Recent Comments



December 9, 2022 11:48 PM

JonKnowsNothing on Friday Squid Blogging: China Bans Taiwanese Squid Imports :

@Clive, @MarkH, All

re: How deep does the chain reach

If I understand the Classification Issue in relation to the current cases of Schulte (Vault7), Julian Assange (lots of accusations), and on down to Edward Snowden (did he request help in leaving US jurisdiction either directly, indirectly, financial or legal support), it’s not about the first contact (group1) in the chain (Schulte, Snowden), it’s about all the other people in the chain...

December 9, 2022 11:41 PM

SpaceLifeForm on Friday Squid Blogging: Legend of the Indiana Oil-Pit Squid :

@ lurker, Clive, Winter, ALL

Re: ChatGPT

How long does it take a human to acquire the knowledge required to solve those two examples, 10 ~ 15 years?

It may not happen.

Just like humans.

It may learn from you, if you interact with it, but it has no real world knowledge. At all.

A child has a plastic mind. If the parents are not thinking (because they have joined the cult), the child is going to be brainwashed with bullshit and not encouraged to learn...

December 9, 2022 11:39 PM

Ted on The Decoupling Principle :

@Clive, lurker

Re: the Q’s

Oh good ideas. I very much like the Quinault (Strawberries) option. In fact, it makes me wonder if some of the other dessert names could have been equally spiffed up.

You would be good at my “counting sheep” game. If I can’t sleep sometimes I will pick a category, say colors, and then go through the alphabet and try to think of one for each letter. So for colors it could go… amber, burgundy, cerulean, dill, ecru and so on. As you can imagine, some letters are more challenging than others. Funnily though, many times I find myself in la la land well before I can make it through the whole alphabet...

December 9, 2022 10:56 PM

MarkH on Friday Squid Blogging: China Bans Taiwanese Squid Imports :

@JonKnowsNothing, Clive:

Thanks to Jon for calling attention. Yes of course, document classification applies to the content rather than the physical record. That’s one reason why Agent Orange’s claim that he declassified stuff by stealing it is absurd.

I don’t see anything on emptywheel suggesting that there would be a violation by a person who didn’t know the information was restricted.

My main takeaway is that the judge (in a sort of tactful way) was expressing intense skepticism toward the government’s argument...

December 9, 2022 10:27 PM

lurker on Friday Squid Blogging: Legend of the Indiana Oil-Pit Squid :

@SpaceLifeForm

ChatGPT has no real world knowledge.

Not even close.

How long does it take a human to acquire the knowledge required to solve those two examples, 10 ~ 15 years? Maybe ChatGPT is asking for some significant fraction of that …

December 9, 2022 9:48 PM

SpaceLifeForm on Friday Squid Blogging: Legend of the Indiana Oil-Pit Squid :

@ Clive, Winter, ALL

Re: ChatGPT corpus

You can confuse a bot. I may have mentioned this previously.

It has some, but not real world experience.

If you connect to the bot, it has some built-in corpus, but it is not Turing complete.

Just like humans.

It may learn from you, if you interact with it, but it has no real world knowledge. At all.

The other two examples that I did not mention, where it got it wrong...

December 9, 2022 9:46 PM

Clive Robinson on Friday Squid Blogging: China Bans Taiwanese Squid Imports :

@ JonKnowsNothing,

Re : Legal Argument.

In many places the prosecution would have to show,

1, The defendant had knowledge of the information status.
2, Had intent to use it unlawfully.

So if someone “acquires a document” from some place/person and retypes it without classification as a plain *.txt file or print out and passes it on without reference to its origin to another person…

How would that person know it was “classified” in some way?...

December 9, 2022 9:25 PM

Clive Robinson on Leaked Signing Keys Are Being Used to Sign Malware :

@ Salach

Re : Signing Key security

“I don’t expect small companies to apply strict and serious security around their signing key but I do expect it from the big companies.”

I expect key security to be good for all.

The reason, look at it this way,

A tiny two developer Chinese company writes a driver for a bit of hardware they have designed.

It obviously needs to be code signed to be usable by the OS kernel. Unfortunately a driver can and has compromised major consumer OSs...

December 9, 2022 9:20 PM

JonKnowsNothing on Friday Squid Blogging: China Bans Taiwanese Squid Imports :

@Clive, SpaceLifeForm, All

Over on Marcy Wheeler’s site, she has a post in reference to a US Court Case involving Classified documents and information. It’s related to many disclosures of the last decades and has significant impacts for current court cases involving Classified items.

It’s fairly convoluted but the US Gov Legal Argument runs something like this:

  • A document with classified security status not only pertains to the physical document but also to the contents of the document...

December 9, 2022 9:10 PM

Clive Robinson on Friday Squid Blogging: China Bans Taiwanese Squid Imports :

@ SpaceLifeForm,

Re : Twitter Implosion

“Besides Elton John leaving”

Speaking of famous singers, do you remember Johnny Cash?

One song he made famous was “burning ring of fire”, it kind of springs to mind for Hell-on Rusk, –as he flies down in a spiral trailing smoke– with the chorus of,

“I went down, down, down
And the flames went higher
And it burns, burns, burns
The ring of fire, the ring of fire”...

December 9, 2022 8:57 PM

Clive Robinson on The Decoupling Principle :

@ Ted, lurker,

“I’ll admit Q would have been a toughie.”

Why?

Look up the English dish called “Queen of Puddings” or the Old English fruit “quince” that is made into many things most often mentioned being “quince jam”. There are a number of other “Q” fruits such as, Quandong (Australian native peach), Quenepa (Spanish lime), Querina (Apples), Quinault (Strawberries) etc, that are made into jams, pies, tarts and puddings[1]...

December 9, 2022 8:39 PM

JonKnowsNothing on Security Vulnerabilities in Eufy Cameras :

@ Gunter Königsmann

re: “Are my photos really worth all that money to someone else?”

All photos are worth something to LEAs globally. Palantir is a USA CIA front for collecting them from “legit business” but they get loads of them other ways.

The NSA+Google have a geo-mapping project where any photo without a geo-tag can be mapped to the precise location, time of day, time of year using massive amounts of the same photos in an overlay to make the identification...

December 9, 2022 7:54 PM

Clive Robinson on Hacking Trespass Law :

@ Bruce,

“But, of course, the legal battle isn’t really about that. It’s about the rights of property owners vs the rights of those who wish to walk on this otherwise-inaccessible public land.”

Actually it’s just an artifact of a deeper problem.

For various ludicrous reasons, mainly to do with out and out violence by what we now know are abnormal or to be more blunt “mental defectives” we have “property laws”...

December 9, 2022 7:28 PM

whatev on Security Vulnerabilities in Eufy Cameras :

@ Gunter Königsmann

“Are my photos really worth all that money to someone else?”

Apparently, since the cloud storage mechanism did not appear by itself.

December 9, 2022 6:56 PM

SpaceLifeForm on Friday Squid Blogging: China Bans Taiwanese Squid Imports :

Twitter Implosion

You do not want to get trampled in the exodus from the birdhouse. Over 1 Billion will be leaving soon.

Besides Elton John leaving,

3 Members Of Twitter’s Trust And Safety Council Just Resigned

‘https://www.huffpost.com/entry/twitter-trust-safety-council-resign_n_63938a7fe4b09e0de4930034

[I was not aware they had 4. I know of one still. I’ll give her a few more days]

...

December 9, 2022 6:54 PM

lurker on Friday Squid Blogging: China Bans Taiwanese Squid Imports :

I’ve had an acct with Amazon for about 10 years. Due to my misunderstanding their cross-market exclusion rules earlier this year, I attempted to set up an acct at amazon.uk, and learned that an amazon acct is global.

I have just received a message from amazon.uk warning me of scammers over the holiday season and offering some sane and sensible security tips. In 10 years the parent company never cared if I was scammed …...

December 9, 2022 6:27 PM

Clive Robinson on Security Vulnerabilities in Eufy Cameras :

@ Ismar, ALL,

Re : Someone to blame.

“… just wondering about the owners of these cameras being in the situation they are in due to previous positive ReviewGeek’s reviews…”

Humans have as an over generalised statement, “a number of failings”. Two of which are,

1, We are usually not competent, lazy or both.
2, We do not like being embarrassed.

The result being we do not like taking responsibility for our uninformed actions, so seek to blame others...

December 9, 2022 6:09 PM

Uthor on Hacking Trespass Law :

I find it neat that in Britain the public paths take precedence over the private ownership and you are technically allowed to walk on all of them (not that the land owners don’t threaten the hikers).

Tom Scott had a video about it.
https://www.youtube.com/watch?v=3dYc0Ouxhx0

December 9, 2022 5:37 PM

Ted on The Decoupling Principle :

@lurker

That’s a very helpful update! Glad you emailed. I’m not totally familiar with the Android ecosystem. I see the current Android OS market share is:

Android 12: 30%
Android 11: 25%
Android 10: 19%

Almost wish they were still doing the alphabetical dessert naming motif. 7, 8, and 9 were Nougat, Oreo, and Pie. I’ll admit Q would have been a toughie.

https://gs.statcounter.com/os-version-market-share/android/mobile-tablet/worldwide...

December 9, 2022 5:00 PM

Ismar on Security Vulnerabilities in Eufy Cameras :

Interesting, just wondering about the owners of these cameras being in the situation they are in due to previous positive ReviewGeek’s reviews of Eufy ?

December 9, 2022 3:47 PM

lurker on The Decoupling Principle :

@Ted

Invisv’s web page for the Sep beta release says “INVISV Relay works on any Android device that has Internet access”, yet somewhere I read that it required Android 9+. An email reply to me advises the current version requires Android 11+ …

December 9, 2022 3:46 PM

Clive Robinson on Security Vulnerabilities in Eufy Cameras :

@ Gunter Königsmann, Brenden Walker,

Re : A picture paints a thousand words.

“Are my photos really worth all that money to someone else?”

I guess that depends on two unknowns

1, Who you really are.
2, Who the customer might be.

But most if not all the home security cameras appear to work on the fact that “access to images has value”.

The two worst offenders were,

1, Amazon Ring for giving access to “street images” to law enforcement...

December 9, 2022 3:08 PM

Gunter Königsmann on Security Vulnerabilities in Eufy Cameras :

What I don’t understand: If you want the cloud to store your data that is expensive – which sounds logical: the cloud provider has to buy all those SSDs.
If you don’t want your data in the cloud someone pays for those SSDs, anyway. Are my photos really worth all that money to someone else?

December 9, 2022 1:01 PM

Salach on Leaked Signing Keys Are Being Used to Sign Malware :

@Clive:
Yes, access control is for all aspects, logical and physical. Code signing is far from perfect but we don’t have too many alternatives so we need to optimize what we have. I don’t expect small companies to apply strict and serious security around their signing key but I do expect it from the big companies. They can pay an expert and formulate decent policies for key management. With such a leak they look like a bunch of clowns...

December 9, 2022 12:34 PM

NotMuch on Leaked Signing Keys Are Being Used to Sign Malware :

“The whole system of authentication rests on the assumption that signing keys are kept secret by the legitimate signers.”

Same problem as OTP, key distribution. No matter how good the fundamentals of the authentication or encryption system, keys are always difficult to secure. Impossible to secure when widely distributed. Trusted insiders have access, and the possibilities for outsiders to gain access quickly multiply with the number of trusted key holders...

December 9, 2022 11:08 AM

Reply on Security Vulnerabilities in Eufy Cameras :

That company doesn’t stand behind its other products. When that product breaks, the only consolation, if you could call it that, is that they will send you a discount coupon to buy another one, at the same price that you can get on Amazon.

December 9, 2022 10:51 AM

Clive Robinson on Leaked Signing Keys Are Being Used to Sign Malware :

@ Salach,

Re : Non information security

“The security of code signing keys is a question of access control more than anything else.”

It’s “access control” not just “physically” to the HSM, and its internal “informational” systems.

It’s both physical and informational access control at all levels of the Computing Stack from the quantum physics level up through the human user/organisational policy, national regulation and legislation through international treaties...

December 9, 2022 10:18 AM

Clive Robinson on Security Vulnerabilities in Eufy Cameras :

@ Bruce, ALL,

“And we will lose public shaming as an incentive to improve security.”

We already have, it’s just that we don’t want to believe it.

The first indicators were some years ago with the step up in what many indicated was needless security.

Well it was not needless, as Ed Snowden, Julian Assange and many others, some known to us, others not, have shown.

The US and other Western governments are abusing security to cover up things that oversight, ethics, morals and an innate sense of both decency and shame should have adequately prevented...

December 9, 2022 9:27 AM

Salach on Leaked Signing Keys Are Being Used to Sign Malware :

@Jonathan: It is not enough to put the signing key in an HSM. Even inside an HSM, it is decent protection against extraction, but it can still be (ab)used if the HSM is accessible. The security of code signing keys is a question of access control more than anything else.

December 9, 2022 9:12 AM

Brenden Walker on Security Vulnerabilities in Eufy Cameras :

I think the general population is burning out on worrying about security. Mind numbing mandatory training at work, the plethora of insecure products that everyone has been convinced they ‘need’. I suspect many people just don’t care anymore.

December 9, 2022 7:31 AM

Clive Robinson on Friday Squid Blogging: Legend of the Indiana Oil-Pit Squid :

@ SpaceLifeForm, Winter,

Re : Five cents on the dollar.

So,

“ChatGPT can not do simple algebra from a word problem…”

Aside from that, the word problem as given is incorrect by usage of plural with singular “bats-ball” (should be “bat-ball” or “bats-balls”). So it can not be solved without an assumption…

It actually does not surprise me.

Google translate used to be famous for allegedly not knowing any languages as such, just how people used them in known contexts found from knowing a lot about the nouns from a dictionary. Thus it learnt not languages but common phrase usage in the languages and went all in on inference...

December 9, 2022 5:37 AM

Winter on Friday Squid Blogging: Legend of the Indiana Oil-Pit Squid :

@SLF

ChatGPT can not do simple algebra from a word problem, but it knows how to emulate a 32-bit X86 cpu.

ChatGPT extends texts. The question is what level of automata GPT is? [1] We do not think GPT and its ilk are Turing Complete. It seems clear that such large language models can master computer languages and CPUs (context-free grammar) [2].

But what else can they learn? Maybe the current training materials are not enough to teach them word problems? Or maybe, word problems require some higher level processing that they currently cannot deliver?...

December 9, 2022 5:30 AM

Jonathan Wilson on Leaked Signing Keys Are Being Used to Sign Malware :

Critical code signing keys like this should be stored in hardware signing modules that would prevent signing keys from being obtained by hackers, leaked by rogue employees or accidentally shared by people who don’t know any better.

December 9, 2022 4:25 AM

SpaceLifeForm on Friday Squid Blogging: Legend of the Indiana Oil-Pit Squid :

ChatGPT can not do simple algebra from a word problem, but it knows how to emulate a 32-bit X86 cpu.

Bizarre.

It got this simple word problem wrong.

The word problem was:

If a ball and a bat cost a total of $1.10, and the bats costs $1 more than the ball, what is the price of each?

(this was 6 days ago, so it may have learned by now. Yet, it still does not know that Elmo is running twitter as of a couple of days ago)...

December 9, 2022 4:16 AM

Winter on Friday Squid Blogging: Legend of the Indiana Oil-Pit Squid :

Meta needs explicit user consent to run personalized ads, EU watchdog rules
‘https://arstechnica.com/tech-policy/2022/12/meta-needs-explicit-user-consent-to-run-personalized-ads-eu-watchdog-rules/

Meta has already been coping with a slump in ad revenue this year, and now a decision from European Union privacy regulators threatens to reduce Meta’s ad revenue even more next year. According to Reuters, a person familiar with the matter said that the European Data Protection Board ruled Monday that Meta cannot continue targeting ads based on its own users’ online activity—like the Instagram reels they’ve viewed or Facebook profiles they’ve clicked. ...

December 8, 2022 8:25 PM

Clive Robinson on Friday Squid Blogging: Legend of the Indiana Oil-Pit Squid :

@ Bruce, ALL,

Re : Supply Chain Security.

A new form of supply chain security issue is coming up in the UK and it’s one that few realise unless they get into logistics of distribution.

The usual supply chain model is considered to be a “one way” line or chain from Manufacturer’s loading dock to Purchaser’s loading dock with variable nodes along it. Whilst not easily described by simple maths it is amenable to simplistic modeling when you reduce certain constraints such as temporal ones by having what are seen as “inefficiencies” such as “in chain buffering” storage (the fun of the “1-e^-1” or ~2/3rds rule evolution tends to work on...

December 8, 2022 7:39 PM

JonKnowsNothing on Friday Squid Blogging: Legend of the Indiana Oil-Pit Squid :

@MarkH

re: Cultural Food Choices are Cultural

Selecting your own food, preparation methods is not a sign of anything ODD.

  • re: prisoners and visitors (castles and prisons)

Where a leader keeps their opponents and/or visitors varies.

The US Government has a number of houses, parks, forts and vacation spots available, as does the UK and providing housing for diplomatic visits which is something the Diplomatic Services specialize in sorting out. Scheduling meetings is always a challenge...

December 8, 2022 6:17 PM

Ted on Leaked Signing Keys Are Being Used to Sign Malware :

@Doug

Any useful advice for those of us who are not security experts?

I am not an expert, but according to a Chainguard post users would have to sideload a malicious app to be affected. (Does this seem accurate to you?)

Also, only specific phone models were affected, though there’s not a public list yet. And OEMs can push over-the-air updates to rotate the keys.

Going up the supply chain, Zack Newman had some additional suggestions, including a transparency log for Android binaries...

December 8, 2022 4:20 PM

vas pup on Existential Risk and the Fermi Paradox :

@ALL and @Bruce in particular who is very interested in this subject

How to teach children about risk
https://www.bbc.com/future/article/20221101-how-to-teach-kids-to-make-great-choices

“When you’re in charge of a small child, even the most idyllic setting can turn into a danger zone.

In the first years, there is the risk of being hit by a car, falling into a pool or pond, or being bitten by a dog (most commonly, the family’s own). The potential perils change with the...

December 8, 2022 4:18 PM

MarkH on Friday Squid Blogging: Legend of the Indiana Oil-Pit Squid :

@JonKnowsNothing:

You know other guys who keep visitors under guard for two weeks? Ok, name one.

And no, it’s not cultural. I visited Russia many times.

The message I hoped to convey, is that Putin seems to take very great precautions to protect his personal survival.

This may, or might not, shed light on his willingness to create a situation which has some risk of escalating to nuclear devastation of his homeland...

December 8, 2022 4:11 PM

vas pup on The Decoupling Principle :

@YF • December 7, 2022 8:05 AM
Same in US.
Unfortunately, US in this case is not following good example of UK – see
@Sumadelet • December 8, 2022 7:00 AM. I.e.
Not having a single national identifier. The good idea is to have SS# as a seed and generate your own unique identifier through a hash process for each separate database. When you try to do an xref with different databases you should NOT have a single similar primary key to do that, but rather submit an official request, with a legal basis for having such data, get information (asap) from the unit having the data of interest, and get it. That will really enable decoupling...

December 8, 2022 3:44 PM

MarkH on Friday Squid Blogging: Legend of the Indiana Oil-Pit Squid :

@fib, pt 3:

I can think of several examples of “cult leaders” who did choose suicide when they knew they were trapped, and set out to take all of their followers with them.

But none of them were Putin’s age. Old men tend to think a lot about their legacies, and to go quietly when the time comes.

Remember, if he has a “this is it, I’m done for” moment, it will be because some part of his country’s own power structure is coming for him. Before they come for him, they’ll make sure the button is disconnected...

December 8, 2022 3:41 PM

Benito Bishop on The Decoupling Principle :

@ Sofakinbd,

Isn’t this the basis of Apple’s Private Relay?

Yeah, and that’s pretty similar to Tor, which appeared almost immediately after the Freedom Network died. Freedom, in turn, appeared around the time Paul Syverson’s onion-routing paper was published, and, if I recall correctly, was a pretty straightforward implementation thereof. But they did recognize the privacy problems relating to payment; see ...

December 8, 2022 3:35 PM

MarkH on Friday Squid Blogging: Legend of the Indiana Oil-Pit Squid :

@fib, pt 2:

None of that is reassuring, but those flaws don’t predict suicide, murder of his progeny, or destruction of his country.

Perhaps more to the point, he’s making lots of rational (not to say correct, or wise) decisions: trying to pressure his victim into surrender; piling on resources; working carefully to reassure the public by shows of social and governmental normalcy.

He ain’t lost it (yet)...

December 8, 2022 3:27 PM

MarkH on Friday Squid Blogging: Legend of the Indiana Oil-Pit Squid :

@fib:

Every person alive has irrational thoughts and actions in each day.

The imaginary “rational actor” is one of those academic constructs which is often more confusing than illuminating.

Obviously, there are serious questions about his psychological condition, especially the consequences of the really extreme isolation he’s imposed on himself.

His willingness to use extreme violence for convenience, without apparent difficulty or remorse, betrays a highly antisocial personality...

December 8, 2022 1:56 PM

Clive Robinson on Friday Squid Blogging: Legend of the Indiana Oil-Pit Squid :

@ fib, JonKnowsNothing, MarkH, Winter,

Re : our elucubration

“seem to have attracted bad traffic”

‘Aghh it be just noises off of stage left, like the gnawing of a rat trying to blunt its teeth’

Mind you what was said last time…

Something about a Trumping 400pounder sitting in the back bedroom in its dirtied scuds beating away at it whilst it still could… After all RSI is only workman’s comp claimable if it was “done on the job”… And I doubt it’s ever been on the job in any way...

December 8, 2022 1:24 PM

Jakob on Leaked Signing Keys Are Being Used to Sign Malware :

Do I understand it correctly that it is “only” the App signing key but not the firmware/secure boot signing key? In that case the affected vendors could just generate a new signing key and ship a firmware upgrade (possibly combined with the monthly security upgrade) to migrate to the new key.

December 8, 2022 1:22 PM

fib on Friday Squid Blogging: Legend of the Indiana Oil-Pit Squid :

@ Winter, Clive, MarkH, JonKnowsNothing

Yeah, the proverbial rat. That’s precisely my biggest worry:

But now t’rat is wounded potentially beyond recovery politically, he sees this as his “last chance corner”. So for “destiny”, or his claim on forever immortality, he’s going to go down “all in” if given the time to do so as for this,

Which is in irreconcilable opposition to MarkH’s...

December 8, 2022 11:56 AM

JonKnowsNothing on Friday Squid Blogging: Legend of the Indiana Oil-Pit Squid :

@MarkH, All

re:

Reportedly, whenever he travels he brings (a) his own food and (b) his own food preparation staff.

Reportedly, he has taken the most extravagant Covid precautions: face-to-face visitors must spend 2 weeks in guarded quarantine, and then pass through a corridor with UV lamps and some kind of antiseptic mist.

This is nothing particularly unusual, loads of people do this every day and whenever they travel...

December 8, 2022 11:30 AM

lurker on Leaked Signing Keys Are Being Used to Sign Malware :

@Andy,

[3] requires that they know when they are violated. Some are so big and complicated (eg. Samsung) it can take quite a while to (a) discover a breach, then (b) move the message to the right place to get action.

Some are so small they suffer the Alfred E. Neuman syndrome, “Wot, me compromised?”

December 8, 2022 10:32 AM

Andy on Leaked Signing Keys Are Being Used to Sign Malware :

Loss or compromise of private keys is as old as PKI infrastructure. And so is the solution:

  1. time-stamps: Code signatures are also co-signed by a trusted (!) time-stamping authority
  2. key revocation: This requires that public keys are checked against a cached list or preferably online (Android’s master?) which is expected to be up to date.
  3. liability: code signers should suffer some penalty if they don’t report in time that the key is compromised. After all, they were supposed to keep it safe...

December 8, 2022 10:03 AM

Winter on Friday Squid Blogging: Legend of the Indiana Oil-Pit Squid :

Why Apple stopped developing end-to-end iCloud encryption before.

Why encrypted backup is so important
Matthew Green in Apple
‘https://blog.cryptographyengineering.com/2022/12/07/apple-icloud-and-why-encrypted-backup-is-the-only-privacy-issue/

What actually happened is unclear, and Apple refuses to talk about it. But the outlines of what we do know tells a story that is somewhere between “meh” and “ugh“. Specifically, reporting from Reuters indicates that Apple came under pressure from government agencies: these agencies wished Apple to maintain the availability of cleartext backup data, since this is now an important law enforcement priority. Whatever the internal details, the result was not so much a retreat but a rout:...

December 8, 2022 8:56 AM

Clive Robinson on Leaked Signing Keys Are Being Used to Sign Malware :

@ Bruce,

“leaked or stolen”

Are not the only options…

There is also “Hanlon’s Razor”[1] of,

“Never attribute to malice that which is adequately explained by stupidity.”

There is also “Murphy’s Law”[2],

“The perversity of inanimate objects, or what can go wrong, will go wrong in the worst possible way at the worst possible time and place.”

Both of which predate the perversion that is “code signing”...

December 8, 2022 7:00 AM

Sumadelet on The Decoupling Principle :

As Clive Robinson points out, this is an old principle. It was followed in part in the UK with the separation of storage and processing of records between various arms of the state: the health service (NHS) used a different identifier to the tax authorities (Inland Revenue, then Her (now His) Majesty’s Revenue and Customs), who used a different identifier to the state pension and benefits authority (National Insurance, various state benefits, such as unemployment benefit), local councils have their own identifiers for people; and so on...

December 8, 2022 5:37 AM

MarkH on Friday Squid Blogging: Legend of the Indiana Oil-Pit Squid :

continued:

Reportedly, whenever he travels he brings (a) his own food and (b) his own food preparation staff.

Reportedly, he has taken the most extravagant Covid precautions: face-to-face visitors must spend 2 weeks in guarded quarantine, and then pass through a corridor with UV lamps and some kind of antiseptic mist.

Reportedly, there are multiple “doubles” whose role is to decoy potential assassins...

December 8, 2022 5:29 AM

MarkH on Friday Squid Blogging: Legend of the Indiana Oil-Pit Squid :

@fib, Winter, Clive:

Been thinking and reading about this a lot.

1) Nukes are unusable: there is no scenario in Ukraine (or in general, anywhere) in which the attacker can reasonably calculate they will be better off afterward.

2) Putler has children, grandchildren, and a young mistress. He’s obviously obsessed with history, looking much more at past than future. He has strong incentives to avoid calamity, and probably doesn’t want to be remembered as the leader who destroyed his country...

December 8, 2022 4:22 AM

Clive Robinson on Friday Squid Blogging: Legend of the Indiana Oil-Pit Squid :

Part 3a.

It should now be getting clear to even the most closed eyed in Europe and the West the lesson learned just short of a century ago is that,

“Appeasement never works”

That is he has no intention of ever being reasonable, and the last decade or so should have made that sufficiently obvious to all.

December 8, 2022 4:18 AM

Clive Robinson on Friday Squid Blogging: Legend of the Indiana Oil-Pit Squid :

Part 3b.

But now t’rat is wounded potentially beyond recovery politically, he sees this as his “last chance corner”. So for “destiny”, or his claim on forever immortality, he’s going to go down “all in” if given the time to do so.

Thus he is of the mentality where he would happily burn 99% of the world if he thinks the other 1% will carry his name forward in the future history books, like those of the dictators, and tyrants from thousands of years ago who are remembered in the history books of today...

December 8, 2022 3:51 AM

Clive Robinson on Friday Squid Blogging: Legend of the Indiana Oil-Pit Squid :

Part 5.

So at some point very soon someone is going to have to say “enough is enough”, load for bear and chase the rat into its hole to put it down once and for all for everyone’s sake.

The sooner they do it the better world security will be for all. Failure to do so just gives the rat time and by now most should realise what he will do with it if allowed.

And if you don’t realise, then as they used to say,...

December 8, 2022 3:47 AM

Clive Robinson on Friday Squid Blogging: Legend of the Indiana Oil-Pit Squid :

Part 4.

So the odds of the button not being pushed are low, very low, because,

1, He personally has little or nothing to lose.
2, He now has little else to throw into the conflict.
3, He sees that his clock is running out.

The second point is the one that should really be ringing alarm bells. We know they are that desperate they are taking warheads off of IRBMs etc and replacing them with concrete to make the world’s most expensive kinetic weapons. Because they have no ability to make more delivery systems (rockets)...

December 8, 2022 3:30 AM

Clive Robinson on Friday Squid Blogging: Legend of the Indiana Oil-Pit Squid :

@ fib, Winter,

Part 2

He might apparently be talking about nuking “Only Ukraine”, but which way do the prevailing winds go? Carrying hundreds if not thousands of years of radioactive poison into one of the largest agricultural regions of the world… Look up the history of Chernobyl, that was not even the equivalent of one nuke…

The food loss involved will set the whole world back decades economically at a minimum, and potentially kill about 1/7th of the world's current population long before their time in the next couple of decades or so...

December 8, 2022 3:04 AM

Clive Robinson on Friday Squid Blogging: Legend of the Indiana Oil-Pit Squid :

@ fib, Winter,

Part 1.

Re : The button of the panty poisoner.

“CNN reports a statement by … that seems to me to betray [or actually “telegraph” to the stakeholders] the intention to, in fact, use … weapons.”

The fact that he is only now talking about them tells you the unbalanced state his mind has got into. Put simply he has crossed over from reality…

Potentially it’s driven by failure after failure, humiliation after humiliation, all of his own making… And now it would appear he is suffering the equivalent of a “Cyber Civil War” that is removing his ability to drag non-Rus and other minorities to be more pointless cannon fodder in the mess...

December 8, 2022 2:29 AM

Clive Robinson on Friday Squid Blogging: Legend of the Indiana Oil-Pit Squid :

@ JonKnowsNothing, lurker, ALL,

Re : EDF being un-smart.

First to anyone in the UK,

!!DO NOT HAVE SMART METERS FITTED!!

It’s not just EDF working this overpayment scam, it’s Scottish Power and others as well.

Quite illegally and with deliberate intent they are committing FRAUD, and they not only know it, they have instituted it as “Policy”.

Look at it this way, on the notion that the family will save money, EDF had already stolen 1000GBP from their bank account. Something that EDF say they “might return someday”. But without interest or other compensation, so they are getting a free “overdraft” from that household...

December 8, 2022 1:14 AM

Winter on Friday Squid Blogging: Legend of the Indiana Oil-Pit Squid :

@fib

Am I reading too much into it [hope so]?

Russia is losing and Putin humiliated again and again.

This declaration is just another way to remind the world about the rat story [1]. He is threatening the world he will kill all Ukrainians one way or another.

[1] ‘https://www.gzeromedia.com/putin-ukraine-and-the-rat-story

December 7, 2022 9:57 PM

lurker on Friday Squid Blogging: Legend of the Indiana Oil-Pit Squid :

@JonKnowsNothing, @All

… they were already in credit by £1,000 because EDF had been taking bigger payments than the family’s usage, despite them having a smart meter.

Please $DEITY, why are they allowed to call it a “smart” meter, when it’s connected to a system that is so obviously intellectually bankrupt?

December 7, 2022 6:25 PM

Ted on The Decoupling Principle :

@lurker, All

Re: ‘INVISV Relay’ Android app

Would you consider reaching out to them to ask about those things? It looks like the app launched in its Beta version in September 2022. They add:

“However, as a Beta service, you may run into some issues and we’d love to hear about them at relay@invisv.com – please let us know what you think and any questions you have.”

https://invisv.com/relay/...

December 7, 2022 6:19 PM

fib on Friday Squid Blogging: Legend of the Indiana Oil-Pit Squid :

@ All

CNN reports a statement by Putin[0] that seems to me to betray [or actually “telegraph” to the stakeholders] the intention to, in fact, use nuclear weapons.

“But we are not going to brandish these weapons like a razor, running around the world. Of course, we proceed from the fact that it exists.This is a deterrent factor that does not provoke the expansion of conflicts, but a deterrent, and I hope everyone understands this,”...

December 7, 2022 5:35 PM

lurker on The Decoupling Principle :

@Ted, All

re INVISV, the de-coupling of user from the internet occurs by INVISV coupling to an upstream provider (Fastly), much like the Tor system. So if I was concerned I might like to know the locations of inlet and outlet nodes, and what precautions they took (if any) to avoid traffic routing through certain jurisdictions.

Anyhow that’s moot, since the link on their blog page took me straight to the Google store, where I am informed,...

December 7, 2022 5:25 PM

IMissClippy on CAPTCHA :

@Anonymous Driver

Exactly so. Our CAPTCHA responses are high stakes. Oops

@lurker

The answer is diversity

December 7, 2022 4:44 PM

Raphael Khoury on The Decoupling Principle :

I would argue that this principle is a re-statement (or a special case) of the principle of “Least Common Mechanism”, as stated by Saltzer and Schroeder in their seminal paper.

December 7, 2022 4:10 PM

Ted on The Decoupling Principle :

@Sofakinbd

Isn’t this the basis of Apple’s Private Relay?

I think you’re right on that. Follow along with me for a moment.

Two of the paper’s authors founded INVISV. From what I can tell it’s a company that provides privacy-friendly communication technologies. I might also mention the following comment on their ‘ABOUT US’ page:

INVISV is advised by security and privacy experts Bruce Schneier and Jon Callas. ...

December 7, 2022 3:21 PM

JonKnowsNothing on Friday Squid Blogging: Legend of the Indiana Oil-Pit Squid :

@Clive, All

re: Register Rolling Over

A few more incidents being reported of roll over counters causing the Y2K (btdt nothanks) type problems in standard billing and accounting applications. Some of this is because the inflated values, charges run into the millions, far beyond what has been seen in modern times.

In the current MSM report a family got billed £80,000 which was taken by direct debit from their bank account, causing an insufficient-funds trigger. They got hit for £75,000 more than their overdraft...

December 7, 2022 2:14 PM

iAPX on The Decoupling Principle :

On my last assignment, I was tasked to send the user email address, SHA-256 hashed, to the best known ad-network and search engine.

They call it “encrypted”; we all know that it isn’t, in any way.
I tried to push back but it didn’t work out.

Things are getting worse, and they try to hide their malevolence through “encryption” that is hashing in fact.
They pretend that PII (Personal Identifying Information) is safe when hashed...

December 7, 2022 1:41 PM

Alan Yoder on The Decoupling Principle :

As noted in previous comments, this principle has been around for quite a long time. It is the “previously not clearly articulated” assertion that gets one’s hair up.

That said, it seems pretty clear that whether or not it was well articulated, it has not been very well understood, especially in the last couple decades of rapid change. So I personally welcome seeing it revisited and re-articulated...

December 7, 2022 1:03 PM

Winter on CryWiper Data Wiper Targeting Russian Sites :

@Clive

Also that he buried four hundred or so Confucian scholars alive after torturing them, ostensibly for their backstabbing and badmouthing behaviours.

His state philosophy was legalism: Laws preempt everything else. Confucianism disagrees, and hence it was outlawed. All Confucian books were destroyed. Anyone found hiding books was buried alive.

The current works of Confucianism were largely reconstructed from memory...

December 7, 2022 12:47 PM

Sofakinbd on The Decoupling Principle :

Isn’t this the basis of Apple’s Private Relay?

How Private Relay works

Normally when you browse the web, information contained in your web traffic, such as your DNS records and IP address, can be seen by your network provider and the websites you visit. This information could be used to determine your identity and build a profile of your location and browsing history over time. iCloud Private Relay is designed to protect your privacy by ensuring that when you browse the web in Safari, no single party — not even Apple — can see both who you are and what sites you’re visiting...

December 7, 2022 12:25 PM

Clive Robinson on Friday Squid Blogging: Legend of the Indiana Oil-Pit Squid :

@ lurker, SpaceLifeForm,

A little competition, an original opener of,

There was a young lady from Devizes,
Who had legs of different sizes,

Now having been given aa you give bba.

I will give ba, where b is b…b

She became aware…upon the stair,
She was never going to win any prizes.

December 7, 2022 12:17 PM

Clive Robinson on Friday Squid Blogging: Legend of the Indiana Oil-Pit Squid :

@ lurker, SpaceLifeForm,

“Your so-called 4 line limericks…”

The problem is a form of “gentrification” in the Victorian and Edwardian periods.

Limericks have been around for a lot, lot longer than dictionaries.

They were one of the only forms of entertainment for the common man, as “plays” were controlled by either the Church or Monarch, in the former case by excommunication and the latter by licence, which if not obtained or breached could end up very, very unpleasantly...

December 7, 2022 11:29 AM

Clive Robinson on The Decoupling Principle :

@ Bruce,

This is an old principle practiced in governments to stop power building up in any one part of Government thus creating a threat.

It was unfortunately the work of IBM that enabled some governments to invert this idea.

With the use of “card tabulators” they could take census and similar data and “audit out” certain information quite rapidly with very few involved.

The results of the inversion of this idea in Europe from the early 1930s onwards turned out to be quite horrific...

December 7, 2022 11:20 AM

Clive Robinson on CryWiper Data Wiper Targeting Russian Sites :

@ Winter,

Re : First Emperor.

“When he then saw the official had changed it according to his remarks, the Emperor had everyone present that day killed.”

And so “The Fashion Police” were created[1]…

From memory he was dissatisfied with being called “King” so actually created the title of “Emperor”, so was not just “The first Emperor of China” but anywhere… Oh and the creator of the first man-made object that can be seen in space and from the moon we know as “The great wall of China”. Less well known is that his burial site at 20 square miles would also have been visible at those distances...

December 7, 2022 10:46 AM

lurker on Friday Squid Blogging: Legend of the Indiana Oil-Pit Squid :

@Clive Robinson

Your so-called 4-line limericks are aabba with lines 3 & 4 folded into one. Not oft, but always, according to the OED:

limerick /ˈlɪm(ə)rɪk /
▸ noun a humorous five-line poem with a rhyme scheme aabba

The rare exception gets called out as not a limerick. Now, could an AI work that out …

December 7, 2022 10:12 AM

Robin on The Decoupling Principle :

@Winter I am pretty sure that their site contravenes the GDPR but I hold out little hope of being able to get this through to the bureaucracy in the town hall. Having just downloaded the tickets the little bit of rancid cream on the cake is that they insist the two tickets (with their QR codes) are each printed on a sheet of white A4 paper.

But you’re right – I’ll try to avoid them in future.

...

December 7, 2022 10:04 AM

Winter on Friday Squid Blogging: Legend of the Indiana Oil-Pit Squid :

@Clive
Re The subpostmasters’ scandal is still alive!

Victims of IT scandal in UK postal service will get fresh compensation
Move follows award swallowed up by legal fees
‘https://www.theregister.com/2022/12/07/uk_gov_launches_new_compensation/

The saga began after the Post Office relied on evidence from its Fujitsu-made Horizon branch office management IT system when it privately prosecuted a large number of subpostmasters during the 2000s and early 2010s. While the system was known to throw up accounting errors, managers did not warn subpostmasters. ...

December 7, 2022 9:58 AM

Winter on The Decoupling Principle :

@Robin

But to do that I had to create an account and to do that it wanted name, DoB, phone number, about 20 opt-in/opt-out choices for newsletters etc, email address and the names of both people who are going to attend.

Sounds indeed excessive. I am afraid that unless there are laws against it, the only option is to vote with your feet/wallet.

December 7, 2022 9:15 AM

Robin on The Decoupling Principle :

@Winter: I wish the GDPR data-minimization requirements were more widely known and respected. It seems to be increasingly the case that even trivial transactions demand unnecessary information.

This morning I bought tickets for a local concert on Friday. A couple of guys in a room not much bigger than my sitting room; 6.50€ per seat so you can see it’s hardly Bruce Springsteen at Olympia. But to do that I had to create an account and to do that it wanted name, DoB, phone number, about 20 opt-in/opt-out choices for newsletters etc, email address and the names of both people who are going to attend. None of this was optional and since they claim that ID will be checked at the door, false names seem to be a no-no. They didn’t get a true DoB though; a tiny victory...

December 7, 2022 9:08 AM

Jordan Sherb on The Decoupling Principle :

I think it’s synonymous with the concept of “separation of concerns”.

December 7, 2022 8:31 AM

Winter on The Decoupling Principle :

This is just an elaboration of the data-minimization requirements in the GDPR. No institution should collect or store data it does not need. Also, data storage should have privacy protection built-in.

Without having had time to read the article, I see this as implementing the GDPR provisions.

December 7, 2022 8:26 AM

Winter on CryWiper Data Wiper Targeting Russian Sites :

@Clive

So will Putin go “Bunker Crazy” or “never sleep the same place twice”.

With so much blood at your hands, and so many living enemies, that is not unlikely.

I would be surprised if there are not half a dozen doubles to be his decoys. Stalin, Saddam, and Castro had them, Kim Jong-un has them. Putin will surely have them.

It is not exceptional for tyrants to become bunker crazy.

The first Emperor of China was very secretive about which palace he was staying at at any one time. The story goes that he once looked out of the window at an arriving official and made a remark about his attire. When he then saw the official had changed it according to his remarks, the Emperor had everyone present that day killed...
