Buck August 29, 2014 5:14 PM

How have I just heard of the Gyges malware for the first time today!?

Apparently it’s been invisible, not only to its targets, but also to my usual media channels for learning about this sort of information…

SoWhatDidYouExpect? August 29, 2014 5:51 PM

Gyges was “discovered” by Sentinel Labs. Who are they? Only recently formed, seemingly like the outfit that “discovered” some foreign organization had accumulated 1.2 billion passwords.

It seems unusual that these newly hatched threats come announced by relative unknows. Perhaps looking for business credentials?

More information if you have it…

Buck August 29, 2014 6:13 PM


So, are you suggesting that Sentinel Labs reverse-engineered government-grade malware and attached basic crime-ware functionality to make a name for themselves in the infosec community?

Seems to me, if they were going to go through that much trouble, they may have been a lot better off just using it to steal bank customers’ credentials…

No more information at this time; still absorbing the report!

Adjuvant August 29, 2014 6:54 PM

Some significant releases on isolation OSes recently.

Qubes OS R2RC2

There are currently no more open tickets for the final R2 release, and we hope that what we release today is stable enough and so will be identical, or nearly identical, to the final R2 ISO, which we plan to release after the summer holidays.

My personal experience is that this version is suitable for daily use, unlike RC1 which, as developer Rutkowska reports, experienced persistent problems related to upstream bugs in the usual bête noire, systemd,

There’s also been recent movement on Genode with Genode OS Framework release 14.08

The central theme of version 14.08 is a new GUI architecture that maintains strong security yet scales to highly flexible and dynamic GUIs. Furthermore, the release comes with a port of OpenVPN, networking support for VirtualBox, updated DDE Linux, and vastly improved performance of our custom base-hw kernel.

Buck August 29, 2014 7:11 PM


Not really B2B as you would suggest (and I would love), but as stated in the abstract: BCI2CBI2BCI. Until the CI aspect can be properly secured, I will remain highly suspect of these sorts of technologies… But, by all means, go ahead and hook your brain up to a computer! I wouldn’t wish to prevent anyone from exercising their own free will.

David T August 29, 2014 7:20 PM

Here’s an interesting ..scam?

iStreet Research is posting mangled articles. For instance, here is their semi-coherent coverage of Boeing’s work on NASA’s Commercial Crew project. The language is weird, not event the kind of mistakes a non-native speaker would make. They seem to have transmorgrified this Reuters article.

Here are some of the word-changes:
Reuters: Boeing is competing with Space Exploration Technologies Corp, or SpaceX,
iStreet:Boeing is contending with Space discovery Technologies Corp, or else SpaceX,

Reuters: and privately held Sierra Nevada Corp,
iStreet: and in private apprehended Sierra Nevada Corp,

So I’m guessing – translated to a foreign language and back using Google Translate or such? Some customized, specialized English-mangler? All part of … an interesting click-fraud scheme?

Nova August 29, 2014 8:12 PM


Could be a covert government outfit posed as a commercial company. Common enough. The malware is supposedly from Russia, and Russia likely works with their organized crime directly and indirectly. Sentinel appears to be from Israel which would likely be too difficult to fake, so more likely Mossad.

Such discoveries operate like bonafides for these companies.

Such cover companies generally have multiple layers of employees: those in the know, and those not in the know. That the company is easy enough to control at the top layer makes it pretty simple to pull off without leaks. However, people typically suspect such companies as being government connected.

To have even tighter cover, but less mobility, shadow fund the company and control it indistinctly. Either way, the cover is unlikely to fall, and there is place for key employees to cycle in and out with completely false backgrounds.

Nova August 29, 2014 8:16 PM

@David T

I see that kind of stuff searching all the time. Especially when searching to buy stuff. Appears to me like simply coopting searchs results… what do they call it… SEO — search engine optimization. Could see it also operating in direct fraud situations, watering hole attacks, and such as well…

Nova August 29, 2014 8:28 PM

The JPMorgan hack:

The first reported source:

additional sources:

Currently being attributed mostly to Russian intelligence. I like this statement, “the Russians like to do things that give them options open”. The options they have with stealing that data is disturbing, I would bet. They are known to devise war plans, like any nations, and implement strong backdoor type strategies which they include in their war plans. (eg, scattered weapon caches across europe, analysis of critical infrastructure for destruction in case of war, etc)

Buck August 29, 2014 9:01 PM

@David T

Earlier in the week, when I saw this:

CNN chief: News operation will do less with less

I jokingly suggested that the restructuring may be due to advances in algorithms that turn talking points into full-blown digestible articles! But over the next few days, I noticed a marked increase in the type of garbage you are referring to in my Google News feed. Now, I’m not so sure it’s a joke…

Nick P August 30, 2014 12:20 AM

@ Adjuvant

Thanks for the update. I might try QubesOS if it’s stabilized. It would be a welcome improvement on browser VM schemes with the faster startup times & integration. Excited to see Genode make progress into GUI territory. I like that they’re going in a lot of new directions with a security focus, but leveraging proven isolation & resource schemes for their main security claim.

Benni August 30, 2014 3:36 AM

Regarding Ukraine, it gets more fun than ever.

This article here shows how in secure Ukraine’s nuclear power stations are. Nato is advising Ukraine in securing these, but I think that is not possible. A grenade in these containments below would get an interesting dust cloud:

And there is this: In ukraine, there are these funny companies that service russian nuclear weapons and contribute to parts of them:

Now they have apparently made some kind of funny ultimatum:

According to a german parlamentarian of the green party who speaks with ukrainian politicians:

the company says:

If Russia does not order its troops to leave Ukraine in 5 days, then Pivdenmasch will give all access codes and data from 85% of all Russian nuclear weapons to NATO and USA.

Russia did not react to this, but on wednesday, the woman who was given the task to privatize Pivdenmasch was found shot dead

Apparently, FSB was very careful, as they made the murder look like suicide…

It seems that western ideas of liberalizing the markets have finally arrived in Ukraine. Privatizing companies that manufacture nuclear weapons is really a funny idea.

hoodathunkit August 30, 2014 12:39 PM

David T wrote at 7:20 PM

Here’s an interesting ..scam? iStreet Research is posting mangled articles.For instance, here is their semi-coherent coverage of Boeing’s work on NASA’s Commercial Crew project. The language is weird, not event the kind of mistakes a non-native speaker would make. They seem to have transmorgrified this Reuters article.

It’s crypto; or the beginning tests of a crypto. Before satellite dominance, communication with US submarines was by very low (audio range) frequency radio. By conventional definition (Nyquist) ELF/VLF radio can’t carry much information; the solution was for them to broadcast a lot. Numbers stations are another example; loads of data can carry the same information as shorter messages on standard radio.

The original proposal (back when sci.crypt and sci.crypt.research were viable) was to alter a word processor’s thesaurus and assign meaning/weight to synonyms. One posible advantage is cultural; unlike conventional crypto which is machine based. It is unlikely a machine could have detected ‘mangling’ the way that you did.

The proposal was a radical shift from the direction crypto was on at the time, and roundly poo-poohed, and one of the talented Indian researchers got offended by Napier’s peccave example. With today’s volume of algorithmic publishing this direction is viable. Brian Krebs’ article Lorem Ipsum: Of Good & Evil, Google & China looks like experiments on improvement.

Nick P August 30, 2014 2:27 PM

MIPS brings Raspberry Pi competitor with great SOC

Note: The advantage of a hobbyist MIPS board is that a number of secure chip architectures use either MIPS or SPARC cores. They’re quite similar. So, building a bunch of MINIX3 or Genode-like systems on such boards might do more than give you good tech now: it might give a secure chip architecture a huge head start on deployment later on. I also encourage diversity rather than consolidation in chip industry. So, toss the ARM boards aside and do a major project on a MIPS board. Heck, there’s so many features on this SOC you could reuse it for many different projects.

Los Alamos’s Muon Tomography techniques to be used in Fukujima reactor

Note: It’s interesting that they’re using the technique for imaging. My immediate thought, though, was covert communication. I remember proposing a way to do low[er] cost neutrino detection and/or transmission as it passes through everything. The article says many many things can’t stop muons. I thought it might make for an interesting point to point communications method done similarly to FSO. I Googled to see if any artificial generators have been built and they have. So, generator + detector + line-of-sight = muon communications. Not practical at the moment, but something to remember as tech progresses.

Ronnie August 30, 2014 8:58 PM

From the schadenfreude file:

Hackers stole security check info on at least 25,000 DHS employees

On Aug. 2, Department of Homeland Security officials revealed that the agency’s contractor for conducting security clearance background checks had been hacked, and an unknown number of DHS employees’ personal data from those investigations had been stolen—potentially by a state-sponsored hacker. Now the DHS has a handle on how many records were stolen from contractor USIS: at least 25,000.

Thoth August 30, 2014 9:20 PM

Security only comes when efforts are made.

Important personnels handling nuclear materials like Pivdenmasch’s employees have lax security. Their traces and habits can be tracked by foreign intelligence and assassinated and Russia betting it’s nuclear mats un/safe in another country’s hands is rather un-ingenious.

I wonder when they will start to legally get everyone to wear tracers on themselves so as to be tracked.

Erwin August 31, 2014 8:09 AM

This experiment in quantum physics was reported in the news:
The yellow photons were sent through a cat stencil, and the image showed up in the entangled red photons.

This suggests that a message can be sent via pairs of quantum entangled particles. Such a message would be impossible to intercept because it never travels from point A to point B. Manipulating one set of particles (A) instantly affects the other set (B). No encryption needed. Spooky.

FiddleItOut August 31, 2014 8:09 AM

TAILS opens an official public mailing list with archives!

o Announcement:

o New mailing lists public, archived mailing-list[1] to talk about the non-technical decisions regarding the project.

In addition the page mentions two other new mailing lists, but they are not aimed directly at TAILS users, but for promotion and web/soft/UI.

Click on the “mailing list” [1] link to browse the TAILS USERS Mailing List archives!

Remember to subscribe!!!



o What is TAILS?

DB August 31, 2014 9:11 AM


I wonder when they will start to legally get everyone to wear tracers on themselves so as to be tracked.

They already have. Cell phones. Those who don’t wear them everywhere already kind of stick out, I wonder when that will become illegal.

Benni August 31, 2014 9:38 AM

New NSA article from DER SPIEGEL:

The new slides say that for NSA, terrorists are a lower priority than energy matters or spying on embassies….

Good that we now know that from NSA documents….

“The exchange of data went so far that the NSA even gave Turkey the location of the mobile phones of certain PKK leaders inside Turkey, providing updated information every six hours. During one military operation in Turkey in October 2005, the NSA delivered the location data every hour.

In January 2012, US officials proposed supporting Turkey in their fight against the PKK with diverse measures, including access to a state-of-the-art speech recognition system that enabled real-time analysis of intercepted conversations. The system can even search for keywords and identify the person speaking if a voice sample of that individual has been stored.

One NSA document describes the country bluntly as both a “partner and target.” The very politicians, military officials and intelligence agency officials with whom US officials work closely when conducting actions against the PKK are also considered legitimate spying targets by the NSA.

The degree to which the NSA surveils its partner is made clear in the National Intelligence Priorities Framework (NIPF), a document establishing US intelligence priorities. Updated and presented to the president every six months, the NIPF shows a country’s “standing” from the perspective of the US. In the April 2013 edition, Turkey is listed as one of the countries most frequently targeted by Washington for surveillance, with US intelligence services tasked with collecting data in 19 different areas of interest.

The document places Turkey at the level of Venezuela — and even ahead of Cuba — in terms of US interest in intelligence collection. Information about the “leadership intention” of the Turkish government is given the second-highest priority rating, and information about the military and its infrastructure, foreign policy goals, and energy security are given the third-highest priority rating. The same framework also lists the PKK as an intelligence target, but it is given a much lower priority ranking.”

SystemFailure August 31, 2014 12:04 PM

The Spanish media calling a spade a spade.

For those who can’t read Spanish, in a nutshell: mass surveillance is primarily about gathering financial intelligence. Most of the world is doing it. Spain needs to get up to speed with its European “allies” in this field if it doesn’t want to lose out.

I obviously disagree with the conclusions, but it’s refreshing to see a newspaper calling things by their name and not treating their readers as idiots.

Skeptical August 31, 2014 1:54 PM

@Benni: “The exchange of data went so far that the NSA even gave Turkey the location of the mobile phones of certain PKK leaders inside Turkey, providing updated information every six hours. During one military operation in Turkey in October 2005, the NSA delivered the location data every hour.

Der Spiegel chooses to publish this hot on the heels of news that the US is attempting to coordinate all Kurdish forces, including the PKK, to combat ISIS effectively. While US views on the PKK were well known, that Der Spiegel chooses this moment to unnecessarily publicize details about US-Turkish cooperation is telling.

Moreover it includes in its report fairly specific information about the timing and location of surveillance successes against Turkey, the consequences of which disclosure Der Spiegel cannot assess.

This is not responsible journalism, and it grows more likely that certain individuals have confused anti-Americanism (or perhaps some juvenile form of anarchism) with the humanistic values they believe that they serve.

Curious August 31, 2014 4:12 PM

Q: Does anyone know why I am having such a bad time with secure connections this evening?

Apparently one of my browsers simply accepted a certificate that is associated with secure connection to twitter, youtube, etc.

Looks like any https connection I set up depend on this really weird certificate named:

Only weird thing about that CA seem to be the issuer (Fiddler website) and some unknown thing for extentions: “unknown extension object ID”

Apparently there is a software called Fiddler 2, but afaik I have never had that on my computer.

IT's funny cuz it's true for a change August 31, 2014 5:16 PM

Benni, the reason why NSA spies on Turkey is that pro-american traitors Grossman at DoS and Feith at DoD sold the Turkish government enough nuke stuff to reverse global warming, and the Turks are selling it on to the whole Moslem world. It’s all coming out in gory detail as the NPT treaty parties prepare to meet next year to decide what to do about illegal US government proliferation. The whole world knows this except patriotic dimbulbs like skep. He thinks it was a secret, which makes his Mister Insider shtick extra hilarious.

Benni August 31, 2014 7:22 PM

“This is not responsible journalism, and it grows more likely that certain individuals have confused anti-Americanism (or perhaps some juvenile form of anarchism) with the humanistic values they believe that they serve.”

You should know DER SPIEGEL better. type in its searchmachine Schlapphut (the german word for spook), BND, NSA, GCHQ, Spion, Geheimdienst (the german word for secret service), and you will see, how, since the magazine is in existence, it reveals one secret BND operation per month….

Here, for example is a 15 articles long series with the entire history of BND until 1971 with dozens of secret BND operations revealed:

Some recent SPIEGEL relevations on BND affairs are here, and they are quite nasty (like supporting NAZI terrorists, smuggling Plutonium in a regular airliner, doing bombing attacks on civilian buildings, or placing child pornography on a banker’s computer to make him fired, or that BND agents regularly sell their surveillance data to companies in order to make money on their own, or that they break into houses of innocent germans, that BND agents formed armed terrorist groups in germany and so on..):

This is just a partial list of SPIEGEL BND articles linked on Wikipedia. The entire archive on BND and the domestic intelligence service alone is much longer

Once DER SPIEGEL touched NSA documents, it is clear that over time, most NSA operations will be published. When they are over, of course BND will also publish them. Like it does this with BND.

It has some reason why BND tried to infiltrate DER SPIEGEL with its own agents: which where, however, unable to get the magazine’s content only one day before publication.

When it operates in germany, Spiegel also publishes things from CIA and NSA. For example did you know that germany’s chancellor Brandt was a CIA informant in 1977: . The first photo of the GDR intelligence chief Markus Wolff was revealed in DER SPIEGEL and Spiegel also revealed in 1989 that NSA listened to 1/3 of all german phone calls at that time:

DB August 31, 2014 7:29 PM

@IT’s funny cuz it’s true for a change:

Being anti-democratic and anti-constitution should not constitute “patriotism” in this country…

Nick P August 31, 2014 8:42 PM

@ Nova

re Conspiracy

“What you do not have are: massive operations entirely off the books controlling global events utilizing large numbers of individuals operating in highly covert capacity.”

Off whose books? If it’s private, there are no books except what financial documents regulators can get out of them. If the regulators are paid off, then all their schemes will go unpunished. If it’s government, USAP’s only have 3 people in Congress cleared to know what they’re for (and they take it on faith). Those represent billions a year in activity, which we know because at least the total dollars are recorded.

Two good examples come to mind in government: MKULTRA (previously discussed) and Manhattan Project. Manhattan had almost 130,000 people at its peak doing billions of dollars of work for at least six years. Despite entire towns being built for the program, its details and cover stories stayed secret until their product detonated. The MKULTRA program was hidden from Congress mostly, with only 2 people really knowing what was going on. The rest only knew about their own secret sub-projects. Those involved [per documents] included intelligence personnel, military, prestigious hospitals (incl children’s and veterans’), top-ranking psychiatrists, etc. Yet, it was revealed after the combination of a general Congress shakedown on I.C. and a trusted insider’s supposed suicide on LSD. Had Congress been apathetic like today & there been no insider, the program would’ve gone on. Most insider accounts say it did go on under different names, with even some old names still inaccessible to FOIA requests. And no prison sentences. 🙂

Note: Let’s not forget the whole NSA scandal Snowden leaked. The official version was that they were an organization that was elite at protecting secrets, gathered foreign SIGINT expertly, focused on metadata domestically, are focued on terrorists, have controls to prevent/detect abuses, and helped commercial + government organizations ensure total security of their systems. (Snowden leaks) We find out they’re horrible at protecting secrets, do foreign SIGINT extremely well, gather every kind of data they can domestically, target many different groups (rarely terrorists) with plenty international sharing, have hardly any internal controls, and worked with dozens of companies in secret to weaken all kinds of systems that both parties tell the public are secure. A massive conspiracy of subversion and information gathering that combined private sector and government agencies, with us only knowing because of a few insiders acting on conscience.

For private, I’d look into Big Pharma and Goldman Sachs. Big Pharma is the closest thing to a concept of vertical integration for corruption. They’ve been caught forging studies, paying off researchers, paying for questionable information in textbooks, lying on TV, buying regulators, buying Congresspeople, and using their good lawyers to reduce risk on the rest. There’s so many payoffs that, at one point, the New England Journal of Medicine couldn’t find any “independent” reviewers not being paid off by who they’re reviewing and changed their policy to allow “conflicts of interest” (bribes?) for “independents” limited at $10,000 per company. The sheer number of people involved in this scheme, from companies to educators to doctors, tells us quite a bit about the subject.

Goldman Sachs is special. There’s a nice article on some of their most profitable schemes. They’ve been involved in market rigging, planting their people in regulator positions (Treasury head was their CEO lol), exotic forms of insider trading in high frequency trading, participation in events leading to 2008 crisis, and more. The list goes on for decades with private, local govt, and national govt involvement with plenty of money changing hands. And quite a high cost to the public, higher than anything else that’s ever cost us.

I haven’t even brought up the Bilderberg group which is most likely possibility of what you mention. A secretive meeting of elite business leaders, government leaders, regulators, and reporters from top media outlets that don’t report on anything. (Then why are they there…?) Many of them are also affiliated with groups publicly promote anti-American aims or were involved in major acts of corruption. Let’s got get paranoid, though: probably just a lot of causual conversation and tea drinking going on in there. Probably.


I’ve pulled just a few examples out of thousands that show conspiracy and corruption are quite pervasive. They seem to appear anytime there’s money, power, and potential for secrecy (or no accountability) involved. The U.S. DOD and multinationals rate highest risk in these criteria, with it playing out in practice for decades in scandal after scandal. Such a history means one should always distrust by default their proposals that involve war, plenty profit, or reduction of civil liberties. That their members like Wolfowitz have been video’d bringing classified folders to meetings like Bilderberg with the kind of people there is just… more disconcerting.

So, I personally can’t criticize people who get paranoid about military-intelligence activities or speculate the existence of secret groups with incredible influence on government. (I just named one.) The odds say such groups exist if there’s power, wealthy, secrecy, and continual concentration of all of it into fewer hands. Yet, I pulled this out of the ISIS thread because I have nothing to say about that situation along these lines. I always tell people looking into potential wrongdoing to build on identifiable facts from decent sources, avoiding speculation where possible. This post is about the provable existence of vast govt, private, and hybrid conspiracies. Most tying ISIS to false flag operation sound speculative rather than ground in evidence so far.

Clive Robinson August 31, 2014 8:51 PM

OFF Topic :

You don’t have to be the NSA when entropy is either small or not at all…

Back in the last century, I was explaining the problems with the lack of entropy in the credentials for embeded products to FMCE manufacturers and other “industry” persons.

I’ve also explained it here on a number of occasions, as well as other places…

And it appears the message is still not getting through,

You can be absolutly 100% sure that the likes of the NSA, GCHQ, et al know about these sorts of problems because I know GCHQ technical staff have heard me say them on more than one occasion. Thus I would also further assume that they have and still do check all new embeded products for these issues and thus make them available as exploits within the 5Eyes community within days of a new product being tested…

Nick P August 31, 2014 9:05 PM

@ Clive Robinson

The Chinese try to stealthily backdoor things to steal information. The phones in the US are both backdoored and weakened across the board by NSA. The hardened version of the Chinese phone might be safer than a hardened version of a phone in Five Eye’s territory (physical or area of influence). Oh life’s ironies.

Benni August 31, 2014 10:13 PM

“Russia betting it’s nuclear mats un/safe in another country’s hands is rather un-ingenious.”

1) although 20% of the fuel of russian nuclear reactors comes from Ukraine, its mostly the missiles that this fuss is about. Washington post says that Ukraine delivers the guiding systems of the SS-25 and SS-19 rockets (and that i what decides where the warheads land which is of NATO interest)
And Spiegel says 2/3 of the intercontinental rocket SS-18 are made in Ukraine:

But one should not look down on the Russians poor security of their nuclear missiles.

For twenty years, the developed country america had the following password that had to be typed for launching the minuteman intercontinental missiles: “00000000”

The password was also written on Starting checklists, and low ranking personnel, including civilian workers with no clearance had access to the rockets as well as to the passwords…

Benni August 31, 2014 11:11 PM

One question:
Skeptical wrote:
“Der Spiegel chooses to publish this hot on the heels of news that the US is attempting to coordinate all Kurdish forces, including the PKK, to combat ISIS effectively. ”

Where does the US government officially say that NSA “tries to coordinate PKK” against IS positions?

I think to which groups NSA gives which data is classified.

Perhaps skeptical should admit by now at which NSA division he is/was employed.

Figureitout September 1, 2014 1:05 AM

Bugs in Google Translate Algorithms or Secret Codes..?

Krebs and others have reported on something weird happening in google translate, it’s so weird lol! But it opens up a possible covert comms channel, which can be further strengthened w/ a simple OTP.

It also happened to be part of the badge puzzle at Defcon, in which this team did some amazing puzzle solving.

Hate when these silly things catch my eye lol, but I messed around w/ it some and here’s some funny things I came up w/ that leave me simply saying WTF?! :

lorem ipsum ipsum ipsum Lorem ipsum lorem lorip Lore

lorem ipsum ipsum ipsum Lorem ipsum lorem lorip Lorem iPsum LOrEM ipSUm ipsum ipsum lOrum ipsum ispum lorum lo

Ipsum Ipsum Lore
orem ips
iPsUm lore
ipsu lor ip
lor ipsum lo i
ipSum lor…
lORE ipsum
Lo ipsum i lo ips
lo lor lo is
IPsum lORm ips
mer si lor LOre
ipSuM LoRe lor esum

Software Defined Radio News

Couple things, Michael Ossman, designer of HackRF decided to give out FREE online lessons for using HackRF. I highly recommend them if you’re interested (had some issues w/ the video though freezing), the first one being very handy as you can build your own tunable FM radio station w/ GNU Radio Companion!

Hackaday linked to list compiling lots of SDR’s, very handy if doing a little shopping (I still need to save up some money :p ). Getting the superior performance and reliability means paying for proprietary engineered solutions and manufacturing techniques that cannot be homebrewed unfortunately. I liked the PCI-slot one and also my big feature I’m looking for is frequency range, lots of different ranges, but combining just 2 and you got 0 – 6GHz covered…so sweet. But in terms of a defensive device, getting a Rx-only device like an ethernet-tap would be a handy thing to have, when you need to be sure nothing tampers w/ some important computing.

Nova September 1, 2014 1:26 AM


Thank you, more good examples. But, not really what I was getting at.

Manhattan Project — did have multiple leaks. It was, however, a pinnacle of human achievement. Including human capacity for conspiracy. It was operating in bubble environments, not directly interacting in the wild, continuously. It did effect ‘global events’, but only afterwards when the cat was let out of the bag.

Some of these other examples are well exposed. They may be ongoing, but they are not secrets.

Snowden NSA leaks, I hate to say, were not much of a surprise to me due to previous leaks which already showed me what the NSA was capable of and what sort of ambitions they had. Likewise, for other NSA observers.

I am also not surprised there were leaks. What they were do was morally challenging and told to many people.

(Likewise, the Manhattan Project was morally challenging, and some therefore saw it as an imperative to ensure the Soviet Union also had this technology.)

The problem is akin to the problem of logistics in war: that is, how do you supply large divisions of soldiers in foreign lands? Laypeople often forget about such things. You have to feed them and provide them water. They need munitions. They need medical care. And so on.

You have a conspiracy of five people, no big deal. Ten… twenty… but keep growing that number and it gets increasingly improbable no leaks will occur.

Ahove, on this very thread, I point out ways some cover companies can operate. It is plausible to any reader. Start a new company, and either have shadow funders who have some level of control of the company… or a few full time operatives with false backgrounds in firm leadership positions. Going further and painting such cover companies as being full of people with false backgrounds is something else entirely.

Conversely, it is routine for intelligence agencies to work with companies at high levels and get their operatives secretly put in place. There might even be the creation of legend divisions.

A long term undercover role overseas is something else, though. For one individual, much less a massive army of them. Further supplying them all with false backgrounds … and even worse, with the capacity to blend in and have those backgrounds be verifiable… is nightmarishly unreal.

You would also have a whole heck of a lot of missing people.

You know the line, ‘it is hard to find good people’? 🙂 What about the line, it is hard to find good people willing to effectively die to their old self and live the rest of their life as a ghost overseas? People capable of learning new languages, scary method acting, keeping stories straight… on and on and on.

You have fillings in your teeth? Rich American.

Hard enough for cops to do undercover where they are capable of going home for a weekend every few weeks, and where the criminals come from similar backgrounds as they come from.

Of course, there are people who have faked their own deaths and do exactly these things in wealthy, first world countries. But, far and wide, these agencies rely on far softer cover for foreign workers, and networks of informants (agents/assets).

But, these things do not stop people’s speculation, because when you speculate, you do not have to consider the logistics. The logistics do not exist. Poof. Easy thing to do. Though, I could add even in fiction you do not see these things, including the intentionally absurd examples I gave. Enemy of the State — Small group of rogue NSA agents. Bourne series — same thing. Salt — ditto.

I do believe there very well may be out there full fledged conspiracies of networks of deep cover agents, however. But, evidence of this, or even explanation of logistics is yet to be found. Considerations have to include such things as: how do you get good people who can do all of the above (and will), and are willing to spend half their life at a mundane cover job, while working the other forty hours a week in covert capacity?

Creating pocket lint for individuals may be easy enough, but how do you create that for companies? And how do you supply all the necessary details of strong legends for entire companies?

Going into the desert region gets much further into the absurd. It also assumes you actually have to create enemies. Which you do not have to do. Why risk everything to pose as an enemy when you could simply fund an enemy?

(I doubt the US is doing this with ISIS, though I would be willing to argue that ISIS is a pawn of a much larger game by forces they can not see.)

65535 September 1, 2014 7:09 AM

@ Benni

Good link on the NSA’s spying on Turkey. I wonder how deep that spying goes in other NATO countries.

@ Nick P

“I’d look into Big Pharma and Goldman Sachs. Big Pharma is the closest thing to a concept of vertical integration for corruption.” –Nick P

Well said.

Benni September 1, 2014 7:58 AM

“I wonder how deep that spying goes in other NATO countries.”

Here are SPIEGEL article on that:

In the April 2013 summary, the NSA defines its “intelligence priorities” on a scale ranging from “1” (highest interest) to “5” (lowest interest). Not surprisingly, the top targets include China, Russia, Iran, Pakistan and Afghanistan.

Germany ranks somewhere in the middle on this priority list, together with France and Japan, but above Italy and Spain. Among the issues listed as being of interest are German foreign policy and questions of economic stability as well as threats to the financial system, both given a priority rating of “3.” Other surveillance assignments include subjects like arms exports, new technologies, advanced conventional weapons and international trade, all with a priority of “4.” The US spies apparently feel that counter-espionage and the risk of cyber attacks on US infrastructure coming from Germany are not particularly threatening (priority level “5”). The document lists a total of nine areas to be covered by surveillance in Germany.

According to the list of spying priorities, the European Union is also one of the targets of American surveillance, specifically in six individual areas. The areas assigned a priority level of “3” are EU foreign policy goals, “international trade” and “economic stability.” Lower-priority areas are new technologies, energy security and food security issues.

Countries like Cambodia, Laos and Nepal are apparently more or less irrelevant from a US intelligence perspective, as are most European countries, like Finland, Denmark, Croatia and the Czech Republic.

The report reflects the ambivalent relationship the United States has with many countries. On the one hand, intelligence agencies cooperate with one another and exchange information. On the other hand, Washington spies on many countries, at least to some extent. Only the United Kingdom, Australia, Canada and New Zealand — referred to as the “five eyes,” together with the United States — are seen as true friends, largely off-limits in terms of espionage, and with which there is an open exchange of information.

The NSA classifies about 30 other countries as “3rd parties,” with whom it cooperates, though with reservations. Germany is one of them. “We can, and often do, target the signals of most 3rd party foreign partners,” the secret NSA document reads.

Benni September 1, 2014 8:06 AM

Seems that thanks to DER SPIEGEL, NSA gets some beating again:

Turkey called the US ambassador….

Like with the revelation on Huawei, DER SPIEGEL knows when the right time has come for publishing. I wonder what the PKK fighters will have to say to their NSA spooks who give them the datafeed….

As sceptical noted “Der Spiegel chooses to publish this hot on the heels of news that the US is attempting to coordinate all Kurdish forces, including the PKK, to combat ISIS effectively. “

Skeptical September 1, 2014 9:11 AM

@Benni: 🙂 I’m not associated with the NSA, and the facts I mentioned about US efforts in conjunction with PKK and KRG forces have been widely reported for weeks now. One small correction to what you wrote: you claimed I had said that the US has been providing the PKK with signals intelligence collected by the NSA. I did not say that, and I have not seen any reporting on the nature of what, if any, intelligence that the US is providing.

As an example, I’m going to paste a few quotes from this Washington Post article from a few weeks ago. In the linked article, there are numerous links to other reports; those links are omitted in the portions quoted below.

Tens of thousands of Yazidis, the largely Iraqi ethno-religious minority fleeing the forces of the Islamic State, are slowly reaching safe havens after a week-long crisis that prompted U.S. military airstrikes on positions held by the Islamic State’s emboldened fighters.

They have endured horrors. Dozens of children died of thirst and hunger on the arid peaks of Mount Sinjar, where many Yazidis had run a week ago after the jihadists overran nearby Yazidi towns, executing men and enslaving women as concubines, according to some reports. The journey off the mountain has been arduous and deadly. The Associated Press reports some exhausted mothers “abandoned living babies.”

As explained here, the Sunni extremists consider the Yazidis apostates and therefore deserving of such brutality.

It’s unclear to what extent U.S. airstrikes, combined with humanitarian drops of food and water supplies, directly aided the Yazidis who survived their difficult march toward safety. What has proven more essential has been the role of Kurdish militias on the ground who have helped secure corridors of escape at least for some Yazidis. (The Yazidis are largely Kurdish speaking.)

This initiative doesn’t just involve the pesh merga affiliated with the government of Iraqi Kurdistan, but a whole constellation of Kurdish units drawn from Turkey, Syria, Iraq and Iran. One of the main organizations in the counteroffensive against the Islamic State is the Turkish-based Kurdistan Workers’ Party, known by its acronym, PKK. Because of its history of militancy and violence in Turkey, it is still recognized by the U.S. State Department as a terrorist organization.

The article goes on to describe the PKK and certain related groups in Syria, its origins, “recent fascination” with the number of female fighters in its ranks, etc.

This is but one example. There were numerous firsthand reports of the PKK’s help in guiding the Yazidis through a secured corridor off Mt. Sinjar into Syria, providing aid there, and then guiding them back north to re-enter Kurdish controlled areas of Iraq.

All of this occurred as US special operations and other personnel were on the ground on Mount Sinjar, and elsewhere, obviously.

Indeed, there is even some talk of removing the PKK from the State Department’s list of designated terrorist organizations, though that would depend on other conditions the probability of which occurring I do not know.

In this context, it is very difficult not to see Der Spiegel’s decision, following all of the above reporting in various outlets, to publish a story focusing on details of previous US-Turkish cooperation on the PKK as related to recent events in Kurdistan.

Clive Robinson September 1, 2014 9:16 AM

OFF Topic :

This IS about security but due to nature not man (except for failing to take due precautions).

As some of you might know I have specific interest in HF and satellite communications from interesting parts of the world.

Well NASA’s Solar observatory is raising red flags about solar activity over this past week.

Although of primary concern to infrastructure organisations (comms and power). It should also be of secondary concern to those primarily dependent on those infrastructure services. This includes the other infrastructure suppliers and ICT practitioners.

Put simply, the sun is having a hissy fit at the moment and this is causing corona ejections of very high energy particles. Whilst they have not yet been directly at the earth, the solar wind effects will be seen over the near future. Whilst this may well produce Aurora visable below fifty degrees it will also hit satellites and overhead cables for power and comms. The energies involved have in the past easily exceeded that of the US power grid which has caused brown outs, blackouts and physical infrastructure damage. And that was back in the times when the infrastructure organisations had something aproaching a sensible maintenance regime, as those in the industries know those days are long long past, and maintenance spending has nose dived due to wallnut corridor short term profit optimization more akin to what the rest of us would consider fire sales…

Whilst a direct hit would be of civilization stoping magnitude, that is of quite low probability. What is of much higher probability is a near miss to earths orbit, if we experience one of these you are definatly looking at outages on infrastructure some of which could be the equivalent of multiple lightning strikes near simultaneously which will travel down overhead cables to earth, but will also couple into other infrestructure cables which means you lightning arrester and over voltage for both direct and phantom overloads needs to be upto scratch or you may well get equipment outage if not damage upto irrepairable or fire hazzard…

Thus it might be worth getting out your proceadures and policies for organisational effecting risk (you have got one haven’t you?) And dusting them off and having at the very least a re-read.

For those of a much more cautious nature, who realise that all of western world civilisation is dependent on power and comms. You might want to check the state of the pantry for calorificaly rich tinned, bottled and some dry goods that can be eaten without cooking, as well as having a supply of bottled water (about two gallons of water per person per day is considerd adiquate for drinking, cooking and basic washing). Then there are batteries candles matches and fire extinguishers to consider, along with clean warm clothing and blankets. All of which, those living back in the 1970s power strikes etc should remember, and the more intrepid “Glampers” of today do for enjoyment 😉

Benni September 1, 2014 10:46 AM

New word from Putin:

Putin said to EU commission president Barroso: “If I want, I can take Kiew in two weeks”..

According to Spiegel, Putin wanted to say with this messange to the EU that one should not provoke him with further sanctions…

Taking Kiew in 2 weeks will probably only be possible by the help of nuclear weapons. This goes in line with further provocations where he says he will strengthen its nuclear arsenal and so on which you can find these days on cnn.

At least Putin seems to have invested into something with the gas and oil money from Europe. Unfortunately, it appears to be mostly arms and military that he has upgraded. And he has bought masses of gold, in order to be independent in a crisis, which suggests some long term plan for war-making.

Just what do we do now with this Hitler like person with atomic weapons?
At GDR, there was at least this nice wall where the crazy people were somehow “contained”. I am no expert in History, but I thought Soviet Union did not want to expand that agressively. They had their large warshaw pact. And these troopsy did some adventures in vietnam or afghanistan. But apart from that they did somehow not choose to advance further….

Czerno September 2, 2014 12:35 PM

@Benni, re: Putin on the civil war in Ukrain.

His words have been misreported/mistranslated
by Spiegel and other western press (propaganda!)

What he said : “Had I wanted to overtake Ukrain, I’d be in Kiev within two weeks’ time.”
But of course, he has stressed consistently that Russia has no territorial claims over the Ukrain. OTOH Russia has a natural interest in the protection of the hundreds of thousands or millions of civilians assaulted in most horrific manner, and is asking for a cease-fire and negociations between west and eastern ukrainian parties.

And please, stop throwing references to your late compatriot, Herr Hitler, I don’t even want to start arguing WHO is acting the new Hitler in the dirty war in the Donbass.

Czerno September 2, 2014 12:49 PM

@Bruce :The blog was down during 24+ hours.
The main URL was serving a blank page.
I even feared you’d been removed to Guantanamo bay ;=)

Care to comment on what the problem was,
inasfar as it touches security ?

Curious September 2, 2014 3:01 PM

@ FromFrance
The main website was blank for me earlier today, but now later in the day, it seems to load as expected.

Btw, I think I fixed my weird certificate issue, which I had mentioned previously. I suspect that some stuff that was installed, happened when I ok’ed an update for my bittorrent client or something. I initially removed the certificate from the browser, but later found out I also had to remove it from Windows as well. Don’t know what it was but i’ll give my computer a good wipe soon. Have been planning on doing that for some time anyway, if only to start fresh with a new windows installation. I am no expert on SSL, so I hope nobody is terribly offended by my lack of finess here. 😛

Benni September 2, 2014 3:03 PM

Well, 1) this gets off topic and 2) in case you are some payed troll on putin’s payrol, discussion would be useless anyway, so I will only give one answer:

Putin said

“The problem is not this, but that if I want I’ll take Kiev in two weeks”

That is the quote, and Barroso understood this as a clear threat, with Merkel being cited saying that Putin is “irrational” and “unpredictable” and apparently “aims for an armed confrontation”

And Kazakhstan is apparently also on Putin’s list to get annexed.

You say:
“But of course, he has stressed consistently that Russia has no territorial claims over the Ukrain. ”

Of course not. He just wants this gas fields that would enable Ukraine producing all its gas on its own, and even turn Ukraine into a major gas exporter.

The gas field is exactly at the rebel’s former location in slawjansk, here is the map:

After Ukraine’s first campaign, the gas field that was given to shell mysteriously was freed (perhaps these blackwater mercs who where reported to be seen in Ukraine came from shell, which usually protects itself against angry natives who often complain about the oil on their agricultural fields) and now shell continues operation:

Currently, the rebels sit exactly on the coal bed methane gas field. Like someone told them to just settle over gas fields. But the coal bed methane gas was not given to some company yet, so this is apparently not important enough to put up a real fight:

Note that this gas field lies very deep and only western companies have the abilities to drill to that. So what Russia wants is not to get the gas for its own but that Ukraine will still be paying in future for russian gas. Europeans usually are very skeptical of fracking of shale gas, since they fear that their ground water could be poisoned. In Ukraine, there are, unlike in other european countries not regulations that forbid fracking.

So these Ukrainian shale gas fields represent some kind of “test-bed”. If it turns out that Ukraine’s ground water does not get poisoned, other countries in Europe could start to explore their shale gas fields. And that is what Putin wants to prevent by military means. What he does here is the most stupid behavior that a government can have when it is confronted with a changing environment. The reason for that is simple. If he looses europe as gas customer, he would need the help of the european union, to develop russia. But the EU has made it clear that it wants russia to implement things like the rule of law and freedom of expression and so on. Putin came into government by forged elections. The proposals of EU must seem to him like a threat for his power. Similar it is with NATO. Serbia had a fascist government, that tried to widen its country, with human rights violations. This was not compatible with NATO ideals and NATO even broke the international law to bomb serbia away. Russia is behaving similar like serbia, and that is why Putin views NATO as a threat. And this is true.
If Ukraine becomes EU member and develops well, it is just a matter of time when Russians will stage a Maidan protest, violently removing Putin, demanding EU integration.

Also, Putin wants his hands on these funny ukrainian factories that create the guiding systems for Russia’s intercontinental missiles.

The Ultimatum from Piwdenmash to give all its data to NATO ends tomorrow, on Wednesday, and on Thursday, Ukraine will become an official NATO partner. Nato allies have to share their military information.

In fact it is this NATO law under which the sharing of secret information from BND to GCHQ to NSA usually works.

So this is not a real ultimatum from Piwdenmash. They are compelled to share their data on the guiding system from russian intercontinental missiles by law.

If Nato gets the guiding system of Russia’s missiles, Russia’s nuclear deterrence is basically gone.

On Thursday, NSA can, for a change, begin with something really useful: Hacking into Russian intercontinental missiles.

FromFrance September 2, 2014 3:12 PM

“The blog was down during 24+ hours.” Yeah, 24 hours just after Benni’s post about Putin.

Czerno: the “civilian” started to die in the East of Ukrain after the “Russian servicemen” entered Crimea (read

(and Bruce might wipe the whole discussion).

Skeptical September 2, 2014 3:51 PM

It is dangerous for anyone to misquote or exaggerate the statements of either side at this point. I hope that President Putin was misunderstood or misquoted.

But to the extent President Putin is not understood by the West, and to the extent everyone now wonders as to his actual intentions, he has only himself and Russian propaganda arms to blame.

The statements issued by Russian officials, including President Putin, concerning the presence of Russian forces in Ukraine are frankly incredible. They remind me of the Iraqi Information Minister denying the presence of US tanks in Baghdad even as they rumbled along a few hundred meters from his press conference.

I wonder, truly, whether the Russian Government is aware of the loss of traction of their propaganda, and the disbelief that their continued claims are now provoking in Western minds. The statements have acquired an air of un-reality, as though one were listening to a crazy person.

I wonder whether they realize how much more difficult the Russian Government’s lack of honesty makes it for outside observers to understand Russia’s ultimate intentions.

I wonder whether they realize that if they continue to make claims so clearly false, then Western populations will increasingly wonder just how irrationally Russia might act in the future.

This will have deeply negative consequences for Russia. At a time when bonds and trade should be growing between Russia, and the West, they are instead deteriorating.

A face-saving deal for President Putin would likely involve the presence of UN observers in eastern Ukraine – to guard against the possible abuses of the Russian speaking population which have supposedly required Russian involvement – and some commitment from the Ukrainian Government, and others, concerning the matter.

In turn, the Russian Government would – actually, and not just in word – withdraw from the Ukraine, and cease “special efforts” at subversion and organization.

A responsible leader must ultimately be pragmatic in his goals. Whether President Putin shows himself to be a prudent caretaker of Russia and Russian future, or not, is the choice he now confronts. Sometimes it is the better part of valor to make peace, and rebuild bridges.

Czerno September 2, 2014 4:04 PM

@Benni: let’s agree to disagree. Your insinuation that I’m a sort of Russian agent is simply stupid. Like the rest of your long and somewhat boring manifest. ‘Nough said.

@FromFrance : of course Bruce (or a moderator) might as well wipe all this thread, starting from “Herr” Benni’s inappropriate and even odious comparison of Putine to Hitler, while Putin appears to be the one person trying to help and attempt to stop a criminal civil war from extending and making so many innocent victims, and bring rival Ukrainians fractions to talk to each other without interference from other “interested” (not) parties. My own previous contribution, if I may call it thus, has been to politely ask Herr Beni stop making dubious political statements, which he apparently hasn’t understood are not appropriate for this blog, even on “squid” day, as I understand it.

Czerno September 2, 2014 4:26 PM

@Skeptical : as far as we know, there is no significant presence of armed forces of the Federation of Russia in Ukraine (leaving aside the question of the autonomous region of Crimea)

There are certainly voluntary Russian combattants helping the autonomists, possibly unofficial “advisors” – but then there are many more mercenaries, “advisors” from NATO countries helping the Kiev, quote,”government”, quote. Quotes because the legitimacy of Poroshenko’s government is (to many observers) dubious – note that Putin very wisely does not contest him and even has tried repatedly to talk Poroshenko to reason – which seems an impossible task, I guess it’s because the “West” as you say – the US, especially Joe Biden, in fact – have a vested interest in NOT apeasing the conflict. They want to get the mining resources in the Donbass for themselves. They could care less for the good of the Ukrainians, and Waltzmann aka Poroshenko neither, in my humble uninformed opinion.
We are seeing once again the same game played by the super-rich American who wants to dominate the whole Planet. East Ukrain being their newest playground…

Benni September 2, 2014 5:16 PM

Oh no, Czerno is the typical russian government sockpuppet. When he writes:

“@Skeptical : as far as we know, there is no significant presence of armed forces of the Federation of Russia in Ukraine (leaving aside the question of the autonomous region of Crimea)”

Perhaps you also think that the sattelite images from russian forces in ukraine that NATO released are “from computergames” like lavrov said? This is ridiculous. These are typical images from Digital Globe. Nato can not publish their own images, since then, the enemy would learn that NATO can identify faces, read car number plates, and is able to see the insignias of the soldiers. Hiding below threes or under a clouded sky also does not work with NATO satellites, since they will switch to radar then, looking below the clouds and leafs. And they generate a video stream showing people’s movements. That is not something you want to show to the enemy in a war, but germany has spy satellites with these capabilities that are also used openly for research. That is why I know what they can see with these….

“Benni’s inappropriate and even odious comparison of Putine to Hitler”

Although this is a computer security blog, I think what the Russians are now doing is on topic for several reasons

a) The fact that Nato soon may get data on Russian intercontinental missile systems, which NSA can then try to hack has something to do with computer security.

b) A nuclear power annexing countries is a security thread, and this blog is about security

c) currently, a major cyberwar attempt comes from Russia, where literally thousands of trolls payed by the Russian government appear on every internet forum and comment section, where they place obnoxious stupid propaganda. Since one can observe this on almost any European internet forum and comment section of news magazines, an internet user can simply not escape this massive propaganda effort.

For that reason, setting the record straight, with this combined gas and rebel maps may be of interest for the average internet user that is bombarded with propaganda these days.

regarding my comparison with Putin and Hitler:

Well, Czerno you apparently do not know much about german history. After making the parliament to elect him, Hitler began by strengthening the german economy. Of course this would lead into a war economy. The highways that Hitler build were for fast movement of tanks and so on… Similarly, the economic rise or russia began with Jeltzin. Putin looked which companies made profit and made them state owned. With that, Putin massively upgraded his military, walked out of the conventional arms treaty, developed more modern nukes and so on. He created a propaganda machine, with a personality cult, holds extremely conserative views, and he tried to enlarge russian territory, especially if there is a large oilfield close to russian borders.

Hitler created concentration camps, and he destroyed large parts of the population in eastern europe. But winning an election by forging it and selecting the rivals appropriately, the personality cult, the propaganda system, the creation of a war industry, the spreading of esoteric and conspiracy theories, human rights violations, the enlargement of territory in order to get some kind of “profit”… all that was part of Hitlers system and can now be found in Putin’s russia. Putin has said himself that he thinks him to be on the far right. Putin gave the French fascist politician Marie Le Pen as an example of a politician who “shares his values”. These far right politicians also get interviewed often by Russia today:

“Enemies of freedom on the far right in Europe sensed the changing political climate early on. They immediately understood that, in Putin, someone is speaking who shares their obsessions and aversions. Putin reciprocates by acknowledging these like-minded individuals. “As for the rethinking of values in European countries, yes, I agree that we are witnessing this process,” he told his television interviewer last Thursday, pointing to Victor Orban’s victory in Hungary and the success of Marine Le Pen in France. It was the only positive thing he had to say in the entirety of a four-hour interview.”

Czerno September 2, 2014 6:19 PM

@Herr Beni: obviously you are letting your nerves take over your reason, Sir. Or maybe you really believe in Poroshenko’s lies ?- the rascal lies all the time.

I would hope someone who reads and participates in Bruce Schneier’s blog for quite some time would be more prudent, measured and ..skeptical wrt propaganda, whichever side it comes from.

Buck September 2, 2014 6:20 PM

Oh, get real!
Putin and his KGB cronies have just as much to gain from escalating tensions as NATO and friends do… Now, from the other side, there’s this:

NATO Set to Ratify Pledge on Joint Defense in Case of Major Cyberattack

The change in NATO’s definition of an “armed attack” will leave deliberately unclear what would constitute a cyberattack so large that the alliance might declare that the action against one of its members could lead to response by the entire alliance under Article V of its charter.


blockquote thing attribution is down to a science, and it’s not just a series of PR pieces about ‘China’ or ‘Russia’ diditz…
There is no ‘justice league’ without an ‘evil supervillan’ to further justify & support the cause… It’s quite similar to the two-party political systems that differentiate themselves on superficial issues, all the while both remain fully in support of the the same money makers.

Chris Abbott September 2, 2014 7:31 PM


I’m sure Bruce will cover this. Guys like us can be all like “Duh, don’t put unencrypted selfies on iCloud” but this should be a wake-up moment for the general public. People really do need to be more educated about security. This is also why I’m not a big fan of cloud storage…

Figureitout September 2, 2014 10:28 PM

A Backup Plan in the Event of Schneier Blog Being Shutdown

As “the usuals” are aware, Schneier’s blog went down and despite still being reachable via google, going to the home page returned a blank screen. Now, one thing that isn’t pleasant to talk about, is the possibility of Bruce’s death (I jokingly think, only in the thought not the actual event, what if he died from a ceiling collapsing, as that was a big talking point for the longest time that he trusts building codes and cough vigilant cough checking of them…). Another thing that crosses my mind is how long will Bruce blog for, what if he just decides to shutdown tomorrow..?

I guess this is a good time for me to say, as I’ve been thinking about it for awhile, what kind of backup plans are there in place in the event Schneier’s blog goes down for good? I won’t name all the others, but me in particular, I want and will share my EMSEC-computer design and of course be willing to take a pounding when an enevitable flaw is found. That’s ok for me, how long have other PC-designers been at it, and how many flaws still exist and continue to be found..?

My point is the venue for sharing secure PC design (there will be crypto applications of course) will go down and my blog doesn’t even show up on google even when I search my titles. I keep a low profile otherwise, purposely. In turn, the archives could go down (still archived somewhere), and everyone will lose contact and I don’t know of a comparable site to this blog to share security ideas and fully-engineered products. In other words, the community will fall apart.

So, my first idea is to go towards someone like Mike the goat’s blog []; he still doesn’t have my full trust as he wasn’t willing to physically verify for some reason but I believe (don’t do anything w/o his OK) he would be fine hosting a backup place in case of another temporary or permanent outage. Reason being, he’s confident enough to trust posting his blog on Schneier’s site (hope he’s aware of what I’ve seen and still continue to get attacked by…) and he’s made it pretty clear he wants to be involved in some potential solutions to the security sh*tshow we all have to live thru everyday.

Second idea, is go to []. I won’t be as active (actually won’t be anyway as I just can’t), but it’s a decent alternative. There isn’t as much freedom though.

Third idea, is someone taking the risk (I really don’t give a * but all my connections can’t be trusted as I’m stuck down now. I need to get cash and get mobile again, at least way more than now.) and hosting a site somewhere. Can just start off w/ just simple-text, pure HTML, no exchanging of files, no linking, just time stamping. Exchanging of files can take place elsewhere.

That’s just 3 backups. I of course always enjoy backing up the backups and making total shutdown basically impossible. This is a calling out to the network engineers at the big ISP’s.

Does anyone feel the same way? What would you think/do?

Figureitout September 2, 2014 11:17 PM

/* Additional Edit to Backup Plan */

No, that’s not good enough at all. I can’t afford the time to formulate a better backup plan, I just tried w/in an hour or so, but I know that’s not good enough at all. My backup plan is incredibly weak as it’s reliant on the internet; as in spurting out and leaking everywhere, but not preventing massive falsehoods. Needs some radio which you can blurt out way more freely than internet but still susceptible to falsehoods. Pre-encrypted SMS messages can be added. Still suck and vulnerable to MITM/DoS or worse.

I’m at a loss again. At least I’m willing to admit the weaknesses, they’re just too big these days. One of these days, the blog will go down and disappear for good; that’s all.

Buck September 2, 2014 11:56 PM


It’s really not that big of a deal in the larger scheme of things… Communities will come and go, especially in the digital world; do you remember AIM, MSN, and/or MySpace..?
The minds have gathered here because it’s been quite coherent & conductive for intelligible thought without the usual clouding of partisan politics. When it’s gone, we won’t be lost, we’ll just have to move on to other greener pastures! 😉
Thank you for your space, Bruce – Live long and prosper! ^_^

Backup September 3, 2014 2:11 AM

@Figureitout: It is not legal to have a backup web server showing everyone’s comment posted in the past here: it is not legal without the consent of these everyone, and they are anonymous so this won’t change for past comments.

For future comments, we could ask Bruce Schneier to change the comment form so that it states that everything posted here is considered public domain, except for quotes, that are defined to be the content between marks [quote] and [/quote].

Thoth September 3, 2014 2:34 AM

@Benni, Czerno, Skeptical et. al.
World events do not coincidentally happen just at the turn of a palm or flick of a finger. Russia’s conflict with Ukraine and Georgia is by no means coincidental or basically “saving the innocent Russians there”. Ukraine and Georgia’s reactions are not simply let’s hug Washington and Europe and give them a nice big hug. It’s a very complex politics.

One good example of these complex intrigues I love to reference is the Chinese Three Kingdoms era.. the historical version. If you have not read the Chinese version of Three Kingdoms (not Romance of the Three Kingdoms), do try to find an accurate translated version. It basically shows a whole ton of political, mental, social, economics and human control.

The *stans and *via countries (Latvia, Lithuania, Estonia) and Belarus itself may fall to Russia one by one like falling blocks. Huge gas and oil resources are one of the reasons. Increasing buffer zones loyal to Russia’s cause and as bullet catchers to buffer themselves from NATO countries is another reason. Does Russia need more space ? No… it’s one of the biggest country in the world so that’s one unlikely point. NATO’s presence is frankly freaking Russia out and that’s normal. Russia maybe reacting to NATO’s increasing presence in Eastern Europe and NATO is also freaked out by Russia’s political and military moves just as NATO (especially the USA) is reacting strongly to Chinese presence and China is also reacting strongly to US/Allied presence in the South China Sea.

Benni, here’s something interesting … open Google Maps or some Map Apps and take a look how close Moscow is to Ukraine and Belarus. Both countries are the land based gateways to Moscow (heart of Russia). If any of these gates were to fall into NATO’s hands, it’s over. NATO missiles will be within reach of Russia in a short moment if NATO decides to do something.

The water way around into Russia from Eastern Europe would be the Black Sea and the water way into Russia from Arabian region would be Caspian Sea. The Arabian region / Middle East is deeply entrenched in it’s own revolution due to Muslim ideology and it is rather awkward for NATO or Washington to spread it’s influence fully (and the Anti-American ideology of Muslim Extremist). The only comfortable way in would be the Eastern Europe region.

Conquering Turkey requires good excuses to launch a war and Turkey is a NATO member. Furthermore, most part of Turkey are Muslims and that’s one more enemy they don’t want to make and Turkey is both too far and clipped in between many nations. Extending one’s troops so far off from the center is a military taboo. Ukraine is close to Russia and has direct control over how Russia access the Black Sea via water which is a threat to Russia. 4 ways Russia can deploy it’s navy is either from Caspian Sea, Black Sea, Arctic Circle or Bering Straits region. Black Sea is the closest to Moscow and deploying the Navy from Bering Sea or Arctic Circle would be troublesome as it needs to circle much of land mass just to get to main sea routes.

Russia’s ideology and vision of the Soviet era and the Czars have not yet faded. The visions of the once prosperous and romantic era which are used heavily in propaganda are still alive in the minds. This is not just about Russia having such ideology but that includes other nations like China, Japan, Britain and so on. These old ideas lead to self-justification actions to claim certain lands or seas as their own which lead to disputes. Putin is an old-school style person and it’s unlikely these ideologies can escape him which leads to my conclusion that Eastern Europe is still seen as part of Russia even after the fall of the Russian Empire and Soviet Union.

At the heart of the issue, the security of the land, the greed for resources and the old ideals may have influenced how Russia reacted to NATO influences and policies in Eastern Europe.

This web of intrigues where the leaders are reacting on instinct and emotions and deploying their forces where they perceive they expect encounters. To put it in a metaphorical term, the ropes are tied around the necks of the leaders and one of them pulls or push their rope around their neck, the others feel the pain and that is the reason they reacted out of fear of each other.

To conclude a person, an entity or a nation at fault would be heavily bias or prejudice depending on how one sees the issues. It is the rash decisions, instinctual reactions and the mix of emotions and reminiscence of the old that led to many world events.

In this era of reasoning and intellect, we should sit down and carefully consider our actions and their long term effect and not act according to rash impulse be it in the field of politics or security.

Moscow can either commit to a full scale assault and remove Ukraine and Georgia from the map and follow on on the *stan and *vias and weaken itself by spreading itself too thinly, commit to a real table discussion with actions and Ukraine to be open to both Russia and NATO as a neutral zone that serves the economy of both (highly unlikely but the best option) or annex a handful of land including Crimea but leave the rest of Ukraine on it’s own and stop it’s annexing. Another way is just make noise and get nothing done but that will spoil their image.

Wesley Parish September 3, 2014 5:09 AM

If proof was ever needed that vulnerabilities can’t be monopolized by any one set of attackers:

the web forum Anon-IB, one of the most popular anonymous image boards for posting stolen nude selfies, hackers openly discuss using a piece of software called EPPB or Elcomsoft Phone Password Breaker to download their victims’ data from iCloud backups. That software is sold by Moscow-based forensics firm Elcomsoft and intended for government agency customers.
Elcomsoft is just one of a number of forensics firms like Oxygen and Cellebrite that reverse engineer smartphone software to allow government investigators to dump the devices’ data. But Elcomsoft’s program seems to be the most popular among Anon-IB’s crowd, where it’s been used for months prior to the most current leaks, likely in cases where the hacker was able to obtain the target’s password through means other than iBrute.

I think someone’s just walked over the NSA’s grave.

Czerno September 3, 2014 5:10 AM

In this era of reasoning and intellect, we should sit down and carefully consider our actions and their long term effect and not act according to rash impulse be it in the field of politics or security.

Thank you and Amen! to that.

In other news I just saw a moment ago, Poroshenko & Putin shook hands, said to have agreed on cease-fire and further talks aimed at resolving the crisis. Let’s hope they, and all involved parties, succeed in establishing conditions for long lasting peace (even if such an outcome does not fit well with extremists’ and bellicists’ views and goals apparent or hidden.)

Andrew_K September 3, 2014 7:46 AM

Sad thing, I found myself with similar toughts regarding both Bruce and the blog’s contents and comments. I then took a look at I would have started worrying if it would have disappeared from the archive, too.

Sidenote: Are there cases of contents being banned from

Czerno September 3, 2014 7:59 AM

@Andrew_K :
the blog being back to – apparently – normal
sure is good, better still would be to see
a comment by Bruce himself reassuring us that
all’s well that ended well. Is Bruce’s canari
happily singing ? ATM do I know for sure I’m posting to Bruce’s blog, not to someone else’s server ? They got his “certificate”, yeah, right. :=)

Re: AFAIK, contents are removed from (public) view at the request of right owners. It’s everybody’s guess as to whether they also remove contents at their own discretion (self-censoring) and/or at the request of law enforcement (I’d guess they do both)

Clive Robinson September 3, 2014 12:49 PM

OFF Topic :

Fake Mobile phone sites found in US

It apoears that these towers and their associated equipment attack mobile phone about three times every two minutes.

They were discovered by users of the ESD Cryptophon 500 which has a modified Android OS,

The speculation due in part to their locafion is that they are under the control of a US TLA like the Department of Defence etc.

Nova September 3, 2014 1:50 PM

@Benni, Skeptical, Thoth, et al, Russia

“Although this is a computer security blog, I think what the Russians are now doing is on topic for several reasons

c) currently, a major cyberwar attempt comes from Russia, where literally thousands of trolls payed by the Russian government appear on every internet forum and comment section, where they place obnoxious stupid propaganda. Since one can observe this on almost any European internet forum and comment section of news magazines, an internet user can simply not escape this massive propaganda effort.”

A large number of serious attacks have been emanating from Russia for many years, against the US, anyway. This has escalated. Further, Russia has shown the capacity to infilitrate infrastructure and place time bombs in case anything goes wrong. There have been a number of articles about this in the past week.

Russia just pilfered an enormous amount of data from JP Morgan, for instance. That is highly likely to be both a diversion and a warning shot.

Likely, they could try and do something with this data or other data they have compromised… which they could think maybe would just “send a message” but could do severe damage to the global economic infrastructure.

These discussions are highly likely portent to “before the big catastrophe”. But, I add such a statement simply for color. Change has been in the wind for quite some time, and there are many factors at play there.


“open Google Maps or some Map Apps and take a look how close Moscow is to Ukraine and Belarus. Both countries are the land based gateways to Moscow (heart of Russia). If any of these gates were to fall into NATO’s hands, it’s over. NATO missiles will be within reach of Russia in a short moment if NATO decides to do something.”

While you argue the matter is complicated, you also state this. I think this statement well summarizes what is really going on here. It is sad that this is not made clear in more articles.

It is always about geography. Location, location, location.

Nick P September 3, 2014 7:52 PM

re Bruce’s blog down

They do occasional maintenance that takes it down and it’s a free blog that doesn’t provide any uptime guarantee. No need to worry about it unless it lasts over a week. Then a simple email to Bruce would tell us what’s up.

Far as saving the data, the best thing to do would be to web crawl the blog. Just aim a tool at it that downloads every reachable page onto your hard drive. I don’t know if they block that or not. The main risk there is your script hits it with so many requests it causes a DOS or something. So, use one that can limit the number of requests (max one a second), then run it between midnight and 6am. Then, run a standardized MD5 or SHA-1 tool on all the files. The hash of that can be signed and checked by others doing backups.

re Cell Phone interception

A nice PowerPoint-style presentation here:

@ Clive

It shouldn’t surprise anyone as they’re monitoring and MITMing all kinds of things. Remember the 9/11 pager leak? If it can be monitored, someone probably is doing so. The devices are cheaper than the $100,000 stated in the article. Seeing limited homebrew has gotten to $1,500, there might be smaller companies offering the good stuff in the tens of thousands. The TAO catalog had one for $40,000 I think. At that rate, it would be worth putting on military bases and maybe a mobile one in every significant (to them) city.

The real threat that would pose comes from integration. NSA’s cellphone metadata and monitoring combined with IMSI catchers in specific areas could let them focus on just the right people. It might also help them derive attacks that don’t require on an expensive, limited use piece of equipment. Private firms would mainly use them for basic intelligence gathering on targeted business people, esp executives. Government could do a lot more.

Nick P September 3, 2014 7:55 PM


Might be able to get them from Asian suppliers even cheaper. I’m not sure what’s offered there but they do use IMSI catchers. Buy it (from there or here), see if it uses generic components, pull the software/firmware out of it, clone it onto components, and now you can build as many as you want at cost.

Wesley Parish September 3, 2014 8:20 PM

@Nick P

Far as saving the data, the best thing to do would be to web crawl the blog. Just aim a tool at it that downloads every reachable page onto your hard drive. I don’t know if they block that or not. The main risk there is your script hits it with so many requests it causes a DOS or something. So, use one that can limit the number of requests (max one a second), then run it between midnight and 6am.

In other words:

and, of course

Figureitout September 4, 2014 12:42 AM

Communities will come and go…
–True, yeah I used to love MSN lol…sh*ts dead now.

It is not legal to have a backup web server showing everyone’s comment posted in the past here
–Uhh…Sounds like an ignorant law as the content has probably been copied completely 1 million times or way more. This IS the public domain, public internet, what the hell is privacy? Only private domain is your head, which is slowly disappearing as you express feelings w/ facial motions and speech and all of that is getting scooped up. It’s not exactly what I mean anyway, if the archives disappear and guy is served again to delete; still many more sites serving the goods. The point is for the PEOPLE here to shift to another site, or at least another temp. site until a better site is made. Otherwise, lots of people too scared to exchange actual contact details will lose contact.

Sidenote: Are there cases of contents being banned from
–It’ll just disappear and get torrented around w/ malware, but Brewster Kahle got served w/ an NSL and had the balls to go public w/ it.

A quote that stuck w/ me was:

“I did go home that night and over dinner with my family, I said, “Ask me what it was I did today, and remember my answer.” So my son, who was, I don’t know, nine, or something like that, asked me, “Daddy, what did you do today?” And I said, “I can’t tell you.” “

–And that is what it’s like living in a police state, and it’ll get worse even though the intel gathered won’t get better as there’s too many ways around it.

More Musings on a Secure PC Design

Still have a lot of work ahead sigh, but getting the entire system working is coming along slowly. Got other projects and now school to do so…For the sake of having a product you can actually do some things w/, I’m planning on scaling back how deep I go. Going deeper requires a full-blown funded engineering effort w/ a physically protected lab. Any less is a joke and I’m not going to just use this device by myself. So it’ll be essentially some barebones OS, something like XINU [], a C-based OS. Most likely PS/2 keyboard, probably no mouse, but if the GUI isn’t too cumbersome then have mouse. It’s not meant for playing games anyway, meant for crypto keys, actual crypto, and storing IP. But check out that code, it’s meant for a router but it’s so clean and crisp. Plan on using different compilers/assemblers and comparing the .s files. Then trying to seek out as many security faults as I can in the code based on public research; as in textbook insecure coding. This will be one of the most painful parts.

Using a commericial inverter and tested filters for power, a combo of tested and a little something extra for the actual shield around the device once in operation, and I haven’t decided on a smaller LCD screen or a more tradition VGA/LCD screen. Not planning on battery powered, but it may be an added feature. Some extra one-time-programmable PIC MCU’s w/ separate power supply simply spewing noise out and potentially used for CS-PRNG’s. This should all work, I can almost see it.

Beforehand, I’ll probably come on here w/ a build of an beagle-bone based SDR. Handy toy. Better to just get a full blown spectrum analyzer but I’m on a damn budget. This will be outside flashing area, which is a shielded area. My dad’s been considering building an SDR in a little more detail than what I’m planning. If he does, I’ll share some tidbits if he doesn’t decide to try to make some $$$ off it.

Clive Robinson September 4, 2014 1:04 AM

@ Nick P,

Whilst it should not come as a surprise, –as the NSA appears to industrialize all attacks where possible– such equipment and attacks have been portraied untill very recently –even in the TAO catalogue– as “directed attacks” against an “individuals metadata communications” eminating from a target phone, not every persons communications in reach.

Further the attacks were generaly seen as a passive “eavesdropping” against the network communications not black bag jobs against the phone it’s self. Thus many would assume that once out of range of such “eavesdropping” equipment things would be back to “normal operation” for people who were not being specificaly followed and monitored by the equipment in vans etc.

The fact that a US TLA is actively seaking to put malware on every phone in range of these masts, is a whole order of magnitude beyond “evesdropping on call metadata”, it is tantamount to the US Gov declairing cyberwar on all citizens, and that will come as a nasty shock to many individuals.

It further begs the question as to if the NSA et al are also putting malware on every computer that connects to the Internet within the sphere of their network connection operations.

You and I would assume the answer is yes under the unofficial 5Eye motto of “Collect it all, anyhow, anytime, anywhere”. However most users would not, it will further put into peoples minds the question of AV software failing to stop it and thus collusion between the AV vendors and the US Gov…

It will also potentialy bring up the question of “quatering troops with civilians”, in the US there are laws to prevent this. A legal argument could be made that as entities like companies are granted equal status as humans under the “Any person legal or natural” rule entities such as “autonomous software” could likewise be considered equal. Thus the US Gov always claiming “Cyber-warfare” puts then in the position of being guilty of “quatering cyber-troops with civilians”, it’s an area of law I’m sure the US Gov want to avoid discussing currently…

Thoth September 4, 2014 1:17 AM

Yes, geography/location is the key to conflict. Since old, that has always been the conflicting point regardless of the excuses for war.

To wage a war, one needs virtues. A war not supported is a war half lost.

What Ukraine can learn from us in Singapore is diplomatic mission successes. We are good at engaging friendship everywhere in the world. In the early founding of Singapore, an agreement criteria for our independence set by the UK is the removal of the Communist (Chinese Communist whom are Chinese educated). Our government on one hand tried to appease the UK by pushing the Communist out but to not upset China, we left the Chinese banks open despite parties across the straits whom wanted them ousted). On one hand we barely appeased the British and on the other hand we avoided annoying the Chinese. We have managed to do “between the lines” maneuvering resulting in our huge success. Our coffers have enough gold to last many generations and redeem falling economies.

On one hand, Ukraine could allow free access of Russian and NATO as a neutral zone like what we did. By managing themselves in a diplomatic and logical way instead of emotionally charged reactions, they will prosper. It is conflicting to allow both sides of the board to enter Ukraine but this irony can be good for them. Ukraine can make a deal to so they will shepherd the land but Russia can have it or if better, not give up any land. On the worse case they can give Russia the Crimea region but Russia will make no advance as my mentioned threats still exist. Russia, like the US, is making people hate them…. building up negative feelings towards them by their political actions based on insensible policies.

Andrew_K September 4, 2014 1:49 AM

@Benni, Skeptical, Thoth, et al, Russia
Location, Location, Location.

Yes, seems reasonable. But keep in mind that Estonia, Latvia, and Lithuania joined NATO years ago while in comparable distance to Moscow as Kyiv and Minsk.
There must be something special about Ukraine and we’re back at sea access. Russia has its exclave at the Baltic Sea, maybe this will rescue the countries mentioned above.

It now has an exclave in Black Sea, Crimea.

Backup September 4, 2014 4:18 AM

Short: Bruce Schneier, please add a line like “all comments posted here are licensed under CC BY-SA 3.0” in the comments form.

Long: @Figureitout: “–Uhh…Sounds like an ignorant law as the content has probably been copied completely 1 million times or way more. This IS the public domain, public internet, what the hell is privacy?”

No. You are not allowed to copy what you want and do what you want with that if there is not legal notice allowing you to. For an example of such legal notice, look at title “3. Subscriber Content” on …

Without any notice, you can only watch the content. Not save it, neither upload it to your own web site. If disappears and another web site is serving the comments, then it may be sued and will lose in court by anyone pretending to have written comments. Sure it will go to torrent, but it will be illegal to even link to these, illegal for journalists to write about it, … sore end for

Depending on contries, you may have additionnal right (in France, you can copy and show to friend and families anything that has not been copied by a friend or a family member; that works for DVDs, …).

Because of this, can be asked any time to flush the caches of it is enough that one person says that he wrote something that he want to shred.

Bruce, a sentence like “all comments posted here are public domain, except for quotes” would also fit.

Thoth September 4, 2014 6:51 AM

Yes, sea is a high possibility but they will have to rely on Constantinople’s (Turkey) good will if they want their ships to sail out 🙂 . Their current excuse as they currently appear is due to their exclave but soon once they are done with one, they would be on looking for another. The reason is their leadership is marshal influenced (same for the US ?).

All pots and kettles are black regardless 😀 .

BJP September 4, 2014 8:21 AM

@Clive Robinson

“It will also potentialy bring up the question of “quatering troops with civilians”, in the US there are laws to prevent this”

You’re the first person, other than myself, that I have seen bring this up in the context of NSA actions. I have been preaching that line since shortly after Snowden became a recognizable name; mostly to responses of derisive laughter.

Of note: we do not have “laws” to prevent quartering troops with civilians in the US. We have a constitutional amendment (the third amendment) prohibiting that action except in time of war, with the same power and force of our first, second, and other amendments.

Buck September 4, 2014 10:17 AM


Jacob Appelbaum and others were talking about this around the time of a TAO story published in der Spiegel…

Is the NSA Quartering “Digital” Troops Within Our Homes? (January 1, 2014)

But security expert Jacob Appelbaum notes that the NSA may be digitally violating the 3rd Amendment.

That was quite a while ago, and has long been forgotten. The third will end up in the bin of a paper shredder with all of its fellow Bills of Rights… Besides, even if a judge ever did hear this case, they’d probably find in favor of the NSA, because computers are magic little boxes that are somehow immune to the application of old non-computer-related laws!

Nova September 4, 2014 10:43 AM

@Thoth (And Andrew_K)

Oh, you are from Singapore? I have hung out with Thomas Lim from there a coupla times. My mom has a few things from her visit there.

I am not sure how the situation might be compared. Who knows, you could be correct. Ukraine often comes up on my cyberattack radar coupled with Russia. Otherwise, I have studied it here and there, but my own information is incomplete and I am not interested enough. US, Russia, Ukraine, Europe… will do what they feel is necessary and I do not think anyone can change their minds.

I know there was a big anti-communist front there after the october revolution, which was savage.

Russia wanted sea access for Afghanistan… sea access makes and breaks countries.

I am just waiting for the shit to hit the fan, cyber attack wise. Notice the boxes on these home depot cc numbers being sold, saying, “American sanctions 1”:

And there is JPMorgan, but that is nothing compared to the vast web of compromises Russia has sleeping in US and European cyber infrastructure.

Nick P September 4, 2014 12:44 PM

@ backup et al
re Legal issues with backups, esp

Backup is entirely right in saying that you can’t do just whatever you want with online content. The main risk area is that it’s illegal to distribute content without author’s permission. That people often copy articles and share quotes doesn’t make it legal. Matter of fact, there’s one attorney whose made a personal fortune buying copyrights to widely copied news articles, identifying those that copied them to on their web sites, suing them for infringement, and typically getting paid a settlement.

So, let’s look at the situation.

  1. Bruce posts his own articles on this blog that’s open access. This is implicit permission for a user to download his material onto their system.
  2. The comment field is a mechanical process that distributes content to all readers on the blog. So, using it can be argued as implicit permission for content to be distributed to any Schneier blog reader.
  3. Distribution of Schneier’s blog content is illegal without his permission.
  4. Distribution of the comments might be illegal without their permission.

So, receiving is OK if it came from Schneier’s site and distribution of the content is the problem. Now, let’s look at my scheme.

A. Each user downloads the content from the site. This is legal per No. 1 and 2 above.

B. Each user creates a legal backup of the content for his or her use. This backup will be done in a standardized way to facilitate third party verification.

C. Users hash and sign the files. There is a risk it could be considered a derived work. Yet, hashes are used in courts all the time for various purposes. They’re also the equivalent to an identifier, such as a book title/ISBN. So, risk is low here.

D. Users publish their copyrighted work (hash/sig) onto online forums for comparison with others’, with a license included allowing viewing, distribution, and attribution to alias (or public key) used.

In my analysis, my scheme doesn’t violate U.S. copyright law, allows preservation of blog content, has fairly strong verification if content isn’t altered during transmission, and has extra subversion resistance due to decentralization. Let’s also not forget that Bruce doesn’t seem to sue anyone who copies his material while giving him credit and linking to his blog. Hard to imagine Bruce suing you for publishing his public content that got forced off the Internet somehow. I’d just advise you present the content as is to give him credit and recognition in the copies.

And you can always email him to ask for permission to and terms/conditions of mirroring his site. And he might even alter the site to ensure comments are licensed for free distribution and his content gets free distribution with attribution in event it disappears off Internet. Or released to public domain upon becoming an orphaned work. He stays pretty busy but might work something out to eliminate such legal risk.

DB September 4, 2014 2:54 PM

So… with all the nation states of the world busy hacking and pillaging everyone worldwide… I’m glad to see this kind of trend, in order:

1) Thinkpad X60 laptop with open source BIOS, which is also spreading to more models…

2) Novena open source “laptop” which is a full blown open source hardware from scratch… (not just the BIOS)

3) What’s next in this progression? Open source CPUs? Perhaps ones designed with totally new architectures that are designed to be secure? Probably FPGA based… And new securely designed operating systems for them too obviously… I’ve seen a few people commenting on this kind of thing here on this blog, but it seems a really really long ways off as far as being useful to many people widely in any sort of practical way… am I wrong? Is it really coming yet?

Buck September 4, 2014 10:53 PM

Lots of LOLs for Zelda! Of course an organization like the NSA has just as many (if not more) personnel issues as the next conglomerate, but I suppose that they can’t really vent frustrations to friends and family (or Dear Abby) about their issues! Though skimming through a few of the FOIA unclassified docs, I can’t help but wonder if this isn’t all just the thesis project of some poor new interns…

Figureitout September 5, 2014 12:04 AM

–First off I didn’t give you permission to quote me. Should I take you to court now? I’m trying to waste public money.

No. You are not allowed to copy what you want and do what you want with that if there is not legal notice
–Uh oh, I just quoted you. You going to flog me now? What I’m trying to say, yeah that’s nice to try but it’s impossible to enforce. HOWEVER, to your point, main problem I see right away is if I’m well…posting on a blog, my blog, and some assclown just copies everything verbatim and makes a nearly identical blog name and then since I link that on my resume recruiters think I copied it. In which case that would piss me off but I could physically prove it’s me w/ my photos and of course experience. But that’s not what I’m even trying to do or what I’m really saying AGAIN, so stop saying that. I don’t use webcrawlers, it’s rude and I’ll just scrape a bunch of scum I don’t need. I’ve already read and get my info from other places, including books I buy. I’m talking about people scattering when the blog just goes down for good some day.

Is it really coming yet?
–It’s only getting started.

Clive Robinson
–So on my “internet pc” for some reason it’s just now starting to not boot up w/o a reboot and the timezone has been set for London, England. Funny, eh? This isn’t you (as I’ve mentioned before, someone inserted a printout of the town of London in a printout I was doing for school, so my school network is compromised), but some other assclown right? B/c it’s annoying always having to wipe and re-flash again and again and it wastes my time, and I don’t like that. I’m trying to do some things.

Thoth September 5, 2014 3:35 AM

Compromising US economy would plunge the world into more troubles (considering those are due to economic cyber attacks) or any kind of discomfort US feels would be felt worldwide eventually. We are too reliant on the US for almost everything and even Russia would barely survive if they want to attempt a suicide. Cyber warfare would probably not be feasible on a large scale without much consideration. Small scale skirmishes and attacks carried out by supporters or mercenaries to carry out cyber attacks would be possible.

Clive Robinson September 5, 2014 5:37 AM

@ Figuritout,

In reverse order, no it’s not me affecting your work, for two good reasons. Firstly I’ve had that silly game played on me in the past, not just by humans but a bug in a multiuser OS printer spooler / driver as well…. Secondly, I’m of an age where my life expectancy is a good deal less than the length of time the idiots in the US justice system either argue over extradition or hand out in sentencing. So as I don’t want to spend my twilight years being molested by a “Hairy Mary” in a US supermax or worse, it’s not a game I’m going to play.

The question of copyright is an awkward one, it’s only right and fair that I enjoy any rewards for my words, just as I should accept any reaonable punishment for them if I materialy hurt some one with them. However it’s also fair that I don’t use them to create a monopoly over others works, which can be used to hold back the development of society, which is why we have the “fair usage” asspects of copyright law.

However there is a problem, which is derived works of which this blog is just one example. It’s quite acceptable for me to take the words of others put them in a collection and copyright the collection, even though I don’t have the copyright on the original words. The question then arises as to what happens if I decide to sell the derived work…

Well it’s already happened and you can go and look up what happened with Arianna Huffington’s sale of the news web site HufPo to AOL for $315million in cash…

Now I’m not saying Bruce is going to sell this Blog, it’s financial value is quite small as it does not carry advertising or have locked in users, pluss those boats appear to have sailed onto rocky shores but at some point this site will almost certainly be regarded as an “asset” financialy, as it is legaly regarded as such currently.

The thing is the law does not alow for unrestricted communal ownership, as it apparently does not alow justice (directing/ controlling mind issue). Thus there has to be an owning entity of an asset, and the law is most likely to take the simplest route when it comes to liability or assignment of an asset, and it’s Bruce’s name on the “mast head” not just of the site, but all the individual pages within it…

So the question falls as to what rights can the asset holder of a derived work transfer to others in part or full. The law is unclear but the HufPo sale gives some indicators as does the IPO of Facebook etc.

It also gives oportunities as well, there is little to stop you making this blog part of your own derived work, but you would have to add to it materialy in some way either in direct utility or as part of a much larger whole. In essence this is what a search engine does, it takes the site turns it into a searchable index of pointers back to the original site. The question then is “is the searchable index a copy of the site or a derived work” the answer depends on not so much on how the information is stored, but how it is made available to others. It’s similar to a singer and a song sheet, provided the singer has obtained the song sheet legaly, they can sing from it as a derived work, but they cannot photocopy the song sheet and give/sell it to others unless they have been given the right to do so. However there is the doctrine of “first sale” that alows the singer to sell on the original song sheet as a physical item.

Confused, well you should be many legal persons and lobbyists have spent much time and effort to ensure you should be so that they can proffit by it…

Nova September 5, 2014 11:22 AM


discomfort US feels would be felt worldwide eventually. … Cyber warfare would probably not be feasible on a large scale without much consideration. Small scale skirmishes and attacks carried out by supporters or mercenaries to carry out cyber attacks would be possible.

Anything is possible.

One problem is even targeted attacks – because they have never been tested – can cause enormous collateral damage. A good example of this is some of the old worms we used to see, including the Morris worm of old.

Consider natural disasters: they hurt the global economy. But do they hurt it so much as to truly hurt countries far away? When the power went out a few years ago, in the eastern seaboard, did that really effect Russia so much? Did the California brown outs hurt Russia so much? How deeply hurt was Russia by the tsunami in SE Asia? Or by the disaster in Japan? The financial meltdown in 2008 hurt them, but how much, really…

One thing about this sort of outlook: if it gets them what they want, they may not care. Individuals, ultimately, are making decisions here. You are talking about a country that had its’ leaders put their nation through many levels of hell for the sake of progress over the last century.

Individuals, especially sociopathic individuals, as such leaders tend to be, consider themselves “strong” and “leadership material” with “virtue” to be able to make “tough decisions”: in reality, these decisions usually mean they lose very little. In fact, they may have much to gain personally. And if they are still deep in their cognac and caviar, what do they really care if “their” poor suffers a bit more?

Still, Russia did not do such a thing in the Cold War, so why would they now? But, they did make moves which had accidental repercussions.

And things can change.

They did not hack US banks in the Cold War, either. What can be done with cyber warfare is much different then what could be done then. Companies can be targeted and taken down surgically with hacks. Individuals. Mass amounts of information can be stolen like never before, and, as well, dumped to the open market, or used.

There really is not much protection against these things, there are too many targets and too many attack avenues: they can get insider information, they can give insider information, they can get in front of trades. They can get behind trades. They can target major centers of major financial firms. Or target smaller financial firms. They can target individual major brokers. They can get on the wires. Or on the servers, or just the desktops. Mass amounts of money are constantly moving around, in so many networks, it is a rat’s nest… the size of the country.

But, who knows, maybe that won’t happen. There are always possibilities of doom: Benni was pointing out about solar flares, some argue about the apocalypse, there are meteorites and natural disasters, war its’ self is a disaster.

I would not be surprised, however, if Russia does not feel so bold because they do have the US by the jugular.

Figureitout September 6, 2014 2:06 AM

Clive Robinson
–OK, most of the attacks assume an internet connection, my highly infected router, other infected AP’s (I just let them know how easy it is to get an “unknown” AP but generally don’t bother as it’s OPSEC mind&time-wasting). The more time they spend on me (I’m a pacifist researcher and like you I probe & plan things out pretty well where I’ll be fairly stealth when making moves), the weaker they become and leaving other national infrastructure open to other nation-state attacks…not to mention I’ll be spreading that malware far and wide for anyone else to find and re-use it (never done that lol…)…so meh lol.

To reset the time BTW, simple command line: “dpkg-reconfigure tzdata” Then select your timezone. Been to busy to reboot and see if they overwritten and injected something deeper (I’m a victim of BIOS-level and deeper attacks so no surprises if so).

RE: legal field
–You know, in the years it took for me to “find myself”, I seriously considered becoming a lawyer to fight for all kinds of victims of extreme injustice; was initially thinking constitional law but that document is trash now. Then I saw that the ones getting paid are some of the most vindictive, aggressive, disgusting people I could ever imagine. And there’s far too many of them just flauting how they abuse the legal/justice system, I just want to get away from it…

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.