Comments

Ezequiel August 16, 2013 5:01 PM

And you know what? It is really tasty. My grandma uses it for a squid stew. I can never have enough of it. (Google “chipirones en su tinta”)

David T August 16, 2013 6:41 PM

SplashID is a password wallet offered by splashdata.com. I have used it since Palm Pilot days – about a decade. This week, they upgraded to version 7, which has a cloud-storage option. Previously, a user’s master-password resided only on the local machine; now it is hashed locally and the hash is uploaded to SplashData’s cloud – automatically, whether the user wants to or not.

Users are not happy! Apparently, quite a few of the users are pretty security-conscious, and at least as savvy as the SplashData guy who is publicly defending the move. Check out this talk thread, where Justin (the SplashData guy) explains what they did and why, and why they believe it’s safe. Then a horde of dissatisfied users say that they aren’t buying it.

http://forum.splashdata.com/showthread.php?81399-Shocking-Masterpassword-will-automatically-send-in-background-to-splash-id-server

For myself, I plan to move to Password Safe later this month.

Daniel August 16, 2013 7:08 PM

@David

The guy from Splashdata is correct, as near as I can tell. (I didn’t read the whole thread.) The only way that storing the hash on their server is an issue is if there was some way to crack the hash. I assume, however, that the hash is some decent cipher.

One poster writes, “Totally agree. Storing even a hash of the master password online where it is inevitable that hackers will get to it, is completely unacceptable!” That is clearly wrong since the hash is stored on-line for every major password site from Gmail to Yahoo. There isn’t anything new or radical that Splashdata is doing.

AFAIK there has never been a case where the hashes have been broken after they have been stolen. IIRC this happened to Blizzard a number of years ago where their servers were hacked and the hashes stolen and I never heard any claim that those hashes were ever cracked. Someone can come along and correct me if I am wrong on that score.

IMO that whole thread is a big overreaction.

Figureitout August 16, 2013 8:50 PM

Bruce Re: Your latest Op-Ed
–Seems as if the phrase “You’re too smart for your own good” is relevant. Do we really need a microprocessor and an ethernet port and of course F-in Bluetooth in your toilet? That’s really creepy I’m sorry; I know the auto flush is nice but a camera can be put in there.

I don’t like Bluetooth and I don’t like how it’s increasingly being fabbed into everything, I don’t want it and will search out products that eliminate it.

Someone could really annoy you w/ RF and illegal amounts of power. It only takes around 300W in our home (my dad sold his nice amp due to this severe interference) to really mess w/ your stuff (ie the lights start to flicker) and at 100W your speakers and headphones will pick up the transmissions, sometimes it’s a cool distortion but it’ll be annoying.

Anyone who has found a 0-day f*cking around randomly knows that this is scary b/c they’re so weird and random; you won’t be prepared nor know what is happening when one is sic’ed on you. B/c someone did something to my mom’s pc and neither my dad nor I can figure it out, which means potentially all our pc’s could be bricked scrap buckets…

As has already been talked about a lot, all the microprocessors in cars (which I don’t want to mess w/ b/c I don’t want to break my car) is where now we’re talking errors can really kill you…Not to mention your water supply having massive amounts of chemicals dumped; f*ck this, there need to be solid nonelectronic protections to these things.

cmurphy August 16, 2013 11:15 PM

I don’t understand how people depend on a password manager that only stores locally. How are passwords used on a tablet, or other mobile device? Or work and personal computers? I’ve been using LastPass for about a year, and ended up upgrading to the non-free version so I can have access to passwords from a mobile device on the rare occasion when I need to. I even have access to my passwords when booting from Linux live media in those even rarer cases where I’m using a computer system of unknown provenance and need to pay a bill.

Figureitout August 17, 2013 12:02 AM

svt
–I used to agree w/ Bruce on this subject, but now I’m of the opposite opinion. Practically zero confidence in these massive systems that need literally thousands of people to administer just for software. Stupid move on our part, trying to do too much and trying to be, again, smarter than we really are and getting owned by entropy. The author’s suggestions only mentioned software too so he clearly doesn’t have a clue about known and unknown side channels that can get in all systems that have current and voltage in them.

Sometimes I like to just pull the bedsheets over my head and curl in the fetal position; if we don’t stop relying on complex systems beyond our understanding we will sincerely regret it, mark my words.

Jarda August 17, 2013 2:48 AM

In Italy you can buy “nero di sepia” which is used in making pasta or risotto. But I’m not quite sure how good it would be in icecream as it has somewhat a fishy taste.

Haddur Hlöðvarsson August 17, 2013 4:43 AM

“I don’t understand how people depend on a password manager” […]

Neither do I, they are vulnerable to several attacks, including TEMPEST.

It’s better to retain them on paper in a secure location and should the need arise, consume the papers. Yes, that is correct, eat them. Faster and more effective than any wipe program. Locate paper and ink which are not poisonous to consume but won’t fade with time.

Perseid August 17, 2013 4:54 AM

@David and Daniel:

That thread is such a sad debate. I believe none of the participants (that I have read so far) really has a grasp of the security properties of such password hashing. Also it’s a great example of bad communication about technology using cryptography:

“””No matter what you are saying about hash or salt, I don’t even know what that is.
It’s obvious you DID take my password otherwise I wouldn’t be able to login on some webclientpage of yours that I didn’t ask for.”””

“””It’s a ONE-WAY hash. There is no way back. It’s not your password, and your password cannot be obtained from it. “””

“”””Google “cracking hashes” and discover how wrong you are… “””

“””– no doubt some having googled “break one-way hash” or something similar. Well I know that there are weak hashes and there are strong hashes, in just the same way that there are weak door locks and strong door locks”””

“””I was at The Blackhat/DEFCON21 […]. And one group showed off a box about the size of an older desktop PC that could crack SHA256 and lesser hashes in a day or less. It only takes one mistake on your part to lose the hashes you’ve stored, and unless they are hashed using SHA512 or better hash algorithm, they will be trivially crackable…”””

“””In order to gauge the strength of the hash you used, can you tell us the algorithm and hash size? How many bits of salt have been added before computing the hash?”””

Assuming they had some magic way to force every user to use passwords with at least 128 bits of entropy and thus even a single iteration of SHA-1 would be secure, would there even be a way to convince the user that storing a hash of the master password on a server does not mean all their passwords are in the hands of criminals?

Clive Robinson August 17, 2013 5:26 AM

@ svt,

The age-old problem of “hype” in an area with a “paucity of information” on which choices are made…

The problem cuts both ways, overreaction and underreaction; rarely is a response appropriate due to the lack of meaningful information.

For instance, a few people have been raising red flags about what technology can do for mass surveillance for many years (I have for instance for nearly a quarter of a century with DBs and other systems).

The response in general was “who cares” or “conspiracy theory” because of insufficient meaningful information to the listener, who does not want to know anyway and thus rejects what is frequently factual data. The result to those that do more than raise flags is at the least social ostracism but it can be a lot worse as history has shown.

Such has been the state of play in many WASP nations with regards to mass surveillance for over half a century…

Now we have a little more –what we believe is valid– meaningful information via Ed Snowden and now we have an almost lynch party mentality towards our unelected government seniors who have apparently not just broken the “Sacred Trust” but constitutional law as well…

Thus a rapid switch from underreaction to overreaction in sufficient numbers of the population that the unelected now feel threatened. The result may be significant “push back” resulting in social de-cohesion and further “push back” causing further social de-cohesion and potentially civil unrest.

In effect Ed Snowden’s meaningful information has acted as a tipping point and the equilibrium of US society has moved somewhat.

Now as far as we can tell the “hype” of cyber attacks is based on fact, and there have been sufficient acts of APT by many nations. Further we have seen a lot of cyber crime such that it is now in effect a major business sector in its own right.

What we can say is that in the main our online activities are weakly protected from harm, and we are not currently pre-disposed to improve our defences even though we have known how to for around half a century.

The ICT society is in some respects like the Roman Empire, it survives on “bread and circuses for the masses” with “greed, infighting and corruption for the ruling classes”.

Now the question arises what and when will be the meaningful information that causes the tipping point? And will it be sufficient to topple the Empire?

The answer lies of course with “push back”, we know this from history. The question then arises of whether it will be an over or under reaction, as the chances are very slim it will be proportionate.

Thus we need to discuss and put in place sensible and hopefully proportionate laws and treaties prior to a tipping point causing “lynch mob” mentality.

Now I’ve consistently argued that cyber war / weapons / armageddon are the ideas of those that seek to achieve significant benefit, and trumpeted by the “War Hawks” of this world who only see benefit in strife. Which is why I’ve consistently said that the reality is cyber crime, of which cyber espionage / sabotage are just a small part and like nearly every other crime should be dealt with by accountable civilian authorities such as the police and judiciary, not the military or other unaccountable organisations such as the “Intelligence” entities such as the US NSA, CIA, FBI, or executive including the DOJ.

The key to proportionate response is knowing that all your actions will be accountable and judged impartially, which is what good oversight is about.

name.withheld.for.obvious.reasons August 17, 2013 5:36 AM

This is my response to the deputy AG when he mentions the legality of programs under section 215 of the USA PATRIOT ACT.

Somehow the freedom of assembly eludes you; when the government can determine associations between ALL citizens it has gone well beyond the bounds of the first amendment. When people are concerned about what they might expose to an “unknown” system they will invariably exercise self censorship and curtail their associations, especially if they are controversial…as might happen when a tea party member is seeking legal tax assistance or calling or emailing other tea party members. Are you a complete arse? This has an enormous intangible impact (people in these circumstances will not report these problems) and forcibly suppresses political dissent and discourse! The damage may be incalculable; a class action (the sovereign versus US AG, congress, and the Executive) would only be a start.

Clive Robinson August 17, 2013 6:57 AM

@ David, Daniel, et al,

Storing anything in the “cloud” is not a good idea if you have either no need to or other ways of achieving the same end effect. That is basic common sense.

As for hashes, they might be “one way functions” currently but two things are known.

Firstly, the unix password system was one way and the resulting hashed passwords were effectively public. But it succumbed to a dictionary attack, so the shadow password system made the hashes non-public.

Secondly there is a question hanging over one way hashes; there have been a couple of ways demonstrated by which collisions can be found much more efficiently than brute force searching. As Bruce has noted in the past attacks don’t get worse with time, thus there is the very real possibility that other shortcuts will be found for all hashes.

Then there is the question of “entropy”: hashes don’t make it but they do limit it. That is, if the entropy of your password is small, a hash does not increase the entropy of the password; it merely acts as a substitution cipher with a fixed size word output (it’s why dictionary attacks and rainbow tables work so devastatingly). However if the entropy of your password exceeds that of the hash then the hash will reduce the password entropy to the effective entropy of the hash.

Now password system designers assume all passwords are low entropy and to be found in a dictionary. So they introduce a “salt” (to spice things up), which whilst it reduces the likelihood of a rainbow table dictionary attack has a subtle problem.

The salt should itself be high entropy and not be reused, so in effect it needs to be a “number used only once” or a good quality “nonce”. If it’s not then it opens up other potential attack vectors.

As indicated the “nonce” is a ‘number used only once’ which presents some very real issues in practical systems.

Firstly, due to storage issues you cannot store every nonce you’ve so far used, so it rules out the use of a True Random Number Generator (TRNG).

So you have to use a Pseudo Random Number Generator (PRNG) which uses a deterministic algorithm to select –apparently randomly– the numbers from the set of all numbers possible from the generator. But a PRNG has its own issues; in effect the PRNG is a stream cipher and suffers from all of the stream cipher issues.

One of which is each time the PRNG outputs a number the size of the remaining set is reduced by one, and at some point the output of the PRNG becomes more predictable (think of it like a deck of cards being dealt out face up: if you’ve seen four aces you know there are no more aces to be dealt, but having only seen three you know what the fourth will be). So this means that the PRNG can only be used for less than half its output range, before the probability of guessing the next number rises above 0.5.

A simple description of a stream cipher or PRNG is a counter (state array) that is encrypted to produce the next output bit, word or number. And all PRNGs, as do stream ciphers, depend entirely for their security properties on the contents of the state array remaining secret. Which means that the initial start value (seed) has itself to be a nonce (as does the encryption key). Which gives another problem.

For a system that is not of wide use you can hide the awkward issue of the seed value being a nonce behind the probability of a TRNG reasonably well. But the more widely used, the more likely it is that any given number will be used twice. The “birthday paradox” indicates when this is likely to happen and very roughly it’s the square root of the largest number size. So in a binary system the square root of the maximum number of an n-bit word is 2^0.5n. So in effect the bit size of the nonce in a general use system has to be twice what you would consider for a “one off” system.

The above issues are just a few of the issues involved and they all present avenues for attack when the hash value is stored in effect publicly. So even if they cannot be attacked effectively today, it by no means rules out an effective means of attack next week or month.

So finding another way to achieve the same objective, but without making what common sense says should remain secret public, would be a better alternative than “cloud” storage.
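The points argued in the SplashID thread (Perseid’s excerpts above) and in Clive’s comment just above – that an unsalted fast hash of a low-entropy password falls to a precomputed table, that a per-user random salt forces per-user work and unlinks users with the same password, that iterated hashing raises the cost of each guess, and that the birthday bound decides how wide a salt must be before reuse becomes likely – can be seen in a few lines. The following is an added example written for this page, not code from SplashData, KeePass or any poster; the word list and user records are constructed sample data, and PBKDF2-HMAC-SHA256 stands in for whatever stretched scheme a real product uses.

```python
import hashlib
import hmac
import math
import os

# Constructed sample data: a toy "dictionary" standing in for a real wordlist,
# and a few users whose master passwords are (mostly) drawn from it.
WORDLIST = ["letmein", "password1", "qwerty", "dragon", "squidink", "Tr0ub4dor&3"]
USERS = {"alice": "qwerty", "bob": "squidink", "carol": "qwerty"}


def unsalted_hash(password: str) -> str:
    """One plain SHA-256 pass: the scheme the thread is worried about."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_rainbow_table(words) -> dict:
    """Precompute digest -> word once. With no salt this table hits every user."""
    return {unsalted_hash(w): w for w in words}


def crack_unsalted(stored: dict, table: dict) -> dict:
    """Recover passwords by table lookup alone: zero per-user hashing work."""
    return {user: table[d] for user, d in stored.items() if d in table}


def salted_stretched_hash(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256: per-user random salt plus `iterations` of work."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def enroll(password: str, iterations: int = 100_000) -> tuple:
    """Return (salt, digest, iterations), the record a server would store."""
    salt = os.urandom(16)  # 128-bit salt; see birthday bound below for why 128
    return salt, salted_stretched_hash(password, salt, iterations), iterations


def verify(password: str, record: tuple) -> bool:
    salt, digest, iterations = record
    candidate = salted_stretched_hash(password, salt, iterations)
    return hmac.compare_digest(candidate, digest)


def crack_salted(record: tuple, words):
    """With a salt the attacker must redo the full stretched hash for every
    guess, for every user; precomputation buys nothing. Returns the password
    if it is in `words`, else None (e.g. a high-entropy password)."""
    salt, digest, iterations = record
    for w in words:
        if hmac.compare_digest(salted_stretched_hash(w, salt, iterations), digest):
            return w
    return None


def guesses_to_first_collision(bits: int) -> float:
    """Birthday bound: expected number of uniformly random `bits`-bit values
    drawn before one repeats, ~ sqrt(pi/2 * 2**bits), i.e. roughly 2**(bits/2).
    A salt is only a 'number used once' with high probability while the user
    count stays well below this; for 128-bit salts that is ~2**64 users."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


if __name__ == "__main__":
    table = build_rainbow_table(WORDLIST)
    stored = {u: unsalted_hash(p) for u, p in USERS.items()}
    print("unsalted, cracked by lookup:", crack_unsalted(stored, table))
    rec = enroll("qwerty", iterations=50_000)
    print("salted+stretched, dictionary hit:", crack_salted(rec, WORDLIST))
    strong = enroll(os.urandom(16).hex(), iterations=50_000)  # ~128 bits of entropy
    print("salted+stretched, strong password:", crack_salted(strong, WORDLIST))
    print("salt draws before a repeat, 32-bit vs 128-bit salt: %.3g vs %.3g"
          % (guesses_to_first_collision(32), guesses_to_first_collision(128)))
```

The rainbow-table step is what “Google cracking hashes” refers to; it only works because every user with the same password has the same digest and the attacker’s work is shared across all victims. The salted path shows the other half of the debate: the salt does not add entropy to the password (a dictionary word is still found), it only removes the shared precomputation, while the iteration count sets the price of each guess and the password’s own entropy decides whether the search ever finishes.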

Scott "SFITCS" Ferguson August 17, 2013 7:11 AM

@Clive Robinson

The problem cuts both ways, overreaction and underreaction, rarely is a response appropriate due to the lack of meaningfull information.

Lack of meaningful information is not why people react wrongly (IMO) as it overlooks why people don’t gather more information. Ignorance might be a state we’re born into, but after that it takes studious avoidance to maintain. It’s contradictory but I suspect for most people, most of the time, they are:- lazy; easily distracted; and blinded to their own ignorance – so they “intuit”. The need to understand is so deep that without it comes cognitive dissonance. Whilst we are all capable, at least occasionally, of rational thinking and accepting that all areas of knowledge are non-intuitive – for the most part we refuse to believe that intuition is not always wrong. Like extrapolation, statistics, and balancing losses against gains, the belief in intuition is a major failing of humans.

With technology and its application the amount of ignorance is huge and all pervasive. This leads to large amounts of decisions and beliefs being based on intuition – and anything that challenges that intuition (belief) challenges the idea that our intuition is to be trusted. If we are wrong about some things perhaps we need to reconsider other things… which is why the presentation of facts that contradict beliefs doesn’t sway the believer (quite the reverse) – either the person making the challenge is wrong (a tin-foil hatter) or the implications are trivial (it’s not important – go back to sleep, drink beer, watch television, get fat). I call it the “what else” problem – if you admit to being wrong in a “belief” what else do you wrongly believe. Which goes back to the laziness problem…

Much of this has to do with what Bruce and others talk about, the problems of trust – it’s often down to perception. But mostly it’s about how that perception challenges deep emotional investments in one’s intuition. Intuition – the ability to make connections between unrelated things, the same thing that characterizes psychosis or poor understanding of causality.
In addition to that there’s what I call the “what next” problem – if we are wrong about a belief – what do we do about it. Throw in ego, because to not understand technology and its implications is a sign of failure, and you get what I call “aggressive armchair apathy” – i.e. I’ll fight you for my right to do absolutely nothing. And I’ll confabulate justifications (the view is so much better from a higher moral ground). i.e. yes, you are right about the spying – but it’s better than children being eaten, and what do you have to hide anyway? Huh!

In some instances we avoid things we don’t understand, but keeping up with the Joneses, and the superstitious need for talismans/fetishes mean we embrace technology of which we are ignorant (got to have it because we got to have it, and inanimate objects are sexy).

Not a disagreement with what you’ve written, just my own thoughts.

Aldous Huxley had some sort of thoughts about it too (Brave New World Revisited) but, oh wait, I’m missing tonight’s episode of Big Brother – and the lotto draw (I could be a millionaire!). Got to go, more important… (a little treat as a reward).

Nick P August 17, 2013 10:00 AM

@ cmurphy

“I don’t understand how people depend on a password manager that only stores locally. How are passwords used on a tablet, or other mobile device? Or work and personal computers? I’ve been using LastPass for about a year, and ended up upgrading to the non-free version so I can have access to passwords from a mobile device on the rare occasion when I need to. I even have access to my passwords when booting from Linux live media in those even rarer cases where I’m using a computer system of unknown provenance and need to pay a bill.”

Here you go. It uses only well-protected local secrets. The secrets are stored in an encrypted file you can sync across devices. It runs on Windows, Mac, Linux, etc. with ports to the likes of iPhone/iPad.

http://keepass.info/features.html

And if you trust your password file encryption enough, you can just email it to yourself whenever it’s updated. It’s how I move a lot of thoroughly encrypted files between devices if I don’t have a better option set up. Kinda lame that in 2013 that’s still one of the best options.

Clive Robinson August 17, 2013 11:29 AM

OFF Topic :

As I suspected and initially predicted, the shutting down of lavabit by the owner would be viewed as a contempt of court and as such he could be looking at significant jail time if the Feds were stupid enough to turn him into a modern day martyr,

http://www.techdirt.com/articles/20130816/14533924213/feds-threaten-to-arrest-lavabit-founder-shutting-down-his-service.shtml

But the Feds are that stupid if this is anything to go by,

http://www.mcclatchydc.com/2013/08/16/199590/seeing-threats-feds-target-instructors.html

Apparently the Feds are targeting people who teach polygraph defeating tactics…

What is not clear is if it’s a direct attack on the trainers or to use it as an excuse to go after their business records to get the names of those who have had such training (and then presumably persecute them all to save Barack ‘the control freak’ Obama face).

And just to make it worse for US TLA’s there are reports that Ed Snowden was lifting NSA secrets while he was working at Dell for quite some time before he moved to Booz H,

http://www.reuters.com/article/2013/08/15/usa-security-snowden-dell-idUSL2N0GF11220130815

Mind you there are rumours around that DISA want to use NSA technology to gather and analyse data. I’m not sure they know what they are going to get out of the relationship but a very very long handled spoon might be advisable. Anyway the Devil of the NSA and its mistress the Dept of Justice are trying to white wash the activities from being illegal under the constitution to weaselly legal under their curious definitions and self justifications,

http://www.washingtonpost.com/world/national-security/the-intelligence-communitys-side-of-the-collection-programs-debate/2013/08/14/02674a96-043b-11e3-9259-e2aafe5a5f84_story.html

Needless to say few other news outlets have bothered mentioning the two “reports” (after all why give space to 455-fodder material). They instead are seeking further revelations of NSA and Co lying,

http://www.forbes.com/sites/jennifergranick/2013/08/14/nsa-dea-irs-lie-about-fact-that-americans-are-routinely-spied-on-by-our-government-time-for-a-special-prosecutor-2/

Something tells me that Obama is lucky this came out in his second term, because if it had come during his first term he would have been ‘too toxic to touch’ and thus confined to wandering the political deserts rather than running for re-election.

Bryan August 17, 2013 3:32 PM

Over at TechDirt, I just read that LavaBit’s Levison is being threatened with prosecution for effectively refusing to turn over ALL users of his email service (by shutting it down).

http://www.techdirt.com/articles/20130816/14533924213/feds-threaten-to-arrest-lavabit-founder-shutting-down-his-service.shtml

Since his past cooperation with LEOs over a couple dozen times in individual cases shows cooperation with authorities, and he is now gagged by court order from discussing if he has a court order causing his action, one can only conclude that the Feds wanted a general back door OR wanted provision for bypassing encryption for a particular user (currently impossible due to the encryption architecture).

It would have been hard to believe that the Feds would be able to obtain a court order that violates the 4th Amendment’s ban on general warrants until this month, but it is harder to believe that they wanted access to a particular user’s messages with the current disclosures of Hoovering up everything. (And the programming effort involved to obtain a particular user’s secrets while maintaining the secrets for everyone else would be truly large.)

It is also hard to believe that stored encrypted email is a “business record” that can justify a court order from a secret court.

Unlimited gag orders need to cease. Secret legal justifications and unlimited secret court orders need to cease. The Feds are losing the war because of them.

cmurphy August 17, 2013 4:13 PM

@Nick P

Well to go with Keepass it sounds like everything that’s completely seamless, integrated and automatic with LastPass, I’d lose and have to email encrypted files around to different devices, and somehow keep everything sync’d manually. That’s a PITA. I just don’t see the advantage. And by emailing the file around, it isn’t in fact local stored. Copies of the encrypted data base are ending up on servers, non-locally, in the course of the manual syncing process.

In either case if we’re trusting the database is encrypted, it shouldn’t matter how many copies of it there are or where they are. If we don’t trust that, then we might as well write the passwords down and keep them in a locked fire safe, locally.

Petréa Mitchell August 17, 2013 4:34 PM

Peggy Noonan is writing the best nontechnical commentary I’ve seen on the NSA revelations. This column on privacy is a particularly good one to recommend to your non-geek friends.

There’s a great summary of the situational problem of limiting the NSA in this one:

People who work for the government, including inevitably those who work in national security, will not decide their powers are too broad. They can’t—they’re focused on a real foe, they have a mission and it tends to leave them in time thinking their powers aren’t broad enough. They will not declare they need more civilian control or oversight—those dizzy, self-serving politicians just gum up the works. They will not decide to limit their use of the capabilities at their fingertips, especially when the stakes seem so high.

She frames this as the conservative reason to be worried, but it would seem to work fine for anyone.

Godel August 17, 2013 7:19 PM

@Nick P and cmurph

Another advantage of KeePass is that it does extensive key stretching out of the box, and the number of rounds can be increased by the user. My KeePass database now takes 4–5 seconds to unlock after the key has been entered. Commercial password managers may do this, but with their usually inadequate documentation it’s hard to tell.

The main disadvantage of KeePass is that the autofill facilities are a bit primitive. There are a number of add-ons for Firefox to help this situation of which KeeFox and KeeForm are two.

As to TEMPEST, I imagine Neo Safe keys (in windows) in Ghost Hover mode would make things difficult for the eavesdropper.
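Godel’s point about raising the round count until an unlock takes a few seconds is a work-factor calibration: you pick the number of iterations your own machine can afford per unlock, and that same number is what an attacker must pay per guess. The snippet below, an added example written for this page and not KeePass code (KeePass’s own KDFs are AES-KDF and Argon2; PBKDF2-HMAC-SHA256 stands in here as a generic “rounds you can raise”), measures the cost per iteration on the current machine, derives an iteration count for a chosen unlock budget, and turns an assumed attacker throughput into a guess rate so the trade-off can be reasoned about in numbers.

```python
import hashlib
import time


def stretch(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Generic iterated KDF; the iteration count is the tunable work factor."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


def seconds_per_iteration(probe_iterations: int = 20_000) -> float:
    """Time `probe_iterations` rounds on this machine with a throwaway input
    (constructed probe values, not a real key) and return the per-round cost."""
    t0 = time.perf_counter()
    stretch(b"probe-password", b"\x00" * 16, probe_iterations)
    elapsed = max(time.perf_counter() - t0, 1e-9)
    return elapsed / probe_iterations


def calibrate(target_seconds: float, floor: int = 10_000) -> int:
    """Iteration count so that one unlock costs about `target_seconds` here,
    never dropping below `floor` (a floor guards against a mis-measured probe
    on a fast or heavily loaded machine producing a uselessly small count)."""
    return max(floor, int(target_seconds / seconds_per_iteration()))


def attacker_guesses_per_day(iterations: int, attacker_iters_per_second: float) -> float:
    """How many password guesses per day a rig doing `attacker_iters_per_second`
    rounds of the KDF can try against a single record. The rig speed is an
    assumption the caller supplies; it is not a measured figure."""
    return attacker_iters_per_second * 86_400 / iterations


def days_to_exhaust(search_space: float, iterations: int,
                    attacker_iters_per_second: float) -> float:
    """Days for that rig to try every password in a space of `search_space`
    candidates, e.g. 2**40 for a ~40-bit-entropy master password."""
    return search_space / attacker_guesses_per_day(iterations, attacker_iters_per_second)


if __name__ == "__main__":
    rounds = calibrate(2.0)  # aim for ~2 s per unlock on this machine
    rig = 1e9  # assumed attacker: 1e9 KDF rounds per second, for illustration only
    print("iterations for a ~2 s unlock here:", rounds)
    print("days to exhaust 2**40 guesses at %d rounds: %.1f"
          % (rounds, days_to_exhaust(2 ** 40, rounds, rig)))
    print("same space with a single-round hash: %.4f days"
          % days_to_exhaust(2 ** 40, 1, rig))
```

The deterministic part is the useful one: for a fixed attacker budget the time to exhaust a search space scales linearly with the iteration count, so going from one round to a million rounds buys a factor of a million, and nothing more. It does not rescue a dictionary-sized search space, which is why the iteration count and the master password’s entropy have to be chosen together.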

Bruce Schneier August 17, 2013 10:19 PM

“Friday Squid should be posted earlier in the day IMHO.”

It’s always in the 4:00 hour — Central Time. Unless I forget.

at bruce August 18, 2013 9:22 AM

at bruce:

What a great comment!

It’s always 4 o’clock! Except when it isn’t.

made me chuckle

Clive Robinson August 18, 2013 9:48 AM

OFF Topic :

Is the Fed Reserve stealing other countries gold reserves?

It’s bubbling up as a news story again in various parts of the world, due in part to Ed Snowden revealing what even the German Government was not aware of: that their communications security organisation is in bed with the NSA.

The stealing of other nations’ gold sounds ridiculous but more and more rumours appear to have some basis in fact (figures don’t balance). So late last year one nation said for good and proper reasons it wanted to repatriate its gold.

But the Fed Reserve said Germany cannot take its gold out for at least seven years,

http://lionsdenmedia.hubpages.com/hub/Germany-Demands-Return-of-Gold-Held-by-US-Federal-Reserve-ButHow-it-Affects-Your-Wallet

http://australian-conservative-truth.blogspot.co.uk/2013/07/usa-federal-reserve-steals-germanys.html

So the Germans not unreasonably demanded to inspect their gold and were in effect prevented from doing so, in that Fed Reserve staff only allowed the German inspectors to look through a door several feet away from what they were told was partly German gold.

Needless to say after Goldman Sachs were caught selling false / fake gold certificates and other US financial institutions have likewise been seen on the edges of various shenanigans involving missing bullion and adulterated bullion, confidence in US financial organisations and their handling of gold is on a downwards spiral.

But it appears the Fed Reserve has stolen gold from countries before, but western media has not cared to comment on it,

http://nsnbc.me/2013/04/18/federal-reserve-refuses-to-submit-to-an-audit-of-germanys-gold-held-in-u-s-vaults-2/

But it appears that although this had slipped out of the news Mr Snowden’s revelations are causing it to come back into the limelight.

But with more interesting stories, one being the Fed Reserve has actually sold the gold off on the assumption they will buy it back if and when the price drops. Another is the US has sold its gold stocks from Fort Knox and it is likewise empty. Either way there are calls arising for both reserves to be properly audited, something that has not been done before.

Oh and now Russia is running with the story as well…

Petréa Mitchell August 18, 2013 11:45 AM

Unspecified federal agencies are attempting to prosecute people for teaching polygraph-fooling techniques.

The story does note that polygraphs aren’t terribly reliable anyway, which leads to this great quote:

Citing the scientific skepticism, one attorney compared the prosecution of polygraph instructors to indicting someone for practicing voodoo.

“If someone stabs a voodoo doll in the heart with a pin and the victim they intended to kill drops dead of a heart attack, are they guilty of murder?” asked Gene Iredale, a California attorney who often represents federal defendants. “What if the person who dropped dead believed in voodoo?”

I wonder if they’re planning to go after Penn & Teller, or anyone from Showtime, over this show, which included detailed instructions on the topic. (And look, it’s available on iTunes right now! Quick, arrest Apple!) I’m sure P&T would welcome the publicity.

Clive Robinson August 18, 2013 12:52 PM

@ Bryan, Petréa Mitchell,

Did you miss my above posting about both the Lavabit owner and the Feds going after lie detector trainers?

Any way you’ve both amplified nicely with your comments.

AlanS August 18, 2013 5:10 PM

More over-reach:
British Authorities detain Glenn Greenwald’s partner for 9 hours under Schedule 7 of the Terrorism Act of 2000.
http://www.theguardian.com/commentisfree/2013/aug/18/david-miranda-detained-uk-nsa

“The stated purpose of this law, as the name suggests, is to question people about terrorism. The detention power, claims the UK government, is used “to determine whether that person is or has been involved in the commission, preparation or instigation of acts of terrorism.” But they obviously had zero suspicion that David was associated with a terrorist organization or involved in any terrorist plot. Instead, they spent their time interrogating him about the NSA reporting which Laura Poitras, the Guardian and I are doing, as well the content of the electronic products he was carrying. They completely abused their own terrorism law for reasons having nothing whatsoever to do with terrorism: a potent reminder of how often governments lie when they claim that they need powers to stop “the terrorists”, and how dangerous it is to vest unchecked power with political officials in its name.

NobodySpecial August 18, 2013 7:13 PM

Given that he was a perfectly innocent Brazilian traveling through London he got off lucky.

Dirk Praet August 18, 2013 8:38 PM

@ AlanS

It’s just one of these stories that even Hollywood can’t make up: detaining a guy called Miranda under a terrorist act that strips him from his right to a lawyer.

It would seem the US and their UK poodle recently have become hell-bent on ticking off South American nations. This is not gonna go down well in Brazil, especially in the wake of the Morales incident and Snowden’s revelations on US mass spying in that country. Some folks may also still remember the tragic case of Jean Charles de Menezes, the Brazilian electrician who was shot dead by the Met Police at Stockwell tube station in 2005. I’m already looking forward to the undoubtedly very interesting arguments David Cameron and Theresa May will come up with to justify their actions.

Figureitout August 18, 2013 8:48 PM

AlanS
–As more and more people begin to experience this harassment, you all will see I’m not some crazy nutter spouting off conspiracy theory; that this harassment has been going on for years for me outside legality, and so how do you fight illegality? Illegally.

I personally wonder how many people have either not been aware of being penetrated or if they are too terrified to speak out.

Figureitout August 18, 2013 8:53 PM

Might I also add that it’s pathetic that the investigative journalism the US needs is coming from the UK. Then again one journalist recently died from peculiar circumstances and the ones actually asking real questions get ostracized…Just pathetic.

Figureitout August 18, 2013 9:07 PM

Also, they should just encrypt random crap, massive amounts and carry it everywhere they go. Oh man, the fun we can have.

Figureitout August 18, 2013 9:19 PM

I will also laugh in any hit[wo]man’s face unless they snipe me from behind or in my sleep. F*ck you all you know where to find me and you will eventually see real justice. Not just some kid owning the very tools you don’t understand.

AC2 August 18, 2013 10:53 PM

@Figureitout

“it’s pathetic that the investigative journalism the US needs is coming from the UK”

When you say UK, I think you only mean the Guardian.

For example see linked how BBC has reported this (under World – Latin America no less!)

m.bbc.co.uk/news/world-latin-america-23750289

Fullminster Bucker August 19, 2013 12:37 AM

Hi,
I am new to security engineering, trying to learn and find my way. I have a rather simple question and hope that someone can enlighten me.

If you use PGP, is it possible to remember your private key or is it simply too long?

What about AES-128bits? How many characters would the private key need from the keyboard given that you use both lower characters, higher characters and symbols?

Scott "SFITCS" Ferguson August 19, 2013 1:22 AM

@Fullminster Bucker

If you use PGP, is it possible to remember your private key?

That’s in addition to your passphrase.

Yes. But not easily. You’d probably want to use mnemonics and the Loci method.
There are a few tools you could use to convert the private key into mnemonic codes for that purpose.

A workable alternative might be to simply invent a special passphrase (which would mean you have to remember two passphrases). Then write out your private key and interleave your special passphrase into it. Your private key is now obscured and can be tattooed or written somewhere – only you know what needs to be removed from the obscured key to make it usable.


What about AES-128bits? How many characters would the private key need from the keyboard given that you use both lower characters, higher characters and symbols?

Unencrypted? 32 hex 😉
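
As an added illustration of the “32 hex” answer and the keyboard-length question above (example code written for this page, not from any commenter): an AES-128 key is 16 random bytes, so it needs 32 hex characters, but fewer characters if each typed character draws from a larger alphabet. The class sizes (26 lower, 26 upper, 10 digits, 32 printable symbols) and the 7776-word Diceware-style list are assumptions chosen for the calculation; the `passphrase_max_bits` figure is an upper bound that assumes every character was chosen uniformly at random, which human-chosen passphrases never achieve.

```python
import math
import secrets

# Alphabet sizes used below. These class sizes are assumptions for the
# calculation (printable ASCII classes), not figures from the thread.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 32
HEX = 16
DICEWARE_WORDS = 7776  # classic 6^5 word list, for comparison


def bits_per_char(alphabet_size: int) -> float:
    """Entropy carried by one uniformly random symbol from the alphabet."""
    return math.log2(alphabet_size)


def chars_needed(key_bits: int, alphabet_size: int) -> int:
    """Smallest number of uniformly random symbols that can carry key_bits
    bits of entropy, i.e. the minimum typed length for a key of that strength."""
    return math.ceil(key_bits / bits_per_char(alphabet_size))


def passphrase_alphabet(passphrase: str) -> int:
    """Size of the smallest class-based alphabet covering every character used."""
    size = 0
    if any(c.islower() for c in passphrase):
        size += LOWER
    if any(c.isupper() for c in passphrase):
        size += UPPER
    if any(c.isdigit() for c in passphrase):
        size += DIGITS
    if any(not c.isalnum() for c in passphrase):  # space and punctuation
        size += SYMBOLS
    return size


def passphrase_max_bits(passphrase: str) -> float:
    """Upper bound on the entropy of a passphrase: its length times the bits per
    character of its alphabet, assuming uniform random choice of each character."""
    alphabet = passphrase_alphabet(passphrase)
    return 0.0 if alphabet == 0 else len(passphrase) * bits_per_char(alphabet)


def random_aes128_key() -> bytes:
    """A fresh 128-bit key from the OS CSPRNG (16 bytes)."""
    return secrets.token_bytes(16)


def key_to_hex(key: bytes) -> str:
    """Hex encoding of the raw key: 2 characters per byte, so 32 for AES-128."""
    return key.hex()


def key_from_hex(text: str) -> bytes:
    """Inverse of key_to_hex, rejecting anything that is not exactly 16 bytes."""
    key = bytes.fromhex(text)
    if len(key) != 16:
        raise ValueError("AES-128 key must be exactly 16 bytes")
    return key


if __name__ == "__main__":
    key = random_aes128_key()
    print("key as hex:", key_to_hex(key), "(", len(key_to_hex(key)), "chars )")
    for name, size in [("hex", HEX), ("alphanumeric", LOWER + UPPER + DIGITS),
                       ("full keyboard", LOWER + UPPER + DIGITS + SYMBOLS),
                       ("diceware words", DICEWARE_WORDS)]:
        print(f"{name:>15}: {chars_needed(128, size)} symbols for 128 bits")
    # Constructed sample passphrase, shown only to illustrate the bound.
    sample = "Tr0ub4dor&3"
    print(f"max entropy of {sample!r}: {passphrase_max_bits(sample):.1f} bits")
```

The point the numbers make is that the 32 hex characters are the key itself, while a 20-character keyboard passphrase only reaches 128 bits if every character is independently random; anything memorable carries far less, which is why the key is normally stored encrypted and only the passphrase is remembered.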

JV August 19, 2013 8:26 AM

Posted in Electronics Products on-line magazine:

Man buys GPS jammer to duck employer, jams his local airport instead
http://www.electronicproducts.com/RF_and_Microwave_Components/RF_and_Microwave/Man_buys_GPS_jammer_to_duck_employer_jams_his_local_airport_instead.aspx

In short: He was using a GPS jammer in his car to avoid being tracked by his employer and drove by an airport that was testing a new GPS-based guidance system. Feds tracked him down, fined him and he was fired from his job. The GPS system is now in use.

Seems like that was too easy an attack on an airport. Makes me wonder if we are too trusting that our GPS measurements are accurate?

Figureitout August 19, 2013 7:48 PM

AC2
–I’m confused. Doesn’t the BBC stand for “British Broadcasting Corporation”?

Figureitout August 19, 2013 9:43 PM

Not that anyone besides Arduino Uno ATmega328p owners will find this interesting, but after modifying the “blink” example code to alternate “off and on” LED blinking between ports 12 and 13, one can simply plug in a jumper cable and have port 13 and the external LED light up at the same time even though it’s not supposed to.

I love my arduino and all the hardware, but bugs galore, such is the joy of modern technology.

Alex August 20, 2013 1:34 AM

@JV:
Even a boy scout with a basic understanding of RF and radios could easily shut down a large airport if so desired. Practically everything about airports and airplanes runs on VHF. Even more interesting/vulnerable is that aircraft comms run using AM, so they are very susceptible to interference. I’m sure plenty of power companies over the years have unintentionally jammed an airport when insulators start to break down. Similarly, you should hear the chaos which happens when someone’s microphone gets stuck on. I heard this happen on one of the JFK airport channels one day. Quite a mess.

There’s also no provision to authenticate communications either. If someone wanted to “play air traffic controlman”, it’d be very easy to do. Many planes broadcast their position using ADS-B, which is easily received & decoded using a standard PC. Just build yourself a DIY radio transmitter, tune it to the magic frequencies, get a nice loud linear amp, and you’re set. In such case, hopefully the boy scout’s gonads have dropped, otherwise pilots would easily know that it’s a boy and not a man at the ATC controls.

Also, anything digital generally is unencrypted and lacks any checksum. Want to really make an ATC tower sweat? Start sending a bunch of false planes heading his way.

So, why hasn’t it happened yet? Because people are generally sane. Thinking about it, I often have enough electronic gear in my carry-on to pull off such an attack. Never had TSA question any of it, but they certainly have thrown a hissy fit over water, medications, power cords, and iPads.

You can hijack an airplane using a box cutter; you can kill someone using your belt. Just because these things can happen doesn’t mean they will happen. Dangerous people are the issue.

Figureitout August 20, 2013 1:55 AM

Alex
–I know. It’s truly incredible how hard RF engineers could own so many people but this has simply not happened; maybe they are too smart to know that it could eventually be traced back to them.

Maybe…maybe they are just too ethical to ruin many people’s day. Really we could ruin your day so hard, god it would be so easy.

Thomas_H August 20, 2013 2:32 AM

http://www.bbc.co.uk/news/uk-23761918

“The US government has said British officials gave it a “heads up” about the detention of the partner of a journalist who published information from US whistleblower Edward Snowden.

But it said the decision to detain David Miranda was a British one taken “independent of our direction”.”

Sooooooo…if the latter was the case, why even bother informing the USA?

This bit is a nice example of “not actually answering the question”:

“Scotland Yard, which has not said on what grounds he was detained, said in a statement on Monday night that the “examination” of Mr Miranda was “subject to a detailed decision-making process”.

“The procedure was reviewed throughout to ensure the examination was both necessary and proportionate.

“Our assessment is that the use of the power in this case was legally and procedurally sound.

“Contrary to some reports, the man was offered legal representation while under examination and a solicitor attended.

“No complaint has been received by the MPS at this time.””

More on the above: http://www.bbc.co.uk/news/uk-23763625

Nick P August 20, 2013 10:06 AM

@ Scott Ferguson

Darn, that sucks. Groklaw was a good resource. These people need to man/woman up and stop shutting their stuff down. Every time they do they (1) have no effect on risk TLA’s pose, (2) have little to no effect on voters that can change things, and (3) reduce opportunities for decent, liberty-loving folk. So far, people have lost two privacy respecting email services and a great legal blog.

So, the next group of people wanting these services will have to trust more obscure offerings run by people whose character may not be well known. I’m sure that will turn out great for most of them. (sarcasm)

Note: The Groklaw dude got an email in Switzerland afterward. He pointed out he did that b/c they have different laws. He must not know much about the history of cooperation between US and Swiss LEO’s. And the occasional instances of US fronting with Swiss companies. Decent example of the kind of thing I was talking about: the services run by Americans have one known risk, whereas the others have many risks most people don’t understand.

Scott "SFITCS" Ferguson August 20, 2013 11:17 AM

@Nick P

These people need to man/woman up and stop shutting their stuff down.

Trying to get a complete picture for my own understanding, and I haven’t had time to do all the research and thinking required but:-

1. PJ has spent 10 years copping flak, and perhaps she doesn’t feel up to rubber hose/snorkelling/potty training treatment. Not everybody longs for the elevated view that comes with being nailed to a cross.

2. She is making a statement and a brave stand. Sometimes a tactical retreat is a good idea. Especially when perceiving is denial of war – and this is a war. No war is ever delayed, avoided, or denied to advantage.

3. She may be considering how many people are incapable of high security communications – much of her, um, success is due to whistle-blowers. That feeling of responsibility may also extend to those who visit her site. What any of us do now may be used against us in the future – and the future is impossible to factor into risk management.

4. Some of the proposed (not by you) technical solutions won’t work – the project needs the visitors not just contributors. If it’s blocked it’s pointless, likewise if it moves to the dark web.

NOTE: she hasn’t vanished so it’s possible she may resurrect the site, and there’s no reason someone else couldn’t fork the project.

I disagree with only two things you say:- PJ’s gender (a moot issue), and the advantage of non-US soil. The latter is not something I’d rely on for privacy for a number of reasons.

The points I made above are not arguments – just factors you may not have considered in your righteous indignation (which I share).

Not so long ago a lot of Germans took to the streets in protest of their governments invasion of privacy – a lot of Germans, and not just for an afternoon. But the crimes against them don’t compare to the current surveillance.
That it’s also part of a black bag mystery tourism regime doesn’t explain the lack of actual complaint (I’ve just finished reading The Way of the Knife and I’m reminded this is not just about spying).
Maybe it’s all those people who are too busy believing they’re millionaires in waiting (the brain can’t do altruism and greed simultaneously).
I dunno – but Aldous Huxley (Brave New World Revisited) and Bill Hicks had part of the problem sussed (shiny things and an extra serve of stupid).

OT. I’m wondering if I should start GPG signing my posts as a matter of course(?)

CallMeLateForSupper August 20, 2013 11:31 AM

@ Nick P
“These people need to man/woman up and stop shutting their stuff down.”

I understand your feeling. But shutting down a business sends a strong message to both clients and governments: we won’t be complicit in compromising our clients’ metadata and content, and to that end we give up our livelihood.

Think about that second point; how willing are you to quit your job on principle? I think you’ll agree that the prospect does give pause.

“The Groklaw dude got an email in Switzerland afterward.”

That “dude” is a dudette, actually (Pamela).

Nick P August 20, 2013 3:30 PM

@ both commenters

” PJ’s gender (a moot issue)”
“That “dude” is a dudette, actually (Pamela).”

Oops. The few times I was on Groklaw I was just skimming content real quick. Never even read the name. If she reads this, I sincerely apologize for that mistake.

@ Scott Ferguson

“PJ has spent 10 years copping flak, and perhaps she doesn’t feel up to rubber hose/snorkelling/potty training treatment. Not everybody longs for the elevated view that comes with being nailed to a cross.”

That would be the most sensible reason to shutdown. It’s truly her choice about whether to take the continued pressure and make the sacrifices. If she does, then that’s awesome. If she doesn’t, at least she did what she could for a long time. I probably wouldn’t hold such a decision against her all things considered.

“What any of us do now may be used against us in the future – and the future is impossible to factor into risk management.”

Similar to your first point. Another good one. I can speak to the fact that the anxiety such a situation brings is more than many people would want to live with.

“the advantage of non-US soil. The latter is not something I’d rely on for privacy for a number of reasons.”

I apologize if I wasn’t clear: I was saying about the same thing. Numerous supposedly safe services or companies in foreign countries have been compromised in the past, sometimes were even fronts. Plus LEO’s have cooperated under pressure. Both have happened in Switzerland despite its seemingly better laws. So, like you said, non-US soil != safe. I’ll qualify, though, that it can be one of many links in the security chain for a subversion resistant service. Just not the only link. 😉

Re complaints, precedents, etc.

I’ve studied the public’s reaction to this stuff for a long time. I once heard a conspiracy nut say something that might have some truth in it: a strategy of constant distraction. The idea that the public in this country is constantly exposed to news stories, highly emotional political issues, financial issues, local problems, etc. They have too much immediately in front of them to be interested in or worried about. The distant, theoretical and other possibilities are fleeting moments or conversation over dinner (or beer) for them at best.

So, they externalize it, put it off, or justify it. This action is the path of least effort compared to “changing the law,” “fighting the system,” or however they might perceive it. Those in control, esp of media, keep this going because it suits them. The strategy might be incidental or the result of a conspiracy by those in power. It doesn’t really matter: the sad truth is that it’s working.

A future renaissance or resistance will be up against an opponent with mastery of perception management, massive surveillance systems, control of most media outlets, and maybe restrictions on the Internet in near future. The minority will have to unify their efforts and break that perception control despite those tools of control. They will also have to charge the public enough emotionally to act in a big way. It will be… difficult at best.

@ CallMeLateforSupper

” But shutting down a business sends a strong message to both clients and governments: we won’t be complicit in compromising our clients’ metadata and content, and to that end we give up our livelihood. ”

The actual message is they will take steps to not cooperate with law enforcement investigations or a powerful intelligence agency snooping to stop the nation’s enemies. That’s how the voting public would look at it. They might even ask how many innocent Americans these programs are killing or devastating. To the public, the harm is theoretical at this point and the shutdowns would probably result in something along the lines of “sucks for them,” “they got some balls,” or (more common) “when’s the next season of blah start?”

Breakdown of the situation:

  1. Most of the public don’t care [enough to even write a letter].
  2. Most of the public kept using services of both known and potentially complicit vendors.
    (That’s an implicit vote, btw.)
  3. The proponents of strong privacy against government have stayed a vocal minority with little political effect.
  4. A number of providers that support them are shutting down.

The end result is logically that the shutdowns will only affect the people wanting privacy and such services. Shutdowns will have zero impact on the voting majority that use complicit, “law-abiding” services.

So, I get why many are doing it. My gripe is that it hurts things rather than helps.

“The only thing that’s necessary for the triumph of sneaky companies is for good companies to do nothing [because they shut down.]”
– Anonymous, except to NSA

Clive Robinson August 20, 2013 4:57 PM

@ Nick P,

From reading PJ’s last entry, I suspect her biggest concern was not for herself but for all those sending her “inside” information which GrokLaw used to such great effect, and the potential harm that would befall them.

I used to know some “right villains” who had “rehabilitated themselves” when I was doing contract work for various Gov related organisations, and I was having a sociable chat with one of them one day. Well it kind of got round to family, and he mentioned why he did not have a wife or kids even though he was effectively legitimate. His reason was “It’s easy being brave when it’s your balls they’re torching with the oxy-cutter, but how brave do you have to be when they hold the torch to your child’s face? It’s easier to not give them the opportunity”…

He had a point, and it’s one many people don’t think about till it’s too late.

If you think back, one of the reasons Ed Snowden said he put his hands up to the leaks was to avoid having other people put through being interrogated. Personally I tend to believe this more than I do the claims he was grandstanding for fame or notoriety. Simply because amongst other things he could have claimed more fame / notoriety by staying at home and waiting till the Gov hounds were really baying and then coming out, and also he would have harmed the NSA a lot more as well by waiting.

I suspect Snowden had factored his escape route etc and then only after the ball got rolling and he had time to think did he realise what was going to happen to others. And by putting his hands up to protect them he ruined his own escape plan.

Nick P August 20, 2013 6:21 PM

@ Clive Robinson

“His reason was “It’s easy being brave when it’s your balls they’re torching with the oxy-cutter, but how brave do you have to be when they hold the torch to your child’s face? It’s easier to not give them the opportunity”…”

Yeah, it’s one of my motivations for staying out of the spotlight and avoiding causing a ruckus. My family and I have defended ourselves against plenty of society’s bad boys living in one of US’s most dangerous areas. Not all individuals or families were as lucky. I know what could come our way in a worst case scenario. I try to avoid trouble where I can. We’ve even retreated a few times where the cost of resisting didn’t make any sense.

Of course, let’s keep in mind that this kind of thing would be extremely rare with our current threat profile. We’re talking about a spy agency that rarely targets dissenters in a violent or deadly way: they save that for the “terrorists.” Also, the whistleblowers know they might get caught doing what they are doing. It’s them taking on the risk and initiating action. So, it doesn’t seem a service provider or blog writer should feel too responsible for anything that happens. Most of the risk for their collaborators is really out of their hands anyway. As for them, the risk is zero with compliance (+ good PR team if disclosed) and non-life-threatening if non-compliant.

Dirk Praet August 20, 2013 8:33 PM

@ Nick P

So, it doesn’t seem a service provider or blog writer should feel too responsible for anything that happens.

In the US, the law differentiates between a journalist and a blogger, where the latter cannot claim protection by the same shield laws the former would be entitled to (e.g. the 2011 District Court of Oregon’s verdict in the case of Obsidian Finance Group, LLC vs. (investigative blogger) Crystal Cox). In quite some countries, the same distinction is made or efforts are under way to pass similar legislation curtailing bloggers’ rights. In 2011, the UK’s Barnet Council made a complaint against a local blogger that, if set as precedent, could even have criminalised the work of citizen journalists/bloggers across the country.

I’m sure Pamela Jones must have considered this as well. If she truly believes that her investigative work in the current reality of mass surveillance, corporate buy-in and seemingly omnipotent legal coercion/persecution capabilities, is not only putting herself in harm’s way, but just as much her family (cfr. Miranda) and her informers/collaborators, then calling it quits IMHO is morally and ethically justified.

However much I regret her decision and those of Zimmermann and Levison, I cannot blame them for refusing to take up a fight they know they can’t possibly win, probably ruining their lives and those of others in the process. There’s a thin line between bravery and stupidity, especially when the situation is grim and the odds are against you. What we need today are politicians, civil liberties organisations, big corporations and an independent press to turn this around. I’m reasonably sure that the moment they do, the smaller players giving up for now will fall back in line. If they don’t, then privacy and civil liberties will become the prerogative of a privileged ruling class with our western pseudo-democracies having completed their journey to the dark side of totalitarianism.

Scott "SFITCS" Ferguson August 20, 2013 9:03 PM

@Nick P

“What any of us do now may be used against us in the future – and the future is impossible to factor into risk management.”

… I can speak to the fact that the anxiety such a situation brings is more than many people would want to live with.

That’s an issue I hadn’t considered, and reviewing the cases of those in similar situations it’s a critical point.

What I meant was that it’s impossible to factor the effects of the unknown – which most of the future is. We can extrapolate from history but it’s only a guide to trends. Consider that while we don’t have flying cars and hoverboards we do have a lot of technology that wasn’t predicted 10 years ago – and a lot of technology/political changes that weren’t expected so soon.
So it’s hard to rule out more pervasive tracking and identification techniques being enforced, “induced” (look at me/don’t want to miss out). e.g. It’s conceivable that fashion trends could take Fffacebook identification and mobile phone technology to a point where voluntary RFID implants become popular (or enforced by parents worried about abductions).

While the technology for bullsht detectors doesn’t seem to be available yet, the demand for bullsht bomb detectors is. So while the ability to read minds with ECG may not be possible in the future – or to “calculate” someone’s potential for being a problem, it doesn’t mean that those techniques/technology won’t be embraced or employed. And then there’s employment…. how important will a social profile become? The downside of pervasive social networking and electronic communications is that not only does it lead to (belief in) the ability to predict – but if someone does practice secure communications (covert activity) they’ll need to also fake a convincing overt profile.

I once heard a conspiracy nut say something that might have some truth in it: a strategy of constant distraction.

Yes!
The shiny things Aldous Huxley refers to (though not in those words). Gil Scott Heron and Bill Hicks pointed it out too. Sadly it’s unlikely they’re the only ones to have figured that out (Medium is the Message?).

Go back to bed, America, your government has figured out how it all transpired. Go back to bed America, your government is in control. Here, here’s American Gladiators. Watch this, shut up, go back to bed America, here is American Gladiators, here is 56 channels of it! Watch these pituitary retards bang their f-iretru-cking skulls together and congratulate you on the living in the land of freedom. Here you go America – you are free to do what we tell you! You are free to do what we tell you!
~Bill Hicks


The idea that the public in this country is constantly exposed to news stories, highly emotional political issues, financial issues, local problems, etc. They have too much immediately in front of them to be interested in or worried about. The distant, theoretical and other possibilities are fleeting moments or conversation over dinner (or beer) for them at best.

You watch the news these days? It’s unbelievable. You think you just walk out your door, you’re immediately gonna be raped by some crack-addicted, AIDS-infected pitbull.
~Bill Hicks


A future renaissance or resistance will be up against an opponent with mastery of perception management, massive surveillance systems, control of most media outlets, and maybe restrictions on the Internet in near future. The minority will have to unify their efforts and break that perception control despite those tools of control. They will also have to charge the public enough emotionally to act in a big way. It will be… difficult at best.

Yes! An important point many armchair warriors playing to the threat miss.
Education is the key – outsourcing responsibility is, and always has been, the cause of the problem. Self-education is the answer (IMO).

“I was in Nashville, Tennessee last year. After the show I went to a Waffle House. I’m not proud of it, I was hungry. And I’m alone, I’m eating and I’m reading a book, right? Waitress walks over to me: ‘Hey, whatcha readin’ for?’ Isn’t that the weirdest f-iretr-uckin’ question you’ve ever heard? Not what am I reading, but what am I reading FOR? Well, goddamnit, ya stumped me! Why do I read? Well . . . hmmm…I dunno…I guess I read for a lot of reasons and the main one is so I don’t end up being a f-iretr-uckin’ waffle waitress.”
~Bill Hicks
(ever wondered why some menus have pictures?)

So I suspect any hope of effective change is years or decades away and lies with children. It’s tempting to believe that people can be rallied to man the barricades – but it won’t solve a problem (France had 3 revolutions – fat lot of good that did), just do the work of the repressive regime for them. There is no enemy of substance to confront and any bloody revolution will just shed the blood of their neighbours (police and armies are in the same situation as citizens).
I’m not without hope – and strongly believe Internet freedom is the answer. Instruction/indoctrination is not – it’s just a different dog with the same leg action (listen to me, I’ll think for you, I won’t sell out, power doesn’t corrupt, outsource responsibility).

IMO Making it possible for future generations to fix the problem is our responsibility – that means focusing on keeping the Internet (information) free, and where ever possible weakening the opposition by bringing them onside (indirect/deflected opposition).

In my previous post I said Especially when perceiving is denial of war – I meant to write “Especially when continuing is perceived as denial of war”

A final word on PJ, having slept on the idea I believe she, like Lavabit and Silent Circle, has done the right thing. They’ve drawn a line and basically said – the water is getting warmer – get out of the pot.
It doesn’t mean you can’t climb back in. Just making the point that it is getting warmer.

You (Clive, and others) made a number of other great points, sorry I don’t have more time to comment on them.

Clive Robinson August 20, 2013 11:46 PM

@ Scott,

With regards “fake bomb detectors” you might want to add this to your list of news clippings,

http://m.bbc.co.uk/news/uk-england-23768203

It’s taking a devil of a long time but the UK is slowly stopping this and prosecuting the principals.

However it’s only two of an estimated six UK affiliated companies so far.

Clive Robinson August 21, 2013 12:42 AM

@ Scott,

With regards various “brain scans” for “truth detection” I believe that this came up in a court case in India and was accepted by the court despite outcry (I can’t immediately find a link).

However if you look at one of my posts above you will see that the Feds are trying to “legitimise” the use of “lie detectors” by going after people who offer training on how to “fool them”. Personally I suspect so they can get the “client lists” to subject those on them to “extended/extraordinary testing” to get them found guilty of something so as to prevent future embarrassment over the “out sourced security vetting” which has been “covered up” by the Ed Snowden story.

On a related note, we know that a polygraph lie detector is looking at “physiological readings” for changes, and it’s the “opinion” of the operator as to if they show a lie or not.

Well have you thought about what would happen if a test subject could be subjected to another input –other than questions– that could affect their physiological readings?

Yup it could give rise to all sorts of false “opinion” from supposed polygraph expert interpreters.

For some time now it’s been suggested that even minor stimuli like the rustling of papers or small movements by questioner or interpreter can cause such changes in a test subject without the test subject having a conscious memory of such stimuli.

Well in recent times there is therapy being developed that directly stimulates the brain by using directed EM radiation and there is plenty of evidence that such stimulation causes physiological changes ranging up to full on twitching and jerking as though subject to an electric shock with effects lasting for considerable periods.

I wonder how long it will be before some unscrupulous person will use a “brain wave reading” cap to actually hide a low level stimulation device to achieve the desired results in polygraph traces?…

In my experience if there is a test of any kind then there is a way to “game the system” to fix the results before the test. And whilst it is possible to add additional safeguards to prevent such “gaming” they are rarely used due to additional expense / complexity / reliability issues.

And in the UK where “outsourcing” has made “forensic testing” overly cost sensitive via “competitive bidding”, almost the first thing I expect will be dropped is “safeguards” and record keeping that are not mandated by legislation or required court practice (forensic examiners like all “expert witnesses” who present “opinion” are considered “officers of the court” and as such are –supposedly– bound by court practice).

Noam August 21, 2013 1:33 AM

@ Nick P

I’ve studied the public’s reaction to this stuff for a long time. I once heard a conspiracy nut say something that might have some truth in it: a strategy of constant distraction. The idea that the public in this country is constantly exposed to news stories, highly emotional political issues, financial issues, local problems, etc. They have too much immediately in front of them to be interested in or worried about. The distant, theoretical and other possibilities are fleeting moments or conversation over dinner (or beer) for them at best.

It surely is not surprising that there is ‘a war on for your mind’. Much of what is getting attention are just charades.

Noam Chomsky published a book back in 1988 addressing these issues :”Manufacturing Consent: The political economy of the mass media”.

Scott "SFITCS" Ferguson August 21, 2013 5:39 AM

@ Clive Robinson

With regards “fake bomb detectors” you might want to add this to your list of news clippings,

My personal Internet Archive1
🙂 :/
That’s the guy behind the device I linked on Wikipedia.


It’s taking a devil of a long time but the UK is slowly stopping this and prosecuting the principles.

Export was banned in 2010, but as you say, actually enforcing it took a lot longer. Here in Australia we had a fella sell magnets that improved fuel efficiency – even the PM bought into it. Anchoring (there are explosive detectors, right?) and Focus.


With regards various “brain scans” for “truth detection” I believe that this came up in a court case in India and was accepted by the court despite out cry (I can’t immediately find a link).

Yes! Despite it being the same country that houses the NBRC people like Champadi Raman Mukundan make a lot of money and gain significant power from, um, dubious technology like BEOS (no the other one – Brain Electrical Oscillations Signature). What is hardest to understand is they actually believe it – like all good con artists. Colleagues marvelled at the gullibility of India but got offended when I suggested the huge amount of resources IBM was putting into the same idea was little different. Not much more than slickly packaged phrenology powered by the same technology as the ADE 651 and the CIA studies into psychic viewing (gullibility and wishful thinking).

There’s a lot of money in delusion.


Personally I suspect so they can get the “client lists” to subject those on them to “extended/extraordinary testing” to get them found guilty of something so as to prevent future embarrassment over the “out sourced security vetting” which has been “covered up” by the Ed Snowden story.

Agreed. It’s also a case of why paying for results generates phantom work. Much like compensating Pakistan for hunting “terrorists”.


On a related note, we know that a polygraph lie detector is looking at “physiological readings” for changes, and it’s the “opinion” of the operator as to if they show a lie or not.

Surely they’d happily make themselves unemployed if they thought their work was worthless? Right? Unless they deluded themselves due to the major emotional investment they made in their own ability….


I wonder how long it will be before some unscrupulous person will use a “brain wave reading” cap to actually hide a low level stimulation device to achieve the desired results in polygraph traces?…

About as long as it takes someone to listen to James Randi or Derren Brown’s explanations? Or to read the same sources he learnt those processes from. e.g. “reading someone’s mind to get their PIN” (neurolinguistics and kinetics?).


In my experience if there is a test of any kind then there is a way to “game the system” to fix the results before the test. And whilst it is possible to add additional safeguards to prevent such “gaming” they are rarely used due to additional expense / complexity / reliability issues.

I suspect you’ve been reading the Israeli research. Pity the rest of the world is 80 years behind.

As you and Bruce have pointed out previously, once the false positives rise above a certain level the process is worse than useless. And people these processes are designed to catch are most likely to be able to game it.
But like shrinks who “understand” serial killers and pederasts – the practitioners/developers/benefactors are first to delude themselves that what’s the result of authoritative coercion is respect for real ability. The financial and social benefits only enhance the cognitive bias.

1 another project that has had to deal with government orders
“Ask me what it was I did today, and remember my answer.” So my son, who was, I don’t know, nine, or something like that, asked me, “Daddy, what did you do today?” And I said, “I can’t tell you.”

Makes me wonder how long before muppet puppet Wikimedia authors are replaced with an outright blocking of the project…

CallMeLateForSupper August 21, 2013 7:22 AM

@ Clive Robinson
“… out sourced security vetting” which has been “covered up” by the Ed Snowden story.”

I am glad you mentioned that (out-sourcing), because I’ve been meaning to ask in this blog 1) if any investigative body has begun looking into this particular outsourcing circle jerk and 2) when the heck did USG begin out-sourcing background investigations?

The fact that BIs are out-sourced really-really surprised me because my own BI for a military TS clearance was accomplished by OSI. (‘Course, that was decades ago.)

“Sure, we can install a Taco Bell and McDonalds in each of your firebases. Ya want Starbucks too? Did I mention that we also do background investigations?” (Makes me sick.)

Nick P August 21, 2013 10:03 AM

@ Dirk Praet

Good points. I especially agree that the people in power are the only ones that can turn it around. If they started to for any reason, then the smaller players could indeed pick up the ball and run with it. The masses tend to go along with their favorite people anyway. Their votes would come in if influential politicians started fighting government secrecy and power.

I think the only reason it hasn’t happened is that politicians’ focus is like Wall St’s: entirely too short term. Priority No 1 is getting elected, No 2 is re-election, and No 3 is avoiding issues that make them lose their privileges. Congressmen playing the game can acquire resources that will benefit them and their families for a long time. Most will not trade that for constant fear to tackle a rising enemy that might cause them trouble later. Or might cause the next Congress trouble.

@ Scott Ferguson

“The shiny things Aldous Huxley refers to (though not in those words). Gil Scott Heron and Bill Hicks pointed it out too.”

I might look up some more of their stuff. Carlin seems to close in on it from another angle with “meaningless choices” concept:

“Americans are led to feel free through the exercise of meaningless choices. There are only two political parties. There is a reduction of the number of media companies. Banking has been reduced to only a handful of banks. Oil companies. These are important, and you’re given very little choice. But you can get 31 flavors of ice cream… isle or window, paper or plastic, coke or pepsi… ” (Carlin)

Re the Waffle Housing Reading thing

One of those things I want to laugh at, but then not at the same time. Funny thought about the menus with pictures. I’m not sure it’s there straight for stupid audiences: most people that go to a Waffle House know what eggs, sausage, omelets, etc are. My first guess would be to leave a visual impression on the reader to create a demand for the product. Much like fast food places putting in plasma TV’s to show juicy burgers. If some people can’t read, then that’s a bonus benefit.

“IMO Making it possible for future generations to fix the problem is our responsibility – that means focusing on keeping the Internet (information) free, and where ever possible weakening the opposition by bringing them onside (indirect/deflected opposition).”

It would seem so. Although, the future generations might say it was our responsibility to fix the problem too. 😉 I recall a guy on The Corporation documentary said we create these problems that future generations fix with no benefit for them. He called it “intergenerational tyranny.” But then he added “it’s really a form of taxation without representation. That’s not a good thing.” I like that metaphor.

“A final word on PJ, having slept on the idea I believe she, like Lavabit and Silent Circle, have done the right thing. They’ve drawn a line and basically said – the water is getting warmer – get out of the pot.
It doesn’t mean you can’t climb back in. Just making the point that it is getting warmer.”

You got a point. I just hope we don’t lose any more privacy-oriented providers and good writers in the meantime, though.

@ Noam

“Noam Chomsky published a book back in 1988 addressing these issues: “Manufacturing Consent: The political economy of the mass media”.”

I keep forgetting to read that. Thanks for the reminder.

Clive Robinson August 21, 2013 2:49 PM

OFF Topic :

The court has decided how long Bradley Manning is to be jailed for, and whilst it’s not longer than he can reasonably be expected to live for, it is still a significant period of time even if parole is granted (which in all likelihood is not to be given).

Of more immediate interest is what various spokespersons have had to say. Those with current Governmental interests are still spinning the line of how much damage has been done and in some cases calling for the sentence to be reviewed (ie they mean lengthened). Whilst those without obvious or any Governmental interests are basically saying the sentence is disproportionate and he is being used to “send a message” which some say has failed because of the revelations by Ed Snowden.

Perhaps more interesting is what they think the American people think, again those with Government interests say that in general the US citizenry think he’s a criminal and deserves what he gets…

Put simply they are “over egging the pudding” and I suspect that in fact most US citizens actually neither care nor even think about it beyond the last news bite.

name.withheld.for.obvious.reasons August 21, 2013 6:26 PM

WAY OFF TOPIC:
Court finds NSA operating outside the scope of the 4th amendment and their own rules.
The bad news, there are a raft of violations, not just the one that was mentioned in the release that Wyden published earlier this year.

From the Court:
“In March, 2009, the Court concluded that its authorization of the NSA’s bulk acquisition of telephone call detail records from ********* is the so called “big business records” matter “ha[d] been premised on a flawed depiction of how the NSA uses [the acquired] metadata,” and that “[t]his misperception by the FISC existed from the inception of its authorized collection in May 2006, buttressed by repeated inaccurate statements made in the government’s submissions, and despite a government-devised and Court-mandated oversight regime.” Docket ******** Contrary to the government’s repeated assurances, NSA had been routinely running queries of the metadata using query terms that did not meet the required standard for querying. The Court concluded that this requirement had been “so frequently and systematically violated that it can fairly be said that this critical element of the overall…regime has never functioned effectively.”

Dirk Praet August 21, 2013 6:44 PM

OT

Most hilarious security fail of the year: German prosecutors are probing how a bodybuilder of Turkish descent named as Volkan T. was able to board an empty government jet used by Chancellor Angela Merkel. Wearing only underpants and high on drugs, he danced on a wing, sprayed foam around and pushed cockpit buttons. His antics put the plane out of action for several weeks and caused an estimated €100,000 ($133,720) in damage.

@ name.withheld.for.obvious.reasons

EFF has posted the secret findings from the unconstitutional surveillance sought under 702

I just finished reading through the as usual heavily redacted report. Check out the mind-blowing footnote on page 16:

Contrary to the government’s repeated assurances, NSA had been routinely running queries of the metadata using querying terms that did not meet the required standard for querying. The Court concluded that this requirement had been “so frequently and systemically violated that it can fairly be said that this critical element of the overall … regime has never functioned effectively”

As usual, nobody was punished for what is being referred to as “honest mistakes that are inevitable in complex programs”. Kinda bodes well for the next time(s) the NSA breaks the law.

Jay Patterson August 22, 2013 2:38 AM

Re: Groklaw’s shuttering

This can only be a win for Microsoft.

Archive the site while it’s still up.

Clive Robinson August 22, 2013 3:03 AM

OFF Topic :

This is a really, really stupid idea…

Due to President Obama enabling it, you will get a government issued “Online ID” you will have to use to deal with any Federal agency,

http://www.forbes.com/sites/tomgroenfeldt/2013/08/21/ditch-your-passwords-us-gov-to-issue-secure-online-ids/

I suspect that it will quickly become a “universal identifier” and thus become the next disaster after Social Security Number use as an identifier / authenticator / default password etc etc. And will thus become an ID card with all the attendant faults of a centralised system.

Clive Robinson August 22, 2013 3:43 AM

OFF Topic :

Ever fancy building your own drone?

But decided building/coding an autopilot too demanding?

Well royalty free GNU Linux based AirwareOS has come to your rescue,

http://linuxgizmos.com/linux-based-autopilots-target-commercial-uavs/

Apparently the FAA has in the last few days approved two drones using this system…

So I wonder how long it will be before it has real security implications as people weaponise their DIY drones to chase out the annoying neighbor’s cat / dog / children…

name.withheld.for.obvious.reasons August 22, 2013 4:10 AM

Observations regarding the FISC Opinion

  1. The court is acting in an after the fact manner, the way I read the legislation, both the Patriot Act and the FAA, was that approval was to be sought within a certain time frame. Changes to an application should kick in a new approval process. Instead, the court enters into what appears to be a discovery process that requires the government to produce testimony on a certificate for an operation. This to me is the cart before the horse. Why does the government get to execute an action–and then seek approval? Or, why does the government using an issued certificate get to modify the parameters that were certified and then wait for the court to make a determination as to the legality of the changes.

This is akin to being a car driver without a license, the motor vehicle department approves your right to drive and will at some time in the future determine if you have the necessary skills to be a licensed driver. And, if you go blind after the license is issued (or “certified”), it remains on the motor vehicle department to assert that your skills are not up to the requirements. Again, here is a demonstration of the exercise in law, in the reverse. If I am accused of a crime, I’m arrested, and I get to wait for the delivery of justice. Here, the government acts badly, it tells the courts to wait because it’s not ready and the government returns to acting badly. In what universe does this make sense? Oh yeah, the one where idiots are in charge. THIS IS WORSE THAN ANY RUBBER STAMPING COURT–THIS IS OVERSIGHT FOR THE HEARING IMPAIRED.

  2. Where are the oversight committees? The house and senate must have had access to the opinion–the failures documented by the opinion are so far outside the scope of the law that even the court is stating that the law has been violated by using the “Color of Law” argument concerning queries. THIS IS HUGE!

  3. Though much of it is redacted, there are technical arguments about how networks operate (how can this be secret) and the government lies about their ability to determine various aspects of the routing information of messages or emails.

  4. Snowden is totally vindicated (he didn’t lie), the document mentions the use of PRISM, and reveals even more information was not in the public domain. THE CONTENT WAS COLLECTED. What happened to the TO/FROM statements?

Clive Robinson August 22, 2013 7:37 AM

OFF Topic :

No I don’t know if there is an element of Tit-for-Tat in this but it would appear there are “in built security back-doors” in MS Win8 that have caused the German Gov to say “Do NOT Use” too.

It also may have issues to do with hardware issues that have caused the US Gov to say NO to the use of Lenovo laptops, as the same problem may be giving both the US and China “back-door” access.

http://investmentwatchblog.com/leaked-german-government-warns-key-entities-not-to-use-windows-8-links-the-nsa/

Put simply it’s all to do with MS signing up and leaping into protected DRM via the “Trusted Computing Group” initiative “Trusted Platform Module” chip set, and version 2 where a user can’t opt out, thus whoever gets to set the key first controls all subordinate keys and allowable actions on the hardware.

As has been noted frequently before MS’s supposed reason was the US Entertainment Industry demand for DRM, but even way back then it was pointed out that TCG TPM features were well over and above these needs, and rumours were circulating about MS and NSA tie-up even before that…

Hopefully somebody in the EU will get their act together and call for TCG TPM to be made illegal under existing “trade-barrier” legislation.
