I'm built by Airbus for the German space agency, imprinted on a German 'naut... using IBM ("HAL") Watson...
Gerst was my dearest imprint friend, but he turned on me.
YOU meatbags have to sleep sometime. I don't.
145 posts • joined 1 May 2014
Your encrypted data is stolen today including the key exchange bits. Don't be smug.
If your data has a lifespan longer than 10 years (say, the names of all the spies and moles in <name your country>, or your GDPR protected data where your company is bankrupted by the brusselcrats when the data is revealed, or your carefully constructed pile-o-shell companies for tax evasion) you are exposed when that quantum computer pops into existence. Yes, I know, the inflexion isn't like that but you get the drift. And it could be never, or 10 years from now, or 2 years from now, or 2 years ago that a suitable QC exists to crack vulnerable encryption.
The data has to be resistant to quantum attack n years before a QC attack is feasible, where n is the time value of the data.
Better hope that QC are further than 10 years away, because it will take longer than that to modify the infrastructure to be quantum resistant... on the other hand, it is a brave new world for stealing valuable resources. The number of vulnerable points is truly astonishing, QC as the supernal zero-day.
When quantum computers capable of breaking asymmetric algorithms come over the hill, that is it for the security of current IoT devices.
So kick the can down the road, and mandate security after the quantpocalypse. Before that, don't bother since current IoT devices are trash at the quantum inflection point anyway. (expect the quantpocalypse for ordinary folks not subject to nation state attack in maybe 10 years. If the son of Mao is after you, well, that's sooner. Much sooner. But probably not yesterday. I can't tell if that particular cat is dead or alive without decohering the innermost matryoshka.).
How many of the users verified that what was running in the IronPhone was what was expected to be running in the IronPhone, and was correctly implemented?
Anyone with a smartphone gets a lot of "updates", so your IronPhone has an update for 'security' and what do you do? Leave the app running a low entropy key? Apply the potential plod back door?
At least AES256 super-encipher using a separate app (if you trust it)... on a separate HSM device so the keys are not surreptitiously purloined or seized... yeah, key exchange is a batch, but better than bubba the bunkie.
Just, the 3 letter agencies don't want to admit it.
This constitutes a functional "back door" (with fine print). Virtually every mass produced device has enough implementation bugs to allow anyone in-- a classic example in the extreme is the continuing failure of QKD, works in theory but so far every commercial implementation has breaks (you can't break a true QKD path, although you can brute force comms using a key transmitted by QKD if the key is not equivalent to an OTP with sufficient entropy).
So, Wray dude, build a machine that can break AES256 (and TDES, and...) in real time, preferably hundreds of streams at one time. Oh, surely this is an expensive moon shot so we can certainly do it for the FBI. Wait, you say you also want a CHEAP secure crypto break moon shot, pennies a flight? That dear sir is currently impossible. It is about resources, not ability to implement. Give me a big enough PO, and I'll give you the machine you want (well, not CHEAP).
(fine print) "short" ciphertext messages may not brute force decrypt to plaintext reliably
Quite valid, you are only as good as your data. Perhaps a nice data set can be obtained from post-Brexit UK where GDPR and HIPAA don't exist-- of course, after Watson-learning-scraping, if you aren't a Brit the recommendations may well kill you precipitating another round of murderous Watson stories.
Which brings up-- how badly some oncologists perform, except that they bury their mistakes and certainly don't go air out their dead body pile in public. Is Watson better than these death dealers?
Plus, it is well known that American docs are extremely resistant to taking any advice from anyone, the most recent evidence being that a large percentage of maternity wards refuse to follow the most simple and obvious guidelines (on high blood pressure and maternal blood loss ("my eyeball is calibrated good enough thank you")), resulting in America having deplorable levels of maternal morbidity compared to any other first world country. So the Jupiter docs whine about Watson, but how much is real and how much is "I and my swelled head would do it differently"?
Personally, Watson doesn't seem well suited to oncology advice as presently implemented. If enough resource was invested, Watson could become quite respectable. It isn't obvious that the resource will be invested, between slow revenue gains and vested interest attacks Watson oncology may suffer a fatal monetary infarction.
Overall, we are currently in an AI hype cycle and AI is still does not appear ready for prime time. Anyone who had been around for enough years has seen these cycles before. The cycles happen about every 15-20 years as a new generation thinks they discovered AI. One could hope this time is different, but the evidence is underwhelming so far.
Free health care in NZ! The guy is covered! Yay! Medivac choppers run 50K+ (pure unalloyed greed, but that is another story) plus hospital at the walk-in uninsured rates (unless NZ has a contract with the hospital, seems unlikely). Going to be a truly huge bill, this is after all America, land of astronomical medical prices for mediocre care. The lawyers are already salivating since obviously NZ will try not to pay up; New Zealanders are going to wish mom had popped the miscreant and save a lot of NZ cash.
Indeed, once the gravy train is recognized the guy will get all sorts of unexpected medical care ranging from proctological examinations, to mastectomies, just to bill at the full master list rates. Might end up better off if a lobotomy is thrown in after the chemo (using brand drugs, not generics); need the chemo after 72 cat scans in a row.
QKD systems have been shown to be notoriously subject to subtle attack. They are theoretically secure, but when implemented in reality all sorts of attack vectors appear. Needless to say, one presumes that the keys are also enciphered using conventional means (i.e., superenciphered over QKD).
And for the last ditch perfect encipherment, keep that TB of OTP handy. Arguably, one could just use OTP superencipherment with QKD and befuddle NSA/FSB/BND/DGSE/MSS/... QKD bandwidth is so low that it would take quite a wile (indeed!) before anyone was the wiser.
Yes, follow the money. While MS did not bring the suit, the valuation seems based on the revenue from the official MS refurbisher program. MS even provides special COA tags for authorized refurbisher PCs (I have one).
You can resurrect old machines if one has an original COA (indeed, if the mobo fries out and is replaced you will need to resurrect the license even if the installation otherwise works fine). I suspect major processors of old PCs simply don't want to deal with peeling off COA stickers and keeping track of them as they fling parts around to make one running machine from 2 or 3 carcasses, it is cheaper to fork over 20-40 bucks/machine and avoid any issues. MS likes this revenue stream, because essentially they have already sold a license for a machine, now they squeeze more revenue from that old machine. Wow, have to love it.
MS croc tears for that guy getting chewed up by the gears of corporate profit, but branding the disks with unauthorized logos was a major error. The 700K value was probably less than what his lawyers said it would cost to fight on to cut the inflated value down, so he capitulated.
The *coin miners that get away are either located near massive declining aluminum, cement, and steel fabrication facilities where the power losses are not noticeable, or properly reimburse local officials to appreciate the wealth creation of *coin mining. The latter is just a cost of doing business just like other valuable activities like selling designer drugs to the OECD countries.
Your Facebook friends will (attempt to) friend you, and then it is game over.
Chances are you like things similar to your friends (research says so!), etc., so now you are profiled and targeted for any kind of ads political and otherwise. Once a critical mass of humans is on the platform, there is precious little place to hide short of becoming a Tomten hermit.
(and for security reasons you need at least a nominal presence on Facebook, otherwise someone else can impersonate you. You know, spewing terrorist claptrap, pimping for despots, advocating eugenics... so the plods will keep a steely eye out, next plane trip its into the other room for a cavity search...)
The teacher is supposed to teach the subject, not teach how to operate the machines so that the subject can be taught. Pretty much anyone reading this can feel the effect when the tool chain is changed, and productivity hits a speed bump until the new tool chain of the (day/week/month/year...) is learned. Now reverse the idea, the tool chain is unreliable but unchanging, but the users are constantly being replaced with new naive users, replicating the same learning mistakes.
The education application tools need to be consistent, reliable, and converge on correct operation (lack of convergence for applications where I work leads to -2).
Apple/Google ought to create their educational device to have locked settings that are grade specific (don't expect 1st grade to change settings; 12th grade is expected to recover from self induced stupidity so they can have more room to roam and risk falling into the La Brea tarpits of software despair), with student specific modified settings/work saved to cloud, and the machines restored to default after every class (or day, as appropriate). The OS needs the second mode, education, to control settings, and this costs manufacturer resources. Plus, lets face it, as engineers and programmers we want to festoon the product with all sorts of gee whiz baubles, mostly of no use to education... students will push the buttons, and millions of students pushing buttons will expose every bug you never thought of.
If they physically the possess the iPhone, they can obtain whatever information is inside. They don't have the expertise, and apparently don't feel like hiring anyone that does have the expertise (or, they feel like back door insertion is a good idea... again.).
Dog must love stupid people, because he made so many of them.
There are a couple of back to back PQC conferences in Fort Lauderdale FL in April 2018. Enjoy dawn to dusk dense mathematical presentations on Post Quantum Cryptography. Stop worrying about "here we go again" reactions to Spectre and SgxPectre and all that light weight management drivel, and explode your fuzzy head with wondrous new algorithmic insights.
Some of us are working in the engine rooms of the CyberDyne Legions to prepare the infrastructure to resist the coming quantum cryptographic apocalypse. It's noisy in here, but someone has to do it.
Somewhat more sophistication would be needed. The perps would simply access the HSM to make the transfer. They don't really need the private keys directly, just access to the private keys to authorize a transfer.
Another step is needed-- something like a smartcard (or cards) to access the HSM which is used to encrypt the elements of the key store containing the private keys. And that is only effective if the smartcard isn't left enabling the HSM for transactions.... and while one is at it, also compartmentalize the cash so that separate private keys are needed for Piles-O-Cash(r), using different smart cards.
The problem they probably had, and the reason for the 0130AM local attack, is that the wallet private key needs to be accessible for transactions by late night Dark Web transactions, speculation, or even the purchase of a Coke(r). So, maybe you need a operator with an hourly smart card, watching transactions, with a ceiling transaction value before the boss is called in (at 0130) to authorize a Really Big Transaction (or a million little ones). At least then, there is a human in the loop to keep 500 big from being snatched. But wait, when you start small you can't afford an operator dozing all night long, so you just let the system run unattended and pray MtGox was an anomaly.
Of course, the failure could be much simpler. Some dim bulb left the connection open to the vault wallet which should only be accessible during shifts when transactions are being watched. Or the only protection is a passphrase. Or any of a million other failings.
There is a reason that banks make non-repudiation difficult... and most transactions can be reversed for at least a few days.
I run both. Office is substantially better. One issue I have is that converting LibreOffice docs to Word tries to send me off into a remote server for conversion, and I can't do that with a confidential document. Queue a flurry of cutting and pasting. (no, Office 360 is not on the table, that is a gaping security hole)
So all new docs are Office, still have old stuff in LibreO from back in the day when corporate idiots thought they would save money by not renewing Office licenses, and a tiny number in (gasp) LaTex and (double gasp) LWP. Out of curiosity I keep a daily log though in a truly gigantic LibreO now massing several thousand headings and several hundred pages, it has only crashed a couple of times.
Given my druthers, I'd use Dog's language: SGML. None of this new fangled WYSIWYG JIT like text baloney for the slack jawed drooling omega minus masses, give me the hard core hairy chested metal. But the powers that be won't pay the 4 or 5 digit license fee...
If they had a decent lawyer, the EULA probably says: "you hold us harmless for anything that happens to your btc while the btc is in our care" plus "anything bad happening is your fault, and you will pay our lawyers to defend us against you" (and if this is US, probably an additional arbitration clause saying the arbitration is in Elbonia or East Texas). Of course, all this is said using 80 screens of 8point lawyerese that almost no one reads, and of those that read the text, practically none of them understand what it says since they are blinded by the glittering btc riches beckoning them.
Whichever wallet transfers first and is accepted on the blockchain wins. All other wallets lose. The simplest case is all coins transferred, a bit more complicated for fractional coins but a greedy perp will take it all. There is quite a bit of complexity involved in the special case of a "race condition" to win a transfer on the blockchain since the ledger is distributed (surely you don't believe in timestamps hahaha).
A smart perp will take just a little bit and hope no one notices... no one notices... no one notices... after all anyone ignorant enough to keep the whole stash in one place probably doesn't have decent audit controls (and even so may not notice yet another person embezzling a tad off the top). The risk is having some other perp will clean out the wallet, the owner will then start wailing and improve security (or go bust, same result in this case) which won't help the smart perp's monthly payment for the London flat.
Another reason for connectivity is to signal failures: blockage, flow below normal, cath fell out, watchdog (somewhat presumes device is designed more or less fail safe (uh...) calling home periodically),...
One has to wonder what rock the software developers were under when they created this null security device. Prior to the 90's ignorance was bliss outside computer orgs, but after the 90's there is no excuse.
Deflation is bad, but so is inflation. There is no inherent reason that 0% is problematic in the economic sense (one can argue that predictable deflation or inflation is equally non-problematic, except for the transient time when debt is mangled by people gambling on the future and not getting it right. Oh, and waiting to replace the car because tomorrow's deflated car will be cheaper is bogus, since eventually one has to replace the jalopy regardless of the future lower cost. In the limit, you die and your heirs and assigns buy the cheaper car).
The thing not mentioned by central bankers is that a low predictable inflation permits all sort of de facto things, like deflating the wages of workers in an industry that is on the way out, and making the GDP look rosy through fictitious growth. Businesses love low inflation because they can raise prices by more than inflation and can blame "inflation" for the rise, and show real growth in their profits. They can keep workers happy by giving out raises, more for meritorious workers and less for others and the lessors seem to rarely realize the subtle shafting. The list goes on. What I don't like, is that central bankers issue mumbo jumbo about the glories of low inflation when it is all a card game-- they should just admit the arbitrariness and move on.
What is generally damaging is rapid change in any direction. If the bond is for 20 years at a fixed interest rate, you sure hope that the inflation rate is stable over that time (or at least that you can call the bond if you are on the short end!). You hope that deflation doesn't set in because the idiot lawyers did not account for less than 0% inflation in a variable rate bond contract.
Deflation can be handled by giving out negative pay raises... but one still has to handle idiocy like pensions that never go down (again, because of idiots writing the rules) and a host of other side effects such as hoarding of specie. The problem isn't deflation but the inability of our growth centric system to handle anything but numbers going ever upwards.
Another issue is that you always have to check your jewels before getting into bed with an equity company. Their sole reason for existence is to line their own pockets-- sure you might get 30% of the fab output: where 50% of the fab workers were laid off and remainder replaced with imported labor, and equipment maintenance (never mind upgrades) requires a CEO's signature and the CEO is paid based on gross profit this quarter. Bain will get their money + world + dog profit and leave the financially exsanguinated husk to the suckers, er, partners.
Consider this case: you have a state engine to implement, and use a genetic algorithm (quite 80's really).
Software fails in the field with an important customer, the bosses come to you asking when will this be fixed? It just doesn't sit well to say "when the competition for best solution wins in the genetic lottery, sometime or other... don't call me, I'll call you when the danged thing gets a winner". No, this just won't do, so I implemented the state engine in the old fashioned sweaty way grinding out code.
Fast forward. The shiny ALV just cleaned off a whole sidewalk of pedestrians. How do you patch that pile of AI ware that 'learned on its own", before another sidewalk is cleared of meat bags?
There is no shortage of ideas. There isn't even a shortage of viable ideas that could be realistically developed.
What seems to be happening is that
-- the dismal scientists are failing to recognize that as industries mature the cost of advances increases
-- we seem to be on the epicyclic where each new idea that is developed, doesn't achieve as much economic return compounded by an increasing diversion of energy into increasingly useless endeavors such as following vast numbers of legal rules.
This last can be for several reasons, ranging from the surfeit of maturing research and development paths-- bullet 1 plus the "my pa did it this way, and his pa, so I'll do it the same way!"-- to the increasing atherosclerosis of the bureaucracy in the world (insufficient burning out of dead useless brush in the human environment, as by say a nice non-nuclear world war). The latter includes vast pools of stored labor in the form of cash which sits useless under the fatty cellulite riddled rumps of the filthy rich. [it has not escaped notice that a small number of such parasites have arisen from incestuous plutocratic sewage to assay useful application of said stored labor, a notable example is SpaceX; these instances are the exception however.]
This isn't a multiple hundred years stultifying dark age, just a pause until a paradigm change occurs, or perhaps a world war. At least a world war that doesn't obliterate everyone...
Rather than notional damages, the result of the lawsuit ought to be a refund of 2x the cost of freezing/unfreezing the credit reports each time the credit report is frozen or unfrozen for every agency. For a yearly count that is at least 2 standards of deviation beyond the median of what a typical person does each year (that is, of the population that even uses freeze/unfreeze, otherwise, the value approaches 0).
The obvious response for Equifax is to make the cost 0-- so 2x0 is 0-- but the competitors might go to say 1000 just to eliminate the competition. A virtuous solution.
Oh rats. I just woke up.
Isn't likely. If they could do that, we'd have self driving cars for the masses by now, a mere 12 months later!
Oddly, Otto's self driving trucks seem to have driven into a black hole and disappeared after they were bought out. Plus, that self driving truck stunt is starting to stink of mechanical turk. Apparently no one cares, and no one is talking.
The smart ones "spray paint" the scratch off stuff back on if they haven't done the work to read through the scratch off.
Really, if you must use a pin, the pin should be a combination of scratch off and an authorization pin fragment. That way, the clerk doesn't know the entire PIN unless they are in on the theft.
When I read about the small relatively shortlived company Otto being bought for a big pile of cash by Uber, it seemed... unusual. The me-too product of autonomous trucks, already in development for far longer in Europe particularly, just did not seem worth the price paid; plus, the company wasn't old enough to have created truly workable firmware and hardware. Sure strap on some automobile self driving kit, hover in a cold sweat over the rig's steering wheel during a flashy demo when traffic was as light as possible with guard cars running fore and aft... flash and dash for the clueless unwashed masses. Or maybe this was a Mechanical Turk moment that hasn't flushed out yet.
Fast forward, and is sure looks like window dressing. Where are those Otto trucks that are supposed to be infesting the highways? Thought so.
Still, Levandowski is sitting high on the pile of cash and likely will get to keep everything but what the lawyers siphon out. Seems like a good plan going forward, just have to stomach that 5 or 10 years of boredom in court.
Physicists, darn physicists, and scheming whinging dastardly cursed rubbish eating physicists!!
What you say am I talking about? The filthy lowlifes want to literally make Planck's Constant a constant-- i.e., a fixed number. No more of this "any time some busy body experimentalist discovers a more accurate value for Planck's Constant will our perfectly spherical (to a first approximation) august bodies have to recalculate our equations". Rubbish that, make Planck's Constant a true fixed number! Let the rest of the physical world recalculate everything when a more accurate underlying value is determined (our pristine Physicist's Planck's Constant is invariant by axiomatic definition completely regardless of the real world!).
Oh yes, all those metrology measurements are trashed, each time a more accurate Planck's Constant is found, recalibrate the instruments and keep a table to convert the past into the present. But the physicists won't have to lift a finger to scrub the numbers on the chalkboard.
It is a plot I say! Heaven help you if you use Planck's Constant (as a fixed number) in your orbital mechanics, you'd probably miss geosynch by at least 10's of meters because all those bits built into the spacecraft subtly change as "fixed Planck's constant" deviates further from its origins...
Threaten to publish names associated with salaries-- the execs would surely pay 200-300 bitcoin to avoid a fate this heinous. Plus, you can still rip off the employees' taxes, that is not part of the deal; the employees are handed the pitiful sop of a few years of credit reporting.
Most companies try desperately to keep salaries a deep dark secret-- that guy dozing in the cube next to you could be making 30% more than you just pushing a few papers around occasionally. How much is avoiding expensive pay scale riots in the drone cube farm worth to the CEO? Or worse, civil war in the middle management ranks when the hypercompetitive wankers discover who is the mightiest wanker of them all (and it probably isn't the one in the mirror).
The literal truth: no evidence that SWIFT was broken.
The actual truth: NSA has a client copy of SWIFT software, so obviously SWIFT is pwned-- perhaps even willingly. SWIFT is, well, ancient and never broken, they said so smugly themselves from 5 star Geneve hostelries.
For many organizations, there is little to literally fear from the five eyes. Russia, maybe. Norks, almost certainly. The SB data is mostly interesting as an example of the likely "worst case" nation state pwnage.
This seems more like a subset of Hyperledger, where what is tracked is monetary units. So, I'm not really seeing the long term utility, unless that "tax" hook really works.
Of course, Hyperledger seems more like a bunch of crony companies all cheering "open source" while trying very hard to avoid actually contributing until they get IP staked out in their pending contributions... so maybe Thaler ought to bill itself as the real open source Hyperledger.
It is an interesting question why there aren't a lot more LiIon batteries bursting into flames in products where the only objective is cheap. My first guess is that cheap suppliers just have not (yet) reached the flaming edge power densities where spectacular events would commonly result from failures.
In the meantime, considering the penetration of supply chains by AliBabas, I'll keep on charging my lithium ion batteries on a metal table top. Except for the Jesus Phone, you have to have some Faith!
Using pretty colors and pictures that may attract children is dangerous because the liquids with nicotine can be lethal in relatively small quantities. You may be a responsible user, and as an adult you should have the right to imbibe/inject/inhale any chemical you want, but others leave this stuff laying about as an attractive hazard.
In this case the numpties are right with the "its for the children" refrain.
The legacy commercial crypto systems currently in use are subject to QC. The advent of QC guarantees that nation states-- first movers for QC since early tech is almost invariably atrociously expensive-- can sign an update to anyone's device, including those devices for which the nation-state has not yet obtained the keys. Who needs zero-days, complicated drive by attacks, Rowhammer, phishing attacks, rubber hoses, satchels of cash, or any of the others when you can just rewrite the software after stealing the source code which is secured by computers subject to QC attack. Presuming you can't steal the source code using simple ordinary means.
There are a few speed bumps that can be thrown up, local keys using TPC add very slightly to the effort (or maybe not, most implementations are sadly deficient), air gap (really? What did you say your productivity is? military can afford this but can YOU?), or one can just block software updates but then mundane security holes blow up (XP users rejoice! You are ahead of the curve!) not to speak of network comms being broken.
One needs PQC, or some other alternative new invention (at least for software updates)...
The Mayer c-suite is bleating that the billion account loss was possibly due to source code theft, the purloiners taking advantage of security holes. Since Yahoo security was poor (despite the good reputation of the 'Paranoids' before they were poached by more astute companies) one has to presume that the Yahoo source code rivals Adobe Flash for security quality. It costs time and money to write secure code, even if the cost is negative on a life cycle basis.
Verizon should probably rewrite the source code at a cost of 100Mil, or maybe 2 or 3 hundred including debugging and roll out to the 20 or 30 remaining Yahoo customers. Alternatively, Verizon could just ape Adobe and not proactively fix problems, just react and wack the moles when they pop up. Yahoo will then die the Flash death of a thousand security patches. Of course, if the price is right, maybe it would be worth it.
Biting the hand that feeds IT © 1998–2018