Friday Squid Blogging: Mayfly Squid
This is surprisingly funny.
As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.
Read my blog posting guidelines here.
SpaceLifeForm • September 16, 2022 6:45 PM
@ Bruce, ALL
I guess this is the part you found funny
I find it very interesting. My bold. Note for readers, this is very long, yet very interesting from an ecological biological perspective.
However, if the mayfly squid’s third eye does detect bioluminescence, then the evolutionary advantage of such control becomes apparent: even in the high silt conditions of the Amazon (or some of Florida’s more polluted rivers), it can remain in communication with other squid, using what amounts to a form of cryptography.
Ted • September 16, 2022 10:31 PM
@SpaceLifeForm, Bruce, All
Is it funny because it’s fiction? Is there really no such thing as a freshwater squid?
“Do you know just how difficult squid taxonomy already is?” he asked me. “Don’t go screwing around with people’s heads with your”—and the contempt in these last words before he hung up the phone (and his email) cannot be overstated, “FAKE SQUID.”
lurker • September 16, 2022 10:37 PM
The average adult mayfly squid weighs about 18 ounces and, including tentacles, is about two inches long.
Decimal point slipped? or what did it have for lunch …
Clive Robinson • September 17, 2022 12:00 AM
You started a curious thought with the quote…
So does “two inches long” have to mean the dimension that is longest?
Look at it this way: you are “X feet in height”; convention says that is a “from top of head to sole of heel measurement”.
Now, just for argument, what if you visit Disneyland and see, lying in the Florida sun, a statue of what, even for a dwarf, would be one of very modest stature, so say “3 feet from head to heel”, but also pictured as of less than modest appetite, so it has a ten foot circumference waistline that rises 3 foot 3 inches towards the noonday sun.
Is the recumbent dwarf 3 foot tall or 3 foot 3 inches tall?
SpaceLifeForm • September 17, 2022 12:03 AM
@ Ted, lurker
Maybe we should ask Sidney Powell to investigate this.
She seems to be an expert on Kraken.
Clive Robinson • September 17, 2022 5:15 AM
Re : EO 14067 update.
When you read it with caution, you will find it is not, as its title suggests, to protect,
“Consumers, Investors, Businesses, Financial Stability, and the Environment”
You will find that via the “National Security” argument it’s a naked power grab, instrument of “domination and control”. Designed to ensure the US control of world systems of emerging finance thus trading.
What follows when you read it is the usual “We are the good guys” nonsense to disguise the actual “Might is Right”, “Do as we say or else” rhetoric the US has already been using to push their “Domestic” agendas onto the world. Thus make the world a vassal to a US “Imperium Empire”, or dread “Co-prosperity Sphere” not too dissimilar to those put in place a century or less ago across Europe and Asia. The vestiges of which still exist and are designed to center wealth and power away from others to the US and its interests.
Back in the Obama era this was tried via “Trade Agreements” negotiated in secret with catastrophic dispute resolution systems that would be under US direct influence or control. Thankfully the news of what was going on got out, and the politicians of the Nations targeted with the secrecy gave voice in opposition, and the policy effectively became “stillborn”.
Nick Levinson • September 17, 2022 10:46 AM
Forged documents can sometimes easily enter court records as if real. See this Associated Press story, as accessed today.
Ted • September 17, 2022 11:58 AM
@SpaceLifeForm, Clive, All
Re: Update on EO 14067
So many reports.
vas pup • September 17, 2022 1:42 PM
The shift we need to stop mass surveillance:
Laws are good, but technological means that prevent the ability to conduct surveillance work better and are proactive regardless of the source of surveillance: private, government, criminals, foreign agents, you name it.
vas pup • September 17, 2022 1:59 PM
More on the subject – very good presentation and points. Enjoy!
Inside the massive (and unregulated) world of surveillance tech
SpaceLifeForm • September 17, 2022 2:48 PM
Re: Update on EO 14067
While I understand your cynicism, something must change. I personally do not care that there are stupid people speculating on cryptocurrency that lose their money. I do care that it is being used for money laundering and financing illegal activities that have national security implications.
Stupid people are helping criminals.
Reminds me, I need to check out Tulip prices.
Nick Levinson • September 18, 2022 11:09 AM
Russia’s GRU and NATO were both imperfect with a spy.
Open-source datasets were used by a reporter to identify the spy (the reporter even tried online face-matching the suspected spy’s cat). Photos of her were hard to come by but there was one of a hand of hers and the reporter said hands’ vein patterns are unique and support personal identification.
NATO officers were too social with her. She seemed personally too chaotic to be a spy. But she may have collected personal info useful for bribery and blackmail, rather than directly military secrets, such as on one later candidate for the U.S. Congress. The cheap jewelry she gave to wives could have had bugs.
Spies might come from rural areas, so they’d be less likely to encounter childhood friends who accidentally blow their covers.
From How a Russian Sleeper Agent Charmed Her Way Onto NATO’s Social Scene (WNYC radio, On the Media, as of Sep. 14, 2022, transcript), as accessed today.
Clive Robinson • September 18, 2022 1:02 PM
@ Nick Levinson, ALL,
“hands’ vein patterns are unique and support personal identification.”
Yes and they can be clearly seen from quite a distance by certain types of camera. Whilst not from space, it can be done from drones, blimps and other slow or stationary UAVs.
There are two basic types of bio-metric in use,
1, The near useless ones used for access control and the like.
2, The ones that covertly identify us even from quite a distance.
The thing is every human, including identical twins, is unique in physical make up and mannerisms. As a rough rule of thumb the closer you get, the more unique the physical makeup is. But as seen with the near useless access control bio-metrics, it is not necessarily useful.
However with gross physical features like size, whilst the uniqueness is small to human eyes it’s not to modern computer systems; likewise mannerisms and other movements, which can reflect a person’s internal structures including long healed injuries.
I have a small scar on one of my elbows from having tripped whilst running and landing on a metal strip. More than half a century later even though the skin scar has faded almost to nothing, you can feel the dent in the bone just below the surface and it’s visible by that when the light is at the right angle. Likewise, though only a third of a century ago, I was stabbed in the head by a burglar I had caught in the act, the skull still bears the mark a finger can feel under my now thinning hair. As for the broken jaw from less than a quarter of a century ago from having my head karate kicked into a street sign pole, well that shows up in every bite I take, and as it permanently caused me to lose some of my sense of taste, it also shows up in the flavour of food I cook, which others can tell…
“We are the sum of our experiences”
Well I certainly know that’s true for injuries, as every step reminds me. But I’m also beginning to understand the same is true for all diseases, including common infections, that give rise to immune system dysfunction with symptoms coming through years later…
Something that affects “National Security”, with around 7% of the US population now starting to come to terms with long covid and its debilitating effects. And its effects are showing through on the economy by loss of workers, thus unfilled jobs and drops in production / productivity. Especially in the “white collar” workforce, with nearly twice as many women as men being lost (especially in education and healthcare).
Such economic signs are visible from anywhere in the world you might care to be in these days due to modern communications technology. And it is clear from this why “Fake News” is such a security problem.
Few tend to think of “News” as a “supply chain” and then go on to think about how you would both analyse it and thus be able to start securing it…
PeeDee • September 18, 2022 2:48 PM
@ Clive Robinson
Great book on knowledge infrastructure….
Forged in War
How A Century of War Created Today’s Information Society
by Lankes, R. David
Regis • September 18, 2022 8:25 PM
I have discovered the SQUID! FACTS! HOTLINE!
JonKnowsNothing • September 19, 2022 7:42 AM
The USA President Joe Biden, quoted in MSM:
…. But the pandemic is over. If you notice, no one’s wearing masks. Everybody seems to be in pretty good shape.
Joe Biden President USA 09 18 2022
Per MSM counts:
I was going to post about the local upward trends, as COVID starts spreading from schools, holidays and the energy crisis where people cannot heat or cool their homes and take to Cooling Centers and Heating Centers. I was going to post observations of standing in queues with strangers while waiting for food pantry distributions or while queuing for a plate of a hot food. The death of QE2 and the long lines of mourners, far surpass the number of people I’m standing in line with. Regardless of the size of the queue, all it takes is ONE.
In the last weeks, the State of California has again shifted how it reports COVID numbers, altering baseline calculations. The recalc & hidden calc, foreshadowing the pronouncement that NoMaskNoVax is now The Norm. It’s an irony that so much angst was spent on the NoMaskNoVax issue, which has now become THE acceptable COVID Response.
Yet in Los Angeles County, more people died of COVID between May and July this year than during the same months last year. The virus claimed the lives of nearly 800 people in L.A. County in those months, compared with nearly 500 a year earlier. Elderly people bore the brunt of that increase, with a death rate that had tripled among people who had reached their 80th birthday.
The Bank of Mom and Dad still fuels the actuarial summaries and predictions.
pandemic is over
US daily deaths
Who’s still dying from COVID-19?
Hundreds of Americans daily
Winter • September 19, 2022 8:03 AM
The recalc & hidden calc, foreshadowing the pronouncement that NoMaskNoVax is now The Norm.
We have reached the point where vaccines and medication are available to whoever wants them. The failings of local health care are independent of the pandemic. If people would rather believe quacks than science, then it is their own private decision and they will have to live with the consequences.
Slowing the pandemic down has no benefits anymore. Every unvaccinated person will get infected eventually at least once, even in China.
What is left to fight for with a mask?
Clive Robinson • September 19, 2022 9:07 AM
@ Winter, JonKnowsNothing,
Re : NoMaskNoVax.
I, for instance, wear a mask all the time when out of my home, and I don’t allow anyone in as I assume they are very probably “Endangering my life”.
As for NoVax, that is because the vaccines available in the US and much of the EU are either ineffective or useless. That is, they are coded for a way too narrow width of strain or a now extinct strain.
Let’s be honest, would you expect a vaccine for influenza to save you from covid?
Well… The answer is it is not going to do anything against the SARS-CoV-2 virus family, so you might be forgiven for thinking “NO”.
But consider it from a wider perspective, what are your odds of surviving a covid infection if you don’t have this years flu strain versus if you do? (that will spread far and wide due to NoMask).
What about other corona or similar “winter respiratory illness season?”
I would very much like a Covid Booster shot, but I’ve been told “No” because of the quite serious cardiac incidence just over a year ago a few weeks after having my second shot.
But as none of those being offered in the west are of much use anyway, as covid has escaped them, I would rather have one of the “old style” vaccines that consist of actual brewed up virus from all or many of the known strains that has been chemically diminished so they can not enter the replication cycle. The reason is such vaccines tend to have a very wide coverage skirt. Unlike the mRNA etc.
Even though these broad skirt vaccines might appear to have low efficacy, you have to ask the “which is better” question?
Well we now know that over 40% of people admitted to hospital due to covid have had both the original vaccine course and one or more “booster shots” of the same or other vaccine, so another shot of the same appears to be of less efficacy than the vaccines being used in other parts of the world…
Whilst this might come as a shock to people, I’ve more or less expected this from fairly near the start as will be seen by rereading my past comments.
The thing about natural pathogens is they are more zombie than werewolf, there is no magic bullet silver or otherwise that gets shot of them.
We have been lucky in that the strains of covid now around, whilst being many many times more infectious, have, apart from one or two strains, become less likely to harm or kill you. But new strains are going to happen this Winter Respiratory disease season, it’s a foregone conclusion with the NoMask policy, oh and even with a ProVax policy the strain is almost certain to have undergone vaccine escape from what you are going to get offered.
Thus the question is,
“As one of the reasons so much money was sunk into these new vaccines, because the big pharma companies said they would be agile and could be changed in just a few weeks to combat new strains, why has big pharma no new vaccines to offer, and are not going to give the money back, why should governments keep buying what is now useless, let alone at the over inflated prices big pharma demands?”
But the increased death rate in those of older or poorer circumstances appears to correlate with increases in long covid, and evidence slowly trickling out appears to confirm long covid in the vaccinated is higher in those who have had the new type of vaccines…
I suspect that if I can remain respiratory infection free this coming season then my health will steadily improve.
So you won’t see me without a mask outside my home and you will be very very unlikely to see me outside my home, and even if you do I will very definitely be “keeping my distance”.
We have an expression in the UK that might be seen as appropriate for people that make stupid choices.
So for those that want to be NoMaskNoVax that is their choice,
“And at the end of the day their funeral”
lurker • September 19, 2022 1:06 PM
@Winter, JonKnowsNothing, Clive R.
“What is left to fight for with a mask?”
I’m with @Clive on the masks. Local MSM is also downplaying numbers to the point of not reporting deaths, which are still ~8 times the road accident rate. But they’re only the olds … Yup, I’m an “old”, and I don’t see why I should contribute to a reduction in the national life expectancy.
It may be the traditional Chinese veneration of their elders behind their insistence on minimum spread.
vas pup • September 19, 2022 3:17 PM
Leipzig Robot Festival: Where robots and humans meet
“Industry leaders and startups are coming together in Leipzig at the Robotics Festival 2022 to showcase innovation in Germany and beyond. Robots could help fight labour shortage and the lack of skilled workers.”
Norio • September 19, 2022 4:53 PM
@ Bruce – thank you for the article. It was very entertaining, especially the section on “The Festival of the Freshwater Squid.” This was as much a naturalist’s description of the odd habits of Floridians, as well as the mayfly squid. How can anyone not find the following to be humorous?
“…The usual cavalcade of Shriners in tiny red cars, high school bands, ROTC units, and clowns is supplemented by six or seven squid floats mounted on rusting Ford pickup trucks. … Meanwhile, the parade-goers have begun to don their squid masks and take out their squid noise-makers. …As I follow the festival crowds, the fake squid formed by the floats seem to waver and disintegrate in the early morning light.”
Norio • September 19, 2022 5:54 PM
I’m with @ Clive and @ lurker on the mask issue. I wear a mask pretty much all the time unless I’m home alone. I have a chronic illness and also have scarred lung tissue from exposure to asbestos. Plus I’m an “old.” I will be damned if I’m going to take a chance on getting “long Covid.” And it’s not just viri that keep me wearing a mask. I use the Korean N94 masks because they are much cheaper and just as effective as the USA N95 masks. The thing about the Korean masks is that they were being made & distributed way before Covid. South Korea has terrible air quality, especially in the urban areas, and they have been wearing masks for decades to block particulates. The area I live in has frequent air quality alerts, and the mask makes it easier for me to breathe. I wear one driving alone in my car, and frequently get odd looks while doing so.
JonKnowsNothing • September 20, 2022 12:48 AM
@ lurker, @Winter, Clive, All
re: “What is left to fight for with a mask?”
It’s pretty straight forward to sort this out. It all depends on which segments of the local, regional, national, global demographics match your personal profile.
The Bank of Mom and Dad is yielding great bonuses. Numbers from the LA County COVID counts May-June 2022, 800 deaths.
800 * $2,000 avg monthly pension = $1,600,000 USD per month savings
$1,600,000 * 12 months = $19,200,000 USD annual pension costs saved
$19,200,000 * 6 yrs avg Years of Lost Life = $115,200,000 value of 800 early deaths
800 * $5,000 avg monthly skilled nursing board & care home charge = $4,000,000 monthly savings
$4,000,000 * 12 months = $48,000,000 annual care home expenditures saved
$48,000,000 * 6 yrs avg Years of Lost Life = $288,000,000 value of 800 early deaths
$288,000,000 + $115,200,000 = $403,200,000 Combined 6 year ROI of 800 COVID Deaths USA
The above only counts direct savings. There are other saving involved too with wealth transfer, real estate transfer, asset transfers, taxation issues etc.
The key component is still Age and Location.
Australia’s oldest person
after moving in with close family
Clive Robinson • September 20, 2022 4:19 AM
@ JonKnowsNothing, ALL,
Re : Lowering National life expectancy.
“2-3yrs min up to 5-8 years for western economies.”
Sometimes more… As I’ve mentioned before, across less than 20 miles of London, in the leafy green of Richmond and South West from there, 81 years is the average. However over in the deprived old industrial East of London it’s as low as 50 years.
So a year/km difference, or three years every couple of miles, six years in an hour’s healthy walk…
But in the US the National Average is plummeting compared to the rest of the Western World. Which is why the age of death in 2020 is higher than the expected age of death for those born in 2020 (which is already back to World War II 1944 life expectancy).
The BMJ published a report on the 16th of this month,
It makes salutary reading, for instance,
“The largest contributor to these reductions in life expectancy was an increasing number of deaths from covid-19, followed closely by unintentional injuries, which largely comprised drug overdose deaths.”
“Even before the pandemic, life expectancy in the US was lagging behind other high income countries that spend notably less money on healthcare.”
“Examining covid-19 infection and death rates by political affiliation of US states helps contextualise racial and ethnic trends in life expectancy. One analysis of data from March 2020 to December 2020 found that, as the pandemic progressed, the burden of covid-19 became increasingly concentrated in Republican led states. Similar patterns were documented throughout the pandemic.”
The “drug overdose deaths” appears to be a consistent thread through the figures in the socially disadvantaged. It can be hard to separate out “prescription” and “illicit” figures (looks like they are deliberately mashed). But there are significant indicators that for many “health care is a handful of pain killers”. That is many socially disadvantaged US Citizens get not constructive healthcare but a fast track to being a junkie. The reason is they can not get access to needed but expensive treatments like surgery or physiotherapy. Drs also know that if the patients did get such treatment they would in all probability lose their jobs, their homes, their families. So a handful of pills dulls the pain so they can continue earning…
As I’ve pointed out in the past an unhealthy sub population actually makes the whole population at risk. As the report concludes,
“Looking at these data as epidemiologists, we see not only declines in life expectancy, but also who is most vulnerable and the lives that have been cut short due to systemic failures in safeguarding the health of populations.”
So the US has the most expensive healthcare yet a significant decline in not just health but life expectancy. For many in the US it’s the worst in the Western World, perhaps people should be asking,
“Who’s pocket is all the money going into?”
ResearcherZero • September 20, 2022 11:59 PM
Generally they would just offer people money, and many of those individuals were incredibly cheap. Often they would deposit the cash straight into their bank accounts. They often denied it up until the point they were shown the transaction records.
The video and audio recordings of their meetings are generally convincing enough for a judge to make a decision on application for a warrant. They all talk, except what they say in public is often very different than what they admit in public.
However they do have some considerable advantages, such as cases being handed off to police and other political difficulties. Intelligence is a two way process, with often very little on the other end.
Intelligence officials “had a list of things they could never get the signoffs on,” one intelligence official said. “The truth is, nobody wanted to p__s off the Russians.”
What is MFA Fatigue?
When an organization’s multi-factor authentication is configured to use ‘push’ notifications, the employee sees a prompt on their mobile device when someone tries to log in with their credentials.
An MFA Fatigue attack is when a threat actor runs a script that attempts to log in with stolen credentials over and over, causing what feels like an endless stream of MFA push requests to be sent to the account’s owner’s mobile device.
The goal is to keep this up, day and night, to break down the target’s cybersecurity posture and inflict a sense of “fatigue” regarding these MFA prompts.
Insecure Control Systems
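As an added example (not from the quoted article or from the commenter), the detection side of this in C: parse constructed push-notification log lines, find the largest burst of prompts sent to each user inside a time window, and flag an approval that came on the heels of such a flood, which is the event worth paging on. The log format, field names, window and threshold are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define MAX_EVENTS 64

/* One MFA push event as an identity provider or SIEM might export it. */
typedef struct {
    long ts;            /* epoch seconds */
    char user[32];
    char result[16];    /* "approved", "denied" or "timeout" */
} PushEvent;

/* Constructed sample log lines (not real data), in ascending time order. */
static const char *const SAMPLE_LINES[] = {
    "1663200000 user=alice result=denied",
    "1663200020 user=alice result=timeout",
    "1663200041 user=bob result=approved",
    "1663200045 user=alice result=denied",
    "1663200070 user=alice result=denied",
    "1663200095 user=alice result=timeout",
    "1663200118 user=alice result=approved",
    "1663203600 user=bob result=approved",
};
#define SAMPLE_COUNT (sizeof SAMPLE_LINES / sizeof SAMPLE_LINES[0])

/* Parse one "ts user=<name> result=<outcome>" line; returns 1 on success. */
static int parse_push_line(const char *line, PushEvent *ev) {
    return sscanf(line, "%ld user=%31s result=%15s",
                  &ev->ts, ev->user, ev->result) == 3;
}

/* Load the constructed sample into ev[]; returns the number of parsed events. */
static int load_sample(PushEvent *ev, int cap) {
    int n = 0;
    for (size_t i = 0; i < SAMPLE_COUNT && n < cap; i++)
        if (parse_push_line(SAMPLE_LINES[i], &ev[n])) n++;
    return n;
}

/* Largest number of pushes sent to `user` inside any window_s-second span.
 * Events must be in ascending time order. */
static int max_push_burst(const PushEvent *ev, int n, const char *user, long window_s) {
    int best = 0;
    for (int i = 0; i < n; i++) {
        if (strcmp(ev[i].user, user) != 0) continue;
        int count = 0;
        for (int j = i; j < n; j++) {
            if (strcmp(ev[j].user, user) != 0) continue;
            if (ev[j].ts - ev[i].ts > window_s) break;
            count++;
        }
        if (count > best) best = count;
    }
    return best;
}

/* 1 if an approval for `user` was preceded by at least `threshold` other pushes
 * within window_s seconds: a flood that finally wore the user down. */
static int approved_after_flood(const PushEvent *ev, int n, const char *user,
                                long window_s, int threshold) {
    for (int i = 0; i < n; i++) {
        if (strcmp(ev[i].user, user) != 0 || strcmp(ev[i].result, "approved") != 0)
            continue;
        int prior = 0;
        for (int j = 0; j < i; j++)
            if (strcmp(ev[j].user, user) == 0 && ev[i].ts - ev[j].ts <= window_s)
                prior++;
        if (prior >= threshold) return 1;
    }
    return 0;
}

/* Convenience wrappers over the sample so results can be checked by name. */
static int sample_burst(const char *user, long window_s) {
    PushEvent ev[MAX_EVENTS];
    int n = load_sample(ev, MAX_EVENTS);
    return max_push_burst(ev, n, user, window_s);
}

static int sample_flood_then_approved(const char *user, long window_s, int threshold) {
    PushEvent ev[MAX_EVENTS];
    int n = load_sample(ev, MAX_EVENTS);
    return approved_after_flood(ev, n, user, window_s, threshold);
}

int main(void) {
    const char *users[] = {"alice", "bob"};
    for (int i = 0; i < 2; i++)
        printf("%s: burst=%d approved-after-flood=%d\n", users[i],
               sample_burst(users[i], 120),
               sample_flood_then_approved(users[i], 120, 4));
    return 0;
}
```

In the constructed sample alice receives six prompts in two minutes and approves the last one; bob's two approvals are an hour apart and never trip the check.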
SpaceLifeForm • September 21, 2022 12:46 AM
That is a hot take Microsoft
Your CPU temperature has exceeded [redacted] Prolonged use at this temperature may shorten the CPU’s lifespan.
Or should we just go to Mercury and cool the laptop down? You know, on the sunny side.
ResearcherZero • September 21, 2022 3:07 PM
I’ve been accused of being too cryptic by colleagues, so perhaps this is more helpful.
a “confluence of events”
There is a pattern forming here that continues back to the 1990’s, which if you could read the reports from that time, hypothetically, may say much the same thing.
Hageman was allegedly very helpful, divulged everything and said because she cooperated she could not be arrested. Powell was smarter, allegedly, and cited “client confidentiality” as to why she could not discuss the conversation with the departing undeclared GRU officer. Bannon has been repeating the same things since the 1980’s, so allegedly, may not have even required interviewing.
Those classified intelligence reports from the 1990’s may be all crap, but then many of the sources cited in those reports were assassinated, so who knows? If we expected politicians and businessmen to all be honest over the last 40 years, then we would seriously have to be a whole lot of fools. As it was said:
Intelligence officials “had a list of things they could never get the signoffs on,” one intelligence official said. “The truth is, nobody wanted to piss off the Russians.”
It was the same in the 80’s and 90’s.
this is a very old document
Most buildings targeted contained bugging devices.
ResearcherZero • September 21, 2022 3:10 PM
24:20 – opening statement by Geoffrey Cain
Tik Tok collects search and browsing histories, keystroke patterns, biometric identifiers, draft messages and metadata, plus it has collected the text, images, and videos that are stored on a device’s clipboard.
China-based employees of ByteDance have repeatedly accessed nonpublic data about US TikTok users.
2.05 billion records in a massive 790GB database containing user data, platform statistics, software code, cookies, auth tokens, server info…
ResearcherZero • September 21, 2022 3:12 PM
Opportunistic cyber criminals could register your .au domain name in an attempt to impersonate your business.
Winter • September 21, 2022 7:11 PM
I’ve been accused of being too cryptic by colleagues, so perhaps this is more helpful.
I am sorry to say that I too have often been unable to follow your hints.
From your first link:
Russia aims to become one of the great powers in the polycentric world order, to become an equal player in the international system and to challenge the unipolar world order.
(And more along these lines)
It was obvious to anyone who looked that Putin et al. were convinced that Russia was denied its rightful place as the only world power that could challenge and dethrone the USA and that it was only a matter of time, and not much time, before the Western alliance would crumble and Western societies would decay in utter decadence. Then, Russia would be the leading star of Christian Orthodox (white) supremacy, ending the rule of the golden Billion. (Look it up)
I see it as a case of propaganda pushers “getting high on their own supply”.
After Trump, Brexit, and the rise of fascism in the USA and Europe, the end of the pandemic marked the perfect time for Russia to deliver a final “coup de grâce” to the West.
In hindsight, I think the basic failure of the West was to believe that Putin et al. could not be that stupid. Because, for all of the failings of, e.g., the German East Politics, they did perfectly understand how weak Russia was. I think the main fear was that Russia would implode leading to a protracted civil war and continuous chaos from the Baltic to Vladivostok.
Even though we all believed the Russian army to be a formidable foe, it was still known to be a giant on mud feet. Russian society simply did not have the industrial and economic base to “lead the world”.
Russian secret services are evil schemers. However, the master plan they were trying to implement, next to their petty corruption and theft, was a fever mirage that never could come true.
SpaceLifeForm • September 22, 2022 5:48 PM
Escape from Russia
There are plenty of programmers in Russia that understand Linux. They smartly do not want to be sent to Ukraine to die.
The queues to escape are long. They have to lie about their skills. It is interesting that many China flights have been cancelled.
Here is a Google translated snip:
Linux lived, Linux is alive, Linux will live
Software developers will have to adapt to the registry of domestic software
The Ministry of Digital Development is preparing another change in the rules for including software products in the registry of domestic software: in order to receive preferences in public procurement and tax benefits, vendors will have to adapt their solutions to operating systems on Linux. Now most of the software of accredited developers is based only on Windows. To adapt, many products will have to actually be created from scratch, market participants argue, attracting Linux specialists, who may simply not be enough.
ResearcherZero • September 22, 2022 7:16 PM
Optus warns cyberattack may have exposed Australian client details
Screenshot of database containing 1.1 million Optus customers’ details, comprising names, email addresses and mobile numbers.
I see it as a case of propaganda pushers “getting high on their own supply”.
That is the public face of it, – that no one had any knowledge that all these events were likely to transpire. The private story may somewhat differ.
Ted • September 22, 2022 9:39 PM
Who is Team Cymru selling internet data to and how is it being restricted?
“It’s everything. There’s nothing else to capture except the smell of electricity,” one cybersecurity expert said.
Ted • September 22, 2022 10:10 PM
Hello Linux? This is Russia calling…
… some programs will have to be created virtually from scratch: “Including, for example, banking systems that have been written by Windows for twenty years”
Coming to a government office near Uyar around Spring 2023, or thereabouts.
SpaceLifeForm • September 23, 2022 12:39 AM
@ Clive, ALL
Someone in Cupertino is reading here. We just need to get all libc to do this. It will help more than it hurts. But, they have only done half of the work. You must zero on calloc(), AND zero on free().
Apple is being lazy, and not zeroing on calloc() which most sane programmers expect to happen. This is going to lead to crashes (good) and new exploits (bad). They are not honoring the contract which says that calloc() will zero the memory.
The system memory allocator free operation zeroes out all deallocated blocks in iOS 16.1 beta or later. Invalid accesses to free memory might result in new crashes or corruption, including NULL-pointer dereferences and non-zero memory being returned from calloc.
Nadia el Mansour • September 23, 2022 5:47 AM
Optus cellular phone network in Australia has suffered a massive data breach. I was listening to the report on the radio about how bad it is, and how many can expect to be the victim of scammers using their PII.
And wondered – why isn’t Optus being punished for this? It’s their fault!
Why should their customers have to suffer it?
In other news. The country Iran blocks the use of Signal messenger app.
Here’s how you can help people in Iran use Signal by running a proxy for them
JonKnowsNothing • September 23, 2022 11:16 AM
@ SpaceLifeForm, @ Clive, ALL
re: Someone in Cupertino is reading here. We just need to get all libc to do this. It will help more than it hurts. But, they have only done half of the work. You must zero on calloc(), AND zero on free().
Reading maybe, but not necessarily the ones who can act on the information.
A common change like this is not often in the scope of a particular group. It has to be done by the lower level teams to automatically include this. Then there needs to be a massive search and replace and recompile to make sure every single module and sub-module uses the new versions.
It isn’t just the alteration of the call but the massive hunt for all existing versions with the recompile and retest and regressions that derails these sorts of fixes which then shuffles them upwards in the development teams where programmers may or may not insert the changes into their current code base.
SpaceLifeForm • September 23, 2022 6:15 PM
@ JonKnowsNothing, Clive, ALL
re: non-zero memory being returned from calloc()
Apple is holding it wrong.
To the best of my knowledge, Linux, FreeBSD, and Windows all do lazy page fault remapping on zero pages allocated by calloc() and then do CoW (Copy on Write). This provides a performance benefit to the app. But, that assumes an assumption. That the allocated block size forces the malloc code to use mmap().
The lazy approach is good. What if you allocate a GB, but only dirty one byte?
Malloc() and friends are not your friends. There are semantic issues that can interact in unpredictable ways, similar to the likes of getenv(), putenv(), and setenv().
See Dangling Pointers.
If you want to use malloc() you better think very carefully thru your code.
Note the Go Language only uses mmap(), no brk()/sbrk() using the heap.
Also note, that this requires an OS that supports virtual memory. You will not run any Go code on bare metal.
Clive Robinson • September 23, 2022 11:09 PM
@ SpaceLifeForm, JonKnowsNothing, ALL,
Re: Security and non-zeroed memory
We have a saying in the UK that is less heard than it should be,
“Why leave until tomorrow what you can do today?”
Unfortunately the mantra that has leaked through everywhere is,
“Why do something now at low cost when you can do it for high cost later”
Yes read it again it is the mantra for this century… If you do not immediately believe it think back a quarter century and the start of the exponential cost rise of Y2K.
What does this have to do not just with malloc() and friends but Garbage Collection and much more besides including those tsunamis of technical debt?
Well the simple answer is,
“There is a time and a place for everything and missing it is expensive”.
It applies as much to doing things early as it does for doing them late. However as a general rule of thumb early has less cost than late.
In security the general rule of thumb is,
“Destroy secrets immediately after use.”
“The security cost is less whilst a secret is in context.”
So the generalised,
“Leave until tomorrow, because you may not need to do it.”
Thinking of normal life and thus programming is in conflict with security.
As this conflict will not be resolved, since doing it the secure way will slow things down a very great deal, another way needs to be considered.
One such way that will be suggested is to mark an object as being secure with a flag when it is created, thus have the likes of free() act on it and clear the object when it’s no longer needed. The problem is it does not work reliably as is often seen when people try to get rid of malloc() and free() with garbage collection, you can get “zombie objects” especially in programs like web browsers that try to replace OS functionality badly.
The problem is “human” in origin and we have to acknowledge that “automatic” can deadlock thus not happen.
We really do have to “do today” in security even though it may cost more a lot more.
There are several reasons why doing something early has greater costs, but two basic reasons are,
1.1, All actions have in addition set-up and tear-down costs. If you aggregate actions together you only pay those costs once for the aggregate, not once for each action.
1.2, The next user may not need the memory clear as it “writes right in”, most data objects are created this way thus clearing is redundant and the cost needlessly borne.
Whilst there are other reasons these two alone can justify a very significant advantage to a program in execution performance.
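The two halves of the allocator discussion above (SpaceLifeForm's point that calloc() must hand out zeroed memory and that free() should zero too, and Clive's suggestion of flagging an object as sensitive at creation so that free() clears it) can be made concrete in a few lines of C. This is an added example, not code from the thread or from any libc; the names tracked_alloc, tracked_free, bytes_all_zero and calloc_is_zeroed are illustrative, and the 16-byte header layout is an assumption chosen to keep the payload aligned on common 64-bit ABIs.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not from the thread): a minimal "zero-on-free" wrapper
 * around the system allocator. Each block carries a header with its length
 * and a 'sensitive' flag set at creation; tracked_free() wipes the payload
 * before releasing it only when that flag is set, which is the
 * "mark it secure and let free() act on it" scheme. Names are illustrative. */

#define HDR_SIZE 16  /* assumed header size; keeps the payload 16-byte aligned */

typedef union {
    struct { size_t len; unsigned char sensitive; } f;
    unsigned char pad[HDR_SIZE];
} hdr_t;

/* Wipe through a volatile pointer so the compiler cannot drop the stores as
 * dead (the classic memset-before-free pitfall). */
static void wipe(unsigned char *p, size_t n) {
    volatile unsigned char *vp = p;
    while (n--) *vp++ = 0;
}

/* Returns 1 if every byte in [p, p+n) is zero, else 0. */
int bytes_all_zero(const unsigned char *p, size_t n) {
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++) acc |= p[i];
    return acc == 0;
}

/* Allocate n bytes; 'sensitive' records whether the block must be wiped. */
void *tracked_alloc(size_t n, int sensitive) {
    hdr_t *h = malloc(HDR_SIZE + n);
    if (h == NULL) return NULL;
    h->f.len = n;
    h->f.sensitive = sensitive ? 1 : 0;
    return (unsigned char *)h + HDR_SIZE;
}

/* Returns the number of payload bytes wiped: n for a sensitive block,
 * 0 for an ordinary block or NULL. Verifies the wipe before releasing. */
size_t tracked_free(void *p) {
    if (p == NULL) return 0;
    hdr_t *h = (hdr_t *)((unsigned char *)p - HDR_SIZE);
    size_t n = h->f.len;
    size_t wiped = 0;
    if (h->f.sensitive) {
        wipe(p, n);
        wiped = bytes_all_zero(p, n) ? n : 0;
    }
    h->f.len = 0;            /* scrub the header too so a stale size is never reused */
    h->f.sensitive = 0;
    free(h);
    return wiped;
}

/* The other half of the point: calloc() must return zeroed memory.
 * Allocates n bytes and reports whether every byte reads as zero. For a
 * large n most allocators satisfy this from fresh mmap'd zero pages, so
 * the check is cheap; for a small n it relies on explicit zeroing. */
int calloc_is_zeroed(size_t n) {
    unsigned char *p = calloc(n, 1);
    if (p == NULL) return 0;
    int ok = bytes_all_zero(p, n);
    free(p);
    return ok;
}

int main(void) {
    unsigned char *secret = tracked_alloc(32, 1);
    unsigned char *plain  = tracked_alloc(32, 0);
    if (secret == NULL || plain == NULL) return 1;
    memset(secret, 0xAA, 32);   /* constructed sample "key material" */
    memset(plain, 0xBB, 32);    /* constructed ordinary data */
    printf("sensitive block wiped: %zu bytes\n", tracked_free(secret));
    printf("ordinary block wiped:  %zu bytes\n", tracked_free(plain));
    printf("1 MiB calloc zeroed:   %s\n", calloc_is_zeroed(1u << 20) ? "yes" : "no");
    return 0;
}
```

The wipe-before-free and the explicit zero check on calloc() are the two guarantees the commenters ask of a libc; the flagged header shows the cost trade-off Clive describes, since ordinary blocks skip the wipe and only flagged ones pay for it.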
JonKnowsNothing • September 24, 2022 2:08 PM
@ Clive, @ SpaceLifeForm, ALL
re: “Leave until tomorrow, because you may not need to do it.”
Deferred Maintenance is the favorite by default. It works with all sorts of things besides software and hardware, it works with housing.
The main concept in deferred maintenance is to invest as little as possible and off-load the item before it becomes costly to keep. Let the Next Owner take care of it…
On a 1:1 scale it is an issue of actual expense and ability. People learn to fix things as they go along (life learning) until they find they can no longer fix the item. Either the fix is beyond their budget or their ability.
We used to call it kludges…
Now we pretty-print up the issue(s) with all sorts of mis-directions and alt-naming.
An outstanding example is the cost of a house (USA). Prices are up for sure, astronomical and beyond the ability for many to pay. If people are fortunate enough to find something affordable, they become House Poor. All their funds are sunk into the house and they have no extras for “deferred maintenance” items. So items do not get fixed, at first it’s the easy ones to fix and they may attempt some repairs but eventually they run into something major and that doesn’t get fixed. They either have to take out an add-on mortgage to fix it or they sell up and buy something else hoping that has less issues than the one they are off loading.
When evaluating the cost of housing, it’s a fair bet that the price of resale house includes a large amount of deferred maintenance.
People think the differential is profit. It isn’t really to the buyer, it’s an outright clue as to how bad the repairs are going to be. Repairs generally include materials and labor; labor is another variant of profit.
In this case the buyer pays the seller for NOT doing the maintenance. Later the buyer, provided they are not House Poor, ends up doing the work and pays the penalty.
We really do have to “do today” in security even though it may cost more a lot more.
It doesn’t really cost more, provided the entire chain of costs are included. However, W$ and Tech Oligarchs all plan to off load their products before they have to really pay the deferred costs. They call it “next version, new release” and roll the deferred costs forward as long as they can.
A kludge or kluge is a workaround or quick-and-dirty solution that is clumsy, inelegant, inefficient, difficult to extend and hard to maintain.