Comments

Clive Robinson January 12, 2024 6:35 PM

@ emily’s post, ALL,

“Newfoundland has 1800 or more giant squids”

And if memory serves, no giant squids are fit to make calamari from 8(

If they did, they would make one heck of a snack, and the beer chaser would have to be to the max as well 😉

&ers January 12, 2024 7:29 PM

@ALL

Fun and educational reading.

hxxps://eddiez.me/hacking-the-nokia-fastmile/
hxxps://eddiez.me/hacking-the-nokia-fastmile-pt2/
hxxps://eddiez.me/hacking-the-nokia-fastmile-pt3/

(especially how Nokia resolved the password problem)

Clive Robinson January 12, 2024 8:26 PM

@ &ers, ALL,

“especially how Nokia resolved the password problem”

Or didn’t really…

There are ways to solve this issue that are almost trivial…

But it appears Nokia actually don’t want to do this…

There’s something “snarki” inside me that says there has to be a reason other than laziness… So “Why?”

I’m thinking “third party access” without having to do the legal oversight stuff and have plausible deniability (this is Australia remember, the land of “The free to be molested”).

So I’d be looking for the equivalent of a backdoor from the air-side.

But whilst I’m not paranoid 😉 I sure am suspicious by nature, because “thinking hinky” is I think in my DNA… So I can almost subconsciously feel certain patterns that smell like trouble being given the welcome mat.

MDK January 12, 2024 8:46 PM

@ALL

Multiple APT campaigns.

Actively exploited 0-days in Ivanti VPN.

hxxps://arstechnica.com/security/2024/01/actively-exploited-0-days-in-ivanti-vpn-are-letting-hackers-backdoor-networks/

Have a great weekend.

MDK January 12, 2024 8:48 PM

@ALL

Multiple APT campaigns.

Actively exploited 0-days in Ivanti VPN.

hxxps://arstechnica.com/security/2024/01/actively-exploited-0-days-in-ivanti-vpn-are-letting-hackers-backdoor-networks/

@&ers

Interesting read. Thank you.

Have a great weekend all. Stay safe.

MDK January 12, 2024 8:56 PM

@ALL

Interesting topics with Reishi mushroom.

hxxps://www.digitaltrends.com/computing/myceliotronics-future-computer-chips-mushroom-based/

hxxps://phys.org/news/2024-01-strategy-mycelial-fibers-mushroom-based.html

lurker January 12, 2024 11:05 PM

“AI suffers from an unrelenting, incurable case of vagueness,” Eric Siegel, a machine learning expert

So CES would be a great place to flog AI pillows, and AI toothbrushes.

Does the product actually use AI at all? If you think you can get away with baseless claims that your product is AI-enabled, think again – FTC

‘https://www.bbc.com/news/technology-67959240

Clive Robinson January 13, 2024 4:16 AM

@ lurker,

Re : AI and chips with a diet cola.

Yup, the “AI with everything” craze still appears to be about even though it’s slipped off many MSM outlets’ agendas, as the article author notes,

“That lack of a definition means that all things AI have been caught up in a blistering year of hype.”

Personally I got tired of AI hype back in the 1980’s –yup seriously– and down the years I’ve repeatedly advised those looking to do UK degrees to avoid it as not just the job but career prospects looked bad.

Guess what, those job and career prospects don’t really look any better; however, the secondary market side is still looking interesting…

As we know there has only really been one winner financially in this past year or so’s AI bubble, and that is the Graphics Chip company that managed to breathe new life into their high end chip sets, as the end of CryptoCoin mining and NFT / Web 3.0 nonsense died before either they or the Venture Capitalists could inflate it up.

Is AI dead?

Well no, because of the loose AI definition. But LLMs have shown that they are at best truly flaky and fragile and full of faults that make them ideal tools for crooks in politics and power to “arms length” their nut-bar ideas and mantras onto the bottom end of the socioeconomic ladder. Talking about using LLM based systems to write legislation and be involved with all parts of the justice system down to picking meal plans for prisoners is really a very very bad idea. Using a hat full of mantras and a pair of dice to select words to swap / change would be at least a more observable process.

The next AI term to get the vague treatment is almost certainly “Machine Learning”(ML). To be disparaging it’s feedback with “silly string”. And for those that don’t nod over that, what more proof do you want or need to demonstrate “ML-Vagueness”?

But as for LLMs, as I’ve noted they are about the best surveillance tool we’ve yet come up with to get inside people’s heads and mine that,

‘Assumed to be profitable “Personal Private Information”(PPI)’

That resides in people’s heads. How? By creating faux friendships / relations in the heads of people who have the need to live in others’ heads…

Need I remind people that those at that end of the spectrum range from needy through stalker to full blown and dangerous narcissistic behaviours including rage and outbursts of violence. Imagine a petulant child with no social skills in an adult’s body to get a feeling for just the edge of this particular social grouping’s issues. If their behaviours are used as input to build ML systems on, which appears to be Micro$haft’s management’s vision, then “God help us all”.

Imagine if you can an Alexa or Siri doing the full on gaslighting[1] and worse to the increasing numbers of single dwelling occupiers?

Do you really want to be not just stalked but emotionally controlled by “Mr Clippy” as a front to somebody’s business and political agenda?

Remember the stink over Cambridge Analytica and various Social Media platforms? Well it was an early form of automated gaslighting which is only going to be improved upon with time.

Well the aim of ML in the hands of Silicon Valley Mega Corps, Microsoft and Palantir is that very 1984 Orwellian Scenario of the “Telescreen”[2]. But with a difference, in 1984 the Telescreen induced palpable fear in every one, the aim of Microsoft and Co is to be your friend you share confidences with who then betrays you to a Mega Corp so you can be coerced in some way… Fake friendship is far worse than overt authoritarian behaviours[1].

But part of this is the re-writing of history. We know the Soviets and others used it a lot, with history constantly being re-written. It still goes on today: a well known Israeli MSM got caught “air brushing out Mrs Merkel” and to many it came as a shock, but it was and still is endemic in certain quarters and the warnings have been there for years,

https://www.theguardian.com/commentisfree/2009/apr/08/israel-feminism

This revision of history by airbrush is hard when people keep their own copies of things…

But the push by Microsoft and others to get you to put everything in their “Cloud Solutions” makes the revision of history almost childishly simple for them.

This is where a new variety of AI will score big, in its ability not just to find “inconvenient history” but actually change it little by little over time to “convenient truths”.

We’ve seen this already in US politics where some actors have had their political history almost entirely rewritten in less than half a century. Likewise in UK politics where the likes of Boris Johnson and his appalling behaviours are getting rewritten as we watch, do we really want our grandchildren to be taught about “Saint Boris”?

No, but it’s the game Putin played to bulk up his Strong Man nonsense and I think most can see how that has worked out… But,

“Will they still be able to see it in a decade or two?”

With what is envisioned by some for the next generation of ML AI the answer is almost certainly going to be “No”.

[1] Gaslighting as it became called in the 2010’s is a fairly serious form of very harmful abuse,

https://www.relate.org.uk/get-help/gaslighting

Having an AI tailor itself to you as an individual by the use of a form of ML is going to be both highly destructive to society and highly profitable to those that control it.

[2] You can read 1984 to find out more about Telescreens or you can read one of the online synopsis for students and the curious,

https://www.tagari.com/unveiling-the-telescreen-a-closer-look-at-george-orwells-1984-surveillance-tool/

Winter January 13, 2024 7:34 AM

@Clive

Is AI dead?

It is difficult to believe, but I know you are not joking.

But I have seen this attitude with PCs, mobile phones, the Internet, smartphones, and every other new development that led to the inevitable hype. It was all a short lived fad, they said, and also it would destroy society, they said.

Looking back, I heard the same kind of stories about the television, telephone, automobiles, electricity, railways, steam. You name it, it became a hype and there were people predicting that it was just a fad, quick to go away, and people (often the same) who predicted it would lead to the end of times.

The world will not be saved when nothing changes, and some changes lead to better lives for most people.

Back to large data machine learning, aka AI. That revolution has been brewing since the start of the internet and its massive data collections. It increases productivity as it allows one to harness past data to improve future actions. AI today could be the modern version of Italian double-entry bookkeeping, which revolutionized European businesses and led to the rise and dominance of the Italian cities in the Mediterranean.

Every hype has mainly follies. And every transformative technological revolution has its hypes and dystopias. And everything we ever use today once was part of a hype.

Machine learning and AI are here to stay, whether or not you refuse to call it AI.

Marty K January 13, 2024 7:38 AM

Dept. of e-commerce, does anybody really know who they are dealing with

Security exercise

An online store requires email address, shipping address, and choice from the payment methods they accept (which choice may then require additional information from the customer). The store does not have a secure customer message exchange function.

A customer makes a purchase choosing a certain payment service that does not involve additional information from the customer.

Some time after charging the payment, but before shipping, the store drops this payment method.

Some time after that but still before shipping, the customer cancels the order and requests a refund.

The store is happy to issue a refund but says it cannot do so via the original payment service.

This discussion is conducted by regular email using the email address originally supplied by the customer.

How best can the store ensure the refund goes to the original customer?

Clive Robinson January 13, 2024 11:48 AM

@ Winter, ALL,

Re : Is AI dead?

“It is difficult to believe, but I know you are not joking.”

No, I’m not joking when I say the hype on “Large Language Models”( LLM) is over.

Worse, because many have conflated the LLM Hype with either or both “Machine Learning”(ML) and “Artificial Intelligence”(AI), there is a generalised perception that the hype on them is dead as well (something the author of the article is pushing if you read it).

The ML and further AI hype is not dead, its absence is because it’s not yet really got started.

It’s why I go on to say that even the current LLM systems are the most dangerous surveillance tools we have ever created “so far”.

I then make some predictions based on technological history as to what will probably happen not with LLMs but with ML and other AI systems that are kind of in the pipeline currently.

And I point out “just one” of several significant dangers, which is their use to “change the perception of history”.

I see it as a significant danger because the same people controlling the current LLM and future ML and other AI systems also control the cloud systems where everything we create will be stored under not our but their control.

I further point out this sort of “air brushing from history” is very real and has been for well over a lifetime in the old Soviet System. And worse, it is still actively in progress and can currently still be easily found in, for instance, the Israeli MSM where international heads of state get “air brushed out” of photos and not mentioned in the written content simply because they are women. Similar can be found in the US and UK with right of center politicians being effectively “reimaged” and perception being fostered that they are “pristine saints” not the “vile sinners” we currently actually know them to be (I could name several but the automod would probably nix their mention for good reason). Then of course there is China and Russia, which we know are both actively engaged in information access control and the pushing of propaganda, both of which are another form of the air brushing of history.

The progress of ML, both current and near term, and other AI to facilitate the air brushing of history “to order” but at apparent “arm’s length” will be the equivalent of “gaslighting” mental abuse on a large scale.

As for the societal side of things, we know how significant the harm is of “gaslighting” on just a one to one basis. Where the abused person can with help get to find out that what they remember is in fact true and with it their sanity and mental well being. Now scale that gaslighting up, but remove the ability for an entire society to be able to check their memories are actually factual, can you see the potential for significant harm here?

Because I can and the fact is we do not have to guess. There are two major armed conflicts currently in progress where right wing political leaders have engineered public opinion in their citizens by both airbrushing and gaslighting…

Whilst not as crass as the “It will all be over by Christmas” and claims of atrocities and fight for “God, King and Country” of a little over a century ago with the “Great War” of 1914-18, it will worm in deeper and more insidiously. Remember it was later renamed as The First World War as we had the second with similar propaganda, followed by the Cold War that went up to the 1990’s but in actuality has since the 2010’s been built up into the start of a rerun.

So yes there is a very real danger in,

1, LLM as surveillance and agent of propaganda.
2, ML for more tailored and nuanced gaslighting of individuals at scale.
3, Other AI to do similar to identify persons of interest.
4, Both ML and other AI with control of all contemporary and near historical records in cloud storage.

Can we stop this? Yes we can, but only if we start taking the steps to stop it now, as a decade may be way too late. Many of the things we need to do are things that the likes of Australia, UK, US, and EU are taking steps to stop us from doing via legislation in progress. The most visible being,

1, The War on E2EE.
2, The War on Private spaces.
3, The War on Private storage.
4, The War on Private thoughts.

Note the last one, this is what LLMs are currently being investigated for, both as “confidants” and more recently the way to “decode brain imaging” information into words and similar. Just a half decade ago I would have said it would not happen in my lifetime… Well, based on the published progress I suspect it will start being actively used within two to five years to help the disabled and those effectively mentally “locked in” from strokes etc, with experimental trials on suspects within a decade of that.

Let’s hope I’m wrong, but that’s the direction all the trends, signs, indicators, and voiced intent are pointing towards.

We’ve effectively lost two “wars on crypto” already, and we are losing privacy even faster. Primarily because we are way behind the curve and are sluggishly reactive, rather than being vigorously proactive and getting in front of the curve. Where it is much easier to stop legislation being proposed than to try to claw back what has already been passed.

OK I expect to get some saying I’m paranoid, but look back on this blog and you will see two things of note,

1, I get that a lot.
2, I don’t get apologies for being right on it.

Why should I expect either to change?

Also others change their habits after thinking what I say through, some directly, others because it’s made easier for them. For instance I still say turn off cookies and javascript; that’s now standard practice with Ad-blockers and the like so no longer “paranoid”. I’ve warned and still do about Social Media, again no longer “paranoid” thinking. Likewise I was, as far as I can tell, the first to point out why “Secure messaging Apps” are not secure, again no longer paranoid.

Also it’s why I describe ways to avoid or counteract the surveillance and other issues in ways that are achievable by individuals and on small budgets.

As I was told several times at an early age by my paternal Grandmother,

“Speak for them that have no voice, stand for those too weak to do so, and carry those too infirm to move.”

I later found they were variants of commands of ethical behaviour as given in the Proverbs of the bible and other religious texts, and also a part of a “Soldier’s Prayer”. But note they are actually a “Social Responsibility” and not anything to do with deities or religion.

Winter January 13, 2024 1:10 PM

@Clive

I further point out this sort of “air brushing from history” is very real and has been for well over a life time in the old Soviet System.

Soviets did this with analog photography. The US school system brushed out native Americans, African Americans, science, and most of history with simple printing presses.

For all this, AI is simply irrelevant.

Tyrants murdered millions without LLMs. The Soviets did not need it to select victims, they simply killed everyone. It is a serious misunderstanding to think totalitarian states need to “find the dissidents”. That is irrelevant, as basically everyone is a dissident. What they need is to keep everyone isolated and terrorized.

George Orwell did understand this. The regime in 1984 did not care what people thought. They simply were terrorizing everyone and tortured everyone who stepped out of line. The point of the panopticon is not actually observing everyone, but making believe they are observed.

As for propaganda, AI is also not that relevant. Already Pharaoh Ramesses the Great made great propaganda about defeating the Hittites in the battle of Kadesh. So much so that even 3 millennia later, the Egyptian victory was still in the textbooks. But the other evidence points to a total defeat of the Egyptian army.

Winter January 13, 2024 1:22 PM

@Clive

1, The War on E2EE.etc.

Yes, and there are no technological solutions. Banning LLMs in “the West” won’t help as “the East” and “the South” build LLMs too. We will have to live with it.

The fake news problem is not caused by AI, but by people who really, really want to believe fake news and rather want to watch the nonsense of Fox News than get informed. That is a social problem that has different causes and solutions than simple technological solutions or bans.

Pointing at enemies is not part of the solution.

Clive Robinson January 13, 2024 2:34 PM

@ Winter,

“It is a serious misunderstanding to think totalitarian states need to “find the dissidents”. That is irrelevant, as basically everyone is a dissident.”

There is a spectrum on which totalitarian states, despots and dictators sit mainly at one end. They are often closed states that in the modern world tend to do less well than they used to even a decade ago.

Other states towards the other end tend to be open and usually thrive in comparison to others, as you are probably aware by one or two reasonably close to you.

However there are those states between, some of whom are close to or are actually in reality totalitarian states, but chose to appear to be open.

As you are probably aware, Australia and the UK are now such states.

It is these states that need to use LLMs to find dissidents, disagreers, and those deemed ripe for both asset and rights stripping and more importantly their work etc. As those that “represent” the state want to maintain a veneer of respectability and justice whilst doing more or less the opposite.

The thing is the number of states sliding into this lower middle ground is increasing quite dramatically due to the influence not just of other states but corporate enterprises “for the common good” also known as asset stripping etc.

Putting the screws on indigenous people, then when they inevitably push back using that as an excuse for land clearance / ethnic cleansing, is likewise very much on the rise, again all “for the common good”.

In Australia they had Robodebt, in the UK there was Horizon, and similar in other places. Now imagine just how much worse that is going to be with just LLMs.

The point is LLMs are very useful “arms length” protection from the results of deliberate policy that is at best unlawful or down right immoral.

bl5q sw5N January 13, 2024 3:27 PM

@ Winter @ Clive Robinson

They simply were terrorizing everyone and tortured everyone

“Every”, “all”, etc. is Pareto-nonoptimal. Rather, proceed Pareto-wise in analogy to the following:

You can fool some of the people all the time, and you can fool all of the people some of the time, but you can’t fool all of the people all of the time. However, all that is necessary is that you fool enough of the people enough of the time.

bl5q sw5N January 13, 2024 3:51 PM

Added in footnote:

Then anybody who points out or complains can be dismissed as simply a conspiracy theorist.

Winter January 13, 2024 4:29 PM

@bl5q sw5N

Then anybody who points out or complains can be dismissed as simply a conspiracy theorist.

Which tyranny ever accused dissidents of being conspiracy theorists? That is simply ludicrous.

vas pup January 13, 2024 6:20 PM

New AI technology conquers all at CES 2024
https://www.dw.com/en/new-ai-technology-conquers-all-at-ces-2024/video-67962399

and more explanation

What Is Emotion AI & Why Does It Matter?
https://www.unite.ai/what-is-emotion-ai-why-does-it-matter/

“Emotion AI, also known as affective computing, is a wide range of technologies used to learn and sense human emotions with the help of artificial intelligence (AI). Capitalizing on text, video, and audio data, Emotion AI analyzes several sources to interpret human signals. For instance:

Natural language processing and sentimental analysis are used for textual data.*
Voice AI is used for processing audio.**
Facial motion detection and gait analysis for videos.***

Like any other AI technique, Emotion AI needs data to improve performance and understand users’ emotions. The data varies from one use case to another. For instance, activity on social media, speech and actions in video recordings, physiological sensors in devices, etc., are used to understand the emotions of the audience.

Afterward, the process of feature engineering takes place where relevant features impacting emotions are identified. For facial emotion recognition, eyebrow movement, mouth shape, and eye gaze can be used to determine if a person is happy, sad, or angry. Similarly, pitch, volume, and tempo in speech-based emotion detection can deduce if a person is excited, frustrated, or bored.

Later, these features are pre-processed and used to train a machine learning algorithm that can accurately predict the emotional states of users. Finally, the model is deployed in real-world applications to improve user experience, increase sales, and recommend appropriate content.

The primary risks with the data are as follows:

Intimacy
An Emotion AI model requires highly profound data related to personal feelings and private behaviors for training. This means that the person’s intimate state is well known to the model. It’s possible that just based on micro-expressions, an Emotion AI model might predict emotions several seconds before a person himself can detect them. Hence, this presents a serious privacy concern.

Ambiguity
As complex data is needed for Emotion AI, there’s a likelihood of misinterpretations and error-prone classifications by models. Interpreting emotions is something humans themselves struggle with so delegating this to AI might be risky. Therefore, model results might be far away from actual reality.

Escalation
Today, modern data engineering pipelines and decentralized architectures have streamlined the model training process remarkably. However, in the case of Emotion AI, !!!errors can rapidly proliferate and become difficult to correct. These potential pitfalls can spread throughout the system quickly and enforce inaccuracies, thereby impacting people adversely.”

Many security applications as well – airports, schools, public events, you name it are obvious.

*any text post, comment on social media and probably this blog as well.
** any conversation recorded ‘for training and security purposes’ when you call any private company customer service, government agency, etc.
***any video post on social media: TikTok, X,Facebook; political town hall meeting presentation on national TV, Congress hearing, discussion on any TV channel.

The point is YOU – customer or participant – should be clearly notified UPFRONT about usage of such technology, or bring the culprit to court for privacy violation. I guess the EU will be the first to enforce such a statement based on their attitude to protect privacy first.

bl5q sw5N January 13, 2024 6:31 PM

@ Winter

accused dissidents of being conspiracy theorists

All of them accuse them of being conspiracy theorists, selfish, against the people, misguided, or mad and fit for mental institutions, etc.

Tyrannies are wise to leave a percentage of dissidents or even manufacture some, so they can serve as examples to the fooled majority, complicit in their own being fooled, of their right thinking, social responsibility, mental stability etc.

Why is the story of the emperor’s new clothes so widespread across cultures?

Ismar January 13, 2024 9:31 PM

@Clive
“ As you are probably aware that Australia and the UK are now such states.

It is these states that need to use LLMs to find dissidents, disagreers, and those deemed ripe for both asset and rights stripping and more importantly their work etc. As those that “represent” the state want to maintain a veneer of respectability and justice whilst doing more or less the …”

I can attest to this from first hand experience, but mine also indicates that the main reason this can be done is not the technical one but the readiness of others in society to ostracise and judge without sufficient reason or evidence. This has not changed much throughout history regardless of how far we have progressed technologically.

lurker January 14, 2024 1:55 AM

@&nders, ALL

re, Ivanti Connect Secure VPN appliance

This story is parallel to the previous thread on IoT device and Software Liability. It’s almost certain the vulnerabilities were not caused by hardware. So why do we need VPN appliances? I see at least two reasons:
a) to make profit for the vendor, and
b) because average users find managing the internet is too hard.

A moderately skilled geek could knock up a VPN running FOSS on an ARM SBC for many $$ less than Ivanti, but it could still be susceptible to software faults. The vermin will be sniffing if you have high value targets behind it. The FOSS geek will have his reputation (& livelihood) at stake. Ivanti has less of a penalty because their clients have outsourced the care and feeding of the appliance, and because software …

Clive Robinson January 14, 2024 3:42 AM

@ &ers, ALL,

Re : Some reading for you

The intrepid author and I might have crossed paths in “The City” at some point.

As I’ve said in the past I’m an engineer at heart, and a problem solver by nature, but also have an interest in industrial archeology.

Oh, and I used to “work on the side” as what at one time was called “A Fire Man”, basically an emergency problem solver brought in to render the tightest of Gordian Knots undone[1].

Back last century a friend had a contract with a “City Investment Firm” to both upgrade the computers and train all the staff in an MS-DOS and CLI Office suite to Windows and Microsoft Office mass transition. The firm, which managed the pensions of tens of thousands of workers in the communications industry, had several hundred employees, and the plan was to do the whole upgrade and basic training in a “quiet week” in Summer…

The project hit several rocks for various reasons –that look obvious in hindsight– and “a fly in amber” would be “making good speed” in comparison…

I got an alarm call well past the middle of the night, “Could I…”, and so I phoned for a taxi, leapt in the shower and “suited and booted” in my “meeting attire” rather than my more comfortable lab-suit or site-gear; half an hour later in the back of a cab I watched the first fingers of a summer dawn reach over the city of London like a miser’s reach.

My friend met me at the door and briefed me on the way up in the lift to the “learning suite”, and so I did not drop and hit the floor running like an angel spreading blessings but sprang more like a Faustian daemon belching fire and brimstone fit to make even Mephistopheles quake. The game was on and the clock was running faster than a taxi meter in freefall.

The head of the firm’s IT operation did not look in good shape as, despite a good –for the time– ICT policy, their Novell servers had decided that downing tools with a mystery malady was the order of the previous day. To make the issue worse they had two different service contracts, with one provider for the servers and one for the desktops, with the cables in between… well, you’ve heard the phrase “twixt a rock and a hard place”…

I won’t go into details, but the upgrade plan, though good on paper, was bad in execution. Put simply, the division of tasks amongst personnel was wrong.

Some think Henry Ford invented the production line technique. Well they are wrong, history shows courtesy of Adam Smith’s description that “pin makers” certainly got there long before and even they were not the first.

The problem was each person had been given a very long list of sequential instructions to “upgrade” a desktop, and this was both onerous and tedious, thus error prone, as it went over several fairly densely typed pages. It was also grossly “time inefficient” in that some steps took a blink of an eye whilst others took tens of seconds if not minutes, so it had a “stop and go” effect that, as with traffic in the rush hour, badly slows progress.

So, problem solved: measure the job step times, reorganise into task groups, and redistribute as equal time measures as short task lists that were only a half page at most per person. So tasks printed out, floppy disks duped, “time to get to it”…

All was going well until “The Trading Floor”…

It turned out their desktops had SCSI drives, and multi-screen cards… As some might remember, DOS drivers caused many a sleepless night for technicians, but Windows drivers… Well, you’ve seen that Munch painting called “The Scream”; well, that was DOS, with Polish artist Zdzisław Beksiński’s paintings being more Windows style[2].

The word “Nasty” did not cover it and in the end we went down the “fix one – clone to the rest” HD “wipe n write” technique (much as many box-shifters do these days with Windoze and the “dixième enfer – deuxième exemplaire” method).

But… It got done, and way faster than originally expected.

Sometimes a little knowledge of history can make you appear like Alexander… At which point my advice is leave pronto, as there will always be this “Oh, whilst you’re here… we’ve got this other little problem” double tap, and I can guarantee it will make the first problem look like a walk in the park.

[1] Even Shakespeare had familiarity with the Gordian Knot,

“Turn him to any cause of policy,
The Gordian Knot of it he will unloose,
Familiar as his garter”

There are two versions of how the knot is parted. The first is by using a sword to cut in half, the second to “pull the lynch pin” thus loosening the knot and revealing both ends thus making it much easier to unravel and untie.

Both are metaphors for ways to rapidly problem solve and I use them both in one way or another.

[2] You can find Norwegian artist Edvard Munch’s “Scream” all over the Internet, and imitated in so many ways it’s lost much of its impact and has become a trope of a meme, with even the way people say “Munch’s Scream” almost a leitmotif.

See some of Polish artist, Zdzisław Beksiński’s work at,

https://www.boredpanda.com/polish-artist-paintings-nightmares-zdzislaw-beksinski/

But… Much more fun in a scary way is the recent “look behind you” works of London based illustrator Brian Coldrick. Some are animated so look for a while,

https://www.boredpanda.com/behind-you-scary-illustrations-brian-coldrick/

The “boredpanda” site is worth exploring on dull winter “indoor days” as it has some gems tucked in the folds of its pages.

Clive Robinson January 14, 2024 4:53 AM

@ Ismar, bl5q sw5N, lurker, vas pup, Winter, ALL,

Re : AI and persecution legitimizing.

“I can attest to this from first hand experience, but mine also indicates that the main reason this can be done is not the technical one but the readiness of others in society to ostracise and judge without sufficient reason or evidence.”

Sadly you are by no means the only one.

Just the latest example of this basic technique is coming out after it started more than a quarter of a century ago, and over 700 people working for just one organisation were persecuted, and even so some are tragically no longer with us, others are still being persecuted,

https://www.theguardian.com/uk-news/2024/jan/14/a-tragedy-is-not-far-away-25-year-old-post-office-memo-predicted-scandal

They say “biggest political scandal” but it’s not, not by a long way; the failings, thus the scandal, are endemic in nearly all UK Government Depts and probably number victims in the tens of thousands if not greater in the past few years alone.

Other Nation States are likewise: @ResearcherZero has repeatedly mentioned Australia, and @JonKnowsNothing various trans-national systems or processes.

Now consider how even an LLM can be used to do this way way more covertly and at significant “arms length”.

The number of researchers finding just how many different ways LLMs can be covertly, to the point of invisibly, influenced to be prejudiced in output is not just large, it’s also frightening in its apparently endless discoveries.

Then go on from what are really “simple” but large LLMs and consider “more complex” and “more malleable” ML systems and other types of AI that are just starting to get out of the researchers’ minds.

These systems are dangerous even without “Physical Agency”. As I’ve indicated they are ideal surveillance tools, and read what @vas pup has mentioned above. It’s why they will be able to not just “gaslight” people; it’s easy to see how they can also become “agent provocateurs en masse” (a phrase that will no doubt get heard more frequently).

I don’t want people to see this thread in five, ten, twenty years time and say “there was this warning” but “nobody acted on it”.

Winter January 14, 2024 5:30 AM

@bl5q sw5N

All of them accuse them of being conspiracy theorists

Please give some examples of people executed or deported for being conspiracy theorists. Tyrannies like the Soviet Union have murdered millions of people, but I know of not a single example where the victim was accused of being a conspiracy theorist.

Winter January 14, 2024 6:22 AM

@Clive

Now consider how even an LLM can be used to do this way way more covertly and at significant “arms length”.

The scandal, which made the newspapers in the Netherlands too, was not caused by the software program, but by the willingness of people to believe the institution that made the allegations.

Those responsible for this scandal were politicians that wanted to get promotion by being “tough on crime” and fund tax breaks for rich people by cutting corners in services.

The software is just an excuse to hide behind and obscure the real mismanagement.

LLMs are only fooling people who want to be fooled. Not different from the “filters” in Instagram and TikTok that youngsters use to improve their face. They use the filters because they think others show their “true” face which deep down they know is not true.

The problem is not the filters or the LLMs, but the social problems behind these desires.

Clive Robinson January 14, 2024 8:36 AM

@ Winter, ALL,

Re : Past is not future.

“The scandal, which made the newspapers in the Netherlands too…”

The scandal is very much “past tense”, going back a quarter century or more.

Whilst AI in some form has been around since the 1960’s, it was unusable in the real world until the 1980’s with “soft AI”, “Expert Systems” and “Fuzzy Logic”, and until very recently that’s how things more or less stayed outside of a few niche areas.

I did work on both Expert Systems and Fuzzy logic[1] back in the 1980’s as well as some primitive “neural networks” building them on DSP chips in the 90’s. Whilst Expert systems were CLI usable the interfaces were like “Multi-Choice Exam” forms and lacked any user originated multivalent input of real use. They walked mostly binary option decision trees because of this, thus Expert Systems became niche fairly quickly. As the base technology was not there…

Neural Networks worked on multivariate or binary inputs, but tended to be forced towards binary outputs. But the required floating point processing significantly limited not just the number of inputs but the number of layers and interconnectedness to be of use; also there were significant training issues.

This was more or less how things stayed until just a couple of years back.

So all the arguments you give are based on a past where AI was not in any way used for these situations.

As they say in the finance industry,

“Past performance is no indicator of future performance”

Or as I’ve put it in the past,

“You are not a murderer until you’ve killed AND been convicted of the crime.”

It’s a fundamental issue with security and human trust. Like the defence spending issue, you do not know what will cause an attack or betrayal of trust. You only know that in a large enough population you can say there is XXX probability, which rises in some way to near certainty with a very large population.

This “step change” is caused by many things but it happens especially at the interface between very slowly evolving humans and rapidly evolving technology.

Put simply as I have before it’s,

“An old wine in new bottles”

Issue, where old criminal acts often centuries old gain fresh advantages from new technology. Especially by technically adept attackers before defenders have realised that a new vulnerability has come into play.

This is the current state of play, we are at a cusp where what actually is a newly available technology is now just comming into play for unlawful and unethical acts.

Being of what our host @Bruce has previously called “thinking hinky” I can confidently say that these emerging technologies will be used for criminal, corrupt, immoral, and unethical acts long before they get legislated against.

You only have to look at how quickly LLMs got adopted by the producers of pornography, both for people’s fantasies about famous people and for the really unpleasant stuff.

Saying that it has not happened because it’s a people problem is just a wrong view point. It’s looking back behind the technology curve / cusp not in front of it.

The people problem is not going to change due to slow human evolution, but what they can do with “force multiplier” technology has been seen over and over. Technology is an enabler as well as a force multiplier. I don’t do DIY with “human powered tools”, I use “power tools”, and so does nearly everyone else, as it gets the job done more quickly and more easily, thus the DIY work I can do is vastly magnified.

As I’ve said LLMs are the most powerful surveillance tool we’ve got “SO FAR”… but I know that ML and other AI developments are coming down the pipeline that will be even more powerful, in probably short order now the base technology is easily available.

I also know that those out there with abnormal socio-cognitive patterns will use any tool they can get their hands on to achieve their objectives. There is no doubt about this, as any psychologist or psychiatrist practicing in the criminal area will tell you.

All I’m doing is saying,

Wake up, don’t sleepwalk into a world of hurt.

Because I can see in my “hinky way” exactly how these new technologies can be used, by what I regard as fairly simple reasoning. As I’ve demonstrated so many times on this blog I predict with reasonable accuracy into the future, on average about eight years, or half a decade to a decade, ahead of others who voice publicly.

Disagree if you wish, but time will tell.

[1] The use of fuzzy logic allowed AI to be better suited to analog or multivalent input from machine sensors, so it kind of got shuffled sideways into the likes of lift and train stopping / positioning systems and minimal energy or topple speed controllers. Actually fuzzy logic is way more useful, but it’s the lack of human use input devices that stymied its general use. Worse, humans, unlike mechanical devices, lack useful repeatability (why they ask you “pain between 1 and 5” not as a percentage). Thus although humans would have a perception of sameness, they will not in any real multivalent input give a sufficiently granular value sufficiently repeatably to be of any use as such.

lurker January 14, 2024 12:18 PM

@Winter
“LLMs are only fooling people who want to be fooled.”

Which includes most politicians and many of their “public” servants. Now there’s a social problem for the rest of us.

JonKnowsNothing January 14, 2024 12:23 PM

@Winter, @Clive, All

re: The scandal … was not caused by the software program

If in reference to: The Horizon Fujitsu UK Post Office Distributed Point of Sale System:

It was the software.

It was the hardware and software combined into a shoddy product. (1, 2)

The old adage of:

  • It’s never the crime, it’s the cover up

That is what caused the scandal for 25yrs and counting.

Indeed the criminality of the situation is more grave than expected, as the Horizon Fujitsu Accounting Report was a major component in the prosecution and conviction of a person accused of murder. Per the MSM, there was no physical evidence of the person being the killer but a long trail of Horizon Fraud Accusations were used by the prosecution to claim the person was covering up thousands of pounds of embezzlement from the Post Office Horizon System as the motive behind the murder. (3)

Another component, from the article @Clive referenced (4), is a change in the legal views of “computer failures”, and this will definitely impact how AI fares in courts, as AI makes inroads into the legal system with false court case citations.

  • in 1999, a legal change was introduced stating that there would now be an assumption that computers were “reliable” unless proven otherwise

There is very little chance of anyone being able to concretely and specifically show a computer and software system “has a problem” if they do not have access to the Full Bug Database, with all the test cases, all the results and all the Open, Closed Bugs for the system.

Not even Fujitsu is going to release the Engineering Version of that database. They might have to provide a small sanitized subset of Test Results, if they were challenged.

This is a form of Dieselgate, where the system is rigged to give a false reading. Only Software and Hardware Engineers can do that. It is the Managers who ordered the false reading to be created, but it was the software and hardware people that did the work.

===

1) The exact nature of the failure hasn’t been a technical discussion on MSM. From piecing MSM reports of how the tills of remote post offices were marked “under count” by a few or by thousands of pounds each day, it can be hypothesized.

SWAG:

  • A faulty polling system, pulling in the activity at EOD into the mainframe, and the timing of polling (open and close) and the Point of Sale Terminals were the primary contributors.

Consider:

If the till was correct on opening, which the post master would know by setting up the till the night before, which is common practice, the errors had to occur during business hours. Most retail establishments do not balance to the penny at EOD. There is the log receipt of activities and the cash in the drawer.

Most businesses would know if they did a big dollar transaction, eg a $5,000 purchase by a customer, when the average purchase for postage stamps is $10 or less.

Yet the logs (if any) showed a huge transaction at the mainframe EOD Accounting Report which was sent to the Post Masters the next day as An Error Report with demands for
“topping up the till out of their pockets”.

This transaction never happened.

So, if it was not in the software, how did it get into the Horizon mainframe and later into a court of law as a valid transaction?

The only place this transaction happened was inside the Fujitsu Horizon Mainframe. It was by the software. The hardware might still be faulty with an undisclosed hardware glitch in the counting registers. (2)

2) iirc(badly) Some years back, there was a seriously bad maths glitch in a major CPU chip used in PCs everywhere. Since it was in the CPU maths circuitry it could not be fixed directly. A software patch was released to intercept calls to that registry section in the chip, but not everyone installed it. All the maths computations using that particular call from those PCs were incorrect.

The main fix was hoping, that those systems would be quickly replaced by market upgrades.

3)
htt ps://www.the guardian. com/uk-news/2024/jan/13/post-office-owner-says-horizon-system-was-used-to-frame-him-for-wifes-murder

  • He was found guilty at trial in 2011 on the basis of circumstantial evidence
  • With no DNA evidence to link him to the murder or the metal bar used to kill … [he] was convicted in part after the jury heard evidence from a Post Office investigator using data from the Horizon system.
  • This purportedly showed he was stealing money from the Post Office and then killed his wife to cover up his theft.

4)
h ttps: //w w w.theguardian.com/uk-news/2024/jan/14/a-tragedy-is-not-far-away-25-year-old-post-office-memo-predicted-scandal

  • Then there was a potent ingredient thrown in by the legal world.
    Just before the scandal began to unfold in 1999, a legal change
    was introduced stating that there would now be an assumption that
    computers were “reliable” unless proven otherwise.
  • Previously, a machine’s reliability had to be proved if it was being
    used as evidence. It has now been revealed that the Post Office
    itself lobbied for that law change. In its submission to the official
    consultation on the issue, it said the previous requirements were
    “far too strict and can hamper prosecutions”.

Winter January 14, 2024 2:27 PM

@JonKnowsNothing

It was the software.

The output of a software program is not enough evidence to prove guilt.

The scandal was that accountants, prosecutors, and judges did not want evidence beyond a printout of a computer program. And they did so not once, but many times.

That is a massive failure of fair trials.

lurker January 14, 2024 4:06 PM

@Winter, JonKnowsNothing
“The output of a software program is not enough evidence to prove guilt …”

… under current systems of jurisprudence that are based on paper documents, printed, or human written. The code can be printed onto paper, some parts may already be, but Fujitsu is certainly never this side of Fiddler’s Green going to allow it to appear in an open courtroom. Now imagine handholding the judge, 12 jurors, and the prosecution attorney, explaining how faulty code works.

The scandal was (and still is) that the judicial system has no way to accept the behaviour of software in evidence, analyze it, and come to legally acceptable conclusions. Certainly there have been notorious copyright cases where the printouts were produced in black and white in the courtroom; but the functioning of software remains to the judiciary one of Clarke’s sufficiently advanced technologies, indistinguishable from magic.

It was in this vacuum that Parliament passed the Youth Justice and Criminal Evidence Act 1999 and the judiciary has acted accordingly. See also:

‘https://evidencecritical.systems/2022/06/30/briefing-presumption-that-computers-are-reliable.html

‘https://www.theguardian.com/uk-news/2024/jan/12/update-law-on-computer-evidence-to-avoid-horizon-repeat-ministers-urged

JonKnowsNothing January 14, 2024 6:47 PM

@Winter, Clive, lurker, All

re: The output of a software program is not enough evidence to prove guilt.

Except that it was and is enough.

While the gory details are in the many cases brought to trial and the unlimited number of cases where NDS were demanded in settlements, the output of the system was all they needed.

  • The computer said $5,000 was missing from the till
  • The Post Master said the till was $10.00 over
  • The Official Post Office Investigator confirmed the computer said there was $5,000 missing.

Accountants are not computer technicians. They add up columns of numbers and foot-n-tick the subtotals and the totals to verify they match up. They do not make up data and jam it in the system, except for Balancing the Book Entries. Which is what they would have done.

Those entries are based on what the computer says is in the database.

For every business there are legitimate write offs and write downs for damaged goods, shrinkage (theft) and other hazards of business. These write downs have specific formats and applications. They are not haphazard or random entries. (1, 2)

It is clear from the 25yrs of fraudulent prosecution that the errors attributed to the Post Masters’ EOD receipts, from the EOD polling and data upload and processing, happened at the Fujitsu Mainframe.

Some of the new MSM reports of memos indicate that from the beginning, the reliability of the software was questioned.

Lots of Comp Sci programmers do not have a clue about business and how it works. Very often they write “clean code” and worry about “efficiency” without understanding the primary purpose of the system is actually simple.

However, even a simple system fails when the scale of the system is not considered in the design. A system that works fine for single user PC may not be adequate for a department of 100 people. Scaling further brings in more issues of timing, race conditions, processing time and report distribution.

We can see this problem with Cloud Computing of all sorts, business, science and academic.

  • Amazon may offer many items, sold by many vendors, have state of the art UI interfaces and state of the art delivery systems but it is essentially still an accounting problem.

From both an Accounting view and a Comp Sci view, what is intriguing is, to discern the origin point of the imaginary numbers.

  • It happened often, regularly, daily, weekly
  • The amounts varied from $1 to $100,000

Since the errors happened daily, this was not an EOM reconciliation. It was a daily action of incoming revenue reports which generated imaginary errors in the revenue stream.

Rhetorical Question

  • What computing processes can you think of that generate tiny errors at the same time it is generating enormous errors?

===

1) USA, there are several ways of accounting that apply to different businesses: Cash and Accrual. There are also Tax Adjustment entries that are made based on laws applying to the indicated accounting methods. This is normal business.

ex:

The computer inventory indicates 10 Washing Machines in the Warehouse

An inventory count shows there are 8 Washing Machines

* 1 Washing Machine fell off the stack and is no longer salable

* 1 Washing Machine is in transit to a customer

An entry will be made to indicate the Loss of 1 Washing Machine from Inventory

An entry will be made to indicate 1 Washing Machine in Transit for Accounts Receivable.

The corrected entries will show 8 Washing Machines in inventory.

The entries are made using the Double Entry Bookkeeping Method.

2)
h ttps://e n.wikipedi a.org/wiki/Double_entry

  • Double-entry bookkeeping, also known as double-entry accounting, is a method of bookkeeping that relies on a two-sided accounting entry to maintain financial information. Every entry to an account requires a corresponding and opposite entry to a different account. The double-entry system has two equal and corresponding sides known as debit and credit. A transaction in double-entry bookkeeping always affects at least two accounts, always includes at least one debit and one credit, and always has total debits and total credits that are equal. The purpose of double-entry bookkeeping is to allow the detection of financial errors and fraud.

vas pup January 14, 2024 7:16 PM

@Winter – https://www.schneier.com/blog/archives/2024/01/friday-squid-blogging-giant-squid-from-newfoundland-in-the-1800s.html/#comment-430993

Agree absolutely. I have no idea how criminal justice officials are trained in the US, but they have zero understanding of the Theory of Evidence: only a cluster of ALL evidence could be considered as the basis for a guilty verdict, because any of them alone is subject to being false: memory of witnesses is malleable, not like recorded on tape/cd you name it; testimony of victims is substantially affected by emotions; confession could be false for many reasons; material evidence could be contaminated or/and misprocessed.

@All
Why the hovercraft’s time might have finally arrived
https://www.bbc.com/future/article/20240112-why-the-hovercrafts-time-might-have-finally-arrived

Many references for utilization related to subject of this blog. As I see it: hovercraft drones with underwater drones and air drones working in concert with AI technology to overpower/overload defense capability of big targets.

ResearcherZero January 14, 2024 11:42 PM

“baiting”

‘https://asteriskmag.com/issues/04/fracking-eyeballs

‘https://orlp.net/blog/when-random-isnt/

gone fishing

MDK January 15, 2024 12:51 AM

@lurker

Totally agree at rolling your own leveraging open source etc. That would be my first choice and adding advanced security policy around the service.

I always ponder why these organizations/companies are port forwarding services through firewall appliances with little to no security policy around them. Lazy I hope? Good example, Maximus Federal, Medicare contractor, was part of the MoveIT data breach. The MoveIT daemon was forwarded through a firewall and open to the Internet. Maximus did detect suspicious activity but it was too late to prevent the attack before data theft took place.

hxxps://www.cms.gov/newsroom/press-releases/cms-notifies-additional-individuals-potentially-impacted-moveit-data-breach

This is feeling very similar, just different APTs. My guess is it’s going to be ugly before it’s over with. Time will tell.

Winter January 15, 2024 8:08 AM

@JonKnowsNothing

Except that it was and is enough.

Only when there is collusion between the prosecutor and parties.

The statement “The Official Post Office Investigator confirmed the computer said there was $5,000 missing” is no evidence in itself.

No accountant would accept “the computer said it was OK” as sufficient basis to accord the official company annual financial report. No court should accept “computer says yes” as evidence without a detailed audit trail and proof that it was not tampered with.

Unless, of course, there is collusion between parties, the prosecutor, and maybe even the court.

Clive Robinson January 15, 2024 8:33 AM

@ Winter, JonKnowsNothing, ALL,

Re : Collusion intentional or not.

“Unless, of course, there is collusion between parties, the prosecutor, and maybe even the court.”

There is always “collusion in a shared space”.

The question then becomes,

“Is the collusion intentional?”

To which the answer is almost always “Yes” to some degree (eg two people can not stand on the same spot, so one colludes with the other as to who it is).

Thus the next question is,

“Does the collusion cause harm?”

Again the answer often is “Yes” (think about unwarranted deference to hierarchical position).

Thus the next question is,

“Can the harm be mitigated?”

And this is almost always the point where things go horribly wrong.

Because a “mitigation” is a conscious act that increases complexity, that in turn almost always increases not decreases vulnerability thus the potential for intentional harm.

Whilst it will not be shown “officially”, it is clear that the Post Office with deliberate intention caused a mitigation that produced a vulnerability that they then callously abused to their advantage.

The mitigation should never ever have been considered let alone granted.

JonKnowsNothing January 15, 2024 11:56 AM

@Clive, @Winter, All

re: Post Office Horizon How Did They Do it?

I’m intrigued with a black-box reverse engineering thought experiment, of how the Fujitsu software came up with a consistent string of errors (tiny to huge) over a period of time (years) but which did not appear to have any specific traceable pattern (random) application.

Per one MSM report, there were a number of updates to the system and that the most egregious cases took place before Update 3. That does not mean, that the errors did not continue. It appears that the Horizon Post Office Audit Logs were not accurate and or not produced (no one looks at the audit trail or I write perfect code).

So how did they do it?

It made a great deal of money for the Post Office, by claiming the Post Masters were embezzling funds, and those funds were accounted in the Gross Revenue for the Post Office. As the funds were fictitious, this is similar to the insurance policy printing scandals(1,2), where the Revenue | Cash Flow is inflated by creating bogus insurance policies. The Post Office effectively billed the Post Masters for ?Millions? of pounds of extra revenue.

So how did they do it?

Accounting systems use Double Entry Bookkeeping methods. (3) It is the standard for accounting systems.

Any transaction has a minimum of 2 lines or accounts that are affected; there can be multiple lines but nothing less than 2. Think of this as a 2 column SS. One column is + and the other column is -. The totals of the 2 columns must be the same. The sum of the totals must be zero.

ex: Inventory -100 | Cash +100 / The total for each + – column is 100 and the sum is 0

No matter how many accounts are processed in a transaction this is required behavior (manual or computer)

Additionally, computer accounting transactions are done with Block Transaction Locks. This works the same as a variable Lock-Unlock. If you lock a variable no one can alter it until it is unlocked. Normally this is a short time where a critical state update to the variable is happening.

  • Lock / apply change / Unlock

These same concepts of Lock-Unlock apply to many computer database records, updates, read-write operations.

A Transaction Lock/Rollback is used for accounting systems. The Transaction Lock wrapper is placed around the entire set of transactions (2 or more). If any aspect of the transaction fails the entire set is rolled back. If the transaction is not in the proper format the entire transaction would be rejected to begin with.

ex: (please ignore any bad pseudo code)

If Validate Transaction () Then
    Transaction Lock
    Inventory Update ()
    Cash Update ()
    If Valid Update () Then
        Post Transaction
    Else
        RollBack Transaction
    End If
    Transaction Unlock
End If

So, a single entry of $5,000 would fail to begin with. There had to be 2 entries of $5,000. One for the Post Office and the other for the Post Master.

ex: Post Master -5000 | Post Office +5000

Since the $5,000 never existed, how did the Fujitsu Accounting Software produce an extra $5,000?

The standard posting-update of a Point of Sale (POS and yes they are) produces an audit trail of transactions for the day. It’s the other half of the receipt you get from the market and which you normally toss in the trash later. The POS half gets uploaded into a mainframe system and processed using Transaction Locks over blocks of the data.

ex: 5 customers buying 5 rolls of stamps for $5 each would post $25 of sales and $25 of cash in the till

Yet the Fujitsu Software posting routines showed that the Post Office got $5,000 and the Post Master was short $4,975

How did they do it? They certainly coded it to do this, it wasn’t auto-magic.

How did they get it to ?randomly? apply to Post Masters across the entire system? Some Post Masters got many citations and others got none. What was the mechanism created to create the equivalent of fake insurance policies, without flooding the entire system?

===
1)
ht tps://en. wikipedia.org/wiki/The_Billion_Dollar_Bubble

  • The Billion Dollar Bubble is a 1978 American film made for the BBC series Horizon and directed by Brian Gibson about the story of the two-billion-dollar insurance embezzlement scheme involving Equity Funding Corporation of America.

2)

ht tps:/ /en.wikipedia.org/wiki/Equity_Funding

  • Equity Funding Corporation of America was a Los Angeles-based U.S. financial conglomerate that marketed a package of mutual funds and life insurance to private individuals in the 1960s and 70s. It collapsed in scandal in 1973 after former employee Ronald Secrist and securities analyst Ray Dirks blew the whistle on massive accounting fraud, including a computer system dedicated exclusively to creating and maintaining fictitious insurance policies. Investigation found that from 1964 onward, as many as 100 company employees had engaged in organized deception of investors, auditors, reinsurers and regulatory authorities.

3)
h tt ps://e n.wikipedia.o rg/wiki/Double_entry

  • Double-entry bookkeeping, also known as double-entry accounting, is a method of bookkeeping that relies on a two-sided accounting entry to maintain financial information. Every entry to an account requires a corresponding and opposite entry to a different account. The double-entry system has two equal and corresponding sides known as debit and credit. A transaction in double-entry bookkeeping always affects at least two accounts, always includes at least one debit and one credit, and always has total debits and total credits that are equal. The purpose of double-entry bookkeeping is to allow the detection of financial errors and fraud.
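The validate / lock / update / check / post-or-rollback sequence sketched in the pseudo code above, plus the reconciliation of a branch’s own POS receipt tape against the central posting that the earlier washing-machine and $25-of-stamps comments describe, as an added worked example. This is illustration code written for this thread, not Fujitsu or Horizon code; the account names, the “a till can never go negative” rule and the receipt figures are all constructed. It goes slightly beyond the comment in one respect: it shows that a fabricated pair of entries that balances is a perfectly well-formed double entry, so the zero-sum check alone never catches it, and only a post-update invariant or reconciliation against the branch’s independent record does.

```python
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Dict, List, Sequence, Tuple

# Constructed illustration for the discussion above; not Fujitsu/Horizon code.
# Account names, the no-negative-till rule and the receipts are all made up.

Line = Tuple[str, Decimal]      # (account, signed amount: + debit, - credit)


class InvalidTransaction(Exception):
    """Raised when a posting is not a well-formed double-entry block."""


@dataclass
class Ledger:
    balances: Dict[str, Decimal] = field(default_factory=dict)
    journal: List[List[Line]] = field(default_factory=list)
    no_negative: Sequence[str] = ()   # account prefixes that may never go below zero
    _locked: bool = False

    def validate_transaction(self, lines: Sequence[Line]) -> None:
        # Double entry: at least 2 lines, at least one + and one -, net sum zero.
        if len(lines) < 2:
            raise InvalidTransaction("a double-entry block needs at least two lines")
        if not any(a > 0 for _, a in lines) or not any(a < 0 for _, a in lines):
            raise InvalidTransaction("block needs at least one debit and one credit")
        if sum(a for _, a in lines) != 0:
            raise InvalidTransaction("debits and credits do not sum to zero")

    def valid_update(self) -> bool:
        # Post-update invariant: a physical till cannot hold negative cash.
        return all(bal >= 0 for acct, bal in self.balances.items()
                   if acct.startswith(tuple(self.no_negative)))

    def post(self, lines: Sequence[Line]) -> bool:
        """Validate, lock, apply every line, check, then commit or roll back."""
        self.validate_transaction(lines)
        if self._locked:
            raise RuntimeError("ledger is locked by another transaction")
        self._locked = True
        snapshot = dict(self.balances)      # rollback point for the whole block
        try:
            for account, amount in lines:
                self.balances[account] = self.balances.get(account, Decimal(0)) + amount
            if not self.valid_update():
                self.balances = snapshot    # roll back every line, not just one
                return False
            self.journal.append(list(lines))
            return True
        finally:
            self._locked = False


def reconcile(receipts: Sequence[Decimal], ledger: Ledger, till: str) -> Decimal:
    """Difference between the branch's own POS receipt tape and the central
    ledger's till balance. Zero means the two independent records agree."""
    expected = sum(receipts, Decimal(0))
    return ledger.balances.get(till, Decimal(0)) - expected


def run_day(enforce_till_rule: bool):
    """Constructed branch day: 5 customers each buy one $5 roll of stamps."""
    ledger = Ledger(no_negative=("Till:",) if enforce_till_rule else ())
    receipts = [Decimal(5)] * 5
    ledger.post([("Till:Branch1", Decimal(25)), ("Sales:Stamps", Decimal(-25))])
    day_gap = reconcile(receipts, ledger, "Till:Branch1")        # 0: records agree

    # A lone $5,000 'shortfall' line never gets past validation.
    try:
        ledger.post([("Till:Branch1", Decimal(-5000))])
        single_rejected = False
    except InvalidTransaction:
        single_rejected = True

    # A balanced but fictitious pair is a perfectly formed double entry;
    # only the till invariant or the reconciliation step can expose it.
    phantom_posted = ledger.post([("Till:Branch1", Decimal(-5000)),
                                  ("HeadOffice:Shortfall", Decimal(5000))])
    phantom_gap = reconcile(receipts, ledger, "Till:Branch1")
    return (day_gap, single_rejected, phantom_posted,
            phantom_gap, ledger.balances["Till:Branch1"])


if __name__ == "__main__":
    print(run_day(enforce_till_rule=False))   # (0, True, True, -5000, -4975)
    print(run_day(enforce_till_rule=True))    # (0, True, False, 0, 25)
```

Without the till rule the phantom pair posts cleanly and the branch shows $4,975 short against a $25 day, which is the shape of the figures in the comment; the reconciliation step against the branch’s own receipts is what reports the $5,000 gap. With the rule switched on, valid_update fails after the lines are applied and the snapshot restores every account, including removing the HeadOffice:Shortfall account the block had created. The lesson for anyone reviewing such a system is that balance checks prove internal consistency, not truth, so the independent record at the edge (the POS tape) has to be kept and compared.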

lurker January 15, 2024 12:18 PM

@Winter, ALL

No court should accept computer says yes as evidence without a detailed audit trail and proof that it was not tampered with.

You know, and I know, that this is the logically correct and morally proper way to deal with such matters. British law accepted that:

Police and Criminal Evidence Act 1984

S.69
(1) In any proceedings, a statement in a document produced by a computer shall not be admissible as evidence of any fact stated therein unless it is shown—

(a) that there are no reasonable grounds for believing that the statement is inaccurate because of improper use of the computer;

(b) that at all material times the computer was operating properly, or if not, that any respect in which it was not operating properly or was out of operation was not such as to affect the production of the document or the accuracy of its contents; and [court administrative procedures in applying the above omitted]

This sensible measure was just cut out completely by

Youth Justice and Criminal Evidence Act 1999

60
Removal of restriction on use of evidence from computer records

Section 69 of the [1984 c. 60.] Police and Criminal Evidence Act 1984 (evidence from computer records inadmissible unless conditions relating to proper use and operation of computer shown to be satisfied) shall cease to have effect.

Why was this done? In https://www.schneier.com/blog/archives/2024/01/friday-squid-blogging-giant-squid-from-newfoundland-in-the-1800s.html/#comment-430994 above I give a link to evidencecritical.systems which is a very readable explanation of the Law Commission’s reasoning. The Law Commission themselves published a 16MB pdf report on the matter which can be found via lawcom[dot]gov[dot]uk/document/criminal-law-evidence-in-criminal-proceedings-hearsay-and-related-topics/ I don’t feel sufficiently invested in the matter to wade through that …

MDK January 15, 2024 3:36 PM

@ALL

Mandiant analysis of Ivanti CVEs: CVE-2023-46805, an authentication bypass bug; and CVE-2024-21887, a command injection vulnerability.

hxxps://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day

Have a great week!

bl5q sw5N January 15, 2024 7:28 PM

@ Winter

Which tyranny

Second footnote: Tyrannies are never imposed, they are (consciously or unconsciously) invited. The tyrannized are complicit in their own enslavement, through a guilty failure to think through the moral implications of what they are asking for.

ResearcherZero January 16, 2024 12:06 AM

@bl5q sw5N

If you spend all your time with partisans, it isolates you from the act of responsibility of governing.

The Emperor’s New Clothes was printed as a book, then people read it. People do at times look for meanings in things that simply do not exist. They want it to exist and so keep looking. People want reasons for bad luck in life that avoids their own culpability and poor decision making. However humans are flawed and make bad decisions at times. This is something we must accept in order to prevent ourselves from making the situation worse.

On some odd occasions though there is a clear and demonstrable cause of ‘bad luck’. Usually in such cases, a small subset of society, of similar people in similar roles is affected.
The Post Masters for example, where Horizon and The Post Office conspired to withhold evidence and blame the victim. This is known as Institutional DARVO.

Some people believe the world is a fair place. Innocent people being unfairly punished conflicts with their worldview and therefore they cannot accept such a situation.

DARVO (Deny, Attack, Reverse Victim & Offender) describes a manipulative tactic often used by abusers to avoid taking responsibility for their actions and shift the blame onto their victims. Here is a simple explanation of how to properly apply DARVO (role played):

‘https://cdn.mrctv.org/videos/31303/31303-480p.mp4

That video is now actually used to demonstrate DARVO.
https://dynamic.uoregon.edu/jjf/defineDARVO.html

How to screw it up, or “the single worst legal strategy ever devised by a human mind”:

‘https://www.youtube.com/watch?v=97ud34-Knxo

“because as compared to last week, we have twice as much evidence this week.” – Rudy G

“He claimed massive election fraud but had no evidence of it. By prosecuting that destructive case Mr. Giuliani, a sworn officer of the Court, forfeited his right to practice law. His utter disregard for facts denigrates the legal profession.”

‘https://assets.bwbx.io/documents/users/iqjWHBFdfxIU/rvt7KS1jA1U4/v0

Over 1,700 ICS VPN appliances compromised with the GIFTEDVISITOR webshell.

Keylogging/credential harvesting – UTA0178 (UNC5221)

While devices without the mitigation did not correctly log exploit-related requests, those with the mitigation correctly log attempted exploitation.

‘https://www.volexity.com/blog/2024/01/15/ivanti-connect-secure-vpn-exploitation-goes-global/

mitigation

According to Ivanti, patches will begin being released the week of January 22, with the final patches expected the week of February 19.
https://www.tenable.com/blog/cve-2023-46805-cve-2024-21887-zero-day-vulnerabilities-exploited-in-ivanti-connect-secure-and

“Running the external Integrity Checker Tool will require a system reboot. Unfortunately you will lose some volatile data through this process.”

‘https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day

“Collecting logs, system snapshots, and forensics artifacts (memory and disk) from the device are crucial. Pivoting to analyzing internal systems and tracking potential lateral movement should be done as soon as possible. Further, any credentials, secrets, or other sensitive data that may have been stored on the ICS VPN appliance should be considered compromised. This may warrant password resets, changing of secrets, and additional investigations.”

https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/

ResearcherZero January 16, 2024 1:16 AM

@bl5q sw5N

Politicians want to project that they are in control and on top of events. In reality they have very little control over the global economy or world events. Politicians are often not really wearing any pants or any clothes at all. They ignore intelligence that is provided well in advance of events. Politicians are more interested in by-elections and events that are pertinent to themselves (domestic politics). Only once matters unfold does already existing intelligence grab their attentions. You can pick those occasions from the look of shock on their faces, as if they have been caught with their pants down.

Quite frankly too many politicians are clueless about history and Geopolitical or military strategy. But once in a while you get a real, to quote Rex Tillerson, “f–king moron”.

Even a military novice would understand the danger of assassinating an Iranian general who kept all of the regional proxy forces under control for decades, and successfully unified those forces and led them against ISIS…

“Mr Trump heightened tensions with Iran, primarily through his 2015 decision to rescind the Iran nuclear deal. His administration also enacted harsh new economic sanctions against the nation with the hopes it would force Iran to accept a more restrictive nuclear deal. That strategy ultimately failed.”

Following the sanctions, Mr Trump approved of an airstrike that killed Iran’s top general, Qassem Soleimani. That move nearly set off a war between the countries.

Mr Trump was reportedly “willing to do anything to stay in power”.

‘https://www.independent.co.uk/news/world/americas/us-politics/mark-milley-trump-war-iran-b1885608.html

Among those pushing the President to hit Iran before Biden’s Inauguration, Milley believed, was the Israeli Prime Minister, Benjamin Netanyahu.

Trump kept asking for alternatives, including an attack inside Iran on its ballistic-weapons sites. Milley explained that this would be an illegal preëmptive act:

“If you attack the mainland of Iran, you will be starting a war.” During another clash with Trump’s more militant advisers, when Trump was not present, Milley was even more explicit. “If we do what you’re saying,” he said, “we are all going to be tried as war criminals in The Hague.”

https://www.newyorker.com/magazine/2022/08/15/inside-the-war-between-trump-and-his-generals

Russia and Iran have increased their defense and economic cooperation and publicly explored options that could transform the relationship into a broad-based strategic partnership.

‘https://www.rand.org/content/dam/rand/pubs/perspectives/PEA2800/PEA2829-1/RAND_PEA2829-1.pdf

“Geopolitical relationships are shifting, economies are rising – and falling, rapid technological advances are fueling militaries’ modernizations at scale, and external factors like climate change and pandemics are changing the way people live, work, and go to war.”

‘https://www.jcs.mil/Portals/36/NMS%202022%20_%20Signed.pdf

“We want to stay in great-power competition. You’re going to have great-power competition. That’s the nature of the world, right. Go back five-ten thousand years in human history. Great powers are going to compete against each other in a lot of different spaces. So that’s okay. There’s nothing necessarily wrong with that. But make sure it stays a great-power competition and it doesn’t shift to great-power conflict or great-power war.”

So far so good. But then Milley really drove it home:

“In the first half of the last century, from 1914 to 1945 we had two world wars. And in between 1914 and 1945 150 million people were slaughtered in the conduct of war … Massive amounts of blood and destruction and we’re still obviously feeling the effects of World Wars I and II. And it’s unbelievable to think of great-power war. And now if you think of great-power war, with nuclear weapons it’s like, my God, you’ve got to make sure that doesn’t happen.”

https://www.brookings.edu/articles/russia-china-and-the-risks-of-war-my-conversation-with-general-mark-milley/

Winter January 16, 2024 1:17 AM

@bl5q sw5N

Second footnote: Tyrannies are never imposed, they are (consciously or unconsciously) invited.

As I always say:
Every nation gets the government it deserves.

So, you seem to be discontent with your own government. What did you do to “invite” it?

ResearcherZero January 16, 2024 2:00 AM

@Winter

Another saying that is relevant here is, “to be careful what you wish for”.

Conditions looked quite similar 100 years ago. If consumers keep complaining about tyranny and the “deep state” they might get exactly that. As they have been sucking on the sweet tit of convenience for so long, they have forgotten the past and what economic depression actually looks like. Hard to afford a phone and data when you are eating grass.

The poorest states will get hit the hardest too.

‘https://www.courthousenews.com/climate-change-likely-increase-us-income-inequality/

“Income inequality in the United States expanded from 2017 to 2018, with several heartland states among the leaders of the increase, even though several wealthy coastal states still had the most inequality overall. …Even though household income increased, it was distributed unevenly, with the wealthiest helped out possibly by a tax cut passed by Congress in 2017.”

https://www.nbcnews.com/news/us-news/u-s-income-inequality-highest-level-50-years-economic-gap-n1058956

The states with the highest vote for Brexit have also been the hardest hit in the UK.

But people are pretty delusional so they like to be told what they want to hear…

(a helpful tax cut for the wealthiest)

‘https://www.cnn.com/2022/12/30/politics/donald-trump-tax-returns-released/index.html

top 1% of taxpayers’ share of after-tax-and-transfer income rising from 9% in 1960 to 15% in 2019 (with substantial increases before taxes)

“In principle, audit studies are a useful source of information on nonpayment. In practice, however, they miss any tax evasion sufficiently sophisticated to escape the notice of auditors. Because such sophisticated evasion tends to be concentrated among the wealthiest taxpayers, assigning misreported income based on audit studies—as AS do—will tend to understate the share of pre-tax income going to the top 1% of earners.”

https://www.brookings.edu/articles/measuring-income-inequality-a-primer-on-the-debate/

The graphs have continued on the same trajectory…

The concentration of income toward high earners has become more pronounced since 1980. Average income in the highest quintile (one-fifth of the population) was 135 percent higher in 2020 than it was in 1980 – over three and a half times the growth in average income in the lowest quintile (which grew 38 percent over the period).

‘https://www.pgpf.org/blog/2024/01/5-facts-about-rising-income-inequality-in-the-united-states

ResearcherZero January 16, 2024 2:13 AM

@Winter

There has been some effort to begin to correct the situation in the last few years…

“Countries that have implemented the 15% tax since 1 January include the UK, Australia, South Korea, Japan and Canada, as well as the European Union and countries known as tax havens, such as Ireland, Luxembourg, the Netherlands, Switzerland and Barbados.”

The United States is not currently participating in the reform despite having endorsed the agreement in 2021.

‘https://www.pressenza.com/2024/01/global-minimum-tax-of-15-for-multinational-companies-comes-into-force/

Key business hubs such as Singapore, Hong Kong, and the UAE intend to delay implementation.

https://news.bloombergtax.com/tax-insights-and-commentary/oecd-pillar-two-implementation-is-a-classic-prisoners-dilemma

ResearcherZero January 16, 2024 2:17 AM

The two-part plan aims to first make companies pay taxes in countries where they are selling products and services, rather than where their declared headquarters or subsidiaries are based.

The second part of the plan would institute a minimum 15% tax rate on a country-by-country basis, effectively putting an end to tax havens that use a lower corporate tax to lure large multinational companies looking to slash tax bills.

However the plan depends on nations putting long term interests above short term profit.

lurker January 16, 2024 12:46 PM

@MDK thanks for the link;
@ResearcherZero

But while the forensic experts are up to their elbows in gory details, they don’t have the time, and are not being paid, to step back and ask some pertinent questions. Like, why should a VPN appliance have a web-based management interface, and why was this visible to the wide world, and did it really need a perl interpreter? The answer to those is implicit in the answer to: how come the attackers decided this was a high value target before the defenders?

Sun Tzu said everybody can see your tactics in battle, but nobody can see the strategy by which you win the war. The ITSec guys are exposing the tactics used in this attack, but the strategy of defence seems weak or lacking.

JonKnowsNothing January 16, 2024 2:08 PM

@Clive, @Winter, All

re: Post Office Horizon How Did They Do it? P2

MSM reports that Fujitsu has admitted they knew the Horizon Post Office system was faulty from 1990 onwards. They are making vague offers of assisting in compensation to the victims. They made £2.4bn from the contract so far. (1)

If they invested a contingency amount to cover future claims, especially knowing the system was faulty, they would have an additional £2bn-£3bn in backup funds. (2,3)

So, it’s a very generous offer to pay for a portion of compensation that will cost them nothing out of pocket.

  • Invested Wisely

===

1)
ht tps://ww w.theguardian .com/uk-news/2024/jan/16/fujitsu-admits-for-first-time-it-should-help-compensate-post-office-victims

  • Fujitsu’s European boss, Paul Patterson, admitted the company had known the IT system was faulty since the 1990s.
  • [Post Master prosecutions] “They convinced me that it was all my fault. I wasn’t tech savvy … I thought I’d made a hash of it. They’d gaslit me for about three years.”
  • Nick Read, the chief executive of the Post Office, said the organisation was committed to “get off Horizon”, which still runs Post Office systems and is scheduled to do so until 2025 after contract extensions.
  • Fujitsu has earned £2.4bn from the contract

Compensation pool is expected to be ~£1bn. That pool would-should be funded by the UK Government and by Fujitsu. Even if Fujitsu funded the entire amount they would pocket £1.4bn from the project plus accrued compound interest on £1bn over 25 years. (2, 3) The compounded interest earned would more than pay for the entire redress costs.

2)
ht tps : //en.wikipedia.org/wiki/Compound_interest

  • Compound interest is interest accumulated from a principal sum and previously accumulated interest. It is the result of reinvesting or retaining interest that would otherwise be paid out

3)
htt ps://w ww.investor.gov/financial-tools-calculators/calculators/compound-interest-calculator

Initial Investment $40,000,000

$1,000,000,000 / 25yrs = $40,000,000 per year initial investment

Monthly Contribution $3,333,333

$40,000,000 / 12 = $3,333,333 per month

Length of Time in Years 25yrs

Estimated Interest Rate 6%

Interest rate variance range +/- 1% (5%-7%)

Compound Frequency Monthly

In 25 years, you will have $2,488,578,436.26

Interest Rate Variance 1%

Year 25 Future Value
7% = $2,929,255,435.09
6% = $2,488,578,436.26
5% = $2,124,283,781.20

vas pup January 16, 2024 6:17 PM

Crime-fighting AI robocop is keeping an eye on New York’s subway riders
https://www.youtube.com/watch?v=DwMqUFADNZw

more details:
https://cyberguy.com/news/crime-fighting-ai-robocop-is-now-keeping-eye-on-new-yorks-subway-riders/

“I [Kurt] wonder how K5 can actually prevent or stop crimes when it can’t use force or arrest anyone*. I also worry about how K5 can affect the privacy and autonomy of subway riders. I don’t think that K5 is a solution to the complex and systemic problems that plague the subway system.”

*non-lethal force application should be included in robot equipment as a possible solution, applied by a police officer who watches the scene from a distance and makes the decision, not the robot. Regarding arrest: current practice of the NY DA is against arrests of real criminals but for arrest of those who really fight back.

JonKnowsNothing January 16, 2024 6:29 PM

@Clive, @Winter, All

re: Post Office Horizon How Did They Do it? P3

Fujitsu ‘fessed to some strange system behavior… (1)

  • Fujitsu found as many as one-third of transactions being duplicated
  • some fixes involved “manual workarounds”
  • “In essence we have a problem with the ARQ extraction tool,”
    • processing queries on post office operator transactions known as audit record queries (ARQ)
  • our spreadsheets presented in court are liable to be brought into doubt if duplicate transactions are spotted
  • “fast ARQ” method developed to collect the data did not distinguish duplicate transactions when it was [polled by] the Post Office.
  • “technical issues with the migration which Post Office specialists are aware” [ARQ data gathered about transactions and conversion updates]
  • “serious flaw” spotted in the audit code
  • Gareth Jenkins, the former chief architect at Fujitsu, said in an email there was a “significant bug affecting 13 branches causing some interest with high levels … “At the time I didn’t see a concern,” said Sangha

So,

In remote POS systems (yes they are) there is a single uploaded transaction file into the mainframe nightly for processing. An audit trail is normally part of the transactions system.

That audit log may or may not be uploaded nightly. It can be kept at the POS and archived n-times then deleted if electronic. If it is a printed log, it depends on how long the system auditors want to keep it. Some are diligent and keep them long periods.

  • I once worked on an accounting audit issue where the manager kept 5 years of paper trail and we found the error occurred 3 years previously. It was a lot of pages but we found the condition.

Depending on what the POS is tracking it uploads either Line by Line transactions (safest) or a subtotal of category like All Milk Sales (not so safe but faster).

So the Fujitsu system had a “habit” of duplicating some transactions

ex: 5 customers buying 5 rolls of stamps for $5 each would post $25 of sales and $25 of cash

was posted twice

T1 $25 of sales and $25 of cash

T2 $25 of sales and $25 of cash

The fundamentals of double entry requirements are satisfied but the audit trail showed the error. They did not fix the error, they just deleted the duplicate line in a SS.

This still is not an adequate explanation for the extremes in numbers and which accounts were affected.

Suppose:

The duplicate line is not from the current office being polled but from the previous one or even the CRC check value (2)

PO1: ex: 50 customers buying 50 rolls of stamps for $5 each would post $250 of sales and $250 of cash

PO2 ex: 5 customers buying 5 rolls of stamps for $5 each would post $25 of sales and $25 of cash

The polling routine would pull the first set of transactions PO1 correctly.

PO1: 50 customers buying 50 rolls of stamps for $5 each would post $250 of sales and $250 of cash

The polling routine then adds the first set of transactions PO1 to PO2

PO2 50 customers buying 50 rolls of stamps for $5 each would post $250 of sales and $250 of cash

PO2 50 customers buying 50 rolls of stamps for $5 each would post $250 of sales and $250 of cash

PO2 ex: 5 customers buying 5 rolls of stamps for $5 each would post $25 of sales and $25 of cash

So PO2 now shows -105 rolls of stamps and cash sales of $525

This is still not a sufficient explanation

  • Why is the buffer not cleared between the amounts?
  • Why is the system polling posting multiple updates without internal validation for the correct accounts? PO1 is not PO2.

This double booking (also illegal) is not happening every transaction. Something else is going wrong in the data transfer. And there is something else going wrong in the database entry fields.

Consider:

If they do not clear the buffer between transactions, there can be a carry over effect. (3)

If the database field is incorrect or not validated, any value or null being undefined might default to the last known value.

  • This is a problem in databases that allow “blank” as an acceptable field. eg Field has Y N options but the actual value is NULL

The polled data has the information for which PO is being pulled, so how is this field being ignored or misread?

POS systems are full of these surprises but all are well known. They aren’t actually a surprise.

There is something also in the transmission section that is going KLUNK. Like an incomplete poll is marked complete with N records pulled in the check value, but only N-Y actual records uploaded. This would fail a basic checksum and normally require a repoll.

Fujitsu is still not coming clean about what happened.

===

1)
h ttps://ww w.theguardian.com/business/2024/jan/16/fujitsu-still-providing-horizon-it-data-for-use-in-post-office-legal-actions

Has listing of some of their known errors. Not likely all of the critical ones.

  • Fujitsu executives hoped to present data to make prosecution evidence “more consistent”, in an effort to ensure hundreds of ultimately wrongfully brought cases would “go through smoothly”.

2)

https://en.wikipedia.org/wiki/Cyclic_redundancy_check

  • A cyclic redundancy check (CRC) is an error-detecting code commonly used in digital networks and storage devices to detect accidental changes to digital data. Blocks of data entering these systems get a short check value attached, based on the remainder of a polynomial division of their contents. On retrieval, the calculation is repeated and, in the event the check values do not match, corrective action can be taken against data corruption. CRCs can be used for error correction.

3) malloc – free type errors
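
A constructed simulation of the carry-over scenario above, added here as an example and not part of the original comment: a poller that never clears its receive buffer between branches reproduces the PO2 figures (105 rolls, $525) while the debit/credit check of double entry still passes, and only an audit trail keyed on per-transaction ids exposes the duplicates and the misbooked branch. Branch names, counter-stamped ids and the repeat count are assumptions of this model, not facts from the page.

```python
"""Constructed model of a nightly POS poll that fails to clear its buffer.

Not Horizon's code: branch names, transaction ids and the repeat count
are assumptions chosen to reproduce the worked figures above.
"""
from collections import Counter
from dataclasses import dataclass

PRICE = 5  # dollars per roll of stamps, as in the worked figures


@dataclass(frozen=True)
class Txn:
    txn_id: str  # unique id stamped at the counter (constructed)
    branch: str  # branch where the sale actually happened
    rolls: int   # rolls of stamps sold
    cash: int    # cash taken, in dollars


@dataclass(frozen=True)
class Posting:
    posted_as: str  # branch the central system booked the record against
    txn: Txn


def make_batch(branch: str, customers: int) -> list[Txn]:
    """Constructed nightly upload: each customer buys one roll for PRICE."""
    return [Txn(f"{branch}-{i:03d}", branch, 1, PRICE) for i in range(customers)]


def correct_poll(batches: dict[str, list[Txn]]) -> list[Posting]:
    """Reference poller: every record is booked once, against its own branch."""
    return [Posting(branch, t) for branch, records in batches.items() for t in records]


def faulty_poll(batches: dict[str, list[Txn]], stale_repeats: int = 2) -> list[Posting]:
    """Poller whose receive buffer is never cleared between branches.

    Whatever the previous branch left in the buffer is booked against the
    current branch (stale_repeats times, to match the figures above) before
    the branch's own records are received and booked.
    """
    ledger: list[Posting] = []
    buffer: list[Txn] = []
    for branch, records in batches.items():
        for _ in range(stale_repeats):
            ledger.extend(Posting(branch, t) for t in buffer)  # stale carry-over
        buffer = list(records)  # received into the buffer and left there
        ledger.extend(Posting(branch, t) for t in records)
    return ledger


def double_entry_balanced(ledger: list[Posting]) -> bool:
    """Debits to cash must equal credits to sales. Duplicated postings still balance."""
    debits = sum(p.txn.cash for p in ledger)
    credits = sum(p.txn.rolls * PRICE for p in ledger)
    return debits == credits


def branch_totals(ledger: list[Posting]) -> dict[str, tuple[int, int]]:
    """Per booked branch: (stock change in rolls, cash sales in dollars)."""
    totals: dict[str, tuple[int, int]] = {}
    for p in ledger:
        rolls, cash = totals.get(p.posted_as, (0, 0))
        totals[p.posted_as] = (rolls - p.txn.rolls, cash + p.txn.cash)
    return totals


def audit_findings(ledger: list[Posting]) -> dict[str, list[str]]:
    """Checks only an audit trail can make: ids posted more than once,
    and ids booked against a branch other than the one they came from."""
    counts = Counter(p.txn.txn_id for p in ledger)
    duplicates = sorted(i for i, n in counts.items() if n > 1)
    misbooked = sorted({p.txn.txn_id for p in ledger if p.posted_as != p.txn.branch})
    return {"duplicates": duplicates, "misbooked": misbooked}


def run_scenario(stale_repeats: int = 2) -> dict:
    """PO1: 50 customers, PO2: 5 customers, one roll each, polled in that order."""
    batches = {"PO1": make_batch("PO1", 50), "PO2": make_batch("PO2", 5)}
    good, bad = correct_poll(batches), faulty_poll(batches, stale_repeats)
    return {
        "good_totals": branch_totals(good), "bad_totals": branch_totals(bad),
        "good_balanced": double_entry_balanced(good),
        "bad_balanced": double_entry_balanced(bad),
        "good_audit": audit_findings(good), "bad_audit": audit_findings(bad),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The faulty ledger reports PO2 as (-105, 525) and still balances, which is why the spreadsheet totals alone could not have shown which branch the extra lines belonged to.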

ResearcherZero January 16, 2024 11:34 PM

@JonKnowsNothing @ALL

Fujitsu knew from “the very beginning,” which I assume means 1999…

One, named the “Dalmellington Bug”, after the village in Scotland where a post office operator first fell prey to it, would see the screen freeze as the user was attempting to confirm receipt of cash. Each time the user pressed “enter” on the frozen screen, it would silently update the record. In Dalmellington, that bug created a £24,000 discrepancy, which the Post Office tried to hold the post office operator responsible for.

Another bug, called the Callendar Square bug – again named after the first branch found to have been affected by it – created duplicate transactions due to an error in the database underpinning the system: despite being clear duplicates, the post office operator was again held responsible for the errors.

As early as 2001, McDonnell’s team had found “hundreds” of bugs. A full list has never been produced.

‘https://www.theguardian.com/uk-news/2024/jan/09/how-the-post-offices-horizon-system-failed-a-technical-breakdown

That RPM [Receipts and Payments Mismatch] bug was found to be affecting 40 branches back in 2010, when Post Office prosecutors were jailing their own employees for accounting shortfalls generated by Horizon. Each prosecution challenged in the Court of Appeal over the past year relied on data from the Horizon business management platform supplied by Fujitsu. This data, called “ARQ data” by the court, was a “complete and accurate record of all keystrokes made” on Horizon by sub-postmasters and their branch office staff.

Yet ARQ data was not often made available in the Post Office’s Crown Court prosecutions, leading to unjustifiable convictions and coerced guilty pleas.
https://www.theregister.com/2021/04/23/post_office_scandal_fujitsu_convictions_quashed/

Winter January 17, 2024 2:09 AM

Always check what an AI tells you to do, or write. Especially when it is code. This is reminiscent of Ken Thompson’s Trusting Trust attack.

How ‘sleeper agent’ AI assistants can sabotage your code without you realizing
‘https://www.theregister.com/2024/01/16/poisoned_ai_models/

Abstract from the original research:
‘https://arxiv.org/abs/2401.05566

Humans are capable of strategically deceptive behavior: behaving helpfully in most situations, but then behaving very differently in order to pursue alternative objectives when given the opportunity. If an AI system learned such a deceptive strategy, could we detect it and remove it using current state-of-the-art safety training techniques? To study this question, we construct proof-of-concept examples of deceptive behavior in large language models (LLMs). For example, we train models that write secure code when the prompt states that the year is 2023, but insert exploitable code when the stated year is 2024. We find that such backdoor behavior can be made persistent, so that it is not removed by standard safety training techniques, including supervised fine-tuning, reinforcement learning, and adversarial training (eliciting unsafe behavior and then training to remove it).

ResearcherZero January 17, 2024 2:13 AM

@JonKnowsNothing

It also sounds like s–t to me.

This still is not an adequate explanation for the extremes in numbers and which accounts were affected.

I’m bemused that they didn’t see any concern. I certainly never came across anything anywhere near as bad when fixing problems with databases for large companies, ever. I’m yet to understand how it is possible to screw something up so badly.

From the legal documents of the review:

“POL had a contractual right to obtain any of the information about Horizon which was held by Fujitsu. Some of the appellants sought disclosure of ARQ data. However, Fraser J heard no evidence to suggest that either PEAKs or KELs had been disclosed by POL in any civil litigation or any criminal prosecution before the High Court proceedings. This court is in the same position. In the prosecutions of these 42 appellants, so far as we are aware, there was no disclosure of any such document.”

‘https://www.judiciary.uk/wp-content/uploads/2022/07/Hamilton-Others-v-Post-Office-judgment-230421.pdf

They did not hand over the error logs. Which sounds like the opposite of helping to me.

What exactly are these other bugs they will not release, or were they deliberately hiding the flaws while inflating profits to maintain their contract, cover the cost of fixing their crap and the eventual resulting litigation? So why give Fujitsu yet another contract?

‘We are moving to the cloud’

“Therefore, we have a programme that is assessing how best to transition our technology platforms, including Horizon, to the cloud. This begins to set up our future needs for cloud-based hosting of systems.

Branches won’t see anything different during this work, or after the move takes place, and it won’t change the way Horizon operates in branch.”

https://www.onepostoffice.co.uk/secure/latest-news/our-business/moving-to-the-cloud/

No we are not moving to the cloud! We are moving Horizon “in-house”…

‘https://bidstats.uk/tenders/2021/W14/748290244

(again this sounds like s–t to me and an excuse for NDAs)

Due to an “inflexible monolithic architecture that makes technology change difficult”

and a “highly complex, legacy platform, written in outdated versions of software languages”

(carefully worded language used there to avoid mentioning the data itself)

“the program to transfer the services to a new cloud provider created fundamental technical challenges that POL could not economically and technically overcome, and the business has taken the decision to pivot back to the Fujitsu provided Horizon Data Centres until the successful transfer of services out of Horizon and into its replacement NBIT (“New Branch IT”)”

The Data Centre Operations and Central Network Services have thereby been extended for an additional period of 1 year from the 1st April 2023.

The estimated value of these services for the additional one year under the modification is £16,500,000 GBP.

plus… eventually moving to AWS apparently

Accenture (London)

Value: £27,000,000

‘https://bidstats.uk/tenders/2022/W27/778305906

And by moving everything ‘in-house’ they can carefully sort out the problems while avoiding further disclosure.

ResearcherZero January 17, 2024 5:17 AM

@JonKnowsNothing

My guess is that Fujitsu oversold, then did a dirty hack to try and meet their sales pitch of “3500 transactions per second”. Back when it rolled out, I imagine it was impossible to process that many transactions with such systems, in real-time, on ye old network. Especially considering just how many services they were trying to concurrently provide.

The right thing to do after their apology would be to now compensate the wrongly accused for the duress caused. Given that they knew about it all along, yet made false allegations.

Otherwise one might think that Fujitsu acted in a fraudulent and dishonest manner.

Clive Robinson January 17, 2024 6:01 AM

@ Winter, ALL,

Re : When does a pupil exceed the teacher and why?

“Always check what an AI tells you to do, or write. Especially when it is code. This is reminiscent of Ken Thompson’s Trusting Trust attack.”

It also has a significant issue attached.

“Can you tell when it’s misleading you?”

Something over 90% of actual code in use these days is copied or if you prefer “reused” or “from libraries” or pipelined utilities from Open Source etc.

Or worse, cut and paste examples from stripped down teaching “code snippet” examples where no error exception checking is included.

I first had occasion to actually push back on this nonsense many years ago when the software production mantra started to include formal “code reviews”.

As many from that time know, those doing code reviews are not the brightest or best developers in the business. In fact they were, back then, those who management did not see as very productive in terms of “code out the door” metrics.

Thus you had spaghetti code from a supposed “10x Coder”[1] whose only real aim is to “get lots of code out the door per management directive and metrics”, sitting down in what is an adversarial event, with an opponent management have selected because they considered them defective…

Thus in effect a modern day “throw them to the lions” Roman Circus blood sport, but without the entertainment value.

It’s fairly obvious that in the main such a code review process is,

“At best a production impediment.”

That is, the coder is taken away from producing spaghetti and the reviewer is, well, in comparison fairly clueless as to what they are signing off on. So they pick on things they know management will understand and support like “coding style” to show they are “contributing”[2].

And there is the crux of the problem. Even an LLM system will have greater knowledge breadth and depth than just about any programmer you could select. Because their corpus includes all code that is available publicly.

Now even a “Stochastic Parrot” with less mental acuity than an 8-year-old playground bully can just “pull it out of the hat” with a suitable search, sort, and select system (ie a matched filter).

So even the better programmers are going to be playing against a “better than they are” player in almost all respects with regards existing knowledge.

Think about it as playing Scrabble against a Chinese Room with the complete “allowed words” dictionary and Scrabble’s rules.

Thus getting an existing exploit past the majority will not require skill just a hidden command.

[1] I say “10x Coder” not “10x Programmer” for a reason and that’s “Management metrics”. These are usually not measures of actual useful “productivity” but “code out the door” most of which has,

“More defects than a stone-age watch.”

Thus actually is not 10x of anything useful, it’s just a basic side effect of “problem shifting” stupidity into what some like to call “Technical Debt” and I call it something way less polite. Having come from an actual engineering background where defects do harm such as maim, disfigure, kill, and physical damage such as burning places down even in battery powered portable consumer products. Something that as we give more physical agency to software is going to have a “butchers bill” bigger than an “autonomus taxi” and “Self driving EV” companies combined.

[2] I’ve mentioned before there are ways you can make code reviews actually work slightly better but every one I’ve seen in “non engineering” environments has been,

“Gameable, therefore was gamed”.

Worse, code reviews and similar can become personal; do I need to mention “scrums” and how badly they can be abused to abuse?

PaulBart January 17, 2024 7:35 AM

Fujitsu and Post Office victims were non-targeted and just casualties of greed.

Now imagine a world with no paper currency, all purchases, calls, meetings, associates, locations, writings, comments, known, and known forever, and nation-states/rogue deep-state actors targeting citizens that step out of the master’s corral.

Winter January 17, 2024 8:00 AM

@PaulBart

Now imagine a world with no paper currency, all purchases, calls, meetings, associates, locations, writings, comments, known, and known forever, and nation-states/rogue deep-state actors targeting citizens that step out of the master’s corral.

So, your starting point is: You live in a horrible tyranny...

That is, your society is a Dungeons and Dragons game, and all technology is evaluated in this D&D world.

The funny thing is, you are spouting the exact same talking points as the Americans who vote for the guy who wants to make this D&D style tyranny real.[1]

[1] Say, by promising to exterminate the vermin that oppose him.

ResearcherZero January 17, 2024 9:28 AM

Rogue actors were targeting people long before computers were invented. That is why there are laws and regulations. But people then complain about ‘Red Tape’.

If you want nice things then you need some Red Tape that says ‘fragile’. Otherwise it ends up smashed to pieces. You also have to pay people a decent wage so they do not kick the boxes. This produces happier, healthier people with some incentive not to kick boxes.

Capital increases faster than economic growth under the Neo-liberal/Conservative free-market capitalist model. So the rich end up wealthier as they have the capital. Even nice people can do some bad things when they have too much power.

Bad people do bad things anyway. Bad people do have a tendency to tell people exactly what they want to hear, as this is how a sociopath fits in amongst society. They attempt to copy behaviour. When they joke about doing bad things, there is more than a little truth in what they are saying. The rest is mostly lies. Simple answers to complex problems.

Most everyone does not want the trouble of dealing with a sociopath, and so in such an environment, ripe for exploitation, they of course thrive. Unless there are regulations to prevent such behaviour, or incentives to follow them and penalties for breaches.

For instance legislation mandating security first principles. Quick fixes often lead to long term problems. In complex environments there may be no simple answers or solutions.

some classic decades old flaws in there

‘https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html

“It’s useful to retrospectively detect nation-state actors and be able to estimate the impact based on how long they have dwelt on your network. It’s less useful to detect ransomware when you’ve already received the ransom note.” – The central premise of EDR is that, in the absence of an immediate detection, you still send sufficient telemetry to enable retrospective detection.

Microsoft’s security access model 😐 – finding shellcode (John Uhlmann’s Black Hat presentation)

‘https://www.youtube.com/watch?v=WpzVhCOcIAc

‘https://www.elastic.co/security-labs/effective-parenting-detecting-lrpc-based-parent-pid-spoofing

There is still a lot going on below the OS level. Updating DBX revocation lists and patching firmware exploits takes time. This video has a good overview of security rings, UEFI and vulnerabilities in firmware update tools:

Exploiting SMRR mitigations (abusing S3 sleep – cache poisoning to write to SMRAM)

‘https://www.youtube.com/watch?v=u8V4ofWpHZk&t=1395

“Accessing the SMRAM is restricted to SMM only and any attempt to access it from other, less privileged rings, will be blocked by the hardware. Same holds for DMA access. To safeguard against adversaries attempting to reconfigure these registers, the D_LCK bit in the SMRAMC register was introduced. D_LCK, which is located in the DRAM controller, locks down these registers until the next system reset.”

Abusing S3

‘https://medium.com/@RingHopper/the-ringhopper-saga-chronicles-of-the-cores-peripherals-and-a-sneaky-vulnerability-4a6d068a3e9c

AMI created a few utilities to wrap and facilitate the communication with some SMM features.

‘https://medium.com/@RingHopper/conquering-the-user-land-achieving-code-execution-in-smm-in-the-dominion-of-ringhopper-7a38f5ec7faa

ResearcherZero January 17, 2024 9:44 AM

a long time

There is some Red Tape regarding ‘divers in the water’. Don’t ping ’em.

OTR, this happened before, in the past. There were no Japanese boats anywhere even remotely near the vicinity. No one died then either and it was put down as an accidental one-off incident. Inexperienced captain? Any confusion regarding seafaring rules was clarified.

‘https://www.abc.net.au/news/2024-01-17/beijing-points-finger-at-japan-warship-sonar-attack/103354026

Winter January 17, 2024 10:19 AM

Movies are all wrong. The hero who saves the world gets ridiculed, if she is lucky, and does not end up in jail or killed.[1]

Now 20 years ago, the IT world prevented the world from collapsing. They are still chastised for succeeding.

At the time, I worked next to a specialist who was correcting the complete parts database to ensure the company would still be able to operate in 2000. He succeeded in time, nothing happened.

Still, many, many people claim any avoided disaster was not really a threat.

The ‘nothing-happened’ Y2K bug – how the IT industry worked overtime to save world’s computers
‘https://www.theregister.com/2024/01/17/y2k_feature/

“On Jan. 1, 2000, when worldwide meltdown was widely forecast by doomsayers like de Jager, absolutely nothing happened,” Cornyn stated in his seemingly unanswerable gotcha tweet, where he tagged the Wall Street Journal for good measure.

Cornyn’s outburst may be symptomatic of a breed of self-righteous populism to take root on both sides of the Atlantic in the latter years of the last decade, but it has been strongly refuted by computer experts who worked on the problem at the time, including our readers.

[1] Fauci gets 24/7 security.

JonKnowsNothing January 17, 2024 1:14 PM

@Clive, @ResearcherZero, All

re: Post Office Horizon How Did They Do it? P4

@RO: My guess is that Fujitsu oversold, then did a dirty hack to try and meet their sales pitch of “3500 transactions per second”.

Fujitsu certainly poured on the marketing slime however, it is the dirty hacks that are of interest.

We all know code is full of bugs, errors and faults that will never come to light, that the majority of code is never run at all. There are core functions that are used 90-100% of the time and there are reports or other processes that are run On Demand, Once A Year or Never Run But Is There.

The curious aspect of the Horizon System is that it was and is such a spectacular failure in even basic processing. It’s like they deliberately inserted every possible code failure as part of the process. Not just the occasional code glitch but serious failures in even basic functioning.

Ex:

@RO: the “Dalmellington Bug”, after the village in Scotland where a post office operator first fell prey to it, would see the screen freeze as the user was attempting to confirm receipt of cash. Each time the user pressed “enter” on the frozen screen, it would silently update the record. In Dalmellington, that bug created a £24,000 discrepancy, which the Post Office tried to hold the post office operator responsible for.

Consider how you would write such a code to implement this behavior?

  1. You need to cause a delay in some part of the system for the screen to freeze. This could be hardware lag, drop in transmission connection or even a hard NoOp loop used for timer.

Today computer lag is a normal problem in computer games but the lag is not from NoOps. It’s a combination of graphics and display updates, rate of data packet exchanges Client-Server and most of it falls on the Window OS and all the crummy stacks and permanent memory management failures which can cause Crash to the Desktop.

But a POS is not supposed to Crash to the Desktop.

  1. You need to setup the UI (in use for the period) so that ENTER/SUBMIT can be bounced multiple times with the same data and same transactional information.

I dunno about Fujitsu mainframes but IBM ones used Page Updates. The entire screen is sent vs Line by Line transmissions.

So is the bounce at the terminal or at the mainframe?

  1. The format of the transaction itself. What types of data did they include but more important what did they omit.

Clearly the system is so bad because they omitted key aspects for such a system. The dirty hacks omitted key information needed to properly process the transactions at the POS Terminal and after the Poll to the Mainframe.

Modern problems with format transactions and faulty transmissions are common. There are the overt ones and the hidden ones.

  • Overt: buying a loaf of bread and the receipt says you bought a case of beer.
  • Hidden: are much harder to figure out because part of the transaction is missing. AKA we show no record of that transaction.

RL tl;dr

There is a credit card device and software that fits on a smartphone and allows small or mobile vendors to process credit card transactions through specialty companies. It is popular with Farmers Markets, Street Faires, and Mobile Vendors.

1. An email receipt is sent to the buyer.
2. The funds are transferred from the CC to the Vendor
3. The CC balances are updated

This is done by the backend processing of the app service provider.

There can be a glitch in this transaction

1. The customer can get a receipt for payment
2. The Vendor does not get the funds
3. The CC may or may not get updated

When the transaction burps, there is no real way to determine

* What happened
* Where is the Money

hint:
Just because the customer and vendor didn’t get a monetary transaction record, does not mean a transaction did not occur. There is insufficient information for the backend processor to determine WHO got the transaction on POST.

Presuming they use a Transaction Block Lock-Rollback, a 1 sided transaction cannot be processed and no receipt would be sent as it is tied to a completed transaction.

So it’s possible that there can be a glitch in the transmission system.

However a consistent one? One that can be replicated easily? That the fault is not fixed? The UK courts go after the Post Master for this error? That takes some serious programming malware.

The amount of malware in the Horizon system is and was not trivial. The clear intent was to use the errors to extract extra funds from the Post Masters. Effectively robbing them by producing known faulty reports, altering them for court, sending in “expert investigators” to validate the faked data.

These transactions are fake. They did not happen outside of the Horizon processing malware. It siphoned a lot of money.

  • What happened to all that money? (1)

===
1)
HAIL Warning

ht tps://arstechnica. com/tech-policy/2024/01/fujitsu-apologizes-for-software-bugs-that-fueled-wrongful-convictions-in-uk/

The Parliament hearing also featured testimony from Post Office Chief Executive Nick Read, who was hired in 2019. According to Sky News, Read “said the company has still ‘not got to the bottom of’ what happened to the cash paid by sub-postmasters and sub-postmistresses in a bid to cover the false financial black holes created by the faulty Horizon software.”

“However, he admitted it is a possibility the money taken from branch managers could have been part of ‘hefty numeration packages for executives,'” the report said.

“It’s possible, absolutely it’s possible,” Read told the committee.
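The two failure modes JonKnowsNothing walks through above, a frozen screen where every extra ENTER silently posts the same transaction again, and a card payment where only one side of the transfer completes yet a receipt still appears, both come down to missing idempotency and missing atomicity. The following is an added example, not Horizon, Fujitsu or any card processor’s code: a naive ledger that applies every submit it receives, a hardened ledger keyed on a terminal-generated idempotency key, and a two-sided settlement that only produces a receipt once both legs have committed. The branch name, amounts and the vendor-unreachable failure are constructed for illustration.

```python
"""Idempotent submits and all-or-nothing settlement (added example, not Horizon code)."""
from dataclasses import dataclass
import uuid


@dataclass
class Submission:
    branch: str
    amount_pence: int
    idempotency_key: str   # generated once by the terminal per user action


class NaiveLedger:
    """Applies every submission it receives, which is the bug as described:
    each ENTER on a frozen screen becomes a fresh posting."""
    def __init__(self):
        self.balances = {}
        self.journal = []

    def submit(self, s):
        self.balances[s.branch] = self.balances.get(s.branch, 0) + s.amount_pence
        self.journal.append((s.branch, s.amount_pence))
        return "OK"


class IdempotentLedger:
    """Remembers the result per idempotency key, so a resent submission is
    acknowledged again but never applied twice."""
    def __init__(self):
        self.balances = {}
        self.journal = []
        self.seen = {}   # idempotency_key -> result already returned

    def submit(self, s):
        if s.idempotency_key in self.seen:
            return self.seen[s.idempotency_key]   # replay: same answer, no new effect
        self.balances[s.branch] = self.balances.get(s.branch, 0) + s.amount_pence
        self.journal.append((s.branch, s.amount_pence, s.idempotency_key))
        result = f"OK:{s.idempotency_key}"
        self.seen[s.idempotency_key] = result
        return result


def frozen_screen_replay(ledger, branch, amount_pence, presses):
    """Simulate a user pressing ENTER `presses` times on a screen that looks
    frozen: the terminal resends the identical submission each time.
    Returns (branch balance, number of journal entries)."""
    s = Submission(branch, amount_pence, idempotency_key=str(uuid.uuid4()))
    for _ in range(presses):
        ledger.submit(s)
    return ledger.balances[branch], len(ledger.journal)


class Account:
    def __init__(self, balance_pence):
        self.balance = balance_pence


def settle(card, vendor, amount_pence, vendor_reachable=True):
    """Two-sided settlement: debit the card and credit the vendor together, or
    roll both back. The receipt is only created for a fully committed transfer,
    so a one-sided transaction cannot produce one. `vendor_reachable=False` is a
    constructed way of injecting the failure of the second leg."""
    snapshot = (card.balance, vendor.balance)
    try:
        card.balance -= amount_pence
        if not vendor_reachable:
            raise ConnectionError("vendor leg failed")
        vendor.balance += amount_pence
    except ConnectionError:
        card.balance, vendor.balance = snapshot   # rollback both legs
        return None
    return {"receipt": f"paid {amount_pence}", "card": card.balance, "vendor": vendor.balance}


if __name__ == "__main__":
    # Constructed scenario: ten presses of ENTER on a frozen screen.
    print("naive     :", frozen_screen_replay(NaiveLedger(), "Branch-A", 2400, 10))
    print("idempotent:", frozen_screen_replay(IdempotentLedger(), "Branch-A", 2400, 10))
    print("settled   :", settle(Account(10000), Account(0), 500))
    print("one-sided :", settle(Account(10000), Account(0), 500, vendor_reachable=False))
```

The key point is that the idempotency key is minted by the terminal when the user starts the action, not by the server when it receives a message, so the server can recognise the tenth ENTER as the first one resent rather than as ten sales.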

Clive Robinson January 17, 2024 4:11 PM

@ Winter, ALL,

Re : The ghost of Y2K and other clock roll overs.

“Still, many, many people who claim any avoided disaster was not really a threat.”

I remember Y2K well, and my predictions from the previous century still hold true…

I predicted in the early 1990’s publically when asked in a QA forum,

1, That next to nobody would do anything about Y2K till it was nearly to late.

2, Then due to supply and demand issues the price of programmers to trawl through code that should have long been retired would be ten times or more what they were earning then.

But the article in The Register is wrong about first mention of what became Y2K and it was certainly known to be an issue in the 16th Century[1] (the usual journalist failure to research thoroughly). For instance it was in an article in 1962 in the ACM journal (My father was a member and had kept the journal concerned).

The basic reason Y2K happened was always money, and even though told over and over, the money men still want vengeance (for their own avarice and stupidity). That is they still want vengeance for what they see as rightfully their wealth being stolen from their very pocket (with mentalities like that it’s actually incredible that engineers are allowed to keep the world turning 😉

What was noted back in 62 was that the price of a digit of storage (actually a nibble not a byte) was dropping and it would be wise to fix the two digit year codes… Based on what had happened with yup one digit codes.

Some might remember the “Unix Epoch” and binary integer overflow is due in the not too distant future…

Was Y2K a cause for alarm? Both yes and no which is why some people still bleat about “Conspiracy”. However I saw what happened with a “data overflow” for real back earlier than that.

Electronic locks in hotels have real time clocks in to lock guests out when they have “over stayed”. I had joined an electronic lock company (Uniqey) as a “fireman” because the entire technical staff had resigned and left… Their reason being the man (Leon) who took over the running of the company, a short fat toad of a man, was basically “venal and stupid” with a healthy portion of shouty narcissism and as I later discovered cowardice. He had made money in the “Rag Trade” and somehow he and his equally toady wife thought that meant he could run a failing technology company… And they bought the company without listening to the warning signs. He sacked all but the two technical managers and farted loudly on his throne on first ascending (or so the story went)…

Well the engineers knew what the managers did not, that the real time clock in the lock was a kludge… They had even gone as far as removing the comments in that area from the assembler source code…

And I had read through the cryptic code and finally worked out what was going to happen and when. By this time I’d brought a friend (Peter) on board and we talked the impending disaster over and realised that there was no way it was going to get fixed in the current MK2 locks as they used real Diode PROMS not EPROMs so were effectively “scrap”.

The obvious solution of reset the realtime clock had the obvious security flaw that old key cards would not just open the lock, it would due to another software “feature” reset the lock clock to a date equivalent to the day the card was issued…

I finally realised that there was a deliberate hole left by the previous engineers. Which was “Change the Hotel ID” and dip the locks with a special engineering setup master key.

The day arrived and it was a Monday and not much later calls hit the help desk way early in the morning and “Panic Mode” started. Both Peter and myself had ensured we would not be carrying the pagers (yup Leon was so tight he had cancelled all but two “on call” pagers that got passed from person to person around the maintenance people and the “designated driver”).

Hotels all over the world were getting doors locking and refusing to open. Guests were not happy and let hotel staff feel it and the pain concentrated as it rose up the Hotel management…

I’d as usual gone across to Peter’s house for the “Shared ride” that enabled him to claim “Petrol” from Leon… We were sitting there drinking a cup of coffee and taking it gently. When the phone rang. We’d already told Peter’s wife (Isabel) who is South American and feisty with it what was going on. As she hated both Leon and his wife who were frankly racists she was all set up to deal with it… She told the Project Manager (Easy) we had already left for the office as it was a “bad morning” according to the traffic news… As we finished our second cup we decided the traffic would have started dying down so were about to go. When the phone rang again, it was Leon using his loudest shoutiest management style. Isabel told him we were not there as she had already told Easy and that she was hanging up as she was late for a hospital scan…

So off we went and dropped Isabel off at her friends house on the way.

We arrived at the Office in Park Royal and it was mayhem… I had the joy of telling Leon in my loudest voice to “Shut up” as he was “pouring oil on the fire” and that he “Should be talking to customers”. And I spoke to Easy and we “took command”.

Well with Leon shut in his office taking calls from angry people way above his pay grade and quietly spoken words from me and Easy the mayhem subsided. I told Peter to break out the code and Easy told the maintenance manager (Mike) to carry on the testing he had started to see if worse was going to happen.

Well Peter sat there with another cup of coffee and looked studiously at his computer screen, printed out snippets of code and drew all over them with pencil and highlighters. I started going through our options with Easy and pointed out that we really needed to get the Mk3 lock out of “development” as a matter of urgency. We popped in to see what Mike was doing test wise, and I was impressed he’d got his team working the problem in an unflustered way.

Easy and I went back into find solutions mode in his office and things settled down.

After an hour or so Mike came in and said that he had discovered another “clock bug” that would happen in about a months time.

We went in to see Peter who confirmed the second bug and went through a convoluted explanation of what he was finding so we left him to it. Shortly thereafter Peter came in and with a solemn face announced that the code had been rigged with logic bombs…

The three of us discussed the issue. Peter pointed out that the locks were PROM based and could not be reprogrammed to remove the logic bomb, but pointed out the Front Desk Unit (FDU) was, so if we reset the clocks in the locks and updated the BBC Basic code running in the FDU’s then we would get the same run of time again in which to find a more permanent solution. To which I said “get the Mk3 out” is realistically the only solution.

Mike came in at that point and confirmed he’d found another clock bug and Easy told him what Peter had suggested. Mike said it would not work because he’d already tested what an old card reused would do… At this point I said to Mike how did the maintenance/installation team set up for a new hotel or account for time zone changes and as though on cue he mentioned the engineering master key…

I then said “If we change the Hotel ID?…” Mike said it would not be a problem, someone would have to walk it through every lock with the “Security override device” (a modded Psion Organiser) but it would work, but the FDU would display the wrong time. Easy looked crestfallen and I pointed out that even he could fix that as it was just a line in the display code in the FDU… So the plan was on.

Mike went to his office to type up instructions for the Hotel Security Staff to do the engineering reset and I went with Easy into my office where I had a print out of the FDU code I was already working on to change the mag-stripe reader/writer for the new Mk3 development.

I showed Easy the lines of code that needed changing and how to do it from the FDU keyboard. As I indicated the problem would be not getting people in, but once it was known how to keep them out. So two patches had to be written and added by hand. Of the two adding the extra “future lock out” was the hardest.

Anyway by late afternoon we had things written and tested and the Novotel Hotel in Hammersmith had us and the maintenance team descend on it and we talked their security staff through it… They had no problems so it got a roll out to two other London hotels by fax and phone and they went OK so it went global…

So yeh clock overflow is a very real issue with very real consequences that almost always happens due to poor management choices usually based on fiscal reasons.

Oh I mentioned my public prediction… Well in the audience was someone who worked for British Gas… He was their head of IT and he’d also realised that the clock roll over was going to be an issue.

He’d already started in on a “two stage fix” the first was to do a clock roll back to buy plenty of time. The second was to go through every system and ensure everything went to a four digit year.

He jokingly said he’d taken the advice at the bottom of a DEC Unix Man Page about how even Unix would be fixed by 9999.

Well as we know most *nix OS’s are now 64bit so…

But he and I had a chat and we both had realised that clock roll over is always going to happen at some point, and always had throughout the history of “time” and mostly it did not matter[1]. But also unlike nearly everyone else in the IT community he knew about “leap centuries” which Y2K was one (the second real Y2K problem).

Funny thing is nobody really talks about the potential for screw ups with leap seconds twice a year. That have to allow for them to be both incrementing and decrementing in unpredictable ways. Which can seriously mess things like financial systems, communications, computer logs and forensics up[2].

Put simply clock roll over is going to happen and you have two basic choices.

1, Live with it.
2, Mitigate it.

Both have fiscal costs and those self interested self entitled types make elephants look like they have short memories.

The thing is the place in the world where clock rollover was the most serious is where what we now call neo-cons with their very short term “don’t leave money on the table” mantras are actually their own worst enemies and if the World Economic Forum membership is indicative most are in the West with most of them in the US…

[1] Until the 20th Century and steam and navigation tables clock issues only really mattered in people’s minds. Especially when the Pope stole 10 days of people’s lives in the 16th century, apparently there was rioting and effigy burning and a religious schism that still exists… As the Encyclopedia Britannica puts it,

“After years of consultation and research, Pope Gregory XIII signed a papal bull in February 1582 promulgating the reformed calendar that came to be known as the Gregorian calendar.”

Which importantly had a sensible fix for the ~365.25 days in the year problem with “leap years” every four years and “leap Centuries” every four centuries.

[2] The leap second was introduced in the 1970’s and has been controversial in its entire existence and will only get worse as we “move into space”…

As Wikipedia puts it,

“This practice has proven disruptive, particularly in the twenty-first century and especially in services that depend on precise timestamping or time-critical process control. And since not all computers are adjusted by leap-second, they will display times differing from those that have been adjusted. After many years of discussions by different standards bodies, in November 2022, at the 27th General Conference on Weights and Measures, it was decided to abandon the leap second by or before 2035.”

So “watch this space”…
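The three rollover mechanisms in the comment above (two-digit year arithmetic going negative at 99→00, the leap-century rule that made 2000 a leap year, and the signed 32-bit Unix epoch counter wrapping in 2038) can all be shown in a few lines. This is an added worked example, not code from the comment or from any product it mentions; the pivot year used to window two-digit years is an assumption chosen for illustration.

```python
"""Clock rollover worked example (added here, not the comment's code)."""
import datetime

UTC = datetime.timezone.utc
EPOCH = datetime.datetime(1970, 1, 1, tzinfo=UTC)


def is_leap(year):
    """Gregorian rule: every 4 years, except centuries, except every 400 years.
    This is the 'leap century' that made 2000 a leap year but not 1900 or 2100."""
    return year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)


def naive_elapsed_years(yy_from, yy_to):
    """Two-digit year subtraction as a pre-Y2K program would do it."""
    return yy_to - yy_from


def expand_two_digit_year(yy, pivot=70):
    """Window a two-digit year into a century. pivot=70 is an assumed policy:
    70..99 -> 1970..1999, 00..69 -> 2000..2069. Any window only defers the
    problem; it does not remove it."""
    return 1900 + yy if yy >= pivot else 2000 + yy


def windowed_elapsed_years(yy_from, yy_to, pivot=70):
    return expand_two_digit_year(yy_to, pivot) - expand_two_digit_year(yy_from, pivot)


def to_int32(n):
    """Reinterpret an integer as a signed 32-bit value (two's complement wrap)."""
    n &= 0xFFFFFFFF
    return n - (1 << 32) if n & 0x80000000 else n


def epoch_after(seconds, bits=32):
    """The UTC time a time_t counter of `bits` bits would report after
    `seconds` since the epoch. With 32 signed bits the counter wraps at 2^31."""
    value = to_int32(seconds) if bits == 32 else seconds
    return EPOCH + datetime.timedelta(seconds=value)


if __name__ == "__main__":
    print("1900 leap?", is_leap(1900), " 2000 leap?", is_leap(2000), " 2100 leap?", is_leap(2100))
    print("naive 99 -> 00:", naive_elapsed_years(99, 0), "years")
    print("windowed 99 -> 00:", windowed_elapsed_years(99, 0), "years")
    print("last 32-bit second:", epoch_after(2**31 - 1).isoformat())
    print("one second later  :", epoch_after(2**31).isoformat())
    print("same, 64-bit      :", epoch_after(2**31, bits=64).isoformat())
```

The windowed function is the "roll the clock back to buy time" approach from the British Gas anecdote expressed in software; the four-digit year (the second stage of that fix) is what actually retires the defect, just as 64-bit time_t retires the 2038 wrap rather than moving it.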

Clive Robinson January 17, 2024 4:32 PM

@ JonKnowsNothing, ResearcherZero, All

Re: Post Office Horizon

Why do things happen… well one reason is “technology changes” as development happens.

Back when Horizon was being developed the World Wide Web not only happened so did “Data Warehousing” and the infamous “middle ware”…

Security went to pot when “Business logic” including authentication got “moved off of providers servers to users desktops”.

Worse as I repeatedly cautioned in the early to mid 1990’s,

“The Web is stateless by design, don’t force state where it does not belong”

But I got either blank looks or some numpty pretending to be “Bob the Builder” singing the “Can we fixit…” theme tune designed for pre-schoolers,

“Bob the Builder! Can we fix it? Bob the Builder! Yes, we can!”

Only the numpties took “Bob the Builder!” out so it would appear they were adults…

You can almost guarantee that “webification became a consideration” for Fujitsu and the on going Horizon contract. And that changes were made in anticipation of more lucrative work by Fujitsu staff…

The result would almost certainly be changes in business logic and the SNAFU’s that causes…

JonKnowsNothing January 17, 2024 6:23 PM

@Clive, @ Winter, ALL,

Re : The ghost of Y2K and other clock roll overs

RL tl;dr

I watched while the approaching Y2K cliff got nearer and nearer and nary a manager nor executive would deal with the problem. No matter how many slides and presentations got done and committee reviews and departmental get-togethers happened, not a line of code got changed because…

  • Mantra: too expensive, too many man hours, other products higher priority

Along with

  • Mantra: Cannot change existing architecture and legacy system supports

I was fortunate to evade the initial onslaught and avoided the horrendous conditions in the open bull pens where all you could hear was the screaming of the assigned programmers to

  • Fix it NOW

Later I had a contract with a telecom company and was assigned an odd bit of a problem, that no one else had ever fixed. Which was odd in itself, because there were many excellent programmers at the company, all of whom could have fixed the “obvious” error.

Except, it wasn’t obvious what the problem was, until after digging 6 weeks into tracking and tracing code and test results I realized

  • Fk it’s a Y2K problem

I fixed it but it was a huge mess to deal with deployment as the fix had to be slammed in, at the same time, across all the customers, and all the devices, on the telecom network.

  • Time is not what you think it is

lurker January 17, 2024 7:45 PM

@JonKnowsNothing
re, Horizon timing “lag”

Dalmellington, a village in Scotland – stop right there. As a longtime sufferer of being the last connection on an overstretched line, I’ll propose “unexpected” network delay. No bets accepted on whether anybody actually measured ping times on any remote sites; nor on quite a few not so remote sites during peak traffic times; nor on whether those times fitted inside some arbitrarily “acceptable” time window for transactions to complete.

Of course transactions should complete within a reasonable time, or be cancelled. Not blindly accepted at one end without the other end knowing. This saga just reinforces my contempt for that species of Salespeople who avoid responsibility for product performance by avoiding any knowledge of how the product works.

We are on your side January 17, 2024 7:58 PM

Something odd showed up, in terms of censorship against implied peace pacts.

For some odd reason, every recent edition of “Isis Veiled” by “Tear Garden” that I find online (unlike the CD edition) has the lyrics deliberately sabotaged out of intelligibility during the portion of the song desperately stating:

“We are always on your side, we’re always on your side”
“WE ARE ON YOUR SIDE!!!!”

I bought and owned the album during the 1990s and again later on in life and specifically played it in heavy rotation for myself (on compact disc).

Someone is trying to hide the peace lyrics from the contemporary masses in my opinion.

Censorship is not helpful during diplomatic reconciliation.

JonKnowsNothing January 17, 2024 9:16 PM

@lurker, All

re: Horizon timing “lag”

Dalmellington, a village in Scotland – stop right there. As a longtime sufferer of being the last connection on an overstretched line, I’ll propose “unexpected” network delay.

I would expect that was a significant reason for a “delay” in transmissions; lots of places have poor or no connections and the 1990s over the wire lines were not great and leased lines might not have been viable which won’t prevent the odd squirrel from gnawing through the wires.

When sending packets of data there is often a READY START DATA STOP CHECK sequence. You verify the connection is active, you send a starting transmission msg, a data hunk(s) and a stop-end msg with a validation check.

The exact method depends on if you are sending a telco packet or a mainframe page and is generally handled in the Communications Subsystem for the device(s) with the handshake negotiated between sender and receiver. A programmer writing the data exchange often doesn’t have to do much with that aspect as the system will place the proper wrappers and chop the data into the appropriate hunks, calculate the number of packets and insert the CRC validation for them and transmit the ACK-NAK exchanges.

So how did they do it?

If you start the transmission and the line goes dead, the sender and receiver times out or it fails on the ACK-NAK

The transmission is not marked completed and a new session is attempted.

There would be a new session ID although the data segments would be the same.

The transmission is not duplicated because the first one completely collapsed and the buffers reset on both sides.

(1) in 2008, a glitch in a system called CABSProcess, which automatically summarises a post office’s transactions at around 7pm daily, resulted in users working at the same time having balancing issues.

The system did not make post office operators aware of the problem, an issue Barnes said was referred to as “silent failure”. [Gerald Barnes, a software developer at Fujitsu since 1998]

“The failure was silent to the postmaster,” he said. “Although it was available [to Fujitsu] in the event log and to diagnosticians. The operator at the Post Office branch would not know anything had gone wrong.”

At first Fujitsu did not look to fix the issue due to its “rarity”, but it eventually did when it became “a higher priority with the [Post Office],” according to an internal Fujitsu email, when it appears to have emerged that the issue affected 195 branches.

In his witness statement to the inquiry, Barnes said that the glitch “highlights a problem that could easily be caused by another system at any time of day.

It would appear that their data exchange method did not differentiate between files or systems. They grabbed whatever was in the transmit buffer without validating the file was closed and flagged for transmit. They pulled different files into the same upload sequence merging Stamp Sales and Postage Charged Sales without anyone noticing they missed the EOF markers.

When the data hit the Fujitsu Horizon System they processed the invalid data into whichever file bucket came first in their splitter processing.

When the splitter burped they could see in their error logs that they lost the tail end of the transmission but didn’t bother to tell anyone.

Except they didn’t lose the tail end, they lost the whole dog.

They kept buying Dog Chow, so no one noticed Fido was gone.

===

1)
HAIL Warning

ht tps:/ /w ww.theguardia n.com/uk-news/2024/jan/17/post-office-inquiry-fixing-horizon-bugs-fujitsu-developer-gerald-barnes

  • Fixing Horizon bugs would have been too costly
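The framing failure described above, as an added example that is not part of the original post or of anything from the Horizon inquiry: a toy end-of-day “splitter” that receives two branch files back to back. The record format (`BEGIN <file> <session>` … `EOF <file> <count>`), the file names and the two sample uploads are constructed for illustration. The naive version swallows a stream whose first file was never closed, merges the second file into the first bucket, writes a note only to its event log and still ACKs; the checked version refuses the batch and NAKs, so the sender opens a new session and resends.

```python
# Added example (not from JonKnowsNothing's post or from the Horizon inquiry):
# a toy end-of-day "splitter" for a branch upload. The record format, the
# file names and the sample uploads are constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class Batch:
    buckets: dict = field(default_factory=dict)     # file name -> amounts
    event_log: list = field(default_factory=list)   # what only diagnosticians see
    accepted: bool = True                           # what goes back to the branch


# Constructed upload where the sender grabbed the transmit buffer before
# StampSales was closed: its EOF marker never made it into the stream.
UPLOAD_TRUNCATED = """\
BEGIN StampSales S1
12.50
3.00
BEGIN PostageCharged S1
7.20
1.10
EOF PostageCharged 2
"""

# The same two files, both properly closed.
UPLOAD_OK = """\
BEGIN StampSales S1
12.50
3.00
EOF StampSales 2
BEGIN PostageCharged S1
7.20
1.10
EOF PostageCharged 2
"""


def naive_split(upload: str) -> Batch:
    """Everything after a BEGIN goes into that bucket until some EOF turns up.
    A second BEGIN inside an open file is noted in the event log and dropped;
    the EOF name and record count are never compared. The batch is still
    accepted, so the failure is silent to the operator."""
    batch = Batch()
    current = None
    for lineno, line in enumerate(upload.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("BEGIN "):
            if current is None:
                current = line.split()[1]
                batch.buckets.setdefault(current, [])
            else:
                batch.event_log.append(f"line {lineno}: stray {line!r} inside {current}")
        elif line.startswith("EOF "):
            current = None
        elif current is not None:
            batch.buckets[current].append(float(line))
    return batch


def checked_split(upload: str) -> Batch:
    """Same framing, but every file must be closed by an EOF marker that names
    it and carries the right record count; anything else rejects the batch."""
    batch = Batch()
    current, count = None, 0

    def fail(msg: str) -> None:
        batch.accepted = False
        batch.event_log.append(msg)

    for lineno, line in enumerate(upload.splitlines(), 1):
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "BEGIN":
            if current is not None:
                fail(f"line {lineno}: {current} has no EOF marker")
                break
            current, count = fields[1], 0
            batch.buckets[current] = []
        elif fields[0] == "EOF":
            if current is None or fields[1] != current or int(fields[2]) != count:
                fail(f"line {lineno}: {line!r} does not close {current} ({count} records)")
                break
            current = None
        elif current is not None:
            batch.buckets[current].append(float(line))
            count += 1
        else:
            fail(f"line {lineno}: data outside any file")
            break
    if batch.accepted and current is not None:
        fail(f"upload ended with {current} still open")
    return batch


def reply(batch: Batch) -> str:
    """The ACK/NAK the receiver returns; a NAK makes the sender open a new
    session and resend the same data segments."""
    return "ACK" if batch.accepted else "NAK"


if __name__ == "__main__":
    for name, upload in (("truncated", UPLOAD_TRUNCATED), ("ok", UPLOAD_OK)):
        print(name, "naive:  ", reply(naive_split(upload)), naive_split(upload).buckets)
        print(name, "checked:", reply(checked_split(upload)), checked_split(upload).buckets)
```

On the truncated upload the naive splitter ends up with one bucket, `StampSales`, holding all four amounts and no `PostageCharged` bucket at all, with the only trace of the problem sitting in its event log; the checked splitter stops at the second `BEGIN`, keeps nothing it cannot vouch for, and returns a NAK.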

ResearcherZero January 18, 2024 12:52 AM

@JonKnowsNothing

It would appear that their data exchange method did not differentiate between files or systems. They grabbed whatever was in the transmit buffer without validating the file was closed and flagged for transmit.

I figured it would have to be something along those lines.

A chap was using one of those credit card devices with his phone down in a little fishing village, which has pretty poor mobile access. I hope that mushroom farmer got the money for the large bag of dried powdered mushroom and all those other mushrooms I purchased at the farmers market. The transaction appeared to work on my end at least. 🙂

Modified UPX shell, dynamic linking, OLLVM compilation, anti-debugging mechanisms, and encrypted hosts…

“Once installed, these devices transform into operational nodes within their illicit streaming media platform, catering to services like traffic proxying, DDoS attacks, OTT content provision, and pirate traffic. The potential for Bigpanzi-controlled TVs and STBs to broadcast violent, terroristic, or pornographic content, or to employ increasingly convincing AI-generated videos for political propaganda, poses a significant threat to social order and stability.”

Our tracing efforts have indeed been fruitful, revealing significant evidence pointing towards a company…

‘https://blog.xlab.qianxin.com/bigpanzi-exposed-hidden-cyber-threat-behind-your-stb/

pandoraspearrk is itself an Android.Pandora.2 trojan

‘https://news.drweb.com/show/?i=14743

Want to separate your TV, cameras and home appliances from the rest of your home network?

VLANs: Network Topology and The OSI model (isolating and segmenting network traffic):

‘https://www.youtube.com/watch?v=9fLwFKGvmAY

ResearcherZero January 18, 2024 12:57 AM

Spyware Detection

“As a prerequisite, the user needs to generate a sysdiag dump and extract the archive to the analysis machine.”

The log file is stored in a sysdiagnose (sysdiag) archive. …found in the OS general settings, specifically under “Privacy and Analytics”. Once the archive is unpacked, the Shutdown.log file is located within the “\system_logs.logarchive\Extra” directory.

Malware execution originating from “/private/var/db/” seems to be consistent across all the infections we’ve seen, even if the process names are different. This is also true for another mobile malware family, Predator, where a similar path, “/private/var/tmp/”, is often used. …but the user needs to reboot first for it to show up in the log.

If a “client” process is still running when the reboot activity begins, it is logged with its process identifier (PID) and corresponding filesystem path. Py3 Scripts:

‘https://securelist.com/shutdown-log-lightweight-ios-malware-detection-method/111734/

“While subridged is the name of a legitimate iOS executable, the legitimate subridged would not be launched from the /private/var/db/com.apple.xpc.roleaccountd.staging/ directory.”

https://citizenlab.ca/2023/04/spyware-vendor-quadream-exploits-victims-customers/

MediaPi masquerades as Windows Media Player

‘https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
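The Shutdown.log check described in the post above, as an added example rather than Kaspersky’s own scripts: pull the “remaining client” entries out of the log and flag any executable started from the `/private/var/db/` or `/private/var/tmp/` prefixes named above. The sample log lines are constructed in the shape of that file (`remaining client pid: <pid> (<path>)`); the `subridged` staging path is the one Citizen Lab reported, the `/private/var/tmp/updater_helper` entry is made up for the example.

```python
# Added example, not Kaspersky's own script: parse "remaining client" lines
# from an iOS Shutdown.log and flag executables launched from the staging
# and temp prefixes discussed above. SAMPLE_LOG is constructed; only the
# subridged path comes from the Citizen Lab report.
import re
from dataclasses import dataclass

SUSPICIOUS_PREFIXES = ("/private/var/db/", "/private/var/tmp/")

# Paths may contain spaces, so match up to the closing parenthesis.
CLIENT_RE = re.compile(r"remaining client pid:\s*(?P<pid>\d+)\s+\((?P<path>[^)]+)\)")

SAMPLE_LOG = """\
SIGTERM: [0x0] remaining client pid: 102 (/usr/sbin/wifid)
SIGTERM: [0x0] remaining client pid: 233 (/usr/libexec/securityd)
After 3 ms, clients were still remaining
SIGTERM: [0x2b] remaining client pid: 871 (/private/var/db/com.apple.xpc.roleaccountd.staging/subridged)
SIGTERM: [0x2c] remaining client pid: 903 (/private/var/tmp/updater_helper)
"""


@dataclass(frozen=True)
class Hit:
    pid: int
    path: str
    lineno: int


def clients(log_text: str):
    """Every process the log records as still running when the reboot began."""
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = CLIENT_RE.search(line)
        if m:
            yield Hit(int(m.group("pid")), m.group("path"), lineno)


def find_suspicious(log_text: str) -> list:
    """Hits whose executable lives under a prefix legitimate daemons are not
    launched from. A real run would add an allow-list for any known-good
    entries seen under these prefixes (assumption: none here)."""
    return [h for h in clients(log_text) if h.path.startswith(SUSPICIOUS_PREFIXES)]


def recurrence(log_text: str) -> dict:
    """How many reboots each suspicious path survived into; a path that keeps
    showing up across reboots is the stronger indicator."""
    counts: dict = {}
    for h in find_suspicious(log_text):
        counts[h.path] = counts.get(h.path, 0) + 1
    return counts


if __name__ == "__main__":
    for h in find_suspicious(SAMPLE_LOG):
        print(f"line {h.lineno}: pid {h.pid} started from {h.path}")
```

Feed it the `Shutdown.log` pulled out of the sysdiagnose archive at the path given above; as the post notes, entries only appear after the device has actually been rebooted, so an empty result on a never-rebooted phone means nothing.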

&ers January 18, 2024 10:37 AM

@ALL

hxxps://arstechnica.com/tech-policy/2024/01/film-studios-demand-ip-addresses-of-people-who-discussed-piracy-on-reddit/

Clive Robinson January 18, 2024 12:03 PM

&ers, ALL,

Re : Desperate –lack of– times, call for desperate measures…

The film studios, through a chain of effectively shell companies to avoid their own potential liabilities, are trying to deny “First Amendment” protections.

And near everyone including the courts has told the film companies’ lawyers to “take a hike”.

The film companies are not happy because they are being denied what they see, in their self-entitled way, as their “Entitlement by Right” over anyone else’s rights.

Because everyone has told the studios’ legal team to go take a flying one at themselves to send a message to the psycho corporate execs who cheat every tax and legal financial request (see “Hollywood Accounting”)… The execs have had their nose repeatedly put out of joint and are now being run out of time.

Worse, the anonymous people the execs are trying to get the names of apparently have not said or done anything directly relating to the studios.

In short it appears from what is said that the film execs are fishing for what at its very best is worthless “hearsay” from voices in a crowd… And in their “Might is Right” self-entitlement the execs are determined to trample over private individuals’ fundamental rights without reasonable or potentially any cause other than the execs’ own greed, in a pursuit without actual cause supportable by any tangible evidence…

Perhaps the execs and their legal team should all be stripped of any and all anonymity including all financial transactions of them and their employers as both punishment and example (see what happened with the “Panama Papers”).

What was it the Bible had to say about casting stones and sin…

At least that way the taxpayer may benefit…

Clive Robinson January 18, 2024 3:20 PM

@ Bruce, ALL,

Colossus 80th Birthday photo release.

It appears GCHQ has opened an archive vault and decided that the results of the bleeding edge work of Tommy Flowers should finally see the light of day.

“The intelligence agency is publishing them to mark the 80th anniversary of the device’s invention.

It says they “shed new light” on the “genesis and workings of Colossus”, which is considered by many to be the first digital computer.”

https://www.bbc.co.uk/news/technology-67997406

Marina Loiseau January 18, 2024 5:37 PM

Here is a list of 14 security-oriented Linux distros.

https://www.tecmint.com/best-security-centric-linux-distributions/

The description of each is brief; however, it’s unfortunate that for some items the Tor network is highlighted as the security advantage. Tor is not what makes a distro secure.

The final one, ‘TENS : Trusted End Node Security’ is produced and maintained by Air Force Research Laboratory’s Information Directorate, of the United States Air Force.

What linux distro do you consider a sufficient balance of usability and security?

Which one would you recommend to someone, desiring security, yet not as technically literate as yourself?
Knowing that, if the learning curve is too steep they’ll give up.

ResearcherZero January 19, 2024 4:26 AM

&ers, Clive, ALL

They are employing services from a company called BranditScan

‘https://torrentfreak.com/reckless-dmca-deindexing-pushes-nasas-artemis-towards-black-hole-231226/

BranditScan cannot differentiate between a word, a brand, and piracy.

“All of those posts were non-infringing and completely unrelated to the original content.”

‘https://torrentfreak.com/star-trek-fan-blog-triggers-new-entry-in-automatics-dmca-hall-of-shame-231120/

Piracy rates have gone down. Profits are up. They are probably bored and also sad that they had to pay their staff, the writers and actors a little bit of that profit. 🙁

They also have launched legal action to block domains at the DNS level in a number of countries. Which is stupid. Like demanding Google deindex references to the word “Artemis”. Including NASA, a child abuse prevention project and anything else called Artemis.

forks of your public repository can potentially run dangerous code on your self-hosted runner machine by creating a pull request that executes the code in a workflow

“Self-hosted runners are build agents hosted by end users running the Actions runner agent on their own infrastructure. By default, when a self-hosted runner is attached to a repository or an organization runner group that a public repository has access to, any workflow running in that repository’s context can use that runner.

For workflows on default and feature branches, this isn’t an issue. Users must have write access to update branches within repositories. The problem is that this also applies to workflows from fork pull requests – this default setting allows any contributor to execute code on the self-hosted runner by submitting a malicious PR.

If the self-hosted runner is configured using the default steps, it will be a non-ephemeral self-hosted runner. This means that the malicious workflow can start a process in the background that will continue to run after the job completes, and modifications to files (such as programs on the path, etc.) will persist.”

‘https://www.praetorian.com/blog/tensorflow-supply-chain-compromise-via-self-hosted-runner-attack/
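The runner exposure quoted above, as an added example that is neither Praetorian’s nor GitHub’s code: a small audit that takes a workflow already loaded with PyYAML’s `safe_load` and reports every job that would run on a `self-hosted` runner while the workflow is triggered by `pull_request` or `pull_request_target`, unless the job carries the usual same-repository guard in its `if:`. The three workflow dicts are constructed in the shape `safe_load` produces (including the YAML 1.1 quirk that turns the bare key `on` into `True`); the guard expressions listed are the common ones, not an exhaustive set.

```python
# Added example, not Praetorian's or GitHub's code: audit a workflow for jobs
# that a fork pull request could land on a self-hosted runner. Input is the
# dict PyYAML safe_load produces for a workflow file; the three workflows
# below are constructed in that shape. SAME_REPO_GUARDS is an assumption:
# the usual guard expressions, not a complete list.

FORK_REACHABLE = {"pull_request", "pull_request_target"}

SAME_REPO_GUARDS = (
    "github.event.pull_request.head.repo.full_name == github.repository",
    "github.event.pull_request.head.repo.fork == false",
)


def triggers(workflow: dict) -> set:
    # YAML 1.1 parsers (PyYAML included) read the bare key `on` as boolean
    # True, so look under both spellings.
    on = workflow.get("on", workflow.get(True))
    if isinstance(on, str):
        return {on}
    if isinstance(on, (list, dict)):
        return set(on)
    return set()


def uses_self_hosted(job: dict) -> bool:
    runs_on = job.get("runs-on")
    if isinstance(runs_on, str):
        return runs_on == "self-hosted"
    if isinstance(runs_on, list):
        return "self-hosted" in runs_on
    if isinstance(runs_on, dict):            # {group: ..., labels: [...]}
        return "self-hosted" in runs_on.get("labels", [])
    return False


def has_same_repo_guard(job: dict) -> bool:
    cond = str(job.get("if", ""))
    return any(g in cond for g in SAME_REPO_GUARDS)


def audit(workflow: dict) -> list:
    """One finding per job a fork PR could run on a self-hosted runner."""
    risky = triggers(workflow) & FORK_REACHABLE
    if not risky:
        return []
    return [
        f"job {name!r}: self-hosted runner reachable via {sorted(risky)} with no same-repo guard"
        for name, job in workflow.get("jobs", {}).items()
        if uses_self_hosted(job) and not has_same_repo_guard(job)
    ]


# Constructed workflows, as safe_load would return them.
STEPS = [{"uses": "actions/checkout@v4"}, {"run": "make test"}]

WEAK = {
    True: ["pull_request"],                       # `on:` parsed as True
    "jobs": {"test": {"runs-on": ["self-hosted", "linux"], "steps": STEPS}},
}
GUARDED = {
    "on": {"pull_request": {}},
    "jobs": {"test": {"runs-on": ["self-hosted", "linux"],
                      "if": SAME_REPO_GUARDS[0], "steps": STEPS}},
}
HOSTED = {
    "on": ["pull_request"],
    "jobs": {"test": {"runs-on": "ubuntu-latest", "steps": STEPS}},
}


if __name__ == "__main__":
    for label, wf in (("WEAK", WEAK), ("GUARDED", GUARDED), ("HOSTED", HOSTED)):
        print(label, audit(wf) or "ok")
```

The `if:` guard is defence in depth, not the fix: what the quoted text argues for is not attaching a non-ephemeral runner to a public repository at all, and registering runners with the agent’s `--ephemeral` option so that whatever a job leaves behind dies with the job.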

lurker January 19, 2024 2:46 PM

@ResearcherZero
re Yet Another Israeli Spyware, Quadream

The ability to generate iCloud access tokens for arbitrary future dates is interesting. It shows that you shouldn’t do Oauth/2FA/whatever if you can’t do it right.
