Friday Squid Blogging: Bobtail Squid Photos

Pretty.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on February 28, 2014 at 4:38 PM • 118 Comments

Comments

yesme • February 28, 2014 4:59 PM

Rethinking the internet

The OSI model 2.0

This is in fact a homage to 9P, a major component of Plan-9 from Bell Labs.
Rob Pike, Ken Thompson, the late Dennis Ritchie and the others were right.
9P is simple.

I only added a few minor things.

1) Each protocol should have a new release within 5 years. Also when there are no changes.
2) Only the last two releases of a protocol should be supported. This means that backward compatibility is no longer an issue.
3) Each protocol should have a reference implementation.
3.1) Patent free, written in C, BSD licensed so it can be used in proprietary software and FOSS, without #ifdefs and with simple BSD style Makefiles.
3.2) A simple networking stack for everyone.
4) Each encrypted connection should have perfect forward secrecy. That means PHP certificates for each user.
4.1) Simplify TLS.
5) Each protocol based on 9P / Fuse.
5.1) Copying a file from one computer to another is easy with the command line tools. Securing with the normal file/directory permissions.
5.2) Accessing a filesystem from another computer is done with "mount protocol://machine/share"
5.3) No more BSD / network sockets.
5.4) Union mounts make distributed networking easy again.
5.5) No more HTTPS, FTP, WebDAV, NFS etc.
5.6) HTTP could be simple again. No more (f)cgi, only r/w files.
5.7) Email should be rethought and it could be obsolete.
6) XML should be replaced with JSON.
7) UTF-8 anywhere.

Alice Wonder • February 28, 2014 5:19 PM

In response to yesme

5.1) Already is easy with scp or using rsync over ssh

5.7) -- e-mail should not be obsolete though it could use some re-thinking.

6) JSON should not replace XML. In some contexts it is appropriate, but not every context. The developer should feel free to use the tool of their choice and XML can be extremely human readable compared to JSON.

7) Amen - UTF-8 has been everywhere in the *nix world for some time, just need to obsolete Windows and we are pretty much golden.

Clive Robinson • February 28, 2014 5:55 PM

@ NobodySpecial,

With regards the link in your "Orwellian" comment, on reading it one sentence struck me,

    However, analysts were shown the faces of people with similar usernames to surveillance targets, potentially dragging in large numbers of innocent people.

I would expect this "similar usernames" to strike a painful note with a lot of US voters in "JEB" Bush's area, for it was there that many voters were struck off the voter rolls for having names similar to those of supposed criminals. The timing of the action and the areas in which it happened made it deeply deeply suspicious as being a deliberate attempt to "fix the vote" in JEB's favour.

The thing that puzzles me most is how we outside the US see reports of US vote rigging being done by Republicans not Democrats. Which begs the question "Is the international reporting biased or is it the case that Republicans really are vote rigging at a rate well beyond all others?"...

Evan • February 28, 2014 6:38 PM

@yesme
That sounds great - but unfortunately, it's exactly the crux of the problem: business/government/consumer needs are not driven by the software development cycle. If you don't need an upgrade, you aren't going to pay for one regardless of how long it's been, and if you do, you don't want to wait four years for the necessary bugfix. There are still probably more computers running Windows XP than Windows 8.

The real issue is that there needs to be a security rethink in desktop computation. Hitherto the idea has been to prevent an authenticated user from wrecking the system on purpose (whether that intent is accidental or malicious), but these days threats come primarily from code the user doesn't even know is running. That requires an entirely different mindset, most significantly a deviation from the usual "default allow" approach operating systems tend to take.

Clive Robinson • February 28, 2014 6:50 PM

@ yesme, Alice Wonder,

There is a problem with points 6 & 7

JSON uses and should correctly recognise ALL Unicode. UTF-8 is only a subset of Unicode.

Leaving this open potentially allows various types of attack vectors that are already being exploited in other areas.

My preference would be to change JSON from Unicode ALL encodings to Unicode UTF-8 ONLY, which might not be popular with some but at least would,

A, Close the hole.
B, Simplify code design.
C, Reduce code size.

All of which would be beneficial not just to security but also to just about all coders.

There is also an issue with points 2 and 3.

Firstly the problem of legacy code will not be stopped by this measure due to the financial and support issues of application software. We are currently seeing this in play with windows XP and "web apps" and will see it over and over again with all "upgrades" in the future. It's a "licence to print money" for the likes of Micro$haft.

Secondly "reference implementations" are a disaster that is happening, it looks like a good idea but the reality is it's a bad idea. The reason it's bad can be likened to "mechanical slop" in "copy patterns" and "physical standards". If you "work to drawings" the only slop arises from the precision of your tool making. However if you work off of a physical pattern you have additional slop from measurement inaccuracies.

Which also applies to software, that is whilst it's possible to write code to match the reference it provides no guarantee that two such independent pieces of code will work together because the two different code cutters may measure the reference differently.

Further unlike physical patterns that are in the tangible analog world and thus "flow over" unspecified parts, software is intangible information and there is no "analog flow over" behaviour so the potential for holes is really the certainty of gaping chasms, where security vulnerabilities are currently seen to play unrestrained. A current example of this sort of mess is TLS and all the IPsec issues.
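An added example, not from the thread, of the UTF-8-only JSON handling Clive argues for: a loader that accepts only BOM-less UTF-8 bytes, rejects overlong and surrogate byte sequences and unpaired `\uD800`-style escapes, set beside what Python's own `json.loads` accepts when handed raw bytes. The sample documents are constructed, and `StrictJSONError` and the function names are my own.

```python
import json
from typing import Any

# Constructed example of the JSON/Unicode tightening discussed above.
# Names here are ours, not from any library or from the thread.


class StrictJSONError(ValueError):
    """Input is not a BOM-less, UTF-8-only, well-formed JSON document."""


# Byte order marks for UTF-8, UTF-16 (both orders) and UTF-32 (both orders);
# the FF FE prefix also covers the UTF-32-LE mark FF FE 00 00.
_BOMS = (b"\xef\xbb\xbf", b"\xff\xfe", b"\xfe\xff", b"\x00\x00\xfe\xff")


def _reject_surrogates(obj: Any, path: str = "$") -> None:
    """Walk a parsed document and refuse any string holding a surrogate
    code point: json.loads lets an unpaired '\\ud800' escape through."""
    if isinstance(obj, str):
        for i, ch in enumerate(obj):
            if 0xD800 <= ord(ch) <= 0xDFFF:
                raise StrictJSONError(
                    f"lone surrogate U+{ord(ch):04X} at {path}[{i}]")
    elif isinstance(obj, dict):
        for key, value in obj.items():
            _reject_surrogates(key, f"{path}.<key>")
            _reject_surrogates(value, f"{path}.{key}")
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            _reject_surrogates(value, f"{path}[{i}]")


def strict_json_loads(data: bytes) -> Any:
    """Parse JSON from raw bytes, accepting exactly one encoding: UTF-8."""
    if not isinstance(data, (bytes, bytearray)):
        raise TypeError("pass the raw bytes; decoding is part of the check")
    if data.startswith(_BOMS):
        raise StrictJSONError("byte order mark present; only BOM-less UTF-8 is accepted")
    if b"\x00" in data:
        # Valid UTF-8 JSON never needs a raw NUL; UTF-16/32 text is full of them.
        raise StrictJSONError("NUL byte present: UTF-16/UTF-32 or corrupt input")
    try:
        # errors="strict" rejects overlong forms (C0 AF), encoded surrogates
        # (ED A0 80) and stray continuation bytes.
        text = data.decode("utf-8", errors="strict")
    except UnicodeDecodeError as exc:
        raise StrictJSONError(
            f"invalid UTF-8 at byte {exc.start}: {exc.reason}") from exc
    try:
        obj = json.loads(text)  # default strict=True also bars raw control chars
    except json.JSONDecodeError as exc:
        raise StrictJSONError(f"malformed JSON: {exc.msg} at {exc.pos}") from exc
    _reject_surrogates(obj)
    return obj


def strict_json_accepts(data: bytes) -> bool:
    """True if strict_json_loads would accept the document."""
    try:
        strict_json_loads(data)
    except StrictJSONError:
        return False
    return True


def stdlib_accepts(data: bytes) -> bool:
    """What json.loads does with the same bytes: it sniffs UTF-8/16/32 from
    the leading bytes, strips a UTF-8 BOM and decodes with 'surrogatepass'."""
    try:
        json.loads(data)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample documents.
    samples = {
        "plain utf-8": b'{"name": "caf\xc3\xa9", "n": [1, 2]}',
        "utf-8 with BOM": b'\xef\xbb\xbf{"a": 1}',
        "utf-16-le": '{"a": 1}'.encode("utf-16-le"),
        "overlong slash": b'{"path": "\xc0\xaf"}',
        "encoded surrogate": b'{"s": "\xed\xa0\x80"}',
        "escaped surrogate": b'{"s": "\\ud800"}',
    }
    for label, doc in samples.items():
        print(f"{label:18} stdlib={stdlib_accepts(doc)!s:5} "
              f"strict={strict_json_accepts(doc)}")
```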

Clive Robinson • February 28, 2014 7:49 PM

OFF Topic :

A 28 year old Brit is facing charges in the US for amongst other things "hacking the Fed Reserve" and releasing PII on them.

http://www.theregister.co.uk/2014/02/28/lauri_love_us_federal_reserve_hacking_charges/

The obvious question is "What the heck were the Fed doing having confidential employee information on an Internet connected server?"

It should be the responsible Fed staff on charges of criminal negligence, there is absolutely no acceptable reason for having employee PII on a server that can be reached directly or indirectly from the Internet, it's so far from any kind of best practice that it can only be considered these days as a criminally negligent act at the most senior of levels in any organisation. It's only by locking up such idiots will people be safer.

Irrespective of what Lauri Love was doing the lack of charges against Fed executives smacks of "shooting the messenger" thinking.

Clive Robinson • February 28, 2014 8:07 PM

OFF Topic :

A piece from the UK's Guardian OnLine about privacy post Snowden and how it reflected on RSA,

http://www.theguardian.com/commentisfree/2014/feb/28/snowden-privacy-products-trustycon-2014

One bit of note was the "blackphone",

http://techcrunch.com/2014/02/26/close-look-at-blackphone/

Which is a lightly modified Android OS phone with some of Silent Circles apps and other security related functions and features added.

Whilst I doubt it's NSA/GCHQ proof it does indicate people are starting to think it's worthwhile investing in privacy.

Figureitout • February 28, 2014 8:17 PM

yesme
--Sounds good, if you can put a project together please do. Bring some sanity back to the internet.

*Exciting News for Open-Source Community*
--Eben Upton over at Broadcom and the RasPi Foundation is making things happen and has decided to open-source the binary blob drivers on BCM21553 SoC and the BCM2835 used in the RasPi.

http://blog.broadcom.com/chip-design/android-for-all-broadcom-gives-developers-keys-to-the-videocore-kingdom/

//Shout out to Mike the goat
--You will probably like this little tidbit b/c I think you have high interest in phones, Android ones in particular:

This release provides the mobile developer community with the chance to do their own tinkering and upgrade their existing 3G mobile devices with newer generations of the Android operating system.

Clive Robinson • February 28, 2014 8:20 PM

@ Figureitout, Nick P, and others,

Some interesting news on the Raspberry Pi front, BroadCom have released public information on the graphics block they use so the current binary blob can be replaced with a more appropriate set of FOSS drivers etc.

And Raspberry are running a competition to take advantage of the document release,

http://www.raspberrypi.org/archives/6299

Any way a BIG THANK YOU to Broadcom for releasing the documentation :-)

Figureitout • February 28, 2014 8:24 PM

Clive Robinson
--Lol, hey what a coincidence :) It is exciting; I've already got a Pi, I need a USB hub so I have easy file transfer. I won't be taking part in the contest as I have given myself plenty to do (my free time is cherished now).

NobodySpecial • February 28, 2014 9:33 PM

@Clive - rather the opposite I'm afraid.
There are a large number of agencies who believe that all security requires is a label saying "secure".

With Blackberry about to go the way of the dodo many 100,000s of government employees in 1000s of agencies are going to need a new "secure" phone and Boeing are going to be the only supplier.

Nick P • February 28, 2014 9:44 PM

@ NobodySpecial

Far from the case as there's at least half a dozen companies marketing "secure" smartphones. Far as defense contractors, you can add General Dynamics to the list with their acquisition of OKL4 and mobile security products. Samsung Knox in Korea, Group Bull Hoox in France, Cryptophone in Germany, Tripleton Enigma in Israel, etc. for those businessmen who don't want made in USA.

If anything, Blackberry going away is going to create a huge transition cost and a vacuum for the many competitors. That competing market is either exploding or about to.

Clive Robinson • February 28, 2014 9:45 PM

@ Figureitout,

Yes I'll blame the three mins time difference on my post having to skip across the Atlantic ;-)

Having got your Pi you will discover that you have the urge to add hardware to it which could lead to pops bangs and sad looks. So if you have a yen to expand I'd first get a buffered expansion board with any buffer chips in sockets oh and feed power from the expansion board to the Pi not the other way as PCB traces make expensive fuses.

Figureitout • March 1, 2014 12:31 AM

Clive Robinson
--Haha, you're funny. I'll blame my 4 min difference on "Americans having a fat and latency-filled connection"; I can make almost any European laugh w/ an American "hamburger and fries" joke; my internet connection had to stop in the McDonald's drive-thru first and may have had a slight heart attack.

My plan is DSP applications first; maybe a radio or server. I really like my arduino though...I just want a secure computer to program it with...And I've got 3 other computers; one older one I haven't booted yet for some time. If anyone has an old computer they don't care about or want, but it still works, please send my way. Even a RasPi is too advanced for me right now. Maybe I'll try out some Python on it, b/c it's such a popular language right now.

I found a new subreddit, /r/computerforensics, which is pretty good b/c I want to extract everything from all these chips on my computers. May bring them into my computer lab and see if some of my IDE cables work or USB. Thankfully I should get a fairly empty lab so I can do my experiments and report my results if they're interesting. Hopefully soon I'll have some results on if I can extract actual security-compromising info from the audio ports of my school computers. It's going to be a Friday when I have from 10:30am to 10:30 pm in the lab to do tests.

Wish I could just stop time for a few years and do my experiments so I can get my results now! Grrr so many I want to do....

65535 • March 1, 2014 1:22 AM

@ Clive R

What is the legal status of encrypted voice and text messaging in the UK?

Clive Robinson • March 1, 2014 2:45 AM

@ 65535,

Simple answer is look at Regulation of Investigatory Powers Act (RIPA) and Electronic Communications Act (ECA) and the various Data Protection Acts.

I suspect what you are actually asking for is what rights are the state claiming over any entity HMG wants to look at.

Well the first thing to consider is RIPA claims it applies to any and all networks "connected" to the UK, the wording is such that the scope is "global" for both public and private networks. If HMG agents can reach it somehow from the UK, so if they compromise or somebody else compromises your air-gapped network and GCHQ or any other agency down to a lowly local council worker can "see it" then the snooping is arguably legal.

The second thing to consider is what RIPA says about the use of encryption. Simple fact is if they can get the cipher text any old policeman and most civil servants can make you the offer of "hand over the keys or go to jail for five years without the right to open and fair court proceedings". Oh and as I understand it they can make the request as many times as they like so in theory you can be locked up indefinitely. The only defense is the virtually impossible task of proving you do not have the key in your possession... But worse is this applies not just to encrypted data you send but also encrypted data sent to you (even if you don't receive it). So if a person working for the Met Police was to send a random file to your Gmail account even though you have not accessed it the Met could grab you off the street and demand the key, you won't be able to hand over the key and you won't be able to prove you've not got it so you go to jail. Oh and if you speak to anyone about the "request" including a potential legal representative then you get an automatic sentence as well...

There is of course the arguments about the ECJ and ECHR and various other human rights legislation but HMG appears to be able to find judges who will say anything is "legal" as has recently been seen with "whole life tariffs".

Then there is the question of how long you are legally required to keep "electronic communications" and some argue it's indefinitely due to ECA and other legislation. Others argue that ECA also applies to anything in "the cloud" or any other "third party system" so a case could be made for leased equipment or equipment supplied under a SLA from a company you had "outsourced" your IT services to...

The advantage for HMG is there is currently no publicly known "case law" to indicate what the judiciary think of the legislation, and I suspect HMG would use other legislation such as the Proceeds Of Crime Act (POCA) to rights strip you of any ability to put up a viable defence as they have done to quite a few people so far...

As I've observed in the past in the UK politicians want "justice to have been seen to be given, but not actually given", others have stated publicly that Britain is now a hollowed out nation like any other banana republic.

65535 • March 1, 2014 3:00 AM

“…if they can get the cipher text any old policeman and most civil servants can make you the offer of "hand over the keys or go to jail for five years without the right to open and fair court proceedings". Oh and as I understand it they can make the request as many times as they like so in theory you can be locked up indefinitely… The advantage for HMG is there is currently no publicly known "case law" to indicate what the judiciary think of the legislation, and I suspect HMG would use other legislation such as the Proceeds Of Crime Act (POCA) to rights strip you of any ability to put up a viable defence…” – Clive R

That sounds very harsh. So, the “blackphone” would be at risk in the UK assuming that you refuse to give the government the passphrase to the phone? What about legitimate uses such as investment banking and the like?

yesme • March 1, 2014 3:02 AM

@ everyone who replied:

I am gonna answer the points as I see it.

1) Of course, when a vulnerability is found, the protocol should be updated.
But if you have each protocol updated within maximal 5 years and you only support the last 2 releases, backwards compatibility isn't hindering anymore.
3) "reference implementations are a disaster that is happening"
Maybe. It could. But it also solves lots of issues.
Especially when it's BSD licensed and only supports the last 2 releases of the protocol.
No more feature creep. And besides that, it's still up to the OS developers to review / implement / update it or not.
4) Typo. It should be "PGP certificates", not PHP...
5.1) "Already is easy with scp or using rsync over ssh". Yes, it's also possible with NFS, SMB, WebDAV etc.
The problem is that _all_ are hard to get right, especially cross platform. With 9P it's easy.
Besides that, all have a _massive_ codebase. 9P is small and simple.
6) "JSON should not replace XML." I think it should. The problem with XML is, well, XML. It's like C++.
Just get rid of it. And of course, I meant a subset of JSON (SJON? Simple JSON).

To Skeptical • March 1, 2014 3:32 AM

I'll move to this new squid thread since the other's comments have dried off. This is a response to Skeptical saying manipulation, planting false material, etc, isn't used on "inappropriate targets".

When you say "this would be a huge scandal and a serious problem", do you really mean "would be", or do you mean "is" ?

One example, from the case I was talking about:

http://news.yahoo.com/uks-cameron-calls-inquiry-police-smears-183015536.html

This kind of thing apparently went on for on the order of a decade.

And another link about the burrowing of undercover spies in the midst of peaceful campaigners' life:

http://www.globalpost.com/dispatch/news/regions/europe/united-kingdom/130711/britain-police-spying-scandal

L • March 1, 2014 4:06 AM

@yesme:

1) no-work updates are pointless. Beside, are we talking about rfc-updates or code updates?

2) sounds good in theory, but are we talking about code releases or protocol releases? what about legacy systems? this requires the complete rewrite and update of everything every 10 years. Ok for your home pc, *NOT* ok for safety critical system. And *do*not*touch*what*works*

You can't force a development model on everybody. at most you can make a "recommended practice" kind of rfc, but people ignore everything.

3) the reference should be patent free, but maybe apache2 is better for its patent protection clause.
3.1) C, no #ifdefs? LOL. you are now forcing a single language, and even a coding standard? good luck. Beside, we are talking about reference implementation. Using C in this case is way too verbose for something that should look a lot more like pseudocode.

4) PFS doesn't imply "PGP certificates", just ephemeral public keys, what the hell?
4.1) How about replacing it? Already working on it :P won't be more simple, though.

5) all protocols...fuse? we do not transfer just files, you know... and the performance would be lower.

I like the "everything is a file" approach, but you are taking it to such an extreme where a lot of dynamic things become difficult or impossible to do, and way too static...Are you trolling?

6) JSON sounds good for the structure, in fact its use is increasing a lot, but now you want to modify a hell of a lot of protocols.

7) UTF-8 sounds good, but some people might object that UTF-32 includes other languages, for example all of chinese/japanese, too.
And what does it mean "anywhere"? I might need to restrict myself to a lower set on applications with very low bandwidth or space requirements.


In short, your view is utopistic, restrictive and requires the collaboration of too many people to work. If we want to talk about utopia, I'd also like everyone to be rich, too.

yesme • March 1, 2014 4:51 AM

@L

Of course it is utopia. Do you really think this is gonna happen? I am philosophizing here.

1) "no-work updates are pointless. Beside, are we talking about rfc-updates or code updates?"

It is about that a badly designed protocol could only live that long.

5) "all protocols...fuse? we do not transfer just files, you know... and the performance would be lower.

I like the "everything is a file" approach, but you are taking it to such an extreme where a lot of dynamic things become difficult or impossible to do, and way too static...Are you trolling?"

I am not trolling. The Plan-9 guys put the "everything is a file or filesystem" approach to the extreme. And it worked very well. And I am only talking about the application level.

6) "JSON sounds good for the structure, in fact its use is increasing a lot, but now you want to modify a hell of a lot of protocols."

It's only a rewrite. I think XML is plain wrong.

Clive Robinson • March 1, 2014 5:42 AM

@ L

    If we want to talk about utopia, I'd also like everyone to be rich, too

The problem with "everyone being rich" is that by definition "everybody is also poor"...

With regards,

1, I'm assuming it would be both for obvious reasons.

3, Much though I like the idea of "patent free" it's going to be problematic due to US patent legislation.

4, I'm curious about "working on it".

5, I agree, if you think back to the failings of AT&T Sys 5 "streams" it was a good idea poorly executed due to resource limitations. The same is likely to apply to any "one size fits all" solution unless it's a suitably extendable primitive.

6&7, As I noted above JSON has some issues it inherits from Unicode which will cause security problems, personally I care not if it's UTF-8 or some other variant as long as it's only one character encoding scheme, however Unicode is but one small part of the internationalisation issue which likewise hangs over JSON.

Internationalization is a major major problem that after many years has not been solved either effectively or reliably which means it's almost guaranteed to harbour security weaknesses[1].

The simple fact is as you allude to, Utopia, is in effect an illusion, and I would add that illusion is what many criminals use to carry out their cons/frauds/etc.

[1] One of the most obvious internationalisation problems being the XX.YY.ZZ and XX.YY.ZZZZ format date codes [2]. Some places it's MM.DD.YYYY others it's DD.MM.YYYY which means 12.01.2013 could be 12th of Jan or 1st of Dec. And please don't say as some have in the past that "the separator" defines the meaning because humans just don't work that way...

[2] Then people disagree on how the two figure year gets interpreted in four figure years, that is when I say DOB is 14/02/60 you would currently assume the person was born on Valentine's Day in 1960 and thus would be 54 but what about if it was 14/02/10 are they 4 or 104 years old? If you think back to Y2K some people set the conversion epoch in the 1970's but...

[3] Then of course just to put the "cherry on top" some people disagree not just on the year epoch but on the length of the year as well, and even what time zone their part of a country is in and if and when "daylight saving" applies and even in the past as to single or double daylight saving is being used...
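An added example, mine rather than the thread's, of the date ambiguity in footnotes [1] and [2]: given an XX.YY.ZZ or XX.YY.ZZZZ string it returns every calendar date the string could denote, reading it both as DD.MM and MM.DD and, for a two-digit year, trying the current and the previous century, then lists the ages that follow. The "past dates only" rule and the century policy are assumptions suited to dates of birth; the reference date 2014-03-01 is the thread's own.

```python
import re
from datetime import date
from typing import List, Union

# Constructed example of the XX.YY.ZZ(ZZ) ambiguity footnoted above.
# Policy choices (the date must lie in the past; a two-digit year tries
# the current and then the previous century) are assumptions for
# date-of-birth use, not rules from any standard.

THREAD_DATE = "2014-03-01"
_DATE_RE = re.compile(r"^(\d{1,2})([./-])(\d{1,2})\2(\d{4}|\d{2})$")


def _as_date(value: Union[date, str]) -> date:
    """Accept either a date or an ISO 'YYYY-MM-DD' string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def expand_year(year_text: str, today: Union[date, str]) -> List[int]:
    """A four-digit year is itself; a two-digit year gets the current
    century first, then the previous one (e.g. '10' -> 2010, 1910)."""
    if len(year_text) == 4:
        return [int(year_text)]
    century = _as_date(today).year // 100 * 100
    return [century + int(year_text), century - 100 + int(year_text)]


def candidate_dates(text: str, today: Union[date, str]) -> List[date]:
    """Every past date the string can denote, DD.MM reading first.
    Impossible readings (month 14) drop out; identical readings (12.12) merge."""
    ref = _as_date(today)
    m = _DATE_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an XX.YY.ZZ or XX.YY.ZZZZ date: {text!r}")
    first, _sep, second, year_text = m.groups()
    found: List[date] = []
    for year in expand_year(year_text, ref):
        for day, month in ((int(first), int(second)), (int(second), int(first))):
            try:
                candidate = date(year, month, day)
            except ValueError:  # e.g. month 14, or 31 Feb
                continue
            if candidate <= ref and candidate not in found:
                found.append(candidate)
    return found


def is_ambiguous(text: str, today: Union[date, str]) -> bool:
    """True when more than one distinct calendar date fits the string."""
    return len(candidate_dates(text, today)) > 1


def age_on(dob: date, today: Union[date, str]) -> int:
    """Completed years between dob and the reference date."""
    ref = _as_date(today)
    had_birthday = (ref.month, ref.day) >= (dob.month, dob.day)
    return ref.year - dob.year - (0 if had_birthday else 1)


def possible_ages(text: str, today: Union[date, str]) -> List[int]:
    """Sorted ages a person could be if `text` is their date of birth."""
    return sorted(age_on(d, today) for d in candidate_dates(text, today))


if __name__ == "__main__":
    for s in ("12.01.2013", "14.02.2013", "12.12.2013", "14/02/60", "14/02/10"):
        dates = [d.isoformat() for d in candidate_dates(s, THREAD_DATE)]
        print(f"{s:11} -> {dates} ages={possible_ages(s, THREAD_DATE)}")
```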

Clive Robinson • March 1, 2014 6:02 AM

@ 65535,

Yes, it is very harsh and like a lot of really bad legislation it came care of David Blunkett MP under the direction but not protection of Tony Blair PM who was responsible for destroying over a thousand years of jurisprudence for the sake of grabbing a few "newspaper headlines" on how "Labour are tough on crime". For instance see rules on hearsay and "pre-trial" gateway protocol. Basically any nonsense spouted without any substantiation is allowable and the defendant has little or no right of reply and this is used to decide amongst other things sentencing.

Basically when it comes to "surveillance" people in the UK and territories have absolutely no protection at all and is rated the lowest of just about every --supposedly civilised democratic-- country you can think of.

As for the Blackphone, whilst using it is probably not illegal the use of it could be used against you in a court of law and used in ex-parte judicial proceedings as "reasonable suspicion" for seizure and other orders and warrants.

And of course the Catch-22 use of RIPA for keys, you don't have...

I'm also waiting to see what the thinking is on PFS systems their use could also be a potential RIPA issue along with "deniable encryption" systems

Benni • March 1, 2014 6:34 AM

@NobodySpecial,

The interesting point on this webcam things are that this must be connected to the recent slides where gchq says they would be using sexually explicit material for mobbing company employees and talibans

https://www.eff.org/document/07022014-nbc-gchq-honey-trap-cyber-attack

GCHQ says that they ran face recognition on these webcam chats.

So do not even have to get their sexually explicit material by setting up some honey trap of a prostitute and a web cam chat.
They simply can wait until the targeted software engineer, whose photo they downloaded from facebook or linkedin, appears on this webcam chat by himself.

And then they give this to the taliban colleagues, or they blackmail a software engineer, saying him they give this pictures to his wife, if he does not introduce a certain line of code into a crypto api....

This represents a whole new level of industrial espionage. now companies must fear that even their most loyal employees could have been blackmailed by gchq to insert a backdoor or a bug into their product,


Interesting is this slide on page 5, where they say that they do propaganda, deception, mass messaging, pushing stories, and alias development": preferably in Facebook, flickr and youtube

https://www.eff.org/document/07252014-nbc-gchq-honey-trap-cyber-attack-2

Apparently bbc doesn't have a headline on this: http://www.bbc.co.uk/ just a short tech story somewhere hidden on the page. the tech story http://www.bbc.com/news/technology-26367781 repeats several times:

"We are committed to preserving our users' trust and security and continue our efforts to expand encryption across all of our services."

"All of GCHQ's work is carried out in accordance with a strict legal and policy framework which ensures that our activities are authorised, necessary and proportionate, and that there is rigorous oversight, including from the secretary of state, the interception and intelligence services commissioners and the Parliamentary Intelligence and Security Committee.

"All our operational processes rigorously support this position."

So it seems that bbc is a part of the network where the secret services spread their "deception, propaganda, mass messaging and pushing stories". The bbc is part of Orwell's televisor.

And as yahoo webcams are not enough to get into all living rooms, gchq also identified xbox360's kinect camera as a spying tool of choice:

http://www.vg247.com/2014/02/28/xbox-360-kinect-sensor-identified-as-potential-surveillance-tool-by-british-spy-agency-gchq/

Somewhere, the analysts must get their amateur porn.

Interesting is the question whether they visited some children without clothing in this yahoo chat. Then, they would be childporn collectors. That would be interesting from a legally perspective.

Nick P • March 1, 2014 10:08 AM

@ vem

re blackphone

I just took a look at it. It's essentially the Geeksphone and Silent Circle people offering a private phone. The phone is a modified version of Android with hand-picked apps, including SpiderOak and Silent Circle. Call it the Android answer to Cryptophones.

My concerns are as follows:

1. Android is inherently insecure and whatever they're doing amounts to bandaids.

2. We need their source to evaluate the security.

3. The firmware of main chip, baseband or peripherals aren't open either.

4. This all matters given what's in the NSA catalog.

Like Cryptophone, it might still be a good deal because it comes from a team with capable designers (incl Kershaw and Zimmerman). The *relative* security of it compared to a carrier smartphone might be worth buying it. It's also around a fifth the price of a Cryptophone. However, it will not protect you against nation states or anything like that due to their focus on issues I mentioned.

My old conversation with Frank Rieger of Cryptophone discussing issues and potential solutions is below. It's been years and yet plenty still apply to Blackphone. People don't learn, eh?

https://www.schneier.com/blog/archives/2009/12/quantum_cryptog_1.html#c405647

Buck • March 1, 2014 10:17 AM

@Benni

I made the same connections there, but also took it one step further...

Now I'm really wondering who does their market research for them... How many cave-dwelling suicide-bombers do you think are actually playing Xbox 360 and World of Warcraft?

NobodySpecial • March 1, 2014 10:22 AM

@benni - for many years the British security services turned a blind eye to a children's home in Northern Ireland that was running a child abuse ring - because they thought it might be a useful intelligence source.
I don't think they are going to be too worried about a few kiddie pics.

And of course none of these images will leak out. After all, all intelligence agency employees are totally trustworthy - except all the ones that turned out to be KGB agents of course.

MikeA • March 1, 2014 10:57 AM

@Clive on Voter fraud.
As befits their constituencies, Democrats tend to use labor-intensive forms of voter fraud, at a local level. Republicans tend to use capital-intensive forms of voter fraud, at the state or national level. This has two effects on what is reported internationally:

1) Far fewer people are concerned that some local school board was "packed" in favor of teacher unions by an unfortunate set of traffic jams near some polling places than that judicious use of "alleged felon" lists were used to deny the vote to a certain demographic state-wide, with the result (thanks to gerrymandering and the electoral College) affecting the US Presidential election.

2) The capital-intensive attacks (rigged voting machines, sending Ohio's results out of state to be filtered before being counted, etc.) tend to be "new", and technically interesting, as opposed to methods of vote-rigging that have been used since Athens and Rome tried their experiments in democracy.

Benni • March 1, 2014 11:28 AM

@Buck:
"Now I'm really wondering who does their market research for them... How many cave-dwelling suicide-bombers do you think are actually playing Xbox 360 and World of Warcraft?"


Well, according to this slide: https://www.eff.org/document/07252014-nbc-gchq-honey-trap-cyber-attack-2 these sorts of operations, e.g. sextraps, blackmailing etc. were a huge success. they were so successful that they are now 5% of all the GCHQ operations.

Certainly they are not only blackmailing talibans.

They are going after employees of corporations. A software engineer blackmailed that way can be easily made to insert a backdoor into a software. Or he can give them some secrets of the research and development department of the company. or so...

But regarding world of warcraft or xbox360, i really think that the people who came up with that idea, the people who approved that, and the people who work on this projects should undergo a psychiatric examination of their mental health.

Polly-o margarine to lube your chemical light sticks • March 1, 2014 11:43 AM

Yeah, to-skep, I'm convinced skeptical is a fiendishly clever Chinese persona meant to caricature US government Juche and discredit it.

US officials are not scared of universal-jurisdiction law, no, never, no, they're scared of... protest! That could turn violent!! Nixon and Rockefeller had protesters jumping on their windshield but lil fella Bush, even with his militarized Secret Service protection, is just too much of a sniveling coward to face Swiss grannies with - gasp - shoes!!! Plausible, but false. Deviously, skeptical omits any mention of Dominique Baettig to push his line that only NGOs believe in law.

Then lots of maundering about legally undefined US jargon like terrorism, the historical snicker uniqueness of Blee and Bowman's 9/11 own-goal (nice work infiltrating those hijackers, guys!) Article V, from the charter of NATO, America's fake UN (always dishonestly ignoring the legal force of UN Charter Article 53)

This is the Clapper/Alexander ethos, just lie and lie and lie some more. Watch what happens when they try to lie when US compliance with the ICCPR is reviewed in the Palais des Nations this month. Article 17. Article 6. Article 7. Panty-sniffing, murder, torture, all NSA's best rackets, busted. Global disgrace.

SteveMarch 1, 2014 1:09 PM

@Benni

    A software engineer blackmailed that way...

Wait a second there... Given how poorly employees are treated nowadays, vacation days you are not allowed to take, mandatory overtime, 60/80/100 hour work weeks, with corresponding starvation and sleep deprivation, employment contracts that read like you're being sold into slavery...

Seems like most employees would gladly sell out their employers just for a chance to even the score. You don't need blackmail, just a way to handle crowds.

Clive RobinsonMarch 1, 2014 1:58 PM

@ MikeA,

Thanks for that, it does fit with the way things are reported.

I must admit to this day I still don't understand the "why of the electoral college" but then I'm not keen on some of the distinctly odd voting systems some people ask for in the UK either (especially when they can easily be shown as a "shoo in" for a party's "old guard" in preference to those the voters actually want).

That said I'm not keen on "monkey in a suit" "representational democracy" either as I don't actually believe it's democratic at all (some Swiss Cantons are actually way way closer to democracy, and I see no reason why technology should not be investigated to make things scale, after all the only losers would be our "monkey in a suit representatives" ;)

NameNotDisplayedMarch 1, 2014 3:24 PM

With all the NSA / GCHQ revelations about the intentional weakening of crypto standards has anyone any ideas on the KASUMI cipher that was chosen as the replacement of the A5/1 and A5/2 ciphers used by the GSM standard?

KASUMI was based on the MISTY1 block cipher but with modifications that have, according to the research referenced on its Wikipedia entry, made it much more amenable to cryptanalysis.

The changes were apparently in order to simplify the implementation in hardware, so the question is: are the weaknesses in the modified version the result of incompetence or foul play?

In any event the problem is moot for protecting a user against the nation state they are in, as the encryption is only to the base station and not end to end.

For someone like the NSA however it would have been very desirable to ensure a weak cipher is used as it would facilitate much easier eavesdropping in foreign countries than by having to gain access to the physical network or the base stations.

The academic attacks appear to have requirements that make them impracticable for real world use. What is the likelihood that these have been improved upon by the NSA or GCHQ to allow them to mount actual attacks?

Polly wanna stay homeMarch 1, 2014 4:16 PM

Thanks Clive, I did not know Francis Boyle was involved there. He's a force of nature, despite US government efforts to stuff him down the memory hole. Boyle's the guy who caught the US government using illegal biological weapons in its secure custody for its 2001 anthrax attack against the domestic civilian population.

There's a lot of these guys, and they're not going away. Spanish examining magistrate Baltasar Garzón, purged to stop his investigation of US government torture and now representing Wikileaks. William Pepper, preparing a comprehensive bill of indictment to shop around to different jurisdictions. Luis Moreno-Ocampo, grinning at how the ICC he built now gets Security Council referrals to prosecute states that are scared to accede, (scared, like the USofA.)

International criminal law is like one of those sticky paper rat traps. The US war apparat gets a foot stuck in Afghanistan, pushes off, gets another foot stuck in Pakistan, and after a while it's squirming around hopelessly stuck, with multiple key members of the civilian-military command structure wrapped up and ready for extradition.

SkepticalMarch 1, 2014 4:19 PM

@ToSkeptical:

    I'll move to this new squid thread since the other's comments have dried off. This is a response to Skeptical saying manipulation, planting false material, etc, isn't used on "inappropriate targets".

No, I said that the story and slides published at The Intercept about GCHQ did not show any unethical activity by GCHQ.

I did not say that British police forces have never committed an act of abuse.

So, as examples of Major News, Minor News, and Not News in this vein:

Major News: GCHQ planting material on a British politician's Facebook page to discredit him.

Minor News (perhaps should not even be reported): GCHQ planting rumors etc. to divide terrorist group.

Not News: A group of slides discussing how social groups in general may be divided, or key figures might be embarrassed, etc. That's about as scandalous and surprising as an Army Field Manual discussing how groups of people can be ambushed.

The Intercept reported the Not News, but tried to juice the story with nods and hints to Major News, evidence for which was completely lacking. In other words, textbook sensationalist reporting.

name.withheld.for.obvious.reasonsMarch 1, 2014 4:19 PM

Et al,

May I proffer a hypothesis, not a theory, concerning the nature of the "spam" posts to this blog...


  1. As you're aware, the site uses SSL/TLS and provides session-based end-to-end encryption.
  2. The certificate key for schneier.com is 2 Kbit in size; this is probably not easily defeated.
  3. Members and ad-hoc participants could be considered targets under fascistic rules of the road via the U.S. security apparatus.
  4. Seeding blog posts could provide a method to unravel the secure nature of the site (both browsing and posting).
  5. The nature of these posts is quite interesting, the content in general can be characterized as "interesting"
  6. It is possible that their inability to subvert the site's ISP or other transit points requires this approach.

name.withheld.for.obvious.reasonsMarch 1, 2014 5:25 PM

From the FAS security blog, an article that exposes the development of more accurate nuclear munitions.

Here is my response...

I just don't see the value in a laser guided grenade. These are not precision weapons--it's an oxymoron. A precise weapon would take out the fools that promulgate ignorant and arrogant policy that affects geo-political stability. Instead of providing cover to these idiots, there should be a response from the intelligentsia that is more than just "Oh, that's just wrong!" Failure to address the idiocy that is emblematic of U.S. hegemonic group-think, persons that know better should step up and be heard (not herd).

Nick PMarch 1, 2014 5:31 PM

@ MikeA

Interesting hypothesis. I wonder if there's a reliable site with plenty of voting fraud examples from both parties. Could test your hypothesis on it.

To SkepticalMarch 1, 2014 5:34 PM

I see. So the actual abuse has to be done by the right set of people to get you to see the train speeding towards you.

You do realize of course that GCHQ is the "brains", and the police is the "brawn", right? I wouldn't really expect the GCHQ itself to actually perform the physical stuff they espouse...

"brains" is very relativeMarch 1, 2014 6:58 PM

Now we learn GCHQ is studying how to subvert freedom of association in contempt of ICCPR Article 22?!... So what else is new? Yawn, yawn. They learned it from FBI goons molesting the Occupy kids, and in the creepy autistic way that NSA pioneered, GCHQ are trying to turn it into an algorithm for government drones with defective interpersonal skills.

Problem comes when the homeland Stasi goes looking for actual smart kids. The smart kids take them apart.

http://www.activistpost.com/2013/07/students-destroy-nsa-recruiters-over.html

Nowadays being an NSA creep is about as glamorous as Calley raping VC Boom Booms in Nam,

http://www.bagnewsnotes.com/2013/10/my-lai-sexual-assault-and-the-black-blouse-girl-forty-five-years-later-one-of-america%E2%80%99s-most-iconic-photos-hides-truth-in-plain-sight/

But that was a long time ago. Now NSA creeps will just wank to your daughter's webcam caps.

SkepticalMarch 1, 2014 8:05 PM

@ToSkeptical: Let me put it this way.

Suppose we discover that two police officers in Manchester are found to have ambushed and killed someone.

We also discover that the Army has documents pertaining to various types of ambushes (we learn this by going to the Army's website and looking at their published documents).

Does that mean there is any connection between the two? Of course not. Does it mean that the Army is training police to conduct ambushes on political dissidents and such? Of course not.

There is, afaik, zero evidence of GCHQ, or the NSA, interfering in politics, gathering and using information to blackmail or embarrass politicians, etc.

That doesn't mean that everything they're doing is just fine. It doesn't mean that there aren't real concerns. It just means that, in my view, The Intercept injected more hype than information into our discussion with that article.

And the last thing this discussion needs is more hype! :)

Nick PMarch 1, 2014 9:12 PM

@ Goeballs

I'm not sure about this guy. What he's saying is actually a plausible scenario. It's just that he comes off to me as someone doing this out of ego. Your link is the only thing I've read on him to be fair. With his style and some things he says I wouldn't trust him unless I had more than his word.

Snowden brought the documents and the other leakers made quite believable claims consistent with other leaks. This other leaker needs to be corroborated more before we can use him as an example. I'm sure at least some of what he says is going on because it's in the nature of politicians in control of that system to do such things. They've been caught doing *plenty* outside the NSA. Yet, we can't use things in the debate that are inherently controversial as it will only weaken our position.

Got any corroboration for this guy? Specifics are great if possible.

Goeballs has noeballs atallMarch 1, 2014 10:27 PM

Snowden brought the documents at the expense of his livelihood and his human right to leave and return to his country. Manning was tortured and condemned in a CIA-scripted show trial. John Kiriakou lost his freedom with no documents at all, merely by complying with the Convention Against Torture. The government tried to ruin Bill Binney for going through channels.

The average armchair activist is in no position to demand more of Tice. This is a criminal state that he's trying to expose. Ever had collateral access? Ever blown the whistle? If not, you have no idea what's at stake. The guy is taking an enormous risk. If Congress wants to check his bona fides they can have him testify.

It's not civil society that has a problem with credibility, it's our pathologically mendacious shit plenum of a government. So maybe you should wait to set up hoops for him to jump through till the government rebuts his charges.

BuckMarch 1, 2014 11:11 PM

I guess I must've missed this little gem of a joke, both one & two days ago:

NSA head floats idea: What if we only gathered terrorist communications?
"Can we come up with a capability that just gets those that are predicated on a terrorist communication?"
http://arstechnica.com/tech-policy/2014/02/nsa-head-floats-idea-what-if-we-only-gathered-terrorist-communications/
Original source: http://www.armed-services.senate.gov/hearings/us-strategic-command-and-us-cyber-command_02/27/2014 (U.S. Strategic Command and U.S. Cyber Command -- 02/27/2014)
Oh, how quaint ol' Keithy! Take that in combination with this genius suggestion from the Clap (about 10 days prior):
Clapper: We should have disclosed NSA bulk data collection in 2001
"I probably shouldn’t say this, but I will. Had we been transparent about this from the outset right after 9/11 ..."
http://arstechnica.com/tech-policy/2014/02/clapper-we-should-have-disclosed-nsa-bulk-data-collection-in-2001/
Original source: http://www.thedailybeast.com/articles/2014/02/17/spy-chief-we-should-ve-told-you-we-track-your-calls.html (Spy Chief: We Should've Told You We Track Your Calls)
Hell, they could have had a real chance of succeeding! ... Had that option actually been executed... say, maybe 2 or 3 decades ago?

Can they really now expect us to believe them to be honest & transparent regarding their requirements for people to be added to the list of so-called 'terrorists'!? ;.-P.. (LOLing whilst hiding my tears.. )

Clive RobinsonMarch 2, 2014 3:32 AM

@ Name.Witheld...,

    I just don't see the value in a laser guided grenade. These are not precision weapons--it's an oxymoron...

Whilst I agree with your sentiments the B61 is neither laser guided nor a grenade.

In fact I'm not quite sure what its purpose really is --other than a boy's toy-- because the INS is not very precise and the removal of the parachute means the "in air" time is substantially reduced meaning either the delivery aircraft has to "lob from a greater height/distance" or use a lower yield to ensure the same airframe/pilot survivability.

I know the much talked about "bunker buster" and FAX thermobaric "cave bombs" using smart laser guided systems are not quite the "stellar success" they have been talked-up as for various reasons, including low on target rates in certain battlefield conditions and their increasing ineffectiveness against newer upgraded hard targets.

So I'm guessing they are going for increased energy and temperature and guidance to get around these issues, and the assumption that if the combat has switched from standard kinetic weapons to nuclear then GPS and laser are not going to work on the nuclear battlefield...

But not only is nuclear a bit old fashioned like chemical and biological weapons, the side effects are likely to far outweigh the benefits in both the short and long term, thus they are unlikely to get "go permission" and thus are an empty threat.

After all look at the current Ukraine issue with Russian forces invading the Crimea, whilst an invasion of Ukraine's sovereign territory has not yet "officially" happened it has already occurred unofficially (if news footage is to be believed). Putin knows full well that the West don't have the forces to commit to defending the Ukraine from Russian incursion even if they wanted to, and that no continental European nation would allow the nuclear option to be used no matter how limited in scope...

So the upgrade of the B61 does appear to be fairly pointless.

yesmeMarch 2, 2014 3:53 AM

@Clive Robinson,

Talking about a suitably extendable primitive, I think nothing beats 9P/Fuse VFS. Look at the Wikipedia article. In Plan-9 and in microkernel OSes they use VFS for drivers too.

A VFS is just a representation of data with the use of synthetic files. And it is fast.

But the main benefit is that you can use the standard (command line) tools. Let's say you have a chatfs. The only thing you see in this VFS is one r/w file. And when you write to it it only appends. Under the hood it could be a database system, JSON file or a plain text file. It doesn't matter. You only see a synthetic file.

So probably all the client apps would work with this without any modification.

What would change is probably the browser network implementation, firewall (VFS protocol based instead of network ports), and configuration files / kernel code.

The second major benefit, if you can only use the mount command to connect with other computers, is that it is simple. Look at this Wikipedia page about network sockets and the amount of code involved with all these little insane options.

What I would like to see is that internet or any network always has a basic layer that is secure. I think that VFS, combined with standard PFS (I like these 3 letter abbrs) could be an answer for that.

Clive RobinsonMarch 2, 2014 5:00 AM

@ Skeptical

    There is, afaik, zero evidence of GCHQ, or the NSA, interfering in politics gathering and using information to blackmail or embarrass politicians, etc

I can see you are not up on 20th Century UK history which if you are an American is not that surprising. I would suggest you look up what the security services were up to in the 1950's through 80's.

It is well known that various "Conservative" leaders were given reports on surveillance of Labour Party members, union members and anti nuclear and peace organisations. And there appears to be evidence some of it came from the US where the UK Labour party was regarded as a front for the KGB. The surveillance was so obvious that Labour leader and PM Harold Wilson actively sought out ways of dealing with the security services. However the security services bought their way back into favour over "Pirate Radio" --which Harold regarded as a US front that lost him an election-- and a "rent boy" scandal involving the leader of another political party, where --later home office minister-- Jack Straw acted as "go between" between Harold and other government organisations to collect the details.

When Maggie Thatcher was in power she in effect brewed up civil war by going to war on the Unions. This included full surveillance not only on the Unions --including illegal wire taps and the Met's Special Branch-- but any politicians associated with them. It also included a number of actions to falsify evidence against the Union leaders to make it look like they were corrupt. It came to light because an "Arthur Scargill look alike" pretending to be him panicked and ran out of a bank, and it was clear from news footage Mr Scargill was a very great distance away at the time. Suffice it to say "the police failed in their enquiries".

I won't bother posting links, there are way way too many, just google:

"Harold Wilson" surveillance
"Arthur Scargill" surveillance
"Margaret Thatcher" surveillance

As for,

    Does that mean there is any connection between the two? Of course not Does it mean that the Army is training police to conduct ambushes on political dissidents and such? Of course not

You really should get out a bit more, I might laugh if it were not so sickly sad.

Whilst it was not the Manchester police (AFAIK) it was certainly very true for the Royal Ulster Constabulary (RUC) who were trained not just by the Army but Security Services and there is evidence aplenty to show that they along with special military groups were actively involved in murdering Irish Catholics who were suspected of being terrorists as late as a short while before the successful peace talks. Not that UK forces murdering Irish Catholics is anything new; go back in history to Oliver Cromwell (wiped out up to half the population) and William of Orange and walk forwards in time.

Even today specialist military units and the security services train the Met Police in all sorts of covert operations and some Met Officers have "died in action" or "gone rogue" and have set people in peaceful protest groups up, given commercial organisations protestors' names, addresses, bank details, employment details, photographs etc so that they could be targeted both legally and illegally.

As I said you really ought to get out more or at least learn to use a search engine.

To SkepticalMarch 2, 2014 5:33 AM

Sure. One instance can be explained away, and the document as a coincidence.

In the UK though, every single abuse is dismissed as "wasn't policy, just some overeager agent", and that only after it had been denied till it wasn't halfway tenable. This is proof that at least this part of the security services has this policy.

Now, it's true it does not conclusively prove that other parts of the security forces also have such policy. But, you know, from this document plus the bits I linked to, and passing acquaintance with addition of 2 + 2, this goes beyond reasonable doubt in my mind, especially when you consider historical behavior.

Clive RobinsonMarch 2, 2014 5:46 AM

@ yesme,

Not meaning to be nasty but VFS like NFS et al and quite a few other things are well well beyond their "best before date".

What you, I and many others would consider a computer is likewise well beyond its "best before date".

The reason is Moore's law is not a law but an observation from nearly half a century ago.

Whilst filesystems were OK back in the 80's Oracle realised they "hurt performance" so they went to the raw device drivers from the application bypassing the OS.

Today the OS is "in the way" of networking not just on servers that need 10 Million Concurrent Connections but also on multimedia devices, the apps talk direct to the hardware.

But even the hardware as we know it with monumental CISC processors is gone, we now have multiple CPU cores, multiple GPUs and DSP cores on the motherboards.

The "Central" processor is in the way, it just does not scale; what we are moving to is the "Central Switch Unit" with multiple cores hanging off of it.

But even the CSU is divided, one handles "control" the others "switch data".

Nearly all the OS designs and the apps designed for them are holding us back, but not as much as the majority of people that write them.

The future of computing is a myriad of nodes in a parallel or higher dimension form each with its own computing cores and various levels of cache and memory.

The day of the "one size fits all" computer or OS or even protocol is over even at well below "layer 0" networking.

Likewise "sequential or serial programming" is over, the future is parallel not just in algorithms and threads but in processes and applets.

That's the future you should be looking at not the lessons of the 1960's reheated or restored.

I put up some links for DavidTC about the issues with compilers but the reasoning is the same,

https://www.schneier.com/blog/archives/2014/02/was_the_ios_ssl.html#c4801897

StonecutterMarch 2, 2014 8:08 AM

@Clive

[1] One of the most obvious internationalisation problems being the XX.YY.ZZ and XX.YY.ZZZZ format date codes [2]. Some places it's MM.DD.YYYY others it's DD.MM.YYYY which means 12.01.2013 could be 12th of Jan or 1st of Dec. And please don't say as some have in the past that "the separator" defines the meaning because humans just don't work that way...

Why, there's an ISO 8601 for that.

Nick PMarch 2, 2014 10:47 AM

@ Clive

And yet the mainframes largely haven't had this problem. That's one reason I've been looking into them. The mainframe solution to massive throughput is called Channel I/O. It's basically a dedicated IO processor that does DMA and runs parts of IO protocols. The processor hands off a job and only gets interrupted when IO is finished. That lets the processor do computation close to 100% of its time.

So, the question is can we use Channel I/O to solve these desktop or server throughput problems? It would need to be ported to such an architecture and the OS modified to support it. I'm not sure if that will be easy or hard. Yet, the simplicity and capabilities of the Channel I/O model are quite desirable. We can also beef up its security during the porting effort.

yesmeMarch 2, 2014 10:54 AM

@Clive Robinson,

Sorry, I don't buy it. It's too much science fiction. Although I believe that everything will scale, I believe that we will always have "devices". I also think that these devices could have ten brands of OS and if we can't solve the problem of connecting these simply and safely, there is no use of scalability whatsoever.

YeahSureMarch 2, 2014 11:13 AM

@clive robinson "The problem with "everyone being rich" is that by definition "everybody is also poor"..."

Was that a facile joke, or do you really believe that? If everybody had enough to well meet their needs, in what sense would they be poor? Would everybody having enough to consider themselves "rich" really be a problem for you?

You have to realize that that is your definition of poverty, not what one finds in a dictionary: "lacking sufficient money to live at a standard considered comfortable or normal in a society."

It is a sad way of looking at wealth, that we must create the poor in order to feel successful ourselves. Psychologically distorted and based on an inability to enjoy things for what they are rather than as some symbol to shore us up against an inner emptiness.

It is a symptom of an all too common borderline or narcissistic disorder that eats up the world and its people in an effort to fill a bottomless hole in the soul that will never be filled. A disease that unfortunately is promoted at every turn by media and the unfortunate rapacious variety of capitalism that would die if the world were at a steady state. As opposed to the salubrious capitalism that simply rewards people for innovation, effort and working together to build on each person's specialized abilities.

I assume and hope that that is a meme that found expression through you rather than your existential condition. There are many more interesting things to do in life than lord oneself over others.

Nick PMarch 2, 2014 11:59 AM

@ Clive, name.withheld

Digging through old systems I found another gem: GEC 4000 series. The Wikipedia article's "Nucleus" section is the interesting part.

https://en.wikipedia.org/wiki/GEC_4000_series

They had enough useful functionality in the hardware and firmware that OS's were naturally decomposed. The firmware also couldn't be changed by software. So, from a POLA and root of trust standpoint, this system had way better security than most modern offerings. Score one for the Brits. ;)

Seeing further in the article there's mention of "compact," "desktop," etc. They made these things small enough that I don't need a spare room, A/C, and power plant? Had me looking on eBay and vintage computing sites to see if I could get a hold of one. Nope. These things practically disappeared.

NameNotDisplayedMarch 2, 2014 12:10 PM

@ YeahSure

I think that to some extent wealth is relative and so Clive is in a sense right that if everyone is rich then everyone is "poor" too.

Over the last couple of centuries we have seen a huge increase in the efficiency of production and technical innovation that has undoubtedly raised the standard of living for the average person. However this economic growth is rather heterogeneous in its effect in that the cost of some goods decreases tremendously while others, particularly services, do not.

For example, it still takes one teacher to teach the same number of students as it did one hundred years ago so in that respect there is no increase in the affordability of such services - see how expensive university education is today. The same is true for barbers, bricklayers, restaurant staff, doctors, etc. They can output no more per person than they did thirty years ago.

This is not true for many areas of manufacturing, eg car production which is now done largely by robot and so the number of embedded man hours in each car is a lot lower than thirty years ago and the labour saved can be used elsewhere in the economy to produce other goods and services.

Thus economic growth can make some goods more affordable but not others. For these latter goods the affordability is defined by the buying power of the purchaser relative to the producer. Thus if you reduce inequality the purchasing power of the rich will decrease and they will become "poor".

The corollary of this is that there are some goods which economic growth cannot make more affordable and thus the supposed trade off of supply side "Reaganomics" and "Thatcherism" whereby inequalities don't matter because we will get more economic growth (not that we have) is a false dichotomy.

savings.produce.progressMarch 2, 2014 1:09 PM

@NameNotDisplayed "However this economic growth is rather heterogeneous in its effect in that the cost of some goods decreases tremendously while others, particularly services, do not."

One reason for this heterogeneous effect is that some items are selected to be in the basket of things used to compute the consumer price index and others are not.

The Fed then targets the price of these selected consumer items in pursuit of its stated policy of price stability.

If through technological innovation it becomes cheaper to produce consumer goods, then the Fed simply prints more money to keep the price from falling. In this way it steals away the benefit of economic progress, taking wealth that might otherwise be saved.

The essential metric of economic progress is capital per capita, the sum total of productive wealth available for producing goods. Savings enable the investment in factories and machines that reduce the cost of goods. In a way, machines provide more leverage for human labor, so the more you have the more productive a person can be, and hence more wealthy in general.

The Fed policy of inflation to maintain price stability of certain items undermines the accumulation of savings, and thus the accumulation of capital that is needed for general economic progress.

A commodity money standard like gold or silver would enable economic progress by taking away the Fed's ability to steal wealth through inflation.

SkepticalMarch 2, 2014 4:36 PM

@Clive:

    I can see you are not up on 20th Century UK history which if you are an American is not that surprising. I would suggest you look up what the security services were up to in the 1950's through 80's.

Clive, and of course eventually at the end of your comment you get back to Cromwell.

But the subject was whether The Intercept article disclosing GCHQ's speculations on how to infiltrate and divide online social groups contained any evidence that GCHQ intends to use such tactics on political groups inside the UK.

The documents discussed in The Intercept article constitute zero evidence of such use, regardless of whether 30 or 40 years ago MI5 wiretapped members of certain organizations.

    The surveillance was so obvious that Labour leader and PM Harold Wilson actively sought out ways of dealing with the security services.

Remarkably there's actually a Wikipedia page on Harold Wilson conspiracy theories. They're hardly evidence that GCHQ is today actively manipulating and discrediting peaceful political groups.

    Whilst it was not the Manchester police (AFAIK) it was certainly very true for the Royal Ulster Constabulary (RUC) who were trained not just by the Army but Security Services ...

Clive, that's irrelevant. I created a hypothetical to illustrate the point regarding evidence. Let me put it succinctly:

A document that discusses the use of a particular tactic or set of tactics does not establish whether those tactics are being used inappropriately.

A military document discussing the use of an L-shaped ambush, for example, would not tell us that the military is using this tactic upon civilians.

We can agree on that much, no? That is the entirety of the discussion. No need to wade into the UK's long fight against the IRA, much less Oliver Cromwell!

    As I said you really ought to get out more or at least learn to use a search engine.

Bit advanced for me I'm afraid. I'm still puzzled by how the monitor illuminates itself without the use of any flame.

Clive RobinsonMarch 2, 2014 5:04 PM

@ Stonecutter,

Did you read my last line --prior to notes--,

    ... because humans just don't work that way...

Just to make it clear, obligatory XKCD,

https://xkcd.com/1179/

But ISO has a history of standardS --note the plural-- on time and ISO TC 154/WG05 remains in existence. It started with ISO2014 which obviously was not good enough so after five more iterations we are at ISO8601.

But it won't be the last, I'm sure ;-)

Partly because it's actually neither computer nor human friendly for a number of reasons, not least of which is the issues to do with initial epochs and the kludges involved, etc etc.

Firstly it has two different formats (basic and extended) which have the disadvantage of not uniquly passing without prior agreement (read handshake) between sender and receiver which is a major problem unless the standard using 8601 puts it in a standard contract.

It also has peculiarities in that you can remove fields from lowest to highest, and you can if you so wish decimalise the last field you use to make up for the otherwise lost prescion in the removed fields.

Howwever one of the fields can be a week number but, not all weeks are the same length and week 01 is defined in effect as the week containing 4th of Jan. Thus the first to third of Jan could be in week 53 of the previous year and as a leap year has 52weeks and 2days it's possible to in effect have two week 53's in the year, thus the rules for resolving this in effect break other rules. Which is a good recipie for bugs. Then there is the issue of leap seconds (minutes of 61 or more seconds) which can happen twice a year currently and will increase in frequency with time...

Secondly it uses a "calander system" that likewise has issues (effectivly a reduced Gregorian calender) which does not map into other common calendering systems easily not least is the fact that the 8601 calander has an initial epoch which differs from the underlying (Gregorian) calender it uses. Which is one reason why some people and a lot of computers use Julien seconds and days with normalising epochs to keep dates within integer ranges.

Thirdly thankfully it does not involve "fixed feasts" and "movable feasts" because there are again real nasty issues there due not only to the use of luna calanders but "twiddle factors" that change with various epochs.

Finaly "Don't talk about" converting to GMT (depreciated) or other time systems (of which there are many) such as local siderial time or relatvistic orbital times (which effects GPS and telecomunications including mobile phones, oh and property boundries) as the conversions can involve what are nightmare almost one way functions using sums of sine waves which change with time...

I could go one but these two links will help people who have to get to grips with 8601 and calanders,

http://www.cl.cam.ac.uk/~mgk25/iso-time.html

http://charon.nmsu.edu/~lhuber/leaphist.html
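
The ISO week-date edge cases the comment above refers to (week 01 being the week containing 4 January, 1 to 3 January landing in week 53 of the previous ISO year, some ISO years having 53 weeks, and the basic versus extended forms) are easy to get wrong in hand-rolled date parsers. The following is an added example, not code from the thread or from any of the linked pages; it assumes the proleptic Gregorian calendar that Python's datetime module uses, and it rejects the mixed form (a hyphen in one place but not the other) that neither format allows.

```python
import re
from datetime import date, timedelta

# Added example, not code from the comment thread. Assumes the proleptic
# Gregorian calendar used by Python's datetime module.

_EXTENDED = re.compile(r"^(\d{4})-W(\d{2})(?:-([1-7]))?$")  # e.g. 2020-W53-7
_BASIC = re.compile(r"^(\d{4})W(\d{2})([1-7])?$")            # e.g. 2020W537


def weeks_in_iso_year(iso_year):
    """52 or 53: 28 December always lies in the last ISO week of its year."""
    return date(iso_year, 12, 28).isocalendar()[1]


def week1_monday(iso_year):
    """Monday of ISO week 01, defined as the week containing 4 January."""
    jan4 = date(iso_year, 1, 4)
    return jan4 - timedelta(days=jan4.weekday())


def from_iso_week_date(iso_year, week, weekday=1):
    """Calendar date for an ISO week date; rejects week numbers the ISO year
    does not have (for example 2021-W53)."""
    if not 1 <= week <= weeks_in_iso_year(iso_year):
        raise ValueError("ISO year %d has no week %02d" % (iso_year, week))
    if not 1 <= weekday <= 7:
        raise ValueError("weekday must be 1 (Monday) to 7 (Sunday)")
    return week1_monday(iso_year) + timedelta(weeks=week - 1, days=weekday - 1)


def to_iso_week_date(d):
    """(iso_year, week, weekday) for a date or a 'YYYY-MM-DD' string.
    Note that iso_year can differ from the calendar year."""
    if isinstance(d, str):
        d = date.fromisoformat(d)
    iso = d.isocalendar()
    return (iso[0], iso[1], iso[2])


def parse_iso_week_date(text):
    """Accept the basic or the extended form, never a mixture of the two.
    Which form a peer sends still has to be agreed out of band."""
    for pattern in (_EXTENDED, _BASIC):
        m = pattern.match(text)
        if m:
            iso_year, week = int(m.group(1)), int(m.group(2))
            weekday = int(m.group(3)) if m.group(3) else 1
            return from_iso_week_date(iso_year, week, weekday)
    raise ValueError("not an ISO 8601 week date: %r" % text)


def is_valid_iso_week_date(text):
    try:
        parse_iso_week_date(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for s in ("2020-W53-7", "2021-W01-1", "2021W537", "2020-W537"):
        print(s, "->", parse_iso_week_date(s) if is_valid_iso_week_date(s) else "rejected")
    for d in ("2019-12-30", "2021-01-01", "2021-01-03"):
        print(d, "is ISO %04d-W%02d-%d" % to_iso_week_date(d))
```

Running it shows 2021-01-01 reported as 2020-W53-5 and 2019-12-30 as 2020-W01-1, which is exactly the kind of year boundary that trips up code that assumes the ISO year equals the calendar year.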

Clive RobinsonMarch 2, 2014 6:53 PM

@ YeahSure,

    Was that a facile joke, or do you really believe that? If everybody had enough to well meet their needs, in what sense would they be poor?

No it was not a joke but a statement about logic and unstated assumptions.

First of all the terms "rich" and "poor" have no meaning without a comparison point. Thus if I set the comparison point at -1 x Gross World Product expressed in some monetary unit then everybody will be above the comparison point and thus rich. If however I set it at the Gross World Product everybody is poor.

However you like so many others equate a totally different concept of poverty to poor and thus cause considerable muddle in your thinking. Poverty although sometimes incorrectly expressed in monetary terms is nothing whatsoever to do with money or fiscal value both of which relate through "man power" to energy which is not a fixed value tangible object. Poverty is to do with the lack of access to tangible resources required to sustain life.

So you could have all the money in the world but if you cannot for some reason buy water or food etc with it then by definition you are in poverty. Likewise you may have all the debt in the world but if you have a continuous supply of water and grow your own crops, raise your own animals and have the other requirements to sustain life to its normal limits you are not in poverty.

Why is this distinction between monetary "fiscal wealth" and "real wealth" important?

Well money is completely non-tangible, it's just an entry in a ledger and any value can be written there at any time; if you look at the way banks work they create credit by creating debt on which they charge interest, that is they get something for nothing or magic money into existence against a set of rules (the banks however would argue they provide a service, "liquidity", for which they are entitled to remuneration). The flip side of this service is what you might call "the banking industry's value added product": inflation, which all means the money supply is infinite even when it loses credibility and there are runs on banks and hyperinflation.

Real wealth is tangible physical objects and their availability is very strictly finite currently, that is there is only so much gold in the world or any other element.

Now as the population is increasing and physical resources are finite we are all actually getting less resource wealthy as individuals (as Mark Twain once observed about investing in land it's good "because they don't make it any more").

However there is another measure to consider and that is "utility": a tonne of iron ore does not have a great deal of utility other than as a dead weight. However add lime and carbon and supply it with energy and you end up with iron which has much more utility; add various other elements into the mix and you get various steels that have even more utility. The various gasses given off end up being utilised by plants that use them with water to build organic chemicals with the energy from the sun that gets trapped in the atomic bonds, which at some later point become energy supplies as organic or fossil fuels.

Thus it can be seen that our lives are dependent on the input of energy changing the resources we have available to us, thus utility is the result of applying energy (work) to resources. Thus increasing utility makes the resources more valuable to us and thus increases real wealth.

Provided we keep the energy and resource cycles controlled and in balance we can increase utility, and it's that which grows our economy and standards of living, not the medium of work and resource exchange, money.

However there is a problem which is we do destroy some of our resources or put them outside of our ability to control them. You can see this with nuclear reactors and party balloons, both of which are not cycles but drains.

I hope this comment and those of others is sufficient to indicate I'm not narcissistic, or for that matter lording it over people, nor do I have any wish to do so.


Clive RobinsonMarch 2, 2014 8:05 PM

@ Skeptical,

You said,

    There is, afaik, zero evidence of GCHQ, or the NSA, interfering in politics gathering and using information to blackmail or embarrass politicians, etc

I've shown that there is plenty of evidence of exactly that, But, because I've shown you are wrong you are now trying to "shift the goal posts" by in effect saying "that was yesterday I'm talking about today" which is a stupid thing to do. Anyone with any common sense knows it takes time for evidence to appear especially when those with an interest in it never appearing have significant power to prevent it.

Many people who comment on this blog have remarked on the abuses that the various security services have committed in the past and also have sufficient technical and direct knowledge to know how it was done. However also knowing what happens to whistle blowers (one or two have been found 'suicided') we did not take documents and other evidence that would enable the authorities to imprison us for 57 or more years (a fate that potentially awaits Ed Snowden).

You however have all the hallmarks of a naysayer who despite standing in a scorching hot room filling with smoke, sheets of fire roaring up past the window, fire alarms going off and people screaming "fire" chooses to believe it can not be true because you don't have "absolute proof" and thus would rather believe it to be a hoax.

That is you appear to believe not in what a reasonable person would consider prudent evidence but demand unreasonably for something that does not exist (and can be shown not to exist), "absolute proof"; even the law only asks for "beyond reasonable doubt" as the burden of evidence in capital cases.

As for your "hypothetical argument" I've shown that it's very far from being "hypothetical", such training does go on.

Further you have changed your position on your original argument, again to avoid the fact that you are wrong.

Your argument fails even as a hypothetical one.

Part of your argument was published information freely available from a web site. So your two police officers could have read it and used it as training information. Thus the argument could be made that the army were responsible for that part of the police officers' training in exactly the same way that the bulk of formal training even in training courses is from published information.

You specifically said,

    Does that mean there is any connection between the two? Of course not

As I've noted above you would have to show beyond reasonable doubt that the officers did not have access directly or indirectly to the specific ambush document or any other work derived from it to make that claim.

To follow the logic through a bit, unless the police officers existed in a 100% controlled environment you could not rule it out. The fact they committed a murder strongly suggests they were not in such an environment.

Thus a comparison would be made between the tactics used for the murder and those described in the freely available document. If sufficiently detailed and the actions and description were sufficiently close then it could be reasonably said they had access to the document or one derived from it or from one the army document was derived from. To rule out the latter you would look for unique points of reference that originate in the army document.

Such is the way such things tend to be done in criminal and civil cases with circumstantial evidence.

SkepticalMarch 2, 2014 9:29 PM

@Clive:

If you follow the thread of the conversation between "To Skeptical" and me, you'll see that we're discussing a particular article published at The Intercept. Those are the "goalposts."

No doubt that at various points in history, intelligence agencies have abused their powers.

But there is, as far as I know, zero evidence that the NSA or GCHQ are abusing their powers today in the manner speculated in The Intercept article. If you know of such evidence, please provide a link to a reputable source. I'll certainly appreciate the chance to correct my views.

The Intercept took documents that appear to describe psychological and informational tactics, much as you might find documents describing infantry tactics, and then hyped the story by implying that the documents described tactics being used on legitimate political groups.

You've missed the point of my analogy, so let me try an even clearer one. We stumble upon a military manual describing infantry tactics. We then write an article about this manual, and imply that these tactics may be used upon civilian targets.

Hopefully we can agree that such a story would be stretching a bit beyond the reach of the facts it reports.

That, again, is the entirety of the context of the remarks I've made, and the substance of those remarks.

To SkepticalMarch 3, 2014 3:04 AM

er... maybe you were discussing only a particular article, but my original post was reacting to something you had said in one of your posts. I've just gone and looked it up in the previous squid thread. You did indeed reference the article in particular, but then went on to make a general statement:

"What would be big news is if GCHQ or NSA were using such tactics against political organizations in the US or Britain."

This is what caught my eye, given the string of evidence of such tactics being used. My example was one branch of the police, and you took exception at the police being a different branch of law enforcement. Clive supplied the special branch example. There is the communist voter list being retrieved from "secret" ballots.

Now, if your point is merely that "we have no hard evidence this particular document was used by the police, they might have been developing such techniques independently", then fine. But then don't generalize your point to something so obviously against multiple evidence :)

sshdoorMarch 3, 2014 4:52 AM

@yesme

See previous discussions about new protocol proposals, by users sshdoor and
arielb1 on:
https://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html#c1710034
https://www.schneier.com/blog/archives/2014/01/ddos_attacks_us.html#c3820306

To summarize:

- limit answer packets to the length of the request packet, before the
connection is established.

- forbid requesting anything not necessary (browser font list, browser identity,
allowing one to hide under TOR).

It is a pity that, for example, the sshd server needs your password.
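
One way to implement the first of those two rules (never answer with more bytes than you received until the peer has proven it can actually receive at the claimed source address), written here as an added example that is not part of sshdoor's proposal or of either linked thread. The RETRY/COOKIE framing, the 16-byte cookie and the address-as-string form are assumptions made for the illustration; the cookie is the same stateless trick DTLS and QUIC use to stop a spoofed source turning a small request into a large reflected response.

```python
import hashlib
import hmac
import secrets

# Added example, not code from the thread. Assumes a stateless datagram
# service; the framing below is invented for illustration only.

SERVER_SECRET = secrets.token_bytes(32)   # constructed at start-up; rotate in practice
COOKIE_LEN = 16
RETRY_PREFIX = b"RETRY:"
COOKIE_PREFIX = b"COOKIE:"


def make_cookie(client_addr):
    """Stateless cookie bound to the claimed source address, so the server
    keeps no per-client state before reachability is proven."""
    mac = hmac.new(SERVER_SECRET, client_addr.encode(), hashlib.sha256).digest()
    return mac[:COOKIE_LEN]


def amplification(request, response):
    """Bytes sent per byte received; the figure a reflector attack wants large."""
    return len(response) / len(request)


def handle_datagram(client_addr, request, full_response):
    """Return the bytes to send back, or None to drop the datagram.

    Until the client echoes a valid cookie the reply is never longer than
    the request, so a forged source address gains no amplification at all.
    """
    if request.startswith(COOKIE_PREFIX):
        cookie = request[len(COOKIE_PREFIX):len(COOKIE_PREFIX) + COOKIE_LEN]
        if hmac.compare_digest(cookie, make_cookie(client_addr)):
            # Reachability proven: the full answer may now exceed the request.
            return full_response
        return None  # forged, stale or replayed-from-elsewhere cookie: drop silently
    retry = RETRY_PREFIX + make_cookie(client_addr)
    if len(retry) > len(request):
        return None  # too short to answer within budget: client must pad its first datagram
    return retry


def client_second_request(first_reply, original_request):
    """What an honest client sends after receiving the RETRY reply."""
    cookie = first_reply[len(RETRY_PREFIX):]
    return COOKIE_PREFIX + cookie + original_request


if __name__ == "__main__":
    addr = "198.51.100.7:5000"                 # constructed sample client
    big = b"x" * 1200                          # constructed sample response
    first = b"GET /bigfile".ljust(64, b"\x00")  # padded so a RETRY fits in budget
    r1 = handle_datagram(addr, first, big)
    print("pre-handshake amplification: %.2f" % amplification(first, r1))
    r2 = handle_datagram(addr, client_second_request(r1, first), big)
    print("after cookie echo: %d bytes" % len(r2))
    # The same cookie presented from another address is worthless to a spoofer.
    print("replay from other address:", handle_datagram("203.0.113.9:5000", client_second_request(r1, first), big))
```

The cost of the rule is one extra round trip for honest clients and a minimum request size; the benefit is that the worst an attacker can do with a spoofed source is reflect traffic at a ratio of at most 1:1, which is no better than sending it directly.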

TIMMarch 3, 2014 6:32 AM

Is it good or bad news that not only the normal citizen is a target of surveillance?

German firm G Data Security alleges that newly detected malware known as "Uroburos" was made by the Russian government

On one hand I think this is normal business and any agency tries to spy on others, but on the other hand it frustrates me that even they aren't able to protect themselves (completely) against malware.

Sure, I think it's much more complicated to infiltrate high-security networks of military institutions and that it's nearly impossible to get access to top level security documents with malware, but even the NSA cooks with water (correct me, if I'm wrong).

YeahSureMarch 3, 2014 6:52 AM

@ Clive Robinson

I repeat, you are using your own definition of poor. It is not in the dictionary. Poor people lack the basics of a comfortable life.

Since you responded to:

"If we want to talk about utopia, I'd also like everyone to be rich, too."

the question of feasibility is not on the table. We are talking about utopia.

The simple fact is that that definition of poor is not relative. The definition of rich may be, but not being rich does not mean one is poor.

I'm sorry, but that is logic. And the dictionary.

Clive RobinsonMarch 3, 2014 7:57 AM

@ Tim,

With regards the malware "Uroburos" I am consistently underwhelmed by the methods these --supposed-- state actors are found to be using.

For instance some years ago I started thinking about the problem of putting malware on voting machines and worked out how to do the "hopping" in various ways. Prior to that I'd thought about how to manage "zombie nets" without using a control server in an anonymous and effectively untraceable "headless" manner so simply blocking access to a DNS entry or IP address would not work nor would defenders be able to trace it back to the bot master. I posted the outline of these ideas on this blog and others. So in effect the ideas were in the public domain long prior to this --supposed-- state level malware.

Interestingly though I also worked out a way to get documents sent back from a remote or isolated host again using an anonymous headless and difficult to trace method. However even though I prototyped and tested it for obvious reasons I chose not to publish it, and to this date I have not seen any evidence that others --state level or otherwise-- are using the method or even anything close.

This disparity caused me to reflect on the why of it and several possibilities came to mind of which some were,

1, The malware authors are not that bright.
2, They are following low hanging fruit methodology.
3, Deliberately only using published methods.
4, AV companies are not seeing sophisticated state level malware.
5, Malware is "baked in" by software suppliers.

Whilst with general "Government Service" 1 is possible, with the funding and power available getting good freelance workers is not much of an issue. But we also know from some state level malware (hashes and payload encryption) that 3 has not in the past been a consideration but now might be. We know that "criminal" or non state level malware authors tend to use 2 because of the "shotgun" rather than "directed" nature of their malware. Which brings us to point 4 which is quite likely: AV companies are overloaded with supplies of "unknown" binaries etc, most of which rarely if ever get looked at; their focus is statistical in nature and their analytical abilities are founded on past experience. All of which suggests radically new method malware used only for directed attacks is going to be below the noise floor for AV companies, especially if the payload is covert and makes no noticeable changes in behaviour of a target's machine.

However since the Ed Snowden revelations ideas that have been discussed "theoretically" and largely been relegated to the "too fantastical" bin have turned up obliquely in the TAO and other paperwork when talking about "implants".

Whilst one or two of us on this blog and one or two amateur researchers have actually shown implants are possible we largely kow-towed to the "too fantastical" view point. Our failure should be an "object lesson for the future".

TIMMarch 3, 2014 8:44 AM

@YeahSure

You use the definition of a dictionary for a non-Utopia-Environment to state your point of view. That is interesting.

Maybe in Utopia no dictionary would have a definition for poor and rich, because all people are equal in this way. Maybe the old definition would be in use, so you would be right or a new definition in Clive's style, then the point would go to him. I am afraid that we will never know what's the right answer.

Clive RobinsonMarch 3, 2014 9:22 AM

@ YeahSure,


Sorry, not really; from one of many similar definitions online,

poor Adjective:


  • 1, Lacking enough money to live comfortably in a society

  • 2, (of a place) Inhabited by people without sufficient money

You can see the major association is "Money" and the minor association is "comfortably" in an unquantified manner with respect to a nebulous class identifier.

Thus my view point on rich and poor fits in very comfortably within this definition, and my assertion of where you chose to set the monetary bar is fully justified.

However a definition for poverty is widely open to debate and the consensus of those involved is that dictionary definitions are lacking at best.

So you need to look further afield; the United Nations is an organisation that is both of governments and supergovernmental in nature in that its views and those of its agencies are broadly representative of the consensus amongst world governments.

One of the more prominent UN agencies is the UN Educational Scientific and Cultural Organisation (UNESCO) and their definition of poverty is as follows,

    Frequently, poverty is defined in either relative or absolute terms. Absolute poverty measures poverty in relation to the amount of money necessary to meet basic needs such as food, clothing, and shelter. The concept of absolute poverty is not concerned with broader quality of life issues or with the overall level of inequality in society. The concept therefore fails to recognise that individuals have important social and cultural needs. This, and similar criticisms, led to the development of the concept of relative poverty. Relative poverty defines poverty in relation to the economic status of other members of the society: people are poor if they fall below prevailing standards of living in a given societal context. An important criticism of both concepts is that they are largely concerned with income and consumption.

You will see from the section I've highlighted that, although expressed in monetary measures, the actual "needs" are the same as I gave but chose not to use any arbitrary measure for, and I further pointed out why a monetary measure was in fact irrelevant.

As for your odd reasoning on "utopia" and "poor" not being "relative" but "rich" maybe, this precludes any measure thus rich and poor cannot be differentiated, which means your reasoning lacks validity.

Bob S.March 3, 2014 9:54 AM

Does NSA and GCHQ do political operations?

Of course they do. Listening to Merkel's phone is just one example. (They quit listening to hers, and doubled down listening on her closest contacts, btw.)

Some of the posts here are way too long.

vas pupMarch 3, 2014 3:22 PM

Security of employees' personal data.
Recently in Ukraine 'Berkut' (riot police) stopped active fighting after their attackers (for some 'rebels', for others 'heroes'; not important for this discussion) informed them that they possessed a file with all their personal information, including home addresses, family structure, kids, etc. Some even switched sides after that and joined the rebels/heroes. That is the lesson to any LEA around the globe of how important it is to properly (and I mean it: properly, as the highest asset) protect the personal information of their officers and of other employees having access to their critical information infrastructure, including the real identities of CIs, SoIs and undercover officers. A leak of such information not only jeopardizes a particular operation and the safety and lives of the LEOs and others involved, making them vulnerable and defenseless (put aside Hollywood fairy tales), but may have long-term negative results for the viability of their operational productivity as a whole.

SkepticalMarch 3, 2014 3:24 PM

@ToSkeptical: "What would be big news is if GCHQ or NSA were using such tactics against political organizations in the US or Britain."

This is what caught my eye, given the string of evidence of such tactics being used. My example was one branch of the police, and you took exception at the police being a different branch of law enforcement. Clive supplied the special branch example. There is the communist voter list being retrieved from "secret" ballots.

Corrupt actions by police officers, hopefully in low frequency, will always be with us. Those incidents do not substantiate that GCHQ or NSA is using such tactics in the same corrupt fashion. If there's evidence of GCHQ or NSA, or for that matter the FBI, using such tactics corruptly today, I'd love to see it.

Clive introduced examples, some dubious, from decades ago. Obviously my claim is not "government agencies have never in history employed such tactics corruptly." My claim relates to contemporary events.

Look, proponents of reform are going to have to come to grips with the fact that, so far as we know at this point, the NSA has not abused the powers granted to it. In fairness, most already have.

BuckMarch 3, 2014 7:58 PM

Ouch!

Florida Cops’ Secret Weapon: Warrantless Cellphone Tracking
Police in Florida have offered a startling excuse for having used a controversial "stingray" cellphone tracking gadget 200 times without ever telling a judge: the device’s manufacturer made them sign a non-disclosure agreement that they say prevented them from telling the courts.
http://www.wired.com/threatlevel/2014/03/stingray/
Watch out! Those stingrays'll sting ya!

AlanSMarch 3, 2014 9:51 PM

@Skeptical

You wrote: "Obviously my claim is not "government agencies have never in history employed such tactics corruptly."

You make it sound like this is a rare event. In 1975/76 the Church Committee published 14 reports covering abusive practices by the US intelligence services over a period that spanned decades.

Many of the reforms that were put in place after the Church Committee have since been weakened. And the power to conduct surveillance is vastly greater than it was in the period before 1975. You can debate whether the powers are being abused right now or not but the matter is irrelevant. It's in the nature of the beast to lead to abuse. That's why in the US we have the 4th Amendment: because writs of assistance were abused and it was well understood that such powers were inherently abusive. Unfortunately, such basic insights into human behavior are lost on government, whose proclivity it is to extend its own powers in the 'public interest'. As Brandeis wrote, more eloquently, "The greatest dangers to liberty lurk in insidious encroachment by men of zeal, well meaning but without understanding."


SkepticalMarch 4, 2014 8:31 AM

@AlanS: The technical ability to conduct surveillance has certainly increased since 1975, but the legal power of the NSA to do so has not, primarily because of the limits and oversight imposed by FISA. This is true even including the (legally ambiguous) expansion immediately post-9/11, and the legislated expansion in the 2007 Protect America Act and the slightly more limiting 2008 FISA amendments.

We live in a different world than in the early days of the Cold War (which formed a good part of the Church Committee's investigation), when the limits on electronic surveillance conducted for foreign intelligence purposes were vague to non-existent (a state which continued until the late 70s) and there was no judicial review of such surveillance, nor legislative oversight. We're a long way from the days of COINTELPRO as well.

So while I have no trouble finding examples of abuse by the CIA and FBI decades ago, there is a lack of evidence for such abuse by the NSA today.

I did not mean to imply that we should not be cautious and diligent in safeguarding against government abuse. We must be.

Thanks for the Sprint lawsuit link, incidentally. Got quite a laugh as I envisioned a group of accountants in Justice staring dumbfounded at the byzantine bills from Sprint and muttering to each other, "What's that charge for? What's a special service fee? And why are they billing us for texting services?"

The False Claims Act is really an interesting creature in American law, and it's helped accomplish quite a lot of good.

SkepticalMarch 4, 2014 8:34 AM

@Polly: Yeah, how about someone a little more reputable who can provide corroboration. This is the guy who claimed that he worked in overhead surveillance but also saw wiretap orders targeting Obama even before Obama was a Senator, right?

YeahSureMarch 4, 2014 11:17 AM

@ Clive Robinson

Your obtuseness around rich and poor is sad. (And in a broader sense of the word: impoverished.)

Your argument implies that it is impossible for everyone to live with their basic needs met. I do not see the logical necessity of this. It seems to stem from the assumption that everyone is either rich OR poor, which makes as much sense as saying all colors are either black OR white. Although rich and poor (and black and white) are nominally opposites, they are not complementary sets. People who are not rich are not necessarily poor. Your observations about money bring in elements that don't exist in my argument and I have no need to refute.

This argument doesn't interest me in its actual content as much as an example of how ego and inbred assumptions make it almost impossible for even intelligent people to resolve even straightforward questions, allowing for craziness and national chauvinism such as in the current news to hold sway.

In any case I think my reasoning is clear. I am finished with this discussion. QED

Polly gettin psittacosisMarch 4, 2014 11:59 AM

Good luck impugning the credibility of anyone on earth, as a stooge of the 'least untruthful' NSA liars. Guess you got nuthin to counter the substance of his charges. Tice didn't hold on to the orders because he knows NSA mafiya will imprison or torture him if there's proof. He knows he's safe if you can lie your way out.

Are you quite sure there are no copies floating around?

Erich SchmidtMarch 4, 2014 1:30 PM

@Clive
Unfortunately I'm reading all of this entertainment at work, with no popcorn in sight. Nevertheless your insight and ideas are always great to read!

@YeahSure -- QED? Yeah, sure.

Nick PMarch 4, 2014 4:29 PM

@ polly getting psittacosis

"Guess you got nuthin to counter the substance of his charges. Tice didn't hold on to the orders because he knows NSA mafiya will imprison or torture him if there's proof. He knows he's safe if you can lie your way out. "

If Tice claims a thing, the burden of proof is on him. Nobody has the burden of countering a person's serious, unsubstantiated claims. So far, we've had several leakers at NSA often with documents and/or corroboration. Tice has neither documents nor corroboration. Yet, his claims are more serious than Snowden's.

There's whole industries of people who make money on conferences, books, and TV appearances due to the BS they spout. Tice might be one of them. The burden of proof is on him to show otherwise. Until then, we should disregard his claims as hearsay and focus on bringing Americans' attention to the *substantiated* claims of other leakers.

@ Skeptical

"Yeah, how about someone a little more reputable who can provide corroboration. This is the guy who claimed that he worked in overhead surveillance but also saw wiretap orders targeting Obama even before Obama was a Senator, right?"

You nailed that one. I was reading and shaking my head at about the same thing. I was thinking:

"So they're targeting all these people... with satellites? Guess all that tech in Snowden leaks is kind of redundant if they have satellites that good."

Polly plop plopMarch 4, 2014 7:16 PM

Listen to Judge Judy, 'The burden of proof is on him.' See, this is what happens when FBI picks up losers with third-tier toilet law degrees. All they can do is babble slogans. They're not allowed to ask their Stasi bosses anything because government employees would never commit crimes like torture or blowing the brains out of Todashev execution-style or violating FISA or anything like that.

You are like the worst wheedler ever. Even the dumbest FBI goon with his crap law degree and his drinking problem and his focked up kids and his frigid wife and his self-flagellation whips and chains from Opus Dei, even he can do better than this comically obvious fishing. And the place really went downhill when Hoover went tits-up in his feather boa.

Knott WhittingleyMarch 4, 2014 7:46 PM

Skeptical and Nick P,

I don't find it implausible in the least that somebody could be a specialist in overhead surveillance and (at the same or different times) have access to very different kinds of intelligence. Especially if that somebody has worked for the Air Force, the Office of Naval Intelligence, and the Defense Intelligence Agency.

If you look at the stuff I was a specialist in when I was a graduate student, or different stuff before that in industry, you might wonder "who's this guy to opine authoritatively about x, given he's a y or maybe a z." And if you look at the trajectory of my career post-graduate school, you could say that sort of dismissive crap about whatever I say, based on what I was most known for (or paid for) 5 or 10 years before.

And that's not unusual in my academic field, or in my industrial work. Lots of people do it. Many of the best people in academia do it, and lots of people in industry do it---they find a niche where their skills are usable, often one that's superficially unrelated to what they were previously recognized as good at. Or they develop new skills as changing situations require.

And that's often a great thing.

You talk as though it's just implausible that a satellite imagery specialist might also have access to wiretap data, but if it is actually implausible, there's something deeply wrong with the intelligence community. It should be possible for talented people to rise through the ranks, change their focus, and increase their scope.

If it's not, who the hell runs the show, and where do they come from? Nowhere in particular? The nursery for baby high-ranking generalists?

Nick PMarch 4, 2014 8:23 PM

The MIT Alewife Machine 1999
http://www.cag.lcs.mit.edu/pub/papers/pdf/alewife-paper-proc.pdf

I found this paper to be pretty awesome. It might help in my secure NUMA/MPP architecture explorations. They combined fast message passing, fast context switching, and cache coherent distributed shared memory. Nodes were simple although one or two chips on them aren't. The 16-32 node systems performed fairly well with a max of 128 in a system. They also built VM and MPP prototypes with it that had good preliminary performance. Paper also has obligatory links to other research at the time.

All in all, if segmentation, tagging and/or control flow are added to such a design we might have a badass machine in the making. I'm sure the individual node performance can be updated as well if we use a modern open core like SPARC T1.

ATAC - A 1000-core cache-coherent processor with on-chip *optical* network
http://groups.csail.mit.edu/carbon/docs/atac_pact10.pdf

From same part of MIT. Talk about how things change over time.

ModeratorMarch 4, 2014 9:00 PM

Polly, that's more than enough. If you have something of substance to say, say it without the bluster and abuse. Otherwise I'll be removing your future comments.

Nick PMarch 4, 2014 9:06 PM

@ Knott Whittingley

"If you look at the stuff I was a specialist in when I was a graduate student, or different stuff before that in industry, you might wonder "who's this guy to opine authoritatively about x, given he's a y or maybe a z." And if you look at the trajectory of my career post- graduate school, you could say that sort of dismissive crap about whatever I say, based on what I was most known for (or paid for) 5 or 10 years before." (you)

"I’m a satellite systems specialist, so with the things I was doing with satellites, I found out sort of inadvertently, that American citizens were being spied upon by our base capabilities... initially what I saw was they were targeting news organizations, they were targeting U.S. companies that did international business, they were looking at financial institutions." (Tice)

Nice strawman you've constructed: your scenario is totally different than Tice's. In Tice's testimony, we have a guy who said he was one of the X guys doing X work when, during the course of X work, he found a bunch of very illegal W/Y/Z stuff that W/Y/Z guys were doing. And we're saying "why does a guy doing X have all this access to W/Y/Z?" My main gripe with him is that he didn't back up serious claims with evidence. Seeming inconsistencies like this don't help.

"You talk as though it's just implausible that a satellite imagery specialist might also have access to wiretap data, but if it is actually implausible, there's something deeply wrong with the intelligence community. "

The issues here are compartmentalization and division of labor. Compartmentalization says the person working on satellites doesn't need access to illegal wiretaps on Senators. Illegal, conspiratorial activity would be extra compartmentalized to keep the persons doing it out of prison. Division of labor, in a nutshell, means that operations in intelligence community are divided among many roles, systems, agencies, physical sites, and so on. This is what led to various intelligence sharing failures and "left hand doesn't know what right hand is doing" phenomenon.

So, what does this all boil down to? Simple: people who do wiretaps and people who work on satellites were usually different people in 2005, often at different places. Their work ends up being used by yet other people with a specific function, like analysts. That a guy working on satellites doesn't have access to wiretaps, especially illegal ones, would be a *success* of the intelligence community at compartmentalization and need to know. That the man had more access to this stuff than any other leaker... including admins like Snowden who maintained these systems... is highly implausible.

A person with implausible access claiming to have unearthed newsworthy treason without corroboration should be dismissed as a fake unless they provide solid evidence supporting their claims. If Tice does regarding blackmailing surveillance, then I'll have his side. So far, he's all talk on that issue and distracting people from abuse we can prove. It's hard enough getting American people and lawmakers to act when we have solid evidence. Adding hearsay to the mix won't help.

If anything, it's the kind of thing that benefits the NSA by undermining efforts to rein them in.
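The compartmentalization and need-to-know argument above is, in labelled systems, a mechanical check: a subject may read an object only if the subject's clearance dominates the object's label, meaning an equal or higher level and every compartment the object carries. Here is that check as an added example; it is not code from the thread or from any agency system, and the level and compartment names (IMAGERY, INTERCEPT, SPECIAL) are hypothetical.

```c
/*
 * Added example: a minimal "need to know" dominance check of the kind used
 * in labelled (compartmented) systems. Level and compartment names are
 * hypothetical; the lattice rule itself is the standard one.
 */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

enum level { UNCLASSIFIED = 0, CONFIDENTIAL = 1, SECRET = 2, TOP_SECRET = 3 };

/* Hypothetical compartments, one bit each. */
#define COMPT_IMAGERY   (1u << 0)
#define COMPT_INTERCEPT (1u << 1)
#define COMPT_SPECIAL   (1u << 2)

struct label {
    enum level level;
    uint32_t   compartments;   /* bitmask of COMPT_* */
};

/* True iff 'subject' dominates 'object': level is at least as high AND
 * every compartment bit set on the object is also set on the subject. */
bool dominates(struct label subject, struct label object)
{
    if (subject.level < object.level)
        return false;
    return (object.compartments & ~subject.compartments) == 0;
}

/* Read access under this model is exactly dominance of the object's label. */
bool can_read(struct label clearance, struct label object)
{
    return dominates(clearance, object);
}

int main(void)
{
    /* Hypothetical clearances and product labels. */
    struct label satellite_operator = { TOP_SECRET, COMPT_IMAGERY };
    struct label imagery_product    = { TOP_SECRET, COMPT_IMAGERY };
    struct label wiretap_product    = { TOP_SECRET, COMPT_INTERCEPT | COMPT_SPECIAL };

    /* Same level on both objects; only the compartment set decides. */
    printf("imagery product: %s\n",
           can_read(satellite_operator, imagery_product) ? "allowed" : "denied");
    printf("wiretap product: %s\n",
           can_read(satellite_operator, wiretap_product) ? "allowed" : "denied");
    return 0;
}
```

The point the check makes concrete is that a Top Secret clearance by itself says nothing about access: the operator above holds the same level as the wiretap product and is still denied, because level is only half of the label.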

BuckMarch 5, 2014 12:01 AM

@Nick P re: @Knott Whittingley

Woah! Calm down my brother.

Are you so wrapped up in the recent 'leaks' that you've forgotten the world as it was >8 years ago? (Nevermind the cold-war era spy satellites)...

Are you really so set in your ways that you would believe this TAO catalog is truly state-of-the-art; even if we had seen it 10 years ago!?

(Keeping in mind, Klein, who spilt the beans back in '06... All this *stuff* is trivial & obvious, once one assumes a trusted MITM [or Men Everywhere] position).

Or are you so naive that you fail to realize: low-level government contracted employees have no opportunities to easily access and exfiltrate real 'national security' secrets..?

The part where you dismiss satellite-based intercepts is almost priceless; and the part where you imply that the TAOs' catalog of exploits (for sale!) would be among the methods used for Tice's alleged high-priority target(s)... Well, it kind of makes me feel like I've won an award for reading through one of the most obvious reverse-strawmen I've ever seen!

Either option would seem to contradict some of your other recent statements regarding standards finessing/sabotage, so I'm honestly hoping there's an additional opposing idea... Or that this isn't really you posting ;-)

Clive RobinsonMarch 5, 2014 6:40 AM

For those claiming various "straw man", "lack of produced evidence" and similar "Give Proof or be shunned" arguments, perhaps you should read this and contemplate on what it means in terms of the powerful shutting you up by abusing the legal system,

http://www.theguardian.com/law/2014/mar/04/attorneys-barrett-brown-hyperlink-hacked-material-want-case-dismissed

I would have thought that Aaron Swartz's untimely demise due to abuse by federal employees would have been sufficient of a wake up call.

FigureitoutMarch 5, 2014 9:26 AM

Clive Robinson
--Yes it is, thanks. Just spent the entire night up and need to change 2 blown tires from a f*cking pothole and am missing my calculus and physics class...Great day...Anyway any "electromagnetic mystery" makes me wonder...there's too many though...

Knott WhittingleyMarch 5, 2014 9:26 AM

Nick P,

My read of Tice (in the transcript of the RT interview) is apparently different from yours. It seems to me that he moves very quickly from telling the interviewer what gave him his initial heads up to talking about all sorts of things he learned some indefinite time later, maybe many years later, when in different job(s) at different intelligence agencies.

I don't know about Tice's jobs and career timeline or trajectory, but it seems perfectly plausible given what little I know that an intelligence "analyst" who is or has been a "satellite systems specialist" would be involved in dealing with lots of wiretaps at some point, or be trying to integrate multiple sources of data, some of which he's not a specialist in. A lot of international phone traffic used to go through satellites, and a "satellite systems specialist" could be a specialist in wiretaps. Even overhead imagery analysis per se often involves knowing something about the subjects the images are being analyzed for. Depending on the kind of analysis, it could be a lot of detailed information, trying to use all available other information to constrain possible interpretations of images.

I too am frustrated that Tice didn't have the documentation to prove (or disprove) his claims. I can't tell if he saw what he says he saw. I'll be interested to see if any future Snowden revelations or investigations bear out Tice's claims, or refute them.

Douglas KnightMarch 5, 2014 10:20 AM

People say that it's hard to test TLS because you have implement a TLS server as a testing harness, or something. But if you had set up such a testing framework, wouldn't it be easy to apply the same tests to every implementation of TLS?

That is, black box testing is easy. What requires code specialized to your project is unit testing. Maybe there are parts of your TLS stack that are double-checks and you don't know how to test them from the outside. That's why unit testing is important. But neither of these bugs have this form, do they?

Nick PMarch 5, 2014 10:28 AM

@ Buck

"Woah! Calm down my brother."

I'm alright haha. Maybe I got a bit carried away, though. ;)

"The part where you dismiss satellite-based intercepts is almost priceless"

I don't dismiss them. I pointed them out as a risk, along with countermeasures, over a decade ago. Best sales boost I got on the issue was when Enemy of the State came out.

I dismissed this guy's claim about blackmailing. Whether intel analyst or not, whoever is illegally blackmailing all these high profile people would be working to keep it secret. That satellite operators were in the loop on their phone tapping of Senators who just happened to become President later on... come on. If I can picture Alex Jones saying it, then my guard goes up.

Remember that this wasn't in his original leaks. He said it years later. And this is a guy various psychologists diagnosed on a scale from mentally imbalanced to "psychotic paranoia." So, it could be true, but it also has warning signs in it.

"Or that this isn't really you posting ;-)"

It's me, for sure. One of the things I do here is play devil's advocate on certain issues to make sure we've investigated both sides. I couldn't resist doing that on Tice because of my genuine concerns about him. I previously did that on Snowden, although I ended up backing his leaks.

@ Knott Whittingley

"I don't know about Tice's jobs and career timeline or trajectory, but it seems perfectly plausible given what little I know that an intelligence "analyst" who is or has been a "satellite systems specialist" would be involved in dealing with lots of wiretaps at some point, or be trying to integrate multiple sources of data, some of which he's not a specialist in. "

I actually agree. I'm just wondering why he was talking about speculative risks back when he leaked and several years later he's saying he saw all this blackmail. Why wouldn't he have mentioned that when he was whistleblowing? It certainly could've gotten Congress on his side. Usually, when a person burns out their career the way Tice did, then adds stuff to the story years later, the additions are made up. Usually.

The aggravating thing for me is that I believe what he said is going on. The capabilities they've built, along with historical precedents, mean it's likely that the NSA machines will be abused to get leverage on politicians. Any real evidence of this going on should be civil liberties proponents' top priority. However, the only evidence we have of that comes from a leaker who added it years after his original testimony without any evidence.

More troubling, Snowden's comprehensive access to technical and rather damning information didn't have anything about this. I would *think* Snowden leaks would corroborate Tice if Tice is telling the truth. Yet, they don't. So the point of my posts isn't that Tice can't be telling the truth. It's more that Tice's last claims of blackmail shouldn't be used in our fight for civil liberties as they're effectively hearsay from a mentally troubled individual.

Instead, we should approach Tice and leaker evidence this way:

1. Give credit to Tice for his brave whistleblowing on issues like collection on Americans back in 2005.

2. Ignore his new claims simply because they're unsubstantiated. Look what I've done here and just imagine what NSA's highly paid liars would've said to Congress. ;) Better if a Congressman never brings it up.

3. Focus on Binney, Drake, and Snowden's claims as most people think they're honest and we have nice Powerpoints to work with.

4. Focus on actual instances of deception of Americans and Congress regarding these programs: Clapper's lie, collecting content while saying metadata, etc.

5. Include specific instances of failures and abuse to show safeguards are an illusion.

6. Show, speculatively (unlike Tice), that Congress are at risk by showing all the forms of surveillance that can be put on them, collected nonstop, automatically sent to the interested party, and with no accountability/audits. Use examples like LOVEINT and Hoover's FBI here. Also point out how much power Hoover accumulated while having comparably tiny surveillance capabilities compared to NSA.

The combined effect of this strategy is to focus the minds of overseers and politicians to see the real issues. The choice of the most proven incidents means the conversation can last more than several minutes without someone saying "hearsay" or "paranoid BS!" The included risk of Congress is an incentive for them. This overall strategy is all strength and no weakness. Only the intrinsic difficulty of winning a tough debate can hold it back.

Bringing up debatable claims just weakens our position. That's what set me off about the link to Tice. We already have enough problems proving what we know. I'd rather not have people on our side use testimony that helps the other side. That's all.

BuckMarch 5, 2014 2:22 PM

@Nick P

Thanks for that clarification there. I think I get where you're coming from a little better now. Your last paragraph sums it up pretty nicely to me:

Bringing up debatable claims just weakens our position. That's what set me off about the link to Tice. We already have enough problems proving what we know. I'd rather not have people on our side use testimony that helps the other side.
Although I feel I should point out that this perception can be used to an adversary's advantage... Leaves you more vulnerable to so-called "limited hangout" operations :-\
http://en.wikipedia.org/wiki/Limited_hangout

Nick PMarch 6, 2014 12:46 PM

Bitcoin founder identified!

Interesting story. Here's a non-paywalled link. :)

http://webcache.googleusercontent.com/search?q=cache:eIDjXrkeADYJ:mag.newsweek.com/2014/03/14/bitcoin-satoshi-nakamoto.html

This guy would be a great addition to clean slate redesigns of computers for security. Bitcoin says plenty about his crypto/thinking skills. He also worked on what I'm guessing was classified COMSEC devices. He also built his own computers, whatever that means. Strong in several areas including physics and comp sci. Long experience with privacy and anonymity tech. Also an utter asshole who likes proving that others are idiots compared to him.

Seems to be a perfect fit for improving or beating one of the clean slate designs. Matter of fact, securing the storage and transfer of Bitcoins is the next problem for the currency. A truly secure computer would solve many of their problems and ours. People in Bitcoin development or an established security type [that he might trust] should push him on this. Secure, usable endpoints would do more for his libertarian goals than the currency he made.

Note: I'd bet a few Bitcoins that he already solved some tough aspects of private or secure computing in his previous work. He couldn't share that. Yet, he *could* employ techniques that have since been independently discovered and publicly published. At the least use his mind to shoot down bad options quickly as I did in some projects. Preventing the amateurs from wasting time is as valuable as design/code contributions.

BuckMarch 6, 2014 8:26 PM

I have yet to see this corroborated by any additional sources, but if proven true... Wow, that could really beef up my point here! ;.-P..

'Just Because it is legal doesn't mean we should do it' (US intelligence figures say Europe is acting 'mock surprised' at leaks on NSA)
European intelligence agencies were all aware of the type of covert surveillance undertaken by the US National Security Agency (NSA), a former state department official and current director of the Center for Strategic and International Studies (CSIS) has said. “The European intelligence agencies knew what we were up to, so there was no surprise," said James Lewis, who led a discussion with senior US intelligence figures at the RSA conference, the large international security industry gathering here last week.
http://www.irishtimes.com/business/sectors/technology/just-because-it-is-legal-doesn-t-mean-we-should-do-it-1.1713629
This "James Lewis" fellow certainly seems like the sort of character with the necessary kind of qualifications to speak about such a matter... http://csis.org/expert/james-andrew-lewis
Apparently France knew too. Wonder what Merkel, Morales, et al. think about that... ;-)

Clive RobinsonMarch 7, 2014 1:20 AM

@ Buck,

    “The European intelligence agencies knew what we were up to, so there was no surprise," said James Lewis

Whilst most likely true as a statement it lies well.

You need to remember that the Intel Community sees itself as "keepers of the faith", completely unlike those unreliable untrustworthy easily bought "grubbing in the mire" politicians.

Thus the IC jealously guards "methods and sources" from politicians unless it uses "sanitised glimpses" to get the politicians to loosen the purse strings and thus give the IC new empire. The usual trick for this is to talk about "capability gaps" and how to "mitigate the threat", most of which is nonsense and uses "speculative FUD" much as politicians do with "think of the children".

So yes the European IC services definitely knew, but probably not the run of the mill politicians.

As I've said several times before, the best way to lie is by telling the truth but from a different perspective. And that line from James Lewis is a classic example.

Clive RobinsonMarch 7, 2014 1:48 AM

@ Nick P,

With regards the --postulated-- founder of bit coin...

Did you see the comment about knowing he was an old timer from the fact his code used RPN...

I guess that's me "outed" as well if you lot had not already noticed ;-)

yesmeMarch 7, 2014 2:00 AM

@Douglas Knight

Yes, you are right. With unit testing these bugs would have been found. They mixed up the return values and that's easy to check.

But for unit testing it is important that the functions are atomic and stateless. That's also lacking.

The guys from both OpenSSL and GnuTLS didn't know what they were doing. Otherwise they wouldn't have used all the gimmicks (massive amount of assembly, m4 and crappy makefiles) and stuck only with C, manpages and a strict policy like the OpenSSH guys did.
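Douglas Knight's point about unit testing and yesme's "they mixed up the return values" describe the same bug class: a library-convention function (0 on success, negative error code on failure) feeding a boolean-convention caller (1 for yes, 0 for no), so that an error, being nonzero, reads as "yes". The following is an added example of that class on a small scale, with the buggy and fixed predicate side by side and the unit test that separates them. It is not code from OpenSSL, GnuTLS or anyone in this thread; the function names, the error codes and the one-byte stand-in for a certificate field are all constructed for the example.

```c
/*
 * Added example (hypothetical names, constructed input): a boolean-convention
 * predicate that leaks a library-convention error code on its failure path,
 * next to the fixed version, and a unit test that catches the difference.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define ERR_BAD_ENCODING (-1)   /* hypothetical library error code */

/* Library convention: 0 on success, negative on failure.
 * The input is a constructed stand-in for an encoded certificate field:
 * the low bit says "is a CA", and 0xFF stands for an undecodable value. */
static int parse_ca_flag(unsigned char encoded, bool *is_ca)
{
    if (encoded == 0xFF)
        return ERR_BAD_ENCODING;
    *is_ca = (encoded & 1) != 0;
    return 0;
}

/* BUGGY: boolean convention on the outside, but the error path returns the
 * library's negative code, which any 'if (is_ca(...))' treats as true. */
int is_ca_buggy(unsigned char encoded)
{
    bool ca = false;
    int result = parse_ca_flag(encoded, &ca);
    if (result < 0)
        goto cleanup;       /* meant "fail", but 'result' still holds -1 */
    result = ca ? 1 : 0;
cleanup:
    return result;          /* -1 escapes as "true" */
}

/* FIXED: every exit of a boolean-convention function yields exactly 0 or 1,
 * and an undecodable input is "no". */
int is_ca_fixed(unsigned char encoded)
{
    bool ca = false;
    if (parse_ca_flag(encoded, &ca) < 0)
        return 0;           /* cannot parse => do not trust */
    return ca ? 1 : 0;
}

/* Callers are written with truthiness, not '== 1', which is what makes the
 * bug reachable. */
bool trusts_as_issuer_buggy(unsigned char encoded) { return is_ca_buggy(encoded) != 0; }
bool trusts_as_issuer_fixed(unsigned char encoded) { return is_ca_fixed(encoded) != 0; }

/* The unit test: drive the predicate with every kind of input, insist the
 * result is exactly 0 or 1, and insist garbage is never trusted. Returns the
 * number of failing checks, so 0 means the predicate passes. */
int check_predicate(int (*pred)(unsigned char))
{
    const unsigned char inputs[] = { 0x00, 0x01, 0x02, 0x03, 0xFF };
    int failures = 0;
    for (size_t i = 0; i < sizeof inputs; i++) {
        int r = pred(inputs[i]);
        if (r != 0 && r != 1)
            failures++;                  /* not a boolean at all */
        if (inputs[i] == 0xFF && r != 0)
            failures++;                  /* undecodable input was trusted */
    }
    return failures;
}

int main(void)
{
    printf("buggy predicate: %d failing checks\n", check_predicate(is_ca_buggy));
    printf("fixed predicate: %d failing checks\n", check_predicate(is_ca_fixed));
    return 0;
}
```

Note what the test does not need: no TLS server, no real certificate, no network. It only needs the predicate to be a stateless function that can be called with a hostile input, which is the "atomic and stateless" property yesme asks for; black-box testing of the whole handshake would only catch this if the harness happened to present a certificate with exactly the malformed field.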

Clive RobinsonMarch 7, 2014 8:29 AM

OFF Topic :

It's friday and you should be able to crack a smile ;-)

This quick description of the RSA conference by Marcus Ranum made me smile, as well as telling you fairly accurately what you missed (and will have saved you a few thousand bucks as well ;-)

http://media.risky.biz/ranumrsa.mp3

BuckMarch 7, 2014 10:08 AM

@Clive

So yes the European IC services definitely knew, but probably not the run of the mill politicians.
Quite so! Seems like a pretty sticky situation for the run of the mill politicians (and the rest of us)! Seeing as their 'intelligence' is served by the very same that stand to personally benefit from escalating global cyberwar... Looks like we might be in for a bumpy ride :-\

Nick PMarch 7, 2014 11:09 AM

@ Clive Robinson

"Did you see the comment about knowing he was an old timer from the fact his code used RPN..."

Yes I did. I thought that was funny. I figured they'd also think I was old school due to the influence old papers have on my code and design strategy. Modern devs can't take seeing structured programming in a Pascal-derived language. Just wait till I learn Haskell or ML system programming techniques. They'll love that shit. :)

Note: I once wrote an implementation of QBASIC with good FFI for Win32 on a LISP. The reason was to do interactive and incremental development in LISP. The QBASIC syntax was LISP functions. The dev environment had already included all the useful Win32 functions. I also had functional programming and LISP macros instead of C macros. A pretty printer output a whole QBASIC program. BASIC was type-safe, memory-safe, and readable so avoided many errors. Just imagine the shock, though, when the BASIC "pro's" came over to my terminal and saw all these parentheses on my screen. Reactions were priceless.

Note about note: You know, that system was a pretty decent RAD for a one-man, console app. Been thinking about rebuilding it. A modern incarnation would target a safe subset of C/C++, Java, Ada, or just LLVM for code gen. I'd integrate basically every static checking tool there is, including covert channel analysis. Development would stay incremental and interactive. Quick and dirty analysis on demand (maybe in background while developer types), comprehensive analysis overnight as a batch job. What you think? Worth the time?

re Ranum

Lol. Ranum just tells it like it is.

WhiskersInMenloMay 10, 2014 12:41 PM

Squid....

"Squid that have lost a tentacle seem to be a bit more skittish of sea bass than squid with all of their appendages. Compared with healthy squid, the injured ones start their defensive behaviors, including inking, sooner, when the bass are farther away, researchers report May 8 in Current Biology. The finding suggests that even though the injured squid have a higher risk of being attacked, their injury also makes them more sensitive to predators, increasing their chance of survival. The finding may also explain why behaviors such as anxiety and heightened sensitivity, which appear counterproductive, linger even after a threat is in the distant past, the scientists say."

https://www.sciencenews.org/blog/science-ticker/pain-may-keep-predators-away-squid-anyway

Did Snowden snip a tentacle?


Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.