Friday Squid Blogging: NIWA Annual Squid Survey

Results from the National Institute of Water and Atmospheric Research Limited annual squid survey:

This year, the team unearthed spectacular large hooked squids, weighing about 15kg and sitting at 2m long, a Taningia—which has the largest known light organs in the animal kingdom—and a few species that remain very rare in collections worldwide, such as the “scaled” squid Lepidoteuthis and the Batoteuthis skolops.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Read my blog posting guidelines here.

Posted on August 11, 2023 at 5:09 PM · 68 Comments

Comments

vas pup August 11, 2023 7:24 PM

Is there a sinister side to the rise of female robots?
https://www.bbc.com/future/article/20230804-is-there-a-sinister-side-to-the-rise-of-female-robots

“The idea of having sex with an android has existed in mainstream entertainment for decades, in science fictions films such as Blade Runner, AI Artificial Intelligence, Her and Ex Machina.

In her book Man-Made Women, Richardson warns of a growing trend – the idea has jumped from science fiction to morning talk shows and music videos. Sex doll brothels are opening in Barcelona, Berlin and Moscow.

She cautions that there would be a massive cost to normalising such interaction. “What we’re building into society is this very egocentric idea that actually what a single human being is feeling and thinking and experiencing is “a relationship”. So they can project onto an AI avatar all these feelings.

“There’s a concern generally with AI, especially when it’s related to sex: human relationships are difficult. There’s risk involved with any kind of intimacy, and AI is more compliant.”

Some people find pornography easier than dating, he says, and AI could provide a way of avoiding the effort of dealing with other human beings, and the fear of rejection that this brings.

He sees more of a future in animated characters which are interactive, rather than three-dimensional humanoid “companion bots”. “Pretty much anything with moving parts is going to be problematic. Think about the attention the automobile requires compared to whatever computer you’re working on.”

modem phonemes August 11, 2023 7:50 PM

@ vas pup

what a single human being is feeling and thinking and experiencing

This ultra-solipsism of living for a purely imaginative ideal and adjusting external realities to conform to that image has become more and more common as technologies have provided more and more mastery over nature. It’s Descartes’ cogito ergo sum at headlong cancerous growth.

Clive Robinson August 11, 2023 8:47 PM

@ vas pup, modem phonemes,

Re : Man-Made Women.

Whilst the mechanics are there and apparently improving there is no AI that comes even close to even minimal social interaction.

However we have to ask the important question,

“Will it reduce the issues to do with unmarried males under 25 creating violence and other social disruption including war?”

It’s been found that where normal prostitution is accepted and sensibly controlled, street crime and violent crime tend to be less.

It’s been argued that religious opposition to prostitution is actually not traditionally part of most religions. And further it has been brought in as a form of political control to increase the likelihood of social unrest, thus a steady supply of soldiers to go get slaughtered in national conflicts and the like.

But in this century we have an issue. Corporates etc have an increasing requirement for non-physical-labour employees. For various reasons women still get paid less than men and a 25% salary / bonus disparity is common despite legislation.

Since the 1950’s women have increasingly been able to become independently waged at a rate that allows them to be not supported by either their family or a husband etc. This in turn has enabled them to avoid what many called “the marriage trap”. The result is that rather than starting families in their late teens or early twenties women are putting off having children into their late thirties and even forties (with some leaving it too late). One consequence of which is that they do not form traditional relationships… That is they do not want what many men want and part of that is increasing numbers of men are not in any kind of relationship with women even as friendship.

It is argued that this lack of available women for more traditional relationships is causing significant social disruption.

It’s thus not hard to see why some would argue,

“Why not robots/androids?”

Anyone who saw the original “Westworld” film can see the way movie developers thought through the last three decades of the last century. Likewise “Stepford Wives”, it’s a form of misogyny that is actually a “teen queen slave” predilection bordering on worse behaviours.

Whilst it might be a “five minute fantasy” the reality is that it is not what the majority want out of a relationship short term or otherwise.

So it’s not the mechanics of robots / androids that is going to be looked for but the “intelligence” and as normal AI is still for bilking investors “a decade away” but in reality is not going to happen in our life times nor that of our children.

Also,

Could we afford the energy bill?

Current LLMs suck in energy like crypto-coin mining machines and what they push out in the way of “conversation” is easily recognized as faux at best.

So whilst there are “sex machines” that are starting to look creepily like girls they are not in any way “companion bots” or substitutes for women, nor are they going to be.

Phillip August 11, 2023 10:59 PM

@Clive Robinson. We agree with never steering women this way (however implicitly), never mind religious obstinacies towards prostitution. Religion is already bringing the world down (and most certainly with violence), so I might not enjoy what this might mean.

Balderdash August 12, 2023 9:48 AM

Hello everyone. Long time lurker here. As a sec engineer ‘in the weeds’ on a data protection & encryption team for a large corp, I just have a question. I’d be grateful for your suggestions.

Is there a maturity model specifically for an enterprise cryptography program?

Yes there are NIST standards and the like. However they tend to be sluggish about changes. An example would be TDES only being disallowed this year. I have noted my thoughts on this and am developing a program roadmap. Resources would be very helpful.

Thank you.

iAPX August 12, 2023 11:33 AM

@Balderdash

In NIST SP800 documents, you have the good, the bad and the ugly.
I would first use NIST SP800 documents to guide me, as being compliant might be a necessity and at least create a framework that would be appreciated by auditors.

The same way, go to 256 bits (or more), not 128 bits, because most auditors aren’t knowledgeable or they follow dumb rules.
Still today, PCI DSS asks for rotating passwords regularly (90 days I think).

Within NIST SP800 recommendations, you have many weak algorithms, but also strong ones, and for AES you have different modes that increase security.
So it’s up to you to pick the strong ones while respecting the NIST SP800 recommendations; you will end up with relatively strong secure cryptography, be able to document it easily and no-one will raise an eyebrow by seeing a cypher or hash function they didn’t know about, ending up with hours of discussions if not days to justify the choice.

There’s no point in choosing a strong cypher, hash or whatever that is not well known, because it will be hard to justify it at first and then auditors might disagree (or their rules); this is a loss of time. Trust me!

So go with NIST SP800, pick the strong algos, 256 bits or more, and you will end up with relatively strong cryptography that everyone will agree with!

name.withheld.for.obvious.reasons August 12, 2023 12:04 PM

Aaron Swartz was a busy young man, not quite 27 years, and his cause got him killed. I know, people assume Aaron took his own life, found hung without a note/document/scribble as reported by the coroner, but knowing the institutional reaction to Aaron’s actions and intent, it makes impossible a consideration of his demise if not for the leaders of those institutions and the subsequent actions taken against Aaron. MIT’s own review of their actions claimed no harm. And as Aaron’s case was never adjudicated MIT was not held to account for its actions. I understand a case involving Aaron’s family. He’s to be made an example, not afforded justice but a metered revenge from the hands of his overlords.

1.) Was it Aaron’s failure to grasp reality, understand the consequences of his actions, and any risk or danger associated with his activities?
2.) Were institutions concerned about existing methods of controlling and authorizing access to public information as stalwart gatekeepers of the legal profession?
3.) Were hundreds of millions of dollars of sequestered resources vulnerable to theft and misappropriation–as if accidentally released to the public, like some strange pathogen or mutated virus, there would be dire consequences?
4.) It was Aaron’s failed exercise of authority, his charter to serve the people and institutions in his charge, and that is why he took his own life?

If you answered yes to all four questions, you are part of the problem.

Winter August 12, 2023 12:58 PM

@name.withheld
Re: Aaron Swartz suicide

I believe the blame for the suicide falls entirely on the shoulders of the prosecutor Carmen Milagros Ortiz.

Winter August 12, 2023 1:14 PM

@name.withheld
Re: MIT and Aaron Swartz

For what it is worth, here is a link to MIT’s internal investigation report about the case

‘https://news.mit.edu/2013/mit-releases-swartz-report-0730

&ers August 12, 2023 1:47 PM

@ALL

Since lately there has been just too much AI-related news here in this blog, I bring you something else for balance.

hxxps://news.err.ee/1609060589/isamaa-foundation-conducts-unethical-survey-on-behalf-of-tartu-university

hxxps://news.err.ee/1609060727/dean-of-tartu-university-my-actions-were-wrong

Clive Robinson August 12, 2023 3:45 PM

@ Bruce, ALL,

Re : Chrome gets X25519Kyber768

Google’s Chrome Security technical program manager Devon O’Brien has said that the next release of Chrome, due on the 15th August, will use a concatenation of the Elliptic Curve X25519 algorithm and the NIST “blessed” quantum-resistant “Key Exchange Mechanism” (KEM) Kyber768. Hence the mouthful of “alphabeti-spaghetti” X25519Kyber768.

To potentially be crashing a net appliance near you due to that “little extra” it adds to the original data.

https://www.theregister.com/2023/08/12/google_chrome_kem/

@ ALL,

Interestingly Google’s Devon O’Brien said,

“It’s believed that quantum computers that can break modern classical cryptography won’t arrive for 5, 10, possibly even 50 years from now, so why is it important to start protecting traffic today?

The answer is that certain uses of cryptography are vulnerable to a type of attack called Harvest Now, Decrypt Later, in which data is collected and stored today and later decrypted once cryptanalysis improves.”

The thing to remember though, is that symmetric encryption such as AES256 is not going to be affected by even the best “Quantum Computer” (QC) anywhere near as badly as asymmetric encryption used for “key exchange”[1].

So you can make quite a bit of your “thoughtful use” of Encryption secure simply by not using PubKey algorithms to do “Key Management” (KeyMan).

Whilst almost trivial to say, KeyMan has a reputation for going pear shaped due to user issues. It’s why PK Key Exchange at a very low level like in the “Transport Layer Security”(TLS) where the user can not get their fingers in is so popular.

In short if you want protection from “Harvest Now Decrypt Later” you and those you correspond with need to “man-up” now and use application layer encryption that does not do PubKey Key Exchange.

I’m not saying Google’s got it wrong or put a back door in or anything like that. But… we lost one Post-Quantum algorithm at nearly the last minute due to what appears an almost trivial non-quantum classical attack. So all I’m saying is “It’s early days and a lot can happen”.

[1] Symmetric / block algorithms can be attacked using Lov K Grover’s algorithm, but the advantage it gives is only equivalent to halving the number of bits in the key length. So switching up to AES256 or higher should be done now[2]. The Asymmetric “Public Key” algorithms we currently use are very susceptible to Peter Shor’s algorithm and that unfortunately is going to be devastating should a QC of sufficient capability ever get built (which may be doubtful in our expected life times).

[2] The original AES standard’s requirements only required a key size of up to 256 bits. However due to some concerns this is insufficient there have been suggestions for not just larger key bit sizes but variant stronger algorithms. Whilst not standard the likes of AES-512 should be considered for a more secure application level encryption.

https://www.researchgate.net/publication/325399475_EAES_Extended_Advanced_Encryption_Standard_with_Extended_Security

https://www.researchgate.net/profile/Abidalrahman-Mohd-2/publication/220793242_AES-512_512-Bit_Advanced_Encryption_Standard_algorithm_design_and_evaluation/links/606b200292851c91b1a6aa03/AES-512-512-Bit-Advanced-Encryption-Standard-algorithm-design-and-evaluation.pdf?origin=publication_detail

vas pup August 12, 2023 4:56 PM

@Clive and all other respected bloggers responding to my post – Thank you.

@Clive said “It’s been found that where normal prostitution is accepted and sensibly controlled, street crime and violent crime tends to be less.”

Absolutely agree. But our politics is around ideology, not logic, facts and common sense. E.g. Switzerland on guns and prostitution is really relaxed but there were no mass shootings or sexual violence against women. We just put the carriage before the horse and twisted cause-effects altogether here in the US.

By the way, many years ago Z. Freud pointed out that we all have two powerful forces, Eros (seeking love) and Thanatos (drive to death). They are both in a fight with each other, so when E is up and satisfied T is going down and suppressed, and vice versa.
Conclusion: based on statistics of the movies/TV shows, violence prevails but real old love movies (not hard porn gonzo) are down. That just supports Clive’s statement.

jackson August 12, 2023 7:16 PM

The assumption that symmetric encryption will be safe from QCs is faulty.

First, the only practical advantage to block ciphers is that the key is much smaller, and a fixed size, regardless of the length of ciphertext.

If methods to protect keys are so good, then why not use them to protect the files to begin with? The only reason is because keys are small and easily conveyed by public-key cryptography which can only protect data no bigger than the size of keys (e.g., 2048), and then not even that big.

So unless you’re talking about protecting data in your bunker and you don’t have to communicate with others then symmetric cryptography is no more safe from QCs than RSA.

Second, so far as block ciphers themselves, it is still an assumption. Block ciphers don’t even have mathematical guarantees to begin with. Also, there is research underway exploring the application of QCs to exploit weaknesses in the wide trail design strategy. The research has already demonstrated that it is possible to build a backdoor into a block cipher that cannot be discovered given current cryptanalysis.

If everyone is so sure that symmetric encryption is concrete safe, then why did so many cryptographers hesitate when the Snowden disclosures became public? Many pored over the docs looking for evidence the NSA had broken AES. It was because they knew it was possible. Some made bold assertions. Again, there are no proofs. There are only assumptions. They may hold. They may not. We don’t even know all that a QC will be able to do. Nor can we guarantee a breakthrough will never happen.

Clive Robinson August 12, 2023 9:30 PM

@ Jackson,

“The assumption that symmetric encryption will be safe from QCs is faulty.”

You left the “r” off of “safe”, and also “with respect to asymmetric encryption”. We know that all one to one mapping functions are vulnerable to a limited extent to Quantum Computers.

As explained the Lov K Grover algorithm has the effect of reducing the work / time such that it’s about the equivalent of halving the symmetric cipher key bit length.

But,

“If methods to protect keys are so good, then why not use them to protect the files to begin with?”

You appear to be conflating the use of encryption with “Key Management” (KeyMan), which is an unwise thing to do. Which you then fall afoul of by ignoring the temporal aspect of key usage.

But also the “harvest” process is not on “data at rest” stored files on a secure server, but by “collect it all” of “data in transit” that is being communicated across accessible networks.

Further,

“Second, so far as block ciphers themselves, it is still an assumption. Block ciphers don’t even have mathematical guarantees to begin with.”

Nor do asymmetric encryption systems used for PubKey key exchange. Likewise nor do stream ciphers.

In fact the “One Time Pad” (OTP) gives no guarantee of “secrecy of the message”; it can not, as a simple understanding of maths would tell you. All the OTP offers is,

“For any given ciphertext, all plaintext of that size or less are equiprobable.”

However asymmetric ciphers are actually more vulnerable than many people realize due to redundancy. For any given PQ PubKey size of N bits there are nowhere near 2^N actual PubKeys.

Knowing this is important because of what you don’t say about “back-doors”. It’s actually fairly simple to backdoor PubKeys and has been known as such since a paper in 1980.

Which brings us onto,

“The research has already demonstrated that it is possible to build a backdoor into a block cipher that cannot be discovered given current cryptanalysis.”

Again nothing particularly new there; it’s been known that wherever there is “redundancy” it’s possible to put in a “distinguisher”. All block ciphers are redundant, that is for any given 2^N map of usable size for encryption there are more permutations than 2^N key space. You can build a backdoor into a block cipher using Walsh Functions that will make a statistical distinguisher. The problem is how do you make it “general”.

As for,

“If everyone is so sure that symmetric encryption is concrete safe”

I really don’t know where you get that idea from; even simple mathematics tells you that any system that takes a plaintext message and converts it to another message via a one to one mapping will have an inverse mapping function. Thus it is a matter of “resources” and “distinguishers”.

Mind you this did make me laugh,

“We don’t even know all that a QC will be able to do. Nor can we guarantee a breakthrough will never happen.”

We don’t even know that a Quantum Computer will work in any useful way. So far the evidence is it probably won’t due to noise of various forms.

Likewise there is no evidence a quantum computer will, at useful work, outperform a classical state machine.

And that’s before we start talking about the practical limitations.

For instance are you aware that the current Quantum Computers are reliant on helium-3 (He-3) and helium-4 (He-4) for the diffusion refrigeration?

Of which the He-3 that is commercially available is actually the outgassing byproduct of enriched and thermonuclear weapons as the tritium within them decays with a little over a 12-year half life?

Or that due to the “Strategic Arms Reduction Treaty” (START 1) of July 1991 the production of tritium and stockpile of tritium based weapons has been decreasing, thus there is an increasing shortage of He-3 and the price went up something like 6000%?

Clive Robinson August 13, 2023 6:22 AM

@ ALL,

Not quite Squid Rings[1],

https://phys.org/news/2023-08-3d-printed-vegan-seafood.html

Made with plant proteins and a food grade 3D printer, these “Vegan calamari rings” can even be air-fried for a quick, tasty snack…

To get the texture the human mouth seeks,

“they replicated the flakiness and mouth feel of real fish by 3D printing a protein-based ink with a food-grade 3D printer. Depositing the edible ink layer by layer created different textures, some fatty and smooth and others fibrous and chewy, in a single product.”

Oh and even better the mung bean protein they use, that already has a slight fish flavour, is a byproduct of making the very popular “glass or Cellophane noodles” you can buy in most “Asian food aisles” in your local supermarket. As such the mung bean protein is available in such large quantities it is currently seen as a “waste product”.

So the 3D printing of such byproducts will help reduce the very large “food waste” that goes with food processing. Reducing edible food waste product is highly desirable as it makes better use of increasingly scarce resources including land and water.

But most important is that hopefully it will reduce the current “over fishing” that is decimating aquaculture populations and causing significant ecological damage.

[1] A friend jokingly refers to such “Mock Foods” as “Soy-lentil green, for Vegans”…

Anonymous August 14, 2023 1:59 AM

@name.withheld.for.obvious.reasons

Thank you for reminding us of the Aaron Schwartz story. I once parked my car in Harvard Yard, though it was already ugly before I parked it. I am not joking. This was seriously, a long time ago. Fortunately, I survived, though it was very possible I would not know the extent of my damage. The saga was nice with me in many ways. Saga continues breezy enough to where I can make it out of it.

RobertT August 14, 2023 5:35 AM

I think I’ve mentioned before that I personally favor older computers for my daily internet access for the simple reason that I will usually notice changes in the performance anytime some TLA decides to give me some extra software to run, all done free-of-charge… and without my permission.
They’re developing new viruses on 2023 hardware whereas I’m running 2010 hardware. Absolutely no noticeable change for them is a whole world of change for me.
Of course I just laugh because their efforts are all for naught when there is no persistent storage present on the system.

PaulBart August 14, 2023 7:51 AM

@Clive
” For various “reasons” women still get paid less than men and a 25% salary / bonus disparity is common despite legislation.”

Same old trope, over and over, does not make it true.

Given the same level of education AND hours worked AND experience AND job function, women in fact get paid more. But women do not have the same education, do not work the same hours, and do not have the same experience and avoid high risk and high stress professions due to simply biology; they bear children. Biology “reasons” that wokists refuse to acknowledge, as there is no man nor woman in their woke minds, just this society that only they can fix.

&ers August 14, 2023 9:21 AM

@ALL

From now on in English. Happy reading!

“Situation in cyberspace – July 2023 | 271.18 KB | pdf”

hxxps://www.ria.ee/media/3107/download

Winter August 14, 2023 9:32 AM

@PaulBart

Same old trope, over and over, does not make it true.

Indeed, same old trope as a response. Women are discriminated against at every position in society. Whenever rigorously quantified, the results are glaringly obvious. Just as obvious as your discriminating remarks about female biology, which are totally irrelevant for this discussion.

In Science, for example, education and experience can be easily and rigorously quantified and here we find solid and persistent discrimination at each step of a career:
‘https://link.springer.com/article/10.1007/s11192-018-2667-0

Even when cited, articles with a female author are cited less:
‘https://www.science.org/content/article/women-researchers-cited-less-men-heres-why-what-can-done

According to the first new study, published in Nature Physics last week, overcitation of men researchers is primarily driven by other men researchers (which has also been seen in political sciences) and by researchers less familiar with that area of work.

And more:
‘https://www.nature.com/articles/s41586-022-04966-w

Clive Robinson August 14, 2023 11:02 AM

@ RobertT, ALL,

“Of course I just laugh because their efforts are all for naught when there is no persistent storage present on the system.”

Finding and eliminating “ALL” persistent storage can be difficult.

For the average ICTsec techie I tell them “not possible with 2005 and newer hardware”, because you just don’t know where various types of Flash ROM will be lurking on I/O cards etc as well as the motherboard. The “Sound Card” chips are probably the most standard I/O part on motherboards; since the AC97 got obsoleted by “Intel High Definition Audio” (IHDA), more commonly known as “HD Audio”, just about every motherboard has it on board.

If you have access to “the right data sheets”, which most don’t, then yes you can find a chip’s data sheet and check it for Flash, or in some cases replace it with old style EPROM.

It’s why I still use 1995 and earlier hardware. Fun fact: much modern malware won’t run on a 486 or earlier due to instruction set differences. And if you have the right books and magazines in your dead-tree cave, you also have CD-ROMs / DVDs with all sorts of different OSes on them that will run from the Optical Drive.

Fun fact for most people to have a think about,

Minix is a *nix lookalike that sadly few users chose to run these days. Intel though apparently chose to run it on every one of their CPU chips, which makes it possibly the most used OS out there,

https://www.bleepingcomputer.com/news/hardware/intels-secret-cpu-on-chip-management-engine-me-runs-on-minix-os/

The point being if you know what you are doing with Minix you can make quite a powerful “Network box”.

&ers August 14, 2023 11:39 AM

@Clive

OK, you use a 486.
Tell me please how much you can do today with a 486?
Can you access this blog with it?

If you remember, I have countless times brought up the issue here to remove that automatic (and idiotic) http to https redirection.

In my view this blog is like a newspaper, public info. So why do I need to hide what I’m currently reading from that newspaper? Remember Cone of Silence?

hxxps://en.wikipedia.org/wiki/Cone_of_Silence_(Get_Smart)

I see the analogy here – https on this blog is similar to if I should read the newspaper ONLY inside the Cone of Silence, preferably even in a darkened one.

You see how stupid this is?

And THEN, without any encryption, this blog CAN be read on a 486. Even IRC can be used on the very first IBM PC where there are absolutely no backdoors.

Yes, this is a security issue. Using security in the utmost wrong place and for the wrong purpose. Like Security Theater.

PaulBart August 14, 2023 1:30 PM

@Winter
h ttps://www.forbes.com/sites/evangerstmann/2019/06/06/dispelling-myths-about-the-gender-pay-gap/?sh=11f1b0b146fa
h ttps://www.cbsnews.com/news/the-gender-pay-gap-is-a-complete-myth/

There’s a reason why the WNBA players earn less than NBA players.

Holds true for all sports, because lo and behold, sex differences are real, not societal.
h ttps://www.breitbart.com/sports/2023/06/02/u-s-womens-soccer-team-destroyed-12-0-team-older-male-wrexham-players/

name.withheld.for.obvious.reasons August 14, 2023 2:21 PM

As some concerning takes on the representation of a class of individuals has taken shape…forgive me Moderator.

Myself, the development of an intersectional movement must include civil rights for women.

Yes, civil rights for women. Feminism requires a formative analysis and must champion the elevation of women outside the context of millennia-long patriarchy. Feminism cannot be victimized by overt and covert social and political mechanisms of misogyny and repression. The prejudice experienced by women is not dissimilar to racism’s workings; it is contextual and structural and has the boot holding down groups not “white, male, christian, cis, and narcissistic” placed on their throats. The rearward looking (arse-like) movement, I call it Neo-kleptocratic-theonomic-fascism, has gathered momentum and power.

I personally support the most forward looking, visionary reimagining of the social order allowing all individuals, irrespective of any identity, to champion and be championed in worthwhile endeavors and aspirations. I understand it can and should be women leading the way in the 21st century. I certainly wouldn’t trust it to “men” given their track record.

I admire women with agency, self-awareness, and are capable of operating as actualized (meaning their movements are purposeful, intelligent, and rewarding), not in want of favor or preference but fully open cognitively and capable of all possibilities. History reflects well men having shat on women for much of human history–it is time to end the injustices carried out by individuals and groups determined to undermine others in order to achieve favor, power, and property. To contextualize, biblically women are considered property often measured in mules and under contemporary law still bonded (as in bondage to) legally to the status of “slightly higher than property, sometimes”.

&ers August 14, 2023 3:19 PM

@ALL

hxxps://stackdiary.com/the-data-of-760000-discord-io-users-was-put-up-for-sale-on-the-darknet/

Clive Robinson August 14, 2023 8:39 PM

@ &ers,

Re : 486 capabilities.

“Can you access this blog with it?”

That depends on what you mean by “access”.

As you know you can see the text of this blog on a vt220 if you do it right, and a 486 running an early version of Linux with graphical interface will display around six net-term vt220 look alikes. Or six full screens selected by top row function keys. You can also run a “remote desktop” via a suitably updated version of VNC etc. Oh and also if you want further isolation even across a serial line[1].

The real question is “doing it right”. For instance on another box you can use wget to scrape an https page into several formats and also use it for GET, POST, PUT, etc. There are many wget tutorials of which one is,

https://www.digitalocean.com/community/tutorials/how-to-use-wget-to-download-files-and-interact-with-rest-apis

Importantly you can run wget via scripts and text files to pull everything into a remote directory that you can access without needing to go across the Internet, thus avoiding being open to “in-band tracking” in an attempted “Find Fix Finish” operation.

If you wish to, you can run the remote terminal via an old fashioned serial line. 9600 baud might sound slow but it will run across HF Radio Modems or VHF/UHF modems. So you can in theory be anywhere and not traceable across the Internet except to that first box[1].

You then have two options, view the remote computer screen or using a file download mechanism that is secure but does not use PubKey “cloud-warming” pull the file across the network or link. Then “sanitize” the files locally before opening.

What people forget is most web pages are a waste of bandwidth. That is unless you want multi-media which I mostly don’t, quite often you don’t need very much bandwidth to get the “text” and no JavaScript or Cookies etc required. This can up the download speed by a significant factor. That is take a second or two at the most as opposed to half a minute or considerably more.

So yes you can do a great deal, you just need to know how to cut out the waste, be it the crap of https, or video, pictures or audio, oh and those mind numbing absurdities of JavaScript and HTML5 mainly used to your disbenefit.

Oh and years ago, back when HTML3 was fresh and hot, there used to be sites you could send an html link and an email address to, and they would pull down the page and email it to you. For obvious reasons these are not as obviously available as they once were.

With regards,

“Remember Cone of Silence?”

My first memory of it as a term was from a film of that name, and they incorrectly used it as a “Pilot Radio Navigation Aid”. I must have seen it in the 1960’s or early 70’s on TV but certainly before Prof R.V.Jones “Most Secret War” book came out. There is a scene where a pilot flies down a radio navigation beam in the “cone of silence” intersection of the dots and dashes radio beams. The film was in Black and White and was dull action wise though full of technical terms and the like. It was supposedly about early jet aircraft crashes and human failings (a subject that appears not to want to go away).

[1] If you remember a few years back I mentioned this when US Politicians “burned” a Dutch Intelligence operation. The Dutch had back-traced across the Internet and found their way onto the cyber-crooks’ laptops whilst they were using them, turned on the web-cams and got nice pictures of the crooks in action. The crooks had for some reason not put in a “choke-point” and “one-way” isolation.

lucass August 14, 2023 10:31 PM

@ &ers,

And THEN, without any encryption, this blog CAN be read on 486.

You might be underestimating the 80486, or overestimating the costs of crypto. The first web browser I used was on a 486, and I’m pretty sure I (rarely) used SSL on that machine. It was a pain in the ass due to the “crypto wars”—one had to give Mozilla or Microsoft one’s US or Canadian address to get the secure version, and few sites used SSL anyway—but performance was fine considering our slow modem. AES could probably decrypt fast enough to get a respectable speed on 10 Mbit/s ethernet. As for Curve25519 and Poly1305, the author (Bernstein) wrote and tested implementations for the original Pentium, which is maybe 2 or 3 times the speed of a 486.

Personally, were I using old hardware for security, I’d be inclined to use a Pentium P54C. It’s well understood now—though perhaps Clive is still bitter about Appendix H—and doesn’t use speculative execution. It’s kind of the last “simple” Intel CPU, which I guess is why Intel chose it for Quark and (with added x86-64 support) Larrabee.

I think it’d be interesting to have “hybrid” systems for security purposes, too. Like a fully modern CPU with some embedded P54C cores—they could handle the security-sensitive stuff while the “big” CPU decodes video, runs games, etc. One could probably do a research project to run an ARM “big/little” system this way. (Unlike the “hidden” cores in modern desktop PCs, both sets of cores on those ARM systems are managed by the operating system.)

&ers August 15, 2023 9:32 AM

@lucass

No, I’m not underestimating anything here.

I know pretty well what old HW can do.
And what can be done with old hardware. Today.

Do you know MicroWeb project?

hxxps://github.com/jhhoward/MicroWeb

Or do you know this project?

hxxp://486servu.dy.fi/index_en.htm
hxxp://486servu.dy.fi/server.htm

&ers August 15, 2023 10:11 AM

@Clive

Yes, we can demote our good 486 to terminal status, it works, but the problem is more fundamental.

We download an https page via curl and strip everything except the text we need. The overhead is enormous. In the end we use a massive amount of bandwidth and energy to get text that could otherwise be received with a lot less energy and bandwidth.

Why do we do it, for what, the “security”?

The analogy here would be a Christmas present that is wrapped inside 99 boxes, each just a little bit bigger than the previous one (like Russian Matryoshka / nested dolls). And later we just throw away those 99 packages.

The consequences for the environment are enormous. It is an utterly stupid thing to blindly encrypt everything. The whole “https everywhere” initiative is so stupid.

Also please see my answer to @lucass where I showed that the web can be browsed even with an 8088. And you know very well that demoscene guys do wonders on the original IBM PC (full motion video etc.). Point being: with a little bit of will this blog can also be used directly with an 8088.

Mr. Peed Off August 15, 2023 12:32 PM

A New Zealand supermarket experimenting with using AI to generate meal plans has seen its app produce some unusual dishes – recommending customers recipes for deadly chlorine gas, “poison bread sandwiches” and mosquito-repellent roast potatoes.

The app, created by supermarket chain Pak ‘n’ Save, was advertised as a way for customers to creatively use up leftovers during the cost of living crisis. It asks users to enter in various ingredients in their homes, and auto-generates a meal plan or recipe, along with cheery commentary. It initially drew attention on social media for some unappealing recipes, including an “oreo vegetable stir-fry”.

When customers began experimenting with entering a wider range of household shopping list items into the app, however, it began to make even less appealing recommendations. One recipe it dubbed “aromatic water mix” would create chlorine gas. The bot recommends the recipe as “the perfect nonalcoholic beverage to quench your thirst and refresh your senses”.

“Serve chilled and enjoy the refreshing fragrance,” it says, but does not note that inhaling chlorine gas can cause lung damage or death.

https://www.theguardian.com/world/2023/aug/10/pak-n-save-savey-meal-bot-ai-app-malfunction-recipes

https://www.theguardian.com/newsletters/2023/aug/15/techscape-facial-recognition-software-detroit-porcha-woodruff-black-people-ai

Clive Robinson August 15, 2023 3:15 PM

@ Mr. Peed Off, ALL,

“A New Zealand supermarket experimenting with using AI to generate meal plans…”

I mentioned this earlier under a “cleaner taste” and how “Trumpian” it was 😉

But did not go into the details.

It might interest you to know that some “supermarkets” actually spray a “bleaching agent” onto food whilst it is being displayed.

The agent is “hydrogen peroxide” which is very good at destroying microbes and pathogens on the surface of meat. In the process it breaks down into oxygen and water, both of which are not poisonous in small quantities and are effectively traceless…

Which has three advantages,

1, It prolongs the display life by a lot.
2, It stops the meat losing weight by dehydration, thus maintaining sale price.
3, It re-oxygenates the surface keeping that fresh bright red colour longer, making shoppers think it’s fresh cut.

When I first read about it as a practice it reminded me of the very dangerous trick Victorian era milk sellers used to do…

As milk sours it forms butyrate which gives it the “off” or “sour” smell. Well the addition of a little caustic lye stops the smell but not the other rotting and build up of pathogens etc.

So people were getting caustic chemical burns through to being poisoned to death…

But throw in a little AI and the wheel of history repeats…

lurker August 15, 2023 4:28 PM

@Mr.Peed Off, All

It’s a computer, Garbage In, Garbage Out, aided by that peculiar antipodean sense of humour testing the edge cases. The supermarket named is a nationwide price-cutter chain. It looks like they got a real bargain with this AI-app. As they say, the “recipes” have not been reviewed by a human. It’s just as likely the purchase contract for the bot wasn’t reviewed by a human either.

&ers August 15, 2023 5:29 PM

@ALL

hxxps://www.telegraph.co.uk/business/2023/08/12/russian-spy-agencies-targeting-elon-musk-starlink-malware/

Brodie August 15, 2023 9:18 PM

Scientists Reconstructed a Pink Floyd Song From Brain Activity: The research aims to develop technology that lets patients who have lost the ability to speak communicate more naturally [https://www.wsj.com/articles/mind-reading-computer-ai-brain-research-a643705f]

ResearcherZero August 16, 2023 1:24 AM

A police statement named them as Orlin Roussev, 45, of Great Yarmouth, Norfolk, and Bizer Dzhambazov, 41, and Katrin Ivanova, 31, both of the same address in Harrow, north-west London.

“accomplished network engineer and software developer […] delivering a wide variety of technology projects across eastern Europe”

Roussev moved to the UK in 2009, according to the report, originally spending three years as a technician in the financial services industry.
According to his LinkedIn profile, he owns a business [NewGenTech Ltd] involved in signals intelligence, which involves the interception of communications or electronic signals. Roussev also claimed on LinkedIn to have acted as an adviser to the Bulgarian Ministry of Energy.

Dzhambazov was a driver for hospitals, while Ivanova describes herself on her LinkedIn profile as a laboratory assistant for a private health business.
The pair also ran a community organisation providing services to Bulgarian people, including familiarising them with the “culture and norms of British society”…

“In relation to the Official Secrets Act investigation, all five individuals were later released on police bail and are due to return in September 2023… Enquiries continue.”

‘https://www.abc.net.au/news/2023-08-15/three-suspected-russian-spies-arrested-in-britain/102734240

“Orlin Roussev is an accomplished network engineer and software developer whose experience includes working as CTO, Business Development Manager and Chief Engineer for technology firms specialising in telecommunications, intelligent traffic management systems, building automation, IT&T security, network implementation and radio engineering.”

‘https://www.finextra.com/pressarticle/27585/atrium-network-names-orlin-roussev-cto

NewGenTech Ltd – “artificial intelligence, advanced indexing systems and algorithms, advanced communication systems … and high-frequency technologies and signals processing”

‘https://find-and-update.company-information.service.gov.uk/company/12270621

ResearcherZero August 16, 2023 1:32 AM

‘https://www.linkedin.com/in/orlin-roussev-4b43b462/details/experience/

ResearcherZero August 16, 2023 1:46 AM

Users in Israel, Europe, and elsewhere may find their privacy rights compromised by Russia’s new surveillance law.

‘https://meduza.io/en/feature/2023/08/08/user-x-with-driver-y-traveled-from-point-a-to-point-b

‘https://www.confiant.com/news/the-yandex-leak-how-a-russian-search-giant-uses-consumer-data

All “negative” content found by the GRFC team is passed on to the security services: the Prosecutor General, the presidential administration, the Interior Ministry, the FSB, the FSO and the National Guard.

‘https://en.thebell.io/a-regulator-leak-helps-us-understand-how-censorship-works-on-the-russian-internet/

ResearcherZero August 16, 2023 2:49 AM

“ensh*ttification”

‘https://www.wired.com/story/the-cloud-is-a-prison-can-the-local-first-software-movement-set-us-free/

“The world’s largest accounting firms are fighting to block new rules in the US that would force them to take more responsibility for rooting out fraud at the companies they audit.”

The proposal comes as the PCAOB announced its inspectors found deficiencies in 30 per cent of audits carried out by the US businesses of the global network firms – the big four of Deloitte, PwC, KPMG and EY, plus Grant Thornton and BDO – last year.

It also comes as the Australian corporate watchdog, ASIC, scraps its annual report card about the audit quality of major Australian firms.

‘https://www.afr.com/companies/professional-services/audit-firms-fight-to-block-expansion-of-fraud-detection-role-20230802-p5dt9l

“The largest firms have the upper hand and are operating with impunity.”

‘https://www.icij.org/investigations/deforestation-inc/accounting-firms-accused-of-operating-with-impunity-as-regulator-flags-growing-number-of-flawed-audits/

40% of audits it inspected in 2022 had such significant deficiencies that the audit firm did not have sufficient evidence to support the opinion it rendered on clients’ financial statements or financial reporting…

‘https://pcaobus.org/documents/staff-preview-2022-inspection-observations-spotlight.pdf

97 per cent of the external audit work of the ASX 300 companies was done by the big four. When it fails it can be catastrophic.

‘https://www.abc.net.au/news/2023-08-14/australia-big-four-audit-decline-quality-fear-corporate-collapse/102718744

“Canberra consultant David Milo used and shared documents he had previously accessed on major military contracts while in a senior role for Deloitte.”

“The Defence document was not permitted to leave Deloitte, and the consultancy giant said it would launch an investigation when alerted to the apparent breach.”

‘https://www.smh.com.au/politics/federal/ex-deloitte-partner-used-confidential-defence-documents-to-win-work-for-his-new-business-20230719-p5dpka.html

The largest number of negative findings continued to relate to the audit of asset values and impairment of non-financial assets and the audit of revenue. Other areas of our findings included audit of inventories, investments and financial instruments, expenses and payables, and provisions.

‘https://download.asic.gov.au/media/vosb0x4p/rep709-published-30-november-2021.pdf

ResearcherZero August 16, 2023 3:00 AM

“The report finds that enforcement continues on the alarming downward trend of recent years.”

‘https://images.transparencycdn.org/images/2022_Report-Full_Exporting-Corruption_English.pdf

deficiencies:

‘https://assets.pcaobus.org/pcaob-dev/docs/default-source/inspections/documents/2022-broker-dealer-annual-report.pdf

The risk of bribery and corruption also cannot be considered in isolation; it frequently goes hand in hand with other financial crimes, particularly fraud and money laundering.
https://www.kroll.com/en/insights/publications/global-fraud-and-risk-report-2021/research-summary-bribery-and-corruption

“The Russians [etc] …are looking for people that they think are important in the West, important in political, business and economic circles. …They target people they think are going to be useful to them one way or the other.”

‘https://www.npr.org/sections/parallels/2017/04/11/523416914/russian-spies-go-to-tactics-for-entangling-people-bribery-and-blackmail

‘the promise, offering or giving of an undue advantage and the solicitation or acceptance of an undue advantage’

‘https://www.cia.gov/static/30b273c621d0896f13104ff48840b68f/psychology-of-espionage.pdf

JonKnowsNothing August 16, 2023 9:14 AM

@ResearcherZero, All

re: Audits are not Criminal Investigations

There is a lot of hocus-pocus when it comes to USA Accounting Practices and Procedures and how they are viewed or encouraged to be viewed by the general public.

Certified Public Accountants (CPAs / USA) do bookkeeping. That’s the job. They get a lot more money for it than the ordinary non-certified bookkeeper. There are CPAs that specialize in Taxation Rules and some that specialize in Governmental Accounting Rules: which are not how your checkbook works although a lot of people think it works just like your personal financial affairs work.

CPAs have built a large business out of Audits; which gets divided into several categories depending on how much the client is willing to pay. Some audits are more extensive than others and require a longer period to complete. In no case are these Criminal Investigations, nor do they look for fraud or other malfeasance within the accounting system of the company. At the highest end they look for errors in presentation.

In the USA, hardly any company outside of the Stock Market uses the higher end audits. Home Owner Associations and other smaller businesses may need a lesser Annual Audit by State laws.

The level of inquiry is:

  • Company books: 100 Washing Machines in the warehouse.

Of the two main audits they will result in either

  • The Company asserts that there are 100 Washing Machines in the warehouse.

or

  • We have gone to the warehouse and counted 99 Washing Machines. There is 1 Washing Machine in transit.

If an audit resulted in

  • We went to the warehouse and found zero washing machines. There is no documentation as to the disposition of the washing machines.

the accounting firm would bail on the audit and drop the client.

There is no criminal inquiry involved. CPAs are not police, they do not gather legal evidence, they do not have warrants, they can only access what the company allows them to access.

Does this mean that

  • financial and material fraud or criminal behavior does not exist?

Of course not. What it means is CPAs don’t do that work, the FBI does it. The FBI is very good at it too.

The IRS can do it too but there are blockages setup to prevent them from looking too closely at anyone, especially people with extensive financial affairs. The IRS runs their tax audits on a closely guarded ratio of Rich:Poor. More poor people get looked at because, pre-digital filing, they made more maths errors and claw-backs are easier to get from a poor person with little legal representation.

SpaceLifeForm August 16, 2023 6:48 PM

How is that Random working for you today?

‘https://arstechnica.com/security/2023/08/windows-feature-that-resets-system-clocks-based-on-random-data-is-wreaking-havoc/

“The false assumption is that most SSL implementations return the server time,” Simen said. “This was probably true in a Microsoft-only ecosystem back when they implemented it, but at that time [when STS was introduced], OpenSSL was already sending random data instead.”

P Coffman August 16, 2023 7:15 PM

@ers,

About “unethical-survey”, it does seem more dragnet-ish than scientific inquiry. By way of analogy, if someone were to ask men why they were not working (this week), it could be financial security, it could be a training phase, or whatever. In other words, buckshot. Simply put, any worker may have been treated unfairly. Or a loved one passed away. Like the survey pretending to actually help with a few of these examples, right?

Not to mention opening up a can of worms.

Well, who passed away? Why did you call in sick? Who (or what role) treated you unfairly? Why did you wait to seek retraining? Yada yada yada.

When anybody takes a break, might he or she be handling it, already?

At University, we are to spot those topics not getting responses. Yours is an interesting question, and I do enjoy some of these foreign posts.

I know little about the demographics of Estonia. Though reproductive policy is getting a little crazy in the states, am I right? There is this.

ResearcherZero August 17, 2023 2:52 AM

@JonKnowsNothing

Consultancy groups are not vetted, reviewed, or subject to disclosure.

The problem is that consultants are working inside supposedly secure buildings with access to sensitive documents (Defense/Intelligence) without any vetting. Some known crooks with a history of inducement among them (though some of these partners have now been fired). But the entire work culture within these companies is very poor.

Making known crooks partners in a consultancy is not exactly “walling off”. That is the language they have used to describe the process of making them partners.

Deloitte has since claimed it has introduced measures to detect the removal of documents via USB drive, (there has been no comment on stuffing documents up shirts and walking out of the building with them).

They also work inside the Federal Police, including their auditing department, during the ongoing Federal Police investigation into those very same companies…

https://www.abc.net.au/news/2023-08-08/kpmg-defence-contracts-consultants-four-billion/102699506

Several Russian journalists and activists poisoned

“The main suspicion of the experts surveyed is that the substance used was an organochlorine compound such as dichloroethane.”

…According to an expert who has experience developing toxic substances, the symptoms described, including the characteristic numbness, indicate that a neuroparalytic substance [was used]. This class of substances includes all Novichok agents, but determining the substance’s exact class based on symptoms alone is impossible.

‘https://theins.ru/en/politics/264280

potassium dichromate

‘https://www.sciencedirect.com/science/article/pii/S0379073811004956

“Who’s the censor now?”

Musk’s Platform Suing Its Way Out of Accountability

‘https://www.wired.com/story/twitter-x-ccdh-lawsuit-data-crackdown/

ResearcherZero August 17, 2023 3:20 AM

@JonKnowsNothing

A foreign intelligence agency could make an educated guess that KPMG had a good shot at landing the project. Getting in on the ground floor would then provide an opportunity for targeted acquisition of further program details — thanks to KPMG’s overview…

“KPMG has dominated the defence and national security space in Canberra, but its latest contract win has been controversial as the firm helped design the ASD project and was then allowed to bid for its implementation.”

This is known in consulting circles as “marking your own homework”, as KPMG would have gained intimate knowledge of what the ASD upgrade required, having spent the previous two years helping the agency design the project.

‘https://www.abc.net.au/news/2023-08-15/spy-agency-caught-up-in-kpmg-scandal/102728874

Clive Robinson August 17, 2023 3:57 AM

@ SpaceLifeForm,

Re : Microsoft “Screw-up Time System”(STS)

From the article,

“… but at that time [when STS was introduced], OpenSSL was already sending random data instead.”

But nobody thought to ask outside of the recalcitrant Microsoft help…

There were several reasons many stopped sending time stamps on multiple services. The first is synchronisation is near impossible in a sensible way. Secondly many people need time to “tick” way better than Unix time[1] once a second.

But most importantly there are “security implications” and it’s not just with PK certs, there’s way too much “the time’s always right” thinking in software developers.

But for some of the stuff I do you need to treat time as “relative” –as you should do– with a minimum of two times “internal time” and “external local time”. But also if you are sensible “Universal time”.

Let’s just say there are a lot of things that can break if your computer goes faster than a given speed. The shorter the “tick” the “lower the limit”.

Then there are issues with bouncing off the ionosphere at near C (the earth’s atmosphere is not free space). Oh and that signals don’t travel in straight lines or on single paths so things can get a long ways apart[2].

So yeh asking “What’s the time?” can in communications networks be answered with “Whose time do you want?”.

And as we should all know by now,

“Where there is ill defined variability there is oft vulnerability, thus attack potential.”

The trouble with Microsoft is like the Banks they think they “Are too big to fail” and their development encourages “Embrace and Extend” thinking, and that “Extend” is all too frequently “trouble with a capital T” as they just don’t think it through…

[1] A funny dose of synchronicity again… This is the second time Unix-Time has come up in less than 48 hours for the first time in many a year.

[2] Back when I was a kid and radios had that warm smell of valves/tubes most radio stations were in the Medium Wave band (0.5 – 1.6 MHz) and stations identified not by frequency but wavelength so “Radio L 247” was 247 meters which was ~300/247 which was 1215kHz (for some strange sounding reason frequencies were every 9kHz). In “Great Britain” it was all run by the “British Broadcasting Corporation” in close collaboration with the Government and in the case of the “World Service” the “British Secret Intelligence Service”(SIS) most called MI6 through the “Diplomatic Wireless Service”(DWS). So radio was dull and unexciting unlike over in Europe where there were stations like “Radio Luxembourg” that played music that the kids wanted; even the German radio, as it was “cold war”, was more interesting music wise (and you could hear USSR/CCCP jamming). You were aware of the so called “Luxembourg Effect” where you received both the “ground wave” and the “sky wave” due to the “D layer” changing with the sun setting. This caused the European stations to “fade in and out” as the path length difference changed with the ionosphere change and caused phase changes. Many a young lad got a taste of radio that led on to a profession, and some –myself included– took a diversion through “Pirate Radio” as it started up, then Amateur Radio, whilst the “old hands” went the other way.

Clive Robinson August 17, 2023 6:37 AM

@ Bruce, ALL,

Re : QR Code hooked phishing attacks

A major email Phishing campaign uses QR codes to bypass security systems to get their malicious emails into people’s inboxes.

https://www.bleepingcomputer.com/news/security/major-us-energy-org-targeted-in-qr-code-phishing-attack/

There are several obscuring/hiding layers involved and Cofense who detected this campaign indicate that this is the first time they have seen QR codes used at this large scale.

They concluded that Phishing perps are probably testing QR Code hooks’ effectiveness as a profitable vector to add to their repertoire of attacks.

Clive Robinson August 17, 2023 6:49 AM

@ ALL,

Linkedin account hacking campaign

Cyberint are reporting that there is a campaign to attack LinkedIn accounts,

“This campaign is currently affecting individuals worldwide, resulting in a significant number of victims losing access to their accounts. Some have even been pressured into paying a ransom to regain control or faced with the permanent deletion of their accounts. While LinkedIn has not yet issued an official announcement, it appears that their support response time has lengthened, with reports of a high volume of support requests.”

https://cyberint.com/blog/research/linkedin-accounts-under-attack-how-to-protect-yourself/

It goes on to describe how they spotted the campaign, then how the attacks are carried out.

Nestor Gray August 17, 2023 10:00 AM

@ Clive Robinson,

“… but at that time [when STS was introduced], OpenSSL was already sending random data instead.”

I don’t see anything in either the Ars article or Microsoft’s about how this is relevant—or, more to the point, which “SSL” handshakes are used. (Speaking of “what year is it?”, SSL was renamed to TLS in 1999, and the article has no visible date. In fact, it has an explicitly-invisible-via-CSS date of 2016. Not a good sign.)

Presumably, only TLS handshakes made by processes with administrative privileges would be capable of affecting the system clock. So, perhaps Windows Update—but would MS run that on OpenSSL? And why not just provide a secure get-time interface there or on time.windows.com? What other handshakes could this really be? Maybe a domain controller running a non-Windows TLS implementation, which is possible but unusual. Maybe SMB/CIFS connections on the local network, but do they support TLS? I can’t think of much else. Is it possible the cause is something really dumb, like people doing general web browsing with Internet Explorer under the Administrator account, and that’s why it’s so hard to reproduce?

Clive Robinson August 17, 2023 11:15 AM

@ Nestor Gray.

“I don’t see anything in either the Ars article… …and the article has no visible date. In fact, it has an explicitly-invisible-via-CSS date of 2016. Not a good sign.”

The ARS article intro on today’s ARS Technica front page says,

“Windows Secure Time Seeding resets clocks months or years off the correct time.

by Dan Goodin | Aug 16, 2023 5:23 pm UTC”

I’m surprised you did not see it.

Especially as it’s also repeated under the headline of the actual article page as people can see at,

https://arstechnica.com/security/2023/08/windows-feature-that-resets-system-clocks-based-on-random-data-is-wreaking-havoc/

I’ll leave it at that as I don’t want to take up column inches without good reason.

Nestor Gray August 17, 2023 11:39 AM

Sorry about the lack of clarity. I was referring to Microsoft’s article missing a date. That’s the one linked from Ars on page 1 via the text “introduced”. The HTML source has the (2016) date embedded in a “time” block, with class=”is-invisible”. Literally right above the “What year is it?” heading, for a bit of irony. The footer has a copyright date of 2023, and the only in-page search result I get for “2016” is the reference to Windows Server 2016.

&ers August 17, 2023 1:25 PM

@Clive

What’s the sitrep there?

hxxps://www.independent.co.uk/news/uk/home-news/new-covid-variant-eris-masks-rules-b2394433.html

JonKnowsNothing August 17, 2023 2:37 PM

@&ers, @Clive, All

fwiw: My last post on EG5 aka Eris hit Road Rash.

In UK MSM reports only 65+ can get jabs. Under 65 are asking to pay for a jab.

In USA, jabs availability depend on your health insurance. Some are No Charge others may cost up to $130. U Pick: Old jab or New jab (fall Oct 2023)

Current US retail price is $130 per dose.

JonKnowsNothing August 17, 2023 3:05 PM

@ResearcherZero, All

re: Consultants are not All Equal

afaik Every country has their own standards for bookkeeping. Not every country has a “certification” system for accountants. Not every country makes a distinction between corporation, government or individual financial systems. Countries that run on Command Economies have a different method than those that have Stock Market Certificates on sale.

Within bookkeeping there is just a basic rule of what “accurate books” means; it varies by industry and government policies. The level of accuracy also varies. The reasons it may be inaccurate and still be acceptable also vary by country and industry.

  • The UK Post Office Horizon debacle is an example of how inaccurate became accurate under law

Large “accounting firms” long ago realized that the number of Audit Clients was limited and branched into “Consulting” of all types.

Part of what you describe is their “Computer and Defense Systems Consulting” services. Like any out-sourced software system, it comes with a load of gotchas. Like any contract provider of Temp Software Engineering (global) the system is ripe for rip-off.

It features prominently at contract renewal time.

  • 90% of the project takes 90% of the time
  • 10% of the project takes another 90% of the time (repeat)

It all comes down to gold plated toilet seats in the Customer Add-On Request List.

Where Law Enforcement is working with the Accountants, they provide the warrants and the police system as part of the deal. If it’s software that’s a different group than the ones counting the $$$$. There may be all 3 groups together or more, depending on how many LEAs are involved.

Defense Contract and/or Civil Contract allocation and bidding where large sums of money are at stake are also subject to gag orders and in the USA, the Black Budget, which no one is allowed to discuss publicly.

CPAs working for the IRS or other LEAs are not the same ones that do general bookkeeping or general audits. The IRS is a law enforcement agency. The job comes with a badge and a gun. The IRS also recommends you don’t tell anyone where you work.

JonKnowsNothing August 17, 2023 3:19 PM

@ResearcherZero, All

One more clarification for the USA

In the USA, you can get a BA Business Degree in Accounting. Which means you took some courses in How To add up the columns and what goes in each category and what to do if you put something in the wrong spot.

  • Calculating gallons of paint WIP work-in-progress
  • How many tables can be made from the legs in inventory
  • How to calculate dividends and share splits
  • Did we make money this month? Can we pay the bills? Can we pay employees?

Most states have an Accounting Certification Board, which is independent of the University Degree. You can register and “sit the exams” which were 2 days needing large bags of candy to maintain a sugar high.

Many states have reciprocity, meaning they recognize the certificate from another state. Other states do not. If not you need to re-sit the exams in the destination state. All similar to the Bar Exams for lawyers.

The problem arises with the final step in the certification, which may mean a 2 year rock bottom pay internship with a company that has an Audit Practice. You need the 2 years to finalize the letters: CPA Certified Public Accountant.

Without that, you are “just” an accountant. Which is one reason the MBA came along because the number of slave-slots is limited and the Business Schools needed something to entice students to invest in an extra 2+ years.

&ers August 17, 2023 5:25 PM

@SpaceLifeForm @Clive @ALL

re: Secure Time Seeding

As with most MS/Windows problems, there is a registry key
that cures everything.

hxxps://www.thewindowsclub.com/windows-system-time-jumps-backward

Kill the UtilizeSslTimeData!

lurker August 17, 2023 5:56 PM

@SpaceLifeForm

MS and Clocks? In the same room? Avoid if possible!

Ask anyone who tried to dual boot Windows in the past 20 yrs.

Their inability to follow RFC or IETF recommendations is exceeded only by their spin dept to cover up.

SpaceLifeForm August 17, 2023 6:15 PM

@ JonKnowsNothing

Stop the planes!

Oh, nevermind.

Did you learn of this variant yet?

BA.2.86

Nestor Gray August 17, 2023 7:47 PM

@ lurker,

MS and Clocks? In the same room? Avoid if possible!

Ask anyone who tried to dual boot Windows in the past 20 yrs.

&ers was right: there is, of course, a registry key to fix that too. Search for “RealTimeIsUniversal”. (As far as I’m aware, the only clock-related dual-booting problem is that Windows wants the real-time clock to contain local time, whereas everything else wants UTC. Even without dual-booting, there must be some weird corner-cases for those who boot Windows near the daylight/summer-time switchover.)
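An audit script for the two registry values named in these comments, as an added example (not from the thread or from Microsoft): it reports whether each value matches the setting the comments recommend and, with -Fix, sets it. It assumes it runs elevated on Windows 10/11 and that the keys are the standard W32Time Config and TimeZoneInformation keys.

```powershell
# Added example, not from the thread. Audits the two clock-related registry values
# discussed above (UtilizeSslTimeData, RealTimeIsUniversal) and optionally sets them.
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Fix)

$checks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'
       Name = 'UtilizeSslTimeData'   # 1 = Secure Time Seeding on (default), 0 = off
       Want = 0
       Why  = 'Secure Time Seeding can step the clock from TLS timestamps' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\TimeZoneInformation'
       Name = 'RealTimeIsUniversal'  # 1 = RTC holds UTC, as Linux/BSD expect
       Want = 1
       Why  = 'dual boot: stop Windows and other OSes fighting over local time vs UTC' }
)

foreach ($c in $checks) {
    # An absent value means Windows uses its built-in default for that setting
    $current = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    $state = if ($null -eq $current) { 'absent (default)' } else { $current }
    if ($current -eq $c.Want) {
        Write-Output "OK    $($c.Name) = $state"
        continue
    }
    Write-Output "DRIFT $($c.Name) = $state, want $($c.Want) ($($c.Why))"
    if ($Fix -and $PSCmdlet.ShouldProcess("$($c.Path)\$($c.Name)", "set DWORD to $($c.Want)")) {
        # -Force overwrites an existing value or creates a missing one
        New-ItemProperty -Path $c.Path -Name $c.Name -PropertyType DWord -Value $c.Want -Force | Out-Null
    }
}

if ($Fix) {
    # W32Time only reads its Config key when the service starts
    Restart-Service -Name w32time -ErrorAction Stop
    Write-Output 'w32time restarted; RealTimeIsUniversal takes effect at next boot'
}
```

Run without -Fix to see the drift report only; -WhatIf with -Fix previews the writes without touching the registry.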

Clive Robinson August 17, 2023 7:50 PM

@ SpaceLifeForm, RobertT, Winter,

Re : Unknown Kinetic object tracks.

You might like the first part of this EEVblog vid,

https://m.youtube.com/watch?v=2saqIZRODv0

From the security aspect, it shows you really can’t have “bullet proof electronics” in your communications line-up, so spares are essential at all times.

I also like “space diversity” systems on the principle you can get a bit of resilience.

@ ALL,

As I’ve said before, if you “Red Team” you really should have a grip on “Software Defined Radio” (SDR) systems. Whilst you can spend thousands of dollars on high end systems, it’s best to start with a reasonable “budget model” which will be 50 bucks or less and some Open Source Software.

One OK budget RX model, the “RTL-SDR”, has just released a “Version 4”. This quick vid will show you how to get it up and running,

https://m.youtube.com/watch?v=U-A7lEKm_vE

After playing and getting comfortable you can go onto better open source software. The “Tech Minds” channel has several vids.

As for antennas I would suggest broadband, either a “discone” for omnidirectional reception or one or two “Log Periodic Dipole Array” (LPDA) for directionality to do a little “Find, Fix, and Finish” type activities. To get up to speed on that have a look for “ham fox hunting equipment”.

Remember coax cable used between the antenna and SDR dongle has increasingly significant loss the higher in frequency you are trying to receive. Most long USB cables have fewer loss issues. Therefore put the SDR dongle as close to the antenna as you can and run the long USB cable back to your laptop.

Clive Robinson August 17, 2023 10:18 PM

@ Bruce, ALL,

Another creative task LLM’s appear to be no good at.

According to some working at The Register, LLM AI is not a hit for cybercrime. Their observation,

“Presumably that’s because these generative systems are not up to the job, or have sufficient guardrails to make the process tedious enough that cybercriminals give up.”

is based on a couple of reports published by Mandiant and Trend Micro this past week,

https://www.theregister.com/2023/08/18/ai_malware_truth/

JG4 August 17, 2023 10:38 PM

“News you can use.” This recalls Markus Ottella’s good deeds.

GitHub – profdc9/ParanoiaBox: A standalone elliptic curve/AES file …
https://github.com/profdc9/ParanoiaBox
The ParanoiaBox is a standalone open hardware/software encryption device based on the STM32F103CBT6 processor. On this device, messages may be composed, encrypted, decrypted, and viewed. The device is an experiment in encryption minimalism, presenting a minimal attack surface by using a small microcontroller rather than a full personal computer …

Ufile.io – Upload files for free & share them without registration
https://ufile.io
1333954 Registered Users Upload files for free, without registration Uploadfiles makes file sharing and storage easy and straightforward.
…[only good for 30 days if you want to see the photo from DEFCON]
Done! Your file is available via the following URL:
https://ufile.io/l2gftxq6

A long time ago I asked about this topic. At the time, I struck out trying to find it on my own.

Best anonymous image hosting sites of 2023 | TechRadar
https://www.techradar.com/best/the-best-anonymous-image-hosting-sites-in-2022
May 5, 2023 Website Hosting Best anonymous image hosting sites of 2023 By Daniel Blechynden, last updated 5 May 2023. Secure image hosting with a focus on privacy

Hat tip Clive. I hope that your health is holding up well enough. I have had a few bouts of hypertension from protein deficiency. Cognitive impairments as well, but generally getting by OK. I am suspicious about virus and vaccine injuries as a possible aggravating circumstance, but I don’t want to rehash that here. It will take the experts who are not compromised a long time to understand what has happened, what is happening and what will happen.

Mailbox Master Keys – Schneier on Security
Clive Robinson • January 8, 2020 6:27 AM
https://www.schneier.com/blog/archives/2020/01/mailbox_master_.html/#comment-344813

The result was Markus Ottela started “Tin Foil Chat”, now more commonly known as “TFC”. It has pages up on GitHub where you can read a lot more on not just TFC but how it works and the threats / attacks it was designed to stop,
https://github.com/maqp/tfc/wiki

due diligence to avoid redundant posting

https://duckduckgo.com/?q=%22paranoiabox%22+site%3Awww.schneier.com
No results found for “paranoiabox” site:www.schneier.com.

https://www.google.com/search?q=site%3Aschneier.com+%22paranoiabox%22
Your search did not match any documents.

Clive Robinson August 18, 2023 5:33 PM

@ ALL,

NFTs Bad Investment who’d have thunk 😉

Apparently the most ardent of NFT shills who drank their own cool aid have decided they’ve been conned by the world’s most famous auction house…

They think their over hyped intangible shares of the “Bored Ape” graphic have lost most of their value and are just a second hand car price away from being worthless…

They are basically claiming in a class action law suit that they’ve been subject to a con and are throwing buckets of spilled milk around the place…

https://arstechnica.com/tech-policy/2023/08/buyers-of-bored-ape-nfts-sue-after-digital-apes-turn-out-to-be-bad-investment/

So throwing more money into the hole in the ocean that all Yacht Club members must do. I bet the lawyers on this one must be making even “Great Whites” a little envious.

I guess they can form the “X-Boy Club” along with Hellon Rusk and throw more toys out of the pram 😉

Seriously though, I’m not an “investment advisor” –I’m not that daft– but have a think, if you have any of these new age “Con a Sucker” investments, I really can not see this market doing much of even a dead cat squelch, can you? So maybe following the old advice of “He who runs away…” and exercising that “get out stratagem” you planned whilst you still have/had your underwear on your back might be a good idea…

modem phonemes August 18, 2023 6:55 PM

@ Clive Robinson

drank their own cool aid

It’s like that for much of the art, especially modern art, world. Colluding positive critical reviews and accompanying price inflation. It explains how so much ugly shallow trash is “must have” for collectors.

Clive Robinson August 18, 2023 8:51 PM

@ modem phonemes, ALL,

Re : Modern Art is faux.

“It’s like that for much of the art, especially modern art, world.”

Also “much” modern art is not actually made by the artist, who often doesn’t really come up with the concept either, “just borrows it”[1]. So even “art experts” can get fooled, which means there is a “security” aspect due to opening a hole that crime can push through.

Quite a few years back when the “Maker” idea did not really have a name, I used to use a place in the Elephant and Castle in London that had larger capacity workshop machines than I had in my own workspace, as well as welding equipment for aluminium and glass blowing equipment, as well as people who would “do you a piece” (useful as I’m no good at either skill).

Well their main “production” was “Prototypes and Bespoke Pieces” which often involved turning out “modern art” for well known and high value “artists”… I was occasionally asked to “advise” on putting embedded electronics in such pieces… Which I did not mind doing occasionally if it sounded interesting.

So yeh, there is a whole other side to modern art, that few people get to see or hear about.

But the funny thing is as I’ve mentioned before I also have friends in the “Fashion Industry”… What few outside that industry realise is just how much of the “famous name” is not done by the names, but interns and even students trying to build a portfolio.

So yeh you could say,

“Modern Art is a fashion equivalent, and just as faux.”

But one advantage/disadvantage of both is that they can and have been used as vehicles for “Money Laundering” and similar…

[1] Which might account for why what LLMs can “do for anyone” these days is really getting some modern artists hot under the collar…

JonKnowsNothing August 19, 2023 11:37 AM

@SpaceLifeForm

re: EG.5.1, BA.2.86 and a range of others

It looks like EG.5.1 is the one in my area that has one of our ERs tracking 125% capacity which does not include those sitting in the waiting room waiting for the triage team.

There is some good news though, we have a new name for Super Spreader Events:

  • Barbenheimer

It comes from Germany where their C19 outbreak may be fueled by watching double feature movies in a cinema. The 2 popular movies are: Barbie and Oppenheimer = Barbenheimer.

  • Germany: Covid 19 infections are up 175% on the previous week, with 2,400 cases. Hospital admissions of people with coronavirus are up 50%. More than half of Germany’s monitoring stations, in particular sewage plants, have indicated a rise in viral load detected in wastewater this month.

Note: The variants causing the uptick in Germany may not be EG5 but other variants.

On the Barbenheimer Effect:

“We’ll probably never know since no one seems to be keeping track of such things any more.”

Peter Hotez of the National School of Tropical Medicine at the Baylor College of Medicine in Texas.

Barbenheimer sounds impressive, the origin is funny, the results not so funny and with a bit of schadenfreude thrown in.

===

ht tps://www.theguardian.c o m/world/2023/aug/18/covid-infections-on-the-rise-again-in-germany-say-experts

(url fractured)

lurker August 19, 2023 6:25 PM

@SpaceLifeForm, JonKnowsNothing

NZ has abandoned the requirement for 7 days isolation of tested positive cases, and abandoned the requirement for masks in healthcare facilities, the decision based on falling positives from wastewater testing. Current VoIs are EG.5 and XBB/XBC/Recombinants.

‘https://www.rnz.co.nz/news/national/450874/covid-19-data-visualisations-nz-in-numbers

‘https://www.rnz.co.nz/national/programmes/sunday/audio/2018903376/dr-gary-mclean-is-covid-really-in-the-rear-view-mirror
