Comments

Clive Robinson September 3, 2022 5:59 AM

@ v,

“… way to dangerous to American civilians, private property, property rights, etc.”

Oops, letting your political petticoats show there…

“… no different than the shakedown artists of ISIS, al-Qaeda, the Khmer Rouge, Viet Cong, Viet Minh, Gestapo, Waffen SS, Nazi elites, or Bolsheviks… …and a pack of thieves just like the British Redcoats”

Oh and your lack of knowledge of history…

I could make other observations such as you probably don’t own a passport that has been used to get outside North America, further about your age, religion type, education and economic status.

But it’s probably better you should read,

https://www.npr.org/2022/09/01/1120576731/an-oklahoma-teacher-gave-her-students-access-to-banned-books-now-shes-under-scru

Thus you might learn why you are the way you are and why the US is as you say,

“This is why America is in decline. This is why America shall continue to decline and fall further behind… …advancing world and culture of science, engineering, technologies, industry and commerce”

You should try to get out and see the world whilst you still can. Especially how the world sees the United States as a Nation and why.

The funny –in a sad way– thing, is that the reason so many hate the US is because of the way certain US citizens have treated them, in their homes half way around the world either directly or indirectly.

And they, like you, get fed propaganda, so you all just hate and don’t look to see who is pulling the strings and who benefits and why. So you form part of a near zombie army, not aware of how you have been manipulated.

Do a little research, find out who are buying up “water rights” and then work out why. If you are unsure go back and study history from ten thousand years ago to the present day about “resource wars” and especially “water wars”. It’s something that will be coming soon probably after the “energy war” that is rising into prominence has got significantly kinetic.

Winter September 3, 2022 7:12 AM

@Clive, v

“Do a little research, find out who are buying up ‘water rights’ and then work out why.”

Al Jazeera is a very good complementary news source. It is often much better than any USA news source geared to the common public.

Who owns America’s water?
Not you. Not if you’re an average American citizen.

‘https://www.aljazeera.com/opinions/2018/6/9/who-owns-americas-water/

A local source example that can be replicated in most other states:

Wall Street spends millions to buy up Washington state water
‘https://www.seattletimes.com/seattle-news/environment/wall-street-spends-millions-to-buy-up-washington-state-water/

Burned September 3, 2022 8:31 AM

A note on royalty-free images: this does not mean free. You still have to pay to use the image, but no royalties (ongoing payments) are required for approved use. If you use them without paying for the license, understand that these companies have large teams of rookie attorneys just itching to penalize you harshly.

JonKnowsNothing September 3, 2022 9:51 AM

@Clive, @Winter, All

re: Water, Water Everywhere but None for You

Water Rights in the USA is a minefield bigger than a hot potato on a 115F day. It drives more of our politics than oil, although oil might get more headlines. It’s part of our Ag and MegaAg business which dwarfs both oil and high tech. It’s something that “we know about” based on where we live. It’s also something not often understood by others.

Generically: You can split water rights views down the Mississippi River Line: East and West. Diametrically opposed views and not much going to meet in the middle.

The West side is arid. Not a lot of water. The East side has good rains and the US American Rain Forest. (yes the US has a rain forest).

So those living where they have a natural oversupply of water have different agendas than those on the West side where water is limited.

I live on the West Side. Here you need to be mighty careful about any water that’s falling or puddling or ponding or running off. Lots of non-native-Western-inhabitants get into loads of trouble when they decide to build a koi pond…

Every drop of water that falls from the sky is owned by someone somewhere in the west. Whether you can “borrow” it temporarily to build that koi pond is a local, regional issue and rules vary by state.

In some western states, you can dig as many water wells as you have funding for, but you better not touch a drop of runoff flowing in the ditches.

Currently one battle is in Northern California. It’s an arid area where building developers created subdivisions but didn’t provide water or actually build out the division. You can buy a ready to build out sub for Not Much $$ but there isn’t any water. People moved there because the cost was cheap and live in what is called a Dry Camp. They have no wells, no city piped water. They either carry water drums down to a filling spot or spigot or they pay a water delivery truck to bring them water which they hold in cisterns or tanks. (1) The local police and city council have decided they don’t like these folks living in their county and have passed laws prohibiting the trucking in of water or carrying more than 100 gallons of water over the roads. The No Water No Truck Water Law is enforced in this area but not so much in other areas. There is no question about the safety of having cisterns or tanks (2) for water storage. No issue that the water is stolen (3). It’s all about the people who live in that area and only in that area.

===

1) If you live on top of the mesa area of the Grand Canyon you have dry camp and cisterns. There are no wells. Something to do with the depth of the Grand Canyon to reach the water table of the Colorado River at the bottom…

2) In my area, in the rural sections, one is required to have a 2,500 gallon tank or cistern just for the use by the fire department. Another 500 gallons is required for sprinkler systems in new housing. So you need a minimum of 3,000 gallons of dedicated water ONLY for fire department use. Water for personal uses is in a different tank.

3) People steal water. They can back up a water tanker to your Fire Tank and drain out 3,000 gallons of water in quick time. They can also steal the well head, pumps, wires, connections, solar panels from the wells.

Winter September 3, 2022 11:01 AM

@Clive, v, JonKnowsNothing
Re: Water

Many parts of the USA are facing water shortages and there is more to come [1].

But America is also experiencing a labor shortage that will only intensify [2].

The traditional plantation system in the American South came to a halt when a labor shortage in the industrial North lured away all the badly paid and even worse treated plantation workers, who moved North en masse.

No water means No agriculture and no humans. Someone will figure out that it is easy to get people who live in bad places to move to your factory or other jobs if you supply housing with clean water. And migrants will look for such places too.

The future of the arid South-West could be difficult.

[1] ‘https://www.nationalgeographic.com/science/article/partner-content-americas-looming-water-crisis

‘https://news.stanford.edu/2021/03/23/future-americas-drinking-water/

[2] ‘https://www.bloomberg.com/opinion/articles/2022-02-04/2022-worker-shortage-u-s-needs-to-boost-top-talent-to-stack-up-to-china

Nick Levinson September 3, 2022 11:05 AM

Student test-at-home room scans and law:

If students taking university tests at home are directed to camera-scan their rooms before testing, that may be unconstitutional in the U.S. under the Fourth Amendment, according to a district court ruling, despite the school’s claim that this had become widely accepted and the scan taking less than a minute, the judge questioning the practice’s efficacy and seeing this practice as starting down a slippery slope. This may extend to common law on privacy governing nongovernmental parties. See Ars Technica, The National Law Review, and Ballard Spahr (firm) and the official text of the opinion in Ogletree v. Cleveland State University (PDF) (URLs as accessed a few days ago, this week).

JonKnowsNothing September 3, 2022 5:10 PM

@Winter @All

re: But America is also experiencing a labor shortage that will only intensify

Let me challenge that statement with a slight alteration.

There isn’t a “labor shortage” anywhere. There are lots of people on the planet. The vast majority of them working at “something”.

What there is a “shortage of” are 2 parts of the labor force:

1) Highly Educated, Highly Technical people that have degrees in “something” deemed useful. Like, High Tech or Medicine. This group generally gets a significantly above average pay scale. In general, neocon-economies do not produce enough of these people to fill their needs. This is mostly because of sieving “funds and access” to educational programs. In order to make even a small dent in their requirements, they poach people who get better education and better access in their home countries and entice them to leave. Most often the neocon countries do not compensate the home country for the full costs or even a portion of the costs, or for the loss of a highly valued person, while at the same time charging the incoming “immigrant” exorbitant fees for visas, applications and all sorts of tack-on charges effectively rendering this class an indebted-bondsman to the new country.

2) Low Educated, Manual Skills, Stoop Labor. No one wants to do this work, not even the folks that do it want to do it. It pays poorly, it’s subject to all sorts of exploitation. The costs of the applications for “field labor” render the person debt-enslaved. In a fair number of countries their laws prohibit the person from leaving-at-will and confiscate their passports and documents to make sure they cannot leave no matter what the conditions.

So when statements such as “labor shortage” get tossed out, take a good look around you and check for yourself exactly what labor shortage they are talking about.

  • Would you have gotten a PhD or Medical Degree if you were not shackled with $250,000+USD of debt?
  • Would you have gotten a better education if your GPA was just .02 higher? Or your GMAT GRE score was 500pts more?
  • Would you have pursued a technical vocational program if it didn’t require extensive funding and extensive UnPaid Labor for n-years?
  • Would you have had a better work outcome if you didn’t get that Dear John letter: “All placements have been allocated.”?

The so called labor shortage is manufactured and maintained by the very people who need the labor and maintain the system.

In the USA we are having a neocon C2J moment. We have forgotten that, previously, our education system did not require extensive funds nor did it shackle students with life long debt. It was designed to turn out the very people desired in Group 1. The system was redesigned to the current format of PAYMEPAYMEPAYME under the concept that Everything Must Be For Profit. (1)

===

1) I do not think it is true any more but not too many decades past in France anyone who had qualifications to University could enroll in The School of Medicine. It was a 6 year program leading to an MD degree (general practice). The competition once admitted was brutal but didn’t need to be that way. At that time, there were no restrictions on access. The French decided to sieve the number of MDs by winnowing out percentages of each year’s admissions. It was tough to get to year 6 and get booted in the final rounds.

Leon Theremin September 3, 2022 5:39 PM

Cloudflare: “Blocking Kiwifarms”
https://blog.cloudflare.com/kiwifarms-blocked/

We have blocked Kiwifarms. Visitors to any of the Kiwifarms sites that use any of Cloudflare’s services will see a Cloudflare block page and a link to this post. Kiwifarms may move their sites to other providers and, in doing so, come back online, but we have taken steps to block their content from being accessed through our infrastructure.

Winter September 4, 2022 12:50 AM

@JonKnowsNothing

“2) Low Educated, Manual Skills, Stoop Labor. No one wants to do this work, not even the folks that do it want to do it.”

That is not what happens. In North America and Europe there is a shortage of all types of jobs. For instance, truck drivers are in short supply everywhere. These are neither unschooled jobs nor unwanted jobs.

If you look closer, at least in Europe, there are simply more open job positions than unemployed people who are looking for a job. Higher pay or better job quality will shift the problem but is not going to solve this shortage.

All efforts are now geared towards getting people who do not yet work full hours for personal reasons to change their minds.

In the end we have a growing economy with a shrinking work force due to demographics. [1]

There are indeed enough people in the world looking for a job, but these people are in different places from the jobs.

When I entered the work force, the saying was “we have ten candidates to replace you”, now it is “I have ten offers to leave for”.

In the end the solution will be either to let the labor force immigrate to the jobs or to see the jobs emigrate to the labor force. In the long term, there needs to be more automation.

[1] ‘https://www.forbes.com/sites/edwardsegal/2021/06/03/new-report-says-demographic-drought-will-worsen-labor-shortage-crisis/

JonKnowsNothing September 4, 2022 2:25 AM

@Winter, @All

re: Skills Shortages a Neocon Counter

There isn’t really any shortage or rather the shortages are model driven estimates.

Again, the shortages are manufactured and work as intended. They drive up the price of goods and the claim of insufficient workers really begs the question of “What labor at What price at What cost”. Neocon economies still operate on “The Least Cost Most Extraction Model”.

Your mention of truck drivers gave me a good chuckle. What I know about Truck Driving in EU is that the ones described by MSM come from the lower economic EU countries and the higher economic countries don’t want to Pay More for the Services.

I know much more about Truck Drivers in the USA.

The training program costs about $10,000 USD more or less. You get some time as a trainee driver riding with an experienced trucker. After you graduate you find that the pay per hour and per load doesn’t cover the costs of running the truck, paying the lease, the insurance and all the other aspects of maintaining a Big Rig Semi. A good majority of truck drivers are “contract employees”. They have the same issues as everyone in the Gig Economy. Low ROI. Big Investment. Buying your own rig means years of big buck costs. The turnover is nearly 90% of all trainees in the first 2 years.

Have you considered all the tactics Amazon uses to avoid forking over an extra $1.00 per hour for their warehouse workers? Truck drivers have even less clout.

Amazon already knows they will run out of potential workers soon. Not because there is a shortage of workers but because they fire a lot of them, the work is grueling, dangerous and there is little in the way of benefits, so when folks get hurt, they have to leave.

Amazon is not keen on rehiring people they fired nor do they want the sick and injured back on their payroll. They want new virgin workers. These last 3-4 months. Amazon wants them only for the Holiday Season. So short term work, followed by no work at all.

Amazon is so desperate for temporary workers they had a program to find Houseless Nomads living in trailers and RVs and offered them parking slots for their homes-on-wheels if they could do the grind at the warehouse. When they can’t keep up, that’s just tough.

Still Amazon can complain they need more workers. Amazon considers workers disposable, interchangeable, and acts accordingly.

So… manufactured shortages.

As far as High Tech Staff Poaching.

I’ve BTDT. Made a good leap a few times. Got lucky once and unlucky more times than I care to count. It happens rarely. Enjoy it while it lasts. What killed the Good Times in Silicon Valley? H1B visas, Contract Outsourcing, International Outsourcing, Velocity of Change and Fix It In The Next Release with Time To Market.

If you are truly worried about Truck Drivers, enroll in a course and see what it’s really like.

===

Search Terms

Bullock Driver

Five Miles from Gundagai [Roud 9121 ; AFS 64 ; Ballad Index MA095 ; trad.]

I’m used to punchin’ bullock teams across the hills and plains
I’ve teamed outback for forty years through bleedin’ hail and rain
I’ve lived a lot of troubles down, without a bloomin’ lie
But I can’t forget what happened just five miles from Gundagai

Nick Levinson September 4, 2022 2:35 AM

Metaverse and the Chinese Internet model were discussed on BBC radio. Technologists from People’s Republic of China are advocating within Internet governance groups for the Internet system that China wants nations to adopt and are saying that the Chinese model is needed for Metaverse.

If it is needed for that, one wonders if Meta or Facebook supports the Chinese Internet model, or if China simply wishes it did and Meta/Facebook doesn’t want to require it.

The Chinese Internet model would include more granular control, such as by denying someone access to the Internet and, I think, preventing anonymity. The U.S. supports anonymity even in Constitutional law granting free speech/press rights to the anonymous. Abuses of anonymity may be growing in visibility (e.g., the KiwiFarms case (@Leon Theremin)), giving the Chinese meat for their arguments.

(No BBC URL, since the BBC does not post its radio stories online. It was broadcast early today, U.S. Eastern time.)

Winter September 4, 2022 3:01 AM

@JonKnowsNothing

“There isn’t really any shortage or rather the shortages are model driven estimates.”

I do not know about the USA, but over here in Europe, these shortages are pretty real.

I cannot get anyone to do any small construction work AT ALL. Restaurants close their doors part of the week or keep part of their tables empty because they simply cannot find the personnel to cook or serve the meals. It is everywhere, and in every part of the economy.

I do know an international truck driver, and he is happy in his work, thank you. We also do know about low paid drivers from Eastern Europe, and the bad stories about that have disappeared during the pandemic. Transport firms simply cannot find enough drivers.

I even hear of companies that dropped job interviews and take anyone who shows up.

And the demographics are pretty real: The fraction of the population that is over retirement age is growing and the fraction of youngsters entering the labor market is shrinking. We knew it was coming for 50 years, and now it has arrived. Because they all looked the other way, they act surprised.

As the labor shortage is not a USA specific problem, but hits Canada and Europe quite as hard, any explanation that looks at some idiosyncratic USA political shenanigans can be rejected without looking.

Background reading:
Quits, big raises and severe labor shortages: 10 charts on the completely surprising 2021 labor market
‘https://www.washingtonpost.com/business/2021/12/29/job-market-2021/

JonKnowsNothing September 4, 2022 9:41 AM

@Winter, @All

re: Demographics and the True Cost of Neoliberal Economics

1) The demographics of the global population are changing. There is no doubt about it. Your worry that older people will cause problems in the economy has been tabled under COVID Triage and the Bank of Mom and Dad (1) and is Self-Limiting. At some point along the life line people die. COVID has knocked that down 2-3 years for some groups and 5-6 years for others: Self-Limiting.

It’s also another upcoming catastrophe for Neoliberal Economies: Once the majority of older people (that big boomer lump) die, all the people involved in Health Care for them will be SOL. This goes from the farmers growing special allergy free crops for special diets, to the people who do the laundry at the hospitals, to the ambulance manufacturers buying truck tires, all the way up the line. The old folks have funded what you are enjoying now, once they are gone, those behind will have to sort out a new option.

2) Construction Workers. For the construction problem, I have my own theory on this: It is the rise of Google and demise of The Yellow Pages. (2) It isn’t a labor shortage it’s a “Discover who is doing the work” shortage. When you pop phrases in the search box you get all sorts of crap results because Google’s AI doesn’t connect with what people are really looking for.

I too, have struggled to find contractors but it isn’t because they are not there, it’s because I cannot find a phone number and the YPages on the internet are … a joke … when it comes to finding reliable contractors.

My own recent examples of contractor hunting: House Painter, Roofer, Drapery Cleaners, Gardeners, Small Project Builders, Agricultural Fencing Contractors, Building Material Delivery.

Once I found them, by making many phone calls to near-related businesses and chain referrals, these companies had all been in business for decades, some were family businesses of multiple generations. They were there all along. No shortages. Just bad search results.

3) Restaurants and their labor problems. This is a very broad brush area and the restaurant industry is a huge spectrum of providers. One isn’t the same as another. One chain franchisee isn’t the same as another franchisee even though the corporation promotes “it’s the same thing” concept. (3) If you wish to delve into the labor problems of this industry it might be best to spec the parameters a bit more. A locally owned taco truck doesn’t have the same profile as a high end 3-star restaurant. They have similar critical paths of how to provide food service but not the same scope or financial profiles.

===

1) Exchanges detailing the economic benefits and costs of the deaths caused by COVID may be found in the archives or perhaps the wayback machine under titles of The Bank of Mom and Dad.

2) Yellow Pages was part of a physical telephone book listing that was delivered 1x or 2x a year to every house. The White Pages listed residential phones by name. You wanted to look up your friend’s number, you looked up their name in the White Pages. The Yellow Pages were dedicated to businesses and commercial enterprises. This was sorted by category. If you needed a roofer, you looked under roofing. The books listed people within your own geographic area. If you live in San Francisco, the book held listings for that area. If you live in Muskogee Oklahoma you got listings for that area. A physical book may still be delivered but is far from the previously extensive listings.

3) For a humorous view of “It’s the same thing” see the comedy routine on the topic by George Lopez.

Winter September 4, 2022 11:08 AM

@JonKnowsNothing

“I too, have struggled to find contractors but it isn’t because they are not there, it’s because I cannot find a phone number and the YPages on the internet are … a joke … when it comes to finding reliable contractors.”

You are way too US centric. USA, Canada, Europe, Japan, and in a decade or so, China have a demographic change coming when 1/3 (and more) of the people are too old to work. And they get older and older before they die. Look at Japan if you want to see the future.

We have local websites for and by contractors (with customer reviews). There are enough of them listed, but they do not have time for new clients. Some development projects run into delays due to lack of people to do the construction work.

In a recent situation I could hire good people. They were all from the eastern edges of the European continent. I know for sure they will go back when they can make a living there, just as Poles, Romanians and Bulgarians have already done. Which leaves us with even less choice.

And it is not “some” restaurants that lack people, it is all restaurants, pubs, and hotels in Amsterdam.

“Your worry that older people will cause problems in the economy has been tabled under COVID Triage and the Bank of Mom and Dad (1) and is Self-Limiting.”

Europe has a patchwork of national healthcare and pension systems, but most if not all people are covered. Manipulating these massive pots of money is suicide for any politician. We know, because elections were lost over pensions and healthcare.

However, having money to spend is useless if you have no people who can take it to do the work. If more people want services than there are services offered, this leads to inflation, the money you saved is worth less than you think.

Bloated Cow September 4, 2022 12:17 PM

@JonKnowsNothing, @Winter, @All

This just crossed my newsfeed. (Analysis for USA.)

hxxps://www.axios.com/2022/09/03/a-deep-dive-into-the-labor-shortage

The big picture: Folks retired (see item 2). They got COVID (see item 3). They failed to immigrate (see item 4). They couldn’t find childcare (see this story from Axios’ Emily Peck). They couldn’t afford housing near millions of the jobs that were open.

Winter September 4, 2022 1:32 PM

@Bloated Cow

“Folks retired (see item 2). They got COVID (see item 3). They failed to immigrate (see item 4). They couldn’t find childcare (see this story from Axios’ Emily Peck). They couldn’t afford housing near millions of the jobs that were open.”

Very good description of the problem and the unhelpful “nationalist” policies.

Clive Robinson September 4, 2022 2:21 PM

@ JonKnowsNothing, Bloated Cow, Winter,

Re : Age of mortality falling.

“…the economic benefits and costs of the deaths caused by COVID may be found in the archives”

I mentioned the other day that the excess mortality rate was up by 20% over the five year average in the UK whilst not so much in the US which had a massive increase during C19 which as you note,

“COVID has knocked that down 2-3 years for some groups and 5-6 years for others: Self-Limiting.”

Which is actually a small amount, due in the main to the quite poor life expectancy in the US which is possibly below 60 years for some demographics.

In the UK however in most affluent places the life expectancy was above 80 years. So the drop in life expectancy of a 20% increase in excess mortality is going to cause major issues very soon… In fact I can see the average life expectancy to crash down through the stepping increase in the pension age. It was 65 but is now 67 and due to go up one month for every year you were born after 1970. But in England they are looking at upping “the pension age” yet again even though life expectancy is going to crash down (C19 mortality is still something like six times that of flu mortality).

Children / adolescents of the post war years may be the last to routinely live beyond 80…

The situation in Europe is not going to be much better…

As for the far East of Europe, well life expectancy in the old Soviet Republics where “cheap labour” still comes from was not that high before C19, what it will be now does not look at all good.

Then there is long covid, and disability to consider. There appear to be three basic groups[1],

1, Neurological symptoms such as fatigue, brain-fog and headache.

2, Respiratory symptoms including chest pain and severe shortness of breath (which could point to lung and heart damage).

3, Diverse symptoms including heart palpitations, muscle ache and pain, and changes in skin and hair.

[1] See KCL / Zoe report from last month,

‘https://www.kcl.ac.uk/news/three-types-long-covid-people-experiencing-symptoms-12-weeks

SpaceLifeForm September 4, 2022 3:14 PM

@ Steven, ALL

re: Australian Signals Directorate coin

I suspect there exists a 6th and 7th level of encoding/encryption, yet to be found.

‘http://senwerks.com/hacktheplanet/Solving-the-Australian-Signals-Directorate-cryptography-challenge-coin.html

“It took a while, but eventually we figured out the inner circle is actually just binary, and the letters themselves don’t matter at all.”

I believe that is a false conclusion to reach, which may keep one off of the trail. The inner circle letters must mean something else besides morse code. They appear to be tied to the outer ring.

If they were only intended to convey morse code, there would be no reason to make some of them bold.

Note the non-alpha engraving on the bottom of the inner ring.

Kudos to those that put in the effort to design this coin.

SpaceLifeForm September 4, 2022 4:43 PM

@ Clive, ALL

False Positive?

I suspect it is a UAF exploit in Chromium and V8. Detected just yesterday.

‘https://teddit.net/r/computerviruses/comments/x5idjw/help_behaviorwin32hivezy/

‘https://m.slashdot.org/story/404295

Note: Firefox does not have this problem, because it does not use the V8 JavaScript engine.

It is interesting that the Windows Defender quarantine keeps failing, which is a hint of a clever obfuscation attack.

lurker September 4, 2022 6:17 PM

@SpaceLifeForm
False positive?

Detecting anything associated with .js as malware must surely be a step forwards. V8 should be an opt-in extra, not a burden.

Ismar September 4, 2022 7:04 PM

@SpaceLifeForm
There are multiple other applications apart from the Chrome browser running on top of Chromium (Electron) such as Visual Studio Code and Slack, to name but the most well known ones.

JonKnowsNothing September 4, 2022 7:04 PM

@Winter, @Clive, All

re: Finding what you need based on a website

While I can sympathize with your difficulty in finding a contractor capable and able to do your project I can point to a significant problem:

“We have local websites for and by contractors (with customer reviews). There are enough of them listed, but they do not have time for new clients. Some development projects run into delays due to lack of people to do the construction work.”

I will make a basic prediction that if THIS is the method you are using to find what you need, you aren’t going to be successful in the near term.

This of course depends on the project, the scope, the cost of materials, the cost of labor, the time for design, and if you have my local problem, the hours spent satisfying local regulations and getting permits.

So, if we reduce the scope of discussion to say a 1 or 2 day project with minimal materials costs and no requirements for local permits or design submissions and waiting on permit approvals, we might gain some insight into the difficulty.

First Problem: You are being inconvenienced. You may never have had to wait for anything in your lifetime and it’s not comfortable now. It doesn’t fit into your view of what your expectations should be. The pub is short handed, someone got COVID and passed it to the kitchen staff. You can’t get the round of drinks with your chums: inconvenienced. Planning a garden party for that new construction project but the current eta is 3 years: inconvenienced.

So now we can delve past the “I want it when I want it” view, into some harder truths about the global economy.

Consider carefully, Pretend: (USA style)

You are a small contractor. You don’t have a fancy phone. You don’t have a fancy car. You have a pickup truck, well used, more than a few dents. You do small jobs that don’t take too long and you don’t have a crew of thousands at your disposal. You might have a colleague that will help or maybe you have to resort to “The Shape Up”, to bring in manual hard labor muscle.

You might make $1,000 USD per job gross. From this you have to pay taxes, your help, materials (hopefully not too many) and you can split this into $500 labor and $500 materials+taxes.

You get your jobs by Word of Mouth referrals. You aren’t going to invest in a fancy website. You aren’t going to split your fee with the General Contractor running that website who will take 50% of the total job price, leaving you with half.

You have a few regular clients, that need work done periodically. Maybe replacing the innards on a toilet. Fixing a screen door. Re-grouting the tile in the bath.

Then comes a Big Whale with a 4 week job, willing to pay you $40,000 USD if you get it done before the holiday.

What would you do?

Having been in the same position with many small technical clients, I tell them NO.

Because the scope is too large for me to do in short time. The Critical Path is too rigid a time frame and it doesn’t allow for SNAFUs.

I’d need to hire a bunch of HopeTheyKnows to do the install, and if they screw it up, I’m the one that gets sued.

I would tell them, I can do the job over time. Not all at once. If that’s OK then we can proceed. If not I point to the Big Dog Tech Companies and wish them the best of luck.

I can also tell you that most of those companies that insisted it be done by the holiday, didn’t get the project done by that time. The budget overruns stripped their bank accounts and the installation doesn’t work.

I often would get a call to come and sort out the mess. Sometimes I did so and sometimes after seeing what was installed I backed away.

So your small contractor is in a similar business category. A one person shop.

If you want to build a Mega-mansion and have $Millions to spend, you can find people lining up to do that. Good work, lasting years, extensions, add-ons, a cash flow feed trough wide enough to buy that private island.

If you want a contractor to fix your garden gate, I’d look elsewhere.

Winter September 5, 2022 12:33 AM

@JonKnowsNothing

You are being inconvenienced. You may never have had to wait for anything in your lifetime and it’s not comfortable now.

I can appreciate this insight into American life, but nothing you write is applicable to where I live.

First of all, the labor shortage is real, like the links I and others describe from various angles. We see it everywhere, from relatives who tell us their employer cannot find them new colleagues, to painters who can schedule your job next year at the earliest, to restaurants who keep half their tables empty or close extra days.

You are a small contractor. You don’t have a fancy phone. You don’t have a fancy car.

Every school kid has a smartphone nowadays. SIM-only contracts are $10/month for 10GB/month (real full-speed download). So, that is not really a thing.

About my personal (im)patience or preferences, that is irrelevant to all the reports about the labor crunch you can find from every country and every part of the economy.

I think you should just admit to the fact that the demographic shift is real. Immigrants did come to do useful work. Stopping immigration has real effects.

Clive Robinson September 5, 2022 1:27 AM

@ lurker, Ismar, SpaceLifeForm, ALL,

Re : MS screws the pooch during Sunday Worship…

“Detecting anything associated with .js as malware must surely be a step forwards. V8 should be an opt-in extra, not a burden.”

Amen to that, now if the choir will turn to page 21 and sing “fight the good fight, with all your might”…

@ Ismar,

“There are multiple other applications…”

Yup, perhaps the very old Scottish lament “Waly Waly” most know as “The water is wide, I can’t cross over” might be a better song to sing…

@ SpaceLifeForm, ALL,

“It is interesting that the Windows Defender quarantine keeps failing, which is a hint of a clever obfuscation attack.”

Or as it appears a major “Cluster Duck” issue[1].

But let us be honest, it was going to happen sooner rather than later, and I’m surprised it’s taken this long. Because it’s a direct result of “code reuse”…

We know from biology that “hybrid vigor” (heterosis)[2] is a “double edged sword”. That is, it can give evolutionary advantage or, considerably more often, disadvantage. The trouble is “upside thinking”, sometimes called “investors folly”[3]; it’s a non-rational behaviour where a person only sees the potential profit, not the very real danger of complete loss.

The XKCD cartoon that came out after the Log4J incident points it out rather nicely…

From a Security perspective “common code” is really something that should be avoided for essentially three basic reasons. The first is it potentially introduces “common vulnerabilities”. The second is usually it carries needless “excess complexity” which is what you might call a “vulnerability pattern”. And thirdly it’s a “recognizer” which is what looks like what has happened here.

At its simplest a “recognizer” is like a search key, or byte pattern that acts like a pointer in memory: when you find it you assume you know what is going to follow. But as I pointed out back in the 1980’s, executing code has a signature that can be recognised and used as a “trigger” for a “Fault Injection Attack” (though the idea of code producing an EM signal goes back to the 1960’s with people getting code to play tunes on AM radios, so I’m probably not alone in my observation). As computers developed a little excess power in the 1990’s and computer viruses had become a problem, Anti-Virus developers started to look for “code behaviour” as a recognizer. Now we have “Artificial Intelligence” doing the same thing.

Whilst recognizers have their advantages they also have their disadvantages. That is they can produce an undesired action…

With “code reuse” if the code recognizer triggers an undesired action then it’s almost like a DoS attack… Which is what we’ve seen here.

[1] “Cluster Duck” is one of those terms like “A Custard” or “(ab)user” that have been thought up by “tech support staff” over the years. It is a conjoining of two well known sayings, in this case the rude word has been replaced with a word from the “If it walks like a duck…” saying, linking the two sayings together. Less obvious is “Custard” which is the conjoining of CUST-omer and bar-STARD (You sometimes hear people say “Bar-Steward” for similar reasons). Likewise “(ab)user” goes back to the 1980’s where marketing departments classified potential customers by types like “ab1” being one of the supposedly more lucrative but actually often a PITA due to their self-entitled ways.

[2] Heterosis, or hybrid vigor, is a random event that occurs in the children / offspring of unrelated parent plants or animals. The offspring develop hybrid characteristics of the parents. If the hybrid possesses one or more superior traits, this can be advantageous and give evolutionary advantage. However, as has been seen with “closed stud book breeding”, the hybrid results can be very undesirable and are considered genetic defects.

[3] The “investors folly” notion is what lies behind why scams / cons like “Pump and Dump”, “Crypto-Coin” and “Non Fungible Tokens”(NFTs) exist. The most frequently heard explanation is “Black Tulips” or “Tulip Mania” from nearly four centuries back in Holland (Haarlem, Feb 1637). The actual issue is some people lose sight of reality and only see the “upside potential” not the “downside potential”, or do not realise that some things really are zero sum games and they are not going to be on the plus side at the end. So they effectively “go all in” and “go down in flames”. Especially when a “good” has little or no intrinsic value, only the perceived value of the speculator.

Blaziken September 5, 2022 2:21 AM

@SpaceLifeForm

Note the non-alpha engraving on the bottom of the inner ring.

That says “ASD” in the marketing font designed for them. See ‘https://www.cre8ive.com.au/work/asd/

JonKnowsNothing September 5, 2022 7:19 AM

@Winter, All

re: Shifting Economic Goal Posts

I doubt we can connect up on the issues because they are rather slippery and perhaps I am less able to communicate my insights.

Demographic shift in Age is quite real. Within a short time the large lump of Boomers is going to die off. The WW2 folks are gone except for a small remainder. The Boomers are next on the die-off listing; with a bit of help, they will die off faster. So what’s “faster”? At the upper end the boomers are 80yo. At the bottom end 70yo. Of course that depends on where you start and end the Boomer period. So SWAG that as you like.

The neoliberal economies are worried about the costs of this time frame: 10-20 years. The biggest part of the boomers will be gone in 10yrs or perhaps less. Being in that age group makes you vulnerable to all sorts of conditions, so it’s possible the lump will start contracting in 5yrs.

5yrs is a long time but not in economic policy modeling.

Immigration issues from both Global Climate Change and Economic and War conditions are also real. However I was not referring to any of these issues in my posts.

Localized Economics and Downshifting. A good number of people are downshifting out of the economy and also out of high tech. It is perhaps a blind spot for those of us who have made our careers out of high tech that there are actually lots of people who cannot use it because they cannot afford to use it. There are certainly aspects of this downshifting that intertwine with many other aspects. Not everyone has ditched their smartphones, but a lot of people can no longer afford them and so have ditched them. It is an irony for this group that having a smartphone is nearly mandatory to access Official Assistance Programs.

Like many dystopian novels, those on the one side never see what’s going on with the other side until they find themselves on the other side too. No manner of warning kicks in until the reality hits the protagonist hard.

If your view is that $10/month is a snap, I doubt you’re near ready to see that it is not.

Our discussion of the costs of finding a contractor on the web vs finding a contractor by word of mouth is an example of downshifting. There are several economic forces at work: the cost of tech, the cost of the middleman, the cost of layered fee scraping. Until a person has experience with how this impacts every aspect of economies, it’s hard to get the idea across.

The small contractor and the gig worker and the zero days worker and the no pay worker all are part of the downshifting.

It isn’t that they are not working, it’s that they are invisible as individuals.

===

Search Terms

TRONC scheme
A tronc is a separate organised pay arrangement sometimes used to distribute tips, gratuities and service charges.

Winter September 5, 2022 8:00 AM

@JonKnowsNothing

If your view is that $10/month is a snap, I doubt you’re near ready to see that it is not.

If you are a contractor, it is a snap. If you cannot afford it, you can take one with less data, say 5GB/month for $7.50. If it is necessary to make money, it is like filling up gas.

Within a short time the large lump of Boomers is going to die off.

It is not that they die. But most (post)boomers are retired or will be soon. That is fewer people to work. Having money is useless if there is no one to take it.

Immigration issues from both Global Climate Change and Economic and War conditions are also real.

In this context, immigration is just a source of labor, nothing else. People who work in exchange for money. Less immigration, smaller workforce.

A good number of people are downshifting out of the economy and also out of high tech.

Not all countries have the inequality of the US. But you will find smartphones everywhere in the world. I live in a densely populated country (like a single big city if you are used to the US). I do not see or hear much about downshifting. There is the digital divide, and everything is indeed digital now. But that problem has been solved by always having a non-digital alternative: telephone, surface mail, or a counter to do business.

SpaceLifeForm September 5, 2022 4:09 PM

@ Ted, Clive, ALL

Twitter v Musk

Mark your calendar. September 13.

First, I want to note that Bruce added a link to an earlier article a few days ago, which probably flew under your radar.

https://www.schneier.com/blog/archives/2022/08/mudge-files-whistleblower-complaint-against-twitter.html#comments

For your convenience, this is the link he added. Worth a read, not long.

‘https://www.kolide.com/blog/the-twitter-whistleblower-story-is-worse-than-you-think

As to September 13, I may be the only one that has been paying attention, because I have seen no one else connect the dots.

On September 13, we have two quantum entangled events.

We will have:

  1. Peiter “Mudge” Zatko (@dotMudge) testifying to US Senate Judiciary Committee
  2. Twitter Shareholders voting on the Musk “Offer”

Note that the announcement of the hearing was two days before the Twitter board announced the shareholder vote. July 24 and July 26 respectively.

Gut feel call here: The shareholders will vote against the Musk “Offer”.

My hunch is that Musk has plenty of leverage, will end up taking control of Twitter for way less than $44B, and will clean house.

He already has more shares than the entire Board of Directors. They are shaking in their boots.

vas pup September 5, 2022 4:38 PM

Israeli startup touts AI-powered virtual lifeguard, Mylo, to prevent pool drownings

https://www.timesofisrael.com/israeli-startup-touts-ai-powered-virtual-lifeguard-mylo-to-prevent-pool-drownings/

“Coral Smart Pool was founded in 2015 by entrepreneurs Eyal Golan (not the famous, controversial Israeli singer) and Dr. Tamar Avraham, and is named after Coral Sheri, an 11-year-old Israeli girl who fatally drowned with her friend Or Koren in the private swimming pool of her Savyon home in 2014.

Following the tragic incident, Golan, a homeland security expert, looked for technology to secure his own private swimming pool but came up empty-handed. He co-founded the company a short while later to harness advanced technology in the fight against accidental drownings.

Coral uses sensors and above-pool and underwater cameras to continuously monitor people in the pool and detect signs and movements of drowning using artificial intelligence (AI) and computer vision. It comes with a separate home unit that can receive alerts and an accompanying app that can view inside the pool.

The device, said Bisharat, has been trained on hundreds of hours of videos showing real people in water distress, as well as simulated scenarios of drowning, that make up the company’s proprietary software. “We’ve been doing this training since 2018 and have accumulated a great amount of data — four years’ worth — that makes the device smarter. So we have that advantage,” he said.

Mylo can detect two types of drownings, Bisharat said. “One where people sink to the bottom — like young children — and one where they show signs of distress, or pre-drowning.”

Coral’s Mylo device is outfitted with a number of features ranging from water quality monitoring for things like debris and chemical levels to lifestyle and wellness applications.”

Clive Robinson September 5, 2022 7:12 PM

@ SpaceLifeForm,

“So, why does Judge Loose Cannon issue a ruling on Labor Day when all Courthouses in the U.S. are closed for a National Holiday?”

Possibly because the DoJ and FBI agents are not on holiday.

It appears the FBI/DoJ have already not adhered to the requirements of “privileged communications” handling, therefore it could be easily argued that such unlawful behaviour would continue without Judicial Check.

The law that says courthouses should be closed on certain days, is not there for the prosecution or defence personnel but court personnel such that they get “a holiday”.

Something tells me the labour day holiday would not stop the FBI/DoJ seeking a warrant or other similar order if they had an excuse. But they would not need to…

That excuse for not seeking out a warrant is “Exigent Circumstances” and all too frequently it’s used as an excuse to “game the system”.

There is supposed to be “equity of arms” in the Old English and thus US judicial systems. Giving one side “Exigent Circumstances” but not the other is not giving “equity of arms”.

Which could give rise to all sorts of FBI/DoJ gaming in the future over and above all the nonsense they currently get away with because judges just look the other way for various reasons (Federal Judges may not be elected but their career progression is still not fully independent).

What’s of rather more interest is that the judge may just have set case law with regards continuance of “executive privilege” for an individual beyond their elected office period…

If that gets traction all sorts of interesting side effects will come leaping out of the wood work like termites on speed…

So expect all sorts of fun and games over the next few days.

But the real issue is not the documents but yet again the “politicization of classification action”. Do I need to say “Email Server?”…

Clive Robinson September 5, 2022 7:37 PM

@ SpaceLifeForm,

Re : Twitter v. Musk

I’ve already said,

“The Twitter CEO is making at best unsubstantiated claims, then getting other unnamed individuals to make claims that at best are dubious.

On balance of probability I would now say that all of Twitters claims should be independently investigated for veracity.”

The fact that there is an unseemly hurry “by the judge” really calls into question her impartiality and people should ask why she is “rushing her fences”.

Let us be honest, the deal is dead and there is a serious question of criminality overhanging at least four members of Twitter’s governing board.

As I’ve also noted the share price history suggests the Venture Capitalists were trying an unlawful “Pump and Dump” and for various reasons left things too late.

The Musk Offer came along after their mistiming and they have jumped on it like a drowning man to a straw…

As I’ve said the FTC and possibly the SEC should be considering rather more than just fines, they should be looking at stopping some of those involved ever being able to hold any controlling position in a company in future, either by long term jail sentences, disbarment, or preferably both.

The venture capitalist market really does need a significant shake up, especially with regards HiTec Corp behaviours, and Twitter’s egregious behaviour obviously provides such an opportunity.

Ted September 5, 2022 9:08 PM

@SpaceLifeForm, Clive, All

Re: Updates on Twitter security and Hearing

It’s a good article. It’s not overly alarmist. I hadn’t necessarily been expecting a behind the scenes exposure of the company’s security practices.

It’s hard for me to gauge the significance of some of these revelations. Does it matter if they’re common? To what extent is any activity illegal?

I’m really looking forward to the hearing though. I’m glad you mentioned it. It’s not listed on the Senate Judiciary site yet, but there was a committee press release and we’re still one week out.

I was just looking through some other hearings. And there’s a few others I wouldn’t mind listening to including:

“Digital Dragnets: Examining the Government’s Access to Your Personal Data” 7/19/22
https://judiciary.house.gov/calendar/eventsingle.aspx?EventID=4983

JonKnowsNothing September 5, 2022 10:48 PM

@ Clive @ SpaceLifeForm

re: Court Holidays USA

iirc(badly) Justice and Police are never on Holiday. There is always someone holding the rudder. 24×7.

We have a staggered tier of Judges and Magistrates and they have an On Call Rotation, like medical professionals. They have to be available at all levels all the way up to SCOTUS.

Filings can be released at different times than their creation. There are timetables and guidelines about what has to be done at what time. Missing a deadline has serious consequences. Not providing required time for review also has serious consequences.

Criminal Courts and Civil Contract Courts have different schedules.

Clive Robinson September 6, 2022 2:01 AM

@ SpaceLifeForm, JonKnowsNothing,

Re : Ghosts in the machine.

It would appear that what I responded to has like a ghost in the night become in the cold light of day not apparent to my eye…

SpaceLifeForm September 6, 2022 3:53 AM

@ Ted, Clive, ALL

re: Security practices and illegal activity

The Board of Directors has a Fiduciary Duty to the stockholders. The stockholders expect that there will be no Unjust Enrichment for the BoD.

If the BoD does not care about security practices, maybe that is because they are making a personal profit by looking the other way.

‘https://www.nasdaq.com/articles/twitter-settles-shareholder-derivative-lawsuits-2021-01-26

‘https://www.prnewswire.com/news-releases/twitter-announces-proposed-settlement-of-shareholder-derivative-lawsuits-301214335.html

By allowing insecure network security to insiders and outsiders for profit.

https://www.schneier.com/blog/archives/2022/08/mudge-files-whistleblower-complaint-against-twitter.html/#comment-409320

JonKnowsNothing September 6, 2022 8:01 AM

@ SpaceLifeForm, @ Ted, Clive, ALL

re: Popcorn Time in Sept

While you are nuking up a batch of popcorn (don’t forget you can season it many ways: salt, sugar, spicy, herby or make fruit balls by rolling it together with chopped dried fruit) keep track of the different pathways that will be discussed.

While for us on the outside, it might seem All The Same it’s not. Each nuance may lead to a different setting and different outcome.

SEC is not a Criminal Court and is not a Contract Court. They are 3 different courts and 3 different lawsuits may find their way to them.

US Congressional Investigations are “investigations”. They are not criminal courts but they can uncover criminal activity. Such activity is passed along to the Dept of Justice and/or the FBI for evaluation. Dec37 proceedings are an example.

There are prescribed accounting and reporting systems used by the SEC and by the different stock exchanges. They have rules and these rules may differ one exchange to another. In the USA we have 3 sets of rules that may be invoked. Accounting or GAAP (generally accepted accounting principles), Stock Market Regulations and Taxation Laws. There is overlap but not necessarily.

GAAP rules are about how to account for stuff on reporting documents. Every business, even hobby businesses, may have these. Cash flow, Income Statement etc. In broad terms: ((sum of debits) minus (sum of credits) == zero). Not every country has these rules and some countries have no rules at all.

Taxation Laws are about paying the Federal, State, County, City levies from the proceeds of business operations. The rules on how the accounting is done, differs from the normal GAAP rules. In general (net proceeds from operations * tax rate = amount to transfer to the government). What constitutes net proceeds differs from the standard GAAP rules.

Stock Market Regulations are about providing a publicly accessible online auction system to qualifying businesses with enough supporting documentation and funding determining authenticity (not a fake business), so they can exchange paper for paper (certificates for money). Stock Markets are nothing more than auction houses, although great sums of money pass through them daily. The rules are intended to keep the auction bidding and selling at a transparent level. It is also tied directly to gambling systems, such that people are enticed to think “they can make more money on resale” and will bid against The House.

If people do not make more money on resale and it’s discovered that the company fudged some “material aspect” of their GAAP reporting, there are penalties that can apply. If it’s also found that the fudged number reduced the amount of funds paid into the taxation coffers, a taxation case may result. If it’s determined that there was a criminal aspect to the fudged number then a criminal case may follow.

Generally: In the USA, there is no way to clean ownership-title to something that was illegally obtained. Other countries do have wash-it-clean laws, that allow stolen items to become the legal property of a new owner, but not the USA. Any monies earned from such stolen goods and reported as legal goods would have serious GAAP issues and also legal problems galore.

So, while the news rolls along, tick the different boxes being reviewed. There will surely be efforts to misdirect people and of course, influence the court, about what is before that jurisdiction. Keep in mind, that there are multiple avenues in play. Keeping box scores will help sort out what’s being discussed for the different venues.

Ted September 6, 2022 9:02 AM

@SpaceLifeForm, JohnKnowsNothing, Clive, All

Re: Twitter

I’m glad you’re doing some continued research. It’s important to have the facts and understand the environments in which Twitter operates.

To throw a few more thoughts out there, the WaPo adds that Twitter is vastly smaller than some of its social media cohorts. Meta, for example, has 12 times the user base of Twitter, close to 12 times the number of employees, and earned $28 billion in revenue last quarter compared to Twitter’s $1.2 billion.

https://www.washingtonpost.com/technology/2022/09/04/twitter-mudge-alethea-resources/

JonKnowsNothing September 6, 2022 12:14 PM

@Ted, @SpaceLifeForm, Clive, All

re: Organizational Size as Yard Sticks

It is useful to know which yardsticks are being used in the run up to the court cases but there isn’t much it does in real terms.

Each side will have their own yardsticks and saying the other side’s version is not correct. The yardstick that matters is the one in the regulations.

Businesses fit into classes by size or by revenue scope. A small high tech firm can make huge amounts of money with nearly no staff (btdt). Huge employers with an enormous payroll base may struggle to make a reportable profit (btdt2). Both groups will minimize their profit statements regardless of the number of employees, to minimize their taxes.

For GAAP, profit is just a number based on addition and subtraction of different categories. There isn’t any GAAP rule that says a business has to be profitable or earn a ROI or have any particular employment stance. The only thing any business needs is CASH or CASH FLOW. You can run a zero-profit, negative-profit company for years and years, as long as you have Funding/Cash to pay the bills. If you do not score a profit within certain time frames, you may run afoul of taxation laws about your business model: is it a hobby or does your business have a chance of making money sometime in the future? If your business is declared a hobby, you will fall into a different tax code section. If your business has no chance of ever making a profit you may fall into the fraud section of the tax code. Sometimes called the 2in7 rule but it’s flexible depending on the business. ex: a vaccine research company might go 20-30 years with no profit, still have ample funding to pay the bills and employees, and IF their product is realized and successful, the profits (and future tax revenues) will more than offset the 20-30yrs of no-taxable income.

The size of the company does play a part in which stock exchanges it can be registered with. Tiny companies are called Penny Stocks and trade on a different exchange than NASDAQ. A company whose profits are in terminal decline will get “delisted” from the bigger exchanges but can relist with the smaller exchanges.

Operational concerns do relate to the number of employees, the cash/cash flow situation and the management of the company. The level of what is “material” can vary with size. A 100 person company generally does not have the resources of a 100,000 person company.

  • Having virus checkers for all employees, all contractors, in every venue and location may be material, but it may not be, depending on what the concerns, challenges, law suits allege happened or didn’t happen and the rebuttal may deflect those concerns. If deploying such a virus checker is illegal in other countries or jurisdictions it may not be a problem at all.

Then there is the allegation that 5% of X is too low a number and 10% is a better count. Does that make any difference in the operational scope of the business?

  • If a company downgraded their sales by -5% in order to diminish their tax liability and they do not have a legitimate GAAP ruling for that change, that could lead to a problem with the IRS tax code.
  • A company that added +5% and puffed their earnings up by that amount, and paid taxes based on the puffed numbers, might be in trouble with the SEC and criminal agencies for fraud.(1) It may not rise to any of that at all. 5% is quite a small number (2). There are plenty of statistical methods that could lead to that much flex and as long as it was consistently applied across the entire accounting structure it might be allowed without any negative consequences (see percentage estimates of field plantings, growth, and harvest).

===

1) Search Terms

The Billion Dollar Bubble

Equity Funding Corporation of America

2) 5% as a small number

see the statistical counts and rebuttals over the deaths, cases and on going illness for COVID.

SpaceLifeForm September 6, 2022 3:21 PM

@ lurker, Ismar, Clive, ALL

re: False Positive?

It may not be a direct UAF exploit in Chromium and V8, but in C code (Mojo lib), but exploitable using the V8 to drive it.

Microsoft probably had the exploit info from Google (or reverse), and jumped the gun deploying new Windows Defender rules before the fix could be rolled out.

That it took multiple iterations for Microsoft to attempt to fix the Defender rules, tells me they just gave up and backed it out, because it was causing too much breakage.

So, at this point, the hole likely continues to exist, which is why Google is staying quiet for now. No deets.

Updating the browsers is the easy part.

Note that as soon as patches start to appear, the bug will be Reverse Engineered, and further exploits will be developed. Those that are not in good position to quickly upgrade Electron apps will become low hanging fruit. It will be a mess.

https://www.bleepingcomputer.com/news/security/google-chrome-emergency-update-fixes-new-zero-day-used-in-attacks/

SpaceLifeForm September 6, 2022 4:04 PM

@ Clive, JonKnowsNothing

re: Ghosts in the machine

All Times are CDT.

Yep. My comment was at 5:16 PM which you obviously Observed later as noted at 7:12 PM. Interestingly, at some time in between, it had already disappeared to me as Observed via a different network route. Do you recall the time when you first spotted the ghost? Was it still visible at say 7:00 PM to you? Or had you pulled up the page closer to 5:30 PM and then started reading thru the comments?

https://www.schneier.com/blog/archives/2022/09/friday-squid-blogging-squid-images.html/#comment-409688

SpaceLifeForm September 6, 2022 5:35 PM

@ ALL

Some mammals can actually get along.

This is from Kharkiv, Ukraine. Brought tears to my eyes.

Short video that may indicate that there are some that understand security issues and threat detection.

‘https://nitter.net/HannaLiubakova/status/1567051177132494851#m

lurker September 6, 2022 6:48 PM

@SpaceLifeForm

Mojo, a collection of runtime libraries that facilitates message passing across arbitrary inter- and intra-process boundaries

Well, nothing could go wrong, could it?

Clive Robinson September 6, 2022 7:10 PM

@ SpaceLifeForm,

Re : Ghost in the machine.

“Do you recall the time when you first spotted the ghost?”

No, but I do know I took time to reply because I had a lengthy phone call of around 40-50mins in the middle of replying.

Clive Robinson September 6, 2022 7:22 PM

@ JonKnowsNothing,

I think you and I are looking at things in different ways.

When you say,

“The yardstick that matters is the one in the regulations.”

You miss out the pertinent point that –as you earlier noted– there are different sets of regulations, and the outcomes will depend on “which order they are applied”.

The order in the English Justice system is breach of a public duty before breach of a private duty. Thus time is generally ruled out as a factor.

As you note in the US things are somewhat different not least because there are Federal legislation and regulation as well as one or more State level legislation and regulation. Thus the time order has importance in the US justice systems.

Hence my point about the State level judge apparently moving with unseemly haste.

ResearcherZero September 6, 2022 7:43 PM

If you need more water, give Siemens a call…

In 2013, the City of Jackson entered into the $90-million performance contract with Siemens to upgrade Jackson’s sewer lines and water-treatment plants and to install a new automated water-sewer billing system. Court records show that, in the months leading up to the contract, Siemens had promised $120 million in “guaranteed savings” for the city. The corporation stated that the new water-sewer repairs and billing system alone would generate enough savings to pay for the $90-million project.

The City argued in the lawsuit that Siemens “essentially used the City of Jackson as a $90 million test case for an unproven system, failing to disclose to the City that Siemens had never successfully paired the two systems before. Siemens also failed to disclose that installing a new automated water meter system at the same time as a new electronic billing system is unprecedented and is contrary to industry standards.”
https://www.jacksonfreepress.com/news/2020/mar/04/siemens-settlement-explained/

Clive Robinson September 6, 2022 8:13 PM

@ lurker, SpaceLifeForm,

Re : Mojo UAF vulnerability.

“Well, nothing could go wrong, could it?”

Assuming you did not forget the sarcasm marks 😉

It depends on the What, Where, and When.

In the past I’ve alloc’d up a buffer and filled it with KeyMat, then free’d it without clearing it. I then used alloc again in an entirely different part of the program to get a new buffer… For various reasons to do with alloc it handed me the same pointer thus the KeyMat was available in some other part of the program.

So the “What” can be somewhat devastating.

The “Where” can also be important when process space gets shared or duplicated, early IPC systems had issues…

As for “When” with IPC things can get really nasty in ways most would not imagine unless they had either a really hinky outlook on life based on past experience, or somebody telling / explaining some nasty little wrinkle.

One such wrinkle is messages getting passed “back against the flow”…

A simplistic example of one way this can happen with message passing is, when a buffer is primarily designed as a “letter box buffer” or the head of a stream, thus to the originating process it should be “write only” and to the destination process “read only”. Normally if the destination process changes the buffer it does not matter… However some programs have been known to consider “Write Only Buffers” as “Temp Buffers” and “read back” from them… If the destination process has not changed the buffer then nothing happens… But if it has, then the originating process is using data that is no longer valid.

The way to stop this simple example is to actually have two buffers, the “write buffer” for the originating process and a “read buffer” for the destination process. Another process is responsible for copying the write buffer to the read buffer.

Obviously this is seen as “inefficient” hence the “use only one buffer” mentality. So potentially you get hit by “Efficiency -v- Security”, it all depends on “When”. That is such a bug may not show up if for some reason the read back of the buffer by the first process happens before the second process changes it. However if not…

This is just a simple, easy-to-follow example; a UAF can do similar in quite a number of ways, some of which are quite hard to get your head around.
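The freed-but-unwiped key buffer described above, as an added example that is not code from the original comment. It uses a tiny LIFO pool allocator (assumed here, standing in for malloc so the outcome is deterministic; glibc's tcache and most embedded pool allocators recycle the last-freed block the same way) and a constructed key pattern, not a real key. `recycled_residue` follows the sequence in the comment, and `secure_wipe` is the fix, written with volatile stores because a plain `memset()` immediately before `free()` is a dead store the optimiser is entitled to delete.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy fixed-size pool allocator with a LIFO free list (assumed here; it stands
 * in for malloc so the demo is deterministic). The most recently freed block
 * is the next one handed out, which is also how glibc's tcache and most
 * embedded pool allocators behave. */
#define BLOCK   64
#define NBLOCKS 4

static unsigned char pool[NBLOCKS][BLOCK];
static int free_stack[NBLOCKS];
static int free_top;

void pool_init(void)
{
    for (int i = 0; i < NBLOCKS; i++)
        free_stack[i] = i;
    free_top = NBLOCKS;
}

void *pool_alloc(void)
{
    if (free_top == 0)
        return NULL;
    return pool[free_stack[--free_top]];    /* contents: whatever was left there */
}

void pool_free(void *p)
{
    int idx = (int)(((unsigned char *)p - &pool[0][0]) / BLOCK);
    free_stack[free_top++] = idx;           /* on top: reused by the next alloc */
}

/* Wipe through a volatile pointer. A plain memset() right before free() is a
 * dead store the optimiser may delete; volatile stores must be performed. */
void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--)
        *v++ = 0;
}

/* Constructed key-material pattern, not a real key. */
static void fill_keymat(unsigned char *k, size_t n)
{
    for (size_t i = 0; i < n; i++)
        k[i] = (unsigned char)(0xA5 ^ (i * 7));
}

/* Number of offsets at which buf still holds the same byte as key. */
size_t residue_bytes(const unsigned char *buf, const unsigned char *key, size_t n)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (buf[i] == key[i])
            hits++;
    return hits;
}

/* The sequence from the comment: a buffer is allocated and filled with key
 * material, freed, and "an entirely different part of the program" then asks
 * for a buffer of the same size. Returns how many key bytes that second,
 * unrelated owner can read without ever having been given the key. */
size_t recycled_residue(int wipe_before_free)
{
    unsigned char key[BLOCK];
    fill_keymat(key, BLOCK);
    pool_init();

    unsigned char *crypto_buf = pool_alloc();
    memcpy(crypto_buf, key, BLOCK);         /* key material lives here... */
    if (wipe_before_free)
        secure_wipe(crypto_buf, BLOCK);
    pool_free(crypto_buf);                  /* ...and, unwiped, stays here */

    unsigned char *other_buf = pool_alloc();/* same block, different owner */
    size_t leaked = residue_bytes(other_buf, key, BLOCK);
    pool_free(other_buf);
    return leaked;
}

int main(void)
{
    printf("free() without wipe: %zu of %d key bytes visible to the next owner\n",
           recycled_residue(0), BLOCK);
    printf("wipe then free():    %zu of %d key bytes visible to the next owner\n",
           recycled_residue(1), BLOCK);
    return 0;
}
```

Compile with `cc -O2` and run: without the wipe all 64 key bytes are readable by the next owner of the block, with it none are. Where the platform provides them, `explicit_bzero()` (glibc, the BSDs) or `memset_s()` (C11 Annex K) do the same job as `secure_wipe` and are the preferred spelling.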

Clive Robinson September 6, 2022 8:34 PM

@ ResearcherZero, ALL,

Re : The first mouse problem.

“The City argued in the lawsuit that Siemens “essentially used the City of Jackson as a $90 million test case for an unproven system”

Any sufficiently large system is essentially unique, thus by definition is “unproven”.

The solution to this in non software engineering is to use,

“Standard parts and sub-systems, with well defined and tested interfaces.”

The problem with software and communications systems is the interfaces are,

1, Highly Complex.
2, Essentially Random in time.

So yes such large essentially unique systems have “failure built in by default” and in many cases there is little that can be done when you cross a certain threshold of complexity, because the initial system design was not designed to scale (think about all the fun with IPv4 and why IPv6 is not a solution as just one example).

ResearcherZero September 7, 2022 12:47 AM

@Clive Robinson

The ICS market is predicted to have substantial growth over the next decade, along with an already increasing number of intrusions and vulnerabilities. The research into this area is pretty stark, but none of it surprising as even though there is often a lack of documentation, they have made it increasingly easy to get a reverse shell.

“There’s a lack of imagination or a lack of anticipation about the next move that hackers will make.”
https://portswigger.net/daily-swig/it-industry-guilty-of-lack-of-imagination-in-failure-to-anticipate-cyber-attack-evolution

Two years have passed since our previous research, and things have continued to evolve. Unfortunately, they have not evolved with robust security in mind, and the landscape is less secure than ever before.
https://ioactive.com/scada-and-mobile-security-in-iot-era/

243,469 Kubernetes clusters publicly exposed and identified on Shodan. Furthermore, these clusters also exposed port 10250, which is used by kubelet by default.
https://www.trendmicro.com/en_us/research/22/e/the-fault-in-our-kubelets-analyzing-the-security-of-publicly-exposed-kubernetes-clusters.html

“We identified 1,859 publicly available apps, both Android and iOS, containing hard-coded AWS credentials. The problem is often the same AWS access token exposes all files and buckets in the Amazon S3 cloud, often corporate files, infrastructure files and components, database backups, etc. Not to mention cloud services beyond Amazon S3 that are accessible using the same AWS access token.”
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/mobile-supply-chain-aws

This is good presentation on intrusions into industrial systems with an increasing number taking place in 2021
https://media.ccc.de/v/mch2022-27-first-privacy-now-safety-an-anthology-of-tales-from-the-front-lines-of-cyber-physical-security

SpaceLifeForm September 7, 2022 2:35 AM

@ lurker, Clive

re: Mojo library

I’ve now spent some time reading Mojo documentation. I understand the concept, which is to create a more portable codebase for Chromium. So that you don’t have to code a bunch of IPC stuff up in a platform specific way. That the Mojo library is there to hide platform specific implementation details. Hence, to work on Linux, Windows, or OSX.

However, it is still very complex. I am too lazy to want to go thru the learning curve on using this library. It sure appears to me that it definitely can have malloc() problems. That it has C++, Javascript, and Java bindings does point to a Javascript attack vector being plausible.

I will stick with Firefox, and deal with random crashes that are probably due to Javascript and malloc() problems. I always submit crash reports. Interestingly, yesterday, after a crash, then restart, I got another crash immediately. For some reason, the crash reporter then crashed too as I was trying to enter some details!

There is one specific website that seems to create problems: news dot google dot com

I’m not sure why I even bother to check it anymore, since it is always olds.

Clive Robinson September 7, 2022 5:00 AM

@ SpaceLifeForm, ResearcherZero,

Re : Work and time wasting

“I am too lazy to want to go thru the learning curve on using this library.”

Not “lazy” but “time-wise”…

That is you’ve read sufficient to know it’s not going to be of practical use to you either from a direct use for writing code or from an indirect use such as running code that uses it and offers interfacing potential.

The only other reason to look at a code library is from an analysis perspective to see how others might use it, thus gain an advantage or be vulnerable. Such as being an attacker looking for a vulnerability, or a defender looking to see how it might be used to attack.

Most code libraries try way too hard for “Code Reusability” thus “Try to be all things to all men” which is never a good idea as it takes “complexity” way up and “understandability” way down so really bad “cut-n-paste coding” from web download happens with all the nasty issues that brings (like no error or exception handling as a minimum). Worse the library rapidly “Falls into ‘Kitchen-Sink’ mode” where anything and everything that’s usually unfinished just gets chucked in till either someone does the dishes or the stink is such people just throw it out (Log4J being such an example).

People need to learn to make code libraries very limited in scope, minimal in impact, work on “Least Surprise” principles and have very clear interfaces that as a minimum catch input errors and output exceptions and handle them in a sensible minimum impact way.

Which takes us down into the philosophy of interfacing… One aspect of which is

“Serialization is a security vulnerability by default”

thus should not really be used in the ways it mostly is currently. Worse “soft error handling” should never ever be done, it should always be both hard and explicit. If a programmer does not know what they are doing they should not be trying to do it in non experimental code.

But perhaps the most grievous sin of most programmers is to write poorly pipe-lined code with interfaces that can not be “rolled-back” (implicit hard left to right progression). Thus the only real choice on “error or exception” is to “Blue Screen of Death” or equivalent “Panic fault” thus losing all data in the pipe-line, and bringing any system the code component is used in crashing down. Obviously this is not good for “Data Integrity”, “Reliability”, or “Availability”.

One of these days I should dig out the documentation I wrote back in the 1980’s about clear interfacing when writing machine code… All the points in it still apply today. Trouble is I’m not sure who in theory has the copyright these days, the company that employed me “turned its toes up” way back last century.

Clive Robinson September 7, 2022 5:46 AM

@ ResearcherZero, lurker, SpaceLifeForm, ALL,

Re : ICS is just high price IoT.

The “Industrial Control System”(ICS) market is actually moving inexorably towards all that is bad in the “Internet of Things”(IoT) development sphere. The only real difference is,

“The price you pay”

Not just on initial acquisition but down the line when all the nasties become apparent. Which is why I’ve always recommended,

“Hard segregation, with gap crossing by not just ‘strongly mandated’ but ‘strongly instrumented’ interface.”

Which brings us onto your point of,

“The research into this area is pretty stark, but none of it surprising as even though there is often a lack of documentation, they have made it increasingly easy to get a reverse shell.”

It’s not just a “Reverse Shell” that is a problem…

In the past I’ve pointed out that there are very few genuinely “one way” communications paths, and that whilst there might be an imbalance in data bandwidth, any “Reverse Error Control/Correction” is a “Reverse Data Path”. This applies all the way up from the lowest of physical layers right through the computing stack.

For instance the “Ring Signal” on a data modem can be activated by someone dialing and then dropping the line. This signal and its implicit time duration get flagged by the Operating System via the serial device driver (tty). Thus an attacker could dial in a “Pulse Width Modulated” Data channel… A version that works on a network connection you might know as “Port Knocking”…

If you do not know what “listens” and,

“As a given you do not know”

Then you have no idea if there is a “covert channel” or not. Worse you have no idea how far back it can reach due to the “Efficiency -v- Security” issue. For instance “flow control” reaches all the way back to the “Data Generator” at some point no matter how much buffering / caching you put in. The data bandwidth might only be 1 bit an Hour but that may be sufficient for some attackers. I’ve mentioned this in the past on this blog with respect to aircraft control systems, that even though protected via a Data Diode, share a downstream data path with the entertainment systems. If you do not realise it in the design, an entertainment system can “flood” the downstream data path and thus “modulate” the control system flow control or error signals thus send data in reverse through the Data Diode.

When explained “It’s Obvious” but when not it’s invisibly covert.

But there is another horrible issue I’ve mentioned today indirectly with the “When” issue with a letter box buffer.

As a general rule of thumb, high level programmers have no sight into memory and the data that it holds.

Most do not consider the difference between “copying data and passing data” as a general rule again due to “Efficiency -v- Security” data is copied not passed and the copy never erased, only maybe overwritten at some point. But even passing can leave a reverse data path open…

I’ve no hope that software developers will ever understand these issues let alone code defensively against them. Because management will always go down the “Efficiency -v- Security” Path in the wrong way.

But hey I’ve only been banging the “Efficiency -v- Security” drum for oh over a third of a century if not four decades or more…

JonKnowsNothing September 7, 2022 12:18 PM

@Clive, @Ted, @SpaceLifeForm, All

re: The Order of Precedence

There is an order of hierarchy among the courts. Cases can be moved up and down and across the chains as determined by the different systems.

Each of the courts listed can take cases serially or simultaneously. There isn’t any particular reason why a Contract Case and a Criminal Case and an Investigation (FBI/Congress) cannot happen at the same time. They do.

However so far, the only case we know about is the Contract Case. There may be investigations happening elsewhere but those have not yet been revealed.

So first to bat is the Contract Case.

Today’s ruling was 1:1

SpaceLifeForm September 7, 2022 3:02 PM

@ JonKnowsNothing, Clive, Ted, ALL

re: The Order of Precedence

September 13 is before October 17 last I checked. Shareholder vote then trial.

If the shareholders vote against the offer, it will be interesting to watch any changes in legal posture by Twitter.

Because Musk has counter-sued, I do not believe that Twitter will be able to pull an Emily Litella and say “Nevermind”.

Musk has trolled the Twitter BoD, and they bit. As I said before, Twitter should have let Musk walk and forego the $1B penalty. But they let the Dollar Signs cloud their brains.

Stock up on popcorn. The FTC and SEC brands are both tasty.

‘https://www.ftc.gov/news-events/news/press-releases/2022/05/ftc-charges-twitter-deceptively-using-account-security-data-sell-targeted-ads

‘https://apnews.com/article/elon-musk-twitter-inc-technology-434b2c0588a6cee2fd7c9477b0bd7902

I know this seems like eons ago, but remember Elon Musk was one of the accounts abused.

‘https://en.m.wikipedia.org/wiki/2020_Twitter_account_hijacking

SpaceLifeForm September 7, 2022 4:41 PM

@ JonKnowsNothing, Clive, Ted, ALL

The Twitter lawyers today in the Delaware Court of Chancery. They are well honed, fine, sharp knives.

They actually said in court that Musk did not comply fully in the Discovery Process.

They said he did not turn over all of the texts requested.

They said they have 3rd Party evidence.

There are questions:

Were they actual SMS texts?

Or were they Tweets?

Who is the 3rd Party?

Note that Judge McCormick has now twice denied Musk to delay. What will happen after September 13, if Twitter wants to delay?

I need to check out the Sun Tzu popcorn.

JonKnowsNothing September 7, 2022 5:00 PM

@SpaceLifeForm, @Clive, @Ted, All

re:Proxy Fights Rounds of Controlling Shares

The proxy fight is sure to be entertaining. HP-Compaq, HP-Autonomy were both scintillating as well as instructive that it isn’t the best idea or the best tech that wins in the end. It’s the political aspirations of the CEOs and their connections to massive funds, banking and finance and the political movers and shakers that wins the fight. Ordinary shareholders are well… ordinarily ignored.

Shareholders get a copy of the meeting agenda, often there is an exit line: Non Binding Recommendation. It’s quite a common tack-on. I dunno if that’s part of this vote.

We may get to see some of Musk’s Saudi backers although they have recently backed off the MSM scope. We may also get to see who is backing TheT. What will be more interesting is what the Saudi Bankers are expecting to gain. It may be an indicator of future litigation (years).

RL tl;dr

Years in the rear view mirror ago, I went to a Stockholder’s Public Meeting. I’d already filed my proxy and voted on items before the Board. I was exercising an educational opportunity.

There is a pro-forma layout to such meetings, if you live in an HOA (USA) you get this monthly and annually. It’s not what it looks like in the movies and there is no TomC screaming at JackN as in the legal dramas. It’s flat, structured and non-participatory.

An investor showed up who owned a fair quantity of shares and wanted to change some aspect that was in front of the BoD. Turned out he had only an insignificant number of shares compared to what was held by the Directors, the Company Officials and all the proxy votes that were assigned. He did not get his change accepted. It was out voted long before he arrived. In fact he was out voted when he bought his shares but didn’t know it because the back end structure of such systems is hidden.

So hopefully we will get to see some of the deeper innards of both M and T as they line up on the scrimmage lines.

And Deutsche Bank is just a txt msg distance away.

JonKnowsNothing September 7, 2022 5:09 PM

@SpaceLifeForm, @Clive, @Ted, All

re Delaware Court of Chancery: T v M

The 1:1 I mentioned above is what’s important about today.

1-4-T: M was denied delay

1-4-M: M was allowed to Amend the Suit and expand it to cover concerns on the security issue.

The judge indicated that the addition would be allowed as the rules on this aspect are flexible. The judge did not make any indications of how that would be ruled on or the merits of the addition.

M will have to get the addition online ASAP with all the supporting facts/factoids. Exactly what M puts up, will tell us a lot more about which flavors of popcorn to cook up.

Who? September 7, 2022 5:22 PM

Announcing the NSA’s Commercial National Security Algorithm (CNSA) suite 2.0

A new CNSA suite was announced a few hours ago. Most algorithms are approved for all classification levels (e.g. RSA 3072-bit and higher):

CNSA 2.0 FAQ
CNSA 2.0 Algorithms

Can we trust them? I think that, at least, RSA is a proven algorithm.

Clive Robinson September 7, 2022 10:59 PM

@ Who?, ALL,

Re: NSA CNSA suite 2.

“Can we trust them?”

No, but that is not the point, they effectively dictate, we bow down and comply, if we want to stay in the compliance league game.

The real problem is there is a lot missing…

Firstly the obvious,

“RSA 3072-bit and higher”

OK “3072-bit” is now the new low-water mark, but “and higher” is of little use to a software developer in a constrained environment (and all environments are constrained). As they need a high-water mark or maximum to size buffers and algorithm implementations.

There are already people out there using RSA 16384-bit and some implementations that will work with 32768-bit. Shifting 2k-byte blocks of data around, with high integrity is already somewhat of a challenge with de-serialisation[1], in an embedded system, what do you do when you get a 4k-byte data block and wrapping coming over the wire?

But the “grosse pachyderm in the corner” waiting to leap out with a song and dance routine is “Legacy Data”…

For various reasons you can not ignore earlier data that used say RSA 512-bit or all the other being deprecated key sizes, usage modes or crypto algorithms in a “code library”.

Thus that low-water mark becomes an issue in its own right. That is the question of,

“What level do you put the interlocks at?”

As well as how do you define them. Because if you do not get it right that fat pachyderm not only sings but dances to center stage as “fall back” attacks happen…

[1] Remember that to get high integrity on a block of data your hash for MAC needs to be at least as big as the block of data and reality means twice that. So now you are at 3 times block size memory needed before you wrap it up in other communications protocols that if they are also to give “high integrity” will be on that 2-3 times issue as well.
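A sizing and interlock check in the spirit of the low-water / high-water mark point above, and of the earlier remark in this thread that deserialisation needs hard, explicit error handling; added here as an example and not code from the comment, the NSA or any library. It assumes a 3072-bit floor (the CNSA 2.0 figure quoted above) and a 16384-bit ceiling chosen for the example, parses the DER INTEGER that carries an RSA modulus without trusting the wire-supplied length, and refuses both legacy and over-size keys outright. `encode_modulus_der` builds constructed test vectors from filler bytes, not real keys.

```c
#include <stddef.h>
#include <string.h>

/* Policy marks for this example. The floor is the CNSA 2.0 figure quoted in
 * the comment; the ceiling is an assumption, chosen so every buffer has a
 * known size at compile time. Change RSA_MAX_BITS and DER_CAP together. */
#define RSA_MIN_BITS 3072u
#define RSA_MAX_BITS 16384u
#define DER_CAP (RSA_MAX_BITS / 8 + 8)      /* tag + long-form length + pad + modulus */

enum key_verdict { KEY_OK = 0, KEY_TOO_SMALL = 1, KEY_TOO_LARGE = 2, KEY_MALFORMED = 3 };

/* Parse one DER INTEGER carrying an RSA modulus and apply the policy. Never
 * reads beyond len; every deviation is a hard, explicit error, not a guess.
 * When the key is sized, *bits receives the modulus bit length. */
enum key_verdict check_rsa_modulus(const unsigned char *der, size_t len, size_t *bits)
{
    size_t pos = 0, clen = 0;

    if (len < 2 || der[pos++] != 0x02)                  /* INTEGER tag */
        return KEY_MALFORMED;
    unsigned char l0 = der[pos++];
    if (l0 < 0x80) {
        clen = l0;                                      /* short form */
    } else {                                            /* long form: nbytes, big-endian */
        unsigned nbytes = l0 & 0x7f;
        if (nbytes == 0 || nbytes > 4 || len - pos < nbytes || der[pos] == 0x00)
            return KEY_MALFORMED;                       /* absent, oversized or non-minimal */
        for (unsigned i = 0; i < nbytes; i++)
            clen = (clen << 8) | der[pos++];
        if (clen < 0x80)
            return KEY_MALFORMED;                       /* short form was required */
    }

    /* clen is a size claim from the wire: test it against the ceiling first, so
     * a 4k-byte block is refused as policy rather than sized for on the fly. */
    if (clen > RSA_MAX_BITS / 8 + 1)
        return KEY_TOO_LARGE;
    if (clen == 0 || clen > len - pos)
        return KEY_MALFORMED;                           /* empty or truncated */

    const unsigned char *m = der + pos;
    size_t mlen = clen;
    if (m[0] & 0x80)
        return KEY_MALFORMED;                           /* negative: not a modulus */
    if (m[0] == 0x00) {                                 /* pad byte, only legal if needed */
        if (mlen < 2 || !(m[1] & 0x80))
            return KEY_MALFORMED;
        m++, mlen--;
    }
    unsigned top = m[0], lz = 0;                        /* m[0] is non-zero here */
    while (!(top & 0x80))
        top <<= 1, lz++;
    size_t nbits = mlen * 8 - lz;
    if (bits)
        *bits = nbits;
    if (nbits < RSA_MIN_BITS)
        return KEY_TOO_SMALL;                           /* legacy size: no fall-back */
    return nbits > RSA_MAX_BITS ? KEY_TOO_LARGE : KEY_OK;
}

/* Constructed test vector (not a real key): a modulus of mod_bytes bytes with
 * its top bit set, so the bit length is exactly 8 * mod_bytes. Returns the DER
 * length written, or 0 if it does not fit in cap. */
size_t encode_modulus_der(unsigned char *out, size_t cap, size_t mod_bytes)
{
    size_t clen = mod_bytes + 1;                        /* 0x00 pad + modulus */
    size_t nlen = clen < 0x80 ? 0 : clen < 0x100 ? 1 : clen < 0x10000 ? 2 : 3;
    if (mod_bytes == 0 || 2 + nlen + clen > cap)
        return 0;
    size_t pos = 0;
    out[pos++] = 0x02;
    if (nlen == 0)
        out[pos++] = (unsigned char)clen;
    else {
        out[pos++] = (unsigned char)(0x80 | nlen);
        for (size_t i = nlen; i-- > 0;)
            out[pos++] = (unsigned char)(clen >> (8 * i));
    }
    out[pos++] = 0x00;
    out[pos++] = 0x80;
    memset(out + pos, 0xff, mod_bytes - 1);             /* filler, not key material */
    return pos + mod_bytes - 1;
}

/* Receive buffer deliberately larger than DER_CAP so the demo can present an
 * over-policy block and show it being refused instead of sized for. */
static unsigned char wire[4 * DER_CAP];

enum key_verdict demo_policy(size_t mod_bytes)
{
    size_t n = encode_modulus_der(wire, sizeof wire, mod_bytes);
    return n ? check_rsa_modulus(wire, n, NULL) : KEY_MALFORMED;
}

size_t demo_bits(size_t mod_bytes)
{
    size_t bits = 0, n = encode_modulus_der(wire, sizeof wire, mod_bytes);
    if (n)
        check_rsa_modulus(wire, n, &bits);
    return bits;
}
```

Note the order of the checks: the declared length is compared against the ceiling before it is used for anything, so a 32768-bit block is refused on arrival rather than buffered, and a 512-bit legacy key is refused rather than silently fallen back to. Non-minimal or truncated lengths are rejected as malformed instead of being repaired, which is the hard, explicit error handling the earlier comment asks for.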

SpaceLifeForm September 8, 2022 12:17 AM

@ Clive, ALL

Meta Nonsense

I’m pretty sure I can figure out which pieces of data are flowing to the various 55 subsystems. Not quickly, but it is doable.

I just start turning down routers, pulling cables, and find out what functionality breaks. I can make a map from the breakage.

‘https://www.vice.com/en/article/qjk3wb/facebook-engineers-admit-they-dont-know-what-they-do-with-your-data

A Meta spokesperson said that the company’s “systems are sophisticated and it shouldn’t be a surprise that no single company engineer can answer every question about where each piece of user information is stored.”

By design.

Clive Robinson September 8, 2022 6:26 AM

@ ALL,

As some of you are aware, I have a very dim view of certain types of manager and have described the way some get up the greasy pole by organisation hopping about 1/3rd of the way into projects they manage.

Well it appears I’m not the only one who takes a dim view of certain other types of manager,

https://www.makeartwithpython.com/blog/is-engineering-management-bullshit/

As a read it’s a bit of a slow start as it gives historical back ground as scene setting, but it is definitely worth sticking through to the end.

Clive Robinson September 8, 2022 7:47 AM

@ ALL,

As some of you know, it’s not just “social media” I do not do, I don’t do Personal Email either…

The reason for no Personal Email was ostensibly,

“I was not prepared to have the likes of Google or others in Silicon Valley reading my Email any longer”

But the underlying reason all those years back was the fact it was becoming clear you got discriminated against by Google and Co for not allowing them to read your private communications or at the very least the meta-data… So I said “no more” and rather than “give in”, “I don’t play”[1] which frequently upsets the “Karen types” I come across that usually work in certain types of organisation…

Well I’m not the only one to have seen the way things were going… Some however “give in”,

https://cfenollosa.com/blog/after-self-hosting-my-email-for-twenty-three-years-i-have-thrown-in-the-towel-the-oligopoly-has-won.html

[1] Not quite true, I still have the equivalent of Email alerts (just subject no body etc) sent to me from a server abroad, but they do not reach me via the “Internet” at all.

SpaceLifeForm September 8, 2022 2:55 PM

@ JonKnowsNothing, Ted, Clive, ALL

Twitter v Musk

Bob Iger may be looking at a subpoena soon. I’m sure he realizes this.

Does ‘substantial’ mean over 5 percent?

‘https://www.vox.com/recode/2022/9/7/23339402/bob-iger-disney-streaming-code

Interestingly enough, because I read the news these days, we did look very carefully at all of the Twitter users — I guess they’re called users? — and we at that point estimated with some of Twitter’s help that a substantial portion — not a majority — were not real

vas pup September 8, 2022 3:47 PM

Brazil bans sales of iPhones without USB power adapters

https://www.bbc.com/news/technology-62833037

“Incomplete product’

Senacon also said the sale of new iPhones without power adapters was an example of Apple effectively forcing consumers to buy a second product after purchasing a new iPhone.

It said a power adapter should form part of the product because it is required to operate the phone and is an “incomplete product” without it.

The organization added the move has transferred responsibility to third-party providers, as well as consumers, because iPhones without power adapters have not fallen in price.”

Absolutely agree. You did not buy violin without fiddle-bow. Did you?

vas pup September 8, 2022 4:18 PM

Concerns rise over a new law that lets Indian police record prisoners’ DNA
https://www.dw.com/en/concerns-rise-over-a-new-law-that-lets-indian-police-record-prisoners-dna/a-63044478

“The Identification of Prisoners Act of 1920 — which has been superseded by the new law — had allowed police to collect only photographs, fingerprints and footprint impressions from suspects.

However, the scope of the new CPI Act includes other sensitive information such as fingerprints, retina scans, behavioral attributes — like signatures and handwriting — and other biological samples such as DNA profiling.

“Perhaps the most egregious provision of the bill is that it authorizes the retention of all the measurement data digitally for 75 years from the date of collection, without any in-built checks to protect the confidentiality of such data,” Vrinda Bhandari, a consultant with India’s Law Commission, told DW.

“This is a gross violation of privacy and data storage limitations and is contrary to the law laid down in the Supreme Court’s privacy judgment.”

In 2017, the country’s top court gave a momentous judgment affirming that the constitution guarantees to each individual a fundamental right to privacy. This includes three aspects, the ruling found: intrusion with an individual’s physical body, informational privacy and privacy of choice.

Several countries, including the US and the UK, collect biometric identifiers such as facial features, fingerprints or retina scans of people who are arrested or convicted.

But given that India lacks well-defined systems to investigate alleged police misconduct, there are concerns that collected data could be misused.”

More interesting details in the article.

lurker September 8, 2022 4:53 PM

@vas pup

Bad analogy: fiddles and bows are often sold separate, especially high end stuff. But Apple’s greenwash for why they don’t include one in the box, covers their difficulty in making power supplies reliable in the real world.

SpaceLifeForm September 8, 2022 5:13 PM

@ JonKnowsNothing, Ted, Clive, ALL

Twitter v Musk

I hope @dotMudge also got a lot of stock.

‘https://www.wsj.com/articles/twitter-agreed-to-pay-whistleblower-7-million-in-june-settlement-11662661116

Ted September 8, 2022 5:29 PM

@SpaceLifeForm, JonKnowsNothing, Clive, All

Re: Twitter’s $7 million payment to Zatko

Interesting. I couldn’t read the whole WSJ article, but did find similar coverage on CNET and the NYTimes.

The Wall Street Journal, citing people familiar with the matter, reported on Thursday that the June settlement was related to Zatko’s lost compensation…

As part of his settlement with Twitter, Zatko agreed to a nondisclosure agreement that bars him from speaking publicly about his time at Twitter or disparaging the company but that doesn’t prevent him from testifying before Congress or filing whistleblower complaints.

https://www.cnet.com/news/twitter-reportedly-agreed-to-pay-7-million-to-whistleblower-in-settlement/

No witness list yet.

https://www.judiciary.senate.gov/meetings/data-security-at-risk-testimony-from-a-twitter-whistleblower

lurker September 8, 2022 5:40 PM

@Clive Robinson, ALL

re. self-hosted email:
following his link to prove email is 15 points higher than social media has a startling reveal:
The “Most popular online activit[y] of adult internet users in the United States as of November 2021” at 93.3% share of internet users was “Text messaging or instant messaging”

Is this just confusion on the part of whoever compiled that table? or in the words of the Chief Munchkin, is SMS “not only really dead, it’s well and truly dead”?

Clive Robinson September 8, 2022 7:37 PM

@ SpaceLifeForm, JonKnowsNothing, Ted, ALL,

Re : Twitter v. Musk & PII Security

“Bob Iger may be looking at a subpoena soon.”

Whilst he might dodge that bullet

He realy did “Dodge a bullet” on purchasing Twitter. Without any doubt it would have turned into a disaster for both Bob Iger and Disney, and the clock on that bomb is tick tick ticking. Which brings up the PII security issue.

Interestingly the quote over on Vox about “really cheap” has further irritated an itch I’ve had building for some time. It also shows that the “Pump and Dump” I suspect some on Twitter’s board have been running is even more likely than not.

Further it shows something I’ve been seeing happening for a while… I’m going to make this plain as I can, you can agree with it or not but I suspect time will tell fairly quickly,

The bubble on social media is at bursting point and I believe the tipping point has already been passed.

I might be wrong, but lets put it this way if I had shares in Twitter, Facebook, Linkedin and similar, I would be “off loading them fast” whilst I still could pass the hot potato at an “end of day discount”.

I suspect the Venture Capitalists behind the Twitter Sale know this and want to “off load” as fast as possible as well. But probably being sociopaths, they are still trying to “chase the upside” of the Musk offer, even though it’s gone and won’t come back.

I suspect Musk does not regret his decision to go after Twitter as an Enterprise, as Bob Iger pointed out in the Vox article it makes sense from several stand points.

But those stand points are now on rapidly shifting ground as more and more day light illuminates ever clearer signs fast appearing that the Social Media bubble is about to burst as far as the share market is concerned.

This latest nonsense with Facebook “not knowing what user data they have” should be “A Five Alarm” wake up call. If the bubble bursts then several Social Media organisations are going to be “Fire Sale” status at best.

The only asset they will have that anyone might consider buying is PII “user data”. Under US law this is at best highly problematic both Privacy and Security wise.

Those who have used Social Media should at the very least be highly concerned. So for that matter should those who whilst not using Social Media have been “added” by those that do via their comments and photographs.

Even I who avoid Social Media and its participants like they are “Plague, Pestilence, Famine and Death” combined have significant concerns due to the “background Building Process” Social Media Companies are known to indulge in and their selling of data to both indiscriminate “Data Brokers” and worse Private Intelligence Entities like Palantir.

As usual the US legislators are so far behind the curve on this due to the largesse such “Dark Tetrad” types get that they do not even have their eye in the same park, let alone on the ball…

Of course they will claim they are not to blame when it inevitably goes bad…

Clive Robinson September 8, 2022 8:38 PM

@ lurker, ALL,

Re : SMS dying out.

“Or in the words of the Chief Munchkin, is SMS “not only really dead, it’s well and truly dead”?”

It’s certainly on life support at best for those under thirtyish, and even “Silver Surfers” as well.

Put simply SMS is very old technology, and was never designed for what it became. Worse “behind the curtain” the technical side is pretty close to being a disaster area. It has no security or privacy and it’s capabilities for modern communications are to be blunt Pi55-P00r and as messy as Dog-Puke on the carpet.

To see why, you need to go back in time. Twitter was based on the idea of SMS but with a wider presentation base. It did not take Twitter long to realise the inadequacy of their system so they just bolted bits on badly (which was a stupid thing to do as they now have a technical debt problem there is no rug big enough to sweep it under).

Meanwhile others realised that Twitter was so far behind the times technology wise that they could be beaten just by making a better, more supportive network stack that would support the Presentation Layer users had come to expect.

Then remember Ed Snowden? I don’t think people credit him enough for the effect he had on Social Media. All of a sudden “Secrecy was Sexy” with the “Pretty Young Things” not just the “Pimply Faced Youths”.

So we got “Secure Messaging” –even though it’s nothing of the sort– being more “Hip and Trendy” than cuffs on denim drain-pipes and more “Fragrant” than beard-oil.

The real secret behind Secure Messaging and the likes of TikTok for the user is twofold,

1, Content richness.
2, Ease of use.

Put simply, if you want to communicate something without thought, and you are technically inept and don’t want to learn, then Secure Messaging and the likes of TikTok are effectively “heaven sent”.

Leaving SMS is the equivalent of “banging the rocks together” to put dents on a monolith you then get dragged across the swamp maybe (remember SMS is a “secondary service” thus “unreliable” that the phone companies have outsourced).

Even dinosaurs like me can see why SMS is flat on its back with its toes up, and the beep beep beep of the cardiac monitor saying flat-line is coming, if not imminent, fairly soon.

Oh and it’s not just SMS, it’s phone calls as well. There are several IP based apps that not just replace the voice channel, but add video as well, and some are even investigating “touch”. How long it will be before near full VR I don’t know, but the technology is mostly there, just clunky currently, and that could change in less than a year once the semiconductor industry gets over its current problems.

The fear the Cellular and traditional Plain Old Telephone Service Land Line telecommunications providers had in the 1980-90s has come true. Voice and Video, like fax and Telex, are gone and “Data is King”… Which for the Traditional Telcos is problematical, because they can not really make money on “open data connections” as there is no “Premium Service Capability” to exploit. So they’ve joined the PII stealing market as well as lobbying legislators and regulators to get “Closed Data Connections” that they can then force “Premium Service” onto, at what will turn out to be an extreme cost to the average citizen, unless an alternative “Open Data Connection” service becomes available.

So much as I dislike what Elon Musk is up to with his very low earth orbit (VLEO) satellites, people should thank him, as he and similar are going to put a spoke in the wheel of the traditional telecommunications providers, especially in the US where the prices are ludicrously expensive already.

lurker September 8, 2022 9:52 PM

@Clive Robinson

Those who have used Social Media should at the very least be highly concerned.

Including all those SMEs, Mom & Pop outfits, and a few Govt entities, whose preferred method of communicating with their clients has become their FB channel …

cfenollosa is a bit worrisome too, just when I was about to tear myself away from the G.

lurker September 8, 2022 9:58 PM

@Clive Robinson

So here’s a question for the Trade Practices authorities, if all those “messages” are really going over the internet, why are the telcos creaming it charging users SMS rates for each message?

SpaceLifeForm September 9, 2022 1:55 AM

@ JonKnowsNothing, Ted, Clive, ALL

Twitter v Musk

I doubt it is 80% overall, but Musk seeing multiple replies in seconds from the same accounts, sure points to bots, and not a human.

The bots are probably targeting users. Some will see a lot of noise, and others will not. Interesting typos.

‘https://news.abplive.com/technology/elon-musk-twitter-tweet-90-percent-comments-bots-spam-binance-changpeng-zhao-1551989

‘https://www.f5.com/company/blog/bot-traffic-percentage-fake-accounts-expert

Clive Robinson September 9, 2022 6:12 AM

@ SpaceLifeForm, ALL,

Re : Twitterverse is bot traffic.

The second link you give from F5 makes salutary reading for those who otherwise chose not to look at the problem of “Bots”.

From my own very limited experience of just randomly following down Twitter paths, I usually find more than half the Tweets look suspect even on first glance.

But those 90% and up figures Dan Woods of F5 gives for Bot traffic I would say are for special reasons not just general traffic.

So I can understand,

“I doubt it is 80% overall, but Musk seeing multiple replies in seconds from the same accounts, sure points to bots, and not a human.”

But as I noted just a few hours ago[1] it would appear that Dan Woods has also seen, when he notes,

“However, there is something much more important at stake here. The problem of bots is bigger than any advertising revenue or stock price or company valuation. Allowing this problem to persist threatens the entire foundation of our digital world.”

When everything is resourced to the demands of “faux traffic” and “ad traffic”, not “real traffic”, the question of “Where’s the money?” is bound to arise in investors’ minds. We already know that online advertising shows a worse response than just leafletting every physical front door, and costs more, so is a waste of marketing resources[2].

We are also seeing new long and short cons being pushed; look carefully at the difference between “Web 3” and “Web 3.0” and all the NFT nonsense that is replacing the now mostly discredited “Blockchain” nonsense. Oh and with one of the few winners in the crypto-coin game being North Korea, stealing the contents of people’s badly designed electronic wallets and cashing them out.

Expect to see investors get “cold feet” and then turn white and do the equivalent of the Pamplona bull run[3] out of “online” to avoid “the fate of the saint” for a while.

[1] At 7:37 PM, with regards Disney dodging a bullet on buying Twitter, and why I think Social Media has not just become a bubble, but is going to burst very soon leaving PII of users as the only asset, to be sold off at fire sale pricing, thus existing as a very real security issue,

https://www.schneier.com/blog/archives/2022/09/friday-squid-blogging-squid-images.html/#comment-409800

[2] It is fairly easy to blow out most web sites’ advertising by not having cookies or javascript enabled, and it makes the page download way way faster and obviously saves your bandwidth if you are “metered” or “capped”, which appears quite stringent in the US whereas not so bad in Europe. Also when using someone else’s Smart Device for viewing YouTube, I was very quickly aggravated by the dumber than piles of rotting cattle scat advertising and learned within two or three views to keep my attention focused on the “skip ad” button. Then a few more to experiment and find ways to hit the settings button to not see the ads at all. Interestingly I’ve seen an experimental version of a “middle ware” service that uses “bots” to pull the content and not just strip it of the YouTube “protections” but the “ads” as well and deliver it as a simple “Open Source Format” media file… So my feeling is ads are not reaching, let alone going through, eyeballs. Also if you look into the way the ad revenue is distributed, you can see that the major players are using “Hollywood Accounting” techniques to fleece the majority of those daft enough to advertise online.

[3] As Hemingway noted, there are two animals side by side in the run. But the question of which gets slaughtered is only certain for one, and as in the stock market everything is a question of the order of time…

https://m.youtube.com/watch?v=Sar6FiqUxts

JonKnowsNothing September 9, 2022 8:00 AM

@ SpaceLifeForm @Clive, Ted, ALL

re: Shoo those Bots Away

I would hazard a small guess that it will end up as the 80-20 rule, with distribution of 10-80-10. The curve might be distorted some, perhaps more packed in the center.

Maintaining a large set with only a 5% error is not trivial. Within that 5-10% is another 80-20 distribution of components, again 10-80-10. So it is still possible to hit the 5% threshold depending on how many layers deep you want to split the sample.

The speed of responses might have been useful once, before everyone got auto-reply options. I’d guess if you looked at the number of “do not disturb I’m driving now” replies and the number of “Liked w repeated txt msg” replies and “emoji-only” replies one could make some interesting conclusions.

The question also revolves around “what is a bot”.

  • eg An entity with multiple accounts acting under different personas used by a single individual or organization while pretending to be unique individuals.

You’d have to include every Local, State, National and International LEA and 3L agency pumping the internet with their State’s Agenda.

So, here’s a Wild Question: What If

  • The problem with bots isn’t that it’s some soloer with a multibox keyboard and a home office wall of spanned monitors with their bezels removed running T*N accounts, but it’s the scope of its usage by LEAs and International Military Organizations running 24×7 operations?

LEOs often have NDA and Gag Orders (NSLs) that go with the terrain. They have their own offices in nearly every major ISP and SW organization. Compliance is mandatory.

My original thought was Musk was pissed about getting multiboxed by some soloers, but maybe he’s pissed about getting multiboxed by LEOs?

Anonymous September 9, 2022 4:48 PM

@ Ted, JonKnowsNothing, Clive, ALL

Have you ever met MITM and catch-and-release? I know you have.

re: https://www.schneier.com/blog/archives/2022/09/friday-squid-blogging-colossal-squid-in-new-zealand-museum.html/#comment-409832

That’s a bold and interesting exit strategy Cotton

We was haxored!

‘magic :[slashy] /www [.] cyberscoop.com/patreon-security-team-layoffs/

‘stuffy s://news [dot] ycombinator.com/item?id=32772597

‘hx zzy ://www.securitysystemsnews.com/article/patreon-fires-entire-security-team

It will not be long now.

Ted September 9, 2022 9:47 PM

@SpaceLifeForm, JonKnowsNothing, Clive, All

Re: Patreon security layoffs

Great articles. I was amazed at all the security/privacy jobs people posted in response to Metcalfe’s LinkedIn post. I have a good feeling about her being able to find work again. Does make you wonder what happened though. It’s a pretty big splash for the company to make without releasing many more details.

vas pup September 10, 2022 2:50 PM

Sorry @lurker • September 8, 2022 4:53 PM

My example came out of my childhood experience living in a country where regular folks could buy both only as a set, because in the Continental System of Civil Law the Accessory always follows the Main item.

Best,
vp

SpaceLifeForm September 10, 2022 4:44 PM

@ ALL

Won’t Somebody Please Think of the Ferris Wheels?

‘https://nitter.net/IntelCrab/status/1568633440110628865#m

The Ferris Wheel that Putin opened in Moscow this morning? It’s already broken…

lurker September 10, 2022 5:15 PM

Sorry @vas pup, I had different experience with people who went to a violin maker for the instrument, then to a different bow maker.

On the main topic, I’ve filed hardware bugs with Apple for several of their power supplies, and never got any reply. So I suppose pulling the PSU out of the package avoids having to replace it under warranty.
