Friday Squid Blogging: Illegal Squid Fishing

While we we're on the subject of squid fishing in Argentina, the country is dealing with foreign boats illegally fishing for squid inside its territorial waters.

So yet again, squid and security collide.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on April 12, 2013 at 4:34 PM • 24 Comments


MailmanApril 12, 2013 5:54 PM

Ironic : the IIROC has lost personal data of 52000 investors. The IIROC is Canada's Investment Industry Regulatory Organization, the equivalent of USA's FINRA. It is in charge of verifying that Canadian brokers have adequate controls in place to prevent market fraud and data leaks, among other things.

Now we can wonder, who's watching the watchmen?

BobbyApril 13, 2013 1:15 AM

Been reading about Shodan search and the danger it poses to vulnerable applications. This is an open path for a bored Malicious attacker to spend the day creating chaos around the globe. It could also be costly to entities that do not take security seriously. 13, 2013 8:35 AM

@Jakub Narębski

[On Iranians building a time machine.]

That is interesting, though the Iranians have no credibility after stating to the world that HAARP is an US earthquake making laser gun.

Or this week's "we will make our own Google Earth because the real Google Earth is really made by spy agencies and is anti-God".

Iran also thinks, officially, it seems, the CIA controls hollywood.

I am not sure what other nonsense they believe offhand, besides that Jews are intrinsically evil and that the US is Satan.

Yet, they also performed a very bad hack on the US... are making nuclear weapons... do run a sizeable country... and have performed a number of acts of terrorism which required considerable skill and organization... and they definitely caused a lot of problems in Lebanon & Syria.

I suppose one can rule out the earthquake ray gun statement because they made it right after China suffered a very bad earthquake. They also talk to China a lot, and may have seen China has some fear about the US.

If the US was going to make some kind of supersecret weapon these days, Alaska would be a good place to make it. Area 51 turned out not to be a very good place.

The religious statements they make fit with a lot of the knuckle draggers, and there can be seen to be some manner of political push for them from that.

The Google earth statement is positively insane, though. One comment I read on that from a contractor who worked in Iran is they have people there who make outrageous claims with need for outrageous budgets and there is no need for final product. They just want excuses to blow money. Not surprising.

I could kind of see the "let us act like we are crazy" side of things. Small countries seem to do this, like individuals, for a negotiational edge. 13, 2013 8:47 AM

Story: IRS can read emails & social media without a search warrant.

"The Internal Revenue Service (IRS) has released statements indicating that it can read taxpayer emails without a search warrant or court order, if they are more than six months old, by simply having an IRS agent authorize an administrative subpoena."

This comes from a loophole in a 1986 law, but the loopholes were shut down in 2007. The Obama Administration was unaware of the issue.


Just "yet another story" that seems to indicate there is a severe problem in the US with agencies illegally surveilling civilians.

I am not as worried about this, though, as I am with agencies that have no onus at all, or have the capability to blanket searches against US citizens under the guise of "National Security".

That is because that is exactly how totalitarian systems justify their immoral operations against citizens. And that is exactly the expressed motive behind Watergate, and the expressed motive behind the FBI's many immoral and illegal surveillance programs from the 40s to the 70s.

Fact is the 9/11 terrorists were not US citizens. There have been *some* terrorists in the US, but that is extremely exceptional and most of them were either involved in other crimes or complete nutcase loners who never would have been caught by surveillance. (I am here only recalling the OK bomber.)

princetonApril 13, 2013 12:13 PM

There are numerous issues with the steg app. It depends on the compression used by FB remaining unchanged. In fact, some believe one reason images are compressed is to prevent this and you should test uploading an already compressed image. Ostensibly it is to reduce the payload size. Also, unless the embedded message is encrypted there's no security in it. And if it is, you will still need to exchange private keys. Perhaps the biggest issue with this is, similar to all encryption, how would you ever know if someone decrypted your hidden message? Can you tell if someone had previously gazed at a particular object? If I were going to use this to communicate with another person, it would only be in conjunction with a code book (private key) agreed upon before hand, like a particular paperback book for sale in any airport store. You could even add to the protocol how to switch books in the course of communication.

paranoia destroys yaApril 13, 2013 1:59 PM

I don't use Wordpress, but some advice for passwords has been to have 8 characters with a mix of special ones.

If they tend to be looking for a certain number of digits, would using 2 characters be less likely to be found by a robot? I'm curious as to if they would bother searching for those few combinations.
Or maybe it is about the same difficulty until they catch on to look for that?

Nick PApril 13, 2013 2:53 PM


"Just "yet another story" that seems to indicate there is a severe problem in the US with agencies illegally surveilling civilians."

Thing about the IRS is that surveillance is hardly a worry compared to things they already do. They've been known to freeze bank account, seize assets, SWAT peoples homes, etc. without any advanced warning. It's hard to afford an attorney without a bank account. They've been acting authoritarian and overpowered for a long time.

The reason they get away with it is that they're the way the federal government separates the massive working and middle classes from their money. That agency's power isn't likely to subside anytime soon.

paranoia destroys yaApril 13, 2013 5:55 PM

Just speculating about whether last week's FTC robocall winner announcement may have started an escalation in getting more computing power.

Could a botnet running off of Wordpress using VOIP be a way to send even more unwanted sales calls?

Jakub NarębskiApril 14, 2013 4:40 AM

@princeton: The Secretbook is a DEMO steg app showing how you can do steg that survives recompression, not something for serious use, and author warns about it.

john joeApril 15, 2013 8:20 AM

good story:

The issue is that North Korea (so far anyway) could do a cybersecurity attack, but it is not so easy to, say, fire a missile.

What is the future of this.

They could have gotten away with it too if it was not for those darned kids.

What if they had given false clues to say it was from another country.

What is the future of this sort of state based hack. What can anyone do about it.

Shawn SmithApril 15, 2013 10:21 AM

The Iranian time machine story was horribly titled. It looks like it was some guy who plotted horoscopes ("using complicated algorithms") to tell the future five to ten years in advance with 98% accuracy. Chances are providing horoscopes is illegal in Iran (it reeks of sorcery) and this poser (with 179 "inventions" at 27) is simply trying to get around that law.

Color me unimpressed.

Nick PApril 19, 2013 11:04 AM

People often talk about legacy systems and their impact on security. This article takes it to the extreme: several businesses or organizations almost totally dependent on 30 year old tech.

The company using the 402... that's ridiculous. However, I found the VAXen on page 2 an interesting proposition. The reason was that one of my solutions for quickly building a secure root of trust was to use an old A1-class system on old hardware (e.g. A1 VAX Security Kernel on high-end VAX). Or old software on emulated old hardware maybe using a write-once FPGA-type device.

Funny as it seemed to me, it's even funnier to see that there's still a market for VAX and there's a company making a product (NuVAX) very similar to what I was going to build. The difference is that whatever I built would have supported code, memory and execution integrity at the hardware level. And have a crypto-coprocessor b/c my 1-20Mhz CPU can't be doing AES all day. ;)

It's hard to predict what will be the next ancient legacy system, ignoring mainframes. I'd venture to say either the AS/400 or VMS Alpha systems. They're both old, they just keep running, and people sometimes forget they're there. However, companies representing these kept upgrading them and offering new paths for hardware.

Thing is that newer hardware is unreliable. We still make reliable "systems," but the components break plenty. Eventually you gotta take the smaller, cheaper systems down for a mobo replacement. Maybe a two mobo design like SGI workstation fix that, though.

I just don't see anything made recently running for 10-20 years with little downtime or spare parts required. That era has passed. Except for the companies in the article. ;)

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.