Comments

Scam Coin October 29, 2021 5:46 PM

“peak hype”

I can always count on Bruce to be the optimist in the room. I fear, however, that we have gone too far down the cryptocurrency road now, it has become “too big to fail” and that all ways lead to disaster and/or serious social upheaval. The cynical part of me thinks that’s exactly why it was done–to undermine our economy and society–but intentional or not it has passed the hype stage and entered the major social problem stage.

SpaceLifeForm October 29, 2021 6:57 PM

@ Scam Coin

Don’t be confused or misdirected. It is all about fascist money laundering.

hxtps://www.justice.gov/opa/speech/deputy-attorney-general-lisa-o-monaco-gives-keynote-address-abas-36th-national-institute

cr0c0d1l3 October 29, 2021 8:58 PM

Air-gapped networks are wired with Ethernet cables since wireless connections are strictly prohibited.

In this paper we present LANTENNA - a new type of electromagnetic attack allowing adversaries to leak sensitive data from isolated, air-gapped networks. Malicious code in air-gapped computers gathers sensitive data and then encodes it over radio waves emanating from the Ethernet cables, using them as antennas. A nearby receiving device can intercept the signals wirelessly, decode the data, and send it to the attacker. We discuss the exfiltration techniques, examine the covert channel characteristics, and provide implementation details. Notably, the malicious code can run in an ordinary user-mode process and successfully operate from within a virtual machine. We evaluate the covert channel in different scenarios and present a set of countermeasures. Our experiments show that with the LANTENNA attack, data can be exfiltrated from air-gapped computers to a distance of several meters away.

https://nakedsecurity.sophos.com/2021/10/15/lantenna-hack-spies-on-your-data-from-across-the-room-sort-of/

http://arxiv.org/abs/2110.00104

Nick Levinson October 29, 2021 11:04 PM

If French security products cannot be criticized, that itself is a risk for French security.

Apparently, an authority in France is demanding about $12,000 in court from an expert for “denigration” of a software product. It wasn’t a security product but I don’t know if that makes a legal difference. Now, even if she’ll eventually win and I don’t know if she will, she has to pay for a lawyer.

https://www.lalutineduweb.fr/en/help-lawyer-fees-faciliti-lawsuit/, cited in https://ashton.codes/dai11y-27-10-2021/

Raising alarms helps development. If a product developer blocks alarms by suing, the resulting product is probably worse.

What other nations have these kinds of laws?

Do U.S. states’ trade libel (colloquially, veggie libel) laws have adequate limits?

If laws are worse in other nations, being a U.S. national who is physically in the U.S. may be inadequate protection against one of those foreign laws, if the person alleged to have committed trade libel has nexus in one of the other nations. Many of us do and may not even realize it.

Jim_Penguin October 29, 2021 11:29 PM

Roblox has been down for more than 24 hours leaving 48 million users out in the cold. The company has tweeted twice in that time:

“Roblox @Roblox · 13h
We know you’re having issues using Roblox right now.

We’re sorry and working hard to get things back to normal.”

And,

“Roblox @Roblox · 5h
Still making progress on today’s outage. We’ll continue to keep you updated. Once again, we apologize for the delay.

We know that this outage was not related to any specific experiences or partnerships on the platform.”

The reason I’m posting here is that my imagination tells me they are being held for ransom and being told what to release to the public. Anyone think that is a realistic scenario?

News October 30, 2021 12:09 AM

Microsoft will be working with US community colleges to fill 250,000 cybersecurity jobs over the next four years.

That is one job for every 38,000 views of the Baby Shark Dance video on youtube.

SpaceLifeForm October 30, 2021 12:23 AM

Meta Data

I love the sweet smell of irony in the morning.

hxtps://www.theguardian.com/technology/2021/oct/27/facebook-staff-preserve-documents-inquiries-latest

On Tuesday, Facebook told its employees to preserve internal documents and communications for legal reasons, as governments and regulators have opened inquiries into its operations amid an onslaught of revelations from whistleblower documents.

A Facebook spokesperson confirmed to Reuters that the company sent a legal hold notice to all personnel for documents. “Document preservation requests are part of the process of responding to legal inquiries,” the spokesperson added.

The request applies to documents and communications dating back to 2016, reported the New York Times, which broke the news of the legal hold.

Clive Robinson October 30, 2021 3:43 AM

@ cr0c0d1l3, ALL,

Re: LANTENNA paper,

This has already been discussed on this blog briefly a couple of weeks back.

There is actually nothing very new in the idea in the paper, I was playing around with similar in serial comms back in the 1980’s and I gather so were other engineers.

So this paper is, like so many similar papers from the same group, “re-boiled cabbage served in a new dish”[1]

It is just one of several reasons I coined the term “Energy-Gapping” / “Energy gap” to replace the very out of date and misleading “air gap” / “Air-Gapping” quite some years ago.

The simple fact is in real terms “secrets ride out on both energy and matter, no matter how small”. How fast is really defined by the leakage channel bandwidth but even when stoppered down hard, leakage is still possible[2]. As for the range, well that is defined by both energy and data rate against the “thermal noise floor” that is considered to be at best -174 dBm for a 1 Hz bandwidth (from √4KBTR)[3]. The signal energy drops off by a factor of ~50 within two wavelengths of the antenna for “near to far field transition” then drops at the expected 1/(r^2) or √radius from then on for the electrical field in EM radiation.

Obviously if the signal is moving out in a restricted channel or on a mechanical object then the range is limited by whatever the 0.5 probability limit is and 1/radius. So traveling down a wire the signal goes much much further and written/printed on a piece of paper in real terms it’s however far you can “post” it… An example of a restricted energy channel we can directly experience is the rails of a railroad track. As has been seen in “Western Movies” the sound of a train on the rails can be heard many miles from where the train actually is. As my father pointed out to me when I was around six and a half at a quiet railway station, you can hear the rails twitch standing on the platform when the train is still a good minute or more out (around 60mph).

So when it comes to ICTsec with regards to EmSec care needs to be taken not just for electronic signals but mechanical and thermal signals as well (and gravity but that’s a whole different story). Shielding systems is only one small part of the isolation techniques you need to take to get effective segregation (gapping) when you take energy into consideration.

If you look back over the years on this blog, I’ve discussed the subject with several people on many occasions.

The fact engineers have to keep reminding ICTsec people this every few years says rather more about the failings of ICTsec than it does anything else.

Why ICTsec practitioners fail to learn from even living history frankly baffles me. As a curious engineer I know that what we now call EmSec issues were part of “Trench warfare” back over a century ago in World War One when electronics had barely got out of being a laboratory curiosity…

[1] The advantage of the paper is the fact of “new dishes” to hold the “re-boiled cabbage”. That is, as this blog’s host @Bruce pointed out some years ago now, attacks improve with time, and in this case it is the use of newer “Software Defined Radio” (SDR) kit that has tumbled in price over the past two decades. To the point SDR dongles can be had for what really is “Children’s Pocket Money” prices. Thus should now be seriously considered an “easy attack” vector well within the capabilities of not just top of the list Level III / State Level attackers, but also Level I “script kiddy” and below…

[2] Practical information leakage has been demonstrated by the use of “heat in the case” causing parts per million changes in the crystal frequency used by the CPU as the master clock over a period of significant fractions of an hour. This in turn affected network times thus information leaked to the entire Internet… OK the bandwidth was down around 0.0005 bits/sec but it was there and usable.

[3] The thermal electrical noise in a given bandwidth or “Voltage Spectral Density” or noise per unit bandwidth is Sqrt(4KbTR) which is simply the value of the noise at 1 Hz. So for the standard R=50 ohm input impedance of a receiver or RF test instrument the thermal noise voltage spectral density is 0.9nV per √Hz of bandwidth.

Clive Robinson October 30, 2021 4:12 AM

@ Nick Levinson, ALL,

The lady concerned is disabled and spends her life trying to make life better for other disabled people.

Her real crime, if you can call it that, was “being easy to contact” both personally and through her employer, because she wants to make life better for other people.

People on this blog, have wondered in the past why I do not have my own blog and do not give contact details of either myself or the people I have worked for over the years.

Well the reasons are several, one of which is I don’t want to appear to be “hanging ‘a for hire’ notice up” when I give advice, and in part the work involved as our host @Bruce can testify to. But more importantly my liberty and property.

As I’ve mentioned before I had a very near escape back in the 1980’s when UK Prime Minister Margaret Thatcher went on the war path and wanted mine and others’ scalps on her belt. Also later one or two others in the bad old days before “responsible disclosure” became a subject first of conversation, then later a de facto way of doing things as “best practice” (something several like Oracle and their resident blood suckers hated).

Thus I found out that “speaking truth unto power” can have a significant price to pay for the unwary.

Who? October 30, 2021 4:35 AM

Bitcoin, and a few well-known altcoins like Ether, have a bright future. Sadly, most altcoins either lack a true project behind them or are just a scam. This is especially true for those altcoins themed on films, computer games, memes, TV shows and other high-impact social events.

The cryptocurrency our host talks about in this Friday squid blogging is a good example of a scam:

hxxps://cointelegraph.com/news/users-not-able-to-sell-squid-game-token-clocking-45-000-gains

As experts on security, you all know we must be really careful when making choices.

Who? October 30, 2021 4:44 AM

@ cr0c0d1l3

A Wi-Fi airgapped network is more like an airconnected network.

The LANTENNA attack you are talking about looks like a simple variation of a FUNTENNA attack. This one is the reason air-gapped networks should ideally be energy-gapped too.

On my networks I run at least S/FTP cabling.

Who? October 30, 2021 5:14 AM

I agree with Clive Robinson here, the people at Ben-Gurion University have been publishing the same research for years slightly changing the emitter and receiver. Today they are using radio signals, some time ago it was light (in multiple papers, coming from sources like LEDs, displays, document scanners…), sound… it is becoming really boring.

Indeed, energy emanating from electronic devices can be used to establish a covert channel that can be used to exfiltrate information.

Well, they are playing the numbers game[*] again, I guess.

[*] see article from David Lorge Parnas on CACM 50(11), “Stop the numbers game” about how counting papers is seriously hurting scientific progress.

Ted October 30, 2021 6:00 AM

@Nick Levinson, Clive, All

Re: company response to a software product critique (for web accessibility overlays)

Interesting article. Clive’s comment helped me digest it a little more and dig into exploring the article as well as the topics in your own blog.

First off congratulations on having no “bought” credentials in your field. Your list of actual involvement and competencies is impressive.

You are probably not on Facebook (now metaBook or whatever name you give a naughty pup), however there was a funny post about uni that seemed all too true.

https://www.facebook.com/313227042137369/posts/5504754932984528/

I also, close to what Clive mentioned, do not attach my employer to any of my social media accounts. Though I would probably be more inconsequential than a gnat to swat, I think about them having shifting sensitivities and me having an ‘at-will’ employment contract.

It looks like her concerns were about web accessibility overlays. If you had had a similar concern how would you have voiced it before or after seeing a retaliatory response like this?

To your question:

Do U.S. states’ trade libel (colloquially, veggie libel) laws have adequate limits?

This I don’t know. I thought if it was true then it was not libel?

Nick Levinson October 30, 2021 10:12 AM

@Ted:

On whether trade libel suits can be defeated by proof of the truth of the supposed libel: In the U.S., truth is a complete defense to any claim of libel (keeping in mind that I’m not a lawyer), and there may be law allowing someone sued for libel who didn’t commit libel to recover the costs of legal defense from the originally-suing party, but there are marginal cases to worry about, such as when there is a disagreement on truth that only experts are likely to understand and judges and juries will often misunderstand (jurors are usually forbidden to ask questions of witnesses or to do research during proceedings except by asking each other). The prospect of having to defend against a claim of libel leads some people to shut up even when they have good reason to believe the truthfulness of their claims. For outside the U.S., my impression is that in the U.K. truthful content that is embarrassing can be libel, i.e., truth is not a complete defense there, and I don’t know about other nations.

Winter October 30, 2021 11:20 AM

Not entirely the latest news, but the EU is starting to pay attention to IoT security and starting to follow Bruce’s advice:

EU chief announces cybersecurity law for connected devices
ht-tps://www.euractiv.com/section/cybersecurity/news/eu-chief-announces-cybersecurity-law-for-connected-devices/

EU to toughen cybersecurity requirements for wireless devices
ht-tps://telecom.economictimes.indiatimes.com/news/eu-to-toughen-cybersecurity-requirements-for-wireless-devices/87390817

echo October 30, 2021 4:18 PM

This is a bit of a link dump (edited down to survive auto-moderation) highlighting how bad the Cabinet Office is when it comes to running the Government Digital Services strategy. This is replicated across similar projects for sometimes different but broadly similar reasons.

https://gds.blog.gov.uk/
https://www.globalgovernmentforum.com/the-rise-and-fall-of-gds-lessons-for-digital-government/

It’s coincidental that Chris Ashton (supporting Julie Moynat) works for GDS but as a software developer I find his view on the problem to be lacking.

Accessibility (and human rights and equality in general) is usually handled very badly. Away from this blog I have discussed accessibility before. My view is that the protocols and supporting guidance for developers should place accessibility right at the beginning so everything from the policy formation level through to protocols through to toolchains through to the final output is conformant with requirements under the law. I personally find after the event template patches to websites not to be the greatest of solutions.

Go back and look at the GDS and other guidance and note how rapidly the end user gets dropped from discussion. This is not unique and generally suggests standards are already breaking down before they hit the save button on the document.

echo October 30, 2021 5:16 PM

@Nick Levinson

For outside the U.S., my impression is that in the U.K. truthful content that is embarrassing can be libel, i.e., truth is not a complete defense there, and I don’t know about other nations.

Partially correct. In the UK the change to libel law shifted things a little bit. There is the issue of truth versus truth versus truth… You may say something which is true and have no problem. The problem happens when something which is true misrepresents a greater truth which then becomes the libel. In theory this may protect against unfair and unreasonable reputational damage but then there is the media who may control the narrative and the far right aligned media are very adept at skirting around this or simply fluffing their favourites and skewing equivalent favourable coverage.

It can get messy when human rights and equality issues are involved, or loopholes in the law are used, or things like SLAPP suits are thrown about.

“Fair comment” has been abolished but the new version is roughly equivalent so comments about state officials and organisations have more leeway.

It was an odd priority of the Cameron government to change libel law. It did need reform but as things stand it looks like a bit of a fix when a majority right wing media exist and access to law is limited to the wealthy. OFCOM is rigged. Leveson II went walkies. It’s all “plausibly legal” but reeks to high heaven.

More on this in a later post on UK constitutional issues…

echo October 30, 2021 5:22 PM

And What Do You Do?: What The Royal Family Don’t Want You To Know
By Norman Baker

https://www.amazon.co.uk/dp/B07RN38QC5/

I had a post which outlines some eye opening constitutional issues with the UK but auto-moderation didn’t like a chunk of content so it never made it through the editing down.

This book is worth skimming just the “look inside” section for a glimpse of the kind of nonsense which happens in the UK. It is clearly a country in need of a modern social democratic constitution and a lot of other reforms if for no other reason than the institution of monarchy “as is” both facilitates and encourages a make it up as you go along establishment who brainwash and infantilise the public.

SpaceLifeForm October 30, 2021 5:37 PM

@ Clive

AWS, the Clouds look WildandStormy

Why is NSA even bothering with outside Cloud?

It can not be that Bluffdale is running out of capacity.

(Note: that assumes that you believe that Bluffdale is about collected data. I do not believe that is the case)

hxtps://www.nextgov.com/it-modernization/2021/10/gao-sides-microsoft-massive-nsa-contract-protest/186487/

The Government Accountability Office Friday sustained Microsoft’s protest of a secret National Security Agency cloud computing contract dubbed “WildandStormy,” recommending the agency reevaluate proposals submitted by both Microsoft and the winning bidder, Amazon Web Services.

MarkH October 30, 2021 6:19 PM

.
Shallow Fakes, Pt. 1

Some of us are understandably worried about the deceptions and manipulations which novel “deepfake” technologies are making possible. This problem will only grow worse with improvement of techniques and affordability.

[Personally, I think the greater danger is that claims of deepfake will be used to discredit authentic records.]

Fakery is hardly new, and seemingly can be found wherever sufficiently detailed historical records are available.

Here’s a modern example from the Soviet Union.

About 5 weeks after the catastrophic explosions in the Chernobyl nuclear power plant in 1986, a reporter from Newsweek (an old and trusted U.S. periodical) made a two-day visit to Kyiv, capital city of the then Ukrainian S.S.R.

The KGB — by the efforts of 19 members of a special unit, with assistance from 8 retired operatives — ensured that every person the reporter talked with was a KGB officer.

A report declassified in 2018 boasts that “the foreigner didn’t get any biased information from Soviet citizens.”

MarkH October 30, 2021 6:31 PM

.
Shallow Fakes, Pt. 2

More recently in Russia, the ruling party set out to sabotage an opposition candidate for the national parliament (called Duma in Russia; the election was conducted during the second-to-last weekend of September).

In today’s Russia, opponents will not be permitted to win important elections, or enough Duma seats to matter. But an upset can nonetheless be embarrassing, and pre-election polling was showing less than 30% support for Putin’s “United Russia” party.

In Sankt Peterburg, the candidacy of Boris Vishnevsky caused enough consternation that, in addition to the United Russia candidate, two fake competition parties (a fig-leaf for the fiction that Russian elections are competitive) controlled by United Russia were instructed to put up special candidates for the same seat.

Each of those fake-party candidates had his name legally changed to Boris Vishnevsky, and his appearance changed (or photo doctored) to resemble the real Boris Vishnevsky.

It was a clumsy move which provoked a lot of bad press, but violated no Russian law. The real Vishnevsky lost; whether the fake Vishnevskys garnered enough votes to make a difference, I have not yet discovered.

Ted October 30, 2021 7:07 PM

@Nick Levinson, echo

Re: Libel

I enjoyed reading both your comments about this. It’s certainly not an amateur topic though it has the potential to impact anyone.

A while ago, I was trying to pick up a qualification through a proprietary school. It’s kind of a more complicated story, but long story short they were telling students that one of their programs qualified them to sit for a particular national certification exam. However, their program did not meet these requirements.

I didn’t realize the nature of their operation until after I had paid $350 towards the cost of the program. They denied my request for any refund, citing a contract I had signed at the start of the program.

It’s rare I find myself in a position of being what I perceived as ‘legally’ right. I’m not usually one to enjoy a confrontation, but I was also trying to save money at the time. And the $350 wasn’t money I just wanted to throw away on an unscrupulous institution.

In a first wave of disbelief, I contacted the Better Business Bureau, my credit card company, the state’s Attorney General’s office, the FTC, the Certification Agency, and my state’s Department of Higher Education.

In a response through the Better Business Bureau, the school seemed to insinuate that I was spreading slander or libel. However, at the end of it all the Department of Higher Education was able to get me a refund.

For a few weeks after this however, I was a little fearful that the school might retaliate either legally or worse. They haven’t yet. I have picked up some voluntary legal benefits through work, but I’d prefer to avoid using them for this just the same.

Clive Robinson October 30, 2021 9:10 PM

@ SpaceLifeForm, ALL,

Note: that assumes that you believe that Bluffdale is about collected data. I do not believe that is the case

Is that the “power” and “water” problem?

That is too much power and too much cooling, ergo some real heavyweight processing is going on?

I’ve had my suspicions but the site does appear to be “juicing”.

Ted October 30, 2021 11:25 PM

@NL, echo

Re: Libel (cont.)

I remember listening to a CourtTV podcast episode covering the libel trial of Johnny Depp vs. The Sun.

It was fascinating to hear more about how British law operates in this arena, because it is different than in the US. In a nutshell (and primarily pertaining to the specific nature of this trial) the host says that in the US the person who has been libel’d against must prove a statement is false. In the UK, it goes the other way. The person who made the statement must prove it is true. So in this case The Sun would have to prove the statements they made about Johnny Depp were true.

I remember the show’s host being rather incredulous as to why Depp would take this to trial considering all the additional exposure it would bring.

JonKnowsNothing October 31, 2021 1:04 AM

@ Clive, @SpaceLifeForm, ALL

re: too much power and too much cooling, ergo some real heavyweight processing is going on?

iirc(badly)

A few years back, I read an article about the latest in supercomputers. The really BIG iron ones. Quite amazing stuff.

At that time, a new gen version had come out in the USA but was immediately eclipsed twice by Chinese supercomputers. They all have names but I don’t remember them.

The US orders 2 (at least) of each generation of the USA made iron, although I’m pretty sure not everything is Made In The USA but there’s some mega-corp names associated with the final product.

One of them is sent to one of the US National Science facilities and is for public-restricted access. Probably the sort of stuff that’s being used for SARS-CoV-2 modeling.

The other was housed in a secret facility, (Bluffdale) and was a magnitude better than the public use version. The details on the differences were sketchy but the article left the impression that the NSA-3Ls iron had superior capability.

The article indicated that the replacement cycle was quick: 18months-2years and the replacement machines were already under development.

The big hang up in Bluffdale was the data storage. They have enough mini-micro-sized data storage for the next 1,000 years for 100% of all planet exchanges but the retrieval systems could not keep up. They could store it quickly but not extract-read it that fast.

The cables were melting faster than they could be replaced.

As that was a few years ago, I’d expect the NSA-3Ls are sending their older supers to ebay and already have several newer generations taking up the floor space.

I don’t think the NSA-3Ls are going to sign up for Green Energy anytime soon. They need that power plant just to keep the lights on.

Clive Robinson October 31, 2021 4:57 AM

@ Ted, echo, NL,

I remember the show’s host being rather incredulous as to why Depp would take this to trial considering all the additional exposure it would bring.

Look up UK “super injunctions / interdicts” they were at one point a very good reason to come legal shopping in the UK to protect your image,

https://www.alstonasquith.com/super-injunctions-a-brief-history-of-revealed-cases/

You will see that Rupert “The bear faced liar” Murdoch MSM outlets have been hit with them rather more frequently than others. As was once noted about one of them, their behaviour made the gutter press look respectable.

But for other reasons than puerile yellow journalism, I think the news outlet with most court experience is the satirical bi-weakly “Private Eye” which Ian Hislop is Editor of[2]. But unlike the Murdoch bumff Private Eye brings real public interest stories to light that are otherwise kept hidden.

But to get an injunction you first need to have a court case going through the long slow legal process, which is where English “Defamation Law”[1] comes in that covers libel and slander and other act,

https://en.m.wikipedia.org/wiki/English_defamation_law

As such it covers both private (civil) and public (criminal) duties in a slightly convoluted way.

The thing is “Defamation” means different things to different people(s). For instance the House of Saud has made it equivalent to terrorism and treats it in similar ways to the US “War on Terror” with what is considered “extrajudicial execution” in other parts of the world. In South Korea it in part covers espionage, as well as being applicable even if the libel is in fact true (false light / intent argument)…

[1] As for the story that English Defamation laws arose out of a need for “Gentlemen to avoid the cut and thrust of dueling, and lawyers are oh so much nastier than a rapier to the guts anyway” it’s not actually true, sadly. What happened was an upsurge in libel actions coincident to, but not consequential from, James the First making dueling illegal. Because as both ritual murder and suicide were “mortal sins” as far as the Church was concerned. Unless they were the ones handing it out as penance etc (and yes the Church jealously protects what they see as their “privileges” with a zeal like no other).

[2] The interestingly quaint thing about “Private Eye” is not just how it came to be, but the way the annual dividends are paid…

MarkH October 31, 2021 5:41 AM

a propos de UK libel laws:

I coincidentally just discovered that U.S. novelist Leon Uris wrote ‘QB VII’ — about a libel case in the UK — based on his own experience, having been sued there by a surgeon claiming libel in response to a footnote in ‘Exodus’ identifying him as a participant in Nazi atrocities.

The court found that Uris had stated a vast number of surgeries greatly in excess of evidence, and found in favor of the plaintiff. However, the trial had also made clear that the surgeon was in fact (if not legally) a war criminal, so the award was a halfpenny, the smallest denomination then existing in the UK.

Applying a rule then in effect (maybe because the defendants’ fees exceeded the award, I didn’t understand well), the court made the surgeon liable for all legal costs, a large sum he could never afford.

MarkH October 31, 2021 5:53 AM

Re: NSA Computing Resources

It’s fun and intriguing to speculate, but as far as I know none of us really knows the allocation of computational capacity at any point in the NSA.

Keep in mind that this famously opaque organization probably has more than 30,000 employees and a budget well in excess of $10,000,000,000.

I think it quite plausible that the cloud services contract could be for purely administrative purposes. I suppose it certain that no plaintext national security confidential information would be “farmed out” in such manner.

If there is anything other than administrative services involved, I can imagine that this could conceivably include encrypted confidential data, or intensive cryptographic computations for research purposes.

We on this forum understandably focus on (largely unconstitutional) spying against individuals, but remember that NSA has lots of other work than that.

It’s a signals intelligence agency processing large streams of data collected via satellites and terrestrial antennas; is responsible for protecting secrets as well as exposing them, and must always do cutting-edge research to find the strongest protections; and must sift through — and make available to intelligence customers — possibly interesting results from the torrent of intercepted data.

Their appetite for computing capacity must be insatiable.

MikeA October 31, 2021 10:58 AM

I was amused by the notion that the NSA would put an “old” supercomputer on eBay. It’s been many years since it was safe to dispose of any storage device that did not involve high temperatures and/or grinders.

I have several old laptops that I keep meaning to “find a home”, but what with spinning-rust platters holding “recovery partitions” and flash devices that accept and ACK commands to erase (Trim?), but don’t actually do it, Total Destruction seems the only safe approach. Of course, with all the major vendors pushing their “cloud backup”, that’s probably the low-hanging fruit, and I might not need to outrun the bear.

The notion of NSA dealing with sanitizing the amount of storage under speculation creates an image of a dire shortage of “Rock Crusher” and “Blast Furnace” hours.

(Remembering back to when we used to “exfiltrate” music from machines like the IBM 1401 and 1620, circa 1960, with sub 100kHz clocks. Also remembering snapping up a 7-track tape from a surplus store. Of course, I read it first, out of curiosity. A customer list for a bank, with contact info paired with account number. Yes, I overwrote it with FORTRAN backups and line-printer art.)

someone October 31, 2021 12:30 PM

@MikeA re: HDD disposal Depending on age, those laptops will have HD platters with glass or aluminum substrates. The glass will shatter in a satisfying manner, just be certain to contain the pieces and wear eye protection, the tension is significant. I imagine the aluminum would be fairly easy to melt, although I haven’t done that particular exercise myself.

MarkH October 31, 2021 1:03 PM

@MikeA, someone:

There’s a long history of IT geeks over-dramatizing such matters.

I remember young computer enthusiasts claiming that the red emergency stop button on IBM mainframes activated a pyrotechnic cutting device to sever the power cables! But it’s just a simple switch.

NSA lists approved 2-tesla degaussers, as well as shredding machines. These are reasonably compact and could be accommodated in a utility room of a typical office space.

The standards are easy to find online.

I suspect that internal persistent storage is not a very large fraction of the cost of a supercomputer. The machine could be sold without the storage, or with replacement drives installed.

echo October 31, 2021 1:28 PM

https://news.yahoo.com/pulled-63-000-pounds-trash-100018506.html

The testing phase was a step forward in completing the organization’s lofty set of goals. It hopes to deploy enough cleaning systems to reduce the size of the Great Pacific Garbage Patch by 50% every five years and to initiate a 90% reduction in floating ocean plastic by 2040.

In pharmacology the terms “half life” and “terminal half life” are different things. For example you may have a drug which has a half life of three days and a terminal half life of one month. The reason for the difference is a drug accumulates in the body. The terminal half life refers to that.

It’s kind of interesting to apply it to ocean garbage collection and maybe other problems as well.

echo October 31, 2021 1:40 PM

The Daily Heil reports Lord Frost has been under the influence of a Russian – Igor Ryzov. Apparently, Frost (a failed lawyer like Raab) has been picking up tips in “hardball” negotiating. It’s difficult to work out whether the Kremlin want Frost to succeed with his internationally destabilising stupidity or whether it is a clever plan to encourage him to be openly stupid to the point where the Tory Brexiter and far right plan collapses in a heap of its own stupidity.

As for the photos of Frost published at the top of the article in the Daily Heil note the glaring “collar cap” of his suit. And for God’s sake man iron your shirt.

Clive Robinson October 31, 2021 1:57 PM

@ MarkH, MikeA., someone,

I remember young computer enthusiasts claiming that the red emergency stop button on IBM mainframes activated a pyrotechnic cutting device to sever the power cables!

That old chestnut has a beard that’s longer and whiter than that of Methuselah.

It all comes from two related things,

1, HAL is one letter before IBM.
2, An unused 2001 plot line.

The plot line was saved over for the 2001 book sequel and involved a ceramic bladed cutter that could be activated by someone’s desk calculator if they typed in the right equation.

As many will remember HAL was the name of not just the computer but the initials of the company that designed it in 2001. The “HAL is a one up on IBM” statement was always denied by the author of the book. Which as it was written at the same time as the film script HAL may not have actually been the author’s original idea…

Any way the other story about “Big Red Safety”(BRS) buttons is apparently true, there was a young lady called Molly and when quite small she did indeed push the BRS button on an IBM 4341 one day, hence the need for the “Molly Guard”. However similar “switch covers” had been around before that.

Ted October 31, 2021 2:38 PM

@Clive

What a wonderful and educational read Clive. Yes, journalism is in a field of its own when it comes to libel.

Regarding “Private Eye”, the British satirical and current affairs news magazine… oh to be full rigor and unafraid of fisticuffs.

Reading further on the litigation the company has faced, I thought it a little on the self-reflective side for them to publish a tenth anniversary issue with a cover that displayed a cartoon headstone inscribed with a long list of well-known names and the epitaph “They did not sue in vain.” 🙂

SpaceLifeForm October 31, 2021 3:14 PM

@ Clive

Partitioned ‘juicing’.

Imagine 8^1024 cores each of which has 8GB of RAM available.

Each of which is cpu bound, and rarely does any I/O, constantly accessing RAM.

Each working on a partition of the problem space, 24×7.

Yes, the power and cooling requirements would be immense.

Ted October 31, 2021 3:24 PM

@MarkH

Re: the Dering v Uris libel trial

What an all around unfortunate compilation of circumstances. I was reading that Dering himself was a former Polish doctor who became a prisoner at Auschwitz where he subsequently became a prisoner doctor. It looks like the libel trial he initiated concluded in 1964 and he passed in 1965. The pyrrhic victory of his halfpenny award seems a very sad acknowledgement of many entangled tragedies.

SpaceLifeForm October 31, 2021 3:59 PM

@ MarkH, Clive

Keep in mind that this famously opaque organization probably has more than 30,000 employees and a budget well in excess of $10,000,000,000.

Exactly. So, why would they even entertain any outside Cloud? It’s not like they don’t have any people with the expertise to do this themselves.

There is something else happening.

vas pup October 31, 2021 5:21 PM

Europol identifies 12 members of global cybercrime gang after raids
https://www.dw.com/en/europol-identifies-12-members-of-global-cybercrime-gang-after-raids/a-59665317

“A dozen suspects were targeted in Ukraine and Switzerland after carrying out “aggressive” attacks against critical infrastructure. More than 1,800 people in 71 countries were affected by their actions.”

Very interesting article and 16 minutes video inside – good as usual with dw. Enjoy!

vas pup October 31, 2021 5:36 PM

@all and @MarkH and @echo

Now there is no clear choice during election thanks to lies, half-lies and fabricated information (aka deepfakes). With new IT tools utilized by political technologists the following quote is applied now (unfortunately) to the advanced voter as well. It is easier to brainwash voters now and manipulate their choice:

“The best argument against democracy is a five-minute conversation with the average voter.

Winston Churchill”

I just want to remind all that Adolf Hitler and his NSDAP got power through the election, then they transferred it to dictatorship.

If I were asked in Room 101 what is my choice – I would say meritocracy in which people to govern are recruited by their OWN merits measured by objective scales, not demographics or other absolutely unrelated features.

Yeah read this post asap before Moderator deletes it based on subjective evaluation of its content.

MarkH October 31, 2021 5:50 PM

@SpaceLifeForm:

That’s the mystique again.

NSA is a giant bureaucracy, with an enormous proportion of boffins. It has to do a lot of the very dull stuff other bureaucracies do.

Why waste highly specialized talent — and machinery — on humdrum administrative operations?

We don’t know how difficult it is for a new NSA hire to get something as simple as a PC in her office. The answer might astonish you.

If you look around in 2021, many organizations are evaluating the cost/benefit implications of moving various IT operations to cloud services. I don’t understand why NSA should be exempt from that.

MarkH October 31, 2021 6:07 PM

@vas pup:

W. L. S. Churchill almost certainly did not say that. But he did say, “Indeed it has been said that democracy is the worst form of government except all those other forms that have been tried from time to time.”

There are hundreds — if not thousands — of fabricated or misattributed “quotations” (supposedly by widely admired people) in current circulation.

I’ve been especially impressed by the rubbish brazenly attributed to A. Einstein and N. Mandela.

Доверяй, но проверяй.

echo October 31, 2021 6:45 PM

Following on from my comments about medical practice and regulation and technology the other day The Times (a Murdoch mouthpiece) is weighing in with a very underinformed and hysterical article to distract everyone from the real issues.

Auto-moderation being difficult again…

Ted October 31, 2021 8:07 PM

@vas pup

Wow. These were some serious trouble makers. It looks like this group’s ransomware attack had cost one Norwegian aluminum manufacturer over $50 million. The company was apparently shut down for a week and said they were forced to switch to manual operations.

I’m sure they were very supportive of the international effort to apprehend the suspects.

As N. Telsa once said “A boomerang returns back to the person that throws it.”

Anders October 31, 2021 8:51 PM

Yes, we can only guess what are the three-letter-agencies’ capabilities, when already domestic computers are at this level…

hxxps://wccftech.com/asrock-x299-motherboard-rdimm-memory-bios-support-2-tb-capacity/

SpaceLifeForm October 31, 2021 10:58 PM

@ Anders, Clive, Ken Thompson

Great story. Since it is All Hallows Eve, I’m sure Ken can appreciate the nightmares.

What is important about the story, is that while the product was totally alpha level garbage (if that), they were able to reverse engineer it and get something functional.

The PDP-11 worked fine. 8 inch floppy sneakernet.

Sut Vachz November 1, 2021 12:45 AM

Utopian schemers, make sure to pay the rent on time at the Apocalypse Drive.

https: //youtu.be/HVN-rFCqU4k

MarkH November 1, 2021 3:15 AM

‘Trojan Source’ Bug Threatens the Security of All Code

This may seem like a sensational click-bait headline, but it has some formidable names attached to the story:

https://krebsonsecurity.com/2021/11/trojan-source-bug-threatens-the-security-of-all-code/

TL;DR: Many current compilers and interpreters with comprehensive Unicode support can be manipulated via character sequences embedded in source code, in such a way that the boundary between executable code and comments (or string literals) is different from the separation apparent to a person reading the code.

For those of us with software development experience, it’s not very difficult to imagine how malicious code could be concealed using such a technique.

Analysis of this vulnerability is credited to the University of Cambridge. So far, an extensive scan has revealed no signs that it has yet been exploited in the wild.

I recommend reading the article, which I found most interesting.

Security November 1, 2021 5:39 AM

@MarkH, All

Re: A bug that threatens all code

When I see an interesting article like that, I first like to start with Twitter to help me understand it. Then I can see who has made a funny or summarizing comment that may or may not go viral.

It looks like Brian Krebs liked this tweet, so it must be a good one:

@rossjanderson
The Trojan Source vulnerability allows supply-chain attacks on software written in C, C++, Go, Java, Javascript, Python and Rust. We’re releasing details after a 99-day coordinated disclosure period, and some of these compilers will be patched quickly. See lightbluetouchpaper.org/2021/11/01/tro…

https://twitter.com/rossjanderson/status/1454962928923418626

Ted November 1, 2021 5:43 AM

@MarkH, All

Re: A code that threatens all code

Sorry, that post was from me. It is very early here. Security, security, security

Clive Robinson November 1, 2021 6:20 AM

@ Anders, SpaceLifeForm,

Fun reading

It takes me back to several years before that summer of fun…

Imagine if you can a tall teenager with lank hair standing on the lawn of an English Garden with “post office” Bakelite moving metal plate (telephone receiver) headphones on, with the cotton covered wire sneaking off towards a large wooden shed. In the teenagers hands a length of plastic drain pipe with the reworked parts of a VHF Band II antenna, its brown plastic cable in much stiffer coils, than the headphone wire likewise snakes back to the shed. The teenagers eyes are closed and a look of intense concentration is seen on their face, because they are like primeval man spear in hand hunting for the spoor of the prey they seek.

The hunter turns left and right slowly listening intently to the static from the headphones, seeking a tone, as the prey is driven by the immutable forces of celestial mechanics towards them over the horizon.

Suddenly the posture changes, now alert and sharp the hunter has the spoor, the track begins. The barely heard tone becomes a grinding warble of a mechanical beast traversing the heavens crying out its primal song of the sky as endlessly it moves at great speed devouring the miles in just a heartbeat of the hunter. Can he keep up and follow the track of the beast as it arcs and turns in its driven flight. The pipe rises it follows a little dance of left and rights ups and downs keeping the warble loud in both ears as it ascends, high across the sky it tracks, the hunter turns as he follows the warble to its zenith, then the warble descending to the horizon where the spoor is lost.

Hurriedly the hunter puts down the pipe tears off the headset and sprints to the shed and calls out. Because time is of the essence for soon the beast shall return with a new song of the sky, and there is much to be done between.

In the shed a doctor stands, his hands upon the instruments he has just used to capture this song of the sky. In his mind he wonders is it good, what secrets will it show, are they going to be a portent. The open reel of tape spins back the counter ticks down a mark is reached. Another instrument receives attention as the tape now rolls forward, the song of the sky is heard again, and on the instrument a bright dot traverses across the instruments face, falters but then steadies, each traversal takes the dot down a hairs width mesmerising in its path.

Quickly the tape is rolled back the hunter now in the shed, goes to a box mounted on a sturdy frame and checks it. A nod to the Doctor and so the procedure starts with a flurry. The light goes out the selector is turned the song of the sky repeats. The hunter presses a lever and an eye in the box opens. It tracks the dot as it traverses the face of the instrument the minutes pass the dot descends and the Doctor stops the tape and the hunter closes the eye and leaves the shed.

Inside the darkness the doctor opens the box and removes with care a small square of plastic, he drops it in a tray and another lever is pressed. In the tray a liquid swirls a strange brew stirs and the magic it brings turns silver to the gold of information. Slowly though unseen a picture forms. Suddenly a ping is heard a dim satanic light appears the doctor’s shadow thrown in gothic relief against a bank of equipment the slip of plastic is moved from tray to tray and the magic continues the image is now seen in miniature as though tattooed upon it.

A click and flicker and the white fluorescent light returns and the hunter enters with two cups of steaming brew which are placed with care on the table of operation the doctor is at, his fingers busy with a scalpel, cutting the square to shape. With speed and dexterity of practice the square is fixed in yet more plastic. The Doctor turns and drops it in a carrier slot, and then pushed into another box. A switch is thrown and a bright light shines forth and the image is seen. As the brew is sipped the eyes of hunter and doctor alike look with keen attention. The hunter turns and says,

“That’s dirty weather off Calais”

And the doctor nods and looks at his watch and then a list on the wall and replies,

“Five minutes to the next pass”.

A few more sips the cups are done, the hunter leaves with them. Inside the doctor turns out the light and pulls another plastic square from its dark lair and fixes it in the box. The hunter returns to his spot puts on the headphones and picks up the pipe and the hunt for sky songs begins again.

================

This hunt of NOAA’s beasts was back in the 1970’s and the weather pictures obtained were part of a school project for not just an examination but to provide teaching information for several classes.

Part of the project was actually quite dangerous, and it was the conversion of a black and white TV to act as the CRT display as the equivalent of a “photo plotter” using a raster rather than a vector projection.

Now I know the valve/tube TV cost 25pence at a jumble sale and the conversion though involving lots of rewiring only needed the addition of a dual tetrode and socket for an audio amp got from a valve radio also for 25p at the same jumble sale.

As for the 135MHz receiver that was from a modified “Pye Westminster” PMR transverter that had been originally modified to the 144MHz 2 meter amateur band and just required a new channel crystal and slight retune.

But the modified TV and home made camera box were the equivalent of the actual working guts of that many tens of thousands of dollar printer that the Bell Labs team were wrestling with that “Summer of Seventy Nine”.

The advantage we had was we did not have to serialise an image to drive it, that was done by the NOAA satellite for us, and we just recorded it on a rather nice reel to reel 1/4 inch tape recorder (again got from that jumble sale).

The funny thing just a couple of years later I was working on programming a 16bit computer, writing a satellite tracking program that not only output tables of “pass data” but produced a map of the world with the satellite track on it as well as the radio coverage track. Which would show up on a Tektronix graphics terminal or a large drum plotter as a fun college project, at about the same time the Bell bods were doing their “summer job”.

As I’ve mentioned before, my official course project was the design and build of a D2A and A2D converter board including PCBs for connecting to CP/M 8bit computers in the computing lab so that other students could “learn”[1]. I later wrote software for it to connect up to a lab X/Y vector display and one of those Polaroid instant photo cameras. And yes I used an audio tape and PLL circuit to display WeatherFAX pictures[2] transmitted in the MF shipping band and a modified version of the D2A board to write up “vector” text just like you would see on the very very expensive Tektronix terminal.

So yeah, it brings back memories of when computing was rolled up sleeves, hot soldering irons, and wire wrap guns to make images for other people to put in their project documentation, or just get safely from A to B…

[1] As they were cheap and plentiful I used a DB25 IDC connector and ribbon cable to connect it to the lab computers giving 8data, 6address, R/W, CLK, Enable, power, and ground lines. Which later had the unexpected advantage that just the addition of a couple of TTL chips meant it worked on the “centronics” parallel connector on my Apple ][ and the early IBM PC as well as the “Hewlett Packard Instruments Bus”(HPIB) used at the University electronics labs.

[2] Another project I did was a complete “WeatherFAX” machine using originally a Tangerine 6502 board, then a Z80 SMC board and later a custom Z80 card and the guts of an Epson dot matrix printer, for a company to custom case and sell to sailing clubs and more affluent day boat sailors. They only made a few as they could not get “production” organised in a sensible and cost effective way[3]. Cottage industry production is OK for custom production but not commodity or consumer production, a lesson that has served me well over the many intervening years.

[3] What also might not have helped was the rapidly declining cost of home computers and printers. I rewrote the WeatherFAX software to run on a couple of very low cost computers including the Jupiter Ace Forth computer and in effect “gave it away” on cassette tape…

Clive Robinson November 1, 2021 6:59 AM

@ MarkH, ALL,

With regards,

“Specifically, the weakness involves Unicode’s bi-directional or “Bidi” algorithm, which handles displaying text that includes mixed scripts with different display orders, such as Arabic — which is read right to left — and English (left to right).”

This is not a “new” problem as such. It cropped up last century in *nix “internationalisation” efforts that in part drove unicode development…

It just shows that as an industry we really “do not learn from our history” which makes us almost unique in any kind of engineering endeavour of any consequence…

For those that want to go to the source as it were,

https://www.trojansource.codes/trojan-source.pdf

Or read one of the author’s own words,

https://www.lightbluetouchpaper.org/2021/11/01/trojan-source-invisible-vulnerabilities/

No doubt as Prof Ross Anderson reads this blog from time to time he might have something further to say on the ICT industries inability to “learn from its disasters”, unlike most engineering knowledge domains.

Clive Robinson November 1, 2021 8:23 AM

@ MarkH, ALL,

With regards, the Unicode “bidi” algorithm bug.

Thinking back to when the *nix internationalisation was causing issues and what people did as work arounds. There may be a simple work around[1] for some source code,

1, Run all source code through a filter that converts Unicode to ASCII (many editors will have a “Save as ASCII” option anyway).

2, Run the filter output through the compiler pre-processor only, so you get code expansion.

Take that expanded pre-processor output and then do your code review on it…

[1] Not all compilers are going to have this issue, because they don’t accept “unicode source” as input.

Why modern compilers do by default is a bit of a mystery as well… They really should not do so unless specifically told to with a “switch”. On the “least unexpected behaviour” principle and likewise the “No hidden behaviour” principle (which did cause older source code control systems to barf).
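The Unicode-to-ASCII filter step in the comment above, and the bidi control characters the Trojan Source write-up describes, sketched as a pre-review check. This is an added example, not part of any commenter's post and not the paper's own tooling; the function names and the sample text are constructed here, and the per-line balance check is a simplification of the Unicode bidi rules.

```python
# Added example: flag Unicode bidi control characters in source text before
# review. Function names and SAMPLE are constructed for illustration.

# Explicit directional formatting characters defined in UAX #9.
EMBED_OPEN = {"\u202a": "LRE", "\u202b": "RLE", "\u202d": "LRO", "\u202e": "RLO"}
ISOLATE_OPEN = {"\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI"}
PDF = "\u202c"  # closes LRE / RLE / LRO / RLO
PDI = "\u2069"  # closes LRI / RLI / FSI
BIDI_CONTROLS = {**EMBED_OPEN, **ISOLATE_OPEN, PDF: "PDF", PDI: "PDI"}


def find_bidi_controls(text):
    """Return (line, column, name) for every bidi control; both 1-based."""
    hits = []
    for lineno, line in enumerate(text.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                hits.append((lineno, col, BIDI_CONTROLS[ch]))
    return hits


def unterminated_lines(text):
    """Return line numbers where an embedding, override or isolate is still
    open at end of line.

    Simplification: embeddings and isolates are counted separately, so a
    PDI does not close an override opened inside the isolate. That errs
    toward flagging more lines, which is the safe side for a review gate.
    """
    flagged = []
    for lineno, line in enumerate(text.split("\n"), start=1):
        embeds = isolates = 0
        for ch in line:
            if ch in EMBED_OPEN:
                embeds += 1
            elif ch in ISOLATE_OPEN:
                isolates += 1
            elif ch == PDF and embeds:
                embeds -= 1
            elif ch == PDI and isolates:
                isolates -= 1
        if embeds or isolates:
            flagged.append(lineno)
    return flagged


def escape_non_ascii(text):
    """Rewrite text as pure ASCII, turning every other character into a
    visible \\uXXXX escape so the reviewer reads the logical character
    order rather than the rendered one."""
    out = []
    for ch in text:
        if ch in "\n\t" or " " <= ch <= "~":
            out.append(ch)
        elif ord(ch) <= 0xFFFF:
            out.append("\\u{:04x}".format(ord(ch)))
        else:
            out.append("\\U{:08x}".format(ord(ch)))
    return "".join(out)


# Constructed sample: line 2 opens an override and never closes it,
# line 3 opens an isolate and closes it again.
SAMPLE = (
    "int limit = 10;\n"
    "/* note \u202e reversed text */\n"
    'char *s = "a\u2067b\u2069c";\n'
    "return limit;\n"
)


def report(text):
    """Return one human-readable line per finding."""
    open_at_eol = set(unterminated_lines(text))
    lines = []
    for lineno, col, name in find_bidi_controls(text):
        status = "UNTERMINATED" if lineno in open_at_eol else "balanced"
        lines.append("line {} col {}: {} ({})".format(lineno, col, name, status))
    return lines


if __name__ == "__main__":
    for entry in report(SAMPLE):
        print(entry)
    print(escape_non_ascii(SAMPLE), end="")
```

A check like this can run on the raw file in CI or a pre-commit hook, so only flagged files need the closer manual look.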

Ted November 1, 2021 9:20 AM

@Clive, SpaceLifeForm, All

Imagine if you can a tall teenager with lank hair standing on the lawn of an English Garden … moving metal plate (telephone receiver) headphones on

This is a virtual reality experience I could get behind. If only every paper was written with as much information. Though it could be difficult to integrate all the sensory elements, imagination has a beautiful way of making things possible.

@Anders

Re: Bell labs memo on “Experience with Mergenthaler Linotron 202 Phototypesetter, or, How We Spent Our Summer Vacation”

Was this a diary of their testing experience?

As you can see from this tale of woe, our particular 202 was not “packed with reliability and convenience features”, as your brochure suggests. In fact it’s an unmitigated disaster.”

What an adventurous summer vacation! 🙂

echo November 1, 2021 1:48 PM

I notice my comments about baking compliance with equality law into toolchains didn’t cause a ripple. Yet the trivial by comparison bikeshedding validation did.

Yes I do know how complex handling raw Unicode is and it’s not a small task. Ditto JPEG. Yes I would use an API or library for both and no I cannot afford to pay to have either independently audited even if I wanted to. Ditto Zlib.

Eyes glazing over at accessibility is the eternal squeaky wheel complaint of someone I know who is an old associate of Clive and lives fairly close by. At least within one bus ride. He is one of the few who told Clive et al not to meddle with Prestel and after it turned into a bad situation said “told you so” before backpedalling as fast as their legs could carry them.

Murdoch et al got off the phone hacking scandal and like bikeshedding accessibility shows you where the priorities lie.

echo November 1, 2021 3:53 PM

https://twitter.com/RobynVinter/status/1452959483773194241

BBC News seems to be in editorial crisis at the moment. Terrified to hold the government to account, desperately picking on vulnerable communities in an effort to do hard-hitting journalism. Just awful to watch it drag down the reputation of the entire organisation

The BBC is far from being the BBC it used to be. It is now not just a state broadcaster but a state backed broadcaster acting on behalf of the far right aligned Tory party. Pretty much every substantive complaint about the BBC is in this thread.

https://www.theregister.com/2021/10/30/realtime_crowdsourced_fact_checking_not/

They found that while machine learning models based on crowd input perform better than simple aggregation rules, both approaches fell short of fact checking pros. They also found that these automated mechanisms worked even better when the study respondents had high levels of political knowledge. This, they say, suggests “reason for caution for crowdsourced models that rely on a representative sample of the population.”

[…]

Tucker said crowdsourcing likely appeals to platforms because it avoids making platforms like Facebook “arbiters of truth,” as Mark Zuckerberg put it.

“So if Facebook can say ‘we didn’t classify this as legitimate news, our users did,’ that allows Facebook to avoid the question of why it has the right to say what is true and what is not,” explained Tucker.

Not completely true. Most crowds are a bell curve. It really comes down to a handful of people doing the work. The alleged “mavens”. The rest mostly bandwagon although the whole thing is a bit more complicated.

The earlier quoted thread is evidence of “crowdsourced” commentary being adequate. A specific incident this week where the UK government alleged via Tory sympathising journalists and media the French were trying to get the EU to threaten the UK was nothing of the sort. Everyone from native French speakers to translators with 20-30 years of professional experience and academics called them out pretty much immediately yet they held the already established media line and let it linger for as long as they could to do the maximum damage. Everyone had also clearly identified the client journalists who refused to retract or apologise.

SpaceLifeForm November 1, 2021 5:34 PM

@ Clive, ALL

Run the filter output through the compiler pre-processor only, so you get code expansion.

Take that expanded pre-processor output and then do your code review on it…

No one, in their right mind, would take that route.

You normally would only do that when you suspect a compiler bug. Even, possibly a linker bug.

Oh yeah, you will get code expansion, for sure. Let there be no doubt.

Those doing the code review will want to commit seppuku, or just say that the code looks fine.

It is not a viable approach.

Clive Robinson November 1, 2021 6:29 PM

@ SpaceLifeForm,

Oh yeah, you will get code expansion, for sure. Let there be no doubt.

Yes, there will be code expansion, that’s unavoidable when looking for non obvious bugs as you indicate,

You normally would only do that when you suspect a compiler bug. Even, possibly a linker bug.

But it’s what you also do when you run any kind of debugging tool on the runtime code.

The reason you have to run it through the pre-processor is that if you think about it, until the compiler rejects these chars, it should be possible to use the pre-processor to hide this stuff a little deeper.

To be honest, I’m surprised this sort of thing has not come up in the IOCCC in the past.

https://en.wikipedia.org/wiki/International_Obfuscated_C_Code_Contest

echo November 1, 2021 8:34 PM

https://www.osapublishing.org/optica/fulltext.cfm?uri=optica-8-11-1365&id=462661

Slashdot: Researchers from the University of Southampton “have developed a fast and energy-efficient laser-writing method for producing high-density nanostructures in silica glass,” reports Optica. “These tiny structures can be used for long-term five-dimensional (5D) optical data storage that is more than 10,000 times denser than Blue-Ray optical disc storage technology.” ExtremeTech reports.

Glass is glass.

And glass breaks.

Ted November 1, 2021 9:55 PM

@SpaceLifeForm

The fact that no instances of this problem have ever been found in the wild, completely confirms this point.

I was really curious about that statement. I wasn’t sure if you were referring to the ‘Trojan Source’ vulnerability or something else.

However, I was relooking through the paper and saw a section on Ecosystem scanning on page 9.

However, we did find some evidence of techniques similar to Trojan Source attacks being exploited. In one instance, a static code analysis tool for smart contracts, Slither [46], contained scanning for right-to-left override characters.

What do you make of this? Are the authors saying they found a tool that was capable of scanning for RTL code to exploit? And not that they found malicious code?

Clive Robinson November 2, 2021 12:47 AM

@ echo,

Glass is glass. And glass breaks.

Oh dear out of the mouths…

Observe that if you stretch out aluminum you get “bacofoil”, which even a small child can rip into pieces[1].

However stretch out glass and you get very fine fibers so flexible they can be woven into cloth or made into rope with very significant properties[2]. One of which is their strength. One such property of the cloth is it can be used in the making of “penetration resistant clothing” like “stab vests” and “bullet proof vests”.

Whilst every thing does fail under sufficient stress, in some way as it transitions up into plasma some are way better than others.

To know more you have to ask an engineer or materials scientist, instead of denigrating them at every opportunity by suggesting artisanal behaviours like pattens are some how superior for touchy feely reasons.

[1] Because it is both ductile and malleable and at temperature ranges humans live in it is above its Ductile-Brittle Temperature Transition.

[2] Because in use it is an amorphous solid of vitrified viscous liquid below both its phase change states and glass transition temperature.

JonKnowsNothing November 2, 2021 2:55 AM

@ Clive, @ echo

re: spun glass

California Surfing wouldn’t be anything without spun glass: fiberglass (USA)

Although fiberglass drapes, which were popular years ago, were really horrid to hang.

Material transformations can be really intriguing. A fairly recent article on the Elasticity of Yarn described research into how “knitted items” become elastic and malleable, can be formed or draped.

Yarn made of spun fiber (animal and synthetic) does not have much elasticity at all. Normal yarns are not as tensile-strong compared to other spun, woven or rove ropes of similar dimensions. But once knitted they become highly elastic and drape.

There is only 1 knot used: a slip knot loop. It is formed forwards or backwards: knit or purl. It’s a binary system. Only the sequence varies the pattern and design.

The elasticity depends on the order and sequencing of the loops.

The next time you put on a sweater or wrap a knitted blanket around you, you can consider it as one of the origins of computer coding.

Knitting – Weaving – Jacquard – Babbage – Hollerith all from Knit 1 Purl 2.

Sut Vachz November 2, 2021 6:07 AM

@ JonKnowsNothing

Re: knit 1 purl 2

Then there is this, the Shima Seiki knitting machine – knits whole garments, such as a suit or dress, in one seamless pass. The thing uses a special CAD system with accompanying computer language. There is an option to create the knitting code from a 3D scan of the prospective wearer.

And an encrypted message for Monsieur’s sweater ?

Back to you Jacquard …

https: //www.shimaseiki.com/product/design/

Clive Robinson November 2, 2021 6:20 AM

@ JonKnowsNothing, ALL,

Normal yarns are not as tensile-strong compared to other spun, woven or rove ropes of similar dimensions. But once knitted they become highly elastic and drape.

The reason they become “elastic” in layman’s terms is something I looked into when younger. It’s also known as a “right royal pain” to anyone handling “spooled” items such as wire etc. Hence the kinks and mutterings if you “drop over the end spool” rather than “unspool / unroll”.

Whilst the thread may not be longitudinally elastic, it tends to be gracious to torsion. Thus energy can be stored in a similar way to turning a spring where the diameter of the turns changes. Within limits a rough rule of thumb is the stiffer the thread, the better it is for storing energy and the faster it will release it.

One important point: the material should not be ductile or malleable, as any energy that takes it to about 2/3rds of its plastic limit will be used to permanently distort the material. So avoid many precious metals and if using iron, ensure it has a high carbon content (which is known to cause embrittlement if not properly dealt with).

Fun fact, if you are going to use diamond as a cutting tool, remember they dissolve fairly quickly and easily in molten iron… It’s one of the reasons “carbide tools” are suggested for cutting iron based materials, they wear less.

echo November 2, 2021 9:32 AM

@Clive

Glass is glass. And glass breaks.

Oh dear out of the mouths…

Calm down. It was a joke. I was wondering how long it would take before anyone spotted where I got it from. There is also the sidebar of is the final product “squaddie proof”.

To know more you have to ask an engineer or materials scientist, instead of denigrating them at every opportunity by suggesting artisanal behaviours like pattens are some how superior for touchy feely reasons.

Attributing opinion to me I have never expressed.

Material transformations can be really intriguing. A fairly recent article on the Elasticity of Yarn described research into how “knitted items” become elastic and malleable, can be formed or draped.

On my to-do list is tailoring bespoke clothing. I am not an expert tailor but I’ve looked into fabrics and other materials and the use of both as structural items. Unlike off the rack clothing haute couture almost always contains its structure in the garment to the point where some would stand up on their own. Haute couture stitching has the function of being both stronger than normal machine stitching and has more give so although close fitting the garment has a degree of flexibility.

There are some Dior inspired pieces I want to make. I had got most of the way there on my own before researching and discovering how Dior went about things. Unpacking some of his “New Look” designs is an exercise in materials science and structure and usability. As for Victorian clothing and corsets and suchlike there are a huge number of myths going around about those. No you don’t need to make a special effort to use the loo and no they are not actually hot in summer and no they are not tight and uncomfortable. And yes skirts can have massive hidden pockets. The original “pocket” is a bag attached to a string you tie around your waist and access via a slit in the side of a skirt. Ready made high heel or mid heel shoes often have a poor ball to heel length which places strain on the foot which is why I’m making my own custom fitted insoles out of silicon or laminating silicon sheet. Depending on how life goes I may or may not make my own bespoke shoes.

I’m not going into the gory details but I have read books on materials science and watched hours of videos by expert tailors and fashion designers. I use science when I need to. I use something else when I need to. I sometimes even read academic papers!

From time to time I use maths for clothes selection and yes there may well be some maths in design of makeup looks but I only need to eyeball that.

I forget the name of it but every decade or so there is an inch thick book published (cost around £3000 or more) which contains every conceivable measurement of the human body. There’s a fair bit of maths in this much like maths in clothes manufacture and more lately body weight calculations to replace the crude and often wrong BMI calculation but the science and medical practice is slow moving with this. I just don’t like rote learned ponces throwing their job titles in my face. And yes I do know a qualified engineer who made her own dresses!

JonKnowsNothing November 2, 2021 11:38 AM

@Clive

re: “right royal pain” to anyone handling “spooled” items such as wire

People who throw ropes know all about the twisting and spooling. In competitive roping events you can watch the before and after effects of the de-spooling.

Traditional ropes have a “natural twist” that comes from the way the rope was made. Some modern woven ropes have much less but classic ropes and garden hoses all have it.

Competitive ropers use a standard length of rope. At the start they coil the rope in its natural twist and then open the catch loop with backhand movements to the size of loop they like. The loop is partially held open by the reversed twist. Once they throw the loop it uncoils and if they tossed it just right they make the catch; otherwise they just catch the arena floor. After the rope is released, they rewind the rope back into its useful coil.

A large number of fences are made with wires in the USA, both barbed, not barbed and electric fence wire. Most of it comes on a spool or coiled ready to put on a de-spooler. A wrong twist in the wire roll generally means that spool gets left to rust out.

Depending on how the spool is created you can get the end-over pull where you get the tumbling motion or center pull where the line feeds from the middle and there’s no tumbling motion.

old joke tl;dr

A couple of hayseeds go to the Olympics but they don’t have tickets, so they try to get in by the maintenance gate.

One picks up a manhole cover and says “Discus” and walks in.
Another picks up a long pipe and says “Javelin” and walks in.
The third picks up a coil of wire and says “Fencing”….

JonKnowsNothing November 2, 2021 12:03 PM

@Clive, SpaceLifeForm, MarkH, All

re: CDC Updated SARS-CoV-2 Reporting Definitions

In August the CDC, et al, updated some of their official definitions for COVID-19. These went into effect on Sept 1, 2021. Most of the changes are additions to symptom lists and guidance on how to classify reported cases into proper categories.

The changes are from Sept 1, 2021 going forward. There is no retro-reporting or changes to historical reported numbers.

There is one definition area that may cause some swash in future reported death counts.

“COVID-19 disease or SARS-CoV-2 or an equivalent term as an underlying cause of death or a significant condition contributing to death. ”

The key phrases are underlying cause or significant condition. It brings up the old co-morbidity problem. (1)

===

  1. Early in the pandemic there were shifts in how deaths were counted and which deaths were counted as COVID-19 deaths (2019-2020). Some US States used different rules for counting or just didn’t count. The new standards may not alter those State counting methods.

Search terms

  CSTE-CDC / COVID-19 / 21-ID-01

Clive Robinson November 2, 2021 6:44 PM

@ echo,

Attributing opinion to me I have never expressed.

Is your memory really that short?

What was it you said in your little “clive says” rant just the other day?

And what about earlier comments that have –surprising only to you– been deleted.

When you sling mud, do not be surprised if rocks come back.

Quantry November 3, 2021 1:51 PM

@cr0c0d1l3 Re: airgap.

Some notes in chapter 19 of Ross Anderson’s book, “Security Engineering”, on Wiley, I think.

Anyway, certainly makes you wonder why anyone going to the bother of airgapping inside a faraday cage would have network cabling attached, much less a network interface. What’s airgap mean anyway?? And how does a street person manage this sort of security from loyalist ComSec thugs, if anyone can say it.

Clive Robinson November 3, 2021 3:44 PM

@ Quantry,

What’s airgap mean anyway?? And how does a street person manage this sort of security from loyalist ComSec thugs, if anyone can say it.

Air-gap means what ever you want it to mean these days…

That is “Marketing has got a hold on it” and realised that as it’s on “Check-box Security Lists” that companies have to follow, there is consequently an “easy sale market” forming. So all you need is “product” with a label with the right “magic words” on it and “cherching” the cash register goes into hyperdrive mode.

What it used to mean was an isolated computer with what many thought was a TEMPEST perimeter around it and any attached devices or terminals etc (yes we are talking “Big Iron” of half a century ago).

The thing is that those not “in the know” assumed that “TEMPEST Perimeter” was just about radio frequency (EM spectrum) emissions that would drop any signals down to the 1Hz bandwidth noise floor of -174dBm. Which in a 50ohm impedance system is 0.9nV at 1Hz (it goes up by the square root of the bandwidth so at 3kHz telephone bandwidth if the level is down below 50nV@50z in theory it’s “below the noise floor”).

They missed other gapping techniques such as “shock mounts” and “insulation”, or put them down to other things like being quake proof and keeping environment in the computer room under control…

The point is many things are “dual-use” and if you don’t know, then you miss things.

For instance when it comes to “gap crossing” most will talk of “sneaker-net”. It could not be further from the truth. It was done with TEMPEST teletypes and punch paper tape. In some places the tape was first read by a human, then it would be used to make a print up that was again checked visually by a human. The print ups were also quickly checked with light boxes (a technique I also used when doing machine code debugging).

It’s why I talk about,

1, Energy-gapping.
2, Choke-points.
3, True data diodes, pumps and sluices.
4, Mandated channels.
5, Instrumented channels

And lower level techniques that limit,

6, Channel Energy.
7, Channel Bandwidth
8, Channel Transparency.
9, Strong Segregation.
10, Reducing complexity.

And point out that “Security-v-Efficiency” is both very real and has all sorts of subtle issues that can be easily missed.

One such issue being a number of “Data-Diodes” actually have reverse channels due to “error” and “flow control” signalling.

There’s a whole lot more, to do with EmSec etc, of which a big chunk is “mechanical”. But don’t expect to pick it up quickly, it’s actually a very thoughtful process, and rewards patience.

SpaceLifeForm November 3, 2021 8:53 PM

No Such Organization

hxtps://www.vice.com/en/article/dypzjq/us-sanctions-could-cut-off-nso-from-tech-it-relies-on

The sanctions effectively prohibit any U.S. company, as well as American citizens working in the U.S. from doing any business with NSO, including selling hardware and software.

[Rod, you should flip]

echo November 3, 2021 11:31 PM

So the UK government has just stripped away a corruption oversight committee? In another matter I also caught a minister lying on the record both in fact and in law. It’s clear the UK government hasn’t reached bottom and it’s going to get worse.

While the Speaker of the House looked shaken at being called out a spineless toady at least Angela Rayner threw a punch and decked Johnson.

Clive Robinson November 4, 2021 6:55 AM

@ SpaceLifeForm, ALL,

With regards,

“The sanctions effectively prohibit any U.S. company, as well as American citizens working in the U.S. from doing any business with NSO”

Sounds like a blanket “You’re not Welcome here” notice[1].

But…

“This sanction does not prevent NSO from selling its spyware to U.S. law enforcement or intelligence agencies, Jacobson said.”

Hmmm so it’s actually not a “go away” notice but a one way street arrangement of “keep shipping your spyware to us and we will keep buying it”.

So NSO could get the goods and services it needs from other places, then just “pass the cost back” to the USG and LEO’s…

Beginning to sound more like “taking target practice at the podium” by the USG…

[1] Such sanctions are fairly easy to avoid if those sanctioned wish to. They just buy through another country with an unrelated company name or ownership, and then ship to where they wish. Some countries would actively help them for a little “Quid Pro Quo”.

Quantry November 4, 2021 4:03 PM

Thanks Clive.

But before I worry about 50nV and -174dbM etc, it remains that continuous repeated offenses by the Canadian government AT THE ENDPOINT, (and WITHIN the “SEIF” room), requires no special detection equipment or technique whatsoever.

[censored bits]

So, while iron man hides in closets, frantic for a nugget to send home, listening to hours of joe average pissing in his urinal, what manner of NON-enforcement is factual? It’s whose buddy you are or aren’t. Nothing else. Just sit at the truck weigh scales for endless proof.

SpaceLifeForm November 4, 2021 10:37 PM

Seems like a good incentive

I mean, $10 million will buy one a few bitcoin.

hxtps://www.state.gov/reward-offers-for-information-to-bring-darkside-ransomware-variant-co-conspirators-to-justice/

SpaceLifeForm November 5, 2021 1:08 AM

@ Clive

Interesting sat pic

Suspect it was about 2021-10-31 11:00 CDT, that is, the day before the fire. Based upon shadows, vegetation, lack of vehicles.

Note the vehicles in the southern lot. Strange, but the one shadow is very strange. The right of the pair at the bottom.

I do not see a vehicle, yet the shadow indicates there should be one.

Any ideas?

hxtps://www.google.com/maps/search/1621+E+Elm+St,+Jefferson+City,+MO,+651014124+US/@38.5559202,-92.1531763,121m/data=!3m1!1e3?hl=en

hxtps://krcgtv.com/news/local/part-of-east-elm-st-closed-due-to-fire-at-missouri-state-parks-building

[The skies were clear sunday thru monday night and tuesday. No lightning (well, not from the sky). Privately owned, leased to state. And there is even more strangeness to this address]

Ted November 5, 2021 8:30 AM

@SpaceLifeForm

So, you just made me re-think my NFT project.

How interesting. What is involved in making NFT’s and what is the significance of beads? Are there any security implications in these endeavors?

Words, comics, tweets, articles, etc. are all valid responses 🙂

Clive Robinson November 5, 2021 10:14 AM

@ SpaceLifeForm,

I do not see a vehicle, yet the shadow indicates there should be one.

After looking at it for a few minutes and comparing it to the white vehicle to the left…

My guess and it is just a guess as the resolution is not sufficient is that there is a dark coloured vehicle parked up in almost exactly the same way as the white vehicle. The difference being,

1, Its colour is probably dark blue
2, It has the left hand door open
3, The angle of the glass in wind screen and door are causing flare in the direct and adjacent pixels in the camera sensor.

If you look for a while on the right hand side of what looks like the shadow you can see a small curved bump before the shadow curves to the left. Comparing with similar on the white vehicle, I would say that is the rear left bumper / tail end.

If you look for a while at the entire shadow area you actually see a slight difference in both colour and stippling approximately the same shape as around the white vehicle.

Further if you look at the white vehicle it appears to also have sun flare off of its windscreen as well in the same way as is seen on the right hand shadow/vehicle. Also on the left hand side of both shadows there is a small bump that would appear to correspond to where you would expect door/wing mirrors to throw shadows. That is you can see the door/wing mirror on the white vehicle, if you draw a line up from it to the bump, it is parallel to a line you get from the rear of the roof to the maximum point of the shadow. The angles are very slightly different on the dark vehicle shadow. But… If you look at the right hand side, you see the left hand side of the vehicles and the angular difference corresponds to that of those cast by what are door/wing mirrors.

So my guess and that is all it is, is almost identical vehicles probably both “company vehicles” leased/purchased at the same time, but one white the other a different colour probably dark blue. They are parked up at almost the same angle as the difference between the white vehicle and dark vehicle is that the left hand door from the driver’s perspective of the dark vehicle on the right has its door open. Even though there is no “human shadow” suggesting the person who opened the door is in the vehicle.

So “over to you” and others to tear my rheumy old eyesight apart.

Sut Vachz November 5, 2021 11:23 AM

Relativity as described by Wallace Stevens:

They said, ‘You have a blue guitar,
You do not play things as they are.’

The man replied, ‘Things as they are
Are changed upon the blue guitar.’

And they said then, ‘But play, you must,
A tune beyond us, yet ourselves,

A tune upon the blue guitar
Of things exactly as they are.’

Relativity as described by David Mumford https://www.ams.org/journals/notices/202110/rnoti-p1715.pdf

The whole blue geodesic to infinity has finite length again and, if you take the following coordinate change, it continues into yet another world: $\xi = (t - l)\cdot e^{-(\psi^* + \phi)}$, $\eta = e^{\psi^* + \phi}$.

Mumford discusses how relativity “shakes up our deep psychological conviction of the reality of an external physical time.” His should continue to find the theory that shakes up our deep psychological conviction of the reality of an external physical space.

My work here is done. 😉

SpaceLifeForm November 5, 2021 4:47 PM

@ Ted, Clive

I am not doing an NFT. Just providing Scatotic bot food for free.

g($24 of beads bought long island)
