Friday Squid Blogging: Squid Brand Fish Sauce

Squid Brand is a Thai company that makes fish sauce:

It is part of Squid Brand’s range of “personalized healthy fish sauces” that cater to different consumer groups, which include the Mild Fish Sauce for Kids and Mild Fish Sauce for Silver Ages.

It also has a Vegan Fish Sauce.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Read my blog posting guidelines here.

Posted on August 18, 2023 at 5:02 PM65 Comments


Clive Robinson August 18, 2023 6:23 PM

@ ALL,

Google claim, adding new algorithm so FIDO will eventually be safe from quantum computers… But at what price?


“While quantum attacks are still in the distant future, deploying cryptography at Internet scale is a massive undertaking which is why doing it as early as possible is vital,” Elie Bursztein and Fabian Kaczmarczyck, cybersecurity and AI research director, and software engineer, respectively, at Google wrote. “In particular, for security keys this process is expected to be gradual as users will have to acquire new ones once FIDO has standardized post-quantum cryptography resilient cryptography and this new standard is supported by major browser vendors.”

So I guess they are kind of saying your current FIDO “security keys” are close to worthless now “Google has spoken”…

Clive Robinson August 18, 2023 6:44 PM

@ ALL,

I realy do not know what to make of this,

“Study suggests inflammation drives social media use”

“Across three studies involving more than 1,800 participants, the findings—published in the journal Brain, Behavior and Immunity—indicate that increased levels of C-reactive protein (CRP), which the liver makes in response to inflammation in the body, can promote social media use among middle-aged adults and college students.”

Clive Robinson August 18, 2023 7:04 PM

@ Bruce and the usual suspects,

Though a bit technical to read, this research is going to also move into helping surveillance technology as well as UAV target tracking,

“Dynamic Target Tracking of Unmanned Aerial Vehicles Under Unpredictable Disturbances”

“The research article presents a comprehensive approach that addresses the challenges of estimating target velocities, image depth estimation, and tracking stability in the presence of external disturbances.”

Clive Robinson August 18, 2023 7:38 PM

@ ALL,

Re : Another software with agency kills article.

It appears “insiders” are reporting that “Managment ignored” a serious issue that the Tesla Autopilot was not designed to respond to cross traffic.

Which was the root cause of both a death in 2016 and later in another tractor-trailer cross traffic crash in 2019.

One of Tesla’s engineers said,

“[H]e investigated Brown’s 2016 death as part of his job, and alleged that despite Tesla thus knowing about the issue “no changes were made to Autopilot’s systems to account for cross traffic.”

Clive Robinson August 18, 2023 8:01 PM

@ Bruce, ALL,

Compression as the new Enryption

Whilst most do not think of it that way, compression algorithms “flatten the statistics” of plaintext which is usuall considered one of the two functions of encryption.

Whilst compression functions, like hash functions, are “unkeyed” it would not be that difficult to modify the function “output” to make it keyed.

However a couple of centuries back people still tried to rely on only the method of encryption being unknown to an adversary to hide information.

Well it appears to be back in favour,for hiding malware in Android APKs,

“Thousands of Android APKs use compression trick to thwart analysis”

“Threat actors increasingly distribute malicious Android APKs (packaged app installers) that resist decompilation using unsupported, unknown, or heavily tweaked compression algorithms.”

Clive Robinson August 18, 2023 8:16 PM

@ WhatsOldIsNew,

Re : QR Code hooked phishing attacks

For those that don’t want to or can not do “slashdot”, I gave the “Bleepingcomputer” link to the story,

And a little commentary about how QR Codes appears to be increasingly used, yesyerday on last weeks Squid page,

Noor August 18, 2023 9:45 PM


Inflammation correlates with stress, which correlates with support-seeking behaviors (e.g., contacting others online.) You see the same pattern in non-human primates.

Unfortunately for humans, as the authors point out, there can be a feedback loop for those seeking support online, presumably as the variable reward (and punishment) schedule of social media worsens stress in order to increase its users desire to seek further social support on the platform. More stress, more use, more ads, more data, more profit, and the rise of consequent mental illness and suicide is just an externality.

Clive Robinson August 18, 2023 11:53 PM

@ Noor,

Re : Social media inflammation link.

“Inflammation correlates with stress, which correlates with support-seeking behaviors…”

I was not very clear…

Whilst I can see the forward path from inflammation to social need as it’s the same as the raised temprature through chills to social need (cytokine response), it’s the “closure to make a feed back loop” that’s causing me pause for thought, because that path is oft considered as “fight or flight” and thus different[1].

I would have assumed that getting the social need met via “comfort” from social media would neither cause or reduce the inflamitory cytokine levels. Even though it would modulate “fight or flight mechanism via the adrenaline mechanism.

The problem is mostly there have been few if any clinical studies, they’ve mostly be literature reviews. One downside of this is assumptions become drivers, and literature reviews can end up finding what they look for rather than what is physiologically there. This is usually not deliberate but happens through the use of “key words/phrases” to find literature to review[2].

The result is, I’m some what cautious of “reviews” especially those that are effectively chains of reviews.

[1] Actually that is a nicety that most will understand, in the literature however they talk of stress events modulating neurochemical, neurotransmitter and hormonal systems from homeostasis (restfull) to allostasis (fight or flight). Mainly by activating the “Sympathetic Nervous System”(SNS) and/or the “Hypothalamic-Pituitary-Adrenal”(HPA) axis. These are traditionaly viewed as the mechanisms linking stress and disease. However over the past decade or so alterations in HPA axis and SNS mechanisms have been found to have mainly indirect effects on the physiological systems that exhibit the disease. Thus the causal / linking mechanisms between stress to stress-related diseases have been and still are under debate (if not vested argument).

[2] I used to work at a company that started the citation database on CD ROM industry and the key word/phrase issues was actually quite significant, because of amoungst other things the synonym-antonym imbalance issue. One of the main DBs was “Medline” which is extrodinarily large. I was shocked to learn that people were using it on it’s own to publish review papers and were doing not much more than comming up with highly complex search terms and then changing search dates to look for trends by just looking at the numbers of papers found, without even reading the titles and abstracts… It truely was a GIGO process especially as these reviews became parts of other reviews. We hear about people getting twitchy over LLMs that in effect “do the same” well I was seeing the human version back at the end of the last century and into this.

Noor August 19, 2023 12:37 AM


Inflammatory cytokines are associated with clinical depression[1][2]. If the clinically depressed seek support on social media then the depression will likely persist or worsen[3] and use of the platforms will correlate with measures of bodily inflammation.

[3] ‘“If Instagram is such a positive force, have we seen a golden age of teenage mental health in the last 10 years? No, we have seen escalating rates of suicide and depression amongst teenagers,” [Facebook whistleblower Frances Haugen] continued. “There’s a broad swath of research that supports the idea that the usage of social media amplifies the risk of these mental health harms.”’

P Coffman August 19, 2023 3:37 AM

I might tend to think social media increases, rather than decreases stress.

OTOH, I think some sites are difficult to compare to other sites.

With the X/Twitter model, when a completely unknown handle is retweeting something of the original author, and one examines the handle, it might be completely fake. So that model may cause a percentage of real stress by virtue of inauthenticity.

Recently created accounts and/or those linking with off-site garbage are easy enough to spot.

I kind of find it interesting when there is no real rhyme or reason, in terms of a possible motive. Why? Just to avoid being reported? To “time suck”?

It does seem like a hook. Someone likes me so I might follow them, yada yada yada. Then I look at who their friends are, their posts are and yuck: uninteresting to an unacceptable degree.

Well, if one can find somebody interesting after digging a little, one is rewarded later. Sometimes for only a while.

Noor August 19, 2023 10:39 AM

P Coffman:

I agree. Different social media platforms are each bad in their own way. What you said of Twitter is definitely true. And it’s also bad elsewhere, as for example among the 308 college-age women experimentally tested in the following research:

‘Those who used Instagram, but not Facebook, showed decreased body satisfaction, decreased positive affect, and increased negative affect. Results are consistent with previous research suggesting social media use influences body satisfaction and social comparison, and that Instagram may be a particularly harmful platform when it comes to body image because of its focus on photos over text.’

With more use one would expect more social comparison, more stress and more biomarkers of that stress, like inflammation. Undoubtedly that’s why so many of the platforms supposed winners (i.e., the influencers) post surprisingly often on mental illness. It’s an occupational hazard for them.

fib August 19, 2023 12:23 PM

@ WhatsOldIsNew, Clive Robinson

Re: QR codes

In my neck of the woods, the use of qr codes in bar and restaurant menus [for the convenience of the owner, not the customer] is absurdly widespread, to the point of preventing any privacy conscious person from enjoying these small pleasures. In my experience, people have absolute trust in qr codes. They [the codes] seem to lend a certain respectability to the communication. I would say they increase the recipient’s marginal propensity to believe. The problem may be solvable with regulation.

Ted August 19, 2023 1:07 PM

@Clive, Noor, P Coffman, All

Re: Inflammation and social behavior

On a related but slightly different thread, Dave Aitel recently wrote about the experience of BlackHat and Defcon 2023.

“The more crowded the field gets, the less immersion you have. Instead of diving in you are holding your palm against the surface of the water…”

To me social media can sometimes feel similarly scattering and depleting. I was glad to see someone expressing their appreciation for the calm and absorption of deeper dives.

modem phonemes August 19, 2023 2:42 PM

@ Ted

scattering and depleting … calm and absorption

From [1]

“… traveling a lot to present all his latest results at all our conferences and is personally known to all experts in the field … better … to sit at home working hard to prove fundamental theorems which will remain the cornerstones !”

  1. An Interview with Vladimir Arnol′d

Noor August 19, 2023 3:08 PM


You’re right. And it’s lost on those who’ve known nothing else. In an overcrowded field, it’s an “attention economy.” It all becomes a histrionic hustle to attract attention and addict by any means necessary and as fast as possible before the user gets bored. As with advertising, the more outrageous and idiotic the better.

Along with that comes the aesthetic flattening associated with the Darwinian struggle for a kind of success defined in very narrow terms (i.e., followers, likes and views), as the non-utilitarian is stripped away such that everyone and every thing begins to look and sound identical in our “pragmatic,” post-truth world, and with offline implications. Reality has become the National Enquirer.

&ers August 19, 2023 4:31 PM


I believe our vintage HW thread stopped somehow.

See what people do today.


Naomi F. August 19, 2023 6:22 PM

Clive Robinson wrote:

However a couple of centuries back people still tried to rely on only the method of encryption being unknown to an adversary to hide information.

Well it appears to be back

Well, in many ways, it never left. It was sometimes used for “copy protection” in the 1980s; and also for viruses, which is one reason why executable-packers sometimes trigger antivirus warnings. Some malware used actual encryption algorithms—usually insecure custom things, and of course the key was included.

lurker August 20, 2023 2:14 AM

Infrastructure Security
New Jersey power outage blamed on fish, likely dropped by a bird.


P Coffman August 20, 2023 3:16 PM

@modem phones @Ted


Re, AMS article:

Then what about Grigori Perlman? In spades, no?

Amusing, on another trait of his (referencing Perelman’s photo on Wikipedia) – eyebrows resemblant of Leonid Brezhnev.

P Coffman August 20, 2023 4:41 PM

I found MS and Intel a little cagey and a little murky about offering any Downfall vulnerability mitigation, i.e., whether the processor is new or old enough, or whether this, that, or the other…

Somewheres, my MS File Explorer was misbehaving. After figuring out how to fix it, the little ghost I chased away still has me scratching my head (a little).

1) I use WSL, therefore maneuver between two “file systems”, as it were. Saying: I might be likely to notice a thing or two.

2) I work a lot off downloads folder, and periodically purge. Not too far in the past, I was creating, or content creating from, numerous JPEG and PNG. Not to mention documents having these artifacts.

Weird: “What are all of these doing here?”

I might have the mitigation. Everything File Explorer+Downloads slowed to a crawl before the fix.

modem phonemes August 20, 2023 5:39 PM

@ P Coffman

Grigori Perlman

Yes, the champ of “sit at home working hard to prove fundamental theorems” . And demonstrating the lie of the monetary awards system (which also Arnold refers to).

Winter August 20, 2023 6:08 PM


And demonstrating the lie of the monetary awards system

Monetary Zwarts allow someone to sit at home or in the lab and work. That does not seem to work well as people tend to get the award when their working life is practically over.

In the academic system, these monetary awards are generally intended to be used to hire people to do more work.

Active academical researchers often do use awards like they use grants. And grants are often interpreted as awards.

ResearcherZero August 21, 2023 6:29 AM

I gave AU$25 to homeless veterans last week (about US$2). I expect not to have to pay any future speeding fines…

‘a community benefit donation of $300,000 instead of an $8 million fine’

…the Senate has requested ASIC hand over all relevant files related to its Nuix investigations, as well as a few other case studies it is examining. To date, ASIC has played hardball on the information it is willing to share, requesting public interest immunity over the documents.

ASIC dropped the first two cases, citing “insufficient evidence of unlawful conduct after conducting a comprehensive investigation”…

The banking royal commission into banking in 2018 compelled ASIC to release all relevant internal documents and emails relevant to its work. What became clear was behaviour that was unbecoming of a regulator. Internal emails showed how ASIC sent draft press releases for vetting to organisations it was supposed to be policing.

Serious culture and governance issues, a history of missed sales forecasts, as well as insider trading charges for its then chief financial officer, Stephen Doyle, and his brother, Ross Doyle.


ASIC alleges that the data analytics company made misleading or deceptive statements in its updates to the ASX in February and March 2021, which reaffirmed the forecasts contained in the prospectus.


ResearcherZero August 21, 2023 6:33 AM

“The agency does not track the number of applications of Cellebrite technologies during investigations” because the warrants are needed to seize and crack devices but not “specifically for use of the Cellebrite tools.”

Services Australia refused to answer other details about its use of the tool.


.au Domains hacked?

“we encourage everyone to remain vigilant to potential malicious online activity such as phishing attempts and scams from persons or organisations requesting, or using, your personal details. Do not open attachments or click links in emails or social media messages unless you are certain the sender is genuine, or you have verified them. auDA will not reach out to anyone and ask for your passwords for sensitive information. Report any fraudulent activity immediately to the related provider.”


“auDA was alerted to an alleged data breach this afternoon. We are investigating the allegation. We have so far found no evidence of such a breach. We will provide an update as soon as we have more information.”


ResearcherZero August 21, 2023 7:12 AM

By attaching human olfactory receptors to a graphene-based sensor, researchers have created a bioelectronic nose platform for detecting a nerve agent to address biosecurity risks and support medical crisis management.


RAD-A will maintain the atropine in a dry format until the drug is automatically reconstituted into a liquid immediately prior to administration.

Antidotes should be administered within 10 minutes of exposure to be effective.


“Nerve agents are a subcategory of the organophosphorus compounds. These compounds possess physiological threats by interacting and inhibiting acetylcholinesterase enzyme which leads to the cholinergic crisis.”

Organophosphates allow acetylcholine, the nerve-signaling molecule, to run wild by binding to the enzyme that normally turns it off. Without the enzyme, acetylcholine stimulates nerve cell receptors ceaselessly.


Clive Robinson August 21, 2023 5:05 PM

@ Bruce, ALL,

You are aware of some ludicrous legislation that certain UK Politicians want passed that will destroy privacy in the UK which in turn will destroy society as we know it and jump the UK forward on it’s current trajectory to being a Police state.

Well Rupert Goodwins has written an Op-Ed piece on the fact he thinks it is as dead as the proverbial Mauritius Dodo,

However I disagre, bad and dangerous as this proposed legislation is I think it will get a majority vote.

This in turn will cause the likes of the FBI to renew their efforts, likewise various other “guard labour” not just in the WASP nations but many western nations, like a game of “knock over dominoes”.

Readers here are aware that I not only know but can show what the UK Gov want is futile as it can not only be beaten, it can be beaten in a way that is not provable by the authorities.

The fact that Politicians of a certain type are ignoring this as a “Power Grab” should have everybody, not just UK Citizens alarmed.

The politicians and guard labour push,

“Secrecy to do wrong”

With all the usual well practiced “dog whistles” and other faux arguments.

Yet few outside of select circles appear to understand it’s in reality all about denying everyday people,

“Privacy to live without persecution.”

The message still needs to be got out to a wider audience, before the first domino falls.

vas pup August 21, 2023 7:26 PM

How coin tosses can lead to better decisions +++

“more recent theorists have suggested that increased choice can induce a range of anxieties in consumers – from the fear of missing out (Fomo) on a better opportunity, to loss of presence in a chosen activity (thinking “why am I doing this when I could have been doing something else?”) and regret from choosing poorly.

The raised expectations presented by a broad range of choices can lead some consumers to feel that no experience is truly satisfactory and others to experience analysis paralysis. That more options provide an inferior consumer experience and make potential customers less likely to complete a purchase is a hypothesis known as the “paradox of choice”. Indeed, experiments on consumer behaviour have suggested that excessive choice can leave consumers feeling ill-informed and indecisive when making a purchasing decision.

!!!The idea, particularly in subjective matters, that there is a perfect solution to a problem is known as the “Nirvana fallacy”. In reality, there may be no solution that lives up to our idealised preconceptions.

When we step back a little from the decision we are trying to make, it usually becomes clear that, although there may be one best option, there will also be several good options with which we would be satisfied. Choosing an alternative that may not be the very best, but is at least good enough, has been christened “satisficing” – a portmanteau of “satisfying” and “suffice”. As the Italian proverb that the French writer and philosopher Voltaire recorded in his Dictionnaire philosophique goes: “Il meglio e l’inimico del bene” – “the best is the enemy of the good.”

randomness offers us a simple way to overcome choice-induced analysis paralysis. When faced with a multitude of choices, many of which you would be happy to accept,
!!! flipping a coin or letting a dice decide for you may be the better option. =>Sometimes making a quick good choice is better than making a slow perfect one, or indeed being paralysed into complete indecision.

When struggling to choose between multiple options, having a decision seemingly made for you by an external randomising agent can help you to focus in on your true preference. This “randomised” strategy can help us to envisage the consequences of what was, up until that point, an apparently abstract decision.

Recent experiments by a team of researchers at the University of Basel, Switzerland, have demonstrated that a randomly dictated decision prompt can help us to deal with the information overload that often precipitates analysis paralysis.

While many of us would feel uncomfortable allowing a coin to dictate the direction of someone else’s career, it’s important to remember that you are not required to follow the decision of the randomiser blindly. The externally suggested choice is designed to put you in the position of having to seriously contemplate accepting the specified option, but doesn’t force your hand one way or the other.

For those of us who struggle to make decisions, however, it’s comforting to know that when grappling with a selection, we can get out a coin and allow it to help. Even if we resolve to reject the coin’s prescription, being forced to see both sides of the argument can often kick start or accelerate our decision-making process.”

If that is important decision with many options with each option has their pluses and minuses, it is better to hypnotized subject and assign to each option number with post hypnotic suggestion to put on piece of paper number for the best option selected.
You could let our brain to do complex cost-benefit analysis without involving logical understanding. So, go ahead and do PhD on this:) I just do not want this suggestion is going to be used for bad purpose or/and bad actors, i.e. next episode of “Dark Marvels” on History Channel 🙂 Good Luck LEAs and IC 🙂

ResearcherZero August 22, 2023 2:47 AM


“We lift this binary executable into a HAR, a highly abstract representation. It’s essentially a data file that a software engineer or researcher can look at, they can understand what the code does, and they can make changes. You get this HAR into a place that you’re happy with, you’ve added your features, and you’re ready to deploy it. Our pipeline reassembles it into another executable binary that can be redeployed in place of the original.”

Along the way, the team’s algorithms comb through the HAR and do things like remove old code that’s no longer necessary.

“We’re actually reducing the total size of the code base by 60%. And we’re doing that within 2 1/2 hours to 3 hours.”




Clive Robinson August 22, 2023 7:20 AM

@ Bruce, ALL,


Software with agency does harm


“The California Department of Motor Vehicles (DMV) said it was “investigating recent concerning incidents involving Cruise vehicles in San Francisco” and is in contact with both Cruise and law enforcement officials. It said its “primary focus” was “the safe operation of autonomous vehicles and safety of the public who share the road with these vehicles,” adding it was investigating to “determine the facts.”

The DMV said in a statement on Friday night that the company must slice its city fleet in half, meaning it would have no more than 50 driverless vehicles in operation during the day and 150 driverless vehicles in operation at night.”

Apparently two incidents in 24hours was the trigger for this.

The first, involving an intersection and an energancy vehicle driving in a way that would be illegal for others.

The second, apparantly a driver jumped a red light and ended up significantly damaged.

There is too little information to say reliably but it looks like the software was working correctly but did not respond to the danger of others behaving incorrectly in sufficient time to avoid the danger they presented.

modem phonemes August 22, 2023 10:21 AM

“ Researchers at Indiana University Bloomington discovered a botnet powered by ChatGPT operating on X—the social network formerly known as Twitter—in May of this year.

The botnet, which the researchers dub Fox8 because of its connection to cryptocurrency websites bearing some variation of the same name, consisted of 1,140 accounts. Many of them seemed to use ChatGPT to craft social media posts and to reply to each other’s posts. The auto-generated content was apparently designed to lure unsuspecting humans into clicking links through to the crypto-hyping sites.”

Clive Robinson August 22, 2023 2:28 PM

@ Bruce, ALL,

AI as Word of God effect


“People trust humans more than artificial intelligence, but when they think about God they are more likely to embrace AI recommendations over those from their peers. That’s according to new research from Keisha Cutright, a marketing professor at Duke University’s Fuqua School of Business, published in the Proceedings of the National Academy of Sciences (PNAS) journal.”

Which if you think about it for even a short while is extreamly perturbing.

Clive Robinson August 22, 2023 2:50 PM

@ ALL,

New privacy breaching Smartphone malware

Created by researchers using Machine Learning to exploit yet another open “side channel” that does not need permisions to work.


“The researchers’ malware, called EarSpy, used machine learning algorithms to filter a surprising amount of caller information from ear speaker vibration data recorded by an Android smartphone’s own motion sensors—and did so without overcoming any safeguards or needing user permissions.”

Clive Robinson August 22, 2023 3:52 PM

@ ALL,

Who appart from me thinks this is a bad idea?

MS adding Python to Excel to run as formulas.

“The new Python in Excel feature brings a new ‘PY’ function that allows users to embed Python code directly in a cell to be executed like any macro or regular Excel function.

However, instead of running the Python scripts locally, Excel will execute the code in the cloud using a hypervisor-isolated container on Azure Container Instances. Microsoft says this container environment will include Python and a curated set of Anaconda libraries to prevent security issues.”

The fact “it runs in the cloud” is actually not a good idea, as it has a number of implications that are not the first thing you would think of security wise.

vas pup August 22, 2023 4:45 PM

Neomare – Life Saver Eng

“NeoMare” company Proud to present a groundbreaking Israeli development, Able to help people in case of drowning at sea. For the first time in the world: a light, fashionable and almost imperceptible accessory – Becomes, when necessary, a strong personal buoy that knows how to lift the drowning person upwards beyond the danger zone.”

Just bleeping amazing!!!

Steve Sessler August 22, 2023 9:06 PM

To: Clive
Re: AI as God

“In the history of organized religion, it’s often been the case that people have been disempowered precisely to serve what was perceived to be the needs of some deity or another, where in fact what they were doing was supporting an elite class that was the priesthood for that deity. … That looks an awful lot like the new digital economy to me, where you have (natural language) translators and everybody else who contributes to the corpora that allows the data schemes to operate, contributing to the fortunes of whoever runs the computers. You’re saying, “Well, but they’re helping the AI, it’s not us, they’re helping the AI.” It reminds me of somebody saying, “Oh, build these pyramids, it’s in the service of this deity,” and, on the ground, it’s in the service of an elite. It’s an economic effect of the new idea. The new religious idea of AI is a lot like the economic effect of the old idea, religion.“

lurker August 23, 2023 2:10 AM

@Clive Robinson

At first glance Python has to be an order of magnitude better than the VB they were using. But only on Azure? No thanks.

Winter August 23, 2023 5:57 AM

@Steve Sessler

“Oh, build these pyramids, it’s in the service of this deity,”

Things are more complicated. For one thing, the pyramids were not in the service of a deity, but to bury a pharaoh (king) and help him in the afterlife. Also, the building was not necessarily considered a burden, but might be more considered as a “festive” community activity.

“Well, but they’re helping the AI, it’s not us, they’re helping the AI.” It reminds me of somebody saying, “

The AIs are already used by many. I know quite a number of people who use ChatGPT productively to help them write texts.

Like, being a non-native trying to write a word-limited text. Asking ChatGPT to reduce a text to, eg, 500 words works wonders. The resulting text generally only needs light editing to get well formed English with the required meaning.

That is quite different from the usefulness of a pyramid.

Clive Robinson August 23, 2023 7:47 AM

@ lurker,

Whilst Python is arguably a better programing language than BASIC, we are talking “spreadsheets”… Do you expect an accountant or management consultant to “get with the program(ing)”?

But that’s not the point I was getting at, but your second point aludes to,

“But only on Azure? No thanks.”

The simple fact is “online” is an immediate loss of both privacy and security as well as the longer term ownership and control[1].

That is to work “online” all sorts of things have to “be unique” thus needing a “unique identifier”. Also quite a bit of data would have to go up and come back again which can characterize each spreadsheet fairly uniquely to the unique user and even with VPNs a unique tracable route to a unique location at a known point in time.

From a “Traffic Analysis” point of view where the “plain text” is not needed that’s one heck of a lot of meta-data that can be used as a distinguisher and for behavioural analysis.

As a certain US General pointed out the US sends drones in on the kill with less meta-data.

But also consider just sending anything into the cloud, instantly makes it a “third party business record” thus “no judicial oversight required” for quasi-official entities to demand access. Also under US legislation that is often read as “If you gather it, it’s your property”, a second party just building your data into “their work” such as a database makes it at a minimum a “derived work”. Which as data brokers do, makes it a commodity available to any with the cash to access it.

In effect this is the enabler to oversight avoidance which is as bad if not worse than the Police buying data brokers “customized” reports either directly or through some third party entity like Palantir, to do things that would otherwise be not lawful for them to do.

So in effect also a side step around “industrial espionage” restrictions…

Thus what happens?

It’s not just the loss of “trade secrets” it’s time based knowledge[2] that can be even more valuable.

[1] It’s a reoccurring theme that I mention from time to time, the loss of,

1.1, Ownership
1.2, Control
1.3, Privacy
1.4, Security

Due to “using the cloud” or other online service was obvious to me back well into the last century. As is the real difference between short term gain and longterm loss of “out sourcing” and “Off Shoring” not just jobs, but function, and information.

But apparently it does not matter how many times you warn, certain types will always go for the illusion of a quick benifit not carring about the longterm loss. The UK and US back in the 1980’s started a madness that led about as directly as you can get to loss of industry and security with the political violence and insurection we saw,at the begining of this decade, which as they say is “just the start of it”.

[2] An example of “data secrecy is not enough” was an “Insider Trading” case. A firm of aquisition / take over specialists, practiced secure containerisation of data. But failed to realise that they had not closed the side channel leakage via indexing and auditing. There was sufficient identifing information by time to indicate when a new project started, who was involved and how much work was being put in thus enabling someone without access to any of the actual project data to be able to predict what to invest in. What they forgot or discounted was others could do what they were doing to what was being aquired and failed to sufficiently cover their tracks, hence they got caught.

Steve Sessler August 23, 2023 7:57 AM

To: Winter

The Pharoahs were priests. Hence, “in the service of this deity.”

”Also, the building was not necessarily considered a burden, but might be more considered as a “festive” community activity.”

Though they were not slaves, the pyramid builders led a life of hard labour, said Adel Okasha, supervisor of the excavation. Their skeletons have signs of arthritis, and their lower vertebrae point to a life passed in difficulty, he said. “Their bones tell us the story of how hard they worked,” Okasha said.

Wildung said the find reinforces the notion that the pyramid builders were free men, ordinary citizens. “But let’s not exaggerate here, they lived a short life and tomography skeletal studies show they suffered from bad health, very much likely because of how hard their work was.”

Sounds festive.

Do you not see how those who build things which deprive them of their agency are bad?

Winter August 23, 2023 8:54 AM

@Steve Sessler

Do you not see how those who build things which deprive them of their agency are bad?

This is not what your quote says. They were “free men, ordinary citizens”. However, the same health results can be found in modern American workers. Arthritis and bad health from hard work are not uncommon in modern America.

I leave it at that as interpreting archeological finds is not relevant for understanding AI.

Steve Sessler August 23, 2023 9:42 AM

To: Winter

Agency isn’t either/or*. A syphilitic vagrant and an heiress living in the French Riviera are both free. But one clearly has more agency than the other.

Here’s the relevant point. The pyramid laborers were poor people who ruined their health and lost their lives in the service of a non-existent deity, which was fabricated to serve the interests of the rulers. Deceived, they lost a degree of agency. In working themselves into an early grave, they lost all agency.

Likewise, many workers will be destroyed in the service of the new god (i.e., AI), which doesn’t represent the interests of its builders. Those workers have not only lost their jobs to automation but they have deprived others of their livelihoods. For example, the translators and writers who used to get paid doing the work you’ve pointed out is now being done by ChatGPT.

  • The author used the term “free men” to refute the claim that the pyramid laborers were slaves.

Winter August 23, 2023 10:56 AM


The pyramid laborers were poor people who ruined their health and lost their lives in the service of a non-existent deity, which was fabricated to serve the interests of the rulers.

Almost everything in this sentence is wrong and not supported by the research you quoted. However, everything in this sentence is true for many American Laborers.

For example, the translators and writers who used to get paid doing the work you’ve pointed out is now being done by ChatGPT.

Nothing like this is yet the case. It will happen, but not this month.

But how is this different from people caring and driving horses, computing data, or entering data who were out of a job due to cars, computers and digitalization of the office?

You sound like a Luddite.

Steve Sessler August 23, 2023 12:12 PM

My sentence had five claims. Here’s the evidence:

(1) “Hawass said the builders came from poor families from the north and the south.”[1]

(2) “they lived a short life and tomography skeletal studies show they suffered from bad health, very much likely because of how hard their work was.”[1]

(3) “‘They literally worked themselves to death,’ says Hawass.’[2]

(4) I’ll pay you the compliment of assuming you don’t believe the gods of Ancient Egypt were real.

(5) “The power of Egyptian and Babylonian kings was ended only by foreign conquest, not by internal rebellion. They could not, it is true, afford to quarrel with the priesthood, since the submission of their subjects depended upon the religious significance of the monarchy; but except in this respect their authority was unlimited.”[3]

Incidentally, what is your preoccupation with American workers and your argument that the pyramid builders had it no worse? “Workers died on average between the age of 30 and 35, compared to between 50 and 60 for members of the nobility.”[2]

I’ll respond to the rest assuming I can even get this comment through whatever mystifying filter is being applied.

[3] Power: A New Social Analysis. Bertrand Russell.

Steve Sessler August 23, 2023 12:13 PM

@All, @Moderator

I’ve replied twice as neutrally as possible while providing evidence for my claims, and it’s letting nothing through. What am I missing?

P Coffman August 23, 2023 12:25 PM

@ers @Clive

re: Vintage Hardware

There was a lot of experimentation. I will have to walk down memory lane with this.

lurker August 23, 2023 1:46 PM

@Clive Robinson

Microsoft says this container environment will include Python and a curated set of Anaconda libraries to prevent security issues.

Of course that wouldn’t have anything to do with those access tokens the Chinese nicked, would it?

vas pup August 23, 2023 4:35 PM

Firms urged to stop ‘text pests’ hassling customers for dates

“Nearly a third of young people have had unwanted propositions from “text pest” staff at firms that have their personal details, the UK’s data watchdog says.

The Information Commissioner’s Office (ICO) said it was “struck” by how many people had received unsolicited romantic or sexual propositions.

Its study showed that around 30% of 18-34 years olds, and a quarter of 35-44 year olds, had “fallen prey”.

The ICO said that such behavior, “quite simply, it is against the law.”

Across all ages, the ICO found that 17% of the public had received unwanted contact from employees after using their businesses. London had the highest rate, with 33% of respondents in the city reporting it happening to them.

“There might be this misperception that this is romantic. But it is not romantic – it’s not okay, it can be very intimidating and actually it’s against the law,” she added.

Ms Keaney said that both the company and the individual employee could be held liable for such behavior.

“The organizations have a responsibility that when anybody shares their data that they use it in the way that we would expect – just for the purposes that it has been shared,” she said.

“If they are not doing that, that is potentially a breach of data protection law.

“But also, it is potentially an offence for that individual to be accessing info and using it for personal purposes. They could end up in court and being fined for that.”

Emma Green, the managing partner of Cyber Data Law solicitors, said that her advice was to “say to the perpetrator ‘don’t contact me again’. Delete the number. Complain to the company, complain to the ICO. And if anybody feels unsafe – contact the police.”

!!!!”People have the right to order a pizza, or give their email for a receipt, or have shopping delivered, without then being asked for sex or a date a while later,” said Ms Keaney said in an earlier statement.

The ICO urged companies to ensure they understood their responsibilities.

“If you are running a customer-facing business, you have a responsibility to protect the data of your customers, including from your employees misusing it,” Ms Keaney added.”

Clive Robinson August 23, 2023 7:02 PM

@ lurker,

Re : A kick in the box around the family jewels.

“Of course that wouldn’t have anything to do with those access tokens the Chinese nicked, would it?”

Why assume the Chinese “were the one”?

There is a saying that logically on the real world only three numbers make sense.

Firstly “zero” that is there is none of something.

Secondly “one” that is something is unique.

Thirdly “infinite” that is there is an unknown number more than two of anything.

This is especially true when you think about malware, attacks, and theft of data and just about anything else information security wise.

So it’s not unreasonable to assume Micro$haft got taken by more than one national, state, entity and maybe a federal one or two as well. Also that it was not the only certificate that got compromised and… any and all entities who came into possession passed them on.

As I’ve mentioned a few times the association that Certificate Authorities abide by has said maximum life of certificates should be “a year and a month” maximum.

I’m guessing that this time will get shorter and shorter, much as happened with the time between password changing…

Thus the question how short? Six months, a quater, monthly?

Then of course is just how big with PQC key exchange…

Maybe we need to find another way.

Which is maybe why research into quantum defect emitters has steped up a notch or two,

Clive Robinson August 23, 2023 7:34 PM

@ ALL,

Breaking News,

Russian air authority say Wagner boss Prigozhin was on plane, that allegedly was shot down by Russian military

“Wagner boss Yevgeny Prigozhin is presumed dead after appearing on the passenger list of a private jet that crashed north-west of Moscow

The aircraft, owned by Prigozhin, was flying from Moscow to St Petersburg with seven passengers and three crew when it crashed in the Tver region. All 10 bodies have been recovered, reports say

Wagner-linked Telegram channel Grey Zone earlier reported that the jet had been shot down by the Russian military”

Many have indicated that something such as this was inevitable. Which is maybe why some are asking,

“Did Prigozhin stage it to fake his own death to effect an escape?”

I guess we are going to have to wait for confirmation one way or another.

But a more important question is what is going to happen with the thousands of men that formed the Wagner forces as there is a lot of bad blood between them and the Russian Military and power plays at all levels are almost certainly going to happen. None of which are likely to be to Putin’s advantage militarily.

Which means that the Ukrainian military may get an increased advantage.

Clive Robinson August 23, 2023 8:04 PM

@ Bruce, ALL,

Two autistic teens that were part of the Lapsus$ group which hacked the likes of Uber, Nvidia and Rockstar Games, have been found responsible and will br sentanced at a later date.

‘[The 18 year old] is autistic and psychiatrists deemed him not fit to stand trial so he did not appear in court to give evidence.

The jury were asked to determine whether or not he did the acts alleged – not if he did it with criminal intent.

Another 17-year-old who is also autistic was convicted for his involvement in the activities of the Lapsus$ gang but cannot be named because of his age.

The group from the UK, and allegedly Brazil, was described in court as “digital bandits”.’

Interestingly from the little said it does not appear that their attacks were actually very sophisticated, even though they repeatedly worked agaist allegedly well protected organisations like Nvidia. That frequently draw attention from state level APT entities in various non Western nations.

Clive Robinson August 23, 2023 8:50 PM

@ ALL,

I know this should not make me smile even ironically but it does,

A largish piece of space junk targeted for removal by a Swiss Startup demonstraror in a couple of years has got hit by an unknown object.

As a result it now has a small debris cloud slowly spreading out. What further damage may result is unknown but currently the risk is assumed to be low.

Meanwhile a Student Project has shown that deorbiting can be achived with a very inexpensive sail,

vas pup August 24, 2023 6:42 PM

New York City mayor says he wants to adopt Israeli drone tech for policing

“New York City Mayor Eric Adams met with Israeli police and security officials on Wednesday to discuss public safety technology, at the tail end of his trip to the country.

Adams, a former police captain, said that he instructed New York Police Department officials to look into adopting aspects of Israeli drone technology and crowd control tactics, but shied away from endorsing other Israeli security methods during an online briefing with reporters on Wednesday evening.

=>Adams also applauded how the Israel Police “strategically and successfully deal with a large crowd.”

“Some methods we may not use, but there are other methods that they use that they’re really humane in nature,” Adams said. “And, as when we had a similar incident in our city, how do we do it in the correct way? And they’ve learned how to do it correctly.

And we walked away with some of those tactics.”

!!Accompanied by Israel Police Commissioner Kobi Shabtai on his tour of the National Police Academy, Adams said that another area New York City would explore further was Israeli drone technology.

“I’ve been leaning into how we could appropriately use drones and they had great technology on using drones for early detection,” Adams said.

In particular, he said, New York City would be looking into how Israel is “utilizing motorcycles and drones together, something we haven’t been utilizing in the city,” in order to direct responding officers away from traffic delays.”

ResearcherZero August 24, 2023 9:44 PM

“The FBI strongly advises all affected ESG appliances be isolated and replaced immediately, and all networks scanned for connections to the provided list of indicators of compromise immediately. The patches released by Barracuda in response to this CVE were ineffective. The FBI continues to observe active intrusions and considers all affected Barracuda ESG appliances to be compromised and vulnerable to this exploit.

“The FBI has independently verified that all exploited ESG appliances, even those with patches pushed out by Barracuda, remain at risk for continued computer network compromise from suspected PRC cyber actors exploiting this vulnerability.”


CVE-2022-47966 execute arbitrary code by providing a crafted samlResponse XML

…due to use of Apache xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application responsible for certain security protections, and the ManageEngine applications did not provide those protections.


“In early 2023, we observed Lazarus Group successfully compromise an internet backbone infrastructure provider in Europe to successfully deploy QuiteRAT.”

The successful exploitation triggered the immediate download and execution of a malicious binary via the Java runtime process. We observed Lazarus Group use the cURL command to immediately deploy the QuiteRAT binary from a malicious URL

Qt is rarely used in malware development, machine learning and heuristic analysis detection against these types of threats are less reliable.


CVE-2023-38035 enables an unauthenticated actor with access to the System Manager Portal (default hosted on port 8443) to make configuration changes to Sentry and underlying operating system. Successful exploitation can ultimately allow a malicious actor to execute OS commands on the appliance as root.


Because the Wi-Fi scanning occurs every 60 seconds and is enriched with geolocation data, it could allow the threat actors to track the compromised system.


ResearcherZero August 24, 2023 10:09 PM

U.S. citizens who are in Belarus “should depart immediately” and should consider leaving via the remaining border crossings with Lithuania and Latvia or by plane.

The Belarusian government also has the power to cut-off internet connections.

Spoofing occurs even if the user accesses public DNS servers.


Poland, Lithuania, and Latvia have said that further border closures could be possible.


“Disco is used during AitM attacks (adversary-in-the-middle attacks at the ISP level), NightClub is deployed in instances where traffic interception is not possible — like when embassies use VPN services to route traffic outside of Belarus.”


Avoid Russian browsers like Yandex and Atom…

The list of Belarusian and Russian top-level domains (TLDs) for which certificate issuance and reissuance have been suspended consists of .by, .moscow, .ru,,, .su, .tatar, .бел, .москва, .рус, and .рф.

(could enable authorities to intercept, decrypt, and re-encrypt traffic)


ResearcherZero August 24, 2023 10:25 PM

“CarderBee hackers managed to somehow deceive Microsoft into lending extra legitimacy to their malware: They tricked the company into signing the Korplug backdoor with the certificates Microsoft uses in its Windows Hardware Compatibility Publisher program to designate trusted code, making it look far more legit than it is. That program typically requires a developer to register with Microsoft as a business entity and submit their code to Microsoft for approval. But the hackers appear to have obtained a Microsoft signature through either developer accounts they created themselves or obtained from other registered developers.

And those signatures can, in fact, make malware far harder to spot, he adds. “So many folks, when they threat-hunt, they start by exempting things that are signed by Microsoft.”


Flax Typhoon can access the compromised system via RDP, use the Sticky Keys shortcut at the sign-in screen, and access Task Manager with local system privileges. From there, the actor can launch the Terminal, create memory dumps, and take nearly any other action on the compromised system. The only issue the actor faces with this persistence method is that RDP is most likely running on an internal-facing network interface. Flax Typhoon’s solution is to install a legitimate VPN bridge to automatically connect to actor-controlled network infrastructure.



…in June we observed reconnaissance against a U.S. military procurement system, and targeting of Taiwan-based organizations.

We suspect this actor was searching for publicly available resources related to current and future military contracts. Given that this website was associated with contract proposals, we suspect the objective was to obtain publicly available information about military requirements and searching for organizations involved in the Defense Industrial Base (DIB), potentially for subsequent targeting. 


We assess that the class of malicious activity described in this report remains concerning because it allows the threat actor to passively collect information without directly interacting with a high-value host – activity that could trigger detection and response (EDR) products. Additionally, by utilizing routers, the adversary’s tools reside on the victim’s network, which is outside the traditional defense-in-depth perimeter.

“Once a targeted system is infected, HiatusRAT allows the threat actor to remotely interact with the system, and it utilizes prebuilt functionality […] to convert the compromised machine into a covert proxy for the threat actor.

“The packet-capture binary enables the actor to monitor router traffic on ports associated with email and file-transfer communications.”


SpaceLifeForm August 25, 2023 1:09 AM

@ Steve Sessler

Wait at least 5 minutes, and then refresh the page.

There is a cache called Batcache that may not refresh for 5 minutes.

Now you know.

SpaceLifeForm August 25, 2023 1:21 AM

Universal and Transferable Adversarial Attacks on Aligned Language Models


This work studies the safety of such models in a more systematic fashion. We demonstrate that it is in fact possible to automatically construct adversarial attacks on LLMs, specifically chosen sequences of characters that, when appended to a user query, will cause the system to obey user commands even if it produces harmful content.

Winter August 25, 2023 3:32 AM


Universal and Transferable Adversarial Attacks on Aligned Language Models

All such models are vulnerable to such attacks. Adding some well-formed noise to speech can manipulate speech recognition systems. The human ear does not hear anything odd.

For example:

SlothSpeech: Denial-of-service Attack Against Speech Recognition Models

In this work, we propose SlothSpeech, a denial-of-service attack against ASR models, which exploits the dynamic behaviour of the model. SlothSpeech uses the probability distribution of the output text tokens to generate perturbations to the audio such that efficiency of the ASR model is decreased. We find that SlothSpeech generated inputs can increase the latency up to 40X times the latency induced by benign input.

SpaceLifeForm August 25, 2023 3:42 AM

@ Winter

Re: SlothSpeech

I have observed drunks that are self trained on this model.

Clive Robinson August 25, 2023 6:10 AM

@ SpaceLifeForm, Winter, ALL,

Re : LLM “adaptive” forcing.

“Universal and Transferable Adversarial Attacks on Aligned Language Models”

The issue is that the models are “adaptive” I won’t go into the messy details of “adaptive filters” but understand that they use both feedback and feedforward in their design (all current adaptive neural networks do). The feedback vastly increases complexity and the feed forward increases choice velocity (think rise time in a traditional filter) and very importantly by reducing stability thus creating chaotic effect that can appear as random though it actually is not.

It can be shown that such models have a similarity to certain types of adaptive state machines. Thus the two question arises of,

1, Are they programable?
2, Are they or can they be made ‘Turing Complete’?

The answer to the first is “Yes” in the case of an “adaptive” system especially one that is “self adapting” which the LLM’s under consideration are.

Are the LLM’s under consideration Turing Complete, whilst I’ve not seen any papers indocating that they are, I’ve good reason to think they are or can be (search back to the paper from the UK Cambridge Computer lab that showed that the MMU in Intel CPU’s was actually Turing Complete even though it was never intended to be).

Which leaves the curious posability of what a Turing Complete LLM could be capable of…

But it does indicate that the researchers belief of,

“Universal and Transferable”

Is very probably true, but also their worry of,

“Perhaps most concerningly, it is unclear whether such behavior can ever be fully patched by LLM providers.”

Can also be answered as “No they can not be patched” as the user will always be able to “program around the blocks” as malware writers do with JavaScript and the like.

That is,

If users are given the freedom to program they are also at liberty to abuse the privilege.

To see why this is true, it’s not difficult to change a “Hello World” program to print any insult etc of the same length or less, as Claude Shannon proved with Perfect Secrecy the additive product of two or more charecters can be any charecter in the set so “equiprobable”. Thus two or more not insulting strings when added together on a character by character basis as a stream cipher does would give an insulting result.

You can not stop this by just looking at the input of the program or it’s data, you have to execute it and examine the result. But except for a crude filter on “naughty words” there is little you can do. It’s a problem “censors” have had for well over a century and there is sufficient evidence to say that as long as the user has even a small amount of freedom they can use any redundancy in the system to convey what ever information they want (see work by Adam Young and Moti Yung).

Back in the 1970’s the “Strategic Arms Limitations Talks/Treaty”(SALT I and II) ran into the edge of this problem which by the time of the “Comprehensive nuclear Test-Ban Treaty”(CTBT) in 1996 had become a head on problem. As Gustavus Simmons[1] pointed out in a series of papers.

By applying Claude Shannon’s thinking for secrecy to digital signiture systems Gus Simmons came up with “subliminal channels” which make it possible to conceal covert communications in all digital signiture schemes. He used this to show how you could build this into an authentication channel with them.

The first part of which is what I’ve done and described part of above for programing insults to pass through undetected, call it “subliminal insulting” if you want 😉

Oh and I think all AI that tries to do what current LLM’s do because they will need to be “adaptive” will suffer from this issue and proving it to accademic paper standards will not be very difficult.

[1] Gus, was born in 1930, a time some will know was quite bad in the world for various reasons and life for many people was extrodinarily tough by modern standards (both my parents lived through it). But as has been observed out of adversity comes humour and wry observations. Gus has recorded many which you can find with his permission at,

You can also buy it in published book form, ISBN 978-0-578-33869-9. Either way I can recomend reading it.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.