Comments

Blog Reader One March 24, 2012 1:02 AM

Supposedly, The Pirate Bay has planned to use small servers mounted on GPS-controlled drones in order to avoid official copyright enforcement actions…

In other news, the US FCC has produced a voluntary “code of conduct” that specifies steps for ISPs to take with regard to detecting and dealing with botnets. (A number of US companies have committed to following the code.)

Years ago, the ZipLip e-mail service provided the ability to send encrypted e-mail messages to other ZipLip users. In fact, the ZipLip service was reviewed by Mr. Schneier among certain other encrypted Web-based e-mail solutions. Later on, however, ZipLip discontinued their free encrypted e-mail service on June 30, 2005. From information given elsewhere, ZipLip stated that “For various reasons, including new U.S. legislation which significantly impacts the individual’s privacy rights, ZipLip is no longer able to provide its free secure email services with any reasonable assurance of privacy and security, particularly in the context of a hosted service.” Though it is not totally clear, they may have been concerned about official demands to compromise the privacy of users (possibly in secret) when providing user messages or user info. Indeed, it may have been better to discontinue operations than to provide a secretly compromised service. (When a service provides security, the issues of honesty and disclosure may be very advantageous as users are concerned.)

Z.Lozinski March 24, 2012 1:25 AM

An interesting security-related story from earlier this week (via /. and the BBC) on early work in Spain, around the time of the Spanish Civil War, on cracking the Enigma.

http://it.slashdot.org/story/12/03/23/1833246/the-spanish-link-in-cracking-the-enigma-code

The original BBC story, which describes work by Dilly Knox on decrypting an Enigma message in 1937 (and which I have never seen described in unclassified sources before) is here:

http://www.bbc.co.uk/news/magazine-17486464

Some interesting implications, that work was going on in the UK in parallel to Marian Rejewski’s work in Poland.

One of the Spanish Enigma machines is going to GCHQ’s museum (and wouldn’t that be fun to see) but Iain Lobban, the GCHQ Director has arranged for the other to go to Bletchley Park.

The point of all this, is that even 75 years on, don’t think the complete story of WW2 crypto is out there.

Z.Lozinski March 24, 2012 1:51 AM

And from Australia, reports that the Attorney-General Nicola Roxon has blocked Chinese network equipment provider Huawei from bidding for contracts with NBNco. (NBNco is he Government owned company building Australia’s $40B nationwide fibre-to-the-home network.)

Original story from the Financial Review. (The FinRev is Australia’s equivalent of the Wall Street Journal and is required reading in business circles.)

http://www.afr.com/p/technology/china_giant_banned_from_nbn_9U9zi1oc3FXBF3BZdRD9mJ

Commentry,which may develop into a legal analysis:

http://delimiter.com.au/2012/03/24/govt-bans-huawei-from-nbn-tenders/

Blog Reader One March 24, 2012 2:21 AM

On March 23, 2012, it appears that the US House of Representatives, namely the Committee on Oversight and Government Reform and the Committee on Transportation and Infrastructure, will hold a joint hearing on certain TSA programs. Members of the public will be able to submit TSA-related questions or stories via a Facebook page. (This was originally mentioned on Slashdot.)

Also mentioned on Slashdot is a story about the issue of robbers stealing cell phones, namely, whether cell phone providers in the US could dissuade such robberies by remotely deactivating phones that are reported as stolen.

Clive Robinson March 24, 2012 8:24 AM

ON Topic 🙂

When you consider that the whale is effectivly the only predator they have when adult (other than cannibalism) I guess the result should not be a surprise as evolution would favour those who could see a whale even a few yards further than their compatriots.

But as pointed out by the SciAmerica article there are other and better ways to spot objects in the murky lightless depths at 500meters whales dolphins and other large aquatic mammals have developed sonar both for hunting and very long distance communications (some whale song can be fairly easily heard at 1000Km when at the right depths etc).

Which begs the question how well do squid hear (if at all) and why have they put so much effort into the eyes and bio-luminessence, for hunting, defence and communications. That is what advantage tipped them in that direction and aquatic mammals towards sound…

Clive Robinson March 24, 2012 11:14 AM

@ Z.Lozinsk, M.V.,

Spanish Civil War Enigmas.

From what I remember the Enigmas used during the Spanish Civil war were “plain rotor” machines and did not have a plugboard were wired in “typwriter order” from the keyboard to the rotors. Also the rotors did not have the alphabetic slip rings and also the fast rotor wass at the opposite end of the rotor set to the later German Enigmas.

The reason for the last particular change was the method used to crack the comercial and Civil War Enigma (method of batons IIRC) which used strips of paper and if memory serves correctly was thought up by a Frenchman.

I guess I’m going to have to look in a box full of dusty old notes I made some years ago to refresh the old “noodle bucket” if anybody want’s to know more.

Petréa Mitchell March 24, 2012 11:23 AM

On the psychology front: Some of you have probably read about a guy who allegedly walked off his base in Afghanistan and went on a shooting rampage against unarmed civilians. There’s been speculation his actions may have been linked to brain damage, of which he has maybe three kinds.

1) PTSD. Reports say he was never diagnosed, but his home base in the US had a problem with underdiagnosing PTSD.

2) An unspecified brain injury on an earlier tour, reported to to have been a concussion at minimum.

3) Football. Collision-intensive sports have lately been strongly linked to CTE (chronic traumatic encephalopathy, also called “dementia pugilistica”). Initially it was thought to be the result of undiagnosed concussions, but now opinion is leaning toward the trigger being the repeated non-concussive hits. Bales played football in high school and college; in high school at least, he was an offensive guard, which is a high-collision position. CTE can only be diagnosed posthumously right now, so there is a very small sample of results from high school and college athletes, but it has been found in at least some of them. (Here, for example.)

Now, all three of these can cause anxiety, irritability, a tendency toward substance abuse, and difficulties with impulse control, leading to violent outbursts. BUT— the violence is almost exclusively directed at the sufferer’s family or whoever happens to be within reach at the time. The type of violence in Bales’s case is just not the kind of thing you expect to see.

So while a lot of the other things that have been dug up about Bales fit the pattern of brain damage– the assault charges, DUI, buying two houses he couldn’t afford and then abandoning one– it’s going to be tough trying to blame his latest actions on brain damage in court, unless they can show he was developing more serious complications leading to dementia or psychosis.

david March 24, 2012 11:57 AM

@ Clive Robinson at March 24, 2012 8:24 AM

My uninformed and uneducated guess would be that the whales developed their sonic capabilities because they are social creatures and communicate with each other over much longer distances in the ocean than sight works.

The squid may have developed optical signaling and sensing because, for purposes of mating and whale avoidance, a system that was effective at short ranges worked well enough, and required much less anatomical modifications to their starting form than a sonic solution would have.

Slightly unrelated to above, have you seen the reports of a study that claims that songbirds sing more loudly in the city than in rural areas, presumably in an attempt to be heard over the din.

Geese, who are social and communicate constantly while flying in pairs or in formation, have a high volume, low frequency call that would travel distances better than a songbirds tweets.
But, they also have the size needed to create that low frequency, which the songbirds don’t have.

Let me take this opportunity to thank you for all your posts here. The quality of all posts here is high, but I do find I especially look forward to yours.

Bobby March 24, 2012 3:38 PM

shhhh. Bruce is studying for his testimony on monday. All posts hence forth should be about the TSA.

M.V. March 24, 2012 4:26 PM

Clive Robinson:
“From what I remember the Enigmas used during the Spanish Civil war were “plain rotor” machines and did not have a plugboard were wired in “typwriter order” from the keyboard to the rotors.”

The linked article on the BBC website actually says that. There are pictures of the two spanish Enigmas, and another picture with two side by side, one with the plugboard and one without.

global March 24, 2012 6:20 PM

@Daniel
Just remember, everything you say can and will be used against you in a court of law. And you are never as anonymous as you think you are.

10 Reasons Why Nothing You Do On The Internet Will EVER Be Private Again

Full Article:

sections within article:

#1 The Federal Government Can Now Retain Your Internet Activity For Five Years – Even If You Have No Links To Terrorism

“In the past, the National Counterterrorism Center could only retain information about you for 180 days if you did not have any links to terrorism. Well, that has now completely changed.”

#2 Potential Employers Are Demanding To See Your Internet Activity

“now, many potential employers are actually demanding the passwords to the Facebook accounts of job applicants.”

#3 Law Enforcement Is Watching You

“If you post something that they don’t like, law enforcement personnel may come knocking on your door.”

#4 Government Agencies Are Watching You

“These agencies have lists of “keywords” that they use to search for posts that they want to look at.”

#5 Barack Obama Is Watching You

“The Obama campaign has launched “truth teams” which will be scouring the Internet for any rumors that are “not true” about Barack Obama during the 2012 presidential campaign.”

#6 They Are Monitoring And Recording All Talk Radio (Including Internet Talk Radio)

“As I have written about previously, the FBI has hired a company in Virginia to systematically record talk radio programs (including Internet talk radio programs) all over the United States. ”

#7 Foreign Governments Are Watching You

“a new bill that has been introduced in Canada would give government authorities unprecedented power to monitor the Internet activities of Canadians”

“The UK government is going even farther than that. A recent UK government report calls for ISPs to remove “extremist material” from the Internet. ”

“French President Nicolas Sarkozy is taking things even farther than that. He recently stated that anyone in France that is caught regularly visiting websites “preaching hatred” will be prosecuted. So what constitutes “extremist material” and what constitutes “preaching hatred”?”

#8 We Are All Being Encouraged To Spy On One Another On The Internet

“The Department of Homeland Security has been heavily promoting the “See Something, Say Something” campaign. The idea is that if you see something “suspicious” that you should report it to the authorities.”

#9 Your ISP Is Watching You

“Most Americans have not even heard about this yet, but the truth is that starting later on this year your ISP will be spying on you to make sure that you are not downloading any copyrighted material.”

#10 The NSA Is Watching Everyone And Everything

“It is safe to assume that any digital communication that you ever make will be intercepted and monitored by the NSA.”

Danie March 24, 2012 7:41 PM

@Global.

I agree with the thrust of that article if you accept it’s assumption: that people play by the rules. But if you don’t play by the rules you can still remain anonymous. Of course, hacking into your neighbor’s wifi limits what you can do on the internet. Still I wouldn’t go so far as to say that anonymity is 100% gone.

Daniel March 25, 2012 4:52 PM

Stewart Baker has a post up at the Volokh Conspiracy entitled “REAL ID-Back from the dead”. It covers some of the testimony from recent congressional hearing on the topic and covers progress that has been made.

Notable highlights:

(1) 4/5 five big data sets are now active among all 50 states.
(2) There has been very little push back from privacy groups on this issue recently.

If you were scared of big data now, you soon will be after reading this post.

Clive Robinson March 26, 2012 12:51 AM

@ Petréa Mitchell,

So while a lot of the other things that have been dug up about Bales fit the pattern of brain damage– the assault charges, DUI, buying two houses he couldn’t afford and then abandoning one– it’s going to be tough trying to blame his latest actions on brain damage in court, unless they can show he was developing more serious complications leading to dementia or psychosis.

And of course that could be shown to be down to the cocktail of drugs and other chemicals soldiers on active duty are required to participate in, often without any kind of information let alone “informed consent”,

http://www.huffingtonpost.com/mobileweb/2012/03/25/robert-bales-malaria-drug_n_1378671.html

It would not be the first time military over liberal use of drugs and pesticides for prophylactic reasons along with all sorts of other skin absorbed chemicals (such as phosphates and nitrates in explosives and other munitions) or inhaled (from paint, varnishes, anti fouling and anti fungal coatings) or ingested (such as preservatives, anti-caking etc in ration packs), have been called into question over their short and long term effects on armed forces personnel physical and mental well being.

Put simply prophylactic drugs such as those for malaria and other natural diseases along with those for chemical warfare are being used in an environment rich in unknown chemicals for which they had never been tested or approved.

In fact one person referred to it in the past as being equivalent to “testing chemical weapons on our own troops”…

Petréa Mitchell March 26, 2012 9:38 AM

And of course that could be shown to be down to the cocktail of drugs and other chemicals soldiers on active duty are required to participate in, often without any kind of information let alone “informed consent”,

Reading some of the linked articles, it appears that mefloquine is hardly used anymore and isn’t given to soldiers with a past TBI. Besides, if he had been given any potentially psychosis-inducing drugs, I’m sure his lawyer would have mentioned it early and often, as he has with the alleged PTSD.

karrde March 26, 2012 10:17 AM

@hoosierdaddy,

I agree. However, I do think that the word “arsenal” is a little overused in the press. Eight firearms is more than a guy can use at once, but there isn’t an appropriate word to describe a collection of weapons that can arm a squad but not a platoon.

The arms listed in the article look like a hodge-podge…keeping a usable ammo supply would be kind of tricky, as it would be a mix of 5 different calibers. Are there stringent limits on legal ammunition purchases in France, like there appear to be on legal purchases of firearms?

Anyway, it looks like the French police have a smuggling problem to deal with, but there are probably many places where a fishing boat can come home with an box full of ‘scrap metal’ picked up somewhere else…

And ammunition can be smuggled with the guns, also.

Duncan March 28, 2012 11:53 AM

(This is “on-topic” wrt Bruce’s post on squid eyes. Not so sure whether this is on-topic wrt security, but it’s interesting anyway.)

Regarding squid eyes, and evolution…

Some of the commenters have been wondering why evolution led to big eyes in squid, rather than other (possibly “better”) adaptations such as sonar. For example: “…why have they put so much effort into the eyes and bio-luminessence, for hunting, defence and communications. That is, what advantage tipped them in that direction and aquatic mammals towards sound…”

Well, think about how evolution works. A randomly occurring mutation that offers a reproductive advantage will tend to propagate. It doesn’t have to be the “best” adaptation to the environment, it just has to offer some advantage. Some pre-squid creature was born with a random mutation for big eyes – that creature and it’s offspring had an improved chance of avoiding being eaten by whales, surviving, and reproducing – so we wind up with big-eyed squid. If that early squid ancestor had happened to be born with especially good hearing, then we might have wound up with squid with sonar… Or maybe two different squid-like species would have emerged, one with sonar and one with big eyes. If they shared an environment, one of these might have out-competed the other, leaving us only with the “best” adaptation – or maybe both forms would have persisted, each filling a particular niche in the ecology.

Remember, it’s not design, it’s random mutation and natural selection.

Clive Robinson March 30, 2012 5:22 AM

OFF Topic:

The ex US “Super Spy” Richaed Clarke was interviewed by the Smithsonian Mag about Stuxnet and other things, but the interviewer did a bad job,

http://www.smithsonianmag.com/history-archaeology/Richard-Clarke-on-Who-Was-Behind-the-Stuxnet-Attack.html?c=y&page=100

You will see from reading the article that there is nothing new Mr Clarke adds that is not already known other than addding dubious reasoning/spin on it. Essentially he trots out what most web sites tell you already which sugests he either knowns no more or he’s following a standard playbook.

The fact that the interviewer appears to be as in awe of Mr Clarke as a three year old on first seeing a “Sanata in a Grotto” does not help.

First off on Stuxnet Mr Clarke states,

“I think it’s pretty clear that the United States government did the Stuxnet attack,”

And his reason given for his belief that the US was behind Stuxnet is,

“that it very much had the feel to it of having been written by or governed by a team of Washington lawyers.”

Which he justifies with,

“What does this incredible Stuxnet thing do? As soon as it gets into the network and wakes up, it verifies it’s in the right network by saying, ‘Am I in a network that’s running a SCADA software control system?’ ‘Yes.’ Second question: ‘Is it running Siemens?’ ‘Yes.’ Third question: ‘Is it running Siemens 7?’ ‘Yes.’ Fourth question‘Is this software contacting an electrical motor made by one of two companies?’”

But he then blows his credibility with,

“Well, if the answer to that was ‘yes,’ there was only one place it could be. Natanz.”

His two step logic is,

Firstly the four publicaly known steps he repeates are what you would expect of “Washington lawyers” sitting in the managment chair.

But this is at best quite flimsy reasoning…

Because it’s exactly the same steps you would use if you were “targeting” the malware and also wanted a “low probability of detection” which any credible “cyber espionage” malware writer with the number of “zero day” and compromised private keys and other techniques would do irrespective of where ever thay came from.

Secondly Mr Clarke reasons that meeting those four requirments means “there was only one place it could be. Natanz.”.

That’s a totaly false conclusion and Mr Clarke should darn well know it, and the interviewer should have as well and not have let him get away with it.

It would have been more accurate for Mr Clarke to say,

Well, if the answer to that was ‘yes,’ there was a good probability it was in a system based on a design by Pakistan’s A.Q.Khan one of which might be Natanz.”

We know that Khan Labs in Switzerland sold “engineering” parts to build centrifuge cascades to atleast six countries and it is believed the basic design to maybe twenty four countries in total.

Of the six buying parts the most notable were Iran, Libya and North Korea. Those being sent to Libya were intercepted and the US got to know all the details and passed them on to Israel etc. We know from what the departing Mosad head said in his leaving speech that a system was built up and tested in Israel (which is where the NY Times made it’s story from).

So we know that there were production systems based on the A.Q.Khan design in Pakistan, Iran, North Korea and test systems in the US and Israel and one or two other countries.

We also know that for reasons that are not provably known Stuxnet ended up in a number of odd looking places if you only consider Iran as the target. So being there has been publicaly said it was a mistake in the Stuxnet design.

As I’ve said before what if Stuxnet was actually aimed elsewhere? Say at a nation that the US certainly considers a significantly more dangerous threat than Iran. And that unlike Iran was almost impossible for the US to get into with spys/agents and not connected to networks outside of the country like the Internet which might have alowed covert access…

Well consider North Korea, it is known that their scientists collaborate with their Iranian counterparts over nucleaar, missile and other technology. Likewise North Korea is supposadly “sealed by sactions” from the western world, however it is known that it trades covertly with and through some countries that Stuxnet appeared in (supposadly as a mistake…).

We know that North Korea certainly believed it was the target of the attack and sent the US a very public “single finger salute”, by very very unexpectadly and publicaly pulling in an international nuclear inspector and rocking his world in a fairly profound way. They took him to an old plutonium production site that was generaly thought to have been decomissioned but now had row after row of centrifugaes numbering in the thousands, that were recognisably advancments on the Khan design. The North Koreans gave the inspector virtually free run to go and examine the centifuges, with one exception it was made bluntly clear to him that he was very definatly being kept away from the control systems.

Now Mr Clarke is almost certainly aware of this and the interviewer should have been so as well. Which begs the question of “why” Mr Clarke just regurgitated stale and very likely incorrect findings in the way he did as it throws doubt on his credibility when he is effectivly still pushing his book and consultancy business on the fact that he is “The Man in the Know”.

But it gets worse on the subject of “cyber espionage” Mr Clarke says of the US,

“We hack our way into foreign governments and collect the information off their networks. The same kind of information a CIA agent in the old days would try to buy from a spy.”

Not exactly a surprise revelation, it’s fairly public knowledge that every country that has the ability to do so is at it, even against their friends, be it on an amateur or professional basis for either political or criminal gain.

The when the reporter asks about commercial IP Mr Clarke blows his credability with,

“Diplomatic, military stuff but not commercial competitor stuff.”

At best it was a very silly attempt to gain the moral high ground for his argument about China, at worst an idiotic attempt to re-write half a century or so of the CIA and other US Agencies activities.

I know from personal experiance having caught them at it the US Government carries out activities against the companies of other nations as it considers them loosely as “National Security” activities.

Even past US Army Major Generals have made it abundantly clear that the US Government uses the US Agencies to aid US Companies to get, maintain or destroy others access to raw materials or markets (Google “Smedly Butler” or look him up on Wiki).

So you would be forgivien for thinking that because Mr Clarke has handed out a very large “crock of shyt” to the interviewer, I think the whole interview is also a “crock”… well actually I don’t apart from trying to “big up” and “white wash” the US most of what he says is actually worth thinking about.

Clive Robinson March 30, 2012 11:02 AM

OFF Topic:

An interesting little snipit on a company that supplies a password cracking utility for iPhones and Android to Law Enforcment and other Government Agencies,

http://www.forbes.com/sites/andygreenberg/2012/03/27/heres-how-law-enforcement-cracks-your-iphones-security-code-video/

Put simply it uses a “jail break” exploit to load brut force cracking software onto the device. So it will find a four digit lock code in a minute or so, but if you use a realy long password it will take a long time, possibly longer than they have to hold you and your phone.

So remember folks no naughty stuff on your phone as they probably don’t need a warrant to search your phone…

Nick P April 1, 2012 6:34 PM

@ Clive on phone attack

I’m surprised we haven’t seen more whole trojaned firmware for the main devices. We see tons of jailbreaking for the most popular phones. In Android, we have a bunch of custom ROM’s. I figure they’d already have a stock-looking ROM with bypasses, spy processes, etc. Plus an easy way to load it. NSA has been pretty good at forced compliance so far.

Clive Robinson April 2, 2012 6:35 AM

@ Nick P,

I’m surprised we haven’t seen more whole trojaned firmware for the main devices… …NSA has been pretty good at forced compliance so far.

Well we know for sure that the NSA know all about the inside of RIM’s Blackberry, from when Obhama took office. He wouldn’t give it up so the NSA hardened it to the required standard.

And the speed they did it at sugests that it was a well known problem they had already been either partialy or fully solved.

We also know since Stuxnet (although both you and I had reasoned it out long before) that people unknown to the companies concerned had direct access to the companies code signing keys one way or another so “jail breaking” is not a requirment when just an “over the air update” of your illicitly signed code will do.

But we could also assume that unless the companies are really sloppy with the security around their code signing keys (which appears to be true for many network operators) that vario agencies also have access to all the core platform source code as well…

But we don’t have to assume it we know that in the US the network operators insisted on all the phones having CarrierIQ “test / snoopware / keylogging” software installed. And for their software to work reliably Carrier IQ must have had access to the core platform source code as well as the developers at the mobile phone companies…

So it’s not unreasonable to suppose that if they wished to the NSA could have done the same as Carrier IQ.

But do they need to?

Let’s put it this way the NSA have deep level access to the mobile phone networks as well as the Internet and land line networks. So they would know of the existance of the Carrier IQ software. Therefor there would be no need for the NSA to do anything except hoover up the data destined for the Carrier IQ servers.

The NSA would therefore have access to the “plain text” of any US Smart Phone including all the users passwords etc irrespective of if the user used a SSL tunnel or not. Which you would have to admit is a nice liittle end run attack at near zero cost for the NSA

Thus doing that would be a near zero risk option for the NSA, where as installing snoopware would not…

So having got a nice big wide open back door into the majority of US phones what about those of “visitors” to the US. These are afterall the people the NSA has always had a legal mandate to snoop on their communications…

Well I guess they could always just over the air install Carrier IQ software onto them as one option, having full deniability because nobody suspects must be a nice option to have 😉

And at the end of the day this is the real issue it would appear that the NSA does not as a general rule target individuals (unless requested to do so). What it does do is target populations on mass, and this involves one heck of a lot of data transfer, which eventually is going to pop up on somebodies radar unless certain precautions are taken.

Thus they need a way to cover the data transfer under some other guise, to do this would suggest that the closer to the “Accounting / billing system” they are the easier it is to keep hidden by simply transfering the cost accross to another account.

So realisticaly I would expect them to go after the telco switches. And as we know from the Greek Olympics this has already been done, and it only came to light after somebody didn’t pay the bill.

The way the Greek attack was done was by using copies of legitimate software from the switch providers, nothing custom other than the configuration scripts. Thus it had full deniability built in from the start (oh and the only person who might have been able to shed light on the investigation died unexpected).

So although I would have expected the NSA to produce the required images etc I would also expect them to only use them as the last resort otherwise they risk giving away the “crown jewels” for nothing (which is what happened with Stuxnet).

David August 25, 2012 2:23 PM

@Z.Lozinski (March 24th this year)

I was at Bletchley Park today. I didn’t specifically notice the Spanish unit, but I think I counted ten Enigmas on display – one of which had it’s perspex cover opened and I was almost close enough to touch it (I managed to refrain!).

I have to admit, this was something of a pilgrimage for me – this was my first ever trip to the UK, and Bletchley was the only place I visited on my 12-hour stop-over.

For anyone reading this blog who has never been, I highly recommend a visit. You’ll see a Bombe operating and also, for a small extras fee, the re-built Collossus.

The dedication of the tour guides is to be commended.

(I’d half-expected to bump into Clive while I was there… but no sign of him!)

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.