Schneier on Security
A blog covering security and security technology.
« Jacob Appelbaum's 29C3 Keynote Speech |
| Automobile Data Surveillance and the Future of Black Boxes »
February 15, 2013
Friday Squid Blogging: More on Flying Squid
Japanese squid researchers have confirmed flying squid can fly, and how they do it. (Note: I have written about flying squid before.)
As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.
Posted on February 15, 2013 at 4:09 PM
• 45 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Of all the articles lately grappling with the "Too Big to Jail" problem-- large financial institutions and their officers being spared criminal prosecution or serious penalties because of fears of the disruptive effects of doing them real damage-- this one from Rolling Stone is far and away the best, for its clear and nontechnical explanations of several rounds of HSBC malfeasance, the LIBOR scandal, and the overall dilemma.
Fascinating piece on drone attacks, access to "your computer" (and the question of what that is these days), border security, and the 4th and 5th amendments. The fact that a popular, mainstream blog like the Belmont Club is discussing these issues is A Good Thing™.
Droning is not just about due process; it is inextricably connected with the issue of what the State can know and not know. The constraint on condemnation or exculpation is information. And you have to be careful that the state gets not only the parts that get you into trouble but also the parts that get you out of it. If page 1 may doom you and page 2 may save you, how much is in your interest to reveal to the state?
Some say all of it. Why not reveal all to the state if “you have nothing to hide”? The state assumes that whenever it can’t get at something, there is something to hide. In the 11th circuit decision quoted by Kerr, the state based its demand for a password on the fact that parts of the defendants hard disk were encrypted. And therefore they alleged it probable that the defendant had something to hide. But the defendant successfully argued that empty encrypted sections of the disk could be inaccessible. The state had no grounds for presuming that whatever was inaccessible was probably of a criminal nature. It could literally be nothing.
Of course many of us might conclude that one way to completely safe from the drones is to live your life like the Truman Show. In full view. With nothing hidden no guilt can be imputed. You hope. So while the debate over how to regulate drones has been centered around the question of due process, by its nature its resolution will involve to an almost equal degree the 4th and 5th Amendments.
I know this is a long quote, but it's all good ... and as they say, read the whole article.
A kid was carrying a folding military-style shovel (for a class discussion about WWII) on school grounds. Somebody who saw him thought it looked like an axe, so the school was put into lockdown and the police were called in.
Some local people are saying they feel the authorities responded appropriately, presumably on the basis that while it was clearly an overreaction, considering recent events if it had been a real weapon and they did nothing it would be a catastrophe. I guess I'm just not sure why people think this way. Yes it was an overreaction, but is the only alternative not reacting at all? Couldn't the staff member who saw the kid stop him and ask what he was doing? The ordeal could have been resolved in minutes. Before becoming an ordeal even.
re Petrea Mitchell's link
Interesting article about Russia and their dashcams. I heard about dashcam use in the past. I was thinking about Americans doing the same thing. The main risk I came up with was how do we give courts the part that incriminates the other driver, but nothing that incriminates the owner? And without tampering with the video, which might not be allowed?
The scheme was a recording system with certain features. The system would constantly record and compress the video using typical components. However, the storage system would only save so much footage in each file. Each file is encrypted with a separate key. Cryptographic timestamping is optional. Users wanting to capture the moment during a wreck could query the system for just what they need and provide the keys for those videos.
This gives the benefits of editing out unneeded footage without tampering with the original footage. Device-based authentication of video data can also reduce risk of fake videos: everything's traceable to the device itself, with attacking needing to be very sophisticated.
After that, I got more down to earth. ;) I switched my view to the real goal: preserving just a small portion of video, while getting rid of the rest. I remembered how black boxes in airplanes function. Then, I decided the main goal could be achieved by a camera that continuously records the last 5-10 minutes of footage. The owner flips a switch just after an incident to make sure nothing is overwritten further.
The wreck and immediate owner activity will be over in a few minutes. Why 5-10 then? Well, there's usually plenty of trash talking and sometimes fighting just after a wreck. The camera will capture some of it. The owner might be able to use that for a self-defence claim or to catch other party admitted fault.
The asteroid and meteor events are interesting. A rare event was captured by numerous dash cameras and stupidity was captured on CNN when an anchor asked if global warming and the asteroid were related. And recently cameras captured image of a giant squid.
The common thread is the time machine that images and digital storage give us today.
Add ex-LAPD cop Christopher Dorner to the mix and his rants on historic abuses in the LAPD where honest images might have defused a decade of paranoia.
Yet as folk with cameras will note there is an increase in the hostility toward camera carrying folk.
Watch how those in power attempt to control images.
@NickP - helmet cams are popular here among commuting cyclists.
They record an hour or so of VGA footage to an SD card so you overwrite it each day. When you have an accident you have proof of the idiot pulling out in front of you.
@ Petréa Mitchell,
Today's excitement in Chelyabinsk has highlighted the widespread use of dashboard cameras in Russia for protection against fraud...
The bit that struck me most was the Russian regard (or lack thereof of the Police)...
In the US we know corrupt cops will as we know resort to (supposed) legal ways to keep adverse footage unseen...
One such is prosecuting the camera holder with "wire tap" legislation. Others that have been seen for instance in the UK is the deletion of the footage by officers on supposed "Anti-terror" legislation, along with the taking and losing/damage of the cameras involved.
Legaly these days (in the UK) you are supposed to reveal your case and all evidence to the other party otherwise a judge can rule it inadmissible or worse be used against you (this includes evidence you might rely on for your defence).
This way the British Police avoid "criminal convictions" for perjury and at worse face civil litigatiion for which the victim of their abuse rarely has the funds to bring to court. Thus it ends up with the likes of the (supposadly) Independent Police Complaints Commission (IPCC). Which as it is basicaly other (now Ex) Police officers investigating the offending Police officers, their results are not what you would hope for. Perhaps unsurprisingly their results when compared to civil proceadings against the Police indicate why the Police want you to force you down the IPCC route...
@ Nick P,
So the problem I see is a little more than only showing what you want to show for instance in the UK we have legislation in place (RIPA) to force you to decrypt or go to jail for a number of years.
So you need "Policy" in place to show why the system automaticaly deletes and overwrites any video. The cycle helmet cam @nobodyspecial mentiions is one such de facto policy, but the disadvantage is if you lose control of it then it auto deletes what you want kept. For instance if the helmet wearer gets badly injured there is quite a significant chance they will get seperated from the helmet for some time. Whilst with the helmet cam it will probably just stop if it runs out of space it is less clear what will happen if the battery dies. There is a significant chance the FAT entry won't get written correctly which might make recovering it difficult at best.
But the real problems are,
Firstly how to stop your video getting lost / stolen / destroyed before you can use it against whomsoever has attacked you.
Then secondly getting a court to accept it as evidence.
Thirdly and importantly without giving it to those who attacked you so they can build a story to "fit the film" prior to them testifing in court.
To give you an idea why,
Quite a while ago in the UK we had unidentified Met Police officers (in the TSG etc) taking and destroying journalists cameras where the journalist concerned had recorded Met Brutality to peacful protesters. One journalist had made many complaints and the Met just ignored him and then victimized him. So he used one of those early covert video systems and got the Met officers on film which was then broadcast on national television. So the Met rolled out theiir "one rouge officer" line as a defence...
More recently we had a case in the UK of a youngster being dragged into a Poliice van then a Police officer threatening the youngster that if he did not do as he was told they would fit him up for another crime. The Police charged the youngster and it went to court. The Police officers made their statments and denied the "allegations of the defence" made by the youngsters legal representative and then the youngster played back the sound recording he had made on his mobile phone... The judge was not happy about it to put it mildly.
The result is now the Met Police get realy realy nasty if you try to use a mobile phone whilst they are 'talking" to you...
Whilst I know that many Met Police officers are OK there are considerable preasures in the job including Government "Targets" that cause some amongst their number to not be as impartial as they should (see recent "Pleb Gate" incident).
So there is a lot at stake, not just one or two supposadly "rouge officers" but what was once described (with regards to racism in the Met) as a "Canteen Culture" of "Them and Us" or as now often called "Bunker Mentality". And guess what it's still alive and well two generations or more of police officers later.
So the greater the push from the public then the greater the lash back from the Police that can be expected.
Thus you need to have some method of putting your evidence beyond any attempt to destroy it or cover it up, whilst still ensuring a chain of custody and admissability of it to court.
Thus you are most definatly looking at a real time transmission system as part of the equation.
@ Petréa Mitchell,
Of all the articles lately grappling with the "Too Big to Jail" problem-- large financial institutions and their officers being spared criminal prosecution or serious penalties because of fears of the disruptive effects of doing them real damage--
The idea of "Too Big to Fail/Jail" is a myth plain and simple with which the tax payer has been bamboozeld.
If you look behind it there are three main reasons why the myth is perpetrated by those in power,
1, Their Failure to act to regulate.
2, Their guilt in being "bought off".
3, The issue of "Insurer of Last Resort".
Whilst regulation is portrayed by many vested interests as a "Cat and Mouse" game where the Government Cat stifles inovation, thus the market should be unregulated... It should now be obvious to all that, that argument is as faux as the markets these "masters of the universe" created to in effect steal money from anyone and everyone.
We now know that "Whilst the cat was away the mice did play" and boy did they play. With it though went most normal peoples ability to insulate themselves from an unknown future that was being deliberatly manipulated against them.
Why was the Cat away? well he was being wined and dined by the mice, in order that the cat be stupified and too insensible to act as it should.
The mice ensured that the cat stayed stupified by methods that most would consider to be coruption, which not just the elected politicos bought into but the supposed independent civil servents as well.
In one respect the "Market knows best" argument is correct in that the "Market knows what is best for those who run it and collect the rich fees" and also those they chose to divert a little largesse to by flicking a few crumbs off the table in their direction.
The problem is at the end of the day "ponzie schemes" always fail it's just a question of when and who picks up the tab. And when looked at many of the Market offerings would appear little different to ponzie schemes or other scams to the "uneducated eye". And as we are now acutely aware when there is no downside for those runing such schemes there is no check on their proliferation. So who picks up the bill for such behaviour, well certainly not the traders and their bosses who keep not just their ill gotton bonuses but their freedom as well, it's the shareholders, customers and taxpayers.
The "To big tto fail" idiocy started in the UK with Northern Rock, a smallish bank, which Gordon Brown (PM) and Alister Darling (Chancellor) should have let go to the wall rather than bail out. At the time it was portrayed as trying to retain confidence in the banking industry. The reality was anything but...
We have subsiquently found out that the likes of Fred "The Shred" Goodwin and chums had been wining and dinning the pair of them and thus the question arises of just who was the puppet and who was the master. There is good reason to belive that the now very much discredited 'shred' had actually been dictating government policy for very many years either directly or through "special advisors" and those on secondment from industry into the Treasury.
They of course know "where all the bodies are buried" thus the complicitous politicos and civil servants had a great deal to fear.
Added to this we also later found out that under Tony Blair and Gordon Brown the country had been bankrupted beyond any timely recovery. Thus there could be no "Insurer of Last Resort" to make payment.
Thus the stage was set and it turns out that the cat and mouse idea was all wrong, whilst the cat was found to be a nuetered old fle bag grown fat and lazy on handouts the mice were in reality wolves not in sheeps cloathing but the araignments of rats.
You might think about banks "too big to fail/jail", but there's one power triangle that has inserted itself above all others and that is the information technology triangle. Combining information technology degrees with ethical/philosophy/psychology degrees has never been more important.
i guess this is the right place to ask
how does everyone feel about the prisoner X debacl?
seems to me it is the only logical way to deal with media exposed black ops teams
problem is if the teams know what fait awaits them, well it could put a dampner on requitinv.
"@NickP - helmet cams are popular here among commuting cyclists.
They record an hour or so of VGA footage to an SD card so you overwrite it each day. When you have an accident you have proof of the idiot pulling out in front of you."
That's nice. Could just put one in the dash.
@ Clive Robinson
Good to know you Brits have it worse than us. ;) In USA, each police department has its own culture, rules, etc. Each court has its preferences. So, you can be railroaded/threatened in some places or have your rights in others. Generally, the more crime is in an area, the more cops will cut corners.
Real-time transmission sounds like a good idea. A past design of mine for this exact thing put the receiver in the car. It's hidden somewhere. It also has tracking. This serves the purpose of maintaining video and helping locate the car after a theft. Extra paranoid people can have the device connect over cellphones or nearby WiFi to a PC in a home or business.
"You might think about banks "too big to fail/jail", but there's one power triangle that has inserted itself above all others and that is the information technology triangle. Combining information technology degrees with ethical/philosophy/psychology degrees has never been more important."
Unless there's context I'm missing, I disagree. The main power cartels in the US are pharmaceutical, energy, media, "defence," and banking. They bailout situation showed the banking industry owns the government: they overruled the vote of the public and all the information in the world didn't change it. Defence industry was boosted by 9/11-initiated paranoia. They received hundreds of billions in funding, vast powers, etc. Major media's effect, in spite of alternatives available, is still very strong. And so on.
Information is key to having power in a situation. However, the people and companies involved in that are usually just tools for the real power holders. Even the NSA's vast data center will be run by IT guys and analysts who merely "report" to managers. In the commercial sector, IT is almost a commodity. The real winners in information are the largest companies holding the most patents and data.
Here's a story about risks deriving from using a smartphone app in ways that the designer did not intend.
Professional high-stakes poker player Barry Greenstein is warning about a vulnerability in an iPhone app for a gambling game called Open-Face Chinese Poker that can be used to cheat other players. (News story Greenstein's blog post)
It's a complicated card game to play, and playing on an app simplifies it. (It's also easy enough to play with others on one's iPhone in a cardroom while waiting around for a game to start.) So people who play games for money are playing games for money over their iPhones.
Greenstein writes about playing against a particular high-stakes player. In the classic hustle pattern, they start playing for (by Greenstein's standards) cheap and the hustler losing. Then the hustler asked to kick the stakes up. At the high stakes Greenstein lost significantly ... and noticed:
Now, it's not that he beat me, but it's how he beat me. It seemed like after being in trouble he kept getting saved on the river over and over and over. Even though it was believable that he was a better player than I was, I decided I wanted to start keeping track of when he needed to get outs in these situations. When he had to get an out on the river to beat me, I wanted to see what his percentage was.
I started keeping track, and the next 14 times it came up, he hit seven times. Now that's not every time, but it was enough that after that I quit.
I have a nephew who is a programmer and I called him up. I told him I thought I was being cheated, and asked him if he could figure out if there was any way you could see if a person could download this app and perhaps change the cards or do whatever, because I suspected there might be something going on here.
My nephew downloaded the app and once he had a chance to start looking at it he called me back within 30 minutes. He said anyone who's a programmer who knows how to hook up an iPad to another computer could easily cheat using the app.
He said he could see all the cards and do whatever he wanted. I asked him if he could give me a demo, and we played a game and he sent me three kings on top, a flush in the middle, and a straight flush in the back. He explained that anyone who was a programmer or who had a friend who was a programmer could cheat me at the game, no problem. ...
Using a proxy server, with the current version of the app, you can see all thirteen cards of yours and your opponents when each deal is begun. Most cheaters wouldn't spend the time to change the cards as my nephew did. They would know whether their flushes and full houses were going to come in, which allows them to play efficiently like normal Chinese poker. ...
My nephew got in touch with the app's programmers to tell them what they have to do to fix their app. The Apple documentation actually explains how to make an app secure, but when these programmers wrote this Open-Face Chinese Poker app, they didn't know people were going to be playing for lots of money using it. And so they didn't write it in a secure way, because they thought it was just going to be a fun game that people were going to play for free. So it's not even really their fault.
Being cheat-resistant was not in the app's design spec. The game designers did not anticipate that users would be playing the app for money. But users are playing for money, significant enough money to make cheating attractive.
ICT is the new kid on the block. Banking has been around since the birth of coin, ICT is relatively new. ICT is the glue that permeates and surrounds all business protocols and processes in the western world in banking, energy, pharma (and the others you mentioned) and also imprinting its foot on the social world through social media. Maybe I'm running ahead of time with my thoughts, but it seems to me the real power broker is/will be the (military-/)information-security complex. As a decendant of the military-industrial complex, to me it's no surprise its centre of gravity is also in the USA. (Google, Yahoo, Amazon, Microsoft, Apple) Give it a little more time.
To have data on people is to be able to squeeze them. Or influence/persuade them. Therein ('the complex') are to be found better agents/motivators than for example squeezing through coin or fear. Information also squeezes through guilt, shame and a plethora of other primal emotions. I am not wording it very well, but I'm trying to work my way toward Bruce's post on Power and the Internet as well as give it a little more context. Nick P: Do you dare predict the future 100 years from now?
I see what you're saying now, maybe. The second post makes plenty of sense, esp. wrt to influence or squeezing people. I think someone claiming to predict 100 years is stretching the truth to a near breaking point. I'd only claim to predict 5-10 years at a time for general things. My prediction is that the worst of the current trends will continue.
First off have you changed the device you use to make entries on this site?
But back to your question,
how does everyone feel about the prisoner X debacl...
Well first off if you ask anybody in the UK you'll get a blank look as little has been reported on it over here until after the ABC documentry. Most noise is (perhaps not unexpectedly) in Auz.
So an obligitory Wiki link ;-)
And a recent one from the UK"s Guardian (That Bruce used to do the occasional piece for).
One thing that needs to be said is UK newspapers are a bit touchy over Israeli Kidnapping of informants due to what happened in Rome with Mordechai Vanunu who was the man who leaked the fact that Israel had nukes to a UK newspaper who then due to their abismal investigation technique alerted Israeli authorities as to where he was. They then mounted a honeytrap operation and he ended up in an Israeli prison for quite some time.
Even though he is nolonger in prison the rules he is required to live by he might as well be in prison still. So any potential agent for an other Nation or entity is going to know what as a minimum their punishment is going to be like under Israeli hands.
But there are some oddities about Prisoner X's case. Although of Auz birth and dual nationality passport holding his body was sent to Auz, not in Israel, even though he was married with two children.
Further the wife and children appear to have likewise disappeared or have gone into hiding
There is also the question as to how he managed to kill himself in a supposadly suicied proof cell with CCTV watching his every move.
The judge in charge of his case appears more than somewhat troubled by his death, and there is speculation that the guards were ordered to stop watxhing him at all times.
All in all it's an interesting case that I suspect the Israeli Government realy does not want discussed in public or court...
After a little hunting around it gets curiouser and curiouser...
It appears that the prisoner was originaly outed by another Mossad connected individual to an Auz journalist working in Israel.
Apparently he and two other Australians were running some kind of Electronics / Communications company out of Europe selling kit to Iran and one or two other places on the US and Israel "Axis of Evil" lists. Apparently the Journo confirmed the prisoner and one of the other ID's. As the prisoner was still living in Israel at the time the Journo "doorstopped" the prisoner at his home and accused him of being a spy.
You get the impression that originaly it was a Stuxnet related lead.
However what becomes of more interest is the other alledged actions with regards the asssasinatiion of the Hamas leader in Dubi and what was revealed about Auz passports.
It appears that the prisoner had used a legal loop hole in Auz law that enabled him to change his name once a year and get new travel documents. Apparently he had done this four times and thus he was brought to the attention of the Auz secret Service (AISO) who repeatedly questioned the prisoner and was putting significant preasure on him.
So it's aledged the prisoner in effect became caught between the two spy agencies and further unusual allegations made. One of which is he tried to cut a deal with Dubi for protection in return for supplying information on the operatives involved with the Hamas leader assassination. And it was for this that he became a "john doe" prisoner in possibly the most secure facility of it's type in the world.
More oddly it appears thet Auz was well aware that he had been imprisoned, but not via the usual consular channels used when people are in trouble abroad. But via intelligence channels via the ASIS officers in the Auz Diplomatic Mission in Israel.
It looks like both the Auz and Israeli politicians are getting very upset with their respective governments over the "Boy's Own / Boy Scout" behaviour of Mossad...
I had a play with a car-mounted video recording camera - called the CrashCam Pro. It also records audio, but of course most of the time its either the car radio or me yelling at the idiots on the road!
It records to a SD card in 5 minute chunks - thereby allowing you to "not show" the time when you ran a red light 30 minutes earlier, if you so desired!
I think it retails around the $100 mark.
Now, I really must get around the writing the review I promised!
@Kaithe "I think it retails around the $100 mark."
iCar is 99 cents, if you are an apple customer.
DailyRoads is even free, if you have Android. Also look at HD DashCam.
(I have used none of them)
@ Petréa Mitchell,
Florida is still the US income tax fraud champion. The end of the article has some new information on what's being done to make it a little harder.
Oddly in the UK there is a corelation to supposed personal tax fraud and those "silver Foxes" etc.
I wonder if at a certain age you figure, "stuff em I ain't gona live long enough to do my time, and I've nothing worth taking..."
Squid blogging? Is it a style of blogging,
akin to the adaptability of squids? Is it
admiration for the species? Is it SQUID
tech? I say it is all the above...
especially after remembering the movie
"Strange Days" which was a sci/ fi treatment
of SQUID tech directed by Katherine Bigelow
& co-written by James Cameron. They knew
they were on to something but couldn't
bring it off to a decent film. Something
like that tech has been going on for some
Unique identifiers added to computers when logged into free Starbucks and Mc Donald's wifi (usually provided by ATT)
Hi, I am a user of a couple Nirsoft products. One of them is called Wireless network watcher:
I noticed that when logged into Starbucks and McDonalds, the device name changes and has a extended unique identifier added on, usually the store name and city. also the device information also changes to include the unique identifier. The problem is, sometimes when i log off and log into another network, the unique identifier does not always change, it sometimes remains in place. this means that Starbucks and mc donalds/ ATT inserts a identifier on your computer that can identify you on other networks. Anyone experience this?. Also, I noticed that using starbucks networks after hours or going to controversial sites can get you banned from the network, meaning they can ID you somehow. Just an observation. Apologies If this has already been posted here
"I had a play with a car-mounted video recording camera - called the CrashCam Pro. It also records audio, but of course most of the time its either the car radio or me yelling at the idiots on the road!
It records to a SD card in 5 minute chunks - thereby allowing you to "not show" the time when you ran a red light 30 minutes earlier, if you so desired!"
Perfect! Most good ideas do in fact exist on the marketplace already. Saves me some building. ;)
Incidentally, I like the headline on the second squid article: "Japanese researchers confirm squid can fly as fast as Usain Bolt". I hadn't even known Usain Bolt could fly!
I've been reading up on crypto busting methodologies and I came across the concept of a memory dump. I'd like to try it on my own PC to test for vulnerabilities. Does anyone know the best way to do this? Thanks in advance.
A couple of recent articles by Matt Taibbi and Glenn Greenwald on the too big to fail. One must look back at John Kerry and BCCI: No one wanted the bank closed. Kerry was pressured by both parties to back off.
BCCI was an international bank of Middle East origins whose employees asked few questions of their wealthy and powerful customers, making it a favorite of arms merchants, drug dealers, despots such as Noriega, and intelligence agencies. At the CIA, which sometimes used the bank to launder its own activities, it was known as the "Bank of Crooks and Criminals."
Kerry's investigation, launched in 1988, helped to close the bank three years later, but not without upsetting some in Washington's Democratic establishment. Prominent BCCI friends included former Defense Secretary Clark Clifford, former President Jimmy Carter, and his budget director, Bert Lance. When news broke that Clifford's Washington bank was a shell for BCCI -- and how the silver-haired Democrat had handsomely profited in the scheme -- some of Kerry's Senate colleagues grew icy.
"What are you doing to my friend Clark Clifford?" more than one Democratic senator asked Kerry. Kerry's aides recall how Jacqueline Kennedy Onassis and Pamela Harriman, a prominent party fund-raiser, called on the senator, urging him to not to pursue Clifford.
Kerry and his staff were under intense pressure, and Foreign Relations chairman Claiborne Pell, the Democrat from Rhode Island, began to request that Kerry's investigation end. Blum brought the evidence against BCCI to the Justice Department, but was rebuffed. With Kerry's blessing, he left the staff and took the case to New York District Attorney Robert Morgenthau, who filed the indictments leading to the bank's collapse in the summer of 1991.
But, if you ask me about Kerry's qualifications as Secretary Of State, I will answer in an acroynym — BCCI.
Back in the 1980s, the Bank Of Commerce and Credit International was a kind of laundromat for cleaning the money of almost every bad operator on the world stage. It got away with it because it was wired into the political elite in every country in which it did business, including this one. (Recently, HSBC got fined some pocket change for having washed billions in drug money. People raised the appropriate hell over letting the management of HSBC slide without prison time, Trust me on this. BCCI made HSBC look like your local credit union.) Back in 2004, in a profile for this magazine, I talked about what the investigation of BCCI said about John Kerry.
In the Senate, throughout the 1980s, Kerry made his mark spelunking down the darkest caverns of what had become a reinvigorated secret government. He chased the illicit aid to the contra rebels in Nicaragua and the byzantine operations of a bank called BCCI, a sort of international ATM for black ops. And he did so alone, as far outside in the clubby world of the Senate as he ever had been in Massachusetts. "This was a bad case of bubonic plague," says Jack Blum, Kerry's investigator through those years. One prominent Democratic senator tried to sabotage Kerry's investigations, and the Republicans, riding Ronald Reagan's popularity, went after him as harshly as the Nixon people ever did. In fact, it is a kind of unprecedented historical parlay that John Kerry's name appears both on Nixon's White House tapes and in the notebooks of Oliver North. For Kerry, the investigations were pure reform politics, but they also were leavened with a respect for what happens when people are tricked away from their investment in their government. "It's antithetical to everything we are," he explains. "A government with secrets is accountable; a secret government is not. And when that happens, the American people are cheated of what is rightly theirs."
.... When he went after BCCI, he did so against the advice of almost everyone else in Washington. who didn't want their secrets revealed or the bodies dug up. For his entire career, Kerry's political imagination has encompassed the possibilty that his own government may have been complicit in crimes, and that has made people very nervous.
Read more: The Confirmation of John Kerry - Secretary Kerry - Esquire http://www.esquire.com/blogs/politics/...
And then there was Nugan Hand Bank -- drugs, arms trafficking, money laundering in Asia—
THE CRIMES OF PATRIOTS — A TRUE TALE OF DOPE, DIRTY MONEY, AND THE CIA by Jonathan Kwitny
Complete book is online here:
To recap on Dash Cams:
1) 5 minutes recording time. You can show the video of the crash without showing anything else and also without editing the video.
2) Storage of the 5 minute files needs to be on a separate device than the camera so that it can't be tampered with by an adversarial agent. Preferably something that can't be easily confiscated.
3) May be better if the device is hidden/unknown to others except the user. If the police see a camera there might be backlash or preemptive action?
4) The problem of admissibility is a court regulations one but may have a technology solution.
If the police see a camera there might be backlash or preemptive action?
--Why? They do it to us and it's a public location. If they make assumptions that aren't true, that's their problem. I was just involved in a hit-and-run accident where my car was parked along a street and someone slid into it and fled the scene. If I can't prove who did it, I'm stuck with the cost. So perhaps you may want an extra battery to run the camera when you're away from the car. Luckily, I had witnesses and I believe we have found the perp.
--Forgot to add, it may be nice to have cameras in rear-view mirrors instead of just front-facing one to capture sides and backside. You can move a mirror electronically from cabin and I recently had one split open so there's room to add some hardware and route wires.
Good points. I'd add that a panoramic image of the entire outside of the car would be ideal. A few years ago I threw together a concept that used those cheap, high-res, small cameras to do this. The whole setup might cost $500-1000. That's pretty reasonable in a bad area, with valuable assets, brand new car, etc.
Some people will say, "Just get full insurance." Oh yeah, might do that if it's cost effective. I just want some justice done. Too many of these hit and run pricks get away with their crimes. In theory, a fast response might even catch a DUI driver. Those kind of outcomes would be quite rare but they're impossible without an evidence collection mechanism in the car or onscene.
--Yeah, full insurance is a rip off. But yeah, the cops basically shrugged their shoulders at me; and I would be SOL if there wasn't a witness, yet again proving you have to protect yourself when these random things happen (to me too often) and it isn't paranoid overkill. In this instance, protecting yourself is collecting evidence.
The prick also gave me a gift by leaving his car out on his driveway so I could stop by and get what I needed.
"Yeah, full insurance is a rip off. But yeah, the cops basically shrugged their shoulders at me; and I would be SOL if there wasn't a witness, yet again proving you have to protect yourself when these random things happen (to me too often) and it isn't paranoid overkill. In this instance, protecting yourself is collecting evidence."
Oh the irony that you and I would talk about evidence of accidents then I get in a wreck later that day. My car was just smashed up nicely. Other guy's looked worse. The guy lost control and spun facing my direction. He landed there just before I came around the corner and I couldn't stop on the wet streets. We hit [almost] head on.
Fortunately, he was a straight up guy. We both felt it was just a freak accident. The cops got an accurate account. Who knows who will be at fault. It would be much worse if the other party was dishonest and I didn't have the dash cam we've been discussing.
All in all, though, I was feeling great despite the situation and freezing rain/wind.
--Aw man! C'mon..Guess we better talk about only sunshine and butterflies. :)
In the Marin county (California), the sheriff's department acquired a US$370,000 Bearcat G3 armored vehicle, with the cost being covered by a federal homeland security grant. Although Bruce has mentioned that improved emergency response capabilities can benefit multiple locations (not to mention also providing benefits for both natural and man-made disaster situations), not everyone in the area is convinced as to the need for such a vehicle. (A county supervisor mentioned security issues regarding the Golden Gate Bridge and the Richmond oil refinery, along with a case where a section of I-580 was temporarily closed due to a sniper.)
In October 2009, Popular Mechanics did an article on dangers posed by militarization of law enforcement. Among other things, the article talks about the difference between militaries and law enforcement (i.e. law enforcement is about protecting the rights of citizens with a minimum of force) and the subtle aspect where an officer who dresses like a soldier is more likely to act like a soldier (i.e. less regard for civil liberties.)
--None needed. I wouldn't initially wish upon police officers what you say, only after they initially attack me and treat me like an enemy combatant in a warzone (I assume you feel the same way). No one in their right mind (I've talked to soldiers who enjoy blowing people's brains out, it's fun to them) wants to live in a warzone. Officers of the law are treating real oversight as a foreign agent conducting surveillance.
I just want to be left alone and immerse myself w/ all the wonders of aspects of the universe.
Time to get your Heston Blumenthal equipment out and cream an Android phone for it's memory contents even though it's encrypted and locked,
As the artical says more physics than security, but... it's potentialy one step better in an overall attack, which would still need to get the encryption key somehow.
This one does amuse slightly...
It's a bit of netiquette for the chaps from Sophos's Naked Security about not getting naked on line,
It also pays to remember what country you are in, some countries have laws against various private acts which are quite legal in most parts of the world. And whilst such laws might seem daft or silly to you, you could find yourself committing a criminal act that could potentialy lead to jail time.
@ Nick P,
I know you know what a data diode is and the many many ways you can make them.
However I suspect sometimess you have to explain it to people (as I do ad nausium) when talking about Air Gap security and data bridging.
Well I was looking at a security blog I'd not seen befor (they number in the hundreds if not thousands these days ;-) and saw this link to a nice simple explination with nice pictures so that even the most un-IT exec can get to understand how it works,
It even gives a recipie for a roll your own only I think it's way way to expencive but it is simple.
My prefered way before they became "rarer than hens teeth" was two 4port hubs with a crossover cable between them with the RX pair cut and to use the Unix logfile via UDP, with the logfile server in the unsafe network. Prior to that a simple mod or two to the SLIP code given in a well known UNIX Network Programing book to send UDP only over an RS232 cable with the RX cable cut.
Any way enough for the day, it's time to get to the Hospital and see if they want to top off my blood or not yet (such are the joys of anemia as a side effect of other problems) If they do then I'm in for the weekend :-(
@ Clive Robinson
"Well I was looking at a security blog I'd not seen befor (they number in the hundreds if not thousands these days ;-) and saw this link to a nice simple explination with nice pictures so that even the most un-IT exec can get to understand how it works,"
Yeah, the explanations and visuals are great. Good find. It's an interesting coincidence that I was about to respond to a data diode related post on the Nexor guy's blog. I might hold off on that or just reference this post instead.
"It even gives a recipie for a roll your own only I think it's way way to expencive but it is simple. "
Yeah. Your design is nice and simple. Mine was one-way ethernet, with plenty DIY online for it. Fiber, non-DMA IDE and serial were also options. I found inexpensive embedded boards running linux or RTOS's that can take the place of the $300 cards. His setup is way too expensive, although maybe justified in some use cases. The use of OpenBSD is a good choice if free COTS OS is to be used. GENU uses an OpenBSD-derived OS in their security appliances, which include a data diode. I'd harden the crap out of it, though, by getting rid of all unneeded code and using every protection mechanism on security critical functionality. OpenBSD is actually strong on code quality, but weak on protection mechanisms. For readers, XTS-400's STOP, KeyKOS and JX (recent) are examples of OS's with very strong protection mechanisms that differ in nature quite a bit.
Some of the design on page 3, the externalizing of networking via proxies, and use of UDP-based protocols instead of TCP are very similar to designs I've posted here over the years. I particularly like UDT variants for reliable transfer. My designs were superior in the area of assurance. Like Micro-SINA, I prefer using a solid microkernel scheme to isolate the different components into POLA-enforced partitions with their own memory and stuff. An untrusted component would handle the protocol juggling, preparing for transport. A trusted component would convert that into the simpler data diode packets. The data is moved across protection domains so as to invoke kernel protection mechanisms and keep memory separate. Untrusted component compromise doesn't result in easy information leaks or compromise of trusted components. Micro-SINA, as stated, already did this for an IPSec VPN with small TCB. A data diode is potentially much simpler. INTEGRITY-178B in evaluated configuration could do it and was already certified EAL6+. OKL4.Verified on ARM might be decent too.
(Note: Using special purpose hardware nodes for each component with careful interconnection can get microkernel-like assurance w/out needing to be a developer. Cheap chips with all unnecessary stuff disabled can be used. I posted similar designs for decomposition of systems using PCI cards and backplanes on this blog if anyone wants to look into that concept. I also used ARTIGO's for some nodes b/c they have crypto acceleration, TRNG, Intel VT, IDE for non-dma connection, $300 brand new [then], etc.)
Of course, data diodes are but one option. I dare say they're even the most primitive option for what they intend to do: the Navy's Pump designs were way better as they allowed acknowledgements while controlling the covert channel. Pump also inspired my memory partitioning strategy: their design has a buffer between Low and High networks where data moves in a two step process, always hitting the buffer first. Isolation of internal memory from shared buffer memory was done in hardware.
Another hardware-centric design for a guard is Rockwell-Collin's Turnstile guards that use their verified AAMP7G processor to enforce isolation between networks. An AAMP7G-based guard is potentially more flexible b/c it's general purpose & can prevent leaks between protection domains. The A1/EAL6/EAL7 class trusted software on suitable hardware are also a decent option as they are vastly more flexible. GEMSOS comes to mind in particular b/c it was used for guards, VPN's, access control, trusted databases, etc. And that's 1980's-90's technology. ;)
Note: The main benefit of the more general purpose building blocks is they can be upgraded later. Planned properly, this can be done without redoing previous work on the installation or configuration of the deployed protection scheme. Trustworthy, trusted software is malleable to the defenders, but not [likely] the attackers. So, it might start a data diode, then it's a link encryptor, then it's a VPN... and so on. Each leverage the protection mechanisms and optionally previous developer work.
"Any way enough for the day, it's time to get to the Hospital and see if they want to top off my blood or not yet (such are the joys of anemia as a side effect of other problems) If they do then I'm in for the weekend :-("
Good luck to you. Just remember to sneak in the mobile phone so the blog won't miss your presence.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.