Friday Squid Blogging: Squid Scalp Massager

Cheap!

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on May 18, 2012 at 4:26 PM • 31 Comments

Comments

dump • May 18, 2012 10:14 PM

http://www.naturalnews.com/035872_Pentagon_narrative_networks_propaganda.html

"The Pentagon's Defense Advanced Research Projects Agency, or DARPA - the division responsible for all of the Defense Department's cutting-edge technology development - is said to be working on brand-new research that focuses on the neurobiology behind the political violence and, specifically, whether such violence can be mitigated before it even begins."

http://www.wired.com/dangerroom/tag/narrative-networks/
https://www.fbo.gov/index?s=opportunity&mode=form&id=fd625a4022ec38fde2a8f6f1f4628395&tab=core&_cview=0
http://phys.org/news/2011-10-darpa-master-propaganda-narrative-networks.html

Included in article:

http://www.bbc.com/future/story/20120501-building-the-like-me-weapon
https://www.fbo.gov/index?s=opportunity&mode=form&id=fd625a4022ec38fde2a8f6f1f4628395&tab=core&_cview=0

Varjohaltia • May 19, 2012 8:25 AM

I'll comment on the scalp massager! I've tried the metal variant, and there's a really strange effect -- if you use it yourself, it just massages your scalp. If someone else uses it on you, most people get a very different, hard to explain sensation. Like tickling a reflex point, but not unpleasant.

Johnston • May 19, 2012 10:50 AM

From the comments above it appears people believe the main security threats are government and big corporations. Agreed.

Jack • May 19, 2012 5:28 PM

Two absurd predictions that all data will be stored in the cloud. Really dumb, for about sixteen different reasons, half are related to security. These mindless predictions seem predicated on the idea everyone does the same thing with electronics that they do - play games and go on Facebook to share photos, listen to music. Evidently they don't do anything that requires privacy and security. Why even use SSL/TLS? They should send everything in the open.

http://latimesblogs.latimes.com/technology/2011/12/ten-unneeded-tech-items.html#/2
http://www.nytimes.com/2012/05/17/technology/personaltech/a-computer-users-guide-to-cloud-storage.html?_r=1&src=me&ref=technology

Jack • May 19, 2012 5:32 PM

If airport security is effective, why do they warn everyone in the concourse past screening to report unattended bags? What's wrong with an unattended bag? Could it be a bomb? How do they know the fire extinguisher in the cabinet doesn't contain an explosive? And besides, my bags are unattended when I use the restroom on the plane. Dumb. Just don't ask them to explain it.

A Nonny Bunny • May 20, 2012 9:18 AM

@jack
Sounds like a good movie plot, replace all fire-extinguishers with bombs. They have to be serviced/replaced every now and again anyway, so just set up a company that does that sort of thing, then one day replace all of them with bombs.

Rob • May 20, 2012 10:49 AM

Thanks ShadowHatesYou for posting the story about the molotov bombers non-plot.

When I read that story, arrested for plotting to build explosive devices (molotov cocktails); it seems like a bit of a stretch to arrest someone for plotting to build something as complicated as gasoline in a glass bottle stuffed with a rag bomb before they actually had a lit bottle in their hand. Following this line of pre-crime reasoning, I think that the FBI should arrest every hillbilly in the US because they are capable of coming up with dangerous plots.

Figureitout • May 20, 2012 1:08 PM

@ShadowHatesYou

Was going to post that, I thought citizens had the "right to bear arms" in this country..? Hmm, oh well. Uh-oh, I just bought some gasoline (for my lawnmower), beer in glass bottles (it tastes better), and some shirts (uhh, to wear)..should I be expecting some visitors..? Be sure not to knock, but bust my door down please.

You won't find this in the news, but the "bluetooth sniffers" that were installed on 2 speed limit signs along my commute route have since been taken down. A sticker on them said they were for "transportation research", which I think would involve the two cords going across the street that you run over, not a bluetooth sniffer (what if drivers didn't have a phone?) Upon close visual inspection, they have a suitcase with 2 padlocks (where's a coke can when I need one?) Two wires run up along a speed limit sign, and PVC pipe (the antenna) protrudes out and along the sign.

Just a warning if you see some PVC pipe along a speed limit sign, the installers made no effort to disguise the sniffers, so you should be able to spot it easily. There are papers "out there" that demonstrate the capability of sniffing "undiscoverable" devices.

Dirk Praet • May 20, 2012 7:34 PM

@ dump

Which is entirely consistent with the proposed Thornberry/Smith amendment to NDAA which would allow the USG to use propaganda on American citizens, effectively neutralizing acts dating back to 1948 and 1987 that were specifically designed to prohibit government misinformation campaigns against US audiences.

hooker • May 20, 2012 9:52 PM

Secretly forced brain implants Pt 1: Explosive court case
https://www.examiner.com/article/secretly-forced-brain-implants-pt-1-explosive-court-case

Secretly forced brain implant Pt II: MRI scan image and reports of Target, James Walbert
http://www.examiner.com/article/secretly-forced-brain-implant-pt-ii-mri-scan-image-and-reports-of-target-james-walbert

Part III Secretly forced brain implants: Ex-SS FBI agent defends chipped targets
http://www.examiner.com/article/part-iii-secretly-forced-brain-implants-ex-ss-fbi-agent-defends-chipped-targets

Secretly forced brain implants Pt IV: Intel expert on the doctors, children, military research
https://www.examiner.com/article/secretly-forced-brain-implants-pt-iv-intel-expert-on-the-doctors-children-military-research

Secretly chipped man has removal surgery
https://www.examiner.com/article/secretly-chipped-man-has-removal-surgery

Misdiagnosed Patients: Weapons Causing Hallucinations
http://www.examiner.com/article/misdiagnosed-patients-weapons-causing-hallucinations

Technology in-the-wild: controlling the human race
http://www.examiner.com/article/technology-the-wild-controlling-the-human-race

Political take over through technology lost in the big news
http://www.examiner.com/article/political-take-over-through-technology-lost-the-big-news

Congressional Investigation Called For To Stop Energy Based Torture Of Citizens
http://www.examiner.com/article/congressional-investigation-called-for-to-stop-energy-based-torture-of-citizens

Nick P • May 22, 2012 1:23 AM

@ Moderator

Could you please remove hooker's comment (and this one)? It's obviously spam advertising for The Examiner, a tabloid also filled with crap. This blog has standards, you know. Even the squid thread. ;)

Clive Robinson • May 22, 2012 7:33 AM

@ Yossi,

Sad to say it's not an unexpected development; if you look at the trends over the last few years you will see that the lowest of the "low hanging fruit" have been effectively mined out and now are very slim pickings at best.

Therefore the crooks have had to up their game slightly and look for new angles to get a competitive advantage.

With human nature being what it is I would expect this trend to increase with time.

And it is not a problem I'd expect to go away any time soon due to the basic nature of the Internet.

One of the results of one of the basic freedoms of the design of the Internet is "anonymity", which allows parties to act between them but without the normal level of "trust", as trust was deliberately not built in.

Commerce, however, like much other human interaction, is at the end of the day based on contracts, and contracts are difficult if not impossible to enforce in an anonymous zero-trust or weak-trust environment without third parties trusted by both parties entering impartially into a contract. Thus the Internet is currently a bad fit for e-Commerce and usually leverages a third-party (credit card) trust mechanism to enforce the contract on both parties. The problem seen by many is the fourth parties like e-Bay etc. who are not impartial and either break or weaken the third-party trust to the point it is unenforceable by either of the original parties.

With such a lack of "official trust" it is unsurprising that users get confused and thus become liable to deception. In this respect there is no chance of the problem being resolved as long as the big "official players" remain untrustworthy and in effect involved with a contract in a prejudicial manner.

Petréa Mitchell • May 22, 2012 10:15 AM

dump:

I don't see anything there that will provide more power than good propagandists have had all through history. The scientific approach they're bringing to it will help explain successes and failures, but I don't see it bringing the success rate to anything near 100%. Certainly telling a good story makes good propaganda, but it's always going to be overridden when a highly emotional personal experience comes along, like "they shot my friend".

Clive Robinson • May 23, 2012 6:26 AM

@ Oops,

c: SecureID RSA tokens are apparently completely broken now

Err no more than they ever were, and this story is actually about the "software version" not the hardware version.

Overly simplistically, the RSA token has a start value (seed) that sets the internal state of a pseudo random number generator which is then clocked every 90 seconds. This is the same for both the hardware token and software application. Thus when the user presses the button on the token or icon on the software app it outputs a number derived from part of the PRNG state. The algorithm by which they work is now "known publicly", so you can write your own app; all you need to make it work is the PRNG "seed" and you can generate the required values yourself.

So the entire secrecy of the device rests on not being able to get at or work out the "seed"...

Now with the token the "seed" is effectively embedded in the device, which makes it very difficult to get at.

But with the application software the seed gets stored in some format in a file. So access to the file on the machine will give you the seed (hint this is something I've been waiting for targeted malware with "root kit" level access to appear for almost as long as I knew about the "server" end of the RSA system, which is quite a long time now).

What RSA have tried to do is mitigate the simple process of copying the file containing the seed onto another machine. From what has been indicated, RSA use a combination of bits of information to make up a key to effectively encrypt the seed in the file.

Thus the problem of recovering the seed is not as simple as just copying the file; you also need to know the information to make up the key. Sadly for RSA, as the researchers have shown, this information is not exactly difficult to get.

So far so good, however I don't agree with the TPM conclusion, because no matter how seductive the idea of TPM is, its implementation using MS OSs means that MS amongst others will still be able to get at the seed either directly or in a usable form. So TPM does not solve the security problem, it simply moves it somewhere else.

The correct conclusion is "don't store the seed in any form on a hardware platform that has an uncontrolled communications path".

Thus with the PC platform and most smart phone platforms "don't put the seed in any form on it", so don't use the software application version of the RSA token, it cannot be made both secure and usable, use the hardware token only if you want real security.

And RSA should be honest enough to come out and say it to customers, but judging by their previous behaviour they will go with "fudging techniques" and hope the problem goes away so as to get back to "business as usual".
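The comment above makes a point that is easy to demonstrate in code: a time-based token's output is a pure function of (seed, time), so whoever holds the seed bytes holds the token, and the server-side check is just the same computation run again. The block below is an added illustration, not code from the post, from RSA or from any SecurID implementation. It uses a generic HMAC-SHA1 time-step scheme (TOTP-style, not RSA's proprietary algorithm), a 90-second step taken from the comment's description, a 6-digit output, and a constructed sample seed; all of those are assumptions. It also shows the server-side verification with a small clock-drift window and a constant-time comparison, which is the part a defender implements.

```python
import hmac
import hashlib
import struct

# Assumed parameters for this illustration: the 90-second clock step the
# comment describes and a 6-digit code. Not RSA's actual algorithm or values.
STEP_SECONDS = 90
DIGITS = 6

# Constructed sample seed (20 bytes), for demonstration only.
SAMPLE_SEED = bytes.fromhex("3132333435363738393031323334353637383930")


def counter_for(unix_time, step=STEP_SECONDS):
    """Map a Unix timestamp onto the time-step counter that clocks the generator."""
    return int(unix_time) // step


def token_code(seed, unix_time, step=STEP_SECONDS, digits=DIGITS):
    """Derive the displayed code from (seed, time) only.

    HMAC-SHA1 over the big-endian step counter, then dynamic truncation to
    `digits` decimal digits. Nothing here depends on which machine runs it:
    a copy of `seed` on another host produces identical codes.
    """
    msg = struct.pack(">Q", counter_for(unix_time, step))
    mac = hmac.new(seed, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "{:0{}d}".format(truncated % (10 ** digits), digits)


def verify_code(seed, submitted, unix_time, window=1,
                step=STEP_SECONDS, digits=DIGITS):
    """Server-side check: accept the code for the current step or +/- `window`
    steps of clock drift, comparing in constant time to avoid a timing leak."""
    base = counter_for(unix_time, step)
    for delta in range(-window, window + 1):
        expected = token_code(seed, (base + delta) * step, step, digits)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def seed_copy_clones_token(seed, unix_time):
    """Illustrates the comment's point: a byte-for-byte copy of the seed
    (e.g. read out of a soft-token's file) yields the same code as the original."""
    copied_seed = bytes(seed)  # stands in for the seed recovered from a file
    return token_code(seed, unix_time) == token_code(copied_seed, unix_time)


if __name__ == "__main__":
    now = 1337420000  # constructed timestamp (May 2012)
    code = token_code(SAMPLE_SEED, now)
    print("code for this step:", code)
    print("server accepts:", verify_code(SAMPLE_SEED, code, now))
    print("seed copy clones token:", seed_copy_clones_token(SAMPLE_SEED, now))
```

The defensive takeaway matches the comment: encrypting the seed file only helps as much as the secrecy of whatever key material unlocks it, since `token_code` needs nothing beyond the raw seed. Keeping the seed in a device with no readable storage path is what actually removes that dependency.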

Clive Robinson • May 23, 2012 6:45 AM

ON Topic :-)

On looking at the pictures of the device in use...

I cannot help but notice the similarity to "Caractacus Potts" from the film "Chitty Chitty Bang Bang" and a view of a smiling Buddha...
