Friday Squid Blogging: Squid Vision

Some squid can see aspects of light that are invisible to humans, including polarized light.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on March 2, 2012 at 4:41 PM • 52 Comments

Comments

kashmarek • March 2, 2012 5:07 PM

Startup wants to peek through your home video cameras

www.schneier.com/blog/archives/2012/03/friday_squid_bl_315.html#comments

David • March 2, 2012 5:10 PM

I'd love to see the videos of polarised light rendered as colour. Anyone got any links?

Carl 'SAI' Mitchell • March 2, 2012 5:41 PM

Polarized light can be seen by humans, in certain situations, without any equipment.
Mainly, our blue light-sensing cones are sensitive to polarization. Haidinger's brush is the most common manifestation of this. It's pretty easy to see when you know to look for it.

http://en.wikipedia.org/wiki/Haidinger's_brush

Jim • March 2, 2012 6:40 PM

"Some squid can see aspects of light that are invisible to humans ..."

Cf. "The Damned Thing", by Ambrose Bierce.

RobertT • March 2, 2012 8:49 PM

OT "breaking bad"
I'm not sure how many have seen the US TV series "Breaking Bad"; it's about an honest 50-year-old Chemistry teacher who gets diagnosed with cancer and decides to make some serious money, before he dies, by cooking Meth.

Since it is Friday, I thought I'd ask the question:
How many security professionals reach a point in their life where they really consider "breaking bad"?

I know that I was recently approached with a proposal, to reveal what I know about the internal workings and weaknesses of certain secure processors. Let's just say that their interest in hardware exploits was not academic.

I didn't want anything to do with their enterprise, in part because the gents seemed much more adept at busting bones than exploiting hardware weaknesses. I also found it disturbing that the two Asian men present were missing the last joint of their little fingers. Anyway they concluded the "business meeting" by suggesting I take one of their "girlfriends" upstairs to properly consider the proposal.

So I'm just wondering, How common is this?
Security professionals "breaking bad"!

Petréa Mitchell • March 2, 2012 9:33 PM

I'm not sure if Bruce has gotten this "meta" yet, but for those with an interest in the faults of the human brain, here's a study finding that hard-to-pronounce names appear to give their bearers a status penalty (PDF). As the paper notes, there's prior research finding that names which are "weird" or seem less familiar tend to evoke less positive feelings, but this is the first study trying to look just at the inherent difficulty of the name itself.

The human brain consumes a huge amount of bodily resources in normal operation, so it's always looking for ways to save energy, and one of them is to simply not take more resource-intensive paths if it doesn't have to. (If it does have to, it starts constructing pathways to perform the task more efficiently.) The premise here is that the added cognitive effort of processing a name where the pronunciation is less obvious is enough to trigger this effect, causing the brain to shy away from accessing it. Then the availability heuristic takes over from there.

bcs • March 2, 2012 10:36 PM

http://www.popsci.com/science/article/2012-02/boy-who-played-fusion?page=all

""""
We land in Reno and make our way toward the baggage claim. “I hope that box held up,” Taylor says, as we approach the carousel. “And if it didn’t, I hope they give us back the radioactive goodies scattered all over the airplane.” Soon the box appears, adorned with a bright strip of tape and a note inside explaining that the package has been opened and inspected by the TSA. “They had no idea,” Taylor says, smiling, “what they were looking at.”
""""

confused • March 3, 2012 1:09 AM

With regard to the hack of JPL, why is it that the dastardly Chinese can do EVERYTHING except hide their initial IP address in Mainland China?

Clive Robinson • March 3, 2012 1:16 AM

@ Petréa,

As the paper notes, there's prior research finding that names which are "weird" or seem less familiar tend to evoke less positive feelings, but this is the first study trying to look just at the inherent difficulty of the name itself.

Just one of the reasons I put some serious thought into choosing names for my offspring.

Others were,

Not to pick a name that could easily be mispronounced deliberately (a young lady I used to know was called "Emma" but got called "Em" or "Ember" in her teens much to her annoyance).

Not to pick names where the initials spell words or other names ("JEB" being GW Bush's brother and also easily mispronounced as "pleb").

Not to pick names that had unfortunate contractions (I used to work with a person called "William Powers" not unsurprisingly he called himself "Liam" and got upset if you called him "Willy").

Not to pick names that have phonemes that are not in major languages (My own name "Clive" cannot be pronounced by well over half the people in the world, including many who speak English as a second language).

Not to pick names that are rare but only slightly different to other more common names (again with "Clive" tmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm
Not to pick names low down in the alphabet for both first names and last names (so no Zackeris etc).

However there is also another problem with selecting names of offspring yet to put in an appearance, whilst initially referring to them in gender neutral terms such as "the alien space prawn" or worse (which can come back to haunt you), what if you didn't look at the scan to know if it's a girl or boy... It's potentially going to be double the trouble.

Do you do the daft thing and pick just one name such as Nigel and then do a last minute change after the birth to "Nigella" (she might be a "domestic goddess" but her father the politician Nigel Lawson did her no favours in her early life with that name), or worse stick with "a boy called Sue". Or maybe pick a Welsh or Celtic name where you just change the ending or gender neutral such as Francis or Marion, which might have the disadvantage of being assumed male in one country but female in another.

Clive Robinson • March 3, 2012 1:55 AM

@ Petréa,

Sorry about the "tmmmm..." above, the keyboard driver in this mobile did its usual bad habit trick.

It should have read,

"times I've been called Cliff", Chris or even Clegg defies belief, but surprisingly if you google "clive robinson" there are quite a few of us just in England..."

Oh and also,

Not to pick names that are also places or sound like places ("Paris Hilton" is thus triply cruel, a city, a hotel and thus a place where conceivably the child was conceived).

The old "What's in a name" question might pop up in romantic plays, books and films in one form or another with regular monotony, but it has a serious side to it.

As Bruce has probably been told his name is not the ideal form for book covers and posters, but as he once noted years ago his last name is sufficiently rare to be almost unique on the Internet. And of more recent times he might also have been told that this makes it an almost perfect "brand name"...

There is a lot of money to be made in names, and there are even people who get paid very large sums of money to advise you on how to change your name to best effect (there is a British model who of recent times has become an actress, who although in the past was a very busy model she was effectively unknown till she changed her name...)

And yes there is even a short SciFi story written many many years ago (IIRC Isaac Asimov "What's in a name") about an unknown government research scientist who was not getting the recognition his wife thinks he is entitled to... So after some persuasion goes off to see one such name consultant who advises him to change just a single letter (IIRC s to z) used as an initial and keep reminding people to use it. The story gives a "back story" as to how it alerts the "security services" who although finding no real sign of concern decide to play it safe and move him off to a well paying profs job in some ivy league university.

RobertT • March 3, 2012 2:12 AM

"If you're not fishing here, I recommend using a covert recording device with video and audio, some type of tiny device, and handing over all communications with them to the local and/or federal authorities."

Excellent advice but who would I take such a recording to? and at what personal risk? Maybe they were with the gov't....

BTW the meeting happened in a country where I am neither a citizen nor a resident

Clive Robinson • March 3, 2012 3:20 AM

@ BCS,

It's a nice read, the shame is when I was young my parents although allowing me to do many things (including at the age of eight chopping the end of my finger off with a craft knife) they got more restrictive as I got older.

One reason was I was responsible (indirectly) for a kid blowing himself and his father's garden shed up. I had been reading about electrostatic hazards in the milling industry and had learnt about what we would now call an FAE or FAX. I explained it to some of my friends who just would not believe that a pound bag of flour could be made to explode like a stick of dynamite. So after some goading I finally told them about how the dust in flour silos could explode taking down massive concrete structure in the process and showed them pictures of a US grain silo that had virtually destroyed a dockside.

Well the young idiot a few days later went into his dad's shed with a bag of flour he had "borrowed" from his mum's kitchen along with a box of matches. And apparently threw the flour in the air and lit a match, the resulting explosion was quite small but enough to blow out the glass and his ear drums and give him minor flash burns.

He of course got sympathy whilst I got the blame...

A couple of years later I and another friend played around with nitro chalk fertilizer coal dust and diesel oil (mainly "borrowed" from a farm) and made a small but highly rewarding explosion. So...

We got an old 45 gallon oil drum and designed a mechanical firing device using a nail, spring, broken hacksaw blade, modified shotgun cartridge and a very very long length of 100lb break fishing line. In perhaps the most quiet field of the farm we dug a hole in the middle into which we put the oil drum which we filled with the nitro chalk mixture. We carefully armed the device and retreated behind a wall and pulled the fishing line.

We did not hear it explode we felt it with our whole bodies through the ground. A large gout of flame rose up and up and up making a large oily mushroom cloud over what felt like many minutes and then dirt started to rain down. Shell shocked and near deaf we ran like a couple of drunks away from the scene. Fully expecting to see police firemen and ambulances rushing madly to the scene we were quite disappointed that nothing of that sort happened.

Apparently the farmer was informed that there was a crater in his field and the police eventually turned up and it was initially put down to being a WWII unexploded bomb that had finally done its stuff. Only some time later did people work out it was not.

The farmer decided that it was too much trouble to fill in the crater and it quickly became a pond, which was still there a few years ago the last time I looked. Although it looks a lot bigger than I remember and was quite well stocked with carp and expectant anglers trying to "catch the big one".

My friend and I quickly went on to investigate how to make the old fashioned gas cylinders into bombs and we finally worked out the best way available to us was to take out a lot of the gas and then put in O2 from a gas cutter set. Highly dangerous but makes a satisfying bang.

We also tried unsuccessfully to turn little "gas lighter" refill cylinders into rocket motors and resorted to various mixtures including ground up fertilizer and sugar, rubber and managed to melt one or two home made venturis in the process of getting significant thrust (as my friend later went on to prove to his kids, boiled sweets and nitrous oxide makes a damn good source of thrust ;-)

My friend went on to develop a passion for rockets and via the army become a demolition expert. I after being persuaded to "slow down" finally went into sports, build boats and canoes and went on to study electronics and design computers a short stint wearing the green which made me keenly aware of crypto and Elint and where the Falklands are and the rest as they say is history.

The question now is what do I do with my offspring now that the age of curiosity is turning into experiment...

Clive Robinson • March 3, 2012 5:43 AM

@ RobertT,

BTW the meeting happened in a country where I am neither a citizen nor a resident

My father (a WWII vet) handed on a few sage pieces of advice to me in his time. One of which is,

When you sense trouble the best form of defence is to be somewhere else, the further the better.

As for "Breaking Bad" his most important advice to me (about "perfect crime") might also be of interest,

"If you are smart enough to commit the perfect crime, you are more than smart enough to earn more money honestly"

His point being that no crime is perfect, it will always be detected at some point and if of a significant value will be investigated. The question then becomes one of the resources and politics arrayed against you as to if they catch up with you or not and importantly when.

Thus the important things against you are time resources and politics. In the normal sense of things you would view a "life time" as being greater than "investigation time" and devaluation of illicit gain against inflation over time making illicit gain no more than a year's wages. If you think about the great train robbery of 1963 considerably less than a life time ago with a take of 2.4million. After splitting 17 ways gives ~142K which is considerably less than a modern director's wages without a bonus. It becomes clear that the proceeds of the crime need to be invested carefully if time is not to make them worthless.

And that's the problem the proceeds are little more than "seed money" that needs to be accounted for in some way, and that's a lot harder than committing the crime, and something few crooks appear to think about.

However if you know your time is short then such things become irrelevant because time is now on your side not that of those who have been robbed or their investigators or political paymasters.

So yes if I knew I had only six months left to live my viewpoint would be one heck of a sight different to that of assuming I've 20-50years left.

Which brings me onto another point my father taught me which is the old Scottish point of "Me and Mine, Right or Wrong" not the rather stupid English equivalent of "My country right or wrong".

It's your family and friends that are all you really have at the end of the day, they are the ones who will carry your memory forwards after death and who will make you an ancestor not a dead end. If they have the resources they will carry your name forwards, thus giving them a good start in life is the best most of us can do. As for your country they will just rob you and them before the first shovel of dirt hits the casket, if not before by stealing the pennies from your eyes.

So yes I could see why somebody with the knowledge might well set up a meth lab knowing that six months was all they had to make their family more secure.

richrumble • March 3, 2012 5:48 AM

TSA asks woman to prove her breast pump is real at Lihue Airport
http://www.ksdk.com/news/article/307441/28/TSA-asks-woman-to-prove-her-breast-pump-is-real
I can't believe she goes along with the demand in the first place, the position of "authority" is certainly misused here, clearly this TSA emp was misguided, nonetheless should never have happened for several reasons.
security theater... http://www.tsa.gov/travelers/airtravel/children/formula.shtm
http://blog.tsa.gov/2012/01/tsa-week-in-review-brush-with-death.html
Imagine what still goes through... and we are all fine...
-rich

MarkH • March 3, 2012 10:48 AM

@Clive Robinson:

I enjoyed reading your boyhood reminiscences ... now I have a better notion of how Clive got to be Clive ;) The pyrotechnics I participated in were at less terrifying energy levels.

And it just occurred to me ... is that Clive Robinson, as in Heath Robinson?

Cheers!

Nick P • March 3, 2012 11:30 AM

@ RobertT

Interesting question. I don't know who the other guy responding was. How serious can you take someone with a long rant & addressing a reputable member of the Schneier community with this statement: "Given the nature of this forum and general audience, I doubt it. It's more likely you're on a fishing trip here. If you are serious, again, something I doubt, you would, in my opinion, " (rolls eyes) Now for my response.

I've honestly thought of it plenty. Even Bruce has, as he's stated in interviews. The ethical issues aren't as black and white as some would have you believe. Specifically, you can always target the bad folks if you're worried about who you hurt. (a la Dexter or me destroying certain black hat sites back in the day). So, it really comes down to your personal ethical position & risk.

Risk is where it's interesting. I have extremely bad luck & would probably fail in crime quickly b/c of it. Additionally, Bruce has pointed out the reason we are as good as we are is b/c we can make mistakes w/out severe negative consequences. A pentester gets caught and produces a "get out of jail free" card. A criminal gets caught & receives a "get a free trip to jail" card. So, you can't make mistakes in execution of your plan, traceability, and money laundering.

This requires a level of paranoia, planning, knowledge, etc. that most security pro's aren't capable of. They might get away with a one-off thing, especially if they can make it untraceable. In your case, for example, you would have to convince the court that the leak was unlikely from you. You might get away with it. They might be recording you all along and use it to blackmail you into free/cheap further information. I'd recommend against dealing with mafioso in general.

The safest kind of crime is something that's remote, physically and digitally. You do the hacks or ACH fraud through unwitting proxies. The money is transferred through money mules & the guys on the receiving end are immigrants with good fake IDs & who are too scared of you to do anything. The money is laundered through one or more cash-only businesses. You pay taxes on it where necessary & have good books of all legit business activity. You can still get caught, though. So, in the end, it's a risk management decision & I'd rather not live with the constant paranoia. How bout you?

Pick Nose • March 3, 2012 2:27 PM

"(rolls eyes)"

Classy how some people demonize the OP to prop themselves up and lend false cred to their post. For shame.

Jenny Juno • March 3, 2012 5:06 PM

FWIW - the american phrase was originally of significantly different meaning:

"My country right or wrong. If right, to be kept right. If wrong, to be set right."

And also FWIW, I think the idea of "Me and Mine, Right or Wrong" is socially destructive tribalism.

A blog reader • March 3, 2012 5:58 PM

In Japan, two researchers developed a gun that "jams" (i.e. silences) speech through delayed auditory feedback.

The privacy policy for a certain Firefox browser add-on is quite humorous, stating among other things that "while most other companies are concerned with protecting your privacy, we care about profiteering and violating it when expedient or useful." This was originally mentioned by David Ross.

RobertT • March 3, 2012 9:06 PM

@NickP
"I'd rather not live with the constant paranoia. How bout you?"

Interesting, the paranoia I believe I could live with, after all I'll be very removed from the execution of any crime. It seems to me that they would have a vested interest in keeping my identity secret, along the lines of I stumbled upon this vulnerability and didn't really know what I was doing, seems a better defense than I paid this guy lots of money to provide detailed information.

If I were interested I'd insist on payment through some quasi legitimate enterprise. For instance, in China, it is very common to bribe low level officials by paying for a big meal at their wife's / uncle's restaurant. The meal costs 10 times (or more) what any sane person would pay. The money ends up where it needs to and you get what you want. It is difficult to prove it is a bribe, the official normally just insists on a meeting at the restaurant to discuss the matter. All official, the meeting definitely took place you paid for the meal, which was as expected. No crime...

In this case I was more scared of the partners, my feeling was that they had an expectation that I could crack these systems in seconds or at most minutes, rather than days or weeks. So I think they might come looking for a refund...

As for the black/white (right /wrong) issue:
I've completely lost faith in the general business community due to the absence of prosecutions for derivatives crimes leading up to the GFC. It is insane to suggest that I as an individual can offer to insure (guarantee) something that I have no financial capability to pay for. That's fraud, plain and simple. So most of Wall St belongs in the big house for their misdeeds, yet so far 4 years later we have ZERO prosecutions.

Until the WS thieves are punished, I have few misgivings about involving myself in some of the greyer areas.


TRobert • March 3, 2012 11:07 PM

"Until the WS thieves are punished, I have few misgivings about involving myself in some of the greyer areas."

From your writing style and above exchange, I call Cointelpro/Feddy.

RobertT • March 4, 2012 6:05 AM

"Cointelpro"
wow that's a term I have not heard in over 30 years.

I guess it should not be a surprise if the Cointelpro concept makes a come back, because America is a long way down that track already, but the word making a come-back, I don't think so. These days someone will shrink the word to some catchy 5 letter acronym, or just invent a new TLA.


Nick P • March 4, 2012 2:19 PM

@ RobertT

He's a troll. Best to not even respond to them. Anyway, back to the discussion.

"Interesting, the paranoia I believe I could live with, after all I'll be very removed from the execution of any crime."

That's where you gotta watch out. Giving them the information, which is I.P. or a trade secret, can be counted as espionage. In the US, for example, espionage is punishable by a *mandatory* 10 year sentence, 15 if government. If they have evidence of you agreeing to it, they've got you by the balls. (Depending on the laws of the country you were in and reside in, as both can come into play.)

Also, untraceability is harder than it seems. One little mistake & feds/Interpol traces you. I can't give too many details on that b/c I don't want to appear aiding & abetting. It's just tricky.

So, I'd recommend against taking their offer unless you know they're not cops (seems so) & you know they have nothing on you. Now, for the next step of the analysis.

You indicated they already broke a guy's finger. That puts them into coercive mobster territory. Don't think for a moment they would hesitate to do the same thing to you. If it's an international organization & they have some smart folks, they might be able to find you. If it's not, they won't be a threat unless you come back into their territory, which will be off-limits to you for business or pleasure. Then, there's the risk you mentioned.

Honestly, it's not safe to work with mobsters as they always try to control or extort their workers. I won't work for the mob. I'll make products, sell online services, etc. Some customers might be crooks. Idk. I won't straight up form an alliance with them or anything b/c history shows their partners suffer in the long run. Just my 2 cents.

David • March 4, 2012 4:18 PM

Bruce,

congratulations for the “Security Bloggers Hall of Fame award” (along with Brian Krebs) at the RSA conference.

Stack underflow • March 4, 2012 5:46 PM

@daniel
"Wired has an article about something I've been preaching covertly for years: you don't need antivirus software."

Doing the same since 2007... antivirus are useless, even with the so called "proactive/heuristic security mess".


RobertT • March 4, 2012 7:05 PM

@NickP

You need not worry because I'm of the same opinion as Clive, namely that I can make much more honestly than I can dishonestly, especially since my time horizon to remain part of this world is multiple decades. I don't fancy spending my retirement years as some homeboy's "bieatch"

Now if I only had 1 year to live, the risk reward calculation might be a little different.

Regarding the US commercial espionage laws, I know that they have been broadened tremendously in the last 10 years, but the new breadth of the laws seems untested. The few cases that I have read about all seem to dissolve and result in some plea deal.

The breadth of these laws raises serious concerns, in my mind, about indentured servitude. Let's say an experienced engineer joins a US company bringing with him knowledge about some market / product design. Now let's assume that after 2 years with this US company he moves on to the next big thing, which might be one of the emerging Chinese companies. The question in my mind is does he own the natural progression of all his previous work? or does the US employer own all the natural extensions to the work that he did for them. Now what about when the work he did for the US company is a natural extension of the knowledge he had when he arrived at the US company.

It's a tricky area, engineers gain experience and absorb that experience, they can't forget it, it is what they know and this knowledge is what the new employer is paying them for.

It's a simple equation in my mind if the old employer values the engineer highly then he will offer enough to keep them (free market system) otherwise he needs to accept the loss of the technical talent AND possible dissemination of proprietary information. This is something that modern companies need to plan into their business execution models.

Clive Robinson • March 4, 2012 9:59 PM

@ Mark H,

is that Clive Robinson, as in Heath Robinson?

Oh that I had his drafting skills...

Even as old as I am (ie older than Bruce) even I'm not as old as Heath Robinson would be. As far as I'm aware we are not related except in spirit, and as my father had collections of his books which I did indeed look at when I was young.

One of his drawings that always stuck in my mind when I was young was of a marital bed with a flag pole above it going not vertically but near horizontally out of the bedroom bay window to which a pulley system had been fitted and a mechanism to open and close the window to allow the passage of a crib...

When younger I thought it was a bit Greek inspired (from leaving their new born on a hillside over night) but when it came to my turn to be a "new parent" I can assure you the drawing kept coming uppermost in my mind in the wee small hours ;-)

Clive Robinson • March 4, 2012 11:26 PM

@ RobertT,

It's a tricky area, engineers gain experience and absorb that experience, they can't forget it, it is what they know and this knowledge is what the new employer is paying them for

In Japan they recognise (since the inventor of the blue LED) that an employee that makes the fundamental input to the invention is entitled to a share of the profit.

In the UK the situation is a lot worse as the assumption has always been that professional knowledge was gained by employment, even in the case of academics (see Ross J. Anderson's comments on his web site about the shenanigans that went on at Cambridge Uni).

This assumption is wrong in just about every case I know of "original thought". The person coming up with the idea did it because the employer was deficient in expertise in that area, and thus the employee had invariably gone well outside the employer's domain of expertise to achieve the result. However the legal brethren claim that "it is still the employer's right because it was their unique set of deficiencies that gave rise to the need for the invention"...

Thus the UK courts have in the past recognised a period of time after ceasing to be employed over which the employer still has rights... Which is also why employers in the UK can get away with employment contracts that forbid employees working in the same field of endeavour for almost any period of time without recompense to the employee (other than salary already paid).

It might account for why some bright young engineers suddenly migrate from the UK jurisdictional writ to other countries and either work for another employer with a more reasonable attitude or set up on their own.

The simple fact is that most large science and engineering style employers now realise that money can only be made by monopoly of IP by the likes of patent etc. But... the IP is not caught in storage such as paper documents or electronic storage it's in employees' heads, some rare few of whom provide fertile ground where the seeds of IP live and evolve. In times past this was achieved simply by employment contract that turned those rare employees into the "poison fruit" that lawyers just love (hence clean / chinese room design methodology). But being able to hop jurisdiction kills that.

The employers actually want in their avaricious way to own your head once and for all so that they not you can profit by those rare abilities, just like the entertainment industry wants to do with artists.

The stupid thing on the employers' part is that their short term attitude in walnut corridor is doing more damage than they realise. In order to maximise short term gain they "outsource" to various cheap labour markets outside of their jurisdiction and thus give the IP away. Some countries (Taiwan in the past, India and China being the most well known) thus get the IP crown jewels for nothing because those in walnut corridor effectively give it away to those countries for nothing. Even large corporations in the Oil and Chemical industries have recently found that having a majority share of plant and equipment in a foreign country is worthless if the courts in that country won't enforce it...

And that's the salutary lesson for these avaricious employers and their overpaid "Masters of the Universe" lawyers, they can't play their game when they have the bat and the ball taken away from them, they become as those monkeys in the zoo doing the "chimps tea party, bun fight" throwing food at each other to show who is best...

So as we have recently seen with the likes of Apple, Google, HTC, Microsoft, Motorola, Samsung et al you have to go for the next best option which is to slug it out by preventing product crossing borders (which might account amongst other reasons why Apple are setting up a manufacturing plant in Texas).

But... there is another fly in the ointment, which is how do you find and prove IP infringement in modern chips etc, especially as there is usually more than a couple of ways to "skin the cat"...

Oddly I think we are beginning to see the end game on IP ownership in its current form, society is more and more seeing it as an impediment to stability and economic success and the price of defending IP against "inventive minds" goes up faster than the profits from trying to exploit "inventive minds".

It probably won't play out fully in your or my life time but the US market place is becoming less and less strategic by the day as other larger markets open up.

What will realy kick it into the long grass is when the US dollar ceases to be the primary international trading currency. Oddly the US has the UK to thank for the fact it has not happened yet. If Tony Blair had not decided to throw in with the "Iraq WMD" then it is unlikely that GWBush would have been able to invade Iraq with US troops. Many think the war was just about the US getting it's hands on Iraq's oil by setting up a new US friendly dictatorship there. But there was another probably more important reason, Sadam had made approaches to various EU countries about selling Iraq oil in Euros not US Dollars. This was in return for getting trade sanctions lifted, however, the side effect of the worlds second largest producer of oil switching to Euros would be to "knee cap" the US Dollar. The US economy is almost entirely proped up on the fact that the world trades in it's currency, in all likely hood the US economy heavily dependent on oil and with a badly oversuscribed currency would have become caught in a new "oil price war". The likes of OPEC etc would very likely for their own defence likewise have switched to Euros which would have had the knock on effect of making the US a very large buyer of Euros and kicking the dollar over the tipping point of no return.

Now China has started to open up its currency in a few years I suspect we will see it play out against the Dollar and Euro, China has made it clear that it does not regard the current US dominant position as being anything more than a minor and historically unnatural blip that they intend to correct. And to be quite honest the Chinese have almost always played the "long term" tactics not the West's "short term" tactics, thus if I wanted to place a "long bet" it would not be on the West and most definitely not the US.

Clive Robinson March 5, 2012 12:46 AM

@ RobertT,

cointelpro

Hmm the (less than by a long way) upright and honest J.E.Hoover, said he put an end to it in 71, however evidence dug out suggests it was going strong into the 80's in one way or another under a different name.

Then of course Ronnie Reagan gave the FBI virtually free rein again with "Counter Terrorism" and it's still going strong. Whether it was RR's idea or one given to him by UK PM Maggie Thatcher (who was a real dab hand at using the MI's for this to break strikes and unions) under their "special relationship" love in is a matter of debate.

These days it's done with the "plausible deniability" of third party private "freelancer" organisations not subject to FOI or other annoying issues. Many of whom appear to have significant connections to senior members of GWBush's administration, who came into the light whilst also picking up big fat Iraq "close support" pay checks...

And I suspect that a number of the FBI's more recent "terrorist plots" are running from the same old play book.

Most WASP nations including those down south have run such ops. Though it would appear the Kiwis definitely got cold feet about such stuff when the French put a hole in the side of a Greenpeace vessel.

RobertT March 5, 2012 3:02 AM

@CliveR
"cointelpro
Hmm the (less than by a long way)"

Don't get me wrong I agree the concept is alive and well, and being "out-sourced" as you suggest. It's just the term "Cointelpro" that I have not seen used for 30 years.

Re: IP ownership / knowledge control, I fully accept the concept of IP ownership and the rights of the owner to enforce a monopoly, but this is totally different from attempting to control the future employment rights of the engineers that created the IP.

I have seen close friends harassed by a certain TLA because they chose to leave a US company and pursue their careers elsewhere. This is WRONG, it's morally wrong. If the particular employee is that valuable, then companies need to put their money where their mouth is! Instead they hide behind the threat of criminal prosecution, worse still their bidding is done by gov't TLA's under patriot act regulations.

It's a complete joke when they are firing someone, just before pension age, for incompetence (so there is no redundancy pay or possible age discrimination lawsuit) and then they turn around and tell him he is not allowed to do the only job he is qualified for, under the threat of a 10 year imprisonment. AND yes I have known someone in exactly this situation.

Clive Robinson March 5, 2012 5:23 AM

@ RobertT,

Re: IP ownership / knowledge control, I fully accept the concept of IP ownership and the rights of the owner to enforce a monopoly, but this is totally different from attempting to control the future employment rights of the engineers that created the IP

Ah but that's the problem the IP is in the ex-employee's head, you cannot have a monopoly if the employee leaves (not that anybody should have any kind of monopoly as it's by definition a restrictive practice against society which is why we have laws against it in other areas).

As far as we can tell the original intent of patents was to reward the inventor for their effort and investment of resources. Copyright again to reward the originator of a work. Unfortunately the law of unintended consequences happened and a whole new artificial "good" was created and thus a "market" for the good, neither of which was desirable.

But a second consequence of this artificial market is it has to be defended, not just for commercial but legal reasons as well (otherwise you "vacate"). And this is where the fun and games start, as you say it's difficult for the inventor(s) to forget when they came up with the idea in the first place.
But for the ex-employer that IP in the employee's head is their "good" and using it is theft. As far as they are concerned the ex-employee can go scrub the grease traps in MuckyD's or go live on welfare milk it's all part of being an expendable wage slave, that they signed up for...

The fact that it is wrong by any rational measure is not the ex-employer's worry, it's delivering on "share holder value" that concerns them and thus they have a moral duty to the share holders to ensure that the employee burns in hell if it stops the bottom line being affected, lest the share holders sue them...

With a psychopathic attitude like that enshrined in US company law, it's surprising that ex employees don't just get put up against a wall and shot.

But as those politicos that suck the teat of corporate largesse will tell you "It's what you the voter wants for the American Dream".

Personally having suffered on the wrong end of this nonsense a couple of times myself, I've got a biased opinion (who'd have guessed ;-)

So I'm of the view that the idea belongs to the inventor not their employer plain and simple.

However no man is an island thus the employer (if they can show reasonable input) gets first bid on making an offer for the right to use, if anyone else outbids the employer they get to play and the employer gets a kick back of say 20% of the bid.

But importantly after say the first three years the model switches from a closed market to an open market, that is neither the employer nor the employee can stop others using the idea as long as those using it pay a reasonable fee for doing so (where the reasonable fee is based on an industry norm).

Oh and no re-assignment of basic rights, that is the IP cannot be sold only licenced, this should make the likes of patent trolls more difficult.

I know the details are arguable and there are holes you could push a mountain through, but what is not arguable is that the current IP system does not work for the employee or society, and arguably not for the employer either.

Clive Robinson March 5, 2012 6:44 AM

OFF Topic:

Although it would appear that GitHub has been hit by a fairly serious vulnerability,

https://github.com/blog/1068-public-key-security-vulnerability-and-mitigation

That's not the real story behind the problem, it is one of "disclosure -v- action" in the "reasonable disclosure" debate. There appears to be a difference of opinion on what "reasonable" means to various people...

Apparently there is a reported security problem with "Ruby on Rails" (RoR) that the RoR developers decided to rebuff/ignore for some reason.

Apparently the "hacker" (Egor Homakov) is the discoverer of the vulnerability and had reported it to GitHub,

https://github.com/rails/rails/issues/5228

After it was rebuffed/ignored by the RoR developers and GitHub ignored it as well. So Egor went on to exploit the problem on GitHub as a demonstration and predictably the brown stuff hit the fan fairly hard...

Egor has a blog on which he has discussed his actions,

http://homakov.blogspot.com/2012/03/egor-stop-hacking-gh.html

Of course there are other issues involved, in the US a breach of "Terms/conditions of use" is effectively a crime, but in just about every other part of the globe it's not. Also Russia allows for experimentation reverse engineering etc the US effectively does not (or it's ambiguous).

Clive Robinson March 5, 2012 7:21 AM

OFF Topic:

Some of you may know about the UK Cambridge Computer Labs blog ( http://www.lightbluetouchpaper.org )

Well they have started something they call "Three paper Thursday", the idea is simple a researcher puts up three current good papers on a given topic for people to use as background/updating information.

So far there have been three,

1, Cloudy with a chance of Privacy,
http://www.lightbluetouchpaper.org/2012/02/16/cloudy-with-a-chance-of-privacy/

2, Capability Systems,
http://www.lightbluetouchpaper.org/2012/02/23/three-paper-thursday-capability-systems/

3, Android Malware Intelligence.
http://www.lightbluetouchpaper.org/2012/03/01/three-paper-thursday-android-malware-intelligence/

Petréa Mitchell March 5, 2012 11:43 AM

Anyone remember the Therac-25 that fried people with radiation because of a software error?

Well it looks like those looking into the safety of some of the scanners used by the DHS/TSA have not either,

The Therac-25 problems arose from the complexity of delivering two different kinds of radiation with very different energies. And it wasn't just a software problem-- there should have been a physical interlock to keep the electron beam from functioning without the filter in place.

AFAIK, the TSA scanners are built to do just one thing with one energy range, which would seem to remove the potential for massive radiation overdoses.

And yeah, I did say "seem". If the makers actually did include a "turn radiation up to ridiculous life-threatening levels" mode, well, it wouldn't be the very first known instance of idiotic industrial design...

llewelly March 5, 2012 12:30 PM

RobertT, could it be you encountered amateur filmmakers, and failed to notice the camera people?

MarkH March 5, 2012 1:02 PM

@Petréa Mitchell:

I haven't seen detailed information on these machines, but as far as I understand, their radiation dose control depends on short exposure times and rapid scanning.

Accordingly, any failure mode that could lead to the X ray source staying on for an extended time, especially without moving, could result in a partial-body exposure much higher than the design level -- perhaps, by several powers of ten.

As to the Therac 25, it wasn't a filter but rather a sort of "target" -- the beam had to be energized in either mode, but at much lower currents when the target wasn't in the beam path. Any supervisory device independent of the machine's main control might have prevented the negligent homicides that resulted from the Therac.

David Harmon March 5, 2012 5:23 PM

Clive, one quibble with your comments on names: Paris Hilton's name does not happen to match the hotel; she is one of the heiresses of the Hilton family, made wealthy by their hotel chain.

RobertT March 5, 2012 7:27 PM

@llewelly,
" could it be you encountered amateur filmmakers...."

You know what, I never thought of that possibility, but now that you mention it, it probably makes more sense than anything else.

They basically didn't know anything about hardware hacking, or software hacking for that matter. They also made sure that I saw their missing little finger tips and caught a glimpse of their body tat's. The whole bit about taking one of the girls upstairs, "to think about it" was strange, although that's not completely unheard of in Asian business dealings. Normally it is a little more subtle, you go for drinks after the deal, and one or more of the KTV girls climbs all over you and tells you how "hot" you make them. Now I'm certainly no Adonis and at my age about the only hot thing in my bed is a water bottle. But I guess I still have an ego, because this kind of treatment still has a way of raising the animal spirits.


Ronnie March 5, 2012 10:03 PM

http://arstechnica.com/business/news/2012/03/the-pwn-plug-is-a-little-white-box-that-can-hack-your-network.ars

When Jayson E. Street broke into the branch office of a national bank in May of last year, the branch manager could not have been more helpful. Dressed like a technician, Street walked in and said he was there to measure "power fluctuations on the power circuit." To do this, he'd need to plug a small white device that looked like a power adapter onto the wall.

The power fluctuation story was total BS, of course. Street had been hired by the bank to test out security at 10 of its West Coast branch offices. He was conducting what's called a penetration test. This is where security experts pretend to be bad guys in order to spot problems.

In this test, bank employees were only too willing to help out. They let Street go anywhere he wanted—near the teller windows, in the vault—and plug in his little white device, called a Pwn Plug.

Clive Robinson March 6, 2012 4:43 PM

OFF Topic:

Do you know what e-Discovery is?

Who worries about e-Discovery in your organisation?

And do they include the "cloud" in that?

What's the betting they don't?

And what of social media such as facebook when an employee no longer works for your organisation?

Have a read of,

http://m.computerworld.com/s/article/9224800/E_discovery_in_the_cloud_Not_so_easy?taxonomyId=158&pageNumber=1

And having read it then really get to grips with the subject of electronic discovery and find out how a smart lawyer can use it to "beggar your organisation" with just a couple of simple court requests.

Whitney Houston March 6, 2012 5:08 PM

March 6, 2012

### BREAKING NEWS ! ### ADOBE PRESENTS: ###

Adobe SWF Investigator

Perform quick, comprehensive, analysis of SWF applications

- http://labs.adobe.com/technologies/swfinvestigator/

Download and Discuss:
- http://labs.adobe.com/downloads/swfinvestigator.html
Discuss SWF Investigator:
- http://forums.adobe.com/community/labs/swfinvestigator/

Adobe® SWF Investigator is the only comprehensive, cross-platform, GUI-based set of tools, which enables quality engineers, developers and security researchers to quickly analyze SWF files to improve the quality and security of their applications. With SWF Investigator, you can perform both static and dynamic analysis of SWF applications with just one toolset. SWF Investigator lets you quickly inspect every aspect of a SWF file from viewing the individual bits all the way through to dynamically interacting with a running SWF.

Clive Robinson March 6, 2012 5:45 PM

@ Confused,

With regard to the hack of JPL, why is it that the dastardly Chinese can do EVERYTHING except hide their initial IP address in Mainland China

Sorry I missed your question tucked away underneath a big posting ;-)

Simple answer is we don't know, because,

1, They may not care as they can't be prosecuted.

2, They may not care as they are not in China but just end-pointing through it.

3, We may be being told "a load of..." by the authorities for political reasons.

4, It may be a smoke screen to hide other more discreet activities.

And it's this last one I'd give some thought to if I were you.

Because I have in my time thought up a number of attacks that appear to be "brain dead script kiddie" attacks, the purpose of which is to hide the real activity...

As an example if you have a hunt around you will find that there are a number of people running "honey nets" to trap and analyse the latest attacks.

For an attacker this is a bit of a problem because it means their latest and greatest attack-vector will become "known" to the (supposed) "good guys" rather quicker than the attacker would like.

So how does an attacker find out if the network of interest is a "honey net" or not?

Well one way is to enumerate the network in some way that reveals a characteristic of "honey nets" that you would not expect in "non honey net" networks.

One such characteristic used to be the use of virtual machines. Because running a fake network with real hosts is very very expensive, most honey nets use just one or two machines with virtual machine software faking many hosts on the network. As the machines are not actually doing anything in the way of computation you can get quite a lot of VMs on one real machine.

So how do you tell which machines are real and which are virtual, well there are many ways which an inventive mind can think up, but there is one I've mentioned before as it shows where people "faking things" often get it wrong...

The first thing to note is that the virtual machines share the same hardware and this means that certain things such as clocks are shared amongst the virtual machines as the designers of VM systems would not have reason and therefore not consider putting in anything to make the VMs different. It's a bit like soldiers marching to a drum, even though they are in different places their feet hit the ground at the same time, they are all in "lock step" (which is where the term originates from).

The question is knowing this as the attacker how do you take advantage of it?

Well at the low level there is something called "TCP Timestamps" which basically provide a "tick" on the network which is derived directly from the system clock. On separate machines these would be of slightly different frequency and would drift up and down with respect to each other so they would not correlate with each other. However on virtual machines they all use the same clock and are thus all in "lock step" with each other and 100% correlate...

Thus if you get sufficient timestamps from the network over a period of time you can quickly tell if the hosts on that network are in "lock step" or not. If they are then there is a very much increased probability that you have found a honey net.

The problem is that getting the timestamps involves sending lots of packets, so the easiest way to disguise what you are doing is to make it look like a script kiddy scanning the network. Because the chances are the honey net administrator/researcher has set it up that such activity (that is of little interest to them) gets filtered out, thus they miss the opportunity of catching their network being enumerated. It's the subtle form of attack that hides behind the obvious.

Thus unless as the honey net admin you take certain extra measures to detect it the attacker will know there is something wrong with your network and in all probability give it a miss as being too risky to lose their latest zero day etc on.

Sometimes being "bleeding obvious" is by far the best way to hide what you are really doing in "plain sight".
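A honeynet operator can audit their own hosts for the lock-step clocks described in the comment above. The following is an added example, not part of the comment or the blog: it estimates each host's clock skew from (receive time, TSval) pairs and groups hosts whose skew matches. The host names, the 1000 Hz tick rate, the 3 ppm tolerance and the sample captures are constructed assumptions.

```python
import random

TS_MOD = 2 ** 32  # TSval is a 32-bit counter, so it wraps


def unwrap(tsvals):
    """Undo 32-bit wraparound so the tick series keeps increasing."""
    out, base, prev = [], 0, None
    for v in tsvals:
        if prev is not None and prev - v > TS_MOD // 2:
            base += TS_MOD  # a large backwards jump means the counter wrapped
        out.append(v + base)
        prev = v
    return out


def skew_ppm(samples, nominal_hz=1000):
    """Least-squares clock skew (ppm) from (recv_time_s, tsval) samples."""
    if len(samples) < 2:
        raise ValueError("need at least two samples per host")
    ticks = unwrap([v for _, v in samples])
    xs = [t - samples[0][0] for t, _ in samples]
    # Remote clock minus our clock, both measured from the first sample.
    ys = [(k - ticks[0]) / nominal_hz - x for k, x in zip(ticks, xs)]
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return sxy / sxx * 1e6


def lockstep_groups(captures, tolerance_ppm=3.0, nominal_hz=1000):
    """Return (skews, groups); each group is hosts whose skews match."""
    skews = {h: skew_ppm(s, nominal_hz) for h, s in captures.items()}
    groups, current = [], []
    for host in sorted(skews, key=skews.get):
        if current and skews[host] - skews[current[-1]] > tolerance_ppm:
            if len(current) > 1:
                groups.append(sorted(current))
            current = []
        current.append(host)
    if len(current) > 1:
        groups.append(sorted(current))
    return skews, groups


def synth_capture(true_skew_ppm, boot_ticks, seed, hz=1000):
    """Constructed capture: one sample every 5 s for 10 min, <=1 ms jitter."""
    rng = random.Random(seed)
    rate = hz * (1 + true_skew_ppm * 1e-6)
    return [(t + rng.uniform(0, 0.001), int(boot_ticks + rate * t) % TS_MOD)
            for t in range(0, 601, 5)]


# Constructed data: three guests on one hypervisor clock, two physical hosts.
CAPTURES = {
    "vm-guest-1": synth_capture(7.3, 1_200_000, seed=1),
    "vm-guest-2": synth_capture(7.3, 88_000_000, seed=2),
    "vm-guest-3": synth_capture(7.3, TS_MOD - 200_000, seed=3),  # wraps
    "physical-a": synth_capture(-41.0, 5_000_000, seed=4),
    "physical-b": synth_capture(18.5, 9_000_000, seed=5),
}

if __name__ == "__main__":
    skews, groups = lockstep_groups(CAPTURES)
    for host, ppm in sorted(skews.items()):
        print(f"{host:12s} {ppm:+8.2f} ppm")
    print("share a clock:", groups)
```

Any group this reports is a set of decoys that an outside observer could tie to one physical clock using the same measurement.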

Clive Robinson March 6, 2012 6:25 PM

@ David Harmon

Paris Hilton's name does not happen to match the hotel; she is one of the heiresses of the Hilton family, made wealthy by their hotel chain

There are five Hilton hotels in Paris, one of which is situated on the rather grand Avenue de Suffren close to the Eiffel Tower. Although officially the Hotel Hilton Paris it is so often called the "Paris Hilton" by those whose first language is English that most French taxi drivers will either take you there (if bloody minded) or ask for clarification.

The point I was making is the family had hotels in Paris long before she was born and all the hotels carry the family name therefore her parents should have known what was likely to happen, if they called one of their children the name of a place where they had a hotel.

It would be the same if a member of the Astor family decided to call one of their offspring "Athens" or somebody with the last name of Sheraton followed the David&Posh Beckhams' example and called their son Brooklyn...

me March 7, 2012 6:07 AM

"As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered."

Can someone tell me for sure if he's being funny or not? When I read it I laughed and I need to know if that's the appropriate response. My brain is reserving energy right now.

Clive Robinson March 7, 2012 7:18 AM

@ me,

Can someone tell me for sure if he's being funny or not?

Probably not.

A little history many years ago people would plonk "story leads for Bruce" down into what they thought would be the most current thread or Email them to him.

Neither is a good solution, the first can derail the thread completely the second fills Bruce's inbox.

As the Friday Squid page was always low bandwidth, and at the end of the week it occasionally got "Friday Funnies" posted into it to give people a smile at the end of the week.

I started dropping "story leads in" in the week following as a solution to the two problems above and suggested it to one or two people who had stories they thought would be interesting.

A year or so ago @ Nick P, one or two other regular posters and myself had a chat at the bottom of one or two threads on what we would like to see and we did chew over the idea of a separate leads page and a few other things (all of which would have involved extra work for Bruce / Moderator) and also would increase the risk of unwanted postings or malware. So unsurprisingly they did not progress beyond "wish list" chats.

Bruce has now adopted the idea of using the Friday Squid page, but... whether that is through choice or just grudging acceptance of "what is" I don't know. And as I'm partly to blame for it I'm not going to ask.

What I do know is that Bruce either does look at them or gets the same story from other routes as those that are not just "newsworthy" but have real long-term interest to readers of this blog do make it into the main postings sometimes quickly sometimes not for a week or two.

I've been asked a few times why I don't have a blog, and the simple answer is it's a lot of hard work in many ways. But the real issue is "finding stories" that are new or have a particular content slant is very hard work without "stringers" and getting worse because "professional sites" vacuum them up and regurgitate them usually with little or no change let alone original added input. Which actually lowers the coin of more specialised blogs.

As you might not know Bruce was once a restaurant critic and I have often wondered if he should have a "dish of the week" or "recipe of the week" page as for some reason not (yet) investigated people with a significant interest in ICT Sec also have not just a specialised interest in music including composing and playing but also in creating and cooking good food as well...
