Wednesday, August 31, 2016


The Silicon Graybeard left comment #40,000 here. Eight years ago that wasn't something that seemed even conceivable.

Those of you who stop by regularly, you can't even begin to know how much I appreciate our community here.

That's not helpful

It reminds me of Mark Twain's essay, "The Awful German Language".  He read a book in German but didn't understand what happened in the story.  You see, all the verbs went to the last page and someone had torn out that page.

Why we may never have self-driving cars

The problem is really, really hard:
Automobile drivers, for obvious reasons, often have much less time to react. “When something pops up in front of your car, you have one second,” Casner says. “You think of a Top Gun pilot needing to have lightning-fast reflexes? Well, an ordinary driver needs to be even faster.” 
In other words, the everyday driving environment affords so little margin for error that any distinction between “on” and “in” the loop can quickly become moot. Tesla acknowledges this by constraining the circumstances in which a driver can engage Autopilot: “clear lane lines, a relatively constant speed, a sense of the cars around you and a map of the area you’re traveling through,”  according to MIT Technology Review. But Brown’s death suggests that, even within this seemingly conservative envelope, driving “on the loop” may be uniquely unforgiving.
Clear lanes, constant speed, awareness of cars around you, a good map.  That's about as easy as you can make it for the guidance system, and it's still too hard.
But NASA has been down this road before, too. In studies of highly automated cockpits, NASA researchers documented a peculiar psychological pattern: The more foolproof the automation’s performance becomes, the harder it is for an on-the-loop supervisor to monitor it. “What we heard from pilots is that they had trouble following along [with the automation],” Casner says. “If you’re sitting there watching the system and it’s doing great, it’s very tiring.” In fact, it’s extremely difficult for humans to accurately monitor a repetitive process for long periods of time. This so-called “vigilance decrement” was first identified and measured in 1948 by psychologist Robert Mackworth, who asked British radar operators to spend two hours watching for errors in the sweep of a rigged analog clock. Mackworth found that the radar operators’ accuracy plummeted after 30 minutes; more recent versions of the experiment have documented similar vigilance decrements after just 15 minutes.
The fallback for the guidance system is to have the driver take over, but it looks like people don't handle this situation very well.  And it also looks like people don't want to handle the situation well.
According to some researchers, this potentially dangerous contradiction is baked into the demand for self-driving cars themselves. “No one is going to buy a partially-automated car [like Tesla’s Model S] just so they can monitor the automation,” says Edwin Hutchins, a MacArthur Fellow and cognitive scientist who recently co-authored a paper on self-driving cars with Casner and design expert Donald Norman. “People are already eating, applying makeup, talking on the phone and fiddling with the entertainment system when they should be paying attention to the road,” Hutchins explains. “They’re going to buy [self-driving cars] so that they can do more of that stuff, not less.”
This problem (self-driving cars) smells a lot to me like what we've seen in the Artificial Intelligence research community.  There have been widely publicized advances on very narrow, specific technology problems, but AI has remained "just 5 years away" for 30 years.  The problem there is that we really don't know what Intelligence is (at least in enough detail to specify it for a computer).  Likewise, we don't understand how to safely react to the myriad of potentially dangerous driving situations to be able to specify it for the computer.

Maybe it's just that computers process data so differently from us that we simply can't specify these things.

Bottom line: don't expect a self-driving car anytime soon, no matter what the auto companies are saying.

Tuesday, August 30, 2016


This is why you get more government regulation:
An airliner circling Heathrow narrowly missed colliding with a drone flying at 7,000 feet – while another aircraft approaching the London airport saw a drone hurtle past just 30 feet from its cockpit. 
The first near miss took place in mid-May when an Airbus A319 pilot flying to Heathrow saw a one metre-long drone, painted green and purple, “extremely close” to his aircraft. 
The drone, which was flying just above the airliner's level, was only 10 metres (30 feet) from the cockpit. Investigators thought the operator was flying on first-person view using the drone's cameras. 
The UK Airprox Board graded the risk of collision as Category A, the most severe level.
In the second incident, which took place a fortnight after the first, an Airbus A320's first officer saw “a white, twin rotor drone pass by the right wingtip” barely 100m away as the aircraft was descending through 7,000ft over New Malden, south London.
Let's see now: Flying a drone over 1000 feet?  Check.  Flying a drone near an airport?  Check.  Flying a drone in the approach path for the airport?  Check.

Idiot.  He's peeing in everyone else's cornflakes.  It makes me want to take up drone skeet like that lady in Virginia.

About that iPhone emergency patch

The government of the U.A.E. used it to target a human rights activist:
I am pleased to announce a new Citizen Lab report: “The Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE Human Rights Defender,” authored by senior researchers Bill Marczak and John Scott-Railton.
If you are one of hundreds of millions of people that own an iPhone, today you will receive a critical security patch.  While updating your software, you should pause for a moment to thank human rights activist, Ahmed Mansoor.
Mansoor is a citizen of the United Arab Emirates, and because he’s a human rights activist in an autocratic country his government views him as a menace.  For security researchers at the Citizen Lab, on the other hand, Mansoor’s unfortunate experiences are the gift that won’t stop giving.
Interesting story.

Monday, August 29, 2016

R.I.P. Gene Wilder

Thanks for all the laughs.

About Colin Kaepernick

When they say it's about the principle, it's actually about the money.

Chris Lynch has a great analysis about how Kaepernick - a backup quarterback - has created a controversy that will give him a big payday:
Kaepernick has a disastrously large contract. He signed a 6-year $114 million contract in 2014 that has $61 million guaranteed. He could have used some of that $61 million to quietly become a benefactor to so very many. Instead he's become a lightning rod, complete ingrate prick, salary cap albatross or potential season long distraction depending on your point of view.

From the San Francisco 49ers' point of view this is a distraction they didn't need from a player with an almost $20 million cap hit if they cut him. For their back-up QB! And if the team cuts him there will be people who complain that it was because Chip Kelly doesn't like black people ...

I have to wonder if this is some sort of diabolical genius on the part of Kaepernick. Say if he no longer wants to play football but wants to collect all of his guaranteed money. This would be almost the perfect plan. Just sitting during the anthem isn't against the law or even team policy. Sure many people will hate him but this might be a way out of playing football and maybe even into some high paying speaking gigs for clueless kids at liberal arts colleges. I haven't seen anything this diabolical since Al Gore made millions pretending to care about global warming.
The 49ers simply cannot win now.  If they cut him there will be a huge outcry against them.  Remember, this is San Francisco, perhaps the most famously liberal area in the country.  While your typical football fan is more patriotic than the average bear, it's Silicon Valley wealthy who fill the stadium in Frisco.  They're all to the left of Karl Marx.

Or the 49ers keep him and pay him, even though he's only gone 10-14 in the last two seasons.

He's got them over a barrel, right good.

Internet Of Things gets a security patch?

I did not expect that:
In a shocking development, smart lock manufacturer August has been caught promptly patching security holes discovered in its product. 
At this year's DEF CON, security researcher Anthony Rose gave a presentation where he outlined how a whole range of "smart locks" were hackable. 
But what was surprising was that just 10 days later, August had put out patches that fix the holes. Even Rose was surprised, tweeting: "August just patched their web services to stop guest from being able to insert backdoor keys in homekit locks! Kudos to their engineers."

Kudos indeed.  Now if we could just get the other 11 manufacturers named by Mr. Rose to act likewise, we'd really get somewhere.

Quote of the Day: On Democracy

What you have under a representative, egalitarian, winner take all, democracy is a shifting coalition of about 51% of voters aligned to threaten about 49%.
If you’re getting more than 51% of the vote (which is certainly possible) that just means you’re leaving rents on the table. You could take more, and/or give less, and still win the election.
Additionally, maximum rent extraction occurs if your coalition comprises the cheapest 51% of voters, in other words, the most useless and parasitic.
His conclusions are also pretty interesting.  I would add that this situation is very likely to be Game-Theory stable as well - meaning that the only (likely temporary) way out is an external shock, or internal revolt.

Implications for the Trumpening are left unexplored.

Sunday, August 28, 2016

Red Rooster Carry Out - Damascus, MD

This place is (as they say in New England) wicked local. While they have sandwiches, BBQ chicken is king. $2.99 for two pieces of dark meat. They also have dinners which include fries, cole slaw, and a biscuit.

It was $12 for one dinner, 2 extra pieces of chicken, and two drinks. Everything tastes great.

Probably that's why they've been here since 1971. Recommended.

William Herschel - Symphony No 12 in D major

Image via Der Wik
On this day in 1789, William Herschel discovered Enceladus, a moon of Saturn.

Herschel was a polymath in an age famous for polymaths.  As an astronomer, he discovered the planet Uranus as well as four moons of Saturn.  As an economist, he noted the striking correlation between the number of sunspots visible on the sun and the price of grain.  When experimenting with new techniques for observing sunspots, he discovered infrared radiation.  He was the first to note that the Martian ice caps vary by season.  Pointing his magnifying devices inwards, not outwards, he established via microscope observation that coral was not a plant (the cells did not have cell walls).

In his spare time, he was a prolific composer, with eighteen symphonies and many shorter works to his credit.  His was a remarkable career in an age of remarkable careers.  So remarkable that I've posted his music before, as well as mentioning him in a number of other posts.  He may be the only scientist that could have his own blog post tag here.

Saturday, August 27, 2016

Your travel Protip for the day

Uncle Jay brings the snark as only he can in a hilarious post that ends with really good advice for when you fly internationally.

And since he really is a professional traveler, this really is a ProTip ...

Steve Earle & The Dukes - The Other Kind

Steve Earle has led a life that would make a good country song: dropped out of high school, worked blue collar jobs during the day while playing in a band at night, married seven (!) times, did time in prison for drugs and weapons charges.  But through it all, he's written a ton of great music that blends country with good solid rock.

This song from his 1990 album The Hard Way reached #37 on the rock charts.

The Other Kind (Songwriter: Steve Earle)
I woke up this morning and I took a look around at all that I got
These days I've been lookin' in the mirror and wondering if that's me lookin' back or not
I'm still the apple of my mama's eye
I'm my daddy's worst fears realized
Here of late all this real estate don't seem all that real to me sometimes
I'm back out on that road again
Turn this beast into the wind
There are those that break and bend
I'm the other kind, I'm the other kind
Now my old buddy, what's his name, says, "Man what the hell are you thinkin' 'bout
Fool, you got two of everything, but you hang your head just like you was down and out"
And I'm damn sure not suffering from a lack of love
There's plenty more where that came from
Ah - but leave it up to me to say something wrong and hurt someone before I'm done
You see it used to be I was really free
I didn't need no gasoline to run
Before you could say Jack Kerouac you'd turn your back and I'd be gone
Yeah nowadays I got me two good wheels and I seek refuge in aluminum and steel
Aw, it takes me out there for just a little while
And the years fall away with every mile

Friday, August 26, 2016

URGENT: Yeah, you really need to update your iPhone

The good news is that I haven't heard of mass attacks (yet) using these exploits.  The bad news is that it typically doesn't take long for those to start once the Bad Guys know that something is possible.

The attack sends a web link to a page that contains malware.  This malware is unpleasant - it's the first remote jailbreak exploit seen in the wild, so it basically takes total control of your iDevice.

In your iPhone (and iPad), click the "Settings" app, then "General", then "Software Update".  You want iOS 9.3.5.  I'm not sure if this applies to iPads as well but recommend that you check.

Like I said, I expect there's a Bad Moon rising.  We'll likely see mass exploitation of this in a few days.

Thursday, August 25, 2016

Wolfgang would not like this

He's the only dog I've ever known who won't stick his head out of the car window.

Why self-driving cars are a lot further from practical use than we think

It turns out that this is a really, really hard problem:
Rosenband added that four-way junctions with no lights are still a nightmare for the robot cars. An example junction is California and Powell in San Francisco, which has the added bonus of two cable car lines going through it. Human motorists rely on eye contact to know when it's safe to go or just take the initiative and move first. A driver-less car gets stuck trying to safely nudge its way across the box. 
"At four-way stops, oftentimes cars arrive sorta at the same time and it's a coin flip for who goes first. We have to make it comfortable for the person in the car; you don’t want the vehicle to inch forward and then slam the brakes, and you also want to be courteous to other drivers," Rosenband explained.
This is a great overview of the problems of computer/sensor recognition of what is trivially easy for humans.  There are great examples here of the problems that we overcome instantly and naturally, but which flummox the computer:  the red balloon next to a green traffic light, the traffic light partially obscured by a bus, a traffic light with the setting sun right behind it which blinds the sensor.

We handle this via common sense, but you can't program common sense.  They're trying, though:
You can teach a computer what an under-construction sign looks like so that when it sees one, it knows to drive around someone digging a hole in the road. But what happens when there is no sign, and one of the workers is directing traffic with their hands? What happens when a cop waves the car on to continue, or to slow down and stop? You'll have to train the car for that scenario. 
What happens when the computer sees a ball bouncing across a street – will it anticipate a child suddenly stepping out of nowhere and chasing after their toy into oncoming traffic? Only if you teach it.
And this is the heart of the problem: you have to define literally every possible failure condition and program those into the software.  Even with machine learning, there are too many to be practical.  If you miss one and a car kills someone, the lawsuits will be enormous.

This is an outstanding article on the complexity that technologists are trying to bite off.  While unstated, you get a real feel for how they want to fly high - perhaps so close to the sun that their wings will melt.

Wednesday, August 24, 2016

Atom Smasher has lost his dog

"I know every dog is the best dog ever, but Sam was the best dog ever."

We love them because they love us unconditionally.  In their eyes we see ourselves reflected, not as we are but as we would wish to be.
Near this Spot are deposited the Remains of one
who possessed Beauty without Vanity,
Strength without Insolence,
Courage without Ferosity,
and all the virtues of Man
without his Vices.

- Lord Byron's epitaph to his beloved Newfoundland, Boatswain

Man, it's hard to buy a gun there

Especially if you're a senior citizen and somewhat hard of hearing ...


But this sure is funny:
A plucky German nudist out for a swim at a local lake was left in agony after an angler hooked his worm. 
Herbert Fendt - an alias the embarrassed man adopted to spare his family's blushes - was taking a dip in the Kaisersee, near Augsburg in south-eastern Germany, when the tackle-on-tackle action occurred. 
Initially the man thought he’d caught his todger on some weeds in the lake - a popular spot for fishermen and nudists - but soon discovered the cause of the pain. 
“I cried out to the fisherman ashore shouting ‘do not pull, do not pull’. I was terrified he was going to try to reel me in,” Fendt told the local press.
The rest of the article is just as funny.  The Germans are indeed very German.

Patriot Guard Riders escort Civil War veteran from Oregon to Maine

Desjardin learned that the 20th Maine veteran’s ashes were in Oregon when he was researching what had happened to each soldier who fought in the regiment. He proposed the state bring Williams home.
“I discovered that his remains were in a can on a shelf in a shed out in Oregon and had been there for 94 years, unclaimed,” the historian said. “Back home is better than a shelf on a shed in Oregon.”
This is the Patriot Guard Riders:

They escort living and departed veterans on their journeys.  They escorted Pvt. Williams in relays all across the country:
Williams’ ashes traveled across the country in style, accompanied by a battalion of Patriot Guard Riders who handed the box off from one group of motorcyclists to the next like a kind of modern-day Pony Express. Many of those riders came to Togus on Monday to witness Williams’ cremains being handed over to Maine VA officials, including Neil Wagner of Royersford, Pennsylvania.
“When I found out they were bringing a Civil War veteran, I said, ‘I can’t miss this one.’ I could be part of history,” he said. “It was very humbling. Every time he was handed off to a different guard group there were tears shed because he was getting closer to home.”
And 150 riders met him at the state line, to escort him back to Maine.  Bravo Zulu.

If you're in Augusta, Maine, you can pay your respects to Pvt. Williams through mid September at the Maine Veterans' Memorial Cemetery, after which he will be buried next to his parents.

Hat tip (and thanks) to childhood buddy Rick for a pointer to this story.

Tuesday, August 23, 2016

Well, so much for Gary Johnson

He wants a carbon tax to "fight global warming":
Libertarian Party presidential nominee and former New Mexico Gov. Gary Johnson said he’s no skeptic of man-made global warming and endorsed a “fee” on carbon dioxide emissions.
So why a tax?  I mean, these are libertarians (excuse me: Libertarians).  You'd think that they'd want a market.  The problem there is that we've seen a market tried, and it collapsed from all the fraud:
The alternative to a carbon tax is a carbon market, but as the European experience demonstrates, carbon markets lead to massive corruption and inevitable collapse.
The reason is very simple – with a carbon market, unlike a real market, fraud benefits all the market participants.
Fraud benefits the issuers of fake carbon credits – they get to make money for nothing.
Fraud benefits the purchasers of carbon credits – a flood of fake carbon credits keeps prices down.
Fraud benefits market regulators – they get rich turning a blind eye to the fraud.
The only people carbon fraud doesn’t benefit is anyone silly enough to think that market based carbon pricing can make a long term difference to CO2 emissions.
And so, the tax.  That will never collapse from rent seekers gaming the system (*cough* E.P.A. *cough*).  You'd think that the problem here would be blindingly obvious for a Libertarian.

Bah.  I even voted for him last time around.  But if this is what Libertarian looks like, then no thanks. But then, I'm not a libertarian.

Just how badly does Windows 10 spy on you?

It's worse than you think.  So far, people have focused on the aggressive upgrade tricks that Microsoft has used to get users on Windows 10.  But the far more serious concern is the amount of data about you that Windows 10 sends to Microsoft:
Windows 10 sends an unprecedented amount of usage data back to Microsoft, particularly if users opt in to “personalize” the software using the OS assistant called Cortana. Here’s a non-exhaustive list of data sent back: location data, text input, voice input, touch input, webpages you visit, and telemetry data regarding your general usage of your computer, including which programs you run and for how long.
And while users can disable some of these settings, it is not a guarantee that your computer will stop talking to Microsoft’s servers. A significant issue is the telemetry data the company receives. While Microsoft insists that it aggregates and anonymizes this data, it hasn’t explained just how it does so. Microsoft also won’t say how long this data is retained, instead providing only general timeframes. Worse yet, unless you’re an enterprise user, no matter what, you have to share at least some of this telemetry data with Microsoft and there’s no way to opt-out of it.
Microsoft has tried to explain this lack of choice by saying that Windows Update won’t function properly on copies of the operating system with telemetry reporting turned to its lowest level. In other words, Microsoft is claiming that giving ordinary users more privacy by letting them turn telemetry reporting down to its lowest level would risk their security since they would no longer get security updates. (Notably, this is not something many articles about Windows 10 have touched on.)
But this is a false choice that is entirely of Microsoft’s own creation. There’s no good reason why the types of data Microsoft collects at each telemetry level couldn’t be adjusted so that even at the lowest level of telemetry collection, users could still benefit from Windows Update and secure their machines from vulnerabilities, without having to send back things like app usage data or unique IDs like an IMEI number.
Yuck.  Microsoft seems to be combining the worst of Apple with the worst of Google, at least from a privacy and you-can-do-it-any-way-you-like-as-long-as-it's-my-way perspective.
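For those who want to see the telemetry floor the EFF is describing rather than take anyone's word for it, here is a short PowerShell script (added here as an example; it is not from the EFF article or from Microsoft).  It reads and sets the documented AllowTelemetry policy value, and reports the edition, because that is what decides whether level 0 ("Security") is honored.  It assumes an elevated PowerShell session on Windows 10 version 1607 or later; the function names are mine.

```powershell
# Added example, not part of the original post.
# Inspect and set the Windows 10 diagnostic data ("telemetry") level.
# Run from an elevated PowerShell prompt on Windows 10 1607 or later.
#
# Documented AllowTelemetry values:
#   0 = Security   (honored only on Enterprise, Education, Server, IoT Core)
#   1 = Basic
#   2 = Enhanced
#   3 = Full
# On Home and Pro a request for 0 is treated as 1 (Basic). That is the
# floor the EFF piece complains about: consumer editions cannot go lower.

$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
$settingKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection'

function Get-TelemetryLevel {
    # Group Policy value wins when present; fall back to the machine setting.
    foreach ($key in @($policyKey, $settingKey)) {
        $item = Get-ItemProperty -Path $key -Name 'AllowTelemetry' -ErrorAction SilentlyContinue
        if ($null -ne $item) { return [int]$item.AllowTelemetry }
    }
    return $null   # not configured: the build's default level applies
}

function Set-TelemetryLevel {
    param([Parameter(Mandatory)][ValidateRange(0, 3)][int]$Level)
    if (-not (Test-Path $policyKey)) {
        New-Item -Path $policyKey -Force | Out-Null
    }
    Set-ItemProperty -Path $policyKey -Name 'AllowTelemetry' -Value $Level -Type DWord
}

$edition = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
$before  = Get-TelemetryLevel

# Ask for the lowest level. On Enterprise/Education/Server this is "Security";
# everywhere else the OS silently applies Basic instead.
Set-TelemetryLevel -Level 0
$after = Get-TelemetryLevel

"Edition:           $edition"
"Level before:      $(if ($null -eq $before) { 'not configured' } else { $before })"
"Level as written:  $after"
if ($edition -notmatch 'Enterprise|Education|Server') {
    "Note: this edition treats 0 as Basic (1); app usage and device IDs still go out."
}

# The service that actually ships the data. Stopping it is a blunt tool and,
# per Microsoft's own statement, may interfere with Windows Update.
Get-Service -Name DiagTrack | Select-Object Name, Status, StartType
```

Setting the value is only half the story: the registry will happily store a 0 on a Pro machine, and nothing in the OS tells you it is being ignored.  Check the edition first, and if you do stop DiagTrack, keep an eye on whether updates still arrive.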


What does August in Germany look like?

This is shaping up as the first summer since 1989 where there is year-round snow on the Zugspitze (Germany's highest mountain). Sure, this is weather, not climate - but late or missing snows in winter would cause a breathless round of ZOMG Thermageddon!!!one! headlines, so turnabout is fair play.

Even more so as this is (once again, yawn) being billed as the "hottest year ever".  No wonder the public no longer listens to "Climate Scientists" - I mean, who you going to believe?  The scientists or your lying eyes?


Monday, August 22, 2016

There IS only one Country Music song on the radio

Pistolero put out a fatwa on the new Country Music years ago, but I just figured you know how HE is.  Man, was he ever right.  Sir Mashalot puts five hit Country songs together at the same time, and they are all the same song.

3 guitarists, 1 solo.  Heh.

Pistolero, let me say it here: you were right and I was wrong.

As a palate cleanser, let me offer a song that is authentic.

Hack the Planet!

Free Kevin!

And regarding the T-shirt at the link, it's an old computer security joke:

Q: What's the difference between a hacker and a Security Professional?

A: The Security Professional has a mortgage.

The Presidential debates from the perspective of an Internet Security guru

No, not me (I don't have guru status).  But people who do are applying those analytical techniques to the upcoming debates:
The moderators, the ones running the debate, will do their best to ask Trump the toughest questions they think of. At this point, I think their first question will be about the Khan family, and Trump's crappy treatment of their hero son. This is one of Trump's biggest weaknesses, but especially so among military-obsessed Republicans.

And Trump's response to this will be awesome. I don't know what it will be, but I do know that he's employing some of the world's top speech writers and debate specialists to work on the answer. He'll be practicing this question diligently working on a scripted answer, from many ways it can be asked, from now until the election. And then, when that question comes up, it'll look like he's just responding off-the-cuff, without any special thought, and it'll impress the heck out of all the viewers that don't already hate him.

The same will apply to all Trump's weak points. You think the debates are an opportunity for the press to lock him down, to make him reveal his weak points once and for all in front of a national audience, but the reverse is true. What the audience will instead see is somebody given tough, nearly impossible questions, and who nonetheless has a competent answer to everything. This will impress everyone with how "presidential" Trump has become.
The persuasion techniques in play are what in the security biz are called "social engineering".  The expectation is that Trump will be displaying advanced social engineering skillz.

Windows 10 update breaks most webcams

The Windows 10 "Anniversary update" breaks almost all webcams:
The Windows 10 Anniversary Update, aka version 1607, has been found to leave many webcams inoperable. The update prevents the use of webcams in applications such as Skype and Open Broadcaster Software (OBS), along with all manner of custom CCTV programs. Extremely popular hardware, such as Logitech's C920 and C930e cameras, in conjunction even with Microsoft's own Skype, will fail to properly broadcast video.
People first noticed the issue earlier this month. But it's only within the last couple of days that the exact cause became clear via a post by Brad Sams on
Microsoft has said that a fix is in development, but has not yet said when that fix will be distributed.
Me, I recommend Linux.

Sunday, August 21, 2016

You can say anything on your last day

This is one of the Queen Of The World's favorite sayings.

Watching the Olympics is better when you're drunk

Especially if you're watching the Irish sports commentator announcing sailing (which he clearly doesn't know anything about).

Open a Guinness, kick back, and enjoy!  Just make sure you watch all the way to the end.

Hat tip: Chris Lynch.

The wrong concerto

Ever had a dream that you studied for the wrong test?  That's what happened with Maria Joao Pires. The expression on her face about 40 seconds into the piece is pretty funny, as she realizes that she needs to play a piece that she hadn't practiced.  Fortunately this was a rehearsal - I guess that's why you have rehearsals!

She finishes the piece anyway, playing from memory.  The Show must go on, indeed.


Saturday, August 20, 2016

It seems that I am now "Colonel Borepatch"

As in Kentucky Colonel.  I now have something in common with Winston Churchill and Igor Stravinsky.  But please, let's keep things informal here.  Although I do like a snappy salute ...

And I probably have a halloween costume in my future ...

Friday, August 19, 2016

Sometimes News breaks so fast ...

... that there's no time to caption the picture.

Man, that's fast breaking news!

Thursday, August 18, 2016

Curmudgeons of the World, unite!

First, kill all the philosophers


But not Aretae, who's a good guy (even if he is a philosopher).  And not the Bad Ass Philosophers.

Wednesday, August 17, 2016

The definition of passive-aggressive

Quote of the Day - End of the Republic edition

The Roman Republic fell, not because of the ambition of Caesar or Augustus, but because it had already long ceased to be in any real sense a republic at all. When the sturdy Roman plebian, who lived by his own labor, who voted without reward according to his own convictions, and who with his fellows joined in war the terrible Roman legion, had been changed into an idle creature who craved nothing in life save the gratification of a thirst for vapid excitement, who was fed by the state, and who directly or indirectly sold his vote to the highest bidder, then the end of the republic was at hand, and nothing could save it. The laws were the same as they had been, but the people behind the laws had changed, and so the laws counted for nothing.

 - Theodore Roosevelt

NSA hack: probably real. NSA had a mole.

Most likely a government.  Russia tops the list, but China is a suspect, too.  Certainly the text reads like it was written by a Chinese-as-a-first-language person (for whatever that's worth).  This is the most interesting bit:
This just isn't something that can be faked in this way. (Good proof would be for The Intercept to run the code names in the new leak against their database, and confirm that some of the previously unpublished ones are legitimate.) 
This is definitely not Snowden stuff. This isn't the sort of data he took, and the release mechanism is not one that any of the reporters with access to the material would use. This is someone else, probably an outsider...probably a government. 
Okay, so let's think about the game theory here. Some group stole all of this data in 2013 and kept it secret for three years. Now they want the world to know it was stolen. Which governments might behave this way? The obvious list is short: China and Russia. Were I betting, I would bet Russia, and that it's a signal to the Obama Administration: "Before you even think of sanctioning us for the DNC hack, know where we've been and what we can do to you." 
They claim to be auctioning off the rest of the data to the highest bidder. I think that's PR nonsense. More likely, that second file is random nonsense, and this is all we're going to get. It's a lot, though. Yesterday was a very bad day for the NSA.
I haven't looked at the stuff and have no intent to do so.  However, people whose opinion I respect are.  I find the file timestamps to be very interesting, and in fact they are evidence that Snowden was not working for the Russians (but rather was a whistleblower, as he claims).  It looks like the Russians had a mole in NSA while Snowden was there, and their mole had to scramble to gather up what data he had after Snowden went public and NSA security got dialed up to 11.

ObDisclaimer: I worked at NSA for a few years starting in the mid 1980s, doing (defensive, not offensive) computer security.

The Tomb of Scipio

Image from Archeology News Network
Scipio Africanus was one of Rome's greatest soldiers, beating the great Hannibal himself in a stand up, toe-to-toe slug fest at Zama, ending a half century of Superpower war in the ancient world.

Even more, he was an honorable man, gracious to his foes.  For many years he even tried to protect Hannibal from a bloodthirsty Roman Senate eager for vengeance.  When his troops captured the fiancee of a Celtiberian chieftain, he had her restored to him, her (and his) honor intact.

Naturally, he had a legion of enemies in Rome.  Disgusted with the degenerate and vicious politics of his day, he left Rome for good.  His family tomb is shown here, but his own is a bit of a mystery - it is said that he asked that his tomb be inscribed with his own epitaph:
Ingrata patria, ne ossa quidem habebis. (Ungrateful fatherland, you will not even have my bones).

He was followed by a viper's nest, one that ultimately broke the Republic through increasingly divided and violent political division.  It got so bad that 150 years after his death, a grateful Rome welcomed Augustus as Imperator simply because it meant the end of the incessant blood letting.

An honorable - if flawed - man, followed by the contemptible.

Comrade Misfit looks on the corruption in which this Republic finds itself mired.  It feels like an "end of the Roman Republic" time.  Sophisticates can compete to show their, well, sophistication in comparing various recent Presidents to Scipio (flawed but honorable men), and the current crop of rogues to those who followed Scipio - each competing for most corrupt, venal, and destructive to the res publica.

Tuesday, August 16, 2016

"I hung around with hackers for a week ..."

"... and now I'm completely paranoid."

Good introduction to security from someone who pretty clearly hasn't thought much about it before.

Did the NSA get hacked?

Rick emails to point out something pretty interesting:
(NEWSER) – An apparent hacking group calling itself the "Shadow Brokers" claims to have hacked the NSA and is asking for about $570 million to share the data. Two sets of files were posted online Saturday—one open, the other encrypted—which the group claims are from the Equation Group, an advanced group of hackers believed to be working with US intelligence. The open files contain "a series of tools for penetrating network gear made by Cisco, Juniper, and other major firms," along with code words found in documents leaked by Edward Snowden, reports Foreign Policy. They are "most likely … part of the NSA toolset," an expert tells Ars Technica. But the encrypted files are "the best files," says the Shadow Brokers, which is asking for 1 million Bitcoin, currently worth about $570 million, to release them.
I have no idea whether this is legit or not, but I know people who are in the "cyber weapon" business.  The encrypted file is interesting - typically the most damaging information goes there, along with an automated "dead man's switch" that releases the decryption key.  If the Feds put the snatch on the perps, the information gets disclosed anyway.
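Here is what the "publish the ciphertext now, release the key later" pattern looks like in code.  This is an added illustration, not anything from the Shadow Brokers dump, from the linked story, or from Schneier.  The cipher is a stand-in toy built from an HMAC-SHA256 keystream so the whole thing runs with the Python standard library; the key, the payload and the two-day check-in interval are made up.

```python
"""The 'publish the ciphertext now, release the key later' pattern.

Added illustration, not code from the page, the Shadow Brokers or anyone
else. The cipher is a toy (an HMAC-SHA256 keystream XORed over the data,
i.e. CTR mode over a PRF) standing in for AES-GCM so this runs with the
standard library only. The payload, key and two-day interval are made up.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher. Symmetric: the same call decrypts.
    A key must never be used for more than one message."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


@dataclass
class DeadMansSwitch:
    """Holds the key for an already-published ciphertext and releases it
    on its own if the operator stops checking in (arrested, dead, ...)."""
    key: bytes
    interval: float          # seconds the operator may go without checking in
    last_check_in: float     # timestamp of the most recent check-in
    released: Optional[bytes] = field(default=None, init=False)

    def check_in(self, now: float) -> None:
        """Operator proves they are still at liberty; the clock restarts."""
        if self.released is None:
            self.last_check_in = now

    def poll(self, now: float) -> Optional[bytes]:
        """Run by a scheduler. Once the deadline passes the key is out,
        and stays out: release is one-way."""
        if self.released is None and now - self.last_check_in > self.interval:
            self.released = self.key
        return self.released


def publish(plaintext: bytes, key: bytes) -> Tuple[bytes, str]:
    """What goes out on day one: the ciphertext and a SHA-256 commitment,
    so nobody can later swap in a different file under the same key."""
    ciphertext = keystream_xor(key, plaintext)
    return ciphertext, hashlib.sha256(ciphertext).hexdigest()


def recover(ciphertext: bytes, commitment: str, key: bytes) -> bytes:
    """What a recipient does when the key appears: verify the commitment
    first, then decrypt."""
    if hashlib.sha256(ciphertext).hexdigest() != commitment:
        raise ValueError("ciphertext does not match the published commitment")
    return keystream_xor(key, ciphertext)


def demo() -> Dict[object, bool]:
    """Timeline: publish at t=0, check in on days 1 and 2, then go silent."""
    day = 86400.0
    key = os.urandom(32)
    secret = b"constructed sample payload: tool names, targets, dates"
    ciphertext, commitment = publish(secret, key)
    switch = DeadMansSwitch(key=key, interval=2 * day, last_check_in=0.0)

    released_by_day: Dict[object, bool] = {}
    for d in range(1, 6):
        if d <= 2:
            switch.check_in(d * day)          # still free on days 1 and 2
        released_by_day[d] = switch.poll(d * day) is not None
    # Silent since day 2, deadline day 4, so the key is public on day 5.
    released_key = switch.poll(5 * day)
    released_by_day["recovered"] = (
        released_key is not None
        and recover(ciphertext, commitment, released_key) == secret
    )
    return released_by_day


if __name__ == "__main__":
    print(demo())
```

The point of the commitment hash is that the party holding the key cannot later claim a different file was the one encrypted, and recipients cannot be fed a tampered ciphertext: anyone can check the hash of what was posted on day one against what they decrypt when the key lands.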

Should NSA disclose Zero Day security bugs

Interesting analysis says "no":
The point is that no sane person can argue that it's worth it for the government to spend $1 million per iOS 0day in order to disclose/fix. If it were in the national interest, we'd already have federal bug bounties of that order, for all sorts of products. Long before the EFF argues that it's in the national interest that purchased bugs should be disclosed rather than exploited, the EFF needs to first show that it's in the national interest to have a federal bug bounty program at all.

Conversely, it's insane to argue it's not worth $1 million to hack into terrorist iPhones. Assuming the rumors are true, the NSA has been incredibly effective at disrupting terrorist networks, reducing the collateral damage of drone strikes and such. Seriously, I know lots of people in government, and they have stories. Even if you discount the value of taking out terrorists, 0days have been hugely effective at preventing "collateral damage" -- i.e. the deaths of innocents.
iOS zero-day bugs (ones for which no patch yet exists to protect the target) sell for around a million dollars.  Less for Windows, maybe the same for Android.  There could be a billion dollars a year in this sort of bug bounty program.  So it is doable - pricey, but probably not in the grand scheme of NSA's budget.

Or you can use them to attack high value targets.

The worry, of course, is whether you can trust NSA to attack legitimate targets and not everybody else.  The author shares those concerns:
The NSA/DoD/FBI buying and using 0days is here to stay. Nothing the EFF does or says will ever change that. Given this constant, the only question is how We The People get more visibility into what's going on, that our representatives get more oversight, that the courts have clearer and more consistent rules. I'm the first to stand up and express my worry that the NSA might unleash a worm that takes down the Internet, or the FBI secretly hacks into my home devices. Policy makers need to address these issues, not the nonsense issues promoted by the EFF.
The EFF is, of course, the Electronic Frontier Foundation.  This is pretty interesting stuff, so if you're a security nerd you should RTWT.

Monday, August 15, 2016

Automotive software: unsafe at any speed

The problem isn't that there are software bugs.  The problem is an engineering culture that ensures that security problems are designed in and never fixed:
One of every five software vulnerabilities discovered in vehicles in the last three years is rated “critical” and is unlikely to be resolved through after-the-fact security fixes, according to an analysis by the firm IOActive.
“These are the high priority ‘hair on fire’ vulnerabilities that are easily discovered and exploited and can cause major impacts to the system or component,” the firm said in its report, which it released last week. The report was based on an analysis of more than 150 vehicle security flaws identified over three years by IOActive or publicly disclosed by way of third-party firms.
Where do all these "hair on fire" vulnerabilities come from?
The bulk of vulnerabilities that were identified stemmed from a failure by automakers and suppliers to follow security best practices including designing in security or applying secure development lifecycle (SDL) practices to software creation. “These are all great things that the software industry learned as it has progressed in the last 20 years. But (automakers) are not doing them.”
So the auto makers have basically ignored what the rest of the world has learned over the last two decades.  Got it.
The result is that vehicle cybersecurity vulnerabilities are not solvable using “bolt-on” solutions, IOActive concluded. That is because they are caused by flawed engineering assumptions or insecure development best practices. “The most effective cybersecurity work occurs during the planning, design and early implementation phases of products, with the difficulty and cost of remediation increasing in correlation with product age and complexity,” IOActive’s report notes.
Err, so the auto makers have basically ignored what the rest of the world has learned over the last two decades ...
Still, auto firms remain wary of information security firms and wedded to the notion that keeping the details of their systems secret will ensure security (aka “security through obscurity”).
“Their general attitude is that they don’t want to engage researchers or share their ‘secret sauce,'” Thuen said. “The attitude is anti-security in general. It’s the Ostrich approach – we’re going to stick our head in the sand and say that we can’t hear you, or that everything you’re saying isn’t important.”
What could possibly go wrong?  Oh yeah, problems not fixable once you release ...
Resistance to the attentions of security researchers is rooted in an engineering culture that looks on software vulnerabilities as shameful – far different from software-based engineering that generally accepts vulnerabilities as an inevitable byproduct of writing code. “It’s not shameful to have vulnerabilities. What is shameful is to have them and not move forward to fixing them,” he said.
So failure is inevitable.  I cannot say more strongly that I will not buy any "connected" car, ever.  And I will not ride in a self-driving car, ever.  There are too many ways that this breaks, and the culture that builds them simply doesn't care.

Hackers say: vote early, vote often

Electronic voting machines hacked in public demo.  Candy, babies:
But for the hackers at Symantec Security Response, Election Day results could be manipulated by an affordable device you can find online.
"I can insert it, and then it resets the card, and now I'm able to vote again," said Brian Varner, a principal researcher at Symantec, demonstrating the device.
And you can hack them after voting is done, remotely.  Communications aren't encrypted, presumably because the people who designed the systems were n00bs.  And there's likely no way to tell that the system was hacked:
CBS News learned that only 60 percent of states routinely conduct audits post-election by checking paper trails. But not all states even have paper records, like in some parts of swing states Virginia and Pennsylvania, which experts say could be devastating.
Confidence is not high in the integrity of our political system.

Sunday, August 14, 2016

U.S. Military Officer Corps is worse than useless

Fundamentally transformed:
Four U.S. military officials told me that the 300 or so U.S. special operators in Syria are under very strict rules of engagement. Because such rules are highly classified, these sources have requested anonymity.
But the rules in place, known as "last cover and concealment," are highly restrictive compared to special operations missions in the war on terror before 2014. Those rules of engagement allowed for U.S. special operators to fight alongside the local forces they trained. The rules of engagement for Syria, according to one military officer, amount to: "don't get shot."
The Queen Of The World saw red when she read this in the Sunday paper.  I can't blame her.  What use is an Officer Corps that isn't interested in winning wars, or protecting their most valuable assets?

Sir Arthur Sullivan - The Lost Chord

Everyone has heard of Gilbert and Sullivan and their comedic operettas.  However, Arthur Sullivan was a successful composer in his own right, and indeed it was his independent compositions that won him his knighthood from Queen Victoria.

In 1877, Sullivan's brother Fred was on his deathbed.  Sullivan composed this music while sitting at Fred's bedside, setting the poem "A Lost Chord" by Adelaide Anne Procter.  It became wildly popular, perhaps his most famous work outside of his operettas.  Thomas Edison recorded this on his newfangled phonograph on this day in 1888, one of the first musical recordings ever made.  Jimmy Durante later recorded a song "I'm The Guy Who Found The Lost Chord", which in turn inspired The Moody Blues to write "In Search Of The Lost Chord".

Saturday, August 13, 2016

Jolly good Pith Helmet, Old Boy

The big wheel race at Frederick's BestFest.

Wonder if RobertaX is here ...

Festival time

The Queen Of The World and I are off to nearby Frederick's BestFest.  Live music along the canal, a biergarten tent, street vendors.  It's not just festive, it's BestFestive.

The fly in the ointment?  The forecast is for 96°.  Oof.

Oh, well.  Just because it's hot doesn't mean it can't be fun.

Friday, August 12, 2016

Quote of the Day - Political Correctness edition

Yeah, I know I've already done one today.  Samizdata recalls George Carlin's epic description of this scourge:
Political correctness is fascism pretending to be manners

Do you have data on your computer that you care about?

No?  You can stop reading.  Everyone else needs to go here.

History repeats itself because nobody listens the first time.

Quote of the Day - Both parties stink edition

Michael Bane echoes my "a pox on both your houses" attitude:
I despise the Democratic Party for pretending they are not the Socialist Workers Party of America, and I despise the Republicans for their gutlessness and their willingness to throw us all under the bus to protect their dacha by the lake.

Another passes

Yesterday saw the sendoff of another of the generation who saved the world.  Via Patriot Guard Riders:
Lt. Col. James D. Hammond, Jr. USMC(ret), WWII/Korea, Canton, GA 11 Aug 16

The family of Lt. Col. James D. Hammond, Jr. has requested the Patriot Guard to honor their loved one and our hero.  It is our honor to do so.  We will stand a flag line at Georgia National Cemetery for his interment service.

Lt. Col. Hammond graduated from George Washington High School and attended Virginia Military Institute.  He served in the Marine Corps during WWII with the 2nd Marines and was part of the Saipan, Tinian, and Okinawa campaigns.  Lt. Col. Hammond served at Chosin Reservoir with Dog Company, 2nd Bn, 7th Marines, 1st Marine Division in Korea.  He retired from active duty in 1965 and from the Marine Corps reserves in 1983.

Lt. Col. Hammond earned two National Defense Service Medals, a United States Service Medal, a Korean Defense Medal with 3 bronze stars, and a Korean Presidential Unit Citation.
Saipan, Tinian, Okinawa, Chosin.  There's an honor roll for you.  Rest in peace, sir.  And may flights of Angels sing thee to thy rest.

Thursday, August 11, 2016

Professional Video Gamers

While #1 Son and #2 Son were here, they told me about the DOTA 2 International game championship currently under way.  Teams of gamers face off, for a share of a $20 Million prize pool.  Last year's winning team scored a cool $6M, out of an $18M pool.

[blink] [blink]

They sell out stadiums.  This was last year, with a capacity crowd at Seattle's Key Arena.

[blink] [blink]

I really don't know what to say.  The World is a stranger place than we can imagine.

Handy guide to the Olympic events

"Smart" Thermostats hacked

More news from the Internet of (Insecure) Things:
Last week, Andrew Tierney and Ken Munro from Pen Test Partners demoed their proof-of-concept ransomware for smart thermostats, which relies on users being tricked into downloading malware that then roots the device and locks the user out while displaying a demand for one bitcoin. 
The researchers have not released sourcecode or the name of the manufacturer. They say that they gained vital intelligence by examining the manufacturer's regulatory filings with the FCC, and that they could design an attack that turned heating or cooling to arbitrary setpoints, ran both at once, or rapidly power-cycled them, possibly causing damage.
This looks like not just bad coding and a grotesque inattention to security, but architectural decisions that all but guarantee failure:
* First, the device has no interlocks to prevent unsafe or unwise settings -- nothing to limit the heating or cooling, or simultaneous air-conditioner/furnace operation, or repeated high-speed power-cycling -- which means that software defects, as well as malicious software, can do significant damage that might be prevented with more thoughtful systems design 
* Second, the business-model for smart thermostats overwhelmingly assumes that users are hostile parties, and protects against them with DRM of some kind. Some thermostats are designed to be sold to power companies who'll subsidize their installation in customers' homes so that the power authority can tweak power consumption to reduce load at peak times -- these sales are much easier to make if the vendor can assure the power company that there are no apps that allow users to override these tweaks, and no apps that enable this will be approved for the device (and the device will not run unapproved apps).
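To make the first point concrete, here is what the missing interlocks look like when they are actually present.  This is an added example, not the (unnamed) vendor's firmware and not anything from Pen Test Partners; the setpoint bounds, the five-minute relay lockout and the half-degree hysteresis are assumptions.  The idea is that the control loop, the phone app and a piece of ransomware running as root all have to go through the same relay-level checks, so getting code execution does not by itself buy the ability to wreck the furnace.

```python
"""Interlocked thermostat controller.

Added example of the interlocks the write-up says the real device lacked;
not the (unnamed) vendor's code. Setpoint bounds, the compressor lockout
time and the 0.5 degree hysteresis are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

MIN_SETPOINT_C = 10.0     # assumed floor: above freezing for the pipes
MAX_SETPOINT_C = 30.0     # assumed ceiling
MIN_CYCLE_SECONDS = 300   # assumed anti-short-cycle lockout for the relays


@dataclass
class ThermostatState:
    setpoint_c: float = 21.0
    heat_on: bool = False
    cool_on: bool = False
    last_switch_time: float = float("-inf")
    rejected: List[str] = field(default_factory=list)   # audit trail


def set_setpoint(state: ThermostatState, requested_c: float, now: float) -> bool:
    """Every caller (panel, app, cloud, malware running as root) passes
    through here. Out-of-range requests are logged and refused."""
    if not (MIN_SETPOINT_C <= requested_c <= MAX_SETPOINT_C):
        state.rejected.append(f"t={now:.0f}: setpoint {requested_c} out of range")
        return False
    state.setpoint_c = requested_c
    return True


def command_outputs(state: ThermostatState, heat: bool, cool: bool, now: float) -> bool:
    """Relay-level interlock: heat and cool never run together, and the
    relays may not change state more often than MIN_CYCLE_SECONDS."""
    if heat and cool:
        state.rejected.append(f"t={now:.0f}: simultaneous heat and cool refused")
        return False
    if (heat, cool) == (state.heat_on, state.cool_on):
        return True                        # no change requested, nothing to do
    if now - state.last_switch_time < MIN_CYCLE_SECONDS:
        state.rejected.append(f"t={now:.0f}: relay change inside lockout window")
        return False
    state.heat_on, state.cool_on = heat, cool
    state.last_switch_time = now
    return True


def control_step(state: ThermostatState, room_c: float, now: float,
                 hysteresis_c: float = 0.5) -> None:
    """Ordinary bang-bang control. It can only touch the relays through
    command_outputs, so it lives under the same interlocks as an attacker."""
    if room_c < state.setpoint_c - hysteresis_c:
        command_outputs(state, heat=True, cool=False, now=now)
    elif room_c > state.setpoint_c + hysteresis_c:
        command_outputs(state, heat=False, cool=True, now=now)
    else:
        command_outputs(state, heat=False, cool=False, now=now)


def normal_operation() -> Tuple[Tuple[bool, bool], Tuple[bool, bool]]:
    """Legitimate use still works: a cold room heats, and a hot room
    (once the lockout has expired) cools."""
    s = ThermostatState()
    set_setpoint(s, 22.0, now=0.0)
    control_step(s, room_c=18.0, now=10.0)
    heating = (s.heat_on, s.cool_on)
    control_step(s, room_c=26.0, now=400.0)
    cooling = (s.heat_on, s.cool_on)
    return heating, cooling


def simulate_attack() -> Dict[str, object]:
    """Replays the three abuses from the write-up (arbitrary setpoint,
    heat and cool at once, rapid power-cycling) against the interlocks."""
    s = ThermostatState()
    results: Dict[str, object] = {}
    results["extreme_setpoint_accepted"] = set_setpoint(s, 99.0, now=0.0)
    results["both_outputs_accepted"] = command_outputs(s, heat=True, cool=True, now=1.0)
    changes = 0
    for t in range(2, 62):                 # try to flip the heat relay once a second
        before = (s.heat_on, s.cool_on)
        command_outputs(s, heat=(t % 2 == 0), cool=False, now=float(t))
        changes += (s.heat_on, s.cool_on) != before
    results["relay_changes_in_60s"] = changes          # one flip, then locked out
    results["setpoint_c"] = s.setpoint_c
    results["rejections_logged"] = len(s.rejected)
    return results


if __name__ == "__main__":
    print(normal_operation())
    print(simulate_attack())
```

Note that the rejected-request log is part of the design: a thermostat that suddenly refuses thirty relay changes a minute has been compromised, and that is exactly the signal the owner (or the power company) should see.  None of this stops the lock-screen ransom demand, but it does turn "burn the house down" into "annoying screen".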
Interestingly, the vendor is not named, so it's not possible for consumers to make informed decisions on what product not to purchase:
This matters because a device with DRM poses significant legal risks to security researchers. Anti-circumvention laws like section 1201 of the DMCA and European laws implementing Article 6 of the EUCD have been invoked to make civil and criminal threats against security researchers, on the theory that information about defects in a device will assist people who want to bypass the DRM, which is banned under these laws.
Government is what we choose to do together.  Like forcing you to only have insecure products to purchase.  Behold your Philosopher Kings.

Wednesday, August 10, 2016

Free retro games!

The Internet Archive now has a long list of games developed for the Commodore Amiga available for free play.  All you need is a Browser to get access to King's Quest II, Hunt for Red October, Pac Man, Galaga, and other 1980s nostalgia.

Knock yourselves out.

Bluetooth door locks - insecure and staying that way

Ah, the "Internet Of Things" - ubiquitous insecurity.  Not just coming to your house, but coming to your front door:
Many Bluetooth Low Energy smart locks can be hacked and opened by unauthorized users, but their manufacturers seem to want to do nothing about it, a security researcher said yesterday (Aug. 6) at the DEF CON hacker conference here. 
Researcher Anthony Rose, an electrical engineer, said that of 16 Bluetooth smart locks he and fellow researcher Ben Ramsey had tested, 12 locks opened when wirelessly attacked. The locks — including models made by Quicklock, iBlulock, Plantraco, Ceomate, Elecycle, Vians, Okidokey and Mesh Motion — had security vulnerabilities that ranged from ridiculously easy to moderately difficult to exploit. 
"We figured we'd find vulnerabilities in Bluetooth Low Energy locks, then contact the vendors. It turned out that the vendors actually don't care," Rose said. "We contacted 12 vendors. Only one responded, and they said, 'We know it's a problem, but we're not gonna fix it.'"
None of these will ever come to my front door, and I recommend the same to you.

Security: not an afterthought - it wasn't thought of at all.

It looks like the Russians didn't hack the DNC

I've been skeptical, and posted this a little while back:
There are other plausible actors who would be more embarrassing to the Democrats.  It's not beyond belief that a [DNC] IT Administrator was a closet Bernie Bro who caught a whiff of what was going on, and leaked the emails to Wikileaks.
And look at this:
Julian Assange seems to suggest on Dutch television program Nieuwsuur that [DNC staffer] Seth Rich was the source for the Wikileaks-exposed DNC emails and was murdered. 
From the video:
Julian Assange: Whistleblowers go to significant efforts to get us material and often very significant risks. As a 27 year-old, works for the DNC, was shot in the back, murdered just a few weeks ago for unknown reasons as he was walking down the street in Washington. 
Reporter: That was just a robbery, I believe. Wasn’t it? 
Julian Assange: No. There’s no finding. So… I’m suggesting that our sources take risks.
No doubt the crack investigators at the FBI will be on this in a jiffy.  And no doubt the ruling ultimately will be that no prosecutor would file charges ...

Tuesday, August 9, 2016

What they promise vs. what they deliver

This is God's own truth.

Why does "Green" power kill so many people?

The Department of Veterans Affairs repeatedly delayed veterans' health care, killing many.  The reason, we are told, is that they didn't have a big enough budget.  So what did they have budget for?
The Department of Veterans Affairs has spent more than $408 million to install solar panels on its medical facilities in recent years, despite many of the projects experiencing significant delays and some of the systems not becoming operational at all.
Hundreds of millions of dollars flowing not to health care for veterans, but to Solyndra and other "Green" companies feeding at the public trough.

Does the VA even know what its mission is?  I mean, it's in the Agency's name and everything.

Hat tip: Rick via email.

Hack the Vote!

This is my surprised face:
“People weren’t thinking about voting system security or all the additional challenges that come with electronic voting systems,” says the Brennan Center’s Lawrence Norden. “Moving to electronic voting systems solved a lot of problems, but created a lot of new ones.”
The list of those problems is what you’d expect from any computer or, more specifically, any computer that’s a decade or older. Most of these machines are running Windows XP, for which Microsoft hasn’t released a security patch since April 2014. Though there’s no evidence of direct voting machine interference to date, researchers have demonstrated that many of them are susceptible to malware or, equally if not more alarming, a well-timed denial of service attack. 
“When people think about doing something major to impact our election results at the voting machine, they think they’d try to switch results,” says Norden, referring to potential software tampering. “But you can do a lot less than that and do a lot of damage… If you have machines not working, or working slowly, that could create lots of problems too, preventing people from voting at all.”
The extent of vulnerability isn’t just hypothetical; late last summer, Virginia decertified thousands of insecure WinVote machines. As one security researcher described it, “anyone within a half mile could have modified every vote, undetected” without “any technical expertise.” The vendor had gone out of business years prior.
Stalin would have had them all shot.

Monday, August 8, 2016

OK, that would be a time I would take a self-driving car

Tesla drives man to hospital, saves his life:
A Missouri man says his Tesla helped save his life by driving him to the hospital during a life-threatening emergency. 
Joshua Neally is a lawyer and Tesla owner from Springfield, Missouri, who often uses the semi-autonomous driving system called Autopilot on his Tesla Model X. 
The system has come under fire after it was involved in a fatal Florida crash in May, but Neally told online magazine Slate that Autopilot drove him 20 miles down a freeway to a hospital, while Neally suffered a potentially fatal blood vessel blockage in his lung, known as a pulmonary embolism. The hospital was right off the freeway exit, and Neally was able to steer the car the last few meters and check himself into the emergency room, the report said.
I don't like the lack of security in self-driving cars, but I like the idea of death even less.