Recent Comments



August 11, 2022 1:24 AM

Winter on Friday Squid Blogging: New Squid Species :

@lurker

is that you don’t need 3nm. tech for locomotive power controllers, nor for 99 satellite TV sitcom

But you do need it for AI, and China’s ambition is to be world leader in AI and automated mass surveillance. For that goal, China needs the highest performance and most efficient chips.

August 10, 2022 11:39 PM

Clive Robinson on Friday Squid Blogging: New Squid Species :

@ JonKnowsNothing,

Re : Life’s Journey.

Much of what I was afraid of with SARS2 has bit by bit come true.

I take no pleasure in this as my predictions were all in effect detrimental to the human stock.

The galling thing is it need not have happened at all. It was two world leaders in particular that fiddled whilst the flames got started.

The UK was and still is as far as SARS2 is concerned “The dirty man of Europe” for which we can thank the blond blow dry idiot and his drink addled cronies. Who it turns out have lied more to the world than the Chinese are alleged to have done...

August 10, 2022 11:03 PM

lurker on Friday Squid Blogging: New Squid Species :

@Clive Robinson et al.
“The important point about China and its $50billion investment, …”

is that you don’t need 3nm. tech for locomotive power controllers, nor for 99 satellite TV sitcom channels, nor for twinkly light sneakers for kiddies.

August 10, 2022 9:08 PM

Clive Robinson on Friday Squid Blogging: New Squid Species :

@ Winter, SpaceLifeForm,

Re : Getting Chips Tech.

“Just throwing money at the problem won’t do it. The Chinese Big $50B Fund for development of the chip industry just went down in flames in a big fraud investigation.”

Throwing money at a problem has to be done even though it appears to show no returns…

Like “New Product Development” in Marketing, R&D in the tech sector has a 9 in 10 failure rate, and that is expected to rise...

August 10, 2022 8:10 PM

Clive Robinson on NIST’s Post-Quantum Cryptography Standards :

@ Emoya, ALL,

Re : Have to be connected.

“Unless the current path of “progress” is significantly altered, I fear that non-participation will quickly become an impossibility, as has already occurred in many cases.”

“Progress” simply means to move in a chosen direction, so actually means little.

The two main things that actually mean something are,

1, The destination
2, The journey to it.

My personal view is I don’t want to go to the destination (total loss of privacy for the majority[1]). Or ride that journey (Politicians spouting at best far distant corner cases as “bogeymen around every corner and in every child’s bedroom”[5])...

August 10, 2022 10:45 AM

Emoya on NIST’s Post-Quantum Cryptography Standards :

@Clive, All

Unless the current path of “progress” is significantly altered, I fear that non-participation will quickly become an impossibility, as has already occurred in many cases.

For example, I would prefer not to carry any cellular device, much less a smartphone. For years I resisted the societal push to carry any form of mobile device to preserve privacy and personal boundaries but was eventually required to tote a pager during the era of flip phones, then a cell phone, and now a smartphone. Unfortunately, this has become a requirement for me, and the vast majority of others, to be professionally effective...

August 10, 2022 10:41 AM

Security Sam on Drone Deliveries into Prisons :

@Jon

That is not very far from the truth
I would at present boldly exclaim
As justice can be rather uncouth
And quite often the innocent blame.

August 10, 2022 8:40 AM

Clive Robinson on NIST’s Post-Quantum Cryptography Standards :

@ lurker, SpaceLifeForm, ALL,

“Why should I trust SGX anymore than I trust Posix permissions?”

You should not trust either, because ultimately they will both fail you as will all technology you do not directly control to the exclusion of all others.

Simple rule is if control/operation is shared then any such system is at best split trust thus by definition not trustworthy.

But as you note,

“I’m not the target demographic”...

August 10, 2022 8:36 AM

MrC on NIST’s Post-Quantum Cryptography Standards :

My takeaway from the surprise “demolition” of so many late-round candidates is these relatively young one-way problems simply haven’t been studied enough that we can have confidence in them. Accordingly, the safest bets are probably McEliece for asymmetric encryption (which has been around since the 70s, although receiving less attention than RSA, DH, and ECC), and the hash-based signature stuff (which is secure if the underlying hash function is). Also, it’s probably wise to chain McEliece with RSA, despite the awful bandwidth and runtime costs of that pairing...

August 10, 2022 7:49 AM

SpaceLifeForm on NIST’s Post-Quantum Cryptography Standards :

@ anon

re: influence and insiders

I would not approach your point, while valid, as a mutually exclusive proposition. Maybe the NIST PQC process is taking so long because NIST does not want to become a scapegoat again.

August 10, 2022 7:26 AM

Winter on Friday Squid Blogging: New Squid Species :

@SpaceLifeForm

Note the Supply Chain bottlenecks. The biggest one being actual lithography equipment, stretched out nearly 2 years.

When you scan the list, there are many cross-dependencies. For instance, the ASML lithography equipment relies too on Zeiss and many of the usual suspects from the list. Trying to rebuild all that in a single country is stupid. E.g., TSMC, Zeiss, ASML etc. are market leaders for a reason, and it took them a lot of time to get there...

August 10, 2022 7:04 AM

SpaceLifeForm on Friday Squid Blogging: New Squid Species :

@ vas pup, ALL

re: CHIPS

Note the Supply Chain bottlenecks. The biggest one being actual lithography equipment, stretched out nearly 2 years.

‘https://nitter.net/adam_tooze/status/1556241241490132994#m

Just the image. Probably quicker to view. Setting up new fab is slow.

‘https://nitter.net/pic/orig/media%2FFZivAKwWQAEYke6.jpg

August 10, 2022 7:03 AM

anon on NIST’s Post-Quantum Cryptography Standards :

I think too much emphasis is being placed on the NSA’s influence on NIST because I think it’s likely that ‘former’ NSA employees who now work in the industry are an equally credible threat due to actually still being on the NSA payroll.

August 10, 2022 6:31 AM

SpaceLifeForm on NIST’s Post-Quantum Cryptography Standards :

@ ALL

Silicon Turtles

A different species named SQUIP

Note: this is on AMD and mitigated by disabling SMT which you should have done already because of Spectre and Meltdown.

See this link about the confusion regarding SMT if you are unfamiliar.

‘https://utcc.utoronto.ca/~cks/space/blog/tech/SMTSecurityUncertainty?showcomments

My Bold added:

‘https://www.theregister.com/2022/08/09/intel_sunny_cove/...

August 10, 2022 6:23 AM

Jon on Drone Deliveries into Prisons :

@ Security Sam

And so these sons of hardy soil
Through farming out every seed
Have the results of their toil
The evidence that they need.

“The case is hard and clad and shut”
They cry, in delighted glee,
Until the word comes in as “But…”
From that which are the powers that be.

“The one you’ve got is a decent old gent”
States the governor’s aide-de-camp.
“This is a man who’s long paid my rent,
Throw the blame onto some other tramp.”...

August 10, 2022 3:43 AM

Winter on Signal Adds Cryptocurrency Support :

@Rowan

Now that the cryptocurrency is worthless I wonder how long it will be until they remove it in embarrassment.

$23k is not yet penny stocks, I think. This was also the price of Bitcoin in December 2020, so we are not even two years back yet. There is still some way to go to reach the $1k of March 2017.

With all the sanctions, there will still be some demand. I just heard that Iran is using Bitcoin to order $10M worth of stuff [1]. Russia seems to mull its use for international payments too [2], although it recently has made paying stuff inside Russia itself using cryptocurrencies illegal [3]...

August 10, 2022 3:10 AM

Rowan on Signal Adds Cryptocurrency Support :

Now that the cryptocurrency is worthless I wonder how long it will be until they remove it in embarrassment.

August 9, 2022 7:49 PM

lurker on NIST’s Post-Quantum Cryptography Standards :

@SpaceLifeForm

Æpic Fail. Why should I trust SGX anymore than I trust Posix permissions? Again I’m not the target demographic, because I don’t mind waiting to read my key from disk each time. Yeah, sure, disk drivers, firmware, mumble, mumble …

August 9, 2022 4:47 PM

Clive Robinson on NIST’s Post-Quantum Cryptography Standards :

@ David in Toronto,

“Why anyone does this to their kids befuddles me.”

Remember in many cultures “tradition” includes mutilation of the body in various ways…

I won’t go into details because well the comment would be yanked.

But let’s say tradition ranges from tattoos, through filing of canine teeth upwards to things you probably could not or would not wish to imagine…

That is the strength of wanting to be part of a tribe…...

August 9, 2022 4:40 PM

vas pup on Friday Squid Blogging: New Squid Species :

Biden signs off on semiconductor bill in challenge to China
https://www.dw.com/en/us-biden-signs-off-on-semiconductor-bill-in-challenge-to-china/a-62761790

“The future of microchip production will be “made in America,” said US President Joe Biden while presenting the $280 billion Chips and Science Act.

The US will invest around $52.7 billion (€51.6 billion) in microchip production under the $280 billion Chips and Science Act. The bipartisan measure is aimed to ensure the US can keep pace with China as the two countries vie for dominance in the high-tech sector...

August 9, 2022 4:34 PM

Clive Robinson on NIST’s Post-Quantum Cryptography Standards :

@ Ray Dillinger,

Re Unicity distance.

Shannon’s “all messages equally probable” definition by inference gives the useful first party “deniability”.

I’m going to have to think about it but I’m not sure Friedman’s definition does.

(if you hear a strange whirring noise “off stage left” that will be the cogwheels spinning up in this mini heat wave we are having in London 😉)

...

August 9, 2022 4:16 PM

Clive Robinson on NIST’s Post-Quantum Cryptography Standards :

@ SpaceLifeForm,

Re : Silicon Turtles,

Before even looking at the article my first thought was a new variant on,

“The Xmas gift that keeps giving”

Along with,

“Their track record says they won’t fix, or they’ll make it worse.”

But imagine my shock on reading it…

A simple memory read is all that is required…

In essence the problem is as easy to understand as not clearing a buffer created by malloc() before you call free()…...

August 9, 2022 4:13 PM

David in Toronto on NIST’s Post-Quantum Cryptography Standards :

@SpaceLifeForm

Presumably you need to be on the box to exploit this. It is not something you will be exploiting from just beyond the network perimeter. The distinction is necessary for proper risk assessment.

If you’re really concerned you’ll be using something like an HSM and not doing your crypto on the box.

Mind you if I can get on your box, does it really matter? I can likely see the plain text anyway!...

August 9, 2022 2:13 PM

SpaceLifeForm on NIST’s Post-Quantum Cryptography Standards :

@ ALL

Silicon Turtles

It likely does not matter what NIST concludes.

‘https://arstechnica.com/information-technology/2022/08/architectural-bug-in-some-intel-cpus-is-more-bad-news-for-sgx-users/

The researchers’ proof-of-concept exploit, available here, is able to obtain a 128-bit AES decryption key on average in 1.35 seconds, with a success rate of 94 percent. The exploit can extract a 1024-bit RSA key on average in 81 seconds with a success rate of 74 percent. ...

August 9, 2022 12:37 PM

Security Sam on Drone Deliveries into Prisons :

@Clive

Spread spectrum now comes to mind
Where the trusted and dexterous staff
Knows there’s something there to find
By separating the wheat from the chaff.

August 9, 2022 12:09 PM

Ray Dillinger on NIST’s Post-Quantum Cryptography Standards :

One of the things I researched for a college class long ago was the feasibility of extending block algorithms to reach unicity distance equal to message size.

Before going further I should clarify a point; I was using Friedman’s definition of Unicity distance (the number of different messages that something could be decrypted to is 2 to the power of the sum of key size and the number of message bits unknown) rather than Shannon’s (all ciphertexts of a given length are equiprobable). The difference is that Shannon’s Unicity can be the same as the message size only if the key is also equal to the message size whereas Friedman’s is defined for a general key size...

August 9, 2022 11:52 AM

Some guy named Dave on Ring Gives Videos to Police without a Warrant or User Consent :

“Ring could build a device, sold straight to residents, that ensures police come to the user’s door if they are interested in footage”

What does this even mean? Part of the value add of Ring for the average consumer is that recordings are stored in the cloud and not on the devices, so how is this magic device in the home doing anything?

August 9, 2022 10:31 AM

David in Toronto on NIST’s Post-Quantum Cryptography Standards :

@clive English and Scottish nicknames can get very confusing even for other English speakers. There was a “Knobby” Clarke at Bletchley and a namesake in “The Ministry of Ungentlemanly Warfare”. Apparently a common Clarke nickname. Imagine my surprise after thinking this clever guy really got around. Even in Canada we see it sometimes but rarely. I know a family of “Swotty’s”. Why anyone does this to their kids befuddles me...

August 9, 2022 10:07 AM

Clive Robinson on NIST’s Post-Quantum Cryptography Standards :

@ ALL,

For those that do not know, Ian Cassels was actually John William Scott Cassels. With his father being John William Cassels. Back in the period between the two world wars it was common for this to happen especially in Scottish families[1] and it was likewise common for the child to have a sort of short nick name[2].

Any way his connection to cryptography was a bit more than doing new things at Bletchley Park. He also did early work on elliptic curves that later gave us a new form of asymmetric cryptography...

August 9, 2022 8:33 AM

fib on NIST’s Post-Quantum Cryptography Standards :

@ All

Re “cryptography is a mixture of mathematics and muddle”

Muddle is obfuscation by another name, right? But I’ve been told that obfuscation is not the best of practices – and ineffective anyway.

I admit that I’m always looking for ways to add some obfuscation whenever possible – it gives me a heightened sense of security. So have I been doing the right thing all along?

...

August 9, 2022 8:28 AM

Clive Robinson on Friday Squid Blogging: New Squid Species :

@ ALL,

Community Internetless Wireless MESH networking

From HOPE 2022. Shows you how you can set up a community network using easily available parts, that does not need the Internet or Commercial Service Providers. And can go “global” via other radio links that are likewise non commercial so you don’t get to feel the corporate control.

The Talk actually starts at 3mins in

https://m.youtube.com/watch?v=o5g23fGQR-M...

August 9, 2022 8:14 AM

Clive Robinson on Friday Squid Blogging: New Squid Species :

@ SpaceLifeForm, pen-testers, ALL,

You might find,

‘https://m.youtube.com/watch?v=MTldbQt6Zbs

Interesting, it’s about using SDR to develop your own Spectrum Management OSInt.

It was put up today, but is a talk from 2017… So it’s a little out of date in some respects.

August 9, 2022 7:48 AM

Clive Robinson on NIST’s Post-Quantum Cryptography Standards :

@ SpaceLifeForm, ALL,

Re: NSA does not want PQ-Hybrid

It’s rather more than “hedging bets” to think about.

We know there are as far as “Quantum Computing”(QC) only some types of crypto that will be,

1, Fully vulnerable
2, Semi vulnerable
3, Not vulnerable.

Those based on current “Trapdoored Oneway Function”(T-OWF) using a Trapdoor based on the mathematics of factoring or logarithms, are fully vulnerable...

August 9, 2022 5:11 AM

Clive Robinson on NIST’s Post-Quantum Cryptography Standards :

@ Denton Scratch,

Re : Muddle is actually Confusion.

“I take it that “muddle” is code for reversible scrambling schemes, such as S-boxes.”

It’s a lot more than that. Claude Shannon called it “confusion” and it’s to do with the statistics of the message and something called “unicity distance” and it digs deep into the foundations of information theory.

A system with “perfect secrecy” has a unicity distance as large as the message, no matter how long...

August 9, 2022 4:32 AM

Clive Robinson on NIST’s Post-Quantum Cryptography Standards :

@ Sprewell, ALL,

Re : You can’t stop development.

Refers not to the “end result” –which may or may not be obtainable– but to the “process” of finding out.

The “leading edge” of research is often less than humorously called the “bleeding edge” in reference to its rapidly increasing cost still showing no results. In fact something like 9/10ths of all research goes nowhere on average. However the amount of money people will risk on research depends very much on,...

August 9, 2022 3:14 AM

Clive Robinson on Surveillance of Your Car :

@ battles, ALL,

Re : Cutting Comms

“I am going to disconnect or short the antenna.”

Sorry I’m going to be the “Debbie Downer” on this idea…

Firstly you have to find the antenna.

To do that, you have to know what it looks like… And that is a hard task these days

Because, any conductor can be an antenna, and its flip side is any slot, gap or hole in a conductor can also be an antenna due to that annoying fundamental of physics “symmetry”. Even plastics because they are “dielectrics” can “lens” electromagnetic radiation, and grids of wires can do similar...

August 9, 2022 2:49 AM

Clive Robinson on NIST’s Post-Quantum Cryptography Standards :

@ BCS, Quantry, SpaceLifeForm, ALL,

Re : Hybrids

“Has anyone tried to hedge bets on the math side of things by building a candidate on multiple “unrelated” hard problems?”

The problem with these One Way Function (OWF) “hard problems” is that even in the easy direction they consume quite a few resources as do their “Trapdoors”.

Thus the NIST competition rules emphasizing both speed and efficiency tend to preclude any hybrids (and this is very probably via the NSA influence)...

August 9, 2022 12:35 AM

Winter on Friday Squid Blogging: New Squid Species :

@JonKnowsNothing

So are the numbers UP or DOWN?

That is immaterial at the moment. SARS2 is not going away any time soon, or ever. We still have 4 different corona variants going around as common cold viruses from zoonotic events from more than a century ago.[1]

So history tells us that it is pretty unlikely that SARS2 will disappear. More likely is that it will evolve over time to some fifth common cold or flu like virus. Until then, we will have to treat it like we treat the flu...

August 8, 2022 11:15 PM

JonKnowsNothing on Friday Squid Blogging: New Squid Species :

@SpaceLIfeForm @Clive, ALL

re: Stealthy Covid rate of non-decline

There isn’t any reason at all to expect a decline in cases. BA5 is significantly more transmissible than BA4; BA4 was more transmissible than previous variants.

Some countries are touting that their “COVID peaks are declining”, which is true enough, but the numbers as reported, are not exactly encouraging.

In one country: the numbers declined 500,000 in one week to 2,500,000 cases. The previous week it was 3,000,000 cases...

August 8, 2022 6:36 PM

SpaceLifeForm on Friday Squid Blogging: New Squid Species :

@ ALL

When a braindead AI chatbot reveals UI

‘https://www.vice.com/en/article/qjkkgm/facebooks-ai-chatbot-since-deleting-facebook-my-life-has-been-much-better

August 8, 2022 3:08 PM

BCS on NIST’s Post-Quantum Cryptography Standards :

Has anyone tried to hedge bets on the math side of things by building a candidate on multiple “unrelated” hard problems?

Or has anyone explicitly built a candidate so that breaking it would require advancements that would be useful outside cryptography? (Sure they broke my candidate, but they also solved this hard problem so I can now build a better navigation app!)

August 8, 2022 2:30 PM

SpaceLIfeForm on Friday Squid Blogging: New Squid Species :

@ JonKnowsNothing, Clive, ALL

re: Stealthy Covid

Yes, the case rate did not decline as much as I expected for Northern Hemisphere Summer.

Two thoughts as to why. One is that the excessive heat is keeping more people indoors with little fresh air ventilation. The other is that many are still flying around on planes.

Check this out. My bold.

‘https://arstechnica.com/science/2022/08/58-of-human-infectious-diseases-can-be-worsened-by-climate-change/...

August 8, 2022 2:00 PM

SpaceLifeForm on Friday Squid Blogging: New Squid Species :

@ ALL

Cryptocurrency money laundering

It is being followed.

‘https://cryptobriefing.com/us-treasury-sanctions-ethereum-mixing-tool-tornado-cash/

August 8, 2022 1:42 PM

Winter on Drone Deliveries into Prisons :

@lurker

Follow the money: are the telcos providing this as patriotic contribution to the war effort?

More or less, Yes.

‘https://9to5mac.com/2022/03/16/ukraine-mobile-carriers-work-together/

Once-rival telecom companies are coming together to help keep lines open. Last week, Kyivstar, Vodafone Ukraine and Lifecell launched “national roaming,” meaning subscribers could quickly switch to the network of other operators if their main provider went down. ...

August 8, 2022 1:03 PM

SpaceLifeForm on NIST’s Post-Quantum Cryptography Standards :

@ Quantry

NSA Doesn’t like Hybrid

That stance may tell you something.

This is from 2021-09-02.

Note: There are pics of slides that will be difficult to read on a phone.

‘https://nitter.net/mjos_crypto/status/1433443198534361101

August 8, 2022 12:56 PM

battles on Surveillance of Your Car :

If I get a newer car, I am going to disconnect or short the antenna.

August 8, 2022 12:53 PM

lurker on Drone Deliveries into Prisons :

@Winter

It is remarkable how much the militaries in Ukraine keep using cell phones

Follow the money: are the telcos providing this as patriotic contribution to the war effort?

Or IOW the militaries are availing themselves of a service provided and maintained by somebody else, and paying only a fraction of what it would cost for a full milspec system.

August 8, 2022 12:42 PM

Clive Robinson on NIST’s Post-Quantum Cryptography Standards :

@ Bruce, Ray Dillinger, ALL,

“The moral is the need for cryptographic agility. It’s not enough to implement a single standard; it’s vital that our systems be able to easily swap in new algorithms when required. “

As I’ve been saying for most of this Century NIST needs to come up with a “framework standard” in which not just cryptographic algorithms but the modes algorithms they are used in, can quickly and easily be changed. And it needs to be built in to all crypto implementations especially on those “unseen” and “embedded” devices that have 25-50year or more expected life times like medical, industrial and infrastructure electronics...

August 8, 2022 12:12 PM

Quantry on NIST’s Post-Quantum Cryptography Standards :

@ Al Sneed, @ TimH Re: DJB Lawsuit: That’s quite a rigorous indictment.

Definitely seems to contradict

“It’s a good process, mostly because NIST is both trusted and trustworthy.”

I’ve been favoring the likes of France’s “HYBRID” PQC Transition (‘https://www.ssi.gouv.fr/en/publication/anssi-views-on-the-post-quantum-cryptography-transition/) mentioned in the indictment:

A hybrid mechanism (key establishment or signature) combines the computations of a recognized pre-quantum public key algorithm and an additional algorithm conjectured post-quantum secure. This makes the mechanism benefit both from the strong assurance on the resistance of the first algorithm against classical attackers and from the conjectured resistance of the second algorithm against quantum attackers…...

August 8, 2022 10:04 AM

Ray Dillinger on NIST’s Post-Quantum Cryptography Standards :

A thing I neglected to mention above is that the industry’s experience of ‘algorithm agility’ so far has been nothing short of nightmarish for security. Typically we’ve seen security reduced to the LEAST secure of the available algorithms in cipher negotiation. Before the break is generally known this is a zero-day attack; after the break is known it’s first a ‘deprecated’ cipher that remains in use for a decade and then a downgrade attack that remains in use for another decade...

August 8, 2022 9:57 AM

Ray Dillinger on NIST’s Post-Quantum Cryptography Standards :

It bugs me that NIST is picking a winner when the initial results are demonstrating first that losers are so prevalent and second that it can take this long to show that they are losers.

Just as a statistical matter, we shouldn’t be assuming that we have come up with something secure until we have at least a couple of years during which most of the accepted proposals are apparently secure, and a couple more years when breaks among the remaining pool of candidates have stopped being found. In my estimation finding a break in a remaining candidate five years after the contest started should have postponed any possibility of announcing a winner until the remaining candidates withstand attacks and analysis for at least another five years...

August 8, 2022 9:53 AM

Denton Scratch on NIST’s Post-Quantum Cryptography Standards :

We have too much math and an inability to add more muddle

I take it that “muddle” is code for reversible scrambling schemes, such as S-boxes.

I, a layman, don’t have standing to question the Great Bruce. But don’t these scrambling operations amount to obfuscation? Doesn’t the security of a scheme depend entirely on the maths? Like, isn’t the “muddle” just something that slows down (maybe a lot) the cryptanalytic maths?...

August 8, 2022 9:13 AM

Anton on NIST’s Post-Quantum Cryptography Standards :

I’m a bit confused about the difference between “general encryption” and “public-key encryption”? Does “general encryption” imply a hybrid scheme with a PQ key-exchange algorithm plus a regular symmetric encryption scheme, or is it the other way around?

August 8, 2022 8:26 AM

Carl Mitchell on NIST’s Post-Quantum Cryptography Standards :

@Mathieu, The combination of a Key Encapsulation Mechanism or Key Exchange Mechanism with an Authenticated Encryption mechanism is commonly called “Asymmetric Encryption”. There aren’t any asymmetric schemes that can directly encrypt large ciphertexts in an efficient manner, so some form of hybrid system is used instead. TLS does this, ECIES does this, age does this, PGP does this, etc.

...

August 8, 2022 8:21 AM

Carl Mitchell on NIST’s Post-Quantum Cryptography Standards :

Cryptographic agility is important for safety when deploying untested new algorithms, but it’s also a liability because it often allows downgrade attacks and creates confusion among users (see TLS cipher suites). Within a single protocol version there should be no agility, only across versions. That makes it far harder to attack, though it’s a higher-level concern than what NIST is standardizing...

August 8, 2022 7:50 AM

Winter on Drone Deliveries into Prisons :

@Clive

Also there is the information “Bandwidth Energy” issue.

The link I quoted above wrote:

Prototype system demonstrators are reported, capable of supporting up to 128 beams carrying up to 112 Gbit s−1 per beam.

Sounds reasonable to me for using Infra Red beams.

August 8, 2022 7:45 AM

Mathieu on NIST’s Post-Quantum Cryptography Standards :

I often see discussion about Symmetric and Asymmetric encryption and Digital Signature, but why isn’t there much discussion about Key Exchange (distributed key generation with PFS, à la Diffie-Hellman).

If we have Key Exchange, Symmetric encryption and Digital Signature, the use for Asymmetric encryption is greatly reduced.

Is that a problem that’s “already solved” (in the sense that we already have quantum resistant key exchange algorithms)?...

August 8, 2022 6:59 AM

Clive Robinson on Drone Deliveries into Prisons :

@ Winter, ALL,

… the same people who want to deploy such drones will also find ways around this.

To misquote a SciFi character,

“Yer canny defie the laws of science Capt’n”

To communicate in our physical universe “information” has to be imprinted / modulated on matter or energy.

If it’s energy in the form of photons then we know two things about them,

1, They move at the speed of light.
2, They only change direction when acted upon by a force...

August 8, 2022 2:05 AM

Winter on Drone Deliveries into Prisons :

@Clive

That “line of sight” makes a very significant difference, and for troops on the ground a couple of drones they can neither see nor hear can fix their location dead within seconds the moment one of them presses that “Push To Talk”(PTT) button…

This is an arms race. So, the same people who want to deploy such drones will also find ways around this. Just throwing stuff at the wall:...

August 7, 2022 9:48 PM

sooth_sayer on Microsoft Zero-Days Sold and then Used :

Need to be stopped — dah!
However MSFT is busy updating windows machines EVERY MONTH — they have no time to fix the crappy code they are pushing.
There is no rigour left to software these days — it’s crapware that MSFT has decided not to improve and just use the whole installed base of users as guinea pigs.

I think MSFT will lose the OS market to maybe Apple — it will be a shame but they don’t care about their software at all now...

August 7, 2022 7:28 PM

Clive Robinson on Drone Deliveries into Prisons :

@ ALL,

Re : Drone drops and observation.

As I noted above,

“The current conflict at the far eastern edge of Europe is pushing the drone boundaries / capabilities forwards dramatically (all modern wars cause technology pushes).”

Thus two questions arise,

1, What capabilities now and in the near future.
2, How to negate the benefits it gives to others.

The following two videos, are various things considered useful viewing,...

August 7, 2022 3:31 PM

vas pup on Friday Squid Blogging: New Squid Species :

Israel’s Innoviz secures $4b deal to supply Volkswagen with LiDAR sensors
https://www.timesofisrael.com/israels-innoviz-secures-4b-deal-to-supply-volkswagen-with-lidar-sensors/

“Israel’s Innoviz Technologies, a maker of sensors for self-driving cars, has landed a contract to supply sensors and perception software to Volkswagen in a deal worth about $4 billion, the company said Tuesday.

Under the deal, Innoviz will provide LiDAR technology and software to VW’s autonomous vehicles unit called CARIAD starting in 2025. Innoviz expects to supply between 5-8 million LiDAR units across multiple brands within the Volkswagen Group over an eight-year period, according to CNBC...

August 7, 2022 11:26 AM

Clive Robinson on Friday Squid Blogging: New Squid Species :

@ JonKnowsNothing, SpaceLifeForm, ALL,

Re : SARS2 mutations

… the rate is much faster than originally expected.

The rate depends on three primary things,

1.0, Host availability.
2.0, Virus Infectiousness.
3.0, If host has other diseases.

The first (1.0) is dependent on,

1.1, Host immunity
1.2, Host density
1.3, Host movement.

Thus you would expect the first viral run through a high density city with significant population movement to make many hosts available and spread to be rapid. Thus the ability to mutate being similarly high...

August 7, 2022 10:17 AM

JonKnowsNothing on Friday Squid Blogging: New Squid Species :

@Clive, @SpaceLifeForm, All

re: BA.4.6 Mutation S:R346T Growth Advantage

The SARS-CoV-2 mutations are keeping right on track with so many mutations that naming conventions have had to put a brake on which mutations get named and which ones don’t. There are a number of agencies that assign names and each has their own criteria. WHO hasn’t issued a new Greek letter since Omicron but we have many sub-lineages and mutations and recombinants all hanging out under the Omicron banner...

August 7, 2022 7:54 AM

Clive Robinson on Friday Squid Blogging: New Squid Species :

@ ALL,

I’m surprised to note that yesterday passed without historic note…

On 6th Aug 1991 31 years ago the first official “HTTP” site was unveiled…

Since which Internet Security for the individual citizen tripped into “the danger zone”. As first crooks then Governments started to steal and accumulate personal information for their benefit and most others’ loss.

So when you are slicing that center piece of Sunday lunch have a thought about just who knows what you are doing…...

August 7, 2022 3:15 AM

Clive Robinson on SIKE Broken :

@ TimH, SpaceLifeForm,

Re : Pachyderm Squatters

I’m still wondering when “Robbins pentagons”[1] will be looked at as a candidate one way function 😉

[1] Named after mathematician David P. Robbins back in 2008, in the paper “Cyclic polygons with rational sides and area” authored by Ralph H. Buchholz and James A. MacDougall.

https://en.m.wikipedia.org/wiki/Robbins_pentagon

Robbins Pentagons have some interesting properties of which one springs out from the paper’s title, which is that every Robbins Pentagon is scaled from a base where its area and side lengths are all integers, less obvious is that there are also an infinite number of the bases. When you consider Crypto is after all being about integers and the mappings between them. Further consider that a circle of radius and center can be described by any three points (including the degenerate circle of zero area you might call a straight line). As some know the circle is a basic example of a secret sharing system that can be used for a key exchange system...

August 6, 2022 7:36 PM

TimH on SIKE Broken :

@David Leppik

Again, the issue here per young Clive, “The research paper published over the weekend shows how SIDH is vulnerable to a theorem known as “glue-and-split” developed by mathematician Ernst Kani in 1997, as well as tools devised by fellow mathematicians Everett W. Howe, Franck Leprévost, and Bjorn Poonen in 2000. The new technique builds on what’s known as the “GPST adaptive attack,” described in a 2016 paper.”...

August 6, 2022 6:16 PM

SpaceLifeForm on Friday Squid Blogging: New Squid Species :

@ Leon Theremin

Token Ring over optic fibre seems more secure when it comes to nanonetworking.

It would not be Broadcast, and likely saves energy.

The trick is the splicing interfaces.

August 6, 2022 5:46 PM

Clive Robinson on Friday Squid Blogging: New Squid Species :

@ SpaceLifeForm, ALL,

Re: Twitter Behaviour

“I do not believe anything that Twitter says.”

You’d be quite wise not to as William Shakespeare had one of his characters observe,

“There is something rotten in the State of Denmark.”

“There is good reason to understand why @ElonMusk filed something under seal.”

Even the Twitter board effectively admit they’ve “done wrong” by their filings. The question is when will either the SEC step up to the mark (effectively admitting they and Twitter Share Holders have been hoodwinked by the board’s probably fraudulent claims)...

August 6, 2022 4:55 PM

Clive Robinson on Friday Squid Blogging: New Squid Species :

@ pup vas, ALL,

Re : China & Taiwan

The former president of the UN Security Council comment you quoted of,

“Chinese are much more interested in business than in ideologies. For the decision-makers in Beijing, the risks clearly outweigh the opportunities”

Is I would say a reasonable assessment until fairly recently.

As I noted the other day China has a food supply issue. Specifically protein from fowl and swine is in significant shortage due to various diseases. Thus China has an increasing need of foreign currency to buy in replacement...

August 6, 2022 4:47 PM

SpaceLifeForm on Friday Squid Blogging: New Squid Species :

@ ALL

re: Twitter Leak

I do not believe anything that Twitter says. There is good reason to understand why @ElonMusk filed something under seal.
I suspect that Twitter may have been caught on the ‘bug’, and they say they fixed it in January, but probably did not deploy until 2022-07-14.

Sorry, but lots of dots. I have a theory.

2016-06-09

‘https://www.socialmediatoday.com/social-networks/login-details-32-million-twitter-accounts-leaked-online-time-update-your-password...

August 6, 2022 4:05 PM

pup vas on Friday Squid Blogging: New Squid Species :

Wireless activation of targeted brain circuits in less than one second
https://www.sciencedaily.com/releases/2022/07/220714165806.htm

=A research team led by Rice University neuroengineers has created wireless technology to remotely activate specific brain circuits in fruit flies in under one second.

Robinson said the ability to activate genetically targeted cells at precise times could be a powerful tool for studying the brain, treating disease and >>>developing direct brain-machine communication technology...

August 6, 2022 3:55 PM

pup vas on Friday Squid Blogging: New Squid Species :

Advancing dynamic brain imaging with AI
https://www.sciencedaily.com/releases/2022/08/220801133143.htm

=MRI, electroencephalography (EEG) and magnetoencephalography have long served as the tools to study brain activity, but new research from Carnegie Mellon University introduces a novel, AI-based dynamic brain imaging technology which could map out rapidly changing electrical activity in the brain with high speed, high resolution, and low cost. The advancement comes on the heels of more than thirty years of research that Bin He has undertaken, focused on ways to improve non-invasive dynamic brain imaging technology...

August 6, 2022 2:26 PM

David Leppik on SIKE Broken :

There seems to be a lot of talk about how impenetrable the math is for SIKE. That probably contributed to it getting so far before being thwarted so thoroughly.

One advantage of RSA and other classic algorithms is that they require little more than high school math. Using well-understood math reduces the places a flaw can hide, plus it also reduces the barriers to entry for budding cryptoanalysts. Looking at the lattice-based approaches, they aren’t exactly easy, but they appear approachable to anyone with a math major. It’s basically polynomial equations using integer constants. These are among the NIST finalists that are still in the running...

August 6, 2022 1:48 PM

Clive Robinson on Friday Squid Blogging: New Squid Species :

@ ALL,

Re : Crusties and JavaScript

I suspect someone will take exception to my comments about those writing JavaScript as not being “full stack” or even having an understanding of what the actual “Computing stack” covers.

Well for those that might take exception you might not know who Douglas Crockford is but at the turn of the last century he came up with what nearly all software developers have heard of JSON...

August 6, 2022 1:43 PM

SpaceLifeForm on Friday Squid Blogging: New Squid Species :

@ ALL

re: Twitter Leak

Correction. According to Twitter, it was only leaking for 6 to 7 months.

It took them another 6 to 7 months to report it. So between January of this year and now, they just kept it secret.

Why would this blunder be introduced into working code? It was likely intentional.

It really smells.

August 6, 2022 1:23 PM

SpaceLifeForm on Friday Squid Blogging: New Squid Species :

@ ALL

Twitter Leak

This is a serious blunder. The SPIN is strong.

This is why attackers want phone numbers and email addresses.

Twitter was leaking information for over a year.

I am shaking my head so much I may need to see a chiropractor.

‘https://privacy.twitter.com/en/blog/2022/an-issue-affecting-some-anonymous-accounts

We want to let you know about a vulnerability that allowed someone to enter a phone number or email address into the log-in flow in the attempt to learn if that information was tied to an existing Twitter account, and if so, which specific account. We take our responsibility to protect your privacy very seriously and it is unfortunate that this happened...

August 6, 2022 12:14 PM

Clive Robinson on Friday Squid Blogging: New Squid Species :

@ ALL,

Re : The crusties -v- Young folk.

There is a war of sorts going on in the ICT industry which can be very very partisan at times. It actually should scare those doing “real world security” of “Industrial Control Systems”(ICS) and building systems around IoT Devices and the like. Just remember your kitchen is starting to become an IoT system, and your Home Entertainment system is probably already bowing down to other masters, as have all your Smart Devices...

August 6, 2022 8:58 AM

Frankly on Friday Squid Blogging: New Squid Species :

In the News: Amazon purchases iRobot, giving it a vast data trove mapping the interior of people’s homes, to add to their data on prescription drugs, buying-eating-reading habits, etc. They also have a flying drone for interior home security.

Where does all this lead? One warrant and all that data is available to law enforcement and (potentially overzealous) prosecutors. Abuse of power can easily take the form of abuse of data. Will Congress set limits on data use and abuse? Not if there are serious security issues nationwide...

August 6, 2022 6:32 AM

Clive Robinson on Friday Squid Blogging: New Squid Species :

@ SpaceLifeForm, Not really anonymous, ALL,

Re : NIST – NSA and US DOC

NIST “is required” to consult the NSA, not be their front/puppet.

Going back to the AES competition like others I had my suspicions and have said as much.

It started earlier over DES and what was said about IBM pre DES work (Don Coppersmith and a couple of others from the IBM DES team comments over the years did not quite hang together with other info)...

August 6, 2022 3:28 AM

SpaceLifeForm on Friday Squid Blogging: New Squid Species :

@ Not really anonymous, Clive, ALL

This is the main complaint, which can bring you up to speed on the more recent events surrounding the Chasing of the PCQ Ghost. Most of the stuff of interest is on pages 3-5 of the 7 pages.

‘https://storage.courtlistener.com/recap/gov.uscourts.dcd.246022/gov.uscourts.dcd.246022.1.0.pdf

Bottom line: If it is NIST approved, run away. NIST is a Scary Ghost.

...

August 5, 2022 9:58 PM

Clive Robinson on Friday Squid Blogging: New Squid Species :

@ Bruce, Usual Suspects,

Re : Helium crypto nonsense

A little while ago when our host @Bruce last posted about “blockchain”, I mentioned an odd ball “crypto-currency” scheme called “Helium” that uses,

“Proof of coverage”

Not “proof of work” and I said it was a joke at best…

Well it appears I’m not the only one,

https://blog.dshr.org/2022/08/helium.html

...

August 5, 2022 9:09 PM

Clive Robinson on Friday Squid Blogging: New Squid Species :

@ ALL,

Re : DJB taking NIST to court,

@Not really anonymous, noted above,

“DJB announced a new lawsuit this afternoon.”

But did not include a link.

Well this is a link to DJB’s write up,

http://blog.cr.yp.to/20220805-nsa.html

It’s a very good read and goes into some of the nastier bits of NIST being the NSA’s puppet.

As I’ve mentioned in the past the AES competition, was fairly clearly rigged so that which ever algorithm won, the practical implementation that would get used would be full of time based side channel leaks…...

August 5, 2022 8:26 PM

Clive Robinson on Friday Squid Blogging: New Squid Species :

@ SpaceLifeForm, usual suspects,

Linux vulnerability in Jens Axboe’s “io-uring”[1],

“an exploit that targets a hardened nsjail environment inside of Google’s container optimized OS (COS) distro. The exploit does not require unprivileged user namespaces and results in root privileges in the root namespace. To gain root, we leveraged a Use-After-Free vulnerability. This allowed us to execute our own code in kernelmode.”...

August 5, 2022 6:56 PM

Leon Theremin on Friday Squid Blogging: New Squid Species :

This position paper makes the case for wireless in-package nanonetworking as the enabler of efficient and versatile wired-wireless interconnect fabrics for massive heterogeneous processors.

https://arxiv.org/abs/2011.04107

Comment: Think your processor couldn’t have a covert networking interface phoning home? Think again.

August 5, 2022 6:44 PM

Chris Drake on On the Dangers of Cryptocurrencies and the Uselessness of Blockchain :

Hi Bruce,

Since you asked: imagine you’re asked to build a genuinely secure messenger application, leaking near-zero metadata whatsoever to all (nonlocal to the endpoint device) eavesdroppers (i.e. no listeners-on-the-wire can know who you are, or that you’re even saying anything, let alone who to.).  Imagine also that they want payments included.

I’d guess your solution necessarily includes peer-to-peer transport, and since you need to defeat traffic analysis anyway, it probably uses a “mining” solution based on participants passing encrypted traffic (real and/or fake) around on behalf of themselves or others…...

August 5, 2022 4:39 PM

Not really anonymous on Friday Squid Blogging: New Squid Species :

DJB announced a new lawsuit this afternoon. It seems to be mostly about NIST not responding to his FOIA requests regarding NSA influence on the postquantum cryptography standard creation.

August 5, 2022 3:45 PM

Clive Robinson on SIKE Broken :

@ SpaceLifeForm, TimH, ALL,

Re : ROT N

Ahh the good old days pre the Web, of bad/coarse jokes on UseNet being obfuscated by ROT13 back in the 1980’s[1]. So common that many could read it by sight…

Apparently still in use by Microsoft in the Registry[2]…

But ROT like IntADD, XOR, and bit shifting with carry around are linear and will “sum up and roll over” just like the mechanical odometer and “trip-meter” in a car where those old enough used expressions like “Distance on the clock”...

Sidebar photo of Bruce Schneier by Joe MacInnis.