Recent Comments


September 17, 2021 12:13 PM

Chris Woods on Zero-Click iMessage Exploit :

Why are we limiting the discussion to “messaging apps”? This is an image processing exploit. Apple Messages is just a tool to target specific individuals, but this exploit could be used to harvest data in a variety of ways. For example, couldn’t a nefarious actor upload an image to an ad network and get data from any phone that loads the image?

September 17, 2021 11:18 AM

MarkH on Friday Squid Blogging: Possible Evidence of Squid Paternal Care :

@Freezing_in_Brazil:

I suppose it very likely that radioisotope TRNGs are in use for critical applications.

Even so, that’s a tiny market, for very specialized gadgets which are probably sold at high prices.

Depending on jurisdiction, there may be legal impediments, but ionization smoke detectors are still in mass production, as far as I’m aware.

From my work experience, manufacturers prefer not to include hazardous materials in their products because their already complicated life gets even more complicated...

September 17, 2021 11:07 AM

MarkH on Friday Squid Blogging: Possible Evidence of Squid Paternal Care :

@Freezing_in_Brazil, Clive:

For radioisotope TRNGs, the correct measurement scheme is to strobe a free running high-frequency counter when an ionizing emission is detected, and to use some of its less significant bits as the raw random data.

If (a) the detector hardware is carefully designed to limit influences which could skew its output edge to less than one clock cycle, and (b) the wrap-around time for the modular counter is small compared to the mean time between detections, then the raw data are sufficiently free from bias that they can be used for cryptographic random numbers without any post-conditioning...

September 17, 2021 9:27 AM

TimH on Zero-Click iMessage Exploit :

What we need is a setting such that text message services can be configured to ignore all but text. No embedded anything, no formatting.

Similar to disabling scripting and remote content for html emails.

September 17, 2021 9:05 AM

Loganrune on Zero-Click iMessage Exploit :

so for us dummies, is this Zero-Click threat a problem if i do NOT use iMessage at all on my iPhone ?

Can i disable iMessage on my iPhone and totally avoid this problem ?

Is this vulnerability unique to iMessage (?) — or likely to eventually show up in other messaging applications ?

September 17, 2021 8:48 AM

Clive Robinson on Zero-Click iMessage Exploit :

@ ALL,

OK, it’s Apple this time but the cause is “PDF”, how many times is it now that PDF files have been the root cause of a vulnerability?

Oh and how many times is it now it’s PDFs and mobile phones… It was only a couple of years back Google had a similar issue with PDFs and their MMS…

For those with longer memories PDFs were involved in various vulnerabilities so frequently some admins just stopped them as attachments...

September 17, 2021 7:35 AM

Winter on Identifying Computer-Generated Faces :

@Jon, Jones
“In some countries, the offer of a plea bargain is a hideous criminal offence. J.”

Plea bargains prevent fair trials. Hence the resistance in the EU against extradition of suspects to the USA. Suspects do not get a fair trial.

September 17, 2021 7:08 AM

Mowmowfi on Zero-Click iMessage Exploit :

@bruce all
Is this only for people on Nso list, based on last message about Apple strange??

September 17, 2021 1:16 AM

on Fraud Detection in Pokémon Go :

@Moderator:

1, Bridget

Something odd about it, look between “are cheating” and “but of” looks like something was “hidden” by use of non-visible characters.

September 16, 2021 11:29 PM

Jon on Identifying Computer-Generated Faces :

@ jones

Only about 5% of criminal cases actually go to court; most are settled with plea agreements because trials are deemed too risky to the defendant.

Do keep in mind that’s only true in the USA. Bruce Schneier has an international audience.

In some countries, the offer of a plea bargain is a hideous criminal offence. J.

September 16, 2021 10:29 PM

Bridget on Fraud Detection in Pokémon Go :

I have always kind of felt like the poke genies are cheating 🤷🏽‍♀️ but of course ppl spend money in those so they allow that 🙃

September 16, 2021 8:49 PM

Sut Vachz on Designing Contact-Tracing Apps :

Another way to use tracing, as pro-active information

“NOVID goes beyond contact tracing. Get notified before you’re exposed, so you can take precautions and protect yourself.”

https: //www.novid.org

September 16, 2021 8:03 PM

WhiskersInMenlo on Friday Squid Blogging: Possible Evidence of Squid Paternal Care :

@Clive Robinson
…yes exactly..
I was listening to “breaking news” and my head exploded with possibilities.
There is coordination going on and for a multitude of reasons has yet to be sorted. A couple altered binary packages could go unnoticed. As a tool kit used by a handful there is a lot of power if only FUD generation.
Old school verbal in person is still useful but slow. Today trouble is accelerated. Command and control of trouble is hard to prove...

September 16, 2021 8:00 PM

jones on Identifying Computer-Generated Faces :

@any moose

judges still believe it to be reliable
Juries, which often only exhibit a bovine level of intelligence

The epistemological problem posed by deepfakes and GAN-generated imagery has less to do with courts, and more to do with sociology-cultural concerns.

Only about 5% of criminal cases actually go to court; most are settled with plea agreements because trials are deemed too risky to the defendant. An empirical study that compared the results of two mass-exoneration cases (where police and prosecutors engaged in systematic misconduct) to a college psychology experiment found that, under the plea bargain system, about 90% of guilty parties will plead to a lesser crime to avoid trial, while 55-75% of innocent parties will plead guilty for the same reason...

September 16, 2021 7:57 PM

Andrew Bunch on Tracking People by their MAC Addresses :

I thought this was very interesting and it shows the continued need for increased security measures in all kinds of technology even Bluetooth headphones.

September 16, 2021 4:31 PM

James Hagan on More Military Cryptanalytics, Part III :

Though I agree that there aren’t many secrets left to discover from this, I would argue that though the concepts may be common knowledge today the inspiration that they can give to someone is still boundless. So many minor tweaks to common knowledge today are what have created some of the most useful inventions.

September 16, 2021 4:13 PM

any moose on Identifying Computer-Generated Faces :

Many months ago the publishing of deepfakes flaws should have been outlawed for the exact reason Schneier stated, that e-monsters would simply improve their odious software. And as Clive noted, deepfakes are now essentially impossible to distinguish from genuine video. Our leaders, except for farsighted ones such as British MP Maria Miller, have fixed it so video evidence in court is 100% unreliable, though judges still believe it to be reliable. Soon people will be arrested and convicted based on deepfakes. Juries, which often only exhibit a bovine level of intelligence, will simply not believe that deepfakes exist because the images look too real. You anarchists, libertarians, and Bolsheviks 2.0 have the dystopian future you always advocated for...

September 16, 2021 3:59 PM

Clive Robinson on Friday Squid Blogging: Possible Evidence of Squid Paternal Care :

@ SpaceLifeForm, ALL,

“An examination of the Epik Software data released by Anonymous has security experts concluding the claims made by the shadowy organization are true, and it will be a devastating blow.”

But what sort of blow?

1, Existential
2, Evolutionary

Sadly I do not think this will be “existential” for the majority of far right extremists / nutbars. Whilst some may end up in jail fomenting further hate, I suspect the majority will end up on some useless watch list...

September 16, 2021 3:34 PM

Clive Robinson on Friday Squid Blogging: Possible Evidence of Squid Paternal Care :

@ WhiskersInMenlo, ALL,

The breaking news was that a now public report indicated “ping” traffic between the soviets and a Trump server.

You would think that both sides of that would know better… But hey the world goes round.

A couple of questions arise though,

1, Which Trump Server?
2, Which way the traffic was really going?

The server may not have had anything of use to anyone on it. That is it could have just been an Internet version of a billboard, puffing up the blowdry image...

September 16, 2021 3:12 PM

SpaceLifeForm on Friday Squid Blogging: Possible Evidence of Squid Paternal Care :

EPIKFAIL

Some history can be found at this link

hxtps://malcontentment.com/anonymous-hack-of-epik-releases-reveals-a-devastating-amount-of-information/?amp

An examination of the Epik Software data released by Anonymous has security experts concluding the claims made by the shadowy organization are true, and it will be a devastating blow. “This is the Panama Papers for hate groups,” a researcher told us after reviewing just part of the 180GB of information retrieved. “In all my years, I have never seen a breach of a domain registrar to this scale. The lack of security to protect this information is breathtaking.”...

September 16, 2021 2:33 PM

SpaceLifeForm on Friday Squid Blogging: Possible Evidence of Squid Paternal Care :

EPIKFAIL is an accurate name

FBI and others are drooling

This will provide numerous dots to Jan 6.

hxtps://www.dailydot.com/debug/epik-hack-far-right-sites-anonymous/?amp

The engineer pointed the Daily Dot to what they described as Epik’s “entire primary database,” which contains hosting account usernames and passwords, SSH keys, and even some credit card numbers—all stored in plaintext...

September 16, 2021 2:18 PM

WhiskersInMenlo on Friday Squid Blogging: Possible Evidence of Squid Paternal Care :

I was watching a recent MSNBC segment on the Rachel Maddow show.

The breaking news was that a now public report indicated “ping” traffic between the soviets and a Trump server. I got the impression that “ping” and “ICMP ping” distinctions were not grokked by the staff that wrote the bit.

I could not tell if this was ICMP ping packets but ping allows ICMP payload (optional). A modified ping pair could be used to infiltrate or exfiltrate data. In general ICMP traffic is ignorable but for corporate and national secrecy issues it should not be ignored...

September 16, 2021 9:50 AM

jones on Identifying Computer-Generated Faces :

At the moment, many generated faces of this sort are produced using NVIDIA’s StyleGAN software with a pre-trained model; the most common pre-trained model for faces is FFHQ.

Faces produced with this pre-trained model have detectable features — the images in the model are pre-processed so the eyes are always aligned in the same way.

One further avenue of detection: it is possible to take a suspected fake face and “project” it into the “latent space” of the model to see if that face can be generated by the model — if so, it’s fake...

September 16, 2021 8:43 AM

Sut Vachz on Identifying Computer-Generated Faces :

Classic illustration of face recognition methodology

https: //www.newyorker.com/cartoon/cartoons-90th-anniversary-1985-1995-14

September 16, 2021 7:09 AM

Edge Case Guy on Identifying Computer-Generated Faces :

Interesting shortcut to finding fake images… but it’s based on the assumption that every real person has a round iris.

Edge cases for people exist, including “pac-man eyes”
https://www.reddit.com/r/mildlyinteresting/comments/gt77ms/my_iris_is_misshaped_but_no_known_eye_problems/

I fear that systems using shortcuts like this will flag a small percentage of the population, and lock them out of legitimate systems. A little like when a computer system marks someone as dead, and they have a nightmare trying to prove otherwise...

September 16, 2021 6:23 AM

Clive Robinson on Friday Squid Blogging: Possible Evidence of Squid Paternal Care :

@ SpaceLifeForm, ALL,

Researchers Develop Toolkit to Test Apple Security, Find Vulnerability

Handy as Apple hide so much by lifting the corner of the chip and until now fairly deftly sweeping it under out of sight…

Which means that things as embarrassing as,

“can reduce the security of OpenSSL AES-128 by 50 more bits than a straightforward adaptation of PRIME+PROBE, while requiring only half as many side channel measurement traces”...

September 16, 2021 1:49 AM

SpaceLifeForm on Friday Squid Blogging: Possible Evidence of Squid Paternal Care :

@ Clive

The msrc link about CVE-2021-38632 had no details. I copied the only line of note. There were absolutely no details, no more useful information. It was of note to me that Microsoft actually acknowledged it. What you encountered, definitely interesting.

Not sure how I got the ‘of’ appended to the gossi link. But, yes, I suspect it is not random at all.

@ lurker

What? Are you saying that it does not mean Secret Malware Service?...

September 16, 2021 1:04 AM

Clive Robinson on Friday Squid Blogging: Possible Evidence of Squid Paternal Care :

@ SpaceLifeForm,

ForcedEntry’s key point is the exploit technology as it is still unknown how it is able to bypass the PAC and disable ASLR.

The thing about ASLR is you may not have to disable it. The “R” may not be very good, or at least easily predictable.

Obviously as a developer of an OS you want the algorithm for “R” to be very small and very fast. The simplest “R” algorithm you could use would be,...

September 16, 2021 12:59 AM

Winter on Identifying Computer-Generated Faces :

@All
There are (yearly) anti-spoof competitions for deep fakes:

ht tps://deepai.org/publication/celeba-spoof-challenge-2020-on-face-anti-spoofing-methods-and-results

It is an arms race, but a very active one.

September 16, 2021 12:50 AM

Winter on ProtonMail Now Keeps IP Logs :

@Jason
“Check out this article on the CIA and Protonmail”

The answer comes down to “We neither confirm nor deny”. So, no information.

September 16, 2021 12:49 AM

Clive Robinson on Friday Squid Blogging: Possible Evidence of Squid Paternal Care :

@ SpaceLifeForm, ALL,

Looks like Microsoft has fixed as of recent hours.

The twitter link you gave is broken…

To fix remove the mysterious “of” that got on the end of the URL and get,

https://www.twitter.com/GossiTheDog/status/1438090108834562054

A thought for you, I’ve just noticed that tail number is 19 digits long, which approximates to a 64bit number… What is the betting it’s not TRNG generated, but fully deterministic like a non crypto hash of a counter? I’d say fairly good, which then raises “What is the betting it’s “home grown” and probably insecure?...

September 15, 2021 11:07 PM

Clive Robinson on Friday Squid Blogging: Possible Evidence of Squid Paternal Care :

@ SpaceLifeForm,

No details, only the Evil Maid knows for sure.

A funny thing happened on the way to the…

Instead of providing what should be a simple page of text detailing the “bug” the “Microsoft Resource Center” link you gave blows up on my browser and instead gives a,

Something went wrong!

Page… With a couple of unhelpful buttons

But… At the bottom a box with a diagnostic contained within of,...

September 15, 2021 10:17 PM

/dev/null on Identifying Computer-Generated Faces :

I’ve been paying attention to some of the digital celebrities (mostly in Asian countries) and the level of detail blows my mind. It’s really hard to tell fake from real any more. And these fake creations can generate a lot of revenue. They have full blown profiles, they “do stuff” and have “lives”, followers, like a real person.

Combine with deepfake AI stuff and wow, where are we headed? It’s already depressing/mentally unhealthy as it is with celebrities and successful YouTubers and such (see recent articles on Facebook/Instagram and teenage health). Just imagine if all of that was even more fake, as in completely 100% generated by a marketing firm. Yikes...

September 15, 2021 9:46 PM

JonKnowsNothing on Tracking People by their MAC Addresses :

@WhiskersInMenlo

re: multitude of inventory RfID tags … Those near devices can be associated with all the other devices.

What started with an idea of Track and Tracing Inventory for managing order and finding misplaced items has morphed into a method of tracking just about anything that can be tracked.

pre-COVID: Some RFID tags could be disabled on checkout when the item was placed on a special mat, like at a bookstore...

September 15, 2021 5:36 PM

SpaceLifeForm on Friday Squid Blogging: Possible Evidence of Squid Paternal Care :

Silicon Turtles

hxtps://www.trendmicro.com/en_us/research/21/i/analyzing-pegasus-spywares-zero-click-iphone-exploit-forcedentry.html

ForcedEntry’s key point is the exploit technology as it is still unknown how it is able to bypass the PAC and disable ASLR.

September 15, 2021 4:49 PM

SpaceLifeForm on Friday Squid Blogging: Possible Evidence of Squid Paternal Care :

OMIGOD

Looks like Microsoft has fixed as of recent hours.

Bet someone is not happy their backdoor was burned.

Until a few hours ago, it was a one line curl command to get root remotely into a Azure Linux VM.

hxtps://www.twitter.com/GossiTheDog/status/1438090108834562054of

September 15, 2021 1:58 PM

Clive Robinson on Identifying Computer-Generated Faces :

@ Bruce,

Unfortunately, they also note that now that such irregularities have been identified, the people creating the fake pictures can simply add a feature…

This fragility of such “testing systems” where “needing obscurity” is a primary requirement of operation is not good. One of the major points of “evidence” is that it be presented openly and that all methods are open to inspection and the application by others to be verified...

September 15, 2021 1:21 PM

Clive Robinson on Friday Squid Blogging: Possible Evidence of Squid Paternal Care :

@ someone,

I really do despise Google, way beyond my hate for MS at this point…

Only because you can see them…

There are others like Palantir that are a whole magnitude worse. But because they are not as it were “in your face all the time” as Microsoft (Windows) and Google (Browser) are you do not realise they are worse way way worse than Facebook and Cambridge Analytica were a little while ago...

September 15, 2021 1:17 PM

Tim Shimeall on Surveillance of the Internet Backbone :

The collection and analysis of netflow data is not new (or threatening). CISCO developed the netflow v5 and v9 data format in the late 90s, and IETF developed the IPFIX transport format in the early 2000s (see RFC 7011). Among several other tool suites (see Argus, cFlow, or sFlow), CERT/CC at Carnegie Mellon University has been distributing an open-source suite of tools that collect and analyze netflow data (see ...

September 15, 2021 11:18 AM

someone on Friday Squid Blogging: Possible Evidence of Squid Paternal Care :

@SLF re: chromium V8 vuln So, Google requires a Google account log-in just to read the report detail that resulted in the CVE listings? Disgusting. I really do despise Google, way beyond my hate for MS at this point… Since I have JS disabled in unGc by default, and only switch it on in the relatively rare event that I really need to read a page and it won’t render at all without it, hopefully I’m not at too bad risk. As an aside, I have found that there are quite a few sites that attempt to enforce a JS requirement (and whose developers no doubt think that they have done so) where the content may be read by using Reader View…...

September 15, 2021 11:01 AM

WhiskersInMenlo on Tracking People by their MAC Addresses :

It is equally as important to address the multitude of inventory RfID tags in anything over $20. Most shoes, belts, handbags, hats, jackets have inventory tags built in. Those near devices can be associated with all the other devices. As a set they are you and a partial set is sufficient given the number of them. The RfID tag in a pet dog is normally read at inches but could be read at interesting distances...

September 15, 2021 6:15 AM

Clive Robinson on Friday Squid Blogging: Possible Evidence of Squid Paternal Care :

@ SpaceLifeForm, ALL,

No details, only the Evil Maid knows for sure.

My guess is what ever the hardware interface is, it is likely to be a pre-boot attack of some form.

The roots of which go back to the earliest days of the Apple ][ design back in the mid 1970’s…

Which is why there is a hardware I/O driver hole that allows a totally untrusted piece of hardware with a ROM on it to have unchecked code loaded into memory, which then gets linked in to the OS as it boots…...

September 15, 2021 5:15 AM

Clive Robinson on Friday Squid Blogging: Possible Evidence of Squid Paternal Care :

@ SpaceLifeForm,

There is a lot of things happening, and Mother Nature is just a Honey Badger.

Hey don’t knock “Stoffle” he was only doing what all prisoners aim to do 😉

https://www.youtube.com/watch?v=c36UNSoJenI

Oh the first words you hear are about Stoffle being hurt by a lion. What is not said is Stoffle started the fight… and it’s a rare lion that wins.

Needless to say Stoffle has become a bit of an Internet celebrity...

September 15, 2021 4:51 AM

Clive Robinson on Friday Squid Blogging: Possible Evidence of Squid Paternal Care :

@ JonKnowsNothing, someone, SpaceLifeForm, Winter, ALL,

Recent reports of the failure of the wheat harvest in Canada and failure of other harvests around the globe might make a dent in that view.

The big problem with the Canadian wheat, is also it is the “type of wheat” that makes it even more critical[1]. People are often very surprised at just how many types of grain there are, and that it was one of mankind’s first “genetic modification” experiments thousands of years ago, and that the instances of serious food intolerance to grains is one of the highest of all foods (aside from perhaps cassava which has high quantities of cyanide in it)...

September 15, 2021 4:06 AM

Clive Robinson on Friday Squid Blogging: Possible Evidence of Squid Paternal Care :

@ SpaceLifeForm, ALL,

Silicon Turtles can be hard to spot in the wild.

It does not help when people deliberately put holes in the net to stop you catching them,

“Spook.js exploits this hole in the Site Isolation design, which apparently Google knows, but about which it also can’t do anything about, since separating JavaScript code at the subdomain level would also cripple about 13.4% of all internet sites.”...

September 15, 2021 2:23 AM

Robin on Designing Contact-Tracing Apps :

@Adrian, your points are valid and it’s easy to come up with a few more in the same vein. But the point overall is that, on average, contact tracing apps contribute to making the environment a bit more hostile for the virus. So even if they are not universally used and not ideal in how they operate, can they have a useful role to play? And a bit like hand-washing, the ubiquity of QR codes in one form or another is a constant reminder that the virus is still around...

September 15, 2021 12:04 AM

SpaceLifeForm on Friday Squid Blogging: Possible Evidence of Squid Paternal Care :

Old man yells at clouds while just shaking head

OMIGOD

hxtps://www.wiz.io/blog/secret-agent-exposes-azure-customers-to-unauthorized-code-execution

Remove the auth header and you are root!

This is a textbook RCE vulnerability that you would expect to see in the 90’s – it’s highly unusual to have one crop up in 2021 that can expose millions of endpoints. With a single packet, an attacker can become root on a remote machine by simply removing the authentication header. It’s that simple...

September 14, 2021 9:37 PM

SpaceLifeForm on Friday Squid Blogging: Possible Evidence of Squid Paternal Care :

Silicon Turtles

No details, only the Evil Maid knows for sure.

But, my top guess is USB.

hxtps://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38632

A successful attacker could bypass the BitLocker Device Encryption feature on the system storage device. An attacker with physical access to a powered off system could exploit this vulnerability to gain access to encrypted data.

September 14, 2021 6:42 PM

SpaceLifeForm on Friday Squid Blogging: Possible Evidence of Squid Paternal Care :

@ JonKnowsNothing, Winter, Clive, ALL

Excellent point

I was not connecting all of the dots when I wrote that. Mea Culpa.

There is a lot of things happening, and Mother Nature is just a Honey Badger.

The planet does not care about any one.

September 14, 2021 6:19 PM

JonKnowsNothing on Friday Squid Blogging: Possible Evidence of Squid Paternal Care :

@ SpaceLifeForm, Winter, Clive

re: Supply Chain problems … I do not see major collapse.

Recent reports of the failure of the wheat harvest in Canada and failure of other harvests around the globe might make a dent in that view.

Failed harvests are not uncommon often affecting a local economy and the short fall made up from other suppliers. The loss of 50% of the Canadian Wheat harvest is not going to be made up easily...

September 14, 2021 5:49 PM

Anders on Friday Squid Blogging: Possible Evidence of Squid Paternal Care :

On summer here was an incident when attacker downloaded
Identity card photos from the database.

hxxps://therecord.media/estonia-says-a-hacker-downloaded-286000-id-photos-from-government-database/

Today was sequel to this news.

Now we know the attacker name. He found two more critical vulnerabilities in government systems and asked monetary
reward for them, since government stalled here he started...

September 14, 2021 5:48 PM

Clive Robinson on Friday Squid Blogging: Possible Evidence of Squid Paternal Care :

@ Winter, someone, SpaceLifeForm, ALL,

The problem is supply chains.

What people tend to forget is that behind the supply chain they are interested in there are several others. Whilst it is not turtles all the way down it can take a very very long time to get them all running again. 18-36 months would not be uncommon and if a mine or oil well etc had been closed down it might take 60-300 months to get things back, if at all...

September 14, 2021 5:29 PM

Clive Robinson on Friday Squid Blogging: Possible Evidence of Squid Paternal Care :

@ Someone,

Re gas/gasoline and IC engines.

Yes you need to change the carb settings amongst other things. The point I was making though is that few people appear to know that an IC will work on a whole host of fuels from “cracked water” through most light hydrocarbons right through cracked long chain hydrocarbons. I’ve demonstrated an IC running off cracked 2lt Cola bottles.

Yes filtering is important. However again few appear to know what is mainly being filtered out is uncracked hydrocarbons. So pick the right filter materials and the filters after condensing out the partially cracked long chain hydrocarbons that are in effect tars, go back into the process. This was something well known in the 1800’s with extracting lamp oil etc from peat bog material. Ideally you want the IC to run off of cold hydrogen gas but CO and light hydrocarbons all work well enough...

September 14, 2021 5:20 PM

SpaceLifeForm on Friday Squid Blogging: Possible Evidence of Squid Paternal Care :

@ someone, ALL

It is all Chromium based browsers because the problems are in the V8 Javascript engine. Even Edge on Windows.

It is not clear that this specific Spook.js problem was actually addressed yet.

Silicon Turtles can be hard to spot in the wild.

hxtps://therecord.media/new-cpu-side-channel-attack-takes-aim-at-chromes-site-isolation-feature/amp/

A team of academics from universities in Australia, Israel, and the US has successfully mounted CPU side-channel attacks that recover data from Google Chrome and ...

September 14, 2021 4:52 PM

someone on Friday Squid Blogging: Possible Evidence of Squid Paternal Care :

@SLF re: Chromium V8 zero days – Your subject states “chromium” but the linked vuln page mentions only “Chrome”. Do you know for certain that it also impacts chromium? I’ve just spent a good bit of time locking down a recent install of ungoogled chromium, I would hope all that work wasn’t in vain.

September 14, 2021 4:43 PM

someone on Friday Squid Blogging: Possible Evidence of Squid Paternal Care :

@Winter re: prepping You might consider that civil war and economic collapse are anything but mutually exclusive. I’m lucky enough to have a remote, off-grid, location with “somewhat inconvenient” access that I could utilize in a true SHTF situation. I also have the means to defend it; certainly not against any kind of well-organized military-grade attack, but probably well enough to make an opportunistic marauder or three keep moving in search of easier prey...

September 14, 2021 4:35 PM

someone on Friday Squid Blogging: Possible Evidence of Squid Paternal Care :

@Clive re: generator conversion Yes, that can be done, but you make it seem more trivial than it actually is. I have a small Yamaha genny set-up for liquid propane (bottled gas). It will also run on pump gasoline, and presumably on natural gas (house gas) as well. However, the energy content per volume unit of those fuels differ considerably, and the ideal carburetor jetting will significantly differ, one from the other. While I can switch back and forth between pump gasoline and LP on my generator, it does not run nearly as well on gasoline, and tends to foul spark plugs because it is jetted for LP. You also wrote of “gasification”, was that in reference to “wood gas”, aka “producer gas”? That product is the result of destructive distillation (cracking) of wood chips (and potentially some other botanical substances) under temperatures not quite high enough to achieve open flame combustion. The end products are charcoal (this is similar to the commercial manufacturing process for that commodity) and so-called wood gas, which is combustible for a number of purposes, including running an IC engine. In fact FEMA has (or used to have, anyway) freely available plans to construct a producer gas generator capable of fueling an IC engine of approximately 25 – 30 HP. However, again there is a bit of devilment in the details: producer gas is a mix of various volatiles, many of which are toxic and/or highly corrosive. At minimum, using it to fuel any modern engine designed to run on pump gasoline would require a very good filter to remove some of the more vile condensates, else that engine wouldn’t last too long...

September 14, 2021 3:45 PM

SpaceLifeForm on Friday Squid Blogging: Possible Evidence of Squid Paternal Care :

@ Winter, Clive

Supply Chain problems

I do not see major collapse. What I see is durable goods being in short supply.

The economy will function, but prices will go up for in-demand goods. The market will adjust, and suppliers will supply the in-demand goods at a price.

The durable goods will not get priority.

For example, see if you can easily find a new refrigerator/freezer. Supply chain. Hard to spot buy one. Delivery may be weeks...

September 14, 2021 3:28 PM

Anders on Paul van Oorschot’s Computer Security and the Internet :

@Petre Peter

Well…what we can do better?

I have seen the times when there wasn’t html email at all,
everything was plain text, so for me solution was
easy – i filter out html emails and delete them automatically.
I’ve taught people i know, i trust and communicate with to
configure their systems to use plain text email only.
In addition, i live most time inside command line and use
CLI email client that allows to show me email full source...

September 14, 2021 3:04 PM

Freezing_in_Brazil on Friday Squid Blogging: Possible Evidence of Squid Paternal Care :

@ MarkH, Clive Robinson, All

Thanks for the feedback, considerations and references.

Clive, where it reads ‘nuclear’ I meant radioactive.

MarkH, good to know that there are actually people working on a random number generator chip. I am an enthusiast of the endeavor, although I am aware of Bruce’s lack of enthusiasm for the idea [in line with Clive’s arguments in #388417]. I would imagine, as you say, that a very well done marketing job would be needed to bring such a product to market. There must also be legal issues. I believe it is possible to establish a satisfactory disposal regime...

September 14, 2021 1:46 PM

Petre Peter on Paul van Oorschot’s Computer Security and the Internet :

From the book: Beware of the links you click on in your mail.
From Bruce: “What else could you possibly do with a link. Telling people to not click on links it’s not good enough; we have to do better”.
Thanks for this gift; great read.

September 14, 2021 1:19 PM

MarkH on Friday Squid Blogging: Possible Evidence of Squid Paternal Care :

@onyonf88:

To respond directly to your question, if by key function you mean the key scheduling algorithm — the so-called parity bits play no part. They are discarded, and their values have no effect on key scheduling.

@Clive:

To your question from last night, I submitted a fairly detailed reply which, I was informed, was awaiting moderation. Perhaps it’s still waiting …

September 14, 2021 12:16 PM

Clive Robinson on Designing Contact-Tracing Apps :

@ Adrian,

I always like to remind people in these discussions that these apps do not track contacts between people but contacts between smartphones.

Not even “contacts” bluetooth can work from one office building to another office building on the other side of a four lane street…

September 14, 2021 12:01 PM

Clive Robinson on Friday Squid Blogging: Possible Evidence of Squid Paternal Care :

@ onyonf88,

What exactly is happening under the hood?

Two things to consider,

1, Parity was frequently set to zero for compatibility with serial comms that would be seven not 8 bits.

2, 8 bits less made the NSA job 256 times easier.

Whilst both are true, one was an excuse for the other…
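
The parity-bit point made in MarkH's and Clive Robinson's comments above, as an added example that is not part of either comment: DES's first key permutation (PC-1, table from FIPS 46-3) never selects bit positions 8, 16, ..., 64, so keys that differ only in those bits feed the same 56 bits to the key schedule. The key value and the helper names are assumptions made for this example.

```python
# Added example: DES Permuted Choice 1 (PC-1), table as given in FIPS 46-3.
# Positions are 1-based from the most significant key bit; positions
# 8, 16, ..., 64 (the low bit of each key byte) never appear in the table.
PC1 = [57, 49, 41, 33, 25, 17,  9,
        1, 58, 50, 42, 34, 26, 18,
       10,  2, 59, 51, 43, 35, 27,
       19, 11,  3, 60, 52, 44, 36,
       63, 55, 47, 39, 31, 23, 15,
        7, 62, 54, 46, 38, 30, 22,
       14,  6, 61, 53, 45, 37, 29,
       21, 13,  5, 28, 20, 12,  4]

KEY = bytes.fromhex("133457799BBCDFF1")  # sample key chosen for this example


def pc1(key: bytes) -> int:
    """Return the 56-bit value the DES key schedule actually works from."""
    if len(key) != 8:
        raise ValueError("a DES key is 8 bytes")
    k = int.from_bytes(key, "big")
    out = 0
    for pos in PC1:
        out = (out << 1) | ((k >> (64 - pos)) & 1)
    return out


def clear_parity(key: bytes) -> bytes:
    """Zero the low bit of every byte, as a 7-bit serial link would."""
    return bytes(b & 0xFE for b in key)


def set_odd_parity(key: bytes) -> bytes:
    """Set the low bit of every byte so each byte has an odd number of 1s."""
    fixed = bytearray()
    for b in key:
        high7 = b & 0xFE
        ones = bin(high7).count("1")
        fixed.append(high7 | (0 if ones % 2 else 1))
    return bytes(fixed)


if __name__ == "__main__":
    flipped = bytes(b ^ 0x01 for b in KEY)  # invert all eight parity bits
    print(f"PC-1(key)            = {pc1(KEY):014X}")
    print(f"PC-1(parity flipped) = {pc1(flipped):014X}")
    print(f"PC-1(parity zeroed)  = {pc1(clear_parity(KEY)):014X}")
```
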

September 14, 2021 11:56 AM

Adrian on Designing Contact-Tracing Apps :

I always like to remind people in these discussions that these apps do not track contacts between people but contacts between smartphones.

It’s good to remember that not everyone has a smartphone. That couples and families sometimes share phones. That not everyone with a smartphone takes it with them everywhere they go. That smartphones aren’t always on. That batteries aren’t always charged. That phones get broken and stolen...

September 14, 2021 11:44 AM

Sut Vachz on Friday Squid Blogging: Possible Evidence of Squid Paternal Care :

@ Winter

Re: a section of the GOP wants it

Even if that were so, it would go nowhere by itself. Reviewing the actual actions of both major parties over many decades, perhaps 100 years, the most likely hypothesis is that they work in concert and any opposition is only superficial, ad captum vulgi as it used to be termed. The same thing has been true in English politics for at least as long.

September 14, 2021 9:58 AM

Winter on Friday Squid Blogging: Possible Evidence of Squid Paternal Care :

@Clive, SLF
“1, The real economic down turn.
2, The supply chain issues.”

First, in a densely populated region, e.g., USA East coast, Bay Area, NW Europe etc, where you have 50-100 M people in a small area, you can forget the prepping stuff. You will not have room to stock up a year worth of supplies for your family. And if you did, you would be unable to keep hold of it when millions of people are adrift...

September 14, 2021 9:48 AM

Who? on Friday Squid Blogging: Possible Evidence of Squid Paternal Care :

@ Anders

Thanks!

This book is like the PoC||GTFO issues. I had been reading them for years, and like them a lot. Now that NoStarch Press has released them in “dead tree” format I got the three volumes as they become available. It is nice having these issues in both PDFs (in the case of PoC “polyglot PDFs”) and physical format. I like buying good books for my library.

Stealing the Network is a valuable item for this library...

September 14, 2021 9:45 AM

onyonf88 on Friday Squid Blogging: Possible Evidence of Squid Paternal Care :

It appears I’ve been afforded a moment of peace, and so I have been hitting the books. In particular intro to applied crypto. The lesson I’m currently learning is block cipher DES. One of the questions I have that I can’t seem to find a coherent answer for on my own, (at least one that I can make any sense out of) is in regards to the key function. The key being only 56 bits rather than the full 64. I was told 8 of the bits are for “parity” but are non-relevant to my understanding of breaking down how the key function works...

September 14, 2021 7:12 AM

Clive Robinson on Friday Squid Blogging: Possible Evidence of Squid Paternal Care :

@ SpaceLifeForm,

Think about things you may need 8 months from now, and ask yourself what you would do if they are not available.

That is not a call to be the “bum wipe king” for bears in the forest 😉

But yes two probs are going to hit at about the same time in the West,

1, The real economic down turn.
2, The supply chain issues.

It will be worse in the US because of certain policies from the executive level...

September 14, 2021 2:27 AM

Mowmowfi on Friday Squid Blogging: Possible Evidence of Squid Paternal Care :

@freezen
They use atomic decay as an accurate clock?..probably not good for RNG.
Calcium has an isotope at 36MeV if you get hydrogen and accelerate at 38MeV or a CW,Marx at 38MV quick enough so..more than the decay it makes a 20 year source that emits two electrons when it decays.
Energy in energy out, an AA battery that lasts 20 years, will need a hydro dam.

September 14, 2021 1:46 AM

SpaceLifeForm on Friday Squid Blogging: Possible Evidence of Squid Paternal Care :

Ponzi, Inflation, and Bitcoin

Get in now, while you can still be a sucker.

Kidding. Use your spare cash, if any, to stock up on durable goods. It’s not looking good production and transportation wise for a year.

Think about things you may need 8 months from now, and ask yourself what you would do if they are not available. If you can find the goods, and can afford it now, you will actually be making money...

September 14, 2021 1:30 AM

Clive Robinson on Friday Squid Blogging: Possible Evidence of Squid Paternal Care :

@ MarkH,

taking as raw data measurements of either (a) the number of detections per unit of time, or (b) the time interval between detections, gives highly biased numbers

“if a TRNG applies either of these methods to the detection of radioactive decay events, then the designer didn’t adequately understand the problem s/he was trying to solve.”

What other “raw data measurements” can they take with what they would be allowed?...

September 14, 2021 12:18 AM

MarkH on Friday Squid Blogging: Possible Evidence of Squid Paternal Care :

@Clive:

For an ionizing radiation TRNG, taking as raw data measurements of either (a) the number of detections per unit of time, or (b) the time interval between detections, gives highly biased numbers … even before one takes into account that the source activity will gradually decrease.

Such highly biased data sets require extensive conditioning, even if source decay is not considered.

As I wrote on this site about 10 months ago, “if a TRNG applies either of these methods to the detection of radioactive decay events, then the designer didn’t adequately understand the problem s/he was trying to solve.”...

September 14, 2021 12:07 AM

SpaceLifeForm on Friday Squid Blogging: Possible Evidence of Squid Paternal Care :

@ FBI, ALL

An example of the shady transactions on Bitcoin.

A wallet that has only had 2 transactions ever. One received, one sent.

Note the amount. This is major money laundering.

hxtps://www.blockchain.com/btc/address/32ZHZYwYATJj8jtoFvUQ9HEz7UoWnLgG5U

September 14, 2021 12:02 AM

Clive Robinson on Friday Squid Blogging: Possible Evidence of Squid Paternal Care :

@ MarkH, Freezing_in_Brazil, ALL,

Contrary to what Clive wrote, a properly designed radioactive TRNG has extraordinarily low bias, even with respect to source decay.

The bias is a simple fact of “the laws of nature” and you can not remove it, it’s one of the reasons for using entropy pools and crypto hashes to try to make it less detectable.

It has been found that nature does not do linear, nature works by percentages. The thing about percentages is you get exponential growth or decay, and it is this that gives you the “half life” in rather more than radioisotope decay...

September 13, 2021 11:19 PM

Clive Robinson on Designing Contact-Tracing Apps :

@ SpaceLifeForm, David,

found that it’s using 512-bit keys =)

There is a distinct possibility the authorities figured, the equivalent of, “if you have sufficient hardware and knowledge” you are probably a very rare outlier. So you would be near enough a “compleate nerd”, so have no “real life” in which to get infected in the first place… (remember SARS-2 is like nearly all pathogens a “social disease”)...

September 13, 2021 10:37 PM

Clive Robinson on Friday Squid Blogging: Possible Evidence of Squid Paternal Care :

@ SpaceLifeForm, ALL,

Researchers named the vulnerability Azurescape – The first cross-account container takeover in the public cloud.

Not really…

Look at it this way,

Somebody walking in a field “trips, falls over, hits the ground, and breaks their neck”… So sad.

Years go by the field gets a road built on it, somebody walking down it one day “trips, falls over, hits the ground, and breaks their neck”...

September 13, 2021 8:56 PM

David on Designing Contact-Tracing Apps :

“found that it’s using 512-bit keys =)”
Not hard to forge, but in Vietnam getting caught forging a government certificate could have a harsh penalty
