Friday Squid Blogging: Protecting Cephalopods in Medical Research

From Nature:

Cephalopods such as octopuses and squid could soon receive the same legal protection as mice and monkeys do when they are used in research. On 7 September, the US National Institutes of Health (NIH) asked for feedback on proposed guidelines that, for the first time in the United States, would require research projects involving cephalopods to be approved by an ethics board before receiving federal funding.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Read my blog posting guidelines here.

Posted on September 29, 2023 at 5:07 PM • 107 Comments

Comments

Bernie September 29, 2023 6:19 PM

Has there been any discussion (by Bruce or commenters) related to the Unity game engine situation? Because of what I’ve learned on this blog, I saw some red flags that made me wonder if the topic would make an appearance here. Plus there are some topics (eg, trust) involved that Bruce talks about.

SpaceLifeForm September 29, 2023 7:28 PM

Feature or Bug?

I do not care either way.

‘https://www.neowin.net/news/you-can-no-longer-activate-new-windows-11-builds-with-windows-7-or-8-keys/

WTH September 29, 2023 8:47 PM

@Bernie
What is the Unity game engine situation about?

Anyway Godot is gaining more and more market share so there are interesting developments in that area.

klasp September 29, 2023 8:54 PM

Funny, today I learned an older fact. That iPhone with the face ID takes a hidden picture of your face every 5 seconds. The supposed explanation (excuse) for that is that it is a feature that is part of some attention awareness feature.

But in real terms there is no actual need for an attention awareness feature to take a photo of your face every 5 seconds. That is simply BS.

JonKnowsNothing September 29, 2023 9:38 PM

@SpaceLifeForm

re: Feature or Bug?

No, Marketing.

From one MSM report: it’s the upgrade keys used by older versions to get the next OS level for free.

Not the only company to ditch older systems.

Firefox has ended support for Win7 legacy systems, primarily used by Grams and Gramps, who don’t have the funds to buy the latest in leaking gear.

Bernie September 29, 2023 10:00 PM

@WTH
Out of the blue, Unity introduced a per-install Runtime Fee. Yes, you read that right, per-install. So, for example, a bad actor could “install bomb” (similar to “review bomb”) a game they didn’t like, causing the developer to owe Unity so much money that it bankrupts them. One of the red flags I saw was the claim that Unity was going to use their own proprietary data model to track installs and adapt their current fraud detection practices to prevent pirated copies from being counted.

Game devs united against the new fee policy. Remember the Streisand effect? Well, if Unity is trying to make more money, they quite possibly shot themselves in both feet. Even after they revised their plans, a lot of devs had completely lost trust in the company. This has spurred a lot of interest in Godot.

Anyway, the devil is in the details and the details have changed a lot over the weeks. If you investigate, be sure to read from various sources. Unity has already changed what is written on certain of their web pages. Here are a few Ars Technica links with a lot more detail, but you can find the info from many outlets.

https://arstechnica.com/gaming/2023/09/game-developers-unite-against-unitys-new-per-install-pricing-structure/
https://arstechnica.com/gaming/2023/09/unity-makes-major-changes-to-controversial-install-fee-program/
https://arstechnica.com/gaming/2023/09/oldest-unity-game-developer-group-breaks-up-over-lack-of-trust-in-the-company/

JonKnowsNothing September 30, 2023 11:37 AM

Several thought-provoking articles in MSM about the impacts of tech, or rather perhaps, the unintended impacts of tech, and its close twin HAIL.

There were several articles about vandalism, stalking, swatting-as-a-prank that may stem from some direct reason but certainly not improved by tech reasons.

MSM HAIL Warning

  • A prankster-stalker followed a delivery person, then approached closely, aggressively, stuck a mobile device in the delivery person’s face, continued to follow aggressively. The driver asked him to back off and when the prankster didn’t, the driver shot him.
    • The Driver was in jail since the incident, now acquitted
    • The Prankster, never in jail, claims to make $3k/month from the UToob videos

Hmmm…

Acts of vandalism:

  • An ancient tree is chainsawed down.
  • A restaurant has a stolen backhoe driven through four walls.

Hmmm…

More AI Ripoffs in books, music and all other endeavors. Most are HAIL or straight rips, sold for profit. That makes it a bit different than ripping CDs for personal use or mixing sound tracks, it’s the volume (ahem) of the scale. Once the thing hits Amz for even a short time, the results are financially worthwhile.

This is similar to the problem of totally fake fakes, ripoffs of major brands, sold on auction sites or flea markets. Every year, heaps of these counterfeit items are confiscated by the cargo container load and destroyed.

Doesn’t stop counterfeiting.

Hmmm…

It’s not that shocking that tech assists in such behavior but it is shocking that Electric Cars in UK cannot find “cost effective” insurance.

Rates went from £1k per year to £5K+ a year. The increase is due to the cost of repairs with so many breakable gizmos, which are now standard features.

There are other issues in the insurance market besides direct costs. Something to consider when determining the other side of the equation.

RL anecdote, tl;dr

  • Taking a hybrid electric car in for a service issue, during the warranty period, requesting a quote for repair and confirmation that the item was a warranty item. The cost was $90 per issue to plug the code reader into the device port. Since there were 5 issues, the charge just to determine if the item was covered by warranty was $450 USD. This did not include any costs of repair or replacement.

===

ht tps://www.theguardian.c o m/us-news/2023/sep/30/delivery-driver-youtube-prankster-shooting-not-guilty

ht tps://www.theguardian.c o m/uk-news/2023/sep/30/mucky-duck-restaurant-digger-nottinghamshire-police

Search Terms:

  • Sycamore Gap tree in Northumberland, Hadrian’s Wall

ht tps://www.theguardian.c o m/technology/2023/sep/30/authors-shocked-to-find-ai-ripoffs-of-their-books-being-sold-on-amazon

ht tps://www.theguardian.c o m/money/2023/sep/30/the-quotes-were-5000-or-more-electric-vehicle-owners-face-soaring-insurance-costs

(url fractured)

vas pup September 30, 2023 3:24 PM

@klasp If information you provided is true,
private business is current Big Brother on steroids violating privacy for their own undisclosed purposes and ready to share with traditional Big Brother (gov) without court oversight.

k18 September 30, 2023 8:28 PM

If you watch something online that, although it comes from a reputable source, you are 90% sure is something that Pegasus or a bad VPN ginned up, where or to whom do you go?

BobInOK October 1, 2023 12:21 AM

@JonKnowsNothing

Jon, can you remind what HAIL stands for or is? I read this site an awful lot, probably too much (but not enough to avoid missing squid discussion posts), but for the life of me I can’t find a description of the term. Between my less-than-great google-fu and search results degrading over time, google thinks you must be talking about dent repair after a nasty thunderstorm.

JonKnowsNothing October 1, 2023 1:40 AM

@BobInOK, All

re: HAIL = Hallucinating Artificial Intelligence Large Language Model

aka: Lie, Deceit, False, Incorrect, Error, Misstatement, Wrong, Fake, Deep Fake, Deeper Fake…

Applied to words, statements, paragraphs, pages, books, audio, video etc. generated by AI programs.

A common output or result from queries to all AI Models.

re: HAIL Storm = HAIL resulting from recycled data fed into a repeating vortex of inputs and outputs; with or without a defined exit point; an infinite loop of GIGO.

A common result from different AI models feeding on each other in a cyclical feedback loop, of self references and circular inputs and outputs.

re: HAIL Warning

A notice that the information may or may not be correct, or accurate. That the information may or may not withstand cross checking or validation. That the source of the information may be human generated or AI generated or human+AI generated with no method to determine the accuracy of the information presented.

All data may now be considered “tainted by HAIL”.

ResearcherZero October 1, 2023 2:23 AM

whois?

‘https://www.france24.com/en/technology/20230930-counterfeit-people-the-dangers-posed-by-meta-s-ai-celebrity-lookalike-chatbots

The defendant must show that a computer was not operating correctly.

“If the presumption is unrealistic in and of itself, or if rebuttal is unrealistic, then the presumption converts from being something that assists the course of justice to something that causes miscarriages of justice.”

This is the failure of the law itself and of the procedures of the courts.

“in the absence of evidence to the contrary, the courts will presume that mechanical instruments were in order at the material time”

In 1984 a law was passed which pointed this presumption in the opposite direction. Section 69 replaced the old common law position. Section 69, however, was repealed in 1999…

The effect of this repeal was that the old common law presumption returned, meaning that it was again for the defendant to show that a computer was not operating correctly, rather than for the prosecutor to show that the computer was operating correctly.

‘https://emptycity.substack.com/p/computer-says-guilty-an-introduction

https://www.youtube.com/watch?v=UAywCnNDVvo

ResearcherZero October 1, 2023 2:28 AM

Procera describes how it helps governments implement “regulatory requirements”

‘https://www.proceranetworks.com/hubfs/Resource%20Downloads/Solutions%20Briefs/Procera_SB_Regulatory%20URL%20Filtering.pdf

“ISPs in two (unnamed) countries were likely injecting FinFisher spyware into targeted users’ Internet connections when the users tried to download popular Windows applications.”

The injection was implemented using HTTP redirects matching.

‘http://welivesecurity.com/2017/09/21/new-finfisher-surveillance-campaigns/

MITM injection and via one-time links sent directly to the target
https://blog.google/threat-analysis-group/0-days-exploited-by-commercial-surveillance-vendor-in-egypt/

307 Temporary Redirect (enables websites to make changes or updates seamlessly)

The URL someone is requesting has temporarily moved to a different URI (User Resource Identifier), but will eventually be back in its original location.

As a result, your browser must initiate another request to this new location (specified in the “Location” header) to retrieve the desired content.

‘https://wiki.owasp.org/images/d/dd/Request.JPG

The server at the new location processes the subsequent request and provides the content of the redirected resource in the response.

(The injector attempts to mask its presence by copying IP TTL values it receives into packets it injects.)

https://citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria/

The company advertises that they support “regulatory compliance” but does not mention spyware injection.

‘https://www.sandvine.com/solutions/regulatory-compliance

Intercepting HTTPS traffic with a forged certificate

https://www.wired.com/2013/11/this-is-how-the-internet-backbone-has-been-turned-into-a-weapon/
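To make the redirect mechanics above concrete from the defender’s side, here is an added example (not from this comment, and not code from ESET, Citizen Lab or any vendor named here). It parses raw HTTP/1.1 responses, follows the Location header across hops, and flags the two things a redirect-based injection tends to show: a hop to a different host, and a drop from HTTPS to plain HTTP. The hostnames and responses are constructed, and `fetch` is a stub standing in for a real request; the status set and header handling are standard HTTP. One detail the comment leaves implicit: a 307 (and 308) tells the client to repeat the same method and body at the new location, whereas 302/303 allow the client to switch to GET.

```python
"""Added example: walk a redirect chain offline and report the hops a
defender cares about (cross-host moves and HTTPS-to-HTTP downgrades)."""
from urllib.parse import urljoin, urlsplit

# Constructed raw responses keyed by URL; a stand-in for a real HTTP fetch.
SAMPLE_RESPONSES = {
    "https://downloads.example.net/app-setup.exe": (
        b"HTTP/1.1 307 Temporary Redirect\r\n"
        b"Location: http://mirror.example.org/app-setup.exe\r\n"
        b"Content-Length: 0\r\n\r\n"
    ),
    "http://mirror.example.org/app-setup.exe": (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: application/octet-stream\r\n"
        b"Content-Length: 4\r\n\r\nMZ\x90\x00"
    ),
    "https://www.example.com/old": b"HTTP/1.1 301 Moved Permanently\r\nLocation: /new\r\n\r\n",
    "https://www.example.com/new": b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok",
}


def fetch(url: str) -> bytes:
    """Stub fetch that serves the constructed responses above."""
    return SAMPLE_RESPONSES[url]


def parse_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    status = int(status_line.split(" ")[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def follow_redirects(url: str, fetch=fetch, max_hops: int = 10):
    """Follow Location headers and return (final_status, chain, findings)."""
    chain, findings = [url], []
    for _ in range(max_hops):
        status, headers, _body = parse_response(fetch(url))
        if status not in REDIRECT_STATUSES:
            return status, chain, findings
        if "location" not in headers:
            findings.append(f"{status} without Location at {url}")
            return status, chain, findings
        target = urljoin(url, headers["location"])  # resolves relative Locations
        src, dst = urlsplit(url), urlsplit(target)
        if dst.hostname != src.hostname:
            findings.append(f"cross-host {status}: {src.hostname} -> {dst.hostname}")
        if src.scheme == "https" and dst.scheme == "http":
            findings.append(f"downgrade {status}: {url} -> {target}")
        if target in chain:
            findings.append(f"redirect loop at {target}")
            return status, chain, findings
        chain.append(target)
        url = target
    findings.append(f"gave up after {max_hops} hops")
    return None, chain, findings


if __name__ == "__main__":
    for start in ("https://downloads.example.net/app-setup.exe", "https://www.example.com/old"):
        status, chain, findings = follow_redirects(start)
        print(status, " -> ".join(chain), findings)
```

Run against real traffic, the same checks belong in whatever fetches software updates for you: a download that starts on HTTPS and ends on a different host over plain HTTP is exactly the shape the injected-redirect reports describe, and it is cheap to refuse.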

ResearcherZero October 1, 2023 2:33 AM

“insufficient validation of attributes in the Group Domain of Interpretation (GDOI) and G-IKEv2 protocols of the GET VPN feature”

Execute arbitrary code and gain full control of the affected system.

‘https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-getvpn-rce-g8qR68sx

‘https://starlabs.sg/blog/2023/09-sharepoint-pre-auth-rce-chain/

‘https://www.youtube.com/watch?v=x0DPpVh8fO4

bypass authentication

‘https://github.com/Chocapikk/CVE-2023-29357

SysUpdate DLL inicore_v2.3.30.dll

‘https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/budworm-tool-update-telecoms-govt

This new version has similar features to the 2021 version, except that the C++ run-time type information (RTTI) classes we previously observed in 2021 had been removed, and that the code structure was changed to use the ASIO C++ asynchronous library.

‘https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html

ResearcherZero October 1, 2023 2:37 AM

Don’t forget to password-protect the instance after maintenance.

login pairs (~3.8 billion)

‘https://cybernews.com/security/darkbeam-data-leak/

anon October 1, 2023 4:41 PM

Are LLMs just a precursor to Douglas Adams’ “Reason” program described in Dirk Gently’s Holistic Detective Agency?

Steve October 1, 2023 4:57 PM

@anon:

Are LLMs just a precursor to Douglas Adams’ “Reason” program described in Dirk Gently’s Holistic Detective Agency?

No.

They’re more like “your plastic pal who’s fun to be with” and their purveyors are “a bunch of mindless jerks who’ll be the first against the wall when the revolution comes.”

Anyone interested in taking over the post of Robotics Correspondent?

Clive Robinson October 1, 2023 8:39 PM

@ ResearcherZero, ALL,

“Don’t forget to password-protect the instance after maintenance.”

Or your “LastPass” or other On-Line Password-Safe account[1]…

It appears eight character passwords were protecting crypto-coin “seed phrases” to wallets worth 3 million or more…

As they used to say “Read all about it”, in an article entitled,

“LastPass: ‘Horse Gone Barn Bolted’ is Strong Password”

On the Krebs on Security website,

https://krebsonsecurity.com/2023/09/lastpass-horse-gone-barn-bolted-is-strong-password/

“The password manager service LastPass is now forcing some of its users to pick longer master passwords. LastPass says the changes are needed to ensure all customers are protected by their latest security improvements. But critics say the move is little more than a public relations stunt that will do nothing to help countless early adopters whose password vaults were exposed in a 2022 breach at LastPass.”

Yup, LastPass are not even really “shutting the stable door”; read that last sentence in the above quote…

Then further down you read,

“This is significant because in November 2022, LastPass disclosed a breach in which hackers stole password vaults containing both encrypted and plaintext data for more than 25 million users.”

So… the users’ “secret information” stored on LastPass under incredibly weak password conditions is now tucked away on one or more crooks’ computers –not in any way really dissimilar to some crypto-coin mining rigs– busting passwords…

So with the price of crypto at an ever sagging value –apparently now too low to “mine v electricity bill”– is it any real surprise that,

“Since then [Nov 22], a steady trickle of six-figure cryptocurrency heists targeting security-conscious people throughout the tech industry has led some security experts to conclude that crooks likely have succeeded at cracking open some of the stolen LastPass vaults.”

The real “runaway” / takeaway people should be taking, is it’s not the LastPass password that people need to change but every password, passphrase, security seed, etc that was stored in the vaults stolen back in Nov 22…

Look at it this way, the crooks may have to crack a lot of LastPass Vaults to get at crypto wallet security seeds but they will do that in time[2]. But further consider having broken open a LastPass vault from Nov22 what else are they going to find that they or others may be able to monetize in one way or another as time goes on?

After all even passwords to Meta/FaceBook accounts have value on the darker side of the web… Also access to say “medical accounts” has been used in the past as part of ransomware attacks…

[1] I’ve never considered the likes of “On-Line Password vaults” to be a good idea as there is no “separation”, unlike electronic tokens or pieces of paper in a properly secured form[3] then sealed envelope[5] stored in one or more fire proof safes.

[2] The only way to protect those crypto-coins now is to either “Cash them out” into other crypto-coins at a loss, or move them to another probably freshly created wallet. With some “older wallets” created before “Know Your Customer Regulation” that might be a significant problem for the original wallet creators…

[3] Whilst it would be daft to print out “plaintext” on the medium –paper substitute[4]–, “ciphertext” of “whitened plaintext” would be a better idea with the AES Key and IV stored/created by a “master secret” properly physically secured on “laser cut steel” or similar[4] and put in a secure place[5].

[4] If you have access to a laser engraver/cutter you could quite inexpensively store master secrets with a set of “feeler gauges” used to measure “spark gap distance” or similar that can be purchased from the likes of “ToolChain” for less than $5. You don’t have to own a laser cutter/engraver (though they are quite inexpensive these days). You can often get access to them via “Maker Clubs” and the like; even some “local libraries and evening classes” have them. Or you can purchase the likes of various chemicals and make “etching quills” with washed out plastic felt pens (though don’t pour the excess down the drains, neutralize it properly and carefully).

[5] Be inventive but consider as a basic starting point putting it in a small ziplock or vacuum sealed mylar bag with an oxygen and moisture absorber. Making it “tamper evident” can be done in a number of ways; one based on an old idea would be to put it in a “scrap cloth envelope/bag” made by hand stitching a piece of cloth highly decorated by patterned printing –like Paisley pattern–. Sew it using thread with embedded gold or silver metal thread then glue over with epoxy varnish with just a little glitter in it. When hardened take high resolution photographs of both sides for comparison. Alternatively embed the sealed bag in modeling clay as a paper weight or similar ornament and use modern plastic glaze to make it look like finished pottery or similar. A friend prints out colour transfers to put on plates you then seal with the glaze and can hang on the wall as “farm-housey” decorations and similar. Apparently there is money to be made as it’s popular with some who do it with pictures of their children or pets etc or imprints of their baby’s hands or feet…

Clive Robinson October 1, 2023 11:07 PM

@ SpaceLifeForm, ALL,

Re : A quarter century old side channel, or who needs to wait for QC for Asymmetric and other Crypto Cracking at arm’s length.

This might amuse,

https://people.redhat.com/~hkario/marvin/

Note,

“In 1998, Daniel Bleichenbacher discovered that the error messages given by SSL servers for errors in the PKCS #1 v1.5 padding allowed an adaptive-chosen ciphertext attack; this attack fully breaks the confidentiality of TLS when used with RSA encryption.”

In essence a large integer “timing side channel” attack.

And a little further down,

“While the main venue of attack are TLS servers, the core issues that caused its wide spread are applicable to most asymmetric cryptographic algorithms (Diffie-Hellman, ECDSA, etc.), not just to RSA. Lessons learned are also applicable to testing the majority of cryptographic algorithms that can be vulnerable to side-channel attacks, not just public key cryptography.”

Note the generalised warning of “the majority of cryptographic algorithms that can be vulnerable to side-channel attacks”, so not just Asymmetric crypto; such is the nature of timing side channel attacks and “Efficiency -v- Security” coding practices.

Although it does not say so, AES is also very very sensitive to “timing side-channel” attacks which is why I’ve said on this blog for years “AES is only secure for data at rest and should only be used Off-Line”.

But also the work this new paper is based on uses a different way of doing statistical measurements, that is quite general purpose so will be popping up from now on much like those in CPU hardware that “Gave us the Xmas Gift that just keeps giving”.

To see how “scary” it might be in the attached research FAQ they say,

“and the ability to detect very small differences in timing, in the order of a few CPU clock cycles, even when measuring across a production network, a few kilometers away, and 6 router hops between victim and attacker.”

It is a bit of an “Ouch” moment, bearing in mind Sig-Int agencies like the NSA and GCHQ like to play in the upstream router that you as a leaf-node network can not instrument… Oh and remember for that “double whammy feeling” the timing accuracy on “collect it all” from years back can probably be used…
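The “Efficiency -v- Security” point above is easiest to see in the smallest possible case, so here is an added example (mine, not Clive’s and not from the Marvin write-up). Marvin itself concerns the padding checks inside RSA decryption, but the mechanism is the same one shown here: code that finishes early when the data lets it does an amount of work that depends on the secret, and that work is what a remote timing measurement recovers. Instead of timing anything (CPython is not constant-time at the machine level anyway), each comparison returns how many bytes it examined, so the data-dependence can be checked exactly. The four-byte tag and the candidates are constructed; `hmac.compare_digest` is the standard-library routine that exists for this purpose.

```python
"""Added example: why an early-exit comparison leaks, and what a comparison
whose work does not depend on the data looks like. Each function returns the
number of bytes it examined so the dependence is visible without a stopwatch."""
import hmac


def naive_compare(expected: bytes, candidate: bytes):
    """Stops at the first differing byte. Returns (equal, bytes_examined).
    bytes_examined grows with the length of the matching prefix, which is
    exactly the signal a timing side channel exposes."""
    if len(expected) != len(candidate):
        return False, 0
    examined = 0
    for a, b in zip(expected, candidate):
        examined += 1
        if a != b:
            return False, examined
    return True, examined


def constant_time_compare(expected: bytes, candidate: bytes):
    """Visits every byte and folds all differences into one accumulator;
    neither the loop count nor the branch structure depends on the data."""
    if len(expected) != len(candidate):
        # Length still leaks; compare fixed-length values (e.g. a MAC tag).
        return False, 0
    diff = 0
    examined = 0
    for a, b in zip(expected, candidate):
        diff |= a ^ b
        examined += 1
    return diff == 0, examined


def work_profile(compare, expected: bytes, candidates):
    """Bytes examined for each candidate, in order."""
    return [compare(expected, c)[1] for c in candidates]


# Constructed 4-byte tag, and candidates matching 0, 1, 2, 3 and 4 leading bytes.
SECRET_TAG = bytes.fromhex("8f3a5c11")
CANDIDATES = [bytes.fromhex(h) for h in ("00000000", "8f000000", "8f3a0000", "8f3a5c00", "8f3a5c11")]


if __name__ == "__main__":
    print("early-exit bytes examined:", work_profile(naive_compare, SECRET_TAG, CANDIDATES))
    print("constant-time bytes examined:", work_profile(constant_time_compare, SECRET_TAG, CANDIDATES))
    print("stdlib compare_digest:", [hmac.compare_digest(SECRET_TAG, c) for c in CANDIDATES])
```

The early-exit profile climbs one step per correctly guessed byte while the constant-time profile is flat. That flatness is the property to demand of any check on a secret (MAC tags, password hashes, padding bytes), and it is the property the FIPS levels quoted further down this thread do not test for below Level 4.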

ResearcherZero October 2, 2023 2:18 AM

@Clive Robinson

RSA Prime Factorization on IBM Qiskit

‘https://www.researchgate.net/publication/371479752_RSA_Prime_Factorization_on_IBM_Qiskit

ResearcherZero October 2, 2023 2:39 AM

“They would have plenty of space with five zettabytes to store at least something on the order of 100 years worth of the worldwide communications, phones and emails and stuff like that. And then have plenty of space left over to do any kind of parallel processing to try to break codes.” – William Binney

‘http://www.bluffdale.com/Planning/Planning%20Commission%20Minutes/2011/PC%2002-15-2011.pdf

‘https://www.youtube.com/watch?v=2XAznfybYhI

‘https://www.youtube.com/watch?v=ZD5Lq4GXU7g

Should the agency ever fill the Utah center with a yottabyte of information, it would be equal to about 500 quintillion (500,000,000,000,000,000,000) pages of text.
https://www.wired.com/2012/03/ff-nsadatacenter/

ResearcherZero October 2, 2023 2:49 AM

@Clive

That includes a lot of stuff:

“FIPS certification for cryptographic modules doesn’t require robust testing of side-channel protections. Only on Level 4 certification are protections against side-channel attacks mandatory. You’re just as much at risk if your site’s certificate or key is used anywhere else on a server that does support RSA.”

‘https://people.redhat.com/~hkario/marvin/

ResearcherZero October 2, 2023 5:00 AM

‘https://www.bloomberg.com/news/articles/2023-09-27/palantir-wins-250-million-ai-deal-with-us-defense-department

“The largest database of hashes in the world”

‘https://safer.io/about/

CASM detection

Silicon Valley’s biggest companies have partnered with a single organization to fight sex trafficking — one that maintains a data collection pipeline, is partnered with Palantir, and helps law enforcement profile and track sex workers without their consent. The concern here is that Thorn and its partners like Polaris Project are working closely with companies like Palantir to nonconsensually track sex workers and everyone they come in contact with.

Thorn is now the primary go-to organization for major internet companies in “fighting sex trafficking” and child exploitation material. It has partnered with Google, Facebook, Twitter, Tumblr, Snapchat, Pinterest, Imgur, IAC (Match, Tinder, OkCupid), and more companies that set social policy and wrangle untold reams of sensitive user data.

Its website listed partnerships with data dealers, web scrapers and identity brokers including Connotate, Trusona, Trade Desk, Laxdaela, and 41st Parameter (Experian).

Thorn doesn’t usually like to talk about what its products Safer or Spotlight do. Safer’s whitepaper “Platform Protection 101” mentions its hashing, matching, reporting, and law enforcement modules.

‘https://www.engadget.com/2019-05-31-sex-lies-and-surveillance-fosta-privacy.html

‘https://oakfnd.org/wp-content/uploads/2021/03/Oak-Foundation-Annual-Report-2020-online-version-high-res-1.pdf

“The availability and affordability of these tools undercuts law enforcement’s continual assertions that they need smartphone vendors to be forced to build ‘exceptional access’ capabilities into their devices.”

The GrayKey device itself comes in two “flavors.” The first, a $15,000 option, requires Internet connectivity to work. It is strictly geofenced, meaning that once it is set up, it cannot be used on any other network.

However, there is also a $30,000 option. At this price, the device requires no Internet connection whatsoever and has no limit to the number of unlocks.
https://www.malwarebytes.com/blog/news/2018/03/graykey-iphone-unlocker-poses-serious-security-concerns

ResearcherZero October 2, 2023 5:08 AM

In-Q-Tel was its first outside investor, and until 2010 its only customers were in intelligence, law enforcement, and defense.

Intelligence and national security agencies use its tools to flag suspicious activities. Palantir’s “forward-deployed engineers” essentially operated as a mobile sales force, customizing the software to the needs of each client.

‘https://www.palantir.com/_ptwp_live_ect0/wp-content/uploads/2012/06/ImpactStudy_USMC.pdf

example

‘https://www.cartercenter.org/news/multimedia/map/exploring-historical-control-in-syria.html

ResearcherZero October 2, 2023 5:18 AM

And that leads to this…

“Cut cables are sometimes pulled away from their marked location as well.”

‘https://www.telegraph.co.uk/business/2023/09/30/secret-subsea-battle-russia-internet-cables-putin/

The sovereign internet law helps to build upon the idea of the RuNet, a Russian internet that can be disconnected from the rest of the world.
https://www.wired.com/story/russia-internet-censorship-splinternet/

That helped stoke a cottage industry of tech contractors, which built products that have become a powerful — and novel — means of digital surveillance.

‘https://www.nytimes.com/2023/07/03/technology/russia-ukraine-surveillance-tech.html

Coercion and Black Boxes

“imposed military censorship on mail, Internet communications and phone conversations”

Russian forces have taken over internet infrastructure in Ukraine and rerouted traffic to Russia-controlled operators.

‘https://apnews.com/article/russia-crackdown-surveillance-censorship-war-ukraine-internet-dab3663774feb666d6d0025bcd082fba

TSPU: Russia’s Decentralized Censorship System
https://www.youtube.com/watch?v=LWoBhWwAY8A

‘https://censoredplanet.org/assets/tspu-imc22.pdf

‘https://www.theregister.com/2023/07/17/great_firewall_even_greater/

In early November 2021, the Great Firewall of China (GFW) deployed a new censorship technique that passively detects—and subsequently blocks—fully encrypted traffic in real time.

“the censor applies crude but efficient heuristics to exempt traffic that is unlikely to be fully encrypted traffic; it then blocks the remaining non-exempted traffic.”

‘https://www.usenix.org/system/files/usenixsecurity23-wu-mingshi.pdf

“A lot of the work we are doing is digging for little scraps of information.”

https://www.latimes.com/world-nation/story/2022-06-23/china-great-firewall-foreign-domestic-virtual-censorship

‘https://tools.cmlabs.co/en/redirect-checker
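The quoted sentence about “crude but efficient heuristics” is worth seeing as code, so here is an added example (mine, not from this comment or the cited paper’s authors) that applies the exemption rules the USENIX paper attributes to the GFW’s fully-encrypted-traffic detector to a flow’s first payload. The thresholds (bits set per byte outside 3.4 to 4.6, first six bytes printable, more than half printable, a printable run longer than 20, and TLS or HTTP prefixes) follow my reading of the paper and should be checked against it; the order only affects which rule is reported, not the block/exempt decision. The sample packets are constructed, and the “ciphertext-like” one is a fixed pattern chosen so that its statistics (exactly 4.0 bits per byte, almost nothing printable) can be verified by hand rather than random bytes whose outcome would vary.

```python
"""Added example: the exemption heuristics described for fully-encrypted-traffic
detection, applied to constructed first packets. A packet is blocked only if
no rule exempts it. Thresholds are from my reading of the cited paper."""


def bits_per_byte(pkt: bytes) -> float:
    """Average number of set bits per byte (about 4.0 for random data)."""
    return sum(bin(b).count("1") for b in pkt) / len(pkt)


def is_printable(b: int) -> bool:
    return 0x20 <= b <= 0x7E


def longest_printable_run(pkt: bytes) -> int:
    best = run = 0
    for b in pkt:
        run = run + 1 if is_printable(b) else 0
        best = max(best, run)
    return best


HTTP_METHODS = (b"GET ", b"HEAD ", b"POST ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"TRACE ", b"PATCH ")


def classify(pkt: bytes):
    """Return ('exempt', rule) or ('block', None) for a flow's first payload."""
    if not pkt:
        return "exempt", "empty"
    bpb = bits_per_byte(pkt)
    if bpb <= 3.4 or bpb >= 4.6:
        return "exempt", "ex1-popcount"
    if len(pkt) >= 6 and all(is_printable(b) for b in pkt[:6]):
        return "exempt", "ex2-first-six-printable"
    if sum(1 for b in pkt if is_printable(b)) > len(pkt) / 2:
        return "exempt", "ex3-over-half-printable"
    if longest_printable_run(pkt) > 20:
        return "exempt", "ex4-printable-run"
    if pkt[:2] == b"\x16\x03" and len(pkt) > 2 and pkt[2] <= 0x09:
        return "exempt", "ex5-tls-prefix"
    if pkt.startswith(HTTP_METHODS):
        return "exempt", "ex5-http-prefix"
    return "block", None


# Constructed first-packet samples.
SAMPLES = {
    "http": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "tls": b"\x16\x03\x01\x00\x2e\x01\x00\x00\x2a\x03\x03" + bytes(32),
    "zeros": bytes(64),
    # Exactly 4.0 bits per byte, one printable byte ('<') in six, no known header.
    "ciphertext-like": bytes([0x0F, 0xF0, 0x1E, 0xE1, 0x3C, 0xC3]) * 8,
}


def classify_all(samples=SAMPLES):
    """Map each sample name to its block/exempt decision."""
    return {name: classify(pkt)[0] for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:16s} bits/byte={bits_per_byte(pkt):.2f} -> {classify(pkt)}")
```

The pattern to notice is that every rule asks “does this look like something other than ciphertext?”, and only the remainder is blocked; protocols that are entirely uniform random bytes from the first packet onward are the ones with no exemption to fall into. The paper also describes scope limits on which flows and destinations are examined at all, which this classifier does not model.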

ResearcherZero October 2, 2023 6:19 AM

Google plans to reduce the lifespan of SSL/TLS certificates.

‘https://www.helpnetsecurity.com/2023/09/28/certificate-automation-challenges/

“The certificate, originally spawned by Symantec, was scheduled to be banished years ago.”

The removed credential is known as a root certificate, meaning it anchors the trust of hundreds or thousands of intermediate and individual certificates downstream.

‘https://arstechnica.com/security/2023/08/a-renegade-certificate-is-removed-from-windows-then-it-returns-confusion-ensues/

As a result of acquisitions over the years the company now controls the root certificates of several formerly standalone certificate authorities including VeriSign, GeoTrust, Thawte and RapidSSL.
https://www.pcworld.com/article/406198/to-punish-symantec-google-may-distrust-a-third-of-the-webs-ssl-certificates.html

Of particular concern are so-called Extended Validation (EV) certificates, for which issuers are supposed to take additional actions to authenticate the identity of the entity requesting them. Faced with the prospect of recontacting millions of its customers to renew their certificates ahead of schedule, and revalidating the identity of EV certificate holders, Symantec chose to hand the problem to DigiCert.

‘https://www.csoonline.com/article/562511/symantec-sells-its-problem-ssl-unit-to-digicert-for-1b.html

GoDaddy discovered that an unauthorised third-party had accessed its managed WordPress hosting environment, with the attacker using a compromised password for it.

The unauthorised access led to 457,911 private keys for users’ digital certificates being compromised, along with email addresses and other sensitive data.
https://www.itnews.com.au/news/godaddy-took-weeks-to-revoke-compromised-certificates-573870

This is a violation of the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, Section 4.9.1.1 “Reasons for Revoking a Subscriber Certificate” which states that “the CA SHALL revoke a Certificate within 24 hours if the CA obtains evidence that the Subscriber’s Private Key corresponding to the Public Key in the Certificate suffered a Key Compromise”

‘https://bugzilla.mozilla.org/show_bug.cgi?id=1742657#c15

“To protect your business, you must know the location of every certificate in use and be able to replace any of them instantly.”

As we’ve seen with Symantec, GlobalSign, GoDaddy and many more, CAs can make errors, are victims of fraud, and can be hacked.

‘https://www.computerweekly.com/news/450410837/Flawed-GoDaddy-security-certificates-show-need-for-control

” …any web server configured this way caused domain control verification to complete successfully.”
https://groups.google.com/g/mozilla.dev.security.policy/c/Htujoyq-pO8

Attack on DigiNotar resulted in fraudulent web authentication certificates being issued for hundreds of websites, including google[.]com.

(DigiNotar Root CA, DigiNotar Root CA G2, DigiNotar PKIoverheid CA Overheid, DigiNotar PKIoverheid CA Organisatie-G2, and DigiNotar PKIoverheid CA Overheid en Bedrijven.)

The Fox-IT report identified 300,000 unique IP requests to the phony domain, with 99 percent originating from Iran.

“The hacker claimed responsibility for the recent attack on DigiNotar and claimed to have access to four other CAs, including GlobalSign.”
https://spectrum.ieee.org/diginotar-certificate-authority-breach-crashes-egovernment-in-the-netherlands

The attack had gone undetected for more than a month. 531 fraudulent certificates were issued for 344 domain names.

‘https://www.diginotar.nl/Portals/7/Persberichten/Operation%20Black%20Tulip%20v1.0a.pdf

Clive Robinson October 2, 2023 7:32 AM

@ ResearcherZero, ALL,

“Google plans to reduce the lifespan of SSL/TLS certificates.”

If this “down to nine months or less” happens, there will be a lot of unhappy people and an immense amount of “E-economy loss” which is one of the few things keeping the US economy floating…

Thus the “Too Big to Fail” question is bound to pop up “in the halls of power” in much of the Western World where the E-economy is considered important.

I guess the real question is what is Google up to, or what game are they playing?… As there is a lot more behind this than Alphabet/Google is actually saying.

ResearcherZero October 2, 2023 7:53 AM

Theater Undersea Surveillance Command

‘https://www.reuters.com/investigates/special-report/usa-china-tech-surveillance/

“They are now announcing more address space than anything ever in the history of the Internet.”

…messages began to arrive telling network administrators that IP addresses assigned to the Pentagon but long dormant could now accept traffic — but it should be routed to Global Resource Systems.

‘https://www.kentik.com/blog/the-mystery-of-as8003/

“reassignment of a massive government-owned block of well over sixteen million IP addresses”
https://seclists.org/nanog/2021/Mar/186

Modern apps often include SDKs written by little-known companies like Measurement Systems

‘https://www.foxbusiness.com/technology/apps-with-hidden-data-harvesting-software-banned-by-google

Google’s Chrome, Apple’s Safari, nonprofit Firefox and others allow the company, TrustCor Systems, to act as what’s known as a root certificate authority.

Measurement Systems had been paying developers to include code in a variety of innocuous apps to record and transmit users’ phone numbers, email addresses and exact locations.

Vostrom filed papers in 2007 to do business as Packet Forensics.

‘https://www.washingtonpost.com/technology/2022/11/08/trustcor-internet-addresses-government-connections/

“The company’s Panamanian registration records show that it has the identical slate of officers, agents and partners as a spyware maker identified this year as an affiliate of Arizona-based Packet Forensics, which public contracting records and company documents show has sold communication interception services to U.S. government agencies for more than a decade.” (longer)

‘https://www.usaspending.gov/award/CONT_AWD_HB000122C1003_9700_-NONE-_-NONE-

“Your investigative staff will collect its best evidence while users are lulled into a false sense of security afforded by web, e-mail or VOIP encryption.”

‘https://www.wired.com/2010/03/packet-forensics/

An attacker who obtains a certificate, either through theft or malicious enrollment, is limited by the validity period of that certificate. However, they can always issue a renewal request to extend the life of the certificate, which would not leave enrollment records on the server, in case such artifacts are being monitored.
https://posts.specterops.io/certified-pre-owned-d95910965cd2

http://paranoia.dubfire.net/2009/12/8-million-reasons-for-real-surveillance.html

‘https://www.issworldtraining.com/ISS_WASH/

Winter October 2, 2023 8:16 AM

I do not know what to say but to wish him strength.

RMS Says He Has Lymphoma
https://fossforce.com/2023/09/rmss-cancer-linuxs-shrinking-support-googs-privacy-sandbox-naming-opensuse-and-more/

When GNU and Free Software Foundation founder Richard Stallman showed up at the GNU Hacker’s Meeting in Biel, Switzerland on Wednesday as part of GNU’s ongoing celebration of its 40th birthday, he was noticeably without his trademark long hair and beard. We learned about two minutes into a talk he gave at the event, that’s because he’s currently battling cancer.

ResearcherZero October 2, 2023 9:37 AM

@Clive Robinson, ALL,

outage – CNE 😉

Home affairs boss tried to stifle press freedom (his encrypted messages)

“Home Affairs secretary Michael Pezzullo used WhatsApp messages to try to reshape governments.”

The public servant in charge of Australia’s internal security lobbied hard for the power to censor the media’s reporting of national security issues after the Australian Federal Police controversially raided three Australian journalists over their reporting.

In a series of text messages to an influential Liberal Party operative in 2019, the secretary of the Home Affairs Department, Michael Pezzullo, sought to convince then prime minister Scott Morrison to introduce a system of “D-Notices” – by which government agencies would be able to pressure media organisations not to publish stories deemed damaging to national security.

‘https://www.smh.com.au/national/modern-version-of-the-d-notice-how-the-home-affairs-boss-tried-to-stifle-press-freedom-20230919-p5e5sy.html

Last Drinks

“Under our system, when someone falls from a window or gets shot in their driveway, the case is handled by local police. Oftentimes, that’s where the incident will stay.”

…cases involving a foreign intelligence agency are liable to get handled by detectives with no particular expertise in the methods and motivations of state-sponsored assassinations. Worse still, a history of tension between local cops and the feds means detectives might not be especially eager to call for assistance.

“It’s very important for us to communicate to the world that we’re not going to tolerate this and we’re going to throw resources at it to get to the bottom of it,” he says.

What Joyal says he’d like to see is an FBI resource that could be dispatched to local cases where a foreign government might be involved.

‘https://www.politico.com/news/magazine/2023/09/22/foreign-ops-in-america-00117466

ResearcherZero October 2, 2023 9:46 AM

“Because coffee has to be hot, has to be strong. I nearly want a heart attack and I want my tongue burned. Not really, but I want the possibility.” – Carsten Busch

On Rosh Hashanah it is inscribed
And on Yom Kippur it is sealed
How many shall die and how many shall be born
Who shall live and who shall die
Who at the measure of days and who before
Who by fire and who by water
Who by the sword and who by wild beasts
Who by hunger and who by thirst
Who by earthquake and who by plague
Who by strangling and who by stoning
Who shall have rest and who shall go wandering
Who will be tranquil and who shall be harassed
Who shall be at ease and who shall be afflicted
Who shall become poor and who shall become rich
Who shall be brought low and who shall be raised high
https://www.youtube.com/watch?v=jtMi8PpyTvc

lurker October 2, 2023 1:59 PM

@ResearcherZero
“To protect your business, you must know the location of every certificate in use and be able to replace any of them instantly.”

Debian-Linux uses certificates shipped by Mozilla, placed in a folder named mozilla, and disclaims responsibility for their reliability. mod-bot rejected a detailed explanation…
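
A trust-store inventory check in the spirit of the quoted advice, and of the DigiNotar discussion earlier in the thread: added example code, not from any commenter or project, that parses a PEM bundle with Go’s standard library and flags certificates from a distrusted issuer name, certificates valid for longer than an assumed policy maximum (nine months, the figure discussed above), and certificates about to expire. The three certificates, CA names and the policy values are constructed in the code and are assumptions, not real ones.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

const day = 24 * time.Hour

// Finding is the audit result for one certificate found in a PEM bundle.
type Finding struct {
	Subject, Issuer string
	Problems        []string
}

// AuditBundle parses every CERTIFICATE block in bundle and flags each one that is issued
// by a distrusted CA name, is valid for longer than maxValidity, or expires before
// now+warnWindow. It only parses; it does not build or verify a chain.
func AuditBundle(bundle []byte, now time.Time, distrusted map[string]bool,
	maxValidity, warnWindow time.Duration) ([]Finding, error) {
	var findings []Finding
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("parse certificate: %w", err)
		}
		validity := cert.NotAfter.Sub(cert.NotBefore)
		f := Finding{Subject: cert.Subject.CommonName, Issuer: cert.Issuer.CommonName}
		if distrusted[f.Issuer] {
			f.Problems = append(f.Problems, "issuer is distrusted")
		}
		if validity > maxValidity {
			f.Problems = append(f.Problems, "validity exceeds policy maximum")
		}
		if cert.NotAfter.Before(now.Add(warnWindow)) {
			f.Problems = append(f.Problems, "expires within warning window")
		}
		findings = append(findings, f)
	}
	return findings, nil
}

// makeCert builds a constructed test certificate (not a real CA or site cert) as PEM.
// The issuer name is taken from the parent's Subject; the leaf's own key signs it, which
// is fine here because AuditBundle never verifies signatures.
func makeCert(serial int64, subjectCN, issuerCN string, notBefore time.Time,
	validity time.Duration) ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: subjectCN},
		NotBefore: notBefore, NotAfter: notBefore.Add(validity),
	}
	parent := &x509.Certificate{Subject: pkix.Name{CommonName: issuerCN}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// RunSampleAudit builds a constructed three-certificate bundle and audits it against an
// assumed policy: a nine-month maximum validity, a 45-day expiry warning, and one
// distrusted CA name. All names and dates here are constructed for the example.
func RunSampleAudit() ([]Finding, error) {
	now := time.Date(2023, 10, 2, 0, 0, 0, 0, time.UTC) // constructed "today"
	specs := []struct {
		subject, issuer string
		age, validity   time.Duration
	}{
		{"www.example.test", "Example Issuing CA (constructed)", 30 * day, 398 * day},  // too long-lived
		{"api.example.test", "Example Issuing CA (constructed)", 60 * day, 90 * day},   // 30 days left
		{"mail.example.test", "Distrusted Test CA (constructed)", 10 * day, 200 * day}, // bad issuer
	}
	var bundle []byte
	for i, s := range specs {
		cert, err := makeCert(int64(i+1), s.subject, s.issuer, now.Add(-s.age), s.validity)
		if err != nil {
			return nil, err
		}
		bundle = append(bundle, cert...)
	}
	distrusted := map[string]bool{"Distrusted Test CA (constructed)": true}
	return AuditBundle(bundle, now, distrusted, 270*day, 45*day)
}

func main() {
	findings, err := RunSampleAudit()
	fmt.Printf("error: %v\nfindings: %+v\n", err, findings)
}
```

To audit a real store, read Debian’s bundle (/etc/ssl/certs/ca-certificates.crt) into AuditBundle in place of the constructed one; a distrusted CA that still appears there is exactly the case the quoted advice is about.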

Clive Robinson October 2, 2023 4:46 PM

@ Bruce, ALL,

Re : PhD designs drone for ISIS

I don’t know if you’ve heard about this,

https://www.theguardian.com/uk-news/2023/sep/28/birmingham-phd-student-mohamad-al-bared-guilty-using-3d-printer-to-build-kamikaze-drone

I don’t know what “engineering research” he was doing for his PhD… But a look at the photographs put up by the authorities / MSM rather suggests it was not involving aeronautics…

I’ve seen better, more flightworthy designs by high school hobbyists –team of girls– and undergraduates that have “got off the ground”…

Captain Sensible October 2, 2023 6:12 PM

Australian Broadcasting Commission (ABC) news editorial:

Interviews with human sources in organised crime and undercover agents. The theme of the piece is that sources get abandoned after their work and left to fend for themselves. A comment by a professional is that the US is 20 years behind Australia in handling human sources. It’s a harrowing read.

https://www.abc.net.au/news/2023-10-02/undercover-organised-crime-informant-australian-law-enforcement/102767496

fib October 2, 2023 7:36 PM

@ResearcherZero

Re DoD IPv4

Interesting information. You’re always bringing some nice aggregation of important topics. I appreciate that. Thanks for your effort.

Faxes October 2, 2023 8:47 PM

I understand that faxes over modern GSM or equivalent 5g+ may not be up to the proven standards of 2400 baud. But, let’s say that bidirectional communication is easy enough in the present – how does this relate to the challenges of future connections?

Clive Robinson October 2, 2023 10:13 PM

@ Faxes,

“… how does this relate to the challenges of future connections?”

I’m not sure I understand what it is you are trying to ask.

Do you want to amplify on what it is you are asking?

Clive Robinson October 3, 2023 7:41 AM

@ ALL,

Re : ARM CVE-2023-4211

Not been able to find actual details currently other than,

“A local non-privileged user can make improper GPU memory processing operations to gain access to already freed memory”

Which is not exactly helpful…

But apparently found by Google in the Arm Mali GPU driver.

https://www.bleepingcomputer.com/news/security/arm-warns-of-mali-gpu-flaws-likely-exploited-in-targeted-attacks/

“CVE-2023-4211 is present in a range of Arm GPUs released over the past decade. The Arm chips affected are:

– Midgard GPU Kernel Driver: All versions from r12p0 – r32p0

– Bifrost GPU Kernel Driver: All versions from r0p0 – r42p0

– Valhall GPU Kernel Driver: All versions from r19p0 – r42p0

– Arm 5th Gen GPU Architecture Kernel Driver: All versions from r41p0 – r42p0

Devices believed to use the affected chips include the Google Pixel 7, Samsung S20 and S21, Motorola Edge 40, OnePlus Nord 2, Asus ROG Phone 6, Redmi Note 11, 12, Honor 70 Pro, RealMe GT, Xiaomi 12 Pro, Oppo Find X5 Pro, and Reno 8 Pro and some phones from Mediatek.”

Clive Robinson October 3, 2023 11:41 AM

@ ALL,

Re : FCC enforcement actions.

As some of you might be aware, for getting on for a decade and a half the US FCC has not really been enforcing the rules for CB, FMRS, GMRS, Ham Radio, and even PMR.

Well apparently that has changed and they are now handing out $25,000 fines, confiscation of equipment etc.

Some things they are going after appear strange, and not just people doing really stupid things (like jamming other users).

For instance many who use CB are unaware they are breaking the law if they have a conversation on air that,

1, Lasts for more than 5mins.
2, The other party is not in the US.

Similar rules apply to other radio spectrum users.

The problem is that like most US Gov regulation and legislation it’s been scatter shotted all over the place, thus finding out what rules apply to you can be difficult.

Few realise that all radio equipment, even for receive only has to be type approved, unless there are specific exemptions.

But in all cases one or more of these three have to be true,

1, Equipment has to be “licenced”
2, Station has to be “licenced”
3, Operator has to be “licenced”

This is true even of stuff you buy for your mobile phone, which is why those “light-up antennas” are no longer available for sale.

One problem is that it’s often not clear if equipment is “licenced” or not with the FCC. Some equipment like the ubiquitous UV-5 handhelds may have an FCC label in them, but that does not mean you can legally use them. Legally you actually have to check on the FCC database in most (but not all) cases.

One area of concern is the current crop of “Software Defined Radios”(SDRs); whilst they are perfectly legal as “laboratory equipment” they are nearly all not legal to use to receive signals outside of a controlled environment for specific activities.

An example of which is to receive various bands and services. One such is apparently the “Automatic Dependent Surveillance-Broadcast”(ADS-B) for aircraft and its similar for ships. Also, as I understand it, any vehicle telemetry systems such as door locking, tire pressure, toll tokens and the like.

Similar applies to “data services” used in connection with computers and communications systems such as phones.

So those PenTest people using SDRs in all manner of ways “may be” carrying out unlawful activities.

It gets complicated because receiving signals on your property that are broadcast on your property for lawful activities on your property would appear to be lawful. Hence carrying out a “site survey” with test instruments is legal, but red-teaming a WiFi or Bluetooth system is very probably not…

From what I’ve seen reported the FCC is currently using this “less obvious” legislation for “quick solutions” to issues that have been causing increased calls for the FCC to have its scope reduced…

vas pup October 3, 2023 7:04 PM

@Clive said “The problem is that like most US Gov regulation and legislation it’s been scatter shotted all over the place, thus finding out what rules apply to you can be difficult.”

That is why:
1. US have more lawyers than engineers versus China and any other EU country.

2. ‘Deep state’ aka unelected bureaucracy with huge unchecked power could create a ‘case’ against anybody who they or their bosses just don’t like.

3. Any US resident commits three federal felonies a day and it is up to deep state mercy to be out of jail.

The legal environment is even more complicated with the coexistence and application of statute and precedent law.

glenn f. October 3, 2023 7:17 PM

Daniel J. Bernstein published a blog post today: The inability to count correctly: Debunking NIST’s calculation of the Kyber-512 security level. The same page briefly mentions two lawsuits by Bernstein against NIST, for “stonewall[ing Freedom of Information Act requests], in violation of the law”, one of which “has been gradually revealing secret NIST documents, shedding some light on what was actually going on behind the scenes, including much heavier NSA involvement than indicated by NIST’s public narrative.” There’s a separate page to download the documents received so far.

vas pup October 3, 2023 7:22 PM

Breakthrough in Landmine Detection: Enzymit-Enabled TNT Biosensor Developed in Collaboration with Hebrew University
https://www.biospace.com/article/releases/breakthrough-in-landmine-detection-enzymit-enabled-tnt-biosensor-developed-in-collaboration-with-hebrew-university/

“New Peer-Reviewed Study Shows Efficacy of Protein-Based Biosensor to Detect Unexploded Ordnance Using AI and Deep Learning Algorithms.

NESS ZIONA, Israel, Sept. 19, 2023 /PRNewswire/ — Enzymit, a bioproduction platform company developing cell-free enzymatic manufacturing technology, today announced a breakthrough in landmine detection through the development of a novel protein-based biosensor that can accurately detect unexploded ordnance (UXO).

The project resulted in the creation of a sophisticated biosensing platform utilizing the bacterium E. coli that can detect trace amounts of dinitrotoluene (DNT), the volatile byproduct of TNT that leaks out of mines into the surrounding earth. The efficacy of the solution has been demonstrated in a peer-reviewed study recently published in the Computational and Structural Biotechnology Journal.

The Belkin lab pioneered the bacterium-based approach to detect explosives. It developed a live cell-based sensor, capable of detecting even trace amounts of DNT, emitting bioluminescence to identify the location of explosive material. Utilizing Enzymit’s proprietary algorithms and experimental capabilities, specific positions on the sensor were modified for optimal performance. The resulting sensor is up to five times more sensitive, has faster reaction times, and a signal strength 30 times stronger than the original construct. The ability to accurately locate unexploded ordnance from a distance provides a safer and more efficient alternative to traditional detection methods, which require manual excavation or use of metal detectors and pose a substantial risk to life. The biosensor can be applied to detect a range of TNT-based ordnance, including unexploded shells and improvised explosive devices (IEDs), while the versatility of the bacterium makes it suitable for use in remote or hard-to-reach locations.

“The global proliferation of landmines continues to pose a serious threat to human lives and the environment, while traditional methods for detection are costly, time-consuming, and entail substantial risk to life,” said Shimshon Belkin, Professor of Environmental Microbiology and head of the Environmental Microbiology and Biosensor Laboratory at the Hebrew University. “This collaboration highlights the potential of synthetic biology in solving some of the world’s most pressing problems, with applications that go beyond landmine detection.”

The Belkin and Enzymit teams are currently working to further optimize the system, while exploring how application of the biosensing platform can be expanded to detect other hazardous materials, such as alternative forms of explosive, environmental toxins, and hazardous chemicals.

For more information, please visit: https://www.enzymit.com/

Clive Robinson October 3, 2023 9:36 PM

@ glenn f., ALL,

This has got needlessly hit by auto-mod so is being partitioned.

Part 1,

Re : The NSA – NIST relationship.

“Daniel J. Bernstein published a blog post today: The inability to count correctly: Debunking NIST’s calculation of the Kyber-512 security level.”

I’m glad Daniel J. Bernstein has the guts to go after the NSA as well as the standing in the Open and Academic and Crypto Communities to be taken seriously.

The NSA and those that founded it have a very poor set of morals and ethics, and though called on them repeatedly managed in the past to get away with it. Which with hindsight is actually quite shocking.

In the past I’ve said many things about what I think the NSA would be or has been up to, based on having witnessed what they and other SigInt agencies, and those they “sponsor” in “industry”, got up to in other International Standards meetings last century. Like those of the ITU (UN) and at sovereign state level such as BSI (UK) and European (CEPT etc). As I’ve mentioned in the past, they were well practiced in effect in forming “tag teams” and using “moral outrage” of “Health & Safety” and other notions we tend to cover these days with “Think of the children” and similar “dog whistle” behaviours.

I’ve pointed out that there was a policy of fielding deliberately weakened “Field Ciphers”[1] by certain personnel long before the NSA as such existed, that they then had very great influence in.

In more recent times it’s become clear that the policy was continued long into the 1980’s and later by first “influence” of the owner, then probable murder of his son, and finally take over by the CIA of the supposedly independent “Crypto AG” of Zug Switzerland.

The trick for the NSA was to ensure NIST was always one or two steps behind the NSA “finessing” of,

1, Implementations
2, Protocols
3, Standards

And more recently “legislation and regulation”.

As I and others have pointed out in the past, the AES competition was “rigged”, most likely by NSA verbal suggestions to NIST organizers / officials. Yes, as a theoretical construct the selected AES algorithm was sufficient. However stronger algorithms got pushed out by the notion of “efficiency” or speed, which has always opened up time based side channels that leak information in practical implementations. The NSA ensured this implementation weakness by ensuring that “ultra fast” implementations in code were made available for free… The result: techniques like “loop unrolling” made very fast but timing side channel riddled implementations an almost certainty. This then got put into code libraries and the like. With the result that there are still quite a few AES systems in use that are just not secure.

But this, though obvious, was long made to look as though those who questioned the AES Competition were “paranoid” or similar…

What we now know, due to the Dual EC_DRBG “scandal” where it was shown to be very likely “back doored by the NSA” and, worse, the way the algorithm was so crudely pushed into a standard –SP 800-90A– as the “primary recommendation” back in 2006, is that it caused much strife, so much that eventually it caused NIST to have to withdraw the standard and reissue it without the Dual EC_DRBG algorithm. It would appear this is “SoP” for the NSA, who later tried pushing other suspect crypto into other standards[2].

The outcry was such and building that then came the semi-famous NSA “Non-Apology apology” as Matthew Green named it[2].

It’s therefore reasonably certain there is a lot more “Dirty Laundry” in the NSA closet that needs dragging out into the light of day, which Daniel J. Bernstein appears to be doing with dogged determination.

However the NSA reputation is now shot and they appear not to be able to ignore it any longer nor ride out the storms arising.

Will they “Clean up their act”? It’s highly unlikely, as their charter and other documents indicate.

Clive Robinson October 3, 2023 9:42 PM

@ glenn f., ALL,

Part 2,

[1] If you design a mechanical cipher system that is going to be used, it’s very much a certainty its design,

“Will become known to all”

So designing it to have all strong keys would be “making a rod for your own back”. So you design it to have just a small percentage of strong keys (say less than 20%) and a similar percentage of very weak keys. The result: a user who does not know which keys are strong and which are weak will end up using sufficient numbers of weak keys, that can be quickly broken and reveal what is highly probable “plaintext” that allows the breaking of strong keys much more quickly.

Clive Robinson October 3, 2023 9:53 PM

@ glenn f., ALL,

Part 3,

All the system designers had to do, to protect their own sides use of the machine is,

1, Centrally issue keys,
2, Issue codes for certain common use plaintext.

Clive Robinson October 3, 2023 9:55 PM

@ glenn f., ALL,

Part 4,

In effect so the machine designer’s forces use only “strong keys” and by issuing maps and other documents such that they are “Changed as daily codes” the common “probable plaintext” is removed.

This further makes use of the field cipher machine appear stronger than it really is… So the more likely it is that others will adopt the designs for their own use. Something we knew certainly happened after WWII and well into the 1980’s.

[2] Rather than me write it out again read,

‘https://arstechnica.com/information-technology/2015/01/nsa-official-support-of-backdoored-dual_ec_drbg-was-regrettable/

Clive Robinson October 4, 2023 12:12 AM

@ Mr Peed Off, ALL,

Re : Security importance of potable water.

“Lack of freshwater could be a security issue for some.”

It’s actually quite a bit more complicated…

There is a very good reason why we drink “Potable Water”(PW) rather than “Distilled Fresh Water”(DFW) and that is a whole bunch of minerals. Without which we would first become ill, then chronically sick, then die…

Some of the minerals can not realistically be ingested other than in the water we drink.

Some of these minerals are not easy to get other than from “urine brine”, others from filtration through certain types of “soft rocks”.

If you have to build your own water filtration plant using “third world” materials, you are best to look at traditional “sand bed” systems to remove organic and similar suspended particulates (which in the first world is done with a “flocking agent”; you can demonstrate the process with “egg white”). Then go to activated charcoal to reduce dissolved chemicals including minerals. You would then filter through “unglazed but fired ceramic pots”. The process can be significantly improved and speeded up by increasing the temperature and reducing the pressure so that in effect it’s water vapour that gets condensed.

The same process but “scienced up” is what is used to extract water from human waste on the International Space Station. Where otherwise “lifting water up the Earth’s gravity well” would cost around $10,000/liter (according to some figures but others say $27,000/kg). Unlike on Earth astronauts are limited to a little under 11.5kg / day of water. However you can if healthy survive drinking wise on 2ltr of potable water and another 1-2ltr in your food. As for washing etc the water does not have to be drinkable as dirt is removed by what is at the end of the day a rather simple process.

The ISS system in effect uses a “rotary low pressure evaporator”, where the input is human waste water and there are two outputs, reasonably pure water and a thick brine (which goes on to other processing). However whilst you can drink the water it lacks certain trace minerals that need to be put back in the water.

The process of extracting minerals from human waste is quite an old one and used to be called “leaching”. In effect the modern equivalent is dissolving in a working fluid followed by evaporation of the fluid to leave the minerals behind in a form that needs further processing.

Anyway the minerals need to go back into the drinking water, otherwise people become sick and die.

Winter October 4, 2023 1:55 AM

@vas pup

‘Deep state’ aka unelected bureaucracy with huge unchecked power

That seems to be a popular American myth.

The myth tells us there is some hidden power who is to blame for all the failings of people’s lives. In Europe the corresponding root of all evil is “Brussels”, in Russia it is “America/the World”.

But the reason the US have more lawyers than engineers versus China and any other[sic] EU country and have bureaucrats with unimaginable power is all of the American voters own makings.[1]

The “deep state” is the public side of the failing health care coverage of the households.[2]

Looking from the outside, the main cause I see is rather straightforward: Americans want laws to limit other people but not themselves, and they do not want to pay for other people’s health problems. Also, they really, really do not trust other Americans.

The results are many many laws and regulations that are written as algorithms to exclude human intervention.[1] Hence the proliferation of lawyers to manage these laws.

As algorithmic laws simply do not work, the end result is that some bureaucrat ends up with the power to set things in motion. Also, laws that prevent problems, eg, zoning laws, are hugely unpopular and contested as they limit us instead of them. The only laws that get implemented are punitive laws that clean up after the fact. Which is orders of magnitude more expensive than preventing the problem.

And if we do not want to pay for them when they get sick, they do not pay for us when we get sick. Medical costs are a major worry of Americans and rightfully so. The average American bankruptcy is caused by medical debt.[3]

Basically, if you want to control others but do not want to be controlled yourself, the US mess of a legal system is a logical outcome.

[1] The Death of Common Sense: How Law Is Suffocating America, by Philip K. Howard
‘https://www.goodreads.com/book/show/239430.The_Death_of_Common_Sense

[2] ‘https://www.commonwealthfund.org/publications/issue-briefs/2023/jan/us-health-care-global-perspective-2022

Health spending per person in the U.S. was nearly two times higher than in the closest country, Germany, and four times higher than in South Korea.

Despite high U.S. spending, Americans experience worse health outcomes than their peers around world. For example, life expectancy at birth in the U.S. was 77 years in 2020 — three years lower than the OECD average. Provisional data shows life expectancy in the U.S. dropped even further in 2021.

[3] ‘https://www.retireguide.com/retirement-planning/risks/medical-bankruptcy-statistics/

ResearcherZero October 4, 2023 2:24 AM

China is a deep state.

“political-ideological construct”

‘https://www.csis.org/analysis/ideological-security-national-security

Russia is headed in the same direction as China. The U.S. is not a deep state.

The Marine Corps is, for the first time in more than 100 years, without a permanent leader.

“These vacancies place unnecessary uncertainty on critical national security roles and send troubling signals to U.S. allies and adversaries; they undermine command authority at senior levels, making it more difficult for our military leaders to lead effectively.”
https://www.pilotonline.com/2023/09/08/opinion-tubervilles-misguided-stunt-threatens-our-national-security/

“For six months, he’s been blocking the promotion of every general and flag officer in the U.S. military. That’s 301 military positions and counting. Let that sink in.”

“…It has also impacted thousands of officers beneath them who are prevented from advancing. That hamstrings our military – and undermines our readiness to the benefit of our adversaries.” “…the tactics he is using are unconscionable and dangerous.”

“Every single day Tuberville’s block on military nominations continues, the damage to our national security multiplies. He has lost one vote on the policy, declined the opportunity to have another, and no court has agreed with his claim that it’s illegal. Unable to change a policy he disagrees with, he’s opted to take his ball and go home, punishing service members and compounding damage to our national security.”

‘https://www.foxnews.com/opinion/tubervilles-actions-horribly-dangerous-military-hurt-american-families

Waywardness, with little thought for the consequences…

MATT GAETZ strategy of single subject spending bills.

He dictated his list of the first four: Defense, Homeland Security, State-Foreign Operations, and the Agriculture-FDA bill.
https://www.politico.com/newsletters/playbook/2023/09/22/how-matt-gaetz-took-over-the-house-00117565

Factors Jeopardizing Civil-Military Cooperation on Cyber Defense

“The most significant challenges in bridging the gap between civilian and military worlds seems to be power and budget struggles and a lack of political direction on cyber matters from leaders.”

‘http://dx.doi.org/10.1080/19361610.2021.2006033

Serving themselves…

Populism argues that elites are corrupt and the people need better representation, but makes very few policy commitments beyond this criticism.

It is also a message that doesn’t tie politicians down to any other ideological or policy commitment.

“Populist politicians and governments view the formal institutions of liberal democracy as corrupt creations spawned by crooked establishment elites – and so they systematically hollow out and undermine these institutions, such as the courts, regulatory agencies, intelligence services, the press, and so on.”

They justify these attacks as replacing discredited and corrupt institutions with ones that serves “the people” – or, in other words, themselves.

https://news.stanford.edu/2020/03/11/populism-jeopardizes-democracies-around-world/

ResearcherZero October 4, 2023 2:31 AM

buffer overflow ld.so (updates available)

Full root access on popular platforms (Fedora, Ubuntu, and Debian).

“This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.”

‘https://blog.qualys.com/vulnerabilities-threat-research/2023/10/03/cve-2023-4911-looney-tunables-local-privilege-escalation-in-the-glibcs-ld-so

Is the Sky Falling? No.

‘https://labs.watchtowr.com/exim-0days-90s-vulns-in-90s-software/

ResearcherZero October 4, 2023 2:45 AM

@Clive Robinson

entirely passive system to desalinate water at low cost

‘https://news.mit.edu/2023/desalination-system-could-produce-freshwater-cheaper-0927

“Fibres were first spun into a tight thread. Four of these threads were then twisted together to create strings, which experiments showed could draw water higher up.”

‘https://www.chemistryworld.com/news/strings-that-draw-up-brine-could-help-supply-the-world-with-lithium/4018121.article

Shoot down drones for a vastly cheaper cost.

The system is capable of countering modern drone threats with just one shot and can track and engage at ranges beyond 800m.

When equipped with thermal imaging and night vision devices, the gun can achieve a firing rate of either 100 or 200 rounds per minute.

The system includes a radar, a 30mm cannon with specialized ammunition, and EOS’s exclusive stabilization and pointing technology. Weighs less than 400 kg and is fully stabilized for on-the-move operation.

‘https://www.abc.net.au/news/2023-10-02/australian-drone-killer-system-ukraine-730/102876242

lurker October 4, 2023 3:33 AM

@ResearcherZero

re: fractional crystallization of lithium from brine

Back in the 90s a NZ outfit called Pacific Lithium was all set to make a fortune extracting lithium from seawater. They found they couldn’t scale up economically enough to beat the cheap labour third world mining, and for a while existed by recycling lithium from worn-out batteries.

ResearcherZero October 4, 2023 4:21 AM

@Captain Sensible

5 minutes was about the time it took for someone to show up and put bullets through the door of a “safe house”. Though, that was more than 20 years ago.
I would still avoid WitSec in Australia, but that is just my personal opinion.

I saw a lot of people die just because someone thought they might know something, or just because the people responsible liked inflicting pain by knocking someone’s friends, family, or children.

It’s better today, but a lot of my friends and colleagues are in the ground via murder, suicide or accident. Many crooks walked, and many innocent people got burned. They could at least properly investigate.

The evidence has been sitting in boxes for about 35 years gathering dust. They could close a number of cold cases, if they wanted to. But they might then have to explain why they let it happen. Why they took no action.

Someone else always has to wear the responsibility. They prefer volunteers, as asking would confer some responsibility on law enforcement. I think it would be both morally correct and polite if they stuck their own necks out on occasion. They simply have to look at who previously kidnapped the victim, leading up to their murder. Interview the witnesses this time, for example, and actually listen to what they say without making assumptions.

This is not the guy.

‘https://www.abc.net.au/news/2019-12-07/claremont-serial-killer-trial-the-case-for-sarah-spiers-murder/11775938

This is the man who tried to kidnap Sarah in Claremont, shortly before she vanished.

‘https://thewest.com.au/news/wa/karl-ocallaghan-bows-out-how-an-accidental-police-officer-became-was-top-cop-ng-b88537547z

The same guy who put a bullet from a rifle through my window screen, and another through my wife’s bedroom window, after we gave evidence in court after he repeatedly tried to kill us, kidnapped us, including Sarah Spiers.

All the promises they would lock him up if we gave evidence turned out to be a crock of s**t. Afterwards they let him join the police force.

But where is the motive and opportunity? I’m too thick to figure it out.

He had another crack at us right before he resigned. Probably all a complete coincidence. Many of the witnesses are now also pushing up daisies.

However, ‘Claremont Serial Killer’ is a better headline than ‘Top Cop Crook’. Easier to explain, and much simpler to digest.

ResearcherZero October 4, 2023 4:51 AM

@lurker

You win some, you lose some. Plenty of solutions can’t find a market, too costly or decades earlier than the market. Government incentives are often skewed to benefit existing industries, rather than innovative solutions.

Attitudes are often backward looking, unqualified, and not supportive.

“That’s impossible. It won’t work. You can’t do that.”

Developed R&D is then shipped. It is easier to raise investment for overseas companies in Australia than Australian companies. Especially advanced or high-tech development.

“A typical application runs to well over 100 pages. In most cases, these applications are unsuccessful.”
https://www.smh.com.au/national/desperate-despondent-ignored-australian-science-at-crisis-point-20220310-p5a3g2.html

“In Australia, about 30 per cent of the research capacity of universities is carried by international student fees.”

…despite historically high levels of research quality, under-investment in research signalled a “clear red-light warning” that without change, the sector could fall behind in an “increasingly dynamic, competitive global higher education sector”
https://www.theage.com.au/national/victoria/australian-unis-fall-in-global-rankings-melbourne-university-tops-the-country-20230926-p5e7n9.html

“Figures from the OECD show Australia has reduced R&D investment as a percentage of GDP for the past 15 years, while other global economies have recorded an increase over the same period.”

‘https://www.uq.edu.au/news/article/2023/04/slippery-slope-basic-research-underfunded-australia

Instead of providing the environment for ideas to flourish in Australia, a decade ago the government decided it could just import them instead.

“The enormous wealth generated by iron ore, coal, oil and gas masks, and probably contributes to, an economy that has failed to develop the industries needed to sustain its position among the top ranks of the developed world. Australia sells the world almost nothing, relative to total exports, that requires a degree to make.”

‘https://www.afr.com/policy/economy/australia-is-rich-dumb-and-getting-dumber-20191007-p52y8i

Australia’s regional neighbours do it far better
https://theconversation.com/australias-innovation-problem-explained-in-10-charts-51898

ResearcherZero October 4, 2023 7:57 AM

“Cultivating a source is fine. But any self-respecting analyst, journalist, or politician wants to be the one cultivating, not the one being cultivated. And mutual back-scratching can erode one’s integrity and independence.”

“…Malley lost his security clearance for reasons still not explained, and he is on leave from government service.”

‘https://www.theatlantic.com/ideas/archive/2023/09/tehran-times-classified-documents-leak-investigation-robert-malley/675480/

One of the German academics in the IEI, according to the emails, offered to ghostwrite op-eds for officials in Tehran.
https://www.semafor.com/article/09/25/2023/inside-irans-influence-operation

Menendez blocked bill to regulate foreign influence…

Three years later, the act has not been updated. At the time Menendez blocked it, senators said it was a huge missed opportunity.

‘https://www.aol.com/bob-menendez-singlehandedly-blocked-bipartisan-164613126.html

Leveraging Division

“Yes, I’m playing a large role in organising the rally in Sydney. The paperwork is in my name,” Boikov said in a telephone call from the Russian consulate.

‘https://www.telegraph.co.uk/world-news/2023/09/20/simeon-boikov-organising-indigenous-rights-rally-australia/

Some intelligence operations have previously led to tit-for-tat reprisals.
https://www.smh.com.au/national/fake-russian-diplomats-revealed-as-heart-of-hive-spy-ring-in-australia-20230223-p5cmxz.html

(Who doesn’t enjoy being shot or tortured? Gets the heart pumping! Sometimes it does the opposite, but there is always some risk involved.) 😉

Insertion

The corrupt officials might rig a tender committee. Or leak inside information. Or ensure a contract is awarded without a competitive tender.

“A facilitation payment, payment of a minor value to a foreign public official for the performance of a routine government action of a minor nature, is still permitted in some instances in Australia.”

“…serious inadequacies in laws and institutions, hamper enforcement against foreign bribery.

These include problems related to whistleblower protection, levels of sanctions, a lack of training and resources, the underfunding of key enforcement agencies, poor inter-agency coordination and the insufficient independence of prosecution services and the courts.”

Public policies and resources should not be determined by economic power or political influence, and there is an urgent need to control political financing, managing conflicts of interest and regulating lobbying activities. It is even less palatable when it is allowed to go unnoticed because influence by the political party that holds power ensures any claims of corruption within government are covered up by agencies that are relied on to be transparent and trustworthy.

‘https://www.corporatecomplianceinsights.com/corruption-down-under-australia/

Australia’s international education system has become a “Ponzi scheme”

“commonplace sexual exploitation, human trafficking and other organised crime”

‘https://www.afr.com/politics/federal/migration-agents-to-face-tough-background-and-compliance-checks-20231004-p5e9kv

Criminal syndicates have exploited visas to facilitate human trafficking, modern slavery, illegal sex work, drug importation and money laundering.
https://www.msn.com/en-au/news/australia/migration-system-used-for-worst-crimes-in-our-society/ar-AA1hEVUZ

Key to the new body will be Australia’s intelligence agencies, which will be tasked with relaying information gleaned from overseas.

‘https://www.sbs.com.au/news/article/strike-force-agent-crackdowns-the-governments-response-to-industrial-scale-visa-abuse/tb1v7tlfh

glenn f. October 4, 2023 10:43 AM

@ ResearcherZero,

buffer overflow ld.so (updates available) — Full root access on popular platforms

It’s not the first time we’ve been screwed by setuid. People think that, with enough effort and contrary to all historical evidence, we can start a process in an adversarial execution environment and clean it up enough to make it secure. glibc’s dynamic linker, specifically, has been exploited via environment variables before. A libc developer should know the risks better than anyone, so if they can’t get this right in a small bit of code (/lib64/ld-linux-x86-64.so.2 is about 200K, compared to the 2000K of libc.so.6), how can we expect the developers of more complex programs to do it?

(To be more explicit: never try to “remove badness” from anything. Create a new thing, and “import” only specific things believed to be safe. For example, libc’s loader should’ve always been switching processes to an empty set of environment variables, and providing something like getenv_from_untrustworthy() to access the original one.)

Audit your setuid/setgid binaries, and use dpkg-statoverride on Debian or Ubuntu to knock out those bits where possible—that is, almost all the time. Distros should really take a harder position against these, and never install them without explicit permission. Where you deem them necessary, maybe ‘mount’ or ‘su’ (not sudo!; terrible security record), remove world-execute permission and change their group ownership so only a specific group can execute them.

Also look into the no_new_privs bit, which prevents a process from executing setuid/setgid binaries. Almost every running non-shell process should have it set; you can use setpriv --no-new-privs, bwrap, or systemd’s NoNewPrivileges= option (“man 5 systemd.exec”, and “man 5 systemd.unit” for information about “drop-in” configuration overrides). To check, look for the “NoNewPrivs:” line of /proc/PID/status.
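The audit just described, as added example code rather than anything from the comment: a POSIX sh script that lists setuid/setgid binaries, flags the ones still world-executable, and reads the NoNewPrivs line of a /proc/PID/status file (it also goes one step further and reports every running process that lacks the flag). The sample status files it builds are constructed for offline testing, not captured from a real system.

```shell
#!/bin/sh
# Added example (not from the comment above): audit setuid/setgid binaries
# and check the no_new_privs flag the way glenn f. describes.
# The sample status files are constructed here so the parser runs offline.

# Print "path<TAB>kind<TAB>exposure" for every setuid/setgid regular file
# under the given directories (defaults to the usual binary locations).
# "restricted" means world-execute is already off, i.e. only the owner and
# the file's group can run it, which is the recommended state for the few
# you decide to keep.
audit_setid() {
  [ $# -eq 0 ] && set -- /usr/bin /usr/sbin /bin /sbin /usr/lib /usr/libexec
  find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
  while IFS= read -r f; do
    kind=""
    [ -n "$(find "$f" -prune -perm -4000)" ] && kind="setuid"
    [ -n "$(find "$f" -prune -perm -2000)" ] && kind="${kind:+$kind+}setgid"
    if [ -n "$(find "$f" -prune -perm -o+x)" ]; then
      exposure="world-exec"
    else
      exposure="restricted"
    fi
    printf '%s\t%s\t%s\n' "$f" "$kind" "$exposure"
  done
}

# Return the NoNewPrivs value (0 or 1) from a /proc/PID/status-style file,
# or "unknown" when the line is absent (old kernel, unreadable, not a status file).
nnp_from_status() {
  [ -r "$1" ] || { echo unknown; return 0; }
  awk '/^NoNewPrivs:/ { print $2; found = 1 }
       END { if (!found) print "unknown" }' "$1"
}

# Live check of one process, e.g. nnp_for_pid "$$" for the current shell.
nnp_for_pid() { nnp_from_status "/proc/$1/status"; }

# Report every running process whose NoNewPrivs flag is still 0.
# After NoNewPrivileges=yes in systemd-system.conf this list should be short.
procs_without_nnp() {
  for s in /proc/[0-9]*/status; do
    [ "$(nnp_from_status "$s")" = "0" ] || continue
    p=${s#/proc/}; p=${p%/status}
    printf '%s\t%s\n' "$p" "$(awk '/^Name:/ { print $2; exit }' "$s")"
  done
}

# Constructed sample modelled on the /proc/PID/status layout (tab-separated).
# Prints the path of a temp file; $1 is the NoNewPrivs value to embed.
sample_status() {
  t=$(mktemp) || return 1
  printf 'Name:\tsshd\nPid:\t4242\nNoNewPrivs:\t%s\nSeccomp:\t0\n' "$1" > "$t"
  printf '%s\n' "$t"
}

# Remediation commands from the comment, shown for reference and not run here:
#   dpkg-statoverride --update --add root root 0755 /usr/bin/<binary>  # drop the bit (Debian/Ubuntu)
#   chmod o-x /usr/bin/mount; chgrp <admin-group> /usr/bin/mount      # keep it, but group-only
#   setpriv --no-new-privs -- <command>                               # one process with the flag
#   NoNewPrivileges=yes                                               # in a unit file or drop-in

case "${1:-}" in
  audit) audit_setid ;;
  procs) procs_without_nnp ;;
  pid)   nnp_for_pid "$2" ;;
esac
```

Run it as `sh audit.sh audit` to list setuid/setgid binaries, `sh audit.sh procs` to see which processes still lack the flag, or `sh audit.sh pid <PID>` for one process.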

lurker October 4, 2023 3:22 PM

@glenn f, ResearcherZero, All

re: glibc-tunables buffer overflow

“It’s not the first time we’ve been screwed by” buffer overflow, in going on for three-quarters of a century.

Yet again confessing my simple mindedness, if this was a hardware problem the engineers would have designed it out, AND put traps in QA to catch it.

Clive Robinson October 4, 2023 3:54 PM

@ Bruce, ALL,

Another horrific AI Car meets pedestrian event.

https://www.theregister.com/2023/10/04/driverless_cruise_car_pedestrian/

From what is written the pedestrian who was legitimately crossing the road, was hit first by a human “hit and run driver”. As a result she got thrown in front of an empty AI vehicle that was just driving around. It drove over her causing more injuries and just stopped on top of the now badly injured woman, pinning her down by crushing her leg with a rear wheel. The AI vehicle had to be lifted off of her by first responders at the scene…

https://www.cbsnews.com/sanfrancisco/news/robotaxi-san-francisco-woman-hit-pinned-fifth-street-market/

What has become of the critically injured woman has not been said, but I hope that she recovers.

Clive Robinson October 4, 2023 5:14 PM

@ ALL

Re : What could go wrong when you expand on a half century old known to be a bad idea?

Under the title,

“Security risks of personal access tokens exposed by attacks on GitHub”

It explains some of what has gone wrong on GitHub with upgrading “passwords”, which as I’ve mentioned before have been known to be a very bad idea for a whole host of reasons since the 1960’s when calls were being made to replace the security disasters with something more appropriate for security.

https://devclass.com/2023/10/03/security-risks-of-personal-access-tokens-exposed-by-attacks-on-github/

It starts with the paragraph,

“Hundreds of GitHub repositories, including some in private organizations, have been compromised and malicious code injected, according to a report from application security company Checkmarx.”

Before launching into a list of quite eyebrow lifting issues.

One of which is,

“to add password-stealing JavaScript code to web forms found in the repository”

The “Personal Access Tokens” recently added to support automated processes on GitHub that require read-write access to any and all repositories are described as,

“GitHub provides personal access tokens for this purpose, which are passwords that typically have a short lifetime.”

So in order to “toughen up” user access, GitHub have taken the “Rambutan Approach” of having a tough and spikey exterior with a soft, lush, yielding and watered down interior…

Oh and as a closing note of this currently “in beta feature”,

‘GitHub advises users to “treat your access tokens like passwords.” Further best practice is to find ways of working that do not require them, wherever possible’

Hmmm…

lurker October 4, 2023 5:19 PM

@Clive Robinson, ALL
re: robocab hits pedestrian

Note, the pedestrian, although on a legitimate crossing, had failed to clear the crossing before the lights changed green for vehicles. The robocab’s vision may have been obscured by the hit-and-run vehicle to its left.

Then, how would a human driver have done in these circumstances?

glenn f. October 4, 2023 8:37 PM

@ lurker,

Yet again confessing my simple mindedness, if this was a hardware problem the engineers would have designed it out, AND put traps in QA to catch it.

Well, perhaps part of the problem is that there are few engineers in software development, and a lot of people who just call themselves “engineers” while doing nothing of the sort. (It reminds me of “Doctor” Spaceman from the TV show 30 Rock, who’s said to be legally required to put those quotation marks around his title and use air-quotes when speaking it.)

But have you been paying attention to all the speculative execution bugs from the last 6 years? Someone once pointed out a paper from the 1990s saying something along the lines of “but of course security boundaries need to be considered with respect to caching and speculation” (I haven’t been able to find it again). Basically, the CPU designers—I don’t know whether they’re generally engineers—didn’t do that. And nobody noticed for 20 years, and then we found out everything was broken. Do you think AMD and Intel put effective “traps in QA” to catch such things? Well, they keep releasing new CPUs that fix most of the then-known bugs, but people keep discovering new ones. They don’t seem to have modeled security boundaries well enough to catch this stuff before making the CPUs, and then we’re stuck with all kinds of ugly performance-destroying workarounds. (Which causes us to want faster CPUs…)

As to buffer overflows, there’s a project called CHERI to design a hardware architecture that lets us re-compile shitty old C code and actually prevent most of them. I’m a bit baffled by how much trouble people have with string-related functions; but, then, almost every string-related function in C is horrible in some way—actually, much of libc and POSIX are like this—and nobody’s really agreed on any replacement string API, except maybe Rust as a whole language replacement.

While looking up some more information about “no_new_privs”, I found that systemd now has a system.conf setting “NoNewPrivileges=yes” (“man systemd-system.conf”) that will enable that flag on literally all processes, effectively “designing out” setuid and setgid. I think it’s time for some distro-wide project to find all users of these features and rework them such that everyone can enable this. Personally, I could probably replace all my own uses with ssh logins, if I enabled superuser logins with the appropriate command restrictions.

SpaceLifeForm October 4, 2023 9:50 PM

Octopi rider

Not my car, but how much would your car insurance premium go up to have an Octopi rider to cover this event.

‘https://media.infosec.exchange/infosecmediaeu/cache/media_attachments/files/111/179/665/435/496/505/original/5571dab901f75aa8.mp4

Clive Robinson October 4, 2023 10:45 PM

@ SpaceLifeForm, ALL,

Re: Octopus does a car…

“how much would your car insurance premium go up”

In the UK “beyond what you could afford”…

For an EV that the “Mayor For London” wants to be the only privately owned cars on a thousand square km of London roads, the insurance / year for an EV is already above $7000 equivalent because of the hazardous risk of the batteries, not just because they can catch fire oh so easily in a “fender bender”, but because of the “environmental clean up” hazard they represent…

But getting back to the video, they should not have had the flashing lights in it. Because they give away the fact it’s faked…

The edge of an octopus stretches very thin like the skin between your thumb and your index finger. Which if you “backlight” you will see colour to an orangey-red as the light shines through. You don’t see the same effect on the squid in the video, which you would do if it was a real squid crossing the flashing lights… Therefore it was “faked-on” the car, but still done rather well.

Oh and a few other indicators, such as the octopus colour changing as part of its camouflage capabilities not happening. Normally the colour change an octopus goes through when crossing the sea floor is mesmerising to watch and why octopuses are sometimes called the chameleons of the sea. As for what the octopus was actually doing…

Clive Robinson October 4, 2023 10:56 PM

@ lurker,

“the pedestrian, although on a legitimate crossing, had failed to clear the crossing before the lights changed green for vehicles.”

I’m uncertain what the legislation says in that part of the US.

But in the UK, and many European nations the legislation boils down to,

“Once a pedestrian has claimed the crossing, no vehicle is allowed to enter the crossing even if the signals have changed.”

This is because pedestrians of all ages can trip or fall, as well as the old being slower than expected to cross…

Otherwise the streets would be “Death Race 2000” in nature as anyone’s granny went to the shops.

ResearcherZero October 4, 2023 11:47 PM

Chinese state-owned enterprises are using Australian law firms to advise on takeovers of critical local infrastructure and minerals projects according to a new report that exposes potential conflicts with other sensitive work the same companies complete at home.

‘https://www.abc.net.au/news/2023-10-03/beijing-owned-businesses-using-australian-law-firms/102925108

Beijing’s attempts to gain influence via infrastructure partnerships and low-cost technology investments comes with risks that China may exploit the systems it helps finance.

‘https://cyberscoop.com/mayorkas-latin-america-china/

“TSA did not ensure all pipeline operators timely adhered to security requirements contained in the directives. TSA also did not follow up and track the pipeline operators’ assessments of the effectiveness of their cybersecurity practices.”

‘https://www.oig.dhs.gov/sites/default/files/assets/2023-09/OIG-23-57-Sep23-Redacted.pdf

Meta reported that it had recently taken down thousands of accounts and Facebook pages that “were part of the largest known cross-platform covert operation in the world,” run by “geographically dispersed operators across China.”

‘https://thediplomat.com/2023/09/chinas-increasingly-aggressive-tactics-for-foreign-disinformation-campaigns/

The Chinese government is pouring billions of dollars annually into a global campaign of disinformation, using investments abroad and an array of tactics to promote Beijing’s geopolitical aims and squelch criticism of its policies, according to a new State Department assessment. Beijing’s broad-ranging efforts feature online bot and troll armies, legal actions against those critical of Chinese companies and investments and content-sharing agreements with media in Latin America and Africa.

X approved all of the fake ads, TikTok approved 70 per cent and Meta allowed all but one through.
https://www.abc.net.au/news/2023-09-30/voice-to-parliament-misinformation-elon-musk-x/102912548

ResearcherZero October 4, 2023 11:49 PM

BlackCat/AlphV

“The Australian Federal Police (AFP) has been revealed as one of the government agencies affected by a cyberattack on a national law firm.”

‘https://www.dailymail.co.uk/news/article-12517793/Australian-Federal-Police-AFP-cyberattack.html

Hackers stole 2.5 million documents from HWL Ebsworth clients in April and published about 1 million on the dark web in June.
https://www.afr.com/companies/professional-services/scale-of-hwl-ebsworth-hack-revealed-2-5m-files-65-agencies-20230920-p5e64t

“obtained government files apparently relating to the top-secret Woomera missile testing site”

driver’s licences, including names, dates of birth and photos, employment contracts, briefs of evidence, legal negotiations and consent orders

The Defence Department, …appears particularly exposed, with monthly reports updating work on defence matters leaked and published online by the hackers.

‘https://ia.acs.org.au/article/2023/government-data-feared-stolen-by-hackers.html

Australia remains at the leading edge of hypersonics research, test and evaluation…

‘https://aiaa-stag.aiaa.org/doi/abs/10.2514/6.2006-7909

ResearcherZero October 5, 2023 12:02 AM

When people are desperate enough, they’ll go for a counterfeit. It’s a dangerous time to give people more reasons not to believe what’s in front of them.

Complicating matters is the fact that simply presenting accurate data to the misinformed doesn’t always work.
https://www.smh.com.au/politics/federal/truth-decay-defence-force-chief-warns-of-information-warfare-risks-20230915-p5e4w8.html

The most difficult transition in the intelligence community’s history…

‘https://www.cia.gov/static/242fbcb4c50958e6d49fa7a3c2718a05/Getting-to-Know-the-President-Fourth-Edition-2021-web.pdf

Moral courage comes into play when analysts notice their objectivity being suppressed or politicization going on.

“What I want to convey here is the human dimension of trying to ensure analytic objectivity and avoiding politicization of intelligence.”

‘https://www.cia.gov/static/d826a89c7c1497ab0ef6cde6cab830b6/Article-Zulauf-SafeguardingObjectivityInIntelligenceAnalysis.pdf

“…any time you declassify information, you run the risk of revealing a source, which, in the Russian case, is almost always sensitive.”

“And there’s another danger here that’s equally important, I think, and that is that you give hostile intelligence services an invitation then to deceive you in the future.”
https://www.pbs.org/newshour/show/the-risks-of-politicizing-the-u-s-intelligence-community

“As chairman, you swear to support and defend the Constitution of the United States, but what if the commander in chief is undermining the Constitution?”
https://www.theatlantic.com/magazine/archive/2023/11/general-mark-milley-trump-coup/675375/

“War on paper and real war are different. In real war, real people die.”

‘https://edition.cnn.com/2023/09/25/politics/mark-milley-chairman-joint-chiefs-controversial-legacy/index.html

“There is nothing more that can be said,” Kelly concluded.
https://edition.cnn.com/2023/10/02/politics/john-kelly-donald-trump-us-service-members-veterans/index.html

Clive Robinson October 5, 2023 6:39 AM

@ lurker, ALL,

The simple reasons for crossway legislation that even a legislator should be able to understand 😉

https://m.youtube.com/watch?v=pI62ANEGK6Q

Don’t worry if you’ve been thinking it’s “speed that kills” it’s always been “distance or a lack thereof”[1].

It’s just the way our brains work, especially when we feel the pain of too little distance…

[1] Oh and don’t forget it’s also “relative” to other objects, their speed, direction, AND distance. Apparently some think this is just a little too complex for those who practice law by practical application, so imagine what happens when you tell them time is different for those further away from the equator…

bl5q sw5N October 5, 2023 10:23 PM

@ Clive Robinson @ lurker

https://m.youtube.com/watch?v=pI62ANEGK6Q

The presenter’s enthusiasm is attractive and the gonzo journalistic style entertaining, but could not the relationship between speed, acceleration, and distance, and the safety implications been brought out more clearly and succinctly ?

ResearcherZero October 6, 2023 2:59 AM

Budworm deploys HyperBro

‘https://blog.eclecticiq.com/chinese-state-sponsored-cyber-espionage-activity-targeting-semiconductor-industry-in-east-asia

Pro-Russia hacker group does not like Slinger drone killer system.

‘https://www.theguardian.com/australia-news/2023/oct/06/australia-department-of-home-affairs-ddos-hack-russia

BADBOX is a global network of consumer products with firmware backdoors installed and sold through a normal hardware supply chain.

libandroid_runtime.so

Upon boot immediately injected the com.jar library into process memory and connected with a C2 server for additional instructions.

“Those initial instructions included a ZIP file which, when unzipped and decrypted, includes two more files of concern: classes.png and config.make.
classes.png when decrypted, turns into classes.dex. (If classes.dex is deleted from memory, it’s immediately restored, underscoring the persistence of the threat.)”

BADBOX-infected devices are unsalvageable by an average user, as the malware is located on a read-only (ROM) partition of the device firmware.

Able to set up reverse proxy (hide in or sell access to your home network)

OTP

“The level at which BADBOX infects devices allows the threat actors to intercept text messages before they reach the user.”

‘https://www.humansecurity.com/hubfs/HUMAN_Report_BADBOX-and-PEACHPIT.pdf

Do you own an Android TV Box similar to one of these?

‘https://github.com/DesktopECHO/T95-H616-Malware/

Whether the toggle switch is on or off, I am pretty sure it doesn’t matter because the box is rooted regardless.
https://www.malwarebytes.com/blog/news/2023/01/preinstalled-malware-infested-t95-tv-box-from-amazon

ResearcherZero October 6, 2023 3:11 AM

Lift the leg of your pants and keep your mouth shut!

“Mr Pratt, who is a Mar-a-Lago member which costs about $USD200,000 and gives him access to the “World of Trump”, met with the fellow billionaire in April 2021.”

‘https://www.skynews.com.au/world-news/global-affairs/donald-trump-allegedly-revealed-sensitive-information-about-us-nuclear-submarines-to-australian-businessman-anthony-pratt/news-story/2ad0c9fae26d3b424ab72a8e8f062085

‘https://www.abc.net.au/news/2023-10-06/donald-trump-allegedly-discussed-nuclear-subs-with-anthony-pratt/102943844

Letting the Big Fish Swim

‘https://prospect.org/justice/can-our-legal-system-bring-donald-trump-to-justice/

Buying access to elected officials is, in most cases, not a crime.

‘https://www.reuters.com/legal/cuomo-era-new-york-corruption-cases-go-before-us-supreme-court-2022-11-28/

kickbacks and clemency for wealthy crooks

‘https://www.nytimes.com/2021/03/21/us/politics/trump-pardons.html

In effect, the court has defined corruption in a way that requires prosecutors to prove an explicit quid pro quo agreement.
https://www.washingtonpost.com/news/monkey-cage/wp/2016/07/20/defining-corruption-is-inherently-political-why-do-we-think-the-supreme-court-will-solve-it/

The unprivileged are frequently convicted, rarely the wealthy or connected.

‘https://www.theguardian.com/us-news/2015/oct/18/judge-bias-corrupts-court-cases

“WHEN it comes to poor people arrested for felonies in Scott County, Miss., Judge Marcus D. Gordon doesn’t bother with the Constitution. He refuses to appoint counsel until arrestees have been formally charged by an indictment, which means they must languish in jail without legal representation for as long as a year.”
https://www.nytimes.com/2015/11/27/opinion/how-to-prosecute-abusive-prosecutors.html

ResearcherZero October 6, 2023 4:03 AM

Revolving doors…

“Mr McGowan — who has taken on advisory roles with BHP and Mineral Resources after walking away from politics in May — will add more to his plate after taking on positions with Bondi Partners, a Sydney-based partnership and consultancy founded in 2020 by former Federal treasurer Joe Hockey, and APM Human Services International.”

In 2021, Bondi Partners teamed up with Ellerston Capital to set up a fund called 1941, which was pitched as an investment vehicle in national security.

‘https://www.afr.com/politics/federal/exhausted-mcgowan-now-has-four-new-jobs-including-with-joe-hockey-20231006-p5ea8p

“given one hour to brief his board members before the premier addressed the media to announce the guidelines had been withdrawn”

‘https://www.abc.net.au/news/2023-09-10/mark-mcgowan-phone-call-epa-emissions-targets-tom-hatton/102800212

Bondi Partners was working to put together a US consortium to take shipbuilder Austal private. Perth-based Austal will play a role in the trilateral AUKUS security pact.

‘https://www.afr.com/street-talk/austal-s-us-suitors-face-another-interested-party-joe-hockey-20230607-p5desa

https://www.msn.com/en-au/news/australia/mark-mcgowan-has-been-auditioning-for-his-new-mining-job-for-six-years/ar-AA1fxlzl

ResearcherZero October 6, 2023 4:37 AM

The VSSE said every Chinese company was legally obliged to provide data to Chinese security services on request, and it believes they have the “intent and capacity to use this data for non-commercial purposes.”

‘https://www.cnn.com/2023/10/05/business/alibaba-belgium-spying-accusations/

(paywalled)

“Cainiao is able to access data about merchants, products, transport details and flows, said a person familiar with its IT systems.”

The site in Liège is the only European logistics centre run by Alibaba’s logistics spin-off Cainiao. It mainly handles goods sold directly to European consumers through the online shopping site AliExpress. Cainiao is applying for a permit to more than triple the size of its warehouses to 100,000 sq m.

One possible espionage risk relates to Cainiao’s software used to streamline logistics procedures, which is part of Alibaba’s “electronic world trade platform” (EWTP).

‘https://www.ft.com/content/256ee824-9710-49d2-a8bc-f173e3f74286

“Amazon’s pricing tool would repeatedly lower the price on an item to match its competitor, leading to what insiders dubbed a death spiral.”
https://www.geekwire.com/2023/ftc-targets-alleged-secret-amazon-pricing-algorithm-project-nessie-in-antitrust-complaint/

It is able to block third-party sellers from going elsewhere, and therefore also stop potential rivals from gaining share.

‘https://www.thebignewsletter.com/p/the-ftc-sues-to-break-up-amazon-over

Google’s chief argument against public disclosure of its trial is that it might generate “clickbait,” also known as public interest.

‘https://www.theverge.com/2023/9/21/23884734/clickbait-in-my-antitrust-trial

https://www.thebignewsletter.com/p/how-to-hide-a-2-trillion-antitrust

tracking links (html, epub, gmail content, search query, etc)

‘https://www.bloomberg.com/news/features/2023-09-28/google-user-data-is-police-s-top-shortcut-for-solving-crimes

Winter October 6, 2023 10:46 AM

Something for the Weekend.

To Schnorr and beyond (Part 1)
Matthew Green in fundamentals
‘https://blog.cryptographyengineering.com/2023/10/06/to-schnorr-and-beyond-part-1/

Warning: extremely wonky cryptography post. Also, possibly stupid and bound for nowhere. [1]

One of the hardest problems in applied cryptography (and perhaps all of computer science!) is explaining why our tools work the way they do. After all, we’ve been gifted an amazing basket of useful algorithms from those who came before us. Hence it’s perfectly understandable for practitioners to want to take those gifts and simply start to apply them. But sometimes this approach leaves us wondering why we’re doing certain things: in these cases it’s helpful to take a step back and think about what’s actually going on, and perhaps what was in the inventors’ heads when the tools were first invented.

[1] Ignore the note from the author.

Arrak October 7, 2023 1:10 AM

https://www.bleepingcomputer.com/news/security/genetics-firm-23andme-says-user-data-stolen-in-credential-stuffing-attack/

“23andMe has confirmed to BleepingComputer that it is aware of user data from its platform circulating on hacker forums and attributes the leak to a credential-stuffing attack.

The initial data leak was limited, with the threat actor releasing 1 million lines of data for Ashkenazi people. However, on October 4, the threat actor offered to sell data profiles in bulk for $1-$10 per 23andMe account, depending on how many were purchased.

A 23andMe spokesperson confirmed the data is legitimate and told BleepingComputer that the threat actors used exposed credentials from other breaches to access 23andMe accounts and steal the sensitive data.”

SpaceLifeForm October 7, 2023 1:18 AM

@ Winter

I agree. Not wonky at all.

I am a bit surprised he did not bring up an Oracle attack.

Maybe he will later.

ResearcherZero October 7, 2023 6:28 AM

Retained a device that allows for access to secure military computer networks and offered the device to Chinese authorities.

‘https://www.justice.gov/opa/pr/former-soldier-indicted-attempting-pass-national-defense-information-peoples-republic-china

Clive Robinson October 7, 2023 1:21 PM

@ ResearcherZero, ALL,

“Retained a device that allows for access to secure military computer networks and offered the device to Chinese authorities.”

Split that into two parts as they are two separate unlawful acts of basic criminality and being a traitor, and you get,

1, Retained a device.
2, Offered the device to China.

Many system owners might think that the second,

“That’s not going to happen to me”

As they don’t have “State Secrets”… But if you are in business you either have or will have rivals if your product is of any value[1]

So that leaves the first point. What is not clear is what “retained” actually means.

Was it a device owned by the employer or the individual for instance?

Was it a device installed officially by the employee or unofficially?

Was it a set of credentials put on a device owned by the employee but allowed by, or at the time approved by, the employer in some way?

The list gets quite long, but from just the few I’ve mentioned you can see how big the security issue gets.

Worse think how fast technology advances thus how much faster the security issue grows.

The technology inside a modern miniature WiFi thumb drive you can buy for a few bucks is well beyond the technology of the best personal military radio systems, and about 1% of the price of equipment put into service only a decade or so back and thus still in the ~25-year service life rotation…

In fact the capabilities of the current GSM mobile networks is such that certain military thinkers see them as more advantageous.

The current issue at the East of Europe, is causing quite a rethink in many areas.

The use of drones of all sizes both in air and on water is attracting “new thinking” and that’s just the “in the news” reporting. Less well reported is the war involving mobile phones, both to support your own troops and to spy on foreign troops.

But also badly reported is the use of non physical weapons, that is the various ranges of “information weapons” of which malware is but a small fraction.

[1] Industrial espionage happens from “bin diving” upwards, often it does not get seen for what it is. But even the makers of “Two buck toys” have it happen to them. After all think of what could be made with “faux Barbies” this year. As a parent you pay 100 bucks for the official Barbie car, or twenty bucks for an unofficial car, trailer and camping set all in bright pink plastic called “The Barbary Camp Set” or similar.

Clive Robinson October 8, 2023 7:18 AM

@ ALL,

As there has been no new Friday Squid page this week…

This “Something for the Weekend” some might find fascinating…

It’s about computers used in 1950’s aircraft that went above Mach 0.5, where the aerodynamic equations become more difficult as aero-dynamics moves into a form of hydro-dynamics. It’s an interesting look by strip down into a “light weight” –for the time– mechanical analogue computer.

Importantly, even for those of today who wrestle with 64-bit computers, it contains short-cuts and optimizations that are still very valid today. Because even with modern logic there is still a speed limit that analogue systems sail through,

http://www.righto.com/2023/10/bendix-cadc-reverse-engineering.html

In the article it mentions an algorithm for shaping a cam that not only removes the step in the function but improves accuracy by removing a straight line.

Back in the 1980’s one of the things I worked on was making “digital radios” considerably less expensive.

Part of which was designing Direct Digital Signals and mixers with inherent low-pass characteristics that could then be fed into an 8-bit, later 16-bit, microcontroller.

I independently invented the same idea but for a ROM based lookup table.

If you look at a sine wave “in the full” you can draw in a triangular wave “inside the curve” that touches the curve at only the max (1,-1) and line crossing (0) points. The result is a slightly odd looking segment that rotates through 90 degrees in each quadrant. What is not immediately obvious, and easily possible with digital logic, is you can do a stripped down “one’s complement” arithmetic simply by using XOR gates to invert the input to the ROM so a count up becomes a count down, and likewise with the output from the ROM you get the required reflection.

Just as with that mechanical computer things get easier and easier as you “fold functions in”, thus putting a digital oscillator function on one set of address pins and the RF signal on other address pins, and some of the data output pins fed back along with some control lines, you could replace most of a radio from the 10.7MHz IF onwards.

The problem was there were no ROM parts fast enough at the time, so the circuit got changed to use Fast SRAM that could do 1ns or less times. The fun thing is it actually made the circuit rather more useful as the microcontroller built and loaded the “table values” thus giving a great deal of flexibility. Including being able to use it as a complex signal modulator.

Oh and for those thinking using a look up table to do maths is somehow wrong… Well most Math CoPros strapped on the side of your CPU ALU work that way. But it does not get talked about much… except when it goes horribly wrong for financial services sharks, and Intel became their chum…
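
A worked model of the quarter-wave ROM trick described in the comment above, as an added example (it is not code from the comment or from any product). It keeps only the first quadrant of the sine in a table, uses XOR on the address lines to run the table backwards in the second and fourth quadrants, and XOR (one’s complement) on the data lines for the negative half-cycle, then drives the table from a phase accumulator, which is the “digital oscillator on the address pins” idea. The table size (256 entries), the 8-bit output and the half-sample offset are assumptions chosen for the illustration; the one thing the half-sample offset buys is that the mirrored quadrants land exactly on the true sine, leaving the one-LSB offset of one’s complement as the only error.

```python
# Quarter-wave sine ROM with XOR "folding" on the address and data lines.
# Added example, not code from the original comment; table size, output
# width and the half-sample offset are assumptions chosen for illustration.
from math import pi, sin

ADDR_BITS = 8                        # 256-entry quarter-wave ROM (assumption)
DATA_BITS = 8                        # 8-bit signed ROM output (assumption)
N = 1 << ADDR_BITS                   # entries per quadrant
AMP = (1 << (DATA_BITS - 1)) - 1     # +127 full scale


def build_quarter_rom(n=N, amp=AMP):
    """First quadrant of the sine, sampled at half-step offsets.

    The half-step offset makes the mirrored table (quadrants 2 and 4)
    line up exactly with the true sine instead of being one step off.
    """
    return [round(amp * sin((pi / 2) * (i + 0.5) / n)) for i in range(n)]


QUARTER_ROM = build_quarter_rom()


def rom_sine(phase, rom=QUARTER_ROM):
    """Full-cycle sine for a phase in 0 .. 4*len(rom)-1 using only the quarter table."""
    n = len(rom)
    quadrant, idx = divmod(phase % (4 * n), n)
    if quadrant & 1:        # quadrants 2 and 4: read the table backwards
        idx ^= n - 1        # XOR on the address lines turns count-up into count-down
    v = rom[idx]
    if quadrant & 2:        # quadrants 3 and 4: negative half-cycle
        v = ~v              # XOR on the data lines = one's complement (-v - 1)
    return v                # always within -2^(DATA_BITS-1) .. 2^(DATA_BITS-1)-1


def ideal_sine(phase, n=N, amp=AMP):
    """What a full 4n-entry ROM would hold for the same phase."""
    return round(amp * sin(2 * pi * (phase + 0.5) / (4 * n)))


def max_error(n=N):
    """Largest deviation of the folded table from the full table (1 LSB, from the one's complement)."""
    return max(abs(rom_sine(p) - ideal_sine(p)) for p in range(4 * n))


def nco_wave(tuning_word, samples, phase_bits=ADDR_BITS + 2):
    """Phase accumulator driving the ROM: the 'digital oscillator on the address pins'."""
    mask = (1 << phase_bits) - 1
    acc, out = 0, []
    for _ in range(samples):
        out.append(rom_sine(acc))
        acc = (acc + tuning_word) & mask
    return out


if __name__ == "__main__":
    print("quarter ROM:", len(QUARTER_ROM), "entries; max error vs full table:", max_error(), "LSB")
    print("one cycle, 16 samples:", nco_wave(N // 4, 16))
```

Changing `tuning_word` in `nco_wave` changes the output frequency without touching the table, which is the flexibility the comment gets from having the microcontroller load the table into SRAM; a second set of address bits carrying the RF sample would turn the same lookup into the mixer.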

Clive Robinson October 8, 2023 8:02 AM

@ Bruce, ALL,

And so the incumbents in the UK have decided that George Orwell’s warning is in reality a “business plan” for Corporations and others of a far less savoury nature to profit by.

https://www.theguardian.com/uk-news/2023/oct/02/uk-passport-images-database-could-be-used-to-catch-shoplifters

It’s not just “passports” it’s actually any image database that access can be gained to…

So in London for instance all the digital “travel card” photos of children, special needs, disabled, and some adults.

Likewise it will also no doubt encompass all “employer databases” and similar in the near future, as there is nothing like a truly bad idea to keep doubling down on.

Oh and if you wonder what’s in it for the politicians, read the last paragraph, that’s a very strong indicator that the UK Gov Ministers have been “seduced” by the likes of Palantir to go down the “robo-cop detective” route, allegedly to “increase productivity gains” but in reality to further cut police manpower, thus making life less safe for those living in the UK.

As I know from bitter experience, being young, fit and healthy does not help you perform a “legal” citizens arrest when,

1, There is more than one criminal involved.
2, The criminals are most likely carrying a weapon of some form and quite happy to use it for “attempted murder”.
3, The police will look for every excuse to turn you into an easy arrest and conviction.

Clive Robinson October 8, 2023 8:47 AM

@ Bruce, SpaceLifeForm, Winter, ALL,

As you probably know I’ve been going on about the faux “think of the children” and similar arguments against “End to End Encryption” (E2EE). Further, I’ve pointed out that there is a lot of quite dark politics involved with it.

Well it appears it’s not just the politics but the “Dark Money” that political legislation has allowed to become so secretive, itself in the hands of just a few billionaires who, let’s be honest, are very far from being “ideal role models”,

https://theintercept.com/2023/10/01/apple-encryption-iphone-heat-initiative/

@ ALL,

As I’ve said before, when it comes to electronic communications you have to consider the whole signal path. In effect from your lips to their ears or your fingertips to their eyes.

If they have control in any way of any part of that signal path where they can access “plaintext” then you have no privacy, nor does society except for the very few who take adequate precautions.

These attacks on smart devices are based on a simple notion that for the majority,

“User Convenience trumps privacy every time.”

And its flip side faux argument of,

“If you’ve nothing to hide you’ve nothing to fear.”

Which even “Cardinal et duc de Richelieu”, chief minister to King Louis XIII of France in the early to mid 1400’s debunked with his,

“If you give me six lines written by the hand of the most honest of men, I will find something in them which will hang him.”

And for those in the US, the now near worthless,

“[T]he right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated…”

And what little is left is being avoided by making everything a “Third Party Business Record”, for which there is no oversight.

Thus it is up to the individual to protect their privacy from such unwarranted, and in previous times illegal, activities by not just the Guard Labour and other Agents of the state but by all parties not actively invited into the communications.

In the past I’ve described why “secure messaging apps” are not actually secure, and why you really should not use them. Likewise why you should not connect the device you use for “private” thoughts, writings, and activities to ANY communications channel.

Importantly I have in the past described at length how you deal with such issues such that you can maintain your privacy, beyond what those with “Dark Intent” can achieve.

bl5q sw5N October 8, 2023 10:50 AM

@ Clive Robinson

Re: Bendix it like Beckham

Is there something like a set of mechanical primitives that play the role that the most basic Boolean logic functions play in digital design ?

Winter October 8, 2023 11:24 AM

@Clive

Further that I’ve pointed out that there is a lot of quite dark politics involved with it.

Sunak’s newly discovered need to start a crusade against trans people [1] can be seen in this light, as kowtowing to American donors. However, it can also be seen as a desperate attempt to find something, anything, to raise at least some support for the Conservatives.

The polls are not favorable, the Conservatives are at 28% against Labour at 44%.[2] Better to try sacrificing (or murdering) some trans people than solving real problems like poverty and a tanking economy.

[1] ‘https://www.manchestereveningnews.co.uk/news/rishi-sunak-saying-a-man-27843110

[2] ‘https://www.manchestereveningnews.co.uk/news/rishi-sunak-saying-a-man-27843110

Clive Robinson October 8, 2023 6:50 PM

@ bl5q sw5N, ALL,

Re : Primitives for mechanical analogue computing.

“Is there something like a set of mechanical primitives that play the role that the most basic Boolean logic functions play in digital design ?”

Yes there are, but they bear no relation to “Boolean Logic” in “analogue mechanical” computers that have continuous inputs and outputs. The more spectacular examples of which were for navigation, the earliest being the seafaring (~100BC) Antikythera mechanism and the latest (2002) the spacefaring Soviet/Russian “Globus IMP” instruments. Both are things of natural beauty to look at, for those with a mind attracted to precision things that can still be made with just basic mechanical tools.

But the 1930-1960 period was when the mechanical analogue computers hit their peak of sophistication.

I could not find a nice easy list, as different people went different ways. The fundamental fact though is it appears our basic physical life is about “circles and rotations”. And what appears horrendously difficult to do in Boolean Logic can be done with just a few cogs and wheels, or even the “pipes, valves and coloured water” of the MONIAC economy visualiser (1949).

Off the top of my head I can give you the basics used at various times.

So first off the “infinite gear”: imagine a round disk about six inches across. This is driven at a fixed speed of revolution from underneath. On top is a metal wheel or ball with rubber for grip/friction that can slide along a shaft that goes from the center of the disk to the edge of the disk. Where the wheel is on the radius of the disk determines how fast it turns. This acts as both a “rate multiplier” and as a form of integrator when driving the likes of an odometer.

A variation on the rate multiplier is two cones separated by a distance with a band drive going between the two. Obviously the cones can be arranged so that the distance around the pair remains constant. So you get a different form of gearing ratio with “infinite ratios”. But in essence it is the same as the cone of wheels gear used in a lot of “drill presses” and the likes of “workshop machines” and even the drive system of some cars.

Cone gears have the advantage of having a much greater torque output to drive “down stream” parts than wheel/disk or ball/roller systems. It was Vannevar Bush who solved the torque / accuracy problem by using synchro-motors and magnetic amplifiers in the 1930’s.

If you use a cam&lever system to control the position of the wheel, band, or ball, you get a complex “control input”. You will see such systems on the adjustments of steam engines. However use two geared together and you get the basis of a two dimensional “flat plotter” rather than the harder to use “drum plotter”. The Soviet IMP actually was a “ball plotter” in that it had a continuously moving globe with no pivot points under a cross hairs “nadir” indicator.

The invention of the Chinese novelty of the North Pointing Chariot from several thousand years ago is as far as I know the first use of the differential gear. Normally the gears are arranged as two inputs, one output and an idler, as this allows addition and subtraction of the rates of turn. However that fourth wheel can also be used as either another input or output depending on how things are to be used.

Cams and followers with profiled heads make a simple but effective “look up table” of most continuous complex functions.

Another trick in a similar vein is to use multiple wheels in a sort of pulley system where, as the wheels turn, a small pulley on the periphery will give a sinewave lengthening and shortening of the output rope/wire. Put in say three wheels of the right radius and gearing ratios and you have a simple Fourier Generator, capable of a reasonable approximation of any cyclic waveform.

Such as the expected “tide height” of any port, knowing its position and using the positions of the Sun and Moon as the inputs.

If you live in the south of the UK the London Science Museum has a display of such machines, including a fully functional system made of bits of Meccano from UMIST. And yes, my curiosity and love of things mechanical made by hand has caused me to linger there longer than my then pre-teen son liked, when he wanted to see the planes, rockets and interactive stuff.

But… The days of mechanical analogue computers is not over. They are being used in the design of “Nano Machines” because… Well they still have advantages.

lurker October 8, 2023 7:26 PM

@CliveRobinson
minor nitpick:

The Chinese Chariot was/is South-pointing, towards the Sun in the northern hemisphere. Sure, it could be East-pointing, or anywhere, if you picked it up and set it down in that direction. And forget the prior knowledge, at least three people are credited with independently “inventing” it at different times during the past three millenia.

bl5q sw5N October 9, 2023 6:12 AM

@ Clive Robinson

Re: mechanisms

Thanks for an interesting list. Several articles on the mechanisms (e.g. the chariot) point out the need for extreme precision in the dimensions, gears etc. for correct functioning, and the problems thereby induced by wear. So perhaps the next question is what general purely mechanical mechanism can produce parts with those precisions and additionally are there designs that intrinsically compensate for wear ?

ResearcherZero October 9, 2023 8:56 PM

Researcher discovers sandbox escape for gde (Gnome) tracker-miners when downloading a .cue file.

“The purpose of tracker-miners is to index the files in your home directory to make them easily searchable. The index is automatically updated when you add or modify a file in certain subdirectories of your home directory, in particular including ~/Downloads. …[If] it has a .cue filename extension, tracker-miners uses libcue to parse the file.”

‘https://github.blog/2023-10-09-coordinated-disclosure-1-click-rce-on-gnome-cve-2023-43641/

“network map of the court’s systems, complete with local and remote service credentials, personal details…of employees, including judges.”

‘https://www.bleepingcomputer.com/news/security/alphv-ransomware-gang-claims-attack-on-florida-circuit-court/

ResearcherZero October 10, 2023 2:00 AM

Place attachment and perception of climate change as a threat in rural and urban areas

“although rural people express higher levels of place attachment than urbanites, climate change is viewed as less of a threat by those living in very rural areas than more urban ones. …Given the more direct connections between rural people and the local environment, it is likely that rural residents are more used to thinking about nature as part of their daily/weekly routines. Being more disconnected from nature, urban inhabitants may be unused to considering nature in this way and so, when forced to do so by climate change, it is considered more frightening as it is less familiar.”

‘https://journals.plos.org/plosone/article?id=10.1371/journal.pone.0290354

In rural areas people often volunteer for emergency services, (fire, first-aid, rescue) in order to maintain those services. Confrontation with fire, floods, and serious injury due to accidents is far more common.

Clive Robinson October 10, 2023 3:11 AM

@ ResearcherZero, ALL,

Re : File tracker-miners as a security risk.

Not only,

“Researcher discovers sandbox escape for gde (Gnome) tracker-miners when downloading a .cue file.”

But they also provide time-variable execution of a task.

Which means they are also a “time based side channel” that leaks certain privacy related information back to the network…

No doubt some researcher will eventually “Find and CVE it”… But it’s just one of those very many “Efficiency -v- Security” issues I’ve talked about in the past. Where realistically the only cure for such “side channels” is,

“Mitigation by segregation.”

Oh fun note Microsoft are deliberately killing Win10 in two years, and thus will force massive unnecessary hardware upgrades which we are led to believe will contain new systems to support “AI Goodness”.

This will almost certainly give rise to a massive increase in,

1, Time Based side channels.
2, Power Spectrum based side channels.

And one or two other forms of side channel all leaking your privacy by the bucket load…

Mind you, due to Microsoft’s stupidity the take up of Win11, whilst not zero –due to “new sales”– might as well be…

https://www.theregister.com/2023/10/05/win_11_penetration_still_low/

ResearcherZero October 10, 2023 5:38 AM

@Clive Robinson

Generally a good idea to disable file indexing if not required and concerned about privacy and security.

“Russia almost certainly wants to avoid openly sinking civilian ships, instead falsely laying blame on Ukraine for any attacks against civilian vessels in the Black Sea.”

‘https://www.nbcnews.com/news/world/russia-planning-mine-black-sea-target-ukraine-grain-ships-rcna118946

Russian milbloggers continued to exploit Hamas’ attacks in Israel to further Russian information operations on October 8 intended to reduce US and Western support to Ukraine

‘https://www.understandingwar.org/sites/default/files/Russian%20Offensive%20Campaign%20Assessment%2C%20October%208%2C%202023%20%28PDF%29.pdf

The Russian State Social University (RGSU) confirmed that they are testing the “We” platform, a system for generating a social rating of Russians.
https://www.perild.com/2023/10/06/the-we-social-rating-system-is-being-tested-in-russia-it-will-be-used-for-prompt-and-objective-social-support-of-the-population/

The Russian Federal Security Service (FSB) additionally proposed a draft resolution on October 3 that would expand the list of personal and geolocation data that “organizers of information dissemination” (ORIs) are required to store and provide to law enforcement bodies upon request. The FSB’s October 3 proposal notably follows its recent backing of amendments that would allow it unrestricted access to user data of Russian internet, banking, and telecom companies.

‘https://www.understandingwar.org/backgrounder/russian-offensive-campaign-assessment-october-4-2023

“Okhotnik can successfully identify Telegram account admins and owners, using a built-in neural-network method. Personal information is then refined based on the target’s phone number, geolocation data, and IP address. …has official access to current law-enforcement data.”

‘https://meduza.io/en/feature/2023/04/01/hunting-down-the-haters

Winter October 10, 2023 7:49 AM

Earn money proving conspiracies TRUE:

Announcing the $12k NIST Elliptic Curves Seeds Bounty
‘https://words.filippo.io/dispatches/seeds-bounty/

[Jerry] told me that he used a seed that was something like:
SEED = SHA1(“Jerry deserves a raise.”)
After he did the work, his machine was replaced or upgraded, and the actual phrase that he used was lost. When the controversy first came up, Jerry tried every phrase that he could think of that was similar to this, but none matched.

That’s unfortunate, because the NIST curves are—surprisingly—looking better and better: we now have complete addition formulas for them, mitigating their major footgun; we know how to design safer interfaces for them; and we painfully learned to appreciate the value of prime order curves immune to cofactor attacks. However, there is—mostly amongst non-practitioners—some fear that the NSA could have picked the seeds to select some intentionally weak curves.
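
To make the bounty concrete, here is the check that a seed has to satisfy, as an added example that is not code from the linked post, from NIST, or from anyone who worked on the curves. The NIST curves were generated with the ANSI X9.62 / FIPS 186-2 “verifiably random” procedure: SHA-1 of the 160-bit seed (plus seed+1, …, seed+s for the larger primes) is concatenated into an integer r, and the curve coefficient b was chosen so that r·b² ≡ a³ (mod p). Anyone can re-run that expansion on the published P-256 seed and confirm it reproduces the published b; what nobody has been able to do is show the seed is itself SHA-1 of some phrase, which is exactly what Jerry’s story claims and what the bounty pays for. The constants below are the published P-256 parameters; `search_phrases` and its list of variants are an illustrative helper, not anything from the standard.

```python
# Added example: reproduce the ANSI X9.62 / FIPS 186-2 "verifiably random"
# curve check for NIST P-256, and test candidate seed phrases against it.
# Not code from the linked post or from NIST; constants are the published
# P-256 parameters (FIPS 186-4, D.1.2.3).
from hashlib import sha1

P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_A = P256_P - 3
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
P256_SEED = bytes.fromhex("c49d360886e704936a6678e1139d26b7819f7e90")


def seed_to_r(seed: bytes, p: int) -> int:
    """Expand SEED into the integer r (FIPS 186-2 App. 6.4 / X9.62 A.3.3.1).

    t = bit length of p, s = floor((t-1)/160), h = t - 160*s.
    r = W0 || SHA1(seed+1) || ... || SHA1(seed+s), where W0 is the h
    rightmost bits of SHA1(seed) with its leftmost bit cleared (so r < p).
    """
    g = 8 * len(seed)                     # seed length in bits (160 for NIST)
    t = p.bit_length()
    s = (t - 1) // 160
    h = t - 160 * s
    digest = int.from_bytes(sha1(seed).digest(), "big")
    c0 = digest & ((1 << h) - 1)          # rightmost h bits of SHA-1(seed)
    w = c0 & ~(1 << (h - 1))              # clear the leftmost bit of c0
    z = int.from_bytes(seed, "big")
    for i in range(1, s + 1):
        z_i = ((z + i) % (1 << g)).to_bytes(g // 8, "big")
        w = (w << 160) | int.from_bytes(sha1(z_i).digest(), "big")
    return w


def curve_matches_seed(seed: bytes, p: int, a: int, b: int) -> bool:
    """The published check: r * b^2 == a^3 (mod p)."""
    r = seed_to_r(seed, p)
    return (r * b * b - a * a * a) % p == 0


def seed_from_phrase(phrase: str) -> bytes:
    """What Jerry's story says the seed was: SHA1 of an ASCII phrase."""
    return sha1(phrase.encode("utf-8")).digest()


def phrase_matches_seed(phrase: str, seed: bytes) -> bool:
    return seed_from_phrase(phrase) == seed


def search_phrases(phrases, seed=P256_SEED):
    """Try candidate phrases and a few obvious variants; return the hit or None.

    Illustrative helper (assumption): the variants are the kind of thing
    one would try by hand, not an exhaustive search strategy.
    """
    for phrase in phrases:
        for variant in (phrase, phrase.rstrip("."), phrase + "\n", phrase.lower()):
            if phrase_matches_seed(variant, seed):
                return variant
    return None


if __name__ == "__main__":
    print("P-256 seed reproduces b:", curve_matches_seed(P256_SEED, P256_P, P256_A, P256_B))
    print("phrase hit:", search_phrases(["Jerry deserves a raise."]))
```

The first print is what the “verifiably random” label actually guarantees: the curve follows from the seed. The second is the open question, and `None` is the result the bounty is trying to change. Note that the check binds b to the seed but says nothing about how the seed was chosen, which is the whole room for suspicion.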

ResearcherZero October 11, 2023 1:07 AM

Improvements in North Korean cyber operations.

‘https://www.mandiant.com/resources/blog/north-korea-cyber-structure-alignment-2023

“The cyber domain is a perfect breeding ground for political disorder and strategic instability”

‘https://www.mdpi.com/2071-1050/14/3/1744

Iranian state actors are demonstrating increased sophistication.

Gaza actors increase attacks against Israeli telecommunications, defense and gov.

‘https://www.microsoft.com/content/dam/microsoft/final/en-us/microsoft-brand/documents/MDDR_FINAL_2023_1004.pdf

For Iran, its alliance with Hamas is a key point of leverage.

“Iran is building an increasingly capable and cohesive coalition of state security services and foreign militias to execute its rulers’ offensive concepts. This coalition fuses conventional and unconventional means to threaten enemies. They now view their conflict against the US as hybrid in nature, rather than conventional.” (1)

“Increased insecurity in politically sensitive areas will further undermine the legitimacy of military rulers, leading to more internal dissent and creating additional opportunities for insurgents.” (2) “Most weapons are now manufactured in Gaza, using technical expertise from Iran.” (3)

Tehran’s goal goes further than merely maintaining a balance of power with its enemies or ending their influence in the region.
https://newlinesmag.com/reportage/how-irans-missile-strategy-has-rewritten-the-rules-of-middle-eastern-wars/

The surge has occurred alongside an increase in Russian coordination with Iran on planning and intelligence sharing in Syria.

‘https://www.understandingwar.org/backgrounder/salafi-jihadi-movement-weekly-update-july-20-2023

Hamas homemade 140mm rocket launcher
https://bnn.network/world/israel/the-rajum-rocket-launcher-a-new-threat-on-the-battlefield/

  1. ‘https://www.aei.org/wp-content/uploads/2023/05/Pivot-to-Offense-How-Iran-Is-Adapting-for-Modern-Conflict-and-Warfare.pdf
  2. ‘https://www.understandingwar.org/backgrounder/salafi-jihadi-movement-weekly-update-october-4-2023
  3. ‘https://www.nytimes.com/2021/05/13/world/middleeast/gaza-rockets-hamas-israel.html

“Here I Remember Something, Nothing There”

History has a habit of serving the same lessons with changed variables. Geopolitics is moving in a multi-polar direction.

‘https://eurasianet.org/perspectives-pakistan-and-india-wage-proxy-struggle-in-nagorno-karabakh

https://www.aljazeera.com/news/2022/10/22/iran-opens-consulate-in-armenias-kapan-to-deliver-a-message

“Darkness is good,” Bannon said. “Dick Cheney. Darth Vader. Satan. That’s power. …It will be as exciting as the 1930s”

‘https://www.cbsnews.com/news/steve-bannon-on-white-nationalism-donald-trumps-agenda/

The biggest danger, of course, is that the Iranians respond, and possibly miscalculate, and then the United States does the same. That’s how wars start.
https://www.newyorker.com/news/daily-comment/the-dangers-posed-by-the-killing-of-qassem-suleimani

ResearcherZero October 11, 2023 3:17 AM

information exposure

‘https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967

“The ubiquity of the information environment makes the cognitive domain one of the most available and vulnerable attack surfaces for belligerents.”

The increasing interdependence of society and its reliance on the information environment make these principles—most notably, a cognitive defeat mechanism—more relevant than ever.

‘https://www.usni.org/magazines/proceedings/2022/february/information-environment-primed-maneuver-warfare

“Information is now the world’s most consequential and contested geopolitical resource.”

“Decision-assistance systems rely on data to operate, making them weak targets for data “food poisoning” attacks. Disrupt or manipulate the data diet they feed on, and their outputs will be corrupted—perhaps unbeknown to the individuals or institutions that depend on them.”

‘https://www.belfercenter.org/sites/default/files/2019-08/GeopoliticsInformation.pdf

“To make sense of a complex and polluted information environment, the research community needs shared infrastructure.”

Processing and analysing massive numbers of posts, often involving multimedia, requires engineering resources that few research centres currently have.
https://www.oecd-forum.org/posts/want-to-protect-the-information-environment-change-how-it-s-studied

“examining the concept of cognitive security”

‘https://www.gao.gov/assets/gao-22-104714.pdf

If a system is dynamic, “smart,” and growing unpredictably, you have a difficult job of modeling indeed.
https://www.context.org/iclib/ic23/berger1/

Winter October 11, 2023 5:48 AM

A new bridge is about to open!

Rights? What rights?

What to expect when the UK-US Data Bridge comes into force this week
‘https://www.theregister.com/2023/10/11/uk_us_data_bridge/

There’s also a questionmark over whether individuals have fewer privacy rights under the Data Bridge. It does not contain a substantially similar right to the UK GDPR in protecting individuals from being subject to decisions based solely on automated processing which would result in legal or similarly significant effects on the data subject. In particular, the Data Bridge does not include a right to have an automated decision reviewed by a human.

In addition, the Data Bridge does not include a substantially similar “right to be forgotten” or to withdraw consent. While the Data Bridge gives individuals some control over their personal data, it is not as extensive as the rights they enjoy in the UK.

Winter October 11, 2023 5:51 AM

Re Data-Bridge

PS:
A commenter of the article pointed out that this is a one-way bridge. Data gets out of the UK, but there are no provisions for data getting out of the US.

ResearcherZero October 11, 2023 7:47 AM

Intelligence gathering

‘https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayling-taiwan-cyber-attacks

Actor linked to MSS exploiting CVE-2023-22515 (Atlassian Confluence Data Center and Server)

‘https://twitter.com/MsftSecIntel/status/1711871732644970856

“broken access control”

‘https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html

Larger credential harvesting campaign – “threat actor is likely opportunistically compromising vulnerable NetScaler Gateways”

‘https://securityintelligence.com/x-force/x-force-uncovers-global-netscaler-gateway-credential-harvesting-campaign/

ResearcherZero October 12, 2023 2:28 AM

peace plan

‘https://www.nytimes.com/2023/10/11/us/politics/trump-netanyahu-israel.html

ResearcherZero October 13, 2023 2:15 AM

“Once complete, SAWGraph will power an online map that will display contamination sites color-coded based on where the PFAS was found (soil, water, farm, food, domestic or wild animal), the source of the PFAS, and if the area was ever fertilized with wastewater sludge.”

‘https://www.govtech.com/education/higher-ed/umaine-researcher-building-online-tool-to-track-forever-chemicals

3M executive talked about delaying the publication of a study which suggested forever chemicals were hazardous, arguing they first needed to find a way to cover the “weenie” in bread, ketchup and mustard.

‘https://www.smh.com.au/national/the-factory-that-contaminated-the-world-with-a-forever-chemical-20231005-p5e9zx.html

(bread, ketchup and mustard)

https://lobbymap.org/influencer/American-Petroleum-Institute-API

arsenic, uranium, fracking fluids, lead, nitrates, chlorinated disinfection byproducts, and per- and polyfluoroalkyl substances (PFAS)

‘https://www.dailymail.co.uk/sciencetech/article-12595087/toxins-like-arsenic-uranium-drinking-water-americans.html

Clive Robinson October 13, 2023 8:40 AM

@ ResearcherZero,

Re : PFAs and Forever Chemicals

“[E]xecutive talked about delaying the publication of a study which suggested forever chemicals were hazardous…”

Yup and some of us have them at way higher levels than others…

It’s not just that they were used on the inside of all sorts of food packaging during my life last century, they were also used in all sorts of supposedly benign / safe to work with “agents” in my working life, like cleaning, lubricating, and other working processes in “Production Environments” and even “drawing office” work.

On that checklist of “toxicological disadvantages” let’s just say there’s probably only one unchecked so far…
