Recent Comments



July 2, 2020 4:46 AM

Clive Robinson on COVID-19 Risks of Flying:

@ Jon,

Goats? What do they have to do with anything here?

@JonKnowsNothing did say they are to keep weeds and other types of vegetation down so they do not become a fire hazard.

But as you appear not to get it,

Plants will grow wherever they can[1] and in quite a few cases protect themselves with poisons and thorns etc.

The thing is some plants, especially annuals, grow fast and die or die back at the end of the year, leaving a lot of "cellulose fibre" behind which is a lot lot less dense than wood, so burns incredibly easily and...


July 2, 2020 1:39 AM

Weather on Friday Squid Blogging: Fishing for Jumbo Squid:

Trust Dilbert, but that is what I'm asking: does dev random produce the same output? But that's my lack of knowledge; you should be able to find a vector, as I know there is one.

July 2, 2020 1:25 AM

SpaceLifeForm on Friday Squid Blogging: Fishing for Jumbo Squid:

@ Sherman Jay

"But, I encourage you all to keep thinking and dreaming, you might just come up with a workable answer to either or both."

My thoughts exactly.

To me, it's not just a hardware issue and/or a software issue, but trusting the crypto whether in hardware or software.

How's that random working for you today?

https://dilbert.com/strip/2001-10-25

July 2, 2020 12:44 AM

SpaceLifeForm on Friday Squid Blogging: Fishing for Jumbo Squid:

@ Weather

Oh, it was '92 char with 6 char', and now it is 7 by 92?

You guys code talking? ;-)

@ rrd

Excellent link about the Vietnam response.

Three things stood out to me.

43% asymptomatic
Mandatory mask usage in public
No International plane flights

The entire report should be a PDB.

Ah, never mind. #UnfitForOffice won't read it anyway.

July 1, 2020 9:47 PM

Mark on iPhone Apps Stealing Clipboard Data:

Absolutely insane that Apple let this happen. How many passwords and other sensitive data leaked? This is on Apple for failing to secure the OS.

July 1, 2020 9:39 PM

Weather on The Unintended Harms of Cybersecurity:

@Spacelifeform
Something you can't look up on Wikipedia stumped them; they don't know that it's wrong half the time, but maybe...

July 1, 2020 8:42 PM

SpaceLifeForm on The Unintended Harms of Cybersecurity:

@ Weather

By my reading of RFC7413, the TFO cookie is 4 to 16 bytes.

As to authentic, that is where a problem may lie.

July 1, 2020 8:36 PM

Weather on Friday Squid Blogging: Fishing for Jumbo Squid:

@rrd
You hadn't sent me a 7 char input made of 92 chars of the keyboard to test; you use FreeBSD but can display the hash in %2x.
Wasn't going to reply because someone else sorted it out, but maybe..

July 1, 2020 8:16 PM

Jon on COVID-19 Risks of Flying:

@JonKnowsNothing

It's interesting how complicated your "just Grass and Water" horse becomes when we start looking at details like "Where does the grass grow?", "Where does the water come from?", and "Who cleans up the poop?".

Looking at the mere mathematics, having a horse in California is a sign of wealth. Maybe not extreme (define that?) but I have pointed out that it is an unattainable dream for at least half the state's population, because there just isn't enough suitable land.

Sure, you can put a horse in an 8x8 box - but the grass (or other feed) has to be...


July 1, 2020 7:40 PM

rrd on Friday Squid Blogging: Fishing for Jumbo Squid:

Oops. I seem to have forgotten them beating the heck out of people with sticks, so let me be clear that I'm not condoning that aspect of their response at all; "the same" I was referring to is solely with respect to the medical-advice-related behaviors that the people ended up adopting.

By hook or crook. Sophie's Choice? Majority rule vs. minority rights?

It's essential that people just choose to willingly adopt better cultural behaviors solely because they have learned it is best for the whole, not because they are physically threatened or worse.

But dang if those...


July 1, 2020 6:47 PM

rrd on Friday Squid Blogging: Fishing for Jumbo Squid:

Vietnam has Chuck Norris'd COVID-19.

hXXps://ourworldindata.org/covid-exemplar-vietnam

Not that anyone anywhere has any valid excuse for not doing the same, as everyone's experts have known from the beginning.

This situation is proving to be a cultural IQ test, with a heavy burden of responsibility on their leaders, and the inertia of their educations fruiting predictably.

July 1, 2020 6:12 PM

Weather on The Unintended Harms of Cybersecurity:

@Spacelifeform
TCP fast open: if you send a SYN and a cookie, you are pre-authentic and data, well at least one data packet, is going to be sent. Going to read the RFC, but what range for the key in the cookie, 64000?

Thanks

July 1, 2020 6:01 PM

JonKnowsNothing on COVID-19 Risks of Flying:

@Jon

re: The Rabbit or Rat Hole

There are lots of aspects that would not suit others. There are other aspects that would not suit more.

re: Horse Space

The minimum space you need for a horse is 8x8ft but more commonly 10x10ft or 12x12ft with 24x24ft considered luxury accommodations.

If you live in an area with lots of rain fall and available water, you can keep a horse on green pasture. If you have irrigation you can keep a horse on green pasture that way too. Race Horses are raised on green pastures.

If you live in an area with less...


July 1, 2020 5:42 PM

SpaceLifeForm on The Unintended Harms of Cybersecurity:

@ Impossibly Stupid

Want to try an experiment?

Make sure your servers do not support TCP Fast Open.

Let us know if you see a difference.

July 1, 2020 5:34 PM

Weather on COVID-19 Risks of Flying:

@Sancho
In software to check hardware, you can't use 'if x==1', but you can do 2+2+corruption+4 = opcode(8); in theory there's still the question of 8 and if the silicon readdresses the table.
Just thinking...

July 1, 2020 5:02 PM

Sancho_P on Securing the International IoT Supply Chain:

” … to sell only products that meet the requirements of a security framework developed by U.S. cybersecurity agencies. (@Bruce, my emph)
- This is a joke, isn’t it?
Do we know how to correctly spell cybersecurity? Today? Future?

And: SW / FW is legally out of bounds, thanks to Bill G, since decades and forever.

July 1, 2020 4:56 PM

Sancho_P on COVID-19 Risks of Flying:

@JonKnowsNothing, Jon, Clive Robinson

Yea, sometimes it helps to ignore reality, only it won’t last long.
I can see ya with wife, kids and your horse living in the Bronx, 4th floor, 350 ft2,
thanks for taking pity on us other plebs :-P

Now these daydreams lead us way OT from “COVID-19 Risks of Flying”.
I’ve understood @Bruce’s concern as:

”I fly a lot [- and to continue my life I need to fly. Should I take the risk?].”

- My unease was him using the term “risk” in this context:
”Risk :
- A
...


July 1, 2020 4:22 PM

SpaceLifeForm on Friday Squid Blogging: Fishing for Jumbo Squid:

@ Clive

An interesting side-channel attack because Wi-Fi and BT use the same freqs.

The devil will be in the details which will not come out until next month.

hxxps://www.blackhat.com/us-20/briefings/schedule/#spectra-breaking-separation-between-wireless-chips-20005

"During code execution within the Wi-Fi firmware, we even experience kernel panics on Android and iOS."

July 1, 2020 4:13 PM

Jon on COVID-19 Risks of Flying:

@JonKnowsNothing

Time to change. We have all the time we want. Time is infinite.

But real estate isn't. A few quick Google searches told me that, in California, there are about 16 million acres of grazing land*, and that a reasonable area for one horse is between 1.5 and 2 acres.

The population of California is a hair shy of 40 million. Granting an average of roughly one horse per person, I think you can see why your lifestyle, while no doubt fun and economical, is not a reasonable solution for the vast bulk of the population.

You could...


July 1, 2020 3:10 PM

vas pup on Friday Squid Blogging: Fishing for Jumbo Squid:

@Weather.
Thank you for your input.
I guess they should not have such time for talking, but rather exhaustive training and honing their skills (physical, emotional, tactical, etc.), so when the time for the real thing comes, they are prepared as much as possible.

I found an article on wiki:
https://en.wikipedia.org/wiki/Riot_control
with many links related to the subject, which is currently hot around the globe.
I hope you'll like it.

July 1, 2020 2:56 PM

vas pup on Securing the International IoT Supply Chain:

@Bob Paddock said:
"If there is going to be approval body certification for this, then it needs to be a 'non-profit' and (sadly?) probably a government division."
Agree with your point 100%.

Just a small addition: often the label on products manufactured outside the US contains 'Distributed by [name of US company]', but I hope not only me but other consumers want on the label AS WELL information on the country of origin!, e.g. Made in China, Made in Canada, but our regulators currently are not enforcing even such a thing. Distributor is for lawyers who chase money (reactive...


July 1, 2020 2:07 PM

Sherman Jay on Friday Squid Blogging: Fishing for Jumbo Squid:

@rrd and @Weather • June 30, 2020 1:15 PM
'I'll say a prison setup, where each program gets its own play box with guards'

While the below 'distro' is not a usable system yet, it is a step in the direction you mention:

hXXp://distrowatch.org/weekly.php?issue=20200629#gobo
The GoboLinux project develops a distribution with an unusual goal: reorganizing the operating system's filesystem. . . . . In GoboLinux you don't need a package database because the filesystem is the database: >>> each program resides in its own directory.

Sandboxes are another...


July 1, 2020 1:40 PM

Bob Paddock on Securing the International IoT Supply Chain:

@wiredog

"Remember that UL is a private certification, with copyrights (the "UL"), and the insurance companies (the Underwriters in "Underwriters Laboratories") have a strong incentive to protect the brand."

Speaking from a manufacturer's perspective, we are held hostage to what amounts to high extortion "protection racket" fees that some government regulations mandate.

Getting UL is expensive, especially if you need more than one and are a small company.

If there is going to be approval body certification for this, then it needs to be a 'non-profit' and (sadly?)...


July 1, 2020 1:01 PM

wiredog on Securing the International IoT Supply Chain:

@Chelloveck
At least with UL listing, if the distributor or end user wants to validate the listing there's a method to do it. Remember that UL is a private certification, with copyrights (the "UL"), and the insurance companies (the Underwriters in "Underwriters Laboratories") have a strong incentive to protect the brand. UL listing means that there's a lower chance that the device in question will fail catastrophically and generate an insurance claim.

July 1, 2020 12:14 PM

JonKnowsNothing on COVID-19 Risks of Flying:

@Clive

Your recollections and reflections are fantastic. Thank you for sharing them!

Perhaps because I see the End of Me coming Soonerish, I reflect more about what trade offs I made to enjoy the bounty of Silicon Valley from the very start of "what's a computer?".

For all my Luddite postings, I am not a true Luddite in the sense that I do not want all the GOOD stuff thrown into a trash bin because some BAD stuff overwhelmed everything (up to now). Folks posting here are all interested in making more GOOD stuff and fixing the BAD so it isn't so bad and that's a...


July 1, 2020 11:51 AM

Phaete on Securing the International IoT Supply Chain:

Most of the routers in private/smb internet connections are delivered by the ISP with the connection (and upgraded when needed).
And again most of them have some custom firmware from the ISP.
I had to install a separate router instead of their modem/router combination garbage.
Not just for security but mainly to control traffic flow in/out my network.

Just regulating them to install a 'secure' router and maintain it will be a very big deal. They can put the pressure on the manufacturers.

But accountability is going to foil it here, you cannot guarantee a...


July 1, 2020 11:09 AM

Chelloveck on Securing the International IoT Supply Chain:

"That would put pressure on manufacturers to make sure their products are labelled as compliant with the standards set out in this security framework"

Call me a cynic, but it's a lot cheaper to just print a UL, CE, or Council of Conscientious Concerned Cryptographers certification logo than to actually do the work. It's not like merchants actually verify manufacturers' certifications. They just sell it and push the blame back if anyone calls them on it. You might successfully block products from being sold by the big names like Amazon or Best Buy, but the...


July 1, 2020 11:00 AM

Michel on Securing the International IoT Supply Chain:

... so the remedy is not to let any UI-less IoT access anything that is not one of the non-routable IP addresses - let a separate piece of software, installed and running on a local network, handle further contacts if any.

Having a closed "thing" with unrestricted-Internet access installed in my own home appears to be such an immense opportunity for abuse that I fail to understand how it happened at all.

July 1, 2020 10:31 AM

myliit on Friday Squid Blogging: Fishing for Jumbo Squid:

@popcorn eaters, misc.

I’m going to try to take a break for a while. Before I do, however, here’s a look at one event in a retirement community in the land of our President or the United States of Amnesia (“‘USA’”):

https://twitter.com/davenewworld_2/status/1276965068048158720 millions of views, 2:07

“Seniors [ older people ] from The Villages in Florida protesting against each other ...”

Meanwhile, I might head over to:...


July 1, 2020 10:20 AM

rrd on Friday Squid Blogging: Fishing for Jumbo Squid:

@ Clive & SpaceLifeForm

That's simply fantastic, the kind of education that makes this place great. Thank you both for both your selfless time and effort. Such incredibly concise deep-dives.

@ etv

Thanks for the very interesting link. That definitely very much looks like the kind of approach I have in mind.

@ ALL

As a software guy, I'm realizing that I intrinsically view such a design exercise as finding which model(s) would best facilitate developing such a system, those models being inseparable from the modelling tools. You have all plugged a...


July 1, 2020 10:16 AM

Clive Robinson on Securing the International IoT Supply Chain:

@ Bruce,

And our solution is: enforce the regulations on the domestic company that's selling the stuff to consumers.

It's the most expensive and most difficult if not impossible place to do it. Thus the place that is most going to hurt the consumer.

Let's assume the IoT designer / manufacturer decides to "add a little security"; the most likely way to do that is with "key signing executable code".

This turns the device into a "walled garden" not just for the consumer but the US distributor as well.

As we've seen with Android and iOS...


July 1, 2020 9:30 AM

myliit on Android Apps Stealing Facebook Credentials:

At least with Apple, you might have tolerable to excellent functionality, depending on your needs, without having to install many, if any, third party apps.

July 1, 2020 7:03 AM

Petre Peter on Android Apps Stealing Facebook Credentials:

Google or Apple cannot scan all the applications in their entirety, so they have to rely on trusting the developers not to be malefic. It's the same way the ESRB rating works for video games with the difference being that when I was playing tekken3 Facebook wasn't around and I didn't have to worry about my bank account because I paid cash for the CD. Today, the priority for these stores is how easy it is to make purchases. Security comes after.

July 1, 2020 6:19 AM

etv on Friday Squid Blogging: Fishing for Jumbo Squid:

Andrew Zonenberg has been looking at secure FPGA hardware/OS setups for some time

hXXps://www.researchgate.net/publication/305810806_Antikernel_A_Decentralized_Secure_Hardware-Software_Operating_System_Architecture

July 1, 2020 4:00 AM

Don't trust anything, anyone, ever. on Android Apps Stealing Facebook Credentials:

I think we can safely add Norton/Symantec to this list. Maybe not exactly stealing the credentials but rather *ignoring* some gov't keyloggers/backdoors with their IPS/IDS installed on private users' endpoints and/or collecting *telemetry*, saving it (by writing to a file) in a secret location on a local endpoint, then sending it at a later date (encrypted) to either Symantec or the interested party (gov't) for *analysis* and future product *improvements*. And the dummy, the customer who PAYS for the service/product, has no idea he/she is being screwed and paying for it on top. Similar...


July 1, 2020 3:24 AM

lurker on Friday Squid Blogging: Fishing for Jumbo Squid:

@name.withheld...

Shades of Wuhan in Texas

No, it'll never happen. The Chinese method that is, in Texas. Australia and New Zealand both closed their borders early, but avoided a conflict by allowing their own citizens to continue to come home from the world's danger spots. During the initial 4 weeks tight lockdown the returnees were shut in at home, no problem.

As the lockdown eased a few of the more liberal minded returnees tried to skirt round the corners of "self-isolation". So hotels vacant from the lack of foreign tourists were pressed into...


July 1, 2020 2:36 AM

Clive Robinson on COVID-19 Risks of Flying:

@ JonKnowsNothing,

And for all of the above, his only requirements are: Grass and Water

And love, and you stopping by everyday come rain or shine to check and provide those little extras.

You can not put a horse in the garage and go away on vacation for a couple of weeks or business trips etc

But as you note getting him ready to roll in the morning is rather more than stuffing a bit of toast in your mouth whilst turning the ignition key...

I'm old enough to remember horse drawn carts of a few tradesmen such as the...


July 1, 2020 1:25 AM

JonKnowsNothing on COVID-19 Risks of Flying:

@Jon

Those are valid points as far as they go... but you might have missed a few side paths.

5G is faster than 4mph. It doesn't require a 4-hour RT. It can be done from horseback, a boat, a train, on foot, on bicycle...

Horse emissions are biodegradable and if you like mushrooms, white, crimini or portabella, you know they like what horses produce.

Given that a good many hi-tech folks, consider their urban dwellings and lifestyles as "THE WAY PEOPLE LIVE", they often miss that a great part of the world does not live in the same sort of environment....


July 1, 2020 12:13 AM

SpaceLifeForm on Friday Squid Blogging: Fishing for Jumbo Squid:

@ rrd, weather, Clive

"I'm referring to the *entire* system: kernel, devices, the whole thing. This is a greenfield, no limits, clean from-scratch design exercise."

Well, if you really think you want to take that path...

1. You have un-imaginable work to do

2. Look at FPGA

3. All development must be done offline. You will need to hand transfer all source code to a *trusted* machine that is off-net.

4. You will need to rebuild all software on the *trusted* machine from scratch using a *trusted* kernel, *trusted* toolchain, and a few more...


June 30, 2020 11:18 PM

SpaceLifeForm on Friday Squid Blogging: Fishing for Jumbo Squid:

@ Drone

Lie, Destroy, or Blame?

The 3 things that the fascists have been looping on for eons, in order to extract money.

A loop of their own design.

Covid-19 has exposed their useless system.

June 30, 2020 10:16 PM

SpaceLifeForm on Friday Squid Blogging: Fishing for Jumbo Squid:

@ Drone

Lie, Destroy, or Blame?
(repeat...)

A play on words of the useless DOS three choice dialog box.

Reboot the system means we must vote and remove the malware next year (US).

The current system has a horrible UX (User eXperience).

https://en.wikipedia.org/wiki/Abort,_Retry,_Fail%3F

"It has become an icon of poor interface design, because it led exactly nowhere . . . A veritable Catch 22, since the only viable option appeared to be to keep typing R until one was...


June 30, 2020 9:10 PM

Jon on COVID-19 Risks of Flying:

@JonKnowsNothing

Sounds delightful, except you are overlooking a few more requirements, one being a large amount of underpopulated and reasonably fertile real estate(1).

Grass is not common in urban areas(2) and complaints about your horse's 'emissions' might come rather more frequently in more densely populated areas.

An average speed of 4mph, given a reasonable commute of 16 miles, implies a four-hour trip - one-way. To many this would also be unacceptable. I imagine you are quite fortunate in not having such that every day. Many people are not as lucky as...


June 30, 2020 8:27 PM

JonKnowsNothing on COVID-19 Risks of Flying:

@Sancho_P

No (I have a so called smart phone)
No (I have a so called smart tablet)
No (btdt, all done now)

I can faithfully attest that riding my horse is a very enjoyable experience.

I get to see the sky, the birds, the coyotes, enjoy the agricultural area and watch the grapes and oranges grow and get harvested. I can watch the hawks as they soar overhead and the local ground squirrels raise their pups. I get loads of time to think about what my next plans are (or aren't). (1)

He does not require oil changes, new engines, new transmissions,...


June 30, 2020 7:48 PM

Jon on COVID-19 Risks of Flying:

Incidentally, I suspect that travelling by personal automobile the same distance is still more dangerous than on a jet airliner, despite the virus. J.

June 30, 2020 6:30 PM

Clive Robinson on Android Apps Stealing Facebook Credentials:

@ Jesse Thompson,

An analogy...

We can not stop people in the street throwing stones...

I think most would accept that as being a reasonable assumption.

However if we are given sufficient freedom we can put up walls/fences or hedges, shrubs, trees or build our homes a sufficient distance back from the street, such that potential stone throwing is mitigated.

The alternative is that some "authority" comes along and walls off every house from the street, and puts in "one size restricts all" doors and security systems.

If you have seen such...


June 30, 2020 6:30 PM

Weather on Friday Squid Blogging: Fishing for Jumbo Squid:

@rrd
Even 0xa5 would be better. I only have a 15 year old laptop running WinXP Home; maybe Linux could process it, but Linux skill isn't the question.
A 0x00-0x7f syntax 32 long, I will know if it is a sha2 hash, but the only reason I got a computer is someone died.

June 30, 2020 6:12 PM

Clive Robinson on iPhone Apps Stealing Clipboard Data:

@ Gruel,

You've got the general idea.

But text itself is a problem because it frequently has attributes that people want to keep after transferring it such as "bold", "italicized", and a whole lot more.

But even if they don't the question of "fonts" and "extended characters" for the likes of Internationalization occurs.

Which brings in the issues of multibyte characters and backwards and forwards compatibility.

The whole thing is just an entire mess that users generally do not get to see except for when they don't get what they want, which often...


June 30, 2020 6:02 PM

rrd on Friday Squid Blogging: Fishing for Jumbo Squid:

@ Weather

>> It will take me a week to understand that, but can you send me a keyboard 92 char with 6 char input to openssl sha256, so the testorcheck function can be checked.

Done. And you've got three days, tops ;-)

June 30, 2020 5:46 PM

rrd on Friday Squid Blogging: Fishing for Jumbo Squid:

@ Thunderbird

[Oops, your post arrived while I was composing my previous.]

>> I think the primary characteristic is that it does not execute a program.

Ohh, you're no fun anymore ;-)

But, yeah, I'm referring to security from bad actors that are not the owner! That said, I do believe there is a path to that, too, but hoo-boy that would be the ultimate protection.

As with any project like this, the key is to start minimally and then expand carefully. As @Weather said, there are numerous technological approaches to walling off our processes, and I...


June 30, 2020 5:31 PM

Clive Robinson on Friday Squid Blogging: Fishing for Jumbo Squid:

@ rrd, ALL,

When setting out to design a truly secure general purpose computing system (functioning like a modern pc), what is the single most important characteristic the resulting operating system must possess?

The short answer would be that,

    It should maintain confidentiality at all times.

It sounds a little trite but it's actually very very difficult to do, hence the old joke about disconnecting your computer, setting it in a large concrete block and dropping it in the deepest ocean trench...

The important thing to note however...


June 30, 2020 5:28 PM

Sancho_P on COVID-19 Risks of Flying:

@JonKnowsNothing

Luddite? Do you have (and watch) TV? A job?
- Wouldn’t eremite / caveman be more appropriate? ;-)

My “free” means “We don’t wear a mask because we are free”, as seen in the US and everywhere in the west.

… Of course we can travel by donkey and Rocinante, Sire!
- But we don’t :-(

June 30, 2020 5:27 PM

Jesse Thompson on Android Apps Stealing Facebook Credentials:

@Clive

At least in this case, upon our first hearing of it the apps have been identified and eradicated. I did not get that sense from Apple's story.

2.34 million downloads over 25 apps (averaging less than 5 figures per app) doesn't sound like the apps had to have been up for very long before being discovered. And if the malicious code they had in common was a zero day, then we don't have any evidence that Google allowed the apps to remain available for a single day longer than any researcher would reasonably have been able to detect their fault.

Now I do...


June 30, 2020 5:27 PM

Weather on Friday Squid Blogging: Fishing for Jumbo Squid:

@rrd
It will take me a week to understand that, but can you send me a keyboard 92 char with 6 char input to openssl sha256, so the testorcheck function can be checked.

June 30, 2020 4:50 PM

rrd on Friday Squid Blogging: Fishing for Jumbo Squid:

@ Weather

CvP seems interesting (from the little I've gleaned so far from googling this site), but I'm not interested in having to overcome inherent insecurities in my system's components. And the sandboxes for userland processes certainly are a sound idea, and perhaps even successful in practice (I wouldn't know), but I'm interested in security by design, not security as a result of having to deal with bad payloads.

I'm referring to the *entire* system: kernel, devices, the whole thing. This is a greenfield, no limits, clean from-scratch design exercise.

As to...


June 30, 2020 4:23 PM

Thunderbird on Friday Squid Blogging: Fishing for Jumbo Squid:

I'm specifically asking what primary characteristic is required for such a working general purpose computer system whose OS implementation is absolutely secure.

I think the primary characteristic is that it does not execute a program. I believe it is the case that for any computer complicated enough to do something useful and any definition of "absolutely secure" that matches most people's intuition, it won't be "secure." Therefore, it can't do anything and be secure.

But, if you're willing to accept "pretty secure" I would say first of all you...


June 30, 2020 4:15 PM

Gruel on iPhone Apps Stealing Clipboard Data:

Copy and paste between different apps is the majority of my personal usage of the feature, both on desktop and mobile.

What should happen is that copy/paste should be an OS-provided service that apps have no access to... all the apps see is a stream of characters coming in on paste that look exactly the same as if the user had literally typed them out. That's all. No direct access to the clipboard for apps.

I guess that would only support text clipboards, not images. I personally rarely if ever use images. But I could see that being different for some others. To...


June 30, 2020 3:57 PM

Weather on Friday Squid Blogging: Fishing for Jumbo Squid:

@vas pup
It's called firehouse syndrome, based on firefighters not having much to do most of the time and talking about concectivle stranger ideas over breaks.
But isn't it a good thing they are not used much?

June 30, 2020 3:37 PM

vas pup on Friday Squid Blogging: Fishing for Jumbo Squid:

Germany to overhaul elite army force tied to right-wing extremism
https://www.dw.com/en/germany-to-overhaul-elite-army-force-tied-to-right-wing-extremism/a-54004898

"German Defense Minister Annegret Kramp-Karrenbauer plans on restructuring the country's Bundeswehr's Special Forces Command (KSK) in the wake of numerous allegations of far-right extremism among its ranks, German media reported on Tuesday.

According to newspaper Die Welt, Kramp-Karrenbauer...


June 30, 2020 3:15 PM

Clive Robinson on Friday Squid Blogging: Fishing for Jumbo Squid:

@ rrd,

my wife's son called (he is now finally beginning work as a doctor after all these years)

I wish him and the rest of the family well in these troubling times. Front line medical staff are at risk more of the time than we perhaps realise even in better times.

My son's mum is a cardiac specialist but still spends a lot of her time with clinics and patients she has frequently mentioned that these days the police are almost always present at hospitals. In fact a hospital she used to work in that became famous because it had a number one chart...


June 30, 2020 3:02 PM

Awaywego on Criminals and the Normalization of Masks:

From rrd:
“ of black people still being regularly gunned down in the street ”
Throwaway line from a rabid progressive Labour Party member.
Oh yes it may well be true if it were Shitcago, or Baltimore.
Pre-Pandemic. Anybody wearing a bandanna, kerchief face mask and sunglasses into a bank would be cause for alarm, maybe.

June 30, 2020 2:44 PM

Clive Robinson on Android Apps Stealing Facebook Credentials:

@ Bruce,

I should make the same comment today about Google and its Walled Garden as I did yesterday about Apple's Walled Garden.

But the simple fact is it's not just Google and Apple; I've yet to find a Walled Garden with 3rd Party Apps that has honoured its majorly touted "reason to exist", the promise to keep users safe from malicious programs and exploiters...

I indicated back when Microsoft said similar things about TPM that I doubted it was possible and so it's turned out to be so.

The reality is these walled gardens are not just a failure security...


June 30, 2020 1:15 PM

Weather on Friday Squid Blogging: Fishing for Jumbo Squid:

@rrd
About a secure general purpose computer, I'll say a prison setup, where each program gets its own play box with guards and a Warden (kernel) checking the guards.
I'll try and find the link on here, but if you write a program that gets injected into another program before the main function, then your program runs one asm instruction at a time from what it injected to, saving register and flag vars after the one instruction; you are then free to encrypt or decrypt on the fly, check memory data, strings etc., a really basic IDS, or block instructions.
You can make the...


June 30, 2020 12:28 PM

rrd on Friday Squid Blogging: Fishing for Jumbo Squid:

@ Weather

Thanks. I just realized my use-case is solely about document integrity verification, not the use-case of storing the hash of a password so it's not transmitted or stored in plaintext. In the second case, the collision itself is a system failure, whereas a forged document must be semantically meaningful to result in a successful attack.

Underlying assumptions got me; I apologize for the lack of clarity; however, this conversation has really helped me clarify my own thinking.

To sum up my understanding now: for binary (non visually inspectable) files, I...

Read More →

June 30, 2020 11:13 AM

Weather on Friday Squid Blogging: Fishing for Jumbo Squid:

@rrd
It does make a difference if it's an 8, 16, 24, 32 char password compared to a 100mb file, as collisions aren't the only area that needs protecting; knowing what made that hash value might be the point. Even with two 64-bit you run through all 8*0xff for md5 and separately for sha1 16*0xff and then compare the colliders; if you have 8 chars that match the first 8 chars of sha1 it will be less than 3^64

June 30, 2020 11:00 AM

Chris on iPhone Apps Stealing Clipboard Data:

I tend to give all those apps the benefit of the doubt regarding scraping the clipboard intentionally. To me it looks more like they all use some intrusive SDK, perhaps Google's or Facebook's or one of the many product usage analytics solutions, that does it. Of course, without inspecting the app source code, this is just speculation. Which begets the question whether there is a known open-source app that also triggers the warning.

The clipboard is there to facilitate data exchange between different applications and it is inherently insecure, which is why passwords should never...

Read More →

June 30, 2020 9:13 AM

Alejandro on iPhone Apps Stealing Clipboard Data:

A small mean thought: Think how much fun it would be scamming the collectors by putting...irreverent....comments on your copy/paste cache. Tee Hee.

June 30, 2020 8:21 AM

rrd on Friday Squid Blogging: Fishing for Jumbo Squid:

@ Weather

>> because if they find a collision for md5 there's no guarantee that sha1 will collide

Yeah, I'm guessing well-nigh impossible for the same source document.

>> If they are chained, then it is as strong as one hash.

With that much computation, I'd probably just use a newer, wider hash function, like SHA-256 or whatever.

>> With computer processor now days 128bit hash is stronger than two 64bit because they can be attacked seperatly

Yeah, but that goes back to my original thought: will two different hashes of the same data ever be...

Read More →

June 30, 2020 8:15 AM

John on Analyzing IoT Security Best Practices:

I like the Nutrition Label idea the best. It is a light-touch by Govt for evolving technology, but depending on what is mandated on the label, can be a hammer.

Computing & IoT devices need to have a few things printed on the box:

* Support EoL date
* Patch schedule
* What works without internet connectivity
* What requires internet connectivity to work
* List of all {domains|IPs}:{ports} required for each network connection
* List of protocols used for each external connectivity
* 2FA standards supported
* How new firmware is...

Read More →

June 30, 2020 7:35 AM

Ergo Sum on iPhone Apps Stealing Clipboard Data:

@Ismar Duderija..

Unfortunately, the trend towards convenience still seems to be winning and now you can even sync your clipboards between devices as well - what kind of usage workflow would this be supporting I have no idea?

Not to downplay the risk of security and privacy implications of the clipboard history, but...

By default, the clipboard history is disabled in Windows 10. For the ignorant masses, enabling it is just a simple click in settings. Unless the administrator of the systems disabled clipboard history in the registry,...

Read More →

June 30, 2020 6:25 AM

Clive Robinson on Friday Squid Blogging: Fishing for Jumbo Squid:

@ MarkH,

Based on what we know, how could people have been infected without it soon becoming obvious?

Well one way is for a transitory visitor from China.

We still do not know enough about how a SARS-CoV-2 infection progresses in a human, especially in the outliers at beyond 12 days from initial infection to being infectious.

It may well be the case that the usual transport of mucus through the GI shows signs in stools etc up to several days before an individual produces enough virus in their breath to represent a sufficient viral load to...

Read More →

June 30, 2020 4:04 AM

Ismar Duderija on iPhone Apps Stealing Clipboard Data:

Why, o why, should the apps be allowed to access clipboard content without user interaction - what possible valid scenario would allow for hijacking of this functionality?

One way for an OS to implement a decent compromise between security and convenience here is by

1. Only allow reading from clipboard (copying, cutting) and writing to clipboard (pasting) when user initiates the action

2. Restrict clipboard history to the same app - i.e. don't allow apps to read content of the clipboard populated from a different app apart from the last clipboard entry (and also...

Read More →

June 30, 2020 3:08 AM

MarkH on Friday Squid Blogging: Fishing for Jumbo Squid:

@Clive, re Spanish report of "premature Covid":

I pondered this for some time. It seems very likely to be some kind of false positive.

Based on what we know, how could people have been infected without it soon becoming obvious?

In the unlikely event that SARS-CoV-2 was indeed in their sample, one can imagine that some animals were infected without transmission to humans ... and that somehow, enough of their shed virus made it into Barcelona's sanitary sewage system?

A brief look at how things might have gone astray:...

Read More →

June 30, 2020 2:12 AM

SpaceLifeForm on Friday Squid Blogging: Giant Squid Washes Up on South African Beach:

As expected, ncov2019 aerosol is bad. Do not fly.

hxxps://wwwnc.cdc.gov/eid/article/26/9/20-1806_article

Abstract

We aerosolized severe acute respiratory syndrome coronavirus 2 and determined that its dynamic aerosol efficiency surpassed those of severe acute respiratory syndrome coronavirus and Middle East respiratory syndrome. Although we performed experiment only once across several laboratories, our findings suggest retained infectivity and virion integrity for up to 16 hours in respirable-sized aerosols.

June 30, 2020 2:05 AM

Clip Bored on iPhone Apps Stealing Clipboard Data:

Fortunately I don't use any of the listed apps. However I agree that notifications about which apps accessed my clipboard and when is a good step.

I still wonder why does the OS even let the clipboard contents linger once it's been pasted? Or like 1 minute after paste in case you have to paste a password more than once.

Or just autoclear the effing clipboard based on user setting -- same as the one for "require unlock password after: immediately, 1 min, 5 mins, 15 mins" in user settings.

Or maybe have a separate private clipboard for copying from "sensitive...

Read More →
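The proposals in the comments above (reads and writes only when the user initiates them, per-app clipboard history with only the latest entry shared across apps, a timed auto-clear, and a record of which app accessed the clipboard and when) can be checked against each other by modelling them as one small policy engine. The following is an added example written for this page, not code from any commenter and not iOS or Windows clipboard code; the app names, the 60 second timeout and the injectable clock are constructed for the demonstration.

```python
"""Toy model of a clipboard that enforces the rules proposed in the thread:
   1. copy/paste only when user-initiated (no background reads),
   2. history visible to an app is its own entries plus the latest shared one,
   3. entries expire after a TTL (auto-clear),
   4. every access attempt, allowed or not, is recorded for notification.
Added example, not an OS API; names and timings are constructed."""
import time
from dataclasses import dataclass


@dataclass
class Entry:
    owner: str        # app that wrote the entry
    text: str
    written_at: float


class Clipboard:
    def __init__(self, ttl_seconds=60.0, now=time.time):
        self.ttl = ttl_seconds
        self.now = now            # injectable clock so expiry is testable
        self.history = []         # oldest first, newest last
        self.audit = []           # (app, action, allowed)

    def _expire(self):
        cutoff = self.now() - self.ttl
        self.history = [e for e in self.history if e.written_at >= cutoff]

    def copy(self, app, text, user_initiated):
        """Rule 1 for writes: a background write is refused and logged."""
        self.audit.append((app, "copy", user_initiated))
        if user_initiated:
            self.history.append(Entry(app, text, self.now()))
        return user_initiated

    def paste(self, app, user_initiated):
        """Rule 1 for reads: returns the latest entry only for a user action."""
        self._expire()
        allowed = user_initiated and bool(self.history)
        self.audit.append((app, "paste", allowed))
        return self.history[-1].text if allowed else None

    def history_for(self, app, user_initiated):
        """Rule 2: an app sees what it wrote itself, plus the newest entry."""
        self._expire()
        self.audit.append((app, "history", user_initiated))
        if not user_initiated:
            return []
        visible = [e.text for e in self.history if e.owner == app]
        if self.history and self.history[-1].owner != app:
            visible.append(self.history[-1].text)
        return visible

    def accesses_by(self, app):
        """Rule 4: the data an 'app X read your clipboard' notice is built from."""
        return [a for a in self.audit if a[0] == app]


def scenario():
    """Constructed walk-through: a password is copied, a news app tries a
    background read, a browser pastes legitimately, then entries age out."""
    clock = [0.0]
    cb = Clipboard(ttl_seconds=60.0, now=lambda: clock[0])
    cb.copy("PasswordManager", "hunter2", user_initiated=True)
    leak = cb.paste("NewsApp", user_initiated=False)        # refused
    legit = cb.paste("Browser", user_initiated=True)        # "hunter2"
    clock[0] = 30.0
    cb.copy("NewsApp", "headline", user_initiated=True)
    hist_pm = cb.history_for("PasswordManager", True)       # own + latest
    hist_browser = cb.history_for("Browser", True)          # latest only
    clock[0] = 61.0                                         # password aged out
    after_ttl = cb.paste("Browser", user_initiated=True)    # "headline"
    hist_pm_late = cb.history_for("PasswordManager", True)  # password gone
    clock[0] = 95.0                                         # everything aged out
    empty = cb.paste("Browser", user_initiated=True)
    return {
        "leak": leak, "legit": legit, "hist_pm": hist_pm,
        "hist_browser": hist_browser, "after_ttl": after_ttl,
        "hist_pm_late": hist_pm_late, "empty": empty,
        "news_audit": cb.accesses_by("NewsApp"),
    }


if __name__ == "__main__":
    for k, v in scenario().items():
        print(k, "=", v)
```

The denied background read still lands in the audit list, which is what the "tell me which app accessed my clipboard and when" notification would be driven from; the TTL is applied lazily on each access so a stale password is never handed out even if nothing else has touched the clipboard since it was copied.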

June 30, 2020 1:42 AM

Johnas on FTC Investigating Android Patching Practices:

I agree with the author. It’s time for a long time to come up with an automation and testing life cycle so that updates from Google adapt automatically for each smartphone and don’t have to wait half a year or not receive this update at all.

June 30, 2020 12:59 AM

Clive Robinson on Friday Squid Blogging: Fishing for Jumbo Squid:

@ name.withheld...,

Sorry @ Clive

No worries, the thoughtful reply was much appreciated and hopefully others will read it and realise what is creeping up on the ordinary citizen bit by bit, in enough time that something might be done to stop it.

June 29, 2020 10:45 PM

Weather on Friday Squid Blogging: Fishing for Jumbo Squid:

@rrd
If you have two different hash programs in parallel and both have to check out from the file it's more secure, because if they find a collision for md5 there's no guarantee that sha1 will collide.
If they are chained, then it is as strong as one hash.
With computer processors nowadays a 128-bit hash is stronger than two 64-bit because they can be attacked separately.

With your question I'll say accuracy and repeatability for a general purpose computer.

June 29, 2020 9:51 PM

rrd on Friday Squid Blogging: Fishing for Jumbo Squid:

@ name.withheld...

Our city has a notice that says that, through the CARES Act, it has a rental and utility assistance program for people who face employment hardship due to the pandemic (as we will as the stimulus unemployment benefits will be done in a few weeks), there being a hotline residents can call.

We haven't called yet to see if we are eligible or how much assistance may be available, but our state's govt is fully Dem and seems to be doing a good job on all fronts so I am hopeful.

And, from one cynic to another, there is a special place but I'd rather...

Read More →

June 29, 2020 9:50 PM

name.withheld.for.obvious.reasons on Friday Squid Blogging: Fishing for Jumbo Squid:

... maybe they should take a look at the US justice system in the likes of Chicago where "illegal detention centers" were setup and used against those on the lower rungs of the socioeconomic ladder.
Have been to the south side of Chicago but it was ten years ago. What was astonishing was that the physical landscape was out of a surreal dystopian failed "Planet of the Doomcoughs" movie where the button had been pressed and nuclear winter had arrived. Not too dissimilar from images from WWII, Beirut, Lebanon, or Gaza in the Middle East. It was so eerie and unsettling...

Read More →

June 29, 2020 9:44 PM

Weather on Friday Squid Blogging: Fishing for Jumbo Squid:

@rrd
The program generates a SHA-256 32-byte hash from 3 bytes, most of the range; the program then runs a formula on the 32-byte hash, compares it to other ones that got the same value, and uses the table of what 3 bytes the chars were; if the values work out to the same there's a 19% chance they were also in the new hash.
The 19% can change to a high percent, but then it's more likely >80 chars.

Still have to think about the rest of your reply.

June 29, 2020 9:21 PM

rrd on Friday Squid Blogging: Fishing for Jumbo Squid:

@ Weather et al

So, old hashes (eg: SHA1 and MD5) have collision problems, but (I assume) they are way faster than their newer, wider variants.

Why not just use both hashes on the same document? Given a specific document, certainly a collision that allows the document to be altered for one of the hashes could not possibly also result in a useful collision for the other hash given the same document, no?

I'm guessing that two smaller hashes computed concurrently would be less computationally expensive than the newer hashes (assuming the source file need not be read...

Read More →
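The question above (two older hashes run concurrently over one read of the file, instead of a single wider hash) and the replies earlier on this page (parallel verification rejects a collision in either hash; chaining is only as strong as one hash) can be made concrete. The following is an added example written for this page, not code from any commenter: it reads the data once and feeds MD5, SHA-1 and SHA-256 in lockstep, verifies a manifest by requiring every listed digest to match, and shows the chained construction beside it. The constant-time comparison via `hmac.compare_digest` is my choice, and the `"abc"` sample input is constructed.

```python
"""Single-pass multi-digest hashing and AND-verification of a digest manifest.
Added example illustrating the MD5+SHA-1 thread; not any commenter's code."""
import hashlib
import hmac
import io

CHUNK = 64 * 1024
DEFAULT_ALGOS = ("md5", "sha1", "sha256")


def digest_stream(stream, algorithms=DEFAULT_ALGOS):
    """Read the stream exactly once and update every hash object per chunk.
    This is the 'computed concurrently' case: one I/O pass, N digests."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    while True:
        block = stream.read(CHUNK)
        if not block:
            break
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_bytes(data, algorithms=DEFAULT_ALGOS):
    return digest_stream(io.BytesIO(data), algorithms)


def chained_digest(data):
    """The 'chained' case: sha1(md5(data)). Any MD5 collision pair collides
    here too, so the chain inherits MD5's 128-bit collision bound regardless
    of SHA-1's output width."""
    return hashlib.sha1(hashlib.md5(data).digest()).hexdigest()


def verify_manifest(data, manifest):
    """Parallel verification: accept only if EVERY digest in the manifest
    matches. A forged file that collides under one algorithm but not the
    other is rejected. Returns (ok, names_that_disagreed)."""
    actual = digest_bytes(data, tuple(manifest))
    disagreed = [
        name for name, expected in manifest.items()
        if not hmac.compare_digest(actual[name], expected.lower())
    ]
    return (not disagreed), disagreed


if __name__ == "__main__":
    sample = b"abc"  # constructed input
    print(digest_bytes(sample))
    print("chained:", chained_digest(sample))
    print(verify_manifest(sample, {"md5": digest_bytes(sample)["md5"],
                                   "sha1": "00" * 20}))
```

Requiring both digests to match is never weaker than either alone, but concatenating two hashes is known not to be as strong as a single hash of their combined width (Joux's 2004 multicollision result), which is why the reply suggesting a single wider hash such as SHA-256 is the simpler answer to the original question.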

June 29, 2020 8:13 PM

rrd on Friday Squid Blogging: Fishing for Jumbo Squid:

@ Clive

[from your comment to Bruce's "Commenting Policy for this Blog]

>> As for the posters here we are an eclectic bunch from all corners, and our differing points of view encourage thinking in a wider scope and give not just breadth but often considerable depth on not just arcane technology but things that are yet to be. I've lost count of the number of times things have been discussed on this blog that subsequently come to be. Sometimes the comments are years ahead of what is being considered even in academia, and as I've indicated before you will read here things that...

Read More →

June 29, 2020 6:22 PM

Steve on The Unintended Harms of Cybersecurity:

@SpaceLifeForm:

I'm pretty sure that insanity spreads faster than the speed of light.
Makes sense to me. It has no mass and less information.

June 29, 2020 6:15 PM

JonKnowsNothing on COVID-19 Risks of Flying:

@Sancho_P

at the risk of sounding more of a Luddite than normal...

re: 1. We are free

This is debatable depending on where in the world you happen to live, what legal systems are in place and WAI (working as intended), religion, ethnicity, gender(all types of) and a host of other criteria.

We have an "illusion of freedom" and we have an "ideal of freedom". Sometimes those match up. Sometimes they don't.

Freedom is also associated with wealth and disposable income. You can be Free and have no food, no shelter, no legal recourse, no ability to...

Read More →

June 29, 2020 5:08 PM

Sancho_P on COVID-19 Risks of Flying:

(@Smith, ...)

I hate to say that, but it doesn’t matter whether @Bruce takes to the plane or not.
It doesn’t matter either to him or to others. There’s no risk, just normality.
We can delay it for weeks, but we (individuals) can not stop “the flu”.
Likely westerners never could.
Two reasons: (1) We are free + (2) we can not stop flying / traveling.

America first!
Yes, they did a very good, a great, a tremendous job! Fantastic! Top!
Clap, clap, clap.
- But EU will follow suit, in just a couple of weeks.

I’m literally...

Read More →

June 29, 2020 4:29 PM

name.withheld.for.obvious.reasons on Friday Squid Blogging: Fishing for Jumbo Squid:

CNN Report, a Houston Hospital and Pandemic Triage Shades of Wuhan in Texas
CNN reported today, 29 June 2020, an example of the COVID-19 patient experience and a hospital walk through that informs to a degree that has not been done before in the MSM. I cannot believe I am crediting CNN, hardly a bastion of journalism--but there it is.

The ability to grasp reality seems to be the skill acquired by those that live their lives at an abstract and unconscious level later in life, if ever. The YouTube video is at:...

Read More →
