The worst idea in history?

Earth laser

Or we could not

It could prove to be:

A pair of MIT researchers has proposed a radical method for making our presence known in the universe.

In a new feasibility study, the team says it could be possible to use laser technology as a beacon to attract the attention of alien astronomers, much like a planetary-scale porch light.

Using a laser focused through a huge telescope, the researchers say this ‘porch light’ could be seen from as far as 20,000 light-years away.

In a paper published in the Astrophysical Journal, the MIT team describes how a high-powered 1 to 2-megawatt laser could be aimed toward space through a 30 to 45-meter telescope to create a detectable beacon.

With this configuration, the infrared radiation from the system would be strong enough for an intelligent species to differentiate it from the sun.

Granted, this is just a feasibility study rather than an actual proposal.

I think Stephen Hawking had the right idea about contacting aliens:

“One day, we might receive a signal from a planet like this, but we should be wary of answering back,” he in the documentary, “Stephen Hawking’s Favourite Places.”

“Meeting an advanced civilization could be like Native Americans encountering Columbus. That didn’t turn out so well.”

He claimed alien life could be “rapacious marauders roaming the cosmos in search of resources to plunder, and planets to conquer and colonize.”

My concern would be catching the attention of an aggressive von Neumann probe launched by a xenophobic alien civilization. Such a probe would have a search and destroy mission to identify signs of intelligent life throughout the galaxy, and exterminate it. Aiming a giant laser beacon at space would be like announcing your position to the enemy. Sometimes you just need to lay low.

Is Bloomberg peddling fake news about Chinese hardware hacking?

Infosec hardware implants

The state of infosec right now (Credit: Colin O’Flynn)

The jury is still out, but this isn’t looking great for Bloomberg:

The veracity of a bombshell yarn claiming Chinese agents managed to sneak spy chips into Super Micro servers used by Amazon, Apple and the US government is still being fiercely argued over five days after publication. […]

Faced with such uncertainty, some are reaching for a unifying explanation: that Bloomberg was misled by some in the intelligence community that wish, for their own reasons, to raise the specter of Chinese interference in the global electronics supply chain. Bloomberg could be accurately reporting an intelligence misinformation campaign. […]

On the possible failure of adequate fact checking, earlier this week one of the security experts that Bloomberg spoke to in order to explain how the claimed spy chip would actually work, Joe Fitzpatrick, gave an interview to Aussie veteran infosec journalist Patrick Gray in which Fitzpatrick said he had told the Bloomberg spy-chip reporters of his doubts that it was feasible and that he was “uncomfortable” with the final article.

An NSA official is also pushing back:

Rob Joyce, Senior Advisor for Cybersecurity Strategy at the NSA, is the latest official to question the accuracy of Bloomberg Businessweek’s bombshell “The Big Hack” report about Chinese spies compromising the U.S. tech supply chain.

“I have pretty good understanding about what we’re worried about and what we’re working on from my position. I don’t see it,” said Joyce, speaking at a U.S. Chamber of Commerce cyber summit in Washington, D.C. today, according to a subscriber-only Politico report viewed by MacRumors.

“I’ve got all sorts of commercial industry freaking out and just losing their minds about this concern, and nobody’s found anything,” Joyce added.

Twitter user Hector Martin (@marcan42) had a fierce response to Bloomberg’s second story on the alleged Chinese hardware hacking:

Ah, I see, Bloomberg. So instead of a (partial) retraction of your at least half if not fully bullshit China implant story, you’re going to now publish *one guy’s* claim of Ethernet jack implants. When you had <5 days to check anything he provided.

Remember when a certain other security researcher was convinced his Ethernet jacks had implants? Remember all this “evidence”? How *we* knew it was BS? Now consider whether Bloomberg’s technically clueless journalists would know it’s BS.

Seriously, this is just pathetic now. They just went from “1 year and multiple sources” to “<5 days and one guy”. This is just negligence.

https://t.co/eReEXegOHZ

Why is it that every time something like this happens nobody has any hard documentation or analysis results? Ah yes, the best cop-out. “We don’t have it any more, we can’t give you more details”.

So now we have *software* detecting *analog* stuff like the “power consumption” of a *network*.

None of those words go together. At all.

Basically every Ethernet jack I’ve seen in anything but cheapo consumer routers/switches has been metal. How the hell is this an IOC?

Nevermind that… Ethernet jacks don’t have power pins. Where is this module (that uses so much power that it gets hot) magically powering itself from? Nobody runs PoE out to servers. Did they modify the board design to add power pins too?

Commenting on the above thread, Joe Fitzpatrick had this to say:

I was contacted and declined to give comment for this story. I explained this wasn’t the first time this year someone was making this claim.

@marcan42 has experience debunking claims of ‘backdoored’ ethernet jacks. Details in this story are almost identical to last time.

Sepio systems also shared a document with me yesterday. It had juicy details about rogue hardware.

It was a marketing 1-pager.

Whatever the truth of the  matter, Yossi Appleboum, the ex-Israeli intelligence guy cited in Bloomberg’s follow-up story, gets the last word:

We found it in different vendors, not just Supermicro. We found it not just in servers, in different variations, but hardware manipulation on different interfaces, mostly in network related. We found it in different devices connected to the network, even Ethernet switches. I am talking about really big what are considered to be major American brands, many compromised through the same method.

This is why I think that Supermicro has nothing to do with that. In many cases, by the way, it is not through manufacturing, it is after through the supply chain.

People think of the supply chain in a very narrow sense between the manufacturer and the customer. Supply chain never ends. There are technicians, there are integrators, there are people that work in your facilities. We have seen after installation, after the fact attacks where someone switched something already installed. This is why Supermicro would have no idea what happens later in the supply chain. […]

We have a problem. The problem is the hardware supply chain. All of us are dealing with what happened to Supermicro, and whether Amazon knew or did not know. That is not the main issue for me. The main issue is that we have a problem. It is global. This is why I think Supermicro is suffering from the big players. I am talking about the really big players who know that they have the same problem, and they are kind of using the story right now to throw Supermicro under the bus instead of coming out and saying that it is a global problem, let’s fix it and find a solution.

More evidence of massive Chinese hardware hack

Bloomberg has a new story out about China’s alleged tampering with the global hardware supply chain, revealing that an unnamed, major US telecom company discovered a malicious implant in a Supermicro server back in August. The source of the story seems credible (Bloomberg’s previous story on the Supermicro hacking did not name sources.)

If true, the scale of the potential damage from this hardware hacking is almost incomprehensible.

In the wake of Bloomberg’s reporting on the attack against Supermicro products, security experts say that teams around the world, from large banks and cloud computing providers to small research labs and startups, are analyzing their servers and other hardware for modifications, a stark change from normal practices. Their findings won’t necessarily be made public, since hardware manipulation is typically designed to access government and corporate secrets, rather than consumer data.

National security experts say a key problem is that, in a cybersecurity industry approaching $100 billion in revenue annually, very little of that has been spent on inspecting hardware for tampering. That’s allowed intelligence agencies around the world to work relatively unimpeded, with China holding a key advantage.

Brian Krebs has an insightful post about the issue on his security blog. Of particular interest:

The U.S. Government isn’t eager to admit it, but there has long been an unofficial inventory of tech components and vendors that are forbidden to buy from if you’re in charge of procuring products or services on behalf of the U.S. Government. Call it the “brown list, “black list,” “entity list” or what have you, but it’s basically an indelible index of companies that are on the permanent Shit List of Uncle Sam for having been caught pulling some kind of supply chain shenanigans.

More than a decade ago when I was a reporter with The Washington Post, I heard from an extremely well-placed source that one Chinese tech company had made it onto Uncle Sam’s entity list because they sold a custom hardware component for many Internet-enabled printers that secretly made a copy of every document or image sent to the printer and forwarded that to a server allegedly controlled by hackers aligned with the Chinese government.

And he identifies the crux of the issue:

Like it or not, the vast majority of electronics are made in China, and this is unlikely to change anytime soon. The central issue is that we don’t have any other choice right now. The reason is that by nearly all accounts it would be punishingly expensive to replicate that manufacturing process here in the United States. […]

Indeed, noted security expert Bruce Schneier calls supply-chain security “an insurmountably hard problem.”

The original Bloomberg piece, as he points out, also addresses what he calls “this elephant in the room.” Quote from that piece:

The problem under discussion wasn’t just technological. It spoke to decisions made decades ago to send advanced production work to Southeast Asia. In the intervening years, low-cost Chinese manufacturing had come to underpin the business models of many of America’s largest technology companies. Early on, Apple, for instance, made many of its most sophisticated electronics domestically. Then in 1992, it closed a state-of-the-art plant for motherboard and computer assembly in Fremont, Calif., and sent much of that work overseas.

Over the decades, the security of the supply chain became an article of faith despite repeated warnings by Western officials. A belief formed that China was unlikely to jeopardize its position as workshop to the world by letting its spies meddle in its factories.

As time goes on, the evidence mounts that offshoring advanced manufacturing to low-cost countries in Asia was an epochal blunder by the US. Now the US is abjectly dependent on a hardware supply chain that may be deeply compromised and there is no obvious way to fix or even detect its vulnerabilities. However, to call this “an insurmountably hard problem” is an exaggeration; it is merely staggeringly hard.

The solution would almost certainly have to involve moving a large amount of high-tech production back to the US. This would be terrifyingly expensive, but the US may not have a choice, and the economic benefits of creating all those new jobs and factories could be enormous.

Anything that has been offshored can be reshored. Anything that was invented in the US can be made in the US. If I’m wrong, please explain how.

Spy fail

Burn After Reading GRU

Suspected GRU operative

The GRU, what happened to you?

It must go down as one of the most embarrassing months ever for Russia’s military intelligence.

In the 30 days since Theresa May revealed the cover identities of the Salisbury poison suspects, the secretive GRU (now GU) has been publicly exposed by rival intelligence agencies and online sleuths, with an assist from Russia’s own president.

Despite attempts to stonewall public inquiry, the GRU’s dissection has been clinical. The agency has always had a reputation for daring, bolstered by its affiliation with special forces commando units and agents who have seen live combat.

But in dispatching agents to the Netherlands who could, just using Google, be easily exposed as graduates of an elite GRU academy, the agency appears reckless and absurdly sloppy.

In response to the surreal interview with the Skripal poisoning suspects, I wrote: “I thought Russian intelligence operatives were supposed to be smart? What is going on here?” It gets worse:

[…] And then came Thursday’s bombshell: four men outed by Dutch investigators for attempting to hack into the Organisation for the Prohibition of Chemical Weapons (as well as Malaysia’s investigation into a downed jetliner).

The alleged spies were caught carrying enough telephones to fill an electronics store. Moreover, like all meticulous Russians on a business trip, they held on to their taxi receipts from GRU headquarters.

At a glance, it’s hard to square such ridiculous incompetence with the idea that Putin and his operatives are crafty enough to destroy Western democracy. In any case, the GRU’s epic fails do seem to indicate the declining value of human intelligence in the age of the internet.

US hardware supply chain compromised by Chinese spies

Supermicro

Holy moly, this is huge. A unit of the People’s Liberation Army secretly inserted tiny, malicious microchips into motherboards that were manufactured in Chinese factories for the US-based company Supermicro. These motherboards were used in expensive servers supplied to Amazon, Apple, the Department of Defense, the CIA, and the US Navy, among others. From a Bloomberg Businessweek investigation:

During the ensuing top-secret probe, which remains open more than three years later, investigators determined that the chips allowed the attackers to create a stealth doorway into any network that included the altered machines. Multiple people familiar with the matter say investigators found that the chips had been inserted at factories run by manufacturing subcontractors in China.

This attack was something graver than the software-based incidents the world has grown accustomed to seeing. Hardware hacks are more difficult to pull off and potentially more devastating, promising the kind of long-term, stealth access that spy agencies are willing to invest millions of dollars and many years to get.

This is really bad.* Say goodbye to US reliance on Chinese components. It will take time to reorient the global supply chain, but the effort is already underway. This scandal, which has been known (of course) to the Obama and Trump administrations, will only strengthen the case for manufacturing sensitive technologies in the US.

[…] Over the decades, the security of the supply chain became an article of faith despite repeated warnings by Western officials. A belief formed that China was unlikely to jeopardize its position as workshop to the world by letting its spies meddle in its factories. That left the decision about where to build commercial systems resting largely on where capacity was greatest and cheapest. “You end up with a classic Satan’s bargain,” one former U.S. official says. “You can have less supply than you want and guarantee it’s secure, or you can have the supply you need, but there will be risk. Every organization has accepted the second proposition.”

In the meantime, Mike Pence accuses China of a host of sins including interfering in the US democratic process:

Vice President Mike Pence escalated Washington’s pressure campaign against Beijing on Thursday by accusing China of “malign” efforts to undermine President Donald Trump ahead of next month’s congressional elections and reckless military actions in the South China Sea.

In what was billed as a major policy address, Pence sought to build on Trump’s speech at the United Nations last week in which he alleged that China was trying to interfere in the pivotal Nov. 6 midterm elections. Neither Trump nor Pence provided hard evidence of Chinese meddling.

That’s not quite right, as Pence mentions, for example, the widely noted Chinese advertising supplement in Iowa. From the transcript:

And China is also directly appealing to the American voters. Last week, the Chinese government paid to have a multipage supplement inserted into the Des Moines Register –- the paper of record of the home state of our Ambassador to China, and a pivotal state in 2018 and 2020. The supplement, designed to look like the news articles, cast our trade policies as reckless and harmful to Iowans.

I pointed out this bit of propaganda on September 23, referencing a tweet by Bloomberg’s Jennifer Jacobs. Trump then tweeted about on September 26. Read my blog to see the future!

Pence also calls on Google to “immediately end development of the ‘Dragonfly’ app that will strengthen Communist Party censorship and compromise the privacy of Chinese customers.” More about Dragonfly here.

===

*Only fair to link to Supermicro’s response to the Bloomberg piece:

SAN JOSE, Calif., October 4, 2018 — Super Micro Computer, Inc. (SMCI), a global leader in enterprise computing, storage, networking solutions and green computing technology, strongly refutes reports that servers it sold to customers contained malicious microchips in the motherboards of those systems.

In an article today, it is alleged that Supermicro motherboards sold to certain customers contained malicious chips on its motherboards in 2015. Supermicro has never found any malicious chips, nor been informed by any customer that such chips have been found.

Each company mentioned in the article (Supermicro, Apple, Amazon and Elemental) has issued strong statements denying the claims […]

Google fails to not be evil

Google devil

“Google” by William Blake

Now we know why Google has scrubbed almost all mention of “Don’t be evil” from its code of conduct:

Google bosses have forced employees to delete a confidential memo circulating inside the company that revealed explosive details about a plan to launch a censored search engine in China, The Intercept has learned.

The memo, authored by a Google engineer who was asked to work on the project, disclosed that the search system, codenamed Dragonfly, would require users to log in to perform searches, track their location — and share the resulting history with a Chinese partner who would have “unilateral access” to the data. […]

The memo identifies at least 215 employees who appear to have been tasked with working full-time on Dragonfly, a number it says is “larger than many Google projects.” It says that source code associated with the project dates back to May 2017, and “many infrastructure parts predate” that. Moreover, screenshots of the app “show a project in a pretty advanced state,” the memo declares.

Most of the details about the project “have been secret from the start,” the memo says, adding that “after the existence of Dragonfly leaked, engineers working on the project were also quick to hide all of their code.”

It’s pretty simple, if you want to operate in China you have to play by the CPC’s rules. There is no way for Google to do that while successfully upholding the values it pretends to care about. Hence the secrecy.

The Internet of Dumbass Things (IoDT)

Big Brother Alexa is watching you

Writing in Forbes (a few years ago), Theo Priestley threw cold water on the “Internet of Things” craze:

This time last year Gartner said that by 2022 a typical family home, in a mature affluent market, could contain several hundred smart objects by 2022. Several hundred. […]

But if we examine the market as it is today apathy is rife because the current trend by OEM companies is to “stick a chip in it” in order to connect it to the internet, without any real value to the consumer. In fact, the only ones getting excited by the Internet of Things are the vendors.

Take Samsung’s offerings at the recent IFA exhibition. Samsung now have a new SmartThings hub to connect the many devices in your home. There were examples like;

  • The smart oven that waited for you to be on your way home before starting to heat your dinner.
  • The home that switched on lights as you approached.
  • Samsung also added a touch of personality to their SmartThings platform; you can start the morning by texting the app “good morning”, and your house will bid you farewell as you leave.

The immediate response to these was – Why ? (especially the last one!)

What software and hardware vendors fail to answer is why is their connected device necessary for a consumer to own and what value does it ultimately bring ? Consider the ‘smart oven’ above. It won’t actually prepare the food for you the night before. You have to do that. So the convenience is…. ?

I know of a family that has a cutting-edge Samsung microwave/oven combo that cannot even display the clock for more than 60 minutes at a time. Apparently, this is because the screen is actually a tablet computer that needs to sleep. In their disgust, the family has not even bothered to set the clock to the correct time. Also, as far as they can tell, the Wi-Fi connectivity is completely useless and adds no value to their cooking experience. In effect, then, their lavishly priced “smart” appliance is arguably rather stupid.

I thought of this when reading of Amazon’s latest efforts to create an omni-connected happy digital republic:

Amazon is using a surprise hardware event in Seattle today to introduce a bunch of new devices with its Alexa voice assistant built in.

Why it matters: Amazon is in a race with Google (and to a lesser degree Microsoft and Apple) to make its assistant as ubiquitous as possible.

So far, the company has announced, per CNBC:

  • Amazon Basic Microwave, which will cost $59.99.
  • Echo Wall Clock, at $30, to set timers and such.

[Etc…]

  • New Alexa capabilities. She’ll be able to tell when you’re whispering — and she’ll whisper back. She’ll also act on “hunches,” so if you tell her “good night,” she might turn off your lights and check if your doors are locked.

Creepy! More to the point, how does this invasive consumer technology actually benefit humanity? Are we really better off being able to whisper to our devices, or to control our kitchen lights from 100 miles away?

Entropy

The total entropy of an isolated system, such as the universe, can never decrease over time. This has some unfortunate consequences. For example, cleaning my room will decrease the level of disorder locally, but only by producing large amounts of waste heat that will increase the overall level of entropy (unavailable thermodynamic energy) in the universe.

Therefore, I have decided to help keep entropy at bay by sitting around today and doing nothing at all.

By my calculations, I have prolonged the life of the universe by approximately one googolth of a second.

You’re welcome.

*

PS: I thought this was my own idea, but here’s a good article exploring it in more depth.

Training

Every age has its rituals. In the Age of Google, we have the Ritual of the reCAPTCHA, a compulsory visual test that requires a carbon-based organism to prove its sentience to a computer by selecting squares that seem to contain grainy images of a specified object. The organism must do this correctly in order to demonstrate to the computer’s satisfaction that it (the organism) possesses the mental faculties of invariant recognition, segmentation, and parsing, in which attributes humans tend to excel over computers. If the organism passes the test, it is permitted to continue with its intended task on the website.

That problem is that many human beings who are more or less sentient find the average reCAPTCHA to be hard and frustrating, owing to the intentionally crappy quality of the images, poor visibility of the objects, as well as certain definitional problems that the average internet user is ill-equipped to deal with. For example, should the user, tasked with identifying “street signs,” click on a square that contains part of a sign post? Then there are questions of process. Does the user click Verify immediately after clicking all the relevant squares, or wait for new images to materialize in the squares that have been clicked? None of this is clear, none of it is explained. The user twists in a fog of doubt and confusion, and frequently fails the test.

Google reCAPTCHA evil

Choose wisely (Source)

The reCAPTCHA is the reductio ad absurdum of modern life, a grudging surrender of countless man-hours of labor (over 100 million reCAPTCHAs are displayed every day) to feed the ravenous maw of an emerging artificial superintelligence. Because, of course, by completing these image recognition tasks, the human user is training Google’s vast machine learning datasets. TechRadar thanks you for your service in helping develop self-driving cars.

But while we are training Google’s neural networks, the machines are simultaneously training us — teaching us to be more compliant, more deferential to the machines, and more conversant in machine logic… in short, remaking humanity in their own image. The future is a slouched hominid clicking on a fuzzy image of a taco shop — forever.

“These people are complete narcissists”

Google leadership seminar

Google leadership seminar (source)

I enjoyed this rant against Big Tech, which besides being funny, also contains the kernel of a very interesting idea for how to address the growing crisis around data privacy and ownership:

Bannon also added this gem about Tesla:

I do not have a dog in this fight, but Musk seems increasingly unhinged to me, and the little stunt he pulled with his abandoned buyout plan was undeniably shady. But… are you not entertained?