If the people with access to Room 641A want you, you're toast unless you're ready to make some REALLY big digital lifestyle changes that most people would not be amenable to, because you would have to be extremely paranoid on multiple fronts all the time. That kind of heightened vigilance is exhausting and really not worth it.
Sorry for assuming you'd be able to extrapolate from one example. It could be at any level of the funnel from your local machine to the wider Internet. Closer to home: this sort of fingerprinting could defeat things like MAC randomization in a PSK-authed business/university setting if those IT departments had some reason to want to track you.
I once worked at a company where the Security team were very proud of this and all the other tricks they used to catch leakers by figuring out who was on campus, where, at what time, usually via fingerprinting personal devices carried alongside corporate devices.
Ah, so, in addition to turning off automatic updates (everyone knows patches are for wimps! The real threat is supply chain compromise, not 1-days!), you also have taken all of the other necessary steps to protect yourself from the NSA? What if they just compel Microsoft to backdoor Windows/WinGet against you?
And these updaters almost universally use HTTPS, which network-based adversaries can't see except for SNI, and even that's going away...?
> What if they just compel Microsoft to backdoor Windows/WinGet against you?
You are confusing cause with effect. Leaking this type of fingerprint data over time is what allows users of Palantir-like systems to decide you're somebody worth individually targeting.
It doesn't beg the question, it raises it. Begging the question is a type of logical fallacy in which you assume the truth of your conclusion. It doesn't mean something "begs for the question to be asked."
I have no idea why this incorrect use of the term drives me so nuts; however, you'd think a blog post about English words and Wordle wouldn't make this mistake.
At what point did dictionaries providing descriptive views of the English languages turn into a prescriptive one that emboldens people to just point to repeated wrong usage rather than admit they were wrong?
I think the idea was NYT was trying to imply they were running out.
To me, "begging the question" doesn't mean assuming the conclusion in particular, it just means that some of the premises used are less obvious than they are being passed off as. Assuming the conclusion is merely an especially egregious form of that.
I frequently push back on people being hair-trigger about calling things AI, but even I’ve gotta admit, that’s exactly what Claude code says if you ask it to do a security review and it finds something. I’ve seen this numerous times.
I can detect it pretty well, but that was just one example.
No person starts a summary that way, it's over-the-top and meaningless. I have seen AI do that many times when summarizing something related to security, though. Claude often says "CRITICAL:" or "CRITICAL VULNERABILITY:" or similar, especially when you jam the context window full of junk.
I'm not saying it's the most professional choice, but if I were about to burgle a courthouse as part of my work, I'd like a beer or two to calm my nerves beforehand.
Regarding force, this article says:
> The rules of engagement for this exercise explicitly permitted “physical attacks,” including “lockpicking,” against judicial branch buildings so long as they didn’t cause significant damage.
And later that they entered through an unlocked door, which they (it sounds like) kept unlatched by inserting something between the latch and the doorjamb. Not unreasonable.
> I'm not saying it's the most professional choice, but if I were about to burgle a courthouse as part of my work, I'd like a beer or two to calm my nerves beforehand.
This is a job where having impaired judgment is a terrible idea.
If someone needs alcohol to do a job that involves taking the role of a criminal and summoning the police, drinking alcohol before it is a terrible choice no matter how you look at it. If they can't do the job without alcohol, they shouldn't be doing the job at all. Maintaining unimpaired judgment is a baseline expectation for a job like this.
I doubt judgement is heavily impaired at 0.05 BAC. That is at or below the legal limit to drive a car.
And it really is more of a red herring since they were obviously not visibly intoxicated and they didn't actually do anything illegal. Their BAC is more of an issue between them and their employer, and has no bearing on their false arrest.
> I doubt judgement is heavily impaired at 0.05 BAC. That is at or below the legal limit to drive a car.
0.05% BAC will result in a DUI in many countries. Regardless, any impairment on a job where you're doing things guaranteed to summon the cops is a very bad idea.
BAC also declines linearly over time. I doubt (hope?) they weren't drinking on the job, but a 0.05% BAC measured after their arrest means their BAC would have been higher when they started breaking into the building earlier in the night.
Maybe? Virtually everywhere in the US is 0.08. I don't think it's a good idea for physical pentesters to drink anything before a gig, for whatever that's worth, so hopefully we're just shooting the shit about different countries rules.
The "legal limit" is terribly misunderstood, but 0.08% is just legal threshold where the state doesn't need to prove impairment and the offense is upgraded to an automatic criminal DUI. A driver in an accident with a BAC of 0.03% could still be charged with a DUI if impairment can be proven but most prosecutors' offices have more important things to work on.
It's also terribly misunderstood by pedants since you can be charged with a DUI with a 0.00 BAC by doing drugs. The point isn't that it's a definitive line in the sand between impairment and not, but if people are trusted to drive a car (generally or broadly speaking, not pedantically speaking), being above or below said limit is a reasonable litmus test for "visibly/obviously impaired" or not.
The level of impairment doesn't matter. They are impaired. There is no standard or testing which reveals the minimum level of impairment that one can safely do the job. So, you don't do it impaired, at any level, period.
> and has no bearing on their false arrest.
Two people that have obviously been drinking, hiding from police, and then making up fantastic sounding stories as to why they're in a tax payer owned facility outside of working hours. The police had good reason to effect an arrest so it can't be "false arrest."
I don't see how that relates to, say, software engineering or physical pentesting though. And 1/3 people is still a fairly significant number that do not suffer ill effects. I also said heavily impaired—not that they were categorically not suffering from any effect of the alcohol.
My point is not that they definitely should have done it. It is simply that, in this context, it's really not a big deal & is not really germane to the discussion at all. They did nothing wrong, stone cold sober or not.
That’s not what your link says; impairment at 0.02 BAC is measurable, but a fraction of standard day-to-day variation for a person. It’s roughly equivalent to missing coffee at breakfast.
Is drinking common for physical pentesters? I just do boring software stuff but I’m pretty sure drinking on the job would be a fireable offense for me.
And even if their BAC was technically under the legal limit, their ability to e.g. drive was impaired. So it seems unprofessional.
Their ability to drive being impaired is somewhat dubious since they are under the legal limit in all of the states I have heard of.
W/r/t drinking and working, I personally dislike the puritanical zero tolerance for alcohol approach that people here in the US seem to take by default. Most people can have one or two drinks and work just fine, with obvious exceptions.
I don't think we should judge people who have to travel to a boring small town in Iowa and have to go to work in the middle of the night for having a drink or two.
If you can't have just a drink or two, or have to do it every day, that's a bigger issue that goes beyond work vs. simply having a drink and doing work on occasion.
Physical pentest scenarios are highly likely to end with an alarm tripping and the police arriving, except in cases where the alarm wasn't armed, didn't have connectivity, or was broken.
An encounter with the police was virtually guaranteed in this case. Drinking before the job was highly unusual and irresponsible.
> I'm not saying it's the most professional choice, but if I were about to burgle a courthouse as part of my work, I'd like a beer or two to calm my nerves beforehand.
I feel like if you do something for a living, you shouldn't need to calm your nerves for it.
I'd have more "eager" than "anxious" nerves, and I wouldn't need a beer for that. The fun thing about pentesting is that it doesn't matter if you get caught, although it's more fun if you don't.
Hard agree about "forcing", though. The very word implies, you know, non-trivial amounts of force. Like technically walking toward a door in a normal human room at standard temperature and pressure means you're applying non-zero amounts of force to it, so arguments like "they applied any force at all" can be ignored as goofy.
It's terrifying that this is even possible in the present day.
And what a brave man. I'm glad things worked out in the end for him, but it's rather unsatisfying that things didn't work out for anyone else and it doesn't sound like there's much hope at the moment.
OCB can be a bit faster than GCM, the only reason GCM took over is because OCB was patented. That patent has now lapsed, but since everyone uses GCM the performance advantage of OCB isn't likely worth switching for. Especially since GCM has hardware acceleration, and IIRC OCB can't benefit from that so it may actually decrease performance on modern CPUs.
IIRC GCM offers additional authenticated data whereas OCB doesn't (or you would have to roll it yourself), right? That would be another reason to pick GCM over OCB.
OCB3 also allows associated data (AD). Rogaway's faq[1] describes the history of the versions. OCB1 didn't have AD, OCB2 tried to fix that but was less efficient. OCB3 is the final version of OCB, and is a proper AEAD cipher. After OCB3 was created OCB2 was broken, but OCB1 and OCB3 remain secure. OCB3 is provably secure, and at least 2x as fast as GCM without hardware acceleration. In theory it'd be faster with hardware acceleration, but that's only likely in an FPGA or ASIC implementation since GCM is fast enough and accelerated in modern CPUs. Intel & AMD aren't going to spend the die area on OCB.
I like OCB, it's an elegant construction, but I'm more likely to use and recommend GCM because GCM is good enough and allows much easier interop since it's more widely used. Since AEGIS is nicer as a high-performance cipher system, and Ascon is better for constrained systems OCB doesn't really have a niche where it's the best choice.
Guessers don't believe Askers are asking in bad faith at all. If Guessers did believe that, it would be way easier for them to say no to Askers. It's precisely because the Guesser believes in the sincerity of the request that it becomes painful to deny it.
Indeed. It's the immediate assumption that since you're asking me, it must be important to you - otherwise you wouldn't be asking in the first place.
I want to be the kind of person that helps others where it matters, and here you are, asking, thus proving it matters. Refusing becomes really uncomfortable, so I'd rather go out of my way to make it possible for me to agree, or failing that, to help your underlying need as much as I can.
I realize now this is a form of typical mind fallacy - I wouldn't ask you for something if it wasn't really fucking important or I had any other option available, therefore I naturally assume that your act of asking already proves the request is very important to you.
That's the really painful part. They ask you for something, you say 'yes' thinking it's important for the person, only to learn that it wasn't that important at all. It's like giving something that you don't want to give to someone that doesn't need it. Really annoying.
So how would you recommend communicating desires that are less strong than "important"?
I try to include the priority level of my requests inside the question itself, personally. As in, "Hey do you think you could xyz if it's not too much trouble? Not a high priority for me, but it would be convenient is all." Do you recommend something like that?
St. Augustine: "an unjust law is no law at all."
John Marshall, in Marbury v. Madison: "a law repugnant to the constitution is void."
This is actually a fairly well established principle in common law. So, yes.
reply