Schneier on Security

Clive Robinson • April 20, 2019 4:19 AM

Was Julian Assange subject to mind games by the Ecuadorian regime?

At least one of their diplomats has sad so publically,

https://news.sky.com/story/julian-assange-put-through-hell-at-embassy-says-former-diplomat-11698113

Oh and as we know “money talks” have a look at the history behind the IMF and other US backed finance organisations loans to Ecuador. Lenin is very proud of them, but most Ecuadorians have long memories of previous “loans with strings”. Oh and Lenin is just about to launch major austerity and privatisation, all directly out of the recipe book that has failed badly in the EU, to the gross enrichment of a very few…

Clive Robinson • April 20, 2019 4:23 AM

@ Moderator,

Sorry, “fat finger syndrome” has struck again.

Of my two posts about Assange / Ecuador, can you remove the one which lacks the second link.

Thank you.

Clive Robinson • April 20, 2019 7:27 AM

Utah ban warrantless digital searches

As some know, in what is potentially good news, at the end of last month Utah’s Governor signed the “Electronic Information or Data Privacy Act” (House Bill 0057) into law. In the House vote it passed without any dissenting votes.

https://le.utah.gov/~2019/bills/static/HB0057.html

From what has been said this closes the loop hole in the 4th Amendment that many and especially the FBI have tried to force many cases of what would be illegal searches of paper and other documents.

Obviously this is not going to be popular with some, so no doubt all sorts of funny cases are likely to appear as various LEO’s try to find work arounds (what’s the guessing on “Parallel Construction” becoming popular).

Anyway there is a lot more to it, which Forbes has a piece on,

https://www.forbes.com/sites/nicksibilla/2019/04/16/utah-bans-police-from-searching-digital-data-without-a-warrant-closes-fourth-amendment-loophole/

Clive Robinson • April 21, 2019 4:17 AM

@ MarkH,

I suspect that the author of the Spectrum article may be out of his own league. There are numerous precedents for pleasure pilots overestimating their understanding of jet transport operations. In any case, he seems to have gotten at least some of the facts wrong.

The article has been reviewed by professional pilots, and I assume that they don’t see things the way you do.

As for his usage of the Wright flyer, well there is lot’s of myth surounding it and people therefor mistakenly use it as a “touch stone”. However as history actually shows it was by no means the first flying machine. As the Smithsonian Institution takes care to point out, the aircraft was (1) the first powered (2) heavier-than-air machine to (3) achieve controlled, (4) sustained flight with (5) a pilot aboard. Thus much like Marconi it was in effect a collection of others work.

The way the Wright’s did things with the canard and wing warping was as far as I know ‘original to them’. However it was very unlikely to move forward in time, for the same reason we knew long befor then that you don’t put rudders on the front of boats whose engines are at the back, and horses go before the cart, and why we call it ‘drag’ not ‘push’. Doing it the other way around is not a naturaly stable condition in fact it can be shown to be chaotic and require continuous physical corrective input from the pilot in what would very quickly become tiring, as well as making some interesting ‘self destructing rocket’ films just a few years later. I suspect most engineers with any real world practical experience with feedback systems would know this, but software developers as a general case probably not, and oddly perhaps most pilots don’t either, such is the myth behind the Wright’s Flyer, and thr care engineers have taken to design out such issues. Which is possibly why the Smithsonian Institution used “controled” but not “practical” in their “claims” list. It’s known that others had already solved this particular ‘self stability’ problem, and not having known about it, it’s probably the reason why the Wright Flyer crashed almost immediately on it’s maiden flight and had to be repaired before it made it’s actual first flight. What the Wright’s should have a claim to fame for but don’t is the use of “moving picture cameras” in engineering development work. It’s the fact they filmed things that give what we now call ‘conspiracy theorists’ the excuse to say it was all rigged…

As for the use of the force feedback system, my view is that he was using it to make the point that it was about taking the primacy away from the pilot and giving it to the dog… That is a system with less, and unreliable inputs than the pilots, was making incorrect decisions on that bad information, and the pilots had no ‘natural way’ to overcome it. The actual mechanics of how such primacy should be returned to the pilot were not that important, though he did note that in his planes system it would automatically return control to the pilot is it detected an error. His repeated point however was the Boeing system lacked any ability to detect any errors due to too few inputs.

It followed from the fact that Boeings software developers actively chose not to use the information available, thus remove any possability of error checking in their design and worse chose to implicitly trust a known to be unreliable input. All things that are contrary to “Standard Practice” in the rest of the industry for very good reason, which is what caused the author to say that Boeings software developers were clearly “terribly far out of their league”… Put simply they obviously were.

Trying to argue against that view point is a little pointless. Arguing they were working to a specification is a little like arguing ‘they were only following orders’, it’s not an acceptable legal or moral defence…

Unless you can show without doubt that they were totally issolated from knowing about what the code they were writing was to be used for, and what the industry regarded as “Standard Practice” at the time. And lets be honest here fault tolerance in the pressence of unreliable components was a solved problem befor they or anyone else working at Boeing was born. It was solved by voting systems back in the early days of electromechanical exchange equipment by the New York Telephone company.

Clive Robinson • April 21, 2019 6:20 PM

@ vas pup,

How superstitions spread

It’s also highly relevant to security and the judicial processes.

Have a think about the myths surounding “Best Practice”.

In essence you perform a survey by questionnaire, where the results are quite biased as the responses are “voluntary” thus mainly very few and many are self serving/promotion.

You then take these biased results and analyse them by some method which is again biased as there is no agreed or sound measurand[1].

Having ranked the responses you then look for what the top responders claim to do, and then call this “Best Practice”.

Simply because you hang such a label on your realy shody non-research, that does not rate sufficiently for “yellow journalism” it confers by the process of “magic pixie dust” a legitimacy it does not in any way deserve, hence it’s myth status of false/unknowing belief.

[1] Saying the AV your site uses reported X suspicious events blocked is not a valid measureand for a whole heap of reasons. Not least because it does not count it’s failures only it’s partial successes. Further and quite importantly it’s not independent of other factors that would make a site more or less attractive to attackers, and a whole bunch of other factors, that to be honest currently form an incompleate set. Thus as a figure it is fairly usless for anything other than “fill” in a managment report. ICTsec abounds with these non measurand numbers and yet apparently nobody wants to push for actual measurands that are of use for analysis.

Clive Robinson • April 21, 2019 7:06 PM

@ The Pull,

If you roll on ‘no javascript’ browser these days, a lot of sites do not work well.

Interestingly the sites that fail the hardest or work least well are those that are natorious for one of two things,

1, Using JS to get user PII.
2, Using JS to serve adverts.

With regards the adverts is the issue of,

A, Malware.
B, Bandwidth.

It’s not in the intetests of those serving the adverts to end users to put in place checking methods for Malware. But worse for those with slow data rates or capped bandwidth (something like seven tenths of nations Internet provision) is the excessive data the adverts bring. Thus a simple text web page with 2K-4K of actual data the end user wants, comes with 3M-10M of unwanted data if they have JS enabled.

Thus dumping JS is most definitely not just the sensible, but logical thing to do.

All the noise you hear against such a policy is generaly fostered by those making money out of abusing the users.

From that perspective, making their sites unusable is actually self defeating, because they actually reduce their audience.

I have finally “De-Googlefied” myself because of Google Managments stupidity in this respect, and worse for them I will talk about Google’s stupid policy with others, and promote their competitors who do not behave in the same stupid way. In this it appears I am far from alone as finding others doing simillar anti-Google things is relatively easy.

This one actually struck me as quite amusing,

https://strugee.net/blog/2019/04/make-recaptchas-im-not-a-robot-accurate

Further other people are realising that the World Wide Web Consortium W3C has sold out to the likes of Google, and HTML5 being riddled with PII stealing opportunities are not upgrading to it.

Whilst people like features they like identity theft a lot lot less. Stories about Facebook spending millions on how to make their PII stealing platform more addictive likewise are turning people off of new features. I guess people will start to see the Internet as more and more like they do addictive substances A.K.A “Drugs” and will start behaving differently. Eventually sufficient people will realise just how realy evil Google, Facebook and the other big Silicon Valley companies realy are, and will reduce or stop using them, at which point the reason for their existance (making money off of PII) will stall and go into a decline.

For me turning off both cookies and JavaScript were easy choices several years ago. Has it hurt my use of the Internet, not realy as a general case very little usefull information is “single sourced” thus I see both cookies and JavaScript in the same way I do paywalls, “just a small and mostly unimportant bump in the road, that’s easy to evade”.

Clive Robinson • April 22, 2019 2:06 AM

@ Alyer Babtu,

I am told by users in what would be considered an allied area that telecoms are trying to take over and monopolize/monetize the part of the radio spectrum that has been always left for ham operators.

It’s rather more than “allied” we are seen as the same enemy by the same people… But first a quick history and overview of the current situation / battle ground,

The Amateur radio spectrum has been under threat for longer than I’ve held a call sign and thats four decades. In fact longer than I’ve had an interest in radio, so you can add atleast another decade. It is a war of atrician that the various National Amateur Radio associations (ARRL, RSGB, et al) have had to fight every day for years, just to try and slow the process down.

The big issue is the tricks those attacking use. For instance in some countries power companies have made the HF band useless by “data over powerline” systems. Which range from home systems for the control of lights and other gadgets through Smart Power Meter systems all the way up to the equivalent of DSL etc. All of which put high levels of RF noise in urban ares that raise the Noise Floor by between a thousand and ten thousand times, effectively making the bands unusable unless you can get a couple of miles from it in every direction (thus work mobile/portable which can be difficult for some such as the disabled who use Amature Radio to have some form of social life).

Then there are all those house hold and commercial premises “gizmos” ising LED lights, displays and screens spewing out RF Noise. Many of these start out quiet but as the cheap capacitors dry out / break down in a year or two of a ten or more year life cycle… The same applies to florescent lights, energy saving lights and more recently Smart Meters and our new friends the IoT devices… It’s a never ending list.

As you know politicians are very short sighted at the best of times and ‘lobbyists bearing gifts’ are almost always listened to especially when the gifts are campaign funds or prewritten legislation etc. AT&T I’m told are one of the worst offenders in this regard in the US, especially when it comes to killing off “Community Internet” by making it illegal…

The simple fact is the RF spectrum is finite and most of it that was usable at the time was allocated out. This has been going on for a century, with Amatures being given parts of the spectrum that were considered “unusable” by then Government and Commercial interests. Amatures then by their own inventivness made the best use of the slim pickings they had been thrown. As they made the spectrum usable Governments and Commercial interests took the alocations to Amature radio operators back. By the mid 1980’s most of the spectrum had been allocated beyond the microwave bands, with just a tiny fraction allocated to Amatures, compared to other users such as public broadcasting, the military, maritime and aircraft communications, and commercial Private Mobile Radio (PMR).

Then three things happened, firstly Space started “opening up commercially”, secondly “personal communications” became mobile and individuals started having excessive “personal data usage” requirments.

Then perhaps the most mindless event in the history of radio happened, the first of the “spectrum auctions” happened. Some major Telco organisations lost all reason and sense and things went bid feaver crazy. Suddenly radio spectrum was a gold mine for national treasureries, as everybody wanted it… Soon the military was loosing bandwidth, as was law enforcment and first responders. Then national broadcasters began loosing bandwidth. Over the air or through cheap leaky cables RF spectrum was being swallowed up to alow animations of dancing hamsters, cute kittens and the like along with innane conversation about Z listers private lives.

Back in the 1960s through 80’s the image projected by many was housewives during the day and teenage girls sitting at home yacking all early afternoon and early evening with their school friends over fixed land lines. Then in the 80’s nerdish boys and their modems were seen as the next land line hogs… Whilst these images are not exactly true their was enough truth in them to drive the industry. I was involved with trying to get data over analogue cellular radio to work. Basically it was failing to work because of the issue of “in band signalling” what realy solved the issue was switching from analogue to digital. As some know, the Europran originated GSM standards effectively won the mobile standards war and effectively global dominance which put more than a few noses out of joint in the US and one or two other places where people holding fistfulls of patents were assuming they were going to get ten cents on the dollar of billions of mobile phones…

GSM in current use is 4G / 4G-LTE and the specification alows a handset user to have hundreds of megabits of data per second. There is not the bandwidth below the microwave bands to support this sort of data rates. Which is why 5G is going to need vast amounts of microwave spectrum. For various reasons the microwave bands were not previously of much use to commercial users which is why Amature Radio was given the spectrum it was in these bands. Telcos had in the 70’s to 90’s used them for phone line “trunks” but the advent of fiber optics rendered that mainly unused this century. So 5G is looking to use as much if not all the bandwidth it can grab between the satellite televison bands at 4Ghz (C Band) and 11 Ghz (X-band) as well as spectrum above and below this, including the ISM and Amature bands.

But the mobile phone operators are not the only game in town there are various Silicon Valley interests that want to put up helium balloons and run Internet connectivity in areas where installing fiber optics would be expensive (ie they actually mean everywhere) so they want bandwidth in the same region of the microwave spectrum. They likewise see the amateur and ISM spectrum as impediments to their profits hence their keen lobying for that spectrum.

But there are “cuckoo’s in the nest” in the HF bands. There are a lot of very “silly sailors” who think taking over the amature radio spectrum will give them the Internet on their boats… I won’t go into the details but there has been a lot of upset in the ARRL some of whom were apparently in favour of turning the entire HF spectrum over to the worst of propriety data modes, just as long as they could use it to in the very short term leverage more members…

So yes there are people after the Amature Radio Spectrum, and believe it or not it’s become an issue in the US-China trade war and the very bad feelings about US politics… Enter stage left the “prepers” who believe rightly or wrongly that very very soon the SHTF event will happen and the compleate breakdown of “US life as we know it” such that it will be on par with “The Zombie Apocalypse” with the loss of all civil infrastructure for communications. They are buying up equipment aimed at the Amature Radio market and “Broadbanding” it which is use it illegaly and in spectrum areas outside the Amature Radio allocations. With them are a whole bunch of others such as sail plane pilots, dirt bike, offroading, paintballing and similar enthusiasts and many others wanting the convenience of mobile comms they get from mobile phones in areas where there is no or poor coverage. The real issue is the FCC rules, the US has become a minority market place and low cost equipment manufacturers don’t want the hassle of the FCC rules that are frankly from the long past of “Market protectionism” which failed around about the time Japan started making Colour TV tubes if you are old enough to remember them… Nobody wants to make fifty different two way radios for tiny segments of the radio spectrum if they can make one that covers all the spectrum used by two way radios. Enter the likes of Boefang with it’s thirty dollar VHF/UHF 5watt handsets that also do both digital and tone squelch and any repeater / band split shifts you care to use… The same handset will do all the Private Mobile Radio (PMR) both VHF and UHF, VHF Maritime, VHF 2meter and UHF 70cm Amature bands, and all those silly home user “unlicenced band” systems used in childrens toys.

They have been tested to meet the various international standards on power, emmission quality, audio quality and modulation depth etc. Thus on the technical side they meet every national regulatory body standards. They also meet most of the non technical additions because they have to be “programed” to work on any frequency. Thus they have been certified for use to European CE and other standards world wide. Including FCC regulations…

However the current administration has decided that such equipment is now illegal for various reasons and the excuse is “Amature Radio users” where as the actual cause of problems is the prepers and others I mentioned above. Their view being if I can spend a hundred bucks for four Chinese radios that give me thoudands of channels, twenty five times the power and come with decent life LiPo4 batteries, and I can put a realy big antenna on, why should I spend sixty bucks on two toy radios with only eight channels, so little power out it barely goes down the street, runs off of expensive AAA batteries with a realy short life and only has a tiny tiny non changable antenna?

Such users know not quite enough to be a danger to themselves, they are however frequently a danger to many others due to their ignorance or stupid malice.

One of the reasons an Amature Radio licence requires study even at the lowest level is to ensure you have enough knowledge not to be a danger to anyone with radio equipment…

Amature Radio Operators are under attack not just from Commercial intetests and the deliberate conflation for political ends, even the Main Stream Media get it wrong quite deliberatly so. Take a popular series like NCIS quite deliberatly passing off the worst of CB behaviour as Amature Radio… Why do we know the passing off was deliberate, well it happens that some of the people working on the series are licenced amatures and they talked to people and the story came out…

So yes I’m not surprised you heard Amature Radio Spectrum is under threat because it is, from all sides and some of those doing the attacking have multiple billions at their disposal to achieve their ends, whilst all most Amatures have is the ability to try and engage the publics attention and educate them against the half truths and outright lies put out by various self interrsted parties.

It’s an endless battle and one Amature Radio operators fight continuously day in day out and in comparison the efforts in the Crypto Wars has been “small potatoes”. It’s a lesson that every person who reads this blog and cares about privacy etc should get to know and understand because the same people are also comming after the Security Comnunity using the same tactics, and honestly I don’t think the Security commubity is even close to being ready to fight the war.

Clive Robinson • April 22, 2019 10:40 AM

@ Bruce and the usual suspects,

This story is about a small ultrasound device that costs around 2K USD called the Butterfly iQ which connects to a mobile phone as the display etc and fits easily in a pocket. Thus is very portable and also a lot more robust than more traditional ultrasound scan heads.

Although according to the article it was designed for “frontier” type medicine in places without healthcare systems. I can not help thinking about just how useful it would be for physical security,

https://www.nytimes.com/2019/04/15/health/medical-scans-butterfly-iq.html

One to keep an eye on and maybe a little investment speculation if you’ve a few dollars you don’t mind taking a risk on.

Clive Robinson • April 23, 2019 5:47 AM

@ Bruce and the usual suspects,

This is certainly going to make news,

https://www.engadget.com/2019/04/23/apple-facial-recognition-false-arrest-lawsuit/

Somebody was arested because of identity theft. But because Apple Stores used facial recognition and falsely linked his details to that of the real thief, he is now suing Apple for 1billionUSD…

Clive Robinson • April 24, 2019 5:14 PM

@ Bruce and the usual suspects,

An interesting article on Quantum Computing,

https://arstechnica.com/science/2019/04/electron-qubit-non-destructively-read-silicon-qubits-may-be-better/

Unfortunately the paper it’s based on is hidden behind a Usurious paywall.

It’s the last couple of paragraphs that are of interest. As followers of QC know electrons have issues as Qbits and are often discounted as Qbits because of the need for significant error correction. Well it appears that the papers authors think that if they use silicon then they can have a system whereby the error correction is not required… If true then it will be an important step forward, especially as we know more about silicon and electrons and how to practically use them together than any other element.