Zero-Click iPhone Exploits

Citizen Lab is reporting on two zero-click iMessage exploits, in spyware sold by the cyberweapons arms manufacturer NSO Group to the Bahraini government.

These are particularly scary exploits, since they don’t require the victim to do anything, like click on a link or open a file. The victim receives a text message, and then they are hacked.

More on this here.

Posted on September 1, 2021 at 6:14 AM • 34 Comments


Hedo September 1, 2021 6:51 AM

Sadly, most of us have contributed to the rise of all these monsters around us.
Most of us fed it.
Of course, as I always say: this opens up many new opportunities in terms of rising demand for “dumb” phones. Just phones. Not today’s mobile, hand-held, pocket-computers.

I don’t want to stray off topic too much but I have been wondering about the past civilizations. Think of it this way: if present humans were able to progress so much technologically in such a short period of time, AND we can all kind of see where we’re going – self destruction, just makes me really wonder how many times, on how many planets has human race evolved, then ka-boomed everything and then moved on to the next planet. Nice place – we’ll take it. Greed will consume human race – again. It’s the biggest flaw in human genome.

Wayne September 1, 2021 8:52 AM

Just continues to prove that computer security is very tough and always an on-going game of whack-a-mole.

Apple occasionally ticks me off with iOS changes and I sometimes think about changing to a flip phone with a 4G hotspot – they do exist – plus an iPod Touch to maintain the usage of certain apps, music & podcasts, and data stores.

MikeA September 1, 2021 9:55 AM

Dumb phones are really alleged dumb phones. All you have is the manufacturer’s word that there are no back doors, or maybe the carrier’s word that they are locked. The complexity of mobile communications means that there is plenty of haystack to hide that needle.

A while ago I tried an experiment of using the builtin modem of a (very) old laptop via the headset jack of a dumb flip-phone. The idea was to make sure that (barring some amount of metadata from SigInt. Always a risk) my security endpoint was not on the same device as my communications endpoint. Even dead-simple 300 baud FSK did not work. Apparently the “compression” (seems to be more like Voder/Vocoder) used on 3G phones has a very low “spectrum sample rate”, and combined with crap echo-suppression-suppression, makes this a no-go.

When my carrier announced deprecation of 3G, I moved on to a “4G” phone, which in theory supports better audio, but I’m not holding my breath, because I regularly get dropouts in metro centers, and multi-second “echoes” with about 1 to 3 second lag, messing up even speech.

As a guy who used to do telemetry at 1200bps over analog mobiles (9-pin RS-232, Hayes commands), back in the day, I have a hard time looking at this as progress. A dumb-phone could of course provide something similar, but it would be over WiFi or Bluetooth, which have sufficient “hair” to preclude having an “obviously no errors” dumb laptop. A few flip-phones ago, I had one that supported a roughly similar “wired” connection, from the manufacturer, but the carrier disabled it.

All a long-winded way of saying that the “dumb phone” can still be reporting its position and “tapping” conversations when enabled by its real owner, let alone blocking messages that might be “inconvenient”, so “Trust, but Verify” is going to be the best we can do, forever.

Steve September 1, 2021 9:56 AM

Hm. I wonder whether these attacks could be used to plant kiddie porn on someone’s iPhone and then trigger Apple’s SCAM . . . er . . . CSAM alert system.

It would be a nice way of eliminating enemies or at least creating huge amounts of trouble for them.

Winter September 1, 2021 10:16 AM

“A while ago I tried an experiment of using the builtin modem of a (very) old laptop via the headset jack of a dumb flip-phone.”

Why not split the “computer” and communicator part?

Have a cheap 4G phone which you use for voice calls and sms. Use it as a hotspot and couple a tablet with no phone for the digital work. Run all digital communication over VPN or https/private DNS or Tor or whatever suits your need.

This way, the phone part does not see what the computer is doing. You can even put the phone in a different room from the computer/tablet/sim-less phone. Also, the computer part is not accessible from the 4G network. You also have control over the time the 4G part has access to the computer part. And if you are caught with the 4G phone, the incriminating computer part can be somewhere inaccessible.

TimH September 1, 2021 11:34 AM

If JavaScript is turned off under settings for the browser, does that prevent calls by iMessage to JavaScriptCore?

Hedo September 1, 2021 11:40 AM

I love your comment. I love it very much.
I, more often than not, forget about this little detail
which you now reminded me of: “when enabled by its real owner”.
Man, oh the irony. Sir, you are BRUTALLY down to Earth. Just cold hard truth (them two words in bold). Thanks for the reminder (Reality Check).

Who? September 1, 2021 12:19 PM

There is no such thing as a zero-click iPhone exploit. The first thing to do to be compromised is buying one of these spyPhones from Apple, a device we buy but we do not own; the second thing to do is using a smartphone for a task it has not been intended, share and/or store private information.

When will we finally accept we cannot use technology for something it has not been designed for?

We have the right tools for our work, we just need to accept they must be used in the right way.

This is not Apple’s fault for having that bug in their software. This is not cyberweapons manufacturers fault either. It is our fault for not using technology in a clever way.

NSO Group and other cyberweapons arms manufacturers would be filing bankruptcy if people learned how to use technology to their benefit.

So, it is our fault and only our fault.

lurker September 1, 2021 2:13 PM


“The first thing to do to be compromised is buying one of these spyPhones from Apple, a device we buy but we do not own;”

Bling, driven by what used to be called Madison Ave. Can you resist?

“the second thing to do is using a smartphone for a task it has not been intended, share and/or store private information.”

It’s getting tiring trying to explain that I do not want, will not use, the easy-peasy apps touted by my doctor, my bank, even newspapers…

Like @MikeA, I also did 1200 baud on analogue circuits, so I find it bedazzling what’s going on in the little plastic slab in my pocket. I am using @Winter’s suggestion, using the phone as a hotspot, but not yet to the extent of VPN or Tor. The worst enemy I am aware of is the carrier who is also the ISP, and is selling my netflow data…

“So, it is our fault and only our fault.”

The answer seems too simple, use a dumb phone. But it’s not just Apple, newer Android phones also no longer have “simple” SMS. Why is a bloated “messaging” app necessary? Is there really no demand for naked SMS?

SpaceLifeForm September 1, 2021 5:16 PM

@ MikeA

I think you could have made it work.

On laptop, you encrypt message, then pipe that as hex into a morse voice synthesizer.

I am only half joking.

MarkH September 1, 2021 6:34 PM


I’ve commented previously on this site — in some detail — on the difficulties of using modems even with today’s landline connections, which in some cases incorporate high-compression VOIP links.

So I’m not surprised by the results you found via mobile. Even very simple modem protocols may be sensitive to time jitter, which was practically non-existent in voice connections in the 20th century.

Though it’s a useless experiment, I wonder whether Bell 101 (110 baud) could survive the audio mangling.

MarkH September 1, 2021 7:02 PM

@MikeA, pt. 2:

Even the most “modern” voice links are supposed to transmit speech at some level of intelligibility.

With present technology, I suppose it to be manageable to realize a “phoneme modem,” achieving data rates up to several kilobits per second.

Probably the signaling of such a modem would make a remarkable impression for human listeners.

echo September 1, 2021 10:00 PM

Thinking of exploits and leaky applications, Microsoft seem very keen to get developers to use Webview2 runtime in their applications. They really cannot let go of pushing their web engine and it’s been a nightmare ever since it was integrated with Windows or a requirement. One VPN provider who shall not be named decided it was a smart idea to make Webview2 a prerequisite. For the life of me I cannot imagine why.

Yes nice one. I thought the install had frozen but no it was merrily downloading a 100MB+ file over my hotspot/tethered 4G phone I use to connect to the internet without telling me first. One search and a system restore and reboot later…. I downloaded the original off Microsoft just so I knew what was going on. At least put a download progress bar in and a cancel button which does something! So anyway if you were an NSA target installing a VPN you’ve just been stuffed by your own VPN provider.

As for phones I have a number of different phones for different purposes and they have very little on them. They are mostly used as phones, or for SMS, and email and almost nothing else. I have old school backups for some things too. But SMS? I looked on in horror this week as I read the changelog for the next update which mentioned additional features and bug fixes. Can’t we just have a very dull and boring SMS application and keep it that way?

These people just cannot stop meddling and forcing their entire worldview on every single bit and byte which isn’t nailed down.

lurker September 1, 2021 10:45 PM


“Can’t we just have a very dull and boring SMS application and keep it that way?”

Nope. It is essential that SMS cannot be accessed in the unadorned manner the telco supplies it. It must for Mothering Sunday be used with an app that inter alia
parses ICC color profiles;
renders Adobe Photoshop PSD data;
decodes JBIG2 data within PDF files;
that’s as well as the old trick of opening urls to web, mail, and wherever.

Note that one of the targets was described in the article as “accidentally” opening a link whilst attempting to copy it. To copy a link from SMS on my Android device, the only sterile method I have discovered is @Clive’s pencil and paper. If the underlying link is not the same as the on-screen text, who loses?

Winter September 2, 2021 2:19 AM

@echo, lurker
“Can’t we just have a very dull and boring SMS application and keep it that way?”.

That is Amerika, you only can get what we put on the menu. You cannot have a side order of toast, because it is not on the menu.

We do have plain bread, and a toaster, but you only can get it with the lettuce, mayonnaise and chicken on top:

Five easy pieces, with Jack Nicholson

MikeA September 2, 2021 11:46 AM

“…not split the “computer” and communicator part?”

That’s what I did. Any encryption would be done on the (8085 based) laptop, with a 300baud (audio) byte-stream connection to the dumb phone. I knew (from having used telephones back when one only got really crappy connections on “long distance”) that I would need some sort of FEC.

I even toyed with the idea of the laptop using Lucifer or Snefru, for the lulz because just the location and call meta-data that cannot be avoided would be enough to hang me if I was actually conspiring against national security. The idea was a proof of concept, but BER was abysmal.

Using the on-phone hotspot means somehow finding a WiFi or Bluetooth device and driver for the laptop, as the one I (deliberately) chose is too old for either, and lacks a modern OS. Both RF protocols are well-known for security failures, some possibly deliberate, so inviting the vampires into your security endpoint home is game over. This is why I chose a wired, opaque byte stream.

“On laptop, you encrypt message, then pipe that as hex into a morse voice synthesizer.”

Getting closer. I have considered dropping the bit rate to 45.45 and using a Weitbrecht modem, for a couple reasons.

1) The modern audio channel is just not capable of full duplex, even when the Tx and Rx center frequencies are well separated. Weitbrecht is half-duplex, so not as messed up.

2) There is probably still some “TTY” comms going on, so less of an obvious target.

I’d have to build a modem that could connect to the laptop serial port, and either use that with a USBserial to my “head end”. The original concept involved a few connectors and passive components.

Or, the head-end could use the “just pipe the audio” mode of its modem and kluge “DSP” software. But the jitter on pretty much any OS made this millennium makes that dodgy.

And in any case the whole scheme is patented and licensed, and I’d like to avoid litigation. I can see it now: “Well, we can’t get him on terrorism, but the IP violations will get him off the street for a decade”.

Once I have caved in to building a bit of hardware, I have a paper around here somewhere about ITU compliant Touch Tone ™ decoding with software on a PIC. Hex digits over audio here we come.

The battle against jitter has been lost. Movies learned how to synchronize audio and video in the 1920’s IIRC, but now it is routine to have multi-second displacement between A and V on streams. Once all of us who associated this effect with “bad dubbing” have died off, nobody will notice.

As for Bell 101, I used a number of different Bell 103-compliant modems. None of the pairs had remotely acceptable error rates over mobile. Admittedly, I only used “modern” modems on the head end, after finding that very few “RS-232” USB devices work well below 600 bps. Bad match for an audio channel that will struggle with 50 bps. Animats has some suggestions for ones that could work, though.

Pt. 2:
‘Even the most “modern” voice links are supposed to transmit speech at some level of intelligibility.’

Could you check with Apple, LG, Samsung, AT&T, Verizon… about whether they got the memo? 🙂

This pretty much summarizes my (failed) efforts so far. Busy with actual work/life, but may explore Weitbrecht or Touch-tone ™ “later”

echo September 2, 2021 12:29 PM


I figured out why the French are so thin in spite of adding a pack of butter and a bottle of wine to everything. Once you’ve done the mise en place and various faffing around three hours later you’ve burned off more calories than you’re consuming. Okay I’m joking but French cooking is different to fast food.

The thing about fast food and processed and frozen food is it’s easy so you can eat more on demand. Plus The American system from production to the plate is centred around ease of production for large volume and low cost at every single stage of the process. This has an impact on what you eat and quality as well as how often and when with all manner of cumulative problems.

Back to Apple. Why is it Apple stuff is only used by the “good guys” in movies? A combination of bribery and legal threats. Why is it we hear one month of their “security” and the next month hear about a colossal own goal?

I won’t go as far as the Russians or Chinese but I certainly think America should come with a health warning. Nor will I go as far as the Japanese and “Japanese” everything but a turning down of the volume and slowing things down and taking a pause for thought is certainly helpful.

lurker September 2, 2021 1:02 PM


“That is Amerika, you only can get what we put on the menu.”

That might be America: this is the South Seas Islands; this is an Android device built by an independent Chinese maker for the South Asian market. Why is it strangled by the whims and demands of Washington? and the frills and fancies of Silicon Valley?

Clive Robinson September 2, 2021 2:06 PM

@ MikeA,

Are you aware that GSM standards for the head end block contain a modem that uses the extended Hayes AT command set?

I’ve mentioned this before as well as given links. But I’ve also indicated in the past why you can not send audio tone type signalling via GSM phones, it’s because of the way the CELP audio codec works.

I mentioned this when everyone was getting excited about the AWIT Systems Inc. “JackPair” back more than half a decade ago.

They failed to get it working as predicted and although they still have a web site up you will notice its lack of product…

It’s actually quite difficult to send any kind of “data” that is frequency or phase dependent across a CELP compressed stream and even amplitude modulation does not fare very well.

To see why look CELP up,

Oh and the ideas behind CELP originated from the NSA… Which is why some people are suspicious of them (especially as it makes DIY audio crypto so difficult).

Clive Robinson September 2, 2021 4:42 PM

@ echo, ALL,

I suspect higher bitrates can be obtained if you focused purely on data transmission as opposed to stenography.

I think you will find if you check, the mathematics will be against you.

But don’t let me stop you wasting other people’s money like JackPair did in experimenting and failing.

echo September 2, 2021 5:42 PM


It’s not me who wants to do it and my maths isn’t that good. I do know how to hack stuff though. Anyway, the citation explained more than you did and gives some hard numbers so you can keep pithy lack of gratitude to yourself.

MikeA September 2, 2021 6:35 PM


Thank you for the pointers. I suspect that the CDMA “3G” voice encoding is similar, based on the sort of artifacts I observed. I have CDMA phones because despite living within a mile from a major highway in Silicon Valley, only one carrier is even remotely reliable.

I had been trying to remember what was almost certainly Jack Pair, thanks for the reminder, although their site is “dead” to at least FireFox 80 because “not https enough”.

Thanks to @echo for the to audio steganography. My current inclination is to (if I pursue this at all) try the Weitbrecht or DTMF paths, partly because a cursory examination might find them “harmless enough” to ignore.

That said, the idea of using a Voice synthesizer brought a smile, as it led me naturally to the idea of a “mobile numbers station”. Yeah, right after I reconstruct Kurt:

Thanks again, all.


annoyed_reader September 3, 2021 8:08 AM

@Clive wrote

You clearly have issues, that others do not, so I suggest you think why you would exhibit them in the way you do.

Given the choice between Echo’s ‘sensibilities’ and your attitude here as a pretentious know-it-all, I find it difficult to say which one is more annoying.

UK legislation[4].

So for once, those politicians whom you ‘blaim’ (sic) for everything that goes wrong and who are according to you even too stupid to manage something as simple as a worldwide pandemic while for you that would be peanuts, got it right?

And if you think your pronouns are OK, then take any English grammar and look up the difference between “its” and “it’s”.

Who? September 3, 2021 1:50 PM


Yes, I can resist anything sold by Apple stores, even the one at the city of “New Apple”. I would say it this way, what I consider an aesthetically pleasant computer is something Steve Jobs will never use! Same about my idea about functionality.

You have a good point with relation to banks, the health system (including those unconstitutional COVID passports[*]), and other services offered by our society. With relation to banks, I can only say financial data has less protection than medical data[**], but in any case the most I would expect from a bank is sending an SMS to a cell phone, never replacing the web interface with a colorful and addictive app. The health system is getting compromised by tech giants, hopefully some rights remain active in Europe. Other services can be replaced by computers.

It is true, some services need to be reconsidered or built locally. When talking to other people I usually invite them to a private chat I built on an OpenBSD server that I run on the attic of this building. This server has just an ICB service running on the loopback interface. People connect by means of SSH tunnels so they can run whatever IRC client they want.

Do you remember the Penet remailer? Sometimes we need to run our own services, it is the only way to slightly increase our privacy. We cannot depend on others to return us the privacy we lost on the last three decades.

Clive is some sort of, let us say… “security taliban” but he is obviously right, and a highly intelligent expert with a lot of knowledge on this field. I certainly admire what he says. Paper is a good way to store information these days, it has been widely used by intelligence services in the last decades and, indeed, I fully agree with him about energy gapping as the only way to make a computer system reasonably secure. What I suggest is just a compromise between functionality and security for ordinary people that want to recover some lost privacy. Nothing more.


Of course, there are alternatives to cell phones. We can start using smartphones for the minimum required by law, like compliance with the PSD2 directive, in case we really want to work remotely with our bank. We can close any account related to social networks, a dangerous privacy swamp. What happened to our classic personal web pages? We can build alternative services, like a tunneled ICB chat service or our own videoconference server with BigBlueButton. If we are working for an employer that uses another, less privacy friendly, service that is ok, but we should restrict its use to the minimum our employer needs.

[*] I got my two jabs some months ago, but have no electronic COVID passport and will never get one (I have no smartphone). Just got my jabs for responsibility, but that’s all.

[**] At least outside the United States, as we have been no victims of the huge privacy abuse of something like Google’s project nightingale [yet]. Hopefully we have laws that protect our privacy. We will see if digital euro is finally imposed as, as I said, financial records have no a great protection level these days, but it is another matter.

Clive Robinson September 3, 2021 3:54 PM

@ echo,

Oh, and I have “issues” now?

Well yes your current post clearly indicates you have lots of issues, however your claims to substantiate them as normal are lacking to put it politely.

What is clear is you do a lot of arm waving and blow smoke.

For instance,

“Rewinding back some time there was a discussion which achieved consensus that going around calling coders stupid was not a good idea.”

Curious and highly prejudiced.

First I do not know what you mean about “achieved consensus” in this area, I suggest you go back and pull up the links.

What I have said and you take exception to is the lack of real engineering practice in much consumer and similar software development. Now I care not if you do not like this but there are those that develop software that do follow engineering practice, it may not be “high profile” but it keeps you on track and safe from many eventualities such “intrinsically safe” and “fail safe” systems require an engineering process not an artisanal process. In all your comments I can not remember you ever once being cognizant of these facts. So I find it highly unlikely I would have entered into the agreement you claim.

As for,

“I think you changed after Bruce cited you as an example to follow. You’ve become more big headed. I’ve noticed this with Oxford types.”

The first thing I did when @Bruce did that was to say to him “I wish you had not” because of the obvious reason it would make me a target and here we are surprise surprise wasting blog space because you have got sniffy.

Shortly after @Bruce removed the recommendation and for that I am very glad, I don’t look up to people and likewise I do not look down on people and I certainly do not wish to be put on any kind of pedestal, by you or anyone else. Those as one commenter once remarked you apparently to their view idolized me.

My general MO is if I agree with someone’s comments, I don’t think “oh they are a good guy / bad guy” before I comment on what they have said, I comment on the post. Likewise if I disagree with them, the UK Civil Service used to run on the principle of “Without fear or favour” well I happen to think that is at least honest behaviour. I value honesty which from your opening,

“I’m sorry Clive but that is a complete lie. I also think it’s clear you have a problem by dragging conflict in one thread into another. You’re escalating.”

Paints a very different picture of you.

As for “Oxford types” there you have me, I’ve not a clue what you are referring to. But I’ll take a guess it’s you “looking down” on Universities, Academia, and researchers for some neo-partisan / politically correct reason.

But for your information it’s been more than a decade since I’ve worked in a University or for that matter crossed the threshold of Oxford, Cambridge or similar. Even though I have been invited, from memory Oxford Uni itself was back in the early 2000’s and an Oxford affiliate to talk about potential work for database research in the mid 2000’s. I’ve likewise avoided most other Universities and higher education establishments I just do not go near them. Whilst I still give guidance to students when asked I try to avoid it, and if I do it is on an individual level these days, and it’s more career related than anything else. In part because the focus of UK Universities is moving towards that of a number of US Universities which is disappointing.

But you really really do arm wave and hope people think you know something. For instance,

“Before you go on about the laws of physics and maths you will not find any answers in there as you have half admitted over the past week or so.”

As I’ve frequently remarked people will do things “providing the laws of nature as we currently understand them allow”. I use it as a “litmus test” and advise others do so to avoid making mistakes via assumptions that are not valid. If you have a problem with that then you really do not understand science or the scientific method. Likewise I’ve said maths is not science, it’s not by any reasonable measure, but it is a very useful tool for both asking questions about the universe and modeling the natural processes that we believe apply after testing.

But you also say,

“You have also used your knowledge of maths and narrow domain knowledge to bully and control narratives.”

Well, I have knowledge of maths, so what, so do many others. As for my domain knowledge, you have no knowledge of how much depth or breadth I have or over how many domains, so to say “narrow domain knowledge” is unreasonable prejudice by you. I guess you are saying it to somehow think you gain elevated status in others eyes. Well guess what it has the opposite effect, it makes you sound like you think you are omnipotent, and your utterances should be given supremacy because well it’s you saying them. Perhaps you should take note of your own words,

“And I’m sorry … but just because you insist something is correct does not make it so.”

But the laws of nature and mathematical models, logic and reasoning do, even though you insist otherwise.

Which brings us onto your next laughable accusation,

“That is before we get into your more colourful sexist remarks and observations about topics you know nothing about and have never contributed any citations to.”

There we have not one but two false statements. With regards citations I do give them, rather more than others do, in fact I used to get issues with posts being blocked because of them. This blocking problem got really quite bad when the blog got moved over, whilst it improved recent events causing significant issues to this blog has caused link issues again. You might have noticed at least five posters including yourself have complained about dropped posts, so much so one calls it “Road Rash” and just a few hours ago another sent an apology to say she would not be posting again because of this issue. Since the problems started I’ve increasingly limited the number of links. Sorry if you don’t like that but not my problem. But I still put links in as can be seen from my post above in response to one of your very recent unacceptable behaviours. As for what a citation is you appear somewhat confused. You say,

“I’ve also had to put up with you dismissing my contributions as trash while I have citations coming out of my ears and you take over and polish your reputation later yet still add nothing.”

As a general rule “citations” are to academic peer reviewed papers or other professional publication that moves a professional knowledge domain forwards. Much as you think otherwise links to comedy shows and similar YouTube videos, The Atlantic, Guardian and other newspaper stories and Op-eds are not “citations”. You might think this brings you credibility and status, but not knowing this further brings your credibility into doubt with those who carry out research and similar professional work.

Oh and explain to me how,

“… you take over and polish your reputation later yet still add nothing”


If I add nothing, how can I polish my reputation?

Are you claiming all the readers here are mindless sycophants genuflecting at some pedestal on which you think they have put me?

Grow up this is an open blog which allows anonymous posting as you well know, if what you were implying were true I’d have to be omniscient. I can assure you I’m not, and people do occasionally disagree with me and sometimes they are right to do so and I acknowledge that and unless @Moderator has removed them you will if you search the blog find them.

You should look for them and add them to your “note book” you claim you are keeping,

“I will also point out again I have already noted incidents in my log and also told you at the time.”

After all you would not want people to think you are so biased you’d perform “lies of omission” as well would you?

Speaking of which, just when and how many times did you tell me about your log at the time?

Links would be handy for every one who’s interested to verify.

Oh you might want to also link to those times you have implied there is a conspiracy to stop you leaving the UK because some shadowy people were blocking you getting a passport, and I actually asked to see if I or others could help you, but you brushed off.

From what you are saying you know what I said is true and instead of acknowledging this you’re now aggressively twisting it to make threats and put me down with rather proves one of the points I was making.

Sorry I have no knowledge as to if anything you say is true or not. For the simple reason of “no corroboration” either from you or more importantly independently, especially your stale white and male boys club statements about the legal profession and how you have bested barristers and the police and other officials… Yet you could not, you claim, get a passport to forever leave the UK…

I could go on, and I guess I should continue to rebut your comments, but I’m not sure what the current posting length limits are.

SpaceLifeForm September 3, 2021 6:14 PM

@ Clive, tiny

“I’ve likewise avoided most other Universities and higher education establishments I just do not go near them.”

It took me only one semester to smell the problem.

If there is a good prof, and you want to learn, just go sit in the class without paying the tuition.

JonKnowsNothing September 3, 2021 6:27 PM

@SpaceLifeForm, Clive, tiny

re: Herd Auditing a Class

Most profs (USA) are pretty pleased when someone shows up voluntarily for a course, especially if it’s not one of those “required on the list” ones.

Just don’t pull an all-nighter and fall asleep during the lecture… a large tome thudding on your desk, not only wakes you up but also wakes up the rest of the class.

lurker September 3, 2021 11:12 PM

@Winter: …never replacing the web interface with a colorful and addictive app.

So what should one think, logging in to one’s bank on a classic browser two weeks ago, and finding without warning an interface that looks like an app: big wide buttons, bold colors; yes, good for the visually impaired; but, some time spent by the paranoid with tcpdump and whois before believing what they were seeing.

Yes, I remember Never thought back then that I would have a genuine reason to use it…

Who? September 4, 2021 5:52 AM


I think previous message was targeted to me instead of @Winter.

I would use computers for anything we can, leaving smartphones to the minimum required. Right now most tasks can be accomplished with a computer. I trust more on a computer running OpenBSD, and perhaps a cell phone to receive SMS codes from the bank, than on a smartphone running iOS or Android and an app that requires an odd set of permissions to run; at least, I have a feeling about the operating system being owned by us.

Even if the Penet remailer was not as secure as it should have been, and a service like that one won’t scale well these days (not to say the legal challenges it would receive on a daily basis), it was a good example on the principles we can use to regain part of our freedom and privacy. It was a simple service created by a single system administrator, a musician named Johan Helsingius.

Sometimes, a single idealist can make a difference. A few thousands of idealists can change the world.

Clive Robinson September 6, 2021 11:25 AM

@ echo,

“… the citation explained more than you did and gives some hard numbers so you can keep pithy lack of gratitude to yourself.”

What you linked to is 17 pages of dense –35 lines by 100chars– text, if I could post something that size it would be over 1600 lines… so get real.

@ ALL,

If you do read the paper, in section 2 there is a key sentence you should note when it comes to the data over voice codecs,

“Miao and Huang presented an adaptive steganography scheme based on the smoothness of the speech block.”

Understanding why this is important is key to trying to push data down a compressed voice channel.

You really need to know how the codec works quite intimately otherwise you will fail to get the bandwidth you require.

Oh and for those going for GSM compatibility, remember the codec in use was designed to be optimal with “A jovial middle aged Bavarian gent”…
