Friday Squid Blogging: The Evolutionary Purpose of Pain

A new study shows that Doryteuthis pealei in pain -- or whatever passes for pain in that species -- has heightened sensory sensitivity and heightened reactions.

News articles.

The idea, although this is a major extrapolation at this point, is that pain is a security mechanism. It helps us compensate for our injured -- i.e. weakened -- state.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Tags: academic papers, squid

Posted on May 9, 2014 at 4:11 PM • 83 Comments

Comments

Jacob • May 9, 2014 4:44 PM

This is from a colleague:

"I found a nice free program, created by Linoma Software (aka GoAnyWhereMFT) from Nebraska USA, to create and manage my PGP keys, called OpenPGP Studio. While trying out the program, I noticed that when generating the RSA keys the program does not ask you to do anything e.g. move your mouse etc. to increase randomness entered into the entropy pool.
So I posted a guestion to their support forum (very low intensity forum, about one posted question per month) asking about the entropy source for the program, and also added to the post another secondary question about key imports.
The question entered moderation, and no feedback for 3 days.
So I asked them what the status is and within a couple of hours they approved and posted the question BUT they deleted from the source the part about the entropy, answering just the secondary question.

A year ago, I'd probably just repost the entropy question and ask for a comment, but nowadays I just don't trust that program anymore.
The company is small, but sells mainly to enterprise and government agencies."

I wonderd what the forum opinion is on the trust question.

Nick P • May 9, 2014 5:06 PM

@ Jacob

You straight up shouldn't trust closed source crypto. Bugs, false promises, paid subversions and so on abound. Best model is crypto created and reviewed by people who know their trade that can also be compiled by end user. There are both FOSS and proprietary (w/ source included) options that meet that requirement.

Anything else you should consider compromised as its true effectiveness is unknown. There are exceptions but that's the rule.

Pieter • May 9, 2014 6:20 PM

"The company.... sells mainly to enterprise and government agencies." - This alone should be a red flag. Name one (1) safe enterprise program.

Jacob • May 9, 2014 7:03 PM

@Nick P, @Pieter

On the issue of trust:
I have followed the discussion on trust during the last year with a great interest. The prime issue, as I see it, is convenience vs. chance-of-harm - coupled with a good dose of psychology.

We all know that open source is safer. However, both Bruce and I use Windows which is closed and can directly affect anything open-source we do on that computer. But we take much more critical look at security programs than at the infrastructure. Why? because you must trust something as a basic building block, and usually that "something" is either much more convenient than other alternatives (e.g. I know Windows well, but I don't know linux, and even if I do, shall I trust the binary blobs in there which are provided by device vendors, or openBSD is the only trusty choice?). Bruce and I use TrueCrypt which is open, but I dare to say that neither of us examines the source and certainly neither of us compiled it. And If I do compile it, I must trust Visual Studio which is closed.

You tell your 13 yo daughter not to trust strangers, but she must trust to some extent the cab driver who brings her home from a babysitting job, or a policeman (certified and approved by an untrusty local government) to lead her to safety in a rough neighborhood - both of those characters are total strangers.

So it is a tiered approach to trust. The closer we get to the security stuff we care about (i.e. crypto stuff), the more we care about trust, and more sensitive to telltale clues about lack thereof - although we can be killed on the way by the evil infrastructure (i.e. OS and device drivers).

In respect to the openPGP Studio (which is closed), the sensitivity about telltale signs was what triggered my posting. But I think that both you guys are right: gnuPG is open and soemwhat convenience and can serve as a good alternative - certaily more secure, and selling to agencies is another nail in the coffin.

ismar • May 9, 2014 7:20 PM

Could anybody comment on the validity of the https fingerprinting technique as described at

https://www.grc.com/fingerprints.htm

I think that Clive maybe able to help just because his professional background seems close to that of Steve Gibson who is the owner and maintainer of the above mentioned site.

Jacob • May 9, 2014 7:50 PM

@ismar

Yes, this is a valid method to check if you are connected to an intercepting proxy SSL server on your way to your URL destination.

However, it is not that convenient to use - I suggest that you look at the Perspectives add-on to Firefox instead.

Jacob • May 9, 2014 8:38 PM

Some hackers' tricks of the trade that I ran across at various blogs/news sites. Amazingly simple and effective:

1. Develop an attractive gadget for a web server e.g. a counter. Distribute it for free but with a copyright notice that it is free provided the user keeps with the gadget a link-back to the writer's site. If the user clicks on the link he gets a small icon back. Nice.
After some months when you get many websites using your gadget, you switch over the link to a malware carrier. People who use those trusting sites regularly normally approve their javascript too.

2. Variation on (1): you buy an ad spot at a site with a remote ad feed (common in the trade). The feed is initialy benign and get approved by the site owner. After some time you turn the feed malicious, while redirecting checks from the ad hoster to a benign data.

Again, if this is a well respected site regular visitors have their javascript turned active for that site.

3. Targetting a specific corporation:
You visit the neighborhood of the target Corp. building at lunch time, and identify the fast food place / coffee shop popular with the corp. employees.
You set up a portable WiFi AP nearby broadcasing the name of the fast food place and wait. Some employees will log in to their office through your AP, and you get their login credentials for a subsequent raid.

DB • May 9, 2014 10:23 PM

I found this story interesting:

http://www.nytimes.com/2014/05/09/world/africa/schoolgirl-abductions-put-scrutiny-on-us-terrorism-strategy.html?_r=0

Especially in how it related that designating someone or some group as a terrorist, might align us with those who perform human rights abuses...

I found that part of the article ironic. That designation supposedly removes many human rights (such as the right to confront one's accuser and defend one's self, and instead be killed, kidnapped, and held without trial in Guantanamo Bay). Therefore yep it sure does directly encourage human rights abuses (if you consider that rights can't actually be removed, only infringed upon)... in general, not just in this case. This is, of course, a point that our government-controlled press wasn't intending to make.

@ Jacob

wow that's crazy that kind of targeted censorship... I certainly would not only not trust them, but feel pretty certain they are actively doing something against their users, after seeing that kind of heavy handedness. I agree with others about the untrustworthiness of closed source too, but that really takes the cake.

I agree in principle about the issue of convenience vs chance-of-harm... I just look at it like, well.. my security isn't worse today than yesterday just because I've learned today that it always sucked much worse than I ever knew... so I guess I'm not worse off, maybe? But I'm sure looking for something better to be developed to switch to... hoping and wishing maybe... For example, I did just install a new computer for someone, with.. hey.. an open source os now.. and gave him a variety of tools to balance his convenience against his security, including tor browser installed (in addition to some regular ones with startpage/httpseverywhere/etc) and a tails disc too... and explained some how to use them... but I'd really love to see fully open source bioses, firmwares, and microcodes too! and some sort of open hardware design too... and more projects adopting more proper security processes than most open source projects do now too... and the list goes on and on.... so it's progress... we're not "there" yet... but we're moving in the right direction, that's one guy no longer using windows yay.

Your hacker trick of switching to malware later can easily give "deniability" too... as in, "what? it wasn't me, I was hacked, I'm a victim too..."

@ ismar

fingerprinting is valid, as far as detecting changes and differences, in the form of browser-sees-as-valid mitm-attacks approved by certificate authorities or whatever (which we used to think was ridiculously rare but now post snowden it seems they may be more common than we thought)... But there are problems with it from a practical sense. For example, how do you know that you are comparing with the real fingerprint? Was it just the first one you saw? How do you know THAT one was valid? How do you know the grc.com page itself isn't being intercepted by the NSA and the CONTENT being rewritten to show you the wrong fingerprint too? Plugins can certainly help with storing a database of them to compare and warn you of changes, but that doesn't address the issue I just mentioned... Also some changes are legit, like replacing/renewing an expiring cert...

Nick P • May 10, 2014 12:07 AM

@ Jacob

re PGP software

"The prime issue, as I see it, is convenience vs. chance-of-harm - coupled with a good dose of psychology."

It's the issue of a lot of things. Actually, it's a nice description of a whole category of risk assessment in general. It's just not right for this.

We aren't talking Windows, Facebook, cab drivers, etc. We are talking about a technology designed to send private messages. Your actual goal in using PGP is to make your messages private against annoying or devious people. You want to trust that your software does this. Yet, there's a huge litany of various proprietary and U.S.-hosted services doing the opposite for many reasons. There's also more open options that meet your goal that you could (with effort) verify aren't doing a ton of evil things behind closed doors. So, one choice seems more obvious if you are already willing to forgoe some convenience to protect your messages.

"But I think that both you guys are right: gnuPG is open and soemwhat convenience and can serve as a good alternative - certaily more secure, and selling to agencies is another nail in the coffin."

And that's the kind of thinking I was just talking about right there. It's kind of convenient, it's open, and a good alternative to what's risky. It might be secure from targeted attack, might not. Yet, there's a whole host of evil possibilities that are less likely to happen if you take such an option. And if you can use it on a safer OS (eg OpenBSD) all the better. If still on Windows, at least you're forcing the attackers to put more effort into hitting you and can be sure the middleman crypto company isn't selling you out.

Definitely an improvement in assurance over the black box you were talking about. ;)

Curious • May 10, 2014 4:11 AM

I noticed a linkt to this blog article, which seem to revolve around some recent testing for the Heartbleed bug with regard to a specific type of servers unless I am mistaken: https://vivaldi.net/blogs/entry/heartbleed-status-upgrading-to-heartbreak

I do not know what a "SSL/TLS accelerator" is, but this seemed to me to be important somehow.

yesme • May 10, 2014 5:56 AM

ON TOPIC:

About pain.

It became clear to me when I got kicked in the nuts. Well, not at that moment, but after a while I thought why does it hurt so much when you are kicked in the nuts? It doesn't make sense. Except when you think about that it is the male reproduction facility. So it is valuable. And you care more about valuable things when direct and basic feelings, such as pain, are involved.

Chris • May 10, 2014 9:46 AM

Hi Ive been playing now somewhat more with this new Badger Addon for Firefox from EFF.org and I have noticed some weird trackers on some Youtube Videos, the do not exist on every movie.

But ... I guess you could try to see if there is a pattern regarding what movies have them.
The trackers from Badger are located in Linux at the following place /home/username/.mozilla/profile/jetpack/.../jid-xxxx/simplestorage/store.json

I Have never noticed them before but thanks to Badger now I have.
I will give one example below, would be intresting to hear what you guys think of it/them:

Every tracker Ive seen
starts with p2- and then a randombitstream and ends with metric.gstatic.com

Title: Ex-CIA damning verdict on NSA and GCHQ spying (21Nov13)
Link: https://www.youtube.com/watch?v=2-3d-dLW72E
Tracker Hostname: p2-kazhzqohopwvc-5zihsuuvzecnre76-if-v6exp3-v4.metric.gstatic.com
Tracker IP: 62.116.207.38

//Chris

Nick P • May 10, 2014 11:20 AM

Financial core of the transnational corporate class

http://www.projectcensored.org/financial-core-of-the-transnational-corporate-class/

I liked this article. It's about the 161 or so people who control over $20 trillion in assets. It covers their activities and backgrounds. Getting closer to a Theory of Everything for our plutonomy. Best part of the article is that little comes off as a conspiracy theory: one thing just flows naturally from the other.

Note: Data like this is why I laugh at people talking about "the 1%." That's over 3 million people in America. Each firm on this list controls more assets than all of their income combined. The one percent isn't the problem. Those in control are *much* fewer in number.

23rh99 • May 10, 2014 1:34 PM

@yesme "Except when you think about that it is the male reproduction facility. So it is valuable."

True, so pain is of value from a species-centric frame of reference.

But pain and pleasure also provide information vital for the survival of an individual animal. For example, it's painful to eat rocks and pleasurable to eat food.

While the pain/pleasure signals are the default basis of a system of values driven by the needs of survival, those signals can be rewired.

Remarkably, Pavlov was able to demonstrate that a dog could be conditioned to salivate in response to a pain stimulus.

Skeptical • May 10, 2014 10:31 PM

@DB: This is, of course, a point that our government-controlled press wasn't intending to make.

Someday when you're satisfied that you're anonymous you'll have to tell me what you're smoking. The government controlled press that collaborated to write about, and protect, the Snowden leaks, that writes about and protects classified leaks on a regular basis, that has gone to bat against the government in court frequently, that salivates for the next big government scandal, that encompasses every political viewpoint imaginable when you include the digital media... have you ever been to a truly closed society? Somewhere where the media is actually controlled by the government? Night and day. Siberian winter and Floridian summer.

If you intended to make a more moderate point, e.g. that major outlets are influenced by government spin, then you're being more reasonable, but the rhetoric you actually used is quite extreme.

Benni • May 11, 2014 1:09 AM

News from Michael Hayden, ex NSA and CIA:

We Kill People Based on Metadata’

http://www.nybooks.com/blogs/nyrblog/2014/may/10/we-kill-people-based-metadata/

SLR • May 11, 2014 2:14 AM

One only need consider the plight of persons suffering from Congenital insensitivity to pain with anhidrosis (CIPA) to appreciate how important a normal pain response is in life. Sufferers of this condition often chew up the insides of their mouths because they can't feel their teeth biting their tongues. In cold weather frostbite occurs with no warning signs. CIPA is associated with considerably increased morbidity and mortality.

DB • May 11, 2014 3:31 AM

@ Skeptical

have you ever been to a truly closed society? Somewhere where the media is actually controlled by the government? Night and day. Siberian winter and Floridian summer.

Indeed I have. I've mentioned in a thread or two that I have lived in China for a few years. It is like night and day compared to here in the USA. Which is exactly why I get so up in arms when I start seeing the sky darkening over here! Even slightly graying! Let the light shine! Do not go in the direction toward totalitarianism... don't even flirt with it in the slightest! People who do, I totally recommend they go try it first before considering destroying my country.

My point was intended to be a bit more moderate as you say. The government influence on our media in America, while not total, is still at times aggravatingly heavy and and anti democratic. I do say things a bit extreme sometimes, and when I do it's not meant to be highly accurate per se, but to try to wake people up for where things are headed if we do not make sure they stop where they are headed and reverse course a bit. I've seen that darkness, I don't want to go there. Not even the least bit closer to there.

Hopefully that explains a little more where I'm coming from and why I am the way I am? :)

Clive Robinson • May 11, 2014 4:47 AM

OFF Topic :

For those with an interest in TRNGs, this article talks about quantum RNG using a smartphone camera,

https://medium.com/the-physics-arxiv-blog/602f88552b64

Benni • May 11, 2014 5:30 AM

News from the german secret service. As usual, most of its operations end up in DER SPIEGEL, which here reveals that around 2000 former SS Nazi veterans build a secret army of 40.000 men, at start hidden in ecrecy from the german government, which, after it took notice in 1951, ordered the german secret service BND to do the management of this secret army.

http://www.spiegel.de/politik/deutschland/veteranen-von-wehrmacht-und-ss-gruendeten-laut-bnd-geheime-armee-a-968727.html

CIA is also in the news. Finally US soldiers are now doing black ops in Ukraine:

http://www.spiegel.de/politik/ausland/ukraine-krise-400-us-soeldner-von-academi-kaempfen-gegen-separatisten-a-968745.html

And when the russians recently flew their aeroplanes close to ukrainian border, the NSA now told the BND that the russian pilots had the explicit order to cross ukrainian aerospace.

The question is why the nsa does know that. When russia invaded in crimea, the nsa was apparently relatively blind. So either they had their lucky day this time, with encryption set off or an informant in the military, or, and this is the other possibility, the russian aeroplane perhaps was rigged full with spy tech, and the russians might have shared their information with the united states. Thhis would not be that unusual, since Lawrow recently said in an interview that Kerry talks to him on the phone everyday. And then, the americans shared this with their german partners, but when you share something with the BND, you just give it to german newspapers.

In Ukraine, there is this funny reactor in chernobyl http://www.nytimes.com/interactive/2014/04/27/science/chernobyl-capping-a-catastrophe.html?_r=0 where, until the new sarcophagus is in place in 2017, it is extremely easy for an armed group to shoot at the guards, get into the site, and then collect enough material for a dirty bomb. It is easy since the old sarcophagus has inspection stairways that directly lead to the fuel. For this reason it is unlikely that any reasonable superpower haunted by terrorism will tolerate a civil war in ukraine for a long time.

When the US and Russia see an atomic threat somewhere, their secret services are in fact relatively good at working together, for example the nsa trained the fsb how to use modern nsa made bugs in north korea: http://www.spiegel.de/politik/ausland/nordkorea-wie-die-russen-den-amerikanern-beim-spionieren-halfen-a-231490.html and they secured russias former atomic test site in kazachstan where the us drones are still circeling around: http://www.spiegel.de/spiegel/print/d-76551048.html

Skeptical • May 11, 2014 8:13 AM

@Benni: Some of those newspaper reports do nothing more than repeat rumors from Russian state media and a tabloid.

CIA is also in the news. Finally US soldiers are now doing black ops in Ukraine: http://www.spiegel.de/politik/ausland/ukraine-krise-400-us-soeldner-von-academi-kaempfen-gegen-separatisten-a-968745.html

This article cites Russian state media, and this article: http://www.bild.de/politik/ausland/ukraine/us-soeldner-von-blackwater-im-einsatz-34992896.bild.html

It's a very poor Russian information ops attempt to respond to the unmasking of Spetnaz in Eastern Ukraine.

Does Der Spiegel often recycle reports from tabloids like Bild and Russian state media?

And when the russians recently flew their aeroplanes close to ukrainian border, the NSA now told the BND that the russian pilots had the explicit order to cross ukrainian aerospace.

There is nothing in the associated article, http://www.spiegel.de/politik/ausland/usa-wirft-russland-verletzung-des-luftraums-der-ukraine-vor-a-966269.html, stating that NSA had intercepted Russian aircraft communications (or any other communications).

Instead the article notes that the Pentagon speculates that the Russian planes were gathering intelligence on Ukrainian air defense.

waki • May 11, 2014 8:59 AM

@DB

How was it in Chine, can you elaborate?

Juche breath • May 11, 2014 9:32 AM

ave you ever been to a truly closed society? Somewhere where the media is actually controlled by the government?

Huh huh, that's funny. skeptical kisses enough government butt to stay out of trouble so he thinks it's an open society. Government desk jockeys can't discuss Snowden's stuff, or access Manning's stuff, even though the whole world has seen it. John Kiriakou's in prison for denouncing torture as required by the supreme law of the land. Barret Brown's in prison and Lynne Stwewart went to prison for life, for unauthorized freedom of expression. The US vilifies UNESCO precisely because it investigated the mechanics of US government control over media - the USG went nuts because that's supposed to be a big secret, among patriotic morons, anyway.

There are lots of people in Pyongyang who are less brainwashed than sekptical. Any FSB agent is incomparably more in touch with reality.

Austin Powers • May 11, 2014 9:45 AM

waki, China story - in lieu of a printer I would fax stuff to myself in the hotel in a fairly dinky town there. so one time I went to the office and asked for it, they said, no we didn't get anything. cmon, I know you got it, I sent it. No, no, no. 45 minutes. the secret police guy was out to lunch or something. when they finally gave it to me they crumpled it up and said ooh, right it was stuck in the machine as the secret police guy peeked around the corner. another time, just to be a dick I passed the guy waiting in the hall for me and doubled back like three times. when I finally left the hotel there were like 30 guys identically dressed waiting to tail me on the steps.

Clive Robinson • May 11, 2014 1:02 PM

OFF Topic :

Bruce gets a mention in this Cloudflare blog post on how they are slowly depreciating or removing RC4 from their list of Internet traffic ciphers,

http://blog.cloudflare.com/killing-rc4-the-long-goodbye

ARC4/RC4 has been with us for quite a number of years as has DES, we should stop using them both in their unmodified forms for the encryption of traffic on "Shannon Channels" (ie all comms including to internal storage).

Whilst some modified forms of both ciphers are considered safe it is probably wise to depreciate them.

However this gives rise to a problem it puts greater reliance on a single cipher (AES) which whilst the algorithm is theoreticaly secure we know practical implementations are quite vulnerable to time based side channel attacks some of which are known to work across networks.

This kind of leaves things in a bit of a mess... as I and others have said for sometime we do need more than one cipher algorithm, and we also need to be able to chain them in various ways (like 3DES but using other algorithms and even a mix of algorithms). The reason for this is that if chained in the right way they make exploiting time based side channels vastly more difficult.

Anura • May 11, 2014 2:08 PM

@Clive Robinson

I believe ChaCha20 is seeing some use. Although Firefox doesn't support it, Chrome does.

Nick P • May 11, 2014 3:20 PM

@ Clive Robinson

re TRNG

It's interesting research. I still prefer Lavarnd's CCD trick as it's easier to get right and doesn't come with a thoroughly backdoored mobile device. ;)

Anura • May 11, 2014 4:17 PM

Re: Stream Ciphers

One of the ideas I had in the past was to devise a method for creating a series of cryptographic functions based around a single invertible, nonlinear function. The block cipher can be trivially created from it by simply XORing a subkey before and after each call to the invertible function, up to a specified number of rounds. I did come up with different methods to create hash functions and stream ciphers as well, although I'm not good enough at cryptanalysis to even consider publishing them (I can't even find my code/notes right now anyway, probably lost it, it's been a couple of years).

IIRC, the hash function I came up with involved having a block and output size of half the block size, with a state equal to the block size. You XOR each message block m to the first half of the state s_n to get s'_n, then you run it through the function a specified number of times, XORing a constant after each round but the last, and in the last round you XOR s'_n to get s_n+1; s₀ would be a pre-defined constant. This should (and again, I'm not good enoguh at cryptanalysis for you to take my word) provide sufficient protection against both pre-image attacks and collisions. The output is the first half of the state after the final hash.

Ideally you would analyze the structure of the block/stream/hash functions in the general case, and then analyze the function it is based on independently as well as the algorithm as a whole.

Anura • May 11, 2014 4:31 PM

"IIRC, the hash function I came up with involved having a block and output size of half the block size, with a state equal to the block size"

Should read:

"IIRC, the hash function I came up with involved having a block and output size of half the block size of the invertible function, with a state equal to the block size of the invertible function"

For reference, my design had a 512-bit block size.

arielb1 • May 11, 2014 4:41 PM

@Anura

That's almost the sponge construction, used by Keccak aka SHA-3 - except that they limit the input size to half the state size.

Your version has the problem of not being collision resistant -
the messages 0, 0||(f(0, s_0)^s_i) have the same hash.

Benni • May 11, 2014 4:56 PM

In their weekly meeting, BND warns the german government that Russia has influence on Bulgaria. They seem to be in sorrow that Gazprom made an advice to change a law for declaring a pipelina as a simple "connection piece" thereby undermining european regulations:

http://www.spiegel.de/politik/ausland/bulgarien-bundesregierung-fuerchtet-russlands-einfluss-a-968785.html

And of course, when the BND warns the german government, then this gets in the newspapers immediately.

@Skeptical:
Der Spiegel mentions that BND sources told the german government US soldiers were working in Ukraine. Tex explicitly write that this information was given by the BND during the weekly meeting of the secret service whose chairman is Peter Altmair, minister of the chancellory.

And the Bild article that Spiegel cites here is this one:

http://www.bild.de/bild-plus/politik/ausland/wladimir-putin/hat-die-welt-belogen-35913316,view=conversionToLogin.bild.html

Which is behind a paywall, and not the article ypu linked. Usually, the Bild tabloid is extremely conserative, even defending most nsa programs. This is why it often happens that secret service members tell this tabloit a thing or two. When they publish things like that, which is very unusual because of their severe conserative viewpoints, then one can indeed assume they come from government sources.

And by the way, do you have solid proof of russian Speznaz in Ukraine?

These "proofs" here do not count, as journalists have met the alledged "agents", showing that they are no agents what so ever:
www.spiegel.de/politik/ausland/ukraine-krise-wie-usa-und-russland-mit-propaganda-arbeiten-a-966009.html

Instead it more looks like this:
http://www.nytimes.com/2014/05/04/world/europe/behind-the-masks-in-ukraine-many-faces-of-rebellion.html?hpw&rref=world&_r=3

Skeptical wrote:

Instead the article notes that the Pentagon speculates that the Russian planes were gathering intelligence on Ukrainian air defense.

Yes but if the nsa did not intercept anything, or wasn't told anything by the russians, how could the NSA know and tell the BND that the russian pilots had explicit orders to violate ukrainian aerospace? But yes, perhaps it was the CIA not the NSA, since the article only says that BND was informed of the russian pilot orders from the american government.

Benni • May 11, 2014 5:24 PM

And by the way, skeptical, the information that the nsa intercepted russian pilot orders and told this the BND which told it to the german government is in this article, not the one it links to:

http://www.spiegel.de/politik/ausland/ukraine-krise-400-us-soeldner-von-academi-kaempfen-gegen-separatisten-a-968745.html

So Skeptical is correct when he says "There is nothing in the associated article". It is not in the associated article, this is true, but in the article itself.

Funny is the language of the nsa denies, as always...

Anura • May 11, 2014 5:24 PM

@arielb1

That's almost the sponge construction, used by Keccak aka SHA-3 - except that they limit the input size to half the state size

I guess I wasn't clear, but in my construction the message size is also limited to half the state size. So for a 512-bit function, you would have a 512-bit state, a 256-bit message size, and a 256-bit output.

s_n = a_n || b_n
a₀ = (first 256 binary digits of fractional portion of pi)
b₀ = (second 256 binary digits of fractional portion of pi)
s'_n = a'_n || b'_n = f(a_n ^ m_n || b_n)
s_n+1 = a'_n ^ a_n ^ m_n || b'_n ^ b_n

For a message of k blocks, return a_k. If that's the same as Kekkal, I was unaware as I have never looked at the internals, I was inspired by the Davies–Meyer construction, which was designed to turn a block cipher into a hash function (although since I do not use a block cipher, it's not the same).

Benni • May 11, 2014 5:48 PM

With regards to these US Soldiers fighting blackops in Ukraine:

Now Hans Christian Ströbele, the german parlamentarian who met Edward Snowden in person and who is on the oversight board of the BND, says on his facebook page he will ask the german government if that is true, and who exactly is paying these soldiers. Since Ströbele is in the oversight board, the BND must give him access to its files on request....

So CIA and NSA, as a general rule of thumb:
If you do a blackop somewhere, do not share it with the german secret service BND. As if you do so, it might end up in the newspapers.

7 • May 11, 2014 6:09 PM

Turchynov’s chief of staff, Serhiy Pashynskyi: ‘We will not engage in street fights in Slovyansk or elsewhere because that will lead to dozens of unnecessary deaths.’

The de facto Ukraine is letting go its smithereens. It's over.

The US plan was Yugoslavia II: to incite enough atrocities to serve as a pretext for illegal use of force by NATO. In Ukraine, that idea's too stupid even for the washouts of Academi. Now the US backup plan is vilification in breach of the international law of non-interference. To that end Academi is there to provoke whatever violence they can as the Ukraine shrinks down to the exclusion zone.

Anura • May 11, 2014 6:11 PM

I need sleep, now I'm mashing band names with hash functions.

Benni • May 11, 2014 7:21 PM

@7, please put your propaganda somewhere else.

The osze military observers are, at least for the german part, known to be advised by the BND, which tells them where to find "interesting locations": http://www.sueddeutsche.de/politik/spionageverdacht-osze-gesandte-mit-naehe-zum-bnd-1.1949899 . These observers only come into a country on explicit request by the country itself. As with Ukraine, the Ukraine made the request.

But these quys were in russia too. With an american and a canadian "observer". Now think a while why russian government invites american and canadian agents to inspect its own military on ukrainian border:

http://www.spiegel.de/politik/ausland/osze-in-der-ukraine-fragen-an-ministerin-von-der-leyen-a-967579.html

Of course that does not fit the usual propaganda of russian TV shows. It also is not a very good argument to rail support from conserative voters in russia or the us, but there seems certainly more cooperation than these agencies are currently willing to admit.

Benni • May 11, 2014 9:14 PM

@ Non Target" They stole around $17 billion with the Sochi Olympic scams. Then after that they stole Crimea which was worth at least twice as much as the new Olympic village rip off they built to host the games. A nation of criminals! They should be sending Ukraine a check. Maybe lay off the vodka a little."

Well, Exxon, or Shell do not send checks, neither does Goldman Sachs.

And so, Gazprom also does not send any checks. When an oil company sees the opportunity that the european union will pay, the oil company will seize this opportunity immediately, increase its prices and wait for the europeans to pay.

In a letter that Putin sent to european governments, he wrote that the russian government has supported ukraine before, but the european union should step in, since russia can not longer bay billions alone to keep the ukrainian government alive, mentioning that eu uses ukraine with an imbalanced trading sheme that is partly responsible for the current crysis there. He mentioned that gazprom will increase its prizes, but that russia is willing to continue support, writing that there should be talks between russia and the ministers to decide who pays what.

Unfortunately, the assertion with this imbalanced trading sheme of putin is somewhat correct. Especially germany is only interested in exports. Germany got severely critizised by the european union for only exporting things to make more money for its own. So the ukrainians have to pay for german goods, but they hardly sell anything to germany.

http://www.spiegel.de/wirtschaft/soziales/eu-kommission-prueft-deutschlands-exportueberschuss-a-933370.html

The eu took long to answer putin's letter. Perhaps since when it comes to money, it is also somewhat unwilling to spend. But below is the response from europe:

So before one writes that the russians would be thieves who should pay the ukraine some check, one should recognize that putin has offered talks to work together with europe in order to decide who supports what at ukraine.

http://europa.eu/rapid/press-release_STATEMENT-14-132_en.htm

"Mr President,

The European Union agrees on your proposal for consultations with the Russian Federation and Ukraine with regard to security of gas supply and transit. We believe that this approach allows for the most useful process with the Russian Federation and other third parties, as these matters concern Member States' matters as well as the operation of the European Union's single market and touch upon a shared competence of the European Union.

As you point out, the European Union and the Russian Federation are Ukraine 's main trading partners. Let me reiterate that the need to ensure the long-term political and economic stability of Ukraine is therefore a key interest of the European Union and of the Russian Federation as you stated in your letter.

Therefore it is our common interest to quickly engage in talks which will include Ukraine.

However, we do not share your assessment of trade relations between Ukraine and the European Union that, to a large extent, the crisis in Ukraine 's economy has been precipitated by the unbalanced trade with the European Union Member States.

In this regard an IMF-led programme of assistance will be vital in stabilising Ukraine's economy. The success of an IMF-led programme will depend both on Ukraine's commitment to international obligations and reform efforts and on cooperation from all their international partners.

The European Union, together with its international partners under the framework of the planned IMF assistance package, is already providing significant support to Ukraine and its people through substantial macro- financial assistance, generous trade preferences and a variety of other aid measures agreed with the Ukrainian authorities....

Tom239 • May 11, 2014 9:18 PM

A web service that uses forensic techniques to gauge whether or not JPEG images are unmodified digital camera output went live recently at izitru.com. It has a database of camera characteristics (e.g., sensor and software idiosyncrasies) and does a series of tests to try to detect various artifacts of photo manipulation. You can do for yourself what several news reports were too lazy to do: upload a few images and see how well it does or doesn't work.

I give credit to the exceptions, where media outlets did more than just be stenographers for Izitru's press releases. E.g., Popular Photography, who said about Izitru's photo analysis service, "The only problem? In its current form, it just doesn't seem to be doing a very good job of it."

Izitru's FAQ, in response to the question "Why should I trust the results of your image certification?", says "The izitru site was founded by established experts in image processing. Hany Farid, Ph.D. has spent the past 15 years innovating new technologies in the field of image analysis and forensics, and is considered one of the world's leading researchers in this area. His co-founder Kevin Connor spent more than 15 years guiding the evolution of Photoshop software at Adobe." Note that the answer doesn't say anything about how it might have been evaluated, how well it fares in tests, or anything like that. Just trust our product because we are experts.

DB • May 11, 2014 9:30 PM

@ waki

Elaborate in what way? One could write whole series of books about it... and the differences culturally, politically, and general freedom-wise.

Regarding what we were talking about, freedom of the press: Chinese press is totally and completely and openly and obviously owned by the government, and only speaks as a direct mouthpiece for the government. No exceptions, ever. Therefore, to read "truth" from it, you generally read "between the lines"... i.e. if they published a big denial of something, you went "oh, I guess someone has accused them of that".... and then all the "thinking" people made up their own minds from that, and the less educated or knowledgeable just believed it. But with a little practice, you really could become quite adept at this between the lines process, and you could be fairly knowledgeable about what's really going on.

7 • May 11, 2014 10:42 PM

@benni, your viewpoint is invariably apposite, so it saddens me when you call me a Russian propagandist. Yes, OSCE is competent and incorruptible by comparison with, say, NATO. Russia is wise to have focused its dispute resolution efforts on OSCE. The OSCE acquis is well integrated into human rights law and its Vienna and Moscow mechanisms offer capacity-building initiatives that could help with both the violence and the weakness of the de facto Ukraine state. But the US is trying hard to suborn OSCE, along with all other potentially honest brokers, in this case by infiltrating its secretariat. So the missions do not necessarily advance the objectives of the treaty parties.

Domo • May 11, 2014 10:56 PM

Since the NSA disclosures started, I feel pain whenever I think about doing anything that I know some prosecutor somewhere in the United States has destroyed lives over. It's harder for me to think about learning programming without feeling pain. Thinking about anything at all related to hacking makes me feel pain. It's just easier to not think about this stuff anymore.

Congratulations, NSA and the prosecutors you give your ill-gotten evidence to. You've destroyed my spirit to do more in life for fear of you. Lack of trust in the system has resulted in self-inflicted pain to avoid being caught up in the system's schizophrenic use of the judiciary.

Benni • May 12, 2014 12:13 AM

The german comission that investigates the NSA now wants to question snowden in the embassy of another state. They would prefer the embassy of switzerland. Probably because they think that the russians have placed bugs all over the german embassy in moskow:

http://www.heise.de/newsticker/meldung/NSA-Ausschuss-soll-Snowden-in-der-Moskauer-Botschaft-eines-Drittlandes-befragen-2187036.html

So if russia wants to know what snowden has, it should go on and place bugs in the embassy of switzerland.

And if Snowden reads this blog:
It is in his own interest to tell them everything he knows, even things which are not in the press. He should offer the control comission that he can explain the files which are currently in possession of ppoitras and greenwald, if he gets access to them in germany, where the journalists might consider giving him a copy of his things.

Experically, the germans might be interested in industrial espionage, with names of companies, and the things that nsa stole. Also, germany is perhaps interested in the espionage that other countries do, e.g. russia, from which the nsa might have a copy. Of course the parliament is also interested in espionage against the german government.
They are also interested whether the german BND has abused its abilities or is involved in illegal matters.

The parlamentarian comission wants to question snowden at the beginning of july. His asylum ends at the end of july. If snowden provides enough answers, and with this, I mean more than what appeared already in the press up to now, then they might even get him some flight to germany. But he has to make clear that he will be working with the germans, and he has to provide details.

The parlamentarian comission said already that the last interviews by the european parliament have lacked details and new information. If he wants to germany, he might consider to give more precise answers.

If snowden comes to germany, he would not have the right for asylum. As there is no political persecution in the United States. So an extradition process will begin. A judge will have to review his case, but this judge will be bound by a german law that says "no one can be extradited from germany if because of political crime", which would, in snowden's case, lead to a so called "duldung" an acceptance to stay.

@7:
You do not understand what I said. OSCE has two missions. Its main mission in Ukraine is civilian. However, every member of OSCE can also get military observers into its country to investigate suspicious activities. In Slawjansk, these "observers" were captured as spies, after they told at the checkpoints that they just want to visit sights and monjuments, but had cards where they noticed the locations of all checkpoints and ammunition and explosives in their car. Even the german government now says that these inspectors were instructed from the german secret service BND. Russia knew this before, since at Crimea, russia did not allow them to enter. However, at ukrainian border, russia explicitly invited these people, in their case coming from Canada and the USA, to inspect the russian military. That the FSB and CIA are in fact sharing many of their informations can also be seen here: http://www.spiegel.de/politik/ausland/ukraine-krise-400-us-soeldner-von-academi-kaempfen-gegen-separatisten-a-968745.html It is unlikely that the americans could inform the german government that the russian pilots had the order to fly into ukrainian aerospace, if the russians had not explicitly told their us partners that they are conducting spy flights over ukraine.

Clive Robinson • May 12, 2014 4:26 AM

OFF Topic :

For those commenting on the NSA hardware from the Ed Snowden revelations, you might be interested in having a look at this fairly inexpensive commercial product that it about the size of a fingernail and has quite a lot of functionality including WiFi connectivity...

http://electricimp.com/docs/attachments/hardware/datasheets/imp003_LBWA1ZV1CD.pdf

The technology for making even more usefull sureveilance devices is fairly readily available, it's just the start up costs to get an initial production run that's moderatly expensive (but well within the price range of many individuals hobby "vanity projects").

Wesley Parish • May 12, 2014 5:45 AM

ON TOPIC

Regarding Pain as a security mechanism, it's primarily feedback to prevent continued activity causing that pain. IIRC, it's a specialization of single-cell chemical signaling to sibling and descendant cells that the current environment is hostile to such single-cell life. Its current status as a signaling device for a multicelled colony being is to prevent more component cells than absolutely necessary, getting killed off: because if that happens, the colony becomes unviable and dies in toto.

It can be used as a metaphor for a community's responses to adverse events and hostile circumstances. But to do that you need to understand the similarities and differences, otherwise you wind up with a biochemical version of Goodwin's Principle, in which noise predominates over signal.

Mike the goat • May 12, 2014 8:22 AM

Clive: thanks for sharing the link, I have reposted this on my blog as the cloudflare post was short, eloquent and covered all the usual bases.

I too worry about colloquially putting all of our eggs in one basket. Rjindael is thoeretically secure, but there is always that (perhaps healthy in our industry) niggling thought as to how the deck of cards could come crumbling down should it be found some day to be deficient or downright broken. I know that this is highly unlikely, but I imagine RSA figured nobody would factor RSA768.

7 • May 12, 2014 9:20 AM

@benni, Yes, of course, two missions. The mission you refer to as "investigative" is, I suspect, the confidence-building measures under the Vienna Mechanism. These are explicitly political and not investigative in any legal sense. Naturally the Russians are cooperating. This is in large measure their initiative, put forward to counter NATO confrontation. Nonetheless, every US contingent in Ukraine, OSCE included, is stuffed to the gills with US spies acting not for the OSCE but for the USG. Well, maybe they'll put one US straight man with actual subject matter knowledge in some missions, if they have to. So perhaps we are talking past each other. Cooperation coexists with dirty tricks. The US role is maybe 10% cooperation.

Skeptical • May 12, 2014 7:09 PM

@Benni: Usually, the Bild tabloid is extremely conserative, even defending most nsa programs. This is why it often happens that secret service members tell this tabloit a thing or two. When they publish things like that, which is very unusual because of their severe conserative viewpoints, then one can indeed assume they come from government sources.

Tabloids sell sensationalism. An unconfirmed report from an anonymous source in a German tabloid that 400 US mercenaries are running Ukrainian military operations, that just happens to echo an article seeded in the Russian state media and elsewhere, is not credible.

And by the way, do you have solid proof of russian Speznaz in Ukraine?

Benni, are you really in doubt about this?

After Crimea, and given Russian strategic preferences, I'd say it's rather obvious, but here's an article that touches upon some evidence: http://www.bbc.com/news/world-europe-27231649, and there are many others.

There's quite a float of Ukrainian propaganda out there as well, of course, so much of what is encountered about Russian military involvement will be crap.

My own guess is that there is a sizable cadre of Russian operators (inclusive of GRU, certain special military units, and certain intelligence units) which are used to organize and direct the influx of less trained manpower from nearby Russian regions and the volunteers from local populations.

The efforts of that cadre would be coordinated with a broader Russian strategy that includes information and political lines of effort as well.

They pulled it off quite smoothly in Crimea, but even the heavily Russian eastern Ukrainian regions are a different matter.

Gunnar Mortier • May 13, 2014 2:00 AM

@gmortier Don't know if this is true "U.S Federal Agencies Want To Secretly Hack Suspects' Computers for Criminal Evidence" http://thehackernews.com/2014/05/us-federal-agencies-want-to-secretly.html#.U2_EiD1rLUo.twitter

If it is, it is another great leap forward (thinking of China) for the land of the free.

I can see some fascinating debates here:
FBI: Honest judge, we found all this nasty stuff on this computer we hacked, we didn't plant anything!

Clive Robinson • May 13, 2014 5:14 AM

@ Mike the Goat,

Thanks for the reply, I've responded.

As for AES being theoreticaly secure, crypto history shows us probably not, at some point a PhD student is going to come up with an idea and make their name with it (assuming they have not already done so in some government establishment).

As I've said a number of times in the past (long befor Ed Snowden revelations) I think the NSA rigged the NIST AES contest such that the speed requirment would give rise to practicaly insecure implementations that would then due to the requirment of the contest code to be freely available be copied and used by most if not all implementors. As was found shortly after the AES contest it was practical to extract the key across a network connection due to time based issues, and there are still many implementations in use that exhibit time based side channels.

I would like to see most of the final round contestants put in a lot more systems especialy where chaining ciphers is possible.

Mike the goat • May 13, 2014 5:42 AM

Clive: I agree with your thought about the world ultimately settling on a very limited number of ciphers. Diversification is always a good thing and at least makes the spooks job harder. I also accept that - as with many things - the vulnerabilities are often more likely to be in the implementation rather than in the cipher.

Clive Robinson • May 13, 2014 7:38 AM

OFF Topic :

@ Bruce,

I don't know if you've yet seen this report on Estonia's Internet voting system,

https://estoniaevoting.org/press-release/

It does not look at all good espicialy as it easily alows a foreign power to manipulate the vote to their advantage.

Clive Robinson • May 13, 2014 8:46 AM

OFF Topic :

For those who have been around the industry for a few decades this is not the first time someone has said "anti-virus is dead",

http://krebsonsecurity.com/2014/05/antivirus-is-dead-long-live-antivirus

The first example I remember was Dr Solomon selling his business to Norton back in the "Pink Shirt" days, his reasoning in those pre-internet days was that they had worked out how to deal with "Sneaker-Net" based threats... And within a year or two AV went very big time due to the Internet.

Time went by and people forgot about boot sector and simlar "Sneaker-Net" attacks, then as Internet based attacks got hard, Memory Sticks brought the Old School Sneaker attacks back into vogue and AV companies had to play catch up.

Realisticaly there are more attackers out there now than there are those skilled enough to combat them. Worse more mainstream user software is turning into vulnerable "Crapware" as marketing and managment race to the bottom pushing unwanted features that just massivly enlargen the attack surface.

So whilst AV software may appear dead, the minute the industry acts that way the Old School attacks will come back.

The one observation about defence that is always true is "You never know when you spend to much on defence, but you fairly quickly find out when you are not spending enough, if you are lucky enough to survive the first attack."

Clive Robinson • May 13, 2014 8:58 AM

OFF Topic :

Google is not going to be happy...

http://www.reuters.com/article/2014/05/13/eu-google-dataprotection-idUSL6N0NZ23Q20140513

Europes highest court (ECJ) has ruled that search engines like Google are legaly responsible for the results they serve up and thus must take steps to remove information that is prejudicial or harmfull to EU citizens from their search results when they are notified of such harms.

Clive Robinson • May 13, 2014 9:06 AM

OFF Topic :

A little more on why your US ISP may be bad for you the customer,

http://www.vox.com/2014/5/12/5711082/big-cable-says-broadband-investment-is-flourishing-but-their-own-data

Can any one say "Enron Technique" of busines?

Clive Robinson • May 13, 2014 9:14 AM

OFF Topic :

Techcrunch has more on the NSA puts tracking/cracking software and hardware into US routers for export story,

http://techcrunch.com/2014/05/13/nsa-reportedly-intercepts-and-alters-routers-and-servers-exported-from-u-s-to-facilitate-surveillance/

Anura • May 13, 2014 4:22 PM

http://www.theguardian.com/world/2014/may/13/nsa-surveillance-usa-freedom-act-encryption-amendment-zoe-lofgren

Lawmakers intend to attach a provision to the USA Freedom Act to bar the NSA from weakening encryption standards or using zero-day exploits. I doubt it will go anywhere.

Nick P • May 13, 2014 6:26 PM

Slashdot reported about NSF's funding of projects for a new internet with improved security, mobility, etc. I went digging for a page that references the projects themselves. Here's one of them:

http://www.nsf.gov/news/news_summ.jsp?cntn_id=117611

Nick P • May 13, 2014 6:53 PM

Clive referenced a project list I uploaded from NSF. It took me a week to find the darned thing as I couldn't remember name of the program. Anyway, here's NSF's list of projects pertaining to its Secure and Trustworthy Cyberspace program:

http://www.nsf.gov/awardsearch/advancedSearchResult?ProgOrganization=05000000&ProgEleCode=8060&BooleanElement=ANY&BooleanRef=ANY&ActiveAwards=true&#results

Not sure if I'm going to have time to check on them and see what projects have become something worthwhile. So, I'm posting the list here in case any readers feel like looking into it. A quick glance told me the Quark verified browser was a result of this program. That's good.

Figureitout • May 13, 2014 10:23 PM

Bruce
--Highly recommend this video (Part 1) by PBS. The part that really outrages me (on a very personal level) is where they attempt to frame Drake; by labeling unclassified info as classified (they simply crossed it out and labeled it classified). Shows just how weak the oversight is on these prosecutors, and I'm betting those that did that faced no serious jail time. Then 4 other people close to Drake got to experience getting raided, and how that effected and in some cases totally destroyed their lives. One in particular became severely reclusive and lost all his friends and wife; I still question my friends and am suspicious all times of potential agents 24/7, lovely side-effect of this stupid investigation into me that won't stop. Severely outraging. Oh, and the massive secretive dragnet surveillance of all Americans.

If you haven't watched it already, you should. Oh and it may not work on your Tails computer, but windows the "jwplayer" video works. Probably saying something. Oh well.

http://www.pbs.org/wgbh/pages/frontline/united-states-of-secrets/

yesme • May 14, 2014 5:43 AM

What is needed to get rid of that *fucking* spammmer?

Clive Robinson • May 14, 2014 6:37 AM

@ yesme,

Which one of the several that have poped up in a more agressive way since this blog moved?

There are advantages with running a blog on a shared managment location and also disadvantages.

One major disadvantage for a blog owner especialy a popular one is who is going to moderate it and for how many hours a day. It's rather more than a full time job as even though you can automate a large chunk of filtering those doing the spamming are quite adaptive and change their tactics almost as fast as you can get the stats to produce a new filter script to keep them out.

Some time ago several regular posters discussed various potential improvments to the site people might want to see if you hunt the posts out you will see that a few have been implemented or similar functionality added.

Another problem a blog owner has is how much change the current and future users will accept or be rejected by. Rapid change is usually detrimental due in some occasions to unanticupated side effects.

I tend to view the new comments page by default and thus see rather more spam than those who only look at the current threads, and thus I can see what has changed about the spam is not so much the quantity but the type. Previously much of the spam got posted to older threads, this appears to have changed recently, and you are not alone in commenting on what appears to be one or two of these changed behaviour spammers.

yesme • May 14, 2014 6:57 AM

@Clive Robinson

Another question is *why* is this spammer (let's assume it's the brainchild of one person) doing this? This is a technical site targeted at security. I don't think that people here are dumb enough to click the stupid links. Not after seen a couple of them.

Of course it doesn't cost the spammer anything after install. It's only the rest that "suffers" from it.

But one (probably dumb) suggestion. Could OpenID be an answer here? You know that only the nicknames and the key of OpenID is stored here and the authentication being done outside this site?

Clive Robinson • May 14, 2014 8:07 AM

@ yesme,

As for the Why you'ld have to see inside their or their sponsors head.

However in the case of one set of links, it was suggested that somebody was trying to build up a domain name value in search engines to make it a salable commdity.

As for others it looks like someone is pushing "Chinese Knockoffs" to people who are searching for certain supposed luxuray items...

Either way it appears as normal that "money is the root of all sins".

As for authentication one of the nice things about this blog is you don't have to authenticate in some way. Whilst it alows the spaming problem it would also put off quite a few people from posting thus would cause this blog to suffer.

I for one don't even read many sites I used to read because I don't wish to register or typein capatchers or a whole host of other issues like marketing inspired paywalls that turn you into a commodity or having to provide a valid email address that then gets blessed with infomercials you could do with out.

Autolykos • May 14, 2014 8:50 AM

@Skeptical: You're probably right about the general credibility of BILD and SPIEGEL. BILD is, and always has been, the most notorious German tabloid. You can't take them seriously on anything; they don't check sources and will tell blatant lies if it helps their sales.
SPIEGEL still has quite a good reputation (though not as good as ~50 years ago; nowadays ZEIT is generally considered the most reliable), and is unlikely to copy/quote stuff straight from BILD unless they have some secondary sources to back it up. Still, SPIEGEL is not that critical of our government, especially when the Social Democrats are in power.
But in this case, that's actually an argument for the credibility of the story itself. The official line from our government and mainstream media is that Putin is the evil aggressor trying to annex as much of the Ukraine as he can get away with. Sometimes "Russlandversteher" (literally "someone who understands Russia") is even used as an insult. In that context, you can expect stories justifying Putin to have better research than those blaming him for the crisis.
I also remember the stories/pictures about Blackwater/Xe/Academi in the Ukraine from at least a month ago, although it was unclear at the time what their job was. Not that it would tell you much; that country is at the brink of civil war, and there will be plenty atrocities from both sides to report. And you can always expect the mercenaries to fight for the side with the money, that is whoever is backed by Western companies.

Clive Robinson • May 14, 2014 8:57 AM

OFF Topic :

If various people are to be beleived the UK is currently more likely to change Intel Agency oversight than the US as the two parties that represent the majority of MPs.

http://www.theguardian.com/uk-news/2014/may/09/westminster-may-have-to-concede-edward-snowden-had-a-point

However we have a couple of elections comming up and a politicos mind is easily moved to other subjects of self enrichment, so I for one won't be holding my breath on it happening.

Especialy as one of the more slimey of UK politicos is incharge of the Intel Oversight commity and is known to be heavily biased due to his previous behaviour. The fact that his commity has just started it's own enquiry to try and head off other palimentry commities sugests it will be yet another major white wash, which at best will involve the moving of a couple of deck chairs for appearances sake.

Thus we need continued revelations to carry on over the next 18months to three years to keep it in the minds not just of the politicos but the public as well.

Oddly the changes that need happen may well be proposed and be more liberal from the UK Intel commumity it's self than from the politicos. The UK intel community has been more open these past few years than at any time in the past, and the changes made by the intel community its self have been seen by most as positive...

That said in the UK we generaly know rather more about US agencies than we know about our own, so there is a long way to go.

Benni • May 14, 2014 10:29 AM

Here are maps of the natural gas ressources in europe:

http://cryptome.org/2014/03/eu-lng-map.pdf

http://burisma.com/production/

Showing that Ukraine has some of the largest inexplored gas reserves in europe, with large amounts at crimea and eastern ukraine. Of course the son of the US vice president will work hard at this ukrainian gas company, to get his share of this bonanzahttp://burisma.com/hunter-biden-joins-the-team-of-burisma-holdings/ which could be just ruined if russia invades into eastern ukraine.

Eternal September • May 14, 2014 11:30 AM

Bruce, you will probably be interested in this book when it comes out in a few weeks: http://ukcatalogue.oup.com/product/9780199678112.do "Superintelligence: Paths, Dangers, Strategies" written by one of the professors from the Center for Humanity at Oxford.

I recently accepted a position to work on a Lisp based OS for a Quantum prototype computer. So far the AI I have seen being developed on it constantly reminds me of fictional SKYNET.

Skeptical • May 14, 2014 12:45 PM

@Auto: The story doesn't challenge the narrative that Russia is encroaching in Ukraine, though. It's not really contrary to the German Government's position. But it does stir additional alarm by implying US involvement in hostilities against Russian or Russian-sponsored forces. And from a media perspective, that makes for a great hook, even if the story isn't confirmed or is weakly sourced.

Re Blackwater and other private military contractors: while they undertake executive protection, transport/infrastructure security, and training projects, I don't believe I've heard of them accepting contracts in which they would primarily play an offensive role in combat missions, but that doesn't mean anything. Has that been reported anywhere?

It's possible that there's a grain of truth somewhere in the story. It would be rational for the Ukrainian Government to purchase the services of such companies to provide additional training for the military or police, or to provide security for certain persons or things.

@Benni: The US has over 300 trillion cubic feet of proved natural gas reserves. Ukraine has 39. Safe to say that the US isn't interested in Ukraine as a potential source of natural gas. To the extent the US has any interest at all, it would like Ukraine to continue to develop as an independent democracy, as this would foster additional stability in eastern Europe. Russia's interests are deeper and more complicated.

Clive Robinson • May 14, 2014 1:55 PM

@ Benni

I mentioned the gas under the Crimea on this blog a few weeks ago when it first kicked off.

Whilst the US probably does not care about the shale gas Russia almost certainly is. The last thing Putin and his cronies want is for the Ukraine to develop and independant gas supply for themselves or other ex soviet buffer nations or worse yet the EU.

Basicaly Putin has a history of changing gas prices and turning of the supply as a method of political influance and extending the Putin favouring mainly criminal governments in the old buffer nations to stop migration to NATO and the EU.

If people continue to ignore this issue then they are going to get a nasty surprise and Germany is one EU nation Putin wants to bleed dry into his and his cronies coffers. Because if he can bring Germany "to heal" then he can use them to control much of the Eastern part of Europe and due to money supply cripple Sothern Europe into selling food and other products into Russia at vastly reduced rates (Russia has a history of manipulating world markets, the most famous being the New York commodity exchange for grain which involved state level espionage against the exchang, traders car phones, offices and land lines).

As far as Putin is concerned NATO removal / emasculation would be a very desirable step along the way to being dominant power in Europe with a very tight grip on manufacturing resources (much as China has been doing with scarce resources it has a near monopoly on currently).

History shows how damaging such resource control is with 4000years of recorded history of "water rights wars". As I've said bfore the new economic wars will be about Energy and raw resources for the next generation or so then it will revert to water wars again. This may be sooner depending on what happens with regards global warming, food production and population in various countries.

Benni • May 14, 2014 2:14 PM

@Skeptical, can you please stop your lies.

Sceptical wrote " The US has over 300 trillion cubic feet of proved natural gas reserves. Ukraine has 39. Safe to say that the US isn't interested in Ukraine as a potential source of natural gas. To the extent the US has any interest at all, it would like Ukraine to continue to develop as an independent democracy, as this would foster additional stability in eastern Europe. Russia's interests are deeper and more complicated."

http://www.globalresearch.ca/beneath-the-ukraine-crisis-shale-gas/5379228

On Nov. 5, 2013 (just a few weeks before the Maidan demonstrations began in Kiev), Chevron signed a 50-year agreement with the Ukrainian government to develop oil and gas in western Ukraine. According to the New York Times, “The government said that Chevron would spend $350 million on the exploratory phase of the project and that the total investment could reach $10 billion.”

Do you think that Chevron invests 10 billion in Ukraine Gas ressources because it does not care?

The us are similarly interested in ukrainian gas as is russia of course.

Skeptical • May 14, 2014 3:26 PM

@Benni: Try to exercise some courtesy. It's perfectly fine to disagree, but there's no need to claim that I'm lying.

Nothing in my comment is false, much less a lie. Ukraine's natural gas reserves are tiny compared to that available in the US and have no strategic importance to the United States.

You cite Chevron's planned expenditure of $350 million dollars in Ukraine over 3 years (with the potential, over 50 years, for a higher spend).

$350 million over 3 years is a very small fraction of what Chevron spends. The company plans to spend $39.8 BILLION in 2014 alone. In comparison to the US economy as a whole, or even just the oil and gas sector, it is microscopic.

In short Chevron's planned investment is too small to be a real factor in US policy with respect to Ukraine.

@Clive: I agree re potential of projects to reduce EU reliance on Russia. I don't think Russia has any realistic chance of becoming a dominant power in Europe, given Russia's shell of a military and its very vulnerable economy. I'd hope Putin's ambitions are closer to the realm of reality, but on some days, frankly, it's difficult to tell.

Ironically of course the long-term effect of his adventures in Crimea and Donetsk will be to spur the development of natural gas exports from the US to Europe and refocus NATO.

Benni • May 14, 2014 4:29 PM

@ Skeptical:
"In short Chevron's planned investment is too small to be a real factor in US policy with respect to Ukraine."

The country with europes second largest gas reserves, cheaply to explore and ship, because the pipelines are there, in a potentially secure environment because of the proximity to europe, with a large customer nearby....

If the us companies, and therefore its politicians would not be interested in their share of that, then they would be just plainly stupid. If they would not be interested Hunter biden, son of the vice president, would probably not seek to be employed by an ukrainian gas company.

And by the way, your alledged proof of speznaz soldiers im ukraine is extremely weak. I know a colleague who is a good mathematician but was born in this region of eastern ukraine. And I can tell you, he says that 90% of the people are fanatic communists. Yakunovitch came from the Donbass region. The problem with ukraine is that it is so divided that if a president comes from the east, he will face protests in the west and vice versa. Now yakunowich was thrown out by right wing extremists in the west. It is very conceivable, given the radicalization, the worshipping of lenin, and a certain agressiveness that the eastern ukrainians have, that this separatist movement started by them alone. The separatists would not have any chance, would they not find much of their support from the local people there.

The blackwater soldiers, however, were discussed by the german secret service meeting. I'm interested what the german government will answer to Ströbele, who has issued a question to them on this....

Nick P • May 15, 2014 12:18 AM

PUMP - A programmable unit for metadata processing
http://www.crash-safe.org/sites/default/files/pump_hasp2014.pdf

This paper is from the team building the SAFE processor for DARPA's clean slate, secure system designs. They've generalized their tagging system into a metadata processor of sorts. Nice that they keep doing and publishing good work for us. :)

Clive Robinson • May 15, 2014 8:43 AM

@Skeptical,

It's not just Putin's Russian forces that have become "shell" like compared to their "Cold War" status, it's NATOs as well.

The problem is thus which one is more hollowed out in conventional forces, and the answer acording to the likes of Janes and similar is NATO. The reason being the assumption that all serious Eastearn Block threats would be "rouge operators" or terrorists using the old CCCP nuclear weapons. So whilst the US ran around the newly freed republics buying up as much nuclear material as they could NATO conventional forces were considered second tier at best compared to missile defence systems.

Putin and others have taken great exception to having Russias former buffer nations becoming the new front line of NATO missile defence systems and have in response tried political and economic preasure which has been talked about in the Western Press, what however has not is the build up of Russian ground special forces, the assumption being that they were for fighting "terrorists" in Chechnia etc.

However some suspect the build up is in part to deal with China's build up of military forces and in part to make up for the loss of buffer nations and a way to potentialy eliminate the NATO missile defence systems. A very few have argued that such forces might well be used to support activities of other States like Syria or attack those that might be supporting the terrorists that Russia has to deal with, however since the uprising in the Middle East, some have been saying such special forces could be used to take territory which has the support of the population there...

Whilst I think it unlikely Putin will become a major invading force into Europe I can certainly see him "recovering" previous CCCP teritory if it has stratigic value such as energy or other resources, that will continue his political ambitions into Europe.

Western Europe currently is at it's weakest for many decades it has cut back not just on NATO forces but National forces as well to such an extent that some nations don't have effective forces to deal with disorganised internal civil unrest let alone an organisedexternal threat.

Which with the likes of China building up it's external facing military forces extensuvly begs the question of what will the US do if Putin pushes down into parts of Europe or China pushes at regaining control of the South China Sea on which it is criticaly reliant on for around 80% of it's oil supply.

Then there are the issues of North Korea and Iran, personaly I think that they actually want to improve their energy security rather more than they want to start international wars. In both cases the US has been visably agitating to go to war with both nations, making threats in various forms and renaging on treaties and other agrements made.

Thus I don't think the US realy has an eye on Eastern Europe, and the taking over of Crimea by Russia has been a real eye opener for the rest of the world.

The question is thus is this taking of the Crimea by Putin oportunistic behaviour, sending a message behaviour or a portent of future intentions...

With the secondary question of what effect it might have in other parts of the world? Which might well depend on what oportunities some nations might see if the US gets tied up in a new military campaign somewhere.

Skeptical • May 15, 2014 8:49 AM

@Benni: Regarding the size of Ukraine's natural gas reserves, and the significance of Chevron's investment, I gave you the actual numbers. The significance of those numbers is as follows:

--Chevron's investment constitutes a very small percentage of their total annual investments; it's not something that would motivate US Government intervention.

--Ukraine's proved natural gas reserves are not significant to US energy policy.

I understand if you disagree. Deciphering the intentions of states can be inexact (depending on the structure of the state concerned, it may not even be correct in some circumstances to do so!).

Let me point out one more fact if you're unpersuaded by the numbers. US policy towards Ukraine has not changed in many years and in fact long pre-dates Chevron's investment.

US policy over the long-term is to encourage the growth of democratic institutions and rule-of-law. This is not only the right policy morally, but is also in long-term US interests, as democratic states with good rule of law tend not to go to war with each other. Thus the development of such institutions in Eastern Europe will promote overall European stability, peace, and economic growth long into the future.

waki • May 15, 2014 11:25 AM

@DB

Thanks. It would be interesting to know the cultural and 'general freedom-wise' differences. How do they vary from the West?

Skeptical • May 15, 2014 11:38 AM

@Clive: It's not just Putin's Russian forces that have become "shell" like compared to their "Cold War" status, it's NATOs as well.

Well, this depends in some ways on what we're counting as NATO forces. The effective power of NATO as an alliance needs to take into account the entirety of the US military, which obviously is far from a shell. But certainly European military forces have been reduced.

Yes, special operations forces can be used in all of those missions, and, clearly, were used in Crimea and are likely being used in Donetsk and elsewhere.

I agree with this, though I don't think it's a good course of action for Russia.

Yes, I think this is a problem. Perhaps recent Russian actions, though, will push Western Europe to address it.

I think that the US has already begun developing resources and relationships to deal with those contingencies. It would be a grave mistake for China to push militarily (or for Russia to push into a NATO member), though I think both will continue to try to advance their interests through other means.

As the US shifts resources from counterinsurgency missions, and as the US economy continues to recover, the capacity of the US military to respond to more conventional contingencies will increase.

Well, there's a tenuous resolution with Iran, and we'll see how that goes. North Korea is a hard problem, and it's hardly just the US facing it.

The question is thus is this taking of the Crimea by Putin oportunistic behaviour, sending a message behaviour or a portent of future intentions...

These are good questions.

Nick P • May 15, 2014 6:36 PM

The many levels of source code sharing: not just "open" or "closed"

I've noticed in recent debates a false dichotomy: you can have "open source" or proprietary, but not both. A person thinking there's only two possibilities might miss opportunities, esp in a business that's afraid of FOSS, backdoors, or both. The good news is there are many levels of source code availability and review possible. I'm going to briefly run through some of them here.

Source Availability Levels and Security Implications

Let's briefly look at levels of sharing for a given application's source.

1. Totally closed source application.

This is a black box. It might have defects, backdoors, etc. One must trust provider or use various analysis/isolation mechanisms to reduce trust in them. This is the most dangerous type of software if you don't trust the provider.

2. Application with some source available.

This is a black box except for certain components. This is common with cryptographic algorithms, protocols, etc. This allows you to review a subset of the implementation for unintentional flaws or backdoors *in that subset*. Backdooring and unintentional vulnerabilities are still possible in other parts of application.

3. Full source *and documentation + development tools* of application is available.

This is a white box. The application's functionality can be inspected for accidental or deliberate flaws. The documentation will help the readers understand the code, increasing review effectiveness. The tools (or compatible ones) being available ensure a binary can be produced from the source code. If tools & runtime are similarly open, then the whole thing can be vetted. Otherwise, a person is putting their trust into whatever layers are closed, while trusting others to vet what is open.

Various source sharing arrangements and security implications

We can see that the full source must be vetted. Sharing it can happen in many ways. It doesn't have to be "give it to everybody" vs "give it to nobody." That's the false dichotomy I referred to. There are in fact plenty of options that go way back before "Open Source" became a widely known phrase. Surprisingly, there were proprietary companies doing this. Here's a somewhat unstructured list of possibilities. Also assumed is that docs, compilers, etc are shared with anyone who gets source code.

1. No source sharing of privileged code.

The code is kept secret. Only binaries are released. The user must fully trust developer of the code. Backdooring is much easier. The code might or might not get reviewed internally for general vulnerability reduction.

2. The source code is given to a security evaluater, who publishes signed hash of each evaluated deliverable.

This was the first security evaluation model, esp in higher Orange Book levels. An evaluator with full access to code would determine a level of assurance to place in the code, enforce a minimum set of security standards, look for backdoors, and more. If you trust the evaluator, using the version they signed can increase confidence in software. If you don't trust evaluator, then trust level is same as 1. The main drawbacks here are extra cost of product due to evaluation and the likelihood that customer will always be at least one version behind.

3. The source code is given to several security evaluators, who publish signed hash of evaluated deliverables.

This model is similar to modern practice for higher assurance systems under Common Criteria. As higher assurance certification isn't automatically OKed in every country, the government of each country wanting to use the product might ask for a copy of the source code & documentation for their own evaluation. There's typically one evaluator that still does most of the work. The others are a check against it. This increases trust in the system so long as you trust that the evaluators and developer won't work together. One can reduce that risk by using mutually suspicious reviewers. That might even be default in these schemes as such suspicion is a driver for multi-party evaluation in the first place. You're still a version behind.

4. The source code is given to select people, such as users or evaluators, under a non-disclosure agreement.

An early example here was Burroughs B5000's OS (MCP) given in source form to customers for review and/or modification. This allows more validation than 2 or 3 as there is quite simply more labor ("more eyes") and you can pick who to trust. The risk of backdooring is low and potential to reduce defects is greater than previous options. The actual security improvement from this process depends on the number of reviewers, their qualifications, and what part of application each focus on. Having only a few qualified people of unknown identity reviewing a limited portion of the code is essentially equal to No 2 or 3 in trustworthiness.

5. The source code is available to all for review.

This allows the highest potential of security evaluation. Free open-source software (FOSS) is the vast majority of this. There are some commercial offerings whose source code is fully available, but only usable in commercial sector for a price. There are also hybrid models described here in an article mainly focusing on business models. As with 4, the *actual* trustworthiness of this still depends on the review processes and trustworthiness of reviewers just like with 2 and 3. Easier overt backdoor protection than 2 or 3, though.

Reviewers: The critical part in both closed- and open-source evaluations

So, my side says open- vs closed-source doesn't matter much against TLA's if they can find vulnerabilities in it at will. Assuming invulnerable systems can even be produced, what does it take to claim one is there or comes close? A ridiculous amount of thorough analysis of every aspect of security lifecycle by people with expertise in many aspects of hardware, software, and security engineering. So, it's obvious that regardless of source sharing model, the real trust is derived from the reviewers. Here's a few ways of looking at them.

1. Skill. Are they good at whatever they're reviewing? How good? Can they catch really subtle issues, corner cases, and esoteric attacks? Do they have the knowledge and experience?

2. Experience. How many reviews have they done? Were they successful? What is their track record at finding problems? How many were they seen to miss over time?

3. Time. How much time do they have? These analysis take a long time. The more security, the more analysis and the more time to put in. How much time was spent doing a specific aspect of the review?

4. Tools. Does the reviewer have the tools needed to find the problems in the system leading to vulnerabilities? There are tools that can help catch all sorts of subtle bugs such as concurrency errors, pointer problems, and covert channels. Qualifications being eqqual, a reviewer lacking tools to automate aspects of their work might get less done.

5. Commitment. How much do they really care? Will they let certain things slide? Will they gripe about every violation? How much will they tolerate from the developers?

6. Coverage. How much of the project will be reviewed, how thoroughly, and how often? It's common in lower end evaluations (and FOSS) for only so much to be tested. Higher quality efforts put more effort into reviews and testing.

7. Trustworthiness. Will they mislead you to weak your security? Should be number one, but it's often last one people's list in practice. So, I saved it for last. :)

So, looking at these, the worst kind of reviewer will be a saboteur who lies about effort put in, fixes low hanging fruit for reputation, and blesses code with subtle, critical flaws. The worst non-hostile review will be a casual one by a non-expert looking at a few pieces of code merely saying he or she "inspected the app source code and found no problems." High quality & security necessitate a number of mutually distrusting reviewers will good attributes in about every area of this list. They check the product and keep each other honest by doing a certain amount of redundant analysis. Any truly core feature (e.g. TCB) is analyzed by all.

Putting it together

I hope people now see the situation isn't black and white. Proprietary systems' source can be opened to varying degrees. Trustworthiness of closed, open (non-free), and open (free) source depends on both development process and reviewers. There are many combinations of source sharing and review processes that lead to a variety of tradeoffs between trustworthiness and practical aspects of software development. You can have as much of each as you have resources to achieve them regardless of free or non-free, widespread distribution of source or select few, etc. The resources, from the reviewers involved to time/money available to design choices, are always the determining factor of trustworthiness achievable in a given application or system.

Mr. Pragma • May 15, 2014 7:29 PM

Thanks, Nick P

Some short comments.

- Many commercial producers shy away from open-source for a variety of reason. One example is that many can't, don't, or don't want to see and accept the different meanings of "free" (assuming open source must be cost-free, too). Another problem is that many shops feel, quite possibly correctly and based on experience, that open-source will lead to hefty income losses.

- Obscurity -- as one approach next to others -- actually *can* be attractive and helpful. One reason being that open source being easy to look at is also valid for evil guys. Closed source *can* be dissected and analysed, no doubt, but comparatively very few will do that. Experience shows that unless the target is outright hated by many (like adobe or microsoft) chances are that vulnerabilities will have way less chances to be found (and consequently abused) in closed than in open source.

- Well seeing the value of code audits one should realistically note that due to the highly dynamic nature of software (frequent updates, new releases, etc) audits are almost bound to be outdated.

Side note: I'm currently working in that field right now and one of the striking but somewhat ignored points taken away is the following:

It's basically next to nonsensical to create "another Ada" - it simply doesn't address the most urgent problem.

Because the most urgent problem is *not* to achieve an even higher maximum level of reliability, safety, and security in language design but a considerably higher minimum quality level.

Not surprisingly, a very large part of todays security issues are *not* due to the available maximum being too low - the problem is that the minimum and average levels are *way too low*. *This* is the door opener for most vulnerabilities.

So quite probably some simple (but well thought out) questions like "what language(s) have you used? What mechanisms to assure (a hopefully consistently good) quality are in place?" and similar (along with a good look at documentation) tell you 95% of what you need to know for 1% of the price of a full audit. No matter whether closed or open source.

Clive Robinson • May 16, 2014 7:44 AM

OFF Topic :

For those that are still unsure of what DRM is all about, here is an article that gives the Media Player POV,

https://plus.google.com/app/basic/stream/z13qtnxhuojytbjbr04ci3cowrmtehsy324

Clive Robinson • May 16, 2014 7:54 AM

OFF Topic :

ARS Technica quote Bruce quoting Matt Blaze (not sure if Matt was quoting someone else ;-) over new AQ et al home brew encryption,

http://arstechnica.com/security/2014/05/al-qaedas-new-homebrew-crypto-apps-may-make-us-intel-gathering-easier/

I wonder if it will be quoted again to become a proper Chinese Whisper :-)

Benni • May 16, 2014 9:27 AM

@Skeptical:
http://www.presseurop.eu/de/content/article/196671-schwarzes-meer-der-neue-persische-golf
In 2009, the US special rapporteur for energy issues in eurasia, Richard Morningstar, mentioned at the Sea Energy and Economic Forum in Bukarest) that in the Black sea there are important oil fields. The boss of Hunt oil, Tom Cwikla told: "europe has to use its own energy ressources. The president of the governmentally controlled turkish oil company TPAO says that in the black sea, there are vast oil ressources, so much that they could become europes most important oil sources for oil.

So much for the us government not to be interested. The us government itself told that it had interest on this in 2009.

This ukrainian company where Hunter bidden is now employed also has another emoloyee closely related to us government.
http://www.sueddeutsche.de/politik/energieversorgung-sohn-von-us-vizepraesident-biden-steigt-bei-ukrainischem-gaskonzern-ein-1.1965494 Devon Archer, friend of the stepson of John Kerry says that Burisma company now reminds him of Exxon in its early days.

This quote makes only sense, when there are much oil ressources.

This is a chart of the oil fields at crimea:

http://www.kyivpost.com/content/business/ukraine-seeks-energy-majors-for-black-sea-explorat-129039.html

The Yakunowitch government has already signed contracts with shell and exxon. And that certainly was not of Putins liking. Since it would mean that Ukraine, an important customer of russian gas and oil gets independent of russian supplies.

With the annexation of crimea, the contracts of the foreign oil companies are likely to be nullified, and the fields can be harvested by russian gazprom.

However, most of the oil seems to be in Romania, so the move of putin can not prevent much what is currently happening there. After Russian's annexation of crimea, there are calls for a diversification of europe's energy mix. Oil in Romania comes in very handy then.

Name (required):

E-mail Address:

URL:

Fill in the blank: the name of this blog is Schneier on ___________ (required):

Comments:

Allowed HTML: <a href="URL"> • <cite> • • • <ul> <ol> <li> • <blockquote> <pre>

← Putin Requires Russian Bloggers to Register with the Government Internet Subversion →

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.

Friday Squid Blogging: The Evolutionary Purpose of Pain

Comments

Leave a comment