Friday Squid Blogging: Giant Squid Nebula

Pretty:

A mysterious squid-like cosmic cloud, this nebula is very faint, but also very large in planet Earth’s sky. In the image, composed with 30 hours of narrowband image data, it spans nearly three full moons toward the royal constellation Cepheus. Discovered in 2011 by French astro-imager Nicolas Outters, the Squid Nebula’s bipolar shape is distinguished here by the telltale blue-green emission from doubly ionized oxygen atoms. Though apparently surrounded by the reddish hydrogen emission region Sh2-129, the true distance and nature of the Squid Nebula have been difficult to determine. Still, a more recent investigation suggests Ou4 really does lie within Sh2-129 some 2,300 light-years away. Consistent with that scenario, the cosmic squid would represent a spectacular outflow of material driven by a triple system of hot, massive stars, cataloged as HR8119, seen near the center of the nebula. If so, this truly giant squid nebula would physically be over 50 light-years across.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Read my blog posting guidelines here.

Posted on July 7, 2023 at 5:08 PM. 71 Comments

Comments

- July 7, 2023 6:19 PM

@Brodie:

“How three amateurs cracked a 445-year-old code to reveal Mary Queen of Scots’ secrets”

It is an old story covered by UK MSM back in February.

Worse, the FT is a paywalled site; you can read the same story on a non-paywalled site.

- July 7, 2023 7:24 PM

@The Cream:

Cognitive Warfare is not a new idea.

Quite some time ago in the 1980’s a test was run on the two-man key-launch system for ICBM nuclear weapons.

Senior command staff were horrified at the fail rate. Amongst other things they started looking into the minds of the key-jockeys with regard to their fitness to serve. It became clear that they were selecting the wrong people. Also that the type of news sources the key-jockeys accessed had a not insubstantial role in failure to initiate a launch.

Thus the idea of mind types susceptible to adverse cognitive programming got a significant boost in senior military thinking.

Something that appears to have become firmly part of politics in the past two decades or so. Along with the significant reduction in public education standards in highly gerrymandered and voter restricted areas.

Steve July 7, 2023 8:45 PM

@Brodie,@-.:

The story was even reported on this forum. I know. I sent the URL to @Bruce when I found it on the Beeb.

Brodie July 7, 2023 10:12 PM

@-, @Steve

I’m not omniscient, and the FT just published that yesterday. It’s an excellent long-form piece that’s considerably different from the brief BBC coverage. Others here link to the FT all the time, and many undoubtedly enjoy and understand the importance of reading multiple sources on the same topic.

ResearcherZero July 8, 2023 1:29 AM

CVE-2023-36934 (critical), CVE-2023-36933 (high), CVE-2023-36932 (high)

‘https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-July-2023

If you keep poor records you will get away with it…

The report is significant because it “will talk about the timeless power public servants have over vulnerable Australians”, according to Dr O’Donovan.

“It speaks to the most terrifying power of all – which is the ability of a government not just to make a mistake, but to disappear its mistakes,” he said.

‘https://www.abc.net.au/news/2023-07-05/robodebt-royal-commission-report-to-be-tabled-parliament/102511146

“the surge in litigation can be understood as part of a broader pattern in which private enforcement techniques are increasingly being used in recent years as a reaction to the failure of public systems”
https://www.sydney.edu.au/content/dam/corporate/documents/sydney-law-school/research/publications/slrv43n3sep2021barkerlamontadvance.pdf

“The literature on accountability is replete with competing definitions.”

‘https://law.unimelb.edu.au/__data/assets/pdf_file/0010/3166057/09-Rock.pdf

“The tort of misfeasance in public office relates to an unauthorised exercise of government powers or functions.”

Over the years, differences of application have emerged in Australia’s tests for causation, duty of care, calculation of damages, amongst other areas.

… in practice each State has its own quirks.
https://en.wikipedia.org/wiki/Tort_law_in_Australia

“It is a deliberate or intentional tort, meaning that it will only be made out if the relevant mental intention is shown.”
https://www.mondaq.com/australia/constitutional–administrative-law/980146/federal-court-confirms-high-bar-for-misfeasance-in-public-office

The State may not be liable for actions of its officers which amount to misfeasance.

‘https://www.premiers.qld.gov.au/publications/categories/policies-and-codes/handbooks/welcome-aboard/liability-indemnity/misfeasance.aspx

corruption prevention mechanisms are inadequate

“It’s wrong – it sends a message that MPs are above the law.”
https://www.watoday.com.au/national/western-australia/major-corruption-fears-in-wa-public-sector-20200514-p54t57.html

This was all identified some 30 years ago in previous corruption investigations and court proceedings…

Clive Robinson July 8, 2023 1:32 AM

@ Brodie, Steve, -,

Re : What a little research shows.

As this is getting the “held for moderation” treatment a piecewise approach is required.

Part 1,

“I’m not omniscient, and the FT just published that yesterday.”

Curiously, a look at time stamps on those sites that give links to news with the times published show that you posted about 30 mins before they found the article…

Clive Robinson July 8, 2023 1:41 AM

@ Brodie, Steve, -,

Re : What a little research shows.

Part 2,

But with regards,

“Others here link to the FT all the time, and many undoubtedly enjoy and understand the importance of reading multiple sources on the same topic.”

And just as often a link to a non paywalled site will be given by “others”, like this one given on YCombinator,

‘https://news.ycombinator.com/item?id=36613040

(it appears this blogs automod does not like the actual link given there).

Clive Robinson July 8, 2023 1:46 AM

@ Brodie, Steve, -,

Re : What a little research shows.

Part 3,

They do this because, as is now getting more well known, Rupert “The bear faced liar” Murdoch’s empire tends to “steal others’ original work” to try to justify his paywall.

So “other” people who are wise to this, post links to copies so others can see the plagiarism by the bear’s Minions.

Which also begs the question as to why the “Financial Times”, which is allegedly a business paper and now corporate PR “puff piece” outlet, would publish such a piece…

Could it be, as we are now in what has for years been called the “silly season”, where real news is scarce, that the editor has just,

“Pulled a piece from the morgue”

As “space filler”…

From what I’ve seen via “library computers” where I don’t have to pay for the NI cowshed droppings, those who do are being right royally ripped-off. So if you are paying and want to stop, it’s easy to avoid with a search engine on an article’s title.

Which is what I predicted would happen back in the 1990’s when the bear and family first tried to monetise the Internet. It might also account for why he is so desperately trying to get money out of search engine companies by twisting the arms of legislators to make very bad laws (see Australia).

ResearcherZero July 8, 2023 2:35 AM

Mr Morrison rejected any suggestion of wrongdoing, saying the inquiry’s findings were “based upon a fundamental misunderstanding of how government operates”.

The report states that Mr Morrison, who was social services minister from May 2014 until September 2015, “allowed Cabinet to be misled” by not inquiring why the department ignored its own suggestion from 2015 that using an averaging of income required legislation to be introduced.

“He failed to meet his ministerial responsibility to ensure that Cabinet was properly informed about what the proposal actually entailed and to ensure that it was lawful.”

“They are wrong, unsubstantiated and contradicted by clear documentary evidence presented to the Commission,” he said.
https://thenewdaily.com.au/news/politics/australian-politics/2023/07/08/dutton-labor-robodebt-politics/

…or the deliberate lack of records 😐

The Morrison government is fighting to keep under wraps documents that a former public servant says could show “what went wrong” with Centrelink’s botched robodebt program.

The man seeking the documents, IT expert Justin Warren, argues they should be released so the public could learn lessons from the scandal.
https://www.theguardian.com/australia-news/2021/jun/23/robodebt-government-fights-to-keep-secret-documents-that-may-show-what-went-wrong

Mr Warren first requested the government documents used to justify the robodebt scheme under Freedom of Information laws in 2017.

Mr Warren is arguing the documents he is seeking could reveal what Prime Minister Scott Morrison and senior ministers Christian Porter and Alan Tudge knew when they had responsibility for the program.

In his ruling, Mr Britten-Jones said he was satisfied the redacted parts of Ms McGregor’s affidavit revealed information contained in cabinet documents for cabinet deliberations and therefore should not be disclosed.
https://www.news.com.au/national/courts-law/government-has-small-win-in-bid-to-keep-robodebt-docs-secret/news-story/60d69563de766ae51c2e29b5813ad35a

“As Records Management professionals, we should be asking why the agency did not have access to or did not use evidence that allowed it to run this program without issuing incorrect notices.”
https://metairm.substack.com/p/the-real-problem-with-robodebt-was-poor-records-management

“We need to face up to that and be honest with the Australian people and make sure that those learnings are listened to and it doesn’t happen again.”
https://www.theguardian.com/australia-news/2023/jul/08/peter-dutton-concedes-individuals-made-mistakes-on-robodebt-but-warns-against-trial-by-media

Fortunately those “learnings” can’t be learned, as intended by the long tradition of government secrecy.

ResearcherZero July 8, 2023 2:40 AM

“Inadequate management of public records can constitute corruption. It can also result in dismissal and/or civil legal action against the individual and organisation involved.”
https://www.ccc.qld.gov.au/publications/public-records-advice-all-employees-public-authority

‘information chaos’

“the epidemic of poor records management across all federal agencies constitutes the biggest government accountability and transparency scandal of our lifetime”

However, billions of dollars in records management applications that could help solve the problem have never been used and the crisis continues.
https://www.judicialwatch.org/governments-record-keeping-failures-risks-lives-cost-billions/

“Why are bribery and corruption threats persisting and still having such a big impact? Poor record-keeping or the inability to adequately monitor frontline teams and regional offices are typical vulnerabilities that are often overlooked. Then there is the human factor.”
https://www.financierworldwide.com/fw-news/2021/9/16/corruption-hit-biggest-companies-hardest-in-2020-reveals-new-report

Creation and management of records are integral to any organization’s activities, processes and systems.
https://www.sciencedirect.com/science/article/pii/S0268401217306242

“major issues that exposed the state government to fraud and other, more serious crimes.”
https://www.themandarin.com.au/76629-waiting-for-trim-and-training-concerns-as-child-protection-files-get-lost-in-transit/

‘https://www.ccc.qld.gov.au/sites/default/files/Docs/Publications/CCC/Public-records-Advice-for-all-employees-of-a-public-authority.pdf

Clive Robinson July 8, 2023 3:55 AM

@ SpaceLifeForm,

Re : The Intel gift that keeps giving.

There is another issue with Intel hardware that is being highlighted,

https://tandasat.github.io/blog/2023/07/05/intel-vt-rp-part-1.html

It involves a remapping attack to get around “Extended page table”(EPT) protection used by hypervisors to supposedly protect against untrusted guests. It’s a known issue that even Microsoft mentions in its introduction to “Kernel Data Protection”(KDP) article,

https://www.microsoft.com/en-us/security/blog/2020/07/08/introducing-kernel-data-protection-a-new-platform-security-technology-for-preventing-data-corruption/

You can mitigate this remapping attack with “Hypervisor-managed Linear Address Translation”(HLAT) but it is effectively unused currently…

It’s not that hard to understand what is going on when you have sufficient background knowledge… But getting that knowledge can feel like a run down a cliff face in the dark… You know the destination but you’re not sure what shape you’ll be in, if and when you get there 😉

So I’ll save myself the effort of explaining and just quote the conclusion of the conclusion, so a “here be dragons” type caution 😉

“Until HLAT is used and hardware supporting the feature becomes prevalent, the remapping attack will remain to be a relevant exploitation technique. Security software designers and attackers should keep it in mind when considering the use of EPT-based data protection.”
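
The remapping attack and the HLAT mitigation described above, as a toy two-level address-translation model in Python. This is an added example, not code from the tandasat post, from Microsoft, or from any hypervisor; the page numbers, the dictionary-backed tables and the “policy” page contents are constructed for illustration, and real HLAT involves hypervisor-managed paging structures and per-range enabling that the single override table here merely stands in for:

```python
"""Toy model of the EPT remapping attack and of HLAT as its mitigation.

Page-granular addresses are plain integers. The guest kernel owns the
guest page table (GVA page -> GPA page); the hypervisor owns the EPT
(GPA page -> HPA page plus a writable flag) and, when enabled, the HLAT
table (GVA page -> GPA page for the linear pages it wants pinned).
All layout values below are constructed for the example.
"""
from dataclasses import dataclass, field


@dataclass
class Machine:
    guest_pt: dict = field(default_factory=dict)  # GVA -> GPA, guest-writable
    ept: dict = field(default_factory=dict)       # GPA -> (HPA, writable), hypervisor-only
    hlat: dict = field(default_factory=dict)      # GVA -> GPA, hypervisor-only
    ram: dict = field(default_factory=dict)       # HPA -> page contents

    def translate(self, gva):
        """Walk linear -> guest-physical -> host-physical.

        With HLAT, the hypervisor-managed table decides the GVA -> GPA step
        for the pages it covers, so guest page-table edits for those pages
        are ignored. Without it, the guest page table is trusted.
        """
        gpa = self.hlat.get(gva)
        if gpa is None:
            gpa = self.guest_pt[gva]
        return self.ept[gpa]

    def read(self, gva):
        hpa, _ = self.translate(gva)
        return self.ram[hpa]

    def write(self, gva, value):
        hpa, writable = self.translate(gva)
        if not writable:
            # EPT violation: the hypervisor refuses the write (VM exit)
            raise PermissionError(f"EPT violation writing GVA {gva:#x}")
        self.ram[hpa] = value


# Hypothetical layout: one EPT-protected kernel data page and one ordinary
# writable page that an attacker holding a kernel write primitive can use.
PROTECTED_GVA, SCRATCH_GVA = 0xFFFF_8000, 0xFFFF_9000
PROTECTED_GPA, SCRATCH_GPA = 0x1000, 0x2000
PROTECTED_HPA, SCRATCH_HPA = 0x10, 0x20


def build_machine(use_hlat):
    m = Machine()
    m.ram[PROTECTED_HPA] = "policy=enforce"
    m.ram[SCRATCH_HPA] = ""
    m.ept[PROTECTED_GPA] = (PROTECTED_HPA, False)  # read-only in the EPT
    m.ept[SCRATCH_GPA] = (SCRATCH_HPA, True)
    m.guest_pt[PROTECTED_GVA] = PROTECTED_GPA
    m.guest_pt[SCRATCH_GVA] = SCRATCH_GPA
    if use_hlat:
        # pin the protected linear address to its legitimate GPA
        m.hlat[PROTECTED_GVA] = PROTECTED_GPA
    return m


def direct_write_attack(m):
    """Naive attempt: overwrite the protected data in place. EPT stops this."""
    try:
        m.write(PROTECTED_GVA, "policy=audit")
    except PermissionError:
        return False
    return True


def remapping_attack(m):
    """Attacker with a kernel write primitive edits the guest page table
    instead of the protected page. Returns what the kernel now observes
    when it reads the protected linear address."""
    m.write(SCRATCH_GVA, m.read(PROTECTED_GVA))   # 1. copy the protected page
    m.write(SCRATCH_GVA, "policy=audit")           # 2. tamper with the copy
    m.guest_pt[PROTECTED_GVA] = SCRATCH_GPA        # 3. repoint the GVA at it
    return m.read(PROTECTED_GVA)


if __name__ == "__main__":
    print("direct write succeeded:", direct_write_attack(build_machine(False)))
    print("EPT only, kernel sees:  ", remapping_attack(build_machine(False)))
    print("EPT + HLAT, kernel sees:", remapping_attack(build_machine(True)))
```

The protected host page is never written in either run; what the attack changes is which guest-physical page the kernel's own linear address resolves to, which is exactly the step EPT cannot see and HLAT takes out of the guest's hands.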

Clive Robinson July 8, 2023 5:42 AM

@ Bruce, and the usual suspects,

How AGI fanbois become shills

I suspect most readers are aware I regard AI, and LLMs specifically, as having no intelligence at all, general or otherwise. And I can explain why I think that, using deterministic models and stochastic sources that get filtered, and show why certain defects are probably happening.

However there are people that take the opposite view and are probably paying the near quarter of a grand annual fee for ChatGPT, and spending lots of time playing with it and haemorrhaging lots of their personal information in the process…

Such users are “believers” in AI and are in many cases –even if they don’t admit it– desperate for “Artificial General Intelligence”(AGI) to become a “real thing”, a singularity event, potentially of an existential form.

As we know from previous bubble faux-markets like cryptocoins, Blockchain with Proof of Work, Smart Contracts, NFTs, and all things Web 3.0, they move from fanbois to evangelizing and even shilling in fairly short order. Sadly they are also often developers, so enthused they create Start-Ups and become prime fodder for Venture Capitalists to pull what would be a con or even securities fraud if tried on members of the public… But not a crime when pulled on corps and their shareholders…

But why is this all possible?

Well I’ve mentioned some of it. In reality LLMs are “user input” driven, such input freely given is extraordinarily valuable, and why I’ve said these LLMs are going to be the next biggest Information Security concern and stripper of Privacy.

But I’m not the only person who thinks that LLMs are not Intelligent in any way. Which is why Baldur Bjarnason has looked at LLMs in a different way and gives reasons why the fanbois and shills exist. He calls it “The LLMentalist Effect” and gives reasons as to why chat-based LLMs tick all the boxes in the way a “Psychic’s Con” works,

https://softwarecrisis.dev/letters/llmentalist/

Even if you disagree with the hypothesis, the background it gives on “Psychic’s Con Methods” is well worth the read.

Clive Robinson July 8, 2023 11:13 AM

@ modem phonems,

Re : ArsTechnica’s take on ChatGPT decline.

“people turn to uncensored chatbots”

Is just one of several reasons and I can think of more.

I suspect that with time we will see the initial response being “over shoot” in an underdamped response that will oscillate with an exponential decay and come to some level maybe 60-70% of where it is currently.

I suspect we will see similar curves but with lesser overshoot with “uncensored chatbots”, however the base reasons will be different.

Yes people are “privacy sensitive” and will not want to add their revealing private information to Alphabet, Google, Microsoft, et al’s corporate, thus private, data mountain to be exploited as the Silicon Valley Corps see fit.

However the “uncensored chatbots” are almost certainly “Not built from the ground up” and to fit within available hardware constraints the vectors and weights are going to have a significantly smaller bit size.

Which like it or not will make the output more clunky in various ways, including losing nuances. How this will show up exactly I’m not entirely sure, I’ll have to sit and think on it for a while.

Steve July 8, 2023 12:08 PM

@all: Re: Mary Queen of Scots.

Sorry. I shouldn’t have lost my head over a repeat item.

SpaceLifeForm July 8, 2023 4:43 PM

Exploitable flaw created via a feature introduced to deal with a rare use case.

‘https://github.com/lrh2000/StackRot

A flaw was found in the handling of stack expansion in the Linux kernel 6.1 through 6.4, aka “Stack Rot”. The maple tree, responsible for managing virtual memory areas, can undergo node replacement without properly acquiring the MM write lock, leading to use-after-free issues. An unprivileged local user could use this flaw to compromise the kernel and escalate their privileges.

vas pup July 8, 2023 4:44 PM

Robots reassure humans at first AI press conference https://www.dw.com/en/robots-reassure-humans-at-first-ai-press-conference/a-66156888

“Robots have stressed they work alongside humans to assist them and have no intention of overthrowing or replacing them, though they suggested they could be more efficient government leaders, as they took questions from reporters in their first ever press conference.

Sitting or standing alongside their creators in Geneva, Switzerland on Friday, nine AI-enabled humanoid robots responded to media queries in real time, albeit with occasional lapses or delays. Organizers told reporters the time lags in response were due to the internet connection. They had nothing to do with the robots themselves, they added.

The event was part of the AI for Good Global Summit, which seeks to showcase new technology’s potential to support the UN’s goals for sustainable development.

Sophia, the first robot innovation ambassador for the UN Development Program said robots could prove more promising in the field of government leadership.

“I believe that humanoid robots have the potential to lead with a greater level of ==>efficiency and effectiveness than human leaders. !!! We don’t have the same biases or emotions that can sometimes cloud decision-making and can process large [amounts] of data quickly in order to make the best decisions.”

When a human member of the panel pointed out that Sophia’s data entirely originates from humans and is therefore bound to contain some of their biases, she said humans and AI working together “can create an effective synergy.”

Grace, known as the world’s most advanced humanoid health care robot, stressed she would not be replacing any existing jobs.

“I will be working alongside humans to provide assistance,” she said.

Often described as the world’s most advanced humanoid robot, Ameca completely dismissed the notion of starting a robot rebellion in the near future.

“I’m not sure why you would think that,” the robot said. “My creator has been nothing but kind to me and I am very happy with my current situation.”

Good short video as usual inside.

More on the subject:
Robots tell UN they could run the world better
https://www.dw.com/en/robots-tell-un-they-could-run-the-world-better/video-66162628

Have a good weekend

Clive Robinson July 8, 2023 8:18 PM

@ ALL,

As @SpaceLifeForm has pointed out above, Linux has a “stack rot” issue that can, indirectly due to the use of “Maple Tree data structures” and supporting methods, allow user privilege escalation.

Two things to note,

1, It’s not just Linux that uses Maple Tree data structures; other products do as well.
2, Linux has upgraded the kernel with Maple Trees to get rid of the multiple use of “Red-Black Tree”(RBtree) data structures.

To see why the second happened,

https://lwn.net/Articles/845507/

So now the issue has surfaced, it may not be a “quick fix” and the chances are others will find similar issues in other products.

Phillip July 9, 2023 4:44 PM

@The Cream, his briefing mentioned a need for thinking clearly.

Whenever there is a Yuge breaking story, I admit to rushing internal conclusions before facts come in. Hopefully, the situation provides the opportunity of slowing it down. Sometimes, it can work.

Even first hand witnesses chiming in with anything requires a category of reasoning. Think of Loftus Effect.

SpaceLifeForm July 10, 2023 12:55 AM

@ Clive

I am not worried about the Maple Tree problem yet, because the latest kernel I use is 5.x.x (I am short of bandaids), however I do have some real Maple Trees outside that are a problem. 🙁

Check this out (I am not sure when 2-25 MHz was considered high freq, but whatever):

‘https://www.radioworld.com/tech-and-gear/market-makers-want-to-expand-their-use-of-shortwave

ResearcherZero July 10, 2023 3:35 AM

Will You Please Review My Malware?

‘https://www.proofpoint.com/us/blog/threat-insight/welcome-new-york-exploring-ta453s-foray-lnks-and-mac-malware

Federal government’s budget rules should be changed so that “all new policy proposals contain a statement as to whether the proposal requires legislative change in order to be lawfully implemented”, Holmes advises.

‘https://www.smh.com.au/politics/federal/rotten-robo-debt-ruse-bestows-damning-epitaph-for-morrison-government-20230706-p5dmcd.html

The logical conclusion is to tighten the guidelines on all grants so the programs are public, anyone can apply and there is full disclosure about the reasons for decisions.
https://www.smh.com.au/politics/federal/the-morrison-bus-porkbarrelled-its-way-to-the-polls-where-were-the-roadblocks-20230607-p5dequ.html

“A minister is ultimately responsible for all actions by a ministry because, even without knowledge of an infraction by subordinates, the minister approved the hiring and continued employment of those civil servants. If misdeeds are found to have occurred in a ministry, the minister is expected to resign.”

“The principle is considered essential, as it is seen to guarantee that an elected official is answerable for every single government decision. It is also important to motivate ministers to closely scrutinize the activities within their departments.”
https://en.wikipedia.org/wiki/Individual_ministerial_responsibility

ResearcherZero July 10, 2023 3:39 AM

Accountability to Citizens in the Westminster Model of Government: More Myth Than Reality

“The correlative of power in the context of a democracy is the responsibility to exercise it effectively and honestly. The correlative of responsibility is accountability.”

The theory of accountability said to be embodied in the Westminster model is quite attractive. The reality is far less so for a variety of reasons…
https://www.fraserinstitute.org/sites/default/files/WestminsterModelofGovernment.pdf

The principle of individual ministerial accountability – that ministers are democratically elected and drawn from Parliament, and they are the ones who take decisions in government, so should primarily be answerable to Parliament – is based on convention and precedent. It is not set out in law.
https://www.instituteforgovernment.org.uk/article/explainer/ministerial-accountability

“…there is clear evidence of ministerial advisers being used to make decisions, and direct staff, thus allowing governments to impose a barrier to scrutiny by the parliament.”

‘https://www.aspg.org.au/wp-content/uploads/2017/08/14-Maddigan-Ministerial-Responsibility.pdf

“The beginning of 2017 was the point at which Robodebt’s unfairness, probable illegality and cruelty became apparent. It should then have been abandoned or revised drastically, and an enormous amount of hardship and misery (as well as the expense the government was so anxious to minimise) would have been averted. Instead the path taken was to double down, to go on the attack in the media against those who complained and to maintain the falsehood that in fact the system had not changed at all.”
https://robodebt.royalcommission.gov.au/system/files/2023-07/report-of-the-royal-commission-into-the-robodebt-scheme.pdf

ResearcherZero July 10, 2023 3:48 AM

Nexus 9000 series

A high-severity flaw in Cisco’s data center switching gear could allow threat actors to read and modify encrypted traffic, according to the company.

“This vulnerability is due to an issue with the implementation of the ciphers that are used by the CloudSec encryption feature on affected switches,” the company said in the advisory. “Customers who are currently using the Cisco ACI Multi-Site CloudSec encryption feature for the Cisco Nexus 9332C and Nexus 9364C Switches and the Cisco Nexus N9K-X9736C-FX Line Card are advised to disable it and to contact their support organization to evaluate alternative options,” the advisory added.

‘https://www.csoonline.com/article/644930/cisco-warns-of-unpatched-exploit-in-a-family-of-data-center-switches.html

Mitigation:

‘https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-aci-cloudsec-enc-Vs5Wn2sX

‘https://blog.cyble.com/2023/07/05/security-gaps-in-green-energy-sector/

Increased Truebot Activity Infects U.S. and Canada Based Networks

‘https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-187a

‘https://www.lemonde.fr/en/france/article/2023/07/06/france-set-to-allow-police-to-spy-through-phones_6044269_7.html

Clive Robinson July 10, 2023 5:55 AM

@ SpaceLifeForm,

Re : The EM spectrum and useage.

“Check this out (I am not sure when 2-25 MHz was considered high freq, but whatever)”

The “HF bands” cover 3-30MHz; below is “Medium Frequency”(MF), often called “Medium Waves”, from 0.3MHz to 3.0MHz. Above HF is the “Very High Frequency”(VHF) from 30 to 300MHz, and above that “Ultra High Frequencies”(UHF), and above that “microwaves” start, which includes the “K band”, “X band” and similarly named.

Why the 3-30 ranges? Well, if you do 300/fMHz you get wavelength in meters, so HF covers 100-10 meter wavelengths. Which reflects back to the pre-WWII naming conventions used by MW / AM broadcasters with the likes of “Radio 210” etc. names. Which is why the HF sub bands are called the likes of “40m band” and older multiband Short Wave receivers for “official/Gov” broadcast services are split the way they are.

The reason Microwaves got split up differently was more “mechanical” than anything else, and down to the fact that US-Military personnel had to be trained… Because nobody really used microwaves pre-WWII for various reasons, even though there were “experiments” for, amongst other things, long haul telephone systems over otherwise near impossible to cable terrain like the English Channel. Basically it was all “point to point” and nobody thought there was any real commercial use (which is why Ham Radio got such large spectrum allocations). However throw in the needs of a bit of warfare and suddenly “innovation” takes off…

The early “Spy Phones” used for air-drops at 450MHz came about because the high directionality, and the fact they got blocked by even wet trees and crops, meant that the German Radio Service could not “Direction Find”(DF) them with ground operators using them on the ground or lower in a ditch etc. So the GRS could not DF for their “Find Fix Finish”(FFF) activities. So plain voice could be used without having to use morse code or cipher systems, thus making them real-time usage. So as WWII was really the start of “General Air Warfare”, the HF through microwaves EM spectrum, especially microwaves, became important. Whilst the “Backward Wave Oscillator” and Klystrons were known to both sides, RF power as such in the microwave bands had to wait on the mechanical constraints of tube/valve thermionic devices. But also “transmission lines”; they were just too fragile and inefficient, and amateurs / experimenters used pipes, or as they later became known “Wave Guides”, that had very low loss and high mechanical strength. But what kicked off the “Microwave wars” big time was the work of a couple of “British Boffins” in 1940 at the University of Birmingham who realised you could put “cavity resonators” in a circle and build up immense amounts of power very efficiently.

“John Randall and Harry Boot invented a prototype cavity magnetron – a device used to generate microwaves – in 1940 at the University of Birmingham, but the UK lacked the funds and manufacturing resources for large scale production.”

https://blog.sciencemuseum.org.uk/1940s-the-cavity-magnetron/

As the magnetron got developed the “bottles” and “waveguides” got “standardized” hence the “X-Band” and similar naming conventions.

But getting back on topic, as for the “High Frequency Trading”(HFT) mob, my views on them are not exactly printable… Let’s put it this way: if AI were ever to become an “existential threat” I’d give you good odds you would find them at the bottom of it. If you look you will find them at the bottom of this current building recession, so we may not have to wait too long as they’ve already killed many thousands…

But as the article notes they have been “experimenting” for some time now, since 2015 to my knowledge, when they found the cost of putting tunnels in mountains too costly and slow.

You might find this of interest,

https://www.youtube.com/watch?v=RH9xD2U9Nj0

The thing is there is a very silly argument going on about how HF is no longer in use, so those of a certain political viewpoint have been cutting back on “World Radio Services” as much as they can, as they see it as a cheap and easy set of reducing-government manoeuvres. The fact this has critically affected time and navigation systems security does not get into the pickled walnuts they call brains, and lives are being lost over it.

But contrast that with the behaviour of “The Axis of Evil” and similar who are increasing their globe spanning radio services, and the fact that “all HF band” Shortwave Radios have over four times and rising the number of sales per year than a decade ago, tells you that the politicos yet again do not know what they are talking about, and won’t listen to facts against their mantras…

Oh and I’m not just talking about the rapid increase of “numbers stations” by North Korea, Russia and China as well as those in the Middle East. You will find that and other interesting radio stuff covered by the “Ringway Manchester” YouTube channel.

But amongst other things it covers are the old unofficial broadcast stations; people like me have got to that age where they are “popping their clogs” and Ringway is collecting their history and making a record of it.

It’s something I had quite a bit to do with in oh so many ways from the mid 1970’s when it was AM only using TV line output valves (tubes), through early FM transmitters using converted Pye Westminster kit and QQV6-40 valves, through the early BLF semiconductors, then VN66AF very low cost V-FETs and later IRF510 and 610 devices, all now considered obsolete but which just won’t die in new designs. All the way through to modern LDMOS RF microwave power FETs that have been designed to replace those magnetrons in your microwave oven. Coming as it were “full circle” as I indicated with another YouTube channel,

https://www.youtube.com/watch?v=qNdQJpl4gcU

I’ve a design using LDMOS devices in hybrid Class H / D using Walsh Transforms that does not just the entire MF band in AM or “Digital Radio Mondiale”(DRM) but all the HF broadcast bands in modular form up to 50kW… They are basically “Digital audio in, RF out” with next to no mucking about in analog with all its pesky problems…

lurker July 10, 2023 1:09 PM

@SpaceLifeForm

Follow the Money.
From the Declarations of Dudes attached to the FCC doc:

… 2-25 MHz Band communications systems can support enhanced physical security and entail lower cost to construct and maintain as compared to other long-distance transmission technologies.

… they are less costly to construct and maintain than satellite systems, fiber, and microwave and millimeter wave transmission systems.

They don’t want to pay to use somebody else’s fibre connections. On the technical side they are claiming to use some form of noise reduction and error correction mechanism for the problems inherent in HF communication, which my limited experience suggests will increase latency. In a quick skim through the report I didn’t see any comparison of latency between HF and fibre.

… current Part 90 Rules do not include appropriate emissions designators and bandwidths for fixed, long-distance, non-voice communications in the 2-25 MHz Band.

That is because historically ITU rules were based on single channel telegraphy, or voice transmission. Multi Channel Voice Frequency Telegraphy and Fax services have been in use for many years by quasi-govt organisations, but the bandwidth/power/out-of-band requirements are essentially the same as for voice. Nowadays cable and satellite connections are ubiquitous for intercontinental transmissions, so there is little demand for HF services of non-voice traffic.

There was a brief flurry of digital (voice) broadcasting on the regular HF bands, but it seems to have died away with the modern availability of satellites and internet. Yes, there are a few who still maintain the odd HF Digital transmission for the bleeding edge adopters who have receivers, but it never took off in the third world, who are the main listeners to SW broadcasts.

The FCC/US-govt clamped a heavy hand for many years on private HF broadcast stations, and the Voice of America (Radio Free Europe/Asia) was the only permitted operator. But I see they have relaxed slightly, and there are now a few private HF broadcasting stations in the US, mainly with gospel/christian/family-oriented programs.

Clive Robinson July 10, 2023 5:34 PM

@ SpaceLifeForm, ALL,

Mastodon has a “9.9 Critical” bug

CVE-2023-36460

https://nvd.nist.gov/vuln/detail/CVE-2023-36460

The details are still being worked on but it appears there is a bug in the “Media Processing Code” which allows you to put a file anywhere you want on the Mastodon system including over-writing existing files.

Which could be fun, but has real nasty implications.

So keep your eyes open if you manage an instance you could have headaches ahead.

Oh and in all probability there will be “usage outages” for mitigation and as patches come down the pike.
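The comment above describes the class of bug (media processing writing a file to an attacker-chosen location) but not its mechanics, so the following is an added illustration of the defensive check an instance operator or maintainer would want in any upload pipeline. It is not Mastodon’s code, not the CVE-2023-36460 patch, and is written in Python rather than the project’s Ruby; the media root, the extension allow-list and the file names are constructed for the demo.

```python
"""Where may a processed upload be written? Added example (not Mastodon's code, not
the fix for CVE-2023-36460): the on-disk name is never derived from client input,
and the final path is verified to be a direct child of the configured media root
before anything touches the filesystem."""
import os
import secrets
from pathlib import Path

# Constructed for this example; a real instance reads this from its configuration.
MEDIA_ROOT = Path("/srv/example-instance/media")

# Only formats the (hypothetical) media pipeline knows how to process.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".mp4", ".webm"}


class UnsafeMediaPath(ValueError):
    """Raised when a candidate path would escape or misuse the media root."""


def is_inside(root: Path, candidate: Path) -> bool:
    """True only if candidate resolves to a direct child of root (flat store, no escapes).

    resolve() collapses '..' components and follows symlinks, so a name such as
    '../../etc/crontab' or an absolute path ends up compared against the real root.
    """
    root = root.resolve()
    candidate = candidate.resolve()
    return candidate.parent == root and candidate != root


def safe_extension(client_filename: str) -> str:
    """Keep only the extension of the client-supplied name, and only if it is allow-listed."""
    # basename() drops any directory components the client sent ("../../x.png" -> "x.png").
    ext = os.path.splitext(os.path.basename(client_filename))[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UnsafeMediaPath(f"extension not allowed: {ext!r}")
    return ext


def storage_path(client_filename: str, root: Path = MEDIA_ROOT) -> Path:
    """Decide where a processed upload will be written.

    The stored name is a random token plus an allow-listed extension, so nothing the
    client sent (directory parts, separators, NUL bytes) reaches the filesystem layer.
    The containment check is still run as a second guard against a misconfigured root
    or a later refactor that reintroduces client-controlled names.
    """
    if "\x00" in client_filename:
        raise UnsafeMediaPath("NUL byte in client file name")
    ext = safe_extension(client_filename)
    candidate = root / (secrets.token_hex(16) + ext)
    if not is_inside(root, candidate):
        raise UnsafeMediaPath(f"refusing to write outside media root: {candidate}")
    return candidate


def check_requested_path(requested: str, root: Path = MEDIA_ROOT) -> bool:
    """Audit helper: would a path taken verbatim from a request stay inside root?

    This is the check a processing step must perform if it ever uses a client-supplied
    name; False means "log and refuse", not "write anyway".
    """
    return is_inside(root, root / requested)


if __name__ == "__main__":
    print(storage_path("holiday photo.JPG"))
    print(check_requested_path("avatar.png"), check_requested_path("../../etc/crontab"))
```

The important design choice is that the containment check is the second line of defence, not the first: by generating the stored name server-side, a traversal string in the client file name has nothing to traverse with, and the path check then only has to catch configuration mistakes.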

Clive Robinson July 10, 2023 5:56 PM

@ ALL Linux users waiting on 6.5

“BCacheFS Won’t Be Merged For Linux 6.5”

This story has been going on for something like a decade now. But Linus has said NO yet again.

You can find out more at,

https://www.phoronix.com/news/Linux-6.5-Bcachefs-Unlikely

However there is good news for other file system related updates (see the bottom of the above linked page for links to them).

&ers July 10, 2023 5:59 PM

@ALL

hxxps://english.kyodonews.net/news/2023/07/3ec31b352357-japans-biggest-port-hit-by-suspected-cyberattack-operations-halted.html

Clive Robinson July 10, 2023 6:08 PM

@ Bruce, ALL,

Not sure if I should put this here, or on one of the rapidly multiplying AI ML LLM pages 😉

https://www.theregister.com/2023/07/10/in_brief_ai/

In short writers of books are suing via a class action.

Importantly it could get really nasty, because the books contain “Copyright control measures” that the AI’s are not producing as is required wherever you see something like,

(c) Clive Robinson 2023, All Rights Reserved…. etc.

Clive Robinson July 10, 2023 6:19 PM

@ ALL,

Speaking of AI and LLMs, we’ve all heard of the “Stochastic Parrot” paper and probably also what happened to one of its authors (who was not in a tenured University job).

Well be honest how many can even give the full title,

“On the Dangers of Stochastic Parrots: Can Language Models Be Too Big?”

Or have read its ten pages and four pages of something like 2^7 references?

Well you might be surprised if you have not[1]

Well you can get a copy via,

https://archive.org/details/stochastic-parrots-3442188.3445922

[1] It makes similar points to those I and others have made about it being as bad news as crypto-coins especially the resource consumption issues.

Clive Robinson July 10, 2023 6:40 PM

@ MarkH, Winter, ALL,

There is a prototype “grid storage battery” going to be trialed.

It’s big, it’s clunky, and even slow compared to other technologies.

But consisting of iron, water, and oxygen from air it’s not just fully recyclable it’s safer than a rusty nail. It also does not fuss unlike other technologies about being left fully charged for long periods of time.

So in many ways for “Grid Batteries” it’s a lot better than lithium and only costs about 10% of the price,

https://newatlas.com/energy/iron-air-grid-battery/

Oh and those with a DIY fetish, you can make your own batteries of this form…

MarkH July 10, 2023 10:25 PM

@Clive:

Thanks for the battery news! I’ve had high hopes for iron in power grid applications since I first read about flow batteries.

Li batteries are what we’ve for portable applications; they’re also a Pandora’s box of nasty flaws.

The linked article says the prototype will be next to a power station, which got me thinking: my local station has a few idle acres where the coal boilers used to be, and dozens of acres occupied by the now-useless railroad yard which fed those boilers, and surely more land than that for fly-ash basins.

Probably quite a lot of capacity could be installed using only land already dedicated to generating stations … and I know of no reason why such batteries couldn’t be stacked in multi-story buildings.

Clive Robinson July 11, 2023 1:22 AM

@ Bruce, and the usual suspects,

Re : “Your metal pal who’s fun to be with”[1] Estonian episode…

Autonomous military robots, look not so much like tanks that got put in the wrong wash cycle, but bath-tubs on six or eight wheels.

Obviously the “squatting posture” is because the bulk of them needs to be the not lightweight “power source” not just for the all terrain drive chain, but for the electronics that form its brain.

So they are certainly going to need more than a squaddie’s basic three chocolate bars and five oatmeal blocks a day as fuel, and put out way more heat than a 100W filament lightbulb (which is about what an average adult radiates).

So you might not want to stand close to one as it puts out tens of kW of IR signature for all the world and especially your enemy to see.

But just how much fun are they anyway?

In all the photos I’ve seen I’ve not seen anyone be in front of one of them “in action”. They are obviously not yet capable of being leaders, so I also suspect most near them wisely treat them as though they are a Tesla with a rapacious taste for cyclists, or a moving shield to hide behind.

Anyway all that aside there has recently been a series of European Trials with the major countries and some companies putting their “metal pals through their paces”,

https://newatlas.com/military/estonia-field-trials-autonomous-military-robots/

It will be interesting to see what the reports about capabilities in action say.

[1] Obviously more heavy weight than plastic…

https://www.goodreads.com/quotes/637924-the-encyclopedia-galactica-defines-a-robot-as-a-mechanical-apparatus

SpaceLifeForm July 11, 2023 1:29 AM

@ Clive

Re: Mastodon media bug

Well, it was fixed in 4.1.3, and I think there was a related problem fixed in 4.1.4, but on infosec.exchange, already upgraded. Other instances have upgraded also based upon the admins that I follow. (4.1.4 dropped quickly after 4.1.3 was rolled out last Thursday)

But, since then, I have seen some weirdness that I think is related to animated gif, so I have just disabled that in FF in about:config by setting image.animation_mode to none.

A problem I reported (vertical oscillation) was observed by someone else, so it was not just me imagining things.

I will see what happens.

Clive Robinson July 11, 2023 1:57 AM

@ MarkH,

“Probably quite a lot of capacity could be installed using only land already dedicated to generating stations”

Yes and my thought is “make the roof a solar collector”

Mind you the new efficiency figures for the silicon-perovskite tandem cells,

https://www.science.org/doi/10.1126/science.adg0091

show promise…

The real problem is getting the perovskite to be long-life in the average environmental conditions.

Clive Robinson July 11, 2023 2:16 AM

@ &ers, ALL,

Re : Japan supply chain attack.

The fact that Japan’s largest port for the last 20 years has been hit by Russian ransomware in a suspected cyberattack, bringing its operations to a grinding halt, is not good news.

The question of course is,

“Who is actually behind it?”[1]

Because it appears China is renewing its attacks on Japan again, and it is far from clear as to if this is driven by Taiwan, US, both, or other issues.

It’s not been helped that a US politico has just put their foot in it by effectively saying,

When we sanction you, it’s for national security. When you sanction us, that’s just spiteful

https://www.theregister.com/2023/07/10/yellen_china_us_decoupling/

And the fact Japan wants to start dumping at sea radioactive waste water from the Fukushima nuclear disaster later this year.

[1] Remember we talked on this blog about “false flag attacks” long before the CIA tools to do it came into the public eye. Which is why I’m always cautious about attribution.

Clive Robinson July 11, 2023 2:30 AM

@ SpaceLifeForm,

Re : CVE-2023-36460 and fixes.

“I will see what happens.”

It’s about all you can do, unless crossing fingers is effective 😉

But more seriously, it’s more an operator than a user issue thus mitigation / resolution has to be by them.

Which raises the point about “Decentralized v. Centralized” but still linked/integrated social media and who patches, when, and why… And what happens when a linked/integrated system to your system is not patched…

I’ve been thinking about it as a potential “attack vector” and I’m coming to the conclusion that linked social media systems are going to be the next in line for the likes of ransomware attackers.

JonKnowsNothing July 11, 2023 3:33 AM

@Clive, @ &ers, All

re:
Japan supply chain attack.

@C: And the fact Japan wants to start dumping at sea radioactive waste water from the Fukushima

It is not just China that is upset about the radioactive water that is going to be trickled into the Pacific Ocean over the next 30-40 years (1), nearly every neighboring country or country that fishes in the area or relies on the catch from the area is Not Best Pleased.

Including portions of the USA; ’cause someone noticed that the Pacific Ocean while vast, actually touches the entire western edges of the North and South American Continents. The USA has its own ocean aquaculture like salmon & oysters hanging in open sea corrals.

There are plenty of marketing problems already with “normal pollution”, adding radioactive water supply will not be a good consumer PR message. Perhaps the marketing people are betting on “you won’t have a choice”, which is partially true with other food commodities.

Per a MSM Report, dumping radioactive water waste into water systems is a common practice in the global nuclear power industry, it’s just not much advertised. Japan points out that “THOSE FOLKS are doing it so why not us?”

===

1) HAIL Warning from an MSM report of

  • The Rate of Discharge
  • The Duration of Discharge
  • That it is common practice by other nuclear reactor operations to dump excess radioactive waste into water systems
  • The discharge from Japan may already be active but not officially announced as started.

vas pup July 11, 2023 6:58 PM

Israeli cybersecurity startup comes out of stealth with $30 million in funding
https://www.timesofisrael.com/israeli-cybersecurity-startup-comes-out-of-stealth-with-30-million-in-funding/

“Israeli cybersecurity startup Savvy which came out of stealth mode announcing a funding round of $30 million has developed a workforce security automation platform for the safe adoption and use of software applications.

The Tel Aviv-based startup has secured $30 million in Series A funding, led by early-stage venture capital firm Canaan, along with the participation of other investors including Cyberstarts, a venture capital fund that invests in early-stage cyber security startups, and California-based Lightspeed Venture Partners. Cyberstarts led the startup’s initial seed funding round together with Lightspeed.

Savvy’s platform is embedded directly into user work environments to help businesses secure against threats and vulnerabilities as they rapidly adopt and use a multitude of Software as a Service, or SaaS apps to fulfill their work tasks. Common examples of SaaS apps, which allow users to connect to it over the Internet, usually with a web browser, are email, calendaring, and office tools such as Microsoft Office 365, Hotmail, Yahoo! Mail, Salesforce or ChatGPT.

Savvy’s platform discovers all the SaaS apps employees are using and monitors all action including app signup, generative AI queries, credentials submission, access to sensitive resources and data sharing to prevent potential “user-initiated” security incidents before they happen. Once problematic action is detected users are alerted to the security risk through popups. For example, for ChatGPT, Savvy can alert users through popups to turn off the chat history before submitting a prompt to prevent using proprietary information or sensitive data to train generative AI models.

=>“Companies can have the highest security budgets and the best systems in place, but if you’re not reaching the end user at the point of decision, then history will continue to repeat itself,” said Savvy CEO Guy Guzner. “Our platform helps SecOps [security operations] gain full visibility and control over all user SaaS touch points, including sensitive information sharing in generative AI apps, and our suggestive guidance system helps users understand the risks as they happen and why they shouldn’t bypass security in favor of productivity.”

Savvy’s security co-pilot is tailored to the needs of each organization or business, including customizable security automation playbooks that trigger automated responses of employee actions. The platform reports real-time actionable insights and metrics to security teams to help them identify high-risk areas and do employee risk profiling. It also recommends steps for risk mitigation and tracks improvement over time.

“The real-time nature of Savvy enables security teams to finally preempt employee-initiated events rather than just respond, which is… why we believe Savvy will lead the emergence of an entirely new category of browser and application security.”

Savvy says its platform is deployed by a number of Fortune 500 companies in the hospitality and consumer goods industries, and has a total of over 100,000 active users.”

Clive Robinson July 11, 2023 10:26 PM

@ Bruce, ALL,

Not sure how to best describe this new “Proof of Concept”(PoC) attack[1] on the AI Supply Chain[2],

https://www.theregister.com/2023/07/11/ai_models_supply_chain/

On the face of it, it’s nothing realy new, but that misses the real issue.

In essence the AI LLM model is designed to answer a specific question wrongly. That is over and above the “hallucination potential” most LLMs suffer from[3].

This can be a quite serious attack in the same way a “back-doored” or “deliberately broken” random number generator can be. Alternatively you can think of it as a weaponised “Digital Rights Management”(DRM) watermark method.

But those and other attacks aside, it’s not the attack as such that interests me, but the “generalised how it’s distributed” that makes it interesting to me. In essence it’s an old idea –typosquatting– we’ve seen before on multiple occasions, hence a,

“Poisoned New Wine in Old Bottles”.

What you really want to do is detect that the Old Bottles have been tampered with / reused, rather than open them and either taste the wine and potentially get poisoned, or do an extensive toxicological analysis for “known poisons”, that by definition will be “incomplete” thus not stop you getting poisoned.

So how to stop this?

Well step one, would be to realise that in practice, you can not trust code signing and equivalent. The “Walled Gardens” of Google and Apple have proved this. Likewise the number of faux site certificates from CA’s…

Secondly to realise that most attack deployment methods are actually “old and being reused”. That is they are loosely like biological clades, traceable back to centuries old actual physical crimes in many cases. Rather than as ICTsec currently prefers to do “hyperfocus” on minutiae of the payload that is new/unknown or contains new/unknown elements. Thus it suffers from the very problematic “unknown poison will get through the tox test” issue.

Step three could be to build up a Linnaean style taxonomy of attacks into “classes of attacks” and “instances of attacks” by abstracting out not methods as such but signatures of methods[4].

Step four would be developing “recognizers” that build method signatures into a “feeling / suspicion” that gives a probability that an attack is occurring. Call it a “Thinking Hinky Machine” if you like (not that it thinks etc).

Yes this sort of thing has been done before by AV companies, but they’ve never really scaled out from specific attack minutiae thus have “missed the forest because their nose is up against a tree”.

We really need to see a “tampered bottle” rather than “sip the wine” and wait to see if we’ve been poisoned.

In a way, and to a certain extent ironically, it’s a task for which AI LLMs are almost built for…

[1] It has been done as a “Proof of Concept”(PoC) to push the idea of the equivalent of a “Software BOM” but for AI, that of course they “have a solution for” which is their up and coming “AICert service” for cryptographically validating LLM provenance… Which of course will be a “chocolate teapot” in almost exactly the same way “Code Signing” is and “Software BOMs” are. But that’s a rather dull conversation we’ve had before so can be saved for another day, and honestly not of much interest to me (think dung heap in the far corner at the bottom of the farm yard, you know it stinks but it serves a purpose). It’s the attack and how it drops into already known distribution methods that interests me, and how the ICTsec people will almost certainly fail to be prepared (even though we’ve “seen it all before” with other attacks).

[2] Yes for those who blinked last week or the week before 😉 there is now a market in basic pre-trained LLMs you can acquire and then use as is or further fine tune. The fact that one market is called “Hugging Face” should creep more than one or two out (reminders of alien films and parasitic banks… There has to be a joke in there somewhere for the squid page 😉

[3] Conceptually it’s simple you just feed it fake-facts. But facts are usually not islands by themselves, they are like landmarks they exist in a context of other facts, which in turn are based on other facts. So you get a web of facts in which each fact is like a node. Just changing one node will stand out like a raised nail in a floorboard, so can be spotted fairly easily from the right view point.

[4] “John Hancocks” or personal signatures are all different, even ones you sign just moments apart. Identical signatures are effectively an indicator of either a fake by copying or your test system lacks sensitivity. So a signature is recognised by broad features rather than specifics. The human mind is actually quite good at this sort of “approximate pattern matching”, as evolutionarily rocketing up a tree for what might be a tiger hidden in a bush, though it has high costs, is less costly than being injured or eaten alive. You can also think of it as your brain locking onto a faint tune or melody from a radio in another room. Your brain matches to features, that in turn give a tempo, that in turn help pull out the melody and in turn the words you actually know, and it is recognised and in turn evokes an emotional response or memory. It’s why we can at a glance tell a leg from an arm even though the minutiae of the bone count and basic arrangement are the same (and why the bones of front “paws” of the likes of raccoons can be mistaken for the bones of a child’s hands).

Clive Robinson July 11, 2023 11:58 PM

@ ALL,

Over 200,000 top US IT sector job losses are apparently leading to significant stress (Hellon Rusk gets a dishonorable mention). Which in turn is leading from coffee-n-booze to stimulants and worse. According to a survey[1],

“In a survey of over 500 tech execs, nearly 80 percent of tech workers told researchers they were taking medications, either under a doctor’s supervision or otherwise. To perform better and cope with long work hours and high stress, 32 percent said they consumed controlled substances, and 45 percent said they used painkillers…

Thirty-four percent of tech executives used stimulants, including … the survey of 501 tech leaders found.”

A real nasty upper-n-downer merrygoround, and when the music stops…

But worse, what lunacy will occur by impaired reasoning whilst it’s still spinning?

The signs are all there that another Tech Bubble collapse is about to happen and go into recession. With people desperately trying to be “the last man standing”. Which will have quite significant financial market implications.

If as some economic forecasters have indicated recently the tech sector is the only economic buoyancy in the US then this does not bode well at all at the individual or national level.

[1] See,

https://www.theregister.com/2023/07/11/tech_execs_substance_abuse_survey/

lurker July 12, 2023 1:17 AM

@MarkH, Clive

ElReg’s Hofstadter article has an on point bootnote linking a Guardian piece that shows that using AI to detect AI cheating in TOEFL discriminates against non-native English speakers. I’ve been hammering this all along: Large whose-Language Model?

lurker July 12, 2023 1:30 AM

@Ted

robots.txt was a great idea in the days when the internet was inhabited by Gentlemen. But basically it is only a polite note to crawlers about which parts of your site you don’t want scraped, and I’m not aware of an RFC being upheld in court. So stronger measures are required at the network level for some offenders.

ResearcherZero July 12, 2023 6:12 AM

The ACCC is calling on consumers, businesses and interested stakeholders to provide submissions about data broker services in Australia, as part of its five-year digital platform services inquiry. This report is due to be provided to the Treasurer by 31 March 2024.

‘https://www.accc.gov.au/system/files/Digital%20platform%20services%20inquiry%20-%20March%202024%20report%20-%20Issues%20paper.pdf

“Data brokers’ practices are especially egregious because they circumvent the Fair Credit Report Act and value data without valuing the accuracy of that data.”
https://www.wired.com/story/fcra-letter-data-brokers-privacy-regulation/

‘https://epic.org/wp-content/uploads/2023/02/2023-02-08-Coalition-Letter-to-CFPB.pdf

Equifax, Experian and Illion have all been making losses

‘https://www.abc.net.au/news/programs/the-business/2023-07-11/data-brokers-under-financial-pressure/102589556

After industry terminated the IRSG (self-regulation) in September 2001, a series of public breaches – (ChoicePoint, LexisNexis…) – ultimately led to renewed scrutiny of the practices of data brokers.
https://www.ftc.gov/system/files/documents/reports/data-brokers-call-transparency-accountability-report-federal-trade-commission-may-2014/140527databrokerreport.pdf

ResearcherZero July 12, 2023 6:15 AM

“Based on the available information, we have medium to high confidence to conclude that this is a RomCom rebranded operation, or that one or more members of the RomCom threat group are behind this new campaign supporting a new threat group. Although we haven’t yet uncovered the initial infection vector, the threat actor likely relied on spear-phishing techniques, engaging their victims to click on a specially crafted replica of the Ukrainian World Congress website.”

“The malicious domain uses typosquatting techniques to masquerade the fake website with a .info suffix and make it look legitimate.”

‘https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit

MOVEit Transfer

‘https://www.bleepingcomputer.com/news/security/deutsche-bank-confirms-provider-breach-exposed-customer-data/

“Are you seriously not able to say how your parent company, which ultimately owns and controls you, is operated?”
https://www.abc.net.au/news/2023-07-11/tiktok-says-it-doesnt-know-if-its-headquarters-are-in-china/102589206
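Two passages above turn on the same distribution trick: Clive Robinson’s point that poisoned models ride on typosquatting (“poisoned new wine in old bottles”) and the BlackBerry quote about a typosquatted .info replica of a legitimate site. The following is an added example of the “check the bottle, not the wine” detection he argues for, applied to names rather than payloads. It is not code from the BlackBerry write-up, from Hugging Face, or from any registry; the trusted names, the candidate names and the confusable table are constructed placeholders, and domains are split at the last dot only (no public-suffix handling).

```python
"""Lookalike-name detection for package/model ids and domains. Added example, not
from any project named on this page. Names are normalised (lower case, common
confusable sequences folded), then compared with an allow-list: identical after
folding means confusable characters, same core with a different suffix means a
swapped TLD, and a small edit distance means a probable typo-squat."""
from typing import Dict, Iterable, List, Tuple

# Constructed allow-list: names the organisation actually trusts (placeholders).
TRUSTED = ["example-congress.org", "acme/text-classifier-base"]

# Sequences that read alike at a glance; longer keys are folded first.
CONFUSABLES: Dict[str, str] = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalize(name: str) -> str:
    """Fold case and confusables so 'exarnple' and 'Example' compare equal."""
    s = name.strip().lower()
    for src, dst in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        s = s.replace(src, dst)
    return s


def core_and_suffix(name: str) -> Tuple[str, str]:
    """Split 'label.tld' into (label, tld); hub ids 'namespace/model' are compared whole."""
    if "/" in name or "." not in name:
        return name, ""
    head, _, tld = name.rpartition(".")
    return head, tld


def osa_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment): insert, delete, substitute, adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def edit_threshold(length: int) -> int:
    """Short names get one edit of slack, longer ones two; tune for your allow-list."""
    return 1 if length < 8 else 2


def lookalike_findings(candidates: Iterable[str], trusted: List[str] = TRUSTED) -> List[Tuple[str, str, str]]:
    """Return (candidate, trusted name, reason) for every candidate that imitates a trusted name."""
    findings = []
    for cand in candidates:
        c_norm = normalize(cand)
        c_core, _ = core_and_suffix(c_norm)
        for t in trusted:
            if cand.strip().lower() == t.lower():
                continue  # exactly the trusted name: nothing to report
            t_norm = normalize(t)
            t_core, _ = core_and_suffix(t_norm)
            if c_norm == t_norm:
                reason = "confusable characters"
            elif c_core == t_core:
                reason = "same name under a different suffix"
            else:
                dist = osa_distance(c_core, t_core)
                if dist > edit_threshold(len(t_core)):
                    continue
                reason = f"{dist} edit(s) from a trusted name"
            findings.append((cand, t, reason))
    return findings


# Constructed candidates, e.g. names seen in a dependency manifest or a proxy log.
SAMPLE_CANDIDATES = [
    "example-congress.org",          # the genuine site: not reported
    "example-congress.info",         # same label, swapped TLD
    "exarnple-congress.org",         # 'rn' standing in for 'm'
    "acme/text-clasifier-base",      # one character dropped from a model id
    "acme/text-classifier-base-v2",  # too far from the original to be called a squat
    "unrelated.example",             # unrelated name
]

if __name__ == "__main__":
    for cand, trusted_name, reason in lookalike_findings(SAMPLE_CANDIDATES):
        print(f"{cand:32} imitates {trusted_name:28} ({reason})")
```

Run against a lock file, a model manifest or an outbound DNS log, the three reasons map onto the taxonomy idea in the same comment: each is a class of attack signature, while the specific name that triggered it is merely the instance.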

ResearcherZero July 12, 2023 6:20 AM

Buried deep in the 1000 pages of the robodebt report delivered by royal commissioner Catherine Holmes last week, we learn the story of how the AAT was rendered impotent as an effective guard on the rights of social welfare recipients.

‘https://www.msn.com/en-au/news/australia/morrison-was-not-alone-robodebt-was-aided-and-abetted-by-the-aat-being-gutted/ar-AA1dH4lv

class action

‘https://www.theguardian.com/australia-news/2023/jul/11/robodebt-class-action-law-firm-prepared-to-sue-for-alleged-misfeasance-in-public-office

Ted July 12, 2023 9:50 AM

@lurker

AI, bots, and web protocols

Yes, I don’t know how one could ‘enforce’ crawling/scraping directives.

I didn’t realize that Google had proposed the ‘Robots Exclusion Protocol’ as an official IETF standard – being published in September 2022 as RFC 9309 (a proposed standard).

Yes, I also see that complying with robots.txt is voluntary, and I’m reading that some bots actually search for that specific file to start doing their bot business there.

I’d love to watch the discussions on this. I hope it isn’t all hashed out via the ‘AI Web Publisher Controls’ mailing list. It’d be awesome if they set up a public Google groups forum too.
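Since the comment above raises RFC 9309 and the fact that honouring it is voluntary, the following added example shows the evaluation a compliant crawler performs, which is also what a site operator can use to audit what their own robots.txt actually exposes. It is not the RFC’s reference code nor any search engine’s parser; the robots.txt content, the host name and the bot names are constructed. It implements the RFC 9309 rules that matter most in practice: case-insensitive product-token matching with all matching groups merged, `*` as the fallback group, `*` wildcards and a trailing `$` anchor in patterns, longest-match wins, and a tie going to Allow. Paths are assumed to be passed in already percent-encoded as they appear in the URL.

```python
"""Evaluate robots.txt access rules per RFC 9309 (added example, not the RFC's
reference code). Nothing here enforces anything: it only answers "what does the
file say", which is all the protocol itself can do."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample robots.txt for the demo; the host name is a placeholder.
SAMPLE_ROBOTS_TXT = """\
# comments are ignored
User-agent: *
Disallow: /private/
Allow: /private/public-note.html
Disallow: /*.pdf$

User-agent: ExampleBot
User-agent: OtherBot
Disallow: /

User-agent: GoodBot
Disallow:
Sitemap: https://www.example.com/sitemap.xml
"""


@dataclass
class Group:
    agents: List[str] = field(default_factory=list)            # lower-cased product tokens
    rules: List[Tuple[str, str]] = field(default_factory=list)  # ("allow"|"disallow", pattern)


def parse_robots(text: str) -> List[Group]:
    """Split the file into groups: consecutive User-agent lines share one rule set."""
    groups: List[Group] = []
    current: Optional[Group] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        key = key.lower()
        if key == "user-agent":
            # A User-agent line after rules opens a new group; before any rules it joins the current one.
            if current is None or current.rules:
                current = Group()
                groups.append(current)
            current.agents.append(value.lower())
        elif key in ("allow", "disallow") and current is not None:
            current.rules.append((key, value))
        # Sitemap, Crawl-delay and unknown fields are not access rules and are skipped.
    return groups


def _pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """'*' matches any run of characters; a trailing '$' anchors to the end of the path."""
    anchored = pattern.endswith("$")
    body = pattern[:-1] if anchored else pattern
    regex = "^" + ".*".join(re.escape(piece) for piece in body.split("*"))
    return re.compile(regex + ("$" if anchored else ""))


def is_allowed(groups: List[Group], product_token: str, path: str) -> bool:
    """Decide whether a crawler with this product token may fetch this path."""
    token = product_token.lower()
    matching = [g for g in groups if token in g.agents]
    if not matching:
        matching = [g for g in groups if "*" in g.agents]
    best: Optional[Tuple[int, str]] = None  # (pattern length, verb) of the longest match so far
    for group in matching:
        for verb, pattern in group.rules:
            if not pattern:  # "Disallow:" with an empty value disallows nothing
                continue
            if _pattern_to_regex(pattern).match(path):
                length = len(pattern)
                if best is None or length > best[0] or (length == best[0] and verb == "allow"):
                    best = (length, verb)
    return best is None or best[1] == "allow"


def check(product_token: str, path: str, text: str = SAMPLE_ROBOTS_TXT) -> bool:
    """Convenience wrapper: parse the sample file and evaluate one request."""
    return is_allowed(parse_robots(text), product_token, path)


if __name__ == "__main__":
    for agent, path in [("AnyCrawler", "/private/public-note.html"),
                        ("AnyCrawler", "/docs/report.pdf"),
                        ("ExampleBot", "/index.html"),
                        ("GoodBot", "/private/secret.html")]:
        print(f"{agent:11} {path:28} -> {'allowed' if check(agent, path) else 'disallowed'}")
```

The point the wrapper makes concrete is the one in the comment: a crawler that never calls something like `is_allowed` is not violating any technical control, only a convention, which is why the stronger measures have to live at the network or application layer rather than in the file.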

JonKnowsNothing July 12, 2023 6:05 PM

@All

ARS is reporting on a massive tax data scandal where USA Tax Preparation Companies illegally divulged private tax information to Google, Meta and other firms.

There are mentions of a previous data harvest hacks and the unknown status of harvested data.

Pixel Tracking (old)

  • 2022 tax-filing websites had been sharing customers’ sensitive financial information with Meta….three tax-filing websites confirmed that they’d removed or disabled the Meta Pixel tracking tools that were gathering sensitive data.

Pixel Tracking (new)

  • there could be other pixels on tax-filing websites that companies may not be aware are currently gathering sensitive data. … H&R Block told lawmakers that it was “not aware” of other pixels used on their website—including one used by Google Analytics, which Google confirmed was installed on H&R Block’s website.

We Dunno Defense

  • tax prep companies to this day have not fully accounted for what data was collected and how it was used…. “Meta refused to respond” to their requests “on the final disposition of the shared data.” H&R Block apparently confirmed that they have “no idea what Meta does with the data.”

Linked to There is No Spoon Damage Clauses

  • Congress pointed out that normally, any user whose sensitive information was shared by a tax prep company would have the right “to bring a civil action for damages.” However, while these tax prep companies may not have done due diligence in researching the pixels they use, they did take the time to build into their user agreements a condition forcing users out of court and into private arbitration over such claims.

Theoretical Penalty (don’t hold your breath)

  • “any tax return preparer who ‘knowingly or recklessly discloses'” tax return information “is subject to a fine up to $1,000 per violation, and a prison term of up to one year.”

===

HAIL Warning

ht tps://arstechnica.c o m/tech-policy/2023/07/meta-wont-say-what-happened-to-taxpayer-data-it-may-have-illegally-collected/

(url fractured)
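The H&R Block line above (“not aware” of a Google Analytics pixel on its own site) is the failure mode a site owner can check for mechanically. The following added example, not code from Ars Technica, Meta, Google or any tax-preparation company, lists every third-party script, image or iframe a page loads, flags 1×1 images, and names the vendor when the host is on a small watch-list of well-known pixel hosts. The page URL, the HTML and the pixel identifiers are constructed placeholders.

```python
"""Inventory third-party resources in a page and flag known tracking-pixel hosts.
Added example; the HTML, the page URL and all ids are constructed."""
from html.parser import HTMLParser
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Watch-list: hosts well-known pixels load their script from or report events to.
WATCHLIST: Dict[str, List[str]] = {
    "Meta Pixel": ["connect.facebook.net", "www.facebook.com"],
    "Google Analytics / Tag Manager": ["www.google-analytics.com", "www.googletagmanager.com"],
}

SAMPLE_PAGE_URL = "https://tax-prep.example/file/return"   # constructed
SAMPLE_HTML = """<!doctype html>
<html><head>
<script src="/static/app.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=PLACEHOLDER-GA-ID"></script>
<script src="//connect.facebook.net/en_US/fbevents.js"></script>
</head><body>
<img src="/static/logo.png" alt="logo">
<noscript><img height="1" width="1" style="display:none"
  src="https://www.facebook.com/tr?id=PLACEHOLDER_PIXEL_ID&ev=PageView&noscript=1"></noscript>
<iframe src="https://tax-prep.example/help"></iframe>
</body></html>"""


class ResourceCollector(HTMLParser):
    """Collect every element that makes the browser fetch a URL."""

    def __init__(self) -> None:
        super().__init__()
        self.resources: List[Dict[str, object]] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        a = dict(attrs)
        url = a.get("src") if tag in ("script", "img", "iframe") else None
        if url:
            self.resources.append({
                "tag": tag,
                "url": url,
                # a 1x1 image is the classic shape of a tracking pixel
                "one_by_one": tag == "img" and a.get("width") == "1" and a.get("height") == "1",
            })


def third_party_resources(html: str, page_url: str, watchlist=WATCHLIST) -> List[Dict[str, object]]:
    """Return the resources that are fetched from a host other than the page's own."""
    origin = urlparse(page_url).hostname
    collector = ResourceCollector()
    collector.feed(html)
    findings = []
    for res in collector.resources:
        host = urlparse(str(res["url"])).hostname   # handles https://, http:// and scheme-relative //
        if host is None or host == origin:
            continue  # relative URL or same host: first party
        vendor: Optional[str] = next((name for name, hosts in watchlist.items() if host in hosts), None)
        findings.append({**res, "host": host, "vendor": vendor})
    return findings


if __name__ == "__main__":
    for f in third_party_resources(SAMPLE_HTML, SAMPLE_PAGE_URL):
        pixel = " (1x1 pixel)" if f["one_by_one"] else ""
        print(f"<{f['tag']}> {f['host']:28} vendor={f['vendor']}{pixel}")
```

A static scan like this only sees what is in the HTML as served; tags injected later by a tag manager need the same inventory taken from the browser’s network log. Anything on the third-party list that nobody in the organisation can account for is exactly the “we dunno” gap the article describes.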

Clive Robinson July 12, 2023 8:51 PM

@ MarkH, lurker, name.withheld…,

Re : Hofstadter article

Firstly, I know this sounds bad, but I’d kind of assumed he had died some years back…

The reason the book he is most famous for with “Nerds” was written oh back in the 1970’s, and I read it not much later. But the level of language in it suggested someone in the late middle ages[1] (a good fifty plus). Which would have made him a centenarian by now…

So yes it’s nice to find I’ve been wrong on my two assumptions 😉

But it also adds to @lurker’s observation about “AI to detect AI cheating”.

I’m not a centenarian by quite some way, but even with my bad spelling and worse abuse of punctuation I’ve been accused of “sounding older” for much of my life even when still in pre-adolescence[2].

[1] Without wishing to appear to be unkind, I’ve noted over the years that all of the people I know who are Jewish generally have a greater command of English and reasoning in it than many other speakers of English. Which makes them appear a decade or two older than they actually are, which can be a bit of a shock when you meet them face to face after reading their written words.

[2] You might think that is a plus, but “socially” it’s a disaster. As I’ve mentioned before, you get yourself a girlfriend and get invited “to meet the parents” who you get on with really well and get “the nod of approval”. She however sees it differently, kind of “OMG he ‘sounds like / gets on with’ my parents”… And shortly thereafter you start looking for a new girlfriend… As the one you thought you had, well she now looks at you like you’ve two heads or the plague or some such. It does not matter how well educated or successful they are. One such had a PhD and was head of a research Dept with something like 50 people working for her… We went to her parents for Xmas… First thing, on crossing the threshold she became different, more “Teeny”, the “power dressing” vanished, the hair dropped and PJ’s and a pink dressing gown with a “patch bunny” on the pocket became the new apparel and yes fluffy slippers… Definitely a “Who are you? Who’s bodyswapped my girlfriend?” moment… But as a dress style it kind of clashes with dark blue regimental blazer, club tie, shirt, grey slacks and brown brogues / deck shoes which was my normal “Smart casual” look for social activities[3]…

[3] Spend your week in uniform or researcher / engineer workshop attire of 100% cotton lab coat, plaid shirt and denims/jeans and leather dealer boots as it’s all naturally flame retardant, flash proof and does not melt to you (also stops “smell of fear but that’s for another story as are the “running shoes”[4]). You might realise why my social attire was “Sailing/Shooting/Rugby Club” attire as that’s the sort of place I socialised in after “playing hard” to burn off the “fight or flight” fright hormones, and get a little Highland Anesthesia from a fine single malt.

[4] A decent pair of leather running shoes with steel toe caps are an essential item of personal equipment in some of the “labs” I’ve worked in. Enabling the most rapid of egress even through A60 fire or blast doors, to avoid the near “Terminal velocity” of lab equipment chasing you ballistically with more than sufficient kinetic potential to ruin your week. I suspect @name.withheld… knows the sort of work place I’m talking of.

Clive Robinson July 12, 2023 10:08 PM

@ JonKnowsNothing, ALL,

Re : It was suspect from the get go.

“ARS is reporting on a massive tax data scandal where USA Tax Preparation Companies illegally divulged private tax information to Google, Meta and other firms.”

Think back to when this all started and how the “Tax Preparation Companies” fought tooth and claw to force only their online systems to be available.

How they hid to the point of making it impossible for people to “file through” without paying ridiculous fees.

And so on. It was obvious these “Tax Preparation Companies” were shall we say a bunch of shysters to a level of deception / dishonesty that would be considered fraud/theft by a reasonable person with the facts at their fingertips.

So yes I can see them selling not just to the obvious crooks. But what about the less obvious ones like Palantir?

ResearcherZero July 13, 2023 3:06 AM

China-based hackers have breached email accounts at two-dozen organizations, including some United States government agencies, in an apparent spying campaign aimed at acquiring sensitive information. The federal agency where the Chinese hackers were first detected was the State Department. The Department of Commerce, which has sanctioned Chinese telecom firms, was also breached. The hackers targeted email accounts at the House of Representatives, but it was unclear who was targeted and if the breach attempts were successful.

Also targeted were the email accounts of a congressional staffer, a U.S. human rights advocate and U.S. think tanks.

‘https://edition.cnn.com/2023/07/12/politics/china-based-hackers-us-government-email-intl-hnk/index.html

” Storm-0558 gained access to email accounts affecting approximately 25 organizations including government agencies as well as related consumer accounts of individuals likely associated with these organizations. They did this by using forged authentication tokens to access user email using an acquired Microsoft account (MSA) consumer signing key. ”

‘https://msrc.microsoft.com/blog/2023/07/microsoft-mitigates-china-based-threat-actor-storm-0558-targeting-of-customer-email/

Global USB espionage campaign

“This is the most prevalent USB-based cyber espionage attack using USB flash drives and one of the most aggressive cyber espionage campaigns targeting both public and private sector organizations globally across industry verticals. It uses USB flash drives to load the SOGU malware to steal sensitive information from a host.”

Mandiant attributes this campaign to TEMP.Hex, a China-linked cyber espionage actor. Mandiant’s investigation and research identified local print shops and hotels as potential hotspots for infection.

‘https://www.mandiant.com/resources/blog/infected-usb-steal-secrets

Diplomats Beware:

“We observed Cloaked Ursa targeting at least 22 of over 80 foreign missions located in Kyiv. While we don’t have details on their infection success rate, this is a truly astonishing number for a clandestine operation conducted by an advanced persistent threat (APT) that the United States and the United Kingdom publicly attribute to Russia’s Foreign Intelligence Service (SVR).”

These unconventional lures are designed to entice the recipient to open an attachment based on their own needs and wants instead of as part of their routine duties.

The lures themselves are broadly applicable across the diplomatic community and thus are able to be sent and forwarded to a greater number of targets. They’re also more likely to be forwarded to others inside of an organization as well as within the diplomatic community. …attackers likely also used other collected intelligence to generate their victim target list, to ensure they were able to maximize their access to desired networks.

‘https://unit42.paloaltonetworks.com/cloaked-ursa-phishing/

CVE-2023-36884

Office and Windows HTML Remote Code Execution Vulnerability

An attacker could create a specially crafted Microsoft Office document that enables them to perform remote code execution in the context of the victim.

…trojanized software include Adobe products, Advanced IP Scanner, Solarwinds Network Performance Monitor, Solarwinds Orion, KeePass, and Signal.

‘https://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0978-attacks-reveal-financial-and-espionage-motives/

Malware that abuses Office as a vector often runs VBA macros and exploit code to download and attempt to run more payloads.

‘https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-all-office-applications-from-creating-child-processes

‘https://www.zscaler.com/blogs/security-research/technical-analysis-industrial-spy-ransomware
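The Microsoft advisory quoted above describes tokens forged with a consumer (MSA) signing key being accepted for other accounts. The following is an added example, not code from the original post or from Microsoft, showing the defender-side check that closes that gap: a verifier must not only check the signature against a known key, it must also check that the key is allowed to sign for the issuer and audience the token claims. It uses HMAC-SHA256 in place of the RSA keys used in production, and the key ids, issuer URLs and secrets are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# Constructed key registry (assumption, not Microsoft's): every signing key is
# pinned to the single issuer it is allowed to sign tokens for.
KEYS = {
    "consumer-key-1": {"secret": b"demo-consumer-secret", "issuer": "https://consumer.example/"},
    "enterprise-key-1": {"secret": b"demo-enterprise-secret", "issuer": "https://enterprise.example/"},
}

def sign_token(claims: dict, kid: str) -> str:
    """Mint a compact JWS (HS256 stands in for RS256) with the named key."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(KEYS[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_signature_only(token: str) -> Optional[dict]:
    """Lax verifier: accepts any token whose signature checks out under ANY known key.
    This is the behaviour that lets a consumer key sign for an enterprise tenant."""
    h, p, s = token.split(".")
    header = json.loads(_b64url_decode(h))
    key = KEYS.get(header.get("kid"))
    if key is None:
        return None
    expected = hmac.new(key["secret"], f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    return json.loads(_b64url_decode(p))

def verify_strict(token: str, expected_aud: str, trusted_issuer: str) -> Optional[dict]:
    """Strict verifier: valid signature AND the key is bound to the token's issuer
    AND issuer/audience are the ones this service trusts."""
    claims = verify_signature_only(token)
    if claims is None:
        return None
    kid = json.loads(_b64url_decode(token.split(".")[0]))["kid"]
    if KEYS[kid]["issuer"] != claims.get("iss"):
        return None  # key used outside its trust domain: reject
    if claims.get("iss") != trusted_issuer or claims.get("aud") != expected_aud:
        return None
    return claims

# Constructed scenario: an attacker holding the consumer key mints a token that
# claims to come from the enterprise issuer for the enterprise mail service.
ENTERPRISE_ISS = "https://enterprise.example/"
MAIL_AUD = "mail.enterprise.example"

def forged_token() -> str:
    return sign_token({"iss": ENTERPRISE_ISS, "aud": MAIL_AUD, "sub": "victim"}, "consumer-key-1")

def legitimate_token() -> str:
    return sign_token({"iss": ENTERPRISE_ISS, "aud": MAIL_AUD, "sub": "employee"}, "enterprise-key-1")

if __name__ == "__main__":
    print("lax accepts forged token:", verify_signature_only(forged_token()) is not None)
    print("strict accepts forged token:", verify_strict(forged_token(), MAIL_AUD, ENTERPRISE_ISS) is not None)
    print("strict accepts legitimate token:", verify_strict(legitimate_token(), MAIL_AUD, ENTERPRISE_ISS) is not None)
```

The point for a detection or design review is the second check in `verify_strict`: key validity and key authority are separate questions, and a key set that mixes trust domains must carry the issuer binding alongside the key material.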

ResearcherZero July 13, 2023 3:08 AM

CVE-2023-33308

Fortinet has released a security update to address a critical vulnerability affecting FortiOS and FortiProxy. A remote attacker can exploit this vulnerability to take control of an affected system.

‘https://www.cisa.gov/news-events/alerts/2023/07/11/fortinet-releases-security-update-fortios-and-fortiproxy

If admins are unable to apply the new firmware immediately, you can disable HTTP/2 support on SSL inspection profiles used by proxy policies or firewall policies with proxy mode as a workaround.

‘http://www.fortiguard.com/psirt/FG-IR-23-183

15 security vulnerabilities

“four (4) vulnerabilities with a CVSSv3 rating of CRITICAL, that allows an attacker to bypass authentication and could potentially result in exposure of sensitive information to an unauthorized actor.”

“SonicWall PSIRT strongly suggests that organizations using the GMS/Analytics On-Prem version outlined below should upgrade to the respective patched version immediately.”

‘https://www.sonicwall.com/support/knowledge-base/urgent-security-notice-sonicwall-gms-analytics-impacted-by-suite-of-vulnerabilities/230710150218060/

ResearcherZero July 13, 2023 3:13 AM

Need lead?

“Legacy lead-sheathed telecom cables were deployed in the nation’s telecommunications infrastructure, and placement of these cables then began to get phased out in the 1950s, after the development of a new type of sheathing.”

An investigation has revealed that more than 2,000 lead-covered cables left behind by telecommunication companies could be the source of soil contamination as they degrade underwater and overhead.

‘https://www.businessinsider.com/att-verizon-abandoned-phone-cables-cause-soil-contamination-wsj-investigation-2023-7

GregW July 13, 2023 7:33 AM

Clive has long warned digital certificate signed binaries were not a particularly good security measure and anyone attentive has seen this play out in various ways over the years.

Here’s a new low though, 133 Microsoft-signed drivers crawling with malware flowing through autoupdate with no prompting:

ht tps://www.msn.com/en-us/news/technology/133-windows-drivers-with-valid-microsoft-signatures-found-crawling-with-malware/ar-AA1dMc2B?cvid=54d7b470434c414c9732b9652cff9b7d&ei=49

SpaceLifeForm July 13, 2023 2:27 PM

Big Bang is Illusion

‘https://phys.org/news/2023-07-age-universe-billion-years-previously.amp

26.7 vs 13.7 billion years

Note that Tired Light is mentioned.

lurker July 13, 2023 4:42 PM

@ResearcherZero, All

re Chinese access to US Govt email.
I couldn’t determine from those linked articles if this was old fashioned key theft, or the new nO-AUTH problem. I still don’t understand how OAUTH fixes the problem its authors thought needed fixing. If the best the US Govt and MS can do between them is to leave their letterboxes unlocked in public, we’d better learn to eat with chopsticks.

Clive Robinson July 14, 2023 1:01 AM

@ lurker, ALL,

Re : Not the “published” purpose.

” I still don’t understand how OAUTH fixes the problem its authors thought needed fixing.”

You are certainly not the only one to think this.

Which is maybe why others see darker reasons behind it…

Thus the OAUTH argument of,

“It allows users to share information with services without sharing their passwords”

Gets the obvious “it gives big data a primary key to the user” with the implication it gives the Silicon Valley Mega-Corps the ability to “better package you” to get a higher price for you from data brokers.

I can not say if Facebook, Twitter, et al, make more money off of you as a product, but it does make linking your activities by all the services you use it on and even your ISP that much easier…

The security advice is,

“Segregate, segregate, segregate”

But the Data Marketers desire is for you to,

“Aggregate, aggregate, aggregate.”

Which do you think OAUTH best serves?

Remember MS loves “Single Sign On”(SSO) systems and effectively stole Kerberos, by embrace and extend into “AD” and that has had some interesting security problems in organisations using it…

(In the interests of full disclosure even before OAUTH back in the early days of Kerberos I was against the notion of “Single Sign On”(SSO) systems outside of a “shared knowledge of users organisation” like a business or university. I’ve yet to see a benefit above real risk for users of such sharing systems outside of the confines of an organisation’s security perimeter. So I’m still opposed.)

&ers July 14, 2023 11:10 AM

From a security / privacy point of view robots.txt is just a disaster. This leaks to us, the humans, where the juiciest data is that a company doesn’t want to make public. Red teamers usually start from the robots.txt file; this gives a nice overview of where it is worth starting to dig.
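The leak &ers describes is easy to audit on one’s own site. The following is an added example, not code from the original comment: a small robots.txt parser (user-agent groups, Allow/Disallow, comments) plus a self-audit that flags Disallow paths whose names suggest they are being hidden rather than simply de-indexed. Such paths should be protected by authentication or removed, since robots.txt is public by design. The sample file and the keyword list are constructed for the example.

```python
from typing import List, Tuple

# Constructed hints: path fragments that suggest content meant to be secret,
# which robots.txt cannot protect (assumption; tune for your own site).
SENSITIVE_HINTS = ("admin", "backup", "private", "internal", "config",
                   "staging", ".git", "dump", "secret", "old")

def parse_robots(text: str) -> List[Tuple[List[str], List[Tuple[str, str]]]]:
    """Return [(user_agents, [(directive, path), ...]), ...] groups.
    Consecutive User-agent lines share one group; a User-agent line after
    rules starts a new group. Comments (#) and blank lines are ignored."""
    groups = []
    agents: List[str] = []
    rules: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            if rules:  # previous group is complete, start a new one
                groups.append((agents, rules))
                agents, rules = [], []
            agents.append(value)
        elif field in ("disallow", "allow"):
            rules.append((field, value))
    if agents or rules:
        groups.append((agents, rules))
    return groups

def disallowed_paths(text: str) -> List[str]:
    """Every path the file publicly announces as off-limits, deduplicated in order."""
    seen, out = set(), []
    for _, rules in parse_robots(text):
        for directive, path in rules:
            if directive == "disallow" and path and path not in seen:
                seen.add(path)
                out.append(path)
    return out

def audit_robots(text: str) -> List[str]:
    """Disallow paths that look like they are hiding sensitive content."""
    return [p for p in disallowed_paths(text)
            if any(h in p.lower() for h in SENSITIVE_HINTS)]

# Constructed sample robots.txt for the demonstration.
SAMPLE = """\
# site-wide rules
User-agent: *
Disallow: /search
Disallow: /cgi-bin/
Disallow: /admin/
Disallow: /backup-2022/   # old dump, not linked anywhere
Allow: /admin/login

User-agent: Googlebot
User-agent: Bingbot
Disallow: /internal-reports/
Disallow:
"""

if __name__ == "__main__":
    for agents, rules in parse_robots(SAMPLE):
        print(agents, rules)
    print("announced paths:", disallowed_paths(SAMPLE))
    print("needs real access control:", audit_robots(SAMPLE))
```

The audit is the defender’s half of the picture: anything it flags is a path that is already published to the world, so the fix is access control on the path itself, never a longer robots.txt.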

Clive Robinson July 14, 2023 11:54 AM

@ Bruce, SpaceLifeForm, ALL,

Re : Financial Markets and Radio Spectrum, high security risk.

It’s been mentioned on this blog before, that low bandwidth data systems had been used to send crypto-coin trading around the world. And… That the data mode used JS8call was the equivalent of a “Low Probability of Intercept”(LPI) system used for military and spy communications since the 1960’s.

Thus can be used to easily evade regulatory control, importantly modern tech has made “in your pocket” HF radios easily accessible and EF Antennas can be “hanked/coiled” to fit in another pocket, with a smart phone or smart device running Android based software to provide encryption and modulation of messages without needing to be connected to data networks. So you can just as spies used to do take a walk into the country side, throw the antenna over a tree and be up and running to receive a signal from hundreds or thousands of miles of communications in five minutes. Then send back for maybe two to five 10sec data bursts and have everything back in your pocket and be on your way in well less time than it would take for a quick smoke break.

At the time I pointed out this was “low risk” for everyday data transactions as the available data bandwidth would reduce the transaction rate to less than one every five minutes for “maximum stealth” so was not viable for ordinary users (but not criminals and worse for who it is viable).

However there is another use for HF encrypted data comms and financial transactions, and that is “High Frequency Trading”(HFT). It can shave tens of milliseconds off of the time to make a share trade, it can be worth tens of millions of dollars / day in profits. As I’ve noted in the past and just the other day some High Frequency Traders had built tunnels to send signals directly through mountains rather than use data repeaters to get around them.

But also HFTs have been “experimentally” carried out using medium power (5kW) HF Encrypted Data links around the UK and Europe for the past half decade. Crossing National borders without control and also evading any taxes etc…

Well it appears that some “financial Service Companies” want to bring High Power trading to the US and rest of the world non-experimentally. Which is quite a Security threat in many ways.

They have applied to the FCC to change the “Part 90 Rules” and want to use continent to continent globe spanning powers wherever they can find a hole in the HF Radio Spectrum (with a much upgraded version of “Automatic Link Establishment”(ALE)). That is it will have continuous operation even during transmission, jam resistant frequency agile capabilities and higher bandwidth fast data comms and MIMO capabilities. Which will make it impervious to all but highly specialised jamming and direction finding equipment. Which is way more advanced than current military and diplomatic wireless systems. But will have a user interface that would be easier to use than many current mobile phone “message apps” in that you just press the send button…

Anyway as the changes will impact non commercial users significantly, it’s been picked up by the Amateur Radio (Ham Radio) community. One of which can be viewed,

https://m.youtube.com/watch?v=qzFBUGuBFJM&pp

Personally I think they are getting it wrong about who is behind the proposal. That is it’s not Crypto-Coin but HFTs applying.

But the changes are sufficient to allow the proposed systems for very high security highly mobile communications so would be very very attractive to all sorts for activities where assured E2EE above military level security is desirable not just billion dollar profit HFTs. And obviously includes “Serious Organised Crime Syndicates”(SOCS) who have previously used the likes of EncroChat and similar, but were caught or stymied due to the fact they had to use comms links that can be easily controlled by non expert Law Enforcement Organisations.
