Friday Squid Blogging: Mummers Play Featuring Giant Squid

"St. George, the Dragon, and the Squid: A Preservation Mumming," by the American Folklife Center.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on December 26, 2014 at 4:32 PM • 90 Comments


Cyber Guy • December 26, 2014 5:24 PM

In the spirit of Bruce Schneier’s movie-plot threat, this one is about DPRK: The CIA, taking inspiration from, and Bruce Schneier’s movie-plot threat contest literally, collaborates with SPE to social engineer DPRK by creating a film which is intended to provoke DPRK into hacking honeypots planted by the CIA in SPE’s intranet, which contain fabricated data containing fake financial and PII information, thereby gaining information on DPRK’s cyber capabilities. Upon release, the movie contains numerous references to “honeypot” to further humiliate DPRK by letting them know they have been gamed.

Clive Robinson • December 26, 2014 6:17 PM

ON Topic :-)

Hmmm, Hope O’Keeffe appears to have had her bottom well eyed for her part as the squid....

NobodySpecial • December 26, 2014 6:25 PM

In a brilliant plan/movie-plot the NSA/CIA/FBI/MMB decide that instead of picking a new axis-of-evil country to blame for each incident they will simply invent a country.
Relying on the typical American/Fox viewer knowledge of geography they decide to invent North Korea - following an earlier C19 operation that invented North Dakota

Thoth • December 26, 2014 6:27 PM

Youtube says: "This video is not available."

Maybe you meant: ""

Maybe @Bruce should name his future ciphers with the name "Squid" or something like that along the line since he loves squid so much.

Corey Copeland • December 26, 2014 8:08 PM

Great post. Kind of reminds me of the film "Bill and Ted's Excellent Adventure."

Anura • December 26, 2014 8:11 PM

Strange, works for me. Maybe it is restricted by location. And I could only find one upload of that song on Youtube.

Nick P • December 26, 2014 10:30 PM

@ Thoth

If he did that, anyone searching for his Squid cipher would probably get 50+ pages of results containing his Squid threads that mentioned "secure," "encrypted," or "algorithm." Probably not an effective choice in practice. ;)

Thoth • December 26, 2014 11:21 PM

Putin hiding behind his curtains giggling at USA vs. NK bout. Something close to what most of us here believed to be someone other than NK.

@Nick P
Maybe cuttlefish or octopus cipher. That would be a little closer :D .

Nick P • December 26, 2014 11:40 PM

@ Thoth

Octopi are cool but IBM had the Octopiler. I thought what fish name is original, easy to spell, catchy, and mentally associated with protection/self-defense? First one that popped into my head was a souvenir I picked up at a beach that crowds liked and could be used in a home invasion: a blowfish the women named "Puffy." I immediately thought: "That clever bastard. He's already made a good cipher with the best name. Coming up with the next one might take some work." (sighs) Oh well lol.

Anura • December 27, 2014 1:51 AM

Actually, "Illex" is better. It is easier to remember how to spell, I'm confident I can pronounce it properly, and it ends in x, which makes it cool.

Alex • December 27, 2014 1:55 AM

I liked your first ever webinar, Bruce. Didn't sound like you enjoyed it though. Hoping, on behalf of all infosec professionals, that prediction made regarding Sony hack bringing more attention to infosec in the board member meetings comes true. So far none of the "big" breaches made the C-suite take notice.

Clive Robinson • December 27, 2014 4:27 AM

@ Philip,

No, nor am I likely to, I'm not keen on certain types of failed to be funny / puerile humour, and to be honest the thought of being trapped in a dark place with hundreds of people that do, would be a modern take on Dante for me.

Further those that have seen it prior to the "public release" of the SPE hack rate it not as good as a turkey and thus a definite "miss if you can".

Further as I'm not a US citizen I won't be seeing it for "national pride" reasons in the faux belief that spending the equivalent of 100USD would some how be fighting "terrorism"...

Now if they were to film the SPE C-level execs getting the original Dante's Inferno treatment I might go and watch that quite a few times, especially if the US politicos they have corrupted are in there getting a share of the same :-) And I suspect there would be quite a few ex-sony people with me enjoying it in 3D with surround sound for the extra bit of realism. I wonder where you would have to queue up to be considered for a part as the Devil or one of the minions, I've a feeling the line would be very long B-)

@ Anura, Nick P, Thoth and others,

You should all know by now that a successful cipher needs two names, firstly a "vanity name" which is unpronounceable and apparently woven from the designers' names/initials. The second one a TLA of something that sounds authoritative and carries a "rogue agency's" seal of approval, for some kind of side channel or other back door, such as AES which really stands for "Almost Everyone Sh4ft3d"...

Balbo Boggins • December 27, 2014 7:23 AM

AES is secure if implemented properly.

But anyway all this government spying is stuffing with the workings of the net. Monitoring of DNS is interfering with normal operation so your queries should be encrypted or at least salted with enough of random faked queries to add to their collection of useless information and personal details they are trying to amass on everyone. Many governments are pretty inept at storing information securely or setting up secure networks to begin with. If people are fine with their own government spying on them, they may want to consider the many other entities who may get their hands on that information and who they might sell it to or where it might get posted.

Thoth • December 27, 2014 8:11 AM

@Balbo Boggins
Most crypto are good if used properly :). Fact is most programmers don't make the cut and make up stuff.

"But anyway all this government spying is stuffing with the workings of the net. Monitoring of DNS is interfering with normal operation so your queries should be encrypted or at least salted with enough of random faked queries to add to their collection of useless information and personal details they are trying to amass on everyone."

This is one of the ideas being brought up. Generating fake traffic and loading them with real traffic. None or few of us got it up yet because no one's going to run a server where the ROI does not make some sense. We don't know if it works.

"Many governments are pretty inept at storing information securely or setting up secure networks to begin with. If people are fine with their own government spying on them, they may want to consider the many other entities who may get their hands on that information and who they might sell it to or where it might get posted."

That is very true of many Govt. They prey on their people and they get preyed on by the big boys up the food chain. Governments attempt to exercise high assurance security but mostly scrape pass or fail it. Reason is they rely on COTS and COTS stuff are badly infected with the NSA/GCHQ/BND...etc... flu virus that kills them eventually. Their "security consultants" mostly rely on cash to convince the Govt.

Thoth • December 27, 2014 8:39 AM

@Clive Robinson
Just to expand on your theory of SPE hacks, would it be true that if Russia successfully extend their influence into the Korean Peninsula, it would increase their war coffers with gold and be used to regain Warsaw territory ?

I remembered somewhere I read this year about Russia trying to build its gold coffers in case of Washington aggression.

Russia is courting the East to milk the cash but China's watching too. Russia investing in Korean Peninsula and India ( What could India help Russia with other than buying Russian weapons and act as a counterbalance to keep China in check ? We know that China isn't so friendly with Russia and would take opportunities to cut down Russia for its own interest if possible unless India keeps China busy.

Last paragraph of that article where it says Russia is seeking closer ties with Turkey. Good move on their part. I did predict that Turkey would be crucial to Russian naval operations if they turn against Russia in the Black Sea. Turkey holds a strangle hold at Istanbul and they can lock the Russians into Black Sea and make them inoperable in naval warfares if needed. The Russians can resolve to friendship and manipulations to take over all countries in the Black Sea coastal regions or resort to force. Since Turkey is a pretty strong country and a part of NATO, pissing Turkey off is possible but risk pissing NATO. So one way is use friendship.

Whereas for Georgia and Ukraine would be the other way around. They are weak and not really worth a look. These two countries can try to join NATO but Russia would simply overrun them by force with a high likelihood. It is only sooner or later Georgia and Ukraine would be to fall under the first wave of reinstating the Post Soviet Union Russia Federation of Putin.

I am not siding with NATO or those Western warhawks. I am just throwing up possible ideas of Russia's current moves in the sense it somehow matches my predictions somewhat I made months ago when they invaded Crimea.

They could in a way reinstate the USSR looking at the current situation and actions... I would say a bid to have a new version of USSR appear and another bout of Cold War... much colder than the previous major wars ???

US/UK/West Europe are making a ton of wrong moves. Lots of economic crisis and lots of unrest amongst the civilians and politicians. US and UK pretty much expanded too much energy on the Mid East war and they cannot effectively keep the possible reforming of the USSR in a modern flavour in place. Countries are not even comfortable with their appearances and influences anymore and especially an air of distrust of Washington.

Final stand for Crimea and Georgia to prepare themselves is to reform their Government to suit the people (popularity), proper and generous governance. Being slithering snake-like in politics to not promise and not reject. Make more friends with the neighbouring *stans and former Warsaw turned democratic countries. This will help them on the front of their people and their politics to live a little longer for now since popular image is what brings nationalism that would enforce border protection. Next step is using friendships among East Europe to form some kind of alliance amongst themselves (not to be like West Europe's EU which largely failed) and to strengthen their armed forces amongst themselves. Combined Eastern Europe protective drills and of such. Next would be to increase information security anticipating infiltration by Five Eyes or Russia which are all HSAs anyway. Individual security should be important instead of like the Western Europe and US/UK's warhawkish view on how citizens "owe" the Govt and must be weaker than the Govt. Proliferation of proper security in essence is as good as a gun behind each house's door to protect against HSAs and this is where Govt support is needed. More expressive freedom and tolerance as well is needed to knit all the Eastern Europe together. Neither the NATO nor EU nor anyone would "protect" Eastern Europe from Russia's onslaught and vice versa. They gotta do it themselves. South America allied themselves with each other and this should be the concept for Eastern Europe.

Grauhut • December 27, 2014 9:11 AM

@Nick ;) 31c3 lecture: Trustworthy secure modular operating system engineering

Mirage OS is a (BSD-licensed) research project at University of Cambridge and released in December 2013 a 1.0 version. In 2014, 2.0 got released with full support on arm, a clean-slate TLS implementation, and the branchable data store Irmin. We (Hannes and David) developed a TLS stack from scratch (including cryptographic primitives, X.509, ASN.1), which we will present.

We intentionally break with the UNIX philosophy. Instead of using a programming language designed to replace platform-specific assembly code we use the functional programming language OCaml with higher-order functions, a composable module system, pattern matching, a sophisticated type system.

JustWondering • December 27, 2014 9:12 AM

Has anyone put together a small EMP device that can be used to disable drones? I am not worried about the larger military types but the small ones that are in the class of carrying a camera and/or stingray (or other listening/tracking) types of equipment. Maybe a strong radio jamming/disruptive signal would do just as well.

Or, perhaps it is time for small local radar systems that can detect the presence of such drones. You know, housetop mounted (out of sight in the attic of course) with a range of a few hundred yards out to a mile maybe.

Of course, we haven't been able to build suitable detection mechanisms for our internet connected devices yet, but the time has come to be ever more watchful.

"Just because you are paranoid doesn't mean they aren't out to get you"

Thoth • December 27, 2014 9:24 AM

Expensive stuff:

More practical than an EMP radiator to blast drones which might accidentally knock out low flying aircraft and may turn into a nasty offense.

Much more cheaper option than an EMP is to just pump the damn drone filled with shotgun lead (if it's legal).

Another option might be drone comms hacking but I have never seen one open sourced yet unless someone has one.

Thoth • December 27, 2014 9:28 AM

Interesting OS. Seems like inaccessible here (Singapore) but accessible with encrypted routing networks.

Active packet disruption from local ISPs ?

BoppingAround • December 27, 2014 9:30 AM


Thoth and other asians here,

I have a question regarding the asian 'computing culture' if it can be called that way. How different is it?

I have only heard about sheer popularity of pirated software (PC, mobile) and sideloading/alternative markets (mobile). Is this true? What are some other quirks if there are any?

Thanks in advance.

Dirk Praet • December 27, 2014 9:36 AM

@ Thoth, @ JustWondering

> Another option might be drone comms hacking but I have never seen one open sourced yet unless someone has one.

Check out Samy Kamkar's SkyJack.

Thoth • December 27, 2014 9:53 AM

I won't pretend to represent their mindsets of all asians but it's a culture of trying to save money wherever possible. We call it the "kiasu" culture which means scared of losing culture here. Loads of pirated stuff in Asia because of culture. Copying have never been so badly penalized until the West came in with their culture. Almost every other thing is subjected to copying.

Recently I have seen copying done even in the Government agencies. Range from copying electronics systems to something as simple as bathing foam and soap... lol...

If you want to sell your stuff here, either follow the culture or make sure your stuff is really good at preventing forging and reverse engineering because the Govts may take interest as well and you can't technically go against them otherwise you want them to be pissed.

Is there something you are specifically interested ? E.g. penetrating into local market here ?

Grauhut • December 27, 2014 10:01 AM

@Thoth: Some people don't like the CCC ;)
Send them a message if censored in sg.

Maybe because they bring knowledge to the public some don't want to be seen in public. About the SS7 protocol for instance.

"lecture: SS7: Locate. Track. Manipulate.
You have a tracking device in your pocket"

Nick P • December 27, 2014 11:01 AM

@ Grauhut

Yeah, I've posted some of their work before. It's a good project and good to know it's still going. Might prod Tolmach et al to port it to the high assurance runtime (Haskell-based) that they're making if they finish it. They also have a systems dialect of Haskell, Habit, that should improve performance. Ocaml and Haskell are just similar enough to ease porting by skilled users of both languages.

@ Thoth

They might be blocking it. It would be a bad move, though, given that their solicitation for better security and networking tech is much more likely to succeed if presentations like this make it to Singapore. Like Grauhut said, though, such presentations also include methods to defeat surveillance state activities and push a culture that undermines them. Internet presentations are a double edged sword for a very controlling country.

Grauhut • December 27, 2014 3:52 PM

@Nick P: What's the prob with ocaml compared to haskell?

Some more funny 31c3 stuff

BadBios explained (without naming it)

Freed low cost GSM chip

Nick P • December 27, 2014 4:17 PM

@ Grauhut

Haskell's referential transparency allows optimizations and analysis that would be difficult to do in Ocaml. Its standard library is better. It has a number of concurrency mechanisms that are great in practice. There are quite a few ways to use a theorem prover with it, esp Isabelle/HOL. It's been used in a few high assurance security projects. Finally, there's lots of academic work extending it in all kinds of ways.

So, Ocaml is good stuff but Haskell seems better in near term and future.

Chuckles • December 27, 2014 4:42 PM

NY Times op-ed The Slow Death of 'Do Not Track'
by Fred B. Campbell Jr.

[This] would harm competition in the online ad market by turning "Do Not Track" into "Do Not Track for small ad companies only." Google, Facebook and other large companies that operate both first- and third-party businesses would be able to use data they gather through their first-party relationships to compete in the third-party ad market. Smaller ad tech companies would be at a severe competitive disadvantage and could even be driven out of the market.
Fred B. Campbell Jr. is executive director of the Center for Boundless Innovation in Technology and a former chief of the Federal Communications Commission’s Wireless Telecommunications Bureau.

BoppingAround • December 27, 2014 4:42 PM


> Is there something you are specifically interested ? E.g. penetrating into local market here ?

Just general interest. Seen the copying reference here and there, decided to enquire if there are any other quirks. Unfortunately, search engines do a pretty bad job at helping me with this (my queries being shit is a possibility too).

Can it be called a culture of hackers?


Bob S. • December 27, 2014 6:16 PM

Drones will become a Biblical plague of locusts within a few short years.

We've had remote controlled little planes for years, but only lately the technology has got to the point of making them wildly popular, especially based on their camera capabilities and of course the police must have them to weaponize.

The government is pushing them to have yet another little control freak power base, to make the police and military happy and of course payoff drone manufacturers generous with their...donations.

As for defense the options are limited, but available. Despite claims to the contrary, grandpa's old shotgun will do just fine with goose or duck loads out to 200 feet or so, at least in the countryside.

Surely some smart wag will invent a RF jammer that will send them right to the cement.

At close range a water hose, a rock, a slingshot, even a paint ball gun would work.

Last and my favorite is simple: Drone War. Buy three or four of the biggest and cheapest you can find to use as sacrificial attack drones. Be prepared to say "oops, so sorry", convincingly.

Thoth • December 27, 2014 7:00 PM

You can call it hacking industry in regards to Asian culture of hacking. One good example is the Tea Industry. Yes, the cup of tea you drink daily. Tea is simply Camellia Sinensis, a bitter plant. How you add the flavours is by the techniques to coax and manipulate the flavours of the tea leaves during production. Some people would scent it with flowers and some would roast or steam the tea leaves. In order to work in the Tea Industry you need to learn the basics and then branch off. Copying is usually the first step before innovating. I am not glamourizing the effects of copying just in case some agents are sitting here reading. Just saying that one example of industry you need to learn by copying is tea.

@Nick P
Yea, it's hard to tell what was going on. Some security websites are blocked on the ISP level and it's kind of shooting themselves in the foot to do so. The SG Govt aspires to be a power in electronics security system and attempts to mimic by creating their own HSMs but supposedly failed (industry story circulating in the local HSM industry).

CCC is not directly censored but just raises eyebrows.

Nick P, you can try to sell your high assurance stuff to them and I am very sure they do pretty much appreciate (plus they will attempt to reverse engineer and produce their own copied version) and you do better run quickly after selling. Talk about copying, even the local Govt resort to that. It's only a matter of who's doing what. If it's the Govt doing the copying, it's all legitimate (we copied gun designs and AFV designs btw) :D .

Just like any Govt, they are only concerned with saving their own backsides. Rather pathetic despite their goal of strong digital security which is mostly a bubble. Never really happened. The security market are simply fillers that contain Govt contracts or "innovative security items" that are not even secure.

@Anti-Drones et. al.
Shotguns would work. If they fly a bit higher, grab a 7.62 and point away from humans and check with local laws if it's allowed. Maybe a net-gun to capture drones for a softer approach ?

Will surrounding the house with a long net be efficient to prevent them from straying too close ?

Besides the usual, taking a shotgun and pelleting them or hacking them, what are the other anti-drones measures available ?

The model of business of the Internet is to track. Not surprised it is dying off. More robust methods like sideloading browser plugin scripts to block certain Javascript elements would be pretty useful. Adblock Plus does not block all ads using the rationale that websites need to earn money and of course Google paid Adblock Plus a visit and they hold hands together. Only way out is a stronger filtering / protection plugin for scripts (or disable Java/Flash/Silverlight/JS altogether).

Another way is a high assurance browser in a high assurance language. Built from down up and gives you absolute control over every behaviour. If you notice, browsers attempt to hide website behaviours (not sure why) from the casual users and the developers via API calls.

Nick P • December 27, 2014 7:38 PM

@ Thoth

"Nick P, you can try to sell your high assurance stuff to them and I am very sure they do pretty much appreciate (plus they will attempt to reverse engineer and produce their own copied version) and you do better run quickly after selling."

I figured as much. Aside from irking my government, that they'd copy and ruin the investment is why I'm unlikely to sell to them. There's a better model that I'm not ready to publish for high assurance INFOSEC in general. However, the Asian culture angle might require me revisiting it. It's already more suited to that issue than regular models in the short term. Long term is where they all fail.

Thoth • December 27, 2014 8:26 PM

@Nick P
Just a forward warning that it has been known that the SG Govt have a thirst for nationalistic pride and to achieve that they will dismantle strategic goods, re-engineer their variants and claim their own stake. They have done that to the FN MAG machine gun, the Steyr AUG style of rifles and they have been looking into secure machines and supposedly have dismantled HSMs to learn their inner workings but failed to do a good job. SG Govt have a strong nationalistic pride just like the Germans (made in XXX country stamp) and get all giddy happily. You can capitalize on that part.

Clive Robinson • December 27, 2014 9:11 PM

@ Bob S,

Have you thought of a cross between chaff/window and a party popper?

That is instead of shotgun pellets you have very fine wires / threads / strips fired from a canister that form clouds that drop down onto the drones lift propellers fouling and jamming them causing a catastrophic loss of lift... I'm told the US developed such a weapon using conductive carbon fiber filament to take out over head power infrastructure during the gulf war. I suspect even clouds of "rice flour" will if suitably done, cause a micro drone real problems quite quickly. Oh and "non dairy creamer" does make a fun Fuel Air Explosive (FAE / FAX), you just need to develop a delivery and deployment system.

Personally if you can put up with them grow some of those troublesome Leylandii trees [1] that grow up to three feet a year at the corners of your property, and use them to hide steel poles that suspend a gossamer or similar fruit tree protection nets. With suitable wires and signals on them to form a proximity detector you would fairly reliably detect airborne objects close (fifteen feet or so) to it.

More HiTec would be a small "blimp" with some kind of 50 Ghz or above pulse emitter to use for "millimetric offset radar" the technology for which is now within "home hobbyist" reach.

And completely "off the wall" how about a couple of kilowatt IR lasers used for cutting steel with an appropriate set of new optics to blind/destroy detected drones. Obviously this would be both expensive and dangerous, but has the advantage of little or no noise and no projectiles to worry about where they land causing environmental issues.

If you just want to blind any cameras then a modified "disco laser" system will do that, you can get the bits quite easily including uprated lasers for outdoor shows etc, a friend has one where writing rude messages on clouds and buildings several hundred meters away is quite easy.

Though for close in deactivation converting a half kilowatt microwave oven into a HERF gun would not be technically too challenging for a home hobbyist. Though it presents some hazards, in that it will cook nervous tissue rather faster than it will electronics... but you don't want to live forever do you?...

I had thought about using a "clay pigeon" launcher to fire up disks with small fragmentation devices in them to act like "anti-aircraft" fire, but I doubt it would be legal anywhere...

Ideas are easy, developing reliable, deployable and safe --to the user and bystander-- systems is a lot lot harder.


Grauhut • December 27, 2014 9:25 PM

@Clive: A raspi or cubie board under the roof top running 2.4g wlan ap jamming software should be enough in most cases. Anything more would be overkill.

We all should log anomalies in consumer frequency ranges around us anyway, sdr is our friend... ;)

Nick P • December 28, 2014 2:31 AM

@ Thoth

He's not a cover for U.S. He was too damaging to their interests. Might have been for some other agency, reformed, and so on. I'm awaiting peer review on this material before I make any judgments on it.

Note: Well, there was this theory. Err, movie plot winner. A clever possibility though. ;)

Actually Skeptical • December 28, 2014 2:57 AM

@Nick P

It would be interesting to see the U.S. journalists grill a pardoned Snowden on U.S. soil. I think national security would be served well by such a scenario. Outside that, I could speculate Snowden as a massive state psy-op, and/or historically an IRC troll, and/or a person somewhat like myself. IT, used to be libertarian, saw the massive unpunished historical and present injustices, and became more of a democrat. And guessing that as I get older and see the continuing rather awe-inspiring global cultural shifts going on in these recent decades, will likely edge closer to conservatism.

Clive Robinson • December 28, 2014 2:58 AM

@ Nick P,

What do you all think of this story?

Well that question has been asked before...

Let's look at politico's for a moment first,

In the US it's perceived that politicos need to be both religious and conservative and have a strong family life. And that's what they aim to project to the voters. Well a look at the real statistics and the results of questionnaires says that the reality is considerably less than 1% of the population live that way. And the actuality of political scandals suggest that most politicos don't either, they just pretend to...

Worse it makes them hypocrites as well, take certain leading edge medical research, they usually vote the way they think the 1%s would, until it's one of their own, then for a short while they vote nearer to their true beliefs that it could be them next. It's the same with gun control.

Are they voting and appearing to behave the way they do to keep their jobs or the way they think society should? and does that make them normal --self deluded-- people or not.

Think about what you think now as a father of teenage girls and what you thought as a teenage boy about teenagers having sex...

Or as a --supposedly-- happily married man in your who talks to his wife about the latest political sex scandal and how shocked / horrified / etc you are about it, whilst secretly harbouring fantasies about a young woman in your office... especially if you have the power or wealth sufficient to have an extramarital affair or mistress etc...

All you can really say is that we change our views as our life changes and we maintain a public face for status reasons whilst desiring or fulfilling a different private life in part or full.

Worse when we condemn those who have been caught not living up to their public persona we condemn them, for doing what we secretly do or wish we could do to maintain our public persona... Thus the reality must be we condemn them not for what they do but for being caught doing it.

I've also noticed in life those that condemn loudly are trying harder than most to cover up their own private feelings / actions.

Those that are most likely to be genuinely in that 1% --that others try to pretend they are-- generally don't complain they just feel saddened and quietly forgive others for their failings.

To be honest I don't really care if a politico is cheating on his wife, because the chances are in a way she is cheating on him as well, and they are both well aware of it and it suits them both to maintain the public pretence. You only have to look at the history of French politics to realise it's actually more normal than not which is possibly why they have stronger privacy legislation. Likewise moments in British political history. What interests me in politicos is not their private lives, unless they are hurting people, but what they are doing for me and the other voters, that is are they doing their job as I would expect them to. After all it's the job they do that we pay them for, not what they get up to out of work hours in the --supposed-- privacy of their "private lives".

Which brings us back to Ed Snowden, arguably he did not do the job some people believe he was paid to do, however I suspect his actual work reviews showed he did his job well which was why he was able to work his way up to where he was.

Which brings up the question of "harms" did he hurt anybody, well that's the wrong question to ask. We accept as society that some harms are beneficial to society as a whole, it's why we allow spying on our potential and actual enemies in the first place both inside and outside of our society. Thus it's a question in general not of absolute harms but relative harms, that is did Ed Snowden over all do more harm than good?

Personally in the general case I think the scales are tipped over to good not harm.

But what about individual harms, did he harm individuals, well yes he did but they were those individuals who society had put trust in and they had abused it, so arguably those individuals had it coming to them. What about agents etc, well as far as I've seen probably not. Some are trying very hard to make the argument that he has by revealing "methods", well I'm sorry that argument does not hold water, as far as I can tell there were no methods revealed by Ed Snowden that were not known by people in the public domain, which the majority had chosen to ignore. Thus if in the public domain, the only people potentially being harmed by showing that the NSA are using these methods are the targets of the methods and those using the methods.

Well by and large the only people that are subject to these methods that are harmed are the American general public. The agencies of our --supposed-- enemy nations etc are more than likely to be aware directly or indirectly of these methods and have already where possible mitigated against them prior to Ed Snowden revealing anything.

Which leaves those who are using the methods against the American public in a blanket manner, that is those in the NSA. Well arguably those that pay them via the tax on their hard earned wages don't think this is a part of the job they should be doing let alone be paid for. So I suspect the American tax payers would see those in the NSA using the methods on them as the NSA "biting the hand that feeds it". Thus see the NSA staff involved ending up joining the ranks of the unemployed as a good not a harm.

Will the Ed Snowden revelations "harm innocents" well every time society changes innocents get harmed, that is the way of the world, as we don't live in a vacuum of fantasy. Thus if the Snowden revelations do change society then yes people will be harmed, but on balance probably many less than if those changes are not made.

I'm not going to get into the politically inspired "think of the children" arguments because the people that bring them up will not accept the society inspired "Cops as Killers", "Politicos on the take" and several other similar arguments as valid thus showing their significant bias to "authoritarian" thinking. Further all such "political" for/against arguments in the past have rightfully upset the Moderator as they just descend into what looks like school yard name calling. And further as you once warned me "Don't feed the trolls" it only makes them greedy :-)

Bob S.December 28, 2014 8:34 AM

@ Clive
Re: Drone Defensive Measures (DDM)

I like this idea: "a canister that form clouds that drop down onto the drones lift propellers fouling and jamming them causing a catastrophic loss of lift."

Classic small scale Ack Ack. However, until that's perfected, #2 shot and a 12 gauge would be a good fallback plan.

I did some research. There are jamming devices (spark generators) going back to the 19th century. The problem is, the old style jammers would knock out ALL RF within a one mile radius. That might not be entirely legal or welcomed by folks.

There is something called a comb generator that can be tuned a bit better and is less powerful. Seems to me it only needs a range of 500 feet or so.

I forgot to mention nets. Simple nylon fish net would foul the props nicely. Also, two or more Defensive Mode Drones could be enlisted to create a literal drag net.

Drone Wars: It's on.

HermanDecember 28, 2014 11:12 AM

Drone wars: It all depends on what you are up against. Hobby toys all seem to use 2.4 GHz links. So one could jam them rather easily, but it would also jam your own and your neighbour's WiFi. It would also be easy to shoot a hobby drone full of little holes with an air pellet gun, or blow it out of the sky in a single shot with a paintball gun, but why bother? Let people have their fun. The craze will blow over in a year or two when something better comes along.

BenniDecember 28, 2014 1:46 PM

New Spiegel articles on NSA:

"The Snowden documents reveal the encryption programs the NSA has succeeded in cracking, but, importantly, also the ones that are still likely to be secure."

And by the way: NSA and GCHQ attacked the European Union with Regin malware:

And whom they chose as drone targets is also revealed by Spiegel. Up to now the German government has refused its participation in drone assassinations. That will be more difficult now:

albertDecember 28, 2014 2:45 PM

@Bob S, drone guys,
Guns are effective, but you will pay for the damages. And what's worse, there will be a video of you shooting it*. :)
The RF jammer is more effective. It need run for only a few seconds, longer if you retrieve it yourself. Intermittent RF interference, happens all the time. Warn the perps, return the drone. Too bad it was damaged by the crash, and those electronics are awfully fragile. :)
Hopefully, the courts will rule drone cases as invasion of privacy, or trespassing, or endangerment, but there needs to be a court case first.
Guns would be more fun, but stay with the ECMs.
Happy New Year Everyone!
I gotta go...
*if you're a police officer, go ahead and shoot. Police seem to have some immunity against video evidence.

BenniDecember 28, 2014 2:47 PM

A hacker photographed the German defense minister and from that he constructed her fingerprint that he can now reconstruct with an attrappe:

Same thing should be possible with iris scans, he says.

And here is the lecture from the CCC yesterday where it is shown that you only need a phone number from a target somewhere in the world, and you remotely can manipulate the phone, track the subject and intercept SMS and voice conversations:

After a large German provider (probably Deutsche Telekom) fixed their system, the SS7 location requests dropped by 80% in Germany:

BenniDecember 28, 2014 3:23 PM

If talibans want to blow up a building, here is the obvious method:

Get a small laptop and record your name in a soundfile. Connect your phone to the computer, and deposit that on the house you want to blow up.
Let the computer make some phone call in the next hours while it is replaying the soundfile...

In the next 24 hours the house will be blown up by an incoming drone:

"The document also reveals how vague the basis for deadly operations apparently was. In the voice recognition procedure, it was sufficient if a suspect identified himself by name once during the monitored conversation. Within the next 24 hours, this voice recognition was treated as "positive target identification" and, therefore, as legitimate grounds for an airstrike. This greatly increased the risk of civilian casualties."

ThothDecember 29, 2014 1:31 AM

In regards to this link:

Good to know our knowledge of Skype is correct whereby they have already stomped Skype's "secure comms" into just yet another commercially controlled and backdoored comms not worth the "secure comms" phrase in it.

"Things become "catastrophic" for the NSA at level five - when, for example, a subject uses a combination of Tor, another anonymization service, the instant messaging system CSpace and a system for Internet telephony (voice over IP) called ZRTP."

What we know is if you layer multiple layers of cryptographically secure communications in a routing network that is encrypted to an extent (which we have already suggested in this blog), you get something even harder to break. Regardless of whether it's ZRTP, Tor, Freenet, PGP, OTR ...etc... if it's properly used and in a cascading setup, it is going to make life much more difficult. Another way to make life even more difficult is to integrate @Clive Robinson's "Fleet Broadcast" method.

"The intelligence services are particularly interested in the moment when a user types his or her password."

Why is anybody storing passwords or hashed passwords these days? Probably because passwords are easy stuff to code (server) and remember (client). I would suggest using PKI login or use something that cryptographically ratchets (passes back and forth) a nonce manipulated under a series of algos relating to an auth code permutated from a password. This way the ratchet nonce would be kind of useless if intercepted and the nonce (as its name suggests is as a random) would make replay attacks hard and discarded after its usefulness.
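
One concrete reading of the nonce idea in the comment above, as an added example that is not part of the original thread: a single-use server nonce answered with an HMAC keyed from the password, so a captured response cannot be replayed. It swaps in plain HMAC challenge-response for the "ratchet" the comment sketches; the names `AuthServer`, `derive_key`, `respond`, `client_login` and the 30-second nonce lifetime are assumptions.

```python
import hashlib
import hmac
import secrets
import time

PBKDF2_ROUNDS = 100_000   # assumed work factor for this sketch
NONCE_TTL = 30.0          # assumed lifetime of an unanswered challenge, seconds


def derive_key(password: str, salt: bytes) -> bytes:
    """Stretch the password into a MAC key; the password itself is never sent."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def respond(key: bytes, nonce: bytes, username: str) -> bytes:
    """Client's answer: a MAC binding this nonce to this user."""
    return hmac.new(key, username.encode() + b"\x00" + nonce, hashlib.sha256).digest()


class AuthServer:
    def __init__(self, clock=time.monotonic):
        self._users = {}     # username -> (salt, derived key)
        self._pending = {}   # nonce -> (username, expiry time)
        self._clock = clock

    def enroll(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, derive_key(password, salt))

    def challenge(self, username: str):
        """Issue a fresh random nonce; raises KeyError for an unknown user."""
        salt, _ = self._users[username]
        nonce = secrets.token_bytes(32)
        self._pending[nonce] = (username, self._clock() + NONCE_TTL)
        return salt, nonce

    def verify(self, username: str, nonce: bytes, response: bytes) -> bool:
        # pop() makes the nonce single-use: a replayed response finds nothing.
        entry = self._pending.pop(nonce, None)
        if entry is None or username not in self._users:
            return False
        owner, expiry = entry
        if owner != username or self._clock() > expiry:
            return False
        _, key = self._users[username]
        return hmac.compare_digest(respond(key, nonce, username), response)


def client_login(server: AuthServer, username: str, password: str):
    """Run one exchange; returns what an eavesdropper would see plus the result."""
    salt, nonce = server.challenge(username)
    response = respond(derive_key(password, salt), nonce, username)
    return nonce, response, server.verify(username, nonce, response)


if __name__ == "__main__":
    srv = AuthServer()
    srv.enroll("alice", "correct horse")            # constructed sample account
    nonce, resp, ok = client_login(srv, "alice", "correct horse")
    print("login accepted:", ok)
    print("replay accepted:", srv.verify("alice", nonce, resp))
```

The server in this sketch still stores a password-derived key that is enough to log in if stolen; the PKI login the comment mentions avoids holding such a secret, because the server keeps only public keys.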

CzernoDecember 29, 2014 6:50 AM

A discussion of the new "patriot act a la française". In French, sorry: try Google translate. Frightening!

RichDecember 29, 2014 8:11 AM

says the Sony Pix hack was not North Korea but a group of 6, one of whom is a Sony IT layoffee.

GrauhutDecember 29, 2014 10:39 AM

@Benni: "After a large German provider (probably Deutsche Telekom) fixed their system, the SS7 location requests dropped by 80% in Germany"

Would be nice to see the drop logs! :D

Anon LurkettDecember 29, 2014 4:00 PM

Looks like the Bluffdale facility went live last week.

Feed from Phx. DNS server tables subverted and slowing to a crawl.

GrauhutDecember 30, 2014 3:13 AM

31c3: Badbios howto :)

Attacks on UEFI security, inspired by Darth Venamis's misery and Speed Racer

Thunderstrike: EFI bootkits for Apple MacBooks

ThothDecember 30, 2014 3:19 AM

@Nick P
Extracted from the Acknowledgements page of CRYPTOL manual:

"funded by, and lots of design input was provided by the team at the NSA’s Trusted Systems Research Group"

Hmmmm... NSA contributed to CRYPTOL? That sounds very very interesting.

Nick PDecember 30, 2014 10:56 AM

@ Thoth

NSA funds a decent bit of work by contractors that sometimes benefits the general public. The CRYPTOL software was developed by Galois, an *awesome* company of bright people. They were funded by NSA and others. They used CRYPTOL internally for some projects. Then, seeing it wasn't critical to their business model, they generously released it to the public.

In the past, a lot of the best work was funded by the military. They and defense contractors invented INFOSEC, actually. The Orange Book, the TCB concept, and so on we owe to them. NSA IAD sometimes funds good work: CRYPTOL; Rockwell Collins' SHADE toolkit. The goal in each case is to come up with secure solutions for defense sector and sometimes public sector.

While they burn our online dwellings to the ground, they're still trying to build castles for themselves to feel safe in. ;)

PasswordSafeQuestionDecember 30, 2014 3:26 PM

I am using version 3.27. I see that version 3.35 is now posted (MajorGeeks for one). Is there any reason to change (maybe the latest is the 3 letter agency back-doored version? grin ).

ThothDecember 30, 2014 8:21 PM

@Nick P
How ironic that their attempts to reduce us to ashes and to make themselves feel like kings in iron walled castles actually reverse the tide and allowed us to propagate assurance technologies. Not saying I don't appreciate those efforts but it's kind of ironic in a sense.

Nick PDecember 30, 2014 9:49 PM

@ Thoth

A delightful irony. I've often posted here that NSA has a case of multiple personality disorder with their dual mission. True for the government in general. Works for me, though.

Btw, check your inbox as I sent you a nice paper about the INFOSEC implications of giraffes. A must read.

Clive RobinsonDecember 30, 2014 10:50 PM

Aghh... the subject of Castles...

Castles for all their grandeur are originally fortified defences, however as such they are only at best a temporary respite from minor attackers.

They can quickly and easily become prisons when those outside decide to make them so.

And history shows that those inside a castle when let out of their prison rarely keep their word, so perhaps to keep the peace their castles should not become prisons but mausoleums instead...

From an outside perspective Fort Meade is already well on the way, with the king rats scuttling away down the sewers to make nests anew in pastures new...

WaelDecember 30, 2014 11:45 PM

@Clive Robinson,

Aghh... the subject of Castles...
You say "Aghh", I say "Yumm"... Hmmm... You prefer "Cathedral and Bazaar", or "Fortress and Bastion"? You know how to get my attention :)

however as such they are only at best a temporary respite from minor attackers.
Temporary may be sufficient. If the pyramids are categorized as a form of castles to protect "assets" (dead assets), then they succeeded temporarily; a few thousand years. In information security world a castle may have a viable defense lifetime of a few hours or less. When the defenses are weakened, the castle may metamorphose into a different structure with a new TTL (Time To Live) before an attack is statistically successful. When a castle is transformed into a prison in a siege situation, then the design of the castle was flawed! It needs to act as a "Diode" when needed. Tunnels (VPN or otherwise), other structures around the castle (Network zones, Firewalls,..) are part and parcel of the overall design. Castles are a component in a way, a model in another. Fort Meade is not a castle, as far as I know. Rats would model what? Whistle blowers? The sewer is the biased media, I guess :)

Nick PDecember 31, 2014 12:34 AM

@ Wael, Clive

Why did I even use that word here lol...? Well, I shouldn't be too concerned: the philosophy I espoused has been moved to hardware-software over time and is winning if you look at recent projects' assurance claims. Clive's "prison" model isn't working so well because the compromise of systems typically leads attackers to dominate them. Not to mention multitudes of mini CPU's aren't cost effective even today. The SAFE, CHERI, and so on projects take up what he called the Castle methodology. They've been shown resistant to numerous issues with plenty of flexibility, performance, and cost advantages. So far, the "Castles" are standing and being extended with modern amenities.

Good to know I at least partially bet in the right direction. :)

@ Wael

I'm sure you'll enjoy that I spent my free time past day or two playing a game where I was forced to specialize between two classes. The one I chose was "Bastion." Although common in INFOSEC circles, I probably haven't seen that in a heading in around a year. Then, after putting much energy into a Bastion, you coincidentally pop up with that. Ain't* that funny?

* Oh hell here come the grammar police!

WaelDecember 31, 2014 1:14 AM

@Nick P, @Clive Robinson,

I left off by saying Castles and Prisons are complementary and facilitate different mechanisms or models of protection, at the high level.

Then, after putting much energy into a Bastion, you coincidentally pop up with that. Ain't* that funny?
Yes, of course! As "funny" as Avocados and other "interesting coincidences" are ;) BTW, "ain't" is now acceptable proper English, so said my English professor many moons ago. And I had a lot of respect for him. He specialized in word origins -- something I have interest in. He taught me the origins of the word "disaster". He said: long time ago, people believed in astrology (Aster). When the stars were misaligned (diss), then it was a "disaster". Hopefully there is no matching coincidence with me bringing this up ;)

Clive RobinsonDecember 31, 2014 1:55 AM

@ Wael,

Perhaps you can ask the Prof about the word I find most irritating "init" it appears to have no meaning that is either fixed or comprehensible, but like a guttural clearing of the throat appears to have become a fixture in the likes of "Estuary Essex" and "Sarf L'non" vocabularies, and like pustulent boils appears to be spreading unchecked by what would have been "Ouff" culture of a decade or so ago that gave us the parody of "talk to the hand" becoming norm-speak.

As for "the rats" leaving Fort Med(iocrity) think not of the persecuted whistleblowers but those who have decided they are worth at least a million a month to undo the mess they created but only for a select few...

WaelDecember 31, 2014 2:35 AM

@Clive Robinson,

I would believe my prof is not alive. He was over 50 in the early eighties. He's likely "pushing up daisies" as you would say on your side of the pond. So I am left with speculations: I take it "Sarf L'non" is slang for South London. And I would also think "init" is a contraction of "isn't it". Funny that the word "sarf" means "grammar" in Arabic. To be more precise, it means the rules of deriving a word from the root, it's often translated as "morphology".

Gerard van VoorenDecember 31, 2014 2:46 AM

Talking about language and "language purists" aka "language cops".

My native language, Dutch, is full of shite. It stinks. And each time that "they" come up with the latest print saying "this is the new Dutch" they make it worse, while saying they simplified it (not). For the Dutch speaking people over here, a clear example is the "tussen n". They said it shouldn't be used except in a dozen or so exceptions... The "nationaal dictee" is also a clear example of how ridiculously wrong our language actually is.

The problem is quite simple. The guys working on the new print are language purists or better said language fetishists. You can't depend on them to make drastic changes to the language so that it would really improve. They love it too much. With only adding 2 words (klein and toen) to the vocabulary the language Dutch would really simplify, making countless tricky things obsolete and scrapping thousands of words that were made "to satisfy the compiler" so to speak.

But the professors that write the latest print of what the Dutch language should look like just can't do that. You need a guy such as Isaac Newton to do that kind of thing. A guy who has no ties with language but who makes experiments and looks at the issue in a scientific way.

So speaking of "language cops" I just think they have learned too much and forgot to think what the essence of language actually is.

WaelDecember 31, 2014 3:37 AM

@Gerard van Vooren,

I once was walking in a tourist area and heard two people speak. The language sounded very different and had sounds like Arabic and German. I couldn't guess what it was, so I asked my friend what language do you think that is? He didn't know either, so I asked them. They said "Dutch". I have a colleague who's Dutch and I ask him every now and then how do you say such and such in Dutch... The most difficult language I found was Swedish, especially the vowels. It took me six months to properly pronounce the word "seven" (it's easier to pronounce in Stockholm, sounds like "shoe".) The funny thing is that it contains all the sounds in English, but it ends with a sound that English never ends in; it's the vowel in "church". That's how "seven" ends in Swedish, although you'd think it ends with an "L". Try This Swedish tongue-twister... I once missed a train to Stockholm from Malmö because I misheard the time (the seven got me). Japanese grammar was very different than other languages I have seen. As for languages changing, don't feel sad, it's global: Germany officially lost its longest word: "Rindfleischetikettierungsüberwachungsaufgabenübertragungsgesetz" -- try pronouncing that! A while back I also heard Germany is getting rid of the "ß" letter (equivalent to a double 's') but I don't know how that ended. In short, all languages are changing one way or another -- they have to! Who should be in charge? I think a team of linguists and domain experts in the fields requiring the changes. Language and culture are tightly coupled; lose the language and you lose the culture...

Clive RobinsonDecember 31, 2014 5:25 AM

@ Wael,

Oh no, does this mean the Germans have repealed their Beef Flesh labeling law?

Mind you it was pointed out to me a few years ago by a very nice German young lady from Bochum, that in reality the longest German word was like infinity because unlike many languages a German number does not have spaces in it when written as the individual words become concatenated into a single word...

Oddly as you mentioned Swedish we were in Sweden at the time...

So Steffi if you are reading this "hi".

Dirk PraetDecember 31, 2014 5:46 AM

@ Gerard van Vooren

For the Dutch speaking people over here, a clear example is the "tussen n". They said it shouldn't be used except in a dozen or so exceptions...

I beg to differ. The current rules for use of the so-called 'tussen-n', although a bit complicated, were at least an improvement as compared to the situation before when there were no rules whatsoever and you basically had to make an educated guess, which especially for non-native speakers learning Dutch was nothing short of a nightmare. Then again, you do have a point that they are changing spelling stuff way too often, to the point that you can almost guess someone's age from his writing.

@ Wael

The language sounded very different and had sounds like Arabic and German

From what you describe, it might also have been some Flemish dialect instead of standard Dutch as spoken in the Netherlands. In Flanders, the northern region of Belgium, Dutch is the official language as well, albeit that hardly anyone (except on radio and TV) speaks the standard Dutch. Flemish dialects differ in that they share a common grammar and vocabulary with Dutch but that the pronunciation is so different that Dutch people (from The Netherlands) can hardly understand them. Which is also a huge problem for anyone learning Dutch in Flanders as what they learn in school will still not make them understand the local shopkeeper where they are getting their groceries.

Funny that the word "sarf" means "grammar" in Arabic.

One thing in Flemish that always baffles newcomers from Arabic descent (or was it Berber?) over here is when they are being greeted with "Dag Meneer" (Hello Sir), which apparently sounds to them as "Dach Mounir", translating to "Mounir has fainted".

Gerard van VoorenDecember 31, 2014 6:39 AM

@ Dirk Praet

I think @Wael refers to the Dutch "harde G" that also exists in Jewish and Arabic language.

WaelDecember 31, 2014 11:08 AM

@Dirk Praet,

"Dag Meneer" (Hello Sir), which apparently sounds to them as "Dach Mounir", translating to "Mounir has fainted".
It translates to literally: Dizzy became Mounir. So it means: Mounir became dizzy. "Mounir" means enlightened or a source of light -- either photons or knowledge.

Arabic descent (or was it Berber?)
Arabic would be the language. The descent doesn't matter.

@Gerard van Vooren,
I think @Wael refers to the Dutch "harde G" that also exist in Jewish and Arabic language.

You are both correct from the example @Dirk Praet gave. I would think the language is called "Hebrew", though; one of the three known Semitic languages that share some roots: Arabic, Aramaic, and Hebrew. And the letter in reference sounds like this: It's the letter at the top left corner.

Dirk PraetDecember 31, 2014 11:46 AM

@ Wael

Then that would indeed be the hard G @Gerard van Vooren is talking about. Common for Dutch and Frisian as spoken in the Netherlands and as also pronounced in one Flemish province (West Flanders).

WaelDecember 31, 2014 2:50 PM

@Clive Robinson,

Oddly as you mentioned Swedish we were in Sweden at the time...
Wait a second! You were in Sweden when I mentioned the word? You and @Nick P are either pulling my leg, or I have some sort of Extrasensory perception. Makes me feel like saying what a rush!

BoppingAroundDecember 31, 2014 4:51 PM


Happy New Year, folks. May we finally find some peace and strength against those who wish us doom.

Clive RobinsonDecember 31, 2014 5:36 PM

@ Wael,

No, Steffi and I were in Gamla Stan (Stockholm old town) at the time of the conversation, which was some years ago. A further coincidence is that our walk took us past the St George and the Dragon bronze statue there which if you read the top of this page it mentions St George and the dragon as part of the mummers play.

If my memory serves me well the statue has a plaque that gives the origin of the St George and the Dragon story as coming from the middle east via what is Turkey. It's a fairly major tourist attraction so there is bound to be a picture or two of it on the internet. Perhaps less well known was another bronze statue we saw opposite the Royal Opera house which is of a workman having half climbed out of a manhole in the street, I don't know if it has artistic merit or not but it made us smile, which is more than can be said of most street bronzes that are mainly of people long dead who few actually know why they were commemorated.

Speaking of the long dead being commemorated and hitting eleven on the "that's odd-o-meter", much to my surprise the son (Thomas) of one of my distant ancestors, whose own son (Fredrik) is virtually unknown in the UK, but his ennobled name A.F.Chapman and face pop up all over Stockholm including a large white sailing ship also named after him which is now a youth hostel. His fame and title came about because he designed the Swedish Navy ships which made Sweden a major European power of the time... it's an odd thing to discover when on a university course abroad but hey these odd things do happen...

ThothJanuary 1, 2015 1:39 AM

FBI's action is as good as kind of direct insult to the Court's and the Constitution's face. Might as well those agencies take over the Court, form their own Government (just like some Southeast Asian states) and take up a totalitarian regime and pretty much end of story. No need for all the formalities and hypocrisies.

This is where the people must take their own responsibilities to protect themselves as much as possible within their means.

Wesley ParishJanuary 7, 2015 5:32 PM

@Bob S. @ Clive
Re: Drone Defensive Measures (DDM)

Speaking of spark generators, I was wondering, what the frequency range of an average spark gap generator would be? and what the average frequency range of the control systems of our target, the ubiquitous and iniquitous drone, might be?

I was also thinking, the spark generator is omnidirectional as far as I know: however, it should be possible to direct that radiation using a horn antenna. (I did think of using a yagi, but that'd only direct about ten percent of the radiation, and leave the rest to interfere.)

So what do you think? A spark generator (spark plug) inside a horn antenna? At what wattage?

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.