Friday Squid Blogging: Strawberry Squid

Pretty pictures of a strawberry squid (Histioteuthis heteropsis).

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Read my blog posting guidelines here.

Posted on October 8, 2021 at 4:25 PM
73 Comments

Comments

JonKnowsNothing October 8, 2021 5:46 PM

@All

2 interesting MSM stories about long distance control-effects.

a) Another story about ‘Havana Syndrome’ sonic weapon attack. This one associated with the US embassy in Berlin continuing since August [2021] and being checked on by Germany. 200 cases of Havana syndrome have been reported since 2016.

b) Reports of “noisy grannies” gathering to line-dance in public squares in China causing a disturbance because their boomboxes are blasting out their dance tunes. Apparently, not everyone enjoys the grannies’ choice of playlists. There are about 100 million dancing grannies in China and each group has a boombox and each group has their own playlists. One might think noise canceling headphones or ear-pucks would be the easiest solution but…

a viral online report that someone invented a remote stun gun-style device that claims to be able to disable a speaker from 50 metres away. … For two days the grannies thought their speaker is not working!

If a person can disable a boombox from 50 meters and keep it disabled for multiple days, maybe there’s another avenue to the cause of Havana Syndrome: via the speaker systems in phones and conference rooms in the building. The US diplomatic corps must be using some common component in the different buildings. Perhaps a specific “scrambler on a chip” in the phone systems.

===

ht tps://ww w.theguardian.com/world/2021/oct/08/germany-havana-syndrome-sonic-weapon-us-embassy-staff

ht tps://ww w.theguardian.com/world/2021/oct/08/chinas-noisy-dancing-grannies-silenced-by-device-that-disables-speakers

(2x url fracture)

name.withheld.for.obvious.reasons October 8, 2021 5:57 PM

8 Oct 2021 — Shut er’ down Scotty, She’s sucking Mud

As congress debates the efficacy of Facebook’s algorithmic marketing and advertising, testimony provided by a former product manager Frances Haugen, congress has done little to make accountable a whole ecosystem of the digital information domain. Not just Facebook, Instagram, and what other platforms have had an impact on the societal health of the global population, it has not faced the issues often cited by our host Bruce Schneier.

We are beyond the edge, the precipice of a marked diminution of societal health and communications. The security state has already wielded significant influence over the scope and depth of public information and has readied a dystopia less able to speak to anything of substance on issues deemed too sensitive for the public to participate in. Edward Snowden correctly observed that the engine for a “Turnkey Tyranny” was online and possible, that the switch had yet to be turned. I suggest it has been on for quite some time and it needs to be shut down.

Anders October 8, 2021 7:01 PM

Ah, I just re-created my ~30-year-old setup…win 3.1 + internet + gopher

What a time it was – no watering hole sites, no webkits, no zero click…

Gopher is still usable.

Enjoy!

hxxps://phroxy.net/gopher://gopher.viste.fr/1/ogup/list

SpaceLifeForm October 8, 2021 11:06 PM

@ JonKnowsNothing

If the fusion peptide can be blocked, game over, but not likely as that is the key, that does not mutate, because if it does mutate, then the virus will not spread.

hxtps://www.nature.com/articles/s41580-021-00418-x

JonKnowsNothing October 9, 2021 12:41 AM

@SpaceLifeForm, All

Much of the article is very interesting and a good overview of what’s what on the detail insides of SARS-CoV-2 but there were some odd-looking quacks in a few of the details that did not match with my previous information.

I am certainly not qualified to determine the exact value of those oddities or their meanings/indications.

Overall though the GEN2 and GEN3 vax, drugs, treatments are jettisoning the FSpike for other parts of the virus and other mechanisms of how the virus replicates inside the host.

There are some very good items coming SOON(tm) and have been submitted to reviews in the USA.

One that is interesting is a long-term mAB (monoclonal antibody) AZD7442 / PROVENT AstraZeneca. This can be taken before or with vaccination and lasts about 12 months. It is not a replacement for vaccination but it gives a significant bump in antibodies and is long lasting.

Regeneron type mABs only last about 2 months before they fade. Already the effectiveness of 1 of the 3 mABs currently approved in the USA is diminishing.

The Merck drug Molnupiravir is interesting as it’s a prodrug; the pill does not contain the active ingredients only the base chemistry to produce it. The actual production takes place in the gut when the chemical bonds are resorted into the active medication.

Both of these may be available by Q4 2021 – Q1 2022.

There is a downside to some of these new therapies and that is the NEW part. Like mRNA, these may not have had a long history of actual usage but the alternatives are not so good either.

(note: many posts were lost during road-rash episodes)

Clive Robinson October 9, 2021 3:30 AM

@ SpaceLifeForm, ALL,

RE : Scott Helme and the Let’s Encrypt Root Certificate expiration post mortem.

He does not explicitly say what the problem is and how it applies not just to the whole “Certificate Authority”(CA) game, but all privacy and security using any kind of “shared knowledge” secret or otherwise which they all do in some way[1].

Fundamentally it is due to,

“The root of trust issue”

And the Root of Trust failing in some manner.

In this case the failing being by it being explicitly expired “for security”[2]. Whilst there are many reasons to do this they basically boil down to the fact “all systems fail” in some way eventually and so you need a way to “clean up” the resulting mess. So the idea is to “get ahead of the problem” by creating other problems…

The secondary problems are several but some stand out.

Firstly is that the more you try to hide the truth of this from people the more painful it becomes when the inevitable failure happens.

Secondly that the methods used to hide the truth add not just complexity, they also make system failure more likely by increasing the potential attack surface.

Thirdly that the increased complexity makes the “clean up” much more onerous.

So it appears that the apparent reality is not that we can stop the pain, but that we can choose the type of pain. But further thought reveals that it’s a “Hobson’s Choice”[4] at best (which the CA industry likes).

As with life in general people have to take personal responsibility for their privacy and security. That is do the equivalent of draw your curtains and lock your doors. Whilst technology can in limited circumstances help, it has to be remembered it will always fail, especially when it is in the control of others.

Therefore your only two choices are,

1, Be circumspect at all times and in all places.
2, Use mitigation methods you, not others, control.

To do the latter, which is really the only choice in the society we had, means understanding what a Root of Trust is and the issues attached to it.

Importantly understanding that we should never allow our choices to be just Hobson’s Choices. And to do that requires us to understand things such as the Root of Trust and the issues involved.

[1] Whilst there is no way to solve the “Root of Trust” problem there are ways to mitigate it but they in turn open up other potential vulnerabilities such as the very likely “Man In The Middle”(MITM) attacks and hacking of automated systems.

[2] The reason for expiring the certificates CAs use as their individual Roots of Trust are many and varied, and at a high level much the same as changing passwords frequently[3] “for security”. Which is down to “stuff happens” so “things fail” and so “security fails in time” so “we have to get in first” thinking.

[3] Interestingly with passwords, the expiration period got shorter and shorter with time, due in the main to non-password failings in software allowing the theft of password files and DataBases (ie the Root of Trust “secrets”). Due to the level of pain this caused users, other techniques such as “one time passwords” generated by tokens became popular replacements. But… the tokens have inside them a shared secret that acts as a Root of Trust and as demonstrated by the “RSA Hack” due to unrelated failings in software and management the shared secrets of many of their tokens got stolen. So it’s “Turtles all the way down” with Root of Trust security. As observers of CA behaviours might have noted their “industry policy” currently is to issue host / leaf certificates on shorter and shorter time scales “for security”… So the question people should be asking is “What is going to happen when the pain of this gets too high?” as it did with password changing. One thing is certain however “automation” will not solve the fundamental Root of Trust issue[1].

[4] Basically take what you are given or have nothing,

https://en.wikipedia.org/wiki/Hobson's_choice

Be it by the “industry” or increasingly by legislation or regulation brought about by the deliberate campaign of FUD such as “Think of the children” and similar.

Clive Robinson October 9, 2021 5:05 AM

@ Moderator, JonKnowsNothing, SpaceLifeForm,

note: many posts were lost during road-rash episodes

Like @JonKnowsNothing, I too have seen a post I made in reply to @SpaceLifeForm in the same time frame “disappear”.

This has been going on for some time, and it is noticeable that the number of posts made to the blog have significantly decreased in the same time period.

So the question of “cause -v- coincidence” must be in the back of more minds than just mine.

The fact others are breaking their posts into little pieces some of which have quite spread apart time stamps suggests they are trying to mitigate the same “road rash” problem.

anon9 October 9, 2021 5:17 AM

Havana Syndrome – Is it possible there is a mobile app that can periodically spike transmitter power to dangerous levels?

telepathic AI is the enemy October 9, 2021 5:46 AM

Of course they won’t expose the real reason.

That would hinder counterintelligence and reveal methods used against “our enemies.”

I'm dumb - help October 9, 2021 8:37 AM

I’m trying my best to pick up the pieces. I’m new on the scene so to speak. Can someone help me figure out what the monster(rash) to the (road) is?

Freezing_in_Brazil October 9, 2021 8:42 AM

@ All

re Lost posts

My posts disappear when I preview them prior to submitting. The decreased post count that @Clive mentions must be due to the same error [people previewing before submitting]. In WP preview is done via plugin.

Anders October 9, 2021 9:44 AM

@Freezing_in_Brazil

I post here mainly without any preview, because preview requires javascript and I have it disabled via NoScript for most sites.

MarkH October 9, 2021 9:50 AM

Re: lost posts

Although I’ve had comments simply vanish, it’s been very infrequent.

I’ve been paying attention to the preview matter since I first saw it raised (more than a week ago, I think). I virtually always click Submit from the preview “view,” it doesn’t seem to be a problem … but my very old system/browser might be leading to different results.

The roadblock I frequently encounter has been the “held for moderation” message, which in recent weeks (at least) has almost always meant that the comment vanished.

I’ve been having Pretty Good Luck (so far) by chunking longer comments into smaller pieces, as Clive mentioned.

The Real JG4 October 9, 2021 9:58 AM

Sorry that I’ve been too busy to comment. Not like the good old days, but good enough. The cricket story smacks of disinformation. From the time that the brilliant microwave-reflector gift was discovered, you might think that monitoring and shielding have been in place. Copper or aluminum screen would do a pretty good job. ITO on glass might be a weak link.

From long before the time of Melissa’s DefCon talk on fugitive RF, the technology has been available for real-time monitoring of microwave energy. It is laughably cheap now. There could be wavelengths above the range of most detection. Unfortunately, the hardware for attacks also is laughably cheap. If the numerical aperture from the source were large, the energy could be quite concentrated. If the idiots failed to deploy monitoring, they deserve what they got.

Speaking of above the range, one of the coolest things that I’ve ever seen was a device for testing EPIRBs. It was a small handheld device with an ultrasonic microphone, amplifier, mixer, speaker and 9 volt battery in it. Elegant in its simplicity – it just shifted some range of ultrasound to the audible range. I’m sorry that I wasn’t clever enough to test it with a signal generator and oscope to map out the sensitivity and shift. If you held a small cluster of keys across the room and shook it gently, the speaker would produce a strong audible output. The obvious conclusion is that the resonant frequency of most keys is well above the range of hearing. You could make a covert communication system where small metal objects are rattled to transmit inaudible sound over substantial distances. In the good old days, TV remote controls had ultrasonic resonators in them, not unlike tuning forks.

The apes came down from the trees and dug up the ancient dark matter, forged in the hearts of dying stars. The stardust in the apes also was forged in supernovae. Dust of stars in earthen jars. Empire is a machine. Better dead than red. Better poisoned with firefighting foam than burned alive. This jogged my memory:

How do humans make sense of the bomb?
https://thebulletin.org/2021/10/how-do-humans-make-sense-of-the-bomb-a-photo-essay/
Photography and introduction by Robert Del Tredici. Captions by Robert Del Tredici and Gordon Edwards. | October 7, 2021
[picture caption: This glass sphere, 3.2 inches across, is the exact size of the plutonium ball in the Nagasaki bomb. (Robert Del Tredici)]
From the moment the atomic bomb was invented, humanity has struggled to make sense of it. It is a weapon of war, an enforcer of peace, a talisman of sovereignty, a fountainhead of undying radioactivity, and a fateful burden for humans into the far future. Yet the bomb’s physical presence—its deep grit and material magnitude of its mass production—has remained culturally invisible.

I had nearly forgotten about this:

The 50th Anniversary of Starfish Prime: The Nuke that Shook the World
https://www.discovermagazine.com/the-sciences/the-50th-anniversary-of-starfish-prime-the-nuke-that-shook-the-world
Bad Astronomy By Phil Plait Jul 9, 2012 8:05 AM

On July 9, 1962, the U.S. launched a Thor missile from Johnston island, an atoll about 1,500 kilometers (900 miles) southwest of Hawaii. The missile arced up to a height of over 1,100 km (660 miles), then came back down. At the preprogrammed height of 400 km (240 miles), just seconds after 09:00 UTC, the 1.4 megaton nuclear warhead detonated.

Freezing_in_Brazil October 9, 2021 10:15 AM

@ MarkH

As for “preview”, I’m saying it on a hunch [only because it seems so].

the “held for moderation” message, which in recent weeks (at least) has almost always meant that the comment vanished.

It sure looks that way to me.

Anders October 9, 2021 10:30 AM

hxxps://news.yahoo.com/kidnapping-assassination-and-a-london-shoot-out-inside-the-ci-as-secret-war-plans-against-wiki-leaks-090057786.html

SpaceLifeForm October 9, 2021 6:25 PM

Problematic Random

hxtps://www.texasmonthly.com/news-politics/brazoria-county-jury-panels/amp/

Anders October 9, 2021 7:41 PM

Strange, Tor browser now has on its home page the message:

“Do you use a VPN?

We’d like to learn more about how and why our users use VPNs. Complete this short ten-minute survey to tell us about your experience:

Launch the Survey”

Survey link:

hxxp://eh5esdnd6fkbkapfc6nuyvkjgbtnzq2is72lmpwbdbxepd2z7zbgzsqd.onion/index.php/664393

“Understanding your use of Tor and VPNs”

“This survey is anonymous.”

Yeah, right.

Clive Robinson October 9, 2021 9:03 PM

@ SpaceLifeForm,

Problematic Random

Back last century when what would become ISO9000 was the new “must have” I was in a meeting discussing a “production process” with a Quality Control assessor doing death by view foil[1], they actually described the process they used on the factory floor as,

“Select the population, randomize, and select 10% as test subjects.”

I would never have thought I would hear that someone would use it to select humans…

[1] Yes real plastic flimsies from a ring binder put on an old “hot lamp” “Overhead Projector”… OK one or two had been printed in a “laser printer” from Word Perfect but many were hand written using coloured pens…

SpaceLifeForm October 9, 2021 10:05 PM

@ Clive, Anders

I liked mimeograph back in the olden daze.

No yellow dots to worry about.

The Tor survey is priceless! Was that originally on The Onion?

Maybe I am confusing my Onion stuff.

Clive Robinson October 9, 2021 11:56 PM

@ SpaceLifeForm,

No yellow dots to worry about.

They only catch those who are not sufficiently “old school”.

Way back in the last century I used to design not just printed circuit boards but equipment front panels and the like.

Back then laser printers were still just a dream not a practical reality and “light plotters” were “beyond the budget”.

So I used A2 sized feint ruled acetate graph paper (~0.5cm but Imperial), pencil and “India ink” in Rotring pens, to make a much enlarged master.

When you made a “high contrast” photographic copy all the pencil and graph paper lines, small smudges etc. disappeared… As you used a “negative” any marks that did get through could be removed by “touching up the negative” with black ink.

The negatives were fairly easy to turn into “bromides” etc for old style “offset printing” which is still done today (yup digital has not got everywhere yet[1]).

If you think about it you will see why “yellow dots” would not be an issue.

[1] A historical printing time line, from a company whose products I’ve used over the years in making equipment,

http://autotype.macdermid.com/about/timeline

renke October 10, 2021 3:18 PM

@Anders

afaik the survey link is part of http : //eweiibe6tdjsdprb4px6rqrzzcsi22m4koia44kc5pcjr7nec2rlxyad.onion/groups/tpo/-/milestones/32 (clearnet https : //gitlab.torproject.org/groups/tpo/-/milestones/32), to give the Tor project more infos about general VPN usage and use cases. not the worst idea, imo, asking users before developing something 🙂

Winter October 11, 2021 4:24 AM

Definitely security and health related:

Facebook Banned Me for Life Because I Help People Use It Less
ht tps://slate.com/technology/2021/10/facebook-unfollow-everything-cease-desist.html

If someone built a tool that made Facebook less addictive—a tool that allowed users to benefit from Facebook’s positive features while limiting their exposure to its negative ones—how would Facebook respond?

I know the answer, because I built the tool, and Facebook squashed it. This summer, Facebook sent me a cease-and-desist letter threatening legal action. It permanently disabled my Facebook and Instagram accounts. And it demanded that I agree to never again create tools that interact with Facebook or its other services.

The tool I created, a browser extension called Unfollow Everything, allowed users to delete their News Feed by unfollowing their friends, groups, and pages. The News Feed, as users of Facebook know, is that never-ending page that greets you when you log in. It’s the central hub of Facebook. It’s also a major source of revenue. As a Facebook whistleblower observed on 60 Minutes on Sunday, time spent on the platform translates to ads viewed and clicked on, which in turn translates to billions of dollars for Facebook. The News Feed is the thing that keeps people glued to the platform for hours on end, often on a daily basis; without it, time spent on the network would drop considerably.

john October 11, 2021 8:09 AM

With an access point, a simple Linux based computer and a little software and a voip account….

Microsoft, Facebook, Google, ISP garbage, telco garbage and Apple are ALL much less annoying.

I use dillo -l and almost all garbage just disappears!

Filtering is easy :).

John

Winter October 11, 2021 9:29 AM

@John,
“dillo -l”

Dillo has not been updated since 2015. I am afraid it is dead. It was very useful, I agree.

But I think setting NoScript with the default Untrusted should do the trick just as well. Also setting Ublock etc. will block a lot of the other traffic.

john October 11, 2021 11:14 AM

Hi Winter,

Old browser for an old guy. Works great for me.

I extract the text from .html with lynx and then text edit the beginning and ending garbage.

1/2 meg file becomes 4k ! Then I can e-mail it to my friends.

Getting text from .pdf is still sometimes a problem. There ‘must’ be an easier way!

What SIP software do you use that works well with Linux? Most seem to only 1/2 work.

John

lurker October 11, 2021 1:07 PM

@john, Winter
dillo might not have been updated since 2015, does this really mean it’s dead? Perhaps not loved; it’s the default html plug-in for Claws Mail, but chokes on a lot of html “email” from MS & Ggl

SpaceLifeForm October 11, 2021 5:36 PM

Bitcoin is ‘worthless’: JPMorgan CEO Dimon

FBI: Hold my beer! I want to eat my nuclear powered peanut butter sandwich!

hxtps://edition.cnn.com/2021/10/10/politics/fbi-nuclear-string-operation/index.html

name.withheld.for.obvious.reasons October 11, 2021 11:39 PM

Using a predetermined search expression, in the form of a question, some interesting results from Google that may inform those here.

The expression “The impact of surveillance technology on freedom and safety” returned with a top ranking result, the number one on the list, Bruce Schneier’s blog essay on “How Surveillance Inhibits Freedom of Expression”.

Bravo Bruce, may the internet gods shine only the good photons down upon you and none of the other particles, the morons.

SpaceLifeForm October 12, 2021 2:05 AM

@ Clive

So, something that I took for granted half a century ago, that I assumed was obvious, trivial, and axiomatic. I have no idea how I came to that conclusion, but somehow I believed it. Not incorrectly, but I had no proof.

It just popped into me brain. Never studied it. Somehow, to me, it was a given.

Well, wow, was I wrong. The proof is not trivial.

Dirichlet’s theorem on arithmetic progressions

(key: Will contain prime numbers)

SpaceLifeForm October 12, 2021 3:10 AM

@ Clive

I’ve a hunch that there is a simpler, clearer proof, yet to be discovered.

Recall t-primes.

hxtps://mathworld.wolfram.com/DirichletsTheorem.html

Dirichlet’s Theorem

Given an arithmetic progression of terms an+b, for n=1, 2, …, the series contains an infinite number of primes if a and b are relatively prime, i.e., (a,b)=1. This result had been conjectured by Gauss (Derbyshire 2004, p. 96), but was first proved by Dirichlet (1837).

Dirichlet proved this theorem using Dirichlet L-series, but the proof is challenging enough that, in their classic text on number theory, the usually explicit Hardy and Wright (1979) report “this theorem is too difficult for insertion in this book.”

SpaceLifeForm October 12, 2021 3:49 AM

@ Clive

Those are the dots. Can you guess where I am going with this?

The proof is indirect. It looks good. Not complicated. It requires Dirichlet’s theorem.

Going to review for some time. It is easy to make a math mistake. Or misread my own handwriting. Been there, done that.

What scares me, is that I could fit it in the margin of a book.

Well, almost. But, I am studying only two pages of notes and equations. The rest is embedded in my brain over the years, is not complicated, and, in fact, I have described such here.

Woke from a dream last night with an insight.

Clive Robinson October 12, 2021 8:08 AM

@ SpaceLifeForm,

So, something that I took for granted half a century ago, that I assumed was obvious, trivial, and axiomatic. I have no idea how I came to that conclusion, but somehow I believed it. Not incorrectly, but I had no proof.

But what type of proof?

Remember there are two basic classes of proof,

1, Graphical
2, Logical

For instance the “Three four five ratio triangle” is easy to prove graphically, and by simple induction of “scaling” as it is a ratio, for all other triangles in that therefore infinite set.

Likewise the proof of,

(n+1)^2 = n^2 + 2n + 1

Oh and similar for higher powers.

Now consider a number sieve, you have a number line and you strike out every integer multiple of N.

Now think of two strike outs M and N you start to get a pattern with each additional strike out you strike out not just numbers that are still there but numbers that have been previously struck out. Eventually all numbers will be struck out as you work your way through the integers.

However a pattern emerges, as you increment you discover that sometimes that number has already been struck out and sometimes not.

Those that have not been struck out when you reach them are called “primes” by convention.

At first sight the primes look placed randomly on the number line. In fact the opposite is true. If you look at the number line as you sieve you notice that there are other “special numbers” these are the “prime factorials” so,

6, 30, 210, 2310, 30030…

Around these you see “twin primes” form, even though one or both might later get struck out.

Now consider the multiples of the strike out numbers, not as numbers but the zero crossing point of a waveform like a sinewave.

As you envision it you see that around the “prime factorials” the primes “mirror” but more interestingly they mirror around all the “prime factorials” and their multiples.

Whilst it is easy to see graphically try thinking about coming up with a formula you can use to produce the primes from it.

But you also come up against another type of very special number. As you build up the twin primes around the reflection points, you will occasionally come across a prime that strikes out one of a potential twin prime. Thus the question is are all primes “very special” or just some.

My gut feeling is that if twin primes are infinite the answer is “no” but how to prove it?

It is something that has nagged at me since before I was a teenager some “cough cough” decades ago.
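The strike-out sieve described in the post above, the “mirror” pattern around multiples of the prime factorials (more commonly called primorials: 6, 30, 210, …) and the arithmetic progressions a·n+b from the Dirichlet quote SpaceLifeForm posted earlier, worked through in Python as an added example. This is not code from the thread; the function names and the limits used are my own choices. The mirror check is exact for the survivor pattern after striking the first k primes, which is what the post describes; `twin_candidates_around` shows that later strikes can remove one or both members of a pair around a primorial multiple, as the post notes.

```python
# Added example (not from the thread): Eratosthenes-style strike-out sieve,
# a check of the mirror pattern around multiples of the primorials
# (the post's "prime factorials": 6, 30, 210, ...), and prime counts in the
# arithmetic progressions a*n + b of Dirichlet's theorem. Names are my own.
from math import gcd, prod


def sieve(limit):
    """Classic sieve: strike out every multiple of each surviving n; return is_prime[0..limit]."""
    is_prime = [True] * (limit + 1)
    is_prime[0] = is_prime[1] = False
    for n in range(2, int(limit ** 0.5) + 1):
        if is_prime[n]:
            for m in range(n * n, limit + 1, n):
                is_prime[m] = False
    return is_prime


def first_primes(k):
    """The first k primes (k <= 46 is plenty for the primorials used here)."""
    is_prime = sieve(200)
    return [p for p in range(2, 201) if is_prime[p]][:k]


def primorial(k):
    """Product of the first k primes: 2, 6, 30, 210, 2310, ..."""
    return prod(first_primes(k))


def survivors_after_striking(k, limit):
    """Partial sieve: strike out every multiple (the prime itself included) of the
    first k primes. What survives is exactly the set of numbers coprime to primorial(k)."""
    alive = [True] * (limit + 1)
    alive[0] = False
    for p in first_primes(k):
        for m in range(p, limit + 1, p):
            alive[m] = False
    return alive


def mirror_holds(k, limit, centre_step=None):
    """True if the survivor pattern after k strikes is symmetric about every multiple M
    of centre_step (default primorial(k)) up to limit: x survives iff M - x survives.
    The symmetry is exact for primorial multiples and generally fails for other centres."""
    step = centre_step or primorial(k)
    alive = survivors_after_striking(k, limit)
    for centre in range(step, limit + 1, step):
        for x in range(1, centre):
            if alive[x] != alive[centre - x]:
                return False
    return True


def twin_candidates_around(k, limit):
    """(M-1, M+1, both_prime) for each multiple M of primorial(k) below limit.
    Both neighbours survive the first k strikes; later strikes may remove one or both."""
    step = primorial(k)
    is_prime = sieve(limit)
    return [(m - 1, m + 1, is_prime[m - 1] and is_prime[m + 1])
            for m in range(step, limit, step)]


def primes_in_progression(a, b, n_max):
    """Primes among a*n + b for n = 1..n_max. Dirichlet: infinitely many iff gcd(a, b) == 1;
    when gcd(a, b) > 1 every term from n = 1 on shares that factor, so none is prime."""
    is_prime = sieve(a * n_max + b)
    return [a * n + b for n in range(1, n_max + 1) if is_prime[a * n + b]]


if __name__ == "__main__":
    print("primorials:", [primorial(k) for k in range(1, 6)])
    print("mirror about multiples of 30 up to 300:", mirror_holds(3, 300))
    print("mirror about multiples of 4 (not a primorial):", mirror_holds(2, 100, centre_step=4))
    print("pairs around multiples of 30:", twin_candidates_around(3, 100))
    for a, b in [(4, 1), (4, 3), (6, 1), (4, 2), (6, 3)]:
        found = primes_in_progression(a, b, 250)
        print(f"{a}n+{b}: gcd={gcd(a, b)} primes={len(found)} first few={found[:5]}")
```

Running it prints the primorials, confirms the mirror symmetry about multiples of 30 (and its failure about multiples of 4), lists the pairs 29/31, 59/61 and 89/91 (91 = 7·13 is struck later), and shows that progressions with gcd(a, b) = 1 keep producing primes while 4n+2 and 6n+3 produce none.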

SpaceLifeForm October 12, 2021 5:24 PM

@ Clive

Yes, you connected the dots.

Upon further review…

I have a logic flaw in my approach. In order to properly apply Dirichlet’s Theorem, my number set must be linear and contiguous. But, my number set is not contiguous, there are gaps in the progression.

Whilst I suspect the concept could still apply, it is way more complicated than I had hoped.

SpaceLifeForm October 12, 2021 6:15 PM

@ Clive

The gap sizes are not linear, but quadratic. If the gap sizes were linear, then the approach would still work.

I remain confident that Dirichlet’s Theorem can be applicable.

Nuts Hell:

I just have to prove that Dirichlet’s Theorem can apply to Quadratic Curves.

Simple, right? 😉

Clive Robinson October 12, 2021 9:05 PM

@ SpaceLifeForm,

I just have to prove that Dirichlet’s Theorem can apply to Quadratic Curves.

Not of necessity, there may be other proofs that have been formulated you could use, or… you could formulate your own new proof using different criteria.

Me, I prefer graphical proofs, because they are way way less likely to be open to argument and importantly are usually well within the capabilities of “ordinary mortals” with what they have to hand. And importantly usually do not as such require specialist knowledge, that even specialists in the domain may not be aware of…

The problem with infinities is there is just not a piece of paper big enough 😉

SpaceLifeForm October 13, 2021 5:54 PM

I am smelling Silicon Turtles burning on the grill. Bad Cook. The Secret Sauce is no longer secret.

Use an iPhone?

Did you update in last 24 hours to iOS 15.0.2 ?

Reverse Engineering is a thing.

Prepare to update soon. And the next week. And the next week, etc.

When you have a fundamental flaw, no amount of bandaids will stop the bleeding.

hxtps://www.twitter.com/jonathandata1/status/1448037463419674625

This will be one of the toughest vulnerabilities to patch, we will need to help @apple with ways to patch after I disclose. I mean this in all seriousness. There are many vulnerabilities that stem from this, if we don’t come together and stop fighting, threat actors will win.

Winter October 14, 2021 4:23 AM

We knew this would be possible.

LAN cables can be sniffed to reveal network traffic with a $30 setup, says researcher
What’s a long length of electrical wire? A transmitter, of course
ht tps://www.theregister.com/2021/10/14/lantenna_ethernet_cable_rf_emissions/

Mordechai Guri of Israel’s Ben Gurion University of the Negev described the disarmingly simple technique to The Register, which consists of putting an ordinary radio antenna up to four metres from a category 6A Ethernet cable and using an off-the-shelf software defined radio (SDR) to listen around 250MHz.

Nicknamed LANtenna, Guri’s technique is an academic proof of concept and not a fully fledged attack that could be deployed today. Nonetheless, the research shows that poorly shielded cables have the potential to leak information which sysadmins may have believed were secure or otherwise air-gapped from the outside world.

Winter October 14, 2021 7:54 AM

A new insight into Fake News: Hacker X = Robert Willis.

“Hacker X”—the American who built a pro-Trump fake news empire—unmasks himself
He was hired to build a fake news op but now wants to put things right.
ht tps://arstechnica.com/information-technology/2021/10/hacker-x-the-american-who-built-a-pro-trump-fake-news-empire-unmasks-himself/

Sources also told Ars that Koala Media owners realized the massive potential for financial gain in pushing out the pro-Trump and anti-Clinton rhetoric after analyzing Trump’s voter base and their emotional reactions to the fake news articles all adding to traffic. Had Clinton’s voter base earned them more money, the pro-Clinton narrative might have been their focus, claim the sources.

Winter October 14, 2021 8:04 AM

“A new insight into Fake News: Hacker X = Robert Willis.”

PS: Now, who might be behind the pseudonym “Koala Media”?
😉

Clive Robinson October 14, 2021 11:40 AM

@ Winter, ALL,

With regards,

“Mordechai Guri of Israel’s Ben Gurion University of the Negev described the disarmingly simple technique”

Simple and a re-boiling of an existing technique in the TEMPEST EmSec canon.

Be aware that “The Register” article contains some misleading information, and it is not immediately obvious how they arose. So you need to read the 11 page research paper[1].

For instance The Register article has two statements,

1,

“Guri when El Reg asked about the obvious limitations described in his paper [PDF]. “However, due to environmental noises (e.g. from other cables) higher bit-rate are rather theoretical and not practical in all scenarios.””

2,

“He added that his setup’s $1 antenna was a big limiting factor and that specialised antennas could well reach “tens of metres” of range.”

One type of once specialised setup uses “Phased Array” antennas. Put simply two or more antennas spaced and angled correctly produce a much narrower beam with deep nulls so that interference can be “notched out”. As the antennas are spaced quite an angular distance apart they effectively cover a “patch” or “volume” of space where the beams cross.

Whilst known in engineering circles prior to World War II, it was certainly made available to a much wider audience back in the 1970’s when Prof R.V.Jones published his book about the technology war within WWII. There are a number of chapters that talk about the “Battle of the Beams” and give a description of how they worked, and why things went wrong and the consequent devastating Blitzing / “Bombing of Coventry”. So the basic information has been available to the general public for nearly half a century, and the practical technology available for around a century or more.

But more importantly the techniques were used in early radio networking with “Space Diversity” systems and more recently multi-antenna WiFi systems.

For those wishing to dig deeper there are a couple or more decades of Open information on “MIMO” radio systems that will give you nearly everything you need to know.

But of more interest to Network and System Admins was how this attack is possible… The standard literature implies that “Cat Cables” do not radiate, even though they contain enough radio energy to be picked up at several miles in favourable circumstances. The Register article mentions this with,

“Nonetheless, the research shows that poorly shielded cables have the potential to leak information which sysadmins may have believed were secure or otherwise air-gapped from the outside world.”

Firstly, I keep saying “air-gapping” is insufficient and you need to do “energy-gapping”, which does require a degree of EmSec knowledge. Fortunately much of it in this case can be found in books dealing with EMC design.

However “poorly shielded” is only part of the problem, because many Cat Cables used for Ethernet Networking are not shielded at all; they use “twisted pair” cables where two signals are sent, one down either wire in the pair. When properly phased the signals cancel each other out and do not radiate. Likewise any radiated EM signals that cross the twisted pair lift both wires equally, so get canceled out by the differential receiver (which can be as simple as using a specialised transformer often called a “balun” in communications work).

However getting both the phase and amplitude of signals correct is actually very hard and requires specialised equipment that few Network or Sysadmins would have or know how to use to achieve the required “balance” of the differential signals.

But simply, radio receivers, which the “Software Defined Radios” (SDR) being used by the researchers are, have a number of specifications that define how useful they are for this application,

1, Front end noise.
2, System Noise Floor.
3, Linear dynamic range.
4, Effective demodulator bandwidth.

The sensitivity of the radio is defined primarily by front end noise and sufficient amplification such that a signal is lifted above the system noise floor. Most modern receivers, if sufficiently well designed, can get within a few dB of the 4KTB noise floor, which for a 1Hz bandwidth is -174dBm. Which is the equivalent of 4x10e-21 Watts of CW signal. Compare that to the ~0.1 Watts of actual signal power. So the noise floor of -174dBm/Hz is not even measurable with most standard test equipment.

Yet signals of only 2x10e19W can be received at 2.4 meters, 3.4 meters at 4x10e19W, with standard dipole antennas; however “long-wire” antennas at the operating frequency provide noiseless “gain”, as do other antennas, like the Yagi-Uda antennas many think of as “TV antennas” and, more importantly, the likes of Log Periodic Dipole Antennas (LPDA).

Anyone who has done “Echo 4” or TEMPEST training should know all of this. Even though they have been told the information is “classified” it’s all quite publicly available in both standard Physics and Radio Engineering texts and EMC Design guides.

I could go on and on and on, but I really do not see anything fundamentally original in the paper. Oh and I was doing similar over a third of a century ago, as were quite a few other engineers.

So as I said cabbage re-boiling, yet again…

That said, hopefully it will actually wake a few people up now they can see it as practical as opposed to theoretical.

[1] The actual published paper,

https://arxiv.org/pdf/2110.00104.pdf

If you read through it you will discover nothing that has not been discussed on this blog years ago other than their software, and as far as I can remember the toggling of the Ethernet speed, which requires “root” or better access.
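The comment above argues from the thermal noise floor (-174 dBm/Hz) to receivable range; the following added example (not code from the comment or from the LANtenna paper) carries that link-budget arithmetic through so a defender can estimate how far an unintended emission could be picked up and how bandwidth and receive-antenna gain move that distance. All scenario numbers in it (radiated power, 125 MHz carrier, antenna gains, noise figure) are assumptions for illustration, and free space is an optimistic bound.

```python
"""Thermal noise floor and free-space link budget for an unintended emission.
Added example, not code from the comment thread or the cited paper.  Scenario
numbers (radiated power, carrier frequency, antenna gains, noise figure) are
assumptions; walls, clutter and other cables make real ranges shorter."""
import math

BOLTZMANN = 1.380649e-23       # J/K
SPEED_OF_LIGHT = 299_792_458   # m/s
REFERENCE_TEMP_K = 290.0       # the temperature at which kT is -174 dBm/Hz


def watts_to_dbm(power_w: float) -> float:
    return 10.0 * math.log10(power_w / 1e-3)


def dbm_to_watts(power_dbm: float) -> float:
    return 1e-3 * 10.0 ** (power_dbm / 10.0)


def thermal_noise_dbm(bandwidth_hz: float, temp_k: float = REFERENCE_TEMP_K) -> float:
    """kTB noise power in dBm.  At 290 K and 1 Hz this is about -174 dBm,
    i.e. roughly 4e-21 W, the figure quoted in the comment."""
    return watts_to_dbm(BOLTZMANN * temp_k * bandwidth_hz)


def minimum_detectable_signal_dbm(bandwidth_hz: float, noise_figure_db: float,
                                  required_snr_db: float) -> float:
    """Weakest signal the receiver can still demodulate: thermal floor in its
    bandwidth, plus the noise its own front end adds (NF), plus the SNR the
    demodulator needs.  Halving the bit rate halves the bandwidth and lowers
    the MDS by 3 dB, which is why slow leaks reach further than fast ones."""
    return thermal_noise_dbm(bandwidth_hz) + noise_figure_db + required_snr_db


def free_space_path_loss_db(distance_m: float, freq_hz: float) -> float:
    """Friis free-space loss between isotropic antennas."""
    return 20.0 * math.log10(4.0 * math.pi * distance_m * freq_hz / SPEED_OF_LIGHT)


def max_range_m(tx_power_dbm: float, tx_gain_dbi: float, rx_gain_dbi: float,
                mds_dbm: float, freq_hz: float) -> float:
    """Invert Prx = Ptx + Gt + Gr - FSPL for the distance at which the received
    power falls to the receiver's minimum detectable signal."""
    allowed_loss_db = tx_power_dbm + tx_gain_dbi + rx_gain_dbi - mds_dbm
    return 10.0 ** (allowed_loss_db / 20.0) * SPEED_OF_LIGHT / (4.0 * math.pi * freq_hz)


def leak_range_scenarios(radiated_dbm: float = -90.0, freq_hz: float = 125e6,
                         noise_figure_db: float = 6.0, required_snr_db: float = 10.0):
    """Range for several (bandwidth, receive-antenna gain) pairs.  Defaults are
    assumptions: -90 dBm (1 pW) leaking from an imbalanced pair, a 125 MHz
    carrier, a 6 dB noise-figure SDR and 10 dB of SNR for reliable decoding."""
    rows = []
    for bandwidth_hz in (1.0, 100.0, 10_000.0):
        mds = minimum_detectable_signal_dbm(bandwidth_hz, noise_figure_db, required_snr_db)
        for rx_gain_dbi in (2.0, 12.0):          # simple whip vs. a directional antenna
            rows.append((bandwidth_hz, rx_gain_dbi, mds,
                         max_range_m(radiated_dbm, 0.0, rx_gain_dbi, mds, freq_hz)))
    return rows


if __name__ == "__main__":
    floor = thermal_noise_dbm(1.0)
    print(f"kT at 290 K, 1 Hz bandwidth: {floor:.1f} dBm = {dbm_to_watts(floor):.2e} W")
    for bw, gain, mds, rng in leak_range_scenarios():
        print(f"BW {bw:>8.0f} Hz  Rx gain {gain:>4.0f} dBi  "
              f"MDS {mds:7.1f} dBm  free-space range {rng:8.1f} m")
```

The table it prints is the defender's version of the two Register statements: dropping the bit rate (bandwidth) and adding antenna gain both stretch the radius an energy-gap has to cover.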

lurker October 14, 2021 12:27 PM

@Winter: re lantenna
Thirty years ago I installed some PhoneNet cables to extend an existing AppleTalk network. PhoneNet = 4 wire analog telephone cable; AppleTalk official cables = single twisted pair inside a braided shield. Back then Apple engineered up to a spec, not down to a price. Their cable cost ~4x the other. My concern at the time was how much rubbish would get into the cheaper cable.

Winter October 14, 2021 1:23 PM

@Clive
“I could go on and on and on, but I really do not see anything fundamentally original in the paper. ”

I consider $30 for the whole setup to listen into UTP quite informative. Think what $3000 could buy you.

And noise and speed are just temporary. When gravitational waves are recorded and a 1970s space probe can be communicated with over 23 billion km, a simple UTP wire over a few meters should not be a big problem.

Freezing_in_Brazil October 14, 2021 2:01 PM

@ SpaceLifeForm

Is it useful Random?

Interesting. I think that it would be essentially analogous to @MarkH’s Earthquake model we discussed recently [last Squid?].

Clive Robinson October 14, 2021 3:15 PM

@ Winter,

I consider $30 for the whole setup to listen into UTP quite informative.

If you look up the SDR they claim they used, the HackRF, you won’t get it for $30; it’s more like $300.

Mind you I can get an SDR for around $12 that goes up to ~700MHz which should work as well…

I have helped make an extensible system with some friends using multiple SDRs connected to individual Raspberry Pis. The hard part is “gen-locking”; if others can get the code right it will form part of a radio telescope as a building block for a 1km square system.

Clive Robinson October 14, 2021 3:52 PM

@ SpaceLifeForm, Freezing_in_Brazil,

Is it useful Random?

First define random 😉

Oddly for most practical uses cryptography has lower requirements for “random” than quite a few simulations that use millions of bytes and require no funnies in higher dimensions, etc, etc, etc.

But there is one curious corner of cryptography, which is “deniability” by the first party to third parties even if the second party betrays whilst still giving a second party “authentication”.

And before people go “that’s impossible” in theory it is not. The first part of deniability can be done with a genuine OTP; the second part becomes somewhat harder.

MarkH October 14, 2021 4:59 PM

@Freezing_in_Brazil:

Most readers will know that crypto most often needs secret random numbers. But there are a great many applications for random data, and unpredictable public numbers can be most useful.

This has given rise to the notion of a “randomness beacon” as a service which publishes unpredictable numbers at regular frequent intervals.

For example, NIST has operated such a beacon for some time.

A couple of years ago, CloudFlare founded the “League of Entropy” as a distributed project to gather and combine random data from a variety of organizations; the idea is to alleviate concerns that the numbers might be manipulated in some way so as to control outcomes.

Fortunately, it’s not difficult to combine entropy from multiple sources in such a way that even if only one of them is really good, the other partially (or even completely) predictable sources won’t harm the unpredictability of the result, provided that the bad inputs were made independently of the good source(s).

As an example of a very interesting application, a governmental jurisdiction needing to audit election processes might apply special vigilance to a randomly selected subset of election districts. If such selection were in any way predictable, then persons hoping to get away with subverting the next election might limit their cheating to districts which won’t receive special checking.

If (a) the audit process consults a randomness beacon at some specified time after the election has concluded, using its output for district selection, and (b) the operators of the beacon aren’t manipulating its outputs, then it’s impossible for would-be election hackers to know which districts won’t receive special examination until after the election is completed.

If the beacon-based selection protocol is properly designed, then anyone can verify the value of the public beacon, and that the selection of districts was made both according to the rules, and with results that couldn’t have been predicted before the beacon value was published.

The League of Entropy seems to apply a variety of protocols intended to provide robust assurances that the output numbers are protected against possible manipulations, so as to reduce the need to place trust in any particular organization.
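The two mechanisms described above, combining several entropy contributions so that one honest source suffices, and deriving an audit sample from a published beacon value that anyone can recompute, as an added example written for this thread (it is not League of Entropy, drand or NIST beacon code; the district names, audit rules and contribution bytes are constructed):

```python
"""Entropy combining and beacon-driven, publicly verifiable sortition.
Added example for the comment above; not code from any real beacon operator.
District ids, the audit-rules string and the contribution bytes are constructed."""
import hashlib
from typing import Iterable, List


def xor_combine(contributions: Iterable[bytes]) -> bytes:
    """XOR equal-length contributions.  With the other inputs fixed, XOR is a
    bijection on any single input, so if at least one contribution is uniform
    and was produced independently of the others, the result is uniform too,
    however biased or even adversarially chosen the remaining inputs are."""
    parts = list(contributions)
    if not parts or any(len(p) != len(parts[0]) for p in parts):
        raise ValueError("need at least one contribution, all of equal length")
    out = bytearray(len(parts[0]))
    for p in parts:
        for i, b in enumerate(p):
            out[i] ^= b
    return bytes(out)


def beacon_value(contributions: Iterable[bytes], round_no: int) -> bytes:
    """Publishable beacon output: hash the combined bytes together with the
    round number so each value is bound to its position in the sequence."""
    return hashlib.sha256(round_no.to_bytes(8, "big") + xor_combine(contributions)).digest()


def select_districts(beacon: bytes, districts: List[str], k: int, rules: bytes) -> List[str]:
    """Sortition: score each district with SHA-256(rules || beacon || id) and take
    the k lowest.  Scores are i.i.d. uniform, so the result is a uniform random
    k-subset.  `rules` (district list version, k, audit date) must be published
    before the beacon round is emitted, otherwise a dishonest auditor could
    tweak the rules after seeing the beacon to steer the selection."""
    if not 0 <= k <= len(districts) or len(set(districts)) != len(districts):
        raise ValueError("k out of range or duplicate district ids")
    scored = sorted((hashlib.sha256(rules + beacon + d.encode()).digest(), d) for d in districts)
    return sorted(d for _, d in scored[:k])


def verify_selection(beacon: bytes, districts: List[str], k: int, rules: bytes,
                     claimed: List[str]) -> bool:
    """Anyone holding the public beacon value and the pre-published rules can
    recompute the sample and compare it with what the auditor announced."""
    return sorted(claimed) == select_districts(beacon, districts, k, rules)


if __name__ == "__main__":
    districts = [f"district-{i:02d}" for i in range(1, 21)]       # constructed
    rules = b"audit-rules-v1|k=4|published-before-round-1"        # constructed
    contributions = [
        hashlib.sha256(b"constructed: the one honest, independent source").digest(),
        bytes(32),          # a source that always outputs zeros
        b"\xff" * 32,       # a source that always outputs ones
    ]
    beacon = beacon_value(contributions, round_no=1)
    chosen = select_districts(beacon, districts, 4, rules)
    print("beacon:", beacon.hex())
    print("audit sample:", chosen)
    print("verifies:", verify_selection(beacon, districts, 4, rules, chosen))
```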

MarkH October 14, 2021 5:08 PM

@Freezing_in_Brazil:

As a footnote, I wouldn’t generally recommend the sort of earthquake record I’ve been using as a random source.

My idea wasn’t to measure the randomness of earthquakes as such; if we found a way to predict them, we might become very wealthy indeed. Rather, I thought that earthquake data are a good “stand-in” for radioactive decays in order to demonstrate properties of the much-scorned “roulette wheel” extraction technique.

Along the way, my analyses seemed to show that although global earthquake timings are sufficiently different from radioisotope decays that they can be distinguished statistically, they are indeed nearly Poisson processes.

========================

If I recall my reading correctly, one South American contributor to the League of Entropy does indeed use real-time seismic data as one of several entropy sources which they combine before sending it along to be combined with data from other entropy-gathering organizations.

SpaceLifeForm October 14, 2021 7:57 PM

Bugs in our Pockets: The Risks of Client-Side Scanning

https://www.theregister.com/2021/10/15/clientside_side_scanning/

Penned by some of the most prominent computer science and cryptography professionals – Hal Abelson, Ross Anderson, Steven M. Bellovin, Josh Benaloh, Matt Blaze, Jon Callas, Whitfield Diffie, Susan Landau, Peter G. Neumann, Ronald L. Rivest, Jeffrey I. Schiller, Bruce Schneier, Vanessa Teague, and Carmela Troncoso – the paper contends that CSS represents bulk surveillance that threatens free speech, democracy, security, and privacy.

SpaceLifeForm October 14, 2021 10:11 PM

Who knew one can decode the HTML source code?

It must be tricky. Does not seem to be much coverage.

Parson issues legal threat against Post-Dispatch after database flaws exposed

hxtps://www.stltoday.com/news/local/govt-and-politics/parson-issues-legal-threat-against-post-dispatch-after-database-flaws-exposed/article_93f4d7d6-f792-5b1b-b556-00b5cac23af3.html#tracking-source=home-trending

The data on DESE’s website was encoded but not encrypted, said Shaji Khan, a cybersecurity professor at the University of Missouri-St. Louis — and that’s a key distinction.

No one can view encrypted data without the specific decryption key used to hide the data. But encoded just means the data is in a different format, and can be relatively easily decoded and viewed.

“Anybody who knows anything about development — and the bad guys are way ahead — can easily decode that data,” Khan said on Thursday.

But the bigger problem, Khan said, is that the sensitive data was there at all.

[Exactly. This was an inside job]

hxtps://www.washingtonpost.com/politics/2021/10/14/newspaper-informed-missouri-about-website-flaw-governor-accused-it-hacking/

hxtps://tech.slashdot.org/story/21/10/14/207225/a-newspaper-informed-missouri-about-a-website-flaw-the-governor-accused-it-of-hacking

SpaceLifeForm October 15, 2021 1:25 AM

Who knew one can decode the HTML source code?

This is why we have problems. The ‘leaders’ are clueless about tech.

Sorry, but I have to do this while possible for record preservation purposes.

There are replies from people you probably are familiar with.

hxtps://twitter.com/GovParsonMO/status/1448697768311132160

Through a multi-step process, an individual took the records of at least three educators, decoded the HTML source code, and viewed the SSN of those specific educators.

We notified the Cole County prosecutor and the Highway Patrol’s Digital Forensic Unit will investigate.

Upon receiving this notice, DESE immediately contacted the Missouri Office of Administration ITSD, who programs and maintains the web application, to remove public access to the portal and update the code.

This matter is serious. The state is committing to bring to justice anyone who hacked our system and anyone who aided or encouraged them to do so — in accordance with what Missouri law allows AND requires.

A hacker is someone who gains unauthorized access to information or content. This individual did not have permission to do what they did. They had no authorization to convert and decode the code.

Under Missouri law, a person commits the offense of tampering with computer data if he or she knowingly and without authorization accesses, takes, and examines personal information without permission. This data was not freely available and had to be converted and decoded.

[My guess is that the PII (the SSN) was base64 encoded. It should not have been embedded in the HTML under any circumstances]
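The distinction Khan draws (encoded is reversible by anyone who fetches the page, encrypted is not) is exactly what a pre-publication review of the rendered page source should check for. The following added example, not code from the comment thread or from the reporting it quotes, scans HTML for plaintext SSNs and for base64 tokens that decode to SSN shape; that the values were base64 is SpaceLifeForm's guess above and is carried here as an assumption, and the sample page and identifiers are constructed.

```python
"""Pre-publication scan of page source for SSNs that were merely encoded.
Added example, not code from the comment thread or the cited articles.  The
base64 assumption follows the comment's guess; the HTML sample is constructed
with fake identifiers."""
import base64
import binascii
import re
from typing import List, Optional

# Candidate base64 tokens: eight or more symbols, then optional padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")
# SSN shape with or without dashes; group boundaries let us drop never-issued
# numbers (area 000/666/9xx, group 00, serial 0000) to cut false positives.
SSN_SHAPE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")
PLAIN_SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def looks_like_ssn(text: str) -> bool:
    m = SSN_SHAPE.match(text)
    if not m:
        return False
    area, group, serial = (int(x) for x in m.groups())
    return area not in (0, 666) and area < 900 and group != 0 and serial != 0


def try_decode_base64(token: str) -> Optional[str]:
    """ASCII plaintext if token is well-formed base64, else None."""
    try:
        return base64.b64decode(token, validate=True).decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def scan_html(html: str) -> List[dict]:
    """Report plaintext SSNs and base64 tokens whose decoded form has SSN
    shape, with the line they sit on.  Encoding hides nothing from a reader of
    the source; only data that is absent from the page, or encrypted with a
    key kept server-side, is actually protected."""
    findings = []
    for lineno, line in enumerate(html.splitlines(), start=1):
        for m in PLAIN_SSN.finditer(line):
            if looks_like_ssn(m.group()):
                findings.append({"line": lineno, "kind": "plain",
                                 "token": m.group(), "decoded": m.group()})
        for m in B64_TOKEN.finditer(line):
            decoded = try_decode_base64(m.group())
            if decoded is not None and looks_like_ssn(decoded):
                findings.append({"line": lineno, "kind": "base64",
                                 "token": m.group(), "decoded": decoded})
    return findings


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed page fragment; every identifier in it is a fake test value.
SAMPLE_HTML = "\n".join([
    '<table id="educators">',
    f'  <tr data-ref="{_b64("123-45-6789")}"><td>J. Doe</td><td>{_b64("certificate:2021")}</td></tr>',
    f'  <tr data-ref="{_b64("456789012")}"><td>A. Roe</td><td>Cole County</td></tr>',
    '  <tr data-ref="none"><td>Plain text leak: 321-54-9876</td></tr>',
    '</table>',
])

if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print(f"line {f['line']}: {f['kind']} token {f['token']!r} -> {f['decoded']}")
```

Run against the real rendered pages (not the templates), since the leak is in what the server emits; a clean scan is still no substitute for keeping the field out of the response altogether.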

Winter October 15, 2021 3:00 AM

@All
“Who knew one can decode the HTML source code?”

It is about the cost of fixing the flaw: $50M
Security is not priceless.

From: Krebs on Security
“In a press conference this morning, Missouri Gov. Mike Parson (R) said fixing the flaw could cost the state $50 million, and vowed his administration would seek to prosecute and investigate the “hackers” and anyone who aided the publication in its “attempt to embarrass the state and sell headlines for their news outlet.””
ht tps://krebsonsecurity.com/2021/10/missouri-governor-vows-to-prosecute-st-louis-post-dispatch-for-reporting-security-vulnerability/

Clive Robinson October 15, 2021 7:23 AM

@ lurker, SpaceLifeForm, ALL,

What is the value of π in Missouri?

“Oh about four and an irrational”

Which could also be said of the Governor.

I guess the price of peanuts is high there, probably the bananas as well.

Clive Robinson October 15, 2021 8:26 AM

@ Winter, ALL,

It is about the cost of fixing the flaw: $50M

Remember,

“Never an honest word passes a politician’s lips, when they are on the make.”

I very much doubt the $50M figure. I doubt the annual budget for the IT unit responsible for this is a fraction of that, and I doubt that fixing this particular bug will take more than a Man-Week.

The question is though, just how many “follow on” security vulnerabilities are involved.

Think of it this way, the SSN’s could be replaced with an encrypted version…

But even though it’s not the SSN any more it would still be a “fixed identifier” unless other work was carried out. So other design problems would quite likely still be there…

That is, the fact that the SSN or any fixed identifier was used in such a cavalier fashion does not inspire any confidence that a similar attitude was not used throughout the rest of the design process.

Which tickles a thought in the back of my mind. Which is,

“Such an organisation that let this through is clearly not even competent at a rudimentary level.”

Thus what would a competent or above person in such an environment feel like?

Which raises a “prickly short hair” feeling,

“What if the system has been designed for revenge?”

That is to embarrass the heck out of the whole organisation… If you are going to encode one “embarrassment” and get it through to deployment, how about two, three or more each more subtle than the others?

What would an incompetent organisation do when facing that?

The logical solution would be to scrap the entire current system and replace it with one designed and built by people that are more competent. Which is not going to be inexpensive but $50M? I think will be unlikely.

Freezing_in_Brazil October 15, 2021 8:47 AM

@ MarkH, Clive Robinson

Very interesting [and enlightening] the history of the Entropy League. I will be following the developments. I believe that the South American you are referring to is the Chilean guy who is part of the founders. 🙂

I like the idea of combining entropy from various sources around the world and ​​broadcasting it via a public entropy broadcasting service [number stations and atomic clocks come to mind]. At the very least, it’s fun to think about it.

Regarding Earthquake, in fact, mentally I did the direct conversion of seismograph peaks into bits. But a more important thought creeps into my head that natural phenomena actually tend to produce sequences that are not random – only chaotic – and therefore deterministic – which makes @Clive’s [rhetorical] question about the nature of random moot [in this discussion]. I even get to think that natural phenomena are good entropy generators only when, in essence, they derive from the four fundamental forces [back to radioactivity…].

(*) I’m just a [somewhat old] Security Padawan. I’m here to learn, so bear with me.

Winter October 15, 2021 9:02 AM

@Clive
“The logical solution would be to scrap the entire current system and replace it with one designed and built by people that are more competent. Which is not going to be inexpensive but $50M? I think will be unlikely.”

I do not think the governor knows what it will cost, and even if he knows, he would tell us.

If the data are indeed in the HTML, then there is no backend database nor backend servers. Which means that, indeed, everything has to be scrapped, an IT department set up with people hired, real-estate leased, hardware must be bought or a cloud service set up, a DBMS contract set up and people hired to enter the data. That is, everything has to be built from scratch, including the very department that will do the work.

I can understand that you think this might indeed cost $50M

Clive Robinson October 15, 2021 10:00 AM

@ Freezing_in_Brazil, ALL,

I’m just a [somewhat old] Security Padawan. I’m here to learn, so bear with me.

If we are lucky we will all get to a venerable age with our mental faculties sufficiently intact that we can “cuss the youngsters” 😉

As for learning, this blog has often discussed things many years ahead of when academia and industry do.

I once worked out the average time was around eight years…

Whilst this might sound impressive, it’s actually a sad reflection on academia and industry.

As a rule of thumb we can not know what the “Level III” entities are up to, but they too “are assumed” to be ahead of the ICT industry by quite some way, though evidence of this is at best scant. What we tend to see is “old wine in new bottles”.

That is the evidence that comes to light is more often than not an old class of attack using a new instance, even though the vulnerability the instance is based on could be two or more decades old in the case of Microsoft Products.

The watch words for our industry really should be,

1, Eternal vigilance.
2, Learn from the past.

On an evidence based viewpoint we are doing very badly on both. However the evidence is shall we say not reliable just indicative. Not because it is not accurate, but because after more than half a century if not more we do not have “measurands” we can use to assess it…

Which begs the question of,

“How much is really going on in front of our eyes we just do not see?”

For example we know that the NSA avoids where possible direct attacks on a target. That is they attack not the targets but points up stream of them.

A couple of things I point out on a regular basis is that,

1, You can not see beyond the next node out of your control.
2, Efficient systems are virtually transparent to time based side channels.
3, Time based side channels can not be removed from connected systems.
4, Air-Gapping is no longer sufficient to isolate secure systems.

So in practice the NSA can get at all your communications traffic one way or another without being visible to you. All they need for connected systems is the traffic to go by and be recorded against a high precision clock. Time based side channels can / will give them the rest.

It’s why I frequently talk about using two systems. One for communications which is used in the “on-line mode” and is regarded as being completely insecure but is effectively the “communications endpoint”. The second which is used for private activities including encryption and decryption and is “energy-gapped”, which is used in the “Off-line” mode, and has the isolated “security endpoint”.

Provided sufficient precautions are taken the second computer might be considered secure.

But an isolated computer is mainly not of use. Which means you need a secure method to “cross the gap”, which is quite complex and can be got wrong.

For instance the general belief is “Data Diodes are one way”; they are often not. Because the designers and users want them to be “reliable” they often incorporate “error correction” (EC); if it is not “Forward Error Correction” (FEC) then the EC generally involves a feedback path that goes back across the isolation barrier, giving a backwards channel that can be used to exploit the supposedly protected systems behind the data diode… Even if there is not a direct path, generating high volumes of network traffic on the output side of the data diode causes the diode to become blocked; this then gets sent back across the barrier to any isolated / protected system, thus providing a signalling path back to them.

If people that are working for Level III agencies are not using or developing such techniques I for one would be very surprised.

Yet you do not hear it being talked about in other places nor do you hear about how to detect if such “obvious” techniques are being used against your site, or what you could do to mitigate them in your system designs…

MarkH October 15, 2021 11:06 AM

@Freezing_in_Brazil:

The key distinction is that the nuclear decays in TRNG sources are completely independent.

Earthquakes most definitely are not!

Clive Robinson October 15, 2021 2:43 PM

@ The usual suspects, ALL,

This might be of interest,

https://research.nccgroup.com/2021/10/15/cracking-random-number-generators-using-machine-learning-part-1-xorshift128/

Note it’s a non-cryptographic xorshift128 PRNG not a TRNG or CS-PRNG. However as our host @Bruce is known to comment these things tend to get better with time.

From the article,

“This blog post proposes an approach to crack Pseudo-Random Number Generators (PRNGs) using machine learning.”

“This blog aims to show how to train a machine learning model that can reach 100% accuracy in generating random numbers without knowing the seed.”

SpaceLifeForm October 15, 2021 5:15 PM

Who knew one can decode the HTML source code?

The Parson HTML story is worse than one may guess.

It’s not a surprise to me, but it is a tip of the iceberg story, and now that there is worldwide coverage, I will add a couple of more points.

Note: Jefferson City, Cole County is the seat of Missouri State government. Also note that these problems were found from South Carolina.

hxtps://www.twitter.com/bitsdigits/status/1448827015319199751

We informed the MO CISO in 2019 of this in Jefferson City face to face. Along with 32 other major flaws.

A few days ago…

hxtps://www.govtech.com/workforce/missouri-ciso-stephen-meyer-leaves-post-for-private-sector

Freezing_in_Brazil October 16, 2021 10:41 AM

@ Clive Robinson

“As for learning, this blog has often discussed things many years ahead of when academia and industry do. I once worked out the average time was around eight years… Whilst this might sound impressive, it’s actually a sad reflection on academia and industry.”

Clive, I live among academics [I’m an engineer and a consultant], and I am delighted with the quality of research in English-speaking countries [what you call sad state I can’t help calling excellence]. I like to try to get ahead too. When I discovered this forum years ago it was like a revelation. I don’t know anything similar in Portuguese in the coverage of security affairs. I’m trying to do my little bit to close this gap through my humble blog [among other things].

Recently, a family member who is doing a master’s degree in the United States [Notre Dame] in the legal area asked the advisor where else he could get subsidies for his research [smart contracts]. The master was quick to say always follow Schneier. He then came to ask me if I knew about Schneier’s blog . 🙂

It’s an honor to be here among you. Thanks for all the fish.

Cheers

SpaceLifeForm October 16, 2021 4:19 PM

@ Freezing_in_Brazil

Likewise.

Whilst we all do not always see things from the same angle, that is fine. It is the discourse that is important.

This is how one learns. Instead of just accepting dogma.

name.withheld.for.obvious.reasons October 16, 2021 10:04 PM

@SpaceLifeForm
Oh don’t be so down on the dogma, it’s delightful when you’re at the park throwing a frisbee or ball. Gotta try catma too, it is a bit smaller and not as playful though but you get used to it after a while. Soon you find yourself watching Faux Noise and trying to find out who stole your predilection.
