Nick P • May 17, 2014 5:08 PM

EDIT: I meant to say “Proton”Mail, not “Proto”mail.

Nick P • May 17, 2014 7:42 PM

@ Clive Robinson

re 2FA attack

“As the victim is engaged in the call by the attacker, the 2FA phone calling service will send the 2FA code to the victims voicemail, immediately.”

They send the 2FA code to voicemail!? What the f***! I’m glad I don’t use any of those kinds of services. I thought there would be issues, but these companies continue to surprise me.

“NOTE: All vulnerable endpoints for Optus Voicemail have been fixed. Including the endpoint I used to bypass their initial fix.”

The second sentence: lol.

@ Jacob

“In their security detail page, they list, among other things, the “self destruct” property of the email while at the recipient inbox. There is no way to do that short of taking over the recipient’s computer (and hoping that there is no backup).”

It’s becoming a common feature in many private communications services. First one I saw it in was Cryptophone. The consensus in the “Ephemeral Messing” thread Bruce did was that it’s not really possible if recipient is malicious, including for reasons you stated. I mainly see this feature as useful to prevent inadvertent disclosures: policy or expectation dictates deleting the email, yet someone forgets or is too lazy. The SnapChat reference means they’re probably doing it for marketing reasons. (shrugs and sighs)

“but they also list on some other pages that they operate also in MA, and as such they can get NSL just as any other US Corp”

Yes, the fact that MA, heck MIT, is involved does add risk in the usual areas. Matter of fact, MIT gets a lot of funding from US govt & companies tight with them. MIT itself might be pushed in some scenario to push their entrepreneurs in an unsafe direction. The Swiss firm might also cooperate with Swiss authorities under legal compulsion, who also sometimes cooperate with American authorities. Nonetheless, their offering and location seems a lot better than, say, mainstream US vendors.

It would be nice if a person could specify that only Swiss servers are used, register as a corporation in a country with strong privacy, and connect only via proxies from that country. The latter two are used to reduce odds that the Swiss government will comply with American requests regarding the email account. This kind of trick used to be common (maybe still is) with offshore schemes.

@ All

DEC Firefly Workstation
ftp://ftp.hpl.external.hp.com/pub/dec/SRC/research-reports/SRC-023.pdf

I just found this interesting machine. It was a multiprocessor workstation that they threw together pretty quickly. The real interesting point is that the OS was written in Modula-2+, a high-level, garbage-collected language. Take that naysayers of automated memory management. So, it might be practical and doable esp with an extra processor dedicated to it. I’ve also found plenty of nice concurrent & hybrid collector designs for such use-cases, including some that will be patent immune (mostly) in near future. And one works on binaries of C/C++ apps without source code or significant performance degradation. That might be useful in and of itself, esp combined with control flow integrity research.

Nick P • May 17, 2014 8:46 PM

@ Student

The grugq’s OPSEC presentation is good fundamentals:
http://www.slideshare.net/grugq/opsec-for-hackers

The important thing to remember about OPSEC is that the principles are more important than the technologies. If the tech or fieldcraft can lead to principle violations, prevent that or don’t use such options. Thinking in terms of OPSEC principles just helps plenty. For instance, this mindset immediately helps you see fallacy in the claim that “it’s OSS so it’s inherently more secure.” Letting enemy know what you use is instant OPSEC violation and led to hacks via 0-days for many apps. So whether it’s closed or OSS, certain OPSEC principles dictate that you deny them the info if possible. Misdirection is nice, too, if it’s sustainable.

A former CIA director also made many nice points:
http://www.oss.net/dynamaster/file_archive/100102/0a947a77d762061cc87ec541c2d2dcc7/2010-01-02%20Dulles%20on%20Tradecraft%20via%20Srodes.pdf

Far as specific tech, there’s plenty of guides on physical security, policies, network security, app security, using crypto, etc. Copying methods that are used successfully, esp by long-time (unconvicted) hackers, is always a decent approach. Many of them do stuff like Grugq recommends.

DOD’s Industrial Security Manual with SAP provisions
http://www.ncms-isp.org/NISPOM_200602_with_ISLs.pdf

It’s a DOD manual so it’s very formal and not as fun to read as a book. Yet, they talk about a breadth of topics with info on how they deal with protecting classified information and projects.

The old cypherpunks books and mailing list archives have plenty of interesting stuff, too. I’d throw in fiction like Robert Ludlum if you want creative ideas for covert messaging, human proxies, etc.

Hope some of this helps.

Nick P • May 18, 2014 1:31 PM

@ Clive Robinson

Thanks for the link as that was an incredibly good essay on the topic. Unless there’s a better one you know, I’m probably going to make a trimmed version of that one my default. The treatment of elites and stars seems very accurate. The part on elite structures is also compatable with Assange’s treatment of how conspiracies form within organizations. Like in Joreen’s essay, the informal and secret forms of communication are a pre-requisite. And lack of accountability allows such groups it to thrive.

I can also imagine, like in my reply to Wael, how such elitism can be used to maintain a group’s integrity. This is a much rarer thing. Yet, there’s definitely examples out there. The fact that the inner group is so tight & dependent on one another aids in ensuring committment to secrecy & integrity of group’s activities. The trick is figuring out how to create positive elitism within groups while also having a formal structure to keeps it in check well enough. I think that’s the recipe for the ideal structured organization. We know the elites will happen, so the founders are better off giving the organization a good start by recognizing this & trying to push elite formation in a good direction.

Nick P • May 18, 2014 2:24 PM

@ Sancho_P

Any discussion of ephemeral messaging must recognize its fatal problem: any plaintext content that goes through a device can be compromised by that device or its user. A self-destructing email sent to a person has to be viewed by that person. If it so much as appears on their monitor, it can be captured and saved by that person in a huge variety of ways. So, ephemeral messaging to hostile recipients should always be considered impossible. Even face-to-face requires technical countermeasures to prevent bugging.

As I thought on it though, I remembered that most security measures US govt uses for classified information were certified to low or medium robustness. It’s definition is preventing “casual or inadvertant attempts to breach security.” They decided they’d be fine if most people were at least cleared for information on a system, knew consequences of a breach, and had technical measures (eg security) mainly there to make it clear the security breach was intentional. And prevent many accidental breaches or leaks.

So, like in the old days, we have a bunch of people emailing each other through a security focused service. Most trust each other in the sense that all want the service to work effectively so each is protected. They send each other emails. From there, one might want an email to disappear after a time (or reading) without burdening the recipient. Self-destructing emails meet that requirement. Side benefit for Protonmail might be mailboxes using less storage. 😉 However, if recipient might be hostile, then the feature can’t be relied on and the message probably should be delivered face to face if at all.

“But, if I understand correctly, the real sensitive and more valuable information, the “header” (often called metadata), is still open to (legaly compelled) government inspection, even between ProtonMail user accounts.”

That’s probably true. It’s a centralized email service. They have this inherent weakness for protocol compatibility and efficiency. The safeguard they picked for this issue is to locate in a country with strong privacy laws and a host with incentives to follow them. Not a guarantee, as I said, but a nice start that probably knocks a huge swath of attackers out of that part of the game. There’s also technical solutions that could work here but I doubt they’re going through that much trouble to protect metadata. They’re probably able to access it and turn it over if forced to. So the question is “Who can force them, under what circumstances, and how likely are they to exercise it?”

Insider opinions would be needed to determine this, with insiders understanding how Swiss TLA’s operate in practice vs in theory. And these insider’s reliability would need to be vetted so we didn’t think they were just saying what Swiss want us to hear. 😉

Nick P • May 19, 2014 12:21 PM

@ Clive

Yes, a very familiar name on the safer curves. Did you notice what names were on the unsafe ones? The names varied, but almost all were US govt groups who draw on expertise of a particular agency. 😉

Nick P • May 20, 2014 12:01 AM

re recycling keys

It’s a very bad idea. You wrote the stuff on paper to remember it and because you could burn the paper to rid yourself of the key. Then, your environmental conscience kicks in, you tear the paper up a bit, and throw it in the recycling bin. Once your opponent knows, they can pay off people in the recycling company to deliver your trash to them. They might be doing it anyway (ie dumpster diving). They’ll spot that some things look random. They put the pieces back together, get your key, and decrypt your data. All because you wanted to recycle to save the environment it’s Game Over.

Oh wait, you guys were talking about a different kind of key recycling. My bad. Yeah, that kind sucks too. 😉

Nick P • May 20, 2014 8:06 PM

@ Clive, Wael

re quantum key distribution

I wonder if they know about the NSA backdoor in the quantum networking products. I doubt BULLRUN would leave them off seeing how much trust people put in them.

I never got the idea of quantum networking. I mean, an assured smartcard chip added to a regular board running key mgmt primitives seems more trustworthy to me. And faster, cheaper, and better cost-per-watt, too. 😉

Not to mention one of the first Orange Book A1-class products (GNTP) was a secure networking product that NSA couldn’t (at the time) beat. We’ve learned bad stuff and good stuff since then with even more products they couldn’t hack. So… why do we need an extremely expensive, low bandwidth, little understood, limited use, key exchange scheme again…? Other than such companies’ profits?

@ Wael

Speaking of smartcards, one chip recently got EAL6+ certified. I was thinking “about time.” Combine with MULTOS or IBM’s Caernarvon, it seems that smartcards are first to achieve highly secure from hardware to OS to running software.

Anyway, I was thinking of Ross Anderson et al’s attacks on them and wondering if a shortcut to reducing invasive attacks is just to shrink it to most cutting edge process. RobertT convinced me that subversion at physical layer is hard as it’s hard enough to get a regular design working, much less doing odd modifications to black boxes. Most smart cards I’ve seen used older process node technology that’s easier to probe. I wonder if a 22-40nm makes it harder to reverse engineer or tamper with.

I can’t find a page saying what process node tech is the current limit in reverse engineering. I did stumble on a ChipWorks paper from 2009 showing they did IC extraction on 2006-era process node tech. I’m sure they’ve gotten better since. I wonder if anyone can reverse 22nm or how long it will take. Maybe next project should target 14nm immediately to give them at least a few years of safety. 😉

@ Clive

re D-Wave

Interesting reading. The claimed speedup of around 3,600 is lame given what we know quantum computers should be capable of. And one guy says it was way faster than a desktop PC. A desktop PC is about the worst way one could execute SIMD or MIMD number crunching. It’s horribly inefficient and lacking in parallel processing. That’s why MPP’s, vector processors and GPU’s were created in the first place.

Anyway, it got me thinking. (“Can’t be good…” I know…) Anyway, I used to be in MPP’s and application-specific processing. It was fun. So, I immediately thought “why don’t we quit worrying about maybe fake quantum computers and just built ultra-efficient SOC for same thing?” Looking into it, I found even academics had produced quite efficient SIMD & MIMD machines. Would go well with one of the budget NUMA machines I posted before. So, I think it’s a big fuss over nothing as people wanting a bad ass datamining machine could design their own chip cheaper than one D-Wave. It does look cool, though.

Path led me to an update on Epiphany processor. They’re doing great. They also have a nice write-up on how to get in chip business without spending $100+ mil on nothing. Excellent advice imho that can benefit readers considering secure SOC development.

“Adapteva brought a new Instruction Set Architecture,Network On Chip infrastructure, four generations of processor chips, and a complete high quality tool chain that includes C/C++/OpenCL support for less than $2.5M.” (Adapteva)

Sweet, eh? Anyway, if I was Google or Lockheed, I’d license or buy-out Adapteva. I’d invest the big money into putting it on a good process technology, getting it to 256-1,024 cores, maybe adding a RISC processor for non-parallel (esp system code), putting four of those motha’s on a board with mgmt processor, and hooking them up to a SGI NUMA machine with its interconnect. I’d also offer a switch & cables to do it cheap & cluster-style. Let’s say each chip is $1k and we’re doing a SGI UV 256-socket machine. The result is $256,000 hardware cost on top of a several million dollar NUMA system for a 256,000+ core machine with up to 64TB RAM whose bandwidth is close to terabit a second at nanosecond latencies. It also does stuff other than annealing and can support other boards b/c it’s SGI chassis.

Way better deal than D-Wave. So, there I’ve posted it and we can expect to see someone copy it into a product in… is it usually 2-3 years that happens after one of us mentions invents something and posts it here? 😉

Nick P • May 21, 2014 2:06 PM

@ Wael

re hardware

Thanks for the links and info. The Gemplus was on 2003 or earlier era process node tech so unfortunately can’t help us past survey of attack methods. Far as HSM, I’m aware of them and they’re quite expensive. Smart-card chips were my idea for a poor man’s HSM. FPGA’s came to mind first, but have no protections against various attacks that smart card IC’s counter. The RNG link is pretty nice, though, as it would be great for Monte Carlo simulations or OTP support.

“Yes, he did! But subversion can happen with very low tech methods as well. I remember a discussion with him regarding Firmware level subversion…”

I’m focusing on the hardware part, for now. If it’s done right, those other issues are more easily solved with solutions that already exist. They just can’t be implemented on mainstream architectures.

re rules of the game

Quite a few people have won or broken even. Odds are just very slim. Only one I’ll agree with is you can’t get out of the game. I live with this fact daily. One can’t move on to other pursuits as that only weakens defensive position & opponents will hit you right then. TLA’s can be quite patient. They’re made up of thousands of people who can rotate jobs, go get a good night’s sleep, etc. The targeted is one or few people who get nailed the second they make a mistake. It’s really a game of numbers and details, with defender having a disadvantage in both.

re GPU’s

There’s supercomputers taking that approach. Yet, in each case, they use GPU’s as accelerators for parallel problems in combination with real CPU’s. The reason is GPU’s processing units aren’t real CPU’s: too limited. Epiphany and similar architectures use real RISC CPU’s with shared memory & high bandwidth I/O. Check their comparison to GPU’s and such. Price*, power, and size look really good to me. Plus you don’t have to learn OpenCL and CUDA: it uses basic C/C++.

• Price isn’t listed as they do limited production runs right now to keep costs down. The first board they sold was $99 so chips are probably cheap.

@ Wael, Mr Pragma

One idea comes to mind from my work in automated software diversity. The idea was to create tools that produce many random, equivalent, and structurally different versions of the same software. So, an attack on one might not work on others. Many physical attacks on chip itself are to extract or insert a value into a specific circuit. I wonder if we could apply diversity idea by designing circuits where the location of critical functionality wasn’t important. The tool would take a proven circuit description, synthesize a tremendous number of instances, apply validation tests to them, and then put that on a wafer. The result would be each batch wafer producing dozens to hundreds of functionally identical chips each requiring a new physical attack for data reading/writing. The result would force the attacker to beat 100 chips for every 1 product they want to target. And figure out how to ID which implementation a given chip in the field uses without setting off anti-tamper protections.

Just a thought.

@ Benni

“This is because in germany we have better engineers, and better technology.”

That’s funnier than last round of pro-European rhetoric. You have more exports and engineers because your country puts more capital into those. Quantity != quality, although both are certainly high in Germany. Our brightest engineers are apparently smarter in practice as they don’t waste time working for regular companies (which do plenty exports). Aiming for profit & interesting work, the best go into one of four kinds of work: defense contracting; R&D public or private; Silicon Valley-style startupts; Wall St.

The main defence contractors get a steady stream of high profit work. They do some exports, but most of their work is for U.S. They pay very well, too. The R&D sector is a mix of non-profit work for public and private sector work focusing on producing I.P. Many of our brightest minds work there on practical (eg biotech) and arbitrary things (eg security architecture). I’ve posted many cutting edge security advances here. Almost every group with usable inventions was in U.S. or Britain. A few were in Europe and only one was in Germany (TU Dresden). Silicon Valley startups are self-explanatory: small, innovating companies trying to make the big time. There’s a ton of them at any given point, many are ad-supported (no actual sales of goods), and almost all focus on domestic market. Finally, there’s Wall St. & finance which vacuums up many of our brightest Comp Sci & engineering types to apply their brains to finance schemes. High-frequency trading gets most attention in press & it alone produces revenues equal to one tenth of all German exports.

The Wall St angle is especially important. You Germans probably value your engineers, what you make, and what volume you sell. Capitalism, the American model, values turning money into more money & doesn’t care how that gets done. Engineers are seen as tools to do that among other tools. Good capitalists don’t try to out-produce or out-sale the competition: they just try to own them while earning a ROE on investment. That’s the focus here. Almost half of all wealth in the world is in hands of 35 asset mgmt firms. Of these, 20 are in U.S. and 2 are in Germany. That’s 23.25 trillion in U.S. vs 3.44 trillion in Germany. So, American’s aren’t really worried about whether or not your engineers are superior. The odds are we own many of them, those that make the tools they use, and those that buy from them. 😉

Of course, both the U.S. and Germany have a new concern in engineering. Where it comes from should surprise you.

” you can read that GCHQ’s tapping of fibers was at 10GBit/s when the german secret service BND was already at 100GBit/s”

Intrusion detection, routing, and zero-latency IPC for 160Gbps line
http://dl.acm.org/citation.cfm?id=2465811

So, a small business of 17 technical staff in New York solved that problem on their first try. And exceeded the German 100Gbps by 60%. Not to mention Intel, SGI, Cray, and Oracle currently dominate the world in processor, memory sizes, and interconnect speeds. They’re U.S. companies. Top makers of tapping equipment for Tier 1 lines are U.S. and British companies. So Spiegel can talk all they want, but the hard evidence says American & British engineers aren’t behind on tech like this: they’re quite ahead in accomplishments & dominate market share. The only hardware company in Germany that I’d call the best is Infineon as they seem to make highest quality smartcard chips. Although, that market is dominated by a French and U.S. firm, respectively, in terms of both sales and sheer volume of offerings produced.

“For expanding this technology, I guess BND wants the additional 300 million euro”

The U.S. tool was developed on a budget, is 1U form-factor, and rackable. So, hitting Tb/s just means using a bunch of them with a load-balancing interconnect that supports that bandwidth. It’s a common solution for this kind of problem. Each U.S. company I mentioned above already has interconnects that fast with ports third party solution providers just plug their equipment into. A dozen rack units + an interconnect switch + profits = probably less than $10 mil for the capability you describe. And that’s assuming company with 160Gbps couldn’t scale it’s offering with extra funding, which I doubt as they currently use rather low-grade chips vs special purpose ASIC’s. As for $300 million for a $10 mil capability… does that cost difference come from German efficiency or beauracracy?

Long story short, all of this national bias and prejudice does us no good. There’s no hard data on whose engineers, developers, etc are more capable and I doubt it would be objective if it existed. It’s just people throwing opinions back and forth stretching what facts exist. There IS hard data on which are more successful in market, but we know that doesn’t imply quality or innovation. The best results actually come from diverse teams of good scientists and engineers building on each others’ work. That’s why companies like IBM that produce tons of I.P. have research groups in many, many countries working independently and collaboratively. All of us combined is greater than the sum of our parts.

That’s why I’ll praise the good work of German security researchers just as quickly as I will American researchers. Even Russian and Chinese researchers although they come from opposing countries. Engineering, software, and security are tough fields with tough problems that we need to solve. Solution will come from efforts from people all over the world. The less energy we spend fighting each other the more energy we can spend fighting Them*. So, it would be nice if the US vs Europe tangents would just end as both sides are composed of people & each has smart ones. Now, if they’d all just donate a certain percentage of their time on open hardware and software INFOSEC solutions I’d be a very happy man with more free time. 🙂

• NSA, GHCQ, BND, and other opponents of liberty/privacy.

Nick P • May 21, 2014 3:26 PM

@ Wael

re rules

I don’t agree with his example of Snowden, though. Snowden was a brilliant technician, con man, AND a trusted insider. The last part is most important. It gives him an opportunity to grab stuff that makes for good insurance. He was also in a Chinese territory by the time they knew he was a problem, making him hard to touch without provoking a powerful nation. And then he was in another superpower’s territory. His situation has a certain rare set of attributes that make his success unlikely to apply to even most skilled outsiders facing a TLA. One doesn’t carry over to the other.

Winning does come at a cost, though. All defense and conflict does. As opponents resources for offense increase, resources for defense necessarily increase as well.

“These tools exist. Search for “code obfuscation” and “White box cryptography” — you’ll find several vendors, and several academic and white papers available. Unfortunatley, I cannot point you directly to any of them ;)”

I know they do as I’ve even built some lol. I also posted some here. What I was saying was ‘are there tools like that for hardware?’ Or any reasons they couldn’t be built for limited purpose of hiding critical circuits’ locations?

@ Benni

re engineering degrees

That explains increase in number of engineers and those holding degrees. Yet, more college != better engineers once again. One of first things companies do here is tell people to “unlearn that BS you learned in college.” I mean, the principles are useful but the skills that really get things done aren’t taught in college. That’s where work experience is better. I’ll take a guy with a Bachelor’s and 2 years work experience over a guy with a Master’s any day. This principle is also why most people in embedded systems and chip design (worldwide far as I can tell) are over 30. And most good firms spend years teaching young college grads how to do things right. So, more college and degrees = more talented engineers doesn’t convince me. I guess I’d have to look into what skills the colleges teach and how many years the grads take to be highly productive engineers. That would be a good indicator.

Far as BND, it seems they’re quite effective. Well, I knew that but you’ve shown me they’re better than I thought. But…

“Apparently, with their billion dollar budget, nsa engineers were not capable to write applications that are as good as the BND tools, so they requested a copy.”

…this has to be on mgmt rather than engineers. I’ve already thrown together a solution on paper using proven components that would probably work. That took just a few minutes with similar projects being done by small teams in six months to a year. (More if custom chips rather than custom boards.) So, why can’t NSA do it with all their money and engineers? It might require access to something they don’t have or they’re not leveraging engineers well in this area. If you look at Trailblazer vs Thinthread, a simple solution was ignored in favor of a billion dollar plus waste of money. I could easily see NSA just being incompetent here, while BND listened to their engineers and got stuff done.

It might surprise you but much defense work here is about generating jobs, money and votes rather than accomplishing anything of value. Just goes back to the horrid capitalism philosophy of everyone being selfish as possible hoping good things come out of it. Yeah, that’s as stupid as it sounds, but it’s the status quo.

Btw, it’s best not to equate what NSA engineers can do vs what American engineers can do. They’re different and to a degree that’s hard to measure as NSA work is classified. American engineers make miracles happen all the time, much like German engineers do. Funding, culture, management, goals of organization, profit margin, end user’s expectation… these have a tremendous effect. So, I rarely compare engineer’s work directly. I’m more likely to compare how well they solved a problem given resources and constraints. That’s the measure of talent.

Nick P • May 22, 2014 1:09 AM

@ Buck

“Perhaps direct neuron-to-neuron quantum entanglement could prove quite useful for secure communications, and if you’re right, I suppose we’ll be seeing that in 2 to 3 years 😛 Or maybe that’s just part of how consciousness works… ”

Lol. I vote you Singularity Saleman of the Month.

“but I’ll add an additional reccomendation to leave available least possible amount of resources required for any specific application… (Push it to the limit, and the effects of “extra code” on hardware will be far more obvious :-)”

I’ve posted the same thing here before so I agree. I’m still not sure if I’m right about that, though. There was something else he pointed out. Each new process technology gives circuits that conceivably can be embedded in older ones invisibly. We wouldn’t know the difference. So, we might seem to make a provably safe design and put it on the whole chip surface. Yet, smaller wavelength structures could be put in that same chip by dishonest manufacturers without us being able to notice. His theme was that, once it’s invented, you can’t uninvent it.

He might be right. And this concern of his was one of reasons he pushed smallest process node technology. So, not just complexity of the node used: it’s also fact that it’s harder to squeeze in extra stuff if the ability to hasn’t been invented yet.

@ Figureitout

“I know I’m just giving you sh*t, seems like a neat board..”

I should’ve known haha.

“And going off what you’ve said in the past “I just post secure ideas that people may build on”, ‘stealing’ your design is exactly what you want.”

Clever. Yes, people can use them. They could still give some credit, though, rather than pretending they invented it themselves. Then, I might get funding to put in better efforts that benefit them and I both.

“Making a leap, but yeah I stole that quote from there. ”

I did enjoy the game. The EMP scene is still my favorite as it’s one of the best visualizations of it. I also like how they tied in MKULTRA-style projects, number stations, and the underwater antenna. Recently, what little gaming time I have goes to Mass Effect 3. A friend told me the storyline (esp enemies grand plan) and character development were awesome. So, I bought all three games then played through them in order. He was right. The final game also has better mechanics and a huge variety in multiplayer. It’s like several games in one. Most time is still work and R&D for me, though.

“-I said diversity is important, can you recommend a computer design for TEMPEST security that is free on the internet or I can buy somewhere?”

My recommended shortcut to this was a field (eg farm) with at least 100 yds visibility in every direction. The building (even a shack) can have a faraday cage, even COTS, with a generator to avoid power line leaks. A cheap spectrum analyzer to detect active attacks might be a bonus. A metal detector is an option for finding any antenna’s that were buried into the ground while you were gone.

The easiest solution, however, is a portable computer that you use while on the move & something you never let leave you. If your OPSEC is decent, you never get hit with anything like emanation attacks. A side benefit is you get used to being mobile and explaining why you’re using your computer in (insert unusual location here). 😉

And remember they’ll hack you with all the other easier opportunities first. Which is why I mentioned them instead of EMSEC.

Nick P • May 22, 2014 11:27 AM

@ Mr Pragma

I’m open to a lot of things. It’s why I wasn’t popular among anything mainstream in America. It’s also why I backed our opponents on certain issues numerous times. Yet, the statement I highlighted was alarming to me as years of evidence makes it clear both Russian and Chinese governments are run by tyrants. America has been run by tyrants for a few decades to a century depending on who you ask. Opposing American imperialism & tyranny while supporting two other evil governments is strange considering the ideals you valued in other posts.

The only part of it that made sense to me was the idea of having another superpower or two to keep U.S. in check. I agree with that having seen where unchecked U.S. power goes: typically into countries carrying bombs and bullets. Not a good thing.

“If, however, liking usa’s — written down as a doctrine! — base line of dominating the world ”

It’s not really USA’s doctrine. It is the doctrine of certain politicians and those that wield our military. There are many politicians and huge numbers of Americans that fight this notion. For instance, most Americans were totally against any invasions of other countries unless they threatened us. Then, the Bush/Cheney regime used a ton of disinformation & complicit media to tie Iraq & Afghanastan to 9/11. The people, still shaken by being shown they aren’t invincible, accepted in fear what their military & intelligence organizations said was the cause. Two horrible wars followed, many realized their error, and there’s now constant attempts by many groups to get us out of Middle East. (Although, as I said, one powerful faction believes strongly in military domination and fights all exits.)

So, like many democracies with powerful institutions, it’s a mix of things going on. Those that love imperialism and war tend to win most of the time as their people dominate military command positions. The media only glosses over it so American’s often can’t see the big picture on the issue without working hard to. The military institutions always make it an all-or-nothing game: you will be weak to attack or you keep big armies that can go on the attack. There’s also speculation, esp post-Snowden, that certain institutions have leverage on those in Congress meant to restrict their activities. Many in Congress didn’t even read the Patriot Act, for instance. They just passed it without question to many American’s surprise. Well, there were two vocal opponents. They coincidentally died on anthrax attacks by unknown terrorists, then Congress passed the law. (Hmm…)

So, I can easily oppose the U.S. government’s behavior and spot the tyranny in it. Yet, it’s not really representative of what Americans as a whole want & its whole operation is supported by massive amounts of secrecy, deception, & financial corruption. If anything, it started out as something we knowingly built for protection during WW2 & Cold War, but took on a life of its own. Pandora’s Box opened and nobody can close it. The people who have tried always ended up crushed (or killed) by their own government.

That’s all I’m saying about that as I agree that the technical discussions are more productive. I’ll add that our political tangent has no bearing on what I think of any technical discussion. The only reason I even stepped into a US & Europe type of discussion is Benni’s post somewhat implied we had nothing to offer for engineering, quality, security, etc. I had to counter that quickly so any European readers might see that certain American groups are very much worth working with. I regularly enjoy the work done on the other continents. I’d rather them get a chance to do the same with ours. Matter of fact, quite a few are doing so as there’s many international INFOSEC projects going on right now.

Nick P • May 22, 2014 11:45 AM

@ Clive Robinson

re software diversity

It’s already being done, with one implemented similar to what you’ve described. Like I told Wael, I was mainly interested in how likely it can be done for chips. Specifically, taking a Verilog design with a critical circuit & producing a bunch of equivalent designs where location of critical circuit is different in each one. Mr Pragma thinks it’s a no-go due to a number of issues. Your thoughts?

re Mexico

This might be the case. American policy, esp economic, shoots itself in the foot nonstop. It wouldn’t suprise me at all if we get hollowed out first. I think the only thing that would stop that is that elites that own the wealth would want to preserve it. If any of this becomes a threat to their investments, they’ll push politicians to deal with it. So far, drug trade and prison populations isn’t an issue to them. They might even be large consumers of drugs for all we know. 😉

@ Aspie

“Look, this gadget I’m working on is a toy. I’m time-rich and cash-poor which, now I come to think of it suits me, so I do what I can with what little I can. I’ll follow other people’s thinking but I want to discover a lot of it for myself. Evolution does this; redundancy is key – and it works. We know this.

So I’ll keep plodding along, doubtless outpaced by far brighter and better resourced people, but the design is something that is a function I’m working on rather than a solution. Meaning it is an idea that can be realised in many ways. That is where I get the pleasure.”

I’ve been there and done that. Fun times. Learning and inventing are their own reward.

Nick P • May 22, 2014 11:32 PM

@ Aspie

A Mazdaspeed3 reference?

Nick P • May 24, 2014 3:52 PM

@ Clive

You know there’s actually emulators and software images for a ton of old systems like that. Many are good enough to replace the physical one. Might help you get rid of some of that junk lying around in your “cave.” 😉

Not to mention let you play with many old school systems or unusual architectures without buying the hardware.