Comments
vas pup • July 29, 2022 5:58 PM
EU says it found evidence that senior officials were targeted with NSO spyware In a letter obtained by Reuters, EU Justice Commissioner Didier Reynders says investigators
have found evidence that his phone was hacked using Israeli tech; NSO offers assistance
vas pup • July 29, 2022 6:00 PM
US-Israel fund launches cybersecurity program for critical infrastructure protection New BIRD initiative to grant $1.5 million per project for joint work on securing supply chains, airports and seaports, and enterprises
“The program will be led by BIRD Cyber, a joint cooperation between the Israel-US Binational Industrial Research and Development (BIRD) Foundation together with the US Department of
Homeland Security’s Science and Technology Directorate and the Israel National Cyber Directorate (INCD), according to an official announcement Tuesday.”
Henry • July 29, 2022 6:22 PM
Has anyone disassembled this NSO spyware and explaind how/why the phone makers have not been able to block it?
SpaceLifeForm • July 29, 2022 9:21 PM
@ Henry, Leon
You may want to start here.
try g(pegasus ForcedEntry)
Or not try. There are rabbit holes.
SpaceLifeForm • July 29, 2022 10:02 PM
@ john
We are at an inflection point. Right now. Seriously. It is a Friday.
GS (the thumb of the invisble hand of the marketplace) is going to learn that hammers hurt.
It will not just be a flesh wound.
The Hammer is coming down.
Paul Rain • July 30, 2022 12:32 AM
Cry more vas pup. Western filth will not overthrow the government of Myanmar.
SpaceLifeForm • July 30, 2022 12:50 AM
@ Leon, Clive, ALL
An interesting typo I did, just the ‘i’.
‘http://info.cern.ch/
Last time I was there was defintely over
15 years ago.
I did mention CERN recently.
Winter • July 30, 2022 7:21 AM
@Paul
Western filth will not overthrow the government of Myanmar.
There is a branch of politics/religion that looks positive upon killing people if that prevents them from letting the peacefully do what they want.
David Rudling • July 30, 2022 1:26 PM
Embedding an EXE inside a .REG file with automatic execution
hxxps://www.x86matthew.com/view_post?id=embed_exe_reg
Clive Robinson • July 30, 2022 2:37 PM
@ David Rudling,
“Embedding an EXE inside a .REG file with automatic execution”
You can do very similar with graphics files that use a “Turing Complete Engine”(TCE) to display them (postscript, PDF etc).
Fun fact back in the olden days 😉 Microsoft had an issue with “text files”
As far as the OS was concerned the file size was recorded in the “File Alocation Table”(FAT) record.
But as far as the editor and other text file manipulation was concerned the text ended at a control Z (Ctrl-Z) character.
So you could hide quite a bit of binary data at the end of a text file by putting in a little text then a control Z then the binary data.
Or executable… As it turns out an old fashioned XXXX.cmd “command file” is simply a file that gets loaded into memory with a simple offset… It does not take much thinking to work out how to make a small text file a command file… In fact this sort of thing was done with early malware.
SpaceLifeForm • July 30, 2022 5:12 PM
@ David Rudling, Clive
I find this one more interesting, because the concept could be applied to any OS.
‘https://www.x86matthew.com/view_post?id=audio_transmit
Nadia El Monsour • July 30, 2022 10:36 PM
Courtesy of Naked Capitalism. Good article comparing the inverted-privacy demands of Web3 compared to Web2. And the impossibility of Web3 aligning with the GDPR
https://www.thepullrequest.com/p/the-right-to-never-be-forgotten
ResearcherZero • July 30, 2022 11:10 PM
@Winter
I kind of remember Australia having a long relationship selling weapons to Myanmar’s junta, which appeared to be a long ongoing effort to prop them up.
But it could have been a secret plan to bore them to death, by subjecting them to the jokes and ramblings of our bureaucrats and politicians at the local embassy building, while securing those arms sales.
–
An Australian man who sparked a worldwide investigation into spyware he allegedly created and sold to domestic violence perpetrators and other criminals, has been charged by the Australian Federal Police (AFP).
The 24-year-old from Frankston, in Victoria, was just 15 years old when he allegedly developed the Remote Access Trojan (RAT).
One of the purchasers was also registered on the Child Sex Offender Register.
The RAT cost about $35 and was allegedly advertised on a forum dedicated to hacking.
The AFP believes the number of victims globally was in the tens of thousands, with 44 victims identified in Australia.
His 42-year-old mother has also been charged with dealing with the proceeds of crime.
https://www.abc.net.au/news/2022-07-30/afp-charge-australian-man-over-alleged-spyware-operation/100996670
–
A funny story about gas and penguins?
“The federal environment minister announces government approval for a large-scale penguin farm near Alice Springs. It will produce 300,000 penguins each year for the high-end feather market in Europe.”
“Penguin feathers are also, in this make-believe world, proven superconductors that could provide an alternative to lithium for renewable energy batteries. The $40 million farming project promises to create jobs and growth in regional Australia.”
“To any informed reader, the idea of farming cold-ocean seabirds in the Australian desert is mind-numbingly silly. But this hypothetical idea helps us better understand how environmental governance in Australia has gone badly wrong.”
https://theconversation.com/a-penguin-farm-in-the-australian-desert-a-thought-experiment-that-reveals-the-flaws-our-in-environment-laws-187142
credits have been issued for emissions reductions that were not real or additional, such as:
protecting forests that were never going to be cleared
growing trees that were already there
growing forests in places that will never sustain them permanently
large landfills operating electricity generators that would have operated anyway.
May 4, 2020
“Gas and gas transmission networks already play an essential role in energy reliability, but gas has even more potential as a resource to produce and transmit hydrogen,” said Energy and Emissions Reduction Minister Angus Taylor.
The announcement of the Advancing Hydrogen Fund follows a crash in the global oil market crash. The fall has flowed on to lower gas prices, which Mr Taylor said “provides us with an opportunity for strategic economic stimulus”.
https://www.smh.com.au/politics/federal/300m-clean-energy-fund-to-back-fossil-fuel-hydrogen-projects-20200503-p54pdr.html
New regulations could allow ARENA (Australian Renewable Energy Agency) to fund developments that use CCS such as the development of “blue” hydrogen made with gas.
“These changes are supported by a broad cross section of peak bodies and industry groups,”
https://www.theguardian.com/australia-news/2022/apr/04/coalition-tries-for-third-time-to-let-renewable-energy-agency-fund-technologies-using-fossil-fuels
January 8, 2021
Asian spot prices for liquefied natural gas (LNG) jumped nearly 50% this week to a record high
https://www.reuters.com/article/global-lng-idUSL1N2JJ1LT
July 7, 2022
In 2020 and 2021, Asia had been the main destination for US LNG exports, accounting for almost half of the nation’s cargoes, according to EIA. But during the first four months of 2022, U.S. LNG exports to Asia declined by 51%, averaging 2.3 Bcf/d compared with the 4.6 Bcf/d average in 2021.
“When Europe’s dependence on gas from Russia didn’t go well, it impacted almost everyone in Asia”
https://www.naturalgasintel.com/south-asia-buyers-again-sidelined-by-high-lng-spot-prices/
July 28, 2022
European wholesale gas prices closed at €204.85 (£172.08) per megawatt hour – the third highest price on record. The all-time high was achieved on 8 March when prices closed at €210.50 (£176.76) per megawatt hour, according to analysts Icis.
However, this time last year the wholesale gas price in Europe was at just above €37 (£31.08) per megawatt hour.
https://www.bbc.com/news/business-62318376
“Secret documents detail a government regulator scrambling after then-energy minister Angus Taylor decided to effectively rip up decades-long contracts for carbon credits, gifting windfall profits of potentially billions of dollars to some private companies.”
https://www.abc.net.au/news/2022-07-25/pre-election-carbon-credit-shake-up-foi-documents/101259776
Financial institutions overseas have pumped $AUD36.7 billion into Australian fossil fuel projects…
“the Morrison Government is deliberately preventing efforts to turn off the tap for this type of overseas financing by playing a blocking role at international negotiations at the OECD”
Of the $36.7bn, $28.07bn went to LNG projects in Australia, including $9.67bn to the Ichthys LNG development in north-west Australia and $7.76bn for Australia Pacific LNG in Queensland.
The research says the total figure is likely to be higher because many public financial institutions do not publish detailed records of their transactions.
https://jubileeaustralia.org/storage/app/uploads/public/618/275/7da/6182757dade85985918918.pdf
Senior energy market analyst and director of Climate Energy Finance Tim Buckley said fossil fuels were behind the huge interest in wholesale electricity prices.
“It is the unreliability of ageing coal power plants and the gouging of eastern Australian consumers by the gas cartel that are the two key factors.”
https://7news.com.au/business/energy/electricity-prices-rose-to-their-highest-on-record-and-the-nightmare-is-set-to-continue-c-7682999
“Australia is at a pivotal point. There is a tidal wave of disruption on the way, and it’s critical we take steps now to get ahead of it,”
“The next wave of digital innovation will generate $10–15 trillion globally.
https://www.csiro.au/en/news/news-releases/2022/seven-megatrends-that-will-shape-the-next-20-years
ResearcherZero • July 30, 2022 11:30 PM
The boss of WhatsApp says it will not “lower the security” of its messenger service. Government plans to detect child sex-abuse images include the possible scanning of private messages.
Mr Cathcart said WhatsApp already detected hundreds of thousands of child sex-abuse images.
“There are techniques that are very effective and that have not been adopted by the industry and do not require us sacrificing everyone’s security,” he said. “We report more than almost any other internet service in the world.”
“Client-side scanning cannot work in practice,” Mr Cathcart said. “What’s being proposed is that we – either directly or indirectly through software – read everyone’s messages,” Mr Cathcart said. “I don’t think people want that.”
Ella Jakubowska, policy adviser at campaign group European Digital Rights, said: “Client-side scanning is almost like putting spyware on every person’s phone. It also creates a backdoor for malicious actors to have a way in to be able to see your messages.”
https://www.bbc.com/news/technology-62291328
Nobby • July 31, 2022 12:42 AM
@Clive
an old fashioned XXXX.cmd “command file” is simply a file that gets loaded into memory with a simple offset
Haven’t you mixed up *.cmd command file, which is merely a windows shell script aka bat-file, and *.com command file, which was relocation-less x86 executable? Long ago it was…
Clive Robinson • July 31, 2022 12:56 AM
@ SpaceLifeForm,
I tried posting a reply to you but it got the “held for moderation” that we know as the “Kiss of death”.
So in parts…
Part 1,
Re : Audio Networking
You might remember I’ve mentioned many years ago (early 90’s) I was designing cordless phones for the “Fast Moving Consumer Electronics Market”(FMCE) and a decade or so prior to that the use of audio for storing data on audio tape and for device to device “networking” to transfer files and also a “Piccolo Modem” for sending 5bit teleprinter codes across HF links. So I’ve a little bit of experience in this area.
Clive Robinson • July 31, 2022 12:58 AM
@ SpaceLifeForm,
Part 2,
There are a few basic ways you can detect an audio tone,
1, Resonator with integrator
2, Direct conversion
3, Phase Locked Loop (PLL)
4, Goertzel algorithm
5, Discrete Fourier Trans(DFT)
6, Fast Fourier Trans(FFT)
The first three are hardware the last mathmatical. However all the hardware ones can be easily converted to software.
But detecting a tone, is just a small part, what you are realy doing is detecting a wanted tone from a composite signal that is mostly unwanted tones combined as “noise” across the full bandwidth.
Clive Robinson • July 31, 2022 12:59 AM
@ SpaceLifeForm,
Part 3,
So an essential part is filtering out or rejecting the unwanted signals. The usual trick is to use “narrow bandwidth acceptance”. However make the bandwidth two small and you will significantly effect the speed of operation of the circuits / algorithms thus communications data rate…
There are two basic ways with resonator circuits, a simple tuned circuit which is inherently narrow band, or coupled tuned circuits that are filters that are highpass, lowpass, or bandpass, and you can tailor their frequency characteristics to suit your needs.
What you do is “load” or “quench” the resonator which changes it’s Q or “quality factor” and use a peak detector, or envelope detector, followed by an integrator. A simple example of this being a TRF or “Crystal Radio”. A way more sensitive circuit being a super regenerative receiver[1].
Clive Robinson • July 31, 2022 1:01 AM
@ SpaceLifeForm,
Part 4,
In essence the resonators act like a pendulum, if you give them a tap then they swing at their natural frequency untill the energy of the tap is lost to the environment. Tap at the same frequency and phase, and the pendulum will swing in larger and larger swings as more energy builds up. The “load” or loss to the environment is often nonlinear thus the pendulum will reach a steady state in the arc of it’s swing.
If however the resonator is “lossless” as a mathmatical resonator would be, the energy would build indefinitely. Which is the principle used in the “Piccolo Modem”[2].
It is known by many that an “RF Mixer” can be used to effectively take two input frequencies and “beat them together” and produce at the output “the sum and difference” frequencies. What is less well known is that phase coherence is maintained. So the use of two mixers driven by an input frequency, and each having a local oscillator frequency that is the same but in phase quadriture makes an “IQ Demodulator” the outputs of which can be used to find the input signal true amplitude and phase, as well as diferentiate between positive and negative frequencies. If the input and local oscillator frequencies are the same the difference beat frequency is zero or “DC” which alows the modulation to be recovered directly, hence it’s called a “Direct Conversion” receiver.
Even less well known even though I mention it from time to time you can use D Type latches and XOR gates to do the equivalent of frequency mixing. In fact the XOR gate can be used as the butterfly in a “Discrete Walsh Transform”(DWT).
Clive Robinson • July 31, 2022 1:03 AM
@ SpaceLifeForm,
Part 5,
Because you can get the phase output as well as if the frequency is positive or negative, you can use DC Receiver, D Type, or XOR as a “frequency/phase detector” the output of which can be used to drive a “voltage controled oscillator”(VCO) to track the input frequency. The control voltage is thus directly proportional to input frequency and can give a very fast indication of trequency. It’s why the circuit is used in many things RF including Data Modems. In software you can make the equivalent of a VCO by implementing a “Direct Digital Synthesizer”(DDS) or “Numrical Oscilator”. In essence these are just a lookup table of a sinewave, driven by a counter, where you change the count step size to control the frequency. You can make the frequency resolution as fine as you like, in fact better than can be measured by instruments. I’ve designed systems for “seismic use” that have frequency step sizes of less than 10^-6 Hz.
The DC receiver is also the direct equivalent of the “Discrete Fourier Transform”(DFT) or “Fast Fourier Transform”(FFT) “butterfly”.
Whilst the DFT is about as efficient for one frequency as you can get, a more efficient algorithm for a small set of frequencies like DTMF detection is the “Goertzel algorithm” that can be efficiently implemented in software[3].
Clive Robinson • July 31, 2022 1:05 AM
@ SpaceLifeForm,
Part 6,
I won’t go into DFT’s and FFT’s there’s bucket loads of information available via google, and as for software there are hundreds of “libraries” covering nearly all popular programing languages. Even Intel providess a highly optomized library set for the IAx86 and later families.
What is quite a bit harder to find is info on DWT and FWT’s and Walsh Transforms in general. They have a lot of advantages, one of which is you do not need slow arithmetic like multiply and add, thus the FWT can be blindingly fast. Importantly the DWT does not detect “frequency” as such but “sequency” I won’t go into it other than to say if you want to get seriously into cryptanalysis then sequency analysis should be on your knowledge list.
Clive Robinson • July 31, 2022 1:47 AM
@ SpaceLifeForm,
Part 7,
Knowing about tone detection and recovering any modulation is fairly essential knowledge for anyone doing Data Communications. Importantly as the world is going to “software defined” now fast “Analog to Digital”(A2D) parts are in the consumer price bracket knowing how to convert hardware circuits into software equivalents is an essential skill.
If you want to play around in this area “GNU Radio” is one tool that many use for prototyping their ideas.
Clive Robinson • July 31, 2022 1:49 AM
@ SpaceLifeForm,
Part 8,
[1] Copy of artical on Super-Regenerative Receivers by ‘Cathode Ray’ from ‘Wireless World’ of June, 1946.
Clive Robinson • July 31, 2022 1:52 AM
@ SpaceLifeForm,
Part 9,
[2] The UK “Diplomatic Wireless Service”(DWS) was an interesting organisation and had a very interesting technical history, probably more interesting than that of Bletchly Park. Unlike BP which became part of what was eventually GCHQ the DWP survived as a seperate entity for a lot longer. In the mid to late 1980’s when I had some involvment with the DWS it was still doing leading edge technical developments in both radio and crypto equipment. Unfortunatle little of this ever came to public notice,
http://alancordwell.co.uk/Legacy/hfradio/dwsint.html
However the design ideas behind the Piccolo HF teletype modem did get published,
https://www.nonstopsystems.com/radio/pdf-hell/article-hell-noise-teleprinters.pdf
Clive Robinson • July 31, 2022 1:55 AM
@ SpaceLifeForm,
Part 10,
[3] The Goertzel algorithm was originaly described by Gerald Goertzel in the late 1950’s. But it became of real interest in the 1980’s as it alowed software on 8bit CPU’s like the Z80 and later single chip microcontrolers to be used to do DTMF and similar multi tone decoding,
Clive Robinson • July 31, 2022 2:03 AM
@ SpaceLifeForm,
Part 12,
hxxps://netwerkt.wordpress.com/2011/08/25/goertzel-filter/
Clive Robinson • July 31, 2022 2:09 AM
@ SpaceLifeForm,
Part 14,
For some reason this link is causing the blog input problems, so I’ve split it up
[https://www].[embedded].[com/]
[the-goertzel-algorithm]
Clive Robinson • July 31, 2022 2:17 AM
@ Nobby, ALL,
Re : mea culpa
“Haven’t you mixed up *.cmd command file, which is merely a windows shell script aka bat-file, and *.com command file,”
Yes it should have been “.com” in my post not “.cmd”
I’ll blaim unseasonaly “hot and humid weather” for the UK and a “tired brain” 😉
Winter • July 31, 2022 3:29 AM
@ResearcherZero
A funny story about gas and penguins?
What always amazes me is how alike the Anglo-Saxon countries are in their politics and public delusions. AU, UK, and USA/CA are on opposite parts of the globe, but their people still continue to fall for the same ruses.
I have to admit the old proverb is true [1]:
Mundus vult decipi, ergo decipiatur,
[The world wants to be deceived, so let it be deceived]
[1] ‘https://en.wikipedia.org/wiki/Mundus_vult_decipi,_ergo_decipiatur
see also
Why do states bother to deceive? Managing trust at home and abroad
‘https://www.cambridge.org/core/journals/review-of-international-studies/article/abs/why-do-states-bother-to-deceive-managing-trust-at-home-and-abroad/7439BF57FC84C00C3000977A1B4303DFPDF: ‘https://www.researchgate.net/profile/Kurt-Jacobsen-2/publication/231857817_Why_do_states_bother_to_deceive_Managing_trust_at_home_and_abroad/links/612e33d438818c2eaf7135da/Why-do-states-bother-to-deceive-Managing-trust-at-home-and-abroad.pdf
SpaceLifeForm • July 31, 2022 3:37 AM
@ Clive
Good stuff. I observe two missing double digit primes less than 15.
I’ve never heard of Goertzel algorithm or Walsh Transforms.
So, thanks for the rabbit holes. I think. 🙂
SpaceLifeForm • July 31, 2022 4:58 AM
@ ALL
re: Musk v Twitter
Popcorn. More popcorn.
I recommend you read this for the observations. Which I have noticed.
‘https://www.teslarati.com/elon-musk-countersues-twitter/
SpaceLifeForm • July 31, 2022 5:48 AM
@ ALL
re: Bio-metrics can fail
‘https://9to5google.com/2022/07/30/pixel-6a-fingerprint-unlock/
Clive Robinson • July 31, 2022 7:21 AM
@ SpaceLifeForm, ALL,
Re : mea culpa
Sorry folks, parts 11 and 13 are not missing.
I incremented the count when trying to post another “attempt” that when it failed I did not decrement so incremented again on a later attempt (of which there were many[1])
Proves one thing though, I’m not upto the “idiot savant” capabilities of a computer, well maybe halfway there 😉
[1] I’ve no idea what is wrong with that URL, but I think I’m going to try a binary chop next time rather than just breaking into two paragraph sized pieces.
Clive Robinson • July 31, 2022 7:38 AM
@ SpaceLifeForm,
In the UK when bodies end up on the railway tracks, there is an unoficial TLA of “JFP” for “Jumped, Fell, or Pushed”.
From the reports the young man exited the aircraft around 3,500ft which is a low altitude, and atleast thirty miles from an airport.
Apparantly the aircraft reported loosing it’s right wheel…
I’ve no idea what type of aircraft it was, but in smaller aircraft with fixed undercarriage often used by people parachuting, opening the side door is normal and you usually get a good view of the undercarriage. So if the two pilots had felt the wheel detach they might well have lost hight and one tried to get a better visual inspection of what the damage was.
Clive Robinson • July 31, 2022 7:49 AM
@ SpaceLifeForm,
Re: Bio-metrics can fail
In this case I suspect it’s a hardware failing on the Google Pixel 6a which does not bode well (especially with the level of discounting you can get on it).
The logic is,
1, Only a very few 6a phones have this fault, if it were software you would expect many more.
2, Importantly the fault is to do with “recording and comparing” finger prints. So lets say a faulty sensor gives a very low resolution that gets recorded and all future reads will be as low a resolution in the same way so are much more likely to match due to the lack of fidelity.
If it is hardware, it’s going to be both a major headache for Google and a major expense…
Clive Robinson • July 31, 2022 8:02 AM
@ SpaceLifeForm,
Re: Musk v Twitter
Yup this is getting as exciting as an Agatha Christie, maybe we should call it,
“The case of the missing traffic”
Quite a few users have noted obvious changes and a significant down turn in what they see since this started.
This suggests a lot more than a 5% downward change in traffic.
So are twitter carrying out more bans of legitimate users?
Or,
Are the Teitter board trying to dig themselves out of the legal hole they dug for themselves with those highly questionable SEC filings?
Time to heat up some more oil, and chuck in another half cup of corn and finely grated hard cheese and then throw in a pinch or two of dried and ground jalapeno chillies and deeply smoked paprika into the mix…
Winter • July 31, 2022 9:11 AM
@Clive
Yup this is getting as exciting as an Agatha Christie, maybe we should call it,
“The case of the missing traffic”
I think it is more a Sherlock Holmes’ quote [1] (from Silver Blaze):
Holmes: “To the curious incident of the dog in the night-time.” “The dog did nothing in the night time.” “That was the curious incident,” remarked Sherlock Holmes.
JonKnowsNothing • July 31, 2022 11:37 AM
@All
re: 2020 Beirut Port Explosion & Grain Silos finally collapse
A small MSM article & video described how the giant grain silos at the port of Beirut have finally collapsed 2 yrs after the port explosion.
A few things to note:
- The silos were left standing
- The grain was left as-is after the explosion
- The grain was exposed to not only rodents but to the elements
- The grain began to ferment from effects of 2 years of weather (1)
- The grain fermentation process created enough heat to spontaneously combust
- The local fire brigade was unable to put out the fire and smoldering (2)
- The same principle technique used by renaissance sappers applied to the standing towers (3)
- The towers collapsed
- Huge waves of bad-for-you smoke rolled across the city
I have no idea why the damaged silos and contaminated grain was allowed to remain and left in place since 2020 and the article didn’t explain why it wasn’t cleaned up as a Public Health Hazard.
It does highlight some of the problems with long term grain and other commodity storage. The stuff sitting in ports is a major hazard (eg UKRvRU), it’s not only a humanitarian issue but it’s extremely dangerous to have stored for long periods. Such storage is meant for in-transit storage.
===
1) Deliberately fermented grains and grass is called Silage. It is commonly fed to cattle. A very large pile of feed is stacked or chopped up and sprayed into long plastic tubes where fermentation takes place. The density of the fodder pack determines the nutrient characteristics. It’s like sauerkraut for animals.
2) Low level smoldering of fires is a common problem with many over packed materials. Coal Seam fires and landfill automobile tire depots fires can run decades or longer.
Coal-seam fire
Tire fire
3) Sapper / The word “sapper” comes from the French word sapeur, itself being derived from the verb saper (to undermine, to dig under a wall or building to cause its collapse).
Clive Robinson • July 31, 2022 1:00 PM
@ JonKnowsNothing, ALL,
Re :
I have no idea why the damaged silos and contaminated grain was allowed to remain and left in place since 2020
Due to the actions of the West, the country is bankrupt.
Thus resourcess have to be triaged.
Another problem was the whole site and everything in it had become “toxic waste” and nobody wants that going down their road. So “store in place” would have been easier.
Then there are the on going legal issues with the ship that started the whole problem in the first place, then insurance, then… Such things are often never ending.
lurker • July 31, 2022 8:28 PM
@SpaceLifeForm
biometrics can be forged
There was recent discussion here on this (search-fu low today) where some guys at Cambridge showed how to persuade iOS some specially crafted garbage was the real owner’s finger.
I can’t use those systems: my current day job renders my fingers unreliable.
SpaceLifeForm • July 31, 2022 11:06 PM
@ Clive, ALL
The TLS certificate for nitter.net expired just over 2 hours ago. Not likely to re-rolled immediately.
Also, while chasing this down, I realized that my desktop FF (Debian Stable) during recent updates at some point, had enabled DoH.
I disabled it, partly for debugging reasons, but also because it was using CloudFlare to get the DNS info. When debugging, you want consistent views of DNS when using different tools.
In this case, it was not a DNS problem.
Using wget and curl, they both said expired certificate.
You can not work-around this by using plain http because the server is forcing a 301 redirect to https.
Confirmed with:
‘https://www.ssllabs.com/ssltest/analyze.html?d=nitter.net
Interestingly,
‘https://securityheaders.com/?q=nitter.net&followRedirects=on
Says everything is great, but apparently does not check expire timestamp.
Winter • August 1, 2022 1:06 AM
If this were a TV show, we would dismiss it as “Alarmist nonsense”. Read the articles and guess what the punishment and reparations to the victims are.
Double-double tracking: How Tim Hortons knows where you sleep, work and vacation
Tim Hortons is logging detailed location data of customers through its app — and many may not realize it’s happening at all
‘https://financialpost.com/technology/tim-hortons-app-tracking-customers-intimate-data
Using Places, Radar generated a JSON batch when the app thought I was at one of Tim Hortons’ competitors. There are snippets in the JSON code that read “event_name: user.entered_place,” and, a couple lines down, “place_chain_name: Starbucks.”
According to these batches, Tim Hortons was using the Radar service [1] to track me every time it thought I might have entered a Starbucks, Second Cup, McDonald’s, Pizza Pizza, A&W, KFC or Subway.
Notably, those fast-food outlets appear to be competition for Tim Hortons, as well as Burger King and Popeyes Louisiana Kitchen, two other fast-food chains owned by RBI.
Tim Hortons app violated privacy laws in collection of ‘vast amounts’ of sensitive location data
‘https://www.priv.gc.ca/en/opc-news/news-and-announcements/2022/nr-c_220601/
People who downloaded the Tim Hortons app had their movements tracked and recorded every few minutes of every day, even when their app was not open, in violation of Canadian privacy laws, a joint investigation by federal and provincial privacy authorities has found.
[1] From The Privacy Commissioner of Canada:
While Tim Hortons stopped continually tracking users’ location in 2020, after the investigation was launched, that decision did not eliminate the risk of surveillance. The investigation found that Tim Hortons’ contract with an American third-party location services supplier [Radar] contained language so vague and permissive that it would have allowed the company to sell “de-identified” location data for its own purposes.
There is a real risk that de-identified geolocation data could be re-identified. A research report by the Office of the Privacy Commissioner of Canada underscored how easily people can be identified by their movements.
Answer to punishment Tim Hortons and damages paid:
Tim Hortons to offer free coffee, doughnut to app users involved in privacy lawsuit
‘https://globalnews.ca/news/9024843/tim-hortons-app-coffee-doughnut-lawsuit-settlement/
Winter • August 1, 2022 1:18 AM
Nichelle Nichols, groundbreaking ‘Star Trek’ actor, dead at 89
Nichols and her “Star Trek” character Uhura broke barriers as one of the first Black female leads on television.
‘https://www.nbcnews.com/pop-culture/pop-culture-news/nichelle-nichols-groundbreaking-star-trek-actor-dead-89-rcna40857
I was a fan of Start Trek [1] when I was a boy. I never noticed she was black then, or rather, that was not something worth noticing among Asian and Russian crew members, or a Vulcan. But I did not live in the USA and those where different times.
[1] and before that, the Thunderbirds, I am that old
ResearcherZero • August 1, 2022 1:46 AM
@Winter
I might possibly have some Star Trek episodes on cassette, may have engaged in the odd ‘Star Trek Night’ with a good bottle of Irish whiskey, but don’t tell the captain.
–
How to graduate from geek to creep.
In 2012, a developer, “Shockwave™”, registered the domain imminentmethods[.]info, and in April 2013 started selling his “Imminent Monitor” RAT on online forums and at his site, which later changed to imminentmethods[.]net. Earlier in 2012, he had offered a Distributed Denial of Service (DDoS) tool, “Shockwave™Booter,” but seemed to drop that project in favor of his new RAT.
He proudly claimed “the fastest remote administration tool ever created using new socket technology that has never been used before.”
In 2014, Imminent Monitor started supporting third-party plugins. The first of these offered the ability to turn the webcam light off while monitoring. Shockwave™ wrote: “Hey, good job on being the first to release a plugin for Imminent Monitor.” – a plugin with an obviously illegitimate intent.
Legitimate remote access tools don’t need to hide and encrypt their logs. A crypter, allowing a “Fully UnDetectable” (FUD) client, only has one purpose: to attempt to evade antivirus detection.
“The keylogger: The logs are hidden, and encrypted, fast transfer of the logs aswell, with progress indicating how much of the log is downloaded”…
“The crypter: The crypter is really just a bonus feature, not always FUD but I try and do my best to keep it FUD.” [Sic]
https://unit42.paloaltonetworks.com/imminent-monitor-a-rat-down-under/
–
Big Data and Health
Millions of smartphone users confess their most intimate secrets to apps, including when they want to work on their belly fat or the price of the house they checked out last weekend. Other apps know users’ body weight, blood pressure, menstrual cycles or pregnancy status.
Unbeknown to most people, in many cases that data is being shared with someone else: Facebook.
The social-media giant collects intensely personal information from many popular smartphone apps just seconds after users enter it, even if the user has no connection to Facebook. The Federal Trade Commission has taken an interest in cases in which data sharing deviates widely from what users might expect, particularly if any explanation was hard for users to find.
https://www.osnews.com/story/129468/you-give-apps-sensitive-personal-information-then-they-tell-facebook/
As Heartbeat International says on its webpage marketing its data management system: “Big data is revolutionizing all sorts of industries. Why shouldn’t it do the same for a critical ministry like ours?”
The Meta Pixel is a piece of code that can be injected into any website to aid with visitor profiling, data collection, and targeted advertising.
It takes up the space of a single pixel, hence the name and stealthiness, and helps collect data such as button clicks, scrolling patterns, data entered in forms, IP addresses, and more.
Meta, Facebook’s parent company, prohibits websites and apps that use Facebook’s advertising technology from sending Facebook “sexual and reproductive health” data.
Facebook does not have an incentive to crack down on violations of its advertising policies, said Serge Egelman, research director of the Usable Security & Privacy Group at UC Berkeley’s International Computer Science Institute. “That costs them money to do. As long as they’re not legally obligated to do so, why would they expend any resources to fix this?”
Meta is already collecting data about people who visit the websites of hundreds of crisis pregnancy centers, which are quasi-health clinics, mostly run by religiously aligned organizations whose mission is to persuade people to choose an option other than abortion.
Using Blacklight, a Markup tool that detects cookies, keyloggers, and other types of user-tracking technology on websites, Reveal analyzed the sites of nearly 2,500 crisis pregnancy centers—with data provided by the University of Georgia—and found that at least 294 shared visitor information with Facebook.
Meta’s tracking code is present on 33 websites of the top 100 hospitals in the United States, and in seven cases, the code runs beyond password-protected patient portals.
According to the complaint, the 33 hospitals found to have the Meta Pixel collectively admitted over 26 million patients and outpatient visits in 2020 alone.
https://themarkup.org/pixel-hunt/2022/06/15/facebook-and-anti-abortion-clinics-are-collecting-highly-sensitive-info-on-would-be-patients
“Healthcare Defendants do not have the legal right to use or share Plaintiffs’ and Class members data, as this information is protected by the Health Insurance Portability and Accountability Act of 1996’s (“HIPAA”) Privacy Rule, which protects all electronically protected health information a covered entity like Healthcare Defendants “create[], receive[], maintain[], or transmit[]” in electronic form.”
https://www.documentcloud.org/documents/22123376-meta-lawsuit?responsive=1&title=1
Prior to the digital revolution, the information that a business could, as a practical matter, collect about consumers was limited and, generally speaking, relatively obvious to the consumer. That has changed dramatically in an age when consumers are using the Internet, mobile applications, and social media platforms to facilitate interactions throughout their daily lives.
According to the WSJ Article, data being sent to Facebook included information such as users’ heart rates, blood pressure readings, menstrual cycles, and even pregnancy statuses. In one such case, Flo Health, Inc. (“Flo”), a menstruation and fertility-tracking app used by more than 100 million consumers, sent Facebook data every time a user logged a period or told the app that she intended to get pregnant. The app would also send data whenever it was opened, apprising Facebook of where the user was in her menstrual cycle — noting “ordinary” or “period” to “ovulation” or “pregnant.”
…it is painfully obvious that laws and regulations in this area have plainly not kept up with technological advancement, and even with respect to categories of data that any reasonable person would deem extremely private and out of bounds, consumers currently are not adequately protected.
https://www.dfs.ny.gov/system/files/documents/2021/02/facebook_report_20210218.pdf
The generally applicable laws that constitute the current legal framework for the regulation of social media giants and their data analytics divisions are blatantly insufficient.
https://www.dfs.ny.gov/Twitter_Report
ResearcherZero • August 1, 2022 2:01 AM
MyHealth
“I implore Michigan residents to read the fine print in the user agreements for phone applications and programs because their registration often gives companies the right to sell personal information to other companies.”
“Be aware that your information may be sold to entities for other uses.”
https://www.detroitnews.com/story/news/local/michigan/2022/07/05/michigan-ag-issues-alert-health-apps-after-abortion-ruling/7810168001/
Privacy International (PI) investigated more than 100 mental health websites in France, Germany and the UK.
It found many shared user data with third parties, including advertisers and large technology companies.
The way information was being sold was “neither transparent nor fair and often lacked a clear legal basis”
https://www.bbc.com/news/technology-49578500
Big Tech has flirted with health care for years. Amazon’s direct entry into primary health care is a turning point. It will increase the perils of surveillance capitalism, with implications for everyone.
https://www.msn.com/en-us/news/technology/amazons-dangerous-ambition-to-dominate-healthcare/ar-AA104wMG
In an information civilization our lives are rendered as and mediated by information. But what is the quality of this information? Who knows this information? Who decides who knows? Who decides who decides who knows?
When human data are the hunted prey, a great deal of bait must continuously fill the traps. The bait was also part of the big taking, including all the web pages, the books, the music, the bodies, cars, shops, homes, classrooms, hospitals, maps of all territories, streets, buildings, houses… and all the news. The more bait, the more engagement, the more data extraction, the more predictions, the more revenues.
The giants and their ecosystems now own all the data about all the people, the data science and the scientists, the cables, computers, and clouds. They control the global market in knowledge production known as artificial intelligence and machine learning. They decide what becomes knowledge, who knows it, and to what purpose.
https://time.com/6173639/democracy-big-techs-dominance-shoshana-zuboff/
ResearcherZero • August 1, 2022 2:17 AM
“This report does not paint a pretty picture of the status of information technology acquisition and management by the Administrative Office of the U.S. Courts,”
“It is telling that the AOUSC refused to agree to implement any of the 18 recommendations GAO has included in its report, and these will be an intense focus of continued Congressional oversight. We will also expect the AOUSC to work with us to establish in statute [the] position of Chief Information Officer for the AOUSC as GAO recommended in its report.”
https://www.gao.gov/assets/gao-22-105068.pdf
As long as they can get our names and addresses correct, then we are all in good hands, right? At least the right person appeared in the court, they did check that didn’t they?
ResearcherZero • August 1, 2022 5:05 AM
Across the globe, governments are using social media surveillance tools to collect and analyse vast amounts of data on their own citizens.
“lack of transparency in government practices in terms of data-based surveillance has kept ASEAN citizens in the dark on how their information is being retrieved or how governments are blocking, distorting, and manipulating the information they receive.”
https://theaseanpost.com/article/internet-surveillance-and-censorship-asean
“The scope of the government’s intrusion is far larger than we ever imagined. It’s quite literally large-scale espionage,”
1,584,547 phone lines were bugged in 2021, representing over 20 percent of Telefónica’s customers in Venezuela. Government entities also requested metadata of 997,679 accounts, or 13 percent of users. …interception requests in Venezuela bypass judicial orders and are instead made by Conatel on behalf of the nation’s military, police and intelligence agencies, as well as the Experimental Security University, which trains police and security forces.
The true extent of the government’s surveillance remains widely unknown — after all, Telefónica is only one of Venezuela’s telecommunications providers…
https://www.washingtonpost.com/nation/2022/06/28/telefonica-wiretapping-venezuela-phone/
“Cell carriers, staffed with special law enforcement liaison teams, charge police departments from a few hundred dollars for locating a phone to more than $2,200 for a full-scale wiretap of a suspect.”
https://www.aclu.org/blog/privacy-technology/youre-getting-warmer?redirect=blog/technology-and-liberty/youre-getting-warmer
“Law enforcement tracking of cellphones, once the province mainly of federal agents, has become a powerful and widely used surveillance tool for local police officials, with hundreds of departments, large and small, often using it aggressively with little or no court oversight.”
https://www.nytimes.com/2012/04/01/us/police-tracking-of-cellphones-raises-privacy-fears.html
“in the context of big data, individual events are meaningless”
https://www.eweek.com/security/big-data-surveillance-is-real-purpose-of-huge-nsa-phone-record-sweep/
The mobile network/ SIM-card operators themselves have the ability to intercept and record all of the data about visited websites, who called or sent SMS to whom, when, and what they said.
Your Wi-Fi internet provider offers DNS as part of your service, which means your provider can also log your DNS traffic — in essence, recording your entire browsing history.
Any mobile network operator can also precisely calculate where a particular subscriber’s phone is located whenever the phone is powered on and registered with the network. The ability to do this is called triangulation.
https://infosecwriteups.com/smartphone-surveillance-techniques-f9e206c5c456
Dirt Boxes
https://theintercept.com/surveillance-catalogue/
“The boxes used by the program allow planes to pose as the nearest cell phone tower, which prompts cell phones under surveillance to disclose their location and identity information, even if a legitimate tower is closer than the plane overhead.”
https://resources.infosecinstitute.com/topic/cellphone-surveillance-the-secret-arsenal/
Cessna aircrafts fly from at least five airports near major cities, effectively allowing them to surveil most Americans.
https://www.businessinsider.com/us-spy-program-targets-americans-cellphones-2014-11
Venntel
DHS has paid a government contractor named Venntel nearly half a million dollars for access to a commercial database containing location data mined from applications on millions of Americans’ mobile phones.
https://www.wyden.senate.gov/news/press-releases/wyden-warren-brown-markey-schatz-push-for-investigation-of-cbp-phone-location-data-surveillance-program
Veraset
“Veraset refuses to reveal even how they get their data or which apps they purchase it from, and I think that’s because if anyone realized that the app you’re using” also “opts you into having your location data sold on the open market, people would be angry and creeped out.”
https://www.eff.org/deeplinks/2021/11/data-broker-veraset-gave-bulk-device-level-gps-data-dc-government
PenLink
PenLink’s trade is in collecting and organizing that information for police as it streams in from the likes of Facebook and Google.
The contract requires PenLink, at a minimum, to help wiretap a large number of providers, including AT&T, Iridium Satellite, Sprint, Verizon, T-Mobile, Cricket, Cablevision, Comcast, Time Warner, Cox, Skype, Vonage, Virgin Mobile and what the government calls “social media and advertising websites” such as Facebook and WhatsApp.
https://www.forbes.com/sites/thomasbrewster/2022/02/23/meet-the-secretive-surveillance-wizards-helping-the-fbi-and-ice-wiretap-facebook-and-google-users/
ResearcherZero • August 1, 2022 5:19 AM
“in the context of big data, individual events are meaningless”
It’s your behavior that is suspicious…
“Sharp Eyes is one of a number of overlapping and intersecting technological surveillance projects built by the Chinese government over the last two decades. Projects like the Golden Shield Project, Safe Cities, SkyNet, Smart Cities, and now Sharp Eyes mean that there are more than 200 million public and private security cameras installed across China.”
“In 2013, the local government in Pingyi County began installing tens of thousands of security cameras across urban and rural areas — more than 28,500 in total by 2016. Even the smallest villages had at least six security cameras installed, according to state media.”
“Those cameras weren’t just monitored by police and automated facial recognition algorithms. Through special TV boxes installed in their homes, local residents could watch live security footage and press a button to summon police if they saw anything amiss. The security footage could also be viewed on smartphones.”
https://cset.georgetown.edu/article/chinas-sharp-eyes-program-aims-to-surveil-100-of-public-space/
That guy is running, and it looks suspicious to me…
https://www.youtube.com/watch?v=USEUcO1PKwU
The National Computing Power Network
China seeks to become the global leader in technologies emerging from advancements in artificial intelligence (AI) and data analytics. This strategy has the dual objectives of accelerating the transformation of China’s own economy and building the nation into a cyber power.
https://www.nbr.org/publication/chinas-data-ambitions-strategy-emerging-technologies-and-implications-for-democracies/
The purpose of China’s Nationally Integrated System of Big Data Centers is to generate computing power; in fact, the system is sometimes simply called the “national computing power network.” When complete, it will process lots of data, fast. All the data.
First, Eastern Data Western Computing provides top-level design for China’s Computing Power Network. Eastern Data Western Computing will eliminate redundancies and inefficiencies in the overall national computing power layout. In particular, the plan improves the “imbalance in data center supply and demand” by transferring data from China’s more developed eastern region where most data resides to its less developed but energy-rich western region where it will be processed.
Second, China is positioned to construct the world’s leading ultra-large-scale market for data. With China’s immense set of data resources, Eastern Data Western Computing will help drive the “marketized” allocation of data elements and better reveal the value of data as a productive resource. The goal is not just simply a national market for data, it is the “world’s leading” ultra-large-scale data market (一体化超大规模数据要素市场) with national and global reach.
Third, global competition will be increasingly focused on data. As the most important factor of production in the digital age, data is comprehensively reconstructing global production, distribution, and consumption and is “becoming the high ground in the competition between major countries (成为大国间竞相争夺的制高点).”
Fourth, computing power joins data, algorithms, and application software as the key resources of a digital economy. China’s future international competitiveness is dependent on its digital economy. And the future of China’s digital economy is dependent on the development of this economy’s key resources (computing power, data, algorithms, and applications) as well as the coordinated governance and control of these resources through a Nationally Integrated System of Big Data Centers.
Eastern Data Western Computing is just the latest announcement in China’s accelerating drive for Digital China “to win the future.”
China’s current “in-advance” policy of digital infrastructure construction (build the infrastructure first and the other key digital economy resources will follow) characterizes this thinking in concrete terms.
https://nationalinterest.org/blog/techland-when-great-power-competition-meets-digital-world/how-china-will-dominate-global
Leaders in Beijing wanted to urge economic officials, directors of various research bodies and tech entrepreneurs to join their efforts in implementing the “state big data strategy”.
https://www.scmp.com/news/china/economy/article/2086229/beijing-thinking-big-switch-big-data-economy
“The CCP [has used] technology to make its Gordian knot of political control inseparable from China’s social and economic development.”
https://www.lowyinstitute.org/publications/digital-authoritarianism-china-and-covid
Clive Robinson • August 1, 2022 7:02 AM
@ Bruce, ALL,
Re : Break PQC SIKEp434 in an hour.
An efficient key recovery attack on SIDH
Not had time to digest this yet, but it is interesting.
“We present an efficient key recovery attack on the Supersingular Isogeny Diffie-Hellman protocol (SIDH), based on a “glue-and-split” theorem due to Kani. Our attack exploits the existence of a small non-scalar endomorphism on the starting curve, and it also relies on the auxiliary torsion point information that Alice and Bob share during the protocol. Our Magma implementation breaks the instantiation SIKEp434, which aims at security level 1 of the Post-Quantum Cryptography standardization process currently ran by NIST, in about one hour on a single core. This is a preliminary version of a longer article in preparation.”
https://eprint.iacr.org/2022/975
The 15page pre-print,
https://eprint.iacr.org/2022/975.pdf
Enjoy.
SpaceLifeForm • August 1, 2022 7:23 AM
@ Bruce, Clive, ALL
Re : Break PQC SIKEp434 in an hour.
I thought I mentioned this over a week ago, but maybe it was a slightly different attack.
I would not chase the Quantum Crypto Ghost thru the swamp unless you like to bleed.
Clive Robinson • August 1, 2022 8:15 AM
@ SpaceLifeForm,
Re : Break PQC SIKEp434 in an hour.
“I thought I mentioned this over a week ago, but maybe it was a slightly different attack.”
The IACR site gives,
“2022-07-30: received”
Which is less than a week ago, are we talking about the same thing?
To be honest these attacks are not coming through as thick and fast as I was expecting… After all for many this will be the “one shot” of launching their name thus career up a league or two.
Clive Robinson • August 1, 2022 8:42 AM
@ JonKnowsNothing,
Re : Google Technology Rights Striping.
You might be aware of the problem, but it’s only going to get worse,
https://docs.google.com/document/d/1f6HPQbUjslcbjVHkJkAgYmQmBV3PRRHEcx4WL5rxuE8/preview
Clive Robinson • August 1, 2022 9:22 AM
@ SpaceLifeForm,
Re : Down spin of Intel.
You will probably find this of interest,
https://www.nextplatform.com/2022/07/29/intel-let-the-chips-fall-where-they-might/
Especially the comments…
Winter • August 1, 2022 9:33 AM
@Clvie
You might be aware of the problem, but it’s only going to get worse,
What I see there has nothing to do with Google, and everything with the third world nature of US public/government services.
That poor people cannot access social security or government services is the sole and only responsibility of the US local, state, and federal institutions that supply these services.
If Americans want to believe in smaller and less government, this is exactly what that means.
&ers • August 1, 2022 1:33 PM
@Clive
This time i need your help.
I’m planning to leave my country,
things are getting bad here. Initial destination : UK.
Can you please suggest me any good infosec company
in UK to connect with? Before leaving i need a job there.
Thanks!
Clive Robinson • August 1, 2022 2:42 PM
@ &ers,
“Initial destination : UK.”
First thing if you do decide to come to the UK, is to travel direct, do not travel via any other country (international law requirement).
The next problem is even if you are recognised as a “refugee”, you very probably will not be able to work when you get here or draw benifits. As that is the prevailing attitude of the current political incumbents, even though we have a tech skills shortage in the UK.
Apparently the UK Governments current plan believe it or not is to still ship anyone and everyone, especially single males who are almost always,treated as illegal economic migrants, not refugees back out to another country first stripping them of any valuables etc.
The chosen destination being Rwanda… Apparently the East African nation which saw terrible civil insurection and slaughter not so long ago has agreed a £120million deal. Unlike Albania and Ghana who were both previously aproached and said no.
Whilst there are supposadly legal ways in via work visas, apparantly they currently are impossible to obtain for several reasons. One being “Ukranian refugee families” are blocking up the system…
There is also another issue which is “sponsorship”. Somebody has to not just sponsor you but pay many thousands of pounds. You also have to pay significant sums as well.
What all the current rules are I’ve no real idea any more, just that you need a legal specialist to avoid very large fines and similar for getting even the tiniest thing wrong…
Clive Robinson • August 1, 2022 3:41 PM
@ &ers,
One way in with minimal requirments is via an “inovators visa” (See UK Gov website),
https://www.gov.uk/innovator-visa
One approved “Sponsoring Organisation” is
Basically pitch a cyber-security idea and get start-up funding.
There is also a Robotics for the likes of industry and transportation “sponsoring organisation”.
Otherwise you are looking for either a “global talent visa” as a researcher,
https://www.gov.uk/global-talent-researcher-academic
Or a “Skilled Worker Visa”,
https://www.gov.uk/skilled-worker-visa
There is another way if you want to get into the UK, that is via the CTA which long predates the UK membership of the EU. Basically where you are a citizen of Ireland, Isle of Man, or Channel islands.
I’m told by someone who got Irish Citizenship quite a few years ago who was from an East European nation then outside of the EU that it was the “easier route” likewise some people with dual South American – Portuguese/Spanish nationality.
SpaceLifeForm • August 1, 2022 6:35 PM
@ Clive
Re : Down spin of Intel.
Yes, good comments. Intel is definitely bleeding. They probably lost their path in the Go-Faster Forrest.
Look at it this way, most people do not need lots of cpu cores with high clock rates, and a simpler RISC cpu that uses less power is sufficient.
So, their market these days is probably going to cloud. And I would not count on that being a growing, profitable market.
One way for Intel to regain some respect from the marketplace would be to start seriously addressing the problems in microcode. And backfix old kit.
Because those problems are a disincentive to use Intel kit from a security perspective.
lurker • August 1, 2022 6:55 PM
@Winter, Tim Hortons app violated privacy laws . . .
There’s an app for that? Why?
SpaceLifeForm • August 1, 2022 8:01 PM
@ Clive
Re : Break PQC SIKEp434 in an hour
I know I read about it on Twitter, but I can not find the specific article I earlier read.
This is close enough. SIKE and SIDH.
Do not chase the Quantum Crypto Ghost thru the swamp.
Get as much of your infrastructure you can to use ECC with a SafeCurve.
‘https://ellipticnews.wordpress.com/2022/07/31/breaking-supersingular-isogeny-diffie-hellman-sidh/
- Does it break ECC?
No. The attack assumes the degree of the isogeny is known, and that is exactly the secret key in ECC. There is no particular reason to think attacks on SIDH lead to attacks on ECC.
- Implications for PQ crypto
There is no doubt that this result will reduce confidence in isogenies. The sudden appearance of an attack this powerful shows that the field is not yet mature. The relatively recent attack by Ward Beullens on Rainbow has a similar impact on multivariate crypto.
Also see the comments here
‘https://news.ycombinator.com/item?id=30466063
SpaceLifeForm • August 1, 2022 9:34 PM
@ Clive, ALL
So, nitter.net is functioning again. In a much better, expected fashion.
Via Observation, I suspect the prior 90 day TLS Certificate was MITM-ed.
I will note later if or when I Observe behaviour changes. But, hey, what do I know when it comes to that which I think I can Observe?
Winter • August 2, 2022 1:47 AM
@Lurker
There’s an app for that? Why?
My partial understanding is that the location has to do with ordering coffee and knowing to which Hortons it should be send. But that sounds idiotic to me too, so that might not be the whole story. Maybe some kind of loyalty card stuff?
However, the point is that the app shows Hortons has no concept of privacy at all. Clients to Horton are not better than whales are to a whaler.
SpaceLifeForm • August 2, 2022 2:21 AM
@ ALL
ANOM source code
‘https://www.abc.net.au/news/2022-07-29/police-to-share-coding-of-an0m-app/101281212
Clive Robinson • August 2, 2022 6:11 AM
@ SpaceLifeForm, ALL,
Re : PQC Breaking
I think we can take it as read that it’s not just going to be SIKE/SIDH.
Which is part of the reasoning behind your,
“Get as much of your infrastructure you can to use ECC with a SafeCurve.”
But we need to think a little more generally or with broader brush strokes, if we are to avoid the “Hamster Wheel of Pain”. That is what crypto is it that QC threatens and by how much overly broadly (for simple listing 20,000ft view),
1, Asymetric – full break.
2, Symetric block – weakening.
3, Provably secure – not at all.
Which means no change required for OTP or similar where the unicity distance is as great as the ciphertext length.
Due to the equivalent of the “birthday attack’ symmetric crypto needs to square the keyspace for equivalent security. Which is effectively double the number of bits.
Symmetric crypto, using QC vulnerable maths we basically need to replace with something else.
Two problems,
1, We are not sure what math is and is not secure against QC.
2, The applications we mainly use asymmetric crypto for, are in effect only possible with because of that math.
Loosely the math concerned so far is a subset of “One Way Functions”(OWF) with secure “Trap Door Functions”(TDF).
The two main uses are,
1, Key negotiation and exchange systems for other crypto.
2, Authentication of digital assets via signing.
If QC breaks the maths, so we can nolonger do Key Exchange or “Bag of Bits”(BoB) signing would it actually matter?
Well we were exchanging secret keys and signing information hadndreds if not thousands of years before the math…
Logic therefore says we can, all be it differently, still do them.
So maybe we should consider that there is no such thing as a QC proof OWF with TDF and design our systems and processes accordingly…
Clive Robinson • August 2, 2022 7:20 AM
@ SpaceLifeForm,
Re : Nitter Behaviours
Via Observation, I suspect the prior 90 day TLS Certificate was MITM-ed.
That I can not say… as the primary behaviour I was seeing was indicatiors the site was getting overloaded in several ways such that resources were being well and truly exhausted or load balancing was kaput…
JonKnowsNothing • August 2, 2022 8:03 AM
@ Clive , @ &ers,
BHTM v2 t3 P1
re: First thing if you do decide to come to the UK, is to travel direct, do not travel via any other country (international law requirement).
This is really important point; if people have any hope at all of getting a visa or permit to stay. Many countries have a similar policy that the USA calls “First Safe Third Country”.
- “Under the agreement, persons seeking refugee status must make their claim in the first country in which they arrive.”
If you transit through or via any country before you hit the USA borders, you may not be allowed to remain or get a visa and can be permanently barred from retry. It’s a nasty business designed to prevent anyone that is not on the “official list” from entry.
There are 4 travel paths to USA: Canada, Mexico, Oceans and Air. If you travel into Canada and/or Mexico and then attempt to cross the US Border from those points, you will be denied entry because both Canada and Mexico are considered “safe” for this purpose.
There are “come ons” that will tout access via enlistment in US Armed Services or via working for USA government institutions overseas (consulates, translation services) but these are highly variable and a good number of people either are “left behind” or at the end of their military service period are deported due to “you forgot to file the paperwork” or using any of the current “bad character” exclusions. The US military will wait until you complete your enlistment before handing you over to ICE because “you stole an apple when you were 10”.
It should be noted that anyone who is a “Naturalized US Citizen” is subject to the application of these “bad character” actions. This means stripping you of US Citizenship and Deporting you to any country that will take you. You do not need to have any contacts, history, support system or speak the language(s) in the selected destination.
Getting legal assistance and getting immigration paperwork completed, is not easy and not cheap. For people leaving their home countries under duress, it’s nearly impossible to obtain in a timely manner. The expense is astronomical, 10s of thousands of dollars per application, for every application or reapplication or submission and for every renewal of permit.
As Clive pointed out, being able to work or being able to use social services or health care is excluded from these permits. “No social services, No work income, No burden” are demands of the system. If you are at all successful, you will need a bank account with $250,000+ USD as proof of independence. If you can pledge $350,000+ USD for any business development, you will be eligible for an easier visa path.
iirc The UK laws, AU laws, NZ laws are similar. Places like Poland and the Eastern Edge of the EU have more draconian versions.
JonKnowsNothing • August 2, 2022 8:06 AM
@ Clive , @ &ers,
BHTM v2 t4 P2
Search Terms
Asylum_in_the_United_States
- Majority of asylum claims in the United States fail or are rejected.
JonKnowsNothing • August 2, 2022 8:09 AM
@ Clive , @ &ers,
BHTM v2 t6 P3
Canada–United States Safe Third Country Agreement
- persons seeking refugee status must make their claim in the first country in which they arrive, between either the United States or Canada, unless they qualify for an exception. For example, refugee claimants who are citizens of a country other than the United States who arrive from the US at the Canada–United States land border can only pursue their refugee claims in Canada if they meet an exception under the Safe Third Country Agreement.
JonKnowsNothing • August 2, 2022 8:14 AM
@ Clive , @ &ers,
BHTM v2 t8 P4 Road Rash.
It is just a definition of one of the words in the post.
Leon Theremin • August 2, 2022 9:01 AM
Here is a report of an anti-terrorism activist having “computer issues”.
- browser windows closed automatically.
- browser did not start again.
- internet connection did not work at all.
- suddenly, airplane mode was turned on.
- Even after unplugging and again plugging the WiFi adapter, nothing worked.
- Restarting the computer did not help.
- LinkedIn suddenly showed the registration page instead of the login page.
- When pressing the return key to start certain website services, the respective window closed.
https://www.linkedin.com/posts/activity-6960034365716242432-ukxg
Which kind of malware could this be? BadBIOS I say. Agree?
lurker • August 2, 2022 1:35 PM
@Leon Theremin, “Which kind of malware could this be?”
Linkedin? Considered by some to be malware at least half as bad as FB. Why do we continue to see stories of XXX activists who persist in visiting sites with a history of leaking, and not using any sandbox or airgap?
lurker • August 2, 2022 1:45 PM
@Winter
IIRC it was St Steve who said “There’s an app for that” for some trivial function. I was once shown an “app” by a proud student: it was nothing more than a database including pictures and sound. The whole thing could have been done server-side, SQL-PHP-CSS.
Loyalty cards and location awareness are peripheral. Once there’s an app running on your device it’s game over.
Winter • August 2, 2022 1:51 PM
@lurker
Loyalty cards and location awareness are peripheral.
The loyalty card is just some trinket to get it installed. Loyalty cards themselves are invented to track clients. An app is just a better tracker.
SpaceLifeForm • August 2, 2022 7:09 PM
@ Leon Theremin, lurker
Just reading the bullet points, and seeing the domain mentioned. Yes, about the same as FB, Both are bad.
If one avoids both, less issues.
Kangaroos can be Brutal.
If still not clear, try Windex.
Clive Robinson • August 2, 2022 9:32 PM
@ SpaceLifeForm,
“If still not clear, try Windex.”
That ammonia based, thus both poisonous and corrosive product[1], is not available in a number of places outside the US. So unless people living in such places have seen “My Big Fat Greek Wedding” where Gus thinks it cures all evils so tells everyone to “Put Windex on it”[2]…
In fact Windex and many organic chemicals do not play well when it comes to your wellbeing[3].
[1] Strangely there are a number of cocktail drinks named on/after Windex. One uses liberal amounts of 40% “blue lable” vodka from the freezer and Blue Curacao over ice… Best not to get them mixed up… Though I’d consider both “Harmful to health and wellbeing”…
[2] Please do not get Windex on any part of you at any time, those words “Poisonous” and “Corrosive” have real meaning. Apparently one use of Windex is killing ant/termites and all manner of other insects that come crawling into your house, then breaking their corpses down….
[3] Never mix Windex and other cleaning products together. Especially those containing bleach. Remember Windex like many other glass de-greasers uses Ammonia. The gas given off “chloramine” has “Toxicological disadvantages” or if you prefer “kills people”. Even in very low concentrations it can make your eyes burn. See more at,
https://www.goodhousekeeping.com/home/cleaning/tips/a32773/cleaning-products-never-mix/
SpaceLifeForm • August 2, 2022 9:35 PM
@ Clive, ALL
Re : Nitter Behaviours
It always gets slow at times. That is a given because nitter does not have lots of network infrastructure, and there are many users.
But, there were two other behaviours that, so far, seem to have disappeared.
One was 429 (rate limited).
The other was that a twitter user had no posts, even though I knew they did.
Those two symptoms seem to have disappeared. For now.
Note/Hint: The entire chain of trust regarding the nitter.net TLS Certificate are all using RSA, none are ECC.
‘https://www.ssllabs.com/ssltest/analyze.html?d=nitter.net
Also, the reason I prefer nitter even though I am only reading, is that twitter will nag you to signup, which is a workflow disruption.
Twitter trying to force engagement is actually discouraging engagement. I do not believe they have thought thru the UX. Or, maybe that is the point. They want to collect your PII. They want suckers to sign up.
Forcing engagement is what FaceBook and LinkedIn also try to do. To collect PII.
Oh! A squirrel
Turnip truck rolls on.
SpaceLifeForm • August 2, 2022 10:32 PM
@ Clive, ALL
Yogi: It’s deja vu all over again
So, I turn on this channel, and this is on:
‘https://m.slashdot.org/story/402974
Net quarterly loss of $1.062 billion compared with a loss of $299.3 million in the same quarter of last year. The quarterly loss is almost exactly twice the company’s revenue in the last 12 months. As of June 30, the carrying value of the company’s 129,699 Bitcoins was $1.988 billion, the company said, reflecting the cumulative impairment loss of $1.989 billion. The cumulative amount is now more than Bitcoin on the company’s balance sheet.
Yep, it is about cryptocurrency money laundering.
There is a link at top of article. Me, thinking this a sitcom that I believe I may have seen before, I guess that I know where the link points to.
Sure enough, I was correct. [Redacted]
Yogi: It is amazing what you can observe just by watching.
Intel: Popcorn please.
Yogi: When you come to the fork in the road near Tysons Corner, take it.
SpaceLifeForm • August 2, 2022 11:21 PM
@ Clive
Re : PQC Breaking
Ars comment, page 3 from handle “sqrt(-1)”
‘https://arstechnica.com/information-technology/2022/08/sike-once-a-post-quantum-encryption-contender-is-koed-in-nist-smackdown/?comments=1&start=80
I suspect they were paranoid about insider attack. Drive cloning.
Something about root of trust.
SpaceLifeForm • August 3, 2022 12:52 AM
@ ALL
If you just reject Software Patents, metric gigatons of nonsense disappears.
Society: No, Entity X, you do not get a software patent.
Society: Any foreign software patents are inapplicable here.
Lawyers: Not fair! We need billable hours!
‘https://www.theregister.com/2022/08/02/ai_patent_reform/
Clive Robinson • August 3, 2022 3:35 AM
@ SpaceLifeForm,
Re: Something about root of trust.
I’d need to know more to say…
But I suspect we are talking about “Red_Pike” not “Rambutin” from CESG. Both eneded up getting used in the failed NHS Spine “World’s Largest ICT Disaster” project[1].
https://en.m.wikipedia.org/wiki/Red_Pike_(cipher)
Our host, and UK Cambridge labs Ross J. Anderson, and Markus Kuhn have written about it.
From a basic description, Red_Pike,
“64bit… uses the same basic operations as RC5 and “has no look-up tables, virtually no key schedule and requires only five lines of code” With “the influence of each key bit quickly cascades” and “each encryption involves of the order of 100 operations”.”
Hearing it works only with “add, XOR, and left shift” you would expect the cipher is going to be quite linear on a per operation basis, hence you would not expect it to be particularly strong even with a lot of operations.
With all these “software” implementations being the way described by sqrt(-1) it’s realy obfuscation, so it was not surprising what appears to be the algorithm got posted to the Cypherpunk mailing list.
I’ve not looked at the alledged code yet, so have no comment to make on the cipher it’s self.
But I suspect that Red_Pike was cooked up by/for CESG as a “let them eat cake” solution, rather than as serious crypto.
[1] The idea was to connect up the entire UK Health System onto a computer network so your medical records could be availavable anywhere at any time, so a “best diagnosis” could be made in emergancies and such like. Obviously this involved Privacy of Records, which is what the crypto was used for. Because it had to be put on Win XP and lower MS OS machines a software cipher was required for end users systems.
[2] If the 100 Comments page is to be believed he was here yesterday asking a question, about an author relating to TEMPEST documents,
https://www.schneier.com/blog/archives/2009/01/the_discovery_o.html/#comment-408515
Clive Robinson • August 3, 2022 7:01 AM
@ Moderator, SpaceLifeform,
I have just posted a response to @SpaceLifeForm, and it came back held for Moderation
Can you please get it through moderation as I can not see any reason at all for it to be held.
SpaceLifeForm • August 3, 2022 7:09 AM
@ Clive, Markus Kuhn
re: Observation on recent 100
I’m kinda scratching my head wondering what rabbit hole he went down that led him back to that 2009-01-20 article.
I can understand if he started with the SIKE/SIDH news, but to chain back to the TEMPEST article is, well, interesting. Obviously, the tags would explain it, but for him to get back there, and have that specific question is interesting.
So, Dr. Kuhn, do you having any interesting dots to share that you found on your travels?
Clive Robinson • August 3, 2022 7:46 AM
@ SpaceLifeForm, Markus Kuhn,
Re : Observation on recent 100
“I’m kinda scratching my head wondering what rabbit hole he went down that led him back to that 2009-01-20 article.”
I suspect you may not remember Dr Kuhn’s research speciality at Cambridge was “TEMPEST” related subjects, specifically minimising the signal energy towards or below the “noise floor”
Thus I suspect the answer will in effect be “area of research speciality” especially when seaking out information the NSA, GCHQ et al are still keeping hidden for some reason.
As our host @Bruce once said the way to keep digging, especially with FOI requests is to gather threads and pull on them.
The question Dr Kuhn is asking is based on finding an anomaly in what can be seen. This may indicate the start of a new thread to pull on.
That is if “Jeffrey Friedman” worked at the NSA as a researcher or historian, then the chances are good he has written other documents that are in the NSA archives. If such documents are either research or historical, they would almost certainly lift the corner of the curtain a little further.
SpaceLifeForm • August 3, 2022 9:11 AM
@ Moderator, Clive, ALL
re: Held for Moderation
So I did some testing. Yeah, there I go again.
Clive, your comment would have been comment_id = 408538 or 408539 to post_id = 65677
I see them both as ‘held’. Did you try twice? If you only did it once, then someone else ran into the problem at nearly the same time.
I tested using variations of
‘https://www.schneier.com/comment-thankyou/?post_id=65678&comment_id=408537
That particular comment corresponds to
‘https://www.schneier.com/blog/archives/2022/08/surveillance-of-your-car.html/#comment-408537
Which is visible.
But, using post_id=65677 (this article), and comment_id=408538 or 408539 says ‘held’. 408541 and 408542 are me and you, they are visible. 408540 is somewhere, but on a different article (post_id). I did not chase that down.
Here is what is interesting. If you come up with a nonsense post_id, it does not change the results.
For example, changing the post_id on the thankyou link does not effect the results. I tried it with a higher numbered post_id that does not exist yet but with a valid comment_id.
Having the post_id as a parameter on the thankyou link is useless.
But, it gets better. If you come up with a comment_id that does not exist yet, it still reports it as ‘held’.
So, if the blog software, for whatever reason, gets a No Rows Found condition on a SELECT, it defaults to lying thru it’s teeth and just reporting ‘held’.
Therefore, the next question is: Did it ever really get to committed to the database or not?
Because if there is a bug that prevents a database COMMIT in the first place, or the MariaDB software is so buggy that there exists silent failures, it will appear to the Observer that it was ‘held’.
I’m thinking about the malloc problems again, but it may also be that some parts of the blog software are just flat out not checking for errors properly.
You know the scoop. Hastily assembled code stack, missing error checking, lack of testing, horrible specifications, no way to bubble up error conditions thru the stack so that they become user visible and can be reported.
Just plain and simple Silent Failure.
My hunch is that comment_id = 408538 and comment_id = 408539 are NOT in the database.
They were silently lost. Immediately. Never survived to the database.
SpaceLifeForm • August 3, 2022 10:07 AM
@ Moderator, Clive, ALL
re: Held for Moderation
Wow. This is some really messed up software.
Horrible stuff.
As I noted above, the post_id parameter to the thankyou page can be varied to be nonsensical and not related to the comment_id.
So, I test again, this time removing the parameter from the URL, because it apparently is being ignored.
But, no, we can’t have nice things.
Repeating for clarity:
This says ‘approved’.
‘https://www.schneier.com/comment-thankyou/?post_id=65678&comment_id=408537
That particular comment corresponds to
‘https://www.schneier.com/blog/archives/2022/08/surveillance-of-your-car.html/#comment-408537
Changing post_id to a non-existent post_id
‘https://www.schneier.com/comment-thankyou/?post_id=79999&comment_id=408537
Also says ‘approved’.
So, the post_id has no bearing on the status of the comment.
Therefore, the post_id parameter means nothing, and therefore it is not needed to determine the status of a comment, right?
Wrong.
This comment_id in ‘approved’ status
‘https://www.schneier.com/comment-thankyou/?comment_id=408537
Just says ‘Thank you for your comment’
This comment_id in ‘held’ status
‘https://www.schneier.com/comment-thankyou/?comment_id=408538
Just says ‘Thank you for your comment’
Spot the difference?
You can not see the status of a comment unless you have a post_id parameter, even though it is ignored.
Non-existent comment says ‘held’
‘https://www.schneier.com/comment-thankyou/?post_id=1&comment_id=409999
Non-existent comment says ‘thank you’
‘https://www.schneier.com/comment-thankyou/?comment_id=409999
This is seriously [REDACTED].
Clive Robinson • August 3, 2022 12:47 PM
@ SpaceLifeForm,
Re : This is seriously [REDACTED]
I’ve not dug into it due to UK legislation issues.
But I can see how such issues could arise with “long term development” with many release points.
Actually designing even simple blog software can quickly become messy as just a few features are added, that appear “simple” to a non expert eye are infact full of quite nasty traps for the unwary.
lurker • August 3, 2022 3:41 PM
@SpaceLifeForm re Software Patents
The meetings . . raised important questions . . should [AI] algorithms be patentable?
This was all debated eloquently by the denizens of Groklaw more than ten years ago. Apropos the recent tendency to return to fundamental literalism, “art” had a specific meaning. The created object or idea had to be appreciable to a human observer.
I agree, the question will be decided on billable hours, not logic.
vas pup • August 4, 2022 5:22 PM
OrganEx may save donor organs by ‘telling’ cells not to die
https://www.dw.com/en/organex-may-save-donor-organs-by-telling-cells-not-to-die/a-62697834
“The technology has two parts. One is a device that simulates the heart and lung function of a living mammal and pushes a mix of blood and a drug cocktail to the organs.
The other is the drug cocktail, or synthetic perfusate. This liquid is made up of 13 chemical compounds and contains drugs that are already in clinical use to target issues such as cell death and coagulation.
One hour post-death, the pigs, who had been anesthetized so they could not feel their hearts being stopped, were hooked up to the OrganEx machine. The machine has sensors that transmit information about metabolic and circulation parameters in real time. Then the system pumped the perfusate to the animal’s organs for six hours.”
Clive Robinson • August 4, 2022 7:42 PM
@ SpaceLifeForm, ALL,
Re : TSCM, Cyber Security & China.
Following on from the Intel post the other day you are probably aware that TSCM has now apparently got greater revenues…
But you might not be aware the TSCM chairman has just had a chat with Nancy Pelosi who dropped in to Taiwan to meet various people[1].
One subject that almost certainly would have come up, is the supposed 2trillion USD “Chips Act”…
It’s said that 70% of chips used in US manufacturing come from TSCM fabs[2]. Further that the loss of those fabs should China invade Taiwan would bring the US economy not to a stand still, but major recession.
However it would probably be worse than that for the US consumer. The loss of TSCM would also have a very significant effect on China as well. Whilst TSCM only sell to China’s consumer industry, much of that output actually does not go to China, but in exported products to bring foreign currency into China (which it badly needs). A very big chunk of that export even now is to the US…
However China appears committed to ramping up aggression and has caused a number of significant Security issues including Cyber attacks over the past couple of days,
https://www.theregister.com/2022/08/04/taiwanese_military_reports_ddos_in/?td=keepreading
[1] Apparently “Anonymous” hacked a couple of Official State Chinese web sites upsetting the CCP by posting “Welcome Nancy” type messages and causing the sites to be taken down for a while.
[2] One report I heard is that every modern vehicle currently manufactured or assembled in the US uses atleast ten TSCM chips… So getting an old school non electronic car or motorbike for “restoring” in the garage might not be a bad idea…
SpaceLifeForm • August 5, 2022 2:30 PM
@ ALL
re: Twitter v Musk v Twitter v ?
You know you need more popcorn when Twitter has to subpoena Twitter for legal evidentiary reasons.
This is not going to be resolved as soon as the Delaware Chancery Court thought.
This will take many years. The lawyers are happy.
SEC: More popcorn please
‘https://s3.documentcloud.org/documents/22127242/twitters-reply-to-verified-counterclaims.pdf
‘https://arstechnica.com/tech-policy/2022/08/twitter-says-musks-spam-analysis-used-tool-that-called-his-own-account-a-bot/
Jose • October 17, 2022 12:31 AM
Thank for sharing .
https://directkitchendeals.com/ Here in Kitchen Deals, you can explore different kitchen appliances from different stores and know its specifications. We feature a wide selection of brands per category to ensure you get what you want. We make sure to feature quality products from different brands and kitchen appliances in a categorized and orderly manner.
Subscribe to comments on this entry
Leave a comment
Sidebar photo of Bruce Schneier by Joe MacInnis.
vas pup • July 29, 2022 5:57 PM
How Myanmar’s junta is using Chinese facial recognition technology
https://www.dw.com/en/how-myanmars-junta-is-using-chinese-facial-recognition-technology/a-62624413
“In March, Human Rights Watch (HRW) released a report on Myanmar’s use of the Chinese-made facial recognition systems, warning of a “serious threat” to human rights.
HRW said hundreds of cameras were installed in townships around the capital Naypyidaw in December 2020, before the military took power in a coup, in the first phase of a security initiative called “safe city.” Cameras were also installed in Myanmar’s largest city, Yangon.
Experts and activists on the ground fear that the military’s increased access to this technology could have consequences for the safety of anyone opposing the junta.
The cameras, sourced from Chinese tech conglomerates Huawei, Dahua and Hikvision, are equipped with artificial intelligence technology that automatically scans faces and vehicle license
plates in public places and alerts authorities to those on a wanted list.
By controlling the biggest telecommunication company in Myanmar, Telenor, the junta has restricted internet access and censored online content. There have also been reports that the
junta has installed spyware on telecom services and internet providers to further monitor and
combat online “traitors.”