Schneier on Security

Clive Robinson • February 24, 2023 9:20 PM

@ Bruce, ALL,

Re : No it’s not 1st April.

Under the title,

“UK Proposes Even More Stupid Ideas for Directly Regulating the Internet Service Providers”

Tech Dirt lists some political and law enforcment fantasies,

https://www.techdirt.com/2023/02/23/uk-proposes-even-more-stupid-ideas-for-directly-regulating-the-internet-service-providers/

As the article notes this is not the first time the current UK Government Incumbents have tried this nonsense and failed, they are now “doubling down” on Oppression and what if it were not online would be very illegal behaviour.

Proof yet again that “Human Rights Legislation” needs to be uprated to cover all forms of electronic communications before it is too late and privacy has been destroyed in the name of a jack-booted Surveillance State.

Clive Robinson • February 25, 2023 1:23 PM

@ JonKnowsNothing,

I’ve been hearing stories about bird flu having crossed into mamals very recently… Some of the story,

https://www.reuters.com/business/healthcare-pharmaceuticals/bird-flu-situation-worrying-who-working-with-cambodia-2023-02-24/

And now that it’s been found in humans the fatality of an 11 year old girl in Cambodia and her father testing positive is causing other questions,

https://www.theguardian.com/world/2023/feb/24/who-says-h5n1-avian-flu-cases-in-humans-worrying-after-girls-death

In the past two decades there have been over 850 human infections with over 450 ie more than half being fatal.

What is not known and won’t be for some time is,

1, If it’s bird to human, or human to human.
2, If human to human if it is sustained thus likely to start community spread or not.

The other problem is disease reservoir in mamals such as vermin. It would be easy for rodents like mice and rats to not only come into contact with infected birds due to “bird feed” issues, but direct blood contact as well from sick birds unable to defend themselves. But just as likely for the same rodents to come into direct contact with humans and bite/scratch into blood vessels etc.

Hopefully it will come to nothing.

But in the UK Imperial College’s professor of mathematical biology and epidemiologist Dr Neil Ferguson OBE who’s models allegedly caused “lockdown” in both the UK and US,has popped up again according to –right wing– Daily Mail,

https://www.dailymail.co.uk/health/article-11786059/Health-chiefs-modelling-worst-case-bird-flu-scenarios-case-killer-virus-jumps-humans.html

Some belive Prof Ferguson’s models have been flawed and thus caused over restrictive government policies (we are talking the Spectator’s abonymous columnist that in policy can make the US GOP look almost socialist),

https://www.spectator.co.uk/article/six-questions-that-neil-ferguson-should-be-asked/

Various other right wing or ultra conservative money sink groups like the Heritage Foundation of US vote manipulation fame,

https://www.theguardian.com/us-news/2023/jan/13/heritage-foundation-voter-suppression-lobbying-election-action-plan

have also chimed in in with their paid for political views,

https://www.heritage.org/public-health/commentary/failures-influential-covid-19-model-used-justify-lockdowns

So expect another major bun-fight if human-human transmission is shown to happen with more than very small fraction R0 figures.

Clive Robinson • February 25, 2023 2:11 PM

@ ResearcherZero, ALL,

Re : Days of freedom passing.

“It’s one of the things that is supposed to set apart democracies from authoritarian regimes, critique the government, speak truth to power or anyone else you jolly well like.”

Those were the days of last century shortly after WWII and into the 1970’s. In the 1980’s with Reagan and Thatcher, democracy was forcefully turned to the dark side.

The result of that we are still trying to deal with very unsuccessfully now, into the fifth decade later.

What we see China and Russia doing is to many western politicians and their backers the prototype for 2025 onwards. The “Man of Iron” nonsense a clear indicator that the politicians concerned can not either think, or failed to learn their history lessons from over the last century.

What makes it worse as one or two others have pointed out is the deceitful behaviour and morality of quite a few allegedly “christian” tribes/churches.

A beief look at the political behaviour of the Russian Orthodox Church will not just shock but give significant pause for thought, as they act as an enforcement arm of oppression for the Kremlin, especially of women and girls.

The fact that this is very much on the rise in the US and certain parts of the UK, is actually more worrying than “white supremacist” groups…

Clive Robinson • February 25, 2023 8:56 PM

@ Steve,

Re : Voice recognition, not…

“This morning I woke up with an entire pond’s worth of frogs in my throat.”

I know that feeling…

A few weeks back I got taken to hospital by ambulance having “creamed in” to the ground big style according to witnesses.

After a week of dicking about with medications the hospital kicked me out. But not soon enough as I came away with a whole bunch of nasty little pathogens that came out to play the following day.

It quickly turned into the worst head cold I’ve had this century and possibly ever. My sinuses were both blocked and draining into my throat, like an endless slug sliming it’s way down… Which felt worse than I could possibly describe.

Along with almost ear drum busting sneezes that turned my nostriles into two or three Newton thrust rocket venturies and splattered projectile mass all over the place as it shot through the paper hankies like the plasma of a shaped charge. I also had a deep braying cough which was, as the medical proffession put it so politely, was “productive” and quickly went that yellow green colour of secondary infection…

Well things are sort of improving, in that I now sleep for 16-18 hours a day in around three hour spurts. In which luckily I don’t cough so the throat is nolonger a burning pit dropping straight down to the furnaces of hell via a volcano (or that’s what it did feel like).

Though I am still coughing enough for the neighbors to complain… I think it’s not so much the cough they don’t want to hear, but the fact it turns into growl like you get in the old westerns when the bad guy hawks up and twangs it into the spitoon at the end of the bar. I don’t get the twang though as the muck comes up so thick it’s enough to tile a bathroom with…

As for “voice recognition” I could barely whisper at one point… So when I finally spoke to my “General Practitioner”(GP) doctor on the phone about the secondary infection, he was quite sympathetic and said “Your not the first today, there’s a lot of it going around at the moment”…

So yeh I send my best to your frogs and hope they are evicted soon, as for my slugs, I think they’ve taken an option to buy…

Clive Robinson • February 26, 2023 1:57 PM

@ JonKnowsNothing, lurker, ALL,

Re : Criminals are mostly scavengers.

“The monkeys are free to travel to and from the forests which they do. However, the population at the Temple is noticeably lower than usual.”

First lets take a little side journey…

When it comes to petty crime like house breaking it’s assumed that it’s by stupid males as these are the ones that get caught. The only women caught for theft are generally “stupid drunk” and stole “street furniture” or the like in full sight of CCTV or mates mobile selfie etc, or have it in their home as a trophy etc.

The reason the males get caught is they make their crimes “obvious to ablind man” at the time they commit them. Thus the evidence against them authorities gather is at just about it’s best. That is not suffering the effects of entropy etc.

Whilst women who have been burglars are caught in other ways, like the fence or recipient of the proceads of the crime “grass them up”. Because their crimes have been cautious and gone unreported at the time or at all.

Because they don’t make the crime “obvious” and they plan a little so as not to leave evidence. So much so that the crime might go undiscovered entirely by the people who have been robbed, or they assume what is missing has been mislaid or moved by a family member and it will turn up. Or a friend might have done it etc but have no idea as to when. And any evidence of the criminal has long since been walked over / Hooverd up / cleaned over, or in other ways degraded or destroyed.

So back to the missing primates…

Taking the primates from a place they go to frequently because they get fed and not harmed would almost be trivially easy. But is also “obvious” and has already caused “noise” that those taking the primates don’t need.

Hence they are being stupid, because at some point the authorities will have to take action. Not because the primates are attractive to the locals, but the money the tourists bring in is and to a certain extent the local economy depends on the primates attracting in the money.

At some point DNA testing will become involved to prove where a primate comes from. If that happens the US etc will start testing primate DNA as it is imported and record it and make the animals tracable.

Having the animals tracable in that way is not what drug testing companies want as it leaves them open on all those “destructive tests” regardless of if they are legal or not.

So rather than stop doing the testing at the higher ethical standards in the US and West, the drugs companies will do it in other places where a brown envelope stuffed with green pieces of paper generally quiets all enquiries.

Such places have lower standards for just about everything so Bio-Security is way way more likely to be compromised and go unreported (some people have already implied that Cambodia might be a good place to test H5N1 for these reasons).

Also there is the “loss of jobs” factor. Drugs testing is expensive in various ways one of which is skilled workers that in the West expect good salaries, health care for them and their family, good and safe working conditions etc. Thus workers abroad could cost maybe 1 to 5% of their US counter parts. As someone with an eye only on the bottom line what’s not to like about such “savings”…

Clive Robinson • February 26, 2023 11:43 PM

@ vas pup,

Re : China is using arctic spy buoys

“Such “activity is not new”, Canadian defence minister Anita Anand said in televised remarks, implying that China has been engaging in surveillance efforts in the region for some time.”

No it’s not new at all.

As far as I’m aware the British started it by hiding a “signals submarine” up on the route taken by shipping to Russia during WWII.

Supposadly they were looking for signs of German U-Boats by finding “oscillator leakage” from the receiver inside the U-Boat tuned to Germany’s U-Boat command “Fleet Broadcast” System.

However it’s way more likely even then that they would also have been listening to Russian armed forces etc communications as well. Winston Churchill hated the Russian leader and distrusted him entirely and acted in a way that made it fairly clear. This had unfortunate consequences when the US president changed. As it turns out it appears Churchill was right, Russia was actively spying on both the UK and US and at the very least stealing nuclear secrets.

Only a little later the British signals intelligence planes and submarines performed early monitoring of Russias active defence systems like radar and founded what we now call “Elint”. After the war other signals gathering related to weapons development and control continued, and upset quite a few in the US who were envious of the raw inteligence “from the brits” that their own military services were not supplying due in part to the ubexpected outbreak of the Korean war (and I’ve been told to significant interservice infighting/rivalry). An issue that led to the formation of the NSA in 1952 and thus a reshaping of the BRUSA “special relationship” that later gave rise to the Five-Eyes as the US discovered it had no territorial access in areas it needed them.

Elint became very dangerous work when in the 1950’s a decision was made to go from “passive monitoring” to “active probing” where Russian defence systems were jammed or “lit up” and as a result there were fatalities. We know that one British submarine HMS Turpin was repeatedly “depth charged” by the Russian’s in the 1950’s.

Basically the French had modified a magnetron design and come up with a new high power Backward Wave Oscillator(BWO) tube/valve in the early 1950’s that could not only be tuned across a very wide bandwidth, it was quite insensitive to load varience, thus was much easier to interface to a feed and antenna system that was not tuned to the frequency of operation (thus was quite frequency agile(. Also being small / compact for it’s output power and having quite a high efficiency, it ended up in most jamming equipment. Called a “Carcinotron” it was the use of this that caused the submarine to be not just “Found” but “Fixed” and the Russian’s moved into the “Finish” phase…

The US military joined in the Elint game firstly as they did not like getting primary intelligence from what they viewed as at best a minor partner. But secondly because they had the manufacturing capability to make the equipment that Britain lacked (basically Britain was not just bankrupt after WWII but all the machines etc used for manufacture had been entirely worn out to the point they had broken down doing war work and were not replaced or properly repaired).

Later with Russian shipping and submarines sneaking out, the US deployed two lines of monitoring devices attached to the sea bed, using systems not to disimilar to acoustic mines in design.

Over the years these systems were upgraded including the development of a couple of “cable laying” submarines to put in more sensors. (I’ve been told that the traffic came ashore and went through the GCHQ Bowermadden listening post near Wick untill it closed in the 1970’s)

By the mid 1960’s the entire north North Sea and up into the arctic circle area and even around to Murmansk and into Russian harbours were criss crossed with sensors one way or another. Other European nations also were putting their toe in to these surveillance waters, so much so that as I was only half humorously told it was unlikely that “a goldfish could fart without it being known”.

As for information in the public domain there is a chapter or three in Richard J. Aldrich’s 2010 book[1].

Sadly much information is still “sat on” in the UK even though the copies given under BRUSA later UKUSA to the UD have been released and Google has scaned many of them into their archive[3].

[1] For a book written in 2010, Richard J. Aldrich’s book,

“GCHQ : The uncensored story of Britain’s most secret intelligence agency”

ISBN 13, 978-0-00-727847-3

has a very bad index, that makes finding things difficult at best. Worse it’s actually very light on technical information, so can be quite a dull read for those less interested in the political figures.

[2] You can read a little about the Carcinotron including a picture of one from the 1950s,

https://spectrum.ieee.org/the-11-greatest-vacuum-tubes-youve-never-heard-of

[3] As I’ve mentioned before on this blog I was surprised to find documents I’d provided technical input to available with just a simple Google search…

Clive Robinson • February 27, 2023 7:47 AM

@ Winter,

Thanks for the alternate link.

After a number of redirects it started the download.

At 163 pages, it’s more of a “paperback” than a journal, and a little worrying that it takes ten pages to get to thr introduction ={

It might take a day or two to get to grips with 😉

Clive Robinson • February 27, 2023 7:47 PM

@ vas pup,

All part of the service 😉

Which reminds me I’ve got to “push in parts” my reply to you that failed last week.

Clive Robinson • February 27, 2023 8:43 PM

@ SpaceLifeForm, ALL,

Re : Accident or Foreign Sabotage?

Not sure if you have seen the news that Taiwan based Foxconn that has plants making Apple products in India had a major fire that has apparently destroyed 50% of the plant,

https://www.reuters.com/technology/apple-supplier-foxlink-halts-production-indian-facility-after-massive-fire-2023-02-27/

Time to think about some dots…

1, I know the US Gov wanted if not effectively insisted Apple bring back “on shore” manufacturing with roumors of using various “War Act” and similar national security legislation.

2, Apple however have been looking more than favourably at moving quite a bit of it’s manufacturing to India.

3, Also the US Gov want Taiwan to move not just high end chip but other manufacturing to the US, under clear indicators the US realise it can not aford to keep Taiwan and other South China Seas nations from significant Chinese military influance if not effective take over…

4, The Taiwanese Government are for obvious reasons not realy playing ball with what the US Gov want. Because they can clearly see the US intent behind the moves. Part of which will be concern over “So sorry war act / national security” nationalisation of Taiwanese assets making the US as bad if not a worse risk than being next to China…

5, The US Gov is far from being “besties” with India currently as India is looking toward both Russia and China’s economic pact and what that does with regards Afghanistan and the US “cats paw” of Pakistan (both India and Russia want the Taliban and their Palastani backing gone as the 80% of problem opiates come from Afghanistan).

6, India are also looking towards Iran and the Middle East but in effect to box-out the US-Israeli regional hegemony.

7, As ties between Iran and North Korea tighten with the blessing of both China and Russia, this means India will almost certainly look favourably towards North Korea in certain ways.

8, Israel has decided war in the Middle East within five years is in effect a certainty and they are starting to “weapon up” with US aircraft etc, as it’s more effective they buy than manufacture under license. Thus keep domestic production on the economy as well as building up land forces weapons.

9, The US are very likely to down grade Ukranian support as shifting obsolete stock comes towards the end. In part to try to force the EU to further “man-up” over Russia via NATO, and reduce US military spending.

So the question arises as to who would benifit most from a very significant factory fire in India effecting not just India, but Taiwan and the largest of US consumer tech corps…

Clive Robinson • February 28, 2023 1:48 AM

@ MarkH,

Re : Lab or not.

I suspect a lot of oppinions outside of the science community changed with Omicron out of Africa.

It apparantly did what the alledged original virus did which was change through a mamalian species and come out of nowhere to become the dominant varient.

But the original bio-weapon from a lab hypothesis if you remember did not come out of the science community. But a political wonk on the rise in the last executive after chatting with his lady friend.

It was “politically inline” with what the then executive wanted, to change the script to cover over the foul-up that the executive made in the first days of the infection.

Something the science community in general was not going to provide.

But as you might not know The WHO very recently has decided under the same leader it had before, to discontinue the science investigation of the outbreak. As others have noted, safely preserving the funding it is getting from China whilst the US has again not payed it’s dues…

So about the only thing to come out of all these investigations is,

“What a dirty game politics is.“

Clive Robinson • March 1, 2023 1:02 AM

@ Modem Phonemes,

Re : Car purchase, is not a purchase.

“What about the part of the car you have already paid for ?”

You have not paid for any part of it in many cases.

You need to understand there are three parties involved and two entirely unrelated transactions,

1, Manufacturers retailer.
2, Loan Company.
3, Customer who takes out the loan.

As the customer you take out a loan agreement with the loan company.

Importantly you do not in any way own the vehicle it’s owned by the loan company, and a small subsection of the loan agreement details under what terms you borrow or effectivrly rent the vehicle from them.

Which is why when you get a “lemon car” you have to be very carefull as you don’t have rights with the manufacturer unless you can prove individual harm, and the “loan company” will usually limit your remediation with them to effectively nothing. In essence you can return the vehicle at any time, but you will not receive a replacment and you must continue making the loan payments.

Oh and watch out for snatch-back clauses or finall differential payments. If you took out the agreement and since then the vehicle has appreciated in fiscal value, to gain “full title” you have to pay an extra fee the loan company will claim it’s entitled to. If you don’t pay it them they will hit you with “recovery charges” even if you take it to their premises. Either way not paying is in some places actually a crime not a tort, so jail time as well as bankruptcy and sequestration of assets for fines etc…

It varies from country to country and I assume state to state in the US.

Oh and watch out for the agreements that are not for purchased but lease, they are covered by a whole different bunch of legal codes.

My advice for what it is worth is “never ever borrow money to buy” that is if you can not save up for it, you can not afford the risk, as you are sleepwalking into a whole world of hurt, you will not realise due to the legalease involved.

The exception used to be “buying your home” but that was “last century” advice that died with Financial Crisis 1 and got buried with Finacial Crisis 2.

From the little I understand of what is going on in the US currently it’s a nightmare with local government committing fraud left right and center because their taxes are based on purchase price and homes being sold for as little as $5000 or even given away don’t earn tax that pays enough to collect it… So they cheat and claim all sorts of things they are not entitled to and use legal loop holes to stop you getting a judge to stop them…

Clive Robinson • March 2, 2023 5:19 AM

@ vas pup, ALL,

Re : Havana syndrome

It is what you would kind of expect.

As I’ve explained before, basic physics appeare to exclude,

1, Directed energy weapon
2, Energy transmitted radiative means.

Essentially the energy falls off with an initial large drop (near field to far field transition). Then drops by the distance squared 1/(r^2) for radiative or by distance cubed 1/(r^3) for volumetric. Which means that it is most dangerous at the emitting device so the operators are at higher risk than the targets at even relatively modest distances.

Also the size of the emitting device, basically if you assume a parabola or parabolic device you can work out just how big it has to be to focus the energy into a given direction, which applies to any radoative energy system even one made of focussing lenses.

So many would consider radiative energy systems ruled out at that point.

The obverse side of the problem is the medical evidence. It’s fairly clear Havana syndrome has a “physical insult” component, that is it’s caused by repeated insults numbering the hundreds or thousands. As seen in those involved with “head contact” sports like boxing or American Football or other sports like ice-hocky, rugby etc. As the NFL found the state of immaging technology could not show the damage in a living brain, however it does show up in certain types of autopsy.

Thus a period of “no tangible evidence” occurs, and “mission focused” organisations for essentially political reasons will not accept the observations, thus will go with any explanation that allows them to go forward. Typically this involves “Victim blaiming” then to further keep the lid on a double down of “Victim Victimization”. At which point the organisation has been taken over a tipping point and again for political reasons it can not back down untill the evidence is overwhelmingly against them.

So we saw first “it’s all in your mind” then “mass hallucination” and people being “removed from post” pension, health care and essentially further ability to eithe get well, get compensation or at the end of the day have an economic future. If they try to speak out they get essentially accused of being traitors and sanctioned in various ways.

So the big issues is that basic radiative weapons have apparently been ruled out by the current known rules of physics as applied to inanimate objects.

Basically they have considered the “heating effect” as the NRPB and other radiative energy protection bodies around the world do. This is because it’s both a high water mark which industry wants and is easy to explain with near simple mathmatics.

The problem with this is it ignores any other effrcts that sit between the unknown low water mark and the high water mark. Worse it enables people in positions of authority to put their fingers in their ears and sing “nargh, nargh, nargh can’t hear you” Or the famous Nelson telescope to the blind eye and saying “I see no ships”, thus alowing “their mission” to procead “full steam ahead” (yes I know don’t mix metaphors especially across vast historic time lines).

But… Look again at the medical evidence of it being similar to hundreds or thousands of “physical insults”. In effect each insufficient to cause harm on it’s own.

Two effects spring to mind,

1, Metal fatigue.
2, Energy built up by resonance.

We know that even quite minor vibration can lead to aircraft falling out of the sky even if the vibration is random if ot goes on long enough ie months. We also know the effects of resonance are way more harmfull and can rip devices of circuit boards in seconds or minutes.

We also have known via the use of gongs, just how powerfull hundreds of llttle hits at resonance or sub resonance can be, and from electronics any harmonic as well. Whilst the mathmatics appears complicated, the actual physical process is easy to see both physically with pendulums and graphically with pencil and paper.

As I’ve said before I’d look into this area for Havana syndrome.

Firstly for the reason given above but for a second reason going back to radio navigation systems of WWII.

If you use two radient beams you can with a little care with the mechanical setup radiate a very narrow beam of difference or coincidence where the two much wider beams just overlap. So if one beam transmits Morse style “dashes” and the other synchronized “dits” you get a continuous tone very narrow beam that you can easily fly along due to the very wide “dit” or “dash” beams.

But we also know that you can take a perfectly random pulse signal and subtract a “wanted” signal from it and end up with a second perfectly random signal. Transmit those two random signalls as the two main beams and where they overlap a very narrow beam or area of “wanted signal” occures.

So as noted with random signals and metal fatigue it would take a very long time to come to harm, as any energy build up would not be at anything like a harmonic or sub harmonic let alone resonance. So seperating the two transmitters over a reasonable distance will protect the operators. Howrver at the area of crossover where the two beams are coincident then the wanted resonance signal appears and just as with metal fatigue the damage would be quickly done…

Thus it’s not the “heating effect” we should be looking at but “resonance” or similar specialized wave forms.

But then what do I know I’m “just an engineer” and don’t have a long list of research grants and published papers. But I have seen such things as resonance effects in actuall implementations. For thosr “qualified doubters” you can find videos of components flying off circuit boards on YouTube (EEVblog has some for instance). Oh and you can buy or rent the transducers to induce such resonances from quite a few manufacturers. But also experienced plumbers also know about it as “apparently random” waterflow turbulance makes “pipes sing” that then fail very quickly”. Oh and as I’ve said “aircraft fall out of the sky”, it’s just a matter of “Mean Time To Fail”(MTTF) and what it is under certain conditions.

Clive Robinson • March 2, 2023 11:23 PM

@ SpaceLifeForm, lurker, ALL,

Re : SMS as a side channel.

“SMS 2FA

When you do this, you have created a dependency out of your control.”

As the probable inventor of “SMS as a side channel” for security, or atleast the discoverer of how to make it work effectively, back a decade or so into the last century and publicising it early to mid 1990’s… I now regard it as being one of my most significant security failures.

It is a prime example of why technology should never be used to solve a human or societal problem.

Oddly today I’ve already posted twice on the failings of factor based authentication / identification,

https://www.schneier.com/blog/archives/2023/03/dumb-password-rules.html/#comment-418838

https://www.schneier.com/blog/archives/2023/03/fooling-a-voice-authentication-system-with-an-ai-generated-voice.html/#comment-418759

And concluded most factor based authentication / identification is a security failure… Leaving only the “Something you Know (memory)” factor of the traditional triad. Further noting we realy need to improve that by playing to the strengths of the human mind not it’s weaknesses. Which because weakness is “easy to code” we mostly do currently…