Schneier on Security

Clive Robinson • November 26, 2021 5:35 PM

@ Anders,

Supply chain security
IS hard, VERY hard. Our host knows.

Err no “supply chain security” is impossible against a suitably motivated and resourced adversary.

It’s been known since before the “Rainbow Books” and it will continue to remain so unless we have a few very fundemental changes.

In fact at a certain point security of the supply chain be it tangible or intangible goods becomes “probabilistic” in nature.

Or if you prefere as you approach one end of the line your only hope is “security by obscurity” which is practiced in the tangible physical world as standard. But in the intangible information world various Western Governments are seeking to make even that illegal…

Clive Robinson • November 27, 2021 9:48 AM

@ Ismar,

This is significant

Yes FECC’s with Higher Dimension “wormholes” as short cuts to rejecting bad forms of codes, not just errors.

I don’t know if you’ve actually tried reading the pre-print, but it’s almost like stepping into a rabbit hole after a couple of paragraphs after the intro…

I think it’s the first paper I’ve read on what could be a major advancment in the art, where all the refrence papers are less than half my age old… I was a working stiff when ECC’s of the more interesting forms were being put into use… Yup I’m now offically “An old creaky” on my way to “grey-beard” status 😉

For those who do not know anything about “Forward Error Correction –
Codes”(FEC / FECC) beyond having heard maybe of “Hamming Codes”, or “Reed-Solomon Codes” Wikipedia has an OK over view of “Error Correction Codes”(ECC),

https://en.m.wikipedia.org/wiki/Error_correction_code

Clive Robinson • November 27, 2021 6:23 PM

@ SpaceLifeForm,

I’m sure we are related.

You did read,

“Size about 1.5+ inches”

Mind you it does vaguely remind me of an “alien in the Whitehouse”…

I Can’t remember the name of the film I guess it was not important 😉

Clive Robinson • November 28, 2021 2:47 AM

@ Ted,

Are you saying that the energy used to mine cryptocurrency could be better used elsewhere? Or perhaps that the energy intensive proof-of-work mining method should be abandoned?

In short “Yes” to the first, so “Yes” to the second follows by default.

It may not be obvious to all at the moment, but @SpaceLifeform has seen one or two of the indicators as have others here, but we are just about to run into another energy crisis which is due largely to global mismanagement[1] but will probably be blaimed on something else such as COVID.

Luckily the unseasonably good weather has so far held off the sorts of behaviour we saw in Texas not so long back. But what are the consequences of this?

Look at it this way, if we don’t have “global warming” then to maintain the average temprature over a seasonal cycle or longer then we are going to have to “pay back”[2] the excess. The basic questions then are “how?” and “how fast?” with secondary questions about plants and insects. Remember you can not eat numbers etc, and generating crypto-coins is in the real world non-productive work that generates only heat, a lot of it and for what?

The estimates for the electricity burned up in crypto-coin mining rigs is about that of a small to medium sized European country… Ask how much real economic production there is in such a country because that is the real “direct” lost cost of crypto-coins.

But there is another side as I’ve mentioned before the “finance industry” can be viewed in a number of ways. But like any industry it has an “ouput” of some form. The rosey picture they industry wants to present is one of investment and growth… The reality is it creates inflation in large measures, crypto-coins are just another form of crazy mad inflation scheme, to the point that the implementations are steadily becoming clasified as “scams” at best.

Have a look at the history of what are sometimes called “Black Tulip Markets” because that is another way to view crypto-coins.

[1] You could view this energy industry mismanagment as a “Supply Chain” failure, but that is only a small part of the problem. The reality is the mismanagement has caused the entire energy industry to become overly fragile and it lacks any real measure of resiliance. It is in effect living in the “la la land” fantasy of “Rainbows and Unicorns of an endless perfect summer”, whilst in reality it’s autumn has arived without any preparation for winter and those times when you need the resilience of stored resources to get you through… It’s a lack of the old “put by half of what you grow” that sensible grain farmers in times past used to do.

[2] There are various ways you can look at things but we do know that the weather “averages out” across the globe due to the movment of air and water in global spanning “streams”. Simplistically as a first approximation you could say the weather behaves like a rubber band, if you stretch it too far in one direction it will “snap back” in the other. In effect this is in both the seasonal short term and longer term that has given us iceages in the past. The world has in effect “memory” due to “thermal energy” in air water and soil. Look on it acting like a battery it has both charge and discharge cycles and they have to stay in some kind of equilibrium. The only way it can’t is to move the global average temprature in some way. From a survival prospect we don’t want to be living in either type of desert (ie “no rain fall” due to to high or two low temprature). Nor do we want to live through a transition as historic information stored in various places such as tree rings, ice cores, and sedimentary rocks indicate it could be rough to put it politely.

Clive Robinson • November 28, 2021 4:29 AM

@ ALL,

Sometimes you just have to have a laugh otherwise things will just fall off and then where would you be…

https://www.theregister.com/2021/11/26/bofh_2021_episode_21/

Clive Robinson • November 28, 2021 8:21 AM

@ ResearcherZero, ALL,

With regards Australia and “troll legislation” anounced by “Scotty from Morrisons” there are a couple of important points to note,

Firstly and most importabtly §230 is US legislation and much though the US thinks it’s legislation is premier where ever an American places their foot (much as some Muslims believe about Shia law). The rest of the world does not think that way. Up untill recently most of these large Silicon Valley Corps have been getting away with preyending they are “telecoms or posta” delivery services, not publishers. It’s a view I’ve mainly disagreed with because the web is mainly NOT push but pull, which is the publisher model, where as the telephone and postal services are very much “Push not pull”. This differentiation might appear odd till you realise that the end user pull model in most cases requires the platform to have knowledge of the contents of any potential communications prior to the communications, where as a postal or phone network has no knowledge about the communication untill after it has started. Thus “publishers” have time to review prior to communications thus are either complicit or negligent. I suspect the Australian court took this view, as will most other courts in non US juresdictions that are based on English jurisprudence… So all of a sudden the chances are the US is now facing self inflicted “lock out” from all but US territories. I suspect from the number of US News sites that are nolonger available in the UK, that their lawyers have thought for some time that this was likely the case so when GDPR came along they probably “dog piled” all those differences onto the table, and with the “4% on global income” fines of the GDPR decided the risk was not worth it (that “4% of global” has unsurprisingly poped up in other places now Governments have lost corporate taxation, they are going to move to the “fines revenue raising model” I predicted quite a few years ago which you can find on this blog).

Secondly this change falls into the “Know your Customer” legislation that has been foisted onto the Finance industry. In the usual FUD lies of Government anouncments this has been portrayed as to stop major criminals and tax evaders, it won’t we know that, it’s all aimed at “revenue raising from the little guy” by destroying anonymity, the politicians get control of “the message” back from the citizens via the use of guard labour and punitive criminal and civil legislation.

We’ve seen this latter “war on journalists” played out in the UK recently with judges who are clearly politically influenced in England and Scottland saying who they think is or is not a journalist thus alowed any legal protection or to get “Death will us part” style jail sentencing.

Clive Robinson • November 28, 2021 12:34 PM

80% of Ships AIS Disapears around China

As some of you know I keep an eye on what China is upto and their warlike behaviours in the South China Seas.

Although this story appears in multiple places and formats it all appears to have originated from a single non technical source.

One copy is,

https://www.news.com.au/finance/economy/world-economy/thousands-of-ships-off-chinas-coast-vanish/news-story/961af8de2fe8597801afe066d32d1b75

Another,

https://m.youtube.com/watch?v=PaFsW3p9ELA

I suspect that a number of you have heard of Aircraft and the legal requirment for them to use ADS-B, well AIS is the equivalent for ships.

Apparently China has passed a law claiming various nonsense and made it illegal for most AIS info to be forwarded…

Make of it what you will but some have noted that this alows China to cobtinue it’s piratanical and warlike behaviours against other nations around the South China Seas that have in the past involved machine gunning fishing vessels and similar.

Clive Robinson • November 29, 2021 3:05 AM

@ SpaceLifeForm, Ted, ALL,

It may be that Nanobots got into the Quarkcoin servers

Hidden in the ROM no doubt…

I’ve actually been thinking about “NFT” recently. Not as some technology but as an alternate TLA quest…

For instance simple ones that are “suitable for work”[1],

1, Not For Twits
2, Nice For Taking
3, Numpties Fortune Takers
4, Nothing For Treasure

I won’t say the list is endless but so far it’s a lot longer than I expected.

Oh on a related note a “Fun fact of the moment” on Wikipedia’s ConstitutionDAO page,

https://en.m.wikipedia.org/wiki/ConstitutionDAO

The total comment on the “rolling con” is,

“Apart from Ethereum fees”

So that tells you the number of Crypto-Con shills there are editing there… The truth as they say is “a matter of perspective” which could be entierly different[3].

[1] I was kind of surprised when I sat down and realised just how many “Not Suitable For Work”(NSFW) pejoratives[2] there are begining with N or T, to say I was “Shocked, yes shocked, that such copious perfidious calumny existed” 😉

[2] Oh the spell checker on this phone did not know “perjoratives”, it suggested “purgatives” instead which has a whole different meaning, but could be an apt description for the fealing some will get when they realise that NFT’s and Crypto-Coin are,

“California Yachts : “A hole in the water into which you pour money for less than nothing return.”

[3] A recent “California Yacht” and “purgative fealing”[2] event must be the epic –fail– story of ConstitutionDAO. I suspect that the “purgative” feeling may have been felt by those who put real fiat-money into such a hair-brained scheme to find that to get their money back they would have to pay more in fees to the exchanges than the alledged value of the Ethereum Crypto-Cons,

https://www.pymnts.com/cryptocurrency/2021/ethereum-gas-fees-blew-up-40m-crypto-constitution-crowdfunding-project/

But… the story goes on, oh yes it does, as a consolation prize it was rumored that the core team were talking about buying a no hope sports team to throw yet more money after… But are now claiming a lack of a “unifying mission”, so the core team are basically telling people to either fend for themselves with the GAS exchange losses, or… Buy into a new Crypto-Con “long con” of “$PEOPLE tokens”. I think either way you could call that a major win for the exchanges on their “rolling con”…

Clive Robinson • November 29, 2021 9:00 AM

@ Cassandra,

It looks like you and I have similar long memories…

The funny thing is I just happened to have the book “GCHQ” to hand having got it out of the dead tree cave to check something that got posted the other day about events that will be 40years old in just a few weeks.

It feels strange to have someting from so long ago so fresh in my mind…

As I said the other day, I don’t look in the mirror very much, because I look out with the eyes of a twenty something, but in the mirror a sixty something looks back.

It’s a big gap, yet for somethings they are, despite all that has happened in between with near misses in various ways, still very fresh in my mind.

As some say as they raise a glass,

“To absent friends, that stay forever young in our hearts and memories.”

I guess a variation of the excerpt from, “For the Fallen” by Laurence Binyon,

“They shall grow not old, as we that are left grow old.
Age shall not weary them, nor the years condemn.
At the going down of the sun and in the morning, we will remember them.”

It was written more than a century ago, and it’s still worth reading the whole poem,

https://www.poetryfoundation.org/poems/57322/for-the-fallen

Clive Robinson • November 29, 2021 11:13 AM

@ Mr Peed…, ALL,

I am starting to believe that most security is just a theory waiting to be disproved.

It depends on what you mean by “security” and “theory”…

There is more than a fairly large grain of truth to,

“It’s secure in theory, but in practice, not a chance”

For instance take AES in theory and on paper the algorithm is good. In practice however on modern hardware unless special care is taken it leaks data to the network, such that keys can be recovered several router hops upstream.

It’s why I repeatedly say that AES should only be used in “off-line” mode to do encryption or decryption, preferably with a near fully isolated or “Energy Gapped” computer with encrypted files moved through a “mandated choke point” to the computer connected to any communications.

It’s the reason “Secure Messaging Apps” are anything but secure, as I keep pointing out.

As noted,

“Extremists, and extremist-friendly entities, have a noticeable shortage of even-tempered, thoughtful people doing even-tempered, thoughtful work at securing sites and managing personnel.”

Security is without doubt a very thoughtful process requiring high intelligence with a 150+ IQ to be good at “thinking hinky”. But they also need a calm demeanor and ability to focus on immense details for hours at a time. People joke about it “Not being work for Neuro-Typicals” and they may not be wrong.

But it’s not just “far-right groups” with an above normal quotient of knuckle draggers, where this problem exists. Less than one in ten executives understand the basics of ICT, and I gues less than a fifth of those understand even the basics of ICTsec. Many appear to be congenitally incapable of understanding basic OpSec or even risk evaluation.

There is a reason why those alledged US “protestors” are being rounded up one by one, and will end up either pleading guilty or being found guilty. They neither understand technology or basic field craft let alone OpSec. If they are sensible they will “rat out” their leaders who in turn will rat out their leaders untill the actual politically involved behind it are dragged into the light.

So the real question is will the other politicians who again know next to nothing about ICT etc will alow the draging into the light?

Probably not, based on the notion that they might set a president that will turn around and bite them in future times.

Clive Robinson • November 29, 2021 12:16 PM

@ Winter,

The average episode would seriously affect the English Midlands homicide statistics if they were real.

Ouch…

In the US they used to have a set of stores called,

“Bed, Bath and Beyond”

That I once visited in down town Readmond shortly before Xmas one year[1]. It was dull, dull, dull to put it mildly.

That said I often thought that,

“B’edibg, Blood bath and Beyond the Grave”

Could make a nice title for one of those “history channel” programs aimed and pre teens. Kind of a “Horrible Histories” but with bite 😉

[1] A project with “Cingular”(AT&T Wireless) got put forward by surprise, thus I was not going to get time back in the UK to do my planned Xmas shopping for the all important family presents. I was told BBBY did luxury stuff, but I was not impressed, I’d seen better tat in the UK. My son who was young back then however got a bit of a surprise a toy shop was doing an own brand wooden railway which was as far as I could see directly compatable with an expensive UK/European brand… The result he got about 30meters of track, bridges, junctions, and quite a bit of rolling stock very much to his delight which before the end of Xmas day had been built into both the lounge/sitting room and the dining room. All of which we still have in a couple of crates in the loft (he upgraded to Hornby OH). How I got it through UK customs is still a bit of surprise to me but the officer who looked like he could be a dad himself smiled with a twinkle in his eye and said it would need a big xmass tree to go under.

Clive Robinson • November 29, 2021 2:31 PM

@ 6449-225, winter,

Urgent note from the Department of Pedantic Insistence

It depends…

The original UK “MidSomer Murders” goes back to 1997,

https://en.wikipedia.org/wiki/Midsomer_Murders

However, in 2007 there was Most Haunted sub series “Midsummer Murders”,

https://simple.m.wikipedia.org/wiki/Most_Haunted

So yup confusing or what, enough to get a certain young lady stamping her foot and thretannning to “Scream and scream untill I’m sick” 😉

Clive Robinson • November 30, 2021 4:52 AM

@ SpaceLifeForm, lurker, MarkH, ALL,

Seems fishy down under

Not so much fishy, more the sharks are circling…

As some are slowly begining to realise, behind every barrel of “Chum Downunder” you will find a Murdoch wallowing.

In short this is more “News International” protectionism from “scotty in marketing”. As a “formally recognised” publisher Rupert “the bear faced lier” Murdoch will gain significant protection for all his various organs not just the ones down under.

Whilst those “not formally recognised” as a publisher or journalist will like Graig Murray and Juilian Assange be legaly persecuted into silence, prison, or both. And as some hope bankruptcy and an early death in captivity just to keep things tidy.

This is the way the politicians are trying to get back to the cosy pre internet days where “Press Barrons” were “King Makers” and also “polished the turd” that most politicos are by making them look “moral, upstanding men of probity” by simply not publishing about the disgusting, imoral, illegal, and worse things politicians get upto in their “power crazed” not so private lives.

Clive Robinson • November 30, 2021 9:17 PM

@ SpaceLifeForm, Ted,

Sadly Neil Arundale[1] is “silent key”, but his work still remains,

https://arundaleais.github.io/docs/ais/sp_map.html

https://help.marinetraffic.com/hc/en-us/articles/204666828-NMEA-Router

His website,

‎https://www.arundale.co.uk/

Appears to be nolonger responding.

[1] He was a licenced UK Amateur Radio Operator, Callsign : M1CHS

[2] He also designed a 162Mhz high gain omnidirectional colinear array antenna for VHF AIS receivers and software you could use with an AIS receiver that has NEMA (serial port) output so you could find the place the antenna gave the best signals.

https://arundaleais.github.io/docs/ais/aerial.html

Clive Robinson • December 1, 2021 4:59 AM

@ Ted,

… you say amateur radio operator…

In the UK “Amateur Radio”[1] is the officially approved and frequently used term, the same is true for many other places. The use of “Amateur” back many moons ago ment what it still does in sport, that is “You are not paid for your endevours” unlike a “professional” where “you are paid for your endevours”. It had no connotation about your ability to do constructive work in the field of endevor.

Unfortunately as we have seen with the terms “Hacker” and “Crypto” certain people change the original meaning of the words for their own benifit.

As I’ve previously pointed out English is a lazy language, as such it has a single word for any given meaning or definition, though a single word can have two or more context related meanings (minute being but one). So if you have two words that appear to have the same meaning by definition then very probably you have the definition wrong or incompleate.

You can see that with “Hacker” which had connotations of both skill and the fact that the endevor was “Helpful”. Whilst “Cracker” had no conotation as to skill level, but did to the fact the endevor was seen as “Criminal”. So a “script kiddy” who was just acting as an automata runing other peoples scripts was not in the slightest bit a helpful “Hacker” but is now almost definately a criminal “Cracker”. The “script” would have been produced by a “programmer” and the kiddy was just a “user” (a term that also has negative conitations in another context).

So “crypto” is derived from a non English word that means to “hide”. So does it’s use in crypto-coin mean there is something “hidden”, I think you know my view on that 😉

Finally a little bit of history worth knowing which tells you about peoples intentions and pretentions. Meat in the farm yard or on the table have diferent names, pig = pork, cow = beef etc. Why the English word used in the farm yard, and the French derived word on the table? Simple it goes back to the Normans who wanted to differentiate themselves from others for establishing “status” in all parts of life, in short they went to a lot of trouble to be pointlessly superior something they failed to do by interbreading thus bringing genetic disease to their descendents, hemophilia and pyforia being just two “Royal diseases” the latter causing madness and paranoia, which when you consider it explains quite a lot.

So English was the language “of the people”, whilst French the language of the Norman’s thus “of the court” and latin “of the cloister”. All of which derives from “The King Game” that gave rise to “the estates of man”. And also why we have so many abused latin expressions in the practice of law and medicine, both of which were once was carried out by the church. Which is the probable reason for the word “Profession” ie to “Profess to God” etc. It’s certainly true that in Medieval times there were only three Professions, devinity, law, and medicine, all of which were along with their teaching strictly the province of the church untill well into the Victorian era, when “Natural Philosopy” became “science” with the implication that “Men of Science” were atleast of the rank of Esquire or higher in Court Ranking.

[1] In the US the official term is still “Amateur Radio”, but the frequently used term is “Ham Radio”. The word “Ham” has had negative connotations for a long time as in “Ham Actor”. It is thought that it originated in the mid 1800’s with the term “Hamfatter” refering to the use of pork grease as a lubricant to remove certain types of cheap stage makeup. However the term “hamfat” was also used with regards people who had been involuntarily brought from Africa or their American born descendents. As such either way it was used in a derogatory sense.

Clive Robinson • December 1, 2021 5:16 AM

@ SpaceLifeForm, Ted, ALL,

The only reason I know this is because I was in the right place, at the right time, looking in the right direction, and caught the Signals

Demonstrating the three most important factors of what is required with “intelligence gathering”,

1, Time
2, Location
3, Observation

It’s why “boots on the ground” are more discriminating than “birds in the air”, something that many get confused about.

In part because of the military maxim about “high ground” it can enable you to see further, thus earlier. But it has a down side it makes you more visable in a very predictable way.

Back in the early days of recognizance satellites the Russias used to send out “orbit pass” information to commanders such that they could time their activities to be “out of sight” to US “birds in the air”.

Clive Robinson • December 1, 2021 5:27 PM

@ Ted, lurker, ALL,

I still have to try to figure out what a CSPRNG subsystem is, and if this is really a viable solution. Do you know anything about this?

I have no clue as to who first thought the idea for a “Cryptographically Secure Pseudo Random Number Generator”(CS-PRNG) up was but many many people including myself have thought it up independently.

In essence it is a “stream generator” where you omit the mixer function with plain text and just output the stream instead.

As you might or might not know any base cryptographic algorithm thsy is not a stream cipher already, is trivially converted into a stream cipher.

So take a block cipher like AES, you drive it’s plaintext input from a determanistic system such as a counter snd you use the ciphertext output as your PRNG value. You have two secret values, the block cipher “Encryption Key”(Ek) and the “Initialisation Vector”(IV) you load into the counter as the start value.

You just “clock the counter” and you get a new value out of the block cipher every time. Officialy you have used the block cipher AES in counter(CRT) mode so it gets called AES-CRT. You can use AES in other modes such as by using a latch to provide a “feed-back mode” such as “Cipher FeedBack”(CFB) Mode. The possibilities are large. But at the end of the day they all can be modeled as a counter followed by a mapping function.

Now I won’t go through them all but there is a big long list of things “NOT TO DO” with stream ciphers. Perhaps the biggest “No No” is,

1, “Key Material”(KeyMat) reuse.

The big problem with “embedded systems” is that KeyMat reuse is guarenteed unless you take specific precautions to stop it.

Worse the precautions have to be such that not only must the KeyMat and IV be unique to each device there are further constraints one of which is,

2, The selection has to be non predictable.

That is you can not use the device serial number either as it is or encrypted in some way.

But there is a further constraint,

3, The stream has to evolve during use.

That is the stream output has to become entirely unpredictable both in the forwards and backwards direction. This requires a source of “True Random Number Generation”(TRNG) that also,

4, Evolves over a long time period.

This is so the internal state can not be forced or guessed. Generally this is done by the use of an “entropy pool” into which the TRNG output is mixed. But there is a problem, which is what happens when somebody kicks the power lead out of the wall, or there is a “brown out” or worse “black out”? Unless precautions are taken then an embedded system will simply drop back to a previous state and just give the same output again ie Stream Reuse happens. So to stop this,

5, Internal state should be preserved across reset and powerup.

The list goes on but by now you should realise that this means very fundemental design issues in the hardware, firmware, and other software etc.

But other problem are,

6, What do you do when the TRNG stops working correctly?

But more importantly,

7, How do you know the TRNG is working correctly?

So lots of things to consider and in away the above are the easy ones.

There are fun issues such as “short cycles”. When you use the likes of Cipher FeedBack modes you can get a state where the output goes into an “endless loop” of just a few values, so you get stream reuse… The question is,

8, How do you know when the output is in a short cycle loop?

When you think about it you quickly realise that beyond very very very short cycles you can not easily check…

Clive Robinson • December 1, 2021 11:14 PM

@ Ted,

I mean I even had to look up why this xkcd comic on random numbers was funny. And I’m still not sure if I get it. 🙂

Like many XKCD quips it is funny on so many levels it’s almost as though you can read anything into them.

For instance 221 is when you look on it a sad commentary on life. That is the comment shows that,

1, The specification has been read.
2, The programmer has gone and looked the requirment up.
3, The programmer has forefilled the requirment as they have read it.
4, The programer is satisfied they have done what the specification asks for.

And in all that intellectual processing of gathering of information working through it carrying out a requirment analysis by both thought and deed, has in fact totally failed to grasp the point…

So in just one line of code and a comment, has encapsulated one of the biggest failings of the entire software industry.

In the second volume of his epic work Donald Knuth says,

‘People who think about this topic almost invariably get into philosophical discussions about what the word “random” means. In a sense, there is no such thing as a random number; for example, is 2 a random number? Rather, we speak of a sequence of independent random numbers with a specified distribution, and this means loosely that each number was obtained merely by chance, having nothing to do with other numbers of the sequence, and that each number has a specified probability of falling in any given range of values.’

What ever you do, do not try and read the third sentance out loud, unless you have athletic prowess you will probably turn blue 😉

He then goes on to say that with a long string of digits you would expext say 9 to occure 1/10th of the time etc. In effect concluding this with,

‘Any specified sequence of a million digits is equally as probable as the sequence consisting of a million zeros. Thus, if we are choosing a million digits at random and if the first 999,999 of them happen to come out to be zero, the chance that the final digit is zero is still exactly 1/10, in a truely random situation. These statements seem paradoxical to many people, but there is realy no contradiction involved.’

Now having upped your “Zen level” a little by reading that consider that program code again from the “Chinese Room” perspective of being the person outside the door observing those million pieces of paper all with a zero drawn on them.

As an observer outside the door, and not privy to what is going on in the room, what would you conclude, –long long before you got to the millionth piece of paper– was going on inside the room?

The fact that you can not know, but only draw a conclusion based on what you have seen is the essence of the subject.

So our unknown programmer concluding what they did thus, wrote the code they did, is in a sense understandable. The fact it is totaly the wrong conclusion to come to is neither here nor there, because “It passes the test”…

Remember this when you start looking at Die Hard / Die Harder and the various standards organisations tests for randomness. They are in fact not tests for randomness at all, they are actually tests for statistical correlations, that is “a beat in the chaos of cacophony” that is the sound track to every thing. The tests only tell you they have failed to detect correlations, not that your generator is “truely random”. In all probability it is nothing of the sort.

Ironically what we usually want as “good randomness” can only be produced by a “fully deterministic process” of high complexity in it’s output.

In fact if we take two of the purest signals we can have –that is two non harnonically related sinewaves with no harmonic content– and mix them together we end up with two more pure sinewaves. These waves when added together make a complex pattern, if you digitize it what you end up with looks to most people to be totaly random. And will for a short run of output pass those statistical tests…

There is nothing random or chaotic in that output, in fact if you integrate it in a lossy integrator or low pass filter you get a very pure sinewave at the difference frequency of the two original sinewaves. Which is exactly what the maths you were taught in high school will tell you to expect. It’s also what any RF Engineer would tell you to expect.

Yet many “on chip” alledgedly “True Random Generators” are in fact exactly that. That is they are “ring oscillators” that are effectively mixed in a D-Type latch.

Because the the output has such low entropy the chip designers hide this by putting a cryptographic function such as a “hash function” after it.

So… The reason those tests can not detect correlations in the output of those On Chip TRNG circuits is not because there are no correlations. There very assuredly are, but because they have been “encrypted” by a strong cryptographic algorithm they are hiden beyond what the tests can see.

That is such On Chip TRNGs are not realy any different to AES in CTR mode. Only the counter rather than producing a sawtooth waveform when graphed out, instead produces a very pure sinewave…

As they say “Food for thought”.

Clive Robinson • December 2, 2021 12:44 AM

@ SpaceLifeForm,

Consider a cloud of data that is NEVER AT REST.

To some it is a strange notion but to others who work close to the wire it’s just a consequence of the way things work, like the loose change you carry around in your pocket.

Which is what got me thinking in the early 90’s, “information has value” so “What is the value of information in transit?”

To understand this you need to understand the notion of “Seigniorage” from the French “right of the lord”. Wikipedia says of it,

“Seigniorage can be a convenient source of revenue for a government. By providing the government with increased purchasing power at the expense of public purchasing power, it imposes what is metaphorically known as an inflation tax on the public.”

Another way to look at it is that,

“The money in your pocket has to earn interest, but it accrues to the issuer of the currancy not the holder.”

So if information has value, when it is in transit it is like your pocket change[1], it is earning interest but not for you.

But who is it earning value for?

Well take a look at Google when you analyze it it earns value only on information in transit, not on stored information. More importabtly the more Google keeps information in transit the more value it earns.

The same is true for all the big Silicon Valley Information Corporations. Their “income” is as a direct result of “devaluing your information”.

It’s the question that sparked my thinking on truly decentralized databases that are highly parallel, but importantly incomplete as individual entities or nodes.

Therefore the database exists in the network by data in transit. As Alphabet/Google and others have proved such data can have imense value.

Interestingly though, whilst,

“What is the value of information in transit?”

Was going to be “the question” underlying the PhD I wanted to do, but academia was not ready to get to grips with it in the 1990’s. Nor were they even remotely close to wanting to get to grips with the whole notion of databases that were not just distributed but by definition incompleate at any node. The idea of having to apply special relativity to information that only existed if the fields defined by Maxwell’s equations and Poynting vectors around the wire “was beyond their comfort zone”.

But guess what getting on for a third of a century later, academia is still showing next to no signs of wanting to get to grips with just the notion that information can exist as a shadow on the wire and not anywhere else… let alone the idea it can have real value, as Google and Co have demonstrated.

[1] The thing is pocket change, is mostly “never at rest” and actualky has “real” not “fiscal” value. For instance in the UK, though now rare there are still “decimal pennies” in circulation and use, that were issued in the 1970s. Their “real” scrap metal value is around six times their “fiscal” face value because of the copper content etc… Obviously the English Royal Mint –not the bank of England– situated in Wales wants these pennies back so they can extract the real value.

Clive Robinson • December 2, 2021 10:52 AM

@ Ted,

Hmm are you slipping lines from songs in your posts 😉

Clive Robinson • December 2, 2021 10:59 AM

@ Ted, Winter, 6449-225, ALL,

Re: Wankel engines

I hear they are good for round trips 0:)

On a more serious note, you can not just drop them into existing vehicular “power trains” as they have different characteristics to the conventional “Infernal Combustion” engine.

Clive Robinson • December 3, 2021 3:40 PM

@ JonKnowsNothing,

Some more O-heck news out of SA.

There has been a paper published based on observation of about 36000 people who have so far got a replay with O-heck…

In SA they have found if you had a primary infection and you are unjabbed your risk of getting Delta was 0.71 but with O-heck it appears to be 2.4… Yup that is high.

No figures yet on those that have been jabbed and their risk.

Some think that O-heck is going to become dominant around the globe which might actually be good news in some senses. Apparently those who are fully jabed and get it as a break through are not seriously effected.

That said I hear the O-heck has been discovered down in your neck of the woods.

Clive Robinson • December 4, 2021 6:46 AM

@ JonKnowsNothing, ALL,

Can you imagine a Cuban vaccine being provide inside the USA?

How about a British one?

It’s clear that the FDA was not going to aprove it for shall we say “political” reasons. The FDA “revolving door” with Big Phama kind of got highlighted, then there was the Pig Phama attacks via Rupert Murdoch’s news organs…

But how about a Chinese vaccine?

One of the issues with mRNA that is comming out is just how very specific it is, and that’s dangerous.

Old fashioned vaccones were made by brewing up the pathogen in large chemical kettles not unlike those used by the Whisky manufacturers. Then the virus would be inactivated and the result injected into people.

The thing is that old way alows the bodies immune system to see the whole of the virus not just one highly specific part of it.

The result is a vaccine that has broad applicability to many varients even though it is not as effective against a specific varient.

So mRNA is great against one or two specific varients, but rapidly drops off in the face of others, as we are seeing. So as long as a virus does not mutate mRNA would be your choice.

But we knew that viruses mutate at quite a high rate as it’s proportional to the number of people infected.

The older style brewed up and inactivated virus vaccines will keep working as the virus mutates, thus alowing the job of catchup to work.

With mRNA there is the very real probability catchup will never work, because the virus will “mutate on”.

If you were a suspicious person, you would think that political behaviour rather than political words is based on turning South America and much of Africa into a human disease reservoir for SARS-CoV-2 and regular vaccine avoidant mutations.

The fact that Big Phama and one or two other very wealthy organisations are going to get not just wealthier but more politically powerfull is one thing that keeps comming up which is claimed as being paranoid conspiracy theories…

But the Chinese have Sinovac,

https://www.who.int/news-room/feature-stories/detail/the-sinovac-covid-19-vaccine-what-you-need-to-know

Which is very “old school” using a well known and well understood system. Where the process is well known and has a well known well established safety profile and does not have much in the way of supply chain issues.

It will be interesting to see how it fairs against O-Hec and other VoC’s that are getting out from under the mRNA “pencil skirt”.

Not that you or I will be alowed anywhere near it…