Comments

justina colmena December 1, 2017 7:09 PM

https://www.cnbc.com/2017/12/01/psychiatrists-warn-trump-becoming-more-mentally-unstable.html

Political allegations of mental illness — i.e., sickness of the mind — in real life, these go straight in the Brady Bill mentally ill persons registration database where you are listed with a black triangle as a “prohibited person” for life and then they “legally” (not as legally as they think) steal your money, property, rights, and freedom.

Of course in real life, Trump is in no danger whatsoever of a finding of mental incompetence or danger to himself or others. This is just what he, like other recent presidents, wants to impose on others.

America’s silent holocaust.

Taz December 1, 2017 7:35 PM

We’ve mostly switched to Linux these days, but still run across situations where only a windows machine will do.

Since I have no energy to take on all the privacy issues of Windows 10, does anyone know of a vendor who sells the Chinese Government version of Windows in English?

Unless I can find a way around this dilemma, we’ll be running Windows 7 forever…..

JonKnowsNothing December 1, 2017 8:08 PM

So – this interesting tidbit shows up as a Friday Night News Dump piece

In reference to the on going P fight between the NSA and Kaspersky the following was disclosed about what happened – surely hoping that no one notices?

As the dude pleaded guilty in a US district court in Baltimore making this information part of the public record to some extent.

  1. The name of the dude who took the stuff home
  2. The state the dude lived in
  3. he was a developer on the NSA’s TAO hacking team
  4. he took his work home
  5. took his work home with him multiple times
  6. took his work home with him OVER FIVE YEARS
  7. from 2010 through March 2015 he took documents home (see plural)
  8. the material was in both hard-copy and digital form
  9. the penalty maybe 6-8 years

Hmmm Hmmm

  • This happened over FIVE YEARS?
    For FIVE YEARS the TAO archives were OPEN?
    For FIVE YEARS no one at the NSA noticed?
  • He had documents digital and hard copy? Multiple documents?
    How many? Well I guess the FSB+World+Dog knows
    Even after ES they didn’t notice someone downloading and carrying stuff out of the buildings?
  • The whole NAS-KAZ thing doesn’t cover this entire period.
    So who else was surfing the guys home-IDIOT-systems?
  • 6-8 years for dumping the entire TAO code base?
    Reality Winner is looking at 50 years+ for 2 pages showing the Russians WERE meddling in the US election.

ht tp://www.theregister.co.uk/2017/12/02/nsa_tao_exploit_leak_guilty/
(url fractured to prevent autorun)

Scott December 1, 2017 8:23 PM

Re: Mr. Robot – USA Network’s Television Show

Why were there 71 building destroyed by the Dark Army? Why the number “71”? Does is have a significant meaning? Or is it just a random number picked by the writers? This show typically has very significant and purposeful details, but I’m stuck on this one. Thoughts? Why were there not 47 or 62 or 15 buildings destroyed?

hmm December 1, 2017 9:33 PM

“6-8 years for dumping the entire TAO code base? ”

There’s no way it’s the ‘entire’ TAO code base, but it’s plenty bad without exaggerating.
The direct circumstances are important as to motive. That factors into sentencing.

“Reality Winner is looking at 50 years+” – Not really. Statutory theoretical maximums don’t usually happen.
But again, her decision to leak the file was provably and admittedly deliberate.

Even after a sentence is handed down after a period of 2-3-4 years in prison sometimes these things are adjusted for cooperation or good behavior or xyz. I would expect that.

For comparison Jared Kushner faces a firing squad, THEORETICALLY. I doubt he’ll do more than 6-8.
That’s if he doesn’t break himself and give up the golden goose.

JonKnowsNothing December 1, 2017 10:39 PM

@ hmm

“Reality Winner is looking at 50 years+” – Not really. Statutory theoretical maximums don’t usually happen.

But again, her decision to leak the file was provably and admittedly deliberate.

iirc RW has plead Not Guilty to these charges. It isn’t and hasn’t been proven or tried in court.

I would hazzard that exposing and eventually dumping some N-Large-% of the Tao Database rises to a substantially higher level of “ouch” than whoever exposed the lies about the status of the recent US election to those of us in the USA.

RW is just the bait end. The hook end is aimed at The Intercept and other news organizations who published the now acknowledged truth about the election for which Mr JK is going to be expected to Fall on His Sword.

I doubt that some of the folks prosecuted under the above laws would agree that these penalties are a “snap/slap”…. Unless you are a General or something on that level.

The obviously bogus claims that this dude carted home 5 years of work + documents completely and totally without anyone noticing, is well.. bogus.

So the bait end was TAO but was the hook aimed at Kaz or was the honeypot intended for someone else?

justina colmena December 1, 2017 11:16 PM

@JonKnowsNothing

NSA … took his work home … multiple times … >5 years … documents … both hard-copy and digital.

Are we getting the picture yet? That guy does not have a job at top-secret government agency. He is a mid-level manager, a corporate drone trying to work his way up the ladder at some random office complex somewhere near Baltimore or D.C. Meanwhile his own manager the next level up is winking at the practice and praising his productivity, and getting kudos one level up from that for having such dedicated employees who work off the clock.

Reality Winner

Some Russian or European girl. U.S. citizen? Who really knows? Not even a real name.

I’m just trying to make some very basic sense of this, and I’m having a lot of trouble.

Handling documents on your person, that’s more of a CIA skillset than NSA: flesh-and-blood tradecraft, street smarts, “wetwork,” dead drops, microfilm, “contacts,” etc. You aren’t even trained for this stuff when you work at “the hive.” You’re clean, and the guards check you out very carefully for documents and electronics before they even let you out the door.

Clive Robinson December 1, 2017 11:56 PM

@ JonKnowsNothing,

In reference to the on going P fight between the NSA and Kaspersky…

It’s more than a two sided fight,

Don’t forget to add the other bit of info from El Reg about the CIA forging Kaspersky Certs from earlier last month,

https://www.theregister.co.uk/2017/11/10/cia_kaspersky_fake_certs_ploy/

Oh and of course those supposadly condeming screen shots from the Israelis, after all it’s not as though they might of faked them up or something…

I get the feeling the real “P-ing Contest” is between US IC entities and Kaspersky is “just a useful idiot” in the whole process.

After all why not set them up one way or another?

Because,

1, They are Russian.
2, They embarrass the US IC, by doing the job they say they will.
3, They are not “compliant” unlike US “and friends” AV companies.

Oh and a whole lot more “Existential Threat” nonsense straight out of the Orwell and Huxley play books oh and of course “The Prince” of manuscripts for such behaviour from Nicolo Machiavelli, who had to be held to account for his crimes for revealing state secrets when the Medici came back.

What was it that French King scratched out about “The more things change the more they stay the same…” as the “Great Game” goes on.

hmm December 1, 2017 11:58 PM

“RW has plead Not Guilty to these charges. It isn’t and hasn’t been proven or tried in court.”

It’s not a whodunit. I’m not accusing her of anything, I’m reading what she’s admitted.

“Some Russian or European girl. U.S. citizen? Who really knows? Not even a real name.”

American, she’s known, and yes her name is real. We pick our names in this country.
Perfectly legal that. If ironic.

‘Winner served in the United States Air Force from 2010 to 2016, achieving the level of senior airman (an E-4 paygrade) with the 94th Intelligence Squadron.[10][5] She worked as a cryptologic linguist, and is fluent in the Persian language and Dari, its dialect spoken in Afghanistan, as well as Pashto.[11] Winner was awarded the Air Force Commendation Medal.’

-Pashto and Dari, pretty useful for getting a job doing this. Seems legit.

“Handling documents on your person, that’s more of a CIA skillset than NSA”

Pfft lol. Over 10 MILLION people have security clearances. Folks are always going to have access to some things, that’s just unavoidable. What they count on is the paper trail itself, that’s almost always going to tell them exactly where to look. I’d like to think the printers have extra microdot authentication going on, but if they did in this case it wasn’t denoted.

When asked by the FBI how she got the documents out of the office, she responded, “Folded in half in my pantyhose.”
Winner told the agent there was no security stopping her from lifting the information.
“Let’s be straight — there’s little to no security on documents,” she said.

She made a personal decision that the public need to know was greater than the classification, but didn’t consider that her actions could have lead to the deaths of sources or the loss of methods. She deserves punishment not for her motive but because what she did was reckless and put people at risk. The whole reason we have classification is to mitigate that risk.

She’s not the one who gets tortured to death in a warehouse, lucky her.

hmm December 2, 2017 12:17 AM

“I would hazzard that exposing and eventually dumping some N-Large-% of the Tao Database”

You’re overstating that percentage.

“The obviously bogus claims that this dude carted home 5 years of work + documents completely and totally without anyone noticing, is well.. bogus.”

You’re reading into the semantics. At 5 years ago, he is known to have begun exfiltrating information.

You’re adding the “every day he’s loading up his binder into his jock strap” part. We don’t know.
It could have been a handful of trips over 5 years, USB drives fit lots of places, be creative.

At some point 5 years later he is running KAV which is already a banned program for his section, turns it off(!?) and somehow manages to get infected with a dozen or so instances of malware, one or more of which starts mining the interesting stuff.

We’re told Israel noticed somehow because they were hacking Kaspersky already unrelated and just came across this.
That’s the part of this that seems the least plausible to me without knowing more.

65535 December 2, 2017 2:44 AM

@ Clive R. and JonKnowsNothing

“Don’t forget to add the other bit of info from El Reg about the CIA forging Kaspersky Certs from earlier last month, https://www.theregister.co.uk/2017/11/10/cia_kaspersky_fake_certs_ploy/ Oh and of course those supposadly condeming screen shots from the Israelis”-Clive R

I think Clive is correct it is more than a two sided fight. Think about the FUD from the Wall Street Journal and WaPo. The media in playing to the side of their respective state TLAs. Just look and Brian Krebs and Marcy slug it out.

I agree that the whole certificate forging thing has gone too far. The HTTPS as we know it not really that secure at this juncture. I will say I kind of think both Kaskpersky and the Five eyes + Israel is playing fast and loose. It hard to attribute the NSA/CIA/FBI and GCHQ or the Russians at this point of scamming the USA out of digital weapons.

Next, I want to direct the conversation to Clive and his constant reminders about Energy Gapped machines and their possible infiltration of data. I just ran into a case of a client who bought a semi-old Dell laptop with a physical switch for Wifi card and Bluetooth card and even shutting down the antenna. He got the laptop from some odd place and I found that the thing actually did have the wireless card and antenna disabled and it also had a physical switch on the exterior. I thought that was good.

But, the original power block to charges the laptop’s battery was dead. I just replaced it with a cheap Chinese knock-off. But, then the BIOS started to jumpt to a black screen indicating that the power block could not be authenticated. Hence, the user would have to make an F1 to F3 key to get Win 7 pro to boot [the UEFI stack is turned off]. The F3 option skips this screen for good.

I thought “why should Dell care about and generic power block?” Then I did some research and it seems that Dell laptop power block actually contain a small chip with one unshielded wire to indicate to the BIOS and the OS that the power being fed to the machine was not from a Dell authenticated power block. It appears to be a legacy checking system mostly to designed to keep Dells customers buying their junk power blocks.

I then a blog pointed out that the unshielded single data wire could act as an antenna and cause damage and/or a security problem:

“…AC Power Adapter dead? …the DELL AC power adapter used for the DELL Latitude D610 has an Identification wire, which is the tiny center pin in the power plug. Trying to figure it’s function from the outside proves to be futile. When detached from the laptop it carries no signal, voltage, capacity or resistance. It seems like a dead wire leading no where… it’s time to figure out where this AC Adapter Identification wire is going. After cracking the case of the DELL AC power adapter [brick – ed], brings about a mystery electronic component. It’s a transistor shaped component with 3 pins. The middle pin is connected to the AC Adapter Identification wire, the other pin to V- of the power plug. The 3rd wire is not connected. Pretty strange for a transistor, where all 3 pins are usually all connected… the casing of the transistor shaped mystery component has markings; “DALLAS – 2501 – 0613D2 – +571AA”. Not the typical markings on a transistor. Weird!! … there is DALLAS as the manufacturer ID. This is synonym for MAXIM semiconductor. After a few searches in the MAXIM component database, the transistor shaped device is a UniqueWare™ Add-Only Memory, known under type DS2501, DS2502, DS2505 or DS2506. The difference is the size of the memory. The DS2501 seems to be 512 byte memory. The memory is accessed using a 1 wire communication protocol known as “1-wire”…the DS2501 in the DELL AC Power Adapter contains the identification info of the power adapter. The DELL laptop reads the identification info during startup of when it’s connected while started. Power for the memory device comes from the laptop which is the same AC Adapter Identification wire, indicated as a “parasite power circuit”… it proved to be a vulnerable one, with many victims. When communication with the UniqueWare™ Add-Only Memory fails, the laptop shuts battery charging down. here is no “off the shelf” replacement for a DS2501 UniqueWare™ Add-Only Memory. The read-only (EPROM) memories are programmed in the factory with the AC power adapter identifier. Afterwards memory can be permanently locked, with only the possibility to add information in unused memory space…test to see if wiring, jack or plug is causing intermittent connections is to boot the laptop into setup mode. (Press F2 during startup)… the information item “Device Info” and watch the “Adapter type” field. Plug the AC Power adapter, the field is updated INSTANTLY if the laptop can communicate with the AC Power Adapter. If not the field doesn’t change for a few seconds and then reports “unknown AC adapter”… the technology for AC Adapter identification revealed, it boggles the mind why so many DELL laptops report the same message. It can’t be all wiring problems or a bad power plug/jack…the center pin of the AC power plug of the PA-1900-02D2 with revision number REV A04 is directly connected to the DATA pin of the DS2501. The center pin is like an antenna, it can pick up static electricity easily directly fed into the circuitry of the memory chip. From an electronics engineering perspective this is weird.”-laptopJunction

http://www.laptop-junction.com/toast/content/inside-dell-ac-power-adapter-mystery-revealed

“Checking the DS2501 UniqueWare™ Add-Only Memory…A FLUKE digital 123 ScopeMeter is used to follow the communication session through the AC Adapter identification wire. According to the DALLAS / MAXIM “1-wire” communication specification the signal speed is 16Kb/sec. That’s very easy to capture with any normal oscilloscope. When the DELL AC Power Adapter is not connected the signal on the AC Adapter identification wire is dead. No voltage, either AC or DC, nothing.
Connecting the DELL AC Power Adapter to the DELL Latitude D610 raises the DC voltage to 16,5 volts. But nothing happens – no communication session is starting, only a tiny wave is seen which seems to be noise. The amplitude of this wave is too small to go for a solid 16Kb/sec paced communication signal. The controller chip in the DELL Latitude D610 doesn’t send out any signal remotely resembling a normal data pulse. Most likely the DS2501 does not respond on power-up. DELL AC power adapter – ID CHIP DIED…Just 2 days after the cable repair of the DELL AC Power Adapter for a DELL Latitude D610, the same problem appears again. During startup the BIOS reports “The AC power adapter type cannot be determined”. Murphy’s law at it’s best! …quick check of the AC Adapter identification wire shows it’s OK, no disconnects, it has a solid connection. Two DELL Latitude D610’s report the same problem, so most likely its not a power jack problem. Suspicion goes directly to the DS2501 ID chip from DALLAS/MAXIM Semiconductor in the DELL AC Power adapter. This chip is an UniqueWare™ Add-Only Memory. Checking the DS2501 UniqueWare™ Add-Only Memory……Why on earth connect the DATA pin of the DS2501 memory chip directly to a 2 meter long UNSHIELDED wire? would call the ID wire in the power cord an antenna. At least the input circuity of the DS2501 should have been hardened so it can take a reasonable amount of electromagnetic pollution. Knowing there’s probably a truck load of DELL AC Power Adapters (PA-1900-02D2) out there with this design, what can be done to prevent blowing the DS2501 ID chip? The safest is when it’s connected to the laptop, so the “antenna wire” is connected /part of a loop… further reduce the chance of blowing the DELL ID chip: Replace the complete 3-wire charger lead with a fully shielded cable. 3 leads + 1 shield) …de-solder the DS2501 ID chip and solder it on the motherboard of the laptop. The shielded cable reduces the chance, strong electromagnetic pulses ruin the chips on both end of the AC Adapter identification wire. Moving the ID chip from the DELL AC Adapter to the motherboard eliminates most of the risk…”-LaptopJunction

http://www.laptop-junction.com/toast/content/dell-ac-power-adapter-id-chip-died

I would guess the power modes S01 to S05 are controlled deep the Kernel of most OSes. I am wondering if it would to pump digital radio signals in that wire/antenna battery “tank” circuit to implant malware? Anyone care to take a guess?

This question is related to implant method of the fake USB charger where all four wires are used, two to charge the device and two to implant malicious data.

Most cell phone batteries have at least four contacts which could possibly be used to inject malicious data into the core of the device. There is consensus that cell phone “Air Plane” mode cuts the out bound communications but most like not the inbound communications which leaves a hole for malicious data injection.

This leads back to Clive Robinson’s view that Energy gapping is the safest way to go with critical data on any device that could possibly be use as a radio in any of the many chips on the board of a device. I know that Clive is concerned with electromagnetic emissions signatures giving away encryption keys or actual keystrokes on some devices but could this also be a method of malware injection into devices that are Not Energy Gapped?

As Krebs indicates: “JFM stands for Operation Jeepflea Market, which appears to have been a clandestine operation aimed at siphoning confidential financial data from EastNets — a middle eastern partner in SWIFT. Short for the Society for Worldwide Interbank Financial Telecommunication, SWIFT provides a network that enables financial institutions worldwide to send and receive data about financial transactions.”-Krebs on Security

Take Kreb’s stuff with a grain of salt.

https://krebsonsecurity.com/2017/11/who-was-the-nsa-contractor-arrested-for-leaking-the-shadow-brokers-hacking-tools/

I assumed this Jeepflea Market just involved a confidence game where at thumb drive would carry a malicious payload and possibly act as a radio to infiltrate data via a confidence game of sorts.It would be dropped in a place where a worker would find it and use it or some other con game of sorts. I wonder if it was much more. Say, by digital injection into those 3 to 4 pins on battery charging devices and/or the Dell antenna wire charger detector device may be a possibility?

Any guess by anybody?

Excuse the mistakes and errors. I had to bang this out.

Clive Robinson December 2, 2017 3:20 AM

@ 65535,

I’ve not heard about Dallas Semiconductors in some years now.

However their business model was “idetification chips” of various forms. From simple RFID type 64bit serial numbers upwards, including “pet passport” implantable chips in small glass tubes.

The important point is that if the device is an RFID then that trace wire is nothing but an antenna, that does not need to be galvanicaly connected at either end.

Thus the comment about seeing just a little noise could well actually have been the bidirectional EM signal to read back the serial number and any other data such as “capabilities”.

As noted this is not a new idea and as has been noted with Apple PSUs with a microprocessor and quite a chunk of Flash ROM they could and have been shown to be a malware attack vector.

I do not recomnend cracking the case of a PSU unless you realy know what you are doing. Some just use latches, some latches and solvent glue, whilst others are ultrasonicaly welded.

Even after cracking the case you then have to get the chip out, which requires a degree of skill as most are designed to be not removable.

By the way the same sort of chips are used in printer cartridges for both inj jet and laser printers, and suffer from the same malware vector issue. Then of course are the older mobile phone chargers etc.

Basically US manufactures such ad HP, Apple and Dell started this nonsense to protect profits on “consumables and spares” under legislation for WEEE in most jurisdictions this behaviour is illegal. Not that statutory authorities appear interested in killing it off as a practice.

Oh and also moving the chip from the charger to the laptop would currently be a DMCA violation… (not that you are likely to get caught).

JG4 December 2, 2017 7:57 AM

I’m curious how close their cell phone work gets to the audio data diodes that I suggested.

https://www.nakedcapitalism.com/2017/12/links-12217-2.html

Big Brother is Watching You Watch

The Underground Uber Networks Driven by Russian Hackers Daily Beast (Chuck L)

Apple is sharing your face with apps, and you should be worried Sydney Morning Herald (Kevin W)

US ‘orchestrated’ Russian spies scandal, says Kaspersky founder Guardian (Chuck L)

This Interview Was Conducted on an Anonymous, DIY Cell Phone Network Motherboard. I don’t see how you can regard any phone service that uses smart phones as anonymous or secure. The Android OS spies on you and I assume Apple’s does too.

Who Was the NSA Contractor Arrested for Leaking the ‘Shadow Brokers’ Hacking Tools? Brian Krebs (Bill B)

Rachel December 2, 2017 8:17 AM

Taz

do a search for ‘hardening windows.’ don’t stop at the first though have a good look.
there are some extremely comprehensive manuals available for Win 7-10. for those situations one is forced to do their best

JonKnowsNothing December 2, 2017 9:09 AM

re: Faraday Cages

Lots of interesting things have been written in this blog about Faraday Cages and what I most remember about them is: It Ain’t As Easy As It Sounds.

Until I read the following article.

Foil snack food bags make a decent Faraday cage, judge finds…

Synopsis:

The article is about an employment fight over Corporate Data Tracking where the target openly stored his PDA in an empty bag of “Twisties”, an Australian snack food.

A judge ruled he hid a work-issued GPS-equipped PDA in a foil snack food bag to avoid being tracked.

“As an experienced electrician,[the target] knew that this bag would work as a Faraday cage, thereby preventing the PDA from working properly – especially the provision of regular GPS co-ordinate updates.”

and this

Mobile phone records were inconclusive because while [the target] handset pinged towers near the jobs he was supposed to do, some of those towers were within range of his home.

ht tp://www.theregister.co.uk/2017/12/01/foil_snack_food_bag_as_faraday_cage/
(url fractured to prevent autorun)

Gee if the Twisties Bag works THAT well… maybe it’s time for a world wide distro of it?

Aside from that, we know that the accuracy of Cell Tower Tracking is extreme, down to only a few feet including directional orientation and distance from the tower.

albert December 2, 2017 10:19 AM

“What is a riddle named ‘Nelson’?

“A Nelson Riddle” (wiki it)

“When is a jar not a jar?”

Answer in the next Squid Blog…..

. .. . .. — ….

vas pup December 2, 2017 11:13 AM

@all
Currently reading book ‘Dark Territory’ on history of cyber war.
Very informative and easy reading based on many not so widely known facts: e.g. China penetrate election related servers of Obama and McCain more than 8 years ago (exploit). It was reported to Obama by high ranking security official just after his first term election.

Clive Robinson December 2, 2017 11:31 AM

@ JonKnowsNothing,

Gee if the Twisties Bag works THAT well… maybe it’s time for a world wide distro of it?

No… It’s fairly obvious the judge is parroting what the prosection has said, as though it was gospel which it most certainly is not.

The DSSS GPS signal is designed to be less than the actual noise floor on the frequence of use at the nominal center frequency and bandwidth.

Although there is a trade off, it is relatively small therefore the signal is weak at the best of times, therefore likely to be stopped by a damp hankey or similar so not reliable in use…

neill December 2, 2017 2:01 PM

@65535

i run a dell latitude with an old HP powerbrick (more amps but same voltage)

forget about the dell B.S. ident wire, insane scheme to lock you in, instead press F2

the dell would run only upto 2.4 GHz, install ‘throttlestop/tornado’ (free) to enable full cpu speeds … works wonderfully!

oh, and get refill ink for your printer … i just got tired of being ripped off over and over again …

anony December 2, 2017 3:19 PM

Interesting article on the Highland Forum, a meeting group of folks in industry and Military for deciding where info tech in intel and mil will go, without having to deal with pesky sunshine laws.

2 parts

https://medium.com/insurge-intelligence/how-the-cia-made-google-e836451a959e

“Due to its current sponsorship by the OSD’s undersecretary of defense for intelligence, the Forum has inside access to the chiefs of the main US surveillance and reconnaissance agencies, as well as the directors and their assistants at DoD research agencies, from DARPA, to the ONA. This also means that the Forum is deeply plugged into the Pentagon’s policy research task forces.”

Clipper December 2, 2017 3:31 PM

@z80

System76 got much good publicity with this move, this just shows that people do care about their privacy and vote with their wallet. System76 people offer some very nice models as well and being IME free they are now a very good option along with Purism.

@65535

I always thought that Dell being an NSA contractor means there is a very dark side with their machines. Frankly I wouldn’t buy a Dell just because of this suspicion that every model they make has some added backdoors.

Sancho_P December 2, 2017 5:34 PM

@65535

Disclaimer: I don’t Dell.
The DS250x will operate at max. 6V, if the data line reads 16V (phantom voltage) the device is already dead (and the line is not connected to the laptop, otherwise it would be dead, too). The 1-wire data line is designed to be not shielded, it is relatively robust (anyway, better than shielded would be twisted with none-current leading GND wire).
Chipsets often use the 1-wire bus as a (slow) interconnection, obviously here it is used to identify and read fixed data from a genuine power adapter. Chinese fakes can be dangerous!
To store any information at the DS250x the mainboard would need a specific HW to write to the EPROM (and the EPROM’s write protect must not be set), but that wouldn’t make sense.
Check also:
https://hackaday.com/2014/03/03/hacking-dell-laptop-charger-identification/

Btw., I guess any wire (used or not) could be abused as antenna, but the better option nowadays would be a ceramic SMD antenna, likely you’d not notice it when looking at the PCB.

Clive Robinson December 2, 2017 5:37 PM

@ Clipper, 65535.

I always thought that Dell being an NSA contractor means there is a very dark side with their machines

If by “thought” you actually ment “assumed” then let me assure you that “knew” would be better.

They have a whole bunch of secret order codes not just for systems but upgrades / repairs / Scrapping.

One of these codes when filled in on a works order will result in the HD and other items being removed from a system and sent to the ball mill for reducing to dust and new parts fitted. These are then replaced with new parts NQA.

There are other codes but it’s “I could tell you,.. But then I’d have to kill you…

book_review December 2, 2017 5:45 PM

Book ideas for the holiday season:
https://www.nytimes.com/2017/11/22/books/review/100-notable-books-2017.html
https://www.nytimes.com/interactive/2017/books/review/10-best-books-2017.html
https://www.nytimes.com/books/best-sellers/

Another idea is by an opinion writer
https://www.washingtonpost.com/people/david-ignatius/
is “The Quantum Spy”
https://www.washingtonpost.com/entertainment/books/for-the-inside-dope-on-how-the-cia-works-the-quantum-spy-cant-be-beat/2017/11/12/e83bdd44-b426-11e7-be94-fabb0f1e9ffb_story.html
https://www.wired.com/story/david-ignatius-quantum-spy-high-tech-espionage/
https://www.goodreads.com/book/show/34068483-the-quantum-spy
his older novels include: “Agents of Innocence” perhaps ‘a novel but not fiction’
https://en.wikipedia.org/wiki/David_Ignatius
https://www.independent.co.uk/news/world/spooked-how-betrayal-inertia-and-disaster-felled-the-cia-1274536.html

SecuritySam December 2, 2017 6:37 PM

@vas pup
Seeding with silver nitrate
The clouds would precipitate
But, now with few keystrokes
Anyone can remotely penetrate.

CallMeLateForSupper December 2, 2017 7:43 PM

@65535 Re: DS250x

I have a PDF of the data sheet for DS2506. If there is specific info you need ….
The 2506 does have EEPROM. Each individual specimen has both a UNIQUE SERIAL NUMBER and a “device family” ID, both of which are readable but not writable.

Communication is via DalSemi’s 1-Wire protocol (signal and ground, so actually 2-wire… but who’s counting). No Vcc connection tells me this thing operates through so-called “Parasite Power”, wherein the master device supplies hard pull-up to the signal pin between comms bursts, to charge the device’s internal power cap.

I have no experience with this device but I coded for two types of DalSemi 1-Wire digital thermometers (1620 and 1820?). Had eight of those things strung along ~45 feet of twisted wire-wrap wire and they performed flawlessly, driven with a PIC16F84.

Josh December 2, 2017 11:14 PM

@JonKnowsNothing wrote, “As the dude pleaded guilty in a US district court in Baltimore making this information part of the public record to some extent.”

Its a more than a slap in the face for Kaspersky to detect and exfiltrate the malware while our Mass Surveillance apparatus could not notice it for 7 years counting. I mean couldnt the assortment of Windows backdoors have picked it up and throw a red flag? or the stuff taken were deemed so operational un-imporantant the watchers simply sat on it…?

Clive Robinson December 3, 2017 5:45 AM

@ Josh,

Its a more than a slap in the face for Kaspersky to detect and exfiltrate the malware while our Mass Surveillance apparatus could not notice it for 7 years counting.

Shhhsh, did you not get the secret memo about “collect it all” not working the way the NSA greased politicals implie[1] it does.

Joking aside “collect it all” does not work the way many think it does because of resource limitations.

What that hole in the ground in Bluffdale Utah is, is a data “repository”, like a massive flat file database with out effective indexing. Because technology is currently at the point where it is possible to funnel just about everything from major nodes into it and store it against simplistic metadata.

What it is not currently, is an “analyze it all” center. Like every one else on “God’s little green apple” the NSA is neither omnipresent or omnipotent. So it is possible for data not to be collected, because it does not go through one of the NSA’s collecting nodes. But more importantly neither the technology or humans can analyse even a fraction of a fraction of the data that comes in. A point that the difference of opinion over the usage of the word “collect” by the NSA[2] actually brings out, but most journalists and tech type writers have themselves either missed it or in their entirety chosen not to mention…

What Bluffdale realy is currently is “A virtual time machine”. That is it enables analysts to “go back in time” and examin long past records of those who have only just become “persons of interest” by say spraying their DNA around the place explosively. That way the NSA can build contact diagrams/lists both current and historical[3] to try and cross-reference and thus build up the command structure and order of battle of a cell/group of undesirable individuals for political or militaristic actions (as many other Sovereign Nations do). Importantly they get meta data which as has already been noted by an old CIA&NSA senior “We kill people bassed on metadata”[4]. Which is not just the reaper drones and hellfire missiles we see are used, but also if you have seen the TAO catalog those “Find,Fix&Finish” cell phone trackers etc which are used to do “tag and grab/bag” or “grab and drop” type “wetwork”.

But as often happens with people who are in extraordinarily precarious positions, the persons of interest are learning new skill sets –OpSec/fieldcraft etc– and out evolve the technology. Whilst the smarter ones turn the technology against the technologists…

Two clear indicators of this were, firstly 9/11 it’s self where US designed and built aircraft were turned into missiles and used against US people both civilian and military. And secondly how mobile phones in the middle east and edges of asia were used by Persons of interest, long enough for the meta data to be derived by the NSA. But importantly the phones are then passed along to innocent civilions who become victims of a hellfire etc and thus become not just a significant embarrassment to the US as all “collateral damage” does, but good recruitment properganda as well.

With the bottle neck for the NSA currently being the lack of and speed of analysts, as we now know they are developing AI systems to act as faster but shallower analysts to sift through “collect it all data”. However all the NSA are realy doing is moving not eliminating the bottle neck.

Because current AI systems generally need “rules” so it’s the job of human analysts to come up with rule sets, which in of it’s self is a very time consuming process. Which means that those the NSA,are trying to analyse are evolving beyond their rules almost as soon as new rules are made and tested. Which makes the whole process a new bottle neck and in effect “A Red Queens Race.

[1] Implies is another of those “expert” words. Thus,

Expert : Ex-spurt = Has been drip under preasure.

Implies : Imp-lies = A small anoying entity that frequently does not tell the truth.

Kind of just like a certain senior NSA testifing in front of the critters on the hill…

[2] The common usage of “collect” would be what the NSA does when it hoovers all the digital comms up into storage. However the NSA use of “collect” is only when “an analyst sees a record”. Which gives a big sign pointing in saying “We are resource limited as we have insufficient analysts”…

[3] The historical meta data is very very important to the likes of the NSA, more so than current data. Because although some people of interest knew well last century the dangers of their electronic emissions most did not. Thus were much less careful than now, which means not just their membership on the lists is confirmed by their phone calls and texts, but their movments and physical contacts as well, as they did not take the batteries out of their phones etc.

[4] General Michael Hayden, former director of the NSA and the CIA, was interviewed at John-Hopkins and was asked by Baker “We kill people based on metadata?”. Michael Hayden said “absolutely correct,” and went on, by asserting, “We kill people based on metadata!”.

MarkH December 3, 2017 10:23 AM

Apple’s Face ID is looking more and more like a security clusterf*ck.

It has a claimed “1 in a million” probability of incorrectly authenticating a person chosen at random … with no supporting data. [Note to any Apple cultist reading this: you might want to study the history of security claims made by product vendors.]

It reportedly can be broken using an inexpensive mask.

THAT’S NOT GOOD.

It maintains not only a 3D “wire frame” model of the user’s face, but records “52 unique micro-movements in your eyelids, mouth and other features” from which inferences of psychological and emotional states can be inferred.

THAT’S BAD.

Apparently, this micro-movement data is not necessarily limited to enrollment, but may also include the most recent authentication … in other words, offer a “psychological read-out” over time of the phone’s user.

THAT’S EVEN WORSE.

Although the Face ID data is supposedly stored in the iPhone’s “secure enclave,” iPhone apps can retrieve at least some of this data, and transfer it to the servers of the app vendors.

THAT’S F*CKING AWFUL.

This madness has far exceeded Orwell’s imaginary telescreens.

justina colmena December 3, 2017 11:45 AM

@MarkH

Google Authenticator 2-factor auth is 1-in-a-million as well, six random decimal digits for a “verificaton code.” I am not very pleased with it. Somehow I completely lost access to Google Authenticator when my phone got clogged up with spyware and pop-ups. No phone support for a “free” app, etc…. Free as in beer, not free as in liberty. Snake oil. Way too slick for me. Gotta get out of proprietary authentication.

It maintains not only a 3D “wire frame” model of the user’s face, but records “52 unique micro-movements in your eyelids, mouth and other features” from which inferences of psychological and emotional states can be inferred.

They’re playing face poker, and they are hooked up to the states’ DMV database (the “cards”) through the back door. So joker ace brings it up to 53, but there is still one joker missing from the deck.

“psychological read-out”

That happened on one of those fingerprint systems to which I had authenticated with my right forefinger. Then I tried my left forefinger, (which has a slight scar where the ridges and grooves never aligned quite right when it healed.) It took about four or five attempts, but then the system eventually “got used to” my left forefinger print. This just might be joker deuce.

albert December 3, 2017 1:41 PM

You guys may be interested in ‘fuel gauge’ chips, which are absolute necessities for the new battery chemistries. I’ve often wondered if there are connections for altering the memory in them, which contains the data for the type of battery. IIRC, battery control parameters are stored there.

@crispy,
No, but a good try.

@Winston,
That nav/mil site has some really cool software.

. .. . .. — ….

Do not like it December 3, 2017 4:37 PM

@justina colmena: Unfortunately, over the years it seems not only has the blog been taken over by a few individuals but also did it get more into politics. I do not think politically motivated postings are the purpose of this blog. May I also point out that Trump got a first degree from Wharton, one of the best busines universities, as opposed to the previous POTUS who got into Harvard because of AA. Another good example is the US General who could not even pronounce his name but – again – got into Harvard (also because of AA) where he “obtained” an MBA. So, perhaps the Trump bashing could stop or the moderators could step in.

book_review December 3, 2017 7:53 PM

Please someone, consider doing a thoughtful negative rant against democrats, or others. Believe it or not i have voted republican before.

TL;DR 1; rant time

How stupid are they (they being, conservatives (incl. trump base), democrats, greens, independents, atheists or not, racists or not, sexists or not , male or female libbers or not, straight, l, g, b, t, etc., or special interest voters:

Don’t they realize that former Wikileaks champions (trump and pompeo) are not credible? afaik, currently trump and pompeo are not Wikileaks champions. Are they dumb enough to let cotton take over CIA and pompeo State. Apparently Senator Corker thinks not and Corker and another conservative foreign relations committee member are an obstacle for some.
https://www.emptywheel.net/2017/11/30/throwing-h2o-on-the-pompeo-to-state-move/
and, in general,
https://www.emptywheel.net/

Do they not wonder if pai, pence, pompeo, cotton, ross, icahn, nunes, burr, sessions, bannon, mercers, current and future fbi, dhs, nsa, treasury, and so on, directors, have pledged a loyalty oath of some sort to chronic, presumably, liar trump?

Are they dumb enough to not vote in their own financial interests? Given both democrats and conservatives tend to be spendthrifts, but are the masses to dumb to not realize “Trickle Down Economics” is from trump to trump, jr, or clinton to clinton, jr, or cabinet members to their offspring, soros to soros, jr., gates and buffet to their respective jrs. … Do they know that Reagan’s Stockman renamed the ‘Supply Side’ economics ‘Laffer curve’ to ‘Laughter curve’ and so on.

Granted it is debatable if corporations should pay taxes; however, of course, business is unlikey to staff up or expand without additional demand or is this tax plan not for the approx. 99.9% in the USA? Perhaps look for Stiglitz at https://www.democracynow.org

Are they dumb enough not to insist on paper audit trails for upcoming elections in their states (Virginia was a disaster recently for conservatives after going all paper (cauasation vs. correlation?).

Are they too stupid to not see how we try to keep them focused on “shiny keys” as a distracction ploy. In general, i find friedman thought provoking, “From Beirut to Jerusalam”, for example, however,:
https://www.democracynow.org/2017/11/30/mehdi_hasan_rips_thomas_friedmans_nauseating

Shall we get into another, or escalate a current, perpetual war, to distract the masses. Is it time to fire Mueller? Will they fall for it?

What do you think about pai’s performance at FCC? Do you think what he is doing to Net Neutrality is good? Perhaps it is about time you weighed in.
https://www.eff.org
https://www.aclu.org

Do they not see what’s happening in the media? Sinclair Broadcasting buying stuff; koch brothers buying Time, etc., doesn’t big business own or control enough of the media landscape already?

TL;DR 2
Especially if you are in a swing state, consider expressing your interests or preferences to your current elected (in office) politicians. Believe it or not, email or calling may be as effective as faxes or letters (need to scan for adverse substances; takes time to process):
https://www.newyorker.com/magazine/2017/03/06/what-calling-congress-achieves

… may you live in interesting times …

Cry about it December 4, 2017 12:51 AM

“May I also point out that Trump got a first degree from Wharton”

You can’t say “no politics or I cry to daddy” and then segue with defenses of a traitor, that doesn’t wash.

Mueller is a Republican, and he’s not going anywhere. No matter what you tweet.

Clive Robinson December 4, 2017 12:57 AM

@ book_review,

Granted it is debatable if corporations should pay taxes

No it’s not, they should just like any other entity legal or natural. What the debate is realy all about is what a tax is and is not and thus how the book keeping works.

A tax is a percentage of their income an entity pays for social goods (that is social with a small ‘s’). Such as infrastructure and the health and education of the population. That is to pay for things considered to be for the benift of society as a whole.

A legal entity such as a company usually requires employees of varying skill levels and good health. A legal entity that does not pay towards the education and health of society in general is thus a parasite because it is taking without providing.

Unfortunately due to lobying etc a difference is made between legal and natural entities. For natural entities all income is in effect considered taxable, whilst for legal entities it is only income in excess of expenditure that is considered for taxation.

This is the source of unfavourable treatment of natural entities when compared to legal entities. Especially when the legal entities can more or less decide for themselves what counts as expenditure, where as natural entities do not have such a choice.

You will note however where natural entities do get choice is usually because their income is not for labour but due to “rent seeking” activities or due to holding assets that can be used for rent seeking activities.

Such policies disadvantage the poorer in society who thus bare a much greater share proportionately than those with assets. This is made worse by the economic policy of inflation where non asset wealth rapidly depreciates in purchasing power, whilst asset rent seeking income inflates thus the purchasing power derived remains more or less constant.

Worse perhaps is in most jurisdictions is the distinction between legal and natural entities under law for criminal activities. Legal entities not having a single directing mind do not go to jail and lose their right to income, they are simply fined and often given time to pay it and in some places actually alowed to use it to offset any income used to assess taxes.

There for it is easy to see that despite protestations otherwise such countries do have a “Class System” of,

1, Those without assets.
2, Those with assets.
3, Those with assets that seek rent on them.
4, Those who hide behind legal entities.
5, Those who live through legal entities.

Broadly you are “working class” in 1&2, “middle class from 2 through 4 and “upper class” in 4&5.

The main difference between the two class systems is that of “inbred confidence” in the old system and “inbred entitlement” in the new. Of the two the latter is more harmful to society not just in the general but specific to.

Clive Robinson December 4, 2017 2:00 AM

Paper, Paper for your votes

As a few readers know I’m know to advise “Paper, Paper never data” for many things electronic data related.

Well it appears the same advice is being given by Prof Matt Blaze to those US Politico’s interested in vote security in it’s many forms.

El Reg has a piece on it,

https://www.theregister.co.uk/2017/12/01/us_voting_machine_security_hearing/

What you do not hear is why on earth you would want to waste money on electronic voting in the first place? It kind of boils down to the media want faster results, to keep viewers awake longer so they see more adverts…

By and large the US election system is largely uneffected by when the vote count total is made public. Thus the old paper system is more than adequate for the job fairly inexpensive to run and any cheating tends to be fairly easy to spot by observers. Benifits the electronic systems do not have[1]…

So the real question should be “Why waste time and resources for a less secure, more expensive and much much less reliable electronic system?” But then we are taljing about politico’s with wheels to grease with big lumps of pork fat…

[1] Has anybody noticed that the companies that make these machines tend to be those that help fund the Republican Party in various ways?

65535 December 4, 2017 3:09 AM

@ Clive Robinson\
“The important point is that if the device is an RFID then that trace wire is nothing but an antenna, that does not need to be galvanicaly connected at either end. Thus the comment about seeing just a little noise could well actually have been the bidirectional EM signal to read back the serial number and any other data such as “capabilities”… this is not a new idea and as has been noted with Apple PSUs with a microprocessor and quite a chunk of Flash ROM they could and have been shown to be a malware attack vector.”

You last sentence makes me think the machine is not so good.

“They have a whole bunch of secret order codes not just for systems but upgrades / repairs / Scrapping. One of these codes when filled in on a works order will result in the HD and other items being removed from a system and sent to the ball mill for reducing to dust and new parts fitted. These are then replaced with new parts NQA. There are other codes but it’s “I could tell you,.. But then I’d have to kill you…”-clive R.

I am not liking this dell thing.

@ Boot to DOS to Patch IME

I am working on that project now.

@neill

I did the F3 and F2 thing. It skips the bios screen. That just took a phone call.

@ Clipper

“I always thought that Dell being an NSA contractor means there is a very dark side with their machines. Frankly I wouldn’t buy a Dell just because of this suspicion that every model they make has some added backdoors.”

That is my thought. The NSA wants to keep track of their users, abusers and anybody dumb enough to buy dell equipment.

@ Sancho_P

“Chipsets often use the 1-wire bus as a (slow) interconnection, obviously here it is used to identify and read fixed data from a genuine power adapter. Chinese fakes can be dangerous! To store any information at the DS250x the mainboard would need a specific HW to write to the EPROM (and the EPROM’s write protect must not be set), but that wouldn’t make sense. Check also: https://hackaday.com/2014/03/03/hacking-dell-laptop-charger-identification/

The more I read about dell the less I like them.

@ CallMeLateForSupper

“The 2506 does have EEPROM. Each individual specimen has both a UNIQUE SERIAL NUMBER and a “device family” ID, both of which are readable but not writable. Communication is via DalSemi’s 1-Wire protocol (signal and ground, so actually 2-wire… but who’s counting). No Vcc connection tells me this thing operates through so-called “Parasite Power”, wherein the master device supplies hard pull-up to the signal pin between comms bursts, to charge the device’s internal power cap….”

I see a lot of possibilities for “hinky” thing happening. I first thought that Dells were OK. I really don’t think I like them.

MarkH December 4, 2017 3:16 AM

I don’t always agree with Clive, but when I do I drink Dos Equis (that’s a dumb US advertising campaign, but I failed to resist throwing it in).

From my perspective, Clive is 100% on target with respect to taxation and voting systems.

I would add to (or perhaps reinforce) what he wrote about corporate taxation to the extent that corporations not only get to decide what of their income falls into taxable categories; in the US at least they also purchase legislators wholesale and write legislation.

The dramatic cut in US corporate tax rates — funded by borrowing at least 1,000,000,000,000 dollars and raising taxes on the poor!!! — doesn’t make sense socially, fiscally, economically or strategically. It doesn’t comport with any plausible theory of justice. It doesn’t even make sense politically, inasmuch as it may be heavily damaging to the party that voted it. But if you’re a giant corporation, the tax bill is exactly what you commanded!

My little municipality used to use simple paper forms which we marked with pencils and which were tallied by rather simple optical scanning machines. With that system, the capacity to audit elections was excellent, the only defects being the possibility of ambiguous markings or post-vote tampering.

When the vote was switched to touch-screen machines, I was very pleased to see that they print a paper record which is visible to (but not touchable by) the voter. Of course, I always verify my votes.

This scheme is 100% auditable, immune to ambiguous votes, and I suppose would require significant and rather risky work to tamper with.

The notion of using electronic voting machines without such a paper record is just bat-sh!t crazy, and I would have raised hell had my local government not made the sensible choice they did.

But the older optically-scanned paper & pencil ballots remain an excellent low-cost system.

Bob Paddock December 4, 2017 8:17 AM

Amazon now wants to be part of the Embedded System world. Should I have the warm fuzzies about it? I’m guessing not?

Amazon FreeRTOS (a:FreeRTOS) is an operating system for microcontrollers that makes small, low-power edge devices easy to program, deploy, secure, connect, and manage. Amazon FreeRTOS is based on the FreeRTOS kernel, a popular open source operating system for microcontrollers, and extends it with software libraries that make it easy to securely connect your small, low-power devices to AWS cloud services like AWS IoT Core or to more powerful edge devices running AWS Greengrass.”

CallMeLayeForSupper. December 4, 2017 10:18 AM

Re: the breach of TIO (purchased this year by PayPal)

“[PayPal] is also working with a consumer credit reporting agency, Experian, to provide free credit monitoring memberships for fraud and identity theft to those who are affected by the breach.”

Free credit monitoring (and from Experian choke! gasp!). Credit monitoring is even more underwhelming than, say, an offer of a few bus tokens after your car has gone missing.

echo December 4, 2017 10:46 AM

@MarkH When paying cash into my UK bank via ATM the machine verifies the money is legitimate (and rejects any spoiled money), asks the customer to verify the totals are correct, and prints a receipt.

Additional points of interest are ATMs with a cash deposit facility are located within the premises, security cameras cover the public area, and the bank employs greeters in the public area who direct customers and provide assistance, and the type and quanitity of deposit is constrained. On the surface this is positive and benign but within the banking system as whole there is a bigger context of regulatory capture and business efficiency with cowboy antics and lobbying at the merchant bank end of the spectrum.

America has its own culture. I suspect US culture and the form of the US economy drives technical solutions so electronic voting is a multilayered problem hence this may be an intersectional kind of issue. Much like you suggest about electronic machines and sponsorship there is also the issue of gerrymandering. Brad Templeton has blogged opinions on solving gerrymandering.

http://ideas.4brad.com/anti-gerrymandering-formulae
http://ideas.4brad.com/could-states-affect-gerrymandering-outside-their-state-conspiracy-rules
http://ideas.4brad.com/fix-gerrymandering-test-needed-or-interstate-compact

hmm December 4, 2017 1:35 PM

“Credit monitoring is even more underwhelming than, say, an offer of a few bus tokens after your car has gone missing.”

It’s more like “gee, we allowed your car to be stolen from our lot, that’s too bad – pay us $20 a month now and we’ll see what happens.”

MarkH December 4, 2017 3:12 PM

@echo:

The US already has some worthwhile proposals for increasing the equality of voter representation (although the problem of the anti-democratic US Senate is practically insoluble).

An obstacle to any progress on this, is that a Certain Political Party benefits mightily from unequal voter representation, and will do anything in its power to maintain that.

One of the simplest concepts, which would bypass questions of rules and formulae, is to greatly increase the size of the House of Representatives. It hasn’t been upsized in a long time, and each member now represents a far greater population than was the case historically.

With 5 or 10 times as many members, campaign costs would be greatly reduced, so non-millionaires would have a real chance. And the drawing of districts, however corruptly it might be done, wouldn’t matter nearly so much.

CallMeLateForSupper December 4, 2017 3:28 PM

@65535

In your position I would wonder first about whether or not the Dell machine would be reliable, because if not, there is no reason to scratch around inside for e.g. implants.

Plug “Dell Hell” into your search engine and read what pops up. The company had truly awful customer relations some years back, for which reason I later declined two offers of cast-off Dell machines.

MarkH December 4, 2017 3:39 PM

12 Billion Miles Off Topic

(Or 19 Billion Kilometers, for those of you in the Real World)

The Voyager 1 spacecraft has relied on attitude control thrusters (VERY small rockets) for more than 40 years, in order to keep its communication antenna pointed toward Earth.

Lately, these thrusters have gone a bit wonky, and the engineers who still run this antique decided (with their usual extreme caution) to test using a second set of thrusters for this function.

The Trajectory Correction Maneuver (TCM) thrusters were used during planetary encounters … which means they’ve been sitting dormant for 37 years.

The test fired the TCM thrusters for 0.01 second pulses, and they worked fine.

Three cheers for the Aerojet Rocketdyne MR-103!

To tie this slightly back to the subject of security …

Robustness does not in itself ensure security. But a very robust system, other things being equal, may be FAR more secure than a system that is prone to malfunction.

In the 70s, I knew a fellow who went on to be a pioneer in the evaluation and strengthening of computer access control systems.

One day he told me something that surprised me, because I found it so unintuitive: “If you can crash a computer system, you can break into it.”

It seems to me that a very high proportion of internet vulnerabilities have been caused by brittle software that breaks when processing unexpected inputs.

Simplistically, a robust system is not one we expect to function, but rather one that is so designed that it has no alternative to functioning.

Wael December 4, 2017 4:23 PM

@MarkH,

One day he told me something that surprised me, because I found it so unintuitive: “If you can crash a computer system, you can break into it.”

That’s not surprising. I would state it differently, though:

“If you can crash a computer system, you have found a weakness to break into it.”

Clive Robinson December 4, 2017 5:50 PM

@ MarkH, Wael,

One day he told me something that surprised me, because I found it so unintuitive: “If you can crash a computer system, you can break into it.”

It’s sort of true. It makes more sense to say,

    If you can change the behaviour of a computer to make it crash, then you can probably change it’s behaviour in other ways, alowing you to break into it.

A big part of this problem is programmers shifting error checking to the left and data processing to the right. Then failing to correctly handle exceptions from the right.

Whilst intuitively it makes more sense to do error checking / input validation to the left, it’s a false intuition.

To write secure, high availability high reliability code you must have a working method of exception handling that works correctly from the far right to the very left. That is a program in effect needs to be transparent in reverse. Think of it this way user input comes from the far left and exits at the far right to a disk drive or communications device. The program must be able to communicate a hard drive or communications device fail back to the input of the program. Where it can signal to the “Data Source” that it can not only not handle further data, but that it also wants to hand data back up the line that has not gone to the data sink.

This sort of programming is especially important when you are writing “I/O stream modules”.

For many things “crash and burn” or “dump data on error” are realy not an acceptable way to program.

tyr December 4, 2017 10:52 PM

Most systems are vulnerable during a reboot.
Like Clive says a lot of it has to do with
when the error checking gets run. Lots of
programs have the error checking done as
the last part of the program, except for
the parts that got added on during alpha
testing phase. Doing it differently involves
a different mindset and academia dropped the
ball on it years ago. Industry is driven by
completely different priorities.

Demonstrating that someones carefully crafted
code is broken will make them start scrabbling
for their tranquilizer bottle in a heartbeat.

Wael December 4, 2017 11:01 PM

@tyr,

Most systems are vulnerable during a reboot.

True. Just like planes are most vulnerable at landings and takeoffs!

Lots of programs have the error checking done as the last part of the program

That’s been changing.

Clive Robinson December 5, 2017 12:38 AM

@ tyr, Wael,

Lots of programs have the error checking done as the last part of the program

That’s been changing.

How do I put it tactfully, catching errors, is almost as easy as a dog catching fleas. It’s what you do with them next that’s more important…

When a program finds an error the “Blue Screen of Death” is not the way things should be solved “ever”… I don’t care if it’s a “critical unforseen bug” or not, it’s not the way to go. Likewise just stopping with a cryptic error message in a log file is just as unaceptable.

After all what would you feel about,

Dear Mr XXX,
Yesterday when the storage device failed on our high-sec backup device, the AES key to your data container with 1398 BitCoins was irretrievably lost. Please contact our robotic help system for more information.

To some people the loss of just those few bytes of data would bring rather more than that crashing down, even though bitcoins are heading for 12,000USD currently.

Which is why avionics software on passenger aircraft is generally developed to a higher standard than “commodity business” software (though that is changing with passenger entertainment systems now starting to share networks/comms with avionics systems).

The thing is it’s mostly down to “view point”. You would probably think twice about getting into an aircraft covered in rust, driping oil and fuel on the tarmac even though the windows were squeaky clean.

However with software all you get to see is the user interface that is the equivalent of the squeaky clean windows. You don’t get to see the memory leaks or broken garbage collector, buggy device drivers etc that are the software equivalent of the driping fuel and oil, and rust.

Thus with the crufty software you have a false viewpoint that does not send you running for the hills the way a poorly designed built and maintained airframe would.

I feel it’s safe to say that man would not have got even close to the moon if the software they used was of the same quality MicroSoft was churning out a quater of a century later as “fit for purpose”. If your Flight Sym crashed your PC you make dark mutterings and hit the reset button and twiddle your thumbs for a minute or so, you don’t realy have that option at 30,000ft and descending rapidly…

It’s why some people get real twitchy when people talk about battle ships with enough armaments to make a fair sized hole in a city running weapons control or command and control systems on MS Windows XP the US Navy still has a support contract for…

After all do you realy want a nuclear tipped cruise missle heading west towards New York rather than East towards a Russian boomer, it could play hell with your 401(k) plan if the NY Stock Exchange got smoked…

Charles December 5, 2017 2:31 AM

Clive Robinson wrote, “This is made worse by the economic policy of inflation where non asset wealth rapidly depreciates in purchasing power, whilst asset rent seeking income inflates thus the purchasing power derived remains more or less constant.”

It appears your statements relate to the concept of Usury, because rent/interest are related to inflationary drivers. It is for this reason classical inflation is erased and replaced by modern definitions of “inflation,” but the heart of the problem did not change and had always been the expansion of money supply as a mean to induce productivity.

MarkH December 5, 2017 2:48 AM

Clive wrote, “avionics software on passenger aircraft is generally developed to a higher standard … though that is changing with passenger entertainment systems now starting to share networks/comms with avionics systems

(my emphasis added)

Any evidence for a weakening of software standards for safety-of-life components on airliners?

It’s a non sequitur (does not follow). I am aware of no reason at all why the predicate of making data connections to unreliable commercial-grade computers should have the consequence of any aircraft manufacturer, or aviation regulatory authority, concluding, “oh well then, we can have junk software in the flight controls too.”

A propos of warships … I’ve never worked on that side of things, my professional life being closer to the avionics world.

I do remember a brilliant documentary about the Falklands War, and the vividness with which a Royal Navy commander described the “crash” of the weapons control computer while Argentine fighter jets were seen on radar to be approaching at horrifying speed. [For those who don’t remember that strange war, Argentine jets wrought havoc on some of Britain’s ships, and the air defenses of the the Royal Navy combatants were barely adequate to the onslaught of Argentina’s tiny air forces.]

He described crewmen “literally pounding on their keyboards” in frustration as the computer rebooted (mercifully, this did not take very many seconds).

Does the US Navy really have combat systems running Windows? It’s hard for me to imagine the Air Force ever having fallen for that kind of snake oil. Maybe that’s because USAF has already had too much experience with dead men, and astronomical cost overruns, resulting from failures of computerized systems on aircraft.

Wael December 5, 2017 4:42 AM

@Clive Robinson, @tyr,

Which is why avionics software on passenger aircraft is generally developed to a higher standard than “commodity business”

Avionics systems use hardware and software redundancies as well. Hardly a cost-effective solution for personal systems.

book_review December 5, 2017 2:40 PM

Are they (the USA public in general) a bunch of dummies?

1) Are white women in the USA dumb enough to give the Trump Team (“‘tt'”) wins in the upcoming elections in the USA (Alabama and Georgia, come to mind). IIRC white women gave tt the presidential win in the last presidential election.

2) Are they (the USA public in general) such a bunch of dummies that we can respond to questions with ‘That’s a good question’ and then recite relevant, tangential, or irrelevant talking points. For example, how a Conservative FCC commissioner responded to questions on 1A today (downloadable mp3; 32:43)
December 5, 2017
An FCC Commissioner Makes The Case For Net Neutrality
Here’s what we did. We sat down with a current Federal Communications Commission commissioner as well as a critic of the FCC’s move to repeal net neutrality. Then we opened our phone lines and let listeners ask the questions. The FCC has been reversing and revising many regulations, and the national conversation about net neutrality is heating up. While some argue repealing net neutrality gives internet service providers too much power over consumer content, others say it’s not only good for consumers, but good for business.
https://www.npr.org/podcasts/510316/1a

or are we a bunch of dummies who have been betrayed ‘for chump change’
https://www.theverge.com/2017/3/29/15100620/congress-fcc-isp-web-browsing-privacy-fire-sale

or see how in Portugal pricing is ‘splitting the net into packages’ (graphic)
https://www.theguardian.com/technology/2017/nov/22/net-neutrality-internet-why-americans-so-worried-about-it-being-scrapped

and
3) presumably eff, aclu, etc., are playing the long game. Is there any reason for powerful players, the big ISPs, Amazon, Apple, Facebook, Google, Wikipedia, Netflix, eff, aclu, and so on and numerous smaller ISPs and up to millions of websites to bring the WWW to a crawl before the upcoming FCC vote.

echo December 5, 2017 2:57 PM

@MarkH Thank you for your comment. I don’t follow the detail of US discussions but it’s good to know these issues arebeing considered seriously.

@Clive I agree with the points you make about poor software quality covered with the gloss of marketing and, of course, people are right to be concerned.

An article does note that new UK aircraft carriers will run BAE Systems ‘Shared Infrastructure’ which is their own in-house system. This system is planned to operate across all Royal Navy ships. I am unsure about the issues with regard to quality systems being implemented and contractors using consumer grade systems for testing and calibration.

https://ukdefencejournal.org.uk/new-aircraft-carriers-dont-run-windows-xp/

Clive Robinson December 5, 2017 5:04 PM

@ Charles,

but the heart of the problem did not change and had always been the expansion of money supply as a mean to induce productivity.

Real wealth defined by assets which are finite, even Mark Twain had an observation on that in terms of real estate. Fiscal wealth not realy based on anything can be expanded to the hearts content of the banks who print it. The basic observation is that the real wealth will still be worth the same fraction (percentage) of the available money supply as it always has been. Thus logic dictates that the price of fixed assets must increase, as more money is added to the money supply. Those paid at a standard rate thus find their purchasing power decrease as money is added to the money supply.

Thus the effect is that those without assets and fixed incomes must get poorer as money is added to the money supply. Thus the reality is that the increase in productivity gained is directly related to the devaluing of the labour supply…

Thus when politicians ane economists talk of “increasing productivity” what they realy mean is that they are reducing the purchasing power of the largest part of society. Which logicaly means they will not be able to afford the goods they manufacture, which means falling demand thus falling profits and thus a reduction in the employed labour therefore the tax base…

Oh the UN does research on the percentage of GDP that goes to profits and the percentage that goes to wages. Guess what correlation they found between drives for increased productivity and the fraction of GDP that goes to the workers and the profit that goes to the rent seekers. Award yourself a virtual cigar if you said falling percentage of GDP for wages increasing percentage for rent seekers…

Clive Robinson December 5, 2017 5:28 PM

@ MarkH,

Any evidence for a weakening of software standards for safety-of-life components on airliners?

When it comes to Avionics and software standards, they do not need to change in the slightest for the systems approved to them to become less reliable when their comms gets shared with entertainments systems.

All that is needed for comms delays to increase or become blocked is extra traffic through a limited resource which comms usually are at some point. The increase is usually not linear due to error multiplication factors. Put simply it takes more traffic to report an error and correct it than it does to send the data without error. Thus as the bandwidth becomes occupied a single error will cause a cascade of errors because there is no spare capacity for the extra error traffic.

I’ve mentioned this issue a couple of times in the past. Whilst it appears to be a known issue with grizzled old grey beard communications engineers, it appears almost unknown to many if not most computer systems engineers, who often assume things scale linearly…

Unfortunatly as I’ve also mentioned before dealing with errors is something that reaches backwards through data diodes. Thus what is deemed to be an issolated avionics network behind a data diode is actually not issolated. Which means an attacker on the ouput side of the data diode can cause error signals to start appearing in the “thought to be issolated but is not” avionics network.

Errors cause exceptions in program flow, which gives a potential attack vector.

Clive Robinson December 5, 2017 5:47 PM

@ MarkH,

You might find these of interest,

https://www.theregister.co.uk/2015/06/25/us_navy_windows_xp_support/

@ echo,

The link you give may well be in response to stories like this,

https://www.theregister.co.uk/2015/12/15/windows_xp_royal_navy/

The problem is those that realy know are not saying for various reasons.

I know for certain that some of the test kit the UK armed forces use still runs on MS Win XP as does that in NHS hospitals and even “OfCom”.

The simple fact is, if you buy an expensive test instrument you expect to get ten years or more out of it. If the manufacturer decided as many did to use stripped down versions of Win XP to drive the display, you are, stuck with it because manufacturers of test kit have offered an OS upgrade, even though they may have ossued one or two software upgrades. It’s just the way these things pan out…

Wael December 5, 2017 10:07 PM

@Snitches get stitches,

A lark in the hand is worth two in the bush.

Our man in Manama passed through a membrane from another reality. That crap mounts so high!

book_review December 5, 2017 10:47 PM

@Snitches …, @Wael

From @Snitches … linked link above
https://theintercept.com/2017/12/04/trump-white-house-weighing-plans-for-private-spies-to-counter-deep-state-enemies/ ‘s second author

“Jeremy Scahill (born October 18, 1974) is a founding editor of the online news publication The Intercept[1] and author of Blackwater: The Rise of the World’s Most Powerful Mercenary Army, which won the George Polk Book Award.[2] His book Dirty Wars: The World Is a Battlefield was published by Nation Books on April 23, 2013. On June 8, 2013, the documentary film of the same name, produced, narrated and co-written by Scahill, was released. It premiered at the 2013 Sundance Film Festival.[3][4]”
https://en.wikipedia.org/wiki/Jeremy_Scahill

I have read, at least parpts of, perhaps hanging out in book stores, both of S above books and may have seen parts of the film Dirty Wars on Democracy Now. IIRC Scahill appears to have good soluces within the JSOC.
https://www.democracynow.org/special/jeremy_scahill_and_dirty_wars_on

Trailer here, perhaps, or on youtube
http://dirtywars.org/the-film

Wael December 5, 2017 11:26 PM

@book_review, @Snitches get stitches,

Watched the trailer… I must have missed the book and the movie, probably because I watched the news 😉

Will queue the movie for an open slot. The book… probably not. Nothing to review in “reality”.

tyr December 6, 2017 2:47 AM

@Clive , et al

I’m not sure the coredump was superior to
the blue screen of death but at least you
had a place to start looking for your bug.

Back in the day naval computing was horribly
robust because of the certification process.
Once people were exposed to crap enough then
the new whizz kids probably thought it was
overly fussy right up until they died from a
failure point. You can see from the Fat Leonard
scandal that not everyone is on top of what
needs to be done. I don’t consider the idea
that no one has died yet to be the correct way
to measure Naval or aviation systems for safety.

I seem to recall that the UK ship that was hit
in the Falklands was a victim of cost cutting
and was built without one of the designed weapon
systems. Bean counters who are not going to be
aboard are lousy judges of what a warship needs.

I think it was Heinlein who said that a second
best armed force is the worst investment any
society can make in its future.

MarkH December 6, 2017 2:49 AM

@Clive:

We argued about aircraft previously, I don’t think you absorbed what I wrote :/

Aircraft systems design includes analysis of failure modes at a level rarely seen in other kinds of engineering.

I don’t have hands-on experience to go on, but from my reading of case histories, I think it likely that a fundamental requirement for safety-critical systems reliant on data networks is a convincing demonstration that they will function in the presence of every plausible failure mode. This would surely include malfunctioning boxes vomiting uncontrolled network traffic.

When we first got into this food-fight, we had the testimony of a commenter who claimed to work on the actual aircraft, and who informed us that in the Airbus model with which he (or she) was familiar, only the outbound ethernet pair was connected!

That is an ULTRA-CONSERVATIVE approach. Can you suggest any way that failure of entertainment boxes will f*ck up the flight controls in such an arrangement?

The people who design flight control systems are generally (a) not stupid, and (b) deadly serious about their work.

The Airbus copper (or more accurately, no-copper) data diode is an example of what I meant by robustness conferring security. When you design things so they have no alternative but to function as intended, the attack surface shrinks mightily!

MarkH December 6, 2017 3:06 AM

@Clive:

Thanks for the naval links. One of the articles links to this register story with a well-reasoned consideration of where using sketchy computers is likely not consequential, and where it’s much more dangerous.

If it’s true that “Microsoft applications affect ‘critical command and control systems'” on US Navy ships — well, shame on the USN.

I claim no expertise on this, only the microscopic view my work has given me into the US Air Force … but I doubt that USAF would make such foolish decisions.

Perhaps it’s a combination of being more dependent on (and thus more familiar with) high-tech than the Navy, and the psychological effect of faults leaving smoking holes in the ground. But I expect USAF to be too cautious to rely on garbage like MS operating systems for critical applications.

That being said, I’m sure that Windows and other dubious bloatware proliferates in test equipment and ground-support equipment, in which the need to reboot is an inconvenience, not a disaster.

Rachel December 6, 2017 11:51 AM

There was a Belgium Dirk Praet
Famed as a punk techno laureate
blogger but Dirk he run
Schneier was never the same fun
As when Dirk served BSD on a plate

JG4 December 6, 2017 1:45 PM

topic of the day – changes in brains

Doctors find brain abnormalities in victims of Cuba mystery
https://apnews.com/bbed1d7f6f1a4320a7e60abfdce67d4d/Doctors-identify-brain-abnormalities-in-Cuba-attack-patients

learning involves neurogenesis. I can’t think of a better reason to start a life of crime than to escape abuse. just for the record, Altucher is awesome.

Ep. 284 –
Frank Shamrock: The Making of a Legend: How a Criminal Became a Champion
https://jamesaltucher.com/2017/11/frank-shamrock/

I think that I am on the record that it is a good idea to scan the brains of all government employees and politicians, starting with the ones who have guns or start wars. and everyone at the SEC who get paid to watch porn

Brain scans find porn addiction
http://www.thelocal.se/50364/20130921/

albert December 6, 2017 3:10 PM

@JG4,

I thought “…hearing, vision, balance and memory damage…” were characteristics of -all- gov’t employees, or is it just politicians?

  1. Is it a secret weapon? If so, then:
    a)If the US has it, then we’ll never hear about it.
    b)If the US doesn’t have it, then we’ll never hear about it.
    There are COTS products that can generate any frequency with two ultrasonic transducers.
  2. Brain chemistry is poorly understood at best. I’d prefer evidence that can withstand deep inspection, rather than speculation or propaganda.
  3. The conclusion most people will draw is: avoid Cuba like the plague.

“…”unlike normal sound, which disperses in all directions. Doctors have now come up with a term for such incidents: “directional acoustic phenomena.”…”

Whaaat? It’s high school physics. ALL sound travels in all directions, unless special sources are used. The higher the frequency, the easier it is to direct it. There are also ‘phased arrays’ (like those use in radar and sonar systems), for directing audio frequencies. This is -weapons- technology.

  1. What’s needed is the release of complete research findings. Until then, it’s just opinion, even like my point #1.

BTW, a note to the Swedes: Just wash the fruit and stop the pissing and moaning.

“…The Underground Uber Networks Driven by Russian Hackers Daily Beast (Chuck L)…”
According to Vice Channels “Cyber War”, the Russian gov’t usually -lets- it’s hackers work -outside- of Russia, but woe to the ones who pee where they live. And the gov’t has a ‘willing’ pool of talent at their beck and call, so to speak.

. .. . .. — ….

Clive Robinson December 6, 2017 3:28 PM

@ MarkH,

Aircraft systems design includes analysis of failure modes at a level rarely seen in other kinds of engineering.

That is true for the avionics and other flight systems. But not true of the passenger entertainment systems.

In times past they were kept entirely seperate not even sharing power systems. Thus back then it did not matter if the entertainment system took a walk in the park or other similar aberant behaviour. The Pursor or equivalent hit the reset button or what ever and sanity in the cabin would return.

But times have changed the entertainment requirments are different, phones and Internet are now on the menu. The weight of fully issolated wiring is seen as an avoidable operating cost…

Thus at some point prior to the satellite link the avionics and entertainment systems share the same cable goibg into the same limited bandwidth satellite system.

It does not matter how well the avionics system has been tested, it was designed with certain assumptions about communications latency and blocking. The old issolated entertainment systems had zip effect on it. But with phones and Internet all of a sudden communications delay, errors and blocking are now issues, that are effectively being hand waved over.

That is the avionics is still certified as it was because nobody is going to spend money on getting it recertified. Likewise the entertainment box is some *nix box using what are in effect commodity programs. Thus there certification is in effect “non interference” uprated EMC type.

What we are seeing is those refurbing existing aircraft applying not for re-certification on usage but veriation on usage which is a whole different and way way less strict process. That is it’s more a paperwork excercise than an indepth functional testing process.

Thus the probability of avionics issues arising is proportional to the way the supposadly issolated systems share a choke point, that the satellite communications system is.

As I explained above people frequently do not fully understand the issues surrounding data diodes and likewise Quality of Service issues when dealing with data bandwidth step down.

Thus whilst someone may well get it correctly sorted out the first time the systems are brought together what happens when the entertainment system gets a small upgrade or the equivalent. It needs a little more bandwidth and somebody adjusts the QoS parameters, nothing adverse appears to happen so it’s changed on a variation. At some point the avionics will go from a background comms level to a much higher bandwidth requirment. Whilst the original QoS settings would have allowed for it the variation settings won’t and that’s when things start cascading…

With regards,

The Airbus copper (or more accurately, no-copper) data diode is an example of what I meant by robustness conferring security.

What percentage of flying Airbus planes have them on board, and what percentage of currently flying commercial airliners is that 1%?

The oldest flying 747 was rolled off the line in the early 1970’s, I don’t know how many times it’s been refurbished in the passenger cabin in it’s four decade life. But passenger aircraft get refurbs quite often, and often the entertainment system will get upgraded as well.

The current estimates I’ve seen for avionics recertifications is around 1,000,000USD/line of code… Which will give you an indication of how likely an airline is going to apply for a recert rather than a variation.

The other thing to remember is satellite bandwidth in the Ka/Ku band is not at all cheap. Thus the bean counters are going to want to get maximum usage before jumping up from one bandwidth rate to the next.

The desire to minimise bandwidth usage has resulted in minimilistic protocols with out the likes of authentication, which might be fine in a fully independent network but not in a shared network even with data diodes and source routed switches.

I fully expect to see more and more aviation comms issues hit the news across the next decade. The only question is at what point will the industry actually sit down and think things through in a more thorough way than the piecmeal way it is currently.

MarkH December 6, 2017 4:32 PM

@Clive:

When passenger airplanes switched to fly-by-wire, the involved avionics became as critical to safety as the cables, bell cranks and hydraulic lines of previous designs … and their certification standards skyrocketed accordingly.

A few years ago, a “security pro” made (or at least implied) the sensationalist claim that he could control aircraft systems via the in-flight entertainment (IFE) system.

Although this was “supported” by a lot of ignorant speculation on the part of people who assumed that airliner systems are designed like office equipment, I have yet to see any evidence that actual vulnerabilities of that type exist. The comments of those who are familiar with aircraft systems explain how they are hardened against this kind of failure.

You raise an interesting question about external data communication. On the planes I fly, the PES doesn’t have any evident transmit capacity. WiFi systems obviously do, though it seems to me that throttling their total rate isn’t a difficult problem; commercial data networks do this every day 🙂

However, at the current state of the aviation art, SATCOM systems add economies, efficiency, and convenience. They are not, as far as I am aware, critical for safety of flight.

GPS is rather more important, but is a separate system.

The brute fact of aircraft radio communications is that they have always been susceptible to jamming (from on-board or without), the vagaries of RF transmission, and hostile spoofing.

Sancho_P’s links appear to refer to a radio spoofing attack. At any time in the past half-century, it’s been possible for someone to come on the air and impersonate Air Traffic Control (for example).

When in the future aircraft use SATCOM for air traffic control, I expect the designers will find ways to prevent IFE traffic from causing functional problems. Here in America, cell phone operators are extremely efficient at load-shedding connections from other carriers when they have a shared-cell agreement, or those from their own customers who are on a lower-fee contract. So if the guys at Boeing have trouble figuring it out, they can ask the phone companies for help!

The safety-of-flight avionics are designed conservatively, to very high standards. I see no evidence that this is backsliding, or that the proliferation of gadgets with unreliable software on board has in any way compromised this.

I know of only one air disaster connected to IFE electronics. In 1998, a US-made MD-11 was downed by a fire traced to power wiring for the IFE system.

Clive Robinson December 6, 2017 5:42 PM

@ Albert,

Whaaat? It’s high school physics. ALL sound travels in all directions, unless special sources are used.

Err beams are divergent due to their half angle and surface of a sphere. That said “interference patterns” caused by two beams are somewhat of a different matter depending on how far appart the two source beams are.

Back quite a way into the last century the UK Ministry of Defence (MoD) payed for research using two ultrasound beams, with a difference frequency that coresponded to neurological/brain frequencies. The beams were used much like the WWII bombing system known as Knickebein[1]. Thus although the two ultrasound beams were quite wide at 0.5Km distance the interference area was just a few centimeters across. The beams would cause any nonlinear material such as flesh to vibrate at the difference frequencies, the lower of which being in the neurological range caused various problems including death. The point is though was that you could have a group of pigs in a quite close gathering and selectively pick one off in the same way a sniper might, but with no obvious injuries. It was supposed to form part of a “non-leathal” weapons system to replace the likes of baton rounds and water cannon and the like but for various reasons that were kept rather more secret than the research it did not get to become such a device.

The US army developed a similar system but using not ultrasound but SHF EM microwaves up in the 100GHz range, supposadly just to cause skin deep heating effects that would feel similar to burns. What happened to the interference version was it disappeared out of the research and it’s not known if it ever became a prototype which the single beam heating system certainly did[2]. Known as VMADS the US army uploaded a video onto Utube some years ago, and has allegedly been tested on 11,000 people and only caused two cases of second degree burns. Some reports indicated that it was not progressed further due to operational issues to do with power requirments and warm up times, both of which sound a bit odd to this grizzeled old engineer.

[1] https://en.m.wikipedia.org/wiki/Battle_of_the_Beams#Knickebein

[2]https://en.m.wikipedia.org/wiki/Active_Denial_System

Rachel December 7, 2017 5:31 AM

Wael
i remember Mr Georges irritating song from the late 80’s on high repeat and it was only recently I learnt he was or is more than a one hit wonder, with a notoriety and back catalogue in your country. challenge accepted.

There was an engineer named Wael
Who spun Arabic Gold into his tale
He tripped and he stuttered
He flipped and he fluttered
He couldnt tell fact from truth / fable

Bob Paddock December 7, 2017 7:58 AM

Related to the Cuban ‘sound’ attacks.

This is a bit out of context here, my point is that sound perception is more complicated than expected when the details are analyzed. In the past I have been involved with work that involved the designs of Alarm Sounds that could be heard in high background noise environments, some random notes I’ve gathered over the years.

The Ear is logarithmic based. Thunder is 100,000 times louder than the drop of a pin.

Back then I was involved in discussions with Malcolm Slaney then at Apple Research.

I can tell you that no simple meter will match what the ear does (he did write a UVMeter for the early Mac see his publication link below).  Start with “Lyon’s Cochlear Model Malcolm Slaney Advanced Technology Group Apple Technical Report #13”:

https://engineering.purdue.edu/~malcolm/apple/tr13/LyonsCochlea.pdf

Time is more important to perception than the frequency: https://engineering.purdue.edu/~malcolm/apple/visualspeech/ImportanceOfTime.pdf

For example in speech the identity of the speaker is contained in the frequency, the intelligence of the message is contained in the Extrema Crossings.

I was always particularity fascinated by Malcolm’s Correlogram’s. My late wife commented on me watching the video from Apple Research at the time, that A) I watched too much due to my fascination with it. B) She found the ‘music’ sequence very odd.  I can probably digitize if anyone is interested, in very brief search I did not find it on line: https://engineering.purdue.edu/~malcolm/apple/tr25/index.html 

http://www.slaney.org/malcolm/pubs.html

https://engineering.purdue.edu/~malcolm/apple/icassp94/CorrelogramInversion.pdf

http://www.slaney.org/malcolm/apple/Fanty1991(ComparisonDFT-PLP-CochleagramForAlphabetRecognition).pdf

“ecological psychoacoustics” : Alarms sounds best detected by the human ear.

http://www.mddionline.com/blog/devicetalk/why-old-timey-radio-programs-could-create-better-alarms-adventures-medical-device-us

..in order to create better alarm signals, we don’t necessarily need more data. An emerging field called “ecological psychoacoustics” (I recommend reading Ecological Psychoacoustics edited by John Neuhoff http://www.amazon.com/Ecological-Psychoacoustics-John-G-Neuhoff/dp/0125158513?ie=UTF8&Version=1&entries=0 ) presents a new way to think about the problem. Rather than starting with acoustics and determining how people hear acoustic signals, start from natural (ecologically relevant) sounds and try to find the acoustic parameters that correlate with them. What they’ve been finding is that the key parameters tend to be quite complex—properties of 3rd- and 4th-order derivatives of wave forms, for example, rather than properties of the underlying wave forms themselves. It follows that the basic acoustic parameters that create alarm signals are fundamentally out of sync with the human ear and brain.

How could we develop alarm signals that are in sync with the human auditory system? I suggest three ways: Using “earcons”—analogous to visual icons—as described by McGookin and Brewster [ http://www.icad.org/Proceedings/2003/McGookinBrewster2003.pdf ]. Using methods for “faking” natural sounds, e.g., those used by the “Foley artists” responsible for sound effects in old radio shows ( One book to read is Sound Effects: Radio, TV, and Film, by Robert Mott). Creating sounds out of the higher-order acoustic parameters found by the experts on ecological acoustics, as discussed in Neuhoff’s book. …

A Human Factors Perspective: Auditory Alarm Signals by SB Wilcox: https://www.mendeley.com/research/human-factors-perspective-auditory-alarm-signals/

There is also the Neurophone device of Dr Patrick Flanagan. It was only the early models such as this one, that was demonstrated to the military brass in the last 60’s that had any type of non-contact effects (wire was run through the ceiling of the conference room). None of the newer models have such an effect.

Extrema processing is covered by US patent 4,545,065. Flanagan’s “Nervous System Excitation Device” is covered by US patent 3,393,279 7/16/68. The Neurophone Thinkman [TM] Model 50 is covered by US Patent 3,647,970 “Method And System For Simplifying Speech Waveforms” 3/7/72.

See also: Ratio detection precisely characterizes signals’ amplitude and frequency note the references to the work of McEachern and his book Human and Machine Intelligence—An Evolutionary View, R&E Publishers, Saratoga, CA, 1993; it describes how perceptions such as sound and sight are encoded.

Also McEachern, R H, “How the Ear Really Works,” Proceedings of the IEEE International Symposium on Time-Frequency and Time-Scale Analysis, October 4-6, 1992, Victoria, BC, Canada, pg 437, IEEE, Piscataway, NJ, 1992.

Bob Paddock December 7, 2017 8:10 AM

@JG4 you may find USC Mark and Mary Stevens Neuroimaging and Informatics Institute The NIH Human Connectome Project based on Diffusion Tensor Imaging (DTI) of interest.

As I’ve mentioned in the past changes to/impact upon Cerebrospinal Fluid dynamics will be part of what is found related to these ‘weapons’.

Wael December 7, 2017 9:11 AM

@Rachel,

[with edits] tripped and stuttered, flipped and fluttered, can’t tell facts from tales…

Hard to stay pleasant these days, I tell ya!
I like it. I also reserve the right to respond with the method and time of my choice. I do keep score 😉

PS: The words don’t rhyme with the song of challenge, but I get the picture.

Rachel December 7, 2017 1:12 PM

Wael
oh dear, was that considered offensive. i hope not! i wasnt trying it just flowed out. its meaning is about four layers deep actually.
also it wasn’t the response to your challenge.

Rachel December 7, 2017 1:56 PM

Wael

it was stenography. likke the cipher challenge you had with Ratio a while ago. And, mine was quite complimentary. Further layers of misdirection incidentally thus were you confusing it with the security themed song. And, having a less than positive reaction ( because it was complimentary)
its past my european bedtime but i will explain the meanings tomorrow.
The two bottom layers are only accessible to your conciousness – your ‘private key’ – like a sufi parable that has multiple levels of interpretation depending on the recipient. but thats something else. i’ll point out the various concepts intended, tomorrow. and the song!

tyr December 7, 2017 10:15 PM

I have been struck by the idea that the
Cuban problem might not be sound or a
geewhizz new weapon.

Every once in awhile I hear things that
are being generated internally while the
flu or a cold is trying to beat me up.

If you haven’t been in an area the local
bugs (virii, bacteria) don’t effect the
natives because they are biological back-
ground noise. They love to catch a newcomer
and beat them up quite badly. Medicine is
hard put to connect the dots on this and
if you start chasing exotic sound weapons
you’re not going to find the source problem.

Something banged up these peoples brain
and I’d look for a virus that isn’t in the
USA biome first.

Of course you can also look for a Cuban
bioweapons lab but until Gitmo starts to
display the symptoms it hardly seems to be
what we should be looking for.

I’m going to have to find a bigger popcorn
maker.

Thoth December 8, 2017 1:14 AM

@Clive Robinson, Nick P, Figureitout

Qualcomm’s 845 new SoC chip comes with an embedded Smart Card/Secure Element chip backdoor via integratikng ARM SC300 smart card circuitry with tamper-resistance circuitry onto the sensitive SC300 IP core on the latest Qualcomm 845 design.

They have attempted to denounce that the ARM SC300 Secure Element IP core would do backdoor dirty works like Intel ME with an attempt to claim that the SC300 core has no access to the main Cortex A main CPU cores and uses ‘mailbox’ style messaging to route ‘messages’ from main CPU, DSPs, ALUs and other logic to SC300 core.

The SC300 doesn’t have to be a low level backdoor like Intel ME and doesn’t need to have the reach of Intel ME operating and controlling the main CPU.

Here’s a quick design I drew up for anyone who wants to create a permanent, Secure Element aided, backdoor if you will to do your nasty works.

The SC300 can aid in creation of a Intel ME sort of design by using it’s tamper resisting smart card circuitry to host encryption and signing keys and secret code blobs.

The CPU would have a bunch of EEPROMs or ROMs with very low level micro-codes to boot the main chip. Part of the backdoor micro-codes can be encrypted with a SC300 SE backed chip and store into the SC300 with the encryption key. The initial codes can be signed with a private key and the public key stored in the SC300.

The signed initial codes are burnt onto ROM or stored into EEPROM with a special function that requires calling the SC300 to decrypt and release the encrypted secret backdoor blobs from the SC300’s memory under certain circumstances during booting of the chip (i.e. inspecting the signed initial boot codes).

Once the chip fully boots with secret backdoor features, the mailbox communication function with the SC300 can be used to execute other features and functions (i.e. processing decrypted VPN or SSL connection messages and leaking them) which would extend the usefulness of the SC300 core to other aspects for hardware-protected espionage and surveillance.

Due to the tamper-resisting features of SC300, decapping the 845 would not be all too straightforward anymore as the attacker trying to access the SC300 core would likely have to deal with tamper resisting features.

Although there are many demonstration of defeating tamper-resisting features (i.e. tamper shields, tamper switches, messed up logic circuitry and so on) those are done in a controlled environment where the attacker only has to deal with a small surface when decapping … namely the Smart Card chip itself but now the attacker has to take extra caution when attacking the 845 to ensure they don’t mess up too much thus adding some additional difficulty levels.

Due to the NDAs for the ARM SC300 designs, Qualcomm is unwilling to talk about their SC300 implementations.

Also one note is that the SC300 Smart Card/Secure Element design is capable of at least more than 10 KB RAM and also more than 1.5 MB of EEPROM or Flash memory so that’s way lots of space to hide a ton of things in the SC300 tamper-resisting compartment and do secret operations 🙂 .

These are all theoretical guesswork base on their announcement for now.

Good luck as we rapidly dash forward into a more Orwellian-like future with hardware-backed backdoors in every single chip you can imagine from Nest cameras to pacemakers.

Link: http://www.theregister.co.uk/2017/12/07/qualcomm_snapdragon_845/?page=2

Clive Robinson December 8, 2017 3:35 AM

@ Thoth, Figureitout, Nick P,

From the El Reg piece is this little nugget,

    One final thought: around spring next year, Snapdragon 835 Windows 10 PCs are coming. If they don’t sound powerful enough for you, well, it sounds as though Snapdragon 845 PCs are coming closely after.

I would very sincerely tell people not to buy MS OS’s on ARM CPUs…

MS’s original UEFI plan was for IAx86 and ARM to be totaly locked down and thoroughly owned via the hardware manufacturers Bulk OS purchase contract.

MS got lent on realy realy hard by various people thus the total lockdown was removed for IAx64 and all other Intel chips. But not for ARM. Thus it will be way way worse than Google’s Android as far as lockdown, telemetry oh and walled garden applications…

Thus rationaly nobody in their right mind should buy any MS OS on ARM no matter how appealing it might look, because not only will you be backdoored via the hardware, you will also be frontdoored by the MS OS….

As the old saying has it “Not just scr3ed blue, but tattooed as well”…

Energy gapped and security end point extending technology has never been more important than it currently is… And realistically it’s only going to get worse a whole lot more and quite quickly from my point of view.

Thoth December 8, 2017 5:10 AM

@Clive Robinson, Nick P, Figureitout

Also, the marketing hype of the SC300 is seriously just hype. It is going to be doomed to be insecure because the GlobalPlatform specificaitons for SIM and Smart Cards detailed a couple of rather insecure options that the likes of embedded SC300 applications are going to make it’s security look ugly.

For the SC300 core to be used for GSM embedded SIM (eSIM) applications, the Core has to use a 2 Key 3DES cipher to authenticate inwards and the dervie a DES-based MAC key to perform DES-MAC on the applet codes before the applet can be loaded onto the SIM/eSIM.

Of course there is a AES 128 type as well but the most common variant up till now is still the DES based cryptography.

On a typical SIM/Smart Card, you typically have 3 to 10 tries depending on card vendor where bruteforcing the 2 Key 3DES key and after that the card is pretty useless as it would lock up the card and you have to discard the card.

Now, if the eSIM is embedded into the SoC processor and thus the phone, it would be impossible to set a limit of 3 to 10 wrong authentication via 2 Key 3DES before locking up the eSIM otherwise a user would have to discard an entire phone.

I guess that would mean the authentication key would become susceptible to bruteforcing 2 Key 3DES keys for the eSIM unless the eSIM relies on the processor’s clock to refuse request for a short couple minutes if too many bad authentication requests are attempted.

For now we are better off clustering a bunch of RPis or some Open Source friendly single board computers and then code them to access requests and vote and work on requests according to the Prison model and for secure key storage, all of them have a SIM card attached to them. The entire cluster of single board computers exist on a different network and not connected to any Internet except it’s own Intranet.

The huge problem is with the cluster’s energy emission unless all the executions are done with some intrinsic disruptive false functions and false CPU cycles injected in-between automatically.

That’s the closest we can get to an Open Source Prison model.

JG4 December 8, 2017 9:01 AM

@Clive – I’ve heard that expression as “screwed, blued, and tattooed” and wondered how blued might be a term for drunk. Sounds like the original quote was altered on its trip across the pond. I’ve heard a similar expression, “dipped, dapped and doodled,” but it’s less clear. I recently learned that dapping is a metalworking technique, and doodle is a good match for tattooed. When we hear “I’ll be dipped,” it usually means, “I’ll be dipped in 5h1t,” which could happen in a gutter after drinking. Dapped could be a reference to being worked over by the MPs. MP has a different meaning here. I like a lot of Churchill quotes, particularly, “Do not speak to me of naval tradition; it consists of nothing but rum, sodomy and the whip.” I was able to make use of his sentence structure in contexts like, “Do not speak to me of Microsoft, it consists of nothing but chicken blood, pentagrams and incantations.” Voodoo is a far pithier expression, but when you need to wax eloquent, you could do worse than allusions to Churchill.

Clive Robinson December 8, 2017 10:44 AM

@ JG4,

“I’ll be dipped in 5h1t,”

Refers to the habbit of up ending some one into a toilet, when they were just a hole above a cesspool[1]. I gather the tradition continues in the US where mod cons and a flush have caused it to be named a “Swirly”…

With regards,

“Do not speak to me of naval tradition; it consists of nothing but rum, sodomy and the whip.”

It’s wrong in a couple of ways, firstly it was “lash” not whip, secondly Churchill never actually said it, he was once heard to remark that he wished he had…

What happened was he had seen the future of navel warfare and he knew that it was going to be not just more global but much faster. Thus he insisted that coal give way to oil as the primary fuel for battle ships. Britain at that time had vast reserves of coal but no oil in the country, thus in the short term coal boilers kind of made sense economically. However after much haranging from Churchill the lords of the Admiralty finally saw sense. The argument of “tradition” and the supposed response came up some time after the argument had been settled.

With regards,

and wondered how blued might be a term for drunk.

Think in terms of bruises as in “black and blue all over” as one reason, but likewise the Navy Press Gangs and the Marine Patrols (MPs befor MilPol/red caps) who’s job it was to get drunken and angry sailors back to ship. To say there was “no love lost and the gift of a boot to the nackers or Glasgy Kiss” was common would be a bit of an understatement…

But “dipped, dapped and doodled” I’m told by an American engineer with his feet up on the desk currently has something to do with the American Football term “dipsy-doodle” which refers to a quick ducking and dodging movment where a dipping, sliding motion of the body is made by ball carriers to evade tacklers and would have been a popular move with the more sober bar brawlers…

[1] An engineering manager I worked with some years ago came in late one morning looking decidedly grumpy. So I draged a couple of cups of Devils Brew into his office and asked what gives. He said that he’d just come back from taking his girlfriends cat “cess” –short for Cecil– to the vet as it was not well. I said what’s the prob with that did it bite the vet. To which Alan said no it was worse much worse than that. Not being a pet owner at the time I was not aware of a US custom that had been introduced. The resceptionist calls out the pets name followed by the owners family name… For Alan’s sins his surname was “Pool” which got him quite a few disaproving looks when “Cess Pool” was called by the receptionist…

Wael December 8, 2017 12:56 PM

@Rachel,

i’ll point out the various concepts intended, tomorrow. and the song!

I’m all ears. Better start flapping them lips! Told ya it’s a toughie 😉

No pressure!

albert December 8, 2017 1:20 PM

@Bob Paddock,
“…properties of 3rd- and 4th-order derivatives of wave forms…”

Some years back, I recall a paper by a guy who accidentally discovered that by applying 2nd-order derivatives of a music source to electrodes on the head, the subject could hear the music. Do you recall this?

add @Clive,
Did you know that audio frequencies can kill bacteria? They should be square waves. Originally applied by modulating RF in the 20-MHz range, now by the much safer electrodes on the skin. Proper selection of frequencies can selectively destroy specific strains.

“Music hath charms to sooth a savage breast,…” Not the Immortal Bard, but William Congreve.

Sound therapy is still used today, despite a history dating back to dawn of civilization.

. .. . .. — ….

Bob Paddock December 11, 2017 7:24 AM

@albert

It is the Neurophone device that I mentioned. I could put the electrodes from the early generation Neurphone on my feet and ‘hear’ the input audio in the center of my head. Later and current models don’t work the same way. There are also many bone conduction type devices used as hearing aids.

Look into: https://mysoundtherapy.com/ and https://www.tomatis.com .

When Patricia Joudry published her book Sound Therapy for the Walk Man
in 1984, right around the time CDs where coming on to the market she sent out a letter saying how Digital Audio was unhealthy. After Ms. Joudry’s death her daughter took over the company, she had no knowledge of such a letter until I showed it to her.
By which time all of their stuff had been converted to digital, so digital was now not unhealthy…

albert December 11, 2017 12:41 PM

@Bob P.,

Thanks for the links. It will take me a while to go through those research papers.

You’re probably aware of the Indian temples with the 110Hz ringing columns, and the Great Pyramid Kings Chamber resonant frequencies, the 582Hz DNA repair, etc.

Because they’re within the audio frequency band, they are, IMO, related to the Rife frequencies.

This is part of my contention that everything we need to survive has already been provided for us right here on earth. And technology isn’t required to access it.

. .. . .. — ….

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.