After a decade of heavily government-sponsored bullshit about quantum computers, we are finally discovering the truth. RSA is NOT secure, not even against normal computers. Here is the paper.
RSA is Broken
Dark Side of HP Inc.
I buy a lot of equipment from HP. The quality when you buy is excellent.
The Internet is full of complaints about HPJumpStarts which people cannot uninstall and which serves no useful purpose rather than destrying our hardware: it uses A LOT of CPU and will considerably reduce the life of our batteries, which BTW are semi-hard to replace.
Please HP stop this criminal activity. This without any doubt programmed obsolescence and the penalty in French law is 2 years of prison.
It would be useful to examine the travel schedule of the CEO of HP Inc. I bet he is already avoiding French airports and ever coming to France, fearing being arrested and sent to prison.
A lot of people will be happy: 900 euros for a set of cartridges for their printers. In comparison Carlos Ghosn has done nothing wrong except being from a foreigner and therefore vulnerable.
Crypto Currency Alt Coins are Booming
Best period in crypto history ever.
ADDED 6 Feb 2021: traders who trade altcoins will be interested in this.
Crypto is Now Worth 1 Trillion Dollars and Why -Strangely- It Makes A Lot of Sense to Compare Bitcoin to Gold
Yes, the market cap of all crypto currencies combined has reached 1 Trillion US dollars, see also top line ticker here. I have predicted this 3 years ago, after the market collapsed, and now it is a fact: we are past 1T$, however much market cap valuations of this kind are highly questionable.
Unrealistic inflation of figures reported is common in competitive technology sector: look at all advertisements about speed of computer hard drives… totally unrealistic figures and fake news. However we accept the bitcoin market cap benchmark, simply because everybody uses and understands it. It is a de facto standard.
If we compare it to gold and some bankers actually agree with that, the total market cap of all gold on our planet is about 3 trillion (estimates vary). Gold is also subject to HODLing by US and Russian government etc. A tiny quantity of gold is actually ever exchanging hands: similar to bitcoin. An artificial valuable commodity manipulated by powerful actors.
Conspiracy theories suggest that All Time High (ATH) should happen on 9 January, anniversary of the bitcoin Genesis block, and here we are: bitcoin crosses 40 K exactly 3 years after reaching 20K. This confirms the idea that these markets are manipulated (by banks, governments and rich investors). Market manipulation is basically allowed!
Now both bitcoin and gold are actually valuable BECAUSE these powerful actors care about them and because of their tremendous brand value and popularity. Hundreds of millions have been spent on software development and on mining hardware etc. This alone explains the intrinsic value of bitcoin.
So far as of 2021 bitcoin lags behind gold. 12 years after creation bitcoin is still young. In fact, way fewer investors and bankers believe in bitcoin than in Gold, and it is going to stay that way in 2021. Bitcoin is a hard sell in the world of investment managers but eventually people see that no, Gold is not a great investment either but both can be used for portfolio diversification. We probably need another big cycle, wait until 2025 or 2030 for digital currency to become more important than gold. And the winner will probably not be bitcoin, but something technically vastly superior. The Google of cryptocurrency, doing the job right and achieving worldwide dominance… which has probably not yet been invented…
This will however inevitably happen in my opinion. One day crypto currency will reach 3 trillion and gold will continue being eroded. I can hardly imagine otherwise just for practical reason: digital currencies and gold are simply siting at two opposite sides of the spectrum on practicality and relevance in the modern economy.
In the long run, the winner is the digital currency. It will inevitably take over the world and pass the 3 trillion mark and I expect that this will happen in the next decade: before say 9 January of 2030.
An Anomalous Differential Attack on a Block Cipher
In this attack a differential propagates with difficulty for some 20, 40 and up to 64 rounds. We can say that the propagation encounters some “friction”, because the non-linear functions do not always behave as the attacker would like them to behave. Everything looks normal and this is what happens for all block ciphers all the time.
But then for 65, 80, 128 and more rounds, the propagation becomes easier and easier, the friction disappears, the differentials are reproduced MORE easily. This is for EXACTLY the same cipher spec, with different keys though. At the end of the day we discover that this block cipher configuration is not secure no matter how large is the number of rounds, and for any key.
Interestingly when we study what happens locally, say for up to 32 rounds, nothing unusual is observed and the ciphers exhibits no unusual behavior when the number of rounds is small.
This result was presented at ICISC 2020 in Seoul, Korea on 3 December 2020. We call this type of behavior “Non-Markovian propagation” and it is quite rare.
In addition we are able to transform a bug, or an outlier, something which researchers normally discard as inconvenient and problematic, into a feature. We show that this property helps the attacker, and it helps absolutely a lot, to the point that the cipher is never actually secure.
Some most interesting results in cryptanalysis are when something quite unexpected happens… contrary to the intuition ans contrary to the philosophy of 99.999% of ciphers ever made or studied: where authors systematically and maybe naively assume that probabilities do multiply and that they will decrease exponentially when you iterate the cipher. If so, it is sufficient to test a reduced-round version for high probability differentials. Here the probabilities decrease initially at an exponential rate, but later they behave abnormally and stay bounded by a small constant forever. A cipher can be insecure, even though it has no large probability differentials locally: it is a global long-term property only visible for a larger number of rounds like 64 or more, and only for very few special differences.
Here are the slides presented in normal / extended version.
And here is a recorded video of my presentation.
Remembering Val Curtis
With great sadness we are are remembering our colleague professor Val Curtis from London School of Hygiene and Tropical Medicine. She left us on 19 October 2020.
For a long time she was involved in the questions of hygiene and education in developing countries.
In July 2020 she became famous when she has described in an article published in the Guardian how
“the NHS has given up” on her and others, and anticipating that she will be the one of “35,000 extra cancer deaths” of this year in the UK.
She also said that she would like to see a plan for a better NHS, one that does not “needlessly lose lives”.
Val Curtis is no longer here but her ideas and her ideals will live forever.
A teacher who perished on the very same front of global public health to which she dedicated her life. Like French high school teacher Samuel Paty, she was a quiet hero, and then an unfortunate collateral victim on the public education front. They will join a pantheon of great teachers who seemingly are not here anymore, but in fact they taught THE most valuable and important lessons about life. We should never forget them.
Hacking a Linux PC at a Close Distance without Being Connected to a Network
The attack allows the attacker to execute arbitrary code on another PC running Linux. The exploit is possible due to an extremely serious vulnerability in Bluetooth stack inside Linux. The attacker literally can run an application of his choice on the other PC. The exploit was found by Andy Nguyen, a security researcher at Google. More info here.
What do We Learn From This
I have never EVER in the last 20 years believed that Linux could possibly ever be a secure trusted OS. The ecosystem is basically flawed.
First, it is clear that no security engineer have ever been involved in the design and maintenance of Linux, or it was already too late… Linux lacks any sort of defense in depth, and too many privileges are aggregated in too few places. This is a fatal mix from which it will maybe never recover.
Secondly, it is built around dangerous subversive ideology. It is based on the idea of free voluntary labor, which is in fact entirely illegal in many countries, e.g. in France, but is in fact tolerated (and frequently even promoted). Moreover the developers themselves sometimes behave like total losers. Some developers commit suicide on day one, through terms of various so called free software licenses they accept and promote. Then, all these super naive shame workers are ever asking for, is to be popular and famous, and for their names to be mentioned, which acknowledgment they don’t even get typically, work is just reused and authors are not always cited.
At the same time other people make a lot of money by reusing their work, to build and run powerful computer systems which are at the center of our economy, and which are huge profit makers.
It is NOT true that if I shared knowledge or some code with you I do not lost anything. There is an opportunity cost, human life is valuable, expertise is valuable. Almost every advanced business/tech activity is like this nowadays: it creates intangible goods which COULD be shared for free, or they COULD can benefit from sort of protection against theft and abuse.
In Linux we have an organised theft of intellectual property and it is a conspiracy against the same coders which are making Linux. Developers are tricked into working for some shrewd manipulators without being paid.
Is Open Source Secure?
In fact, possibly the contrary can be claimed. Open source means that malicious code can be injected by anyone. The long history of Linux shows that preventive security engineering failed at all times, and nobody noticed for 10 years or so. See for example here.
The supply chain infiltration is an interesting attack against Linux, against which it is, by design and by ideology, not defended (or not well). We should not and cannot trust open source developers. If they are not paid “officially”, why do they work so hard? One answer is of course, passion and hidden subsidies. But then another answer is that they are VERY likely to be recipients of some dark money from criminal or rogue state sources. Even when they are paid by Google out of altruism, this never was altruism. This was manipulation and exploitation worse than child labour, because in fact this is slave labor in disguise. There is a huge imbalance of power and information and profits made by Google from the tech developed and funded by others are here to prove, that the whole Linux community have probably been abused and infiltrated by influencer developers: Google will contribute a bit but of course they benefit a lot more. Profits or rather social and technical benefits from Linux development are basically privatized, and important work is supported by a larger unpaid community.
Facebook, is a business which is quite recent. It started making money only since around 2005, and not long ago, nobody was quite sure how it is possible that Facebook will ever be profitable. They have succeeded because they have literally hacked our society for their benefit: humans are hackable. They also have hacked our political system (by lobbying politicians behind the scenes) and our legal system (the whole planet was tricked into accepting the T&C based in California or similar). People were tricked to abandon their sovereignty and massively relinquished to be protected by their own governments laws and regulators. Facebook and similar Internet giant corporations have in particular hacked our social instincts and enrolled billions of naive individuals into a powerful money making machine.
In this process they were of course inspired by and imitated Linux! They have simply extended this perverse and subversive model, to a larger ecosystem of voluntary submission, digital censorship, manipulation and enslavement, for the sake of Facebook making a lot of money. Almost every aspect of our life is now prostituted for some Internet data hungry business to prosper at our expense. Transparency, or rather a one way transparency of the underdog population, implies that security such as strong cryptography is problematic, as it could potentially threaten the transparency which is an immense money maker.
Strong cryptography needs to be canalized for the benefit of the rich and powerful, but a larger population should rather be building and running systems which are somewhat rigged. Many open source projects have been built with powerful influencer participation which have worked hard in order to deceive a larger group of contributors and developers about who and how needs these systems and particular features, and who will profit from exploiting them, which is mainly large corporations. Being naive candid and generous contributors, and proud to be so, is at the very center of all this world of community developer tech. The situation is similar with how the press have evolved in the last 20 years. Nearly 100% of the press worldwide is in the pockets of corporate sponsors and journalists have very little freedom. The same applies to the so called benevolent computer tech. We are deceived about what we do, have hidden sponsor participants with deep pockets, and yet we somewhat naively believe that this tech is going to be neutral (and not malicious).
An interesting question is what is the impact of all this on information security. Maybe open source is secure because bugs are likely to be discovered? In fact opening your source code is sometimes just a placebo remedy in the area security. Security bugs are subtle type, and they are fundamentally extremely hard to find, and the amount of code to inspect and its complexity grows every day. We live in the world where a lot is hidden in plain sight and we are given a fake sense of security.
The problem of supply chain infiltration is particularly acute in bitcoin, when we do not even know who the developers are, you go there at your own risks and perils, and no one is blamed when something bad happens. Even though the mysterious Satoshi wrote just 2% of bitcoin code, all major and critical security decisions were made by this anonymous entity.
In reality , open source (e.g IBM PC, DES cryptography, SHA-256 etc) is almost never here for security reasons. It is rather a business decision, which is about managing the supply chain precisely. Open source allows businesses and governments to collaborate. However not all businesses and not all governments are equal, some benefit from this process, other are forced into submission and lose money. The winner takes it all again and again.
More critical discussion of open source, see slides 32-41 here. Open source is THE FAKE security mantra, and the real security principle is open design, [Saltzer and Schroeder 1975] and the two are NOT at all the same, see slide 51 here.
In 2005 Ross Anderson already claimed that open source and closed source are equivalent, see slide 57 here. Today and learning a bit more from history, and all the elaborate security deceptions we have known, and this dumb propaganda saying that Linux was very secure etc, for which have fallen so easily for decades, we should probably be a bit wiser.
Open source software can be truly dangerous, cf. slide 38 here. It makes it very easy to modify the software, which works both ways. It lowers entry barriers for improvement, but also for malicious versions to be produced (for example there have been many malicious versions of TrueCrypt). We help simultaneously those who want to improve security (yet poorly funded) and those who want to degrade it (typically more motivated and better funded). Given the imbalance in funding and motivation, and also because hacking is more fun than just building things, quite possibly, this is a working hypothesis, those who want to degrade the security of various systems will always prevail.
EU Court of Justice Ruling Against UK France and Belgium — and Why This is Not As Great News As It May Seem
Mass surveillance programs run by the UK, French and Belgian governments are simply illegal: this is in essence the new ruling of the European Court of Justice CJEU, as of yesterday 6 of August 2020.
We learn that governments are NOT allowed to operate massive databases of what everyone does just in case some crime would be committed or a terrorist would be identified later. Instead, they are expected to carry out targeted surveillance and data retention – identifying specific people or accounts or phone numbers to focus on. More info about it from register.
This is a small victory. NOT something which will improve our privacy. The highly controversial activity will now shift elsewhere in three ways.
First many of the same data gathering activities is already done, with more secrecy, involving more secret agents, who are now clearly authorized to commit crimes, and are much harder to hold accountable, and this will be a mess.
Secondly some clever privacy friendly technology might eventually be used. For example in the healthcare sector. But there is little hope for that.
Then and finally we have privatization of surveillance: this ruling will further reinforce private mass surveillance monopolists. More mass surveillance will be done by foreign commercial firms such as Google Facebook or TikTok. Eventually by some new emerging more specialized players, such as Palantir.
A Battle which is Lost, Later Becomes Obsolete…
In general the combat against data theft and data sharing is nowadays becoming obsolete in my opinion. Why??? Why governments are not allowed to do what Google and Facebook and so many other do? An interesting question. This ruling will just accelerate the emergence of new monopolists, who will not only steal our data but also exploit it for the benefit of others, while keeping them inside their data centers, secretly, and also breaking the law as usual. Thus further accelerating the deployment of an Orwellian-type Big Brother cloud, which however will no longer share or sell the data easily or cheaply. It will rather exploit the data for profit, sell prediction and influence capabilities, while keeping them and monopolizing them.
Overall the exploitation of our data and our lives by mafias will continue. Why call these mafias? Is it rather a tool and a network benefiting anyone? These are not tools you use, they are using you, striving for your attention. They spent money to buy you, to acquire you and you sometimes we think we have chosen them, but they have rather chosen us. Most businesses nowadays spent money upfront to acquire so called customers, and they intend then to keep these people captive, and treat them very badly. The problem is that electronic commerce and all influencer (e.g. advertising) technology, is primarily acting on behalf business, not individuals, and really with a strong bias towards dishonest businesses and unhealthy dark interests. For example it is about promoting unhealthy life choices in order to sell remedies and promoting consumerism and narcissism. It is about inventing humans new occupations where we create the problem, and cure the problem for profit. It is in general manipulating human race to become weaker more stupid and more dependent on these so called tools. The idea is that humans should return to living like slaves: being perfect employees and buying and doing what is in the interest of the industry and the wealthy elite. Interestingly slavery is nowadays disguised as freedom of choice. However with disinformation and persuasive tech, algorithms always win against humans and people are systematically making the exact choices which do not benefit them.
Again governments are losing control, and losing their ability to collect the same data, and to know what is really going on on this planet. This is potentially dangerous, and the world is moving the the brink where there will be only one center of power: it will be Big Brother system of computers pretending to be at our service, and at the service of business, and governments, but in reality this is simply very clever malware, malicious software playing all sort of games against everybody, basically cheating.
The core of the question is that governments/individuals and businesses do not have the same life cycle.
- Business are expected to be created and destroyed. They have limited liability. Sometimes they are destroyed because they do some unethical and do harmful activity, and they have perverse incentives. They should obey to laws and regulations, not make them.
- Governments and individuals are expected to carry on, no matter what, and we have rights, and a political processes which favor this.
Humans have inalienable rights, which Google and Facebook do not have. Governments are expected to fight for these rights and police crime, and regulate companies such as Google and Facebook. Sometimes, we need to break them, as these companies are simply harmful according to many people in US congress. Even when the harm was exaggerated, it is very important that we actually scrutinize what businesses do with our data.
Overall there is no reason to be so happy when governments are further eroded and are losing any type of cognitive ability to understand the world, which might involve gathering data and understanding human behavior at scale. Both individuals and governments are marginalized nowadays, in our mass surveillance-based modern economy. Mass surveillance has become the main thing here, it is simply at the center of the modern economy. Currently we are building highly centralized privately run Big Brother systems, where opaque omniscient data centers are at the commanding heights of the economy. It is easy to see that this is bound to degenerate, into a system of organized oppression of humans and businesses alike, with algorithms and artificial intelligence being smarter than anybody else, or just abusing the transparency and asymmetry of information. Here governments have lost relevance and they are unable to defend us (against this massive scale algorithmic abuse).
A dark cloud is in the making. Literally.
Celebrating the Birthday of Marian Rejewski at ‘Ecole Normale Supérieure, rue d’Ulm, Paris
Crypto Mining At Nasdaq
Two stocks related to crypto mining exploded on Nasdaq in the recent days. RIOT is worth 5x the price of March and has doubled since July 2020, and MARA had quadrupled since July 2020 (which was followed by a correction).
At the same time there are countless indicators which indicate that we are in an exceptional moment in crypto currency history:
- We are in the middle of big wave of appreciation of crypto assets, which has a lot to do with mining reward halving of May 2020. Since May 2020 the hash rate has remained flat and has always remained below the levels of May 2020. However if we predict that the bitcoin price will eventually soar, then a lot more bitcoin miners could be made, and put in active service, which was NOT happening so far.
- In March, falling bitcoin price halved the daily combined income of miners. Then it recovered and it halved again simply on the day of halving. It is has not recovered yet because the price of bitcoin needs to double for it to recover. As a result many miners do not sell their bitcoins hoping for higher prices tomorrow. This is demonstrated here and here. However, it is easy to manipulate such figures but moving bitcoins to temporary accounts belonging to the same person. Overall it seems that 2 millions of bitcoins are put aside waiting for higher prices to come.
- Volumes of Bitcoins held on exchanges are the lowest since June 2019. This means that prices are likely to be sensitive to the demand and sometimes will go up due to the shortage of bitcoins (locked at other places).
- The Fed balance sheet has stopped expanding since approx. May 20 and remains stable, see here. For now we have K-shaped rally with a bifurcation. The bifurcation is that some stocks go north, other stay moderate. The US tech stocks are now bigger than the entire stock market in EU+UK+Switzerland.
- Moreover it gets even more crazy. As bets against the US stock market are at the lowest level since 2004, markets are able to continue crazy bull run with very high valuations. Many fear that the stock market will collapse.
- Interestingly that the percentage of amateur traders and investors in the stock market has more than doubled since 2019. The Buffet indicator of stock market cap divided by GDP has reached a higher level than before the collapse of the dotcom bubble in 2000.
- Gold price passed 2000$, and bitcoin claims to compete with gold and has some correlation to Gold as refuge for investors who cannot find anything interesting to buy.
- Warren Buffet has surprised the planet: apparently he still holds more than 100 G$ in cash as of May 2020 and still today. He did not buy shares in March 2020 like most people did! It is seems like the biggest mistake he ever made (unless the future events prove him right and precisely shares collapse to yet lower levels than in March 2020).
