Friday Squid Blogging: Squid Migration and Climate Change

New research on the changing migration of the Doryteuthis opalescens as a result of climate change.

Stanford researchers have solved a mystery about why a species of squid native to California has been found thriving in the Gulf of Alaska about 1,800 miles north of its expected range: climate change.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Read my blog posting guidelines here.

Tags: academic papers, squid

Posted on April 1, 2022 at 4:06 PM • 182 Comments

Comments

Leon Theremin • April 1, 2022 4:29 PM

Eric Schmidt, the former Google chairman, told Reuters in a recent interview that high-end processors should have kill-switches.

“Knowing where the chips go is probably a very good thing. You could for example, on every chip put in essentially a public private key pair, which authenticates it and allows it to work”.

hxxps://www.reuters.com/technology/chip-challenge-keeping-western-semiconductors-out-russian-weapons-2022-04-01/

What he won’t tell is that this is already a reality, as I learned after having my air-gapped system and Pixel phone wiped remotely for researching “silent speech interfaces” like this:

SpeakUp: Silent Speech Interface; Low Cost; Arduino; Machine Learning

Project Summary by Varun Chandrashekhar: “I have designed and developed a speech interfaced for the paralyzed, which they can use to communicate without speaking. This device detects speech-related electrical signals from the throat and converts them into letters or words that we recognize using machine learning models.”

SpeakUp – ML Based Speech Aid to Enable Silent Communication
hxxps://create.arduino.cc/projecthub/Varun_Chandrashekhar/speakup-ml-based-speech-aid-to-enable-silent-communication-ffd9f8

My comment about the project: easily replicable by anyone with computer science knowledge, different from what is being done with the silicon trojans in the 3G/4G/5G equipment only on it needing physical probes. Anyone doing research on this area be cautious of sabotage when using US designed CPUs (AMD/INTEL/QUALCOMM/APPLE/ARM), as the microcode, SMM and firmware of your system may be manipulated to mess up your computations. Ask your own Nation to stop trusting Silicon Valley and make your own silicon supply chain and tech services. Meanwhile, mitigate this situation by moving to an area away from any cell radio transmitter (check coverage on OpenCellID.org) and shielding yourself and your devices from electromagnetic eavesdropping and interference.

Q • April 1, 2022 5:40 PM

“Eric Schmidt, the former Google chairman, told Reuters in a recent interview that high-end processors should have kill-switches.”

You can’t solve social problems with technology. Wars (and invasions) are social problems. Technology won’t ever solve them.

If you put kill switches in things, they will be exploited and abused. “We don’t like what you are doing so we will kill your systems”. No thanks, keep your social problems out of the systems.

ResearcherZero • April 1, 2022 5:46 PM

“The threat actor used the KA-SAT management mechanism in a supply-chain attack to push a wiper designed for modems and routers. A wiper for this kind of device would overwrite key data in the modem’s flash memory, rendering it inoperable and in need of reflashing or replacing.”

“Subsequent to this post being published, Viasat confirmed to journalists that our analysis was consistent with their reports.”
https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/

–

“Fire Chili rootkit and two compromised digital signatures, one of which we also directly linked to Winnti.”

several infiltrations into victim networks that were achieved via a Log4Shell exploitation of vulnerable VMware Horizon servers. These attacks spawned a new PowerShell process to download and execute a chain of scripts that ended with the installation of a malicious DLL.

The rootkits are digitally signed with certificates stolen from game development companies, which is a known characteristic of Winnti.
https://www.fortinet.com/blog/threat-research/deep-panda-log4shell-fire-chili-rootkits

The first sighting of three of the nine stolen certificates being used maliciously occurred in early 2014. Those three certificates were the only ones used in 2014, making it likely that the other six were not compromised until 2015. All nine certificates were used maliciously in 2015.

…the first certificates used belonged to Company A (educational software developer) and Company B (video game developer #2). Company A’s certificate was used for over a year, from April 2014 until June 2015 and Company B’s certificate was used for almost a year, from July 2014 until June 2015. When we discovered this activity, neither company was aware that their certificates had been stolen or how they were being used. Since the companies were unaware of the activity, neither stolen certificate had been revoked.
https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=62e325ae-f551-4855-b9cf-28a7d52d1534&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments

“stealing the certificates and signing malware for future attacks against other targets was the preferred method of this group”
https://securelist.com/winnti-more-than-just-a-game/37029/

GetSystemDefaultLandID (is language Russian or Chinese?, no, then proceed)
https://www.welivesecurity.com/wp-content/uploads/2019/03/Screen-Shot-2019-02-14-at-10.01.18-AM.png

Clive Robinson • April 1, 2022 6:15 PM

@ Leon Theremin, ALL,

Re : Ex Google Chairman Eric Schmidt’s comment,

“Knowing where the chips go is probably a very good thing. You could for example, on every chip put in essentially a public private key pair, which authenticates it and allows it to work”.

He’s not exactly the brightest lightbulb in the corridor if he genuinely thinks that after reasoned consideration. Similar has been tried before and usually ends up failing if there is sufficient incentive…

Heck think back to stuxnet, and other cases where “malicious signed code” has turned up.

But think about the fact that nearly all the chips are not made in the US or under US Government control, nor is the equipment needed to make chips…

The thing is if Russia wanted to make it’s own chips there are plenty of realdundant 6 and 8 inch fabs out there not making any money, just looking for buyers. You do not need the latest high tech chips to make wrapons, in fact many weapons take so long to get through development, often the chips would be close to being EOL’d anyway.

But there are other issues…

In the UK Military there is a saying,

“Don’t leave ammunition for the enemy.”

And they should know… The Germans left so much 9mm ammunition about that the Brit’s designed the “SMG” also known as “the plumbers delight” especially to use it up shooting Germans…

Something US congress and other critters got their panties in a wad over more than half a century ago with their budding nuclear arsenal.

Which is why there is a sort of joke about why the US needs at least three times the number of nuclear weapons anyone else does. It’s not just about “Permisive Action Links”(PALs) it’s also about all the other sillyness they add to the “physics package” to stop them being used by terrorists, rouge generals, and dumb as a stump guards that get bored and juggle with things like detonators. Oh and every other nightmare the Rand Corp could think up on the US Tax Dollar. In short most US nukes are expected to be duds when used…

But getting back to chips, the next bright idea down in the corridor will be to send out “kill commands”. However the thing about ICTsec and cyber-weapons is the enemy does not need any computers… Because malware actually runs on the computers being attacked…

So the minute you send off a kill command you can expect it to come flying back at your weapons very quickly there after.

Also there are known ways of stopping such attacks that have been discussed on this blog oh a decade or so ago…

The problem is there is no easy answer when it comes to electronics. Nearly every IoT device out there has more than enough smarts to be used in weapons. The same with Smart Phones. The simple fact is the military stopped being the primary force driving the electronics industry forward more or less fourty years ago and now well lets just say they are lucky to get the crumbs off of the consumer electronics table.

Take Sansung Smary Phones, it’s not widely known but like Disney Corp they find North Korea a plentiful supply of very cheap and quite skilled labour…

Anyone daft enough to realy push the issue will find that the nations most economically dependent on the electronics industry is the Americas and their supposed allies in the West.

It’s why some of us had a good laugh about the “Obama Big Red Button”, then later Trumps Trade war with China, the thing is some people realy do not grok-it about “taking target practice at your own feet”.

ResearcherZero • April 1, 2022 6:19 PM

That is a joke because of the rain, not the bribes.
https://www.smh.com.au/environment/weather/flood-emergency-continues-for-lismore-20220331-p5a9k5.html

Bribes are not a joke, they are rather serious, but you got to get that gas out somehow, and fast! Personally I think the bribes are rather measly, but Australian politicians are really, really cheap compared to there counterparts overseas.

ResearcherZero • April 1, 2022 6:33 PM

So how do you funnel the money into your pocket?

Energy and Emissions Reduction Minister Angus Taylor introduced a bill to Parliament on Thursday that would change laws that bar the Clean Energy Finance Corp from investing in conventional fossil fuels and remove a rule that prevents it from investing in loss-making projects.
https://www.smh.com.au/politics/federal/taylor-expands-clean-energy-fund-s-remit-to-fire-up-gas-led-recovery-20200827-p55pvu.html

The new policy bans all onshore gas extracted in WA from being exported east or overseas, except for one project: the Beach Energy and Mitsui and Co Waitsia joint venture.
https://www.smh.com.au/business/companies/beach-energy-oblivious-to-gas-ban-exemption-until-wa-premier-s-announcement-20200820-p55nnl.html

And while you are at it, why not go for broke?

Cotton company reaped $52m windfall in sale of water rights to government

EAA is a private company, which is controlled by a number of investment funds including a large Hong Kong fund, Pacific Alliance, via a Cayman Islands registered company.

“Report back to me on this and seek final approval before settling the purchase,” said Bumblebee Joyce.

EAA has other strong connections with the Coalition. Before entering parliament, Angus Taylor was a director of the company between 2008 and 2009.

The deal for $79m was signed in July last year, allowing EAA to report a large uplift in the value of its water rights. It booked a $52m gain on the water rights sold and a $40m uplift in the value of its water licences.
https://www.theguardian.com/environment/2018/mar/02/cotton-company-reaped-52m-windfall-in-sale-of-water-rights-to-government

https://www.anao.gov.au/work/performance-audit/procurement-strategic-water-entitlements

Clive Robinson • April 1, 2022 6:36 PM

@ ResearcherZero, SpaceLifeForm, ALL

With regards,

““The threat actor used the KA-SAT management mechanism in a supply-chain attack to push a wiper designed for modems and routers…”

Old News…

I worked it out it was probably a TechSupport managment vulnerabilityvas soon ad I heard about the effected coverage are. Then within a second or two of hearing that a master reset worked, I knew the rest of the probable story. @SpaceLifeForm and myself have exchanged thoughts on it a few days back, it is after all not the first time this sort of thing has happened.

The reality is the only thing that is kind of new is that it’s been done during an active conflict in Europe.

The earliest you might remember about tech support managment going bad was the CarrierIQ debacal on US mobile phones.

Then there was all those set top routers with a managment port out to the ISP WAN with default passwords.

And the list goes on.

All that realy suprises me is that these KA-Sat Terms are the only thing in the conflict notably effectiveted that the MSM has reported. But also it may be because not a lot else has been attacked that way so far… I was kind of expecting most of the infrastructure grids to have been realy whacked.

I guess some people have learnt from earlier lessons, which is a bit of a suprise the way the ICTsec industry usually behaves.

Mind you I do know that at one point the UK was the world leader on pushing to get infrastructure hardened, but…

ResearcherZero • April 1, 2022 6:41 PM

@Clive Robinson

These morons and their backdoors. Ye Gods!

No sooner than the CIA would backdoor something, then the Russian secret services used to find it.

“Here use this, it’s encrypted.” Then a couple weeks later, “don’t use that, the Russians have been intercepting all messages passed over it!”

(No s**t, we kind of noticed the bullets.)

Far safer to encrypt a message yourself, and then pass it along to someone prearranged. Even the hokey terrorists do that and their security is terrible.

ResearcherZero • April 1, 2022 8:13 PM

We all remember this don’t we? How can anyone forget is the question?

“Senators and House members have now sent a letter to the NSA in an effort to learn more about the agency’s role in the Juniper incident.”

In their letter, the lawmakers noted that the Juniper backdoor may have allowed a foreign government or a different adversary to hack into the communications of many businesses and government agencies. They have asked the NSA to describe the steps it took following the disclosure of the Juniper incident to protect government agencies, and why those measures haven’t prevented the recent SolarWinds supply chain attack.
https://www.wyden.senate.gov/imo/media/doc/012921%20Wyden%20Booker%20Letter%20to%20NSA%20RE%20SolarWinds%20Juniper%20Hacks.pdf

How to log into any backdoored Juniper firewall

an employee of Fox-IT stated that they were able to identify the backdoor password in six hours
https://twitter.com/cryptoron/status/677900647560253442

This module scans for the Juniper SSH backdoor (also valid on Telnet). Any username is required, and the password is <<< %s(un='%s') = %u
https://www.rapid7.com/db/modules/auxiliary/scanner/ssh/juniper_backdoor/

Decrypting protected data passing through the VPN

Juniper actually added the insecure algorithm to its software long after the more secure ANSI algorithm was already in it, raising questions about why the company would have knowingly undermined an already secure system.

Checkoway discovered that the company made an additional change to its software when it added Dual_EC, a change that made it even easier for the person who later installed the backdoor to decrypt Juniper's VPN traffic. This change involved altering the size or length of the so-called nonce (the random number string generated by the algorithm that the encryption scheme uses to help encrypt data). Juniper changed the size of the nonce from 20 bytes—the size it had been using for the ANSI algorithm—to 32 bytes.
https://www.wired.com/2016/01/new-discovery-around-juniper-backdoor-raises-more-questions-about-the-company/

That new nonce, 32 bytes, is the precise size the security community had specified in 2007 would be the ideal minimal output an attacker would need to undermine Dual_EC.
https://www.wired.com/images_blogs/threatlevel/2013/09/15-shumow.pdf

"pervasive, persistent access on the global network."
https://www.spiegel.de/international/world/the-nsa-uses-powerful-toolbox-in-effort-to-spy-on-global-networks-a-940969.html

A leaked NSA cyber-arms catalog has shed light on the technologies US and UK spies use to infiltrate and remotely control PCs, routers, firewalls, phones and software from some of the biggest names in IT.

The exploits, often delivered via the web, provide clandestine backdoor access across networks, allowing the intelligence services to carry out man-in-the-middle attacks that conventional security software has no chance of stopping.
https://www.youtube.com/watch?v=b0w36GAyZIA

ResearcherZero • April 1, 2022 8:20 PM

How to remotely operate the kill switch.
https://www.youtube.com/watch?v=USEUcO1PKwU

Clive Robinson • April 1, 2022 8:41 PM

@ ResearcherZero,

No sooner than the CIA would backdoor something, then the Russian secret services used to find it.

The $64,000 question,

“Did they actually “find it” or were they “told about it”?

If you remember back half a decadecade ago, the CIA lost a whole bunch of people in Iran and China. At the time the story was not entirely lucid but,

Aparantly the CIA came up with a new CovComm way for agents to communicate back to their agency handlers via what some called an “Internet App”. The reasoning for the app is confused some saying it was for new untrusted agents, others say it was due to advances,in “technology” apparently there was to much CCTV backed up by facial recognition for handlers to go out and meet agents. What ever it became a SNAFU realy quickly,

https://www.businessinsider.com/how-china-found-cia-spies-leak-2018-8?op=1&r=US&IR=T

But there was a major bluebottle buzzing in the ointment… Apparently the CovComm app was supplied by people not exactly immersed in communications security at all levels and especially in Covert Comms where traffic analysis can have your hide nailed to a tree faster than you can squeek DE.

The US apparently blaim the Iranians for finding “it” and then the Iranians then “told” the Chinese (maybe through the Hermit Kingdom)… Apparently a number of CIA sources in China ended up with low velocity lead poisoning infront of their co-workers.

Then it started getting interesting because the Feebies got involved and things disappeared into the inter departmental long grass etc…

But apparently, and we don’t know who, through a cut out, told a journalist that it was an agency insider that had told somebody rather than the system being “found” (by simple traffic analysis etc).

https://www.thetimes.co.uk/article/cia-hunts-for-traitor-after-american-spies-are-executed-by-chinese-8qrkbs597

Which kind of threw not just tom the domestic cat into the ring but Robert the big wild Bobcat in, to munch on the body parts… Then it all went quiet again.

So… Did the CIA or other Agency have a “talkative talpidae problem” or not? Were they just incompetent or not? And quite a few other questions.

Well we know of atleast two CIA defectors,

https://www.nytimes.com/2021/10/05/us/politics/cia-informants-killed-captured.html

Or did someone just use a yagi around 2.5Ghz and sniff out the soon to be very unfortunate agents, after a face that stood out had been seen in the area?

We don’t know and apparently the feebie enquiry was “on going” around the stems of the long grass…

And that is the way it’s still hanging.

Nick Levinson • April 1, 2022 9:23 PM

Wars’ effects:

— In Afghanistan, war gave huge data to the Taliban on people they want to identify and their activities, making it easier to kill them, and the Taliban might share data with governments it wants as allies. Afghan institutions (unlike U.S. military and diplomatic) may not have had plans for rapid destruction or concealment of data before losing control. (Article in Politico.)

— War between Russia and Ukraine led to Nokia not taking away its connection between a surveillance system and a phone system in Russia, that being a surveillance system used by the FSB, Russia’s main security agency, even though Nokia “unequivocally” denounced the Russian invasion. One expert says that without Nokia’s help the connection could not have been made. The surveillance system, while within Russian law, violated European human rights law, according to a European court. (Article in The New York Times, per Yahoo.)

JonKnowsNothing • April 1, 2022 9:37 PM

@All

re: Hard to crack phone password..

A report on Marcy Wheeler’s site about a phone seized by LEA on Jan 4, 2021 but only recently was the DoJ able to crack the “complex password”.

The phone was seized as part of an incident December 12, 2020, and belonged to Proud Boy leader Enrique Tarrio who is also an FBI informant.

From Jan 4, 2021 thru Dec 2021 LEAs could not crack the phone. About mid Jan 2022 the LEAs managed to get access to the phone and contents.

[EW] [the delay was] presumably due to the physics involved in cracking a complex password and the due process of a privilege review [LEAs can only use what’s on the warrant and all other items are supposed to be omitted]

So…

What kind of complex password would keep LEAs from opening the phone?
Is it possible LEAs used a Quantum Cracking Program?
It is hard to imagine people from Dec37 having prime number generators in their phones but maybe someone else shoveled him a couple of OTP numbers?

===

Search Terms

ht tps://ww w.emptywheel.net/2022/04/01/on-enrique-tarrios-complex-password-and-other-reasons-the-january-6-investigation-can-now-move-to-organizer-inciters/

(url mildly fractured)

SpaceLifeForm • April 1, 2022 10:08 PM

@ Clive

CyberAlarm

There is a pattern. I’ll bet some F12 Right Click came in handy.

Note the date on the first link.

I wonder if it is Mandiant that was called upon.

hxtps://www.theregister.com/2020/12/09/cyberalarm_pervade_software_npcc_kerfuffle/

While the NPCC and the tool’s developer, Pervade Software, initially insisted that Moore was mistaken because he had stumbled upon an early test build rather than the production version of Cyberalarm, The Register has done some digging and all is not as police and Pervade claimed.

hxtps://nitter.net/Paul_Reviews/status/1508933985979797505#m

Please, uninstall #cyberalarm immediately. If you’ve reused #passwords, change them immediately as they’re currently stored in plain text and returned from an API without authentication.

No, that’s not a typo.

ResearcherZero • April 1, 2022 11:45 PM

@SpaceLifeForm

It is pretty easy to get access to police networks. The security is just terrible. Just look through the audits. I’ve never seen anything worse than policing and registry audits, and they are consistently bad.

Admittedly in western Australia’s case it probably could of been a better system if they chose someone else than an undisclosed officer from the GRU to oversee it’s design and rollout, but hey, who better than someone who was repeatedly caught impersonating a police officer, before becoming one. At least the guy was keen.

Time is all it takes. Just pop boy Enrique Tarrio’s favorite slogans in the dictionary, and his social media history and you’ll probably get a hit.

So what was it “Maga2020!”, or did it have a few extra characters?

Pop me in the old folks home and sedate me, then point where you want the payload deployed, then I’ll run your entire “Cyber Warrior Hub” or whatever it’s being called these days.

“New data shows one in five aged care residents are being given anti-psychotic medication – drugs that the aged care royal commission has linked to chemical restraint.”
https://www.abc.net.au/news/2022-04-02/residents-in-rural-aged-care-given-anti-psychotic/13824282

“We’re the pariahs of this world no one takes us seriously,”

the perfect cover for a cyber hub

$10bn fix needed to reform aged care, report finds
https://www.smh.com.au/politics/federal/no-one-respects-us-aged-care-workers-call-on-labor-to-deliver-higher-wages-20220330-p5a9bs.html

perfect alignment

The $10b ‘OLDSPICE’ cyber showstopper
https://www.dailymail.co.uk/news/article-10663123/Threat-China-Russia-Australia-spend-10billion-doubling-cyber-warfare-unit.html

no tax hikes

No tax hikes to pay for aged care: Morrison

Prime Minister Scott Morrison has ruled out tax increases to pay for improvements to the stricken aged care system, saying calls to do so would impede the economic recovery.
https://www.pm.gov.au/media/respect-care-and-dignity-aged-care-royal-commission-452-million-immediate-response-government

Respect, Care, Dignity, …I want some of that.

(resilience, effects, defence, space, intelligence, cyber and enablers)

ResearcherZero • April 2, 2022 12:19 AM

Trump’s latest response to Vladimir Putin’s ongoing assault was to apparently spitball ways the United States might provoke a different national security crisis, an idea he put forward during an 84-minute speech to Republican National Committee donors in New Orleans on Saturday.
https://www.washingtonpost.com/nation/2022/03/06/trump-focuses-foreign-policy-speech-gops-top-donors/

Vindman reserves his harshest criticism for Putin sympathizers in the GOP: “These folks have blood on their hands. They’re going to own this”
https://embed.podcasts.apple.com/us/podcast/hes-a-small-man-of-56-saying-hes-57-the/id1232383877

–

Some unrelated secret sharing…

Unkenholz allegedly transmitted the secrets from his personal email address to the recipient’s private company email addresses. He is further accused of retaining the classified NDI within his personal email account.

The individual who received the data had previously held a Top Secret/SCI clearance from April 2016 until approximately June 2019 while employed at a company referred to in the indictment as Company 1.

However, the individual was working at a different company, referred to in the indictment as Company 2, from July 2019 until approximately January 2021. Consequently, the individual was not authorized to access, or receive, classified information during this time.

Neither Unkenholz’s personal email address nor the company email address to the individual who allegedly received the secret defense information was authorized storage locations for classified NDI.
https://www.infosecurity-magazine.com/news/unkenholz-accused-sharing-ndi/

ResearcherZero • April 2, 2022 12:38 AM

@Clive Robinson

Incompetence mainly, incompetence everywhere. Signals would constantly warn everyone about not associating with certain people (because those people were Russian spies). They would warn people about not handing documents to people. Not getting themselves compromised. They would warn the government about Russian operations, write up reports, no one took any notice.

Everything that is now obvious was all foreseen, put in reports, delivered to government, including all of Russia’s plans over the last 30 years, and it was all ignored or joked about. This in spite of people being locally abducted, murdered, and serious cases of -still to this day- ongoing espionage.

And really it is all a joke, the whole bloody show. All levels of government were infiltrated, everywhere, via simple incompetence.

ResearcherZero • April 2, 2022 12:50 AM

@Clive Robinson

If you want to keep a secret, don’t tell your government.
They won’t take it seriously anyway, and it will be out the door within two weeks.

ResearcherZero • April 2, 2022 12:59 AM

@Clive Robinson

Here are the basic numbers in dollars…

Russia and China have spent more than $300 million interfering in democratic processes more than 100 times spanning 33 countries over the past decade. The frequency of these financial attacks has accelerated aggressively from two or three annually before 2014 to 15 to 30 in each year since 2016.
https://securingdemocracy.gmfus.org/covert-foreign-money/

Fossil fuel lobby plays the same game, which is the direction the government’s eyes are usually looking and yet another direction their hands are reaching for.

“Total signed a deal with Lukoil, another Russian oil company, for exploring more than 1,000 square miles of western Siberian wilderness for shale oil”

“To keep it that way, oil companies are publicly and privately pushing back against more sanctions by speaking out at shareholders’ meetings and by lobbying in Washington.”

The companies are making “a hedged bet that the Russian energy sector will escape sanctions and the Ukraine crisis will quiet down,”
https://www.nytimes.com/2014/06/10/business/international/for-western-oil-companies-expanding-in-russia-is-a-dance-around-sanctions.html

Clive Robinson • April 2, 2022 4:03 AM

@ JonKnowsNothing,

Re : Hard to crack passphrase

And the all important “security marginn passphrase length “guestimates”…

The guestimate of guessing entropy over on Emptywheel is horrible at 30bits… Which is 2^30 or 1073741824.

Which might look like a large number but it realy is not these days. People should be aiming at 60-64 bits for guessing entropy these days. So 2^64 or a little under 20,000,000,000,000,000,000 (2e19) and there are password crackers that can work even on those due to people not understanding things. Because,

!!! Guessing entropy is a fickle thing !!!

So remember these fitst numbers are for “truely random generated” not XKCD or Pass phrase, so are real low balls.

For those trying to do rough translations of “truely random” into other “alphabet sizes” in their head, when it comes to just digits,

3 digits is 000…999 or 1000.

Which is quite close to 10 bits or 1024.

3 uncased alphas is AAA…ZZZ or 17576.

Which is a little over 14 bits or 16384.

3 uncased and digits is 46656 an awkward ~15.5 bits.

3 cased alphas is AAA…zzz or 140608.

Which is a little over 17 bits or 131072.

3 cased and digits is 000…zzz or 238328.

Which is a little under 18 bits or 262144

So the Empty Wheel quoted “30 bits” of guessing entropy would need

Digits : 30/10 lots of 3, so 9 chars.

Uncased : 30/14 lots of 3, so 6-7

Cased : 30/17 lots of 3 so 5-6

Cased+Digits : 30/18 lots of 3 so 5

Which as I’ve indicated is way below what you should consider a minimum these days (as this found within a year shows).

To get 64 bits in cased+digits,

That is 62^11 would be or 5e19 11 would be sufficient.

But to allow for some “human failings” such as case shift issues say 26 alphas and 10 digits or an alphabet size of 36. That would be 36^13 or 13 truely random chars would be sufficcient (actually 12 is ~62bit)…

But that can be hard to remember and password guesses these days know many of the memory tricks people use… So Claude Shannon more than a lifetime ago pointed out 2/3rds to 3/4rs of the English language was effectively redundant so 39 to 52 characters for a pass phrase is what has been calcuable from what had been known for over seven decades.

So you might want to consider the XKCD method which is on average less redundant. If we assume it uses a thousand word list of an average of 6chars . So six random words of around 6 chars each on average gives 36 chars length for 60 bit equivalent.

But what about a Pass Phrase?

Well honestly they are realy quite bad… The first capital alpha is probably only good for 4bits and things drop fairly rapidly there after down to just 1.4bits. On average the first word is probably only 7 bits equivalent. So to get 64bits equivalent your pass phrase would need to be up around,

46 ~= (64-7)/1.4 + 5

Approximately 45-50 alphas not including spaces, for modern usage.

Which is kind of what Claude Shannon told us to expect…

Clive Robinson • April 2, 2022 7:45 AM

@ SpaceLifeForm,

Re : Coppers bent or otherwise in your network.

I can not say much about the give-away tool that you mention.

But based on past history of UK Police Forces behaviours in the quaintly named Cyber-Space, my advice is,

Don’t learn the “hard labour” way the Police can not be trusted, and any “Gift Horse” should always be treated with deep suspicion.

In part because the Police may be pushing “stolen goods” onto you at the very least…

The current UK Home Office Minister’s predecessor Theresa May later UK Prime Minister, had a mission which was to eviscerate justice (something her successor is even more hell bent on).

She did this by cutting police numbers not just frontline but back office and importantly support as well and forced the sell off of Police property. Then doubled or trippled the “usless paperwork” to bog frontline in “makework” to keep them from doing any kind of sensible Policing activity.

Hidden in her agenda was a nasty little tactic. Traditional crime figures were dropping, and cyber-crime were rising. The reason, any half senible crook realised that the UK did not “Police the Cyber Space”.

So she ensured that cyber-crime was not recorded in the usuall figures even though it was running rampant (most card, bank, financial and other fraud became cyber under her direction through some clodish organisation called SOCA[1] she decided to disolve and “shuffle the deck chairs” to create the NCA as a replacment, which kept a lot of things nicely hidden by lost/mislaid/missing records as well as putting “deniability distance” in.).

So she could boast that her policies were reducing crime, thus her party leader could keep banging the “tough on crime” drum as well as “Hug a Hoddie”… when in fact the opposit was true especially when it came to banks and finance industry collectively called,”The City”. The result of her policies was making both “white collar” and “Cyber” crime rocket, not just go orbital, but off to seek out new frontiers… yarder yarder, you get the picture.

Well back in 2007-9 the iniquitous West Yourksire Police Chief presumably to manage resources “Had a cunning Plan…” They needed software to investigate criminals phones. Back then many believed incorrectly just pulling a SIM out of a phone would make it usless as evidence. It didn’t but knowing how to get at the data was a specialised task to put it politely.

A software company in Kent which is the most South East county in The UK were “contracted”. The Chief Police Officer rather dumbly thought being up in the North West of England, that the distance would allow his “officers” to get away with Intellectual Property”(IP) Theft. This “cunning plan” of his backfired and it got draged into the High Court[2].

Such misfeasence has become the hall mark of “British Policing” this century and has got worse with Police officers using their uniforms and “Warrant Cards” to make kidnappe, rape, and murder oh so much easier[3].

[1] The “Serious Organised Crime Agency”(SOCA) was set up under the “Serious Organised Crime Act”(SOCA-2005),

https://www.legislation.gov.uk/ukpga/2005/15/part/1/chapter/1/crossheading/establishment-of-soca/2021-04-29

Was actually brought in under the “Crook in Chief’s” tenure, the supposably honorable Anthony Blair PM, AKA “Bush’s Poodle” who gave us the 45min WMD “dodgy dossiet” and thus subsequent invasion of Iraq, the start of “cash for questions” and similar brown envelope back hander behaviours and much other wickedness to pamper his fundemrntal narcissism. He also took a policy “MAD,Maggie” Thatcher very specifically rejected because even she thought it was utter lunacy and it got called PPI which is where the serious downward spiral UK money troubles realy started that resukted in banking collapses and well yarder yarder, you know the rest that followed in the financial house of cards.

[2] West Yorksihere Plods caught not for the first, or last time in the act of theft and the Devil alone knows what moral turitude from the cesse pit of iniquity, then trying to Brass Neck it out,

https://www.theregister.com/2009/07/14/fts_west_yorkshire/

It is this Police force that satirical author Tom Sharpe “rips the 5h1t out of” in his 1996 book aptly named “The Midden” which is very definitely a “Recommended Read” as are most of his books.

[3] Search for “Sarah Everard” for more details,

https://uk.news.yahoo.com/uk-police-officer-jailed-murder-114607415.html

But he is by a very long way not the only one. And significant qestions remain (unfortunatly kicked into “enquiry long grass”).

Then shortly after the Everard Kidnapp, Rape and Murder by Met Police Officer “Wayne Couzens” we get,

https://www.theguardian.com/uk-news/2021/oct/27/serving-met-police-officer-charged-with

Despite substantial claims of strong evidence the UK “Criminal Prosecution Service”(CPS) decided “Not to offer any further evidence” in court at the last moment and dropped the case at the start of the trial and declined to say why (most odd[4]).

https://www.theguardian.com/uk-news/2022/feb/24/met-police-officer-rape-case-dropped

The officer remained suspended pending an internal disiplinary investigation… The arresting police force (City not Met) made it clear it was not their choice to drop the case…

Both officerscunder the “watchfull” eye of very politically compliant to femail Home Office Minister wishes, “Cressida Dick”. Who first came to world attention as the “Gold Commander” who was responsible for the Death of an entirely innocent Brazilian Electrician who had his head blown off in a very crowded London Underground railway carriage by Police “double tapping” with automatics at little more than arms length, as though it was some “ritual hunting blooding”…

[4] This does unfortunately happen the very adversarial nature of such court cases in the UK has caused the victims to not testify and the like quite often in the past. But usually it is known well before the trial date if a victim will not testify.

Dancing On Thin Ice • April 2, 2022 7:46 AM

Webex added itself to my auto login items. Deleted it since this was for a one time meeting.

2 years ago Bruce wrote “I don’t know. My guess is that it’s just under the microscope right now.” regarding the security of Zoom vs. Teams, Hangouts, GoToMeeting, WebEx.

Any re-assessment on this?

https://www.schneier.com/blog/archives/2020/04/security_and_pr_1.html/#comment-348893

Clive Robinson • April 2, 2022 8:12 AM

@ ResearcherZero,

Incompetence mainly, incompetence everywhere.

There is,a great deal of it about.

Have you ever thought “Why?”

I suspect it’s because “controllable fools” are this centuries version of Stallin’s “Useful Idiots”.

If you have one of the “dark triad” mental disorders, that makes you powet hungry beyond moral or ethical control then in the past you only used to need “sadists” to fill your ranks of “Guard labour”.

Then towards the Victorian era it was not just the exceptional psychopaths that needed “front men” as scape goats. Most sociopaths and psychopaths needed the narcissistic front men as they made life oh so much easier. For the likes of deflection and other useful activities, not least because their being the most visable ones, it was they who got to be “put up against the wall etc” come the glorious revolution, whilst the psychopath left quietly to start afresh when thing got quieter.

Thus Stalin took things to a whole new level and any one with desires of power sees advantages in surounding themselves with the incompetent… Think of them as “Chinese Meals” as soon as you’ve finished one and dispossed of what remains, you need another one…

fib • April 2, 2022 8:17 AM

@Clive Robinson

But what about a Pass Phrase?

I assume you are talking about perfect dictionary words. But you can mangle words in some particular ways, or use pass phrases made up of 4 different languages [and also mangled] words, something like

account_usada*furden1Faux-site

I think there’s a lot of entropy to be harvested in these simple tricks. But course I must be wrong.

Regards

Winter • April 2, 2022 8:28 AM

@Clive
“People should be aiming at 60-64 bits for guessing entropy these days.”

I would say, aim for 128 bit. 92 bit is already within reach of supercomputer clusters.

Lenght is your friend. Try this one:
“Hercule investigates wisteria stew in Oxfordshire”

Both Bitwarden and Rumkin Strength test agree that this phrase is strong (200 bits)
ht-tps://bitwarden.com/password-strength/
ht-tp://rumkin.com/tools/password/passchk.php

But even if you simply “count words” (6) and use word frequencies (~12 bits/word for these), you are in the 70 bit range.

Clive Robinson • April 2, 2022 8:49 AM

@ SpaceLifeForm,

In the UK we have a “Sea Shanty” called “What do you do with a drunken sailor?”

Well how about updating it to,

What do you do with a disused satellite?

Well “broadcast to a third of the world” might be your thing,

https://www.wired.com/story/satellite-hacking-anit-f1r-shadytel/

Anonymous • April 2, 2022 8:51 AM

@Clive Robinson

People should be aiming at 60-64 bits for guessing entropy these days.

That’s Diceware five words.

h++ps://en.wikipedia.org/wiki/Diceware

…in 2014 Reinhold [Diceware’s creator] started recommending that at least six words (77.5 bits) be used.

Sumadelet • April 2, 2022 9:53 AM

@fib

I’m afraid using foreign words and mangled words doesn’t help much. You are better off adding an extra word to your passphrase than using foreign words as a replacement for English words.

Let’s assume you are using a word that can be found in a word list/dictionary. Word lists are available for other languages. If we are optimistic, we’ll say the word lists are equal lengths. And we’ll be optimistic and say there are 10000 languages in the world (current counting is a little over 7,000 languages). So we add 10,000 word lists. The additional entropy will be log₂10,000 which is 13.3 bits

There’s an easily available word list here ( h++ps://github.com/dwyl/english-words/ ) with 466,000 words (others can be found with about 2,000,000,000 entries). Choosing one word at random* from that list gives an entropy of log₂ 466,000, which is 18.8 bits – so it is better to choose an additional word at random from that list than blend in all the words from all the languages in the world into a choice of a single word.

I’ll hazard a guess that you will find it easier to remember an additional one or two words in a pass phrase in your best known language than blending in unfamilar foreign words.

As for mangling words, password crackers are already programmed to do the obvious, such as reversing words, replacing letters with numbers, swapping terminal letters etc

Your best strategy is to add more words to a pass ‘phrase’ – not lines of poetry, sentences from books etc.

*I have to be a bit careful here. One could choose a word at random and it turn out to be ‘Password’ or ‘123456’ or ‘Abracadabra’, which, for psychological reasons, are obvious passwords. Any password cracker will use a list of most popular passwords from haveIbeenpwned ordered by popularity as a foundation for the first runs. This is why you need a pass phrase with a number of words chosen at random in it. You are vanishingly unlikely to get a pass phrase of ‘The Magic Words are Squeamish Ossifrage’, for example.

Sumadelet • April 2, 2022 10:07 AM

That last Anonymous was me. I forgot to put my name in the appropriate box.
So it goes.

Clive Robinson • April 2, 2022 10:09 AM

@ fib,

I hope you are well, Oh and we’ve had a few snow flakes this afternoon in London, so we might “Have a White Easter” in a few days =(

But “to business”,

I assume you are talking about perfect dictionary words.

Err no, remember the “human failing” issue, well the usual “threat model” for “passwords/phrases” includes “all rememberable CV-rule words”…

Where “CV-rule” is short hand for “Consonant and Vowel rules” of the languages real or pretend.

Basically if you can pronounce it, thus remember it as a word, it falls within those rules. Which means even glyphs get included in “alphabets” not just ISO-Latin-1 of ASCII.

However the so called “l33t 5p34k” rules are just “simple substitution” or “transformation rules” so don’t. Nore for that matter do “transposition” or “sort/shuffle” rules.

Nore do other basic cipher or code rules includingvthe mathmatical and layout rules.

And yes there are also arguments about rules… For instance the so called “Pig-latin” which children sometimes “invent” where you add extra vowels into a word, but obviously it still remains pronouncable.

The idea is you have a pronouncable set of words that is a tiny subset of the total number of words possible. From this base you then add other transformations.

So,

Fred – base word.

Fr3d – leet speak transformation
Gsfe – +1 Ceaser Cipher.
Gtrf – Keyboard layout right one.
1Fred – one of many add rules

And much more.

Winter • April 2, 2022 11:34 AM

@Sumadelet
“I’ll hazard a guess that you will find it easier to remember an additional one or two words in a pass phrase in your best known language than blending in unfamilar foreign words.”

Indeed, simply add the name of your favorite plant, place, story character, or dish, and you just added >10 bits to your passphrase.

Nick Levinson • April 2, 2022 11:54 AM

@Clive Robinson, @JonKnowsNothing, @fib, @Winter, & @Sumadelet:

Passphrases:

I now have only one context where I use them. In that context, I capitalize at least one initial and insert number/s between words.

That context is guest accounts on my laptops, in case I want to lend one to someone to log into and use the guest account. For that, I wouldn’t want to mangle words and likely don’t want obscure or foreign words, an unlikely case, long numbers, or inconsistent spacing (just all spaced or no spaces, but for amateurs as guests then always spaced).

I read that they’re more secure than traditional passwords, but if I have to use an online generator then I have to trust it. I could make my own but I haven’t put the time into doing that. I guess I’d have to find a list of at least a few thousand common words and copy it (without infringing a copyright on the arrangement) into a spreadsheet and then add a randomizing selector to the spreadsheet, preferably a grid of many randomizing selectors so no one remotely reading my screen or shoulder-surfing can guess my passphrase, and a length specifier or checker. Maybe I’ll do this, now that I’m thinking about it. Some day.

I should develop a post-randomization checker that looks for randomly-generated results, even long ones, that happen to be easily guessable. If I randomly generated the quick brown fox, it being randomly generated is no help. The problem there is that, due to a security concern, I wouldn’t enter the resulting pass phrase or any authentication token into the spreadsheet, so I can do that check only by eyeballing and hoping my brain catches the worst, since it won’t catch everything.

I generally use random characters, where each character tells a cracker nothing about an adjacent character, except for one doubling meant to confound shoulder-surfing if the surfee is adept at typing fast when entering the password.

Sumadelet • April 2, 2022 12:01 PM

@Winter

I’m afraid not: pass phrases are best constructed from a set of randomly chosen words. You really should not add words that are associated with you in any form.

Winter • April 2, 2022 12:36 PM

@Semadelet
“I’m afraid not: pass phrases are best constructed from a set of randomly chosen words. ”

Indeed, but what are the advantages of randomly chosen words over randomly chosen characters? You cannot remember either.

Now, who knows what books or movies I remember? What dishes I like? What plants I nurture on my windowsill? What quotes I remember from my childhood?

When my passphrase is “Nasi goreng bami sate” (favorite dishes, 96 bits, look it up, not my passphrase btw), how would this leak, unless your adversary already knows everything about you[1]. But that is not my threat model, which is drive-by criminals looking for an entry.

[1] I would never use something that I posted anywhere on the intertubes.

Nick Levinson • April 2, 2022 12:57 PM

@Winter:

Pass phrases/passphrases, more:

You may know enough to be sure you haven’t posted something about yourself on the Internet and to be sure no one else has about you, either. That could work for, say, the name of a favorite if you have just experienced it, such as a recipe that was invented last week, but even that’s not reliable.

I don’t have that knowledge. Maybe, as a kid, I filled out a form at a pet store and my first pet’s name is up on the Web even now. Unlikely, but I don’t chance it with those pesky security questions. By the way, nothing forbids a website owner from selling my security answers as part of a bulk sale. Like, the ones about siblings’ names. I imagine an advertiser would buy the list, to sell more balloons for sister’s birthday. I solved that, by answering with strings of random numbers spacelessly surrounding -fictional-, which should suffice as notice that that is not where I graduated from school. If I get to make up my own question, I make both the Q & the A obviously nonsensical. By the way, at least one site does not permit changing a Q&A later, so I’m stuck with my first choice unless I close the account, and at least one website (not the same one) does not allow reopening after closure.

Anonymous • April 2, 2022 1:12 PM

@Winter

I like a good Nasi goreng bame sate too, especially in tropical heat washed down with a cold Anker beer.

You are quite right to illustrate the threat model you are protecting against. In the past it might have been quite difficult gather sufficient background information about a person to make good educated guesses about passwords: these days the naïve post gold dust on social media. I’m sure you are not that naïve.

So please excuse me if I was over critical. I did not mean to be impolite.

There are techniques one can practise to remember apparently unconnected random words. The well known xkcd “Correct Horse Battery Staple” demonstrates a visualisation technique which works for some; there are others, and connecting via things familiar to you is sensible.

Clive Robinson • April 2, 2022 1:39 PM

@ Winter,

Both Bitwarden and Rumkin Strength test agree that this phrase is strong (200 bits)

Sorry they are wrong.

I don’t know how they are working it out but they are about four times the value I would expect for,

“Hercule investigates wisteria stew in Oxfordshire”

So lets assume the XKCD “horse battery…” method. First strip out any stop or connective words such as “in” so five words from a base dictionary. If we assume upper working class to middle midle class vocab then you’ld have about 800-2400 words, so say an alphabet size of 2000 or 11bits.

So five words times 11bits is 55 bits. But the words are obviously rearanged so yould loos 1-2bits for each moved word so say -5 bits giving you 50bits.

Now going back to Claude Shannon and others work in the 1950’s

You would get on one measure 11bits for the first word and 1.4 bits per character there after for a simple charecter frequency estimate or 11 + (1.4 x (44-7)) ~= 63 bits.

But if you then look at language redundacy you loose about 2/3rds of your effective charecter count, and only get a 7bit for the first word so 7 + (1.4/3 x 44) ~= 28 bits.

As it’s just a sentence not a library of books averaged, go for the averag so (63 + 28)x0.5 ~= 46 bits.

So 50 bits and 46 bits are reasonably close and what I would expect for that sort of sentance.

But… As the sentance contains what are three names… It would add maybe upto 4bits each or 12 bits but that is nowhere near the 200bits of the two online services you’ve used. So I’m still going to say they are, so well off of the mark, or deficient that they have to be wrong. And as they say the same thing are probably behind the front end effectively the same estimator.

Clive Robinson • April 2, 2022 2:07 PM

@ Sumadelet,

That’s Diceware five words.

That depends on the “alphabet size” the dictionary represents. You need to remove connectives and stop words as well as proper nouns from them[1]

A lot of people get by on a thousand words or less, whilst junior managers maybe half as much again at 1500 words. Many people on this blog show a command of English that puts them above 2000 words. So lets say 2000 words in the “alphabet” that the dictionary substitutes for or just 11bits.

So five words gives you just 55bits.

But… as I indicated to @Winter rearanging the word order knocks one or two bits off for every word moved so -1 x 5 which gets us down to just 50 bits.

So to get 64 bits equivalent you would need 64/5 ~= 13 bits or a 8000 entery alphapet / dictionary, which is beyond most people.

To get 18 bits you mentioned out of an alphabet / dictionary requires more than a quater of a million charecter equivalents or words. Nobody has a spelling vocabulary that large in the west and unlikely to do so even in the far east either unless they are quite senior in years and a scholar.

[1] It is a bit of a bone of contention how you decide the information content of a name / proper noun. I’m of the view to treat them seperately and as basic letter frequency of their constituent characters on the old “A SIN TO ER” basis. However those with password crackers with way more extensive base dictionaries would probably disagree and put them in the dictionary.

Sumadelet • April 2, 2022 3:10 PM

@Clive Robinson

The Diceware dictionary/ies are 7776 (65) ‘words’, which are defined as unique groups of symbols, with a minimum group size of 1*.

Diceware is not dependant on your own vocabulary: you choose from a word list. 7776 is not far from your 8000.

And similarly, the 18.9 bits was from a precompiled ‘word’ list of 2,000 million words, where encode, encodes, encoded, and encoder would be different words, whereas from the point of view of a vocabulary they would probably be counted as one root-word.

I think the Diceware scheme (random words), using one of the EFF wordlists is reasonably good, and combined with memorisation techniques can produce a good, usable pass phrase, which might well be suitable as the pass phrase for a password manager.

I would be very happy to listen if you believe otherwise and you gently point out my misconceptions.

*The EFF were critical of some of the original choices, and produce their own word-lists: h++ps://www.eff.org/deeplinks/2016/07/new-wordlists-random-passphrases

**Bonus fun: estimating your vocabulary size using Zipf’s law: h++ps://zipfslaw.org/2017/10/31/estimate-your-vocabulary-size/

JonKnowsNothing • April 2, 2022 3:17 PM

@Clive, @All

re: Password cracker jacking

I am still puzzled why the FBI would claim it took them over 365 days to gain entry to the phone.

A flaw in NSO Pegasus?

There wasn’t any direct mention of the type of phone or if they FBI had borked earlier attempts, like triggering an iPhone autodelete-wipe-factory reset.

iirc(badly) The FBI paid a $$$$ to buy a cracker that could by pass that setting after the San Bernadino Affair, along with a simulator-duplicator that allowed them to try the password unlimited times, until they Got The Rain In Spain.

Previous mentions of other phones cracked don’t indicate the FBI Ate Al had any issues jacking those phones.

===

aside: In the novel The Day of the Jackal, there’s a scene in the torture chambers of the French security services, where after much bashing and jolting the interrogators come up with nothing useful. The head of the French security services listens to the torture tapes himself. With his command of argot and the regional languages of France (which are not French), he deciphers part of the plot.

Maybe the guy coughed up the password as part of his plea bargain deal and it wasn’t a technical issue at all?

SpaceLifeForm • April 2, 2022 3:29 PM

@ Winter, Clive

“Hercule investigates wisteria stew in Oxfordshire”

There is absolutely no way you can have 200 bits of entropy in a 49 character 7-bit ASCII string. Absolutely no way.

Maybe, if you are lucky, nearer to 100 bits.

But I count 17 vowels, so reduce.

I see only 1 Uppercase, and 1 Numeric. And 5 spaces.

Basically, you are dealing with an approximately 5-bit alphabet.

So, with 49 approximately 5-bit characters, we are definitely not close to 200 bits of entropy, assuming 2 bits per character.

One could argue that it should be 2.5 bits of entropy per character, but, they are words, not random characters, and as you learned long ago, there be rules about back-to-back characters in a language.

Bitwarden and Rumkin Strength sound like snake oil.

Based upon their math, they think each 7-bit ASCII character has 4 bits of entropy. Which we know is complete garbage.

SpaceLifeForm • April 2, 2022 4:35 PM

@ JonKnowsNothing

re: Password cracker jacking

I believe you have read the dots.

I do not believe that the FBI could not access the contents.

They purposedly made sure that they jumped thru lots of hoops to make sure it would be legal evidence in court.

Informant, Filter Team.

Sources and Methods. You have to read anything from DOJ with some NaCl. They may not be forthcoming wrt actual timing. Remember, there are bad actors inside DOJ. FBI is under DOJ thumb.

SpaceLifeForm • April 2, 2022 5:27 PM

Someone stole my Hippos!

hxtps://www.protocol.com/enterprise/doctor-burnout-ai-patient-risk#toggle-gdpr

Amid pandemic burnout and increased demand for documentation, doctors are recording patient conversations and giving note-writing work to an AI-based tool, even if that risks privacy or medical errors.

SpaceLifeForm • April 2, 2022 5:53 PM

Someone bought a vowel

Good thing he did not post this yesterday. My bold.

hxtps://nitter.net/jack/status/1510314535671922689#m

the days of usenet, irc, the web…even email (w PGP)…were amazing. centralizing discovery and identity into corporations really damaged the internet.

I realize I’m partially to blame, and regret it.

Better late than never.

JonKnowsNothing • April 2, 2022 6:28 PM

@SpaceLifeForm

re: doctors are recording patient conversations and giving note-writing

fwiw:

In ancient days, before the WWW but after there were PCs and there were still R2R Tape, a technology existed called “Data Entry or Keyed Data Entry”. Reams of hard paper punched time cards and paper stuffs flowed into companies that specialized in converting them to R2R Tapes for uploading to corporate mainframes.

You had to be fast, and accurate. (Not Moi)

An offshoot of this process hit medical establishments. In those days, MDs, didn’t do any paperwork other than scribble a few codes on a sheet placed in their out-box to be picked up and entered by their own Data Entry staff into the approved program of the epoch.

MDs did scrawl medical data into one’s paper chart and some of us had voluminous charts.

As the MD-Patient loads increased and MD-Staff decreased, MDs were forced into doing more of the coding as well as “charting”.

In order to keep up with the charting, many MDs (and lawyers) started using dictation devices which were small tape recorders with cassette tapes. An experienced dictation user can cut out all the ahs, ahems, coughs, dohs, that are part of normal speech pattern ending with the a full sentence on replay.

The folks who did Data Entry or Keyed Data Entry also did Dictation Editing where the cassette tape was converted to an text file which was printed and added to the patient’s chart. (WordStar was a favorite)

To do this, not only did you have to be fast and accurate, you also needed an extensive knowledge of medical terms and abbreviations. (Not Moi)

There are various laws about recording patient-MD interactions; most have now been dismantled under the tidal waves of lawsuits. There were times where some MDs used “white noise” machines so that people hanging about in the waiting areas couldn’t hear what was happening in the offices.

Surveillance, audio and video are in nearly every clinic or hospital in the USA. The signs may say “No Pictures No Videos” but that’s for you..not for them.

Clive Robinson • April 2, 2022 7:12 PM

@ SpaceLifeForm,

Someone bought a vowel

As you go through life, you pick up crosses, some small some large, some you even get to put down.

I’ve got a few of my own to carry, not least being the pioner of the use of SMS –and back then “dumb”– mobile phone as a “secure side channel / token” for authentication in financial services[1].

It’s what you carve out of them that matters.

[1] Most definitely not my finest moment. The real salve to the soul, for an engineer though is understanding and the realisation it brings that,

“If not you, then somebody else.”

All ideas that move mankind forward be they technological or otherwise, “come of age”.

So somebody will be “first” to think it up, push it forward, or kill it off. We each play our part sometimes two or more as if actors on a stage in the play of life, love, hope, and yes iniquity.

[2] “The Bard” William Shakespeare most famously put it in “As you like it”,

“All the world’s a stage, and all the men and women merely players;
They have their exits and their entrances;
And one man in his time plays many parts, his acts being seven ages”

SpaceLifeForm • April 2, 2022 7:13 PM

@ JonKnowsNothing

I knew you would be STAT.

Having experience in this field, I would say your description was very accurate some time back, but most hospitals these days are pretty automated, and most charts these days are recent printouts for the nursing staff, so they can catch up quickly on patient status when they come back on shift. If they have questions, or wonder why there was unexpected change in patient status, they can backtrack online, or talk to head nurse staff. But, usually, it is available via a terminal if it is not on the current chart.

The problem is the insurance companies jerking the doctors around, IMO.

SpaceLifeForm • April 2, 2022 8:29 PM

Flipping a wooden nickel

Is it random? Or is there bias?

hxtps://www.cnn.com/2022/04/02/investing/nickel-short-squeeze/index.html

There is too much to blockquote on this one. You just have to read it.

SpaceLifeForm • April 2, 2022 8:59 PM

countering propaganda via cold call

hxtps://www.cnn.com/2022/04/02/europe/cold-calling-ukraine-russia-iron-curtain-intl-hnk-dst/index.html

JonKnowsNothing • April 2, 2022 9:07 PM

@SpaceLifeForm @All

re: The Insurance Boa Squeeze

It’s more than just the insurance industry, it’s also the For Profit aka Least Cost idea of medicine which is ancient but now has fatal repercussions. There’s only so much you can squeeze a system before the wheels fall off or the A-Frame breaks.

We can see this RT as the SARS-CoV-2 pandemic moves into the 3d year, and the varying responses by governments, MDs, RNs, and their populations.

In a way, COVID-19 has given everyone a magnified view of the problems because it is a single condition (with many many sub-lineages). The constant pulling of HIP-RIP-LOVID against STOP THE PLANES. The pull of Profiteering on Vaccines against reduction of illness globally.

As to “reading the chart”, details are certainly listed but the reality is few will look past the headings of the last shift to see “What’s Really Happening”. They look at the top N indicators and rarely look past page 1.

Personally, I know when and if they do look past page 1, because a few eyebrows will rise and jaws drop when they see the number count…

… who has time? Who has time? But then if we do not ever take time, how can we ever have time?

The Merovingian, The Matrix Series

SpaceLifeForm • April 2, 2022 9:22 PM

Ubiquiti may want to research

Maybe the same op, who knows?

hxtps://krebsonsecurity.com/2017/11/r-i-p-root9b-we-hardly-knew-ya/

SpaceLifeForm • April 2, 2022 9:57 PM

W ALL

When your phone settings says that the WIFI and BT is OFF, do not believe that.

lurker • April 2, 2022 10:33 PM

@SpaceLifeForm re wooden nickels

Mr Xiang was betting the price would drop? Since he’s in the area, maybe he knows something about Phillipines & New Caledonia that others don’t. Both have had recent govt/ownership/licensing issues with their mines.

Winter • April 3, 2022 6:51 AM

@SpaceLifeForm
“There is absolutely no way you can have 200 bits of entropy in a 49 character 7-bit ASCII string. Absolutely no way.”

I agree, it is a reminder that password strength measurements are unreliable. But 200 bits for 49 characters is just 4 bits per character. So this is not impossible.

What works is extracting word frequencies and use these to determine the contribution in bits of each word. Word frequencies are difficult to calculate. An alternative is to use trigraph frequencies (three letter combinations). That is often a good approximation.

This site uses the trigraph method and common words. It still comes up with a password strength of ~200 bits.
ht-tps://alecmccutcheon.github.io/Password-Entropy-Calculator/

The ultimate calculation requires the word and bigram frequencies which I do not have, sadly.

Clive Robinson • April 3, 2022 7:20 AM

@ Winter,

Re : Bucha slash and burn.

Sadly this is typical behaviour when oportunistic leaders of conscripts act as invaders and get pushed back.

It’s another form of “salting the ground” by the invading leaders.

The thing is the conscripts get divided into effectively two groups,

The first is those that do the work without question and may even revel in it, they generally survive to become promoted.

The second group are those that do not “follow” what the world considers “illegal orders” or desert. They often become what the first group eventually ends up disposing of as well.

Such is the forge of tyranny providing the next layer of guard labour for the leaders.

As we know from Stalin’s peccadilloes that those returning home from fighting under other commands became “traitors” and were treated as such.

The reason is not what they did, but what they did not do. They had escaped the forge of tyranny and not just survived but prospered. They were thus unacceptably devient from the “one loyal unquestioning path”. And that represented a very real danger to the leaders, as they showed all who saw them another way of behaving, and that the leaders were not omnipotent or even right. So their mear existence was deemed seditious…

So expect graves to be found where conscripts are found striped of all that had worth and in some cases where not even bullets have been wasted.

We have seen this behaviour on the Rus western flank where it borders other European ethnicities before, especially over the past hundred years…

And we also know that those who do come home, are not those you would welcome if their sins were known. Thus they form a closed group who hold themselves seperate from society lest their secrets tumble from their mouths. Worse they can only exist in “state provisioned work” where they are in effect protected and thus provide the seed from which the next generation of leaders will grow.

And so the wheel turns the mill that only the grist and grit survives all else winnowed away or fed to the swine so they may grow.

Clive Robinson • April 3, 2022 7:33 AM

@ SpaceLifeForm, ALL,

Re: When what you buy you do not own.

And,

When your phone settings says that the WIFI and BT is OFF, do not believe that.

Nor much else…

View any smart or mobile device,

“As a hole in your pocket through which your world pours into the greedy maws of those you would sooner jail than have free.”

It will only get worse, as the guilding will come off of the bars of the cage we sleepwalked into…

Waking up, turning around, and walking back, to readopt many common social behaviours of half a century ago is the only solution, and it will probably also increase the enjoyable length of your life more than you might expect.

Clive Robinson • April 3, 2022 8:29 AM

@ lurker, SpaceLifeForm, ALL,

Re : Is it worth a nickel.

Mr Xiang was betting the price would drop? Since he’s in the area, maybe he knows something…

First you should ask,

“What nickel?”

It has two answers that are not unconnected.

Firstly the LME trades in a hard commodity, traditionaly always has done[1] and either you have that commodity or you do not when it comes to settlement.

Secondly the LME only trades one type of nickel currently, and it’s not as popular as it was which has given rise to issues[1]

Whilst the nickle Mr Xiang has may not be wooden, there is more than one type of nickel and his is not that the LME “currently” trades[1].

Unfortunately the LME sets the nickel price on the ingot trade price, therefore the price is effectively artificial and overly high. But was kept lower than it might because a lot of ingot nickel has Russian thumb prints on it at some point in it’s life.

This naturaly gives rise to the question,

“What happens to the price now Russia is out of the game?”

Well an idiot would immediately say “supply and demand” look at the wrong (ingot) figures and conclude the price will staircase to heaven based and beyond based on (industry) demand figures. So conclude you should get in on the ground floor preferably in the high speed escalator of futures trading.

Which is what the Hedge Funds would want you to do as they get two lots of income, that off of the cost of the trades (fees) through the LME and that off of the commodity difference (settlment).

If trading moves out of the LME the hedge funds are the loosers and industry the winner… The LME has steadily lost business because it’s archaic and imposes to higher cost.

Thus a more thoughtfull person might ask the question what will the LME do to stay in the game?

Well one thing they could do is trade the price of nickel down, it’s what industry wants and is increasingly getting elsewhere.

The oppening of a new metal market in Asia must be one of the LME’s worst nightmares, because they would like as not trade worked nickel (ingot metal being antiquated and mostly unneeded).

Mr Xiang has lots of worked nickel at hand, so he would certainly see the opening of another market bring the price of nickel down after an initial hike due to Russia and the delay of opening a new market it would force.

He would also see that the LME might open up the commodities it trades to prevent a new market opening.

There are other factors that also could bring the price down.

Those hedgefunds would see advantages in both the price hike and subsequent drop in futures trading and they would certainly be working it behind the scenes to their advantage.

The problem the LME board went with what is in the short term best for industry…

Thus some hedge funds who thought they “owned the LME” got a bit of a cold bath…

Have the hedge funds actually lost anything?

Well you would think so from the noise they are making, but look a little deeper…

We’ve seen this before with a Computer Games Company and “crowd funding”. In short it’s a turf war and they will be reaching for lawyers already.

[1] Because the LME was loosing trade to outside contracts it made changes, and unfortunately dragged in the sleazy “Hedge Fund Crowd” in on the top table (who you will note are the ones b1tch1ng). They do not like hard commodity settlement as it limits their speculation through their “hidden hand” you or I might consider corruption. But the real reason the LME was loosing trade, was because of what it traded. These days industry works with worked alloys not 999 Fine ingots which add an unwaranted high processing costs. Thus the bulk of real nickel trading is no longer in ingots thus falls outside of the LMEs trading by the LMEs choice, not the markets choice.

Winter • April 3, 2022 9:08 AM

@Clive
“We have seen this behaviour on the Rus western flank where it borders other European ethnicities before, especially over the past hundred years…”

Think Grozny
ht-tps://ca.news.yahoo.com/brutal-russian-playbook-reapplied-ukraine-114436616.html

I expect Putin to try to destroy Ukraine to rubble. I also think Putin is not in a hurry to get these conscripts back. I assume they will be redeployed until they are all gone.

SpaceLifeForm • April 3, 2022 2:55 PM

@ Winter, ALL

re: password strength measurements are unreliable

LOL.

Using the site you noted above, I tested two different 49 character random passwords. Truly Random, I swear! 😉

1234567890123456789012345678901234567890123456789

Charsetsize: 10
ShannonEntropyBits: 162.63
TrigraphEntropyBits: 158.44
Strength Code: Very Strong

and

9999999999999999999999999999999999999999999999999

Charsetsize: 10
ShannonEntropyBits: 0.00
TrigraphEntropyBits: 157.18
Strength Code: Very Strong

I do not see why the second random password results in a Charsetsize of 10.

But, something is wrong with the TrigraphEntropyBits, no?

Here is another site, likely using the same code:

hxtp://tests-always-included.github.io/password-strength/

1234567890123456789012345678901234567890123456789

charsetSize: 10
commonPassword: false
passwordLength: 49
shannonEntropyBits: 162.6340180917139
strengthCode: VERY_STRONG
trigraphEntropyBits: 158.44243595895566

9999999999999999999999999999999999999999999999999

charsetSize: 10
commonPassword: false
passwordLength: 49
shannonEntropyBits: 0
strengthCode: VERY_STRONG
trigraphEntropyBits: 157.1824196172302

You can play around with the link above, and see how as you add more nines, it thinks the password gets stronger because the trigraph entropy keeps increasing, even the the shannon entropy remains ZERO! Start with say 4 nines, and keep adding more. It updates on the fly. Watch the results change as you add more nines.

hxtps://dilbert.com/strip/2001-10-25

&ers • April 3, 2022 4:46 PM

@Clive @SpaceLifeForm @ALL

hxxps://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/

Clive Robinson • April 3, 2022 6:30 PM

@&ers,

The thing that raised my eyebrow was not the RCE’s “they happen” and appear par for the course these days.

It was the CVE number, on the assumption they are sequentially issued and there are no duplicate reports and they are all valid…

We are just a third of the way through the year and it’s effectively 23,000 over ~120days… That’s one heck of a crank rate on the sausage machine say one every ~88 seconds[1] in the normal working week.

Things are getting surreal…

But back to the problem which is at the root of the two RCE’s. From the article we have,

“Anyone using Spring on Java 9 or newer, especially those using TomCat. Java 8 does not appear to be vulnerable.”

Begs the question “What’s changed in Java 9 and why was it changed from java 8?”…

It would be a very relevant question, because “missery loves company”. And unless it’s very particular to Tomcat, I can see the potential for a few more exploits on Java 9 appearing because of it…

Sufficit to say my days of working with Tomcat stopped around 2002 and with that any interest I had in carrying on with Java that I saw as hyped-up junk at the time[2]… So after two decades I’m just way to jaded to care enough to go digging 😉

[1] Say a year is 48 work weeks of 35 hours in a year… That gives us,

(48 x 35 x 3600)/3 = 2016000 seconds

2,016,000/23,000 ~= 87.7 secs/vuln.

[2] I still do have quite a few books on Java in the dead tree cave. But they’ve migrated down to a bottom shelf and have other also depreciated language books like Perl and TCL sitting in front of them. The only book that did not go down is the original describing the design and construction of the byte code machine, and it sits next to stuff on P-Code and Forth. I’m sure this will be a shock / afront to some peoples sensitivities but hey, there are only so many hours in a day and I do not do “language religion”.

Curious • April 4, 2022 5:27 AM

Re. Danish military’s involvement in USA’s X-keyscore program, reportedly involving setting up a new surveillance center for monitoring communications inside Denmark:

From the last I read about this around new years eve, in which two official leaders allegedly had been charged for one or more crimes for revealing information about Denmark’s military’s invovement in X-keyscore program inside Denmark, this article below point out how one of them, as per “sources” to this Danish media ‘Danske Radio’, was wiretapped by the police surveillance unit called PET, inside his own house, apparently listening in to conversations between him and his wife.

‘Danmarks Radio’ (name from 1959) is apparently only called ‘DR’ these days, as of 1996 according to Wikipedia, which is confusing, as one would think DR was more than this simple acronym. And so on their webpage, I only see “DR” being used.

Note: The start of this article has a really weird phrasing of this one sentence that is loosely translated to English like this:
“An extraordinary action, in what is described as Denmark’s largest surveillance scandal since world war two.”

Either, this refers to an official sharing secret information, as if that was to be the scandal, OR, the scandal would be the state surveillance ala X-keyscore and whatever follows from that investement. Why would anyone phrase that one sentence so badly if it could mean two different things? Later in the article, it would seem as if DR perhaps want to characterize this type of transgression as being about himself, and not X-keyscore, but I still this this all sounds weird, as if NSA’s X-keyscore problem was not even a problem to be discussed.

The article points out that the concrete accusations are secret, as per their “source”.

(“DR: Suspected Danish spy chief was voice recorded in his home.”, my English translateion of the title.)
https://www.svt.se/nyheter/utrikes/dr-danska-spionchefen-blev-avlyssnad-i-hemmet (in Swedish)

If I could try add anything interesting to this, although it is claimed that serveral tiny microphones were used, I think one could argue that just maybe this could have been what is known as parallel construction, as if not really revealing the original source of any recording device. Ofc, such an idea would be very speculative, and might even be wrong as if making any assumptions of that having happened, but I would like to think that this is this kind of specualtive problem that a security researcher would come to think of, not really content with forms of hearsay, or news.

Clive Robinson • April 4, 2022 7:59 AM

@ SpaceLifeForm,

Re : viasat outage.

Not sure if you’ve read this or not,

https://www.reversemode.com/2022/03/viasat-incident-from-speculation-to.html

But it aligns with my thinking as I heard about the incident via news snipits…

The point is this sort of security fault is endemic in the comms industry. So much so that some TelCo’s used to have an “air-gap” policy for the phone network…

The problem SS7 used to be alowed through from the phone network with minimal if no AuthN or AuthZ on the payloads… So door wide open and a welcome mat as well…

It appears it was the same problem, once in the VPN due to some AuthN failure or credential theft the system was effectively “open house”.

I’ve mentioned why in the past this is the case, and it’s got a lot worse in recent times… Most TelCo’s are nolonger “opetators” they don’t even “own” network kit. They basically lease not just the kit but those who run it… So the security gets dictated by people outside of the TelCo and as they have laid off all such staff they have now “oversight” of any worth over what is happening with the network they lease… Arguably even if they did have technical oversight their lease agreement would effectivly exclude any type of corrective control, just like nearly every “Outsourcing Agrement”.

John • April 4, 2022 8:54 AM

@clive,

Hmm….

Well said.

The one I like is WEP [Wireless Equivalent Privacy]

Who is kidding who?

These days voip to and from telco is just a protocol conversion!

John

&ers • April 4, 2022 10:47 AM

@ALL

Of course after more than month heavy fighting in trenches,
(perfect example below),

hxxps://nitter.net/SputnikATO/status/1510278616176906251

the partjankas (footwrap) [1] of the glorious russian soldiers
stated to stink so heavily that Ukrainians geolocated them
without ANY electronic means whatsoever. For countermeasure
glorious russian army ordered there a washing machines on site
to organize a laundry day.

However Ukrainians captured the communication, because glorious
russian army uses cheap Baofengs without any encryption [2] and
organized an ambush for those washing machines.

Result is below 🙂

hxxps://nitter.net/UAWeapons/status/1510671563833630720#m

No, of course glorious russian army is not a looters, maraudeurs,
thievs, rapers, torturers etc. How can i think so bad of them 😉

[1] hxxps://en.wikipedia.org/wiki/Footwraps

[2] hxxps://ru.krymr.com/a/ukraina-rossiya-voyna-armiya-svyaz-koordinaciya-porazheniya/31760134.html

** for second link use Google Translate.

Clive Robinson • April 4, 2022 11:11 AM

@ JonKnowsNothing, SpaceLifeForm,

In the UK we have detected a re-combinant VOC of the two main stream Omicrons.

For various reasons now called Omicron XE.

It apprars to be more infective than earlier Omicrons but it’s way too soon to say if it’s more or less pathogenic.

Apparently the UK is the number one in terms of sequencing for actual tests carried out, but a certain European country with a much smaller population is sequencing? everyone so get it on “per head of population.

As I understand that in your neck of the woods, some hospitals are nolonger testing at all… and infected patients are just shoved in with uninfected… (not sure if they even acount for vax status).

fib • April 4, 2022 12:40 PM

@ Sumadelet, Clive, Nick Levinson, all

Thanks for your thoughts on my Saturday post.

Yes, I wholly agree that length is key to high entropy.

To me it’s very easy [and fun] to make pass-phrases using words from different languages, with symbols as separators. It’s an obfuscation effort, marginally useful if Eve is close to you, knows part of the password or your password composing scheme.

I wish you all peace and health.

&ers • April 4, 2022 1:04 PM

@Clive @SpaceLifeForm @ALL

hxxps://nitter.net/MrKovalenko/status/1510785360430833671

hxxps://en.wikipedia.org/wiki/Red_Forest

Pay attention to the “Human activity” section there in wiki,
especially the phrase “digging trenches”.

Winter • April 4, 2022 1:31 PM

@&ers

The #Ukraine intelligence reports about confirmed death of the first Russian Army soldier from Acute Radiation Syndrome (ARS) and 73 more soldiers in a severe condition suffering from this illness. They were camping in the Red Forest near Chernobyl nuclear power plant.

There is a lot of scepticism about this in the thread because the radiation exposure would have needed to be very high to kill this quickly.

However, later in the thread, it is remarked:

@Zachary Ferreira
Replying to @MrKovalenko
There are several possible sources of radiation exposure. Too many people are assuming one improbable source and calling the report fake news too quickly. Another possible source that is underreported:

The monitoring station was looted and all radioactive specimens on hand in stock have gone missing. If Russian soldiers took them, it begs the question: how were the materials handled? I can think of scenarios where mishandling while living in close quarters could expose many.

So, it might not have been just simple stupidity, but devious stupidity that did them in.

SpaceLifeForm • April 4, 2022 2:09 PM

@ Winter, Clive

re: Hercule investigates wisteria stew in Oxfordshire

By the way, I misread Oxfordshire as 0xfordshire, which I why I mentioned 1 numeric. A zero instead of uppercase ‘oh’.

I see the flaw in the trigraph entropy cacluations.

It is assuming that if they see an alpha, that means the charsetsize is 26. If it sees an uppercase alpha, that is worth another 26. If it sees a numeric, another 10.

If they see a space, they do not agree upon what that is worth.

hxtp://tests-always-included.github.io/password-strength/ reports charsetsize of 63 for the above 49 character passphrase.

hxtps://alecmccutcheon.github.io/Password-Entropy-Calculator/ reports charsetsize of 84.

They are both wrong. The actual charsetsize is 23 by my count.

The sites are reporting potentional trigraph entropy, they are not counting the alphabet size of what the user actually entered.

This is why when you enter a string of nines or a string of zzzz, the trigraph entropy keeps increasing based upon length, even though the charsetsize really is 1, and the trigraph entropy for the entered string should remain zero.

Winter • April 4, 2022 2:58 PM

@SLF
“They are both wrong. The actual charsetsize is 23 by my count.”

This example shows the trickiness of calculating the passphrase entropy. Entropy/information is calculated from the probability of a given string from a known set of possible strings. But what is the full set? And what is the probability?

The only consistent definition of the entropy of a single string is Kolmogorov complexity. But that is known to be uncomputable.

For passphrase strength, the relevant question is the expected number of tries before the correct one is found. So, assuming you know the passphrase is a meaningful string of words separated by spaces, the best strategy is trying meaningful sentences, going from short to long sentences. If you know the length, you try all sentences of that length.

Determining the entropy of a sentence, ie, the number you have to test, is well known stuff. It requires you know about the single word frequencies and the higher order, N-gram frequencies. However, these frequencies are all ill defined.

In short, there is no well defined passphrase entropy, just expected time to crack the phrase given specific search strategies.

Ironically, if your search strategy does not include a string of 40 times 9, it will not be found if it is the passphrase.

MarkH • April 4, 2022 3:39 PM

@Winter, &ers:

It’s startling that camping at a contaminated site could cause acute radiation sickness (and even death) within a couple of weeks.

However — as has been remarked — the absolute last thing to do in such a place is to disturb the upper few centimeters of soil.

Depending on how near the plant the site was, I wouldn’t rule out that by bad luck, they found an extreme hot spot. The variability of contamination from a reactor disaster can be very great, and the nearer to the plant the greater the probability that some mass of material landed with a degree of coherence.

The Chernobyl accident wasn’t just a meltdown as has been seen in other reactors; by several analyses, the core went far into supercriticality, and the energy release can reasonably be classified as a very low yield nuclear explosion.

Enormously heavy objects were moved substantial distances. Smaller objects may have been propelled quite far.

MarkH • April 4, 2022 3:40 PM

@Winter, &ers:

It’s startling that camping at a contaminated site could cause acute radiation sickness (and even death) within a couple of weeks.

However — as has been remarked — the absolute last thing to do in such a place is to disturb the upper few centimeters of soil.

The Chernobyl energy release was titanic. Enormously heavy objects were moved substantial distances. Smaller objects may have been propelled quite far.

Winter • April 4, 2022 4:18 PM

@MarkH
“Depending on how near the plant the site was, I wouldn’t rule out that by bad luck, they found an extreme hot spot.”

Actually, if true, Russian soldiers might have taken stupidity, or the Darwin awards, to entirely new levels:

Russia destroys Chernobyl radiation monitoring lab, says Ukraine
ht-tps://edition.cnn.com/2022/03/23/europe/ukraine-chernobyl-update-03-23-intl/index.html

The government agency also reported that samples of radionuclides — unstable atoms that can emit high levels of radiation — had been removed from the lab. It said it hoped Russia would use the samples to “harm itself, and not the civilized world.”

SpaceLifeForm • April 4, 2022 4:24 PM

@ MarkH, Winter, &ers

The Chernobyl engineers warned the Russian troops NOT to go there. But, they wanted to go to Red Forest because it was on the path to Kyiv.

The Russian troops stirred up radioactive dust, and breathed it in. Strontium-90 and Caesium-137.

Game over. They will all die, just a matter of time. Sad for the conscripts that were lied to, and never heard what happened in 1986 because they were not around then.

Clive Robinson • April 4, 2022 4:28 PM

@ Moderator,

I just got the “429” page and then when reposting “held for moderation”

What is going wrong with this sites software?

Clive Robinson • April 4, 2022 4:30 PM

Part One of repost attempt

@ Winter, &ers,

There is a lot of scepticism about this in the thread because the radiation exposure would have needed to be very high to kill this quickly.

Not of necessity. It depends on where the radio isotop is…

If they breathed in dust from below ground level where the fallout would have accumulated. That they may well have “dug through” then just a few days may be enough.

It also depends on how healthy they are… From what I’ve heard they have spent a lot of time “in the field” through winter waiting at the border. There food was probably nutritionaly poor, and soldiers spend much of their time drinking and smoking to fight off hunger, boardom, and home sickness, then there is the depression that arises from the drudge and crulty conscripts get treated with by the officers, who maintain disciplen with “Rule 9mm” or if you prefere “dig and die”.

Clive Robinson • April 4, 2022 4:31 PM

Part two of repost attempt

The chances are those that are reported as sick were significantly deficient in quite a few minerals including iodine. As well as being deficient in vitamins and basically sick with every respiritory disease in the book that passed by.

Whilst we may find the jokes about rotten foot cloths silly, it tells you something important.

Either Russian field hygiene is atrocious or the troops are veru deficient in basic equipment.

When I wore the green we used to go in the shower with our underware. We would soap up our underpants and stamp on them whilst using the socks like flannel cloths on our hands as mittens. You made sure your feet, croch, crack and pits were very well washed and if you had any sense you did not use deoderant but “baby powder / fine fullers earth.

Clive Robinson • April 4, 2022 4:35 PM

Part four of repost attempt

So yes I can see it is possible for some of the Russian troops to be ill with poisoning from the reactor fall out from Chernobyl, and it’s probably mostly not radiation from the environment they are in, but that which they have breathed in or ingested in some way. One of the hardest things to sort out in war is “pottable water”, because you get it from the local environment you don’t ship it in from hundreds of miles away. Even the best of reverse osmotic filters with decent flow rate don’t filter out lighter radio isotopes or some metals and their salts that are poisons…

When I wore the green I made sure I had my drop of iodine in my water bottle every day whilst out in the field –and it was not for purification alone– along with other minerals.

Clive Robinson • April 4, 2022 5:02 PM

@ Winter,

Entropy/information is calculated from the probability of a given string from a known set of possible strings. But what is the full set? And what is the probability?

Whilst the full set is in effect unbounded (but not infinite) the entropy value of a string can be different for the person generating and the person guessing.

There are stabdard salutations… If you do not know about them then their entropy value is higher than it realy is.

For instance in WWII in German communications “Heil Hitler” or the accepted abreviation were effectively obligitory at the end of messages.

This was both,

1, Known plaintext.
2, At a known position.

Thus the entropy value was close to zero…

But worse it leaked sufficient information to work out rotor slug positions and sometimes turn over points…

OK you are generally not performing cryptanalysis when “passphrase guessing” (if the OWF is any good). But it demonstrates that any leakage of information can be quite dire.

But it also brings us onto,

… the best strategy is trying meaningful sentences, going from short to long sentences. If you know the length, you try all sentences of that length.

Quite often it’s best to assume a password / passphrase is compound of three parts, becaude it’s a common modality in peoples thinking.

When you look at password guessers you find they do exactly this because it gets them there faster than just an incrementing brute force search of all strings you can construct.

So we can see that,

235john711

Is actually very weak. It’s simply a list of the first five primes with a short name inserted in the middle of the resulting number string.

It will be quite early on a search list.

&ers • April 4, 2022 5:33 PM

@ALL

Not only radiation kills the russians.

hxxps://dumskaya.net/news/pobeda-pod-pokrovom-nochi-ukrainskoe-boevye-pche-162055/

This one is pretty funny and well written.
Use Google translate, it’s worth reading 🙂

&ers • April 4, 2022 5:41 PM

@ALL

OK, direct English variant too 🙂

hxxps://www.dailystar.co.uk/news/world-news/russian-soldiers-killed-injured-ukrainian-26605366

JonKnowsNothing • April 4, 2022 6:24 PM

@Clive, @SpaceLifeForm, @All

re: In the UK we have detected a re-combinant VOC: XE

There are more where that came from: XA-XS; all recombinants.

Some refreshers or freshers:

When DNA/RNA mix there several outcomes:

a) If the gene pool for the offspring remains the same: no mutations
b) If the gene pool shifts and a replacement gene happens you get a mutation
c) If the gene pool shifts in the same mutation sequence you get a variant
d) If there are 2 completely different but compatible gene pools you get a: hybrid or new lineage (aka F1 Hybrid)

examples:

Parent1, Parent2, Offspring1 with no mutations
Parent1, Parent2, Offspring1. Something changes, or recessive genes become active or random alteration: a mutation
Parent1, Parent2, Offspring1, Offspring2, Offspring3. Something changes, or recessive genes become active or random alteration: variants
ParentType1, ParentType2, OffspringF1: hybrid
* Lions and Tigers hybrid: liger
The liger has parents in the same genus but of different species.
* Horse and Donkey hybrid: mule
Horses and donkeys are different species, with different numbers of chromosomes.

F1 Hybrids can create: heterosis, hybrid vigor, or outbreeding enhancement is the improved or increased function of any biological quality in a hybrid offspring. In cattle, crosses between Black Angus and Hereford produce a cross known as a “Black Baldy”

In the phlyogene tree of SARS-CoV-2

Delta: there are 100+ regional sub-lineages of Delta
Omicron: there are 4-5 main sub-lineages including: BA1, BA2 and 40+ regional sub-lineages

Delta is not related to Omicron. They come from different branches of the SARS-CoV-2 tree.

When you mix these 2 family trees you get an recombinant hybrid. Virus with characteristics of both sides.

Currently there are XA-XS @17 recombinant versions of these 2 lineages.

There will be many more because it’s not just a simple 3×3 table, its a genetic bingo game of which genes end up in the offspring. Additionally Omicron has many more genes than Delta. WhiteTailDeer-COVID has more genes than Omicron.

Naming conventions:

An ongoing issue when referring to SARS-CoV-2 is the naming conventions in use.

There are more than a dozen ways the same genetic layout can be named, including standardized names as well as researcher specific nomenclatures.

Nextstrain Clade / Pango Lineage / WHO

21A(Delta)/ B.1.617.2 / δDelta
21I(Delta)/ na / δDelta
21J(Delta)/ na / δDelta

21K(Omicron)/BA.1 / οOmicron
21L(Omicron)/BA.2 / οOmicron

/ XD /
/ XE /
/ XF /

(note: X indicates recombinant in Pango nomenclature)

The WHO uses Greek Letters for general public information but this does not capture the complexity of the virus as it propagates around the globe. Governments (HIP-RIP-LOVID) have ceased using any detailed definitions and lump reports into big bucket categories on their public dashboards.

To better understand what’s happening with the virus, it’s necessary to dig deeper. There are @15-20 serious mutations that have been traced to how the virus reacts in humans. Many of the other mutation effects are unknown or undetermined. Each virus sublineage contain different combinations, and the combinations impact how the disease progresses or fails.

The following treatments or supports are directly impacted by the mutations present in the virus. What once worked, now doesn’t because the dominant virus contains mutations that block or reduce the effectiveness of the drugs.

REGEN-COV (casirivimab and imdevimab) are not effective against B.1.1.529 Omicron now the dominant United States. (note BA2 is now dominant)
The U.S. government has paused distribution of COVID-19 antibody drug sotrovimab. It works against Omicron but not against BA2.
BA.2 was sensitive to Cilgavimab, partly inhibited by Imdevimab and resistant to Adintrevimab and Sotrovimab.

===

ht tps://git hub.com/cov-lineages/pango-designation/blob/master/lineage_notes.txt

27 page list of all current and withdrawn Pango names
line 1653 starts the X series names

ht tps://ww w.pango.network/how-does-the-system-work/how-to-suggest-a-new-lineage/

ht tps://w ww.pango.network/summary-of-designated-omicron-lineages/
BA.1 BA.2 regional sub-lineages.

ht tps://w ww.gisaid.org/resources/statements-clarifications/clade-and-lineage-nomenclature-aids-in-genomic-epidemiology-of-active-hcov-19-viruses/

ht tps://www. nature.com/articles/s41591-022-01792-5
pre-print 23 March 2022

(urls slightly fractured )

Clive Robinson • April 4, 2022 6:38 PM

@ ALL,

As some will know there has been stories of Russia maybe tyobg it’s self to China’s “apron strings” as the only way to get out of the economic crunch heading it’s way…

Well China or atleast Chinese radio manufacturers are not on some Russian’s good books, and the reason is self inflicted…

Due to corruption all through the “officer class” the troops on the ground are not as well equiped as they could be…

After all why spend $50,000 for ten secure digital frequency agile radios that work from the top end of the HF band through up in to the UHF band, that last 4-6 days on one battery charge and will charge from just about any DC or AC source from 12V to 250V and when charged work on a few milliwats in the HF frequencies at upto 10km or more reliably with the antenna just poking out of a fox hole…

When the same money will get you 2000 “cheap Chinese knock offs” –of the already much maligned Baofeng UV-5R[1]– that cover TX wise VHF 128-176 MHz and UHF 384-524 MHz at 8 or 5 watts of Narrow Band FM as well as recieving wideband FM from 76-108 Mhz?

But have such a shoddy antenna that you’ld be lucky to get 1km with 8 watts when working standing on top of a tank or truck…

You might if you are lucky find a couple of small frequency ranges where the antnnas actualy work like a wet noddle rather than a dummy load. But… you only get 4-6hours on a charge, and they are picky, picky picky about the charging voltage source. But worse they make loud noises and light up like Xmas shows unexpectedly and are less durable than a Nike shoe box…

But being FM analog not digital and not frequency agile, they show up easily on a cheap laptop running open source software and a couple of inexpensive “Software Defined Radios”(SDRs) that enable them to be fairly acurately “Direction Found” by little old ladies with a grim determination to “hunt the fox”…

Which means the little old ladies with way better operational skills –as they know what will happen to them if they are caught– tell a small squad of equally fast learning fresh through the door Ukranian soldiers where to get down wind of the Russians and literally “sniff them out” and drop in a little surprise…

The fact they are then jumping in second hand British cars to race off to find the next fox and send the pack in and have learnt and honed the skills in just days… Where as the Russians actually with atleast half a year in the field shout long and loud with frustration into those “cheap Chinese Knock Offs” and still do not get heard by their commanders…

Apparently their faith in their commanders and the Chinese is at rock bottom currently. Which is maybe why some are crossing over for a few hundred dollars and a Ukranian passport…

[1] The actual Baofeng UV-5R, maligned as it is does suprisingly work quite well if you know how to care for it. Considering it costs around a fifth of what a Japanese HT costs you must expect there to beva few “rough spots”.

I’ve used a couple with the “stock antenna” replaced by a broad band discone antenna –that cost around seven times the UV-5R does– as repeaters to be “hoisted in trees” and got upto 40km out of them. With the addition of a reasonably directional LPDA or highly directional yagi I’ve got quite a bit further. Oh and have used them to talk through satellites 500km or more up…

SpaceLifeForm • April 4, 2022 9:25 PM

@ JonKnowsNothing, ALL

I forgot to mention this. A few weeks back, BNODesk was going to stop collecting and reporting Covid stats. But, a bunch of people crowdfunded them, and they are back at it.

Two recent hxtps://nitter.net/bnodesk

Shanghai reports 13,354 new coronavirus cases, by far the biggest one-day increase on record

CDC estimates that BA.2 accounts for 72% of daily coronavirus cases in the U.S., up from 55% last week

You will never hear Russia numbers but they probably are bad.

SpaceLifeForm • April 4, 2022 10:32 PM

Remember Kaseya?

Again, what does it really, truly mean to be authenticated in a network environment?

hxtps://csirt.divd.nl/2022/04/04/Kaseya-VSA-Full-Disclosure/

This CVE caught my eye. Pure crap design.

hxtps://csirt.divd.nl/cves/CVE-2021-30120/

The need to use 2FA for authentication in enforce client-side instead of server-side and can be bypassed using a local proxy. Thus rendering 2FA useless.

JonKnowsNothing • April 4, 2022 10:46 PM

@SpaceLifeForm , @All

California has moved to Tuesdays and Fridays (with no hamburgers today).

Hospitals are still under the US CDC but expect that to change when the funding fails at Federal levels; along with other stuff which will hit the big waste bin.

I saw a report of a US group that intends to keep reporting but I didn’t see any 411 on their web site as to how they are funded or if they are legit, although they seemed to have a few good general reports.

On the back end, science is going to be farther distanced. California is building in an 8 day numbers lag, plus an additional 1 day for Los Angeles (9 days minimum).

More of the If You Don’t Know You Won’t Care policy.

There are +300+ drugs in the pipeline but most will never get out the gate now, as the Old Rules will kick in and there won’t be any more fast tracking.

With the loss of major SARS-CoV-2 drugs it’s going to be a bumpy ride for the next few months.

SpaceLifeForm • April 4, 2022 11:16 PM

From the Department of Redundancy Department

Again, what does it really, truly mean to be authenticated in a network environment?

hxtps://arstechnica.com/information-technology/2022/04/zyxel-patches-critical-vulnerability-that-can-allow-firewall-and-vpn-hijacks/

“The flaw could allow an attacker to bypass the authentication and obtain administrative access of the device,” Zyxel said in an advisory. The severity rating is 9.8 out of a possible 10.

I will continue to beat this horse until the rider learns to walk.

lurker • April 5, 2022 12:06 AM

@SpaceLifeForm, All

Why do people need to buy firewalls? It’s relatively easy to make your own if you know what you’re doing. Oh, wait…

Wesley Parish • April 5, 2022 12:23 AM

Well, folks, I just ran a little test on this site to see if the moderation could pick up an answer to the question posed earlier about sufficiently randomizing passwords and passphrases – using a joke known to some as The West Indies Holiday joke: “The missis and I went to the West Indies for a holiday.” “Jamaica?” (ie the likely destination) “No. Didn’t have to.” (ie, having heard “Did you make her (go)?”)

And involving such luminaries as Miss Spelling, Emma Chisit and Gloria Sarah Titch, of course, though not Monica Dickens, or Afferbeck Lauder. And moderation didn’t pick it up, let alone display it, so creative miss-spellings definitely have more entropy than your average mutilated text and combined with the average text mutilations, are likely to be harder to guess than your average password or passphrase.

Clive Robinson • April 5, 2022 3:16 AM

@ SpaceLifeForm, ALL,

Re : Remember Kaseya?

It appears that,

“What was old, is now new again!”

Back last century before many readers here were old enough to remember… We did not access services through graphical interfaces but “Terminals” connected by serial lines to “main frames.

The authN was done when the user logged in, and back then many applications did not have any authentication as,

“The OS did all that stuff”.

But first graphical interfaces then networking hit Personal Computer users… In mini-computer and big iron land it was the other way around with the likes of “terminal concentrators” then those fun “boxes” drawn on your terminal screen by addressable cursors and the likes of “curses” library[1] for *nix on mini-computers (big iron had it’s own equivalents).

For a while the X Windows system gave real graphical interfaces across the neywork, it was considered to dificult to work with…

The Internet came late to Microsoft OS’s and was a direct steal from BSD with a few changes to command line switches… By which time “The World Wide Web” was a thing and so were “Web browsers”. As “HTML” and “http” were very simple back then people went that way…

Microsoft tried to “own” things by building their Web Browser into the “desktop” of their OS’s and “big Iron” and minicomputer “legacy systems” had problems…

The solution “middle-ware” where servers acted as a proxie between the old now “back-end” systems and the web browser bassed users…

One problem “what do you do about authentication?” well as the legacy system apps did not do authentication the developers stuck it on the middleware server…

As time went on and PC’s became ever more powerful the desire to reduce costs hit the middle ware. Thus what we call JavaScript from the mid 1990’s was used to “ship functionality from the middleware server to the client”…

This was an industry wide “move problems to the left” excercise by lets just call them “not as worldly wise” as needed web-developers.

Guess what frequently AuthN and AuthZ got moved so far to the left they ended up on the users web browser PC… Opps. Yup those who did it got right royally stuffed by Crackers (yes it was a real live term back then).

It would appear some people have either not learned or forgotton the lesson…

[1] Back in the early 1990’s and earlier there was no agreed set of cursor control commands for terminals, so the need for “curses” was important. But that is history…

But not… whilst curses that was on BSD and later AT&T *nix are gone… If you have a hankering to still do “windows on terminals” there is a more unified Open standard and library “GNU ncurses”,

https://www.gnu.org/software/ncurses/

ResearcherZero • April 5, 2022 3:44 AM

MitM for students
https://www.tenders.nsw.gov.au/doe/?event=public.cn.view&CNUUID=1F0BF5FB-DA5B-F867-4B6402250543E91F

Victorian students can enjoy the benefit of MitM

The Zscaler SSL root certificate allows student browser traffic to be decrypted for inspection, while still presenting to the user as if they were protected by HTTPS.
https://www.itnews.com.au/news/victoria-installing-zscaler-on-students-personal-devices-to-monitor-traffic-577947

“the Victorian Government’s information and communications technology shared services provider, has adopted the Zscaler cloud platform”
https://www.zscaler.com/press/cenitex-deploys-zscaler-to-deliver-secure-services

–

No, no limits… at Macquarie Bank

“Macquarie had no proper practice or procedure to review or monitor $10k alerts and they were only provided to the fraud team”

“no limits placed upon amounts that could be paid through a fees bulk transaction”

“Fees bulk transactions were pushed directly to Macquarie’s central ‘MIMS’ system without passing through a fraud monitoring platform, and without any manual checks confirming that the transactions were for fees,”

“There was no or limited transaction monitoring of payments made under bulk transacting; bulk transacting payment data did not feed into any fraud monitoring system,”

“deficient detective monitoring and controls”
“after the posting of bulk fees transactions”
“prior to the posting of fees bulk transactions”
https://download.asic.gov.au/media/aobnvcuc/22-078mr-20220404-asic-v-macquarie-concise-statement.pdf

Winter • April 5, 2022 6:32 AM

Follow up on the Chernobyl radiation poisoning of Russian soldiers.

INVISIBLE THREAT Russian soldier ‘DIES from radiation poisoning’ after Vlad’s troops dug trenches at Chernobyl before fleeing to Belarus
ht-tps://www.thesun.co.uk/news/18141129/chernobyl-russian-soldier-dies-radiation-sickness-ukraine/

Seven buses with Russian soldiers suffering from acute radiation syndrome arrived in a hospital in Belarus from the Chernobyl Exclusion Zone.

Workers at the plant were quoted as saying that some of the Russian soldiers had no idea they were in a radiation zone.

ht-tps://www.thesun.co.uk/news/18121865/russian-troops-chernobyl-radiation-sickness/

Winter • April 5, 2022 6:38 AM

Continued:

Not missing anymore:
DIRTY TRICKS Dirty bomb ingredients ‘go missing’ from Chernobyl after Russian troops take over nuke site
ht-tps://www.thesun.co.uk/news/18095301/dirty-bomb-ingredients-missing-chernobyl-ukraine-russia/

In the Russian advance, “looters” raided a radiation monitoring lab in Chernobyl village and are said to have made off with radioactive isotopes used to calibrate instruments and pieces of radioactive waste that could be mixed with conventional explosives to form a “dirty bomb” that would spread contamination over a wide area.

Anatolii Nosovskyi, director of the Institute for Safety Problems of Nuclear Power Plants (ISPNPP) in Kyiv, told Science the institute also has a separate lab in Chernobyl which contains even more dangerous materials.

These include “powerful sources of gamma and neutron radiation” used to test devices, Nosovskyi said, as well as intensely radioactive samples of material leftover from the infamous Unit Four meltdown in 1986.

This does remind me of earlier bio-weapons programs in Russia which were rather good at killing Russians:
ht-tps://www.science.org/content/article/anthrax-genome-reveals-secrets-about-soviet-bioweapons-accident
ht-tps://arstechnica.com/science/2016/11/decades-after-deadly-lab-accident-a-secret-russian-bioweapon-decoded/

Clive Robinson • April 5, 2022 8:12 AM

@ Winter, ALL,

Re : Radiation poisoning

“Workers at the plant were quoted as saying that some of the Russian soldiers had no idea they were in a radiation zone.”

Even if they had radiation meters that could still have been possible.

GM tubes are fragile devices and as far as we know GM tubes are what the Russian Military use in their meters.

The GM tubes that are more “robust” for military use, are very insensitive to Alpha radiation. As Alpha radiation won’t make it through a couple of dead skin cells mostly it would not matter that a human standing there would be being bombarded by it.

But get it inside you by inhilation, ingestion or injury then you are in trouble…

It’s why Polunium 210 was used in London back in 2006 to kill Russian disenter Alexander Litvinenko by poisoning his tea. He showed no signs of being radioactive in hospital and his symptoms as they developed looked like thalium poisoning. It was only when specially testing his urine in one of the few labs that could carry out such a test that how he had been poisoned was discovered by then way to late to save him.

It’s actually hard to find factual information on the Internet, it’s either press-sensational or behind journal pay walls.

This article is not sensationalist but does not provide as much information and in a easily readable form about such radio isotopes being used for poisons and how they are missed etc,

https://www.medicalnewstoday.com/articles/58088

Winter • April 5, 2022 12:31 PM

@Clive
“Even if they had radiation meters that could still have been possible.”

Is there anything you know about the treatment of Russian soldiers, conscripts, that would give you the idea that Russian rank and file would be told if there was a risk of radioactive contamination, what that meant, or that their commanders would bother to even check whether there would be radioactive contamination?

@Clive
“It’s why Polunium 210 was used in London back in 2006 to kill Russian disenter Alexander Litvinenko by poisoning his tea. He showed no signs of being radioactive in hospital and his symptoms as they developed looked like thalium poisoning.”

Polonium is indeed one of the most poisonous substances known.
ht-tps://www.nature.com/articles/nchem.1928
ht-tps://www.nbcnews.com/news/world/what-polonium-how-deadly-it-flna8C11551753

pup vas • April 5, 2022 3:01 PM

Republican’s bill would ban intel agencies from domestic spying
https://www.youtube.com/watch?v=hdxBvgliEp8

The destiny of this post will clarified Bruce’s and Moderator’s real attitude towards protection privacy of US citizens.

pup vas • April 5, 2022 3:24 PM

Twitter gives Elon Musk a big job
https://www.youtube.com/watch?v=pK-DmU8yE-A

&ers • April 5, 2022 6:05 PM

@Clive @SpaceLifeForm @MarkH @ALL

Picture of the day.

hxxps://nitter.net/ngumenyuk/status/1511399171261149187

Clive Robinson • April 5, 2022 6:20 PM

@ Winter,

Is there anything you know about the treatment of Russian soldiers, conscripts, that would give you the idea that Russian rank and file would be told if there was a risk of radioactive contamination,

In another argument that would be a good question.

My point is even if they were equiped –with what has been on sale on the surplus market– it would not have shown up strong “alpha only” emiters as they akpha particles would not have got through the wall of the rugadized GM tube.

So the argument applies to all personnel be they military or technicians. Take inhalation, ingestion, and even small injury precautions in areas you think “might just be hot”, as a slow death from alpha radiation poisoning as it destroyes your central nervous system is not even close to being how you might want to go…

But… To get back to your point. When I was wearing the green we were given information on how the Russians did their NBC training with real chemical weapons and acceptable incapacities –including fatalities– of 1/8th of those put in the field (including cooks and hospital bottle washers).

But there was a steady supply of “surplus” Russian military GM radiation detectors on the market, which suggests the equipment was not just manufactured but used in some way (unless stolen and sold off).

The thing is that in western military radiation detectors tend to be of the personal dosomiter variety rather than hand held GM devices.

From what has been said about other equipment shortages, it would suggest that even NBC clothing such as resperators was not being carried by Russian personnel.

Why send troops so ill provisioned?

Admitedly when I was out in the field putting the NBC trousers and smock on at night and just draping your poncho over was preferable to breaking out the sleeping bags etc as it made “bug out” way way faster and your IR signature significantly less. The mob I was with were not infantry or other “grunts” our job was to not engage with the enemy at all if possible, but provide communications support, some intelligence, with logistics and try where possible to be less conspicuous than ears of grass in a wheat field, being a ghost was way to obvious.

The sorts of trenches we were taught to dig were not your “infantry shell scrapes” or slit trenches… We were taught to dig deep narrow trenches length not width wise to where we expected active combat with reinforced roof more than a couple of feet thick. That we hopefully if someone did grow a mushroom or two in the sky we would survive the over preasure waves. Or the odd tank trundling over…

As for radiation they did not “sugar coat it” they made it fairly clear if we were not in our hole “suited and booted” our survivability was about the same as a match stick in a furnace and it would be our own fault…

Untill recently I’d been assuming it was the same advice for all potential belligerents in the European thearter.

But Putin’s boys had been sending signals that they no longer believed Nukes were as dangerous as once thought… Ironically it was based on data from Chernobyl, that now appears to be wrong in certain respects.

JonKnowsNothing • April 5, 2022 7:09 PM

@ Clive, @ Winter, @All

re: Aspects of Radiation Load in the area around Chernobyl

iirc(badly)

Some years ago there were several documentaries about the re-wilded space in the Chernobyl area and the abandoned city.

The deer and wolves and local fauna was doing well, so they added in some rarer species like European Bison and some of the hybrid equine species derived from attempts at extinct species recovery like the Przewalski Horse and Heck horse (a Tarpan lookalike).

From those documentaries, the radiation load varies in the forest and gets worse closer you get to the reactor.

Wolves dig dens in the soil and even though the radiation is high, they and the pups were still OK, even though the fur is radioactive. Poachers had tried their luck but the radioactive meat was easily detected.

Humans could not tolerate even a fraction of the radioactive load, and the science teams regularly did swap-outs to prevent sickness.

If they were digging any deeper than an inch or two, they and everyone near the dig site would have gotten a blast, not just from the exhumed dirt but the newly uncovered area which had huge loads.

ResearcherZero • April 5, 2022 7:22 PM

@Clive Robinson

KGB covered up what happened

“the first item, designated “secret,” was “Information revealing the true reasons for the accident at ChAEhs unit No.4.”
https://avr.org.ua/viewDoc/24475/

“head of the investigative commission, Boris Shcherbina, clearly stated that it was not just the violations of rules committed by the staff that led to the explosion, but that “RBMK reactors are potentially dangerous” in their very design. Shcherbina called for halting further construction of such reactors.”
https://nsarchive.gwu.edu/briefing-book/russia-programs/2020-05-15/top-secret-chernobyl-nuclear-disaster-through-eyes-soviet-politburo-kgb-us-intelligence-volume-2

“the result of two separate inquiries headed by senior scientists and engineers including Valery Legasov, the first deputy director of the Kurchatov Institute of Atomic Energy and Alexander Meshkov, deputy chief of the Ministry of Medium Machine Building. This revealed the extent of the failures in the design of the RBMK reactors used in Chernobyl, and the failure—of both the leaders of the Kurchatov Institute of Atomic Energy and the Ministry of Medium Machine Building—to rectify them.”
https://www.wilsoncenter.org/blog-post/explosion-occurred-power-unit-no-4-the-story-chernobyl-documents

A couple of people think something else might of happened, and that was also covered up.

“according to nuclear physicist Lars-Erik De Geer and his team from the Swedish Defence Research Agency, the Swedish Meteorological and Hydrological Institute, and Stockholm University, that first explosion was far more likely to have been nuclear.”
https://www.tandfonline.com/doi/full/10.1080/00295450.2017.1384269%20

“This result is matched up to a total reactor power of 3,200 MWt. However this estimate is not comparable with the actual explosion scale estimated as 10t TNT. This suggests a local character of the instant nuclear energy release and makes it possible to estimate the mass of fuel involved in this explosion process to be from 0.01 to 0.1% of total quantity.”
https://link.springer.com/article/10.1007/s00024-009-0029-9

RMBK reactors have been described as very large potential bombs.

ResearcherZero • April 5, 2022 7:54 PM

@Clive Robinson

Personally I prefer Putin’s version of events, where someone traveled back in time after arriving in Ukraine, to before the Chernobyl accident, and blew up the reactor using equipment designed to measure how much radiation was spewing out of the reactor.

It’s simple and it blames everything on some external threat, rather than the usual incompetence and cowardice that exists in every society.

JonKnowsNothing • April 5, 2022 8:28 PM

@All

re: Scratch Pad Documents Blue Arrow Red Arrow

Over on Marcy Wheeler’s site, she has a post about some legal documents that have clear alterations to them. The current post references some older documents that had similar alterations.

What’s curious is the order in which the alterations were uncovered or discovered and the possible changes or additions to them.

Of course, the alterations are not beneficial to the defense.

She has some interesting blowups of the areas were redactions happened and highlighted areas where things ought to have been but weren’t, and things that shouldn’t have been there are.

An interesting puzzle to contemplate.

===
h ttps:/ /www.emptywheel.net/2022/04/05/john-durham-is-hiding-evidence-of-altered-notes/

(url lightly fractured)

ResearcherZero • April 5, 2022 9:51 PM

The legal and constitutional affairs references committee, which has been examining the adequacy of Australia’s current AML-CTF regime, said the country was a laggard by international standards and needed to move quickly to avoid being placed on a list of jurisdictions with systemic deficiencies in their laws.

The government first promised to bring “designated nonfinancial businesses and professions” (DNFBPs) – a group that includes lawyers, real estate agents, accountants and company service providers – under the AML-CTF umbrella in 2014 but has failed to do so.
https://www.theguardian.com/australia-news/2022/mar/31/australia-risks-damage-to-economy-without-expanded-money-laundering-laws-says-senate-committee

How to launder money and get away with it…

“An inquiry in October had declared Crown unsuitable to hold a gambling licence in Melbourne, but allowed it to run its biggest-earning casino under supervision.”
https://www.reuters.com/business/regulator-launch-disciplinary-action-against-australias-crown-resorts-2022-04-06/

“Crown Resorts has been found unsuitable to hold a gaming licence in Western Australia, but the lights will stay on in the state’s only casino.”
https://www.abc.net.au/news/2022-03-24/crown-unsuitable-to-hold-wa-casino-licence-royal-commission/100934322

Weak money laundering laws put Australia at risk of becoming a haven for Russian cash…

“That’s the whole modus operandi of this activity – and I’ve been investigating it since the early 1990s.”

Australia is “absolutely” vulnerable to exploitation by sanctions-busters “because you have, effectively, a significant proportion of the gatekeepers or enablers basically, not required to know who their customers are”.
https://www.theguardian.com/australia-news/2022/mar/13/weak-money-laundering-laws-put-australia-at-risk-of-becoming-a-haven-for-russian-cash

–

The Sri Lankan government needs to realize that its international partners are watching with concern, and that friends around the world can act to promote fundamental rights in Sri Lanka.
https://www.hrw.org/news/2021/06/10/european-parliament-alarmed-over-sri-lankas-rights-situation

Sort of…

the AFP said there had been an “administrative oversight” that meant the matter was “not allocated to an investigations team for review”.

The AFP said it had not been aware of the oversight “until receipt of your recent letter”.
https://www.theguardian.com/australia-news/2022/mar/31/federal-police-blame-oversight-for-delay-in-australian-review-of-sri-lankan-war-allegations

ResearcherZero • April 5, 2022 9:55 PM

We might not be watching the war criminals in Australia, but at least we are keeping a close eye on what school students are looking at on their computers right?

ResearcherZero • April 5, 2022 10:20 PM

@Clive Robinson

Just as with Chernobyl, and many other examples such as in the production lines where they produced plutonium without protective equipment, and used spoons or even their bare hands to handle it, the Russian soldiers would be kept in the dark as to any risk. A lot of the time the GRU didn’t know themselves what was going on.

A funny story from Tehran…

“The dark side of the U.S.’s approach toward its spies is not oftentimes reflected in the mainstream media, which plays a pivotal role in keeping public opinion in the dark about what happens to people, particularly those unnaturalized, working as spies for the U.S. government.”
https://www.tehrantimes.com/news/468990/No-Country-for-Spies-Part-Two

the world of espionage bears little resemblance to that of James Bond…
https://www.dailymail.co.uk/femail/article-10564951/Spies-tell-secrets-spooks-really-work.html

It’s the job of ‘all spies’ in ‘all countries’ to keep public opinion in the dark
https://www.foxnews.com/us/russian-ukraine-spy-soviet-union-kgb-agent-trained-double-agents

‘Illegals’ can be arrested however for committing crimes such as abduction, murder and espionage, it’s not also the job of the police to keep the public completely ignorant.

ResearcherZero • April 5, 2022 10:29 PM

Though keeping Australians in the dark is a pretty easy job.

“Scammers target previous scam victims, contacting them out of the blue, and pose as a trusted organisation such as a law firm, fraud taskforce or government agency. They may have official looking websites and use fake testimonials from other victims they have ‘helped’.”

“As well as an up-front payment they often ask victims to fill out fake paperwork or provide identity documents. Scammers may request remote access to computers or smart phones, enabling them to scam their unsuspecting victims.”

“Another tactic scammers use is to contact people by phone or email who haven’t actually been a victim of a scam and convince them that they’ve unknowingly been involved in one and are entitled to a settlement refund.”

“If you get contacted out of the blue by someone offering to help recover scam losses for a fee, it is a scam. Hang up the phone, delete the email and ignore any further contacts,”
https://www.scamwatch.gov.au/news-alerts/scammers-targeting-victims-again-through-money-recovery-scams

lurker • April 5, 2022 10:30 PM

@Clive Robinson, “Why send troops so ill provisioned?”

Some of the reports suggested the troops didn’t know where they were. This is not a joke about Russian map reading skills. The event was 36 years ago, before many of their commanding officers were born. @ResearcherZero refs. above that the event was covered up and the responsible punished. The plant is outside metropolitan Russia and is decommissioned. It is possible it is not marked on their maps…

MarkH • April 5, 2022 11:15 PM

@all, re. what soldiers know:

The Soviet military was (in)famously authoritarian and rigid. Back in the 80s, I was shocked to learn that maps were accessible only to Soviet officers — ordinary soldiers were not permitted to see them.

In the 2014 invasion, Russian soldiers said that they were unaware that they had crossed an international frontier into Ukraine. Soldiers captured by Ukrainian forces in recent weeks have said the same!

A military culture which still has violent hazing (sometimes to the point of mutilation or death) is not on the path to reform and modernization.

ResearcherZero • April 6, 2022 1:12 AM

What happened to that Russian diplomat -living in a world that is far different from reality- could happen to any of us.

The “splinternet”, which already began evolving some time ago, is increasingly being flooded with corporate investment.
https://www.axios.com/americas-internet-splitting-party-lines-54feaa02-7622-4f54-b3e0-ccebd4b393ca.html

Such interference with legislation and rules for purely partisan and commercial gains completely undermines the principles with which the internet was founded, and increasingly threatens freedom and democracy.

Take a look at Russia.

Many of the people in Putin’s circle are all profiting from developments like Yuzhny Satellite City in Saint Petersburg, while the Russian people are instead are being fed a steady diet of nothing but propaganda.

“European Union amending the criteria of designation to include persons and entities supporting and benefitting from the Government of the Russian Federation, persons and entities providing a substantial source of revenue to the Government of the Russian Federation, and natural or legal persons associated with listed persons or entities”

Sanctioned individuals and their interests…

https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2022:080:FULL&from=EN

Billionaire businessmen in politics is not a good development, and they are not going to manage the economy in the public’s interests. The slogan of “Big Government” is a simple attempt to sell off more public assets, then “Cut Red Tape”, and “Lower Taxes” for themselves.

The internet already sucks enough at this point… but maybe we all deserve it for already letting it get this bad.

Winter • April 6, 2022 4:04 AM

@ ResearcherZero
“What happened to that Russian diplomat -living in a world that is far different from reality- could happen to any of us.”

Indeed, and not only that. The Kremlin is working hard to make their internal fake news a reality[1].

Sadly, your original story disappeared before I could read it in its totality.

The idea seems to be to emulate the North Korean strategy of convincing the public that life outside of the Own Country is living hell.

This was copied by American’s most vocal apprentice of Putin, Trump, when he made his follwoers believe that Sweden was burning due to an invasion of Muslims from the ME [2]. And I have actually debated this with Americans online, and they really (wanted to) believed it.

So this is already happening.

[1]Russian documents reveal desire to sow racial discord — and violence — in the U.S.
ht-tps://www.nbcnews.com/news/world/russian-documents-reveal-desire-sow-racial-discord-violence-u-s-n1008051

The documents contained proposals for several ways to further exacerbate racial discord in the future, including a suggestion to recruit African Americans and transport them to camps in Africa “for combat prep and training in sabotage.” Those recruits would then be sent back to America to foment violence and work to establish a pan-African state in the South, particularly in South Carolina, Georgia, Alabama, Mississippi and Louisiana.

There is no indication that the plan — which is light on details — was ever put into action, but it offers a fresh example of the mindset around Russian efforts to sow discord in the U.S.

The blueprint, entitled “Development Strategy of a Pan-African State on U.S. Territory,” floated the idea of enlisting poor, formerly incarcerated African Americans “who have experience in organized crime groups” as well as members of “radical black movements for participation in civil disobedience actions.”

[2] ht-tps://gatesofvienna.blogspot.com/2006/03/war-against-swedes.html
debunked in fact check:
ht-tps://www.snopes.com/fact-check/sweden-refugee-center-arson/
Note: I have been in Malmö and know people who live and work there. Compared to any USA inner city, Malmö is a safe, provincial suburb.

Winter • April 6, 2022 4:29 AM

@ ResearcherZero
“What happened to that Russian diplomat -living in a world that is far different from reality- could happen to any of us.”
Continued…

The Kremlin propaganda war is also apparent in covering up violence and murders by Kremlin supporters in teh rest of the world.

The claims that “‘crisis actors’ framing Russia of war crimes” should sound familiar to Americans. It is the same claim that is used by white supremacists[*] whenever one of their followers stages a mass shooting.

The following two accounts sound like they point to the same propaganda source. It has been clear for years that White Supremacists everywhere and the Kremlin are on the same page and coordinate their propaganda.

Crisis actors, deep state, false flag: the rise of conspiracy theory code words
ht-tps://www.theguardian.com/us-news/2018/feb/21/crisis-actors-deep-state-false-flag-the-rise-of-conspiracy-theory-code-words

But in recent years, the term [Crisis Actor] has been appropriated by conspiracy theorists claiming that mass shootings are staged. Social media users, broadcasters and even political staffers now routinely allege that events like the Parkland shooting are orchestrated by shadowy actors in order to effect some political goal. Lately, they are likely to nominate the “deep state” as a culprit – by which they mean segments of the intelligence community and unelected officials who are held to be working against Donald Trump and working towards the confiscation or regulation of firearms.

Russia claims Ukrainian ‘crisis actors’ framing Russia of war crimes – report
ht-tps://www.jpost.com/international/article-702765

Russian Colonel General Mikhail Mizintsev claimed in a Tuesday statement that Ukrainian battalions have been staging videos depicting war crimes in Ukraine, such as mass murder by soldiers or looting of local shops, Russian media outlet TASS reports.

“According to the testimonies of surrendered Ukrainian servicemen, nationalist battalions systematically receive orders from Kyiv authorities to prepare staged videos about atrocities, mass murder of civilians, looting and destruction of social infrastructure, allegedly carried out by Russian servicemen,” Mizintsev said.

[*] Alt-Right is nothing but a rebranding of White Supremacists. So is Christian Nationalist.

Clive Robinson • April 6, 2022 4:48 AM

@ &ers, ALL,

Re : Picture of the Day.

It’s one of those “location location location” shots.

You’ve got instant cognative disonance, two guys doing a job with exactly the same gear they used a year ago. If we could listen in to the two guys, we would probably find they are talking to each other in almost exactly the same way they did a few months ago. A new background reality but hey life is what you make it.

So they are doing a job in almost exactly the same way you will see it being done on a leafy street in England (only in England they get a tent, because what makes England green and leafy is rain…). From what I hear, they may even travel in a British truck or van as the second hand price is lower than that of European second hand vehicles.

Then you have the location, which to many in the West is as surreal as the surface of the moon. But at a glance you can see the street has been swept, all be it with a buldozer or similar. We think that they should be somehow different, because we can not understand we mostly don’t have the experience.

To us it’s the normalcy of an imagined asylum for the mad, to them it’s just about getting back a little useful normalacy. It’s us that can not square the triangle, because for most of us we do not have that forth side to our personality that such war brings to people. It’s latent in us all, though through society we’ve not needed to awaken it in our selves.

But there is a more important lesson in that picture that will be lost on most people, but a good engineer would know at a glance, and probably not even comment on it just taking it as a given.

In the US half the basic utilities are strung up on utility poles and thus even at the best of times have a very short life time with just wind, rain and the likes of mother nature playing. If I mention PG&E and their policy of turning the power off if the wind blows because they gave money to shareholders… Rather than do the new provisioning and maintainance of the existing they were legaly required to do and did not. So causing millions if not billions of damages to other people and their property, some of whom went to court and made PG&E babkrupt[1]. Some readers will know exactly what I’m talking about as they suffered.

In Europe we tend to put our basic utilities in the ground, whilst more expensive initially, because of that we generally start with way greater provision as it’s a given that capacity requirment will grow with time.

The result is that the European way is way way more resilient to nature and societal change. Which usually means “power cuts” are considered a scandle and cause for much discussion, rather than the new normalcy of North West California of even the kids knowing how to start the generator safely.

But now consider that picture again… The guys have the end of an existing in the ground cable despite the destruction all around it’s just a matter of “find the man hole” or equivalent pull the cable up, splice and drop it back in the hole as normal…

But look again at the background, part of that destruction is a street light pole and there are no street lights or other utility poles standing around…

What have you learned?

Now look around where you live and ask yourself if I knocked down all the utility poles what would be left? And how long would it take to repair?

The resilience you get from putting utilities in the ground survives even the brutality of war way way better than utility poles ever can, it’s the simple laws of physics at play…

Whilst it will take the Ukraine decades to get back what they had, they will have basic services up and running again way faster because of that resilience…

And in the war that still rages, “time is the scarcest resource of all” so anything that makes it less of an issue is a distinct advantage. So whilst having that resilience is an advantage few except engineers who know both systems realise. In other times, it most definately saves lives and buys in advance time you would not otherwise have when you need it. Even in those more normal times that should not be the way they are because of utility companies egregious behaviours of not doing what they were legislated to do, it would still has bought you time and saved lives…

[1] https://en.m.wikipedia.org/wiki/Pacific_Gas_and_Electric_Company

Winter • April 6, 2022 6:03 AM

@Clive
“The resilience you get from putting utilities in the ground survives even the brutality of war way way better than utility poles ever can, it’s the simple laws of physics at play…”

Something that was already appreciated by Frederick the Great of Prussia who ordered his people to switch from growing wheat to potatoes. The then current practice of warring armies of marching over the fields just before harvest time became largely ineffective in a single season.

But, burying cables costs money. It is much cheaper to have them hanging on a pole and repair them, eventually, when they are damaged by weather or events.

Winter • April 6, 2022 7:31 AM

Russia might loose their top spot in cybercrime due to a massive brain drain and the splinternet:

As Russia sees tech brain drain, other nations hope to gain
ht-tps://www.click2houston.com/business/2022/03/31/as-russia-sees-tech-brain-drain-other-nations-hope-to-gain/

“The first wave – 50,000-70,000 people – has already left,” Plugotarenko told a parliamentary committee.

Only the high cost of flights out of the country prevented an even larger mass exit. Another 100,000 tech workers nevertheless might leave Russia in April, Plugotarenko predicted.

Konstantin Siniushin, a managing partner at Untitled Ventures, a tech-focused venture capital fund based in Latvia, said that Russian tech firms with international customers had no choice but to move since many foreign companies are hastily distancing themselves from anything Russia-related.

Winter • April 6, 2022 8:30 AM

Situation in Russia

What has been not appreciated enough in the Western world is that Russians are really bad off. Not only has their life expectancy declined due to COVID, population, median income and happiness are still below their 2012 levels while the rest of the world keeps on growing[1]. And as a result of the war, the Russian economy is expected to shrink this year:
ht-tps://www.businessinsider.com/russia-economy-gdp-crash-ukraine-war-inflation-sanctions-energy-putin-2022-3

As remarked, in a democratic country, this would have meant landslide elections.

[1]
Russians are fewer, poorer and more miserable than a decade ago
ht-tps://www.economist.com/graphic-detail/2022/04/01/russians-are-fewer-poorer-and-more-miserable-than-a-decade-ago

All of which is bad enough. But when compared with the world as a whole, or even rich countries in particular, Russia’s decline looks even worse. Over the past decade, GDP in advanced economies has grown by 22%; across the world as a whole it has risen by 41% (both adjusting for price changes). Should projections of a 15% contraction be right, by the end of the year Russia’s economy will be 7% smaller than in 2012. Russia has not just lost a decade of growth—be it in economics, health or happiness. It is moving into the past.

In most democracies, such an unenviable record would spell trouble for the person at the top. But with his opponents locked up or in exile, elections far from free and fair, and the media under his control, Mr Putin has less to fear. The same cannot be said for those who live under his rule.

MarkH • April 6, 2022 8:52 AM

@Clive, Winter:

Ironically, it’s very common for gaseous fuel (natural gas) pipes to be exposed in both Russia and Ukraine.

You can see them snaking up the exteriors of buildings, or run between houses about 2.5 meters above the ground, always painted some more or less bilious shade of yellow.

I hadn’t thought of the military significance of this til yesterday, when I read a Ukrainian eyewitness account of Russian soldiers firing on the gas pipe by her mom’s building.

JonKnowsNothing • April 6, 2022 9:34 AM

@Winter, @Clive, @All

re: Brains Flushing into Other Pools

As previously noted, there have been many migrations of highly educated persons from their place of origin to other locations.

The USA health care industry cannot function at all without importing thousands and thousands of MDs, RNs, LVNs and all the other people needed to run medical clinics and hospitals from the Top floor to the Basement. The USA sucks up as many as they can, bleeding off other countries medical investments.

The USA Silicon Valley cannot function at all without importing thousands and thousands of persons that make High Tech get off the ground. The H1B indenture scheme dangles the possibility of residency, green card and citizenship if you are lucky and the quota limitations for the country of origin is short enough to get approved before the H1B visa runs out.

The USA maintains lists of desirable countries with short queues for approval and undesirable countries with long queues or blocks. H1B visa holders from desirable countries can complete the requirements for remaining in the USA and working as individuals before their indenture periods expire. If an H1B visa holder is not successful, they are returned to their country of origin.

The USA isn’t too picky about where we get the brains from – Wernher von Braun, Peenemünde and a host of others like him. A single line was removed from the USA visa application that made it all hunky dory.

In past flushings from the 12timezones, which had different names at the time, a pile of Highly Educated PhD Top Flight Folks ended up in Israel. Their main jobs were sweeping the street and leaf blowing. Which they did using Advanced Physics Precision. Israel at the time had a more open visa processes, which is now closed. How many physicists does push a broom need?

The other end of the spectrum is also beneficial. For every one bailing without looking too close at their destination, it opens up another spot for someone who wouldn’t get a chance before. Sweeping out the old allows for bringing in new views.

As noted too, by Clive recently, the disaster capitalist are looking to rebuild Ukraine and will do it quickly for enough bucks-or-bitcoins. Massive destruction brings opportunity for new replacements without having to deal with all the old bureaucratic red tape and white elephant zones. It doesn’t mean this will be better per se, but it will be newer. It doesn’t mean they will get safer designs either (Grenfell Tower fire and others).

What won’t happen, is that all of the displaced persons will be able to return and live in these same replacement buildings. The new buildings will come with new prices and higher rents and costs. People with higher paying jobs will buy, and rent these buildings and the old, infirm, low paid workers will be pushed to areas that are less desirable and farther from their work sites (Silicon Valley Commute & Migration)

Not too long ago, there was a mention of folks coming from NORK to ROK. They forgot to mention a good number of these folks, give up on life in ROK: discrimination, job restrictions, low wages and go back. It doesn’t get as much publicity. Same thing happens with the Island That Cannot Be Named. There are some people that cannot adjust to their “new complicated life”.

The novel “The Poisonwood Bible” by Barbara Kingsolver has some interesting views on the topic of what being an ExPat means.

===

Search Terms

Expat Expatriate

Exile

JonKnowsNothing • April 6, 2022 9:37 AM

Something stuck – maybe road rash – maybe heat rash – maybe rashers

pup vas • April 6, 2022 1:17 PM

Taiwan: US approves potential sale of air defense system worth €87 million
https://www.dw.com/en/taiwan-us-approves-potential-sale-of-air-defense-system-worth-87-million/a-61374515

=The defense package would include the sale of the Patriot Air Defense System as well as training and maintenance of the system, said the Pentagon. Taiwan said the deal could become effective within a month.

The package would include training, planning, fielding, deployment, operation, maintenance and associated equipment for the Patriot Air Defense System, according to the Pentagon.

Raytheon would be the primary contractor for the sale, said the Pentagon. There was no indication that a contract had been signed or negotiations had concluded.=

By the way, recently China successfully tested own supersonic weapons (even better than Russian) which circle the globe, and Patriot could not defend against supersonic weapons.

SpaceLifeForm • April 6, 2022 2:19 PM

This is why smart birds screenshot

hxtps://www.theverge.com/2022/4/6/23012913/twitter-tweet-embeds-deleted-tweets-empty-iframe-broken

Twitter change leaves huge gaps in websites

Embedded tweets later deleted now show a blank box

fib • April 6, 2022 3:21 PM

@All

Trap-door function(s) under scrutiny.

we don’t even know for sure that true one-way functions exist

h##ps://www.quantamagazine.org/researchers-identify-master-problem-underlying-all-cryptography-20220406/

SpaceLifeForm • April 6, 2022 4:20 PM

@ fib

Interesting article.

I guess my question is thus;

Given N = P * Q, both prime, and say Q > P

And K(x) is the Kolmogorov complexity of x,

Does that really mean that K(N) = K(P) * K(Q) ?

My gut feel says that is not the case.

I suspect K(N) < K(Q)

Clive Robinson • April 6, 2022 4:29 PM

@ fib, ALL,

we don’t even know for sure that true one-way functions exist

We’ve been through this before on this blog a number of times. And the answer is…

They actually probably do not.

It kind of depends on your view of very fundemental physics rather than mathmatics and,

1, Can information realy be destroyed.
2, If “random” actually exists.

If the answer to either of those is no, “The Houston we have a problem”.

But… “does that actually matter?”

Is leads to the answer as discussed in the past of “not realy”, which is a bit of an hmmm answer.

So the question you should realy ask after the “Does that matter?” “not realy” is why?

To which the answer is,

“In a resource limited environment sufficient complexity can be beyond a time bound recovery.”

That is you can not do it “deterministicaly” in a time period where it would be of use.

Thus the $64,000 is can you make a function that has low resource requirments in the forward direction whilst having high resource requirments in the reverse direction?”

most feel the answer is “probably” after all we use what we currently call OWF’s all the time.

But the answer is only “probably” because the actual answer is currently unknown, because …there is an asspect to it that is a little awkward to deal with and that is “trap-door functions”, these we know exist as we use them in crypto.

So ask a question along the lines of,

“Can we prove that any given function does not have a trap-door function within it?”

That as they say is “One you need to aproach with a very long pole.”

But also note something else that “deterministicaly” above…

If “random” truely exists, and most feel it does, then security drops to “the throw of the dice”. If I throw my dice the way you throw your dice, then it’s game over for security before we even talk about OWF’s.

There’s this little problem in physics we realy do not know the answer to which is “entangled particles”.

The thing is physics and maths do not always agree. Because no matter how delightful and elegant maths may be,

“Mathmatics is a tool to build a model of reality. It’s not reality which physics is”.

vas pup • April 6, 2022 5:20 PM

The art of smell: Research suggests the brain processes smell both like a painting and a symphony
https://www.sciencedaily.com/releases/2022/04/220404164559.htm

“The mathematical models the researchers developed highlight the critical feature of the nervous system — not only diversity in terms of the components that make up the brain but also how these components work together to help the brain experience the world of smell. “These mathematical models reveal critical aspects of how the olfactory system in the brain might work and could help build brain-inspired artificial computing systems,” Padmanabhan said. “Computational approaches inspired by the circuits of the brain such as this have the potential to improve the safety of self-driving cars, or help computer vision algorithms more accurately identify and classify objects in an image.”

SpaceLifeForm • April 6, 2022 5:57 PM

Random Muse

At least a SecurID token can function inside a Faraday cage.

ResearcherZero • April 6, 2022 11:54 PM

@vas pup

The one place the truth might be handy, is in a court of law.

I apologise, that’s a legal joke.

MarkH • April 7, 2022 12:46 AM

From NY Times:

U.S. Says It Secretly Removed Malware Worldwide, Pre-empting Russian Cyberattacks

The U.S. Department of Justice says it, along with the FBI, secretly disabled GRU-controlled botnet malware from computer networks around the world.

Probably readers of this blog will find the means by which this done to be of interest.

Winter • April 7, 2022 1:06 AM

@ Clive Robinson,fib, ALL,
“we don’t even know for sure that true one-way functions exist”

Actually, we kind of do know that they exist.

Turing’s proof of the uncomputability of the Halting Problem and Gödel’s incompleteness theorems show that there are functions (programs/theorems) whose result cannot be calculated in finite time and resources. In complexity theory, this translates into the requirement for an exhaustive search of all possible function values, aka, a brute force attack.

@SpaceLifeForm
“K(N) = K(P) * K(Q)”

Referring to Kolmogorov complexity is not helpful here as that is uncomputable too (follows directly from the undecidability of the Halting Problem). It is doubtful whether it will be possible to prove any relation between these three entities.

Clive Robinson • April 7, 2022 2:46 AM

@ Winter,

Actually, we kind of do know that they exist.

It’s why I carefully noted,

1, Physics -v- Mathmatics
2, Resource limitations in time.

In physics the fundemental rule about energy and matter is that whilst they are interchangable, they can not be created or destroyed. That is our physical universe is “bounded” nothing in nothing out.

The same by extension applies to the “state” of energy/matter which physics demands is bi-directional. That is what is done can and must be capable of being undone at a fundemental level. It’s sometimes talked about with regards the path of billiards balls, and is the fundemental idea behind “reversible logic” required for Quantum Computing.

Reversable logic has as many inputs as outputs explicitly and a one to one map, thus is bi-directional.

A conventional logic gate with two inputs and one output, actually has the second output implicitly as “to substrate”. That is the reversable component signal as energy by radiation transport becomes electrical and thermal noise we call heat. Which is effectively the vector addition of all state information not convayed through the other outputs. It is only by convention we call this highly complex signal “noise”.

So the question is moves to “can we reverse noise into state?” the answer to this is a kind of yes. If we view noise as what it is, a complex multi component signal, we know from Fourier that we can recover the individual components…

So which of the mathmatical arguments most closely represents reality?

Winter • April 7, 2022 3:34 AM

@Clive
“So the question is moves to “can we reverse noise into state?”

Quantum Mechanics preserves information (unitary evolution). That can be summarized as: There is only a single “cause” for every “effect”. There is a large body of literature on how quickly the complexity of the quantum logic grows in time.

The point of all this is that the complexity of dynamic evolution in QM, ie, N body movements, grows in the same order as under classical mechanics. Retracing the evolution backwards is just as difficult as predicting it forward.

For cryptography, this would mean that trying to trace back the original causes of any noise, denoising, might be as difficult as a brute force attack enumerating all possible causes.

Clive Robinson • April 7, 2022 4:25 AM

@ MarkH, name.withheld…, ALL,

The U.S. Department of Justice says it, along with the FBI, secretly disabled GRU-controlled botnet malware from computer networks around the world.

Do you realise the implication of that statment and how scary it is?

In essence the FBI / DoJ psychopaths are saying,

“It is ours, not yours, to do with as we please and you have no say.”

The ICT equivalent of “Might is Right” which boils down to the fundemental rule that gives rise to “The King Game” and slavery / serfdom, where you own nothing and have no rights and sacrifice all…

Clive Robinson • April 7, 2022 7:20 AM

@ Winter,

For cryptography, this would mean that trying to trace back the original causes of any noise, denoising, might be as difficult as a brute force attack enumerating all possible causes.

Difficult, yes, and probably more time consuming than brutforce in some ways. In fact I’d say extreamly difficult, but impossible? No…

Just “bound” by finite resources in terms of energy and time.

But it still leaves two issues,

1, Random chance.
2, Potential trap doors.

There is little we can do about “random chance” if “random” as a concept actually exists.

What concerns me is the notion of “trap doors” being implicit in One Way Functions.

Take one of several mathmatically based crypto algorithms, they are One Way Functions with trap doors.

As time progresses we are finding more trap doors… Nobody knows if you can definately have a One Way Function without a trap door.

The mear implication of being easy in one direction might also mean that it can also be easy in the other if you have the right information.

Look at it this way, a one way function is a one to one mapping within a finite map. The implication of this is that the map must have an inverse. That is it is bijective within the range of the map.

Having one mapping being easy tends to suggest that the inverse is also easy if you know the correct information. That is the structure is such that what twists in one direction still twists in the other direction.

So if the forward function is effectively continuous you would expect the inverse to be able to follow it back like a nut on a long screw thread.

So we can say that one thing we are looking for in our one way function is some kind of discontinuity. That is like a counter overflowing but in at a value that can be calculated easily in the forward direction but not at all or not easily in the reverse direction.

So simplistically a mod N operation with N being calculated from the input value M and some secret K. Like say taking M@K –where @ is a binary operator– to some power that takes the resulting value beyond the mapping range thus it has to overflow an unknown number of times. That way M only maps to a single value based on K in the forward direction but can map to multiple values in the reverse direction.

Importantly we also need the forward process to be actually nonlinear as well…

Does this rule out a reverse mapping, obviously not as the mapping is by definition bijective.

Does it make all attempts at finding a reverse mapping difficult to or beyond that of a brut force search? Well we like to think so as a general case, but we know in some cases the answer is “no” because there are known “trap-door” functions. Can we have a forward function where we can prove with some kind of mathmatical certainty there is no “trap-door” I suspect not as we are still finding new trap-door methods.

Oh and remember Kurt Gödel’s proofs are about mathmatical systems, not physical systems.

We know that spoken language is a system that can be used to describe things such as emotional state which is a system in it’s own right, but importantly the description is imperfect.

Thus mathmatics is a language system used to describe other systems that Kurt Gödel proved was imperfect in that it could not describe it’s self.

Whilst extending Gödel’s proof into computing and other fully determanistic processing systems, is justifiable to an extent, it should be done with care in other systems.

Winter • April 7, 2022 8:19 AM

@Clive
“Look at it this way, a one way function is a one to one mapping within a finite map. The implication of this is that the map must have an inverse. That is it is bijective within the range of the map.”

One-way functions are not meant to be impossible to invert. That is not the point.

The point of a one-way function is that that you can easily go from x -> f(x) (the Polynomial part). However, to go from f(x) -> x, you would need to check every possible x until you get f(x) as a result (the Nondeterministic Polynomial part).

So, one-way means: Yes, it is bijective, no, there is no shortcut.

Winter • April 7, 2022 1:14 PM

Bad Russian opsec: Discussing war crimes over unsecured phone calls

Bucha murders: German report says Russian troops discussed killings
ht-tps://www.bbc.co.uk/news/world-europe-61028380

Germany intercepts Russian talk of indiscriminate killings in Ukraine
ht-tps://www.washingtonpost.com/world/2022/04/07/bucha-german-intelligence-radio-bnd-russia/

Germany has satellite image indication of Russian involvement in Bucha killings -security source
ht-tps://www.reuters.com/world/europe/germany-intercepted-calls-with-russians-discussing-bucha-killings-der-spiegel-2022-04-07/

Grima Squeakersen • April 7, 2022 3:31 PM

@Clive re: ‘In essence the FBI / DoJ psychopaths are saying,
“It is ours, not yours, to do with as we please and you have no say.”’
You and I appear to have some significant differences when it comes to the role of government, but I must concur here. That was my first thought (nearly verbatim) on reading the Watchguard headline. My second thought, after reading more deeply, is in reference to the government claim that their access was limited to gateway devices: no infected clients were examined. Perhaps their technology might limit access to clients behind a truly effective firewall, but almost by definition, the devices in question were not. In regard to any moral or ethical compunctions by the parties in question about accessing private, confidential information that is not implicated in any criminal investigation, we know better.

SpaceLifeForm • April 7, 2022 4:14 PM

Hey Hey, Rise Up!

Pink Floyd

No Roger Waters of course.

hxtps://www.theguardian.com/music/2022/apr/07/pink-floyd-reform-to-support-ukraine

vas pup • April 7, 2022 4:19 PM

@ResearcherZero • April 6, 2022 11:54 PM

Now in US Court is not important who is right or wrong, but rather who has better lawyer, i.e. have more financial resources. Joke as well.

Clive Robinson • April 7, 2022 6:03 PM

@ Grima Squeakersen,

You and I appear to have some significant differences when it comes to the role of government,

I would hope so, life would be the torpid dullness and stagnation, if people did not have differing points of view. Importantly whilst you and I might not agree examining others view points brings freshness to our own.

But with regards,

My second thought, after reading more deeply, is in reference to the government claim that their access was limited to gateway devices: no infected clients were examined.

If you read the statment @Bruce linked to you will find that the Government claim is almost certainly a false one.

Because you will find,

“Although the operation did not involve access to the Sandworm malware on the thousands of underlying victim devices worldwide, referred to as “bots,””

Which is such a qualified statment it raises red flags… As it does not rule out access to the “bot” devices themselves, just the malware on them…

So now alerted to “iffyness” we read on with more caution through paragraph after paragraph of self congratulatory fluf untill we hit,

“It also closed the external management ports that Sandworm was using to access those C2 devices, as recommended in WatchGuard’s remediation guidance (a non-persistent change that the owner of an affected device can reverse through a device restart).”

They changed the configuration of bot devices?

But reading on,

“The operation announced today leveraged direct communications with the Sandworm malware on the identified C2 devices and, other than collecting the underlying C2 devices’ serial numbers through an automated script and copying the C2 malware, it did not search for or collect other information from the relevant victim networks. “

That is not what was stated earlier… Then we get,

“Further, the operation did not involve any FBI communications with bot devices.”

So if not the FBI then “who?” Remember we’ve seen this hooky behaviour before with Australian and European law enforcment willingly acting as agents to do work the FBI is not alowed to do “but can receive information from”. It’s the old BRUSA layer UKUSA agreement tactic that alowed politicians to say “We do not spy on our people” when infact they were by proxie. That is as we now know, UK personnel spied directly on US citizens and handed over all the results to the US, and the US directly spied on UK citizens and handed over only some of the results to the UK.

Anyway having picked up on the above, you then read things again in a different light and even more pops out that is at the very least ambiguous if not deliberate obfuscation. That it raises the questions,

“What are they not saying? And why?”

Clive Robinson • April 7, 2022 6:24 PM

@ SpaceLifeForm,

Re : Pink Floyd and the Ukraine.

Makes you wonder what Iron Maidens Bruce Dickenson is upto,

https://en.m.wikipedia.org/wiki/Bruce_Dickinson

He poped into Sarajevo when an active war was going on to give a moral boosting concert, he’s also flown several mercy missions when others would not or could not into war torn parts of the world.

So if he poped up in the Ukraine even though he is 63 I would not be surprised.

After all he was nice enough to me when I nearly ran him down in Chiswick when I was cycling like a whirling dervish to get to work one morning.

Clive Robinson • April 7, 2022 7:13 PM

@ Winter,

So, one-way means: Yes, it is bijective, no, there is no shortcut.

It’s what you are calling the “shortcut” that is the “trap door”.

As I’ve pointed out, proof of “no trap door” is probably not there,

“Can we have a forward function where we can prove with some kind of mathmatical certainty there is no “trap-door” I suspect not as we are still finding new trap-door methods.”

ResearcherZero • April 7, 2022 10:56 PM

@vas pup

I’ve met Elon and Jeff, very nice fellows. Built their companies up from the ground and self taught.

It’s the crooks I don’t like. The ones like Lang Hancock and Clive Palmer, who’s mates were corrupt premiers. They were ‘gifted’ a very large amount of other people’s land, in return for a share of the profits of leasing that land to mining companies.

They cheated the original owners, put them on buses, then dumped them interstate. Now the people who did that are increasingly playing politics.

I think their was a Federal Police report about this kind of thing, and how if the politicians didn’t adopt the necessary recommendations to improve prosecution of ‘white collar crime’, they might end up with some very real problems of their own. That must of been nearly 30 years ago.

–

“you are using an older version of Chrome” [click here]

The user receives JavaScript that changes the appearance of the page and tries to force the user to download malicious code.

We identified increased activity of the Parrot TDS in February 2022 by detecting suspicious JavaScript files on compromised web servers.

In several cases, we also identified a traditional web shell on the infected web servers, which was located in various locations under different names but still following the same “parroting” pattern.
https://decoded.avast.io/janrubin/parrot-tds-takes-over-web-servers-and-threatens-millions/

ResearcherZero • April 7, 2022 11:02 PM

@vas pup

I think there was a Federal Police report…

But basically the crooks are using a similar trick.

[Vote here for Freedom]

Hey, I’d like some freedom! All I have to do is vote for you you say? 😀

ResearcherZero • April 7, 2022 11:18 PM

@vas pup

I had this one crook grab me by the arm in the main business precinct, and then try and drag me into a building.

“Just come with me into this building,” he said.

“No,” I replied, “did hat crooked detective hiding in the shadows ask you to this?”

A few people had gathered by the point so he had to let go. I might very well have been going to give evidence against that very same crooked detective at the court.

That bloke who grabbed my arm is now the current Australian Prime Minister.

I use the term crook though as he had actually committed a bunch of crimes proceeding that event, that actually were quite serious enough to land him with enough jail time to prevent him ever running for politics. However he committed those crimes for that very same detective and was never prosecuted.

ResearcherZero • April 8, 2022 12:06 AM

“The operators of these profiles build an entire network of friends who are, in reality, targeted people working in Israel’s police, defense forces, emergency services, or the government.”
https://www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials

–

BND briefed parliamentarians on Wednesday about its findings. Some of the intercepted traffic apparently matches the locations of bodies found along the main road through town. In one of them, a soldier apparently told another that they had just shot a person on a bicycle. That corresponds to the photo of the dead body lying next to a bicycle

…In another intercepted conversation, a man apparently said: First you interrogate soldiers, then you shoot them.

The BND material also apparently provides evidence that members of the Russian mercenary unit called the Wagner Group played a leading role in the atrocities.
https://www.spiegel.de/international/germany/possible-evidence-of-russian-atrocities-german-intelligence-intercepts-radio-traffic-discussing-the-murder-of-civilians-in-bucha-a-0a191c96-634f-4d07-8c5c-c4a772315b0d

“They are expected to deploy more than 1,000 mercenaries, including senior leaders of the organisation, to undertake combat operations,”
https://www.reuters.com/world/europe/british-intelligence-says-russias-wagner-group-deployed-eastern-ukraine-2022-03-28/

ResearcherZero • April 8, 2022 12:46 AM

“The U.S. Secret Service has suspended four agents linked to two men accused of impersonating federal law enforcement officers who authorities said gave gifts worth thousands of dollars to agency personnel including one assigned to protect President Joe Biden’s wife.”

Rothstein said the FBI uncovered evidence after searching several apartments tied to the defendants including a loaded Glock pistol, ammunition, components from disassembled guns and sniper equipment.

In addition, it recovered body armor, gas masks, zip ties, handcuffs, firearm storage cases, a drone, Department of Homeland Security patches and law enforcement clothing, DHS training manuals, surveillance equipment and a binder with a list of residents in the apartment complex.
https://www.reuters.com/world/us/us-secret-service-places-agents-leave-over-gifts-phony-cops-2022-04-07/

One witness believed the two men had access codes to everywhere in the building due to them posing as law enforcement.
https://abcnews.go.com/US/men-posed-federal-agents-gave-gifts-secret-service/story?id=83923156

One could not afford an attorney, and the other said he had no money.

Te strange thing is, it’s a familiar story.

ResearcherZero • April 8, 2022 1:04 AM

“Russia is deaf to the logic of reason but very sensitive to the logic of power.”

“Try it with a bayonet, if it’s soft, push. If it’s hard, leave.”
https://ricochet.com/1214468/finnish-intelligence-officer-explains-the-russian-mindset/

ResearcherZero • April 8, 2022 1:26 AM

@Winter

I could provide some detail about torture at the hands of the GRU and other fun encounters, but my spelling always goes to pot, and the details themselves wouldn’t make for very good reading. The really horrific stuff would be what happened to the others, but it wouldn’t be appropriate to discuss what happened to the other families’ loved ones.

Because of bad intelligence, some of those victims were the wrong targets. The GRU didn’t really seem to care that their intelligence was often bad, or that their operational standards were very poor. Inflicting damage and taking advantage where ever they could, and crossing all and any “lines” appeared the goal. All lines were crossed.

I will say however, that not prosecuting such crimes was akin to leaving the door open, and laying out the welcoming blanket. It must of appeared to be an open invitation, or as Lenin said, “if it’s soft, push.”

Winter • April 8, 2022 1:57 AM

More Russian bad opsec:

‘Find My’ Device Tracker Used by Ukrainians For Locating Stolen Apple Gears From Russians
https://vnexplorer.net/find-my-device-tracker-used-by-ukrainians-for-locating-stolen-apple-gears-from-russians-s924591.html

Of course, looting was also considered rampant during the war. Some people who have no food to eat might steal food from the grocery store. However, in the current case, some Russian soldiers reportedly robbed tech products that mainly came from Apple.

According to the latest report by Cult of Mac, the Ukrainians noticed that some of the Apple devices have been stolen. This is why they arrived with the idea of using the “Find My” tracker to locate them. This also helps them know where Russian troops are marching in.

Winter • April 8, 2022 2:40 AM

@Clive
“As I’ve pointed out, proof of “no trap door” is probably not there,”

It is very well possible that True or False statements, e.g., there is no trapdoor for function F, cannot be proven or disproven. That was basically the idea of Gödel.

If you find a proof that a specific one-way function has no trapdoor, that is the function is easy, ie, polynomial effort, to calculate but difficult, ie, exponential effort, to invert, you have proven that P ≠ NP and you win a million dollars and get a Fields medal.

That is to say, that is really difficult. But like in Fermat’s last theorem, the fact that you cannot prove or disprove a theorem, it does not mean that it is not true.

Winter • April 8, 2022 2:46 AM

@ResearcherZero
“I could provide some detail about torture at the hands of the GRU and other fun encounters,”

I do not expect anything less from an organization that produced a ruler who goes by the nickname “the Poisoner” and adores Stalin. There is little else to say as that its victims are in my thoughts.

Like Ebola, any contact with Russian state organizations should be avoided and if you have had contact, $DEITY’s mercy be with you.

Clive Robinson • April 8, 2022 4:19 AM

@ Winter,

… the fact that you cannot prove or disprove a theorem, it does not mean that it is not true.

Or that it is false, all fine and dandy in the academic world.

But modern cryptography is where the theoretical rubber meets the hard road of reality. The quality of that rubber decides when you get a “blow out”…

Now if you can prove that a function does not have a trap door that makes thst rubber top quality on it’s own. If however you can not then you have to take added measures, and they add to the inefficiency of the system.

For instance if you have two “One Way Functions”(OWFs) that are based on different premises, if one blows out the other likely does not (though it might do later).

So a mitigation in an active short term system is effectively use two OWFs in series, and design the system as a “frame-work” so that you can pull out a bad OWF and drop in a replacment.

The problem though is longterm system output and “collect it all”, mitigation against the long term future is hard very hard. But there are ways to push beyond short term, even if Quantum Computing ever does get to become a threat.

Winter • April 8, 2022 4:38 AM

@Clive
“If however you can not then you have to take added measures, and they add to the inefficiency of the system.”

Isn’t it a Truism that every cryptographic system will be broken eventually? This is not limited to the use of one-way functions.

The longer your secret must be be secured, the more effort you will have to invest to do secure it.

No system will be immune to this.

Clive Robinson • April 8, 2022 11:23 AM

@ Winter,

Isn’t it a Truism that every cryptographic system will be broken eventually?

Like many “truisms” it is not true.

It’s why the question of “random” is so important.

A truely random system, is not just secure, it’s also unlike deyermanistic systems “deniable” thus proof against Second party betrayal if used correctly.

The reason it’s secure deniable and protects against betrayal by the second party or recipient is for the same reason “all messages” of the ciphertext length or less are all equiprobable. So without the actual key used by the first party or sender the ciphertext can mean anything the second party makes a key to fit…

Take the “One Time Pad”(OTP) if made with a “True Random” or at least “Fully Non Determanistic” source of unbiased and independent bits then for a message that is M bits long all 2^M messages are valid under the equiprobable rule.

If I as the first party roll dice to make the TX OTP and get you as the second party to make a copy in long hand as the RX OTP. Then I with care as the first party can deny the contents of any ciphertext I send to you… Your RX decrypt key is in your own hand writing so the message can mean anything you make up an OTP after the fact for…

With a little work as I’ve indicated before you can make ciphertext that actually looks like plain text for transmission, using an OTP. Due to one of the quirks of extended Shannon Channels, which were written about by Wiener and Shanon.

Winter • April 8, 2022 12:32 PM

@Clive
“It’s why the question of “random” is so important.”

How random is random enough?

IIRC, you yourself have many times questioned the true randomness of physical systems to the point that I was left with the impression that no source of randomness I knew was pure enough.

SpaceLifeForm • April 8, 2022 2:02 PM

Encrochat Sources Methods

hxtps://www.fairtrials.org/articles/news/encrochat-hack-fair-trials-denounces-decision-of-french-court/

After the secure communications network was infiltrated by French police authorities, data was transferred to law enforcement agencies in other EU countries via Europol. However, the French authorities used the grounds of ‘defence secrecy’ to suppress information about how the network was infiltrated and what data was retrieved.

There is something implied above, that you may want to take with a grain of salt.

vas pup • April 8, 2022 3:01 PM

@ResearcherZero • April 7, 2022 10:56 PM
My post you’ve replied to and related to Musk was deleted by Moderator.Just fyi.
There is no 1st Amendment on the this blog.
Only discretion of Moderator and owner of this blog.

SpaceLifeForm • April 8, 2022 3:08 PM

@ ALL

Just stop using Windows

hxtps://www.thurrott.com/windows/windows-11/265379/new-windows-11-security-feature-will-require-a-pc-reset

“Smart App Control is a major enhancement to the Windows 11 security model that prevents users from running malicious applications on Windows devices that default blocks untrusted or unsigned applications,” Microsoft vice president David Weston explains. “It goes beyond previous built-in browser protections and is woven directly into the core of the OS at the process level. Using code signing along with AI, our new Smart App Control only allows processes to run that are predicted to be safe based on either code certificates or an AI model for application trust within the Microsoft cloud. Model inference occurs 24 hours a day on the latest threat intelligence that provides trillions of signals.”

April Fools day was last week. Don’t be a Fool.

SpaceLifeForm • April 8, 2022 3:54 PM

@ vas pup, ResearcherZero, -, Clive

Do not assume Moderator deleted.

Remember the batcache. Wait at least 5 minutes, then force refresh in your browser.

Note that recent 100 and a given article operate on batcache, but the clocks are not synchronized. They are different caches.

Still missing?

It was probably not Moderator.

Clive Robinson • April 8, 2022 6:35 PM

@ Winter,

It’s getting late or more correctly “early” in our respective time zones. So hopefully you will read this with a rested mind and a cup of your favourite beverage to imbibe from[1].

IIRC, you yourself have many times questioned the true randomness of physical systems to the point that I was left with the impression that no source of randomness I knew was pure enough.

I do not know if it was original to Terry Pratchett but he had a Dwarfish expression,

“Muck and gold come from the same shaft”

The trick is to get the real gold not just from the muck but tell it from the iron pyrites “fools gold” (which actually are iron disulphide have some medicinal uses).

Oh and these days get the real gold from within the fools gold where it exists in nano-scale amounts[2].

As you note I’ve spent some time over the years talking about what is and is not “true entropy” or “truely random”. I’ve indicated I see it as a scale or spectrum with fully determanistic at one end and truely random at the other. On which psudo random, complex, and chaotic, amongst others also appear.

But whilst fully detetmanistic is easy to see as in the ouput of a simple counter it can be easily obfuscated by a mapping process to produce any output you want, including the so called “gold standard” of the 1993 Bellare and Rogaway “Random Oracle model”[3].

In every case of “random” you will not find a usefull description of what “random is” only what it is not. Likewise there is no test for random only what is not random.

Every year that goes by we get yet more “what random is not” reasoning, argument and tests. It has become an almost exponential slope mountain rising to potentially infinity without ever quite getting there.

Hence the reason to ask,

“Does random actually exist?”

Personally I don’t actually care from a practical sense. That is as an engineer I am very well used to using things that we do not know what they are only that the exist and have reliable characteristics[4].

Which brings us to your question of,

How random is random enough?

Which as I’ve indicated has two answers that of the practical and that of the theoretical considerations.

The answer for the practical issue is,

“A physical source output, without the use of masking algorithms internaly or externally, that produces a signal that is sufficiently unpredictable to both the observer and the generator.”

Where unfortunately,

1, “sufficiently unpredictable”
2, “the generator”

Are “movable feasts” because science and mathmatics from both practical and theoretical aspects moves on.

From a theoretical point it can be reasonably argued that “random” does not exist in the physical universe and has been for centuries. The famous “God does not play dice” quote indicating the level of stress as macro physics gave way to quantum physics, which will nodoubt at some point be replaced by deeper understanding.

But we do not need to “deep dive” on the theory. That is what we call noise is in fact the vector sum of the states and all their changes. That is a basic consequence of thermodynamics in a bounded environment[5].

You can not predict what you can not measure only hope it averages out in a consistant way (think the macro effects of Brownian motion). If for some reason –like the existence of a bulk chaotic process– it does not average out, then you have a reasonable basis for unpredictability. That then may pass all the current statistical processes for detecting determanism.

The question then arises “can we remove all determanism and bias to leave only unpredictability?”. The answer is a qualified “yes” in an unbound environment, but a definate “no” in any kind of bound or resource restricted environment. As we live in the latter environment we have to accept that we can never get a pure form of “truely random” but it does not matter if “unpredictability” holds.

[1] Obligitory Douglas Adams refrence to a “strong cup of brownian motion generator” 😉

[2] https://magazine.scienceconnected.org/2021/06/scientists-discover-hidden-value-of-fools-gold/

[3] Bellare and Rogaway Random Oracle model perspective in 20 year retrospect,

https://eprint.iacr.org/2015/140.pdf

[4] Take Gravity for instance gives mechanical clocks their reliable properties, long before Newton started to experiment. Newton characterized gravity sufficiently well via mass for us to navigate around our solar system with a degree of precision that is beyond our ability to measure realistically. Einstein added a new aspect to gravities characteristics and made things worse not better, but still did not answer what gravity is. Even Peter Higgs’ Boson came up light, and was unable to answer that question, to the point some are thinking the “standard model” is it’s self lacking and a deeper dive is necessitated… But the clocks keep ticking, and the satellites and space craft still moving where we expect.

[5] For an over simplistic model of our universe, consider those machines used for drawing balls for very high value lotteries. All they actually do is use Newton’s observations in a highly complex way. Are such machines “random” at the macro level obviously not, they are in fact quite determanistic producing complex movment of the balls within the bounded environment. But that alone is insufficient to give what appears to be non predictable output. So importantly they add chaotic –in the mathmatical sense– behaviour. That is the result is extreamly sensitive to what are effectively unmeasurable differences to both the observer of the output, and internally state change of the balls to the “generator”. But what of things below the macro level? Well the mathmatics of quantum mechanics indicates that some form of fundemental unpredictability must be present. Which means that it will get in effect amplified by a chaotic process into the macro view of the system. Either way quantum or immeasurable you have unpredictability.

Wesley Parish • April 8, 2022 11:04 PM

Additional note on generating sufficiently weird passwords – there’s a book or two titled “Damn You Autocorrect!”, which gives some sufficiently random “developments” of ordinary words and sentences that – aided and abetted by randomization of alphanumeric and special characters – would fail to occur to most people. And since algorithms are designed by people, they would probably fail to be first in line for brute-force password checking.

Then there are the ever-present travesty generators, such as the one embedded in the Emacs text editor. Just cat several speeches by your least-loved politico, some novels you don’t care for, some religious texts etc, open the resulting mess with Emacs then meta-x dissociated-press the living daylights out of them. “I still hurth tradithin the two-mone that owing to ther to accept jus’ rear sect her to re anyone.”

Since it confounds expectations, it should work.

Winter • April 9, 2022 7:54 AM

@Clive
“I’ve indicated I see it as a scale or spectrum with fully determanistic at one end and truely random at the other.”

I think we should get rid of the term “random” here. Entropy is a better concept. Randomness is not measurable. If you pick a stretch of decimals of π, it will pass all tests of randomness with flying colors. Kolmogorov complexity is a better concept, but that is not computable. At least, Kolmogorov complexity would flag π as non-random, if you knew the generating algorithm.

In theoretical physics, randomness has no place. The one point that is always mentioned is quantum mechanics. But here there is a gap in the theory. You start with a unitary (=deterministic) evolution of a Schrödinger waveform and when you measure it, a miracle happens and you get a random output. Sabine Hossenfelder is doing a lot of work on trying to close that gap. She does not believe there is randomness here.
ht-tps://backreaction.blogspot.com/2019/10/what-is-quantum-measurement-problem.html

When we are concerned with physical systems, you are better off with entropy. Entropy has a solid physical and theoretical base. Statistical physics starts with a known many particle state, say, a bath tub with hot water. If we would know all the positions and momenta of all the particles, there would be no entropy. There would also be no randomness. This is the realm of Maxwell’s demon.

Entropy comes in because we do not know all the positions and momenta of all the particles. We know only averaged values: the total number of particles (its mass), its volume, its temperature (average energy) and its pressure (average momenta). The influence of all the individual particles and their position and momenta is gobbled up into a single value, the entropy.

We can measure some microstate, say Brownian motion or acoustic waves. The output of that measurement would be random as we do not have the information to predict its evolution. These microstate measurements would result in measuring thermal noise. This thermal noise is “random” for everyone who has no access to other information about the heat bath (our bath tub with hot water).

Which brings us back to cryptographic randomness. You can have high entropy, and thus high randomness, if you can ensure that there is no information about the internal states of the source and the output can be considered thermal (Maxwell distributed). Note that entropy calculations can take structure in the data into account.

Clive Robinson • April 9, 2022 12:39 PM

@ Winter,

I think we should get rid of the term “random” here. Entropy is a better concept. Randomness is not measurable.

I’d rather not as they are entirely different concepts.

Random : Is the measurable difference between two or more successive points, the differences are treated as individual measures.

Entropy : Is a bulk measure of the vector sum of all the states measured aground some ground state.

In the case of “possability” in the case of information theory it is a measure of “possability” but not of actuallity.

As I’ve mentioned before my son understood the concept of “Information Entropy” at an early age with “lego bricks”. That is if you have a load of lego bricks spread out on the floor they have little or no meaning as they are disorganized or random in position and thus have a low ground state. But what you could do with them whilst not infinite does feel like “endless possabilities”. As you build a model the individual bricks become locked together the number of possabilities drop dramatically as the individual randomness becomes bulk structure. The end result is hundreds of bricks with all their individual states become a single coherant object which has only an individual state.

Which is a reasonable analogue for “growing crystals from solution”.

With regards,

In theoretical physics, randomness has no place. The one point that is always mentioned is quantum mechanics.

That is actually not true, randomness does have a place in both practical and theoretical physics. It has to do with degrees of freedom of entities under test. In many tests the aim is to limit the degrees of freedom, idealy to one, and then charecterize it, with the limitation on degrees of freedom making life much easier (however look up William Hamilton’s Quaternions[1][2] if you want to see just how fun three physical dimensions and a time element can be).

Which brings us back to cryptographic randomness. You can have high entropy, and thus high randomness

Yes, and you can have high entropy and what is low randomness in bounded systems. Hence the Dilbert cartoon with the Dinosaur in the troll accounting department pushing out a stream of 9’s there is a maximum length based on the internal storage state of any determanistic generator[3]. Statistically those maximum lengths are just part of the set, but as differences between any of the symbols in such output is zero it can alow statistics to leak through thus alow for synchronization and similar attacks.

[1] Quatetnions are normally given in a polynomial form of,

Q = A1 + Bi + Cj + Dk

Where A,B,C,D are real and i,j,k are the Quaternions. There is a matrix used for multiplication that is derived from what Hamilton finaly realised which was that,

i^2 = j^2 = k^2 = i j k = −1

Though he was not the first, he is the one that got the naming rights 😉

Quaternians pop up all over the place in physics, engineering, maths and computing. And to be honest thay can be a pain to play with thus vector analysis or tensor calculus are often prefered. However in computer graphics especially Quaternians are generally a lot more efficient than other transforms, likewise in calculating more complex orbits.

[2] In 2005 just to ‘keep em alive’ Doug Sweetser, wrote “Doing Physics with Quaternions”,

https://ebin.pub/doing-physics-with-quaternions-n-6333898.html

Have fun reading it…

[3] Simple logic dictates a limit on the maximum invariance in the output of any symbol sequence from the “state” of a generator function. That is it is bound as,

Limit = (3 x S) – 2

Where S is the size of the effective state register. So with bits {0,1} and five elements of state you get the maximum length of 13 as invarient output,

10000 00000 00001

Or it’s binary inverse

01111 11111 11110

If the set of symbols in each state element are larger, then the members in the set of maximum length invariance grows.

So {0…9} would give ten lots of nine sequences

——, 011110, 022220, … 099990,
100001, ——, 122221, … 199991,
200002, 211112, ——, … 299992,
…
…
900009, 911119, 922229, … ——.

Which is N^2-N which is kind of what you would expect.

[]

Winter • April 9, 2022 12:55 PM

@Clive
“Random : Is the measurable difference between two or more successive points, the differences are treated as individual measures.”

This means the decimals of π are random?

Clive Robinson • April 9, 2022 1:33 PM

@ Winter,

This means the decimals of π are random?

No it does not, you forgot the,

“You can not predict what you can not measure only hope it averages out in a consistant way (think the macro effects of Brownian motion). If for some reason –like the existence of a bulk chaotic process– it does not average out, then you have a reasonable basis for unpredictability. That then may pass all the current statistical processes for detecting determanism.”

Pi has probably been measured to a trillion bits or so by now, therefore that part of it by definition is not “unpredictable”.

But further I’ve repeatedly pointed out that “the bits have to be independent of each other” for “Truely Random”. As far as I’m aware whilst Pi may go on indefinately, it has a “generator function”, which makes it not in the slightest bit random, but pseudorandom at best.

So is Pu “truely random” absolutly not, “weakly pseudorandom” that depends on how you define it. If memory serves whilst the geberator function is rekatively trivial, it requires state growing at some power of the iteration.

Any way it’s Saturday Night here, and I have things to do…

MarkH • April 9, 2022 9:13 PM

@Winter, Clive:

Entropy in physics and information entropy are quite distinct. Best to minimize confusion, when reasoning about a challenging topic!

When Claude Shannon introduced his coinage of information theoretic entropy, he did not suggest (as far as I can see) any connection between the two, except that certain formulations of physical entropy likewise are calculated as a summation of terms p_i log p_i, where p_i in each term represents the probability of a specific case.

MarkH • April 9, 2022 9:27 PM

@Winter, Clive (continued):

Usually we discuss entropy here in the context of generating secret numbers required to execute cryptographic algorithms and protocols, where those numbers must be kept secret in order to maintain information security.

In such a context, entropy measures a presumed adversary’s lack of knowledge of such secrets, subject to certain constraints.

If by chance Oscar happens to walk past the desk while Stan is writing a secret number on a piece of paper, the entropy for Oscar is greatly reduced, perhaps to zero. A usual predicate, is that such observations are prevented.

When the topic is cryptographic secrets (like secret keys), entropy is a metric of what some set of persons (and/or computers) doesn’t know.

Clive Robinson • April 10, 2022 12:15 AM

@ MarkH, Winter,

entropy is a metric of what some set of persons (and/or computers) doesn’t know.

Hence it’s a “measure” of “possability” or “cardinality” –number of “elements” in or size– of a set.

That is there is a set of all the possabilities or “states”, some or all of which are “candidates”, to be the “secret key”.

Any “search” or “sieve” has two distinct proper subsets of the set of all possibilities those “excluded” from further consideration and those not yet excluded which are the “candidates”.

If the search or sieve is effective then on each iteration the candidate subset will be reduced and the excluded subset increased untill the candidate set contains only the secret key and the search or sieve “halts”.

One issue is when the cardinality of the set of possibilities is so large that it is beyond the available resources to store or search. So another strategy is required. Most often this would be a simple counter used to hold “count state” and if required a mapping function f(x) from the count state value to the element value.

So,

f(x) could be (x^2 + C) mod P

Where P is a prime, and C a constant (of large percentage of P).

Winter • April 10, 2022 7:13 AM

@MarkH, Clive
“Entropy in physics and information entropy are quite distinct. Best to minimize confusion, when reasoning about a challenging topic!”

Already in 1951 the link between Shannon information and Entropy was made [1]. But I see a lot of confusion around these terms. Maybe I can clarify what I mean to say.

Entropy is the unknown state information about a system. This describes the statistics of the evolution of the known states of the system. As it is about the statistics, it only makes sense to talk about the entropy of large systems, e.g., with O(10^23) parameters. When we talk about much smaller systems, we must expect a lot of variation due to statistical flukes.

When I speak about the “information” in a message, I am actually talking about the information in a randomly drawn message from the larger system of all the possible messages. If you want to speak about the probability of a single, isolated bit-string, you have to use Kolmogorov complexity, not entropy.

A lot of people talk about entropy as unknown or missing information as if this information could somehow be extracted if we want. But if I use thermal IR radiation or sound measurements from a slab of hot silicon or such, that is unrealistic. If I count photons or phonons (sound) with specific frequencies coming from a heated slap of material, it is inconceivable that anyone would be able to determine the precise state of the material. Arrival times of the photons or phonons are simply unpredictable for anyone but $DEITY. Such arrival times will be truly random for any reasonable definition of random. This does not distract from the problems that can arise in implementing the counters.

After the arrival times, or whatever measure you want, are recorded, handling these correctly for use for cryptography is also not related to the entropy of the source. Implementation details can kill any source of entropy.

@Clive, MarkH
“Hence it’s a “measure” of “possability” or “cardinality” –number of “elements” in or size– of a set.”

Yes, but if your set is small, using “entropy” does not help much. Entrooy in this sens is a weighted average over bit-string probabilities. In thermodynamic sense, you are referring to microcanonical and canonical ensembles (see Wikipedia). It does not always make sense to delve this deep into the structure of a system. I would suspect that if you have to discuss the structure of your system at such a precision, you might not need to discus entropy at all.

In my opinion, if you want to extract “truly random” numbers from a physical system, pick a system that has such a large number of free parameters, e.g., thermal (IR/sound) radiation from a macroscopic crystal, that any discussion of its internal states becomes meaningless.

[1] Brillouin, Leon. “Physical entropy and information. II.” Journal of Applied Physics 22.3 (1951): 338-343.

MarkH • April 10, 2022 10:32 AM

it only makes sense to talk about the entropy of large systems, e.g., with O(10^23) parameters

This underscores how distinct physical and information entropy are. In information theory, the entropy of a single bit can be both (a) well defined, and (b) practically meaningful.

Entropy-as-uncertainty can be collapsed to zero by a single observation in a tiny fraction of a second. There is no counterpart to this for physical entropy.

Different animals.

Winter • April 10, 2022 11:28 AM

@MarkH
“This underscores how distinct physical and information entropy are. In information theory, the entropy of a single bit can be both (a) well defined, and (b) practically meaningful.”

The entropy you assign to this bit is defined on the source collection from which the bit is derived. The entropy is also the inability to predict the outcome of measuring the bit. So if you do look at the bit, nothing has to be predicted anymore. That does not change the uncertainty of the next bit you extract.

Whether it is practically meaningful is not part of physics or thermodynamics. Usefulness is in the mind of the receiver.

Clive Robinson • April 10, 2022 11:31 AM

@ Winter, MarkH,

In my opinion, if you want to extract “truly random” numbers from a physical system, pick a system that has such a large number of free parameters,

Importantly they need to be fully independent of,

1, Internal Influence.
2, External Influence.

And to ensure that those possibilities and other posabilities, including,

3, Drift
4, Degradation
5, Fault
6, Failure

Do not cause issues, you need to test the raw physical sources on a “bit by bit basis” and upwards.

After all as Audio Engineers will point out “hum will get in where ever it can” and likewise “microphonics”. Old school communications engineers know about “cross talk”, “magnetic coupling”, “capacitive coupling” and that little nasty I mention from time to time called “injection locking” then if you are realy old school “Parametric oscillation / Amplification”. All of which can br used to transfer energy into a physical source such that it effects the source ouput in a number of detrimental ways.

John • April 10, 2022 12:07 PM

@Clive and all,

I don’t understand how a ‘biased’ random source compromises the encrypted information?

As an example suppose the random source averages 0.4 ones and 0.6 zeroes.

John

MarkH • April 10, 2022 12:13 PM

@Winter:

Probably better if I follow your wording … it makes sense to talk about the entropy of a single bit, such as the outcome of a coin toss, or the spin of an elementary particle produced by a certain interaction.

If I understand your reckoning, it only makes sense to talk about the entropy of a physical system if it has a vastly greater scope of variation.

Different animals.

Winter • April 10, 2022 12:21 PM

@MarkH
“it makes sense to talk about the entropy of a single bit, such as the outcome of a coin toss, or the spin of an elementary particle produced by a certain interaction.”

A coin toss samples a large mechanical system, the body of the tosser, the air. The predictability of the outcome depends on the predictability of the whole process. The same of preparing an elementary particle into a specific quantum state.

I look at a tossed coin as a measurement of the body that does the toss.

As entropy and information are about the predictability of outcomes, it makes no sense to talk about entropy and information for a person who already knows the outcome. But the fact that you know the outcome does not tell me anything about the outcome.

Winter • April 10, 2022 12:28 PM

@Clive
“Do not cause issues, you need to test the raw physical sources on a “bit by bit basis” and upwards.”

This just comes down to filtered outcomes. The measurements filter the signal. That means that the outcomes sample a reduced part of the state space. And the entropy used is that of the reduced state space.

Or, reformulated, if your hardware is garbage, no good signal will come out. But that does not say anything about the quality of the input signal.

Entropy is not magic. It is just statistics. And like any statistics, you need to know how to use it effectively.

Clive Robinson • April 10, 2022 3:01 PM

@ John,

I don’t understand how a ‘biased’ random source compromises the encrypted information?

In an unbiased source the number of ones equals the number of zeros over a sufficient period of time thus the probability of ones and zeros is at 0.5 or 50%.

So lets consider collections of bits as numbers. Simply writing down all sixten states of a 4 bit count,

1, 0000 0001 0010 0011
2, 0100 0101 0110 0111
3, 1111 1110 1101 1100
4, 1011 1010 1001 1000

Shows that not only are the number of ones and zeros balanced, they are balanced in smaller groups. If any one bit state was changed to give bias, you would not have 32 of 64 bits set or clear but 31 of 64 or 33 of 64. But you would also then loose one unique 4bit count state and end up with two states the same, thus go from 16 of 16 to 15 of 16 states.

It does not matter how you change the bit bias if it is unbalanced you will end up with a change in the number of states available at the output to a lesser number. Which by definition of information entropy being the log base 2 of the number of states means that the entropy has decreased.

But also check the transitions between pairs of bits you will find when the raw source is unbiased the number of transitions to transitions remains balanced (what you would expect with a parity function). It’s using the 01 or 10 transitions to give “zero” or “one” respectively that makes the John von Neumann debias circuit work but for a significant loss of potential entropy recovered from the source output.

But again note the patterns

1, 0.0 0.0 0.0 0’1 0.0 1’0 0.0 1.1
2, 0’1 0.0 0’1 0’1 0’1 1’0 0’1 1.1
3, 1.1 1.1 1.1 1’0 1.1 0’1 1.1 0.0
4, 1’0 1.1 1’0 1’0 1’0 0’1 1’0 0.0

Any bias would cause disruption to the paterns –in time or sequence– again as you would expect from parity functions. You will also find it relates to “Walsh Transforms” as well which takes us into coding theory which is an interesting part of information theory (but not directly relavant to this explanation).

The point is :-

“Any bias also breaks the structure of events in time or sequency as well, and that comes through the debias circuit.”

As John von Neumann was well aware[1].

The fact the change in structure appears after a von Nuemann de-bias circuit, even though the bit count is debiased makes the point information “leaks through” to the ouput about bias even though you try to stop it doing so[2].

[1] The John von Neumann paper where he describes the de-biaser is more infamous for the “a state of sin” sentance. However the ultimate sentance of the second paragraph says,

“The resulting process is rigorously unbiased, although the amended process is at most 25 percent as efficient as ordinary coin tossing”

Shows he was well aware of the structural bias showing up through the bit de-bias circuit. However he did not amplify on it as it was not relevant to the two points he was making.

Read the paper for yourself, it is after all a piece of history in many fields of endeavor,

https://dornsifecms.usc.edu/assets/sites/520/docs/VonNeumann-ams12p36-38.pdf

[2] This leakage via a side channel is something that those studying cryptography and or ICTsec in general realy need to get their heads around (and few do). It comes about when you disassociate “theory” from “implementation” which the NSA did through hoodwinking NIST in the AES contest as I’ve mentioned several times in the past. To see this with supposed “True Random” bit generators, you need to know that several popular types of hardware “True random’ bit generators –infact mostly all “in silico”[3] these days– use one or more oscillators which tend to be somewhat stable in time. This means that the output from the raw entropy “true source” is also frequently stable in time.

However the von Neumann de-bias circuit at best gives 25% of the output rate. If the actuall “true source” is or becomes biased then it will be less than 25% which is easily measurable with quite some precision. As I’ve mentioned in the past on this blog to much incredulity, you have to take considerable care how you de-couple parts of TRNG’s not just from each other but observers of the output or other parts of the system.

[3] The expression “in silico” (in silicon) is a modern “latinism” added to “in vitro” (in glass), “in vivo” (in life) etc to describe an experimental classification. Meaning not “in silicon” precisely but anything to do with computer simulations,

https://en.m.wikipedia.org/wiki/In_silico

The flip side is the use of algorithms in our heads such as mental arithmetic would be “in vivo” 😉

John • April 10, 2022 5:38 PM

@clive,

Thanks. That paper was an interesting read.

My conclusion is that the biased real random source couples the original sequence to the output. And given enough redundancy in the input ‘signal’, the original signal ‘leaks out’ well enough to be at least partially decoded. Work force reduction!

I am thinking of some experiments I did a long time ago with distorting analog signals with a slow sigma delta converter to test various modem code. While it worked well as a controllable distortion simulator, the real signal leaked out amazingly well.

I am not sure my example makes sense to you? I hope so.

Which brings me back to your original point that you can never test for randomness only for non-randomness and then find non-randomness maybe only by accident!!

I remember thinking many years ago that combining several pseudo-random shift registers would give ‘random’ numbers to power a random noise ‘generator’. Which brings us back to whether our ‘random’ number are ‘good enough’ for our current use. Kinda untractable! Oh well :).

warm regards,
John

akira • April 11, 2022 10:27 AM

@Clive,

which the NSA did through hoodwinking NIST in the AES contest as I’ve mentioned several times in the past.

A good example of “arguing from known effect back to some wanted cause” as you put it yourself just some days ago.

Unless you come up with some proof, your claim that under influence of the NSA ‘the reference implementation of AES was deliberately written to allow timing attacks’ is just a classic conspiracy theory, nothing more.

Clive Robinson • April 11, 2022 11:47 AM

@ akira,

Unless you come up with some proof, your claim that under influence of the NSA ‘the reference implementation of AES was deliberately written to allow timing attacks’ is just a classic conspiracy theory, nothing more.

First off it appears that you are not reading what I wrote, then making at best incorrect assumptions.

You will see from what I wrote,

“It comes about when you disassociate “theory” from “implementation” which the NSA did through hoodwinking NIST in the AES contest as I’ve mentioned several times in the past.”

I made no mention of

‘the reference implementation of AES was deliberately written to allow timing attacks’

Which you quoted, presumably in the vain hope that people would assume you were quoting me, which you are not.

So you came up with something entirely of your own creation so that you could go on and say,

“just a classic conspiracy theory, nothing more.”

Which is a clasic example of some call a “strawman attack”, which has been of such over use by shills, trolls and similar of recent times, I find it odd that some one would think they could get away with it.

Well you’ve clearly failed and been hoist by your own petard.

You should have realised when I said,

“as I’ve mentioned several times in the past”

I’ve already been through the evidence in the past on this blog more than once…

So as I’ve said to those “strawmaning” in the past,

“Go look it up”.

SpaceLifeForm • April 11, 2022 2:23 PM

@ Clive

Agree. Someone is trying to conflate that a side-channel attack is a timing-attack, and attempt to put words in your mouth.

While a timing-attack can become a side-channel attack, the converse is not necessarily true.

And, you clearly did not imply so.

Schneier on Security

Friday Squid Blogging: Squid Migration and Climate Change

Comments

Leave a comment Cancel reply