Schneier on Security

@Clive Robinson

entirely passive system to desalinate water at low cost

‘https://news.mit.edu/2023/desalination-system-could-produce-freshwater-cheaper-0927

–

“Fibres were first spun into a tight thread. Four of these threads were then twisted together to create strings, which experiments showed could draw water higher up.”

‘https://www.chemistryworld.com/news/strings-that-draw-up-brine-could-help-supply-the-world-with-lithium/4018121.article...

buffer overflow ld.so (updates available)

Full root access on popular platforms (Fedora, Ubuntu, and Debian).

“This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.”

‘https://blog.qualys.com/vulnerabilities-threat-research/2023/10/03/cve-2023-4911-looney-tunables-local-privilege-escalation-in-the-glibcs-ld-so...

China is a deep state.

“political-ideological construct”

‘https://www.csis.org/analysis/ideological-security-national-security

Russia is headed in the same direction as China. The U.S. is not a deep state.

–

The Marine Corps is, for the first time in more than 100 years, without a permanent leader.

“These vacancies place unnecessary uncertainty on critical national security roles and send troubling signals to U.S. allies and adversaries; they undermine command authority at senior levels, making it more difficult for our military leaders to lead effectively.”...

@vas pup

’Deep state’ aka unelected bureaucracy with huge unchecked power

That seems to be a popular American myth.

The myth tells us there is some hidden power who is to blame for all the failings of people’s lives. In Europe the corresponding root of all evil is “Brussels”, in Russia it is “America/the World”.

But the reason the US have more lawyers than engineers versus China and any other[sic] EU country...

Mr Peed Off, ALL,

Re : Security importance of potable water.

“Lack of freshwater could be a security issue for some.”

It’s actually quite a bit more complicated…

There is a very good reason why we drink “Potable Water”(PW) rather than “Distilled Fresh Water”(DFW) and that is a whole bunch of minerals. Without which we would first become ill, then chronically sick, then die…

Some of the minerals can not relistically be ingested other than in the water we drink...

The NSA’s main role in my defense-contractor career is setting standards and imposing them via other agencies. Some of these standards are good and some, less so.

Basically, in the little world I have to live in, FIPS 140 is mandatory, NIST SP800 is the Bible, ECDSA and 3DES are trusted, AES is unassailable, and ED25519 is untrusted. I’m not even getting into the “TACLANE is the only trusted crypto hardware technology” crowd...

@ glenn f., ALL,

Part 4,

In effect so the machine designer’s forces use only “strong keys” and by issuing maps and other documents such that they are “Changed as daily codes” the common “probable plaintext” is removed.

This further makes use of the field cipher machine appear stronger than it realy is… So the more likely it is that others will adopt the designs for their own use. Something we knew certainly happened after WWII and well into the 1980’s...

@ glenn f., ALL,

Part 3,

All the system designers had to do, to protect their own sides use of the machine is,

1, Centrally issue keys,
2, Issue codes for certain comman use plaintext.

@ glenn f., ALL,

Part 2,

[1] If you design a mechanical cipher system that is going to be used it’s very much a certainty it’s design,

“Will become known to all”

So designing it to have all strong keys would be “making a rod for your own back”. So you design it to have just a small percentage of strong keys (say less than 20%) and a similar percentage of very weak keys. The result a user who does not know which keys are strong and which are weak will end up using sufficient numbers of weak keys, that can be quickly broken and reveal what is highly probable “plaintext” that alows the breaking of strong keys much more quickly...

@ glenn f., ALL,

This has got needlessly hit by auto-mod so is being partitioned.

Part 1,

Re : Tha NSA – NIST relationship.

“Daniel J. Bernstein published a blog post today: The inability to count correctly: Debunking NIST’s calculation of the Kyber-512 security level.”

I’m glad Daniel J. Bernstein has the guts to go after the NSA as well as the standing in the Open and Academic and Crypto Communities to be taken seriously...

Lack of freshwater could be a security issue for some.

https://www.sciencedirect.com/science/article/pii/S2542435123003604

Breakthrough in Landmine Detection: Enzymit-Enabled TNT Biosensor Developed in Collaboration with Hebrew University
https://www.biospace.com/article/releases/breakthrough-in-landmine-detection-enzymit-enabled-tnt-biosensor-developed-in-collaboration-with-hebrew-university/

“New Peer-Reviewed Study Shows Efficacy of Protein-Based Biosensor to Detect Unexploded Ordnance Using AI and Deep Learning Algorithms...

Daniel J. Bernstein published a blog post today: The inability to count correctly: Debunking NIST’s calculation of the Kyber-512 security level. The same page briefly mentions two lawsuits by Bernstein against NIST, for “stonewall[ing Freedom of Information Act requests], in violation of the law”, one of which “has been gradually revealing secret NIST documents, shedding some light on what was actually going on behind the scenes, including much heavier NSA involvement than indicated by NIST’s public narrative.” There’s a separate page to ...

@Clive said “The problem is that like most US Gov regulation and legislation it’s been scatter shotted all over the place, thus finding out what rules apply to you can be difficult.”

That is why:
1.US have more lawyers than engineers versus China and any other EU country.

2.’Deep state’ aka unelected bureaucracy with huge unchecked power could create ‘case’ against anybody who they or their bosses just don’t like...

Give me a break. The real criminals are those operating the Gas Pumps (proprietaries). Most of countries there is a rounding error being introduced in price per liter, that is basically a tax evasion. Besides that con tactic when prices go up that reflects immediately on stocked material, previously purchased at a lower price. I would say Hack the Planet and Hack a Gas pump.

Yes, likely the BT connection was used to “update” the pumps, so they no longer needed to have a conduit from each pump to the payment centre, and could use an off the shelf PC with a BT dongle in it, to emulate all the serial ports needed, instead of needing to use a multidrop RS 232 card, which originally used an ISA bus, and later on PCI, while cheap motherboards no longer provide PCI bus sockets. So you need to spend a few dollars more to get a more upmarket motherboard. No $100 PC you bought from anywhere, but now you need a $200 name brand PC. Plus a $100 card as well...

@Clive and I were brought up on Radio/Wireless. Many RS232/serial bus designers would not have in front of their minds the basic fact we know: All your signals are visible to us. Even though the product is valuable and becoming more so, pumping gas remains a low margin business. So pump control systems are bought from the lowest bidder, and the spec writers (if any) are also blind to wireless promiscuity...

There was another scam to do with pumping fuel reported fairly widely in last few weeks, this one low tech. When you are almost finished filling ‘er up, the scammer approaches you and offers to hang up the pump for you, so you can save a couple of seconds of your life. He then doesn’t replace the pump, but offers to fill up the next person’s tank for $10-20, then the next, and the next, all without replacing the pump. All of the fuel pumped goes into one transaction, on your credit card...

This is a stupid way to steal. The reward versus risk is terrible.
You’d better be filling up a vehicle that doesn’t have a visible license plate that can be associated with you.
This method also competes with just pumping gas out of the tanks in the ground. At least in times past, those weren’t secured.

Peter A
@Joe D: the article says the clerks could clearly see that gas is being dispensed without paymen

Not all stations are manned to that degree at all times of the day. Although I was thinking more of an issue in Europe where there are more self-service stations.

But it is theft nevertheless.

@ bennie s, ALL,

Re : For retail use can not be secure by default.

“If we ever actually find an example like that.”

We won’t for the simple reason such systems such ad e-POS terminals/devices,need to be as inexpensively made as possible.

But also consider there are “Hardware Security Modules”(HSMs) that have cost tens of thousands and supposadly tested against various standards, that are later found to be easily susceptible to often quite simple attacks…...

@ ALL,

Re : FCC enforcment actions.

As some of you might be aware for getting on for a decade and a half the US FCC has not realy been enforcing the rules for CB, FMRS, GMRS, Ham Radio, and even PMR.

Well apparently that has changed and they are now handing out $25,000 fines confiscation of equipment etc.

Some things they are going after appear strange, and not just people doing realy stupid things (like jamming other users)...

The linked story is… not well-written, to say the least. They call this a “scam”, when it’s nothing of the sort (merely theft based on a security exploit; no person was tricked). It also says “Paying at the pump is for chumps – when you can get gas for free – and illegal”—no, paying at the pump is not illegal in Michigan. The use of the term “guys” seems much too informal for news reporting, when not quoting a person (or referencing an earlier quote). The use of en-dashes and hyphen-minus where an em-dash would be called for. Quoting a person as speaking a decimal price (possible, but almost unheard of). Including a trailing space in the link for the author’s name…...

@Anonymous

“La fuite an avant” translates to: the escape into the future.

It is more the flight ahead or the flight forward (as in “into the battle”).

Which, as far as AI is concerned, means the same.

@Joe D: the article says the clerks could clearly see that gas is being dispensed without payment and they could not stop the pump from the console save by cutting power (aka emergency stop) This is open theft in broad daylight, not low profile.

I just wonder: if it is possible to hack the pump to start dispensing without payment, it’s probably possible to hack the dispensed volume and payment amount. Half-price gas may not seem as attractive as free gas, but it’ll be much less detectable – probably only after fuel truck arrives and total amount is checked, and you still don’t know how that gas ‘leaked’...

What other aspects of the dispensing unit are hackable this way ?

“La fuite an avant” translates to: the escape into the future.
So far, I was not able to find a better description for Artificial Intelligence

It’s a complicated crime to monetize, though.

Unless your goal is free gas for yourself. If you keep a low profile, you could probably get away with it for a while.

@ Bruce, ALL,

“Turns out pumps at gas stations are controlled via Bluetooth, and that the connections are insecure.”

I suspect it’s not all pumps at gas stations, but “Bluetooth” is in effect an Open Use Standard with many low cost chip sets, or microcontroller based “System On a Chip”(SoC) components that are in the “less than pocket change” price range that contain Bluetooth as a “freebie”.

I suspect that the designers of these forecourt pump systems are looking for little more than the old equivalent of an “RS232 Serial link”, and the code to support that is across USB / WiFi / Bluetooth and others like Zigbee are “easily available”...

@ ALL,

Re : ARM CVE-2023-4211

Not been able to find actual details currently other than,

“A local non-privileged user can make improper GPU memory processing operations to gain access to already freed memory”

Which is not exactly helpfull…

But apparently found by Google in ARM mali GPU driver.

https://www.bleepingcomputer.com/news/security/arm-warns-of-mali-gpu-flaws-likely-exploited-in-targeted-attacks/...

Is this something new, or, as previously reported, pumps are modified with a BT module?

@ Faxes,

“… how does this relate to the challenges of future connections?”

I’m not sure I understand what it is you are trying to ask.

Do you want to amplify on what it is you are asking?

@ Bruce, ALL,

Re : AI and embeded distinquishers by DRM style watermarking.

Some are aware that “The Big Boys” who have thrown billions so far at AI ML that is “Stochastic Parrot” style “Large Language Models”(LLMs) and similar are suggesting “Digital Watermarking”(DW) as a way to quiet politicians jitters on a whole manner of issues.

Well some researchers currentlt say in effect the idea of wayermarking will fail for various reasons,...

@ knovus, ALL,

“NSA OBVIOUSLY would be interested in AI”

But probably not all AI which leaves the rather interesting question of what sort of AI and why…

The military would not be that interested in LLMs, but would other types of ML system especially rapidly adaptive ML systems with minimal nodes. In theory such that they act as side kicks or wingmen to actual humans. Over the weekend before last Perun covered part of this,...

I understand that faxes over modern GSM or equivalent 5g+ may not be up to the proven standards of 2400 baud. But, let’s say that bidirectional communication is easy enough in the present – how does this relate to the challenges of future connections?

@ResearcherZero

Re DoD IPv4

Interesting information. You’re always bringing some nice aggregation of important topics. I appreciate that. Thanks for your effort.

Australian Broadcasting Commission, (ABC) news editorial

interviews with human sources in organised crime and undercover agents.
the theme of the piece is that sources get abandoned after their work and
left to fend for themselves. A comment by a professional is that US is 20 years behind in Australia in handling human sources. It’s a harrowing read.

https://www.abc.net.au/news/2023-10-02/undercover-organised-crime-informant-australian-law-enforcement/102767496...

@ Bruce, ALL,

Re : PhD designs drone for ISIS

I don’t know if you’ve heard about this,

https://www.theguardian.com/uk-news/2023/sep/28/birmingham-phd-student-mohamad-al-bared-guilty-using-3d-printer-to-build-kamikaze-drone

I don’t,know what “engineering research” he was doing for his PhD… But a look at the photographs put up by the authorities / MSM rather suggest it was not involving aeronautics…...

Yawn

… so NSA is somehow ‘studying’ AI — a vague useless factoid

NSA OBVIOUSLY would be interested in AI

@ResearcherZero
“To protect your business, you must know the location of every certificate in use and be able to replace any of them instantly.”

Debian-Linux uses certificates shipped by Mozilla, placed in a folder named mozilla, and disclaims responsibility for their reliability. mod-bot rejected a detailed explanation…

A large part of the issue is one of repeatability and transparent evaluation of detectors in the face of changing models and changing detectors. I have been working to at least compare detectors as part of the evaluation of my own (open-source) detector [1], and there is a lot of nuance in how the evaluations are performed that can drastically change performance. That said, this detector [2] scores very highly, though is incredibly slow...

Great old tape deck from japan.

I wonder if much of U.S. industry, national labs, or academia have responded positively towards this announcement or if this is more aspirational such as the public/private employee exchange they’ve been talking of for years.

AI has tremendous surveillance potential. I would hope private industry, national labs, and academia would be wary of working too closely with the NSA on the field.

“Because coffee has to be hot, has to be strong. I nearly want a heart attack and I want my tongue burned. Not really, but I want the possibility.” – Carsten Busch

On Rosh Hashanah it is inscribed
And on Yom Kippur it is sealed
How many shall die and how many shall be born
Who shall live and who shall die
Who at the measure of days and who before
Who by fire and who by water
Who by the sword and who by wild beasts...

@Clive Robinson, ALL,

outage – CNE 😉

–

Home affairs boss tried to stifle press freedom (his encrypted messages)

“Home Affairs secretary Michael Pezzullo used WhatsApp messages to try to reshape governments.”

The public servant in charge of Australia’s internal security lobbied hard for the power to censor the media’s reporting of national security issues after the Australian Federal Police controversially raided three Australian journalists over their reporting...

My previous comemnt was
@idk

Legit what’s wrong with the xkcd method

I do not know what to say but to wish him strength.

RMS Says He Has Lymphoma
https://fossforce.com/2023/09/rmss-cancer-linuxs-shrinking-support-googs-privacy-sandbox-naming-opensuse-and-more/

When GNU and Free Software Foundation founder Richard Stallman showed up at the GNU Hacker’s Meeting in Biel, Switzerland on Wednesday as part of GNU’s ongoing celebration of its 40th birthday, he was noticeably without his trademark long hair and beard. We learned about two minutes into a talk he gave at the event, that’s because he’s currently battling cancer. ...

Theater Undersea Surveillance Command

‘https://www.reuters.com/investigates/special-report/usa-china-tech-surveillance/

–

“They are now announcing more address space than anything ever in the history of the Internet.”

…messages began to arrive telling network administrators that IP addresses assigned to the Pentagon but long dormant could now accept traffic — but it should be routed to Global Resource Systems...

@legit

Legit what’s wrong with the xkcd method

As @Clive lists.

To simplify the argument.

The xkcd method let’s you choose a number of words, eg, 4, from a list of, say, 1000 words. Although you might end up with a long password in number of characters, it is still only a list of 4 symbols. Each symbol corresponds to just 10 bits of entropy. So, a 4 word password has 40 bits of entropy. That is equivalent to the strongest 7 character password you can create. No one would advice you to use a 7 character password...

@ ResearcherZero, ALL,

“Google plans to reduce the lifespan of SSL/TLS certificates.”

If this “down to nine months or less” happens, there will be a lot of unhappy people and an immense amount of “E-economy loss” which is one of the few things keeping the US economy floating…

Thus the “To Big to Fail” question is bound to pop up “in the halls of power” in much of the Western World where the E-economy is considered important...

@ idk,

“Legit what’s wrong with the xkcd method”

Mainly three things,

1, Low entropy density
2, Humans mung the output
3, Systems won’t use long strings correctly.

The XKCD method has an “alphabet” of say a thousand words made from the common human spoken English words.

If you consider the entropy on a character by character basis you will see the entropy is very small, and smaller still on a bit by bit basis of say ASCII...

Google plans to reduce the lifespan of SSL/TLS certificates.

‘https://www.helpnetsecurity.com/2023/09/28/certificate-automation-challenges/

–

“The certificate, originally spawned by Symantec, was scheduled to be banished years ago.”

The removed credential is known as a root certificate, meaning it anchors the trust of hundreds or thousands of intermediate and individual certificates downstream...

And that leads to this…

“Cut cables are sometimes pulled away from their marked location as well.”

‘https://www.telegraph.co.uk/business/2023/09/30/secret-subsea-battle-russia-internet-cables-putin/

The sovereign internet law helps to build upon the idea of the RuNet, a Russian internet that can be disconnected from the rest of the world.
https://www.wired.com/story/russia-internet-censorship-splinternet/...

In-Q-Tel, was its first outside investor, and until 2010, its only customers were in intelligence, law enforcement, and defense.

Intelligence and national security agencies use its tools to flag suspicious activities. Palantir’s “forward-deployed engineers” essentially operated as a mobile sales force, customizing the software to the needs of each client.

‘https://www.palantir.com/_ptwp_live_ect0/wp-content/uploads/2012/06/ImpactStudy_USMC.pdf...

‘https://www.bloomberg.com/news/articles/2023-09-27/palantir-wins-250-million-ai-deal-with-us-defense-department

“The largest database of hashes in the world”

‘https://safer.io/about/

CASM detection

Silicon Valley’s biggest companies have partnered with a single organization to fight sex trafficking — one that maintains a data collection pipeline, is partnered with Palantir, and helps law enforcement profile and track sex workers without their consent. The concern here is that Thorn and its partners like Polaris Project are working closely with companies like Palantir to nonconsensually track sex workers and everyone they come in contact with...

@Clive

That includes a lot of stuff:

“FIPS certification for cryptographic modules doesn’t require robust testing of side-channel protections. Only on Level 4 certification are protections against side-channel attacks mandatory. You’re just as much at risk if your site’s certificate or key is used anywhere else on a server that does support RSA.”

‘https://people.redhat.com/~hkario/marvin/

“They would have plenty of space with five zettabytes to store at least something on the order of 100 years worth of the worldwide communications, phones and emails and stuff like that. And then have plenty of space left over to do any kind of parallel processing to try to break codes.” – William Binney

‘http://www.bluffdale.com/Planning/Planning%20Commission%20Minutes/2011/PC%2002-15-2011.pdf

@Clive Robinson

RSA Prime Factorization on IBM Qiskit

‘https://www.researchgate.net/publication/371479752_RSA_Prime_Factorization_on_IBM_Qiskit

@ SpaceLifeForm, ALL,

Re : A quater cetury old side channel, or who needs to wait for QC for Asymmetric and other Crypto Cracking at arms length.

This might amuse,

https://people.redhat.com/~hkario/marvin/

Note,

“In 1998, Daniel Bleichenbacher discovered that the error messages given by SSL servers for errors in the PKCS #1 v1.5 padding allowed an adaptive-chosen ciphertext attack; this attack fully breaks the confidentiality of TLS when used with RSA encryption.”...

Legit what’s wrong with the xkcd method

@ ResearcherZero, ALL,

“Don’t forget to password-protect the instance after maintenance.”

Or your “LastPass” or other On-Line Password-Safe account[1]…

It appears eight character passwords were protecting crypto-coin “seed phrases” to wallets worth 3million or more…

As they used to say “Read all about it”, in an article entitled,

“LastPass: ‘Horse Gone Barn Bolted’ is Strong Password”

On the Krebs on Security website,...

@anon:

Are LLMs just a precursor to Douglas Adams’ “Reason” program described in Dirk Gently’s Holistic Detective Agency.

No.

They’re more like “your plastic pal who’s fun to be with” and their purveyors are “a bunch of mindless jerks who’ll be the first against the wall when the revolution comes.”

Anyone interested in taking over the post of Robotics Correspondent?

Are LLMs just a precursor to Douglas Adams’ “Reason” program described in Dirk Gently’s Holistic Detective Agency.

Fresh link, old is broken https://www.cnet.com/news/privacy/microsoft-security-guru-jot-down-your-passwords

Don’t forget to password-protect the instance after maintenance.

login pairs (~3.8 billion)

‘https://cybernews.com/security/darkbeam-data-leak/

“insufficient validation of attributes in the Group Domain of Interpretation (GDOI) and G-IKEv2 protocols of the GET VPN feature”

Execute arbitrary code and gain full control of the affected system.

‘https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-getvpn-rce-g8qR68sx

–

‘https://starlabs.sg/blog/2023/09-sharepoint-pre-auth-rce-chain/

‘https://www.youtube.com/watch?v=x0DPpVh8fO4...

Procera decsribes how it helps governments implement “regulatory requirements”

‘https://www.proceranetworks.com/hubfs/Resource%20Downloads/Solutions%20Briefs/Procera_SB_Regulatory%20URL%20Filtering.pdf

“ISPs in two (unnamed) countries were likely injecting FinFisher spyware into targeted users’ Internet connections when the users tried to download popular Windows applications.”

The injection was implemented using HTTP redirects matching...

whois?

‘https://www.france24.com/en/technology/20230930-counterfeit-people-the-dangers-posed-by-meta-s-ai-celebrity-lookalike-chatbots

–

The defendant must show that a computer was not operating correctly.

“If the presumption is unrealistic in and of itself, or if rebuttal is unrealistic, then the presumption converts from being something that assists the course of justice to something that causes miscarriages of justice.”...

@BobInOK, All

re: HAIL = Hallucinating Artificial Intelligence Large Language Model

aka: Lie, Deceit, False, Incorrect, Error, Misstatement, Wrong, Fake, Deep Fake, Deeper Fake…

Applied to words, statements, paragraphs, pages, books, audio, video etc. generated by AI programs.

A common output or result from queries to all AI Models.

re: HAIL Storm = HAIL resulting from recycled data fed into a repeating vortex of inputs and outputs; with or without an defined exit point; an infinite loop of GIGO. ...

@JonKnowsNothing

Jon, can you remind what HAIL stands for or is? I read this site an awful lot, probably too much (but not enough to avoid missing squid discussion posts), but for the life of me I can’t find a description of the term. Between my less-than-great google-fu and search results degrading over time, google thinks you must be talking about dent repair after a nasty thunderstorm.

If you watch something online that, although it comes from a reputable source, you are 90% sure is something that Pegasus or a bad VPN ginned up, where or to whom do you go?

No comments on the zero-day Exim vulnerability?!
https://www.zerodayinitiative.com/advisories/ZDI-23-1469/
Most people have never heard of Exim but probably use it every day. It’s by far the most widely-used mail-transfer agent.

US-China ‘tech war’: AI sparks first battle in Middle East
https://www.dw.com/en/in-the-us-china-tech-war-ai-sparks-first-battle-in-the-middle-east/a-66968886

“The US has restricted exports of some computer chips going into the Middle East. It’s meant to stop AI-enabling chips from getting to China. But there’s no information on which countries or how chips would get to China.”

Read the whole article for more details...

@klasp If information you provided is true,
private business is current Big Brother on steroids violating privacy for their own undisclosed purposes and ready to share with traditional Big Brother (gov) without court oversight.

The problem with Signal’s position is it basically abandons the people of the UK. They have done some work in implementing anti-censorship to help people in oppressive regimes to still access the service, but even GETTING the app in those places is tough due to centralized app stores.

Signal has to get over this whole system architecture of requiring a phone as the master on the account; it makes it incredibly difficult for people in China, the UK, or wherever to get on the service...

I mess around occasionally open 3D engine.

https://o3de.org/

It is an open source alternative to Unity, Unreal, and Godot.

Several thought provoking articles in MSM about the impacts of tech, or rather perhaps, the unintended impacts of tech, and it’s close twin HAIL.

There were several articles about vandalism, stalking, swatting-as-a-prank that may stem from some direct reason but certainly not improved by tech reasons.

MSM HAIL Warning

• A prankster-stalker followed a delivery person, then approached closely, aggressively, stuck a mobile device in the delivery person’s face, continued to follow aggressively. The driver asked him to back off and when the prankster didn’t, the driver shot him...

https://www.theregister.com/2023/09/27/unity_install_fee_tycoon/
1-0 for the devs lol

DM

@Clive

Many will tell you that US Courts side with US Corps, and the figures they quote tends to support that view. Hence your point of,

The US uses patents as a global tax on doing business. If you do business in the US, you will have to pay patent license fees to your US competitors for using your own inventions.

The Freedom to Innovate: A Privilege or a Right?
‘https://www.ncbi.nlm.nih.gov/pmc/articles/PMC1913731/...

@WTH
Out of the blue, Unity introduced a per-install Runtime Fee. Yes, you read that right, per-install. So, for example, a bad actor could “install bomb” (similar to “review bomb”) a game they didn’t like, causing the developer to owe Unity so much money that it bankrupts them. One of the red flags I saw was the claim that Unity was going to use their own proprietary data model to track installs and adapt their current fraud detection practices to prevent pirated copies from being counted...

@SpaceLifeForm

re: Feature or Bug?

No, Marketing.

From one MSM report: it’s the upgrade keys used by older versions to get the next OS level for free.

Not the only company to ditch older systems.

Firefox has ended support for Win7 legacy systems, primarily used by Grams and Gramps, who don’t have the funds to buy the latest in leaking gear.

Funny today I learned an older fact. That iPhone with the face ID takes a hidden picture of your face every 5 seconds. The supposed explanation (excuse) for that is that it is a feature that is part of some attention awareness feature.

But in real terms there is no actual need for an attention awareness feature to take a photo of your face every 5 seconds. That is simply BS.

@Bernie
What is the Unity game engine situation about?

Anyway Godot is gaining more and more market share so there are interesting developments in that area.

The combination of encryption and error-correction doesn’t seem like something that would work well with existing workflows. We need something that works with TCP/IP (which gives us an already-error-corrected stream) and TLS (which does encryption and signing on top); and DNSSEC, DKIM, and various other protocols. A “sensibley designed communications system” that combines these layers is a non-starter. We can’t even get people to switch from IPv4 to IPv6, despite it existing for 27 years and us being out of IPv4 addresses for the last 12. And IPv6 was intentionally designed with the same layering model as IPv4—no real changes to TCP or UDP, nor any cleanup of the BSD sockets API—to ensure it would be an easy switch...

Feature or Bug?

I do not care either way.

‘https://www.neowin.net/news/you-can-no-longer-activate-new-windows-11-builds-with-windows-7-or-8-keys/

Has there been any discussion (by Bruce or commenters) related to the Unity game engine situation? Because of what I’ve learned on this blog, I saw some red flags that made me wonder if the topic would make an appearance here. Plus there are some topics (eg, trust) involved that Bruce talks about.

@ Winter,

“Look up the Neem tree patent.”

Well atleast that was won and the EPO patent was struck down.

In the US you see the same sort of nonsense with the FDA and traditional medicines such as colchacine…

But also look into US courts decisions. A patent obtained in the US by a UK company for Liquid Crystals was challenged and thrown out in it’s entirety because the court arbitarily decided it was too broad…...

@ Maureen Monroe, ALL,

Re : McEliece Key size.

“Although Classic McEliece is widely regarded as secure, NIST does not anticipate it being widely used due to its large public key size [around 1 megabyte]. NIST may choose to standardize Classic McEliece at the end of the fourth round.”

They neglected to mention why the alleged key size is large, but when used in a sensibley designed communications system would not actually be of any real note...

My issue with the whole thing is that Apple, Samsung and likely others are collecting each and every BT ID they see, and transmitting the location and time it was seen to their servers.
If my wife is jogging down the canal, and her earbuds pass by one of those devices, that’s recorded.

And people say, “well, it’s secured and Apple is trustworthy”. As true as that may be, what happens when the data is leaked? @BAM# people instantly know what Bluetooth equipment I have, including my car, and also a tidy little schedule of when and where I am at any given date...

@Clive

If you don’t get a lawyer and don’t access patents in anyway, then you can plead that you thought it was “open knowledge” as you got the idea in part from a book or magazine. Thus push the “prior knowledge” aspect.

I would not hold your breath about the use of “prior knowledge”.

Look up the Neem tree patent. Having been described 2000 years ago in holy scriptures, the Veda’s was not considered “prior knowledge”. This knowledge was widely used in India, which was also not considered “prior knowledge”...

@ Winter,

Re : Getting a lawyer…

“However, the US patent situation is such a mess with patent trolls, patent thickets, and repatenting small variations that even an expired patent can still be a problem.”

You forgot the other issue of importance…

If you don’t get a lawyer and don’t access patents in anyway, then you can plead that you thought it was “open knowledge” as you got the idea in part from a book or magazine. Thus push the “prior knowledge” aspect...

@Wow:

“I swear sometimes I feel like the smartest people are the dumbest.”

And what exactly are you trying to say with,

“I can’t believe how many people dom’t understand crypto and feel the need to give their opinion.”

Or are we to assume you are one of the ‘smartest people’ you refer to?

@ Clive Robinson,

Sadly Robert McEliece’s system from the 1970’s never gained favour with the open cryptographic community. Even now when it’s known to have “Quantum Computing”(QC) algorithm resistance it’s still more or less shuned for mostly spurious reasons

It gained enough favour to be entered into NIST’s post-quantum cryptography standardisation process. I had some trouble finding out why they ultimately rejected it—they apparently never mentioned it in any formal report. The answer is in ...

I can’t believe how many people dom’t understand crypto and feel the need to give their opinion. This is the same as complaining that knives are dangerous and stupid because murderers use knives…..

I swear sometimes I feel like the smartest people are the dumbest.

@ RobertT,

“If I was really trying to hide something I’d probably use a combination of the above.”

Those are what I would call “low level in the stack” attacks as they are right down on the “physical device” physics. And you would have to do it on a device by device basis as part of the design, or modify the design tools to somehow know where to build in the fault, which would not be that easy...

@CliveR
What’s the famous Benjamin Franklin quote
“The only way that three people can keep a secret is if two of them are dead”
there’s a lot of wisdom in these words and they also give us direction visavis, how to implement functionality that should remain secret.

If you wanted to backdoor something like a chip it seems to me that also you’d want to keep the fact that it was backdoored secret, even from other engineers with full access to the entire chip database. If nothing else it’s plausable deniability...

@ RobertT,

“How would you ever get away with hiding backdoors on a chip?”

Depends on what you mean by “back-door”.

The allegation is apparebtly that “the standard was back-doored” like the Dual EC-DRBG that the NSA pushed into a NIST standard.

We know for a fact that ETSI had regularly issued under NDA “oh so secret” crypto algorithms for over thirty years under direct “French influance” and design. To be used in Cordless and Mobile Phones, Private Mobile Radio”(PMR) and other commercial communications systems. Especially anything that might be used “internationally” (look up A5/1 abd A5/2 as a starting point)...

Re Cavium
Semiconductor Chips being backdoored during the design phase, hmmm that seems unlikely, I mean, how would you even go about it?
Wouldn’t every junior engineer that even glanced at the code/database see the intentional vulnerabilities?
How would you ever get away with hiding backdoors on a chip?
What would you do with such a backdoor if it existed? I mean the code still has to run correctly, so what’s the point of the “backdooring” at the chip level?...

@ Sean, Josh Z. Tillman, ALL,

“Well SRAM will retain state for a long time as voltage decays, and can generally also be persuaded to hold it using cryogenic freezing, then cutting the power pins, and moving to a new board to read it.”

Actually from experience I know you don’t need to remove the chip or even cut the power lines…

The easiest way is to activate the “HLT” or “RST” line on the CPU and the chip select pin on the SRAM chip most of which back in the old DIP days could be done with “chip-clips” used to do hardware debugging...

Protecting the RAM of live or recently-live systems, as in hardware security modules or everyday smart cards, is certainly an interesting challenge. It’s probably overkill for the use case I was considering, though, which was making sure that files deleted hours or days ago (such as old Signal chat logs) are not still available in the “garbage data” of a filesystem, readable by anyone with the encryption key—the single encryption key protecting the whole block device, which one could be legally compelled to provide...