Friday Squid Blogging: Deep-Dwelling Squid

We have discovered a squid — (Oegopsida, Magnapinnidae, Magnapinna sp.) — that lives at 6,000 meters deep.

:They’re really weird,” says Vecchione. “They drift along with their arms spread out and these really long, skinny, spaghetti-like extensions dangling down underneath them.” Microscopic suckers on those filaments enable the squid to capture their prey.

But the squid that Jamieson and Vecchione saw in the footage captured 6,212 meters below the ocean’s surface is a small one. They estimate that its mantle measured 10 centimeters long — ­about a third the size of the largest-known magnapinnid. And the characteristically long extensions observed on other magnapinnids were nowhere to be seen in the video. That could mean, says Vecchione, that this bigfin squid was a juvenile.

Research paper.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Read my blog posting guidelines here.

Posted on December 31, 2021 at 4:03 PM142 Comments

Comments

ResearcherZero January 1, 2022 2:48 AM

According to a count by the historian Peter Galison, the United States has compiled enough secret documents in the past 80 years to overflow every library in the world. The government, as far as we know, regularly issues some three times as many classified records as unclassified ones, and it now spends roughly $20 billion a year just on classifications. These secrets have not always made its citizens more secure. Even a peek at a classified document from the advent of the modern security regime, during the early Cold War, is enough to reveal the folly.

codes, misinformation, background checks, clearances, misdirection, wire taps, isolation, guards, fences, censorship of the press, “need to know” policies, and oaths

“These tensions, between the ideals of science and secrecy on the one hand, and of desires for openness and security on the other, are what make the history of nuclear secrecy in the United States unpredictable, surprising, and, at times, bizarre.”

“What makes secrecy feel different is its intentionality: the information I may want is actually knowable and may even be known, but just not by me, at least right now.” He could have submitted to a security clearance to be in the know, but he elected not to. “This no doubt leaves many additional gaps in the story, but it also allows me to share what I have found with impunity.” – Alex Wellerstein

Secrecy also had one by-product that the military appreciated — terror.

General Groves was so proud of his secrecy regime during the war that military intelligence reprimanded him for boasting of it afterward, fearing he might draw further attention to the nation’s guile. Groves did not yet know the extent of espionage during the war, so he believed that his strict regime was critical to the project’s success and should remain in place.

More than 70 years ago, physicists gave humans the means, if not the motivation, to slaughter all life on earth. That we have not done so yet is hardly the triumph of secrecy. Wellerstein even concludes that “the value of ‘secrets’ appears overblown.” Most security experts have reached the same conclusion. For the latest threats to humanity, cyberweapons, “researchers do not believe secrecy is an effective countermeasure, and tend to prefer radical openness, because these informational ‘weapons’ can in fact be countered by other informational countermeasures.”

In 2010, in the interests of openness and national security, the Department of Defense finally released the information that it had denied to congressmen 60 years earlier. The number of warheads in the nuclear stockpile was a little more than 5,000. Few noticed and fewer cared.
https://lareviewofbooks.org/article/taking-it-to-the-grave-secrets-sins-and-nuclear-insecurity/

ResearcherZero January 1, 2022 3:17 AM

45 million healthcare records have been exposed or stolen in breaches reported in 2021
https://www.hipaajournal.com/largest-healthcare-data-breaches-of-2021/

Rhode Island Public Transit Authority (RIPTA) data breach exposes UnitedHealthcare information.

“the breach was identified on August 5th, but it was purportedly not until October 28th — over two and a half months later — that RIPTA identified the individuals whose private information had been hacked, and it then took almost two more months to notify those individuals,”

Rep. Edith Ajello told The Providence Journal that her information was involved in the breach despite her never having been on a RIPTA bus in “almost a decade.”

Ajello explained that when she pressed RIPTA to explain why her information was involved, she was told that UnitedHealthcare sent RIPTA “all state employees’ health claims.” This allegedly forced the agency to effectively sort through the entire batch to figure out which claims were from RIPTA employees.

The Attorney General will now investigate whether RIPTA violated Rhode Island’s Identity Theft Protection Act of 2015, which gives government agencies 45 days to report a breach. It took RIPTA more than two months to notify victims.
https://www.zdnet.com/article/rhode-island-attorney-general-opening-investigation-into-transit-authority-after-data-breach/

Gerard van Vooren January 1, 2022 1:34 PM

Now it’s “official”, Omicron is less dangerous, according to Dr. John Campbell.

New science explains South Africa’s low rates of omicron severe disease

SARS-CoV-2 spike T cell responses induced upon vaccination or infection remain robust against Omicron

https://www.youtube.com/watch?v=8EDBJBmlvXY

name.withheld.for.obvious.reasons January 1, 2022 2:08 PM

@ ResearcherZero
It is the operational tempo surrounding nuclear weapons and systems that is a fulcrum all its own. Between the need to launch, system survivability, targeting, yields, and strategic response and counter-response when one or more states engage in nuclear warfare, it is obvious the long chain of operations elevates risk. Worked with Carl Page, yes brother of Larry, back in the 90’s on the risks of weapon systems beyond the operational level. At the time he was at Microsoft and held the title Evangelist. Scared the crap out me…what does that even mean? Cyber-weapons systems bring their own set of political, strategic, and operational baloney and what in practices versus what is statutorily permissible shouldn’t be two different things, but it is. Lots of EO and PPD’s that challenge constitutional law–it is worrying to say the least.

Clive Robinson January 1, 2022 3:30 PM

@ name.withheld…, ResearcherZero,

Cyber-weapons systems bring their own set of political, strategic, and operational baloney and what in practices versus what is statutorily permissible shouldn’t be two different things, but it is.

It’s actually worse, it’s not just “two different things”…

You would be very very hard pushed to find any relationship between what is done lawfully and what is done behind the name of the law are so far apart we are not talking different planets but solar systems.

It’s got to the point where I wonder a number of things when “cyber goes to court”,

Firstly, has an actual “real” crime been committed? Or is it just an invented crime due to legislation so broad in scope that it is a joke (compare and contrast “protest in person” and any kind of “cyber protest”).

Secondly, where has alleged evidence come from? If you have a piece of paper in a simple folder on your desk, then legally it is out of sight, and requires judicial permission to be seen. In many parts of the US anything on an electronic device is considered to be in “plain sight” even if the device is powered down.

Thirdly, when an approach is made to get judicial permission, where did the “probable evidence” come from and of what quality is it? There has been a case where an image of a very well known actress fully clothed in her thirties used as a desktop background has been claimed to be evidence of child abuse images…

Forthly, evidence supplied by “interagency co-operation” was it legaly obtained? I’ve seen two cases where falsified evidence has been supplied and used in UK Courts without checking or challenge. The first was French Police, claiming a person who had never lived in France had multiple bank accounts in several French Banks, there were no such accounts. The second more famous was the FBI faking up an image of a pornography payment gateway in the US, to get child abuse prosecutions.

Fifthly, is it evidence obtained based on illegal surveillance, sometimes called “Parallel Construction”. When you get those “lucky pull” claims in court, where supposadly somebody was driving eratically or some such and when stopped it just so happened to be a K9 officer doing the pull, and his dog went bananas and a big stash of cash / weapons / drugs etc etc were found…

There is more on the list but you get the point. Many of the evidence laws and rules are there as protective measures. In the UK the “Special Branch” of the UK Met Police, were found repeatedly to be “fitting up” people it got so embarrassing that they were disolved in name… But were there any criminal prosecutions of those who did it, none that I remember but there were several “Retired on full Pension” etc.

The thing is law enforcment who go down these lets call them questionable routes, claim various things when caught. All of the reasons are actually lies, the law enforcment officers who were caught all did it for two basic reasons,

1, Cognitive bias.
2, Pay/Promotion.

Generally the second gives rise to the first.

Nobody in either “oversight” or “control” of Law Enforcment Agencies want to admit these problems are actually endemic. So they make no real attempt to clean things up, if anything their behaviours are such they actually encorage Law Enforcment Officers to travel these routes as there is no expectation of punishment. Infact some figures suggest the officers gettong caught in effect get rewarded…

ResearcherZero January 2, 2022 12:27 AM

@Clive, name.withheld…

Australia has none of the inconvenient protections such as a Bill of Rights, and is merely a signatory to Universal Declaration of Human Rights. Any protections come down to what ever may take place in a court of law, if it takes place at all, and how generous the government is feeling at the time.

There are protections that can be bestowed upon people if they are deemed ‘protected persons’, which means basically the government gets to decide what happens to a protected person, subject to ‘after the fact’ the court of public opinion. Basically if a ‘protected person’ is shot, or dies in custody, there may or may not be a public outcry.

Australia is not China, we do have elections, and depending on a persons status or class they will receive much better treatment generally than a those of a much lower status or class.
Except for surveillance, everyone has the equal right to surveillance, and politically exposed persons who are naughty will definitely get extra attention, along with anyone else who might engage in unlawful activity.

…and as of this year there are some very powerful surveillance laws in Australia with very little bothersome oversight.

In 2014, the state-backed newspaper China Daily said more than 2 million people were working as public opinion analysts. In 2018, the People’s Daily, another official organ, said the government’s online opinion analysis industry was worth “tens of billions of yuan,” equivalent to billions of dollars, and was growing at a rate of 50 percent a year.

That surveillance network system is expanding to include foreign social media at a time when global perceptions of Beijing are at their lowest in recent history.

The invitation to tender lays out specifications for a program that mines Twitter, Facebook and YouTube for data on “well known Western media journalists” and other “key personnel from political, business and media circles.”

“We are competing with the US and Western media, the battle for the right to speak has begun,” it said.

The software should run 24 hours a day, according to the specifications, and map the relationships between target personnel and uncover “factions” between personnel, measuring their “China tendencies” and building an alarm system that automatically flags “false statements and reports on China.”

The vast data collection and monitoring efforts give officials insight into public opinion, a challenge in a country that does not hold public elections or permit independent media.

The services also provide increasingly technical surveillance for China’s censorship apparatus. And most systems include alarm functions designed to alert officials and police to negative content in real time.

These operations are an important function of what Beijing calls “public opinion guidance work” — a policy of molding public sentiment in favor of the government through targeted propaganda and censorship.

The documents, publicly accessible through domestic government bidding platforms, also show that agencies including state media, propaganda departments, police, military and cyber regulators are purchasing new or more sophisticated systems to gather data.

These include a $320,000 Chinese state media software program that mines Twitter and Facebook to create a database of foreign journalists and academics; a $216,000 Beijing police intelligence program that analyzes Western chatter on Hong Kong and Taiwan; and a cybercenter in Xinjiang, home to most of China’s Uyghur population, that catalogues the mainly Muslim minority group’s language content abroad.

In an April 2020 article, the chief analyst at the People’s Daily Online Public Opinion Data Center, Liao Canliang, laid out the ultimate goal of public opinion analysis.

“The ultimate purpose of analysis and prediction is to guide and intervene in public opinion,” Canliang wrote. “… Public data from social network users can be used to analyze the characteristics and preferences of users, and then guide them in a targeted manner.”

In the article, Liao points to Cambridge Analytica’s impact on the 2016 U.S. election as evidence of social media’s ability to mold public opinion.

“The West uses big data to analyze, research and judge public opinion to influence political activities. … As long as there is a correct grasp on the situation, public opinion can also be guided and interfered with,” he wrote.
https://www.washingtonpost.com/national-security/china-harvests-masses-of-data-on-western-targets-documents-show/2021/12/31/3981ce9c-538e-11ec-8927-c396fa861a71_story.html

Winter January 2, 2022 4:25 AM

@Gerard
“Now it’s “official”, Omicron is less dangerous, according to Dr. John Campbell.”

Not yet official, but the numbers strongly point in that direction. Infections are very high, but actual disease is relatively low (30+% less).

A smaller fraction of a larger number of infections means we still do not know what will happen to the number of people ending up in hospitals.

Gerard van Vooren January 2, 2022 6:34 AM

@ Winter,

Me: “Now it’s “official”, Omicron is less dangerous, according to Dr. John Campbell.”

You: Not yet official, but the numbers strongly point in that direction. Infections are very high, but actual disease is relatively low (30+% less).

Yes, you are right, that is why I put the word official between quotes. The document still needs a review.

You: A smaller fraction of a larger number of infections means we still do not know what will happen to the number of people ending up in hospitals.

My guess is that the numbers of the PCR is going up and inside the hospital down. That is what this report tells us.

null clam January 2, 2022 8:46 AM

Big data and statistics don’t free science from the search for causes.

David J. Hand. Dark Data. Princeton University Press, 2022.

From the author interview at PUP https://press.princeton.edu/ideas/david-hand-on-dark-data

“Dark data are important because, if the data actually available in your database, stored in your computer, written in your notebooks, or posted in your spreadsheet are only partial and hide important information, then your analysis is likely to mislead.

There is a myth that small amounts of missing data are not a problem. In the world of “big data”, so goes the claim, the vast masses of data which now readily accumulate will dilute away any errors or mistakes arising from small missing amounts. But this is wrong …

I think it was a growing awareness of how issues of poor data quality impacted the conclusions people were drawing, even from highly sophisticated (and valid) analyses. As I worked in different areas, so I saw the same dark data problems arising – in medical research, in consumer credit, in manufacturing, in financial trading, and so on. Everywhere in fact. The bottom line is that, no matter how clever you are, and no matter how advanced the statistical models and algorithms you use, if you are ignorant of distortions in your data then your conclusions are likely to be wrong.”

Maybe the reflections in the book will help to understand and remedy the “replication crisis”, which affects even RCTs. See for example J. Lehrer, The Truth Wears Off, https://www.newyorker.com/magazine/2010/12/13/the-truth-wears-off

Winter January 2, 2022 9:29 AM

@null
“In the world of “big data”, so goes the claim, the vast masses of data which now readily accumulate will dilute away any errors or mistakes arising from small missing amounts. But this is wrong …”

The underlying assumption is that the missing data is unbiased or “not very” biased. This is never true. The missing data is always strongly biased.

Hence, almost all Big Data applications are strongly biased in their outcomes.

Clive Robinson January 2, 2022 9:34 AM

@ null clam,

Re what David Hand is calling “dark data”, if you sit and think on it for a moment you will understand why you get less out than you put into a database (structured collection of data).

Each entry represents a point in one or more dimensions. Either unique or as a part of a collection of points.

All that exists between the points can not be “pulled out of thin air”.

Therefor at best a database is an integrating function, or if you prefere a low pass filter function that removes higher order data.

But it gets worse, many databases are structured to meet the needs of queries efficiently. In making the data forefill such needs only a limited number of relationships get preserved… So other perhaps more important relationships are effectively removed.

The more we process data the more specific answers we can get up to a poiny. But the less use the data becomes in a general sense.

We realy should realise this from the get go, after all the equations have been used in information theory and signal processing for half a century or more… but for some reason we apparently intuitively think otherwise.

There are reasons why the real “collect it all” folk use such very high precision, but even they know that with data on networks “time cones” and “relativity” have to be allowed for.

Ted January 2, 2022 10:20 AM

@null clam, ALL

Re: Dark Data book by David Hand

Interesting research. I just saw his book has a related website. There he has a blog post on Covid-19 and dark data.

https://darkdata.website/2020/03/covid-19-and-dark-data/

One thing which is fundamental to science is that it is evidence-based and if the evidence, the data, changes (that is, more, hitherto dark, data become visible), then the scientific models and conclusions, as well as decisions and actions based on them, can change.

Also, here’s a tweet from Imperial College London where he is a Emeritus Professor of Mathematics and a Senior Research Investigator.

https://twitter.com/imperialcollege/status/1227880202413449216

Ted January 2, 2022 10:48 AM

@JG4

And until we get AI for code verification, people should not be afraid to employ available heuristics.

Ethereum + smart contracts + tokens = 🤡

Winter January 2, 2022 12:12 PM

@Clive
“you will understand why you get less out than you put into a database (structured collection of data).”

Not quite. Big Data does not have to be a SQL database. AI/ML works perfectly well with unstructured data. You can build good speech and vision recognizers using just annotated speech and images/photographs. And the annotations do not have to be complete. Remarkable things have been achieved with unstructured data and machine learning.

As another example, I always found Amazon book suggestions quite good. I won’t buy things there anymore out of principle, but their suggestions used to be good.

Loyal reader January 2, 2022 12:25 PM

The web site for Schedulefly is reported to be down as a result of a ransomware attack. The company does scheduling software for businesses including restaurants. Going to their site redirects users to a different URL with info about the attack. https://sflive.schedulefly.com/
Note the name schedulefly has another L in it at the end of the first update.

Winter January 2, 2022 12:40 PM

@Ted
“And until we get AI for code verification, people should not be afraid to employ available heuristics.”

AI for code verification is the worst possible use case.

AI fails catastrophically [1]. The (in)famous halting problem[2] shows you cannot determine unequivocally whether a program is bug free. The combination guarantees that any such code verification AI can be gamed for sure.

[1] AI learns to distinguish poisonous and edible berries: Red – Poisson, Blue: Edible. What will be the answer when presented with a Yellow berry? Don’t know is a indeterminate category that AIs have not yet mastered.

[2] ht-tps://link.springer.com/article/10.1007/s10699-019-09611-w
PDF: (handle with care)
ht-tps://kuscholarworks.ku.edu/bitstream/handle/1808/29420/Symons_Horner_2019_SoftwareVerification.pdf

SeattleSipper January 2, 2022 12:46 PM

A long-standing bug in the Microsoft Exchange email server software leads to increased vulnerabilities elsewhere.

It turns out that a poorly chosen date format will overflow a poorly chosen data format. YYMMDDHHMM does not fit in to a 32-bit integer starting with 2201010001, which is New Year’s Day in 2022.

From an article – ‘However, for on-premise Exchange Servers currently affected, admins have found that you can disable the FIP-FS scanning engine to allow email to start delivering again… Unfortunately, with this unofficial fix, delivered mail will no longer be scanned by Microsoft’s scanning engine, leading to more malicious emails and spam getting through to users.’ [[emphasis added]]

And a reference – https://www.bleepingcomputer.com/news/microsoft/microsoft-exchange-year-2022-bug-in-fip-fs-breaks-email-delivery/

null clam January 2, 2022 1:16 PM

@ Ted @ Winter @ Clive Robinson … all

Re: BIG data

Is aliasing just a phenomenon of linear frequency analysis and signal reconstruction (“old” data world) ? Maybe not, perhaps all “new” and “big” data and its nonlinear interpolators (ML/AI models) has the same problems, and more so. What artifacts of nonlinear aliasing and moiré-ing are possible ? Do false effects that forcefully suggest intriguing but chimerical realities emerge here ? Would we know ?

Ted January 2, 2022 1:29 PM

@Winter

Re: A Philosopher’s guide to software verification

I was intrigued when I saw the authors of the paper were employed in Philosophy Departments. I had to do a double take on the paper title.

“Why There is no General Solution to the Problem of Software Verification.” So yes, it was the paper it was supposed to be. ​

From the paper:

Is the loss of a handful of lives an acceptable price to pay for cars with more desirable features? How should one approach the risks associated with purchasing such a vehicle? What duty does the manufacturer have to explain the presence of error in its product? These are not questions that computer scientists or engineers are equipped to answer.

AI go home. The Tao of software?

pup vas January 2, 2022 3:07 PM

Consciousness in humans, animals and artificial intelligence
https://www.sciencedaily.com/releases/2021/12/211220120719.htm

=The platform theory in detail

The complex cognitive operations that, according to platform theory, are associated with consciousness are applied to mental representations that are maintained and processed. They can include perceptions, emotions, sensations, memories, imaginations and associations. Conscious cognitive operations are necessary, for example, in situations where learned behavior or habits are no longer sufficient for coping. People don’t necessarily need consciousness to drive a car or take a shower. But when something unexpected happens, conscious cognitive actions are required to resolve the situation. They are also necessary to predict future events or problems and to develop suitable coping strategies. Most importantly, conscious cognitive operations are at the basis for adaptive and flexible behavior that enables humans and animals to adapt to new environmental conditions.

According to the new theory, conscious cognitive actions take place on the basis of a so-called online platform, a kind of central executive that controls subordinate platforms.

!!!!”To what extent an artificial intelligence which is capable of independently solving a new and complex problem for which it has no predefined solution algorithm can likewise be considered conscious has to be tested,” point out the authors.=

Clive Robinson January 2, 2022 5:58 PM

@ JG4, Ted, ALL,

Happy New Year, hopefully neither of you got that pulled rug feeling.

With regards,

And further proof of the need for something like AI verification of code.

I’m not sure it would help. AI systems are still based on the old “Expert Systems” which means they will have had to see almost exactly that same exploit to spot it.

Or to put it another way an AI system learns nothing, it only sees what other humans have seen and told it, it should look for similar.

So to get to the fun bit from the posting, some one who claimed to have done a code review on the contract claims,

“We were all busy looking for an obvious red flag that we brushed over what looked like a novice coding mistake.”

People who have read this blog for long enough, know I have a low opinion on the worth of code reviews. Not because the process it’s self is a bad idea, it’s not it’s a good idea, but because of the majority of people that carry them out.

Doing a code review has no upsides for most software developers, and it’s bot a job most want as it’s seen as a career killer. But… because it’s a managment “Check Box Item” it has to be done. So team leaders use it as a way to dump those members of their team they do not want for some reason.

So the reality is most “Code Reviewers” are not the most motivated or observant of individuals, and some may not be all that high on the coding tricks front. It is very unlikely that they “think hinky” and they don’t have time to actually work through the code with all input changes.

As people who have read my comments going back awhile will know, I’ve mentioned how I backdoored some crypto comms code to leak KeyMat quite a few years ago. I used a trick with free() and malloc()[1] to covertly copy the KeyMat secretly, and used a faux key leak argument to actually leak the key[2] into the communications channel, so anyone monitoring it can recover the key.

Whilst these are “known tricks”, they are only “known” to those who have done the right reading[3], which does not cover most developers, or AI developers…

So unless “things are obvious” code reviewers are not going to “see” them. But even when obvious is being very obvious as the poster claimed, it was in effect “to obvious” so it was missed and in this case and some crypto coins got taken in a basic “rug pull”.

But people forget that “very obvious” can be so “common place” it just gets ignored…

Some years ago I mentioned how a “brain dead script-kiddy attack” could be used to hide the fact a time sensitive probe was being used to find “Honey-Pot” systems. Oh and it still works quite well today, even against Microsoft’s Honey-Pots/Nets. That is even though I told the Honey-Pot software developers about it ages and ages ago they ignored it… Oh and it is also usefull to find “multiple host port” computers used in data centers etc, which can be very usefull for certain types of target enumeration.

So imagine you are an attacker and have a nice new shiny “Zero Day” exploit worth several million dollars… You do not want to use it against a “Honey-Pot/Net” as it will get “seen”, “advertised”, and “negated” in short order, which is a burn rate even Level III attackers can not aford for very long.

So the question you should ask as an attacker is “how do I find out it’s a Honey-Pot/Net remotely, without alerting the operator?”

Well you need to know two things, the first is,

1, What are the current “script-kiddies” running?

Which is fairly easy to find out. The second is a bit more interesting and requires you to think a bit. Which is,

2, What is different between a Honey-Pot/Net and a normal computer / neywork?

Most Honey-Pot/Nets have an achilles heel, which is thay are “faked” on a single computer. So knowing this, how do you tell a single computer pretending to be multiple computers from ordinary multiple computers.

The answer is look for something a single computer pretending to be multiple computers would have but multiple computers would not.

The answer is “the same motherboard”. So how can you detect that?

Well a motherboard at it’s lowest level is driven from a single crystal oscillator. Any changes in that oscillator would happen to all the computers it’s pretending to be fully synchronously. Where as multiple computer might have their clocks change in the same direction due to say heat, they would not do so synchronusly.

So the question arises as to “How do you detect this remotely?” the answer is “network timing”.

Without going into all the details, the timing of network packets can be used to tell if the IP addresses are all from the same motherboard. The problem is “How do you measure it remotely?” especially from the other side of the planet. Well the simple answer is “By active probes”. That is you try connecting to each IP address of interest in some manner that gives you timing information back. You then check the timings are not just heading in the same direction but importantly at the same rate, that is they are synchronised.

But if you just “probe” your behaviour is a “signal” that can be seen in the Honey-Pot/Net logs. So in theory your activities will be “sufficiently overt” to be picked up.

So how do you make your signal “sufficiently covert” to remain out of sight. Well you can not, but you can look like your probe is something else, something so common it is not just expected but ignored.

Which is where those script-kiddy attacks come in. If your apply the “duck question”[4] in reverse, that is you make your probe indistinguishable from a script-kiddy attack, then your signal gets hidden in it’s noise.

It was that so “very obvious” it is “common place” that the code reviewer indicates they forget so what looked like a very basic coding error just get ignored…

But people got hurt to the tune of ~125k Dollars because others effectively “ignored the obvious”…

As the code reviewing poster says,

“In engineering culture, postmortems are designed to help each other get better after a failure.

They’re also blameless — everyone knows when they’ve messed up, the best thing we can do is help each other level up.”

Whilst “postmortems” do happen from time to time, when they can not be avoided… For them to be effective, you need “History files”, which are the “What whent wrong and what we did about it” project documentation that the old “99% do not do” guesstimate gets tagged to.

[1] heap memory managment in C has changed over the years but malloc() and free() –see back of K&R book– still march on. Unfortunately the alow a covert channel. Use malloc to get a block of memory and fill it with the secret data you wish to covertly transfer. Then free() the block, whilst it goes out of most developers persprctives at that point the data is still in the heap memory. Providing you don’t mess with free()/malloc() in the wrong way… There are a couple of things you can do to get at the data. The first is still use the now invalid pointer, but this can get picked up, the second less obvious is to call malloc() again for the same size block of memory. With most malloc() calls you will get the same memory block you have previously free’d. So now the trick is to get the data out without it being obvious and there is a way to do this. One way is a fake clear using XOR. XOR A with A and it becomes zero, but XOR A with const or other known pattern and it’s a stream encipherment…

[2] For those who are not as old and creaky as some of us, the ASCII character code is 7bit, but back then serial data was sent as 8bits with the 8th bit reserved for parity or more ofteb than not just set to “none” or left clear. So if you use a stream cipher to encrypt a byte of 7bit ASCII one bit in a known place leaks 1bit of Key-Stream data. You can not just argue this is a bad idea after all NIST with DES had that “perm” to reduce it. But you can also using a simple stream generator like a “Linear Feedback Shift Register”(LFSR) demonstrate a “recovery attack” using those leaked bits… Whilst it is convincing to developers, cryptographers are wise to this type of attack so a Crypto-KeyStream generator should not be vulnerable to it. But the developers having seen an attack and recovery will accept your argument that the 8th bit should be randomly set or clear with some other generator… Which gives you your covert communications channel to leak the KeyMat data you transfered using the Heap Memory covert channel with free()/malloc()[1].

[3] There is something called the “International Obfuscated C Code Competition”(IOCCC) that encorages people to “think hinky” and come up with tricks,

https://www.ioccc.org/

I can not of the top of my head remember which one it was but someone used the old XOR trick to swap bytes of info without using a tempory byte to do it. However they knew that it could be used to slowly “zero data” and that’s how they demonstrated a cipher that went to emmitting just plaintext after a hundred or so bytes (just long enough to get missed by testers).

[4] The “Duck Question” is, “If it looks like a duck, waddles like a duck, and quacks like a duck, why would you not think it’s a duck?”… To which the reply from someone sufficiently “switched on” should be “Because ut might be a goose”… In essence it’s about “camouflage” people “See what they think they see, not what they realy see”. If you think you see a bush, but it’s realy a machine gun nest camouflaged to look like a bush you could end up in a world of hurt. In other words you should be alert to differences which is part of what our host calls “thinking hinky”.

Clive Robinson January 2, 2022 6:16 PM

@ Winter,

Not quite. Big Data does not have to be a SQL database. AI/ML works perfectly well with unstructured data.

You and I obviously have a different view as to what “structured data” is.

The “unstructured data” you refere to I would most certainly call structured, though I would not call it “relational”, “CSV”, etc. It’s why I did not mention SQL or abything remotely similar.

I view and always have done a “database” as a “bag of bits” within a larger “bag of bits” that is as collection of “Abstract data Types”(ADT). That form individual records within the collection. Where the collection is amenable to basic set theory and algebra, and the individual records to searching etc.

So I see a “hard drive” as a database, where the individual records can be either files or sectors etc.

Likewise I see Core RAM as a database, where the individual records can be blocks of memory or process spaces.

It might appear as an odd viewpoint to some, but it is a correct one when you work at those levels and below.

Clive Robinson January 2, 2022 7:25 PM

@ null clam,

What artifacts of nonlinear aliasing and moiré-ing are possible ? Do false effects that forcefully suggest intriguing but chimerical realities emerge here ? Would we know ?

Three questions in one paragraph, you obviously want to start the New Year “Big” 😉

I have a slightly odd view of “informattion” in that I view it as a potential super set of the physical universe. Part of this is our physical universe is both granular / discrete and bounded / finite.

As a general rule we can not see or touch “information” only the effects it has on physical objects which we can interact with in some manner.

Look at it this way, two apparently random objects have a space between them, we can measure the space in many many ways and record it as one of many numbers. The numbers are synthesized information from that space. Such numbers can represent all types of information. Importantly such numbers are not finite, so we have the curious issue of a physical universe that can be used to hold a finite number of infinite numbers.

Another issue is that we tend to view things in a binary fashion. That is “something is” or “something is not” comparabke to something else. In logic we tend to say “something is True” or “something is not True” or “something is False”. The problem is that is not the way the universe works. Consider the universe as a set of objects, and each object matches a descriptor in a set of descriptors. The “something is” / True matches just one member of that descriptor set. The “something is not” / False in effect matches all the other members of that descriptor set. For our basic logic to work we have to reduce the number of set members to just two, some how, which is problematic (as we see fairly frequently in certain programming languages).

But in the physical world it’s also problematical. It’s why under Scottish Law you can be found “innocent”, “guilty”, or “case not proven”. It recognises there is a point inbetween.

We have a bad habbit of saying something is “determanistic” or it is “random” and whilst “determanistic” is well found “random” is not. It also gives rise to an issue that something can be said to be both.

If we have a “black box” that emits information as bits an observer of the output can either demonstrate it is “determanistic” or they can say they can not demonstrate a pattern therefore it is from their point of view unpredictable or random.

But now think about the inside of the box where some process generates those bits that are emitted. It can be a determanistic process or one that is not. The problem is that when a determanistic process is sufficiently complex it’s output may not exhibit a recognisable pattern for quite some time, if at all within the practical limits of mankind.

How do we describe something that the generator knows is determanistic but the observer can not tell appart from random?

We tend to talk of “signals” and “noise” where we assume noise is “random”. Well something sufficiently complex to look random to the observer can clearly be demonstrated by the generator not to be.

Science is about “observation” of the physical universe. As time progresses our ability to detect complexity increases, but it is never going to get to the point where we can demonstrate the physical universe is determanistic.

Which should answer your three questions or atleast the third directly with a “No”.

Ted January 2, 2022 7:26 PM

@null clam

Re: BIG data

So many good questions. What resources do you reference for big data? Do you have fav experts?

ResearcherZero January 2, 2022 7:59 PM

@Clive Robinson, name.withheld…

The information environment exists simultaneously in the physical, virtual, and cognitive domains. It is comprised of social, personal, informational, network, and actual (or “real”) elements. To illustrate the difference, a radio station is in the physical domain, its frequency is in the virtual domain, and its messages target the cognitive domain (i.e., the minds of people). An integrated targeting approach, which includes information activities, can target and deliver effects in all three domains: a radio station may be destroyed, its frequency jammed, and its content manipulated to influence its audience.

Our adversaries, competitors, and other actors attempt to shape media narratives through the overt and covert use of news and social media. These information operations do not always seek credibility. Instead, they aim to destabilize the target audience by creating uncertainty and fear, undermining “confidence in sources of knowledge” and the very notion of objective truth.
https://www.armyupress.army.mil/Journals/Military-Review/English-Edition-Archives/May-June-2019/Blythe-Calhoun-Influence/

Iran has recently become so good at planting false news stories to inflame public opinion that even the Russians have been their victims. Putin’s press has been unknowingly publishing fake news planted by Iran. Moreover, the Russians have been framed for planting fake news in the Western press when Iran was the real culprit. It would all be a bit funny if it were not so deadly serious and destructive of our ability to tell the truths from the falsehoods in the news we get about world affairs.

The Russians are whining about Iran pulling the kind of sneaky tricks on them that they have been using for years. The Iranians were quick to learn the Russian Bear’s tricks and then turned the fake foreign news game on Putin.
https://www.amimagazine.org/2019/05/22/iran-is-faking-the-fake-news/

The campaign team of Jokowi and Ma’ruf Amin amplified the incumbent’s statement, with deputy chairman Abdul Kadir Karding explaining that the propaganda technique mentioned by Jokowi was dubbed a “fire hose of falsehood”. “By producing massive hoaxes, the strategy aims to overturn all data and facts to influence the people, particularly in voting,” Karding said. “It’s dangerous, because people will gradually get used to fake narratives.”
https://www.thejakartapost.com/news/2019/02/04/jokowi-accuses-prabowo-camp-of-enlisting-foreign-propaganda-help.html

the characteristics of the Trump campaign’s media push – its relentlessness, its volume, the cacophony of voices – share traits of a 21st-century propaganda technique pioneered, if not perfected, by Russia.
https://www.smh.com.au/world/north-america/donald-trump-campaigns-firehose-of-falsehoods-has-parallels-with-russian-propaganda-20160809-gqo044.html

The strategy is effective for those trying to hold on to political power, and it’s the same for those who gain power from engaging in science denial.
https://www.theguardian.com/commentisfree/2019/nov/07/firehosing-the-systemic-strategy-that-anti-vaxxers-are-using-to-spread-misinformation

We characterize the contemporary Russian model for propaganda as “the firehose of falsehood” because of two of its distinctive features: high numbers of channels and messages and a shameless willingness to disseminate partial truths or outright fictions. In the words of one observer, “[N]ew Russian propaganda entertains, confuses and overwhelms the audience.”

Contemporary Russian propaganda has at least two other distinctive features. It is also rapid, continuous, and repetitive, and it lacks commitment to consistency.

Interestingly, several of these features run directly counter to the conventional wisdom on effective influence and communication from government or defense sources, which traditionally emphasize the importance of truth, credibility, and the avoidance of contradiction.3 Despite ignoring these traditional principles, Russia seems to have enjoyed some success under its contemporary propaganda model, either through more direct persuasion and influence or by engaging in obfuscation, confusion, and the disruption or diminution of truthful reporting and messaging.
https://www.rand.org/pubs/perspectives/PE198.html

The goal here is not simply to undermine a particular claim, but to challenge the idea of verifiable news, period. The narrative we’ll see more and more of is that journalists are simply pursuing political agendas; that they are driven by the same petty vendettas and partisan loyalties as some of those they cover.

“from those of us who have worked in places where the institutional fabric is thinner, the legal protections less absolute, and the social license to operate less secure. Not outright dictatorships, but majoritarian democracies where big men — and they are usually men — polish their image in the mirror of state media or social media, while slowly squeezing the life out of independent institutions.”

“Get used to being stigmatized as the opposition… The basic idea is simple: to delegitimize accountability journalism by framing it as partisan. Why should anyone care about your investigation of the president’s conflicts of interest, or his tax bills, if they emanate from the political opposition? The scariest thing about ‘fake news’ is that all news becomes fake. Yours too.” – Nic Dawes
https://www.niemanlab.org/2017/12/the-firehose-of-falsehood/

the biggest danger of deepfakes is disbelief by default: they call into question the veracity of real videos in order to undermine credibility and cast doubt. This can further erode trust in journalism and create havoc in societies.
https://medium.com/jsk-class-of-2019/six-lessons-from-my-deepfake-research-at-stanford-1666594a8e50

ResearcherZero January 2, 2022 8:11 PM

@Clive Robinson

They have come up with a solution for evidence not being credible in the UK.

“The nationality and borders bill is now in the House of Lords for readings after passing through the House of Commons. The bill makes it a criminal offence to arrive in the UK without permission, with a maximum sentence of up to four years. The bill lets the UK send asylum seekers to a “safe third country”, and can allow for offshore processing centres overseas instead of considering their asylum claims in the UK.”

“In November, home secretary Priti Patel introduced a provision that would allow the government to strip people of their British citizenship without notice, which was debated for nine minutes in the House of Commons before passage on December 8.”

Citizenship stripping can take place for public interest reasons, mostly connected to national security and counter-terrorism. These decisions come into effect even before appeals can be processed, so it is crucial for the affected person to be notified.
https://theconversation.com/stripping-british-citizenship-the-governments-new-bill-explained-173547

ResearcherZero January 2, 2022 9:25 PM

Mandiant said the hackers associated with Russia’s SVR foreign intelligence agency continue to steal data “relevant to Russian interests” with great effect using novel, stealthy techniques that it detailed in a mostly technical report aimed at helping security professionals stay alert.

The Mandiant findings follow an October report from Microsoft that the hackers, whose umbrella group it calls Nobelium, continue to infiltrate the government agencies, foreign policy think tanks and other organizations focused on Russian affairs through the cloud service companies and so-called managed services providers on which they increasingly rely. The Mandiant researchers said the Russian hackers “continue to innovate and identify new techniques and tradecraft” that lets them linger in victim networks, hinder detection and confuse attempts to attribute hacks to them.

…the hackers’ path of least resistance to their targets were cloud-computing services. From there, they used stolen credentials to infiltrate networks. The report describes how in one case they gained access to one victim’s Microsoft 365 system through a stolen session token. And, the report says, the hackers routinely relied on advanced tradecraft to cover their tracks.

Hackers set up intrusion beachheads using IP addresses in the same address block, say, as the person’s local internet provider.
https://www.sfgate.com/business/article/Report-says-Russian-hackers-haven-t-eased-spying-16678761.php

The records were stolen from a police contractor, and the Russian hackers released just a small portion of what they stole but have threatened to release more if their demands continue to be rebuffed. It remains unclear exactly what personal information has been breached, but the dark web samples contain indications that the data was stolen from a national traffic monitoring system and contains photos of drivers that were caught speeding.

Dacoll was apparently phished successfully, giving the Russian hackers access to about 13 million records of UK police data.

There is reason for concern given that Dacoll provides services to 90% of the UK’s law enforcement agencies through its subsidiary NDI Technologies. The company’s NDI Recognition Systems firm is the one that supports the ANPR systems; UK police data is shared with Highways England and DVLA through the company’s software products.

The incident raises the question of what the average person can be expected to do when government agencies, trusted with the most sensitive of their personal information, have a security failing. Heading into the holiday season, it remains to be seen what the UK government will do to remedy the situation; UK citizens still need to know exactly what the Russian hackers made off with. The worst-case scenario would be access to their drivers license information, a key element for thieves to establish a change of address for the purposes of identity fraud.
https://www.cpomagazine.com/cyber-security/uk-police-data-leaked-to-dark-web-russian-hackers-hold-13-million-records-to-ransom/

A CYBER attack on the UK’s Defence Academy – possibly by Russia or China – caused “significant” damage, a retired high-ranking officer has revealed.

Air Marshal Edward Stringer, who left the armed forces in August, said the attack which was discovered in March 2021 meant the Defence Academy was forced to rebuild its network.
https://www.the-sun.com/news/4384505/uk-defence-school-hit-by-sick-cyber-attack/

SpaceLifeForm January 2, 2022 9:32 PM

@ SeattleSipper

re: YYMMDDHHMM in exchange filter

It’s brain-dead design. Negligence.

Probably met the specification. No need to waste 4 bytes of expensive storage, right?

After Y2K, there is no excuse for not supporting a 4 digit year. Why not use full timestamp, and store into a 64-bit integer in the first place?

And where are the seconds? If the software can manage without seconds (there is probably a bug in there somewhere), they could probably drop the minutes also, and this code could have survived until 2148-01-01. Obviously, they were not thinking ahead.

Note the problem is that they crammed this pseudo-timestamp into a Signed 32-bit integer (probably why the seconds were dropped).

I suspect they will just change the code and declare the field as an Unsigned 32-bit integer.

Then it will survive until 2043-01-01.

They then will have 21 years to re-design this mess. That will surely happen, and everyone will upgrade by then, right? 😉

lurker January 2, 2022 10:14 PM

@null-clam,@ResearcherZero,@Clive
Am I looking too far ahead of you?

The Final Anthropic Principle requires intelligent life to continue to exist forever. […] We shall say that ‘life’ continues to exist forever if three conditions hold:
(1) information processing—the running of programs—continues along some future-endless timelike curve γ all the way to the future c-boundary of the Universe;
(2) the amount of information processed in I^-(γ) between now and the c-boundary is infinite; and
(3) the amount of information stored in I^-(γ)∩S(t), where S(t) denotes the constant mean curvature foliation of the Universe, diverges as the leaves of the foliation approach the future c-boundary.

John D. Barrow, Frank J. Tipler, The Anthropic Cosmological Principle, OUP 1986, §10.6.

SpaceLifeForm January 3, 2022 2:00 AM

YYMMDDHHMM vs 211233ssss

December 33, 2021 was a Sunday.

https://techcommunity.microsoft.com/t5/exchange-team-blog/email-stuck-in-exchange-on-premises-transport-queues/ba-p/3049447

The version of the updated scan engine starts with 2112330001; is this right? Should we be concerned that it seems to reference a date that does not exist?

The newly updated scanning engine is fully supported by Microsoft. While we need to work on this sequence longer term, the scanning engine version was not rolled back, rather it was rolled forward into this new sequence. The scanning engine will continue to receive updates in this new sequence.

So, the YYMMDDHHMM was just a versioning method. Which explains why the seconds were never used. Because they can not update that fast, yet for some reason they thought they could update more than once per hour.

So, 2112 is now hardcoded.

And for now, the 33 is hardcoded, because somewhere there is some sorting going on, and they have to keep this version id at 10 numeric characters, and force new updates to sort after 211231xxxx.

ResearcherZero January 3, 2022 4:07 AM

@lurker

It probably depends on the wisdom and ethics of that intelligence. Very large volumes of information can be processed and vetted, but if that information does not provide knowledge delivered to the right place at the right time, and if that knowledge is not accepted and acted on it’s completely useless.

Here is a case in point.

House and Senate sergeants at arms had knowledge Jan. 6 would be larger than expected, but did not respond to Capitol Police requests for help from the National Guard.

Sund, who resigned his post the day after the riot, told The Washington Post he had been concerned that the protest planned for Jan. 6 would be larger than expected. Sund said he asked House and Senate security officials for permission to request that the National Guard be placed on standby.

Sund said House and Senate sergeants at arms told him they were not comfortable with the “optics” of declaring an emergency days before the protest and suggested Sund should informally ask Guard officials to be on alert. Both have since resigned.
https://eu.usatoday.com/story/news/politics/2021/01/11/steven-sund-national-guard-help-capitol-riots/6620195002/

It was the first of six times Sund’s request for help was rejected or delayed, he said. Two days later on Wednesday afternoon, his forces already in the midst of crisis, Sund said he pleaded for help five more times as a scene far more dire than he had ever imagined unfolded on the historic Capitol grounds.
https://www.washingtonpost.com/politics/sund-riot-national-guard/2021/01/10/fc2ce7d4-5384-11eb-a817-e5e7f8a406d6_story.html

Congress passed a bipartisan bill allowing the Capitol Police chief to directly request assistance from the city’s National Guard.
https://www.airforcetimes.com/news/pentagon-congress/2021/12/30/the-pentagon-has-streamlined-the-process-for-sending-national-guard-troops-into-dc/

In a statement, the Capitol Police previously said it “agrees with the Inspector General that the Department must continue to improve and expand its intelligence and protective capabilities. This is vital for carrying out our critical mission.”
https://edition.cnn.com/2021/12/14/politics/capitol-police-chief-national-guard-help/index.html

Inspector General Michael Bolton said that out of 104 recommendations he made to the department, only 30 have been implemented so far.

“The Department still lacks the overall training infrastructure to meet the needs of the Department, the level of Intelligence gathering and expertise needed, and an overall cultural change needed to move the department into a protective agency as opposed to a traditional Police Department,”

Bolton also said the department has not made many of the 200 security enhancements it said it would.
https://www.msn.com/en-us/news/us/us-capitol-police-has-made-a-fraction-of-recommended-changes-since-january-6-internal-watchdog-says/ar-AARzC7A

Task Force Report on Security Shortcomings During Capitol Riot
https://www.nytimes.com/interactive/2021/03/05/us/capitol-security-review.html

The Information Operations Handbook states:

“The days of securing campaign success solely through traditional combat operations are over. Victories on the twenty-first century’s physical battlefields will be fleeting unless tied to an integrated information operations campaign.”
http://www.jcs.mil/Portals/36/Documents/Doctrine/pubs/jp3_13.pdf

“The achievement of campaign and strategic objectives requires a sustained competitive advantage over other actors in the ability to influence outcomes. Otherwise, hard-won victories can be negated or even reversed, and our policy makers will be left with limited options by misinformation or disinformation and a resulting perception of illegitimacy planted by adversaries and competitors who employ information-psychological warfare in contested environments to gain a strategic advantage.”
https://www.armyupress.army.mil/Journals/Military-Review/English-Edition-Archives/May-June-2019/Blythe-Calhoun-Influence/

Countering misinformation or disinformation is therefore of a high priority in an information rich environment, especially in one which ‘soft power’ has been significantly disrupted by emerging information technology, combined with reduced funding and deregulation of public media.

Clive Robinson January 3, 2022 4:34 AM

@ lurker,

Am I looking too far ahead of you?

With regarts the “Final Anthropic Principle”(FAP) it is one of very many Anthropic Principles.

I would caution against anything that has “Anthropic Principle” as part of it’s formalism in part because it’s validility is questionable to put it politely (some even equate it with creationism).

About five and a half centuries ago Copernicus came up with a notion that was very much the opposite of the dictat of the Church and other power structures of the time. He pointed out that there was no reason to assume mankind was in anyway privileged, that the universe was not made for us and therefore we were not the center of it.

As you will appreciate it was not popular with those in power that in part used that conceit to maintain their privileged positions in society (see “King Game” and “The Estates of Man”).

However like William of Ockham’s Razor it’s idea became a touch stone of what would eventually become science based on the scientific process.

It became known as the “Copernican Principle” and is usually given as,

“Humans do not occupy a privileged position in the Universe.”

But actually has broader scope to all organised matter in the universe, not just one genus of life.

You could call the “Anthropic Principle” kick-back after the event. It was a reactionary proposal given on the Copernican 500th aniversary. Which in effect states that

“The universe is too finely tuned therefore …”

The proponents assume incorrectly that because we are in a “special place, we must be special”…

Look at it another way, if you draw up a large enough grid to cover all possibilities with time, you know if you explode a bomb above it pieces of shrapnel will land in many places. As an observer after the event ask yourself,

1, Are those places special?
2, Are those pieces special?

You are most likely to conclude not.

Now add a time related dimension, lets assume the places are of different hights and water falls as rain and things get washed down or washed away. What can you say about those pieces that remain in place because they are on the top of a hill or rise are they somehow special? Obviously not.

But now imagine you are one of those pieces atop some hill you look around you and all else within your view is gone, “Would you feel special?” the simple answer is yes you probably would…

We have a term for this and it’s “Survivorship Bias”,

https://en.m.wikipedia.org/wiki/Survivorship_bias

One problem which applies in quite a number of cases is,

“We can not see those that did not survive.”

Therefor we are making judgment on an incompleate set of data, thereby drawing biased conclusions. When you chase down an “Anthropic Principle”, you usually find such bias at the bottom.

Oh then there is “ebtropy” and “evolution” to consider. As was once pointed out to me,

“To be able to stear a rock it must first be rolling, and they do not roll up hill to higher than where they started.”

That is generally how the universe works,

“Clocks run down, and would stop, unless we wind them up.”

So for evolution to happen or if you like, for rocks to get to a higher place, they need to use energy aquired from something else.

name.withheld.for.obvious.reasons January 3, 2022 7:16 AM

Securing a Place in History
Can the Crown Court be charged with criminal negligence and manslaughter regarding Julian Assange’s treatment and the actions of the courts to completely affect his decline and possible death? I am asking, is judicial malfeasance and engaging in the bodily harm of Julian Assange a new standard for the court? Can’t wait until the friends of the court and jurists as well as barristers find themselves in the same application of Justice. Given the level of transitory “rule of law” expressed operationally against the wind of political favoritism, will it eventually blow back in their face? I await that day.

Least We Forget (Sung to the rap tune of ‘Too illegitimate to Quit’)
The Crown Court is not risking the loss of legitimacy, it has successfully embraced mediocrity and will forever mark the court with the stain of these incompetent jurists

name.withheld.for.obvious.reasons January 3, 2022 7:34 AM

@ Clive
On your list, the 5 items cited, two important elements I’d like to add and emphasize are changes to authority and unknown rules of engagement. First, the devolution of constitutional authority within the executive. For example, departments may at their discretion initiate offensive or defensive kinetic responses to cyber-based events with caveats (think of it as a FISA court for the U.S. DoD). Second, the classified “Laws of Cyber-war”. From what I have been able to determine from just these two is the ability to escalate from a cyber attack to a response that includes nuclear weapons. I think the Bulletin of Atomic Scientists need to consider what is knowable of U.S. military policy (think of it as Cyber Gone Mad).

name.withheld.for.obvious.reasons January 3, 2022 8:29 AM

Followup on Potential Content Based Political Profiling (Cambridge Analytica?)
More on the subject of content scrapping from Youtube by Chinese/Russian Cooperative Group? KZsection — Youtube knockoff? One or two threads on Reddit regarding the sources and remedies for context exposure.

Primlimnary Findings:
– Sites host content, copied Youtube videos, on various hosts using separate domains
– References to both Chinese and Russian servers and/or programmatic interest for unknown purposes, conjecture no solid evidence of a collaboration, yet.

CONTEXTUAL DETERMINISM BASED ON COMMENTS TO VIDEOS
OR
CONTENT WITH COMMENTS CONTEXTUALIZED

Categories:
Neocons
State Department
Non Christian Nation
Judiciary
Cold War II
Steve Bannon
Trinity Hall Cambridge
Abortion Rights
Texas State Representatives
House of Representatives
Voting Rights

Domains:
mbnbc.irlost.info
msnbc.ltreds.info
msnbc.eslike.info
ukposts.info
kzits.info
msnbc.nlmem.info
softpanorama.info (Russophobia)
kzread.info

name.withheld.for.obvious.reasons January 3, 2022 9:47 AM

Is Amazon a Technology Company
When Sears and Roebuck started adding products from other companies in their catalog in the early 20th century, the company started a vertical monopolization of markets. From consumer goods to light industrial products, Sears sold a myriad of products through mail order catalogs. At its peek, Sears catalog bindings where nearly 600 pages of products in the 1960’s.

Today, Amazon is nothing more than Sears and Roebuck with the global supply chain at its beckon call. Not unlike Walmart operating in meatspace, Amazon changes the delivery mechanisms and ties to the supply chain. Is this a good model? I’d argue it is plagued with issues that will not be addressed by Amazon. As more advantage accrues to Amazon so does it control and manipulation of markets. It doesn’t get better because Amazon does better. It is naive to think so, the results are objectively measurable.

What needs to be addressed is the endpoint. Do all markets become vertical monopolies and what incentives will be killed and what opportunity costs will be the result of commodification of commodities? This is similar to the financialization of banking and the Fortune 500 such as GM and GE for whom their core business is subsumed by a monetization of the company and not of value. What zombies will be born by Amazon both near and far in time?

lurker January 3, 2022 11:27 AM

@Clive

The authors evaluate the Drake equation, twice, and get answers of ~1 and ~2. Was Drake an anti-Copernican?

@ResearcherZero …if that knowledge is not accepted and acted on it’s completely useless.

Surely the increase in entropy it creates contributes to the heat death of the universe. Yes, contrary to the postulate of infinite life.

David Rudling January 3, 2022 12:20 PM

@ SeattleSipper, @SoaceLifeForm

Couldn’t agree with you more @SpaceLifeForm.
Trying to cram a date and time representation into a 32 bit signed integer is just lazy and asking for trouble. Y2K all over again.

When (if?) the whole mess is redesigned it would be an example of good practice to use the ISO 8601 format (1) which was first ratified in 1988 well before Y2K and no need for further changes until we start getting near the year 9999 ME.
The globally unambiguously defined first second of 2022 in UTC/GMT (time zone Z) would be 20220101T000001Z in the basic representation format.

Microsoft adopt a rationally designed and approved international standard ? I agree, not a hope in hades.

(1) https://www.iso.org/iso-8601-date-and-time-format.html

SeattleSipper January 3, 2022 2:22 PM

@SpaceLifeForm, @David –
Good points.
To which I add –
1. I like to think I would have caught this in a code review, but would I really? Ever since Y2K, I am anal-retentive about YYYY, but could I make that argument in a code review? Expanding this beyond my persuasiveness, it looks like Xilinx developers had the same problem, so I am not the only one who loves code reviews but executes them poorly. I seem to recall another, recent conversation about the effectiveness of code reviews (TLDR: merely a checkbox on the manager’s list).
2. Testing might have caught this. Using the four YYYY digits would have revealed this instantly. A good test-writer would find out what the design boundaries are and probe them. Using YY in the format would push a tester to YY==99 and that would quickly blow up; using YYYY would be even more obvious. Why no testing?
3. A proposed workaround for the bug is to turn off whatever filtering mechanism uses the date format. Great! A design-programming error becomes an open invitation to assaults.
4. Had the programmer treated the value as a string instead of being clever with a (signed) int, this would never have happened. Moral of the story: the original data is not an int, it is a string, so use a string datatype for type-safety.

I sound like I am beating up on the programmer. I have made equivalent errors and learned that using a code review, reallly using one, can make one’s life much easier.

Clive Robinson January 3, 2022 3:40 PM

@ lurker,

The authors evaluate the Drake equation, twice, and get answers of ~1 and ~2. Was Drake an anti-Copernican?

I’m not aware of Dr. Frank Drake being so, and he was a founder member of SETI and as far as I’m aware still is, which might suggest he favours the Copernican Principle.

SETI unsurprisingly acknowledges the existance of life in the universe and on the “None, One, Infinity”[1] argument go for “Infinity”. That is they take a plurality view point not just on species but intelligent species and importantly places. Which is why they look for inteligent “ET” by what are industrial development signitures (have a look at Dyson’s thoughts on it).

But what of Drake’s Equation, well it was more an “ice breaker” or “debate initiator” than anything else.

From,

https://en.wikipedia.org/wiki/Drake_equation

“The equation was formulated in 1961 by Frank Drake, not for purposes of quantifying the number of civilizations, but as a way to stimulate scientific dialogue at the first scientific meeting on the search for extraterrestrial intelligence (SETI).”

Which means it was sort of “out of the hat thinking”, a sort of “OK folks what do we have to consider, hear is my starter”. We actually know from the “get go” it is going to be inaccurate,

“The Drake equation amounts to a summary of the factors affecting the likelihood that we might detect radio-communication from intelligent extraterrestrial life.”

If we look at Earth’s history so far, we’ve only broadcast coherent signals with enough power to be reasonably recognisable outside of the solar system for a very very small period of time, maybe a quater of a century and it’s rapidly comming to an end. The two primary signals the earth radiates do not carry information as they are,

1, Aerospace RADAR.
2, Mains power “hum”,

The old days of High Power Analog radio transmissions are rapidly fading and the spectrum in the UHF and above will be reasigned to low power digital mobile service provision in a cellular arrangement within a few years. Mobile service charecteristics are not just low power, but where vertical radiation is reduced significantly and likewise horizontal radiation to avoid one cell base station effectively jamming adjacent cells. Even from Low Earth Orbit (LEO) the jamming effect has now reached a point over cities etc where signal differentiation is getting to and in some cases beyond technical limits (one of the reasons why aircraft have been tested with marches and demonstrations). But another asspect to consider is the “Shannon limit” most digital systems work as close to the limit as they can. This means that they are very much self limiting in range and the expected error rate rises dramatically eith distance, and quickly ends up looking like background noise. Then of course these days most digital radio transmissions are encrypted either weakly via “whitening / Spread Spectrum” for channel/spectrum efficiency, or strongly for privacy protection. Both of which make the signals aproximate random noise significantly.

The upshot is it would only be an intentional transmission such as the Arecebo experiment that might get heard but probably not for various reasons.

“Criticism of the Drake equation follows mostly from the observation that several terms in the equation are largely or entirely based on conjecture. Star formation rates are well-known, and the incidence of planets has a sound theoretical and observational basis, but the other terms in the equation become very speculative. The uncertainties revolve around our understanding of the evolution of life, intelligence, and civilization, not physics. No statistical estimates are possible for some of the parameters, where only one example is known. The net result is that the equation cannot be used to draw firm conclusions of any kind, and the resulting margin of error is huge, far beyond what some consider acceptable or meaningful.”

As I’ve indicated I think that SETI are looking for the wrong thing in the wrong way. But also we see no reason to intentionaly send out high power radio signals, why should any other life form think differently? Therefore I think the odds of SETI picking up an “intentional broadcast” are so small as to be vanishing.

But consider this “Secrecy arises through Evolution”.

Evolution is “greedy” that is your best chance of survival is to utilise all available resources to the exclusion of others. Both as an individual and a species. So from very early times as soon as competition became relevant, keeping resources hidden offered an evolutionary advantage. As a species develops such hidding / secrecy of information develops with it.

There is no reason to suppose that this is not a universal trait in the development of intelligence. Thus the question arises of what benifit is there to anouncing to all that you exist on a pile of resources?..

One argument, is that we are safe, because the expenditure of resources to come get our resources would be to great.

However more conteporary thinking brings two things into consideration

1, Self Replication.
2, Information take over.

Imagine if you will a probe that is designed to duplicate it’s self when ever the opportunity arises. As part of getting such an opportunity the probe is designed to be like malware that evolves to take advantage of any intelligent systems it can find and take it over.

Whilst the idea sounds “new” it’s not have a read of “The Black Cloud” and “A for Andromeda” both by Sir Fred Hoyle FRS (a noted astronomer and physicist). The black cloud 1957 may well be older than all who read this blog, and Andromeda 1962 older than most.

https://en.m.wikipedia.org/wiki/The_Black_Cloud

https://en.m.wikipedia.org/wiki/A_for_Andromeda

Oh and to show the change in the times Fred Hoyal caused an out cry by pointing out that a Joyclen Bell “a woman” made the discovery her “male” boss got the Nobel Prize for… In what some consider “Stale White And Male”(SWAM) kickback, he was not given recognition for his discovering and promoting of the stella formation of elements so others got the Nobel for his work…

[1] It is argued that in the physical universe logically only three numbers make any sense. That is,

1, None : something does not exist.
2, One : something is unique.
3, Infinite : There is an unknown number of something above two.

Interestingly “one & infinite” are not mutually exclusive, it depends on how closely you look. For instance we know that humans are a very small subset of “living things” on Planet Earth. But in human terms more than a million humans is not quantifiable by personall perception. So it does not matter if there are 7billion or 7.5billion humans it’s just an ever changing number. However if what is claimed about DNA etc is true, we are all unique.

Anders January 3, 2022 4:42 PM

@Clive @SpaceLifeForm @ALL

hxxps://thestack.technology/supercomputer-files-deleted-kyoto-university-hpe/

Anders January 3, 2022 4:51 PM

hxxps://cloud7.news/software/hpe-update-deletes-77-tb-of-critical-data-from-kyoto-university/

“We were not aware of the side effects of this behavior and released the [updated] script, overwriting a bash script while it was still running. This resulted in the reloading of the modified shell script in the middle of the execution, resulting in undefined variables.”

SpaceLifeForm January 3, 2022 5:32 PM

@ Anders, Clive, ALL

Three lessons

  1. Always test your backup and recovery procedures
  2. Always have multiple backups, preferably with at least 2 sets offsite and offline
  3. Never recursively invoke scripts

:(){ :|:& };:

null clam January 3, 2022 6:29 PM

@ Ted @ Clive Robinson @lurker

Re: big data resources

I have so far been able to keep at arm’s length from big data. It seems much of the time a black box.

In the long standing area of linear signal processing, signal reconstruction from isolated points can go awry by aliasing, extracting a “signal” that isn’t there but fits the data and is in some sense minimal. This is relatively understandable.

But, in non-linear “big” data processing, I have seen demonstrations where looking for any wrong thing can make it appear. Looking for smiles in an arbitrary data set can make the data equivalent of a grinning Cheshire Cat emerge quite nicely. This seems like a very open ended analogue of aliasing in linear analysis.

So, one has to have some idea of what is appropriate to look for in a data set, that is, a kind of understanding of the nature of the data, and this seems to imply some kind of grasp of the causality behind the data.

As @ Clive R is pointing out (if I follow what he says above), these new methods can be used with some caution and direction like focussing devices to explore for and bring into view new phenomena. We want to find all the complementary cases that make up some general category and avoid binary or repeated nested binary “yes/no” divisions of the category. As Aristotle said, it’s not scientific to divide the genus by negation, one has to find the specific and characteristic differences that define each sub part.

So much for my trivial thoughts 😉

Loyal Reader January 3, 2022 7:02 PM

More on Schedulefly

https://m.youtube.com/watch?v=ElE75ZGnSSs

This is the closest thing I’ve seen to any news on this outside of what’s on the company’s site. Which if one believes is back under their control STILL incorrectly spells the company’s name on the end of one of their posts. Also for a while the mobile url of m.schedulefly.com seemed to be redirecting to a scheduleD url before bouncing to the company’s page on daily updates. None of this looks like anything resembling a good response from a company allegedly getting help from an expert firm.

Anders January 3, 2022 8:03 PM

@Clive @SpaceLifeForm @ALL

And another one…

hxxps://www.msn.com/en-gb/news/world/covid-warning-as-new-variant-with-46-mutations-infects-12-in-southern-france/ar-AASnGhn?ocid=st

Winter January 4, 2022 3:37 AM

@null
“I have so far been able to keep at arm’s length from big data. It seems much of the time a black box.”

That is already well known in the field. If you want to publish anything, you have to add ablation studies (removing parts and data to see which are used) and heat maps (which parts of the data are important to reach a decision).

Drivers are applications, e.g., health care, where the users are legally responsible for bad outcomes.

Black boxes are only used by people who are not accountable. Sadly, this includes police, the criminal justice system, and civil services in many countries.

Clive Robinson January 4, 2022 4:44 AM

@ Anders, JonKnowsNothing, SpaceLifeForm, ALL,

And another one…

As I’ve said it’s to be expected as long as the infection rate is high, I suspect there may be several brewing up in places where monitoring is at best rudimentary. It has been indicated that this variant actually pre-dates Om.

Apparently a couple of US based researchers tweeted about it and… Whilst there’s a lot of noise there is very little signal. Most appear to be re-wording from one original article that got translated.

So not much helpful information to give yet.

Apparently there is a pre-review paper from France that I am trying to track down.

But anyway here is what I’ve provisionaly put together,

Most say it is issolated in France but some say it’s now in the UK. As for Africa no data available.

How infective and pathogenic it is, is not yet known but it appears that it may be sufficiently vaccine avoident to get a toe hold and community spread and increased ICU occupancy.

The new strain is B.1.640.2 (apparantly Pangolin strain), was first detected by symptom anomaly in November in France in the Marseille geographical region. With the index patient (first in region) being a fully vaccinated person recently returned from the African country of Cameroon.

It was sequenced and discovered to be a new varient by researchers from the Méditerranée Infection University Hospital Institute (IHU) in December. But is apparantly not yet under investigation by the World Health Organisation (WHO)…

Dubbed by some as “variant IHU”, B.1.640.2 apparently it has 46 mutations & 37 deletions.

Whilst it has relatively few known patients currently the first wave were found via hospital admission so what the community spread rate is, is currently unknown but it has been detected in children.

Though attention has been drawn by a US researcher to the fact that the ICU occupancy in the Marseille region is notably higher than in the rest of France[1].

So potentially there will be two spread rates,

1, If B.1.640.2 is sufficiently vaccine avoident then it would be effectively novel to many people who have only been vaccinated.

2, In those who have had a previous infection which tends to give broader immunity B.1.640.2 would be compeating on aquired immunity from another strain such as Alpha, Delta, Om.

About the most reasonably written piece I’ve found so far via duckduckgo[2] is,

https://www.nzherald.co.nz/world/covid-19-french-scientists-discover-new-mutant-variant/72ZE4BV64DSPBM5UCTM3USKDEA/

So not realy much to be said so far.

[1] Marseilles is also a major international port with vessels comming up the east of Africa through Suez and is effectively the first stop with better healthcare fascilities. So sick sailors tend to get de-shipped there rather than other places earlier in their journey.

[2] Is it me, or have other people noticed DuckDuckGo search results getting worse and worse?

Clive Robinson January 4, 2022 5:35 AM

@ Anders, JonKnowsNothing, SpaceLifeForm, ALL,

And another one…

It’s funny how a fresh cup of tea[1] can help,

The paper can be found at,

https://www.medrxiv.org/content/10.1101/2021.12.24.21268174v1

So time to sit down and read…

[1] This necessitated having to go for a walk in a rain storm on crutches, to get fresh milk… So it might not be the tea that reinvigorated the few remaing grey cells 😉

John January 4, 2022 5:37 AM

Hmm….

Next step. ‘good’ search cost money?

Just like copies of free books cost money from Amazon!!

John

JonKnowsNothing January 4, 2022 5:48 AM

@Clive, @Anders, @SpaceLifeForm, @ALL

re: IHU” B.1.640.2 46 mutations & 37 deletions

A few things to keep in mind about the variant:

  • It’s not that THIS variant is important, it is that MORE variants are happening.

The majority of cases in 5EY hospitals are still DELTA. The majority of cases still on walkabout are OMICRON.

One of the CDC data charts put back the reference to regional sub-lineages of DELTA AY.1-AY.127 after removing them for many months. It’s not 1 DELTA but 127 DELTAS. DELTA in London is different that DELTA in Paris and that’s different from DELTA in Des Moines USA.

Omicron is now 3: BA.1 BA.2 and BA.3. OMICRON in NSW AU is not the same as OMICRON in Moscow or OMICRON in New York USA.

The official technical reason for omitting this information is that the base mutations of DELTA, OMICRON remain stable. The base mutations are parked on phylogenomic tree (PANGOLIN nomenclature, there are other naming conventions). All the sub-lineages are nodes branching out from that point.

In an effort to “not scare the horses”, governments do not inform the population about these differences.

Current HIP-LetErRip policies are doing even less. Only OFFICIAL tests are including in the OFFICIAL numbers. Pretty convenient to not have any tests available.

If they cannot manufacture a dip in the Case Numbers, the plans are to stop reporting Case Numbers entirely: the Florida method.

Hospital Numbers are being touted as more indicative of what’s happening, rather convenient that more than a few hospitals are in TRIAGE mode. Hospital numbers are hard capped at the total beds available; the body count of the Ganges is not included.

One of the CDC reports has “Other” @.2%, Other is anything other than DELTA and OMICRON.

It’s all still in the pot and 5 isn’t going to be enough…

Ted January 4, 2022 7:33 AM

@null clam, Winter, ALL

Re: big data resources

I was looking briefly at Amazon and saw a book called “Designing Data-Intensive Applications.” Does this look like a good resource for someone like me to learn about big data? Assume that I’m starting at a pretty low level.

Here is part of a customer review:

[…] The book deals with all the stuff that happens around data engineering : storage, models, structures, access patterns, encoding, replication, partitioning, distributed systems, batch & stream processing and the future of data systems (don’t expect ML because it is a different beast).

[…] If you are working on or interviewing for big data engineering, systems design, cloud consulting or devops/SRE, then this book is a keeper for a long-long time.

Winter January 4, 2022 8:36 AM

@Ted
“Does this look like a good resource for someone like me to learn about big data? Assume that I’m starting at a pretty low level.”

No idea, really. The field is changing at a very fast (exponential?) pace. What was a solid foundation two years ago is yesterday’s legacy technology today.

You should look at text books explaining the mathematical foundations of the systems. That will allow you to understand at least the principles of what is presented.

For the rest, focus on what you are interested in. If it is security or ethics, then the precise technology is less important. If you are interested in a specific field, e.g., natural language processing or image recognition, focus on these fields.

If you want to play with it, use Python (avoid Matlab and Windows). I mainly hear about Pytorch, but others exist:
ht-tps://hackernoon.com/top-8-python-libraries-for-machine-learning-and-artificial-intelligence-y08id3031

If you want to get knowledge that is very robust against obsolescence from technological progress, learn about biological neural nets. They are the real thing and way, way more advanced than current technologies.

For instance, I find that a lot of modern AI technology can be understood easily if you know how the human retina works. The Hebb learning rule from 1950s neurology is still relevant in AI.

Winter January 4, 2022 8:54 AM

@Jonknows er al
“In an effort to “not scare the horses”, governments do not inform the population about these differences.”

They are also largely irrelevant. The effects of all these mutations on immunity, disease spread, and progression are unknown.

There are only two things relevant for the public:
1) Jabs work, more jabs work better

2) Wear are all in the same boat. It will only be over when every human, even those humans you dislike, have had their jabs.

The rest is only relevant to specialists.

lurker January 4, 2022 10:02 AM

@Clive re Cameroon variant

Looking at it too simply I see about half the substitutions and three quarters of the deletions are in the spike protein. Perhaps not such a good target for a vaccine. Could protease inhibitors be less susceptible to variants, since the protease has a more fundamental role in viral multiplication?

Winter January 4, 2022 12:03 PM

@lurker
“Could protease inhibitors be less susceptible to variants, since the protease has a more fundamental role in viral multiplication?”

The spike protein is currently the only target when you want to prefent infection. Nothing else seems to be exposed before infection and to be specific enough to be useful. Protease inhibitors are useful for stopping active disease (hospital and ICU).

The art of jab development is to find a conserved region that is exposed enough to allow access to antibodies. A lot of research is directed to find some other SARS specific protein motive that is exposed and for which antibodies will be generated. Preferably something that covers most coronaviruses.
ht-tps://www.ncbi.nlm.nih.gov/pmc/articles/PMC7803365/
ht-tps://www.sciencedirect.com/science/article/pii/S2213671120305051

lurker January 4, 2022 12:44 PM

@Winter

Protease inhibitors are useful for stopping active disease (hospital and ICU).

MSM is reporting US daily case rate now 1M, and that’s only Om+Delta, and includes already vaccinated. Again simplistically that could mean everybody will have had it before Halloween. So let everybody catch it, then hit it in the protease so they don’t fill the hospitals and morgues. That is, a protease inhibitor vaccine, which were looking promising so far in trials. At this distance it looks a more sure solution than chasing a moving target with little scraps of mRNA.

null clam January 4, 2022 2:03 PM

@ Ted @ Winter @ Clive Robinson

Re: good resource

Advice – a truism that applies to any field – given decades ago by an expert: one has to know the complete history of the field in order to work in it. The talks by the “great” often include as a preface a summary of the key prior work going back to the beginning. Beware of starting with the latest greatest “hot” stuff.

One way to start chipping away at the history is to find the names of eminent researchers (e.g. Wiki can be a help), go to their websites, see what they reference as to other people, papers, books, etc., and iterate this process.

There used to be a two volume “collected landmark papers in NNs” book from MIT Press but I wasn’t able to search up a reference.

@ Winter mentioned biological starting points – A bit out of the ordinary, and regarded as an outlier or even “heretic” by some eminent ANN researchers – Stephen Grossberg is a noted ANN researcher who starts conceptually from biological NNs and tries to abstract their functional dynamics, representing them by continuous dynamical system analogues. His papers show extensive familiartiy with biological and psychological literature. The systems he and his group have worked on are intelligible and not the comparatively opaque network stacks of nodes and connections one often sees (“backpropagation” inspired systems). Grossberg’s models generalize and explain many common ANN types such as perceptron, self organizing feature maps, content addressable memory, etc.

Winter January 4, 2022 2:24 PM

@lurker
“So let everybody catch it, then hit it in the protease so they don’t fill the hospitals and morgues. ”

The US health care system supplying everyone with effective treatment? Has that ever happened? The US was even not willing to give people a day off to get a jab, and no sick days for any side effects.

Moreover, even the best treatment is worse than prevention. Om is less dangerous than the other variants, but if 300M people go through an infection, too many will die.

Clive Robinson January 4, 2022 3:29 PM

@ Moderator,

I made a post around 15:05 in reply to @null clam and @Ted.

I got the,

“Your comment is being held for moderation”

Comment, which I suspect is because of the wikipedia link may have triggered the “naughty word list” filter.

Not sure what to do about the Wikipedia page name, It is what the programing language got named back around thirty years ago, when people did not care about “Not Suitable For Work”(NSFW) etc as it did not become a real issue untill a number of years later.

SpaceLifeForm January 4, 2022 4:15 PM

@ JonKnowsNothing, ALL

Only OFFICIAL tests are including in the OFFICIAL numbers. Pretty convenient to not have any tests available.

Yep. Even if you can find one, no one is counting Rapid tests.

The new case counts will stabilize soon because they will flatline.

Basically new case counts will reflect official testing capacity levels, nothing more.

I think the rolling 7 day averages will stabilize next week.

It will not mean that the numbers reflect reality.

SpaceLifeForm January 4, 2022 4:48 PM

@ Clive, Red Fish

DDG uses Bing. Need I say more?

I gave up on DDG some time ago because I was looking for something that I knew existed, but could not recall the site.

So, via google, I found it after wading thru the swamp that did not exist 2 decades ago.

I miss the old Yahoo curated search.

JonKnowsNothing January 4, 2022 5:04 PM

@Winter

re: The rest is only relevant to specialists.

We will continue to disagree on the withholding of LIFE ALTERING information.

Any informed decision needs to have all the data on the table, not 1% of the data because THATDUDE-ETTE decided YOU didn’t need to know about it.

The HIP-RIPPERS use the mantra of “self determination”, that people should decide what’s good for them and not have someone else tell them what to do. If the information is withheld, there is NO Informed Consent.

You might not have any consent when it comes to government actions, but normal medical procedures require informed consent.

There are all sorts of folks in the world who have immense knowledge and understanding of areas “without having a paper” to say so.

iirc(badly)

Isaac Asimov reported that he lamented he was not a specialist in Astronomy or Physics. His paperwork said “Chemistry” and he worked as a chemist. While most may remember his Sci-Fi stories, his Non-Fiction works are just as important.

RL annecdote tl;dr

I’ve have more than one conversation with folks from EU about “qualifications”. Some places there require an entire 4 year apprenticeship just on how to remove a screw with a screwdriver.

At a German client, I was removing a screw from a PC Case when the CEO asked me if I had gone to school to learn how to do that. I am sure the CEO expected me to say “oh yeah, 2 years turning to the left and 2 years turning to the right”.

I told him, I didn’t go to school to learn how to remove screw from a PC chassis. I asked him if he knew the American Idiom “Yankee Know How”? He indicated he knew what that meant.

“Well, Yankees know how…”

Opt Out/Opt In/No Op

Clive Robinson January 4, 2022 5:08 PM

@ SpaceLifeForm, JonKnowsNothing, ALL,

It will not mean that the numbers reflect reality.

During the entire SARS-2 outbreak have the numbers ever reflected reality?

The joke of it was the West for political reasons claiming the Chinese were “lying” yet what the west was doing was what?…

It’s why early on I started saying “look at the excess death figures”. For a while they atleast gave some near reality.

Then of course all that mask wearing and hand washing etc killed of that flu pandemic we had expected…

So that in effect “hid” a very large number of deaths because the average for flu deaths based on the previous five years was in reality effectively zero for “flu season”. So those numbers became politically usefull and got replaced with Covid deaths, but described so ambiguously on the death certificates…

As far as I can tell for WASP nations the only country near acurately reporting figures is New Zealand, because they are so low, faking them for political reasons would be fairly pointless…

As Stalin is said to have noted “One death is a tragedy, a million is a statistic”, the reality is whilst it’s easy for some to hide things with statistics, it’s difficult to impossible to hide tragedies.

SpaceLifeForm January 4, 2022 7:49 PM

@ Ted, Clive, ALL

Interesting FTC shot across the bow.

If you think outside the box here, as I have previously dropped some hints, one should realize that FTC will easily be able to track this. The FTC easily will be able to discern lack of compliance. The infrastructure is in place. Let there be no doubt.

So, when an org is warned, but ignores, they will probably be given some more time, but if they repeatedly fail or continue to stonewall, they will be facing a lawsuit.

And if they still do not respond, BGP.

That will wake the org up. Or the reverse.

Ted January 4, 2022 9:34 PM

@SpaceLifeForm, Clive, ALL

Here’s the tweet from Tech@FTC about Log4j.

You can who’s interacting with the tweet. One person quote retweeted:

This is the first time that I’ve seen the FTC to preemptively and explicitly “incentivize” companies to take a specific security measure. Powerful!

https://twitter.com/techftc/status/1478456970986373122

Is this true?

Katie Moussouris says:

[…] Good to take this seriously, but complex to enforce.
They cite Equifax’s $700M settlement for the data breach caused by delays in applying a Struts patch that CISA recently gave federal agencies until June to patch.

And Patrick Howell O’Neill says:

The @FTC (1) threatens legal action against companies that don’t fix Log4j vulnerabilities and (2) cites @techreview’s story on open source volunteer projects lacking resources and personnel “even as their projects are critical to the internet economy.”

Clive Robinson January 4, 2022 10:02 PM

@ Ted,

With regards the FTC notice, and legal threat under the FTC Act[1] read it again a bit more suspicion.

It actually worse than you words convey. It is in short the start of a direct threat or movement against Open Source usage.

Read the last paragraph and in particular the final sentance.

Then ask yourself what a corporate lawyer would advise their boss / client about Open Source Software now the FTC has put the cross hairs of ambiguous intent.

[1] It’s not the FTC act as such[2], but the “U.S. BOTS act 2016” that amended it. But also there is for those outside of direct U.S. jurisdition the provisions of the “U.S. SAFE WEB Act of 2006” as well (which was supposed to have been repealed in 2020 but is now moved to 2027).

1, BOTS Act of 2016 Amendment
Pub. L. 114–274, §1, Dec. 14, 2016, 130 Stat. 1401, provided that: “This Act [enacting section 45c of this title and provisions set out as a note under section 45c of this title] may be cited as the ‘Better Online Ticket Sales Act of 2016’ or the ‘BOTS Act of 2016’.”

2, SAFE WEB Act of 2006 Amendment
Pub. L. 109–455, §1, Dec. 22, 2006, 120 Stat. 3372, provided that: “This Act [enacting sections 57b–2a, 57b–2b, 57c–1, and 57c–2 of this title, amending this section, sections 44, 45, 46, 56, and 57b–2 of this title, and section 3412 of Title 12, Banks and Banking, and enacting provisions set out as notes under section 44 of this title] may be cited as the ‘Undertaking Spam, Spyware, And Fraud Enforcement With Enforcers beyond Borders Act of 2006’ or the ‘U.S. SAFE WEB Act of 2006’.”

[2] The Federal Trade Commission Act,

“15 U.S.C. Chapter 2, Subchapter I: Federal Trade Commission §§ 41-58, as amended”

Is the primary statute of the FTC, which came into being back in 1914. It has been amended a few times since. Two of which have added some degree of control over trade over the internet[1].

http://uscode.house.gov/view.xhtml?req=granuleid%3AUSC-prelim-title15-chapter2-subchapter1&edition=prelim

Of interest to those here is §45c-2 that came in with the BOTS Act of 2016.

SpaceLifeForm January 4, 2022 10:10 PM

@ Ted, Clive, ALL

Can the FTC action be effective on Government agencies that are not responsive?

Governor Right Click wants to know.

Ted January 4, 2022 10:30 PM

@Clive, SpaceLifeForm, ALL

The FTC notice says:

Failure to identify and patch instances of this software may violate the FTC Act. 

https://www.ftc.gov/news-events/blogs/techftc/2022/01/ftc-warns-companies-remediate-log4j-security-vulnerability

Do you think they are prioritizing enforcement of a specific part of the law to address “the single biggest, most critical vulnerability of the last decade”?

That’s probably a very good reason they have important laws like that ready in the wings.

@SpaceLifeForm

Can the FTC action be effective on Government agencies that are not responsive?

I know nothing. But I would guess yes the FTC could ring up some paperwork. Do you think so too?

Clive Robinson January 4, 2022 11:11 PM

@ SpaceLifeForm, ALL,

Can the FTC action be effective on Government agencies that are not responsive?

In general “no” nor on US States either. What you might call the “FTC Commisioning Charter” from back in 1914 makes it’s aim to protect customers of commercial services. In fact it gives US States legal priority…

But that ‘U.S. SAFE WEB Act of 2006’ makes frightening reading as it gives in US Eyes, the FTC primacy over all other Sovereign Nations…

Which is counter productive. For instance that nonsense is one reason why Russia has laws that tell the US “Keep of our Grass” but they quite deliberatly use them to protect those “Kicking US butt” thus effectively actively encorage it.

Oh and if you look in the FTC Act amendments you will find a lot of stuff about serving via a treaty mechanism. The treaty requires each nation to bare the cost of serving the paperwork on the “entities”. However as was pointed out a few weeks back the US has been stupid, and outsourced it to a company that charges for service… Russia has said as long as the US goes against the treaty requirments it will not service US requests…

This sort of US nonsense is so antagonistic, and generates so much kick back, you have to ask the “incompetance or malice” question, to which a normal person would probably err on the latter.

Winter January 5, 2022 1:48 AM

@Lurker
“We will continue to disagree on the withholding of LIFE ALTERING information.”

This information is not “withheld”. You can find it using Medline (ht-tps://www.nlm.nih.gov/medline/index.html) and Google Scholar (ht-tps://scholar.google.com/).

If you want someone to translate it into “plain English”, you will have to give them incentives to do so. I doubt whether the larger public would be interested in weekly updates of mutations found. Those involved in the research will announce it when they find something that could be dangerous (variants of concern).

The point is, multiplication of RNA viruses is rather error prone, so there are many mutations going round. Until a mutation has clinical relevance, there is no reason to cry wolf every time.

Winter January 5, 2022 2:55 AM

@Clive
“During the entire SARS-2 outbreak have the numbers ever reflected reality?”

I cannot speak for other countries, but in the Netherlands, they always very clearly stated:

  • 1) We do not know the true numbers
  • 2) We give you the registered numbers, but they are too low
  • 3) We give you excess mortality, but they are also not the real toll
  • This was added to all numbers given in the news. No one knew the real numbers.

    What else could they have done?

    SpaceLifeForm January 5, 2022 3:29 AM

    @ JonKnowsNothing, Clive, ALL

    Excess deaths, long Covid

    I am not endorsing these viewpoints, even though they may be accurate.

    I just want to note them, and point out that they may correlate.

    hxtps://twitter.com/MicahPollak/status/1477727474003894274

    Deaths are up 40% from pre-pandemic levels among working-age people.

    hxtps://www.researchsquare.com/article/rs-1139035/v1

    hxtps://twitter.com/search?q=researchsquare.com/article/rs-1139035

    Sumadelet January 5, 2022 5:32 AM

    @Clive Robinson

    Was that NSFW language name Brain-eff-ewe-sea-kay?

    I used to participate in a forum that had an optional naughty word filter, which was by default on, but could be disabled by each user in their profile. Letters of words matching the naughty words list were replaced by dots, which made accessing the forum from libraries and other places with Net Nanny software that prevented access to web-pages by keyword matching possible – so the above name would be rendered as Brainf..k; but if you didn’t need to worry about filters and were not going to take offence, you could turn off the filter and see posts in their unexpurgated glory.

    If you accessed the forum anonymously, you could read only the filtered version. Usernames were not explicitly tied to real-world identities.

    It struck me as a sensible approach.

    Clive Robinson January 5, 2022 6:16 AM

    @ SpaceLifeForm,

    Both you and I had views about the lack of seriousness by our respective governmental leaders back at the very start of this.

    The official “estimate” of what are needless deaths is a little over 5 million some are,saying the reality is over five times that.

    What people tend to forget is that “economically active” members of society AKA “Work Force” is about 1/4 of the entire population. But the age range given about 1/2.

    There was already evidence that SARS-2 related deaths in that age range fell disproportionately on the “actual working stiffs” who had to directly interact with people (thus their risk factor was not unsuprisingly higher). These people mainly fell in the “traditional” workforce doing jobs that had been around a half century or more before.

    So the real “labour shortages” are most likely to hit the “traditional” labour force.

    I know many people talk down traditional jobs and push the idea of the finance and information / knowledge sectors as king and Princes… But the reality is without a strong traditional sector the other two are as nothing.

    Things are not going to look good overall.

    As for “long Covid” disability, as I’ve pointed out repratedly viral infections are now increasingly believed to be the root cause of autoimmune disease that cause significant disability and early mortality. With each passing year this century, prior to SARS-2 more and more longterm diseases and syndroms were indicated to have an autoimmunity component from a probable viral cause.

    Thus the likelihood of there being a whole new raft of autoimmune diseases from SARS-2 is quite likely. They should start showing up now and over the next thirty years. Interestingly for researchers we will know who had vaccines or not, and to quite an extent who had Covid or not.

    Not that any of that will be any comfort to those robbed of between two and six decades of life and their families and loved ones.

    As @Winter will no doubt remember our conversation on the subject, I pointed out the negative impact on the human race by the reduction in genetic diversity SARS-CoV-2. The hurd has been thined, and will continue to be so for atleast another five centuries now that it is effectively “endemic”.

    Mind you there is perhaps a little light in the tunnel, scientists think we may well have made two of four endemic flu viruses extinct due to simple measures.

    Which raises the question of “employer liability” via “unhealthy work environments”. We joke about “sick buildings” but the reality is many work places are needlessly centers of contagion. Modern architecture is almost certainly going to change with respect to Covid, the question then is “What else will have to change?”. Well if work environments will have to change, so to will work it’s self.

    There is significant evidence that “long work hours” –basically anything over 6-7 hours / day has measurable negative health outcomes. Perhaps it is time we started to rethink the way of life we lead, before we start to have much shorter and more brutish lives.

    Clive Robinson January 5, 2022 6:38 AM

    @ Sumadelet,

    It struck me as a sensible approach.

    It is…except for when it isn’t, like when the naughty words are in URLs.

    If you displayed the link without the naughty words then they would still show up when you put your cursor over the URL.

    The obvious solution to that would be a link redirector which we know is a security nightmare. But also the naughty word would turn up when you had gone to the page, thus making your act of pulling up an NSFW word “intentional” rather than “unintentional”. Such differences can have a major impact on peoples employment.

    Quirky but true story for you, I’ll leave out names to protect the innocent and guilty alike. But a medal winning female athlete works for a company that also sponsers her. They thus have pictures of her being presented with her medals and of her in sporting action. However in her chosen sport the sports clothing is effectively “beach wear”. So whilst there are “official” pictures of her around the work place, the NSFW rules stop her from having her own personal sporting photographs on her desk and wall…

    Clive Robinson January 5, 2022 8:12 AM

    @ Sumadelet, ALL,

    I’m going to try reposting the original comment, but… With the offendibg URL with spaces in the naughty word…

    Fingers crossed.

    Clive Robinson January 5, 2022 8:12 AM

    @ null claim, Ted, Winter, ALL,

    Advice – a truism that applies to any field – given decades ago by an expert: one has to know the complete history of the field in order to work in it.

    Not sure how long you have been reading this blog, but one of the things I complain about the ICTsec industry is that,

    “The ICTsec industry visibly does not learn even from it’s living history. It’s history is just not taught, nor do practitioners apparently feel there is value in learning it…”

    The result which I’m sure many readers of this blog have subconsciously, if not consciously noticed, is the same old “bad guy” tricks sometimes without even minor variations just keep working over abd over every few years at most.

    If you look back on this blog you will see things discussed that just a few years later pop up in some security report.

    Sometimes you get the overwhelming feeling that the only people that act on the information discussed here are “bad guys” in one way or another.

    Like one or two others here I yearn for something new and original to surprise me and make me think “Hey that’s realy new”.

    Sometimes I get a dark thought of,

    “Hey what if there never is anything realy new, what if we have fundamentally seen it all?”

    The implication of that is not good.

    Just to show what I mean, just recently we had the phone spyware that had an inbuilt Turing engine, some investigators were “Wow”/”OMG” surprised by this. Yet I know I was not the only person who has made their own ALU controled by state machine sequencers for microcode to make a CPU. Someone did it in Minecraft just for fun, and researchers have been looking at Intel CPU’s where the memory managment was Turing compleate. One paper showed how you could make a Turing compleate engine just using a single instruction. At the end of the day when you drop through the layers of the computing stack you always find an interpreter, it’s just that we appear to not know any other way to make a CPU… Quite a few compiled languages these days use an abstract engine that is effectively a CPU/interpreter often called a “bytecode interpreter”. One of the earliest that there is still a lot of information on is the UCSD P-Machine. Java likewise has a bytecode interpretive engine known as the “Java Virtual Machine”(JVM).

    One of the simplest interpreters in that it only has eight instructions has been around since 1993. Hopefully the “rude word filter will not barf on the name in the link,

    https://en.m.wikipedia.org/wiki/Brainf.-.-.k

    [NOTE, the two hyphens and three dots around them in the URL are an attempt to stop the “naughty word filter”. You need to replace the “.-.-.” with “uc” respectively.]

    One interesting thing about it, is that it “ignores other charecters” which means a program can be added to a simple text file. So you can write a program in human redable form and just append the actual code at the end of each statment sentence.

    It’s actually worth getting your toe in it’s water, because it will teach you a lot about how to think about programs.

    Clive Robinson January 5, 2022 8:50 AM

    @ SpaceLifeForm, ALL,

    I miss the old Yahoo curated search.

    I to miss the old days, befor both Google and Yahoo…

    Gopher, Veronica, WAIS and anonymous http://FTP... And not a “web page to worry you”.

    Mind you I was perhaps slightly biased… As I was later being partly paid to keep the “interface” of “Wide Area Information Server”(WAIS) known as Z39.50 alive…

    https://en.m.wikipedia.org/wiki/Wide_area_information_server

    Mind you others have “Kept the dream alive” with the “Way Back Machine” etc and the U.S. Library of Congress still keeps a candal alight for Z39.50.

    Anders January 5, 2022 9:05 AM

    @Clive @SpaceLifeForm @ALL

    This haven’t been here yet i believe…

    hxxps://www.bloomberg.com/news/articles/2022-01-03/kremlin-insider-klyushin-is-said-to-have-2016-hack-details

    JonKnowsNothing January 5, 2022 11:00 AM

    @Winter, @Clive, @SpaceLifeForm, @All

    re: Withholding of LIFE ALTERING information. If you want someone to translate it into “plain English”, you will have to give them incentives to do so.

    One of few decent things in US pharmaceuticals is the “package insert”. Granted it’s written in the tiniest font possible on the thinnest paper possible and folded with origami precision to fit in the box size, but it is required to be in the box.

    Most of the time, people do not read the paper and just give it a heave but some of us do read the paper because

    a) Experience with Adverse Reactions.(1)

    and

    b) you cannot trust your overworked PCP/GP to really know all the details when they prescribe the drug. (2)

    In the packet of data are the chemical bonds and layout of the active ingredient. While I can read those bonds, most folks cannot read it and don’t understand the tinker-toy diagram but the diagram is still presented.

    One does not need to obscure information and one does not need to make it more convoluted than it really is. It might not change a single view or use but it needs to be disclosed.

    There is zero reason to withhold that sub-lineage N is dominant in the Netherlands and sub-linage N+1 is dominant in UK and that sub-lineage N+2 is dominant in NY. If you travel to those 3 locations you are just providing extra opportunities for Mutation Exchange. Eventually, you WILL get a mutation of “clinical relevance”.

    There are 2 types of mutations that can be expected:

    1) Spontaneous, cosmic mutation
    2) Mutation of opportunity

    We cannot predict the first, because we do not know when it will happen.

    We can limit the second, because we know that it WILL happen if we continuously provide the opportunity for exchange.

    There are reports of “flurona” circulating in California: Influenza+COVID-19.

    ===

    1, 2) One particular adverse reaction was having my hair fall out after starting a new drug (not cancer). It fell out by the handful. At the very bottom end of the List of Adverse Reactions was Alopecia. The PCP/GP had never seen that reaction before: “It’s normally very well tolerated”.

    That drug got dropped quick off my list and fortunately my hair grew back in time.

    Winter January 5, 2022 11:09 AM

    @Jon
    “There is zero reason to withhold that sub-lineage N is dominant in the Netherlands and sub-linage N+1 is dominant in UK and that sub-lineage N+2 is dominant in NY. ”

    Then, is it withheld?

    The website of the RIVM (Dutch CDC) publishes them on a weekly basis:
    ht-tps://www.rivm.nl/en/coronavirus-covid-19/virus/variants

    Jim Next January 5, 2022 11:39 AM

    Google is manipulating browser extensions to stifle competitors, DuckDuckGo CEO says

    https://www.washingtonpost.com/politics/2022/01/05/google-is-manipulating-browser-extensions-stifle-competitors-duckduckgo-ceo-says/

    DuckDuckGo CEO Gabriel Weinberg, whose company offers a competing search engine that touts its privacy protections, told myself and Gerrit De Vynck during an interview Tuesday that Google is deploying manipulative design features, known as “dark patterns,” to trick users into abandoning rival products.

    According to DuckDuckGo, Google for years has used misleading notifications to lure users into disabling its rival’s browser extensions and to discourage them from switching their default search engines on its web browser, Chrome. But Weinberg said Google in August 2020 tweaked the prompts to more blatantly nudge users away from jumping ship.

    The changes include requiring users to answer whether they would rather “Change back to Google search” after adding the DuckDuckGo extension and showing users a larger, highlighted button when giving them the option to “Change it back” or not.

    Although, I would think Microsoft has similar systems in Windows OS?

    Bob Paddock January 5, 2022 1:08 PM

    @JonKnowsNothing

    “One of few decent things in US pharmaceuticals is the ‘package insert’…”

    The FDA has proposed eliminating those and making them “Digital Only”.

    Also Inserts those are summary documents. The full documents are found on the FDA website and the make it as hard as they can to find them.

    I’m far to familiar with the Antibacterial Fluoroquinolones:

    The actual full documents are:

    Levaquin 71 pages Cipro 43 pages Avelox 35 pages

    How many doctors have actually read the TEN PAGES of warnings in this 71 page document about Levaquin?

    The Pharmaceutical Printed Literature Association (PPLA) is fighting to keep the FDA from going digital:

    h_ttps://pplaonline.org/efforts-to-eliminate-paper/

    What the FDA says about labeling:

    h_ttps://www.fda.gov/drugs/laws-acts-and-rules/prescription-drug-labeling-resources

    lurker January 5, 2022 1:15 PM

    @Clive

    The old days of High Power Analog radio transmissions are rapidly fading Comment 397977

    Observation: one nation is maintaining its HF broadcasting presence, China. Using native speakers of most of the world’s main economic and political languages, with transmitter sites widely dispersed across the country, plus broadcasts to the Chinese diaspora, China appears to run more than half the stations audible on the shortwave bands any time day or night. A new Silk Road in the ether? or insurance against the day the satellites die?

    Clive Robinson January 5, 2022 2:04 PM

    @ Jim Next,

    Google is manipulating browser extensions to stifle competitors, DuckDuckGo CEO says

    It may well be true.

    As I noted the other day my observations of DuckDuck’s performance is it’s failing to be relevant in it’s searches.

    I have no intention of using Google, Microsoft or other of the “data rape pillage and plunderes” who are desperatly trying to force HTML5 insecurities or have forced JavaScript insecurities onto people.

    The problem is the options of workable alternatives is reducing.

    From my point of view if one alternative goes bad, that’s probably down to them. But if two go bad, it’s probably some underlying technology issue. But three or more then that is very likeky “enemy action”…

    With the enemy being Google / MicroSoft etc who can not in any way be trusted, and it is long over due that the EU took a very hardline podition against the pair of them, and several others that are slightly less visable to most people.

    My vote would be the EU goes after some of the less obvious ones and does to them what the US Government did to China’s ZTE (the second biggest telecommunications company). Then go after one of the big boys and put them out of business.

    Why? Because it looks like the only way the US legislators will enact sensible privacy legislation. So not only do EU citizens benifit, but also do US citizens benifit as well.

    Clive Robinson January 5, 2022 3:02 PM

    @ lurker, ALL,

    A new Silk Road in the ether? or insurance against the day the satellites die?

    Does it have to be “a or b” from my point of view,”a and b” makes sense.

    In geopolitics, especially warfare you aim is to “occupie territory” so you prevent others from doing so.

    So as western broadcasters walk away from HF Broadcasting it makes sense for some to “occupy territory vacated by your opponent”. It’s not just China, North Korea and a number of other countries have started putting up “numbers stations” some in the middle of Amateur Radio bands.

    The “walk away” by the west is based on the notion of bandwidth via satelites and subsea cables, as we know China has developed quite effective anti satelite and anti cable systems…

    The places where China is “influencing” are the same that Google are laying cable to and Starlink are putting thousands of satellites up for.

    As far as propaganda be it white, grey or black, is concerned MF, HF and VHF radio is a way cheaper option. HF for sparsely occupied areas, can be done from almost anywhere around the world due ti skywave propogation. MF for urban and suburban using ground wave and night time NVIS propergation does adjacent country / on continent coverage. With VHF for cities and urban areas using line of sight coverage “in country”. China is actively involved with all three.

    But also consider what the “High Frequency Trading” boys are upto,

    https://m.youtube.com/watch?v=LpeXmLpDC30

    Croydon is sort of South East London and happens to be in my “stamping ground” and yes I know exactly where those antennas were pointing and why. As anyone with a topografic map would also know sometime the geographic shortest path is not the shortest time path[1]. I’ve used the same “corridors” for VHF traffic last century using VHF PMR radio frequencies, untill OfCom ran out of available slots and started clawing back range coverage limits.

    But that Log Periodic antenna you see in the picture is in the upper HF lower VHF range, that used to be much favoured by military aircraft and “grunt” forces. It is unfortunatly at certain times of year subject to very long propogation paths, I’ve worked Mil frequencies from both “Crystal Palace” and “Dollis Hill” London UK into various EU countries including Switzerland quite reliably.

    [1] Radio waves move in the atmosphear at nearly the speed of light. However in transnission line it can move at less than half the speed of light, and in data transmission cables such as “twisted pair” well one tenth. But RF filters thus all radio circuits havr a delay proportional to the inverse of the bandwidth. Likewise audio and data circuits can add significant delay. So the shortest path on a map might need three repeaters giving three lots of sigbificant delay. Where as a topographic path being physically longer but only needing one repeater can get there faster by tens of milliseconds. Which can be worth hundreds of millions in trading advantage each year.

    Anders January 5, 2022 5:18 PM

    @SpaceLifeForm

    Problem with this “poll” is that people don’t realize that
    “cyber security” isn’t a technical field. It’s a managing field.
    Eventually business goals decide everything.

    That’s why there are so many burn-out cyber security experts.
    They handle all the technical stuff but eventually that means
    nothing.

    SpaceLifeForm January 5, 2022 5:39 PM

    Password length matters

    hxtps://twitter.com/TychoTithonus/status/1478175603744378882

    Day 12: Out of 233,639,156 new SHA1 hashes in @haveibeenpwned v8, now 99.96769% have been cracked. Only 75,485 remaining (but it’s very slow going now).

    SpaceLifeForm January 5, 2022 6:49 PM

    @ Anders

    Klyushin probably has way more info about Cambridge Analytica than you can shake a stick at.

    Anders January 5, 2022 7:27 PM

    @SpaceLifeForm

    If Klyushin is what i think he is, then he has a lot of
    info about Colonial Pipeline too. Goldmine acquisition.

    Clive Robinson January 5, 2022 7:32 PM

    @ SpaceLifeForm,

    What is the part you struggle with most?

    As an old dog, that’s been around longer than the term “cyber security” by quite some measure of country miles and having learned many a trick along the way it’s

    “knowing tools to use”

    Tools come and go faster than the fleas in a mangey mutts pelt. Especially those with a graphical interface, (many of which are either kitchen sink or more style than grunt). Genuine Command line tools have a habit of being stable for years.

    As a side note when I actually did ny first “training” before I was even a young teen, and only just on my way to secondary school, it was to learn about building boats. The guy teaching me Ron Jolt, knew I’d taught myself not just how to pick locks but make keys with needle files and the like. He impressed on me that realy the first and most important thing you needed to be was a “tool maker” it’s what all master craftsmen are. And half a century later I still make my own hand tools as required for the “odd” jobs. A friend sadly nolonger with us once joked with me that I used to “Not bother looking for the right tool for a job, because I could make it faster from a wrong tool”.

    So I guess it’s why rather than learn the latest tool among thousands on github, I tend to “roll my own”. I’m of the opinion that a tool has three parts “The tip/head, the shaft and, the handle”. Software tools are much the same.

    But getting back to the list, it is why I find, knowing the last three is way more important than the first will ever be. Look at it this way on *nix systems you can nearly always find a scripting language (shaft) even if it is just sh, which you can then cobble the basic command line OS tools (tip) into more useful tools that are more easily controled and directed (handle).

    Cyber “Tool Making” is a skill all cyber security personnel should have. Not least because you realy get to learn the strengths and weaknesses of protocols that other peoples bells and whistles tools hide from you.

    And if you realy want to be any good at cyber security you need to understand the weaknesses of all protocols, because that’s where the vulnerabilities are to be found…

    I’m sure there will be those that will have a different point of view, but I will say something people should remember,

    There is a saying of “You get the face you deserve by the time you are forty, and it stays with you for good”. Actually the same is true of the tools you learn to use. By the time you are fourty you will be beyond learning new tools simply because you won’t want to waste the time and effort. So what do you do when the tool you learned is nolonger available to use?

    There are times when finally you have to learn a new tool, and others where people somehow get lucky…

    Some such as those who write proffessionaly that still use “Word Perfect” or “WordStar” both of which –thankfully– run in 16bit MS-DOS (which can be emulated). As most will know neither of the word processors have been supported this century and MicroSoft killed off 16bit DOS back in MS-DOS 5.x and introduced NTVDM…

    Thankfulky there are tricks under the likes of *nix with “DOS-Merge” and later Linux had and still does various emulators.

    The point is some people back in the 1980’s learnt vi and something like fourty years later it’s still around via vim. Supprisingly to many the command line editor ed is likewise still around after half a century, sometimes as an alias for sed which is still used to this day in sh scripts.

    If you pick the right tools, and they are usually command line tools you will not have to keep learning a new set every half decade at the whim of some commercial OS provider wanting to create a faux market for training and the like.

    SpaceLifeForm January 5, 2022 7:46 PM

    @ Clive, Ted, ALL

    Silicon Turtles

    This is why you want a removable battery.

    And then wait at least 24 hours for the caps to drain. And hope they do.

    Meet “NoReboot”: The Ultimate Persistence Bug

    https://blog.zecops.com/research/persistence-without-persistence-meet-the-ultimate-persistence-bug-noreboot/

    We’ll dissect the iOS system and show how it’s possible to alter a shutdown event, tricking a user that got infected into thinking that the phone has been powered off, but in fact, it’s still running. The “NoReboot” approach simulates a real shutdown. The user cannot feel a difference between a real shutdown and a “fake shutdown”. There is no user-interface or any button feedback until the user turns the phone back “on”.

    To demonstrate this technique, we’ll show a remote microphone & camera accessed after “turning off” the phone, and “persisting” when the phone will get back to a “powered on” state.

    [sumptin, sumptin, airtag. Let them fight]

    SpaceLifeForm January 5, 2022 8:22 PM

    @ Anders

    I would also throw SolarWinds and Kaseya into the pot.

    The broth is FaceBook.

    ResearcherZero January 5, 2022 10:44 PM

    News of Klyushin’s detention provoked immediate action in Moscow: On April 7, Russia filed papers with Switzerland accusing Klyushin of fraud and seeking his extradition to face charges in his home country — a strategy the country has attempted to use in recent years when nationals have been accused abroad.

    He was accompanied by as many as 10 police, most of them heavily armed, on his only trip between the jail and the courthouse in Sion in April — unprecedented security measures for white-collar cases in Switzerland, according to his lawyer.

    He blamed his detention on an “operation mounted by the U.S. in cooperation with Swiss authorities” to obtain “certain confidential information the American authorities consider” he has.
    https://www.bloomberg.com/news/articles/2022-01-03/kremlin-insider-klyushin-is-said-to-have-2016-hack-details

    ResearcherZero January 5, 2022 11:23 PM

    @SpaceLifeForm

    They should put physical switches on mass produced phones.

    Though there are many other problems that exist in the design of smart phones.

    “This bug poses a significant risk to the data of iOS users, but the public can protect themselves from the worst of its effects by disabling Home devices in control center in order to protect local data.”
    https://trevorspiniolas.com/doorlock/doorlock.html

    Physical switches are probably uncool, but they work.

    The Birth of Uncool by TISM

    [Intro]
    Sounds like last summer
    Sounds like last summer
    Sounds like last summer
    Sounds like last summer

    [Verse 1]
    If sounding like last summer is such a bummer
    Then how good’s what you’re in to gonna be, come winter?
    If sounding like last year is something you should fear
    Then this year won’t be fine given twelve months’ time
    Why is it that you rave about what is today’s
    When you’ll react with sorrow same time tomorrow?
    Why not enjoy the sound of summer all year round?
    There is a place, you know, where the groove police don’t go

    [Chorus]
    Uncool
    Hey babe you’re looking un–…keeeewl
    Uncool
    Unkeeeewl
    Uncool

    [Interlude]
    Sounds like last summer
    Sounds like last summer

    [Verse 2]
    If something’s bad, it’s bad, that’s a quality it had
    On the day that it was born, no matter what the norm
    Ask if it’s fake or true, not “Is it old or new?”
    You learn what things are fine, all it takes is time

    [Chorus]
    Uncool
    Hey babe you’re looking un–…keeeewl
    Uncool
    You and me, go for a drive… unkeeeewl
    Uncool

    [Bridge]
    There is a place, you know, where the groove police don’t go
    Bob’s your un–…keeeewl
    Very uncooool

    [Verse 3]
    Let me take you to uncool
    Where old school is still the golden rule
    Where appearances never flatter
    Where the rhyming that matters is more than street patter
    Where the stars of R’n’B are still old and ugly
    Where nobody spells new with a “U”
    Let me take you to uncool

    [Verse 4]
    Let me take you to uncool
    Where Ben Lee still dates some chick from high school
    Where it’s not post-modern to like Kiss
    Your desert island discs are full of greatest hits
    (If something’s bad, it’s bad, that’s a quality it had)
    Where perception isn’t reality
    Where you get a text message from a library
    Where the Emperor’s new clothes have got nobody fooled
    Let me take you to uncool

    ResearcherZero January 6, 2022 12:18 AM

    Bannon praised the Mercers’ strategic approach: “The Mercers laid the groundwork for the Trump revolution. Irrefutably, when you look at donors during the past four years, they have had the single biggest impact of anybody, including the Kochs.”

    Mercer is the co-C.E.O. of Renaissance Technologies, which is among the most profitable hedge funds in the country. A brilliant computer scientist, he helped transform the financial industry through the innovative use of trading algorithms.

    “I think if you studied Bob’s views of what the ideal state would look like, you’d find that, basically, he wants a system where the state just gets out of the way,”

    “Bob thinks the less government the better. He’s happy if people don’t trust the government. And if the President’s a bozo? He’s fine with that. He wants it to all fall down.”
    https://www.newyorker.com/magazine/2017/03/27/the-reclusive-hedge-fund-tycoon-behind-the-trump-presidency

    The Mercers funded numerous key players who helped foment the Jan. 6 insurrection, though their full involvement remains unclear. Along with far-right candidates and groups, they have also funded the far-right social network Parler, which was used to coordinate the Capitol siege, and Cambridge Analytica, the now-defunct London-based data firm that stole Facebook user data to help Trump’s 2016 campaign target potential voters.
    https://www.salon.com/2021/02/04/how-one-billionaire-family-bankrolled-election-lies-white-nationalism–and-the-capitol-riot/

    The Mercer family is both a major owner of Cambridge Analytica and one of Trump’s biggest donors. Steve Bannon, in addition to acting as Trump’s Chief Strategist and a member of the White House Security Council, is a Cambridge Analytica board member.

    “This is a propaganda machine. It’s targeting people individually to recruit them to an idea. It’s a level of social engineering that I’ve never seen before. They’re capturing people and then keeping them on an emotional leash and never letting them go,”
    https://medium.com/join-scout/the-rise-of-the-weaponized-ai-propaganda-machine-86dac61668b

    Episodes that endorsed false or misleading electoral narratives had broad cross-platform reach, with total audiences on Twitter and YouTube in the tens of millions.

    Election misinformation shot upward, with about 52 percent of episodes containing misinformation in the weeks after the election, up from about 6 percent of episodes before the election.

    In the aftermath of the ensuing attack on the Capitol, Bannon’s podcast stands out for its prescient blend of violent rhetoric and blatant disinformation.

    “Bannon’s War Room,” was flagged 115 times for episodes using voter fraud terms included in Brookings’ analysis between the election and Jan. 6.
    https://www.brookings.edu/techstream/prominent-political-podcasters-played-key-role-in-spreading-the-big-lie/

    The trend is in keeping with Bannon’s stated Trump-era media strategy of “flooding the zone” with inflammatory information, real or fabricated.
    https://www.vox.com/policy-and-politics/2020/1/16/20991816/impeachment-trial-trump-bannon-misinformation

    “McInerney’s tale had spread widely on Facebook, Twitter, Parler, and propaganda sites like We Love Trump and InfoWars. It joined the January 6 denialist canon and lodged firmly in Patterson’s head. I reached the general by phone and asked about evidence for his claims. He mentioned a source, whose name he couldn’t reveal, who had heard some people saying “We are playing antifa today.” McInerney believed they were special operators because “they looked like SOF people.” He believed that one of them had Pelosi’s laptop, because his source had seen something bulky and square under the suspect’s raincoat. He conceded that even if it was a laptop, he couldn’t know whose it was or what was on it. For most of his story, McInerney did not even claim to have proof. He was putting two and two together. It stood to reason. In truth, prosecutors had caught and charged a neo-Nazi sympathizer who had videotaped herself taking the laptop from Pelosi’s office and bragged about it on Discord. She was a home health aide, not a special operator.”
    https://www.theatlantic.com/magazine/archive/2022/01/january-6-insurrection-trump-coup-2024-election/620843/

    Mr. Bannon’s show was removed from Spotify in November 2020 after he discussed beheading federal officials, but it remains available on Apple and Google.
    https://www.mediamatters.org/steve-bannon/steve-bannon-and-his-co-host-discuss-beheading-dr-anthony-fauci-and-fbi-director

    David Duke, a former KKK leader who lost his Senate bid last week in Louisiana, called Bannon’s hiring an “excellent” decision.

    Bannon will “push Trump in the right direction,” suggested Richard Spencer, president of the white nationalist National Policy Institute. “That would be a wonderful thing.”
    https://thehill.com/blogs/blog-briefing-room/305912-kkk-american-nazi-party-praise-trumps-hiring-of-bannon

    I may have worked for RenTech a long time ago, knew Robert Mercer back then, and at the time he was a member of the KKK, so none of these claims would surprise me.

    Unleashing information warfare tools loose on our society seems like something that could badly backfire, as even Generals who should know better and have had access to vetted information got sucked in by the misinformation and disinformation operations. Originally though these tools were designed to do exactly that, which speaks to why they are so dangerous once unleashed.

    Psywar explores the evolution of propaganda, public relations in the United States and history of information and disinformation in various theaters of operation. It references the use of information operations against foreign officials to influence their decision making.

    It’s long and dry but contains some interesting information. Best watched when you have a few hours to spare.
    https://www.youtube.com/watch?v=nSh6qtoQkmU

    JonKnowsNothing January 6, 2022 1:32 AM

    @SpaceLifeForm, @Clive, @All

    Big check for: “knowing tools to use”.

    It seems I am always in need of some tool because the ones I have won’t work for the problem I’m trying to fix. It doesn’t matter if it’s hardware or software, without the proper tool, the job’s a nightmare.

    Today, I needed a software tool to fix a busted JSON file and well, the ones I tried didn’t do what I needed to fix.

    It’s the DWIM principle.

    I was also short a wrench(spanner?) to fix a leaking toilet last winter during hard lock down. It’s not easy to reach the bolts on the back of the tank with the wrong size and it didn’t help that the repair kit that said “universal fits all” really meant “fits most but not mine”.

    It’s the WaddaYaMean It Doesn’t problem.

    My graphics card took a dive over the holiday making the PC screen go all wonky. Great boxes and vector flashing all over the monitor, very little readable text. The replacement card is 2 slots thick. Yeah… it’s in but I expect it will pop out of the slot soonerisher.

    You never have enough slots or złoty when you need it.

    Other than the above, “All of the Above” on the poll would nearly encompass it.

    It’s missing the part of being tasked with

      Part 1: Inventing Something All Brandy New That No One Has Ever Done Before (successfully)
      Part 2: Make sure it can be patented or held as Trade Secret. (No you don’t get any bonus)
      Part 3: Have it in QA by EOW.(drum roll)

    A Pocket-Clive would have been extremely useful.

    SpaceLifeForm January 6, 2022 1:55 AM

    @ JonKnowsNothing

    Re: busted JSON file? leaking toilet?

    I hear Emacs can solve both problems.

    Just need the proper plugin.

    SpaceLifeForm January 6, 2022 3:11 AM

    Stop the Planes!

    Apparently there has been bandwidth and/or signal quality issues for nearly two years now.

    Xi’an Xianyang International Airport, one of China’s busiest airports, cancels all remaining flights amid COVID outbreak

    Gerard van Vooren January 6, 2022 3:27 AM

    @ SpaceLifeForm,

    Stop the Planes!

    Yes. It is groundhogday… Again.

    What happened to the world? Why did everyone get insane?

    It is a flu, it’s not Ebola.

    SpaceLifeForm January 6, 2022 4:37 AM

    Weird math automagic fix

    https://www.bleepingcomputer.com/news/technology/honda-acura-cars-hit-by-y2k22-bug-that-rolls-back-clocks-to-2002/

    “Yes, we are so sorry for the issue you are experiencing with your vehicle. We have escalated the NAVI Clock Issue to our Engineering Team and they have informed us that you will experience issue from Jan 2022 thru August 2022 and then it will auto-correct,” Honda customer support told a car owner.

    Another Honda owner was given a similar response that the issue will automatically be fixed in August 2022.

    ResearcherZero January 6, 2022 4:52 AM

    @SpaceLifeForm

    No one wants to take responsibility when a nation state is involved, but there are agencies that will lend a hand and also provide advice. Despite all the rhetoric, government will also try and stay out of it, apart from laming blame as to who should be responsible, along with the police, who also are not responsible. There seems to be no real consensus on who exactly is responsible, apart from the victim, who is obviously always responsible for their own fate.

    Winter January 6, 2022 8:09 AM

    @Gerard
    “It is a flu, it’s not Ebola.”

    It depends on how you value the life of others. As has been written and said many times, this is not about your personal health, but about whether the hospitals and the rest of the health care system can keep working and treating people or are swamped with sick people.

    The reason for the panic is that so many people did not get all the jabs. If you say “It is just the flu”, and “I won’t get sick anyway”, then I say “It is just a simple jab” and “the jab won’t hurt you”.

    So, get all your jabs and make a 2G policy. Then the pubs and clubs can open again.

    Clive Robinson January 6, 2022 9:13 AM

    @ SpaceLifeForm, ALL,

    Meet “NoReboot”: The Ultimate Persistence Bug

    Firstly, as you know the statment,

    “The “NoReboot” approach simulates a real shutdown. The user cannot feel a difference between a real shutdown and a “fake shutdown”.”

    Is not true, it only applies in this case to “user interface”(UI) not the “Over the Air”(OTA) or RF Interfaces, or the “Power” interface. And as it is doing “work” by the basic laws of physics it has to radiate the energy used or go down the “Heat Death” road.

    So there will be two things a user can detect,

    1, It’s slightly warmer than it’s suroundings.

    2, The battery life when the user turns the phone back on will be markedly shorter.

    There are also other simple tests for RF emmisions I’ve mentioned in the past etc.

    But all that asside,

    Yes it’s to be expected and darn dificult to stop.

    I know this from several decades of experience, which was once common, but now appears to be becoming one of those “forgotton arts of ICTsec”…

    So time to roll out a little history so that those under fifty can learn something a little new.

    @ ALL,

    Many years ago I designed electronic locks, and as I mentioned previously somebody was stealing our code…

    Back then this was a problem that plagued the “Computer Games Industry” as well, so there was a lot of money tied up in stopping “code theft” from “tapes”, ROMs and later Floppy Disks and CD-ROMs.

    But the electronic locks were “embeded systems” that were quite small and had no predictably moving parts you could use, so I only had the “unencrypted ROM” option avsilable to me.

    I re-wrote the code to use a jump table to some subroutiens, that was built in RAM. The 8bit CPU we used had the advantage that it had an 8bit JMP as well as a 16bit JMP so for very regularly called routiens the use of such a jump table could quickly save quite a few bytes of ROM at the expense of some RAM. So it was a not unexpected trick amoungst assembler level programmers that nearly all embedded system designers were back then. Because both bytes and speed realy counted back then and assembker with tricks was the only way you got both.

    The thing is though what if your jump table is in RAM then you can make that jump table “evolve” as the code progressed (this idea is still used as part of the idea about “locality” with such apparently mundain things as filling CPU caches, which is another potential side channel I’m waiting to see get explored by Doctoral Thesis writers 😉

    But an evolving jump table can be quite a bit of a mind bender for anyone trying to reverse engineer. Because in effect the ROM says JMP via X to YY but YY keeps changing.

    But as those trying to stop “games protction cracker” knew it was not sufficient, as all determanistc processes suffer from Kerckhoffs’s principle[1] so you need something secret that is not in plain sight…

    So how to do it… One of the advantages of embeded systems is you can design them to use “non standard pin out” parts. Or if you want things very small “flip chip” and “ball grid array” parts are available where getting at pins to run “In Circuit Emulator”(ICE) equipment is not realistically possible except with very expensive lab equipment. So data in a CPU register can be hidden from being probed out. The question is how to make it extrodinarily dificult to work out playing “paper computer” or these days using a software based ICE. You do it in two parts the first is by a hardware trick, to stop the use of a Soft-ICE the second is to make the algorithm incomprehensible but still of use, and preferably dual purpose as well as every byte in ROM counts…

    There are several groups of “anoyingly useful” algorithms that act like “generators” or “hashes” that are minimal code but infuriatingly difficult to understand if they are not an area you specialise in.

    One such is certain “Cyclic Redundancy Checksums”(CRCs) can have two or more ways to be not just generated but checked. One side effect of this is you can roll some of them backwards with the result you can end up with a predetermined value. Think of it like adding a fixed value repeatedly and modding it by a prime, it generates a fixed sequence of numbers, by knowing the trick of mathmatical complementing you can geberate the same sequence using subtraction. O there are “logical equivalents”. Or the likes of “Linear Feedback Shift Register”(LFSR) where you can generate seguences with the XOR gates function either in between the shift register storage ellements or like parity circuits as an invers tree to generate the feedback value (known as “Galois LFSR” or “Fibonacci LFSR” forms).

    The result is you can end up with a “hidden value” in a CPU register that can not be easily “reverse engineered”. Worse for an attacker you can roll it in either direction so it continuously evolves up or down the sequence. Oh and due to the nature of such sequences, adding the same sequence to it’s self but with an offset, generates the same sequence but with a different offset. Giving opportunities for all sorts of fun and games…

    As far as I am aware those trying to steal the code, stopped doing so…

    The point is if you can use a RAM based Jump Table or similar to change the flow of execution at the block/subroutien level, it gives you some very interesting possibilities, which is in effect what this “NoReboot” code uses. When you think about it it is way more powerful than by the older method of making just in line branch statments change incorrectly…

    [1] Kerckhoffs’s principle is usually associated with cryptography where it is considered one of the basic or foundation principles. However in reality it is much broader in scope when considered in terms of both information and physical security, a point many do not consider.

    Dutch cryptographer Auguste Kerckhoffs, formulated the idea around the end of the nineteenth century and he wrote it in a couple of manuscripts on cryptography in 1883 as the second of six rules designers and assessors of systems using cryptography should consider.

    Auguste Kerckhoffs’s principle is usually stated in an unhelpfull short hand also attributed to Claude Shannon,

    “The eneny knows the system”

    But more fully,

    “Any cryptographic system has to be secure even when everything about the system functioning is known to the enemy.”

    Oh,

    “With the exception of the key” 😉

    The cryptographic algorithm key becomes part of the system root of trust on which all the system security rests. Other parts of the root of trust, arise when base crypto algorithms such as AES are used in a “mode” algorithm such such as CBC/CFB/OFB or CNT as a chaining mode “Initialization Vector”(IV) or as a stream cipher counter or State Array “seed”. In a sensible but not efficient design, each layer would have it’s own part share of the “root of trust”.

    [2] Cyclic Redundancy Checksums (CRC) are mainly used as “error-detecting codes” for data storage and transmission (but rarely as a processing element). They use a linear algorithm to create a short integer, in which every bit of a long block of data changes the value, preferably by some “avalanche” mechanism. As noted they are very commonly seen in digital communications and storage systems to detect accidental changes to what is unstructured or effectively random blocks of data in known sizes. Blocks of data are run through these algorithms with the checksum changing significantly for each bit, byte or word. The result gets appended to the data block. When data is recieved or retrieved the process is repeated and the appended checksum compared with the freshly generated checksum. If they match the data is “probably” without error. CRCs are a subset of “hash functions” but are generally linear which makes them not just reversable but makes generating two blocks of entirely different data but with the same checksum trivial. Unlike nonlinear crypto hashes which are generally not reversable and are used to detect and effectively stop deliberate data block changes.

    Clive Robinson January 6, 2022 9:19 AM

    @ SpaceLifeForm, Anders,

    I would also throw SolarWinds and Kaseya into the pot

    Just as you would any other “vegetables” 😉

    lurker January 6, 2022 11:55 AM

    @ResearcherZero

    Sure, physical switches are cool, for you, me, and maybe some others who read this. But as a hardware guy I gotta tell you, physical switches have moving parts, they will break and/or wear out; and they cost more to put in. So manufacturers don’t like ’em.

    A physical switch can turn the device OFF. Nice, but then it will have to reboot from cold. Users prefer to be watching twittgrams than a spinning orange. So users don’t like ’em.

    Even if we can see advantage in a physical switch, convenience will always trump security.

    Clive Robinson January 6, 2022 12:45 PM

    @ lurker, ALL,

    Even if we can see advantage in a physical switch, convenience will always trump security.

    The number of times I think “I should get that printed on tee-shirts” is increasing to the point it is almost daily…

    @ ResearcherZero, SpaceLifeForm, ALL,

    They should put physical switches on mass produced phones.

    Physical switches have very many problems sometimes you wonder how we ever got anywhere with them.

    But the question arises as to,

    “What are you going to switch?”

    Turning of “the power” does not work for a number of reasons

    1, “System on a Chip”(SoC) is the way things tend to be done so “one off = all off”.

    2, Many chips “share common”circuits so have to remain powered.

    3, Bus I/O lines don’t get issolated.

    The last one can be a classic to watch people “debug”. I’ve actually seen VLSI IO chips get powered up by the diode protection on the CPU side busses, so disconnecting Vcc does not actually do very much, but does put one truck load of noise on the CPU busses with all the attendent problems that creates.

    But at the end of the day, switches are, a nightmare. Modern electronics is too thin to have the needed mechanical space. They are also too fragile because they are too small. Operating force can be way to high for “little fingers” and too fragile for big fingers. The number of reliable guaranteed operations can be as low as 100… Oh and they are gettig on for being either very noisy electronicly or eye wateringly expensive due to the need for rare earth metals.

    But another issue is they do not work well in surface mount electronics as they can eaisly rip the tracks and pads off of micro fine PCBs…

    The cost of solving there problems is actually be prohibitive for the whole product…

    Clive Robinson January 6, 2022 3:26 PM

    @ JonKnowsNothing,

    Apparently this paper has noe been peer reviewrd and published.

    https://www.biorxiv.org/content/10.1101/2021.12.14.472632v1

    Whilst it might sound initially like good news if you remember back to our discussions on mink and otters one of the general species I was most concerned about becoming a reservoir species was “rodents” as you are generally within six feet of one every day even in cities…

    It might also on part account for the stange “misting” pictures we saw from China just recently, as getting at such rodents is not easy except when they appear to feed on garbage and the like.

    ASmith January 6, 2022 8:39 PM

    Greetings to Bruce Schneier and readers of the Schneier on Security blog.

    Afew years ago I was working to engage the free software security auditing panel to which Schneier and other security experts in their various fields were panelists. The foss project lead developer at that time stated the newest beta release of Retroshare v0.6.0 wasn’t ready for a security audit and my efforts to put the two parties together for that wonderful opportunity was dashed.

    Is the free software project security auditing panel still up and accepting requests?

    I can’t seem to locate my notes nor links to that group. Thanks for updates and your responses.

    Winter January 7, 2022 12:43 AM

    @All
    WHO reports that Om mainly infects the upper respiratory tract leading to less severe symptoms:

    ht-tps://www.reuters.com/business/healthcare-pharmaceuticals/who-sees-more-evidence-that-omicron-affects-upper-respiratory-tract-2022-01-04/

    This reminds me of a study from 2012 by Ron Fouger[1] (Netherlands) where he studied how bird flu could evolve into a more contagious form that could easily hop from human to human, or rather from ferret to ferret in this study:
    ht-tps://www.independent.co.uk/news/science/alarm-as-dutch-lab-creates-highly-contagious-killer-flu-6279474.html

    There was a worldwide panic, as bird flu is deadly, even though the study was done in ferrets. The study was censored and could not be published. Ron Fouger was put under a restraining order not to say a word about it, so he could not tell us the happy outcome.

    I attended a talk by Dr Foucher where he made it clear (he couldn’t tell it outright) that the study found that the higher infectiousness was caused by a switch of the site of infection from the deep to the upper respiratory tract. That also made the variant rather harmless. These results were later confirmed when the craze was over.

    Which is to show that we already knew how the virus could evolve from timely research that we did not want to hear back then. The Independent piece also indicates why the US did not want others to do such research.

    [1] Ron Fouger is a colleague of Marion Koopmans in Rotterdam, who was one of the members of the WHO mission to Wuhan to look for evidence of the origin of the pandemic. They do world class research on the flu and other viruses.

    JonKnowsNothing January 7, 2022 12:44 AM

    @Clive, @SpaceLifeForm, @All

    re: The mouse that roared

    Grand Fenwick might not be coming to the rescue if that research proves correct.

    I am fairly sure that engineered mice are used for SARS-CoV-2 testing. They have very short shelf lives. There are other engineered lab animals used too, as mentioned in the paper but tracking that 1(?) mutation to the mouse genome is an interesting stretch.

    If I understood the proposed jump:

    • HumanD614G/Alpha/Delta@2019->MouseOmicron@2020->HumanOmicron+Mouse@2021

    If it was circulating in wild mice throughout 2020, there ought to be some regional differences between MouseOmicron@2020 aka sub-lineages and geographic distribution of that mouse population as well as evidence of viral residue.(1)

    It was left ambiguous whether the OriginalMouseOmicron@2020 survived after the jump to humans in the wild, or did it die out like the OriginalCOVID-19-Wuhan strain when D614G emerged.

    We have deer and mice now to consider.

    iirc(badly) There are 2 primary veterinarian use vaccines for COVID-19 in animals. There is one used in the USA (Zoetis) by zoos and mink farms. There is another in Russia (Carnivac-Cov) used in their mink farms and works in a wide variety of fur animals.

    The Russians and now vaccinating cats and dogs with their vaccine.

    The USA version is attempting to raise funds to submit their vaccine for human use.

    ===
    1) Same as the White Tailed Deer that all seem to have gotten COVID-19 in short order across multiple states and countries. They test positive for COVID-19 antibodies, that match the human genome variants dominant at the time of discovery.

    Clive Robinson January 7, 2022 5:35 AM

    @ JonKnowsNothing,

    If it was circulating in wild mice throughout 2020, there ought to be some regional differences between MouseOmicron@2020 aka sub-lineages and geographic distribution of that mouse population as well as evidence of viral residue.(1)

    There very probably is.

    But it’s been going on in an “information free zone”. There were two reasons Om got picked up,

    1, It got into a much higher testing region.
    2, Whilst it was originally thouggt to be a cold on symptoms, testibg showed it was SARS2 related.

    So yes there would be a “big hole in the data” without testing available and medical support very low and it’s survivability amongst the previously infected high, then it wouls get missed quite easily without testing. Oh and cognative bias would also come into play as well.

    The paper is written on what is in a numver of genome DB’s and “in silico” computer simulation testing.

    Could it be wrong well GIGO does apply as does data “paucity / spottyness / islands” issues.

    Should the paper be read and considered yes, should policy be set on it not yet as further verification in other study types is needed.

    Does it explain what we are seeing, yes, but that’s not to say other causes may be in play[1] and it does not rule that out. So more real life “in vitro” and “in vivo” lab work needs to be done.

    But, the cost of changing policy slightly to meet a “rodent reservoir” threat is not that high and would have many other societal health benifits…

    So there are pros and cons, but from where I’m sitting the pros have the advantage currently and not just with respect to covid.

    [1] From one respect this is not science in that it argues from effect to cause, rather than the accepted effect to cause. Currently doing the effect to cause has not been carried out and arguably is unethical in a number of ways.

    JonKnowsNothing January 7, 2022 3:00 PM

    @Clive, @SpaceLifeForm, @All

    re: Mouse Virus Reservoirs

    There are existing mouse reservoirs of different viruses. So a potential mouse-omicron-vector model isn’t that far from other known mouse-virus-vectors.

    The method of transmission for these is aerosolized virus shed from stool, urine. Omicron-SARS-CoV-2 is still a live virus respiratory illness transmitted human-human by breathing within 30 ft and under 15 seconds.

    So there would need to be another jump in how the vector worked. From active breathing to inhaled wet or dried urine.

    • Sin Nombre SNV orthohantavirus

    First isolated in 1993 from mice; causes hantavirus pulmonary syndrome (HPS).

    Hantavirus pulmonary syndrome (HPS) is one of two potentially fatal syndromes of zoonotic origin.

    HPS has an incubation phase of 2–4 weeks, in which patients remain asymptomatic. Subsequently, patients can experience 3–5 days of flu-like prodromal phase symptoms, including fever, cough, muscle pain, headache, lethargy, shortness of breath, nausea, vomiting and diarrhea.

    In the following 5–7 day cardiopulmonary phase, the patient’s condition rapidly deteriorates into acute respiratory failure.

    The virus can be transmitted to humans by a direct bite or inhalation of aerosolized virus, shed from stool, urine, or saliva from a natural reservoir rodent.

    Hispid cotton rat, deer mouse, white-footed mouse, long-tailed mouse & others

    • Hantaan orthohantavirus

    Is the causative agent of Epidemic hemorrhagic fever in humans.

    Symptoms appear within one to two weeks after exposure to infectious material, but in rare cases, they may take up to eight weeks to develop.

    Initial symptoms begin suddenly and include intense headaches, back and abdominal pain, fever, chills, nausea, and blurred vision. Individuals may have flushing of the face, inflammation or redness of the eyes, or a rash. Later symptoms can include low blood pressure, acute shock, vascular leakage, and acute kidney failure,

    Transmission is believed to be through inhalation of aerosolized rodent urine and feces.

    rodents, mice, rats, voles.

    In Australia they have had repeated mouse plague tsunamis:

    • Mouse plagues occur in southern and eastern Australia, usually in the grain-growing regions, around every four years. Aggregating around food sources during plagues, mice can reach a density of up to 3,000 per hectare (1,200/acre)

    ===

    Search Terms

    • Sin Nombre SNV orthohantavirus / Hantavirus pulmonary syndrome
    • Hantaan orthohantavirus / Hantavirus hemorrhagic fever

    SpaceLifeForm January 7, 2022 5:17 PM

    @ Ted

    Attribution is hard

    Even though we are pretty sure that most of the attacks originate from Russia and/or China, that it not enough.

    It is too easy to false-flag malware, and make it appear as though the perps were X or Y, but they really were Z.

    This is why the sellers of ransomware insurance will have an out.

    It actually will save an org money if they ditch the insurance, and just properly harden their systems.

    Insurance has been a scam for a long time. The insurance companies love to collect the premiums, but they find excuses to not pay out large amounts.

    lurker January 7, 2022 6:13 PM

    @JonKnowsNothing

    So there would need to be another jump in how the vector worked. From active breathing to inhaled wet or dried urine.

    Back in the ’70s the local people in NW Zaïre knew Ebola as Green Monkey fever. Local folklore said transmission from monkey to human came from the monkeys urinating on sacks of rice, beans, groundnuts &c. in storehouses.

    SpaceLifeForm January 7, 2022 7:14 PM

    @ name.withheld.for.obvious.reasons, ALL

    Irony vs Hypocrisy

    Can the Onion sue for irony infringement?

    https://www.reuters.com/world/us/state-lawyers-arguing-against-biden-vaccine-mandates-test-positive-covid-19-2022-01-07

    Two officials presenting arguments on Friday to the U.S. Supreme Court seeking to block vaccine mandates ordered by President Joe Biden’s administration have tested positive for COVID-19 and will make their cases remotely, their offices said.

    [defense lawyers: Your honour, there was no irony intended, our clients are just hypocrites, and it is their First Ammendment Right to be a hypocrite]

    Ted January 7, 2022 7:37 PM

    @SpaceLifeForm

    Re: Attribution is hard

    Did it surprise you to hear that several cybersecurity experts are saying attribution is becoming easier? It did me. And I made a mental note of it.

    The article you posted earlier said that insurers are trying to avoid covering a lot of costly situations – like nation-state cyber attacks, attacks on critical infrastructure, ransomware, etc. It seems you’re right to say that an insurance policy wouldn’t cover these types of events, even if attribution was possible.

    Clive Robinson January 8, 2022 12:14 AM

    @ Ted, SpaceLifeForm,

    Did it surprise you to hear that several cybersecurity experts are saying attribution is becoming easier? It did me. And I made a mental note of it.

    I saw something earlier this week and mentally skated over it…

    Just tried searching for it and DDG is letting me down.

    I’ve seen similar things said before, and almost invariably the experts have been wrong.

    The usuall reason is the experts look in the wrong places in the wrong way and miss the fact that the ofenders can chose what to attack and when.

    Look at it this way, “the experts” talk about their “nethods and sources” and within a short while they either nolonger work or they are working against Muppets.

    If I were a “cybersecurity expert” I’d be asking the obvious question of “Where are the Cyberattack experts doing their thing?”

    A little history about CCTV systems… They were touted as the miricle solution to street crime…

    Yes arests were initially high but the smarter crooks,

    1, First moved where there was no CCTV.
    2, Developed anti-CCTV techniques.
    3, Moved into other types of crime.

    Generally the only people getting caught on CCTV are drunks and idiots, the smarter criminals now know that anti-CCTV techniques nolonger work because the number of cameras is just to great…

    You stop your car somewhere quiet nip out to have a quick whiz behind a bush and some nut bar will catch you on their “Wildlife stalking cam” and would have the vid with your number plate and face up on Social Media to for ever haunt you…

    The so called “Dec 37” investigation is basically doing exactly that.

    So getting back to “attribution getting easier” well yes probably because the smart ones have moved on and left the idiots behind.

    There is just way to much money to be made. Ransomware is just a sign that some people have had way to easier a time, and have got complacent and lazy.

    If I were getting into some of the places these ransomware people have got into, I would be looking at making money from the information via stock trades and passing it on to the opposition etc. Basically taking a more APT approach and making money two or more steps away from it. Oh and taking small bites not big gulps.

    It is allegedly the big gulps that has led to a Russian having his Swiss holiday interrupted last year. The trades as portrayed were just “to obvious to be ignored”, but the real question is not if the US authorities have got the right guy on that, it is unimportant. No the real question is can they pin enough on him one way or another for the real shakedown to work…

    Ted January 8, 2022 5:54 AM

    @Clive

    Re: Attribution

    Yeah, I understand what you are saying. I think they were saying that cyber incidents (and particularly significant ones) could be attributed more often. I don’t know if less critical cyber pick-pockets merit the same level of investigation.

    I hadn’t really been keeping up, but am wondering if many big cyber events have been attributed?

    JonKnowsNothing January 8, 2022 10:58 AM

    @Ted, @Clive, @All

    re:Cyber Attribution

    When large scale Quantum Computers are common desktop items, it might be possible to do large scale Hunts-For-Red-October thru all the data held a Bluffdale. It might be possible to do large scale statistical analysis on the data for coding-patterns to ID individual coders (Stylometry).

    We all have a style, even you.

    There is however a different quadrant to consider:

    • Why do you even care about “attribution”?

    It really does not matter, not in the short term and not in the long term. The only thing that matters is:

    • If you found a bug, can you fix the bug?

    The answer to that is much quicker than worrying about which person on the planet triggered/exploited the bug.

    • The bug(s) cannot be fixed, under the current iteration of the internet

    For instance:

    A MSM report “UK military chief warns of Russian threat to vital undersea cables” is a fair example of this.

    There isn’t any secret about the undersea cables. They are not hard to find. Anyone with even basic telemetry tracing and/or access to Wikipedia can locate all the public cables. The only cables we don’t officially know about are the private cables:DOD Stuff.

    The thing about the DOD cables is:

      The DOD has no clothes and Norwegian soldiers even have to return their underwear.

    Cables are physical items. Clive and others write often about physical items have PHYSICAL presence. You cannot throw a Harry-Potter-Invisiblity-Cloak over them.

    Space based satellites are just as visible. Even a poor telescope can spot them and young schoolers in astronomy clubs not only spot comets and celestial bodies but also secret military deployed satellites and even decode their transmissions.

    The other aspect of “secret cables” is also the physical aspect: they are dropped by special cable laying ships. These are not dinghies they are big ships and have a constant stream of supply ships chugging out to bring them more cable. All you have to do is Follow The Suppliers which can be done by nearly everyone, including G$Maps.

    From an old folk song:

    Follow the metal to find the foundry, follow the product to find the ports, find the wakes to follow the ships, follow the ships to find the destination.

    You don’t even have to follow it all that far. A some point in the voyage, the range of possible landfalls becomes small enough to predict.

    Then you can continue from the other end.

    Lt. Uhura: “Well the thing’s got to have a tailpipe.”

    Although in Norway, the rear-ends are very cold.

    Clive Robinson January 8, 2022 1:17 PM

    @ SpaceLifeForm, Ted, ALL,

    Is this the one? If not, it may flip some toggles for you.

    No it’s not, though it might be the underlying work for the article I did see mentioned.

    If memory serves correctly I was on a security site I don’t usually frequent –the world, his son, and the sheep dog, all have’m these days, oh and some of the sheep as wel…– doing some research on an other topic, and there was a title and URL to another article there and it was the title I remember, as I did not read the actual article.

    However the “Clara Assumpcao” paper you point to, starts off blandly enough setting up an over view. Then we get this…

    “The more elaborate the attack, the harder it is to attribute. Even perfect technical attribution, however, will only go as far as identifying the individual or group behind the attack.”

    No it won’t. Either she has a different meaning for the distinction between what she considers technical-v-human or she has got a problem with understanding the issue.

    It’s why there is a limit on “technical” via the network etc, the last mile realy does have to be “boots on the ground HumInt” or else the conclusions are not “beyond reasonable doubt” where current computer architectures are in use.

    The problem is one that I’ve explained a few times over the years on this blog, and for many it’s troublesome, and not where they want things to go or be like. To them it’s “Phantom limb syndrome” and it it itches every bit as much, and there is nothing that can be done about it with current computer architectures.

    This is actually due to work carried out before even Konrad Zuse made his Z1 electro mechanical computer[1]. The work in mathmatics[2] predates even Alonzo Church, Alan Turing and Steveb Kleen’s works all published in 1936.

    That is hslf a decade earlier Kurt Gödel showed that without doubt beyond a certain point mankind can not create a descriptive model or logical system that can describe it’s self. That is there will always be some things that we can not determine the truth of in any useful or meaningful logic. Further by extension there are things we can not deduce, but we might be able to find them by observation of real systems we try to model.

    Cutting out a lot of steps in between one consequence of this is that any modeling system –of which Turing Machines are just one– can only have outputs that you can determin from just it’s inputs and knowledge of how the logic of the system works, and these are necessarily incompleate (See Georg Cantor’s 1891 diagonal argument).

    Yes read that again, it says that of all the outputs that are possible from a Turing engine, not all of them can be generated from it’s inputs or logic. It is what the bases of the “Halting problem” is all about. Which Turing, Church and others showed by importantly different techniques[3].

    Again cutting out many drear steps in between a further consequence is that a Turing Engine can not tell if it has been suborned or not[4] in fact nobody can do it with 100% reliability no matter how much time they expend.

    So if the “Deamon in the black box” can not truly enounciate it’s state, nor can an observer test the black box state to see if it is true or false.

    Look at it this way, if I put malware into a current computer architecture system, that detects you are trying to establish if the malware is there I can via the malware make the computer give the same response as it would if there was no malware there…

    Since the 1980’s atleast the smarter system intruders and later malware writers have done just this. Whilst they can not do it perfectly, they certainly can with current computer architectures do it beyond the point an external observer or even other system intruder can reliably or even realistically detect (hence my thoughts over several years that gave rise to the “Castle-v-Prison” architecture).

    Which is the point that statment from the papers author I quote above misses so glaringly to my eyes…

    [1] Konrad Zuse’s Z1 electro-mechanical computer was constructed prior to WWII unfortunately like Charles Babages mechanical computer it was an “incremental work in progress” used for testing. That is the inventors paper work designs far outstriped the capabilities of the built design. Whilst little bits of Babages much early work survived and was well documented by others including Government committies and auditors and members of the public and press, Zuse’s work was not for various reasons. As far as we know nothing remains of Zuse’s Z1 it was bombed during WWII and as far as we know totally destroyed. At about the same time Tommy Flowers in Dollis Hill England at the Post Office Research labs was having trouble convincing his bosses to switch from electro-mechanical to electronic circuits using thermionic valves (tubes) and he ended up paying for the development of the first electronic computer out of his own pocket and having it classified for nearly half a century…

    [2] Kurt Gödel’s incompleatness theorms proved the “immovable object” reef on which the well ordered ship of mathmatics not just ran aground but was for ever wrecked. He came up with the ideas in the late 1920’s that gave rise to the published proofs by 1931. But it was not just mathmatics it effected it was philosophy thus all things to do with information processing and the yet to be fields of computing and modern forensics, computer security and much more besides. Oh and even that of quantum computing and no doubt much more in the future as well,

    https://www.quantamagazine.org/how-godels-incompleteness-theorems-work-20200714/

    Prior to Gödel’s publications mathematicians and philosophers were looking for “the brush strokes of the hand of God” and “Determinism” thus “absolute truth” as a rigid foundation of all understanding. What Gödel gave them was not what they wanted, what it showed them was “The Work of the Devil” instead. That is there a point at which not just modeling of systems but determinism it’s self is not possible. There is no absolute truth, nor can there be. Which is actually a good thing not a bad, as others are coming to realise, because by inferance it shows there will be a successor set of points, where the limits of the descriptions of the foundations are surpassed. We are starting to see with Chaos theory and similar by which the likes of complexity can be investegated, and even Hard AI might one day become achivable, maybe 😉

    [3] Life as we live it is about “rules of thumb” they are not proofs and they are not always right, but “generally they are indicative”. One such is the quasi military rule of,

    “Once is happenstance,
    Twice is coincidence,
    Thrice is enemy action.”

    Or if you prefer it describes a spectrum from pure random to pure determanistic with complexity / chaos filling to various degrees points in between.

    [4] Actually computer systems sometimes do indeed give an output that can not be predicted by full knowledge of the inputs and functionality of the system and they are not broken when they do so. I’m not going to go into the full ins and outs of metastability and how you can reduce it but rest assured it is always there waiting… It’s easy to describe by physical object analogy. Imagine a length of metal rod, which you throw into the air spinning as it goes, how do you expect it to land? Most would say “on it’s side” not “on it’s end” and most of the time they would be right to do so. But what if the length of the rod is reduced to considerably less than the diameter that is it becomes what many would think of as a disk or even a coin, then they would say one of the two “faces” or what are actually ends of a very short rod not it’s “rim” or what was the side of the rod from which it was cut. The thing is sometimes coins do land on their rim I’ve seen it twice in my life, and like those who were with me it was a matter of instinctive disbelief. Obviously at some length of rod the probability of it being the end or the side of the rod –or face and rim of the coin– becomes equal. You will never have a rod long enough to eliminate the possability of “an end” nor a coin thin enough to eliminate the possabiliry of “a rim”. What actually happens when you get down to it, is dependent on what appear to be random effects from thermodynanics.

    Many physical systems be they mechanical or electronic are actually designed to be at this mid point where metastability is the greatest. The reason why is down to a number of things but two are,

    1, Enhanced speed of operation.
    2, Reduced energy of operation.

    If you want to know more about the electronics side of things that relates to logic gates and thus computer chips then have a read of,

    https://www.mpi-inf.mpg.de/fileadmin/inf/d1/teaching/summer18/TKDS/lec6.pdf

    The point to remember is that the possibility of even the thinest of coins landing on it’s rim is always there… In fact sometimes we actually try to design for increased instability in logic systems, one such being the so called “True Random Number Generators”(TRNG) you find on some computer chips, (of which I have “many negative things to say”).

    Clive Robinson January 8, 2022 2:18 PM

    @ JonKnowsNothing, ALL,

    Although in Norway, the rear-ends are very cold.

    It ain’t just Norway…

    And something to turn your stomach… That handed in underware gets put in a bin “unwashed and unchecked” and when heavy enough makes a “lot” to suppodadly be recycled…

    But some lot’s become “military surplus” still unwashed, still unchecked…

    If you ain’t got an itch or an Ewhee feeling, then you’ve spent to long on the farm shovelling it up 😉

    Oh and remember the stories of colonial attempts at genocide in the Americas where they handed out “smallpox blankets” to the indigenous peoples?

    https://www.history.com/news/colonists-native-americans-smallpox-blankets

    Now are people itching? If not look up how long the likes of anthrax spores remain viable…

    JonKnowsNothing January 8, 2022 9:41 PM

    @Ted, @Clive, @All

    re: Cyber Attribution by Underwear

    An aspect to attribution that may get missed in the mist is the Unknown-Unknown.

    By pre-focusing on “the knowns”, it sets up an internal bias that is difficult to redirect to “unknowns”. By pre-focusing on “Russian threat…” it’s much harder to consider “Not Russian threat”.

    It’s partly due to how our brains work.

    example
      “Don’t think of Pink Elephants”

    A very large number of people will have already “thought about Pink Elephants” before they even realize they have thought it.

    So it maybe that there is a “Russian threat” but there maybe “other threats” that are just as important to note.

    Consider: Known Threats A B C D

    Set them in a Venn Diagram with an intersection between them. You can move the distribution points to overlap or not overlap. Regardless of how you move the areas there are still: A B C D

    By focusing on A B C, D you may miss O. Primarily because you were not looking for O so you didn’t see it.

    It’s how Omicron got missed. We were looking at Delta and missed Omicron.

    You can look at any grouping for attribution and you will find:

    What you want to find. You may not find what is there.

    This is one hazard of focusing on attribution rather than method and response.

    Farmers know all about Left Open Gates. It’s less important to worry over who left the gate open, than to round up the cattle and get them back in the pen.

    After you get the cattle back in the corral you can fuss over the gate.

    At least most gates are fixable, not so with the current internet code.

    Spit, gum and bailing twine won’t work.

    Leave a comment

    Login

    Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

    Sidebar photo of Bruce Schneier by Joe MacInnis.