Friday Squid Blogging: Sqids

They’re short unique strings:

Sqids (pronounced “squids”) is an open-source library that lets you generate YouTube-looking IDs from numbers. These IDs are short, can be generated from a custom alphabet and are guaranteed to be collision-free.

I haven’t dug into the details enough to know how they can be guaranteed to be collision-free.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Read my blog posting guidelines here.

Posted on December 29, 2023 at 5:08 PM • 76 Comments

Comments

vas pup December 29, 2023 7:00 PM

Are there health risks to using public toilets? Here’s what experts say.
https://www.yahoo.com/lifestyle/are-there-health-risks-to-using-public-toilets-140059968.html

“What makes public bathrooms particularly germy is the sheer volume of people that go through them, and the microbes that those people might be carrying,” Lena Ciric, professor of built environment microbiology at University College London, tells Yahoo Life.

“You ultimately just don’t know who’s been there and what they might have. It’s more sort of a game of chance than anything.”

That game is highly influenced by how often the bathroom is cleaned and how well it’s ventilated, as certain bacteria and viruses can linger on surfaces or in the air longer than others, Kevin Garey, chair of pharmacy practice at the University of Houston, tells Yahoo Life. Norovirus, for example, can survive on surfaces for up to four weeks.

There’s also concern about hand dryers circulating contaminated air. However, research says they make little difference to an indoor area’s bacterial load compared to the use of paper towels. Ciric adds that they may actually be helpful in diluting a concentrated plume of disease by mixing the air around, thereby decreasing its likelihood for infection. “It all depends on how much you’re starting off with,” she says.

It’s very unlikely that you’d get sick by stepping into and using a public bathroom. After all, in order to be infected, microbes have to enter your system, and that’s most likely to happen via ingestion from your very own hands, contaminated by surfaces like the toilet seat, flush handle, stall latch or faucet tap, Ciric says. But if you wash your hands well and don’t touch your face, you should be fine.

If you do happen to pick up a bug during your pee break, it’s most likely to be gastrointestinal, such as norovirus, E. coli or shigella, as those are found in feces, says Jyoti Kini, a primary care physician with Medical Offices of Manhattan. The likelihood of catching a virus like COVID in the bathroom, on the other hand, is low. “From a respiratory point of view, you’re in there for a relatively short time,” Ciric explains. “So it’s not the same as … sitting in a room with somebody for three hours.”

You also don’t have to worry about sitting on a toilet and contracting sexually transmitted infections such as chlamydia, gonorrhea and syphilis, Kini adds, because they die as soon as they leave the protection of the mucus lining. However, viruses such as hepatitis, HPV, HIV and herpes “can live outside the body on surfaces anywhere from a few seconds up to a few weeks,” she says.

Still, generally speaking, intact skin — meaning, not having an open wound — and our body’s existing healthy, protective microbes “do a really good job at preventing germs we pick up in public bathrooms or other places from causing infections,” says Garey. “For that reason, sitting on a toilet seat and picking up a few germs won’t generally make you sick.”

!!! The best thing you can do to avoid germs in a public bathroom is to minimize your contact with high-touch areas such as flush handles, toilet seats and faucet taps (or at least avoid touching your face after), and wash your hands as soon as possible and thoroughly “with soap and water, scrubbing with the soap for at least 20 seconds,” Garey instructs.

!!! It’s fine to use a toilet seat protector. But if you’re concerned about the seat specifically, it’s even better to carry disinfectant wipes to quickly clean the seat and flush handle — with the handle far more likely to be germy, as people touch it immediately after wiping, Ciric points out — before sitting down. If you’re extra cautious: Carry your own toilet paper to avoid using potentially contaminated — and let’s be honest, crappy one-ply — toilet paper within the stall, Kini suggests. Last, avoid putting your purse or other items on the stall floor as it “tends to be the dirtiest spot in the bathroom and is usually cleaned the least,” Garey says.”

Clive Robinson December 29, 2023 7:53 PM

@ Bruce, dorukayhan, ALL,

Re : Guaranteeing “Collision Free” requires unique mapping.

“I haven’t dug into the details enough to know how they can be guaranteed to be collision-free.”

If we assume a “free input” then it is effectively impossible.

Thus the input must somehow be constrained.

I am assuming that they will “pass the buck backwards” by stating as a minimum requirement that all individual inputs in their unreduced form “must be unique”. Which when you think about it quickly becomes near impossible, even with a finite set of inputs of, by modern standards, “moderate size”, without a “master record database” that has every so far generated record.

It would have to be distributed, thus would end up stored in a tree like fashion. Which is what in effect the DNS does.

However DNS is not compressed, to avoid the collision problem of all “Hash Functions of Finite Size”, and also all too frequently stops the use of an effective tree structure.

Obviously allowing an unconstrained input or output length is a very significant security risk as it’s open to all sorts of attack.

So yes it’s something that is shall we say “curious”.
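The two points above, Bruce’s question of how a short-ID library can promise “collision-free” and Clive’s answer that the input must be constrained, can be made concrete. What follows is an added illustration, not the Sqids library’s own algorithm (its encoding is not reproduced here): an encoder whose input is a list of non-negative integers is injective by construction, so it cannot collide, whereas anything that squeezes free input into a fixed-size tag must collide by the pigeonhole principle. The alphabet, the reserved separator symbol and all helper names are assumptions made for this example; the inputs to the collision search are constructed.

```python
"""Added illustration (not the Sqids library's own code): why an ID encoder can promise
"collision-free" only because its input is constrained to numbers, and why any scheme
that accepts free input into a fixed-size output cannot. Alphabet, separator choice and
helper names are assumptions made for this example."""
import hashlib
import itertools
from typing import Tuple

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"   # assumed custom alphabet
DIGITS, SEP = ALPHABET[:-1], ALPHABET[-1]            # last symbol reserved as a separator
BASE = len(DIGITS)                                   # 35 digit symbols


def encode_number(n: int) -> str:
    """Canonical base-35 spelling of a non-negative integer (no leading zero digit)."""
    if not isinstance(n, int) or n < 0:
        raise ValueError("only non-negative integers can be encoded")
    if n == 0:
        return DIGITS[0]
    out = []
    while n:
        n, r = divmod(n, BASE)
        out.append(DIGITS[r])
    return "".join(reversed(out))


def decode_number(s: str) -> int:
    """Inverse of encode_number. Rejects non-canonical spellings (a leading zero digit)
    and foreign symbols, so every accepted ID has exactly one spelling. Without this
    check "a" and "aa" would both decode to 0 and an ID could be respelled at will."""
    if not s or (len(s) > 1 and s[0] == DIGITS[0]):
        raise ValueError(f"non-canonical id: {s!r}")
    n = 0
    for ch in s:
        n = n * BASE + DIGITS.index(ch)              # str.index raises on a foreign symbol
    return n


def encode_ids(numbers: list) -> str:
    """One string for a list of numbers. Injective: each number has one canonical
    spelling and SEP never occurs inside a spelling, so decode_ids(encode_ids(x)) == x."""
    return SEP.join(encode_number(n) for n in numbers)


def decode_ids(s: str) -> list:
    return [] if s == "" else [decode_number(part) for part in s.split(SEP)]


def is_canonical_id(s: str) -> bool:
    try:
        decode_ids(s)
        return True
    except ValueError:
        return False


def check_injective(limit: int) -> bool:
    """Brute-force check that no two numbers below limit share an encoding and that
    every encoding round-trips."""
    seen = set()
    for n in range(limit):
        s = encode_number(n)
        if s in seen or decode_number(s) != n:
            return False
        seen.add(s)
    return True


def truncated_tag(data: bytes, hex_digits: int) -> str:
    """A 'short ID' derived from free input by truncating a hash: the case Clive
    describes, where no collision-free promise is possible."""
    return hashlib.sha256(data).hexdigest()[:hex_digits]


def find_truncated_hash_collision(hex_digits: int = 4) -> Tuple[bytes, bytes]:
    """With only 16**hex_digits possible tags, the pigeonhole principle guarantees a
    collision among 16**hex_digits + 1 distinct inputs; in practice one shows up after
    roughly the square root of that (birthday bound). Inputs are constructed."""
    seen = {}
    for i in itertools.count():
        data = f"record-{i}".encode()
        tag = truncated_tag(data, hex_digits)
        if tag in seen:
            return seen[tag], data
        seen[tag] = data


if __name__ == "__main__":
    ids = encode_ids([0, 35, 1234])
    print(ids, decode_ids(ids))                      # a9ba9baj [0, 35, 1234]
    print("injective below 10000:", check_injective(10000))
    print("non-canonical 'aa' accepted:", is_canonical_id("aa"))
    a, b = find_truncated_hash_collision()
    print("collision:", a, b, truncated_tag(a, 4))
```

The practitioner caveat is the canonicality check in decode_number: “collision-free” speaks to the encoder (one number, one string). A decoder that accepts several spellings of the same ID re-creates a collision on the input side, which matters as soon as IDs arrive from untrusted users and are compared as strings.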

ResearcherZero December 30, 2023 12:47 AM

It appears my phone has sunk to the bottom of the English Channel.

(paywalled)

“a grade A scope for disaster”

The issue is back on the political agenda after both Blair and former Tory leader William Hague called on the current Conservative government to revive the policy despite concerns about misuse of personal data. …a similar programme in Australia had been a failure: “The whole thing [was] scrapped within two years on the back of administrative cock-ups and a massive public backlash.”

‘https://www.ft.com/content/d94c5f67-ccd1-4231-9235-bf30fc8ac958

“The paper also suggests a digital ID system will help tackle the issue of migrants and refugees entering the country illegally on small boats.”

Tony is proposing the digital IDs be issued by a single government body, rather than outsourced. Considering the potential for issues or bugs within the system, as occurred at the Post Office and led to 736 people being prosecuted for crimes they didn’t commit, he admitted it would not be without problems.
https://metro.co.uk/2023/06/15/digital-ids-for-all-under-latest-proposals-from-sir-tony-blair-18951998/

‘trust framework’

“Industry sources also warned about the proliferation of authentication systems run by US-based tech giants, which they said amounted to the companies setting up digital ID systems by stealth.”

The ID would likely contain biometric information such as fingerprints and facial recognition.

‘https://ca.news.yahoo.com/bt-plots-role-digital-successor-160000264.html

“Engaging the private sector to ensure digital ID can be used to access private as well as public services is essential.”

‘https://www.institute.global/insights/geopolitics-and-security/digital-identity-roundtable-key-takeaways-0

Anymouse December 30, 2023 6:40 AM

Alert:

iPhone has no security preventing it being spied upon by foreign actors and our own intelligence agencies and LEA.

Remember Occupy Wall St movement
where taxpayers bailed out the gambling bets of Wall Street. Liar loans, toxic assets. Goldman Sachs betting the farm going up and then shorted on going down caused by security derivatives buying a rating of A+ at Moody’s

https://www.pbs.org/wgbh/frontline/documentary/meltdown/

Where were Intel Agencies & Feds? Inside the boardrooms consulting on how to destroy the Occupy Wall Street movement. How many CEOs of major corporations went to jail?

Well Apple knows about these exploits. Has anyone heard of BLUETOOL, NOT Bluetooth?
Lockdown is a joke. MITRE vulnerabilities in XPC services, SSH

Exploit in Wifi bypass, Home Control and FaceTime

Using oscillating freq at different rates, strengths and different variations targeting the chipset will cause buffer overflow in Darwin kernel /xnu root. Must be within a short distance.

One purpose of Havana Syndrome direct energy emp/rf pulse is to
1. exfiltrate data
2. Destroy evidence as it can fry the HD
3. Inject malicious code in buffer overflow crashing the Kernel

FBI knows this as I reported it to them so why the cover-up or blackout. This method could wreak havoc with any electronic device!

JonKnowsNothing December 30, 2023 1:08 PM

@All

re: US Bank with an AI induced Security failure

RL tl;dr

I had occasion to call my US bank (a major US bank) about a letter I had received with their letterhead informing me that I had “signed up” for an ID theft protection program and that if I did not authorize this feature, to call them within 60 days from the date of the letter (Dec 21 2023).

It was all very official looking, lots of code numbers, a QR code, and call this number, with the reverse side translated into Spanish.

It all looked dodgy to me.

So I called a different bank number, not the one on the paper, and was passed through 8 different departments about the letter. (1)

The opening phone tree seems to have been upgraded with AI or actually a downgrade in functionality.

The standard Please Answer These Questions So I Can Better Direct Your Call exchange started, and then it hit a Security Collapse question.

1) Name
2) ID
3) Verify Addresses
4) Which Account

5) NOW ENTER or SAY YOUR PIN NUMBER

For every human or maybe human, through 7 or 8 departments I informed them that I would never give my PIN to anyone, not a banker and not a robot.

One of the persons I talked to said

  • “Oh you can bypass giving us your pin if you don’t want to tell us”

So, they know exactly what they are asking for and NO you cannot bypass it … easily.

Since this was on the main number for the bank, every person calling in would have been required to divulge their PIN.

  • AI has decided that a PIN is no longer a secure private exchange method

===

1)
The letter is perhaps a different post because it is an Official Letter but the circumstances are dodgy for sure.

lurker December 30, 2023 4:51 PM

@JonKnowsNothing

My bank (NZ) repeatedly (on website, letter footers, &c.) says it will never ask for pin or password. If someone does ask, it’s not them: hang up.

Yet, their system must know my pin, or perhaps a hash of it. In earlier times we had to enter the pin on a new card through a little machine at the teller’s desk. Now when a replacement card arrives (in the plain old snail mail, no signature required) it has the pin “already installed, from your old card.” It becomes “activated” at first use in an ATM.

MK December 30, 2023 6:08 PM

My cell provider just instituted mandatory 2FA, even though I have turned it off. This is a problem as I live in an area with no SMS cell coverage. I’ll need to wait until next week to see if there is an alternative authorization method.

lurker December 30, 2023 7:01 PM

Eurostar train service disrupted:

A video taken inside the flooded tunnel shows water gushing onto the tracks from a pipe attached to the tunnel’s wall.

Thames Water said a “fire control system” was likely to have caused the flooding, rather than one of its own pipes.

The pipe appears in the video to be no longer attached. One might ask why there are not sufficient provisions for removing water from a tunnel that goes under a river. Penny-pinching? The Chunnel part of this line has the fire access in a separate service tunnel.

Also, St. Pancras? My simple mind assumed that a line from the south would terminate in south London.

‘https://www.bbc.com/news/uk-67846863

JonKnowsNothing December 30, 2023 10:45 PM

@lurker, All

re: why there are not sufficient provisions for removing water

There likely are but it’s all about stopping the water first and then pumping it out, the latter is what you are referring to.

The amount of water gushing from the fire pipe is likely to have been calibrated to handle large scale fires. Think: an entire train on fire. The water would normally be channeled through a series of nozzles and not gushing out on the floor. But you need a large volume of water, at a specific pressure, for a specific duration, which determines the amount of water that needs to come out of the pipe.

  • In California, new homes now need fire sprinklers as do large retrofit projects. For a home, the sprinklers, at least 1 per room, have to maintain a minimum of 15min full force throughout the system. (1)

So once the broken pipe is fixed or the valve shut down (2) then they can bring in the big sump pumps to empty the pool.

===

1) Not everyone is keen on this building spec which is designed to stop the house from burning down, which is a covered insurance event vs flooding the interior which is not a covered event. Once wall board is wet, it begins to mold fast. The entire interior has to be gutted, furniture trashed, the structure requires remediation and comes under New Building Codes which are not a covered insurance event.

To be sure a fire does pretty much the same thing except the insurance policy pays a higher percentage of the costs.

It is a big mess.

  • Neither will cover the full cost of rebuilding, as can be seen in many communities that have had urban or personal disasters.

2)
Because people do not like having the sprinklers go off due to burnt toast, they often shut off the sprinkler valve. The latest building specs require that there be No Shut Off Valve.

MDK December 30, 2023 11:37 PM

All,

No surprise here.

hxxps://cybernews.com/news/russian-zero-day-firm-offers-15m-for-a-signal-rce-exploit/

MDK December 30, 2023 11:40 PM

@All

No surprise here.

hxxps://cybernews.com/news/russian-zero-day-firm-offers-15m-for-a-signal-rce-exploit/

Happy New Years.

Clive Robinson December 31, 2023 2:34 AM

@ lurker,

Re : A so 90’s choice.

“Also, St. Pancras? My simple mind assumed that a line from the south would terminate in south London.”

And so it did back in the 1990’s at the much famed “Waterloo International” (which is still there but has spent a lot of time unused).

It’s well nigh impossible to find the real reasons behind shifting it into the “High Speed One” (HS1) project but you can be sure such a boondoggle had political backing / backseat driving pushing it along.

As for the “Channel Tunnel” proper, a funny story. It was assumed when designed that what was, and I believe still is, the world’s longest sub-sea tunnel was going to leak, thus water would have to be pumped out more or less continuously.

Only it turned out the amount leaked was way way smaller than designed for. Which was a problem as it was in reality too little for the pump systems to work with.

So the solution: artificially create the effect of leaks to the minimum required flow (ie in effect turn the taps on).

It’s been very many years since I actually walked in the tunnels prior to “The Chunnel” opening in ’94, and as tunnels go, from an engineering perspective, I remember they were quite impressive.

As for that HS1 tunnel under the Thames, it’s not just EuroStar trains it carries. A whole series of services from St Pancras to South East Kent and places like Hastings go through it as “London Worker” commuter trains. My son when young was a bit of a railway fanatic, so as a “Day Out” I took him on the then brand new Hi-Tech Hitachi trains down into Kent from St P and then came back by the old route and trains that were probably then more than 30 years old back to Waterloo.

I remember trying to teach him how to do Sudoku on the way back… I obviously was a bad teacher as, as far as I’m aware, in the decade and a half since he’s not touched one 🙁

His engineering interests have moved on to satellites and the like so maybe there’s hope 😉

Winter December 31, 2023 4:54 AM

@MDK

Russian zero-day firm offers $1.5m for a Signal RCE exploit

This could be interpreted that they have some difficulty in cracking Signal. At least on a scale useful in war.

Maybe, just maybe, this could actually mean that the Ukrainians have a point:

The use of the end-to-end encrypted messaging app Signal, widely held to be the most secure platform of this kind, has exploded in Ukraine since the beginning of the war.

Clive Robinson December 31, 2023 7:38 AM

@ Winter, MDK, ALL,

Re : Signal and other secure apps.

With regards the quote,

“The use of the end-to-end encrypted messaging app Signal, widely held to be the most secure platform of this kind, has exploded in Ukraine since the beginning of the war.”

The increase in use of a secure app does not in the least surprise me.

But I caution people about making assumptions on what it actually means.

Communications in war is mostly tactical not strategic, thus it only needs to be “message secure” for a few hours or days to be effective.

However most communications during peace that actually need security, need it for a very long time, like a lifetime or longer. And not just for “message security” but as importantly “traffic security”.

Because the most likely enemy you would be facing is a government agency / guard labour and they have no time limits on prosecuting action against you if for no other reason than vengeance and show trial / execution.

Which makes,

“This could be interpreted that they have some difficulty in cracking Signal. At least on a scale useful in war.”

A partially correct but easily misunderstood statement as it does not highlight the time or traffic elements.

But of interest for further thought,

“… for a Signal RCE exploit”

The implication of “RCE” is not “surveillance” of messages but “control” of the system. Which although they can overlap in results are two distinctly different functions.

This is a whole different ball park when it comes to security, and of a level well above traffic or message security.

So arguably the Russians may already have got past message and traffic security and be going for a way different form of attack level.

Winter December 31, 2023 8:54 AM

@Clive

But I caution people about making assumptions on what it actually means.

Massive use by well informed people whose lives depend on it not being broken by one of the more capable state spy agencies is good enough for me.

However most communications during peace that actual needs security, needs it for a very long time, like a lifetime or longer.

That is not my threat model.

If I ever need to worry about multi year threats, I will use different communication options. Say, if I were a woman in the American South, I would make sure I would not divulge anything about my body or health, ever.

JonKnowsNothing December 31, 2023 9:22 AM

@Winter, @Clive, All

re: would not divulge anything about my body or health, ever

Too late, if you ever have been to a MD.

One issue with multilevel, multiyear threats is that they change. Things that today are not a problem can become one years down the road.

The UK patients seeing their GP since 1920s had their paper charts scanned and now uploaded heading into the maw of Palantir.

They didn’t have any concept that a case of the clap would end up in the hands of the USA. Nor that tonsillitis in their children, and maybe surgery, which was common years ago, would end up in the hands of the CIA.

Your bank accounts are also gone too. The NSA hacked the SWIFT system years ago and track large scale financial exchanges. Hackers have hacked the local ATM and customer POS systems too (1).

Your data is gone a long time ago.

What authorities do with the data, is the threat you will not know until it is revealed.

===

1)
ht tps:/ /krebsonsecurity.com/

htt ps: //krebsonsecurity .com/category/all-about-skimmers/

Has a complete breakdown and schematic and many posts about SKIMMERS. Tiny simple devices they slip into ATMs and similar POS systems, that do MITM data capture including the PIN. The data ends up on the Dark Web for sale in bulk.

Winter December 31, 2023 9:47 AM

@JonKnows

One issue with multilevel, multiyear threats is that they change. Things that today are not a problem can become one years down the road.

If your own government is after you, technology is not going to save you.

Clive Robinson December 31, 2023 11:26 AM

@ Winter, JonKnowsNothing, ALL,

Re : Low hanging fruit.

“If your own government is after you, technology is not going to save you.”

It rather depends…

If you are say Ed Snowden, then whilst technology might make you physically safer, you’ve already come to too much notice and way too many stupid numpties in Government have foolishly “set their reputation on your destruction”… Thus, like a bunch of dumb herd creatures, they have crossed a tipping point they can not get back from.

So Ed will probably have to wait for the silly old farts to become dead in one way or another.

Then there are those who are the level of criminal where their activities are measured in millions a year and form self interested groups.

Whilst some are actually smart and choose low profile crimes etc so you don’t get to hear about them, and quite often they live as respected individuals in their chosen community (some have been found to be elected public officials etc).

Some other criminals, even if smart, make the mistake of working in crimes that harm humans in ways that are generally abhorrent to the general public. Thus their crimes attract attention in the media which forces politicians to force law enforcement agencies to use disproportionate amounts of resources against the criminals concerned.

Whilst other criminals are not smart at all and make themselves and their activities widely known as they “big it up”.

The thing that is important to remember is that generally “Government agencies” are “Resource Limited”. Which means the principle of low hanging fruit comes into play.

If you are smart you can always be on a level several above the low hanging fruit. Unless given incentive otherwise government agencies will go for the greatest number at minimum resource cost, “to meet targets” or other performance indicators set by politicians.

If you take care to stay off the radar, and take other precautions so you are as fully decoupled as you can be, then the cost of apprehending you becomes higher than is worth the resources involved.

Which means that they will as an outside third party, go for getting an inside second party betrayal.

There are two things in effect you need to do as a criminal or other who might become of interest to a government agency,

1, Have more to trade with a third party than any second party you deal with has on you (that way any second party knows the price of betraying you is probably too high).

2, Only use deniable communications between you and any second party. I’ve mentioned this a couple of times. In essence you send every message in an encrypted form which can be decoded into any other message of the same length or less.

If the 2nd PTY hands over a key to the 3rd PTY, then if it is generated “algorithmically” at some usually quite short length the probability of it not being the right key gets so small it’s realistically seen as improbable unless you can provide a key that fits as well or better by some measure.

Whilst you can, by using a non algorithmically generated key, stop “betrayal of past events being meaningful”, you have the problem of “betraying the future being meaningful”. That is if the 2nd PTY has too much key material they can hand over that which is unused to the 3rd PTY, who then waits for the 1st PTY to send a new message that incriminates.

Thus as the 1st PTY you need to come up with a way that none of your messages incriminate you.

Interestingly there are ways you can do this, but you have to take great care that you do not create a correlation or anticorrelation that can be used as a discriminator to incriminate you.

Thus if you must go down the indirect communications route a third party can monitor or trace back to you, low information content, short, banal, messages are best.
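The two key regimes Clive contrasts above can be shown side by side. This is an added example, not Clive’s code: with a one-time pad, anyone holding the ciphertext can manufacture a key that “decrypts” it to any cover story of the same length or shorter, so a handed-over pad key proves nothing; with a key generated algorithmically from a short seed, only one seed in the whole seed space expands to the real keystream, so the handed-over seed is convincing and no cover story can be fitted to it. The toy SHA-256 counter keystream, the 16-bit seed space (small enough to search exhaustively here), the space padding of a shorter cover story and the messages are all constructed for this illustration.

```python
"""Added illustration (not from the comment above): a one-time pad is deniable because
a key can be fabricated after the fact that 'decrypts' the ciphertext to any cover
story of the same length or shorter, while a short algorithmically generated key cannot
be. The toy keystream, 16-bit seed space and messages are constructed for this example."""
import hashlib
from typing import Optional


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(key: bytes, plaintext: bytes) -> bytes:
    if len(key) < len(plaintext):
        raise ValueError("a one-time pad must be at least as long as the message")
    return xor_bytes(key, plaintext)


otp_decrypt = otp_encrypt            # XOR is its own inverse


def forge_otp_key(ciphertext: bytes, cover_story: bytes) -> bytes:
    """Return a key under which ciphertext 'decrypts' to cover_story. A shorter cover
    story is space-padded to the ciphertext length (an assumption of this example).
    Because key = ciphertext XOR cover_story always exists, the real key is no more
    plausible than any forged one."""
    if len(cover_story) > len(ciphertext):
        raise ValueError("cover story must be no longer than the ciphertext")
    return xor_bytes(ciphertext, cover_story.ljust(len(ciphertext), b" "))


def keystream(seed: int, length: int) -> bytes:
    """Toy algorithmic key: SHA-256(seed || counter) blocks. Only the short seed is ever
    handed over, so the whole keystream is determined by a few bytes."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed.to_bytes(4, "big") + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def stream_encrypt(seed: int, plaintext: bytes) -> bytes:
    return xor_bytes(keystream(seed, len(plaintext)), plaintext)


stream_decrypt = stream_encrypt


def find_seed_for(ciphertext: bytes, claimed_plaintext: bytes, seed_bits: int = 16) -> Optional[int]:
    """Search the whole seed space for a seed that decrypts ciphertext to
    claimed_plaintext. The true plaintext yields the true seed; a fabricated one yields
    nothing, because the chance that any of 2**seed_bits seeds expands to a chosen
    20-byte target is about 2**seed_bits / 2**160. A handed-over short key is therefore
    convincing, and a cover story under it is not."""
    target = xor_bytes(ciphertext, claimed_plaintext)
    for seed in range(1 << seed_bits):
        if keystream(seed, len(target)) == target:
            return seed
    return None


if __name__ == "__main__":
    real = b"meet at dock at 0100"                 # constructed message
    pad = bytes(range(20))                        # constructed pad (never reuse a real one)
    c = otp_encrypt(pad, real)
    fake = forge_otp_key(c, b"happy new year folks")
    print("pad, forged key decrypts to:", otp_decrypt(fake, c))
    sc = stream_encrypt(0x1234, real)
    print("stream, seed for real text:", find_seed_for(sc, real))
    print("stream, seed for cover story:", find_seed_for(sc, b"happy new year folks"))
```

The second half is the "quite short length" case in the comment: at 16 bits the search finishes in well under a second and finds exactly one seed, the real one. A real seed is far too large to search, but the argument is the same: a seed the second party hands over either reproduces the keystream or it does not, and there is no second seed that yields a harmless reading.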

Cyber Hodza January 1, 2024 12:59 AM

@MDK – re Signal zero day, something doesn’t make sense here as if Russian state hackers can’t break the Signal communication, they would most likely approach other state level actors directly for a possible exploit (China, N Korea and possibly Israel) . On the other hand, other actors would neither sell to them nor have technical expertise to discover a zero day in Signal.

JonKnowsNothing January 1, 2024 6:35 PM

@All

re: The non security of things thought to be secure

On Marcy Wheeler’s site she has an interesting analysis of a legal case where iPhone, bank transfers and various other financial transactions took place, or perhaps took place by other people using multiple devices, or which may be duplicate transactions.

One of the interesting aspects of this time-line analysis, which is from a legal proceeding, is based on the court submitted information and evidence:

  • Attribution is not Easy.

Per the analysis, the attribution of who made certain electronic transactions is in question. It’s an interesting case in forensic data tracking.

====

ht tps://w ww.emptywhe el.net/2024/01/01/what-joseph-ziegler-didnt-find-when-he-looked-for-hunter-bidens-sex-workers/

  • Joseph Ziegler, the disgruntled IRS agent who built a tax case on the digital payments Hunter Biden made during the depth of his addiction, is quite proud that he found one of the sex workers who slept with Joe Biden’s son.

The article continues with an analysis of what digital payments went where, to whom, which ones flopped, which ones were blocked, and which devices were online or missing yet described as the source of a transaction, lots of device resets, password resets, FaceID resets, lost devices, different devices from multiple locations (at the same time).

lurker January 1, 2024 8:16 PM

@JonKnowsNothing

Are ‘Murrican ATMs really that dumb? Ours spit out the card first. You must take the card before it will give you the cash. If you don’t take the card inside a 30 second timeout the card is swallowed and the transaction is cancelled. These actions are recorded on the account.

Maybe the story given is light on detail, he took the card and cash, then reinserted the card for another transaction but got “distracted”…

Our machines eject card first only for cash withdrawals. AFAIK for all other transactions the card is held and the ATM asks “Do You Wish to do Any More Actions?” Those with a cluebat leave the cash withdrawal till last.

Clive Robinson January 1, 2024 11:56 PM

@ Bruce, SpaceLifeForm, ALL,

Re : Economic cost of stalled shipping.

As some may know the Panama Canal is a “Ship Elevator” system using locks and millions of tonnes of water.

The problem

“What happens when you have a drought”

As we currently do… Shipping slows down or just stops, or it’s priced out.

Likewise many will have seen the Red Sea is in the news currently with billions of dollars of Navy assets costing billions a week to run anti-anti-ship systems, where each missile launched is the GDP of a small US Town. With the target it’s aimed at costing little more than the price of a good night out for a group of friends…

Economically not a good balance.

Then through additional insurance at up to 1% of “all loss” ship and cargo value, the $1,000,000 in extra operating expenses going for just one long route around the whole of Africa looks like a good bargain.

But what havoc does that extra fortnight add in terms of “missed connections”? Add that in and suddenly “Air Freight” starts looking good.

But… There is in practice a shortage not just of ships but aircraft, trains, lorries etc, thanks to neo-con “don’t leave money on the…” mantras etc supply chains are fragile and under resourced at the best of times.

Thus basic “supply and demand” economics comes into play across the whole supply chain around the whole world.

You might have paid for shipment, but when everyone now asks a premium and can not get it, you go to the bottom of a list that says your goods don’t get shipped any time soon, if ever.

So you probably don’t get your goods or money back… So your supply chain is not just broken, your “Just In Time” (JIT) schedules and Kanban system have just been “deep sixed” to “40,000 leagues” or similar. You can not supply so your income stream stops but your costs don’t. It’s not hard to see where things are heading along with the led kippers…

Now think about that across a whole nations economy including food and fuel and fertilizer supply… You thought that “Organic Tomato was expensive” just you wait and see how much the price of basics such as potatoes and wheat goes up…

For instance cooking oil has doubled in price at least in the past year, there is no reason it won’t do that again not just this year but for the next three years due to fertilizer not being shipped.

It might be an inconvenience for the upper middle class, but what of the bottom of the socio economic ladder where food and fuel is more than 50% of their actual pay in hand?

Much though they are ignored, they form the bottom layer upon which the rest of society is built.

Now think further, how many of those things you have around you that were actually produced in some way in “third world” countries where starvation is only a days pay away at the best of times…

When you go on to consider that the two canals are just a couple of quite a number of Maritime “Choke Points” I’ve already mentioned you start to realise that it’s not just fragile in places, but fragile across the whole world in a way most just can not easily grasp.

Rather than have me go through it again in my rather dry way…

I’ll say listen to this latest from Perun,

https://m.youtube.com/watch?v=8GKlKYQDDcQ

(Fast forward to the section where the economics start).

Oh and for those who have wondered why over the past decade or two I’ve mentioned all this several times along with other “choke points” such as in information flows in subsea cables well hopefully the “second pair of eyes” perspective will help.

Happy New Year to you all, hopefully we will all make it to next.

Ismar January 2, 2024 1:07 AM

@Clive – good analysis as always. I would just add that it is going to be us, ordinary citizens, paying from our own pockets for someone else’s wars again and again. So more price hikes on basic goods and energy in the New Year.

Tatütata January 2, 2024 2:38 AM

Happy chronometer digit flip!

This is a test. I repeat, this is a test. Do not disregard.

I’ve been trying to post a short comment here for some time about the German CCC year-end meeting returning, but it never goes through. Can’t figure out what’s wrong with it. Or is it me?

JonKnowsNothing January 2, 2024 3:11 AM

@Tatütata, All

There are many oddities about the Hold Back on some posts. A number of posters have problems but few are the same.

Sometimes there is an odd non-printing letter that is part of a cut and paste from an article that is used as a tracking beacon for the publisher. I’m sure I’ve had that a few times because I copied text directly from a reference source.

  • I once copied some articles for personal reference and when I pasted them into a simple editor every paragraph had a URL graphic link with a “mouse over” or “page down” trigger to track how much of an article you read.

When in doubt I drop the copy into a plain text editor to clip the hidden URLs.

The one that I get most often is a clash with the naughty word list, for words that are not naughty but the parser is looking at REGEX segments in the word for naughtiness.

  • bases-ment, easem-ent are examples in English

Sometimes, you just cannot tell at all what the problem is and need to post multiple times and break the comment into sections to find out what will go and what won’t go. Part 1-Part 99

JonKnowsNothing January 2, 2024 3:49 AM

@Clive, @ Bruce, @SpaceLifeForm, ALL

re: paid for shipment but do not get it

There is a contract condition that many consumers are unaware of but is very important if you are shipping items to-from any location on a regular basis.

Consumers use Postal Services or Small Package Shipping Companies. Large on-line consumer stores also use Small Package Shipping Companies.

But for larger items, entire train loads of product, whole cargo ships worth, large building or supply orders you run into the commercial terms:

  • FOB Shipping Point
  • FOB Destination

This determines the location where the legal change of ownership happens. Either when it leaves the factory or when it arrives at the destination address.

Most manufacturers will only use FOB Shipping Point. Once it is on the designated truck-train-plane to you, you own it and are responsible to get insurance coverage for it while it is in transit (optional).

The manufacturer will warranty defects in manufacturing but not if the trucker damages the item in transit.

  • Farm prefab pipe panel fencing comes FOB Shipping Point. You have to have transit insurance coverage in case the panels get dented during transport. Otherwise, you own a load of dented fence panels.

===

https://en.wikipedia.org/wiki/FOB_(shipping)

  • FOB (free on board) is a term in international commercial law specifying at what point respective obligations, costs, and risk involved in the delivery of goods shift from the seller to the buyer

ResearcherZero January 2, 2024 4:29 AM

‘https://www.abc.net.au/news/2024-01-02/victoria-court-system-targeted-in-cyber-attack-russian-hackers/103272118

There is no indication that the news industry will reverse its decades-long decline.

‘https://www.poynter.org/business-work/2023/2023-was-the-worst-year-for-the-news-business-since-the-pandemic/

The loss of thousands of local newspapers across the country is depriving communities of some of the glue that holds them together and fueling division.
https://www.pbs.org/newshour/show/the-connections-between-decline-of-local-news-and-growing-political-division

“partisan fighting gets too much attention while important issues facing the country get too little”

‘https://www.pewtrusts.org/en/research-and-analysis/articles/2023/12/15/beyond-polarization-finding-a-way-forward

Broad public awareness of the collapse of local news in the U.S. is likewise scarce.
https://niemanreports.org/articles/state-public-funding-local-news/

“The aim is to silence those who dare tell Australia’s dirty secret.”

It’s a phenomenon that we’ve seen for decades that the News Corp columnists gang up on individuals or organisations that they don’t like.

‘https://truthout.org/articles/how-the-murdoch-press-keeps-australias-dirty-secret/

“For Murdoch newspapers, ordinary notions of journalistic ethics simply went out the window.”

There is a fundamental misalignment between profit-seeking and democracy’s need for a well-informed public.
https://www.currentaffairs.org/2023/08/how-rupert-murdoch-destroyed-the-news

“the local press is an effective monitor of corporate misconduct — closures increase facility-level misconduct”

Studies show that areas with fewer local news outlets have lower levels of civic engagement, voter turnout and political accountability.

‘https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3889039

Tatütata January 2, 2024 9:40 AM

My test comment went through without being “routed to moderation”, which I came to see as synonymous with “flushed”. This is my 7th attempt at posting the one below, with yet some more tweaks, and this time separated in parts. The frustration resulting from apparently random flagging/deletion of comments is one of the main reasons I don’t come here that often anymore. I’m pretty much down to breaking up the text into individual sentences.

After the 2020-2022 eclipse, the annual German CCC congress is at last back in a non-virtual format, and has also returned to the Hamburg venue.

[end of part 1]

Tatütata January 2, 2024 9:43 AM

Hurray! The bug is indeed still out there, but watching people actually deliver on-stage (and receiving applause) is rather more satisfying than enduring some poorly lit bloke droning endlessly out of a base==ment [is that word the offender???] somewhere.

See media.ccc.de/c/37c3

Many, if not all, videos are also available on YouTube. There are north of 100 videos online. Happy binge-watching.

[end of part 2]

Tatütata January 2, 2024 9:54 AM

[At last, after paraphrasing left and right, the under-ground word was the offender. It took me a bit of parsing to see why, and frankly this is silly. Note to self: never try to discuss base-60 computation]

Some presentations caught my attention.

“Breaking ‘DRM’ in Polish trains” explains how some regional trains began showing mysterious problems which couldn’t be repaired by anyone else but the original supplier. (After the expiry of the warranty period the maintenance contract had been put out to tender and granted to third-party vendors.) An analysis of the on-board software showed that every unit delivered hosted different code, which included some strange tests involving a number of conditions…

“All […] are broadcasting” presents the reverse-engineering of TETRA security, and demonstrates that the system which is in use in dozens of countries has essentially worthless authentication and encryption procedures. The evidence suggests that this might not be unintentional…

“NEW IMPORTANT INSTRUCTIONS” discusses security implications of LLMs (Large Language Models) such as ChatGPT, with many examples of remote code execution and data exfiltration. A different talk, in German, speaks of “Social Engineering” attacks on LLMs.

[Final part. Phew. All that for 5 letters. Even with the word-split examples provided above I initially just couldn’t see it.]

Thanks.

Tatütata January 2, 2024 10:08 AM

Drunk with my newfound knowledge, I grep‘ped one of the word lists I keep, in the English language, for word games, anagram search, and other stuff, and found about 45 words containing the censored sequence:

abase.ent advertise.ent advertise.ents advise.ent amuse.ent amuse.ents appease.ent appease.ents appraise.ent base.en base.ent base.ents case.ent case.ents chastise.ent debase.ent disburse.ent disburse.ents disenfranchise.ent disenfranchise.ents disfranchise.ent disfranchise.ents disguise.ent disguise.ents disperse.ent ease.ent ease.ents encase.ent endorse.ent endorse.ents enfranchise.ent enfranchise.ents excise.en horse.en house.en indorse.ent norse.en reappraise.ent reimburse.ent reimburse.ents se.en se.ens subbase.ent subbase.ents verse.en warehouse.en

I would use (and have used) many of these here without a second thought.

The three-letter Latin loan word beginning in “c” and ending in “m”, signifying “with” or “plus”, is found within 180 other words, including the middle syllable of the elongated green fruit called “Gurke” in German, which is used in salads and tzatziki.

emily’s post January 2, 2024 10:53 AM

@ JonKnowsNothing

Re: underground

I believe PA.RSER and REG.EX are among those ancient capricious chthonic gods. “Burner” phone takes on a whole new meaning in this context.

lurker January 2, 2024 11:54 AM

@Clive Robinson
re: shipping delays

You missed one choke point, shortage of pilots due to the number who made a significant permanent career change while the planes were not flying. Those flying schools that survived C19 are now doing brisk business.

Clive Robinson January 2, 2024 12:24 PM

@ Bruce, ALL,

Fake News covered by AI generated stories.

I don’t know if you saw this from just before the holidays,

https://www.bbc.co.uk/news/world-us-canada-67766964

But it covers how “Fake News” gets hidden in AI modified/generated stories, so appears almost in the noise. Then the Fake News gets amplified by people “in the know”.

But at a simple look, to most it might appear to come from a real news channel etc.

I expect to see a lot more of this kind of trickery.

vas pup January 2, 2024 4:45 PM

Mark Zuckerberg sparks outrage with plan for multimillion-dollar Hawaiian compound: ‘There’s cameras everywhere’
https://www.yahoo.com/news/mark-zuckerberg-sparks-outrage-plan-020000976.html

“A WIRED report revealed Zuckerberg’s plans to construct a private 1,400-acre compound called “Koolau Ranch” on Kauai. Allegedly, the $270 million property will include two mansions, a gym, a tennis court, pools, spa facilities, guest houses, operations buildings, and even an underground bunker.

=>WIRED’s interviews with former contractors for the compound revealed that workers were required to sign strict NDAs and were observed under military-like security measures. Employees were allegedly fired for sharing social media posts on the property.

Allegedly, Zuckerberg created a number of “shell” businesses to own Koolau Ranch on his behalf. According to WIRED, these shell businesses filed lawsuits that pressured locals with ancestral land rights to either sell their stakes in the land or bid for them at auction.”

Q: Is this area earthquake safe, volcano eruption safe, to provide security for the compound against natural causes?

Tatütata January 2, 2024 4:54 PM

I have partially recovered from my freakout.

On SQIDS:

I haven’t dug into the details enough to know how they can be guaranteed to be collision-free.

I took a few minutes to look at the library on github.

https://github.com/sqids

There can be no collisions because this is not a hash library, but merely a transcoding function, similar to what Base64, Ascii85, and, for the near-fossils among us, DEC’s RAD50 do, but with the wrinkles that the transcoding alphabet can be an arbitrary 7-bit ASCII sequence, the input is an integer instead of a sequence of octets, and that a list of taboo words to be avoided in the transliteration can be defined.

Its value comes IMO from the fact that the code is maintained for a range of languages, but the actual module is very short. In the Python version, the class sqids.py contains exactly 130 non-blank lines, and the only other file of some significance contains the default encoding alphabet (its regex equivalent would be [A-Za-z0-9]), and the list of about 560 “spicy” words to be avoided. I think one can work out in one’s head without looking at the code how this list is handled.

The taboo list is somewhat trivial. I recognized entries in English, French, German, Spanish, Italian, and Portuguese, there might be more. Their variations with the Is and Os replaced with 1s and 0s respectively are also included.

But how was it created? Some of George Carlin’s seven words are not in there. The word “schwachsinnig” (“feeble-minded”) was actually found until recently in the German criminal code to define categories of defendants with reduced responsibility, until it was modernized. (I bet that the previous StGB wording has a Nazi origin, there’s still quite a bit of that crap floating around).

Interestingly, the 5-letter word which I believe was the source of my grief is not in that list. But the three-letter one I mention later is.

The Mexican slang “chingón” and its variations are on that list. I learned it when I watched “Better Call Saul”, and my perception of it is that it can be more something of a compliment, even though it does have se-xual connotations.

SQIDS used to be called HASHIDS. I suppose that the change happened because of the misunderstanding “HASH” could induce.
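A toy transcoder to illustrate the point made in the comment above. This is an added example, not Sqids’ own code and not from the original post: an integer-to-string encoding over a custom alphabet is a bijection, so distinct inputs cannot collide. The “store the alphabet rotation in the first character” trick for dodging blocklist words is a hypothetical scheme of my own, not how Sqids does it.

```python
"""Toy integer->string transcoder (constructed example, NOT the Sqids algorithm).

Shows why such an encoder cannot collide: it is a positional-notation
bijection, not a hash. The blocklist-avoidance scheme (rotate the alphabet
by an offset and store that offset as the first output character) is a
hypothetical design for illustration only.
"""

DEFAULT_ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
# Constructed placeholder blocklist; real lists are far longer.
DEFAULT_BLOCKLIST = ("bad", "evil", "0ops")


def _check_alphabet(alphabet: str) -> None:
    """Mirror the constraints a custom alphabet must satisfy."""
    if len(alphabet) < 3:
        raise ValueError("alphabet must have at least 3 characters")
    if len(set(alphabet)) != len(alphabet):
        raise ValueError("alphabet characters must be unique")
    if any(ord(c) > 127 for c in alphabet):
        raise ValueError("alphabet must be 7-bit ASCII")


def _to_base(n: int, alphabet: str) -> str:
    """Canonical positional encoding of n >= 0 (no leading zeros)."""
    base = len(alphabet)
    if n == 0:
        return alphabet[0]
    digits = []
    while n:
        n, r = divmod(n, base)
        digits.append(alphabet[r])
    return "".join(reversed(digits))


def _from_base(s: str, alphabet: str) -> int:
    base = len(alphabet)
    n = 0
    for ch in s:
        n = n * base + alphabet.index(ch)
    return n


def _is_blocked(s: str, blocklist) -> bool:
    """Case-insensitive substring match, like a naive taboo filter."""
    low = s.lower()
    return any(word in low for word in blocklist)


def encode(n: int, alphabet: str = DEFAULT_ALPHABET, blocklist=DEFAULT_BLOCKLIST) -> str:
    """Encode a non-negative integer.

    Output = offset character + digits of n in the alphabet rotated by that
    offset. Because the offset is part of the output, decoding needs no
    hidden state, and any offset whose output avoids the blocklist will do.
    """
    _check_alphabet(alphabet)
    if n < 0:
        raise ValueError("only non-negative integers are supported")
    for offset in range(len(alphabet)):
        rotated = alphabet[offset:] + alphabet[:offset]
        candidate = alphabet[offset] + _to_base(n, rotated)
        if not _is_blocked(candidate, blocklist):
            return candidate
    raise ValueError("every rotation hits the blocklist")


def decode(s: str, alphabet: str = DEFAULT_ALPHABET) -> int:
    """Invert encode(); rejects characters outside the alphabet."""
    _check_alphabet(alphabet)
    if not s or any(ch not in alphabet for ch in s):
        raise ValueError("string contains characters outside the alphabet")
    offset = alphabet.index(s[0])
    rotated = alphabet[offset:] + alphabet[:offset]
    return _from_base(s[1:], rotated)


def collision_free(limit: int, alphabet: str = DEFAULT_ALPHABET, blocklist=DEFAULT_BLOCKLIST) -> bool:
    """Exhaustively check injectivity and round-trip for 0..limit-1."""
    outputs = {encode(n, alphabet, blocklist) for n in range(limit)}
    if len(outputs) != limit:
        return False
    return all(decode(encode(n, alphabet, blocklist), alphabet) == n for n in range(limit))
```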

Clive Robinson January 2, 2024 5:33 PM

@ Tatütata,

“The frustration resulting from apparently random flagging/deletion of comments is one of the main reasons I don’t come here that often anymore. I’m pretty much down to breaking up the text into individual sentences.”

You might have noticed that you are not the only one discouraged, many no longer post since the blog moved host.

But the “random” effect is possibly caused by the number of attempts you make in a given time period. Kind of like the old password thing of three tries then wait an hour to stop repeat guessing but not give the support staff grief.

Getting down to the sentence or word can be frustrating.

One way to “speed it up” is using a “binary chop” method where you find if it’s the first half or not.

Then by a process of halving the half and so on get down to where you can often guess what the offending word might be.

I get the feeling[1] there may be a two list system in play. That is you have a “naughty word list” that just string matches irrespective of if it is part of a word or not. Then it takes the whole word and checks it against an “OK word list” if it’s in that list it lets it go[2].

[1] Obviously I don’t want to do more than minimal testing, as having odd bits of posts pop up is going to be annoying for others. So I’m working on the “if the cap appears to fit… Just nail it to the head” technique 😉

[2] In times past I’ve mentioned the apocryphal story of a Town Council in England that had a new “naughty word filter” added over a weekend. Many were surprised Monday morning to have empty inboxes. The filter was for some reason rejecting 100% of the emails that were replies to outbound emails. Then someone “remembered” that the town name held a naughty four letter word… Yup the filter saw it and deep sixed the emails…

Clive Robinson January 2, 2024 5:38 PM

@ Marty K., ALL,

“But all computation is base-60.”

Only if you need the big hand to go around again…

vas pup January 2, 2024 5:56 PM

US tech giant Palantir decides to hold first board meeting of new year in Tel Aviv
https://www.timesofisrael.com/us-tech-giant-palantir-decides-to-hold-first-board-meeting-of-new-year-in-tel-aviv/

“US data-analysis software giant Palantir Technologies announced on Tuesday that it will hold its first board meeting of the new year in Tel Aviv to show solidarity with Israel, as the country is nearly three months into a war with the Hamas terror group.

“We stand with Israel,” Palantir said in posts on X and LinkedIn. “The board of directors of Palantir will be gathering in Tel Aviv next week for its first meeting of the new year.”

The Denver-based data-mining firm has been active in Israel for the past decade and has an office in Tel Aviv run by many former Israeli government officials.

!!!Palantir develops software using artificial intelligence to analyze vast amounts of facts and figures that the firm says help investigators uncover human trafficking rings, find exploited children, and flag complex financial crimes and insider trading.

Public health organizations are deploying Palantir’s software platform to track and contain the spread of deadly diseases. On the defense front, the US firm says its AI technology platform can be used to help deter and defend against military attacks.

=>Last year, Palantir secured multi-million dollar government contracts, including with the US Army to bring artificial intelligence and machine learning into battlefield applications and with the UK’s state-run National Health Service (NHS) to develop software for a patient data-sharing platform.”

Clive Robinson January 2, 2024 6:30 PM

@ Ismar, ALL,

Re : For whom the tax bell tolls.

“I would just add that it is going to be us, ordinary citizens, paying from our own pockets for someone else’s wars again and again”

It is, whatever way you look at it, a tax inflicted on the least able to pay, by those whose intention is never to pay.

It does not matter if the price is labour, gelt, sweat, or blood of life, they demand it be paid…

Yet we outnumber them and their guard labour… Hence their incessant demand for the technology of surveillance so they can try to see in time.

Many thought my views paranoid back near a half century ago, now in some ways I’m not paranoid enough.

But is it paranoia when you watch it unfold from distant vision of what might be to harmful reality of what is, and more is becoming ever closer?

Not so much Xmas past, present, and future, but evil like an endless train crossing a distant horizon and thundering down upon us…

Clive Robinson January 2, 2024 6:58 PM

@ emily’s post, ALL,

“I know, citation reqiired.”

Ah memories of enjoyable times past.

I used to have those Calvin Days, but architecture was so not me, it was just poor art painted in bricks and glass.

So I learnt to make canoes, boats and even planes, and the world of Pirates snared me… Before I was old enough to shave I was riding not wind nor wave of tangible matter but the intangible mostly invisible waves from moving charge. Just as I was starting my professional studies in electronics and communications, computers became 8-bit home and single chip to microcontrollers. Before I got the proverbial key to the door, I had designed a robot to turn it for me. Then security called its siren song… A very young passion for locks became no more a hobby but a profession and so it went on, hobby after hobby fell, to the relentless desire.

I gave agency to silicon and still do, in the likes of space payloads.

Yes I feel Calvin’s desire every day, but not to bind man to a rock and peck out his liver, but to give him fire to ride, to free him to walk and fly amongst what we once thought of as the domains of gods.

How on earth could being an architect compete 😉

Marty K January 2, 2024 8:22 PM

@ Clive Robinson

Only if you need the big hand

The big hand has gone round many times before. Of something that has happened, it is necessary that we can only say it happened, that is, necessarily it happened, that is, it needed to have happened. This moment is typical. Therefore, the big hand needs to go round again. Therefore, all our computations are base-60.

Ismar January 2, 2024 8:35 PM

@Clive – like your quote from Dracula,

Here is one from my favourite book:
“The mystery of life isn’t a problem to solve, but a reality to experience”

Hope your health serves you well in this year

Tatütata January 3, 2024 12:03 AM

The CCC conference hosted a seriously impressive presentation by three Kaspersky researchers explaining the details of the “Operation Triangulation” Zero-Click iPhone Malware, which was reported here in June 2023.

The malware is also very impressive, and relies on a very long chain of vulnerabilities that makes the life cycle of Plasmodium falciparum (the Malaria parasite) look trivial in comparison.

The initial infection came through a PDF containing a special font. An obsolete system call in the TrueType font definition which was last used about 30 years ago was still present in the API, and had a vulnerability (CVE-2023-41990). So just any interaction with the file would be sufficient to provoke the initial infection. A subsequent step involves a large (10+ klocs) JavaScript module, which is run without passing through the JIT compiler, providing better memory access. Further down the line a way is found to bypass memory protection and access the kernel through an undocumented backdoor put in place by the manufacturer, some sort of DMA vulnerability: if you write an address to a certain memory mapped control register address controlling the GPU, together with its hash, then the GPU will access the memory directly. All you need to know is the special hash function, which is an S-box.

A few steps later, the payload is ready to be downloaded, after the victim is validated (twice) as a being on the hit list.

At that point, the phone is an open book. The malware has features to check whether it is run in an emulator, whether there is security software present, clear logs, etc. The developers had made some mistakes here.

The instructions on how to connect to the C&C system are obtained through Apple messaging, and the initial clues came from traffic analysis of the internal corporate WLAN. The researchers then made heavy use of a TLS MITM proxy, against which the malware wasn’t equipped.

Among the novel features of the payload, Apple’s AI based image tagging is used to select which photos might be of interest to the spies.

What I found surprising is that the researchers, who I believe are based in Moscow, managed to get Schengen visas, and were allowed to leave Russia, even though they are of cannon-fodder age… Crossing the external EU border is also a lot more complicated these days, with the currency restrictions and the suspension of direct air and rail travel. One wonders whether politics are involved… By its sheer complexity, the malware and its infrastructure are clearly the product of a large-scale effort.

The presenters resisted against any attribution. They did state however that there were signs in the code that showed that it has been developed for at least one decade.

ResearcherZero January 3, 2024 2:28 AM

‘https://www.reuters.com/world/india/indias-top-court-asks-regulator-complete-adani-group-probe-within-3-months-2024-01-03/

“Two sets of accounts were done. One was for regulators. The second set was for each investor mapping their holdings.”
https://www.ft.com/content/8d46b435-9725-46d4-80be-2cb3e276c4c9

BLASTPAST forensic report

South Asia editor of OCCRP among those recently targeted from the same attacker-controlled email address.

‘https://securitylab.amnesty.org/latest/2023/12/pegasus-zero-click-exploit-threatens-journalists-in-india/

Journalists attached to the project became subject to intimidation and surveillance.
https://www.theguardian.com/world/2023/aug/31/modi-linked-adani-family-secretly-invested-in-own-shares-documents-suggest-india

‘https://developer.apple.com/documentation/walletpasses/building_a_pass

Dell computer servers, Cisco network equipment, and UPS batteries. (two computer racks, network equipment, servers, network cables)
https://www.occrp.org/en/daily/16915-indian-spy-agency-bought-hardware-matching-equipment-used-for-pegasus

‘https://telecom.economictimes.indiatimes.com/news/devices/apple-warns-indias-opposition-leaders-of-state-sponsored-attack-on-their-iphones/104846280

Clive Robinson January 3, 2024 3:02 AM

@ Tatütata, ALL,

Re: Is 1+1 equal to 1.414, or is someone hoping so.

An early morning thought occurred…

If we take,

“… were allowed to leave Russia, even though they are of cannon-fodder age…”

And,

“resisted against any attribution.”

Are we in effect being “sent a message” that might have a lot to do with,

“… access the kernel through an undocumented backdoor put in place by the manufacturer … together with its hash … you need to know the special hash function, which is a S-box.”

In effect that is a “One Way Function” as you cannot really “black box out” the S-box (if it’s designed correctly).

The implication of which is “somebody knows” the S-box structure outside of what should be a very limited subset of people[1].

If we say the S-box came about as either,

1, An internal 1st Party design.
2, Supplied by an external 2nd Party.

Then the question would be,

“Where was the leak?”

My first guess would be any “engineering tool” used by the 1st Party engineers to access it, as that would be the hardest thing to secure from a practical perspective.

Such a tool would have to contain a mapping function equivalent to the S-box function or it’s inverse, depending on if it’s used in series or parallel. Knowing which might indicate which party designed the S-box.

The question is has some journalist put 2 and 2 together and come up with 2 or 4 and thus fingered the NSA or similar…

Because if it became known the 2nd Party was a US Agency, then the “NOBUS Back door” notion pushed so hard by William Barr and friends has been proved “blown for good”.

Which is just the sort of mayhem certain folks might like to chuck in some cosy “highly secret” 2 party agreement…

Just a thought from before my breakfast cup of tea 😉

[1] If it was me, I’d use something like the AES cipher and a Flash ROM embedded key for the S-box. Such that you would end up with as many potential S-box variants as there are keys. In that way you could program each “Nation’s Agencies” with its own “Golden Key Back Door” without making every device insecure. If you added an update and audit function then you could “finger” individual National Agencies.

Canis familiaris January 3, 2024 4:20 AM

It looks like Digital Rights Management software used to manage films (movies) in cinemas (movie theaters) worked as designed and prevented many showings on New Year’s Day.

‘https://entertainment.slashdot.org/story/24/01/03/0026254/alamo-drafthouse-blames-nationwide-theater-outage-on-sony-projector-fail

It appears to have been a certificate expiry, which means that a large amount of media is now unplayable on the (Sony) equipment. The projection systems in question have a ‘secure system clock’ that is required to be connected to a Stratum 2 time server, and cannot be changed to allow, for example, resetting the clock backwards.

Perhaps people will in future start checking the expiry dates on certificates in the chains of certificates that allow access to managed information.

I wonder if the contracts between the distributors and the cinema/movie theater operators say anything about who might be liable for the financial losses incurred.

ResearcherZero January 3, 2024 6:05 AM

It is the way the internet works after all.

‘https://www.nbcnews.com/news/investigations/us-intelligence-officials-determined-chinese-spy-balloon-used-us-inter-rcna131150

JonKnowsNothing January 3, 2024 11:42 AM

@Clive, @SpaceLifeForm, @Winter, All

re: UK Econ: Update to Bank of Mom and Dad

Recap: At the start of the Sars-COV-2 outbreak, I prepared a number of financial analysis posts titled The Bank of Mom and Dad. These may be found in the archives or wayback machine. These posts detailed the economic shifts due to excess deaths + total deaths due to COVID. At the time, there was some skepticism about government intentions, but with the many C19 Inquiries now happening globally, pushed by family members of those who died prematurely, it can be confirmed that many of those policies were intentional and exploitation of the pandemic for economic reasons was driving many decisions.

One of the topics was Inheritance Wealth Transfers. The shifting of wealth from one generation to another. The economic impacts of hand-me-down wealth and the lack of wealth in younger cohorts.

An MSM article (1), primarily focused on the benefits obtained by the younger cohorts from early inheritance and whether they will be mindful of those who have to wait longer, includes some interesting numbers about the value of the dead.

  • Value of the Dead = £13.2bn inheritance tax revenues.

Treasury figures, inheritance tax (IHT) reached a record £7.1bn in the most recent tax year. The 2021-22 year was also record-breaking, with £6.1bn: itself an increase of 14% on the preceding period. Investment platform Hargreaves Lansdown concluded in an analysis that “the peaks in IHT revenue align with surges in deaths due to the virus”.

The inheritance taxation rate is based on the total value of the estate. This is the amount that goes into government coffers. The residual goes into the pockets of the survivors. The tax is a fraction of the total amount. Rates vary by country and by laws.

In UK inheritance tax applied to Britons with estates worth more than £1,000,000. So, the £13.2bn tax is from estates worth more than £1m.

13,200,000,000 tax revenue / 0.01 tax rate = 1,320,000,000,000

13,200,000,000 tax revenue / 0.50 tax rate = 2,640,000,000

* note: format errors may happen in posting some numbers

In short, people who died had something of value, that value generated £13.2bn tax revenues for a 2 year period. As COVID continues to kill predominantly older persons, this accelerated revenue transfer will continue.

An interesting follow up change in economic behavior, is that people are transferring wealth earlier, aka Giving While Living.

£11bn of bequests are made annually in private transfers, on top of a further £99bn given through wills.

Separately, the Institute for Fiscal Studies found that parents give away or loan about £17bn to their adult children every year.

While a lot of this early transfer wealth will end up in the Velocity of Money whirlpool, it also means that the Inheritance Tax Revenue stream, previously a stable source of revenues, will be disrupted over a number of years, with more revenues now and fewer revenues later.

  • It is not only the younger cohorts getting funds early, so are governments.

===

1)
MSM Hail Warning

https://www.theguardian.com/commentisfree/2024/jan/03/generational-inequality-housing-inheritance-tax

  • With inheritance about to divide millennials into haves and have-nots, solidarity comes at a price
  • A wealth transfer is under way, driven by legacies and parents ‘giving while living’.

Clive Robinson January 3, 2024 6:16 PM

@ JonKnowsNothing, SpaceLifeForm, Winter, ALL,

Re: Economics of death.

“In UK inheritance tax applied to Britons with estates worth more than £1,000,000.”

It’s a little more complicated, and yes it sounds a lot, but really it’s not.

For instance a semi-detached house in London that’s 1000 sq ft or less –ie small by most other Western Nations– is over £750,000; add in the contents and a few savings that are “pension like” but not, and yup you are easily over that line.

The trick that only a few did before was “Inheritance Planning”. The old way was set up a “Trust Fund” but whilst that works for smallish values, high value items like “second homes” or “unearned income pots” will either not be allowed or will get swallowed at higher rate taxation, 40% etc, for very many people.

Thus homes get put up for sale, and that’s where the “big money” tax windfall comes in for the UK treasury in what is still called “stamp duty”,

https://en.m.wikipedia.org/wiki/Stamp_duty_in_the_United_Kingdom

And it can be crippling: imagine getting hit with 5% plus 3% of the value on a home of a parent, then getting another similar charge when you try to sell the property to clear the debt to the UK Treasury if… You are allowed to sell it, which you may not be. You can get a domino effect where a child may have to sell their own home to clear the debt, but still not get the parental home or anything else, but still have to pay all other taxes. Thus the death of a parent can bankrupt their child even if the child has had no say in anything…

To say the law is complicated and the various legal fees etc high would be considered an understatement.

Have a look at the idea of “Mansion Tax” which has caused all sorts of issues this century.

vas pup January 3, 2024 6:37 PM

Sniffing women’s tears reduces aggressive behavior in men, researchers report
https://www.sciencedaily.com/releases/2023/12/231221162243.htm

“New research shows that tears from women contain chemicals that block aggression in men. The study finds that sniffing tears leads to reduced brain activity related to aggression, which results in less aggressive behavior.

Revenge-seeking aggressive behavior during the game dropped more than 40% after the men sniffed women’s emotional tears.

When repeated in an MRI scanner, functional imaging showed two aggression-related brain regions — the prefrontal cortex and anterior insula – that became more active when the men were provoked during the game, but did not become as active in the same situations when the men were sniffing the tears.

Individually, the greater the difference in this brain activity, the less often the player took revenge during the game.”

What to do next? Identify the substance, replicate it in mass, and generate a non-lethal substance to suppress riots. But does anybody really care? Is the reactive mode going to be changed to proactive anytime soon? I doubt it.

ResearcherZero January 4, 2024 12:40 AM

@Clive Robinson, JonKnowsNothing

Re: Bank of Dad

Helps enormously if your father is a party power broker and a former keeper of the books.

‘https://apnews.com/article/australia-iraq-war-cabinet-documents-secret-a681c26307c66d89475ef75f62bf50c2

Porter is keeping the funds donated to a “blind trust”, the amount of which is unknown. He declined to reveal the names of the anonymous benefactors who have helped fund his legal costs and has resigned.
https://theconversation.com/christian-porter-quits-cabinet-refusing-to-find-out-who-gave-him-money-for-legal-costs-168246

Morrison had been contemplating secretly taking on the administration of extra departments from his early days in the top job. The Attorney General’s Department told Senate estimates that it did not provide advice to Christian Porter before the then attorney general advised Morrison on the way he could be appointed to multiple ministries in 2020.

‘https://www.sydneycriminallawyers.com.au/blog/morrisons-multiple-ministry-plan-was-hatched-early-on-suggests-solicitor-general/

The Morrison government has moved to keep national cabinet deliberations secret by introducing new legislation intended to blunt the impact of a recent tribunal decision that would have allowed access to key documents. None of the documents sought by Patrick under the freedom of information system were an “official record of a committee of cabinet” and were, therefore, not covered by the cabinet exemption.
https://www.theguardian.com/australia-news/2021/sep/02/a-sore-loser-scott-morrison-attacked-over-move-to-keep-national-cabinet-deliberations-secret

ResearcherZero January 4, 2024 12:42 AM

‘https://www.infostealers.com/article/infostealer-infection-of-an-orange-employee-results-in-bgp-disruptions/

Perl module Spreadsheet::ParseExcel 0.65 (and earlier) is vulnerable to arbitrary code execution.

‘https://www.computerweekly.com/news/366565053/Chinas-UNC4841-pivots-to-new-Barracuda-ESG-zero-day

“narrowly focused on the most select of targets”
https://arstechnica.com/security/2023/08/barracuda-thought-it-drove-0-day-hackers-out-of-customers-networks-it-was-wrong/

ResearcherZero January 4, 2024 12:55 AM

@Clive Robinson, JonKnowsNothing

Morrison got the dirt on Porter before he went into politics then rode that horse. It was a well funded horse, but eventually Morrison rode it into the ground.

ResearcherZero January 4, 2024 1:27 AM

@Clive Robinson, JonKnowsNothing

There is also a reason certain stories are withheld from print here.

Why do high-income earners benefit? (also from high interest rates)

‘https://www.afr.com/politics/federal/who-gets-what-from-stage-three-tax-cuts-and-why-in-four-charts-20221006-p5bnm4

Stage three tax cut limited the pace at which the nation’s finances could be improved.
https://www.smh.com.au/politics/federal/stage-three-tax-cuts-should-be-on-the-table-imf-warns-on-budget-costs-20230201-p5ch28.html

Australia has the most concentrated media ownership after Egypt and China.

“It’s true the money will flow to Murdoch and the Big Three.”

The Morrison government’s media bargaining code will tighten the grip of News Corp and other powerful giants on Australian media.
https://www.thenewdaily.com.au/news/national/2021/02/24/media-ownership-concentration

‘https://www.sbs.com.au/news/article/factbox-who-owns-what-in-the-australian-media/jk2o4myoi

emily’s post January 4, 2024 5:45 AM

Roman à cléboard, Part Deux II

It may be, is probably, too late to shut down Skynet.

Clive Robinson January 4, 2024 7:21 AM

@ emily’s post, ALL,

Re : Micro$haft digging holes.

“[MS] expects Copilot keys to be required on Windows 11 keyboards “over time.”

I know, as do increasing numbers now, that Copilot is a surveillance tool on steroids designed “to assimilate users” like some vampire con-artist to slurp out not just people’s knowledge but feelings and emotions. Thus be able to increase the value of a person as a commodity to be repeatedly sold.

From a legal perspective, some jobs come with a legal liability that is called “a duty of confidentiality”. It’s not hard to see how MS Copilot will easily cause an individual to fall foul of this.

Thus from an employers perspective I would ban MS Copilot in the same way as I’ve killed MS cloud etc.

The fact Micro$haft are trying to force people into divulging confidential information in just about every which way possible should tell you that legislation to stop it is long, long overdue.

Then of course there is the flip side of LLMs, as we know they are in no way creative, and not even remotely close to “second best”, but like a spiro-graph they can give a false impression. But who has the rights to the gears and cogs of LLMs and how the wheels are set?

The simple fact is LLMs are devices designed to steal the work of others and repackage it. They at best mimic poorly so can write obvious “Marketing blurb” but not works that stand as original creativity. In short they,

“Average out the best, to serve the least.”

Crappy as it is the output would be seen as misappropriated and then poorly disguised. As such it’s actually a crime of fraud known as “Passing Off” but carries civil penalties as well. Which raises the question,

“Who owns the repackaged product?”

As they say,

“Only Time will tell.”

But I suspect that MS Copilot or anything similar would be unwise to use as the legal liabilities could be immense. Especially if all natural content creators decided to get their slice of the cake.

Remember, as the “input” to an LLM is “known” there can be no defence of “unknowing” copying / impersonation. Which means a much bigger payout or easier conviction…

lurker January 4, 2024 11:59 AM

@emily’s post, Clive Robinson

I fear the loss of workable OEM PCs for the rest of us who install our own BSD &c. Linux will adapt with a Copilot “shim” …

JonKnowsNothing January 4, 2024 1:23 PM

@Clive, @ emily’s post, ALL

re: MS Copilot on Key or Off

While there maybe ways to disable the key (Power Toys) or by removing the key cap, that does not mean the software is not running in the background hoovering up everything on the system – old and new data.

  • SWAG it will be hard or impossible to remove the software or disable it in any significant way.

It will take a lot of legal actions against M$ to put a block on this auto-magic program.

  • The first n-times women are pulled into court on murder charges for having a termination that was hoovered up by these systems and divulged to the LEAs in the 50% of the USA where medical conditions for women are punishable by death and imprisonment. All the LEAs have to do is simply ask the LLM to “provide me a list of names that….”.

It’s already being done, but on a small scale.

To paraphrase from an important documentary:

  • Es ist eine Fabrik

Clive Robinson January 4, 2024 2:19 PM

@ JonKnowsNothing, emily’s post, lurker, ALL,

Re : You need channels to talk.

“… that does not mean the software is not running in the background hoovering up everything on the system…”

But without a communications channel in theory it can not send it back to the mother ship.

As others will note Microsoft have done a great deal to force people not only to have accounts but be online all the time.

That said Win 10 can be set up not to use an MS account or need to be online if you find the right docs and put the effort in.

The same was apparently not true for Win 11 Beta, where you had to have both an account and be online being snooped on 24×375.25 by the Numpties in Micro$haft.

It would not surprise me –if you did “strip it back” to not use your communications– to find Micro$haft “Mesh networking” via a “beaconing system” not unlike those that Apple and Google built in the capability “for Covid”.

As I’ve observed for a while “air gapping is insufficient” you need to properly “energy gap”.

Which is where running alternative OS’s comes in.

I’m assuming that the “key” will be just “another keyboard key” to be grabbed by the keyboard driver, rather than actually run software directly via the keyboard CPU or through the equivalent of the BIOS/driver.

Thus it could be “re-mapped” or just ignored.

If so then I’d run an older version of MS-Win / MS-Dos under a *nix emulator or equivalent.

As I’ve said before I’m fond of WinXP and some of my software will only run as far as Win2K. Other software needs 16bit MS-Dos but zips along fine. For my sins I still stretch my fingers with “debug” and Ed/BASIC and I’m fond of all things WordStar and the IDEs it spawned with Turbo C / Pascal etc and Mirror, that for my really bad sins of pleasure I still run.

Then I even run Kermit across serial ports which is a whole different story for another day.

I’ll be honest, I’m too old to “work the mill” in Micro$haft’s “hamster wheel of pain” and I’ve noticed that these days “Real Productivity” has stagnated with regard to Micro$haft tools.

&ers January 4, 2024 2:48 PM

@Clive @ALL

A little bit more about Kyivstar

hxxps://www.reuters.com/world/europe/russian-hackers-were-inside-ukraine-telecoms-giant-months-cyber-spy-chief-2024-01-04/

ps. where has SpaceLifeForm gone?

JonKnowsNothing January 4, 2024 3:10 PM

@Clive, @emily’s post, @lurker, ALL

re: MS Copilot Comm Channels

You do need an M$ Account to set up Windows but you do not need to keep it active or signed in. Of course, it is not easy to stay logged out.

However, even if you manage to stay logged out, there are the regular updates that flow downhill into the system (Patch Tuesday) so they know who you are, where you are and where the computer is and if it is powered on.

Even if you manage to limit the amount of bloatware on the system, there are the log files and telemetry files. Current editions of M$ OS cannot block telemetry files. So M$ knows the usage and activities of all profiles on the system. Since most people use only 1 profile (Admin) they get more than enough telemetry.

If you connect to the internet, your system is going to send all off-lined telemetry files.

I doubt that sending LLM telemetry is going to be a problem for M$.

RL tl;dr

A user did not know they had “Visual Voicemail” enabled on their cellphone. Periodically the phone would act “weird” but a power cycle seemed to fix it. After much digging they found this “app” feature active and disabled it. A nice by-product was the number of marketing calls decreased.

Not long after disabling it, the user found it had reactivated itself and the marketing calls came in again. This time they did more disabling and removing and things seemed better.

A short while later, the previous behavior returned and when they looked at the system the “Visual Voicemail” was gone, but a replacement app with a different name having the same function had auto installed itself.

I do not think users, good, bad, or expert, can prevent zombie programs from running and telemetry is one of the biggest zombie programs on computers.

AL January 4, 2024 4:09 PM

“I know, as do increasing numbers now, that Copilot is a surveillance tool on steroids designed “to assimilate users” like some vampire con-artist to slurp out not just peoples knowledge but feelings and emotions.”

The answer is, don’t pour your heart out to Microsoft. I used Copilot this morning to get a complete VBnet program to free up working set on a particular process.

But, more sensitive stuff – install and use AI on the desktop. I’m using this uncensored LLM.
https://huggingface.co/TheBloke/dolphin-2.6-mistral-7B-GGUF

There is various software available to run this stuff. I’m more than happy now, and this stuff is evolving and getting better. I’m using this program, but do not recommend it since VirusTotal doesn’t give it a clean bill of health. I have my own program that starts it in a Chromium style sandbox, so it is contained. That said, it is a Mozilla project.

https://github.com/Mozilla-Ocho/llamafile/releases/

Bigger computers can use bigger LLMs. But the one I’m using packs a lot of information.

So, the answer I see is, use the public LLMs for unimportant stuff and use your own for sensitive issues. And there are a number of web portals that have chatbots too, so any public inquiries can be spread around.

I’m hoping to see more specialized LLMs for the desktop, as opposed to these all-in-one versions. But, I’m happy with what I see, particularly on the desktop.

lurker January 4, 2024 5:08 PM

@ResearcherZero, All
re, Barracuda, Mandiant
From the link

By attaching a specially crafted file to an email and sending it to addresses behind the perimeter …

Oops, there’s really no way to stop them opening email attachments.

lurker January 4, 2024 5:15 PM

@ResearcherZero

further to the Barracuda-Mandiant story, the mod-bot doesn’t like the bit I wanted to quote. Saving your .config to reinstall in the new machine is great when you’re in a hurry, but this sounds like a job that shouldn’t be rushed.

lurker January 4, 2024 6:04 PM

@ResearcherZero

Sorry I’m dumb, but why would a “secure” mail server need to parse spreadsheets? and worse, Excel spreadsheets?

Clive Robinson January 4, 2024 6:48 PM

@ lurker,

Re : Catch 22

“why would a “secure” mail server need to parse spreadsheets?”

Well it depends on what you mean by “parse”…

But looking for certain types of malicious code might be one reason.

Back when I had more tooth on my smiles, AV software was not exactly smart. In many cases it looked only for signatures… So find a way to make the signatures change and it would get past the AV system.

One way this was done was to put a very short bit of executable code on the front, that did an XOR along the code with a value that changed.

So for signature checking to work, you first had to run the short bit of executable…

So back then, as Excel had as a minimum a full blown BASIC interpreter built in –and maybe a flight simulator– the “parsing process” may have been considered necessary… Excel Macros are even worse these days, so… The argument is thus sand-box it then look for unacceptable behaviour… if it can be properly sand-boxed –which it can not– then it should be all right…

My view based on mathematics from the early 1930’s –before electronic computers even existed– is that a computer can not reliably detect that it has had its code or behaviour changed, and you can hide code, within code, within code,… If you doubt this look at the way PostScript, the forerunner of PDFs, is actually a stack based interpretive language that draws pictures, or does just about anything you want, including having possibly the simplest way to write an interpreter in an interpreter.

So from my perspective sand-boxing and running unknown code,

“Not a good idea”

Which is why I mostly have JavaScript etc turned off to reduce my risk (albeit marginally these days).
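The XOR-stub evasion Clive describes above, and the “run the stub, then check the signature” answer to it, as an added example that is not part of the comment and not any AV product’s code. The signature bytes, the two-byte stub marker and the rolling-key scheme are all constructed for the demo.

```python
"""Added example (not from the comment or any AV engine): why a raw byte
signature misses XOR-wrapped content, and two defender-side ways to recover
it. Every byte string below is constructed for this demo."""
from typing import Optional

SIGNATURE = b"EVIL-MARKER"   # constructed pattern the scanner is looking for
STUB_MAGIC = b"\xEB\x01"     # constructed 2-byte stand-in for a decoder stub


def rolling_xor(data: bytes, seed: int) -> bytes:
    """Symmetric rolling XOR: byte i is XORed with (seed + i) mod 256.
    Applying it twice with the same seed restores the original bytes."""
    return bytes(b ^ ((seed + i) & 0xFF) for i, b in enumerate(data))


def wrap(body: bytes, seed: int) -> bytes:
    """Constructed sample layout: [stub magic][1-byte seed][encoded body].
    The header stands in for the 'short bit of executable on the front'."""
    return STUB_MAGIC + bytes([seed]) + rolling_xor(body, seed)


def naive_scan(blob: bytes) -> bool:
    """Signature-only scanner: matches raw bytes, never sees the plaintext."""
    return SIGNATURE in blob


def scan_via_stub(blob: bytes) -> bool:
    """'Run the stub' approach: parse the header for the key, decode, then scan.
    Only works when the scanner understands this particular stub layout."""
    hdr = len(STUB_MAGIC)
    if not blob.startswith(STUB_MAGIC) or len(blob) <= hdr:
        return False
    seed = blob[hdr]
    return SIGNATURE in rolling_xor(blob[hdr + 1:], seed)


def scan_brute_force(blob: bytes) -> Optional[int]:
    """Stub-agnostic fallback: try all 256 seeds over the whole blob and return
    one that exposes the signature, or None. Feasible only because the key
    space is tiny (compare the 'xor' string modifier in YARA, which tries
    single-byte constant keys); an arbitrary decoder stub defeats it, which is
    the point of the comment above."""
    for seed in range(256):
        if SIGNATURE in rolling_xor(blob, seed):
            return seed
    return None


if __name__ == "__main__":
    sample = wrap(b"padding..." + SIGNATURE + b"...more", seed=0x5A)
    print("naive:", naive_scan(sample))            # False: signature hidden
    print("via stub:", scan_via_stub(sample))      # True
    print("brute-force seed:", scan_brute_force(sample))
```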

Clive Robinson January 4, 2024 7:02 PM

@ AL, ALL,

“The answer is, don’t pour your heart out to Microsoft.”

And how many people have been told,

“Don’t click on attachments…”

And similar yet they do it any way for one of XXX reasons…

Saying “don’t do” is a well known failed policy not just in computing but most aspects of living.

For instance you have a friend at work that wants to lose weight[1]… So you say “Don’t eat the doughnuts” on the day it’s somebody’s birthday and they’ve put a couple of dozen glazed ones in the break room where the coffee machine is… You know what’s very probably going to happen…

[1] I was the mean sort that used to bake cookies, cakes, tarts, and other sweet pastries and just leave a couple of plates of them in the break room… It’s funny how the sugar overload makes people mellow of temperament.
