This is why the ability to install auditable open source code is essential to the future of security on everything. Most of this stuff should be wiped down to the metal and re-flashed with something trustworthy before use.

I know plenty of US Mil and UK Mil and most dont know this! During Covid lockdown it was even possible to listen into UK MOD teleconference phone-in's (like Zoom conference meeting but only over the phone line) on more than one occasion, nothing really top secret but there are some pretty pissed off military personnel and criminals trying to smooth things over at the top of the UK.

Edit. I will add that the British Govt was lying to the general public in their TV updates because the military phone-in's gave away stuff well in advance of it being announced on TV. This was not some reacting to events on a daily basis thing, this had weeks of planning before info was broadcast.

Personally Covid seemed like the perfect opportunity to carry out planet wide psychological experiments on unsuspecting members of the public.

Well of course, they aren't that incompetent. Probably all governments had contigency plans ( if we get to X cases/Y% hospital occupation we do A or B).

Example? They were certainly systematically understating the risk throughout, and we had several cycles of "everything is fine" -> cases spike -> lockdown.

Had they used a smaller rolling avg that corresponded to the minimum time it took for symptoms to appear ie 2days, the Govt could have reacted more quickly to the spikes, put people into lockdown more quickly, reduced the number of infections and deaths and then got back out of lockdown more quickly.

The Govt and medical experts have blood on their hands!

However it also turned out that essential workers were the main spreaders. The Germans worked out within a few months it spread up to metres at 4 degrees C which is why Chilled Food processing factories got hit. It also survived on hard surfaces better than soft surfaces.

Now whilst the lockdowns were occurring, the Police were catching up with criminals they couldnt locate in the UK. By "fixing" people to a location they could carry out final surveillance to tie up the lose ends with investigations, before getting them. Alot of this was done especially in London.

The military knew everything the Govt was going to announce at least two weeks before it was announced and this was relayed down the chain of command with some stuff coming out during MOD phone in's when we got to listen to Chiefs of Staff and MP or two.

If you took the NHS Covid App, so this brought out into the public domain tech abilities that have until now remained possible but secret. It was also used to shut down businesses, anyone could say they had covid, report it on the NHS phone app and then that would trigger all those people in the vicinity to have to isolate. You could shut down corner shops at their peak times, which has racist elements to it, you could also shut down other businesses during peak time, by just loitering at peak like in shopping centres, then go home and then say to the NHS phone app you have tested positive. At no point were photo's demanded by the NHS phone app and yet the app would have known the phone had camera facilities. An AI could then process the photo and verify its authenticity. This wasnt done, the tech was used for malicious reasons and to bring out in public a higher level of surveillance.

Edit. Should I also mention the Prime Minister was telling everyone to get onto Zoom for their meetings and then later on a zero click zero day exploit in Zoom surface which conveniently had given GCHQ enough time to hoover up data off plenty of systems. LOL

When will people wake up and realise the world is run by criminals?!?

I like playing with data. Rolling averages are simple to do and they are handy at smoothing out weekend spikes. Weekend spikes were a problem in the US because a bunch of people would get tested on the weekend and Monday would show a Spike. People (and Drs) have absolutely used data to lie - but I'm not quite convinced this is an example of "blood on their hands"

>However it also turned out that essential workers were the main spreaders

This is tantological. The people who were active were the ones spreading it. Yes. Fact.

>The military knew everything the Govt was going to announce at least two weeks before it was announced

I like to think that the government was well coordinated. This doesn't seem to be a bad thing. In the US, we had clear disagreement between different gov organizations and I'm not sure that is an improvement over "2 weeks of coordination"

>You could shut down corner shops at their peak times, which has racist elements to it, you could also shut down other businesses during peak time

This sucks. I hadn't anticipated this impact previous to this post and I appreciate you sharing this.

Actually, no. That's not what "rolling average" means at all. It means the average number from the previous seven days. There is no "lag."

It means that on May 9, it is the average from May 2, 3, 4, 5, 6, 7, and 8.

Then on may 10, it is the average from May 3, 4, 5, 6, 7, 8, and 9.

And so on.

Getting something that basic wrong makes me think there are other fundamental flaws in the rest of what you wrote.

1 case on day 0 2 on 1 4 on 2 8 on 3 16 on 4 32 on 5 64 on 6

7 day average is only 18 cases but the next day you have 128 cases and the average is still only 119. If there's a major down turn in case numbers, the average will be slightly higher. This is an extreme example but my point still stands.

Its still a helpful metric when you have infrequent reporting since the incubation time is not consistent, not everyone is getting tested immediately when they feel symptoms, the time a positive test result and official reporting may be delayed, and there are spikes of infections that likely occur on weekends or holidays when people are having social events. The best data would come from daily testing of everyone with immediate reporting but that simply was not possible.

So you can predict the future? OF course the data lags, it also lagged at weekends because the staff keying in the stats only worked Mon - Fri. and they also had keying in mistakes which meant only coming clean _once_ via the BBC news.

Now it just so happens the US and China back in 2015 had wanted to set up a global body to avoid such pandemics but Europe didnt want it, which is why every country did their own thing. You can read the studies from 2015 detailing Covid from a joint effort between Wuhan virology institute & the Uni of Virginia!

The whole thing reeks of stupid criminality at the top.

I had significant misgivings about the app and it's efficacy. It is those misgivings that mean I don't believe this is an accurate representation.

Firstly, and perhaps most importantly, a positive case report on the app had to be backed by a PCR result, which required a code provided on a positive PCR test. A bad actor as you describe would have only one shot at a malicious shut down (and would actually need to be Covid+ to do it).

Secondly, the exposure limit was... generous. Proximity and duration had to be sufficient to form a close contact that would then be advised to self isolate and seek a test. People walking past a bad actor loitering outside a shopping centre would not meet this criteria. The shop keeper would...

...but shop keepers, retail staff et al by and large did not have the app. Employers were actively preventing their employees from downloading the application to prevent having to close for staff shortages while they were advised to isolate.

Ignoring all of this, you get into the crux of the app with the "check ins". All venues were meant to enforce the "check in" procedure - in actuality, it was pretty much only restaurants that did so. Even if you "checked in" to a venue, _you had no ability to check out_ so that if a positive case was reported on the same day you happened to be at a venue, even hours apart, you would be flagged. This meant that every positive venue ping had to be reviewed by a person, who would be tasked with reviewing which of the contacts in the venue should be contact traced. The criteria for doing so was opaque - and without the knowledge of what time people left vs arrived - and the actual device:device exposure being invisible to the contract tracer - we can only surmise that an element of inference and good old fashioned guess work was at play. And as was publicised at the time - the contract tracers found themselves with very little work to do.

>Should I also mention the Prime Minister was telling everyone to get onto Zoom for their meetings and then later on a zero click zero day exploit in Zoom surface which conveniently had given GCHQ enough time to hoover up data off plenty of systems. LOL

The Prime Minister has repeatedly demonstrated himself to be fundamentally incapable of understanding even the most basic aspects of his job, let alone technology. Hanlon's Razor comes to mind here.

All they had to do was do a test, type in the code and say it was positive, this is my point about the NHS app could have also required a photo of the positive test result but it didnt! I was poking around with it, and you could trigger the mobile app into telling you to self isolate simply by having one or two of the leading question symptoms, it was that "cautious".

So if earlier that day I spent my time around loads of people like in a shopping centre, on a military base, in a police station, I could get those people to self isolate by being in their vicinity and the app doing the rest, if they had that app, but the US Military bases here in the UK were doing their own US testing and where it was only a suspicion, they got US personnel to do an NHS test in order to keep the brits happy and the NHS happy. In actual fact Covid was ripping through some RAF USAF bases and the US mil were soiling their pants at how many active personnel were going down, what a way to take out the most powerful military on this planet!

Now it just so happened, you could also reset the app without any problem so you could rinse and repeat the next day!

> ...but shop keepers, retail staff et al by and large did not have the app. Employers were actively preventing their employees from downloading the application to prevent having to close for staff shortages while they were advised to isolate.

That would have been illegal in the UK, cant comment on how bad the US is.

> Hanlon's Razor

Yeah, if you are caught with your hands in the till put it down to Hanlon's Razor and say you found some money on the floor and you were putting it back! LOL

Looking at this globally, its fcuked the Just In Time global business sectors as we have seen with shortages et al and continue to see.

You don’t just burn a vulnerability like that without a target.

It’s pretty common knowledge in many gov’t agencies to not procure devices from Amazon or other unauthorized vendors and connect them to gov’t machines. So I’m surprise to read that.

This is an ongoing problem with many USB peripherals from Amazon and Aliexpress. For personal use I only buy peripherals from Apple, Dell, Belkin or Logitech. Any other brand I consider untrusted.

I also highly recommend virustotal. Anything I download goes through it.

So they are left either not checking their email/answering emails from superiors or they have to buy a CAC reader themselves and use their personal equipment to access their email/government websites.

Hell, they could even buy the best smartcard vendor and spend a couple of millions to increase quality and reduce price.

After a year or so they are the reader of choice for the entire army and everyone are happy, unknowing that US Army now leaks about as much as the Russian Army...

An "ordinary antrivirus" like MS Defender or McAffee (that's what my work PC has) is not able to detect malware from internet. A state actor has no issues installing malware on an accessible computer with Windows

I also need a smart card reader to identify with government services (in this country we are issued chip id cards that are used for online identification) and I just plugged the cheapest one I found on my computer (under Linux) and it just worked. I suppose it's different under Windows?

Even on Linux, OpenSC software apparently supports drivers, such as the generic CCID driver as well as more specific drivers.

The generic spec that both Microsoft and the CCID driver support appears to be https://www.usb.org/document-library/smart-card-ccid-version... from 2005. I imagine the tech hasn't changed that much to need custom drivers, so I'm not sure why they exist, except maybe to do firmware updates or something unusual.

https://ludovicrousseau.blogspot.com/2022/04/30-shades-of-pc... and other such sources seem to indicate that most of this is pretty standard? If you want to write code that uses smart cards, I mean.

That said, if I were doing a from-scratch authentication implementation today, I'd probably pick something like biometrics via FIDO2 instead of smart cards...

Traditional smart cards like CAC and PIV can include a user X.509 certificate on the device. FIDO doesn't include this capability. That means FIDO keys have to be registered separately with each and every service[1]. This is deliberate as FIDO tokens can generate a unique key per service--for services authenticated via a web browser this is precisely what happens. But the choice means FIDO doesn't work well for building a generic, federated PKI system.

FIDO has a laser focus on solving user authentication problems for website operators, all managing their user databases independently. The saliency of this approach has at least as much to do with removing degrees of freedom that vendors could abuse to fragment the hardware space than in the technical security of things. Traditional smart cards never lived up to their promise precisely because companies like Saicoo actively sabotaged interoperability and ecosystem simplicity in attempts to leverage vendor lock in.

[1] Or those services must all be able to contact a shared online user database, or a certificate has to be distributed separately (e.g. as with OpenSSH). (But I don't think a FIDO token can even sign something like an X.509 certificate, at least not without defining a new signature algorithm OID.) Both are problematic for use cases like CAC or national identity cards.

Yes, that's what you would need to do if you wanted this.

OpenSSH comes with tooling that will sign arbitrary files, and can use either conventional SSH key files (for which it has a safety rationale, explaining why this can't weaken their security for their original authentication purpose if the signature algorithm works as intended) or a FIDO device.

I'm not sure how FIDO2 would work for most uses which are not web based, and identification via biometrics is certainly not something I'm looking forward to.

Let's say when you insert the card it makes that card available for signing anything on an RF network. Someone only needs to get within range of a (very low bandwidth) RF connection to use this.

Hell, it's been demonstrated in the past that it doesn't even necessarily require an actual compromised driver. If one of the components acts as an antenna (happens all the time by accident) it may be possible to do that remotely without specific compromised RF components. It'd just be a "bad design" that responds to some frequency.

How can I be sure, for example, a 7in1 plugged in via usb-c does not have a hidden camera, microphone, or keylogger for example? Is there some sane way to check?

# system_profiler SPUSBDataType

They aren't a huge security company so I don't know how easy it is to escape detection however their verbose reporting of application version changes, protocol usage, destination lists, and integration with Virus total gives me some sort of confidence.

Only reason I noticed was because a compiler used in the tutorial issued a warning about this happening, and I had to investigate the tutorial doubly hard to see if this was indeed one of the problematic ones. It sadly was.

I have been hesitant to get a cheap ID reader, because a computer that needs ID clearance is likely a juicy target, and I worry that the company is writing their own malware.

I have the same issue with cameras. I want a low cost IP camera, but don't know any that can be trusted to only stream to where I want.

Somewhat OT, I know, but would appreciate tips ;)

There are literally no IP cameras that you should put in a routed/gatewayed network. All Chinese (there are like three OEMs behind all of them) ones phone home (and have tons of vulnerabilities anyway) and all enterprise ones strongly, strongly recommend you to use an isolated network. IP cameras is one of those cases were an isolated network needs to be used.