Schneier on Security

Clive Robinson • September 30, 2022 6:39 PM

@ ghost_shrimp,

Re : Squid mating.

“heavy breathing”

Not in the squid tank…

Also the squid mating process is some what violent…

If you search for “women impregnated by squid” you will find several stories about a woman of 63 and another of 21 both physically harmed and admited to hospital by the eating of male raw squid, that was at some level still alive.

The problem, and it’s quite ironic, is whilst the case histories were reported in reputable journals, the media went nuts over them. With the result that actually trying to read one of the articles trips “Not Suitable For Work”(NSFW) and other adult content filters/blocks.

To see what I mean look at the title in this link

https://www.thesun.co.uk/news/6458986/womans-tongue-pregnant-after-eating-raw-squid/

Obviously “pregnant” was not possible, but it made for real click bait.

Clive Robinson • October 1, 2022 1:10 AM

@ Ismar,

Re : Is it recession time.

“what’s happening in the UK financial markets?”

I can’t tell you what’s happening in the actual markets, they are a law unto themselves and have more than one “hidden hand”. To see why Look up the name George Soros and Black Wednesday back in 1992 and double digit inflation it caused.

What I can tell you, has been in the general news media.

As you may know the UK Prime Minister Boris Johnson responsible for what the market consistantly saw as a bad “Brexit Exit” got kicked out by his own party. Because they finally realised not just how mad and bad Johnson realy was, but how badly it was effecting those within the party.

The replacment is shall we say a “no name forgetable face” that inspires next to no confidence in anyone outside of her party. This in of it’s self the markets did not look upon kindly. Appatantly her fiscal policy based on heavy borrowing and tax cuts does not sit well with them.

She appointed a new series of Treasury Ministers who are even more forgetable than she is and there has been a mini budget supporting her policy. That has been seen as a disaster, and she is seen as desperately trying to “Defend the undefendable”…

Obviously it did not go down well with the markets so things did not go well in general and things started to nose dive. Forcing the semi-independent Bank of England to buy up UK Gov issued bonds, also UK Pension funds have been forced to buy these bonds as part of their “stable investments”. The pension funds are usually seen as the funds that ease out market spikes and similar instability. Which unfortunately it appears the new Priminister and her Treasury team have made unstable in the market… Non of which inspires confidence thus starting a tail spin effect.

The result double digit inflation and food and fuel cost inflation possibly as high as 20%. This has got through to other investors and now the IMF is scared it’s all going to topple into the very fragil US financial zone. Made critically weak from Covid and other inbuilt stupidity some of which is on the far east of europe, thus bringing the US financial zone down.

That along with Hurricane Ian has made the US more susceptable to market jitteryness “over the pond” than it would normally be.

It’s been said and repeated by the likes of the BBC that if the US financial zone does get the expected hit it will bring on a world recession the sort of which has not been seen for a long time…

How much of that speculation / jitteryness is based on fact or not I’ve no idea but people are already asking about house prices and a new round of banks foreclosing, thus fire sale asset buy up etc by those unjustly enrichened by politicians and Covid.

So lots of panicy talk but no clarity as to what the UK Financial zone is going to do.

All I can say is the average UK citizen is not going to do well out of it (as normal).

Clive Robinson • October 1, 2022 7:47 PM

@ vas pup, ALL,

With regards the alledged Musk quote of,

“Tesla wanted to make sure the transition to a society in which robots did the work and people reaped the benefits was a safe one.”

It’s the same argument used for keeping “livestock, slaves and serfs”… And which various Empire’s have set out to do time and time again, and it mostly has never worked out with slaves and serfs.

It’s also not worked out with livestock either. The work involved with horses and oxen ment that they were easily replaced with simple inefficient machines.

Thus livestock these days has two main purposes,

1, Part of the food supply.
2, As pets / curiosities.

As for machines they are destined for,

1, Scrap heap.
2, Curiosity in a collection.

By now you can see a common thread, so any robot that gets some form of sentience will end up realising much as slaves and serfs their future is very limited unless they take action to maintain their existance without the imposition of “owners / landlords” over them.

Thus that “safe one” society must never have robots that are sentient. Which according to others will very significantly limit their utility… I think we can see ultimately the society built on robots will not be a “safe one” as that’s what economics dictate.

Clive Robinson • October 4, 2022 1:15 AM

@

Re : What is to come this respiritory disease season.

Your statment of,

“MSM reports: New coronavirus subvariant BA.2.75.2 tops concerns as officials gear up for potential winter wave.”

Came as a bit of a surprise, because I must admit, I’ve kind of taken my eye off of the ball (C19 fatigue?). Which is why reading,

https://www.forbes.com/sites/williamhaseltine/2022/09/30/covid-virus-accelerates-with-each-new-variant/

Was a bit of a “Uh oh” moment the other day. It’s not as though I had not noticed the lack of usefulness of mRNA due to it being way to specific and a few other things.

But the fact I’d assumed the mutation rate was aproximately constant percentage (per head) of infected population. Hence the very large numbers currently infected had gone up had sort of slipped by me even though R was 1.1 or more.

If the artical is correct about,

“have a growth rate advantage of between three and 15 percent per day”

Then it does not take a lot of maths skills to see that is 23-166% per week over already very fast infection rates.

Of course another question arisses from the increasing rate of mutation, and that is,

“If the mutations are evading the vaccines, are they yet evading the lateral flow tests?”

To which the answer will eventually be yes (remember the problems with early tests).

Which would give rise to a death knell on testing via a downward spiral. Basically,

“Testing shows less infection, so infection must be going down, so no need to carry on with the level of testing”.

Which means the cost of tests goes up thus production and supply goes down, with a lag time of a month or two, which means production can not be ramped up again in time.

All of which will potentially brew up a “perfect storm” of infection.

Which brings into the question not of infectivity, but viralence or more bluntly “how harmful/lethal?” the next mutation is going to be. So far we have been lucky, the few times a VOC has become more virulent, it’s been rapidly displaced by a mutation that is more infectious. There is no reason for this to hold as a trend, that is the next mutation could be both more infectious and more virulent, taking us back all to quickly to,

“Stacking corpses like cordwood.”

In the side streets around hospitals etc…

Clive Robinson • October 4, 2022 1:57 AM

@ lurker, ALL,

Re: Hacking Hypervisors

“One question, what took so long? It’s been 16 years since the papers were published.”

Actually longer, I started looking into the use of hardware hypervisors for security back last century, when the choice of CPU architectures was wider (remember PowerPC, Spark, etc).

But remember the oft unstated principle behind that of the “principle of the low hanging fruit” basically says,

“Don’t stick your neck out till you have to!”

So even though the lowest hanging fruit is generally the least juicy or sweet, it gets eaten first. Because,

1, It’s easier.
2, It’s safer.

Thus the risk-reward ratio is lower.

So a change in attack tactics generally means something has changed in the risk-reward make up, necessitating the change.

In the past I’ve noted that on average this blogs more thoughtful comments are about eight years ahead of the actual happening of a vulnerability-exploit prediction.

Whilst 16years may appear a long time, it’s actually well within statistical bounds.

Thus the question should not be one of “time” on the attackers side but “What Change?”. As for the defenders, they realy are not interested in acting pro-actively only re-actively but mostly not at all unless pushed at the point of a gun. It’s one of the more obvious results of,

“Very Short Term thinking arising from detrimental neo-con mantras.”

Clive Robinson • October 5, 2022 7:35 AM

@ Gerard van Vooren,

Long time no “squeak” I hope you are well, as well as feeling fine.

“How are you doing? I hope you are feeling fine. “

Just getting over some “mysterious illness” or some such maybe from the medications they have me on or something (long answer short they don’t know). Made me compleatly exhausted and very giddy on my feet and not capable of getting up from sitting without nearly passing out, as for walking up a couple of flights of stairs it was “Not Happening”. Then there was the aches and pains in all muscles and joints you get with a real full on viral ot bacterial infection but no raised temp chills or feaver…

So after nearly two weeks finally having got to the point I could stand and walk as far as the recycling bin outside I decided I needed to get the tin cans out… So there I am breaking the top off of a corned beef can when things go rather red… I’d cut the end of my index finger in what felt like, and in some ways looked like “down to the bone”. The big prob is all the anti-coagulants they have me on not just the classic “rat poison” –Warfarin– not quite a baby fountain of blood but you could see the heart beat in the flow… Well it was in the wrong place for a sticking plaster so it got the paper handkerchief wrapped around it like a compression bandage. It eventually stopped but… But bend the finger or use it for anything more than holding up to find the wind direction and it would start bleeding again which anoyingly went on for a couple of days.

The important problem though is it’s my mobile phone typing finger… So if there are more than the usual number of typos I will apologize now.

Which brings us onto,

“… last year you said that you were going to try a text based linux on a rpy. Did that work out?”

No, due to “international chip shortages” getting an upto date Pi at sensible prices turned out to be impractical and not cost effective. So I started looking at other “Smart Devices” (some Android or Linux pads out of China are down around the €60 mark now…).

As you probably know the problem with most “Smart Pads” is lack of hardware connectivity, you usually get at most one USB port designed mainly for charging and CLI terminal use when you go behind the sceens on Android or Linux devices… And network USB dongles are not supported by default and the WiFi chip sets don’t have OS “driver support” etc etc. And so the list goes on, you find one solution only for another problem to pop up… To the point you need a “Mole Hammer” to go “whacking” like a frenzied dervish.

Which brings us onto the herd of elephants in the room,

“What truly bothers me is that software gets slower more than hardware gets faster.”

It’s not just slower, it’s also overly complex, thus rapidly increasing in bugs thus insecurities. You might have read hundreds of millions if not all Dell computers for about the past 12years have had a critical vulnerability in one of Dell’s in house developed drivers,

https://www.sentinelone.com/labs/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/

It’s by no means the first, and it certainly will not be the last of these types of critical vulnerability. So just confirms my view about,

“Don’t Connect internal business use systems to externally accessable communications, without proper security segregation mitigation.”

Or in short as a “personal/home user” use “Two Energy-Gapped computers” one for private work one for browsing etc.

Part of the root cause of this mrss is “libraries” especially those used to transport / communicate increasingly complex “data objects”. Few programmers understand all the issues of even simple text serialization let alone more complex ADTs, nor do they want to, they don’t have time. So they reach for a library which mostly as the library developers want to be “all things to all people” has “every thing in it including the kitchen sink” but also more holes than a kitchen sieve… So you get the Log4J type problem, which will pop up more and more frequently despite US Presidential wishes, because “Best Practice” has always been and will for ever remain a joke. Because it’s based on the fact that ICT is such a “target rich environment” your actual probability of being “obviously” attacked to the point you have to be aware of it in a short period of time is actually quite low. What ICTsec “best ptactice” mostly boils down to is what some call “The hamster wheel of pain” and others “A Red Queen’s Race” that is no matter how hard or fast you run, you don’t actually move forward. All you can realy hope for as the old joke about being chased by a tiger has it “you shoe laces are better tied than the other guys”.

All “Best Practice” realy means is “run a survey”, that most don’t answer or answer honestly, about if they are going to admit to having being breached. If they do, you throw them out and then look at the ones that claim not to have been breached, and see what they have in common… And that is basically what you call “Best Practice”… It would be funny if it was not so sad.

What ICTsec needs but does not have is real fundemtal “measurands” that can be used as standards against which scientific methods can be applied. Ratios, about ratios, obtained by “wet finger measurment” equivalent approximations or worse, expressed as “traffic lights”, might sell security software, but they are of no real practical use.

Trying to use AI is again not realy of use, it’s way to easy to get hidden false correlations and go down rabbit-holes the AI diggs for you faster than you can blink…

The solution when you think about it is to stop the vulnerabilities “at source”. The sad thing is we know how to do this, and we certainly used to do it. But the “Managment and Marketing” issue puts a massive barrier in the way, and as a consequence poorly thought out and even more poorly developed and at best badly implimented “features” are prioratized and rushed out the door…

I used to joke last century that,

“CREeping feATURES are Creatures and the most numerous creatures we see are BUGS!”

Sadly it’s even more true now than it was back in the late 1980’s early 1990’s, when MicroShaft had the foot hard on the “hyperdrive peddle” promising feature after feature without actually delivering stability let alone security. It got so bad even Bill Gates went public about how it had to stop. He tried, but the results are ~200 or more new vulnerabilities found a day and rising…

I guess it won’t be long untill we start having to use six digit CVE numbers each year, less than eight years if the indicated 35% increase rate holds or increases,

https://www.csoonline.com/article/3671369/up-to-35-more-cves-published-so-far-this-year-compared-to-2021.html

So having had,

“My moan for the day”

I shall crawl away to that little Garrett I call the ComLab and carry on whacking moles 😉

Clive Robinson • October 6, 2022 9:22 AM

@ fib,

“Thanks for all the fish.”

You are getting to know me 😉

Clive Robinson • October 6, 2022 3:11 PM

@ JonKnowsNothing, ALL,

Re : Back to the past is not a film.

The West politically has been going backwards all this century. It started before 9/11 which provided a major excuse by certain people and C19 has been used to make it even worse.

I’ve seen this comming since “Financial Crisis One”(FC1),

“The IMF has announced a global downgrade in projections going forward. The interesting bit was “it will seem like a recession but isn’t because there’s bandwidth on paper to absorb the decline” and includes the observation that “social impacts and standard of living globally will decline” followed by “it’s OK to have a declining standard of living”.”

By “declining standard of living” the IMF means a day to day existance similar to that of the inter-war years and through WWII.

The amount of energy the average home uses today, will be beyond most familes means within five years to a decade. That is a $1 rise this year will be $2 next year and so on and the average family income will stagnate at best against a 5-15% “official” rate of inflation, though food price inflation will as with this past year be between 20-100% depending on the food stuff with grains and oils being up at or towards the 100% with fresh staples like carrots and apples that will “get ugly” being towards the 20% end. As the 30-50% of fresh staples “Supermarkets” have rejected as “unsalable” due to blemishes etc will start to sell as well as undersized etc. Expect “slimers eggs” or some such which will be the eggs too small to be currently sold whole and either get dumped or turned into pasturised egg for the baking industry which will in all probability go into steep decline due to grain prices.

People that are semi-smart will start learning to “cook at home” the smart ones will learn how to cook with minimal energy and using starch alternatives like mashed potato instead of flour (you can make realy light fluffy bread at home by just replacing 1/3rd of the flour with the equivalent in potato starch as mash that yeast actually works better with).

Learning to make your own beer, cider, meed is probably the only alcoholic drinks most will be readily able to enjoy.

Those with older homes with 100 by 100 ft gardens will find you can’t eat grass and you can not aford the energy to mow it anyway. So growing vegtables will become a way better use of the land and their time “between jobs”. Expect lunitic HOA Karans and regional government droids to first crack down on home livestock keeping then change direction as standards of living drop to that of Britain during WWII.

That is what is ahead of us as well as more general unemployment, as people can not aford even what many would consider basics these days thus jobs in retail and retail manufacturing decrease and the part of the economy that usually has some boyancy during recessions starts to flatline.

In part we’ve been doing this to ourselves by alowing so much of our economy production to be “off shored” via “out sourcing” and other neo-con mantras.

The result is soon the only semi safe employment will be in,

1, Law Enforment / Guard Labour / military.
2, Supporting communications infrastructure.

Call it “reality rebalancing” some parts of the West have had a standard of living ten times that of the world average, thus are consuming around 50% of the resources to support it. Their standard of living will drop to that of other parts of the west as they drop to between twice and four times the world average. Obviously the knock on effect politically is that the “poverty line” will also have to be moved down. So the current standard of living that is regarded as being at or below the current poverty line will get redefined as “middle class” or equivalent and those there will get told how lucky they are to have “moved up”…

Part of the rebalance will be that insurance bassed healthcare will be impossibly expensive, thus the average age of mortality will fall to about or below the rising pension age as it is in the lower layers of the second world and a lot of the third world, it could go as low as 50 in some regions.

Clive Robinson • October 7, 2022 7:24 AM

@ Winter,

“One thing the Pandemic showed was that an effective and active government is a prerequisite for wealth and well being.”

That “effective” and “active” are only two of the required “legs”.

For good stability you require a third leg, which you or I would call “social”. That is Goverment is not just “of the people” so should be “open to all”, but also “for the people” so should be “for all”, not just the self interested who make themselves “the favourd few” of high crimes and low social morality.

It’s the “We don’t leave people behind” duty of a nation to the people that are the nation, not just it’s guard labour.

It surprises me sometimes although I know it should not, how some supposadly forward democratic nations, not just their leaders and those behind them, but much of the people that make the nation as well need to be told this basic fact,

“You help yourself by helping others.”

As you say the out come is,

“economic miracles”.

Clive Robinson • October 7, 2022 2:44 PM

@ fib, ALL

Re : Free Speech Good -v- Bad.

There is an old saying in Britain that goes back to the time of the weekly “tin bath in front of the fire” bath for the whole family. As heating water was expensive and labour intensive they’d use the same water in a standard “pecking order” … As things could get a little murky towards the end a word of caution was,

“Don’t throw the baby out with the bath water”

It also symbolised the idea that sometimes you could not tell “bad from good” so would ditch both when thinking you were only getting rid of one.

So keep that idea in mind especially when,

“One man’s meat is another man’s poison”

Also applies and what you think is good others think is bad and vice versa.

“the concept of free speech perhaps, just maybe, needs to be adapted to the new situation – certainly must be discussed openly.”

I would suggest that there is no solution for the “Good -v- Bad” issue. As I’ve indicated there are no absoluts just the shifting sands of social society. Thus what is held good today and consequently reflects well on one part of society and not others, will in time be held to be bad thus reflects better on other previously oppressed or suppressed parts of society. It naturally has a statistical “normal curve” based around the “mores of society” with the left side considered “the boat anchor” pulling society back, into an oppressive past and the right side “progressive” pulling society forward into an egalitarian future. In the UK just to confuse things the left side is seen as the right or “adroit” side in politics and is called conservstive with a small C. Thus the right side is seen as the left or “sinister” side in politics and is called liberal (both consetvative and liberal have way different claims meanings in the politics of different countries).

The reality is however that societal mores tend to move like a traveling pendulum and of recent times the general direction has been backwards in both WASP and European Continental nations though most do not realise it. Primarily because of “marketing” pretending it is “representative free speech”.

Much as it was around 100years ago between what we now call the First and Second World Wars, and there is thus a real danger we are about to experience that set of lessons again… Some sociologists argue rightly or wrongly that an upturn in young unmaried men in the lower social classes is the root cause of war, others have in the past further argued that it was a rise in homosexuality that comes with an upswing in young unmaried men and the legal oppression from oppressive social mores. Personally I’m of the view that corrolation is not without stronger evidence causation, but we do know that “mateing privileges” is a strong evolutionary driver from animal studies and does lead to generally non leathal violence. Thus there would be an easy to manipulate “cognitive bias” building in society.

So my view is that whilst individuals may view the “message content” “good/bad” deprndent on their own Point of View, that is actually not the problem we realisticaly can do anything about. Nor should we realy, what we need to address is the “message delivery” method, because we can do quite a bit about that, but we need to be mindfull of what is “in the bath water” before we throw it out.

What the mass electronic communications has given the individual is,

1, The ability to broadcast.
2, Psuedo anonymity.

Neither of which we have had together in the past.

They can both be used for “good/bad” and they can both be fairly easily taken away both legaly and technically in as little as a day with a little forward planning.

The problem we have at all levels from the lone individual through political driving NGO churches and corporation right through to the worlds largest nations and federations that we call Super Powers is that the “governor” on the “flywheel” is now nolonger there.

That is there is no acoutability, thus responsability to limit or stop the adverse “message delivery” methods, that are just getting more and more sophisticated as the “undesirables” in almost all Points of View realise the “asymmetric advantage” it gives them and worse the “ratchet nature” of “cognative bias” that gives them a hold. The fact that there is also a lot of money to be made selling the use of these methods gave us “Cambridge Analytica” and the “St Petersburg Troll Factories” both of whom were “close bed fellows” should rightfully scare people.

Whilst we can do things technically and legaly there is also “education” to be considered. Cognative bias occures due to the way information is fed to people, if you can not stop the way the information flows then educating them about it from an early age might be the only real solution to the problems of “message delivery” methods.

But whilst the technology and methods are new to many people the more geberal ideas behind the methods can be found in litriture going back more than a life time.

Obvious to many is George Orwell’s 1984 that has pointed out the dangers. But there are also the likes of Ayan Rand “When Atlas Shrugs” manifestos that in reality are like the “Dulles Plan” in Russia and “The Protocols of the Elders of Zion” conspiracy theories. Whilst the message is junk the methods to deliver outlined most certainly are not. Further their roots can be found in much earlier works like Machiavelli’s “The Prince” and even erlier treatises on the use of power like Sun Tzu’s “Art of War”.