Recent Comments


December 4, 2016 6:04 AM

Clive Robinson on Auditing Elections for Signs of Hacking:

@ MotorVotor,

An ID by itself is meaningless unless it is tied to *citizenship.*

Define what a "citizen" is other than where they were born?...

That is if someone works, pays their taxes and contributes to society, why should they be denied a chance to have a say in the society they live in?

It's the problem with "sound bite politics" used to "vote grab", it all sounds very appealing until you actually start to think about things from "If that were me, what would I want?" perspective.

As many are coming to think, the US exceptional lifestyle is drawing to its conclusion, jobs and money are fleeing outwards to other havens. It might not be that long before say your grand children become economic migrants to say China, ask yourself how would you like them to be treated?...

December 4, 2016 5:54 AM

Clive Robinson on Friday Squid Blogging: Striped Pyjama Squid:

@ Denise,

Over-inflating the minimum wage has further consequences than inflated local prices. It effectively prices sub par workers out of labor market. Factories will move across borders in search of lower and fairer labour rates, raising our unemployment.

Unfortunately your explanation is not the reason "Factories will move". The reason the employment cost is so different is the "cost of society as a whole" not the "cost of labour".

Lower labour rates are found in undeveloped areas/nations, because there is no cost of development and no cost of maintenance. As the land has very low utility value because of the lack of development its value is subsequently very low as well. This in turn makes the cost of housing/accommodation very low as well, which is most workers' largest capital requirement.

Such situations are exploited by itinerant manufacturing, so what is cheap land/labour today will be increasingly more expensive over time. Thus you have the guarantee that the itinerant employer will move yet again leaving devastation in its wake at every jump.

But there is now a reason for the pace of jumping to increase, which is that more and more goods are becoming information based and less tangible than services. Thus the barrier to moving is significantly reduced. Hence we have the likes of outsourcing which are an absolute disaster in more respects than most can understand.

Ultimately it has a knock on effect in that outsourcing gets down to the individual. Thus wages everywhere go down to the lowest bidder irrespective of the quality of the work. This knocks on to the fact that workers can not afford to become skilled as there is insufficient return in doing so... The result ultimately is the economy not just stalls but stagnates.

Nearly all of this can fairly be laid at the doors of "quick buck" investors, known as shareholders. Who likewise cause the companies to enter into the labour skill fast flight jumping where the only thing of interest is the next quarter's share value. Which can only be maintained by the sort of "creative accounting" that Enron senior management indulged in.

But this is the trap that libertarians want to jump in with both feet and drag the rest of society in on top of them...

Much as people do not like it society grows by socialism with a small s and it's a tide that raises all boats. Conservatism with a small c allows for an individual ship to be more efficient. But if you get conservatism with a big C where the water is drained, and there is no tide, thus it does not matter how efficient you make a ship it's beached like a whale, to in short order suffer the same fate.

December 4, 2016 4:38 AM

Dubai offshore company on Headphones as Microphones:

In my long-ago youth (maybe Clive will appreciate this), I was very interested in sound recording and reproduction. Well aware of reciprocity in "dynamic" speakers, I tried using a speaker element of 12 or 15 cm as a microphone out of curiosity. I knew that it was too large to be sensitive to really high frequencies, and certainly wasn't optimized as a microphone, so I didn't expect much. Dubai offshore company formation

December 4, 2016 4:24 AM

Gerard van Vooren on A 50-Foot Squid Has Not been Found in New Zealand:


On one hand is liability the key. On the other hand: Who should pay the insurance needed under such a law for the Linux kernel? And the respective Linux distributions?

If you read the blog post that I linked you can read the vision of PHK. My opinion is that (F)OSS should legally be considered as hacking. There is nothing wrong with that. Everyone can express their creativity, jump in, eliminate and create bugs. The code can be verified etc.

That all changes when it becomes (part of) a product that is gonna be used for a profit. Whether that product is (F)OSS, closed source, or the web, cloud, it doesn’t make a difference. Then there should be liability. So the question is whether the Linux kernel is a product. I don’t think it is, but if the Linux kernel is being used in Red Hat, then that question is definitely yes and it’s Red Hat who is selling the product so they should be liable. And if they are then you can be damn sure they take commits much more seriously.

December 4, 2016 3:14 AM

Clive Robinson on Auditing Elections for Signs of Hacking:

@ ДѠѬ,

CIA war propaganda against Russia is osmotically instilled in your brains

Funny you should say that. On reading comments in this blog, when you remove the obvious agenda types; you find that those that remain are calling all sides' positions as bogus.

The reasons they give are,

  1. No testable evidence.
  2. No circumstantial evidence.
  3. Clear OMG credulity from reporting MSM etc.
  4. Clear agenda from primary accusers DNC etc.
  5. Clear agenda from administration Federal agencies.

But clearly the more thoughtful commenters appear to know the difficulty of proving attribution, as a recent discussion on the reliability of "Methods and Sources" and potential "False Flag" operations shows.

Importantly with a conventional crime it's generally possible to see a clear "for gain" motive thus the old "Follow the Money" investigative methodology will give up the likely suspects. That is the important point is "cyber-evidence" is actually of little or no worth in an investigation as conventional non "cyber" investigation techniques will suffice to track, identify and convict the culprits.

However with unconventional crime where the gain is indirect thus the intent is that of reputational damage, politically motivated or for propaganda reasons, investigation is rather more difficult. Because often there is no direct or clear "Follow the Money" trail to investigate. Nor are conventional investigators of much use as can be seen by the lack of --non plea bargain-- convictions for the likes of "Insider Trading" etc, except where the perpetrators have been in effect stupid and left sufficient direct or circumstantial evidence (see LIBOR scandal) that conventional investigation techniques will suffice.

You actually see little or no cyber evidence that does not have a direct correspondence with conventional evidence. That is digital photographs are like old style paper based photographs, it's not the storage medium that provides the evidence but the actual image contents. Likewise with other evidence such as documents and audio / video. Importantly it's the old conventional investigation techniques being used to investigate.

This is because digital evidence is extremely problematic as it's mostly intangible "information objects" impressed on some storage medium thus copying and manipulation are trivial compared to tangible "physical objects" of conventional evidence. In effect there is no solid ground to build a case upon.

This is because the problem with digital information objects is that they are "just intangible information" and information can be transformed easily in ways that make conventional forensic investigation impossible (think encryption as just one of many). This is because of a lack of the forensic touchstone of "trace evidence".

Trace evidence is the foundation of nearly all --if not all-- forensic science as we know it currently. It was the French forensics pioneer Dr. Edmond Locard who formulated the hypothesis of,

    Every contact leaves a trace.

This is known as "Locard's exchange principle" and comes from the knowledge that when physical objects are brought into contact they exchange small almost but not quite immeasurable parts of themselves. Thus a criminal at the scene of a crime might leave a fingerprint or DNA sample, likewise they take away tiny shards of glass, GSR etc on the criminal's clothing etc. Likewise tools leave almost unique marks when used, and minute samples of the material they have been used on become attached to the tool (think metal dust in the teeth of a file etc).

The problem with "information objects" is that they are intangible; they lack physical actuality, thus there is no physical trace evidence. Whilst there may be informational trace, the fact that digital information is so easily copied modified and morphed renders such informational traces as little more than fuel for a pissing contest between supposed experts trying to "Make a name therefore a gain." for themselves. Much like the "Publish or die" of academia.

But worse is the fact that the forensic techniques are almost always "Use once only"... To see why look at an example of a UK case a few years ago. The case effectively hung on an audio recording, that supposedly was made at a particular date and time. However it was demonstrated in court that the background "mains hum" in the recording was not from that date and time when compared to the "National Record" of mains frequency variation and correction, therefore the tape was called into question.

Whilst the specifics of what was tested and in what way are unclear, it's now public knowledge that such a method has been given credibility in a court. Thus anyone of sufficient technical ability will not only be able to repeat the tests, as the substance of the test is information they will now be capable of removing such a trace from an audio recording and then applying a trace corresponding to a different time and date... Thus the method is in effect a "one shot" forensic technique, as it only works against those who are unaware of it or lack the ability to exploit it.

Thus when it comes to "false flag" operations at government level, they have not just the technical ability, they also have "foreknowledge" of what is forensically possible in the way of information trace and therefore can adjust it to make others find the faux trace and thus make the mistake of believing it.

Which brings up the impossibility of "proving a negative", if you can not find evidence of information being modified, it in no way proves that it has not been modified.

Thus those with a knowledge of this are not just highly sceptical of "Cyber-Forensics" but are prepared not to call it "evidence" at all, and rightly so as it's not possible to show it has not been fabricated in some way...

Which brings us back to the notion of crimes are committed "for gain" and the notion of the test for "burden of proof". With tangible physical evidence the bar is set at the criminal "beyond reasonable doubt" for good and proper reasons. However with intangible informational evidence the very best you can get is the much much much lower coin toss "balance of probability" used in petty non criminal cases such as minor torts, where the harm of making a wrong toss of the coin is looked on as minimal...

But with the potential for escalation being high, some people think as the lives of their loved ones are involved even the "beyond reasonable doubt" is too low a bar to be aiming for. After all do you really want to start a kinetic war where civilian casualties and deaths will be high over political posturing with coin flip probability or worse fabricated evidence as the cause?

Perhaps people should ask the loved ones involved with each repatriated body bag from the Iraq conflict before they decide...
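The mains-hum comparison described in the comment above, as an added example that is not part of the original comment and not the method used in the case it mentions: a hum-frequency track from a recording is slid along a reference frequency log to see whether the best match falls at the claimed time. The reference log, the recording track and every function name are constructed for illustration, and the hum track is assumed to have been extracted from the audio already.

```python
import math
import random


def make_reference_log(seconds=600, seed=2016):
    """Constructed stand-in for a per-second record of mains frequency (Hz)."""
    rng = random.Random(seed)
    deviation, log = 0.0, []
    for _ in range(seconds):
        # Mean-reverting drift around a nominal 50 Hz grid frequency.
        deviation = 0.98 * deviation + rng.gauss(0.0, 0.004)
        log.append(50.0 + deviation)
    return log


def simulate_recording_hum(reference, start, length=60, seed=7):
    """Constructed hum track of a recording really made at `start`,
    with a little measurement noise added to each one-second estimate."""
    rng = random.Random(seed)
    return [f + rng.gauss(0.0, 0.0005) for f in reference[start:start + length]]


def pearson(a, b):
    """Pearson correlation of two equal-length series; 0.0 if either is flat."""
    n = len(a)
    mean_a, mean_b = sum(a) / n, sum(b) / n
    cov = sum((x - mean_a) * (y - mean_b) for x, y in zip(a, b))
    var_a = sum((x - mean_a) ** 2 for x in a)
    var_b = sum((y - mean_b) ** 2 for y in b)
    if var_a == 0.0 or var_b == 0.0:
        return 0.0
    return cov / math.sqrt(var_a * var_b)


def best_match(reference, hum):
    """Slide the hum track along the reference log; return (offset, score)
    of the best-correlated position, or (-1, -1.0) if the track does not fit."""
    best_offset, best_score = -1, -1.0
    for offset in range(len(reference) - len(hum) + 1):
        score = pearson(hum, reference[offset:offset + len(hum)])
        if score > best_score:
            best_offset, best_score = offset, score
    return best_offset, best_score


def check_claimed_time(reference, hum, claimed_offset, tolerance=2, min_score=0.9):
    """Compare where the hum track best fits the log with the claimed time.
    tolerance (seconds) and min_score are illustrative thresholds."""
    best_offset, best_score = best_match(reference, hum)
    if best_score < min_score:
        verdict = "no usable match"
    elif abs(best_offset - claimed_offset) <= tolerance:
        verdict = "consistent with claim"
    else:
        verdict = "inconsistent with claim"
    return {"best_offset": best_offset,
            "best_score": round(best_score, 4),
            "verdict": verdict}


if __name__ == "__main__":
    reference = make_reference_log()
    hum = simulate_recording_hum(reference, start=300)
    print("claimed t=300:", check_claimed_time(reference, hum, claimed_offset=300))
    print("claimed t=120:", check_claimed_time(reference, hum, claimed_offset=120))
    print("flat track   :", check_claimed_time(reference, [50.0] * 60, claimed_offset=300))
```

In line with the comment's argument, a "consistent" verdict is corroboration only: the test says nothing about a recording whose hum track was rewritten by someone who knows the reference log.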

December 4, 2016 2:19 AM

Karen Starrett on A 50-Foot Squid Has Not been Found in New Zealand:

@ Clive
Thank you for taking the time to reply, appreciated.
It's really a miracle that someone as inventive, original and insightful as yourself endured wearing the green for so long (not that I know how long).
Surviving blockheads with authority over you, all the middle management and utter inefficiency, carbon copy triplicate x 4 to order a meal etc. Diametric opposite of thinky hinky

@ Thoth
Thank you also for responding in depth. I wasn't actually asking about OTP, did get that it was not compatible with your project. Mentioned in context of old school methods - was in fact suggesting/asking about microdots as an old school steganography for your smartcard. I don't know if they have a place in modern computing cryptography/obscurity but it's an interesting thought. It would require kilobyte space to implement however.

@ Daniel

Thanks. You almost sorta lost me but I get the general gist.
I think people do care about privacy. They want curtains on their windows. They would be offended if someone eavesdropped on their conversation at a cafe, or opened their personal envelope before it was delivered. For some reason the electronic sphere seems to be more ephemeral in the mind of the average joanna and is not taken as seriously.

If one is going to split hairs I would say they want privacy but are not prepared to take threats to it seriously and/or are not prepared to do what it takes to uphold it.

@ All

New book for your interest.

A biography of the man who was the actual, genuine inspiration for James Bond as stated by Ian Fleming who witnessed him in action.
It's a full biography, very well written and researched. His extraordinary service to Britain as an agent during the war. His courage, ingenuity and capacity and scope was amazing. Dusko Popov. Agent stories really don't get any more remarkable than this. He provided FBI and Hoopy or whatever his name was, with the full details of the Pearl Harbour event about 4 months before it occurred, and followed it up more than once. They refused to do anything with the information.

December 4, 2016 12:17 AM

Ratio on Friday Squid Blogging: Striped Pyjama Squid:


I don't mind reading about روسيا (roosia: Russia, for the Arabic impaired.)

The Arabic-impaired could of course also try and find out things on their own, like what a word written in another script means. Might do some of 'em some good. (It'll also show them how transparent their BS is.)

[Favorites?] Anything that can be tied to security.

Heh. Should've seen that one coming. :)

It makes no difference who rules.

Hold on to that thought, you'll need it later.

@Clive Robinson,

I hope I at least finally got my point across.

Oh which one, your affinity for "reductio ad absurdum" as the phrase originally meant?

So I try (again) to move to a less antagonistic situation and your response is more ad hominem. Interesting...

December 3, 2016 11:21 PM

Andy on A 50-Foot Squid Has Not been Found in New Zealand:

What's wrong of this, last squid friday.
Memset(out,0,Glen); first 0 should be 0x00 , out should only be used like that if it's on the stack, if in heap use &out and let heapalloc sort out the size and 3 dword sig, plen, should differentially be a global var, start of the program initialization, they fixed it but don't look for a specific error code, instead go white list in
If(error == 0x00(different for other os) && error != cfflag && error != 0x22,0x25,0x5f,0off,0x0d,0x0a, me meet is secure well they fixed the thing, but it's what's before that's the important bit, the above which I called could use 7 different version of strcmp, some even are logged as such, it's the IF statements, that need to be sat on like a toilet.

December 3, 2016 10:26 PM

Figureitout on Friday Squid Blogging: Striped Pyjama Squid:

Clive Robinson
--That would be nice, as it's not even clear whatsoever to simply go somewhere and get all the laws, it got mangled when international business started happening. And now backdoored standards being forced on the population via laws. It's a heaping mass right now that'll drag a lot of people down w/ it...

RE: no slim c compiler
--Damn, well, I've got a working project right now. Been working all day. In C, feels like it should be like 200 bytes in asm. Useful but lame for right now. On the PIC16F18855. 444 bytes, reads a cap. touch button and turns on a relay, so you could control a motor w/ it. If there's no code in the motor driver (I'd need to check that), I could add that in. I could do serial comms, or add IR activation for relay, enable watchdog, brown out, low power etc, maybe I2C LCD screen (if there's code in the driver chip then prob. not), and I'm going to have to power it separately b/c there's likely too much code in USB chip.

I'll see if I can port it over to asm (I would classify myself as an average asm programmer but I enjoy it, don't aim for code that blows the mind, more like calms ;P) and get more space, should be straight forward, just never done PIC assembly (lots of "f's" in instructions, don't use colons at the ends of labels (bleh..)).

RE: the 4k rom part story
--Pretty sick, I'd be pretty pissed though if I had that thrown at me. Is the 3byte vs 2byte jump like "short" jumps and "long" jumps? In our school boards I didn't have those constraints thankfully nor did I need to enable more memory like some people needed (think my code ended up being around 6.3KB), not as fun w/ such extreme limits IMO (I like 16K or 32K is really nice now, guess you need to do these exercises to feel it). I just used long jumps and branches everywhere just for consistency.

Well, I'm looking for a feature to really make my project "pop". Not sure...

December 3, 2016 10:09 PM

Thoth on A 50-Foot Squid Has Not been Found in New Zealand:


Re: Mozilla + Tor under active attack et. al.

The simplest way to handle it is use NAT and a zero or thin client Live CD setup. Do note that the PC used for this setup should be classified as public facing network and should never be used to handle anything classified.

December 3, 2016 9:32 PM

Andy on Auditing Elections for Signs of Hacking:

It was saying tax fraud investigation teams know numbers are less likely to be real numbers if they are in the range 6,9,
If you want to fake a number you are more likely to use that range, not random, lower more probability range.

Widget was autocorrected from ligit

December 3, 2016 9:21 PM

r on Friday Squid Blogging: Striped Pyjama Squid:



@Dennis, Anura,

That's why wages aren't the problem, it's returns.

What's the ROI on time?

Whatever happened to Moore's Law?

December 3, 2016 8:58 PM

Maliaki on A 50-Foot Squid Has Not been Found in New Zealand:

@ Grauhut,

"Seems the social media Trump-Bots were real high tech, based on big data, deep learning and psychometrical AI. :)"

Our mainstream media bots got schooled big time... must be the Russians. :)

December 3, 2016 8:41 PM

Jessica Stone on Is WhatsApp Hacked?:

This makes me think of myself. No one should ever accept deceit in the name of love.
About 3 years ago my husband started acting strange and I became suspicious,
a friend of mine referred me to this guy
He helped me hack my husband's WHATSAPP AND FACEBOOK account and I got to find out that he had another family in Canada apparently.
I was deceived for that long I would not like to see anyone go through such.
My advice is to contact the hack process is so cheap and affordable he is so reliable

December 3, 2016 8:08 PM

ab praeceptis on A 50-Foot Squid Has Not been Found in New Zealand:

"The general consensus then is that secushare is a blueteam false flag?"

I didn't look deeper into it so what I say here is just a subjective opinion. But, no, I'm not under the impression that those guys run a false flag.

My personal take is rather that those guys are well meaning "religious" zealots (keep in mind the old wisdom "well meaning often leads to done bad") who seriously and honestly believe that they are out to save the world and that everybody must must must use their toy^h^h^h tool or else the dark evil forces will read all the apple pie recipes Jane and Joe are so bloody insecurely sending to each other.

Moreover I'm under the impression that they do not really know what they are doing but that they rather collected the usual security must-haves zoo from stupipedia. otr, perfect forward, etc.

Also, I didn't find any tangible information on the crypto on their home page or in their faq. Oh well, ...

Btw: their stuff is in C, of course, as befits cool world saviours. Need I say more?

December 3, 2016 7:49 PM

MotorVotor on Auditing Elections for Signs of Hacking:


> With all the other things a valid photo id is required for not having it a requirement for voting seems logical. A photo ID is pretty much a necessity to live in current America. It's a minimal barrier to meet.

Sure. As long as the photo IDs are only given to legal citizens. California and a dozen other states give illegal aliens driver's licenses. So, in those states, a driver's license is certainly NOT proof of eligibility to vote. An ID by itself is meaningless unless it is tied to *citizenship.*

And, besides, the Democrats would never go for this. They want illegals to continue voting -- it's the only chance they have in a national election.

December 3, 2016 7:10 PM

Dennis on Friday Squid Blogging: Striped Pyjama Squid:

@ r, "careful what you wish for and how you/they represent it."

Now, you're writing like a sore wishful democrat.

Shouldn't it be 'careful what you vote for'?

@ Anura,

Over-inflating the minimum wage has further consequences than inflated local prices. It effectively prices sub par workers out of labor market. Factories will move across borders in search of lower and fairer labour rates, raising our unemployment. Unemployment breeds further social unrest and income inequality. It's a hole the liberals dig ourselves into, time and time again.

December 3, 2016 6:24 PM

Grauhut on A 50-Foot Squid Has Not been Found in New Zealand:

Seems the social media Trump-Bots were real high tech, based on big data, deep learning and psychometrical AI. :)

"...the bomb has burst: Contrary to projections of all leading statistician Donald J. Trump has been selected.

Kosinski long looked at the Trumps jubilee celebration and the election results of the individual federal states. He suspects that the result might have something to do with his research..."

"NEW YORK, Nov. 9, 2016 /PRNewswire/ -- Cambridge Analytica, the market leader in the provision of data analytics and behavioral communications, would like to congratulate President-elect Donald Trump and Vice President-elect Mike Pence on their historic victory.

Cambridge Analytica was instrumental in identifying supporters, persuading undecided voters, and driving turnout to the polls. "

December 3, 2016 6:08 PM

ДѠѬ on Auditing Elections for Signs of Hacking:

For example. JF above has all the hallmarks of a US war propaganda bot. The modeling of unsubstantiated personal opinion is their trademark. Note what this one is trying to slip into your rearbrain: the adjective 'selective,' implying that this

lacks context, when any educated observer can see it's a historic mother lode for study of the inner workings of the US kleptocracy.

Also, JF falls in with the cheap trick of coordinated braying, 'release the facts!' CIA has no evidence to implicate Russia. They're just misusing classification, as always, to deceptively imply that they know something you don't.

The NCS knuckledraggers failed to install their senile figurehead Hillary and now they might have to stop their cowardly illegal sneak attacks on Russia. This limp and flaccid Red Scare is all they've got left, their whiny tantrum. They reallly need a war. The CIA torture cowards are about to be declared hostis humani generis. Universal jurisdiction. No statute of limitations.

They don't wanna fight em, they just want real men to tie em up so they can beat em up in safety. Sabrina DeSousa is going to sing like a canary, and Italian courts are going to roll CIA up like any other chickenshit mafia. Pussy coward CIA scum. We're gonna watch you timmies beg and cry in the dock.

December 3, 2016 5:59 PM

Czerno on A 50-Foot Squid Has Not been Found in New Zealand:

@r : I hear your point. Can you provide a trusted site where exploits against known vulnerabilities of old FF versions are demonstrated and can be tested ?

And I mean not just bugs, not even the kind that will crash the browser (even the OS) but actual exploits that either exfiltrate data from or allow secret code execution, system file modifications on a windows or linux system (and non-root, non-admin, and sandboxied in Windows).

Until I can /see/ such exploits -that I could not further mitigate by adequate configuration restrictions, I feel comfortably secure using good old FF 3.5. I could be persuaded to run FF 10 (ESR) torified instead, but won't go for any newer : Mozilla keep inflating the attack surface endlessly adding crap like webgl, websockets, html5, geolocation ... every bit of which can introduce new dangers and possible bugs and by-passes and exploits (intended or not)...

December 3, 2016 5:18 PM

r on A 50-Foot Squid Has Not been Found in New Zealand:


While I appreciate your sentiments, using an old version of FF may leave you far more vulnerable than I think you're anticipating unless you're recompiling it yourself with updated dependencies.

Never ever ever assume that the images you're seeing are valid representations, we have had exploits in GIF WAV PNG MP3 JP[e]G and SVG.

Those will punch through noscript and ublock practically every time.

@Nick, ab

Thanks for responding to the threadpost on pgp opinions.

December 3, 2016 5:17 PM

Thoth on A 50-Foot Squid Has Not been Found in New Zealand:

@r, Nick P, ab praeceptis

Re: OpenPGP
I have always found Secushare's many recommendations and articles (not just OpenPGP bash party) not only a bunch of bad advice but have no solutions either. The most troubling and dangerous is the possibility of misguiding newcomers who are trying hard to secure themselves.

RSA being broken anytime soon is clearly fear mongering. As @Clive Robinson has mentioned, how would a 256-bit ECC be more secure when you need 2048-bit equivalent in RSA. It has always been a mystery to me how people can go about "selling ECC" when it's rather obvious that a smaller key size attempting to provide the same security as a bigger key size of between RSA and ECC. Also, RSA maths are more straightforward whereas ECC you have to handle all kinds of curves and weird parameters. Too much esoteric stuff in ECC while RSA is much cleaner.

In short, that Secushare thingy is highly dubious.

My GroggyBox format was designed from day 1 to have capability of preventing the knowledge of who sent to who and with some obfuscation capability to create seemingly "targetless" messages but I am still implementing it during my free time. It is currently usable in the level of sending smart card commands to the applet but for GUI, I am still working on it.

December 3, 2016 5:10 PM

Czerno on A 50-Foot Squid Has Not been Found in New Zealand:

@Clive, @Jason : reportedly the exploit steals both the local IP address (which, as you wrote, would be meaningless to a global attacker if the computer be NATed); /and also/ it steals the computer's MAC address (which might be much more useful to pierce anonymity, unless the attacked has taken more precautions than usual, viz MAC address "spoofing").

Also, according to Tor's Roger Dingledine aka Arma, the exploit might be adapted to work in Linux even though the specific found incarnation of it worked against Windows only.

That said, the exploit requires Javascript in the victim's browser. Perso, contrary to the Torproject guys recommendation, 1. I will /never/ allow scripts to run in a torified browser (and only reluctantly in non-torified ones, btw), and furthermore, 2. I will /never/ use the official, tweaked Firefox aka Tor-browser, which will never be secured. I use an old firefox 3.5 instead, without scripting as said, no Java, no nothing... that has little to no attack surface !

The Tor guys would argue that by not doing it in their prescribed way, I'm standing out of their (small btw) "crowd" (re. Panopticon and similar tests) BUT I will gladly sacrifice the "crowd" effect for more security against nasty penetration exploits and zero-days !

I do cosmetically change Firefox 3's "user-agent" string to look alike the official Tor-browser, which won't fool the real "spooks" but is enough to make me look like I'm a regular Tor user to many sites, - including Torproject's own "Am I using Tor?" at "" :=)

December 3, 2016 5:03 PM

r on A 50-Foot Squid Has Not been Found in New Zealand:


They don't just go after the originating IP, we already know they gather at least the hw MAC's too. Likely anything else available through ring3 methods not excluding values made available through various **cough** subsystems which wouldn't normally be available to something left to lower iopl's.

I highly doubt they under normal circumstances use priv esc attacks for their purposes but I'm more than willing to bet quality identifying markers are available even with the lowest of privs under _most_ OSs.

It's a great argument for Qubes/Whonix not for the networking qualities but for some of the isolation tendencies themselves.

December 3, 2016 4:28 PM

Clive Robinson on A 50-Foot Squid Has Not been Found in New Zealand:

@ Jason,

A good mitigation strategy would be to avoid using the Tor package on a Windows machine.

In the case of this particular exploit, which as described in the articles gets what the computer thinks is its real IP address... Just running a private network at home on one of the reserved IP address ranges behind a Network Address Translation Router/Firewall might well nullify it.

However I can not see them just going for the IP address, after all why be that restrained when they could fingerprint the computer by other techniques such as the fonts etc.

December 3, 2016 4:14 PM

ab praeceptis on A 50-Foot Squid Has Not been Found in New Zealand:

That secushare link is ridiculous blabla and "competition bashing".

Examples: "1. Downgrade Attack: The risk of using it wrong." - I'm no fan of PGP but I've seen it used by users whose IT knowledge reached its borders in MS Word.

"2. The OpenPGP Format: You might aswell run around the city naked."

PGP didn't aim for that. It aimed for example for you being able to send confidential information to your lawyer. The question whether anyone (e.g. state agency) sees that you send encrypted confidential information wasn't addressed.

One might as well say "But everyone can see you riding in a train. Hence trains are an insufficient means of travelling".

"3. Transaction Data: Mallory knows who you are talking to."

Oh gawd! Well, Mallory knowing that isn't to do with PGP but with SMTP.


But the best part comes at the end where they talk about alternatives as promised early on:

"... let's first acknowledge that there is no obvious alternative.", some sentences later followed by "There is no one magic bullet you can learn about." in bold.

Ridiculous self promoting competition bashing blabla.

December 3, 2016 3:59 PM

BSODMako on Auditing Elections for Signs of Hacking:

I beg to differ. When I lived in Massachusetts, I walked in to my townhall, signed my name on a list of citizens that lived in the voting region, voted on a punchcard thingy, and watched it get fed into a machine. I asked the police officer or deputy if he needed my DL, and they didn't ask for anything. I could have waited to the last minute and arbitrarily signed in an empty slot of the same sex. That was for the first Obama term. Fraud is very do-able without ID check, as an example. In Texas, people complained, but people have no fewer than 5 forms of ID you can use. The argument against that is specifically to make allowance for people too stupid to figure out an ID, and that is all. And for the elderly, when your time is come, look to the sky, not the ballot.

I don't know what that means, but I like it. Just remember to ref the struct in your method signature or it doubles on the stack memory.

December 3, 2016 3:56 PM

Andy on You, Too, Can Rent the Murai Botnet:

The router one upstream is the key, hop, if you can access that, you don't need router golding keys, just MAC spoof to bypass NAT, but software has to take the lead, lock that down, then the rest can be followed upstream with privs

December 3, 2016 3:12 PM

Andy on Auditing Elections for Signs of Hacking:

Reading fooled by randomness life and markets, numbers in the lower region's 1-5 are more likely widget than numbers from 6-9

December 3, 2016 2:16 PM

keiner on A 50-Foot Squid Has Not been Found in New Zealand:

@Gerard vV

On one hand liability is the key. On the other hand: Who should pay the insurance needed under such a law for the Linux kernel? And the respective Linux distributions?

December 3, 2016 1:47 PM

r on Friday Squid Blogging: Striped Pyjama Squid:


Our guys had ignored some of the basic rules of the trade like the one that says that the two branches of an if are not at all equal in cost.

Maybe they skipped the lesson that day or maybe just maybe coding from within an IDE (Nick's gonna jump me for my notepad usage heretofore "undocumented") doesn't exactly scream that not so obvious dilemma.

It bothers me, because we've heard of 'rounding errors' where community colleges and some universities are concerned.

December 3, 2016 1:21 PM

Gerard van Vooren on A 50-Foot Squid Has Not been Found in New Zealand:


First tell us how to prevent backdoors being mandated in the legislation

I will tell you right after I have figured out how to cure capitalism. In other words: I don’t have the answer to that question.

What's actually needed is better engineering, then extensive checking (they're different skills, the primary creators, then the checkers and testers) and actual actions of individuals proactively preventing attacks via OPSEC dedicating computers to specific purposes so the opportunity cost of any attack goes up.

I don’t disagree. I hear you. But how can you make that happen? Punishment! Punish the "cowboys"! And you need a legal framework for that. That's why legislation is probably the only answer (I can think of). I have linked this blog post a couple of times but it's still a good read.

December 3, 2016 12:47 PM

Counterpoint on Auditing Elections for Signs of Hacking:

re voter fraud.

Perhaps I am naive, but voter fraud seems untenably inefficient. You have to get a large list of registered voters who are not going to vote themselves, and you have to gather a group of people to go in and vote in their place. This means you need a large visible organization (the fake voters, and the logistical support to move them to the polling places), which means there are many points to be discovered. Additionally, if any of your list actually decides to vote themselves, it will be noted that there is something up.

Now, you could do absentee voting, which makes the number of fake voters smaller, but then you need to request from different (computers|addresses) and return them from different post offices, and you have to consider that absentee votes are often not counted unless the in-person vote is close enough that the absentee votes might alter the result.

So how can voter fraud be a big concern? Why is a photo ID necessary if you are on the rolls?

December 3, 2016 12:38 PM

Daniel on A 50-Foot Squid Has Not been Found in New Zealand:


Thank you for your comment regarding the nature of attack vs. defense because I have recently been thinking about that issue myself. As I see it the best phrasing is to say that "defense must be asserted". That may seem like a contradiction in terms but I suggest it is not. Privacy is an interest and a value that must be asserted against a universe where the default is to permit. It doesn't follow, however, that this means privacy or defense is inherently weaker because a defensive stance doesn't tell us anything about the relative strength of the two parties.

So in my view the reason why assertions of privacy fail is not because there is anything inherently weak about privacy, it is that there simply aren't enough people who hold privacy as a value. That truth is not natural but cultural give your thesis the coup de grace...culture is always an assertion against nature. This leads to the ironic conclusion that a culture of openness is by definition an assertion of privacy. This irony helps us to see that hidden behind claims of openness vs privacy are actual claims to privilege of one cultural group over another cultural group, claims such as a preference for introversion over extroversion (or vice versa).

So claims that nature favors the attacker are in error because attack and defense are inherently cultural constructs and there is no evidence that culture over the long term favors anyone.

December 3, 2016 12:27 PM

Jeff on Auditing Elections for Signs of Hacking:

@Leon, @parabarbarian: You misunderstand the law. Voter receipts, if given, do not and can not include the vote itself. This would facilitate voter fraud via the selling of votes. For the same reason, it is illegal in about 20 states to take a photo of your completed ballot.

December 3, 2016 12:22 PM

BSODMako on Auditing Elections for Signs of Hacking:

Since I am a non-voting centrist Libra rabbit that is actually trying to follow the Pirate Party, I thought I should throw in my 2 cents.

How does one come across such a lame document that looks like it could be forged, and gets in the hands of somebody in California? People have the money and time to capture such documents?

Why would Russians 'have to hack the election? The &*#@^%#**@& is already hacked and co-opted with an electoral college. Whoever wins, doesn't change Russia's mission. Putin is probably laughing at this idea. We are still pushing to not send astronauts to the ISS in their beer cans, and I do not care if EMC is doing business with them. It looks like the press pre-emptively tried to load our brains with more disinformation.

Pointing fingers at a third-party? I thought Hillary was a Manchurian candidate until I got my premium hike in the mail... 54%. People didn't vote for Trump, they voted against the Dems because the working class got burned. Don't think in binary terms of partisan politics. Osamacare prevents Wall Street from having to pay for their cheap labor policy. That benefits everybody at the top who believes 200 more dollars a month is nothing.

It was the worst election yet, people cutting wrists, feeling obligated. I don't. If you believe in systems analysis, think like this: let it break. Stupid politicians expose everything in time. The lies are stacked. I'm not looking for someone to follow.

December 3, 2016 11:33 AM

Winter on A 50-Foot Squid Has Not been Found in New Zealand:

For those who still can sleep. Most of the above is just part of the pattern:

War/ning 2020
Social integration and expansion in anarchistic systems
How connectivity and our urge to survive determine and shape the war dynamics and development of the System.

Free book download. Read and shudder.

Maybe we won't even make it long enough to care about global climate change

December 3, 2016 11:18 AM

ab praeceptis on Friday Squid Blogging: Striped Pyjama Squid:

Clive Robinson

"I suspect @ad praeceptis also has his own similar "war stories"."

Sure. Once at a carrier, about 15 years ago, we needed md5 + base64 on some backend (read: every cycle counts) equipment. It was done in C which was the normal professional way then (probably still is). Problem was it was way too slow. Funny was that the guys either didn't know or considered it exotic that any decent compiler also spits out assembler if you ask it to. Taking that as a starting point I went at looking for the cycle waster spots. And there were plenty. One I remember because it demonstrated so bluntly how stupid many compilers were was the push some register holding the result of one function as param for the next one which again popped it off into the very same register. Another one was that for whatever reason the compiler guys seemed to not like registers; they used only about half of them.
To be fair it wasn't the compiler alone. Our guys had ignored some of the basic rules of the trade like the one that says that the two branches of an if are not at all equal in cost.

Which brings me to my point (that I make so boringly often). Sure, the compilers were still poor then. But the real problem was the guys; the real problem was that they saw C as a language and not as a meta-assembler and that they blissfully ignored (or didn't know) about the hardware.

To cut it short: Doing those routines properly we increased speed about 50-fold.

Another short story that helped me to set some youngsters on the right track was my "How I learned to program". I learned it by designing and building a "high-speed" interface with TTL. *Nothing* in my whole career taught me more than I learned then. Having gotten a NOR wrong at 3 in the morning and seeing everything going wrong is a lesson one remembers for a life.
Btw, (as it came up) the programming for that thing was done in BASIC. Simple reason: that's all I had then. It was a nightmare; I hated it but it worked. And it taught me another lesson for life: Language is important. The right one for the job will get it done well, the wrong one will make it cumbersome and very unpleasant.

re politics/regulations:

I think that we shouldn't ignore a certain point, namely that legislation/regulation *will* come, no matter what. Maybe a trainwreck will trigger it, maybe a pacemaker accident producing corpses and some bad luck, meaning they can't hush it up. But it *will* come.
The problem I see with that is that politicians will do what they always do: They won't listen to experts but to "experts" and they will be guided by the desire to not disturb the large corporations.

If we are very, very lucky, they will at least nail down some reasonable points, too. Things like setting some *reasonable* rules along the line of "do178 is blabla. How to properly implement it?", things like proper *formal* specs and proper formal verif. in some critical areas. We must urgently get out of the "we wrote 1000 spec pages in legalese/engineerese" and "we did unit tests" loony bin.

December 3, 2016 11:15 AM

CallMeLateForSupper on DigiTally:

@ab praeceptis
"I wonder why you are a no-mentionologist [...]"

Three reasons:
Um... What was the question? ;-)

December 3, 2016 10:45 AM

Jason on A 50-Foot Squid Has Not been Found in New Zealand:

Just days before the FBI was given permission to hack any computer, anywhere in the world:

A Firefox zero day exploit that allowed Tor users' real IP address to be exposed was discovered. When a corrupted web page was opened by a Firefox or Tor Browser with Javascript enabled on a Windows computer, it leverages a memory corruption vulnerability in the background to make direct calls to kernel32.dll, which allows malicious code to be executed on computers running Windows. Using virtually the same code as a 2013 exploit used by the FBI to unmask Tor users, the exploit submits users' real IP address, MAC address, and machine name to a server belonging to French Web host OVH at on port 80.

The source code of the exploit was released:

A patch was quickly issued to close the vulnerability:

The exploit worked only on Windows computers, and only if Javascript was enabled. MalwareBytes also claims their Anti-Exploit Premium program would have prevented the exploit from working.

It sounds as though some TLA or LEA has had their parade rained on. We got lucky this time. But with Tor itself relatively secure, browser exploits are going to happen again... and again... and again... With browsers continually being "improved", vulnerabilities allowing the Tor proxy running on the same machine to be bypassed are inevitable.

A good mitigation strategy would be to avoid using the Tor package on a Windows machine. Not because Linux is immune to exploits, but with the majority of computers using Windows, they will go for the low hanging fruit. With so many different kernels and distros in use, writing an exploit for Linux would be much more difficult and time consuming with little to show for it.

A much better strategy for protecting your identity would be to run the hardened Tor browser on a dedicated Linux machine, but run the Tor package on a separate appliance such as TorPi. If a browser exploit did occur, the Tor appliance would either reject the data packet or force it through the Tor network effectively hiding your real IP address.

December 3, 2016 10:33 AM

r on Friday Squid Blogging: Striped Pyjama Squid:


Trampolines huh?

You're right, the compiler doesn't technically do that - in the world of C it's the linker that is privy to all those artificial constructs.

Well, it's that or you have to do what you did in your case which is handcode a solution I suppose.

Considering how similar that type of lookup (albeit yours was code) is to the IDT/GDT, give yourself a pat on the back for reinventing a reasonable facsimile of the modern wheel. ;-) (it's a good thing)

Borland and MS do imports differently, one is a space saver in the short term (direct calls) the other is a space saver over the long run (multiple callers)

call [dword ptr _Import] ; 6 bytes, borland

call (relative) _Import ; 5 bytes
jmp [dword ptr _imp_Import] ; 6 more bytes

December 3, 2016 10:19 AM

r on Friday Squid Blogging: Striped Pyjama Squid:


What you propose would only work in a protectionist environment, which is what we voted for.

May I point out that @Clive and others covered the whole representational politics the other day, that being said: careful what you wish for and how you/they represent it.

December 3, 2016 10:13 AM

keiner on A 50-Foot Squid Has Not been Found in New Zealand:


We live in a world FULL of lies and parallel constructions. Hard to say where it starts and where it ends. Has been so for the last 2-3000 years.

But things are moving faster now, people are not that experienced in handling the amount of trash and so we get lost in a hurricane of false flag and "who-to-trust-and-who-not" until the whole world has become totally neurotic.

December 3, 2016 9:59 AM

Ted on A 50-Foot Squid Has Not been Found in New Zealand:


I am also doing the same. There are a lot of unanswered questions [See my question list in prior posts]. -Ratio Q and A of Snoopers’ Charter cont. 2.2.0

Great questions, thanks for keeping the links so well organized :)

2] Who is not covered in the Snoopers Charter? Politicians? Lawyers? Doctors? Banks?

According to The Independent, under a tailored application of the law, Parliament has exempted itself from the same level of surveillance access as its compatriots. Warrants to access records belonging to members of the British parliament, as well as assembly members of other European parliaments, must further be approved by the prime minister. This is an additional approval that is beyond the secretary of state approved warrant access applicable to most citizens, and is actually less than parliament had hoped for.

3] Who is the judicial arm that allows MI5/MI6, law enforcement and others to view this huge data base?

Although this does not answer that question specifically, it provides some context on the evolving matter of oversight. A special report from The Economist "Espionage: Shaken and stirred" provides a look at the transition intelligence services are experiencing as they move from services governed under the reins of public trust to operations that are subject to higher levels of scrutiny. According to the report, the struggle to come to terms with increasing accountability from the press, the legislative assembly, and the courts over the past 15 years is one that is ongoing.

And more on the petition: The petition to repeal the Investigatory Powers Act is now the most signed petition of 3,300 open petitions. As of today, it has received over 152,350 signatures. Only 60 unarchived petitions have garnered more than 100,000 signatures, less than 1% of the 8,000 petitions accepted for signatures. It is currently the 23rd most signed petition of 23,000 petitions submitted.

December 3, 2016 9:18 AM

r on A 50-Foot Squid Has Not been Found in New Zealand:

They're going dark because they no longer report their methods, accurately even. It's not we're going dark, it's that they have to turn to backroom misgivings and the extortion racket they learned from the mob.

They ARE going dark; parallel construction, redaction, black budget financing.

December 3, 2016 8:12 AM

Thoth on A 50-Foot Squid Has Not been Found in New Zealand:


The baneful Buffer Overflow has never ceased to turn systems into crap and after so many years, it is still alive and kicking ... making a shame out of "security".

don't worry about all the iOS security if you can't access one of those Apple devices ... they can't defeat a Buffer Overflow.

Didn't James Comey, Theresa May, Cameron, Mike Rogers et al. swear to their governmental hearings (parliaments and congress) that their agencies are going dark? How are they even going dark when Apple, known for its recent improvements in security, couldn't even keep the baneful Buffer Overflow bug from appearing? Going dark is a very bad lie....


December 3, 2016 7:21 AM

JF on Auditing Elections for Signs of Hacking:

Bruce: "My guess is that it has nothing to do with hacking the voting machines -- "..... "-- but something related to either the political-organization hacking, the propaganda machines, or something else before Election Day."

I would agree with that assessment. Selective release of hacked emails and paid foreign troll armies injecting their "talking points" into news comments sections and on social media, creating buzz for Trump, both early and late, is what I suspect.

Yes, the US intelligence agencies should reveal to the public what it knows.

December 3, 2016 6:24 AM

JG4 on A 50-Foot Squid Has Not been Found in New Zealand:

I failed to comment on several interesting topics that came up in last week's squid post, for lack of time. I do want to address the climate change topic that I accidentally injected into the discussion. It has been the long-standing approach of companies and groups with profitable businesses to steer public thinking (and political thinking) in generally-successful attempts to maintain profits. Sugar, tobacco, fossil fuels, petrochemicals, weapons, the list is very long. So it is with climate. My point was that cognitive limitations will be exploited, not that climate change is real or not. For the record, I am an agnostic of sorts, but I find the physics of the greenhouse effect compelling. Refining computer models of the effects until they can be trusted is a good approach.

It is likely that humans are more or less unintentionally altering the climate with CO2 emissions, methane, etc. and possibly dust/aerosol effects. The problem is that the cost of addressing the issues is very large and upfront, while the costs of not addressing them are unknown and lie at unknown times in the future. Further, solar effects and space weather almost certainly alter climate in ways as yet unknown. I am in favor of increased research to better understand the issues, and put in place mitigating technologies. I even like the idea of carbon taxes. They at least begin the process of weaning off of fossil fuels.

Hubbert showed in 1956 that fossil fuels only ever could be a stepping stone for humans, irrespective of climate change. His conclusion was that nuclear fission would be a second bridge to provide abundant power for millennia, while fossil fuels could only last for a few centuries. I'm not against nuclear power, although it was disappointing to see the country that brought Toyota and Honda quality to the world floundering in profound and continuing dysfunction during a catastrophic nuclear accident. The sharper knives in the drawer will note that it was a US reactor design, not that the Soviet or UK designs were much better. Codename Chernobyl and Windscale. Just another orbit around your star on the blue marble of unintended consequences.

I am absolutely delighted with what has happened in solar PV. The earth's crust is all but made of silicon, aluminum and oxygen, which can be used to transduce energy with very low environmental impact. I am surprised that after 400 years of battery technology innovation (not counting whatever the ancients knew), the problem of cost-effectively storing renewable energy really hasn't been solved at a level affordable to the average formerly-middle class household. For what the US spent on genocide in the Middle East, enough solar thermal infrastructure could have been built in the desert Southwest to power the entire US electric grid and free up all of the coal and natural gas for transportation uses. The savings from that would have paid for the next round of innovations (energy storage) to run the transportation system from a second solar thermal infrastructure in the Southwest. It also would have left the Middle East to sort out their political difficulties with a lot less dollars and weapons. They too will have to put in place solar energy installations and figure out how to grow food in the desert.

December 3, 2016 5:45 AM

JG4 on A 50-Foot Squid Has Not been Found in New Zealand:

Skynet grows stronger with each passing day. It is just a matter of time until it becomes self-aware.
To create the program, the MIT team relied on a scientific technique called deep learning that's become central to modern artificial intelligence research. It's the approach that lets digital assistants like Apple's Siri and Amazon's Alexa understand what users want, and that drives image search and facial recognition advancements at Facebook and Google.
Experts say deep learning, which uses mathematical structures called neural networks to pull patterns from massive sets of data, could soon let computers make diagnoses from medical images, detect bank fraud, predict customer order patterns, and operate vehicles at least as well as people.
"Deep neural networks are performing better than humans on all kinds of significant problems, like image recognition, for example," says Chris Nicholson, CEO of San Francisco startup Skymind, which develops deep learning software and offers consulting. "Without them, I think self-driving cars would be a danger on the roads, but with them, self-driving cars are safer than human drivers."
While research into neural networks, loosely based on the human brain, dates back decades, progress has been particularly remarkable in roughly the past ten years, Nicholson says. A 2006 set of papers by renowned computer scientist Geoffrey Hinton, who now divides his time between Google and the University of Toronto, helped pave the way for deep learning's rapid development.

December 3, 2016 5:32 AM

Anura on Friday Squid Blogging: Striped Pyjama Squid:


Those are three complementary policies that each reduce the negatives of the other. They are complete, and don't require protectionism. Protectionism is a bad long term strategy, and even that won't save the manufacturing sector from being automated away. You want to improve jobs, you need to focus on education. While minimum wage can contribute to inflation, in terms of real prices, essentially you can only change the relative prices, so there is no loss to the economy in the long run (basically, things in which the cost is largely high-paid labor goes down in price, things in which it is largely low paid go up, but as long as overall pay doesn't go up, then the overall cost of goods doesn't go up), but it can cause short-term labor demand declines, which any change in distribution of income does that is not growth, as spending habits change and labor needs to be reallocated), which the infrastructure spending counters. For long-term economic policy, it's sufficient to do so gradually (as long as you don't exceed

The big reason rural towns can't survive is a lack of income; you need local services, retailers, etc. and these workers depend on cash flows into the economy. Cutting wages, propping up low productivity sectors will only exasperate that - minimum wage increases income for these towns, and if we would have kept minimum wage growing with labor productivity for the last 40 years, then rural communities wouldn't have died off so quickly. Protectionist policies have likely made the problem worse, not better, as you can only prop up a dying industry so long before it has a real effect on economic growth - and we propped them up long enough that automation took them away, and this has hurt real income for most workers in this country.

Now, there is another problem which is that the high inequality leads to poorly allocated resources. At some point, if incomes do not grow for most people, due to the marginal propensity to spend the wealthy end up pumping all their money into wealth-gaining, and since there is diminishing returns for investment, it ends up inflating asset prices, lowering real productivity. An economy with high inequality that became more equal would likely see strong growth in productivity, and especially in the net utility of goods and services produced, meaning more real income overall and lower inequality.

December 3, 2016 5:19 AM

Clive Robinson on Friday Squid Blogging: Striped Pyjama Squid:

@ Figureitout,

With respect to legislation, I'm in favour of slow-n-steady with plenty of mandatory check points (sunset clauses). My view of legislators is they should be "cleaning up" not "piling shit up". That is in the main "tending the garden" by careful pruning and considered opinion, not adding piles of shit that will blow back in your face.

The problem is the corruption caused by corporations feathering the nests of politicians and civil servants that believe that they are both exceptional and entitled. There is no hell I would not consider for these people, and I'd even bring the popcorn.

That aside to the meat of your post,

Speaking of which, do you have a free compiler for PIC MCU's that can build w/ least amount of cruft, microchip offers a "pro" version of their compiler for more optimized builds.

No I don't, as the PICs prior to the 18 family are not really suited to high level language constructs (even Forth ;)

But there is an issue with MicroChip and the 18 and above family, their compiler was based on GCC... With its FOSS licence, which kind of means they are not allowed to do this "only paid for premium rate" nonsense.

There is actually little to be gained from even optimized C code when the chips are really down in ROM/RAM. Such compilers look to be on parity with "average" not "exceptional" assembler programmers.

The way C does loops does not really optimize well compared to other types of loop construct and useful assembler tricks don't translate well to C. One example of this is multi-entry subroutines. In assembler you just call your chosen entry point, with C you have to muck about with "if" or "switch" statements, which is one heck of an overhead. Then there is all the crap to do with pointer arithmetic... I could go on but you probably get the point.

In essence, hard as it is to believe C was designed to be "maintainable", the OneK-Code challenges are about wringing the last drop out of every bit you can.

A number of years ago I wrote some "quite tight" assembler code on a 4K ROM part that did an entire cordless phone with LCD display, intercom function data coding for PRK etc handset. Got the sign off to go to mask, only to discover CRC errors coming back from the foundry interface... Turns out the actual mask part was only 3.5K and I had about two hours to refine the code down by around 10%... To cut a long story short I complicated the way the LCD messages were stored and knocked around 50% of their storage space, it was still not enough, then something a colleague had mentioned came back to me. The CPU had two jump instructions a three byte and a two byte, likewise calls. However the two byte would only jump into page zero, so I built a three byte "jump table" in page zero and accessed it via two byte jumps from the rest of the code. This shaved just enough off to get me a few bytes under the 3.5K limit. But the result was one heck of a lot more complexity in the code.

There are no compilers around that can do that sort of trick nor are there ever likely to be as they are way too case-specific bit savings. And it's those very case-specific tricks that will get you under the OneK bar, not an optimizing compiler.

I suspect @ad praeceptis also has his own similar "war stories".
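The byte trade-off behind the page-zero jump table described in this comment, and behind the import thunk sizes quoted in the earlier comment on Borland and MS imports, as an added example that is not part of either comment: a target is worth routing through the table only when the bytes saved at its call sites exceed the cost of its table entry. The routine names, call-site counts and table capacities are constructed for illustration; only the instruction sizes (3/2/3 and 6/5/6 bytes) come from the comments.

```c
#include <stdio.h>
#include <stdlib.h>

/* One jump/call target and the number of places in the code that reach it. */
struct target {
    const char *name;   /* constructed label, used for printing only */
    unsigned sites;     /* how many jump/call sites reference it */
    int via_table;      /* set by plan_table(): 1 = route through the table */
};

/* Instruction sizes in bytes for one CPU or linking scheme. */
struct encoding {
    unsigned long_size;   /* form that reaches the target directly */
    unsigned short_size;  /* cheaper form that only reaches the table */
    unsigned entry_size;  /* one table entry (a jump to the real target) */
};

/* qsort comparator: most-referenced targets first. */
static int by_sites_desc(const void *a, const void *b)
{
    const struct target *x = a, *y = b;
    return (x->sites < y->sites) - (x->sites > y->sites);
}

/*
 * Choose which targets go through the table and return the net bytes saved.
 * Each routed target costs entry_size bytes once and saves
 * (long_size - short_size) bytes at every site. All entries have the same
 * size, so filling the table with the most-referenced targets is optimal.
 */
long plan_table(struct target *t, size_t n, struct encoding e,
                unsigned table_bytes)
{
    long per_site = (long)e.long_size - (long)e.short_size;
    long saved = 0;
    unsigned used = 0;
    size_t i;

    for (i = 0; i < n; i++)
        t[i].via_table = 0;
    qsort(t, n, sizeof *t, by_sites_desc);

    for (i = 0; i < n; i++) {
        long gain = (long)t[i].sites * per_site - (long)e.entry_size;
        if (gain <= 0)
            break;      /* sorted, so no later target gains either */
        if (table_bytes - used < e.entry_size)
            break;      /* table is full */
        t[i].via_table = 1;
        used += e.entry_size;
        saved += gain;
    }
    return saved;
}

int main(void)
{
    /* Constructed sample: routine names and site counts are made up. */
    struct target fw[] = {
        {"lcd_put", 12, 0}, {"delay", 7, 0}, {"beep", 4, 0},
        {"crc", 3, 0}, {"init", 1, 0},
    };
    size_t n = sizeof fw / sizeof fw[0], i;
    /* 3-byte jump anywhere, 2-byte jump into page zero, 3-byte table entry. */
    struct encoding page_zero = {3, 2, 3};
    /* 6-byte indirect call per site vs 5-byte call plus one 6-byte thunk. */
    struct encoding import_thunk = {6, 5, 6};

    /* Assumed: 9 bytes of page zero are free for the table. */
    printf("page-zero table saves %ld bytes\n",
           plan_table(fw, n, page_zero, 9));
    for (i = 0; i < n; i++)
        printf("  %-8s %2u sites  %s\n", fw[i].name, fw[i].sites,
               fw[i].via_table ? "table" : "direct");

    /* Assumed: thunk space is effectively unlimited (1024 bytes). */
    printf("import thunks save %ld bytes\n",
           plan_table(fw, n, import_thunk, 1024));
    return 0;
}
```

With these sizes a page-zero entry pays for itself only from the fourth call site on, and an import thunk only from the seventh.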

December 3, 2016 3:08 AM

Clive Robinson on A 50-Foot Squid Has Not been Found in New Zealand:

@ Thoth,

The reason is that ChaCha20 is not FIPS algorithm...

Thus demonstrating once again the law of "Unintended Consequences" or "IC finessing" depending on your viewpoint of the beast.

And the more I see of the beast, the easier it is to understand the latter view point, especially when NIST are also involved as the front/ fall guy (such is power of the much favoured "Plausible Deniability" meme).

December 3, 2016 2:58 AM

Clive Robinson on A 50-Foot Squid Has Not been Found in New Zealand:

@ Karen Starrett,

I think Assange was drawing from the "mixing paint" argument, of "the more you mix two paints the harder it is to unmix them if at all...", it applies to many things in nature. It also applies to the notion of energy being effectively "self mixing" in any bounded environment and it's where Shannon borrowed the name "entropy" from, and the phrase "Nature moves from a state of order to disorder" which is true even when you are trying to do the opposite, as you have to supply more energy than you would get back (think turning CO2 and H2O molecules back to hydrocarbons).

As for "attack-v-defence" one implies the other and they are both a waste of resources and if things progress that far quite destructive and inordinately costly.

Mankind is gradually coming to terms with the idea that you actually gain nothing constructive from conflict, something most conflict tainted soldiers learn fairly quickly.

So the real answer to "the art of war" is consideration and diplomacy, to avoid destruction of any kind. Unfortunately it's something both sides have to believe in, which often is not the case ("Might is right" is a stupid philosophy as there will always be some one who will be mightier than you at some point, and you most assuredly will not want to meet them when they are looking for payback...).

December 3, 2016 2:28 AM

Clive Robinson on Friday Squid Blogging: Striped Pyjama Squid:

@ Ratio,

I hope I at least finally got my point across.

Oh which one, your affinity for "reductio ad absurdum" as the phrase originally meant?

December 3, 2016 1:34 AM

Figureitout on Friday Squid Blogging: Striped Pyjama Squid:

Gerard van Vooren
I think that legislation is needed here, I don't see an alternative.
--First tell us how to prevent backdoors being mandated in the legislation (will be a false sense of security as backdoor will be found or many attacks are still too easy even w/ legislation). That's step 1, and is the burden of anyone saying this is a solution. How much experience do you have w/ legislatures or how laws are made? Laws are guidelines written on paper or bits on harddrives. What's actually needed is better engineering, then extensive checking (they're different skills, the primary creators, then the checkers and testers) and actual actions of individuals proactively preventing attacks via OPSEC dedicating computers to specific purposes so the opportunity cost of any attack goes up. Or setting up loggers to track down attackers. Ask any attacker what they don't want (speaking from a bit of personal experience), is a total f*cking minefield of wolves in sheep's clothing, honeypots and elaborate traps out there, anywhere. Wasting their time and bringing the attacks back their way is what they don't want. You retract from what you're doing at that point.

Clive Robinson
So I'm rather more cautious than our host about invoking the use of legislation to alter markets
--Why do you think I'm so against it, w/ your bias you think I'm sort of cheerleading freemarket race to bottom imbecile. Intelligent laws aren't being created...look at all the crappy laws being made all over the world now (check out the UK laws making the news, not too good...). People need to actually observe the law-making process and just how shallow it can be. Better yet, everyone needs to see experiments of laws made in a controlled environment, my most useful class getting a public affairs degree (sadly they were considering removing that class...); it's so revealing of humans too. It only takes *1* mindless zealot of a person to completely ruin it all, unless they can be overridden. To get other people to agree the end result of legislation is massive crappy piece of law. To make smarter pieces of law, you need to involve less people (need to be localized as much as possible), which means our laws need to be based on a publicized algorithm that any citizen can check themselves and judges need to be open source robots (open source hardware and software). Laws need to apply more strongly to local places, that's how humans work; not huge global laws, they lead to tyranny/slavery and loopholes and backdoors etc. if they can't be changed quickly and easily...Trust needs to be regained that laws are not just mandating backdoors into products or just completely out of touch "pie in the sky" wishes.

People that advocate need for more legislation than the "London fatberg" mass we already have, need to say specific legislation they want and if it can actually a) be implemented and b) not be a total fail, otherwise this is just a worthless exercise.

Such programmers are very rarely the product of a graduate CompSci course
--Yep, but they do exist. Had one in my class, weird guy but he seems to be a damn good programmer (likely not at assembly though, not sure). Pulled off a pretty good project in the class. Works for a local company which is known for just excellent programmers that track down bugs so fast and do such a wide range of projects.

RE: dijkstra's quote on basic
--Probably not fair since actual good programmers are going to want to program anything in any language, toy projects in new languages are pretty fun usually. I barely do any BASIC coding, have a couple programs on my calcs, but I love being able to program more things. That I can immediately write code and execute it in my calculator is great, even if it is BASIC. So many things I want to just program and automate the way I want...

Speaking of which, do you have a free compiler for PIC MCU's that can build w/ least amount of cruft, microchip offers a "pro" version of their compiler for more optimized builds. I downloaded the latest MPLABX and built a stupid LED blinking program and it was like 1.18 kB...I'm trying to make an entry for the 1kB challenge on hackaday, know it'll be lame compared to some of the insane entries already since I'll have like a week or 2 at best but want to put something in anyway...

December 3, 2016 1:19 AM

tyr on Friday Squid Blogging: Striped Pyjama Squid:

@ Wael

Those easily offended are in therapy over the
USA elections. I blame Milo since colleges
were such tranquil ivory towers before the
Dangerous Faggot Tour bus arrived.

@ others

The movie Tucker has a much clearer picture of
how autos became safer through idea stealings
and crooked back door deals. Legislation was
a late comer after the death tolls got high

@ Clive

Ignition is turning out to be a great read.

December 3, 2016 12:17 AM

V on Auditing Elections for Signs of Hacking:

I'm pleased to report that my state had an actual election about adding a voter ID requirement to the state constitution ... and it failed.

If you are paranoid about people voting twice in an election require voters to dip a thumb in ink. Sure, you might vote in a municipal election that's not the one where you reside, but if you feel strongly enough about that election maybe that's where your vote rightfully belongs.

Ex felons voting are just fine with me. If you've served a jail term and have been released you should be a regular citizen once again.

Voter ID requirements exist for one reason only: to reduce the percentage of poor people who can vote.

December 2, 2016 11:23 PM

Wael on Friday Squid Blogging: Striped Pyjama Squid:


You don't enjoy the constant trolling about روسيا for example?

I don't mind reading about روسيا (roosia: Russia, for the Arabic impaired.) What I read is expected and not surprising, but the sarcasm is sometimes interesting. As you may know, I and sarcasm are quite fond of each other... oh, those Russians. Politics isn't my cup of Darjeeling tea, though. I learned a long time ago not to believe politicians[1].

Any favorites?

Anything that can be tied to security.

[1] Two stories during college days. One is not that interesting about a chess game, and the other is funny / strange and hard to decipher, but could potentially be offensive to some.

December 2, 2016 10:32 PM

Dennis on Friday Squid Blogging: Striped Pyjama Squid:

@ Anura, "So while I agree with you that *if* capital has disproportionate bargaining power, inflation is bad for wages as it means that workers need to fight against the tide (something you can combat by indexing minimum wage to labor productivity, growing union labor, and increasing infrastructure spending to increase demand for labor)"

What you propose would only work in a protectionist environment, which is what we voted for.

December 2, 2016 10:10 PM

Ratio on Friday Squid Blogging: Striped Pyjama Squid:


I was enjoying the show and wanted to pour more fuel on the fire. Burn, baby! Burn :)

I guess it was all worth it, then. :)

But maybe we could find some alternative form of entertainment for you? The first reviews are in and not everyone seems to be so enthusiastic about the latest production. ;)

(You don't enjoy the constant trolling about روسيا for example? We never seem to run out of that lately. Any favorites?)

December 2, 2016 9:32 PM

ay on A 50-Foot Squid Has Not been Found in New Zealand:

> Foreign special services are preparing a cyber attack aimed at destabilizing the financial system of Russia

> Russian Federal Security Service received information about the preparation of the foreign intelligence services in the period from December 5, 2016 large-scale cyber attacks in order to destabilize the financial system of the Russian Federation, including the activities of a number of major Russian banks.

> As a result of operational search activities found that the server capacity and command and control centers for cyber attacks are located in the Netherlands and belong to «BlazingFast» Ukrainian hosting company.

> Cyber planned to accompany the mass sending of SMS-messages and publications in social networks (blogs) provocative in relation to the crisis of credit and financial system in Russia, business failure and revocation of licenses of a number of leading banks in the federal and regional significance. The action is aimed at several dozen Russian cities.

> Russian FSB carried out to neutralize the threats the necessary measures of economic and information security of the Russian Federation and the documentation of the impending action.

December 2, 2016 9:22 PM

65535 on A 50-Foot Squid Has Not been Found in New Zealand:

Q and A of Snoopers’ Charter cont. 2.2.0

@ Inmate #137468

"Starting Tomorrow, Feds Can Hack Millions of Devices with One Warrant" -Inmate

This seems to follow the invasive/mass surveillance trend codified in the UK’s Snoopers’ Charter. This leads to the use of Network Investigative Techniques such as planting key loggers on individual computers, Fox Acid and Quantum Insert attacks. The question now is will these be used on a mass scale?

"Network Investigative Technique, or NIT, is a form of malware (or hacking) employed by the FBI since at least 2002. Its usage has raised both Fourth Amendment concerns and jurisdictional issues. The FBI has to date, despite a court order, declined to provide the complete code…” Wikipedia

‘How the NSA Attacks Tor/Firefox Users With QUANTUM and FOXACID’

[Snoopers’ Charter is a done deal and most likely active]

@ Ratio


“All that's missing is the (royal) rubber stamp. It's done.”

“Well that is a blunt no nonsense assessment. High praise indeed. :) By the way, it's been stamped. “

“Does this mean the UK Intelligence Agencies is engaging the spying apparatus at this point in time? No, that happened long ago.” -Ratio

@ Ted

“I am still trying to understand the substantive details of the legislation and its historical, political, and social underpinnings.”- Ted

I am also doing the same. There are a lot of unanswered questions [See my question list in prior posts].


Feel free to add sneaky tricks used by both the UK and the USA in the name of “National Security” and saving our children. Things are looking bad for privacy advocates at this time.

December 2, 2016 9:03 PM

ab praeceptis on Auditing Elections for Signs of Hacking:


Plus, don't you forget that them Russkies heinously move their evil country ever closer towards the good and peaceful nato troops in europe!

But them evil Russkies have no chance against the lighthouse of democracy with their f-22 (except the stealth wears off when flying, but that's just a detail), their f-35 (except certain technical issues but that's just a detail), their zumwalt destroyers (except ammo being somewhat expensive and the ship not working but that's just a detail), and their super-superior new lcs (which reliably fail but that's just a detail).

No chance I say. The Russkies Kalibr cruise missiles, for example are worthless rusty crap (except they work fine and hit their targets but that's just a detail), or the rusty Su-30 and Su-35 (except they work fine and reliably but that's just a detail), or their rusty "black hole" submarines (except they work fine but that's just a detail).

But one thing I must confess: I'm still a little bewildered and wondering how them always-drunk Russkies with their rusted sowjet KGB komputrs could hack the us-american election. They must have a mole inside. I'd think it might be comey but he's too ugly.

Those russkie devils!

December 2, 2016 8:56 PM

Wael on Friday Squid Blogging: Striped Pyjama Squid:


Isn't the latest train wreck enough for a while?

I was enjoying the show and wanted to pour more fuel on the fire. Burn, baby! Burn :)

December 2, 2016 8:52 PM

name.withheld.for.obvious.reasons on Friday Squid Blogging: Striped Pyjama Squid:

A moment in a preponderance, of sorts, considering a highly virtualized shadow internet infrastructure...

1. Internetworking infrastructure (major and some other nodes Mae West/East, NAP hubs, etc.) virtualized using pseudo, not physical, links
2. DNS Root servers (duplicate DNS and DNSSec records and certs/keys/)
3. PKI Certificate Infrastructure (Duplicate of Root (highly prized) and Registered Issuing CA's (Trusted CA's)
4. Packet Traffic in time (snapshot of all these points at any/all moments of time) on the public internet
5. Resultant network from the above processes (queued from traps in the public network) can provide useful data?

Without having to capture all packets, but only the ones that from a session topology, the data is mapped to a logical (operationally minimum as defined above) and network topology to provide a parallel network inspection capacity using the virtualized shadow network.

December 2, 2016 8:43 PM

Pete on Auditing Elections for Signs of Hacking:

"What evidence led you to conclude that Russia wants to weaken the West's global economic system? "

They are filthy soviet-ruski commies, that's what evidence.
Just see how they are strangling Europe every winter with their freezing Siberian-gulag weather-war - All so they can extort Euro-money for natural gas ..

Better all watch your backs, the stalinists are coming to get you with their marxist propaganda !!

December 2, 2016 8:28 PM

65535 on Friday Squid Blogging: Striped Pyjama Squid:

@ Clive Robinson

“It would appear that Adobe are doing it again this time with sound rather than pictures...” –Clive

"Note the "big laugh moment" in there where they mention "digital watermarking". Anyone remember why DWM was a failure with photographs and the like?" -Clive

The ability to alter voice conversations by just typing in what you want to alter is somewhat unnerving given the Snoopers’ Charter and the possibility of creating instant evidence, probable cause and manipulating conversations to add people to no-fly list and so.

I guess Adobe knows the dangers for their voice/conversation editing software and is attempting to put some controls on the use of their voice editor. I doubt Adobe’s first concern is safety – but instead profits. What could go wrong? /

December 2, 2016 8:12 PM

Ratio on Friday Squid Blogging: Striped Pyjama Squid:

@Wael, hey, hadn't seen you around in a bit. :)

Nope, no @ianf-made foot covering that I'm aware of.

Why the commotion? Ha! I ain't falling for that one. :P Isn't the latest train wreck enough for a while? ;)

December 2, 2016 7:59 PM

ab praeceptis on A 50-Foot Squid Has Not been Found in New Zealand:


Well noted, I say the following absolutely friendly.

When will you get it? How many more times do they need to spit in our face for you to get the message? All that "secure card" crap doesn't care a rats poop about security. They care about committee orgies and golden "secure" stickers (like eal).

You, however, care about security. It's sad, I know, but caring about security not only is quite different from golden sticker business but it actually often is quite the opposite.

I think you should step back for a moment and have a fresh view.

Those funny cards offer quite nice hw protection features. The important ones for you are probably that it's at least difficult to force-read them and that they offer some tamper protection.

They have disadvantages, too. They are quite hardcore closed off, they offer lousy performance and to make things worse, they add a fat secret sauce layer.

So what? Give me a couple of bytes that with a reasonable certainty an opponent can't know and I'll give you exabyte of pseudo-random bytes an opponent can't know/predict.
Give some kilobyte of reasonably secure storage and I'll give you exabyte of reasonably secure stored bytes.
And so on.

I'd strongly advise to finally make use of what's useful instead of fighting against insane wanton limitations (as just again reported by you).

Here goes (loose description and pseudo code):

- card spits out some random bytes
- ProgThoth on whatever (say amd64 on linux) calcs hash of itself.
- ProgThoth allocates 1 (or 50) MB of memory, zeroes it and initializes some state, then calculates hash of that.
- ProgThoth encrypts initial bytes from card using hash as key and sends result to card.
- If card is happy it sends some kind of reasonably crypto-secured "Go!" plus part 1 of some secret stuff, keys, whatever needed by ProgThoth.
- ProgThoth does its thing. Just before "opening the safe" (doing whatever sensitive) progThoth req's another random string, repeats hash checks above and if everything is OK gets the second part of some secret stuff, key, whatever.

Is it high end secure? No. But neither is the card thingy (unless you blindly trust their marketing blabla). But you get
- fast operations
- lots and lots of space
- considerably higher security than with PC or whatever alone.
You have, for example, blocked about all the usual attacks. They can't change a byte in ProgThoth, they can't inject poison, they can't get any secret keys or whatever from the PC, they can't guess anything. And thrown in for free the whole mechanism doesn't work without the card thingy inserted.

Man, you have invested so much work. Don't allow that committee and banking standards golden sticker mafia to stand in your way. Your basic approach "Hey, one should be able to do quite interesting and useful stuff with them secure chips on them cards!" is perfectly OK and smart.
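The two-stage handshake sketched in the comment above, as an added Python example (not the commenter's or Thoth's code). The card is simulated in software, HMAC-SHA256 keyed with the measurement stands in for "encrypts initial bytes from card using hash as key", and `SimulatedCard`, `measure`, `host_response`, `run_session` and the sample image bytes are constructed names and data.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the bytes of the host program ("ProgThoth").
GOOD_IMAGE = b"constructed ProgThoth image bytes\n" * 64


def initial_state(size: int = 1 << 20) -> bytes:
    """Allocate zeroed memory and write a fixed initial state into it."""
    buf = bytearray(size)      # zero-filled
    buf[:8] = b"PTSTATE1"      # constructed initial-state marker
    return bytes(buf)


def measure(program_image: bytes, state: bytes) -> bytes:
    """Combine hash(program) and hash(initial memory) into one measurement."""
    h_prog = hashlib.sha256(program_image).digest()
    h_state = hashlib.sha256(state).digest()
    return hashlib.sha256(h_prog + h_state).digest()


def host_response(nonce: bytes, program_image: bytes, state: bytes) -> bytes:
    """Host side: bind the card's random bytes to the current measurement."""
    return hmac.new(measure(program_image, state), nonce, hashlib.sha256).digest()


class SimulatedCard:
    """Card side: holds the expected measurement and a secret split in two."""

    def __init__(self, expected_measurement: bytes, part1: bytes, part2: bytes):
        self._expected = expected_measurement
        self._parts = [part1, part2]
        self._stage = 0        # how many parts have been released
        self._nonce = None     # outstanding challenge, if any

    def challenge(self) -> bytes:
        self._nonce = os.urandom(16)
        return self._nonce

    def respond(self, response: bytes):
        if self._nonce is None:
            return None                        # no outstanding challenge
        nonce, self._nonce = self._nonce, None  # each nonce is single use
        want = hmac.new(self._expected, nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(want, response):
            self._stage = 0                    # failed check: start over
            return None
        if self._stage >= len(self._parts):
            return None                        # nothing left to release
        part = self._parts[self._stage]
        self._stage += 1
        return part


def run_session(card: SimulatedCard, program_image: bytes):
    """Run both checks; return the reassembled secret, or None on any failure."""
    released = []
    for _ in range(2):  # once at start, once just before the sensitive step
        nonce = card.challenge()
        part = card.respond(host_response(nonce, program_image, initial_state()))
        if part is None:
            return None
        released.append(part)
    return b"".join(released)


if __name__ == "__main__":
    expected = measure(GOOD_IMAGE, initial_state())
    print(run_session(SimulatedCard(expected, b"part1-", b"part2"), GOOD_IMAGE))
    tampered = bytearray(GOOD_IMAGE)
    tampered[10] ^= 0x01  # a single flipped bit in the image
    print(run_session(SimulatedCard(expected, b"part1-", b"part2"), bytes(tampered)))
```

The card can only check the measurement the host reports, so this catches a modified image or a replayed response; it does not by itself show that the code actually running is the code that was hashed.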

December 2, 2016 7:10 PM

albert on San Francisco Transit System Target of Ransomware:


It eventually comes down to money, doesn't it. Commercial developers, contractors, and ultimately, equipment manufacturers, are some of the stingiest folks I've met. It's a good thing we have the NEC, etc., otherwise, we'd all be in trouble.

I wouldn't expect CAT5 cables to be intrinsically safe. I've done installations in environments that require it, and they are super expensive. On regular industrial machines, we often needed to 'pipe' the Ethernet just to reduce interference.

The problem is simply this: there is no incentive ($$) for a developer, business owner, or leasee, to pay extra for secure wiring. They are either unaware of potential hacks, or are simply willing to throw the dice, and let the insurance company handle it.

When all is said and done, more is said than done :)

The WiFi chickens are coming home to roost. The Java and the Flash chickens are already there.
. .. . .. --- ....

December 2, 2016 7:03 PM

Thoth on A 50-Foot Squid Has Not been Found in New Zealand:

@Karen Starrett, Nick P, Clive Robinson et. al.

I have recently talked to one of my manufacturers to request ChaCha20 be integrated natively and the answer is no ... not anytime soon. The reason is that ChaCha20 is not FIPS algorithm and the inclusion of a ChaCha20 native app (even if I were to create one and ask the manufacturer to inject my native ChaCha20 app inside the smart card chip) will immediately void the FIPS 140-2 and CC EAL rating. The manufacturer chose to follow FIPS and CC ... so we wouldn't be seeing native ChaCha20 apps that uses native routines to accelerate 32 bit maths. Now I can only bet on the Java/Card side 32-bit maths (hoping the manufacturer did a good job implementing the 32-bit maths in Java/Card).

Note that injecting native apps is fully beyond my control as a card developer, you can only do the Java/C side which will run within the card VM. Only manufacturers of cards who have signed NDAs and paid their fees are allowed access to native developments.

December 2, 2016 6:58 PM

Thoth on A 50-Foot Squid Has Not been Found in New Zealand:

@Karen Starrett

OTPs can be done in smart cards but where are you going to find space to store the OTP keymats inside a smart card with say around 80 KB to 144 KB of EEPROM space ? You would run out of keymats very quickly unless you intend to carry a lot of smart cards on you or have a refill mechanism of sorts.

More practically, I am thinking of revisiting my ChaCha20 cipher for smart cards and upgrade it to full 32 bit support but that will mean a lot of smart cards wouldn't be able to support the 32-bit ChaCha20 cipher except for chips with full 32-bit operation support.

Anyway, for smart cards, it's better to stick to AES-256 despite the fact that AES has huge amounts of leaky side-channel issue as trying to create a cipher in something so constrained like a smart card is very difficult (includes NDAs as well if you are going to code native apps).

December 2, 2016 6:56 PM

Karen Starrett on A 50-Foot Squid Has Not been Found in New Zealand:

Apologies all and Mod, Please excuse my error above. I intended to say, as we know, in IT / InfoSec, defending is the default weak or vulnerable position, and to be the attacker is the position of strength in perpetuity.
To follow on from Mr Assange's statement about crypto - does the Universe / Nature favour the attacker as a rule.

December 2, 2016 6:52 PM

Karen Starrett on A 50-Foot Squid Has Not been Found in New Zealand:

damn you @ Inmate numbers. You beat me to pole position.

@ Clive

Thank you for all your important contributions.
Curiosity question/musing for you

Mr Assange was quoted in a book called Cypherpunks, about how the universe (or nature) favours crypto, because it is easy to encrypt and difficult to decrypt.
It is articulated far better than this simplistic explanation.

From that 'meta' level, it is intriguing to ponder that defending is a fundamentally weak position and to be the attack is always the weaker position
@ Clive does that prompt any commentary?

[ it reminds me of martial arts - the notion of 'self defense' is a fallacy. One only attacks, only an attack can physically exist. The dog is not defending itself against the man with the stick, the dog is biting the man. ]

December 2, 2016 6:47 PM

Karen Starrett on A 50-Foot Squid Has Not been Found in New Zealand:

i'm number one! Love me long time!

@ Thoth

respect for your commitment and toil on your smart card project.
there has been a lot of discussion (thanks @ Clive @ others) on one time pads.
Thoth, what about the old school trade craft method of micro dots - can that have an obscurity value in your smart card project ?

@ All

RE: he with the unfortunate name that as a result was no doubt teased a lot at school: some important news

December 2, 2016 6:42 PM

Inmate #137468 on A 50-Foot Squid Has Not been Found in New Zealand:

"Starting Tomorrow, Feds Can Hack Millions of Devices with One Warrant"

"Senator Ron Wyden, a member of the Senate’s Intelligence Committee, is a sponsor of the Stopping Mass Hacking Act. In a last ditch effort, he called on Congress to take action in an attempt to block the rule change. Unfortunately, the motion was voted down on Wednesday morning.

“If Congress doesn’t stop these changes, a single judge will be able to grant a warrant to hack a million (or more) computers and other devices. By hacking the devices of victims of a botnet, the government will be treating victims the same way it treats attackers. We need to pass my Stopping Mass Hacking (SMH) Act right now.”

The "rule" went into effect yesterday, Dec. 1.

So tomorrow was yesterday.

I've seen weird "glitchy" stuff going on already.

Resistance is futile when the standard bearers of law can make rules exempting themselves from the rule of law and any serious scrutiny or accountability.

They do it because they can and there is no one who can stop them.

December 2, 2016 6:21 PM

Wael on Friday Squid Blogging: Striped Pyjama Squid:

@Clive Robinson,

Did you Really say that!!!

Wait a minute, now! You mean we were fooled all these years? This is not real? I always thought there was something peculiar about this picture, but I couldn't put my phinger on it!

What him say? Him say: Your Kung fu isn't good, bi**h!

December 2, 2016 6:11 PM

Ratio on Friday Squid Blogging: Striped Pyjama Squid:


After another train wreck, I'm not sure if there's much point in pursuing this further. I'll respond briefly to your comment and probably leave it at that.

Bargaining power is largely relative, and this means that if all actors in the economy had equal bargaining power, then all actors in the economy end up with the same income, and the same influence over the government. [...]

I agree, in both cases it's about the power is derived from the differential.

But I think the rest of your comment is problematic in various ways. (I mean that in the sense that I think that what you're proposing doesn't really work the way you'd like it to, and / or has associated costs that you maybe haven't considered and wouldn't like to pay.)

Three things to (maybe) ponder:

First, government also has power, vastly more than large groups of individuals (outside government) in this hypothetical situation, and that power is wielded by individuals inside the government.

Second, while all private actors in the economy would have equal power, that is only true when taken individually.

Third, trying to maintain the hypothetical situation you describe would put real restrictions on people's liberties.

(My initial comment was meant the same way, but... well... see what happened above.)

@Clive Robinson,

What blockquote would that be?

I thought I had mangled the <blockquote> around the penultimate paragraph in my response to you, but now that I look at the source I see no evidence of any <blockquote> at all, mangled or not. Anyway, that paragraph was supposed to be in a <blockquote> (and there are some other... "imperfections", shall we say?), but there's not much I can do about that now.

I hope I at least finally got my point across.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient, an IBM Company.