Comments

corinne May 31, 2024 8:14 PM

Does anyone know what’s up with the Risks Digest site (“catless”)? Apart from the unknown certificate issuer, which is the error Tor Browser shows, the cert seems to have expired in February. I’m pretty sure that its last post, before it stopped working, was reasonably recent and didn’t include any notice of a pending shutdown.

Wannabe Techguy May 31, 2024 11:02 PM

@ Cybershow
Thanks for that link. Even I could understand it and I was nodding my head in agreement.

finagle June 1, 2024 4:12 AM

I’m just going through a morass of privacy settings and security theatre courtesy of Apple.
My iPad started having problems, so I dusted off an old one and updated it to see which apps would be broken.
Side note, I stopped using iPads in an internet connected way a couple of years ago. I use them now primarily as controllers for photography equipment where the manufacturers prioritise connectivity over functionality. But before that I used to surf on them and so on, till I got to the point where the next software update would stop an app I used daily working because it was no longer supported, but ran the interface for a device I rely on. As the ‘your browser is no longer supported’ began to get annoying, I stopped using the iPad as anything but a dumb controller. I now have 3 (4 when I finish seeing what’s broken, 3 if the lightning connector problems prove terminal) on different iOS versions because it’s more important to me that older unmaintained apps work.
After 2 days… yes 2 days of backing up and failed downloads and re-installing via iTunes (otw is not allowed because of the age of the older version…? wtf?); the first notification I got was that a load of old passwords for sites I never visit had been compromised. Ok. I opened the notification and scrolled through the list. None bothered me, none of the accounts had anything like stored credit cards, or personal info. Till I got to the password for my ISP. Now I’ve had the same ISP since 1995. They have excellent service and are on the cheaper end. The password in question is the one used by my router to set up the ADSL connection. There is no way to change it, and it was set back in 1995 for dialup. It’s on the iPad because I saved it there while swapping out routers years ago. The password is unique. I selected it back in 1995 and it’s a conflation of words and numbers. No special characters, but they weren’t allowed back then. The words in it relate to 2 different hobbies of mine, which do not overlap, and the first part is a fictional word known only to members of that hobby, who number less than 10k worldwide, and having checked is unknown to Google. The next is a technical term that is known to Google, but is again a niche hobby. Apple’s opinion of the password? It’s weak, and it is used by a large number of people worldwide.
Excuse me? It isn’t strong. I’ll concede that, but used by a large number of people? No. Don’t believe you. Here’s a link to change it… No. That link takes me to the homepage of my ISP. It can’t take me to a page to change the password, there isn’t one, largely because passwords for routers are generated nowadays, if they are used at all. But since I’ve been with them so long I pre-date that.
Security theatre? Definitely. Wrong? Definitely. Which makes me distrust the entirety of the rest of the list.
Meanwhile I’m going through the Siri settings manually telling it to not index the content or usage of every single app individually because there is no master kill switch and of course it defaults to scraping every single one. All because I have to have WiFi and bluetooth on to operate my studio.

cls June 1, 2024 5:10 AM

@corinne

Does anyone know what’s up with the Risks Digest site (“catless”)?

Yes. The host, NCL, hasn’t updated the certificate. Use the plain text site instead for now.

‘http://catless.ncl.ac.uk/

Comp.risks is one of my favorites! Enjoy.

What price common sense? June 1, 2024 6:44 AM

@ALL

https://www.bbc.co.uk/news/articles/cq55qrjdlqpo

There is a major fire in Cornwall UK involving ten fire units/crews.

It’s in an ‘Industrial Estate’ and has spread rapidly.

The reason for the rapid spread is way too many flammable materials stacked up in too small an area, duplicated across several Industrial Units without thought.

The rise in the number of such fires indicates that one of

  1. Safety rules are not being followed.
  2. Safety rules are not being enforced.
  3. Safety rules are inadequate.
  4. Safety rules do not exist.

Is an issue that must be addressed.

Because Industrial Units and housing are now being built next to each other due to building land shortages.

All fires produce carcinogens and worse in large quantities that whilst heavier than air are sufficiently buoyant in the heat and updraft of a large fire to spread considerable distance from a fire.

To give people an idea, wood when not burned properly converts about a third of its mass to carcinogenic compounds. Synthetic rubber is way worse, as are petrochemical derived plastics. In fact all of what we are currently told should be “recycled” falls into significant carcinogen producing categories.

Such recycling has what you might call an “inverse supply chain” and like all supply chains it has security concerns.

The result is high density storage of highly volatile materials that, if even a small fire starts, can spread to an entire industrial estate in a short period of time, spewing life harming and endangering chemicals into the air that spread out and contaminate large areas for decades through millennia.

Because recycling is almost always “done on the cheap” people are being not just put at considerable risk but actually harmed for generations.

Whilst this might not be seen as “ICT Security” consider just how much Electronic and Electrical Waste gets “recycled” and very poorly in the process.

corinne June 1, 2024 9:29 AM

@cls, thanks, but most browsers these days have “HTTPS-only” modes and Tor Browser has it enabled by default (and I guess a lot of people reading Bruce’s blog will have enabled it explicitly, maybe in other browsers). So, either way, accessing the site will involve bypassing security warnings. For now, that’s still allowed, but there’s always talk of removing the “easy” ways to do so. Because of the risks, of course; seems ironic.

What price common sense? June 1, 2024 10:26 AM

@corinne
@ALL

“For now, that’s still allowed, but there’s always talk of removing the “easy” ways to do so. Because of the risks, of course; seems ironic.”

I look on it as another less than subtle nudge/push into DRM.

You will shortly see renewed pressure to make “Certificate Revocation” mandatory and likewise the blocking of “Self Signed Certificates”.

Thus taking the access control of a web site away from the site and firmly into the hands of the notoriously questionable “Certificate Authorities”(CAs).

And no I’m not being paranoid, there are already talks occurring on the quiet about making the maximum life of a certificate six months or less. The only reason it’s not happened yet is that the CA industry is hard pressed to keep up with current “year and a month” times.

The other problem is many web sites use older, smaller, more reliable software that cannot do the latest “Key EXchange”(KEX) protocols, and it’s unlikely the demands for ever larger key sizes can be accommodated due to sites being CPU bound.

jelo 117 June 1, 2024 12:54 PM

It is a commonplace that a stopped clock is right once twice a day; but actually any clock (whose hands move continuously) is right at least once twice a day. And, the more erratic, the greater the chance it will be right.

What price common sense? June 1, 2024 3:47 PM

@ALL

Timing attacks on string comparisons

Whilst not new to some, it is one of those things that more often than not cause a “time based side channel” which almost always leak information.

So it is a security concern,

https://www.sjoerdlangkemper.nl/2024/05/29/string-comparison-timing-attacks/

Such time based side channels were discovered before computers with automated cipher systems connected to telegraph/telex lines. It was due to differences between pull-in and drop-back timing on relays, demonstrating just how fundamental comparison operations are in the generation of time based side channels.
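An added example, written for this thread rather than taken from the linked article: two Go comparison functions that report how many bytes they examined. The early-exit version stops at the first mismatch, so its running time depends on how long a correct prefix the caller supplied, which is the side channel the article describes; `subtle.ConstantTimeCompare` from the standard library walks every byte regardless. The secret value is a constructed sample.

```go
package main

import (
	"crypto/subtle"
	"fmt"
)

// naiveEqual is the textbook early-exit comparison. It returns as soon as a
// byte differs, so the number of bytes it examines (and hence its running
// time) grows with the length of the correctly guessed prefix.
// Note that both functions here still reveal whether the lengths match;
// real code compares fixed-length values (e.g. hashes of both sides).
func naiveEqual(secret, guess []byte) (equal bool, bytesExamined int) {
	if len(secret) != len(guess) {
		return false, 0
	}
	for i := range secret {
		bytesExamined++
		if secret[i] != guess[i] {
			return false, bytesExamined
		}
	}
	return true, bytesExamined
}

// constantTimeEqual uses crypto/subtle, whose ConstantTimeCompare always
// processes every byte of equal-length inputs, so the examined count (and the
// time taken) is the same whether the guess is wrong at byte 0 or byte 15.
func constantTimeEqual(secret, guess []byte) (equal bool, bytesExamined int) {
	if len(secret) != len(guess) {
		return false, 0
	}
	return subtle.ConstantTimeCompare(secret, guess) == 1, len(secret)
}

func main() {
	secret := []byte("s3cr3t-api-token") // constructed sample secret, 16 bytes
	guesses := []string{
		"a---------------", // wrong from the first byte
		"s3c-------------", // first three bytes correct
		"s3cr3t-api-toke-", // all but the last byte correct
		"s3cr3t-api-token", // exact match
	}
	for _, g := range guesses {
		_, nNaive := naiveEqual(secret, []byte(g))
		_, nCT := constantTimeEqual(secret, []byte(g))
		fmt.Printf("%-18q early-exit examined=%2d  constant-time examined=%2d\n", g, nNaive, nCT)
	}
}
```

Run it and the early-exit column climbs with each correct prefix byte while the constant-time column stays at 16; that difference in work is what an attacker measures over many requests, and removing it is the whole fix.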

What price common sense? June 1, 2024 4:10 PM

@ALL

There have been comments that “Copilot and Recall” are a security disaster yet fanbuoys bob up and down shilling with delight.

In an article titled

“Stealing everything you’ve ever typed or viewed on your own Windows PC is now possible with two lines of code — inside the Copilot+ Recall disaster.”

Kevin Beaumont indicates just how insecure the system is thus how easy it is to “steal all”. Oh and that in effect Microsoft has “scr@^@d the pouch”

https://doublepulsar.com/recall-stealing-everything-youve-ever-typed-or-viewed-on-your-own-windows-pc-is-now-possible-da3e12e9465e

Kevin is sometimes better known as “GossiTheDog” and is a security researcher of long renown.

vas pup June 1, 2024 4:15 PM

MIT by Eric Schmidt

https://www.technologyreview.com/2024/05/13/1092322/why-america-needs-an-apollo-program-for-the-age-of-ai/

“The global race for computational power is well underway, fueled by a worldwide boom in artificial intelligence. OpenAI’s Sam Altman is seeking to raise as much as $7 trillion for a chipmaking venture. Tech giants like Microsoft and Amazon are building AI chips of their own. The need for more computing horsepower to train and use AI models—fueling a quest for everything from cutting-edge chips to giant data sets—isn’t just a current source of geopolitical leverage (as with US curbs on chip exports to China). It is also shaping the way nations will grow and compete in the future, with governments from India to the UK developing national strategies and stockpiling Nvidia graphics processing units.

Advanced computing is now core to the security and prosperity of our nation; we need it to optimize national intelligence, pursue scientific breakthroughs like fusion reactions, accelerate advanced materials discovery, ensure the cybersecurity of our financial markets and critical infrastructure, and more.

The federal government played a pivotal role in enabling the last century’s major technological breakthroughs by providing the core research infrastructure, like particle accelerators for high-energy physics in the 1960s and supercomputing centers in the 1980s.

First, more dedicated government AI supercomputers need to be built for an array of missions ranging from classified intelligence processing to advanced biological computing. In the modern era, computing capabilities and technical progress have proceeded in lockstep.

US has successfully pushed classic scientific computing into the exascale era with the Frontier, Aurora, and soon-to-arrive El Capitan machines—massive computers that can perform over a quintillion (a billion billion) operations per second. Over the next decade, the power of AI models is projected to increase by a factor of 1,000 to 10,000, and leading compute architectures may be capable of training a 500-trillion-parameter AI model in a week (for comparison, GPT-3 has 175 billion parameters). Supporting research at this scale will require more powerful and dedicated AI research infrastructure, significantly better algorithms, and more investment.

Second, while some may argue for using existing commercial cloud platforms instead of building a high-performance federal computing infrastructure, I believe a hybrid model is necessary. Studies have shown significant long-term cost savings from using federal computing instead of commercial cloud services.

In the near term, scaling up cloud computing offers quick, streamlined base-level access for projects—that’s the approach the NAIRR pilot is embracing, with contributions from both industry and federal agencies. In the long run, however, procuring and operating powerful government-owned AI supercomputers with a dedicated mission of supporting US public-sector needs will set the stage for a time when AI is much more ubiquitous and central to our national security and prosperity.

Third, any national compute strategy must go hand in hand with a talent strategy. The government can better compete with the private sector for AI talent by offering workers an opportunity to tackle national security challenges using world-class computational infrastructure. To ensure that the nation has available a large and sophisticated workforce for these highly technical, specialized roles in developing and implementing AI, America must also recruit and retain the best global students. Crucial to this effort will be creating clear immigration pathways—for example, exempting PhD holders in relevant technical fields from the current H-1B visa cap.

We’ll need the brightest minds to fundamentally reimagine how computation takes place and spearhead novel paradigms that can shape AI for the public good, push forward the technology’s boundaries, and deliver its gains to all.”

What price common sense June 1, 2024 6:16 PM

@ALL

For those with an interest in new “Abstract Data Types”(ADTs) that have a useful purpose

https://github.com/MultiArrayQueue/MultiArrayQueue

To quote the readme

“A new Queue data structure that inherits the positive properties of array-based Queues while removing their main drawback: a fixed size.

The Queue is backed by arrays of Objects with exponentially growing sizes, of which all are in use, but only the first one (with initialCapacity) is allocated up-front.”

The research paper is at

https://multiarrayqueue.github.io/Paper_MultiArrayQueue.pdf

What price common sense? June 1, 2024 7:19 PM

@vas pup

With regard to Eric Schmidt and his US needs an Apollo Programme for AI.

If you read in a little you discover

“The need for more computing horsepower to train and use AI models”

Oh dear that’s a boondoggle pitch to help inflate the LLM bubble.

The Chips we have will not solve the AI issue nor will any that can be conceived of currently.

As for LLMs and current ML, they never will solve AI either. They are a technological equivalent of “A California Sail Boat”, that is,

“A hole in the water into which you pour money and get nothing back except worry of where the next bucket load of cash is going to come from.”

But there is another problem, which is the input data. Contrary to what many think, “scraping the Internet” does not provide much more than garbage input data. Getting quality data free from contamination and repetition to use as a model basis is going to be expensive, very expensive.

If you go to say the Science or other reputable Journals they want a lot of money for what is still low grade data for AI work (science papers are about findings / results not the reasoning that got there, and it’s the reasoning that AI needs not the results).

But we cannot afford, as a planet, current AI; the power and potable water required is immense and we need them for way more important things than machines that produce glorified marketing / management speak spoken by a flaky pot addict (which sadly is what describes the way the Internet reads these days).

The question that nobody is asking because the bubble builders don’t want you bursting it, is

“Is current AI actually ever going to pay its way?”

And the honest answer is

“Did the Dutch black tulip bulb market ever pay, and to whom?”

How about any other of the “Investor bubbles”?

Because that is what Eric’s article is an “Investor pitch using scare tactics”.

corinne June 1, 2024 8:00 PM

@What price common sense?,

You will shortly see renewed pressure to make “Certificate Revocation” mandatory

Shortly? In some sense, it’s already happening: Let’s Encrypt limits certificates to 90-day validity, and (if I recall correctly) there’s been talk of going lower. “OCSP stapling” is a stronger form of this. I kind of doubt that revocation per se will make a comeback.

and likewise the blocking of “Self Signed Certificates”

I wouldn’t be surprised if something like Chromium’s awkward but useful --ignore-certificate-errors-spki-list option were eventually needed, or if the self-signer had to be added as a custom Certificate Authority. I imagine there will always be some way to bypass the Authorities for local testing.

What I wonder is how long unencrypted HTTP will be allowed. I suspect the major browsers will eventually disable it for non-LAN connections, however they define “LAN”. Home router setup normally involves unencrypted HTTP to a 192.168 address, and I’m not sure anyone’s figured out how to make it work with HTTPS and a proper certificate.

ResearcherZero June 2, 2024 2:36 AM

@finagle

It is not how many people use a password, it is its randomness, and hence the ease with which it can be brute-forced, which determines its ease of compromise.

A regular computer today can make tens of billions of attempts per second.

You could try calling your ISP and asking them how to update the password for your account (along with your ISP router). It is also a good idea to set a strong password for the router management login and check that the firmware is up to date for the ISP router. It will take time for the password change to update, so it is best to perform the change when you are not busy. Don’t forget to carefully write down the new passwords clearly and carefully. Normally ISP routers have an option to update the password, but it is best to ask your ISP first how to go about changing the password for your internet account. You might have to supply a bunch of personal information in order to authorise the change.

Failing that, a more costly method, which would disable your internet at least for a few weeks, would be to smash the ISP router to bits, assuming it has a unique password. Then order a new router, which should have a new unique password and it should be more secure.

Passwords under 10 characters are easy to crack regardless of their complexity.

A password under or using 14 characters can be cracked in weeks or months due to the enormous compute power available today. Many passwords under 20 characters will soon be fair game if they lack randomness. There are also other ways of compromising passwords through reuse, redirection, data breaches, or exfiltration techniques through compromised devices or web browsers, due to the many vulnerabilities in OSes, software or firmware.

“We tend to follow predictable patterns, even if it feels to us like we came up with random numbers: we tend to use sequential numbers, we are more likely to think in groups of two or four numbers because of our date system, etc.”

https://auth0.com/blog/defending-against-password-cracking-understanding-the-math/

Password Tester

‘https://bitwarden.com/password-strength/

APT28 widening attacks on Ukrainian allies and credential harvesting operations.

“government, military, defense, energy, transportation, and think tanks, must bolster their awareness and defenses against these tactics”

APT28 continues to use emails and lures about sensitive topics, while also employing payloads disguised as Windows updates. They have also impersonated online services like webmail and used scripts to exfiltrate credentials to compromised Ubiquiti EdgeRouters.

‘https://www.recordedfuture.com/grus-bluedelta-targets-key-networks-in-europe-with-multi-phase-espionage-camp

Impersonating popular webmail services through typosquat domains:

“it is assumed that it can also relay any CAPTCHA challenges issued by the legitimate website”

‘https://go.recordedfuture.com/hubfs/reports/CTA-RU-2024-0530.pdf

For 2FA accounts, APT28 created dedicated webpages…
https://blog.sekoia.io/apt28-leverages-multiple-phishing-techniques-to-target-ukrainian-civil-society/

Attackers increasingly target poorly secured OT devices.

‘https://www.microsoft.com/en-us/security/blog/2024/05/30/exposed-and-vulnerable-recent-attacks-highlight-critical-need-to-protect-internet-exposed-ot-devices/

‘https://huggingface.co/blog/space-secrets-disclosure

ResearcherZero June 2, 2024 2:48 AM

@finagle

Avast has a free online password generator, and Nord provides one with a wide number of settings that can also eliminate ambiguous characters. They both generate strong passwords.

ResearcherZero June 2, 2024 3:53 AM

@finagle

Generating a strong random password for WiFi networks greatly reduces the risk.
As does ensuring the firmware is updated.
As long as passwords are good and firmware is updated then most devices are secure.

If the ISP router still is supported with firmware updates, calling the ISP to change the internet account password is the best approach. It can take 15 to 30 minutes, but they do warn it can take an entire day. This is much less time than weeks without internet and the best approach.

You can place a better quality router behind the ISP router and disable any WiFi networks on the ISP router. A good home router often comes with a firewall and sometimes End Point security. The support is often much better, with more frequent updates, and networking and wireless performance is significantly faster.

If you order a new ISP router they do charge for the replacement cost. You don’t really have to break the old one, but if it did “perhaps” fall from the wall or desk, it’s at least a plausible excuse if they are reluctant to issue a new one. But ISP routers do not often come with better networking performance as they use cheap hardware and smaller memory and CPU specs.

It’s disappointing that many an ISP still ships poorly supported, cheap products.

Newer models generally have newer firmware, but some of the old ISP modem/routers came with fairly ordinary passwords for their wireless networks. Those default WiFi passwords were often an abbreviation of the ISP name, followed by a short series of numbers. This approach can greatly reduce the strength of the hashing scheme. Many ISP routers also shipped with known vulnerabilities and lacked an auto update firmware function.

Winter June 2, 2024 4:53 AM

@ResearcherZero

You can place a better quality router behind the ISP router and disable any WiFi networks on the ISP router. A good home router often comes with a firewall and sometimes End Point security.

See eg,
‘https://www.tomsguide.com/us/best-wifi-routers,review-2498.html

But if someone cracks your ISP router/modem from the “outside”, you are still without Internet.

ResearcherZero June 2, 2024 5:48 AM

@Winter

It’s a good idea not to reuse the credentials for the ISP router/internet account and ensure that the account is using strong credentials. You can also disable remote access and limit network access to the administration panel to whitelisted MAC and/or specific LAN IP. At least make it hard to brute force and keep that device regularly updated.

Probably a good idea to keep a written record of those details to avoid a factory reset.
It is a good habit to change all those details every so often following a major firmware version update. That is a good time for a factory reset and a check through of all the settings. Writing down internet account credentials is safer than saving those details.

Phishing emails may also target internet accounts, sometimes through browser exploits, via a malicious link, or by capturing credentials into an impersonated login window. If anyone downloads an information stealer, then it may exfiltrate any network credentials.

@cybershow

the trickle-down

Snowflake recommends to check MFA is enabled for accounts.

‘https://community.snowflake.com/s/article/Communication-ID-0108977-Additional-Information

Ticketmaster has so far refused to disclose how the breach took place.
https://techcrunch.com/2024/05/31/live-nation-confirms-ticketmaster-was-hacked-says-personal-information-stolen-in-data-breach/

Ticketek was also stung, along with other vendors.

‘https://www.teg.com.au/statement-regarding-ticketek-cyber-incident/

It is possible a Snowflake employee may have been compromised.
https://web.archive.org/web/20240531225301/https://www.hudsonrock.com/blog/snowflake-massive-breach-access-through-infostealer-infection

Australian authorities cite targeted attacks against platforms using Snowflake services.

‘https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/increased-cyber-threat-activity-targeting-snowflake-customers

Further details can be found here:

‘https://community.snowflake.com/s/question/0D5VI00000Emyl00AB/detecting-and-preventing-unauthorized-user-access

‘https://www.wired.com/story/911-s5-botnet-arrest/

Bots go where the money is.

…including transaction fraud, web scraping, and data harvesting.

‘https://ia.acs.org.au/article/2024/bad-bots-have-taken-over-the-internet.html

What price common sense June 2, 2024 6:51 AM

@ResearcherZero
@finagle

“It is not how many people use a password, it is its randomness, and hence the ease with which it can be brute-forced, which determines its ease of compromise.”

I do wish people would not say “randomness” with the likes of passwords.

Because “randomness” implies “equiprobable” and that is what gets stuck in some people’s heads, and that is not good.

So “A4ppr-stk” is seen as random and fitting “password rules” rather than a common text string of “A4 paper-stock” with the vowels and other unessential characters taken out, which the newer password crackers would find.

Any password that follows deterministic rules of some kind even if accidentally is more vulnerable to modern password hacking attacks than those that do not.

As you note,

“We tend to follow predictable patterns, even if it feels to us like we came up with random numbers: we tend to use sequential numbers, we are more likely to think in groups of two or four numbers because of our date system, etc.”

It is a failing of the human mind that gives these bad habits and worse.

At a low level we remember by pattern matching thus we break long strings down into deterministically selected short strings.

Thus we transform, by quite predictable deterministic steps, that which won’t pass the password rules into something that will:

  1. The cat sat on the mat
  2. Th3 c4t s4t 0n th3 m4t
  3. Th3 c4t st 0n mt
  4. Th3 c4t s 0n m
  5. Th3:c4t-s 0n m
  6. Th3:c4t-s0nm

After a week or so of typing it, it goes into muscle memory.

It can be noted that in most cases the steps can be used in any order and in fact combined:

  1. The cat sat on the mat
  2. The:cat-sat on the mat
  3. Th3:c4t-s4t 0n th3 mat
  4. Th3:c4t-s0nm

Which can be done with a *nix ‘sed’ or shell script and the likes of ‘tr’ etc.

The hard part is finding all the rules people use as, though simple, they may not be immediately obvious, such as using patterns in a keyboard.

As has been noted before some names are easy

  1. FRED
  2. DES
  3. POL
  4. WAZ
  5. JK

Which is why they get used in test passwords like

“fred1234”

Or similar.

The important question though is would you have expected any names to be an easy set of moves on a keyboard? The honest answer is probably no. How about the words “serf” and “wed”?

Those names and words that make sense to the human brain are there not because they were ‘put there’ by choice, they came about “by chance” as “a side effect” of another set of rules put into the keyboard layout as “constraints” to typists.

The thing about “by chance” or “a side effect” is they show up apparently “at random” because we do not see that each and every deterministic rule gives rise to “as a side effect”.

Thus rather than say passwords should be “Random” we should say “Truly Indeterministic” which in reality is a very small fraction of all those “equiprobable” strings.
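An added example, mine rather than anything from the comment above, showing the defensive use of the same observation: a password check that undoes the cosmetic steps (case, leet substitutions, inserted punctuation) and then measures how much of what is left is explained by dictionary words or their vowel-stripped forms. The word list, the substitution table and the 70% threshold are constructed assumptions for the demonstration; a real check would load a large word list and more substitution rules.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// Common substitutions used to satisfy "must contain a digit/symbol" rules,
// mapped back to the letter they stand in for (step 2 in the list above).
// Constructed table; a real checker would carry many more.
var leetToLetter = map[rune]rune{
	'3': 'e', '4': 'a', '0': 'o', '1': 'i', '5': 's', '7': 't',
	'@': 'a', '$': 's', '!': 'i',
}

// A tiny constructed word list standing in for a real dictionary.
var wordList = []string{"the", "cat", "sat", "on", "mat", "paper", "stock", "password", "fred"}

// candidates holds each word plus its vowel-stripped form (steps 3 and 4).
var candidates = buildCandidates(wordList)

func stripVowels(w string) string {
	var b strings.Builder
	for _, r := range w {
		if !strings.ContainsRune("aeiou", r) {
			b.WriteRune(r)
		}
	}
	return b.String()
}

func buildCandidates(words []string) []string {
	seen := map[string]bool{}
	var out []string
	for _, w := range words {
		for _, form := range []string{w, stripVowels(w)} {
			if len(form) >= 2 && !seen[form] { // single letters would match anything
				seen[form] = true
				out = append(out, form)
			}
		}
	}
	return out
}

// normalize reverses the cosmetic steps: lower-case, undo leet substitutions,
// and drop the punctuation and spaces inserted to pass "special character" rules.
func normalize(pw string) string {
	var b strings.Builder
	for _, r := range strings.ToLower(pw) {
		if sub, ok := leetToLetter[r]; ok {
			r = sub
		}
		if unicode.IsLetter(r) {
			b.WriteRune(r)
		}
	}
	return b.String()
}

// coverage greedily matches the normalized password against the candidate
// forms, longest match first, and returns how many bytes of it are explained
// by dictionary material together with its total length (ASCII letters here).
func coverage(pw string) (covered, total int) {
	s := normalize(pw)
	total = len(s)
	for i := 0; i < len(s); {
		best := 0
		for _, c := range candidates {
			if len(c) > best && strings.HasPrefix(s[i:], c) {
				best = len(c)
			}
		}
		if best == 0 {
			i++ // unexplained byte, move on
			continue
		}
		covered += best
		i += best
	}
	return covered, total
}

// isPredictable flags a password once 70% or more of it (assumed threshold)
// is explained by dictionary words after the mangling is undone.
func isPredictable(pw string) bool {
	covered, total := coverage(pw)
	return total > 0 && covered*10 >= total*7
}

func main() {
	for _, pw := range []string{"The cat sat on the mat", "Th3 c4t s4t 0n th3 m4t", "Th3:c4t-s0nm", "xq9#Lm2&vZ"} {
		c, t := coverage(pw)
		fmt.Printf("%-24q normalized=%-20q covered=%2d/%-2d predictable=%v\n", pw, normalize(pw), c, t, isPredictable(pw))
	}
}
```

The point of the check is that all six strings in the first list above normalize to something the word list explains almost entirely, so a rule-based policy that accepted step 6 because it "has a digit and a symbol" would be rejected here; the last sample, with no dictionary structure, gets zero coverage.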

What price common sense? June 2, 2024 7:29 AM

@Winter
@ResearcherZero
@ALL

The idea for the use of two routers for enhanced security originated with the ideas of “Network DMZs”.

To use it for even more enhanced security by instrumenting the space between the two routers originated on this blog over a decade ago.

You can see the discussion between @Clive Robinson and @Nick P. Where @Clive Robinson describes the basics. A more full description was given with the “Garden Path” design by @Clive Robinson that’s since been mentioned more than a couple of times over the years

https://www.schneier.com/blog/archives/2015/09/synful_knock_at.html/#comment-258188

https://www.schneier.com/blog/archives/2017/07/more_on_the_nsa_2.html/#comment-303617

https://www.schneier.com/blog/archives/2021/01/backdoor-in-zyxel-firewalls-and-gateways.html/#comment-362363

If you go back far enough you will find it’s apparently so called because of an “English front garden” that set a house back from the highway. The analogy is of a “garden gate” as the first router and a house “front door” as the second router, and the path between being the “garden path”, a semi-secure zone where anything on it could be legally surveilled, whereas the main “highway” on the other side of the garden gate cannot be.

What price common sense? June 2, 2024 10:20 AM

@corinne

“What I wonder is how long unencrypted HTTP will be allowed. I suspect the major browsers will eventually disable it for non-LAN connections, however they define “LAN”. Home router setup normally involves unencrypted HTTP to a 192.168 address, and I’m not sure anyone’s figured out how to make it work with HTTPS and a proper certificate.”

Unencrypted HTTP across the Internet has been a sore subject for well over a decade or two and longer in some circles. Which culminated with the deciding vote it was a bad idea effectively cast by the Ed Snowden Revelations. The revelations showed beyond doubt that the founding members of what became known as the “Five-Eyes” were practicing “collect it all” on a number of major “choke points” around the globe on ALL Internet traffic using various techniques to avoid legislation that supposedly prevented such activities.

Unfortunately we know that “collect it all” still goes on, not by just the SigInt agencies but by all manner of entities you would not want having any kind of access to your electronic communications.

Back last century with the network bandwidths and download speeds being a tiny fraction of what they are there was good reason to use a plaintext protocol as it allowed for “local caching” amongst other things so HTTP allowed this along with multicasting as a way to reduce unnecessary network load.

Now such constraints tend not to apply (other than those governed by the laws of physics). So the small increase of security of HTTPS is seen as worthwhile.

The problem is HTTPS has proven itself to be not very secure in many ways, with more insecurities being discovered all the time.

HTTPS adds just two things to HTTP, and then not always that:

  1. A “Key EXchange”(KEX) mechanism using asymmetric encryption.
  2. Over the wire symmetric encryption.

It all sounds good till you start digging into the KEX and the Certificate Authorities and Web Browser developers funded by those with a significant interest in abusing your communications for their benefit and income etc.

What people need to understand is that you can not have “symmetric encryption” without a “shared secret” which forms a “Root of Trust”(RoT).

In times past the RoT was passed by the hand of “a trusted party” long prior to active communications being established. For various reasons this is open to betrayal and is an expensive and mostly impractical process at the best of times.

Back in the early 1970’s the first publicly known “asymmetric encryption” system became known; like many new things it was before its time.

However it was not what most thought it to be. What it actually does is take a secret to be shared and split it and, using a form of “One Way Function”, send it to another person, who in turn has their own split secret to be shared. Think of it like a square where each party has two corners, one to send, one to receive, and the two paths in-between. An attacker only gets to see the paths that are in public and, due to the issue of “factoring”, what they see is, in approximate theory, of no use to them.

However although secrets can be transferred there is actually no RoT involved.

So whilst there can be secrecy there is not any form of trust.

This was supposedly solved by “Certificate Authorities” (CAs) with “master certificates” signing lower certificates in a “chain of trust”.

This only works if the user can trust the “master certificate”, which is at best problematic as CA history so far has shown.

In essence the user has to obtain the public half of each and every CA Master Certificate, and currently this cannot be done in a secure way.

But few consider the problem of embedded systems that act like servers, such as routers as you mention.

To steal an Arthur Conan Doyle saying via the fictional Sherlock Holmes,

“This is fully a three pipe problem”

Or as the “usual suspects” who are no longer with us (because of the increasing political nonsense, falsehoods and worse) put it, not in pipes of tobacco from a Persian Slipper, but popcorn from a large bowl.

How do you get a router or similar network appliance to make a certificate:

  1. Off line
  2. Via a secure process
  3. That limits the security scope
  4. That is trustworthy

The answer is nobody has worked out a way to do it yet.

One suggested answer is that the manufacturer embeds both the public and private key in the factory… This potentially destroys the security as the private key is available to all in the supply chain.

You can step through all manner of methods but it boils down to

“Self signed certificate”

Or nothing else.

Just one of many reasons why HTTPS is really not the way to do security in a reliable and consistent way.

Not really anonymous June 2, 2024 12:58 PM

@jelo 117
Your statement about stopped clocks is not true. The simplest counter example is where the clock is running at the correct speed, but has the wrong time. It will always be incorrect.

lurker June 2, 2024 2:37 PM

@ResearcherZero, @ALL

Would you use a password from an online password generator? Or that had been tested by an online password tester? Why?

jelo 117 June 2, 2024 4:05 PM

@ Not really anonymous

simplest counter example

You are right.

However, the following quibble allows the statement to be justified. Where it was said “hands move continuously” was really meant “time reading is continuous”. The counter example given is not continuous in this sense.

corinne June 2, 2024 8:08 PM

@What price common sense?,

One suggested answer is that the manufacturer embeds both the public and private key in the factory… This potentially destroys the security as the private key is available to all in the supply chain.

You can step through all manner of methods but it boils down to

“Self signed certificate”

Or nothing else.

It doesn’t have to be self-signed. If the private key is in the router, and different from that of any other router, it could be signed by an Authority. You’d have to give each router a different domain name, but that’s no huge problem. It’d resolve to the manufacturer’s IP address during cert creation, then to 192.168 afterward. And then we’re back at the revocation problem: if the cert doesn’t last 10 or 20 years, it’ll lead to trouble, but the CA rules probably forbid such long terms.

DNSSEC with DANE might work if any browser supported it… until the manufacturer’s servers go down and blow the whole thing up. Fixing it won’t be as easy as editing a ‘hosts’ file.

Alternately, there are ways to do mutual authentication, such as Secure Remote Password. They’re even supported in TLS. The user interface is the problem here: if a man in the middle replaced the SRP handshake with an HTTP basic-auth prompt, or an HTML form, probably 99% of people would type the password anyway.

We could probably do something with keys as QR codes, but then we’re getting into non-standard stuff. If one needs a phone app, is that app still gonna be available and working in a decade? What about people without the necessary devices, or running in unusual configurations (e.g. “de-Googled”)?

This mostly ignores the “supply chain” concern you mention, but I don’t see much specific relevance. Sure, some party could track the private keys, as with RSA “Secur”ID. They could also patch the software to forward the password wherever they like, to disable encryption, add a backdoor login, etc.
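The per-device route that both the earlier post (“self-signed certificate or nothing”) and the reply above circle around, as an added example that is code from neither commenter: the router makes its own key and self-signed certificate offline, and the client pins the key’s SPKI hash on first use instead of relying on a CA. The hostname router.local, the address 192.168.1.1 and the in-memory pin store are assumptions for the sketch.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// deviceCert is what the router would do for itself on first boot, fully
// offline: make a fresh per-device key and a self-signed certificate. The
// private key never leaves the device, so nobody in the supply chain holds
// a copy. host and ip are assumed placeholders for this example.
func deviceCert(host string, ip net.IP, lifetime time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(lifetime), // no CA lifetime rules apply here
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		DNSNames:              []string{host},
		IPAddresses:           []net.IP{ip},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// spkiPin hashes only the SubjectPublicKeyInfo, so the device can re-issue
// an expired self-signed cert for the same key without breaking the pin.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

var errPinMismatch = errors.New("pin mismatch: device key changed since first use")

// pinStore is the client's trust-on-first-use memory: host -> SPKI pin (assumed in-memory).
type pinStore struct{ pins map[string]string }

func newPinStore() *pinStore { return &pinStore{pins: map[string]string{}} }

// verify replaces CA chain validation with the pin check; wrapped in a closure over
// host it fits tls.Config.VerifyPeerCertificate (with InsecureSkipVerify=true).
func (s *pinStore) verify(host string, rawCerts [][]byte) error {
	if len(rawCerts) == 0 {
		return errors.New("no certificate presented")
	}
	leaf, err := x509.ParseCertificate(rawCerts[0])
	if err != nil {
		return err
	}
	if err := leaf.VerifyHostname(host); err != nil {
		return err // cert is not for the name we dialled
	}
	got := spkiPin(leaf)
	want, seen := s.pins[host]
	if !seen {
		s.pins[host] = got // first contact: remember this key
		return nil
	}
	if want != got {
		return errPinMismatch // later contact: a different key is a red flag
	}
	return nil
}

func main() {
	ip := net.IPv4(192, 168, 1, 1)
	cert, _, err := deviceCert("router.local", ip, 20*365*24*time.Hour)
	if err != nil {
		panic(err)
	}
	store := newPinStore()
	fmt.Println("first contact:", store.verify("router.local", [][]byte{cert.Raw}), "pin:", spkiPin(cert))
	// A second device (or an interposer) presenting a different key is refused.
	other, _, _ := deviceCert("router.local", ip, time.Hour)
	fmt.Println("different key:", store.verify("router.local", [][]byte{other.Raw}))
}
```

The pin is what the user would compare, out of band, against a sticker or the device’s admin page on first contact; after that a changed key is a hard failure rather than a click-through warning.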

lurker June 3, 2024 1:23 AM

I’m glad I’m not voting on the Sceptred Isle,

‘https://www.bbc.com/news/articles/c1ww6vz1l81o

And if the AI fakes on TikTok don’t faze you, Sir John Curtice throws numbers in the air and doesn’t seem to know or care where they fall,

‘https://www.bbc.com/news/videos/cqllzg4wz5lo

finagle June 3, 2024 4:25 AM

@ResearcherZero

To be clear, this is my router, not the ISPs. The password was not supplied by the ISP, I created it. The account password that I use to log in to the ISP portal is different and was long ago changed to a strong one, created by a good random generator.

My complaint is that although the password is not strong, albeit long and not subject to dictionary attack, Apple tell me it’s being used by a lot of people. That is nonsense. It is blatant scaremongering and the chances of it being true are in the realms of monkeys and typewriters. I would cheerfully bet that password has never been used anywhere else. I’m absolutely not saying anything about the randomness or security of the password beyond the fact it is obscure, and yes I do know not to rely on obscurity. My point is that I do not believe what the notification tells me, and that undermines the value of it. I’m now ignoring the whole notification because it is not verifiable. I have checked a couple of the accounts it claims are compromised, and they are not according to Have I Been Pwned, further undermining the quality of the report. Hence it’s security theatre.

Meanwhile I am still going through 2 different groups of settings telling each app individually not to allow Siri and Search to scrape data. So while I’ve wasted time investigating and subsequently debunking the first notification I received, I’ve been distracted from dealing with the larger (to me) privacy issue of Apple scraping data by default.

ResearcherZero June 3, 2024 6:31 AM

@finagle

I usually set all the settings myself and ignore or disable annoying notifications. I prefer to look at the logs and use a bunch of 3rd party tools to check security/updates.

Many Apple products are quite annoying. I have had many people bring them to me to repair and it is always a hassle. The security claims of products are often inflated, and I can’t say I have noticed much of a difference between higher end products. I wouldn’t put much stock in Apple’s claims, or any other product. I have seen other products claim passwords are secure that are clearly not. Such claims are not always helpful for consumers.

The recent history of partisan perceptions.

“Once it becomes a personal battle, not only do you often end up losing people from your team, but you’re not getting the information . . . that at a nuanced level will help you as a leader make a decision.”

After his election in 1860, for example, Abraham Lincoln appointed all three of his rivals for the Republican nomination to his cabinet.

‘https://www.pon.harvard.edu/daily/leadership-skills-daily/collaborative-leadership-managing-constructive-conflict/

“States should replace partisan primaries with nonpartisan primaries.”
https://www.uniteamerica.org/reports/the-primary-problem

More ideologically extreme politicians have been running for office since the 1980s.

Among the pool of people wishing to run, party chairs more often select and support extreme candidates, especially on the right. Parties and candidates clearly believe that more polarizing candidates are more likely to win elections. This may be a self-fulfilling prophecy: voters exposed to more polarizing rhetoric from leaders who share their partisan identity are likely to alter their preferences based on their understanding of what their group believes and has normalized…

“An intervention designed to shift feelings on other races leads to a parallel shift in feelings toward opposing partisans, and vice versa, suggesting that some individuals see race and party as linked. Aspects of it have been observed internationally, with members of opposing political groups becoming increasingly antagonistic toward one another…”

‘https://mediawell.ssrc.org/research-reviews/vicious-hateful-and-divisive-partisans-understanding-and-countering-antidemocratic-political-polarization/

Views of American presidents have become more and more polarized by party identification.
https://www.nbcnews.com/meet-the-press/meetthepressblog/s-s-driving-americas-increasing-political-polarization-rcna89559

The fairness gap

Inequality perceptions are an important factor shaping trust into political institutions.
Societies with lower levels of income inequality have higher levels of trust in political institutions.
https://link.springer.com/article/10.1007/s11205-023-03168-9

“Even minor efforts against corruption yield societal benefits that transcend the costs of such initiatives.”

‘https://www.nature.com/articles/s41599-023-01930-5

Inequality is a social and historical phenomenon, therefore it is not immutable.
https://www.tuhin.world/the-bronze-age-collapse-understanding-societal-decline

The bottom 40% earned less than a quarter of income in all countries surveyed.

‘https://digitallibrary.un.org/record/4000104?v=pdf

Increasing inequality has a destabilising effect;

Inequality between identity groups and social unrest…

Structural inequality can lead to social division and conflict between different groups in society. Structural inequality restricts access to opportunities such as education, employment, healthcare, and housing. This can result in limited social mobility and perpetuate intergenerational cycles of disadvantage.
https://sparq.stanford.edu/news/reductions-economic-inequality-and-viewing-society-fair-strengthen-political-and-social-trust

ResearcherZero June 3, 2024 6:36 AM

“symbiotic radicalization”

Depoliticize issues by setting a responsible tone

Defuse tensions at a local level

“First is the wider tone of elected leaders and opinion shapers. On one hand, many figures on the political right have tended to engage in alarmism that grossly mischaracterizes and overestimates the prevalence of violent far-left activity, thereby inflating the threat.”

Mitigate politically motivated bias within law enforcement.

Second is certain law enforcement agencies’ responses to threats and attempted acts of political violence. Critics have charged that federal, state, and local agencies have engaged in disparate treatment between far-left and far-right violent actors… These claims have drawn parallels to law enforcement/intelligence abuses uncovered in the 1970s and raised questions about entrapment of arrested individuals, misallocation of government resources, and charges of systematic political bias.

‘https://newlinesinstitute.org/nonstate-actors/operating-under-the-radar-violent-left-wing-extremism-is-becoming-more-dangerous/

“Portland being the largest metropolis in the Northwest, is where these ideologies collide.”
https://abcnews.go.com/US/liberal-portland-focal-point/story?id=79731161

What price common sense? June 3, 2024 8:20 AM

@ALL

This month marks the second centenary of Lord Kelvin’s birth.

We owe rather more than knowing where absolute zero is to him.

He built a rather useful device based on the ideas of French mathematician Pierre-Simon Laplace to predict tide heights anywhere in the world.

The IEEE have an article on it where the author describes it as an “Analog Computer”

https://spectrum.ieee.org/tide-predictions

I’ve not just seen the instrument but quite some years ago now was allowed to actually use it (wearing gloves). It was whilst developing a navigation program for 8-bit computers that calculated not just tide height but the positions of the main solar bodies. It is a most beautiful instrument and its movement is like a ballet dance.

ResearcherZero June 3, 2024 11:19 PM

Vulnerabilities allowed access to API calls for an ISP’s customers’ modems.

“We had confirmed that we could bypass authorization for the API endpoints by simply replaying the HTTP request multiple times, and there were over 700 other API requests that we could hit. It was time to see what the real impact was.”

…“a fully external attacker with no prerequisites could’ve executed commands and modified the settings of millions of modems, accessed any business customer’s PII, and gained essentially the same permissions of an ISP support team.”

‘https://samcurry.net/hacking-millions-of-modems

ResearcherZero June 4, 2024 12:28 AM

@lurker

Re: Would you use a password from an online password generator?

I’d worry more that an adversary capable of mounting attacks against something like that would be quite capable of attacking hardware or software on the network, and would not need to worry about discerning the source of a password and where that password came from.

Or they could just send the user a convincing email or message with a hidden surprise.
Many consumer devices are so full of dubious apps and junk they would not even notice.

For the average consumer, a generated password is better than what they are already using.
Password reuse is very common and often people do not change their passwords regularly.

It depends on your threat level and how sensitive a system you are working with. There are techniques to generate reasonably secure passwords yourself that don’t take too much time.

Another example of malware targeting developers.

‘https://blog.phylum.io/sophisticated-rat-shell-targeting-gulp-projects-on-npm/

ResearcherZero June 4, 2024 2:31 AM

Hey Neighbour. It has been more than twenty years, but do I have another for you. 😉

‘https://www.smh.com.au/politics/federal/the-50-billion-gas-deal-australia-hopes-will-keep-china-quiet-20240531-p5jidz.html

‘https://www.abc.net.au/news/2024-06-04/rare-earths-miner-targeted-in-cyber-attack/103934020

Australian Treasurer Jim Chalmers ordered several China-linked investors to dispose of shares in rare earths miner Northern Minerals on national interest grounds.

Northern Minerals had asked the Foreign Investment Review Board to probe whether recent share acquisitions are a covert attempt by Chinese interests to gain control of the rare earth play’s strategically important assets in Western Australia.
https://www.cnbc.com/2024/06/03/australia-orders-chinese-investors-to-sell-down-stake-in-rare-earths-miner.html

Tod H June 4, 2024 12:53 PM

ResearcherZero, I suspect ISP-level problems like that are much more common than people realize. 20 years ago, Canadian cable provider Cogeco was using the SNMP community strings “rcgoips” and “cgoipsrw” for all their modems. They would set an IP-address-filter on the writable version, but only after the modem had been online for a few hours, and it could be bypassed anyway by spoofing the 24.226.1 subnet. (Adding my own access-table entry was the obvious move. I also once adjusted a friend’s IP-filter to block access to an online gaming server, as a prank. And since IP-filters had associated counters, it was possible to check whether someone was trying to access a specific server.)

There was no disclosure, because I had no idea about such processes at the time, and wouldn’t have wanted to do it non-anonymously anyway (what if they retaliated? There was no competitor in my area). Also, it’s such an amateurish thing that I figured “if they didn’t think of this, there’s probably nobody there who’d understand the problem”. I’m a bit surprised the author of the linked story thought the low-level employee at “the local Cox store” would have any idea what “reverse engineering” was or would have any authority to let them keep hardware; that would be a question to have asked the employee handling the disclosure.

Anyway, disable TR-069 wherever possible. Unfortunately, there’s no general way to protect a DOCSIS modem against an ISP; even if that’s blocked, an ISP can force firmware-flashing at a lower level, by design. I wonder what kind of damage someone could do by purchasing a CMTS (maybe on eBay?), attaching it to a cable segment, and trying to overpower its legitimate one… I don’t think DSL has such problems, but it’s obsolescent and I’m not sure what the situation is with fiber.

Winter June 4, 2024 5:10 PM

@no comment

This incident raises concerns about the US government’s ability to restrict citizens’ travel and freedom of movement, potentially setting a precedent for future interventions.

You also identify this person as:

Former US Marine intelligence officer

When you have or have had military intelligence clearance, I presume you know you are not free to fraternize with the enemy.

The lack of transparency surrounding the incident

You must be joking, or working for the St Petersburg Troll factory to lament a lack of transparency in military spying.

echo June 4, 2024 8:22 PM

The Russian troll factory is small beer. My jaw just dropped this evening when I learned a transphobic hate network has launched a pop up branch for the UK police. This isn’t the first example of its kind. It’s known transphobic hate networks plot to infiltrate institutions and acquire positions of authority within organisations.

This is as bad as UK media turning Farage who was a fringe crank into the tail that wagged the dog. He’s done enormous damage to the UK (and EU) with his racist and xenophobic and thinly veiled violent rhetoric. All this because he was platformed by UK media.

Today on the Starmer v Sunak election debate Sunak openly admitted he wanted to leave the European Court of Human Rights if he couldn’t get his way with his anti-EU and anti-refugee scheme which breaks international law. The Tory line is the ECHR is a “foreign court”. In reality it was a creation of Churchill and UK lawyers among others designed to make sure the atrocities of WWII never happened again. Under UK law it’s really the only way of holding the government to account. Take the ECHR away and then what??

I’m less bothered by the Kremlin than I am by US dark money and other wealthy cranks operating behind Tufton Street.

I have to admit I’m disenchanted with a blog stuffed with men who have a tech fetish who can’t even get governance and social policy right even when it’s a topic. I’m slightly shocked by academics in the tech sphere trying to edge their way into this sphere without the first clue of what they’re talking about or any reference or citation to people in fields who do. This kind of thing has happened before in computing and medicine to name but two fields and it’s inherently misogynistic.

Both STEM and security only have 30% participation by women. Gee. I wonder why.

lastoftheV8s June 5, 2024 12:17 AM

@echo “The Russian troll factory is small beer” err no it’s not, that’s a fact… no really it’s a thing right? “Origins of” (your small beer Russian troll factory)

1) Background and Emergence: The term “Russian troll factory” refers to organized groups, often state-backed, that produce and disseminate disinformation and propaganda through various online platforms. One of the most notorious examples is the Internet Research Agency (IRA), headquartered in Saint Petersburg Russia.

2) Historical Context: Cold War Influence: Disinformation and propaganda have long been tools of statecraft, particularly during the Cold War. The Soviet Union used similar tactics to influence public opinion and undermine Western democracies.

📌Digital Transformation: With the advent of the internet and social media, these tactics have evolved to exploit the speed, reach, and anonymity provided by digital platforms.

3) Foundation of the IRA:
📌The IRA was founded around 2013 by Yevgeny Prigozhin, a businessman with close ties to Russian President Vladimir Putin Its main goal is to influence public opinion and political outcomes both domestically and internationally, supporting Russian geopolitical interests.

4) Operations and Tactics: Hierarchical Setup:
The IRA operates with a clear hierarchical structure, with managers overseeing various teams and departments. These teams are specialized, focusing on different regions, languages, and types of content (e.g., text posts, memes, videos). The agency is (allegedly/reported as funded by a complex web..companies / Prigozhin,??

📌Social Media Manipulation:Troll factories create thousands of fake accounts on platforms like Facebook, Twitter, Instagram, and VKontakte (a Russian social network). They produce a high volume of content, including fake news articles, memes, videos, and comments, designed to spread misinformation and provoke emotional responses.

📌Astroturfing: Fake Grassroots Movements: Trolls create the illusion of widespread grassroots movements to support or oppose particular causes or political candidates. This is done by coordinating posts and interactions to simulate genuine public opinion. Amplification: Bot Networks: Hashtag Campaigns: Exploiting Divides: Targeted Messaging: Pro-Kremlin Agendas: Domestically, troll factories support the Kremlin’s narrative, attacking opposition figures and promoting government policies. Suppressing Dissent: They target dissenting voices, aiming to discredit and silence critics of the government… these terms need to be included so these too 👉Polarization, Manipulating Outcomes, plenty more here if ya feel the need, put these into a search engine of your choice👉Philip N. Howard, Publications Intelligence Committee – United States Senate Select, RAND Corporation, ”The Agency” by Adrian Chen.
SO @echo, dismissing the Russian troll factory away in a one-liner and in turn imo trying to give the reader a nudge and/or deflection to this SO called war against transphobia was a deliberate action; you have headlined and inadvertently nailed your flag “transphobia trumps Russian troll farms hands down”. That’s not saying your concerns are invalid nor doubting the concerns you have, but idk about anyone else, I’m sick n tired of ‘the message’ getting shoved in front of me 24/7 geez! How bout posting a transphobic concern in a transphobic concern forum/blog like idk twitter. peace☮

Winter June 5, 2024 2:32 AM

@echo

Most people according to polling in the UK and US are fine with transgender people and LGBT in general. In the UK only 3% of people saw the transgender “debate” as important. This has since fallen to 1%.

Which explains the crickets you hear when posting about it.

But I admit there are people here, this ~1%?, who are transphobic. However, I do not see how your chosen strategy improves the situation.

Winter June 5, 2024 8:33 AM

@Man Hidding Behind a Thousa Names

Yes and all instigated by @echo

Nope. There were a lot during the COVID avalanche of Trolls.

Not everything revolves around you.

Winter June 5, 2024 10:30 AM

@echo

They never stop at that.

What they want is what Iran and Saudi Arabia have: A fascist theocracy.

Especially for women.

For the cyber-criminal @Winter June 5, 2024 11:02 AM

@ Winter the cyber-stalking criminal

Two things,

Giving an incomplete quote like you have is a form of fraud.

But secondly,

“Nope. There were a lot during the COVID avalanche of Trolls.”

Nope they called you many things to do with what are still called in legal circles “unnatural sexual acts”. But none were to do with transphobia.

And all the people that tried to defend, help, and support you back then, you turned around and accused of being transphobic or transphobic supporters when you were pushing fraud as science.

The archives have quite a bit of both your nonsense and nonsense from the IRA / St Petersburg attacks on this site that singled you out.

Possibly because of your comments over the Malaysian Airlines flight MH17, shot down with a Russian Buk-Telar missile just about a decade ago, that you got understandably upset about and gave voice to, made you a “marked man” on a “Putin List” somewhere.

So I’m sure @echo’s comment today of

“The Russian troll factory is small beer. My jaw just dropped this evening when I learned a transphobic hate network has launched a pop up…”

Must have upset you, but it’s no excuse to lie about things and lie about other people.

Winter June 5, 2024 12:40 PM

@Handle Hopper

Nope they called you many things to do with what are still called in legal circles “unnatural sexual acts”.

The Trolls posted hundreds of comments covering the whole Putin menu, including discriminatory attacks on every minority in the US. This included trans people. What they called me was immaterial.

accused of being transphobic or transphobic supporters

I have literally pointed out one single post as transphobic, so you are exaggerating. I have always said that I judge every comment on its own merit. This one was bad, period.

made you a “marked man” on a “Putin List” somewhere.

Too much honor. They were angry because I, together with others, eg, @-, marked them as Trolls. They tried to intimidate all those who marked them.

lie about other people.

I write about what I see, and you saw too. If you consider that lying, so be it.

Clive Robinson June 5, 2024 6:51 PM

@ Bruce, ALL,

Yes I’m alive but…

Several London hospitals one of which I’m a patient at have been hit by a cyber-attack. “Procedures have been canceled” and patients either sent home or not admitted for amongst other things life saving operations…

Apparently it’s yet another “supply chain” attack via software from Synnovis a pathology services provider.

“Pathology services” are usually virtually unknown to many patients all they tend to see is the tip of the needle going in their arm to draw blood. However modern medicine does not happen in any way without pathology services. So yup it’s back on the waiting list for thousands in London, with sadly some from emergencies such as road accidents, shootings, knifings, child birth and other ‘critical care’ not making it.

https://www.bbc.co.uk/news/articles/c288n8rkpvno

Remember when a ransom or other gang attacks medical facilities a direct consequence is lives lost sooner than they should have that could have been prevented.

In the West we forget that an insect bite or even a prick from a thorn on a plant in a garden or field used to and still does kill people all the time in less fortunate places.

Underlying those miracles that now appear mundane in the West is pathology services that give the frontline medical staff the “senses” that nature did not, that saves millions of lives every year.

Clive Robinson June 5, 2024 7:21 PM

@ ALL,

I mentioned stabbings in my post as though they are a daily occurrence in London.

Well they unfortunately are more than daily…

The small quadrant of East London around Newham had multiple stabbings on some days and at least one a day,

https://www.newhamrecorder.co.uk/news/24368513.horror-five-days-london-sees-seven-stabbed/

Some of those places I’ve walked along with my son on several occasions when doing shopping or on
the way to more fun things.

All main roads used by pedestrians in London have had stabbings in the not too distant past, especially in high density housing areas.

We know why it happens and it’s mostly preventable. But the politicians do not want to put in place the measures to reduce its occurrence, just up the number of victims and thus criminals, so they can waste vast resources on apparently “Being tough on Crime”.

echo June 6, 2024 3:22 AM

It’s interesting what comment gets deleted sometimes. I know I can be a bit sharp which caused two to go walkies. I’m not going to challenge that decision but it’s certainly feeding into my public policy view which I don’t discuss on here.

I’m quite familiar with governance and policy and outcomes. I know how it works on paper and how it works in practice. If there’s one problem this blog does have, it’s the over-reliance on technical and authority gained via status and limited experience. That’s why only the technical quadrant gets traction and the human rights and economic and social quadrants dissolve into flannel.

We know why it happens and it’s mostly preventable. But the politicians do not want to put in place the measures to reduce its occurrence, just up the number of victims and thus criminals, so they can waste vast resources on apparently “Being tough on Crime”.

Plans are easy. Planning is hard. So what’s the planning? Instead of complaining can we hear your solution. I mean, if it’s that easy?…

https://en.wikipedia.org/wiki/Murder_of_Brianna_Ghey

The only person who cried tears over this on this blog was me. As for Nex Benedict nobody else cared and some people told me to shut up. Hold this thought in your head. I will be returning to it later.

https://www.erininthemorning.com/p/splc-designates-genspect-segm-as

SPLC Designates Genspect, SEGM As Anti-LGBTQ Hate Groups
SEGM members and associates were part of a secret advisory group for the Cass Review in England. Genspect and SEGM pushed anti-trans policies in the United States. Now, they are listed as hate groups.

Hands up who knows what this decision means? 99% of you will filter it through existing ideas of how you think governance works, public policy in practice (do you even know what “public policy means”?), and your own subjective emotional attachments and reactions as well as take a kneejerk headline view through this filter.

https://www.ft.com/content/c987890e-b47d-49e5-8298-d796989797c1
Keir Starmer accuses Rishi Sunak of ‘lying’ over Labour £2,000 tax claim
Opposition leader hits out in escalating election dispute that puts UK prime minister at odds with top Treasury official

Sunak lied in breach of the Nolan principles. Who decides whether a case based on the Nolan principles is actioned? Sunak.

I’m not going to make this personal. It’s more of a general comment. What I will say is that you are not the only people who are trying to fix problems and fixing even simple problems can be much more involved than meets the eye. You’re not the only people who know stuff or have technical skills or expertise or a mountain of case studies to refer to. This is just a personal perspective but it is incredibly frustrating dealing with a techbro boys club who won’t listen to the first thing they’re told.

There’s people whose job titles and qualifications and skills outstrip mine by orders of magnitude and even they have problems.

If I can wind back 10-15 years the issues of violence in the community and policing were on my radar. There’s some very specific technical public policy issues involved here. I did have influence at one point with one key person and this did have an influence in the US. I also have a specific issue of governance in the UK to pick up on which still hasn’t been resolved and this gets into some larger mismanagement at a local government and policing level. This has to take its place in the queue and may feed in to a corruption scandal which is gently brewing in the background.

As for London, Khan isn’t the world’s greatest mayor. He’s mostly a technocrat but better than some of the alternatives under the current political system. It’s not just London but every local authority has had an effective 30% budget cut. Then there’s police underfunding, including drastic underfunding for “white collar crime”, which guts the effectiveness of policing and keeps a lid on police developing expertise where they might begin to punch up. There’s also been a breakdown in “separation of powers” with veiled threats or direct threats of budget cuts if you don’t go with prevailing dogma at the top. It gets worse as various jobs have had the wrong sort of person parachuted in and NGOs have been directly threatened with withdrawal of grant funding if they speak up.

But but “SECURITY!!!” God, give me strength…

You may think you’re the only one with qualification, or who knows about security, or who is trying to get stuff fixed but you are simply one voice on a blog complaining when there are tens, hundreds, or even thousands of people working on this stuff. Some people I know have been working on things for decades. They’ve brought cases, had high level meetings, sat on committees, and are deeply involved in communities and it’s all for nought when one government minister who doesn’t have a clue what they’re doing pulls the rug. That can be years of work down the drain.

Some of you need to ponder this before you roll up on a blog and bikeshed from the comfort of your own privilege thinking you know everything and gobbing off because you read something in the newspaper this week.

It's AI Jim not life as we know it. June 6, 2024 5:18 AM

More on LLMs not being AI or I at all.

In a paper titled,

“Alice in Wonderland: Simple Tasks Showing Complete Reasoning Breakdown in State-Of-the-Art Large Language Models”

https://arxiv.org/abs/2406.02061

A description of yet another set of “LLM Behaviours” that beg askance of how the models fundamentally perform or more correctly do not perform.

“We demonstrate here a dramatic breakdown of function and reasoning capabilities of state-of-the-art models trained at the largest available scales which claim strong function, using a simple, short, conventional common sense problem formulated in concise natural language, easily solvable by humans. The breakdown is dramatic, as models also express strong overconfidence in their wrong solutions, while providing often non-sensical “reasoning”-like explanations akin to confabulations to justify and backup the validity of their clearly failed responses, making them sound plausible. Various standard interventions in an attempt to get the right solution, like various type of enhanced prompting, or urging the models to reconsider the wrong solutions again by multi step re-evaluation, fail. We take these initial observations to the scientific and technological community to stimulate urgent re-assessment of the claimed capabilities of current generation of LLMs”

Thoughts on building a dead-drop June 6, 2024 7:24 AM

@Bruce Schneier

Part of being a “Public-interest Technologist” is having privacy of communications from others and providing the knowledge of how to do this to others.

In the long past of oh fifty years ago, the “tried and true” was “Field Craft” of the “Dead letter box/drop”. Setting up such traditional “dead-drop” systems in the modern high tech world of ubiquitous CCTV too small/hidden for people to see has kind of killed it even for “one time use”.

But what of the electronic realm?

Whilst it is not as easy, it might work.

Occasionally people think the problem through and make their thoughts available for others to consider,

https://ayende.com/blog/201153-B/building-a-serverless-secured-dead-drop

echo June 6, 2024 7:49 AM

This may be of some interest to the military and intelligence back-office types as well as counter-terrorism agencies for those who can’t see security unless it’s things which go boom or gadgets with a plug on the end.

https://www.theguardian.com/society/article/2024/jun/05/women-perform-better-in-cognitive-tests-when-menstruating-study-finds

Women make fewer mistakes and have better mental agility while on their period despite feeling worse than at any other time during their menstrual cycle, research suggests.

https://www.sciencedirect.com/science/article/pii/S0028393224001246
Attentional, anticipatory and spatial cognition fluctuate throughout the menstrual cycle: potential implications for female sport

I knew that cognition changes due to fluctuations in the endocrinology. I never thought about it much deeper than that. There’s papers on drug addiction and rehabilitation too which are linked with the endo system. So performance and injury risk can be added to the list? Okey dokey.

https://www.theguardian.com/world/article/2024/jun/04/spain-historic-menstrual-leave-law-hardly-used-period-pain-endometriosis
A year on, Spain’s ‘historic’ menstrual leave law has hardly been used. Why?

https://blogs.lse.ac.uk/gender/2024/02/27/redefining-menstrual-equity-in-prisons-why-menstrual-equity-demands-prison-abolition/
Redefining menstrual equity in prisons: Why menstrual equity demands prison abolition.

https://www.telegraph.co.uk/us/news/2024/05/31/biden-mocked-for-advice-on-menstruation-no-women/
White House mocked for advice on menstruation – with no mention of women

Social media points out guidance aimed at ‘menstruating employees’ instead of women or females

The backwash from male dominated healthcare and other systems and legacy attitudes continues to harm women. Not only does this degrade or sideline talent it harms women’s life changes. I don’t expect the famously male owned Telegraph with regressive attitudes propping up far right hate groups which have men behind the scenes pulling the strings to have much of a clue.

The whole prison and rehabilitation and life opportunity cycle is kaput anyway. Full prisons like JDAM’s falling from the sky are not signs of success. They’re signs you already failed.

DEI and teaching sex and relationships in school isn’t just wokery bolt-on. It’s part and parcel of building civil society and part of mechanisms which prevent future abuse and breakdown 5, 10, 20 steps down the road. Its impact isn’t necessarily felt today but in 5, 10, 20 years time.

Ignorant right wing politicians and media are such a pain. Hopefully the general election will shoo the Tories away and this bunch can fade into irrelevance.

echo June 6, 2024 10:21 AM

https://theconversation.com/human-culture-is-changing-too-fast-for-evolution-to-catch-up-heres-how-it-may-affect-you-227711
Human culture is changing too fast for evolution to catch up – here’s how it may affect you

This is interesting. There’s nothing new here but it rolls a few things up in one place. There’s a few gaping holes in the author’s position though which explain how the article itself turns into a big exercise in gaslighting and shifting the blame.

While the uber wealthy only have one vote they have disproportionate influence due to throwing money at lobbying or getting themselves invited to political media parties or simply using everyone else’s efforts to turn themselves into a media story. As for living conditions various schemes and financial crashes have led to the uber rich benefiting from capital inflation and buying up all the property. Then there’s big fibs told about taxation which results in lack of public services which, again, impoverishes people.

Reviewing the author’s CV and some of the papers he’s been involved with publishing and his recommended reading list he looks iffy to me. There’s a thumb on the scales there for sure. For a start critical theory is extremely niche and just a tool and he takes it too literally. He’s also got problematic bioessentialism views among others.

Maybe it’s the week for it but I’ve been noticing a few problematic essays and papers from people sticking their beaks in. That’s all a bit curious but shouldn’t be much of a surprise thinking about it. Le sigh…

https://journals.sagepub.com/doi/10.1177/13684302211067151
Disgust sensitivity relates to attitudes toward gay men and lesbian women across 31 nations

This is an exercise in backwards rationalising. Happy LGBT Pride month! roll eyes…

ResearcherZero June 7, 2024 1:12 AM

‘https://www.politico.eu/article/dutch-party-websites-attacked-as-eu-vote-kicks-off/

According to two sources close to the case, the man stayed at a hotel in the town of Roissy-en-France, home to Paris’ Charles de Gaulle airport.

‘https://www.cbsnews.com/news/france-detains-ukrainian-russian-man-suspected-planning-violent-act-explosion/

Russia’s GRU is ramping up sabotage campaigns across Europe.
https://www.chathamhouse.org/2024/05/russian-disruption-europe-points-patterns-future-aggression

Russia has staged thousands of cyberattacks on Czech and European railways, including hacking into signals and ticketing services.

‘https://www.nbcnews.com/news/investigations/russias-brazen-intensifying-sabotage-campaign-europe-rcna147178

Russia is conducting a “shadow war” against Europe.
The use of local recruits has been a hallmark of the recent sabotage campaign.

“Russia’s strategy is one of divide and conquer.”

“Right now, it’s not a very costly strategy for Russia because we are all responding separately. That is why it is important that over time, we collectivize the response.”

https://www.nytimes.com/2024/05/26/us/politics/russia-sabotage-campaign-ukraine.html

‘https://www.enisa.europa.eu/news/understanding-cyber-threats-in-transport

What is the actual story? June 7, 2024 1:48 AM

@ALL in US

I’ve heard news reports like,

“Network outage impacting cellular phone services across the U.S.”

But for three different service providers not just AT&T.

Which makes it either something they have in common, or it’s concerted action by an individual entity.

Hence some media speculation with

  1. Inadvisable finger pointing at Russian Cyber-Attack for changes in US foreign policy.
  2. Further extreme solar activity, which is causing havoc on HF Radio.
  3. Interconnectivity issue at base network levels.

The latter is suggested by reports such as

https://www.macrumors.com/2024/06/04/us-carriers-call-outage/

Anyone with solid news on what the real cause was?

Protect this precious blog from harmers June 7, 2024 9:28 AM

The number 1 viewed program on Netflix presently is called Baby Reindeer
Addresses fascinating and gruelling psychological themes

Did the writers do an excellent job portraying @echo via the lead character Martha?

Winter June 7, 2024 10:04 AM

@moderator

comment-438101 June 7, 2024 9:28 AM

Pointless insult towards other blog visitor

echo June 7, 2024 10:17 AM

@ALL

All the many named troll is achieving is informing a public policy view and building up a case file against themself. They’re so unimportant and so not a threat I cannot even be bothered to open a log file on them. I have bigger fish to fry and I never lose sight of that so the joke is on them.

I’m living my best life. I can’t say the same about them. Most of the best of the worst enemies I had online or offline are in jail or dead, or sad people who never amounted to anything.

Keep it up, sweetie. If you’re trying it on with me you’re not bothering someone else more vulnerable.

@moderator

https://www.schneier.com/blog/archives/2024/05/friday-squid-blogging-baby-colossal-squid.html/#comment-438101

Name withheld due to @echo behaviour June 7, 2024 11:35 AM

@moderator

@echo is instigating and fomenting as a deliberate ploy to aid in cyber-stalking

The plan appears to be between @echo and @winters behaviours to make wild if not lunatic allegations about AI and sock-puppets and similar as an attempt to “out” a previous poster who was well liked and respected. Who the archives on the Internet show @echo not just vilified but attacked over @echo’s inability to face reality that @echo’s knowledge was very deficient and @echo made things up and pretended they were factual.

Something that @Winter also did that made several people think @echo and @Winter were a “sock-puppet” because of their “birds of a feather” behaviour in presenting false evidence as argument in support of each other.

The fact is cyber-stalking is a crime in both the UK where @echo claims to be from and in North West Europe in the EU where @Winter has indicated they are from.

Cyber-stalking is looked on as a serious form of Cyber-crime and “section 230” which falls under US Title 47 of the United States Code that was enacted in 1996 as the sole part that remains of the Communications Decency Act does not apply in jurisdictions outside of the US no matter how much the US State Dept might wish otherwise.

So section 230 does not protect site and system administrators from being prosecuted or litigated against for allowing the criminal activities that @echo and @winter have demonstrated.

Oh and as the site administrator full well knows the criminal behaviour of @echo and @Winter has forced others to adopt multiple “subject lines in the name field” as allowed by the blog rules.

So far stylistic information indicates between four and eight people are doing so since @echo seriously libelled a female US Athlete, and @Winter started throwing in false argument to support @echo in the libel.

@echo claims to have expertise in law and UK legislation. If this were true then @echo would know from basic pre-grad / first year education that @echo’s actions are actually crimes.

The politest argument for @echo’s unlawful behaviours is that @echo is a fantasist and suffers from a form of “Walter Mitty syndrome” or “Maladaptive Daydreaming”. Whilst not yet in the “Diagnostic and Statistical Manual of Mental Disorders”(DSM-5) it is becoming sufficiently understood this century so far that inclusion in the DSM-5 is likely fairly soon.

If it is not “maladaptive daydreaming” then the other options for @echo’s behaviours fall under criteria that are currently believed to be incurable, and the pathology has a high incidence of premeditated violence associated with it (due to its prevalence in convicted criminals).

For those that have some experience in the relevant fields @echo exhibits other indicators that suggest a less charitable investigative hypothesis.

The archives of this blog show this has been mentioned over the years as a concern by several people.

Because of this history we know @echo will not change their behaviours and it is likely they will progress and become worse with time as the archives already show.

I think many will know what @echo’s likely next behaviours will be, as @echo has a recognizable MO that does not bode well.

Because,

By : echo
At : June 7, 2024 10:17 AM
In : https://www.schneier.com/blog/archives/2024/05/friday-squid-blogging-baby-colossal-squid.html/#comment-438106

We get,

I’m living my best life. I can’t say the same about them. Most of the best of the worst enemies I had online or offline are in jail or dead, or sad people who never amounted to anything.

Any judge or jury would recognise that as what it is, a thinly veiled threat of violence that has been stymied by their inability to get physical access for vengeful spite of a failed narcissist, failing in their attempts to be anything other than an impotent keyboard thumper / screen screamer.

The thing is @echo keeps doing this behaviour and apparently is incapable of learning or stopping themselves… Which is more evidence that the charitable “Maladaptive Daydreaming” is not the issue behind @echo’s behaviours.

echo June 7, 2024 12:43 PM

@ALL

If the many named troll believes they are correct and they are in the UK they can report a non-urgent crime to 101 or fill in an online form on the website of their local police force. They are welcome to do so and I encourage them to do so. The sooner the better if it will shut them up and provide a hard and verifiable link to their identity.

https://www.gov.uk/report-crime

As for all my best worst enemies being in jail or dead, or sad people who never amounted to anything this happened as a result of their own actions. Most police officers and assorted experts would likely recognise this kind of scenario. These scenarios are easily avoided by living a sensible life or seeking medical help or other help as appropriate.

I’m familiar with UK law and ICD/DSM and relevant US law. I don’t get my advice from internet randoms.

@moderator

https://www.schneier.com/blog/archives/2024/05/friday-squid-blogging-baby-colossal-squid.html/#comment-438113

Winter June 7, 2024 12:51 PM

@Man hiding behind a thousand names

The fact is cyber-stalking is a crime in both the UK where @echo claims to be from and in North West Europe in the EU where @Winter has indicated they are from.

As @echo writes, feel free to file a complaint with the responsible authorities.

Name withheld due to @echo behaviour June 7, 2024 3:40 PM

@moderator

As predicted both @echo and @winter are carrying on with their cyber-crime. Which is unfortunate when it comes to complicity.

You will see

By : echo
At : June 7, 2024 12:43 PM
In : https://www.schneier.com/blog/archives/2024/05/friday-squid-blogging-baby-colossal-squid.html/#comment-438115

"The sooner the better if it will shut them up and provide a hard and verifiable link to their identity."

Shows the intent by @echo is cyber-stalking and presumably doxing. Also further evidence of their narcissistic behaviours.

Oh and @echo is wrong legally yet again, so blows their own pretence yet again.

There are other avenues, and they do not end up with @echo or their representatives getting a “verifiable link” or “identity” they do not even get to see/challenge a person in court.

Further @Winter is showing their intent of doing the same with,

By : Winter
At : June 7, 2024 12:51 PM
In : https://www.schneier.com/blog/archives/2024/05/friday-squid-blogging-baby-colossal-squid.html/#comment-438116

As @echo writes, feel free to file a complaint with the responsible authorities.

Winter June 8, 2024 2:32 AM

@Virtuous
Re: Well done.

Now there is an enigma. Are you just the same entity using yet another handle to congratulate yourself?

Winter June 8, 2024 5:33 AM

@echo

I’m still wondering how much is human versus AI.

You can look for signal words. There was a lot of noise recently about word choice.
‘https://medium.com/practice-in-public/these-words-make-it-obvious-that-your-text-is-written-by-ai-9b04f399d88c

There are AI detectors, eg, a Chrome app. However, I do not know how reliable they are. Also, he could use AI to speed up writing.

I think the best Troll detector still is looking for validated information you did not already know. Trolls never volunteer information and never make you wiser. Links offered by Trolls are always towards disinformation sites, never actually useful, validated information.

Our old “pal” was always fond of telling us things about electronics and opsec we did not know. The Handle Hopper much much less so, if at all. AI by definition has only Internet info, and bad info at that.

So, any uninformative text is a surefire candidate for scrutinizing as fake.

Winter June 8, 2024 7:52 AM

@Man Hiding Behind a Thousand Names

Just so you know @Virtuous is not me, and never was, etc.

Thanks for letting us know. With all those fleeting handles you never know.

echo June 8, 2024 8:37 AM

@Winter

That’s what I kind of thought. Thanks for the confirmation. I look for other things too. Ethics(!) and emotional texture and relationship engagement. Word pattern, flow, timing, context, history. With some it can get very indirect and very subtle. It’s not always what they say but don’t say.

Regardless of what they say the dynamic duo act to me is still a bit suss. There’s fuzzy clouds of bad actors out there. Even if they’re not sock puppets there can be direct or indirect connections between disparate actors. Even if they weren’t the same person and didn’t know each other I’m still a bit “hmmm” about things.

Oh and I’m anonymous not “many named” as has been indicated several times. Like others I’m using the name field as a subject line. Which is well within the blog posting rules and a way to stop there being confusion in a thread with more than one “Anonymous”.

This is the same thing the “plausible” actor said. Another entity when pulled up on women’s names said they weren’t one of the many named ones and said it was a random name picked by software they were using and can change. It’s the level of BS you’d get from an Indian scammer call centre.

Unless someone has a known good stable handle and verifiably good content and history and interaction I’m going to trust them. Not in the slightest. Even then with LGBT stuff they’re under the microscope. Bear in mind this is an approach I stated a few weeks and some months ago. I do wonder if the name changing may be an attempt to thwart this. Coincidence? Deliberate? It’s hard to say but it doesn’t stop things looking odd and confusing discussion and group relationships.

Winter June 8, 2024 8:55 AM

@echo

I look for other things too. Ethics(!) and emotional texture and relationship engagement.

We can also look for things an AI cannot do, and cannot learn. Every AI today has been trained on old data, that is, from a few years back. Also, current AI is bad at reasoning, be it logically, emotionally, or relationally.

An entity that can comment on new or recent information in context, can reason “intelligently” about it, and can supply good sources in context, is unlikely to be an AI. For now, that is.

Winter June 8, 2024 12:09 PM

@echo

I mean, I could be wrong and all this name changing is confusing things but it is all very odd.

That is the whole point of this handle hopping. It is straight out of Putin’s playbook on the Firehose of Falsehoods.

Winter June 9, 2024 4:53 AM

@jelo 117

Check in the mirror.

Please check the words of our host:
‘https://www.schneier.com/blog/archives/2017/03/commenting_poli.html

I have been engaging in more active comment moderation. What that means is that I have been quicker to delete posts that are rude, insulting, or off-topic. This is my blog. I consider the comments section as analogous to a gathering at my home. It’s not a town square. Everyone is expected to be polite and respectful, and if you’re an unpleasant guest, I’m going to ask you to leave. Your freedom of speech does not compel me to publish your words.

Linking to:
‘http://www.antipope.org/charlie/blog-static/2008/06/moderation-policy.html

Winter June 9, 2024 1:06 PM

@jelo 117

The intent of the US law on freedom of speech

for US citizens. It is irrelevant for the rest of humans. Furthermore, according to the US constitution, Freedom of Speech includes the freedom to not publish speech you do not want. Which is a right our host exercises when he removes posts he doesn’t like.

This may involve expressions of views that some will find emotionally offensive and distressing. But there is no other way in practice to make a path to truth.

Europe has a long history where words did break bones, and killed people, very, very many people. So the Europeans decided that speech directly or indirectly inciting to violence is not permitted. Hate speech is included.

Note that European countries, notwithstanding, lead the list of Freedom of the Press charts.

Winter June 9, 2024 1:22 PM

@jelo 117

battaglia delle idee

What Americans call Freedom of Speech is called Freedom of Expression in most European jurisdictions. That is, you have a freedom to express your opinions.

Speech for hire, advertising, lies, and misinformation are not opinions, so are not necessarily protected under Freedom of Expression laws.
