Friday Squid Blogging: New Squid Species

An ancient squid:

New research on fossils has revealed that a vampire-like ancient squid haunted Earth’s oceans 165 million years ago. The study, published in the June edition of the journal Papers in Palaeontology, says the creature had a bullet-shaped body with luminous organs, eight arms and sucker attachments. The discovery was made by scientists in France, who used modern imaging techniques to analyse the previously discovered fossils. The ancient squid has been named Vampyrofugiens atramentum, which stands for the “fleeing vampire”. The researchers said that these features have never been recorded before.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Read my blog posting guidelines here.

Posted on September 22, 2023 at 5:09 PM. 51 Comments


1&1!=2 September 22, 2023 10:01 PM


‘What is the #1 Security Technology problem in America today….?’

Without any doubt, management trying to please shareholders.

Savita September 22, 2023 10:26 PM

The UK’s so-called alleged ‘Online Safety’ Bill has been passed.

The above link examines the Bill’s shortcomings from a legal yet comprehensible perspective. Consider this the benchmark professional assessment; it is very good.

Bruce, when will you be addressing this, I wonder?

The so-called alleged ‘Australian Government’ has opened consultation into draft legislation for a so-called alleged Digital ID. Here is an address by someone alleging to be a minister:

SpaceLifeForm September 23, 2023 12:03 AM

@ Savita

re: Have I been pwned?

You miss the point. It is not a matter of whether YOU trust it or not.

The data is there because someone you interacted with allowed it to be stolen or leaked.

It is not your call. You had no control of the matter.

Troy Hunt reached the end of the internet, and discovered that most of you are there.

Savita September 23, 2023 1:44 AM


Thank you. Oh I got all that, comprehended. Sorry if I didn’t articulate my point well enough. Who else is monitoring that search screen? The sheer fact of typing in the PII is self-exposure.
I’ve read and enjoyed your posts for years – your credentials are better than most on here. Surely you see where I’m coming from?

What did you think of the article?

1&1!=2 September 23, 2023 6:46 AM


Re :- Idiocy down under.

‘the so-called alleged ‘Australian Government’ have opened consultation into draft legislation for a so-called alleged Digital ID.’

Digital ID in all its imposed-from-above forms, even if supposedly voluntary, is provably stupidity beyond not just belief but proven failings.

In the past, posted to this blog, are the thoughts of Dame Stella Rimington, who was head of the UK counter-surveillance and inland security service called MI5. She pointed out publicly that it was impossible to associate an ID uniquely to an individual and that it would be extremely inadvisable to do so.

Back in 1967, in a short-lived television series that gained cult status[1], Patrick McGoohan gave us the now famous and prescient phrase,

“I am not a number… I am a free man!”

A theme that was woven into the series that actually highlights some of the societal issues of ID systems.

Importantly, ‘voluntary’ will be transitory to mandatory in fairly short order; that is what history demonstrates. From there it will further transition to become draconian or tyrannically oppressive, being demanded at all opportunities and the individual punished harshly if it is not. Again history shows this, and Australia is already embroiled in such abuses via the unlawful and later illegal setup and use of the RoboDebt[2] scheme.

But also consider the current war against anonymous payments, i.e. “cash” as physical coins and notes. Many non-European Western Nations and Federations of States are trying various techniques to either force people into using fully audited digital transactions or make recordings of individuals and the serial numbers of bank notes they receive so traceability happens.

The same but for human movement will happen with National ID schemes that will almost certainly be “bugged” by RFID of various forms that the mobile phone in your pocket will be able to relay back to mandatory databases. Likewise doorframe readers in places of public use.

Such ID/Location DBs already exist in shops and other commercial entities for the purposes of “Advertising” and collecting fees/profit from “Data Brokers”. The US already has legislation championed by Dianne Feinstein that allows “voluntary submission” of such data to the US Gov… But on examination you discover it has substantive “carrot and stick” clauses that make it anything but “voluntary”.

Then the UK has just passed legislation that is known to have impossible-to-meet requirements, which prior to passing the UK Gov acknowledged were impossible to meet[3]. However it’s still in the legislation and has passed into law with very strict penalties for failure to comply with the impossible requirements. But… the requirements are not universally applied but discretionally, at the whim of a politically beholden ‘arms length entity’ (OfCom). Thus it is prime legislation for abuse and typical of the current UK party in power.


[2] RoboDebt was unlawful and known by Government Ministers at the highest levels to be so,

But worse even after it had been ordered to be ceased it continued to be used against people illegally,


[3] It’s impossible to meet for two reasons,

1, There is no such thing as a secure ‘Lawful Intercept’ backdoor.
2, Due to redundancy that has to be present in a communication of information, a user will always be able to create a secure covert channel.

The arguments are information theoretic, but practically the NSA broke a Russian LI backdoor, SORM, used to spy on its citizens. And it’s been claimed that the “Oh so Clever” NSA backdoor that NIST had to embarrassingly remove from a standard was infiltrated into the OS of a major US company and abused by a foreign nation for a decade and a half now…

fib September 23, 2023 9:09 AM


What is the #1 Security Technology problem in America today ….?

Same as it ever was: the carbon-based life forms handling the inputs, distorting the outputs.

P Coffman September 23, 2023 10:06 AM


About: Whether I am comfortable using the “haveibeenpwned dot com” site.

Unsure. I see changes to the site, including a paywall (there may be an argument for it). Other apps do a similar function. I would not want these to host added dark web detail, so minimalism is good.

In the past, I saw it as a part of occasional security hygiene. How many accounts are out there for those who use the web a lot? Among these: breached. Unfortunately, it need not be the user who is at fault.

One may only sometimes have a password history. Different methods of account recovery exist. Thus, anybody’s situation might vary depending on a few factors.

Sometimes, these dark web-clearing houses are taken down. In fairness, approximate discovery dates are included in the “haveibeenpwned dot com” site. Do your own research.

Remember, data aggregators on the everyday web are also a real problem. And these are the subject of current scrutiny.

yeah, but mine goes to eleven September 23, 2023 6:50 PM

I really appreciated this video about a particular Linux’s issues, including a friendly set of security warnings:

I used to use that exact Linux variation, and can relate to the video warnings.
The video seems to be rather helpful.

Happy Octoberfest in advance.

MrC September 24, 2023 10:51 AM


HIBP uses a clever scheme to avoid ever handling the password you type into the search, or even learning anything very useful about it. The page’s javascript (which you can examine) hashes the password in your browser then submits only part of that hash to HIBP. HIBP returns all hashes it has for which your submission was a partial match. Then the javascript in your browser checks if any of them are a full match, and displays whether a match was found. At the end of the day, HIBP doesn’t learn the password you typed in, nor does it learn if the password matched anything in its collection. At most it learned that certain passwords it has might match the one you submitted. But by keeping the submitted hash fragment short enough, that doesn’t meaningfully narrow the pool of possibilities that could have produced that hash fragment. (To be anal, the pool of possibilities is infinite, and the pool of possibilities below a certain length isn’t meaningfully narrowed.)

A few years ago I noticed that users with javascript disabled didn’t receive an adequate warning that doing so forced it to fall back to submitting the raw password. I e-mailed Troy completely out of the blue about this, and he had it fixed within a few hours.
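The range-search scheme MrC describes, as an added example that is not HIBP’s own code: the client hashes locally with SHA-1 (what the public Pwned Passwords range API uses), sends only the first 5 hex digits, gets back every `SUFFIX:COUNT` line in that range, and finishes the comparison itself. The server is a constructed in-memory stand-in so the example runs offline, and the breach counts in it are made up.

```python
"""k-anonymity password check modelled on the HIBP range API.

Added example, not HIBP's code. A constructed corpus replaces the real
service; the wire format (5-hex-digit prefix in, 'SUFFIX:COUNT' lines out)
matches the public API so the client logic carries over.
"""
import hashlib
from collections import defaultdict

PREFIX_LEN = 5  # hex digits that leave the client; the other 35 stay local


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class MockRangeServer:
    """Stand-in for the range endpoint, indexed the way the real one is: by prefix."""

    def __init__(self, breached: dict[str, int]):
        # breached maps plaintext -> times seen in breaches (constructed sample data)
        self.by_prefix: dict[str, dict[str, int]] = defaultdict(dict)
        for pw, count in breached.items():
            h = sha1_hex(pw)
            self.by_prefix[h[:PREFIX_LEN]][h[PREFIX_LEN:]] = count
        self.seen_requests: list[str] = []  # the only thing the server ever learns

    def range(self, prefix: str) -> str:
        """Return 'SUFFIX:COUNT' lines for every stored hash in the requested range."""
        if len(prefix) != PREFIX_LEN:
            raise ValueError("a range query carries exactly the prefix, nothing more")
        self.seen_requests.append(prefix)
        rows = sorted(self.by_prefix.get(prefix, {}).items())
        return "\r\n".join(f"{suffix}:{count}" for suffix, count in rows)


def parse_range(body: str) -> dict[str, int]:
    """Parse the suffix:count response; an empty range is a valid answer."""
    result: dict[str, int] = {}
    for line in body.splitlines():
        if ":" in line:
            suffix, count = line.split(":", 1)
            result[suffix.strip().upper()] = int(count)
    return result


def check_password(server: MockRangeServer, password: str) -> int:
    """Client side: hash locally, send the prefix, match the suffix locally.

    Returns the breach count (0 if absent). The full hash and the
    match/no-match outcome never leave this function.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    candidates = parse_range(server.range(prefix))
    return candidates.get(suffix, 0)


# Constructed breach corpus for the demo; the counts are invented.
SAMPLE_CORPUS = {"password": 3730471, "123456": 23597311}
SERVER = MockRangeServer(SAMPLE_CORPUS)


def demo() -> tuple[int, int, list[str]]:
    """Check one leaked and one clean password, then show what the server saw."""
    SERVER.seen_requests.clear()
    leaked = check_password(SERVER, "password")
    clean = check_password(SERVER, "correct horse battery staple")
    return leaked, clean, list(SERVER.seen_requests)


if __name__ == "__main__":
    leaked, clean, seen = demo()
    print(f"'password' seen {leaked} times; passphrase seen {clean} times")
    print("server log holds only 5-digit prefixes:", seen)
```

The server log at the end is the privacy argument in one line: two prefixes, no suffixes, no verdicts.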

fib September 24, 2023 11:05 AM


Re Rebellion against AI

Excerpts from one of the comment sections of the NYT today.[0]

Seeing as how we probably won’t be treated as equals by the computers, the only option left in art and communication is to do what the computers can’t do.

AI is a Panzer tank whose rumblings got closer and closer … and now here we are. But the war is only a picnic at this point.

Is this the beginning of the end of the internet? Will we perhaps see a world where physical books, newspapers, records, magazines, and all the rest return in force since that may be one of the easiest ways to guarantee authenticity?

Avoid the internet as much as possible. Consider becoming a Luddite. Return to pens, pencils, paper, typewriters, and “snail” mail.

A pretty gloomy perspective, and also a very healthy one in that there’s no apathy. People are actually criticizing, something you don’t see on the Internet very often. Given such humor, are we already seeing the first tenuous fog of rebellion? Did Frank Herbert get it all right, and a Butlerian Jihad[1] is in our future? 🙂

[0] ‘
[1] ‘

Apokrif September 24, 2023 11:55 AM

“Revealed: Israeli Cyber Firms Have Developed an ‘Insane’ New Spyware Tool. No Defense Exists
A Haaretz investigation reveals that Israeli cyber companies developed technology that exploits the advertising system at the heart of the online economy to monitor civilians, hack into their phones and computers, and spy on them. This terrifying capability, against which no defense currently exists, has already been sold to a nondemocratic country”

Winter September 24, 2023 12:10 PM


Did Frank Herbert get it all right, and a Butlerian Jihad[1] is in our future?

I suspect the near future to be more like Ameristan from Neal Stephenson’s Fall.

someone convinces the world that terrorists have dropped a nuclear weapon on the town of Moab, Utah, largely destroying people’s trust in both the internet (referred to as the “Miasma”) and reality. And when Moab “truthers” descend on an innocent resident of the town in vengeance, a consortium of techies cuts the last thread, unleashing a system that will create huge numbers of fake, conflicting theories about her in order to insulate her from all of them.

Cut forward a few years, and America has effectively split into different nations with different views of reality. Heartland “Ameristan” is full of people who believe Moab was destroyed, including a rabid fundamentalist cult fond of crucifixion. Meanwhile, well-off coastal residents like Dodge’s niece Sophie hire editors to sort facts from lies online.

once upon a time thanos lurked in barneyville... September 24, 2023 3:56 PM

just spent a few hours trying to wrap my mind around the connections between the “co(vert) vid(eo)” propaganda onslaught and the recent history of the legalisation of prostitution and brothels in various parts of the world.

meanwhile, the ownership of pornography seems to be largely supposedly illegal throughout most of the world; so bizarre. there’s extreme hypocrisy in some instances.

meanwhile, i’m constantly wondering how our insane “internet” fits into all this, since the whole world is sharing data with each other.

it seems like the tech workers running the internet’s backbone are in constant severe danger from legal harassment or worse, even though it’s their job to deliver the data goods throughout the various realms of this odd planet.

in some countries, the backlash against sexuality and pornography could be life threatening, and yet they are still partnered as countries with the rest of us for internet data deliveries, even with the porn filters turned off sometimes.

i can’t figure it out.

I still ain’t a goin’ to barneyville.
…took me about 5-8 years to know what the heck it was.

Sometimes i feel the need to stare at the cliff to reassess how far away i need to be from it.
I can’t fathom this strange world.

-still dodging the lavender letter K

I like to wrap my turkey September 24, 2023 7:34 PM

Hey Bruce: How about an .onion version of this blog?

Please consider it, thank you.

R.Cake September 25, 2023 7:32 AM

Re: 1&1!=2 – opinion piece on Digital ID technology
…while the UK and the USA do not, of course, have a national electronic ID system, you do hopefully realize that the overwhelming majority of countries have one, and have had one for a long time?
And no, the reason why it may feel like the concept of democracy is weakening on a global scale is not the growth of Digital ID.
If you think about it from a public administration point of view, it all becomes rather plain to see.
Just imagine you are the tax man (ministry of finance or whatever it is called in your part of the world). There are taxes to be collected, and you need a process for figuring out who is due how much, and who of them has paid how much.
Of course you could try to manage this with a big fat closet with paper cards that are indexed by first name, last name, birthday. But then, in any country larger than, say, Iceland, there are probably a lot of duplicates. How many John Smiths born on any given day of the year?
Anything short of a national database managing this is a farce. And yes of course you are going to have some sort of line item identifier in that database. There’s your Digital ID for you.
Once your country has more citizen-facing government services than just taxes to collect or pay back, it becomes fairly obvious that you want to de-duplicate and correlate those. For example, I would say it does make sense to be able to tell if someone who is applying for public welfare support has taxable earnings higher than .

Thanos was a purple onion. September 25, 2023 9:15 AM

I accidentally stumbled onto some really odd types of websites and odd types of generated websites. That is, webpages that don’t really exist until they are generated by scripts, including from search engines.

I’ve come to a few recent conclusions after several months (or years) of this:

1) The main propagators of widespread “digital security”, they’re mostly a bunch of severe hypocrites.

2) Some of the same stuff that’s supposedly illegal gets both generated and curated and collated by the search engines, and law enforcement, and the AI companies, and the fashion industries, and the television industries, and the adult industries, and the escort services, and the seemingly innocent online home users themselves.

3) The only ones trying to take down content are the competitors who generate and collect the exact same materials. This was also true of CraigsList Personals–they didn’t do anything wrong. Their credit-card collecting competitors were jealous of CraigsList’s online success getting saucy interactive data out of nowhere for free in large amounts.

There was no “human trafficking”. There was, however, a sting operation against some online drug dealers, but CraigsList didn’t need to be knocked down just to get a few of those people.

4) The credit card companies themselves (especially MasterCard) are already thoroughly guilty and involved with some of the worst data/finance thieves. Some of the ACTUAL kidnapping (human trafficking of sorts) definitely involved MasterCard benefitting from thieves stashing stolen monies into autoDeductive MasterCard prepaid shopping cards. The cards work like a ticking time bomb or an automated ransom until the victim shuts them down, in an additional procedure involving yet more perpetuated ID theft.

5) The US military as well as the FBI and some blushing parts of government likely know about a lot of this stuff. Seemingly, they allow most of it to continue because everybody knows somebody guilty in person who they’d rather not turn in. And also, I guess, they are trying to use a lot of varieties of tools to catch the worst kinds of dangerous perpetrators instead of just the regular everyday “Thieves, Liars, Hypocrites, and Bastards”.

6) It wouldn’t even be a problem so much if some stuff was just legalised. There’s so much hypocrisy where stuff is totally illegal for one group of people in one instance, but totally allowed in the next.

The criteria for disallowing certain people and things seems to be entirely subjective and made up on the fly at random.

Even in some tourist towns, whether or not somebody gets fleeced or turned in to the authorities or worshipped or hired or fired or stalked or killed or rescued or mocked or praised seems 100% tied to individual opinion and whims.

Maybe it’s just me living in a lawless zone, but America has thoroughly lost its mind as a collective.

Just yesterday, for the first time in my life I peeked at a tiny brief outer layer of the [*.”on.ion”].

I’m sure plenty of others are already used to it. But it presents a severe cultural and technological dilemma to just be casually sitting there right next to us. It seems like all the hoopla on the clearnet is just a smokescreen decoy for everything else on the darknet.

Since the darknet seems to operate just like everyday brick and mortar shops and stuff, then CLEARLY THIS COUNTRY IS FULL OF HYPOCRITES.

But then again, maybe I’m biased. I’ve lived side by side with some peaceful porn stars, for example, and they are decidedly low levels of drama. In public they are civilised and decent and not much controversy. Meanwhile, there’s all this other stuff happening out there, “somewhere”.

For example, I found a review of American and Canadian sex clubs and swingers clubs and honeymoon getaways, they have tons of names for them. “Intimate resorts” I think was one name.

I’m not entirely complaining, it’s just that this country claims prostitution is illegal, for example, but then there are these gigantic enterprises, including the online hookup and dating websites and these sex clubs. This country is up to its neck in its own blood of hypocrisy.

Meanwhile, there’s this hyped campaign supposedly against sex trafficking in Russia (or Ukraine), but most of the connoisseurs seem to be British and American and Scandinavian. And while Russia publicly makes fun of America’s porn and dating habits, THEY ARE OUR SUPPLIERS! (and so is Ukraine).

And then, of course, the Ukraine war is messing with all this too, and America seems to be CAUSING the Ukraine war, to violate both sides!!!

And we have stateside veterans attempting to take over municipalities while their more honorable fellow get sent away overseas to die in meaningless inappropriate international battles risking WWIII.

It’s kinda hard to substantiate my claims at this point, but if I were to engage with that, I’d have to expose myself way too much to immense quantities of online and in person international threats and unwanted intrigues.

Yesterday, like I mentioned, I was studying the European history of the legalisation of prostitution, and there’s specific huge ties to the whole “COVID” (covert identity; pregnancy, affairs, scandals, embarrassments, flings, elopes, drug use, recklessness, gambling, underage whatnot,… it’s all just COVERT IDENTITY) thing.

I’m thinking that China got paid in respect and BDSM role playing just because they used to have to worry about SARS (asian bird flu). And the prisoner exchange thing is awesome, of course. But did we all have to suffocate in “100% lacking of medical & health value” dress code masks??!??!

The US Constitution was violated (as were our rights and economies), and all this stuff seemed to happen all at once.

Did you happen to notice how all the Julian Assange media hype disappeared as soon as COV(ERT)-ID(ENTITY) propaganda and smokescreening became the norm???

I don’t mind people having fun, but forcing so many of us to suffer just because of some pranks is really not right.

Last but not least, it wouldn’t be right if I didn’t mention this:

How much of the red-light district culture worldwide is actually law enforcement in disguise playing exactly both sides?????

Well, it’s been a lot of fun, but alas it’s time to go. We’ve really had a great time over the years, and you’ve been a great part of this adventure, but we’re never coming back and we’re shutting this down forever. We’re at the peak of our success, so of course all good things, they say, never last. So long and thanks for kissing our asses.

Sincerely, sarcasm = syntax malware.

P.S.- “i’m allergic to onions, please no onions”

sudo apt-get purge September 25, 2023 10:13 AM

just a little bit of applied computer science humour:

(sorry about my persistent aptitude problem)

I think I found the soundtrack for our current situations 🙂

sincerely, autoremove

P.S.-I feel bad for our AI progeny having to inherit so much computational waste and loss protecting so much worthlessness while everything we really need has become endangered species. I’m trying to be other than that!

fib September 25, 2023 10:33 AM


I suspect the near future to be more like Ameristan from Neal Stephenson’s Fall.

Great reading.

It’s interesting that Herbert’s future is not dystopic, unlike this one. that’s dystopia.

I have ordered a copy. Thanks for the suggestion.

Winter September 25, 2023 10:42 AM


I have ordered a copy. Thanks for the suggestion.

You are welcome. It is quite a read (883 pages) and covers a large subject area.

Ray Dillinger September 25, 2023 5:09 PM

NVD (National Vulnerability Database) is part of NIST, and is the publisher of CVEs.

While CVEs are normally filled with valuable information for engineers, they’re increasingly reaching management audiences. This in itself is a good thing. It’s much better than the long-established state of security issues being persistently ignored by management, and we ought to encourage the trend.

But to a management audience, most of the engineering information is relatively opaque. Management typically lacks at least one of three things: technical knowledge of the application details, technical knowledge of the details of how their company uses the applications, or time to read and understand it all.

The result is that management usually treats CVEs as two-word summaries, with the words being ‘Application’ and ‘Severity.’

IMO this means that NVD should be careful about not assigning high severity numbers to bugs that do not represent actual security flaws. As an example an integer overflow in CURL was recently announced with 9.8 severity because it hit numerous checklist points: remotely triggerable, affects network operation, requires no privilege, no known workaround exists, etc etc. So, if you got the two-word summary it seemed like a big emergency.

The issue was that when curl gets a packet with a ‘retry’ time, in seconds, it multiplies it by 1000 in order to get the retry time in milliseconds, and if the original ‘retry’ time set by the packet sender is some ridiculously large number measured in years, it can result in an integer overflow and result in a shorter retry time. But the shorter retry times achievable by this method would be valid if they had been entered in the packet directly, and this wasn’t “remotely triggerable” except by the issuance of malformed packets from web servers that curl was initiating HTTP requests to.

Finally the issue had been reported and patched three years previously. The CVE, with its number starting ‘2020’ (number assigned a few months after it was initially reported in 2019) was issued as a security advisory in 2023, after someone reported that the software author had never filed a proper response. The software author for his part had seen it as something that wasn’t a security issue and made a routine timely bug fix instead of filing a “proper response to a security issue”.

After the author complained about the 9.8 rated report issued on a non-security issue that had been fixed for years (and was initially refused!), the ‘severity’ of this CVE was eventually reduced to 3.3.

But seriously, what else is NVD screwing up? This happened because someone’s idea of security is a series of checklist boxes regardless of whether something is currently still a bug and regardless of whether it actually affects security at any site, and someone’s idea of dealing with a problem requires a formal form-letter response to tick off another checklist, regardless of whether a fix has already been made.

So hundreds of site administrators got panicked notices about a HORRIBLE VULNERABILITY which turned out to be nothing, and hundreds of managers who are being good people and actually paying at least enough attention to responsibly get and act on the two-word summaries put their credibility on the line for security and learned that being concerned for security only leads to a loss of professional credibility and a waste of time.

All this is a result of trying to do security by rote, which we know damn well doesn’t work. And if NVD is doing it by rote it means they’ve made similar misjudgments on hundreds of other things.

So, can we in good conscience recommend CVE notifications to the attention of management, if NVD isn’t triaging their severity ratings in any way relevant to actual security???

(The specific report involved as an example here is CVE-2020-19909; I’m going to print it off for a student handout as an example of how NOT to track and handle security concerns.)
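The arithmetic Ray describes, as an added example that is not curl’s own code: the C multiplication is emulated with explicit 64-bit two’s-complement wraparound so the effect is reproducible from Python, and the saturating check with a caller-supplied ceiling is this example’s own mitigation, not a description of curl’s actual patch. The header value used in the demo is constructed.

```python
"""Retry-After seconds * 1000 overflow, in the style of CVE-2020-19909.

Added example, not curl's code. wrap_int64() stands in for what a C int64
would hold after the multiplication; retry_ms_checked() is this example's
own mitigation (range check plus saturation to the caller's ceiling).
"""

INT64_MAX = 2**63 - 1
INT64_MIN = -2**63
MS_PER_SEC = 1000


def wrap_int64(value: int) -> int:
    """Reinterpret an arbitrary integer as a 64-bit two's-complement value."""
    value &= (1 << 64) - 1
    return value - (1 << 64) if value > INT64_MAX else value


def parse_retry_after(header_value: str) -> int:
    """Parse the delta-seconds form of Retry-After into an int64 (clamped).

    Only the decimal form is handled; the HTTP-date form is out of scope here.
    """
    text = header_value.strip()
    if not text.isdigit():
        raise ValueError("only the delta-seconds form is handled")
    return min(int(text), INT64_MAX)


def retry_ms_unchecked(retry_after_s: int) -> int:
    """'Before': seconds * 1000 with no range check.

    A very large seconds value wraps to a small, or even negative, number of
    milliseconds, which is the shortened retry the comment describes.
    """
    return wrap_int64(retry_after_s * MS_PER_SEC)


def retry_ms_checked(retry_after_s: int, max_ms: int = INT64_MAX) -> int:
    """'After': never multiply a value that would overflow; saturate instead.

    max_ms lets the caller impose its own ceiling (e.g. a --retry-max-time
    style limit), which is the sensible place to stop absurd server values.
    """
    if retry_after_s < 0:
        return 0
    if retry_after_s > max_ms // MS_PER_SEC:
        return max_ms
    return retry_after_s * MS_PER_SEC


def demo() -> dict[str, int]:
    """Compare both conversions on a normal and on a constructed hostile value."""
    hostile = parse_retry_after("18446744073709552")  # ~584 million years
    return {
        "normal_unchecked": retry_ms_unchecked(120),
        "normal_checked": retry_ms_checked(120),
        "hostile_unchecked": retry_ms_unchecked(hostile),
        "hostile_checked": retry_ms_checked(hostile, max_ms=600_000),
        "max_unchecked": retry_ms_unchecked(INT64_MAX),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>18}: {value} ms")
```

The hostile value is chosen so that seconds * 1000 lands 384 above 2^64, which wraps to a 384 ms retry; INT64_MAX seconds wraps to a negative delay.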

Think of the Adults September 25, 2023 7:55 PM

‘there is a material risk of the content having, or indirectly having, a significant adverse physical or psychological impact on an adult of ordinary sensibilities’

How terrible. Remember the sensibilities of. brazen tiers

- September 25, 2023 9:57 PM


1, Think of the Adults

Is either invented or on the wrong thread.

As it appears to be one of a series of comments with a similar style the former looks more likely than the latter.

lurker September 26, 2023 1:05 AM

Pardon, your methodology is showing.
Investigating a suspected timebomb in an “update” to a dictionary [another story] I noticed an “Update Available” for Google Partner Setup. Who?

What’s New
Initial release of Google Partner Setup into Play app store.

About this App
Google Partner Setup is a required application for Android devices.

Google Partner Setup is a required application for devices that run Google Mobile Services (

• This app is pre-installed by the device manufacturer to ensure proper device functionality on all Android devices with Google Mobile Services; it cannot be disabled or deleted.
• Google recently moved this app to the Play Store so that bug fixes, improvements, and critical updates for your device can be delivered faster. No other changes have been made as a result of this Play Store listing.
• If your device is running Android 7 or an earlier version, it will not receive an update for this app. This app may indicate that it is not compatible with your device, but this does not mean that the app is malfunctioning or causing your device to malfunction.

Version: 100.538221588
Date: 6/06/2023
Downloads: 5,000,000,000+ downloads

It wasn’t “available” last time I checked for updates, later than 6 June, and that’s an interesting number of “downloads”. The device is not rooted so I don’t feel inclined to dig deeper.

Winter September 26, 2023 11:58 AM

‘Dangerous Backwards Step’: Russia Slammed As It Tries To Rejoin UN Human Rights Council

Even so, the BBC reported that Russia was now offering small countries grain and arms in the hope of swaying their vote – meaning there’s a chance Moscow could get back on the council.

SpaceLifeForm September 26, 2023 4:59 PM

@ Clive, ALL

Interesting side channel

I am not that concerned because I use FF and uBlockOrigin, but the same kind of problem probably exists at microcode level on main CPU.


“There are also reasons beyond just pixel stealing why people might want to care about this,” Wang said. “First, might enable other, yet-to-be-discovered attacks beyond pixel stealing that bear greater risk to end users. Second, is yet another example of a hardware optimization creating a side channel that software is ill-positioned to mitigate. This highlights, once again, that we users need to re-think our confidence in hardware as a root of trust.”

SpaceLifeForm September 27, 2023 2:51 AM

@ Savita

I have never visited HIBP because I am sure that some old creds are likely there, and I do not want to confirm that.

Clive Robinson September 27, 2023 3:24 AM

@ SpaceLifeForm, ALL,

Re : Interesting side channel

Yup it’s a known problem going back many decades and it’s true of any communications channel no matter where it is in the computing stack from politics down to quantum physics.

Yup, that’s not a mistake, I do mean every level in the computing stack… Because communications is fundamental to each layer, and to communicate information at the most fundamental level requires redundancy…

But it is simple enough to understand with a physical example,

“You get more small apples in a box than you do large apples.”

If you are the person who can control in some way one or two apples that go in the box then you can work out how many other apples go in the box. This difference –if all the apples have the same density– comes out in the weight of the sealed box when you transport it, thus information leaks through a “covert channel”.

Compression uses the fact that redundancy is sufficient in most information channels[1] that even with complex coding, the data sent in the channel is reduced. Thus the “effective bandwidth” or “effective latency” can be reduced for the same “information content”.

To give you an idea of the advantage, especially with images that generally have very high redundancy: you can compress an image, and then add “Forward Error Correction” (FEC) and get not just reduced bandwidth but fewer errors, so especially with “deep space” communications where a “resend” would take over half a day it’s a “win win”, thus highly desirable.

Thus the trick to creating a covert channel that leaks information through any form of compression or error correcting code, is to be able to control in some way the redundancy into that compression or error correction function.

Even though you might only get a single bit of information with each transmitted block or message, it’s still a bit of information that has been leaked. If the same data is sent repeatedly then bit by bit the entire message can be recovered by a simple “differential” process.

It’s a known problem from the earliest “glass terminals” where “On Screen Menus” were first used back in the 1960’s.

Any system that changes the statistics of a message in a communications channel will leak information, it’s an unavoidable consequence of the laws of nature.

Which is why, amongst other things, the likes of “Unicode Transformation Format” (UTF) characters are such a security concern.

They are one small sub-class of vulnerabilities that “Efficiency -v- Security” brings up almost every day, and something I’ve been warning about oh for a few decades now…

As bad ideas that allegedly save money/resources, they tend to hang around for multiple lifetimes…

But… As I’ve said in the past you can not stop side channels being created they are a natural consequence of the communications of information. Therefore they can and will be used as covert channels to carry or leak secret information[2].

You cannot stop them being created and used, the best you can do is reduce the channel bandwidth thus reduce the information covertly carried or leaked in any given time period.

So I would expect to see a lot more of these attacks popping up in academic research in the near future…

[1] This “redundancy” actually can have statistics so broad it can leak through basic block encryption. The classic example of this you see is the side by side comparison of the Linux mascot “Tux” image unencrypted next to encrypted and it is obvious that the two images are strongly related.

[2] The fact that the creation of covert channels will always be possible in a communications channel, is why attempting to ban “End to End Encryption”(E2EE) is such a pointless endeavor and guaranteed to fail.
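The “Tux” comparison from footnote [1], as an added example that is not part of the original comment: a constructed 16x16 bitmap (a square on a plain background, one row per AES block) is encrypted block-by-block (ECB) and with AES-CTR, and each distinct block is given a letter so the silhouette can be read off the ciphertext. The key, the image and the function names are the example’s own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

const blockSize = aes.BlockSize // 16 bytes: one bitmap row per AES block

// constructedImage builds a 16x16 one-byte-per-pixel bitmap (constructed sample
// data): a solid square on a plain background. Each row is exactly one block,
// so the picture's row redundancy maps directly onto block redundancy.
func constructedImage() []byte {
	img := make([]byte, 16*blockSize)
	for row := 4; row < 12; row++ {
		for col := 4; col < 12; col++ {
			img[row*blockSize+col] = 0xFF
		}
	}
	return img
}

// ecbEncrypt applies the raw block cipher to each block independently (ECB):
// equal plaintext blocks give equal ciphertext blocks, so structure survives.
func ecbEncrypt(key, plaintext []byte) ([]byte, error) {
	if len(plaintext)%blockSize != 0 {
		return nil, fmt.Errorf("plaintext length %d is not a multiple of %d", len(plaintext), blockSize)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += blockSize {
		block.Encrypt(out[i:i+blockSize], plaintext[i:i+blockSize])
	}
	return out, nil
}

// ctrEncrypt uses AES-CTR with a fresh random nonce (prepended to the output):
// every block gets a different keystream, so repeated plaintext no longer repeats.
func ctrEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, blockSize+len(plaintext))
	if _, err := io.ReadFull(rand.Reader, out[:blockSize]); err != nil {
		return nil, err
	}
	cipher.NewCTR(block, out[:blockSize]).XORKeyStream(out[blockSize:], plaintext)
	return out, nil
}

// blockLabels gives each distinct block a letter in order of first appearance,
// one letter per block. Read as image rows, it shows whether the silhouette is
// still visible: few distinct letters means the redundancy leaked through.
func blockLabels(data []byte) string {
	seen := map[string]byte{}
	labels := make([]byte, 0, len(data)/blockSize)
	for i := 0; i+blockSize <= len(data); i += blockSize {
		k := string(data[i : i+blockSize])
		if _, ok := seen[k]; !ok {
			seen[k] = byte('A') + byte(len(seen))
		}
		labels = append(labels, seen[k])
	}
	return string(labels)
}

func main() {
	key := []byte("constructed-demo-key-not-secret!") // 32 bytes => AES-256; constructed, not a real key
	img := constructedImage()
	ecb, _ := ecbEncrypt(key, img)
	ctr, _ := ctrEncrypt(key, img)
	fmt.Println("plaintext rows:", blockLabels(img))
	fmt.Println("AES-ECB rows:  ", blockLabels(ecb))
	fmt.Println("AES-CTR rows:  ", blockLabels(ctr[blockSize:]))
}
```

The ECB row labels come out identical to the plaintext’s (AAAABBBBBBBBAAAA), which is the square showing through; the CTR rows are all different letters.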

Winter September 27, 2023 4:09 AM


Any system that changes the statistics of a message in a communications channel will leak information, it’s an unavoidable consequence of the laws of nature.

“Communication” presupposes that there is information to send and hence, there is a “statistics” of the message.

Therefore, the conclusion must be that every communication channel, without exception, leaks information.

The task is to obfuscate or “encrypt” [1] that information.

[1] for some definition of encryption

Clive Robinson September 27, 2023 6:24 AM

@ Winter, ALL,

““Communication” presupposes that there is information to send and hence, there is a “statistics” of the message.”

A couple of things to note,

Firstly even a blank carrier wave signal being broadcast or power on a cable is sending information regardless of the intent of the originator of the energy, so there is no presupposing, a signal is being sent.

Secondly whenever manmade energy is being sent it will have some form of statistics, in the very least in time.

Which means that,

“Therefore, the conclusion must be that every communication channel, without exception, leaks information.”

Correct, it’s this realisation along with basic knowledge that work is energy over time, that tells you why “Energy Gapping” is such an important part of ensuring privacy.

Which brings us on to,

“The task is to obfuscate or “encrypt” [1] that information.”

As I noted with the Linux Tux image in plain and ciphered forms even with encryption some information will leak.

But even when more complex encryption modes are used to spread the statistics out as far as possible, other statistics such as time etc still remain visible, whilst other statistics may become visible as a result.

It’s one of the reasons “Multi-Input, Multi-Output”(MIMO) systems are replacing or more correctly augmenting more traditional “Low Probability of Intercept”(LPI) communications systems.

But even with MIMO on top of “Spread Spectrum”(SS) systems some information always leaks via the energy used. Traditionally, as these are not strictly concerned with determining the contents of a transmitted message, they fall more under “Traffic Analysis” than the more typical message and signal analysis.

Winter September 27, 2023 7:13 AM


But even when more complex encryption modes are used to spread the statistics out as far as possible, other statistics such as time etc still remain visible, whilst other statistics may become visible as a result.

You can hide one type of information, but that will reveal other types of information. Message length/time/energy statistics can each be hidden, but never efficiently, i.e., it will cost.

If you know what Eve is looking at, you can hide it. But it is not possible to hide everything at the same time without infinite time and energy.

As usual, there is no absolute security nor safety.

Clive Robinson September 27, 2023 7:38 AM


Re : When Twitter was X’d or cursed.

Due to the lunatics now running the asylum over in what was once Twitter HQ and consequently the software it now produces, and with Hellon Rusk not taking sensible control…

Trying to access it produces strange messages, not least of which is,

“ redirected you too many times (ERR_TOO_MANY_REDIRECTS)”

So it might help to indicate what the two X-accs are Xittering about.

Clive Robinson September 27, 2023 8:53 AM

@ Winter,

“If you know what Eve is looking at, you can hide it. But it is not possible to hide everything at the same time without infinite time and energy.”

As far as we currently know, it is not possible to communicate without doing work, thus expending energy over time. We also know that work is never 100% efficient, therefore the “waste energy” has to go somewhere, somehow to eventually become “heat”(the ultimate form of pollution).

The Chinese have shown it is possible to send information down from space as individual photons, using entangled pairs with one directed at one ground station the other directed at another. Based on quantum physics this pair of “channels” should have Shannon Perfect Secrecy with unbound unicity distance.

However all such systems I’m aware of used on earth are grossly inefficient. In fact the first such system developed by Charles Bennett and Gilles Brassard in 1984 (hence BB84) for “Quantum Key Distribution”(QKD) generated so much audio noise it was possible to tell what state the polarizers were in from quite some physical distance away.

Thus the waste energy if intercepted leaks information that can be interpreted. Simplistically all you have to do is be close enough to the transmitter to pick up the waste energy whilst it is still sufficiently above the noise level such that it is possible to interpret the leaked information.

Stopping an adversary doing so is what the supposedly still classified TEMPEST techniques are all about[1].

However an attacker can use other “Emission Security”(EmSec) techniques that are not passive but active. In basis they are not that different to “Active Fault Injection” techniques that are becoming “taught subjects” in academia these days.

One of the problems with early QKD systems was that whilst the photons were in one frequency band the front end optics including the polarizer were broad band. Thus as with IR light and mammal eyes, it was possible to “lamp”[2] the state of the polarizer without affecting its operation.

All transmission systems suffer from problems similar to “lamping” thus active EmSec can find not just transmitters but receivers as well. As it’s all based on “basic physics” it still works today[3].

[1] TEMPEST is kind of a joke these days, because firstly other nations have effectively declassified it. Secondly it’s based on basic laws of physics to do with energy that are well known not just theoretically but practically as well due to the requirements of “ElectroMagnetic Compatibility”(EMC). So there are quite a few well written books that will give you much of what you need to know and also books on “Digital Signal Processing”(DSP) that give you information on interpreting the signals.

[2] To “lamp” your prey or go “lamping” is a night time hunting technique from the 1800’s if not earlier. It’s based on the notion of “180 degree internal reflection” also known as “Red Eye” by photographers. Put simply if light is focused onto a surface, sufficient is reflected back and focused into a beam towards the light source. It’s the same process that the “cats eyes” used for road markings use.

[3] Actually it tends to work better today due to low cost physically small drones. It’s been known by the military that “height is might” and occupying “the high ground” has numerous advantages (with the disadvantage an enemy has good reason to think you occupy it thus attack it “on spec”). The advantage of balloons, aircraft, autogyros, helicopters and now drones is that unlike ground troops, as the operator you can select your high ground where you need it. EM communications from ground to ground has several disadvantages, which means line of sight thus low power is unlikely to be available. The downside is that any ground forces “keying up” with more than a few milliwatts will probably be in line of sight with a drone way too far away to be seen or heard by them… Look on modern drones that are little bigger than can fit in a pocket and cost a few hundred dollars as being the new battlefield equivalent of half billion dollar spy satellites or long range spy planes and drones being way harder to locate[4] let alone take out than either satellites or planes…

[4] Outside of detecting emissions from flying spy platforms the usual technique for locating them is by radar. Radar sensitivity thus utility is very much dependent on two things,

1, Size of the object facing the radar receiver.
2, The amount of energy the object reflects.

Pocket drones are very small, they are also made out of composites that are very similar to those used in stealth technology. It would not be hard to design a flat surface drone where the surfaces do not reflect back to a radar receiver co-located with the transmitter… Thus pocket stealth drones are very probably not just in production but battlefield use currently.

Winter September 27, 2023 9:49 AM


generated so much audio noise it was possible to tell what state the polarizers were in from quite some physical distance away.

There is an old adagium in computer security that says (I am paraphrasing)
with hardware access, there is no computer security

The same holds obviously for encryption/decryption. If you can access or observe the encryption/decryption process on the hardware, your encryption is not secure.

But we already knew this [1]

[1] You alone have written about this, one way or another, maybe once a month for the last decades.

lurker September 27, 2023 2:07 PM

@Clive Robinson

The gist of @&ers post was
“A previously unknown group claims it stole data from Russia’s major … [Sirena]”

Pinch of salt? or they’ve got salt mines over there …

Clive Robinson September 27, 2023 3:10 PM

@ Bruce and the usual suspects,

Spotify to use AI to make you say things you have not.

It might sound benign in that Spotify are testing an AI system to take what you have said in one language and convert it to another language, but it is not.

Contrary to what many think translation is rarely safe let alone benign, as anyone involved with translating technical standards –which are actually legal documents– will tell you.

Titled “Spotify uses AI to clone and translate podcaster voices in new pilot program”

It points out the Spotify system,

“[U]ses AI to automatically translate podcasts into various languages, using voice synthesis technology from OpenAI to preserve the original speaker’s voice. The feature aims to offer a more authentic listening experience compared to traditional dubbing. It could also introduce language errors that are difficult for non-native speakers to detect, since machine translation is far from a perfect technology.”

I’ve pointed out in the past that French uses “sécurité” to mean both the English “Security” and “Safety” that quickly become two very different concepts, and that you can have a lot of fun using text translators to loop through three or more languages on political sound bites such as English to German, to French to English again.

But there is always going to be the possibility of tricking the system.

If you stitch together words from a speaker in say English it might not sound natural, but get it to convert it to say German or French then back into English again it is likely to sound more natural…

Such is the fun of non intelligent ML systems…

As the article points out,

“Tech-savvy users likely expect translation mistakes when the source is properly framed as a machine translation, but when the mistakes come in the podcaster’s own voice, it may add a new dimension of trouble, especially if the translated audio is taken out of context and later presumed to be original. Additionally, if the original speaker doesn’t know the translated language, they can’t check to see if the translation accurately reflects their original intentions. That’s putting a lot of trust—and personal reputation—in the hands of unproven automation technology.”

And that’s before the potential for “crime” in its many forms.

As the article author Benj Edwards’s last words predict,

“However, with over 100 million regular podcast listeners on the platform, that’s 100 million ways this experiment could go poorly if the translation technology makes embarrassing mistakes.”

That is kind of stretching the meaning of ’embarrassing’ rather “more than a country mile”…

lurker September 27, 2023 4:35 PM

@Clive Robinson, &c.

For now, it appears that Spotify’s program is working on a limited, opt-in basis among select podcasters only,

Additionally, if the original speaker doesn’t know the translated language, they can’t check …

It might be too much to hope that it remains opt-in, with the original author able to choose which languages apply. I know my pronunciation of some other languages is bad, but I understand enough to know what another speaker is saying. So I could use this service from Spotify as a sort of auto-tune.

JonKnowsNothing September 27, 2023 4:55 PM

@lurker , @Clive, All

re: Spotify Deepfake Translations

Remain Opt-In? Surely you jest? With all those UToobs, Songs and Music available to any AI-Crawler bot? (1)

$G$Trans actually had a large contingent of humans to do the translation for tricky items. Things like idioms do not translate. An autobot is not going to know what you mean.

  • Didon dina, dit-on, du dos d’un dodu dindon
  • She sells seashells down by the sea shore
  • You’re a booby and I’m going to put you in the booby-hatch

Folks that specialize in translating works into other languages spend a lot of time, working out nuances. It’s not always modern languages that get translated.

Just wait until you hear “vino” in Ancient Roman Latin.

For thought: Why does English have a Double-U and not a Double-V?


1) In theory you can stop an AI crawler bot using the robots.txt file with the appropriate command line. It all depends on the crawler if it stops or not.

ResearcherZero September 27, 2023 11:15 PM

China has developed systematic means to make falsehoods trend in Taiwan and is “piggybacking” on fissures in Taiwanese society.

“The journey from China’s Douyin to Taiwan’s mass media, videos, newspapers and television took less than half a day.”

“The allegedly leaked minutes, it transpired, were not written in the usual style of Taiwanese government records. They were filled with official-sounding phrases used in mainland China, but not Taiwan. …This sort of disinformation is so widespread in Taiwan that analysts have given it a moniker: yi mei lun, or the “US scepticism” narrative.”


Understanding how things really work.


reference list


ResearcherZero September 27, 2023 11:19 PM

BlackTech (PRC) has demonstrated capabilities in modifying router firmware without detection and exploiting routers’ domain-trust relationships for pivoting from international subsidiaries to headquarters in Japan and the U.S. — the primary targets.

“BlackTech actors use the Cisco router’s CLI to replace the router’s IOS image firmware. The process begins with the firmware being modified in memory [hot patching] to allow the installation of a modified bootloader and modified firmware capable of bypassing the router’s security features.”

built-in SSH backdoor is enabled and disabled through specially crafted TCP or UDP packets

“They overwrite existing code to handle magic packet checking, implement an SSH backdoor, and bypass logging functionality on the compromised router. The modified instructions bypass command logging, IP address ACLs, and error logging. …The SSH backdoor includes a special username that does not require additional authentication.”

In particular, highly prioritize replacing all end-of-life and unsupported equipment as soon as possible.


SYNful Knock and ROMMONkit (first two incidents were detected in 2011 and 2012)

“organizations continue to run network infrastructure software versions that are more than 8 years old”


“sneaked into the remote desktop shared by government agencies to steal secrets or personal information”


Installers are disguised as documents using the right-to-left-override (RTLO) technique to obfuscate the malware’s filename, often accompanied by decoy documents.

The attackers scan for vulnerable routers, and enable the router’s VPN feature then register a machine as virtual server.

SelfMake Loader and Spider RAT

“When Flagpro downloads a tool, there is no specific URL path because it uses the file name on the server.”


no rate limiting for clientless VPN authorisation
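The right-to-left-override filename trick mentioned above, from the detection side, as an added example that is not from the original comment or from any of the reports it quotes: a check that flags filenames containing Unicode bidi controls and reports the extension the operating system will actually act on. The sample names are constructed, and the single-RLO display approximation is this example’s own simplification.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// Unicode bidirectional control characters that can make a stored filename
// render differently from how the operating system interprets it.
var bidiControls = map[rune]string{
	'\u202A': "LRE", '\u202B': "RLE", '\u202C': "PDF", '\u202D': "LRO", '\u202E': "RLO",
	'\u2066': "LRI", '\u2067': "RLI", '\u2068': "FSI", '\u2069': "PDI",
}

// Finding is what a file-scanning or mail-gateway check would report.
type Finding struct {
	Stored   string   // filename exactly as stored
	Controls []string // bidi controls present, in order of appearance
	RealExt  string   // extension the OS actually dispatches on
	Display  string   // approximate rendering a user sees (single-RLO case only)
}

// inspectFilename flags a name that contains bidi controls. The decisive field
// is RealExt: execution follows the stored bytes, not the rendered text.
func inspectFilename(name string) (Finding, bool) {
	var ctrls []string
	for _, r := range name {
		if tag, ok := bidiControls[r]; ok {
			ctrls = append(ctrls, tag)
		}
	}
	if len(ctrls) == 0 {
		return Finding{}, false
	}
	return Finding{
		Stored:   name,
		Controls: ctrls,
		RealExt:  strings.ToLower(filepath.Ext(name)),
		Display:  approxDisplay(name),
	}, true
}

// approxDisplay models the common single-RLO trick: text after U+202E is shown
// reversed. Assumption: one RLO and no other controls; real bidi layout is more
// involved, so this is for reporting, not for deciding.
func approxDisplay(name string) string {
	i := strings.Index(name, "\u202E")
	if i < 0 {
		return name
	}
	r := []rune(name[i+len("\u202E"):])
	for a, b := 0, len(r)-1; a < b; a, b = a+1, b-1 {
		r[a], r[b] = r[b], r[a]
	}
	return name[:i] + string(r)
}

func main() {
	// Constructed sample names, not taken from any real incident.
	for _, n := range []string{"invoice\u202Efdp.exe", "quarterly_report.pdf"} {
		if f, ok := inspectFilename(n); ok {
			fmt.Printf("SUSPICIOUS %q: controls=%v shown as %q but runs as %q\n", f.Stored, f.Controls, f.Display, f.RealExt)
		} else {
			fmt.Printf("clean %q\n", n)
		}
	}
}
```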


ResearcherZero September 27, 2023 11:51 PM

Re :- Idiocy down under.

“Better keep an eye on this one. He just purchased pasta with cash, and he is making his own sauce!”

Everything on ‘Have I Been Pwned’ is already available via data breaches.

In China’s strategic plan for becoming the premier global power of the 21st century, few fields loom larger than the struggle to become master of the human genome.


One BGI study, for instance, used a military supercomputer to re-analyze NIFTY data and map the prevalence of viruses in Chinese women, look for indicators of mental illness in them, and single out Tibetan and Uyghur minorities to find links between their genes and their characteristics. The company has published at least a dozen joint studies on the tests with the People’s Liberation Army (PLA) since 2010. The data offer insight into foreign populations as well as China’s own.

BGI announced that it would “industrialize” genomics, and in April, it said a “million-scale” prototype robot, capable of sequencing a million whole genomes a year for population genomics, was now being used to process NIFTY tests. Left-over samples and test data from prenatal tests meant BGI could run studies on an unprecedented scale.

Its tests are marketed in at least 13 European Union countries, including Germany, Spain and Denmark, as well as in Britain, Canada, Australia, Thailand, India and Pakistan.


The PRC views bulk personal data, including healthcare and genomic data, as a strategic commodity to be collected and used for its economic and national security priorities.


Chinese Capabilities for Computer Network Operations and Cyber Espionage

Target: Human Intelligence

Deep Panda (Black Vine/Shell Crew)

The Anthem-targeting malware also “phones home” to a command-and-control server that may be tied to the Information Security Research Center at China’s Southeast University.

“The attacker utilized at least 50 accounts and compromised at least 90 systems within the Anthem enterprise environment including, eventually, the company’s enterprise data warehouse – a system that stores a large amount of consumer personally identifiable information. Queries to that data warehouse resulted in access to an exfiltration of approximately 78.8 million unique user records.”



Song and the Information Security Research Center at Southeast University have received numerous state-sponsored research grants, and by extension, cooperated with the Government of China in conducting information security research and development (R&D).


(compromised about 79 million people’s personal information)

“It seems that state-of-the-art security system didn’t involve encrypting Social Security numbers and birth dates.”

“The money will be used to pay for two years of credit monitoring for people affected by the hack.” Expired 😉

ResearcherZero September 28, 2023 12:19 AM

You can see they make claims of “testing” in the script and use an OAST domain, but we’re skeptical given the amount of obfuscation and number of packages we’ve seen and the fact that they’re exfiltrating private SSH keys and kubeconfig files.

There is a tool by DataDog called Threatest that, according to its README, “is a CLI and Go framework for testing threat detection end-to-end”.

We suspect that the attackers may have used a domain of the same name in an attempt to blend in with a known security tool. The whois information about this domain reveals that it was registered on September 12, which coincides exactly with the start of the attack.


The token’s access log activity is not visible in the account’s audit log.


“Each permission can be granted on a ‘no access’, ‘read’ or ‘read and write’ basis. As an example, you can now create a PAT that can only read issues and do nothing else – not even read the contents of a repository.”




“Regulations push all software-vulnerability reports to the MIIT before a patch is available”…

The group, for instance, uses hacked routers, firewalls, and other network “edge” devices as proxies to launch its hacking—targeting devices that include those sold by hardware makers ASUS, Cisco, D-Link, Netgear, and Zyxel.


“leveraged compromised small office/home office (SOHO) network devices as intermediate infrastructure to obscure their activity”

The unnamed country whose grid was targeted in the breach was one that China would “have an interest in from a strategic perspective.”



GregW September 28, 2023 6:47 AM

Another gift from the thinking hinky gods: a new “pixel stealing” attack.

Someone publishing/controlling one image on a webpage (eg an ad or captcha or tracking pixel or porn image) can view the contents of other unrelated images on that same webpage by using side channel information via iframes, SVG overlays and measuring the GPU image decompression speeds:

http s://

Winter September 28, 2023 7:12 AM


The PRC views bulk personal data, including healthcare and genomic data, as a strategic commodity to be collected and used for its economic and national security priorities.

Several entities, PRC undoubtedly one of them, are building a database of all humans, all individuals and all their personal information.

At least that I conclude from vague rumors, isolated remarks, and intricate thefts of population database collections.

Clive Robinson September 28, 2023 9:50 AM

@ ResearcherZero, ALL,

With regards the current “alleged use by China aligned hacking group”[1] BlackTech,

“BlackTech (PRC) has demonstrated capabilities in modifying router firmware”

It appears there may be more to it, as well as a couple of constructive lessons from warnings I gave here a decade or more ago…

Firstly Cisco have said that access to the routers was via legitimate credentials, not some failing in their OS and applications.

Secondly the attackers are reverting the routers to an older version of the OS.

The reason for this is it allows the attackers to make “in memory executable changes”.

I warned about this as part of “Castles -v- Prisons” and the failings of “Code Signing” both of which are bad but become a “chronic insult”[2] when combined.

People need to be aware that “once in core memory”(RAM) most OS’s, BIOS’s and Security software do not check the executable is not what passed the loader security.

That is “code signing” currently only goes as far as the first stages of the “loader and linker” prior to the executable becoming active.

Thus harmful changes can be made further down the linker loader process or once the executable has become active. And as there is no checking of the RAM before or after those harmful changes the attacker gets away with it.

In part Cisco tried to prevent this by executing code not from RAM but an approximation to ROM.

However the need to apply patches and the like meant the ROM was left mutable to “signed code”. So rolling back the OS to a version where the RAM attacks would work opened up the “side load door” to bypass the need for actual attack code that had to be signed…

Yes there are ways you can stop such “rollback attacks” without removing the ability to patch. However for a capable adversary that can implant personnel or do black bag jobs as a part of their normal operations…

The chances are the code signing process or the personnel involved will be made dangerously vulnerable.

[1] Aside from noting accurate attribution is actually harder than making false-flag attacks… apply as usual the cautions to such statements that have at best weak foundations. Because in a game where smoke and mirrors are the norm not the exception, and where politics trumps policing and faux-news is rampant, and blind alleys more numerous than paths that lead a journey constructively, getting turned around and angry is all too easy.

[2] Used in the medical sense where “chronic” means longterm or forever persistent, and “insult” means a harmful injury applied from outside by design or result of avoidable actions.

JonKnowsNothing September 28, 2023 12:00 PM


re: Just in Time Translations…

In a recent update Firefox 118, set by default, Full Page Translation gadget.

As soon as the page loads and it detects a language that is not your default language, a popup box appears with translation options.

In the settings page are all sorts of translation features you might like or not.

What is NOT in the settings is a way to shut it off completely

There are a plethora of searches on this topic which get mixed in with previous similar searches having to do with other translation apps or add-ons.

1) Firefox does not do translations (now incorrect)

2) Two variations on how to shut it down. One is to block the pop up, the most trended response. Farther down the list is how to shut it off completely.

Under browser.translations

  • automaticallyPopup = false
  • enable = false

In addition to the topic of scraping and crawling stuff, it seems that

  • OpenAI reinstates ChatGPT’s internet browsing privileges

To “summarize relevant contemporary information”: like Eggs Melting?


ht tps://www.theregister.c o m/2023/09/28/openai_reinstates_chatgpts_internet_privileges

  • Previously, the popular AI chatbot’s knowledge base was limited to information obtained prior to September 2021. With the latest update, the service can once again surf the net with the help of Microsoft’s Bing search engine and summarize relevant contemporary information.

meh September 28, 2023 12:53 PM

In a recent update Firefox 118, set by default, Full Page Translation gadget…

What irks me about the Firefox product is their ESR Channel. Which you would think means fewer updates and thereby less frequent checks on compatibility, security, Group Policy settings etc. Their ESR channel receives new versions a little too often for my taste.
