally disagree with changing passwords every X days. That is security theatre. If you work at an org that requires this, then that should tell you that they do not want put in the effort at proper security. They are basically telling you that they do not trust that your password hash will not be exfiltrated. They are telling you that they do not know up from down. They are telling you that you probably are working amoungst dummies. Because those that know better are not working there.]
ADFGVX • June 28, 2021 4:18 PM
@ SpaceLifeForm
Note: I totally disagree with changing passwords every X days
So why am I getting that sinking feeling that someone has been looking over my shoulder and it’s time to change all my passwords all over again?
SpaceLifeForm • June 28, 2021 4:21 PM
Insider attacks
It took 6 hours, but shows that if people pay attention and speak up, bad decisions can be reversed.
The short: Youtube took down RWW.
I’m very confident this will be covered by techdirt and others soon.
Don’t bother to google this yet, their hands are dirty.
SpaceLifeForm • June 28, 2021 5:23 PM
@ ADFGVX
Like most people, you use a lot of left-handed keyboard characters in your password. You need to mix in more right-handed keyboard characters to increase the entropy.
If needed, you write it down on a yellow post-it, and stick it under the keyboard.
The key, is to put it upside down sticking to the bottom of the keyboard.
That is important. It must be upside-down. Otherwise, the chip in the keyboard can leak the password.
😉
Don't feed the Bears • June 28, 2021 5:38 PM
“Amazon is reportedly unconcerned about the hiccups and bad press that result so long as sufficient numbers of drivers are available to replace those whose accounts are mistakenly terminated.”
If at first you don’t succeed; file bankruptcy, liquidate and reconstitute under a new corporate charter.
Freezing_in_Brazil • June 28, 2021 7:32 PM
@ SpaceLifeForm
Regarding the Paraná river.
Thanks for the post. I was unaware of the incident.
There is no chance of opening Itaipu’s floodgates. The Paraná basin upstream [southeastern Brazil] is under severe drought conditions – that’s what contributed to this incident. This drought is becoming the big topic of discussion down here, along with the pandemic. When (if?) the pandemic recedes, hopefully at the end of this year, or early next year, this issue will dominate the entire southern cone agenda [as well as the next year presidential election in Brazil – The cumulative effect of the pandemic plus the drought may help bringing the nation to its senses [it is likely Bolsonaro will lose]. And yes, Climate change qualifies as the ultimate cause. It used to be [or feel] markedly colder and wetter when I was a child – so, a change perceived within a person’s lifetime.
As we speak of a large mass of cold, dry air moves across the region. This is the big one cold mass of the year – when it happens it normally leaves behind a stationary high pressure system [dry air] that will last until November. The wet season usually starts at the end of November. This year it is not certain that there will be a wet season. Prospects are dire.
SpaceLifeForm • June 28, 2021 8:17 PM
@ Freezing_In_Brazil
Thank you. Seriously. Thank you for paying attention. Thank you for responding. Thank you for communicating.
You made me cry. Happy tears.
Last check, the ship was free.
Climate Change. Not good.
We must communicate to solve problems.
“This is the world we live in”
“the land of confusion”
Weather • June 29, 2021 12:28 AM
@slf, others
I’ve spent most of my adult life looking at energy gennys.
I’ve invented a pmm in 2011 and built a prototype. It worked until the glue gave way.
You have two cube neos you sperate them by 1.5 * there dimeter, you Aline it with north and south on the centre X axis, you Aline the second on the Y axis but on the X axis.
You place two gears with the centre neo fixed, the gear ratio is 570 degrees per 180 degrees, what happens is the north gets pulled and turns to the centre south, it keeps on spinning trying to catch its tail.
And yes it does work, but I doubt you will believe me.
@mod can you not delete this post.
Clive Robinson • June 29, 2021 12:46 AM
@ SpaceLifeForm,
If you work at an org that requires this, then that should tell you that they do not want put in the effort at proper security.
Or…
They have the misfortune to work with the likes of “The Payment Card Industry” who have moronic “Auditing Check Lists”, because the auditors the “industry” employ have trouble counting their fingers with one hand holding a clipboard…
What we need is a legal / regulatory requirment to stop the use of Passwords by oh I guess it should have been 1975, but 2025 might make an achievable date.
But I must admit I’m waiting for people to realise that “Single Sign On” is just madness dressed up like the butler in a Victorian melodrama.
SpaceLifeForm • June 29, 2021 1:23 AM
WX.
Even though my prediction of Sundays high temp in Portland, Oregon at 112F was correct, I would not have called for the Monday high of 116F.
The models are getting better, but IMO, still rely upon too much historical data.
The models need to throw out the data that is over 5 years old.
That is how fast the climate is changing.
When the weather patterns get stuck, I always look for a disturbance in the force. A hurricane that disrupts the pattern.
The disturbance I have been watching is now looking like it might get going. May see some circulation in next 24-36 hours. Time will tell. If it stays on westerly course, and can slide into the Gulf of Mexico between Yucatan and Cuba, it could be a major.
SpaceLifeForm • June 29, 2021 1:54 AM
WX
Someone that has the compute power, please, just take any of the current models, roll a new one that throws out any data over 5 years old. Seriously. You will spot trends that are being hidden because of the use of old data.
It’s not like this is rocket science. 😉
Clive Robinson • June 29, 2021 1:59 AM
@ SpaceLifeForm,
Regards WX
Time will tell. If it stays on westerly course, and can slide into the Gulf of Mexico between Yucatan and Cuba, it could be a major.
Danny proved stronger than the prevaling SW to NE off shore and has thus gone inland.
But as I thought it might, the prediction for the 2nd proto-trouble is starting to turn north and I suspect people in Florida’s East coast are starting to think it’s time to start getting in a few supplies, if they did not for when Danny went twirling by like Cinderella’s Skirts at Disney.
SpaceLifeForm • June 29, 2021 2:33 AM
@ Weather
I got it, but I don’t get it. Need a diagram. Do they need to be cube neos? How do you keep the gears engaged? Are the gears metal? What do you mean by the diameter of the cube? Is there 3 neos in this picture?
I know my ellipsoid neos will not work, but they sure can wobble.
I can totally envision. Just need a better picture in my minds eye.
JokingInTuva • June 29, 2021 2:42 AM
Smart Electric Meters: @SpaceLifeForm
"He is still researching. He explicitly has not revealed the key he found, as that could lead to attacks
Where is HASH talking about that Keys and not revelaing them? In some of those videos?
(sorry, I could not locate it…)
Weather • June 29, 2021 2:43 AM
@slf
They have to be cubed,the neos I used were 10mm3 spaced 15mm apart, and plastic toy gears, one was 12mm dia, can’t remember the other size, the smaller dia gear is the one that rotates around itself and also rotates around the fixed center one. The magnetic pull into with tangent force 45 degrees no matter what angle position it is at. I though about adding a rod with bushels to stop coming in or out separation wise, but didn’t do that. Just two, they both start on the same x axis, but the outside one faces y axis, the fixed x axis.
JokingInTuva • June 29, 2021 2:44 AM
Smart Electric Meters: @SpaceLifeForm,
"He is still researching. He explicitly has not revealed the key he found, as that could lead to attacks"
Where is HASH talking about that Keys and not revelaing them? In some of those videos?
(sorry, I could not locate it…)
Weather • June 29, 2021 3:07 AM
@slf
I used a 2d magnetic sim, so the z axis might not have to be 10mm. I think the centre plastic gear was 22-27mm, you don’t need the separate rod, the pull in a circle direction but in as well. The sim gave direction of force, the 570/180 degrees keeled the force always pointing in a circle anti clockwise. If the centre is on the left, with S facing the right, with north up and south down both on the X axis.
SpaceLifeForm • June 29, 2021 3:29 AM
@ JokingInTuva
hxtps://twitter.com/BitBangingBytes/status/1409283738752765952
Fake • June 29, 2021 6:32 AM
Many many many middle men
https://9to5google.com/2021/06/28/google-verification-code-sms-ad/amp/
Front end, back end, every end?
Could be a vpn ‘appending’ an https downloaded sms, I just opened the link there don’t seem to be allot of answers just yet.
JonKnowsNothing • June 29, 2021 10:17 AM
@Clive, All
re: Sinovac Vaccine Failure
As you know, all the vaccines have “failures”, this is the other portion of the Effectiveness Percentage.
Sinovac had low effectiveness to start with around 50.4%.
From the Brazil Trials 01 12 2021
*…even if it’s crap it’s better than nothing *
From 06 04 2021 Sinovac-CoronaVac failing Gamma, Delta, and Lambda. Right after the WHO approved the vaccine for use 06 01 2021:
Reports of C19 outbreaks in Early Adopter Countries. 2jabs not enough. Re-Vaccinations starting in those countries with outbreaks using other vaccines.
Chile Uruguay Bahrain Seychelles Dubai
As long as the Rich Countries demand their Patent Protections in order to Max Profit (and there is a lot of that), the Poorer Countries are stuck with
*…even if it’s crap it’s better than nothing *
Or as most of the Really Poor Countries might say
*…we don’t even have the Crap Vax, we have nothing, we just die *
Russian Sputnik is getting disappointing results too. Sputnik Light has had better early reports.
One thing about China and Russia, they at least have tried to help.
JonKnowsNothing • June 29, 2021 10:30 AM
@Clive, SpaceLifeForm, All
re: Delta is not The Delta(1) but the tide is rising
Masks Off June 15 2021
Masks On June 28 2021Delta B.1.617.2 in California
May 4.7%
June 14.5%
===
1, The Delta is a geographic name for an area of California. Very popular for vacations on houseboats. The over all area is important to the State economy.
ht tps://en.wikipedia.org/wiki/Sacramento%E2%80%93San_Joaquin_River_Delta
ht tps://en.wikipedia.org/wiki/Sacramento%E2%80%93San_Joaquin_River_Delta#Recreation
The Sacramento–San Joaquin River Delta, or California Delta, is an expansive inland river delta and estuary in Northern California. The Delta is formed at the western edge of the Central Valley by the confluence of the Sacramento and San Joaquin rivers and lies just east of where the rivers enter Suisun Bay. The Delta is recognized for protection by the California Bays and Estuaries Policy.[1] Sacramento–San Joaquin Delta was designated a National Heritage Area on March 12, 2019. The city of Stockton is located on the San Joaquin River on the eastern edge of the delta. The total area of the Delta, including both land and water, is about 1,100 square miles (2,800 km2). Its population is around 500,000 residents.
ht tps://www.latimes.com/california/story/2021-06-28/as-delta-variant-spreads-l-a-county-recommends-everyone-mask-indoors
L.A. County urges everyone to wear masks indoors as Delta variant spreads
With the highly contagious Delta variant of the coronavirus continuing to spread statewide, the Los Angeles County Department of Public Health is recommending that all residents wear masks in public indoor spaces — regardless of whether they’ve been vaccinated for COVID-19.
- California Vaccines are: Pfizer, Moderna and J&J
(url fractured to prevent autorun)
Clive Robinson • June 29, 2021 11:07 AM
@ SpaceLifeForm,
With regards the Weather outlook at,
https://www.nhc.noaa.gov/gtwo.php?basin=atlc&fdays=5
Just looked and, whilst Storm Danny is now off of the prediction maps…
Another wave appears to be building behind what was the second. And what was the second has now moved up from “low” and looks like it’s going to be further north still and might miss the Lesser Antilles and hed into the gulf or up to Florida… thus of concern to some.
Or to quote their forcast,
”
1. Disorganized showers and thunderstorms continue in association with
a tropical wave located over the tropical Atlantic, about 850 miles
east of the Lesser Antilles. Some slow development of this
disturbance is possible later this week and this weekend while the
system moves westward to west-northwestward at 15 to 20 mph, likely
reaching the Lesser Antilles by Wednesday night.
* Formation chance through 48 hours…low…30 percent.
* Formation chance through 5 days…medium…40 percent.2. Shower activity associated with a tropical wave located about 800
miles southwest of the Cabo Verde islands has become a little
better organized since yesterday. Additional slow development of
this system is possible during the next several days as it moves
generally west-northwestward at about 20 mph.
* Formation chance through 48 hours…low…10 percent.
* Formation chance through 5 days…low…20 percent.
“
What’s that old saying about “It never rains just pours…”
SpaceLifeForm • June 29, 2021 4:40 PM
@ Clive
The wave I have always been watching is the one in yellow. The orange wave has developed faster than I expected. It apoears to me that the latter is making westward progress faster than the former. Probably due to more favorable trade winds as it is at a lower latitude. Both could end up interacting, and could influence their respective trajectories. It could be a double wammy, and Cuba gets hit hard twice.
Time will tell. Mother Nature is a Honey Badger.
SpaceLifeForm • June 29, 2021 5:43 PM
@ Weather, Clive
I still can not envision your Rube Goldberg device.
So, there are three gears, and the two magnets are joyriding on the outer two gears?
Does this only appear to work because the magnets are not actually perfectly symmetrical?
Won’t it eventually get stuck at some point?
Fake • June 29, 2021 5:49 PM
RealID for the real world, the author wants a copy of your eyes and eventually maybe he’ll provide a universal basic income… So I guess don’t forget to scan your kids eyes too.
Maybe pre register everyone you know while they sleep one eye at a time.
And, delightfully:
Weather • June 29, 2021 6:22 PM
@slf
Just two sets of gears top and bottom on the z axis. The centre neo is fixed in place with the gear’s and the outer neo that can move has gears.
( ) ( –)
( [N S]. )( N. )
( center). ( S. )
( ) (–)
The right goes up and rotates anticlockwise and spins 570/180 degrees, it didn’t seem to get stuck as the gears turn it at fixed spacing.
-------- -------
-N. S- - $ -
-------- -------
$ is south facing you.
Weather • June 29, 2021 6:40 PM
@slf
The picture got muded
Buy
2 * 10mm3 cube neos
2 * 12mm plastic toy gears
2 * 27mm plastic toy gears
Some glue
Weather • June 29, 2021 6:54 PM
@slf
Just two sets of gears top and bottom on the z axis. The centre neo is fixed in place with the gear’s and the outer neo that can move has gears.
++++++(+)++++++(+-+)
++++([N S]+)++(++N++)
+++(+center+)(+++S+++)
++++++(+)++++++(+–+)
The right goes up and rotates anticlockwise and spins 570/180 degrees, it didn’t seem to get stuck as the gears turn it at fixed spacing.
=============+====
——–+++———
-N++++S-+++-+++$+++-
——–+++———
=============+====
$ is south facing you
@mod can you delete the duplicate post above, thanks
SpaceLifeForm • June 29, 2021 7:04 PM
@ Clive
Interesting. EMFI hacking.
hxtps://limitedresults.com/2021/06/enter-the-efm32-gecko/
Clive Robinson • June 29, 2021 7:41 PM
@ SpaceLifeForm,
EMFI hacking.
Nice to see a new generation getting a bit of fun out of such tricks.
Mind you I’ll give LR their due, they published, which is more than I did after the first run in I had with one major hardware manufacturer who basically tried to set their corporate sharks on me…
The trick with the “local eddy current” has other uses at lower power, if you can locate the part of the chip with the AES hardware on it you can use “cross modulation” to get the key to leak out…
You can also “mung-up” any hardware TRNG etc to give a more or less known output…
And a few less interesting things.
The obvious defence is to put a “shield plate” inside the chip, but that just means stepping up the game a bit…
SpaceLifeForm • June 29, 2021 7:44 PM
@ Weather, Clive
I’m starting to see the fog in the mist.
I knew that it had to be more than 3 gears.
Which you were not clear on.
It will still get stuck at some point. The gears will wear down. The geometry will change. May take a long time.
Still, it is very interesting.
Fail • June 29, 2021 9:10 PM
Meh, I’m tired. Here’s a link to one of those higher myths.
Escape! an aaa64 story.
https://googleprojectzero.blogspot.com/2021/06/an-epyc-escape-case-study-of-kvm.html
JokingInTuva • June 30, 2021 2:06 AM
Smart Electric Meters: @SpaceLifeForm
hxtps://twitter.com/BitBangingBytes/status/1409283738752765952
OK, thanks!!
That code snapshot looks like something reverse engineered from the .Net Collector (hxtps://youtu.be/cKhxK_8n2cc?t=190)
Winter • June 30, 2021 2:37 AM
@Fake
“And, delightfully:
https://blogs.sciencemag.org/pipeline/archives/2021/06/29/what-mrna-is-good-for-and-what-it-maybe-isnt
”
Very good explanation of the pitfalls of mRNA technology in anything other than vaccines. The main feature/bug of injected mRNA is that the body is very keen on, and efficient in, clearing it. That is a bug in almost every application. But it is a feature in vaccines.
There is a lot of talk in using it to “vaccinate” against cancer cells. The problem in using the immune system against cancer cells is not that it does not recognize the cancer cells. It very often does. But when you get a tumor, that is already a sign that the cancer has found a way to fool the immune system in leaving it alone. In practice, this means that the cancer cells put a brake on the immune system. Cancer immune-therapy currently works by lifting that brake. That is a very dangerous approach and can lead to serious, and lethal, auto-immune reactions against various healthy cells and organs. Not something you will try if there are other options available.
I think the author of the blogpost is right, any other mRNA applications might be decades away.
Fail • June 30, 2021 7:16 AM
https://research.swtch.com/hwmm
Hardware memory impl aspects v multithreading
Related to race conditions and safe design very easy reading for beginners.
Multi platform
Freezing_in_Brazil • June 30, 2021 11:29 AM
I used to live in a university town [upstate São Paulo], which is also a meteorological research hub. I have many friends in the area, and I fondly remember the many balloon launches that I witnessed years ago. I’m a meteorology geek, and I hardly ever start my day without scanning the weather conditions across the planet.
It’s nice to see that members here, notably @SpaceLifeForm, @Clive Robinson, are also interested in the topic [and very knowledgeable at it, btw]. It is a passionate science for those who are connected to nature and enjoy the challenges of chaos.
Cheers
Freezing_in_Brazil • June 30, 2021 11:42 AM
@ JonKnowsNothing
The Delta is a geographic name for an area of California. Very popular for vacations on houseboats. The over all area is important to the State economy.
It is ironic to think that the Greek alphabet was adopted precisely to avoid associations with geographic regions…
Winter • June 30, 2021 12:00 PM
@Freezing
“It is ironic to think that the Greek alphabet was adopted precisely to avoid associations with geographic regions…”
The Delta is a general a abbreviation for a river-delta. You find them everywhere. I suppose you could call the outflow of the Rio Santana in São Paulo a river delta. My own country is one big delta.
Freezing_in_Brazil • June 30, 2021 12:40 PM
@ Winter
The Delta is a general a abbreviation for a river-delta. You find them everywhere. I suppose you could call the outflow of the Rio Santana in São Paulo a river delta.
No doubt about that, yes. 🙂
I was under the impression that he was some region in California called “Delta”. I was speaking in terms of socio-cultural identity. I did not express myself well. Sorry.
Freezing_in_Brazil • June 30, 2021 12:48 PM
Correction
I was under the impression that he was some region in California called “Delta”
I was under the impression that he was talking about some region in California called “Delta”
Freezing_in_Brazil • June 30, 2021 1:12 PM
@ Winter
I didn’t mean to sound rude, but now I feel that, for the sake of truth, I must say there is no river Delta in São Paulo. A famous authentic Delta in Brazil [and S. America] is the Parnaiba Delta, in Northeastern Brazil.
There is also a town in Brazil called Delta.
*Look up “Delta do Parnaíba”
Regards
Weather • June 30, 2021 1:38 PM
If anyone wants a project, turn a mouse with a laser/senser into a microphone, by measuring x/y values with something like getaysnickey(); 😉
Winter • June 30, 2021 1:40 PM
@Freezing
“I didn’t mean to sound rude, but now I feel that, for the sake of truth, I must say there is no river Delta in São Paulo.”
No worry. Quite possible that there are no deltas.
SpaceLifeForm • June 30, 2021 3:30 PM
Bit Rot, Content Rot, and Procrastination Principle
hxtps://www.theatlantic.com/technology/archive/2021/06/the-internet-is-a-collective-hallucination/619320/
SpaceLifeForm • June 30, 2021 4:14 PM
@ Clive, Freezing_in_Brazil
It looks like NHC has given up on the wave that I have been watching for a week now.
It is not clear to me why. I see no discussion of wind shear. But, they are sure convinced that the wave behind it will get going.
Models using old data. May be a problem.
I’m not convinced that NHC is correct.
Note that both waves are still on the path that I expected. To cut into Gulf of Mexico between Yucatan and Cuba.
Time will tell.
lurker • June 30, 2021 4:39 PM
@SpaceLifeForm: re bitrot
Zittrain is one of the Gods of the ‘net, not because he has the answers, but because he understands the questions few others do…
SpaceLifeForm • June 30, 2021 8:58 PM
When you follow the money laundering, you get a slow news day
hxtps://www.fincen.gov/news/news-releases/fincen-issues-first-national-amlcft-priorities-and-accompanying-statements
hxtps://money.usnews.com/investing/news/articles/2021-06-30/firms-face-owner-disclosure-as-uae-acts-to-avoid-dirty-money-list
SpaceLifeForm • June 30, 2021 10:23 PM
Twitter working again. Allegedly, the problem was in New York. Why the problems were noticed world wide is curious.
Or, maybe not.
Fail • June 30, 2021 10:40 PM
I’m keeping this out of the ‘evidentiary software’ thread.
“shocking … just how routine secrecy orders have become” –Tom Burt
When was the last time the DoJ sent a subpoena to the Linux foundation for our emails? I think they just red team or target downstream operations on kernel.org don’t they?
I would’ve checked my email but opensmtpd has been airgapped for a year now.
Clive Robinson • June 30, 2021 10:41 PM
@ SpaceLifeForm,
It looks like NHC has given up on the wave that I have been watching for a week now.
Two reasons might be,
1, They turned South.
2, They have run out of steam.
There may be a cold/dry weather front coming down from the North West across the US causing one or both effects.
But the forcasters have obviously decided the two weather waves are disipating and won’t become cyclonic.
But that third wave, is not so much a wave as a depression with defining edges, thus has a high probability of not just cyclonic behaviour but increasing cyclonic behaviour upto or above storm levels. At a thousand miles out, it’s got about 40hours of “build time” in it which will with a little advantageous help of sun and wind get “the kettle to boil”. If it does it will tighten up increasing the thermal energy density, thus causing more thermal energy to get drawn in and rise and so on. There is insufficient data to say if it will get to a critical point or not where “inertia wins”[1], but it looks like the forecasters think it will.
[1] Think of it the same way you would a jet engine, you need a degree of inertia for it to get going and be self sustaining.
Fail • June 30, 2021 11:29 PM
@slf,
Okay, figured out the first. It’s not down, it’s under duress.
@mouse,
jiggly poof
lurker • July 1, 2021 12:42 AM
@Clive
The Atlantic article is dull, dull, dull, and to wordy and wooly.
But the same might be said of many articles in The Atlantic. Zittrain seemed to be aiming for a non-techie audience. Imagine explaining automatic transmission to your aged aunt who rarely drives furher than the shopping mall. Now you and I might be aware of the implications of entropy in a finite universe, but I’m happy to be an intellectual snob and suggest that topic might not be top of the shopping list for many readers of The Atlantic,
Historians know this, it’s why they seek out history where we dispose of our rubbish, the middens, graveyards and other such places.
Umm, aren’t those called archaeologists? Most of the historians I have known have insisted on written records. Except for a small subset called “oral historians” who deal with societies that avoid writing.
Clive Robinson • July 1, 2021 4:16 AM
@ Lurker,
The route of Archaeology is the same as it is for Archive, and in effect means “past record”.
Yiu will find several online dictionaries that give you,
“Archaeology : the study of ancient cultures through examination of their buildings, tools, and other objects”
So what is a “historian” well firstly like scientist it’s an overly broad term and covers archaeology within it.
At least on definition has a historian as a “chronicler” of past events through records and objects.
But what is it a historian actualy does that distinguish them from say an archavist or librarian?
Actually not as much as you would think, and it falls under on of those “lets think of a fancy shmansy word ending in “-ography”, –the root of which I’ll let you look up,– with the word “history” smacked on the front. So we end up with the term “historiography”. Which when looked up gives,
Historiography : the writing of history based on the critical examination of sources, the selection of particulars from the authentic materials, and the synthesis of particulars into a narrative that will stand the test of critical methods.
In other words “authentic materials” is
1, Some peoples treasure or collectables.
2, Other peoples junk they have discarded but is still available from what ever pile of junk/rubish it happens to be found in.
Thus I guess your definition of a historian and distinction from an archaeologist would boil down to,
Historian : a person who hypothesizes on the work of others, because they want to keep their hands clean and not get down in the dirt of reality as others do…
The effectively discredited aristolian approach not the working newtonian approach to gaining knowledge.
Oh I suppose I should “declare my interest” and that I might be somewhat biased. As you might have seen from my past comments I have had a significant side interest in industrial archaeology for most of my life. From as a child actually finding the lost gun powder mills that in part caused the defeate of Napoleon[1] (I triped over an over grown lump of foundations in woodland) with my mother who was an archaeologist and historian through to these days where age and ill health stops me getting out in the field safely.
[1] Yes capatilist war mongering and selling weapons to the enemy was rife even back then. The gun powder mills in leafy England were actually selling gun powder to Napoleonic forces. As it turns out what the mills concerned sold was bad powder causing weapons to be shall we say unreliable. Sulfur is not needed in gunpowder for it to “explode”, but is if you want consistant performance in fuses / explosive trains etc. It is, especially needed when your igniter is what used to be called a “match” which is a low burn temprature slow burn piece of cord. No sulfur or too little means your rifle does not fire and with muzzle loaders that means what you are left with is little more than a club… Likewise exploding cannon shells need a timing fuse, and of course so do grenades…
https://www.compoundchem.com/2014/07/02/the-chemistry-of-gunpowder/
Fail • July 1, 2021 9:35 AM
back chatter from exxon at gizmodo
w comments
https://news.ycombinator.com/item?id=27698751
game on!
Fail • July 1, 2021 9:59 AM
sparkfun v enterprise class trolling
Fail • July 1, 2021 11:33 AM
And…
Now we’ve just got to get the banks to sign on and start the weeding process.
I don’t see a list of actual participants yet
Clive Robinson • July 1, 2021 11:45 AM
@ The usual suspects,
Signal’s murkier parts are getting another little re-boil again,
But whilst the “ghost idea” of GCHQ etc can be made to work and would be more in line with a Signal’s Intelligence Agencies “arms length” attack method.
The simple fact remains is Signal’s security end points are in the wrong place, as are all “connected” consumer device security end points currently.
winter • July 1, 2021 12:04 PM
@Clive
“The simple fact remains is Signal’s security end points are in the wrong place, as are all “connected” consumer device security end points currently.”
You simply ask for the impossible. There is absolutely no secure communication channel. Even meeting in person is insecure (how to set up a secure meeting?)
A quote from “The Hitchhiker’s Guide to Online Anonymity”
Will this guide help you protect yourself from the NSA, the FSB, Mark Zuckerberg, or the Mossad if they are out to find you? Probably not … Mossad will be doing “Mossad things” and will probably find you no matter how hard you try to hide.
ht tps://anonymousplanet.org/guide.html
(URL fractured for your protection)
Clive Robinson • July 1, 2021 2:49 PM
@ Winter,
You simply ask for the impossible.
Far from it, provided you put your security end point beyond the reach of your opponent, the the opponent has only three choices,
1, Accept you have secure comms they have to attack the security of directly which may be impossible.
2, Find another “technical” way around your security end points.
3, Find another “non-technical” way around your security end points.
There is absolutely no secure communication channel.
Again not true as it requires the impossability of an omniocular, omnipresent, thus omniscient opponent. That currently only exists as some kind of “night terrors monster inside your head” that “Sees all you see, knows all you know, and goes where ever you go”. That is a nonsense instilled in the very young to gain power over them, and is frequently oracticed by religions to ensure obedience.
The reality is all real opponents are resource bound and the resources they have are far from perfect, though technology is improving their abilities. But importantly there are infact techniques that exist where “knowing everything you know” and “seeing everything you see” is insufficient.
So lets look at point 1 above, is it possible to have a secure comms channel that an opponent can not attack? The answer is “Yes within what we currently know”.
That is it is currently assumed that we do not live in a purely determanistic universe, therefor non-determanistic processes can be used to create streams of unpredictable bits. These in turn can be used to communicate a message between two parties, that a third party can only guess at the meaning of. That is,
“To a third party evesdropper, seeing a commnications C of length N bits any bit pattern they can formulate of N bits or less[1] is equiprobable.”
Thus within certain rules the secure communications of a message is not just possible it’s inherent in our current understanding of the laws of nature.
The real issue though is you have “moved the problem” that is both the first and second parties have to have copies of the unpredictable stream of bits for the communication of information between them to be completed. As importantly though, no other party should have a copy of this stream of unpredictable bits.
Whilst a second channel for communications of the copy of the unpredictable bit stream is required it has the advantage of enabling amoungst other things “time shifting” that works for the first and second parties against any other parties.
Without going into details there are actually ways to ensure that a third party can not gain sufficient information if they are neither omniscient or omnipresent for the technical attacks covered by point 2 above. You do this by using certain unproven but thought likely to be true theorems such as the use of “One way functions”. Other technical attacks in point 2 can usually be dealt with by appropriate OpSec precautions that have long been established.
You can even come up with a system that with care stops the most likely non technical attacks in point 3 above. That is you can make a message not just deniable “covert”, but deniable by the first party if the second party “betrays” them to a third party. It’s a consequence of unpredictability. Whilst the bandwidth of such a channel is usually small it can not be eliminated by an opponent. Thus it is possible to have a third party see all the messages as though they were sent as a “broadcast in the clear” such systems have been in use quite successfully since WWII and are reasonably well documented.
In short where information is to be communicated, it can contain other information within it as a consequence of structure and thus redundancy. Even if as a third party opponent you think you have eliminated all structure within your system, you actually can not stop the first and second parties overlaying structure on your system except by stopping all communications between them.
It is by the way the actual reasoning behind what some call “Special Administrative Measures” which we know has already failed in various ways. People tend to forget the absence of something is actually a message in it’s own right, that people have usefully used (warrant canaries being just one example).
[1] Actually it’s a bit more complicated due to “redundancy” it is possible to compress messages with “structure” prior to being communicated so the actual message could be longer than N bits[2].
[2] However structure in messages does not convey information it duplicates it in some manner thus is “redundant” so the actual information content of the message would still be N bits or less. Structure is mostly used in communications to ensure the correct transmission of information in an imperfect communications channel[3].
[3] For various reasons it is best to remove all structure from a message prior to encoding it for communications, then add any structure to ensure the communications is received correctly outside of the information encoding. The primary reason for this is “structure” by it’s presence acts as a discriminator making one or more possible guesses at the message content more probable than others. Structure thus significantly helps a cryptanalist when the first party makes the mistake of sending two messages encoded under the same nondetermanistic stream of bits (look up Chi Squared statistical method).
Winter • July 1, 2021 4:38 PM
@Clive
“The real issue though is you have “moved the problem” that is both the first and second parties have to have copies of the unpredictable stream of bits for the communication of information between them to be completed. As importantly though, no other party should have a copy of this stream of unpredictable bits.”
That does not solve the security of the end points, except if you do everything by pencil and paper. That limits the number of partners and the length of the messages severely. A little bit like the system used by the ANC.
ht tps://mybroadband.co.za/news/security/131822-how-the-anc-sent-encrypted-messages-in-the-fight-against-apartheid.html
It might still work, but the amount of information that can be exchanged and the number of partners it can be used with is so limited that no one will even bother to go after you.
The basic problem is that security is non-conposable. It is possible to construct secure components, e.g., Signal’s communication channel, but the whole system is still likely to be insecure.
Solutions like yours might be made secure, but they are brittle and require very strong opsec.
SpaceLifeForm • July 1, 2021 5:38 PM
@ Clive, Winter, ALL
you actually can not stop the first and second parties overlaying structure on your system except by stopping all communications between them.
This is ultimate bottom line.
Solutions like yours might be made secure, but they are brittle and require very strong opsec.
This is true. Security is hard.
The key is to securely transmit a key.
If you think that transmitting a key securely via numbers stations is not possible, you have not been paying attention.
If you have energy, one can transmit a key via radio.
No one is in position to stop radio.
Except that which you do not want to think of.
@ Winter,
That does not solve the security of the end points, except if you do everything by pencil and paper.
Whilst “pencil and paper” offers some security benifits, they are not the point of contention.
The problem is realy “human” not technical. That is,
1, Humans are lazy.
2, Convenience trumps security.
It’s reasonable to assume that if you set up,
3, A general communications end point,
4, On a public network
Then,
5, The world and his dog can reach it.
Further it is reasonable to assume that,
6, A current consumer level device is in no way secure.
So 5&6 says “the device is owned” therefore everything on it is not secure and all security end points on it can be simply walked around to any plain text user interface.
The only logical conclusion is to move the security end point off of any device where 5&6 hold true.
However that does not mean “Pen and Paper only” far from it. Whilst “5&6” is not secure it does not mean that “6&7” is insecure. But what is 7? Obviously it is some form of mitigation that logic dictates negates “5”. Which in turn logically dictates negates “3”, “4”, or “3&4”.
Thus a TI or similar programable calculator could be used instead of “Pencil and Paper”. An older computer, a microcontroller development board and even a mechanical device such as an old mechanical calculator with the “carry” from digit to digit removed.
Even a new computer with certain “modifications” will work as a secure node if it does not have any external communications connections.
The problem is that whilst there are a myriad of technical mitigations available,the real mitigation as evidenced by more recent Law Enforcment Successes is to mitigate the side effects of points “1&2”.
Points 1&2 are where all the security failings that matter happen, as long as they are not mitigated then people can not have Privacy, nor in this day and age those rights laid out in the 4th Amendment,
“The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”
That is you need to get people to give up being totally lazy and reliant on convenience.
As Benjamin Franklin once put it,
“Those who would give up essential liberty, to purchase a little temporary safety, deserve neither liberty nor safety.”
But ask a judge where the real problem is… As Justice Louis Brandeis noted,
“The greatest dangers to liberty lurk in the insidious encroachment by men of zeal, well meaning but without understanding.”
Combined paves the road to a fate worse than slavery…
Fail • July 1, 2021 5:54 PM
Fun for profit entities
https://news.ycombinator.com/item?id=27705548
“It’s a shame we don’t have a better mechanism for this”
Makes me feel warm and squishy inside, kind’ve like an executable stack and an http connection back home.
Clive Robinson • July 1, 2021 7:49 PM
@ SpaceLifeForm,
If you think that transmitting a key securely via numbers stations is not possible, you have not been paying attention.
Many many years ago now, I used to run a fake numbers station.
The reason was to “hold a frequency”.
Back in the days of “HF Pirates” it took very little power to “cover the world” but you had to change frequency during the day.
Thus your chosen frequency would get stolen out from under you unless you “protected it”. So withba hacked up bit of hardware on my Apple ][ it was not that difficult to generate apparently endless random strings.
So when the “radio station” finished at the end of the weekend the “numbers station” went straight on air.
The funny thing about numbers stations is they scared people… Whilst active radio stations might get another station come over the top of them few dared jam or go over the top of a numbers station…
Why I don’t know maybe they were worried that Natasha or Boris might come knocking in a forcefull way…
Any way it was many years ago now and is already well into four decades… But hey the Apple ][ still works as does the old program I wrote to get the numbers…
As for the transmitter, that was made with valves/tubes and it’s long since been scrapped for other things. But the Philips cassette recorder amazingly still works on the same old rubber drive band…
JonKnowsNothing • July 1, 2021 8:39 PM
@- • , All
re: The 4th Amendment
“The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”
A good while ago, General Michael Hayden (retired), former Director of the National Security Agency, Principal Deputy Director of National Intelligence, and Director of the Central Intelligence Agency (the Big Ones), explained the 4th Amendment very succinctly during an interview (televised) (1).
It does not mean what you think and there are a couple of important bits that get missed.
- Definition: search
- Punctuation: comma
The critical part is this: “unreasonable searches”.
- Unreasonable searches require a warrant
- Reasonable searches do not require a warrant.
The NSA and others for a long time have defined All Searches to be “Reasonable”, for the same reason FISA searches take ALL because “Relevant now means All”.
The 4th Amendment only applies in the USA.
Once your citizenship has been revoked and you have been returned to your ancestral country, or you have been jurisdiction hopped, the 4th doesn’t apply to you anymore.
Rendition overrides the 4th Amendment along with other legal aspects.
===
1, The video tape of the interview is likely still on-line. General Hayden was lampooned widely at the time. No one is laughing now.
ht tps://en.wikipedia.org/wiki/Michael_Hayden_(general)
ht tps://en.wikipedia.org/wiki/Eats,Shoots%26_Leaves
Eats, Shoots & Leaves
- A panda that eats bamboo shoots and bamboo leaves
or - A gunslinger that shoots first and then leaves the scene
ht tps://en.wikipedia.org/wiki/Foreign_Intelligence_Surveillance_Act
(url fractured to prevent autorun)
SpaceLifeForm • July 2, 2021 12:29 AM
PrintNightmare
There are advantages to not having a printer connected to a windows machine.
Besides saving on ink.
hxtps://www.kb.cert.org/vuls/id/383432
The Microsoft Windows Print Spooler service fails to restrict access to the RpcAddPrinterDriverEx() function, which can allow a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system.
Winter • July 2, 2021 12:33 AM
@-
“Thus a TI or similar programable calculator could be used instead of “Pencil and Paper”. An older computer, a microcontroller development board and even a mechanical device such as an old mechanical calculator with the “carry” from digit to digit removed.”
How many people can use such a system? Can you honestly advice this to all your (grand-)parents, (grand-)children, and other relations? Do you expect your average woman or man in the street to be able to use this productively and securely?
Such a system puts the benefits of encryption far out of reach from a large majority of the people.
But in the end this discussion about the imperfections of secure communication is a lot like the old discussion arguing against using HTTPS everywhere. We found out the hard way that these arguments were advanced by those who wanted to spy on all internet traffic. Although HTTPS/SSH etc are far from perfect, they have made spying much more expensive and thus improved our collective privacy and security (a little).
If everyone switched to end-to-end encrypted communication channels, this would again improve our privacy and security a little.
Winter • July 2, 2021 12:37 AM
@SLF
“If you think that transmitting a key securely via numbers stations is not possible, you have not been paying attention.”
I must admit that I am not able to set up a numbers station to communicate with my relatives. And even if I could, I am sure they will not use it to communicate with me.
lurker • July 2, 2021 1:56 AM
@Clive
Whilst active radio stations might get another station come over the top of them few dared jam or go over the top of a numbers station…
Why I don’t know …
If I were your adversary I would want to keep your frequency clear so I could get clean recordings for post-facto analysis
@Winter:
Such a system puts the benefits of encryption far out of reach from a large majority of the people.
Is a false argument.
How many people can use such a system? Can you honestly advice this to all your (grand-)parents, (grand-)children, and other relations?
They learned to do much harder and with good reason as they knew what you apparently do not.
But your argument is esentially the usual do nothing defeatist one of,
“To old, to lame or to infirm to keep up with the herd when it panics and runs blindly, therefor you are left as the easy meat.”
Yes with luck our fate is to become Old, Lame, and Infirm with time, but it is not a crime, especially one that carries a death penalty from a younger more able generation.
You “do nothing defeatist” argument can be shown to be an existential argument for the whole species.
Because to make no change in oneself to a changing environment just encourages those that live by predation even if they predate mindlessly to thrive and predate on the younger the fitter and healthier till there is no herd to find safety in numbers.
We learnt that to survive as a spicies we had to reach for what apprared unreachable, grasp it, learn to first bend it to our will then make it easier to use, thus common place, normal and then of no thought to use.
Think of how we went from lightning in a stormy night through to not even thinking just flicking a switch to turn darkness into light. And what that means for modern society.
My grand parents when young children in the 1890’s and later knew how to use “flint and steel” to make sparks turn them into embers, then to flames to light fires, candles, oil lamps and coal or carbide gas lights. They knew how to use a mantal and optics to get white light where they wanted it. Would you claim that what they did was too dificult because you yourself can not do it? Or more correctly never had need to learn?
The history of mankind is reaching out for that which becomes necessary no matter how unreachable. If it is possible, a few reach it, those of high status may pay others to have it brought within their reach. But in turn they make it more reachable to others then to any who want to use it.
When you look at history a clear pattern becomes clear. Those with status, jealously seek for the almost unreachable to use as a mark of their status. They see themselves as the gods that hold fire over the heads of those they see beneath them. Thus they seek to hold what is necessary for the growth of society from society…
But ask yourself a question,
“What price status?”
As little as three hundred years ago life was short, nasty, brutal, painful and uncomfortable in just about every way for everyone King to commoner. We do not have to live like that today, so would you be King of old or commoner today?
Status is in short a mental aberration, to have it means denying others so you can keep it. It is every bit as destructive as other apparently incurable mental disorders, and mankind historically evolves around such disorders.
So whilst you may think what is to hard for you to do should not be attempted. We know not only is such a level of security possible, it is more importantly reachable by individuals with what they have around them. What is stopping it becoming reachable by all is,
1, Those who do not want to learn.
2, Those who do not want society to evolve.
And they do this for their own mental aberrations, to keep their unwarranted often unearned status that they are in all probability congenitaly incapable of holding onto without the assistance of others. Status is at best a peacocks tail and is as detrimental to the species.
It’s been shown that unreachable as many thought privacy is not just possible but graspable by those who chose to. As they chose to it will become increasingly reachable, eventually becoming a natural part of society.
Those who argue against privacy have reasons to do so, usually because they’ve been sold FUD or sell FUD. The fact that those who believe themselves to have status thus god hood try to stop progress to privacy should speak volumes to you.
The cautionary aspect is that those who sell FUD to maintain not status but actual power know that if they can sell failure after failure to people they can make what is reachable appear unreachable thus stop people chasing after it for a time. They also know that if they can sell “broken systems” that can not give privacy then they can hold off privacy for even longer.
What you see currently is a desperate rush to force everyone into using broken systems so that unbroken systems will be incompatable with the broken systems the masses end up using.
Thus to fight back is doing society a favour not just in the short term but in the long term, all you have to do is,
“Teach the young, for they will take your knowledge and use it to create a better future that all will enjoy.”
Winter • July 2, 2021 3:54 AM
@-
“But your argument is esentially the usual do nothing defeatist one of,”
No, security is hard. If the UI is difficult, (fatal) errors will be made. ALWAYS.
ht tps://www.cracked.com/article_19776_6-disasters-caused-by-poorly-designed-user-interfaces.html
People can lead happy and productive lives without needing to know how to hand-craft cryptography. I am pretty sure only a handful of the people visiting this website will even try to do their encryption by hand. And for any type of program, the basic message has been for decades not to roll your own cryptography.
The worst cryptography is the one that is not used. Forcing people to spend more than half of their time communicating on “overhead” is not sustainable.
This is not about people being stupid, but about being able to do complex and dangerous tasks safely on a daily basis, with a hangover and after a sleepless night.
Subscribe to comments on this entry
Leave a comment
Sidebar photo of Bruce Schneier by Joe MacInnis.
JPA • June 25, 2021 4:25 PM
Very interesting article from Lawfare on use of “evidence” based on software and the dangers associated with that.
ht tps://www.lawfareblog.com/dangers-posed-evidentiary-softwareand-what-do-about-it