Schneier on Security
January 11, 2013
Friday Squid Blogging: Giant Squid Video
Last week, I blogged about an upcoming Discovery Channel program with actual video footage of a live giant squid. ABC News has a tantalizingly short sneak peek.
As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.
Posted on January 11, 2013 at 3:59 PM
The latest newly theft-prone commodity: Hay! So various low-cost security measures are starting to be employed:
To ward off the hay thieves, farmers are padlocking their gates and painting their bales with their brands. Some are splicing their hay with ribbons that mark their ownership.
Apparently, with every breath, we exhale a plume of identifying chemicals. How long before govmint spooks pick up on this? Dogs already provide this service for exhaling on the other end.
I believe that bales of cotton have long been marked with identification ribbons.
"Apparently, with every breath, we exhale a plume of identifying chemicals."
I'm not seeing any claim there about breath from different people being individually identifiable, just breath in general being distinguishable from ordinary air.
@ Petréa Mitchell,
The latest newly theft-prone commodity: Hay!
Yes, it's quite a problem in the UK and worse in Europe.
Even with subsidies, farming is in the main a very, very low-profit endeavour. Most of the money is made by either middlemen or the major commercial enterprises such as supermarket chains etc.
It does not matter what the type of farming is, it's getting hit. For instance timber forestry: one person growing trees for commercial foresting for softwood etc. discovered that, getting close to Christmas, as his stock looked sufficiently like Christmas trees it was getting stolen. He was interviewed by the BBC for one of its farming-related programs and he showed a classical turn of mind when he remarked that "it's like Hamlet".
I've seen reports that in some southern European countries, where food is now so expensive and unemployment etc. high, there is serious organised crime involved, with livestock being taken at gunpoint.
Which kind of sounds ridiculous when you read a report released yesterday in the UK from one of the engineering institutions that shows something like 50% of usable food is wasted in one way or another...
In the UK and some European countries the politicos are trying to convince us that it's a meritocracy with "we are all in it together" style slogans etc. However, even a cursory investigation shows that we are being significantly lied to by the politicos and mainstream media, on behalf of the plutocracy who actually want the "euro crisis" etc. as a way to consolidate their position and further exploit the 95% or above of citizens.
And it is this "legal crime" of the plutocracy that leads to much of the "illegal crime" we see...
I know that I'm probably going to cause howls of disagreement, but if you think about a resource-limited environment (which we now live in) the "American dream" of unlimited riches for individuals cannot happen except by a small handful of people "criminally exploiting" everyone else.
"Apparently, with every breath, we exhale a plume of identifying chemicals."
Yes, it's been known for some time that various medical conditions cause various chemicals to show up in the blood and thus breath, sweat, urine etc.
And as most of us have imbalances in our bodies that are similar to, or in fact mild forms of, these medical conditions, then yes, it's quite conceivable that the levels/combinations might be sufficiently different to be considered sufficient for some forms of identification.
Further, our saliva contains DNA, thus I'm assuming that as we exhale we actually evaporate/aerosolise sufficient of it to put "DNA" into the air...
I don't know if you are aware or not, but in the old East Germany the security services stole people's underwear and kept it in sealed jars (just like jam jars) because a person's "scent" could in this way be recorded along with small parts of their DNA.
In fact one good reason for soaking your underwear in "biological" washing powder for 24 hrs prior to washing is that the "biologic" part along with some of the bleaches destroys the residual DNA you leave in your underwear, including body hair, dead skin cells and other far less pleasant secretions etc...
Bruce blogged about a cat being used to smuggle prohibited items into a prison the other day. Well, it appears a hacker in Japan strapped a memory card onto a cat and sent it to the authorities...
However, of much more serious interest to me is an article on concerns with medical records and implants from CSO Online. As some long-term readers know, I've been extremely unhappy with the slipshod ideas of security (or lack thereof) in implantable medical electronics. Well, it looks like somebody else agrees, as it gets mentioned a couple of times in and amongst the issues to do with health care records.
The story about the Japanese cat has set my implausibility detectors off. I can believe the original prison cat story, as it wouldn't be hard to teach the prison cat that food can be obtained from a particular outside location, but how on earth can you train a cat to perform a one-time delivery to the police?
I'm inclined to believe it has more to do with covering their tracks over their earlier coercion of 4 uninvolved people to confess.
@ Bruce Clement,
I'm inclined to believe it has more to do with covering their tracks over their earlier coercion of 4 uninvolved people to confess
Getting confessions out of people tends to be the MO of many police forces, and some (as recently alleged in India) tend to be unfussy about how they go about getting them.
It was once pointed out to me and several others that "the more god-fearing a culture, the more likely it was that people would be tortured by the authorities", and as you can imagine a quite lively philosophical debate followed.
And I admit that on looking into it, the more I looked the more examples I found. However, it turns out to be not religion being the direct cause, but more the cultural state of mind of the people of a nation where authority is "respected" as its due rather than judging individuals on a case by case basis.
However, that being said, both cat stories appear improbable on reading, but then you have to remember "witchcraft and familiars" from history and the fact that although cats have an evil reputation they are very close to human affection. For instance the lady in your life would probably not be upset by being likened to the favourable aspects of a cat, but a dog?... We talk about sleek, feline grace and the cuteness and playfulness of kittens etc., but dogs tend to be regarded as brutish in terms of strength, ferocity and determination, with their only socially beneficial characteristic being loyalty.
Most of us assume dogs can be trained and cats cannot, but the truth is cats can actually be easier to train than dogs; you just have to find their favoured reward. I have a friend who gets around in a wheelchair, and they have trained their pet cat to fetch small items that they have dropped and also to respond to simple voice commands such as Up and Down.
For me the most improbable part of both stories is the attaching of stuff to a cat, because cats tend to use their fur as a sense organ rather more than other pets do; it's one of the reasons they like rubbing up against things and being stroked etc.
tldr: Nokia implemented a MITM attack by proxying HTTPS traffic using fake certs.
Nokia claim it was for 'efficiency' rather than 'snooping'.
Call me skeptical, but I'm unconvinced.
Why bother caching on the wrong side of the 'last mile' (i.e. the most expensive link)?
If they really are caching HTTPS for efficiency is this an unintended consequence of websites like fb finally switching to HTTPS?
The trial of Mohamed Mohamud, charged with "attempting to ignite a weapon of mass destruction" for pressing the detonator on a fake bomb provided by the FBI, has started. The defense is going with entrapment; legal experts say chances of the defense winning are slim but probably better in Portland than most places. Full coverage from the local paper here.
Lately I have noticed the amount of surveillance cameras popping up along highways in Brazil, along with notices about how many speed cameras will be installed throughout the country. This, together with the fact that pictures from such acts are shared on the internet for 90 days after advice is sent to car owners, makes me think of what kind of security we are offered, whether we are speeding or not. I also know that some countries such as Norway have started with average speed measuring along some highways. The technology seems great to take traffic offenders, but still, I question what kind of security is offered to me as a citizen?
Will these cameras reduce response time in case of accidents on the highways? Will they reduce the frequency of assaults along the same highways? Are images from these cameras stored in a way that prevents unauthorized use?
Spy agency ASIO wants powers to hack into personal computers
"SPY agency ASIO wants to hack into Australians' personal computers and commandeer their smartphones to transmit viruses to terrorists.
The Attorney-General's Department is pushing for new powers for the Australian Security Intelligence Organisation to hijack the computers of suspected terrorists."
Two interesting things there:
Using software patents to keep algorithms free until broken, then charging for their use to force companies to switch them out for more secure algorithms.
And DSA keys factored with head counting, no tools. Schneier Facts got competition!
Actual explosives found in New York-- in an antique cannon which has apparently had a cannonball stuck in it (and thus gunpowder behind the ball) for over 200 years. Leading to a pretty good quote from the NYPD:
"We silenced British cannon fire in 1776 and we don't want to hear it again in Central Park," NYPD spokesman Paul Browne said.
Apparently it's not uncommon for old cannon to turn out to be "live"...
And DSA keys factored with head counting, no tools. Schneier Facts got competition
Agh, the delightful Nadia Heninger strutting her stuff :-)
IIRC she has actually appeared on this blog a couple of times via papers she has co-written, with "Mining Your Ps and Qs" from back in the middle of last year and one on "Cold Boot Attacks on Encryption Keys" on DRAM persistence back in 2008.
You can see more of her work at,
Oh and she has a much better Pony Tail than both Bruce and Chuck combined, and as can be seen from the photo she has it in a delightful Skein ;-)
Nadim Kobeissi posted an interesting article regarding young hackers killing themselves and the negative hacker culture that contributes to it.
@ Dirk Praet, Nick P,
For a discussion of the charges brought against Aaron under the CFAA have a look at,
Many in the legal fraternity who have commented are pointing the finger at the Federal prosecutor Ms Carmen Ortiz, and in the odd sort of diplomatic legalese they use, casting aspersions on her mental state and fitness for office (though little is said about Stephen Heymann who in effect was the lead prosecutor).
However, a number of people are blaming pressure from various IP holding interests for the way Aaron was treated, and one has noted that the US Secret Service were invited in by the MIT Police, and at that point all proportionality went out the window.
However, whatever the actual facts are, the Obama Administration is now in it up to their eyeballs and there is obviously the question of fitness for office against those political appointees at the U.S. DoJ responsible for the Justice Department's "Executive Office for United States Attorneys", which oversees and regulates US Attorneys via the "United States Attorneys' Manual".
But from what has been said by other attorneys in Mass, Ms Carmen Ortiz has "previous" on "stripping rights" from those not possessing the political and financial muscle. That is, she pays at best lip service to the requirements of proportionality, and actively pursues cases against "the little people" whilst ignoring much worse activity by big people for the purposes of grandstanding her career. The fact that she is actually considered to be considerably worse than her predecessor (a Republican appointee) in many people's eyes is a clear indication she should be removed. However, she also stands accused of a politically motivated witch hunt over appointments in the probation service, which appears to have made her a number of enemies politically...
Over on Y-Combinator there is a thread about a White House petition to have her sacked; the arguments are a little polarized but on reading it you get the definite feeling that Ms Carmen Ortiz is going to be getting a phone call or two down the chain of command.
But what do people want and what is proportionate... A man is dead, accused of Federal crimes that many think a tribunal of justice would throw out and a tribunal of truth would find against, and that legal professionals say were not federal crimes but civil offences and should have been dealt with as such.
But the reality is Ms Carmen Ortiz set the dogs on Aaron via Stephen Heymann, who has a reputation for getting disproportionate sentences for quite minor crimes. She ensured that Aaron was both vilified and hounded way beyond any proportionate measure.
Certainly, as a minimum, until a full investigation of what went on in her district under her authority gives satisfactory answers, her perceived behaviour is at best questionable, bordering on malicious. Which at the very least calls into question Ms Carmen Ortiz's fitness to be one of the selected U.S. Attorneys who are invited to participate in the Attorney General's Advisory Committee (AGAC) of United States Attorneys.
Password recovery questions used to hijack celebrities' email accounts. Compared to less well known people, getting personal information (parents names, schools, childhood info) about celebrities is so much easier.
@ Petréa Mitchell,
With regards the statement from the NYPD spokesman Paul Browne of,
"We silenced British cannon fire in 1776 and we don't want to hear it again in Central Park,"
Oops, it has already happened.
Cannon of this sort are also called guns and as such they are usually heard at least ten times as far as their effective range. Last year saw the 200th anniversary of the US attacking what we now call Canada, which at the time was territory claimed by the British and mainly populated by American civilians.
At the time the English were a little tied up in Europe dealing with a man with pretensions to become the Emperor of Europe. And there were few resources available to defend the territory, which is why it is so surprising that the attacking US troops made so little progress.
Well, as history tells, the European half-pint met his Waterloo and the English then had the resources to deal with the US transgressions. The result was the landing of troops in various places along the US eastern seaboard, some of which were in DC and in all probability within cannon fire sound range of what is now Central Park. In fact some of these troops marched on Washington and the White House, where the then US President ran out the back door and across the swamps, leaving his wife and servants to face the troops. You can still see the damage the gunfire inflicted on the White House to this day if you know where to look. Anyway, the British had little interest in actually fighting another major conflict, so the result was a peace deal where the territorial borders were re-established as they had been prior to the US invasion.
However, there was one major difference: those American civilians living in the territory that had been attacked (and worse) by the invading US troops and were still alive re-evaluated their position and thus changed their allegiance away from their previous home of America and in effect became the founding fathers of a new nation that became Canada.
Now I don't know if the NYPD spokesman was not paying attention in class, or the school he went to chose not to cover the 1812 war, but all I can say is history is somewhat different to the way he was telling it.
As for muzzle-loaded cannon still being loaded, yes, it happens and one of the reasons is "spiking the guns". A cannon that can fire a 42-pound ball usually weighs in excess of 6000 pounds and needs something like thirty horses to move it at just about walking speed. This lack of manoeuvrability meant that unless properly defended by soldiers the gun could easily be taken by a very small party of attackers coming in on its flank and overrunning the position. Now rather than capture the guns for use in the battle, the aim was to put them out of use.
The problem with a muzzle-loading cannon was how do you fire the charge? This was by a vent that ran down into the end of the bore and was called the touch hole.
Now to prevent the cannon being fired the easiest thing to do was seal up the touch hole vent. This was often done with a six-inch nail or spike that was driven irremovably into the vent, hence "spiking the gun". Now the question is what do you do with a 6000-pound lump of metal that is no longer of any use as a weapon? Simple, you leave it there, which usually meant the cannon was dragged after the engagement to the town square etc. to display as a civic trophy.
Now if the gun was spiked after it was loaded but before it was fired you had a problem, as you could not easily unload the gun except by firing it. And usually nobody bothered to check as there was nothing they could do about it.
Often, as people tend to put rubbish down the barrel, the barrel would be later blocked with a plug consisting of a wooden or metal plug. Thus permanently hiding the fact the cannon has powder and shot inside it...
Re the Nokia mobile browser HTTPS weakness, hasn't this always been true of the Opera Mini browser as well? Not sure what is new here...
OT: Another WTF for the day: Synthetic DNA spray (triggered from an alarm button) that sprays thieves at stores.
From the vendor's website (http://www.selectadna.co.uk/selectadna-anti-intruder-spray.html): "Premises protected with SelectaDNA immediately become hard targets as criminals are petrified of DNA technology - they know that DNA links them to crimes they commit"
You've GOT to love the TSA FUD... Their Friday post states that they discovered a garrote in someone's carry-on bag. See the second picture here:
This is NOT a garrote... this is a simple camping wire saw. You can buy the thing at Sears for under $6 USD:
How ridiculous is this?
REAL ID is dead, for now. Late in December DHS announced that only 13 states had implemented REAL ID, and that they are deferring the rest.
A quick count of the population of these 13 states show that they account for about 20% of the US population.
You know that the airlines had to be behind DHS rescinding the previous Jan 13, 2013 deadline. Imagine if on that day 80% of the people in the US couldn't fly with just their driver's license?
A "serrated" garrote at that. They're the worst kind, you know. Our guy is not only a probable assassin, he's an a**hole about it.
So even giant squid don't have privacy any more?
Hmm, is anyone else experiencing problems with the pictures on this blog loading? I'm trying to find out if it's a problem on my end or if it's the blog.
Any feed-back would be greatly appreciated.
@AC2 the difference is that Opera clearly explains this in the product and explicitly says "don't use opera mini if you don't trust opera"
Nokia buried this in a firmware update to the embedded browser in their phone.
Doctors/lawyers/accountants/prosecutors subsequently used this to read confidential data without knowing that they had agreed (in a EULA checkbox) to hand their clients' data to a foreign company.
@ AC2, Nick P,
First off, criminals are not scared of DNA marking or particularly about leaving their own DNA around. Due to cost, DNA testing of a crime scene is still rare, and done mainly for "crimes against the person" or if it's bringing political heat from above down on the LEA.
A recent case of such heat is of a well known "singer" trying to prove he was a man by beating up on two girls who did not want to get with him in a petrol station ( http://www.getsurrey.co.uk/news/s/... )
But the norm in South London and North Surrey is a scene of crime officer to dust for prints and make casts of tool marks with dental alginate and record other obvious physical evidence.
Sometimes, if a criminal has not left fingerprints but has left behind an item of clothing such as a hat or glove, that might be tested for DNA. This is simply because it is a fair assumption that it's the criminal's and the test will not require screening of others.
With regards the "sticky bullet", I would hazard a guess that the idea came from the Judge Dredd movie starring Sly Stallone.
It is actually unlikely to affect the smarter criminal who knows that having your fingerprints on the outside of a gun can be argued out in court. It's having prints and DNA on the inside, especially on the unfired round casings or magazine, that's fairly difficult to argue away. So your smarter criminal either cleans and loads with gloves on or gets somebody lower down the food chain to do it for them.
As I've noted before, smart criminals evolve around static technology, leaving those who are either unknowing or stupid to fall afoul of it.
And the reason even stupid criminals get away with crime is that the crimes they commit are too far down the priority list to receive anything other than a cursory investigation.
What has been tested and found to work well in places like Lewisham, Croydon and other high crime areas of South East London is rapid response to crimes in progress. Effectively catching the criminal at or very close to the crime scene with the goods on them. Even if the criminal dumps the goods and gets away, it causes all but the most stupid or sociopathic to think that it was way too close a call to repeat. Whilst it has caused the local crime rate to drop, it is not clear if it is actually a deterrent or just causing the criminals to go somewhere else.
@ Petrea Mitchell,
Speaking of crime rates dropping, you've posted a couple of items in the past about the drop defying "conventional wisdom". Well, there may be a good reason: there appears to be increasingly good statistical evidence that the level of crime is correlated to tetraethyllead (TEL) in petrol for cars. It is known that lead is a significant neurotoxin and arrests brain development in the young, and many previous studies have shown a correlation with paint and water pipes.
Well, the biggest source of non-metallic ingestible lead in the environment was the anti-knocking / pinking agent TEL. It's been posited that TEL has had significant effects on brain development in babies and the very young, which was why it is now banned for on-road vehicles and other engines used in urban or city environments (and total bans in many countries). It's now suggested that TEL may well have been responsible for the baby boomer crime wave that is now starting to die back.
What has been seen is a drop in crime starting around 23 years after the use of TEL has been banned in a given area. The statistical evidence is actually quite compelling for a number of reasons; judge for yourself,
However, we now need to consider what effect the falling crime rate is going to have on society.
Specifically, in the US and in the UK jails are or are in the process of being privatised in one way or another. And certainly in the UK it's likely to be by the horrendously expensive PFI, which is hugely debilitating over thirty or forty year terms, and its only advantage is in the very short term for the politicos of being "off-book" spending.
Such long-term private facilities will need to be paid for over very long periods irrespective of whether there are prisoners for them or not. The simple solution for the politicos is to remain tough on crime by making even petty crime carry long-term jail sentences and to criminalise activities that were not previously crimes. In the meantime start expecting traffic violations to start carrying considerably more expensive fines and within a few years jail time as well.
This sort of behaviour by governments in the past has been found to be completely ineffective because it destroys the ability for people to be anything but societal outcasts and thus have to return to crime just to survive. If we as citizens want criminals to be rehabilitated back into society we need to concentrate not on punishment but on rehabilitation by education and opportunity. Some countries in Europe have found that taking the short sentence with good rehab training does indeed cut re-offending rates quite significantly. Further studies in the US from the 1970s and 80s show that spending money on good public education in deprived areas actually reduced long-term cost. That is, every dollar spent on education when children were of primary and junior school age (i.e. pre-teen) showed about a 25 to 1 saving. Further, every dollar spent on appropriate secondary and college education increased the tax return something like 70-fold.
However, such long-term investments don't have any positive political value over the usual political lifetime, and actually show negative political value initially. However, what voters should remember and remind the politicos is that "quick fixes" are almost always "bodge jobs" that cost a fortune over time (it's like the old joke about a 50-dollar pair of boots lasting a lifetime whilst a 10-dollar pair only lasts the winter, and the workman would drink 90 dollars of beer over the summer rather than save up 50 dollars for decent boots).
The reality is that crime is like a disease: it is better to spend a small amount on the right sort of prevention than it is to spend huge amounts to cure those who suffer the disease.
@ Nick P,
The US Gov has been claiming that the DoS attacks on US banks are an Iranian attack.
But as various people have indicated, there is no evidence that's been presented to show this is actually the case, so there have been a number of people saying it's cyber-sabre-rattling by the US or it's a red flag operation etc. etc.
So Information Week asked those who have made investigations to comment and they all pretty much say not only no evidence, but there's actually not really any evidence it's state sponsored at all, and at least one saying it could be done for 1000 USD/month or less, so could be virtually anyone with a bit of skill...
So it could conceivably be anyone, and the US Gov blaming the Iranian State actually makes it counterproductive because it makes it in effect a Diplomatic Incident, not a crime that would be investigated in the normal way by LEAs etc.
But what of the claims of "state sponsored"? Let's look at the historic evidence of such activities,
The US is the only country who has been caught using cyber weapons against another country and, due to various reasons, admitted it.
It's been suggested that Russia has used cyber attacks against breakaway states and those it once occupied, but Russia has denied it's state sponsored.
Likewise China has been accused countless times but again denied it's state sponsored.
South Korea has made many claims that the supposedly economically and technically backwards North Korea are waging almost continuous cyber-attacks against them.
For all of these claims there is at least some credible evidence found independently that supports the claims, not so the current US claims against Iran.
But is there any evidence it is actually "state sponsored"? Well, no more than it could be privately sponsored.
So for instance you could for argument's sake say it could be Russian cyber crooks getting smart revenge over the fact that their pharma scam funds are drying up due to the actions of US credit card issuers. The same lack of evidence applies as for the US case for Iran. Likewise you could turn around and then say it's someone with a grudge against the US banks for ruining the western economy, or even trying to manipulate their share price. Again you have the same lack of evidence, but if you think it must be state sponsored, how about it's Chinese rogue agents attempting to destabilize the US banking sector? Again the same lack of evidence as for Iran, or you could say... and so on, the list goes on as there is no evidence to show who is actually behind the attacks. Conceivably it's someone who reads this blog, and is sitting there having a good old chuckle over it; that's the great thing about lack of evidence, almost anything is equally probable.
Which is all very convenient for the Cyber-War-Hawks who want to come out wild west style with guns ablazing and making noises about going kinetic.
Which brings us around to the old "follow the money" argument, but there's a problem, which is "What money?". Which is maybe why some have actually suggested that the people with most to gain from this attack are various people in the US Gov who are on a "fund raiser" to get a bigger slice of the War-On-Terror money.
What worries me is not the fact that such claims may be used as a pretext to a blood and bullets boots-on-the-ground invasion of Iran, but the very old idea of "The boy who cried wolf". If the US Gov keeps making claims that they can't or won't substantiate and others cannot find corroborating evidence for, then the US Gov's credibility is going to sink even further in the eyes of other Governments and people living in other countries.
Right now you can be sure that some are making jokes comparing the American Eagle with Chicken Little...
HOW many times do we need to have this discussion? Oh sorry, they never really seem to discuss it intelligently. Bruce? I know you have ranted (in a scholarly way) on this before. Just frustrated with security discussions with people and this article kind of tripped my caffeine induced trigger...whoops, I mean ticked, given current 2nd amendment law discussion. ;)
It's like a toddler holding a handful of crap and trying to pat your face with it.....
"You can always count on Americans to do the right thing--after they've tried everything else." ~Winston Churchill
@ Clive Robinson
I appreciate the link. I suspected as much and had been telling people not to buy into the Iran link until we have proof. My line was, "Remember Iraq?" They forget so easily. A historian once joked we live in "the United States of Amnesia. Everything before yesterday is a blank. We have no history." It seems pretty true among the general public, hence the success of propaganda.
"But what of the claims of "state sponsored", lets look at the historic evidence of such activities, The US is the only country who has been caught using Cyber weapons against another country and due to various reasons admitted it. "
"Which is maybe why some have actually suggested that the people with most to gain from this attack are various people in the US Gov who are on a "fund raiser" to get a bigger slice of the War-On-Terror money."
You have a way of saying something without actually saying it. ;) Let me make it clear: false flag operation is a possibility. Our country admits that they do them all the time... overseas. Smart Americans also know the country has a history of pulling stunts to get government more power and media often goes along with it fully. So, here's what my mind is seeing:
1. US wanted to go to war in Iraq & public didn't.
2. US presented many pieces of provably false evidence against Iraq.
3. Public, in fear, accepted a war.
4. US begins claiming Iran is a major threat. (see below for irony)
5. DDOS attacks on some banks happen that anyone might have done.
6. US govt claims Iran is behind it, but presents no evidence.
The most logical possibility is similar to the other big false flag operation in recent history: (1) they're doing it, while pinning it on their enemy; (2) they're not doing it and neither is that enemy, but with media control why not benefit from it? The only thing we can know for sure is to never trust them without independent corroboration of their claims from more trustworthy people.
Tangent on Iran
Iran is one of those countries that I have some sympathy for (but wouldn't help...). They hate us with good reason. Their democratically elected president Mossadeg took control of their resources from BP. BP griped to British, which asked US to help. We sent in the CIA, they caused bloody riots, and Mossadeg was overthrown. A pawn dictator is put in place who rules with utter oppression for a long time. ("Spreading democracy," aren't we?) Eventually, a guy named Khomeni overthrows him and specifically states his outrage at Western involvement in Iran.
So, later, we become friends with Sadam Hussein. We give him half a billion dollars through National Security Directives and such. We finance his long war with Iran, a very bloody one. We eventually turn on him and smash his country to pieces for oil, strategic location, defense industry profits or some combination. We continue covert operations in Iran with Mossad's help, killing people and sabotaging their tech. We deploy the most sophisticated cyberweapons in history against them.
(As for nukes, we're the only country to ever have used them against a civilian population and are among the few trying to legalize small nukes. That means the US is guilty of No 1 and 2 most deadly terrorist attacks in history. Just saying...)
Then, the US government claims Iran's nuclear research is a major threat to us and they are doing dangerous cyberattacks. If true, I can't say we didn't have it coming (word is "blowback"). Of course, after 9/11, over a million Iranians in Tehran did a candlelight vigil for us. Hey, maybe they're not the savages mainstream media portrays. Maybe the US government is just wanting another war over there. If history is an indicator, *we* are the most aggressive and dangerous nationstate in the middle east. Not Iran.
Completely OFF Topic :-)
If this is to be believed,
Today you have hit the big "Five 0hh", if so may I wish you many happy returns for today, and also say you are now allowed to start thinking about having a midlife crisis in a few years time ;-)
Having already passed the Big Five Ohh mark, I can assure you it's not as scary as you might have thought yesterday.
All gentle leg pulling aside have an enjoyable day (even if it's not really your birthday)
This is tangentially related to security.
As some of you know, I travel through south London as part of my normal daily activities. Well, it's gone rather bad today: a railway station I use to switch onto a bus is all closed down.
The reason is not the usual terrorist related alerts or somebody being taken ill but because a helicopter has flown into a crane on a part built building in Vauxhall south London just a few hundred yards from the MI building Vauxhall Cross.
According to the reports parts of the wreckage have hit the bus stop area and two cars, so far no reports on casualties etc. You can see pictures of some of the burning wreckage here,
The Guardian Bruce used to write pieces for is doing live updates,
The BBC has a report here,
Not a good start to the day and a shocking reminder that security is a bit broader in scope than we tend to think here...
@Bruce as Clive said happy B-day and many more.
You having a midlife crisis?
I sure hope not. You might crack the internet like a pane of glass, of course hiding your body heat, refer. other discussion.
Or you might lock it down with proper security...... ;-)
"Apparently, with every breath, we exhale a plume of identifying chemicals."
Talking about breath, but we exude more than that...
Weelllll. If I've had pickled eggs and beer, they might get more than they bargained for.......Wait a minute, TSA? Hmm, thinking mean thoughts here...
this might be of interest. With the past problems with FIPS201, card format, and reader issues..I could see this coming. Oh, and not to mention the manufacturer lobby efforts, and lack of agreement on standards..
This has been a disaster from the beginning and only getting worse...Like waiting for a train wreck and saying, "wait for it"....
The gentle joke about "start thinking about having a midlife crisis in a few years" when you are fifty is I'm wishing you to live at least twice that long if not longer.
As for the TWIC yes like the UK National ID card you could see that it was an idea that nobody other than a desk jockey bureaucrat and the card suppliers really wanted. As was noted in one article it had all the hallmarks of a money raising scheme with no other function.
I suspect that what the DOD are not saying is that it's impossible to actually authenticate a user prior to issuing them with a card as the corroborating paperwork is not up to doing the job (true of 99% of currently proposed ID schemes including all passports).
It was a point Stella Rimington (retired head of MI5) made in Nov 05, but the bureaucrats just stuck their fingers in their ears and went "la lal lal la" and in some cases left their gov paid employment to join the supplying companies to discover they had no job when the current political incumbents pulled the plug on entering office.
@clive. I know what you were implying and I agree. I was teasing back about bruce in the terms of chuck norris jokes about him. I find them funny and hopefully so does bruce. much respect for him and you too.
Yes, TWIC has been a mess not least of which is due to the reasons you state. Lack of structure, standards, procedures, etc. It is really easy to throw darts at this one.
Advantage is that geeks (not derogatory to me) will always be needed. The thing that bugs me is underutilization to really do things properly. Remember talking to customers and the people paying the bills? People want to buy snake oil as bruce puts it because it solves their problem and they don't have to think..grrr.
i.e. We need a standalone system to be HIPAA compliant...Wha? It doesn't contain any and never will have any patient or confidential information..well we need to be HIPAA.... :-O
I actually hadn't heard about that one. It's a perfect example of totally wasted money. I could set up quite a few useful capabilities for $400+ million. The part that wasn't surprising was that it was disconnected from DOD's PKI. They have some interesting processes and technologies that integrate to provide a certain level of assurance. TSA didn't have anything like that. They didn't fit in.
@Nick. Yup. I could do quite a bit with that kind of money too.
Here is another. Should have a contest on how many ways this one failed.....
SCADA systems, workstations, USB Ports, old software, procedures, etc.
I have looked at some systems I was afraid to touch for fear of a hard failure. Backups, documentation? Nope. Wiring Plans? nope. Custom software with no programmers' documentation.
Expensive to upgrade/replace and still works 20 yrs after install. But if it ever goes down...
Here is another. Should have a contest on how many ways this one failed....
You beat me to it :-(
I'd seen a link to The Register on two SCADA system fails in US Utilities and the useless ICS-CERT the DHS insists should have primacy... And was following it back to its Reuters source, came here to post it and lo and behold...
That said yup it's a sad state of affairs, and happened almost exactly the way I worked out to infect air-gapped voting machines long long before anyone had heard of Stuxnet. You'd think nobody read this site ;-)
After all why would they, we're terrible here, we make predictions on this site that are so good and sufficiently far in advance that our 'sphericals' are not made of Glass but Diamond :-)
Oh speaking of the DHS (Dept of Hopeless Sexpests) there is a rumour going around that within a year all the "nuddy scanners" are to be removed from airports...
Turns out it's not quite true, apparently the TSA is cancelling the contract for the RapeMe scanners
@nick. Being in security industry is a two edged sword. It can make you more paranoid but also makes you aware of problems.
When the scanners first were discussed they said, "no, people behind the curtains have no cell phones, it does not show nude bodies, and there is no way that pictures can be copied off machines"
oh, really? do they use computers? usb ports? it was funny and sad to observe.
I am less shy than most but insist on patdown. Lesson that hollywood and others don't seem to understand in their personal life.
Never ever take nude pictures and never make such videos!!! :)
@nick. thought about your last post. You are right. This blog is full of gold for people to look at for potential problems and predictions. You and bruce should form a council of 100.
The recent stories show exactly what you are talking about. And the sad part is this blog/posters would take about 30 secs to point out the flaws. Not obscure flaws but "are you f*** stupid?" kind of things.
I think a lot of people read this blog. The problem is that not enough of the nontechnical people or policy makers seem to read it. that may sound harsh, hopefully you understand what I mean..
"I think a lot of people read this blog. The problem is that not enough of the nontechnical people or policy makers seem to read it. that may sound harsh, hopefully you understand what I mean.."
I understand what you mean. The real gold is in the comments. People have less time for that sort of thing. One would have to dig through years of articles googling certain people's names. I think Wael did something like that, although I also think we gave him some of the links. I occasionally post old ones on sites like Krebs.
@ Nick P
I think Wael did something like that, although I also think we gave him some of the links.
Yup! I did that because something you and Clive Robinson said caught my eye. I normally don't have the patience to read long articles. So I never read any of Clive's or yours until the C_v_P discussion. Since then, I read long articles by a few of the commenters here, but not all.
Your history on Iran is simplistic at best and just historically inaccurate in some cases. The Shah was the leader of Iran and appointed Mossadegh as prime minister. Mossadegh was never democratically elected as prime minister, no matter what fiction movies in Hollywood may tell you. Mossadegh then sought to marginalize both the Shah and his opposition. The US government had a role in removing Mossadegh from power, but its role can be exaggerated. The CIA would have never been successful if the Shah didn't have substantial popular support or if Mossadegh didn't have substantial opposition among the general public. The Shah was an oppressive ruler, but, if left in place, Mossadegh would have become an equally ruthless dictator.
I appreciate your comments regarding Iran. I'll review the situation a bit more thoroughly in the future. Any suggestions on good sources for information on those events?
I would suggest to get as close to primary sources (first hand accounts) as you can. The ayatollahs were certainly upset in 1979 about western involvement in Iran, but their outrage likely extended far beyond BP oil to a general hatred of secular influences "corrupting" their Islamic culture.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.