Friday Squid Blogging: "Squid Jiggin' Ground"

Classic song written by Arthur Scammell and performed by Hank Snow.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on January 16, 2015 at 4:44 PM • 114 Comments

Comments

News Reader • January 16, 2015 5:08 PM

Re banning encryption. The latest NSA leaks from the Guardian state:

"The memo requested a renewal of the legal warrant allowing GCHQ to “modify” commercial software in violation of licensing agreements. The document cites examples of software the agency had hacked, including commonly used software to run web forums, and website administration tools. Such software are widely used by companies and individuals around the world."

It appears that they've looked for vulnerabilities in Kaspersky:

"GCHQ had also been working to “exploit” the anti-virus software Kaspersky, the document said. The report contained no information on the nature of the vulnerabilities found by the agency."

Source

Vincent • January 16, 2015 5:19 PM

There's a story in the New York Times about a new site called Hacker's List where people can hire hackers for things like stealing client lists from the databases of competitors and helping jealous partners breaking into their boyfriend's Facebook accounts. My comments are here.

SoWhatDidYouExpect • January 16, 2015 5:45 PM

@Vincent:

So, how do you pay those hackers? By bitcoin, credit card, untrackable transaction...oh, sorry, the 3 letter agencies have all of this data, they can and ultimately will find you. At least that is what they want you to think.

But really, how do you pay these guys without getting caught (you or them)?

paranoia destroys ya • January 16, 2015 6:23 PM

Almost 20,000 French websites were hacked this week including small sites such as a Paris Pizza parlor.
It may not be related, but GoDaddy hasn't updated the web content management system software Joomla from version 2.5, which stopped being supported last month.

MrFox • January 16, 2015 7:16 PM

TSA new year's miracle:

I was travelling by plane on January 1st. I never thought I'd say this, but - the TSA checkpoint was actually a pleasant experience!

None of the usual crap - everyone could leave their shoes on and laptops in their bags. They used magnetometers instead of the porn-scanners, no pat-downs. They basically reverted to pre-9/11 security, and it took all of 30 seconds to go through security. (This was at IAH).

Is the TSA experimenting with less insane security procedures? Or was this a fluke? Has anyone else seen this?

To be sure, the miracle didn't last long - other flights (different airports), less than a week later, it was back to the good old security theater...

Nick P • January 16, 2015 7:23 PM

@Sancho_P

"Arrested for using secure e-mail."

Lies! There is no such thing as secure e-mail.

Jonathan Wilson • January 16, 2015 7:33 PM

http://www.washingtonpost.com/investigations/holder-ends-seized-asset-sharing-process-that-split-billions-with-local-state-police/2015/01/16/0e7ca058-99d4-11e4-bcfb-059ec7a93ddc_story.html
The feds have just closed a loophole that allowed state and local police agencies to use federal asset forfeiture laws to seize (and retain) cash, cars and other assets even without proof of a crime.

There are some limited exemptions but nothing that will give the police a way to keep doing the crap they are doing now (unless state laws exist that let them do the seizure at the state level but many states have laws that make it harder to seize assets from those not charged/convicted of a crime which is why state agencies were using the federal loopholes to do it)

Wael • January 16, 2015 7:34 PM

@MrFox,

The randomizer chose to let you go through the TSA PreCheck line. You can register here: http://www.tsa.gov/tsa-precheck

I like the free massage, though ;) last time I whipped out a small bottle of oil and asked him if I can use it for the massage. The guy started laughing :) Another time I was asked if I prefer private screening. I said is it better inside and gave him a wink :) lol!

Daniel • January 16, 2015 8:04 PM

@Alan S.

Another good find by you! I thought that analysis of Wittes was excellent up until the end. Where he goes astray is when he writes, "When everyone’s responsible, then nobody is." That is only true, however, if one denies an efficacy to collective guilt. The denial of collective guilt and its converse--the insistence on individual responsibility--rests deep in the American psyche but Wittes’ insistence on it is strange in two regards.

First, societies are conceived first and foremost as group endeavors--they allow people to engage in activities that they would not be able to accomplish as individuals. One would think that if people group together for benefits they should also be held accountable as a group for losses as well. Americans are strange in that in some contexts they argue for socializing losses and individuating gains (capitalism) and yet in other contexts they argue for the socializing benefits and individuating losses (Presidential power).

Second, there has been a steady erosion in the notion of individual accountability and a more wide-ranging acceptance of collective guilt in American life. One sees this most clearly in the criminal justice context 8 U.S. Code § 3553 where a person's life experience is often used as mitigating evidence at sentencing. We really do give people a break because they grew up in a bad neighborhood. We also see the discourse of collective guilt in discussion of race and sex and "white male privilege". Americans are not nearly as uncomfortable with the notion of collective guilt as Wittes assumes.

Hamilton was a Burkean conservative and the notion of collective guilt would have been anathema to him. I'd argue, however, that not only does individual responsibility rarely make sense but that America doesn't even believe in it much--the trend is in the other direction. When everyone is responsible, everyone is accountable.

Thoth • January 16, 2015 8:09 PM

@Re: Arrested for using "secure" email
As Nick P pointed out, it's hard to consider mails on someone's servers as secure and also if you host your own email service on someone's servers it's still insecure anyway.

One thing is we don't know if any of those who use RiseUp emails have used any form of pseudo-anonymity tools to mask their traffic to RiseUp. If they didn't, that's plain bad. If they did, that's even worse .... the Spanish spies may have a hand or have aid from NSA to peek into TOR.

What can be done for setting up a "secure" email server? My suggestion (and opinion) is to run your email server and have a Retroshare installed on the email server (a unique account) and another Retroshare (yet another unique account) on your home server. Emails sent to the email server would have a script to dump it whole into Retroshare made to sync with your Retroshare on the home server and then pipes it out over the Retroshare pseudo-anonymous network into your email folder and the email in the email server is then wiped. Of course running the email servers in hostile nations (in perspective of privacy and security) would also be a huge taboo. This way you only need to access your home network to pick up your routed and piped email which may bypass the hassle of accessing "highly criminalized" services like RiseUp. Oh and you can set up your device tamper protection mechanisms on your home server as well.

This is not the best idea since it's going to take a huge fuss and it needs domain experts' help to set up the system properly.

Looking at how global Government Tyranny is spreading, the only road to a much more plausibly deniable protocol would be a practical version of the Clive Robinson's fleet broadcast. Maybe those interested in making the Clive Robinson's fleet broadcast protocol could dump some ideas on how the practical version should work.

Should we assume the users are running off stock machines with probably not so high assurance OSes (at least BSDs and Qubes) to start off with threat modelling first?

Abstract Threat Modelling for the Robinson Fleet Broadcast Protocol (RFBP - Unless Clive does not want his name in it which could be changed):
- Traffic Analysis of Datagram packages / Message privacy and integrity
- Flow detection of source and origin points
- Fail Over and Critical Mass network nodes control protection

More thoughts would be added later.

@ • January 16, 2015 8:28 PM

A new free program has launched called "Peerio" which doubles as an encrypted file storage/sharing service and a platform for e-mail/IM communication. It's being talked about as being at least as secure as GPG mail, but by contrast very user-friendly. I haven't seen too many actual technical details even though it was audited already by a firm in Germany.

http://www.wired.com/2015/01/peerio-free-encryption-app/

http://www.tomshardware.com/news/peerio-easy-end-to-end-email,28392.html

MrFox • January 16, 2015 8:43 PM

@Wael,

Nope, no randomizer and no TSA-pre - That was the amazing thing, *nobody* at that checkpoint had to deal with porn-scanners and, uhm, massages, or any of the other niceties of modern air travel. Absolutely no lines as a result.

I did come off an international flight, so maybe they scaled back screening of passengers that were already screened anyway? (even that would be a remarkable step forward!) As far as I can tell, though, there was nothing special about this checkpoint and it was accessible for everyone travelling through that terminal.

Buck • January 16, 2015 9:53 PM

@SoWhatDidYouExpect

> But really, how do you pay these guys without getting caught (you or them)?

Hint: (you don't) it's a honeypot. The feds can take your money, then charge you with a crime, and then take the rest of your assets if you have any left at that point... If someone's feeling really ambitious, they can set up a patsy go-between and actually collect on the spoils of your 'conspiracy' to commit criminal hacking too! ;-)

Buck • January 16, 2015 10:05 PM

@paranoia destroys ya

> Almost 20,000 French websites were hacked this week including small sites such as a Paris Pizza parlor.

I don't know what to make of the media's take on this yet, but if I had to guess, it's a PR tactic... The technical details are sparse, but if the main headliners (FRANCE SEES 19,000 CYBERATTACKS SINCE TERROR RAMPAGE) are to be believed, then I've still yet to see any reason why this (minor DOS?) is a hacking attempt, and not some mis-configured default network service...

Nick P • January 16, 2015 10:30 PM

That wasn't me. I'm guessing payback from Wael. Least it's true in the general case. There have been multiple secure email methods, though. It's one of the earlier applications of both high assurance (eg mail guards w/ seamless crypto) and cypherpunk efforts (i.e. PGP/GPG).

Buck • January 16, 2015 10:40 PM

@MrFox

> Nope, no randomizer and no TSA-pre - That was the amazing thing, *nobody* at that checkpoint had to deal with porn-scanners and, uhm, massages, or any of the other niceties of modern air travel. Absolutely no lines as a result.

I think I'm with Wael here when I say, it sounds to me like some targeted advertisement... Frequent flyer, flying on an under-booked flight..? Maybe you're not on any watchlists..? Great! So are all your fellow passengers!! Wouldn't you like to pay a little bit extra to get this treatment every time!?

Nick P • January 17, 2015 12:32 AM

re Peerio

Always good to see new developments. Yet, it being an app from Nadim bothers me due to an event deleted from Internet history: his "evisceration" by Canadian intelligence services, hackers, and whoever else. He was paranoid, seemed to barely make it through the process, deleted his long blog post, and asked people not to talk about it. Post-Snowden, it's hard not to talk about something like that if the person is supplying crypto. So my usual disclaimer applies: assume Canadian intelligence and Five Eyes might have access to his stuff. Past that, it might be usable and secure against a variety of threats. Only evaluation *and trusted distribution* will tell. ;)

Alex • January 17, 2015 12:43 AM

A nice Security Feeds list:

Schneier on Security
Ars Technica
WIRED
The Akamai Blog
Naked Security
The Hacker News
Krebs on Security
Liquidmatrix Security Digest
The State of Security
F-Secure Antivirus Research Weblog
Darknet - The Darkside
Graham Cluley

You can import the .opml file in a Feedly account, the full content here:

http://pastebin.com/EfzD8R5J

(create locally a new file named "security.opml", paste the content from pastebin.com in it, import that file in feedly, profit)

Wael • January 17, 2015 1:07 AM

@Nick P,

> That wasn't me. I'm guessing payback from Wael. Least it's true in the general case.

No, Nick P. It wasn't me. This isn't my style, you should know me better by now! And payback for what?

Jean Meslier • January 17, 2015 4:21 AM

@SoWhatDidYouExpect
@Buck

> There's a story in the New York Times about a new site called Hacker's List where people can hire hackers for things like stealing client lists from the databases of competitors and helping jealous partners breaking into their boyfriend's Facebook accounts. My comments are here.

I must say... my initial reaction is "Why would the feds care?" Everyone knows the feds hate anyone who's tech-savvy or otherwise threatening. But the people using this website are no threat whatsoever. Besides, spying on ex-girlfriends is right up in the NSA's wheelhouse. The kind of cheap entrapment you're suggesting is more typical of local cops, but I don't see them being tech-savvy enough to set this up.

Ryan • January 17, 2015 5:54 AM

@SoWhatDidYouExpect

There's a thing called "cash." It allows you to make anonymous payments, with the only limitation that it has to be physically transported.

Clive Robinson • January 17, 2015 6:41 AM

@ Ryan,

> "cash." It allows you to make anonymous payments

Only in limited practice, not in theory, unless you are talking coins.

Each note carries a serial number that is --supposedly-- unique which makes it traceable through finance, retail and other organisations if the authorities wish to make it so.

It has been indicated by industry insiders that various countries interested in "plastic notes" have also expressed an interest in embedded RFID like electronics...

So it may not be long before cash becomes traceable to quite a fine level...

Oh and the real reason will not be terrorism or serious crime, which will probably be the reasons given publicly, but petty tax avoidance, where rights stripping and proceeds of crime legislation will be used very profitably to take all other assets via fines or fees.

BoppingAround • January 17, 2015 9:55 AM

say something,

> Verizon, which in 2008 insisted that consumer privacy protections weren't necessary because public shame would keep them honest
> because public shame would keep them honest

Companies are not people. They don't have any shame.

Nick P,
That makes it even better: arrested for using something allegedly secure.

Thoth,
Remind me what that fleet broadcast method is about please. I would rather nag search engines for that but my connection seems to be shaky today.

Buck, MrFox,
[Paranoia] Or maybe they have finally mastered the data they have been acquiring for so long to determine the passengers were not worth any special attention.

Sancho_P • January 17, 2015 10:35 AM

Ben Wittes wrote a response to @Bruce Schneier at LAWFARE:
http://www.lawfareblog.com/2015/01/a-response-to-bruce-schneier-and-a-cautious-defense-of-energy-in-the-executive/

“Consider a much scarier one: President Obama has the authority to launch, say, a preemptive nuclear strike on Moscow—on his own, without judicial review, and without congressional involvement. The only real check on the exercise of this authority is the willingness of the military to carry out the order, and don’t bet that it wouldn’t be done. Given that Russia would respond with a nuclear attack against us, this is effectively an unreviewable power to destroy much of the world. It’s a completely terrifying power to vest in a single man.

And to my mind, at least, there’s only one thing scarier than a presidency that has it: a president that doesn’t have it.”

The scariest thing here is Ben Wittes’ simplistic approach to the idea of authority.
He’s right in pointing out that a strong executive is mandatory.
But he’s wrong that Bruce’s “Accountability as a Security System” is in contrast to that principle.

Sadly Wittes’ article goes on and on to broaden the error, ignoring that we do not live in the world of 1800.

Hamilton isn’t wrong, on the contrary.
However, George Washington, even on his “strongest” day, couldn’t have destroyed the whole world within hours because of one single irrevocable failure.

Only technicians may realize the term “single failure” in its full weight and the context of modern technology.
It is not the risky point that, for dozens of reasons, a single human may fail; the real challenge is the whole chain of input and output.

Because the consequences of single failure are so extreme today in contrast to “the good old times” we would really need politicians and lawyers to wake up and say:
“Hello to 8 billion human beings on this single nutshell called our world.”

When Obama wants to know what Putin is talking about he should simply ask him!

Ben Wittes wrote: ”When everyone’s responsible, then nobody is.”
That’s no contrast to today’s ‘When the President is responsible, then nobody is accountable’.

But innocent people all over the world die and no one can stop that.

Midas • January 17, 2015 10:42 AM

@Clive Robinson
Bills already have RFIDs. This goes for euros, dollars and pounds. They don't need to be plastic, RFIDs fit fine in paper money. Hitachi makes most of them (I'd imagine they're making a fortune through secret contracts with the ECB, Bank of England, etc.). Want to test it for yourself? Stick a bunch of bills/notes (same value) in the microwave for approx 30 secs until a little spark comes out. Stop the microwave straight away and inspect the tiny square hole burnt in the same place. That's where your RFID was. NB: it's not the metallic band (the metallic band should be immune to microwaves).

Sancho_P • January 17, 2015 10:50 AM

@ Sally Shears

I can’t read that because it tears me apart.
Seriously, where are we today?

CallMeLateForSupper • January 17, 2015 10:55 AM

I don't get it. Christopher Lee Cornell, a 20 year-old Ohio man, has been arrested and charged with (emphasis mine) "ATTEMPTING to kill officers and employees of the United States".
http://www.justice.gov/sites/default/files/opa/press-releases/attachments/2015/01/15/cornell_complaint.pdf

While Cornell allegedly did *discuss*, both online and in person, using pipe bombs and firearms to kill in Washington D.C., he never set foot in D.C. No bomb was planted nor detonated. No shot was fired. So where is the "attempt"? I don't see it. *Intent*, yes. Conspiracy? Possibly. But I would argue that there is a lot of light between "intent" and "attempt".

I intend to raze my garage. I have a plan but I haven't acted on it. So have I nonetheless attempted to knock down my garage? I say no.

sena kavote • January 17, 2015 11:37 AM

Compatibility layer used for defensive obfuscation against buffer overflow attacks

This is not specifically about FreeBSD, it is just used as an example.

Please tell whether this is a good idea for defensive obfuscation.

FreeBSD has Linux compatibility layer software that allows using Linux software binaries on FreeBSD. It converts Linux system calls to FreeBSD system calls. I imagine that as with translating languages, the conversion is not always a simple replace, but with the system calls that have a simple straightforward replace conversion from Linux to FreeBSD and vice versa, we could do this obfuscation:

Have a program that searches a Linux binary for system calls, and replaces them consistently with something else. For example, have a random string of bits T, that is XORed with the system call codes to produce new obfuscated codes. Then convert the Linux compatibility layer software to understand those codes, in this example by XORing its codes with the same random string T.

Then, an attacker trying a buffer overflow attack could not use system calls even within a FreeBSD jail.

In Linux itself, I guess Linux soon needs to have massive use of a Linux compatibility layer within Linux to have a legacy mode so that old binaries can work with new formats of the kernel. I think at least 32 bit time codes need to be converted to 64 bit (which OpenBSD has already done).
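Here is an added example, written for this thread and not part of sena kavote's comment or of FreeBSD's own compatibility layer, that simulates the scheme in Go: every syscall number in a toy binary is XORed with a random key T, and a translator standing in for the rebuilt compatibility layer undoes the XOR before mapping the Linux number to a FreeBSD number. The syscall numbers and the translation table are an illustrative subset constructed for the example, not the real tables.

```go
package main

import (
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Illustrative syscall numbers (assumption: a small subset of the x86-64 Linux
// and FreeBSD tables, constructed for this example; the real tables are larger).
const (
	LinuxRead  uint32 = 0
	LinuxWrite uint32 = 1
	LinuxExit  uint32 = 60
)

// LinuxToFreeBSD models the compat layer's one-to-one mappings. Calls that need
// argument rewriting are left out, as the comment itself suggests.
var LinuxToFreeBSD = map[uint32]uint32{
	LinuxRead:  3, // SYS_read
	LinuxWrite: 4, // SYS_write
	LinuxExit:  1, // SYS_exit
}

var ErrUnknownSyscall = errors.New("compat layer: syscall number not in translation table")

// SyscallSite is one place in the toy binary where a syscall number is loaded.
type SyscallSite struct {
	Nr uint32
}

// NewKey draws the random string T from the OS CSPRNG.
func NewKey() (uint32, error) {
	var b [4]byte
	if _, err := rand.Read(b[:]); err != nil {
		return 0, err
	}
	return binary.LittleEndian.Uint32(b[:]), nil
}

// Obfuscate rewrites every syscall number in the binary as nr XOR key.
// Applying it twice with the same key restores the original.
func Obfuscate(bin []SyscallSite, key uint32) []SyscallSite {
	out := make([]SyscallSite, len(bin))
	for i, s := range bin {
		out[i] = SyscallSite{Nr: s.Nr ^ key}
	}
	return out
}

// Translator stands in for the Linux compatibility layer rebuilt for one key:
// it undoes the XOR, then maps the Linux number to a FreeBSD number.
type Translator struct {
	Key uint32
}

// Translate rejects any number that does not decode to a known Linux call.
func (t Translator) Translate(nr uint32) (uint32, error) {
	linuxNr := nr ^ t.Key
	bsdNr, ok := LinuxToFreeBSD[linuxNr]
	if !ok {
		return 0, ErrUnknownSyscall
	}
	return bsdNr, nil
}

// Run feeds each syscall site through the translator and returns the FreeBSD
// numbers that would be reached, stopping at the first number the layer rejects.
func Run(bin []SyscallSite, t Translator) ([]uint32, error) {
	var reached []uint32
	for _, s := range bin {
		bsdNr, err := t.Translate(s.Nr)
		if err != nil {
			return reached, fmt.Errorf("site %#x: %w", s.Nr, err)
		}
		reached = append(reached, bsdNr)
	}
	return reached, nil
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	legit := []SyscallSite{{Nr: LinuxRead}, {Nr: LinuxWrite}, {Nr: LinuxExit}}
	layer := Translator{Key: key}

	// The rebuilt binary still reaches read, write and exit under the matching layer.
	fmt.Println(Run(Obfuscate(legit, key), layer))

	// Code that reaches the layer with the stock Linux numbers is rejected, unless
	// a number happens to collide with a valid obfuscated one (see the note below).
	fmt.Println(Run(legit, layer))
}
```

Two caveats the simulation makes concrete. First, T only has to survive inside the rebuilt compat layer and the rewritten binary, so anyone who can read both, or diff the rewritten binary against the upstream one, recovers T with a single XOR; the scheme raises the cost of a blind attack but is no substitute for the kernel's own syscall filtering. Second, a key equal to the XOR of two valid numbers aliases one call to another instead of rejecting it, so the key should be checked against the table before use.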

Nick P • January 17, 2015 11:47 AM

@ Wael

"No, Nick P. It wasn't me. This isn't my style, you should know me better by now! And payback for what? "

You sometimes do little one liner rebuttals with a humorous style. You don't do it often enough for me to spot a pattern to be sure it's you. We had just messed with you about posting your [non-working] email address and so I thought you had picked at me in return. Anyway, not you, who knows, and don't really care that much.

Nick P • January 17, 2015 1:19 PM

On second thought, it was probably Thoth. He's been waiting for an opportunity to mess with me.

AlanS • January 17, 2015 1:59 PM

For a critique to the arguments Wittes uses in A Response to Bruce Schneier and a Cautious Defense of Energy in the Executive see: William E. Scheuerman. Rethinking Crisis Government. Paper prepared for delivery at the 2002 Annual Meeting of the American Political Science Association, Boston, August 29-September 1, 2002. This takes apart the Hamiltonian and the 'need for speed' arguments as they are applied in the post 9/11 context.

For a critique of the checks and balances argument in Jack Goldstein's book, which is favorably cited by Wittes, see: Scheuerman, William E. Barack Obama’s War on Terror. SSRN Scholarly Paper. Rochester, NY: Social Science Research Network, September 25, 2012.

Mr.C • January 17, 2015 2:12 PM

@ CallMeLateForSupper

While various jurisdictions have codified slightly different wordings, the general common law rule is that "attempt" crimes consist of intent plus either "dangerous proximity" or a "substantial step" towards actually committing the crime. Since he never even made it to DC, it's pretty clear he didn't achieve "dangerous proximity." But what about taking a "substantial step"? The criminal complaint gets to this around paragraph 8(j) and after. Apparently he (1) researched the target buildings online, (2) researched how to build pipe bombs online, and (3) bought a gun. There is case law to the effect that any one of these things alone is not a "substantial step." In combination? Maybe... I view it as a weak case. To guarantee a conviction, they should have let him travel to DC before busting him. I'm sure they'll get their conviction anyway by shouting "terrorism!" at the top of their lungs.

"Conspiracy" crimes require at least two conspirators (more in some jurisdictions and some circumstances) and, in most jurisdictions, the undercover cops/informants don't count. Since this was just the one defendant plus one undercover informant, it's not a conspiracy.

A deeper mystery is why, given Congress's profound unpopularity, the cops even bothered to stop this guy. [

Mr.C • January 17, 2015 2:13 PM

That last bracket was supposed to say "{ (Just in case anyone was fool enough to take it seriously.)

MrC. • January 17, 2015 2:14 PM

Apparently, I'm the fool. I keep using a left angle bracket...
Supposed to say "[%lt;- joke]"

paranoia destroys ya • January 17, 2015 2:49 PM

Buck: Operator error sounds plausible but other articles state that some websites were defaced with Islamic images and propaganda.
As for the other issue I mentioned, as a part time webmaster I'm having my clients switch service from GoDaddy to one that updates any software they install for me so there is one less thing to worry about.

Rick • January 17, 2015 3:54 PM

Spiegel article on NSA's offensive strategies. Declares/concludes that:

* surveillance is merely "Phase 0" in the overarching plan (although separate and distinct, too)
* thoughts on attack attribution match those of Bruce Schneier's previous comments
* collateral damage to the public is likely heavy in the described offensive scenarios

http://www.spiegel.de/international/world/new-snowden-docs-indicate-scope-of-nsa-preparations-for-cyber-battle-a-1013409.html

My rhetorical rant/thought for the day after reading this article: the *permanent* solutions privacy advocates seek are not technical, I think that they are instead political.

The establishment of an Orwellian nightmare for us all suits the politicians too well for them to relinquish the reins with mere pleas for constitutional protection. Most people with jobs are too distracted with the banal (yet alluring?) trappings of the 1st World's lifestyle-- think of distractions and baubles and meaningless temptations-- to even consider genuine revolution as Thomas Jefferson suggested: "I hold it that a little rebellion now and then is a good thing, and as necessary in the political world as storms in the physical."

Instead, real, meaningful change will not occur until conditions have become truly dystopian and thereafter implode. Even the politicians cannot ignore certain immutable laws governing physics as well as social engineering. We can then pick up the pieces and start anew, hopefully with a well constructed constitution with real teeth for those who attempt to subvert it. Now I'm depressed; I think I need a few cocktails after taking the "red" pill.

Oh, and Thomas Jefferson?... had he lived today and made the same proclamation as I quoted, does anyone doubt that he would be placed under surveillance and listed on the "no fly" list? Maybe even handed over to the TAO.

BoppingAround • January 17, 2015 4:38 PM

I should have clarified myself but my connection died right after I had posted.

"Nick P,
That makes it even better: arrested for using something allegedly secure." means they got arrested for trying to go for secure solutions (even if those aren't secure).

Buck • January 17, 2015 5:22 PM

@paranoia destroys ya

Didn't see any reference to the defacements until today, but I still think it's silly to toss around a number like 19,000 without providing any additional details... Most websites probably experience more attacks than that on a weekly basis. It doesn't really sound all that alarming to me. Kids have been defacing and overloading sites since pretty much the birth of the web. Little effort is necessary :-P

Thoth • January 17, 2015 6:43 PM

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

@BoppingAround
The Broadcast Method is simply a way to do a UDP style Multicast in an area to broadcast a message and someone picks it up and repeats a broadcast again and again. This would make the finding of the source and destination much harder.

@Midas
Wouldn't waving an RFID reader around the notes detect the RFID implants in the cash?

@Nick P

"On second thought, it was probably Thoth. He's been waiting for an opportunity to mess with me."

I am not sure what you are talking about?

Is someone spoofing one of us here? Use digital signatures.

@all
My public key is in the URL.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQEcBAEBAgAGBQJUuwFXAAoJEIiF+ZVvv8Gd+5oIALk4rKdpAaiduG58yqQe71Ps
Aqggwq+ksvCg6fU+AiQoufOFc96pPXM7m/iGMPIBMwopFBmnY4/V+JhU3MfvsxS0
gMqDAy0diruG6fExe0CsXsWJpXFFoSXJb8MK3zD9WrjSUCVmK3EqCw3rkGYTNLxt
c2lLMg6XUE2onSjaqV/3uU+WYWOdkBtz2OFGEUN/K6OM5V2cCw9I7leOIJEMplGz
+tygnGbmrpmXEfgQYhvikKpY0Ow5lDidttGWMuZMjVFiA5L0X+GTTh1o1OfEpXhS
jLORxQbZbJtLAWXe/gktSm5Q94xyvJ0V1z8uIGwk0+prU9f15pnUR3g/ECtX1t0=
=yVQf
-----END PGP SIGNATURE-----
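An added simulation of the repeat-broadcast idea Thoth describes above (this is example code written for this thread, not Clive Robinson's protocol and not anything posted by the commenters): each relay repeats a message the first time it hears it and drops later copies, so every node ends up holding the message but knows only which neighbour it first heard it from. The fleet topology is a constructed six-node ring.

```go
package main

import "fmt"

// Fleet is a constructed set of relays; peers lists, for each node, the nodes
// within earshot of its broadcasts.
type Fleet struct {
	peers map[int][]int
}

// NewFleet builds a fleet from undirected links between node IDs.
func NewFleet(links [][2]int) *Fleet {
	f := &Fleet{peers: map[int][]int{}}
	for _, l := range links {
		f.peers[l[0]] = append(f.peers[l[0]], l[1])
		f.peers[l[1]] = append(f.peers[l[1]], l[0])
	}
	return f
}

// Result is what a flood leaves behind: which relay each node first heard the
// message from, how many copies each node received, and the total transmissions.
type Result struct {
	HeardFrom     map[int]int
	Copies        map[int]int
	Transmissions int
}

type hop struct{ from, to int }

// Broadcast floods one message from origin. Every node, the origin included,
// transmits the message to all its peers exactly once: the first time it has it.
// Later copies are counted but not repeated, which is what stops the flood.
func (f *Fleet) Broadcast(origin int) Result {
	res := Result{HeardFrom: map[int]int{}, Copies: map[int]int{}}
	has := map[int]bool{origin: true}
	var queue []hop
	transmit := func(from int) {
		for _, p := range f.peers[from] {
			res.Transmissions++
			queue = append(queue, hop{from: from, to: p})
		}
	}
	transmit(origin)
	for len(queue) > 0 {
		h := queue[0]
		queue = queue[1:]
		res.Copies[h.to]++
		if has[h.to] {
			continue // a repeat: already held, so not re-broadcast
		}
		has[h.to] = true
		res.HeardFrom[h.to] = h.from
		transmit(h.to)
	}
	return res
}

func main() {
	// Constructed ring: node 0 originates; nodes 2, 3 and 4 never hear node 0 directly.
	ring := NewFleet([][2]int{{0, 1}, {1, 2}, {2, 3}, {3, 4}, {4, 5}, {5, 0}})
	res := ring.Broadcast(0)
	for node := 1; node <= 5; node++ {
		fmt.Printf("node %d first heard the message from node %d (%d copies in all)\n",
			node, res.HeardFrom[node], res.Copies[node])
	}
	fmt.Println("transmissions:", res.Transmissions)
}
```

On the ring the flood costs twelve transmissions (every node repeats once to both neighbours) and every node receives two copies, which shows the trade Thoth's threat list hints at: the origin is hidden from all but its immediate neighbours, but an observer who can see every link still sees the message spread outwards from it, so timing and traffic analysis remain the attacks to model.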

Clive Robinson • January 17, 2015 7:47 PM

@ Daniel,

Oh gawd, Obama and Cameron, doing an "intel two step" just as Bush and Blair did with the "dodgy dossier" and "45 minute, WMD Scare" that gave rise to the Iraq invasion...

Worse, the article quotes that discredited waste of flesh Stewart Baker, making his nonsensical technical pronouncements. I hope that those in need of respectable legal advice give him a wide berth, as he is most definitely a significant part of the problem (he used to be a counsel for the NSA about the time the changing of the meaning of words and other disreputable behaviour started).

Thoth • January 17, 2015 8:02 PM

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

@Clive Robinson, Daniel
What do we expect when Mr.Pres and Her Maj's darling boy are so badly ignorant and their ministers are all poisoned by their greed. I think the Sony hacks did not clearly bring the home message to Obama that security ... absolute security, is utmost ... not half baked backdoor/frontdoor security which reeks of snake oil.

Wonder how long it would take Obama to realize the security directives he is trying to implement directly conflict with his siding with Her Maj's darling boy.

Hopefully their nonsense doesn't spill over world wide and affect others with their infectious nonsense.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQEcBAEBAgAGBQJUuxQaAAoJEIiF+ZVvv8GdK3AIAK4KAnGemQDs0QEMBuR6VOnE
Lzull1MiJY5aRKjoEpU0pzmF9xqYtm8DYpxXiz/0MreLF9rblEpMonHis9AQzAnH
cBdiCXVlnI1RAZ9b/jbGzaAIVqoQx0mO3yW4BepZTPwtmSVwS4+jIVQDQsZHtY6D
ncW5OaBq4U8EZQtRjjYl9zs/MW5LEbo7q8zkjhNstDYUGHf72dhZARUNAortWXka
oNz1a9zdy4s9a8opH6UvLmv7FYojnvVubm2UcXvZB6ifJfxPUHNwo64koNR4wTeK
sA7xDlnEFrLAs9pjcRXpNHfTJYFO8hdD/FytCNAdm3xc9LO33+jdg2ydFTTwr64=
=09qr
-----END PGP SIGNATURE-----

Milo M. • January 17, 2015 8:10 PM

@Sally Shears:

Thanks for the link. A heartfelt essay.

More on the Media Eight:

http://www.slate.com/articles/news_and_politics/jurisprudence/2014/01/representing_the_fbi_media_burglars_in_secret_for_40_years_what_i_learned.html

"In our history, nonviolent civil disobedience has sometimes proved to be prophetic. The 18th-century tea partiers at the nation’s founding also violated basic property and theft laws to protest oppressive and undemocratic taxation. The Underground Railroad’s assistance to escaped slaves was illegal. So were many protest actions of the civil rights movement and of Martin Luther King Jr."

http://www.washingtonpost.com/opinions/review-the-burglary-the-discovery-of-j-edgar-hoovers-secret-fbi-by-betty-medsger/2014/01/23/92221976-7c55-11e3-93c1-0e888170b723_story.html

" . . . five sets of the 14 most explosive memos were mailed by 'Liberty Publications' to two liberal members of Congress and writers at three leading national newspapers. Four of the recipients quickly handed the packages over to the FBI."

http://bulletin.swarthmore.edu/fall-2014-issue-1/spying-swarthmore

Like "The Lives of Others", but without subtitles.

And the last one to come in from the cold:

http://www.thenation.com/article/181878/breaking-43-years-silence-last-fbi-burglar-tells-story-her-years-underground

Buck • January 17, 2015 8:57 PM

RE: The latest from Der Spiegel

> If the infected hosts appear to be within the United States, the relevant information will be forwarded to the FBI Office of Victim Assistance.

FOIA army attack!! I, for one, have never heard a heroic story of the FBI notifying an otherwise helpless victim of having been hacked...

Rosebud • January 17, 2015 9:42 PM

@Rick

Thanks for the link ....

'Intelligence agencies have adopted "plausible deniability" as their guiding principle for Internet operations. To ensure their ability to do so, they seek to make it impossible to trace the author of the attack.'

Anonymous work, a work of art or literature that has an unnamed or unknown creator or author.

Anonymous IV, a 13th-century English student of medieval music theory whose works are a major source for modern scholars of that era.

Anonymous 4, female a cappella quartet, based in New York City.

"Anonymous" (CSI: Crime Scene Investigation), a 2000 episode of the first season of CSI: Crime Scene Investigation

Anonymous (TV series), a 2006 Irish television show fronted by Jason Byrne

"Anonymous" (NCIS: Los Angeles), a 2010 episode of the second season of NCIS: Los Angeles

Anonymous (film), a 2011 film about the identity of the author of William Shakespeare's plays


Nick PJanuary 17, 2015 10:40 PM

@ Thoth

Yeah, someone is spoofing my name. The "Lies!... email" comment and the one that you quoted didn't come from me. I'm just ignoring it as I doubt most regular readers are even going to verify the signature. That's why Mike the Goat and I came up with compact blog signature schemes. Aside from his prototype, they're not implemented yet so (shrugs).

WaelJanuary 18, 2015 12:21 AM

@Nick P, @Thoth, @Mike the goat,

That's why Mike the Goat and I came up with compact blog signature schemes.
It makes sense to show some proof of authenticity in addition to reserving names or handles to guarantee uniqueness. I can also see a counter argument for adding the proposed scheme such as overhead, and the possible loss of "deniability". Ease of use and transparency will be a factor as well. I wonder what @Moderator's view on this subject is!

ThothJanuary 18, 2015 1:40 AM

@Wael, Bruce Schneier, Moderator
I wonder if it is possible to add a function to reserve names for the sake of accountability and integrity of the names being used.

Most users should be able to use any names except the reserved names (for those who have signed up).

The login mechanism could be the use of passwords or a Client cert login via SSL/TLS.

The use of Client SSL/TLS login would require the user to bind a unique name to a certificate and Bruce gotta run a CA.

FigureitoutJanuary 18, 2015 2:36 AM

Wael RE: name fraud
--Doesn't actually authenticate in my opinion, is the signature stored on a server or website just like PGP keys? I've done it once (being really silly) and can show again that there isn't much you can do beyond externally exchanging a verification secret, which here that's just not practical whatsoever.

Real easy to start some real stupid sh*t just keep posting same name (I'm the real me, no me!). People have freedom to be worthless. That's the price of the freedom granted to posting here. Remove it by adding an account name, password, token, really annoying CAPTCHA, etc. And some random f*ck can frame people putting an identity to a name, and people have to start having alibis ready all the time.

It's a risk posting a lasting moniker here, likewise getting up and doing anything. Other option is to withdraw and be anti-social, I did that w/ facebook and in this day and age lose contact w/ a lot of people I'd rather not have...

Ole JuulJanuary 18, 2015 3:21 AM

@Nick P @Wael
Although I'm quite new around here, I noticed that earlier comment by Nick P didn't seem to ring true. I'm glad I didn't respond with a negative comment as I was about to do. :)

So, how would a blog signature scheme look? I'm curious, because I like it when blogs don't require registration, something which I find distasteful.

65535January 18, 2015 4:07 AM

@ Sancho_P

“Ben Wittes wrote a response to @Bruce Schneier at LAWFARE:... The scariest thing here is Ben Wittes’ simplistic approach of the idea of authority…”

That is true.

What Ben Wittes uses is a common debating technique where the most "extreme" example is used to bait the other party [Bruce S.] into an irrational exchange.

Basically it is an extreme debating tactic which involves using the most egregious example possible: “Should Obama be able to intercept Vladimir Putin’s phone conversations?” This example is an extreme debating tactic.

The other side of the debate is: "Should Obama be able to intercept all private communications of Angela Merkel, Nicolas Hollande, Cameron, Peña Nieto, Pietro Grasso, or Rousseff?"

The obvious answer is no!

Ben Wittes is using extreme debating tactics [lawyer tactics] to advance his position that the President should have super investigative powers. That is a logical fallacy. There should be limits on the "President's" powers.

In fact, I agree with Bruce that there should be some court control over certain spying activities that involve friends and innocent people of the USA - even if they impinge upon certain "Presidential" spying powers.

If an out-of-control President disenfranchises his friends then the game is ruined for us.

Feel free to agree or disagree on this topic.

MidasJanuary 18, 2015 4:17 AM

@Thoth
"Wouldn't waving an RFID reader around the notes detect the RFID implants in the cash ?"

Yes, that's the idea. If you have an RFID scanner and use the right frequency, you should be able to read it. Airports are already doing this in order to trace how much cash people are taking in and out (mostly out!) of the country, and even read the serial numbers.

If I owned a large chain of supermarkets it would make a lot of sense for me to install a reader in my cashiers as well (both for security and to track the purchases of customers paying in cash). I do not know for sure how extensively this is being done in the private sector, but I can only imagine that it is soon going to become fairly common, based on the fact that most large shops already have RFID in anti-theft labels. The tracking systems developed and advertised on websites like this suggest it is already more widespread than many of us realize.

Michael HerouxJanuary 18, 2015 4:30 AM

MICHAEL AND INGRID HEROUX michaelheroux1967@gmail.com

http://michaelandingridheroux.wordpress.com

https://plus.google.com/109414718225592332058/about

We saw you on the news the other day talking about the CENTCOM hack. You are right, it was probably just kids, but with all the freedoms being taken away from citizens it was probably the 5 Eyes stirring up more fears. It sounded like a major terror event the way the media was talking about it, especially after the terror attack in Europe. The government loves the fear that these events cause for political reasons. Something big like a terror attack will happen and it seems like a lot of small things like that will follow that help reinforce the fear. The media will play that stuff in a loop which makes it even worse, over and over again. I don't understand how North Korea could have done the Sony hack either. North Korean internet is monitored so closely by the NSA and CSE that they could have stopped them from doing something like that in a second. All they would have to do is flick a switch like turning off a light and their internet would be down in a second. It was good to see you on the news setting the story straight. Thanks

Clive RobinsonJanuary 18, 2015 4:35 AM

@ figureitout, Nick P, Wael,

Speaking of "Mike the Goat" has anyone seen or heard from him recently?

His last post to his web site was back in early Sept last year, which is over five months ago.

I hope he has not gone the way of RobertT.

Clive RobinsonJanuary 18, 2015 5:52 AM

@ Thoth,

With regard to the frequency of RFIDs in "eThread" and bank notes there is actually not a lot of info out there (security by obscurity perhaps).

The last time I saw anything public was this article back in 2003,

http://www.computerworld.com/article/2569398/mobile-wireless/hitachi-develops-rfid-chip-for-bank-notes--documents.html

The chip was being designed to work at 2.4GHz.

It's been that long that such chips "will have started shaving" by now. The problem is I hear "anecdotal evidence" but not "hard evidence" from those involved in security printing and paper making.

I know back then the Germans were getting worried about the "Camembert Euro" and were driving "on holiday" with bags loaded with high denomination Euro notes to put in non-Euro nation bank accounts. The German Gov got paranoid about this as they did back in the days of the "Camembert Mark" [1] and put pressure on the EU to make the notes not just more traceable but easy to search for at borders...

[1] So called because many Germans thought at the time that their currency was about to collapse due to EU political aspirations, thus it had the same problems as the Camembert cheese. Which is of French origin, is superficially hard until you cut into it when it's revealed to have liquidity issues that raise a stink [2]

[2] Camembert cheese has a short life and is only edible from three to five weeks after the curds are put in molds. As it "matures" isovaleric acid (dirty sock smell) builds up slightly faster than ammonia. Thus the limited "ripe time" of the used sock smell the French find desirable is overcome by the poisonous "window cleaner" smell of ammonia, at which point few sane people would eat it. One way to make the isovaleric acid stage more palatable to many people is to wrap the cheese in well buttered filo pastry and either bake it or deep fry it. The heat makes the center more liquid and enhances its creamy texture and taste. The recipe can be improved (a lot ;-) by first spreading a preserve like cranberry, crab apple or quince over the outside of the cheese before wrapping it in the filo pastry. The original of the baking recipe was just to put the cheese as it is sold, wrapped in paper in a light wooden container, into a slow oven, take it out and eat with crusty French bread and some kind of pickle or relish. It is said this is how the French WWI soldiers preferred to eat it, as they were issued with it in vast quantities; it's said that this point in time is the origin of the term "Cheese eating surrender monkeys". However don't try this baking method at home unless you are sure the cheese is paper wrapped; many modern pasteurised milk Camemberts are wrapped in a plastic that only looks like it might be paper. Oh, and remember to first lift the cheese out of the box and put it back in with the paper opening uppermost in the box...

WaelJanuary 18, 2015 6:24 AM

@Clive Robinson,

Re. Mike the goat: I am wondering the same thing!

I hope he has not gone the way of RobertT.

Which way would that be?

triensJanuary 18, 2015 6:37 AM

@Midas, Thoth, Clive Robinson

I don't know about paper money, but credit and debit cards are actively being used in the private sector to track and profile customers. We're not talking about customers making a purchase and having their card read, we're talking tracking punters as soon as they walk through the shop's door. It's not a secret scheme either, the info is out there for anyone who wants to read it. Mastercard calls the system Paypass, Visa calls it Paywave, etc. The function is officially presented to card users as a "tap and pay" solution, but retailers know it as "Customer Interaction" analysis. The range from which the card can be read is way higher than needed for payment. This is by design, in order to entice retailers to adopt the card, as this gives the shop the added option of using the payment method as a customer tracking and profiling system. RFID readers are cheap and a range of up to 100 ft is easily achievable in a basic commercial set (tip: a 100 ft range is not just for "tap and pay").

-Some real examples of deployment:

-http://www.rfidjournal.com/articles/view?1073
-https://econsultancy.com/nma-archive/47228-burberry-to-use-social-data-and-rfid-to-build-customer-profiles-in-store
-http://nxp-rfid.com/wp-content/uploads/2013/06/RFID-fashion-Consumer-Interaction_final-version.pdf

-How to protect yourself:

You can get a wallet or credit card envelope with metal lining cheaply from ebay.

I guess most of you folks already know, but shops are also doing this with your phone's IMEI and MAC address (so switch it off if you're not using it).

WaelJanuary 18, 2015 6:47 AM

@Ole Juul,

I like it when blogs don't require registration, something which I find distasteful.
I'm sure there are other ways. A first-use / first-claim name reservation mechanism may work as well. It may require initial device fingerprinting followed by device authentication and mapping the user to several known devices. I forgot where @Nick P and @Mike the goat left off with the signature discussion...


One thing I can tell you: Including a PGP signature visibly in posts is quite distracting. I am hinting to @Thoth... Well, not a hint any longer.

BoppingAroundJanuary 18, 2015 9:41 AM

Thoth, Midas, triens,
You have my gratitude.

Clive Robinson,
What happened to RobertT?

Clive RobinsonJanuary 18, 2015 10:07 AM

@ BoppingAround, Wael,

What happened to RobertT?

He talked about changing location and employment, then effectively disappeared and has not since returned...

Clive RobinsonJanuary 18, 2015 10:55 AM

@ triens,

You might want to add this link to your collection,

http://www.proxclone.com/Long_Range_Cloner.html

The LF --as opposed to HF, UHF or SHF-- cards can be energised and read over quite a considerable area if you know how to set things up with loop antennas.

A while ago I designed a loop antenna using "ribbon cable" designed to fit around a door frame. I found that using a diplexer circuit and alternate transmission I could get it to do both the LF and MF cards effectively simultaneously.

If people want to hunt around on the internet they will find reading & cloning software for Arduino and PIC chips...

I've not had a reason to take interest in the UHF or SHF RFIDs yet but I know ways of finding them even if they use different frequencies ( Google a GDO and how it works ).

Also there are ways around the 1/(r^2) drop off issue if you look at TEM waveguide cells and Helmholtz Coils, in the latter in what is called the "central octopus" the field uniformity is generally within 1%.

Nick PJanuary 18, 2015 11:32 AM

@ Ole Juul

Here is my compact signature scheme. The whole discussion was good and Mike actually implemented a prototype of his. It's on the blog his name links to.

@ Clive

He was busy dealing with a lot of stuff back then. He's probably moved onto other things. At least he's still got a blog to reach him through. I'll email him soon enough to see what's up.

RickJanuary 18, 2015 3:26 PM

@ Dennisc

"What's the deal with OpenSSH?"

Honestly, your guess is as good as mine. I just observe, read, and process like most others who engage this forum. I did read the *.pdf regarding the attempts to subvert OpenSSH. From a cursory glance at the liner notes toward the end, it would seem that a young researcher working for the NSA is trying to subvert the code by implanting a public key and spoofing the routine to authorize it as legit. What alarms me is the use of a wrapper around the distributable since we all now know that the use of such is a common technique by the NSA when they engage in a MITM attack. You end up downloading the modified executable and likely never know about the payload deposited on your box.

Being a routine privacy advocate, I've been suspicious of this technique for a while, and so with important (or likely targeted) executables, I download them several times from a variety of sources and IPs, and then match the hashes. If they differ, I know something 'funny' is going on. Conversely, if the hashes don't differ, that is still not proof that something 'funny' is NOT going on-- it might mean that the NSA MITMs the entire sourced site.


@ Rosebud,

Ironically, you left off this definition from your Wikipedia list:

https://en.wikipedia.org/wiki/Anonymous_%28group%29

Sancho_PJanuary 18, 2015 3:58 PM


@ Midas

Do you have anything more than rumors about chips in cash?


@ triens

“RFID readers are cheap and a range of up to 100 ft is easily achievable in a basic commercial set”

Do you have any information regarding a reliable range of more than 3 ft (PayPass 13.56MHz)?
We can’t achieve 30 inch in real conditions and would need it dearly.
… Let alone having two cards close to each other like in a wallet.

Sancho_PJanuary 18, 2015 4:08 PM


Re: Nick fraud (nice, isn’t it?), suggestion:

(public known) Username and (privately known) Email must match (whatever you use as your “Email” secret).
However, lot of work for the admin to construct and build up the db (more than 5 matches last year and the nickname is yours).

It needs a method to deal with disputes (moderator’s work), though ...

Sancho_PJanuary 18, 2015 4:21 PM

@ 65535

Yes, only I’d expect that readers of lawfare don’t fall for that, and, by knowing his audience,
Ben Wittes wouldn’t make a fool out of himself.

For the question “Should Obama be able to intercept Vladimir Putin’s phone conversations?”
every sensible human would answer “Of course not, why should he?”.

For the not so sensible we have to translate the question to the simple mindset:
“Should your partner be able to intercept your phone conversations?”

Sancho_PJanuary 18, 2015 4:35 PM

@ Clive Robinson, Daniel, Thoth

OMG !
I think today I made a similar mistake to the following when connecting my RasPi to the Internet:

http://www.telegraph.co.uk/news/picturegalleries/11243593/Matt-cartoons.html?frame=3148178

!!! Suddenly I found a text-file that seems to be out of BO’s email draft folder:

---------

@ AQ leaders:
Do not hesitate to use our cloud services, be it paid or free.
I can reassure you we will take care of your messages and data, nothing will be lost.

@ Evil:
Please, Mr. Putin, do not refrain from using Amazon, Facebook, Microsoft and your iPhone.
It would ruin our business and kick thousands of spies out of work.

@ Sweety:
Dear Angela, please accept this Verizon SIM card as a present from our heart. You may use it for free, worldwide, for all private calls to your hairdresser and alike.

Don’t forget: We, the US, need your privacy to keep our economy alive.

Sincerely, B & D
(in alphabetical order, Dave wanted to be first, but …)

---------

- Now I don’t know do they still have a copy or should I send it back before I flee to Moscow?

WDJanuary 18, 2015 5:28 PM

Any thoughts as to the resistance of cjdns to government or private criminals? I'm almost to the point of "chucking it all" and returning to manual typewriters....but was hoping this scheme might present a way to provide secure telephone service for our family.

Freedombox, retroshare (many others) have kinda let us down here. Does cjdns offer a viable way to "get off the internet" while still using it?

Nick PJanuary 18, 2015 5:30 PM

@ Rick

The article doesn't say parallel construction was discontinued. It explained the DEA's bulk metadata collection, says it was discontinued, and explains parallel construction was used to hide its existence. It doesn't say that was discontinued. Further, NSA's programs and cooperation with DEA still exist so they must be using it.

RickJanuary 18, 2015 6:02 PM

@ Nick P

Good call. I reread the article and see that you are correct. Perhaps wishful thinking on my part. Thank you!

Nick PJanuary 18, 2015 6:15 PM

@ WD

Like MinimaLT, it's an interesting project taking many new steps toward pervasive security. The other thing they have in common is they're using methods that haven't had much analysis and probably on vulnerable endpoints. The surveillance state actors have tremendous resources to put into turning that risk into actual attacks. So, these projects need more work on assurance arguments for their protocols and implementations.

Meanwhile, there are existing projects that make endpoints and protocols more secure. Those could be leveraged by those supporting these projects. Likewise, you can use them by themselves in the ways that have been previously done securely: mail guards/envelopes, link encryptors, network gateways, and so on. Then, integrate good FOSS apps with that on diverse hardware and OS stacks. Easiest approach right now.

65535January 18, 2015 7:48 PM

“Should your partner be able to intercept your phone conversations?” - Sancho_P

This is a good point. This simplifies the argument.

I believe that there will have to be a Constitutional show-down between the President's powers and the High Court's interpretation of the US Constitution.

With the ability to weaponize the internet it is clear that “agencies” which directly report to the President could start a war – if they have not done so to some degree.

This venue of power is intertwined with the War Powers Act, the First and Fourth Amendments and of course the infamous Executive Orders.

Tangentially, the “third party” doctrine is outdated and should be reexamined and updated. Also, the ability of the FBI to issue NSL+Gag orders without a judge's signature is plain abusive.

I believe that Presidential Powers should have proper checks and balances… and this doesn’t mean some K Street power broker writing checks to the President and upping his bank balance.

DaveKJanuary 18, 2015 8:18 PM

John McAfee thinks GoP is a real hacker group and is not North Korean, claims to have been in touch with them:

www.ibtimes.co.uk/john-mcafee-i-know-who-hacked-sony-pictures-it-wasnt-north-korea-1483581

CuriousJanuary 19, 2015 6:17 AM

As a layman, I wonder, is there anything like a "seed theory" in computer security or number theory?

The general idea, in my head, is that, as long as a particular number is a number that can be associated with having been related to seeded number, such non-random numbers will always be suspect of being a part of a pattern in some respect. Whether or not it would/could be useful in detecting patterns later on, I have no idea, but perhaps the range of random numbers, would no longer be the full range, but a limited one, maybe related to a particular date/timestamp perhaps, or something else that perhaps might be useful.

Clive RobinsonJanuary 19, 2015 10:26 AM

OFF Topic :

This might be of interest to readers,

http://techcrunch.com/2015/01/16/the-hypocrisy-of-u-s-cyber-policy/

The argument is that the internet will become fractured on national lines, because of the US "two faced" policy on the Internet. But worse, the biggest loser if this does happen will be the US.

As the author points out the US has the most to lose and the least to gain from the most likely outcome of its behaviour.

Which obviously begs the question as to why the US acts against its own National Security... In theory it would be treasonous behaviour if this was carried out by individuals or corporations based in the US, as opposed to Government agencies under the shield of the executive.

The harm such policies do to US National Security is already becoming visible in lost opportunity costs to the national economy, but worse in national standing in the eyes of the rest of the world.

Nick PJanuary 19, 2015 5:34 PM

@ BoppingAround

Re Eternal Mainframe essay post-Snowden

"Here is the author's reply:

I doubt that secret backdoors would be necessary for mainframes because the kind of institutions that buy them have been in bed with the government for generations. That's speaking of American companies, though. Non-American mainframe customers may have concerns about secret backdoors in IBM mainframes. Once again, though, such institutions will be tied to governments that fall under the Pax Americana, so such backdoors would be superfluous.

As for the mainracks or servers or so forth, Stanislav Datskovskiy wrote about FLUXBABBITT a year ago ( http://www.loper-os.org/?p=1441 ). I'm not surprised. See also https://www.schneier.com/blog/archives/2014/01/nsa_exploit_of.html but, since you're a security researcher, you must already know about that.

People would laugh at old predictions from Thomas J. Watson Sr. or whoever that the world would only need a few computers. Now that we have the cloud, the old fogies may get the last laugh. No one likes to be a sysadmin; so we out-source the computer janitor jobs, the uptime assurance, and so forth to Amazon, or Google, or someone else. Extend the trend line and, for all practical purposes, only a few large computers will exist. After that, cracking those computers will happen by bureaucratic decree rather than by hackers' ingenuity.

I hope that this is enough to answer the questions of your commenter. Don't be afraid to ask me for more."

Funny that I was in one of the discussions he linked to. He also insisted I post his email if someone had questions: rudolf AT winestockwebdesign DOT com.

WaelJanuary 19, 2015 5:54 PM

@Nick P,

Now that we have the cloud, the old fogies may get the last laugh.

Nice mixture of word choices!

Another GuyJanuary 19, 2015 6:36 PM

@ Sancho_P

I'm not a wikileaks supporter but half of these visitors are probably queuing to see whether they've been included in the periodic expose. Being vigilant of something isn't the same as being a criminal of interest; but also as potential victim.

FigureitoutJanuary 19, 2015 9:54 PM

clive robinson RE Mike the goat
--He mentioned some pretty messed up things like landlord problems, getting sick, and also has made mention of a family and wanting to move to Cali. As you know, you can email him. He emailed me w/o PGP (which I told him not to, I want to hear from him in a truly protected way which means a physically exchanged secret, which he would neither confirm nor deny he could do; also I can't create a GPG email address securely on PC's and internet connections I currently use and would give up my plans too doing something else), so just put up an email address or contact him w/ a throwaway.

If I had a family I'm responsible for and tried to remain secure (and teach my kids secure practices unlike what I got, freeforall), I probably wouldn't read the blog and be too busy.

BuckJanuary 19, 2015 10:31 PM

Can anyone recommend some decent color, low-light, wireless (6+ hr. battery) camera options?

Sancho_PJanuary 20, 2015 4:08 PM

@ Another Guy

re: “wikileaks visitor” tag and predictable consequences for your career.

The question would be whether that makes any difference or not.
I’m afraid those who are watching visitors are a bit too simple minded to distinguish between probable motives of visit.

Instead sensible people would have been interested in the reason of the leaks.
I do not mean the question “Who was the damned leaker?” - that’s the wrong point to start at.

The very first would be:
“Why was there any material ‘worth’ of public leaking?”,
or simply put “Why do we collect stuff that is embarrassing if publicly visible?”. [1]

The second, to me even more important aspect is:
How come that unripe kids end up in such a dire and pressing situation? Why didn’t we realize that this kid was in extreme danger? Do we pay millions to unsensible brass, to stupid warheads, to a hierarchy of mechanical idiots?
Do we expect these kids to learn for life, develop companionship, to respect authorities because of the authorities’ high standards and competence?
Are there any signs of insane, dishonourable mood within the troops? [2]
Who is accountable for destroying our kids’ future?
Are we really surprised to find these youngsters broken, disorientated, difficult to integrate back home? [3]

Granted, it is hard to run an endless war without sincere motivation, but I can not silently accept to ruin kids and youngsters on both sides of the frontline just for keeping the dirty business alive. [4]


[1] Dozens of related questions beg for answers.
[2] E.g. some photo documents, sex insults, love affair at the top of the top.
[3] Also see Bowe Bergdahl. Has anyone read his last email?
[4] We have so many old brass lying around, let’s send them down instead!

Nick PJanuary 20, 2015 5:24 PM

New FOSS laptop that's more stylish than Novena
https://www.crowdsupply.com/purism/librem-laptop

PL/I soldiers on with a new compiler update from IBM haha
http://www-01.ibm.com/common/ssi/cgi-bin/ssialias?subtype=ca&infotype=an&supplier=897&letternum=ENUS215-014

For homebrewers here

NanoX Window System's architecture might help those rolling their own GUI's
http://www.nanogui.org/

People bootstrapping safer platforms might code review & use RTEMS
http://en.wikipedia.org/wiki/RTEMS

ViewML web browser operates in 2MB footprint
http://www.nanogui.org/ViewMLDesign.html

Let's take another look at Propeller given Forth and a Pascal subset are already on it
http://parallax.com/microcontrollers/propeller-1-open-source

Or people can just clone Magic-1 or a similar machine with security enhancements
http://www.homebrewcpu.com/

ThothJanuary 20, 2015 6:32 PM

@Hugh Jass

Well that's one way to set up a "secure" email server but it's just another low assurance thing.

If it's not something very very critical or you're not wanting to be picky, that one you suggested would do.

If you really need to have assurance, the usual culprits are the hardware and software.

Software gets bloated and few of these software are properly audited and assured (logically/mathematically).

Hardware troubles include firmware and hardware architecture.

Anything in-between like the compilers and loaders and libraries and what not are also another injection point.

Security is mostly about how much you are willing to sacrifice to be secure (in exchange for inconvenience to a degree).

If anyone ever set up an encrypting mail service or a PKI infra, you would realize there is a lot of attack surface despite its so-called secure labels on the marketing product.

You just need to look harder to easily start designing your tools to defeat those so-called secure mechanisms.

Security products have two ways down the path. Those created by real experts and those cobbled by non-domain guys.

A lot of so-called secure products are usually done by non-domain guys and for the crypto-chips, I believe it's the same thing. They aren't that secure after all (if you ignore the backdoors).

Gerard van VoorenJanuary 21, 2015 2:31 AM

Obama is a hypocrite.

This is what he said in the 2015 State of the Union:

"No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids."

Despite these words the US itself is doing everything but.

Remember the 'golden rule'? "One should treat others as one would like others to treat oneself."

I am getting really tired of this rhetoric 'patriotic' crap. And always bring in the 'American families, especially our kids' stuff. Be fucking realistic, get rid of these flags for once, and say what needs to be said.

And stop being an asshole when it comes to whistle blowers!

https://www.youtube.com/watch?v=6_zwB6GLpo4

FigureitoutJanuary 21, 2015 2:35 AM

Nick P RE: ViewML

Currently, the ViewML browser runs in about 2MB of RAM while having a codefile size of around 800k.

http://i.imgur.com/FV7jmhu.gif

RE: Librem laptop
--Neat but BIOS still isn't completely "free" and they make no mention of all the inevitable embedded chips for oh say the camera you don't need, or the I/O like say the HDD controller, ethernet, USB, HDMI, camera...

Think someone (may have to be me if no one else) can do a crowd funding campaign for a laptop w/ no peripherals like camera, microphone, speaker, wifi/BT and crafts a nice EMSEC box for it all.

Sounds like they make it easy to replace parts, which is good, want an easily hackable machine.

Wesley ParishJanuary 21, 2015 3:39 AM

Hey @everybody

Remember a few weeks, months, years, decades, millennia, aeons ago, we discussed The Art of Self-Defense Against Drones?

Apparently the Imperial US Army has woken up to the fact that some mothers do 'ave 'em

http://nationalinterest.org/feature/how-the-us-army-plans-defeat-the-unthinkable-drone-swarms-12057
http://www.acq.osd.mil/osbp/sbir/solicitations/sbir20151/army151.htm

A15-012 TITLE: Counter-UAS Technologies for Swarming UASs
OBJECTIVE: Develop and demonstrate a low-cost and lightweight countermeasure system that can be used to detect, disrupt, disable, and neutralize enemy unmanned aerial systems (UASs) platforms in swarming scenario.

and is urgently desirous of our assistance in surmounting the threat posed by drone strikes against its own assets.

As the BBC once informed us, some mothers do 'ave 'em. I think the people with the most useful concepts on this discussion forum happen to be disqualified from partaking in any such development by virtue of the fact they are not US citizens:

If the offeror proposes to use a foreign national(s) [any person who is NOT a citizen or national of the United States, a lawful permanent resident, or a protected individual as defined by 8 U.S.C. 1324b (a) (3) – refer to Section 3.5 of this solicitation for definitions of “lawful permanent resident” and “protected individual”] as key personnel, they must be clearly identified. For foreign nationals, you must provide country of origin, the type of visa or work permit under which they are performing and an explanation of their anticipated level of involvement on this project. Please ensure no Privacy Act information is included in this submittal.

For some strange reason I feel greatly relieved. When the US finally gets around to declaring that the use of drones against unarmed civilians is a war crime and a crime against humanity, and finds its officers up before the ICC for crimes against humanity committed in the Yemen, Iraq, Pakistan, Afghanistan, etc, anything I say on the topic of defense against drones on this or any other forum, will have no relevance to US DoD war crimes and crimes against humanity.

DougJanuary 21, 2015 5:56 AM

@ Gerard van Vooren

The devil is in the details. These speeches are written in such a way that you can't really argue with what he said except spouting "hey that's not what you said last night!"

sena kavoteJanuary 21, 2015 6:53 AM

Could it be that an encryption key defined by program functionality in C++ source code would enable faster encryption? Have a C++ source code writing program that takes a normal bit string as key and then automatically forms a source code based on that key.

The cipher could be something existing or something specifically invented for this kind of hardcoded key+algorithm combination.

Maybe this has some other benefit besides speed / efficiency?
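One way to try the idea without a separate source-writing program, as an added example that is not sena kavote's code: make the key a compile-time constant so the compiler folds the key-dependent part of the round function into immediates. The cipher (XTEA) and the demo key are my assumptions; the constructed key is not a real secret. The last check shows the practical catch: the baked constants hand the key straight back (the first one equals key[0]), so this buys speed, not secrecy, against anyone holding the binary.

```cpp
#include <array>
#include <cstdint>

constexpr uint32_t DELTA = 0x9E3779B9u;
constexpr int CYCLES = 32;   // standard XTEA: 32 cycles = 64 Feistel rounds

// Generic XTEA encryption: the key is looked up every round at run time.
void xtea_encrypt(uint32_t v[2], const uint32_t key[4]) {
    uint32_t v0 = v[0], v1 = v[1], sum = 0;
    for (int i = 0; i < CYCLES; ++i) {
        v0 += (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + key[sum & 3]);
        sum += DELTA;
        v1 += (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + key[(sum >> 11) & 3]);
    }
    v[0] = v0; v[1] = v1;
}

// Everything that depends only on (key, round) is evaluated at compile time.
struct Schedule { uint32_t k[2 * CYCLES]; };

constexpr Schedule make_schedule(const std::array<uint32_t, 4>& key) {
    Schedule s{};
    uint32_t sum = 0;
    for (int i = 0; i < CYCLES; ++i) {
        s.k[2 * i] = sum + key[sum & 3];
        sum += DELTA;
        s.k[2 * i + 1] = sum + key[(sum >> 11) & 3];
    }
    return s;
}

// Constructed demo key; it ends up in the binary's read-only data.
constexpr std::array<uint32_t, 4> BAKED_KEY = {0x01234567u, 0x89abcdefu,
                                               0xfedcba98u, 0x76543210u};
constexpr Schedule BAKED = make_schedule(BAKED_KEY);

// Key-specialized XTEA: no key lookups, no sum bookkeeping, 64 immediates.
void xtea_encrypt_baked(uint32_t v[2]) {
    uint32_t v0 = v[0], v1 = v[1];
    for (int i = 0; i < CYCLES; ++i) {
        v0 += (((v1 << 4) ^ (v1 >> 5)) + v1) ^ BAKED.k[2 * i];
        v1 += (((v0 << 4) ^ (v0 >> 5)) + v0) ^ BAKED.k[2 * i + 1];
    }
    v[0] = v0; v[1] = v1;
}

// True when the specialized routine agrees with the generic one on a block.
bool baked_matches_generic(uint32_t b0, uint32_t b1) {
    uint32_t a[2] = {b0, b1}, b[2] = {b0, b1};
    xtea_encrypt(a, BAKED_KEY.data());
    xtea_encrypt_baked(b);
    return a[0] == b[0] && a[1] == b[1];
}
```

Compile with optimization and compare the two functions' disassembly to see what the specialization actually saves; in round 0 sum is zero, so BAKED.k[0] is key[0] verbatim.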

JacobJanuary 21, 2015 5:30 PM

From: the "Council of the European Union"
General Secretariat, Brussels, 17 January 2015

Subject: EU CTC input for the preparation of the informal meeting of Justice and Home Affairs Ministers in Riga on 29 January 2015

Page 10:

"Since the Snowden revelations, internet and telecommunications companies have started to use often de-centralized encryption which increasingly makes lawful interception by the relevant national authorities technically difficult or even impossible.
The Commission should be invited to explore rules obliging internet and telecommunications companies operating in the EU to provide under certain conditions as set out in the relevant national laws and in full compliance with
fundamental rights access of the relevant national authorities to communications (i.e. share encryption keys)."

http://statewatch.org/news/2015/jan/eu-council-ct-ds-1035-15.pdf

Dirk PraetJanuary 21, 2015 6:27 PM

@ Jacob

The Commission should be invited to explore rules obliging internet and telecommunications companies operating in the EU to provide under certain conditions as set out in the relevant national laws and in full compliance with
fundamental rights access of the relevant national authorities to communications (i.e. share encryption keys)."

Whoever drafted this statement should get his head out of his *ss. There is no such thing as "fundamental rights access of relevant authorities to communications". It's the people who have fundamental rights to be secure in their persons, houses, papers, and effects against unreasonable searches and seizures. But I think someone else already coined that phrase.

JacobJanuary 21, 2015 8:39 PM

@ Dirk Praet

I brought the paragraph verbatim, but the writer used commas too sparingly. It should be read like this (with my 2 commas added):

The Commission should be invited to explore rules obliging internet and telecommunications companies operating in the EU to provide, under certain conditions as set out in the relevant national laws and in full compliance with
fundamental rights, access of the relevant national authorities to communications (i.e. share encryption keys).

Nick PJanuary 23, 2015 12:20 PM

I did a quick look at the "Humies" awards to see what human competitive inventions researchers have evolved recently. Two stand out for security community.

Evolvable Malware
(paper)

Abstract: "The concept of artificial evolution has been applied to numerous real world applications in different domains. In this paper, we use this concept in the domain of virology to evolve computer viruses. We call this domain as “Evolvable Malware”. To this end, we propose an evolutionary framework that consists of three modules: (1) a code analyzer that generates a high-level genotype representation of a virus from its machine code, (2) a genetic algorithm that uses the standard selection, cross-over and mutation operators to evolve viruses, and (3) the code generator converts the genotype of a newly evolved virus to its machine-level code. In this paper, we validate the notion of evolution in viruses on a well-known virus family, called Bagle.

The results of our proof-of-concept study show that we have successfully evolved new viruses–previously unknown and known-variants of Bagle –starting from a random population of individuals. To the best of our knowledge, this is the first empirical work on evolution of computer viruses. In future, we want to improve this proof-of-concept framework into a full-blown virus evolution engine."

Note: A full-blown virus evolution engine. I figure some professionals that work on patching and signatures will lose sleep when malware authors discover this stuff. ;)

A Systematic Study of Automated Program Repair: Fixing 55 out of 105 bugs for $8 Each
(paper)

Abstract: "There are more bugs in real-world programs than human programmers can realistically address. This paper evaluates two research questions: “What fraction of bugs can be repaired automatically?” and “How much does it cost to repair a bug automatically?” In previous work, we presented GenProg, which uses genetic programming to repair defects in off-the-shelf C programs. To answer these questions, we: (1) propose novel algorithmic improvements to GenProg that allow it to scale to large programs and find repairs 68% more often, (2) exploit GenProg’s inherent parallelism using cloud computing resources to provide grounded, human-competitive cost measurements, and (3) generate a large, indicative benchmark set to use for systematic evaluations. We evaluate GenProg on 105 defects from 8 open-source programs totaling 5.1 million lines of code and involving 10,193 test cases.

GenProg automatically repairs 55 of those 105 defects. To our knowledge, this evaluation is the largest available of its kind, and is often two orders of magnitude larger than previous work in terms of code or test suite size or defect count. Public cloud computing prices allow our 105 runs to be reproduced for $403; a successful repair completes in 96 minutes and costs $7.32, on average."

Note: Personally I think advanced static analysis tools combined with templates and metaprogramming would be a better solution. With right subsets and coding style, there's already tools that can can about every major problem. So, you just template the solutions to those problems, load up a list of problems, and have the tool use the template to automatically transform the program into an equivalent one without the problem. If I were doing evolution, I'd use it for generators (code, tests, etc) that have to juggle multiple success criteria and find good enough solutions. Seems a better fit for such tools than software repair, which should be more surgical.

BaaaaaJanuary 23, 2015 4:07 PM

Eric Schmidt: Our Perception of the Internet Will Fade

http://tech.slashdot.org/story/15/01/23/1336249/eric-schmidt-our-perception-of-the-internet-will-fade

What does this remind me of? Instead of "may the force be with you", it is more like "you are with the force", be it for you, against you, or you simply being used by the force.

I don't appreciate such a thing. It has one aspect that the overlords will absolutely control...the overlords will NEVER allow the Internet to be part of THEIR presence "all the time". In fact, "none of the time" would be more like it. And, such presence for the rest of us probably implies implanted chips or at least mind reading scanners (tin foil hats, where are you when we need you?) "With your permission..."? Who is he kidding?

From the web page:

Concluded Schmidt: “A highly personalized, highly interactive and very, very interesting world emerges.”

His statement really should say

A highly PUBLIC, highly FRIGHTENING, and very, very SCARY world emerges.

I trust that he considers himself one of the overlords and would NEVER consent to put himself in the same position that he expects EVERYONE else to voluntarily put themselves in (and when voluntary doesn't do the trick, this is where we will be forced). His thoughts go far beyond the 1984 of Orwell, and makes him someone to be feared, avoided, and ostracized for such an uncaring vile proposition. His outlook treats us all as "sheeple", led to slaughter.

He made many other statements that should be rejected on their face value as well.
