Friday Squid Blogging: Unexpectedly Low Squid Population in the Arctic

Research:

Abstract: The retreating ice cover of the Central Arctic Ocean (CAO) fuels speculations on future fisheries. However, very little is known about the existence of harvestable fish stocks in this 3.3 million–square kilometer ecosystem around the North Pole. Crossing the Eurasian Basin, we documented an uninterrupted 3170-kilometer-long deep scattering layer (DSL) with zooplankton and small fish in the Atlantic water layer at 100- to 500-meter depth. Diel vertical migration of this central Arctic DSL was lacking most of the year when daily light variation was absent. Unexpectedly, the DSL also contained low abundances of Atlantic cod, along with lanternfish, armhook squid, and Arctic endemic ice cod. The Atlantic cod originated from Norwegian spawning grounds and had lived in Arctic water temperature for up to 6 years. The potential fish abundance was far below commercially sustainable levels and is expected to remain so because of the low productivity of the CAO.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Read my blog posting guidelines here.

Posted on March 25, 2022 at 4:07 PM • 126 Comments

Comments

SpaceLifeForm March 25, 2022 4:16 PM

Let them eat Bitcoin

hxtps://arstechnica.com/tech-policy/2022/03/russia-considers-selling-oil-for-bitcoin-to-evade-sanctions/

SpaceLifeForm March 25, 2022 4:55 PM

Re: LAPSUS$

What does it really, truly mean to be authenticated in a network environment?

hxtps://www.vice.com/en/article/3abedn/who-is-lapsus-hacking-gang

They essentially allow the hackers to load their web browser in a state where they are already logged into a stolen account, fooling a system into thinking they are the legitimate user.

This is how you can be the Schrödinger employee of Microsoft and be working in USA and Germany at the same time.

You need a HSM to stop this. You need to force a security challenge to be signed by the HSM, to guarantee physical presence.

SpaceLifeForm March 25, 2022 5:18 PM

Still using a Chromium based browser?

Nothing tastes as good as a V8, with some JavaScript for extra seasoning.

hxtps://www.bleepingcomputer.com/news/security/emergency-google-chrome-update-fixes-zero-day-used-in-attacks/

Google has released Chrome 99.0.4844.84 for Windows, Mac, and Linux users to address a high-severity zero-day bug exploited in the wild.

Looks like some interesting version numbering there. I wonder what may happen with a 3 digit Major.

pup vas March 25, 2022 5:19 PM

Breakthrough application of moisture-trapping film to reduce heat stress in personal protective suits
https://www.sciencedaily.com/releases/2022/03/220325122703.htm

=Researchers have developed a novel super-hygroscopic material that enhances sweat evaporation within a personal protective suit, to create a cooling effect for better thermal comfort for users such as healthcare workers and other frontline officers. With this innovation, users will feel 40% cooler and their risk of getting heat stroke is lowered significantly.

In another laboratory experiment, the research team also showed that body temperature (or skin temperature) could be significantly reduced by 1.5 deg C through evaporative cooling. This further proves that the composite film can potentially help users — such as healthcare workers, soldiers or firefighters — relieve thermal stress, especially during strenuous activities.=

Clive Robinson March 25, 2022 5:34 PM

@ SpaceLifeForm,

Let them eat Bitcoin

It won’t work for Russia…

All coins are uniquely traceable, that’s what the “Public Block Chain” ensures (to stop double spend etc). So individual coins can be quickly and easily “black-listed” and their value will drop dramatically in any exchange that wants to trade with the west etc.

So in effect they will be of no use except inside a very small group of nations. Such an arrangement will almost certainly “fracture” as the bit coins have no intrinsic worth or for that matter “trust”.

But money transfers could be done in other ways in a much less costly way, it is what “junk bonds” were created for.

But that is not the issue that is going to cause the big problem…

Trade for physical items in any quantity will show up on satellite imagery… And physical items is all that Russia has to offer, and will certainly need fairly soon (think spare parts etc). Any ships, planes and other traffic flows will be identified and those involved in any way will discover that they will be “sanctioned” as harshly if not more so.

So take Turkey for instance, it might buy Russian Oil, Minerals etc, to “wash-up” to other nations, but they know they are going to get a sizable hit internationally… So the price they will want from Russia may be even less than they are getting with the Ruble…

Basically it sounds like desperate men trying to talk a lead life-belt into flying…

Clive Robinson March 25, 2022 5:53 PM

@ vas pup,

Breakthrough application of moisture-trapping film

I’d be more interested to see how much it could improve “fog and dew” catchers in arid areas to provide drinking water etc.

Matrix March 25, 2022 6:58 PM

SpaceLifeForm:
“You need a HSM to stop this. You need to force a security challenge to be signed by the HSM, to guarantee physical presence”

And then you just compromise the poorly developed/backdoored HSM modules just like RSA SecureID [1]

[1] http s://en.wikipedia.org/wiki/RSA_SecurID

name.withheld.for.obvious.reasons March 25, 2022 10:48 PM

@ Clive, vas pup
There is a nano material that is a molecular capillary for a water molecule. It is about a 10nm structure, uniform in composition, and has a material density an order of magnitude larger than fabricated materials (chemical or organic). Forgot the name off the top of my head. It would be useful in several applications, the issue is secondary reuse and large scale applications. Too lazy to go look at my notes, I may pull them from the shelf tonight.

JonKnowsNothing March 25, 2022 10:55 PM

@ Nick Levinson

re: A dirty diaper can provide security. Most people won’t go near it..

TSA will.

Some years ago there was an incident where an elderly woman was flying with family. The woman was in a wheelchair and used adult diapers (aka Depends USA).

They hauled the elderly lady (and her caretaker daughter) into one of the Interview Rooms for a strip search. The TSA Agents insisted on removing the diaper too.

FBI and LEAs will.

If LEAs think you have ingested “the goods”, they take you to a special room with a toilet that has no flush but dumps directly into a dry RV style portable holding tank. I dunno who gets to find the ring, but if you ate it and it’s non-digestible, they will find it.

Nick Levinson March 25, 2022 11:19 PM

@JonKnowsNothing:

People shouldn’t do illegal things, so that’s a different predicate than hiding valuables from takers not entitled to them.

But, given that, I overheard someone talk about a trip from the U.S. to Jamaica, an international trip, and talk about hiding an illegal drug in socks.

Again, no guarantees.

As to handling human waste, it’s not the worst thing one could do. Parents of babies and nurses do it routinely. Unless you have an open wound or lesion on a hand or on other skin that makes contact, even a tiny wound or lesion, washing hands and other skin afterwards with soap and water is usually good enough protection. The disgust is high because of how we were trained as babies ourselves, which is not wrong for babies whose ability to understand nuances is limited, but we can reduce that in teen and later years by acknowledging safety knowledge.

JonKnowsNothing March 26, 2022 2:07 AM

@Clive, @SpaceLifeForm, @All

re: Watching the alphabet: XD XE XF

There are peeks and glimmers of the next SARS-CoV-2 Mutations of Significance. Reports this week highlight 3 versions of recombinant COVID19 virus.

Recombinant means the virus has characteristics of different lineages. In these cases it’s Omicron and Delta.

  • Delta is an off shoot from the Greek Letter Salad of the last 2.5 years.
  • Omicron popped up recently but was undetected or unnoticed for nearly the same time frame.

The new combinations carry different mixes of each. Omicron has multiple sub-lineages of which BA.1 and BA.2 are the dominant ones. BA.1 brought us December 2021-Jan 2022 wave spike. BA.2 is taking it from there. The Delta sub-lineage is AY.4.

The new letters:

XD Delta and BA.1. has an Omicron S gene incorporated into a Delta genome. aka Deltacron

  • It is present in several European countries but has not been detected in the UK.
  • XD is predominantly associated with France.
  • XD contains the unique mutation NSP2: E172D.
  • XD recombinant lineage is Delta AY.4
  • XD has acquired a BA.1 spike sequence (nucleotide positions 21,643 to 25,581).

XF Delta and BA.1. Caused a small cluster in the UK but has not been detected since 15 Feb 2022.

  • (Likely a dud-ended)

XE is a BA.1/BA.2 recombinant, with the majority of the genome including the S gene belonging to BA.2.

  • XE shows evidence of community transmission within England.
  • 3 mutations that are not present in all BA.1 or BA.2 sequences: (NSP3 C3241T and V1069I), and (NSP12 C14599T).
  • XE recombinant contains BA.1 mutations for NSP1-6
  • XE then has BA.2 mutations for the remainder of the genome.

In the UK report Figure 6 is a very good graphic showing the relative amounts of BA.1 BA.2 and Delta in each variant.

It should be noted that these reports are from human testing, genomic surveillance and human waste water testing. It does not include the observations of zoonotic transfer. (Human – White Tail Deer (WTD) – Human) found in a few cases in Canada.

===

Sources.

Note: The UK, which has been in the forefront of research, is winding down their science groups and reducing funding. Other countries are doing the same. The USA has a Big Dilemma pending over how the USA COVID-19 Response has been authorized and funded. Sources that used to provide detailed reports may no longer do so or report infrequently. In other words: get the reports while they’re hot.

  • this is a download link
    ht tps://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/1063424/Tech-Briefing-39-25March2022_FINAL.pdf

  • this is a download link
    ht tps://www.who.int/docs/default-source/coronaviruse/situation-reports/20220322_weekly_epi_update_84.pdf?sfvrsn=9ec904fc_4&download=true )

(url slightly fractured)

ResearcherZero March 26, 2022 2:10 AM

@SpaceLifeForm

This might go some way to explaining why it has been a chore to report vulnerabilities or other problems to Microsoft, both within their product and their networks.

“a stunning look at the ongoing corruption associated with international tech contracting — and Microsoft’s ongoing struggles to contain it.”

a $40,000 payment to a client in Africa that didn’t smell right. The payment came from Microsoft’s business investment fund — money meant for closing deals and opening up new lines of business.

…Microsoft wasn’t interested in stopping the payouts, preferring to let phony contracts slip through and accept the associated cash.
https://www.theverge.com/2022/3/25/22995144/microsoft-foreign-corrupt-practices-bribery-whistleblower-contracting

ResearcherZero March 26, 2022 3:19 AM

‘We don’t need the army. We need the navy’

Fred Hollows’ doctor son Cam treated people in flood-ravaged Coraki, in northern NSW, as the flood crisis unfolded. The real disaster, he says, has been the lack of planning and failed response from government.
https://www.smh.com.au/national/nsw/we-don-t-need-the-army-we-need-the-navy-i-saw-the-flood-destruction-where-was-our-government-20220309-p5a34l.html

After weeks stuck in her house due to a flood-damaged road, beloved 79-year-old “Nan”, Margaret Allen, was struggling.

Fed up with waiting for authorities — and fearing for Nan’s wellbeing if she remained stranded — locals eventually banded together to fix it.
They did it with plenty of help, and none of it came from the government.

A council spokeswoman said residents were aware when buying in the rural area that it was a “private access road” and that the council was not responsible for it.
The families along the stretch said they just needed access to material and some machinery to make the road passable, and were not asking for a full upgrade or ongoing maintenance.
https://www.abc.net.au/news/2022-03-26/no-nan-left-behind-volunteers-fix-flood-torn-beausangs-lane/100935326

“If I had’ve been told two months ago I’d be homeless, I would have been very surprised.” she said.

Widespread flood damage has seen thousands of Queenslanders forced into homelessness amid an already major housing shortage.
https://www.news.com.au/national/queensland/news/housing-shortage-hidden-cost-of-queenslanders-flood-reality/news-story/d71c6b6a5afcb39c7eb5445301e081f9

The volunteers estimate they have cooked a staggering 60,000 meals for flood victims, aided by $170,000 in donations and the participation of countless other businesses.
https://www.theguardian.com/australia-news/2022/mar/08/chefs-lead-volunteers-to-feed-nsw-flood-victims-in-absence-of-government-food-relief

Private helicopter pilots claim they were never asked to help rescue Australia’s flood victims – despite offering to help
https://www.dailymail.co.uk/news/article-10609093/amp/NSW-floods-Private-helicopter-operators-claim-not-wanted-flood-crisis.html

The veterinarian said phones had been inaccessible for parts of the flooding event, and that many animals in need could only be spotted from the air.
“We heard on Monday afternoon of mobs of two or three hundred cattle that had not been fed, because nobody is there to report it,” he said.
“The only way they can get fed is to spot them from the sky.”
https://www.news.com.au/national/nsw-act/news/nsw-vet-accuses-government-of-slow-flood-response-as-images-of-drowned-cattle-emerge/news-story/48f78057bc70cf9e18e47c911de38e56

The Federal Government has been accused of delivering a delayed and, ultimately, unsatisfactory response to one of Australia’s most severe natural disasters in recent memory.
https://independentaustralia.net/politics/politics-display/federal-governments–flood-response-branded-a-failure-as-recovery-begins,16178

It’s still raining in flood affected areas of NSW

Winter March 26, 2022 3:26 AM

@ResearcherZero
“The real disaster, he says, has been the lack of planning and failed response from government.”

Is this any different from the response to the horrible fires that raged not long ago?

I assume people do not learn, or rather, do not want to learn.

Leon Theremin March 26, 2022 3:35 AM

Ransomware is to personal/business computers what “Havana Syndrome/Directed Energy Weapons” is to 3G/4G/5G infrastructure computers: a way to extort people.

The biggest software companies are hacked again and again, but somehow telecom companies never get in the media for having had their systems broken.

The wind of change is due.

Winter March 26, 2022 5:13 AM

‘Precursor malware’ infection may be sign you’re about to get ransomware, says startup
https://www.theregister.com/2022/03/26/lumu-ransomware-precursor-malware/

A ransomware infection is usually preceded by what Lumu founder and CEO Ricardo Villadiego calls “precursor malware,” essentially reconnaissance malicious code that has been around for a while and which lays the groundwork for the full ransomware campaign to come. Find and remediate that precursor malware and a company can ward off the ransomware attack is the theory.

“The moment you see your network – and by network, I mean the network defined the modern times, whatever you have on premises, whatever is out in the clouds, whatever you have with your remote users – when you see any assets from your network contacting an adversarial infrastructure, eliminate that contact because that puts you in your zone of maximum resistance to attacks,” Villadiego told The Register.

Citing statistics from cybersecurity consultancy CyberEdge, Lumu said that victims that pay the ransom are increasingly recovering their data, from 19.4 percent in 2018 to 71.6 percent last year. This has made companies more willing to pay the ransom – 38.7 percent in 2018, 57 percent now – despite recommendations and pleas from the government and cybersecurity experts not to pay.

Winter March 26, 2022 5:19 AM

Some positive news in these dark times:

Vaccines elicit highly conserved cellular immunity to Omicron
ht-tps://www.nature.com/articles/s41586-022-04465-y

T cell responses to spike cross-recognize Omicron
ht-tps://www.nature.com/articles/s41586-022-04460-3

tl;dr

These data provide immunological context for the observation that current vaccines still show robust protection against severe disease with the Omicron variant despite the substantially reduced neutralizing antibody responses

name.withheld.for.obvious.reasons March 26, 2022 9:10 AM

10 Jul 2020 — International Bodies on the Move
Alternate essay title, ‘Observing Mars in Retrograde’

Question: What borders on stupidity? …

Answer: Canada and Mexico

Multi-Polar and/or Unipolar Alignments
In recent weeks, given all the confusion and outright idiotic behavior that has plagued the world vis-à-vis authoritative bodies (the word government implying governance–when there isn’t), we are starting to see the first bits of polarization in global power and authority. If I am reading this correctly, China is moving toward an international power model that has what I call a “WeChat-centric integration model”, or WIM, flavor to it.

For example; Hong Kong appears to have fallen directly into China’s hands. Is Taiwan next? U.S. companies have expressed concern for data-centers and data that is exposed (or stored) in Hong Kong. If China makes good on its promises then those companies have a serious compliance issue. And, with GDPR I don’t see how European concerns manage to make this work.

As I understand, China sees no borders to data or information at the governmental level. This is not a communist perspective, this is a Chinese imperial one. The Chinese people are not allowed to know the state secrets of its own country. Pro-democracy is out, conforming to state ideology is in. And some would argue that is true in the United States as well, may I suggest this is the effect of agent orange.

The United States is exceedingly impotent (that may be a good thing) in the context of international relations. Those outside of the U.S. have grown tired of the incompetence and outright malice that is U.S. foreign and security policy. My point, a serious set of events prescribes a large scale alignment with actions and reactions that have anything but a predictable outcome. And for the most part, it is being done outside the view of the citizens of the concerned nation states. I think it was an Outer Limits episode and a sci-fi book that wrote about a captive human picks up a book titled “Humans, How to Prepare”. Two seconds later, the human opens the cover page, the subtitle: “A Cookbook”.

On U.S. national security policy, hasn’t the six decade embargo and blockade of Cuba sufficiently evidenced this act of aggression against the Cuban people, and has not worked. How is this defensible? A policy that was initiated during the Cold War, the underlying premise that a communist country represented some existential threat to the U.S. democracy (I leave out the whole Madisonian and Wilsonian thesis), cannot possibly align with the realities of today. How is this policy measured, is it in absolute terms (i.e. Cuba must fly a flag the U.S. approves) or is it in relative terms (i.e. Cuba is not going to bomb anybody, today)?

The point is none of what has been the history of an unlawful punishment of Cuba seems to be answered in ANY WAY. There are nuanced and important issues regarding the U.S. and Cuban relationship.

name.withheld.for.obvious.reasons March 26, 2022 9:31 AM

More whitewashing via search engines. Again, in performing a search on Biblical Citizenship returned only affirmative sites. I am guessing there is a price for scrubbing bubbles to be applied to a database, Mr. Clean for those with checks clearing the appropriate bank.

Bloated Cow March 26, 2022 12:42 PM

@name.withheld

I think it was an Outer Limits episode and a sci-fi book that wrote about a captive human picks up a book titled “Humans, How to Prepare”.

I know this as a Twilight Zone episode: “To Serve Man”

hxxps://www.youtube.com/watch?v=wJjvg-Gq1LE

I agree that we appear to be entering a multi-polar world. But that does not seem to be slowing down the construction of the digital control grid.

JonKnowsNothing March 26, 2022 2:11 PM

@Winter @All

Re: Vax at Work

The WHO document referenced in my post has a section on how the major global vaccines are doing. The tables include vaccines one might not have access to. (1)

There’s also a section on available drugs and effectiveness. Again, there may be items on the list that are not country-locally available. (2)

===

1) In the USA we have Pfizer and Moderna; not sure J&J is even an option now

2) There is an approved drug in the USA for immunocompromised persons that is not available in my locale. As recent as a few days ago, I again requested access to it but was told it isn’t available here.

  • Evusheld is the only non-vaccine with emergency use authorization (EUA) from the FDA to prevent infection from COVID-19 before you’re exposed to the virus.

Part of the problem is supply-demand and the other part of the problem is the USA COVID Funding Scheme. Other countries are just pulling the plug, but in the USA all sorts of things were tied to the Emergency Funding Response and renewed funding hasn’t happened.

Worse is that all of the Fast Track Medical, Vaccination and Treatment programs are all tied in and once they drop the “emergency” part, every aspect reverts to The Old Method: 10 year Development Cycle. So if it’s not out before the change happens it will be delayed. Plus anything that got the Fast Track Access will revert to the 10 Year Cycle.

The ransomware is in the funding and the routers are in DC.

Clive Robinson March 26, 2022 2:54 PM

@ Bloated Cow, name.withheld…,

But that does not seem to be slowing down the construction of the digital control grid.

When you fall off of a cliff, you tend to speed up until the crunches that lead to the one that brings you to your final rest…

If you are slightly luckier you get into a slower tail spin, that becomes a spiral to the bottom…

If you are part of a “lemming Industry” then those tail spins become a race for the bottom…

The ICT industry and especially the ICTsec sub industry have long since started their “swan dives”, so the two real questions are,

1, What is the terminal velocity
2, How deep is the hole

From which we can calculate an approximate final splat down time.

Clive Robinson March 26, 2022 3:16 PM

@ name.withheld…,

More whitewashing via search engines. Again, in performing a search on Biblical…

Remember when it comes to religion “free screech” is a one way street.

They can preach any old lies, barbarity, and worse at you, but you are an evil blaspheming heretic fit only for nailing up, stabbing in the gut, or being burnt alive or stoned to death for even saying “hang on a moment…”

The law in most places says religion has rights you as an individual do not have.

Such inequality is not the last bastion of aging conservative curtain twitchers, it is worse, way worse, it is a form of enslavement where you have to pay to be enslaved…

Mankind would do a lot better for itself if it adopted a little honesty in life. Rather than chasing something that does not exist, maybe we should try to be the best we can with what we have got.

But then certain types would lose power over others, and they feel that can not be allowed.

So rather than face the wrath of religion Silicon Valley kow-tows to them yet waves two fingers at the legislature…

What does that tell you about society?

As I’ve noted in the past I had to write a thesis for a DD and I chose to debunk deities… Whilst there is more evidence than any one person could read in a lifetime about the callous manipulation of mankind through deity worship, there is actually no evidence for the existence of deities, just cultish brainwashing techniques.

It’s easy to conclude that religion is about political control, and an attempt by the landed gentry and other rich, to not pay for what needs to be done for a functional equitable society.

SpaceLifeForm March 26, 2022 3:21 PM

@ Matrix, samson

re: RSA SecureID

There was no backdoor in the token.

It was that the validation data was exfiltrated. Note the year.

https://arstechnica.com/information-technology/2011/06/rsa-finally-comes-clean-securid-is-compromised/

The exact sequence of numbers that a token generates is determined by a secret RSA-developed algorithm, and a seed value used to initialize the token. Each token has a different seed, and it’s this seed that is linked to each user account. If the algorithm and seed are disclosed, the token itself becomes worthless; the numbers can be calculated in just the same way that the authentication server calculates them.

https://www.theregister.com/2011/03/18/rsa_breach_leaks_securid_data/

Attackers breached the servers of RSA and stole information that could be used to compromise the security of two-factor authentication tokens used by 40 million employees to access sensitive corporate and government networks, the company said late Thursday.

John March 26, 2022 3:42 PM

Hmm…

It seems to me that we should all re-read:

Sun Tzu – The Art of War.

In at least two different English translations!!

John

&ers March 26, 2022 4:06 PM

@Winter

Sorry, but that Lumu is rubbish.
Just another “get quick rich in infosec field” startup.
There is no silver bullet.

SpaceLifeForm March 26, 2022 4:43 PM

@ FBI, FinCEN, ALL

For Soviet Russia, Anonymous provides free offsite backup

hxtps://www.hackread.com/anonymous-hacks-central-bank-russia-leaks-28gb-data/

Hackread.com has seen the leaked data however due to its humongous size, it was virtually and physically impossible to scan each file/folder. Nevertheless, our limited analysis shows that the exposed records included years’ worth of financial records with some documents going as far back as 1999.

Furthermore, invoices, internal communication, documents, memos, bank statements, names of shareholders of various banks, bank licenses, names, addresses of apparently high-profile customers/clients, etc. are part of the leaked records.

hxtps://nitter.net/xxNB65/status/1507748987461419011#m

Total data being prepared for release is 870GB.

I realize that it is the weekend, and there is a lot on everyones plate, but this would be a perfect case where one should use the best tools.

You could start with

grep -i trump *

Jon March 26, 2022 5:11 PM

@SpaceLifeForm

You need a HSM to stop this. You need to force a security challenge to be signed by the HSM, to guarantee physical presence.

At which point the problem becomes “How to fake, override, or otherwise compromise the HSM module”. It’s whack-a-mole all the way down…

Jon

SpaceLifeForm March 26, 2022 6:44 PM

@ Jon, Matrix, samson, Clive

There is a box. You are thinking. But you are not thinking outside of the box.

The security token does not have to have a radio, like SMS 2FA requires.

see https://www.schneier.com/blog/archives/2022/03/friday-squid-blogging-unexpectedly-low-squid-population-in-the-arctic.html/#comment-402337

There is no radio in SecureID. Just a serial, and a clock. The authentication happens on the server end. When a SecureID battery dies, then the clock is useless, and then the token is useless.

But, there are other ways to sign a challenge.

This can be done, albeit very slowly, with paper and pencil.

Or other methods that are faster, but possibly less secure.

The key (no pun intended) to the RSA SecureID problem, was that KEYMAT was exfiltrated from a hacked server.

It was a software issue.

Clive Robinson March 26, 2022 8:28 PM

@ Mafia,

With regards “Gladio”, if only my old kit bag could talk… Actually it does not need to, as much of what Gladio was “supposed” to be about, but what Allen Dulles tried to force it to be is now coming to light in European archives.

The name “Gladio” was Italian, and used for their “Stay behind” forces, in various places. They consisted of three parts that were not supposed to know about each other, and in some cases required to assassinate each other…

Broadly the three parts were,

1, Political
2, Civilian
3, Military

They were deployed in three basic types of territory,

1, Enemy nation (like CCCP)
2, A nation which the enemy would invade / overrun (like West Germany).
3, The controlling nation (like UK) should the enemy invade.

Mostly the political and some of the civilian –like law enforcement– were natives to the territory and they got “recruited” (much like “agents” for spying). As they would pass background checks etc.

However civilian businessmen were not always natives, some were those that got “embedded” from the control nation a decade or so before in either enemy territory or territory that would most likely be invaded.

Their jobs were to behave in certain ways to disrupt things for the enemy but facilitate in various covert ways the control nation’s government’s intentions.

Then there were the military…

They kind of fell into two groups,

1, Established in territory
2, Drop-ins to territory

The latter group also known to some as “The awkward Squad” had dual roles,

1, Establish and maintain long term intelligence posts.
2, Drop in immediately in advance of special forces to establish not just intelligence but communications for command.

But also some were to support Diplomatic Missions that had to fall back under enemy advance or may even have been over-run.

There is a myth in the UK that the SAS are the first in and last out… Often in reality they are not, nor are the intelligence services, it’s communications and logistics specialists from the military who are very definitely “Not official Cover” (NOC) but may well be “under flag”. As such you were expected to respect the various Hague and Geneva Conventions (something the CIA under the psychopath Allen Dulles were unsurprisingly very much against).

Sometimes the Ops were “Milk runs” where teams of two or three “bricks” would come in and support “black bag job” operatives to get them to a place to gather physical intel or place surveillance equipment. Often those doing the black bag job were actually “contractors” on a daily rate which matched their status as expendable and fully deniable, some were natives of the country who had previously “emigrated”. Whilst getting in and setting up was generally an orderly process sometimes extraction was not…

But as the article you link to points out Gladio had a different meaning to some people and let’s just say during the 50’s through 70’s the US placed too much emphasis on commercial technology solutions not boots on the ground HumInt and that let them down badly. But… The CIA under Dulles and successors really were on a cuckoo’s nest circuit and bumps, where about the only place feet touched ground was the bottom of a bourbon bottle.

It’s now known that the CIA either carried out directly or more often through local proxies all sorts of atrocities against even quite moderate Union Leaders and left wing politicians. Where “left” in CIA eyes of Allen Dulles was considered anything less than rabidly fascist or stacking up “the disappeared” like cord-wood in a forest. Something they were doing not just in Europe but South America as well. Allen Dulles and his brother “did many favours” for US Corporations to ensure access to raw resources like copper etc.

https://www.cambridgeclarion.org/press_cuttings/gladio.mi6.sas_graun_5dec1990.html

Jon March 26, 2022 8:49 PM

@ Space Life Form

Oh, thinking outside the box just fine. As your example of ‘Secure ID’ shows, you don’t have to bash the token – just bash the server.

Or, even better, intercept the communications between the wanna-be authenticated and the authenticator, and send back “Oh, the server said you’re fine!”.

This was old hat in the days of copy-protected computer games. You didn’t bother to break the encryption, or come up with a list of keys – you just overwrote the intro to that function with JMP instructions to leap to ‘return authorized’.

For really out-of-the-box, consider what happens, as a hardware chip designer, some very polite men in impeccable if cheap suits and sunglasses show up in your office and say “stick in this back-door. We promise nobody will find it. Or Else.”

Those who found out what “or else” meant don’t design anything anymore.

Then someone else does find the lil’ backdoor, and guess who the blame falls upon? J.

_ March 26, 2022 8:56 PM

Hackers remotely start, unlock Honda Civics with $300 tech

Any models made between 2016 and 2020 can have key fob codes sniffed and re-transmitted

“If you’re driving a Honda Civic manufactured between 2016 and 2020, this newly reported key fob hijack should start your worry engine.

Keyless entry exploits are nothing new. Anyone armed with the right equipment can sniff out a lock or unlock code and retransmit it. This particular issue with some Honda vehicles is just the latest demonstration that auto manufacturers haven’t adapted their technology to keep up with known threats.

This security weakness, tagged CVE-2022-27254, was discovered by Ayyappan Rajesh, a student at University of Massachusetts Dartmouth, and someone with the handle HackingIntoYourHeart. Their research indicated that Honda Civic LX, EX, EX-L, Touring, Si, and Type R vehicles manufactured between 2016 and 2020 all have this vulnerability.

According to the duo, who thanked professors Hong Liu and Ruolin Zhou and mentor Sam Curry, “various Honda vehicles send the same, unencrypted RF signal for each door-open, door-close, boot-open and remote start. This allows for an attacker to eavesdrop on the request and conduct a replay attack.””

https://www.theregister.com/2022/03/25/honda_civic_hack/

Clive Robinson March 26, 2022 9:00 PM

@ SpaceLifeForm, JonKnowsNothing, Matrix, samson, ALL,

The key (no pun intended) to the RSA SecureID problem, was that KEYMAT was exfiltrated from a hacked server.

Not exactly…

It was actually down to a “cost saving measure” implemented on the direct authority of senior management.

As you note each SecureID holds a “secret” known as the “seed value” and RSA stored every one of them in what was originally only an “internal database”.

However at some point it was felt by bonus hungry senior management that “shareholder value” could be gained by giving sales support staff direct access to the database, as well as having their computers directly connected to the Internet… Oops.

And people wonder why almost the first question I ask is,

“What is the business case for this computer having external communications?”

Trust me it’s not just Chinese APT knocking on your doors, rattling the locks and pushing at the windows. Your everyday gumshoe investigator can download the tools for a small fee.

Remember,

“If they can see it they can successfully attack it”

Even if you install all the latest patches as soon as you get them, the chances are they will at some point be “too late to save you”. It’s why I advise,

“Two computers, the first the “On-Line” or “Public box” for connection to the outside world, the second the “Off-Line” or “Private box” that is never ever connected to any external communications.”

Prior to Win10 that was not that much of an issue… Now MicroSoft try almost every trick they can to “force you on line” thus destroying your privacy for their profit.

JonKnowsNothing March 26, 2022 9:29 PM

@ Clive, @SpaceLifeForm, @ALL,

re: The “I need it because I want it” Security Method

Along with the “I’m not going to follow the red-tape-rules” folks, are the other folks who want it for “no good reason” other than ego-rush.

Trying to talk a senior member of a company, especially one that robo-signs your paycheck that “this is not a good thing to do”, rarely works. At best you can block someone below your status and suffer with the social-fallout-name-calling of the day. You can expect this to shorten the already short duration of your employment.

The stories are legion and the outcome is usually a pink-slip.

The only variables are the list of adjectives and adverbs attached. None of which need to be “true” or “real” descriptors of one’s personal attributes.

In California, we are an At Will State. Meaning, you can be fired at anytime, with no reason given. You are also “free” to walk away with no notice and no reason. The first happens often, the second rarely.

Something… something about technical blacklisting.

===

Search Terms

Pink Slip, Termination of employment, At-will employment

Hung March 27, 2022 5:31 AM

Good that in our days all legacy and successors of strategies of tension and stay-behinds and Galios and etc. etc. etc. just vanished, and didn’t evolve and refine and adapt to the current realities.

Winter March 27, 2022 6:12 AM

@mafia
Re: Gladio

Gladio is also suspected of organizing the gang of the Brabant killers in Belgium
ht-tps://en.m.wikipedia.org/wiki/Brabant_killers

This gang was run by a branch of the Belgium police.

At the same time, there was a very inept communist terrorist group, the CCC active in Belgium
https://en.m.wikipedia.org/wiki/Communist_Combatant_Cells

They were suspected (by me, at least) to be organized by the CIA to get traction for yet another coup attempt in concert with the Brabant Killers.

Mafia March 27, 2022 11:17 AM

@Winter @Clive @All
Re: “Operation Gladio”

There is an informative BBC documentary on youtube about Gladio: https://www.youtube.com/watch?v=1hJrQisPVk8 worth viewing.

What I find interesting in the documentary, and something often recurring in the context of secret services [1], was the involvement of the masonic lodge Propaganda Due [2] within the Italian Secret Services.

[1] If I recall correctly: Read Peter Wright’s book: https://en.wikipedia.org/wiki/Spycatcher where he mentions his father advising him he should become a mason if he wanted to rise up through the ranks of the British Security Services.

[2] P2 Lodge: https://en.wikipedia.org/wiki/Propaganda_Due

name.withheld.for.obvious.reasons March 27, 2022 2:39 PM

@ Clive
Additional fun fact, previously the search results returned one article that tangentially referred to the search term.
But after one month, the result had been dropped from the list. Went through the 13 pages of results this last time, and nada, null, zero, zip, zilch. The common thread is based on the reporting about a pseudo historian claiming the foundation of the United States is based and modeled on being a Christian nation. But it is not, never has been.

It is concerning to think that a segment of the population can assert an ahistorical proposition and be fine with that. Not unlike trying to whitewash the history of slavery from the American experience (language is inaccurate, it should be the United States of America but for continuity with popularized expression). Similarly, many people are fine with de-referencing slavery and the enslavers from history–look no further than all the monuments to their proud heritage. To me it is like being an ardent pacifist and at the same time saying, but this war is good and justifies narrowly reframing the elements of that war. But worse than that, creating a legal framework to make certain that this ahistorical perspective sticks. Putin would be so proud.

name.withheld.for.obvious.reasons March 27, 2022 2:44 PM

@ Clive
Loved the word you used and in the context given; screech. Awesome.

SpaceLifeForm March 27, 2022 3:02 PM

Heisenberg would love JavaScript

For small values of NULL near Planck’s Constant.

Apparently NULL is either null or zero depending upon how you observe it.

hxtps://nitter.net/AshleeMBoyer/status/1508123239154921482#m

null == 0 evaluates to False
null >= 0 evaluates to True
null > 0 evaluates to False
null < 1 evaluates to True
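The four results above follow from two different coercion rules: `==` uses JavaScript’s Abstract Equality algorithm, under which `null` equals only `null` or `undefined` and is never converted to a number, while the relational operators (`<`, `>`, `<=`, `>=`) apply ToNumber, which turns `null` into `0`. The block below is an added example, not from the linked thread, that reproduces the observations in named functions and shows the authorisation bug this invites (a missing value passing a limit check) beside a check that refuses to compare a non-number. The quota functions and their names are constructed for the illustration.

```javascript
// Reproduce the loose-comparison results for any input x.
// For x === null: eqZero false, geZero true, gtZero false, ltOne true.
function looseComparisons(x) {
  return {
    eqZero: x == 0,   // Abstract Equality: null is not coerced to a number
    geZero: x >= 0,   // ToNumber(null) is 0, and 0 >= 0 holds
    gtZero: x > 0,    // 0 > 0 does not hold
    ltOne:  x < 1,    // 0 < 1 holds
  };
}

// The bug pattern: a limit check that "passes" when the value is missing,
// because null <= limit is evaluated as 0 <= limit. (Constructed example.)
function isWithinQuotaLoose(used, limit) {
  return used <= limit;
}

// Hardened form: a missing or non-numeric usage figure is never "within quota".
function isWithinQuotaStrict(used, limit) {
  if (typeof used !== 'number' || Number.isNaN(used)) return false;
  if (typeof limit !== 'number' || Number.isNaN(limit)) return false;
  return used <= limit;
}

// General guard for any threshold comparison: fail loudly on a non-number
// rather than letting coercion pick a value for you.
function compareAtLeast(value, threshold) {
  if (typeof value !== 'number' || Number.isNaN(value)) {
    const shown = value === null ? 'null' : typeof value;
    throw new TypeError(`expected a number, got ${shown}`);
  }
  return value >= threshold;
}

module.exports = { looseComparisons, isWithinQuotaLoose, isWithinQuotaStrict, compareAtLeast };
```

`undefined` behaves differently again: ToNumber(undefined) is NaN, so every relational comparison with it is false, which is why a check written for `undefined` can still be wrong for `null`.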

SpaceLifeForm March 27, 2022 3:44 PM

@ _

re: Honda Civic circa 2016 – 2020

Again, what does it really, truly mean to be authenticated in a network environment?

Until a fob and a car can do encrypted comms over the air with no possibility of replay attack, then the better security model is the physical key.

A fob costs more than a physical key last I checked. If your car can do both, maybe just never use the fob.

Security. Convenience. Pick one.

vas pup March 27, 2022 5:00 PM

Ukraine is using Elon Musk’s Starlink for drone strikes
https://www.dw.com/en/ukraine-is-using-elon-musks-starlink-for-drone-strikes/a-61270528

“Elon Musk’s satellites are connecting Ukraine with the internet. Starlink was conceived as a civilian program — but Ukraine’s military can also use it to guide drones and strike Russian tanks and positions.

British media have reported that Ukraine’s army is making very successful use of Starlink for drone attacks on Russian tanks and positions. The Telegraph reported that Starlink is of particular military significance in areas where the infrastructure is weak and there is no internet connection.

According to The Telegraph, the aerial reconnaissance unit Aerorozvidka is using Starlink to monitor and coordinate unmanned aerial vehicles, enabling soldiers to fire anti-tank weapons with targeted precision. Only the system’s high data rates can provide the stable communication required, The Telegraph reported.

An officer with the Aerorozvidka unit described the system to The Times: “We use Starlink equipment and connect the drone team with our artillery team,” he said. “If we use a drone with thermal vision at night, the drone must connect through Starlink to the artillery guy and create target acquisition.”

Ukrainian President Volodymyr Zelenskyy uses the Starlink satellites to make speeches to the nation and to national parliaments around the world. Quite apart from its military usefulness, Starlink has become vital to Ukraine, both for obtaining worldwide support and for maintaining the unbroken resistance of the people.

With Russia trying to target and destroy Ukrainian infrastructure, including power and internet, the connection will likely be even more important in the coming weeks and months. !!!!!!!This, of course, also means that Starlink reception dishes, which are not exactly inconspicuous, will be targets for Russian troops.

The biggest danger, however, is that the reception equipment can be geolocated while in operation. Shortly after the first terminals were delivered in early March, Musk tweeted: “Turn on Starlink only when needed and place antenna as far away from people as possible.”

Clive Robinson March 27, 2022 5:22 PM

@ _, SpaceLifeForm, ALL,

Re Honda Civic

And similar small cars and electronic locks…

A fob costs more than a physical key last I checked.

Quite a bit more even at the best of times. But…with current silicon chip issues the price of the silicon used in fobs is apparently nearly a 1000% greater than a couple of years back, and availability is very low…

But “electronic locking” in cars is at best a joke, and at best just another way for criminals to attack, so lowering the security threshold even if “super-dooper secure”.

The other aspect is they are actually dangerous and can increase your chances of being killed in your car…

So why do they exist on so many vehicles?

Blame the “Marketing people”…

It took just one advertising campaign of a girl with a really nice bum in tight pants holding a couple of paper bags of shopping with a close up shot of her bum next to the door handle to make “hands free” entry a must have, not with men but with girls…

The thing is though, no matter what you do to make the fob secure in authentication and replay attacks it still fails to relay attacks…

If I and my accomplice see you get out of your car in the parking lot of your local super market. I follow you in and then get in the check out queue behind you. My accomplice stands by the car door with his end box of the relay whilst I stand just behind you with the other end of the relay. Push the button and the key-fob talks across the relay that can be hundreds of meters apart (I’ve seen it work over 2km using modified ultra cheap Baofeng HT’s) and the door unlocks…

At which point the inside of the car is available to the criminal which may be all that’s needed for some thefts, or planting of surveillance / tracking equipment inside the vehicle.

But as any repo-man will tell you these cheaper cars doors still open the old ways with a metal shim or even metal coat-hanger hook.

Oh and some will tell you how to fit a piece of metal inside the door that stops those old attacks…

You might ask why auto manufacturers don’t fit them as standard?

Well don’t be surprised if you get given a pile of “horse apples” about “first responders” getting access in emergency, or similar…

olga March 27, 2022 5:52 PM

re: RSA SecureID
There was no backdoor in the token.

RSA had the keys, just as someone would’ve had the keys to every Clipper chip. I’d say it’s fair to use the term “backdoor” for both. The only real difference was the entity holding the key.

One might reasonably have expected “RSA” Security to have come up with a system that didn’t require any private key to leave the token, or at least didn’t require the key to be programmed by the manufacturer. Have they become so incompetent that they missed the security implications? It’s either that, or they intentionally left a backdoor, and I don’t know which looks worse for them. (What makes them and their customers look even worse is that they still seem to be selling them, and I don’t see anything about a redesign. One would think their marketing people would put that front-and-center if it had happened—well, without mentioning “compromise” or “re”design—but it’s just pictures of happy people with no technical details. If it’s the same old design, that would lend credibility to a “backdoor” hypothesis.)

Petre Peter March 27, 2022 6:34 PM

“What you find depends on what you seek. Context matters.”

–Michael Hayden

ResearcherZero March 27, 2022 6:46 PM

Right to left override exploits doing the rounds again and being exploited in instant messengers.

“RTLO is used to fake extensions by writing part of the filename or other descriptions back to front.”

The method called RTLO, or RLO, uses the method built into Windows to deal with languages that are written from right to left, the “Right to left override”.

Let’s say you want to use a right-to-left written language, like Hebrew or Arabic, on a site combined with a left-to-right written language like English or French. In this case, you would want bidirectional script support.

Bidirectional script support is the capability of a computer system to correctly display bi-directional text.

On systems that support Unicode filenames, RTLO can be used to spoof fake extensions. To do this we need a hidden Unicode character in the file name, that will reverse the order of the characters that follow it.

The last seven characters in the file name are displayed backwards because I inserted the RTLO character before those seven characters.

One way to catch these fakes on more modern versions of Windows is to set the “Change your view” ruler to “Content”.
https://blog.malwarebytes.com/cybercrime/2014/01/the-rtlo-method/

“Turn off link previews in everything, especially mail apps and anything related to notifications. Don’t visit weird websites with popups. Don’t click random prize giveaways.

You already have a phone, so use your bookmarks and make sure to keep it up to date. Given the amount of zero-days flying around, especially those disclosed recently for iOS, it would be perilous to trust URLs in IMs.”
https://sick.codes/sick-2022-40/
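The Malwarebytes write-up describes how a single U+202E (Right-to-Left Override) character makes the tail of a filename render reversed, so that what is really an executable is displayed with a harmless-looking extension. The block below is an added example, not code from either linked article, that detects Unicode bidirectional control characters in a filename, approximates what the name would look like on screen, and reports when the displayed extension disagrees with the real one. The sample filenames are constructed; the rendering approximation handles only the override/pop pair and is meant for triage, not as a full implementation of the Unicode bidi algorithm.

```javascript
// Unicode bidirectional control characters that can change how text is shown.
const BIDI_CONTROLS = new Map([
  ['\u202A', 'LRE'], ['\u202B', 'RLE'], ['\u202C', 'PDF'],
  ['\u202D', 'LRO'], ['\u202E', 'RLO'],
  ['\u2066', 'LRI'], ['\u2067', 'RLI'], ['\u2068', 'FSI'], ['\u2069', 'PDI'],
]);

// Remove every bidi control so we can reason about the "real" characters.
function stripControls(s) {
  return [...s].filter((ch) => !BIDI_CONTROLS.has(ch)).join('');
}

// Approximate the displayed form: the run after U+202E (up to a U+202C pop
// or the end of the string) is shown reversed. Other controls are dropped.
function approximateDisplay(name) {
  const start = name.indexOf('\u202E');
  if (start < 0) return stripControls(name);
  const end = name.indexOf('\u202C', start);
  const head = stripControls(name.slice(0, start));
  const run = stripControls(end < 0 ? name.slice(start + 1) : name.slice(start + 1, end));
  const rest = end < 0 ? '' : stripControls(name.slice(end + 1));
  return head + [...run].reverse().join('') + rest;
}

// Extension as a filesystem or launcher would see it (last dot of the real name).
function realExtension(name) {
  const clean = stripControls(name);
  const dot = clean.lastIndexOf('.');
  return dot < 0 ? '' : clean.slice(dot + 1).toLowerCase();
}

// Triage a filename: which controls it carries, what it would look like, and
// whether the visible extension lies about the real one.
function inspectFilename(name) {
  const controls = [...name]
    .filter((ch) => BIDI_CONTROLS.has(ch))
    .map((ch) => BIDI_CONTROLS.get(ch));
  const displayedAs = approximateDisplay(name);
  const shownDot = displayedAs.lastIndexOf('.');
  const displayedExtension = shownDot < 0 ? '' : displayedAs.slice(shownDot + 1).toLowerCase();
  const real = realExtension(name);
  return {
    suspicious: controls.length > 0,
    controls,
    displayedAs,
    realExtension: real,
    displayedExtension,
    extensionMismatch: real !== displayedExtension,
  };
}

// Constructed samples: one benign name, one carrying an RLO override.
const SAMPLES = ['quarterly_report.pdf', 'report_ann\u202Efdp.exe'];
function triageSamples() {
  return SAMPLES.map((n) => ({ name: n, ...inspectFilename(n) }));
}

module.exports = { BIDI_CONTROLS, stripControls, approximateDisplay, realExtension, inspectFilename, triageSamples };
```

In a mail gateway or download scanner, the useful signal is `suspicious` (any bidi control in a filename is unusual enough to flag) rather than the rendering, which is only there to explain the finding to a human reviewer.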

ResearcherZero March 27, 2022 11:51 PM

“Why is the department apparently not interested in receiving notification about cyber incidents that affect their assets, or not interest in enabling [the Australian Signals Directorate (ASD)] to provide technical assistance to them in the event of a serious cyber attack?”

The government proposed changing the current definition, that any provider supplying services to commonwealth, state or territory governments is classed as critical infrastructure, would be qualified by whether they were handling ‘business critical data’.

Macquarie said this change should be abandoned, because “business-critical data does not describe the type of information that is most commonly held by government departments and agencies nor what is crucial to the functioning of government”.

“A data storage or processing service provider that stores or processes any form of government data should absolutely be recognised and regulated as a critical infrastructure provider,” Macquarie said, adding that the “gaps and consequences arising from the proposed change… seem absurd”.

“If the proposed amendment does proceed, then the definition of business-critical data in… the SOCI Act must be broadened to reflect the types of sensitive and classified information that are commonly held by Commonwealth and state and territory government entities.”

At a hearing of the Parliamentary Joint Committee on Intelligence and Security last week, shadow attorney-general Mark Dreyfus confronted representatives from Home Affairs over Macquarie’s concerns, which had not been addressed in the department’s supplementary submission.
https://www.itnews.com.au/news/home-affairs-downplays-gov-data-gaps-in-critical-infrastructure-regime-577704

Committee recommends no major changes

“This accelerated need has driven perception that the bill may have been rushed, or that the Department has not taken industry concerns seriously, but the committee has ultimately concluded that this is not the case,”
https://www.itnews.com.au/news/second-critical-infrastructure-cyber-security-bill-gets-pjcis-green-light-577953

550 vulnerabilities in Juniper Space, and the most severe of these are rated critical.
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11176&cat=SIRT_1&actp=LIST

unauthenticated remote code execution

“The Hazelcast cluster join procedure is vulnerable to remote code execution due to Java deserialization. If an attacker can reach a listening Hazelcast instance with a crafted JoinRequest, and vulnerable classes are also on the classpath, the attacker can run arbitrary shell commands (among other nefarious things). Hazelcast will blindly deserialize any object it receives in that request stream. Since the JoinRequest is what implements authentication, this is necessarily pre-authentication.”
https://github.com/hazelcast/hazelcast/issues/8024

https://confluence.atlassian.com/security/multiple-products-security-advisory-hazelcast-vulnerable-to-remote-code-execution-cve-2016-10750-1116292387.html

Clive Robinson March 28, 2022 12:50 AM

@ olga,

One might reasonably have expected “RSA” Security to have come up with a system that didn’t require any private key to leave the token, or at least didn’t require the key to be programmed by the manufacturer.

I really do not think you understand or know sufficient about what you are talking about.

For such a system to work there needs to be a “shared secret” between the token and the software on the server the user of the token is trying to log into. Such a secret needs to be generated and supplied to both the token and the software running on the server(s) the user is to authenticate to.

Now some things to note,

1, What ever “seed value” generation process is used it would have to leave the confines of the generator to become “shared” by the Token and the authentication software on the server(s) the user of the token authenticates to.

2, The authentication software on the server(s) the user authenticates to, needs to have the “seed value” for every RSA ID key that is to be used with it stored on it to work.

3, The security of the deployed system is only as strong as the weakest link. Which was in nearly all cases, not the technical system RSA supplied, but the OS and Apps running on the server(s) user(s) authenticate to, and the behaviours of the user(s) and owner of the tokens.

4, The owners of the RSA ID token system were at best “cost not security” sensitive.

5, Because there was nothing stopping the “owner” of the RSA ID token from changing the shared “seed value” on the token and the authentication software on the server the user authenticates to if they wished to. RSA provided the tools required to do so.

6, The fact the owners of the tokens chose not to change the factory setting of the seed value in each token they owned, even though RSA provided the tools to do so was because of 4.

7, As previously indicated RSA kept the factory set “seed value” for “Customer support” reasons[1].

8, It was the cost of the customer support increasing that caused RSA management to make the changes they did for “shareholder value” reasons.

What needed to be changed was not the technical design of the “system” as you insist, but the “behaviours” of those people involved. As I’ve pointed out in 3, the weakest link in the use of the system is the human behaviours, which you would have realised if you actually understood sufficient about the system.

As for,

What makes them and their customers look even worse is that they still seem to be selling them, and I don’t see anything about a redesign

As I’ve pointed out it’s not the technical design of the token system that was the weakest link, or what actually failed but “human behaviours”

As for changing those… Good luck.

Trying to go around and change humans with non security oriented priorities to be more secure is going to continue to be a task of Sisyphus[2] our host has pointed that out as have others for some considerable time now. But it goes back long before even that. Because if the ancient Greeks understood this basic fact of human behaviours, how come you appear unaware of it or chose to ignore it?

[1] Part of this would be to guarantee that each token that left the factory had a unique “seed value”.

[2] https://en.wikipedia.org/wiki/Sisyphus

Clive Robinson March 28, 2022 1:07 AM

@ ResearcherZero, ALL,

After the divorce, Wendi Deng purportedly began dating Vladimir Putin as well as continued her close relationship with Ivanka Trump and Jared Kushner.

But what caused Rupert “the bare faced liar” Murdoch to divorce Wendi Deng?

Who was she making “Google Eyes” at back then?

Apparently on Anthony Blair, father of numerous offspring some of whom wake up drunk in the gutter, married to a rail fare cheating wife who is a Barrister, oh and at the time Prime Minister of the UK. Who is so corrupt, he refused to take up the peerage that “came with the job” because he would have to make financial declarations that he knew would get investigated and the Blair’s fairly evident crookedness would be laid bare for all to see…

Remember Tony lined his pockets, yet he effectively bankrupted both the political party he was head of, oh and the country he was head of as well… Then there was the fact that he was the “enabler” G W Bush needed to get the Gulf War going, so neo-con financial interests would be preserved…

I could go on, but I think you get the idea,

“Wendi Loves Bad Boys”

And obviously Rupert was not bad enough.

Winter March 28, 2022 3:23 AM

@Clive Robinson
“Wendi Loves Bad Boys”

Birds of a feather flock together.

I must say, in a sense I admire Ms Deng. It is difficult for women to stand their ground in an evil men’s world. For a woman to not only stand her ground but beat these men in their own game to me seems truly heroic.

Nothing like watching “Bad Boys” being trounced thoroughly by a babe.

Winter March 28, 2022 5:32 AM

Google found with its hands in your phone data:

Android’s Messages, Dialer apps quietly sent text, call info to Google
ht-tps://www.theregister.com/2022/03/21/google_messages_gdpr/

“The data sent by Google Messages includes a hash of the message text, allowing linking of sender and receiver in a message exchange,” the paper says. “The data sent by Google Dialer includes the call time and duration, again allowing linking of the two handsets engaged in a phone call. Phone numbers are also sent to Google.”

The timing and duration of other user interactions with these apps has also been transmitted to Google. And Google offers no way to opt-out of this data collection.

The first step to data privacy is admitting you have a problem, Google
ht-tps://www.theregister.com/2022/03/28/google_data_privacy/

One of the joys of academic research is that if you do it right, you can prove the truth. In the case of computer science professor Douglas Leith, this truth is that Google has been taking detailed notes of every telephone call and SMS message made and received on the default Android apps.

The original research:
ht-tps://www.scss.tcd.ie/doug.leith/privacyofdialerandsmsapps.pdf

SpaceLifeForm March 28, 2022 1:53 PM

The solution is simple, don’t use HP Printers

https://www.securityweek.com/serious-vulnerability-exploited-hacking-contest-impacts-over-200-hp-printers

HP lists roughly 250 printer models that are impacted by this bug, including Enterprise (LaserJet, Color LaserJet, Digital Sender Flow, OfficeJet, PageWide, and ScanJet), LaserJet Pro, PageWide Pro, DeskJet, and DesignJet series devices.

Firmware updates were released for the majority of the impacted products, but tens of printer models remain vulnerable. For them, the company recommends disabling LLMNR in network settings to mitigate the flaw.

Last week, I had to find a printer for someone. HP printers are everywhere in stores. Other brands are hard to find.

People are not buying HP printers these days. Probably the toner prices.

olga March 28, 2022 3:08 PM

Clive Robinson:

For such a system to work there needs to be a “shared secret” between the token and the software on the server the user of the token is trying to log into. Such a secret needs to be generated and supplied to both the token and the software running on the server(s) the user is to authenticate to.

Yes, with only a million possible codes (6 decimal digits), a validation server would be able to brute-force any code it could validate. They could’ve designed it to fake keyboard input, like the CueCat (cheap enough by 2000 to be given away for free), or used some other clever mechanism by which they could’ve provided enough data to make asymmetric crypto work.

6, The fact the owners of the tokens chose not to change the factory setting of the seed value in each token they owned, even though RSA provided the tools to do so was because of [cost].

I have my doubts. You say the tools existed, which means there would’ve been no additional costs for each token. One would then just need a programming device and physical possession of each token for a few seconds; no harder than typing in a username and serial number. I find it much more likely customers were ignorant of the risk. The only advantage I see for pre-programmed tokens is that a company could ask RSA to directly ship to an employee. That’s no reason to backdoor all of them.

7, As previously indicated RSA kept the factory set “seed value” for “Customer support” reasons.

Well, that’s a backdoor then, no different from a router manufacturer keeping a password or key for remote troubleshooting. What event was this intended to support, though? A company losing all of their secret keys?

Part of this would be to guarantee that each token that left the factory had a unique “seed value”.

What? Any sane key generation process simply uses enough entropy to ensure uniqueness, and RSA’s token-programming software could’ve enforced that. Even with cheesy methods like PGP’s old “wiggle the mouse and press some keys” prompt. That’s assuming a hardware entropy generator in each token would’ve been too expensive.

I’ve never heard of anyone keeping a key database to check uniqueness at generation time. Some post-hoc compilations (e.g. via SSH and TLS scanning) have found insufficient entropy, but nobody’s proposing database-checks as a solution.

Clive Robinson March 28, 2022 3:41 PM

@ Olga,

As I said, you appear to either not understand or do not want to understand what happened with the RSA Secure ID tokens.

As for the 6 digits that’s the equivalent of 20bits. Do you know how long a passphrase that is equivalent to?

Well by the time you tuck back in not just the letter frequency dual, triple and quad letter redundancies and sentence redundancy, it’s about 150bits at 5bits/letter or 30 or more characters. It’s why the XKCD “horse battery staple…” method is better. Provided people don’t remove duplicate words or reorder words to make them easier to remember.

Also remember that number changes many times a day as well so there is not time to do any kind of brute force search on a server, unless of course you’ve already got a level of access on the server that makes doing a brute force search fairly pointless anyway…

Maybe you should do a little reading up on the security involved.

Your claims of “backdoor” are not supported by your observations and the arguments you make from them.

But don’t let me stop you finding out how to do a better security analysis in fact I positively encourage you to do so, then applying your new found information, you might find something probative that is not already known.

SpaceLifeForm March 28, 2022 4:33 PM

@ olga, Clive

The only way I can see to do this properly is for the user to create a keypair, that the HSM has, and enroll the publickey with the server.

In order to authenticate, the server has to provide a challenge, that the user signs with the private key, and sends back to server. The server then validates the signature with the previously enrolled public key.

This is the simple overview. There are other issues and attack angles to deal with regarding the enrollment process.

There are also issues as to how to actually make the challenge signing process easy, and secure.

In the threat model I am thinking about, there can be no USB, Ethernet, or any Radio involved with the HSM.

I want my HSM to be as dumb as possible and not support any networking protocols.

Also, it should not require a clock.

I want to be able to get the challenge from the networked computer to the offline computer (the HSM), and then get the signature from the offline computer (the HSM) back to the online computer, so it can send the signature to the server and fulfill the authentication process.

And, that’s only the beginning. Then you have to worry about the security of an authentication software token, when it expires, MITM, etc. It is not simple.

lurker March 28, 2022 4:44 PM

@Winter, re G messages/phone

And here’s me been sitting for 12+ months now refusing a Carrier Services update because the blurb that came with it made no sense to me. Following your heads-up I checked again and there’s a new update 2022-03-24 for “Bug fixes and stability improvements.” Period.

At least it hasn’t sneakily turned its own data access back on as some apps will do when G “checks” them.

ResearcherZero March 28, 2022 6:17 PM

@Clive Robinson

Could have been she was a spy, hooking an old hand? Who knows?

“lock your cyber doors” – quote from government official

“The conduct alleged in these charges is the kind of conduct that we are concerned about under the current circumstances,” the official said.

“These charges show the dark art of the possible when it comes to critical infrastructure.”
https://finance.yahoo.com/news/1-u-unveils-charges-against-212935293.html

Ukraine’s national telecoms operator Ukrtelecom is restoring internet services after driving back a major cyber-attack.

“the enemy launched a powerful cyberattack against Ukrtelecom’s IT-infrastructure,” said Yurii Shchyhol, chairman of the State Service of Special Communication and Information Protection of Ukraine.

NetBlocks, which monitors internet service disruptions, posted on Twitter earlier on Monday that it saw “connectivity collapsing” with an “ongoing and intensifying nation-scale disruption.”

A similar incident took place earlier this month with Triolan, a smaller Ukrainian telecom company, Forbes previously reported.
https://www.reuters.com/business/media-telecom/ukrainian-telecom-companys-internet-service-disrupted-by-powerful-cyberattack-2022-03-28/

“real-time network data show connectivity collapsing to 13% of pre-war levels; the provider reports issues assigning new sessions”
https://twitter.com/netblocks/status/1508465391244304389

Repair crews and even techie volunteers making DIY fixes are working around the clock to patch up disruptions. And Ukraine has an unusually large number of internet providers, which means there are fewer chokepoints.
https://espresso.economist.com/f0581ab7f8e6b8695051457df75cd9c0

The spike in tor bridges after everyone was called to fight against the emergent Tor censorship in Russia has grown.
https://metrics.torproject.org/userstats-bridge-country.html?start=2021-11-04&end=2022-03-28&country=ru

The GRU has a history of malicious cyber operations against Ukraine.
Russian military spy hackers were behind a cyberattack on a satellite broadband service that disrupted Ukraine’s military communications at the start of the war last month.
Viasat is shipping new modems to the distributors so they can get them to affected customers.
https://www.washingtonpost.com/national-security/2022/03/24/russian-military-behind-hack-satellite-communication-devices-ukraine-wars-outset-us-officials-say/

Clive Robinson March 28, 2022 7:03 PM

@ SpaceLifeForm,

The only way I can see to do this properly is for the user to create a keypair, that the HSM has, and enroll the publickey with the server.

Whilst in theory that is a nice idea, PubKey crypto is way way beyond the capabilities of the microcontrollers that would have been around at the time RSA designed their token.

Further, even these days the number of CPU cycles and CPU clockspeed required would make PubKey crypto inadvisable due to the fact it would suck the life out of the token battery in way less time than the owner / user of the token would be happy with and the token supplier would not want the support calls for[1].

As for,

I want my HSM to be as dumb as possible and not support any networking protocols.

Also, it should not require a clock.

Whilst I can see good reason for the simplicity, the clock is a requirement to stop an interesting array of attacks.

At its simplest all the token needs is,

1, An efficient crypto algorithm of sufficiently wide data and key (say “256bit in this day and age”).

2, A “wall time” clock that is somehow synchronised with that on the server(s) the user authenticates to.

3, The shared secret / “seed value”.

To run it you use the synchronised time as the data into crypto algorithm and the shared secret as the key to produce the ciphertext to use as a session key. You then take the shared secret and encrypt that with the session key and the ciphertext out becomes the session grid.

You then have another time changing algorithm that takes bits out of the session grid based on time etc and that produces the 6 digit TAN on the token LCD…

The hard part is ensuring clock synchronisation… Which can not be done with that simple algorithm and multiple servers a user has to authenticate to that in this more modern age may be “isolated / gapped” from not just networks but centralised time sources as well.

I could go through how to make time synchronisation less of a problem but it’s eye itchingly dull. But to put it overly simply each server stores a delta for each token that it updates when a user logs in. The server also calculates a spread of challenge responses across a time window and checks which corresponds to that from the user’s token and uses that to update the delta.

The point is to use the absolute minimum of CPU cycles and at the lowest usable speed on the token to try to give maximal battery life.

You then give the server the “heavy lift” operations as there are no CPU cycle or clock speed limits to save battery power as the server runs off of the mains etc.

[1] RSA are not the only makers of secure tokens, and I must admit none of the ones I have have the ability to have the battery changed, and I’ve had to replace a couple and the calls to local “tech support” are not fun (they want all sorts of ownership “proof”, but… Interestingly some do not require you to produce the “seed value” which suggests they too have a database…
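
An added worked example (written for this thread, not Clive’s code and not the SecurID algorithm) of the three ingredients and the server-side delta tracking described above, in Go. The cipher (AES-256), the 32-byte seed, the way the time step is packed into the data block, the way six digits are pulled out of the “session grid”, and the search window are all assumptions chosen to follow the description; the one thing it adds is a last-accepted-step check so that a code observed during the window cannot be replayed:

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"errors"
	"fmt"
)

// AES blocks are 128 bits, so the 256-bit values in the description are
// handled as two blocks. All sizes here are assumptions for the example.
const (
	seedSize   = 32 // 256-bit shared secret, also used directly as the AES-256 key
	tanDigits  = 6
	tanModulus = 1000000
)

// encrypt256 encrypts a 32-byte value as two AES blocks under a 32-byte key.
func encrypt256(key, data []byte) ([]byte, error) {
	if len(key) != seedSize || len(data) != seedSize {
		return nil, errors.New("key and data must both be 32 bytes")
	}
	c, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, seedSize)
	c.Encrypt(out[:16], data[:16])
	c.Encrypt(out[16:], data[16:])
	return out, nil
}

// TAN computes the 6-digit code for one time step:
//  1. session key  = E_seed(time)
//  2. session grid = E_sessionkey(seed)
//  3. read 4 bytes of the grid at a time-dependent offset, reduce mod 10^6.
func TAN(seed []byte, step int64) (string, error) {
	timeBlock := make([]byte, seedSize)
	binary.BigEndian.PutUint64(timeBlock[8:16], uint64(step))
	binary.BigEndian.PutUint64(timeBlock[24:32], uint64(step)+1) // keep the two blocks distinct
	sessionKey, err := encrypt256(seed, timeBlock)
	if err != nil {
		return "", err
	}
	grid, err := encrypt256(sessionKey, seed)
	if err != nil {
		return "", err
	}
	offset := int(step % int64(len(grid)-4)) // which 4 bytes of the grid to use this step
	if offset < 0 {
		offset += len(grid) - 4
	}
	v := binary.BigEndian.Uint32(grid[offset:offset+4]) % tanModulus
	return fmt.Sprintf("%0*d", tanDigits, v), nil
}

// tokenState is what the server keeps per token: seed, learned clock delta
// (in steps) and the last step it accepted, to refuse replays inside the window.
type tokenState struct {
	seed         []byte
	delta        int64
	lastAccepted int64
}

type Server struct {
	window int64 // steps searched either side of the expected time
	tokens map[string]*tokenState
}

func NewServer(window int64) *Server {
	return &Server{window: window, tokens: make(map[string]*tokenState)}
}

func (s *Server) Enroll(id string, seed []byte) error {
	if len(seed) != seedSize {
		return errors.New("seed must be 32 bytes")
	}
	s.tokens[id] = &tokenState{seed: seed, lastAccepted: -1}
	return nil
}

// Verify does the "heavy lift": it computes the code for every step in the
// window around (serverStep + delta), accepts the first match newer than the
// last accepted step, and re-learns the delta from the step that matched.
func (s *Server) Verify(id, code string, serverStep int64) bool {
	t, ok := s.tokens[id]
	if !ok {
		return false
	}
	expected := serverStep + t.delta
	for d := -s.window; d <= s.window; d++ {
		step := expected + d
		if step <= t.lastAccepted {
			continue // already used, or older than something already used
		}
		if c, err := TAN(t.seed, step); err == nil && c == code {
			t.delta = step - serverStep
			t.lastAccepted = step
			return true
		}
	}
	return false
}

// Delta returns the clock offset the server has learned for a token (0 if unknown).
func (s *Server) Delta(id string) int64 {
	if t, ok := s.tokens[id]; ok {
		return t.delta
	}
	return 0
}

func main() {
	seed := make([]byte, seedSize) // constructed demo seed, not a real secret
	for i := range seed {
		seed[i] = byte(i * 7)
	}
	srv := NewServer(3)
	_ = srv.Enroll("tok1", seed)
	code, _ := TAN(seed, 1000)
	fmt.Println(code, srv.Verify("tok1", code, 1002), srv.Delta("tok1")) // <code> true -2
}
```

The token side is only `TAN`: one key schedule and four block encryptions per step, no clock discipline beyond counting. Everything that costs cycles (the window search, the delta bookkeeping) sits on the mains-powered server, as the comment argues it should.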

ResearcherZero March 28, 2022 7:24 PM

Australian government launches another cyber centre as part of national plan, and this time it’s a cybercrime centre.
https://www.9news.com.au/national/cyber-criminal/f528d7c2-841b-4a57-be6c-5148613c0fab

A quarter of cyber incidents reported to Australian security officials over the past year have targeted critical infrastructure and essential services, including health care, food distribution and energy.
https://www.cyber.gov.au/acsc/view-all-content/reports-and-statistics/acsc-annual-cyber-threat-report-2020-21

Businesses Still Woefully Unprepared

Russian intelligence agencies might influence cyber-extortion groups to up their activity and target a much broader group of Western targets.
https://www.abc.net.au/news/2022-03-17/russia-ransomware-ally-conti-group-could-hit-australia/100915396

The personal details of job applicants and staff at a range of major Australian companies and government agencies have potentially been exposed in a “significant” data breach and extortion attempt against Australian recruitment company Finite.

” more than 300 gigabytes of data has been stolen, including financials, contracts, customer databases, phone numbers, addresses, passports and a variety of other sensitive personal information. ”

Conti — the same hacking group responsible for the data breach affecting up to 80,000 South Australian government employees… includes names, dates of birth, tax file numbers, home addresses, bank account details, remuneration and superannuation contributions.
https://www.msn.com/en-au/money/markets/coles-westpac-amp-and-department-of-defence-caught-up-in-significant-data-breach-of-finite-recruitment/ar-AARVu2I

ResearcherZero March 28, 2022 9:59 PM

“We have your economic secrets now, you will tremble with fear, Putin.”

limited analysis shows that the exposed records included years’ worth of financial records with some documents going as far back as 1999.

Furthermore, invoices, internal communication, documents, memos, bank statements, names of shareholders of various banks, bank licenses, names, addresses of apparently high-profile customers/clients, etc. are part of the leaked records.
https://www.hackread.com/anonymous-hacks-central-bank-russia-leaks-28gb-data/

620 FSB officers had been engaged in criminal activities for the Kremlin across Europe
https://www.pcmag.com/news/ukraine-doxes-620-alleged-russian-spies-by-publishing-names-addresses

List of employees of the FSB of the Russian Federation registered at the address: Moscow, st. Bolshaya Lubyanka
https://ddosecrets.com/wiki/FSB_employee_leak

lurker March 28, 2022 11:35 PM

@ResearcherZero What is the cost in Australia of a government led by a number of people with a history of criminality?

Of course there’s the worn out joke that the nation was designed that way by George III.

fwiw the garbage coming out of Canberra at times may have something to do with there being no official language at federal level [according to Wikipedia].

Who? March 29, 2022 7:16 AM

@ SpaceLifeForm, Clive Robinson

Bitcoin gives privacy, not anonymity. All transactions are public and can be tracked from services like blockchain.info; transactions and amount of bitcoins on each wallet are publicly accessible. In fact, these features make it the most transparent and fraud-resistant form of money imaginable. It has not been designed with anonymity in mind, but it is a very private form of money.

In fact, there is no anonymous form of money and will never be. As soon as you use money for buying real-life things, it loses its anonymity (if it had any).

Clive Robinson March 29, 2022 10:36 AM

@ Who?, SpaceLifeForm,

In fact, there is no anonymous form of money and will never be. As soon as you use money for buying real-life things, it loses its anonymity (if it had any).

Oh dear I don’t think you actually understand transactions.

Transactions are based on the notion of transferable value, where value is indeterminate or fluid. The reality is anything can stand in for value providing those involved in the transaction agree.

So the value can be in,

1, Goods (physical objects).
2, Services (work undertaken).
3, Information (written etc).

In general what we call “money” is in fact a normalisation of “services” that represent labour / work. And is in either “goods” such as physical objects like coins, or in “information” such as financial instruments such as promissory notes that form contracts like bank notes.

Coins and their equivalent originated from their inherent value such as being an ounce of gold, silver or other “precious” metal etc that substituted for other goods that might be “bartered”. As they had inherent “real value” that did not change, they needed no unique identifier, just a way to ensure its inherent value easily (hence not just by weight and volume, but by minting and milling).

Financial instruments have no inherent or real value, they are just “information”. That is “impressed” on matter or in more recent times modulated on energy. Being inherently worthless the value is by contract, which had to be unique in some recognisable way to prevent crime.

Bank notes are promissory notes meant to replace coins, that is they have a “face” or “fiscal value” standing in for inherent or “real value” and are generally made to look the same, that is like a coin’s minting and milling, but… Also be unique to limit crime, usually by their bank note number or other “serial” mark.

In theory both coins and bank notes are traceable by contact or “trace evidence”[1], however with time and further contact such evidence reduces below some threshold beyond which it can not be reliably measured[2]. This is often called the “noise floor” these days from work in “information theory” carried out in the couple of decades preceding 1960. Whichever way you look at it contact trace evidence is ephemeral in line with basic laws of both physics and probability of information theory and also more importantly common sense logic.

The only way to ensure that the use of a financial instrument remains is by having a reliable audit process.

With bank notes that would be by recording the note serial numbers as part of an auditing process.

Whilst such audit processes are extending their reach, they rapidly become unreliable or not carried out when low cost technology is not involved.

That is not only is it unlikely that you can tell me the serial numbers of the used bank notes in your wallet, it’s just as unlikely that you can say which of say three $10 notes you were given by whom at the end of a day long “cash only” shopping trip where the high denomination new notes you got from the bank the day before get broken down as change from purchases you make.

The usual way criminals get caught is they “talk their way into jail” directly or indirectly. If they don’t do that, it’s next most likely to be behavioural mistakes. In the case of financial transactions it’s because they use traceable payments like credit / debit cards or cheques which are all “financial instruments” that are directly traceable. Or they show abnormal bank withdrawals or similar that come up under audit of bank records etc.

Live by cash and be erratic makes finding audit trails at best difficult. If you think a little further, you can see why criminals can have very large stashes of heavily used bank notes tucked away in all sorts of odd places.

That is you need say half a million to buy certain not legal commodities, you are not if you have got any sense going to take money out of the bank, but from a hidden “float” you have stashed away that you might have built up bit by bit over a year or more so it is what some call “untraceable”.

So “cash” especially coinage even bullion coinage, if acquired cautiously remains anonymous. One good way to ensure it is anonymous is by trading it in some way. If you make say custom jewelry you have many precious metals and stones moving through your hands. Whilst large “gem stones” of high value are getting serial numbers cut in them with lasers not all are and uncut diamonds can become cut diamonds without getting serial numbers put on them if you know the right people.

Yes it gets harder to hide transactions as the years go on due to the dropping in price of technology, but we are still a very long way away from making the laundering of money in coins and bank notes impossible.

When I go out with friends for a meal one frequently pays on plastic and I will give them the cash balance, as I pay the tip in cash. Not because I want to turn waitresses into criminals, but to stop their bosses stealing from them…

[1] Contact evidence is based on Locard’s Exchange Principle that whenever two objects come into physical contact they exchange evidence of the contact,

https://science.howstuffworks.com/locards-exchange-principle2.htm

[2] Every measurement is a “test” and as such it is not just inherently inaccurate it lacks sensitivity or specificity. Which means you have Type I and Type II errors, or false positive and false negative,

https://www.formpl.us/blog/type-errors

As nature is inherently noisy the less of a signal you have the greater the potential for either type of error. But also simple logic tells you that “if there is an exchange on contact”[1] each subsequent contact removes some of the trace from the first contact thus reducing the signal, but also adds new trace thus increasing the noise floor. At some point the original signal can not be differentiated from the noise. Thus the physical trace is not just ephemeral but effectively suffers from continuous exponential decay. Combined, this means that within just a very few contacts any traceability is beyond measure.

olga March 29, 2022 2:09 PM

SpaceLifeForm, Clive:

Some trade-offs seem unavoidable here. If one accepts the constrained environment of a SecurID token—one-way communication via a human intermediary—one can’t do much better, cryptographically, than SecurID already does (because who wants to type 40+ hex digits every time?). Operationally, though, avoiding the buildup of “toxic waste” (a term previously used by Bruce to refer to private data of others) is important. Anyway, I don’t accept these constraints. If they made sense in the early days of SecurID, those days are long past: smartcards have done battery-free public-key authentication for at least 20 years (notably, OpenPGP and EMV cards, the latter proving they can be user-friendly and manageable at scale).

There are risks to USB and radio interfaces, and costs to avoiding or mitigating those risks. Realistically, almost all environments have accepted those risks by providing wi-fi, and there’s significant benefit to being able to bidirectionally pass more than 6 digits. Some ways to do this without USB or radio: contact-based smartcards, audio-based communication, RS232. “Clock” is a broad term that, in computer science, could encompass even simple counters and timers (some systems measure communication delays in nanoseconds to ensure the token is within a metre of its counterpart, so as to avoid replay attacks). I agree these things aren’t simple, but as I wrote above, better-than-SecurID implementations existed 20 years ago.

Clive, can you be more specific about “your claims of ‘backdoor’ are not supported by your observations and the arguments you make from them”? RSA could have destroyed their copy of the key material immediately after programming the token and encrypting it to the customer’s private key (or printing it and sealing it in a tamper-evident envelope, or whatever). Nothing in the protocol required them to remain involved. They chose to keep the secrets, for “customer support” reasons according to your message. By what definition is that not a backdoor? It’s not exactly secret, though some people seemed surprised, and the Clipper chip was called “backdoored” by cryptographers despite the overtness around it.

JonKnowsNothing March 29, 2022 5:03 PM

@ olga , @SpaceLifeForm, @Clive

re: Some trade-offs seem unavoidable …

Then you have no security…

Any trade off is a weakness in the system and exploitable attack area.

If you are running down the “Risk Analysis” road, again you have no security because you are willing to accept “some risk” that the system will fail.

There are 2 issues:

1) Either you know your system is attack proof because you did all the relevant tasks to make it so
Or
2) You are guessing that your system is attack proof because (fill in the blank)

a) Guessing == Risk Acceptance there are defined-known or undefined-not known points of failure
b) Security == Understanding where the fail points are and plugging them.

A further problem, is that under the current setup of HW/SW there is always someone bigger than you or smaller than you that will do everything they can to make sure that Security is synonymous with the word Failed.

It’s a similar problem to using a B-Tree for Testing Failures. We want to go down every branch to the end because humans like to get to the bottom.(1) But once a failure point is found anywhere other than the end node, there really isn’t much point of going down the rest of that line.

Once your security system hits any failure, it’s failed.

===
1) In the never ending battle between QA and Development, programmers want many bugs listed on a rejection and not just the one at the rejection node. Their thinking is

  • I can fix a bunch of bugs at one time; (because I don’t do unit testing any more than I write documentation)

Whereas the error condition invalidates the entire line after the error. It doesn’t matter how many other bugs are found below the failure point because every time the developer rewrites the code at the initial fail point, they also introduce new errors below that point.

So what’s the point of doing testing on code below the fail point that is going to be ripped out?

There isn’t any except, companies like to pay $$$ for you to do it and programmers get to shovel their buggy code onward to a junior programmer to fix.

Clive Robinson March 29, 2022 5:35 PM

@ Olga, SpaceLifeForm,

First things in reverse,

The Clipper chip was very definitely backdoored, and very much by overt design, and can not be argued otherwise. That is what the “Law Enforcement Access Field”(LEAF) was all about. Also as it turns out it was doubly backdoored possibly by accident but more probably by somebody’s covert design.

Look up Matt Blaze and his investigation that showed how to bypass the LEAF control because the field size was way too small, thus so was its work factor. Thus the NSA and others “in the know” could use Clipper without the LEAF being functional, thus turning the overt backdoor off covertly, making their communications via Clipper secure from the LEAF overt user security bypass…

Which brings us onto the RSA issue.

The problem with saying that the RSA token is backdoored is a lot different. It’s built to a published specification and as far as I’m aware it functions the way described. The spec has had “many eyes” look it over and are content with the way it works. As these people are from all different places around the world, it would appear unlikely they are all colluding.

Thus any deliberate covert backdoor would have to be something rather special to evade all their eyes. The problem with that is bad as the RSA implementation might be considered, it’s actually stronger security wise than just about everything else in use…

How do I put it politely, looking back historically, as far as I can see every MS Win NT OS version has been continuously vulnerable one way or several. Thus the only question would have been “Who knew of the vulnerabilities and when?”. That is the “zero day question” of “Cyber-Weapons”.

That is based on history all the current MS OS’s have a very high probability of having serious security vulnerabilities. It’s just a question of who knows them and when they found or were informed of them. Likewise all of the Apps in the MS OS that have any kind of connectivity access.

So the only way to make an MS environment –or any other consumer level OS/Apps– secure is by the mitigation of “segregation” by “total isolation”. That is if no entity can get to it via any kind of connectivity local or otherwise then they can not attack it. Such levels of isolation are at best impractical with most modern motherboards, and probably impossible to achieve in most normal environments (rumour has it that Win11 will not be able to run “off-line” not just by default but by deliberate design).

But it’s not just MS OS’s that have this problem, the same can be said for nearly every other consumer grade OS with user Apps on board running on consumer oriented hardware. The nonsense currently coming out with Google’s Chrome and Android products, shows without doubt they have been quite deliberately backdoored by design for Google to make profit.

So putting a clever backdoor in the RSA tokens that only run on consumer OS and consumer Hardware level systems would be as we say in the UK “gilding the lily”. Because a sophisticated attacker could if they can get connectivity to the consumer level computer easily bypass the system security and get access to the required “seed values” for any and all users’ tokens on that system. Once you have those you can access any server that a given token works with, you don’t need to attack the RSA database.

The reason the customer “seed value” database exists, is as I said it ensures that the seed values are unique, or at least unique within an owner’s domain.

But also the “customer support” issue… If you do not put a new seed value on a token, then you have the backup of RSA Customer support database when the server you are responsible for goes belly up and you have to rebuild it (as frequently happens with some consumer OS level Servers).

Users being (ab)users at the best of times, servers get felled like daisies in a hurricane.

Those (ab)users are known to be impatient at the best of times and woe betide any SysAdmin saying things were held up by “RSA Customer Support”, as the tokens are generally hated by (ab)users who also see “Single Sign On”(SSO) as an affront to their ability to get their job done and their bonus earned.

So using RSA Customer Support as the equivalent of “Online bullet proof backup” would be very appealing.

Especially when,

1, Changing token seed values needs some hardware, and a process that whilst not difficult is less easy than leaving the RSA supplied defaults.

2, Changing seed values carries way more responsibility than leaving things the way RSA supplied the token defaults.

RSA senior management came to look on it as just another “revenue stream” to be optimised for “Shareholder value” and did not consider the issue of,

“Having all your eggs in one basket on a table that can easily be toppled over.”

But… can you argue RSA designed it originally as a backdoor? Not really because they did not put the required failings in place until later, much later than you would have expected if that were the case.

If you want to argue that RSA backdoored their other Crypto Software, now there is evidence for the fact they did that with the NIST RNG standard. In that they took a large handful of cash to give priority to the NSA Back-Doored algorithm. If they knew the NSA recommended DRNG algorithm was backdoored or not is irrelevant. The “bribe” alone should have made them deeply suspicious, but for some reason they chose to fail to look…

Somebody else did, and now as they say, that NIST “approved NSA algorithm is toast”.

Have I made that sufficiently clear?

ResearcherZero March 29, 2022 6:19 PM

@lurker

The only language I ever heard coming out of Canberra back when we were delivering intelligence reports and risk assessments was,

“Oooooo, that’s a hot potato!”

They probably all went in the bin. Certainly few showed up for briefings and it was clear not many were listening.

Does not look like much has changed:

An outgoing Liberal senator has unleashed on Prime Minister Scott Morrison, branding him a manipulator who uses his faith as a “marketing advantage”.

“He is adept at running with the foxes and hunting with the hounds, lacking a moral compass and having no conscience,”

“There is a putrid stench of corruption emanating from the NSW division of the Liberal party,”

“I have received hundreds if not thousands of emails outlining their disgust. They have lost faith in the party. They want to leave,”

“By now, you might be getting the picture that Morrison is not interested in the rules-based order, it is his way or the highway, an autocrat, a bully, who has no moral compass,”
https://www.theleader.com.au/story/7678873/not-fit-to-be-pm-outgoing-liberal-senator-lashes-morrison-as-manipulator-bully/

The U.K. isn’t looking too flash either:

“The move by the Metropolitan police was seen as clearcut confirmation of lawbreaking at the heart of government, yet Downing Street provoked fury and derision by refusing to accept that the fixed-penalty notices meant the rules had definitively been broken.”
https://www.theguardian.com/politics/2022/mar/29/partygate-new-threat-to-boris-johnsons-leadership-as-met-fines-20-over-scandal

ResearcherZero March 29, 2022 6:44 PM

@lurker

I could post all the Intelligence and Security Committee reports into Russian infiltration of politics, Neo-Nazi groups, and Putin’s plans dating back to the 1990’s, but there is an awful lot of it.

Some commentators in the media have stated, “The West and the United States are slowly waking to a new, cold realization that Putin is not someone you can deal with, as many in Berlin, Paris, London, and Washington wrongly believed.”

but The West has always known:

In the 1990s, an inner-circle of Generals and political scientists wrote a manifesto outlining Russia’s goals over the coming decades. They’re falling into place.
https://www.news.com.au/world/europe/1990s-manifesto-outlining-russias-plans-is-starting-to-come-true/news-story/343a27c71077b87668f1aa783d03032c

Dugin’s theory of “geopolitical Eurasianism” involves a revival of the Russian empire that includes Communist China and various Islamic elements such as a nuclear Iran.
https://n01r.com/wp-content/uploads/2022/01/Foundations-of-Geopolitics-Geopolitical-Future-of-Russia-Alexander-Dugin-English-auto-translation-with-appended-original.pdf

James Clapper, the US Director of National Intelligence, has been instructed by the US Congress to conduct a major review into Russian clandestine funding of European parties over the last decade.

The US intelligence review will examine whether Russian security services are funding parties and charities with the intent of “undermining political cohesion”, fostering agitation against the Nato missile defence programme and undermining attempts to find alternatives to Russian energy.
https://www.stopfake.org/en/russia-accused-of-clandestine-funding-of-european-parties-as-us-conducts-major-review-of-vladimir-putin-s-strategy/

original (paywalled)

Russia accused of clandestine funding of European parties as US conducts major review of Vladimir Putin’s strategy
http://www.telegraph.co.uk/news/worldnews/europe/russia/12103602/America-to-investigate-Russian-meddling-in-EU.html

‘Hot potato’

“government made no effort to investigate Russian interference in the EU referendum”

Much of the “highly sensitive” detail was not published due to fears Russia could use the evidence to threaten the UK.
https://www.bbc.co.uk/news/uk-politics-53484344

REDACTED Intelligence and Security Committee Russia report 2

https://isc.independent.gov.uk/wp-content/uploads/2021/03/CCS207_CCS0221966010-001_Russia-Report-v02-Web_Accessible.pdf

“make the world safe for autocracy”

Then there is the countless articles and assessments of widespread Russian infiltration into Neo-Nazi organizations across the globe, Malign Finance, and Putin’s goal to “make the world safe for autocracy.”
https://www.theatlantic.com/international/archive/2016/12/russia-liberal-democracy/510011/

It may be too early to sound alarm, but the formation of a Russia-backed far right international movement that will have a military component may become a serious challenge to democratic societies in Europe.
https://www.interpretermag.com/russian-politicians-building-an-international-extreme-right-alliance/

Hungarian intelligence officials told a parliamentary committee in Budapest that Mr. Gyorkos had for years been under scrutiny for his role in a network of extremists linked to and encouraged by Russia. So close was the relationship, the committee heard, that Russian military intelligence officers, masquerading as diplomats, staged regular mock combat exercises using plastic guns with neo-Nazi activists near Mr. Gyorkos’s home.
https://www.nytimes.com/2016/12/24/world/europe/intent-on-unsettling-eu-russia-taps-foot-soldiers-from-the-fringe.html

Deep in the forests of Slovakia, former Russian Spetsnaz commandos trained young men from a right-wing paramilitary group called the Slovak Conscripts. Following Russia’s invasion of Ukraine in 2014, some of these freshly-minted paramilitaries went to fight with Russian forces in eastern Ukraine while others stayed at home to agitate against NATO as a “terrorist organization.”
https://www.theatlantic.com/ideas/archive/2018/08/russia-is-co-opting-angry-young-men/568741/

The plan, he said, would trigger the relocation to the Pacific north-west of the white population in the United States.
https://www.theguardian.com/world/2020/jan/23/revealed-the-true-identity-of-the-leader-of-americas-neo-nazi-terror-group

“Attending this paramilitary camp in St. Petersburg was a key step in Melin and Thulin’s radicalization,”
https://www.thedailybeast.com/russian-extremists-are-training-right-wing-terrorists-from-western-europe

David Duke spent considerable time in Russia
https://web.archive.org/web/20161101103320/http:/www.radixjournal.com/journal/2016/10/28/beyond-nato

Russian spies in Western Neo-Nazi organisations
https://www.politicalcapital.hu/pc-admin/source/documents/PC_NED_country_study_AT_20170428.pdf

and finally the Republican Party has completely lost the plot:

“Leery of the base, they are avoiding — and in some cases, rejecting — the tough-on-Russia rhetoric that once defined the Republican Party.”

Carlson has had a profound effect on how Republican candidates talk about the Russia-Ukraine issue, according to GOP operatives working on primary races.
https://www.axios.com/tucker-carlson-fueled-republicans-drop-tough-on-russia-stance-7311d46f-49fc-47b5-af46-f365c4e7809d.html

olga March 29, 2022 7:11 PM

Clive:

Have I made that sufficiently clear?

Sorry, not entirely.

The problem with saying that the RSA token is backdoored is a lot different. It’s built to a published specification and as far as I’m aware it functions the way described.

So did Clipper; even if the full specifications weren’t public, the nature of the backdoor was. The “double-backdoor” is interesting, in more ways than one (who could’ve expected people would overlook the weakness of a 16-bit checksum?—is someone playing “Sicilian mind games” à la The Princess Bride?), but I’m sure that’s not what anyone meant when they said it was backdoored. Nor did they mean Skipjack was weak (which we learned it kind of was, after declassification, but probably not “intentionally backdoored” weak).

To be precise, I should say that it wasn’t the tokens that were backdoored, it was the larger system of which they were a part. And I mean that we have a security-related interaction between parties A and B (encryption, authentication, whatever); that the security of that interaction can be broken by some other party C; and that it was intentionally designed as such. I’m explicitly not requiring cleverness or covertness in this definition. Nor does it matter to me whether a system was originally designed with a backdoor; if someone other than A or B starts saving private keys later, it becomes backdoored.

(Some alternate definitions require a backdoor to be secret, meaning key-escrow would not have been considered a backdoor in Clipper.)

The reason the customer “seed value” database exists is, as I said, that it ensures that the seed values are unique, or at least unique within an owner’s domain.

What am I missing here? This makes no sense to me. If there’s enough entropy, there’s less than a 1 in 2^100 chance of duplication. No reasonable cryptographer, to my knowledge, has ever suggested maintaining and checking a key database to avoid this tiny chance. The conclusion that the database would add more risk than it removed seems inescapable.

But also the “customer support” issue… If you do not put a new seed value on a token, then you have the backup of RSA Customer support database when the server you are responsible for goes belly up and you have to rebuild it (as frequently happens with some consumer OS level Servers).

I think you’re conflating two separate things here. I’m saying there’s a backdoor, as defined above, not saying that backdoored crypto never makes things easier.

We may have to agree to disagree on the merits of this. If one is bad at backups, and one’s server goes belly-up, it might seem handy that there’s a third party with a copy of the token data. Except, it’s only the token data. What about the rest of the user data? Usernames, passwords, security IDs, group memberships, not to mention the data all this stuff was meant to protect. If that’s gone, the token data does no good, and paying for 10,000 new tokens will seem a minor expense; if it’s not gone, why couldn’t the token data have been preserved in the same way? Why’s this any harder to deal with than the shared symmetric keys used by Kerberos a.k.a. Active Domain?

1, Changing token seed values needs some hardware, and a process that, whilst not difficult, is less easy than leaving the RSA supplied defaults.

2, Changing seed values carries way more responsibility than leaving things the way RSA supplied the token defaults.

I’m skeptical that these are sufficient justification for RSA’s design decisions. “Way more responsibility”? It would be up to RSA to supply provisioning software and hardware that are easy to use and secure, and I don’t think that would be prohibitively expensive or difficult. Per the last paragraph, I don’t count backups as an “extra” responsibility of much significance.

The “bribe” [to RSA for making Dual_EC_DRBG the default] alone should have made them deeply suspicious, but for some reason they chose to fail to look…

I basically agree with you on this, but “bribe” is a loaded word. If we called it a “payment for custom engineering to meet government cryptographic standards”, it might be perceived differently. And the business and marketing people might have even believed that, which to me is irrelevant: a company founded on strong cryptography pushed obviously questionable crypto, whether for malice or greed or incompetence. (Daniel R. L. Brown caught the weakness within 3 months of the draft being published; it wasn’t subtle.)
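The birthday-bound arithmetic behind the “enough entropy” point above, as an added worked example (mine, not olga’s, Clive’s or RSA’s code): it computes the chance that any two of n independently generated seeds of a given size coincide, and the seed size needed to keep that chance under a target such as 2^-100. The seed sizes and fleet sizes used are illustrative assumptions, not RSA’s actual parameters.

```python
"""Birthday-bound arithmetic for the "unique seed values" argument.

Added example, not part of the original thread and not RSA's code. It
quantifies how likely two independently generated token seeds are to be
identical, which is the question behind whether a central seed database is
needed to guarantee uniqueness. Seed sizes and fleet sizes are assumptions
chosen for illustration only.
"""
import math

# Above this many seeds the exact product is replaced by its series expansion.
EXACT_LIMIT = 1_000_000


def collision_probability(n_seeds: int, seed_bits: int) -> float:
    """Probability that at least two of n_seeds independent, uniformly random
    seed_bits-bit seeds are identical (the birthday problem).

    Computed in log space so that values around 2**-100 do not underflow.
    """
    if n_seeds < 2:
        return 0.0
    space = 2 ** seed_bits
    if n_seeds > space:
        return 1.0  # pigeonhole: more seeds than distinct values exist
    if n_seeds <= EXACT_LIMIT:
        # ln P(no collision) = sum_{i=1}^{n-1} ln(1 - i/space), summed exactly.
        log_no_collision = math.fsum(
            math.log1p(-i / space) for i in range(1, n_seeds)
        )
    else:
        # Second-order expansion of the same sum, ln(1-x) ~ -x - x^2/2,
        # accurate whenever n_seeds is small relative to the seed space.
        n = n_seeds
        first = n * (n - 1) / (2 * space)
        second = (n - 1) * n * (2 * n - 1) / (12 * space * space)
        log_no_collision = -(first + second)
    return -math.expm1(log_no_collision)


def min_seed_bits(n_seeds: int, max_probability: float) -> int:
    """Smallest seed size (bits) at which a fleet of n_seeds random seeds has
    collision probability no greater than max_probability."""
    for bits in range(1, 1025):
        if collision_probability(n_seeds, bits) <= max_probability:
            return bits
    raise ValueError("no seed size up to 1024 bits meets the target")


if __name__ == "__main__":
    target = 2 ** -100
    # Constructed scenarios: one customer's fleet, a vendor-wide fleet, and a
    # deliberately entropy-starved seed (the only case a database would "fix").
    scenarios = [
        ("one customer, 128-bit seeds", 10_000, 128),
        ("vendor-wide, 128-bit seeds", 40_000_000, 128),
        ("entropy-starved, 32-bit seeds", 100_000, 32),
    ]
    for label, n, bits in scenarios:
        p = collision_probability(n, bits)
        print(f"{label:32s} n={n:>10,d}  P(collision)={p:.3e}")
    for n in (10_000, 40_000_000):
        print(f"bits needed for {n:,d} seeds at P<=2^-100: {min_seed_bits(n, target)}")
```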

JonKnowsNothing March 29, 2022 9:08 PM

@All

On Friday April 1, 2022 (not an April Fools) the UK will dismantle much of the science and reporting systems they have built over the last 2.5 years. Groups and funding are cut and any remaining reporting will have long delays.

So along with the No Free COVID Testing in the UK and the No Free Parking for NHS Staff the UK Weather folks have decided that due to Global Warming, the definition for “heat wave” will be +1C or +1.8F degrees higher than current level.

So if you were in a heat wave in the UK last summer, you might very well be in an arctic blast with the same temperature on the thermometer.

  • Heat Waves threshold change
  • UK 26C / 78.8F — 27C / 80.6F
  • UK 27C / 80.6F — 28C / 82.4F

Down in the hot lands of California, those are our winter temperatures.

  • HOT 112F / 44.444C
  • HOT 114F / 45.455C
  • HOT 116F / 46.667C

They might open the cooling-centers @114F/ 45.455C but they may wait for 116F. Cooling centers are the big malls. After the shops close and cage doors are locked, they let people bring in sleeping bags to camp on the floor. (1)

This is not the same sort of street camping that gets police attention with a person’s property being slashed and trashed.

===

1) Bring your own self inflating air mattress or camping ground pad.

ResearcherZero March 29, 2022 10:44 PM

“Based on the evidence, the Court finds it more likely than not that President Trump corruptly attempted to obstruct the Joint Session of Congress on January 6, 2021.”
https://news.yahoo.com/federal-judge-calls-illegality-trump-171312878.html

Eastman acknowledged his argument “was contrary to historical practice” and said in his memo “we’re no longer laying by Queensbury Rules.”

Carter, the judge, ruled that Eastman was aware his plan violated the Electoral Count Act.

“Dr. Eastman likely acted deceitfully and dishonestly each time he pushed an outcome-driven plan that he knew was unsupported by the law,” Carter wrote.
https://edition.cnn.com/2021/09/21/politics/read-eastman-memo/index.html

ResearcherZero March 29, 2022 10:56 PM

“As of October 2021, US election officials in at least nine states received invoice-themed phishing emails containing links to websites intended to steal login credentials.”

“If successful, this activity may provide cyber actors with sustained, undetected access to a victim’s systems,”
https://www.ic3.gov/Media/News/2022/220329.pdf

Clive Robinson March 29, 2022 11:13 PM

@ JonKnowsNothing,

With regards,

On Friday April 1, 2022 (not an April Fools) the UK will dismantle much of the science and reporting systems they have built over the last 2.5 years.

It’s actually been going on for the past few weeks and months.

The “official” reported “symptoms” are probably two years out of date… With the real most prevalent symptom recorded independently being “runny nose” for OmBA2.

As far as we can tell, 7% of the UK pop have Om, with BA2 about 15-30 times more prevalent than BA1.

We also have the greatest prevalence we’ve ever had with it still rising in all but N.I. With some saying next week it will possibly peak between 1 in 10 (10%) and 1 in 13 (7.5%)…

What we don’t know “yet” is what the mutation rate is. As you’ve indicated there are some Om/Del hybrids appearing, but their virulence and pathogenicity are unknown. But with OmB2 being at least as virulent as measles a new hybrid is going to find it hard to make headway, but it could, and also have a higher pathogenicity.

As for the “herd immunity” notion, in the UK, in the age range that is not vaccinated, we are at 80% having antibodies (from natural infection). Yet the infection rate is still rising… Which suggests all the HIP figures thrown around in the past were a complete nonsense and that HIP is likewise nonsense for a novel pathogen.

As for the effectiveness of a third/booster shot, it’s maybe 65% with the result there is a significant rise in infections in the over fifties.

But the funding cuts are hitting the independent data collector analysers and questions are starting to be asked about the reporting from the UK “National Audit Office”(NAO)…

That is nobody is saying the information the NAO is publishing is “inaccurate” but it is a very long way from being sufficient to draw meaningful answers to important questions from.

For instance I’m caught in a kind of limbo where one part of the “health system” says I’m high risk and should have a booster. Yet another part of the “health system” says “Blood clots in the heart within 4 weeks of 2nd vaccine shot” no booster shot for you… The data I need to make a meaningful decision from, we know is in the input data set the NAO collects, but they do not provide it in their output analysis set…

With funding being withdrawn especially from independent analysis I for one am almost certainly likely to come to harm for want of information.

But another deficient data area is Long Covid, it’s estimated that over 1.5million in the UK have it that’s 2-2.5% of the population that have been debilitated for 12 weeks or more… The trouble is these are a “self reporting group” which means that in all probability they are the ones with the worst symptoms. With the consequence that those with milder symptoms are “struggling through” almost certainly doing irreparable harm to not just their long term health and quality of life, but also life expectancy…

ResearcherZero March 29, 2022 11:38 PM

@Clive Robinson @JonKnowsNothing

I hate to tell you this, but Australia has been well ahead of the U.K. for decades. It started dismantling and mothballing our quarantine facilities and the quarantine department in the 1990’s (brand new facilities at the time), then moved on to our scientific organisations and began systematically de-funding them and firing staff.

Cleverly, the government also fired most of our permanent fire fighters in regional areas, and also de-funded our emergency services.

Which is unfortunately not really a laughing matter for those now affected.
Though the politicians have certainly had a good laugh about it, with many a joke in the parliament over the years.

Australia surely is “The Lucky Country”

As New South Wales floods again, costs revealed to top $6bn

https://www.theguardian.com/australia-news/2022/mar/29/australia-federal-budget-2022-flood-recovery-spend-6bn-four-years-nsw-queensland-floods-disasters-lismore-northern-rivers-south-east-qld-emergency-response

The latest rainfall research on Australia reveals how heavy and quick rain storms are intensifying more rapidly than expected.
This means more flash floods, severe water surges in urban areas and bigger dry and wet extremes in general.

…the amount of water falling in thunderstorms is increasing at a rate two to three times higher than expected, with the most extreme events showing the biggest increases.
https://www.news.com.au/technology/environment/climate-change/scientists-warn-intensity-of-australian-storms-has-more-than-doubled-and-could-get-worse/news-story/e66014d4d8149f163bff43ac8c6fc1bc

For well over 20 years, scientists have warned that climate change would increase the risk of extreme bushfires in Australia.
https://www.climatecouncil.org.au/not-normal-climate-change-bushfire-web/

Increased risk to Australian banks
https://www.rba.gov.au/publications/bulletin/2021/sep/climate-change-risks-to-australian-banks.html

Insurance giants IAG and QBE are calling for a debate about the planning and development of housing in flood-prone areas, as the industry faces a long-term rise in costs from natural disasters.
https://www.smh.com.au/business/banking-and-finance/insurance-giants-back-planning-debate-as-flood-costs-mount-20220304-p5a1ua.html

October 3, 2011

Climate Change and the End of Australia

“In many ways, it is a disaster of biblical proportions,” Andrew Fraser, the Queensland state treasurer, told reporters. He was talking about the floods in his region, but the sense that Australia – which maintains one of the highest per-capita carbon footprints on the planet – has summoned up the wrath of the climate gods is everywhere. “Australia is the canary in the coal mine,” says David Karoly, a top climate researcher at the University of Melbourne. “What is happening in Australia now is similar to what we can expect to see in other places in the future.”

Over the course of just a few weeks, the continent has been hit by a record heat wave, a crippling drought, bush fires, floods that swamped an area the size of France and Germany combined, even a plague of locusts.
https://www.rollingstone.com/politics/politics-news/climate-change-and-the-end-of-australia-238860/

[Insert image: Scott Morrison laughing in parliament]

Winter March 30, 2022 12:49 AM

Real internet crime:

In Brazil, your internet provider may be a mobster, cops say
ht-tps://www.reuters.com/business/media-telecom/brazil-your-internet-provider-may-be-mobster-cops-say-2022-03-28/

The people and documents described an audacious takeover of internet service in dozens of neighborhoods in Brazil’s major cities by companies associated with alleged criminals unafraid to use force and intimidation to push out rivals. The result, these sources said, is that tens of thousands of Brazilians now depend on unreliable, second-rate broadband networks estimated by industry and law enforcement officials to be generating millions of dollars annually for purported crooks.

Bootleg providers can be unresponsive when service crashes and impatient when a bill is missed, some customers told Reuters. In Rio’s working-class Campo Grande neighborhood, a resident described how someone knocks on his door monthly to collect 35 reais ($6.80) – in cash.

There’s “pressure to pay on the day that they choose with no delay,” said the customer, who requested anonymity for fear of retaliation.

ResearcherZero March 30, 2022 2:08 AM

Russell Ramsland Jr. and his associates at Allied Security Operations Group began giving presentations to conservative lawmakers, activists, and donors that said audit logs in voting machines, the mechanisms that document the machine’s activity, had indications of manipulation beginning in late 2018.

Powell has used Ramsland’s assertions in lawsuits that she filed on behalf of Trump and Giuliani, and has publicly made some of the assertions that started with Ramsland.

The allegations about voting systems and fraud made by Ramsland and ASOG were unsubstantiated and widely debunked by data-security experts.
https://www.yahoo.com/entertainment/trumps-election-fraud-claims-traced-063920631.html

Using the Fox News channel Roger Ailes created with Rupert Murdoch, Ailes played a singular role in changing the political media landscape. Attuned to the anxieties of white America, he influenced conservative politics, amplified messages and picked winners.
http://smh.com.au/business/media-and-marketing/roger-ailes-the-man-who-mined-a-divided-america-paving-the-way-for-trump-20170518-gw8c9i.html

During the 1990’s, Sidney Powell met with a Russian intelligence officer while visiting Perth, Western Australia with Roger Ailes.
She refused to answer questions put to her by officials from Australian intelligence agencies about her meeting with the Russian intelligence officer.

If you want to organise something quietly, it’s about as far away and as quiet as you can get, and a hotbed for foreign interference.

ResearcherZero March 30, 2022 2:33 AM

The Ukrainian Security Service (SSU) has announced that since the start of the war with Russia, it has discovered and shut down five bot farms with over 100,000 fake social media accounts spreading fake news.

seized:

100 sets of GSM gateways
10,000 SIM cards for various mobile operators to disguise the fraudulent activity
Laptops and computers used for controlling and coordinating the bots

https://ssu.gov.ua/novyny/z-pochatku-viiny-sbu-likviduvala-5-vorozhykh-botoferm-potuzhnistiu-ponad-100-tys-feikovykh-akauntiv

Don’t use default usernames and passwords on ya UPS ya knobs says CISA
https://www.cisa.gov/uscert/ncas/current-activity/2022/03/29/mitigating-attacks-against-uninterruptable-power-supply-devices

Clive Robinson March 30, 2022 6:47 AM

@ ResearcherZero, JonKnowsNothing,

I hate to tell you this, but Australia has been well ahead of the U.K. for decades. It started dismantling and mothballing our quarantine facilities and the quarantine department in the 1990’s

I thought @JonKnowsNothing was only talking about “covid” with the 2.5 year marker.

If you are talking about the longer term, well I’m old enough to remember the 1970’s and not just the Vietnam war footage on TV, but only being able to see it three or four nights a week and reading books huddled in blankets due to the power cuts.

Vietnam was not the only war visible in my then young life, there was a power struggle between the Government and those who did manual work, and the Government was visibly losing and for good reason[1]. It affected others rather more strongly than it did me. One such was Margaret Thatcher the so called “milk snatcher”. As she gained power she started an internal almost civil war against “the workers” which she paid for by “cutting services”, “Selling off national assets”, “market liberalisation”, “anti-worker legislation” and much more. The thing is “slash and burn” applies to much more than agriculture, it applies to all types of production. So though her policies appeared to be successful they were anything but. They were in fact a complete disaster. The same applies to Reaganomics and other such nonsense, such as the “free market” and all that neo-con claptrap pushed by the likes of the Chicago School of Economics into MBA’s via silly mantras of “not leaving money on the table” and much more.

So yes the “war on resilience” to build private war chests to fight a slow burn civil war that few are even aware of due to much propaganda, has been building apace since the end of WWII and took a significant upturn in the 1980’s, which is what you are seeing part of in retrospect.

However based on predominant history it will only come to an end with WWIII. Usually the side to come out worst from such conflicts, is the one that appears to have the bigger wealth as seen by others at the outset. So WWIII will be about the US and its conspicuous consumption, then other parts of the West. It will as in all wars destroy much that has built up, some at the bottom will see improvements, but they will be fractional compared to the losses.

Thus “ratchet step by ratchet step” humanity spirals downwards and destroys itself…

As no doubt @Winter can point out this war cycle will continue to happen as long as we or those we put in power venerate those of the “Dark Triad” (narcissism, sadism, socio/psychopathy). There is a maths game that is used to illustrate some of the core concepts, look up the “Hawks and Doves” and successor models. Surprisingly they are not that difficult to get your head around. One thing that comes out of it is “short-termism” especially of “slash, and burn” to “run with the profit” is always at the expense of the long-termism of survival. That is long-termism takes the excess today and invests it in the future thus not only builds itself, but builds resilience against the natural swings and random perturbations of existence. In short “Robbing and destroying the now, kills the future” with no way out in a “bounded and finite environment” that the world is.

[1] It started with the “Beer and fags for the boys” policy after WWII, Britain was destroyed, more thoroughly by “the war effort” than it was by German bombs and terror weapons. Basically every part of manufacturing and transport was completely knackered or too out of date and inefficient to be of use to rebuild the economy and make the switch back from “war work” to “piece-work” in factories and the like. The country was actually starving to death, and if it had not been for the ordinary people in the US sending countless numbers of food parcels I suspect my parents would have starved along with thousands of others. There was a fundamental reason that food rationing was still happening in Britain even in the 1950’s, as a nation Britain was entirely bankrupt, our treasuries and industries gone and not replaceable, and we could not grow sufficient food to feed ourselves as our population was too large. When Britain got support from abroad via the George C. Marshall plan, the British Politicians then in power unfortunately decided to waste it on providing quick fix cheap consumables rather than rebuild industry, national infrastructure and thus a functioning economy. US Politicians however still assumed that Britain was sitting on vast wealth from the Empire and wanted it effectively as their slice of war reparations. But Britain did not have vast piles of treasure hidden away it was sitting on nor had it been. The British Empire lasted as long as it did because it was mainly a “Trading Empire” not a “Parasitic Empire”. Britain sustained its wealth from two things, industrial processes and trade. We imported raw materials and energy, and turned out “value added” goods in return, and we lived off the difference. Such apparent wealth is not based on vast troves of treasure, but economic churn and the differential you create by hiding information (the real “hidden hand of the market” is deception, fraud and theft but it keeps the merry-go-round running).

So what the British Politicians failed to do in not restarting the economy was a death sentence. Made worse by US politicians like conquistadors of an earlier age seeking fabled mountains of gold and finding only rocks.

The sad thing is the “conquest” element of the “empire” was caused by what we would now call “super power proxy wars”. Europe had had way too many wars for over half a millennium and that was why people were moving out into what they considered “un-claimed territory” and unfortunately took their power struggles with them. Much of the nonsense that happened in the Americas was because of this (and the fact they had started out thinking it was potentially the other side of Asia). The other part was “merchant venturers” quite deliberately using propaganda to get their home nations to subsidise them with military support (see what Cecil Rhodes and similar got up to).

The simple fact is a parasitic empire collapses fairly quickly because it costs too much to defend against those it oppresses, and not just the eventual opportunistic “barbarian hordes outside the gate” you get told about from the idealised “Roman Empire” nonsense used as propaganda for hundreds of years (if you think about it the barbarians would have been easily defeated if the Romans had not been so badly weakened by having endless internal wars caused by power struggles and driven by economic stagnation).

Winter March 30, 2022 8:25 AM

All conspiracy theories are one and the same theory:

Pro-Putin Disinformation on Ukraine Is Thriving in Online Anti-Vax Groups
ht-tps://www.motherjones.com/politics/2022/03/pro-putin-disinformation-on-ukraine-is-thriving-in-online-anti-vax-groups/

Meanwhile, Candace Owens, a conservative political pundit-turned-anti-vaccine activist, used an extended metaphor involving the lab-leak Covid origin theory to describe the conflict in Ukraine. “We are now experiencing Foreign policy Covid: ‘Experts’ pretending that what is happening between Russia and Ukraine is a naturally occurring event, when in fact, it was manufactured in a lab by the people who stood to benefit trillions,” she tweeted to her 3 million followers last week.

Nonetheless, Dubow expects that Ukraine conspiracy theories will remain mostly a fringe phenomenon. “We’ve seen for the first time in a while, both in terms of total posts and in terms of total engagements, Russia’s really losing control over the narrative,” he says. Yet Ahmed cautions that above all, anti-vaccine influencers are opportunists—and they will adapt whatever happens to command the headlines into their own narratives. Indeed, as Candace Owens Tweets furiously about Ukraine, she is gaining more followers—to whom she is also promoting her forthcoming documentary series about the supposed dangers of each of the recommended childhood vaccines. Anti-vaccine activists are “always looking to see how they can mold their narrative to fit any breaking news item and fit it into a conspiracy theory,” says Ahmed. “Because the key element of conspiracy theorists is that they don’t have to rely on facts.”

Winter March 30, 2022 8:37 AM

@Clive
“When Britain got support from abroad via the George C. Marshall plan, the British Politicians then in power unfortunately decided to waste it on providing quick fix cheap consumables rather than rebuild industry, national infrastructure and thus a functioning economy.”

From abroad, we saw a different picture.

Yes GB was bankrupt, but so were Germany and France. But in Germany and France, the war had also destroyed the old social order. Both countries reorganized to the postwar order. GB did not reorganize and kept the old prewar order. Two decades on, a skill shortage killed GB’s industry. All cards were put on banking and financial services with predictable outcomes.

Leon Theremin March 30, 2022 11:16 AM

This blog is ranked #2 on a blog search engine called “BlogSurf.io”.

hxxps://blogsurf.io/rankings

Blogs are manually curated and heavily biased to a tech crowd.

lurker March 30, 2022 12:58 PM

@ResearcherZero, All

A recent study by MIT projects that without “rapid and massive action” to cut carbon pollution, the Earth’s temperature could soar by nine degrees this century. [Rolling Stone]

Stop right there. Think carefully. How many nations on Earth still use inches, ounces and Fahrenheit?

SpaceLifeForm March 30, 2022 1:44 PM

Ubiquiti, meet Streisand

TL;DR is Ubiquiti is suing Brian Krebs for defamation. Apparently there is a lawyer that needs some billable hours.

hxtps://nitter.net/QuinnyPig/status/1508965090019577856#m

SpaceLifeForm March 30, 2022 2:34 PM

Not buying

hxtps://www.viasat.com/about/newsroom/blog/ka-sat-network-cyber-attack-overview/

Viasat has conducted an exhaustive analysis of impacted modems and confirmed no anomalies or impacts to any electrical components, no impact or compromise of any modem physical or electronic components, no evidence of any compromise or tampering with Viasat modem software or firmware images and no evidence of any supply-chain interference. The modems can be fully restored via a factory reset.

vas pup March 30, 2022 4:36 PM

Artist Jeff Koons to send sculptures to the moon
https://www.dw.com/en/artist-jeff-koons-to-send-sculptures-to-the-moon/a-61302275

“Millionaire pop artist Jeff Koons wants to send his artworks to the surface of the moon, and leave them there permanently. The project is tied to his debut NFT collection.

The details of the project have not yet been revealed.

Pace Gallery in New York City, which represents Koons, has not yet announced the number or size of the moon-bound sculptures, but it has said the works will be left permanently on the lunar surface in a transparent, thermally coated miniature satellite. Launching the spacecraft is private US company Intuitive Machines.

The gallery announced they plan to land the objects on a part of the moon called the Oceanus Procellarum, located on the near side of the planet, which faces the earth. On average, it takes about three days to travel the 240,000 miles (386,400 kilometers) between earth and the moon.

The gallery plans for the landing area are to become a “lunar heritage site.” NASA is aiming to do a test flight of the satellite, called Artemis 1 — which will be an unmanned lunar mission — in May. The actual landing with crew and art on board will likely take place in 2026 at the earliest.”

Very interesting short video at the end of article as well!

SpaceLifeForm March 30, 2022 5:11 PM

re: Let them eat Bitcoin

Looks like Putin bought a vowel and realizes no one is going to help prop up the value of the rubble.

Plus, he needs as much useful viable currency as possible.

hxtps://www.usnews.com/news/world/articles/2022-03-30/germanys-scholz-did-not-agree-with-putin-on-rouble-energy-payments-spokesperson

BERLIN (Reuters) -Germany will continue to pay for Russian gas in euros or dollars, a government spokesman said, adding that Russian President Vladimir Putin had told the German chancellor nothing would change for European partners despite his plan for rouble payments.

Gazprombank and Sberbank will be watched closely.

name.withheld.for.obvious.reasons March 30, 2022 5:29 PM

An approximated measure of the health of the democratic republic of the United States. The work of the Pulitzer Prize winning Journalist and former war correspondent for the New York Times has been scrubbed from the media giant Youtube site. Chris Hedges’ “On Contact” produced on Russia Today. Hedges, hardly an apologist for Putin or even the Russian state, is the victim of the broad brush that gets pulled out by the United States when it comes to crisis management. If a mosquito is in the room, the United States will pull out automatic weapons and open fire.

Clive Robinson March 30, 2022 6:28 PM

@ SpaceLifeForm,

Re : Ubiquiti is suing Brian Krebs

Apparently the back story through a court filing is,

1, A senior developer at Ubiquiti came up with a get rich scheme.

2, The developer used his own AWS credentials to download data through a VPN he paid for via PayPal.

3, During the download an issue at the Developers ISP caused the Developers IP address to become known.

4, The developer then tried to get 50 bitcoin from Ubiquiti.

5, Ubiquiti did not pay.

6, Developer pretended to be a whistleblower or some such and contacted journalist.

7, Story went out, Ubiquiti share price dropped 4 billion.

8, Eventually US Law Enforcement went and had “a chat” with the Developer whilst taking some of his personal possessions, and he denied having paid for the VPN at the time.

9, The developer is facing the usual charges including lying to Federal Authorities.

As for the 4 billion loss by Ubiquiti, well others have pointed out that Ubiquiti will have problems proving that was not down to their own actions/inactions/behaviours in part or full.

Time to rummage in the kitchen cupboard for a real pan, popcorn and vegetable oil, and turn up the heat…

Not a brown envelope of that strangebrew stuff of hydrolysed this that or the other you throw in the microwave and “duck and cover” lest you get hit by tinfoil hat rays. That a certain company apparently stocks equipment to generate…

Remember the plot line,

“Betty!! Don’t go in the kitchen!”

Appears some have not heard it on the air…

Clive Robinson March 30, 2022 7:07 PM

@ SpaceLifeForm,

RE : Not buying

Note they are only saying the system as supplied is still the same functionality as before…

In what you quote they’ve said nothing about,

1, Software vulnerability
2, Protocol vulnerability
3, Standard vulnerability

Or if configuration data in semi-mutable memory on the device has been changed…

Now consider it was only some terminals in Europe not all affected, and what that might imply.

If I had 2 cents to gamble with I’d put it on 1 or 2 to do with a “test harness” or “tech support” device similar to that found in Cable TV “set top boxes” that was somehow remotely accessible. At a stretch it was possibly “triggerable APT” that had gone into semi-mutable memory at some point in the past –which needed a “stay-alive” signal to not be activated– that a factory reset clears out.

If my guesses are correct that would imply the terminals are still as vulnerable after a factory reset, as they were when they were supplied.

Now… If no similar attacks happen again, we might make a further guess along the lines of,

The vulnerability was accessed from the Internet through the backend systems the company supplies and they have now fitted a filter of some kind, to trap such attempts again[1].

If you think back we’ve discussed such “stay behind” / “Deadman’s switch” APT on this blog since the days of the “Obama Big Red Button” announcement. Because it’s the obvious counter to such “Molly buttons”.

[1] https://www.urbandictionary.com/define.php?term=molly-guard

Clive Robinson March 30, 2022 7:49 PM

@ SpaceLifeForm, ALL,

Get any servers off the internet that do not need to be there.

Why limit it to servers?

Ransomware, APT and worse attackers certainly don’t limit themselves to servers, or PC’s or even anything physical (phish a mind by email).

As I frequently ask,

“What is the business case for having this computer connected to external communications?”

Or if people want to look from a different view point,

“If an attacker can not reach a resource directly or indirectly then they can not attack it”

Whilst stopping “Direct” access should be relatively easy… The history of ICTsec and “Management by MBA Mantra” suggests where the power exists.

As for stopping “indirect” even “Energy Gaps” won’t stop the various “insider attacks” as centuries of “espionage” amply demonstrate.

Oh and don’t forget to include “going postal” in some way on your threat list… It’s reasonable to think that some people have been considering how to induce cognitive impairment etc. in one way or another, when you see evidence of people burning down mobile phone masts and sites due to “5G Conspiracy theories”. Likewise events around Dec 37 that are still rippling out.

ResearcherZero March 30, 2022 10:06 PM

@lurker

Large UPS systems for commercial applications have remote access. I know admins who used to log in to such facilities from the other side of the country with a four letter password, usually their nickname or something similarly terrible. Couple million worth of hardware that none of the managers have the slightest clue about how it might work, giving the admin password to folks managing the call desk.

I think there is quite a bit of comedy value to be gained from that Rolling Stone article, and it is written for an American audience, which still uses Fahrenheit. Though I probably shouldn’t laugh while Lismore in NSW is dealing with floods again, and may be for some time yet.

On the one hand a writer has to snap people out of complacency, on the other not frighten them into a state of terror. But humans are pretty adept at ignoring stuff. In Mayak in Russia for example, where they still process fissile material for civilian and military purposes, workers used to handle plutonium by hand. There is more than enough uranium (nearly 40t) and plutonium (around 50t) there to slip a little in a former FSB officer’s tea.

Apple, Meta gave user data to hackers who used forged requests

Apple and Meta provided basic subscriber details, such as a customer’s address, phone number and IP address, in mid-2021 in response to the forged “emergency data requests.” Normally, such requests are only provided with a search warrant or subpoena signed by a judge, according to the people. However, the emergency requests don’t require a court order.

Snap Inc. received a forged legal request from the same hackers, but it isn’t known whether the company provided data in response. It’s also not clear how many times the companies provided data prompted by forged legal requests.

The information obtained by the hackers using the forged legal requests has been used to enable harassment campaigns, according to one of the people familiar with the inquiry. The three people said it may be primarily used to facilitate financial fraud schemes. By knowing the victim’s information, the hackers could use it to assist in attempting to bypass account security.

The fraudulent legal requests are part of a months-long campaign that targeted many technology companies and began as early as January 2021, according to two of the people. The forged legal requests are believed to be sent via hacked email domains belonging to law enforcement agencies in multiple countries, according to the three people and an additional person investigating the matter.

The forged requests were made to appear legitimate. In some instances, the documents included the forged signatures of real or fictional law enforcement officers, according to two of the people. By compromising law enforcement email systems, the hackers may have found legitimate legal requests and used them as a template to create forgeries, according to one of the people.
https://www.aljazeera.com/economy/2022/3/30/apple-meta-gave-user-data-to-hackers-who-used-forged-requests

COLDRIVER, a Russian-based threat actor sometimes referred to as Calisto, has launched credential phishing campaigns, targeting several US based NGOs and think tanks, the military of a Balkans country, and a Ukraine based defense contractor. However, for the first time, TAG has observed COLDRIVER campaigns targeting the military of multiple Eastern European countries, as well as a NATO Centre of Excellence. These campaigns were sent using newly created Gmail accounts to non-Google accounts, so the success rate of these campaigns is unknown.

Ghostwriter, a Belarusian threat actor, recently introduced a new capability into their credential phishing campaigns. In mid-March, a security researcher released a blog post detailing a ‘Browser in the Browser’ phishing technique.

Curious Gorge, a group TAG attributes to China’s PLA SSF, has conducted campaigns against government and military organizations in Ukraine, Russia, Kazakhstan, and Mongolia.
https://blog.google/threat-analysis-group/tracking-cyber-activity-eastern-europe/

Spring Core on JDK9+ is vulnerable to remote code execution due to a bypass for CVE-2010-1622. At the time of writing, this vulnerability is unpatched in Spring Framework and there is a public proof-of-concept available.

In certain configurations, exploitation of this issue is straightforward, as it only requires an attacker to send a crafted HTTP request to a vulnerable system. However, exploitation of different configurations will require the attacker to do additional research to find payloads that will be effective.

Praetorian recommends creating a ControllerAdvice component (which is a Spring component shared across Controllers) and adding dangerous patterns to the denylist.
https://www.praetorian.com/blog/spring-core-jdk9-rce/
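The quoted Praetorian advice (a ControllerAdvice carrying a denylist of dangerous binding patterns) is sketched rather than shown above. The following is an added example, not Praetorian’s or the Spring project’s own code, of what such a component looks like for a Spring MVC application; the class name BinderControllerAdvice and the choice of patterns are assumptions made for the illustration:

```java
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

/**
 * Hypothetical global advice (name assumed for this example) that is applied
 * to every controller's WebDataBinder before request parameters are bound
 * to model objects. It denies binding to any property path that reaches the
 * "class" / "Class" property, which is the path a crafted request walks to
 * get at the class loader and from there to container internals.
 */
@ControllerAdvice
public class BinderControllerAdvice {

    @InitBinder
    public void denyDangerousFields(WebDataBinder dataBinder) {
        // Patterns are matched against bound field names; both the top-level
        // "class" property and any nested "*.class" path are covered, in
        // both spellings Spring's property resolution will accept.
        String[] denylist = {"class.*", "Class.*", "*.class.*", "*.Class.*"};
        dataBinder.setDisallowedFields(denylist);
    }
}
```

Two caveats a practitioner should keep in mind. First, a controller with its own `@InitBinder` method that also calls `setDisallowedFields` replaces rather than extends this global list, so every such method must repeat the dangerous patterns or the protection silently disappears for that controller. Second, a denylist is a stopgap while the framework is unpatched: it blocks the known property path, not the underlying binding behaviour, and should be replaced by upgrading to a fixed Spring Framework release once one is available.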

ResearcherZero March 30, 2022 10:17 PM

@Winter

Russian security services is where Anti-Vax Groups information originates from. It’s been that way since fluoridation, and will likely remain so.
People are literally quitting $250,000/yr jobs in favour of Russian disinformation, some of it half a century old.

Brigadier General Jack Ripper expounds his theory about fluoridation and precious bodily fluids to Group Captain Lionel Mandrake
https://www.youtube.com/watch?v=Qr2bSL5VQgM

Clive Robinson March 31, 2022 12:40 AM

@ SpaceLifeForm, ALL,

The other day I noted similarities in the older SolarWinds attacks and the more recent Lapsus$ and the failings of other organisations…

Well it appears I’m not the only one to notice that such people have similar habits,

“Lapsus$ and SolarWinds hackers both use the same old trick to bypass MFA”

https://arstechnica.com/information-technology/2022/03/lapsus-and-solar-winds-hackers-both-use-the-same-old-trick-to-bypass-mfa/

In this case the article is specific about “Multi-factor Authentication”(MFA) which is unfortunately seen by way too many people as the way to solve all those password problems.

The problem is, in the over six decades since passwords were thought up the world has moved on significantly and much has radically changed.

Whilst MFA is seen almost as an incantation to substantiate a “gold standard” by some who want a tick in the auditors checkbox. You can only do this through either “rose tinted glasses” or “sepia prints”, that filter out the raw realities of the more modern age.

Back in the 1950’s and 60’s computers were so rare, and so difficult to use, they only did one job at a time, and there really was no concept of users or that they needed to be authenticated except by the security guard at the door, or building entrance.

These days we may use more than half a hundred different servers a day, many of which we may never use again. If we consider our usage by proxy such as search engines then our usage could be up in the tens of thousands a day most of which we never ever visit directly now or ever.

In effect the computing world has been stood on its head, but…

We still need to do some things “the old fashioned way” and actually interact directly with a host system either as directly as a keyboard, mouse, microphone, and speaker allow. Or more likely at some distance via some “shared communications” medium. In the first case, physical security is still possible, in the second I guess “not a chance” would not be too far off of the mark.

The majority of humans are about “communications” and “sharing” but mostly not about “trust”, we call it “being social”. You only have to be on a far distant edge of “gossip central’s web” to be aware of this, or within ear shot of the office water cooler / coffee pot. Worse for most “security” is seen as authoritarian, “secrecy” as paranoid/criminal, and “privacy” as anti-social except for the messy things in life where embarrassment is a major risk.

So “authentication”(AuthN) and “authorization”(AuthZ) whilst not quite alien concepts to most “neurotypical” humans are very definitely seen as a hindrance at best most of the time.

So what do we get… well from what the majority see as, –the lets face it– ‘non-neurotypical’ humans we get the technological response of “We can fix it” with a “Single Sign On”(SSO) or similar concept. Worse if you are really unlucky by some “bio-metric” doohickey… But that does not really fix the AuthN nuisance factor and lets be honest as way too much web development so acutely shows, most developers take the non-neurotypical view by apparently having no concept of the standard social concept of “roles” and their segregation etc, so AuthZ is a minefield we have yet to really come to[1].

Because of these changes and trying to make things work MFA is actually very nearly as much of a liability as passwords and in some cases more so.

In fact with Silicon Valley’s Mega-Corps using MFA as a way to get more valuable data on people, arguably MFA has become a “Health Hazard” in its own right. But worse in that particular usage type MFA has opened up way more new attack methods for criminals and worse, than most people realise.

So MFA is in fact more dangerous, in those forms, than old fashioned passwords, and it’s almost certainly not going to get any better, which does not bode well for the future.

[1] The concept of an individual’s separate “social roles” and the fact neither Governments nor Silicon Valley’s Mega-Corps want you to have them is an issue I mention from time to time. But few in ICTsec want to hear about let alone even consider “roles” in the easier non social sense as it applies to tasks.

So “roles” has like the famed “head in the sand” posture the developers have instinctively adopted, left them looking, both undignified and highly vulnerable. Worse, with most normal people having a fairly good idea of what outcome is likely to happen (historical note, the “Stocks” held those who had offended in a similar bottom upmost position and were frequently placed on the village green outside of the local tavern, for the convenience of the passing patrons not the offender).

Winter March 31, 2022 1:09 AM

@ResearcherZero
“People are literally quitting $250,000/yr jobs in favour of Russian disinformation, some of it half a century old.”

That is not special. Below[1] is an account of the troubles in Europe around AD 1000, the origin of the term millennialism (or was it the other way around?). For all of Christianity there have been people who destroyed their livelihood to wait for the end of the world[2].

My question is never “Why do they believe that?”. I think the right question is “Why do they want or need to believe that?”. I am convinced these people would simply switch one conspiracy for another if they ever have to abandon their current pet theory.

Fluoridation is a perfect example of this attitude. Those who refuse to drink tap fluoridated water tend to have no clue what fluoride is and how it affects humans. More important, they also do not really try to find out. We had the same craze locally with iodide in salt (bread). Both fluoride and iodide can be exchanged with everything you want as the source of apocalyptic fears.

[1] WAITING FOR THE END? APOCALYPTICISM, HERESIES, PAX DEI AND INVASIONS AROUND ANNO DOMINI 1000
ht-tps://www.academia.edu/download/57670372/Waiting_for_the_End._Apocalypticism__Heresies__Pax_Dei_and_Invasions_Around_Anno_Domini.pdf

However, millenarian expectations and ideas persisted among the lower classes and acquired immense popularity in times of natural disaster and political and military turmoil. Very often these two lines combined in the religious consciousness and believers held that the Second Coming of Christ would be preceded by the Apocalypse. Thus, with the approach of the third eschatological date, Anno Domini 1000, in the count of the years after Christ, preconditions for a new chronological change no longer existed. The starting points, or the Incarnation, the Crucifixion and the Resurrection, were already properly and accurately recorded (Landes, “Apocalypse” 290–291). It was for the first time that the Latin Christian world faced such an eschatological end date, which intensified apocalyptic attitudes. As a result, two basic groups were formed among the supporters of millenarianism in medieval society. The first was that of popular mass supporters, and the second was associated with educated religious circles, whose moods and attitudes differed from the chiliastically oriented mainstream.

[2] ht-tps://psmag.com/news/why-are-so-many-christians-obsessed-with-predicting-the-rapture

Winter March 31, 2022 2:15 AM

@ResearcherZero
Continued…
“Russian security services is where Anti-Vax Groups information originates from. It’s been that way since fluoridation, and will likely remain so.”

Note that this is Russian state operatives that try to kill you, your family, your friends and acquaintances, your colleagues and neighbors.

How do you call an entity that tries to kill you and everyone you know? How should you approach such an entity?

ResearcherZero March 31, 2022 2:40 AM

@Winter

Approach in public. Have hand to hand combat skills, and at least some basic counter-surveillance skills taught to you by professionals. Keep your vehicle regularly serviced.

Putin’s hackers gained full access to Hungary’s foreign ministry networks, the Orbán government has been unable to stop them

By the second half of 2021, it had also become apparent to the ministry’s leadership that Russian hackers were behind the active, serious infection of ministry systems, several former Hungarian state officials told Direkt36.

One of the ministry’s cables hints at this: “Measurable amounts of devices are in use that have been proven to communicate personal data to China in a covert manner. These include (but are not limited to) Huawei (ZTE), Honor, Xiaomi, Wiko, OnePlus, among others”.

The letter is also interesting because it shows that the Orbán government is aware of the security risk posed by Chinese devices, while denying in public for years that this is a problem.
https://www.direkt36.hu/en/putyin-hekkerei-is-latjak-a-magyar-kulugy-titkait-az-orban-kormany-evek-ota-nem-birja-elharitani-oket/

ResearcherZero March 31, 2022 2:52 AM

@Winter

Alternatively you could approach them with some kind of deal like Mr. Manafort or Mr. Flynn did. I’m not trying to imply they sold out their country, you would have to ask them what their intentions were, but it does look a little odd in retrospect.

“The conversations deeply concerned US intelligence officials, some of whom acted on their own to limit how much sensitive information they shared with Flynn, who was tapped to become Trump’s national security adviser, current and former government officials said.”
https://edition.cnn.com/2017/05/19/politics/michael-flynn-donald-trump-russia-influence/index.html

“Our boy can become president of the USA and we can engineer it,” Mr. Sater wrote in an email. “I will get all of Putin’s team to buy in on this, I will manage this process.”
https://www.nytimes.com/2017/08/28/us/politics/trump-tower-putin-felix-sater.html

Person A was a former intelligence officer with the GRU, Russia’s military intelligence directorate.

Mr. Manafort and Mr. Kilimnik repeatedly communicated about a so-called peace plan for Ukraine starting in early August 2016, while Mr. Manafort was still running Mr. Trump’s campaign, and continuing into 2018, months after Mr. Manafort had been charged by the special counsel’s office with a litany of crimes related to his work in the country.
https://www.nytimes.com/2019/02/10/us/politics/manafort-mueller-russia-inquiry.html

Manafort and Kilimnik had discussed the topic “in January 2017, in person, in Washington, D.C., when Kilimnik was here for the inauguration.”
https://www.voanews.com/a/russian-ukrainian-operative-was-at-trump-inauguration-filing-shows/4778021.html

Patten & “Foreigner A,” a Russian, formed a US co. to do work starting in 2015.
And DC incorporation papers show that the pair formed Begemot Ventures International in 2015.
https://twitter.com/kenvogel/status/1035547870349418496

the letter requested that Soriano, who runs a London-based security firm called USG Security Limited, provide documents dating back to June 2015 and including all his communication with Paul Manafort, Michael Flynn, Psy-Group, Wikistrat, and Black Cube, as well as any communications with Orbis Business Intelligence
https://www.timesofisrael.com/report-us-senate-asks-to-interview-israeli-brit-in-connection-with-russia-probe/

The FBI is offering a reward of up to $250,000 for information leading to the arrest of Konstantin Viktorovich Kilimnik.

Kilimnik was designated pursuant to E.O. 13848 for having engaged in foreign interference in the U.S. 2020 presidential election. Kilimnik was also designated pursuant to E.O. 13660 for acting for or on behalf of Yanukovych. Yanukovych, who is currently hiding in exile in Russia, was designated in 2014 pursuant to E.O. 13660 for his role in violating Ukrainian sovereignty.
https://www.fbi.gov/wanted/counterintelligence/konstantin-viktorovich-kilimnik

ResearcherZero March 31, 2022 5:54 AM

@Winter

Give it 20 to 30 years and there might be a likely chance for reasonable negotiation with the Kremlin.

Clive Robinson March 31, 2022 9:41 AM

@ ResearcherZero, Winter,

Give it 20 to 30 years and there might be a likely chance for reasonable negotiation with the Kremlin.

Err no.

Two reasons to start with,

1, Nearly a thousand years of nearly unchanged socio-political history.

2, The chances are the Kremlin won’t exist in ten years let alone thirty.

What I expect is the same old nonsense that has gone on in what is Russia for 600 or more years of history…

Thirty years ago the incarnation of the parasitic Russian Empire (CCCP/USSR) as was back then, was near collapse. It had no working economy, the then leader decided that things had to change and tried what “economists” and “sociologists” in the West had hypothesized would be a solution[1].

It failed for various deep seated reasons none of which had changed for half a millennium, nor have they changed since.

On the surface faces and names change to suit the nonsense the latest psychopath is pushing, but underneath it’s still the same old game[2].

So do not hold your breath, Russia and the people that make it and surrounding areas have had repeated opportunities to break with the past and build an economy. But they don’t, they fall back on the same parasitic behaviour they always have done as they get sold the proverbial “good old days” myths by the latest psycho pretending to be a “strong man” who in reality is asset stripping what he and his cronies can, every which way they can.

Which is actually one of the reasons the Rouble(RUB) is rapidly becoming RUBish or RUBble depending on who you ask. Because anything of value above raw resources or their extraction has already been siphoned out of Russia by the criminals one way or another.

So realistically what do you really expect to have changed? After all the behaviour has survived two world wars the deaths of possibly hundreds of millions of “Rus” and economic devastation stretching from central Europe right across to the West Pacific Coast and down through many parts of Asia.

To a certain “mentality” of people “It’s a winning formula” and they are going to fight tooth and claw to not just keep it that way but to spread their desires of subjugation as far and as wide as possible.

Oh and expect the kleptocrats that call themselves Capitalists in the West to find “easy accommodation” with those in Russia because they are both playing the same game at heart…

[1] Something by the way those with the same mental makeup are trying to reintroduce in the West (and have done for effectively the last century or more). The objective is not as most are led to believe economic prosperity for “all” but to trap assets in the hands of a very few and implement a rent seeking kleptocracy[2]. These days publicly fronted by those with strong narcissistic tendencies, who almost always end up being the “fall guys” for those who remain as safely anonymous as they can (Hence German National Socialist fundamental economics survived WWII and became those of the EU which gave us the “Euro Project” and the financial crippling, asset stripping and subjugation of South Europe and its agricultural production to the industrial North, along with any wealth the South had to try to build its own economy away from agriculture into more gainful industrial activities).

[2] The name for the simple mathematical game is “Hawks and Doves” but other knowledge domains give it their own variant names. Over simplistically it is a parasitic relationship with the majority being prey to a few. If you want a more historical name call it “The King Game” where a thug, and their followers –guard labour– set themselves up as faux “protectors” and thus tithe those they see as serfs or less, with control going out via unquestionable “Divine Right” of the “Godhead” or King, via religion and guard labour.

Winter March 31, 2022 9:59 AM

@Clive
“So do not hold your breath, Russia and the people that make it and surrounding areas have had repeated opportunities to break with the past and build an economy. ”

It is not so much the economy, it is their society.

Russia is a serf society built on mistrust and servitude. The reason that the “elite” can go on with this is classical “divide and conquer”. The lowest classes are deeply mistrusted and feared by the middle and higher classes, and vice versa. Within each group, every subgroup fights every other subgroup.

There are good reasons for Russian men to become alcoholics and die in their fifties. There is pretty little a common man can do to earn “respect” from anyone. If you are not a member of a criminal gang or the state’s henchmen, you will be driven into despair by those who are.

For instance, a dash cam is a life saving requirement for any Russian motorist. As someone remarked

“You can get into your car without your pants on, but never get into a car without a dash cam,”

ht-tps://www.wired.com/2013/02/russian-dash-cams/

The sheer size of the country, combined with lax – and often corrupt – law enforcement, and a legal system that rarely favors first-hand accounts of traffic collisions has made dash cams all but a requirement for motorists.

Which is a euphemism for: One driver said others believe that police officers are only on the roads to take bribes, bending traffic laws—or ignoring them completely—to benefit themselves. A camera will save you from false accusations.
ht-tps://www.mentalfloss.com/article/48952/why-do-so-many-russian-drivers-have-dashboard-cams

Clive Robinson March 31, 2022 11:12 AM

@ Winter, ResearcherZero, All,

It is not so much the economy, it is their society.

Oh it is very definitely their society and has been for 600 years or more, as I thought I’d made clear.

There are two ways out of the Rus cycle,

1, A functioning economy.
2, Total annihilation of the Rus social structure.

I know which path I would rather they take, because I’m not keen on cultural genocide.

The thing is we can see this in action with Belarus and the Ukraine.

Belarus’s citizens tried to go for a functioning economy… But Putin stuck his oar in, and instead they got a kleptocracy forced onto them and they became not just subjugated, but asset stripped with much of it going into Russian kleptocrat hands.

The Ukraine, has managed to develop an economy and was seen as “getting away” by Putin…

I think that many of the younger Western Ukrainians can see what is ahead of them if they let Putin have his way in any way. So I expect the current “crisis” to develop into a longterm conflict with heavy casualties on both sides. However as with the Russian invasion of Afghanistan, it is clear the dog can be sent packing both neutered and with its tail between its legs.

I know it sounds horrible, but the best thing to do, is not to get “militarily involved” because that will legitimize many of Putin’s lies in Russian eyes.

The best thing is to “give” the Ukrainians the food, medicines and similar to keep their society going, and “sell” them the weapons so their armed forces can keep fighting Putin’s invaders.

Whilst Putin can win a propaganda war for a short while with the Russian people, the fact that conscripts are not coming home or even contacting their families will spread the old fashioned non electronic ways.

Unfortunately as you’ve observed this war is falling unfairly on the bottom strata of Russian Society. This is something that will eventually turn around and bite Putin and his cronies hard. They know this, which is why they have tried to get their illicit gains out of Russia.

Thus the best tactic is to grab all of those assets and block the kleptocrats escape routes.

Also as the US has broken the cardinal rule of not putting a price on “leaders heads” several times recently. They might usefully offer a “Dead or Alive” reward on Putin, his cronies and those who might support them, and pay it with the grabbed assets…

But the real problem, that is the major pachyderm in the room is not the RHINO that Putin is, but what will follow in the footsteps if not stopped, and how you stop the whole cycle repeating.

The best way I can see is get Russia out of the Ukraine by Ukrainian effort, then repeat with Belarus, and ensure that Romania, Moldova and similar old CCCP vassals become and remain economically viable.

But they will need support but not from the “anglo-saxons” that Putin blames for all his stupidities at home that condemn the Rus to servitude and fatalistic outlook.

Much as Europe hates the idea, they need to “step up to the plate” and replace NATO and North America with a European defensive force, that “acts not prevaricates”.

Because very much of the old Rus psyche in Russia is “You own only what you can take and hold” and there is no way that will go away over night.

Especially as in some minds it’s seen as a conqueror’s “You keep what you kill”, which only stops against a credible counter force.

SpaceLifeForm March 31, 2022 1:57 PM

NSA dude with TS/SCI uses email offsite

https://www.justice.gov/opa/pr/national-security-agency-employee-indicted-willful-transmission-and-retention-national

transmitted the classified information using his personal email address to the other person’s private company email addresses. The person receiving the information held a Top Secret/SCI clearance from April 2016 until approximately June 2019, while employed at a company referred to in the indictment as Company 1. From July 2019 until approximately January 2021, the person worked for a company referred to in the indictment as Company 2, and was not authorized to access, or receive, classified information.

Maybe he did use his patented method

hxtps://patents.justia.com/patent/5631961

A device for and method of transmitting an encrypted message and an access field from a sender to a receiver, where a third party may intercept and process the transmission.

JonKnowsNothing March 31, 2022 2:07 PM

@ Clive, @ ResearcherZero, @ Winter, @All

re: Culture and Cultural Genocide

It’s nearly impossible to eradicate a culture. It has been done but even in cases where conquering societies have made all out efforts to eradicate the previous culture, history and art, remnants remain and from those remnants a new version of the old culture emerges.

The Colonial Powers of the last 2 centuries are finding out their concerted and unified attempts at Stamping Out and Forced Adoption of European Culture at the risk of death, bodily harm (legs and hands) and assorted mutilations didn’t work.

A cultural echo remains and we can see in many geographic areas a determined push back against the Euro-Anglo-Saxon-USA view of what “culture is” and “what makes civilization”.

In the few cases of successful cultural genocide, the primary method is 100% extermination of all the previous members leaving no living members or relatives or descendants. This has been the method used since Pre-Roman Times and the Romans used it extensively. The practice was improved on and enhanced as Europe developed beyond Rome and has been carried forward by the Colonial Period to the rest of the globe.

The failures to eradicate 100% of the previous group make for historical events, stories, dramas and epic tales.

In many of the comments about the status of Russia and Russian Culture and Russian Areas of Influence is a distinct view from Colonial Europe and USA.

  • We look Eastward at Russia when we should be looking Westward.

It’s a longer view and Peter I, aka The Great, was known for his attempts to push Russia Westward. He did it by Wars against European Kings. The Right of Kings to Bring War is undisputed by the victor, Right of Conquest and Doctrine of Discovery.

*[Peter I:] “paradoxical dichotomy” in the black and white images such as God/Antichrist, educator/ignoramus, architect of Russia’s greatness/destroyer of national culture, father of his country/scourge of the common man.

Look from the other direction to see the pressure ridge between Eastern View and Western Views.

It is one reason, among many, that 2,000 years hasn’t changed much in Russia.

SpaceLifeForm March 31, 2022 2:58 PM

I will buy this theory

Not what Viasat tried to spin.

What is Viasat trying to hide or deflect from? Because their self-contradictory explanation does not make sense.

https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/

At the time of writing, Viasat has not provided any technical indicators nor an incident response report. They did provide a general sense of the attack chain with conclusions that are difficult to reconcile.

With those requirements in mind, we postulate an alternative hypothesis: The threat actor used the KA-SAT management mechanism in a supply-chain attack to push a wiper designed for modems and routers. A wiper for this kind of device would overwrite key data in the modem’s flash memory, rendering it inoperable and in need of reflashing or replacing.

On Tuesday, March 15th, 2022, a suspicious upload caught our attention. A MIPS ELF binary was uploaded to VirusTotal from Italy with the name ‘ukrop’.

There is more technical elaboration at the link that makes way more sense than what Viasat has said.

Clive Robinson March 31, 2022 4:43 PM

@ SpaceLifeForm,

I will buy this theory

It’s exactly the same conclusion I had come to and posted the other day, but in different words.

As I indicated the “clear after factory reset” was a strong indicator, and the fact that only certain modems were affected in the region suggested “APT via a Test/TechSup harness through the operator’s back end”. Which I suspect they now filter/block out.

Something quite a few “service providers” really should think about, especially Mobile Service providers and Cable Service Providers, many of whom are notoriously deficient in this area…

Clive Robinson March 31, 2022 5:16 PM

@ vas pup,

Researchers test far-UVC lamps that kill bacteria safely

UV-C is generally not safe near humans as it can go through the dead skin and do DNA damage below.

Far-UVC is of a higher frequency and mostly does not make it through the dead skin layers so does not do DNA damage to humans.

Bacteria lacking the protection of dead skin cells are vulnerable under certain conditions… But caution needs to be exercised because with some mediums, bacteria will thrive in them safely, as the medium, like dead skin cells, blocks Far-UVC.

As a rule of thumb, all mediums respond differently to EM energy at different frequencies. So a medium can be,

1, Transparent to some.
2, Opaque by scattering to others.
3, Reflective to some.
4, Absorbent to others.

SpaceLifeForm March 31, 2022 5:31 PM

@ Clive

We are on the same page, saw your post.

My question is: why the spin?

Are they trying to cover up an inside job?

Were select modems already backdoored?

Was the mass wipe intentional to destroy evidence of backdoors?

It may be good to get some of the modem firmware dumped from modems that were offline in Ukraine due to power outage before the mass wipe started. (This is NOT a HINT, BTW)

You may recall that Maersk recovered relatively quickly from NotPetya because one of their AD servers happened to be offline due to a power failure.

There may be Viasat modem/routers in Ukraine that may have evidence of backdoors.

More coverage now.

https://arstechnica.com/information-technology/2022/03/mystery-solved-in-destructive-attack-that-knocked-out-10k-viasat-modems/

Is something similar happening at Ubiquiti? The CEO of Ubiquiti owns 90% of the stock.

Clive Robinson March 31, 2022 6:22 PM

@ SpaceLifeForm,

If I had to choose one, the most likely would be,

Were select modems already backdoored?

As you, I and others have discussed over the years, “APT as a Deadman’s Switch” is a very valid strategy to turn into reality as an attack method.

Just the fear of it could stop a nation “putting up the shutters” on the “electronic frontier”.

The fact that every neo-con mantra chanting idiot that enters management ignores this rather obvious point is more than somewhat scary. Especially as they also strive to make everything more vulnerable by removing as much resilience and defence in depth as possible, which does not fill me with any kind of confidence they are “safe behind the wheel”.

But then I’m an engineer of many forms with many scars earnt through others’ at best cupidity, if not downright malicious behaviours (making “Disaster Capitalism” look almost tame in comparison).

JonKnowsNothing March 31, 2022 8:05 PM

@All

re: Planning for Average Use or Planning for Peak Use?

Per a MSM article:

The UK is about to introduce shoot-em-up style energy pricing. Pricing is to go up 54%, with multiple additional hikes to follow. An average home faces an increase on their annual bill of £693 to £1,971.

“Bleak Friday” April 1 2022 is the date set for the price change.

A consumer advocate recommended that folks “read their meters and submit the readings before Friday April 1 2022, so they can get the lower rate through the end of March.”

So many people tried to connect to their energy suppliers to post the last reading, all the websites crashed… or perhaps they didn’t, but the sites are still inaccessible.

The Energy Companies claim their sites failed because too many people tried to post their lower cost readings, when they should have just let the Energy Companies use weighted averaging to reweigh the old readings at the newer costs. That way The Energy Companies didn’t need to plan for Peak Website Usage.

Brown Outs for Websites

===

Search Terms

Bleak Friday

The chaos was triggered by energy regulator Ofgem increasing the price cap, the maximum per-unit rate that can be charged for gas and electricity, in response to persistently sky-high wholesale gas prices.

Stories of Energy Poverty:
* ‘It’s worse than under Thatcher’: energy price rises pile pressure on UK

Ted March 31, 2022 9:22 PM

@SpaceLifeForm

Regarding the NSA employee who mishandled classified info… did you see this comment from Matt Blaze?

Mark Robert Unkenholz, an NSA cryptographer who I believe was one of the inventors of the Clipper chip, was arrested today for allegedly mishandling and disclosing classified information(!)

https://twitter.com/mattblaze/status/1509701377412452358

I had read the press release you posted earlier. I was super surprised to see this. Hope we get more details.

lurker March 31, 2022 9:46 PM

@SpaceLifeForm

Some MSM describing that when lower ranks discovered where they were digging, there was a “near mutiny”.

JonKnowsNothing March 31, 2022 11:34 PM

@ Ted, @SpaceLifeForm, @All

re: NSA employee who mishandled classified info…

fwiw This is the line the USA LEAs use when someone has gotten their nose(s) out of joint.

It’s a moving target because items get classified, declassified, reclassified, and post-event classification changed all the time. It’s useful to pressure someone or coerce them and powerful enough to get one’s attention.

It’s also hard to find good lawyers, and courts that are willing or able to unsort the mess.

iirc (badly) The last classification wins, even if the item wasn’t classified and it was OK to take it out of the building 20 years ago, where it got filed in a secured and approved security cabinet in an approved off-site work area.

Most courts won’t bother. They fall back to the Ex Parte (no Defense allowed) and In-camera aka Closed Review (not public / Judge only), or Special Master (where even the Judge doesn’t see it) and/or hand offs to FISC.

===

Search Terms

Jeffrey Alexander Sterling

Thomas A. Drake

William Binney (intelligence official)

Winter April 1, 2022 1:39 AM

“Dog bites man” is not news, “Man bites dog” is.

Jerry Seinfeld wins copyright suit. Opposing lawyer has to pay!

Charles vs Seinfeld
ht-tps://www.heise.de/downloads/18/3/4/4/5/6/8/0/162.pdf

V. Conclusion

For the reasons above, the Court GRANTS IN PART Defendants’ motion for fees. The Court awards Defendants $28,750 in attorneys’ fees and $92 in costs for a total of $28,842. The Court further awards mandatory interest to Defendants at the rate specified in 28 U.S.C. § 1961(a) running from the date of judgment. Charles and his counsel, Mr. Peter Skolnik, are jointly and severally liability for the payment of this award. If Charles so chooses, he may make these payments in equal monthly installments over a ten-year period.

(emphasis mine)

Also, note how the lawyers of Seinfeld fleeced him royally.

Clive Robinson April 1, 2022 6:23 AM

@ JonKnowsNothing, ALL,

Re : This is the line the USA LEAs use when someone has gotten their nose(s) out of joint.

You can add,

1, Gordon Welchman
2, Peter Wright

To your list, neither were US citizens, and it was UK PM “Mad Maggie” Thatcher they upset…

I’ve mentioned in the past that my name has shown up involved with DMCA take down, I don’t know why, and Google will not say.

So it confirmed my view I’d taken that the US was not a wise place to travel to, based on what happened to Russian programmer Dmitry Sklyarov. Who had legitimately and legally reverse engineered and reported that Adobe used XOR with a short fixed string as a protection mechanism…

https://www.eff.org/uk/wp/unintended-consequences-seven-years-under-the-dmca

I have also mentioned that I nearly got my collar felt back in the 1980s for what at the time was the perfectly legal investigating and reporting on a weakness in the BT Gold system and the very deliberate misrepresentation by BT in the press.

It was only my “sixth sense” that kept me from being “entrapped” as slightly later happened to two others over BT Prestel security failings, even though I had warned them and our other mutual friends and acquaintances of my then suspicions…

Well, fairly recently via the UK National Archives, it shows I was indeed very lucky to have escaped. The entrapment I nearly got caught in had been personally ordered by “Mad Maggie” Thatcher.

She was in the process of trying to sell off BT and obviously wanted the best price she could get. Having a teenager bring bucket loads of “cow bird droppings” on her parade was not something she was going to allow. So she issued the equivalent of a Fatwa or, if you prefer, “Off with their heads, action this day” instruction. We were thus marked out for “show trials” but first we had “to be caught with our hands in the pot” as it were.

The fact I dug my heels in and absolutely refused to play, even though my credibility was repeatedly challenged[1], saved me.

But I’m glad I did listen to an older journalist who had once been under State Surveillance[2] back in earlier “labour times”, when talking to union leaders was considered “treason”, an idea “Mad Maggie” had brought back…

Anyway I’m now glad I’d declined an offer to go to the US for a “job interview”… The sort of crap that got people into is not something you want landing on you.

That’s not to say I did not later go to the US, I did and have friends there who these days also tell me I probably got “lucky by chance”.

A lesson in life,

“You do not have to be a criminal to be treated as one or turned into one by those who find you inconvenient, or useful as an example to others.”

A reality even US MSM Journalists are waking up to…

[1] I had given fairly detailed instructions in writing that were way, way more than what these days we would call a “Proof of Concept”. Even a child who could barely read and not type could have followed them… So when they said they wanted a demonstration I asked myself,

1, Are they idiots?
2, What’s in it for me?
3, Are they prepared to pay me consultant rates?

So as I’d caught BT out having already changed things and lying about it, and the fact they were not going to pay, just made me think it was some hooky publicity stunt at first to discredit me.

But more pressure arose and I just became what some said at the time was paranoid… I in effect issued a “no way, no how, Jose” edict and refused to entertain any further discussion. In one case very pointedly and loudly saying NO, and when it persisted, walking out and slamming an office door.

Then odd things started to happen. It became clear that there were things wrong with my phone line, and when a BT engineer tried to convince me with a multimeter that the problems with bad line noise and interference coming off of the line were somehow my fault, I chucked him out on his ear. But there were other odd things. The wife of a neighbour had said the workmen I’d had around were “odd”. But even though I had not had workmen around I did not immediately realise what she had seen. But then I remembered that things in my place had been moved… I’m one of those “untidy people” that stack work up in heaps, but the heaps are not random piles, a bit of each thing sticks out so I can see it and thus immediately put my hand on it when needed, and things were most definitely not as I’d left them. As a couple of friends had “emergency spare keys” and occasionally “stopped over” to “doss on the couch” I thought it could have been one of them. But when I phoned them up, not only did they say no, as if by magic the “line noise” issues disappeared. All most odd… Or not[2].

[2] Back then I knew quite a few journalists like Guy Kewney and later author Neil Gaiman (both of whom encouraged me, unsuccessfully, to write). I got introduced to older journalists as a kind of “intermediary” to the very young “home computer types”. On having a few beers one night, I mentioned the fact BT were a bunch of liars, and got asked more… A couple of the older journos looked knowingly and took me aside and suggested that I needed to keep an eye open over my shoulder and that being paranoid “kept you alive, alive and at large”. Which to a twenty-something orphan full of “piss-n-vinegar” trying to make a go of things kind of fell on deaf ears. So one of them told me the story of what happened to another journalist and “State Surveillance”… Anyway shortly thereafter it all blew up one way or another.
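The “XOR with a short fixed string as a protection mechanism” mentioned in the comment above is worth seeing fail concretely. The block below is an added illustration, not code from the thread, from Adobe or from the Sklyarov case: the key, the fixed file header and the document are constructed sample values, and it shows that a format with a known fixed header hands the whole key to anyone holding a “protected” file.

```python
"""Why "XOR with a short fixed string" is not a protection mechanism.

Added illustration; SECRET_KEY, HEADER and the document are constructed
sample values (hypothetical), not any real product's scheme.
"""
from itertools import cycle
from typing import Optional

# Constructed sample values (hypothetical).
SECRET_KEY = b"s3cr3t"        # the vendor's short fixed "protection" key
HEADER = b"%DOC-1.0\n"        # fixed header every file of this made-up format starts with


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call both applies and removes the 'protection'."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def keystream_from_known_plaintext(ciphertext: bytes, known: bytes) -> bytes:
    """XOR ciphertext against plaintext the reader already knows (here: the
    fixed file header) to expose the key bytes used at those positions."""
    return bytes(c ^ p for c, p in zip(ciphertext, known))


def shortest_period(stream: bytes) -> Optional[int]:
    """Smallest p such that stream repeats every p bytes, or None when no
    repetition is visible (the known plaintext is shorter than the key)."""
    for p in range(1, len(stream)):
        if all(stream[i] == stream[i - p] for i in range(p, len(stream))):
            return p
    return None


def recover_key(ciphertext: bytes, known_prefix: bytes = HEADER) -> Optional[bytes]:
    """Recover the full repeating key from a 'protected' file using only the
    format's fixed header; None means the header is too short to be sure."""
    stream = keystream_from_known_plaintext(ciphertext, known_prefix)
    period = shortest_period(stream)
    return stream[:period] if period else None


def demo() -> bytes:
    """Protect a constructed document, then recover it without being given the key."""
    document = HEADER + b"Chapter 1. The plaintext the vendor meant to hide."
    protected = xor_with_key(document, SECRET_KEY)
    key = recover_key(protected)        # found from the header alone
    assert key == SECRET_KEY
    return xor_with_key(protected, key)
```

If the fixed header is shorter than the key, `recover_key` returns None rather than guessing; a second known fragment later in the file, or the classic Hamming-distance key-length estimate, closes that gap, which is why the key length being short is what makes the scheme worthless.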
