Friday Squid Blogging: Squid T-Shirt

Cute design.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on July 4, 2014 at 4:13 PM • 142 Comments

Comments

Andrew Wallace • July 4, 2014 5:31 PM

We're starting to see stuff being removed from Google.

Google have been informing news organisations that an article is no longer stored on their web archive.

As a result news organisations can report on the removal same day, rendering the removal pointless and drawing extra attention to it.

To properly have something removed, I suggest you request a court order to gag news organisations from further reporting on it.

http://news.stv.tv/west-central/281347-google-removes-stv-article-on-former-scottish-referee-from-search-results/

Andrew

Mike the goat • July 4, 2014 7:14 PM

Andrew: this always worried me ever since Google has essentially been the 'default' search engine for the internet at large. About ten years ago there was a thriving industry of search providers and even Google was still a fairly new and innocuous company born out of Stanford. Now the situation is much different and unfortunately even a lot of so called 'rival' products just use Google APIs behind the scenes. Unfortunately, the alternatives that are available aren't particularly good. I know some are going to mention them by name, so I will come right out and say that by 'alternatives' I mean the likes of yahoo, bing, etc. and the underdogs like ixquick/startpage, duckduckgo, etc.

If you think about it - the whole search engine dependency we all have could be viewed as yet another one of the Internet's points of failure much like the DNS roots or the certification authorities: a small number of organizations that have a large amount of power over the Internet experience of the world. Somehow we have got to change that. A search engine that is autonomous, perhaps functioning using distributed hash tables is one possibility, but I am so overloaded with side projects that I wouldn't even dream of even suggesting that I'd be capable of doing such a thing at this point. Hopefully someone with more time and inclination will one day solve this big, big problem - as it is unsurprising that governments understand the issue as well as we do and will exploit it just like, e.g. the music industry with all their DMCA take-down requests to engines.

Thoth • July 4, 2014 10:51 PM

My quick overview of National Security VS. Personal Security (http://thothtech.blogspot.sg/2014/07/national-security-vs-personal-security.html). Post comments on this thread addressed to me or via the blog comments on the above page.

chemicalwarfare • July 4, 2014 10:53 PM

Media buzz about 'Invisible IM' which is supposedly intel agency proofed XMPP chat software. Guy from Metasploit and TheGrugq are involved, which is promising but zero source yet so this is vaporware for now http://invisible.im

Major problems, OTR will accept an unlimited number of fragments and not free the memory. Instant DoS. Another problem is how long it will take to propagate the .onion domain throughout tor when thousands of IM nodes are up. It would be better to use i2p and make these eepsites instead of tor hidden services. If worried one could always tunnel i2p through tor, it really doesn't add that much latency (I tried it) and Tor could act as extra padding against timing analysis. Of course there is also the problem of contributing to, downloading or even looking at this software and risking being placed in the NSA's enemy of the state database.

In other news nobody can agree if this is tinfoil or not: http://www.theregister.co.uk/2014/07/03/tinfoil_hatters_spook_says_nsa_can_track_whistleblowers_through_power_lines/ sounds like science fiction.

Wael • July 5, 2014 1:33 AM

@ Mike the goat,

A search engine that is autonomous, perhaps functioning using distributed hash tables is one possibility,
Great idea! Haven't thought about this one b4! May need to think about an alternative to centralized, controlled "directory services".

Gerard van Vooren • July 5, 2014 2:04 AM

With Google and Facebook there is this saying:

You can check out anytime you like, but you can never leave.

Buck • July 5, 2014 2:14 AM

Have any commenters here achieved the prestige of having his/her phone/iShackle checked for the latest charade yet..?

'Undetectable bomb' threat: US urges increased security on international flights (July 3, 2014)
On Wednesday, Secretary of Homeland Security Jeh Johnson said he directed the Transportation Security Administration to put more security measures in place after sharing "recent and relevant" information with foreign allies.
...
The move was not unexpected, as intelligence agencies, including the Department of Homeland Security and the FBI, have been debating their options for months, and top-level officials met at the White House last week to discuss the issue.
...
The measures may include closer scrutiny of personal electronics and footwear, but government officials would not reveal any specifics.
http://rt.com/usa/170080-heightened-security-international-direct-flights/
Blowin' hot air, legitimate threat, or is it just another SOP intel FLOP...? ( http://www.nytimes.com/2013/09/30/us/qaeda-plot-leak-has-undermined-us-intelligence.html )

Gerard van Vooren • July 5, 2014 2:48 AM

@Wael, Mike

Now that I think about it a bit more, there are a lot more lines in that song saying exactly what's going on today.

"Welcome to the Hotel California"

"Such a lovely place"
"Such a lovely face"

"Plenty of room at the Hotel California"
"Any time of year"
"You can find it here"

"Bring your alibis"

"Mirrors on the ceiling"

"Relax, " said the night man, "We are programmed to receive."

uair01 • July 5, 2014 3:17 AM

By Nassim Taleb on his Facebook account.
I have mixed feelings about this, and that makes it interesting:

The magic of the camera in reestablishing civil/ethical behavior. We used to live in small communities; our reputations were directly determined by what we did --we were watched. Today, anonymity brings the ass*le in people. I accidentally discovered a way to change the behavior of unethical and abusive persons.

1) The other day, in the NY subway corridor in front of the list of exits, I hesitated for a few seconds trying to get my bearings... A well dressed man started heaping insults at me "for stopping". Instead of hitting him as I would have done in 1921, I pulled my cell and took his picture while calmly calling him a "Mean idiot abusive to lost persons". He freaked out and ran away from me, hiding his face in his hands.

2) A man in upstate NY got into my parking spot as I was backing into it. I told him it was against etiquette, he acted as an as**le. Same thing, I silently took his picture and that of his license plate. He rapidly drove away and liberated the parking spot.

3) Near where I live there is a forest path/preserve banned to bicycles as they harm the environment. Two mountain cyclists ride on it every weekend during my 4 PM walk. I admonished them to no avail. The other day I calmly took a dozen of pictures, making sure they noticed. The bigger guy complained, but they left rapidly. They have never returned.

Of course, I destroyed their pictures. But I never thought handhelds could be such a weapon.

Buck • July 5, 2014 3:35 AM

@Gerard van Vooren

It's not just the Eagles... Have another hear - listen very closely - to your favorite musical heroes of the cold war era (knowing what you now know)...

I'm personally lovin' all the Sir Bob's (Dylan/Marley/Seger), as well as the Beatles (obviously), Creedence Clearwater Revival, Dire Straits, Fleetwood Mac, (the one and only) Hendrix, Michael Jackson, John Mellencamp, The Police, Queen, Tom Petty, The Who... and what the hell, even U2!! But I'm just about to check out my old classic favorite again ;-) Hello Talking Heads!!! Can you say... "puzzlin' evidence"??

Wael • July 5, 2014 3:36 AM

@Gerard van Vooren, @Mike the goat,

Now that I think about it a bit more, there are a lot more lines in that song saying exactly what's going on today.
True! Fascinating choice of the song! We could have a field day with this song ;)

Her mind is Tiffany-twisted, she got the Mercedes BeNDs
What a Nice Surprise (what A nice surprise)

Gerard van Vooren • July 5, 2014 4:18 AM

@ Wael

Lucy in the Sky with Diamonds

@ Buck

Don't forget Bruce Springsteen.

Iain Moffat • July 5, 2014 4:33 AM

Regarding google takedowns, the BBC is also affected:

http://www.bbc.co.uk/news/technology-28144406

What is interesting in that case is the comment in the BBC article on the takedown:

"The identity of the person who made the request is not yet known, although it is understood not to have been the subject of the article, ......

Instead, the request relates to the reader comments that appear underneath the story."

If a takedown based on reader comments is allowed to stand it potentially allows anyone to manipulate Google to remove the original news content or blog posts by posting a comment that they then ask to have forgotten. This potentially allows for all kinds of censorship that can not have been envisaged in the original court judgement which started Google on this path.

I can understand that there is a limited need for search engine censorship in the case of personally identifying material that was posted without the data subject's consent or is, or has become inaccurate or harmful. In the UK I think that would be covered by principles 3, 4 and 5 of the data protection act (see: http://ico.org.uk/for_organisations/data_protection/the_guide/the_principles ) applied to the actual web site (as data controller) anyway rather than the search engine. I believe it is really the data controller's responsibility to ensure that if they remove something it is also ejected from Google's cache and the wayback machine (robots.txt?).

I can not see how a reasonable person (does that include lawyers?) can interpret text as personal data when the person requesting the takedown previously knowingly and voluntarily posted it on a public forum. I have always believed that in the real - and therefore also in the digital - world we have to live on the basis that anything we write in a public forum passes beyond our control and will be there forever and we will be judged by it forever. That's not really new - I assume any letters to the newspaper editor from the last few hundred years are all to be found in libraries somewhere and the best statement on the matter I know of is from the Victorian poet Fitzgerald writing as Omar Khayyam:-


The Moving Finger writes; and, having writ,
Moves on: nor all your Piety nor Wit
Shall lure it back to cancel half a Line,
Nor all your Tears wash out a Word of it


What is new is the persistence, instant access and searchability of the Internet. I suspect the generation growing up now will just learn to live with it and be guarded in what they write and say on the record, whereas our student writings are trapped in exercise books and long recycled paper magazines that may yet come back to haunt us when Google Books gets round to scanning them.

I think apart from the chilling effect on self-expression faced by this and future generations the main problem is when the goalposts change so risk assessments made at the time of writing/printing/posting based on the expected circulation and lifetime of the material are no longer valid faced with the wayback machine and google books. So much of what was posted in the early years of the Internet may now be regretted, and so much that was written and printed in the 60s and 70s may haunt the authors if it makes the transition from atoms to bits.

The other real concern arising from recent revelations is the extent to which private communication has become part of a secret public record through "collect it all and filter later" interception and the potential for court orders to access privately held data collected through the increasing use of Web 2.0 and cloud services stored by corporations. This is likely to become a problem within the lifetime of many early Internet users as public views of acceptable thought and behaviour evolve and society is increasingly willing to judge historic acts by current standards. I only have to look at the example of my late mother whose passion was fox hunting with horses and hounds - when she was young it was the sport of cabinet ministers and royalty but is now a serious crime. With today's massive and apparently append-only databases the potential to abuse the last two decades of internet content to identify the newly criminal after such a change in public opinion and the law is perhaps the most chilling threat of all.

Iain
Off to lick stamps and post real physical letters written with a pen in ink ;)

Winter • July 5, 2014 5:20 AM

If I were Google, I would select to honor a few very painful requests to "forget". The Scientology article would hurt in Germany as this is considered a criminal organization there.

A few more such deletions and the rules will be changed.

Thoth • July 5, 2014 7:39 AM

I am wondering if other countries would follow the steps Austria took in hunting down all Tor exit nodes and render Tor inoperable anymore.

Putting aside biasness or prejudice for the Tor network and the biasness or prejudice for other secure network services, let's try to dissect the situation.

I wonder if a visit to the ".onion" address Darknet would be more secure than routing out to an external website not secured by some form of web encryption. Theoretically, if the routing terminates within an internal darknet address in Tor, it would still have the security that Tor provides whereas if the target address is somewhere outside Tor, it is a gamble whether the target address is a HTTPS site with proper security or just a normal insecure website.

Spies sitting outside the Tor network listening to the hundreds of exit nodes may observe the traffic sent by the exit nodes to the target website and this is the one fatal weakness of Tor which everyone's suffering and complaining about.

What I would like to theorize here is that not just the Tor service would be taken down, other secure proxy services or encrypted services that do not include backdoors might find victim to political "assassination". The only way to anonymize, hide and secure communications is to send a seemingly legit looking message with a secure message hidden inside via encryption and stenography. In subversive countries, the governments may attempt to disrupt secure traffic and this would force most users to switch back to insecure traffic.

The creation of a mechanics that can encrypt and mask the real nature of a message while having some form of format preservation technique to make the message look harmless to attackers would be the most ideal tool for all users in this era of mass surveillance and terror conducted by the powers that be. The message should be capable of being embedded into seemingly harmless and insecure network protocols (HTTP/FTP without the 'S') that would evade the prying eyes of active and passive attackers. Such protocol should be able to adjust itself to look as though some harmless garble has been sent across the network and not rouse suspicion. To achieve the evasion of surveillance, the protocol should be able to seemingly pretend to be a natural language via format preserving encryption and as little traffic is required for the key exchange, cipher use determination and authentication mechanisms to prevent arousal of suspicions.

One use case would be the embedding of encrypted documents within a HTTP POST that looks like random natural language. The POST data should have a random looking size filled with randomly chosen pads that looks natural to prevent traffic analysis from understanding the true size of the message. A long POST data should be broken down into multiple small random messages to be sent across the insecure network.

The problem that remains is how should the server and client communicate across the insecure channel to establish / signal the establishment of a hidden message service without being noticed. Most protocols have their signaling messages which are very obvious to attackers when they initiate their communications that would arouse the suspicion of the attackers.

Martin Bonner • July 5, 2014 8:06 AM

The Register has made the point that if Google *have* been issued with a take-down request, all they had to do was bounce it to the relevant national regulator. The regulator would then get to decide whether the take-down was legitimate or not.

There hasn't been enough time for the regulator to have made that decision (bureaucrats don't move that fast), so Google has decided to take down the article on their own say so. They have also decided to tell the prominent news organizations that they have done so.

Does anyone think that Google might be trying to orchestrate a PR campaign against privacy legislation applying to them?

CallMeLateForSupper • July 5, 2014 10:05 AM

Re: Tor node in Austria

The man was charged with operating "[...] a technical mechanism that made it possible for anonymous persons elsewhere on the Internet to conduct illegal activities [...] and he knew it 'could' be used for such purposes."

WTF. Did Bush/Cheney contaminate everyone's drinking water? The world gets crazier by the day.

[tongue-in-cheek: ON]
News flash: Grandmother in Milders, Austria arrested and charged with operating a technical mechanism (gasoline pump) that made it possible for anonymous persons to conduct illegal activities and that she knew it 'could' be used for such purposes.
[tongue-in-cheek: OFF]

"Guten nackt", Austria. :-O

anonymous • July 5, 2014 10:30 AM

Analysis of the xkeyscore source:

http://blog.erratasec.com/2014/07/reading-xkeyscore-rules-source.html?m=1

And here is how to exploit xkeyscore:
http://blog.erratasec.com/2014/07/jamming-xkeyscore_4.html?m=1

Includes ways to flood it with huge amounts of bad and useless data.

[quote]

Putting the above code in a web page like this one will cause every visitor to trigger a search for TAILS in the XKeyScore rules. The more people who do this, the less useful it becomes to the NSA (xks-0009) in labeling people as suspicious. Likewise, putting tails.boum.org/ in your webpages will cause the same effect, even when CSS/JavaScript makes such a title invisible.[/quote]

mj12 • July 5, 2014 11:16 AM

@Mike the goat
Consider YaCy. I think it is almost exactly what you seek.

@secret police
That's great. I have sent them four or five e-mails and got no response.

@uair01
That chap might want to be a tad more careful. In some places he's more likely to get his face and phone smashed.

anonymous • July 5, 2014 11:23 AM

[code]
#!/bin/bash

MAX_RUN_PER_IP=999 # max 999
STRING_GARBAGE_LENGTH=900 # max 973

NSA_LOVE=$(head -c $STRING_GARBAGE_LENGTH

mask[1]="bridge = %d.0.0.0:443$NSA_LOVE"
mask[2]="bridge = 0.%d.0.0:443$NSA_LOVE"
mask[3]="bridge = 0.0.%d.0:443$NSA_LOVE"
mask[4]="bridge = 0.0.0.%d:443$NSA_LOVE"

echo "https://bridges.torproject.org/"

ugh=1

while [ $ugh -le 4 ]
do
lehm=1
while [ $lehm -lt $MAX_RUN_PER_IP ]
do
let ipvalue="$RANDOM % $lehm"
printf "${mask[$ugh]}\n" "$ipvalue"
let lehm="$lehm+1"
done
let ugh="$ugh+1"
done

exit 0
[/code]

1. write above into file generator.sh
2. chmod 755 generator.sh
3. ./generator.sh > myfile.txt

SomeSecResearcher • July 5, 2014 1:33 PM

Question to CryptoPrivacy Junkies: I am performing some competitive research on disk encryption systems that may operate as DLPs and anti-APT. Is there anything store bought or open source that anyone would recommend?

Thank you, in advance.


Adjuvant • July 5, 2014 1:45 PM

@jokergirl:
Reading that Austrian Tor conviction article, this sentence jumped out at me: "The defendant is now facing bankruptcy, and was hospitalized with an apparently wrongly-diagnosed case of paranoid schizophrenia and PTSD." Certainly raises some flags! What on earth is that all about?

tor • July 5, 2014 3:00 PM

Years ago Germany tried locking up exit node hosts with plenty of high profile cases and eventually lost all its prosecution attempts and gave up. Torservers.net has more info; they have been operating exit nodes for years.

Alan Kaminsky • July 5, 2014 3:15 PM

I've started a new Password Cracking Competition that may be of interest to readers of this blog. From the web site (http://www.parallelcrypto.com/competition.shtml):

Randall Munroe, author of the xkcd webcomic, came up with a method for choosing hard-to-crack passwords, popularly known as the XKCD Method. Munroe famously generated the password "correct horse battery staple" using this method. I've heard many people -- including eminent security pundit Bruce Schneier, as well as some of my students -- claim that password crackers "are on to this trick" and would have no trouble cracking such passwords. Others, including myself, assert that such passwords are indeed hard to crack.

To settle the question, I have inaugurated this Password Cracking Competition. I challenge you to crack several passwords generated by the XKCD Method, as described below.

My goals for the Password Cracking Competition are to determine how strong XKCD Method passwords really are; to assess the state of the art of password cracking; and to stimulate research into new password cracking methods.

CallMeLateForSupper • July 5, 2014 3:49 PM

miniLock - " [...] a free and open-source BROWSER PLUG-IN designed to let even Luddites encrypt and decrypt files [...]" (emphasis mine) "In an early version of the Google Chrome plugin tested by WIRED, we were able to drag and drop a file into the program in seconds,[...]" (Astounding!)

"Every time miniLock launches, the user enters only a passphrase[...] From that passphrase, the program derives a public key, which it calls a miniLock ID, and a private key, which the user never sees and is erased when the program closes. Both are the same every time the user enters the passphrase. That trick of generating the same keys again in every session means anyone can use the program on any computer without worrying about safely storing or moving a sensitive private key."

http://www.wired.com/2014/07/minilock-simple-encryption/
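
Added example (not part of the comment above and not miniLock's code): a sketch of the deterministic key derivation the quoted article describes, where a passphrase is stretched into a private key and the public ID is computed from it. The choice of scrypt, its parameters, the salt and the use of X25519 are assumptions made for illustration.

```python
import hashlib

P = 2**255 - 19                      # Curve25519 field prime
A24 = 121665                         # ladder constant from RFC 7748
BASE = (9).to_bytes(32, "little")    # standard base point u = 9


def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 X25519 (Montgomery ladder). Teaching code: Python big
    integers are not constant-time, so do not use this with real secrets."""
    kb = bytearray(k)
    kb[0] &= 248                     # clamp the scalar as the RFC requires
    kb[31] &= 127
    kb[31] |= 64
    scalar = int.from_bytes(kb, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (scalar >> t) & 1
        swap ^= bit
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def derive_keypair(passphrase: str, salt: bytes):
    """Stretch the passphrase into a 32-byte private key, then compute the
    matching public key. Nothing is stored: the same inputs always rebuild
    the same pair, so the private key is exactly as strong as the passphrase.
    The scrypt cost (n=2**14, r=8, p=1) is an assumed setting."""
    private = hashlib.scrypt(passphrase.encode("utf-8"), salt=salt,
                             n=2**14, r=8, p=1, dklen=32)
    return private, x25519(private, BASE)


def shared_secret(my_private: bytes, their_public: bytes) -> bytes:
    """Diffie-Hellman step a file-encryption tool would build on."""
    return x25519(my_private, their_public)


if __name__ == "__main__":
    # Constructed sample inputs; the salt stands in for a per-user value.
    salt = b"alice@example.org"
    priv1, pub1 = derive_keypair("correct horse battery staple", salt)
    priv2, pub2 = derive_keypair("correct horse battery staple", salt)
    print("public ID:", pub1.hex())
    print("same keys in a second session:", (priv1, pub1) == (priv2, pub2))
    _, other = derive_keypair("correct horse battery staple", b"bob@example.org")
    print("different salt, different ID:", other != pub1)
```

Because the public ID is a deterministic function of the passphrase, it also lets anyone test passphrase guesses offline, which is why the stretching cost and the passphrase's entropy carry the whole security of such a design.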


Andrew Wallace • July 5, 2014 4:57 PM

When the internet first started, there was a reason for web directories and web search.

I don't believe that they are relevant anymore. (2014)

People get web links from bill boards, leaflets, magazines, social media, television and other sources now.

There is absolutely no need to feed data into these search companies on a daily to weekly basis.

You can live pretty easily with a non-search lifestyle these days.

Andrew

Skeptical • July 5, 2014 7:03 PM


A fair amount of discussion has been had as to the utility of certain programs authorized under Section 702 of FISA. While various members of Congress have questioned the utility of the Section 215 telephone metadata program, none has questioned the utility of the Section 702 programs. Far from it, even the most skeptical critics in Congress have noted, however grudgingly, that Section 702 programs are quite effective and have provided intelligence necessary to disrupt terrorist plots.

This week, the Privacy and Civil Liberties Oversight Board (the one that declared the Section 215 program to be useless and illegal) issued their report on Section 702 programs.

Two quotes:

Overall, the Board has found that the information the program collects has been valuable and effective in protecting the nation’s security and producing useful foreign intelligence. The program has operated under a statute that was publicly debated, and the text of the statute outlines the basic structure of the program. Operation of the Section 702 program has been subject to judicial oversight and extensive internal supervision, and the Board has found no evidence of intentional abuse.

Monitoring terrorist networks under Section 702 has enabled the government to learn how they operate, and to understand their priorities, strategies, and tactics. In addition, the program has led the government to identify previously unknown individuals who are involved in international terrorism, and it has played a key role in discovering and disrupting specific terrorist plots aimed at the United States and other countries.

The Report is not wholly uncritical. It notes that "about" collection pushes the program(s) closer to the constitutional boundary, and it suggests additional measures to protect privacy.

It also includes somewhat interesting material that bears on concerns about the use of routing to expose US domestic communications to less regulated collection and analysis (this is the subject of a paper on SSRN that I believe Schneier recently posted about). For example, noting discussion of this concern from a 2011 FISC opinion,

As such, the FISC has noted the government’s concession that in the ordinary course of acquiring single communications, wholly domestic communications could be acquired as much as 0.197% of the time.

Of course I have no idea how accurate that number is or how much it may have changed since 2011, or even how much assurance it necessarily provides. I'm simply noting the existence of the additional material for anyone who wants to read it.

But, based on a skim of the report, it does appear that the procedures used to separate domestic from foreign traffic are likely to be fairly robust.

Obviously, this report does not address concerns that many, including me, have regarding the appropriate policy for non-US communications. The PCLOB will be considering those matters next, I believe. Given the current nature of the international system, I would not expect much change on the extent to which the US Government - as with every other government - asserts its right to intercept foreign communications for reasons of national security.

Oddly enough, I think the solution to that problem actually lies in better cooperation and coordination between intelligence agencies. Obviously such coordination can be used to evade national laws, but it can also be done in such a way as to render those laws even more effective.

Benni • July 5, 2014 7:31 PM

Flooding xkeyscore will not work.

Xkeyscore collects with Rampart-a 3,4 Tbit/s. Including every mailbomb on the planet.

I guess this search rule for tor and tails users is just there to provide the agents with maximum flexibility. I guess they have similar rules for catching all journalists, or catching all Taliban or all embassy personnel.

The agent then applies an intersection of all Taliban and tor downloaders, or all embassy personnel and tor downloaders.

Thereby, mailbombs are automatically excluded.


By the way: We have news from the rare species NSA mole:
http://www.spiegel.de/politik/deutschland/bnd-verfassungsschutz-wollte-agenten-mit-us-hilfe-enttarnen-a-979416.html

Apparently, the German service for protection of the constitution filters all emails sent to Russian embassies. The NSA mole made the error of sending an email via Google mail to there. Then, a member of the service for protection tried to meet him with a Russian email address. When the NSA mole declined the offer, the Germans asked in America whether they know this address. They did not get a reply but suddenly, the Gmail account was deleted. Then they captured the mole who confessed he had been working for the Americans for years. On his computer, they found a weather app. Selecting the New York weather, a crypto program opened. So they even get insight on the cryptography of NSA agents.

The problem is:

the NSA mole was only caught because German agents are reading emails that are sent via Gmail.

If the agents in Germany did not read everything that you put in Gmail, then we would never have known that there exists not only the common European mole but also the rare NSA mole in Germany.

And by the way, in my free time, I decided to read up a bit on cryptography. As a mathematical physicist, I usually do only things like algebraic topology and strings and so on.

But now in my spare time, I have begun reading Schneier's book and Stinson's book to get an overview. But perhaps I will soon get to more advanced mathematical stuff there. I also looked at books on quantum cryptography.

My current problem: I know the C and C++ language, and I know a bit of the Windows API. But in order to e.g. find books on OpenSSL, or write my own crypto applications, I would need some book about network programming and how to practically use and implement cryptographic network protocols on Windows and Linux machines, i.e., the network APIs of Linux.

Is there any recommendation you could make?

Chris Abbott • July 5, 2014 8:40 PM

@Skeptical

That's if you can trust the PCLOB. I don't know who is on the board or how they were selected. The other thing is this: the NSA clearly has broken the law before and the FISA Court has never really rejected any of their requests. There is no adversary in the FISA Court, they only hear one side, and it's always in secret. Therefore, we can't even trust that they would do anything PCLOB recommends or trust that they won't break the law/constitution in some other way. They've lost the public's trust, that's the problem.

Chris Abbott • July 5, 2014 9:30 PM

@Skeptical

Here's the issue about 702:

“Section 702 differs from this traditional FISA electronic surveillance framework
both in the standards applied and in the lack of individualized determinations by the FISC. Under the statute, the Attorney General and Director of National Intelligence make annual certifications authorizing the targeting of non-U.S. persons reasonably believed to be located outside the United States to acquire foreign intelligence information

without specifying to the FISC the particular non-U.S. persons who will be targeted.

Instead of identifying particular individuals to be targeted under Section 702, the certifications identify categories of foreign intelligence information regarding which the Attorney General and Director of National Intelligence authorize acquisition through the targeting of non-U.S. persons reasonably believed to be located abroad. There also is

no requirement that the government demonstrate probable cause to believe that a Section 702 target is a foreign power or agent of a foreign power, as is required
under traditional FISA.”

The bold text above shows a lot, and this whole "reasonably believed" seems like it could have a lot of leeway. We know that the NSA has shared information with law enforcement that was "accidentally" collected and that they have constructed scenarios where it could be reasonably believable that it wasn't obtained through signals intelligence, a clear and blatant violation of the Fourth Amendment at best. Secondly, how can we trust the government to audit itself? This is like if a gang of thieves conducted a huge heist and a few of them were allowed to audit the others and say "nope, everything is fine".

The other problem is, that I don't see a lot of specifics when they talk about limiting or restricting these agencies. It looks like nothing more than window dressing. I could go on and on about the whole thing, but those alone are significant problems with the whole thing.

Nick P • July 5, 2014 11:09 PM

@ Benni

I'll be honest: your math and physics background would make you more valuable as a formal methods guy. I'll explain.

We already have much work to draw on from cryptographers. We also have some great implementations (eg Bernstein's stuff) for critical stuff and some decent ones for less critical uses. It's probably best to let the cryptographers and coders like at OpenBSD do that stuff. What we don't have are trustworthy, well-documented systems to run the code on. Most OS's are monolithic in design, written with unsafe constructs, and with few security enhancing features. They run on hardware that's just as bad. Although the crypto itself is rarely attacked, it's often bypassed by attacks on such unsafe and overprivileged platforms.

So, let's say you want to contribute. You might work on the design, coding, testing, security analysis, formal verification, documentation, etc. The component might be hardware, firmware, OS, drivers, middleware, useful libraries, or a full app. There are many ways to improve or extend existing work without much esoteric knowledge.

Formal methods is a technique that applies rigorous mathematics to specify and/or verify the properties of systems. One needs to be able to think both as a mathematician and an engineer. There's quite a bit of interesting work already done that could be extended and integrated. I'd aim for that as people who can precisely model, build, and verify systems are in short supply. In fact, most good work over the past 10 years was done with the aid of academics with 0-2 years experience plus one or more very experienced senior researchers. There's always more work to be done by volunteers or funded R&D.

Examples of formal verification in hardware, an OS (by Microsoft no less!), an old security kernel, and a browser.

65535July 6, 2014 12:08 AM

“Federal prosecutors said that a 31-year-old German was arrested on July 2 on suspicion of spying for an unidentified foreign power [maybe the USA]. Chancellor Angela Merkel’s spokesman, Steffen Seibert, called the case “a serious matter,” declining to elaborate on the prosecutors’ statement.”

http://news.nationalpost.com/2014/07/04/germany-arrests-alleged-double-agent-accused-of-spying-on-berlins-nsa-inquiry-for-the-u-s/

How old is Jacob Appelbaum? Oh, born in 1983. It cannot be the same man. The press would have had to back date the story. I wonder who it was.

BenniJuly 6, 2014 12:40 AM

News from the Washington post:

http://www.washingtonpost.com/world/national-security/in-nsa-intercepted-data-those-not-targeted-far-outnumber-the-foreigners-who-are/2014/07/05/8139adf8-045a-11e4-8572-4b1b969b6322_story.html

Nine of 10 account holders found in a large cache of intercepted conversations, which former NSA contractor Edward Snowden provided in full to The Post, were not the intended surveillance targets but were caught in a net the agency had cast for somebody else.

Many of them were Americans. Nearly half of the surveillance files, a strikingly high proportion, contained names, e-mail addresses or other details that the NSA marked as belonging to U.S. citizens or residents. NSA analysts masked, or “minimized,” more than 65,000 such references to protect Americans’ privacy, but The Post found nearly 900 additional e-mail addresses, unmasked in the files, that could be strongly linked to U.S. citizens or U.S. residents.

BenniJuly 6, 2014 1:06 AM

YEEAAAAAH. He did it. Snowden did it. He hacked into NSA's separated operational network.

He did what general Hayden thought he could not:

Hayden:
https://www.youtube.com/watch?v=_d1tw3mEOoE#t=1h07m32s
He had access to NSA's administrative network. He did not have access, thank god, to NSA's operational network

And now we have the Washington Post:
http://www.washingtonpost.com/world/national-security/in-nsa-intercepted-data-those-not-targeted-far-outnumber-the-foreigners-who-are/2014/07/05/8139adf8-045a-11e4-8572-4b1b969b6322_story.html

"In order to allow time for analysis and outside reporting, neither Snowden nor The Post has disclosed until now that he obtained and shared the content of intercepted communications. The cache Snowden provided came from domestic NSA operations under the broad authority granted by Congress in 2008 with amendments to the Foreign Intelligence Surveillance Act. FISA content is generally stored in closely controlled data repositories, and for more than a year, senior government officials have depicted it as beyond Snowden’s reach."

Welcome to your nightmares, General Hayden.

BenniJuly 6, 2014 2:38 AM

NSA also seems to monitor Obama quite often:


"More than 1,000 distinct “minimization” terms appear in the files, attempting to mask the identities of “possible,” “potential” and “probable” U.S. persons, along with the names of U.S. beverage companies, universities, fast-food chains and Web-mail hosts.

Some of them border on the absurd, using titles that could apply to only one man. A “minimized U.S. president-elect” begins to appear in the files in early 2009, and references to the current “minimized U.S. president” appear 1,227 times in the following four years."


Also funny is this:

"In their classified internal communications, colleagues and supervisors often remind the analysts that PRISM and Upstream collection have a “lower threshold for foreignness ‘standard of proof’ ” than a traditional surveillance warrant from a FISA judge, requiring only a “reasonable belief” and not probable cause.

One analyst rests her claim that a target is foreign on the fact that his e-mails are written in a foreign language, a quality shared by tens of millions of Americans. Others are allowed to presume that anyone on the chat “buddy list” of a known foreign national is also foreign.

In many other cases, analysts seek and obtain approval to treat an account as “foreign” if someone connects to it from a computer address that seems to be overseas. “The best foreignness explanations have the selector being accessed via a foreign IP address,” an NSA supervisor instructs an allied analyst in Australia."

And I think this is the heart of the problem of the American surveillance scandal:

Mainly that the people doing this are not sufficiently educated and just so stupid that they should not have been allowed at any position where they have responsibilities. They should only be allowed to clean toilets or serve hot dogs.

The US have to reform their academic system. They have to force everyone to do a master, before they can get reasonable jobs.

That way, people who claim things like "analyst rests her claim that a target is foreign on the fact that his e-mails are written in a foreign language" would simply either be better trained or only be allowed to serve hot-dogs in a slum. Similarly, idiots who claim things like “The best foreignness explanations have the selector being accessed via a foreign IP address,” also would be allowed to perhaps clean toilets, but they would not be allowed to work in a position where they have even just a small responsibility.

ThothJuly 6, 2014 2:50 AM

I wonder how secure are the internals of NSA if Snowden could simply use his contractor position to retrieve almost anything in the intercepted communications he wants. NSA might probably look more like a tortoise with a strong shell on the outside but when flipped over, struggles to survive and get back up.

Most implementations of cryptography are either weak, badly designed usability or simply some form of mess in one way or another. The OpenCryptoAudit project is a step bringing security and cryptography experts with engineers together to audit both cryptography aspect and structural security aspect of a security implementation. We need more of such projects to ensure security products do exactly what they offer ... proper security.

We also require graphics and usability experts to help make security products as easy to use as possible. GPG4Win is pretty unintuitive and to be honest, Truecrypt is not all too intuitive to new users either.

Here are some of my design recommendations for some security product categories.

Password Managers
=================
- Don't let the users go figure the password database file unless they explicitly state otherwise. I don't want to look around for that "pwd.kdb" file some where on my hard drive.

- Huge long static forms to fill in for a single password. A huge window for almost every other fields the password database can handle (email, http link, password group and category ... etc). Give a clean and short form with a few common fields and if the user wants to group the password in groups or add extensive fields, the user can point at an additional field, fill it up and add it quickly and easily.

- For Java password databases, users do not want to contend with JAVA_HOME, JRE_HOME, Unlimited Strength File and so on and so forth. They want it to simply run. Either install the pre-requisites for users via an installer or don't use libraries that have so many pre-requisite dependencies.

- Password databases should provide functions like database backup, export, import and restore functionality in a simple to use interface. The backup/restore/import/export files are best created in a common database format like an encrypted CSV file protected by user password. The exported data should be able to decrypt without the use of any specific tools to ease compatibility. It should be easy to export/import/backup/restore with a one-click button and a password field to protect/authorize the action.

- Password Database Syncing should be allowed even across different softwares and versions as long as the common protocol versions are correct. It should be easy to use like a one click button. If there are conflicting passwords, the programs should display them in an easy to read table for the user to decide or allow versioning of passwords.

- Too many icons and too few action descriptors to accompany the button icons in a GUI makes it a bad idea. Too many words on a button like "Encrypt this database file" is also a bad idea. Make it short, sweet, simple and understandable with a nice icon of appropriate size.

- Auto-locking of password databases is a common feature. It should not scare the users by throwing technical words like "Database is going to be locked in XXX seconds due to inactivity of blah blah blah". It will scare them and make them uninstall.


File and Email Encryption Utilities
===================================
- The user doesn't want to use a command line to encrypt files (most cases).

- Users want to only see a set of huge "ENCRYPT", "DECRYPT", "SIGN", "VERIFY" buttons. Asking the user to browse the filesystem for keys to perform cryptographic actions simply puts them off and not use it anymore. A "choose your key" advanced option should be provided for technical users to browse for their keys.

- Key generation and revoking should also be as simple as clicking the button.

- Changing current working keys (keys currently in use) should be as simple as pointing to a table of keys in storage or go to a filesystem to point to a key file and entering a password to unlock the keys for use.

- Encrypted files may retain their filenames and extensions or randomized for added security but the user must be able to easily retrieve the same file to decrypt whenever the user wants to use the file.

- Verification of files and email signatures should be carried out automatically and the error or warning messages should be easy to understand. Whenever a GPG/PGP email comes into the inbox, users should not need to click "VERIFY" to execute the email verification process.


HSM and External Security Device Integration
============================================
Smart crypto cards and tokens, mini HSMs, full fledged HSMs, external secure key management devices may be used in conjunction with multiple security products. These external security devices are used to provide key security and management for security products. Whenever a secret needs to be decrypted, the ciphertext would be transmitted into the external security device to be decrypted by the cryptographic chip within the external security device and the decryption key that is stored in the external security device. Only the plaintext is returned to the security program on the host machine. Programs may make use of these devices to add a secondary layer of security (keys not inside the host machine but in a secure ESD) and it should be easy to operate as simply entering the password to unlock and authorize the ESD to process the necessary data.

BenniJuly 6, 2014 4:47 AM

@Thoth:

The best application for strong cryptography that I've seen so far is retroshare and truecrypt. The rest, I found them simply awful.


"wonder how secure are the internals of NSA if Snowden could simply use his contractor position to retrieve almost anything in the intercepted communications he wants. NSA might probably look more like a tortoise with a strong shell on the outside but when flipped over, struggles to survive and get back up."

Well, as Binney said at a german conference, http://www.heise.de/newsticker/meldung/Ehemaliger-NSA-Technikchef-Der-NSA-gehoert-das-Netzwerk-2188605.html

that around the NSA, there are these "contractors" and "consultants" who have access to NSA data. And these consultants just want to get another contract.

Binney accuses the NSA of allowing industrial espionage on a large scale, where contractors can create better offers that are used to outbid competitors.

NSA data therefore has to be assumed not to be secured at all. But we have to assume that countless "security consultants" have access to it, giving classified NSA data for money to every US corporation which pays enough.

No, the NSA itself does not give any classified data to domestic US companies. The NSA only does economic espionage and gives this information to the US government, which then uses it in international trade negotiations, in order to help domestic US companies.

But the NSA has contractors and consultants who have access to NSA data. And they give it to domestic companies.

But well, it is good that some brave NSA people stand up now.

Binney said here that leaking information to the press is a regular operation, which they call "third rail" at NSA: https://netzpolitik.org/2014/live-blog-4-anhoerung-im-nsa-untersuchungsausschuss/

In this interview, Snowden lawyer Radack says:

http://www.spiegel.de/international/world/interview-with-nsa-experts-on-us-spying-in-germany-a-979215.html

"Sometimes people show up anonymously at our events and then whisper in my ear: "I work at NSA. I support everything you do."

Spiegel writes here:

http://www.spiegel.de/international/germany/new-snowden-revelations-on-nsa-spying-in-germany-a-975441.html

"This week's reports are also based on documents and information from other sources."

Note the plural: sources, not just one other source....

BenniJuly 6, 2014 6:01 AM

The print version of the spiegel article https://magazin.spiegel.de/digital/index_SP.html#SP/2014/28/127985733 on NSA's BND mole notes that the russians have similar antennas on their german embassies as the americans recently. Apparently they thought that they must step up in order to prevent an "antenna gap", so we currently see an "antenna race".

But it also reveals that the german services "intercepted" the emails not from spying on the german population but either from tapping the phone lines that emerge from the russian embassy directly, or by russian "informants" at the embassy themselves.

Nice FSB campaign after all, blowing the cover of an NSA mole at the BND, in order to increase hatred and suspicion of the german government and parliament against the NSA. Really professional.

ThothJuly 6, 2014 6:10 AM

@Benni
What I meant was usability problems not cryptographic and security problems with Truecrypt and Retroshare.

I have tried to get non-technical friends to use these platforms and within minutes, they would rather use insecure methods. Probably a usability cleanup would be something that would push the agenda of "Encrypt everything" for those mass crypto advocates.

I can't comment on the security of these two security tools despite being a long time user of both Retroshare and Truecrypt. Guess it would be nice if an audit on Retroshare could be done besides doing the audit for Truecrypt.

BenniJuly 6, 2014 6:25 AM

"I have tried to get non-technical friends to use these platforms and within minutes, they would rather use insecure methods."

When they can not use retroshare, then they should really go to a computer course at a local university. Preferably, they should start with a course of Linux systems.

I mean, retroshare and truecrypt are easy to configure GUI solutions.

You do not even have to skim through long man pages or write your own config scripts. That is as easy as it can get. People who can't do this simply have to learn to use a computer. What retroshare is somewhat lacking, this is true, is good documentation.

But a security audit of retroshare and truecrypt would be most welcomed, indeed.

anonymousJuly 6, 2014 8:05 AM

> Benni • July 5, 2014 7:31 PM
> Flooding xkeyscore will not work.

Sure it will.

> Xkeyscore collects with Rampart-a 3,4 Tbit/s.

Cool. But irrelevant.
I'm not proposing DDOSing xkeyscore. I'm proposing inserting lots of bullshit into their database. When thousands of popular web sites with hundreds of millions of visitors start automatically adding all their users to xkeyscore by embedding an automated google search for "tails" and other extremists search words into their web pages, then that is like throwing sand into the NSA gears.
It takes lots of money, hardware, time, energy and human resources to store, clean up, process all that data. Bullshit flooding works.
Q.E.D.

anonJuly 6, 2014 9:06 AM

Adjuvant • July 5, 2014 1:29 PM

@Mike, mj12: Regarding distributed search, in addition to YaCy, see also Seeks. And a Wikipedia category roundup. From experience dicking around with them a year or two back, neither was anywhere near ready for primetime.


I found SEEKS to work quite well, sometime back and then all the running instances of it vanished. YaCy if you fiddle with the settings can also work quite well, but it depends on what has been indexed by users, so if there were 100,000 people using it it would be better.

I'm quite shocked sometimes when I read comments places like this, many times it appears to me people are not staying up on current events, GOogLe is and has been censoring searches a long time, if we all remember it was far ahead of everyone else years ago, and nowadays it pulls about the same crap you get from yahoo or bling. A few years back there was a huge union thing happening out in Washington State I think it was, someone posted it on Facebook, so I went to see what was going on, Google refused to pull up the story, it pulled up old stories on the topic from 2006-2007 nothing current. I did about 100 searches and got nothing with different key words, the only way it pulled the story was pasting the exact title that was posted on facebook. Studies have also shown that Google searches change depending on what box you search from


Adjuvant • July 5, 2014 1:45 PM

@jokergirl:
Reading that Austrian Tor conviction article, this sentence jumped out at me: "The defendant is now facing bankruptcy, and was hospitalized with an apparently wrongly-diagnosed case of paranoid schizophrenia and PTSD." Certainly raises some flags! What on earth is that all about?

This one is simple, like I said I think people are not keeping up on current events, anyone thinking about privacy or security must be mentally ill because there is no reason for them to be worried. If you look into this they have tied together Gun rights people with any other kind of security minded thinking, and also 911 truthers and a host of other things. The news media is trying to put one big label on everyone

BenniJuly 6, 2014 9:23 AM

@anonymous:

The fact that they have the linux journal readers on their surveillance:
http://daserste.ndr.de/panorama/xkeyscorerules100.txt

note the "or" in
$TAILS_websites=('tails.boum.org/') or ('linuxjournal.com/content/linux*');

suggests that this rule is never meant to be executed alone.

One has to assume that NSA has several such broad rules, just for analysts who can use them multiple times in several combined searches. And that xkeyscore only starts collection if several of these rules are used combined.

These rules will probably not collect anything, unless they are combined with others. Assume they have another similar rule for embassy personnel, then an agent selects the "embassy personnel" AND "tails user" rule, and then xkeyscore possibly starts to collect. But since your mailbomb is not in embassy personnel, your bomb would be discarded by the system.

In order to build a successful mailbomb for this, we would need the entire set of xkeyscore rules, and we would need the information on how they are working together and what must be set to start the actual collection. The single file available is not sufficient to create a mailbomb.


It is different with the german BND. In germany, everything is ordered from higher levels, and the stupid politicians decided that BND must use a wordlist to search for e-mails.

For example, BND is ordered by law to search for emails that contain the words "atom" and "snow". It is rumored that BND often searches for technical names and descriptions of weapon systems, since proliferation is a political problem in germany, which is a large arms exporter.

http://www.spiegel.de/spiegel/vorab/anwalt-klagt-gegen-durchleuchtung-von-e-mails-durch-den-bnd-a-960203.html

http://www.spiegel.de/politik/deutschland/elektronischer-staubsauger-wie-der-bnd-lauscht-a-31411.html

And BND has a different approach than NSA:

http://goo.gl/GPOrxJ

"Where NSA primarily relies on equipment for selection and analyst minimization for privacy protection, the BND relies on analysts to manually scan traffic for selection and then equipment to filter data for privacy protection. Full use of NSA DNI processing systems and analysts methodologies at JSA will be key to influencing the BND to alter their strategic DNI processing approach"

Yes, in Germany, we work thoroughly. In 2010, German agents had to carefully read 37 million emails. They found 12 emails were of interest to BND.

BND collects at de-cix at full take and on germany's domestic email providers. de-cix is the largest internet node in the world.

It should be fairly easy to create an e-mail account in germany or the US and send an email that will go through de-cix. Note that this is then given into xkeyscore and shared with NSA by the german agents. But unlike NSA, we know that BND was ordered to search after a fixed wordlist of codenames, names and technical descriptions of weapons, drugs, and terrorist related things.....

I would begin by creating emails accounts saudi arabia or russia and then accounts at german providers, which I would operate with a botnet who are holding appropriate technical conversations.

SkepticalJuly 6, 2014 11:02 AM

@Chris Abbott: That's if you can trust the PCLOB. I don't know who is on the board or how they were selected.

Biographies of the PCLOB members are available at their www.pclob.gov and elsewhere. They've taken quite critical positions on NSA activities before, such as when they declared that, in their view, the Section 215 metadata program was illegal and useless. Their highly critical report of the Section 215 program received a lot of press and attention.

I think the PCLOB is trustworthy, given their membership and the nature of previous reports.

One can question whether they received sufficient access to draw the conclusions they did, of course.

The bold text above shows a lot, and this whole "reasonably believed" seems like it could have a lot of leeway. We know that the NSA has shared information with law enforcement that was "accidentally" collected and that they have constructed scenarios where it could be reasonably believable that it wasn't obtained through signals intelligence, a clear and blatant violation of the Fourth Amendment at best.

The issue you're raising regarding parallel construction is quite serious, but it doesn't really involve the NSA and it's beyond the scope of what the PCLOB examined in the report.

Secondly, how can we trust the government to audit itself? This is like if a gang of thieves conducted a huge heist and a few of them were allowed to audit the others and say "nope, everything is fine".

Or as DB put it: PCLOB = foxes declaring the henhouse safe.

I'd recommend you look at the five members of the PCLOB. They're hardly shills for the NSA. They include high level members of the Open Society Institute and the Center for Democracy and Technology.

I'd assess the PCLOB as currently trustworthy given the composition of its membership and the nature of its previous reports.

The harder question is: was everything necessary shared with them? This is more difficult to assess, and really would require becoming familiar with the PCLOB's membership, the representations made to the PCLOB concerning the disclosures, who made the representations, the subject being investigated by the PCLOB, motivation and ability of persons or institutions to deceive the PCLOB, and so forth.

Given the size and prominence of the program being investigated by the PCLOB, the heavy involvement of the Department of Justice and legal departments from other agencies, and the fact that the program is already a regulated program, subject to regular reviews by the FISC and other entities, I think it highly unlikely that the PCLOB was deceived in its review. The difficulty of such a deception would be high, and the risks/costs would be enormous.

Keep in mind that the PCLOB's report is on Section 702 programs. It's not intended to address the full panoply of issues and concerns arising from signals intelligence activities.

Nick PJuly 6, 2014 11:22 AM

@ Skeptical

Will people found to be willingly violating the rules go to prison, their programs shutdown, or their funding pulled? If not, then it's faux accountability and we should assume they'll do whatever they want while lying about it. The intelligence agencies have plenty of track record there.

The big concession they should make is real accountability. When I see violators and heads of the organization being grilled in a prosecution attempt I'll believe accountability exists.

mj12July 6, 2014 12:04 PM

@Benni


But in order to e.g find books at openssl, or writing own crypto applications, i would need some book about network programming and how to practically using and implementing cryptographic network protocols on windows and linux machines, i.e, the network API's of linux.

Is there any recommendation you could make?

Books by William Stevens, I think.

KnottWhittingleyJuly 6, 2014 12:39 PM

Skeptical:

The issue you're raising regarding parallel construction is quite serious, but it doesn't really involve the NSA and it's beyond the scope of what the PCLOB examined in the report.

I'd say it very much involves the NSA. The issue of what the NSA should collect or retain can't be separate from where that data then goes and how it's used---especially given the government's own arguments about how it's okay to acquire all that stuff as long as they don't do certain ill-defined things with it.

Today's Washington Post article is relevant to that:

In NSA-intercepted data, those not targeted far outnumber the foreigners who are.

It just keeps getting clearer that the intelligence community have been grossly misleading us as to how many people are surveilled, who they are, what's collected, what's done with it, and who can access it for what purposes. (E.g., just a month or two ago we were told that Snowden didn't have access to the kind of stuff that the Post is reporting on today.)

The pattern over the last year shows that if they say they're not doing something, but it's possible for them to do, it's likely they're totally doing that.

Biographies of the PCLOB members are available at their www.pclob.gov and elsewhere. They've taken quite critical positions on NSA activities before, such as when they declared that, in their view, the Section 215 metadata program was illegal and useless. Their highly critical report of the Section 215 program received a lot of press and attention.

I find their biographies and actual voting histories a lot less reassuring than you seem to. Do recall that of the five board members, three voted for the highly critical 215 report, but two wrote dissents. It was a near thing.

I don't think there's any reason to trust the PCLOB much.

I agree that the 215 report does seem to show that they're better than I expected---in some cases, by one vote.

Lüge des TagesJuly 6, 2014 1:09 PM

Golf clap for an especially sleazy trick at 11:02. Wave the name of the Center for Democracy and Technology to wrap your government voyeurs in its reputation for integrity, then lie by omission about how you pushed them aside on the fake rigged panel.

Want to know what CDT actually thinks?

https://cdt.org/press/pclob-report-fails-to-offer-necessary-702-reforms/
https://cdt.org/insight/cdt-comments-to-pclob-on-section-702-reform/

Not even good enough for government work.

mj12July 6, 2014 1:42 PM

@Thoth


NSA might probably look more like a tortoise with a strong shell on the outside but when flipped over, struggles to survive and get back up.

http://www.privacysurgeon.org/blog/incision/a-leaked-nsa-memo-reveals-the-agencys-darkest-secret/
Exactly this quote: 'Some of you have asked whether we achieve measurable results. This depends on your definition of “results”. We make people feel measurably safer even if we can’t prove they are any measurably more secure. This is not a contentious philosophy. Britain has about two million CCTV cameras justified by that precise reasoning. '

BuckJuly 6, 2014 2:01 PM

@mj12

HA! Not sure if this is a clever hoax or real, but...

Make sure to bring your own food, based on the cuisine of our primary target country for that week.
I've always felt that that little detail could really be quite essential for those in this line of work!

BuckJuly 6, 2014 2:12 PM

- The Russian Federation is more complex. At a political level there's a lot of grandstanding. Operationally though, we share intelligence with Russia on anyone who is a mutual target (and that, ironically, includes most of the Russian Federation). China is our main mutual target because it refuses to share the economic intelligence data it gathers about either Russia or America. All of us, however, have agreed to share intelligence data on the French.
This tidbit seems intriguing, complex, and dare I say? Honestly quite plausible...

DBJuly 6, 2014 2:23 PM

Human rights activists have always been suspicious that any Obama administration appointed panel like the PCLOB would naturally be hand picked to make the administration look as good as possible. The fact that the previous report said something critical was a total shock to everyone, that it could possibly be so bad that even such a group would do that. The latest one is more what we expect from them. Hence I said:

PCLOB = foxes declaring the henhouse safe.

This is what we've always expected.

BuckJuly 6, 2014 2:58 PM

More details re: TSA phone-scans ( https://www.schneier.com/blog/archives/2014/07/friday_squid_bl_431.html#c6673799 )

Enhanced security measures at certain airports overseas
As the traveling public knows, all electronic devices are screened by security officers. During the security examination, officers may also ask that owners power up some devices, including cell phones. Powerless devices will not be permitted onboard the aircraft. The traveler may also undergo additional screening.
https://www.tsa.gov/press/releases/2014/07/06/enhanced-security-measures-certain-airports-overseas
Might this piece of information possibly imply or even simply suggest a capability to fingerprint almost all powered phones, irregardless of the operating state that the user expects it to be in..?

WaelJuly 6, 2014 3:42 PM

@Buck,

Might this piece of information possibly imply or even simply suggest a capability to fingerprint almost all powered phones, irregardless of the operating
Yes! This is doable, regardless of the OS running and irrespective of the phone type.

DBJuly 6, 2014 4:08 PM

If hard-to-detect bombs can be built into shoes, why not underwear? Will we all need to be literally strip searched next in order to "feel safe"?

Andrew WallaceJuly 6, 2014 4:20 PM

I believe Bruce is a good person but the community he has built is that of persons who want to circumvent the government.

Andrew

NobodySpecialJuly 6, 2014 4:42 PM

Back in the olden (pre-TSA) days I was asked to turn on a massive Toshiba laptop, although to be fair that laptop could easily have contained a bomb and perhaps an armored regiment.

It was running Linux and booted to a command prompt.
No turn it ON he insisted.
It is on!
English didn't seem to be the officer's 1st language (actually speech didn't seem to be his first language)
I eventually worked out he wanted to see pictures, so "startx" and move the cursor around and he was satisfied.

Presumably his training in detecting advanced covert IEDs had been shown a copy of Windows and told that a moving mouse cursor meant not a bomb.

Nick PJuly 6, 2014 4:51 PM

@ NobodySpecial

Exactly: who would trust the "stability" of Windows and Win32 GUI in their detonators?

DBJuly 6, 2014 4:56 PM

@ NobodySpecial

LOL... Back in those days I once brought a desktop through security and they wanted it turned on... Internationally... Needless to say after spending a lot of time finding the converter and cords and only being greeted with a couple front panel lights and some fan sounds they finally let it go...

Clive RobinsonJuly 6, 2014 5:16 PM

OFF Topic:

I don't know if anyone else caught this massive abuse by Microsoft?

http://arstechnica.com/security/2014/07/order-restored-to-universe-as-microsoft-surrenders-confiscated-no-ip-domains/

Basically Microsoft's legal department came up with a new legal argument that enabled them to seize a huge quantity of Domain Names that had no IP address attached, on the argument that they were being used to hide bot net control channels, which by far the overwhelming majority with certainty were not.

Thus Microsoft either lied to the judge or failed to comprehend the effect of what they were asking, could not be bothered to think about it or in any other way check the legitimacy of the argument they were making in secret. The result a whole lot of innocent people doing quite legitimate activities they could not reasonably do any other way were significantly hurt or inconvenienced because of Microsoft's actions.

This is not altruism gone awry, the simple fact is that the majority of machines that form botnets use a Microsoft OS, that Microsoft continuously fail to fix or accept responsibility for and obviously believe that their many failings are not to blame...

As an analogy, if a car manufacturer failed to fit door, ignition and steering locks on the cars and as a result the cars were being frequently stolen and used to commit other crimes, do you seriously think a judge would rule that the manufacturer could go around wheel clamping the cars, and thus depriving permanently the use of the cars to their owners?

Personally I think not, which begs the question of why this judge granted Microsoft its wish to do this.

SkepticalJuly 6, 2014 5:50 PM

@DB: Human rights activists have always been suspicious that any Obama administration appointed panel like the PCLOB would naturally be hand picked to make the administration look as good as possible. The fact that the previous report said something critical was a total shock to everyone, that it could possibly be so bad that even such a group would do that. The latest one is more what we expect from them.

Healthy skepticism, even suspicion, is fine and often wise, but it should be affected by evidence to the contrary. If not our suspicion becomes merely a shield against facts that conflict with our beliefs.

With that in mind, I'd urge you to actually look at the biographies of the people on the PCLOB. Patricia Wald, for example, is a former federal appellate judge who has worked for the Open Society Justice Initiative and the Constitution Project. There are others who will be clearly more sympathetic to the view from intelligence and law enforcement agencies, but it's actually a balanced set of individuals with good backgrounds.

Nor is the report on 702 surveillance without criticisms (or disagreements within the PCLOB - Wald and another member, for example, recommended safeguards on how the FBI may access 702 data beyond that recommended by the entire panel).

Taking together these two reports, and what I've heard and read from those serving on the PCLOB, I think it's fair to say that they've established their credibility. One need not always agree with them (I don't) to say that they are not a mere rubber stamp.

@Nick P: Will people found to be willingly violating the rules go to prison, their programs shutdown, or their funding pulled? If not, then it's faux accountability and we should assume they'll do whatever they want while lying about it. The intelligence agencies have plenty of track record there.

I'm in favor of your kind of accountability, but you have the incentives backwards. If you can be found willfully violating rules and NOT go to prison, NOT have your programs shut down, and NOT have funding pulled, then you have incentive NOT to lie. No one loves lies more than journalists and prosecutors, and with good reason.

Clive RobinsonJuly 6, 2014 6:08 PM

@ Nick P,

Another "PayPal tries to kill off by withholding money" story for you,

http://gigaom.com/2014/07/01/paypal-freezes-account-of-secure-email-startup-protonmail-asking-is-it-legal/

ProtonMail is a "secure Email" crowd sourced start up in Switzerland, started in CERN by people from MIT, Harvard and CERN who have had enough of US Gov spying.

PayPal froze their account without warning and after initially not responding --until Internet stories became significant-- eventually cited "technical difficulties" which appears to be a bit of a nonsense considering nobody else was affected.

Further although a Swiss Company it appears PayPal were claiming ProtonMail had not consulted the government... Which is again not a reason, as many know the Swiss Government regards encryption like any other business, and although the US Gov regards encryption as something to get its "panties in a wad" over the development is done in Switzerland not the US so there would be no need for the US Gov to be informed or consulted.

If it can be shown that the US Gov was behind this blocking of funds, then it would be a clear indicator that they were involved with "economic espionage" contrary to their claims otherwise.

Lüge des TagesJuly 6, 2014 6:43 PM

Wald. How stupid does the NSA think you are?

Remember when those intel plants tried to blow off privacy law, the supreme law of the land with which US law at all levels must be brought into compliance, along with the federal and state common law of privacy? Remember how Wald saved the day with her devastating legal arguments and hard-hitting rhetoric?

Wald wasn't even there.

http://www.c-span.org/video/?318372-3/hearing-govt-surveillance-programs-part-3

It isn't there to see anymore. Naturally, the government weasels took the puppet show down.

Wald wasn't even there.

Every word's a lie. Every comma, every period's a lie.

IncredulousJuly 6, 2014 8:31 PM

@Andrew Wallace

Before you ask us to think, why don't YOU think and actually articulate what the problem is rather than plaintively accusing us of circumventing the government?

First of all, we are an international group, so what government are you talking about? Are you saying that the US is a world government and that nobody has a right to address espionage against themselves by foreign powers? Even the US doesn't say that.

Where is the problem? I don't observe any laws being broken here. Nobody is circumventing anything that any government is actually willing to admit it is doing. Tor? Government sponsored. Free speech? Freedom of the press? Championed by most of our governments.

You seem to be a security professional. Surely you can string some words together. Do you really think the US would be better off if nobody learned anything about security? Do you realize how much money the US pays to support training people in cybersecurity? Why would they do that if they just wanted us to play dumb?

I have received government funded security training and they never asked me not to read wikileaks or Snowden's documents. They just asked me not to do illegal hacking. But they trained me how to do it because you can't defend yourself, or anyone else, with ignorance.

Do we have opinions about the government? Yes. But that is our right and the supposed basis of what most of our governments stand for. Would you prefer a world where speech about government doesn't happen? Then I submit you are actually more dangerous than any government program.

011000101001July 6, 2014 9:30 PM

While building a homebrew hardware random number generator, I ran across this little beauty, a simple noisy oscillator circuit that uses just one transistor:

https://www.youtube.com/watch?v=rpGOKGrcpAk

I tried it out with a few different types of transistors and found a few in my parts bin that work just fine.

Check it out!

ThothJuly 6, 2014 10:01 PM

@NobodySpecial
What happens if my kids drained daddy's mummy's laptop batteries in-flight playing games ?

In computer forensics training, we are taught to do cold boot attacks, knock off power and do searches. One of the reasons we knock off the power besides facilitating in cold boot attacks and not shocking ourselves when we acquire the internals, is also to prevent power from running internals that may trigger digital and mechanical traps that may blow us up into pieces or wipe the hard disk and RAM.

It's quite controversial that they want you to power it up which is against the fundamental principles we operate in our cyber forensics environment. If they want a boot up screen, just boot them into a spare boot sector with an unused OS.

DBJuly 6, 2014 10:04 PM

@ Skeptical

If you can be found willfully violating rules and NOT go to prison, NOT have your programs shut down, and NOT have funding pulled, then you have incentive NOT to lie.

You have it backwards. If you can get away with doing whatever you want and have no repercussions at all (such as prison, programs shut down, funding pulled, etc), you have every incentive to lie as much as you can. Especially if you have no absolute "morals" to live up to, anything goes if you can get away with it and there's no cost.

DBJuly 6, 2014 10:12 PM

@ Thoth

The theory behind the "want to see it boot up" idea, is that if a complete real computer is really in that computer case, then there must not be physical room enough for a bomb too...

Which is why I thought it odd when the desktop's only evidence was whirring of a fan and a few blinky lights... not a lot of evidence there, but whatever, I got through, that's all that really mattered to me at the time.

I think this whole concept of there not being enough room is quite false though, it's just more "security theater" as others have called airport security. It's meant as a distraction and to make you "feel" safer, not to actually bring real security.

BuckJuly 6, 2014 11:06 PM

@Wael

While I somewhat suspect that you're just yankin' my chain, I can't help it but to think that you cut off my quote quite prematurely... Or possibly you're just 'passing along' obvious "intel" in a more subtle manner! ;-)

Although I'd already assume that the software is some of the softest s%!# involved in the situation, I still catch myself considering the consequences of leaving out the full details... The original question really has nothing to do with any Devices or Operating Systems in particular, but for the so-called 'operational-procedures' - if the phone is in airplane mode - or off - how should that be perceived as being any different from a phone that won't turn on..? And then one starts to ponder the minimal hidden storage requirements of the supposedly secret new explosive, and why you would even bother to hide it in an electronic device (that are obviously already highly suspect in the grand scheme of things today)...

WaelJuly 7, 2014 12:48 AM

@Buck,

Nope! Not yankin' your chain -- at least not yet ;)

Or possibly you're just 'passing along' obvious "intel" in a more subtle manner! ;-)
Was passing something subtle. It has to do with your use of the word "irregardless". An ex-colleague used this word excessively, and I was wondering if you are him, probably not. That's the reason I used the word "regardless" and the word "irrespective" -- which you have fused together to come up with "irregardless" :)

At one point in my carrier, I worked on cell phones. And I travelled a lot with them on me. Sometimes I would carry a dozen phones, and not all of them were in operating condition -- they were prototypes, and some were completely disassembled. I don't remember ever being asked to turn any of them on, although I was asked once to turn a laptop on and once more to turn another "operational" phone on. Sometimes I took such devices to international locations (to work with carriers on some "issues") and never had problems at the airport. The devices went through an x-ray machine anyway! Then there are other machines that detect traces of “interesting stuff”. So the “turn the device on” test is for “other reasons” they have not made clear.

My take on this TSA regulation is it’s a preventative measure, perhaps a psychological one. Or maybe it's a defense mechanism against a "compound threat", not a simple “threat" — and I’ll leave it at that. It may not have to do with explosives at all, it could be a measure against drugs, narcotics, or a new form of smuggling. I have a funny story to relate that I heard a while back. During the time of Saddam's rule, there was an Iraqi law that no one may take foreign currency outside of Iraq. Well, a report came that a certain passenger had a large sum of US dollars and he was smuggling it out of Iraq to Egypt. He was stopped by the security guards at the airport in Baghdad. The guy was carrying only one big bag wrapped with a rope. So the guards searched his bag and found nothing. After they got tired, they told the suspect: Look, we know you have the money, where have you hidden it? He said I have nothing! They strip searched him and found nothing. They told him you had better tell us where the money is! He said, look guys, you searched everywhere, you strip searched me and you found nothing! After they gave up they said, if you tell us we'll let you go unharmed, we swear. He said swear by Saddam's head you will not take it and not harm me. They did so. So the guy showed them where he hid the money. He had unwrapped the rope and carefully put the $100 bills in the long rope, and then re-braided the rope and wrapped the rope round the bag. They let him go! After all, if news went to Saddam that someone swore by his name and didn't keep their word, they'd be in deep doodo.

Who knows, maybe someone is stuffing diamonds in the phone? Can you feel the tug on your chain now? :)

BuckJuly 7, 2014 1:15 AM

@Wael

No, I'm certainly not the specific colleague in question (I'm far too young to have ever been in that position)... Though I did consider and was quite close to using the word "irrespective"... Thanks for the anecdote! These insights are always appreciated!!!

BuckJuly 7, 2014 1:28 AM

Oh, BTW... I'm about to retire from the blog in order to more fully concentrate on the enjoyment of living a long, happy, healthy life. So if I suddenly disappear, don't be too concerned... It's all just part of the plan! ;-) You could more properly validate my claim with a legitimate PGP (or similar) key... had I ever posted one! :-D

WaelJuly 7, 2014 1:32 AM

@Buck,
No problemo! Glad you took it well :)
If I find no one to "make fun of", I make fun of myself;)
Enjoy your life dude!

Wesley ParishJuly 7, 2014 1:50 AM

@Wael, that's a version of one of the Mullah Nasrudin's stories, about him smuggling donkeys. He was smuggling them quite openly, in full view, taking them in one direction and not taking them in the other, and the border guards never noticed.

Something new: Well, I think I've encountered proof that the NSA and various other "? Intelligence ?" agencies are interested in anyone who downloads TAILS. To wit, I downloaded TAILS a day or so ago. I was also downloading, via wget, a set of Public Domain Neuroscience and Neurology books from archive.org. My average download rate from Archive.org is generally 150-250 kB/s; following my download of TAILS, it dropped to 20 kB/s at the max.

For all NSA, BND, GCHQ and other drones reading this blog's comments, I am educated in the neurosciences. I saw a BBC news article the other day about the neural changes addiction causes, and the identity between the changes of a drug addict and those of a porn addict. I believe I have a defendable thesis that Peeping Tom-itis is likewise an addiction, and would love to defend it using any number of you as my experimental subjects. I also believe I have a defendable thesis that the habit of the NSA and the like in storing every piece of data it can get its hands on, is a form of perseveration. Again, I would love to defend this thesis using the known behaviours and policies of your organizations.

I'm not a trained neurologist, so I won't be asking to perform neurological interventions to cure you. I'll leave that to trained neurologists. But it's what you've been asking for through your antisocial behaviours.

WaelJuly 7, 2014 2:07 AM

@Wesley Parish,

My average download rate from Archive.org is generally 150-250 kB/s; following my download of TAILS, it dropped to 20 kB/s at the max.
I don't use tails, PGP, TOR, or TrueCrypt. But I am guessing the downgrade in your download speed is a side effect of using TAILS? Just downloading tails and not installing or using it causing a downgrade in download speed is unexplainable!

Gerard van VoorenJuly 7, 2014 2:15 AM

@ Clive Robinson

About PayPal trying to kill ProtonMail by withholding money.

"If it can be shown that the US Gov was behind this blocking of funds, then it would be a clear indicator that they were involved with "economic espionage" contrary to their claims otherwise."

To my not very well informed ears it sounds like someone with authority is pulling some strings because he doesn't like what's going on.

The same happened with Wikileaks.

According to Wikipedia: "Since the publications of CableGate, WikiLeaks has experienced an unprecedented global financial blockade by major finance companies including Mastercard, Visa and PayPal although there has been no legal accusation of any wrongdoing."

Come on, that has "no fly list" including "gag orders" written all over. In other words it's ordinary GBCE, that is Governmental Blackmail, Corruption and Extortion.

But the more you read about these kinds of things, the more you realize that what's going on today is something that NEEDS to be disclosed. The abuse of power in the US is too massive and the lying just has to stop. There just has to be accountability or it WILL end up as a banana republic rather sooner than later.

WinterJuly 7, 2014 3:36 AM

And the backlash against Google's campaign to derail the "right to be forgotten" is coming:

http://www.theregister.co.uk/2014/07/04/google_peston_bbc_delisting_not_compliant_w_public_interest_law_says_expert/

No matter which way you slice it, Google has at best misinterpreted the law, and wrongly de-linked Peston's legitimate story. As this piece is written, it appears that the advertising monolith is now re-linking to articles it had de-listed: it may not be a coincidence that google.co.uk went down for approximately 10 minutes shortly before 11am UK time.

The price of this week's PR stunt is mounting.

ArkhJuly 7, 2014 4:21 AM

@Mike the goat

I'll repeat what I already put in some other comment about search engines: with the rise of computing power and storage, I think we will end up with our own personal search engines.

Some appliance which will be like our shadow on the net, collecting and organizing data for ourselves with our own interest and configuration.

Clive RobinsonJuly 7, 2014 5:26 AM

@ Wael,

With regards,

At one point in my carrier, I worked on cell phones.

Is that a typo or are you dropping the hint you own your own major telecommunications company and sometimes get your hands dirty down with us plebs ;-)

@ Mike the Goat,

Sadly for the better jobs it's either "who you know" for the money, or back in the day "what you know" when you are the only person in the know, and lots of money is to be made by others at your expense.

Simon Baron-Cohen, has various arguments for this which is a jazzed up version of the idea of a societal normal distribution with psychopaths on one tail and ASD on the other.

Which tends to pan out with the psychopaths running organisations for their benefit and ASD types doing the ground breaking and serious work that actually does something to move society forwards. With the so called NTs in the middle doing something that does little for society or themselves.

The late Douglas Adams nailed it with the three Arks theory ;-)

Scott "SFITCS" FergusonJuly 7, 2014 5:36 AM

@Arkh

...with the rise of computing power and storage, I think we will end up with our own personal search engines.

Wouldn't that presuppose that the growth in the size of the internet isn't larger than the growth in computing power and storage? And...


Some appliance which will be like our shadow on the net, collecting and organizing data for ourselves with our own interest and configuration.

... that site admins will change their current policy of trying to stop "bots of no value"[*1] from crawling their sites.

[*1]
Server loads and traffic costs money. No - the web ain't free. Really.
If the visitor isn't the target audience they're not really wanted. If the visitor is a bot (your personal web spider) that won't bring target traffic they're very unwelcome.

Note: you're not the first person to dream of their personal search engine (and there are many good Open Source projects you can use for that purpose), and not the first to fail to consider the objections most site admins have to your idea. Some dreamers even go so far as to spoof a browser id to try and get around bot blocks - with predictable results. Saving useful web pages and later searching them with your personal search engine is useful (bookmarks not so much), doesn't upset site admins, and can also be useful for finding useful results from other search engines.

Apropos of nothing, I can't comment on the "Internet of things" (or imagine an "internet" without things)

WaelJuly 7, 2014 6:19 AM

@Clive Robinson,

Is that a typo or are you dropping the hint you own your own major telecommunications company...
If it's a typo, then my brain is too foggy to fix it. Oh, I wish I owned my company! I would have retired by now:) But I found out that, in reality, I own nothing, just like the rest of most people!

mj12July 7, 2014 11:26 AM

@Buck
Looks like I made a fool out of myself.
The quote about CCTV is still good, no matter whether it's satire or not.

Nick PJuly 7, 2014 11:48 AM

@ Clive Robinson

I believe I mentioned here before that ProtonMail was made by people in US and therefore could be affected covertly. Then, you send me this. I think it adds more credibility to my claim of "truly secure systems can't be built in America, or by American citizens, without subversion due to overt and covert TLA influence."

On a related note, I have a MyKolab email account now that I bought through PayPal with no problems. Should MyKolab users be worried that one had PayPal trouble and one didn't? And the mental game continues!

@ Buck

"Oh, BTW... I'm about to retire from the blog in order to more fully concentrate on the enjoyment of living a long, happy, healthy life. So if I suddenly disappear, don't be too concerned... It's all just part of the plan! ;-) You could more properly validate my claim with a legitimate PGP (or similar) key... had I ever posted one! :-D"

NOOOOO! Oh well, go live your happy and healthy life. Been real fun talking to you on here. I will miss it. Especially security advice like this that's so good it's forever enshrined in my link archive.

AnuraJuly 7, 2014 11:51 AM

@Winter

"When Google receives a request to de-link, it must consider whether any damage to the person making the request is outweighed by a relevant public interest in keeping the link. In the case of [Merrill Lynch chairman] Stan O'Neal [original here], it's a no-brainer, there's a clear public interest in that information remaining available."

That seems like a problem - who's to say what's in the public interest or not? In the end, this seems like something that can result in a very large number of court cases, to which it seems Google might be footing the bill. The silly part is that the articles themselves remain up, and there are other search engines out there. It seems like a lot of cost for a little gain.

Although I agree that it does make sense that someone be able to rid the internet of themselves, I'm pretty confident this is not the way to go about it, or that it's even practical.

Iain MoffatJuly 7, 2014 3:10 PM

@Anura: Certainly in the UK I believe principles 3, 4 and 5 of the data protection act allow the individual to address problems of inaccurate or outdated information with the "data controller" (i.e. website, blog or whatever) directly if the data controller has a legal presence in the UK. On reflection since my earlier post I can see that is too limited if the data is controlled by a legal entity with no UK presence which is quite likely in the real web 2.0 world (consider this blog!).

There is also a problem due to automated data scraping if information continues to exist in (for example) Google's cache or the wayback machine after being removed by the end user from the original site. Mechanisms to address this automatically (such as robots.txt) are not always available to someone in that position (for example if they did not control a website even if they were able to delete a post or profile through the site's user interface).

Search engines (or rather their owners and operators) tend to have a legal presence nearly everywhere so are an easy target for litigation and enforcement even if they are only an index and cache. This is of course largely useless if the information remains viewable to those who know where to find it, and is still visible to searches conducted from outside the EU (or via TOR?) and there is nothing to stop the URL being re-posted.

So I see it as being at best privacy theatre at least as silly as attempts to ban books in the UK that are on open sale in the USA, while carrying the risk that it will allow de-facto censorship by complaint if search providers operate defensively and take down first and ask questions later as Google appear to have done in the BBC/Peston case. I appreciate that they may have done it to make a point but the danger of making a point is that it may prove the feasibility of doing exactly what they hoped to highlight as absurd, at least until the courts have clarified the matter.

Iain

IndependentJuly 7, 2014 5:58 PM

@ Thoth: (July 5, 2014 7:39 AM)

The only way to anonymize, hide and secure communications is to send a seemingly legit looking message with a secure message hidden inside via encryption and stenography.

Didn't you mean steganography?

ThothJuly 8, 2014 8:15 AM

@Independent
Ah thanks for the correction. Just love the browser spelling correction :D .

Joe KJuly 8, 2014 11:41 PM

@DB

hey I have an idea... how about we as a people just throw off all pretense of any sort of democracy and human rights and just openly have a harsh dictatorship! problem solved. no need to worry about abuses then.

Can we still has the sekrit laws, though?

Nothing says tyranny like sekrit laws do. What a concept!

@Anyone who remembers a TV show called Get Smart...

http://www.telegraph.co.uk/news/uknews/terrorism-in-the-uk/10942304/Security-to-be-stepped-up-at-UK-airports-amid-terror-fears.html

The increased security measures -- reported to include closer scrutiny of personal electronics and footwear -- come amid fears individuals with Western passports who have travelled to Syria and Iraq to fight with Islamist extremists could be used to smuggle devices on to planes.

Scott "SFITCS" FergusonJuly 9, 2014 3:38 AM

Extreme claims (son's "kidnap may be for exchange with Snowden"), but serious accusation "Russian charged with cybercrimes and taken to Guam". Is this the future fate for those accused by the US of "cybercrime"?
We've already seen Microsoft seize No-IP domains on spurious charges (I don't see anyone seizing Hotmail/Outlook/Live - and they have been the source of far more "cybercrimes" than No-IP).

Clive RobinsonJuly 9, 2014 4:14 AM

OFF Topic :

As predicted, from a security aspect the Internet of Things (IoT) is off to a bad start.

This article shows how Smart LED light bulbs give away a WiFi key by storing it encrypted under AES and a static key[1],

http://arstechnica.com/security/2014/07/crypto-weakness-in-smart-led-lightbulbs-exposes-wi-fi-passwords/

[1] I thought this danger was well known as it's what VNC did with DES way back in the 1990s. I guess it shows just how quickly even simple security knowledge is forgotten or never learned.
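
The weakness Clive describes, as an added example that is not part of the original comment or the linked article: a credential encrypted under a key shipped identically in every unit's firmware is readable by anyone who holds that firmware image, while a key generated on each unit is not. An HMAC-SHA256 keystream stands in for AES here because Python's standard library has no AES; the class names, key and passphrase are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample values, not taken from any real product.
FIRMWARE_STATIC_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
WIFI_PSK = b"correct horse battery staple"


def _subkeys(key):
    """Derive separate encryption and MAC keys from one master key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(key, nonce, length):
    """Stand-in for AES-CTR: HMAC-SHA256 over nonce || counter."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    """Return the plaintext, or None if the key is wrong or the blob altered."""
    if len(blob) < 48:
        return None
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(enc_key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, stream))


class StaticKeyBulb:
    """Weak design: every unit encrypts with the key baked into the firmware."""

    def __init__(self):
        self.stored = None

    def provision(self, psk):
        self.stored = seal(FIRMWARE_STATIC_KEY, psk)


class PerDeviceKeyBulb:
    """Hardened design (assumption: the key lives in protected storage on the
    unit and is never part of the shared firmware image)."""

    def __init__(self):
        self._device_key = os.urandom(32)
        self.stored = None

    def provision(self, psk):
        self.stored = seal(self._device_key, psk)

    def read_psk(self):
        return unseal(self._device_key, self.stored)


def audit_with_firmware_key(blobs, firmware_key):
    """Defender's check: which stored blobs does the firmware-wide key open?"""
    return [unseal(firmware_key, blob) for blob in blobs]


def demo():
    weak = [StaticKeyBulb() for _ in range(3)]
    strong = [PerDeviceKeyBulb() for _ in range(3)]
    for bulb in weak + strong:
        bulb.provision(WIFI_PSK)
    weak_blobs = [b.stored for b in weak]
    return {
        # Random nonces make every blob look different...
        "distinct_weak_blobs": len(set(weak_blobs)),
        # ...yet the one firmware key opens all of them.
        "static": audit_with_firmware_key(weak_blobs, FIRMWARE_STATIC_KEY),
        "per_device": audit_with_firmware_key([b.stored for b in strong],
                                              FIRMWARE_STATIC_KEY),
        "own_key": [b.read_psk() for b in strong],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```
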

AnuraJuly 9, 2014 5:06 AM

There's been a lot of talk about internet of things, but very little effort to prepare for it. For one, we need plug-and-play, idiot resistant protocols for connecting these devices to a network that makes it so that the developers don't have to roll their own. Second, we need to realize that these devices will be hacked, and so instead of having them on the same LAN as your computer, they should be segregated on a VLAN purely for controllable devices. Devices that are controllable should not be able to open a connection to any other device - if you do this, you could theoretically have a public-key based access point for controllable devices and then they don't even need your password.

CallMeLateForSupperJuly 9, 2014 8:00 AM

@Clive

How old were today's IOT entrepreneurs in the 1990's, when that crypto lesson you point to was being learned (by others)? There you go. I know that you and some others here already know what I'm about to say, but it has to be said: Security measures, if any, all too often are slapped on with spit and a hail Mary, without sufficient testing, just before general availability.

Re: IOT in general
While reading the arsTechnica article, the following occurred to me, in quick succession and in this order:
(1) IOT is pretty new yet, so the ... um... field is not yet a huge, stinking mess (just a small, stinking mess).
(2) Because of (1), there would be little catch-up for the person who decides to track, review/assess each IOT device as it arrives and publish a thumbs up/down with details in a publicly accessible place.

It is said that a picture is worth a thousand words. In this case a spreadsheet could be worth a thousand words. I suspect that, eventually, the IOT picture would show a bunch of insecure solutions looking for problems.

Clive RobinsonJuly 9, 2014 9:21 AM

@ Callmelateforsupper,

Hmm let me think,.. they were probably not even " the apple of their father's eye" back then.

But that's the scary thing, mankind is supposed to not quite make the mistakes of the preceding generations, by studying what they did wrong. If in security we are not teaching/learning from just one generation before then what hope is there for us?

Clive RobinsonJuly 9, 2014 9:30 AM

Is anybody else getting "Internal server errors" when they try to post?

Clive RobinsonJuly 9, 2014 9:34 AM

DRONE STRIKES WOMAN IN AUSTRALIA...

It would appear that a woman athlete participating in a sporting event was hit in the head by a camera drone.

https://au.news.yahoo.com/thewest/wa/a/22435997/triathlete-injured-in-drone-incident/

The stories conflict and the drone operator thinks it was hacked simply because it had not crashed before in the year that he has owned it.

Further he is claiming the drone did not hit her but the woman got scared and fell over. She has said ambulance staff pulled parts of the drone propeller out of her head prior to stitching up the wound.

Either way it can safely be claimed that the drone was flying too close to the athletes for it to be considered safe.

Clive RobinsonJuly 9, 2014 9:39 AM

Hmm, chop a few lines off the bottom of the comment and it posts this time. SO,

@ Moderator,

Have there been any changes to the server in the past twelve to twenty four hours?


ModeratorJuly 9, 2014 11:26 AM

Have there been any changes to the server in the past twelve to twenty four hours?

Not that I'm aware of, but I'll see what happens when I try to post a very long comment while logged out.

ModeratorJuly 9, 2014 11:40 AM

Well, it worked for me with as much as 10,000 words pasted in. (Sorry to anyone who saw that wall of text before I removed it.) Let me know if it happens again, though.

BuckJuly 10, 2014 11:00 AM

Sorry if I'm interrupting this lively discussion about headlines, but if this root isn't revoked immediately, this is bad...

Crypto certificates impersonating Google and Yahoo pose threat to Windows users (July 9, 2014)
Matters for Microsoft may be considerably more difficult. The CCA issues huge numbers of legitimate certificates. Revoking the entire root certificate in Windows comes at the risk of breaking large parts of the Internet.
http://arstechnica.com/security/2014/07/crypto-certificates-impersonating-google-and-yahoo-pose-threat-to-windows-users/

Nick PJuly 10, 2014 9:16 PM

@ readers into processor designs

(esp Clive and RobertT if he still reads)

A FPGA softcore processor implemented on a DSP block
http://www.ntu.edu.sg/home/sfahmy/files/papers/fpt2012-cheah.pdf

A previous discussion on acquiring non-subverted chips led one person to suggest DSP's. In theory, one could use them for general purpose computation with some effort. These researchers did exactly that, leveraging the DSP's being built into FPGA's. That much of the processor work is done in the DSP itself keeps the hardware design simple. It also performs well relative to a mainstream soft core. Clever work. People trying to put software on real DSP's might learn something from it.

A Study of the Speedups and Competitiveness of FPGA Soft Processor Cores using Dynamic Hardware/Software Partitioning
http://www.ann.ece.ufl.edu/courses/eel6935_11fal/slides/Presentation2.pdf

This I found in the process. It's basically a hardware JIT for soft core processors on FPGA. There's a main processor (MicroBlaze), a profiler that monitors it, and reconfigurable logic for custom circuits. Software instructions are initially executed on main processor. If the profiler notices a hotspot in the code, it automatically converts it into a custom circuit, loads that circuit into the reconfigurable logic, and shifts execution of that function to the circuit. The result is that the software runs faster and uses less power as the clock rate can be lower. There's been a lot of designs like this over the years that I didn't really post here. It's a neat enough concept that I figure I should post at least one.

WaelJuly 11, 2014 1:46 AM

@ Nick P,

readers into processor designs...
I read this link with mixed feelings. It touched on an aspect of our C-v-P discussion which I was planning on sharing at some time. I will later share in some detail what I had in mind in addition to the "brain CPU" link you previously shared. My mixed feelings stem from the fact that this link takes away or overlaps to some extent with what I had in mind. I referred to it previously as an "emuvisor"... Stay tuned...

You and your links!!!

Gerard van VoorenJuly 11, 2014 12:07 PM

News. Ironsides is a new free DNS implementation written in Ada and formally verified with SPARK [1]. The academic paper that comes with it is a good read. It explains much more than only the software itself. "Ironsides was originally developed by the US Air Force Academy, Department of Computer Science."

They claim some strong features:
- 3x faster than BIND on their system.
- "provably invulnerable to remote code execution exploits and single-packet denial of service attacks."

They also say:
"IRONSIDES is over three times faster than BIND on Linux. Given IRONSIDES’ superior security posture, we find these results significant. They show that one need not sacrifice security for performance in software design."


[1] http://ironsides.martincarlisle.com/

Nick PJuly 12, 2014 12:19 AM

@ Wael

I hope you're not taking the research too personally as there are probably many things implemented similar to your emuvisor. The mainframe and minicomputer market, esp AS/400 and VAX, come to mind immediately. AS/400 had a portable instruction set that allowed the same application (including most of OS) to run on very different hardware. The Alpha line's microcode and PALcode design allowed changes in those to effectively emulate (three?) different processors. A number of mainframe vendors make modern hardware pretend to be older hardware. Transmeta combined a RISC core and binary translation tech to emulate x86 among others. And then there's hardware JIT's, virtualized architectures going back decades, and so on.

Quite easy to imagine that many useful concepts have been explored and even tried in a product given all this work. I'd also imagine such work led to patents or good attacks on a new patent as well. So, nothing to let bother you. Anyway, many more designs to explore and fun to be had in such things.

Re brain CPU

I think IBM recently said its next target is a chip that embodies around a billion neurons and trillions of connections. Quite a leap up from what we have now. Yet, they've started understanding the problem enough to build the many neurocomputing machines they've built. They're also experts at building supercomputers. Combining the two, they might just succeed at their goal. I can only imagine the implications if combined with recent developments in unsupervised learning and large neural nets.

@ Gerard

I'm impressed you caught it as I think I'm the only one that shared it on a blog before this lol. I even liked their project enough that I sent it to Dan Kaminsky with a suggestion he give it some publicity and/or put his Phreebird DNSSEC tool in front of it. Got no reply. (shrugs) The one problem I saw in their report was that the compiler could break security. That's always a risk, but happened here. This led me to propose building a certifying Ada/SPARK compiler or a trustworthy mapping from Ada to a language with a certifying compiler (e.g. CompCert C). I even considered mapping it to a Modula or Oberon variant with Ada's representation types, control flow, etc. All the complexity filtered out to ease compiler verification, which Wirth languages do naturally.

In any case, it's good to see they're applying high integrity tools for a job demanding it. It's also Air Force people funded by DARPA working to improve our security. Always nice to see U.S. govt funded projects taking us in a good direction. AdaCore and Altran Praxis, two excellent players in high integrity software, also supported the work. Props to them. The leader in this category, though, is probably Secure64 DNS on their SourceT OS. Too bad for them Itanium is in jeopardy. So, yet another solid processor foundation failing leads us back to leveraging superior software tools like SPARK. IRONSIDES is a good example of that.

Nick PJuly 12, 2014 12:53 AM

@ Bruce

You've been taking a lot of heat for the titles. I sure don't care about how you present content as I'm a proponent of your right to speak freely, esp on your own blog. The issue is worth mentioning, though, as you undoubtedly like your fame and always appealed to a niche that only wanted sensationalism when you were busting out bad products. ;) Otherwise, they (and I) liked that you did things differently from most other blogs. I might be projecting my own views, but I'm doing what I can to accurately assess others'. I think that your niche that you turned into a crowd of followers [of your blog] liked things that other way.

So, your persona or blog might do better avoiding the titles that are aggravating them. You might be undermining what differentiates your blog to that (large?) segment of the audience. If you do any wild titles, I suggest saving it for the cases your audience loves (eg Doghousing fake security) or for when you tie into a media presentation you do on a channel/site that responds well to that. The latter is for getting potential new readers and might not happen enough to annoy those regulars that are complaining about it.

WaelJuly 12, 2014 1:00 AM

@Nick P,

I hope you're not taking the research too personally as there are probably many things implemented similar to your emuvisor.

"Emuvisor" is not the best name, but the first one that came to mind. I'll share the idea later when I have a chance to elaborate, probably before the weekend is over. Need to sort my thoughts a bit. The idea is kind of related to what you mentioned, but not exactly. I still suspect you'll whip up a paper or a link that talks about something very similar, if not identical. Nothing personal here, we're just sharing information and learning from one another. Also, we'll help someone with more time and resources get rich, while we continue to live paycheck-to-paycheck ;)

Branching off a bit, what does anyone interested think of the Dwave quantum computer?

WaelJuly 12, 2014 1:08 AM

@ Nick P,

I think my browser did some weird stuff resulting in a post rather than an edit...
Happened more than once with me. Now I edit my posts in an external editor, then when I am satisfied, I copy and paste it. Learned that the hard way in one of my "long" posts that was lost. Sometimes when I am using a not-so-smart-device, the whole post is either posted or lost when I open another browser tab, or navigate browser history...
I also book-mark my todo list to keep track of what I have in my queue. Thanks to your links, I am getting stack overflows, and my editor is posting arbitrary posts on my behalf ;)

Nick PJuly 12, 2014 1:23 AM

@ Wael

re links and posts

"Happened more than once with me. Now I edit my posts in an external editor, then when I am satisfied, I copy and paste it."

That's how I usually do it. Then, I sometimes want to see it with the preview function how it is, lazily change what's in the text box rather than my text editing app, and a fraction of the time it screws up. Doing it in some kind of standalone app is the best way to deal with this. Yet, I got lazy and relied on web technology plus a laptop touchpad. Apparently, a very dangerous combination.

re links

My lawyer says I have nothing to do with people's problems with links. He says I've been merely typing HTML text into web forms this whole time and it's your fault for using a client that interprets it as links rather than censoring the burdensome things. :P

re D-Wave

I responded to that here after a number of allegations that they were full of it and what could an engineer do. Apparently, quite a lot without them. ;)

WaelJuly 12, 2014 1:36 AM

@Nick P,

I responded to that here...
Oh, oh! How degrading! Must be getting senile!!!
Wael: -1 :(

WaelJuly 12, 2014 2:28 AM

@Nick P,

My lawyer says I have nothing...
Good lawyer... Was thinking at one point to write a smart phone app for this blog, with some cool features including a "local preview". Wizard type application where you can filter for interesting posts or people, bookmark todo lists, automatic block quotes and formatting, Authentication and signing so that spoofing is minimized, a kick-ass user interface, etc... So much to do, so little time. Was going to make it open source so others can vet the code... Any PMs on this blog that can keep track of the feature list and write a good specification? ;)

Nick PJuly 12, 2014 12:59 PM

@ Wael

That sounds interesting. I've thought about coding it up, too, maybe as a plugin to an existing word processor (combined with a scraper). Name.withheld made a comment once suggesting he might have a script scraping the blog regularly.

There was a discussion here between many people long ago about changing this blog into a threaded forum so people could track discussions better. When it was clear Bruce wasn't changing the software (it's Movable Type), I suggested adding a little reply link next to names that autofilled their name w/ timestamp in comment box and sent them an email notification. I also found out that Movable Type had plugins for stuff like this. That got nowhere, but was a simple enough compromise.

Going back in your direction, one could make a local version of the site that was threaded and supported notifications. It would regularly scrape Last 100 comments. Update which threads have changed, then pull each one. It would look for "@ name" and some heuristics to tell which posts were replies to the thread and which were tangent conversations. It would indent and group the tangents together. (Or maybe just color code them in a box.) It would also look for messages with user's screen name to put in a "you have new replies" notification.

And I'm too lazy to code it all unless the new Wolfram Programming Language lives up to its hype.
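The "@ name" heuristic described in the comment above, as an added example that is not part of the original thread: it resolves the addressing styles seen on this page ("@ Wael", "@Nick P, @Clive Robinson, @all", a first name only) to known commenters and links each reply to the addressee's most recent earlier comment. The sample comments are abridged and constructed, and the function names are assumptions.

```python
import re

# Abridged, constructed sample in this thread's shape: (author, body).
SAMPLE = [
    ("Clive Robinson", "Is anybody else getting errors when they try to post?"),
    ("Nick P", "@ readers into processor designs\nA softcore on a DSP block."),
    ("Wael", "@ Nick P,\nI read this link with mixed feelings."),
    ("Gerard van Vooren", "News. Ironsides is a new free DNS implementation."),
    ("Nick P", "@ Wael\nNothing to let bother you.\n@ Gerard\nI'm impressed."),
    ("Wael", "@Nick P, @Clive Robinson, @all\nHere is the short version..."),
]


def _norm(text):
    """Compare names without case, spaces or punctuation."""
    return re.sub(r"\W+", "", text).lower()


def addressees(body, known_names):
    """Known commenters addressed on lines that begin with '@'."""
    ordered = sorted(known_names, key=lambda n: len(_norm(n)), reverse=True)
    found = []
    for line in body.splitlines():
        if not line.lstrip().startswith("@"):
            continue  # skip '@' inside running text, e.g. e-mail addresses
        for raw in re.findall(r"@\s*([^,@\n]+)", line):
            cand = _norm(raw)
            for name in ordered:
                key = _norm(name)
                # Exact match, name followed by more text, or first name only.
                if (cand == key or cand.startswith(key)
                        or (len(cand) >= 3 and key.startswith(cand))):
                    if name not in found:
                        found.append(name)
                    break
    return found


def reply_map(comments):
    """Map each comment index to the indices of the comments it answers."""
    names = {author for author, _ in comments}
    last_by = {}  # author -> index of that author's latest comment so far
    links = {}
    for idx, (author, body) in enumerate(comments):
        links[idx] = [last_by[n] for n in addressees(body, names)
                      if n in last_by]
        last_by[author] = idx
    return links


def notifications(comments, me):
    """Indices of comments by others that address the given screen name."""
    names = {author for author, _ in comments} | {me}
    return [i for i, (author, body) in enumerate(comments)
            if author != me and me in addressees(body, names)]


if __name__ == "__main__":
    print(reply_map(SAMPLE))
    print(notifications(SAMPLE, "Nick P"))
```

Comments with an empty parent list (indices 0, 1 and 3 in the sample) are the thread starters or tangents that the described tool would group separately.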

WaelJuly 12, 2014 2:28 PM

@Nick P,
I like and thought of the features you listed. This is meant to be a mobile app for smart phones / pads. If I have some free time, I'll start something or, better yet, hopefully someone here will take it over.

WaelJuly 13, 2014 2:13 AM

@Nick P, @Clive Robinson, @all
Re "emuvisor", C-v-P...
Here is the short version...
HAL: Hardware Abstraction Layer
New / expanded usage of a term, PAL: Platform Abstraction Layer
Suppose you have a system with a few thousand cores - GPUs, DSPs, RISC CPUs, and such. As opposed to Symmetric Multiprocessing, the lowest level connections are a default setup with dynamic controllable connections between these various HW components. The “emuvisor”'s role is to:

  1. Act as a PAL to create a given platform configuration for the upper layers of the stack
  2. It can emulate various CPU instruction sets
  3. It can create “Independent Architecture instruction” sets, ala LLVM
  4. Can act like QEMU as well.
You want to create an x86 or an ARM platform? No problem, give the “emuvisor” a configuration file that specifies the required HW configuration: Number of CPUs and Architecture, amount of memory, DMA configurations and restrictions, ABAC on resources as well. Want a java VM? Create the right connections and the right HW configuration. It can also act in learning mode where the connections between the HW components are “learned” and optimized (like the brain cells do) over time for performance and security. The default stack will look like this:
HW - Emuvisor - PAL - HAL - kernel - Usermode
It’s a software defined HW configuration that's controlled by the owner of the device or the owner of the program. Sandboxing, and memory / platform separation of duties, roles, and access controls are built in the emuvisor and are configurable by the owner. IPC can also be secured through encryption. @Clive Robinson can define his "voting system" as a configuration file input to the emuvisor. The warden is a functionality that is definable! I want this many "cores" to act as a police on the protocols, CPU input / output verifications, etc... @Nick P can also define his DMA restrictions, interrupt controls, which CPU handles interrupts, USB access, MMIO, etc... -- all through ABAC (Attribute Based Access Control) properties of various configurations. You can also use this configuration to run multiple Operating Systems side by side, or have appliances that run directly on the emuvisor (just like what can be done with a hypervisor)...

The owner is in better control as long as configuration files are protected. If some HW is subverted, other configurations can verify that (through voting and @Clive Robinson's "probabilistic security" mechanisms)...

Nick PJuly 13, 2014 10:22 AM

@ Wael

I can see how the paper I linked was stepping in your design's territory. ;) Your description of the emuvisor is so far too vague for me to go with. At first, you're talking about simulating whole hardware platforms somewhat like Wind River SIMICS or OVPsim (but with hardware acceleration?). Then, what you describe later sounds more like a combo of a firmware hypervisor with typical platform virtualization software. So, we need more detail.

If the first is similar to SIMICS with security and management extensions, then what do you expect the hardware underneath to look like? Modern components are pretty complex, esp the GPU you mentioned. (A GPU might take up a whole mid- to high-end FPGA.) I'm guessing you're using at least one good FPGA on a board with many hardwired peripherals and RAM. The models get turned into hardware via synthesis, it's uploaded onto the board, and then you have a new platform. There's a lot of this in the verification and academic communities. Small, simple SOC's and stuff might take a regular FPGA. Depending on your design complexity, it might take one low-end FPGA or several more expensive ones.

Btw, as you think of the answers to these questions you might keep in mind the strategy FPGA vendors have been using: a combo of hard and soft elements. Examples include putting ASIC DSP slices, PowerPC processors, and so on in the FPGA's. So, they run unemulated, but you lose that chip space. There's also the SGI et al approach of having multi-socket boards which can take processors, GPU's, or FPGA's. So, you can mix virtualizable and purpose built hardware on same board with high performance. Maybe build in a PCI IOMMU into each socket, too, so you can choose between socket-to-socket I/O and communicating via shared memory. Now we essentially have my secure MPP/NUMA design minus global shared memory.

Need more elaboration on how that HAL/PAL/Emuvisor layer is supposed to work and be implemented, along with what differentiates it from the current method of synthesizing hardware models onto FPGA boards with I/O and memory. Once I grok that part, I can think on it and dig through academic research (keywords: reconfigurable computing, FPGA's) to see if someone's built something like it. I'm temporarily dropping the "learns like a brain" requirement from my analysis.

WaelJuly 13, 2014 8:41 PM

@Nick P,

Your description of the emuvisor is so far too vague [...] I'm temporarily dropping the "learns like a brain" requirement from my analysis.
Yes, the short version is. Re "brain": good choice. I just wanted to post something before the weekend was over as I promised. We'll continue later....

WaelJuly 13, 2014 8:53 PM

@Benni, @Gweihir, and the rest of the German folks,
Congratulations to Deutschland for winning the 2014 world cup! I saw Angela Merkel attending, no cell phone either :)
Your team played exceptionally well and "deserfed" to "vin" :)


Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.