Friday Squid Blogging: Tree Yarn-Bombed

This tree in San Mateo, CA, has been turned into a giant blue squid.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on November 8, 2013 at 4:10 PM • 80 Comments

Comments

Figureitout • November 8, 2013 9:49 PM

Tim Hoddy
--Yeah I had a good laugh at that story. So are they going to place one of the sensors immediately after all residence sewage outpoints, or are they just going to put it in big collection points? How many false positives will these systems have? I'm sure we've all "dropped a few bombs" before. Nonetheless, not a project I would work on nor "implement" lol. Also, an agent can sneak in your house and put those chemicals in your toilet, flush, and more false evidence.

Mary Kahle
--It was a "link-ception", a link within a link within a link. Here's the link, I think: http://www.thisiscolossal.com/2013/10/...

Who does that, really? Tree sweater lol...humans...

kashmarek • November 8, 2013 10:17 PM

Tim Hoddy:

There was a post or web article about a similar system, that would swim the sewers sniffing out residue from controlled substances, and log the locations via gps coordinates (from underground sewer pipes nonetheless). I think it was FUD. There have been no stories about evidence from such devices used for detection or prosecution or conviction. This story about detecting bomb making factories depends on such chemical residue reaching a sewer system, and in locations where sewer systems are not prevalent, good luck with that.

The best detection is when that bomb making place blows up.

Keith Irwin • November 8, 2013 11:17 PM

I thought that this story was interesting and scary, but that the author completely failed to consider the possibility that many of the open VNC servers running could be backdoors left by an attacker who had compromised the system. Assuming that all of them were due to misconfiguration doesn't seem to be supported by any evidence.

Buck • November 8, 2013 11:35 PM

Imagine you had groups of people doing each of the following:


  • Coding custom code obfuscation techniques (for avoiding signature-based av)

  • Convincing service providers to provide access/plant backdoors (or doing it anyways via injection at the ISP with the use of forged/stolen SSL keys)

  • Planting backdoors in widely used software (for plausible deniability)

  • Planting lesser used hardware backdoors (for pesky specimens)

  • Finding/purchasing (acquiring?) 0-day exploits (for privilege escalation)

  • Fingerprinting distinct signatures (for tia cross-platform)

  • Fluently speaking foreign languages (for disguising origin)

  • Developing novel exfiltration methods (for all possible scenarios)

  • Developing frameworks to tie it all together (for use by teams of actively exploiting operators)

Of course, one would have multiples of such teams on retainer. This has a dual benefit; after a team is outed you have plenty of fallbacks / when multiple (controlled) compartmentalized teams are playing cat & mouse with each other, the (umbrella) organization's power is further consolidated as each deeper level of the game is reached.

If'n you don't know by now...
The security researchers are the targeted individuals.
RNG sabotage is a nice exercise in academia, but welcome to the real world! ;-)
The workstations at which one performs their work is a far more fruitful target... What would you be more interested in? The specific lol katz vidz watched by Joe Internet, or the step-by-step evolution of Bob Hacker's latest super-secure communication protocol..?

My supposition would be that the TAOs are just toyin' with him. Perhaps with the intention of causing a media ruckus... Show us a little bit, but not too much! This could have two advantageous outcomes that I can ponder...


  1. Discredit the idea that sound = exfiltration to satiate those with the weird insect/tinnitus-like ringing

  2. To focus attention towards audio output, in order to avert detection of other alternatives... RF? Ubiquitous WIFI? 4g?

Mike the goat • November 9, 2013 12:19 AM

kashmarek: controlled substances sounds even more ludicrous. How many false positives would you get from people using licit opioids for pain or amphetamines? Re detecting reagents from meth manufacture in air and wastewater, you'd assume that any organized criminal group would a) use some kind of exhaust scrubber (even activated charcoal?) so neighbors don't smell anything strange and b) wouldn't be crazy enough to tip anything, even solvents, down the drain. In short I believe it is like the UK television detection vans - F.U.D.

Figureitout • November 9, 2013 12:19 AM

Buck
--Imagine? How about just think about it b/c most of it is real. Now have some freaky dreams and wake up in nightsweats, or just don't sleep so you can watch an entry point all night taking note of angles for gunshots and waiting to kill intruders...Fall asleep, wake up to blood stains on your bed sheets indicating possible injections of something.

They don't understand what true paranoia is, 24/7 paranoia, they don't know what it is w/ the legal protection of gov't and intel support; while it can destroy you it can raise you above most all. Monsters can be created, thus perhaps trying to justify their existence, if they actually kill someone and not just observe; and laugh.

Figureitout • November 9, 2013 1:13 AM

Bruce
--The "Public should question Schneier, Snowden and NSA" attack by Richard Marshall and Andre Brisson was absolutely hilarious. Just too much to rip to shreds...Just be sure to never ever buy anything from Whitenoise Laboratories. This page takes the cake. What ciphers have these two created? None.

God, too much to make fun of...Booz Allen Hamilton, you mean the company that got owned by Anonymous? lol, I didn't realize their email addresses ended w/ "bah.com". Bah, lol.

André Jacques Brisson is a cybersecurity expert who is considered a visionary by many in his field. Born in Canada and raised in the United States, he remains deeply attached to California where he grew up loving beach, sea and sun. As a dual citizen, he returned to Canada after completing his MBA and has devoted his professional life to patenting new security modalities to protect our digital world: this includes the patent on the strongest encryption algorithm in history.
--Can't.Stop.Laughing.

A f*cking MBA is going to secure my data?! Get lost.

Ok, I'm done. Bruce, see I've said what needs to be said and now you don't have to get your name dirty. These guys are assclowns.

Thomas_H • November 9, 2013 1:41 AM

Dutch secret services AIVD and MIVD order 17 million euros worth of forbidden telecommunication spying gear in anticipation of changes to a law that have not even been discussed in parliament (!) yet:

http://www.nu.nl/prism/3624132/...
http://www.volkskrant.nl/vk/nl/2686/Binnenland/...

(articles in Dutch)

The (supposedly independent) entity supervising the two services tries to preemptively validate this acquisition by stating that the law is "backwards and needs to be changed [to allow this stuff to be used]".

This is a blatant and totally unacceptable disregard of democracy.

Mike the goat • November 9, 2013 2:15 AM

Figureitout: isn't it disgusting that such a baseless personal attack on Bruce would appear on CNN's website? Surely some of this drivel comes close to crossing a line when it comes to libel. I was going to make a nice long blog post about these, uhh self proclaimed security "experts" but figured I would just be giving the trolls some more fuel and air time.

Mike the goat • November 9, 2013 2:18 AM

Figureitout: I forgot to mention that this story has been subtly edited and "toned down" since it was posted, and has a disclaimer that it was "not vetted by CNN".

Mike the goat • November 9, 2013 4:33 AM

Waywiser: I guess it illustrates that we base a lot of our "facts" on suppositions. Just as the bulk of evidence led the courts long ago to agree that prints are unique, we use an RSA key confident that the integer factorization "problem" hasn't been solved by some algorithm nobody but, say, the NSA knows about. This isn't as ludicrous as it first sounds - many breakthroughs in math were considered impossible (not even theoretically solvable) prior to their discovery.

65535 • November 9, 2013 6:02 AM

@ Figure.I.O.

If you take a look at Whitenoise Laboratories' CRM customers/partners you will see Microsoft, Facebook, Twitter, Equifax, Oracle and so on. These are some of the high-profile companies that have gotten in bed with the NSA. Further, Bruce has been critical of cloud companies which may have sold out to the NSA. It would be interesting to know if Whitenoise has helped the NSA. It appears that Whitenoise has an ax to grind with Bruce.

http://www.insideview.com/...

Mike the goat • November 9, 2013 7:38 AM

65535: he definitely seems to have an issue with Bruce, that's for sure. In a post he practically accuses Bruce of being irrelevant in his field. That is particularly laughable as Bruce is somewhat of an infosec celebrity and /everyone/ knows Bruce's work. On the other hand I don't know who this guy is, and I don't know what his agenda is but he appears to be a quintessential irrelevant nobody vying for attention.

Figureitout: my apologies.. Some of your comments you made on my articles were erroneously flagged as spam. I have white listed you so it hopefully doesn't happen again.

Andreas • November 9, 2013 9:42 AM

Sono, a noise cancellation and isolation device that sticks on your window

http://www.extremetech.com/extreme/...

"Sono works by vibrating a window in a pattern counter to the vibrations caused by the ambient noise, essentially turning the surface into a noise-canceling speaker. During prototype testing, Sono’s transducer used active noise canceling to successfully lower the audio signal by 12 decibels — which would probably do a good job of blocking out quieter sounds in the 30-80 dB range, but you’d still definitely hear traffic and other loud sounds."

Daniel • November 9, 2013 3:13 PM

Andreas

Skeptical of the utility of the device. First, while it blocks the noise coming from the window it doesn't do anything to block the noise coming through the walls. If the sound is loud enough or the wall thin enough it will be useless. But even more importantly, let's assume it works as stated. All one's ears will do is become more sensitive to other noises.

There have been several studies looking at what audiologists call "hearing normalization" that demonstrate that human ears work like a big antenna that gets conditioned to a certain sound level. If the ambient sound falls below normal, the brain simply turns up the gain. This is because one doesn't hear with their ears but with their brain. As one audiologist put it: unless the noise is so loud it actually has the ability to damage the ear, it is an emotional or psychological problem.

ereshkigal • November 9, 2013 4:03 PM

re risk-based authentication: Any info available to the computer is good to use there. Note that my old scheme (see www.gce.com) does risk-based authorization, which can be based also on code being used or priv level (too many privs being a possible indication of abuse) as well as time, user location, etc.

If you figure log(# correct auths / incorrect auth) as both a measure of what the sensitivity of the operation being auth'd is, and a measure of how strong a particular auth piece of evidence is, you can directly compare the required strength to the sum of the evidence strengths. (This relates directly to probabilities.) In this form, the values are just numbers, so systems using kludge-o systems of "authentication level" can be replaced with something that makes mathematical sense. (Generalizing "correct" to correct accept and correct reject is not that hard; they are usually easier to measure & calibrate separately.)
There are other considerations one should keep in mind, most notably that any scheme might be "brittle" (break suddenly due to something that happens. Remember the RSA breakin...). You should rely on multiple measures so that not all will break at once...
- gce
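The log-odds bookkeeping described in the comment above, worked through in code. This is an added example and not the commenter's own scheme or the code behind www.gce.com: the calibration counts, the evidence names and the required strengths per operation are constructed values chosen to make the arithmetic visible. Each piece of evidence gets the strength log(correct / incorrect) from its own calibration counts; the strengths are summed and compared with the operation's required strength on the same scale, and the same sum converts back to a probability. A signal seen more often in abuse than in legitimate use (the "too many privs" case) gets a negative weight from the same formula, and the last function is the "brittleness" check: does the decision survive if any one piece of evidence turns out to be worthless?

```python
import math

# Constructed calibration counts (an assumption for this example): for each
# piece of evidence, how often it was presented by the legitimate user
# ("correct") versus by someone who should have been rejected ("incorrect").
# Following the comment above, the evidence strength is log(correct / incorrect).
# A signal more common in abuse than in legitimate use (an account holding far
# more privileges than its role needs) gets a negative weight from that formula.
CALIBRATION = {
    "password":       {"correct": 990,  "incorrect": 10},   # ln(99)  ~  4.60
    "known_device":   {"correct": 900,  "incorrect": 100},  # ln(9)   ~  2.20
    "usual_location": {"correct": 800,  "incorrect": 200},  # ln(4)   ~  1.39
    "otp":            {"correct": 9990, "incorrect": 10},   # ln(999) ~  6.91
    "excess_privs":   {"correct": 100,  "incorrect": 400},  # ln(1/4) ~ -1.39
}

# Required strength per operation, on the same log-odds scale (assumed values).
REQUIRED = {
    "read_mail": 4.0,
    "change_password": 7.0,
    "admin_console": 11.0,
}


def evidence_weight(name):
    """Strength of one piece of evidence: natural log of correct/incorrect counts."""
    c = CALIBRATION[name]
    return math.log(c["correct"] / c["incorrect"])


def total_strength(evidence):
    """Log likelihood ratios of independent evidence add, so strengths are summed."""
    return sum(evidence_weight(e) for e in evidence)


def log_odds_to_probability(log_odds):
    """Convert a log-odds value back to a probability (logistic function)."""
    return 1.0 / (1.0 + math.exp(-log_odds))


def authorize(operation, evidence):
    """Allow the operation iff the summed evidence meets its required strength."""
    strength = total_strength(evidence)
    required = REQUIRED[operation]
    return {
        "operation": operation,
        "strength": round(strength, 3),
        "required": required,
        "p_legitimate": round(log_odds_to_probability(strength), 4),
        "allowed": strength >= required,
    }


def robust_to_single_failure(operation, evidence):
    """Brittleness check: would the decision still pass if any single piece of
    evidence turned out to be worthless (a leaked password database, say)?"""
    if not authorize(operation, evidence)["allowed"]:
        return False
    for dropped in evidence:
        remaining = [e for e in evidence if e != dropped]
        if not authorize(operation, remaining)["allowed"]:
            return False
    return True


if __name__ == "__main__":
    for op, ev in [
        ("read_mail", ["password"]),
        ("change_password", ["password", "known_device"]),
        ("change_password", ["password", "otp"]),
        ("admin_console", ["password", "otp"]),
        ("admin_console", ["password", "otp", "excess_privs"]),
    ]:
        print(authorize(op, ev), "robust:", robust_to_single_failure(op, ev))
```

With these numbers a password alone (strength about 4.6) is enough to read mail but a password plus a known device (about 6.8) falls just short of the 7.0 needed to change a password, while the excess-privileges signal pulls an otherwise sufficient password-plus-OTP session below the admin-console threshold. Replacing a calibration count with a better-measured one changes the weights without touching any of the decision logic, which is the point the comment makes about "authentication levels" versus numbers that mean something.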

65535 • November 9, 2013 6:13 PM

@MikeTG

Andre Brisson does have an unhealthy obsession with Bruce. Brisson has a security company up north that does some type of authentication work. I don't know his motives but I suspect Brisson probably is a competitor of Bruce. He sounds like a petty person.

Figureitout • November 9, 2013 6:21 PM

Mike the goat
--It's disgusting yes, maybe as much as this gem. I only read articles Bruce writes for them from his site, not CNN.

The writer then goes on calling us "sycophants" and "chicken little" which I have a name for him but (deep breaths, happy thoughts) I'll have the Moderator know I took a run and a walk. I don't know what you call a gov't shutdown, national debt greater than GDP, resource scarcity for NASA missions, encroaching police state; guess it's "all sunshine and blue skies" for this... guy. He says their product is resistant to all side channel attacks so he doesn't even know the definition of a side channel attack.

I wonder if I should send abrisson@wnlabs.com an email from my lovely yahoo.com acct about my "worst security problem" (revs up flamethrower) lol.

65535
--Hmm, yeah they have deep gov't backgrounds. So they probably don't have the threat model I do.

CallMeLateForSupper
--Yeah, I'm not trusting some MBA or public affairs blowhard to consider all the threats to my data. I'll take the borderline nutcase security expert or a team of competent engineers anyday.

Bryan • November 9, 2013 6:39 PM

@Tim Hoddy


    "Scientists are developing a new way of detecting bomb making factories - by using sensors in sewage systems to detect chemicals used in making explosives"
    Can they be serious?

Yep. You don't need to do all entry points to the sewer. Just put it at most major junctions. When a junction gets a hit, place a bunch of them at upstream junctions. Lather, rinse, repeat until you've narrowed it down to the block. They've been doing similar for years for finding dumping of hazardous wastes down sewers. I know I've seen reports of some automated sampling machines for sewers.

@Waywiser Tundish

Human DNA may not be quite as unique as is generally asserted.

Could really screw with DNA testing if your DNA in your skin is different than in your mouth. Yeah, the differences will be little, but...
On a side note, the standard electrophoresis test used for DNA testing by law enforcement is bung. What they do is chop the DNA up into short strands using chemicals that split it at specific spots, and replicate those strands a lot. Then they put the sample into a gel and apply an electrical field. The amount the DNA strand moves depends on its length. All DNA strands of the same length will move the same amount. Knowing how it works, any fool can see it is totally bung for establishing a positive identity. The patterns produced are not only not unique to an individual, but with the right sample kit, any pattern can be matched by selecting strands of known length.

Dirk Praet • November 9, 2013 6:47 PM

@ Mike the goat

    kashmarek: controlled substances sounds even more ludicrous.

No, it isn't. Over here samples are taken on a regular basis from sewer stations and water purification facilities, and they are among other stuff tested for cocaine metabolites such as benzoylecgonine.

In 2011, a comparative study of illicit drug use in 19 European cities through sewage analysis showed that my home town was scoring even higher for cocaine than Amsterdam and London. Based on the study results, the cocaine consumption in Europe was estimated at about 355 kilo per day.

Mike the goat • November 9, 2013 7:57 PM

Dirk: I wasn't considering cocaine which would have a very detectable signature. Very interesting. I guess you could also check for heroin based on monoacetylmorphine and its metabolites (pharmaceutical morphine would not have this impurity, caused by incomplete acetylation to diamorphine). I guess you are out of luck with drugs that /are/ used for dual purposes, e.g. a patient taking oxycodone legitimately, or a user purchasing oxycodone from a dealer.

Carlson • November 10, 2013 11:12 AM

Figureitout:

Several of your posts express to me a 'gang stalking' and 'gas-lighting' type of scenario occurring in your life.

Have you been a victim of this....

Origins and Techniques of Monarch Mind Control

http://vigilantcitizen.com/hidden-knowledge/...

Monarch Programming is a method of mind control used by numerous organizations for covert purposes. It is a continuation of [...]

and...

Space Preservation Act of 2001

"Such terms include exotic weapons systems such as-- (i) electronic, psychotronic, or information weapons;"

https://www.fas.org/sgp/congress/2001/hr2977.html

this poor guy lives under a bridge:

NewWorldWar.org, where you'll find information on a technologically advanced, covert program of persecution and control, that has been happening for decades all over the world, and is covered-up by our societal institutions.
http://www.newworldwar.org/

Slog Reader • November 10, 2013 2:33 PM

Whoops, I didn't see the post directly above mine. I even searched! Sorry for the duplicate.

Mike the goat • November 10, 2013 6:12 PM

Slog reader (and OP): I suppose that the city are entitled to leverage 802.11 like any other business/area. I know many cities have established metropolitan area networks on either 2.4 or 5 (usually on 5 or a licensed band for telemetry) for purposes such as supplying subsidized Internet to people in their area, telemetry for people meters and traffic counters and even as a way to get CCTV feeds back to their base. While the latter two purposes could be considered privacy invading, there are completely understandable reasons why the police dept would want to develop a mesh network. I can think of three: a) avoid the expense of using a commercial carrier for their data feeds (for license lookups to the DMV, etc) and their voice traffic b) provide increased throughput to traditional repeater based despatch systems without relying on traditional cellular base stations which may crash during an emergency (or be destroyed by the enemy in the case of an attack) or c) lower TCO by being able to use COTS wireless equipment rather than specially spec'd goodies from Motorola.

Playing devil's advocate you could argue that any mesh network could be used to eavesdrop and that even a single person from a high vantage point in the city with a directional antenna on a rotator could get a rough approximation as to the locations of stations and clients nearby. At a more fundamental level users carrying smart phones are already being tracked by their network operator and at least with WiFi they have a choice (disabling it, or at least not leaving it on unnecessarily probing).

Unfortunately there is nothing stopping someone from sniffing your cellular traffic and using your IMSI to uniquely identify you and track your movements as you wander through an area without even the cooperation of the cellular provider. In fact there are tracking systems already being used in malls which do just that (and arguably do a better job than this proposed 2.4 mesh as only a subset of devices will have WiFi enabled but all will have cellular radios).

Until we get new protocols that deal with this problem we will have these issues. One easy solution would be to randomize the station identifier that clients use when connecting to an AP. The true MAC can be sent within the encrypted tunnel avoiding the MAC being sent in the clear. At least with this concept only the AP would be known (which isn't an issue seeing as APs are - by design - static and visible).

AlanS • November 10, 2013 9:02 PM

I took a ride in the subway this week and at the gates there were people wearing TSA jackets. They had tables with large square boxes on them and little screens on top. Didn't seem to be doing anything except making themselves noticed. Subway wasn't running. Presumably because all the money is being spent on 'security'.

Clive Robinson • November 10, 2013 10:44 PM

@ Mike the Goat,

    Unfortunately there is nothing stopping someone from sniffing your cellular traffic and using your IMSI to uniquely identify you and track your movements as you wander through an area without even the cooperation of the cellular provider.

It's already being done in various ways for quite a number of years (over eight to my knowledge). One such use is for "traffic management" of vehicles, which can range from replacing the traditional "traffic census" people sitting on the road side in all weathers with "click counters", to feeding directly into systems that control traffic lights. This latter idea is popular in European countries because it can get central government funding as a "green measure" as it "reduces the carbon footprint" which in turn can be used as either an "offset" or to trade on the "carbon market"....

However such tracking works a lot more easily if you are "inside the network" of the cellular provider: all you need to do is "tap the hand-over data" that gets sent back to the network center. This can be done with a single network tap pulling off SS7 data and filtering it off to a low end Sun SPARC server.

The hardest part of setting up such a system 10 years ago was showing how effective your data reliability was whilst making the system "anonymous" to the required level. Back then even in the US this was considered important and added a lot of load onto the system. Primarily because they wanted the anonymisation done on each handover message not on the vastly reduced data set output...

I guess these days they are less worried in part for the reasons you mention.

Clive Robinson • November 10, 2013 11:17 PM

@ AlanS,

    I took a ride in the subway this week and at the gates there were people wearing TSA jackets. They had tables with large square boxes on them and little screens on top.

Every time I hear about the "Terrorist Supporters Assoc" and their overpriced and mainly useless systems, I can't help thinking about "how fragile" they might be...

As I've mentioned before you can if you have some time on your hands a couple of hundred dollars and a bit of information (that you can download), convert a UPS, a Microwave Oven and sheet metal into a portable HERF Gun. Or just go and buy a 12V "camper-van / mobile home" Microwave oven and just do the metal work for the "horn antenna".

We know such devices have been used for "taking out" CCTV cameras near ATM machines, but get treated most times as "simple equipment failure" by repair techs... I can't help but wonder what they would do to those "Expensive TSA boxes"...

But more importantly would the TSA droids have the training to realise they were in the middle of an "electronic warfare" action?

And if --and it's a very big if-- and when TSA management found out, what they would say and do...

Mike the goat • November 11, 2013 3:28 AM

Clive: yes I have heard about them using sniffers to estimate the number of shoppers in a mall but there are even more fascinating systems that use an array of sensors to track movement into and out of "zones". Ahh the "carbon market". I am going to start a fairy dust trading scheme ... Some leftist leaning European government might just buy into it.

Re your HERF gun proposal - I love it! I got a horrible microwave burn on my forehead while working in front of an antenna array I was assured was "de-energized and isolated". It was actually a sudden beam of heat and funnily enough, sound (sounded like something was reverberating and I could hear it in my ear) and I realized at that point it was still transmitting and got the hell out of the way, almost falling off the roof in the process. Anyway, you wouldn't want to accidentally aim that magnetron at anything living (except a TSA agent, as I have evidence they are actually not living but a type of robot).

Clive Robinson • November 11, 2013 7:21 AM

OFF Topic :

Hmm, it appears that "Dark Mail" may be in danger of becoming another Lavabit fail, if, as some have indicated, it will be built on what is in effect an Open Source release of the original Lavabit code...

To see what the problem is have a look at Moxie Marlinspike's comments on lavabit as was,

http://www.thoughtcrime.org/blog/...

CallMeLateForSupper • November 11, 2013 7:40 AM

@ Clive

A rebuttal by Levison, on ArsTechnica,
"Op-Ed: LavaBit's founder responds to cryptographer's criticism",
posted on 11/7, two days after Moxie's,

Sorry, no link. My open source browser's Copy/Paste functions are coughing up blood this morning. :-(

kalmatthew • November 11, 2013 10:24 AM

This struck me as an interesting case of trying to close the stable door not just after the horse has bolted but after the stable has burnt down. These items are freely available and can be ordered by the 1000 from any number of suppliers. Asking end users to store them securely seems a little pointless.

Nick P • November 11, 2013 11:03 AM

@ CallMeLateforSupper

Here's the link to Levison's rebuttal
http://arstechnica.com/security/2013/11/...

@ Clive

So, in all, the owner of a service that used SSL and crypto storage failed to anticipate the opponent going for his SSL key. He thinks he has "secure memory" because it wipes on error or stops a vanilla debugger. Yet it would be easily bypassed in a myriad of ways by those in his threat model. He had considered being forced to backdoor his program, but *hoped* it would work out in his favor in court. (!) And he missed Perfect Forward Secrecy.

And now, he's building the email service that Americans will be able to trust to protect against LEO and TLA snooping. Sign me up! ;)

Brian M. • November 11, 2013 11:34 AM

@kalmatthew:
    This struck me as an interesting case of trying to close the stable door not just after the horse has bolted but after the stable has burnt down.

Wow! A warning about instant ice pack theft. How about an alert for people wearing turbans, too? One of the commenters for that suggested just to go out and buy stump remover, so I did a search and looked up the MSDS. Yep! "100% Potassium Nitrate" for the ingredients, nothing else needed, and it's available by the pound. Sheez. Cold packs, stump remover, what else?

(Personally, I use a Hi-Lift jack for stumps. Much quicker.)

Scott • November 11, 2013 1:57 PM

Yup, a little stump remover, sugar, and iron oxide and you have yourself some fine model rocket fuel.

MikeA • November 11, 2013 2:00 PM

@BrianM

Great. I can no longer get CuS (Stump Killer), because too many morons were dumping stupid amounts of it in the garden water-features. Now I can't blow them up either?

As for sewage: a friend found some affordable office space for his startup. After a few weeks, the water was cut off one day. Other tenants quickly brought him up to speed "Yeah, the cops always shut off the water to the block before they raid a meth lab."

Scott • November 11, 2013 3:02 PM

Random thought... I wonder how well a list of all domain names would serve as a dictionary for password cracking.

Bryan • November 11, 2013 9:19 PM

@Scott

    Random thought... I wonder how well a list of all domain names would serve as a dictionary for password cracking.
Rather nicely. Company names too.

Figureitout • November 11, 2013 9:58 PM

Brian M/Scott/MikeA
--You can also just drill holes in stumps and let them rot out; slow but natural. Funnily enough I tried to dig out a large stump, good anger management exercise, but not really making much progress (roots too big). If I had some "boom" may blow out the deck too. And for those keeping score at home, iron oxide is just rust.

You could also try to do a cool carving, a local ski resort did that but drunken skiers kept throwing rental poles and beer cans at it that it got destroyed.

Figureitout • November 11, 2013 10:38 PM

Carlson
--Perhaps. I have many agents under my watch as we speak so we can continue to play this stupid game until they quit. I consider it more of a failed investigation. In the greater scheme of life and the universe, my life is mostly meaningless. So I don't care if they kill me, but they are noticeably incompetent so they won't live beyond the death of our species as they bring down others.

Scott • November 12, 2013 12:38 AM

@Figureitout

Yes, rust is iron oxide, but typically when making model rocket fuel you want to make sure it's fairly pure and finely powdered; you can buy it online for pretty cheap.

Mike the goat • November 12, 2013 1:21 AM

Scott: there was an eBay seller that was selling iron oxide and aluminium powder, along with other interesting things like potassium perchlorate and magnesium ribbon (100' reels). Didn't last long though before he disappeared. Sellerid was raremetals or something similar.

Clive Robinson • November 12, 2013 1:49 AM

@ Nick P,

Whilst Lavabit's founder got it wrong in various ways it highlights a problem with "Online Storage" which is actually the greater part of existing EMail systems and nearly all non peer to peer communications.

It's why we should think about not just an "email" system but a "communications" system.

The salient parts are,

1, Secure and anonymous comms between all parts.
2, Secure Directory management.
3, In transit negotiation and transitory storage.
4, Distributed secure and anonymous storage.
5, Secure local storage.
6, Legacy and legal issues.

Further we need to look at how to make the communications "end point computationally expensive". If it takes a million CPU cycles or more per character to encode and decode the text it will make the NSA move their observation point elsewhere up the stack or out from the center --hopefully where it can be more visible-- or both, such that it is only viable to monitor individuals not populations. And likewise if done properly it will ruin the SPAM model of advertising (as has been talked about before).

The downside is such measures have to be designed, tested built and run. And this involves the considerable expenditure of resources across the entire life cycle.

Scott • November 12, 2013 1:50 AM

@Mike the goat

The iron oxide, aluminum powder, and magnesium ribbon you can still get from other sellers on ebay. Hell, you can get it on amazon. I'm not sure about potassium perchlorate, but if it's anything like ammonium perchlorate, it's probably harder to obtain (see the PEPCON disaster for an example of that stuff). I'd bet you can get it from a lab supplier, however.

Mike the goat • November 12, 2013 2:50 AM

Scott: in the 80s you could get anything (including reagents used in drug synthesis) from your friendly lab supplier. It is a crying shame as a lot of people just enjoy backyard chemistry and aren't doing anything illegal. Case in point - used to be able to buy medical grade N2O and can now only get the denatured automotive grade. Doesn't bother me too much as I am only using it for my model rockets but seems crazy as you can acquire smallish quantities in cream whippers. What do they think it will achieve? (BTW No longer build them but nitrous and HDPE hybrid rockets were awesome fun to build, test and fly and provided additional challenges as to meter the compressed N2O.)

Clive: exactly. Agree with you on all points. We need to avoid metadata compromising communications (prob via some kind of DHT) and perhaps use some kind of proof of work concept (like hashcash but different) to ensure that sending an email takes some "effort" to avoid spam or abuse.
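The "proof of work concept (like hashcash but different)" that Mike the goat mentions, and Clive Robinson's point about making the end point computationally expensive so that sending costs effort, worked through in code. This is an added example and not either commenter's design or any Dark Mail code: the stamp layout is modelled on the hashcash v1 format but is an assumption here, SHA-256 stands in for hashcash's SHA-1, and the recipient address, date and difficulty are constructed values. The sender searches for a counter that makes the stamp's hash start with the required number of zero bits (about 2**bits hash evaluations); the receiver checks it with a single hash, refuses stamps minted for someone else or with too little claimed work, and keeps a double-spend set so an accepted stamp cannot be replayed.

```python
import hashlib
import secrets


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a hash digest."""
    count = 0
    for byte in digest:
        if byte == 0:
            count += 8
            continue
        count += 8 - byte.bit_length()
        break
    return count


def stamp_digest(stamp: str) -> bytes:
    """SHA-256 of the ASCII stamp (hashcash proper uses SHA-1; this is an assumption)."""
    return hashlib.sha256(stamp.encode("ascii")).digest()


def mint_stamp(recipient: str, bits: int, date: str = "131112", rand: str = "") -> str:
    """Sender side: search for a counter so that the stamp's hash starts with
    `bits` zero bits. Expected cost is about 2**bits hash evaluations, paid once
    per message by the sender and never by the receiver.
    Layout (assumed, modelled on hashcash v1): ver:bits:date:resource::rand:counter"""
    rand = rand or secrets.token_hex(8)   # fresh randomness keeps stamps unique
    counter = 0
    while True:
        stamp = f"1:{bits}:{date}:{recipient}::{rand}:{counter}"
        if leading_zero_bits(stamp_digest(stamp)) >= bits:
            return stamp
        counter += 1


def verify_stamp(stamp: str, recipient: str, min_bits: int, seen: set) -> bool:
    """Receiver side: one hash plus a few string checks. `seen` is the receiver's
    double-spend database, so a stamp that was accepted once cannot be replayed."""
    parts = stamp.split(":")
    if len(parts) != 7 or parts[0] != "1" or parts[4] != "":
        return False
    try:
        claimed_bits = int(parts[1])
    except ValueError:
        return False
    if claimed_bits < min_bits:          # sender did not commit to enough work
        return False
    if parts[3] != recipient:            # stamp was minted for someone else
        return False
    if leading_zero_bits(stamp_digest(stamp)) < claimed_bits:
        return False                     # the claimed work is not actually present
    if stamp in seen:                    # replay of an already accepted stamp
        return False
    seen.add(stamp)
    return True


if __name__ == "__main__":
    # Constructed demo: mint a 16-bit stamp (about 65k hashes) and verify it twice.
    seen = set()
    stamp = mint_stamp("alice@example.com", 16)
    print(stamp)
    print("first delivery:", verify_stamp(stamp, "alice@example.com", 16, seen))
    print("replayed copy: ", verify_stamp(stamp, "alice@example.com", 16, seen))
```

The asymmetry is the whole point: a mail relay handling bulk traffic pays one hash per message, while a spammer pays 2**bits hashes per recipient, and the receiver can raise `min_bits` unilaterally when abuse rises. What this does not solve is the metadata problem Mike raises in the same breath: the recipient field is in the clear inside the stamp, so the proof of work has to sit inside whatever encrypted transport or DHT lookup carries the message rather than beside it.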

Mike the goat • November 12, 2013 6:15 AM

In case anyone is interested in the developing situation re CVE-2013-3918 (IE 0day) FireEye has a decent write up on their blog. I wrote today that I believe that this one is going to get interesting given the chosen targets.

CallMeLateForSupper • November 12, 2013 9:34 AM

@ Mike the goat "...in the 80s you could get anything... from your friendly lab supplier"

"Back then" was indeed great; too bad it's not produced anymore. '-) My personal "back then" began in the early 1960's. At one of the mom-and-pop drug stores in my mid-west town any kid could pick one of several size jars of "flowers of sulfur" and "saltpeter" right off the shelf.... Several of dad's barbecue briquettes, crushed, provided carbon. The stentorian noises I made were *the* thing that catapulted me into a serious study of chemistry.

In the late 1970's, in a different state, town and life, I was looking for a local source of potassium dichromate (I was making wood stains from scratch). A friend directed me to an old brick warehouse in the next town, where I found a Shangri-La of natural compounds. If nature made it, they sold it... in any quantity you wanted. Yes, they stocked potassium dichromate; I bought one pound of the brilliant orange granules, kept it in clear glass, on my desk, next to a pencil jar. (I love the color orange.) Also an impulse buy of fifteen pounds (yep, 6.8 kg) of ferric chloride (for etching PC boards, of which I've made hundreds), because it was dirt cheap. Did they stock potassium nitrate? Yes; comforting bit of nostalgia that, but while I still handled black powder (I shoot primitive firearms), I no longer made my own (which is kind of a shame, really).

Mike the goatNovember 12, 2013 11:01 AM

Callmelate: I remember making dichromate volcanoes when I was a kid! Apparently they aren't allowed to do that demo anymore, even under a fume hood. Crazy times, eh?

Nick PNovember 13, 2013 2:05 PM

Nice story about the "second OS" in phones that controls the baseband stack.

http://www.osnews.com/story/27416/...

This has been well known among mobile engineers and security types for a while. Isolation kernels I promoted here in the past such as OKL4 have baseband stack isolation as a specific goal on their web sites. Clive and I previously discussed here some of the risks associated with the modems. There are still surprises in the article for security types, though, such as this gem:

" For instance, you can turn on auto-answer, using the Hayes command set. This is a command language for modems designed in 1981, and it still works on modern baseband processors found in smartphones today (!). The auto-answer can be made silent and invisible, too. "

Problems such as an insecure baseband stack are why I critique any "secure mobile solution" as untrustworthy. Many are targeted at dealing with black hats and TLAs. These attackers can reverse engineer software to find obvious bugs. The article shows that there are *plenty* of obvious bugs allowing remote over-the-air exploits. So, no mobile solution with one of these stacks is secure unless the stack is untrusted in the design.
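
An added example, not code from the OSNews article, from Nick P, or from any phone vendor: a small auditor for the AT command channel between the application processor and the baseband that tracks Hayes S-register writes and flags any command enabling auto-answer (`ATS0=n` with n > 0, the feature quoted above). The AT traffic below is constructed, not captured from a device. The caveat that matters for the point being made: this only sees commands the application processor sends; anything that reaches the baseband over the air, or from the SIM, never passes through this channel, so a clean log here does not mean auto-answer is off.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed AT traffic between an application processor and its baseband
# (host commands and modem responses interleaved); not captured from a real phone.
SAMPLE_AT_LOG = """\
AT
OK
ATE0V1
OK
ATS0=0
OK
AT+CLIP=1
OK
ATE0S0=2
OK
ATS7=30
OK
AT&F
OK
ats0=1
OK
ATS0?
001
OK
"""

AT_PREFIX = re.compile(r"^AT", re.IGNORECASE)
EXTENDED_CMD = re.compile(r"\+[^;]*")                 # +CLIP=1, +CGDCONT=..., up to ';'
S_REG_WRITE = re.compile(r"S(\d+)=(\d+)", re.IGNORECASE)
FACTORY_RESET = re.compile(r"&F", re.IGNORECASE)      # AT&F: factory defaults, S0=0
PROFILE_RESET = re.compile(r"Z", re.IGNORECASE)       # ATZ: stored profile, S0 unknown to us


def audit_at_log(text: str) -> Tuple[Dict[int, Optional[int]], List[Tuple[int, str]]]:
    """Replay host->baseband command lines, tracking S-register state.

    Returns the final register map (None = value unknown) and a list of
    (line_number, finding) for every command that turns auto-answer on.
    Response lines (OK, ERROR, query results) are ignored.
    """
    regs: Dict[int, Optional[int]] = {0: 0}
    findings: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not AT_PREFIX.match(line):
            continue
        # Basic Hayes commands may be concatenated after one "AT" (e.g. ATE0S0=2);
        # extended +commands are stripped so their parameters are not read as S-registers.
        body = EXTENDED_CMD.sub("", line[2:])
        if FACTORY_RESET.search(body):
            regs = {0: 0}
        elif PROFILE_RESET.search(body):
            regs = {0: None}
        for reg, val in S_REG_WRITE.findall(body):
            reg_n, val_n = int(reg), int(val)
            regs[reg_n] = val_n
            if reg_n == 0 and val_n > 0:
                findings.append((lineno, f"auto-answer enabled: S0={val_n}, modem answers "
                                         f"after {val_n} ring(s), command '{line}'"))
    return regs, findings


if __name__ == "__main__":
    final_regs, hits = audit_at_log(SAMPLE_AT_LOG)
    for lineno, msg in hits:
        print(f"line {lineno}: {msg}")
    print("S0 at end of log:", final_regs.get(0))
```

On a real device the input would be the serial or logging channel the RIL uses to talk to the modem; the register-state approach (rather than grepping for one string) is what catches the concatenated form and a reset that silently undoes an earlier `ATS0=0`.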

Dirk PraetNovember 13, 2013 8:43 PM

This Wired article made me smile today: NSA Transparency Hurts Americans’ Privacy, Feds Say With Straight Face.

And since all good things come in pairs:
The USPTO granted Facebook a patent in May for its Automated Writ Response System. The patent covers technical methods to more efficiently share the personal data of users with law enforcement agencies in response to lawful government requests via APIs and secured portals installed at company-controlled locations. Wasn't Zuckerberg that guy who flatly denied that Facebook was ever part of any program to give the US or any other government direct access to their servers ?

GarfieldNovember 13, 2013 9:08 PM

@Dirk Praet:
The USPTO granted Facebook a patent in May for its Automated Writ Response System.
...
Wasn't Zuckerberg that guy who flatly denied that Facebook was ever part of any program to give the US or any other government direct access to their servers ?

Good catch. Just proves you were correct in case you never fully trusted that sort of statement from FB. I sure never did. And that includes the same claims from Google as well.

Nick PNovember 13, 2013 9:18 PM

@ Dirk Praet

Re Wired article

Wow. Should go in the News of the Weird "Unclear on the Concept" section.

Re Zuckerberg lying

Brings to mind something in the Lavabit court documents. Levison mentioned that his complying with the pen register would damage his business because his users' privacy would be compromised. The FBI rep argued that it wouldn't, because his users wouldn't know and he wasn't allowed to say anyway. The court agreed. Knowing about court rulings like this, it's easy to think that Zuckerberg might have both been allowed to and even encouraged to lie about the program.

Plus, as I've previously stated, one can lie about participation in certain national security matters by law for security/effectiveness of the program.

Re facebook patent

That's unfortunate because an idea I was looking into recently was patenting some aspect of what they're all doing (incl real-time lawful intercepts), then hiring a patent troll to sue the crap out of them. We all know the patent courts are extremely pro patent holder. Making it all much more expensive for them might make them more willing to fight it. Course, it was more a fun idea than my plan for the next year or two. ;)

(Plus NSA would just slap a secrecy order on it to make it into a so-called black patent. If it wasn't dismissed outright.)

BuckNovember 14, 2013 12:37 AM

@any android aficionados in da house

So my ATRIX II (love how auto-correct auto-capitalizes that!)... I suppose I've had a good couple of years with it; warranty's certainly expired; its replacement probably fully subsidized already; but still I have yet to replace its firmware...

Well yeah, the warranty was one thing... but mind you, I've re-flashed several devices so far in my young life- one mp3 player, some phones, and a router (or two?) Never experienced the infamous "bricked device" phenomenon that I've read so much about (one of those phone flashes involved a severed USB link mid-flash)! Now maybe that's just luck, maybe that's just me better comprehending tech manuals than the average forum poster, maybe it's just propaganda to prevent you from eliminating corporate branding (and so much more :-D thanks CIQ!)

No, the real reason I avoided doing this was because of the proprietary hardware blobs. Perhaps things have changed by now, but it's been many months (up to a year?) since I last checked, and it seemed to me that I'd be taking a huge performance hit to install CyanogenMod, or any custom ROM for that matter... I had even heard of an open source SELinux-(or something)-based Android OS that was secured by the NSA! Since AT&T stopped providing any system updates after 6 months, that would have provided much needed peace of mind. 2+ years ago, I would have assumed the NSA could read any communication of mine they wished, but better off being subject to their backdoors & secured against others VS. dealing with unknown adversaries & NSA contractors deploying their short-life-cycle exploits without enough stress testing!
OK... Perhaps I would have even taken the loss of camera quality, GPS utility, or whatever- but alas! Android SDK not supported on BSD. :-( and Linux virtualization didn't seem to have the right hardware support )-:

Now, the problem for me is (as a professional web-developer within a small-medium sized business), I use this phone for personal & business related functions... How am I to secure the personal information and passwords of customers if I can't 100% certainly do the same for myself? Lord, I really hope you're not using the same password for multiple important accounts- but as I'm sure we all know, it happens... Each account/company breached is but another stepping stone to the next private/corporate data theft.

Now with multiple state/mafia/private/public/basement/(AI?) actors in the game, with such vast resources being pumped into their plays, I would have to be a total ArrogantGiraffe to believe I could catch one of these advanced attacks in action... Security would have to be my full time job. No, I really would need a large team of security experts, or simply a lot of luck!
Meanwhile, in reality, I have customers with needs to be satisfied in order to continue cashing my paycheck... Security can wait (or consist solely of the lowest hanging fruit). There's no telling who's hacking whom... The cases reported are just the tip of the iceberg of the cases detected, which are just a drop in the pond of the intrusions that occur. To my knowledge, the only cases with real attribution & prosecution were those of defendants basically being conned by informants (or those who thought they were releasing seemingly innocent/important data!?)

Anyways, to bring it back around full circle - if anyone's still with me here - after my phone battery died, I plugged it back in and got this message:

AP Fastboot Flash Mode (S)
0A.65
Battery OK
OK to program
Connect USB
Data Cable

Does this mean my device has been rooted/re-flashed, or can this just happen in the proper circumstances?
If the former:

  1. Does this mean my device was foobar'd the last time I USB'd it to the laptop?
  2. Or can this happen "on-phone"??

FigureitoutNovember 14, 2013 1:09 AM

Buck
--Few things; can't answer your other questions now, sorry. You haven't lived 'til you've bricked a device beyond how you know to fix. I recently accidentally reset an old Android which I wonder how to get back into now b/c I want to put it to work. If "I" were a customer, I would want to see the person securing my data using *at most* a dumb phone, and I shouldn't get easy physical access to their PC. Next is the comms, how open are they? I saw close to me that for a neighborhood they put them under concrete paths (which I had easy access to before burial...) but there are boxes all over neighborhoods wide open; maybe up on your house a simple splice is all it takes.

Also, don't think you're not a worthy target of a ridiculous investigation. Meaning they move in your neighborhood or just simply wait early in the morning for you to go to work, then "set up shop" all legally. You have to be very focused on tiny hints to verify that you are. I personally made sure that their work is garbage lol.

WaelNovember 14, 2013 1:24 AM

@ Buck
It means your bootloader is booting in fastboot mode. Maybe you have a key stuck, or your last flash image was corrupted. Try to get a UART log, you'll get more hints. Connect your phone to the pc and use a terminal emulator like minicom.

FigureitoutNovember 14, 2013 1:42 AM

Bruce
--In the "news" section, your latest post showed you told a bunch of engineers (from IETF) that the internet is a surveillance state. You drew a blank on what to be done about it b/c there's still a lot of good info on the internet. Then I liked how you called them out; I wonder if an entirely new means of computing needs to be invented. (Let's waste more time inventing an entirely new means of computation to fight surveillance and maybe in the process die on the planet not cooperating w/ each other.)

In your latest 11/8/13 op-ed I found it funny you used that phrase "sunshine is the best disinfectant"; I remember it from the archives lol. You see that only works when you know something bad is happening in an obvious way, otherwise you are shining light on everything. Also, comparing Yahoo! and Apple fighting surveillance orders to Lavabit is not right. Lavabit actually fought while the other companies are still untrustworthy; mostly b/c they're too big.

Clive RobinsonNovember 14, 2013 3:40 AM

@ Nick P,

The OS article was wrong in a couple of places...

Firstly there are 3 OSes, the other being on the SIM. Secondly the baseband OS is controlled by the SIM.

Other than that it's more or less right.

What it did not mention is that the mish-mash of standards that go into making GSM was "got at" by GCHQ/MI5 back in the late 1960's via what was the General Post Office (GPO). The "silent answer" mentioned is not a bug but a required feature, and if you implement a baseband unit that does not do it then it won't get certified.

Basically, back in the 1950's the GPO Telephones Research establishment at Dollis Hill (and later Martlesham Heath) started evolving the work of WWII engineers like Tommy Flowers into the digital age with what became known as "System X". This caused some concern in "The Establishment" that the ability to place "lawful intercepts on lines" would be lost. The actuality was not fear of losing traditional wire taps but the secret SF system (see Peter Wright's book Spycatcher for a very vague description of this RF flooding device) that turned the telephone into a bugging device that would work irrespective of whether the phone handset was "on hook" or not. Thus the notion of the "silent answer" came about.

As Europe got into "digital telephony" various standards bodies got involved, one of which was CCITT, another the ITU. The GPO representatives of the time had what were in effect "top table" seats on these committees and "finessed" GCHQ/MI5 requirements through into ISDN and SS7, and thus were firmly entrenched where they still are today...

What many people don't realise is that in the original WWII-end BRUSA (later UKUSA) "Special Relationship" Britain was the "senior partner" and remained so for some time. The arrangement was that Britain would supply brains, property and political influence and the US would supply manufacturing. It was because of "Empire" that various eastern European (and later Russian) intel services recruited spies through the British Communist Party in the 1930's but largely ignored the US, which was strongly isolationist and had little or no influence in Europe.

Whilst Britain remained nominally the senior partner, the scandal of Burgess and Maclean and later Philby knocked it back. But it was not until the beginning of the 1960's, with Cuba, that there was a major change that put the US down the electronic reconnaissance path rather than the on-the-ground human intelligence that Britain retained. For some reason the US likewise did not do well diplomatically, and various home political issues and their highly visible effects started a world view that the US Gov is reaping and using to beat its own citizens.

So much of the committee "finessing" fell to the UK and other Five Eyes nations...

None of this is news; however I, like several others who have witnessed it first hand, have talked about it publicly for many years. The bits we have missed were filled in privately by others who (since Peter Wright) could not talk publicly and in many cases (Tony Sale and Service friends) are no longer with us.

Mike the goatNovember 14, 2013 4:08 AM

Clive/Nick: ... yes, I found out with a friend's cell BTS emulator just how "secure" these basebands are (we got a phone to crash by sending corrupt GPRS packets). It is a wonder that we haven't had an exposé on E911. Being able to triangulate position is one thing (many carriers send a flood of malformed class 0 SMS packets to keep the phone chatting to aid radiolocation) but E911 GPS is another. Through undocumented voodoo the phone's GPS coordinates are sent back to the tower.

I looked through the Android source of my N4 and found the handler for the presidential/amber alerts (which are sent via cell broadcast and prettied up by a little app called CellBroadcastReceiver - also there to ensure that prez alerts can't be disabled) but couldn't find the E911 beacon code in userland. This most certainly is in the baseband blob.

FigureitoutNovember 15, 2013 12:24 AM

░░░░░███████ ]▄▄▄▄▄▄▄▄ Bob is building an army.
▂▄▅█████████▅▄▃▂ ☻/︻╦╤─ This tank & Bob are against Google+
Il███████████████████]. /▌ Copy and Paste this all over
◥⊙▲⊙▲⊙▲⊙▲⊙▲⊙▲⊙◤.. / \ YouTube if you are with us.


--Lots of spam all over youtube; they are getting hit hard over trying to force users to use real identities to make comments. Here's a sample.

Nick PNovember 15, 2013 12:32 AM

@ Figureitout

Dude, that's awesome text art. It almost looks like an image. People unfamiliar with text art would be Googling their butts off trying to figure out "how did that one guy get images in his comments and I can't?" Haha.

FigureitoutNovember 15, 2013 12:53 AM

Nick P
--Yeah, the spammers are really owning youtube right now...hilarious. Can't say I'm really against it when they spam entities w/ way too much info anyway.

I've got a frickin' ASCII animation project in Java that needs to save, load, and go through at least 10 frames of saved ASCII art and I have pretty much zero clue what I'm doing or what the code is, but it's due tomorrow at 11pm. I'm screwed. It doesn't even interest me much but it's annoying b/c I just want C programming. It's pretty bad b/c I don't really like OOP; I'd rather it be all in 1 file.


Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.