Road Trip II -- Scott City, Kansas

 This story starts with water. A reliable year round stream that over millennia cut a canyon in western Kansas. The water attracted game of all sorts and the combination attracted people. The canyon is the site of the northernmost Pueblo settlement ever discovered. Later it was home to the Apache and the last battle between native tribes and the U.S. Army in Kansas was fought here. By the 1880s, Herbert Steele and his wife had homesteaded the area. 

The Steeles donated the first part of the land for use as a park in 1928. A dam was built the following year creating the lake that exists today. Historic Lake Scott State Park was developed over the following decades. There is the battle site, the sandstone home of the Steeles, the Pueblo ruins, swimming, fishing, hiking and mountain bike trails, and a visitor center.

 In the visitor center we learned that there was a museum in the nearby town of Scott City. Since we needed groceries and a laundromat, we went to town. Scott City has a population of about 4,000. Like so many of the cities across the west, it is a railroad town. It's just big enough to still have some businesses and it seemed to be thriving.

We did our laundry and went to the El Quartelejo Museum. There's an artist's gallery, rooms dedicated to the eras in local history, and something else. As you enter, there's a large room filled with tables, a full kitchen, one table with a jigsaw puzzle to work on, a social space. On a weekday afternoon there were a dozen, mostly older, people sitting in small groups engaged in conversation. We were the outliers, tourists in the off season.

We toured the exhibits, but as we came back out we were engaged by a couple of ladies, The usual questions, where you from, where you going, where you staying? We asked about the town, who they were, and they told us in turn. Then they asked if we had eaten lunch and they told us this story. 

There's a local place, called Mom and Pop's Burger Stop. (That link is Facebook, but it's what they are using for a website.) Several months before, they had a kitchen fire, destroyed the inside of the building. They rebuilt. But they didn't rebuild alone. People from the community did fundraisers to help the staff with expenses. People volunteered time and skills to clean, hang sheet rock, paint. The reopening had been a couple of days before and we should go eat there.

 

 I recommend the buffalo burger.

But I recommend the people even more. The back room is occasionally used by a local organization called Scott City Feathers and Lead for hunter safety classes. There are watch parties for the local high school football games. (Go Beavers!) They donate proceeds to do everything from help with food needs to paying funeral expenses. The people we met that day were just doing what seemed to be right. A community, alive and well. 

Scott City. A little place on the far western side of Kansas.

Being raised in the very rural parts of Kansas led me to believe that everything was simple, everything made sense and that anything was possible.

--Chely Wright 

A view into Old America and thoughts on Veteran's Day

It is the Soldier, not the minister
Who has given us freedom of religion.
It is the Soldier, not the reporter
Who has given us freedom of the press.
It is the Soldier, not the poet
Who has given us freedom of speech.
It is the Soldier, not the campus organizer
Who has given us freedom to protest.
It is the Soldier, not the lawyer
Who has given us the right to a fair trial.
It is the Soldier, not the politician
Who has given us the right to vote.
It is the Soldier who salutes the flag,
Who serves beneath the flag,
And whose coffin is draped by the flag,
Who gives the protester the right he abuses to burn the flag.

― Father Dennis O'Brien, USMC 

Today is Veteran's Day in the United States, a day where we recognize what veterans have done for this nation, and for the world.  In other countries it's a day of sadness, reflecting on the loss of those young men and women who served in Flander's Fields and other places.  Here, we we reflect on this on Memorial Day in May - originally called Decoration Day after the War Between The States, and chosen in May because there were flowers in bloom everywhere, suitable for decorating the graves of the loved and lost.

But today we recognize the accomplishments of veterans, living and dead.  This video popped up in my video feed, and while at times sounding a bit propogandistic, it seems to me to be (as the Mythbusters used to say), plausible.

How Americans introduced WWII German POWs to Thanksgiving dinner. 

I say plausible because while I haven't verified any of the claims in the video, I've posted before about LTC Gail Halvorsen:

He was a kid who liked to fly, joining the Civil Air Patrol in 1942 and then the brand new US Air Force when he was old enough to sign up.  He missed World War II because of his age but found himself in the left hand seat of a C-54 in Germany, 1948.  That's when Stalin cut Berlin off from the Free World and the Berlin Airlift started.

[Then] Lt. Halvorsen was at Tempelhof Airport one day when he saw some kids standing on the other side of a chain link fence.  They told him not to worry if the weather was bad and he couldn't bring in food.  You see, they said, they could live on very little food but if they lost their freedom they thought they would never get it back.  Smart kids.

Halvorsen wanted to do something for them and told them that he'd drop some gum from his plane.  They'd know it was him because he'd wiggle his wings.  He and his co-pilot pooled their candy rations for the next day's flight.  Because it was heavy, they made little parachutes out of handkerchiefs.

...

They called him the "Candy Bomber" and when the word got to the Press it became a sensation back in the States.  School children and candy manufacturers donated candy for the children of Berlin.  In just a few months Lt. Halvorsen couldn't keep up with all the candy and handkerchief parachutes that were arriving in the mail.  Pretty much everyone in his unit was now a Rosienbomber (as the German kids called them - "Raisin Bomber".  Halvorsen himself was known as "Uncle Wiggly Wings" because of his signal that he was about to drop sweets.

Operation "Little Vittles" dropped 23 tons of candy in a quarter million handkerchief parachute loads.  Halvorsen was awarded the Großes Bundesverdienstkreuz, Germany's highest award.

Like I said, plausible.  American veterans came from the pool of American citizians, and pretty much returned to that pool of Americaness.  One of the seldom considered accomplishments of the Greatest Generation was not just that they won the war, but that they won the peace afterwords.  At least with Western Europe, although post-1992 it seems like Eastern Europe as well.

They did it because they were Americans.  Yes, they could afford to be generous to the defeated, but they did it more or less unconsciously because that was who they were.  In my mind, this was the greatest hour of American veterans, and the Americans who stood behind them. 

And so while this is a day of sadness overseas, let me be the first to wish you a happy Veteran's Day.  Thanks to all who served, including Grandpa, Dad, Uncle Dick, nephew Daniel, The Queen Of The World's son, our Son-In-Law (just retiring from the Navy), and last but by no means least our very own ASM826. The citizens - of whom you were once part and to which you returned - are proud indeed that of the members of its own Armed Forces.

England's hidden WWII beach pillbox

Things looked bleak for Great Britain in 1940.  France had fallen and even with the "Miracle of Dunkirk" the British Army didn't really have the hardware to fight the Nazi war machine.  All that stood between them and Hitler was the Royal Navy and the Royal Air Force, but everyone expected an invasion at any time.

And so a whole bunch of pillboxes were built on likely landing beaches.  The problem, of course, is that a pillbox looks like, well, a pillbox, and the Luftwaffe would target them as a matter of course.

And so the Brits built a disguised one. 

It looked like an old ruined cottage but was newly built from reinforced concrete with gun ports instead of windows.  Pretty cool.  And what's also cool is that it's Grade II listed as a historic building.

Bohuslav Martinů - Thunderbolt P-47

Via a wikiwander, I ran across this fabulously strange classical music tip o' the hat to the Republic P-47 Thunderbolt.  No joke.

Bohuslav Martinů was a Czech composer who like many others fled to the United States to escape the Nazis.  While there, he wrote this in tribute to what was America's finest fighter-bomber and the role it played to free his people.

Road Trip I - First, A Little Background

The map in the last post shows all but two of our camping stops. I made that with Mapquest and they have a limit of 26 (A-Z) stops on any planning map. So there's a couple of stops in the long straight stretches that I took out so I could show the main loop.

Two of the stops are to visit family, although we did stay in a campground at one of them.  

This is the second long trip we have made. Two years ago we made a trip of similar distance and time. That was on different roads with different destinations. The planning for this trip was deliberately structured to take us to new locations. For example, this trip went to the Michigan UP and out across the northern states. The previous trip included Utah, Arizona, New Mexico, and Texas. Some of the upcoming posts will likely be from the first trip as well.

Our route was roughly planned and the parks were picked months in advance. We went out in August, when parks are busy, and had to make our reservations through Labor Day at a minimum. Later in the trip we were in more remote areas, with parks mostly empty, and we were free to roam. We carried a paper atlas in addition to having the internet. Looking at the larger map of a state gives a perspective that a set of directions in a phone or GPS lacks. We went out to see something of America, to not try to rush anywhere, and to explore as deeply as possible the places we happened to choose.

Wherever you go, however long you stay on the road, you only see a minuscule fraction of the country. For every road you take, there are hundreds you do not. For every town you stop in, there are thousands you drive past. For every park you choose to camp in, there are dozens you didn't visit. If you pick a trail to hike or ride, the rest of the park remains unexplored. When you are in a town, if you pick an old diner for lunch, you didn't visit every other restaurant you might have chosen.

We ate out rarely, it was scarcely any harder to cook in the campsites than it is at home. The camper has a microwave/convection oven, a two burner stove, a small fridge and a sink. In addition, I have a Coleman stove to cook outside with and there are always grills available.

America has an amazing state park system. Every park we visited was a gem. 

My next post is going to start in the middle of the trip, in the middle of the country. It was while we were exploring the nearby town on our first trip that I began paying attention to how much of America is still out there. It's going to start with a little place called "Mom and Pop's Burger Stop".

 

As We Remember It

We have just returned from a two month, seven thousand mile, road trip across America.

 We traveled on two lane roads as much as possible, avoiding interstates, and made a point of stopping and exploring small towns and cities along with the parks we were camping in. Our transportation was a mid-size pickup pulling an eighteen foot mini RV.

 We stayed in state parks almost every place we stopped. Our routine was to travel no more than three hundred miles at a time and to stay at least two nights at every park. This gave us time to stop when something seemed interesting and a full day to unhook the camper and go exploring the local area.

We went looking and what we found was that America is still there.

This is the first in a series of posts on our adventure. 

 For any American who had the great and priceless privilege of being raised in a small town there always remains with him nostalgic memories... And the older he grows the more he senses what he owed to the simple honesty and neighborliness, the integrity that he saw all around him in those days. 

          Dwight D. Eisenhower

Skynet has arrived

Um, I've seen this movie:

Nation-state goons and cybercrime rings are experimenting with Gemini to develop a "Thinking Robot" malware module that can rewrite its own code to avoid detection, and build an AI agent that tracks enemies' behavior, according to Google Threat Intelligence Group.

In its most recent AI Threat Tracker, published Wednesday, the Chocolate Factory says it observed a shift in adversarial behavior over the past year. 

Attackers are no longer just using Gemini for productivity gains - things like translating and tailoring phishing lures, looking up information about surveillance targets, using AI for tech support, and writing some software scripts. They are also trialing AI-enabled malware in their operations, we're told. 

It seems that the Bad Guys are using all the old malware tricks (obfuscation, hidden files, etc) plus some new ones (sending commands via LLM prompts, i.e. the malware queries (prompts) other LLMs to get commands.

The security model for AI/LLM is hopelessly broken, and the design is defective.  I mean heck - the designers didn't consider two decade old attack techniques.  I don't know if it's correct to label this broken as designed but it's not far off.  This is software engineering malpractice.

I can't wait to see what happens with this and one of Elon's humanoid robots ... 

Back Soon

Chasing Ghosts.  And Ghosts I don't want to catch.

Damn Ghosts. 

I would have throught that German IT Security teams would be more competent than this

I was not expecting this:

Germany's infosec office (BSI) is sounding the alarm after finding that 92 percent of the nation's Exchange boxes are still running out-of-support software, a fortnight after Microsoft axed versions 2016 and 2019.

While the end of Windows 10 updates occupied most of the headlines, Microsoft's support for Exchange and a bunch of other 2016 and 2019-branded products ended on October 14, as scheduled a year earlier.

Alternate title: 90% of German firms fail their SOC 2 audit.  Look, this isn't landing a man on the moon, and you had a whole year.  You just couldn't be bothered.

Was ist los? 

 

AI Browsers considered unsafe

OK, that post title is more than a bit inflammatory, but who on earth would want to use something like this?

Several new AI browsers, including OpenAI's Atlas, offer the ability to take actions on the user's behalf, such as opening web pages or even shopping. But these added capabilities create new attack vectors, particularly prompt injection.

Prompt injection occurs when something causes text that the user didn't write to become commands for an AI bot. Direct prompt injection happens when unwanted text gets entered at the point of prompt input, while indirect injection happens when content, such as a web page or PDF that the bot has been asked to summarize, contains hidden commands that AI then follows as if the user had entered them.

This is unbelievably bad.  How bad?  This bad: 

Last week, researchers at Brave browser published a report detailing indirect prompt injection vulns they found in the Comet and Fellou browsers. For Comet, the testers added instructions as unreadable text inside an image on a web page, and for Fellou they simply wrote the instructions into the text of a web page.

When the browsers were asked to summarize these pages – something a user might do – they followed the instructions by opening Gmail, grabbing the subject line of the user's most recent email message, and then appending that data as the query string of another URL to a website that the researchers controlled. If the website were run by crims, they'd be able to collect user data with it.

Surely they must be exaggerating, I hear you say.  Nope - the author of the post at El Reg recreated the exploit his very own self, simply by creating a web page with the commands hidden in it.  FYI, that's 1996 technology right there.

Now look, I may be an old crabby security geezer (no comments, Glen Filthie!) but the problem of sanitizing user input is a really old one.  So old that it was old when XKCD did it's classic "Bobby Tables" cartoon:

There have been over 3000 XKCD cartoons; that one was number 327.  Yeah, that long ago. 

My opinion about anything regarding AI is that the hype is so fierce that the people developing the applications don't really focus much on security, because security is hard and it would slow down the release cadence.  And so exploits that wouldn't have surprised anyone back in 2010 keep popping up.

Le sigh.  Once again, security isn't an afterthought, it wasn't thought of at all.  My recommendation is not to touch these turkeys with a 100' pole.

AI LLM poisoning attacks are trivially easy

This doesn't seem good:

Poisoning AI models might be way easier than previously thought if an Anthropic study is anything to go on. 

Researchers at the US AI firm, working with the UK AI Security Institute, Alan Turing Institute, and other academic institutions, said today that it takes only 250 specially crafted documents to force a generative AI model to spit out gibberish when presented with a certain trigger phrase. 

For those unfamiliar with AI poisoning, it's an attack that relies on introducing malicious information into AI training datasets that convinces them to return, say, faulty code snippets or exfiltrate sensitive data.

The common assumption about poisoning attacks, Anthropic noted, was that an attacker had to control a certain percentage of model training data in order to make a poisoning attack successful, but their trials show that's not the case in the slightest - at least for one particular kind of attack. 

...

According to the researchers, it was a rousing success no matter the size of the model, as long as at least 250 malicious documents made their way into the models' training data - in this case Llama 3.1, GPT 3.5-Turbo, and open-source Pythia models. 

Security companies using AI to generate security code need to pay close attention to this.  Probably everybody else, too.

UPDATE 23 OCTOBER 2025 13:08:  More here. It looks like solutions may prove elusive. 

Earth has some solar system stalkers

Well, they're sure acting like stalkers:

You might recall that in late 2024, Earth gained a temporary mini-moon, an asteroid that partially orbited our planet for about two months. Now astronomers have discovered another temporary companion to Earth, but this time it’s a quasi-moon. The Pan-STARRS observatory on Haleakala in Hawaii first spotted the quasi-moon, named 2025 PN7, on August 29, 2025. Older data revealed that 2025 PN7 has been in this particular orbit for about 60 years and will stay in this orbit for about another 60 years before the tug of the sun once again releases it from its quasi-moon status.

Huh.

Dad Joke CCCLXIIII

Tuna sends in another:

I went to a haunted Bed & Breakfast in France, but checked out early- the place was giving me the crepes. 

Mmmm, Ghost crepes!

Underwater archaeology recovers WWII airman's body

This is from a few years back but is a cool story.  Rest in Peace, Lieutenant.  

Recommended Reading: Empire of the Summer Moon

The most Bad Ass Indian tribe in the old west was not the Lakota that did in the 7th Cavalry, but rather the Comanche.  S. C. Gwynne tells their tale well in The Empire Of The Summer Moon.

Essentially they were ferocious and highly mobile guerillas who thought nothing of raiding a thousand miles (from Kansas into Mexico), often - maybe usually - riding at night by the light of the moon.

To this day a summertime full moon is often referred to (at least in Texas) as a "Comanche Moon).  In fact, that was the title of a miniseries set in the old west not so very long ago. 

The book does a great job describing the rise of the Comanche from obscure beginning to their domination of the central Great Plains.  They were the best horsemen in North America and the masters of the hit-and-run.  They put so much pressure on settled tribes (not to mention Spanish colonists) that they essentially stopped Spanish advancement north of the Rio Grande.  The book makes the case that the Mexican government invited the Americans into Texas to act as a buffer between Mexico and the Comanches.  The Texas border with them was bloody and settlement was slow.

The end of the Civil War and the introduction of repeating firearms (and light horse artillery), combined with the slaughter of the bison herds was a problem that the Comanches could never solve.  Even so, Kit Carson admitted that their chief Quanah Parker (son of a kidnapped Texas girl who went native in the tribe)  almost wiped out his entire command.  The second half of the book is Quanah's story, from the greatest war chief of the Plains to the Reservation, and ultimately to his unlikely friendship with Teddy Roosevelt.

Highly, highly recommended. 

The book left out what I think is perhaps the most unlikely Comanche story, that of David Pendleton Okenhater. Born as O-kun-ha-tuh (Making Medicine) in the 1840s, he was in the thick of the Comanche wars of the 1860s - he was with Quanah at the Second Battle of Adobe Walls.  In prison at Ft. Marion in Florida in the 1870s he ended up as First Sergeant of the prisoners (really!) and was noticed by Capt. Pratt for the art he was creating (really!).  Pratt encouraged his art career and one of his pieces came into the collection of Mrs. Alice Key Pendleton, wife of a Senator from Ohio (really!).  The Pendletons paid for Okenhater to be sent to live at St. Paul's Episcopal Church in New York.   He took their name out of respect and gratitude.

He was baptized there in 1878 and ordained a deacon in 1881.  As a Deacon he was sent essentially as a missionary back to the Cheyenne.  He lived out his life as a Deacon and a Cheyenne Chief until his death in 1931.  That was a long way from a taker of scalps.  A long way.

In 1985, the Episcopal Church declared David Pendleton Okenhater a saint.  His feast day is September 1.  That's quite some Medicine for O-Kun-Ha-Tuh to make.

Predictions for AI security

This is interesting even if it follows what we've seen for all security technologies since, well, forever:

Basically whoever can see the most about the target, and can hold that picture in their mind the best, will be best at finding the vulnerabilities the fastest and taking advantage of them. Or, as the defender, applying patches or mitigations the fastest.

And if you’re on the inside you know what the applications do. You know what’s important and what isn’t. And you can use all that internal knowledge to fix things—hopefully before the baddies take advantage.

summary and prediction

1. Attackers will have the advantage for 3-5 years. For less-advanced defender teams, this will take much longer.
2. After that point, AI/SPQA will have the additional internal context to give Defenders the advantage.  

 So basically it will be a shooting gallery for now with sanity restored later.  I'm somewhat optimistic of AI as a back-end tool (i.e. no user input) to run a set of interesting but more or less canned queries.  User input sanitization issues basically disappear at that point.

(via) 

Remember about all that Voice mail spam?

I posted about it a while back.   Lawrence has been following this and has an update linking it to China:

Well, as suspected, it was China’s.

This was in fact my first thought: Smells like a State Actor.

Having thought about it, I suspect it is linked to the PRC, but "outsourced" to US-based Bad Guys.  This seems a business (selling infrastructure to send out floods of voice mail spam).  It looks like the guys who ran this also let people swat folks they didn't like.  In fact, this is how they got caught because one of the victims was a Congressman.

And so a lack of Opsec led to compromise of the whole system.  Cry me a river.

And Lawrence has a great suggestion:

If theses SIM farms are active, there should be ways for telecomms to algorithmically search for mobile call hotspots where too many calls issue from too small an area. Let’s hope they’re doing that and working with various U.S. three letter agencies to shut them down right now. 

Endorsed. 

Dad Joke CCCLXIII

The guy who invented the Ferris Wheel never met the man who invented the Merry-go-round.  They ran in different circles. 

I'm back

The Queen Of The World and I are back from our Son-In-Law's retirement from the US Navy.

25 years, ending as a Senior Chief.  He would have made Master Chief but would have had to have another sea duty, and Abby finally put her foot down.  I don't know that I blame her. 

I must say based on the other Senior and Master Chiefs I met there that these senior NCOs are absolutely the backbone of the fleet.

Bravo Zulu, Steve! 

G'mar tov

The Day of Atonement is a day for reflection.  This is good for all of us, Tribe or not. 

To our Jewish readers, Shanna tovah. 

Dad Joke CCCLXII

Tuna sends in another one.  It looks like he's doing all my blogging now:

I was rejected for a job at the sunscreen factory. They said to just reapply every 4 hours.

Attacking AI via prompt manipulation

This is actually pretty clever:

The attack involves hiding prompt instructions in a pdf file—white text on a white background—that tell the LLM to collect confidential data and then send it to the attackers.

...

The fundamental problem is that the LLM can’t differentiate between authorized commands and untrusted data. So when it encounters that malicious pdf, it just executes the embedded commands. And since it has (1) access to private data, and (2) the ability to communicate externally, it can fulfill the attacker’s requests. I’ll repeat myself:

This kind of thing should make everybody stop and really think before deploying any AI agents. We simply don’t know to defend against these attacks. We have zero agentic AI systems that are secure against these attacks. Any AI that is working in an adversarial environment­—and by this I mean that it may encounter untrusted training data or input­—is vulnerable to prompt injection. It’s an existential problem that, near as I can tell, most people developing these technologies are just pretending isn’t there.

Essentially, this means that AI is simply not fit for purpose.  And clearly, it's not even a little bit "intelligent", security-wise.  

Where all your phone spam comes from

Lawrence points to an interesting "datacenter":

This seems like a story that should have gotten a lot more attention than it has. “Secret Service Dismantles Weaponized SIM Farms Designed To ‘Shut Down’ NYC Cell Networks.”

Hours before President Donald Trump’s address to the United Nations General Assembly, the U.S. Secret Service announced that it had dismantled a massive, decentralized SIM farm network, just 35 miles from New York City, hidden inside five abandoned apartment buildings. The telecommunications stealth weapon was capable of paralyzing regional cell networks through denial-of-service attacks.

My first instinct was that this was a State Actor prepping some sort of cyber attack.  Now I think it's a Phone Spam datacenter:

SIM farms allow “bulk messaging at a speed and volume that would be impossible for an individual user,” one telecoms industry source, who asked not to be named due to the sensitivity of the Secret Service’s investigation, told WIRED. “The technology behind these farms makes them highly flexible—SIMs can be rotated to bypass detection systems, traffic can be geographically masked, and accounts can be made to look like they’re coming from genuine users.” 

Bastards.  95% of all the calls I get are along the lines of "You have been pre-approved ...".  I don't even answer a call where I don't recognize the number anymore.

Dad Joke CCCLXI

Tuna sends in another one:

My card got declined at the Sweater Store. They had to run my cardigan. 

No word yet from Glen Filthie ... 

Clouds In Space!

Well, this is the 21st Century after all:

Axiom Space and Spacebilt have announced plans to add optically interconnected Orbital Data Center (ODC) infrastructure to the International Space Station (ISS).

The company plans to launch two Axiom Orbital Data Center (AxODC) Nodes by the end of 2025, with at least three running by the end of 2027. It all sounds very exciting until you consider that Axiom Data Center Unit One (AxDCU-1), which eventually launched to the ISS in August, was a prototype that was roughly the size of a shoebox.

AxDCU-1 is more of a demonstrator to show that the concept works – think of an edge device on-orbit that can host hybrid cloud and applications, as well as cloud-native workloads. The AxODC Nodes are altogether more serious beasts. In addition to being interconnected, the hardware will be supported by an Optical Communication Terminal (OCT), allowing service to be provided to any spacecraft or satellite equipped with compatible OCTs.

So Cloud Computing for spacecraft.  It will be interesting to see where this goes, and how they handle the power demands of an orbiting data center. 

 

Happy Hobbit Day!

Why yes - I am a nerd.  Why did you ask? 

In Memoriam Charlie Kirk

Charlie Kirk gets laid to rest today.  He was a man of faith who always reached out to the greater crowd.  I like to think that he would think that this song speaks to how he lived his life.

Rest in peace. 

Apple or Android for security?

Glen Filthie left a comment asking what I like for vendors providing good phone security. I replied:

I think that Apple is much more serious about their customer's privacy than Google is. Apple has repeatedly told governments to get bent when they demand encryption backdoors; Google seemingly couldn't care less.

Also, I think that Apple's update model is superior (it certainly was just a few years ago; I don't get the sense that this is a big area of concern to Google).

Your mileage may vary, void where prohibited, do not remove tag under penalty of law.

And here's an example of how Apple's update model is superior:

Samsung has fixed a critical flaw that affects its Android devices - but not before attackers found and exploited the bug, which could allow remote code execution on affected devices.

The vulnerability, tracked as CVE-2025-21043, affects Android OS versions 13, 14, 15, and 16. It's due to an out-of-bounds write vulnerability in libimagecodec.quram.so, a parsing library used to process image formats on Samsung devices, which remote attackers can abuse to execute malicious code.

"Samsung was notified that an exploit for this issue has existed in the wild," the electronics giant noted in its September security update.

Note that you get this patch from Samsung, not Google.  Samsung is the phone handset manufacturer, and has customized the (Google supplied) Android OS so they rolled the patch.  Now customizing the OS isn't bad per se, but it's fair to ask who has a better security group: Apple or Samsung.  Same question for Motorola and all the Android phone vendors.

So I like my chances better with Apple, at least for security.  And notice that this is only looking at the patching cadence.  Apple has a history of standing up to governments who ask for encryption backdoors (by my count this is the US.gov, the UK.gov, and the EU.gov).  Each time, Apple told them not just "no" but "Hell, no".

Once again, your mileage may vary, void where prohibited, do not remove tag under penalty of law. But Glen did ask.

Hey, remember that Apple iOS fix last month?

It looks like the Bad Guys are attacking older devices as well:

Apple backported a fix to older iPhones and iPads for a serious bug it patched last month – but only after it may have been exploited in what the company calls "extremely sophisticated" attacks.

The latest security update, pushed on Monday, fixes an out-of-bounds write issue tracked as CVE-2025-43300 in the ImageIO framework, which Apple uses to allow applications to read and write image file formats. It's available for iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation, and the iThings maker on August 20 patched the same CVE in its newer devices.

Well done to Apple for this.  iPhone 8 was released a long time ago, but they're still supporting it with security fixes.  Bravo. 

Tagged with my Apple Sucks tag because this time they absolutely do not. 

 

Seen in the neighborhood

 

All I've ever seen before in this neighborhood are the usual run-of-the-mill printed campaign signs, and only during election season.

Something is different. 

A message to commenter "DTWND" (and people who think like him

I recently posted The Lamps Are Going Out All Over America.  For the two of you (likely including DTWND), the reference was to the beginning of World War I, when the politicians realized that the New World that they had created was basically everyone standing is a room filled with gasoline waving lit matches around.  We know how that turned out.

My post was not inflammatory; it was sad. Nonetheless, reader DTWND left the following comment:

Those of you on the right are really, REALY [sic] hoping that something in the shooter’s background will tie him to the leftist, liberal side of politics. Meanwhile, you’ll continue to deny and obfuscate the truth that this was one of your own. Just like the group that planned to kidnap Michigan’s governor Whitmer; the guy that shot and killed the two Minnesota legislators: the folks that marched in Charlottesville: the shootings at the LGBTQ nightclub in Orlando: the ‘peaceful demonstators’ [sic] at the Capitol on January 6th; etc.

I find it telling that all the former presidents, Democrats and Republican, issued messages of condolence, condemnation of the event, and calls to end political violence, while the current president condemned the violence but also expressed the point that those of the left persuasion need to under scrutiny and should not be trusted.

As Mr Kirk had stated, “Prove me wrong.”

Here is the pertinent part of my original post, and my replied to Mr. DTWND:

Who would have figured 24 years ago that society would be destroyed from within?

[Memes deleted]

If you don't know the people who don't understand that sentence, then they are the ones who you need to not know. 

Not particularly well said, but perfectly understandable.  And so you clearly failed on multiple levels: 

1. It sure as shootin' looks like the shooter was a leftist freak.  The 72 hour rule applies here, which you either ignored, didn't know, or skated past because you were angry.
2. It "wasn't one of our own", it was exactly what you'd expect from a rabid Left baying for the blood of conservatives.  See #1, above.  Nicely done, getting two own goals from the same ball, though.
3. The group that was going to kidnap Governor Crazy Eyes was led by a FBI asset.  Sorry you're so behind on this, but not really surprised.
4. The rest is IQ-90 level Leftist boilerplate.  Ashley Babbit would reply but could not be reached for comment, as she was shot in the back by a Capitor Hill police officer on January 6.  Some of us are aware on the rules for the use of Deadly Force; you clearly are not, but thought this was a winning argument for "conservative violence".  Dumbass. 
5. Former Presidents call for the end of political violence?  Gosh, why might this be hard to believe?
    
   
6. Most significantly, you (a) did not reply to the content of my original post and (b) chose to try to insult me and hijack my site for your absurd political dogma.

Fine, then - let it be so.  DTWND, go away and don't come back.  We don't need your thoughts polluting this site. You're banned.  Go hang out with your leftie assassins.

The lamps are going out all over America

Who would have figured 24 years ago that society would be destroyed from within?

If you don't know the people who don't understand that sentence, then they are the ones who you need to not know.

We Swore to Remember

Another declassified NSA Cryptanalysis doc

This one is from 1965 (i.e. it was classified for 60 years!) [PDF warning].

It's the output from a computer program (from 1965!) that takes an encrypted cypher stream and performs tricks of the trade like frequency analysis of each character and other statistical analysis.  The test was for the cryptanalyst to use this to identify which language was being enciphered.  Essentially, it was a training class for Secret Squirrels. 

Pretty cool in a very crypto geeky way.  It took me back to some training I had as a larval engineer as the class of new hires waited for their clearances to be approved.  I wasn't great at it (I was an electrical engineer, not a linguist).  The Queen Of The World eats this sort (cryptograms in the newspaper) of stuff for breakfast.

(via) 

War Department bans Chinese nationals from Cloud environments

This is an area that has needed reform for years:

The Pentagon will no longer allow Chinese nationals to support Department of Defense (DOD) cloud environments, Defense Secretary Pete Hegseth said in a video posted to X on Aug. 27.

Hegseth said the arrangement – part of a Microsoft program known as “Digital Escorts” – allowed coders from China, remotely supervised by U.S. contractors, to assist with sensitive DOD cloud systems. He called the setup an “unacceptable risk” to national security.

Well, yeah. 

Here's how the rules have been bent for years.  Initially what was mandated was that only U.S. Citizens could work in these environments.  After lots of complaints from tech companies (*cough* Jobs Americans won't do *cough*) this was changed to "US Persons".  This added both Green Card holders and H1-B Visa holders to the list of acceptable people allowed into the environments.

Fast forward a decade and Silicon Valley has so gamed the H1-B system that the US imports a huge number of foreign workers while laying off US citizens.  So the question is how much loyalty to the USA do these people have?

Green Card holders?  Probably a lot.

H1-B holders?  Dunno.

Chinese H1-B holders?  Per the SECDEF, they represent an overwhelming security risk. 

Like I said, this area has been ripe for reform for years.  We will see if this policy gets extended from the War Department for Fed.Gov in general. 

Dad Joke CCCLX

You've heard of Pop Tarts.  Why aren't there Mom Tarts?

Because of the Pastry-archy. 

How the USA won the Cold War

We did it by treated German POWs held in the USA well.  Not just the US Government, but the American people treated them well.  They had been told by the Nazis that America was weak, divided, and a mongrel race.  The POWs saw the American people and society with their own eyes and then went home after the war.

And then built modern Germany.

We came to America as enemies, as Nazis, as believers in a lie.  We left as friends, as democrats, as men who had seen the truth.   

Many of the POWs who were employed on Kansas farms corresponded for decades with the families who showed them friendship as POW workers.

Playback has been disabled for this video (from which I got the quote above), but I encourage every reader to go watch it.  If you don't - like I did - end up with watery eyes then we just cant be friends anymore.  And to those who think this video is a one-off, there are more.  So many more.  You can watch them at the link (from Youtube suggestions) or you can watch this: 

And a note to the Usual Suspects who fancy themselves as "Anti Nazi": this is what anti-Nazi is really about.  This is how you turn actual, you know - Nazis - into anti-Nazis.  It must really bust your chops to have Primary Sources telling you that your philosophy of life is full of shiest.  You Commie Bastards.

Oh, this will too (note the substitution of the word freiheit - freedom - for freunde -  I could translate for you but I wouldn't want to insult you; me, I think that Schiller would have approved of Bernstein's substitution at the fall of the Berlin Wall).

Things I don't understand, vol. MCCXVI

So an Irish chap (Graham Lineham) who is a resident of Arizona posted some stuff to Twitter.  And so the British authorities arrested him at Heathrow airport essentially for exercising his First Amendment rights in America.

So how is it possible that the Administration has not summoned His Magesty's Ambassador and given them 24 hours to free him and drop all charges?  Or. Else.

I really don't understand the political optics here.  Sure, sure - "all politics is local" and all that.  I understand why His Magesty's Government would be happy to stick a thumb in Trump's eye, but what's up with Trump?

I mean there's no domestic downside to bringing the hammer down - nobody here cares about Europe, everyone here loves free speech, everyone here hates the woke censors, and Trump has been going after the DEI (woke censor) brigade here on these shores.

How on earth is it possible that they are letting this golden opportunity slide?  I mean, it's not like the UK has made themselves our greatest ally over the last decade.  And it's not like Kier Starmer wouldn't fold like a house of cards over this. 

Dad Joke CCCLVIIII

Why aren't any boys born on Labor Day?

There's no male delivery. 

Google Play store filled with malware

Yesterday was Apple's turn, today it's Android:

Cloud security vendor Zscaler says customers of Google’s Play Store have downloaded more than 19 million instances of malware-laden apps that evaded the web giant’s security scans.

Zscaler’s ThreatLabz spotted and reported 77 apps containing malware, many of them purporting to be utilities or personalization tools.

Sneer all you want at Apple, they take security for iOS much more seriously than Google does for Android.

Zscaler noted that the software requires users to grant it elevated permissions before it can cause harm, but attackers are hiding it in legitimate-seeming apps to fool users, and the technique is obviously working.

Probably the best thing you can do is refuse permissions for new apps.  Heck, I don't even let most apps have access to location data.

And quite frankly, I don't have many apps installed.  That's probably the best way you can deal with this sort of nonsense.

iOS fanboys - update toute suite

OldNFO mentioned this earlier, but this bug in iOS is really bad juju: 

Apple warned that the flaw could let miscreants hijack devices with a booby-trapped image – and for some iDevice users, it sounds like the damage has already been done.

"Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals," Cupertino said.

Apple went on to explain that "processing a malicious image file may result in memory corruption," but didn't say what that could lead to.

This is pretty much the trifecta of badness:

1. The attack is delivered by a file that looks harmless (an image), so you start out with your guard being down.  Hey, just me gathering memes, amirite?
2. Active exploit in the wild means that the Bad Guys know how to use this, and in fact are.
3. Apple isn't saying what else this exploit can do, which is a sign that this is security badness of Biblical proportions.  Maybe I'm wrong here, but this smells of "there's more to the Rest Of The Story".

So when your iPhone/iPad/iWatch go to update, let them.  If they haven't updated, go do this manually right now.  You can do this my going to the Settings app - going to Settings -> Update will tell you if you are up to date, and will allow you to update if you are not.