A side note: I think there's an unmet need for algorithms that can convert photos of these random patterns into text (or something similar) that can be stored in a database and searched quickly for matching patterns. I've tried image similarity algorithms like the ones used by e.g. Google Reverse Image Search, but they seem poorly suited for this task. I ended up writing my own crude algorithm in the paper above that converts a pattern into a set of strings, and it works OK, but surely there are better ways to do this.

Examples (aha, including a teaser to an upcoming product called “Verifibre”!) can be seen here:

https://securityfibres.com/

Instead of a lookup table, that number could be signed and the signature printed onto the bank note itself. It would be impractical to either deduce the signing key or duplicate the pattern of fibers in a way that the signature was still valid.

I don’t know if there’s a signature algorithm though that is resilient to lossy and unreliable input data and which can also produce short enough output that could be printed on the face of a bank note.

Perceptual color representation gets a bit harder but if you're only looking at gamut differences on cameras/screens/printed media I think it's feasible.

Alternatively, if you know a lot about the source image you can train a NN for the specific application.

The manufacturer wouldn't know if there are conflicts or if the user wanted to check a pill twice.

And if you have a standard algorithm which converts a sprinkles picture or three into a hash. Then now you have a precise target for the machine to benchmark against.

Now police are going to be looking for nail polish and other clues

> For all spy cameras.. raw image.. encoding and compression.. takes place in an inbuilt read-write memory whose operations cause electromagnetic radiation (EMR).. Whenever the visual scene changes, bursts of video data processing.. aggravate the memory workload, bringing responsive EMR patterns. ESauron can detect spy cameras by intentionally stimulating scene changes and then sensing the surge of EMRs.. Experiments with 50 camera products show that ESauron can detect all spy cameras with an accuracy of 100% after only 4 stimuli, the detection range can exceed 20 meters even in the presence of blockages, and all spy cameras can be accurately located.

> The latest smartphones employ low-power DDR techniques [49][50] and integrate Faraday cages internally to mitigate electromagnetic radiation (EMR) leakage [51]. The combination of the two measures significantly increase difficulty to detect smart- phone cameras’ memory EMRs using the current ESauron prototype.

Conductive inks can shield specific components, https://www.idtechex.com/en/research-report/conductive-ink-m...

  Spray-on inks are targeting package-level EMI shielding.. Jetted inks are also being proposed for in-package EMI isolation between individual dies in a multi-die package especially for high-frequency devices. Some suppliers propose micron-sized, prioritising cost and maturity. Flat flakes offer higher conductivity if aligned well. Others develop nano or even particle-free inks, offering the thinnest solution.. Most offer a hybrid solution, siting somewhere between full nano to full micro and full spherical to full flake.. Some.. mechanisms to fine-tune layer thickness post-deposition to locally boost performance in EMI hotspots.

“Failed to Add Pass An error occurred while adding the pass to Wallet. Please try again later.”

Brave on latest iOS. Lockdown mode enabled for 6 months.

There’s something not right about that PDF.

That user has been posting a lot of links to pdf’s every day hosted on wordpress platforms and more. I haven’t began scanning those yet.

That's a pre-pub PDF hosted by the Usenix Security 24 conference, which takes place in two weeks. If a respected 30-year old security conference is posting hostile PDFs, that would be newsworthy.

> VirusTotal behavior analysis

What did it say exactly? Just tried a VT scan and it reported a score of 0 out of 95 (green), with zero detailed findings. That was the only/first/last submission of the URL, https://www.virustotal.com/gui/url/f7259d6da00636ec8632741d3...

> That user has been posting a lot of links to pdf’s every day hosted on wordpress platforms and more

Examples, please? I posted the Usenix Security paper. A quick scan of my submissions shows no PDFs in the last two weeks, and one other PDF in the last day, hosted on HP.com.

Looking at all the behavioural analysis on VT makes it look like malware, but considering my lockdown iOS was being weird, this PDF is making me worry that it’s some sort of cross platform malware capable of attacking both Windows and iOS - which I have never heard malware being able to do before.

I am super curious of how this PDF behaves on MacOS, Linux and Android now but it seems VT only executes it in a Windows environment.

I could be so wrong about this, but if I am not, then this would be rather serious indeed for a lot of HN users.

I wouldn’t even know where to start in looking at that PDF for some sort of iOS exploit payload, my guess is it would be extremely difficult to find (if it exists).

There is also your non-reproducible report that the PDF was incorrectly loaded as an Apple Wallet pass, which would require a web server MIME type of:

  application/vnd.apple.pkpass

  The engine had been removed, “but its mounting brackets, as well as the fuel and oxidizer tanks, were still in place,” recalled Finer. That was when they hit a problem. The only way to see inside the machinery was to remove a four-way electrical outlet, but it was encased behind a plastic seal bearing a Soviet stamp. The team needed to leave the spacecraft exactly as they found it. But if the Soviets noticed a missing seal, the game would be up. Could they make a replacement in the middle of the night?
   … “My technicians were working all that night,” Zambernardi recalled. “That night we developed 280 photographs. We also had 60 samples of valves. We had samples of the fluid, rocketry fluid, or what have you.”
   As they put the assembly back together, the CIA car returned: inside was a perfect counterfeit Soviet seal. They could now reseal the panel and conceal their theft.

I’d like to think that the counterfeit was the result of an early prototype of 3D printing. But in reality, it was probably the work of a mole or the office of disguise.

> Zambernardi also controlled a team of mercenaries he called Rudos—“tough guys”—from Mexico’s corrupt and violent Federal Judicial Police. They made treasonous Americans “disappear,” according to Mexican journalist and TV personality Jaime Maussan, who interviewed Zambernardi for a 2017 book about the mission, Operación LightFire.

the extrajudicial killings of american citizens under the directions of an american institution are mentioned so casually, one is tempted to skipped them and move to the interesting part of the story.

CIA has the main seals defeat capability in USG.

https://youtube.com/watch?v=zZBR9iQ7DRA3D

The main character has a series of mechanisms (door latch height, paper in between door and wall, mechanical pencil lead in door hinge)

One out of place tamper seal, can ignore. But all 3 broken? Someone was in the room.

Personally used the paper trick when I was young and living with parents and siblings. Would easily know when somebody entered and trifled through my things.

Also used that mechanical lead pencil trick with my “secret” drawer where I had created a false bottom lol.

He was also known to be into anime, so he could well have seen that scene too

There's good podcasts out there about PIs, spies, military intelligence, and good ol' police work. So I still love the content. The last one I finished was yesterday, about the murder of Dutch politician Pim Fortuyn. The murderer, who was pretty much caught red handed, was curiously living next to a former top criminal which was omitted from the police report to protect this person against public outcry. This person a few years later happened to live near an Islamic terrorist. So the question arose if the former top criminal gave the weapon to the murderer, or whether he was an informant for the AIVD (back then BVD). Of course, the former top criminal passed away whilst the podcast was being made (classic plot twist). Regardless, a fascinating story, albeit inconclusive.

> Close your door and stick a single hair across the gap - so you will know if anyone went in.

Duh.

Are you implying the existense of opsec-techniques that are only usably by "good guys"...?

Companies can only void the warranty on specific items that you damage. As long as you don't damage anything when opening up electronics, ask them to put in writing why they are voiding your warranty (chances are they'll "help you just this one time" instead).

The FTC is finally cracking down on companies that use such warnings.

(Magnuson-Moss Warranty Act - same law that lets you or third parties do work on your vehicles without voiding the manufacturer warranty.)

Considering the nature of hard drives, I think that would fall under damage caused by opening.

My understanding is that they are not in a vacuum, but they are super-clean. The air/gas inside is an important part by preventing the read/write head from touching the platters as they rotate. If a consumer opens it up, then dust is introduced which will cause problems.

That xbox took forever to save for, so voiding the warranty wasn't an option. Luckily, the ole hairdryer defeated the tamper evident destruction of the sticker.

I love things like that. Microsoft pays for manufacturing of a security sticker to prevent tampering. On a device that runs a hypervisor (wild at the time) to prevent tampering.

And some dude on the internet realizes that you can just heat it up with a hair dryer and carefully peel it back with tweezers, than flash firmware to your DVD drive that reports "yep, this is an official Xbox 360 disk" to the locked-down-and-totally-secure OS.

Like is the NSA covering their laptop screws in glitter nail polish? Are covert CIA agents? SOF?

Who needs this level of secrecy that would not have the physical security in place to protect the device in the first place?

I imagine the target audience for this type of security would be journalists and cybersecurity researchers whom governments might target. I'm sure other jobs could use this information to protect themselves better.

Large government agencies can afford to design systems that probably do not need these requirements, and they also probably wouldn't have any sensitive information on any unattended device.

(Also lol I did the 2013 glitter nail polish talk w Eric Michaud. I feel old now.)

I am not going to detail everything that happens to these servers, but glitter epoxy and other annoying seals on the places the server might be accessed are some of the physical protection features.

Anna Merlan, Tim Marchman, those 404 Media folks probably. Reporting on crime syndicates probably leads you to be paranoid.

If the border guard notices glitter-covered screws on Ordinary Joe's laptop, that might tip off the Imperial Guards to keep a close eye on him during his stay.

She asked very shyly, if it wasn’t too much trouble etc., if she could look under the cooler as well. It might sound silly but I think it was completely understandable. While unlikely, she wanted to eliminate the possibility that the purse was in our area, before moving on.

I think a lot of tamper seals are like this. If you have a leak and need to decide if it was either from an unscrupulous employee in the office or from someone else at home tampering with your laptop then being able to definitively eliminate the latter will help you focus on the other possibilities.

Depends on the author.

Some authors are well-known for the thoroughness of their research. Some spy novels have been so accurate that ex-intelligence people have approached the authors to ask them how they knew certain things, and to offer them more information that would be useful for new manuscripts.

Many years ago law enforcement (french DCRI now called DGSI) illegally placed a keylogger on my laptop, they placed it when I bought it online from materiel.net and placed it before I took delivery of it. it is 100% certain in my mind.

So never ever buy a laptop or hardware online if you think you might be exposed to this, buy it from a store.

I was going to build a hardware keylogger for laptops just for fun and as a proof-of-concept to show how easily this could be done.

They even came to arrest me a few month later, I am not making this stuff up!

But the whole story is very crazy, I should write a complete blog post on it and what their shady techniques are.

Please do. If you have any new details not in the public-domain and are safely able to disclose them I am certain many other readers would be interested. :-)

It was done to him simply because he's a famous belgian cryptographer.

And we're talking about people who made frontpage of mainstream media newspaper: hardly the kind of publications that shall report all the various states' wrongdoings (typically they'll instead be complicit and try to cover up misdeeds).

It's not as if these thing do not happen nor if as if there aren't persons of interests here on HN.

On the other hand, I'd think they'd pay attention to actual tampering evidence.

(An interesting parallel is in the mobile ecosystem where things like untethered jailbreaks, i.e. persistent ones, for high end targets are nearly non-existent. Similarly, existing attacks from things like Cellebrite for high-end devices like Pixel/iPhones are generally classified in terms of things like whether they are vulnerable before or after first unlock of the device where boot chain security is strongest, and there's nearly nothing in terms of persistent compromise, downgrade/replay attacks, etc.)

Not just the police: if your data or the data of the organization you work for is considered valuable enough[0], you also have to worry about thieves, foreign spies/saboteurs, corporate espionage, a wayward relative looking for banking passwords or Bitcoin to fund their drug/gambling habit, or a particularly obsessive ex.

[0] Mine isn't, and paranoia isn't one of my vices, so this is all academic to me.

For most of us the police where we live aren't that corrupt (though it's par for the course of internet discourse to pretend there's one monolithic "the police"), and most of us statistically speaking aren't in the minority groups that get disproportionately targeted.

If that isn't you—if police where you live and travel are corrupt or if you're a minority who gets disproportionate enforcement—then sure, it's the police.

If our police are corrupt (they most certainly are), then it is entirely certain that the police in America, with a much worse record of abuses, is corrupt too.

The fundamental misunderstanding that is unfortunately quite the norm in internet discourse is the idea that America has a police force. It does not. The US has a bewildering array of about 18000 federal, state, county, and local police forces that operate independently, have varying degrees of accountability to entirely different governments, and can't really be spoken about in aggregate without severely oversimplifying things.

Of course, that doesn't stop people from trying to do so anyway, which is how you get comments like this where people generalize their own experience with a different country's police force on a different continent and then assume from media coverage alone that "America's" is obviously worse.

They're also wrong to do so, because police forces vary widely by jurisdiction and cannot be generalized. I don't only object to people from other countries doing it, it's just particularly uninformed when they do.

I say this as a resident of a small city with a police force that has never had any controversy whatsoever, but whose officers feel acutely the generalized hatred directed at everyone in blue that has become vogue in a large segment of the country.

Just because your police forces are awful doesn't mean they all are.

And the corollary is "Just because your police force is good, doesn't mean they all are", surely?

I'm making no claims about the quality of any police force in particular other than the one in my city. I'm only arguing that you can't generize from one to all and that the widespread criticism of "the police" without specifying which department or agency you're talking about is both imprecise and harmful.

It's not even a $5 wrench scenario, because they don't care: the point of jack booted thugs is you simply apply force to every problem and potential problem, and dare anyone to stop you.

But on another note, in many countries (where digital privacy isn't already illegal) law enforcement is pushing for encryption backdoors and the like, so that kind of wiretapping will be their go-to, and in the police's ideal world they will simply be able to remotely log in to any phone, operating system, or CPU firmware and rummage around to their heart's content.

Until that comes to pass (heaven forbid), I doubt they will usually make the effort to check anyone's screws for nail polish. They're all about the brute force.

> It's not even a $5 wrench scenario

It's a $0 "type in your password or we're sticking you in a cell and leaving for the weekend" scenario.

Missing the point: the point is - they're not listening at all. They don't care. You're not a problem to be taken seriously and carefully investigated. You're going to be stuck in the cell and forgotten about anyway. Your equipment will be destroyed. No one is looking.

The above just sound like outlying bad examples of millions of humans in stressful situations, many times every day.

https://dustidentity.com/

I'm looking at using this for certain shipping and packaging needs.

> A dust of nanoscale diamonds, blended with one of several possible polymers, is applied to a part or component. Thousands of randomly distributed crystals create a distinct fingerprint, which can’t be reverse-engineered or cloned.. identification is informed not only by the position of each crystal, but also the orientation of each crystal in relation to all the others.. number of possible distinct fingerprints: more than 10^230.. the dust comes from engineered, nitrogen-vacancy diamonds, in which some carbon atoms are replaced with nitrogen ones.. "The random nature of how [nanocrystals] fall, roll and tumble creates a fingerprint that is unique in the universe.”

Could do something like a robotic arm style of device which carefully places each color though.

Are there any other, more convenient techniques to defend against evil maid attacks?

Edit: Also, even though we have been discussing only computers so far, the random mosaic method can protect anything. The top level comment shows how a similar approach can be used in pharmacology.

Automatically clear some memory when the laptop is opened so the BIOS can tell.

Put important parts inside an epoxy. Add some transformer wire in the epoxy that will break when somebody tries to tamper with it.

I'm not trying to be exhaustive. But stuff like that.

https://arifkin.com/

A locking briefcase (a cylinder key lock with 7 pins? - not sure of the correct terminology here)) may not stop an expert locksmith, but otherwise you can tell if the contents have been accessed. I have a fabric one (heavy duty fabric, cannot be torn by hand) with a zipper that is locked by key. I keep my notebook computer in it when I travel, either in the trunk of my car or my hotel room.

Or, when I took a multi-day train trip a few years ago, every time I had to leave my "roomette" (open access) and travel a few train cars away for a meal or sightseeing, I made sure the laptop was in the locked briefcase.

However it's worth not also gaining a false sense of security vs. state actors who buy software and hardware exploits from shops like Zerodium generally don't always require intrusive physical access to implant malware or extract information, or who use the local carriers to do the dirty work for them.

I wonder who the anarchists are that are afraid of "incrimination and network mapping" and what it is they're doing them that makes them afraid of that

In general one of the defining features of a state is a monopoly on legitimate violence. It stands to reason that challenging a state then involves violence, and sees violence used in retribution.