I would have throught that German IT Security teams would be more competent than this

I was not expecting this:

Germany's infosec office (BSI) is sounding the alarm after finding that 92 percent of the nation's Exchange boxes are still running out-of-support software, a fortnight after Microsoft axed versions 2016 and 2019.

While the end of Windows 10 updates occupied most of the headlines, Microsoft's support for Exchange and a bunch of other 2016 and 2019-branded products ended on October 14, as scheduled a year earlier.

Alternate title: 90% of German firms fail their SOC 2 audit.  Look, this isn't landing a man on the moon, and you had a whole year.  You just couldn't be bothered.

Was ist los? 

 

AI Browsers considered unsafe

OK, that post title is more than a bit inflammatory, but who on earth would want to use something like this?

Several new AI browsers, including OpenAI's Atlas, offer the ability to take actions on the user's behalf, such as opening web pages or even shopping. But these added capabilities create new attack vectors, particularly prompt injection.

Prompt injection occurs when something causes text that the user didn't write to become commands for an AI bot. Direct prompt injection happens when unwanted text gets entered at the point of prompt input, while indirect injection happens when content, such as a web page or PDF that the bot has been asked to summarize, contains hidden commands that AI then follows as if the user had entered them.

This is unbelievably bad.  How bad?  This bad: 

Last week, researchers at Brave browser published a report detailing indirect prompt injection vulns they found in the Comet and Fellou browsers. For Comet, the testers added instructions as unreadable text inside an image on a web page, and for Fellou they simply wrote the instructions into the text of a web page.

When the browsers were asked to summarize these pages – something a user might do – they followed the instructions by opening Gmail, grabbing the subject line of the user's most recent email message, and then appending that data as the query string of another URL to a website that the researchers controlled. If the website were run by crims, they'd be able to collect user data with it.

Surely they must be exaggerating, I hear you say.  Nope - the author of the post at El Reg recreated the exploit his very own self, simply by creating a web page with the commands hidden in it.  FYI, that's 1996 technology right there.

Now look, I may be an old crabby security geezer (no comments, Glen Filthie!) but the problem of sanitizing user input is a really old one.  So old that it was old when XKCD did it's classic "Bobby Tables" cartoon:

There have been over 3000 XKCD cartoons; that one was number 327.  Yeah, that long ago. 

My opinion about anything regarding AI is that the hype is so fierce that the people developing the applications don't really focus much on security, because security is hard and it would slow down the release cadence.  And so exploits that wouldn't have surprised anyone back in 2010 keep popping up.

Le sigh.  Once again, security isn't an afterthought, it wasn't thought of at all.  My recommendation is not to touch these turkeys with a 100' pole.

AI LLM poisoning attacks are trivially easy

This doesn't seem good:

Poisoning AI models might be way easier than previously thought if an Anthropic study is anything to go on. 

Researchers at the US AI firm, working with the UK AI Security Institute, Alan Turing Institute, and other academic institutions, said today that it takes only 250 specially crafted documents to force a generative AI model to spit out gibberish when presented with a certain trigger phrase. 

For those unfamiliar with AI poisoning, it's an attack that relies on introducing malicious information into AI training datasets that convinces them to return, say, faulty code snippets or exfiltrate sensitive data.

The common assumption about poisoning attacks, Anthropic noted, was that an attacker had to control a certain percentage of model training data in order to make a poisoning attack successful, but their trials show that's not the case in the slightest - at least for one particular kind of attack. 

...

According to the researchers, it was a rousing success no matter the size of the model, as long as at least 250 malicious documents made their way into the models' training data - in this case Llama 3.1, GPT 3.5-Turbo, and open-source Pythia models. 

Security companies using AI to generate security code need to pay close attention to this.  Probably everybody else, too.

UPDATE 23 OCTOBER 2025 13:08:  More here. It looks like solutions may prove elusive. 

Earth has some solar system stalkers

Well, they're sure acting like stalkers:

You might recall that in late 2024, Earth gained a temporary mini-moon, an asteroid that partially orbited our planet for about two months. Now astronomers have discovered another temporary companion to Earth, but this time it’s a quasi-moon. The Pan-STARRS observatory on Haleakala in Hawaii first spotted the quasi-moon, named 2025 PN7, on August 29, 2025. Older data revealed that 2025 PN7 has been in this particular orbit for about 60 years and will stay in this orbit for about another 60 years before the tug of the sun once again releases it from its quasi-moon status.

Huh.

Dad Joke CCCLXIIII

Tuna sends in another:

I went to a haunted Bed & Breakfast in France, but checked out early- the place was giving me the crepes. 

Mmmm, Ghost crepes!

Underwater archaeology recovers WWII airman's body

This is from a few years back but is a cool story.  Rest in Peace, Lieutenant.  

Recommended Reading: Empire of the Summer Moon

The most Bad Ass Indian tribe in the old west was not the Lakota that did in the 7th Cavalry, but rather the Comanche.  S. C. Gwynne tells their tale well in The Empire Of The Summer Moon.

Essentially they were ferocious and highly mobile guerillas who thought nothing of raiding a thousand miles (from Kansas into Mexico), often - maybe usually - riding at night by the light of the moon.

To this day a summertime full moon is often referred to (at least in Texas) as a "Comanche Moon).  In fact, that was the title of a miniseries set in the old west not so very long ago. 

The book does a great job describing the rise of the Comanche from obscure beginning to their domination of the central Great Plains.  They were the best horsemen in North America and the masters of the hit-and-run.  They put so much pressure on settled tribes (not to mention Spanish colonists) that they essentially stopped Spanish advancement north of the Rio Grande.  The book makes the case that the Mexican government invited the Americans into Texas to act as a buffer between Mexico and the Comanches.  The Texas border with them was bloody and settlement was slow.

The end of the Civil War and the introduction of repeating firearms (and light horse artillery), combined with the slaughter of the bison herds was a problem that the Comanches could never solve.  Even so, Kit Carson admitted that their chief Quanah Parker (son of a kidnapped Texas girl who went native in the tribe)  almost wiped out his entire command.  The second half of the book is Quanah's story, from the greatest war chief of the Plains to the Reservation, and ultimately to his unlikely friendship with Teddy Roosevelt.

Highly, highly recommended. 

The book left out what I think is perhaps the most unlikely Comanche story, that of David Pendleton Okenhater. Born as O-kun-ha-tuh (Making Medicine) in the 1840s, he was in the thick of the Comanche wars of the 1860s - he was with Quanah at the Second Battle of Adobe Walls.  In prison at Ft. Marion in Florida in the 1870s he ended up as First Sergeant of the prisoners (really!) and was noticed by Capt. Pratt for the art he was creating (really!).  Pratt encouraged his art career and one of his pieces came into the collection of Mrs. Alice Key Pendleton, wife of a Senator from Ohio (really!).  The Pendletons paid for Okenhater to be sent to live at St. Paul's Episcopal Church in New York.   He took their name out of respect and gratitude.

He was baptized there in 1878 and ordained a deacon in 1881.  As a Deacon he was sent essentially as a missionary back to the Cheyenne.  He lived out his life as a Deacon and a Cheyenne Chief until his death in 1931.  That was a long way from a taker of scalps.  A long way.

In 1985, the Episcopal Church declared David Pendleton Okenhater a saint.  His feast day is September 1.  That's quite some Medicine for O-Kun-Ha-Tuh to make.

Predictions for AI security

This is interesting even if it follows what we've seen for all security technologies since, well, forever:

Basically whoever can see the most about the target, and can hold that picture in their mind the best, will be best at finding the vulnerabilities the fastest and taking advantage of them. Or, as the defender, applying patches or mitigations the fastest.

And if you’re on the inside you know what the applications do. You know what’s important and what isn’t. And you can use all that internal knowledge to fix things—hopefully before the baddies take advantage.

summary and prediction

1. Attackers will have the advantage for 3-5 years. For less-advanced defender teams, this will take much longer.
2. After that point, AI/SPQA will have the additional internal context to give Defenders the advantage.  

 So basically it will be a shooting gallery for now with sanity restored later.  I'm somewhat optimistic of AI as a back-end tool (i.e. no user input) to run a set of interesting but more or less canned queries.  User input sanitization issues basically disappear at that point.

(via) 

Remember about all that Voice mail spam?

I posted about it a while back.   Lawrence has been following this and has an update linking it to China:

Well, as suspected, it was China’s.

This was in fact my first thought: Smells like a State Actor.

Having thought about it, I suspect it is linked to the PRC, but "outsourced" to US-based Bad Guys.  This seems a business (selling infrastructure to send out floods of voice mail spam).  It looks like the guys who ran this also let people swat folks they didn't like.  In fact, this is how they got caught because one of the victims was a Congressman.

And so a lack of Opsec led to compromise of the whole system.  Cry me a river.

And Lawrence has a great suggestion:

If theses SIM farms are active, there should be ways for telecomms to algorithmically search for mobile call hotspots where too many calls issue from too small an area. Let’s hope they’re doing that and working with various U.S. three letter agencies to shut them down right now. 

Endorsed. 

Dad Joke CCCLXIII

The guy who invented the Ferris Wheel never met the man who invented the Merry-go-round.  They ran in different circles. 

I'm back

The Queen Of The World and I are back from our Son-In-Law's retirement from the US Navy.

25 years, ending as a Senior Chief.  He would have made Master Chief but would have had to have another sea duty, and Abby finally put her foot down.  I don't know that I blame her. 

I must say based on the other Senior and Master Chiefs I met there that these senior NCOs are absolutely the backbone of the fleet.

Bravo Zulu, Steve! 

G'mar tov

The Day of Atonement is a day for reflection.  This is good for all of us, Tribe or not. 

To our Jewish readers, Shanna tovah. 

Dad Joke CCCLXII

Tuna sends in another one.  It looks like he's doing all my blogging now:

I was rejected for a job at the sunscreen factory. They said to just reapply every 4 hours.

Attacking AI via prompt manipulation

This is actually pretty clever:

The attack involves hiding prompt instructions in a pdf file—white text on a white background—that tell the LLM to collect confidential data and then send it to the attackers.

...

The fundamental problem is that the LLM can’t differentiate between authorized commands and untrusted data. So when it encounters that malicious pdf, it just executes the embedded commands. And since it has (1) access to private data, and (2) the ability to communicate externally, it can fulfill the attacker’s requests. I’ll repeat myself:

This kind of thing should make everybody stop and really think before deploying any AI agents. We simply don’t know to defend against these attacks. We have zero agentic AI systems that are secure against these attacks. Any AI that is working in an adversarial environment­—and by this I mean that it may encounter untrusted training data or input­—is vulnerable to prompt injection. It’s an existential problem that, near as I can tell, most people developing these technologies are just pretending isn’t there.

Essentially, this means that AI is simply not fit for purpose.  And clearly, it's not even a little bit "intelligent", security-wise.  

Where all your phone spam comes from

Lawrence points to an interesting "datacenter":

This seems like a story that should have gotten a lot more attention than it has. “Secret Service Dismantles Weaponized SIM Farms Designed To ‘Shut Down’ NYC Cell Networks.”

Hours before President Donald Trump’s address to the United Nations General Assembly, the U.S. Secret Service announced that it had dismantled a massive, decentralized SIM farm network, just 35 miles from New York City, hidden inside five abandoned apartment buildings. The telecommunications stealth weapon was capable of paralyzing regional cell networks through denial-of-service attacks.

My first instinct was that this was a State Actor prepping some sort of cyber attack.  Now I think it's a Phone Spam datacenter:

SIM farms allow “bulk messaging at a speed and volume that would be impossible for an individual user,” one telecoms industry source, who asked not to be named due to the sensitivity of the Secret Service’s investigation, told WIRED. “The technology behind these farms makes them highly flexible—SIMs can be rotated to bypass detection systems, traffic can be geographically masked, and accounts can be made to look like they’re coming from genuine users.” 

Bastards.  95% of all the calls I get are along the lines of "You have been pre-approved ...".  I don't even answer a call where I don't recognize the number anymore.

Dad Joke CCCLXI

Tuna sends in another one:

My card got declined at the Sweater Store. They had to run my cardigan. 

No word yet from Glen Filthie ... 

Clouds In Space!

Well, this is the 21st Century after all:

Axiom Space and Spacebilt have announced plans to add optically interconnected Orbital Data Center (ODC) infrastructure to the International Space Station (ISS).

The company plans to launch two Axiom Orbital Data Center (AxODC) Nodes by the end of 2025, with at least three running by the end of 2027. It all sounds very exciting until you consider that Axiom Data Center Unit One (AxDCU-1), which eventually launched to the ISS in August, was a prototype that was roughly the size of a shoebox.

AxDCU-1 is more of a demonstrator to show that the concept works – think of an edge device on-orbit that can host hybrid cloud and applications, as well as cloud-native workloads. The AxODC Nodes are altogether more serious beasts. In addition to being interconnected, the hardware will be supported by an Optical Communication Terminal (OCT), allowing service to be provided to any spacecraft or satellite equipped with compatible OCTs.

So Cloud Computing for spacecraft.  It will be interesting to see where this goes, and how they handle the power demands of an orbiting data center. 

 

Happy Hobbit Day!

Why yes - I am a nerd.  Why did you ask? 

In Memoriam Charlie Kirk

Charlie Kirk gets laid to rest today.  He was a man of faith who always reached out to the greater crowd.  I like to think that he would think that this song speaks to how he lived his life.

Rest in peace. 

Apple or Android for security?

Glen Filthie left a comment asking what I like for vendors providing good phone security. I replied:

I think that Apple is much more serious about their customer's privacy than Google is. Apple has repeatedly told governments to get bent when they demand encryption backdoors; Google seemingly couldn't care less.

Also, I think that Apple's update model is superior (it certainly was just a few years ago; I don't get the sense that this is a big area of concern to Google).

Your mileage may vary, void where prohibited, do not remove tag under penalty of law.

And here's an example of how Apple's update model is superior:

Samsung has fixed a critical flaw that affects its Android devices - but not before attackers found and exploited the bug, which could allow remote code execution on affected devices.

The vulnerability, tracked as CVE-2025-21043, affects Android OS versions 13, 14, 15, and 16. It's due to an out-of-bounds write vulnerability in libimagecodec.quram.so, a parsing library used to process image formats on Samsung devices, which remote attackers can abuse to execute malicious code.

"Samsung was notified that an exploit for this issue has existed in the wild," the electronics giant noted in its September security update.

Note that you get this patch from Samsung, not Google.  Samsung is the phone handset manufacturer, and has customized the (Google supplied) Android OS so they rolled the patch.  Now customizing the OS isn't bad per se, but it's fair to ask who has a better security group: Apple or Samsung.  Same question for Motorola and all the Android phone vendors.

So I like my chances better with Apple, at least for security.  And notice that this is only looking at the patching cadence.  Apple has a history of standing up to governments who ask for encryption backdoors (by my count this is the US.gov, the UK.gov, and the EU.gov).  Each time, Apple told them not just "no" but "Hell, no".

Once again, your mileage may vary, void where prohibited, do not remove tag under penalty of law. But Glen did ask.

Hey, remember that Apple iOS fix last month?

It looks like the Bad Guys are attacking older devices as well:

Apple backported a fix to older iPhones and iPads for a serious bug it patched last month – but only after it may have been exploited in what the company calls "extremely sophisticated" attacks.

The latest security update, pushed on Monday, fixes an out-of-bounds write issue tracked as CVE-2025-43300 in the ImageIO framework, which Apple uses to allow applications to read and write image file formats. It's available for iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation, and the iThings maker on August 20 patched the same CVE in its newer devices.

Well done to Apple for this.  iPhone 8 was released a long time ago, but they're still supporting it with security fixes.  Bravo. 

Tagged with my Apple Sucks tag because this time they absolutely do not. 

 

Seen in the neighborhood

 

All I've ever seen before in this neighborhood are the usual run-of-the-mill printed campaign signs, and only during election season.

Something is different. 

A message to commenter "DTWND" (and people who think like him

I recently posted The Lamps Are Going Out All Over America.  For the two of you (likely including DTWND), the reference was to the beginning of World War I, when the politicians realized that the New World that they had created was basically everyone standing is a room filled with gasoline waving lit matches around.  We know how that turned out.

My post was not inflammatory; it was sad. Nonetheless, reader DTWND left the following comment:

Those of you on the right are really, REALY [sic] hoping that something in the shooter’s background will tie him to the leftist, liberal side of politics. Meanwhile, you’ll continue to deny and obfuscate the truth that this was one of your own. Just like the group that planned to kidnap Michigan’s governor Whitmer; the guy that shot and killed the two Minnesota legislators: the folks that marched in Charlottesville: the shootings at the LGBTQ nightclub in Orlando: the ‘peaceful demonstators’ [sic] at the Capitol on January 6th; etc.

I find it telling that all the former presidents, Democrats and Republican, issued messages of condolence, condemnation of the event, and calls to end political violence, while the current president condemned the violence but also expressed the point that those of the left persuasion need to under scrutiny and should not be trusted.

As Mr Kirk had stated, “Prove me wrong.”

Here is the pertinent part of my original post, and my replied to Mr. DTWND:

Who would have figured 24 years ago that society would be destroyed from within?

[Memes deleted]

If you don't know the people who don't understand that sentence, then they are the ones who you need to not know. 

Not particularly well said, but perfectly understandable.  And so you clearly failed on multiple levels: 

1. It sure as shootin' looks like the shooter was a leftist freak.  The 72 hour rule applies here, which you either ignored, didn't know, or skated past because you were angry.
2. It "wasn't one of our own", it was exactly what you'd expect from a rabid Left baying for the blood of conservatives.  See #1, above.  Nicely done, getting two own goals from the same ball, though.
3. The group that was going to kidnap Governor Crazy Eyes was led by a FBI asset.  Sorry you're so behind on this, but not really surprised.
4. The rest is IQ-90 level Leftist boilerplate.  Ashley Babbit would reply but could not be reached for comment, as she was shot in the back by a Capitor Hill police officer on January 6.  Some of us are aware on the rules for the use of Deadly Force; you clearly are not, but thought this was a winning argument for "conservative violence".  Dumbass. 
5. Former Presidents call for the end of political violence?  Gosh, why might this be hard to believe?
    
   
6. Most significantly, you (a) did not reply to the content of my original post and (b) chose to try to insult me and hijack my site for your absurd political dogma.

Fine, then - let it be so.  DTWND, go away and don't come back.  We don't need your thoughts polluting this site. You're banned.  Go hang out with your leftie assassins.

The lamps are going out all over America

Who would have figured 24 years ago that society would be destroyed from within?

If you don't know the people who don't understand that sentence, then they are the ones who you need to not know.

We Swore to Remember

Another declassified NSA Cryptanalysis doc

This one is from 1965 (i.e. it was classified for 60 years!) [PDF warning].

It's the output from a computer program (from 1965!) that takes an encrypted cypher stream and performs tricks of the trade like frequency analysis of each character and other statistical analysis.  The test was for the cryptanalyst to use this to identify which language was being enciphered.  Essentially, it was a training class for Secret Squirrels. 

Pretty cool in a very crypto geeky way.  It took me back to some training I had as a larval engineer as the class of new hires waited for their clearances to be approved.  I wasn't great at it (I was an electrical engineer, not a linguist).  The Queen Of The World eats this sort (cryptograms in the newspaper) of stuff for breakfast.

(via) 

War Department bans Chinese nationals from Cloud environments

This is an area that has needed reform for years:

The Pentagon will no longer allow Chinese nationals to support Department of Defense (DOD) cloud environments, Defense Secretary Pete Hegseth said in a video posted to X on Aug. 27.

Hegseth said the arrangement – part of a Microsoft program known as “Digital Escorts” – allowed coders from China, remotely supervised by U.S. contractors, to assist with sensitive DOD cloud systems. He called the setup an “unacceptable risk” to national security.

Well, yeah. 

Here's how the rules have been bent for years.  Initially what was mandated was that only U.S. Citizens could work in these environments.  After lots of complaints from tech companies (*cough* Jobs Americans won't do *cough*) this was changed to "US Persons".  This added both Green Card holders and H1-B Visa holders to the list of acceptable people allowed into the environments.

Fast forward a decade and Silicon Valley has so gamed the H1-B system that the US imports a huge number of foreign workers while laying off US citizens.  So the question is how much loyalty to the USA do these people have?

Green Card holders?  Probably a lot.

H1-B holders?  Dunno.

Chinese H1-B holders?  Per the SECDEF, they represent an overwhelming security risk. 

Like I said, this area has been ripe for reform for years.  We will see if this policy gets extended from the War Department for Fed.Gov in general. 

Dad Joke CCCLX

You've heard of Pop Tarts.  Why aren't there Mom Tarts?

Because of the Pastry-archy. 

How the USA won the Cold War

We did it by treated German POWs held in the USA well.  Not just the US Government, but the American people treated them well.  They had been told by the Nazis that America was weak, divided, and a mongrel race.  The POWs saw the American people and society with their own eyes and then went home after the war.

And then built modern Germany.

We came to America as enemies, as Nazis, as believers in a lie.  We left as friends, as democrats, as men who had seen the truth.   

Many of the POWs who were employed on Kansas farms corresponded for decades with the families who showed them friendship as POW workers.

Playback has been disabled for this video (from which I got the quote above), but I encourage every reader to go watch it.  If you don't - like I did - end up with watery eyes then we just cant be friends anymore.  And to those who think this video is a one-off, there are more.  So many more.  You can watch them at the link (from Youtube suggestions) or you can watch this: 

And a note to the Usual Suspects who fancy themselves as "Anti Nazi": this is what anti-Nazi is really about.  This is how you turn actual, you know - Nazis - into anti-Nazis.  It must really bust your chops to have Primary Sources telling you that your philosophy of life is full of shiest.  You Commie Bastards.

Oh, this will too (note the substitution of the word freiheit - freedom - for freunde -  I could translate for you but I wouldn't want to insult you; me, I think that Schiller would have approved of Bernstein's substitution at the fall of the Berlin Wall).

Things I don't understand, vol. MCCXVI

So an Irish chap (Graham Lineham) who is a resident of Arizona posted some stuff to Twitter.  And so the British authorities arrested him at Heathrow airport essentially for exercising his First Amendment rights in America.

So how is it possible that the Administration has not summoned His Magesty's Ambassador and given them 24 hours to free him and drop all charges?  Or. Else.

I really don't understand the political optics here.  Sure, sure - "all politics is local" and all that.  I understand why His Magesty's Government would be happy to stick a thumb in Trump's eye, but what's up with Trump?

I mean there's no domestic downside to bringing the hammer down - nobody here cares about Europe, everyone here loves free speech, everyone here hates the woke censors, and Trump has been going after the DEI (woke censor) brigade here on these shores.

How on earth is it possible that they are letting this golden opportunity slide?  I mean, it's not like the UK has made themselves our greatest ally over the last decade.  And it's not like Kier Starmer wouldn't fold like a house of cards over this. 

Dad Joke CCCLVIIII

Why aren't any boys born on Labor Day?

There's no male delivery. 

Google Play store filled with malware

Yesterday was Apple's turn, today it's Android:

Cloud security vendor Zscaler says customers of Google’s Play Store have downloaded more than 19 million instances of malware-laden apps that evaded the web giant’s security scans.

Zscaler’s ThreatLabz spotted and reported 77 apps containing malware, many of them purporting to be utilities or personalization tools.

Sneer all you want at Apple, they take security for iOS much more seriously than Google does for Android.

Zscaler noted that the software requires users to grant it elevated permissions before it can cause harm, but attackers are hiding it in legitimate-seeming apps to fool users, and the technique is obviously working.

Probably the best thing you can do is refuse permissions for new apps.  Heck, I don't even let most apps have access to location data.

And quite frankly, I don't have many apps installed.  That's probably the best way you can deal with this sort of nonsense.

iOS fanboys - update toute suite

OldNFO mentioned this earlier, but this bug in iOS is really bad juju: 

Apple warned that the flaw could let miscreants hijack devices with a booby-trapped image – and for some iDevice users, it sounds like the damage has already been done.

"Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals," Cupertino said.

Apple went on to explain that "processing a malicious image file may result in memory corruption," but didn't say what that could lead to.

This is pretty much the trifecta of badness:

1. The attack is delivered by a file that looks harmless (an image), so you start out with your guard being down.  Hey, just me gathering memes, amirite?
2. Active exploit in the wild means that the Bad Guys know how to use this, and in fact are.
3. Apple isn't saying what else this exploit can do, which is a sign that this is security badness of Biblical proportions.  Maybe I'm wrong here, but this smells of "there's more to the Rest Of The Story".

So when your iPhone/iPad/iWatch go to update, let them.  If they haven't updated, go do this manually right now.  You can do this my going to the Settings app - going to Settings -> Update will tell you if you are up to date, and will allow you to update if you are not. 

 

SIGINT in World War II

The NSA and the UK GCHQ have jointly declassified a pile of WWII documents and actually produced a book:

Secret Messengers: Disseminating SIGINT in the Second World War.

If you are interested in Secret Squirrel stuff, this comes from Secret Squirrel Central.

(via) 

Frédéric Chopin - "Raindrop" Prelude

It's summer in Florida, which means that it's the rainy season.  This year it's been really rainy: every day for the last couple of weeks and forecast for the next 10 or so.  At least the weather has been cooler.

I haven't posted much Chopin here which is a little surprising.  So here's his Raindrop Prelude. 

Dad Joke CCCLVIII

I went bird hunting the other day.  It was quite Pheasant. 

Rest in peace, Flight Lt

Dwight (my go-to guy for obituaries) has one worth your time: the last WWII recipient of the Victoria Cross takes off on his final flight.

For those on this side of the Pond who are unfamiliar with the VC, it is the UK equivalent of the US Medal Of Honor: awarded for bravery above and beyond the call of duty under fire. It (as the HoH) is very often awarded posthumously.  Flight Lt. Cruickshank survived the war to the ripe old age of 105, the oldest WWII VC recipient.

As with many who served - and very, very many of those awarded these decorations - he kept an enormous humility.  I love this quote from Dwight's post: 

…he told The Daily Telegraph, “The citation said ‘showed great courage’ and all that nonsense, but a lot of people would have done that in those circumstances.”

Translation: No, I wasn't a hero in the war.  But I served in a Company of heroes.

Ave atque vale, Flight Lieutenant. May your Final Review be in Glory.

Art Carney and Johnny Carson jam together

I never knew he could play the piano, or that Johnny could play drums.  Or that Sid Caesar could play sax.

Wow

Having grown up during the Cold War, I got used to European leaders who, if not always friendly, were all serious people.  Francois Mitterand was serious.  The Iron Lady Thatcher was serious.  Heck, even pinko Willy Brandt was serious.

Now Donald Trump lines them up like school kids.

It's arguable that the only serious European leader today is Vladimir Putin.  Good Grief.

UPDATE 19 AUGUST 2025 16:46:  HMS Defiant leaves a comment about Hungary's Prime Ministor Viktor Orban as being a serious leader.  I 100% agree. I would also suspect that many of the leaders from Central and Eastern Europe are also serious.  The ones in the photo, not so much.

George Gershwin and DuBose Hayward - "Summertime" from Porgy & Bess (sung by Ella Fitzgerald)

Porgy & Bess was first performed in 1935 and sadly has peaked.  Perhaps unsurprisingly, it was popular in the Soviet Union during the Cold War as a display of American repression - the 1980s film White Nights showcased this..  It seems that the Usual Suspects who control popular culture are not subtle enough to line this into their repertoire of  anti-American art, but whatever.

This is without doubt the most famous song from that opera, and has been recorded by pretty much everybody - Janis Joplin & The Holding Company may have been the most unexpected of these.  Here's Ella Fitzgerald with what approaches the Platonic Ideal performance of the song. 

Toby Keith - Rum Is the Reason

This is a fun song that could have been by Jimmy Buffett.

Rum Is The Reason (Songwriters: Toby Keith, Bobby Pinson)

I heard Davey Crockett had a pint in his pocket, good whiskey at the Alamo
Now that Pancho Villa had a jug of tequila
When he walked the streets of old Mexico
While Blackbeard was fleecing around the hurricane season
He didn't quit because of a girl
Yeah, rum is the reason pirates never ruled the world

 

While Russia was brawling
I'll bet that old Stalin was calling for a vodka martini
While the world waited in fear
Old Hitler drank beer from a stein, eating sauerkraut and weenies
Yeah, down through the ages, as they're turning their pages
They couldn't drink the diamonds and pearls
No, rum is the reason pirates never ruled the world

 

I ain't getting much done, but I'm having fun sailing on the deep blue sea
My whole body goes numb from a bottle of dark rum, and the sun sinking down on me
My catch of the day is a tall Cuba Libre chasing down with a 12-ounce curl
Yeah, rum is the reason pirates never ruled the world

 

I ain't getting much done, but I'm having fun sailing on the deep blue sea
My whole body goes numb from a bottle of dark rum, and the sun sinking down on me
My catch of the day is a tall Cuba Libre chasing down with a 12-ounce curl
Oh, rum is the reason, I guess
Hey, rum is the reason pirates never ruled the world

Dad Joke CCCLVII

What do you name a dyslexic roman?

Ramon. 

LOL

 

Stolen from B at In The Middle Of The Right, who has some good advice about this.

Dad Joke CCCLVI

Four Norse gods, one Roman god, and two astronomical bodies walk into a bar.

The bartender says Oh, this will be a week joke. 

 

UK.GOV to US Tech Companies: Put an encryption backdoor in your stuff

US.GOV to UK.GOV: Get lost, punk:

The Home Office's war on encryption – its most technically complex and controversial aspect of modern policymaking yet – is starting to look like battlefield failure after more than ten years of skirmishes.

First tabled by former prime minister David Cameron in 2015 following a terrorist shooting at the offices of French satirical magazine Charlie Hebdo, vague wording alluded to a potential ban in the Investigatory Powers Act 2016.

...

However, it seems Home Office staff are now coming to terms with the fact that the Trump administration will block any attempt to further strongarm Amercia's tech companies.


Insiders told the Financial Times, speaking on condition of anonymity, that the Trump administration's disapproval of the UK's plans, which the president has previously likened to Chinese-style policymaking, is the main obstacle in achieving its encryption-busting ambitions.

Being compared to Red China* has got to hurt.  But you know how not to get compared to Red China?  Don't act like Red China. 

Remember, Government mandated encryption backdoors are a bad idea.   Really.

* I only use the term to bother the Right Sort of people.

CMP Update

The Civilian Marksmanship Program has dropped their price on M1917 Enfields from $1000 to $900. 

When Tom Lehrer pranked NSA

LOL. 

I thought that song was hilarious.  You can listen to it here. Remember to always call it please "research" ...

Cybersecurity jobs in decline?

I've posted often about how to pursue a career in computer security, so often in fact that there is a post category for it.  But there are signs of decline in the field:

"During COVID, there was huge hiring. Then after that, the companies said 'Oh my gosh, we have too many people. We need to do some downsizing.' And what happened then was a lot of very talented tech people were laid off and began flooding the market in all sorts of areas and began trying to reposition themselves."

...

AI agents now routinely make decisions about a person's resume and many applicants lack the skills to game such software and bag an interview.

There's also the problem of ghost jobs bedeviling recruitment websites, she added. The majority of HR people surveyed in multiple studies report filing job adverts for positions that don't exist. Reasons vary from trying to give the impression a business is growing to both insiders and onlookers, and to motivate staff to work harder because "they think they are replaceable."

This is likely a sign that the industry is maturing.

New Viking site discovered in Canada?

If true, this is really cool:

ARCHAEOLOGISTS have used satellite imagery to identify a site in Newfoundland that could be the first new Viking site discovered in North America in over 50 years.

Satellite imagery, magnetometer surveys, and a preliminary excavation of the site at Point Rosee in southern Newfoundland last year could point to a potentially fascinating discovery.

...

Archeologist Sarah Parcak of the University of Alabama, Birmingham, used high-resolution satellite imagery to spot ruins as small as 11 inches buried below the surface, according to NOVA. Satellites positioned around 478 miles above the Earth enabled Parcak and her team to scan a vast section of America and Canada’s eastern seaboard.

The satellite images, two magnetometer surveys, and preliminary excavations suggest “sub-surface rectilinear features,” according to the experts, who also identified possible evidence of ironworking in the form of roasted iron ore. Radiocarbon technology has dated the site to between 800 and 1300AD.

Excavations are required to confirm the discovery, so we will have to wait and see. Still, we've known for a long time that Vikings were on that island during that time.

Interestingly, The Queen Of The World was born not 40 miles from Point Rosse when her father was stationed at the Air Force Base on Stephenville.

Are we winning the security war?

I was not really expecting this:

The surprising conclusion: there’s a long way to go, but we’re doing better than we think. There are substantial improvements across threat operations, threat ecosystem and organizations, and software vulnerabilities. Unfortunately, we’re still not seeing increases in consequence. And since cost imposition is leading to a survival-of-the-fittest contest, we’re stuck with perhaps fewer but fiercer predators. 

Something that feels different from 10 years ago is a much greater focus on security compliance: SOC2, ISO 27xxx, etc.  There's a lot more of this than there used to be, and this absolutely will help shut out the ankle biters and larval stage Bad Guys.  A second order effect of this is that the lack of success for these types will encourage some of them to drop out of the hacking biz.

Of course, SOC2 won't really help much with the top predators, but I've said for a long long time that you are unlikely to be able to secure yourself from the KGB (OK, OK, FSB). 

But all in all, this was unexpected good news. 

Summer security happenings

The Register has a good article on the security conferences going on in Las Vegas right now: Black Hat, B-Sides, and DEFCON.  The article is very accessible for non-security gurus and gives a really good flavor of what's what in the security research community.

Full Disclosure: I was fingered by SumD00d in the DEFCON "Spot the Fed" contest way back in (IIRC) 2006 when I was at Big Tech Company.  I wasn't a Fed, but the experience was fun enough to be memorable.

If you are at least casually interested in what's happening in the Security community, this is a good 5 minute read. 

Rodgers and Hammerstein - Edelweiss from The Sound of Music

The Sound of Music was an enormous commercial success, not only winning hte best picture Oscar but becoming the highest grossing film of all time for a number of years.

The film has an interesting pedigree.  Maria von Trapp (the person played by Julie Andrews in the film) wrote the story which was originally turned into a pair of films in West Germany (The Trapp Family and The Trapp Family in America) which were the most successful films in West German history.  The story became a very successful stage musical before being filmed.

This song was added almost as an afterthought to the musical.  It was written to sound like an old Austrian folk song but was entirely new.  It was the last song that Rodgers and Hammerstein wrote together before Hammerstein died from stomach cancer.  It fooled people all over the world: one Austrian gentleman once told Rodgers that he loved the song in the film but of course had learned the lyrics in the original German.

This scene reminds me of the "battle of the anthems" scene in Casablanca, although much more understated.  The audience singing along was a great big middle finger to the Nazis.

One final bit of trivia about this song: The Queen Of The World plays this on her ukulele.  She's really good.

More on Tom Lehrer

The Register (as reigning Nerd-Central) has a really interesting post up about Lehrer's life and music including the NSA, Jello shots, and not one but two Royal Family mentions.  Pretty cool.

Dad Joke CCCLV

Stephen emails a dad joke appropriate for the Florida summer weather:

I saw where the meteorologist who invented the ‘feels like’ temperature had passed away. He was 80… but felt like 94. 

Actually, 80/94 would be a big improvement on the current 96/119 (!).  Florida, amirite? 

 

Update: 

Here's what it "feels like" to walk out into the southern sun at midday. 

 

Sig P320

This has been an ongoing problem for some time and Sig has failed to get out in front of it, but now it's reached the tipping point for Sig. The recent death of a U.S. Air Force Airman who was shot by his own, holstered pistol finally did it. The Air Force has shelved them pending the outcome of the investigation. Clubs and ranges across the country are voting to ban them.

There's a lot of discussion of what the issue may be and a strong, if fading, pushback from Sig and the Sig community. I don't know if anyone exactly knows what the issue is, although there are some theories that make a lot of sense.

In the meantime, if you own a P320, it might be time to put it in the safe until this is resolved. 

Here's Wyoming Gun Project's video on the subject, followed by Brandon Herrera with some commentary and a lot of savage memes.