Comments

lurker August 4, 2023 5:43 PM

@Bruce

From the linked article

Squid oil refers to purified, winterized, and deodorized fatty oil obtained from the body of the squid.

But

The squid oil market consists of sales of fish oil and krill oil, d-alpha tocopherol (vitamin E soy), and rosemary extract.

and

in January 2022, Jinka, a US-based seafood producer, launched the world’s first fully prepared plant-based calamari

The squid is indeed a fish of many colours.

RobertT August 4, 2023 8:38 PM

Clearly seeing faults where others see just a fantastic new technology is the domain of the elderly, it’s sort of the stage we reach before we depart this life. I’m certain I have become cynical with age but who isn’t at least somewhat reticent when presented with the absolutely fabulous benefits of new technology.

As a youngster I spent some time in the islands and met my fair share of cargo-cult worshipers (including some who worshipped Prince Philip). These were not stupid people they were just average people who shared some somewhat bizarre beliefs. If you wanted to fit in you quickly learned to ignore their eccentricities and just accept them. Trouble was deep down they knew that you didn’t share their beliefs…

Today I find myself at the same junction. I look at our modern world and see nothing but a cargo-cult. We worship at the altars of Amazon and Alibaba, with little or no concept of how real things are actually made, it’s all magic. Production is magic, Sales is magic, Delivery is magic…stuff just appears on my doorstep if and only if I pray at these same altars. It’s weird it’s like revisiting my youth but only being able to see the world through jaded eyes.

Today it seems that the whole world has gone quantum crazy, it’s obvious that 9 out of 10 people don’t have the foggiest idea of why/how quantum processes / algorithms function but that doesn’t mean they keep their mouths shut, matter of fact there is zero correlation between real knowhow and how loudly their gums flap. As I said for me it’s all like revisiting the cargo cults…you want to get along but how can you when the very foundation of their belief is some form of craziness?

The real laugh comes when they want your opinion on whether this or that system is secure.

Jon August 5, 2023 9:22 AM

Was the Squid Oil Global Market Report written by AI? So much useless, trivial and barely related info. Chunks of copy/paste boilerplate.

Why are Rosemary Oil sales lumped in with squid extracts? This is likely mainly trying to describe the market for Vitamin-E oils.

And just how does one Winterize Squid oil?

People are eating more seafood, so sales of squid oil will be rising. Really?

Also, no detail on the non-food and industrial uses of squid oil.

My questions can all be answered (I’m certain) for the extremely modest cost of only four thousand dollars. https://www.reportlinker.com/p06479991/Squid-Oil-Global-Market-Report.html?utm_source=GNW

If nothing else, this reinforces my intention to stay well away from ‘nutritional supplements’ and their ilk.

Clive Robinson August 5, 2023 11:08 AM

@ RobertT,

“Clearly seeing faults where others see just a fantastic new technology is the domain of the elderly,”

Or perhaps “The more worldly wise” who have learned to recognise the oft centuries-old behaviours of what we call “Confidence Tricksters” or as some call themselves more recently “Venture Capitalists”.

“Today it seems that the whole world has gone quantum crazy, it’s obvious that 9 out of 10 people don’t have the foggiest idea of why/how quantum processes / algorithms function but that doesn’t mean they keep their mouths shut, matter of fact there is zero correlation between real knowhow and how loudly their gums flap.”

Such are the joys of apparent magic. As Arthur C. Clarke is said to have observed,

“Any sufficiently advanced technology is indistinguishable from magic.”

Is actually more subtle than many realise, because it defines two subsets of people,

1, Those who understand the technology and work with it.
2, Those who do not understand the technology and are dazzled by it.

I suspect very few understand quantum technology, in fact there is an insiders joke about many people who practice in the field.

Where it is observed they are part of the,

“Shut up and calculate” (SUAC)[1]

Club or “card carrying” Union.

But as far as Information Security goes there are three areas it covers currently,

1, Quantum Key Distribution (QKD)
2, Quantum Computing (QC)
3, Quantum Systems

A few years back all the noise was about QKD that started with the BB84 paper and physical hardware as a proof of concept.

Those early systems had so many holes in them that it got to the point it was embarrassing to shoot another one in, it was just not sporting. That’s not to say that the QKD idea is flawed, it’s not, it was a quarter century ahead of what technology could support, thus it was the support technology that was failing. However being a creature of physics it is also a slave to physics and the limitations it imposes, the most severe of which is the inverse relationship between speed and distance that brings a range limit on the technology.

An interesting area arising out of the technical developments that QKD helped push forward is things that get lumped under Quantum Systems. It’s an interesting area but we don’t get to hear very much about it. One proponent indicated that what could be done with electrical and mechanical systems could be done with quantum systems more effectively, reliably and robustly. People tend to get things muddled with nano machines and “Micro Electro Mechanical Systems”(MEMS) devices that have made very rapid advancements to smart devices as micro miniature sensors which though small are not quantum devices.

But the real noise and confusion is over a suggestion made by Richard Feynman in 1982, and given theoretical flesh by David Deutsch in 1985 we call “Quantum Computing”.

Quantum Computing mostly started off with the likes of Feynman’s CNOT and Tommaso Toffoli’s and Edward Fredkin’s gates and similar based on Charles Bennett’s demonstration of the reversibility of classical computation. As such QC did not really attract that much attention though. That is until 1994, when Peter Shor chucked the proverbial match in the firework box with his factoring algorithm.

That’s when its ICTsec implications became obvious to a few[2], the fast factoring of composite numbers would throw a large rusty bolt in the gear box of the nascent engine of E-Commerce. Very shortly thereafter the US Government through NIST organized their first workshop on quantum computing (with the obligatory help from the NSA).

Since then Quantum Computing has been seen much like AI in that,

“It will be with us in a decade”

Well here we are thirty years later and both QC and AI still appear to be a decade away.

Though my viewpoint is that QC will happen before Artificial Intelligence but a decade is somewhat optimistic.

Others think even five decades is probably optimistic

But the NSA through NIST has decided that we need to act and act now… hence the world and his dog has become “Post Quantum Computing” experts, in the same way as Fox News Talking Heads are experts on politics…

Back in the 1980’s a TV Script Writer wrote a Radio Script that got broadcast at some very odd time of day on BBC Radio 4. It strangely gathered a following. In it appears the largest computer in the universe to calculate “The Answer” which as we all now know is 42. However the really funny side of “Deep Thought” was how it solved the problem of what to do whilst the next largest computer looked not for “The Answer” but “The Question”. It advised “talking head behaviour, with much in the way of mud slinging arguments”. Whilst we’ve not seen it quite that bad with QC we have however seen the “Sharks” that Venture Capitalists and the like are, have been circling looking for blood in the water to start a feeding frenzy… It appears they have been momentarily distracted by the vast riches to be made in selling AI Start Ups pushing LLM systems with eye wateringly expensive but available technology.

And I suspect what is holding back a QC frenzy is the lack of available hardware.

But few ask the obvious question,

“Why all the theory but no hardware?”

Well, I suspect you are more than aware of it.

A conventional bit of data has two discrete states that represent zero or one.

A Quantum Bit or Q-Bit is not discrete but continuous thus in theory has an above measurable range of values it can represent as a complex number. Most engineers that have built hardware the hard way know there are various problems with not just measurements but power supplies. As far as I can tell currently we can not have more than about 1:1000 levels for the real and imaginary parts of the complex number…

Which is why I suspect useful QC is longer away than you or I are ever going to see.

However the fear of large composite factorisation should keep the money tap on for a decade or so more…

And solving the Post-QC problems that are not likely to happen should keep many “well tenured” for a half century or more.

But hey what do I know 😉

[1] It’s been attributed to a few people over the years,

https://quantumformalism.substack.com/p/shut-up-and-calculate

[2] The big problem with cryptography has always been “Secure key distribution”. At the very least cryptography needs a “shared secret” to become a “root of trust” upon which all else is built, establishing it between individuals had always involved a “secure channel” which implied a “face to face” meeting to exchange the “root of trust”. Then in the 1970’s it was realised that the use of “One Way Functions”(OWFs) with “Trapdoor functions” could be used. One of which is the idea of multiplying two large Prime Numbers which is trivial in comparison to factoring them back out of the composite.
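
The trapdoor asymmetry footnote [2] describes, as an added worked example that is not part of the comment above: textbook RSA built from two deliberately tiny primes (104729 and 1299709, chosen so the attacker’s side finishes instantly), a legitimate encrypt/decrypt round trip, and then the attacker’s only route to the private key, which is factoring n back into p and q. The `steps` counter is just the number of trial divisions the toy attacker performs; it stands in for the factoring work that Shor’s algorithm is claimed to collapse. No padding, no real key sizes, not a usable RSA implementation.

```python
"""Added example (not from the page): why multiply-two-primes is a trapdoor.
Key generation costs one multiplication; recovering the private key from the
public key costs a factorisation.  Toy primes keep the 'attack' instant."""
import math

# Constructed toy primes.  Real RSA uses primes of ~1024 bits or more.
P_TOY = 104729      # the 10,000th prime
Q_TOY = 1299709     # the 100,000th prime


def keygen(p: int, q: int, e: int = 65537):
    """Build (public, private) keys from primes p and q.
    The forward direction is one multiplication plus a modular inverse."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)          # modular inverse, Python 3.8+
    return (n, e), (n, d)


def encrypt(pub, m: int) -> int:
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be smaller than n")
    return pow(m, e, n)


def decrypt(priv, c: int) -> int:
    n, d = priv
    return pow(c, d, n)


def factor_trial(n: int):
    """Attacker's work: the simplest factoring method, trial division.
    Returns (p, q, steps) where steps counts the divisions attempted.
    Cost grows with sqrt(n), i.e. exponentially in the bit length."""
    steps = 1
    if n % 2 == 0:
        return 2, n // 2, steps
    d = 3
    while d * d <= n:
        steps += 1
        if n % d == 0:
            return d, n // d, steps
        d += 2
    raise ValueError("n is prime or 1")


def recover_private_key(pub):
    """With only (n, e) the attacker must factor n to get phi(n) and hence d.
    Returns the recovered private key and how many trial divisions it took."""
    n, e = pub
    p, q, steps = factor_trial(n)
    return (n, pow(e, -1, (p - 1) * (q - 1))), steps


if __name__ == "__main__":
    pub, priv = keygen(P_TOY, Q_TOY)
    c = encrypt(pub, 42)
    print("round trip ok:", decrypt(priv, c) == 42)
    recovered, steps = recover_private_key(pub)
    print("private key recovered:", recovered == priv, "after", steps, "divisions")
    print("bits in n:", pub[0].bit_length())
```

Doubling the bit length of the primes roughly squares the number of trial divisions the attacker needs while leaving the defender’s single multiplication essentially unchanged; that gap, not any secrecy in the algorithm, is the whole of the “trapdoor”.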

Winter August 5, 2023 12:51 PM

@RobertT

Today it seems that the whole world has gone quantum crazy, it’s obvious that 9 out of 10 people don’t have the foggiest idea of why/how quantum processes / algorithms function

I think you are overly optimistic here. I think 1 out of 1000 might be more in the right ballpark. And even that seems optimistic to me.

Clive Robinson August 5, 2023 5:15 PM

@ Jon, ALL,

“And just how does one Winterize Squid oil?”

Simple answer is cool it off and filter out the results.

Winterizing is a dewaxing process that a lot of people actually do in their kitchen without realising there is a “scientific term” for it.

Put simply due to different phase state change temperatures lipids of all forms have changing mechanical properties at different temperatures, that allow simple mechanical processes to separate them.

In the kitchen gravy left to cool in a glass dish undergoes stratification that you can see. If you use that cooling temperature grade stratification to make mechanical separation easy then you’ve basically done a “winterisation de-waxing” process.

But as for your first question,

“Was the Squid Oil Global Market Report written by AI? So much useless, trivial and barely related info. Chunks of copy/paste boilerplate.”

Contrary to the old joke about it needing a computer to “really f-up” if it was AI you would expect a smoother more polished result…

So I suspect it was produced by a “ten cents per word turk” that has become a fashionable way for certain “News Organisations” to fill web pages. I don’t know who started the modern variant, but I do know Rupert “the bear faced liar” Murdoch of “News International infamy” was so badly obvious about it quite a few blame him for it.

There used to be a song,

“Mammas, Don’t Let Your Babies Grow Up To Be Cowboys”

That in the 1970’s described the death of not just a job but lifestyle as well… Well today’s version would swap “Journalists” for “Cowboys” and a few other words, but would say much the same…

RobertT August 5, 2023 5:19 PM

@CliveR
lots of useful techno mumbo jumbo but my point was that it is the system itself which is insecure. Much like the cargo cults of Papua where “religious believers” built impossibly tall antennas out of bamboo and strung vines between them because that’s what they thought they needed to build to convince airplanes to drop more cargo on their island. People died building these structures, many lives were lost worshiping someone called John Frum.
Today we all just laugh about these primitive peoples, we point and laugh, we say to ourselves, how Fing stupid were they. Yet without so much as a thought we turn around and stare at a screen with a pretty picture of something we just can’t live without. We perform the necessary worship rituals and Amazon delivers.
At some point we ask ourselves: Is this secure? but even then we are not interested in the security of the economic structure/system we are creating, just limit yourself to answering if the transaction was secure…
It’s all craziness supported by technical magic to make us believe we’re not just another reincarnation of the cargo cults, we’re better, we’re different, we have quantum mechanics on our side.

Sherlock August 5, 2023 5:22 PM

@Jon

“And just how does one Winterize Squid oil?”

Elementary my dear Watson (=Jon).

Our good Winter here consumes the squid oil, processes it overnight
and the fluid what then exits out good Winter in the morning is
Winterized Squid Oil 😉

Ted August 5, 2023 11:05 PM

Quoi?

Be wary of AI-generated travel books.

https://www.nytimes.com/2023/08/05/travel/amazon-guidebooks-artificial-intelligence.html

Amy Kolsky entered the words “travel, guidebook, France” into Amazon’s search bar. One of the top results was Mike Steves’ “France Travel Guide.”

It had more than 100 five-star ratings, outstanding reviews, and was reasonably priced.

When it arrived, Ms. Kolsky was disappointed by its vague descriptions, repetitive text and lack of itineraries. “It seemed like the guy just went on the internet, copied a whole bunch of information from Wikipedia and just pasted it in”

The Times found similar books on other topics.

The Times ran 35 passages from the Mike Steves book through an artificial intelligence detector from Originality.ai … All 35 passages scored a perfect 100, meaning they were almost certainly produced by A.I.

Amazon does not have rules prohibiting content generated primarily by AI. Though “the ability to solicit, purchase and post phony online reviews” may soon draw attention from the FTC.

The Times noted that the distribution of a book’s reviews may also draw suspicion. They may be all five and one star reviews.

Winter August 6, 2023 4:27 AM

@Ted

Be wary of AI-generated travel books.

Reminds me of Monty Python’s dirty Hungarian phrasebook sketch
‘https://youtube.com/watch?v=aRXmcXhEfXc&feature=share

Ted August 6, 2023 4:52 PM

@Winter

re: Monty Python’s dirty Hungarian phrasebook sketch

Too funny!

Although I can see why someone may have cOnFuSed a ‘Mike Steves’ with Rick Steves.

Looks like he has a bunch going on.

This month he appears to be featuring Brussels (Belgium)?

https://www.ricksteves.com/europe

&ers August 6, 2023 5:02 PM

hxxps://www.theguardian.com/us-news/2023/aug/04/cyberattack-us-hospitals-california

hxxps://www.theverge.com/2023/8/5/23821110/hospital-ransomeware-attack-us-prospect-medical-cybersecurity-fbi

Steve August 6, 2023 6:11 PM

@RobertT:

People died building these structures, many lives were lost worshiping someone called John Frum.

Substitute the deity, guru, prophet, or savior of your choice and, in a nutshell, you have much of the the history of humankind.

It’s all just variations on a theme.

lurker August 7, 2023 1:37 AM

@MarkH, ALL

Even when one tries to do the right thing, accidents happen.

Recycling plant fire could burn for ‘potentially days’

‘https://www.koat.com/article/albuquerque-recycling-plant-fire/44744910

Phillip August 7, 2023 3:25 AM

We are reaching through “Somebody’s problem.” You remain at, before ABBA-loo-Lee. My party is suffering pan-suit. Suffer me over “he’s-a-genius” former president. And why ask, everything is my gender politicking? Wasted with it, when I cannot (shoulder me) post a mighty byte here. Without being called to history’s carpet. We hate wait-mode when we are partying. Aware. If only it were rules for me, not you.

Clive Robinson August 7, 2023 4:16 AM

@ lurker, ALL,

Re : Albuquerque recycling plant fire.

The KOAT link you give is regionally blocked.

This BBC link may work,

https://www.bbc.com/news/av/world-us-canada-66424830

As might this KOAT YouTube video,

https://m.youtube.com/watch?v=0ng-TkmOqzI

And “News Flash”,

https://m.youtube.com/watch?v=WLtHgjj05tk&pp=QAFIAQ%3D%3D

I suspect that what the announcer thinks are tyres are actually bulk baling bags full of loose material such as pellets.

Some years ago there was a tyre recycling plant fire in East London that produced similar black acrid smoke.

What was pointed out at the time is that what was coming in and what was going out were essentially “dirty fuels” in a ready to if not optimal burn mix[1]

And that the storage rules with regards hazardous materials such as fuels did not extend to such recycling plants and should do[2].

Which effectively drew the response “from the industry” that if they did then recycling could not be made cost effective…

From the video on the BBC clip and from KOAT on YouTube I suspect the same arguments are going to be made again.

I think few would argue against recycling, however in the UK it’s become a real issue. Put simply you can not buy anything without “buying plastic” or similar packaging much of which is “mixed” thus difficult to recycle. The simple solution would be to ban the use of such plastics especially with respect to many foods. However that requires a change in consumer habits. Back less than a half century ago plastic wrapping was rare, now it’s a major industrial sub section in its own right which adds other problems such as replacing employment.

[1] Plastics and artificial rubber are basically hydrocarbons made from fossil fuels. Like fossil fuels they contain a large number of other chemicals so “burn dirty”. As input to the plant “baled” materials contain a lot of air, likewise as pelleted or similar loose material in baling sacks they contain a large amount of air. Thus they are a fire hazard and once ignited will easily continue to burn (unlike block/brick/billets which do not make good “feed stock”).

[2] In the UK fuel storage has safety rules to hopefully reduce the risk of fire and any harms should a fire start. Part of these rules are about dispersal and fire breaks to limit the potential fire size. However the UK Government has other aims and objectives to do with household refuse and similar. In times past local government was responsible for its collection and disposal, but the UK Government changed the laws to effectively force this to be “out sourced” to private companies. The result has been nothing short of an environmental disaster with incineration under the pretence of CHP and no real controls on the recycling plants. So they have all been built in areas close to or actually in areas where people live, under road and rail systems etc.

Clive Robinson August 7, 2023 4:37 AM

@ Ismar,

“You don’t travel much, do you?”

A curious question…

But as I’ve indicated in the past for medical reasons I’ve been told to keep below the equivalent of 8000ft ASL which is also called “cabin altitude” so can no longer fly on international jet airline flights.

Which limits not just low cost international travel, it means other hobbies have had to stop.

However I used to be almost continuously on the move one way or another. And I had a passion for high ground so mountains, moorland, hills and even high buildings, attracted my feet and my boots.

Mind you as I used to joke,

“I’m not scared of heights, I can stand and look up at them all day, it’s drops that worry me.”

However for the past few weeks even a flight of stairs has been dangerous. Due to blood poisoning both my feet are significantly swollen and extremely painful at the ball of the foot. And I can not stand or balance properly, which makes getting down a flight of stairs hazardous…

RobertT August 7, 2023 5:24 AM

There’s a field of social science called Complexity Economics.
https://en.wikipedia.org/wiki/Complexity_economics
It’s relatively new and attempts to understand and rank the “value” of economies by their product/ service complexity.
A country which only produces bananas is a price taker in a low complexity market and scores very low on the Complexity Index. By contrast a country which produces precision mechanical/electrical systems like say Japan or Switzerland scores high on the complexity Index. There’s an obvious correlation between complex product production and a country’s education system. It should surprise nobody when there is close correlation between PISA rankings and Complexity Index rankings.
https://en.wikipedia.org/wiki/Programme_for_International_Student_Assessment

Ah… but what does this have to do with security?

Well, indirectly what we’re also measuring as “complexity” is the robustness of the system. In the case of the Banana republic it only takes a small change in the dynamics of the banana market to have this country on its knees and begging to be bailed-out. They have no choices and accept whatever terms are on offer (for a recent example think Solomon Islands and China).

Contrast this with a complex economy like Japan, the dynamics of no single industry or sector is sufficient to cause the collapse of the system. Japan is robust whereas the banana republic is fragile.

In my opinion Real world security is about robustness more so than correctness, yet where do we focus 99% of our security attention and analysis?
Why aren’t we talking about economic fragility as a security systems failure?

I know it’s a lot to process…

SpaceLifeForm August 7, 2023 5:53 AM

You probably don’t want to read this.

No, seriously, you probably don’t. But, you should.

‘https://www.insidehighered.com/sites/default/files/2023-07/ejmr_paper_nber(1).pdf

In this paper, we identify the scheme used to assign usernames for each post written by an anonymous user on EJMR. We show how the statistical properties of that algorithm do not anonymize posts, but instead allows the IP address from which each post was made to be determined with high probability.

Winter August 7, 2023 6:12 AM

@SLF

In this paper, we identify the scheme used to assign usernames for each post written by an anonymous user on EJMR.

A common trap to fall into. Use a one way algorithm to derive a unique id from an IP address+fixed text. The algorithm is truly one way so the id is “secure”.

Solution: Iterate over all IPv4 addresses plus the known text and calculate the ID. The ID you are looking for is in there.

As there are O(2^32) IPv4 addresses, the task is a simple one on current hardware.

It would probably be secure for IPv6 as that search space is much too large to currently do this.
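
The enumeration Winter describes, as an added example that is not part of the comment above and does not reproduce the actual EJMR username scheme (the fixed text, the hash and the 8-hex-character truncation are all assumptions for the toy). `weak_pseudonym` is the “one-way so it must be secure” mistake; `recover_ips` is the attack, sweeping a whole prefix and recomputing the ID for every host; `hashes_needed` is the work factor that makes IPv4 feasible and IPv6 not; `keyed_pseudonym` is the fix, an HMAC under a server-side secret, against which the same sweep finds nothing because the attacker can no longer recompute candidates.

```python
"""Added example (not from the page): hashing an IP with a fixed string is
not anonymisation, because the input space is only 2^32.  Toy scheme only."""
import hashlib
import hmac
import ipaddress

# Assumed fixed text the toy site appends to every IP before hashing.
FIXED_TEXT = b"forum-2023"
# Assumed server-side secret for the hardened variant (would be os.urandom).
SECRET_KEY = b"replace-with-32-random-bytes-from-os.urandom"
ID_HEX_CHARS = 8   # 32-bit pseudonym, username-sized


def weak_pseudonym(ip: str, fixed: bytes = FIXED_TEXT) -> str:
    """Unkeyed: SHA-256(ip || fixed_text), truncated.  Genuinely one-way,
    but invertible by enumerating every possible input."""
    return hashlib.sha256(ip.encode() + fixed).hexdigest()[:ID_HEX_CHARS]


def keyed_pseudonym(ip: str, key: bytes = SECRET_KEY) -> str:
    """Hardened: HMAC-SHA-256 under a secret the attacker does not hold.
    Enumeration now requires guessing the key as well as the IP."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()[:ID_HEX_CHARS]


def recover_ips(target_id: str, network: str, derive=weak_pseudonym) -> list:
    """Attacker: recompute the pseudonym for every host in `network` with the
    guessed scheme and collect every address that matches.  A list, because a
    truncated hash can collide.  Over 0.0.0.0/0 this is the full 2^32 sweep."""
    return [str(addr) for addr in ipaddress.ip_network(network).hosts()
            if derive(str(addr)) == target_id]


def hashes_needed(network: str) -> int:
    """Work factor for a complete sweep of `network` (IPv4 or IPv6)."""
    return ipaddress.ip_network(network).num_addresses


if __name__ == "__main__":
    victim = "203.0.113.77"              # constructed address (TEST-NET-3)
    uid = weak_pseudonym(victim)
    # Sweep the surrounding /16: same loop as all of IPv4, 65536x shorter.
    print("weak scheme recovers:", recover_ips(uid, "203.0.0.0/16"))
    print("hashes to sweep IPv4:", hashes_needed("0.0.0.0/0"))
    print("hashes to sweep IPv6:", hashes_needed("::/0"))
    # Same sweep against the keyed ID, attacker still without the key.
    print("keyed scheme recovers:", recover_ips(keyed_pseudonym(victim), "203.0.0.0/16"))
```

The /16 sweep is 65,534 SHA-256 calls and finishes in well under a second in pure Python; the full IPv4 space is only 65,536 times that, which is the point of Winter’s “simple on current hardware”. Note the keyed variant does not make the ID unlinkable across posts (the same IP still yields the same ID, which is what the site wants), it only stops an outsider recovering the IP from it.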

Ismar August 7, 2023 7:04 AM

@Clive It is a pity you cannot travel anymore as an important aspect on life is lost in those who don’t travel

- August 7, 2023 10:11 AM

@Moderator:

1, #comment-425250

Lacks coherence, but has politics weighting in it a search engine would pick up on.

Clive Robinson August 7, 2023 12:34 PM

@ RobertT,

“lots of useful techno mumbo jumbo but my point was that it is the system itself which is insecure.”

The two basic reasons most systems are “insecure” are,

1, They have “entities with agency” within the loop.
2, The designers fundamentally do not understand “why secrecy is not security”.

But as Arthur C Clark noted, about advanced technology looking like magic, to 99.9…% of the population we are always going to have “magical systems”. The difference is how much you become “enslaved by your beliefs”.

If I hold up my hand pointing a finger and say bang, and a hole appears where I’ve been pointing, how soon before you say it’s not coincidence?

Three times, ten times a hundred? Eventually you will accept there is some “cause and effect” and that it’s not just coincidence.

The question then is having accepted it’s not coincidence,

“What do you think is happening?”

The answer to that depends on two things,

1, What you know
2, What you believe

From which we can say,

“The more you know the less you need to believe.”

Hence the more technically sophisticated you are the less like magic it looks.

Now I don’t care what some may say, the reality is none of us are going to be sufficiently sophisticated that there can not be the magic of a little unknown in our lives.

For instance there is sufficient evidence around that hypnosis can change the way people respond to various stimuli. We don’t know why but it does for many people (but not all).

There is also abundant evidence for cognitive bias, and I’m sure many can think of many quite public examples in recent times.

But it actually runs deeper, due not to what you know by experience or observation but only by what you have been told before you could reason sufficiently to question… That is arguably something like 300million people in the US with “Cargo Cult” like beliefs on the existence of a “Higher Power”[1] that controls their existence…

I’m cautious about “quantum security” for a number of reasons. First and foremost those who actively research into that side of science themselves are quite cautious. Yes we joke about “Shut Up And Calculate”(SUAC) but most of it is theory with insufficient experimental confirmation. In part because we don’t yet have the technology to test. But also we know there are hard limitations on what can be done due to environmental limitations.

But also, I see too many claims where secrecy and security are confused or muddled in peoples thinking and that does not give me confidence in what they say let alone claim.

As for Quantum Computing I really don’t think we are even close to having the technical sophistication to turn the multitude of theory into practical fact.

But consider that it’s argued that we need a minimum of 1000 Qbits to have the practical computing power to rival a high end laptop.

Unlike discrete digital bits that have only two states, Qbits to work need to have a continuous state that covers all potential values simultaneously. So they are effectively analog and would need a 2^1000 or 10^301 state range. How do we keep the noise out let alone measure accurately enough to be of use?

[1] Pew Research after various polls concluded ~90% of US adults believed in a “Higher Power” with an inverse ratio based on educational attainment,

https://www.pewresearch.org/short-reads/2018/04/25/key-findings-about-americans-belief-in-god/

lurker August 7, 2023 5:36 PM

@Ismar, @Clive

I thought not travelling was an English problem. I lived in England for a while in the ’70s. Bank Holiday weekends my wife and I would take our bikes on the Friday night boat train to France, or Denmark, or … Back at the office Tuesday colleagues would be astonished, and confess they were unable to do such a thing.

NZ is an island nation, far from almost everywhere, so we have to travel. UK is an island nation, but developed as a trading and finance centre: everybody else comes to them, they don’t have to travel. Until the likes of RyanAir came along ….

vas pup August 7, 2023 6:38 PM

Eric Schmidt – AI will transform science

https://www.technologyreview.com/2023/07/05/1075865/eric-schmidt-ai-will-transform-science/

“It’s yet another summer of extreme weather, with unprecedented heat waves, wildfires, and floods battering countries around the world. In response to the challenge of accurately predicting such extremes, semiconductor giant !!! Nvidia is building an AI-powered “digital twin” for the entire planet.

This digital twin, called Earth-2, will use predictions from FourCastNet, an AI model that uses tens of terabytes of Earth system data and can predict the next two weeks of weather tens of thousands of times faster and more accurately than current forecasting methods.

Usual weather prediction systems have the capacity to generate around 50 predictions for the week ahead. FourCastNet !!!!can instead predict thousands of possibilities, accurately capturing the risk of rare but deadly disasters and thereby giving vulnerable populations valuable time to prepare and evacuate.

AI can rewrite the scientific process. We can build a future where AI-powered tools will both save us from mindless and time-consuming labor and also lead us to creative inventions and discoveries, encouraging breakthroughs that would otherwise take decades.

Scientists at McMaster and MIT, for example, used an AI model to identify an antibiotic to combat a pathogen that the World Health Organization labeled one of the world’s most dangerous antibiotic-resistant bacteria for hospital patients. A Google DeepMind model can control plasma in nuclear fusion reactions, bringing us closer to a clean-energy revolution. Within health care, the US Food and Drug Administration has already cleared 523 devices that use AI—75% of them for use in radiology.

AI tools can help formulate stronger hypotheses, such as models that spit out more promising candidates for new drugs. We’re already seeing simulations running multiple orders of magnitude faster than just a few years ago, allowing scientists to try more design options in simulation before carrying out real-world experiments.

Eventually, much of science will be conducted at “self-driving labs”—automated robotic platforms combined with artificial intelligence. Here, we can bring AI prowess from the digital realm into the physical world. Such self-driving labs are already emerging at companies like Emerald Cloud Lab and Artificial and even at Argonne National Laboratory.

AI tools can lower the barrier to entry for new scientists and open up opportunities to those traditionally excluded from the field. With LLMs able to assist in building code, STEM students will no longer have to master obscure coding languages, opening the doors of the ivory tower to new, nontraditional talent and making it easier for scientists to engage with fields beyond their own.

With all these areas, it’s essential to remember the inherent limitations and risks of artificial intelligence. AI is such a powerful tool because it allows humans to accomplish more with less: less time, less education, less equipment. But these =>capabilities make it a dangerous weapon in the wrong hands.

!!!Even humans with entirely good intentions can still prompt AIs to produce bad outcomes. We should worry less about creating the Terminator and, as computer scientist Stuart Russell has put it, more about becoming King Midas, who wished for everything he =>touched to turn to gold and thereby accidentally killed his daughter with a hug.

To address both intentional and unintentional bad uses of AI, we need smart, well-informed regulation—on both tech giants and open-source models—that doesn’t keep us from using AI in ways that can be beneficial to science. Although tech companies have made strides in AI safety, government regulators are currently woefully underprepared to enact proper laws and should take greater steps to educate themselves on the latest developments.”

X August 8, 2023 5:50 AM

Outcome #3: Your friends are here.
Aaron Cross: Yeah. Don’t you think that strange? Wolves, they don’t do that. They don’t track people.
Outcome #3: Yeah, maybe they don’t think you’re human.

  • Bourne Legacy

######################################

“For we wrestle not against flesh and blood, but against principalities, against powers, against the rulers of the darkness of this world, against spiritual wickedness in high places.”

  • Ephesians 6:12, The Bible

pilot August 8, 2023 6:48 AM

I’ve been told to keep below the equivalent of 8000ft

Cabin altitude will be around 7000 ft AMSL on almost all commercial airliners. Recent models have even lower cabin altitude, e.g. 6000 ft for the A350 and B787.

Clive Robinson August 8, 2023 7:23 AM

@ pilot,

“Recent models have even lower cabin altitude”

But don’t have to be as the highest airports are well above 8000ft.

So it’s not a certainty, and you can not buy a ticket guaranteeing they will keep to 7000ft ASL and they won’t sell you a ticket if you ask for such a guarantee.

So do you keep your feet on the ground or flip a coin to see if you will have dangerous if not fatal issues to your brain?

Just let me stand here awhiles and think about it 😉

Clive Robinson August 8, 2023 3:24 PM

@ Bruce, usual suspects, ALL,

Don’t type whilst on the phone

Yet another “acoustic side channel” that enables typing to be recovered about 95%…

https://arxiv.org/abs/2308.01074

It’s less reliable with fast touch typists and does not pick up the shift key –and presumably control ESC key combos– very well.

From the Intro,

“This paper presents a practical implementation of a state-of-the-art deep learning model in order to classify laptop keystrokes, using a smartphone integrated microphone. When trained on keystrokes recorded by a nearby phone, the classifier achieved an accuracy of 95%, the highest accuracy seen without the use of a language model. When trained on keystrokes recorded using the video-conferencing software Zoom, an accuracy of 93% was achieved, a new best for the medium. Our results prove the practicality of these side channel attacks via off-the-shelf equipment and algorithms.”

Note,

1, No language model needed.
2, Off-the-shelf equipment and algorithms.

So well within “high school kid” attack capabilities.

lurker August 8, 2023 5:01 PM

@modem, All

I was at a course once where we were told to use vi to blah. I commented to the instructor, “This vi seems to be behaving a little odd.” Turned out all the machines in that lab had vi as an alias to vim. It convinced me that was how vi should have always worked.

RIP Bram

RobertT August 8, 2023 6:06 PM

I made a longish post a couple of days ago that drifted significantly away from the narrow definition of “security”. I know this is Bruce’s blog so his rules apply, however are readers generally interested in me expanding on the topic of economic robustness vs economic fragility as security topics?

I firmly believe that understanding and maximizing Complexity Economics is essential for the AI transition that most of the world is sleep-walking into. Traditional economics puts too much emphasis on money itself and too little emphasis on complexity and diversity which imo are the foundations of a 21st century economy.

If there is widespread interest then I will try to set up a web site so interested parties can explore this wider definition of “security”.

SpaceLifeForm August 8, 2023 10:43 PM

@ RobertT

If people do not have economic security, they probably do not have personal physical security. And when there are many in that situation, then you are looking at National Security issues. See Jan 6.

Clive Robinson August 9, 2023 12:09 AM

@ RobertT,

Re : Economics as the quick sand beneath ICTsec.

“Traditional economics puts too much emphasis on money itself and too little emphasis on complexity and diversity which imo are the foundations of a 21st century economy.”

I’ve been mulling over a reply…

It’s no secret I have little regard for economics for many reasons, not least it’s based on way too many assumptions that can not be considered axiomatic but just get built in.

The big failing it’s had with the Internet, as I’ve indicated in the past, is the implicit assumption built into much general economics that “distance raises cost” thus a “market must have a home advantage” compared to a distant manufacturer.

I think most here realise that the only cost the internet has for by far the majority is “connection fees” that have no effect on the distance data travels, thus no “home market advantage” and so “first to market takes all” which is what we’ve seen.

But not as many have realised that even when distance does cost these days it’s actually a very small fraction of other costs. Thus manufacturing in the far east of Europe where land and labour are inexpensive compared to west Europe is why we had the horsemeat scandal a decade ago and worse has been building up since.

Likewise why for instance the US-China issue is such that the US can not solve the trade imbalance in the idiotic ways it is going about it.

This then brings in “National Security” not just in the general sense, but from this blog’s perspective the ICTsec sense.

I think it’s no secret that the US spies on everyone every which way it can and,

1, Being the center of the Internet.
2, Being the center of software.
3, Being the center of hardware.

Has for three decades given the US the “Spider at the center of the web” advantage which they have significantly abused along with the Five-Eyes straddling the global “choke points” for data communications.

Well it’s hardly surprising other nations are now retaliating.

The problem is “the US has bet the farm” on the Internet with all its weak protocols and easy to attack hardware. Thus the US is extremely vulnerable economically on the Internet whilst the likes of China and India are not. The fact that they have taken away hardware and software development from the US due to short sighted outsourcing and the like means US entities are much more vulnerable to ICTsec issues than China or India…

So yes the economics side is very much not “the feet of clay” in ICTsec, but “the shifting quick sands of doom”.

SpaceLifeForm August 9, 2023 1:03 AM

@ Clive

Satint news

‘https://spacenews.com/noaa-lifts-many-commercial-remote-sensing-license-conditions/

SpaceLifeForm August 9, 2023 2:12 AM

Milksad

Something about Random and KeySpace.

I may be confused. 😉

‘https://milksad.info/

pilot August 9, 2023 6:05 AM

But don’t have to be as the highest airports are well above 8000ft.

There are a few in Asia and South America (can’t remember one in Europe off the top of my head), but with your condition you clearly wouldn’t want to fly there.

There is also some common misconception on how cabin pressure changes during a flight.

If M is the max allowed cabin altitude (e.g. 8000 ft) it is NOT true that cabin pressure will be equal to outside pressure as long as you fly below M, and then be kept constant at M when climbing above.

In fact pressurization will start on departure as soon as the doors are closed, and cabin pressure will be a smooth and almost linear function of outside pressure, reaching the limit value only at the programmed cruise altitude. A similar thing happens on descent – the system knows the arrival airport altitude.

they won’t sell you a ticket if you ask for such a guarantee.

They won’t sell a ticket if you insist on any guarantee, no matter how trivial or relevant it may be…

Clive Robinson August 9, 2023 7:09 AM

@ SpaceLifeForm, ALL,

Re : NOAA changes to satellite imaging.

It was to be expected, the US Gov has been dragging their heels every which way they can on space imaging.

It got well past the point where you could walk into “high st” shops and buy cameras and lenses that, if put in low earth orbit in CubeSats, would outperform what the US Gov would allow one way or another.

The final nail in the coffin as it were was India which has progressed more rapidly than some expected. Basically India has seen the economic benefit in ignoring the US Gov’s wishes to control space. It’s part of what went on that led up to India’s anti-sat experiment carried out four and a half years ago,

https://www.spaceflightinsider.com/organizations/isro/reactions-mixed-regarding-indias-anti-satellite-test/

You might note that the sat India destroyed was in a very low and quickly decaying orbit, and at 740kg was a distinct oddity having been launched only two months before,

https://en.m.wikipedia.org/wiki/Microsat-R

Clive Robinson August 9, 2023 9:07 AM

@ SpaceLifeForm, ALL,

Re : Entropy what entropy you don’t have the time 😉

“Something about Random and KeySpace.”

I went and took a look and when I saw,

“On Libbitcoin Explorer 3.x versions, bx seed uses the Mersenne Twister pseudorandom number generator (PRNG) initialized with 32 bits of system time.

I started to laugh and almost fell off my perch where I was resting with a cup of the hot brown stuff… The result: the phone hit the floor, but the “strong brownian motion generator” was safely saved so did not go everywhere.

For the young and tender amongst us, who were not hacking back in the 1970’s or last century, this is a known attack method that has a beard to rival Methuselah.

To start with consider 32 bits is just 4 billion choices which is a very very small “key space” and easily crackable by brute force in short order on even a cheap laptop running Python.

But because time is kind of common to everyone, if the attacker can get a time reference say via a file time stamp that 4 billion key space drops to oh less than a millionth of that.

But worse still, if the user has their system connected to the Internet when they generate the new wallet the attacker could get a way more accurate reference down to just a few bits…

That is the “uncertainty” entropy of a system clock is obviously low and due to XTAL Delta F (think around 2ppm for a laptop). But from a security aspect if an attacker can get a multipoint set of time references it would be maybe a couple of bits of “uncertainty” entropy if that.

If you hunt back quite a way on this blog you will find discussions of just how little “uncertainty” there is, with it being down to the system clock frequency drift, that can via network time stamps be measured from the other side of the world…
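The keyspace arithmetic in the comment above, as an added example that is not part of the original thread and is not Libbitcoin’s code: the vulnerable pattern (a Mersenne Twister seeded from 32 bits of system time) beside the hardened one (the OS CSPRNG), plus a small calculator for how many bits of uncertainty are actually left once an attacker can bound the generation time. Function names, the 1-second seed resolution and the sample timestamp are my own assumptions for illustration.

```python
import math
import random
import secrets


def weak_wallet_seed(unix_time: int) -> bytes:
    """Vulnerable pattern (constructed illustration, not libbitcoin's code):
    an MT19937 instance seeded from 32 bits of system time, then asked for
    32 'random' bytes. The same timestamp always regenerates the same bytes,
    so the seed has at most 32 bits of entropy, and far fewer in practice."""
    prng = random.Random(unix_time & 0xFFFFFFFF)  # random.Random is MT19937
    return bytes(prng.getrandbits(8) for _ in range(32))


def strong_wallet_seed() -> bytes:
    """Hardened form: 32 bytes from the OS CSPRNG via the secrets module,
    which has no seed the caller (or anyone else) can reconstruct."""
    return secrets.token_bytes(32)


def seed_entropy_bits(uncertainty_seconds: float, resolution_seconds: float = 1.0) -> float:
    """Bits of uncertainty an attacker faces when the seed is a timestamp of
    the given resolution and the generation time has been bounded to a
    window of `uncertainty_seconds` (assumed 1-second resolution by default)."""
    candidates = max(1.0, uncertainty_seconds / resolution_seconds)
    return math.log2(candidates)


def keyspace_reduction_factor(uncertainty_seconds: float, resolution_seconds: float = 1.0) -> float:
    """How many times smaller the candidate set is than the full 2**32 seed space."""
    candidates = max(1.0, uncertainty_seconds / resolution_seconds)
    return 2.0 ** 32 / candidates


def clock_drift_seconds(ppm: float, elapsed_seconds: float) -> float:
    """How far a crystal with the given ppm error can wander over the elapsed
    time; e.g. 2 ppm over a day is under a fifth of a second, so a clock
    reference from the same day leaves essentially no seed uncertainty."""
    return elapsed_seconds * ppm / 1e6


if __name__ == "__main__":
    for window, label in ((2 ** 32, "no time reference"),
                          (86400, "known to the day"),
                          (3600, "known to the hour"),
                          (clock_drift_seconds(2.0, 86400), "clock drift over a day at 2 ppm")):
        print(f"{label:32s}: {seed_entropy_bits(window):5.1f} bits, "
              f"search {keyspace_reduction_factor(window):,.0f}x smaller than 2^32")
```

With a window known only to the day the 32-bit seed space collapses to roughly 16 bits; with a reference good to the hour it is over a million times smaller than 2^32, and once the attacker’s reference is within a few seconds of the real clock there is nothing left to search.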

Clive Robinson August 9, 2023 9:51 AM

@ SpaceLifeForm, ALL,

Re : That Xmas gift keeps giving…

Those silicon turtles are certainly getting the Elvis “way on down” jive.

https://www.bleepingcomputer.com/news/security/new-downfall-attacks-on-intel-cpus-steal-encryption-keys-data/

Called “downfall” CVE-2022-40982 Intel are in the frame for this one for several of their server CPUs (Skylake through Ice Lake). Oh and SGX gets the end run…

“A threat actor exploiting the security issue can extract sensitive information that is protected by Software Guard eXtensions (SGX), Intel’s hardware-based memory encryption that separates in memory code and data from software on the system.”

So potentially not what you might want if you are developing certain kinds of user to user communications that you want to keep a third party “nose prod” camel out of the tent.

But as normal with such “specmanship failings”,

“Eliminating the risk of Downfall/GDS attacks requires a hardware redesign, which comes at a cost that the industry is not yet ready to pay.”

RobertT August 9, 2023 6:29 PM

re Libbitcoin Explorer 3.x
Wow I can’t believe we’re having another discussion about PRNG’s being used where a TRNG is required.

This cannot be accidental, nobody that has been actively involved in secure payment systems at any point in the last 25 years, can be in any doubt about the weaknesses of PRNG’s.

The real underlying problem is that no as-is TRNG can pass all the available “randomness” tests, but every PRNG (beyond the simplest LFSR) passes the tests easily.

The solution is obvious combine the two, which is easier said than done AND is the route used by many to obscure their products’/methods’ lack of real entropy. The simplest solution is to use a not-very random RNG to seed the PRNG and then run it for some unknown (not supposed to be known) time before resampling the output. This is trivial to implement and won’t cost you much if any additional hardware AND it’ll pass every test that anyone can throw at it…. but but but it’s not random and it’s relatively easy to unpick if you have any sort of independent access to system clocks (or clock derived time)

Massive fail, go to the back of the security bus and hang your head in shame!
unless, of course, that’s what you wanted, in which case congrats, you fooled us all once again and you weren’t even cute about how you fooled us.

So why are we falling systems implemented with flaws that should have been embarrassing for anyone working this century? Frankly anyone working in security systems should have known this weakness as far back as the late 70’s, Clive will probably say 60’s and others will add 10 years to that number.

Here’s the thing, this problem is only fixable with dedicated TRNG hardware but nobody is willing to pay for the dedicated hardware because these weak system implementations can pass all the available randomness tests. It might be time to ask ourselves who is setting these weak TRNG standards and why? but that’s a question way beyond my pay grade.

SpaceLifeForm August 9, 2023 7:42 PM

@ Clive, ALL

#SiliconTurtles

If you disable SMT, you will reduce attack surface.

Yes, there will probably be a performance penalty.

But, I think trading away security for performance may not be the wise choice.

‘https://downfall.page/

Clive Robinson August 10, 2023 5:03 AM

@ RobertT, ALL,

Re : To count or not to count that is the question.

“It might be time to ask ourselves who is setting these weak TRNG standards and why?”

The answer is in effect the same purse string holders as,

“nobody is willing to pay for the dedicated hardware because these weak system implementations can pass all the available randomness tests.”

So as the old saying has it,

“You get what you pay for”

And with all “Pseudo Random Number Generators”(PRNG) that boils down to,

1, A state array
2, A complexity map
3, An update function.

With a little bit of rearrangement the update function(3) and state array(1) combine to become a counter.

Which tells you that,

All “Pseudo Random Number Generator”(PRNG) systems have a well defined frequency spectrum that is hidden behind a complexity map.

All “True Random Number Generator”(TRNG) systems if designed and built correctly have no defined frequency spectrum in their output.

Which tells you that it is possible to design a “Distinguisher Test” that with sufficient input will answer the question of,

“Counting or not counting?”

Effectively all those tests are all aimed at finding “the hidden frequency spectrum”. But as we know from cryptanalysis undoing that complexity map requires lots of resources, and they all boil down at the end of the day to “time and money”.

So all the “DIEHARD”[1] and later tests are not looking to see if an RNG is random or not, just to see if it fails to one of several easy to find spectral or equivalent tests[2].

The truth of the matter is that standard cryptographic algorithms go through far more rigorous testing than PRNGs do. Which is where the biggest failing of on chip RNGs starts.

The argument is,

If a crypto algorithm is better tested then why not replace the complexity map with a crypto algorithm?

After all AES in counter mode (AES-CTR) is considered “Crypto Secure”(CS). So for practical purposes a CS-PRNG should be sufficient…

The actual answer boils down to,

“Where does the CryptoKey come from?”

Because if an attacker can determine the key then it’s “game over”. That is,

“A known or fixed key is a backdoor”

As anyone who reads data sheets will know, as the user, you don’t get to choose the key… That’s done by the chip manufacturer and known to them and whomever they choose to tell…

As I’ve indicated in the past there are other reasons not to trust “on chip RNGs” be they PRNGs or TRNGs.

So I don’t trust them…

[1] The first well-known suite of tests for random number generators was George Marsaglia’s DIEHARD battery of tests. This has since been updated and augmented a number of times, so DIEHARDER, PractRand, TestU01, etc. Eventually NIST came out with their “Statistical Test Suite”(STS),

NIST Special Publication 800-22

A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications.

[2] Not being nasty about these tests or the people behind them but they should be regarded as the low water mark. That is if your RNG fails any of them it’s probably not fit for any serious use. If it passes all of them, all it says is you’ve cleared the first of many hurdles. The tests certainly will not show if an RNG is a PRNG or TRNG unless it fails. And likewise will not show if the RNG has a backdoor in it.
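The “counter behind a complexity map” picture above, and RobertT’s point earlier that any PRNG beyond a trivial one sails through the randomness tests, as an added example that is not part of the original thread and not any vendor’s RNG design: a generator built from a 128-bit counter (state array plus update function) and SHA-256 over key || counter (the complexity map, standing in for the block cipher of an AES-CTR style CS-PRNG), the same counter with the map removed, and the frequency (monobit) test from NIST SP 800-22 section 2.1. The fixed all-zero “vendor key” and the helper names are my own constructions for illustration.

```python
import hashlib
import math
import secrets


class CounterPRNG:
    """Constructed illustration of the three PRNG parts named above:
    state array (a 128-bit counter), update function (increment) and a
    complexity map (SHA-256 over key || counter, standing in for the block
    cipher of an AES-CTR style generator). Not any vendor's design."""

    def __init__(self, key: bytes, counter: int = 0) -> None:
        self.key = key          # the "CryptoKey": whoever knows it can replay the stream
        self.counter = counter  # the state array is just a counter

    def next_block(self) -> bytes:
        block = hashlib.sha256(self.key + self.counter.to_bytes(16, "big")).digest()
        self.counter += 1       # update function: it is counting underneath
        return block

    def bytes(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            out += self.next_block()
        return out[:n]


def raw_counter_stream(n: int) -> bytes:
    """The same counter with the complexity map removed."""
    out = b""
    i = 0
    while len(out) < n:
        out += i.to_bytes(16, "big")
        i += 1
    return out[:n]


def monobit_p_value(data: bytes) -> float:
    """Frequency (monobit) test, NIST SP 800-22 section 2.1:
    S_n = (+1 per 1 bit, -1 per 0 bit) summed, s_obs = |S_n| / sqrt(n),
    p = erfc(s_obs / sqrt(2)). Returns 0.0 for empty input."""
    n = len(data) * 8
    if n == 0:
        return 0.0
    ones = sum(bin(b).count("1") for b in data)
    s_obs = abs(2 * ones - n) / math.sqrt(n)
    return math.erfc(s_obs / math.sqrt(2))


def passes_monobit(data: bytes) -> bool:
    """SP 800-22 decision rule: the sequence passes when p >= 0.01."""
    return monobit_p_value(data) >= 0.01


FIXED_VENDOR_KEY = bytes(16)  # constructed: a fixed, known key, i.e. the "backdoor" case


def stream_with_fixed_key(n: int) -> bytes:
    """Output any party who knows the fixed key can regenerate exactly."""
    return CounterPRNG(FIXED_VENDOR_KEY).bytes(n)


def stream_with_fresh_key(n: int) -> bytes:
    """Output keyed from the OS CSPRNG, so no second party holds the key."""
    return CounterPRNG(secrets.token_bytes(32)).bytes(n)


if __name__ == "__main__":
    print("bare counter passes monobit:", passes_monobit(raw_counter_stream(4096)))
    print("fixed-key PRNG passes monobit:", passes_monobit(stream_with_fixed_key(4096)))
    print("fixed key replays identically:", stream_with_fixed_key(64) == stream_with_fixed_key(64))
```

The bare counter fails the monobit test immediately because its spectrum is exposed; put SHA-256 in front of it and the very same counting passes, which is all the test can tell you. And because the fixed key makes every block reproducible, anyone holding that key can regenerate the whole stream, which is the “known or fixed key is a backdoor” point in practice.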

Clive Robinson August 10, 2023 4:57 PM

@ SpaceLifeForm, ALL,

I’m beginning to suffer from “silicon turtle fatigue” with AMD…

It appears that not only do they go way on down, it’s a family affair with not just grand parents and grand children but a whole historic lineage longer than a beggar’s arm…

https://www.theregister.com/2023/08/09/amd_inception/

I guess we’ll hear the same or similar about Intel and Arm in the very near future, as that’s the way these things tend to go…

SpaceLifeForm August 10, 2023 7:50 PM

Bad assumptions

‘https://www.theregister.com/2023/08/10/tunnelcrack_vpn/

We’re assuming here your secure connections can resist man-in-the-middle decryption attacks.

SpaceLifeForm August 10, 2023 8:00 PM

I suspect that CloudFlare is seeing this

Ukraine is warning of a wave of attacks targeting state organizations using ‘Merlin,’ an open-source post-exploitation and command and control framework.

‘https://www.bleepingcomputer.com/news/security/hackers-use-open-source-merlin-post-exploitation-toolkit-in-attacks/

Domain fronting for bypassing network filtering.

Ted August 10, 2023 9:22 PM

Tweet: “Chrome announces enabling post-quantum key agreement in 116. 😎”

From Chromium blog:

As a step down this path, Chrome will begin supporting X25519Kyber768 for establishing symmetric secrets in TLS, starting in Chrome 116, and available behind a flag in Chrome 115.

Clive Robinson August 10, 2023 10:38 PM

@ SpaceLifeForm,

Re : Bad assumptions

With regard to the article,

“We’re assuming here your secure connections can resist man-in-the-middle decryption attacks.”

Not all traffic can be encrypted in mixed usage networking.

For instance, if you can not use your local network DNS you will have to use either IP only addressing from a local hosts table or a DNS out the other end of the VPN. Unless both DNS servers are either encrypted or not encrypted you will find life more difficult than the user would like.

But the actual traffic re-routing is not a new attack and there are a few others similar to it.

For instance in conventional Ethernet networks, IP routing has no meaning, thus you can re-route via the Ethernet MAC addresses (a useful trick if you get second hand network appliances and you’ve no idea what the IP address is for the “Web Management Port”).

But IP also sits on top of all sorts of other protocols –including IP– that do their own routing. X25 is still used under both Ethernet and IP.

But similar happens at other levels in IP networks, on the more grand end of the scale is fritzing with BGP.

The important thing to note is, as long as there is a gap between your device’s IP stack and the VPN entrance IP stack there will be an opportunity to “get in between”.

The big problem in BSD Networking –which Microsoft etc still use apparently– that became the foundation for POSIX and thus many other OSs etc… was the assumption that using the network stack for interprocess communications was OK (look up “Berkeley Sockets IPC”[1]).

In effect even if the client and server are running on the same machine and using 127.0.0.1 the packets go down the stack and back up again so all the firewall etc rules make sense (it also allowed the firewall to get moved into the kernel thus improving throughput).

Worse or better depending on your viewpoint shoving IPC to an async stack with hardware buffering and other reliability mechanisms takes a lot of work out of the equation as it’s already been done… There used to be other “groovy stuff” you could do via “Unix Streams” on Sys V but I gather it’s not as popular as it was thirty years ago. Both BSD and Linux dug their donkey hoofs in and in 2013 POSIX effectively killed it, and we were left with something “inferior”…

With both Microsoft and Apple moving their OSs more and more “into the cloud”… Linux or a stripped down version of it[2] will in one form or another become the underlying default user device OS.

[1] The “Berkeley Sockets IPC” was originally released with BSD4.2 back in 1983, whilst it was originally “encumbered by AT&T licencing” it was free by the end of the decade. Just about everybody grabbed the code including Microsoft and stuck it on their own OSs. Which is still true today if Wikipedia is to be believed,

“All modern operating systems implement a version of the Berkeley socket interface. It became the standard interface for applications running in the Internet. Even the Winsock implementation for MS Windows, created by unaffiliated developers, closely follows the standard.”

https://en.m.wikipedia.org/wiki/Berkeley_sockets

[2] Can I strongly suggest people avoid Google OS’s on user devices because they are “building in expiry” which will force you to ditch your device every few years,

https://www.pcworld.com/article/393324/77-chromebooks-you-shouldnt-buy-why-googles-expiration-dates-matter.html

When the Google “Time to die” is reached you have some options, but as people have found with some Cloud services even though their device is still functioning the provider won’t allow it to be used with their service… So what to do other than don’t buy one in the first place?

Well upgrading to a version of Linux that supports the hardware is probably a good option (however it has a risk of bricking which can be a pain to sort out[3]).

Other suggestions avoiding “WEEE fines” or landfill are,

https://www.wikihow.com/What-to-Do-with-Your-Chromebook-After-End-of-Life

However as the migration to Cloud continues those other options become less attractive. But also expect those Google “time before dead” dates to get shorter at the point of retail, as it will be one of the few ways to push new overpriced hardware sales. Especially at the economy end where hard pressed parents trying to do the best for their kids get fleeced over and over as a captive market.

[3] How to “unbrick” a Chrome device

https://gist.github.com/jcs/4bf59314d604538a5098

As you will read you have to do a number of things before you do brick it. Similar applies to other Chrome Devices on which the shine has come off.

Clive Robinson August 10, 2023 11:13 PM

@ Bruce, RobertT, ALL,

Static key as bad as no key.

A few hours ago I mentioned that one of the problems with On-Chip RNGs was the use of Encryption where the user had no control of the key…

Little did I expect to read an article within the day and get that “synchronicity feeling”,

https://www.bleepingcomputer.com/news/security/dell-compellent-hardcoded-key-exposes-vmware-vcenter-admin-creds/

Yup falling under the “they should have known better” banner Dell have hardcoded an AES key in their “Compellent” systems (one of their major enterprise lines),

“discovered in a penetration exercise that Dell CITV contains a static AES encryption key that is identical for all Dell customers across all installs.”

This includes all the admin credentials etc… So unlike using a hard coded password which gives just access to the affected systems, if the sysadmin password is the same on other machines then because AES is not one way like a hash, an attacker gets the plaintext password…

So Dell get “a double SmackFoo” on this one…
