Recent Comments


Note: new comments may take a few minutes to appear on this page.

October 15, 2018 1:37 PM

Wael on Fingerprinting Digital Documents:

First off you do not define "Security through Obscurity"

Security of the system depends on secrecy of implementation. If the implementation is found, the system is no longer secure.

By which I think you mean the message or knowledge of the message should be confidential even though a third party is aware of a communications.

Acceptable.

That is the communications contains a non confidential message and a confidential message.

Not a necessary restriction. An observer knows...

Read More →

October 15, 2018 1:26 PM

Little Lamb on How DNA Databases Violate Everyone's Privacy:

Consumer genomics databases have reached the scale of millions of individuals. Recently, law enforcement ...

What is this? 23 and me? The sperm bank? A paternity suit for child support? Law enforcement is bragging it up a bit much.

There's an "expert witness" -- specifically exempt from subpoena under court rules -- who can't even explain the particulars for the jury because it's all so bloody PROPRIETARY.

Is it open source? Did they publish all the technical details so that we can test our own DNA at home against an open source database? Repeatable...

Read More →

October 15, 2018 1:13 PM

Jack on How DNA Databases Violate Everyone's Privacy:

Europeans have different views on privacy because in living memory they experienced multiple governments using individuals' private records (church, doctor, school, etc.) to actively hunt them down and murder them in large numbers. Americans have (thankfully) different experiences, but we should take those European lessons to heart considering potential consequences. By the time this reaches out to touch you personally and that adjusts your risk-reward calculation it's too late. Ignorance is, as usual, no defense at all.
The terms of use that I've seen on the DNA kit required...

Read More →

October 15, 2018 11:58 AM

Wael on Friday Squid Blogging: Eat Less Squid:

@Tatütata,

Tried the verification script at this end: "Verified OK". Yeah.

Thanks!

I had assumed that the name chosen was some sort of French pun

I don't know French - for future reference.

The limerick is the key, not of the "howto" poem.

Explanation, with details.

Steganography ain't lame, Notepad is the trend;

There is some steganography in the body of the message! It uses "invisible characters".
To unhide and extract the hidden text:...

Read More →

October 15, 2018 11:44 AM

Peter S. Shenkin on How DNA Databases Violate Everyone's Privacy:

@"vas pup"

"So, are we going to provide affirmative action privileges soon based on genetic test or abandon all demographics as criteria for admission into college, job placement, promotion you name it and come back to merit base selection? "

What do you mean "merit-base [sic] selection"? As conventionally defined, "merit-based selection" is something we have never had. There have always been privileged groups: legacy and athletic admissions at colleges; the boss's son-in law in a company. The argument for these, as well as affirmative action, is that they are all...

Read More →

October 15, 2018 11:31 AM

Wael on Friday Squid Blogging: Eat Less Squid:

How to sign a message -- helping script

Script name: preview.sh
Message to be signed and posted: test_message
Private / Public keys: Look here for simple instructions
make sure you do a chmod +x (or 755, or whatever suitable for you) preview.sh

Script starts with #!/bin/bash, below

#!/bin/bash

echo "Usage: preview_signature input_file passphrase"
echo $1 # Did not have time to put command line parsing
echo $2 #...

Read More →

October 15, 2018 11:24 AM

MarkH on How DNA Databases Violate Everyone's Privacy:

As I wrote a couple of days ago on "the squid post" ... as far as I can see, people have an affirmative right to disclose as much personal information as they please.

In this case, where such disclosure may damage my privacy, the consequences of their disclosure may be costly. But my privacy right can not (under any generally accepted frameworks of rights I can think of) limit their right of disclosure (free speech).

Perhaps these various databases could have been set up differently. At this stage, is the situation irreversible, or are there practical steps to restore...

Read More →

October 15, 2018 11:07 AM

vas pup on How DNA Databases Violate Everyone's Privacy:

@all:
Genetics does not work by itself. Environment (good rich parents) works through epigenetics, i.e. in order for good genes to be turned on (being dormant in both poor and rich kids) circumstances should be favorable. That is what @echo pointed to in her post. But take a look at Chinese kids. 'Tiger mom' forces them to be smart having even less good genetics but a proper environment: a combination of math, science and music education forces balanced development of left and right brain, which has huge plasticity in response to environment.
@Shenkin: could you imagine what genetics could do...

Read More →

October 15, 2018 10:54 AM

echo on Friday Squid Blogging: Eat Less Squid:

https://www.standard.co.uk/news/uk/nearly-18000-members-of-british-armed-forces-are-obese-a3961466.html

Nearly 18,000 members of the British armed forces are clinically obese, figures show.

The stats show 398 troops have Type 2 diabetes, 160 personnel have been prescribed diet pills and 16 given liposuction.

As of July 2018, there were 8,662 obese soldiers in the Army, 4,666 in the Royal Navy and 4,274 in the Royal Air Force.

The...

Read More →

October 15, 2018 10:36 AM

Peter S. Shenkin on How DNA Databases Violate Everyone's Privacy:

I have thousands (yes, thousands) of 3rd-to-fourth cousins on Ancestry, very few of whom are real. (Then again I'm Jewish, so, more than for most people, this is the result of endogamy: a large number of distant ancestors from a small founding population; but still, it's an issue for many individuals of other ethnicities.)

It is well known that security is the enemy of usability, and even usefulness. Loss of privacy in the abstract is difficult for me to see as a problem. I gladly give up my privacy on Ancestry.com , in the hope of finding distant relatives and tracing my...

Read More →

October 15, 2018 10:13 AM

echo on How DNA Databases Violate Everyone's Privacy:

https://www.sciencealert.com/genetics-reveals-being-rich-gives-you-a-better-chance-at-graduating-uni-than-being-talented

A revolution in genomics is creeping into economics. It allows us to say something we might have suspected, but could never confirm: money trumps genes.

Using one new, genome-based measure, economists found genetic endowments are distributed almost equally among children in low-income and high-income families....

Read More →

October 15, 2018 10:06 AM

Me on How DNA Databases Violate Everyone's Privacy:

This is part of why I cautioned my mom about getting a genetic test (for fun, not medical). I told her that the results would not only reduce her privacy, but those of all her descendants.

October 15, 2018 10:04 AM

echo on Friday Squid Blogging: Eat Less Squid:

Given a senior police officer hid in his car with locked doors during a low level terrorism incident when citizens were being stabbed in the street and another senior officer who had to resign in disgrace after a bullying scandal has been put in charge of conduct investigations this kind of performance by UK police makes me wonder whether they work for everything else but the public interest. I have little doubt this kind of political roadcrash is deliberate....

Read More →

October 15, 2018 9:54 AM

Frankly on How DNA Databases Violate Everyone's Privacy:

Facebook has knowledge of non-facebook members by means of members. DNA databases have knowledge of persons who did not submit their DNA. It is essentially the same problem. We are all connected to one another. Insecurity for anyone is insecurity for everyone.

October 15, 2018 9:48 AM

SecReport on Security Vulnerabilities in US Weapons Systems:

@ Wesley Parish

Your quote from Alan Shepard and John Glenn is a keeper! Nothing quite like realists with a sardonic eye :)

The DoD-led report on the Industrial Base and Supply Chain does have a series of recommendations: 19 in the Executive Summary, expanded into 24 under Section: “VII.A Blueprint for Action.”

Some of those are:

• Creation of a National...

Read More →

October 15, 2018 8:16 AM

echo on Friday Squid Blogging: Eat Less Squid:

@JG4

Yes, dualism is a problem.

On the legal issue the UK case law says where a person's human rights hang in the balance the judgment must always be in favour of the person. I'm sure you and others realise this puts an altogether different tilt on issues. It's not much help when up against it but another snippet of critical law people are not educated about.

@Clive

I thought I was clear but obviously not. What I was trying to articulate was: is there a form of "reverse fingerprinting" which works at the linguistic level which can survive historical analysis...

Read More →

October 15, 2018 8:03 AM

Iggy on Upcoming Speaking Engagements:

@Bruce and commenterati ilustrati:

Tangential to this:
h ttps://www.schneier.com/blog/archives/2017/01/how_the_media_i.html?nc=13#comment-6744149

What say you about the self-anointed Good Censor, Google?:
h ttps://twitter.com/cwarzel/status/1050086964504879104

I have seen the enemy, and he is us.

October 15, 2018 7:24 AM

Clive Robinson on Security Vulnerabilities in US Weapons Systems:

@ Wesley Parish,

I leave that for the inquisitive amongst the spooks to figure out: what level tortoise are they?

Ever hear the expression "Lower than a snake's belly in a wagon wheel rut"?

Well they still need to keep a digging and a digging ;-)

October 15, 2018 5:30 AM

Clive Robinson on Friday Squid Blogging: Eat Less Squid:

@ Tatütata,

But with twisted-pair based LANs, dumb hubs have been replaced by "smart" switches that route packets based on their MAC address, effectively segregating traffic between nodes.

Only for the majority of user traffic.

What was perhaps not clear is that I was originally talking about "Discovery" which is what the BMC network does amongst other things. It sends packets as broadcasts, otherwise protocols like BOOTP, DHCP, ARP etc would not work.

The ethernet packets being non routable uses Eth-Add FF:FF:FF:FF:FF:FF for broadcast...

Read More →

October 15, 2018 5:17 AM

Wesley Parish on Security Vulnerabilities in US Weapons Systems:

@SecReport

O brave new world, That has such people in ’t!

Keeping the supply chain in-house so to speak, is one way of making sure that vulnerabilities that exist can't be blamed on the PRC. Instead, courtesy of Edward Snowden, we know that the NSA et alii will quite happily corrupt the supply chain on their ownsome.

And then, there's that famous quote from both Alan Shepard and John Glenn:

“I guess the question I'm asked the most often is: "When you were sitting in that capsule listening to the count-down, how did you...

Read More →

October 15, 2018 4:25 AM

Wael on Fingerprinting Digital Documents:

@Clive Robinson,

You owe me "Breakfast at Milliways".

Deal

The rest requires clear mind...

2 canaries, 4 canaries, 6 canaries... Get it? ;)

October 15, 2018 3:30 AM

Clive Robinson on Fingerprinting Digital Documents:

@ Wael,

A mechanism that achieves both Perfect stealthiness and Perfect Confidentiality must necessarily involve Security through Obscurity.

You owe me "Breakfast at Milliways".

First off you do not define "Security through Obscurity" which ordinarily might be described as, something that is kept obscure to keep it secure. Where obscure in general would mean "hidden from view" in some manner. Thus it is,

    Hiding in plain sight

Which is what I will work with.

Now let's examine your first premise,

    1: Perfect...

Read More →

October 15, 2018 2:12 AM

Tatütata on Friday Squid Blogging: Eat Less Squid:

@Clive:

As I've mentioned, on a local area network all hosts can hear a single packet.

That used to be mostly true on coax-based ethernets, although nodes at each extremity of a long segment of coax could have trouble talking to each others. (I remember hours of fun trying to get a bl**dy 2Mb/s ArcNet with 10-20 nodes to work properly).

But with twisted-pair based LANs, dumb hubs have been replaced by "smart" switches that route packets based on their MAC address, effectively segregating...

Read More →

October 15, 2018 1:59 AM

Tatütata on Friday Squid Blogging: Eat Less Squid:

@Ratio will tell you RegEx isn't my cup of tea.

Me neither, and there was a lot of awk and sed going around here. It hardly ever exactly works as advertised, the interpretation seems to vary too widely from one tool to the other. (e.g.: editor find-and-replace, programming library).

The rhyme scheme is AABBA for limericks! AABBA was the AES key

Oh, I understand now! The limerick is the key, not of the "howto" poem. The derived key was apparently meant to be plugged directly into that site as a kind of passphrase, and not as a 256 bit wide field....

Read More →

October 15, 2018 12:49 AM

Timothy on Friday Squid Blogging: Eat Less Squid:

According to MeriTalk, a report from the Office of the Director of National Intelligence confirms that the U.S. supply chain is under 'systemic assault by foreign intelligence entities.' MITRE released a report in August urging the DoD to secure acquisition and the supply chain, recommending 15 changes overall. The DoD is already taking a recommendation from MITRE's report with a new pilot initiative called "Delivered Uncompromised" under which security guarantees are a 'fourth pillar' of contract acquisition. The Pentagon and Congress are also working towards tightening up supply chain...

Read More →

October 15, 2018 12:03 AM

Wael on Friday Squid Blogging: Eat Less Squid:

@Tatütata,

I somehow missed all of that.

Very good effort, by the way! There'll be other opportunities, I think :)

Epilogue:

Assuming I did nothing stoopid, as I am seeing double right now (19 sec video clip https://youtu.be/_u5A0H6PkqE ....) and the signature verification really works: In this exercise, there was a concept, a design, an architecture and an implementation.

Concept
I say there is a security flaw in the concept, for the following reasons:
1- The...

Read More →

October 14, 2018 11:52 PM

Little Lamb on Upcoming Speaking Engagements:

I had slept in that area from time to time the previous winter -- it was cold, but I had warm blankets -- there was a bear attempting to hibernate nearby in those woods, and it was disgruntled at being disturbed, but when it realized that I was only going to bed and not hunting, it breathed a sigh of relief and fell asleep for the winter.

October 14, 2018 11:42 PM

Clive Robinson on Fingerprinting Digital Documents:

@ Wael,

I thought you predicted that a few hours in the future...

Shhhsh, you know the first rule ;-)

After all if it got out, every two bit market hustler would come for a piece of my mind, and quick as you could blink there would be nothing left...

Which would only leave me with one option in life "To become European President" (unless I can forge a birth certificate for "Jamaica Hospital, New York" as some one who looks like a Shetland Pony with a comb over is "alleged" to have done ;-)

October 14, 2018 11:37 PM

Wael on Upcoming Speaking Engagements:

@Clive Robinson,

Richard Dawkins in me sits on my left shoulder urging me..

I get the joke :) How appropriate!

October 14, 2018 11:26 PM

Wael on Friday Squid Blogging: Eat Less Squid:

Correction... (and I was telling @Weather to read the codes... go figure!)

# Convert binary to invisible characters
perl -pe 's/0/‍/g;s/1/‌/g' /tmp/stripped_base64_to_binary > /tmp/embedded_signature

October 14, 2018 11:21 PM

Clive Robinson on Upcoming Speaking Engagements:

@ Thoth,

Maybe a topic on...

You obviously don't know many technology "evangelists" ;-)

Because you would know that like their religious brethren what they evangelize about is "perfect" in their universe.

It's naughty man and woman such as us running through their garden of eden doing what we should not that are the sources of all that is wrong and evil with the real world :-S

Thus they think we should be smited and cast out as though never to have existed. Just like those dodgy contracts that stole "the apple of the eye" of one...

Read More →

October 14, 2018 11:17 PM

Little Lamb on Upcoming Speaking Engagements:

Interesting. A lot of jet lag.

All those cities are places of political and/or military hostility to me.

I cannot stay at a hotel in a large city no matter what. It's a chair-by-the-door situation. I literally have to sneak off and hide somewhere, probably illegally. It has saved me money and saved my life to find a hiding place at night where I was not tracked.

Burglary and arson are constant risks in a hotel, house, or apartment, not to mention somebody smoking a bong and filling up the building with heavily intoxicating but absolutely legal marijuana smoke....

Read More →

October 14, 2018 11:11 PM

Wael on Fingerprinting Digital Documents:

@Clive Robinson,

Got it. Damn, you scared me:

there are two bits you don't need to send

When I read this, I was working on the scripts (on and off.) Then when I submitted the message, I noticed that I lost a couple of line feeds because I wasn't paying attention (also multi-tasking is a...) Thought: How in the world did he predict I'll lose two things :) But the message was already signed, so I could not change it ;)

I ended up doing this to make up for the missing line-feeds:

echo -n -e '\x0a\x0a' >>...

Read More →

October 14, 2018 11:04 PM

Wael on Friday Squid Blogging: Eat Less Squid:

How I composed it:
#!/bin/bash

echo "Usage: preview_signature input_file passphrase"
echo $1 # Did not have time to put command line parsing
echo $2

# Sign message
openssl dgst -sha256 -sign ../../keys/private.pem -out /tmp/sign.sha256 test_message

# Convert message signature to base64
openssl base64 -in /tmp/sign.sha256 -out /tmp/post_signature

# Convert base64 to binary numbers representation
cat /tmp/post_signature | perl -pe '$_=unpack"B*"' | sed 's/.\{8\}/& /g' > /tmp/base64_to_Binary

#...

Read More →

October 14, 2018 10:58 PM

Wael on Friday Squid Blogging: Eat Less Squid:

Forgot to say the signature is only performed on the body of the message. No sender, no time, no nonces, no comment number! Didn't have time for that, and @Ratio will tell you RegEx isn't my cup of tea. So don't flame me -- it's just a POC.

It's not easy to predict the comment number, and one can't reserve a comment number to include in the signature. Also, I could have included the time, but that requires precise submission time-control, which I do have (better than @Ratio, by the way, whose atomic clock is out of sync by a minute or so.)

October 14, 2018 10:57 PM

Clive Robinson on Fingerprinting Digital Documents:

@ Wael,

Not following!

It's a little joke about saving effort (but not really).

When you multiply two primes of three or above in the result two bits are set,

Odd x odd = odd LSBit set.
And for obvious reasons the MSBit as well.

Thus you don't need to send them as they are known...

But... the reality would be extra work in most cases, hence,

    Just to save that extra bit of effort or two.

As in "twice the effort" to not send them as to sending them.

I thought you were aware that some early...

Read More →

October 14, 2018 10:46 PM

Wael on Friday Squid Blogging: Eat Less Squid:

These are the scripts you need for 🔑 verification. There was a small mistake I made when I appended the signature to the message body -- I ate a couple of line-feeds, that's why the "get message" script has the last line.

#Obtain Public Key
curl -s https://www.schneier.com/blog/archives/2018/10/friday_squid_bl_646.html#c6783413 \
| awk '/c6783413/{flag=1;next}/class="comment by/{flag=0}flag' \
| tail...

Read More →

October 14, 2018 10:18 PM

Wael on Friday Squid Blogging: Eat Less Squid:

@Tatütata,

The rhyme scheme is (abab) repeated 5 times

No! The rhyme scheme is AABBA for limericks! AABBA was the AES key you needed to put for a secret at https://aesencryption.net/ -- It does not work now, so I switched to openssl. I was too lazy then but realized one can't depend on external sites... Same for quite a few links I previously embedded here, they aren't working any longer.

I can explain the previous poem later, after I share these signature scripts.

October 14, 2018 10:11 PM

Wael on Friday Squid Blogging: Eat Less Squid:

@Tatütata,

I'll share the scripts so that you can verify (and sign) messages. It uses openssl, out of all things, but it's just a POC like I said. So don't worry about "deciphering it" now.

Sounds ominous, is that a warning or a threat?

Neither! Just a caution. Check Kleopatra and the snake; a Serpent -- another crypto thing ;)

October 14, 2018 10:10 PM

JG4 on Friday Squid Blogging: Eat Less Squid:


Thanks for the continued helpful discussion.

@echo - I think that Clive regularly points out that tools are agnostic to use. It would be difficult to think of a tool that wouldn't be useful in some way for carrying out the functions of government and also for carrying out the functions of organized crime. Secure communication tools are a nearly perfect example, and also quite useful to human rights organizations, who essentially want to act against the interests of governments and organized crime in trampling human rights.

This old comment overlaps the topic of...

Read More →

October 14, 2018 9:59 PM

Tatütata on Friday Squid Blogging: Eat Less Squid:

... Legitimate 4k Pub Key.

I ran the text through a base64 decoder and examined the result. It does seem to be a very basic key consisting of a modulus and an exponent, but nothing beyond that. It did make me learn a couple of new things about key formats.

No need to import the Pub Key into Kleopatra -- it might bite you in the chest ;)

Sounds ominous, is that a warning or a threat? :-) Images of the original "...

Read More →

October 14, 2018 7:48 PM

Wael on Fingerprinting Digital Documents:

🔑 (attempt)
@Clive Robinson, cc: @Ratio,

I'm guessing your harsh mistress is having her way with you again?

She's been working an average of 20.5 hours a day for the past couple of weeks!

Oh and the bad "bite in the asp" joke yes I caught it, though I'm not sure who else did ;-)

You always do! Our neurons have somehow gotten entangled over the years -- You've got me pinned!
Ahem...

The price you pay is a question that I'll ask you soon.

When is: Perfect + Perfect...

Read More →

October 14, 2018 6:55 PM

Thoth on Upcoming Speaking Engagements:

Hyperledger forum? That will be very interesting on the type of speech @Bruce will be giving. If memory serves right most Blockchain topics here are usually very gloomy in nature.

Not be surprised a lot of hip and hyper marketing of Blockchain et. al. can be found in the recent conferences that would paint a bright and sunny picture of Blockchain technologies which you would encounter especially in the Hyperledger forum and so on.

@Clive Robinson
Maybe a topic on "How the Blockchain Security Simply Keeps Giving ?" would be a nice topic on the snakeoil security...

Read More →

October 14, 2018 6:47 PM

Wael on Fingerprinting Digital Documents:

@Clive Robinson,

If and when you get around to sending the PubKey just remember there are two bits you don't need to send

It's already here: Wael's test Public Key

just remember there are two bits you don't need to send

Not following!

(Wa-iL)

Actually Wa 'el ;)

October 14, 2018 6:36 PM

Clive Robinson on Fingerprinting Digital Documents:

@ Wael (Wa-iL),

If and when you get around to sending the PubKey just remember there are two bits you don't need to send. Just to save that extra bit of effort or two.

October 14, 2018 6:05 PM

Leave a comment on Another xkcd Cartoon:

@Something
>As far as I can make out, the last posts said:
>Tim: úðB5R¶û

echo '11 111 010 000 0 1010 111 100 0 00 000 001 10 1000 010 0 01 101 01 1000 0100 0 1010 010 1011 0110 1 111 110 010 01 0110 0000 1011' | sed -e 's/0/./g' -e 's/1/-/g'

-- --- .-. ... . -.-. --- -.. . .. ... ..- -. -... .-. . .- -.- .- -... .-.. . -.-. .-. -.-- .--. - --- --. .-. .- .--. .... -.--

MORSECODEISUNBREAKABLECRYPTOGRAPHY

October 14, 2018 5:57 PM

Clive Robinson on Friday Squid Blogging: Eat Less Squid:

@ echo,

It would be an extremely low bit rate but what about systems that hide encoded messages in standard text with no steganographic techniques?

No stego would imply ciphers not even codes...

Whilst "phrase" codes can be made to look like natural language in small numbers of codings per communication, they quickly become too random to maintain the pretence with more than three or four codes per communication. Whilst humans can generally spot them due to their odd or stylised form computers and AI are still on the threshold of being useful....

Read More →

October 14, 2018 5:36 PM

Weather on Fingerprinting Digital Documents:

Wael
You have a duplicate from 0-32 chars, the second char that is duplicated gets removed set that fixed at 256 bit (hence 60 maths to expand the things) sorry fuzz at the moment can't think what the first 8 chars were for, if the first 8 was a one it would get bruteforced, update later

October 14, 2018 5:00 PM

Ratio on Fingerprinting Digital Documents:

@Wael,

berhabs your ears were clogged, or they were not so native.

Or berhabs they bronounced it two different ways.

there's only one proper way to pronounce it. End of story :)

Understood. I… misremembered. Yeah, that’s it. :-)

October 14, 2018 4:30 PM

Timothy on Friday Squid Blogging: Eat Less Squid:

@ Clive

The US has been extremely profligate with its resources and thus has to import much of what it needs. China on the other hand has not been profligate. Much of the US defence and high tech industries are very to critically reliant on raw resources that China has an effective monopoly on currently. They have been using them to effectively force US manufacturing into China, where the IP has been appropriated. This was clear back in the 1990s and the US could have stopped it then, but political interests effectively stopped any action for the sake of "short-termism"...

Read More →

October 14, 2018 4:19 PM

Wael on Fingerprinting Digital Documents:

@Ratio,

If ya say “Wael” ya gotta have uh-oh to avoid gnashing and wailing.

Uh ha. I see. Cute :)

I’ve heard native speakers use two different pronunciations

berhabs your ears were clogged, or they were not so native. There's only one proper way to pronounce it. Actually it's a bit more complex than that, and has to do with the multitude of Arabic proper languages (not dialects.) Arabic is an ensemble of languages, as I said in the past.

I always assumed you prefer the final syllable as “ell” not...

Read More →

October 14, 2018 3:50 PM

Clive Robinson on Friday Squid Blogging: Watch Squid Change Colors:

@ Bob Paddock,

Microsemi SA.45s is usually a better option for an atomic based reference that is portable and low power, relatively speaking for atomic references.

I've had a look at it; it costs around $1000 but it has a major issue for RF MIMO work which is synchronizing two units together reliably. The most important output, the 1PPS that gives you time sync, is effectively random on power up. Thus you need a GPS or other distance synced 1PPS signal to sync it up.

Thus its main use is not instead of GPS but to cover for GPS drop out but you have to...

Read More →

October 14, 2018 3:30 PM

Ratio on Fingerprinting Digital Documents:

@Wael,

Out with it

It was already out, visible as Unicode code points and UTF-8 bit strings:

     0626 → 11011000 10100110 → ئ
064A 0654 → 00000110 01001010
            00000110 01010100 → ئ
     064A → 00000110 01001010 → ي
     0654 → 00000110 01010100 → ‏ٔ‎

(U+0626 and U+064A U+0654 are canonical equivalent.)

If ya say “Wael”...

Read More →

October 14, 2018 3:25 PM

echo on Friday Squid Blogging: Eat Less Squid:

I am beginning to wonder if this whole spying game shouldn't be subject to a supra national court. My reasoning being that if good governance and good civic society and equity between nations means something then apart from wars of aggression which are themselves unlawful spying is irrelevant and serves no purpose. I accept this position is far short of perfect and contains many flaws but believe the question should be asked.

We have a lot of good models for what should be done but politics or more specifically some politicians often get in the way.

@Clive

It would be...

Read More →

October 14, 2018 3:11 PM

Clive Robinson on Upcoming Speaking Engagements:

@ Bruce,

I guess you will not be residing in the TITANIC for your Berlin trip ;-)

Joking aside are you going to be in London in the near future?

October 14, 2018 3:03 PM

Clive Robinson on Friday Squid Blogging: Eat Less Squid:

@ Timothy,

What are your thoughts on the printed circuit board vulnerabilities as presented by the DoD-led Interagency report?

My first thought is "they are over egging the pudding of doom" and "for the wrong reasons".

To see why they claim the US had a 10 billion market in 2000 but only a 3 billion market in 2015, but forgot to mention that the world wide market in dollars shrank quite a bit even though the number of PCBs made world wide went up.

Thus the most likely cause is "economic disincentive" due to other factors such as two world...

Read More →

October 14, 2018 12:36 PM

Clive Robinson on Friday Squid Blogging: Eat Less Squid:

@ Wael,

things that'll share

I'm guessing your harsh mistress is having her way with you again?

As you are having the wrong contractions :-S

Oh and the bad "bite in the asp" joke yes I caught it, though I'm not sure who else did ;-)

October 14, 2018 12:34 PM

Winter on Security in a World of Physically Capable Computers:

"Security breaches are expensive. The market will solve them, because the market wants to make money and keep money, which is impossible without adequate security. "

History shows us this has never been true. The market had no problems with thousands of deaths yearly, be it at work, in cars, bad wiring, due to pollution, or toxic drugs and food.

Every regulation was installed to solve a problem where companies took maiming and killing people for granted to make a profit.

In the end there proved to be enough money to protect consumers and workers from danger.

October 14, 2018 12:24 PM

Clive Robinson on Friday Squid Blogging: Eat Less Squid:

@ Ergo Sum,

That's somewhat contradicting statements and begs the question.

I look on Bloomberg with a degree of suspicion, their main line of business is not as journalists and they have been known to behave more than somewhat unprofessionally. In essence using the Bloomberg terminal to spy on traders and use it not just for news but "market shifting" news.

Further one of their supposed anonymous sources for the first article has come forward and said they have been not just incorrectly quoted but in effect used to fabricate the story. With their...

Read More →

October 14, 2018 12:23 PM

Impossibly Stupid on Security in a World of Physically Capable Computers:

@Little Lamb

Security breaches are expensive.

To whom? The CEO of Uber doesn't go to jail when their self-driving car kills people, and neither do the engineers who built it or any of the other employees involved. The common, perverse "market solution" practice is to externalize expenses whenever possible. That means that there is no incentive for industries to improve security, because everyone simply passes on the "cost of doing business" for breaches on to you.

People with money do not like thieves....

October 14, 2018 11:38 AM

Timothy on Friday Squid Blogging: Eat Less Squid:

@ Clive

Thank you for sharing the article. I have read it, and will probably have to read it a couple more times to understand the many potential vectors of vulnerability. To the final thought from Dr. Markettos’ article:

“But it is likely news to many people that their systems are a lot more complex than they thought, and in that complexity can lurk surprising vulnerabilities.”

... What are your thoughts on the printed circuit board vulnerabilities as presented by the...

October 14, 2018 9:57 AM

Wael on Friday Squid Blogging: Eat Less Squid:

@Tatütata, @Clive Robison,

Re: alleged public key

Legitimate 4k Pub Key. Was working on the script last night but got distracted with other tasks and I also encountered some minor challenges, but learned a few things that I'll share once I sign a message and post the verification script. No need to import the Pub Key into Kleopatra -- it might bite you in the chest ;)

[...] blames me =8( for the start of it a month or two before that...

I blame no one; I only keep score. The price you pay is a question that I'll ask you soon.

October 14, 2018 9:52 AM

moops on The US National Cyber Strategy:

Part of the point of claiming a more aggressive cyber policy (then having that secret leaked) is to get all your enemies to invest more in their own defense.

October 14, 2018 9:49 AM

CallMeLateForSupper on Friday Squid Blogging: Eat Less Squid:

"[...] what is going on with Firefox? [...] When I go back to a tab/page after a minute or two, the data is no longer there [...]"

I have experienced some weird Firefox behavior over the years, but not what you describe. Lovely. Congratulations. :) By the way, what OS do you use?

I run Ubuntu Linux. One of the most persistent (going on three years now) weirdness-es here is a (sound) Volume slider appearing at upper right of window - only when FF is active - and vanishing after 3-5 seconds. Typically I am just reading when this happens.

Adding to the...

October 14, 2018 9:22 AM

Clive Robinson on Friday Squid Blogging: Eat Less Squid:

@ Tatütata,

Out of curiosity, I tried...

I suspect --but am too lazy to try-- that it is a scheme of crypto+stego thought up by @Wael and @Ratio.

Where they use "non printing" characters in whichever UTF coding they are using to represent "bits" or other data size. Hence the reason it will show up in "vi" but not most text editors.

If I remember correctly the original idea was a way for a poster to sign their post without having a very annoying visual inclusion at the end, messing it up for readers.

You can see --or not ;-)-- a...

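Clive's guess above (a crypto step plus "non printing" characters carrying the bits) as an added, runnable example; this is not the script @Wael and @Ratio are working on, which is not on the page. It hides a tag over the visible post in zero-width Unicode characters and checks it on the way back out. The tag here is an HMAC under a constructed shared key, standing in for the public-key signature a real post-signing scheme would use so that readers can verify without holding the key; the key, the text and the choice of U+200B/U+200C/U+2060 are assumptions of this example.

```python
# Added example: sign a post with a tag hidden in zero-width characters.
# Not the scheme used by the posters in this thread; constructed for illustration.
import hashlib
import hmac

BIT0 = "\u200b"   # ZERO WIDTH SPACE       -> bit 0
BIT1 = "\u200c"   # ZERO WIDTH NON-JOINER  -> bit 1
FENCE = "\u2060"  # WORD JOINER, brackets the hidden run so it can be found again

def tag(visible: str, key: bytes) -> bytes:
    """16-byte HMAC-SHA256 over the visible text (stand-in for a signature)."""
    return hmac.new(key, visible.encode("utf-8"), hashlib.sha256).digest()[:16]

def embed(visible: str, payload: bytes) -> str:
    """Append payload to visible text as one zero-width character per bit."""
    bits = "".join(f"{b:08b}" for b in payload)
    hidden = FENCE + "".join(BIT1 if bit == "1" else BIT0 for bit in bits) + FENCE
    return visible + hidden

def split(post: str):
    """Return (visible_text, payload), or (post, None) if no well-formed run exists."""
    start = post.find(FENCE)
    end = post.find(FENCE, start + 1) if start >= 0 else -1
    if end < 0:
        return post, None
    run = post[start + 1:end]
    if len(run) % 8 or any(c not in (BIT0, BIT1) for c in run):
        return post, None
    bits = "".join("1" if c == BIT1 else "0" for c in run)
    payload = bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))
    return post[:start] + post[end + 1:], payload

def sign_post(visible: str, key: bytes) -> str:
    return embed(visible, tag(visible, key))

def verify_post(post: str, key: bytes) -> bool:
    """True only if the hidden tag matches the visible text it is attached to."""
    visible, payload = split(post)
    return payload is not None and hmac.compare_digest(payload, tag(visible, key))

if __name__ == "__main__":
    KEY = b"constructed-demo-key"          # assumption: shared between poster and checker
    signed = sign_post("Crypto plus stego, as suspected.", KEY)
    # In vi the tail renders as <2060><200b><200c>...; most editors show nothing.
    print(len(signed), "chars, visible part:", split(signed)[0])
    print("intact:", verify_post(signed, KEY))
    print("edited:", verify_post(signed.replace("stego", "steno"), KEY))
```

Two practical notes. The hidden run survives copy and paste between editors but not every comment system: software that normalizes or strips zero-width characters destroys the tag, so check the round trip on the target site before relying on it. And because the tag covers only the visible text, any edit to the post (even a single character) makes verification fail, which is the property a post signature is meant to give.
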
October 14, 2018 9:20 AM

Bob Paddock on Friday Squid Blogging: Watch Squid Change Colors:

@Clive Robinson

Thank you for the details. I know some here don't like long explanations, myself I want them.

"LimeSDR"

I've been considering getting the RSPduo as it goes down to 1 kHz, where my interests are and few people look. "1kHz and 2GHz with up to 10MHz of bandwidth or both tuners can operate simultaneously anywhere between 1kHz and 2GHz with up to 2MHz of bandwidth per tuner."


"...front end control software with almost atomic clock precision... GPS ..."

While not as inexpensive as a GPS 1PPS the Microsemi SA.45s is usually a...

October 14, 2018 8:58 AM

Ergo Sum on Friday Squid Blogging: Eat Less Squid:

@ Clive...

As I've said I have my suspicions about Bloomberg, thus I have my doubts.

However it is entirely possible to do (the NSA&GCHQ do it).

That's somewhat contradicting statements and begs the question. Why other state actor(s) wouldn't be able to do the same? Especially, when that other state actor has the factory within its control that manufactures the product in question?

Which is fine as far as normal attacks go. However a single hardware implant motherboard on this BMC network is in effect an "insider...

October 14, 2018 8:25 AM

Tatütata on Friday Squid Blogging: Eat Less Squid:

Re: alleged public key

I first read "POC" as synonymous with "POS", but as my cerebral porridge eventually coalesced, I realized it must have meant "Proof Of Concept".

Out of curiosity, I tried importing that text into Kleopatra. Result: a very user friendly "BER error", which I then Γκοογλε'd to try to understand what it was supposed to mean in plain Volapük, but landed only on cryptic bug reports and "computer service" scamware bait. Then tried the same with command-line gpg, with no better results. After cussing a little bit, I then realized it's a beautiful Sunday out...

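Tatütata's import failure has a plain explanation that the armor header already gives: "-----BEGIN PUBLIC KEY-----" is the PEM label for an X.509 SubjectPublicKeyInfo, DER-encoded ASN.1 of the kind OpenSSL writes, not an OpenPGP "-----BEGIN PGP PUBLIC KEY BLOCK-----", so gpg and Kleopatra have nothing they know how to import. As an added check, not code from anyone in the thread: a minimal DER walker over the first base64 line of the block Wael posted further down the page (the only part visible here, which is enough because every length header sits in the first 48 bytes). It reports the algorithm OID and the modulus size, which is how to confirm the "4k" claim without a PGP tool.

```python
# Added example: read the DER headers of a SubjectPublicKeyInfo from the first
# 64 base64 characters of the PEM body. Only the lengths and the OID are parsed;
# the key material itself is not needed and is not present on the page.
import base64

# First base64 line of the "-----BEGIN PUBLIC KEY-----" block posted in the thread.
SPKI_FIRST_LINE = "MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA4BNhf0wjCMckfCF4leiH"

def der_header(buf: bytes, pos: int):
    """Parse one DER tag and length at pos; return (tag, length, content_start)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                        # short form: length fits in one byte
        return tag, first, pos + 2
    n = first & 0x7F                        # long form: next n bytes hold the length
    return tag, int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n

def decode_oid(content: bytes) -> str:
    """Decode OBJECT IDENTIFIER content bytes into dotted form."""
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear ends the arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def expect(tag: int, want: int, what: str) -> None:
    if tag != want:
        raise ValueError(f"expected {what} (tag 0x{want:02x}), got tag 0x{tag:02x}")

def inspect_spki_prefix(b64_first_line: str) -> dict:
    """Walk SubjectPublicKeyInfo { AlgorithmIdentifier, BIT STRING { RSAPublicKey } }."""
    buf = base64.b64decode(b64_first_line)
    tag, outer_len, pos = der_header(buf, 0)
    expect(tag, 0x30, "SubjectPublicKeyInfo SEQUENCE")
    tag, _, pos = der_header(buf, pos)
    expect(tag, 0x30, "AlgorithmIdentifier SEQUENCE")
    tag, oid_len, pos = der_header(buf, pos)
    expect(tag, 0x06, "algorithm OBJECT IDENTIFIER")
    oid = decode_oid(buf[pos:pos + oid_len])
    pos += oid_len
    tag, null_len, pos = der_header(buf, pos)   # NULL parameters for rsaEncryption
    pos += null_len
    tag, _, pos = der_header(buf, pos)
    expect(tag, 0x03, "subjectPublicKey BIT STRING")
    pos += 1                                     # unused-bits octet
    tag, _, pos = der_header(buf, pos)
    expect(tag, 0x30, "RSAPublicKey SEQUENCE")
    tag, mod_len, pos = der_header(buf, pos)
    expect(tag, 0x02, "modulus INTEGER")
    lead = buf[pos:pos + 2]                      # enough to size the modulus exactly
    if lead[0] == 0:                             # leading 0x00 keeps the INTEGER positive
        modulus_bits = (mod_len - 2) * 8 + lead[1].bit_length()
    else:
        modulus_bits = (mod_len - 1) * 8 + lead[0].bit_length()
    return {"outer_len": outer_len, "algorithm_oid": oid, "modulus_bits": modulus_bits}

if __name__ == "__main__":
    info = inspect_spki_prefix(SPKI_FIRST_LINE)
    rsa = info["algorithm_oid"] == "1.2.840.113549.1.1.1"   # rsaEncryption
    print(f"{info}  rsaEncryption={rsa}")
```

The outer SEQUENCE length plus its 4-byte header gives the size of the full DER body, so the same walker tells you how many base64 lines a complete block must have. For the real thing, `openssl pkey -pubin -in key.pem -text -noout` parses this format; `gpg --import` does not, which is all the "BER error" was saying.
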
October 14, 2018 6:18 AM

Clive Robinson on Friday Squid Blogging: Eat Less Squid:

@ Timothy, ALL

You might also like,

https://www.lightbluetouchpaper.org/2018/10/05/making-sense-of-the-supermicro-motherboard-attack/

As I've said I have my suspicions about Bloomberg, thus I have my doubts.

However it is entirely possible to do (the NSA&GCHQ do it).

The real problem is "hard proof", people are claiming "no photo no story" without really thinking things through.

They are under the impression an attacker needs to...

October 14, 2018 5:53 AM

Timothy on Friday Squid Blogging: Eat Less Squid:

A former Apple product engineer writes about circuit boards and whether a Supermicro server board implant was possible. The short answer is yes. She discusses the risks of under-resourced teams, "customer-facing drawings" vs "factory drawings," counterfeit parts, and building digital transparency and traceability in the supply chain. She says that although the technology exists to assess a product's integrity, particularly for high sensitivity electronics, it is not yet considered a standard across the industry....

October 14, 2018 2:47 AM

Wesley Parish on The US National Cyber Strategy:

@Clive Robinson

That expression, according to an interesting Scientific American article I read back in the 80s on the mind and its internal indexing, is actually "As American as mother pie and applehood."

Considering that Apple Inc or Corp is now a person under US law, we may well concede it Applehood; it's just the Mother Pie sticks in my throat.

October 14, 2018 1:53 AM

MarkH on Friday Squid Blogging: Eat Less Squid:

@echo:

I wasn't involved in the boiling flow analysis; some colleagues who worked at the "hairy end" were kind enough to explain to me some of the challenges.

My little exposure to turbulence from an engineering perspective comes from looking through some elementary texts in aerodynamics. They give a pretty good idea of where you can expect to see turbulence, but don't attempt to quantify it.

On an airplane wing, smooth (parallel) airflow stays close to the wing surface for a surprisingly short length after the leading edge (nose). Behind this threshold, the...

October 14, 2018 1:00 AM

Erik R on Friday Squid Blogging: Eat Less Squid:

Before the EU content filter requirements go live; Bruce and the new book are mentioned on Swedish public radio. Link to the program, all in Swedish though:

https://sverigesradio.se/sida/avsnitt/1161066?programid=516

The program is not tech related but rather a relaxed and humorous talk show with thoughts about the future. The book virtually opens and drives the idea of increased analogue ways of doing things that won't kill you if clicked.


October 13, 2018 11:52 PM

Wael on Friday Squid Blogging: Eat Less Squid:

The above is just a test public signature for a POC. Once done, I'll delete the private key. Please do not use this to send me encrypted information -- I'll ignore it. Besides, this will be used only for signature verification, you know: a 'Separation of duties' thing...

October 13, 2018 11:47 PM

Wael on Friday Squid Blogging: Eat Less Squid:

-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA4BNhf0wjCMckfCF4leiH
8EnmtNQZ1ZhEXZicDjXhBmLQDaSLEtQhJTMbFkDd4CLfYLgO3mkp4dQVK/pG9FWn
75XO7bpApzcWKmQjJn+EwemIYC5Nc76WkrCQ4FVm5w0ys/sPtJqxGt75yM78ysCM
K2R3Xf5UzHefaNlbUbndvtXFTwy3chRsx/TSyZCXuCRFhybFIQcdE4Es+yRthm8w
U4znkmhiEFjwuW9wMyPhEyHelE6qYWiiR2VCC3xxiLaOH3mXINhjpKXXmbTnfrdB
3L0P4s/YV7BgP7kDKXIRaxTsAL+gqMrwtXYDm18vuHCA2ySNQPItjJaN0pf/6KBC
qyuL1NDlB13tBr9kZhx9OjYo22HG2nffBci9EnfE4i3zsnu+HJoTq7YSpnh4mhpo...

October 13, 2018 8:25 PM

Little Lamb on Friday Squid Blogging: Eat Less Squid:

the amount of data 'they' were collecting on mouse clicks ... He was an oldish guy 50+, beard if I remember rightly.

A mad scientist was performing cruel and unusual experiments on captive mice. The psychiatrist next door was muttering something about bestiality or murine-human intercourse, but they didn't want to add it to the DSM-V because they thought it might give people ideas.

October 13, 2018 8:23 PM

Clive Robinson on Friday Squid Blogging: Eat Less Squid:

@ echo,

The incumbent idiots mentioned are very selective in their remembering of history. Which is what you would expect for those who feel entitled by status.

Whilst they might think they are secure in their places, history shows us that when pushed collective action by the rest of society can have only one of two conclusions. The self appointed elites back down or they are made ineffective in some way, often by violence of some form.

Civil unrest is undesirable but usually that is what ends up happening. First the self appointed call upon their guard labour...

October 13, 2018 8:00 PM

Colin Mansell on Friday Squid Blogging: Eat Less Squid:

Great blog. Love your comments policy.

This is about snooping on us, and is therefore security related, but I wouldn't mind betting it is also about commerce/behavior/garnering clicks.

I watched a video on Youtube from a hacker conference, quite possibly Defcon, before 2018, from someone who was concerned about the amount of data 'they' were collecting on mouse clicks and so on, from the packets and amount of data coming in and going out. Can anyone point me back in his direction? He was an oldish guy 50+, beard if I remember rightly.

On, I believe, a related...

October 13, 2018 7:40 PM

echo on Friday Squid Blogging: Eat Less Squid:

@Clive

Following on from your comments in the social-economic domain the lack of considering people's social and economic security suggests Brexit as implemented isn't an accident but design intent.

I have no idea what Prof Anderson may say or whether his experience in "security engineering" and "security economics" can add value to a discussion....

October 13, 2018 7:37 PM

Wael on Friday Squid Blogging: Eat Less Squid:

@Clive Robinson,

That's helpful. Suppose we use the analogy of a skyscraper or an entire city to be built. Assuming Architecture and Design are separate tasks, regardless of whether they're done by the same person. What would fall under Design and what would fall under Architecture, keeping security in mind?

October 13, 2018 7:15 PM

Clive Robinson on Friday Squid Blogging: Eat Less Squid:

@ Wael,

What's the difference between Architecture and Design in a software development setting, with emphasis on "Security Aspects"?

It's a good question, which has filled many a book to answer, all with different Points of View. Which is going to make answering it in a short comment interesting ;-)

In the main the problem is because of the dual nature of the beast which has both style and substance, and moves from one to the other through many levels of the computing stack. With the addition of security a much larger range of the stack has to be...

October 13, 2018 6:25 PM

Thoth on Friday Squid Blogging: Eat Less Squid:

@Clive Robinson, those that helped on bitwise math

Thanks for all the help. Was working to implement Keccak-256 hash function on a smart card and it is finally done. Since Keccak hash is not supported on all smart cards on their crypto processing units and there are no such precedents on actually usable Keccak hash source code for smart cards, I had to do the 64-bit rotl, add, flip and xor operations by implementing those with the help here.

Works wonderfully, and I'm now able to generate a 256 bit Keccak hash in 10 seconds with a 136 bytes input block.

Looking to push...

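Thoth's card-side code is not on the page; what follows is an added reference implementation, not his, that a port to a 16- or 32-bit card VM can be diffed against. It is pure-Python Keccak-256 with the original Keccak padding byte 0x01 (the 136-byte rate Thoth mentions; FIPS 202 SHA3-256 differs only in using 0x06), and the one 64-bit operation the post says had to be hand-built, rotate-left, is written over two 32-bit halves the way a card without 64-bit integers has to do it. The two test vectors in the test are the published Keccak-256 values for the empty message and for "abc".

```python
# Added example: Keccak-256 with the 64-bit lane rotation built from 32-bit halves.
# Reference code for checking a smart card port, not the port itself.
MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF

# Rotation offsets r[x][y] and the 24 round constants from the Keccak specification.
ROT = [
    [0, 36, 3, 41, 18],
    [1, 44, 10, 45, 2],
    [62, 6, 43, 15, 61],
    [28, 55, 25, 21, 56],
    [27, 20, 39, 8, 14],
]
RC = [
    0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
    0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
    0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
    0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
    0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
    0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008,
]

def rotl64_via_32(lane: int, n: int) -> int:
    """Rotate a 64-bit lane left by n using only 32-bit shifts, ORs and masks.

    Keep the lane as (hi, lo). A rotation by 32 or more is a swap of the halves
    plus a smaller rotation; the rest shifts each half and pulls the bits that
    fell off the top of the other half into its bottom.
    """
    n %= 64
    hi, lo = lane >> 32, lane & MASK32
    if n >= 32:
        hi, lo = lo, hi
        n -= 32
    if n:
        hi, lo = (((hi << n) | (lo >> (32 - n))) & MASK32,
                  ((lo << n) | (hi >> (32 - n))) & MASK32)
    return (hi << 32) | lo

def keccak_f1600(A: list) -> list:
    """The permutation: 24 rounds of theta, rho, pi, chi, iota on 25 lanes (index x + 5*y)."""
    for rc in RC:
        # theta: column parities, each lane XORed with two neighbouring parities
        C = [A[x] ^ A[x + 5] ^ A[x + 10] ^ A[x + 15] ^ A[x + 20] for x in range(5)]
        D = [C[(x - 1) % 5] ^ rotl64_via_32(C[(x + 1) % 5], 1) for x in range(5)]
        A = [A[i] ^ D[i % 5] for i in range(25)]
        # rho + pi: rotate each lane by r[x][y] and move it to (y, 2x + 3y)
        B = [0] * 25
        for x in range(5):
            for y in range(5):
                B[y + 5 * ((2 * x + 3 * y) % 5)] = rotl64_via_32(A[x + 5 * y], ROT[x][y])
        # chi: the only non-linear step, row-wise a ^= (~b & c)
        A = [B[i] ^ ((~B[(i % 5 + 1) % 5 + 5 * (i // 5)] & MASK64)
                     & B[(i % 5 + 2) % 5 + 5 * (i // 5)]) for i in range(25)]
        # iota: round constant into lane (0, 0)
        A[0] ^= rc
    return A

def keccak256(data: bytes) -> bytes:
    """Keccak-256: rate 136 bytes, pad10*1 with the 0x01 domain byte, 32-byte output."""
    rate = 136
    msg = bytearray(data) + b"\x01"
    msg += b"\x00" * (-len(msg) % rate)
    msg[-1] |= 0x80
    state = [0] * 25
    for off in range(0, len(msg), rate):
        for i in range(rate // 8):                       # absorb one 136-byte block
            state[i] ^= int.from_bytes(msg[off + 8 * i:off + 8 * i + 8], "little")
        state = keccak_f1600(state)
    return b"".join(state[i].to_bytes(8, "little") for i in range(4))   # squeeze 256 bits

if __name__ == "__main__":
    print(keccak256(b"").hex())
    print(keccak256(b"abc").hex())
```

The two places a card port most often goes wrong are exactly the ones this reference pins down: the padding byte (0x01 here versus 0x06 for SHA3-256, which gives a different digest for every input) and the carry between halves in the rotation, which the rotl64_via_32 assertions exercise on their own before any hashing is involved.
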
October 13, 2018 5:46 PM

echo on Friday Squid Blogging: Eat Less Squid:

@MarkH

In one of my previous lives, an application required the design of systems to release a fluid which is stored at high pressure as a liquid, and which boils into gas as it flows through the discharge system ... imagine how chaotic that must be!

I didn't know anything beyond the simple stuff until I read a very long article explaining how SpaceX modelled stuff in their engines. I recall mention of doing some good optimisations and discovering a few good computational shortcuts or something which meant they could do more accurate and faster work....

October 13, 2018 5:27 PM

echo on Friday Squid Blogging: Eat Less Squid:

https://www.independent.co.uk/voices/matthew-hedges-jailed-uk-government-uae-relationship-arms-sales-a8582346.html

In May, Matthew Hedges, 31, was seized at Dubai airport as he attempted to leave the country following a two-week research trip for his PhD. The Durham University student had travelled there to conduct fieldwork for his doctoral thesis on the impact of Emirati security and foreign policies following the 2011 Arab Spring – a subject...

October 13, 2018 5:22 PM

Clive Robinson on Friday Squid Blogging: Eat Less Squid:

@ echo,

With regards the "pilot wave" mechanics. About five years ago Prof Ross J. Anderson of the Cambridge computer labs published a paper on the subject,

https://www.lightbluetouchpaper.org/2014/01/20/why-bouncing-droplets-are-a-pretty-good-model-of-quantum-mechanics/

As you might know Ross is more normally associated with "Security Engineering", and for a while "Security Economics".

So yes there are crossovers for the curious mind.

October 13, 2018 5:21 PM

Wael on Friday Squid Blogging: Eat Less Squid:

@Clive Robinson,

But I'm guessing that's not quite what you mean ;-)

Told you what I didn't mean but forgot to tell you what I meant. Reduction of the attack surface by Expansion of the search space. There! I said a mouthful :)

October 13, 2018 5:17 PM

MarkH on Friday Squid Blogging: Eat Less Squid:

@Clive:

Thanks for the BearSSL link, it's a nice write-up. I wrote some bigint code back in the day, and learned many of the speed optimization techniques along the way -- though the extremal-bits optimization to binary gcd was new to me.

It's also interesting to me, reading about measures taken to ensure constant execution time, which wasn't a concern for my application.

@echo:

I haven't attempted to keep up with research in fluid dynamics, but it's no big surprise that turbulence remains elusive.

In one of my previous lives, an application...

October 13, 2018 5:12 PM

Wael on Friday Squid Blogging: Eat Less Squid:

@Clive Robinson,

But I'm guessing that's not quite what you mean ;-)

It's not what was on my mind but applicable. It's the beauty of Security Principles that apply to all phases of product development: Inception, Architecture and Design, Implementation, and Operation. We discussed some of these aspects for quite some time. There is one thing I'd like to pick your brain on:

What's the difference between Architecture and Design in a software development setting, with emphasis on "Security Aspects"? I have some opinions...

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.