Recent Comments



May 20, 2022 12:43 AM

ResearcherZero on Friday Squid Blogging: Squidmobile :

Government report finds no flying objects over Afghanistan

The Afghan air force, the main military advantage the government had over the Taliban, had not been projected to be self-sufficient until 2030 at the earliest.

The contractors maintained basically all of the Western equipment, particularly the air assets that we had given the Afghans.

We never really trained them on logistics. Their logistics were horrible...

May 20, 2022 12:02 AM

ResearcherZero on Friday Squid Blogging: Squidmobile :

@SpaceLifeForm

Ever get the feeling that some announcements are disguised to cover up creepy surveillance laws which are further designed to erode human rights?

As long as spies have unbreakable encryption, then we can assume we are all safe.

“Ofcom, Britain’s telecommunications regulator, says that a startling 60% of teenagers who use smartphones describe themselves as “highly addicted” to being ...

May 19, 2022 11:44 PM

ResearcherZero on Friday Squid Blogging: Squidmobile :

“A global comprehensive treaty to counter cybercrime first proposed by Russia has gained enough support at the United Nations for negotiations to begin early next year” (2022).

“many of the governments leading the initiative use cybercrime as a cover to crack down on rights”

“Russia was joined by seven co-sponsors. They include China, which employs technology for coercion, control, and repression, in a model of techno-authoritarianism that is spreading around the world. Cambodia, another initial co-sponsor, has proposed a cybercrime law that threatens increased surveillance of internet users, including whistleblowers, and would restrict free expression online and reduce privacy. This comes on top of several repressive laws, including its recently approved National Internet Gateway, which will enable the government to significantly increase its control over the internet.”...

May 19, 2022 10:39 PM

kari on iPhone Malware that Operates Even When the Phone Is Turned Off :

@ SpaceLifeForm, re: “Cellcos do not run NTP by design”, what’s that got to do with anything? There are thousands of NTP servers online, which should be usable by any phone with internet access. Last I checked, the cellular network was a popular time source for stratum 1 servers, which implies any device dealing with a “cellco” shouldn’t even need NTP. Rather, NTP could be a fallback for devices that are not on the cellular network (for whatever reason) and don’t have the GPS time...

May 19, 2022 9:53 PM

SpaceLifeForm on iPhone Malware that Operates Even When the Phone Is Turned Off :

@ Asker

That is not a dumb question at all.

The odds are very high that this is the case if there are other devices around that have some kind of net. The other devices have already been geolocated, and via proximity, it will leak.

Did you mention your iPhone being off? Good luck with that theory.

May 19, 2022 8:27 PM

SpaceLifeForm on Friday Squid Blogging: Squidmobile :

It’s a bold move Cotton, let’s see if it pays off.

hxtps://arstechnica.com/tech-policy/2022/05/twitter-deal-leaves-elon-musk-with-no-easy-way-out/

© 2022 The Financial Times Ltd. All rights reserved. Not to be redistributed, copied, or modified in any way.

FOAD FT. Ever heard of Fair Use?

Seriously, just FOAD. HTH. HAND.

May 19, 2022 8:17 PM

kari on iPhone Malware that Operates Even When the Phone Is Turned Off :

@ SpaceLifeForm,

The Elephant in the Room is that a semi-accurate clock is required for any TLS Certificates to work these days.

I wouldn’t necessarily call that an elephant, since we’re mostly talking about the case where network is unavailable—leaving little use for TLS. I do wonder whether it could cause WPA authentication to fail, for methods such as EAP-TLS. If not, you’re only a few seconds away from learning the time via NTP (the NTS “Network Time Security” feature does consider ...

May 19, 2022 7:05 PM

SpaceLifeForm on iPhone Malware that Operates Even When the Phone Is Turned Off :

@ kari, tfb, Clive, ALL

re: Do not fall into the trap that implies you need net and an accurate clock.

The Elephant in the Room is that a semi-accurate clock is required for any TLS Certificates to work these days.

You can try this at home. Set your clock back a year, and then try to read this.

May 19, 2022 6:37 PM

fib on Friday Squid Blogging: Squidmobile :

@Clive

Assuming it is not a rhetorical question, I’m posting this to say I’m not getting any problem with the site loading speed. Among all the posters I’m probably at the lowest end of the Internet infrastructure, so I should have noticed. Good luck.

Regards

May 19, 2022 6:19 PM

Clive Robinson on Friday Squid Blogging: Squidmobile :

@ SpaceLifeForm,

I get the feeling there is a lot more DJB would like to say, but cannot because of his position and the fact it is a public forum.

As for me, as I guess you know by now I’ve not really worried too much about “image” so I tend to call it as I see it and supply the evidence behind my thinking (hence the reason why I still claim the NSA deliberately “fixed” the AES competition, but not in the way most would think)...

May 19, 2022 5:34 PM

Clive Robinson on iPhone Malware that Operates Even When the Phone Is Turned Off :

@ tfb,

Re : Chances are electronic clocks can too, if we want them to.

Actually the then UK watch manufacturer Timex made a watch back last century that used the heat difference between your wrist and cooler air temp via thermocouples or peltier devices that charged a battery that powered a watch. It was not a market success. In the 1990’s I had removed a low power microcontroller from its packaging to demonstrate it running off of the heat from the back of your hand for a “science fair” to show kids what was possible (the average adult generates about the same amount of heat as those old 100W incandescent light bulbs, something worth knowing if you are involved with testing designs for efficient homes etc)...

May 19, 2022 4:52 PM

SpaceLifeForm on Friday Squid Blogging: Squidmobile :

DOJ Announces It Won’t Prosecute White Hat Security Researchers

hxtps://www.vice.com/en/article/v7d9nb/department-of-justice-security-researchers-new-cfaa-policy

“The department has never been interested in prosecuting good-faith computer security research as a crime, and today’s announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good.” ...

May 19, 2022 4:38 PM

Charlie on Obscure E-Mail Vulnerability :

I can’t believe I read the whole thread.

I will post a synopsis for future readers to pan down to.

1) Google’s service is 100% standards compliant and there is no evidence that they are doing anything wrong.

2) Netflix doesn’t have any obligation to prevent random people from paying other people’s bills. That’s a feature, not a bug – I can pay your bill for you if I want to.

3) At time of writing, Netflix was not validating email addresses or email address changes. That is DEFINITELY not best current practice or good Internet citizenship. If you don’t validate email addresses, your service can be used for harassment and other criminal activities. Not validating email addresses will get your email completely blocked from the (extremely large) email infrastructure I run, and I recommend others take the same approach – don’t let companies get away with not validating addresses!...

May 19, 2022 4:16 PM

Ian Mason on Websites that Collect Your Data as You Type :

The first thought I had on first reading about this was: “Now, if they harvest emails as soon as they are entered, does this open up an exploit whereby one could stuff their databases full of whatever garbage one wished to?”.

May 19, 2022 4:07 PM

SpaceLifeForm on Friday Squid Blogging: Squidmobile :

@ MrC, Clive

re: NIST PQC

Yeah, it smells fishy. DJB is pointing that out. Some group is pushing Kyber.

My Hinky Sense says that this exercise is misdirection, wasting time.

I am old skool. My measurement of computer power has always been Cycletime times RAM size.

My Hinky Sense has been telling me for some time that there are players trying to get you to stick to RSA, and avoid ECC because Post Quantum Crypto. I.E., the message is, do not convert to ECC now, because you should be wasting your time chasing the PQC Ghost...

May 19, 2022 3:32 PM

fallon on Websites that Collect Your Data as You Type :

…several available free websites will quickly test any given URL for keyloggers, trackers, etc … using custom forensic browsers.

(“schneier.com” tests very clean)

May 19, 2022 3:25 PM

kari on iPhone Malware that Operates Even When the Phone Is Turned Off :

@ tfb,

As to ‘impossible’: what I meant (which I had assumed was obvious, sorry) was ‘impossible to do the things people tend to like to use phones for which very often require knowing and recording the time’

Sure, I kind of guessed you might mean that, and perhaps I should’ve said I consider the time to be “nice to have” rather than “necessary”.

like look at calendars (needs the time to be useful),...

May 19, 2022 2:45 PM

tfb on iPhone Malware that Operates Even When the Phone Is Turned Off :

@Clive Robinson

Pretty sure that relying on half-life for timekeeping is not going to be usefully accurate over useful timescales if the half-life is long enough to be useful as a battery. I like the idea though.

However I think the point is moot really since as you say RTCs do in fact last for ages on tiny batteries. I have a watch I bought in the 1980s which runs for about a decade on a (small) battery. I have a watch ...

May 19, 2022 2:29 PM

tfb on iPhone Malware that Operates Even When the Phone Is Turned Off :

@kari

GPS is a good point. I am not sure how long it takes a GPS receiver to get a good idea of the time, but it may be fairly quick: I think frames are 30s and each frame has the time. Whether waiting 30s is too long I’m not sure.

As to ‘impossible’: what I meant (which I had assumed was obvious, sorry) was ‘impossible to do the things people tend to like to use phones for which very often require knowing ...

May 19, 2022 2:06 PM

SpaceLifeForm on Friday Squid Blogging: Squidmobile :

@ Clive

I have never seen any horrible response time for this site. But, being on the other side of the pond, I am closer to the servers.

I would clear your browser cache and reboot.

Voyager engineering is amazing, but I have to say that Webb Telescope tops that. Not just the hardware, but the entire process of deployment. The recent pics are amazing.

hxtps://petapixel.com/2022/05/10/nasa-shows-off-webb-telescope-sharpness-with-comparison-photo/...

May 19, 2022 2:04 PM

tfb on iPhone Malware that Operates Even When the Phone Is Turned Off :

@SpaceLifeForm

Yes, I am quite familiar with machines that had no real time clock, thank you: I have used many such. And I am fully aware that you can boot machines from volatile file systems.

But, you may not have noticed, we’re talking about a phone. I probably want to do the things people do with phones with it (no, not make calls, no-one does that), like look at calendars (needs the time to be useful), make notes which I would like not to be dated in 1970 (or 1900 if you’re using a proper OS), listen to music where I would like the last listened log to have sane dates &c &c &c...

May 19, 2022 1:14 PM

Quantry on Websites that Collect Your Data as You Type :

since you likely already downloaded it anyway
(from the source of the page you are now reading),
someone tell me at a glance if this 90Kb script has a keylogger,
and whether it doesn’t any other time, or for “certain users”:

…/jquery/3.5.1/jquery.min.js?ver=3.5.1

TAG: Dependency Hell

May 19, 2022 12:33 PM

Ted on Websites that Collect Your Data as You Type :

@Gideon

has anybody actually used an email acquired this way

That is a good question. Especially when enough users actually submit their email. Plus, using leaked data seems like a good way to get into a fight with the EU (GDPR).

Just read that people could use an email relay to further hide their real email from online services.

Recently, Mozilla [20], Apple [18], and DuckDuckGo [19] started to offer private email relay services that give users the ability to generate and use pseudonymous (alias) email addresses. ...

May 19, 2022 12:30 PM

kari on iPhone Malware that Operates Even When the Phone Is Turned Off :

@ Clive Robinson,

In modern wrist watches that could last for ten to twenty years on a tiny battery if not for the batteries self discharge

Well, not too modern, because the cool new thing is the idea of watches that run out of juice in tens of hours, whose non-user-replaceable batteries won’t even be able to be recharged in ten years (but don’t worry: there’s little chance the software will still be supported by then, and you can’t replace the provided software). Reviewers call this “all-day battery life” pretty good...

May 19, 2022 11:54 AM

Pasquale on Websites that Collect Your Data as You Type :

Re: turn off Javascript, and turn it back on when needed:

The problem with that, even ignoring third-party stuff, is that many sites require JS for no good reason; hell, even this blog no longer has a working preview button for comments. For the last year, nytimes.com pages usually show nothing but “Please enable JS and disable any ad blocker” (sometimes the onion service works)—just to show a news story, i.e., the very model of what a web page could do in 1993...

May 19, 2022 11:27 AM

lurker on Websites that Collect Your Data as You Type :

@temy
Turning js on only when you and the site both need it, then turning it off before leaving the site, seems to be the only practical solution.

Building a whitelist is fraught with peril. They’re usually of the form,
Allow js from these sites:
XXX
YYY
ZZZ
but who hosts their own js these days? It usually comes from a cdn that hosts js for everybody including crooks.

May 19, 2022 11:05 AM

Clive Robinson on Websites that Collect Your Data as You Type :

@ Bruce, All,

A surprising number of websites include JavaScript keyloggers that collect everything you type as you type it, not just when you submit a form.

You should not be at all surprised about this.

I’ve talked about Google identifying users by their typing cadence in the search box with its helpful auto-hints, for several years now on this blog…

In fact it’s one of the reasons I’ve advised in many places from the late 1990’s, not just on this blog, that Javascript and certain other features of HTML, etc that Google and Co pushed into specifications should be removed from the specifications (but that of course would cause a loss of fiscal and other beneficial input to these standards bodies…)...

May 19, 2022 10:10 AM

temy on Websites that Collect Your Data as You Type :

JavaScript has long been known as a fundamental privacy/security vulnerability, though it has many legitimate uses.

most websites do not require javascript.

activate it only when actually needed.

May 19, 2022 10:01 AM

Gideon on Websites that Collect Your Data as You Type :

This paper raises more questions than it answers…

NB: The researches went to an enquiry form and typed in their email address – nothing was collected that wasn’t typed.

Which begs the question – how many people fill in their email ‘accidentally’ and then decide not to send the enquiry.

To anybody who cares about such things I think we can all agree that typing private information onto other peoples’ websites is not a good plan!...

May 19, 2022 8:46 AM

Ted on Websites that Collect Your Data as You Type :

Furthermore, we find incidental password collection on 52 websites by third-party session replay scripts.

The incidental password collection seems rather scary to me. Does anyone know what a session replay script is?

An overwhelming majority (50/52) of these leaks were due to Yandex Metrica’s session recording feature.

Also, has anyone tried LeakInspector, the research group’s browser add-on? I’d almost like to see what details it gives about sniff and leak attempts...

May 19, 2022 8:35 AM

Jan on Websites that Collect Your Data as You Type :

An adblocker would probably block most of the scripts responsible for this.

I’m conflicted. I used to turn off ad blocking on sites I trusted and wanted to support, but you open yourself up to so much crap from third parties. Just blocking everything seems the safe choice.

May 19, 2022 8:16 AM

Sumadelet on The NSA Says that There are No Known Flaws in NIST’s Quantum-Resistant Algorithms :

Although I’m late to this party, I may as well refer to the apposite quotation by Mandy Rice-Davies.

‘Well he would, wouldn’t he?’

( h++ps://inews.co.uk/culture/well-he-would-wouldnt-he-bbcs-the-trial-of-christine-keeler-gets-famous-quote-right-374825 )

Further reading: h++ps://en.wikipedia.org/wiki/Profumo_affair

May 19, 2022 7:59 AM

Andrew on Websites that Collect Your Data as You Type :

Every time I have a browser that autofills an email address when I want to use a different email address for that site, I think how it’s easier for those two identities to be joined together.

May 19, 2022 7:35 AM

Peter A. on iPhone Malware that Operates Even When the Phone Is Turned Off :

As already said, quite stable RTCs in cheap wrist watches run for years on a tiny battery quite fine, while powering the LCD display 24/7 on top of that. An RTC chip will run for decades on the charge available in a watch battery if the battery would not obliterate itself earlier (acid or base in the electrolyte eating the housing or internal connecting wires). Damn, it will run on a slice of pickled cucumber. But why you worry? You’ll throw your fartfone in the trash in less than a year anyway to get a new shiny model...

May 19, 2022 6:31 AM

Clive Robinson on Friday Squid Blogging: Squidmobile :

@ ALL,

Anyone else noticed Daniel J. Bernstein’s comment on the NIST Post Quantum Crypto contest of,

“So, instead of a scientific process studying clearly defined questions, there’s a political process weaponizing a lack of clarity. At some point observers are forced to ask whether the lack of clarity is deliberate.”

In essence he is saying that there is a high probability “someone has put the fix in”…...

May 19, 2022 5:52 AM

Clive Robinson on Friday Squid Blogging: Squidmobile :

@ SpaceLifeForm, ALL,

Re : If we do not hear back from you after two days

Two things,

Firstly I’m seeing page load times from this blog’s site in the 1-2 minute range at the moment, anyone else see abnormally long load times?

Secondly JPL’s superannuated space craft. I fondly remember the excitement they caused in me when they were first talked about in the media, their launch and what came back, even the SciFi Star Trek movie…...

May 19, 2022 5:35 AM

JokingInTuva on Friday Squid Blogging: Squidmobile :

From the “The NSA Says that There are No Known Flaws in NIST’s Quantum-Resistant Algorithms” thread:

https://www.schneier.com/blog/archives/2022/05/the-nsa-says-that-there-are-no-known-flaws-in-nists-quantum-resistant-algorithms.html/#comment-404902
https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/Fm4cDfsx65s

It points to some feasible attacks on LWE-based PQC candidates.

Is it risking the whole LWE schemas? or just the “simplified” Saber/Kyber proposals?...

May 19, 2022 5:31 AM

Clive Robinson on iPhone Malware that Operates Even When the Phone Is Turned Off :

@ lurker, Karl, ALL,

Re : Real Time Clocks

When it comes to,

I suspect a modern RTC could run on a lot less than a microamp

Yes and nearly yes.

A Clock has two parts,

1, A stable oscillator.
2, A counter.

With a little careful thought and design the electronics of the counter can run on pico amps these days, you are only shuffling a very few electrons around a tiny distance for a tiny fraction of the oscillator period. It averages out to next to nothing...

May 19, 2022 4:52 AM

Clive Robinson on The NSA Says that There are No Known Flaws in NIST’s Quantum-Resistant Algorithms :

@ Denton Scratch,

Re : Maybe I expressed myself badly

No and yes…

The problem is naturally we say,

me, I, you…

in English, even though we are in reality a collection of “relationships” based on “roles”,

friend, colleague, boss, subordinate, son, daughter, mother, employee, employer, club member, customer, etc.

Our actual data communications are based on the relationship or role, not on who we, you, I, are, as a physical body, name, or social security number issued by the State for the “Convenience of the State”...

May 19, 2022 1:42 AM

lurker on iPhone Malware that Operates Even When the Phone Is Turned Off :

@karl

I suspect a modern RTC could run on a lot less than a microamp; however my back of envelope calculations indicate one microampere could be supplied for 24 hours at typical CMOS device voltages from a one millifarad capacitor. Physical size will depend on the dielectric and construction method, which I haven’t been following for a few years.

May 18, 2022 10:05 PM

SpaceLifeForm on Friday Squid Blogging: Squidmobile :

Tech Support: Did you try turning it off and back on?

If we do not hear back from you after two days, we will close this trouble ticket as Resolved: Cosmic Rays.

hxtps://www.jpl.nasa.gov/news/engineers-investigating-nasas-voyager-1-telemetry-data

May 18, 2022 9:11 PM

JonKnowsNothing on Friday Squid Blogging: Squidmobile :

@SpaceLifeForm, @Clive, @All

re:North Korea “fevers”

While watching the temperatures rise as the “fevers” roll through the North Korean countryside, it would be useful to consider what would happen if China, abandons their Zero-COVID policy.

The HIP-RIP-LOVIDs are primarily concerned with China’s factory closures but China has already estimated the blow out if BA2121 really escapes containment. Factory closures will be the least of China’s worries...

May 18, 2022 8:59 PM

kari on iPhone Malware that Operates Even When the Phone Is Turned Off :

@tfb,

Without a real-time clock it would be impossible to turn the device on and use it (causing timestamps to be recorded in the filesystem) without it seeing a network, and thus probably revealing its location. So, yes, real-time clocks matter, quite a lot, if you want to be able to use the device off the network after it’s been off.

The GPS network sends time anonymously (but doesn’t reach inside all buildings). I’m not sure about the cellular network. With wi-fi, not always, but if there’s an open network, NTP with a random MAC address wouldn’t reveal much...

May 18, 2022 8:46 PM

SpaceLifeForm on Attacks on Managed Service Providers Expected to Increase :

Must control app store.

Must control platform.

Are Apple and Google MSPs?

hxtps://www.androidpolice.com/total-commander-apk-installation-block/

Both Apple and Google are dreaming.

It’s all about the dollar signs. As you may have noted, neither control their platform. See Pegasus for example.

May 18, 2022 8:25 PM

Ted on Attacks on Managed Service Providers Expected to Increase :

@Clive

However what you give from their legal team is to us so obviously lies,

I’d like to rephrase “lies” here to “corporate optimism.”

Continuing with SolarWinds’ legal response, we should all note that aspirational statements (aka corporate puffery) cannot be considered materially misleading.

These would include statements such as SolarWinds “is committed to taking its customers security and privacy concerns seriously” and that it “strives to implement and maintain security processes.”...

May 18, 2022 7:57 PM

JonKnowsNothing on iPhone Malware that Operates Even When the Phone Is Turned Off :

@ SpaceLifeForm, @ tfb, Clive, ALL

re: Do not fall into the trap that implies you need net and an accurate clock.

Rewritten to:

  • Do not fall into the trap that implies the clock is accurate or an acculturate representation of anything.

===

Of note: The seats are warming up for one of the trials that Marcy Wheeler (emptywheel .net) is following. A fair number of exhibits show manipulated and altered timestamps...

May 18, 2022 7:43 PM

SpaceLifeForm on Friday Squid Blogging: Squidmobile :

@ JonKnowsNothing

HIP-RIP

Authoritarians always say it is not their fault. Always someone else to blame. Always. Never them.

A week ago, no big deal.

hxtps://arstechnica.com/science/2022/05/north-koreas-covid-outbreak-taking-favorable-turn-as-cases-exceed-1-7m/

May 18, 2022 7:13 PM

SpaceLifeForm on iPhone Malware that Operates Even When the Phone Is Turned Off :

@ tfb, Clive, ALL

In the Land of Confusion

Without a real-time clock it would be impossible to turn the device on and use it (causing timestamps to be recorded in the filesystem) without it seeing a network, and thus probably revealing its location.

Completely wrong.

It depends upon your use case.

I can live boot a computer, with my root filesystem existing entirely in RAM, and I can make it usable whilst not giving a care in the world what the clock thinks the timestamp is. And no net...

May 18, 2022 5:09 PM

SpaceLifeForm on iPhone Malware that Operates Even When the Phone Is Turned Off :

@ Andrew, Clive, ALL

hxtps://arstechnica.com/gadgets/2022/01/the-pinephone-pro-brings-upgraded-hardware-to-the-linux-phone/

The phone has a 6-inch, 1440×720 LCD, 4GB of RAM, 128GB of eMMC storage, and a 3,000 mAh battery. There’s a USB-C port with 15 W charging, a headphone jack, a 13MP main camera, and an 8MP front camera. The back cover pops off, and inside the phone, you’ll find a removable battery (whoa!), a microSD slot, pogo pins, and a series of privacy DIP switches that let you kill the modem, Wi-Fi/Bluetooth, microphone, rear camera, front camera, and headphones. ...

May 18, 2022 4:48 PM

tfb on iPhone Malware that Operates Even When the Phone Is Turned Off :

@kari

Without a real-time clock it would be impossible to turn the device on and use it (causing timestamps to be recorded in the filesystem) without it seeing a network, and thus probably revealing its location. So, yes, real-time clocks matter, quite a lot, if you want to be able to use the device off the network after it’s been off.

However I suspect real-time clocks can be kept alive for a very long time from big caps: you don’t need a special second battery...

May 18, 2022 3:51 PM

vas pup on Friday Squid Blogging: Squidmobile :

Robot Dog Olympics takes place at MoD in Bristol

https://www.bbc.com/news/uk-england-bristol-61483615

“The robots are designed to perform non-offensive tasks to protect troops and do not carry firearms.

Instead they aid troops by searching and scanning or delivering medicine and food into disaster areas.

The event was run by the Future Capabilities Group (FCG) at Defence Equipment and Support, the procurement arm of the MoD...

May 18, 2022 3:26 PM

Ted on Attacks on Managed Service Providers Expected to Increase :

@JonKnowsNothing

Re: HP and Autonomy acquisition

What a fiasco. I see what you mean. We are not immune from misrepresentations issued from supposedly trusted institutions.

The details are certainly interesting. I’ve enjoyed several books on stunning financial crimes. However, I find the investigations and judgements to be positive signs.

I remember listening to a podcast about Russia and Putin. The guest was asked how Russia might fare under a different leader. They responded that Russia more importantly suffered from diminished institutions – think a robust and impartial legal system...

May 18, 2022 1:18 PM

Ted on iPhone Malware that Operates Even When the Phone Is Turned Off :

@lurker

Re: Uses of NFC, UWB, and Bluetooth

Here’s a feature I’d never heard of… Digital Car Key (DCK). I guess it’s supported by Ultra-wideband (UWB) and Bluetooth. So says the paper.

…the Bluetooth and the UWB chip are able to operate standalone while iOS is powered off. These capabilities are undocumented and have not been researched before.

From bop to beep beep.

May 18, 2022 12:31 PM

Clive Robinson on Attacks on Managed Service Providers Expected to Increase :

@ Ted,

Re : I will start with flouring a cyberattack as…

In the UK we say “over egging the pudding” and similar.

However what you give from their legal team is to us so obviously lies, it astounds us that they think they can get away with it.

They know full well they can make such absolutely unsupported claims for several reasons.

1, The judge likely has insufficient knowledge to tell what a steaming pile it is...

May 18, 2022 12:20 PM

Quantry on iPhone Malware that Operates Even When the Phone Is Turned Off :

@ Gang

The statement

the attack isn’t really feasible

mis-leads us to believe there is no feasible attack:

APPLE ITSELF still has access. This IS a successful attack against a user who thinks the phone is off: There is no other way to say it. IT IS MALWARE.

ONCE AGAIN, the users’ own devices are their worst enemy.

(Use an RFID Faraday bag, during off times.
h–ps://www.cisa.gov/ recommends
defendershield.com/shop, shop.faradaydefense.com, and mosequipment.com...

May 18, 2022 12:17 PM

Clive Robinson on Attacks on Managed Service Providers Expected to Increase :

@ lurker, ALL,

Re : CISOs should spend less time and money on security tech, and more on contract language (Rakoski viewpoint).

And how do you think that viewpoint arose, “Why?”, and as importantly “What the likely outcome is going to be?”.

@ Winter,

Re : I always considered them to be mercenaries.

I actually know many people who would fit under the definition of mercenary. That is they provide “Guard Labour” for “Hire or Reward”; this does not make them bad or objectionable people…...

May 18, 2022 11:47 AM

kari on iPhone Malware that Operates Even When the Phone Is Turned Off :

The differing firmware-security requirements between chips remind me of Michael Steil’s 2005 talk “17 Mistakes Microsoft Made in the Xbox Security System” (Xbox dashboard loads audio, 3D meshes, fonts; it hashes audio, 3D meshes… but not fonts). There’s probably no good reason, and the less-restrictive component will naturally attract the attention of attackers.

@ Andrew,

First, the actual physical space requirements are hard to fit into today’s slimline phone designs...

May 18, 2022 11:14 AM

JonKnowsNothing on Attacks on Managed Service Providers Expected to Increase :

@Ted, @All

Actually this is the one I was referring to:

  • HPE’s (then HP’s) $11bn acquisition of Autonomy back in 2011.

While the case continues its meandering between USA and UK jurisdictions, it looks ever more probable that “Autonomy founder Mike Lynch” might be joining Julian Assange on a flight to the USA, but for different charges.

  • The ruling [05 17 2022] clears the way for the British software exec’s extradition proceedings to the US to face criminal charges. Lynch faces trial on 17 charges of wire fraud and conspiracy regarding Hewlett Packard’s acquisition of his software company back in 2011...

May 18, 2022 10:55 AM

lurker on iPhone Malware that Operates Even When the Phone Is Turned Off :

@Ted

NFC is used for transactions involving money. UWB was invented at a time when people had started to think what they were doing. I can’t remember what BT was intended to do, but one of its first major uses was for playing bop over boom boxes, hardly a major security risk.

May 18, 2022 10:55 AM

Clive Robinson on The NSA Says that There are No Known Flaws in NIST’s Quantum-Resistant Algorithms :

@ Denton Scratch, Lupe, ALL,

What I really need is a way to prove that this “me” is the same “me” as in my other posts.

Actually that would be a major mistake to commit.

Your life is “not you as an individual” but “a collection of individual roles”

It’s the roles that the world sees, but bureaucrats and authoritarians want to see you as a single entity, which is really very very bad news for every individual...

May 18, 2022 10:42 AM

Winter on iPhone Malware that Operates Even When the Phone Is Turned Off :

@Andrew

Second, and more important, there are things that still need to run even when “off”; the immediate item that comes to mind is the real-time clock.

There are quite a number of phones that do have a hardware switch for a silent mode. That could also be used to construct a hardware airplane mode. It could also disconnect the microphone and cameras. If my phone is on silent, I really do not want to use it...

May 18, 2022 10:30 AM

lurker on Attacks on Managed Service Providers Expected to Increase :

re: SolarWinds suit

It was brought by “a group of investors” concerned that SW “embraced intentional or severely reckless deceit on investors.” Follow the money . . .

I read XPAN’s Rakoski as saying in the final para: CISOs should spend less time and money on security tech, and more on contract language.

May 18, 2022 10:20 AM

Andrew on iPhone Malware that Operates Even When the Phone Is Turned Off :

A hardware switch is problematic for many reasons. First, the actual physical space requirements are hard to fit into today’s slimline phone designs. Second, and more important, there are things that still need to run even when “off”; the immediate item that comes to mind is the real-time clock. It’s simply not feasible to put a second dedicated battery for the clock into a phone that takes up space, can run down over time, etc...

May 18, 2022 10:10 AM

Ted on Attacks on Managed Service Providers Expected to Increase :

@Clive, All

work out the likely ingredients that will make that pie…

I will start with flouring a cyberattack as:

“the largest and most sophisticated operation” that the world has ever seen, and so sophisticated that it took “at least a thousand very skilled, capable engineers” to carry out such an attack.

SolarWinds legal response:

https://info.secureworld.io/hubfs/SolarWinds-investor-suit-response-CISO.pdf...

May 18, 2022 9:32 AM

Winter on Attacks on Managed Service Providers Expected to Increase :

@Clive

Lawyers are a form of “Guard Labour” and as such are “Authoritarian followers” not just by nature, but nurture as well.

I always considered them to be mercenaries. However, like so many prejudices, that falls apart when you know them closer, and see that most are socially engaged and motivated with a love for justice and the law.

I must add that my personal acquaintances with lawyers was in academic settings, far, far away from corporate law. The people I spoke with were activists for the protection of privacy...

May 18, 2022 9:13 AM

Clive Robinson on Attacks on Managed Service Providers Expected to Increase :

@ Ted, JonKnowsNothing, ALL,

Re : legally defensible security

Take a moment or two to “chew down” on that thought, and work out the likely ingredients that will make that pie…

Lawyers are a form of “Guard Labour” and as such are “Authoritarian followers” not just by nature, but nurture as well. Not only do they take an “at war” mentality with everyone (seeing all as potential enemies), they rarely understand the notion of impartial or beneficial parties, so they do not “trust” in the human sense...

May 18, 2022 8:57 AM

Denton Scratch on The NSA Says that There are No Known Flaws in NIST’s Quantum-Resistant Algorithms :

@Lupe

Well, we tried that with PGP, and a common complaint was that nobody knew how to answer when PGP asked “how much do you trust this person?” or “how sure are you of their identity?”

This business of trust and identity. I once set out to get a PGP key authenticated through the Web Of Trust system. It involved meeting a certifier in person, and presenting personal documents, including passport and bank statements. I didn’t go through with it, because:...

May 18, 2022 8:44 AM

Clive Robinson on iPhone Malware that Operates Even When the Phone Is Turned Off :

@ Bruce, The usual suspects, ALL,

Researchers have demonstrated iPhone malware that works even when the phone is fully shut down.

As long as there is power connected to a chip with a suitable state machine or microcontroller in it, as well as independent communications IO, this is going to happen.

Which brings us onto,

“[I]t turns out that the iPhone’s Bluetooth chip — which is key to making features like Find My work — has no mechanism for digitally signing or even encrypting the firmware it runs.”...

May 18, 2022 8:25 AM

Ted on iPhone Malware that Operates Even When the Phone Is Turned Off :

Big ask in the research paper:

Apple should add a hardware-based switch to disconnect the battery

I haven’t yet figured out why the Bluetooth chip would have been designed with less security than the other two wireless chips (NFC and UWB).

The NFC chip has encrypted and signed firmware. The UWB chip has firmware that is signed, although not encrypted. However, the Bluetooth chip’s firmware is neither signed nor encrypted...

May 18, 2022 5:53 AM

Clive Robinson on The NSA Says that There are No Known Flaws in NIST’s Quantum-Resistant Algorithms :

@ Anon User, ALL,

For the real secret stuff, just keep the public keys as secret as the private keys.

And now for the bad news…

It can be shown that, like most key based systems, the key encodes a shadow of itself in the ciphertext. It is at the end of the day just a “mapping function” of large size.

That is, it can be distinguished from “truly random” in quite a few ways[1]. Thus you have to do a lot lot more to get reasonable security for more than a handful of bits...

May 18, 2022 5:31 AM

Clive Robinson on Surveillance by Driverless Car :

@ SpaceLifeForm,

Re : But I am laughing.

Remember, I’ve been likened in the past to looking like an overly large Klingon with a Karl Marx beard and hairdo, and a bullish temperament to suit. Not helped by photos of me running down a rugby pitch with people hanging off of me.

It’s rumored, that as long as I’m smiling a little… You might be safe 😉

But yeah, the joys of the English language: you can hide more in a single sentence than in a “dead dog’s pelt”, all waiting to jump out and bite you =(...

May 18, 2022 5:20 AM

Clive Robinson on Attacks on Managed Service Providers Expected to Increase :

@ Ted, JonKnowsNothing,

I’m still surprised that only 40% of MSPs use MFA themselves,

MFA is seen by many to be,

1, Expensive to implement.
2, Expensive to operate.
3, Expensive to maintain.
4, Of no real security purpose.

All of which are true to some extent, but MFA is not a “sum of the parts” solution, so should not be looked at in that way.

So the report kind of tells you a lot about the point of view of the “Directing Minds” of MSPs…...

May 18, 2022 5:04 AM

Clive Robinson on Surveillance by Driverless Car :

@ MarkH, ALL,

He said he was from Newbridge (which I take to be the village near Edinburgh)

Sounds about right… Back when working in the Petro-Chem industry when “Brent-Spar” went walk about, I had to visit it a couple of times.

It would once have been called a “one pub village” as it had less than a thousand inhabitants; in fact the industrial estate is about the same size as the village, and there is an old dolomite quarry, now flooded, that is also about the same size. It’s famed for the Newbridge Chariot that got dug up there, along with other signs that indicate humans have lived there for oh about 8500-9000 years one way or another, and some jokes infer some are still living there on the local council...

May 18, 2022 4:05 AM

Anon User on The NSA Says that There are No Known Flaws in NIST’s Quantum-Resistant Algorithms :

For the real secret stuff, just keep the public keys as secret as the private keys. Don’t distribute them over the net at any cost, instead keep them local between the communicating parties. Even if all encrypted communication was collected and the algorithm gets broken, there is still nothing to decrypt without a public key available to the attacker.

It doesn’t scale too well, but still much better than a One Time Pad, and once established you get most of the advantages of public key schemes...

May 18, 2022 2:11 AM

Winter on Surveillance by Driverless Car :

@JonKnowsNothing

I was totally shocked at how “old” the buildings were in Europe and not only were they old but people still lived in them

Makes sense. A house that still stands after a few centuries can be expected to withstand another century.

One of the places I worked was a 4 centuries old canal house. It was actually two houses combined. Its interior reminded me of the old Labyrinth myth. Even telling which floor you were on was tricky (elevators? You must be joking). It sold for $1M+ a decade ago. I am sure it will be $4M+ (or maybe double that) by now...

May 18, 2022 1:37 AM

SpaceLifeForm on Surveillance by Driverless Car :

@ Clive

I have to apologize for parsing closely. But I am laughing.
I’m sorry, but tears funny to me.

Later in life I had a girlfriend that lived in the old coach house in Hampton Court, that likewise was older than the most of the US.

May 18, 2022 12:36 AM

Ted on Attacks on Managed Service Providers Expected to Increase :

@Clive, JonKnowsNothing, All

So you have very valid points. It wouldn’t make sense to go crazy chasing shadows. I’m still surprised that only 40% of MSPs use MFA themselves, according to a linked report.

May 18, 2022 12:04 AM

MarkH on Surveillance by Driverless Car :

@Clive, re age of structures:

When I was a kid, I saw on the TV a stand-up comedian from Scotland. He said he was from Newbridge (which I take to be the village near Edinburgh), and that it had gotten its name from the construction there of a new bridge …

… many centuries ago, which got a good laugh from the U.S. audience.

He got an even better laugh, when he added that people were (as of about 1970) still using the ...

May 17, 2022 10:42 PM

JonKnowsNothing on Attacks on Managed Service Providers Expected to Increase :

@Ted @All

re: probably wouldn’t hurt to ask if they participate in any assessment programs

Due diligence is always a good idea but as far as the scope of the topic consider

1) The company states in their brochures that they participate in N-Programs

2) The company states in face to face meetings they participate in N-Programs

3) You ask to see their certificates of completion or whatever these N-Program supply in way of documentation and you get shown some papers that say that...