Schneier on Security

Clive Robinson • December 19, 2023 12:24 PM

@ emily’s post, ALL,

Re : Equating seigniorage with data in transit.

“Maybe also so is the power to store, serve, protect, serve ads etc.”

Back in the early 1990’s I was doing a bit of post-grad study. Back then most peoples view of information was little different to,

“A box full of waste paper occuping warehouse space”

However anyone who understood not just DataBases but “Data Warehousing” back half a lifetime ago realised that the notion of those boxes of “waste paper”, had infact been sprinkled with “Fairy Gold” that you could repeatedly exchange for real gold.

Thus you could equate it in part with seiniorage[1] on the money supply.

So being a “smart arse” I asked one of the lecturers who was a “reader” at the University the question,

“What is seigniorage on data in transit or other circulation?”

I think it only surprised him for about a second and a half, other people in that class room I suspect still don’t get it.

But arguably most of the US Economy that is allegadly “information based” rests on the “seigniorage of data in circulation”. So upwards of a Trillion or so USD/year.

And with seigniorage comes the power of stealth tax which gets you all sorts of other power and thus importantly control over the masses.

[1] I won’t go into the depths of seigniorage you can look it up,

https://en.m.wikipedia.org/wiki/Seigniorage

But in essence, the person who prints money gets not only the benifit of “first purchase” but also the equivalent of interest it creates whilst in peoples pockets. Economists have good reason to call it “Inflation Tax” and it’s of significant value.

Clive Robinson • December 19, 2023 12:44 PM

@ emily’s post,

“Proof (by reductio ad venumdere)”

Hmm comparing “Marketing” (ie selling/vending) with “Absurdity”…

I think that earns you a “+1” 😉

Clive Robinson • December 19, 2023 5:21 PM

@ ,

Re : Distance cost metric.

“does this have something to do with Tier 1 networks ?”

Not in the way you are thinking.

The short answer to what you are thinking is,

“Information objects have no effective mass so unlike physical objects which do have sometimes quite considerable mass, the cost of transportating information is effectively to small to charge for.”

Thus the top tier networks (T1) of which there are sixteen have a peering agreement where they pay for their own infrastructure but unlike the POTS lines of old they don’t charge each other to carry data through.

The longer answer to what you are thinking is,

In basic economics there is a hidden assumption that goods cost more the further they are from their point of production.

Whilst that might sort of be true for physical goods the “Penny Post” of the Victorian era first put the boot in on the “Distance costs metric”. The Internet which carries information unlike the old telephone network does not care about distance just volume.

This Distance Costs Metric is important because it underlys a very basic economic assumption,

The cost of producing a physical good generally decreeses nonlinearly with volume produced. Thus any new market entrant is at a disadvantage at the same local as an existing producer all other things being equal. However at a suitable distance the new entrant does not have to cover the costs of transportation that the existing distant producer does and so the two producers costs are equal thus simple market conditions such as supply and demand become dominant (it’s a hidden assumption that underlies the faux “free market” idea).

So having got that out of the way 😉

What I am talking about is,

“Information when used has value” that is it is like “capital at work” effectively producing value or if you like “interest” to a lender.

Now “cash in your pocket” is not doing work and inflation is constantly devaluing it’s purchase power. In places where there is “Hyper-Inflation” shop keepers tend not to price goods as the price goes up during the day (which has other effects such as shops not offering customers choice).

Simplistically, money in a bank is loosing the bank value, you take cash out and those losses fall on you for the time the money is in your pocket. When you purchase something those losses transfer to the person you buy from untill either they purchase something with the cash or put the cash back in the bank at which point the losses fall back on the bank.

In such a system, for every loss there is a gain by lack of loss, or a gain by charging interest. Banks try to fiddle it by not paying customers interest for deposits where they can get away with it or by paying interest at well below the “banking rate”. They also charge exorbitant rates of interest for credit well above the banking rate.

Now using this model you can replace cash with information and use the same ideas for credit / deposits / withdrawals. That is information becomes Intellectual Property and can effectively be treated as money is.

Thus information in transit is like cash in your pocket it is devaluing against the clock.

Nobody realy cared about this back last century because the value was so small…

However two things that most are aware of changed all of that,

1, High Frequency Trading.
2, High Value Crypro-Currency.

Where nano-seconds that light travelled at the rate of one foot diatance could be worth tens of dollars.

So it you are in New York and make a trade in London the distance costs metric of the information at 1cent/nS would be at a minimum 0.01USD x 5280ft/mile x 3461.33miles or $182,759… Which is why HFT traders use high power(~20kW) “High Frequency”(HF) short wave communications with computed “skip distance reduction” and all sorts of “pre-trade” tricks with specialised time mininising communications.

Lets just say I could see all this nonsense heading my way well before even those who now spend multiple millions on it were even aware the problem was going to smack them between the eyes like a well swung lead pipe… How do I know, well lets just say about half of them sitting in the same lecture came from the City of London and their jobs were about ICT in trading floors… What they did not know was that I’d been involved with developing “Trading Platforms” for banks and Investment houses since the early 1980’s (the company I worked for designed them as well as high end body scanners and other very high resolution –for back then– display systems such as military training simulators).

Clive Robinson • December 19, 2023 7:56 PM

@ JonKnowsNothing,

Re : Snow White and the seven dwarfs

“Today’s AT&T is not really the Old Ma Bel…”

I remember this rather well… Judge H. Harold Green made his Modified Final Judgement in 1982 and it was not popular. But January 1st 1984 AT&T became a long-distance company, while seven regional Bell Operating Companies (RBOCs) took control of various parts of the business by geography and function.

So Ma Bell became Snow White and the RBOCs / Baby Bells the Seven Dwarfs.

What few had realised was that in effect it was a paper shuffling excercise as none of them were in competition with each other, nor was their any inhibition on them being sold and remerged etc.

The result was a massive “shell game” that resulted in the US public amoungst others getting “asset stripped” and given a truely terrible system in return at vastly over priced rates.

I worked in one of the RBOCs that was “international” called “Pacific Telesis”. The part I worked in was virtually opposite “Chelsea Town Hall” where celebrities got married. But it only existed because of what another RBOC had done. Back the “Telex” was still a vital legal service and any international company had to use it. In the US it was about three to ten times as expensive as it was in the UK to send a Telex depending on where it went.

Pacific Telesis had virtually significant spare capaciry data lines across from the US-UK outside of normal US business hours. But even in US and UK business hours it was still cheaper most of the time to send telex messages from the UK by quite an amount.

The result we developed a “Telex Pump” system. Companies from all over the world sent messages as data to have it sent out from the UK. It got to the point that we could cut the telex network out all together with some customers…

Well whilst working there, there was a “Special Occasion” and we all got “tie pins” of various quality with the “splat” logo on them. Due to a cock-up mine was solid gold not plated like my coworkers or boss, but it did not have the small ruby at the center my bosses boss got. I still have it in my cufflinks box but have never realy had reason to wear it, except once…

Years later I was working for another company designing FMCE to be manufactured in South Korea… It was announced that there would be a customer visit from the seniors of a new potential customer… Realising who they were I unusually wore a “good suit and tie” with the tie pin. Nobody in the company I worked for spotted the pins significance. However on arrival the seniors who were all once Pacific Telesis employees immediately recognised it as a level 3 (mid managment) pin and got very cosy. My immediate boss did not have a clue what was going on and his boss the Chairman who I got on well with picked up on the fact that I was obviously a plus point so went with it. The contract came through and I got effectively a liason position, much to the surprise of the QA manager…

It got even wierder as part of Pacific Telesis got spun of mid 1990’s to become “AirTouch Communications” which as a mobile phone company… They later linked up and became part of Vodafone, another company I’d worked for in an earlier existance as Racal down in the old manor by the A3 in Raynes Park SW London… All a bit odd but that’s how it goes sometimes.

Clive Robinson • December 20, 2023 8:54 PM

@ vas pup,

“AI cannot patent inventions, UK Supreme Court confirms”

I’m actually not at all surprised.

The law not just in the UK but much of the world does not alow even creatures that clearly have consciousness and can communicate intent etc coherantly –by sign language– to be “property owning” because they are “owned property”.

Whilst this stems from a rather idiotic self promotion by humans via religion to near deity status –God’s domain and human domain over nature– it’s currently reasonable to say that man made machines no matter how complex are not concious entities capable of “free existance”.

If that will ever change is somewhat open debate and has been for some time. From the 1950’s ScFi author Issac Asimov in bicentennial man raised the point that “robots” did not die.

It’s an important point because nearly all “Intellectual Property”(IP) law is based on the fact people die and at some point there after any rights they may have held or assigned would cease.

If a machine can not definately expire within a reasonable time frame then IP Law becomes a mockery (though I’m sure Disney Corp would love perpetual rights).

Clive Robinson • December 21, 2023 5:19 AM

@ lurker,

“My not having or watching TV is I suppose some form of malfeasance …”

Or even “treason” to the XXX way…

After all how can you be indoctronated into the XXX way without thirty hours a week of Reality TV to make you one of the mindless masses?

The next sign of such “unXXX behaviour” demanding the “hang them up by their thumbs” re-education process is growing your own food… As it prevents you injesting the hormones and other drugs and chemicals that are in fast food that make you sterile, block your arteries, damage your kidneys, give you type II diabetes etc, if not actually the Big C [1] by thirty as well.

But of course the true mark of a traitor / agent of insurection is having curtains… After all if you have nothing to hide…

Yup and have a very merry winter solstice for you[2], and remember, that it is,

https://m.youtube.com/watch?v=1JsnzhP0eX4

By order of the Corporate over-lords, remember,

“It’s “excess and bankruptcy,
as the XXX way,
or tis off down the highway,
both lead they say,
to purgatory so dreary.”

It is what they demand of you…

[1] No I’m not a UK “Daily Mail” reader but you now get such stories via the News International / Sky Rupert “the bare faced lier” Murdoch empire. And lets be honest have you seen him recently? Rumour has it he’s going to play Davros in the BBC Xmas “Dr Who” special, without the need for time in makeup. Along with Jeff Bezos playing Count Dracula for the Amazon Prime Video “Xmas panto” 😉

[2] A better but less well known Bob Rivers feastive song and more attune with the “off grid ideal” is the “Not quite suitable for work”,

“Chipmunks roasting on an open fire”

https://m.youtube.com/watch?v=H_4xnCSXTfQ

Clive Robinson • December 21, 2023 8:33 PM

@ lurker, emily’s post,

Re : Fraud or not…

“but if I use an AI to respond to these ads it’s called click-fraud.”

What some corporate toe-rag may call it does not make it of necessity true.

In most jurisdictions Fraud has two hurdles,

1, Intent to deceive
2, Intent to gain an illegal advantage (from the deception).

Thus an actor or film star may have a “stage name”, “hold a bank account in that name” and “carry out transactions in that name” as –it’s assumed– there is no intent to deceive, or intent to gain an illegal advantage.

Thus mostly the prosecution burden is to prove beyond doubt the “intent”.

An AI used to dismiss an advert or similar is not “a person legal or natural” and “has no intent other than that given by it’s designer or user”.

Hence it would appear to fall to the “Directing Mind”… But common law is traditionally held to,

“actus reus non facit reum nisi mens sit rea”

That is it requires proof both of “mens rea”(guilty mind) and “actus reus”(guilty act) before any defendant can usually be found guilty.

Which raises a problem with AI… It can act –in theory– beyond the direct instruction of the designer or user. In the case of LLMs by introducing a stochastic bias to output selection and aditionally in ML systems by building in a bias to it’s data set.

Thus,

“Where is the ‘mens rea’?”

Look at it this way, if an engineer designs an engine and gives specifications for materials and tolerances, can they be held liable if an engine is constructed outside of those requirments and malfunctions thus causing a consequent harm?

Most would say no…

So is the designer or user of an AI guilty if the AI uses an out of specification input set?

As they used to say,

“A bit of a posser…”

But that is only the “mens rae” half of the issue there is still “actus reus” to demonstrate. With the AI standing in as a “middle man with random ability” that may be a bit of an issue…

But there is also the question of “rights” lurking in the background.

Untill Tony Blair and his flat mate Charlie Falconer destroyed more than a thousand years of established judicial proceadure in England and other parts of the UK, there was an interesting quirk in the judicial process.

If you were detained and gave a name, and was subsequently arrested under that name… Then that was the name you were prosecuted under and if found guilty also the name you would be imprisoned under.

One of the rights you had befor Tony and Charlie mucked around with things, was the right to silence, without guilt being construed by it (nolonger true as the caution indirectly indicates with “may harm you defence…”).

Thus originally if asked after arrest if the name you had given was your birth/legal name you could just be silent or reply in a noncommittal way without further issue.

If you think about it the old way makes reasonable sense.

Because as the first female Director of MI5 Stella Rimington pointed out, there is no way you can actually prove you are who you say you are[1]…

Also the logical inverse of which is others can not prove who you are either holds as well…

It’s this foundational failing that makes all “National ID Schemes” a failure from the get go. Because the entity that controls the central records, controls the ID(s) a person is tagged with.

So if you can change the central records then you can be “The Magical Mystery Fairy Godmother” if you so chose[2].

But what of an AI, it has no physicallity in that it’s a “bag of bits” that can run on one or more hardware instances. So where is the unique “body”?

It’s an issue we will hear more of with these “self driving vehicles” that,

“Leave road kill in their wake or tyre treads”

What part is guilty, the bag of bits or the machinery?

[1] There are two parts to a “natural person”, their “physical” body/being, and the “informational” tag/name by which people identify them. There is no way to actually reliably and beyond reasonable doubt link the two. DNA like all bio-metrics only links to the physical attributes of the body or some part there of. Where as all others only link to the informational attributes of the name or assigned number on the birth certificate (if there is one).

[2] Actually within reason any one can be who they want to be by either simple deed or in England and similar a legal process by “Deed Poll”.

Clive Robinson • December 24, 2023 12:37 AM

@ Winter, Lars, ALL,

Part 2,

A concern I share bearing the UK Government effectively gave away the entire UK populations detailed medical records to an organisation called Palantir who’s owners intent is to build the worlds largest surveillance database, and sell the product in a way that will destroy the jobs and careers of police detectives and inteligence analysts. And build up, by the same business models illicit substance dealers use, a dependency relationship with the police departments and intelligence agencies, which would no doubt involve the,

“Get them dependent keep doubling up the price over time.”

Thus siphon-off[1] vast amounts of tax payer money and even more Private and Personal Information to create new dependents with.

Clive Robinson • December 24, 2023 12:43 AM

@ Winter, Lars, ALL,

Part 4,

Which is basically what we are seeing with this LLM model.

The input from millions of people has been averaged in various ways to build statistical models to be used as “matched filters”. Then use those matched filter models against an individuals data set to see if they ring any of statistical matched filter models how much and importantly why. If they do, they then put the matches into another weighted model and see where the individuals signal falls on the output of the weighted bell curves when summed and compare that to the population distribution obtained from the mortality figures[2].

Insurance companies have been doing “curve fit approximation” from populations to individuals for a couple of hundred years now it’s where the “Body Mass Index”(BMI) figure comes from…

It’s what life asurance actuaries do, which is look for “sweet spots” in the dead population information to make more profit from the current living population. The acturies are playing against “the dead population average” so will win if they covince the living population they are paying on a flat model or worse[2].

Clive Robinson • December 24, 2023 12:48 AM

@ Winter, Lars, ALL,

Part 6,

[2] The way it works is to find things that others have not realised. For instance the day in the year you were born statisticaly effects your life expectancy, in different ways in different jurisdictions. Because legislation sets arbitary points in the calander when things happen, so two individuals born just a day apart can have a year of difference effect them. One such is your birthday and how much state provided education you receive and from how earlier a point in your life, as well as total days of education. Because extra education effects your lifetime socioeconomic ability, and that in turn effects you physical and mental health which in turn effects your life expectancy. Which is good news for those looking to profit from life insurance and bad news for those providing pensions and health care insurance.

Part of the reason is explained in,

https://theconversation.com/nobel-economics-prize-winners-showed-economists-how-to-turn-the-real-world-into-their-laboratory-169697

By the way I object to the “Nobel Economics Prize” term for good reason, because it’s a falsehood come con-job of what you might correctly call “influenced faux-news by undesirable parties”[3].

[3] The so called “Nobel in economics” is not an actual Nobel Prize. It’s a “con-job” by the “Sveriges Riksbank” that started back in 1968. What Sveriges Riksbank did was set up a “memorial to Nobel prize” and give the money to the Nobel Foundation to dole out under a not open or visable influence guidence… It’s realy upset one of Nobel’s decendants who think quite rightly it’s abusing the name and memory of Nobel (which it is). Worse it shows significant bias to the discredited Chicago School… Hence the argument that it is faux-award to faux-academics who panda to capitalist profiteers who have “bought and payed for their supportive opinions” a credible argumentive base…

Clive Robinson • December 24, 2023 1:35 PM

@ lurker, JonKnowsNothing, Winter, ALL,

Re : Private Medical records.

“If they find nothing, then nobody loses, do they?”

Sadly not true…

Remember Prof Ross j. Anderson’s group in the UK Cambridge Computer labs, demonstrated and provided sufficient proof to show that to sufficiently anonymize a data base renders ir effectively usless.

Or to put it the other way, for the data to be of use for research, then it’s only vaguely obscured and finding out who one data record belongs to is fairly trivial. Thus anonymity is not happening.

It’s why people in the UK are so shocked about the cavalier attirude of the UK government.

Then it gets revieled there are atleast two levels of records… The ordinary people who’s privacy is not in the slightest protected, and the special people like MP’s and senior Government officials who’s records are treated all together differently as in way more securely. So one eule for them and another rule for the rest of us.

Worse the company they were given to is Palantir which is US based… There the act of deanonymizing makes “a new work” made on US territory thus under US jurisdiction… So no privacy protection what so ever…

Clive Robinson • December 25, 2023 5:44 AM

@ Winter,

Re : Trust is based on what you can brutally enforce.

“It must be difficult to live in a low trust society.”

Remember the UK health data given to both Google and Palantir?

That was protected under the EU data protection and UK data protection.

The likes of Jeremy Hunt saw the data as a quick way to gain a benifit.

So despite peoples written notification they did not want their data diseminated or used for research the UK Gov took the view they owned the data so could do what they damn well liked.

The thing is medical data unlike other personal data is in a very special group of personal information, that you have to share with others for it to be of use to you. Such information is a “personal genie” when alowed out of it’s bottle it can not be put back in.

In the UK it used to be so protected that even patients were not alowed to see it nor other professionals.

Now this century the likes of Google lobbying has in effect stolen it away, beyond my and others express wishes,

Why?

Because I am not alowed to brutaly enforce my rights over it…

In the past English law allowed as punishments for offending the common or specific morals “gelding”, “gouging”, “drawing” and even “boiling alive” to individuals who had offended trust.

Now those offenders hide their plans and ill intent to others –and that is what it is– behind corporate walls and the like. As they see it safe from others retribution.

So it is only a matter of time, with politician and civil servant positions attracting certain types before everyones “Personal genies” are let out of the bottle never to return.

You are I know aware of the danger of “Think of the children” well there is another phrase I’ve warned about befor which is “for the common good”.

Basically it’s been used to turn the sanctity of a persons body and death into a very profitable “Organ Harvesting” operation in various parts of the world…

In effect people who can not defend themselves are being sentenced to a very unnatural death even against their express and written wishes.

If a state by claim of “for the common good” gives it’s self the right to execute innocent people and steal their bodies in part or whole, do you honestly think anything lesser will not given a little time and influance become up for grabs for theft for others profit?

Clive Robinson • December 25, 2023 11:13 AM

@ Winter, JonKnowsNothing, ALL,

“Any evidence this is even considered in Denmark? Have they done anything like this in the past?”

As I’ve pointed out on this blog before,

“You are not a murder untill you are convicted of committing the crime.”

Thus as they say in financial adverts,

“Past performance is no indicator of future performance.”

Add in mathmatically as time progresses the likelihood of an act occuring for the first time increases.

So whilst this may not hqve been formally “considered in Denmark” yet, it is almost a certainty it has been thought of informally. Thus with the way US High Tech Corporate lobbying works it just becomes a matter of time before discussions are held. Thus,

“Not if, but when?”

To think otherwise would be shall we say “just a little bit quaint”…

Clive Robinson • December 25, 2023 10:58 PM

@ lurker, JonKnowsNothing, Winter, ALL,

Re : To stop a horse you don’t need a stable door or paddock gate just a hobble on the legs.

“The methods to achieve a ban would be truly Byzantine.”

Because what you are suggesting will not applying preasure at a viable choke point.

Consider, such Corps only exist to gain value for their shareholders.

The way to ban them is to stop their income stream that gives them value.

Most Corps are uterly reliant on,

1, The EVM credit card system.
2, The Swift interbank system.

Make it illegal for them to transfer money and these Corps would stop over night and their shareholders flee in the days to follow.

The point @JonKnowsNothing was making with,

“Europe did NOT protect the data. Europe got a lot of money for pretending to protect the data.”

Is a point most have failed to grasp. The EU sees a tremendous amount of wealth leave the EU to US Corps that pay no tax etc on their activities in Europe. Thus the fines are not actually “Preventative actions” but “Revenue Raising actions”.

It’s a point I’ve been making for some years now. Tax authorities are seeing declining revenues due to “off shore” activities that “virtual organisations” easily achive via communications.

The Government tax authorities can not raise taxes because it “kills businesses” and makes individuals very angry thus vote against those who even hint at raising taxes.

Thus the only two ways left are,

1, Reduce outgoings.
2, Increase penalty fines.

The first can be seen by the “War on the poor and disadvantaged” that gives rise eventually to the fraud of Robo-Debt and the like.

The second can be seen with the level of fines for what is increasingly “invented offences” such as putting a used tea bag in the wrong bin.

So because the EU can not tax Google, Amazon, Meta and Co they are going to find ways of fining them to a similar amount. Whilst it won’t “kill the Corps” it will either get revenue from them, or cause them to nolonger trade in Europe which opens the market to those the EU can tax, fine, or both.

Clive Robinson • December 26, 2023 2:04 PM

@ Winter, JonKnowsNothing, lurket, ALL,

“Spying is already illegal.”

Says who?

Whilst there are restrictions on some of the guard labour in a given nation subjecting that nations citizens to both spying, surveillance, and other forms of espionage… As a general rule,

1, There are exceptions for “National security”.
2, There is no restrictive legislation for citizens of other nations and the citizens they contact.

Further any limitation only applies to activities inside the juresdictional boundries.

Thus any trafic,

1, “routed out” and back is fair game.
2, Intercepted abroad and sent back by another nations guard labour is fair game.

We know both of these are actively in use not just by SigInt agencies, but the Law Enforcment Agencies.

Take a look at the games behind the various fake “Secure Mobile Phone” companies run by Law Enforcment Agencies for other Law Enforcment agencies.

In short any restrictive legislation is totally ineffective, and was designed to be that way.

Pretending that “The Rule of Law” has some actual prevention of such tactics is a sad sad notion…

A few years back UK MP’s were horrified to be told that most if not all their communications was monitored legaly by GCHQ.

For years MPs had been incorrectly under the impression they were peotected under the Harold Wilson Doctrine,

https://www.theguardian.com/world/2015/oct/14/wilson-doctrine-spying-house-of-commons-surveillance

(note the date of the article nearly a decade old. It can be safely assumed that there has been no improvment, in fact we know the opposite is true and survailance on MPs has been significantly increased because of the use of “cloud” products that the “Sargent at Arms” of the “House of Commons” personally approved…).