Friday Squid Blogging: Recreational Squid Fishing in Washington State

There is year-round recreational squid fishing from the Strait of Juan de Fuca to south Puget Sound.

A nighttime sport that requires simple, inexpensive fishing tackle, squid fishing, or jigging, typically takes place on the many piers and docks throughout the Puget Sound region.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on December 12, 2014 at 4:32 PM • 149 Comments


AlanS • December 12, 2014 4:58 PM

So much for reform and reining in the NSA. While everyone was distracted by the Torture report, it appears the Senate Intelligence Committee slipped an amendment into the Intelligence Bill.

I already referenced this in last week's Friday Squid post here but it should probably be here as it happened this week.

Not much coverage in the media. Here are some additional links:
Congress Quietly Bolsters NSA Spying in Intelligence Bill
Congress passes expansion of surveillance without a warrant or oversight

Daniel • December 12, 2014 5:17 PM

@Alan S....TY. I was wondering what specific machination was being hidden by the release of the torture report and now I know. Bastards.

In any event, the state of Iowa is making their driver's licenses digital.

I just keep thinking to myself why would any sane person put such sensitive information as their height, weight, picture, and ID number all in a place that everyone agrees is inherently insecure. It seems almost criminal in its recklessness.

Rick • December 12, 2014 6:23 PM


I came here to post the same news, and I am glad to see it posted as the first comment on this week's 'Friday forum'. It is vitally important that everyone be aware of this development.

I'm not an attorney, but I can't imagine that such language passes muster in the Supreme Court. But then again, the powers that be might prevent a test of its legality from ever progressing that far, and in the meantime, a lot of damage will have been caused.

Oh, and for what it's worth: Dianne Feinstein, chair of the US Senate Intelligence Committee, is upset about a congressional IT asset being breached by the CIA, calling the act "unconstitutional". Such hubris. Dystopian, even. She would do better with an exorcism than a vacation. Time to stock up on batteries and water purifiers; we can't survive as a nation with leaders like this in positions of real responsibility.

Nick P • December 12, 2014 7:02 PM

@ Rick, AlanS

I just finished reading the full Feinstein statement that's embedded in that link. It's worth reading because it gives detail on the CIA's "hack" of Congressional systems. It's also well-written in general and I hope it inspires some action to rein the spooks in a bit. I said before that Congress would have to be hit some way and take it personally before they'd do anything. Still no guarantees.

At least you know yo're Free • December 12, 2014 8:06 PM

The CIA torture report makes it perfectly clear who runs this country. CIA puts out a 500 page report on their crimes against humanity without ever saying whodunit. They choreograph hammy amateur blowjob speeches from their putative boss Barack Obama, their oversight body, and the fourth estate. The proles get a couple of news cycles to go tsk tsk or OMFG or whatever, the Himmlers and Goerings and Mengeles at Langley pretend to give a shit, and your local CIA liaison at the state police barracks or the police station or the fusion center issues the cops some more tanks. Brennan gets another medal to play with in the vault. Cheney makes exaggerated jerkoff gestures in your face and laughs until he gets a coughing spasm and has to stop.

Casual Friday • December 12, 2014 8:07 PM

The theatrics that have gone on with the report on CIA Enhanced Interrogation Techniques have been disappointing to me. We all knew what was happening back when it actually was happening. Making an issue of it this far after the fact seems like political theater. Right or wrong it's in the past and for anyone who was in the know back then to stand up and get all self righteous now seems misplaced. I'm not saying the treatment of those prisoners was the correct approach, but I don't see what we have to gain by bringing it back to the forefront geo-politically.

Rick • December 12, 2014 8:27 PM


I, too, read the 11 page Feinstein statement. What struck me (initially) was 1) her office seems to be fighting a turf war with the CIA; I presume that the grandstanding quotes in the media about the computer breaches being unconstitutional are part of her strategy to gather political inertia against her enemy, 2) some of the subtle phrasing indicates to me that her office suffers from a genuine and disconcerting desire for control, and, to be more blunt, a dangerously large ego but can, at times, wield the power to back it up.

In reference to point 1, specifically, the CIA is launching its own allegations to create a smokescreen:

From page 8: "In place of asking any questions, the CIA’s unauthorized search of the committee computers was followed by an allegation—which we have now seen repeated anonymously in the press—that the committee staff had somehow obtained the document through unauthorized or criminal means, perhaps to include hacking into the CIA’s computer network"

Your speculation that Congress would have to be "hit" before action is taken is astute. Congress is too isolated from the genuine constituents to behave as a constituent might. Surely, the enemy of my enemy is my friend. Right? One way to satisfy the intelligence community's appetite for the 4th amendment is to have two enemies devour one another as we all observe from the gallery, nodding in approval. A better plan couldn't have been designed. If it works.

However, I don't mean to detract from the conversation, but rather, I need to make a cynical observation that Congress has never-- and likely will never-- want to be treated as an average constituent is treated:

You'll have to force them to take their medicine. Or turn them to cannibalism.

I am reminded of this:

"...if the citizens neglect their Duty and place unprincipled men in office, the government will soon be corrupted; laws will be made, not for the public good so much as for selfish or local purposes; corrupt or incompetent men will be appointed to execute the Laws; the public revenues will be squandered on unworthy men; and the rights of the citizen will be violated or disregarded."

Noah Webster (1758-1843)

GCHQ Elm Guest House Station • December 12, 2014 9:46 PM

@Thoth, Don't worry about GCHQ. GCHQ, like NSA, needs two kinds of people, creeps and dupes: power-mad creeps to collect your children's sexts and claw their way to the top; and well-meaning dupes to be snookered into crime by compartmented tasking. UK has plenty of creeps - well-born pedophiles run the country. They have all the dupes they need - the UK conned Scotland (the part of the country with whisky and oil to sell) got them to stay in their pathetic little NATO satellite state and hold still for more and more austerity.

65535 • December 13, 2014 4:23 AM

@ AlanS

I agree. This bill is very troubling.

I see a pattern of abuse whereby we are distracted with the “CIA torture” report and then hit with an eleventh-hour "2015 Intelligence Authorization Act" which is crammed down our collective throats.

‘John Conyers warned that the provision "grants the executive branch virtually unlimited access to the communications of every American."’ – nextgov

It looks like he was correct.

Amash observes that "In exchange for the data retention requirements that the executive already follows, Section 309 provides a novel statutory basis for the executive branch’s capture and use of Americans’ private communications." ...Amash tells us that "The section contemplates that those private communications of Americans, obtained without a court order, may be transferred to domestic law enforcement for criminal investigations."


“Criminal investigations, such as... how long before the entertainment industry convinces law enforcement agencies to take a very broad interpretation of "criminal investigations" when considering how to use these newly-enacted capabilities to conduct "criminal investigations" (into alleged copyright infringement?) Or anything else, for that matter.” –cyberlaw.stanford

More alarming is the language in Sec. 309 allowing warrantless recording and retention of “enciphered communication” which assumes all mobile phone ciphers A5/1 to A5/3 and all HTTPS communications from every individual in the USA [possibly including: lawyers, doctors, bankers, politicians and local law enforcement].

Sec. 309 [new language]

"Covered communication

"The term covered communication means any nonpublic telephone or electronic communication acquired without the consent of a person who is a party to the communication, including communications in electronic storage…


"The procedures required by paragraph (1) shall apply to any intelligence collection activity not otherwise authorized by court order (including an order or certification issued by a court established under subsection (a) or (b) of section 103 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1803)), subpoena, or similar legal process that is reasonably anticipated to result in the acquisition of a covered communication to or from a United States person and shall permit the acquisition, retention, and dissemination of covered communications subject to the limitation in subparagraph (B)…

"Limitation on retention

"A covered communication shall not be retained in excess of 5 years, unless—

"(i) the communication has been affirmatively determined, in whole or in part, to constitute foreign intelligence or counterintelligence or is necessary to understand or assess foreign intelligence or counterintelligence;

"(ii) the communication is reasonably believed to constitute evidence of a crime and is retained by a law enforcement agency;

"(iii) the communication is enciphered or reasonably believed to have a secret meaning..."

See pdf approximately at page 20 to 27

The above language would appear to codify the “presidential powers of spying” in a new untouchable method.

Further, all encrypted conversation, such as this website, would be held by an unknown entity for five or more years [and so would any electronic communication which is compressed or enciphered with SSL/TLS, SSH and documents compressed and zipped with a password, sent via phone, fax or any other "enciphered" protocols].

This is a huge swath of communications! The attack surface is huge and an inviting target for abuse [and a target of criminals].

It is interesting that the government senses the need for third party storage vendors possibly due to the sheer volume of electronic communications collected and stored for five years – or more.

[side note]

I note the government thinking of basing its “security clearance level” on credit scores:

Sec. 308

"(4) recommendations for how the intelligence community could utilize private sector risk indices, such as credit risk scores, to make determinations about employee access to sensitive information."

Page 20 of FY 2015 IAA pdf

I guess that you have to have high credit rating to get a security clearance!

The only practical way this abusive legislation could be stopped is a "constitutional show-down" between the Judiciary and over-reaching Presidential powers - now endorsed by the Congress. This mess will be hard to clean up.

Gerard van Vooren • December 13, 2014 5:21 AM

@ Casual Friday

"The theatrics that have gone on with the report on CIA Enhanced Interrogation Techniques have been disappointing to me. We all knew what was happening back when it actually was happening. Making an issue of it this far after the fact seems like political theater. Right or wrong it's in the past and for anyone who was in the know back then to stand up and get all self righteous now seems misplaced. I'm not saying the treatment of those prisoners was the correct approach, but I don't see what we have to gain by bringing it back to the forefront geo-politically."

It is indeed in the past now. I admit I didn't read the report, but from what I heard of it, it went way beyond what was known back then.

I have two worries about the general pardon that Obama laid down:

1) Not prosecuting the guys involved (not the executioners but the guys that signed the orders) could be used as an excuse for anyone else doing the same. The only thing you have to do is label someone a terrorist. But most of all, the image of the US as the "land of the free" is really damaged.

2) What will happen when another incident such as 9/11 occurs? It is inevitable that such an incident will take place, that's for sure, but not prosecuting the guys involved and setting a new policy allows the same to happen in the future.

So it is indeed a thing of the past but that doesn't mean it can't happen again. On the contrary.

Thoth • December 13, 2014 6:14 AM

They just want all forms of communications (according to the new bill) in an indirect manner. Typing a plaintext message can be translated as "enciphered communications" if they are crazy enough (100% chance they would do that anyway).

Bob S. • December 13, 2014 6:34 AM

NSA doubled down and won the jackpot:

The new budget allows unlimited warrantless spying on all Americans which can (and will) be shared with law enforcement. There was no debate, it was submitted secretly in the massive budget document.

I thought Obama would change things, instead he fell in line quickly. I thought the Snowden Revelations might change things, instead it got worse.

If it stands after the Senate and President get a chance to change it, I likely won't be back. America is over. Got to protect me and mine.

Thoth • December 13, 2014 7:50 AM

@Bob S
NSA to Obama: Mr Pres. please sign this document.
Obama to NSA: Not yet. The nation's not ready. Too much discontent.
NSA to Obama: We will take care of them. Don't worry.
Obama to NSA: I worry a lot.
NSA to Obama: Don't worry, we will handle it.
(Presses an auto-signing machine and authorizes the President's signature on the document)
NSA to Obama: We are done. Thank you.
Obama to NSA: How can you .....
NSA to Obama: Your Obamaberry ... those dirty little secrets... hehehe...
NSA to Obama: Be mindful of your actions, Mr Pres. We are watching...

Have fun :D

Thoth • December 13, 2014 7:59 AM

What could be done is to secure the mobile network station via a protocol change. Signing the stations. Loading a piece of authorized CRL and authorized station signatures. Every station carries its own CC EAL 6+ tamper resistant crypto module with signatures inside. Locally bought phones would be preloaded into SIM card (hopefully it has space) or a secure element in the phone with the master list and signatures. Phones coming in from overseas upon connecting to network would have to request for a list. The protocol can run on dual modes (standard GSM or the signed version mentioned here). It is kind of DNSSEC for GSM along that line but it needs nationwide support to operate.

Not so casual • December 13, 2014 9:20 AM

Casual Friday is parroting CIA propaganda. The first tell: he can't bring himself to say torture. Next, a Big Lie: that torture is in the past. On Obama's watch FBI agents sat around while Gulet Mohamed got tortured. The US government still delegates torture with a CAT-illegal non-refoulement policy. US policy still permits specific forms of torture including sleep deprivation and any kind of mental torture.

Then CF throws in some willful obtuseness for suckers. He doesn't see what "we" have to gain. You torturers have nothing to gain. Torture has no statute of limitations. Any jurisdiction in the world can prosecute US torturers. Hold your breath until you turn blue, the US government's torture problem is not going away. What he tries to call political theater is justice grinding very slow and very very fine. It's the outside world dragging the USG kicking and screaming to comply with the law.

BoppingAround • December 13, 2014 10:03 AM


Been reading Havel's The Power of The Powerless for a while. I have spotted at least one riveting aspect in it.

The author narrates that in a post-totalitarian system (in his own vernacular this means a totalitarian system but totalitarian in a different way than those of the past; as he puts it later, 'when totalitarianism met consumerist society') the sphere of truth is hidden beneath the texture of lies and thus mostly invisible and deadly dangerous to those in power; the time it surfaces it can destabilise (and obliterate) the whole system of lies where rituals and signs have superseded the 'real' reality.

He provides the example of the Prague Spring, claiming it was not just a clash between two groups but 'the final act and the inevitable consequence of a long drama originally played out chiefly in the theatre of the spirit and the conscience of society. And that somewhere at the beginning of this drama, there were individuals who were willing to live within the truth, even when things were at their worst. These people had no access to real power, nor did they aspire to it. The sphere in which they were living the truth was not necessarily even that of political thought. They could equally have been poets, painters, musicians, or simply ordinary citizens who were able to maintain their human dignity.'

Is it possible that what the TLAs of today are trying to do is to penetrate this hidden sphere?


I saw you mentioning Smith's The Wealth of Nations in the comments of one of posts here. How suitable is it for a layman?

Nick P • December 13, 2014 10:56 AM

@ mesrik

My guess is Five Eyes, a part of Norway's government, Israel, or Russia. There's few organizations that both have and will widely deploy high end IMSI catchers. Especially in a country like Norway. Shifts suspicion to internal opponents of the Parliament or the NSA in my opinion. Norway's defense contractors are also quite capable with crypto equipment similar to what NSA has developed, maybe with their expertise too. If there's any power struggle, such capabilities might be turned against lawmakers.

I also found that their response was weak. The article doesn't indicate that they tried to catch the operators in the act. An example would be to mess with a piece of equipment, wait for an operator to show up, get the repair on video, grab the person, and then interrogate them. The investigation barely involved the police at all. Norway, operating like this, will remain an easy target for most espionage activities.

yt1we4g • December 13, 2014 11:16 AM

Anyone want to comment on this new "facebook-killer" social network, Ello? Is it the real deal? Do they really care about your privacy or is it just a joke? And what are the chances of it being NSL'd?

yt1we4g • December 13, 2014 11:26 AM

Also, why is nobody interested in Diaspora as a social network? I don't get it — doesn't Diaspora do the best job of solving all the issues with Facebook?

Jacob • December 13, 2014 11:34 AM

One practical plan of action is to make life more difficult for US administrators who had participated in the CIA's illegal torture cases to visit Europe. This can easily be done in the UK, for example, by private groups or affected individuals who may seek warrants for their arrest.

A known precedent involved some high level Israeli officials, who eventually managed to get into London only after securing a diplomatic immunity. Some other Israeli Army Generals who could not secure their diplomatic immunity just cancelled their UK visits.

CallMeLateForSupper • December 13, 2014 12:16 PM

I run hot and cold on Sen. John McCain. I am well to the left of him on most issues but occasionally he and I agree. Last night was one of the latter. As a guest of Charlie Rose, Sen. McCain reiterated his opinion of the CIA torture report. It was thoughtful, even and measured. Hysterics-free. I liked what I heard, up to a point. My heart fell when he spoke to the question of prosecutions for crimes. We should not prosecute, he said. We should move forward, not backward. The U.S. has acknowledged wrongful behavior to the world and now we need to move on (he said). He excused criminals, saying "they meant well"; he excused criminal behavior, saying (essentially) that post-9/11 was a scary time.

"Move forward, not backward." That is exactly what Condi Rice said back in the old days when Congress pressed her to answer questions she and her boss had decided she would not answer.
It derives from the very mechanism employed by desperate children since forever to avoid a sanction: steer the conversation. "Can I go out and play now?" It is transparently disingenuous, and the only attention it deserves is derision.

The U.S. spent a huge sum and worked for years to punish WWII war crimes, both German and Japanese. It replayed in Iraq. Criminals will be hunted down and brought to justice, we continue to vow. But what about the dark-skinned man who died of exposure while chained to a floor in a cold room at Gitmo? Where is his justice? Sorry; no; move forward. I don't understand two-faced justice. Nor does the rest of the world.

Nick P • December 13, 2014 12:43 PM

@ yt1we4g

My original review of Diaspora project from October 2011:

"Diaspora is a joke. The thing is being designed, analyzed and implemented primarily by amateurs. A truly safe social network must be designed by people with expertise in cryptography, protocol analysis, secure software design, and low-defect implementation. Throw some testing and UI people in there to boot. I like that there's people trying on this, but I wouldn't trust anything that project produces. The independent reviews we've gotten so far confirmed my suspicions.

As for secure/private social networking, I don't know if there's really a way to do it that would take off. Non-paid internet services depend mainly on ad revenue. An advantage of current social networking sites is that analysis allows targeted advertising & brings in lots of revenue. Take that away & you get very little revenue in comparison. This is a problem if you are running a secure web service with tons of cryptography in it, which takes MUCH more resources to achieve performance of something like FB.

I just don't currently see a way to do it in light of the business model. I also haven't been thinking hard about it either, so maybe there is a non-intuitive solution that evades me. Thoughts?"

It all came to pass and one of those involved killed himself. Understanding the situation, requirements, and market deeply is a pre-requisite for developing a solution that will sell and with strong security properties. What it takes to do strong security in centralized web architectures is well-understood. What will make a Facebook killer while retaining these properties, esp in 3rd party apps/plugins, is far from understood. The Diaspora developers lacked both capabilities and were doomed to fail.

The simpler test is to take a look at how people use Facebook and ask yourself if they'd give up Facebook for the alternative. There's also the lock-in effect of having years worth of pictures, videos, lifetime events, etc that they'd have to manually move or throw away. Facebook, like backend COBOL on mainframes, is designed for lock-in and is probably the web's best example of a legacy application in the making. And they're always adding to the effect.

Private social networking will be a niche market at best. Possibly part of a paid service. Not much happening in that sector, though, outside of some emails, proxies, crypto apps, and discussion forums. Just an app/service here and there with a small audience. No integration (Facebook's strong suit).

Grauhut • December 13, 2014 1:09 PM

@CallMeLateForSupper: "I don't understand two-faced justice. Nor does the rest of the world."

The world understands quite well, it's like in this classic Abba hit: "The winner takes it all"

Look at all the wall street fraudulent banksters that were bailed out with one time payments. They should have gone to jail if there would be something like a "rule of law".

Next time they get in trouble again the Banks will be bailed out again with your tax payers money and they will get their "punitive payments" back.

We live in a funny time, this time the fascist wolves wear demorat sheep furs.

Law has become decoration.

And the big lie has reached such an enormous amount, they can not afford to bring someone to justice who could speak out there. And the number of "immunes" is growing daily, I am sure.

It's all about faking numbers in times of an "economic recovery" without increased energy consumption and prices...

Skeptical • December 13, 2014 1:48 PM

@AlanS re Section 309 of Intelligence Authorization Act:

The analysis of that section put forward by an opportunistic libertarian Representative is completely wrong.

It's so wrong that I view it as either deliberate deception or gross stupidity on his part.

Earlier this year a former State Department official wrote an op-ed published in The Washington Post. In it, he detailed his concerns regarding Executive Order 12333.

Specifically, he wrote that:

[U.S.] persons cannot be individually targeted under 12333 without a court order. However, if the contents of a U.S. person’s communications are “incidentally” collected (an NSA term of art) in the course of a lawful overseas foreign intelligence investigation, then Section 2.3(c) of the executive order explicitly authorizes their retention. It does not require that the affected U.S. persons be suspected of wrongdoing and places no limits on the volume of communications by U.S. persons that may be collected and retained.

His concern was that, unlike collection authorized pursuant to provisions under the FISA Act or the Patriot Act, collection undertaken under Executive Order 12333 was not subject to any oversight and that communications of Americans gathered incidentally could be held without any legal limitation.

Section 309 begins to address those concerns by, for the first time, setting forth legal restrictions on such communications gathered under EO 12333.

Some believe that those restrictions do not go far enough, and that's fine. But it is absolutely incorrect to claim that Section 309 attempts to authorize new powers of collection, much less that someone tried to "sneak" the provision into the bill in order to do so. Section 309 adds legal limits where previously there were none.

yt1we4g • December 13, 2014 2:18 PM

@Nick P

Thanks for sharing your thoughts on Diaspora. So from what you're saying, it seems there aren't any social networks with good cryptographic/secure implementations, and it'll probably be a while before we ever see one, if at all. In that situation, do you (or anyone else who wants to comment on this) think it's best to simply not use any "social networking" type of web service? For users who will never understand PGP over email due to its complexity, what is the next best thing?

Justin • December 13, 2014 2:32 PM

@ Skeptical

I was going to disagree with you, but after reading section 309 of that bill (the text of which was linked in one of the articles,) I think you're mostly right on this one.

But I wouldn't say that previously there were no limits on this collection of communications under EO 12333---we presumably have always had and still have the 4th Amendment---I only wish it (along with the rest of the Bill of Rights) were respected rather than all but abrogated by nihilistic judicial interpretation.

Big Lie #11,304,849 • December 13, 2014 3:08 PM

Skeptical's back with another megawhopper, presumably because with this one he's so full of shit that even if he used another name we'd know him anywhere.

"legal limits where previously there were none"

Knowing that the Big Lie depends critically on robotic repetition, skeptical doubles down on his willful pig-ignorance of the supreme law of the land. He's hoping you forgot that Article VI is in the constitution. He hopes that you don't know about the Charming Betsy case or the legislative intent of ICCPR ratification, or what the binding treaty says. He hopes that you don't know where to find out what it means. The US signed on the dotted line, Congress voted for it and accepted ongoing independent compliance review, so skeptical's telling you the law he wants to break does not exist.

In short, government vermin think you're stupid. They want to hang on to their useless makework jobs so they lie through their teeth. About torture. About the law. About everything.

Daniel • December 13, 2014 3:13 PM


Well, we know it's important because you have crawled back out of the woodwork. Your post is a nice attempt to deflect the issue. Yes, of course Section 309 puts limits where there were none before. It also expands jurisdiction where there was none before. It's not an either/or thing and you well know it.

fa98w • December 13, 2014 3:45 PM

@BoppingAround re: "the sphere of truth is hidden beneath the texture of lies"

"So, so you think you can tell
Heaven from Hell,
Blue skies from pain.
Can you tell a green field
From a cold steel rail?
A smile from a veil?
Do you think you can tell?

Did they get you to trade
Your heroes for ghosts?
Hot ashes for trees?
Hot air for a cool breeze?
Cold comfort for change?
And did you exchange
A walk on part in the war
For a lead role in a cage?" ~ Pink Floyd


Skeptical • December 13, 2014 4:33 PM

@Justin: I agree.

@Daniel: It does not expand jurisdiction. I'm not sure why you think it does.

@Big Lie: None of which has anything to do with Section 309. But don't let relevance stand in the way of yet another comment about the righteous power of the ICCPR and int'l law.

Nick P • December 13, 2014 4:37 PM

@ yt1we4g

Social networking is silo'd and designed to harvest information. So, I'd say security conscious should avoid it. However, there was once an interesting product where they made a browser plugin that autoencrypted stuff in Facebook, Twitter, etc. Anyone you allowed to see your posts would as the plugin would decrypt it seamlessly. There's potential issues to all of this but the concept is decent and similar to OTR.

#11,304,849a • December 13, 2014 5:03 PM

A breakthrough! Pathological liar skeptical is constrained to acknowledge that the law he doesn't like exists. Second line of defense for our token security parasite is to assert, with no evidence (he doesn't even seem to know what links are) some garbled argument related to something being relevant. It may be a lame attempt at an arch brushoff, which might work if he had an extra half-sigma of IQ but he doesn't and hell, it's good enough for government work after all. This of course is why you sad sacks lose and lose, in the ICJ, in Iraq, in Afghanistan, in Ukraine, everywhere but in your little cubicle. There every loser is Outstanding in every review.

Bob S. • December 13, 2014 5:07 PM

The Intelligence Act codifies EO12333 and thus indeed does make mass collection of warrantless data all legal by Act of Congress.

Sec. 309

—The procedures required by paragraph (1) shall apply to any intelligence collection activity not otherwise authorized by court order (including an order or certification issued by a court established under subsection (a) or (b) of section 103 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1803)), subpoena, or similar legal process that is reasonably anticipated to result in the acquisition of a covered communication (now carefully parse this part:) to or from a United States person (that's all Americans) and shall permit the acquisition, retention, and dissemination of covered communications subject to the limitation in subparagraph


The procedures apply to collection activity ...not authorized by a court ....reasonably anticipated to result in the acquisition of a covered communication to or from a United States person ....and shall permit the acquisition, retention, and dissemination of covered communications

Now let's boil it down to plain English:

This new law passed by Congress and signed by the President permanently shall permit the acquisition, retention, and dissemination of covered communications not authorized by a court.

(They don't need a court anymore I guess.)

When I first read the new law I too thought it was "OK".

But, the act does indeed make it federal law that the government can collect warrantless data on every American, keep it for 5 years or forever depending on their own rules, and use it for all manner of purposes including "crime" prosecutions or whatever they feel like.

In short, just as predicted the law makes legal all the illegal stuff they have done for perpetuity.

In particular the FBI was handed a whole new mission of warrantless mass domestic surveillance of Americans.
If I am wrong, let NSA, FBI, the President, Congress say so...I don't think they will.
Meanwhile, the "court" was simply penciled out of it all, so it doesn't matter what they say.

The act is a masterpiece of Orwellian double speak.

yt1we4gDecember 13, 2014 5:12 PM

So I found some more info on this new Ello social network, and it doesn't seem so great after all.

These articles all point out how Ello has around half a mil in venture funding, which will inevitably influence its business decisions towards profitability over user satisfaction. Also, one article points out how it's still a "proprietary network" like Facebook, where you can't connect with users on other networks, it's very hard to leave the network to move to a different one, and the code is all closed-source so you have no idea what they're really doing. In the end, Ello is basically like Facebook, just without the ads (for now).

ABA rejectsDecember 13, 2014 6:13 PM

@Bob S, that's pretty typical of the University of Phoenix grade law they churn out in the SCIFs. Any old word salad will do... as long as 200 different civil-service drones got a chance to red-pencil commas in and out. So the government security parasites pile up more and more crap Stasi law in blithe ignorance of the necessity and proportionality tests to which this country and its allies acceded. American chumps mostly don't know any better but all this officially-sanctioned espionage and sabotage is poking big rips in that poor bedraggled scarecrow NATO. (The same dynamic crippled NATO in Afghanistan as ridiculous US torture rules made our "partners" unwilling to hold prisoners. They had real laws, you see, so they couldn't sink to US levels and get away with it, so European forces played hot potato with detainees, who wound up getting exterminated by warlords in a historic war-crime spree.) Putin and Xi are watching with glee as beltway dumbshits wreck their own bloc.

AlanSDecember 13, 2014 6:50 PM


"...opportunistic libertarian Representative...grossly stupid ". Hmm. Something makes me think your powder is wet when you start by throwing around insults.

He wasn't the only one objecting to the added language.

To your "adds legal limits where previously there were none" add:
adds statutory authority for dubious executive order when previously there was none.

And as far as the supposed limits that were added, the person from the ACLU quoted in the first article I linked to above:
"...these restrictions are far from adequate, contain enormous loopholes..."

And finally: Why slip this in at the last minute without any debate if it is all so above board? Lots of people are critical of the Senate Intelligence Committee, who apparently slipped this in, for cheer-leading rather than doing what they are supposed to be doing, which is effective oversight. Must have wanted to restore public trust and prove all those critics wrong, eh?

JacobDecember 13, 2014 7:08 PM

So does this law render parallel construction moot?
It seems that from now on, anything the NSA can collect may appear in criminal cases before the courts.

Nick PDecember 13, 2014 7:12 PM

@ Grauhut

It's an interesting project. I have no real opinion of its security at the moment because it would take a lot of analysis. Might do so in the future but it has a lot of components that interact, under control of many different parties. Such complexity prevents me from throwing together a quick prelim analysis.

GrauhutDecember 13, 2014 7:28 PM

@Nick P: I have to set up some social networking early next year and have to make a design decision. At least the buddycloud / xmpp guys seem to be security aware.!topic/prosody-users/qAKRn0fzxDk

ThothDecember 13, 2014 7:31 PM

@Secure and Private Social Networking et al.
It is not theoretically possible to do social networking without revealing part or whole of your data. We have to look into aspects of physical hardware, software, people, processes and procedures, motivations ... many more...

Something very informal and spontaneous below (not a proper theorem):

You can see a participant, P as a set of data D where the sub-elements of D would be his personas. In order to communicate with a participant, sub-elements of D must be revealed (thus his personas). If more than enough participants request sub-elements of D, you can say that you have effectively constructed D with close reliability. D can include fake or real personas.

Let's put it this way that all the participants are Lilith (malicious entity) that attempts to construct D of P. Let's model P as a random oracle with an access control list of A and the random oracle as R. A participant is Px where x is the participant number (not according to order).

If we rate A on a scale to allow access to R, then if A is tuned to the strictest levels, R would be completely inaccessible (might as well not be a social network participant). Varying controls of A would allow R to be queried by other Px. Vice versa, Px who queried can be queried by other Px according to their A as they are also a random oracle R. Pt is defined as the target of attack.

We can build a list of relationships and data of a targeted Pt by having every other Px in the network query Pt. If all Px could query and retrieve Pt as R then it would be varying degrees of D1..n sub-elements of Pt's which all the Px would have to take their knowledge of Pt and put together to get D or close to a complete D.

From the above thought experiment, we can see that privacy cannot be fully achieved in any considerable efforts in a social network. Thus, if privacy is valued, information must be controlled to reduce the amount of mappings to acquire D.

free the gruntsDecember 13, 2014 8:30 PM

So now that the CIA abuse report is out, and we see it all came down from the top, with the oh we got caught with our pants down so you see, we just had, I mean had to, torture to get back on top excuse. (because we're incompetent or lazy or both, ((I don't think anyone could foresee terrorists using airplanes...)))

The question is: When are lindsay and the other MP's who were directly ordered to 'soften up' those Arab men for questioning by the men who didn't wear uniforms, but instead blue jeans and button down shirts going to be pardoned and freed?

You remember her, the young lady pointed at the naked men's genitals with a fag in her mouth? If this was all a top down organization, and the generals and president and executives all admit they did it, they had to do it, why are the only people in jail the young poor dumb ones at the bottom of the ladder?

The news world is all up in arms about some bullshit report from rolling stone mag about a rape that did or didnt happen. Where the fuck are all the journalists?

edit to the aboveDecember 13, 2014 8:39 PM

From a security point of view, how do we design a system where today's problem cannot happen? The founders obviously were a well thinking group, isolating and playing the branches off of one another. Almost as if each branch of gov was its own untrusted computer cell, that we needed to do work on info, but we can't quite trust.

So what went wrong? Is it the advance of tech? Has it become too easy, too fast, to collect and collate info? Has the force multiplier become too great? Is there such leverage against the have nots that control, which is what the gov is and why it was always fractured and limited, can feel free to seek permanent domain?
How much longer until we stop with the pretense of elections, and explanations, and just get on with the jack boot thuggery.

I don't see a design answer. I think it's just inevitable, whether roads and the time of transportation with Rome, or too much control over too much data, the states may be at an end...

Nick PDecember 13, 2014 8:56 PM

@ edit

The Founders' design assumes the people will play an active role in preventing, detecting, or correcting problems. They might use their money, votes, lawsuits, or guns in worst case scenario against corrupt government. In our country, the people mostly (a) don't participate or (b) participate in ways that maintain a fertile environment for corruption. The result is concentration of power without effective accountability into hands such as NSA/FBI/CIA. The people's behavior is what needs to change first as the government can always just use force against the dissenters, esp privacy tech builders.

AlanSDecember 13, 2014 9:36 PM


Wealth is a big book. I haven't read it cover to cover. And it's probably a bit of a slog to read cover to cover but it is broken up into volumes and parts and the writing is much more accessible than you might think. I think you need a good grasp of the historical context to make sense of what he is saying.

I got interested in Smith because Wealth is cited and quoted relentlessly by economists, politicians (on both the left and the right) and in the media. So what's that all about? The interesting thing is that a lot of the quotes are selective and lots of what Smith is claimed to have written or argued doesn't match what's in the book. And the meaning of what he was saying is often butchered as it is taken out of historical context. And that includes statements made about Smith by distinguished academics at elite universities, some with a Nobel Prize in economics to their name. Don't trust them. Take a look for yourself. Wealth is available on line here and probably elsewhere.

So here's an example. You'll often see discussion of Smith's theory or concept of the invisible hand. There is no theory or concept of the invisible hand in the book. The phrase the invisible hand appears only once (IV.2.9) and hundreds of pages into the book. It's a metaphor. It was a commonly used metaphor in the 18th C. Smith uses it once in each of his books in different ways. Whenever you hear or read someone talking about Smith's concept of invisible hand your BS detector should be emitting a loud scream. Adam Smith's invisible hand concept doesn't come into existence until more than a hundred years after the book's publication. And it doesn't really take off until after WWII. Since 1948 most people appear to have gotten their "invisible hand" concept from Paul Samuelson's Economics textbook. This textbook is the best selling economics textbook of all time. And Samuelson selectively quotes and mangles Smith in it. But as the publisher writes in their blurb: it "ignited the Samuelson revolution--a movement which has endured for half a century, and influenced millions of young minds in hundreds of the world's best learning institutions." Not sure that's a great endorsement of the value of the $50K a year you'll pay for an economics degree at some of those institutions (not a few of which are snorting Koch). What's going on is that for the most part economists, bankers, politicians etc. are trotting out Smith's supposed ideas ritualistically to legitimate whatever they think needs legitimating.

Rumble rumble crack crumbleDecember 13, 2014 9:37 PM

Extra! Extra! US satellite Britain steps on its crank trying to suck up to NSA!

'Sophia in ‘t Veld, a Dutch politician who chaired the European Parliament’s recent inquiry into mass surveillance exposed by Snowden, told The Intercept that she believes the British government should face sanctions if the latest disclosures are proven.

'“Compensating Belgacom should be the very least it should do,” in ‘t Veld said. “But I am more concerned about accountability for breaking the law, violating fundamental rights, and eroding our democratic systems.”'

Reparations: compensation, restitution, satisfaction or countermeasures. With interest. Ka-ching! $$$! State responsibility for internationally wrongful acts Chapter II. Put that in your Budget Box, Osborne. Multiply it by 193 ICJ or PCA member nations. GCHQ rain man Iain Lobban is gonna cost ya.

sfd89December 13, 2014 10:23 PM

@Jacob re: 'It seems that from now on, anything the NSA can collect may appear in criminal cases before the courts.'

Or it may simply legalize zersetzung signature strikes, bypassing courts altogether.

And justify pre-crime conditioning.

They may be normalizing the idea that punishment can be detached from due process.

MrCDecember 13, 2014 11:44 PM

Bob S. is right on the money with his parsing of this monstrosity.

309(b)(1) requires "each head of an element of the intelligence community [to] adopt procedures."

309(b)(3) contains two substantive requirements for those procedures. This crime against the English language is the heart of the provision: "The procedures... shall apply to any intelligence collection activity not otherwise authorized by court order (including an order or certification issued by a court established under subsection (a) or (b) of section 103 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1803)), subpoena, or similar legal process that is reasonably anticipated to result in the acquisition of a covered communication to or from a United States person and shall permit the acquisition, retention, and dissemination of covered communications subject to the limitation in subparagraph (B)."

So, let's parse this ugly, ugly mess. We've basically got two verb clauses. Stripped down, this sentence says "The procedures shall apply [to some stuff] and shall permit [some stuff]." Let's handle these clauses one at a time:

What do the procedures apply to? "The procedures... shall apply to any intelligence collection activity not otherwise authorized by court order..., subpoena, or similar legal process that is reasonably anticipated to result in the acquisition of a covered communication to or from a United States person." So, basically, they apply to warrantless spying on Americans.

What do the procedures permit? "The procedures... shall permit the acquisition, retention, and dissemination of covered communications." What's a "covered communication"? That's defined in 309(a)(1) -- "'covered communication' means any nonpublic telephone or electronic communication acquired without the consent of a person who is a party to the communication, including communications in electronic storage." So, in short, the procedures permit acquiring (i.e. intercepting), retaining, and disseminating basically any telephone call or electronic communication to or from an American.

Now, you may have noticed a bit of sleight of hand here. Congress does not come out and straightforwardly say "OK, intelligence agencies are authorized to spy on all Americans' telephone calls and e-mails." Instead, they require the intelligence agencies to adopt procedures, and say that the procedures shall permit them to spy on all Americans' telephone calls and e-mails. If that strikes you as backasswards, that's because it is. The opaque language is doubtlessly an effort to "hide the ball." Nevertheless, a court tasked with interpreting this language is going to have to find that Congress implicitly granted authority for this spying when it required the intelligence agencies to adopt procedures that permit it. (The contrary would be absurd -- Congress instructing the agencies to adopt procedures that say they are permitted to do something they actually cannot do.) More immediately, the intelligence agencies are going to interpret this as a grant of authority.

But wait, what about that part that says "subject to the limitation in subparagraph (B)"? There's limitations on this! We're saved! Um, nope. Go look at subparagraph (B). First, of the three acts permitted -- acquiring, retaining, and disseminating -- the limitations only apply to retention. There are zero limits on acquisition -- meaning zero limits on when and how the government can spy on your communications. And there are zero limits on dissemination -- meaning that the NSA can share information with the IRS, the local cops, the DMV, and even Walmart. (None of which have legitimate national security functions.) Finally, the limitations on retention aren't meaningful. The baseline is 5 years -- which is a pretty damn long time to keep every communication by every American. Then come the exceptions that allow permanent retention. Right off the bat, we should see 309(b)(3)(B)(iii) allows permanent retention of anything encrypted. So that's, at the very least, all https traffic, all cellphone traffic, and most e-mail. (Note that there's no exception to the exception for encrypted communications that were subsequently decrypted.) And then there is 309(b)(3)(B)(vii) which basically boils down to "if the intelligence agency feels like it."

So in sum, this provision authorizes unlimited interception of all telephone and electronic communications of all Americans, without a warrant (or any other court approval).

Two closing notes:

First, let us not forget that, although Congress may have passed this bill, it is anathema to the Constitution. The interception of private communications is a search. With exceptions few and narrow, the Fourth Amendment forbids searches, except pursuant to a warrant issued upon probable cause. Even under the most lenient of exceptions, generally only available in exigent circumstances, a search still requires a reasonable suspicion based on specific and articulable facts that a particular person has committed (or is about to commit) a particular crime. It is plain, beyond argument, that the Constitution forbids what Congress purports to authorize in this bill.

Second, I shall respond to the arguments raised by our resident maybe-troll-maybe-NSA-sockpuppet Skeptical, because they appear to be the emerging TLA talking points. With respect to the argument that this provision does not authorize new powers of collection, it does for the reasons explained above. With respect to the argument that this provision actually adds legal limits where previously there were none, it does not for two reasons. First, the warrantless mass surveillance conducted to date IS illegal. Period. (Constitution, remember?) No further law is required. If Congress really felt like saying something on the issue, the correct thing to say would be "Just to be clear, warrantless mass surveillance is illegal; stop doing it." Second, as explained above, there are no meaningful limits in this provision -- no limits on collection, no limits on dissemination or use, and the "limits" on retention are Swiss cheese.

sena kavoteDecember 14, 2014 12:20 AM

Hash collector software

Hash collector / automatic checksum listing software with a system for public databases could be a huge improvement in security for little cost and complexity.

It searches recursively the whole filesystem in all folders and subfolders for executable files and makes sha512 hashes of them. That is at most half an hour of waiting. Then the list of hashes is handled either off-line or on-line. There could be one or more on-line databases where the hash listing file could be uploaded. Or the user could download the latest database file that has all hashes of executables from official repositories of ten most popular Linux distributions plus FreeBSD, OpenBSD and Windows. The file would not be that big. Then every hash is checked. That takes maybe seconds or minutes. If there is a mismatch, the on-line database site could also include the original executable files in its response message if license allows.

Theoretically the hash collector could be used like any software installed from repo, to the same OS installation, automatically in schedule once per day, but is there reason to believe that the malware to be found would not alter the hash collector where it resides (for example in /usr/bin)? That is why the hash collector is meant to be used for partitions of another Linux installation or another OS, either from a live system or by mounting the physical storage media of the other OS installation to a Linux that has the hash collector installed from a repo.

The file that contains the correct hashes could be formed by a peer to peer process and disseminated like files in bittorrent. If the malware attack is not widespread enough, the malware influenced results would be in minority.


Processing card accelerated encryption and big cables

A new intercontinental submerged data cable is going to be laid on sea bottom between Brazil and Europe because of scandalous revelations about spying. There is high chance that a wiretapping device will be installed on it. The device filters in and stores small part of the flowing data to terabytes of hard disks. That data is then regularly collected by a ship / boat that uses a submarine robot. The wiretap device is powered by plutonium-238 or the data collection ship's robot also changes batteries.

That is why that kind of cables, whether going thru sneaky countries' land or international waters, need encryption-decryption facilities at both ends.

Let's say it's 1000 gigabits traffic like at least one trans-atlantic cable. What say encryption and hardware specialists?: If using 100 computers with 10 gigabit network cards, could they encrypt enough if they use encryption accelerated by so-called "graphics" cards using OpenCL or CUDA? All or most new 3D "gaming" "graphics" cards can do OpenCL stream processing that has not necessarily anything to do with graphics (CUDA is Nvidia thing). Bitcoin has used OpenCL computing massively. Seems like the encryption hardware on one end for that inter-continental cable would cost about 50000 euros.

Is there a special encryption format designed for OpenCL or just special implementation of some common cipher for OpenCL?


Movie / tv plots

New Breaking Bad spinoff called "Better Call Saul" is coming. From what I have heard, it has great potential for some infosec related plots, despite happening in 2002 at least in first season. Breaking Bad was really good, as good as Star Trek: The Next Generation, and by the way, as a strange sidenote comparison, both had lots of infosec elements and high tech gadgets integral to plot.

Maybe someone has right contacts or is able to write fan letters to right parties about these thoughts: Imagine, both Better Call Saul and some hypothetical new Star Trek series or movie could involve: public key encryption, digital signatures, hashes, certificate authorities, zero knowledge proof, legality-based demands for information and secrecy (like national security letters to Lavabit)

Has any tv series already had a Lavabit-like case as a plot? It would be awesome if Saul Goodman got that kind of case.
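The hash collector described in sena kavote's comment above, sketched as an added example (not code from the comment or from any existing project): it walks a mounted partition, takes SHA-512 hashes of executables, builds a reference list by majority vote among peer-submitted lists, and flags mismatches. The function names, the magic-byte heuristic for spotting executables and the strict-majority rule are assumptions; the sample files and peer reports are constructed.

```python
import hashlib
import os
import stat
import tempfile
from collections import Counter

# Leading bytes of common executable formats: ELF, PE/DOS ("MZ"), scripts ("#!").
EXEC_MAGICS = (b"\x7fELF", b"MZ", b"#!")


def sha512_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-512 so large binaries never sit in memory."""
    digest = hashlib.sha512()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def looks_executable(path, st):
    """Regular file with an exec bit, or one starting with a known magic.
    Mode bits are often meaningless on a foreign mounted filesystem."""
    if not stat.S_ISREG(st.st_mode):
        return False  # skips symlinks, devices, sockets
    if st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        return True
    with open(path, "rb") as fh:
        return fh.read(4).startswith(EXEC_MAGICS)


def collect_hashes(root):
    """Return ({relative_path: sha512_hex}, [unreadable paths]) under root."""
    hashes, errors = {}, []
    for dirpath, _dirs, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            try:
                if looks_executable(full, os.lstat(full)):
                    hashes[rel] = sha512_file(full)
            except OSError:
                errors.append(rel)  # unreadable files are reported, not hidden
    return hashes, errors


def consensus(reports, quorum=0.5):
    """Merge peers' {path: hash} lists; keep a hash only when more than
    `quorum` of the peers reporting that path agree on it."""
    votes = {}
    for report in reports:
        for path, digest in report.items():
            votes.setdefault(path, Counter())[digest] += 1
    agreed = {}
    for path, counter in votes.items():
        digest, count = counter.most_common(1)[0]
        if count > quorum * sum(counter.values()):
            agreed[path] = digest
    return agreed


def audit(collected, reference):
    """Classify each collected executable against the reference list."""
    result = {"match": [], "mismatch": [], "unknown": []}
    for path, digest in sorted(collected.items()):
        if path not in reference:
            result["unknown"].append(path)   # not in any repository list
        elif reference[path] == digest:
            result["match"].append(path)
        else:
            result["mismatch"].append(path)  # candidate for replacement
    return result


def demo():
    """Constructed sample: a fake mounted root holding one tampered binary."""
    samples = {
        "usr/bin/ls": b"\x7fELF constructed ls",
        "usr/bin/ssh": b"\x7fELF constructed ssh, tampered",
        "usr/bin/local-tool": b"#!/bin/sh\necho constructed\n",
        "usr/bin/notes.txt": b"plain text, not an executable",
    }
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "usr", "bin"))
        for rel, data in samples.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        collected, errors = collect_hashes(root)
    good = {
        "usr/bin/ls": hashlib.sha512(b"\x7fELF constructed ls").hexdigest(),
        "usr/bin/ssh": hashlib.sha512(b"\x7fELF constructed ssh").hexdigest(),
    }
    # One peer in three has the tampered ssh and reports its hash as good.
    infected_peer = dict(good, **{"usr/bin/ssh": collected["usr/bin/ssh"]})
    reference = consensus([good, good, infected_peer])
    return audit(collected, reference), errors


if __name__ == "__main__":
    print(demo())
```

An "unknown" result only means the file is absent from the reference list, which is the normal state for locally built tools; a tie among peers yields no reference entry at all rather than an arbitrary winner.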

ThothDecember 14, 2014 12:58 AM

@sena kavote
Who is going to guarantee the hash files? It is not hard to hash files and spread them. It is hard to set up trust relationships.

Crypto-facilities at both ends of fibre cable channels? Might just infiltrate the encryptors (most encryptors are backdoored anyway) or probably just buy the companies over. What if the crypto stuff are Government shell company fronts?

What people need are proper education and tools on security. End-to-end encryption is only as good as the OPSEC and the integrity of the hardware and software. Most hardwares and softwares are exfiltration-friendly.

You can't stop USS Jimmy Carter from doing its job in the open seas (unless a declaration of war via nation states) but what you can do is push more information on the proper operations of security and better knowledge so people can decide.

What can be done is to route the cables through the waters of friendly states and maintain proper diplomatic ties and set strict guidelines and naval patrols to protect and deter offending vessels from violating national waters. It might be very difficult on this one as the US war eagles would drag a long axe and ensure friendly nations turn sour enemies to get what they want.

Markus OttelaDecember 14, 2014 1:18 AM

A few thoughts on private social media.

If the chat side is excluded for now, most features of Facebook could use PGP-encrypted emails as back end. Let's imagine Fakebook, a Thunderbird plugin the GUI of which looks (almost) exactly like Facebook. Differences are under the hood:

Add contact
Ask for (name == public key) IRL, send PGP encrypted friend request mail.

Accept contact request
Send a return mail that contains HTML for a profile, bundled with pictures, status updates, likes, shares etc. of some specific profile of that user.

Both users authorize their friend individually, similar to XMPP.

The contact also sends all digitally signed public keys of their public friends to user so he can add them as well, although the local client warns about lower security rating.

The nice thing is, this makes obtaining trustworthy keyring a status symbol, although I can see how people might abuse it.

Publish something on your/friends wall
Send email and ask to forward the content of it to friends as well. Easier to control recipients with black/white/opt-in contact lists.

Send message, calendar update, link, invite
Create an email with specific content.

Send IM
Send OTR-chat message with XMPP.

Create group conversation
Use mpOTR like Crypto Cat.

Refresh profiles
Check for mail.

Piggy backs on existing gratis protocols? Yes.
Supports data-diode PGP-key exfiltration protection? Yes.

The system doesn't have to use PGP/(mp)OTR but I wanted to simplify this example.

One immediate problem is lack of deniability with publications a user might not want someone not in friend list to see - this problem also exists in Facebook.

Your thoughts?

ThothDecember 14, 2014 2:47 AM

The problems are related to the "walls" or publicly published PIIs. Whatever is published cannot be easily reverted due to the way internet media works. Crypto is possible over P2P or F2F protocols but crypto is just an aspect. Tracking people via other means and mapping them is the real problem.

An example of encrypted chat side channel attacks includes screenshots. It is hard to stop screenshot attacks like what if the legitimate user takes a photo and posts it online?

Probably the only thing is just logical security sense by controlling leaking PIIs to some extent.

Gerard van VoorenDecember 14, 2014 5:05 AM


Of course it is possible to have a "privacy concerned" social network.

What you need is a secure and anonymous decentralized peer to peer network such as GnuNet. In such a network you can have an app (that runs on your own computer) or web page in where you can decide to who / which subgroup you share your particular info with. Identifying is easy. You just share your public keys up front in person. The consequence of a p2p network is that you need to have a data pool on your computer where data is being mirrored so that the network still can work when lots of computers are turned off.

The big problem however is not technical at all. It is that such a network can never compete with the likes of Facebook and Google. These kinds of companies *do* deliver. They have unlimited resources to tackle any problem, including the hardware, stunning visual effects, latency, legal, bribing and advertising of their products. And they have already won. Their installed base is massive. It will take decades for that to change. Just look at how long it took for Linux to win the desktop (...) Be honest, everyone uses Windows or Apple and everyone uses Google and Facebook (not me actually). Changing that with a small group of volunteers working in their free time without any serious funding... it will take a while.

65535December 14, 2014 5:59 AM

@ Thoth

“They just want all forms of communications (according to the new bill) in an indirect manner.” –Thoth

Yes, that is what I see.

Further, the length of time for “retention of data” is to be determined by those same intelligence agencies. What a crock of crap!

@ Bob S

“NSA doubled down and won the jackpot.” –Bob S

It sure looks that way to me.

“The Intelligence Act codifies EO12333 and thus indeed does make mass collection of warrantless data all legal by Act of Congress.” – Bob S

That is basically the case. It has to be unconstitutional! But, I am not sure how to reverse this travesty!

@ MrC

‘What do the procedures permit? "The procedures... shall permit the acquisition, retention, and dissemination of covered communications." What's a "covered communication"? That's defined in 309(a)(1) -- "'covered communication' means any nonpublic telephone or electronic communication acquired without the consent of a person who is a party to the communication, including communications in electronic storage." So, in short, the procedures permit acquiring (i.e. intercepting), retaining, and disseminating basically any telephone call or electronic communication to or from an American… you may have noticed a bit of sleight of hand here. Congress does not come out and straightforwardly say "OK, intelligence agencies are authorized to spy on all Americans' telephone calls and e-mails." Instead, they require the intelligence agencies to adopt procedures, and say that the procedures shall permit them to spy on all Americans' telephone calls and e-mails. If that strikes you as backasswards, that's because it is. The opaque language is doubtlessly an effort to "hide the ball." Nevertheless, a court tasked with interpreting this language is going to have to find that Congress implicitly granted authority for this spying when it required the intelligence agencies to adopt procedures that permit it.' –MrC

Nail on the head! That is exactly the way I read this steaming pile of legal dung. The “intelligence agencies” get to make their own rules and change them as they see fit - behind closed doors!

Worse, the length of “retention” and the determination of “enciphered data” is defined by those very same intelligence agencies.

This appears to void most of the Fourth, Fifth and parts of the First Amendments of the US Constitution – not to mention the Press Reporter's right to confidential informants - and probably voids various ‘statute of limitations’ regarding criminal prosecutions.

It’s the worst outcome for the Average Joe. It is a huge fishing expedition for Non-National Security violations!

I cannot imagine a better outcome for the Intelligence Community/Law Enforcement Establishment - let alone the recording industry’s “Digital rights management” laws.

The only positive outcome of this pile of cram-down legislation is the remote possibility that some powerful Judge or Politician will become entrapped in this abusive communication drag net, get enraged and somehow reverse this travesty.

ThothDecember 14, 2014 6:08 AM

@Gerard van Vooren
Privacy can come if the following can be solved.

User X has Pubkey modulus 0xE1 0x4F 0xFE 0xD4 ... (2048 bits). User X has attributes of friends User A, B, C. They have each other's Pubkeys. Each user has a set of user attributes like their nickname, probably a photo ?, an email, some short Mood messages ... etc ...

Now all the PIIs are tied to a set of modulus for a Pubkey. How does a User X keep A, B, C as friends without the tagging PIIs? It would be even worse if the PIIs contain Wall messages (FB style). A person could probably not put a photo, not put an email, not use a reasonable nickname, not add Mood messages and not post any Wall messages and that would reduce the attack surface but that is exactly what most people are unlikely to do on FB or social networks.

That is how social network works. Inherently insecure in design because it tempts users to post Wall messages and such. You can use public RSA or ECC key but once names, emails, Moods, pictures, messages, PIIs start appearing... it can be harvested.

A deeper attack would be to trap a friend voluntarily or not to divulge or to fake a friendship. Compromising computers to observe and send back whatever glimpsed from a compromised computer, using human social engineering and whatever other known or unknown attacks. This is applicable for Bitcoins or whatever *coins it is in any other incarnation. As long as there is a static main identifier like a key ID with trailing attributes, it becomes easy to start generating a relationship map.

This is probably how NSA/GCHQ/BND ... etc ... grabs all the link data over fibre cables or Google trunk link and all those TAO catalogs talk about.

I won't expect anyone to deploy data diodes all the time (it's not reasonable). Ask a journalist (Glenn Greenwald) to use PGP and it's like the worst experience he had for crypto despite Snowden teaching him how to use a PGP.

So the main thing I am pointing at is ... crypto and distributed social technologies are good on the technical basis of crypto and distributed security. It does nothing to solve the problem I brought up in the first place which is how to make an identifier not an identifier (which is the main focus on most data collection by NSA/GCHQ/BND ... HSAs) on how they spy and correlate people from their social activities.

In summary, crypto and distributed security is OK and fine but the big staggering issue that I feel is hindering privacy is not solved whereby identifiers can be correlated with little efforts on the scale of being able to sit on major trunk links and listen in with the likes of those Powers That Be.
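The linkage Thoth describes in the comment above, as an added example that is not part of the original thread: it compares what a passive observer of message envelopes can reconstruct when every message carries static key IDs with what is visible when each friendship uses its own rotating tag. The pairwise-tag scheme, the key bytes, the shared secrets and all function names are assumptions constructed for illustration.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample data: stand-ins for the public keys of users X, A, B, C.
PUBKEYS = {name: b"constructed-public-key-" + name.encode() for name in "XABC"}
FRIENDS_OF_X = ["A", "B", "C"]
EPOCHS = [0, 1]  # two observation periods, e.g. two days of traffic


def key_id(pubkey: bytes) -> str:
    """Static identifier: truncated SHA-256 fingerprint of a public key."""
    return hashlib.sha256(pubkey).hexdigest()[:16]


def pairwise_tag(secret: bytes, epoch: int) -> str:
    """Per-friendship tag (assumed mitigation): HMAC of the epoch number
    under a secret that only the two friends hold."""
    return hmac.new(secret, b"tag|%d" % epoch, hashlib.sha256).hexdigest()[:16]


def static_traffic():
    """Envelopes that expose (sender key ID, recipient key ID)."""
    x = key_id(PUBKEYS["X"])
    return [(x, key_id(PUBKEYS[f])) for f in FRIENDS_OF_X for _ in EPOCHS]


def pairwise_traffic():
    """Envelopes that expose only one tag per message."""
    messages = []
    for f in FRIENDS_OF_X:
        # Constructed secret; in practice it would come from a key exchange.
        secret = hashlib.sha256(b"constructed secret X-" + f.encode()).digest()
        for epoch in EPOCHS:
            messages.append((pairwise_tag(secret, epoch),))
    return messages


def relationship_map(messages):
    """Observer's view: every identifier mapped to the identifiers that
    appeared in the same envelope with it."""
    graph = defaultdict(set)
    for ids in messages:
        for i in ids:
            graph[i].update(j for j in ids if j != i)
    return dict(graph)


def summarize(messages):
    """Return (distinct identifiers seen, largest number of contacts that
    the observer can attach to any single identifier)."""
    graph = relationship_map(messages)
    return len(graph), max(len(peers) for peers in graph.values())


if __name__ == "__main__":
    # Static key IDs: 4 identifiers, and X's ID is tied to all 3 friends.
    print("static  :", summarize(static_traffic()))
    # Pairwise tags: 6 unrelated identifiers (3 friendships x 2 epochs),
    # none of which can be attached to another from the envelope alone.
    print("pairwise:", summarize(pairwise_traffic()))
    # Not modelled: network addresses, timing, profile attributes and
    # compromised endpoints can still link the tags.
```
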

Gerard van VoorenDecember 14, 2014 6:23 AM

@ Thoth

I am probably dumb but I can't understand why it can't work. The only thing you share in the network for identifying purposes is your pubkey. You don't share anything else. And you exchange pubkeys in person with the people you like. Then you decide which part of your personal information you share with these persons. For the rest the network is anonymous.

ThothDecember 14, 2014 6:44 AM

@Gerard van Vooren
Multiple level threat schemes including computer infiltration, social engineering. The distributed crypto network works for privacy to a limited degree with low assurance to its design. It simply relies on network based security with cryptography.

No technology can prevent social engineering. Running on insecure hardware and software is a huge problem (yes it is indeed impractical to use anything more than Win/*Nix/OSX).

Dan E.December 14, 2014 8:52 AM

Forgive me but I just don't see privacy as the utmost priority of social networking applications beyond the standard privacy options offered by facebook, google+, whatsapp, linkedin and others.

If you have family photos, video, or other media that you want to keep access to a few, store them in a file locker with privileges.

Most social networking pages are used for self-promotional purposes such as landing a job, public relations for public figures, showing off one's wealth and latest accomplishments, etc. I doubt their users really care about privacy as most posters here do to the point that they'd quit using the service.

If you think a facebook person might be faking it or pretending to be someone else, pick up the phone or meet in person to verify. Some of you are taking these social networks way too seriously. Just treat it like myspace, then you really got nothing to grind your teeth about.

SkepticalDecember 14, 2014 8:56 AM

@MrC, Bob S, et al: re Section 309

I see the problem you're all having.

There are existing limits in law, constitutional and statutory, on surveillance of private communications.

Where the bill states [t]he procedures... shall apply to any intelligence collection activity not otherwise authorized by court order..., subpoena, or similar legal process that is reasonably anticipated to result in the acquisition of a covered communication to or from a United States person, the bill is referring obviously to lawful intelligence collection activity.

Reading the bill as itself authorizing any intelligence collection not otherwise authorized by court order, subpoena, or similar legal process results in an absurd interpretation - that the law authorizes everything not otherwise authorized. For many reasons, this is not an interpretation any court will make. Any practicing lawyer or judge will, and should, find such an interpretation bizarre.

If you want to really understand Section 309, begin with the title, where the purpose is quite clearly stated: PROCEDURES FOR THE RETENTION OF INCIDENTALLY ACQUIRED COMMUNICATIONS.

It is precisely the lack of law regarding the regulation and oversight of the retention of incidentally acquired communications collected under EO 12333 that drew criticism from a former State Department official in July (which I quoted in an earlier comment in this thread).

The section focuses upon incidentally acquired communications because there is already law in place that limits the intentional targeting of US persons and the collection of their private communications.

H. HankDecember 14, 2014 9:05 AM

@ Skeptical

Then we must go back to the question of how do we "incidentally acquire" a piece of communication?

By the word "acquire" I assume communication is intercepted and stored somewhere.

By the word "incidentally" I assume that means "unauthorized" or "warrantless" ?

Am I understanding this correctly?

ThothDecember 14, 2014 10:02 AM

@Dan E
As the common saying, if you post something online, be very sure that it will circulate around. In short, be careful of what you put out there.

BenniDecember 14, 2014 10:06 AM

Regin malware contains codenames of Snowden documents:

New codenames:


Apparently, Belgacom never completely removed the malware from their systems.

And Cisco is NSA:

"Either way, the malware investigators at Belgacom never got a chance to study the routers. After the infection of the Cisco routers was found, the company issued an order that no one could tamper with them. Belgacom bosses insisted that only employees from Cisco could handle the routers, which caused unease among some of the investigators.

“You could ask many security companies to investigate those routers,” one of the investigators told The Intercept. By bringing in Cisco employees to do the investigation, “you can’t perform an independent inspection,” said the source, who spoke on condition of anonymity because he was not authorized to speak to the media"

Big Lie 11,304,849a Rev. 2December 14, 2014 10:21 AM

Incidentally acquired communications. As NSA documents and executive statements prove, there are no incidentally acquired communications. NSA's policy and posture is Collect it all. The NSA weasels who sneaked this stinker into the bill bei Nacht und Nebel, they think you forgot.

So Skeptical comes back to try a new and improved lie: that NSA's legally untenable surveillance of all correspondence calls for regulation, and not prohibition as required by the supreme law of the land.

Gee, a guy with absolutely zero integrity can make a lot more money as a banker. So skep, why are you sucking the taxpayer's tit? Can't do the math? It's only Gaussian copulas.

BoppingAroundDecember 14, 2014 10:49 AM


Thank you.

> You'll often see discussion of Smith's theory or concept of the invisible hand.

I do, yes.

> Whenever you hear or read someone talking about Smith's concept of invisible hand your BS detector should be emitting a loud scream.

It does indeed. :-) I have noticed that the interpretations vary greatly, and mostly, to suit the views of those who use it.

Mike (just plain Mike)December 14, 2014 10:53 AM

@Skeptical – well – actually that seems pretty clear. I’d say your original claim that this particular law-thingy has narrow scope and just adds (mild) constraints where there were none before is still sounding fairly credible to me. Sure – you’re probably a horrible sock-puppet of the government-military-industrial-what-ever and you are like just so evil etc. etc. etc. etc.... But, anyhow, if your position continues to hold up I am very much looking forward to seeing how some others here handle the being-wrong thing. Good test of character I always think.

name.withheld.for.obvious.reasonsDecember 14, 2014 10:56 AM

In reading the recently passed Intel Authorization Act, the pieces of the puzzle become clear. As I have repeatedly warned, the DoD is actively engaged in subverting civilian authority. The military asserts its role not just in war but in civilian governance. This is the last nail in the coffin of the democratic experiment, the last breath of the republic. Dissent in an environment where the government leverages military power over the citizen will become impossible. Redress for injustice becomes improbable.

Summary Observations on HR 4681, the Intelligence Authorization Act for Fiscal Year 2015

Legislative Goal(s) and Issues

Section 328, Assessment of the Efficacy of Memoranda of Understanding to Facilitate Intelligence Sharing

Hypothetical/Potential Objective(s):
Remove constraints in sharing intelligence with domestic non-Federal government entities outside of the Joint Terrorism Task Force--thus authorities derived from cited EO 12333 cannot apply as Presidential authorities are not public law--Presidential power(s) are limited under authorities enumerated in the 2001 AUMF. The language is purposely separable, dis-associated from "approved" use of military force/intelligence, skirting the traditional boundary between the strictures of governance and the force of the military. Just as a king dispatches soldiers to vanquish his personal foes, the federal government covertly imposes its will upon the civil population.

Potential Motive(s):
As with the proposed CIS[P]A bill, the federal government shall remove restraints that provides MILITARY INTELLIGENCE to civilian government(s) and municipalities--a chain characterized as the following:

DoD is the Authoritative Agency and the DNI within the DoD, directs CIA, NSA, DHS, and FBI

The effect, classified intelligence (sources and methods) shared with/by civilian authorities, will achieve the following:

1.) Impact on Law and Judicial Procedures; criminal, civil, or other litigant-based actions permits civil authorities to take actions (arrest, constrain, impose fines and penalties) directed at individual citizens--no direct, testable, or refutable claims can be made in open court (classified) secret evidence. Historically, civilian defense attorneys are denied access to material claims and evidence collected/surveilled. This section in effect obviates restraints on Article Three courts and state courts under this statute.

2.) The use of shadow evidence permits the DoD to obscure its involvement in civil legal proceedings, procedures, or enforcement. This section does not differentiate DoD authorities from military procedural laws or courts, instead it proxies derivative military court authorities to Article Three and state courts.

3.) Employing what amounts to hearsay, military involvement in civil governance subjects civilians to the priorities of the military.

Section 309, Procedures for the Retention of Incidentally Acquired Communications
Language Issue:

(a) Definition in this section.
(1) Covered Communications. The term "covered communications" means any nonpublic telephone or electronic communication acquired without the consent of a person who is a party to the communication, including communications in electronic storage.


Section 307, Management and Oversight of Financial Intelligence (continuation of the crimes against the citizenry)

Section 303, amended Section 108A NATIONAL INTELLIGENCE STRATEGY
Intelligence activities states as a national strategy, effectively collapses the scope of foreign authorities to a scope that is national.

I will follow up with a "Big Picture" hypothesis later, need to attend to the challenges that is putting a meal or two.

AlanSDecember 14, 2014 11:31 AM


You wrote "Earlier this year a former State Department official wrote an op-ed published in The Washington Post. In it, he detailed his concerns regarding Executive Order 12333....His concern was that, unlike collection authorized pursuant to provisions under the FISA Act or the Patriot Act, collection undertaken under Executive Order 12333 was not subject to any oversight and that communications of Americans gathered incidentally could be held without any legal limitation. Section 309 begins to address those concerns by, for the first time, setting forth legal restrictions on such communications gathered under EO 12333."

So here is what this former State Department official, John Napier Tye, has to say about the recently passed intelligence bill (HR 4681) and section 309:

“It is good that Congress is trying to regulate 12333 activities,” Tye says. “But the language in this bill just endorses a terrible system that allows the NSA to take virtually everything Americans do online and use it however it wants according to the rules it writes.” He says that includes sharing the intercepts with foreign governments and domestic law enforcement.

“The NSA can take everything an American does online [and] write its own rules for how to share it with foreign governments and with the FBI, allowing a huge amount of American data to [be used to] prosecute Americans with no court oversight," Tye says.

There’s no specification in the legislation of crimes that would qualify communications for distribution to law enforcement. “The executive branch writes its own rules,” Tye says, with the FBI using parallel construction to obscure the true origin of some criminal investigations.

Also see:
Meet Executive Order 12333: The Reagan rule that lets the NSA spy on Americans John Napier Tye, WP, July 18, 2014 (your link to this article above appears to be broken)

Reagan-Era Order on Surveillance Violates Rights, Says Departing Aide NYT AUG. 13, 2014

Nick PDecember 14, 2014 11:35 AM

@ sena kavote

@ Gerard, Thoth

I just spent 10 minutes in vain trying to find a good article I read on Facebook's dominance. I at least remember the thesis: it does a ton of stuff for you, does it well to half ass, integrates all of it, and it's all free (with paid extras). A better Facebook isn't a better social networking site: it's an entire platform matching the Facebook experience and then doing better. Quite a tall order.

A more recent article also pointed out that Facebook constantly experiments on its users and invests a ton in R&D. They understand their users better than about any company, down to the colors they're most receptive to. Further, they wisely keep acquiring their best competitors (eg Friendster) and new fads (eg Snapchat, attempted WhatsApp) that try to steal their users. They also get people to put as much data as possible into their services to (a) prevent a transition and (b) squeeze more revenue out than competition.

So, it's quite a formidable company with brilliant management and engineers doing everything right. They've already lasted 10 years with only growing dominance, which is unbelievable in this market. I'd love to see a challenger defeat them, but just have trouble imagining what it would look like.

@ Dan E.

"Most social networking pages are used for self-promotional purposes such as landing a job, public relations for public figures, showing off one's wealth and latest accomplishments, etc. I doubt their users really care about privacy as most posters here do to the point that they'd quit using the service."

Good point. Their main market was actually college types. These are people whose culture includes gossip, photos, events, games, etc. If you look at their offerings, they're still about an ideal match for college culture. They also appeal to the types of people you mentioned. These types of people aren't privacy conscious and aren't going away any time soon. So, their customer base has good longevity properties.

It's not a loyal demographic, though, so they can be challenged as we see with stuff like Snapchat, Tumblr, and WhatsApp. The good news is that, whether services make it or not, there's an endless stream of innovation in this field as rivals try to make a better social networking experience. For instance, I used to promote MyYearbook as it did about the same thing, could replace costly yearbooks, make reunions easier, and had less evil management. It was a good idea. "Path" was clever too as it's more for people like me: track a small number of people that actually matter.

DanielDecember 14, 2014 12:50 PM

Skeptical writes, "For many reasons, this is not an interpretation any court will make."

LOL. Oh wait, you are serious. Let me laugh even harder. It doesn't even matter whether it's the FISC or SCOTUS. Look, I'm probably one of the few people who has actually bothered to read Yoo's and Lederman's legal briefs. The Executive will justify anything it wants to justify in long drawn out legal briefs and memos. SCOTUS will do nothing in the name of "national security". We heard just this weekend Scalia proclaiming that "torture is not unconstitutional". People thought he was only referring to Gitmo but really he means "tortured readings of statutes by the executive to justify white being black and purple being orange."

Here is how much I trust the courts to "do the right thing". None. All the evidence points the other way.

Nick PDecember 14, 2014 1:02 PM

Galois Inc's formal specification and proof of BASE64 (in C)

I like how they do high assurance implementations of useful things (eg ASN.1, BASE64) and then teach others how to do it. IIRC, Kaminsky showed that a BASE64 conversion can knock out some web attacks as a side effect. So, Galois just indirectly built an EAL7 defense against those attacks. The kind of accident one can be proud of. ;)

Nick PDecember 14, 2014 2:02 PM

Agile Framework for High Assurance or Regulated Systems Development

There was previously concern over whether Agile methods were appropriate for high assurance system development. This paper shows Agile methods have already been applied in this field and empirical evidence that they still deliver on promises. The author proposes an Agile High Assurance Software Lifecycle for medical device development. The author goes into detail for each step of the process.

Overall, I think the evidence for Agile is strong enough that new high assurance developments should try his framework and measure the outcomes. If consistently (a) effective and (b) better than status quo approaches, then mass adoption by high assurance industries should follow.

This will also tie in nicely with the Incremental Assurance philosophy that says to develop systems in a way where individual components can be assured over time. That was a practical compromise to allow a business to have money coming in to further development and assurance activities. Adding agile might also offset the feeling that high assurance development is a huge upfront burden. Experts could break a given proposal into features, security requirements, coding guidelines, integration guidelines, and user stories. Then, contributors could just take it one user story at a time.


Clive RobinsonDecember 14, 2014 2:53 PM

@ Alan_S, BoppingAround,

Whenever you hear or read someone talking about Smith's concept of invisible hand your BS detector should be emitting a loud scream.

Whilst I agree Smith did not ascribe a meaning to the term specific or otherwise, it does not mean that it does not exist now or then.

History indicates that Smith had a very nasty shock whilst writing the Wealth of Nations, and quite literally rewrote it after a crisis of faith in the market that in effect stripped the scales from his eyes.

The invisible hand of that time can still be seen today and it's the 'aligned malign self interest of market insiders', which is a rarified form of greed combined with a lacking in ethics.

One such example to consider was Lloyds Insurance and the LMX spiral, where "new money" was "suckered in" by traders and members of the Lloyds Council who even judges described as "not having the morals of an alley cat". To make it worse the wife of a now convicted criminal and self fantasist the then Lord Archer, --who was a senior member of the then UK Conservative party-- was appointed to be Chairman of the names hardship committee and her attitude was "bleed them dry" and only suicide or bankruptcy was the way out. I have reason to remember this because I was asked to consider becoming a Lloyds "external name". It was only my over cautiousness due to the fact various quite technical questions I had from working in the oil industry were not honestly answered that I thought "something fishy not for me".

I still regard it as "one of my nine lives" and it's just one of the reasons I'm opposed to "self regulation".

You can read more on Lloyds at,

So remember any time you hear people talk of "self regulation" your "run for the hills" or "Dalek Exterminate" reflexes should kick in, because it is just one of the myriad of knuckles with which the modern "invisible hand" will slap you down with. And as with other "human failings" if you get hurt it is you not those who wield that "invisible hand" that will be seen publicly to be at fault...

Nick PDecember 14, 2014 4:30 PM

New papers on higher assurance software/system development

(I discovered some of these on Galois' blog/talks page and some by Googling terms referenced by them. Their blog is well worth the occasional read.)


Abstract: "EasyCrypt is a computer-assisted framework for proving the security of cryptographic constructions. However, there is a significant gap between security proofs done in the usual provable security style and cryptographic implementations used in practice; as a consequence, real-world cryptography is sometimes considered as “one of the many ongoing disaster areas in security.” We have recently extended EasyCrypt with support for reasoning about C implementations, and exploited the CompCert verified compiler to carry the security proof to executable code. Moreover, we have developed verified type-based information flow analyses on assembly code to ensure that executable code is protected against cache-based side-channel attacks."

Nick's note: could be used in conjunction with CRYPTOL. Both should be immediately enhanced and extended by academia.

NICTA's Termite-2

Abstract: "Automatic device driver synthesis is a radical approach to creating drivers faster and with fewer defects by generating them automatically based on hardware device specifications. We present the design and implementation of a new driver synthesis toolkit, called Termite-2. Termite-2 is the first tool to combine the power of automation with the flexibility of conventional development. It is also the first practical synthesis tool based on abstraction refinement. Finally, it is the first synthesis tool to support automated debugging of input specifications. We demonstrate the practicality of Termite-2 by synthesizing drivers for a number of I/O devices representative of a typical embedded platform."

Nick's note: Device driver synthesis is a good idea. This type of tool, if able to do its job robustly, could solve two problems in the area of trustworthy device drivers. First, it could automatically produce drivers for open hardware designs. Second, tools like these could be developed for non-mainstream OS's whose developers could hand to proprietary hardware firms and get a binary blob back. This lets hardware developers keep their designs closed, maybe make some money, and encourage development of new OS's.

LiquidHaskell and Liquid Type verification page

Abstract of LiquidTypes paper: "In this dissertation, we present Liquid Types, an automated approach to software verification based on inferring and checking expressive refinement types, data types which are augmented with logical predicates, which can be used to express and verify sophisticated program invariants. We show how Liquid Types divides the task of program verification between type-based and logic-based reasoning to infer precise invariants of unboundedly-large data structures. Further, we show how the liquid types technique is suited both to high-level, pure functional languages and low-level, imperative languages with mutable state, allowing for the verification of programmings running the full range from applications to systems programs. The Liquid Types technique has been implemented in type checkers for both the OCaml and C languages and applied to a number of challenging programs taken from the literature and from the wild. We highlight experimental results that show that the refinement type inference performed by Liquid Types can be used to verify crucial safety properties of real-world programs without imposing an undue verification-related overhead on the programmer."

Nick's note: Looks promising as one of their papers showed it proved a number of useful properties (eg memory safety, correctness) on a bunch of Haskell code with little annotation. Combined with NICTA, Galois, and HASP work, this could take verified system design very far.

Toward Principled Browser Security

"To ensure the confidentiality and integrity of web content, modern web browsers enforce isolation between content and scripts from different domains with the same-origin policy (SOP). However, many web applications require cross-origin sharing of code and data. This conflict between isolation and sharing has led to an adhoc implementation of the SOP that has proven vulnerable to such attacks as cross-site scripting, cross-site request forgery, and browser privacy leaks. In this paper, we argue that information flow control (IFC) not only subsumes the same-origin policy but is also more flexible and sound. IFC not only provides stronger confidentiality and integrity for today’s web sites, but also better supports complex sites such as mashups, which are notoriously difficult to implement securely under the SOP."

A combination of essays on state of the art in embedded, runtime assurance

SMACCMPilot - an open software and hardware autopilot system for small UAV's using high assurance software methods

All in all, some great reading. Still haven't got to read it all myself.

SoWhatDidYouExpectDecember 14, 2014 5:13 PM

We all know about the No-Fly list. What about the possible Do-Not-Spy list brought to mind by this discussion:

How do the political and corporate overlords keep their junk out of the corporate data collection and the spy agency data collection? The corporate answer is easy...they control their own and give a pass to each other.

Most certainly, there has to be a Do-Not-Spy list. And, from the spy agency standpoint, if they collect the data of the corporate and political overlords, they probably maintain a do-not-analyze list to avoid repercussions (most likely it works the opposite way; the collected data is analyzed and ramifications of the content therein staves off repercussions - think in terms of the present administration's change of heart from pre-election political promises).

BoppingAroundDecember 14, 2014 5:15 PM

[re: challenging Facebook] Nick P,

Considering *where* we are discussing this stuff, I do wonder in what way exactly this yet unknown challenger has to be better than FB. And taking into account the previously mentioned where-aspect, one might say it must be better from the privacy/security POV.

Yet, what if it has to be even more cunningly invasive in order to surpass FB? I have not seen any at least somewhat major shifts in attitudes since Snowden/FB experiments/any other privacy-security-related troubles so maybe the thought is not as mad as it seemed to be at first time.

Clive Robinson,

Thanks for your info too.

Bob S.December 14, 2014 5:29 PM


—In this section: (1) COVERED COMMUNICATION

—The term "covered communication" means any nonpublic telephone or electronic communication acquired without the consent of a person who is a party to the communication, including communications in electronic storage.

That's EVERYTHING folks. Doesn't say anything about foreigners, terrorism, exceptions to the rule or anything. They can and will take it all. Nonpublic means (formerly) private, get it?

Elsewhere in the same law:

"The procedures apply to collection activity ... ....and shall permit the acquisition, retention, and dissemination of covered communications".

There was no debate, no discussion, it just passed and is the law of the land now. It's already signed by the President of the USA, the Constitutional scholar.

Besides the horrendous implications of our newly minted Orwellian police state, there's the obvious realization democracy and representative government has failed us all.

It's over.

I am having a hard time deciding what to do about this. Without doubt politically active dissenters will become targets for elimination, one way or another. And they can work in absolute military grade secrecy, all the time.

How naive for me to think the Snowden Revelations might lead to some positive changes. It went the other way...they made it all open and official.

I have to think about this awhile.....

Wesley ParishDecember 14, 2014 7:02 PM

About Smith's The Wealth of Nations? Here's a good place to find it.

Incidentally Acquired Communications

Definition of adjective "incidental" - something besides the (alleged) main focus, eg. "I mowed your lawns, lady. Running over your dog was incidental, a side benefit."

Definition of adverb "incidentally" see above. eg. "I've got a gobstopper for the poppet. It'll keep her happy, and incidentally, keep her quiet for long enough for me to seduce her mum."

How do you "incidentally" acquire communications? I suspect it's like this: If I'm walking down the street, I accidentally acquire communications. If I'm stalking the poppet's mum, and am peeping in her boudoir window while she's discussing matters with her current squeeze, that would be "incidentally" acquiring communications.

Interesting. Betrayed by the words chosen.

E. B. HobbsDecember 14, 2014 7:18 PM

@Thoth:"@sena kavote
Who is going to guarantee the hash files ? It is not hard to hash files and spread them. It is hard to setup trust relationships."

In journalistic terms, how do you trust a news article to depict what has really happened?

1) reputation of journalist, news editor, and source
2) access to other reader's opinions, this includes censorship of reader feedbacks
3) one's own education and experience, to discern truth, fiction, the in-betweens, and astroturfings
4) access to other news sources for correlation of facts

so, as you said education of users is important in crypto, i think the only way to maintain integrity is thru community self-regulation, which may include but not limited to centralized certification.

but, as others point out, self regulation is in danger of aligned insiders. this is where education (not indoctrination) is important as aligned insiders tend to maintain a high level of secrecy regarding their know-hows.

AlanSDecember 14, 2014 8:04 PM


The invisible hand of that time can still be seen today and it's the 'aligned malign self interest of market insiders', which is a rarefied form of greed combined with a lacking in ethics.

Not sure what that has to do with Smith. In his earlier book he was critical of people who argued "private vices were public benefits". In Wealth the passage that's often quoted as being about the importance of selfishness is about the importance of considering the self-interest of others, cooperation. And in various places he points out areas where the pursuit of self-interest is harmful to the public interest and should be subject to regulation. See Adam Smith: Selfishness or Self-Interest? for discussion.

...just one of the reasons I'm opposed to "self regulation".

Smith was hardly a fan of self-regulation in the 18th C. banking industry so using Smith to justify deregulation or self-regulation of financial sector in the 20th C and 21st C, as Alan Greenspan and others did, is a bit of a stretch. Read it for yourself here. There's a very explicit statement about the need to regulate the issuing and receiving of "promissory notes" at 2.2.94.

I don't think Smith ever wrote about Lloyd's but he did write about the company whose ships Lloyd's insured: The East India Company. The book is an attack on mercantilism as exemplified by the East India Company.

Nick PDecember 14, 2014 8:06 PM

@ BoppingAround

My interpretation of your post is:

1. Majority still doesn't care much about Facebook, NSA, or surveillance in general.

2. Surveillance is important to the advertising model.

3. A Facebook replacement might need to be better in a number of ways to succeed.

4. A Facebook replacement, due to advertising, might need to be as invasive or more invasive to succeed.

Yes, I've considered the fact that NSA eavesdropping and people expecting things free might necessitate a centralized, snooping alternative to get real traction. This isn't the end of the world: use something else for end to end protection of communication. Markus Ottela already gave you one solution. Encrypted IM or email on hardened machines is another. However, there might still be something we can do with social networking.

Here's some potential differentiators:

Legal. The service has a privacy policy that says what it will do with your data. The policy is quite reasonable compared to Facebook, lacking sneaky stuff. The system would also have a way of classifying how submissions are to be shared. Unlike Facebook, this method would have sane defaults, be comprehensible, rarely change, and be enforced by every layer of the system. Special provisions might exist to say certain things, like private messages, are never analyzed.

Encryption. The system might encrypt all submissions and keep the keys in memory. It does this seamlessly with per user protections. The keys are periodically backed up into their own database or stored encrypted with the submission itself. Deleting posts results in the deletion of the keys and data. Only your app (and NSA if mandated) have the keys if it's a private message. The provider and others have a copy if it's something shared. The retention policy puts a high end on how long data will be available despite backups. The storage backend never gets the keys.

Anonymous data mining. The advertisers want to understand customers enough to decide what they might buy. The company might do a special deal with advertisers where the analysis is run locally on company operated machines. Advertisers send in analysis, description and algorithms, they want to run. These are vetted for their privacy-preserving properties and purpose. If they pass vetting, the algorithm is implemented in a secure and authenticated service that advertisers can call on. The service pulls the data + keys from storage, does the analysis on plaintext, keeps storing results of analysis encrypted in database, erases plaintext + keys when done, and sends the results back to advertisers. The ad delivery itself, especially IP targeting, might be done by service provider to ensure advertisers only see pseudonymous ID's rather than actual IP's. Both parties get what they want (mostly) with reduced risk.

Platform safety and efficiency. This is better for apps than web service. However, the platform being made with a higher assurance standard using safe, but native, technologies has benefits. The system is less likely to be hacked, crash, use up much of the network, or run slowly. Apps might also be required to run on a specific platform with enhanced safety, reliability, and efficiency. App makers just pay for more nodes to be installed as their app increases in popularity. Side benefit is a continuous stream of investment into at least one secure datacenter product.

Business edition. A paid business edition might be offered that runs encrypted, logged, on a secure platform, with SLA's, whatever. More control is given over the features. Might have an API at this point. Depending on price package, advertising and datamining might be anywhere from the same to limited to none. These can connect with the personal accounts if desired. Useful functionality, from email to messaging to file storage, would be offered. This might even be provided by providing a front end to several existing services much like Blackphone is doing with Android, SpiderOak, SilentCircle, etc.

Open source, but proprietary. Some of them are competing on source openness for trustworthiness. Others do it more for increased acceptance by FOSS community and free code submissions. I previously noted here that you can keep code proprietary and open for review at the same time. Having it open lets people spot flaws, debug it better, extend it better if it has an API, etc. If people contribute a good feature, give them recognition on the site, free service, a gift, etc.

So, there's quite a few differentiators one can use for a better Facebook that's still centralized, ad driven, backdoored, convenient, cheap to operate, and fun to use.

Quick Edit: Early Web had many sites with forums that asked you to describe your interests. This gave advertisers a bit more precise ads without constantly spying on you. So, something along these lines is also a possibility.

name.withheld.for.obvious.reasonsDecember 14, 2014 10:53 PM

@ Bob S.

There was no debate, no discussion, it just passed and is the law of the land now. It's already signed by the President of the USA, the Constitutional scholar.

As of 2349 EST 14 Dec 2014 no major newspaper, on-line, is covering the story of the IAA of 2015. I believe has a piece on the surveillance legislation that probably represents the greater infringement to civil liberties in the history of the United States.

JonKnowsNothingDecember 14, 2014 11:08 PM


Several V E R Y Interesting... tidbits from the latest Regin-Belgacom linkages.

  • Once Cisco Routers are ID as a source of infection they call the whole investigation off until the Regin auto-destruct cycle completes but not all of it is gone.
  • Only Cisco Employees are allowed to touch the routers.
    Could these be the same employees they use in the Bahamas?
  • Cisco "knows less than" JonKnowsNothing about any hacks on their routers.

The Big AVs have already fallen on their swords about not telling anyone about Regin State Sponsored Malware with a set of statements only worthy of laughing at. Like: We didn't want to interfere with a State Ops... as in Which State were you thinking of? A planetary one or a delusional one?

It was SO easy to target the Engineers and access the entire Belgacom network.

  • Harvest IPs going in/out of Belgacom (generic harvest)
  • Harvest Email/Contact names from LinkedIn with Belgacom connections (open sesame)
  • Cross reference against their BILLION cookie database consisting of Google, Yahoo and LinkedIn cookies to verify identity (we know who you are Mr Smith)
  • Setup MITM with faked LinkedIn page for the 70+ Engineers with Admin Access. (waiting for the big fish)
  • Accessed the Exchange Email Servers and implanted the malware using stolen SSL certificates and ghosting in as a Microsoft Update. (Whose backdoor is that?)

And what's even better: The Belgacom bosses said "Nothing Happened"....

Maybe they should review the video on TREASUREMAP called CHOKEPOINT?

Treasure Map: The NSA Breach of Telekom and Other German Firms

65535December 15, 2014 1:51 AM

@ Bob S, H. Hank, Big Lie 11,304,849a Rev. 2, name.withheld.for.obvious.reasons, Daniel and others:

Sec. 309 is extremely broad and highly abusive! I cannot imagine that certain high level attorneys, politicians or judges on the progressive side of the fence will not be entrapped or negatively affected. We have been betrayed by members of our own team.

There is some ambiguity as to which Senator inserted the abusive language in the bill. It appears to be Dianne Feinstein D-CA. Her amendment to the H.R.4681 has just an “in the nature of a substitute” clause [all others do].



If those links don't work see "It was Feinstein"

@ SoWhatDidYouExpect

“We all know about the No-Fly list. What about the possible Do-Not-Spy list…” –SWDYE

I am sure there is a “Do-Not-Spy list” somewhere. But, I have not seen one.

Tangentially, there is a form of VIP credit rating that allows politicians, judges, businessmen and celebrities to scrub their permanent record of negative items.

“According to David Szwak, a partner in Bodenheimer, Jones & Szwak which specializes in insurance law and litigation against credit bureaus, some credit bureaus in the United States maintain a VIP database of special consumers such as members of Congress, judges, actors and celebrities...” -Wikipedia

See Controversy, 75% down:

I will note that expanding the reach of the military-industrial complex to private data could affect credit scores [FICO and newer types of credit scores] that relate to employment – or the denial of employment to low credit score job applicants.

Although most newer forms of credit scores are front end loaded – that is the newer the data the more important it becomes in said score. There is an “identity score” that feeds into credit scores [and ID fraud prevention] which affect every person with a Social Security number. That identity score uses all sources of data including social media data and is proprietary to each credit score corporation.

“Identity scoring was originally developed for use by financial services firms, to measure the fraud risk for new customers opening accounts. Typical external credit and fraud checks often fail to detect erroneous background information… Identity scoring is also being tested as a means for financial institutions to comply with criminal investigations and anti-terrorism measures such as the Bank Secrecy Act (BSA) and the USA PATRIOT Act. Usage of fraud verification tools and third-party authentication systems to verify identities and “red flag” suspicious activity is greatly enhanced by identity scoring… These records can generally be broken down into three categories: Public records, private records, and credit records.

"Public records can include (but are not limited to) any of the following sources:
• Federal, state and local government records
• Financial records like bankruptcies, liens and judgments
• Law enforcement records for felony and misdemeanor convictions

Private (non-credit) records can include (but are not limited to) any of the following sources:
• Bill and utility payments
• Collected personal information from marketers or affiliates
• Information provided to subscription-based Internet services
• Billing information from medical services
• Private background checks conducted by human resource departments"


"Each identity scoring system uses individual data components to generate their score, meaning that results can vary wildly even for the same individual.
Typical identity score components can include (but are not limited to):
• Name components, Personally identifying information such as name, address, etc.
• Behavioral use pattern components, Analyzed patterns of behavior from information.
• Internet components, Personally identifying information found on the Internet, such as Web sites, blogs, chat rooms, etc.
• Hacker and fraud components"


I guess this could be useful in convincing those “who have nothing to hide…” For example, one could explain to them that what they say on line could negatively affect their credit score or job opportunity in the future. That may or may not work in all cases.

Big data can be used against anybody. This data could also affect various politicians, judges, lawyers and bankers in unexpected ways in the future.


Clive RobinsonDecember 15, 2014 4:45 AM

@ AlanS,

I think my first para of,

    Whilst I agree Smith did not ascribe a meaning to the term specific or otherwise, it does not mean that it does not exist now or then.

Did not get my meaning across (the joys of trying to be overly brief).

As far as I'm aware Smith only used the words "Invisible Hand" as a phrase in the same way you or I might use "pulling strings", "politically correct" or other phrase in common usage currently. The fact that each time Smith used it the usage was different does not help those wishing to ascribe specific meaning to the phrase.

Though some argue that Smith was in effect an atheist and that "invisible hand" was a reference to the workings of the world / universe those at the time attributed to God, (in a similar manner that insurance companies use "act of god"). It is more likely Smith used it to refer to more "human failings and their unintended consequences" in a generalised way.

In general when we use such phrases we don't usually give any specific meaning to the phrase because we assume it is clear to the user at the time of our writing. Unless we are historians we may not realise or care that the meaning of a phrase changes with time, as for instance the Victorian "Going Gay", the Edwardian and later "Bachelor Gay", or "manufacturer" and many others.

However, returning to Smith, even though the various effects that have more recently been ascribed by others to the phrase "invisible hand" may or may not have the contextual meaning Smith originally intended when he used the phrase, some of the effects were certainly known to have existed prior to Smith's time (see the Scottish Company and the 1707 act of union) and do not arise from any "conspiracy of action" the phrase "invisible hand" may now have ascribed to it (I've actually seen it used for different meanings that are in effect opposites of each other).

I went on to give the most likely effect a short description, --which you quoted-- and an example (Lloyds) of one such effect from today that was prevalent in and before Smith's time.

However what the description does not indicate is whether what the "insiders" do in self interest is for the public good or not. It can be argued that insiders harming investors could be for the public good even though the investors come to some considerable harm (which is a point a US judge ruled in favour of in the case of US Lloyds names and industrial/environmental claims).

It's a view point that had some interest to Smith apparent in his earlier work, and much of Smith's work warned against actual conspiracy or monopolies where dishonest trades people agreed to distort what he saw as the natural course of a market.

Even today you see point and counter point articles on Smith and his work, and in some respects he has become like Shakespeare in that the original meaning of the works is by and large dwarfed by the later analysis of the works....

Mike (just plain Mike)December 15, 2014 5:44 AM

@Nick P, Bopping: I’ve been thinking for some time that a big differentiator for a FaceBook competitor would be to have no advertising at all. This is a bit of a hobby-horse of mine so I rant about it at most opportunities. Anyhow – market forces and all that – give the people what they want. Biggest thing FB users complain about? Adverts. We don’t like all the adverts - moan, moan. Sure, people would have to pay – not very much though – server costs falling every year and all that – I’m trying to think outside the box. Everyone says people just won’t pay – but – paradigms fall from time to time – maybe “you can’t compete with free” is the next paradigm to fall. Surely you can compete with free if paid-for is better (no adverts) and is sufficiently low-cost (I don’t know – $1 per year say). Actually, to me FB still looks pretty tacky – always has done – it kind of reeks of the fact that the users aren’t the paying customers, so its UI and UX have that barely ‘good enough’ feel – but what can you expect really – it’s not like the users are paying for it. Android is a bit like that too in my opinion – but I’ll admit I’m picky. If you never have, I suggest reading this (short) entry from the WhatsApp blog (that’s the actually very successful no-advertising pay-$1-per-year-for-service rapidly-growing company FB bought/strangled-at-birth recently for ~ $20 beeeeeeeelion) – it was posted before they were, um... embraced... by FB:

SasparillaDecember 15, 2014 7:55 AM

Thank you to all the folks who have high-lighted & parsed the new Intelligence Authorization Act 2015 which authorizes NSA/FBI etc. collection of all U.S. citizen (otherwise known as suspects) electronic communications - and basically keep them forever (can't wait till the next Nixon, Hoover or McCarthy comes into power who knows how to make hay out of those levers that have been laid at his/her feet).

Frightening (really), that this is going unreported, even on most tech sites that have been following Snowden and all the secret evil of warrantless communication collection etc.. There's just nothing about it in most places (Slashdot was the only place where I saw it). For those that don't know, the Senate passed it before the House - so this "law" is waiting to be signed by the President (if he hasn't already done so).

Here's the vote in the House H.R. 4681, so you can see if your Representative voted for warrant-less mass citizen communications collections & let them know what you think (the vote is ugly, but at least some folks didn't vote for it):

Clive RobinsonDecember 15, 2014 8:24 AM

@ Mike (just plain Mike),

The problem with payment is four fold, the first is it's very expensive to setup (compared to the cost of the service). Many users either don't want to pay or can not pay with a CC or other traceable/risky way. Tax authorities wherever you supply service are going to want paying. And you also need to set up a legal network to deal with incorrect charging, and default etc.

Thus you might have to consider non traditional methods of payment as well further complicating the payment process.

I looked into "user payment" systems some years ago and there are three basic models,

1, subscription (monthly / annual).
2, pre-pay usage (by service usage blocks).
3, as you go usage (by micro charging).

Into whichever model you then have to add discounts, offers and other inducements.

The only people who appear to have payment systems that can handle the requirements are those of the international telephone companies.

Payment systems are "zero income", "maximum liability" systems you have to get right from day one or die under litigation, from users or tax authorities.

But even "free to use" services are getting the attention of tax authorities due to the way they structure to avoid tax there are new "Google Taxes" being put onto statutes which even international payment services will fall foul of.

BoppingAroundDecember 15, 2014 9:50 AM

Bob S.,

> How naive for me to think the Snowden Revelations might lead to some positive changes. It went the other way...they made it all open and official.

Just like the Swedish FRA.

Nick P,

> 1. Majority still doesn't care much about Facebook, NSA, or surveillance in general.

I think so. I'd love to be proven wrong, to be honest.

> 4. A Facebook replacement, due to advertising, might need to be as invasive or more invasive to succeed.

Maybe not only due to advertising. Personalisation. Quite hot topic; I have seen half of a dozen of articles regarding it and its potential implications.

As to the rest of your post — I'll think about it for a while. Thanks.

Nick PDecember 15, 2014 12:36 PM

@ Mike

That would be great if it could be done. I loved the WhatsApp post. That attitude is why I was recommending them for mobile before they got famous. Along with sticking it to phone companies' texting services. The thing is that a messaging service is nothing compared to Facebook in terms of operational expense. In theory, you can configure an IM service to do things end-to-end with third party just doing setup or NAT traversal part.

Facebook stores text, images, email, and video for millions of people. It also hosts apps. On top of that, it lets you send messages and do calls. The amount of data that runs through and stays on the service is enormous at any number of users compared to apps that do one thing. There's also the cost of the bandwidth which can easily hit $30,000+ a month for a leased line. Then the data center itself.

So, cost for a massively scalable and versatile online service has to be huge. I doubt users will pay for it. Many people have tried to get users to pay for services like that in the past. Typical rates for a bunch of integrated software were around $20-50 a month. Most of those companies collapsed they had so few users. Some switched to ad model and are still around. So, my post assumes users will still be greedy assholes that don't want to pay for good service, but will gripe about the advertising that does.

Mike (just plain Mike)December 15, 2014 12:42 PM

@Clive: Thanks for your thoughtful reply. Are you saying that – though not *impossible* - direct payment for internet services is most likely never going to happen then?

There’s Spotify – they have a free tier and they have a paid for subscription – they say they are growing subscriptions rapidly – I’d say the subscription cost is actually far too much at the moment for most people to adopt – but like I say, despite that, they are growing paying subscribers - but I think the subscription cost will fall over time anyway (and I think that must be the plan anyhow) so long as the streaming music model takes off. Spotify has music industry backing though – so a lot of initial investment. Incidentally, do we really think Google are going (dragging their feet all the way) into a paid subscription music model out of the goodness of their own hearts? I think Google are reluctantly moving towards getting people to pay for content because if things like Spotify succeed then all the rights-holders will drop Google/YouTube like cold sick.

There was also, as I was saying, WhatsApp. I never used it myself – but apparently they were (and still are I think) taking $1 or something per year from people – I think after an initial free period. They were going for quite a while and growing very fast before they got embraced and I suspect the reason they were embraced to the tune of $20 billion (I mean... $20 *billion* man... that is a *lot* of money for a poxy little messaging-app company) was probably because they were starting to look like their no-advertising model could actually work and thus perhaps be a huge threat to FB and other ad-centric services. I think it’s the precedent more than anything - if we all see that it's possible then the "you can't compete with free" paradigm is demonstrably busted.

I also think humanity is kind of doomed to a rather dreary/garish ad-splattered personal-information-looting future if it really is never going to be possible to develop internet services that can be funded directly by the people who actually use them. I can't help thinking Nature will find a way (and for sure – if it does – government will find a way to tax it!)

Mike (just plain Mike)December 15, 2014 12:56 PM

@Nick P Thanks - I take your point - but - back-of-envelope stuff here. How many users does FB claim to have – let’s say 1.3 billion active monthly users. So if they charge $1 per month then that’s order of a billion per month for an ideologically motivated social networking service to spend on running costs. How much would it actually cost to *run* FB? Twelve billion per year? Does anyone have a rough order-of-magnitude estimate for that (you wouldn’t have to do all the advertising and associated user data mining obviously). Companies like FB and Google publish some numbers from time to time after all. The cost of running these services is likely falling every year isn’t it? Perhaps at some point a kind of event horizon is crossed where the cost-per-user of actually running the things without adverts meets the cost users would actually be prepared to pay to not have adverts. Does anyone really know where we are with respect to that horizon – like – maybe we actually crossed it some time ago?

name.withheld.for.obvious.reasonsDecember 15, 2014 1:32 PM

Where the hell is the press on HR 4681. The shockingly blatant unconstitutional law is being met with silence? The Library of Congress ( X509.3 error, CU is incorrect: and is now directed to is reporting the status of the bill as in conference or resolving.

No indication that the President has signed the bill. I don't know if it is part of the cromnibus as that process is foreign to me.

Gerard van VoorenDecember 15, 2014 2:11 PM

@ Clive Robinson

When you said that the US has become a banana republic I thought some people would disagree. But nothing.

@ All

Btw, if you want to see the former US executive branch -- continuously -- lying through their teeth about the Iraq war, go watch "Fair Game" (2010). It keeps amazing me that these guys did get away with it.

Banana Republic indeed.

Clive RobinsonDecember 15, 2014 2:29 PM

@ Mike (just plain Mike),

> Thanks for your thoughtful reply. Are you saying that – though not *impossible* - direct payment for internet services is most likely never going to happen then?

If it is left to the market, a race to the bottom will occur, and contrary to what many think "free services" are currently very far from the bottom. Thus you would start seeing "tiered service" by the telcos as they seek to reassert their previous dominant position of providing lousy service at vastly over cranked prices. One such "bad" would be "packet charging" not just by number but by priority of paid for QOS. The much vaunted "neutrality" would be gone like the "wings of a moth in a candle flame".

However Governments are not making much on corporate tax, and less and less as time goes by. And worse than that as worse than slave wages establish for the majority, personal tax will likewise become rapidly smaller. The current tax top up of "fines for everything" is only going to provide at best a very small stop gap as people age and their cost to society rises. Back a few years ago the EU parliament had a report for taxation to be applied to data transfers. The viewpoint was that wealth would move from physical object manufacture to information transportation. You can see this same viewpoint when people start talking about the politics of 3D Printers. The logical position for Governments is thus to move taxation levy to where they can control it for increasing tax take, thus data taxation is inevitable at some point. To do this both ends of a communication would have to pay tax, obviously this will fall to the end consumers of data not the data suppliers, thus services would have to be paid for.

So yes I suspect "paid for" will ultimately be the model pushed by legislation much to the joy of the corporates who will lobby for a very beneficial asymmetry whilst using it as a new faux market to further raise profit. Oh and in the process the race to the bottom will increase in pace...

DanielDecember 15, 2014 2:37 PM

"I don't know if it is part of the cromnibus"


It was. The President has signed it into law.

Nick PDecember 15, 2014 2:58 PM

@ all

re WhatsApp

Thanks to acquisition, we finally have their balance sheet. I'm ignoring almost anything stock related as the acquisition complicates that. I'm focusing on revenue coming in, operating expenses, and net income to see what its health was. Look at page 4 "Statements of Operations." It seems they took a $54 million net loss on $3.8 mil of revenue in 2012 and a $138 mil loss from $10 mil in revenue in 2013. Unless I'm misreading this, it seems that their operational cost was tremendous and could slow their market rise by forcing their rates up, maybe even tank them without financing. They really needed this acquisition.

@ Mike

They spend a lot of money. Annual report (p45) puts cost of operations at $4.5 billion total. Total revenue is $5 billion. Factor in that they have brilliant engineers that kept the cost down and performance up across the board. Average datacenter would've cost *way* more to do the same thing.

Good news is that Facebook open sourced much of their critical software and even hardware designs. Another company open sourced high capacity storage systems which could be used. Then there's always cutting a deal with a mainframe or transaction appliance vendor to tie the leasing fees to company profits. I don't know anyone that tried that but I've always thought *someone* would cut that deal for the extra profit. So, the hardware can probably be done at similar or not much higher prices than Facebook's own. Software development & marketing would be where real costs are as Facebook put enormous amounts of labor into this platform.

So, what about just charging everyone a dollar? *If* all their active users did it, then the revenue would be over $12 billion. I doubt all of them would pay. Simple math says they need at least 375 million users at $1 a month to stay in business. Of course, Facebook's costs grow every year so they might need more like 500-700 million just in case. Early on nobody would've gone for this so they went with the ad model. Any competitor would be charging users money to do a lot less than what Facebook offers for free. However, a company with Facebook's size, features, userbase and so on might be able to switch from advertising to paid. This leads to the concept of using advertising to build the service up, then survey users about a transition at a certain price point, and then maybe do the transition.

So, there's possibilities for alternative companies springing up. An example would've been a company like Friendster or MySpace doing it when Facebook was vilified in the news for pulling crap on users. Other sites could've differentiated with the paid model to say they have no ads and work for users. Likewise, companies might not try to compete with Facebook at all and instead target a smaller niche of people who pay for privacy. That's my usual recommendation.

Really, though, most people discussing ad-free overlook the biggest problem: the app ecosystem. Facebook is successful because of their platform and all the people making apps for it. App developers get all that inside access to people's accounts along with chance to upsell customers (freemium model). Facebook switching to paid and private would cause the app developers to leave. Any Facebook competitor focused on privacy needs to come up with a way to get people to make lots of apps without access to customers' profiles or ad revenue. Maybe they'll just charge for apps like mobile or maybe it's a new area for FOSS. This problem has to be solved and have a believable implementation before anyone even starts buying the datacenters.

Good news is companies are trying. Some are proprietary, some are FOSS, and some people (including me) are just bundling separate services. Maybe one will make it. I do my part by constantly posting ideas for everything from their legal situation to keeping bandwidth low to easily securing web applications to securing endpoints/comms. If they paid me well, I'd also do security engineering for one of these startups and help them implement these ideas. Meanwhile, I just post and observe. So far, observations show nothing ad-free, privacy-centered comparable to Facebook's features and adoption rate. Most people I just visit, call, text, or email though. ;)

Note: Found this funny video when updating myself on Friendster.

name.withheld.for.obvious.reasonsDecember 15, 2014 3:00 PM

Holy crap, 2:58 EST the congressional record on renders the text of the bill HR 4681 sans Section 309.

There is an active disinformation campaign and the government is engaged in state sponsored propaganda.

Nick P • December 15, 2014 3:12 PM

@ Daniel, name.withheld

Section 309 in summary says: "(Sec. 309) Directs the heads of the DNI, CIA, DIA, NSA, NRO, and NGA to ensure that there is a full financial audit of their respective entities each year and that each audit contains an unqualified opinion of the entity's financial statements. Requires the chief financial officer of each entity to provide an annual audit report to Congress."

Yet, in the text, it's mostly about incidental communication collection and retention. The summary and text don't match on a key point. If author assumed Congresspeople would just read summary, then that would've let them slip something through. This could be deliberate deception of Congress by the bill's author or a mistake. In any case, any reader that can contact a rep reliably should let them know immediately that they've been misled and might want to cancel that in another bill. Or encourage a veto until it's changed.

name.withheld.for.obvious.reasons • December 15, 2014 3:15 PM

UPDATE: 1414 EST, new text of bill and file name.

Bill Text
old file name: BILLS-113hr4681eas.pdf
new file name: BILLS-113hr4681enr.pdf

Casual Friday • December 15, 2014 3:16 PM

@Not so casual

My views are not shaped by the CIA. I am not by any means afraid to call it torture. Any time someone is trying to get information out of an individual by causing intense or prolonged physical or psychological discomfort in the hope that the individual will talk so as to end their suffering, I really don't see that as anything other than torture. Rather than getting into a global discussion of past events, I'd just rather they went immediately to a true permanent ban on any such action in the future. I'd also like to see the creation of a severe criminal consequence for political leaders who present congress or the American people with false evidence used as a justification for war. If they can't convince the people based on actual facts, then they shouldn't be able to take large scale military action. Congress, it seems to me has spent more time considering misreporting of Obamacare numbers than they did on any public analysis of the misleading data presented to lead us into conflict in Iraq. I understand how it would be too embarrassing for us to go apologizing for a misguided war, but after Vietnam and Iraq it would be really nice to have some safeguard against future deceit.

Mike (just plain Mike) • December 15, 2014 4:12 PM

@Nick P: OK – so I think we’re saying that maybe the event-horizon is passable and maybe even has been passed – at least at scale – even though it appears WhatsApp weren’t actually on the verge of demonstrating that (though I guess it would be interesting to see how their costs would have scaled per-user for a prolonged burst of exponential growth and if – had they got big enough – would they have been a going concern or not – but I guess we’ll never know now – $20 billion does seem like quite a lot to pay for a company that’s about to croak under its own weight – maybe there was some sort of frantic bidding war of which we are un-aware?) Anyhow – as you imply – hysteresis – even if users would pay $1 per month (and frankly I agree with you that is probably still too high for mass-market FB like service) it’s one thing to switch to that once you have a massive user base and quite another to try to grow a massive user base starting from nothing. I also take your point about the app-eco-system... however – and I think you’re probably hinting at this also – I observe lots of monkeys, young and old, and for sure they do use apps on their phones and other platforms but... there’s an awful lot of mostly just some sort of variant of text or voice messaging – with a bit of persistence – and they post/persist photos and videos – construct elaborate online-shrines to themselves (made of photos, text and video)... and they listen to music, watch video/films and read web-pages and books – there’s casual gaming for sure – but surely you can make money from freemium casual gaming without knowing the inside leg measurements of all of your user’s friends and family – or maybe I’m being naive – but yes – maybe you can make *more* money if you know those inside leg measurements – but anyhow your point stands – starting an app eco-system from scratch is hard to do – just ask Microsoft with regard to WinPho.
As you suggest also, I think if Nature does find a way it will be via more niche/focused pay-for no-ads and/or better privacy version of existing narrower services, or possibly some new niche thing we’ve not thought of yet – and perhaps if a few of them go stellar-exponential then the scope for inter-operability between such services and perhaps even – gasp – a bit of a real market could perhaps arise (though I don’t think Clive is optimistic about that!) Perhaps inter-operability could also end up making sense with regard to (micro) payment systems and/or pre-pay credit within/between these services – if only because *if* there were a market I think people would want that (something tangentially related to this has happened with mobile-phone providers in some parts of the world) – but I guess this is getting very speculative. I have always seen the requirement for a direct relationship between users (paying) and the services they get in return as a necessary (but surely not sufficient) condition to deliver incentives/funding/rationale for development of the kinds of technologies and ‘doing things properly’ that you and many others here expertly and patiently advocate – and I think the (negative) relationship between the current free/advertising-funded way of doing things and the issues of privacy and security (often considered here) is under-discussed – at least in the broader culture. Thanks for such a full reply Nick.

Jacob • December 15, 2014 5:19 PM

Another biggie today: Microsoft and some supporting industry heavyweights have filed legal briefs against the US GOV demand to hand over emails stored at Dublin, Ireland.

MS has already lost on 2 appeals, but is going full steam ahead with a third, including an all-out media blast. See a good video PR:

Deafening silence from Google, who has distanced itself from the pack.

A wide variety of major corporations did join in for the appeal:

"Apple, Amazon, Verizon, Cisco, Salesforce, HP, eBay, Infor, AT&T, and Rackspace filed their own briefs in support of Microsoft's stances. They were joined by organizations such as the U.S. Chamber of Commerce, the National Association of Manufacturers, the Center for Democracy & Technology, the American Civil Liberties Union, and the Electronic Frontier Foundation. A number of major media companies have also supported Microsoft with their own briefs, including CNN, ABC, Fox News, Forbes, the Washington Post, the New York Daily News and others."

Who has said that corporations control the administration? Evil is as Evil does.

Mike (just plain Mike) • December 15, 2014 5:33 PM

@Clive – whoa – I’m having trouble unpicking this as I think you’ve thought about it a lot more than I have. Indulge me while I attempt to explain back to you what I think you've just told me (sorry - dyslexic thing - winds people up sometimes - guessing you probably understand though):

1. Leave it to the market and telecos will start charging per packet and/or will also charge more for better QoS packets.

So – we – the great unwashed – we think the telecos just need to accept that they are providers of dumb pipes to connect us to the non-teleco provided services we wish to interact with – there is no shame in this (though perhaps not as much money as there could be) – it is a worthy and technically challenging endeavor (providing a reliable good-coverage pipe) – but – I think what you’re saying is they just can’t accept this – they own those damn-pipes – and given half a chance they’re going to squeeze them and filter them and get up to all sorts of no good in order to hold sway over how we the great unwashed at the ends of the pipes interact with the services at the other end. Yes – I agree – left to the market I think that would most likely happen.

However, it’s a funny thing, though not entirely related, but just last week I spent quite a bit of time trying to find a mobile provider in the UK that will actually genuinely charge on a pay-as-you-go basis for the data I use. Most of them have labyrinthine deliberately-confusing marketing-word plastered schemes and tie-ins with this and that, but they basically amount to disguising a subscription-like services as a pay-as-you-go service. It's pathetic basically. It got me reflecting – presumably most people actually do rather like the idea of pay-as-you-go (only paying for what you use), but the providers like the idea of subscription-like systems. What really gets me is the way they try to pretend that what they’re offering me is what I want – rather than what they want me to have – and that I should most likely be thrilled by this – every single vibrant well-turned-out smiling person in a teleco poster/advert/web-banner is always looking absolutely and deeply thrilled. Or – maybe it’s just me – maybe it’s just me that quite likes the idea of paying only for the data I use? Anyhow – I think I found what I wanted eventually – and I was very relieved – and I gave the person in the shop the ‘all I want is a dumb data pipe where I can pay for the data I use’ spiel and she agreed with me – so at least in this case it seems like the existence of a market maybe did work a little bit – but I’m certainly no free-market evangelist. Pick and mix - what ever works - Icelandic fisheries etc.

2. Governments – always eager to find things to tax particularly when systemic reasons for falling revenues.

Yes. As it has and always shall be. So – I think what you’re saying is they’ll want to make an all new-fangled kind of ‘info’ tax or something to go with this new-fangled thing that they’ve finally noticed where people are spending more and more time gawping into and pawing at machines with screens and all the associated paraphernalia that facilitates that. That would not surprise me. There’s users (the great unwashed at one end of the pipes) there’s the pipe providers – who get paid by the users already – and there’s the service providers at the other end of the pipes who generally don’t get paid directly by the users – but do get paid by advertisers. You’re saying – I think – that given that governments are already ‘conventionally’ taxing the pipe providers and the service providers as much as they possibly can then there isn’t an obvious source of new money in the system – so it is in both the governments' and the service providers interests to somehow contrive to get the users to also pay the service providers – because – hey-presto - *new* money then enters the system – so potentially a new source of tax revenue. Genius. OK – well – I must admit I never thought of that before. I’ll have to cogitate. Thank you – very thought provoking Clive (sorry - re-reading that last bit before posting it might sound like I'm being facetious - but I'm not - I think your point of view here is genuinely interesting and not something I'd considered previously).

Nick P • December 15, 2014 5:44 PM

@ pdkl95

That was a great video. Thanks! Yeah, that pretty much sums up the business model. And the masses go "Hell yeah! Let's give them more control over our livelihoods and a bunch of blackmail material. The cops, crooks, and advertisers should love that!"

@ Mike

re WhatsApp

They're a strategic investment by Facebook. The best hypothesis I've seen is that they're afraid of losing revenues to new trends and so are snapping up market leaders in those trends. Their large market cap lets them do acquisitions with stock rather than money. So, they're acquiring these properties, letting them develop on their own, letting them integrate with Facebook, letting them develop their own monetization strategy, and then focusing on turning them into a cash cow when they each hit 1 billion users (per Facebook). It's a clever strategy but $22 billion seems steep. Time will tell.

re apps

Yeah most are the same thing. The easiest method is making it easy for app developers to integrate with your site and then convincing them to do this. A growing user base + an API + a payment handling might be a simple route. Then, the developers already have some incentive to do it themselves. My concept was to straight up pay for the integration for a small number of high quality apps. Make some money, pay some app vendors. Might even reduce development costs if the apps/services provide the features you needed and integrate well into the user interface.

You hit the nail on the head with Microsoft Windows Phone. I was thinking of that and Blackberry Playbook as I was writing. Despite tons of work by both, with Blackberry's QNX-based rewrite being amazing, almost all the apps out there are iOS and Android because of huge userbase plus increased monetization opportunities. The ad-free, privacy-focused alternative platforms will have similar issues. You'd think if it was easy to surmount then someone at Microsoft or RIM might have done it. Maybe.

There's a few crowdfunding sites (esp Kickstarter) doing innovative things. Can't remember the name but one is crowdfunding code. An ad-free social network might also launch a similar campaign where features are put up and people can offer to fund the creation. Give the money and specs over to a firm with good developers to turn into code that goes into the platform. This keeps the main development team lean and focused on important stuff early on. Features still get added if people want them enough. The funders' names can be put on a special page honoring everyone that contributed to the service and how much.

I'm not even getting into discussions on payment systems because that's a tricky topic. Especially considering payment processors and banks paying off politicians to prevent competition. I liked the arrival of Square and its no BS approach to things. Bitcoin is more a gambling tool than a currency choice. One idea I came up with is to try to convince a bank to offer financial processing with a fixed transaction cost instead of a percentage, small to no monthly fee, equipment provided, and so on if the company's account is with the bank. If they mainly make money from investments and especially if they're a coop, then this might be a chance to provide a differentiator plus a public service. On top of it, the system might use better security methods than antiquated processing networks.

Mike (just plain Mike) • December 15, 2014 7:01 PM

@Nick P: Yes (as you can probably tell I have a bit of spare time on my hands - I'll try to stop hassling you) - you say ‘don’t get me into a discussion on payment systems’ – though you do then discuss them a bit - hooray! It’s a minefield for sure - but I think payment systems are really at the root of all of this. So much more would be possible if there were a satisfactory very low friction way for people to make small payments – and I’m sure that’s not an overly easy problem to solve – but as you say – it seems like there are many vested interests lobbying to stop that from happening – unfortunately, as well as much of the existing financial services industry I think also the advertising-funded behemoth internet service providers aren’t keen on it happening either – which is a shame in some respects because they presumably have the kind of infrastructure (though possibly not ethos) that could make it happen – I’ve thought for a while that Google might suddenly pivot on this at some point... but I’m not holding my breath – and I’m also not entirely comfortable with the idea of something like Google running the new-information-economy international payments system. I think the key innovation here (with regard to any new-world of internet services) is likely to be payments related though – the key innovations are often where no one is looking – everyone says I’m crazy when I say I think the future/our-salvation is through actually paying (not very much) for stuff – though... obviously... the most likely reason for that is that I *am* crazy – but glossing over that – I suspect it will come in from left-field. I spent some time looking into bitcoin – yes – there’s the whole speculative side – and the anonymity/criminality buy-line etc. etc... 
but that aside it’s interesting to see how something even as flawed as bitcoin, that has none the less solved (at least temporarily) some of the basic requirements seems to be surviving the repeated pronouncements of its imminent demise – makes me think there is a need that’s being addressed at least partially (not just for people (not-actually) anonymously buying drugs!) – Nature feeling its way towards something that needs to happen eventually. I mean, really, bitcoin is kind of preposterous if you step back from it – but it’s still trundling along... that block-chain getting longer and longer – one massive audit trail! I digress. So – yes – payments. Shame you didn’t get into a discussion about them – but I can understand why!

Figureitout • December 16, 2014 1:24 AM

To the People Crying about Full Access to Comms (309 etc.)
--F*cking DUH! Act like this is news...They get caught up in the dragnet too! Act like you've read all the laws and predicted how they'll be interpreted, it's not possible. The political/legal hope some people still hold, get a f*cking grip on reality, there's little hope there. The good lawyers that do fight, they will be targeted and ostracized, it's how the system works. If you're going to curl up in a ball and cry about the legal system not protecting you, just cut your losses and focus on other areas of your life. The entire system needs to be re-organized, which will start when it inevitably collapses due to incompetent/non-existent leadership and people not believing in it. Prepare for collapse w/ food/water/energy/bullets/gun reserves and survival skills.

Stop relying on the press to report this, YOU'RE THE PRESS. Stop relying on incompetent losers to step up, they won't. It's you, and like-minded people. How can YOU organize a group and accomplish tasks in this hell environment? The press will be completely irrelevant in due time as computers and anyone w/ immediate on the scene reporting can do their job.

One low-mental thing you as an individual can do, if you want to make dragnet surveillance even more of a boring activity, is to poison the well by setting up email accounts and mail pointless garbage to them monthly. Also set up a blog using the TOR network, making it useless garbage or maybe somewhat useful (bearing in mind it can be manipulated to potentially give out false, harmful info). "Buh buh buh the TOR network, I'll be identified as a porno-turrist"--You can already have TOR traffic and worse routed thru your network by attackers, and can be framed easy.

You should already be operating w/ this reality in mind, else you're going to find out the hard way when you get attacked; badly. The mindset is the biggest step, afterwards you can start hardening your systems to the best we have to offer and then begin expanding on that even more. I've managed to convince where I'm working at now (as a lowly peasant newbie dev) to make multiple back ups even though it's not my immediate responsibility. And I just found out we've been physically hit multiple times...As in some motherf*ckers have broken windows and stolen computers and other IP multiple times...

You don't know 100% sure the path of the comms coming in and going out.

Immediate Steps to take when you've been compromised
--Immediately shutdown all your internet connected PC's, unplug the router if you own it, make back ups to store for use for dedicated PC's that can accept an infection. Leave it unplugged until you reflash the firmware in the router or purchase a new router; however the attackers may have gotten enough identifying info on you and your connection to just relaunch attacks when back online. If you need an internet connection for further research and emergency procedures, make sure it's using your mobile data or a public wifi network where you made notes of what to research and acquire software you need. You should if you haven't already make boot discs NOW to wipe harddrives and reinstall OS's. Malware that delves deeper than the HDD, that PC is probably f*cked and needs to be relegated to isolated activities; same goes w/ other memory devices, biggest being USB sticks. This is basic backup procedure and OPSEC. The media you made the boot discs w/ could be just as compromised.

Begin looking into one-way networking and file transfer, there's material out there and when I implement a system I'll post exactly how to set it up. Will take some money and lots of patience. Make an encrypted USB stick for passwords that are way too long to remember to take to unknown/unsafe machines and have at least one plaintext backup in case of emergency that you hide like none other. If you can't do this, then ASK someone who can, they probably want to help you (but bear in mind they can potentially backdoor another potentially already backdoored program); doing it yourself cuts down the backdoor->backdoor->backdoor pointers.

Every account you currently have, begin making plans on how it's going to change. This will probably start w/ warning all contacts you will be changing addresses using the infected account. Someone gets your email account they can send and delete emails on a whim; making false threats and deleting important emails and corrupting comms. Copy files and data you want to back up from the accounts (to the disk which you access w/ the PC which you can accept an infection from an infected file), change passwords, get new credit/debit cards (start using prepaid cards and setting up accounts w/ limited funds solely for paying bills).

From here on out, you can either try to continue a normal life, bearing in mind this bull you just did for another attack. Or push your defenses further. Choice is yours.

OT: Final Projects from MIT 6.858: Computer Systems Security class
--Few approachable college-level security projects, main one for me is the encrypted file systems, as that blows my mind a bit.

OT: Snort 3.0 released
--They want people hacking it, so...

--*Finally* got around to playing w/ my Beaglebone Black, very nifty, initially didn't look like my USB wifi dongles were supported, but I think they are. What I want to do is have wifi come in, then ethernet going on backside to another PC, and have a firewall on the Beaglebone. This would for me save another PC that I'm trying to do this but also be a small handy thing for connecting to all the untrustworthy networks on the go where you're trying to do some personally identifiable work. The board has *A TON* of I/O to potentially route the traffic via a better filter. Will update if I get anything actually useful working.

Thoth • December 16, 2014 1:48 AM

Cool to be playing with Beaglebone. How about loading it with seL4 to bring it into a CC EAL 7+ kernel for mid-assurance considering the board was never built for high assurance.

Figureitout • December 16, 2014 2:37 AM

--Yeah that'd be nice, means I have to dig into ANOTHER chip...a very complicated one at that. Probably best for me to make my own custom distro w/ Buildroot or Yocto and flash that first. I don't want to brick the board. Beaglebone still has a lot of uncharted territory compared to RasPi. But people have made SDR's w/ it and even a logic analyzer...sweet. I also like the 4 LED's on the 4 incoming microUSB lines, you can see which lines are toggling, but they need to be opto-isolated for EMSEC for me lol.

Confused, as my board revision (A5C) should only have 2GB onboard MMC memory; the "2GB" file to flash it is 3.7GB...It comes preflashed, but wanted to flash it again, and it failed 1st time; maybe due to my "live" environment and saving the file to RAM messed up the file. When I went to SSH into board after first flash it was flashing up scary error like "WARNING, SOMEONE IS MITM-ING YOU RIGHT NOW!", then after flashing again (takes like 20 min) it was back to normal. Typical unreliable embedded dev...Recommend not using the "GateOne" browser way to the board, very slow and annoying, just straight SSH into board and it's nice and quick.

But yeah default image comes w/ a bunch of crap I don't want like random .jpgs, and lacking some added wifi drivers. Tempted to put Debian on it but I've got a lot of Debian already lol. Someone's also put OpenBSD on it too:

Bottom line is it's a fairly hardcore Linux embedded environment, which is ok w/ me, just takes time to do stuff (pushing my skillset) and I'm wayyy too busy as it is. Probably do some other things first. The documentation site[s] needs some help too (which I could help I suppose), the links are messed up and that leads me to worry about the images they leave on their site, like I just flashed a malware in it.

Clive Robinson • December 16, 2014 3:22 AM

@ Figureitout,

It's funny that you should mention MIT... my son has taken an interest in the Apollo Guidance System (AGC) which was built with a couple of thousand identical ICs that were dual triple input NOR gates and --used in the Block II-- 36K words of "rope memory" ROM and 4K words of "core memory" RWM.

Aside from the hardware what has raised his curiosity is the fact that it was highly resilient to problems that would kill many modern computers and their OSs stone dead. Which is not a good thing when you are sitting atop a pillar of flame. The AGC was really the first computer of its time to work in this high assurance way, and it proved its worth on the Apollo XI and XIV missions. In the case of 11 it allowed the lander to get down safely even though it was overwhelmed by false data from one of the radar units.

The hardware and software was developed at MIT. Importantly the software was developed under the lead of Margaret H. Hamilton who amongst other things has been attributed to the coining of the expression "software engineering".

Unlike most who have subsequently used the term "software engineer" whilst actually being "code cutter" artisans at best, Ms Hamilton really did use mathematics and sound engineering practice.

She developed a process "Development before the fact" (DBTF) that gave rise to a system "Universal System Language" (USL) that has shown good results, and unlike many other systems it actually is useable in ways that work rather well and removes many cross platform barriers. A number of years ago I worked with a person who used the process for designing medical electronics, and the very low defect / rework rate was surprising. Then the world went "re-use" crazy driven by management we were first driven "OO Mad" and then regressed from engineering to artisanal behaviour that gave us RAD, templates and agile, all of which still do not appear as good and take a lot lot longer to sort out during test and real world exposure.

Anyway it's an interesting if mainly forgotten way of getting things right, and should really have a solid place in the high assurance toolbox. You can read more at,

I don't know if @Nick P has looked at it or not, I suspect not either way I'm sure he will have comments to make ;-)

Martell • December 16, 2014 3:38 AM

@ Mike,

I think we're on the right track here. Follow the trail of money, everything becomes clear.

The issue involving subscription vs. pay-as-you-go is as much technical as it is marketing. As a consumer, I don't have a problem with a third party getting involved, like Google, Paypal, or Apple, but will service providers or merchants accept such payments? There's another issue of billing and collection. As far as we see, subscription based models won't turn a profit, but may build enough user base to warrant a buy-out, unless it presents significant perceived discount, e.g. Netflix.

Mike (just plain Mike) • December 16, 2014 10:26 AM

@Martell: Interesting – I’m very intrigued when you say “As far as we see, subscription based models won't turn a profit, but may build enough user base to warrant a buy-out...” Makes me ponder who we might be – or maybe just a figure of speech. Anyhow – I think I understand what you mean about the technical aspects of subscriptions vs. pay-as-you-go for sure - I guess I was indulging in a bit of grand-standing on account of having been made so angry by the marketing side of it. On new payment systems generally – I think service providers and merchants will accept payments if (1) they have reasonable confidence they will be readily ‘clearable’ one way or another into something they can spend freely and (2) the rake-off of the payment processing system involved is less than that taken by the current incumbent payment processing networks. I think as long as those two are met then merchants would accept payment in Pobble-Beads, angel-hair or intra-galactic-Zillons, mediated by Google, Disney or even Sir Digby Chicken Caesar. A lot of merchants/businesses aren’t as risk averse as most people think – less risk averse than most consumers I'd say really (but then my dad was a haggling Yorkshire-man - he'd even do it in 'big' stores - and once he got talking to someone with the authority to change the price it often worked) - after all – most business involves a degree of punting by having to buy-stock/invest up front without being sure people will buy at any given price – or even buy at all – so I think many would at least be prepared to give a new payment system a try just on the off chance that it might be worth it for lower transaction fees and/or more sales. 
I think the very fact that bitcoin – despite its undoubted hat-stand-ness – has had the degree of general uptake it has is basically down to that – much of the media coverage of bitcoin is from the consumer angle, but generally consumers are shielded from the unsavory costs/underbelly of the existing payment system, but it’s the potentially lower transaction fees for the merchants that – it seems to me is one of the most interesting parts of the whole bitcoin story – I’m no bitcoin shill though – I just think it’s a bit unfairly maligned sometimes – not that it doesn’t deserve a degree of maligning – it’s just that in my view it’s often maligned in the mainstream for the wrong reasons. Anyhow – my main worry with Google is just that they already have a terrifyingly large amount of soft power with regard to the information they have on all of us – so if they end up also managing/processing a large percentage of our financial transactions as well then that would send the terrifyingly-large-amount-of-soft-power meter right into the red and beyond for me (infrared maybe, microwaves even) – but I do so very much want there to be a proper low-friction universal micro-payments system (for the good of humanity basically – no kidding) that if Google said they were going to do it I think I’d probably just say OK – and hope for the best – not that Google has any interest in my opinion – or possibly in the good of humanity – who knows – time will tell I guess.

Nick P • December 16, 2014 2:18 PM

@ Clive Robinson

Thanks for the link and how the hell did I not find this during a decade plus of software engineering research!? Their main 2008 paper on it describes incredible benefits that pretty much solve almost every problem software engineering research is *still* trying to solve. If true, that's amazing. Then they get into the details and I'm left really damned confused. To be honest, I don't think my current math and abstract thinking skills let me wrap my mind around what's in the paper. I'd need to see someone use the methodology building an actual program and watch it step by step before I can comment on it.

What I can say is it definitely is a route to high assurance given it's (a) mathematically based, (b) endlessly flexible, (c) builds in protections/policies, (d) can support automatic code/test generation, and (e) has produced near zero defect software in the field for years. The last point comes from the testimonials which involve many important application domains, a number of companies worth listening to, consistent agreement that the tool does what it describes, and repeated uses of the word revolutionary. How the hell I've never heard of this I don't know.

Yet, claims like in the paper and testimonials backing them up demand that I allocate some time trying to understand this thing over the next few months. I plan to hand it to some local software developers with math background and pure mathematicians with software experience. I'll also give them a list of important attributes and heuristics in robust system development. Hopefully, they'll understand it well enough to evaluate it against my criteria and dumb it down enough for me to understand. ;)

There is a distinct possibility here that Margaret Hamilton has laid the foundation for solving high assurance systems, software, hardware, and security engineering all with one highly integrated tool. Maybe. Here's hoping.

SkepticalDecember 16, 2014 3:33 PM

@Daniel: LOL. Oh wait, you are serious. Let me laugh even harder. It doesn't even matter whether it's the FISC or SCOTUS. Look, I'm probably one of the few people who has actually bothered to read Yoo's and Lederman's legal briefs. The Executive will justify anything it wants to justify in long drawn out legal briefs and memos. SCOTUS will do nothing in the name of "national security". We heard just this weekend Scalia proclaiming that "torture is not unconstitutional". People thought he was only referring to Gitmo but really he means "tortured readings of statutes by the executive to justify white being black and purple being orange."

It's great that you stay so informed, but here it appears that exposure to legal controversy has led you astray as to how law more often works.

Most law, applied to most circumstances, leads to a clear result. In part this is because, despite divergence on important issues, there are commonly held norms within the legal community as to how to read and apply statutes.

One of those norms is to avoid interpretations of a law, where possible, that would render the law clearly unconstitutional, incoherent, or absurd.

The interpretation of this law being given by yourself, and others here, would have Section 309 as quite literally authorizing every possible form of intelligence collection, including those which are in gross and undeniable violation of the Constitution and other statutes.

If we were compelled by the wording of the statute to accept such an interpretation, I'd shrug and note that such a law will never survive judicial scrutiny.

But the wording of the law does not require us to make such an absurd interpretation. Instead, based on the stated purpose of Section 309, we can clearly infer that it is referring to lawful (and existing) intelligence collection other than that being conducted on the authority of a warrant or subpoena - one example would be intelligence collection under EO 12333.

This is not really an open question, legally. All 9 justices on the US Supreme Court would quite easily reject the alarmist and absurd interpretation put forth by some in these comments - as would any court in the country. There is much less legal question here than one could find in the matters explored by Yoo or Bybee (and there wasn't as much legal question there as either of those two hoped).

And that, by the way, is why this bill has attracted so little media attention. Journalists who report on legal matters usually talk to lawyers before running a story - and those who did would have been told for the most part, "yeah, actually the bill is imposing new restrictions, not granting new powers."

The entire affair is quite funny, really. With the national security establishment ducking for cover as the Torture Report explodes into the media, one of the leading forces behind that report adds a provision to a law which seeks to regulate an area of intelligence collection that often has received little attention. And the immediate response of a tea party libertarian is to claim that the Senator was attempting to vastly expand federal power. How her eyes must have rolled when she received that phone call.

DannyDecember 16, 2014 6:17 PM

@ Mike, "Anyhow – my main worry with Google is just that they already have a terrifyingly large amount of soft power with regard to the information they have on all of us – so if they end up also managing/processing a large percentage of our financial transactions as well then that would send the terrifyingly-large-amount-of-soft-power meter right into the red and beyond for me (infrared maybe, microwaves even"

A merge of social network and payments is very interesting. It's an even bigger spaghetti mass as it crosses national borders. Honestly, I don't see much push for this domestically, as I'm based in U.S. The reason may be obvious to some, but mostly because what has worked is already working so well.

As this goes to the global stage, companies like Google and Facebook are treading in dangerous waters. As some locality, who are friendly to us, may feel comfy with foreign infusion of social network subculture, but not other aspects of their established quo.

Thus, so far, such systems could only thrive thru unchartered "dark markets," as the value of e.g. bitcoins hinges on their very survival.

BuckDecember 16, 2014 9:22 PM

Thank goodness that the true legal scholars have seeped out of the woodwork to save us all!

Section 309 doesn't quite literally authorize every possible form of intelligence collection (not just including nor limited to those in gross violation of the Constitution).

Instead, based on the vague legalese of Section 309, we can probably presume that it is referring to 'lawful' (and recently existent) warrantless incidental 'intelligence' collection; I.E.: EO 12333.

Thanks to the bought & sold judiciary, this is not really an open question, legally. All 9 justices on the US Supreme Court would quite easily accept the alarmist and absurd parallelly constructed arguments put forth by some corrupt prosecutors - as would any court in the wild-west. There is much less legal question here than one could find in the matters explored by you or me (and there wasn't as much legal question there as any honest criminal defense attorneys had hoped).

And that, by the way, is why this bill has attracted so little media attention. Journalists who report on legal matters usually talk to their company lawyers before running a story - and those who did would have been told for the most part, "yeah, actually the bill is getting around 4th-amendment restrictions, not by negating hundreds of years old, powers; but merely side-stepping them with never before publicly-debated investigatory methods... Although you must remain mindful that you are legally obligated to *not* report as such, since doing so would alienate certain key advertisers' agendas & violate our always necessary principles of fiduciary duty!"

The entire affair is quite funny, really. With the national security establishment ducking for cover as the Torture Report explodes into the media, one of the leading forces behind that report adds a provision to a law which seeks to legitimize an area of 'intelligence sharing' that often has occurred with little attention. And the immediate response of a controlled-dissent party is to claim that The People are attempting to divert democracy. How our eyes must have rolled when we read The Federalist papers for the first time.

AlanSDecember 17, 2014 10:30 AM

The 2014 Cato Institute Surveillance Conference. This took place last Friday. Videos are: here.

I haven't watched much yet but in the video of the first panel Charlie Savage interviews John Napier Tye about Executive Order 12333 and how he became a whistleblower last year. Lots of other interesting people on the panels and there is an appearance by Snowden at the end.

NileDecember 17, 2014 11:51 AM

Looks like I'm late to the game here.

The most damaging information that could possibly be extracted from a corporate entity isn't personal data, or unreleased movies, or embarrassing nondisclosure agreements from the legal department. It isn't even critical IP like source code.

It's financial information that allows the compilation of 'country-by-country' tax accounts.

Here's why: the majority of US corporations play a 'shell game' with their profits, trading across borders into whatever offshore jurisdiction offers low or zero tax. As there isn't any obligation to break out the actual country-by-country profitability and the underlying logic of cross-border transfer pricing - let alone reveal the details of 'financing agreements' that pay excessive interest to 'bondholders' that are actually wholly-owned subsidiaries in an offshore tax haven - the companies who do it get away with it.

That wouldn't work if (say) the German tax authorities had all the information they required to reconstruct the underlying profitability of Sony's operations inside Germany, and the beneficiaries of all the payments sent offshore.

This is why 'tax justice' and anti money-laundering campaigners are promoting country-by-country reporting.

A multinational corporation the size of Sony generates hundreds of millions of Euros of operating profits inside Germany; I doubt that they pay tens or even single-digit millions in taxes there.

You can say the same for Microsoft, and Amazon, and Google, and Apple, and probably the major banks.

The American authorities won't take action based on stolen (and therefore inadmissible) information; the United Kingdom and other jurisdictions who seek to profit from tax evasion and money-laundering won't bother; but Germany and other governments in Europe can and will pay serious money for information that allows them to recover unpaid taxes.

Childish and vindictive 'black hats' damage little people by exposing their bank details and medical records: I'll believe that there's a serious agenda when they dig out the financial data and make a corporation pay the tax they actually owe on the profits that they actually make. Because *that* is serious damage.

AlanSDecember 17, 2014 11:59 AM

More on Cato conference: According to Marcy Wheeler, who spoke after Tye on Panel 1, the panel ran out of time and didn't get to discuss Section 309. However, Wheeler does have a blog post that covers later exchanges in the conference on Section 309 on Panel 3 (31:55 and 57:45 marks): Section 309: A Band-Aid for a Gaping Wound in Democracy. From her post:

But instead of extending FISA (which is already inadequate to the technology of bulk collection), Congress instead moved [through section 309] to impose some retention limits but not use limits on this data. Indeed, the permitted reasons for retention, and Litt’s insistence that this doesn’t change what they’re already doing, suggests they’re already using this data for broad purposes, though the really unlimited use of it would be limited to metadata analysis.

At the very least, this means the government is able to engage in metadata analysis of Americans for far more uses than permitted under FISA, and do so without the First Amendment review required under FISA. It means NSA can construct the dossiers based on metadata on Americans so long as they do it with EO 12333 data. The use of EO 12333 also provides a way for the Attorney General to authorize spying on content that will only, with the new provision, receive outside oversight after 5 years.

...there exists abundant record that the IC is not claiming new affirmative authorities. But why should they? What they are instead now confirming is they have already been using US person data collected under EO 12333 — and not just metadata.

name.withheld.for.obvious.reasonsDecember 17, 2014 3:16 PM

I don't think people understand the extent and scope of what happened in the land of "pretend" democracy--the shining piece of fecal matter on a hill.

CI(S)PA, SOPA, and the Patriot Act (permanently) enshrined in law without even a committee meeting/vote. The deliberate subterfuge used to control information about the section(s) of the bill that are problematic. There is much to be concerned with--this is the type of infrastructure to maintain a world-wide hegemony.

NateDecember 18, 2014 4:31 PM

@Nick P, Clive Robinson: Yay, I'm glad someone else has discovered Margaret Hamilton's DBTF / Universal System Language! Her name came across my feeds a couple weeks ago so I looked her up and... yeah. I read some of her USL papers and they're blowing my mind.

It's absolutely insane how many programmers today believe 'there's mathematically no way to do high assurance because The Halting Problem, and/or it's prohibitively expensive'. And yet, all this research in the 1970s was showing how to do it. And even though it's literally rocket science, it doesn't sound nearly as scary as the baroque labyrinths of clumsy APIs we use on the modern Web.

We've lost so much knowledge, and we've forgotten that we even knew it in the first place. We really need to relearn our history. But the computing industry is paradoxically awful at doing history. See, for example: Roland/Shiman "Strategic Computing" and Mahoney/Haigh, "Histories of Computing".

tyrDecember 18, 2014 4:49 PM

Here's an interesting opinion piece on the current state of the world.

It seems the rush to make everyone an adolescent moron has assumed new
proportions in the internet age.

I remember an episode in military leadership school. A junior officer
found a quote in a book. "the enlisted man is sly and crafty and can
not be trusted". He used to read this to the troops on his ship at
morning quarters, the result was that they became sly and crafty and
untrustworthy. The current situation of distrust and censorship has
the same effect. It would be a lot better world if you were trusted
until you actually did something to damage your credibility. Hardly
a plea for utopian pie in the sky but distrust breeds its own brand
of things to fear.

You can't fix a society which has been ruined from the top down with
a technical solution. All you can do is prepare to ride out the storm
when this planet does one of its usual tricks. A quick look at the
history of empires will show that there is a lot of rubble leftover
from hubris.

Nick PDecember 18, 2014 6:06 PM

@ Nate

I'm going to ask Wael and name.withheld to check her papers out in the next Friday thread. Wael has formal engineering education. name.withheld is strong in engineering and algorithms, while also working on a systems methodology. Both will be better at evaluating this and name.withheld might not have to put as much effort into his framework. Clive posted it but strangely hasn't said much about it. Hopefully that means he's still reading it, looking for examples, and trying to get a demo of 001. ;)

The one thing I disagree with is that it's the only formal, engineering method. There's quite a few that resemble an engineering process. Many can be combined in a straightforward workflow with plenty of automation. I was working on one myself compatible with EAL6+. The thing that makes this unique is its claim to be one tool to do it all. Quite a claim, but with testimonials to back it. If true, it's quite an accomplishment that should be celebrated, adopted, and built on.

Thanks for the two book links. I'll try to read them when I can. Found only a sample of one but all of the other. That I once did AI work (esp automatic programming) just makes finding Strategic Programming even more fun. Especially finding it and Margaret's own contribution to automatic programming at the same time. :)

WaelDecember 18, 2014 9:30 PM

@Nick P,

I'm going to ask Wael and name.withheld to check her papers out in the next Friday thread...
Thanks for the heads up! I am not done reading your previous lists yet ;)

Nick PDecember 18, 2014 10:36 PM

@ Wael

It's worth putting them all on hold. I'll post a few in order, then a link to others, and let you go from there. Friday though.

FigureitoutDecember 19, 2014 12:28 AM

Clive Robinson
--Just finished my finals (ugh...nervous about results...) so sorry for delay.
funny that you should mention MIT... my son has taken an interest in the Apollo Guidance System (AGC) which was built with a couple of thousand identical ICs
--Well, quite a diversion there if I must say! :) Good though, not frickin' politics "whoop di doo" there's no hope there. Just need to be prepared for its collapse and not be scared of it...

The "rope memory" is interesting, but I wouldn't be too fond of manually coiling up all those transformers. Just making 8 200-round inductors by hand for a renewable energy project was rather annoying, rather using a tiny motor and plastic piece for clean coils. Making a PoC little rope, I'll probably do it sometime. Funny it's nicknamed "LOL memory", little old lady memory. That's the kind of silliness I can get behind! :) Also curious about its EMSEC properties (intuition is noisy as hell) if it's a bunch of transformers, as a transformer for AC coming in ramps down voltage, then rectify to DC, then ramp back up and back down again and repeat to defend against some DPA attacks.

On the radar error encountered by NASA, well I've heard something regarding radar which is troubling w/ space crafts; they weren't tested for radar EMI up until like 2001 ( paper by Brian Kent )...Like seriously, WTF?! You think NASA, you know they test everything like crazy, but not radar directed towards their space craft...Luckily there were no serious holes, but that was just luck. He gave a good talk and how he had to conduct his tests in the 24 hours until launch when all the components were in and if they touched certain things in the ship he could get cancer...

So that there was a radar problem seems like a bit of an issue at NASA even though on further analysis I'm sure there's better reasons why they hadn't tested that and that there were failures w/ their radar on Apollo 11, I think...

But on reading about the failure, it sounds like something that would easily be prevented today, but I DO wonder how exactly priority setting of interrupts is implemented in detail. I do that at my work and we aren't launching payloads into space lol. In fact it sounds like they did a reset of the micro which is considered a bit of a "hack" and "cheating" and not a very elegant solution...So I'm not convinced we don't have better solutions straight from low cost COTS.

While I agree "code cutting" is a problem, b/c coding is barely taught at all, they just kind of "let you go" on big projects before drilling basics in your head w/ more memory management. And your tool chain can change in a trice forcing you to learn more implementation details unlike hardware dev, which the tools just get better but basic knowledge remains relevant longer. So it's best to just code a ton using great books available but you also need to focus on physics, math, and circuits if you want to do full on systems; so it's a constant battle for memory in your brain (and why I'm a strong believer in documenting tricky bugs/errors/fixes right when you discover them to refer to later and eventually working that into usable knowledge for whoever's next trying to implement what you're doing; unless you want people to suffer thru the bugs lol :/). And I'm not convinced by DBTF lol, yeah before the fact you find a bug you can't work around...Sounds too good to be true.

But I was sick of hearing the "We are the Messiah, watch my hands wave so gracefully" and wanted to see the damn code. Still don't understand the code nor how it was assembled and what their tool chain for that was. And I really can't just go off and look into it a lot as I'm too committed, that's a big problem of mine is overcommitting. But here's some good links on it, apparently someone emulated it virtually:

Site w/ the links but I'll link code samples too:

Sample 1 (Comanche, Command module of AGC):

Sample 2 (Lunar Module Guidance Equations (*be sure to note line 1375, "TRASHY LITTLE SUBROUTINES"*, sounds elegant):

Sample 3 (Lunar Module firmware for Abort Guidance System (AGS), Flight Program 8):

yaYUL, the assembler of this code:

Regardless, obviously a huge accomplishment firstly even launching a payload into space, let alone landing it on a foreign body successfully. Recently the group that landed a probe on an asteroid, crazy..., so cool. Vector equations in 3D space suddenly become so exciting lol.

Way OT--Android 4.4 Spectrum Analyzer w/ RTL-SDR for FREE

Finally got the RF Analyzer app running on my Android phone. It works! Hell ya! This is so cool. So all you need to do is install the RTL2832u driver from Martin Marinov (free) and then get the APK from RF Analyzer github (RFAnalyzer.apk) and install from unknown sources. Of course you need an RTL-SDR dongle and OTG-USB cable. But it works! And even though it's coded in java and crashed on me and still has some bugs, this is even better than GQRX. It's a touch screen scrollable spectrum analyzer on your phone! So easy!

You can download the app for $1.01 or if you want to know how let me know (I'll blog it on internet). I'm probably going to send $5+ bucks his way and maybe try to work w/ him getting more demodulation modes working. Messing around w/ Android Studio was pissing me off, but today is a good day lol.

AlanSDecember 21, 2014 9:29 PM


My apologies for a rather belated reply. He used the term as a metaphor in a quite specific way. Here's the text from the book, the only place in the entire book he uses the phrase invisible hand:

By preferring the support of domestic to that of foreign industry, he intends only his own security; and by directing that industry in such a manner as its produce may be of the greatest value, he intends only his own gain, and he is in this, as in many other cases, led by an invisible hand to promote an end which was no part of his intention. Nor is it always the worse for the society that it was no part of it. By pursuing his own interest he frequently promotes that of the society more effectually than when he really intends to promote it. I have never known much good done by those who affected to trade for the public good. It is an affectation, indeed, not very common among merchants, and very few words need be employed in dissuading them from it. (emphasis added)

Couple of things to note: He's not making a general claim as some economists would have you believe. He's making a specific claim, one about the unintended consequences of individuals' preference (less risk for them) for investing in domestic industry versus foreign. He doesn't say the pursuit of self-interest always has unintended benefits for society or even most of the time. And in Wealth he gives clear examples of instances when the pursuit of self-interest can have bad or catastrophic unintended consequences for society (see example cited above relating to promissory notes).

I agree that the phrase is now used in lots of different ways. And I suspect that most of the people who use it, and link their use back to Smith, have never read a line of his book. I sort of agree that the "original meaning of the works is by and large dwarfed by the later analysis of the works". I'd add some qualifications. It depends on the community one's referring to. Historians, philosophers and others read Smith's works and engage in legitimate arguments about the meaning of the texts. But a lot of the popular citations and references to Smith are hardly worthy of the term "analysis".

The Chicago School and neoclassical economics claim Smith as a founding father. As I wrote above, I think that has more to do with legitimizing their own ideas than any substantive commonality. Their ideological, authoritarian, market utopianism doesn't have much in common with Smith. What they promote has more in common with behaviors Smith criticized. The financial collapse in 2008 exposed the dark 'free market' machinations for what they were.
