Anti-Vaxxers vs Vaxxers -- Another False Dichotomy

Undoubtedly we live in the age of false dichotomies… Somehow people are all talking (and fighting) about subjects with no substance.

Dear vaxxers and anti-vaxxers, your fight is ridiculous, and it is not because you are both partially right, it is because you are both completely wrong.

Have any one of you ever tried to DEFINE the subject of your debate? What do you think a vaccine is? And what to you think the category «vaccines» is? How can you make a utility/risk claim about ALL vaccines, piling together a smallpox vaccine that demonstrably saved the humanity and a flu vaccine that have never entered any testing whatsoever! Do these two share any INNATE properties at all? Can you formulate a property that all vaccines possess on their own, a property that can be observed in the vaccines themselves, all vaccines and nowhere else? This would be a characteristic property that gives you the least moral ground to speak about the «vaccines» as an object (entity). Until then, both of you vaxxers and anti-vaxxers, are engaged into a typical case of false entitification — there is no such entity «vaccines» that you pretend to be talking about. Therefore ANY CLAIM ABOUT ALL VACCINES IS GUARANTEED TO BE WRONG.

But there is still more hilarity in the «debate». Here is a logical scheme of the anti-vaxxer standing:
In a government-run hospital my child was given a shot, that was documented as vaccination. Shortly after the event the child became sick (as never before).
Let's assume we have a sufficient amount of the episodes like that (properly documented («there is no evidence» fanboys can go fuck themselves)).

How is this a reason to blame the sickness on vaccines? Let's control for all other factors… all those kids were perfectly healthy before the injection and so on and so on. If we determine beyond reasonable doubt that the sickness was caused by this particular injection, how is it a reason to blame vaccines? In order to blame vaccines on the ground described above, you must assume that the government-run hospital DID NOT lie to you about the injected substance!!!

So the anti-vaxxers' claim of the vaccines' malice is based upon the trust to the govt! The same govt that under a false pretense of vaccination and medical treatment injected kids with plutonium, gave people syphilis, created a polio outbreak (not even for scientific nor military purposes, just for fun). The govt that has broken the trust of the people over 9000 times, this govt the anti-vaxxers trust! — «govt said it was a vaccine, duh, vaccines are bad» — what a joke!

An open letter to mr. John Kelly the Homeland Security Secretary

Dear mr. Kelly,
do you realize that you lose the ability to attribute a suspect's social media account to the said suspect immediately after obtaining a password to the said account?
Once you own the password, the account is attributed to YOU, shithead, thus rendering all your claims about the suspect's alleged activity associated with the account completely inconsiderable.

Resign immediately! You know _NOTHING_ about security nor elementary logic, you are utterly unqualified for the Homeland Security Secretary position.

Internet Works!

First was Brexit, then Trump, now The Italian referendum has happened… and Jean-Claude Junker is calling for EU leaders to infringe on the peoples' right to vote. This is the first manifestation of Internet working as an information system for the people.


"One Brand of Firewall"

Gatrner sent me an ad of a quite disturbing report ( ) which advocates using «one firewall brand» to reduce complexity.

Sorry, guys, one brand of WHAT?

There is no such thing as «general purpose firewall» that fits all. It is a mythical device (and this myth was supported by Gartner for years).
What you call «firewall» is actually one of three (or more) things:

1) A border/datacenter segmenation device. Think high throughput, ASICs, fault tolerance and basic IPS capabilities.
2) An «office» firewall. Think moderate throughput, egress filtering, in-depth protocol inspection, IAM integration and logging capabilities
3) WAF. Enough said, WAF is completely different beast, having almost nothing in common with any of those.

Ah, and a VPN server. It is not a firewall (though it should have basic firewall capabilities). Not falls into any of those categories.

Dear Gartner, have you ever tried to market a pipe-wrench-hair-dryer? You should, you have a talent for that.

The One Thing Has Overlooked

The simplest and most important fact about computers — COMPUTERS ARE TURING COMPLETE

Because of that, we can not know what program runs on a given computer (without disassembling this computer to atoms).

The only possible source of an answer to this question is the computer itself, which in turn can be programmed to give ANY ANSWERS (due to its Turing completeness). A system program+computer can present itself to an observer as anything arbitrarily far from the real internal state of the system.

That's enough for any amount of fraud to be completely undetectable. NO AMOUNT OF REGULATIONS CAN CHANGE IT!!! A program can always be invisibly replaced/altered.

The law defines the elections as a particular process. Computers arbitrarily change this process — this is not legal (in a very literal sense of «legal»). Computers make the regulations inapplicable and the entire electoral process unregulated — lawless!

The computers should be banned from the vote counting process regardless of the actual fraudulent activity of any parties.

The Final Note On The Elections

Synopsis: There are no elections in USA.

It is not a hyperbole and it is not a political nor ethical statement. I am talking specifically about the procedure of elections as an information process. By using a «voting» machine you do not give your vote to any of candidates, you give your vote to whomever controls the machine. Giving your vote away is NOT electing.

In case you are concerned about data security or voter fraud issues: those concerns are irrelevant, the computerized procedure in use does not endanger the elections, it ELIMINATES them from existence. From the InfoSec perspective the information process that has taken place of the elections (be it hacked or not) is NOT the elections — not even a surrogate! — it is something else, that, most importantly, has nothing to do with your vote.
Read more →

Why The InfoSec Discourse Is Entirely Composed Of Fallacies?

The deepest root of all the misunderstandings that constitute the InfoSec discourse nowadays is that the normal people («security experts» included) do not understand what is software, and its fundamental difference from the physical world we live in.

The entire realm of software is purely artificial.

Not only programs and functions, not only bugs and security holes, but also all the notions and intentions, all phenomena in the realm of software, even those perceived as «natural», are created by a man.

There are no natural laws that a program must follow and obey. While your computer does follow all the laws of physics, your programs do not at all. This very distinction makes a computer useful for us. The purpose and the only purpose of your computer's existence is to create a virtual TABULA RASA world, the world devoid of any laws, the world completely disconnected from the physical reality, the world that you are supposed to populate with laws of your own creation.

In other words, a computer can produce any output from any input — this is the definition and the characteristic property of a computer. This is what they always forget, and I stress ALWAYS.

REMEMBER THAT! If you want to improve your «safety», «cyber security», whatever. Every time you assume any expectation to a program of someone else's creation. Remember that! Every time you are disappointed: I gave this stupid machine a perfect input! Remember what a computer is: a machine that produces any output from any input — no restrictions at all. If you remember it well, first you will stop acting surprised when you wonder into a trap, second you will become more challenging prey, third you will stop believing InfoSec selling stories.

On The Public Discourse

The trouble of all serious social troubles is that they do not allow for a prolix bloated discussion that normal people value so much. Muslims want us dead. Hitlary committed a high treason. Douchebank is a fraud. Credit cards are not secure. 2+2==4 — there is no room for a discussion!!! Here are some prooflinks, case closed, the public is bored and ignores the issue in question.

On the other hand, the lack of evidence, the absence of solid research method, the absurdity of the subject — open the gates for creativity and rhetoric and demagoguery and entertainment of all sorts. One may write volumes on Bigfoot, UFO, ghosts, gods, multiculturalism, oppression, patriarchy, microaggression. And I assure you those volumes will sell magnificently — people love talking much more than thinking.

On hypocrisy and spyware

I said it earlier this century, "state-sponsored malware/spyware developers ARE de facto blackhats".

There is no «legitimate» third side to receive zero days. Either you give a priority to your software vendor (and contribute to the defensive side) or you do not and contribute to the bad guys. Yes, bad.

Not that I blame vulnerability researchers for being immoral. I am a free market advocate: if a software vendor is not willing to pay a competitive price for vulnerability information, it certainly deserves the consequences. I just hate hypocrites that fail to admit the obvious fact that they are no different to blackhats — because «we sell to government and law enforcement only» clause makes no real difference.

But, wait!

They ARE different.

The ideal black market for zero day exploits is free and open for anyone, including software vendors searching for the exploits in their software. You, as a seller, do not want to sell your exploit to the vendor of the vulnerable software, because you are interested in the exploit's longevity. But on the black market there is no way for you to know if a buyer works for the vendor (directly or indirectly).

Contrary to that, the real market (thoroughly regulated by the government) completely rigs the game to the detriment of the software vendors. First, a software vendor is explicitly banned from participation (by this «we sell only to law enforcement»), no legitimate purchases for a vendor, tough luck. Second, it is open for trusted brokers who make huge profits from the fact they got government approvals (see HBGary leak to find out how hard some people try to set a foot there with quite limited success).

Needless to say, newly proposed so-called «cyber arms regulations» only worsen the situation, making free black market for zero day exploits illegal in favor of government-approved brokers.

So they are not «just» blackhats. They are the most vicious breed. They found a perfect exploit for the government. They use regulations to defeat their victims.

Smartphone is a computer (actually, not, but it should be)

There is a simple remedy to many information security woes about smartphones.

And it is simple. And extremely unpopular. Vendors, operators definitely won't like it.

Just it: turn a smartphone to a computer. No, not like now. Really.

A computer does not run «firmware» bundled by «vendor» and «certified to use». It runs operating system, supplementary components like libraries and device drivers, and applications, both system and users'.

And there are updates. When there is a bug, an update is issued, not by the computer vendor, but by the OS or other software vendor. While «firmware» which FCC et al should care of is the tiny thing that runs inside broadband module you user probably never think of at all.

I've seen people arguing that it would break things. Due to device fragmentation people will get broken updates, brick their phones and overload repair centers. Come on. Never seen bundled OTA firmware update doing that? It is actually safer if the update is going to be granular and won't touch things it does not need to.

But you won't ever seen unfixed remote code execution bug to stay for years or even forever if your phone vendor decides that it no longer necessary to support this model.

I want my smartphone to be a real computer. With OS, applications, and no unremovable bloatware that is burned in by the vendor or (worse) MNO. Do you?

UPDATE: and surely initiatives like this will get middle finger as they deserve and no questions could be raised. You may run anything you want on your COMPUTER.