Friday Squid Blogging: Influencer Accidentally Posts Restaurant Table QR Ordering Code

Another rare security + squid story:

The woman—who has only been identified by her surname, Wang—was having a meal with friends at a hotpot restaurant in Kunming, a city in southwest China. When everyone’s selections arrived at the table, she posted a photo of the spread on the Chinese social media platform WeChat. What she didn’t notice was that she’d included the QR code on her table, which the restaurant’s customers use to place their orders.

Even though the photo was only shared with her WeChat friends list and not the entire social network, someone—or a lot of someones—used that QR code to add a ridiculous amount of food to her order. Wang was absolutely shocked to learn that “her” meal soon included 1,850 orders of duck blood, 2,580 orders of squid, and an absolutely bonkers 9,990 orders of shrimp paste.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Read my blog posting guidelines here.

Posted on December 8, 2023 at 5:03 PM · 38 Comments

Comments

vas pup December 8, 2023 6:01 PM

Second attempt!!!

Inside the secret complex making high-tech gadgets for UK spies
https://www.bbc.com/news/uk-67626880

“With its anonymous-looking buildings, the place looks like an industrial estate.

Engineers, physicists, chemists, designers, coders and other specialists work on what is described rather hazily as a “mix of artistry and engineering”.

In some areas we have to wear anti-static clothing, while in others we are shown a bewildering variety of machines. They include ones that make electronic circuit boards, laser cutters and 3D printers (labelled Darth Vader, Luke and Leia in a tribute to Star Wars).

But what exactly are the machines’ creations used for? Part of the problem is that, despite my best efforts, no one will say. That is because the devices that come out the other end are highly classified.

By the time the war [ww2] began, this evolved into building smaller radio sets which could be given to agents from MI6 who were parachuted behind enemy lines in occupied Europe to send back intelligence.

During the war, Turing lived and worked at Hanslope Park. Most famous for breaking Nazi codes at nearby Bletchley Park, he worked at HMGCC to develop a device that !!!could provide speech encryption.

The existing system used by wartime leaders Winston Churchill and Franklin D Roosevelt weighed 50 tonnes. Turing’s prototype, Delilah, overlaid noise from a record turntable onto speech. It was portable, ahead of its time and is another clue to what is built there today.

!!!”The need for secure communications hasn’t gone away.”

So how does this relate to the modern world? These days, undercover agents operating in what are called “denied areas” like Russia or Iran need to communicate.

=>While HMGCC will not comment, other sources say modern-day spies rely on things like clandestine-burst transmitters. These can be made to look like ordinary objects and send information in fractions of a second. I am imagining that is what is made here – but no-one wants to say.

Communication is one part of the job. But so, it seems, are concealed bugging and tracking devices although, again, officials remain extremely tight-lipped when I ask them.

“For most of our 85 years we have been producing secure communications systems that enable people in often difficult, dangerous, remote locations to communicate in secrecy back to the UK,” Mr Williamson says.

One of HMGCC’s customers is MI5, who may need to secretly listen to a suspect at their house in the UK, or track them in a vehicle.

This could involve disguising a listening device as an everyday object that nobody would spot. Quite what that could be is something else no-one wants to discuss.”

Erdem Memisyazici December 8, 2023 8:00 PM

Would that be close to the number of bots on that network? It’s worse if it’s just her stalkers. I wonder if the restaurant can trace the IPs. That’s the Internet today for you. In a word, “yech.”

ResearcherZero December 8, 2023 8:39 PM

Highlighting the need for tools and technologies specifically targeted to test the robustness of 5G devices.

5G Qualcomm and MediaTek modem firmware vulnerabilities. Forced reboot and downgrade attacks.

“Moreover, in certain cases, manually rebooting the phone does not restore the connectivity either, instead, the SIM card requires to be taken out manually and then re-inserted to ensure a hard reset on the modem.”

https://asset-group.github.io/disclosures/5ghoul/

emily’s post December 8, 2023 9:32 PM

@ ResearcherZero

instead, the SIM card requires to be taken out manually

What about phones that are only eSIM?

Peter December 9, 2023 12:25 AM

I’ve yet to understand why every story like this one about the restaurant QR code is described as the user’s fault. Why is Wang “of the hook” for orders placed by others?

It could have been an amusing story if hundreds of strangers placed, AND PAID, for a lot of extra orders that arrived at their table.

Clive Robinson December 9, 2023 3:03 AM

Holding up your new super-car or luxury flat keys for a selfie to boast about your life style is known to be a stupid thing to do in this age of 3D printers.

Likewise you would have thought the message of how QR Codes really are “bad news” in oh so many ways would have got around by now.

Yet there is always some techno-fool seeing them as a way to be Hi-tech or Techno-cool with a double rabbit ear finger curl.

The important thing we know about an exchange of value or transaction is that the transaction be authenticated in some way.

When intangible information stands in for tangible physical authentication it needs additionally an identifier. Thus we have a User-ID:PassWord couplet as an authenticator going back more than a human life time, where the password is the intangible information authenticator code. Two important things we know about authentication codes are,

1, A shared secret proof of ID.
2, It should be secure in use.

The ability to do a “replay attack” violates the second and obviates the first.

As QR codes also violate the second and obviate the first and are also unlikely to be sufficiently unique, they obviously should not be used as “transaction authentication”.

But hey we went through all this nonsense back in the 1990’s with Banks “Authenticating the comms channel” but not “Authenticating the transaction” so a Man In The Middle could get rather wealthy at your expense…

There is that Pete Seeger song[1] chorus in the back of my head again,

“When will they ever learn, when will they ever learn”.

[1] Pete Seeger wrote “Where have all the flowers gone” back in the early to mid 1950’s after reading about a Cossack poem. He set it to a Gaelic tune, he probably heard the first time when too young to remember, as many parents sing to their children as it brings both some comfort.

Ismar December 9, 2023 3:25 AM

QR codes in restaurants- what sense this makes – none whatsoever.
Essential part of going to a restaurant is to be served by a waiter and have a human conversation and set the tone for the rest of the evening of social eating.
Younger generations are being offered a raw deal with the dehumanisation of dining out and they are not even aware of it as they often don’t know any better.

Robin December 9, 2023 3:51 AM

“Only shared with a few friends”. If true, it shouldn’t be too hard to identify the “friend” in question. Or maybe “a few friends” is a euphemism for several thousand followers.

As it says in the article, the restaurant acted with some sense and with luck didn’t actually start to prepare all those extras. It also explains why some restaurants want/need to use such a system – apart from just trying (badly) to be seen as tech savvy.

@Ismar – agreed.

Winter December 9, 2023 6:25 AM

@Ismar

QR codes in restaurants- what sense this makes – none whatsoever.

Lack of staff. Restaurants and pubs have to close tables or extra days because they simply cannot get the people to do the work. QR codes remove one trip to the table allowing more tables to be served by the same staff.

Will McC December 9, 2023 12:26 PM

QR codes remove one trip to the table allowing more tables to be served by the same staff.

It’s gotta be more about the time spent taking the order than the trip per se, because the trip is rarely just for one reason. They’ll stop by to take an order after they deliver food to a nearby table, for example, or they’ll take multiple orders in one trip.

It’s always a bit disconcerting to me when they don’t write anything down, particularly when we’re making customizations like “X on the side”, so I guess these electronic order-taking systems can help with accuracy too. Except they might not be able to do custom orders, and probably can’t answer questions about menu items; and despite the labor savings, people will be expected to tip more than was historically normal (well, not in China). And, of course, diners have to be screwing around with smartphones at the table (“is the wi-fi working for you?”), and not everyone has them (people often believe that’s rare, while it’s in fact very common that a family dining together won’t have one per person), and there are privacy concerns…

People have always disagreed about the importance of “humanisation” when dining out, with “impersonal” restaurants occasionally being in style: self-service cafeterias, automats, conveyor-belt sushi, drive-ins, “fast food”; and now, computerized ordering and even robots driving around with food.

Overall, I see such systems as being maybe slightly useful when optional, especially if orders can be placed before arrival. The real problem with “simply cannot get the people to do the work” is, as always, compensation. People got used to an unsustainably cheap service (that’s still incredibly expensive compared to cooking), and something’s gotta give. Historically, a lot of restaurant work had been done by young people who weren’t treated all that well—paid “restaurant-minimum” wage, less than regular minimum, after spamming applications all over town; then struggling to pick up hours. Now, the kids can “shop around”—everyone’s hiring—but they’re less interested in working: they’re in no hurry to buy cars, don’t view apartments as realistic, and in the USA have no hope of amassing enough money to make a dent in their eventual student debt.

Its just me December 9, 2023 12:34 PM

Suppose a prankster eats lunch at a restaurant table that has a qr code. Suppose he takes a picture of it. He now has access to qr code that subsequent customers will be using to order. He can now order for them.

The restaurant put this weak security system in place. They should bear the cost when it is breached.

Will McC December 9, 2023 3:14 PM

Suppose a prankster eats lunch at a restaurant table that has a qr code. Suppose he takes a picture of it. He now has access to qr code that subsequent customers will be using to order.

Wait, what? The article made no mention of the QR code being a permanent feature of the table. Wouldn’t any person with common sense know that every customer should get a new code? Either that, or ensure whoever’s using the code has arranged for payment.

This was $60,000 of bogus ordering, so of course it got noticed. Had a prankster been more subtle, maybe slipping in a squid order every few days, it could’ve continued for a while. The restaurant might even make a policy of getting verbal confirmation anytime someone tries to order squid, which would be somewhat amusing.

As Peter points out, there’s also a possibility of pranksters actually paying for orders, and indeed people have executed such pranks—sending absurd numbers of pizza deliveries to someone, for example, each paid by a different person. Or as non-pranks, they could buy food for others, maybe making a “free food table” for those with financial trouble (some restaurants have walls of food orders, donated and pre-paid by others).

Ismar December 9, 2023 3:43 PM

@Winter – I know it might make sense from the owner’s perspective but definitely not from the customer one. It also reminds me of self checkouts in supermarkets or online checking into hospitals or registering with a government department here in Australia (where even to pay for something you have to do all the work)! The point I was making is that with modern technology customers are burdened with additional work in order to keep costs for business down. And most of us never bother to complain about it so that in the not so distant future we will not have any other alternative to this type of service.

Clive Robinson December 9, 2023 4:53 PM

@ Will McC, ALL,

“Wouldn’t any person with common sense know that every customer should get a new code?”

To quote an oldish saying,

“There’s nowt so rare as common sense.”

You can almost guarantee that this system was done on the cheap, thus each QR code was,

1, An Identifier not an authenticator.
2, Printed out or in some other way effectively static for a time window in which replay attacks would work.

Now this is “obvious” with “20/20 hindsight” the system developers might now become aware of it and attempt to fix it, but the reality is probably not.

Implementing “one time” systems tends to be expensive for a whole host of reasons.
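The identifier-versus-authenticator distinction discussed in the comments above, as an added example that is not part of any comment and not the restaurant's actual system: a static table QR next to a per-seating token that is signed, expires, and is revoked when the bill is settled. The class `SeatingTokens`, the table id `T12`, the key and the three-hour lifetime are all hypothetical.

```python
import hashlib
import hmac
import secrets

# Static design: the printed QR encodes only the table number (an identifier).
STATIC_TABLES = {"T12"}  # constructed sample table id


def static_qr_check(table_id: str) -> str:
    """Anyone who has ever seen the code can order, today or next month."""
    return "ok" if table_id in STATIC_TABLES else "unknown-table"


class SeatingTokens:
    """Hypothetical backend that issues one signed, expiring token per seating."""

    def __init__(self, key: bytes, ttl_seconds: int = 3 * 3600):
        self._key = key
        self._ttl = ttl_seconds
        self._current = {}  # table_id -> nonce of the seating now in progress

    def _tag(self, payload: str) -> str:
        return hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()

    def open_seating(self, table_id: str, now: int) -> str:
        """Called when staff seat a party; the result is rendered as a fresh QR."""
        if "." in table_id:
            raise ValueError("table id must not contain '.'")
        nonce = secrets.token_hex(8)
        self._current[table_id] = nonce  # replaces any earlier seating
        payload = f"{table_id}.{nonce}.{int(now) + self._ttl}"
        return f"{payload}.{self._tag(payload)}"

    def close_seating(self, table_id: str) -> None:
        """Called when the bill is settled; the old QR stops working."""
        self._current.pop(table_id, None)

    def check(self, token: str, now: int) -> str:
        """Return 'ok' or the reason an order carrying this token is refused."""
        parts = token.split(".")
        if len(parts) != 4:
            return "malformed"
        table_id, nonce, expires, tag = parts
        payload = f"{table_id}.{nonce}.{expires}"
        # Verify the MAC before trusting any field of the token.
        if not hmac.compare_digest(tag.encode(), self._tag(payload).encode()):
            return "bad-signature"
        if now > int(expires):
            return "expired"
        if self._current.get(table_id) != nonce:
            return "seating-closed"
        return "ok"


if __name__ == "__main__":
    svc = SeatingTokens(b"constructed-demo-key")
    photo = svc.open_seating("T12", now=1_000)   # token captured in a photo
    print("during the meal:", svc.check(photo, now=1_500))
    svc.close_seating("T12")
    print("after the bill: ", svc.check(photo, now=1_600))
    print("static QR:      ", static_qr_check("T12"))
```

A token photographed and shared while the seating is still open is accepted until `close_seating` runs, so this only narrows the replay window; the payment binding and staff confirmation raised elsewhere in the thread address the mid-meal case.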

&ers December 9, 2023 5:01 PM

@ALL

hxxps://www.nbcnews.com/tech/security/breaches-iran-affiliated-hackers-spanned-multiple-us-states-federal-ag-rcna127886

Steve December 9, 2023 6:26 PM

@Winter: QR codes are popular for more than just reducing staff interaction with customers. They also produce valuable data that can be mined and sold to the highest bidder.

For that reason alone I’d avoid using them.

However, one of the reasons I go to a restaurant is to interact with the wait staff, chit-chat, share a few pleasantries, etc.

One local place has gone to QR-only ordering — they’ve basically eliminated the wait staff and replaced them with order-deliverers that have zero interaction with the customer and have garnered the expected dissatisfaction in reviews on social media. You get more personal interaction at a fast food burger joint.

Will McC December 9, 2023 8:03 PM

@ Ismar,

I thought self-checkouts were there to transmute our purchases into bananas. Bananas, 4011, mangos, 4011, steak, 4011… from what I’ve heard, stores aren’t getting the cost savings they expected, and some are bringing back cashiers. Even Walmart seems to have, at least, gotten rid of those people assigned to stand near the artificially-long cashier lines to suggest you go to self-checkout.

My closest grocery store actually has a decent self-checkout setup. They take cash, the kiosks aren’t huge, and they’ve got human cashiers right beside that area and don’t let those lines get too long; so the people at self-checkout are mostly people who don’t have much stuff and want to use self-checkout. I do it when I’m only buying a few things, or want to use up a lot of small change.

@ Steve,

QR codes are popular for more than just reducing staff interaction with customers. They also produce valuable data that can be mined and sold to the highest bidder.

And I’ll bet anyone who complains or asks about such things gets the standard answer “we don’t actually run that system” or “I don’t know anything about it”.

You get more personal interaction at a fast food burger joint.

As long as it’s not a McDonalds (actually, I rarely eat at such places, so maybe other ones are bad too). They really want you to use the kiosk, which accepts no cash—meaning one or more companies are tracking your purchase. And then your “interaction” is “number 994!” and being handed a bag. If you try to not use the kiosk, the only available menu is on a TV screen that shows a few items at a time, for like 10 seconds at a time, as if infuriating people will make them pay at the kiosk.

JonKnowsNothing December 9, 2023 8:28 PM

@Ismar , Winter, Clive , Steve , All

re: self checkouts

While some stores like Amz, are going 100% robot, other stores are removing their self checkouts.

For reasons mentioned, customers don’t like them and it doesn’t take too many grey cells to realize the store just hired you to bag your own groceries and be a cashier for $0.00.

Another reason, like the restaurant one, is self checkouts are big sources of Shrinkage (store speak for theft).

re: restaurant turn overs

Stores that use a combo of human and automated orders, have an extremely tight audit trail in their order system. (there’s a burger chain in California that does; not McD)

During the busy periods, a pre-order clerk stands in the parking lot with an order pad.

They go to each car or as the cars advance and take the order including all options for special orders (it is a limited menu) which is sent to the kitchen and the cashier.

Then the cars advance to the payment window where the order is read back, alterations or additions made and you PAY for the order.

Then you advance to the receiving window where the order is confirmed with all the details and handed over. If there is anything that needs changing they do it before the handover.

No one is going to order NNN fries without paying first.

This is a simple Queuing Problem: keeping all servers running at full speed by having a single queue and FIFO order.

These systems are not about the experience of social dining and good food, but simply stuffing your face.

When going to a fancier, sit down place, the food has to match the social design. Of course people pay tons of $$$ to eat at super fancy places where there is a 6 month waiting list. This is more about showing off that you have the funds to wine and dine with the jet set crowd. The food may be good or great but it’s the social status that you are paying for. The restaurants know that.

For middle-upper tier dining, it is an hour or so of pretending you are a wealthy person and have “service staff”. The staff make having the meal interesting and they make suggestions on the specials (up selling) and interact with the diners. They know when to pick up the empty plates and bring the dessert and drinks menus. What is required is TIME, you have to make time, to have time, to enjoy the interaction and food.

RL tl;dr

  • a US person took a trip overseas and went to an upscale restaurant. They were miffed because the restaurant only had 2 seatings per night. The second one was at 10pm. They could not understand why a restaurant only had 2 seatings when western business practices dictated that such restaurants have 4-6 turn overs in an evening. They had expected to be seated quickly, have their food ordered and delivered faster. Clearly the restaurant was on a different wave length than Min-Maxing.

Winter December 10, 2023 12:59 PM

@JonKnowsNothing, Ismar , Clive , Steve , All

Of course people pay tons of $$$ to eat at super fancy places where there is a 6 month waiting list. This is more about showing off that you have the funds to wine and dine with the jet set crowd.

I am always puzzled by the way USA restaurants let you wait so long in line. In Europe I simply look for a restaurant that has seats free and go eat there. They indeed generally have only two shifts in Europe.

But the puzzlement quickly vanishes when I am in the US again. The food is often so bad (bland and tasteless)! McD even seems to belong to the better ones.

You really have to pick a rare restaurant that has at least good reviews. But, as I was told most Americans will eat out as that often is cheaper than cooking yourself (I just report what I hear), there will be lines. There simply are not enough good restaurants to cater to everyone.

So, for the sake of our taste buds, we stand in line again.

lurker December 10, 2023 2:36 PM

@Matija

Interestingly, although there is litigation in the case, it is hard to find an institution in Poland that has done anything beyond kindly expressing interest in the matter.

Surely someone in Poland must have experienced the HP printer cartridge authenticity check. But to apply it to a locomotive, in multiple layers and pathways, is somewhat aggressive. I wonder if Newag themselves could fix the “faults” on these trains …

JW December 10, 2023 3:43 PM

Most mid range restaurants around me use QR codes for their orders. The security is obvious though – the order doesn’t go through without payment being processed. You can order someone else food if you retain the QR code (or just remember the URL) but you will pay for it so the restaurant doesn’t really care.

Mr. Peed Off December 10, 2023 3:53 PM

The National Defense Authorization Act, or NDAA, is one of the few major pieces of legislation that the U.S. Congress passes every year, a practice started in 1961.

The more than 3,000-page bill extends the domestic surveillance authority that allows law enforcement to spy on Americans without a warrant by another four months, giving lawmakers more time to either reform or keep the disputed program.

The extension of the surveillance provision – known as Section 702 of the Foreign Intelligence Surveillance Act (FISA) – was tucked into the 2,353rd page of the bill.

https://www.reuters.com/world/us/key-provisions-us-congress-massive-defense-bill-2023-12-07/

Erdem Memisyazici December 11, 2023 2:09 AM

I think a good subject to consider is the use of “A.I.” (another one being what qualifies as A.I.? DCNN, eigenfaces, and ChatGPT are all A.I. apparently but that’s a different topic) in law enforcement in the last decade or so.

Just Google “man wrongfully accused A.I.” in the News tab and enjoy the good reads from as early as 2005 to today.

I’ve read about so many people who had their life changed because they all of a sudden had to prove that they are innocent because of our perception of A.I.

The media and the hype that A.I. generated from being used for lobbying to committing white-collar crimes like insider trading as if this was a new philosophical debate on pre-established morals has definitely been a huge factor in this. Some judges even used A.I. systems to judge how likely someone is to commit a crime.

It’s dangerous to be obsessed with bleeding edge technology and more dangerous still to not learn about it as early as possible in schools.

A lot of these systems have not even had all possible states tested which is definitely difficult to do from a computational perspective but an interesting point to consider when using it to bring unwanted permanent change in people’s lives. Often people say, “well we didn’t yet have policies for the use of this technology, now we made some so it’s okay.” I think in most of those cases we absolutely did have historical precedence.

People should never forget what fishing expeditions are, why privacy matters to each citizen and why media hype will always be a threat in these matters. No one should have to lose their wife and kids, their job, freedom, and get brain damage because A.I. is cool and magical but it’s what happened for so many people in the last decade in so many different ways.

AlanS December 11, 2023 10:52 AM

Ex-MI6 chief among hundreds targeted by Russian hackers

An attempt to infiltrate St Andrews University, one of the UK’s most prestigious, was thwarted when the hackers began their email: “I hope this finds you well.” Dame Sally Mapstone, the university’s principal, had banned email niceties, so the fake message purportedly from Stephen Gethins, an international relations professor, to Phillips O’Brien, professor of strategic studies, was spotted.

Principal’s Principles Prevent Phishing

emily’s post December 11, 2023 12:38 PM

@ ResearcherZero

instead, the SIM card requires to be taken out manually

Generalizing from the specific modem attack, are there attacks that physical SIM phones can relatively easily recover from but for which eSIM and iSIM phones cannot?

Why Aren't Zippers Obsolete Already December 11, 2023 3:11 PM

Please don’t worry too many times per second about that.
It seems like maybe nobody died of food poisoning there, even though too many innocent lives die too much every day. Each death is an authentic actual tragedy.

Slight change of subject, yet still about security related oddity:

https://i.postimg.cc/R0H7Sqg1/Arbeit-VVas-Machst-Du-Da-Question-PNG-Oddity-2023y.png

(I’m not really sure what’s going on waaaay over there but I think it makes me nervous for them needing greater safety (and implicitly security).

These odd times are already seeming to be covariant.  
Censorship needs to eat more lightning rods, maybe.

ResearcherZero December 12, 2023 2:27 AM

“This sentence is false. I am lying.”

Contradictions do not exist in the physical universe. However there are places where contradictions do exist: in our minds and language.

“In an era of high-tech forensics, the persistence of such brazen miscarriages of justice is more than unsettling.”

“This paradox arises because scientific evidence is highly valued by juries, which often lack the expertise to correctly interpret or question it. Juries with a lower understanding of the potential limitations of such evidence are more likely to convict without questioning the evidence or its context. This is exacerbated by undue trust in expert witnesses, who may overstate evidence or underplay uncertainty.”

The disconcerting reality is that illusions of scientific legitimacy and flawed expert testimony are often the catalyst for deeply unsound convictions.

https://www.scientificamerican.com/article/bad-science-and-bad-statistics-in-the-courtroom-convict-innocent-people/

“culture in mind” — influencing the cognition of cultural group members

“Conscious processing involves attentional resources and can be employed flexibly and deal with novelty. However, it requires motivation and takes time to operate, which can lead to relatively slow serial processing of information. Automatic processing operates outside of attention, occurs rapidly and involves parallel processing. However, it tends to be inflexible and (to a high degree) uncontrollable.”
https://www.nature.com/articles/palcomms201786

“We see it as a part of the natural statistics of the real world, and therefore a signal—or cue—that can be the basis of rational decisions.”

“If we could wait forever in any given situation, we’d have all the information we need to reach a fair conclusion.”

“But in the real world, we need to make decisions more quickly. And that involves working with bundles of data that convey, what looks like, consistent information—such as a coin coming up heads four straight times.”

https://www.rochester.edu/newscenter/making-sense-through-order-83092/

ResearcherZero December 12, 2023 2:57 AM

@emily’s post

Wait for a patch.

You might be able to force a hard reset on the modem by ADB if such a problem ever eventuates before a patch is released.

The flaw was reported two months before disclosure. Additional time will be needed by product vendors who may need to tweak the various smartphone firmware based on their product customisations. Other devices may take a little longer.

Patch status

https://corp.mediatek.com/product-security-bulletin/December-2023/

https://docs.qualcomm.com/product/publicresources/securitybulletin/december-2023-bulletin.html

Worker Factories

“Given the thread pool structure of the target process, we can tamper with its timer queue to inject a malicious timer work item into it.”

https://www.safebreach.com/blog/process-injection-using-windows-thread-pools

Winter December 13, 2023 1:35 AM

Something For Christmas.

An X-mas movie plot comes to life:

How the Grinch’s Intellectual Property Stole Christmas
https://www.techdirt.com/2023/12/12/how-the-grinchs-intellectual-property-stole-christmas/

The estate of Dr. Seuss is obviously no stranger to playing the intellectual property maximalist, having appeared on our pages many times in the past. But more specifically for this post, the estate has also, ironically enough, been more than happy to stomp on the Christmas joy of others in favor of jealously guarding its IP when it comes to The Grinch Who Stole Christmas. I have to say, I have no concept of just how much cognitive dissonance one would need to have attained to take a story that is all about sharing and celebrating the Christmas holiday with others and use control over it to do the exact opposite, but it’s impressive nonetheless.

&ers December 13, 2023 10:29 AM

@ALL

People with knowledge told that Kyivstar hacking was a payback.

hxxps://therecord.media/ukraine-intelligence-claims-attack-on-russia-tax-service

ResearcherZero December 14, 2023 1:53 AM

supply chain SVR shenanigans (source code and signing certificates)

“observed using the initial access gleaned by exploiting the TeamCity CVE to escalate its privileges, move laterally, deploy additional backdoors, and take other steps to ensure persistent and long-term access to the compromised network environments.”

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a

APT28 phishy poos

Multiple legitimate documents associated with finance, think tanks, educational organizations and government and non-government organizations (NGOs) leveraged as lure materials. The contents of each lure contain themes relevant to a unique audience interested in research and policy creation.

https://securityintelligence.com/x-force/itg05-ops-leverage-israel-hamas-conflict-lures-to-deliver-headlace-malware/

“These entities are priority targets and as a result, the threat actor attempted broad, lower effort campaigns regularly to try and gain access.”

https://www.proofpoint.com/us/blog/threat-insight/ta422s-dedicated-exploitation-loop-same-week-after-week


Perhaps related to this…

“Russia’s objective has been eroding Western support for Ukraine”

https://www.nytimes.com/2023/12/12/us/politics/russia-intelligence-assessment.html

The Kremlin appears to be returning to expansionist rhetoric last observed before Russia’s full-scale invasion of Ukraine in an effort to resurface its claims that Ukraine is part of historically Russian territory and discuss the borders Russian leaders regard as appropriate for a rump Ukrainian state.

Russia appears to believe that a military “deadlock” through the winter will drain Western support for Ukraine and give Russian forces the advantage despite high Russian losses and persistent Russian shortages of trained personnel, munitions, and equipment.

https://www.understandingwar.org/sites/default/files/Russian%20Offensive%20Campaign%20Assessment%2C%20December%2012%2C%202023.pdf

Thousands of nuclear arms had been left on Ukrainian soil by Moscow after the collapse of the Soviet Union in 1991. In return for the promise of security Ukraine returned them to Russia. Russia, the US and the UK agreed to the Budapest Memorandum on Dec 5 1994.

The Budapest Memorandum consists of a series of political assurances whereby the signatory states commit to “respect the independence and sovereignty and the existing borders of Ukraine”.
https://www.brookings.edu/articles/the-budapest-memorandum-and-u-s-obligations/

ResearcherZero December 15, 2023 2:08 AM

A shortage of eggs.
https://www.csmonitor.com/World/Europe/2023/1214/Putin-doubles-down-on-war-in-Ukraine.-Victory-will-be-ours

(paywalled)

“Asked what keeps him up at night, Vladimir Putin identified one problem: Russia’s population decline and the threat it poses to the country’s economy.”

https://www.ft.com/content/8c576a9c-ba65-4fb1-967a-fc4fa5457c62

What to do?

Russia quite vexingly argues that it has a “special responsibility for maintaining peace and security at the global and regional levels.” Yet, this document points to Russia committing itself to fundamentally different principles and values, which ultimately hinder cooperation on preventing and resolving violent conflicts.
https://www.usip.org/publications/2023/05/what-you-need-know-about-russias-new-foreign-policy-concept

Transform Ukrainians from the occupied territories into an even more precarious workforce. And make them sign a paper that they have no claims against the state.
https://www.nbcnews.com/news/world/ukraine-forced-deportations-russia-un-filtration-rcna46804

Mass confusion is often a deliberate technique deployed by dictators.
https://www.youtube.com/watch?v=NYJ2w82WifU

“By refraining from announcing another wave of mobilization, the authorities are able to sustain public calm and indifference. They sedate people with propaganda and buy their support with financial assistance (except for immigrants).”
https://carnegieendowment.org/2023/11/28/alternate-reality-how-russian-society-learned-to-stop-worrying-about-war-pub-91118

The Russian regime in comparison to two other historical cases: the sanctioned economies of contemporary Iran and apartheid-era South Africa.

https://csis-website-prod.s3.amazonaws.com/s3fs-public/2023-10/231031_Bergmann_Russia_after2022.pdf

Without any real physical threat, an enemy is required to expand population and territory.
https://newsroom.unsw.edu.au/news/art-architecture-design/how-solntsepyok-brutal-2021-propaganda-film-primed-russians-war-

To keep the other super powers busy, —expertly play them off against one another.

https://tass.com/politics/1721069

Keep them busy, distracted, while you dance with the Globe
https://www.youtube.com/watch?v=&t=27
