Friday Squid Blogging: Squid Burger

McDonald's has a Halloween-themed burger with a squid-ink bun. Only in Japan.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on October 3, 2014 at 6:19 PM • 88 Comments

Comments

Clive Robinson • October 3, 2014 7:33 PM

Just as well it's "only in Japan" I doubt there's enough fresh squid ink around to do all MuckyDs "gristle in a bun" joints.

Benni • October 3, 2014 7:35 PM


According to our user Skeptical here, NSA is not engaged in industrial espionage.

Now details are coming on "project Eikonal" where NSA and BND monitor the world's largest internet node de-cix in Frankfurt.

Interestingly, BND caught NSA using this access for spying on the European airplane manufacturer EADS and the helicopter manufacturer Eurocopter http://www.tagesschau.de/inland/bnd-nsa-datenweitergabe-101.html

I want to know what Skeptical thinks on that and for what political goals you need to spy on Eurocopter?

I consider that blueprints of the Airbus A380 airliner must be really interesting for the Americans, given that Boeing has so many problems with its 787 Dreamliner

http://www.thedailybeast.com/articles/2014/05/28/ntsb-doesn-t-think-the-boeing-787-dreamliner-is-safe-enough-to-fly.html

I think the codename, project "Eikonal" is simply disgusting. Usually, the eikonal equation is a non-linear partial differential equation encountered in problems of wave propagation, when the wave equation is approximated using the WKB theory. It is derivable from Maxwell's equations and provides a link between physical (wave) optics and geometric (ray) optics http://en.wikipedia.org/wiki/Eikonal_equation. Can't these spooks stop, just for one time, using codenames from physics?

Thoth • October 3, 2014 7:51 PM

@Benni
We all know the spooks have really bad names like Egoistical Giraffe... I wonder what kind of name is that.

@Clive Robinson
I wonder how the squid ink bun is tied into Halloween promotions... Hmmm...

Buck • October 3, 2014 8:13 PM

And because I assume my joke will lose meaning across cultural boundaries, I will now explain (and thereby ruin) the 'comedy' - I am Spartacus
(Don't stick your neck out too far or start digging deep into inconsistencies for any mere personal moral reasons ;-)

Anura • October 3, 2014 8:39 PM

@Clive Robinson

I think you are underestimating the American ability to stretch the definition of foods.

RocketDude • October 3, 2014 8:57 PM

There have been a bunch of articles this week out of Huntsville, Alabama that go something like
1) Someone who claimed to be from the NSA called the office of the school Superintendent
2) Based on this phone call, they expel a student
3) They start their own secret surveillance program without telling the school board or the public

There is so much squidy about this story, it is hard to even know where to start.

There are a series of articles, but this is an earlier one
http://www.al.com/news/index.ssf/2014/09/after_warning_from_nsa_huntsvi.html

SmokingHot • October 3, 2014 9:00 PM

@Benni

Of course the US is involved in industrial espionage. How else do they work with so many major overseas firms and ensure that the people they work with keep quiet? And they have been doing that in the states and overseas for decades. Where are the leaks?

American corporations, possibly even foreign corporations might be offered tantalizing information from competitors in order to allow access and ensure secrecy. By implicating them in crimes, from which they profit, secrecy can be secured without threats or more dreadful and less dependable methods.

This is how the Cosa Nostra has worked for ages. To get in, you have to kill someone. Everyone knows the goods on everyone else, so no one dares talk.

- threats, either direct or indirect, do not make reliable agents
- stuff like catching someone drunk or in the sack, do not make reliable agents
- an intelligence agency sharing information which is illegal, that can
- money alone, no... unless they are implicated by the information they give

Every major intelligence agency even has a division for technology. These are rarely secretive. You can find them listed on their websites. What do they do? Just read science journals? No.

Just befriend key people? No.

Figureitout • October 3, 2014 9:24 PM

Bruce
--Classic Japan. BUT, those sidebar stories again lol...and I know it's the "odd news" section, nice to see some other pioneering entrepreneurs bringing what the world needs, an ultimate wanking rubber hand (I thought I had no shame)...Then the freaky red-head chick that looks more scary than sexy, then the chick w/ a kitchen knife stabbing her head...Then I note at the bottom the news site is "headquartered in Washington D.C."--ahh ok, 'nuff said.

I've learned over time, it's best to just take your word for it and not click the links lol...

FYI, looking forward to you coming to Indy, I missed you last time. Of course I have a math test during the day but I'll be there. My question (if I can ask) will be off-topic and pretty straight-forward; better wear your best "poker face" lol.

OT

Cyanogen turns down a Google acquisition attempt: http://www.androidauthority.com/cyanogenmod-google-acq-532914/

Please, if the CEO reads or the CM community...don't f*cking sell out to of all companies, Google. This world doesn't need another sell out. Visited Motorola in Chicago (bought out by Google), Google f*cking fired a lot of engineers and shifted around a bunch of people, so the company is in flux. They will simply buy you out and ruin all your work. I like having a choice for a ROM, and want to soo badly wipe out this f*cking garbage the carriers put default on smartphones. Be your own company and don't sell out.

Buck • October 3, 2014 9:26 PM

@RocketDude

Hey dude, remember when 'anonymous' like totally blew up that van!?!? Stay fearful my friends! The next 'threat' could be coming to a switchboard near you!!

SmokingHot • October 3, 2014 11:41 PM

@RocketDude

Wow, that is a very interesting story:

Board members Topper Birney and Laurie McCaulley, contacted for this story last week, said they were unaware of the monitoring program and the board was not briefed. The city system web site contains no operational information on SAFe, but displays a logo and lists three staff members. Those include two security officers and consultant Chris McRae.

McRae's Linked-In profile lists him as a former FBI agent. His full bio lists him as a Montgomery police officer who joined the FBI and then worked as an investigator for TVA and later the Alabama Attorney General. He began consulting with Huntsville City Schools in January.

Good example of some whacky "cops" with a bit of "Jack Bauer" wannabe bullshit in their blood.

Reminds me of the Ferguson morons all decked out in military regalia. What a bunch of wannabe knuckle draggers. Find these boys a brown shirt, and they are all set to go.

Obviously this sad, wannabe cop dork never had a call from "the NSA". That is my take, anyway.

These backwards hicks probably made up the gang they busted up too. Besides listing "FBI" on his linkedin resume. Did they even call to check if such a loser ever really worked for the FBI?

If the story is not entirely fake, it did not get much news coverage, and the writing hardly cited any credible sources. Maybe another Shatter case. Journalists making crap up.

But, amusing. I wouldn't put it past some hick wannabe making up some ludicrous resume and actually getting a job as a "security official" at some school. :P Lol.


SmokingHot • October 3, 2014 11:57 PM

@What

That does not look like a drunk post, maybe something else?

Wait. That does have one go, "what".


Asteroid scenarios, World Wars, doesn't it all strike one as a bit boring? It would be nice to really see some serious mojo rising for once. Something truly strange. Must civilization fall yet again by simple banality of evil and yet again unruly hordes. Where are the paradoxes and the mind boggling. Where is the magic that challenges the sense of reality. But in dreams, it seems, and fiction, the imaginations of human kind.

No UFOs, no ghosts, no demons, not even blazing asteroids slamming the face of the planet. Just everyday corruption and the slow slide into oblivion. The oblivion from whence all came. Or so some say.

Adjuvant • October 4, 2014 12:13 AM

@What: I'm using Multprocessing logic.
That's nothing. Try Time Cube logic!

--Adjuvant
Hedge School GrandMaster, >2 level logic
Secret Apprentice, Time Cube Logic (currently on Double Secret Probation)

next big fun • October 4, 2014 3:30 AM

The next big fun: Cloudflare-in-the-middle

Cloudflare will offer SSL CDN for everyone's website.

blog.cloudflare.com/introducing-universal-ssl/


The coming NSA Cloudflare yoke of tomorrow is already on twitter today! :)

twitter.com/FredericJacobs/status/516681868641828864

Grauhut • October 4, 2014 3:55 AM

@Benni "According to our user Skeptical here, NSA is not engaged in industrial espionage"

There is even a contact office for well organized industrial espionage at the US DoC, the OES - Office of executive support.

This is publicly available unclassified information. Every service worldwide knows this for sure. This is the channel the empire uses to get its unofficial tributes.


"Intelligence Advisor
Joint Duty Number: NT50-13-0001U
Agency: U.S. Department of Commerce
Grade: GG/GS-13
Location: DC-WASHINGTON
Start Date: 03/01/2013

Duty Description Are you interested in being on the frontline of intelligence support to U.S. senior policymakers? Do you want to have hands on insight to how policymakers think and what intelligence they find useful? Are you ready to guide and shape intelligence collection and analytical needs from the policymaker perspective? ... OES is responsible for planning, coordinating and providing all-source intelligence support to senior Department leaders on a variety of issues as they relate to the Department’s mission to foster, promote and develop U.S. domestic and foreign commerce. ... This entails performing duties across the spectrum of the intelligence cycle, including intelligence planning and direction, requirements management, collection, analysis and production, dissemination, use and evaluation in collaboration with senior managers and staff personnel across the Intelligence Community."

http://www.icjointduty.gov/vacancies/nt50-13-0001u.htm

Wesley Parish • October 4, 2014 4:00 AM

@Benni

Perhaps Skeptical should change his name to Septical?

As far as I can see, the current US position on espionage and surveillance is a response to that whosiewhatsit in the US Federal Govt in the 1990s who lamented the US having this ginormous military and not having the opportunity to use it ... meaning that if the US has got the capability and capacity to do something, then by definition it's got the intention of doing it and has most probably already started ...

Grauhut • October 4, 2014 4:24 AM

@SmokingHot - "By implicating them in crimes, from which they profit, secrecy can be secured without threats"

Same situation with US congressmen and senators.

They tell the DoC what kind of intelligence the companies in their election areas need, DoC OES preps the intelligence for them, they pass it to the companies.

If they want to get reelected they have to produce jobs for the small people at any price, so they are willing to vote for the INTEL communities budgets.

Dirty hands everywhere...

Benni • October 4, 2014 5:49 AM

more on project "Eikonal"
http://www.sueddeutsche.de/politik/geheimdienste-codewort-eikonal-der-albtraum-der-bundesregierung-1.2157432-4

Apparently, BND made a contract with the provider Deutsche Telekom. For 6000 Euros per month, Telekom offered BND access to de-cix and BND gave this to NSA. Apparently, communications from Russians were of NSA's highest interest. Unfortunately, they were unable to filter the data from Germans correctly. Since this was clearly illegal, BND did not inform its oversight committee or the German office of the chancellery. However, after BND found that NSA searched for Eurocopter and EADS, and because the filter was unable to protect German communication, BND apparently stopped giving de-cix data to the NSA. NSA got angry and sent its vice president John Inglis to Berlin in order to demand "compensation". If not Frankfurt, then BND should offer access to another European fiber. The article says that at this time BND got access to a fiber of global importance, where NSA did not have access. Thanks to BND, NSA became a partner and got the data of this fiber...

Being questioned, BND now uses the same weaselly language as NSA:

In an answer to the NSA investigation commission, state secretary Klaus Dieter Fritsche said on the question whether BND delivered phone and internet data from Frankfurt to NSA from 2005-2007:

"during this time, BND did not give any of the telecommunication data it tapped in Frankfurt to NSA in a fully automated manner"

Yes, BND did not give the data in a "fully automated manner", instead, BND gave this data voluntarily.

Grauhut • October 4, 2014 7:12 AM

@Benni "for 6000 Euros per month, Telekom offered BND access to de-cix and BND gave this to NSA"

Sorry, but this Sueddeutsche story is nearly complete bullshit. For 6K€/month you get a single 10g fiber link within Frankfurt from Telekom, not more, not less. Telekom is not a member of the De-Cix cooperative, so they can not sell access to the De-Cix routers (not servers). At this price tag this is a single line to transport data from a 10g copy port to another destination within Frankfurt, if the cooperating provider is Telekom. They were writing about Russian traffic, maybe a precursor to the EPEG line, but then also Interxion, De-Cix colo provider in Frankfurt, could be the leak.

http://up.picr.de/19709955uo.jpg

RocketDude • October 4, 2014 7:41 AM

More on the Huntsville rocket story. It seems there is a company called GEOCOP, that may be making exaggerated (or even false) claims about a connection to NSA. Articles from around the country on local school boards suggest they may be calling and making locals believe they have a connection with NSA.

In this case, the locals way overreacted and have done things like
- start up their own secret program without telling board members or parents
- expelled a top student for having a fake renaissance sword in his trunk
- expelled students who are 18 and took a picture of themselves with a gun (outside school grounds).
- broke up a 'gang' which was really a group of 6 friends (who also happen to be black)

Part of the problem is that they are refusing requests from media outlets for Freedom of Information Act requests with statements which I paraphrase as "If the students know what we are doing, we won't be able to protect the schools". Since they won't respond to FOIA requests, the news reports come across as a series of rumors.

Throw-away handle • October 4, 2014 10:42 AM

I have a small request. I have been thinking about compartmentalization of the email accounts I use for different services, to mitigate risk in the case of a compromise of a single service. Are there any articles out there for best practices regarding this kind of task? My search skills have been weak as of late.

an OpenBSD guy • October 4, 2014 10:57 AM

IS GOOGLE USING THE SURVEILLANCE PROGRAM THEY ARE INVOLVED IN TO DRIVE BY FRIGHTENING THEIR USERS?

I am not a big fan of Android but it is the only reasonable choice on my Nexus 7. Last week I installed the K-9 mail user agent on my tablet and configured it to access my email account at Google's by using IMAP. I got surprised when my login was rejected, I was pretty sure all data provided was correct. Then Google sent me an automatic response:

Hi ********,

We recently blocked a sign-in attempt to your Google Account [*******@gmail.com].

Sign in attempt details
Date & Time: Tuesday, September 30, 2014 ??:??:?? PM UTC
Location: city, country

If this wasn't you
Please review your Account Activity page at https://security.google.com/settings/security/activity to see if anything looks suspicious. Whoever tried to sign in to your account knows your password; we recommend that you change it right away.

If this was you
You can switch to an app made by Google such as Gmail to access your account (recommended) or change your settings at https://www.google.com/settings/security/lesssecureapps so that your account is no longer protected by modern security standards.

To learn more, see https://support.google.com/accounts/answer/6010255.

Sincerely,
The Google Accounts team

What the hell? My account will no longer be protected by modern security standards if I choose anything that has not been written by Google? To be honest, I certainly prefer the old security standards to the new "cloud-based" security. Old security standards are something I trust.

After enabling access to "less secure apps" (what a joke when talking about Google's security standard and user protection practices) I received a second email from Google:

Hi *******,

You recently changed your security settings so that your Google Account [*******@gmail.com] is no longer protected by modern security standards.

If you did not make this change
Please review your Account Activity page at https://security.google.com/settings/security/activity to see if anything looks suspicious. Whoever made the change knows your password; we recommend that you change it right away.

If you made this change
Please be aware that it is now easier for an attacker to break into your account. You can make your account safer again by undoing this change at https://www.google.com/settings/security/lesssecureapps then switching to apps made by Google such as Gmail to access your account.

Sincerely,
The Google Accounts team

This one is a dangerous game to play, Google. First, respect the people, they are human beings, not something you can violate to earn money. Second, respect other software projects. You will learn from other software teams if you listen. Third, let us see if your software can compete in quality with these projects you call "inferior".

David T • October 4, 2014 12:16 PM

The data breach at JP Morgan Chase has been all the news. Reports say that the intruders got PID (name, address, email, phone #) but not passwords, account #, or balances.

If that's true, (and assuming that this is the work of criminals, rather than foreign governments) how will the miscreants monetize the data? For what kind of scam is that info most useful? What's the black market rate for, say, 1000 records of this kind?

Benni • October 4, 2014 5:15 PM

@Grauhut:
"Telekom is not a member of the De-Cix cooperative, so they can not sell access to the De-Cix routers (not servers)"

That is the key. For years Telekom has reluctantly refused to peer at de-cix because they have monitoring equipment there.

It is the hardware of de-cix which Telekom provides. The fibers at de-cix are from Deutsche Telekom.

Mr. Blue • October 4, 2014 5:31 PM

@David T

The information has zero black market value. Even if they had got the actual CC numbers that would only have minimal black market value. I haven't seen any recent numbers but a few years ago Krebs was reporting the BM rate was about a penny a CC number.

The press would have you believe that it is easy to make money off of stolen CC or PID information. It's not, it's difficult and frankly it's not worth the time for most fraudsters. They have better ways to make money.

In short, more FUD.

Grauhut • October 4, 2014 7:42 PM

@Benni "It is the hardware of de-cix which telekom provides. The fibers at de-cix are from Deutsche Telekom"

The fiber biz in Frankfurt was deregulated very early, the Frankfurt fiber ring was set up by Metropolitan Fiber Systems in the 1990s, this is bs. Telekom offers private peering and transit at the Interxion site where a part of the De-Cix is hosted (other parts in other colo datacenters in Frankfurt), but afaik Telekom owns nothing directly connected to the De-Cix core routers. Of course local German De-Cix partners have lines rented from Telekom ending in their routers at De-Cix colo sites, but you can peer there without having any business with Deutsche Telekom, you get fibre from lots of telcos there.

It is not so clear who received the 6k€ a month. BND is allowed to filter up to 20% of the international cross border traffic at the De-Cix, this has to be filtered, tube flics, pr0ne, torrents and spam payload removed. My best bet is the 6k€/m were for renting some racks and electricity for that prefiltering part at the Interxion site. BND should be a T-Systems designed network customer like all feds in Germany, they have one big bill, all inclusive. This is the way the prefiltered data should flow out of the colo room to some processing site, vpn tunnel provided by some sina linux boxes. Same procedure as always in .de

Grauhut • October 4, 2014 8:06 PM

Mr. Blue: "The information has zero black market value"

Not exactly zero, but low value. There are always some phishers buying this kind of stuff. Broadcast a "Change your password now!" form to them and >30% of the sheep out there will do it. Ask them to download and run a "security check software" besides filling out the form and >20% will do it, now that they are warned about "the big risk". The difference of 10% has had no time or will ask a service person.

Great for building a botnet, as long as the news are fresh. ;)

Benni • October 4, 2014 9:37 PM

@Grauhut "It is not so clear who received the 6k€ a month. BND is allowed to filter up to 20% of the international cross border traffic at the De-Cix, this has to be filtered, tube flics, pr0ne, torrents and spam payload removed."

No. BND can copy 20% of the "network capacity". And as usual, 20% of de-cix' network capacity is its current maximum load. That BND is allowed to make a full take of de-cix was noted from the judges of Germany's highest court at the NSA investigation commission.

Project rampart-a has, according to Snowden slides, a capacity of 3.4 Tbit/s (which for some reason coincides exactly with de-cix' maximum load).

I would not be surprised if, after BND suspended NSA de-cix access in 2008, they made a new contract, and the new "fiber of global importance" was again de-cix....
One should note that de-cix has opened nodes in the middle east recently...

I think that de-cix really should expand more to the US. A de-cix node in Washington is what we urgently need....

tim • October 4, 2014 10:08 PM

The usage of SSL doubles on the net from 2 to 4 million in 48 hours and not a word from Bruce?!?!? This move by Cloudflare puts a serious wrench in small time eavesdropping like wiretapping at the ISP level.

Grauhut • October 5, 2014 3:22 AM

@Benni: "rampart-a has, according to Snowden slides, a capacity of 3.4 Tbit/s"

Which of the Rampart-A sites is labeled with a capacity of 3.4 Terabit? And where, which slide?

http://www.statewatch.org/news/2014/jun/usa-nsa-ramparts-2.pdf


US-3237/SMOKYSINK
(no 3rd party partner/joint RAM-T)
DNR & DNI

US-3127/AZUREPHOENIX
DNR & DNI

US-3180/SPINNERET
DNR & DNI

US-982/TRANQUIL – Retired June 2010
DNR & DNI

US-3145/MOONLIGHTPATH
DNI & DNR (September 2010)

US-3190/FIREBIRD
DNR & DNI

US-3153/FALCONSTRIKE
DNR & DNI

US-3178/DULCIMER

Benni • October 5, 2014 6:47 AM

One should note that the Sueddeutsche article says, formerly, de-cix data went to Pullach first, and then to Bad Aibling where the data was given to NSA analysts.

After BND caught NSA spying on Eurocopter, it seems that they just have changed their mode of operation a bit.

At the NSA investigation commission, the BND spook says that BND is not a contractor of NSA since NSA would not have access to BND servers. Instead, BND gets 4 times a day a list of selectors which BND agents then put into xkeyscore.

Then the BND spooks give the results to NSA: https://netzpolitik.org/2014/live-blog-5-anhoerung-geheimdienst-untersuchungsausschuss-was-machen-nsa-und-bnd-in-bad-aibling/

Of course, BND has still taps at de-cix. It must have that, according to g-10 law.

However, this new method of cooperation seems to be some way to ensure that NSA can not use de-cix data that easily to spy on EADS and Eurocopter, since the selectors are being controlled by BND.


The fact that the Americans wanted "compensation" for this "restriction" shows their arrogance.

It is mentioned by Sueddeutsche that BND gave NSA access to another "fiber of global importance". This is probably de-cix in middle east. Even if this is against the German constitution according to the former judges of Germany's highest court, BND thinks that outside of Germany, data protection laws do not apply because this would be foreign communications.

So for de-cix middle east, BND can be assumed to give NSA raw access...

Grauhut • October 5, 2014 8:32 AM

@Badusb: Most USB based security threats can be mitigated with some whitelisting and loadable filesystem limitations and in the worst DAU/DAA cases with a hot glue gun / a soldering iron. :)

You seldom need to boot from usb devices or have system partitions on them.

I am more afraid of sas/sata controller based "storage side includes" into a booting kernel or modded shadow files... :)

http://spritesmods.com/?art=hddhack&page=1


@Benni: 3TB worldwide \= 3,4TB in Frankfurt

And if you believe in the content of this pdf

https://netzpolitik.org/wp-upload/2014-06-19_RAMPART-A/foreignpartneraccessbudgetfy2013-redacted.pdf

it gives you an incredible amount of freedom... Always look on the bright side! :)

Satyrical • October 5, 2014 10:24 AM

Guys, here is the straight dope.

America has not been the dummy in intelligence as they have appeared. The secret services were not created in WWII. They were created in the 19th century and spawned off from the Secret Service into another secret agency initially designed to combat anarchists in the early 20th century. This service was carefully designed so it had no accountability nor visibility to congress or the people.

The way the service was created was that they could easily go from one agency to another. So they could work in the army, they could work in the navy, they could work in the diplomatic services, they could work in the White House. Disguise and control of papers, as well as black box accounting and control of governmental accounting was the foundation of this service.

This service was deeply involved with the Ukraine rebellion against Moscow in the early twentieth century. They were involved in Franklin Roosevelt's intelligence contacts whom he had before and after OSS and the FBI. They were involved in rigging the WWII FBI front business in New York, and making sure it failed. Donovan worked for this service, and Donovan was not selected by accident. Donovan's law firm was a front company for this service. Something they are very good at.

So, in this way, the service ensured future control of FBI secret intelligence and CIA secret intelligence.

Both groups they understood early on would become important. They understood this because they had penetrated foreign intelligence services and realized all nations would eventually have a local intelligence service (FBI) and a foreign intelligence service (CIA). They also understood this with the evolution of the military intelligence services. They were involved in the code cracking efforts in the twenties and thirties in the Army and Navy.

Flash forward decades to the eighties. They were involved in the secret project arming, funding, and training Afghanis and Afghan-Arabs. One goal was to block the Soviet Union from ocean access. The other goal was to work the Afghan-Arabs and guide them towards what they were already working towards: attacks against the US.

They did not plan 911, but they had been long ensuring Al Qaeda would not be caught. Yet. They only knew Al Qaeda was bound to eventually attack America. They did not put much effort into any of this. They were simply seeing the complacency of the US intelligence and law enforcement services and hitting against that.

The Plan was long ranging, as this service operates.

Problem? The Middle East, crown jewel and fountain of extremist Islam. They knew that until extremist Islam was dealt with that they would have continued problems in the world. Their job is to fix such problems. That simple. Not money. Not even power. Just a rigid, generational view of fixing problems for Democracy, for global Democracy and global Liberty and global Justice.

At its heart, The Plan is very simple. First, the problem is not just Sunni Muslims, but also Shiite Muslims. There is another problem with the two rival powers, Russia and China. Neither have become democratic yet, neither have had open markets, or true human rights.

Russia and China rely on the Shiite Muslims through Iran. So they would guide the US into deeper relations with the Sunni Muslims through Saudi Arabia. These conditions already existed. They did not create them. They did, however, help and continue to help exasperate China, Russia, and Iran. The idea there is to get them ready to go to war, seemingly against the Western powers this service realized they were already hankering to hit out against.

But, none of this is The Plan. Because The Plan is about a means to an end. They merely had to work with, and do work with, existing conditions. The Americans and Westerners have been all too willing to go along with poking at Iran, Russia, and China.

In these efforts they have been working a long time. With China, they had them lambasted by the US for years, then exposed the fact the US had actually been hacking China all along. Their router guy who was the technical mastermind behind that attack they had fake his own death.

This is how they often change legends.

Likewise, they helped ensure intense paranoia against China's hardware, while also helping ensure the Western powers were trojaning their own hardware. And they helped ensure the databases where this knowledge was hidden were widely available and poorly protected knowing sooner or later, China would get that slap in the face.

Russia -- well, another story. Let us not cover all of the history of the world here. But, people can expect something is funky over Ukraine.

None of this is intentionally a diversion, but that is part of the genius of The Plan. If you get nations riled up, they will not think straight and be willing and ready - aching - to rush headlong into more ... crazy plans.

But, what is The Plan here, and how, on earth, could it possibly be good? Very simple. In order for peace to be obtained between Russia, China, the US, the West, Iran, and Saudi Arabia a scapegoat has to be found. A sacrificial lamb has to be sacrificed.

Who is the common enemy of the Sunni, the Shiite, China, Russia? Israel. And what influence must the service (aka, called "the company" because they work out of front companies, the "organization", "the division", "the agency", and so on)... must the service undermine in Western countries? The superstitions of Jews and Christians.

So, by thoroughly exasperating all these conditions, sooner or later they expect Israel to get involved. And it will be drastic enough to justify the West to join together with these supposed enemies and rivals to make an UN effort to go to war with Israel. The core of The Plan against the West is to undermine all Jewish and Christian belief that if this ever happens, there will be failure by the Hand of God coming down and having Israel win. The Plan means that the world, instead, will win thereby patently and loudly proving to all there is no God and there is no Heaven. Thereby changing the global landscape and creating the glorious next thousand years of paradise on earth.

Really, it is so sad to see everyone so deeply underestimating the capacity of humankind including their capacity to work secretly and keep secrets.


This is not satire. :P _>

(Okay, it is. Duh.)

Satyrical, Satirical........

GlistenGlowIsSteelOctober 5, 2014 11:17 AM

@satyrical

What you are saying is not far from true... only many key details are backwards.

We are the ones who work even on Yom Kippur.

Many, who are as one.

Travel. Disguise. Resources. Not hard to create.

In regards to these matters, you can say we work in insurance.

And believe me, we are not Americans.

Not all angels have wings. But all fly.

FigureitoutOctober 5, 2014 12:00 PM

DB RE: CrypTech.is && Novena
--So cool, makes what I'm working on look so lame :(. I'm hoping Novena team doesn't hit any snags for its first release; as I'm sure they know, their manufacturer could f*ck up a batch of boards w/ a variety of problems that are always fun to diagnose; especially when it's not our damn problem, their fault. One thing I (we?) just ran into was a company promising a "lock-in replacement" part that was supposed to be identical, and of course it wasn't, forcing us to spend a full day on a stupid problem running thru code and datasheets looking for the tiny switch in logic needed for the "identical" part b/c of someone else's f*ck up and LIE. Took a few weeks before one in our group even found the issue which was this part causing problems.

But, anyway, sorry lol...about the Novena and that crypto board add-on...they're going to have a hard time securing their tool-chain, but as long as they're up front and honest (and most importantly AWARE of the problem that won't ever go away...); they can keep adding in tests looking for evidence of tampering. For my RNG I'm making, I'll make clear to anyone using that you DON'T SOLELY RELY ON THAT "ENTROPY", you combine and mix-n-mash it w/ others, where that mix-n-mash happens is the critical flaw in my scheme, turning it into digital data too. So I'd like to see a feature to be able to easily add-in outside entropy for their crypto board (yet that adds a very clear side-channel...ugh), also I hope they shield their ring oscillators from the venerable RF injections that's just not cool.

I liked this quote from the project update on V-NAND:

This isn't some lame Intel-style bra-padding exercise. This is full-on process technology bad-assery at its finest. This is Neo decoding the Matrix. This is Mal shooting first. It's a stack of almost 40 individual, active transistors in a single spot. It's a game changer, and it's not vapor ware. Heirloom backers will get a laptop with over 4 trillion of these transistors packed inside, and it will be awesome.

Sorry, I get excited about these kinds of things.

--LOL, frickin' cool...Plus the MyriadRF SDR board they're adding in...sweet jesus! http://myriadrf.org/novena-rf-module-prototypes-in-testing/

OT

Mission Impossible: Hardening Android

Some good posts on hardening your Android phone. Lots of people here are likely already aware and implemented some of these mods, I finally cracked and got a smartphone again *shakes head in disappointment*, so I have some catching up to do. I can finally hear people on the phone again b/c my phone was so sh*tty lol, and no more getting lost b/c I'm so bad w/ directions! Sorry Apple-people, maybe if Apple used some of its $billions to make a tiny open source project for just a tiny subset of phones, they might generate some interest. If anything it's fun and being able to get familiar w/ how the phone works. I haven't tried them yet but will try some shortly as I have a small stack of old androids to mess w/. Something very silly that was on an old Android Ally, was after factory wiping the device, to get back in you simply had to touch all 4 corners to get past the login screen trying to get you to register the phone; was so hilarious. Then there's other reset methods, like holding 'x' on keypad and the volume and power buttons..."U wut m8?!" Anyway, this guide from torproject.org is probably the best:

https://blog.torproject.org/blog/mission-impossible-hardening-android-security-and-privacy

Lots of info to take in and things to try. Also, the Guardian Project is another good resource:

https://guardianproject.info/apps/

xda-developers.com is a site just overflowing w/ ROMs and info; definitely some "leets" cracking phones so quickly and releasing root and also nice features in ROMs.

http://forum.xda-developers.com/showthread.php?t=1954513

DBOctober 5, 2014 2:31 PM

@Figureitout

Replacement parts not really being the same thing is an issue with any hardware design, yep.

The prototype entropy board is using a common through-hole transistor to generate the entropy noise, so that anyone can use a well tested part from any supply chain... At some point they should probably make one where they make it that easy to populate the entire board that way even... We'll see. It at least shows they are thinking about it instead of ignoring it.

Their FPGA design supposedly mixes in other kinds of entropy, and an OS like say Linux can mix in more sources too.
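The mixing of several entropy sources discussed in the two comments above, as an added example that is not part of the thread or of the CrypTech or Novena code: a hash-based pool in standard-library Python where a failed source cannot make the output predictable as long as one other source is good. The class, function names and sample readings are constructed for illustration; the pool is a teaching sketch, not a vetted DRBG.

```python
import hashlib
import hmac
import os


class EntropyPool:
    """Hash-based mixing pool (illustrative construction, not a vetted DRBG)."""

    def __init__(self):
        self._state = bytes(32)
        self._counter = 0

    def add(self, source: str, sample: bytes) -> None:
        """Fold one sample into the pool state.

        Every field is length-prefixed so ("ab", b"c") and ("a", b"bc") can
        never produce the same hash input, and the previous state is hashed
        in so a later sample cannot cancel an earlier one (as plain XOR of
        two correlated sources could).
        """
        name = source.encode()
        h = hashlib.sha256()
        h.update(b"mix")
        h.update(self._state)
        h.update(len(name).to_bytes(4, "big") + name)
        h.update(len(sample).to_bytes(4, "big") + sample)
        self._state = h.digest()

    def extract(self, n: int) -> bytes:
        """Return n output bytes, then ratchet the state forward."""
        out = b""
        while len(out) < n:
            self._counter += 1
            block_label = b"out" + self._counter.to_bytes(8, "big")
            out += hmac.new(self._state, block_label, hashlib.sha256).digest()
        # Ratchet: a later leak of the state does not reveal earlier outputs.
        self._state = hmac.new(self._state, b"ratchet", hashlib.sha256).digest()
        return out[:n]


def seed_from(samples, n=32):
    """Mix (source_name, sample) pairs in order and extract an n-byte seed."""
    pool = EntropyPool()
    for source, sample in samples:
        pool.add(source, sample)
    return pool.extract(n)


# Constructed sample readings, not captured from real hardware.
STUCK_TRANSISTOR = bytes(64)            # noise source that failed: all zeros
OS_SAMPLE_A = b"constructed-os-sample-A"
OS_SAMPLE_B = b"constructed-os-sample-B"

if __name__ == "__main__":
    # Live run: the stuck hardware source contributes nothing, the OS source
    # still makes the seed unpredictable to anyone who cannot see its sample.
    seed = seed_from([("transistor", STUCK_TRANSISTOR), ("os", os.urandom(32))])
    print(seed.hex())
```

Mixing never creates entropy: the same inputs always give the same seed, so the output is only as unpredictable as the best source that was actually fed in.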

uair01October 5, 2014 2:41 PM

Quote:
But according to Georgetown professor of law Adam Levitin, there's really no way of preventing this type of attack from happening again. "JP Morgan spends crazy amounts of money on IT security and yet they can still be hacked," he said. "There’s really no way you can be connected to the Internet and keep things safe."

Link to article

Gerard van VoorenOctober 5, 2014 3:51 PM

@ uair01

"There’s really no way you can be connected to the Internet and keep things safe."

That line should be:

"There’s really no way you can be connected to the WWW and keep things simple."


IMO banking shouldn't use the WWW. A browser is simply too complex because HTTPS/HTML is too open and requires massive amounts of libraries. The OSes of end-users are also way too complicated and bloated. That's fine for ordinary use where you want to listen to music, watch a video and use a word processor, but for banking a big no-no.

Simplicity is key here. Create a simple, secure networking protocol and minimalistic OS and hardware within a 10 dollar device that only uses text. Is that so hard to do? Apparently it is.


PS Make that device completely Open Source and bank independent.

PPS And get rid of credit cards. That platform is broken and the two big companies behind it are politically connected (think the WikiLeaks blockade). I am glad we don't have credit cards here in Europe (yet).

AnuraOctober 5, 2014 4:36 PM

Are there really situations in which more than 16 bytes of storage is too expensive for a key? Consider AES-128; you could completely get rid of the key schedule and just use a 1280-bit key. Yes, at most you will have theoretically 640-bits of security because of meet in the middle attacks, but no matter what it can't be less secure than AES-128, and it will be faster since you don't have to compute the key schedule (okay, you'll want to for decryption).

Granted, I haven't bothered learning how attacks against AES work, so I don't know if a key-schedule change would stop the attacks (which a random key equal to the key-schedule length is theoretically the best a key-schedule can achieve).
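For reference next to the key-schedule idea in the comment above, an added example that is not part of the thread: the AES-128 key expansion from FIPS 197 in standard-library Python, with a check showing that schedule-derived round keys can be run backwards from any one round key to the 16-byte key, while an independently chosen set cannot. The function names and the constructed "independent" key set are assumptions for illustration.

```python
def _build_sbox():
    """Generate the AES S-box: inverse in GF(2^8) followed by the affine map."""
    exp, log = [0] * 255, [0] * 256
    x = 1
    for i in range(255):            # powers of the generator 3
        exp[i] = x
        log[x] = i
        xt = (x << 1) ^ (0x11B if x & 0x80 else 0)
        x ^= xt                     # x * 3 = x ^ (x * 2)
    sbox = [0] * 256
    for a in range(256):
        inv = 0 if a == 0 else exp[(255 - log[a]) % 255]
        s = inv
        for shift in range(1, 5):   # XOR of the four left-rotations
            s ^= ((inv << shift) | (inv >> (8 - shift))) & 0xFF
        sbox[a] = s ^ 0x63
    return sbox


SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _g(word, rcon):
    """RotWord, SubWord, then XOR the round constant into the first byte."""
    rotated = word[1:] + word[:1]
    subbed = bytes(SBOX[v] for v in rotated)
    return bytes([subbed[0] ^ rcon]) + subbed[1:]


def expand_key(key):
    """Return the eleven 16-byte round keys for a 16-byte AES-128 key."""
    if len(key) != 16:
        raise ValueError("AES-128 key must be 16 bytes")
    w = [key[i:i + 4] for i in range(0, 16, 4)]
    for i in range(4, 44):
        temp = w[i - 1]
        if i % 4 == 0:
            temp = _g(temp, RCON[i // 4 - 1])
        w.append(_xor(w[i - 4], temp))
    return [b"".join(w[4 * r:4 * r + 4]) for r in range(11)]


def master_key_from_round_key(round_key, round_index):
    """Run the schedule backwards from one round key to round key 0."""
    w = [round_key[i:i + 4] for i in range(0, 16, 4)]
    for r in range(round_index, 0, -1):
        prev = [None] * 4
        prev[3] = _xor(w[3], w[2])
        prev[2] = _xor(w[2], w[1])
        prev[1] = _xor(w[1], w[0])
        prev[0] = _xor(w[0], _g(prev[3], RCON[r - 1]))
        w = prev
    return b"".join(w)


def is_schedule_derived(round_keys):
    """True if the round keys are exactly what expand_key gives for the first."""
    return len(round_keys) == 11 and expand_key(round_keys[0]) == list(round_keys)


# FIPS 197 Appendix A.1 example key.
FIPS_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
# Constructed stand-in for independently chosen round keys (not random here,
# so the result is reproducible).
INDEPENDENT_KEYS = [bytes(range(16 * r, 16 * r + 16)) for r in range(11)]

if __name__ == "__main__":
    rks = expand_key(FIPS_KEY)
    print(rks[10].hex())
    print(master_key_from_round_key(rks[10], 10).hex())
    print(is_schedule_derived(rks), is_schedule_derived(INDEPENDENT_KEYS))
```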

Nick POctober 5, 2014 11:32 PM

@ uair01

I agree with Gerard that he's wrong. You can do it on Internet, maybe the Web. It just takes a bottom-up approach that bakes security in at every layer. Mainly, prevent code injection, treat internet processes/protocols as untrusted, enforce POLA, and prevent leaking of private keys. Early Orange Book A1 systems did this for firewalls, email, VPN's, relational databases, and so on. There were also systems that used tagged or capability processors to enforce such properties at the instruction level.

It can be done. Now more than ever. The problem is that (a) companies that need it aren't doing it, (b) security industry isn't doing it, and (c) there's hardly a market for it. So, crap that runs on crap continues to be produced while a tiny minority attempt high security designs. Even FOSS doesn't do crap in this area, except a few projects: Genode, EROS, JX, and OC.L4 operating systems. Those are all decent starts at the right thing that are built mainly by volunteers.

@ Gerard van Vooren

It's funny you mention that because I described such a device here and Mark Currie's proposal was a $10 USB stick. ;)

@ Figureitout

Novena is great and the FPGA in it (Spartan-6) is a nice one. Many of the opencores.com projects fit on a Spartan-3 with room left over. A Spartan-6 opens plenty of possibilities for putting extra stuff in. :)

re CrypTech

I advocated such a concept here previously due to my philosophy of "look at how NSA etc protect their most valuable stuff, then imitate that with new implementations." The Crypto Modernization Effort upgraded all their equipment. They noticed there were quite a few algorithms to implement in hardware at enormous cost. So, many defense contractors developing their Type 1 systems made a clever choice for their main products: a RISC processor custom designed to implement crypto algorithms fast with good security and EMSEC properties. Then, they just do strong implementations of the algorithms for that processor. If they need new algorithms or protocols, they can simply issue a firmware or software update for the existing hardware.

General Dynamics' AIM chip is a good example. I recall they built a CRYPTOL language backend for the system. That means they specify the algorithm, verify it mathematically, and then do a verified generation of code for the hardware. The hardware itself was verified with different, but rigorous, processes during the Type 1 certification process. Good news is I've already posted academic processors that do the same thing (minus EMSEC or side channel stuff). CRYPTOL is open source now. If people build a retargetable crypto processor, they can port CRYPTOL to it and have same high assurance capability as NSA minus any "improvements" they might slide in. ;)

Note: I'm glad I dug out a link for you because I just noticed two more important design elements. First, it advises fast context switching time. That means they're using microkernels and secure decomposition. Always a good choice. More important, it has a "Type 1 randomizer." Remember how I said they pushed IPSEC on the public as secure, then a modified IPSEC (HAIPE) for internal use? Modified to remove problems? I think it's interesting that Type 1 demands a specific "randomizer" (RNG?). Given previous RNG subversions & issues I think this is a good reminder to build a *very strong* TRNG into the design.

So, the concept is good. The execution... who knows. A dedicated chip that gets the job done will be nice. The problem is you will have to trust no NSA subversion for either your FPGA company's tools (risky) or a small group (easily targeted) + chip suppliers (who knows...) for your ASIC. I'm *very* curious to see, assuming their product is popular, if they survive whatever BULLRUN program has in store for them. And it will almost certainly be vulnerable to targeted, yet not physical, attacks using emanations or side channels.

re Hardening Android

Hardening, yes. Securing... lol. My only aim with Android is containing damage of & recovering from vanilla malware while putting up obstacles for the rest & customizing my experience. The ROMS are a great opportunity for customization, but not necessarily security. There could be more work in that area, especially building off something like OC.L4 + L4Linux. Privacy apps would execute right on the kernel. I know OKL4 got ported to OpenMoko & there's been quite a few commercial designs. So, it's doable if some people decide to do it. So long as there's vanilla firmware and a monolithic Linux TCB the Android phones will be highly vulnerable.

FigureitoutOctober 5, 2014 11:45 PM

Grauhut
--Really the problem isn't USB per se, it's the microcontroller enabling comms that probably (well it does w/ their PoC) has free memory and being reflashed. I don't agree w/ reprogrammable tiny chips, especially for security. Note that their most assured solution involved a fuse line that burns up after one flash. No more code injections then, only in memory other programs can check. Also, just gluing up the USB ports doesn't address other peripherals using USB too...this is really bad...

DB RE: using basic components that builder sources themselves
--This is smart b/c one won't really trust unless you build yourself, as much as you can at least.

Gerard van Vooren
--Yeah it's hard otherwise a lot of people would be doing it. Who are you going to talk to w/ your custom protocol and homebrewed keyboard, screen, etc...that one paranoid guy on schneier.com? Lol...not to mention just how much must happen to get a pixel on a screen. I agree w/ your premise though, hence you'll like my PC :)

FigureitoutOctober 6, 2014 1:24 AM

Nick P
putting extra stuff in. :)
--You know that's not a very good place to put a smiley? :p

look at how NSA etc protect their most valuable stuff, then imitate that with new implementations
--I don't really want to imitate them, you know some spooks are so caught up in the black hole of espionage that they show you what they want you to see; it's best to not look. They can't be trusted, anything, for a long time. "Verified" or "Used" by NSA means not much, just means it has a backdoor; worthless. They're attacking their own citizens for god's sake...then the head just sells out the country, probably selling some taxpayer researched solution...screw all that. I don't want any connection to it, even if it makes me less secure.

RE: Gen Dynamics AIM
--First off, that dude sitting at the PC is just too much lol..Frickin' look normal! Anyway, seriously I don't want a defense contractor chip either, those guys are in bed w/ all the MIC, one big orgy. *Most* engineers I'd probably be cool w/, but the direction of the companies and what they ultimately contribute to is just too wrong.

Also, what the hell is CIK, Fill device, read the wiki page, still don't get it. According to block diagram, what's protocol for comms? DS-101 and DS-102? What the hell is that? How's the comms actually happen in the chip? I don't care enough to search it more right now; probably a simple mod to a normal protocol.

Don't read me as not appreciating a link from your link farm (lol), rather see your solution or what "problems" you're having.

RE: CRYPTOL
--I don't want to learn Cryptol right now, got too many languages already! Annoying syntaxes, why?! I can't do that big, I'm doing small first. Sure, it'll be nice to see, but still won't trust due to too much to verify myself...

RE: weakened standards for the citizens
--Yeah, I remember that HAIPE crap, this is why I don't want to imitate anything from them. Don't even want to see it; too much twisted psychos playing worthless games, I'm done w/ that. Clouds the mind, security can be found w/ science and laws of physics. Only concerned w/ themselves, not helping others be secure, like being open and teaching others in ways that are actually helpful, or just flat out doing work for those that would otherwise get f*cked...

RE: Novena being targeted
--Yeah, I'm curious also if it's already or will be targeted. If bunnie or xobs notice some peculiarities. He (bunnie at least) is on the "right" side; means targeted. How worthless is that? These guys aren't doing anything terrorist in nature, frickin' making a computer! God, f*ck these people; probably use *legally* gained (not technically) exploits; so basically lawyers using hacks, they'll get their asses served eventually; actually probably already happened. :p

RE: Mission Impossible (Android security)
--Oh I lol too, it's just fun that's all. As much as I hate smartphones (at least when they auto-update and being little data-whores), the things are cool. I can do a lot w/ older ones too compared to older phones which I have to research the OS more and basically limited w/ processing and wifi.

"There could be more work.."--understatement of the day there. SHOULD be more work, how many of these things litter the earth now? Phone security is so embarrassing today, so pathetic. If you haven't shielded and removed as many wifi/bluetooth crap in your "secure PC" then just one coming in your room and you could get a crazy infection, just crazy networks all these phones could make. Truly untraceable paths, malware going in these crazy paths that originated on the other side of the world and came by Bluetooth or close range wifi. This isn't paranoia anymore, it's reality. Stay ignorant to it at your own peril.

Clive RobinsonOctober 6, 2014 4:29 AM

@ Figureitout,

Also, what the hell is CIK, Fill device, read the wiki page, still don't get it.

First remember I'm from over the puddle so the nitty gritty details of what we call a "fill gun" are different to the NSA "Crypto Ignition Key" (CIK) or "fill device" in a number of details.

Most command structures like the armed forces have a central facility for generating, issuing, auditing and destruction of crypto Key Material or KeyMat (as well as monitoring for "sillies"). The NSA does this for certain US Gov entities, but by no means all.

Put very simply the CIK is how the KeyMat is transported and made available to some --often personal-- crypto interface devices. The reason it's called an "ignition key" is from the idea of a car key, that is the interface device won't take you any where if the key is not in the slot. The original idea was that the KeyMat stays in the CIK and never enters the interface device, thus the security of the KeyMat rested on the CIK not the interface device. You can get "smart card" solutions these days that will work like crypto processors for interface devices like mobile phones, and are in effect a CIK.

A fill device / gun is similar in that it contains KeyMat but the crypto devices they are used with are usually part of a country to country Comms Net or link and have associated destruction kits unlike the personal crypto interface devices. These CommsNet devices are usually found in embassies, ships and Command HQs not out in Grunt-Land and have the likes of yeomen with special training to load KeyMat and do the destruction. Thus the devices actually retain a copy of the key internally and thus will continue to work without the fill device being present. Which is the reason for the destruction kit, however most agencies don't want the kits around as they represent a significant hazard, so more modern systems use a key storage system that can reliably --it's assumed-- destroy the internally stored KeyMat at the press of a button / flick of a switch, prior to any further destruction for the very few field use devices.

At the lowest and easiest to destroy level KeyMat for NATO standard CommsNet equipment used to be held on chemically impregnated punched paper tape --not to be confused with oil impregnated tape-- and in the UK coloured blue. If you look up the UK designated BID710 you will see a big silver lump on the front which is an optical tape reader, as well as a fill gun connector.

I hope that helped.

T!MOctober 6, 2014 10:18 AM

I have two questions about the bashbug/shellshock problem and hope you can give me the answers.

Is it possible that an attacker could create a website with javascript, that changes the user-agent for the connection between the user's browser and the proxy-server of the company so that the proxy initiates a reverse-shell to the attacker outside the company?

How would you rate this risk comparing this with directly attacking a webserver of that company?

WhiteRabbitOctober 6, 2014 11:05 AM

http://www.dailydot.com/politics/fbi-hammond-sabu-hack-country-list/

I noticed this story long before it was exposed, and was aching for why no journalist had yet exposed these connections. What I noticed was that these Anonymous hackers hacked both Stratfor & HB Gary while under the FBI direction.

It was very clear that the Fed Branch of HB Gary was baiting Anonymous at the time.

I initially thought this was disinformation. That this simply was a disinformation counterintelligence campaign against foreign powers, where some real information was mixed with false information.

However, these stories that did finally come out such as the above story revealed that, in fact, the operation was aimed at either corrupt portions of the US Government which have been involved in extremely rogue behavior... or that they wanted to get the FBI interested in who was showing some unusual control over their public relations.

In other words, the honeypot project was never aimed at Russia or China, but at certain elements in the US Government.

It really depends on what is going on there:

1. IF they are consistently engaging criminal hackers to hack foreign nations for them (including the "sacrosanct" Brits and other "Five Eyes"), then they were walked into a trap, a sting, where these operations were exposed. They would likely be pretty upset about this, which is especially true with rogue elements of government that must justify their behavior by their own selves.

Which leads to obvious conclusions as to the nature of this operation.

2. IF they are actually innocent, this might actually cause some smart detective out there to start looking at who all was really involved. And maybe notice something like, "Hey, you know, that guy really was clearly baiting anonymously, and maybe it wasn't an accident".

This, however, gets on the level of conspiracy theory. Without evidence, no funding. So, at best, people can get wound up and frustrated.

They might wonder, "did we get played". The bigger question here is "why". Nobody gets played on this level without an ultimate objective in mind.


One potential problem in all of this, whatever the case, it says to all the nations: there are no rules. There are no treaties. It is open season for everyone.

That, itself, might be the objective, to create the conditions of a greatly ramped up international cyber espionage war, where even "five eyes" are starting to attack each other.

It would also force more nations to rely on plausibly deniable "black hat" hackers for their pool of resources.

Why? Distraction. The more they are distracted, the more real work can get done.


EROctober 6, 2014 1:26 PM

About 911...

Most people who check a book such as "Towers of Deception: The Media Cover-up of 9/11" (by Barry Zwicker) or a video such as "Loose Change 2nd Edition" would agree that questions raised by the facts discussed in these are not frivolous.

How would something like that be possible? Well, most Americans tend to trust what their government tells them through mass media. This is partially because Americans are conditioned to be more patriotic than people of other nations from a very young age. Just check how often you see the US flag being flown at corporate parking lots in USA, and compare that to how often people in other countries fly their country's flag. Nationalism in America is nearly like a religion.

Another factor is that the US system generally does not tolerate disobedience against authority very well. Here authority is not just the representatives of the government or the law enforcement, but also your own bosses at work (if you have any). Just check the experiences of many whistleblowers. Most people in America are in a situation where they need and want to keep their jobs and do what they are told, no questions asked.

So against this backdrop, a government that is sufficiently underhanded could well pull off a false-flag attack and afterwards claim something else.

It should not surprise people that a member of the Bush family was in power during 9/11. The elder Bush had tendencies to similar abuses of power under the disguise of "democracy" and "human rights", such as the invasion of Panama. See the documentary "The Panama Deception" about that "just cause".

And long before the Panama invasion we had another interesting incident that was likewise swept under a carpet: the assassination of JFK. This incident also had connections to the Bush family and a certain government hitman by the name of Hunt. You can check more about this at http://www.thedarklegacy.com/.

Gerard van VoorenOctober 6, 2014 1:31 PM

@ Nick P

I went through that thread (which was rather large).

The funny thing is that "we", the technical people, can think of lots of solutions, but the bigger view we usually ignore/don't see. That bigger view is that it is not hard at all to generate such a device. There is only a motivation required. Steve K probably got it right.

GrauhutOctober 6, 2014 1:42 PM

@Figureitout: "I don't agree w/ reprogrammable tiny chips, especially for security."

Agreed, but you know the price, no more firmware upgrades on offloading nics, broadband controllers in mobile devices, scsi controllers, ssds...

Impossible in a digital economy that delivers new green bananas to customers daily and willingly. Take the manufacturers alpha fw, hack in your signature, f... off, we were faster...

That's the way it is. That's why we sometimes need glue guns. There is always some would like to become an admin who thinks it's a good idea to upgrade a signature server from his private years old usb stick that stuck in every imaginable digital hole possible! First thing these kids do with a good pwd is removing locks from their admin console... :)

WhiteRabbitOctober 6, 2014 2:12 PM

On the above post:

http://www.dailydot.com/politics/fbi-hammond-sabu-hack-country-list/

Correction: HBGary hack happened well before (seven months or so) Sabu became controlled by the FBI.


Now, were the target lists given to Sabu for hacking by the FBI?

Monsegur provides more international targets and says he is 'looking for embassies and consulates'. Hammond provides access to two of them. (BS 105029 - 105030)

The FBI & CIA have been hacking embassies and consulates for many years. This is a primary intelligence target because those nations tend to keep their regional head of intelligence there, and they tend to have the largest body of their undercover agents there.

While this may or may not be very compelling to most laypeople, for intelligence folks, this is all 'proof positive' the FBI was controlling Sabu in the list of targets he was hitting.

Monsegur provides a long list of targets from many different international countries including United Kingdom, Australia, Papua New Guinea, Republic of Maldives, Philippines, Laos, Libya, Turkey, Sudan, India, Malaysia, South Africa, Yemen, Iraq, Saudi Arabia, Trinidad and Tobago, Lebanon, Kuwait, Albania, Bosnia and Herzegovina, and Argentina (BS 105061-105063)

It is very interesting that the US is relying on plausibly deniable black hat hackers to hack their "friends", in the "five eyes" with whom they have "no spying" treaties.


It might be noted, however, both Stratfor and Mantech (FBI contracting firm), as well as some other firms very likely set up conditions for them to hack these companies. Though Stratfor reported over 3 million dollars in damage because of the hack.

It is inconceivable that the US would have had them hack US government websites unless they specifically gave them throw away information and some manner of a honeypot environment. So, it very well may be the "five eye" targets also were working on that aspect of the program.


How many other hackers out there are doing this same thing, distanced away from the FBI or other US agencies by a few steps? This behavior is believed to be the norm from Russia and China, though this has yet to be proven or exposed in either country's case.

In the Sabu case, Sabu and his Anonymous compatriots were as big news as possible. They had to pursue this case. So, they had to release these details eventually. They did try, and fail, to redact the details of the countries, and they have refused comments on most aspects of this case.

The details of the countries hacked, why were these details redacted if there was nothing to hide?

Partly, one can see somewhere in that list some intelligence targets for the FBI, at least. That sort of information, is, of course, highly confidential.

Also, one can note that this tells these countries the US is engaging in a very covert intelligence campaign against them.


There remains deniability here, so I doubt this story yet will get much traction in the media. There is not deniability to any of the intelligence services of the countries they hacked, of course. They are not complete idiots.

And, really, that is what matters. Telling those guys they are being attacked by the US gives them strong reason to try and hack the US back.

ThothOctober 6, 2014 10:13 PM

@next big fun, tim
I raised an alarm a while ago here (https://www.schneier.com/blog/archives/2014/09/friday_squid_bl_442.html#c6679122). Guess it's not big of a surprise as everyone's still happily using Cloudflare. I never trusted Cloudflare and the likes at all as I was suspecting something like that long time ago but it seems their release of Keyless SSL proved it.

We have come to an era where Security are attempting to break Security by adding more Security which is not Security :) .

@Figureitout
Putting CIKs in an easy term. If you have a key sitting inside a machine, what are you going to use to encrypt it ? Another key (in the form of a password, key wrapping key and so on). The idea is a KEK but it simply uses some cool looking name like Cryptographic Ignition Key thingy. A fill gun is simply like holding a hard disk or flash drive that has been hardened and secured to transfer your keys with a kill switch on it in case it falls into the wrong hands while transiting to transfer keys.

It is good to learn and read up widely especially on Govt security in military as they require the highest assurance in warfare. You do not need to emulate everything they do but there are always good concepts to borrow.

@all
The necessity of not just crypto with huge keys super algos but also the importance of secure processes and devices are critical as a means to stay as much TLA resistant or at least to keep your privacy and security within your controls as much as possible.

In regards to eBanking or banking, it's busted. I have done some and I can tell you they are just bad at it...

In regards to CAs, it's busted. I have done some and as well can tell you it's as bad as ever...

So when the Banks and CAs get busted by someone, they simply cry foul and use excess force to wipe someone out instead of fixing things and getting it right and working.

The magic silver bullet they thought would save them is crypto and usually the thing that kills them is NOT CRYPTO... how ironic. It's their processes that's gone wrong. It is their understanding that has gone wrong.

There is nothing much I can do for now other than giving advice down here and posting some samples of newbie security setups just like Clive Robinson and Nick P hoping someone reviews, comments and uses it and not make the same pitfalls.

USBCondom is a nifty stuff (https://www.crowdsupply.com/xipiter/usbcondom). You remove the data wires and leave the power in place so you can charge your device. The only thing it does not protect is power measurement side channel attacks if any. They could store the power in a battery on board and then transfer the power to the charging phone. This way it adds a secondary layer and makes it harder to do power based sidechannels.

FigureitoutOctober 7, 2014 1:04 AM

Clive Robinson && Thoth
I hope that helped.--CR
--Yeah, somewhat. Ok, mildly interesting devices. cryptomuseum.com has some good resources on them (and the DS101/102 protocols, which seem to be based on RS-232 (surprise surprise...)). Was wanting to make something similar (and got new ideas w/ the "E-cigs" burning a tiny piece of thin paper in a nifty case, has to be contained in a screen to allow air flow, just a little, and drop in an ash tray). This page has some good pictures of the devices (US ones): http://www.cryptomuseum.com/crypto/fill.htm#protocols

This page describes the 2 main protocols as well as pin outs, DS-102 is barebones simple, nice. Even look like ham radio connectors. http://cryptomuseum.com/crypto/usa/u229/index.htm

Liked this pic of the KYK-13, tight lines, good manufacturing: http://www.cryptomuseum.com/crypto/usa/kyk13/img/301558/023/full.jpg and this one for CYZ-10 battery pack w/ diode and fuse: http://www.cryptomuseum.com/crypto/usa/cyz10/img/301559/029/full.jpg

Sounds like a lot of damn keys, getting somewhat silly, TEK, FK, CIK...what about a KEKEKEKEKEKEKEKEKEK.....? Eventually you're just doing busy work loading and removing keys...

Thoth
There is nothing much I can do for now other than giving advice down here and posting some samples of newbie security setups
--Horsesh*t. Stop limiting yourself. There's so much more to do it's overwhelming.

Grauhut
--True, damn costs...One thing that is retarded though is router firmware updates via ethernet; I'd rather download the binary to even a corrupted USB then move a jumper to reprogram, than just flash...from the internet...that just strikes me as incredibly naive and not thinking. Even cooler, some of what I do (for a little $$) is you have to push a button the whole time during flash or no-go. So it's physical attack or no update.

GrauhutOctober 7, 2014 2:26 AM

@Figureitout: Good ol dip switch, 0 normal operation, 1 flashing, never both at a time.

That would work, but it's not "geeky" and all the half nerds out there would flood the manufacturers with hate mails! If it's not realtime internet upgradable it's not cool, you know? :)

ThothOctober 7, 2014 3:39 AM

@Figureitout
Key management has always been the toughest part of crypto; that's why so much money and effort in corporate, research and mil-industry has been spent trying to figure out a way to do key security. Something they figured out is multiple hierarchical key encrypting keys, and it has been used frequently in many crypto products in the mil-industry, govt and corporate sectors to do key management.

Yes, half the time it's about moving keys because the crypto part is quite straightforward (key and data in, ciphertext out) but the key security part has always been a headache.
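The hierarchy of key encrypting keys described in the comment above can be sketched as follows. This is an added example, not code from any commenter or product: the three levels (master key, per-unit KEK, TEK), the labels and the unit names are assumptions, and the wrap function is an HMAC-SHA256 keystream with encrypt-then-MAC standing in for a real key-wrap algorithm so that it runs on the Python standard library alone.

```python
import hashlib
import hmac
import secrets


def _prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def _keystream(key, nonce, n):
    # HMAC in counter mode; a stand-in for a block-cipher key wrap.
    out, ctr = b"", 0
    while len(out) < n:
        out += _prf(key, b"ks" + nonce + ctr.to_bytes(4, "big"))
        ctr += 1
    return out[:n]


def wrap(kek, label, key):
    """Encrypt `key` under `kek`; `label` binds the blob to its purpose."""
    enc, mac = _prf(kek, b"wrap-enc"), _prf(kek, b"wrap-mac")
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(key, _keystream(enc, nonce, len(key))))
    return nonce + ct + _prf(mac, label + b"\x00" + nonce + ct)


def unwrap(kek, label, blob):
    """Return the wrapped key, or raise ValueError on wrong KEK/label/tamper."""
    enc, mac = _prf(kek, b"wrap-enc"), _prf(kek, b"wrap-mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(mac, label + b"\x00" + nonce + ct)):
        raise ValueError("wrapped key failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc, nonce, len(ct))))


def tek_label(unit, name):
    return b"tek:" + unit + b":" + name


class KeyHierarchy:
    """Master key -> per-unit KEK -> traffic keys (TEKs). Names are assumed."""

    def __init__(self):
        self.master = secrets.token_bytes(32)  # stays on the trusted machine
        self.wrapped_keks = {}                 # unit -> KEK under master
        self.wrapped_teks = {}                 # (unit, name) -> TEK under KEK

    def _kek(self, unit):
        return unwrap(self.master, b"kek:" + unit, self.wrapped_keks[unit])

    def add_unit(self, unit):
        kek = secrets.token_bytes(32)
        self.wrapped_keks[unit] = wrap(self.master, b"kek:" + unit, kek)
        return kek  # loaded into the unit once, over a trusted path

    def issue_tek(self, unit, name):
        blob = wrap(self._kek(unit), tek_label(unit, name),
                    secrets.token_bytes(32))
        self.wrapped_teks[(unit, name)] = blob
        return blob  # ciphertext only, so it can travel an untrusted channel

    def rotate_kek(self, unit):
        # Rotating a KEK re-wraps the keys below it; the TEKs themselves,
        # and all traffic encrypted under them, stay as they are.
        old, new = self._kek(unit), secrets.token_bytes(32)
        for (u, name), blob in list(self.wrapped_teks.items()):
            if u == unit:
                label = tek_label(u, name)
                self.wrapped_teks[(u, name)] = wrap(new, label,
                                                    unwrap(old, label, blob))
        self.wrapped_keks[unit] = wrap(self.master, b"kek:" + unit, new)
        return new


if __name__ == "__main__":
    h = KeyHierarchy()
    kek = h.add_unit(b"radio-a")               # constructed unit name
    blob = h.issue_tek(b"radio-a", b"net1")
    print(len(blob), "byte wrapped TEK;",
          len(unwrap(kek, tek_label(b"radio-a", b"net1"), blob)), "byte TEK")
```

The label in the MAC is what stops a wrapped key issued for one unit or net from being replayed as another, which is most of the "moving keys" problem in miniature.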

ConleyOctober 7, 2014 8:52 AM

Professor Lars Ramkilde Knudsen from DTU Compute has invented a new way to encrypt telephone conversations that makes it very difficult to eavesdrop.

Dynamic encryption keeps secrets
http://phys.org/news/2014-10-dynamic-encryption-secrets.html

Prof. Knudsen's explanation about his technology:

"Today, all telephone conversations are encrypted—i.e. converted into gibberish—but they are not encrypted all the way from phone to phone, and if a third party has access to one of the telephone masts through which the call passes, they can listen in," explains Lars Ramkilde Knudsen.
"And even if the conversation is encrypted—in principle—it is still possible to decrypt it provided you have sufficient computer power," he says. This is in no small part due to the fact that the vast majority of telecommunications operators use the same encryption algorithm—the so-called AES, the outcome of a competition launched by the US government in 1997.
"This is where my invention comes in," he says. It expands the AES algorithm with several layers which are never the same.
"When my phone calls you up, it selects a system on which to encrypt the conversation. Technically speaking, it adds more components to the known algorithm. The next time I call you, it chooses a different system and some new components. The clever thing about it is that your phone can decrypt the information without knowing which system you have chosen. It is as if the person you are communicating with is continually changing language and yet you still understand," he says.


Clive RobinsonOctober 7, 2014 11:38 AM

@ Conley,

From what you give of Professor Lars Ramkilde Knudsen's explanation of his "invention" it sounds like the systems that Nick P, myself and various others have given on this blog in the past for those who don't trust "AES" and their own crypto, but still want to "roll their own" to avoid certain weaknesses.

I've recommended in the past using orthogonal ciphers in series, using one cipher as a "key expander" to replace that on another cipher, or for whitening either the plain text, the cipher text or the round sub keys. I've also recommended making these dynamic in nature such that the likes of similar plain text --think images or program source files-- don't get encrypted under the same key.

Nick P has also suggested other techniques which no doubt he can repeat or give links to.

I'm sure that some others will also highlight what they have said.

Later today I'll have a read of the prof's stuff for something new, but I'm not hopeful as quite a few of the minds who contribute to this blog one way or another are quite bright ;-)

SmOctober 7, 2014 2:21 PM

@Grauhut

@SmokingHot - "By implicating them in crimes, from which they profit, secrecy can be secured without threats"

Same situation with US congressmen and senators.

They tell the DoC what kind of intelligence the companies in their election areas need, DoC OES preps the intelligence for them, they pass it to the companies.

If they want to get reelected they have to produce jobs for the small people at any price, so they are willing to vote for the INTEL communities budgets.

Dirty hands everywhere...

I take it you mean by "DoC", the "Department of Commerce"?

I do not know, so I can not comment on that.

What I can comment on is that domestic intelligence agencies have secretly surveilled, and very likely do secretly surveil American political leaders. We know this because some whistleblowers have told us they do this.

We also know that this is what Hoover did. And by this way, despite the many enemies Hoover had - 'everyone in Washington was scared of him' - he was able to stay in power all of those years.

One can surmise that somewhere deep down there, that situation is continuing.


An elected politician is a very vulnerable individual to secret surveillance.


I can also note that the FBI investigation which led to the dismissal of the CIA head not long ago should have been full of earmarks of "parallel reconstruction". He got in the way of someone, they knew what was going on, so they got the investigation going. And he got publicly humiliated and had to step down.


So this can work even with non-elected officials.


Where this sort of system implicates its victims in leadership positions is that they know about it and say and do nothing.

Besides where they may directly profit from it.

Nick POctober 7, 2014 2:25 PM

@ Conley

Thanks for the link. Yeah, that's a highly watered down version of the polymorphic cryptosystems I've posted here for years. Of course, it does improve security if done right so I'm glad to see the idea in a product. I'd hate to see a patent, though.

@ Figureitout

Funny that you wouldn't trust using NSA's best approaches because it's from NSA, yet most standard INFOSEC practices originated in US military-funded research. Do you not use firewalls, supply chain checks, code reviews, crypto, etc either? :P

The reason to study their Type 1 systems is that they're designed to stop TLA's. NSA has stringent requirements to prevent most attacks from EMSEC to hardware to software. The resulting products are not available to most Americans mainly because it would hamper NSA's efforts to spy on us. Fortunately, many design elements are public and can be copied/improved by new implementations not sourced from NSA. Copying their approaches would've prevented dozens of vulnerabilities that we saw exploited in mainstream encryption. That argues my point quite well.

Far as key fill & centralized key mgmt, it doesn't have to be as hard as they make it. You can have a highly protected machine that generates the keys, encrypts them as a file with PGP, and sends them to the client machines. This can be done during installation, patching, or other updates. A regular maintenance activity the user has little involvement with that's managed by simple, carefully written software. This is true for RNG's as well: use a good CRNG on clients and have trusted machine seed them same way as it moves keys. Can also further expand where the clients have a trusted boot mechanism that only boots media signed by trusted machine so that a stronger, simple recovery process is available when clients are hacked.

Many possibilities. Copying their strong design principles & risk avoidance techniques are the main things I advocate. For instance, looking at how they did their Inline Media Encryptor greatly simplified my own solution to that problem as theirs was excellent. As Clive pointed out, things like smart cards or even embedded USB devices can substitute for their non-standard functionality. It can be as simple or complex, manual or automated as one likes. The principles, though, must be copied for success as the alternatives have never proven successful.

SmokingHotOctober 7, 2014 2:58 PM

On the "SM" post above, that is mine, posted before noticing I did not complete my nick.

AnuraOctober 7, 2014 4:31 PM

Special note to law-enforcement agents: The word "state" is a technical term in cryptography. Typical hash-based signature schemes need to record information, called "state", after every signature. Google's Adam Langley refers to this as a "huge foot-cannon" from a security perspective. By saying "eliminate the state" we are advocating a security improvement, namely adopting signature schemes that do not need to record information after every signature. We are not talking about eliminating other types of states. We love most states, especially yours! Also, "hash" is another technical term and has nothing to do with cannabis.
I laughed.

sena kavoteOctober 7, 2014 11:24 PM

Randomizing system call codes

It seems to me, that for someone who knows deeply an operating system like Linux or FreeBSD, it would be a week long project to make a program that searches the kernel binary for every pattern that indicates handling of a system call and changes the codes to something random in a way that every system call is still unique. Then another program searches every userland executable binary for patterns that indicate use of a system call and then changes every code so that they match the new randomized values in the kernel.

After giving an OS installation that kind of treatment from a live DVD, the OS still works exactly as before, but malware does not know what to do.

After that, install and upgrade scripts will have to give the same treatment to every new binary, with the secret randomizing seed.

Randomize all the things!

OS specific executable binary formats must have other arbitrary things too, that have no optimal values / choices but only something that was chosen randomly 20 or 40 years ago when something in that OS was being formed for the first time.

This could be easy for Windows and macOS too.

But more possibilities likely are open with open source software if the user is ready to compile from source.
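The rewriting step proposed in the comment above, as an added example that is not from the commenter or any project. It assumes one call-site encoding only (x86-64 `mov eax, imm32; syscall`), uses a small subset of the real Linux x86-64 syscall numbers, and runs over constructed byte strings with a toy dispatcher in place of a kernel.

```python
import hashlib
import hmac
import struct

# Real Linux x86-64 syscall numbers; the subset is chosen for the example.
STOCK = {0: "read", 1: "write", 2: "open", 59: "execve", 60: "exit"}
SYSCALL = b"\x0f\x05"  # the x86-64 `syscall` instruction


def randomized_numbers(seed, stock=STOCK, space=1 << 20):
    """Map every stock number to a unique seed-derived number.

    The new numbers live in a sparse space and never equal a stock number,
    so code built against the stock table fails instead of hitting some
    other valid call.
    """
    mapping, used = {}, set()
    for nr in sorted(stock):
        ctr = 0
        while True:
            digest = hmac.new(seed, struct.pack("<II", nr, ctr),
                              hashlib.sha256).digest()
            cand = int.from_bytes(digest[:4], "little") % space
            if cand not in used and cand not in stock:
                break
            ctr += 1
        used.add(cand)
        mapping[nr] = cand
    return mapping


def call_sites(code):
    """Yield (offset, number) for each `mov eax, imm32; syscall` pattern."""
    i = 0
    while i + 7 <= len(code):
        if code[i] == 0xB8 and bytes(code[i + 5:i + 7]) == SYSCALL:
            yield i, struct.unpack_from("<I", code, i + 1)[0]
            i += 7
        else:
            i += 1


def rewrite(code, mapping):
    """Patch recognised call sites; return (new_code, unresolved_count).

    unresolved_count is the number of `syscall` byte pairs the pattern
    could not account for. It can over-count (0f 05 inside data), which
    is the safe direction for an install-time check.
    """
    out, patched = bytearray(code), 0
    for off, nr in call_sites(code):
        if nr in mapping:
            struct.pack_into("<I", out, off + 1, mapping[nr])
            patched += 1
    return bytes(out), code.count(SYSCALL) - patched


def kernel_dispatch(code, mapping, stock=STOCK):
    """Toy kernel: name the handler each recognised call site would reach."""
    table = {new: stock[old] for old, new in mapping.items()}
    return [table.get(nr, "ENOSYS") for _, nr in call_sites(code)]


# Constructed inputs.
TRUSTED = bytes.fromhex("b801000000" "0f05" "b83c000000" "0f05")  # write, exit
FOREIGN = bytes.fromhex("b83b000000" "0f05")     # execve, stock numbering
ODD = bytes.fromhex("31c0" "b001" "0f05")        # xor eax,eax; mov al,1; syscall

if __name__ == "__main__":
    m = randomized_numbers(b"constructed-seed")
    patched, unresolved = rewrite(TRUSTED, m)
    print("trusted after rewrite:", kernel_dispatch(patched, m), unresolved)
    print("foreign code:", kernel_dispatch(FOREIGN, m))
    print("odd encoding unresolved sites:", rewrite(ODD, m)[1])
```

The `ODD` case is the practical obstacle: any binary that loads the call number some other way is left unpatched and stops working, so an install script would have to refuse binaries with a non-zero unresolved count.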

AlexOctober 7, 2014 11:28 PM

@sowhatdidyouexpect

What do you think is the use of gigabytes of hard disk for a simple file reader? Acrobat Reader is the kind of application that should be uninstalled instantly and killed with fire; nobody should install that thing, there are many lighter alternatives.

sena kavoteOctober 8, 2014 12:13 AM

Ukraine

Germany and France may send military force to guard Ukraine against Russian invasion and conquest:

http://www.bloomberg.com/news/2014-10-06/germany-france-may-send-drones-to-ukraine-to-monitor-truce.html

If those drones transmit pictures or video while in air, is that transmission encrypted?

If they just store on SD card or something, for use after landing, is that data encrypted and if so, is the key guaranteed to disappear from RAM after crash or is a public key used?

This may relate to some word play trickery, because if those drones only happen to "so neutrally" observe only the rebels, the transmissions may be intended to be intercepted by Ukraine. Then Germany and France can say "oops, did they intercept all that drone footage, who could have known, I'm shocked"...

That said, it is good if Ukraine gets that reconnaissance help. I would prefer that it could be given openly.

FigureitoutOctober 8, 2014 12:58 AM

Grauhut
--Good ole dip switch indeed...But still looks like a chip. Why not TWO dip switches lol. Like encrypting encryption keys, have a DIPDIPDIPDIPDIP...switch lol. Where do we stop? Also still looks like a chip, are the switches truly behaving or are they being naughty..? Now how many buttons are made that simply short or open depending on what it's connected to. Why would someone put an additional chip in them? Jumpers are even better, simply cutting the connection visible to the human eye; you'd need some serious RF exploits to bridge those gaps, or thru internet/physical means...meh...this sucks to think about.

On the "geeky" sh*t of updating firmware via the internet, tell me how it's cool to completely own you from the internet and brick your device? Please send me your hate mails all you naive fanboys; that is not cool owning you from an internet firmware update. That is not "hip", not cool! They'd have to work at least making a virus that infects USB memory, then auto-runs when I plug-in to my flashing PC; but also better fit in the .bin file. I've seen enough file size mismatches to know it's already happening...Those warnings can even be falsified so it's just...this is why I'm going Z80 ASM and other isolated embedded devices.

Thoth
--At a certain point, you just have to accept that data has to flow. An example I like to bring up is, for the "physical people" out there, at any point anyone can just stab you walking by or step on the gas and ram your car on the way to work, but they don't generally, b/c that would be a major douche move...They would be affected too, but in the digital world, eventually they would be affected unless they just purely live to attack and live on rice/beans and just have a heart of evil. At a certain point data has to flow, and people can just let it be, or corrupt/mess w/ it and be a douche not actually doing productive science.

Nick P
--I actually don't use a lot of those things at the moment for "various reasons". How am I as an individual supposed to do "supply chain checks"? Main thing is formulate tests using other 'assumed' hardware, then call-out manufacturers when sh*t isn't performing how it should. Damn it's irritating when a solder-job is wrong or frickin' components are backwards...F*cking idiots.

People have a choice to use what I make, but I won't be looking toward the NSA, probably come to some similar conclusions, but they can choose to use their tech or other attempts at open ones.

I'll make my builds open, but like any embedded solution, the builder can add some obfuscations that will make reverse-engineering a major pain; which will be a user-decision that should be offline and a private decision.

BoppingAroundOctober 9, 2014 10:25 AM

Thoth,

Classical 'pot calling the kettle black'. I recall someone (Clapper?) at the NSA used the same tactic against the companies before.

BenniOctober 9, 2014 4:03 PM

NSA monitors contact persons of suspects who are three hops away (if a suspect contacts a pizza vendor, and the pizza vendor contacts his mother, then NSA monitors the mother of the pizza vendor).

Germany's BND does something similar, but with its typical German thoroughness, BND monitors people over 5 hops from its VeraS system https://netzpolitik.org/2014/live-blog-aus-dem-geheimdienst-untersuchungsausschuss-frau-f-und-herr-f-vom-bnd-sollen-aussagen/.

No wonder that NSA wanted a copy of VeraS http://www.spiegel.de/international/world/german-intelligence-sends-massive-amounts-of-data-to-the-nsa-a-914821.html because "In some ways, these tools have features that surpass US SIGINT capabilities":

Additionally, BND hosts illegal databases of meta and content data http://www.heise.de/newsticker/meldung/NSA-Ausschuss-BND-betreibt-gesetzeswidrig-Datenbanken-2414734.html

PetterOctober 9, 2014 5:35 PM

Why collect card numbers when you can go for the ATMs directly.
Malware infected cash machines can be instructed to dispense 40 notes at once, without a credit or debit card.

According to footage from security cameras at the location of the infected ATMs, the attackers were able to manipulate the device and install the malware via a bootable CD.

http://www.bbc.com/news/technology-29537907
http://securelist.com/blog/research/66988/tyupkin-manipulating-atm-machines-with-malware/

BenniOctober 10, 2014 6:52 AM

There are, apparently, some countries where neither NSA nor BND have access to every mobile phone. This is why the German government developed a system for a drone https://netzpolitik.org/2013/studie-analysiert-die-funktionsweise-des-spionagesystems-isis-das-eads-fur-die-bundeswehr-baut/ that flies in 15-20 kilometer height, and can collect from there signals of all mobile phones, wireless lan nodes, radio sets, or even household microwaves that are in a radius of 400 kilometers.

With its directional antennas, the drone is able to listen to a specific device selectively. At first, the Americans did not want to deliver the steering system for the drone. But now the German government promised to spend more money and it seems that BND will get that drone: https://netzpolitik.org/2014/serienreife-abhoerplattform-isis-fuer-hochfliegende-drohnen-soll-weitere-viertelmilliarde-kosten/

This is a sad development. In case the drone flies over northern Germany, it will be able to snoop on every mobile phone in Germany without anybody noticing it in 15km height.

SmokingHotOctober 10, 2014 11:03 AM

From another thread, as it was going off topic and someone complained.

@Skeptical

My assertion Skeptical was responding to:

@Smoking: Right now, because of the extraordinary power the US has: the US is really the primary instigator of instability in the Middle East, however. It is obvious that this will cause severe problems there. And they already have caused severe problems there, problems they are refusing to own up to.

Skeptical's summa:

This is completely wrong. Were the US not a presence in the Middle East you'd have severely greater tensions between Saudi Arabia and Iran, and much greater likelihood of a broad regional war.


Datapoint number one backing up the summary.

As to "causing problems" let's get real about ISIL and the US for a moment. The US invaded Iraq, did not provide sufficient forces to occupy in the early years, and allowed an insurgency to spark and then burst into flame.
But in 2007 the US changed strategy. It provided substantially greater resources and embarked upon a different counterinsurgency approach - and it worked. The Shi'ite militias were cowed, and al Qaeda in Iraq was defeated.


That is basically the US line. "Line" as in what some loser dude gives a woman in a bar. Something memorized, something untrue. "Line" as in this is Tier 1 (very low level) diplomatic prattle. Diplomatic prattle is not the truth of the matter. It is about as truthful as some crappy commercial, and people take it as seriously.

More importantly, no one actually believes this line. Maybe the people saying it have some faith in it. But, no Middle Eastern nation of note believes it.

Like any lie, there is *some* truth to it. Where "any lie", means any low level, 'often repeated' diplomatic prattle.

The truth is simple, in the aftermath of a colossal series of mistakes (Iraq did not have either WMD nor ties to terrorism, the predicted lack of resistance was totally wrong, and the capabilities of the US to rebuild and manage the nation were next to nil): well, the US finally was able to have the political impetus to do the Surge -- The Surge (tm).

The Surge, far from being any great stroke of genius as it is presented: was simply what was necessary and not done in the first place.

The scenario could not have been more brainless in scope: the US simply did not send in enough troops in the first place to handle the area. On the battlefield, if you send in too few troops you can lose severely. On the other hand, sending in a surplus of troops can help ensure security.

Not quite as technical nor ingenious as "flanking".

Please note the sarcasm here.

All of this is far from the entire picture. It is far from the picture, at all.

The reality is the US went into Iraq and from start to finish screwed the country up. Not only did they turn the population against any and all infidels, non-Muslims in general, they did all they could to destabilize the country, in general. Including firing enormous numbers of military and police and then not providing them any chance of legitimate work. Which is a big reason for the problem.

There are a lot of points anyone can make on the many ways the US screwed up the region, but frankly, this is all very low level information that is very well available to everyone.

No one should be talking on this matter if they are unaware of it.

Not dismissing these issues, or even freely bringing them up and then dismissing them is patently dishonest. If I go in to buy a couch from someone and there is a gigantic stain on it, and the sales person does not mention it, but talks up the couch -- I probably would not bother to tell them about the stain. I should not need to. There it is, right there.

An honest salesperson goes, "Look, I know about the stain, we both see it, and here's the deal here, this is why we are giving you fifty percent off the price of the couch. It is not anything bad, just was a discoloring from the factory."

Even if he were lying about the origin of the stain, I - or anyone - might be a bit more persuaded.

Brenner? Anyone? War profiteering? Anyone? Among so many other issues...


Perhaps the US withdrew a bit too soon. But the corruption which was permitted to erupt within Iraqi Security Forces, and Maliki's other actions, completely alienated the Sunni population, which provided the remnants of AQI, harboring in the chaos of Syria, with opportunities to find new openings with the Sunni tribes of Anbar and beyond.

These were choices made by Maliki, and the Iraqi Government. They were choices that Iran permitted, if not encouraged. And they are reaping what they have sown.

Maliki was supported by the US, and vetted by the US. That is one problem with that line you are giving.

Another problem with that line is: the US knew that Iraq was naturally divided into three provinces. Sunni, Shia, and Kurd. The Kurds had been promised their province way back in the early twentieth century by Westerners, and never got it.

This is a major reason why some of them have turned to terrorism.

Cheney's memo from the first Gulf War on "why not to go to Baghdad":

If you're going to go in and try to topple Saddam Hussein, you have to go to Baghdad. Once you've got Baghdad, it's not clear what you do with it. It's not clear what kind of government you would put in place of the one that's currently there now. Is it going to be a Shia regime, a Sunni regime or a Kurdish regime? Or one that tilts toward the Baathists, or one that tilts toward the Islamic fundamentalists? How much credibility is that government going to have if it's set up by the United States military when it's there? How long does the United States military have to stay to protect the people that sign on for that government, and what happens to it once we leave?

( http://www.slate.com/articles/news_and_politics/chatterbox/2002/10/dick_cheney_dove.html )

This was before Cheney went to work for Halliburton.


Iraq is important to Iran like Mexico is important to the US. More so, Iran has Shia throughout the western region of the Middle East, and cutting them off from that support is something Iran would take seriously.

Further, Iraq has key Shia religious sites, and Iran is the Shia mother country.

But that is not the real problem. The real problem is that to not separate the country into the three provinces meant you would have Iraq ruled by Shia, if you were to give them Democracy. Not by Sunnis. Not by Kurds.

From Google: Iraq is 60-65% Shia. 15-20% Sunni. 27% Kurd.

Saddam was token Sunni and had a history of difficulties with Kurds and Shia alike. This difficulty, believe it or not, may have had some repercussions with the population. It probably also did not help that the US was sanctioning and bombing Iraq for many years even before the war.


As for withdrawal, the US never should have been there in the first place.

The US line on Iran is they are the bad guys. Their diplomacy with Iran is non-existent. It is provocative and it aims to alienate them. This helps make them defensive and desperate.

The major problem here is the US is deep in bed with Saudi Arabia and the Sunni. This would be not unlike if the US was deep in bed with the Tea Party, but tried to say kind words about the Democratic Party. They would not and do not. They say nasty things and act rude, to help bolster their Saudi and general Sunni backing.

It is clear from their perspective they can not be friends with both Iran and Saudi Arabia at the same time.


Yes, the US isolated Assad. Along with most of the rest of the planet. If you recall how the Syrian civil war started, and how Assad has conducted it, you'll see why.


I was obviously speaking of how the US had isolated Assad before the protests.

I am aware of "the line" on this story. Assad was a horrible dictator, and the poor Sunnis simply wanted more freedom. They wanted Democracy and television and American goods. They wanted human rights. It had nothing to do with their religion. Which is radical.

At some juncture, it is argued Assad got more serious and did very bad things. Such as indiscriminate bombing, and it is even asserted that he may have used chemical weapons.

True or not, probably true, Assad was alienated, isolated, desperate, and defensive. This is exactly what one would expect to happen with Iran. Or Russia. Or China. If they are treated in the sort of manner the US treats her targets.

The fact is: the US is deep in bed with Saudi Arabia and so the Sunnis. They therefore have had no choice but to be opposed to Shia, and be for Sunni.

Debates were had before US direct involvement. The concern was links to terrorism and Al Qaeda among the rebellious. The US went ahead.

Consider, the US is extremely hedonist in the eyes of Sunni. That is a very tenuous relationship when it comes to the core population. With the upper leadership, they have many benefits. Friends with benefits. But they have to be mindful of their constituency. Or they could rise up and depose them.

These were not just major complaints of Al Qaeda, but they are deep complaints from the religious Sunni population, in general. Over the years.

So, brownie points to the US to help the Sunnis take Syria for them.

Of course, this helped Al Qaeda of Iraq rise. They changed their name to ISIL, and after taking the rebellion by storm, took the Sunni province of Iraq.

Someone might say, "Wait a minute, you said above Iraq did not have ties to Al Qaeda". And this is well known, both the claims of these ties, and the fact that they did not. No, Al Qaeda of Iraq was created as a resistance movement because of the US occupation.

The US has been refusing to intervene more substantially in Syria's civil war for years now. It has been a topic of ongoing debate and discussion. Indeed the current argument between Turkey and the US is that Turkey wants to expand the coalition's intervention to include measures that are clearly aimed at Assad, and the US is refusing to do so. So the idea that the US never stops to ask why it should intervene in another country is nowhere near the truth of the matter.

They are wise not to do so. For one thing, I am hearing it violates international law. Though international law, clearly, has no teeth.

A bigger reason, of course, has been because of the "aiding and abetting terrorists" concern.

But they went ahead and did it, anyway. And now you have that entire region and the region of the Sunni province of Iraq owned by US created terrorists.

I can understand the desperate need to not go all the way to Assad. Because whoever displaces Assad displaces the peace treaty Israel has with Syria. Hamas is Sunni, of course. So, like with disposing of Saddam, or disposing of Qaddafi, there is a sure fire guarantee of truly causing severe problems in the Middle East by empowering Israel's greatest enemies.

And calling Iran one of three components of the "Axis of Evil" did not help in any of that, either.

Which is telling a nation, "Hey, get desperate, get scared, because we are coming for you". That does not make them seek out nuclear weapons to protect themselves, or in any way destabilize them.

Of course, there is another issue here: Hezbollah and other Shia groups versus Sunni groups. All out Middle Eastern religious war. Stoked and hottened by the US of A.

Why did the US not separate Iraq into three provinces? Saudi Arabia. Saddam was a bulwark against Iran. Saudi Arabia needed some serious cajoling to get behind deposing of Saddam. This is one reason why Rumsfeld reported in his recent expose documentary he did not even hear the second Gulf War was an official "go" until he had a meeting with Cheney and the lower level Saudi Arabian official.

The US would definitely shy away from taking credit for destroying a key Middle Eastern peace treaty and enabling, greatly, Hamas. Too many Americans regard Israel fondly.


SkepticalOctober 10, 2014 12:44 PM


@Smoking: That is basically the US line. "Line" as in what some loser dude gives a woman in a bar. Something memorized, something untrue. "Line" as in this is Tier 1 (very low level) diplomatic prattle. Diplomatic prattle is not the truth of the matter. It is about as truthful as some crappy commercial, and people take it as seriously.

Here, you say that it's false that the US first did not provide sufficient forces to occupy the country, but in 2007 shifted strategy, provided sufficient resources, and restored stability.

You take 6 sentences to say "this is false" but okay. Let's see why you think so.

More importantly, no one actually believes this line. Maybe the people saying it have some faith in it. But, no Middle Eastern nation of note believes it.

Okay, so no one believes "this line" either.

Like any lie, there is *some* truth to it. Where "any lie", means any low level, 'often repeated' diplomatic prattle.

Oh, so there's some truth. All right. And what is it?

The truth is simple, in the aftermath of a colossal series of mistakes (Iraq did not have either WMD nor ties to terrorism, the predicted lack of resistance was totally wrong, and the capabilities of the US to rebuild and manage the nation were next to nil): well, the US finally was able to have the political impetus to do the Surge -- The Surge (tm).

Yes, the surge is indeed part of the change in strategy I referenced. All right.

The Surge, far from being any great stroke of genius as it is presented: was simply what was necessary and not done in the first place.

Here you say that the surge is what was necessary - presumably therefore the correct (one component, actually) strategy.

Do you realize that you've come full circle Smoking?

I state that the US failed to occupy with sufficient troops, which allowed an insurgency to take root, but that in 2007 the US did provide sufficient troops and a different strategy, which worked.

You respond at first by calling this "prattle", and false - but a few paragraphs later you're actually agreeing with it.

There are a lot of points anyone can make on the many ways the US screwed up the region, but frankly, this is all very low level information that is very well available to everyone.

I don't think you followed my argument.

I said that the US DID make a mess of things by providing insufficient resources.

I noted that the US then changed course, and stabilized the country.

When the US left, AQI was no longer an effective force.

So what enabled AQI to harbor and regain strength in Syria while once again infiltrating Iraqi cities and building ties with Sunni tribes?

Answer: Maliki's policies, which alienated Iraqi Sunnis, and (in the case of Syria), indiscriminate arming of rebel groups by other nations, some of which found their way to AQI remnants.

But not the United States. So to claim that the US "caused" ISIL or is responsible for ISIL is simply false.

Maliki was supported by the US, and vetted by the US. That is one problem with that line you are giving.

For U.S. and Top Iraqi, Animosity Is Mutual, a NY Times headline from 4 Nov 2006.

The US "supported" him insofar as he was the PM selected by the Iraqi Government. But he wasn't the preferred choice of the US, and his policies were opposed by the US. Prominent US Senators were calling for the Iraqis to remove him within a year. US criticism of Maliki's policies, which the US viewed as sectarian, divisive, and contributory to the alienation of the Sunnis and Kurds, began early and never let up - right to the point where the US flatly refused to intervene against ISIL unless Maliki was removed.

Another problem with that line is: the US knew that Iraq was naturally divided into three provinces. Sunni, Shia, and Kurd. The Kurds had been promised their province way back in the early twentieth century by Westerners, and never got it.

Hence the US preference for granting substantial autonomy to Sunni and Kurdish provinces - and indeed the Kurdish provinces have been operating as a semi-autonomous entity.

This is a preference which Maliki did not share, and actively fought against.

But that is not the real problem. The real problem is that to not separate the country into the three provinces meant you would have Iraq ruled by Shia, if you were to give them Democracy. Not by Sunnis. Not by Kurds.

Which is why power in Iraq is not completely concentrated in a national government with population-proportional representation.

As for withdrawal, the US never should have been there in the first place.

Which misses the point, again. The US made severe mistakes in the early occupation, but acted to fix those mistakes. What we are witnessing today is largely the consequence of short-sighted, sectarian policy by Maliki and short-sighted, indiscriminate aid to Syrian rebel groups by other nations.

The US line on Iran is they are the bad guys. Their diplomacy with Iran is non-existent. It is provocative and it aims to alienate them. This helps make them defensive and desperate.

All Iran really needs to do is forgo nuclear weapons development. That's it.

The major problem here is the US is deep in bed with Saudi Arabia and the Sunni. This would be not unlike if the US was deep in bed with the Tea Party, but tried to say kind words about the Democratic Party. They would not and do not. They say nasty things and act rude, to help bolster their Saudi and general Sunni backing.

Yes, Iranian efforts to develop a nuclear weapon, Iranian efforts to facilitate insurgency efforts against American personnel in Iraq (killing many of them), Iranian efforts to contract the assassination of the Saudi ambassador in Washington DC, Iranian kidnapping (and sometimes utterly gruesome torture) of Americans and American personnel in Beirut, and so on, have nothing to do with it. It's all about the American relationship with Saudi Arabia.

The US has no problem, and would in fact prefer, good relations with both Iran and Saudi Arabia. For that to happen Iran really only needs to forgo nuclear weapons development.

True or not, probably true, Assad was alienated, isolated, desperate, and defensive. This is exactly what one would expect to happen with Iran. Or Russia. Or China. If they are treated in the sort of manner the US treats her targets.

Sure, America caused Assad to become a brutal dictator. Before that, he was an enlightened man, ruling his country with beneficence. Only when the Americans targeted him and isolated him did he become desperate, and, as a last resort, brutal. Quite the fairy tale.

Debates were had before US direct involvement. The concern was links to terrorism and Al Qaeda among the rebellious. The US went ahead.

No, actually, the US went ahead with non-lethal aid, and with extremely limited provision of military equipment to a couple of vetted groups. And for this restraint, Obama was and is frequently criticized on the grounds that it allowed more extreme groups to become better armed and more powerful.

Of course, this helped Al Qaeda of Iraq rise. They changed their name to ISIL, and after taking the rebellion by storm, took the Sunni province of Iraq.

ISIL's rise in Syria had exactly zero to do with US aid. In fact, the more plausible argument is that it had to do with the lack of US aid to other groups.

Of course, there is another issue here: Hezbollah and other Shia groups versus Sunni groups. All out Middle Eastern religious war. Stoked and hottened by the US of A.

This is where you really miss the mark. Without a US military presence in the Middle East, the antagonism between Iran and Saudi Arabia and the Gulf States would likely be far closer to complete war.

SmokingHot • October 11, 2014 11:40 AM

@Skeptical

You are consistently misunderstanding what I am saying.

Looking at your response, I see some reasons "why" you are doing this.

For instance, for the invasion, you condemn, and you blame this almost entirely on the Neo-Cons.

And you condemn the collapse of Iraq, and you blame this almost entirely on Maliki.

That is the meat and substance of where I disagree with you.

That I mentioned anything positive about Maliki and the US's relationship meant you would hyperfocus on that. Clearly, there were also problems.


Maliki was not a puppet. He viewed Iran as a good enough neighbor. He served the Shia whom he represented. This was why I brought up the demographics of Iraq, which is much more important here. And this is why I brought up the unwillingness of the US to divide Iraq into three provinces.


The US basically wanted very unfair representation of the Sunni minority in Iraqi government. They also wanted no good relations between Iraq and Iran. Both of these are entirely hypocritical and unfair expectations.


You can focus in on "real" problems, missing the forest for the trees, if you want. This will continue to persuade your own self. The net effect of this is, 'the US Government is good and noble, as capable as Heaven and her angels', but... 'the problem is always someone else, be it politicians in the US or politicians abroad'.


The net effect is you keep a message you see as appealing to people in US Government. And it is. It speaks to the crowd there on what they want to hear.


If you want to "prove" your rhetorics on the Neo-Cons, you certainly have enough ammo out there for that. Likewise, if you want to "prove" your rhetorics on Maliki, and how he is almost entirely at fault, you also can find plenty of ammo for that. Not as much as for the Neo-Cons, because for the Neo-Cons you have the Democratic Party who worked for you there on that and continue to. Whereas, on Maliki, it is not quite as biased, but biased still.


You are intelligent. You are well read. But, you are biased, and this is the fault in your thinking. Your returns are reflexive, they are defensive. You are prejudiced towards the people who work on behalf of the US Government.


This reminds me of a discussion I was having with my friend. How women will justify the behavior of men regardless of how terrible they are. Men can do the same thing, of course. If the woman is beautiful enough. It won't matter how many guys she sleeps around with if she is so much higher league than the guy -- he will still be her stomping rug.

So, where is the persuasion there? It is impossible. I can even point out your girlfriend is dressed like a skank and is riding around town with her Saudi Arabia lover, her Sunni lover -- but this would not make a difference for you. You well know the US Government is all over the Sunnis and so biased. She has made the Sunnis and Saudi Arabia her man. And you love her and hope she will love you anyway.


But this is not to be.

From this angle, my angle, the US Government disliked Maliki and could not see the situation in Iraq because the US Government was viewing it through the eyes of her lover, the Sunnis. Likewise, with the Neo-Cons.


This remains a relatively covert affair. I mean, it is entirely out in the open, and everyone knows it, but it remains an affair. It is an adulterous relationship. Not that they are married to anyone else, rather very ignored. But they have had pretensions of at least liking to marry someone else and something else.

Some of these pretensions are such things as "human rights", "justice", and "liberty".

If this sounds like "someone else's" tune, it is because it is very well known to be "someone else's" tune.


"In God we trust".


More like, "in Allah, baby, anything for you, I trust".


So, yes, Maliki was irretrievably bad, because he could view Iran as a friend, as the US views Saudi Arabia and Sunnis as a lover. And the Neo-Cons were a convenient scapegoat, though the Democrats went along with the war easily enough. While giving out there some meaningless words, pretensions of skepticism, just enough to keep the crowds at bay.


None of this is fooling anyone. Not anyone that matters. The US could not be more happy to be working with a coalition of Sunni groups. It is like a first date. Unfortunately, they have not considered their lover from a skeptical viewpoint.

And no wonder the US has been so bold on her first date to talk down Iran, because she knows how much Sunnis hate Iran. But the Sunnis do not love her. She is just some throwaway skank to them. Someone to sleep with, so they can control her. And use her fine military prowess to achieve their objectives.


The end result is obvious. Sunni objectives met in Iraq. Sunni objectives met in Syria. Sunni objectives met in the wider Middle East. Al Qaeda and ISIL may be uncomfortable bedfellows, like all of them with the wider Sunni population, or so it may seem. But the sad reality is they are all of the same body. Hamas you can throw in there as well.

The message morphs and changes. There are the truly zealous and there are the less zealous. Zeal is not about reasoning. It is very often about foolishness. Emotion. And emotion is what Hamas, ISIL, and Al Qaeda represent in the Sunni body. Her mind may rebel, but her heart beats faster.


SmokingHot • October 12, 2014 9:35 AM

On the ISIL, US Screw ups Issue


Anyway, I have thought about this some more, and reluctantly been dragged back into this nonsense: for one, how does this even remotely stay on the topic of this site? Simply because it is security theater.

Iraq was one of the most colossal screw ups in the history of the world. If it was not somehow intentional, as many believe. The major world power went to war against a nation in the most volatile region of the planet on the basis of what ended up to be ludicrous lies.

And this after ten years of bombing and severe strangulation of their nation, also under the exact same false pretenses. Or false information.

Likewise, the story on Iran is not "the US did them evil by helping get Mossadegh into power in 53". The problem and the real story is the US supported the Shah for all of those years knowing he was a severely depraved individual. Mossadegh was going to be in power anyway. Plausibly, this can be believed from the sources we have, who have no reason to lie, and are not those sorts of people.

While Iran did fight back and give cause for demonization - this is true - they have since then changed administrations and made, like Saddam made, many overtures for peaceful cooperation. In turn, the US has continued to lambast them, savagely, like something you see from teenagers.

"Axis of Evil" is just one very good example of that.

The message is: "we may invade you, we may destroy you". What does this do? From a pure strategic angle, it is far better to pretend to be friends, but keep one's distance, and if a problem arises react to it accordingly.

But, there is another issue at play here: the Sunnis, whom the US are desperately trying to appease.

None of these points, nor any other points matter: the US and their allied nations are dead set on their desperate course to continue to screw up the Middle East even worse than it is already screwed up.

These points mean nothing for getting your favorite party elected, so they are meaningless to those who are biased.

They mean nothing ultimately either for or against any war.

They all lead down to simple and very easily predictable facts: there is no one to replace Assad, nor is there anyone much better to replace ISIL. But, I am not complaining about ISIL. The past is the past. They are a clear menace, and while so is Assad, there is simply no one who can replace him and keep the peace in the region.

Further, the probability is very high the mixing around of the already very volatile region will lead to unforeseen, very negative circumstances. Just as it was trivial to predict all the problems in Iraq: the US has not reconstructed any nation since Japan and Germany and they have bombed and promised to reconstruct many, the population was ruled by Sunnis who are the minority there and now asked to be ruled by the majority, the region was not divided into three separate countries to ensure peace and stability for each region, and.... Wahhabist Sunnis are in the driver seat.

Amongst, sadly, many other factors.


Almost any course the US took with Iraq was bound to end up this way. The course they took in decimating the infrastructure and alienating the Shia base and Iran surely helped ensure it. Aiding the Sunni rebels in Syria made sure it happened.

I am not surprised, is anyone surprised? These things are not difficult to see bets.

Did these guys see these things coming? I strongly doubt that.


But, in reality, all of this is but a diversion, anyway, so what does it matter?


P/K • October 20, 2014 3:19 PM

As some people here discussed the BND operation Eikonal about tapping the Frankfurt internet exchange, I wrote an article about this operation on my weblog, because Eikonal was clearly part of NSA's RAMPART-A program:

http://electrospaces.blogspot.com/2014/10/the-german-operation-eikonal-as-part-of.html

Meanwhile, the Danish paper Information has confirmed that Eikonal was indeed part of RAMPART-A: http://www.information.dk/513128

I also tried to figure out where exactly BND might have tapped the Frankfurt internet exchange, and it turned out that it's unlikely that Deutsche Telekom had a role in that.


Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.