Friday Squid Blogging: Squid Bikes

Squid Bikes is a California brand. Article from Velo News.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on November 28, 2014 at 4:04 PM • 126 Comments

Comments

GodelNovember 28, 2014 5:08 PM

"A growing fleet of smart cars may add their street camera views to those of the surveillance camera networks already covering many major cities. That could open the door for a new technology that enables different video cameras to “talk” with one another and track the same individual person across many different camera views—possibly giving rise to Google Earth style maps that can display pedestrian and vehicle traffic."

http://spectrum.ieee.org/cars-that-think/computing/networks/car-camera-network-could-enable-virtual-maps-of-pedestrians?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+IeeeSpectrum+%28IEEE+Spectrum%29

machineNovember 28, 2014 5:50 PM

Several Linux distros have started rolling out btrfs as the default file system. One of the features folks are getting excited about in blogs is the ability to boot from a read-only snapshot. Not so so sure How much protection this will actually offer against malware. In particular malware that targets the bios / mbr.

Clive RobinsonNovember 28, 2014 7:10 PM

@ Machine,

One of the features folks are getting excited about in blogs is the ability to boot from a read-only snapshot

Personaly I don't see it as any more exiting than booting of any other immutable media such as a CD/DVD ROM or even punched paper tape...

The basic OS or it's loader gets read into RAM and executed, not the image on the read only media.

The only difference read only has is it stops the boot image of the OS or loader being changed by malware or for that matter the SysOp or users.

Now the question those getting excited won't have asked is this "Is the 'read only' state hard or soft?". That is is the media genuinely immutable or is it just the firmware / software of the drivers etc hiding the fact that the media is actually still fully mutable? If it's the latter --which I suspect it is-- then malware could effect action against the driver and thus regain the ability to write to the media...

So in reality rather less to get excited about than a read only CD/DVD or paper tape...

DanielNovember 28, 2014 7:16 PM

@BoppingAround

Thanks for that link. I strongly encourage any novices who read Bruce's blog to read the first response to the linked post. I wish I had written it. In fact, as I was reading I kept wondering if somehow someone had hacked my brain and emptied its contents onto Cryptome. It is a little paranoid, sure, but in the end I think it's honest and direct. Start with a threat analysis. Keep your attack surface as small as possible. Don't trust anything and even better, just stay off the computer :-P

Chris AbbottNovember 28, 2014 8:04 PM

I'm not so surprised by this, it makes sense and pieces a few things together for me, and it's not exactly the latest news. However, out of boredom, I was on one of my NIX machines last night and clicking around clickbait. I clicked some clickbait on a clickbait page which led me to another clickbait page that started behaving oddly. It was unsuccessfully attempting to install malware I concluded. I'm obviously not the first to discover this. I think this is what leads to a lot of people I work for being compromised.

http://www.belch.com/blog/2014/08/13/clickbait-sites-serve-malware/

Apparently, the payload on that one was Kryptic, similar to CryptoLocker, which we all love of course.

Chris AbbottNovember 28, 2014 8:16 PM

@Clive, machine:

I was talking to someone on here the other day about an "ephemeral OS" during a discussion about VM's. Someone told him the problem with booting an OS with read-only media is that when a vulnerability is found, it can't be patched. So even if you boot up a clean OS, you're still just as vulnerable. Unless, of course, you can wait to get a new disc in the mail every week to survive zero-days. It's not like that would hamper your productivity or anything.

@WhatDidYouExpect:

I can't recall exactly what it was, but there was something I read on this blog about that. You don't really even need the Internet of Things. Malware on a smartphone is the best way to whack someone. Have you looked at all the malware you can plant on phones to either "track your child" or one piece of software I saw (that of course advertised itself as legit if you have the victim's consent) That basically enables you to turn on the cams, mics, grant you access to their GPS location, give you turn-by-turn directions to where they currently are, download all call logs, history, even tap calls and SMS. I wish I could remember what it was called, but it was basically a type of "cheating detection/deterrent" malware. Something you don't need to use in a good relationship (or shouldn't use ever).

AndrewNovember 28, 2014 8:50 PM

"Security Experts Believe the Internet of Things Will Be Used To Kill Someone", @Chriss Abbott
Smartphone, the supreme remote killing machine, how about making the battery explode or turning the electromagnetic radiation at certain level till causing cancers?

FigureitoutNovember 28, 2014 9:20 PM

Clive Robinson
--Guess I better return the favor...Looks like you have a journalist fan (maybe you can give her a way to contact you, sure just give her an email address b/c she's *a girl*, OMG I'm so jelly! :p ) And she singled out a thread where in our "relationship" I continue to play the young curious boy always asking questions and you the "big daddy" giving more to chew on than I can handle. I won't be that little boy anymore! I'm a big boy now! I can use my huggie diapers myself now! haha :p

Here's the link, it's on Michael Ossman's work towards making opensource cheap tools that do mostly same as some of these gov't solutions that probably cost 100X more lol: Let's Play NSA! The Hackers Open-Sourcing Top Secret Spy Tools

http://motherboard.vice.com/read/michael-ossmann-and-the-nsa-playset

I'll even quote the bit that's relevant for you lol:

A security specialist who goes by the name Clive Robinson, and who appears to be familiar with the NSA's implants, echoed this concern in ​one of many comments on Bruce Schneier's blog in June. “The annoying thing" for experts who have been trained in the government's secret surveillance tools, "is not being able to talk about things until some independent researcher has put a paper into the public domain. If it’s from a classified source that's been leaked like the Ed Snowden revelations it still can not be talked about or even looked at.”

FigureitoutNovember 28, 2014 9:38 PM

machine//Clive Robinson//Chris Abbott RE: immutable media
--I've done enough tests to know liveUSBs are anything but. I wonder about a USB-CDROM drive, probably same USB risks now due to BadUSB. Only way CDROM's are getting off from attacks on it is probably highly proprietary nature of tech. and complexity (like what would happen if you restricted what it read or the speed, etc). They (USB sticks) can be manipulated and have persistent changes and store downloaded programs in the frickin' flash drive instead of just RAM. I imagine same w/ SD cards. Only it sucks when you can't reuse CD/DVD's, so I may look into some of the smaller CD's.

This problem doesn't just "go away" by using immutable media too. Where did the initial creation of the media happen? How do you make updates? Probably on an insecure internet connection? Is that router firmware flashable over the internet, it is isn't it? What happens when you update (are the updates truly better or worse)? Is the internet connection secure? Is the file un-altered? Questions, questions...

Markus OttelaNovember 28, 2014 9:59 PM

@Chris Abbott:

Even LiveCD with known vulnerability can enhance security from the perspective of confidentiality. Suppose you operate the liveCD like this:

1. Boot up liveCD and connect it to internet without hard drives.
2. Obtain whatever data you need from internet: emails, articles etc.
3. Disconnect network, mount hard drive and store files on it, process them etc.
4. Dismount and remove drive physically.
5. Reboot, rinse and repeat.

Although this doesn't prevent malware from affecting file integrity and availability, it makes obtaining information about what data is stored and whether data is being stored at all, somewhat impossible - reducing the chance of retrospective profiling.

For publishing and sending information, you can follow this routine:

1. Boot up liveCD, mount hard drive and copy information on tiny thumb drive.
2. Dismount and remove hard drive, reboot.
3. Copy file from thumb drive to computer, dismount and remove thumb drive.
4. Connect liveCD to internet, upload file.
5. Power off liveCD.
6. DBAN the thumb drive.

I don't think you can make it harder than this for adversary to exfiltrate additional files.
If you're sending files, make sure they're encrypted before you copy them on thumb drive (step 1). AFAIK Tails wipes RAM between sessions so it should be the safest option: Tor routing should reduce the risk of immediate OS compromise when you connect the computer online.

ThothNovember 28, 2014 11:01 PM

Some of the things to look out for when you operate an air-gapped machine:
- Audio Sockets (Do not attach if not needed). Removal improves security.
- Video Sockets (Do not attach if not needed). Removal improves security.
- LED Signaling (Shielded or place in an awkward manner to prevent leaking).
- Fan noises (Try to not use something with fan power or mute it as much as possible).
- USB Socket (Not welcomed at all).
- Card slots (Not welcomed at all).
- Keyboard/Mouse ports (Check for abnormal traps).
- Built-in CD/DVD R Drive should be muted if possible.
- Additional power sockets (Do not attached if not needed). Removal improves security.

If there are better ideas, help edit the above list.

AngelNovember 29, 2014 12:55 AM

Ferguson:

Six or nine shots. The guy was either a complete coward or he was a murderous Mother Fucker.

That is the mindset of your average doofus in intel.


AngelNovember 29, 2014 1:02 AM

Look, guys and gals, let us walk through the end of the world here for you...


So, we burn the hell up of the Middle East... make it as chaotic as possible...

Israel finds her self in a position to fire back, and she does.


The UN gets involved.


The US finally has her hands tied, and also had to say "yay".


Syria was down, Lebanon, Jordan, Egypt....


We do not really care.


All of these useless discussions and debates? They were useless.

Meaningless. Guys and gals trying to be the righteous ones. Without knowing left from right, right from wrong.


You can not hit a bullseye if you do not know whwre the bullseye is.


And yes, all this other political talk? Is useless and vanity.

Scott "SFITCS" FergusonNovember 29, 2014 3:14 AM

@Angel

Look, guys and gals, let us walk through the end of the world here for you...[hyperbole, logical leap, hyperbole, logical leap, etc]

Take a look at the sky tonight. Marvel at all those stars, and consider the fact that many of them have long ceased to exist.

Then ponder the undeniable reality that our sun will twinkle out of existence one day, and with it - all life on this planet.

Now ask yourself why get out of bed, why even wait for the inevitable end of everything? And also, ask yourself why waste, um, your time posting to this forum given that you believe it's "all pointless"?

Don't take that the wrong way.



Kind regards

galvaniNovember 29, 2014 5:33 AM

A BtrFS RO snapshot should not be thought of as a security layer. For one thing, any user with root access has read-write access to /dev even during the snapshot's RO state, which means game-over. (The first thing malware will attempt is, of course, privilege escalation.)

name.withheld.for.obvious.reasonsNovember 29, 2014 6:09 AM

Apologizes for my absence...fighting dragons and what not...

While reviewing a few of the CRS reports (was looking at R40138, produced in 2011) it became obvious there are issues still to be flushed out with the whole fascist national security apparatus.

I was unaware that the so called FISA Amendment Act (FAA) that is to sunset in 2015 has a few provisos that give me pause. The first is the ability of the FBI to collect personal medical records--the stated constraint--only used for identification purposes.

WHAT??? Why are medical records necessary for identification?

Congressional Research Service -- R40138

In response to these concerns, a library-specific amendment was made to the § 215 procedures by the USA PATRIOT Improvement and Reauthorization Act of 2005. Under this amendment, if the records sought are “library circulation records, library patron lists, book sales records, book customer lists, firearms sales records, tax return records, educational records, or medical records containing information that would identify a person,” the application must be approved by one of three high-ranking FBI officers[1].

[1] Applications for these records could be made only by the Director of the Federal Bureau of Investigation, the Deputy Director of the Federal Bureau of Investigation, or the Executive Assistant Director for National Security. This
authority cannot be further delegated. 50 U.S.C. § 1861(a)(3) (2008).

...AND THE SECOND--THE SUNSET PROVISION...

From CRS report R40138:

However, a grandfather clause applies to each of the three provisions.[2] The grandfather clauses authorize the continued effect of the amendments with respect to investigations that began, or potential offenses that took place, before the provision’s sunset date.

[2] None of the extensions have affected the grandfather provisions.

Does this mean that if a "program" is part of an "investigation" the collection and surveillance systems in place will remain?

name.withheld.for.obvious.reasonsNovember 29, 2014 6:28 AM

@ Thoth
On an air-gapped system I would suggest the following:

1.) Embedded system platform, can still get socketed EEPROMS on various PPC/i486 boards! I'm currently deploying a network stack/filter using a mid 1980's computer system (boots from PROM).
2.) Run headless, use either a serial interface, terminal, or a dedicated workstation to access the host platform. (An xterm/shell session to the host could minimize the impact of a compromise unless one grabs session data/keylogging.)
3.) Another tactic would be to use BOOTP on the embedded platform with a inline monitoring/auditing system(s) (stream audit the host, each post to boot can be analyzed for attempts to modify the OS/binaries that is transparent).

If you're serious (board, or completely anally retentive) a host could be surrounded by a number of dedicated auditing systems to insure operational integrity. From bus, I/O, and storage subsystems dedicated auditing instrumentation may be used to perform compromise detection and integrity checks in realtime. I would use dedicated FPGA-based platforms running various realtime OS's to minimize common component compromises.

name.withheld.for.obvious.reasonsNovember 29, 2014 6:41 AM

Does anyone find any irony in the following series of events (and I'm forgetting a few others):

1.) Harry Reid finds religion, brings the the USA FREEDOM ACT to the floor for a vote...
2.) Senator Diana Feinstein breaks with Chambliss on vote...
3.) Chuck Hagel tenders his resignation...
4.) When the 114th Congress convenes in January, the intelligence committees will be chaired exclusively by republicans...

Conjecture on whether the national fascist security apparatus ISN'T being used for political/power in the halls of our government could be considered a non-sequitur.

Clive RobinsonNovember 29, 2014 10:08 AM

@ Name.Withheld...,

If you're serious (board, or completely anally retentive) a host could be surrounded by a number of dedicated auditing systems to insure operational integrity.

Err, these days I'd say "moderatly incautious" not "serious" ;-)

Seriously though I've used "dedicated auditing systems" for some time.

The reason is to prevent error checking being used as a covert channel backwards through a Data Diode / sluice / pump.

You have three independant systems A is the secure isolated system which connects to the insecure system B via a data diode. System C is connected to the B side of the data diode, and checks the data from System A against checksums / acks etc from System B, system C has limited storage so can provide limited error correction as well as raising alarms. System A therefor never realy sees system B or C it just launches data into the data diode and gets no return.

JacobNovember 29, 2014 12:17 PM

An interesting paper (at least to Nick P :-)) titled "The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments", by the NSA (1998).

Abstract and source link at
http://www.cs.utah.edu/flux/fluke/html/inevit-abs.html

In short: without a secure OS, we are all insecure. But having a secure OS does not imply that you are safe: malicious users and applications, covert channel exploitation, unsafe execution paths - long list of traps.

John ButterfieldNovember 29, 2014 12:20 PM

@name.withheld.for.obvious.reasons

"WHAT??? Why are medical records necessary for identification?"

Imagine you are found dead in the woods and are so badly decomposed that the only way to identify you is by dental records or DNA.

Dave MNovember 29, 2014 1:01 PM

@name.withheld.for.obvious.reasons

"WHAT??? Why are medical records necessary for identification?"

Imagine a subject who has been taken into custody and refuses to provide a name other than the one that matches his ID that is believed to be false.

Nick PNovember 29, 2014 2:20 PM

@ Jacob

Good to read it again. A classic from the days when NSA was somewhat helpful and researchers were focused on highly assured secure systems. The section on Java in particular was very prophetic.

The main change I'd make to it is adding more focus on hardware. All the chips, firmware, etc must be designed both to be secure themselves and make upper layers easier to secure. U.S. Govt and academia are once again in the lead via DARPA clean slate programs.

And theres plenty of us independents working on stuff too. I've been encouraging everybody involved in INFOSEC to try to ensure their efforts can integrate.

Bob S.November 29, 2014 3:49 PM

It was clear to me from the beginning the emphasis of the HIPPA Act to digitize medical records was to make them available to government agents with the tap of a key.

It's another way to track all of us with the added bonus of a whole treasure trove of biometric identifiers.

These days when the medical person is sitting there typing away madly on the computer while asking completely irrelevant even inane questions I lie like hell. The only things I am remotely truthful about is the specific medical issue dujour.

Nick PNovember 29, 2014 5:35 PM

@ A Cursed Sailor

His justifications for that are weak. They partner with State department where there's mutual benefit and probably leak them information.

Yet, Google's business was built on their patented PageRank algorithm and meta search technique that made them give better results than anyone else. Then, they came up with clever advertising schemes and value-added services for users (esp Gmail). The result was a goldmine for advertisers that earned them billions and allowed quite an IPO.

They're not rich from the government: they just ran a great business. And then they probably make extra under the table from the government. ;)

thevoidNovember 29, 2014 5:56 PM

@NickP

Yet, Google's business was built on their patented PageRank algorithm and meta search technique that made them give better results than anyone else.

i've never believed google's search was any good at all, ever. back in the
day before compaq took over digital, i used altavista, and it was great!
(i've still never seen a ~ (near) operator on any other search engine).

but google.. i can NEVER find what i want with google pretty much ever. once
i even searched for a string, it told me there was no match, but there were
some that were 'close'. somewhere deep on page three, they highlighted the
EXACT STRING i was looking for, that they said didn't exist. this is only
ONE example. i think the problem is they try to guess what you want, but it
never is what i want, and refining the search criteria seems to have no
effect on what THEY BELIEVE YOU WANT.

my opinion on how they dominated the seach engine market is simply because
their name sounds like baby talk (at least to english speakers), which many
people seem to find amusing to say... google google. like much else it was
branding rather than quality that got them where they are.

Clive RobinsonNovember 29, 2014 7:14 PM

With regards Google and the DoJ and other US Gov agencies, and for that matter the UK Gov as well. If you look at it from a business perspective being in tight with select members of these agencies is good business especialy when you can "two way street" information flows.

Many questions were being asked about Googles relationship to various government agencies --including the NSA-- quite some time ago.

From a purely simplistic point of view Google wants money, and the likes of the NSA have buckets full of the stuff. In some ways it would appear that Googles tech is better than the NSAs so Google has value over and above any data the NSA et al might be interested in.

I can see certain business relationships, especialy relating to non US persons being quite a lucrative market opportunity for various agencies...

Which is why I was surprised that the NSA was --allegedly-- tapping into data comms cables to do with Googles back end servers without Google staff being aware of it.

Which ever way you look at it there is quite a bit that does not add up.

Nick PNovember 29, 2014 7:44 PM

@ thevoid

I've had that problem on a few things here and there. Usually caused by terms that could be on almost anything combined with the popularity contest nature of page rank and all the sites trying to game the system (aka "search engine optimization"). That said, almost every time I Google something it's on the first page. I sometimes have to scroll down a 2-3 pages (out of a million possibles). At least as good as Altavista or Excite were while better than Yahoo or Lycos.

And I know it was better because I did vast amounts of research using meta-search engines that ran searches against many general or special purpose search engines. You got to see them individually or a combination of their collective top results. Google was often as good as results I got that way, except more convenient. Only times I recall not using Google were the few times it produced jack, Yahoo for their organized directories (not search), and Vivisimo (now IBM's) for its clustering technique's ability to automatically site map a lot of web pages. I was looking forward to MeaningMaster and a Cyc-based search engine, but those options never materialized. Haven't had a need for Wolfram, although it seems superior for finding trivial.

Not to mention Google added calculators, conversions, maps, images, Apps, etc. They're on top of things because they have good results, a *very* simple interface compared to competition at that time period, and integrate all kinds of other free stuff with mass storage. They then let advertisers and governments use that information in various ways for profit. Works for all kinds of companies. Just ask Facebook.

Note: I looked up meta search engines again as I thought about trying some. I remembered Powerset, typed in powerset.com to see if they'd bankrupted, and amusingly Bing.com loaded. Maybe Powerset wasn't a 100% failure after all. Haha.

@ Clive Robinson

"From a purely simplistic point of view Google wants money, and the likes of the NSA have buckets full of the stuff. In some ways it would appear that Googles tech is better than the NSAs so Google has value over and above any data the NSA et al might be interested in."

Well said. This is common with companies contracting to the government in general. Healthcare.gov scandal shows you can do a crappy job and still make tens of millions so long as you're a major campaign contributer. Few can keep that level of non-quality up in pure private sector work.

"Which is why I was surprised that the NSA was --allegedly-- tapping into data comms cables to do with Googles back end servers without Google staff being aware of it."

Recall that telecoms have long cooperated with the government, often with subsidies or financial reimbursement. Companies like Google have been buying up fiber and creating their own backbones. It could be that Google was only competing to a limited degree and NSA wanted more visibility into their traffic. Alternatively, it was for deniability: increase trust in U.S. products by making most users of their capabilities think it was all hacking and eavesdropping rather than backdoors. It could also be both or neither. ;)

JacobNovember 29, 2014 7:51 PM

@ Clive
"Which ever way you look at it there is quite a bit that does not add up."

It does add up. It is the manifestation of the scorpion and the frog fable.

Scott "SFITCS" FergusonNovember 29, 2014 9:55 PM

@thevoid

i've still never seen a ~ (near) operator on any other search engine

Perhaps you haven't been looking in the same places? Will NEAR do? (different dog, same leg action). Google does do Boolean (and more) - it's just not well documented (they cater to the lowest common denominator) - but others can learn from the URL.

I switched from altvista because Google gave vastly improved search results and functionability - but mostly because it search more of the web (by several factors). But that's just me - and I don't use Google for everything, what ever search engine that get's you the results you're happy with. - I'm not going to comment on the rest of your comments.

Choice is good (and shareholders are the root of all company evil??).

Kind regards

DamianNovember 29, 2014 9:58 PM

@ Sailor

Google's revenue is largely contributed by publicly traded companies and the private sector. Department of State makes very little contribution to it, if any at all. NSA has very little influence at Google, if any at all, except the use of legal threats. Interestingly, Assange's paper trail stops at CoFR, a private non-profit think tank.

thevoidNovember 29, 2014 10:18 PM

@NickP

I've had that problem on a few things here and there. Usually caused by terms that could be on almost anything combined with the popularity contest nature of page rank and all the sites trying to game the system (aka "search engine optimization").

i think this has been my main problem, almost nothing i am interested in is
'popular'.

That said, almost every time I Google something it's on the first page. I sometimes have to scroll down a 2-3 pages (out of a million possibles). At least as good as Altavista or Excite were while better than Yahoo or Lycos.

i admit that when i first used google, i guess around 15 years ago, i did
get some good results. that didn't last long however.

as to better, i still want my ~ (near) operator! never understood why noone
else implemented this, as it was a great way to narrow results ie word1 ~ word2
where the default was 10 words apart... this would eliminate most bullshit
searches i think, since for instance a blog post may have any number of
false positives because those words may be used, but (very) separately.

And I know it was better because I did vast amounts of research using meta-search engines that ran searches against many general or special purpose search engines. You got to see them individually or a combination of their collective top results. Google was often as good as results I got that way, except more convenient. Only times I recall not using Google were the few times it produced jack, Yahoo for their organized directories (not search), and Vivisimo (now IBM's) for its clustering technique's ability to automatically site map a lot of web pages. I was looking forward to MeaningMaster and a Cyc-based search engine, but those options never materialized. Haven't had a need for Wolfram, although it seems superior for finding trivial.

i'll take your word for it, maybe its a matter of (my) luck. it wouldn't be
the first time that something that works fine for everyone else doesn't work
for me! it may also depend on the subject, what precisely were you
researching? it also could have to do with profiling. maybe if you had
searched as you instead of thru a meta-search, it may have given different
results.

i know for a fact though that google sometimes ignores my search terms, and
i try to use particular rarer/technical words, hoping to come up with more
relevant results.

in the case i cited about the matching non-match, i can't imagine how
mere page ranking says a string does not match. it said THERE WAS NO MATCH,
but then returned an exact match, highlighted (but not at the first page.)

pages that match all the words are displayed below those that only match
ONE word, this has happened a number of times, and i've searched the page
source for the other word. nothing. i generally expect that when i put in
a few terms, that the first few pages will actually HAVE those terms, and
a number of times it hasn't.

another time i searched for something, and it omitted some results. after
going thru all the results, and not finding what i want, i chose to show
the omitted results. what i was searching for was THE FIRST ONE, and the
url and content were nothing like the other pages that 'matched' (thus
not 'similar results').

this happens to me at least the majority of the times i bother to use it,
which is why i really don't anymore.

i question their coding.

then there is the censorship. once i got a result where it said that it
was censoring some results, with a link to 'chilling_effects.html'. i
clicked on it, and it was blank. went back and reloaded the page and the
message was gone. wish i had saved it.

(for the record, what i was looking up was 'secret life of plants' and it
actually displayed it the first time i did the search. it was when i went
back later to do it again that it gave that message, and then i never saw
it again, the page or the message. i did find that particular page again
eventually in my history.)


it would also be nice if they could search exact strings, rather than
guessing the root of the word i want, and displaying irrelevant results.
(an exact match option for instance). i definitely understand the usefulness
of something like this, but still. especially with technical issues, you
want an exact match ie 'xpdf' for instance matches any 'pdf'.

when things are made to be user-friendly, they usually suffer in other
areas (which people here know).


Not to mention Google added calculators, conversions, maps, images, Apps, etc. They're on top of things because they have good results, a *very* simple interface compared to competition at that time period, and integrate all kinds of other free stuff with mass storage. They then let advertisers and governments use that information in various ways for profit. Works for all kinds of companies. Just ask Facebook.

definitely have a point there, but they didn't START with all that, and
they weren't the first in a lot of those (babelfish, mapquest, etc). they
merely got the eyes. and i still think they got to that point because of
branding. no matter how good their search engine may be, people hear about
it because the name was appealing. just look at the baby/child-talk used in
advirtisements on tv, it definitely works.

'a rose by any other name...' may be true from a technical standpoint, but
if people hear it called a stink-bud that is what they will often smell..
if the name didn't appeal to people, noone would have used it.

Note: I looked up meta search engines again as I thought about trying some. I remembered Powerset, typed in powerset.com to see if they'd bankrupted, and amusingly Bing.com loaded. Maybe Powerset wasn't a 100% failure after all. Haha.

well, isn't that the internet business model? make a name for yourself and
hope someone buys you up.

DamianNovember 29, 2014 10:36 PM

The true value of Google was vaguely touched by Assange, ES, LM, et al. in the transcript posted on Wikileaks website, of their interview, as ES drilled Assange on the technical merits of information hash tree and relative influence. The others questioned Assange on integrity of wikileaks in the presence of "link farm"-like manipulation perpetrated by special interest groups.

JakkeNovember 29, 2014 10:51 PM

New largest number factored on a quantum device is 56,153
http://phys.org/news/2014-11-largest-factored-quantum-device.html

Researchers have set a new record for the quantum factorization of the largest number to date, 56,153, smashing the previous record of 143 that was set in 2012.
They have shown that the exact same room-temperature nuclear magnetic resonance (NMR) experiment used to factor 143 can actually factor an entire class of numbers, although this was not known until now.
Because this computation, which is based on a minimization algorithm involving 4 qubits, does not require prior knowledge of the answer, it outperforms all implementations of Shor's algorithm to date, which do require prior knowledge of the answer.
Expanding on this method, the researchers also theoretically show how the same minimization algorithm can be used to factor even larger numbers, such as 291,311, with only 6 qubits.

thevoidNovember 29, 2014 10:59 PM

@Scott F.

Perhaps you haven't been looking in the same places? Will NEAR do? (different dog, same leg action). Google does do Boolean (and more) - it's just not well documented (they cater to the lowest common denominator) - but others can learn from the URL.

maybe i wasn't! thanks for the link (and the url), that will definitely be
useful if/when i need to use google. its been many years since i tried
looking, and i see what you mean by undocumented, even that support page i
cannot find any reference to it. (and also some of the rules on that page
are not always reflected in actual search results.)

i may have to adjust my opinion of them a slightly (but not too much, it's
still undocumented, plus the other problems i have had.)

actually, i may just try this out now. there is something i've been wanting
to search for that this may help with, that i know i couldn't find before..

when did you switch from altavista? it ceased to be useful after compaq
took over, which is why i don't use it anymore either.

Wesley ParishNovember 30, 2014 2:34 AM

Just been reading Extreme Metaphors: Selected Interviews with JG Ballard, 1967-2008 and he talks quite a bit about the current surveillance environment, being one of the prescient writers who understood what was happening. You should read it, @Bruce, it's right up your alley.

65535November 30, 2014 2:51 AM

@ Denis, Nick, thevoid, Clive and others

[Re: Giggle and the government]

The nexus between Giggle and the USA intelligence community is there – but, I have only seen tangential proof.

I vaguely remember the email brought to light where Gen. Keith Alexander proposed a meeting with 15 – 20 top Silicon Valley executives including Giggle’s Schmidt [on several occasion around 2009 to 2012]. I think Schmidt replied on a first name basis to Alexander that he “would be on a trip” and could not attend. That doesn’t necessarily mean Schmidt did not eventually meet with Gen. Alexander [but nobody seems to have records of any meetings].

Other people have noted that the NSA and other agencies frequently monitor ScrewTube for intelligence and possibly facial recognition captures. It is true that the Agency probably does it – either secretly – or not.

Google doesn’t breakout ScrewTube’s earning so we cannot look into the mess:

'…Google does not provide detailed figures for YouTube's running costs, and YouTube's revenues in 2007 were noted as "not material" in a regulatory filing...'

https://en.wikipedia.org/wiki/Google#Acquisitions_and_partnerships

Obviously, Giggles one-million servers processing one billion searches each day would make a good target for the NSA – as would Giggle’s “earth” and “urchin software/GiggleAnalytics” and possible doubldicks tracking cookies.

Naturally, a joint effort between NASA’s Ames Research Center and Giggle to build a huge research complex raises suspicions – and Giggle street view cars which seems to do more than just picturing streets.

Giggle’s glass(es) and telephone listings did not help reduce suspicions either. I believe Giggle has sanitized most of the telephone listings by now [I won’t go into Giggle’s mobile communication products or Giggle’s server side products including parts of Chrome which probably have tracking abilities].

Some financial analysts had concerns early on after Giggles IPO and financial statements because “other revenues” were high [during 2004 – 2005 some people suggested that 30% of revenues could have come from the government].

If you take a look at Giggles financial data for the period ended in 2013 you will see “other revenue” at 4972 * one million [4.97 billion] which is high but only about 8% – 9% of revenue. So, Giggle doesn’t depend upon the government for the bulk of its revenue – but that doesn’t mean the government doesn’t depend upon Giggle for its information.

See page 53 to 54
http://www.sec.gov/Archives/edgar/data/1288776/000128877614000020/goog2013123110-k.htm

If you do a simple text search for “privacy” in the above document you will find about 7 – 8 hits [which could mean Giggle is sensitive about it user’s privacy – or it could mean Giggle violated it’s user’s and if that information became public Giggle would be very sensitive].

Some small players have complained that Giggle Analitics is tilted towards the Big Players and is unfair.

“Whether you’re a data scientist or a marketing manager, Google Analytics Premium makes the key numbers accessible and useful for everyone in your group. When data is deeper and easier to understand, everyone can find the answers they’re looking for — and the ones they’re not.”

http://www.google.com/analytics/premium/

Even though Giggle has applied HTTPS to their connections – and presumably to their lines between data centers – some suspect that the NSA can just buy their way inside as a “premium” advertiser and get any unencrypted information they desire – but who knows.

I know China [PRC] kicked Giggle out. I can only guess why [cough… spying or possibly economic spying – that’s just a guess].

[Excuse the spelling errors and grammar. I don’t have time to fix them]

thevoidNovember 30, 2014 3:04 AM

@Scott F.

well, if NEAR used to work, it doesn't seem to now. it could have been an
experimental option that was silently phased out, maybe the reason it isn't
documented.

the url you posted though shows perfectly the problem i have with google,
the results had this:

Aug 19, 2014 ... Clive Robinson August 19, 2014 9:17 AM. @ Bruce, .... You have to come near me and risk me finding you; and that's good for attackers to know.

Mar 12, 2014 ... It costs them next to nothing, and criminals worth
a damn will sit on stolen info for
a year. ... Clive Robinson August 21, 2014 11:48 AM. @ Alfie ...

"SFITCS" Ferguson June 22,
2013 10:44 PM .... The reasoning of putting the safety interlocks
as close to the

the NEAR you put in the search query was translated into 'next to' and
'close to'. exactly one of my problems with google. although playing with
it some more, if you put it in quotes it doesn't do any fuzzy matching.

so i tried a query with just 'near' (no quotes) and another with "near",
the latter did do an exact match. the same query without quotes came up
with this:

terms (not ITSec terms) that any point outside the suthentication scope is being honest.

so near gets translated into 'outside' as well. the others made some sense,
this one..

i know though that "exact matching" does not always work either however..

FigureitoutNovember 30, 2014 3:12 AM

thevoid
--Uhh, either you don't know how to google (not very hard...) or...you just hate google (plenty of reasons to). Ignoring all the privacy and evilness of google, they provide a superior search engine and its extensive use shows that pretty clearly...Alta Vista, seriously? Lol...

It's a "free" service, you don't have to use it (but the search bar may be in your browser, or you got an android phone, or use youtube...). You can also feed them crap searches, or provide them more personal ones so the algorithms can get a better grip on what exactly you're searching for...

Benni
--Wow, €1.2bn project and they lose hardrives and other equipment. These are defense contractors right? So pathetic, I could secure these for a fraction of that cost, $100K and those won't be touched b/c they'll be physically guarded 24/7, only a gun fight could get them.

thevoidNovember 30, 2014 4:04 AM

@Figureitout

--Uhh, either you don't know how to google (not very hard...) or...you just hate google (plenty of reasons to).

well, i know how to, but the hate thing may play a part!

Ignoring all the privacy and evilness of google, they provide a superior search engine and its extensive use shows that pretty clearly

don't think extensive use is really any proof of superiority, i can hardly
think of a product that's widely used that isn't really crap, especially
when it comes to computers.

you just reminded me though of simpsons, from a future episode, lisa says:

"google, you may have enslaved half the world, but you're still a damn fine
search engine."

...Alta Vista, seriously? Lol...

hey, 15 years ago, i could find whatever i was looking for on altavista, not
much since then though. now google really is superior to it.

It's a "free" service, you don't have to use it

and i almost never do. much of it to do with the " part of "free"

(but the search bar may be in your browser, or you got an android phone, or use youtube...). You can also feed them crap searches, or provide them more personal ones so the algorithms can get a better grip on what exactly you're searching for...

not in my browser, i almost never leave my text console. never had a cell
phone, very good chance i never will (actually, the plans are, when its a
cold day in hell... then maybe)

Nick PNovember 30, 2014 10:40 AM

@ 65535

Of course they're in bed with each other. I'm not arguing that. I originally opposed a claim along the lines of NSA or State practically owning Google. Or being a huge part of its income. Neither is true. Google might be making piles of money from all sorts of public sector organizations. But they dominate by and were built on advertising revenue from their products, services, and intellectual property. Governments are just extra money in their pockets.

And while interesting, those financial documents don't tell us anything about money coming in from the government. Other revenues could be any number of things. They might make $10 mil or $4 bil from government with data like that. Useless. All the docs confirm is they are an economic powerhouse these days with profits over $10 billion.

And that they're one of the few companies that have both the brains and money to build secure computers. And don't like everyone else. ;)

Nick PNovember 30, 2014 10:47 AM

@ Figureitout

Even 10 years ago, search engines had varying quality for any given search. They also competed on features like advanced search operators allowed. The interfaces could be very different. Back then, Altavista was a good search engine with an easy to use interface. Google was a metasearch engine at the time (IIRC) that was slowly building its own index of the web as it pulled searches from competitors' engines. And then there were specialized engines like ProQuest. A professional doing research had to be familiar with many search engines and master the techniques of forcing useful information out of them.

These days, Google does most of that. It took billions of dollars and hundreds of geniuses working 10+ years to get to that point though.

AINovember 30, 2014 11:25 AM

Scientist develops uncrackable code for nuclear weapons
http://phys.org/news/2014-11-scientist-uncrackable-code-nuclear-weapons.html


Mark Hart, a scientist and engineer in Lawrence Livermore National Laboratory's (LLNL) Defense Technologies Division, has been awarded the 2015 Surety Transformation Initiative (STI) Award from the National Nuclear Security Administration's (NNSA) Enhanced Surety Program.
...

Hart's winning proposal is for Intrinsic Use Control (IUC), a concept that is capable of providing improved quantifiable safety and use control within a nuclear weapon.
...

"An IUC-class weapon would function reliably as intended, when intended, exclusively under authorization by the National Command Authority," Hart said. "The component use control that IUC provides is sufficiently robust to defeat any unauthorized attempt to make these components function, even by the people who designed and built the arming, firing and initiation components."

This is accomplished by designing the components to function in a way that cannot be replicated by any individual. Using the IUC concept, weapon components would be initialized and made secure during assembly by using the weapon's fluctuating radiation field to generate unique component IDs and use-control numbers, only known to the weapon. Any anomaly in their verification, caused by removal or replacement of any protected component, will cause all protected components to be unusable.

JustinNovember 30, 2014 1:51 PM

As far as the link between Google and NSA, there is that PRISM program that was leaked, whereby the NSA has access to private consumer data stored at MS, Yahoo, Google, FB, Apple, etc.

The NSA is collecting this data and sharing it with the FBI and other law enforcement agencies at those so-called "fusion centers," and they don't want us to know about it, so the police use "parallel construction" to invent another source for it when they want to use it to prosecute crimes in court. The NSA has this vision of "Global Cryptologic Dominance" but it seems a large part of that is that our nation's government wants to have dominance over its own citizens...we apparently lead the world in mass incarceration. It looks like our incarceration rate peaked at in 2007, and has declined slightly since then, so there must be a lot of political pressure to keep those private prisons full.

It seems ironic that those companies offer encryption to connect to their services, and then so freely turn our data over to the government. There is really no point to encryption when neither endpoint is secure. I don't know that our government has so much "cryptologic dominance" as just plain dominance over our private lives through all this spying.

I think about how technology has advanced over the years and enabled ever greater government intrusion into our private lives, and there are no real limits to this except our Constitution and those in government with the character to abide by it. A few years late, and some of the details differ, but it really is beginning to feel like 1984.

Clive RobinsonNovember 30, 2014 4:03 PM

@ AI,

In effect "fingerprinting the bomb"...

Why am I suddenly reminded of that 1960's lowish budget SiFi movie "Dark Star" where the sun buster bombs require artificial intelligence and one refuses to go back in the bomb bay, or not explode...

FigureitoutNovember 30, 2014 5:17 PM

thevoid RE: popularity != superiority
--Touche. I wasn't a huge searcher back in the day, I did use alta vista, ask jeeves, dogpile, etc (I'm forgetting a bunch..). Then google came along and I switched really quick, just way better (felt to me).

RE: text browser and no phone
--I finally caved on getting a smartphone, but how do you do w/o a phone? It's partially an emergency thing for me too, get lost somewhere, etc. If someone asks your # you just give email? And being on a text browser all the time, it takes more time...

Way to hang in there, socially I couldn't afford to not use certain tech. (you put yourself at a disadvantage by not using what's available). Gave up facebook, quit twitter real quick, tumblr sucked; reddit is good for now and I got a blog and linkedin for employment reasons. But people tell me I should get a facebook :/

Nick P
--Well, I wasn't a professional researcher then so I didn't know; probably on MSN messenger (cringe lol). Now I don't even need to use much of any special searching techniques; the all seeing eye google will get it for me almost every time. It's like an impulsive non-thinking action now to google something. :/

BoppingAroundNovember 30, 2014 5:21 PM

Justin,

> A few years late, and some of the details differ, but it really is beginning to feel like 1984.

If the g-men are stupid, then yes. I would not wager on that. They have to act subtler so they can poke other countries for being 'undemocratic' and try to appear as if they are the good guys.

What do we know about China? What I have heard about China is that they put titanic efforts into making the surveillance unnoticeable to most 'average' citizens so nobody would discuss it. Any attempts to openly discuss this particular 'problem' would be followed with severe repercussions proportional to the persuasiveness of your point. Another observation is that by exercising this total background control and from time to time delivering harsh demonstrational punishments to delinquents the Chinese government try to develop the habit of self-censoring in Chinese citizens.

These two observations sort of contradict each other. For the former I have some info that unless you are persuasive with your arguments, you can post almost whatever you want, you can even criticise the party etc. The Chinese government might know that the 1984-style approach may be not as efficient as more subtle ones. The latter hints they still rely on force and fear. Am I wrong here?

Sadly, I cannot assess the reliability of the source that provided this info.

BoppingAroundNovember 30, 2014 5:25 PM

[Off-topic] Figureitout,

> But people tell me I should get a facebook :/

I am curious: for what?

I have a number of acquaintances of various ages living in the States and Canada. A solid portion of them seem to make do quite fine without FB.

Bob StaudenmaierNovember 30, 2014 5:34 PM


I am seriously wondering how Bruce's security question:

"Fill in the blank: the name of this blog is Schneier on ___________ (required)"

is managing the 'Bots!

FigureitoutNovember 30, 2014 5:43 PM

BoppingAround
--A part of it is they want to "add a new friend" I think. Also all the photos and stuff, I tell people my phone # or an email is enough, but no...Like girls putting relationship status on it, can't do it w/ me lol; it doesn't compute in their heads lol...

I operate fine too though, can't crack my addition to google though. :/

Sancho_PNovember 30, 2014 6:25 PM

@ Clive Robinson, Nick P

“Which is why I was surprised that the NSA was --allegedly-- tapping into data comms cables to do with Googles back end servers without Google staff being aware of it.” Clive Robinson

Ouch, this is disingenuous, you were the first to know the reason ;-)
(if the rumor is true at all, I doubt it)

In real SECURITY the term “trust” is unknown.

This is why they are always one step ahead of us ordinary citizens.

.
@ Bob Staudenmaier

From some blogs in the EU I can say the simplest question still works here since years.

LemmeNovember 30, 2014 6:47 PM

I would like to know what everyone thinks about this book by Kim Zetter, apparently a best seller these days

Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon

WaelNovember 30, 2014 7:16 PM

@Bob Staudenmaier,

I am seriously wondering how Bruce's security question:...
Same here. This means the people running bots are script kiddies. Whatever works, I have no complaints. I was skeptical this tactic would hold longer than a few days and expected the moderator to change the challenge question periodically once a predetermined threshold of spam level was reached.

Long time ago, Echostar (Dish network using Nagravision crypto smart cards) kept the two decryption keys static for a couple of years. When hackers were able to decrypt the stream (using Atmel and Atmega micro controllers on extender cards that simulate the smart card or by updating the ROM on the cards through one of the backdoors they discovered,) Dishnetwork started rotating keys. By that time, hackers wrere able to log the stream and detect key rotation operations. Then Dishnet started changing one of the keys every two seconds (if I remember correctly.) By then, the hacking algorithm was modified to auto update the keys as well. Also keys were posted realtime on some hackers sites. One of them was dr7.com. There was a blogger there who reminds me of @Figureitout, and his name was "Automan", who apparently liked to watch certain channels while smoking stuff from his "bong"! I don't mean @Figureitout has a "bong" -- he just wrote using a similar style :) This was back in the early 90's.

BenniNovember 30, 2014 7:23 PM

https://netzpolitik.org/2014/live-blog-aus-dem-geheimdienst-untersuchungsausschuss-dr-stefan-burbaum-ehemaliger-g-10-jurist-des-bnd/

Acquiring a full take of the data from all german providers is, in the opinion of BND not a "collection"...

BND would not use tricks. Instead, they only do what they are allowed to, "with wanted side effects..."

Asked whether BND wants only data from germans, or everything instead, the spook says "wanting both (i.e all data from germans AND everything) does not exclude each other..."

There would have been no clashes with NSA, since both BND and NSA would have the same interests. In Bad Aibling, BND and NSA spooks are even educated together...

BND can tap 20% of the "network capacity" of german network providers, which means they make a full take of all domestic providers.

The spook finds it OK if BND gets a national security letter for a specific foreign target, monitors a provider, and then takes 10 calls from the target and also every other data that flows through the networks of the provider...

Moreover, they filter out germans, according to g10 law. Who is german or not is found out mainly by comparing the IP address.

This g10 data can only used for purposes of fighting terrorism or proliferation. But the data that is not selected by the g10 filter is called "routine data". And with this routine data, they think they can do everything.

The routine data is given to NSA automatically. They tried to hide this from the german providers from which they get their data. BND even gives data from foreigners to non-five eyes countries...

Apparently de-cix agreed to share data with BND only after it got a letter from the chancellery. The letter allowed BND to get the data, and BND then gave all data from foreigners to NSA...

In general, data that have no selectors get deleted immediately, but only when both communication partners are in germany. If there is one foreigner there, they keep that data. For example, americans do not get removed by filters, if no german ip address is involved...

A german may work for a foreign organization. Then BND taps everything, since this german then does not fall under g10 law. For example, BND is allowed to tap journalists working for a foreign magazine. The spook says he knows nothing about BND monitoring thousands of phone calls from workers of the world hunger help charity organization, even though BND admitted to have that data.

Asked whether non germans do not have privacy rights, the spook says, you would have privacy rights only when you are in germany or when you communicate with germans.

Asked whether foreigners have basic rights at all, and if BND would be allowed to kidnap foreigners, the spook says that the german law for the protection of communications would not hold for foreigners...

Asked that there were former judges from germany's highest court who had a different opinion, the spook says that he has the opinion of the highest court, but this court had not made a statement on that yet....

So it seems one has to sue them to clarify certain points

WaelNovember 30, 2014 7:46 PM

@Benni,

BND would not use tricks. Instead, they only do what they are allowed to, "with wanted side effects..."
This is predominantly caused by culture difference. In Germany, I think -- but could be wrong, if a politician puts a law in effect, say no one can drive more than 200Km/hr between 6AM and 8AAM and the citizens didn't like that, most of them will obey the law. But next term that politician will be axed. If the same situation were to happen in the US, a larger percentage of people would not abide by that law, and the politician would probably be there the next term.

Whoa! I counted seven "spooks" in your post! BND (Snow White) and the seven spooks (Dopey, Sleepy, Bashful, Grumpy, Doc, Happy, and Sneezy.) Good idea for a comedy movie script! I think I can write one and retire :)

WaelNovember 30, 2014 8:54 PM

Whoa! I counted seven "spooks...
"Snowden and the seven spooks" would be a catchier title. I'll wait till next year's movie script competition :)

Clive RobinsonDecember 1, 2014 12:28 AM

@ Wael,

I don't think "snow white" would rest easy on Ed Snowdens shoulders, so maybe a gothic horror movie evoking such classics as Poe's "Pit and the Pendulum" called "Snowblack and the seven spokes of hell".

To give it box office appeal maybe turn it into a fantasy and get Anjalina Jolie to do her "Bitch Witch" role (from Male-insufficient ;) as the person who pulls Alexanders strings, and put him in a gimp suit like they did for the evil tourturer in "FarScape".

Yup I recon it's lot lot more likely to succeed than the film on Asange (did anybody actually watch it?).

65535December 1, 2014 12:41 AM

@ Benni

I could only get about 25% of that question and answer document translated.

The title translates to:

Live blog from the intelligence committee of inquiry: "use legal powers with undesirable side effects"

Your second sentence says:

BND would not use tricks. Instead, they only do what they are allowed to, "with wanted side effects..."

Could you clarify that sentence? Did you mean “unwanted” side effects?

There is a huge difference between "wanted side effects" and "unwanted side effects."

WaelDecember 1, 2014 1:08 AM

@65535,
I believe Benni's translation is accurate. Don't use google translate; use this one instead:
Www.leo.org

Paste this into it: mit erwünschten Nebeneffekten
Google makes an "assumption" and "corrects the text entered" :)

WaelDecember 1, 2014 1:17 AM

@Clive Robinson,

the film on Asange (did anybody actually watch it?).
I watched it, but it seems I forgot most of it. Need to watch it again. I used to have a good memory, but I noticed that I forget most of the movies these days. Other things I can retain. Crap, I used to play blindfold chess at one point, but not anymore...

Gerard van VoorenDecember 1, 2014 1:18 AM

@ BoppingAround - November 30, 2014 5:21 PM

s/China/USA/g

Motivation:
- USA is not a democracy
- Snowden lives in Russia today
- 100,000 NSLs delivered by FBI guys
- Spying the EU Committee (both in Belgium and inside the UN building) for a considerable amount of time

Now that the word is out they don't deny it, but the Bush administration tried very hard (think the NY Times) and today the Obama administration is treating whistle blowers like dirt.

65535December 1, 2014 1:57 AM

@ Nick P

“Of course they're in bed with each other [Giggle + NS@].” –Nick P

That is true.

“Other revenues could be any number of things. They might make $10 mil or $4 bil from government with data like that. Useless. All the docs confirm is they are an economic powerhouse these days with profits over $10 billion.” – Nick P

Yes, due to size and method of accounting “other revenue” one cannot determine where said revenue came from.

Further complicating Giggle's 10K document is the possibility of netting of other revenue with the costs associated with producing said revenue. We don’t know if “other revenue" is gross revenue [gross checks or wire transfers from the government to Giggle].

Giggle's "other revenue" number could represent the offsetting costs of labor [including legal fees] and equipment to collect and collate said data for the NS@ [or other Agencies].

One oddity is the fact that ScrewTube in not included in the breakout of divisions of Giggle. One would assume that Giggle would want to show at least some income from SkrewTube – but, Giggle indicates that ScrewTube is “not material” in its financial data.

One would assume if ScrewTube did not produce a reasonable Return On Investment [ROI] that Giggle would divest it from it portfolio - like the Motorola acquisition. It's possible that ScrewTube is a large intelligence treasure trove. So, it is better to keep ScrewTube than divesting it.

JustinDecember 1, 2014 2:08 AM

@ Gerard van Vooren

s/China/USA/g

I don't know, if we want to point fingers at individual countries, we can, Australia, for instance, but it's really a worldwide problem.

It's ironic that Snowden lives in Russia: not a peep from him about SORM-2; just a formulaic exchange with Putin where the Russian president baldly denies anything of the sort.

People who think they're free of surveillance anywhere in the world are deluded. I guess it's a tense world situation between the Second Cold War and the Islamic State. Why the intense build-up of surveillance capabilities all over the world in recent years? Something worse than 9/11 to come?

Gerard van VoorenDecember 1, 2014 2:44 AM

@ Justin • December 1, 2014 2:08 AM

I don't know, if we want to point fingers at individual countries, we can, Australia, for instance, but it's really a worldwide problem.

No, it is above all an US problem. To be specific a remnant of the Cold War era that is now being focused to todays big scare.

There is no other country putting this amount of money into dragnet surveillance (NSA) than the US. Also no other country harmed the security of the internet / computing more than the US, again thanks to the NSA (and the C language).

People who think they're free of surveillance anywhere in the world are deluded. I guess it's a tense world situation between the Second Cold War and the Islamic State. Why the intense build-up of surveillance capabilities all over the world in recent years? Something worse than 9/11 to come?

I think you watch too many news. Ebola scared you too, I guess.

Btw, in case you don't know it, G.W.Bush himself dismissed the alarming info about the 9/11 threat.

WaelDecember 1, 2014 2:54 AM

@65535,
Google translate got me in trouble few times especially with Japanese and Chinese. I learnt the hard way.

thevoidDecember 1, 2014 6:09 AM

@Figureitout

--I finally caved on getting a smartphone, but how do you do w/o a phone? It's partially an emergency thing for me too, get lost somewhere, etc. If someone asks your # you just give email?

actually, i went over a decade without email either, got my first one in
forever a few months ago. i've gotten by so far without a phone, and what
does one REALLY need it for? i still remember they were the province of only
the rich, and the rest of us still managed to get by somehow..

also, i don't like being tracked everywhere. i assume for instance that all
my phone conversations are being recorded, and that they already know most
things about me and my beliefs, (do you think saying 'fuck the nsa' would get
you tagged? especially before most people had ever heard of nsa? i assume it
at least adds a few points), but there are still limits on how much i want
them to know if i can at all help it.

plus i like the idea that i can theoretically have a conversation without
assuming i am bugged. (although i assume any conversation i have is bugged
since i assume everybody has a cell phone.)

And being on a text browser all the time, it takes more time...

it shouldn't. all i have to do is load the page, which is at most a few
hundred kilos, don't have to download all the graphics. and my browser (w3m)
renders the page pretty well. mostly i just want to read anyway.

Way to hang in there, socially I couldn't afford to not use certain tech. (you put yourself at a disadvantage by not using what's available).

that's how they get you. humans are very social creatures, and being rejected
by the group (especially family) usually keeps people in line. that's the
trap, not many can avoid it, and usually then at a cost. so i guess there are
some advantages to having aspergers!

in my case, i don't have much family, and even then i'm not particularly
close to them, and if my friends didn't accept me as i am, they wouldn't be
my friends...

in the end, it's a matter of being willing to accept those disadvantages.
easy enough for me personally, since i try to live as simply as possible.
(can't remember what the year was when i was last at a movie theatre. when
was the first matrix?)

i am sure it will only get harder to not conform, but i always try to find
ways around things anyway. if i can't, i just do without. (as simple and
hard as that!)

BenniDecember 1, 2014 6:50 AM

@Justin: Snowden talked about sorm a bit: He said "I knew he [Putin] was doing the same [than Obama]." In fact that is one reason why Snowden has to go out of russia, then he can reveal what NSA sees in russian networks. For NSA, sorm is a nice target....

@65535
My translation is correct. Perhaps it would be better to say "with desired side effects"...
The interrogated spook is a BND lawyer. With this sentence, he asked a question whether it would be a "trick" to get some kind of national security letter for a single, specific target connected to a provider, and then use this to tap the entire communication of that provider (say, they were allowed to tap the communications of some terrorist using Vodafone, and then they grab all Vodafone data in germany with their letter)....

Getting everything, that is the new "targeted surveillance" of BND. This is quite problematic. It means that if you would restrict BND in the future to do only "targeted surveillance", they would just do what they do now. They are actually prepared for this... They currently use security letters for single targets in order to grab mass data of internet providers...

Mike the goat (horn equipped)December 1, 2014 9:39 AM

Figureitout re no cell phone: yes, it is incredibly hard these days to just abandon a cell phone. I guess if people were especially concerned and they lived in a medium density area they could organize a group of locals to deploy a metro mesh network. People can turn off the cellular radio of their device, switch on WiFi and then authenticate and then use whatever app they choose for VoIP or instant messaging (hopefully they choose wisely). How the mesh is setup is also critical - use 802.1x/WPA2 auth for the "outer" layer rather than leaving it as an open network as many MANs do for privacy reasons. You could also add a second layer, ie an OpenVPN or IPSEC VPN that ran inside the first layer.

But - no matter how deployed - you're not going to avoid surveillance by the Gman in the SIGINT car. Let's face it he will know the MAC of the wireless radio in your cell phone in no time at all and will be able to plot your comings and goings. Even so it is vastly preferable than the level of opacity that cell phone tech provides. At least you won't have an entry in the HMR nor have a stream of both data and switched calls which if tagged can be diverted to your adversary for analysis (yes we are assuming govt level adversary). Yes radiolocation is still possible using RSSI of the WiFi strength *but* they will have to bring their SIGINT vans down and use up resources to determine this.

BoppingAroundDecember 1, 2014 9:40 AM

Benni,

> Asked whether non germans do not have privacy rights, the spook says, you would have privacy rights only when you are in germany or when you communicate with germans.

[Sarcasm] Well, that's a step forwards, compared to what the GCHQ spook was saying.

ThothDecember 1, 2014 8:28 PM

@Nick P
The reason assurance never actually took root in people's mind is because of the benefits of no/low assurance (convenience and speed). It is a disease that have plagued the industry and the education with tonnes of IT people educated with that mindset of no/low assurance and also the thought that crypto is the magic silver bullet (when it is not).

On one hand, the Govt. wants to snap the back of high assurance and on the other hand they want to leverage on COTS high assurance. The weapons dealer takes his super sharp spear and beats against his super sturdy shield while making claims. That's what has become of the industry. In Chinese, it's called Zi Xiang Mao Dun (Beating own's Spear against own's Shield).

Deeply sick and deeply disturbing.

I am not gonna be surprise to see a ton of no/low assurance stuff making into the marketplace because of the lack of sufficient high assurance products out there available (due to Witch Hunt on high assurance).

JustinDecember 2, 2014 1:04 AM

@ Thoth, Nick P

It's hard to know where the government stands in regard to high-assurance software. DARPA supposedly envisions

... a set of publicly available tools integrated into a high-assurance software workbench, which will be widely distributed for use in both the commercial and defense software sectors. HACMS intends to use these tools to (1) generate open-source, high-assurance, and operating system and control system components ...

And there's that open-source "seL4" that should give them a start in that direction, but there has to be a catch somewhere, because I just don't see how the NSA would countenance a real, ground-up, open-source high-assurance system that the public could use for arbitrary purposes.

Myself, I feel that the open-source part of it is necessary (though not sufficient) for high assurance because otherwise, well, we're back to trusting the vendor that it has no backdoor ;-) But a lot of these defense contractors may have philosophies not very friendly to open source, and open source people on the other hand seem not that interested in high assurance so this may not take off.

And no, crypto is not a silver bullet when you have either no assurance or a low level of assurance for the systems on the endpoints that do the crypto and/or have access to the plaintext. However, properly applied crypto does enable one to transfer data between high-assurance endpoints over low-assurance pathways, and still maintain a high level of assurance over that data for its confidentiality and integrity, (though not a priori for its successful transmission.)

I like the analogy of beating one's own spear against one's own shield. In this case the weapons shop wants to simultaneously sell a spear that can pierce any shield, and a shield that can stop any spear. I don't think the government really sees the contradiction here.

FigureitoutDecember 2, 2014 2:15 AM

Wael
--Whatever bong-smoking person you're talking about isn't me; so coincidence or "you're seeing things", put the bong down monkey brain! :p

thevoid RE: no email
--How...? I mean, no need to answer for personal reasons, but do you have coworkers you need to talk to or you just do it all at work? Perhaps from earlier age when there was no internet you set up your work life? I've only known 1 person how didn't own a cell and he was pretty sociable otherwise. People will look at you funny if you tell them even a tiny moderately secure protocol to follow for contact. What sucks is once the account is compromised, you don't want to lose all your contacts so you may tell them a new address, which will just link the chain to the old attack.

And in this sh*t economy, you have to put your name out and contact people in extremely insecure ways...F*cking dumb, then they get nervous if you try to set up just semi-secure comms...And since it's become so taboo to set up secure comms, it becomes more fun lol...makes me want to concoct more twisted ways to...

On the text browser, I mean, so much crap on web. I suppose lots of sites not worth reading get too much crude loading anyway. Text sites are better usually...I'd want a VIM-based browser, that's my fave text editor, or even GVIM rather than Emacs. I need a few more computers for that though for a separate browsing.

Mike the goat (boner in hand? :p)
--The cell is useful to store documents to read (kind of hard, almost need a tablet) or pictures as the cameras are getting ridiculous; obviously I don't care what people see me reading if I can't prevent it anymore so long as the documents aren't altered, which will really piss me off. For my blog I want to get good pics of hardware as I was getting blurry ones before so I was going to use a magnifying glass and my phone camera and I thought it'd work then on reddit someone used binoculars and a camera to get a close up pic; so that's sweet, it probably will. Just want a microscope camera but maybe I can just put the camera lens up to the microscope lens lol...

Working on a OpenVPN (just had another vuln... https://forums.openvpn.net/topic17625.html ) setup amongst my other projects combined w/ a logging PC w/ Wireshark using a homemade net tap. What I really want is true one-way data flow, but that'll take some time dealing w/ UDP. Then need to research securing the connection "from the start", really separating my connections and trying to make a router firmware non-upgradeable w/o holding a button. I have a few cells which I still need to root (got to be careful) and they can be separate encrypting devices or mobile encrypted storage (better than my graphing calc lol) or even simple proxies. Was working on a TP-Link router, which was only $20 and had nice antenna connectors for a yagi, but it wouldn't use DHCP, kept wanting static IP and wouldn't connect to my AP. Would only get packets transmitted but not received (but then transmitted like 20 packets, WTF...)...Can't work on until winter break cuz school...grr...f*cking surface integrals.

And the SIGINT guy in the van down the street, I can feed him porno crap and other crap (fart in their bugs); but also there's a lot of radio chips now and you can flash away the ID's. Not ideal nor straightforward and easy but it'll get the job done. The specs of the radio can be found on FCC website anyway (got a key fob freq. that way and protocol hints). Regardless the Gmen can be avoided by constantly moving and maintaining OPSEC; and it's not like I have much anything threatening to say besides working secure tech that can be used by the Gmen themselves...My ordinary life is too boring to be spied on unless you're obsessed w/ me and mentally ill, Idk...

Clive RobinsonDecember 2, 2014 3:04 AM

@ Thoth,

The reasons for low assurance are many, and in the early days the cost was effectivly "impossibly high" to do high assurance in the available computer hardware, or to be practicaly usable.

As time went on computer hardware costs dropped and speed went up, but even for the most secretive of Government Organisations they did not "waste the gains" on high assurance. Part of the reason for this was that the "legacy security systems" put in place because high assurance was so impossibly high priced. They had gone for "perimeter security" putting fully guarded pressurized conduits etc in as it was considerably cheaper... and thus upgrading the center hardware made no real difference to the security. Thus wasting increased memory and CPU cycles on high assurance was not going to get much favour...

Each time high assurance could have come on the scene in the last century there was always either a legacy system or other external measures that would be a cheaper option. But to make it worse the users got the "bells and whistles" the marketing guys were giving to sell commodity systems, and there are many old sayings/saws about not taking candy from children, they were not going to give them up especialy when they could argue it made them more productive.

There was also another hidden problem that still exists to some extent today and that is "mixed security levels" in a heterogeneous environment. The problem is the more we discover about security the more difficult to impossible this becomes due to the likes of side channels etc. Seemingly the only practical or cost effective soloution boils down again to perimeter security where one security level network is physical seperated and guarded from all other networks. Where traffic has to cross from one network to another it is often done by protocol specific guards, pumps or sluices. And it is at these rare points high assurance has found it's niche and is likely to remain for not just cost and practical user reasons but physical security reasons as well.

One reason of which is perimeter security is still despite the eye wateringly high cost of SCIFs and other EmSec and physical security a more reliable, understandable and practical as well as maintainable way of guaranteeing the required level of security than ensuring not just that every device is high assurance but covert channel free as well.

The current reality is high assurance is only effective in highly constrained devices used to provide very limited functionality. Thus only appropriate where "Chinese Walls" are required to be crossed in a controled and secure way.

The simple fact is that "end point security" is very hard to do at the best of times. And the more functionality in the end point the greater the complexity becomes (because of the N^2-N relationship set issues).

As for communications security although Ed Snowden is correct with the "encryption done right" comment, few people realise just how difficult the "done right" bit is, and this includes many academic cryptograhers. Comparatively speaking making a crypto algorithm "theoreticaly secure" is much easier than making it "practically secure" in one let alone all implementations, and it's this issue that is the current way the NSA, GCHQ etcs "keep the lights on" and have done since long prior to WWII as I've indicated in the past.

Which is probably known to the FBI as well which is part of the reason they might be trying "ancient law" on the likes of Apple. Also it's an interesting PR ploy, if the FBI don't "touch the slab" and get Apple to do it, then any failing is Apples which ever way you want to spin it. Just recently in the UK we have had Malcolm "rockets" Rifkind --chairman of the UK Intelligence and Security Committee-- blaiming Facebook for the fact that an off duty soldier was hacked to death. In his twisted little logic it was not the failure of the UK IC who had the murderers under surveillance for some time, but that of Facebook because they did not monitor all the Facebook accounts and voluntary had over a message (which in all reasonable probability would not have stopped the attack from happening anyway). Unfortunatly most of the UK press swallowed the Rifkind nonsence and blaimed Facebook.

I fully expect such "end user service provider" attacks by politicos with vested / on the take interests to continue. Such that the companied either fall in line with the "nut job / on the take" views of the likes of Rifkind and May or they get demonized, such that they go out of business due either to popular revulsion or that there is no popular campaign against changes to the law that would force the companies into line...

This "government access issue" has been going on for some considerable time, as can be seen by such companies not being given "common carrier" status and thus getting treated as "publishers" with joint responsability for what users say and do. Various government representatives trot out the "think of the children" or other such emotional blackmail for what are often false or extream edge cases as a way to distort the public view point away from rational consideration.

WaelDecember 2, 2014 3:07 AM

@Figureitout,
M-m-m-Monkey brain? Moi? Lol.
Re: Surface integrals: wait until you see hyperbolic functions. Cosh! They are a synch ;)

Text sites are better usually...I'd want a VIM-based browser, that's my fave text editor
Where were you in the early Nineties? You would have loved Gopher, Archie, and Veronica!

Clive RobinsonDecember 2, 2014 3:42 AM

@ Wael,

So now you are classified as a bong smoking monkey brained individual with an unhealthy interest in Coshes, expect a white van in your future any time soon ;-)

Mind you it could have been worse if I'd used "reptile brain", you would be "scally and slithery" not "cutesy and cuddly" :-)

Mind you somebody on this blog once thought I looked like a Klingon... The reality is I'm told by a close lady friend, that I look more like Voltan from "Flash Gordon" but a bit larger and more cuddly than Brian Blessed... still not sure if it's a compliment or an insult...

WaelDecember 2, 2014 5:32 AM

@Clive Robinson,

expect a white van in your future any time soon ;-)
And I see a pain specialist with a couple of steroid injections that may help ease your pain in the near future. Perhaps you should beat your destiny and go see one :)

Mind you it could have been worse if I'd used "reptile brain", you would be "scally and slithery" not "cutesy and cuddly" :-)
And looks too... Neither brain, nor looks? I say spread your love and leave that for another person :)

Nick PDecember 2, 2014 9:18 AM

@ Justin, Thoth

The government's position is a paradox. It's resolved instantly when you remember "the U.S. government" only exists on paper: the reality is it's a number of individuals and agencies with their own goals, funding, rules, etc. There are organizations that want to improve security of our products or at least the government's. There's been a steady stream of papers and products produced to that end with government funding (esp DARPA and NSF). There's also organizations that want everything either insecure or backdoored (esp NSA/FBI/CIA). Both types of organizations operate simultaneously. We benefit from this schism because at least one might help us.

There's one more side to it. The legislation that allows NSA to compel backdoors means that they can compromise even high assurance systems if they're sold in the U.S. The licensing requirement can be used to do the same on those exported. The ISA and CIA partnerships are used on the foreign targets. So, the NSA isn't so worried about organizations that fund high assurance systems if they can just tell the vendor to put a backdoor in. Or members of the open source team to slip in some vulnerabilities that look like coding mistakes. Or get one of their 20+ supporting governments to use their own laws or organizations against an individual to derail their project.

Clive RobinsonDecember 2, 2014 4:42 PM

@ Wael,

Hmm you are now admitting to being a Sin-her with a Cosh, can it get any worse? ;-)

As for somebody giving me the needle, the last time they did that sort of thing was nearly my last day of mortal existance, a bunch of clots formed and went straight for the vitals... so it's not something I care to repeat in a hurry.

With regards "looks" if you look "cutesy and cuddly" your probably home and dry with an regular "squeeze" to keep you warm ;-)

NateDecember 2, 2014 4:49 PM

Ars Technica is reporting on a new report from 'Cylance' claiming critical infrastructure networks in 16 countries have been rooted by hackers. The discover is codenamed 'Operation Cleaver' and the finger is being pointed at Iran.

http://arstechnica.com/security/2014/12/critical-networks-in-us-15-nations-completely-owned-by-iran-backed-hackers/

An 86-page PDF report here:

http://www.cylance.com/operation-cleaver/
http://www.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf

"Since at least 2012, Iranian actors have directly attacked, established persistence in, and extracted highly sensitive materials from the networks of government agencies and major critical infrastructure companies in the following countries: Canada, China, England, France, Germany, India, Israel, Kuwait, Mexico, Pakistan, Qatar, Saudi Arabia, South Korea, Turkey, United Arab Emirates, and the United States. "

"Operation Cleaver has, over the past several years, conducted a significant global surveillance and infiltration campaign. To date it has successfully evaded detection by existing security technologies. The group is believed to work from Tehran, Iran, although auxiliary team members were identified in other locations including the Netherlands, Canada, and the UK. The group successfully leveraged both publicly available, and customized tools to attack and compromise targets around the globe. The targets include military, oil and gas, energy and utilities, transportation, airlines, airports, hospitals, telecommunications, technology, education, aerospace, Defense Industrial Base (DIB), chemical companies, and governments."

"Persian hacker names are used throughout the campaign including: Salman Ghazikhani, Bahman Mohebbi, Kaj, Parviz, Alireza, and numerous others.
•Numerous domains used in the campaign were registered in Iran.
•Infrastructure leveraged in the attack was registered in Iran to the corporate entity Tarh Andishan, which translates to “invention” or “innovation” in Farsi.
•Source netblocks and ASNs are registered to Iran.
•Hacker tools warn when their external IP address traces back to Iran.
•The infrastructure is hosted through Netafraz.com, an Iranian provider out of Isfahan, Iran.
•The infrastructure utilized in the campaign is too significant to be a lone individual or a small group. We believe this work was sponsored by Iran

Is this the second shot in the cyberwar started by Stuxnet/Duqu, or an NSA/GCHQ false flag?

JuliusDecember 2, 2014 6:09 PM

@ Nate

The keyword is ''circumstantial evidence.'' North Korea is blamed, using the same logic, for Sony Pictures.

Another phrase that comes to mind is ''Never let a good crisis go to waste.''

JuliusDecember 2, 2014 6:21 PM

@ Figureitout

''Guy in the van down the street'' is the only person, I can think of in this entire neighborhood, who doesn't carry a cellphone. Bye the way, girls don't like those type of jobs.

JustinDecember 2, 2014 6:56 PM

@ Nick P

Thoth just mentioned that.

28 U.S. Code § 1651 (a)

The Supreme Court and all courts established by Act of Congress may issue all writs necessary or appropriate in aid of their respective jurisdictions and agreeable to the usages and principles of law.

If they have a search warrant, and it is "necessary or appropriate, etc." they apparently can order a third party with this writ to provide reasonable assistance in carrying out the search warrant. But if Apple or Google doesn't leave a back door in the device encryption and nobody can get in, then this writ isn't going to help.

And I don't see how this All Writs Act can force Apple or Google to provide a back door in the device in advance of any suspicion or probable cause. They are trying to apply this old law, and they're putting the cart before the horse.

ThothDecember 2, 2014 8:58 PM

@Nick P
Hey I did, I did (waves hands) :D .

But it seems it is much circumstantial. They can use an old law but if you notice the rule is very abstract and not detailed. It was made in the 1700s with no concept of modern digital security technologies and a period where crypto are mostly obscure and only known to well funded militaries and Governments.

It is just yet another PR to bring out some spotlight again. Same old tricks. If the smart phone cryptographic keys are properly secured where the device or the phone makers can proof zero knowledge of the encryption keys and the encryption keys are properly managed, even if Apple/Google/Samsung/HTC/Motorola ...etc... were to be smacked with decryption orders, they will not have the keys to do so and for users to reveal their keys might run up against the US Constitution (in US territories).

The only way they could successfully implement and force decryption is via backdoors and golden keys and that would bring us back to the many backdoor/golden keys topic in this blog.

It will be massive thoughtcrime witch hunt and it's gonna be another Minority Report kind of situation.

ThothDecember 2, 2014 10:54 PM

@Benni
In a mood for sarcasm:

"NSA has a "natural interest" in hacking police databases that they developed themselves for european police departments"

Which should be:

"NSA has a "natural love" in revisiting their dear police databases that they developed for their "kids" ".

:D . Sounds so much better. It ain't hacking because they made them anyway. They just use a spare key to enter the lawn.

WaelDecember 2, 2014 11:22 PM

@Clive Robinson,

Hmm you are now admitting to being a Sin-her with a Cosh, can it get any worse? ;-)
Par for the course! Isn't that what primitive (cave) man did? Speaking of "caves" -- like the one you have, you're really lucky your name isn't dave, or I would have paid you back in full with a complete set of limericks. That's how it can get worse ;)

WaelDecember 3, 2014 1:16 AM

So how do you handle deaf/dumb "bad guys" that communicate in sign language? Wait a second, there is an idea! Forget voice to text. How about video cameras that read lips? That oughta be more efficient and can also easily target an individual. New technology: Lips to text (or even lips-to-voice). Gives a new meaning to the term: "From your mouth to god's ear". Now it'll be: "From your mouth to the ___'s ear" (your favorite Spook organization goes in the blanks)

Clive RobinsonDecember 3, 2014 2:04 AM

@ Wael,

The pictures a fake for thee reasons,

1, I have a beard.
2, Blond hair was unknown back then.
3, It was back then as we still see in what we call "primitive" cultures the women that selected/subdued the men.

Oh and the second lime in the limerick should be,

    Kept a Red Dwarf in his cave

Any way you could accuse me of being tight fisted, books do actually make reasonable insulation, thus "Knowldge duth protect in many ways..." :-)

Mind you your sockpupet name does remind me of a line from the Dire Straights song Money For Nothing.

WaelDecember 3, 2014 3:32 AM

@Clive Robinson,
Increasing security by expanding the search space, as always...
This Red Dwarf book?
This line: Bangin' on the bongoes like a chimpanzee?

WaelDecember 3, 2014 3:38 AM

Dang! I meant to put this:

So how do you handle deaf/dumb...
in the "The Future of Auditory Surveillance" thread!

MapesDecember 3, 2014 4:17 PM

@ Bob S re: HIPPA. As someone who works in the medical software industry I feel that HIPPA is actually written decently and no, I seriously doubt it's for government data mining. I work for a company who makes a HIPPA messaging system. The law mandates security but, the type and how its implemented is left to industry best practices.

sena kavoteDecember 3, 2014 5:08 PM

Faster way to view risky emails with unaltered OS

One could boot up live DVD Knoppix or TAILS Linux after every email. But faster way is to use 3 computers and network boot. One fileserver boots up computer A and B. First email gets viewed in A, then A is rebooted while second email is viewed in B, then B is rebooted while third email is viewed in A... This 2 phase cycle repeats until all emails are handled.

Maybe have hard disks on A and B just for sometimes checking if some malware has altered them in an attack attempt. Put to A and B Ubuntu Linux that looks at least slightly used.

To have a better chance of getting newer malware infected and trapped, use also, in dual-boot, a more fresh Linux distro like Arch or Manjaro. Save bit-to-bit copies of those hard drives to external drives (stored in a closet or under a mattres or buried in desert or forest...). Compare sha512 hashes sometimes and if there is mismatch, use the exact copies to locate the malware.

File servers as "firewalls"

Related to previous. File server with 1 or 10 gigabit ethernet could act as firewall for your hard disk. Write and read permissions for /boot, /usr/bin, /etc, /var, and /home directories / folders could be enforced very reliably and flexibly. Logs and summaries of reads and writes would be much more trustworthy than with local storage. File server could be raspberry pi with 500 GB external spinning hard disk = 100 to 200 euros or dollars. Or cheapest Intel NUC with that disk = 300 to 500 euros or dollars.

Nick PDecember 3, 2014 6:32 PM

@ sena kavote

re email

The instance per email idea is too inconvenient. It would have to be a system with instant boot (of browser and all) from read-only flash. The various virtualization and sandboxing schemes being researched are better for something like you describe.

re file server

This idea has been done before in a number of ways. Shows it can be good. The problem is the easy route is to use a file server like NFS and they have issues. It would have to be a custom job. One product put a reference monitor in a device in front of the hard disk that did access control for reads/writes per partition, password unlock, recovery, etc. Others like jVPS improve security of disk security (including availability) by putting security-critical components in a protection domain on top of microkernel to reduce TCB. Another option is to put the protection in a dedicated SOC whose hardware circuitry automatically applies protections, but can be controlled by user via onboard trusted path.

Many options. The important thing is that the protection mechanisms must be simple, the TCB small, the new construction at least as safe as a regular (battle-hardened) filesystem, block known attacks, and a trusted way to interact with the administrator.

ThothDecember 3, 2014 9:58 PM

@sena kavote, Nick P
Wouldn't it be better if a trusted hypervisor with a trusted microkernel boots discarding images of OSes and each email instance per image instance. I am referring to seL4 with multiple Linux instance spawning. Of course seL4 should not be treated as a silver bullet so a trusted hardware, lifecycle and all those comes in to make it CC EAL 7+ but for now, the poor man's option is probably to try and get a seL4 on some DIY chipboard although it wouldn't be high on the CC EAL levels but at least it is something.

ThothDecember 4, 2014 3:35 AM

@Adjuvant
I have considered about the legality of use of firearms. In some countries it's pretty unlikely to own one (use a stick would be possible). Damage to "property" and all that laws.

Sticky issue as usual.

thevoidDecember 4, 2014 7:06 AM

@Figureitout

it all depends on what you are willing to do without. it's still possible to fall through the cracks, for the time being.

in my case, it helps that i live like a monk (and thats about the only way you probably can). "he who possesses little is that much the less posessed." nietzsche said.

honestly though, i actually enjoy getting by with less, i make do with what i have, and do everything myself if i can. i was born poor, so i have some training, but even when i was making good money it was something i embraced.

i don't 'work' right now (in the 'real world'), partly because i have elders to care for (mom&gmom), but also, there are some types of work i am not interested in. i have aspergers, which means among other things sensory sensitivies and social difficulties, so working in something like an office is physically straining for me (and mentally, i can't stand god damned bullshit human drama). i used to get crushing headaches (among other things), and years on (and away) i am much better, and i certainly am not going back to that. hard labor is easier, much less straining (not a joke).

there are also many ethical and moral restrictions i have about working within the system, but that's another story.

but setting aside people who work for the sake of it (work as an end to itself), and considering work done for a job, such work is a means to live one's life (the 'pursuit of happiness').

enjoying life doesn't (shouldn't) have to require the system.

i mostly rely on knowledge to glean/scavenge, and one can live pretty well with the proper knowledge. for instance my favorite tea is sassafras*, which i wouldn't even know where to buy, but it grows almost like a weed.

there are also some berries (worth looking up) called 'japanese wineberry', a very sweet and juicy rasperry. everyone i have ever given any to have absolutely loved them, and you should see how excited the neighborhood kids get over them when i bring them some from the woods. no store sells them, and everybody tells me that they are better than anything they've ever gotten at stores.

you can live pretty well without the system.

even medicine... my neighbor was prescribed milk thistle, a common weed. if people knew that they could cure themselves with a weed growing out of the cracks of the highway, where would the pharmaceutical companies be?

then there's trash picking.. there's often a stigma attached to scavengers, but since some tend to be among the most intelligent and even beautiful creatures in nature, i ignore it. hell, if i don't pick it, it just ends up in a landfill anyway.

i live in a pretty good neighborhood too, so some people throw some interesting stuff out. found a complete encyclopdia set in like-new condition. just got a giant hi-def tv a couple months ago, although i really don't know what to do with it, since i only really watch documentaries. not to mention computer equipment, flower pots, etc even found some good books on serial (port) programming.

(a side note: the best stuff is always on top or in boxes, and it's pretty sanitary, all things considered. electronics particularly are usually the last things to go out, and are usually just laid on top)

so after all of this, if you pay for only what you absolutly need to, you don't need much money. besides food, the last thing i bought was a hard drive.

granted, i don't have to worry about some expenses right now. which gives me some freedom to study, so that's what i invest my time in.

there are resources all around if you have the proper knowledge to identify/exploit them. i know enough about minerals that i can find valuable ones (as i have). there are valuable things all around, but nobody knows how to identify them. people walk by medicinal plants all the time, sometimes they 'weed them out' of their gardens, none the wiser.

knowledge is power.

my aim is ultimately extract myself from this collapsing world. been studying biology and soil science too, moving forward i plan to do farming. still have more learning to do though...


*a side note, sassafras was also the main commodity sought after by the english leading to the jamestown colony.

BenniDecember 4, 2014 7:41 PM

NSA hacked itself into 70% of all cellphone networks in the world. It is spying on the employees of cellphone companies and the gsm association in order to get information about cellphone encryption. That way, NSA can decrypt communications from cell phone networks long before they reach the market:

https://firstlook.org/…/…/04/nsa-auroragold-hack-cellphones/

2/3 of the traffic that BND intercepts is apparently from filesharers http://goo.gl/CE9v8E And now one can only hope that they do give this information to the hundreds of copyright lawyers and law enforcement agencies in germany.

And the NSA investigation comission found another spook lying to them

http://www.heise.de/newsticker/meldung/Neuer-Eklat-im-NSA-Ausschuss-BND-Agent-der-Luege-bezichtigt-2481082.html

ThothDecember 4, 2014 9:02 PM

The Powers That Be feels that we, the grunts, do not deserve freedom and security so they start to attack almost everything and that includes mobile service providers.

Link: http://www.theregister.co.uk/2014/12/04/snowden_files_show_nsas_auroragold_pwned_70_of_worlds_mobile_networks/

A5/3 stream cippher should have been cracked by NSA/GCHQ/BND ..etc.. a long time ago. I think it's just smoke and mirror thingy sugggesting to us that A5/3 has not been cracked by them yet. Mobile carriers should switch to more robust Salsa/Chacha stream cipher technology and stay away from weaker technologies. If it's for low powered/RFID stuff, Trivium and Grain should do the trick for stream ciphers and PRESENT cipher for block cipher modes or maybe setting PRESENT in CTR mode for streaming block cipher (emulating stream cipher) mode.

NSA's TTTC slogan:"Predict – Plan – Prevent". Hmmm.. predict latest security innovation, plan on countering/inhibiting security innovation, prevent security innovation and achieve world hegemony.

BenniDecember 5, 2014 2:29 AM

@Toth, In these comments

https://www.schneier.com/blog/archives/2014/11/friday_squid_bl_452.html#c6684084

I have written something on this. Interesting is the example with Africom demanding access to Libyan phones that is managed by NSA.

Africom is the NSA station that creates the disposal matrix and executes the drone strikes for Africa....

So basically this network of hacked cellphone providers is a large threat. "We kill based on metadata", said general Hayden. The US have stealth drones. They could, in principle, intercept a call of somebody in an European or Asian country and then fly a stealth drone at night to this location in order to fire a missile...

Every one of these cellphone networks was hacked because it is believed by NSA to connect to "target" persons. The word "target" is meant literally here, and what is done to these targets can be considered to be a police call only in less severe cases...

They have created a worldwide network that enables them to launch assassinations

ThothDecember 5, 2014 3:10 AM

@Benni
Maybe they could modify it to launch ICBMs (hehe :) ) or some other missile systems to just eliminate indiscriminately simply based on cellphone signals. That's dangerous... very dangerous.

We should just use desk phones over landlines.

BoppingAroundDecember 5, 2014 9:58 AM

> The Powers That Be feels that we, the grunts, do not deserve freedom and security so they start to attack almost everything and that includes mobile service providers.

I am quite impressed by the grand insolence of these relatively small groups crapping on the whole world and getting away with it. I am even more astonished by endorsement of these actions by those who the insolent ones crap on.

Thanks for the links.

FigureitoutDecember 6, 2014 1:42 PM

thevoid
--Oh believe me, you don't have to tell me about "doing without". I still no doubt have far too many "crutches" and "weaknesses" that prevent me from living w/ pride, which I can only widdle down slowly over time. The only way to "live like a monk" is w/ a strong mind and meditation. Visiting my grandma I get to see what it's like getting off the grid (even though it's developed a lot and we even got a neighbor house now..). I think it's a strategic piece of land for the apocalypse as it has first a running stream right thru it, then 2 natural springs to tap (used to be where drinking water was from, straight from nature no chems/filters). Also has a lower level and elevated field, my vision is a bunker built into that hill, and also putting antenna up there for comms. Under thin soil though is lots of bedrock. Has two primary entry points to monitor for vast majority of intruders; others can be taken care of w/ bear traps & nails on a board (ouch..).

Yet here we are, conversing over the largest most insane and insecure network ever...And the younger you are, the more screwed you get. As others know, more and more school work is getting online (have to use Adobe Flash) and some are even linking w/ facebook...

RE: scavenging
--There's enough wild berries on that land I was telling you to get bucket fulls of black/red berries, just have to get them before the birds. Landscapers I used to work w/, we pulled weeds all day, but apparently there was an edible weed and they made something w/ it, didn't try it lol. Guess where the chair I'm sitting on now came...from roadside, I only worry about what previous owner did w/ it...Also a working lawn mower which still works like 2 years later. It's just re-using something still good, and save money. However I am a bit of a hoarder when it comes to electronics, and I always want more...need certain knick-knacks usually(cables and connectors). So hamfests/computer expos I have to take only cash so I don't spend too much.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.