Comments

John Macdonald February 27, 2015 4:08 PM

Lenovo just announced that they are going to start removing bloatware, and will have removed it completely by Windows 10.

That, at least, is a strong positive response to the SuperFish fiasco.

Carl February 27, 2015 4:20 PM

Pre-installed bloatware has been around since prior AOL days. Lenovo wasn’t the only one doing this.

Anura February 27, 2015 5:11 PM

@John

There’s already been good analysis on attacks (such as relay attacks with passive keyless entry) and countermeasures proposed for both active and passive keyless entry systems. It’s pretty easy to secure active systems, although implementations have been less than secure in the past. Doing it with your smartphone isn’t inherently less secure than using a key fob.

Most cars these days I believe use challenge-response systems to prevent replay attacks[citation needed] but I think there are still some problems (there was a report a while back about how anyone with access to the car’s computer can program a key). For relay attacks on passive systems one of the proposals, which might be in use on some cars, measures the latency to determine how far away the key fob is and if it’s not close enough then it doesn’t allow entry.

Buck February 27, 2015 5:30 PM

@Anura

Doing it with your smartphone isn’t inherently less secure than using a key fob.

Lolz! Is that some sort of clever sarcasm..?

Anura February 27, 2015 5:45 PM

@Buck

Key word “inherently” – sure, the implementation matters, but if your car’s authentication key is stored in a cryptoprocessor where the apps can’t get it, and you have either an active system requiring you to press a button or a passive system that checks latency, then there is no real difference to a key fob from a security standpoint.

albert February 27, 2015 6:11 PM

Humans have been known to communicate by flashing as well. Isn’t that how Lolita got into trouble?

Clive Robinson February 27, 2015 6:27 PM

@ Anura,

…. measures the latency to determine how far away the key fob is and if it’s not close enough then it doesn’t allow entry.

The speed of light is approximately 1nS / foot or 2nS round trip, realistically your sampling clock for timing would need to be 16 or 20 times as great as your max range time to ensure that variation was not too great.

Thus what sort of range would you be talking about? Bearing in mind a key fob pushing a signal in the uW power range and fractional wavelength antenna is going to max range at 2-3 hundred feet anyway…

Assuming 100ft that would be 0.2uS giving a clock of 80MHz or more…

SoWhatDidYouExpect February 27, 2015 6:31 PM

From Slashdot:

Verizon Posts Message In Morse Code To Mock FCC’s Net Neutrality Ruling

http://yro.slashdot.org/story/15/02/27/2125235/verizon-posts-message-in-morse-code-to-mock-fccs-net-neutrality-ruling

How childish can these corporate executives get?

From the post, the Verizon message:

“Today (Feb.26) the Federal Communications Commission approved an order urged by President Obama that imposes rules on broadband Internet services that were written in the era of the steam locomotive and the telegraph.”

I believe that Verizon wants to go back even further when corporations controlled much of the world and what people could do. Verizon seems to be the “throwback” here.

Oh, for sure, the fight isn’t over. It will just cost them a whole lot more time and money to win (or lose).

Buck February 27, 2015 7:12 PM

@Anura

Key word “implicity” – sure, the implementation matters, but you are implicitly implying that purpose-driven devices are not inherently more secure than the one.ring to rule them all.

Anura February 27, 2015 7:29 PM

@Clive Robinson

I really haven’t read enough on distance bounding protocols to know exactly what the distances you can reasonably achieve are, but keep in mind you are measuring the time for the round trip. The paper I read suggested one meter is an ideal distance, but I think you can afford a bit further than that.

Here’s the paper I read in the past that proposes the distance bounding:

https://eprint.iacr.org/2010/332.pdf

They reference this experiment on distance bounding (I haven’t read it):

https://www.usenix.org/legacy/event/sec10/tech/full_papers/Rasmussen.pdf
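The latency check discussed in the comments above, as an added JavaScript example (not part of any comment and not code from either linked paper): a verifier times one challenge-response round with a counter and turns the tick count into an upper bound on the fob's distance. The 1 ns fob processing time, the 2 m limit, the 1 GHz comparison clock and all function names are assumptions made for the illustration; 80 MHz is the clock figure from the comment above.

```javascript
// Added illustration of the timing side of a distance-bounding check.
// All names and parameter values are assumptions, not taken from the papers.
const C = 299792458; // speed of light in m/s

// One-way distance the signal covers during one tick of the timing clock.
function metresPerTick(clockHz) {
  return C / clockHz / 2;
}

// Constructed model of one timed challenge-response round.
// relayDelayS is extra latency added by relay hardware (0 for a direct exchange).
function measureTicks(distanceM, fobProcessingS, relayDelayS, clockHz) {
  const rttS = (2 * distanceM) / C + fobProcessingS + relayDelayS;
  return Math.floor(rttS * clockHz); // the counter only sees whole ticks
}

// Verifier decision. The counter can under-read by up to one tick, so
// ticks + 1 is used: the result is an upper bound on the fob's distance.
function checkRound(ticks, fobProcessingS, clockHz, maxDistanceM) {
  const worstRttS = (ticks + 1) / clockHz;
  const boundM = Math.max(0, ((worstRttS - fobProcessingS) * C) / 2);
  return { boundM, accept: boundM <= maxDistanceM };
}

// Run one round end to end for a given geometry and clock.
function simulate(distanceM, relayDelayS, clockHz) {
  const FOB_PROCESSING_S = 1e-9; // assumed fixed, known turnaround time
  const MAX_DISTANCE_M = 2;      // assumed unlock radius
  const ticks = measureTicks(distanceM, FOB_PROCESSING_S, relayDelayS, clockHz);
  return { ticks, ...checkRound(ticks, FOB_PROCESSING_S, clockHz, MAX_DISTANCE_M) };
}

const scenarios = [
  ["fob at 1 m, 1 GHz clock", simulate(1, 0, 1e9)],
  ["fob at 1.8 m, 1 GHz clock", simulate(1.8, 0, 1e9)],
  // A relay cannot shorten the path: even with zero added latency the
  // 30 m of extra flight time shows up in the measurement.
  ["fob relayed from 30 m, 1 GHz clock", simulate(30, 0, 1e9)],
  ["fob at 1 m, 80 MHz clock", simulate(1, 0, 80e6)],
  // Coarse clock: one tick is about 1.87 m, so a fob that is really inside
  // the 2 m radius is rejected because the bound jumps to about 3.6 m.
  ["fob at 1.8 m, 80 MHz clock", simulate(1.8, 0, 80e6)],
];

for (const [label, r] of scenarios) {
  console.log(`${label}: ticks=${r.ticks} bound=${r.boundM.toFixed(2)} m accept=${r.accept}`);
}
```

The conservative rounding means a slow clock never accepts a distant fob; it only costs false rejections near the edge of the allowed radius.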

Clive Robinson February 27, 2015 7:38 PM

@ Nick P,

I don’t know if you have seen “Make A Lisp” (MAL) but they have implemented it in over 26 languages including ‘miniMAL’ that supposedly does its thing in less than 1024 bytes of JavaScript…

https://github.com/kanaka/mal/blob/master/README.md

Should be fun to play with if only I could remember which shelf in the cave has the “Common LISP” book, or did I loan it to someone…. it’s the trouble with getting long in the beard 🙁

Clive Robinson February 27, 2015 7:58 PM

@ Anura,

Just tried downloading the Usenix paper but all I get is “waiting for data connection” which eventually times out…

The abstract says the resolver is good for 1nS turn around… that as they say is “moving faster than a stolen rocket” 😉

Benni February 27, 2015 8:21 PM

Seems that BND tried to sell another trojan through its front companies to foreign governments: http://goo.gl/tdB4xM

Meanwhile, every day Germany’s foreign intelligence service BND records the content of at least 500.000 phone calls http://goo.gl/qH2Z3m and 220000000 metadata sets from phone calls are saved: http://goo.gl/TFdFsv Furthermore, Germany’s domestic intelligence service now wants 2,75 million euros to monitor contact lists from Facebook users: http://goo.gl/Gku5hi and German authorities ask public WLAN operators to provide technology so that the government can monitor WLAN users http://goo.gl/jQO7PQ

Bob S. February 27, 2015 9:40 PM

Tim Cook made very supportive statements about our privacy rights in The Telegraph:

“None of us should accept that the government or a company or anybody should have access to all of our private information. This is a basic human right. We all have a right to privacy. We shouldn’t give it up. We shouldn’t give in to scare-mongering or to people who fundamentally don’t understand the details.”

I believe him. I also believe he is one of the few people around rich and powerful enough to do something about it.

The article also mentions, “…most governments around the world, … need ever-increasing monitoring powers to combat crime and terror”

Notice how the priorities have switched? First comes crime, then comes terror. We are being conditioned to understand massive government surveillance is for the purpose of investigating general crimes by the people.

And, that will work for a while to catch the very stupid major crime criminals who would get caught anyway. I would think soon enough any reasonably intelligent criminal will either not communicate with electronics, or find ways to obfuscate their communications and whereabouts.

So, as time goes on, the seriousness threshold will go down: Think parking ticket enforcement, red light cam tickets, bridge tolls, dog licenses, odd/even water rationing days, no crime will be too small to unleash the electronic police dogs.

Also, since there will always also be crime, there will always be a justification for big brother sitting on our electronic shoulder.

Unless we do something about it.

Wael February 27, 2015 9:56 PM

@Clive Robinson,

This article about Hamming’s view

You’re correct! It’s of interest. Will read it tonight and share with you what I think. I dealt with Hamming many years ago in signal processing (Hamming windows) I am guessing it’s the same person. There was also, if memory didn’t fail me, a “Hanning” window. The going joke was: Append an “ing” to the name, and it becomes another “window” 🙂

I read a few paragraphs, so I know you know what response this article will trigger in me 😉

sena kavote February 27, 2015 10:34 PM

Interpreters instead of compilers for C and C++

Running C source code interpreted is more safe and secure than running a compiled binary. Running C interpreted has a lot worse performance than running the binary on hardware or on a virtual machine, but better performance than running the binary in an emulator. A C-interpreter can have different interpretation modes for different hardware and OS, instead of different emulators for binaries. If the C source has some assembly mixed in, that needs to be emulated.

Some C and C++ functions can get a big performance increase by using an interpretation mode that utilizes 4 or more processor cores in parallel and even OpenCL computation with a (so called) video card. In those cases, interpreted C or C++ can be even faster than compiled C that does not use those hardware features.

Source code can have markings that ask compilation of some performance critical parts while everything else gets interpreted. Those resource needy parts can be found and marked automatically by using a special profiling mode that keeps statistics of how often parts of a program are used. Similar profiling mode can help detect attacks and crashes within the OS by alerting about unusual stats and patterns of stats, after being run sometime in an automatic learning mode.

Even proprietary closed source software can be used with a C-interpreter by first using a disassembler that converts the binary to a difficult to read C file.

For example, if OpenSSL had been run interpreted, the Heartbleed vulnerability would not have been possible.

anonymous123 February 27, 2015 11:01 PM

@Clive Robinson

Clapper has a “no 5h1t Sherlock” moment over Russian cyber activity,

http://www.foxnews.com/us/2015/02/26/us-intelligence-chief-new-classified-intel-suggests-cyber-threat-from-russia/

Maybe he should read this blog… one or two of us have been giving this warning since before the “China APT” collywobbles blotted out most rational thought, and made Mandiant famous in its own fantasies.

They just say whatever needs PR, and are pretty decent at keeping quiet on a lot of threats because they want to send back false information. My take on it, anyway. I view their KAV releases of late as shots over the bow (from russia with love).

The US seems to be backing off on Ukraine, and they aren’t stupid enough to try and depose the existing Syrian regime, which they have finally come out and admitted, they can’t. Russia is aligned with Iran, though, while the US is working their Sunnis who really hate them.

The US has been well aware of Russian attacks on infrastructure since they have been happening, which has been since they have been connected to the internet. They need breathing room if the politicians want to do anything too challenging to Russia, which probably does mean Russia will pull some of their plugs they have here. The US can’t be on top of all of them. And the intel has to show both some warning to the many corporations potentially involved, as well as show they knew beforehand and so are on the game.

Though, I am sure just stating the kettle is black.

anonymous123 February 27, 2015 11:32 PM

@AndrewJ, @anyone, on Schneier’s Ars Post

Bruce, as usual, makes some very good points. ‘Who controls the media controls the mind’ (JM), and today “the media” often means the dynamic medium of social media.

(Though fictional media, especially in modern cinema just keeps getting stronger, and the advantage of metaphor is it bypasses conscious defenses. Though, I tend to see it as a positive influence, as conscious attempts at manipulation through it, as opposed to raw unconscious ramblings into script often seem to convey a positive, instead of negative message.)

From the article:

A truly sinister social networking platform could manipulate public opinion even more effectively. By amplifying the voices of people it agrees with, and dampening those of people it disagrees with, it could profoundly distort public discourse. China does this with its 50 Cent Party: people hired by the government to post comments on social networking sites supporting, and challenge comments opposing, party positions. Samsung has done much the same thing.

If they can, they will. What does FB really care about?

There is very often a sort of agreed, conscious-unconscious, role played by more static social media, like the remaining blogs and some news sites out there. I notice I tend to hang around sites that post stuff I like… and then find myself getting filled up in spectrums of political (or whatever) awareness when I stay too long. This can be especially true with “rage” sort of news, where they cater to some of your special pet peeves and anger points. It can warp one’s point of view, as if that is all the news out there all of a sudden… and there can be a sort of similation, like, you get into the same groove as everyone else does.

There are unique harms that come from using surveillance data in politics. Election politics is very much a type of marketing, and politicians are starting to use personalized marketing’s capability to discriminate as a way to track voting patterns and better “sell” a candidate or policy position. Candidates and advocacy groups can create ads and fundraising appeals targeted to particular categories: people who earn more than $100,000 a year, gun owners, people who have read news articles on one side of a particular issue, unemployed veterans… anything you can think of. They can target outraged ads to one group of people, and thoughtful policy-based ads to another. They can also finely tune their get-out-the-vote campaigns on Election Day and more efficiently gerrymander districts between elections. This will likely have fundamental effects on democracy and voting.

Potentially scary, but can you really change where people are at and where they are going? I suppose so, basic ‘gain rapport, then lead’ 101. What is not said is often as critically influential as what is said, like with the change seen when we stick to this or that blog or news site. There could be atom bombs going off, but damned it, if you really just want to hear the news about Chicago (random ‘for instance’), that is all you will get.

China is a good example. It isn’t usually so much about injecting news, like the 50 cent army, per se, but about censorship. No Tiananmen Square. God, no.

Two key issues spring to mind about FB and their urgent needs: one, their desire to be able to get more guys in the US from India and China. Two, was their need to downplay their cooperation with the NSA over PRISM.

By killing news on PRISM cooperation, that leaves only denials. Mission success. Not sure about their green card wants and needs….

pseudoanonymous123 February 27, 2015 11:46 PM

@sena kavote

Even proprietary closed source software can be used with a C-interpreter by first using a disassembler that converts the binary to a difficult to read C file.

For example, if OpenSSL had been run interpreted, the Heartbleed vulnerability would not have been possible.

You can’t obfuscate it enough to avoid decompiling.

Interpreters are very much prone to the very same errors found in non-interpreted language. Android’s Java source is a rich example of this. Ultimately, because there is very low level code in there, they are calling out – often without any sort of input validation as if the interpreter makes it poof safe – into non-interpreted, very much prone C code.

I guess. Or sloppy coding.

Though, in Heartbleed’s case, I would be very surprised if the US Gov and probably other governments did not know about that bug for a very long time, and maybe even made the slip up that made it possible in the first place.

Plausibly deniable backdoor in the form of a security vulnerability. Where is the drawback?

Rick February 27, 2015 11:48 PM

For VPN users, your real IP can be leaked if you use Chrome or Firefox on your Windows or FreeBSD endpoint. If you configure your VPN over your router then you are not affected.


Test your VPN for IP leak (no IP displayed tests negative, otherwise your not-so-anonymous public IP shows in the lower half of the dialog):

https://diafygi.github.io/webrtc-ips/


Hackernews Reports: http://thehackernews.com/2015/02/webrtc-leaks-vpn-ip-address.html

“An extremely critical vulnerability has recently been discovered in WebRTC (Web Real-Time Communication), an open-source standard that enables the browsers to make voice or video calls without needing any plug-ins.”


Apparently, Firefox team knew of it in January, 2014:

https://bugzilla.mozilla.org/show_bug.cgi?id=959893


The fix (via HackerNews):

“Luckily the critical security flaw is quite easy to fix.

For Chrome users :

Google Chrome and other Chromium-based browser users can install the WebRTC Block extension or ScriptSafe, which both reportedly block the vulnerability.

For Firefox Users :

In case of Firefox, the only extensions that block these look ups are JavaScript blocking extensions such as NoScript. To fix, try the following steps:

Type about:config in the browser’s address bar and hit enter.
Confirm you will be careful if the prompt appears.
Search for media.peerconnection.enabled.
Double-click the preference to set it to false.
This turns off WebRTC in Firefox.”
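To make the leak described in the comment above concrete, here is an added JavaScript example (not part of the comment or of the quoted article) that parses ICE candidate lines, as copied out of a browser's WebRTC diagnostics, and flags any public address that is not the VPN exit. The sample lines are constructed, using RFC 1918 and documentation address ranges, and `vpnExitIp` and the function names are hypothetical.

```javascript
// Added illustration: classify the addresses exposed in ICE candidate lines.
// Constructed sample: a LAN interface, a VPN tunnel interface, and the two
// server-reflexive (STUN-discovered) addresses that correspond to them.
const SAMPLE_CANDIDATES = [
  "candidate:1 1 udp 2122260223 192.168.1.23 51044 typ host",
  "candidate:2 1 udp 2122194687 10.8.0.6 51045 typ host",
  "candidate:3 1 udp 1686052607 203.0.113.45 51044 typ srflx raddr 192.168.1.23 rport 51044",
  "candidate:4 1 udp 1685987071 198.51.100.7 51045 typ srflx raddr 10.8.0.6 rport 51045",
];

// Parse the fixed leading fields of a candidate attribute (RFC 5245 grammar).
function parseCandidate(line) {
  const m = /^(?:a=)?candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)/i.exec(line.trim());
  if (!m) return null;
  return {
    foundation: m[1],
    component: Number(m[2]),
    transport: m[3].toLowerCase(),
    priority: Number(m[4]),
    address: m[5],
    port: Number(m[6]),
    type: m[7].toLowerCase(), // host, srflx, prflx or relay
  };
}

// Coarse address classification, enough to tell "stays local" from "routable".
function classifyAddress(addr) {
  // Current browsers may replace host addresses with random mDNS names.
  if (addr.toLowerCase().endsWith(".local")) return "mdns";
  const v4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(addr);
  if (v4) {
    const octets = v4.slice(1).map(Number);
    if (octets.some((o) => o > 255)) return "unknown";
    const [a, b] = octets;
    if (a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168)) return "private";
    if (a === 127) return "loopback";
    if (a === 169 && b === 254) return "link-local";
    if (a === 100 && b >= 64 && b <= 127) return "cgnat";
    return "public";
  }
  if (addr.includes(":")) {
    const lower = addr.toLowerCase();
    if (lower === "::1") return "loopback";
    if (/^fe[89ab]/.test(lower)) return "link-local";
    if (/^f[cd]/.test(lower)) return "private"; // unique local, fc00::/7
    return "public";
  }
  return "unknown";
}

// Flag candidates that expose a routable address other than the VPN exit.
function auditCandidates(lines, vpnExitIp) {
  const findings = [];
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) continue; // not a candidate line
    const cls = classifyAddress(c.address);
    findings.push({
      address: c.address,
      type: c.type,
      cls,
      bypassesVpn: cls === "public" && c.address !== vpnExitIp,
    });
  }
  return findings;
}

for (const f of auditCandidates(SAMPLE_CANDIDATES, "198.51.100.7")) {
  console.log(`${f.type.padEnd(5)} ${f.address.padEnd(15)} ${f.cls}${f.bypassesVpn ? "  <-- not the VPN exit" : ""}`);
}
```

With `media.peerconnection.enabled` set to `false` as in the quoted steps, no candidates are gathered at all, so there is nothing for such an audit to find.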

Nick P February 28, 2015 12:41 AM

@ Clive Robinson

That’s a pretty cool concept. The staggering number of implementations proves it. I knew there’d be a Racket implementation as metaprogramming is one of their favorite hobbies. Someone even did a Visual Basic .NET version haha. If I’m not lazy, I might try to submit one designed for security or verification of correctness.

Far as learning, Practical Common LISP is often recommended due to being a nice summary with practical lessons. A more recent book, Land of LISP, does the same while being much more clever and fun in teaching method. It also covers modern ground such as features in Clojure. It’s at many local bookstores out here. You might find it at one near you.

@ sena

That concept comes up here and there. The consensus is that it’s a bad idea. The best routes are to add security at the hardware level or embed security into translation to machine code. CheriBSD’s is the top project in the former. The most interesting example of the latter I’ve recently seen is Code Pointer Integrity. There’s prototypes available, too. I think such work can be combined with hardware like CHERI that inherently protects pointers or makes certain security checks cheaper.

Wael February 28, 2015 2:47 AM

@Clive Robinson,

Yup, same Hamming. I watched some of his YouTube videos from the third reference. There are so many things of interest here! Coding theory and compression (reminds me of @MarkH.) Learning to learn and following “principles”, which I suspect is the main reason you believed it would be interesting for me. And that refers to the method I was trying to follow for the security discussions. Principles, patterns, and dare I say the ‘C’ and ‘P’ words (that’s C-v-P, just in case someone with a dirty mind reads along…) Some are living in the distant and grim “Orange” past, and resist living in the future. They reject change…yet others detest present day engineers because they have no clue about analogue and the underlying physics… Between the two of you, my head will explode!!!

I recommend reading this article, it may be of interest to many.

Wael February 28, 2015 2:57 AM

@Nick P,

Far as learning, Practical Common LISP

I got you Lithp right here, pal! Do you see how a Lisp programmer sees your favorite “Forth”? Or should I say “Fors”? Everything is backwards these days…

Georg Kokte February 28, 2015 4:53 AM

I have not seen this discussed here and I thought this might be of interest:

http://boingboing.net/2015/02/27/your-voice-to-text-speech-is-r.html

“Apple spokesperson Trudy Muller told Wired that the company strips personal information from voice recordings before storing it for analysis it within Apple to improve the software.” Such a response only shifts the issues to who inside the company gets to ‘strip personal information’, since a machine is obviously unable to do it.

In short, we should never forget there are always people behind the algorithms, since most data is anthropic in nature. And that when we entrust the algos with our data, we’re implicitly entrusting those people.

uair01 February 28, 2015 5:39 AM

This is an interesting post about Silk Road and an interesting discussion:

The Dread Pirate Roberts as Statebuilder

Ulbricht built the Silk Road marketplace from nothing, pursuing both a political dream and his own self-interest. However, in making a market he found himself building a micro-state, with increasing levels of bureaucracy and rule‑enforcement and, eventually, the threat of violence against the most dangerous rule‑breakers. Trying to build Galt’s Gulch, he ended up reconstructing Hobbes’s Leviathan; he became the very thing he was trying to escape.

http://aeon.co/magazine/technology/on-the-high-seas-of-the-hidden-internet/
http://crookedtimber.org/2015/02/20/the-dread-pirate-roberts-as-statebuilder/

BoppingAround February 28, 2015 9:27 AM

Bob S.,

Tim Cook made very supportive statements about our privacy rights

I believe him.

He seems to be the one fellow from one of Mr. Schneier’s latest entries to me. The one who’d like your data to be secure from anyone but them.

I would think soon enough any reasonably intelligent criminal will either not communicate with electronics, or find ways to obfuscate their communications and whereabouts.

Funny, isn’t it? The very ‘protection’ system punishes the ‘law-abiding’ by stripping them of their rights whilst not being able to do much to criminals.

MiniME February 28, 2015 10:08 AM

I’ve been doing a little leisurely reading this weekend (Kaspersky’s report on IRATEMONK) and it struck me that, although its strongest feature is the ability to modify hard drive firmware, the entire structure seems to rely quite heavily on a Windows architecture in order to actually inject the malware, conceal the data and exfiltrate it. There is a passing mention of OSX and their ability to spoof links to iOS accounts somewhere in the report, but I found no details of *NIX-flavored OSs. How difficult or trivial would it be, in principle, to adapt IRATEMONK to Linux, BSD or UNIX?

Andrew February 28, 2015 10:27 AM

I just realized what’s going to happen. China will backdoor everything, US will keep doing it, other countries having components manufacturers too (Taiwan, Korea) and the whole world will be jammed because of stupidity, since they won’t buy backdoored products.

pallas February 28, 2015 10:30 AM

An interesting 31C3 presentation on Tor Hidden Services explains that the algorithms involved in traffic correlation attacks have gotten so reliable that anyone with a bird’s-eye view over the network would easily be able to isolate a single packet stream from within a pool of millions. Seeing as the NSA basically pwns the Internet backbone (which in theory suggests that they do not even need to run Tor guard/exit nodes in order to observe and time the traffic going through them — they just need to watch the backbone and be friendly with ISPs), is there any reason why their slides from a couple of years ago state that they are still unable to deanonymize Tor users?

albert February 28, 2015 11:34 AM

@pallas
Disinformation?
.
@SoWhatDidYouExpect
They are blood-sucking parasites. It’s in their DNA. Comparing their behavior to children is an insult to children everywhere. I’m beginning to think that maybe even actual blood-sucking parasites might be offended…
.
@Everyone
Fbers and Twits deserve everything they ‘get’. You’ll be screwed by the system in proportion* to the amount of trust you put in the system.

‘Elections’ are bought and paid for. There’s no need for psychological manipulation. The MSM has everything under control. Need I mention the increasing use of internet-based computerized voting machines? Here, of all places?
.
I gotta go…
.
*it may, by now, be a power function:)

albert February 28, 2015 12:04 PM

@Clive
Excellent article about Hamming. His rules apply to all fields of learning, not just science. ‘His’ Rule #7 also applies to subjects that can be learned, but cannot be taught. Is this all original and unique thinking? No, but these things are important for students to know, and all of us are students. The ignorant person becomes a teacher, but fails to understand the importance of also being a student.
.
As for the ‘personal angle’, he mentions Watson, Crick, and Chargaff, but fails to point out how Rosalind Franklin got totally screwed by the Nobel Committee.
.
‘Childish behavior’ is not confined to the corporatocracy.
.

Logical Primacy February 28, 2015 12:56 PM

@Clive “This article about Hamming’s view on life long learning might prove of interest.”

Hamming also wrote an excellent book of value to aspiring cryptographers, “The Art Of Probability”. The presentation is developed in a conceptual way that is easy to understand. Hamming really knows how to teach as well as learn.

Nick P February 28, 2015 1:06 PM

@ Wael

“dare I say the ‘C’ and ‘P’ words (that’s C-v-P, just in case someone with a dirty mind reads along…) Some are living in the distant and grim “Orange” past, and resist living in the future.”

Bro, I’m constantly trying to create change and a future. I think you just upgraded your eyewear to filter out all the color in my posts except Orange. Their style of system has become the smallest part of my recommendations. Their processes just represent good system lifecycle and so I keep updating them. Even so, I keep my mind open for things like Galois’ Goal-based Assurance* scheme.

“I got you Lithp right here, pal! Do you see how a Lisp programmer sees your favorite “Forth”? Or should I say “Fors”? Everything is backwards these days… ”

That’s funny. I thought the mini LISP being implemented in Forth was amusing for that exact reason. It’s like Toyota cars being built with Ford factories or vice versa. Forth might be a better fit for JavaScript targets, though, due to ease of implementation. Functional programming is always more awkward to put on an imperative, language-specific VM.

* Didn’t include a link because you’re already drowning in papers. Gotta keep you afloat. 😛

B Larsen February 28, 2015 1:30 PM

The disappeared: Chicago police detain Americans at abuse-laden ‘black site’
http://www.theguardian.com/us-news/2015/feb/24/chicago-police-detain-americans-black-site

The Chicago police department operates an off-the-books interrogation compound, rendering Americans unable to be found by family or attorneys while locked inside what lawyers say is the domestic equivalent of a CIA black site.

The facility, a nondescript warehouse on Chicago’s west side known as Homan Square, has long been the scene of secretive work by special police units. Interviews with local attorneys and one protester who spent the better part of a day shackled in Homan Square describe operations that deny access to basic constitutional rights.

Alleged police practices at Homan Square, according to those familiar with the facility who spoke out to the Guardian after its investigation into Chicago police abuse, include:

  • Keeping arrestees out of official booking databases.
  • Beating by police, resulting in head wounds.
  • Shackling for prolonged periods.
  • Denying attorneys access to the “secure” facility.
  • Holding people without legal counsel for between 12 and 24 hours, including people as young as 15.

At least one man was found unresponsive in a Homan Square “interview room” and later pronounced dead.

Clive Robinson February 28, 2015 1:55 PM

The leader of the Russian Opposition was shot in Moscow on Friday night when walking from a restaurant with a female companion (supposedly his Ukrainian model girlfriend).

He was shot four times, at least three of which were in the back, his companion was unharmed but was quickly taken into police custody, his flat was then raided and searched by the police.

This occurred shortly after he had announced on the radio he was working on a report that proved that Russian troops were in the Ukraine in sizable numbers.

http://www.theguardian.com/world/2015/feb/27/russian-opposition-politician-boris-nemtsov-shot-dead-moscow-reports

The investigation has been taken over personally by Mr Putin. Various statements have been issued including blaming Muslims and the opposition itself…

This gangland style killing marks a significant escalation in assassinations of people who Putin Supporters call “5th columnists”.

Many are blaming Putin for either directly ordering the hit, or creating the environment where those who “wish to impress” will give such orders.

The US is warning that Putin will order troops into the Ukraine to take over other strategic places.

Also Mr Clapper has indicated that cyber activities originating from Russia are escalating, which may not be unconnected with what is currently occurring in Russia, Syria and the Ukraine.

The Norwegian government has also announced it is upping its air defences due to incursions into its air space as Russian planes fly outwards to make incursions into UK, US and other NATO countries’ air space,

http://www.sldinfo.com/russian-bombers-step-up-incursions-into-european-air-space/

Some people are asking questions about Russia potentially annexing the Arctic, not just for access to resources but also to extend its territorial limits down into European and US waters, which would allow it to exert control over international transportation.

http://www.newsweek.com/2015/03/06/what-russia-arctic-308941.html

It looks like things are “hotting up” with Russia moving into a more offensive role towards the West than it has done since before the end of the cold war. Many think that it is likely to include a significant amount of cyber activity as has been seen before over Estonia etc.

Thus as they used to say “Keep your eyes sharp and your powder ready to load for bear”, or in modern parlance “Upgrade your IDS and Firewall rules”, but still keep a weather eye on both the Middle and Far East with Syria / IS and Korea / China now the new year is over.

albert February 28, 2015 3:25 PM

@Nick P
“…’C’ and ‘P’ words…”
.
I do have a dirty mind, but please explain ‘C’ and ‘P’ for a somewhat dim one. (always enjoy your comments, though I don’t always understand the tech)
.
@B Larsen
Re: Homan facility.
Disappointing, but not surprising. Isn’t this what everyone was warning us about? The militarization of the police? Police forces are quasi-military to begin with, so it’s an easy transformation. It’s even easier to implement illegal and unconstitutional practices just like the military/TLA complex does. ‘Creeping fascism’ is almost an outmoded term.
.
@Clive
Re: Russia
sldinfo, newsweek, seriously? Why not some press releases from Capitol Hill and the State Department? The Guardian seems more balanced, rather than going off half-cocked like the US MSM. Wait ’til the pundits start pontificating; you ain’t heard nothin’ yet.
.
I have to mention our Hypocrite-in-Chief, “…The US president called on Russia’s government to conduct a “prompt, impartial and transparent” investigation, describing Nemtsov as a “tireless advocate” for citizens’ rights and fighting corruption…”.
.
This from a man who never conducted a prompt, impartial and transparent investigation of anything, and was never a tireless advocate for citizens’ rights and fighting corruption.

(laughing break……..break over)
.
Yeah, Russia is a totalitarian state, run by a crook. It’s not that different from most other countries we know. Putin is no fool; he’s proved that in Ukraine, dealing with US-installed puppet gov’t, in dealing with the BS sanction movement, and the constant provocation by US and NATO countries. He hasn’t been provoked, which isn’t what the US wants. The last thing he would do is to assassinate an opposition leader.
“…Nemtsov gave an interview in which he said he was scared that Putin would try to have him killed….”.
Nemtsov painted a target on his own back! Why would he say this? Where would he get this idea? If anything, such a statement would virtually guarantee his safety from Putin. Does anyone think Putin is THAT stupid? Ya think that Ukrainian model picked the restaurant? This has CIA written all over it. You read it here first!
.
…and if you don’t hear from me again, it’s been fun…

Nick P February 28, 2015 5:19 PM

@ albert

Glad you enjoy them. 🙂 The Castle vs Prison (CvP) metaphor was Clive’s way of attempting to create a framework to represent our differing approaches to securing systems. Led to fun and enlightening discussions but the ways the metaphor didn’t fit sidetracked others. So, I told Clive and Wael I’d rather drop it in favor of focusing on designs themselves. Hence, Wael calling it a dirty word or phrase.

Far as designs, I focused on making systems immune to problems by design and rigorous implementation (eg building a castle). Clive focused on containing individual functions (eg prisons) with profiling and monitoring to catch unusual activity. If we’re talking software attacks, I believe proper design and implementation (my approach) can prevent modern attacks we see with little hardware, software, or developer overhead. Just a matter of choosing the right combination of things we know work and tweaking them.

An example is the Burroughs B5000: it tagged each chunk of memory with a bit saying whether it was code or data. The processor ensured data operations only happened on data. So, by design, opening an email attachment (data) couldn’t result in code execution. The overhead of 1-bit and tag checking is negligible. This one feature knocks out a ridiculous amount of attacks with about no effort. Other issues would need to be addressed for sure. Yet, best to design systems in ways where it’s easy to build robust software rather than hard (read: almost all chips/OS’s).

sena kavote February 28, 2015 5:48 PM

re: interpreting c

First, when I wrote “disassembler” I meant decompiler. That was a bad slip-up. Moderator, please fix that, preferably with the “erase font” so that the previous version is still visible.

I should have written:


Even proprietary closed source software can be used with a c-interpreter by first using a decompiler that converts the binary to a difficult to read c file.

@Nick P

If interpreting c is a bad idea that keeps popping up then we need a good explanation why it is a bad idea.

1. Cheri-like security on processors is a very tall order. Difficult to believe it would get widespread without Intel, AMD, Apple or Nvidia. Maybe… But I admit it does not have to be widespread to make society more secure if most critical systems and people use it.

2. Can I use better protection with compilers? What command line arguments can I use with GCC or LLVM Clang? If I use a Linux distro that compiles from sources as part of installation and update, can I choose that protection there too? Could I put adobe flash player through a decompiler and then compile it with such protections? How much is performance decreased?

Buck February 28, 2015 6:00 PM

@Clive (and tangentially @albert)

I think assassination might be outmoded as well… I’m not a hundred percent sure, but I think a much more deniable/effective method has been built up recently. Perhaps we could ask Dan Rosen..?

Bob S. February 28, 2015 6:06 PM

@BoppingAround

Re: Tim Cook. Yes, it would seem he is one of those who wants our data and wants no one else to have it. Yet, he has made several presentations with the same theme, Apple makes money selling devices, not data. I sort of trust his word on that. You got to trust somebody.

Anecdotal evidence: K. Alexander’s personal device was a Mac.

Re: Sacrificing privacy to make it convenient to investigate/prosecute even the most trivial crime. That’s the way it’s going for certain and we are literally being drowned in propaganda to get us to accept it as the new paradigm. Few seem to notice, or care.

SoWhatDidYouExpect February 28, 2015 6:49 PM

An advancing attack on encryption, targeting iPhone6 apparently:

Secret Marijuana Farm Beneath Brooklyn Cherry Factory Leaves Many Mysteries

http://www.nytimes.com/2015/02/27/nyregion/secret-marijuana-farm-beneath-brooklyn-cherry-factory-leaves-many-mysteries.html

From the article:

“Law enforcement officials are just as perplexed about Mr. Mondella’s motives. Though investigators are sorting through a substantial bounty of evidence, they have no hope of gaining access to the data on Mr. Mondella’s iPhone 6, which, like other new-model iPhones, is encrypted with a user-created code that even Apple says it cannot unlock.”

It would seem that law enforcement is not content to deal with essentially an open/shut case, but since they have nobody to arrest (that guy is dead), they have to look elsewhere to make a public splash.

Let the mystery be…

TheFlasher February 28, 2015 6:51 PM

Friday Squid Blogging: Humboldt Squid Communicate by Flashing Each Other

I didn’t know Humboldt Squid wore long trench coats.

Wesley Parish February 28, 2015 7:21 PM

@Clive Robinson

My reaction to reading the first principle of Hamming’s Life-Long Learning Principles was along the lines of “teach your grandmother to suck eggs?”

It’s obvious. So obvious of course that someone had to call attention to it. But I knew that sort of thing in High School, which is probably why I was so bored with the syllabus and pretty much made up my own. About the only thing I lacked was rigor, but I was so terrified of rigor mortis, that I never allowed myself that luxury.

Ћ February 28, 2015 8:01 PM

@albert, “Russia is a totalitarian state, run by a crook.”

Putin is actually fairly incorruptible. That’s what drives the US spooks crazy. He’s legalistic, not in the US way, “How can I twist this to justify what I want to do?” but in the context of peremptory norms. The USG wants to project its hypocrisy on Putin. But peremptory norms constrain the psycho USG more than Russia. Simply by supporting rule of law, Putin grapevines the US government.

Exactly, re Nemtsov. Putin has an >80% favorability that any US pol would give his left nut for. Why would he bother to whack some guy who can’t even win a mayoral election? It’s ridiculous, purely for the consumption of US goobers who’ve never set foot in Russia. With them, CIA can spin a yarn about how foreign devil Putin kills his refuseniks.

@clive, you’re getting carried away with the excitement of illegal war propaganda. Clapper, that shit plenum, renowned fabulist, tells you Russian cyber activities are increasing, and you take him seriously? He’s like Jonathan Winters in The Russians are coming. Offensive role? WTF are you reading? The Arctic?!?

Russia can fight NATO to a standstill at the brink of ecocide. They’ve contained the Western bloc, and they’re moving on to things that interest them more. US foreign-policy apparatchiks cannot possibly comprehend what Putin’s doing. It’s statecraft, and the spooks have purged all the dips who remember what that is.

Daniel February 28, 2015 8:11 PM

Thanks for the link AndrewJ.

Bruce writes at the end of the essay, Psychological manipulation—based both on personal information and control of the underlying systems—will get better and better. Even worse, it will become so good that we won’t know we’re being manipulated.

There is a term for the condition where an authority figure is able to manipulate one yet one is not capable of knowing one is being manipulated. That term is “childhood”.

Buck February 28, 2015 8:23 PM

Ahhh, stupid javascript! I was searching for the full Hamming article, not realizing that each rule has a dropdown explanation if you click it… Always learning something, I guess! 🙂

Nick P February 28, 2015 11:08 PM

@ sena

re why it’s a bad idea

The problem is that C is designed to introduce problems constantly in code. While not the designer’s intent, it’s a byproduct of the designer’s intent to make the most bare metal language he could. Legacy C code will use pointers, pointer arithmetic, arrays, strings, and so on that can each introduce a vulnerability. Unless you can prove the use is safe, you must insert a protection to kick in when the use happens. You end up running almost as many checks as code to do work in.

re compiler methods

That’s actually the way protecting C apps is usually done. A good example of the overheads can be found in the CCured paper. A more modern tool for you with source code is SoftBound. Another approach is a C to JVM compiler if your underlying OS is something like JX operating system or you use Java web services but need a native library.

Clive Robinson February 28, 2015 11:36 PM

@ Albert,

The problem with quoting media outlets is finding an article that gives sufficient facts without being sufficiently long / boring that it goes over the “stop reading” threshold for most people. For instance,

http://freebeacon.com/national-security/russian-nuclear-bombers-buzz-northern-europe/

As for the issue with the sources’ motivations, yes these appear to be “tassel tops” waving the flag and beating the drum, but they are the only ones outside of trade journals carrying lists of the more provocative / incursive flights, and importantly the information that the flights do not carry out international peacetime norms for flight safety in international air space by turning off transponders, not filing flight plans, flying across and in wrong direction in recognised air traffic corridors etc.

Whilst other more traditional news outlets –including the BBC– have mentioned one or two incidents they quite deliberately lack most details. Such as importantly that the numbers of such flights have vastly increased on just a couple of years ago. Nor do they mention the other “flicking the finger” style activities the Russians are up to like dropping Russian flags out of submarines all over the arctic area that started a few years back.

Such activities may be Putin “flexing his pecs”, but you have to ask at whom the message is being directed and importantly why. It’s too easy to write it off as “old man virility” issues but that is a western affectation more than a Russian one.

As for the killing of the opposition leader, it’s anybody’s guess as to who did it. However the number of killings of people opposed to Putin is certainly on the rise, and they are all effectively “unsolved” currently. Further the increase in such killings does not appear to have affected Putin’s support, in fact the opposite can be seen, that is Putin’s popularity is also rising. Only time will tell if this current killing will have any real effect on Putin inside of Russia. What is clear is that it will cause increased fear, not just in the opposition but in the old Soviet Republics, where tensions are already high over the Ukraine, and what is seen by many as Putin trying to stop non Russian controlled energy supply in the region (which has been his preferred way to “project power” quickly and easily).

As for Clapper, no I don’t believe anything that comes out of his mouth without verification from several sources. However very many people do, which is an issue for the rest of us. Back a few years ago when the War Hawks started on “China APT” I pointed out that APT activities were not uniquely Chinese and that most countries were at it one way or another and amongst others specifically mentioned both Israel and Russia, and warned that ICTsec people should not take their eye off of these other places just because of all the China APT noise. It’s why I made the “no 5h1t Sherlock” comment about Clapper above.

However what I do listen for when Clapper utters is any changes in what he is saying. As these changes tend to act as smoke signals to other US activities or intents by the War Hawks / IC / current administration. Thus whilst I would dearly love for Clapper to be consigned to the effluent / landfill of history, he does serve as a canary in a cage on some issues.

So I suspect that Russia is now rather more than a “red flag” issue and thus the US people are being “warmed up” for the “main act” to follow. As you note, the current POTUS is like Janus “two faced” at the best of times, but like a toothless tiger he knows the end is nigh and it makes him much less prudent than he might otherwise be. Especially as he has no effective legacy to mark what he stood for in history, and thus is ripe for a derogatory “Peanuts Carter” style epitaph. Thus he may well be tempted to “push back” against the activities of China or Russia in some way, both of which have held him and thus the US to be style over substance, and seen by much of the rest of the West as the beginning of the US “swan song” on “projecting power” in a meaningful not cowardly way.

The thing is that “projected power” is both an illusion and very costly to maintain, which historically turns it into a “paper tiger” (see the shenanigans with the UK and defense spending). Which means at some point others will start to “call the bluff” which is what China and Russia are effectively doing. They can see that the mess in the middle east caused by the inappropriate response by a previous POTUS and his administration to the 9/11 trigger has demonstrated that the US can not live up to the illusion of “putting the world to rights”. Thus in effect they see it as probably the US’s “last hurrah”, and are testing it for confirmation and thus a prelude to more significant action.

What may well have emboldened Putin is Syria, where a little support for the entrenched ruling party has prevented the west taking action, which can be seen to have been one of the major causes of the rise of IS. However when you view Russian media it is portrayed differently, that is Russian support is stopping the rise of IS in Syria, whilst the US and West are impotent to stop IS rising and taking over Iraq and Kurdish regions. This view is spreading and can already be seen to be having an effect in Turkey.

So what is POTUS to do… well there is little or no push back against China currently, and it’s doubtful that the US citizens would support it for a variety of reasons. Russia however, is still seen as the “old foe” and current instigator and fomenter of blood shed and oppression in the Ukraine and other places, and a significant threat to both Europe and NATO. Thus pushback against Russia would be seen more favourably in the US but a lot lot less favourably by the rest of the West (see recent activities of Germany and France for instance).

The problem is as has been seen in the recent past with Russia, is what they previously lacked in physical might, they more than made up for in cyber might. Whether this was due to direct orchestration from Putin or those trying to establish status / favour with him, is debatable, what is not is that he is responsible for the situation that allowed it to occur, and appears to have benefited by it.

The fact that Putin has not changed the situation for the better, in fact the opposite should be taken on board by all ICTsec professionals in the West as an indicator that things are going to get a lot worse on the cyber attack front if POTUS does push back.

Now some will argue that the US would win a cyber war currently, and that this may be a sufficient reason to show the US is not a paper tiger on this front, others will argue that the current administration are trying to foment a cyber-war with either China or Russia to prove they are not paper tigers. Hopefully these will remain minority views not just in the NGO population but the political administration as well.

Personally I think the US needs a cyber war “about as much as it needs a hole in the head”. The outcome of a cyber war would in no way be certain as many commenters here well know. Importantly the US and the West which are the most dependent on ICT would suffer the most damage irrespective of the final political outcome, thus a US victory would be Pyrrhic at best. The simple fact is that the US civilian ICT infrastructure is in no way ready to defend itself from any kind of attack and much of the West not much better. Whilst the basic utilities of power and water might well survive with minimal harm, it is unlikely that the overlaying ICT structure will, and the further up you go the less well defended it is. The result would be like a tsunami, the heavy duty stuff will remain but most of the light stuff on top will be swept away or in complete disarray along with the populace. The light stuff in the cyber case being all but a few commercial organisations, as was dryly noted about hardening the utilities against nuclear attack back in the Thatcher era “It’s all very well having the power available to turn the lights back on, but it’s a wasted effort if there are no places left with lights to turn on”…

Wael February 28, 2015 11:48 PM

@Nick P,

Bro, I’m constantly trying to *create* change and a future. I think you just upgraded your eyewear to filter out all the color in my posts except Orange

I know. The “color” part is just “humor” to avoid dry discussions. The real world has enough stress and dry topics…

Wael February 28, 2015 11:53 PM

Homomorphic encryption is another possibility for future “secure” computing. Suppose you have control over a device that can encrypt / decrypt data, but sends the cipher text for computation to an Untrusted device (a device that the owner lacks control over)… Other ideas come to mind…

Wael March 1, 2015 12:04 AM

@Nick P,

* Didn’t include a link because you’re already drowning in papers. Gotta keep you afloat. 😛

I don’t know how one can keep up with that amount of papers. Did you take a course in speed reading?

I took a course in speed reading. Then I got Reader’s Digest on microfilm. By the time I got the machine set up, I was done. — Steven Wright

Nick P March 1, 2015 12:13 AM

@ Wael

If we ever meet, I might tell you the secret to that. The Steven Wright quote is funny, though, even though we clearly have different approaches to microfilm: I never bothered to set up the machine. He’s so far ahead of me…

Figureitout March 1, 2015 12:50 AM

C/C++ weirdness
–Anyone know what’s happening here? It’s kinda ticking me off I can’t see it lol. I do enjoy these little tricks though.

#include iostream
using namespace std;

int main() {
int x=1, y=1;
int z;
z = x+++y;
cout << z << endl;
return 0;
}

So it’s weird formatting (sh*tty actually), the iostream has >’s around it but won’t print here due to html restrictions and I added ‘int z;’ as he forgot to define in his original so it thankfully won’t compile as he wrote it, but these kind of sneaky things we need to catch. What I thought would happen is x is being added to y after y being incremented before being added, so z should be 3…dafuq?

https://gist.github.com/mikecurry74/933ee1ac4505110c84bb

Next one, this one really gets me! :

#include "stdio.h"
#define else

int main() {
    int z = 0, x = 'T', y = '*';
    z = x---y;
    if ( z == 42 ) {
        fprintf(stdout, "Hello ");
    } else {
        fprintf(stdout, "World!\n");
    }
    return 0;
}

https://gist.github.com/mikecurry74/0e4f62a29b9af0adf14b

So I know #define -ing a keyword ‘else’ is really fishy, also no one in their right mind would define 84 as ‘T’ or 42 as ‘*’ integer, unless you want to get slapped. But I don’t know what’s happening in the next else. z gets decremented after what should be decrementing y before, so z should be 43…z stays 42 before and after printing hello world and x changes to 83 after printing. So maybe it’s doing x-- then -y?

But it works! Compiles no warnings, prints Hello World! perfectly and exits. Wtf…tricky.

These tricks are funny too, like the NaNaNaNaNaNaNa “batman” one in javascript lol: https://www.destroyallsoftware.com/talks/wat but they leave me confused. It’s not a good feeling when it’s not a joke and code runs wrong!
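Added example, not part of the thread or of the linked gists: both puzzles in the comment above come down to how C splits source text into tokens and what an empty macro does to `else`. The `munch` lexer and the helper names are hypothetical, and the second puzzle's expression is taken to be `x---y`.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_TOK 16
#define TOK_LEN 8

/* Greedy ("maximal munch") lexer for the small operator subset the puzzles
   use. At each position it takes the LONGEST valid token, as a C lexer does. */
static int munch(const char *src, char tok[MAX_TOK][TOK_LEN]) {
    int n = 0;
    while (*src && n < MAX_TOK) {
        size_t len = 1, copy;
        if (isspace((unsigned char)*src)) { src++; continue; }
        if (isalnum((unsigned char)*src) || *src == '_') {
            while (isalnum((unsigned char)src[len]) || src[len] == '_') len++;
        } else if ((*src == '+' || *src == '-') && src[1] == *src) {
            len = 2;                      /* "++" / "--" win over "+" / "-" */
        }
        copy = len < TOK_LEN - 1 ? len : TOK_LEN - 1;
        memcpy(tok[n], src, copy);
        tok[n][copy] = '\0';
        n++;
        src += len;
    }
    return n;
}

struct state { int z, x, y; };

/* Puzzle 1: tokenised as  x ++ + y,  i.e. (x++) + y. y is never incremented. */
static struct state triple_plus(int x, int y) {
    struct state s;
    s.z = x+++y;
    s.x = x;
    s.y = y;
    return s;
}

/* Puzzle 2: tokenised as  x -- - y,  i.e. (x--) - y. */
static struct state triple_minus(int x, int y) {
    struct state s;
    s.z = x---y;
    s.x = x;
    s.y = y;
    return s;
}

/* Puzzle 2's macro: "else" expands to nothing, so "} else {" becomes "} {"
   and the second block is an unconditional statement following the if. */
#define else
static int branches_run(int z) {
    int ran = 0;
    if (z == 42) { ran |= 1; } else { ran |= 2; }
    return ran;   /* bit 0: "Hello " block ran, bit 1: "World!" block ran */
}
#undef else

int main(void) {
    char tok[MAX_TOK][TOK_LEN];
    int i, n = munch("z = x+++y;", tok);
    struct state a = triple_plus(1, 1);
    struct state b = triple_minus('T', '*');

    for (i = 0; i < n; i++) printf("[%s] ", tok[i]);
    printf("\nx+++y: z=%d x=%d y=%d\n", a.z, a.x, a.y);
    printf("x---y: z=%d x=%d y=%d\n", b.z, b.x, b.y);
    printf("blocks run for z=42: %d, for z=0: %d\n",
           branches_run(42), branches_run(0));
    return 0;
}
```

In review, a `#define` whose name is a keyword and any run of three or more `+` or `-` characters are both cheap to flag with a text search before the code ever reaches a compiler.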

Clive Robinson March 1, 2015 1:16 AM

@ Wael,

Homomorphic encryption is another possibility for future “secure” computing

As might time traveling, both appear equally remote in time 😉

More seriously, homomorphically protected computer systems need to clear three hurdles,

1, Must allow all operations required to be Turing complete.
2, Must be efficient in use of resources.
3, Must be sufficiently fast to provide answers in meaningful time.

It’s the last one that’s important to its success, after all as far as the most financially important systems are concerned the difference in time to relay information up a mountain and down again cost justifies making a tunnel through it instead.

That is the speed of light time loss at 1nS/foot or 3.33uS/Km on increased path length justifies the ~10,000USD/meter rock tunneling, support and finishing cost through the Pennsylvania mountains for some financial trading systems….

http://finance.yahoo.com/blogs/the-exchange/high-frequency-trading-making-joke-markets-124446937.html

http://www.telegraph.co.uk/finance/newsbysector/banksandfinance/10736960/High-frequency-trading-when-milliseconds-mean-millions.html

Nick P March 1, 2015 1:32 AM

@ Figureitout

It’s funny that you mock our complaints about C/C++’s lack of readability then you post a question about how 4 lines of code works. I’m trying to look back at where people with some experience in a well-designed language got stomped on what four lines mean. Can’t recall. I think you made our case for us haha.

Figureitout March 1, 2015 1:41 AM

Nick P
–Laugh it up fuzzball, I spent all of about 30 minutes after I started drinking using my brain instead of tools to debug. I’ll move on w/ my life and do a million other things w/ C on a million platforms and get my freedom, performance (and I like the syntax of clean C code) and an actual product to speak of instead of your typing up about type systems typity type type worthless.

I bet these kinds of “bug-enabling quirks” would be buried in the mega-turd “actual reality” of making a type system work in Ada or Java (Java…java…seriously?!). But I’m sure the hard parts are abstracted away from you and let the engineers deal w/ actual functioning of the system, eh? Give you your little play pen and better wrap you in 20 layers of bubble wrap too.

Figureitout March 1, 2015 2:22 AM

Nick P
–I’ll wait until someone way smarter than me actually makes a better and more powerful language than C. Until then, I’m not going to force myself to learn annoying sht. Oh man, tagging data w/ a bit, makes me feel soooo secure lol. Already can do that. Fckin’ weak too, there has to be stronger defenses.

BTW: no one in their right mind would do a #define else anything and the really stupid definitions and the fprintf is suspicious and z---y shenanigans. Likewise when you have freedom I can just walk up and punch you in the face or break into almost any house in the US or just camp outside w/ a gun and fire away but only a pussy w/ some important brain parts missing would do it. That’s what a lot of these attacks are really when you can’t make it physically disappear or do it w/o electricity or on metal.

Clive Robinson March 1, 2015 7:27 AM

@ Thoth,

I think it was you who asked the other day if you could use some of my words / ideas.

The answer is yes on two conditions. Firstly some kind of acknowledgment for our host and his blog and myself would be polite. Secondly if you ever meet me buy me a drink ( a nice tea is preferable to coffee 🙂 ) alternatively if you ever meet our host buy him two drinks, then if and when I meet Bruce he can pass one on.

These by the way are my “standard terms” to just about anyone who wants to quote me or use my ideas. Which reminds me there are a couple of PhD students who probably owe me a drink, and yes they know who they are as well as I do.

Wael March 1, 2015 8:53 AM

@Clive Robinson,

Must allow all operations required to be Turing complete

If you take a Turing complete machine and are able to simulate it with homomorphic instruction set and data machine, then it’s Turing complete. It’s a matter of “mapping”.

Must be efficient in use of resources.

Initially it doesn’t. After it’s shown to be Turing complete, one can work on improving efficiency.

Must be sufficiently fast to provide answers in meaningful time.

Just like above. It’s ok to go through evolutionary steps.
It’s all hypothetical at this point. But the principle is the same! Don’t give information to a device you have no control over. Have the device do what you want without revealing the nature of input, output, or operations. This comes from the definition of security I shared previously.
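Added example, not from any commenter: the split described in this exchange (a trusted device encrypts and decrypts, an untrusted one computes on ciphertext only), shown with Paillier, a scheme the thread does not name and which is used here because it fits in a few lines. The primes and `r` values are constructed toy values, and Paillier supports only addition and scaling of plaintexts, far short of the "all operations" hurdle.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint64_t u64;

/* Constructed toy primes; real keys use primes of 1024 bits or more. */
#define P 61u
#define Q 53u

/* Safe without 128-bit math only because every modulus here is below 2^24. */
static u64 mulmod(u64 a, u64 b, u64 m) { return (a % m) * (b % m) % m; }

static u64 powmod(u64 b, u64 e, u64 m) {
    u64 r = 1 % m;
    b %= m;
    while (e) {
        if (e & 1) r = mulmod(r, b, m);
        b = mulmod(b, b, m);
        e >>= 1;
    }
    return r;
}

static u64 gcd(u64 a, u64 b) {
    while (b) { u64 t = a % b; a = b; b = t; }
    return a;
}

/* Modular inverse by extended Euclid; returns 0 when no inverse exists. */
static u64 invmod(u64 a, u64 m) {
    int64_t t = 0, nt = 1, r = (int64_t)m, nr = (int64_t)(a % m);
    while (nr) {
        int64_t q = r / nr, tmp;
        tmp = t - q * nt; t = nt; nt = tmp;
        tmp = r - q * nr; r = nr; nr = tmp;
    }
    if (r != 1) return 0;
    return (u64)(t < 0 ? t + (int64_t)m : t);
}

/* n and n2 are public; lambda and mu never leave the trusted device. */
struct key { u64 n, n2, lambda, mu; };

static struct key keygen(void) {
    struct key k;
    k.n = (u64)P * Q;
    k.n2 = k.n * k.n;
    k.lambda = (u64)(P - 1) * (Q - 1) / gcd(P - 1, Q - 1);   /* lcm */
    k.mu = invmod(k.lambda, k.n);
    return k;
}

/* Trusted side: c = (1 + m*n) * r^n mod n^2 (generator g = n + 1).
   r must be coprime to n; real use draws it at random per message. */
static u64 encrypt(const struct key *k, u64 m, u64 r) {
    u64 gm = (1 + (m % k->n) * k->n) % k->n2;
    return mulmod(gm, powmod(r, k->n, k->n2), k->n2);
}

/* Trusted side: m = L(c^lambda mod n^2) * mu mod n, with L(u) = (u - 1) / n. */
static u64 decrypt(const struct key *k, u64 c) {
    u64 u = powmod(c, k->lambda, k->n2);
    return mulmod((u - 1) / k->n, k->mu, k->n);
}

/* Untrusted side: receives n^2 and ciphertexts, never a key or a plaintext. */
static u64 untrusted_add(u64 n2, u64 c1, u64 c2) { return mulmod(c1, c2, n2); }
static u64 untrusted_scale(u64 n2, u64 c, u64 k) { return powmod(c, k, n2); }

int main(void) {
    struct key k = keygen();
    u64 c1 = encrypt(&k, 20, 17), c2 = encrypt(&k, 22, 23);  /* constructed r */
    u64 sum = untrusted_add(k.n2, c1, c2);
    u64 tri = untrusted_scale(k.n2, encrypt(&k, 14, 29), 3);
    printf("c1=%llu c2=%llu\n", (unsigned long long)c1, (unsigned long long)c2);
    printf("Dec(c1*c2)=%llu Dec(c^3)=%llu\n",
           (unsigned long long)decrypt(&k, sum),
           (unsigned long long)decrypt(&k, tri));
    return 0;
}
```

Results wrap modulo `n`, so the trusted side has to know the plaintext range in advance; the untrusted side cannot detect an overflow for it.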

Wael March 1, 2015 9:04 AM

@Nick P,

If we ever meet, I might tell you the secret

It’s a small world! Daisy if we meet 🙂

65535 March 1, 2015 9:09 AM

@ Benni

“BND tried to sell another Trojan…”- netzpolitik

I note that Advanced German Technology GmbH indicates they can plant a remote access Trojan on mobile phones. This includes key loggers, SSL/TLS stripping; call recording, screen shots, metadata and GPS data and ex-filtration of data at times of low use. Cell phones apparently can get viruses and root kits [ see their sales brochure in pdf format].

I see the company is strong-arming the newspaper to redact the executives’ pictures. That’s a sign of aggression.

“Dubai office acts as headquarters” which would probably by-pass various arms sales laws. I would guess their Trojan kit gets sold first to legit governments and sold again to low-life war lords.

@ Clive
“Russian Opposition was shot in Moscow on Friday night…” –the guardian

Putin is consolidating power quickly. He is not wasting polonium on his enemies – just bullets – unlike the murder of Alexander Litvinenko.

Technical question: Microwave ovens use a quasi faraday cage to contain the microwaves. Is the front panel grid energized or grounded as in some faraday cages?

Wael March 1, 2015 9:17 AM

@Figureitout,

C/C++ weirdness
–Anyone know what’s happening here? It’s kinda ticking me off I can’t see it lol. I do enjoy these little tricks though.

C, and to some extent C++, allow such “abuse”. Some rookie programmers think it’s a sign of language mastery to use this “cute” style of coding. Abuse of the language is one of the sources of security issues. And when another schmuck cuts the code without understanding what is going on…

BoppingAround March 1, 2015 10:32 AM

Bob S.,

Apple makes money selling devices, not data.
They could try and make some money selling data too. As others may say, ‘everyone is doing it’. Why forfeit profit? It’s not like ethics mean something to most of the businesses.
The recent HealthKit seems to be lucrative for that kind of deals. OS X Yosemite was caught sending various data back to the mothership.

You got to trust somebody.
Maybe. Why spend your precious trust on someone who’s unlikely to deserve it though?

Anecdotal evidence: K. Alexander’s personal device was a Mac.
Think about it. Someone of his level has a permanent target painted on his back. Does it really matter what he uses?

Wael March 1, 2015 10:42 AM

@Figureitout,

So it’s weird formatting (sh*tty actually), the iostream has >’s around it but won’t print here due to html restrictions

There is often a workaround 😉

To print ‘&lt’ , you’ll need to type ‘&amplt’ or the unicode equivalent: ‘&amp#60’. If you do that, then your code snippet will look like this:

#include &ltiostream&gt
using namespace std;

int main() {
int x=1, y=1;
int z;
z = x+++y;
cout &lt&lt return 0;
}

you can go here or here for symbol lookup…

Nick P March 1, 2015 11:10 AM

@ Figureitout

“I’ll wait until someone way smarter than me actually makes a better and more powerful language than C.”

Where have you been? That’s all language designers do is make stuff better than C lol. A few are even good for low-level: Ada, Modula-3, D programming language, and so on. D language being closest to a properly-designed, modern C. That’s why if I date a programmer, I make sure I give her some D before the night’s over.

Nick P March 1, 2015 11:14 AM

@ Not Frank

re Moxie saying we should ditch GPG

Here’s my response on his blog:

“All good points if you’re stopping run of the mill hackers or snoops. Some people are worried about Five Eyes, China, Russia, and other High Strength Attackers. Author misses that the only proven approach to surviving them is high assurance security engineering and/or obfuscation + diversity + battle-hardened software. There’s no H.A. FOSS for this so gotta do the latter. GPG is specifically mentioned in leaked slides as a pain in the ass for NSA: true going back to Zimmermann’s PGP. GPG also runs on many hardware architectures and buying old hardware (esp RISC) is a good way to dodge any subversion programs that are going on. So, the best route to high security email is GPG + FOSS OS + diverse, old hardware behind a guard for interface level protection and preventing them hitting the lowest (weak) layers of the old system. Easy to use, cheap, and pretty? No, but high security setups rarely* were.

This, with contractor developed implementations, is one of the ways the NSA’s own black programs protect their information from their opponents. Same is true for Five Eyes. So, it has both stopped them and they rely on similar approaches. That’s best endorsement an encryption product can get. That so few people use it has more correlations to NSA SIGINT effectiveness than GPG’s. 😉 So, per INFOSEC history’s lessons, we let people develop (and PROVE!) better solutions that don’t have GPG’s problems. Meanwhile, we use GPG, improve its interface, and make solid workarounds to any issues with it that don’t violate security arguments. Only new scheme I’ve seen with strong security properties is Tinfoil Chat. Everything else usually has a weak TCB allowing bypass or an unproven design/implementation they might covertly beat. I’ll stick with what works until situation changes.

*Note: Capability, tagged, and language-based methods can be nearly identical to insecure product in functionality with better, easily-done security. They’re the exception, though.”

Wael March 1, 2015 11:45 AM

@Figureitout,

Was wondering about the “cout return 0;” — Looked at the first link… And the code from your first link would look like this:

#include &ltiostream&gt
using namespace std;

int main() {
int x=1, y=1;
z = x+++y;
cout &lt&lt z &lt&lt endl;
return 0;
}

Figureitout March 1, 2015 12:57 PM

Wael
think it’s a sign of language mastery to use this “cute” style
–I know…We need to be able to see it immediately, the #define else then blank space would be a quick find. It must be defining int as else? I don’t even know lol. There was not even a warning in fairly recent version of GCC or G++ though.

RE: unicode/html stuff
–Yeah didn’t feel like looking it up, annoying text stuff makes me feel like…look at this zalgo garbage lol

Yeah it did that there too. Needs that int z; Maybe it’s incrementing x after adding x & y. Probably a precedence issue.

Nick P RE: where I’ve been
–Their syntaxes suck and I’d really hate looking at that all day. Bleck. Just make better compilers.

Wael March 1, 2015 1:07 PM

Oh crap, I think I unintentionally defaced the blog 🙁
Oh @Moderator, please be merciful!

Wael March 1, 2015 1:40 PM

I think it was @Figureitout, not me! If you change the encoding, it’ll be in his post.
It’s in the section between: “RE: unicode/html stuff
–Yeah didn’t feel like looking it up, annoying text stuff makes me feel like..” and “Yeah it did that there too. Needs that int z; Maybe it’s incrementing x after adding x & y. Probably a precedence issue.”

Jacob March 1, 2015 4:32 PM

I disagree with some and Bruce somewhat. Bruce speaks of the powers that be controlling population with manipulation. That assumes three things. That the people doing the controlling know what they are doing and that competing interests would not restrain them, that media manipulation effectiveness is effective, and that people cannot see through the effort. Others err by saying “adults” can always see the game. Trust in media has plummeted because eventually people do see through it. Same thing is currently happening with politicians. I readily admit I have been surprised that politicians, business, agencies have been able to get away with some things for so long. The Germans are very sensitive to spying because not enough time has passed since the Stasi. The U.S. has gone 40 years since the Church hearing. This is an introduction to my real point. I forget if Bruce has addressed the following….I have fallen way behind on my to-read list. 🙁

Human beings, society, and government/business run a spectrum. On extreme ends you have what I would call actionable unrestrained psychopaths or sociopaths and on other end you have nonfunctional unrestrained individuals. The psychopaths/socios can only be put away or killed. Someone like Manson is a constant danger to others. They have no restraint or self control. The bottom people need constant supervision or direction. No restraint but no real intentional animosity.

Now who else is left? Well, the vast middle is somewhat restrained, somewhat aware of shortcomings and generally moral. You have a smaller group of people like Mr. Rogers. Quite self-restraining, very aware of shortcomings, effort to do better, genuinely no ill will.

Now who is left? I would term them as functional psychopaths and sociopaths. They do not feel empathy or actionable like the majority. They are found more commonly in top tier of industry, government, and business. They do serve a very important function. If not, like the common cold, to paraphrase a show, Homo habilis would have killed the guy with the runny nose. But and this is a big but. What restrains them? I would say two things. Perceived societal expectations and supervision. Now when they are unrestrained, slowly they become unrestrained and bad things are justified.

What happened with the Church hearing? We found an agency that became unrestrained and given free rein. Sound familiar? After 9/11 the U.S. went to agencies and said, “do whatever it takes” to prevent another attack. It is actually a noble intent. But giving certain types free rein and the tools will and can only warp into something rather secret, unsavory, and I would add, ineffective.

I am opposed to mass surveillance in that mass storage of data is I believe ineffective and too tempting for abuse. Why did they do it? I think they said we might probably not be able to stop an attack very well. But after an attack we can see who they talked to and prevent future attacks from their contacts. However info wants to be free and can/will be used for blackmail, influence, or money. I say that many functioning psych/socio are functioning in high positions and genuinely want to do the right things.

How do you find them? Micro expressions are helpful. The NSA, CIA, DIA etc. use polies. Not that the test is particularly effective but that a skilled interviewer can pick up clues by unexpected questions and surprise. To use my example, the CIA is not going to hire Mr. Rogers. He is not the kind of person they are looking for. Watching politicians or other types of leaders you can do the same thing. Given that political or business consultants have blunted that a little. If you are paying attention! You can still find it. Obama flashes of anger, false argumentation, or Hillary flat out lying with perfection. I would add some conservative commentators or politicians show same tendencies but I would have go list long. Seeing how Bruce responds when challenged and surprised. He listens carefully. Eyebrow action, brings head back, seeing wheels turn as he considers then responds. Same with this blog: Nick, Clive and others. Good people, in vast majority leaning towards Mr. Rogers. Lol one reason why I like this blog.

When you are single, how someone treats a waitress is a big clue. Moments of unmasking tell us a great deal. The three letter agencies could do better analyzing or profiling potential bad guys. By definition the ability to commit terrorism will show itself in other areas. It has to. We are harming ourselves when we fail to look carefully and look at their track record, not just including flash moments. But a flash micro expression of anger when the subject of uncovered women comes up might warrant a closer look. The person probably is not dangerous but certainly far more possible than an old woman with her colostomy bag and wheelchair in airport. Just saying.

Unmooring our useful psys/socios is dangerous. We unmoored them in response to 9/11. I want to add that they can and do function well. But we need to understand they need the moorings. Sorry this is so verbose but I could have kept going. :/

@Nick, you see my response on squid?

Anura March 1, 2015 5:18 PM

@Figureitout

The first one I don’t see what’s weird, other than the formatting, but x+++y can simply be written “z = x++ + y;”, or “z = x + y; x += 1;” it’s just that C/C++ allow you to make your code really ugly.

For the second, it’s basically the same thing, it’s just that the languages allow implicit conversion between char and int as well as (and this might be illegal) the ability to redefine language keywords to change them to empty strings.
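The rule that settles how `x+++y` is read is the lexer's "maximal munch": at each position it takes the longest operator that matches, before any grammar is considered. The sketch below is an added example, not code from any commenter; `tokenize`, `longest_op`, `demo_sum` and the small operator table are names constructed for illustration and cover only a subset of C's operators.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Operators this sketch knows about: a small subset of C's punctuators. */
static const char *const OPS[] = { "++", "+=", "+", "--", "-=", "-", "=", ";" };
#define N_OPS (sizeof OPS / sizeof OPS[0])

/* Length of the longest known operator that is a prefix of s, or 0 if none. */
static size_t longest_op(const char *s)
{
    size_t best = 0;
    for (size_t i = 0; i < N_OPS; i++) {
        size_t n = strlen(OPS[i]);
        if (n > best && strncmp(s, OPS[i], n) == 0)
            best = n;
    }
    return best;
}

/*
 * Split src into tokens the way a C lexer does: always take the longest
 * match at the current position, with no look at what would parse later.
 * Tokens are written to out separated by single spaces.
 * Returns the token count, or -1 on an unknown character or a full buffer.
 */
int tokenize(const char *src, char *out, size_t outsz)
{
    size_t used = 0;
    int count = 0;

    if (outsz == 0)
        return -1;
    out[0] = '\0';

    while (*src) {
        size_t len;

        if (isspace((unsigned char)*src)) {
            src++;
            continue;
        }
        if (isalnum((unsigned char)*src) || *src == '_') {
            /* identifier or number: run of alphanumerics and underscores */
            len = 1;
            while (isalnum((unsigned char)src[len]) || src[len] == '_')
                len++;
        } else if ((len = longest_op(src)) == 0) {
            return -1;
        }

        /* room needed: optional separator + token + terminating NUL */
        if (used + (count > 0) + len + 1 > outsz)
            return -1;
        if (count > 0)
            out[used++] = ' ';
        memcpy(out + used, src, len);
        used += len;
        out[used] = '\0';

        src += len;
        count++;
    }
    return count;
}

/* The expression from the thread, with z declared. Reports x afterwards. */
int demo_sum(int *x_after)
{
    int x = 1, y = 1;
    int z = x+++y;          /* lexed as x ++ + y, i.e. (x++) + y */
    *x_after = x;
    return z;
}

int main(void)
{
    /* Constructed sample inputs. The last one lexes as x ++ ++ + y, which
     * a compiler rejects even though "x++ + ++y" would have been valid. */
    const char *samples[] = { "z = x+++y;", "z = x+ ++y;", "x+++++y" };
    char buf[64];
    int x_after;

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (tokenize(samples[i], buf, sizeof buf) >= 0)
            printf("%-12s -> %s\n", samples[i], buf);
    }
    printf("z = %d, x afterwards = %d\n", demo_sum(&x_after), x_after);
    return 0;
}
```

When reviewing code written in this style, inserting the spaces the lexer implies (`x++ + y`) is usually enough to make the side effect on `x` visible.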

Dirk Praet March 1, 2015 6:08 PM

@ Wael

Oh crap, I think I unintentionally defaced the blog 🙁

I guess that means the first round of drinks is on you when we ALL meet.

@ Nick P, @ Not Frank

re Moxie saying we should ditch GPG ; Here’s my response on his blog:

Exactly my feelings, Nick.

@ BoppingAround, @ Bob S.

OS X Yosemite was caught sending various data back to the mothership.

You can plug some of them. Yosemite Phone Home is a collaborative project to identify additional data collected by (cr)Apple and other third parties.

@ 65535, @ Clive, @ T, @ albert

Russian opposition leader was shot in Moscow on Friday night…

I find the timing a bit odd. Why should Putin order the assassination of a politician who was no threat to him, amidst the ongoing tribulations in Ukraine and just after Qu Xing, China’s ambassador to Belgium, in an unusually strong statement on Thursday had urged Western powers to “abandon the zero-sum mentality” with Russia? Although an outspoken vocal critic of Putin, Mr. Nemtsov’s support statistics were somewhere along the line of 5%. Him – according to Ukrainian president Poroshenko – getting shot over a “secret report” that would prove the presence of Russian troops in Eastern Ukraine makes little sense because, well, everybody already knew that.

Although we should certainly not dismiss any possibility at this time, my gut feeling is telling me that this has CIA written all over it, and in a deliberate attempt to damage Putin and Russia on the international stage. Combined with DNI Clapper’s statements that there is increased Russian “cyber activity”, @Clive may well have a point that the USG could just be warming up the public to something.

@ TheFlasher

I didn’t know Humboldt Squid wore long trench coats.

Those also sporting hats and sun glasses must be spook squid.

@ Anura, @ Figureitout

The first one I don’t see what’s weird, other than the formatting, but x+++y can simply be written “z = x++ + y;”, or “z = x + y; x += 1;”

That’s how I had interpreted it too, but I haven’t been coding C/C++ in quite a while. Perl is also a wet dream for programmers getting off on making their code unreadable for anyone but themselves.

Terry Cloth March 1, 2015 6:17 PM

@Wael • March 1, 2015 10:42 AM

As shown on my screen, your lt and rt entities are missing a terminal semicolon; if what you want to show is
         <
you type
         &lt;
itnto the comment editor.

Similarly, for >, use &gt;

OK, I’ve checked this in preview; now we’ll see the map’s relation to the territory.

Terry Cloth March 1, 2015 6:19 PM

Yeah, right. I get all the finicky stuff right, then don’t do a final proofread.
s/itnto/into/

SoWhatDidYouExpect March 1, 2015 6:34 PM

Google Wants To Rank Websites Based On Facts Not Links

http://science.slashdot.org/story/15/03/01/213245/google-wants-to-rank-websites-based-on-facts-not-links

From the post:

“The software works by tapping into the Knowledge Vault, the vast store of facts that Google has pulled off the internet.”

So, now we have a new concept on the Internet called “Google Truth”, or whatever is in the Google Knowledge Vault:

http://en.wikipedia.org/wiki/Knowledge_Vault

What do you suppose the fact in that vault will be with regard to the following…Google does no evil -or- Google does evil. And who is to say that it hasn’t been compromised, in particular, for or against Google’s benefit.

Yeah, that’s the ticket – Google Truth.

Wael March 1, 2015 7:23 PM

Terry Cloth,

As shown on my screen, your lt and rt entities are missing a terminal semicolon;

Yes! Good catch. Perhaps the corruption[1] was the side effect of not terminating the HTML or the Unicode with a semicolon!

Yeah, right. I get all the finicky stuff right, then don’t do a final proofread.

Lol! It happens in the best families 😉 It happened to me a few times when I corrected someone else. My post had a similar error. @Figureitout, no less, messed with me about “spelling”, while he himself had the same type of errors in his post. Then shortly after that, @Clive Robinson makes another spelling mistake trying to make fun of both of us. But coming from @Clive Robinson, that’s expected, and compleatly readable 😉

[1] I got a stack overflow showing some pretty interesting conversations between @Moderator and Bruce. Will share it one day 😉 It’s a joke, but I’ll make up a conversation 🙂

Wael March 1, 2015 7:32 PM

@Dirk Praet,

I guess that means the first round of drinks is on you when we ALL meet.

I think that’s a great idea! Me likes it. Just make sure you bring enough chocolates for all of us 🙂 I can eat one of these in a few bites.

Clive Robinson March 1, 2015 7:50 PM

@ 65535,

Technical question: Microwave ovens use a quasi faraday cage to contain the microwaves. Is the front panel grid energized or grounded as in some faraday cages?

Simple answer is neither…

The oven is a form of waveguide / resonant cavity. It would in other usage have no door, which is inconvenient.

However the door represents a real design problem in that if it were a broadband faraday cage you would have to have it “bolt on” which few would go with. After all, who wants to spend twenty minutes bolting it on just to spend a minute cooking a pound of sausages and a further twenty minutes getting them out by which time they would at best be warm not hot. Further the solution with “man size” occupiable cages is not practical because it requires a large quite heavy and not easy to operate latching system.

The system actually used is very frequency and its harmonics sensitive. If you short the end of a quarter-wave transmission line it appears as an open circuit at that frequency and its odd harmonics and a good approximation to a short at the even harmonics. Thus if you find an old broken microwave oven you will find that there is what looks like a plastic gasket around the door, which many think is there to keep steam in etc. In fact if you remove it you will discover a slot behind it which when measured from the correct point gives the shorted quarter-wave line. Thus there is often no or no reliable or useful electrical connection between the door grill and the rest of the cavity at the frequency of operation, as it’s not required due to the action of the shorted quarter-wave line.

This lack of electrical connection means that at other frequencies the door edges act as slot radiators of varying efficiency, so it certainly does not work as a Faraday shield or cage. A few years ago I decided to experiment and found that one microwave oven only had the equivalent loss of about -17dB in one of the mobile phone bands which would not really affect the mobile phone’s operation…

Likewise those table top safes you get in hotels don’t make faraday cages unless you add RF gasket / copper fingers to the door edges.

Unless you are into precision cutting, welding and grinding of certain types of chromium steel and then silver plating the inside walls it’s quite difficult to constrain broadband EM radiation. To see the minimum of what is required have a look at an EMC TEM cell, though many of those are not hitting -100dB. For TEMPEST / EmSec you are looking to get emission down to as close to the thermal noise floor ( -174dBm in a one hertz bandwidth) as you can. For the likes of some electronic devices that requires a “box within a box” design, with galvanic isolation between the two boxes to prevent circulating currents or feedback loops…

Clive Robinson March 1, 2015 8:40 PM

@ Wael,

Why on earth do they call them “pound plus” when they are clearly half kilo bars… Oh and if you can eat one with just a few bites, I’d hate to see how much money you fork over to your dentist and doctor, after all what price is synthetic human insulin per 300 unit cartridges in the US?

With regards “old Mac” I was not making fun of either you or Figureitout, I was just trying to make the pair of you laugh a little and step back a little. Mind you if you look further down the page you will find somebody used “Iinear” rather than Linear…

Oh and I guess from some of the off beat links you are pulling up these days your sleep problem has not improved?

I have some rude jokes about sheep and the counting thereof, but from previous experience I would “shock the Moderator” and get a yellow card or worse, so I’ll save them for a meatspace chat if you ever drop in on London.

Buck March 1, 2015 9:10 PM

@Clive

Whilst reading about your ‘rude’ jokes, I happened to be listening to:

I see today with a newsprint fray

My night is colored headache gray

Don’t wake me with so much

Coincidence? Yeah, probably… What isn’t!? 😉

Wael March 1, 2015 9:12 PM

@Clive Robinson,

Why on earth do they call them “pound plus” when they are clearly half kilo bars

It probably has something to do with ½ Kilogram being = to 1lb 1.6370oz. You know, these marketing folk think more than one unit is a catchier name than half of a bigger unit 😉

I was not making fun of either you or Figureitout, I was just trying to make the pair of you laugh a little and step back a little

I know 🙂

I’d hate to see how much money you fork over to your dentist and doctor,

Don’t remind me! I’ve been dodging a root canal for the past year. I hate doctors and dentists (even though I had two doctors in the family, now it’s only one)

sleep problem has not improved?

Nope! That harsh mistress hasn’t dumped me yet

so I’ll save them for a meatspace chat if you ever drop in on London.

In a previous position I traveled between Europe and Tokyo frequently, I stopped by London twice. Now, I don’t travel internationally as much. However, if I do stop by the UK, I’ll make sure to drop you a note.

Wael March 1, 2015 9:14 PM

@Buck,

Coincidence? Yeah, probably… What isn’t!? 😉

Dammit, Buck! You’re starting to sound just like @Nick P!

MikeA March 1, 2015 9:50 PM

In Re: tagged architectures:

IIRC, the Burroughs B5500 tagging scheme had a vulnerability where some user-mode instruction (Left shift variant?) could modify the tag bit from some bit in the data portion. “Privilege escalation”, anybody?

The machine described in the “First Draft on EDVAC” was tagged, with an Instruction/data tag that was settable only by the (otherwise unspecified) “loading operation”.

Dave Keppel used to maintain a site about the sort of problems associated with such schemes, notably JIT compilation. Or rather, about an attempt to standardize a safe (-ish) way to “bless” a writable area of memory to flip it from writable data to executable code.

Anura March 1, 2015 11:40 PM

@Clive Robinson

Because the kilogram is the Socialists equivalent of the pound; would you rather have half a Socialist unit or more than one American (AKA The Greatest Country in the World, AKA The Birthplace of Freedom) unit?

Figureitout March 1, 2015 11:47 PM

Anura
–I’ve never seen triple operators like that, guess it should go left to right so it’s in fact x++ +y and not x+ ++y. The second one is really wrong though (thankfully it’s easy to spot), I was under the impression it must be all caps or underscores after a #define and setting a keyword to null string is so wrong…

Anyway thanks.

Dirk Praet
Perl is also a wet dream…
–Yeah it can look absolutely terrible and I wouldn’t want to debug it ever. Yeah must feel good for no one to run your code b/c it’s an inbred disaster.

Wael
Just make sure you bring enough chocolates
–These shells from Brugge were my personal fave, used to get a lot of candy too lol that you can’t get in US! (always rode my bike to a shop to fill up this cone-shaped bag w/ gummies). You haven’t lived until you’ve had a fresh sugar waffle (it has to be from this specific street vendor in a large northern Belgian city too, port town). Cooked perfectly such that the sugar glaze is caramelized for a nice crunch then a gooey dough center. Then knock down a Jupiler (which hasn’t been imported to US that I know of yet, and it should…). And all the frickin’ food is good there, except this place called Quick lol, that place f*ckin’ sucks. There were rumors of “paard” meat in burgers (hint: “neigh!”), just go to the local frituur (they frickin’ made french fries, they’re the best).

Anyway I say we all meet up in Barcelona (partay!) or Sardinia (chill place, isolated too :p).

MikeA
IIRC, the Burroughs B5500 tagging scheme had a vulnerability where some user-mode instruction (Left shift variant?) could modify the tag bit
–Yikes, user-mode compromise of tagging…so strong…

Wael March 2, 2015 12:05 AM

@Figureitout, @Anura,

I’ve never seen triple operators like that, guess it *should* go left to right

This is a good place to learn how to decipher complex expressions. You can also use an open source application called “cdecl” — try it out, if you haven’t. It’s also available in command line on FreeBSD and Linux etc…

Wael March 2, 2015 1:15 AM

@Anura,

AKA The Birthplace of Freedom

Guess what word happens to be an antonym of “freedom”? It starts with a ‘G’.

Clive Robinson March 2, 2015 2:03 AM

@ Figureitout,

… all the frickin’ food is good there, except this place called Quick lol, that place f*ckin’ sucks. There was rumors of “paard” meat in burgers (hint: “neigh!”), just go to the local frituur (they frickin’ made french fries, they’re the best)

Many many moons ago there used to be a Quick in Leicester Sq London, back in the 80’s when I was young(er) I used to frequent the area due to the clubs etc (There was one called “Smanthers” further away but the Sq, was central and had China town for early munchies).

We used to know Quick as “sick”, “Frog Burgers” and “Botulism Burgers” for various reasons.

The one thing I can tell you is that they were not made of horse meat, because they would have tasted a lot better if they had…

You would be surprised at just how much “neddy” meat ends up in European fast food and consumer products such as “Frozen burgers”. In the UK just a short while ago a news story broke about “neddy burgers” in the likes of Aldi and other major retail chains.

The thing is they actually tasted better than the usual “mechanically recovered meat” products with extra added cow hide / bits etc we buy in the UK super markets “value” ranges, so were popular until the story broke. It appears that actually there is quite a demand for “Pony Meat” in Europe and a lot of the equine live stock originated at the time in Ireland and got shipped in various ways all the way across Europe to various processing plants in the far east of Europe to be turned into burgers, then frozen and transported all the way back across Europe to Britain…

Interestingly it appears that paddock horse meat is probably healthier (as a dark meat option) than intensively farmed beef.

Any way I’m not as bad as Charles Darwin, but I have eaten all sorts of meat in my travels including some of those “cute and furry or feathered” critters that might otherwise be a small holding pet. Which makes me very different from the average “beef or nought” Brit, so I guess that’s why the French call us what they do 😉

Oh and before you ask my favourite is aged goat meat cooked long and slow and I wish more people would eat it. Because the “Organic chattering classes” with their one-upmanship in Goat Cheeses are creating a problem that would probably make them feel quite sick if they actually took a moment to think about it. To get goat’s milk you need lactating goats, and this only happens after the female goat has given birth. Well male goats are an unwanted byproduct of this cheese making process thus several hundred thousand male goats get killed shortly after birth and become “rag meat” to be disposed of in the usual EU approved manner…

Buck March 2, 2015 5:33 AM

@Wael

I would tend to think @Nick P would believe that there are plenty of things which are the result of conscious decision-making or stimulus-response reactions! 😉

65535 March 2, 2015 6:24 AM

@ Clive

“A few years ago I decided to experiment and found that one microwave oven only had the equivalent loss of about -17dB in one of the mobile phone bands which would not really affect the mobile phone’s operation…”

Thanks for the interesting explanation. I value your expertise in the RF field.

I tried the cell phone in the microwave oven test and the cell phone works [oven is not turned-on for obvious reasons].

I first thought that the cell phone was not actually operating in the microwave range. But, that should make the cell phone wave length longer – more block-able by the interior of a microwave oven – assuming it used a Faraday cage. But, there really is no Faraday cage.

I have been working on another RF experiment which used up most of the weekend but yielded interesting results!

[Background]

A client read the story about the police and Feds using radar imaging through residential homes. He is convinced that is happening with him.

See Police use radar to see inside:
https://www.schneier.com/blog/archives/2015/01/police_using_ra.html

The client called me and told me his story. To make it short he has noticed an unusual SUV with blacked out windows now constantly parking close to his residence – then leaving at odd hours.

The suspicious “black window” vehicle would leave shortly after he awoke, moved about and left. The vehicle would return a few minutes after he returned.

He says it tended to “watch him” while working on his computer. He has a wired gigabyte home network with fast broad band connection – and uses no wi-fi or other wireless connections because of his heavy stock trading – secrecy is a necessity.

I first proposed a Software-defined radio on his laptop with the appropriate antenna and packet capture software – not that I completely doubted his story and wanted to make some extra money. He said that was not feasible because all his laptop machines were given away to siblings in college.

The SDR was out. I then talked to a guy who was a radar operator in the military and a sports car fan who had multiple “radar detectors” including several with the ability to detect LiDAR speed guns – and he lent me an old X-band and K-band through Ka-band radar detector.

I installed it at the client’s residence – to find it was indeed being pinged by what I understand is an X-band radar device.

To be exact, the device goes off at odd times and odd hours during both day and night. It beeps. This is actually two beeps about one second apart. The beeps then stop. They start up again at odd intervals then stop. We have a recording.

I talked to the “radar guy” and he said it was possible that some sort of motion detector was being used to see movements in the client’s house. He says there are some radar motion detectors that can penetrate walls and motion sense over 40 feet inside a structure –or more.

They need a power source – that would be “black window” SUV… although, a radar unit could have been hidden on the exterior of his house [there is small unit on a board that does the trick – google radar motion detectors].

My radar guy said the NSA would be much more careful and never let that type of unit be detected with a COTS civilian radar detector.

I did my usual tests by putting the radar detector in my car and purposely driving by several of those mobile speed trap devices with the radar gun and camera. The radar detector went off well before I came within 50 meters of the unit.

Next, I checked to see if there were any motion detectors close-by his house. The answer is no.

And, no apparent radar motion detectors in any of his neighbor’s houses [the radar detector is silent at his house – until the “two beeps” occur at time when the “black window” SUV arrives]. Motion detectors would cause a solid tone or rapid beeps.

The nearest store is about one mile or more away [auto door opener for customers]. When I drive by the store the radar detector beeps quicker and quicker like a Geiger counter as you approach the radar door opener. The tone becomes solid when directly upon it. When driving away the opposite happens [the solid tone stops and the beeps slow down and stop].

I downloaded the radar detector’s user’s manual. Here are some features.

Operating Bands:
X-band 10.525 GHz ± 25 MHz
K-band 24.150 GHz ± 100 MHz
Ka-band 34.700 GHz ± 1300 MHz

Radar Receiver / Detector Type:
Superheterodyne VTO
Scanning Frequency Discriminator
Digital Signal Processing (DSP)

Programmable Features:
Power-On Indication
Power-On Sequence
Signal Strength Meter

I also check for power interruption or shorts on the detector. None. When the power is interrupted and re-powered the radar detector does a series of power-on beeps quickly and settles down to zero beeps.

Here is the normal operation: K-band produce by a ‘braap’. The X-band noted by a beep. When first encountering radar a slow beeping occurs. The beeps quicken when approaching the radar antenna. When a full radar gun is within 30 meters the tone is solid. The opposite occurs when driving past the radar gun.

I cannot figure out what is going on. He gets one X-band beep and about one second later another X-band beep then it goes silent for minutes or hours. This happens throughout the night when the “black-window” SUV is around. It’s probably explainable – but I cannot.

Excuse all of the grammar and other errors. I am tight for time.

Clive Robinson March 2, 2015 7:59 AM

@ 65535,

It’s difficult to tell what the detector is picking up on; it might be something, it might be nothing, or just coincidence.

If there is a van/truck as you describe that turns up shortly after he gets home, and it’s not a coincidence, there are a number of things you can look out for.

Firstly build a timetable and plot arrival and leave times, and get your friend to vary the times he not only leaves and arrives but routes he takes. Also check and see if the van always arrives from the same direction. You can use this to “back track” its arrival route over several days. The reason to do the van’s arrival route and not its departure route is that unless very professional the van operators will take few or no precautions on the way in, but even amateurs will assume they might be followed leaving, thus take precautions.

Another thing is borrow or rent a thermal imager and set it up in your own “stake out” vehicle. Whilst noise and other things can be muffled, everything that uses energy is inefficient and thus has a heat signature, this can be very difficult to impossible to mask. A human is the approximate equivalent of a 100 watt filament light bulb, professional grade digital recording equipment tends to be 10-30 watts a box, computers a hundred or so, laptops 30-70 etc, this heat has to go somewhere. Without double skin compressed air gap cooling and good internal insulation and cooling then the heat will show up.

Speaking of “bodies” they too have their needs, respiration and urination being the two of interest because they produce copious quantities of specific gasses such as CO2 for which you can obtain “sniffer” equipment.

Further unless the van is from Google it’s going to have a driver, who if they are wise is not going to stay in the van but get out and go somewhere and come back. Again back tracing the arrival route should prove of interest, as there might be a local OP house which can be further watched.

Remember for spooks “regular patterns” of behaviour are fatal, thus they tend to “over compensate” their behaviour, and it looks hinky. One such failing is “vacation time”, they will not stop surveillance just because it’s Thanksgiving or Christmas, a trades person just parking up their van would.

The other thing is if the van always arrives shortly after your friend does then he is being watched or tailed somehow. If it’s by phone or vehicle tracking, time to loan the phone to a personal secretary, or use call forwarding and turn it off and put the car into the auto shop to have a tune up etc, and borrow a car or use a mixture of cabs and public transport. If the established van routine breaks down then it’s a fair indication that watching or tailing is in progress. The trick then is working out if it’s electronic or MK1 eyeball and if the latter where they are picking your friend up from. It might be time for your friend to “get fit” by push bike, these are incredibly difficult to follow well and generally need a large team. They are also difficult to put tracking devices on especially if the bike is a fold up type that can be taken into the house or tucked away under the desk in the workplace.

Surveillance is “drudge work” especially if the mark has very regular behaviour, after a while human nature will set in and they will get lazy and slipshod. Worse they know that they will fairly quickly stand out and their attempts to blend can be used against them. A classic example of this was in N.I. during the troubles, one person knew they were being followed so got a pair of Mickey Mouse Ears as a hat, and always wore the same long coat, and used to wander around shops and passages. The tails got into the habit of watching the “get up not the face” and thus as was later found out he occasionally slipped out of sight whilst a friend of similar build would stand in for him wearing his “get up”….

A friend of mine used to have his “fisherman’s friend” outfit of a bright yellow cycle cape and sou’wester hat. People would see the outfit not him even when he knocked on their door and spoke to people. The simple fact is people remember what stands out, not what does not. Wear a polo shirt with a company name and number and any witnesses will try to remember those, not the face or stature of the person wearing it, it’s the same principle as fake number plates, uniforms etc.

Hopefully you will be able to backtrack the van or occupants and find out about them, it will almost certainly be easier and give more information than trying to determine if it is radiating EM energy for specific purposes.

BoppingAround March 2, 2015 9:36 AM

[re: Yosemite phone home] Dirk Praet,
Interesting. Perhaps you know if there’s a sister project for Windows?

A stupid off-topic question to you: is it possible for ‘ae’ in your surname to represent ‘ä’ (a-umlaut, should the symbol come unreadable to anyone here), assuming that you hail from a German-speaking country?

Perl is also a wet dream for programmers getting off on making their code unreadable for anyone but themselves.
Haha, not even that. Wait a month or two, see the code. Scratch your forehead.

[re: Existentialists link] AlanS,

J. Edgar Hoover has to know: what the hell is this Existentialism all about anyway – and is it some kind of code for Communism?
They love those kinds of questions, don’t they? Shame I don’t have the time to watch the video.

65535 March 2, 2015 10:07 AM

@ Clive

“…build a timetable and plot arrival and leave times, and get your friend to vary the times he not only leaves and arrives but routes he takes. Also check and see if the van always arrives from the same direction. You can use this to “back track” its arrival route over several days. The reason to do the van’s arrival route and not its departure route is that unless very professional the van operators will take few or no precautions on the way in, but even amateurs will assume they might be followed leaving, thus take precautions….”

[Interesting counter spy measures]

‘…for spooks “regular patterns” of behaviour are fatal, thus they tend to “over compensate” their behaviour, and it looks hinky. One such failing is “vacation time”, they will not stop surveillance just because it’s Thanksgiving or Christmas, a trades person just parking up their van would. The other thing is if the van always arrives shortly after your friend does then he is being watched or tailed somehow. If it’s by phone or vehicle tracking, time to loan the phone to a personal secretary, or use call forwarding and turn it off and put the car into the auto shop to have a tune up etc, and borrow a car or use a mixture of cabs and public transport…’ – Clive

Good stuff. I will try to convey your message to my client.

As you also note, the cell phone tracking is a real possibility.

I will say that this client seems honest [family guy]. But, he does trade securities heavily which involves money. If he is actually under surveillance it probably is from a competitor who would like to front run his trades – but that’s just speculation.

[and]

“Hopefully you will be able to backtrack the van or occupants and find out about them, it will almost certainly be easier and give more information than trying to determine if it is radiating EM energy for specific purposes.” – Clive

That is a good idea. It would be fun but probably illegal to attach a GPS device to this “Black window” SUV and track it. But, since it’s illegal and I don’t know the exact equipment needed or the cost, I will not suggest it.

Now, he lives in a high traffic area [the freeways have 5 to 6 lanes on each side or 10 to 12 lanes of traffic on the total freeway].

It might be best, if and when it is determined he is being tailed, to do so by a private investigator.

Skeptical March 2, 2015 12:03 PM

@Jacob: I don’t quite agree with all of what you wrote, but I enjoyed reading it. Very thoughtful and insightful. Re microexpressions: I agree, but only useful to a point. Is the guy in line angry because he’s thinking about a fight he just had with a colleague, because he’s thinking about a relative who received poor medical treatment, because… on and on, as you point out. More useful when we have a lot of context, but even then… My personal view is that there is no one-size-fits-all technique for spotting threats or for effectively interviewing (or interrogating, for that matter) someone.

Re: persons of higher rank and psychopathy. To some degree, we all have traits we’d associate with psychopaths. All of us can sometimes be manipulative, whether for good ends or for bad ends. I would say that persons who achieve high positions in organizations are more likely than not to have good intuitive senses of the politics of an organization, and to act accordingly. But in many systems, good politics is actually in large part simply being a good (fill-in-the-blank-with-the-appropriate-role: soldier, officer, cop, colleague, friend, etc).

Someone today remarked on the Ides of March, which made me think not of Caesar but of Washington, whose example is relevant here. Though driven by ambition, he had also thoroughly internalized other virtues. I regard his physical courage on the battlefield to be no less important than his moral courage at Newburgh NY, 15 March 1783. The war now over, yet unpaid and neglected despite numerous appeals to Congress, the officers of the Continental Army considered taking more decisive action. As discontent and anger grew, an anonymous letter circulated amongst them, calling for a meeting on 11 March, and advocating that the Army seize what it was not being given. Washington, becoming aware of the letter, issued orders instead for the meeting to be held on 15 March, to be presided over by the senior officer present, and ordered that a report of the meeting be presented to him – thus implying that he would not attend.

Yet on the morning of 15 March, Washington appeared at the meeting, and after the usual formalities, began to address his officers. He held a paper on which was written a short speech he had prepared, but stood for a short time staring at it, silent. The officers, men who had long fought with him, who had taken orders from him as he sat straight on a horse and unflinching under fire, and who had shared in the deprivations of a desperate war fought against an enemy of superior force, waited, puzzled.

Then in a masterful stroke, he said: Gentlemen, you will permit me to put on my spectacles, for I have not only grown gray but almost blind in the service of my country. He took from his pocket a pair of spectacles, and putting them on, began his speech. This gesture, by itself, had moved many of the men to tears. He then made an impassioned speech, forthrightly opposing the call for the Army to take arms against the civil government, concluding that, if they stood with him, remained faithful to the civil government and under its authority, [y]ou will give one more distinguished proof of unexampled patriotism and patient virtue, rising superior to the pressure of the most complicated sufferings: and you will, by the dignity of your conduct, afford occasion for posterity to say, when speaking of the glorious example you have exhibited to mankind—”had this day been wanting, the world had never seen the last stage of perfection to which human nature is capable of attaining.”

He then left the meeting. After brief discussion, the officers assembled unanimously adopted resolutions condemning calls for insurrection or the use of force against the civil authorities, while reaffirming their loyalty.

This was a moment when a less principled, more ambitious, man might have seized even greater power. And yet Washington used the good will he had accumulated during those years of hard service and sacrifice not to seize power, but to reject it, in service to a cause he regarded as greater and more important than his own fortune.

Now… not all leaders are going to be men or women of that quality, and more than a few new democracies have failed for want of them in the right places at the right times. But though we need to guard against the lack of virtue in all ranks, and especially in higher ranks, it’s constructive to remember that virtue actually has and does exist throughout the ranks as well.

As to “taking the gloves off” after 9/11, not all restraints were removed. I’d regard the British air raids on Germany in WW2, and the US air raids on Japan, as more significant examples of the gloves coming off than the measures taken by the US, and others, after 9/11. In grappling with the vast uncertainty after that day, the US undertook some programs that, in hindsight, were poorly executed or poorly conceived. But in the most vital respects, it acted within the law, legitimately through its institutions, though it skirted the line – but then, in such circumstances, that is precisely what we would expect our government to do. And after, as the uncertainty diminished, as the danger appeared, if not defeated, then at least contained and the outlines of it limned, the programs that pushed furthest were reduced or ended.

Whether it is now time to reduce existing measures even further is a matter for debate, and we have the luxury of considering it in an atmosphere of relative security. I do see ways that we can improve safeguards against the abuse of power, while simultaneously not depriving government of the means of achieving the very ends for which we, the people, have granted the government power in the first place. However, all things considered, in my opinion, the system in place functioned quite well, both in crisis and in the aftermath. As always, and as will always be the case, there’s still much work to do – but we have an excellent foundation on which to build.

Nick P March 2, 2015 12:27 PM

@ MikeA

re Burroughs

It wouldn’t surprise me if it had a vulnerability or two: the system was designed before hackers or the INFOSEC field existed. That their architecture works so well in a malicious, user environment without being designed for it is quite amazing. That there were problems just supports the need for a rigorous development process to catch them. And that it has to assume intelligent malice.

re Keppel on tagged architectures

I don’t know about him. I know another guy talked about how they’re wasteful, people would fight over the tag use, and so on. Over time, the results are in thanks to commercial development and academia: that guy was wrong. There have been so many designs with practical tradeoffs it’s hard to even summarize them at this point. The simplest are systems where a tag is used to protect the pointers or code vs data. That can enforce many security policies with ease (eg Object-Capability model). Some (CHERI) combine pointer protection and permissions. There’s also work (SAFE) which enforces many different security policies simultaneously with the same mechanism applied to each memory word.

So, the mechanisms work and do their jobs. As you pointed out, using them right is where the security problems are more likely to turn up. The simplest route for tagged processors is to do a trusted boot-style setup starting with properly tagged firmware. It loads and checks a writable store (eg flash or SD card) that represents the system. That’s pre-tagged or type-checked plus tagged on the spot. Then, the system runs from there with updates or tag modification only being allowed within a tiny component interfacing with validation code that is itself protected by tagging. The interface and validation scheme are where the real risk is.

But, that’s a design level risk. The tagging scheme has already eliminated the low-level coding risk. It makes a big difference in security assessments and arguments.

@ Buck, Wael

“Damit, Buck! You’re starting to sound just like @Nick P!” (Wael)

“I would tend to think @Nick P would believe that there are plenty of things which are the result of conscious decision-making or stimulus-response reactions! ;-)” (Buck)

Unconscious, suspiciously-synchronized firings of neurons in my cognitive brain have occasionally led me to believe my mind is capable of making conscious, centrally-determined decisions. Yet, the intuitive brain that directs much of my efforts is almost totally an associative machine based on prior stimulus-response. That means its outputs are essentially a series of biased coincidences between brain patterns and what I sense of the environment. If I happen to act on a deliberate thought, it might purely be a coincidence whereby my cognitive neurons and stimulus-response machine agreed on the same outcome.

Chew on that. 😛

@ Clive

Another example of history repeating. The abstract sounds just like what SGI did on NUMA machines with “Cellular” IRIX operating system. Master node ran full IRIX (UNIX) operating system. It managed the system and did some sequential work. For compute nodes, they created a lightweight kernel called Cellular IRIX to run the apps and maximize efficiency. It did I/O offloading in the form of dedicated nodes for it.

Cray did stuff like that, too. Only read the abstract so I don’t know if they reference the older stuff. If they do and improve on it, then it’s good work. Otherwise, a risk of wasteful re-work.

Skeptical March 2, 2015 12:33 PM

@65535: If your friend lives in a high-traffic area, perhaps he’s simply picking up a radar gun being used intermittently on a nearby highway.

If he’s truly concerned about this SUV, then he should call the local police and have them send a car to check it out. Odds are that it’s probably just a neighbour who simply has a similar schedule, or who is home a lot but leaves to do chores at various times during the day. Lesser odds that it’s someone thinking about breaking into his or a neighbour’s house. Still lesser odds that it’s a government agency conducting surveillance.

Of course if he’s into something illegal… but even then what he’s describing doesn’t make much sense. Sounds like paranoia to me. If anything, I find it odd that he hasn’t called the local PD already.

And yes, placing a GPS on the vehicle to track it is illegal. And if it were placed on the vehicle to confirm your friend’s suspicions that he’s under investigation, it would be illegal in multiple respects.

CallMeLateForSupper March 2, 2015 2:05 PM

@65535

Both the description of your borrowed radar detector and the different audible alerts it emits are consistent with my 1980’s-vintage detector. I know well the “beep…. beep…beep..beeeeeeeeeep” associated with approaching X (long-range) emissions and the “brap…….brap…brap..braaaaaaaaaa” associated with approaching K (short-range) emissions. (Also the BRAAAAAAAAAA breaking total silence, which means Smokey just clocked you at close range.)

The “utterance” you describe – beep, not brap; ~1-sec silence between beeps; total silence thereafter – suggests: X-band; weak(er) burst; short duration. That’s consistent with distant, “always on” radar. You said your customer lives close to a major highway. I’m thinking your detector could be responding to reflections of “always-on” radar carried by LE cars patrolling the highway and/or streets in the area.

Miss Manners March 2, 2015 2:22 PM

@65535

Has your client considered putting “his” van up for sale on Craigslist? A few photos posted to imgur, and you could turn every whackjob on the internet loose on them. Start with the UFO people, who would DEFINITELY like to know about that secret UFO-tracking van in the x block of y street. Do any local reporters know that Senator Futch is sneaking into his underaged boyfriend’s house every night? Perhaps it has simply broken down there, and the occupants are in dire need of a taxi. Or a pizza. Perhaps it’s scary for them out on that dark street at night, and they would find being bathed in the warm glow of a powerful spotlight comforting. I wonder what would go through their heads if, say, right around breakfast time, an RC toy car emerged from your client’s driveway, parked in front of them for a few moments, and then zoomed up and stopped right underneath them? What happens if two people park their cars VERY close both in front of and behind them, get out, lock their cars and walk away? Go to Neighbor A: “Listen, I didn’t know if I should say anything, maybe it’s none of my business, but there’s a black van watching YOUR house.” Go to Neighbor B. Rinse and repeat. 911? “No, operator, I can’t get a REAL good look inside, but it LOOKS like two Arab men.” My God, man, the opportunity for pure sadistic fun here is almost boundless.

When uninvited guests drop in, always serve something hot.

Barbie, Midge and George in the Dreamhouse March 2, 2015 3:36 PM

Skep would have finished his 12:03 post sooner, but his copious tears kept shorting out the keyboard. Skep tells a tearful patriotic story. He takes his cheesy George Washington desktop figurine and shakes it around and makes it talk in his best grownup noble patriot voice.

Note that Skep does not tell the story that goes,

“Should any American soldier be so base and infamous as to injure any [prisoner]. . . I do most earnestly enjoin you to bring him to such severe and exemplary punishment as the enormity of the crime may require. Should it extend to death itself, it will not be disproportional to its guilt at such a time and in such a cause… for by such conduct they bring shame, disgrace and ruin to themselves and their country.”

That one would harsh skep’s yankee-doodle sniffles because skep wants to let the torture cowards go. “in hindsight, were poorly executed or poorly conceived.” Skep thinks torture’s OK if you pretend to forget that no exceptional circumstances whatsoever, whether a state of war or a threat of war, internal political instability or any other public emergency, may be invoked as a justification of torture. Skep thinks aggression is OK if you pretend to forget that no consideration of whatever nature, whether political, economic, military or otherwise, may serve as a justification for aggression.

Then, since skep’s heart is bursting with the vicarious exaltation of other people’s integrity, he churns out lots of fulsome poesy for cowards.

“We, the people,” meaning me, Skeptical, the sniveling terror pussy mewling Please Please Protect Me no Matter What!

“What we would expect our government to do,” meaning what frightened servile eunuchs like skep expect his government to do: shitcan the rock-bottom rudiments of civilization to reassure skep’s quaking chicken ass.

“Danger.” You can’t really appreciate how fraught and evocative that word is unless you’re a bedwetting timmie like skep.

Jacob March 2, 2015 4:17 PM

@skeptical
Thanks. I thought afterwards how much more I could have added. I agree humans run a spectrum in each category I listed. I seem to remember reading a psychology text that showed a testing of leaders in politics, business, etc. They showed more tendencies. Makes sense that the kid behind the Starbucks will be less so than a CEO that went to top. All people are simply not wired the same. And good thing.
Yes, it could be heartburn playing across someone’s face. Why follow track record and other things.

Back when I was hiring subcontractors for jobs, if they mistreated my secretary or crossed a line about talking badly about customers….I did not hire them. Like my grandmother said, if they will talk badly about other people to you, they will talk badly about you to other people. Hence the commentary by a certain fun filled lollipop triple dipped in psycho? I would not hire them, or be their friend. Just saying.

Washington was certainly ambitious. In that day to be 6’4″ tall and show up in full military regalia is lobbying for the generalship. The statue of Cincinnatus was intentional as were his actions afterwards.

I rather enjoy watching people. White House secretary unable to keep a straight face as he tells a whopper. Funny. Clapper? With his most untrue untruth? I picked up on the fact he didn’t want to say it and it wouldn’t pass a court standard of truthfulness. Today I watched Netanyahu. I think. He thinks he won argument, pointedly didn’t thank Samantha Power, and listed 3 cases where U.S. and Israel didn’t agree. Commentators afterwards talked about how the family metaphor was the point. Well partly. I don’t have a Samsung smart tv otherwise they would have heard my point. Nope he listed 3 cases where U.S. said no and Israel did it anyway. That is the point.

As far as this country. Yea, I agree. We have failed to live up to our ideals at times though. I wished we didn’t swing the pendulum so far back and forth. We always seem to over correct. I am basically optimistic long term for both this country and the world. It doesn’t mean it will be easy, fun, or without negative consequences. I may be wrong but I don’t think unbalanced optimism or pessimism is necessarily a survival trait.

Buck March 2, 2015 5:26 PM

@violent sockpuppet

Exemplary punishment may sound like a good gut reaction at first, but we are all well too aware of the contempt it inevitably breeds…

Here’s a tune for ya:

There is plenty of goodness in this world; I hope some day to find it all – I hope the same goes for you!

http://m.youtube.com/watch?v=I2l9jt-OSqI

Dirk Praet March 2, 2015 6:00 PM

@ BoppingAround

is it possible for ‘ae’ in your surname to represent ‘ä’

In old Dutch spelling, “ae” was preferred over “aa” to represent a long “a” as pronounced in “Khan”. In German, the “e” after the “a” is indeed used as a substitute for “a” + umlaut. German uses an “i” to indicate a long “a” or “o”, as for example in a name like Voigt which is read entirely different in German than it would be in English. The “oi” here would be pronounced as in “low”.

Thoth March 2, 2015 7:50 PM

How bad are the EMF leaks from a PC computer? A cheap radio could have stolen the keys of your secret keys passively in a corner. Nothing new with using radios to sniff EMF leaks over a distance. Just more side channel attack improvements.

Link: http://eprint.iacr.org/2015/170

Figureitout March 3, 2015 12:07 AM

Clive Robinsun
You would be surprised at just how much “neddy” meat
–“Neddy” lol, jesus you brits just come up w/ the most silly words eh? Why don’t you guys learn to speak “proper english”? hides in bunker :p I would say it’s gross but so is just regular meat production, and so much bacteria potential.

Oh and before you ask
–No, I didn’t ask and wasn’t planning to lol…why don’t you add a side of haggis to that too? Mike the goat better stay away from you wide-eyed w/ a knife and fork…

65535
–Interesting experiments, I do hope you find a potential “active eavesdropper” or if they’re just spraying your client w/ RF (I don’t buy that it’s “harmless”). I’ve got just a regular radar, would be interesting what the detector does w/ it. Also keep in mind there’s radars that detect movement away and movement towards.

RE: bug-finding
–Agree w/ Clive that it’s probably best for you and your client’s sanity to seek out an amateur eavesdropper w/ “honeypots” than look for a well placed bug (or random RF, that’s the annoying thing w/ tracking down bugs, all the false alarms). As w/ pretty much everything these days, the advantage is WAY in attacker’s favor (just litter a place w/ bugs). Some good ones are w/in hobbyist range. If client is that worried (and is trading stocks so has some spare cash) he should look into a shield room (w/ external sensors hopefully warning of placing bugs w/in the shield room). Hopefully you can see where this is going…it gets really dumb. Probably best to seek out a multitude of sites to conduct business now (the down and upstream internet connection could be tapped too…).

Wael RE: cries for Moderator
No harm done; it’s actually kind of funny.
–Yeah see Wael? Moderator’s got my back. *fist bump*

Thoth
–Interesting paper, thanks. Genkin and Tromer’s papers are always good reads (always good to get Shamir on it too). They get to the point, write well, and the math isn’t some needlessly complicated meandering bull meant to trump up complexity for the paper’s sake. This is better than before as the Labview and expensive equipment makes attacks in the wild slightly more unrealistic.

Looks like they’re doing “chosen ciphertext” injection again via Enigmail. So suddenly encrypted spam becomes a potentially much more worrisome thing (unless you read your emails via a set “internet computer” and transfer files to it).

I recall from finding an EMI issue last summer around 100kHz that was a laptop powersupply causing us to make false conclusions on a regulator. It’s in the frickin’ powersupply, that’s what’s transmitting the compromising emanations as is stated in the paper. The solution there is a highly inefficient powersupply wrapped in an unwieldy shield.

I find it very, very interesting that some software countermeasures were implemented in GPG against EMSEC attacks (once again Werner Koch delivers and implemented the countermeasures). That’s just very cool to think about.

I find it hilarious they used some pita bread as a unit of reference, why not a banana for scale? lol

But these EMSEC attacks are devastating to think about, very distracting. You can’t be shielded all the time, and every time I think about it I see a way around just a shield…

Wael March 3, 2015 12:20 AM

@Figureitout,

Moderator’s got my back. *fist bump*

Oh yea? How did you do it? Crud!… I’ll start again after I lost count finger in your eye
One sheep…

Figureitout March 3, 2015 12:44 AM

Wael
How did you do it?
–What the hell you talkin’ about? Don’t worry about it. Better not be “that”. Get your finger out my eye, ow! No don’t put it there either! :p

Thoth March 3, 2015 2:41 AM

@Clive Robinson
No problem buying you a drink if we somehow manage to meet. Drop me a “message” somehow if you ever come to my place again.

Regarding Russian Opposition leader being assassinated, any chances of NATO having a hand in it although I would more likely believe Putin’s the more likely culprit since he has all the motive it takes to bring down his opponents either in plain sight or not but putting NATO as a small chance of fanning some flames would be interesting though.

Russia’s attempted power expansion is more of a desperate move to counteract the US/UK-led expansion plans to box Russia inside. Interestingly, I don’t seem to notice any recent Islamist activities against Russian interest or maybe I missed out something ? Is Russia somehow helping the Islamist along the way to counteract the 5 Eyes-led party ?

65535 March 3, 2015 5:26 AM

@ Skeptical

“If your friend lives in a high-traffic area, perhaps he’s simply picking up a radar gun being used intermittently on a nearby highway.” –Skeptical

He doesn’t live “near” a major highway – about 1.5 miles away. When the radar detector is that far from the highway it never goes off – I have tested it. There are other reasons… the X-band is not used by police in his state.

@ CallMeLateForSupper

“…the description of your borrowed radar detector and the different audible alerts it emits are consistent with my 1980’s-vintage detector. I know well the “beep…. beep…beep..beeeeeeeeeep” associated with approaching X (long-range) emissions and the “brap…….brap…brap..braaaaaaaaaa” associated with approaching K (short-range) emissions. (Also the BRAAAAAAAAAA breaking total silence, which means Smokey just clocked you at close range.) The “utterance” you describe – beep, not brap; ~1-sec silence between beeps; total silence thereafter – suggests: X-band; weak(er) burst; short duration. That’s consistent with distant, “always on” radar. “ –CallMeLateForSupper

You know your radar detectors well!

Sure, reflections of radar are possible. The sharp beeps are at less than a second apart.

Your idea is the exact current thought I had… until I check with the “radar guy” and he indicates that no police radar is used in the X-band in that area [too many motion detectors using the X-band].

I confirmed the band type by driving by radar speed trap machines – they all were “baarp” or K-band radar. I will say I am not an expert on the subject and I don’t really know the actual statistics – only a guess.

I only found X-band at retail auto door openers – they beep – or are in X-band. Further, no sound is emitted by the radar detector for hours upon hours at his place of residence -only at suspicious times.

@ Miss Manners

“Has your client considered putting “his” van up for sale on Craigslist? A few photos posted to imgur, and you could turn every whackjob on the internet loose on them.” – Miss Manners

Yes, that is a thought. I like the idea. But, that may be illegal in his state… further legal analysis is needed to see if one can photograph a car [that you own or don’t own] and then sell it via the internet.

And, yes there are a variety of tricks to incriminate an auto driver.

I will say that the SUV is “4X-black” meaning that all windows are blacked out with heavy tinting – which is illegal in many cities in his area [drive-by-shootings and the like]. The police usually ticket those cars.

To be exact, the driver’s side window must have light tinting for legal reasons – or the vehicle will be pulled over and ticketed.

Only law enforcement may drive those heavily tinted windowed cars [all windows tinted so the driver is obscured].

@ Figureitout

“I do hope you find a potential “active eavesdropper” or if they’re just spraying your client w/ RF (I don’t buy that it’s “harmless”).” –Figureitout

Yes, so do I.

The beeps are less than one second apart which means some sort of non-speed trap device… and they are on the wrong band range – or so we think.

Excuse all of the grammar and other errors. Thank you.

CallMeLateForSupper March 3, 2015 9:21 AM

DNI Clapper was interviewed by Charlie Rose last night. Wide range of subjects and no hard questions.

Two things stuck with me:

Asked what thing or things he took away from the Snowden thing, Clapper replied that it is clear that his crowd needs to be more transparent. (So, stay the current course – erode privacy and security and freedom of expression – but do it more openly? You just don’t get it, Clapper.)

A little further on Clapper ended his response to a question with (something like) continuing to protect the security and privacy of Americans. (If he even mentioned “privacy” anywhere else in the interview, I don’t remember it.)

name.withheld.for.obvious.reasons March 3, 2015 11:13 AM

The Israeli prime minister suggested that we “shared intelligence”…how can you share something you do not have in your possession?

vas pup March 3, 2015 11:51 AM

For all respected bloggers: ancient wisdom related to security:

On reporting security problem:
“There is no other way to guard yourself against flattery than by making men understand that telling you the truth will not offend you.”
― Niccolò Machiavelli, Machiavelli Niccolo : Prince

On team of security advisers to President:
“The first method for estimating the intelligence of a ruler is to look at the men he has around him.”
― Niccolò Machiavelli, The Prince

On risk assessment:
“All courses of action are risky, so prudence is not in avoiding danger (it’s impossible), but calculating risk and acting decisively. Make mistakes of ambition and not mistakes of sloth. Develop the strength to do bold things, not the strength to suffer.”
― Niccolò Machiavelli

On role of diplomacy versus boots on the ground:
“Never attempt to win by force what can be won by deception.”
― Niccolò Machiavelli, The Prince

On ‘free meal’ and deception:
“Men are so simple of mind, and so much dominated by their immediate needs, that a deceitful man will always find plenty who are ready to be deceived.”
― Niccolò Machiavelli

On changing security and surveillance paradigm:
“It must be remembered that there is nothing more difficult to plan, more doubtful of success, nor more dangerous to manage than a new system. For the initiator has the enmity of all who would profit by the preservation of the old institution and merely lukewarm defenders in those who gain by the new ones. ”
― Niccolò Machiavelli

On security as process:
“Whosoever desires constant success must change his conduct with the times.”
― Niccolò Machiavelli

On prioritizing of defense activity:
“Wisdom consists of knowing how to distinguish the nature of trouble, and in choosing the lesser evil.”
― Niccolò Machiavelli, The Prince

On root folks desire:
“He who becomes a Prince through the favour of the people should always keep on good terms with them; which it is easy for him to do, since all they ask is not to be oppressed”
― Niccolò Machiavelli, The Prince

On after security breach analysis:
“Everyone who wants to know what will happen ought to examine what has happened: everything in this world in any epoch has their replicas in antiquity.”
― Niccolò Machiavelli

On weakest security link:
“One can say this in general of men: they are ungrateful, disloyal, insincere and deceitful, timid of danger and avid of profit…Love is a bond of obligation that these miserable creatures break whenever it suits them to do so; but fear holds them fast by a dread of punishment that never passes.”
― Niccolò Machiavelli

On timely intrusion detection:
“as the physicians say it happens in hectic fever, that in the beginning of the malady it is easy to cure but difficult to detect, but in the course of time, not having been either detected or treated in the beginning, it becomes easy to detect but difficult to cure”
― Niccolò Machiavelli, The Prince

On size and role of the Government:
“Therefore a wise prince ought to adopt such a course that his citizens will always in every sort and kind of circumstance have need of the state and of him, and then he will always find them faithful.”
― Niccolò Machiavelli, The Prince

On ignorance of security expert opinion:
“Men intrinsically do not trust new things that they have not experienced themselves.”
― Niccolò Machiavelli, The Prince

On all police functions around the globe:
“For however strong you may be in respect of your army, it is essential that in entering a new Province you should have the good will of its inhabitants.”
― Niccolò Machiavelli, The Prince

On success of Google, Facebook, others:
“But while it was their opportunities that made these men fortunate, it was their own merit that enabled them to recognize these opportunities and turn them to account, to the glory and prosperity of their country.”
― Niccolò Machiavelli, The Prince

On compromise of opinions:
“there are two distinct viewpoints in every republic: that of the populace and that of the elite. All the laws made in order to foster liberty result from the tensions between them,”
― Niccolò Machiavelli, Selected Political Writings

On education:
“good individuals cannot exist without good education, and good education cannot exist without good laws,”
― Niccolò Machiavelli, Selected Political Writings

On proactive security:
“To defeat Fortune, men must anticipate such evils before they arise, and take prudent steps to avoid them. When the waters have already risen, it is too late to build dikes and embankments.”
― Niccolò Machiavelli, The Prince

vas pup March 3, 2015 12:34 PM

@Clive and all other respected bloggers:
-On Nemtsov murder: Putin never did this. Just recall many years ago during Yeltsin ruling. Russian Attorney General was caught and video recorded into classic intel ‘honey trap’, and removed from his office with disgrace. Putin is smart, and understood that physical removal of political opponent is outdated and just less effective than their political death. Taking into consideration Mr. Nemtsov ‘weakness’ on women, it’ll be easy to compromise him by high level, smart and trained hooker/agent (pardon my definition) like Anna Chapman or Ms. Zatuliviter (Clive you know this last name).
Mr. Nemtsov had many weak points to legitimately compromise him without even jail time (as other Putin’s opponent got). Conclusion: political death of opponent is much more valuable than physical, and Mr. Putin (smart as hell) could do his cost-benefit analysis.
On sources of information: more independent sources of information anybody have (I guess Mr. Clapper has upper hand on that) less you depend on each of them. You could have high level of trust to overlapping part of information from all those independent sources on particular subject matter. Key word is independent. As usually, my humble opinion.

Nick P March 3, 2015 1:28 PM

@ name.withheld

Perhaps the NSA has invented a new class of zero-knowledge protocols specifically for collection and storage of information?

CallMeLateForSupper March 3, 2015 4:17 PM

@name.withheld.for.obvious.reasons
You are saying that there is no intelligence data in CIA, FBI, NSA nor in any other parts of the NI structure. Maybe you meant to say something different?

BoppingAround March 3, 2015 4:18 PM

vas pup,
I’ll add a little here, a quote from an ancient Chinese work The Thirty-Six Stratagems:

The perception of perfect preparation leads to relapsed vigilance.
The sight of common occurrences leads to slackened suspicion.
Secret machinations are better concealed in the open than in the dark.
Extreme public exposure often contains extreme secrecy.

Clive Robinson March 3, 2015 5:16 PM

@ vas pup,

Ms. Zatuliviter (Clive you know this last name)

Yes if memory serves correctly she was the 25 year old “research assistant” of UK MP Mike “handy” Hancock who was 60. Back in 2011 she was arrested for being a Russian Spy through a contact called “Boris” from the Russian Embassy. She was supposed to have been deported as “a threat to National Security”, but she appealed and won and was allowed to stay in the UK. However she got upset by Putin’s crass manipulation of elections, and went back to Russia to become an election official. What happened to her after that I have no idea. As for Anna “swimsuit” Chapman, she got deported from the US, had her UK citizenship revoked and had to go back to Russia, where she became a “Putin Darling” running a “youth group” of questionable nature and close ties to Putin. She later got herself a media position or some such, and got declared persona non grata on a diplomatic mission. What is not clear is the involvement of defector Boris Karpichkov, who apparently claimed she had been ordered by the Kremlin to seduce Ed Snowden… As was once remarked “how the other half lives”.

As for Putin using sex to destroy political opponents, I’m skeptical, after all he has an ongoing affair with a woman less than half his age who has supposedly given him a couple of children, and it was this that caused his divorce. The fact he “was playing away” apparently improved his popularity, which depending on who you listen to could be as much as 80% of the Russian population.

Mr Nemtsov had quite a low popularity and thus he was not a political issue for Putin, which as you say makes him an unlikely target (unless it was a chancer trying for “an in” with Putin).

That said most of the other scenarios suggested don’t make much sense either. There is a possibility he had access to damning information about the Russian armed forces in the Ukraine and the police raid on his home suggests this might be a possibility.

However, he was a deputy at a time when political corruption was very high, so he almost certainly knew where various “skeletons are buried” which might well make him a significant threat to some.

Putin however has made a strategic mistake, in that he has in effect put himself in the position of the overall controller of the investigation. This is at best a “lose-draw” position for him currently, though he may well be able to kick the investigation into the long grass.

The murder is an anomaly which is possibly going to make things interesting in the near to long term…

EuropeaTrackers March 3, 2015 6:38 PM

Hi, I don’t say much here, but I will tell you some things from Europe-
The thing I want to talk about is tracking:
– Number one tracker in Europe is ANPR (Automatic Number Plate Recognition)
This is made to everyone.
-Number two is cameras, both visible and IR
-Number Three, these do exist but not everywhere, they are nasty
they are transponder readers, and anything that passes the reader gets recorded
they are big installations and they look like long long plates besides a highway
one place where you can see it is in Malmoe, Sweden when after turning towards the harbour on E6 you turn right and immediately after you pass through these massive transponder readers, if you have your passport in your pocket it can read it!

-Then we come to passive tracking, I don’t know if it happens in US but in my country it does
and it’s a European country, anyhow it’s not a tracker device and it doesn’t track everyone!
if you are in fact tracked, even knowing the secret it’s difficult to defend towards it.
Obviously these trackers are individually pinpointed and therefore tactically nice.

It works like follows.
A trackee that needs to be tracked, preferably a vehicle, will be sprayed with a substance that is not only visible only on IR, it has a transponder chip in the paint, so a helicopter with special FLIR can actually pinpoint the exact target that is to be followed.

This has been done in EU 20 years already and this is how high targets are followed

EuropeaTrackers March 3, 2015 7:01 PM

Again, nice to read this blog! I haven’t thought about it in this way before but yes you are right it can be used wrongly, sure, especially criminals. I have a lot of “secrets” I can tell but I think I tried to cover them in the previous post already, put your passport in a Faraday cage! that is emphasis! btw these examples from a reader in Sweden is not a joke, this is real

sena kavote March 3, 2015 8:05 PM

Limiting when data can become executable

This would not be so practical without current huge RAM capacities.

We should have an operating system or mode of using an operating system, in
which data can become executable only on boot. Normal laptop with SSD or Intel
NUC with 8GB or 16GB RAM has no trouble getting 2 or 4 gigabytes of executables
in volatile memory on boot. One slight downside is longer boot time. After the
system is started, no new executables can be loaded on memory. Lot of this can
be done with only software, especially with virtual machines. This is similar to
having a write protected hard disk, partition, folder or file. We could have a
hardware switch that if set to ON, prevents any more data being able to turn
executable.

One downside is not being able to put updates to effect while using the
computer for other things, but there are upsides to requiring reboot on
update anyway and some operating systems work that way already. If updates are
rare enough, Linux kernel has been updated and that needs reboot anyway on any Linux
distro, at least for now.

This method of promoting data to executable can be combined with ways of using
a USB memory stick live OS that loads completely on RAM before asking the user
to remove the OS stick and insert stick containing user data. Don’t know if any
distro does that currently. Update files are downloaded to the data
stick. Taking the update to effect could be done with a third stick with a
second OS (side-OS or update-OS) that is booted and loaded to RAM, then asks
removal of its stick and insertion of the other 2 sticks. Update files are
taken from the data stick and used on the main OS stick, while off-line.

Also, I guess some interesting hardware contraption could be used, something
that has 2 or more computers connected with each other and internet, on their
Ethernet ports and USB-to-Ethernet adapter dongle devices or even Raspberry Pis
on their general purpose input-output pins… At this moment, I have no idea
what that would mean.

@Nick P

Re: Interpreting c and c++

“Unless you can prove the use is safe, you must insert a protection to kick in when the use happens. You end up running almost as many checks as code to do work in.”

It seems you are just saying that the performance would be less than when using
it compiled. We already knew that.

It is weird that you claimed consensus about interpreting c and c++. For some things it is possible to gain consensus for opposite opinions when in different circles.

I think it would be great to have c and c++ interpreters as one option for running programs in production use and in development.

Nick P March 3, 2015 9:08 PM

@ sena kavote

I’ve mentioned this before. The programs are either loaded from trusted storage or a trusted bootloader is. The simplest implementation, as in Burroughs, is simply to create one bit per word signifying if it’s code or data. Then, the hardware checks that bit during the various operations in parallel with the operation execution themselves. I/O hardware should automatically tag incoming data as Data. CHERI shows you can put the properties into pointers, too.

Another strategy, inspired by an intel tech, is to create a point in memory where everything before it is one category (eg code) and everything after is another (eg data). Code would be read-only. Jumps could be structured to use offsets of a given memory location the processor tracks. The processor tracks it to ensure the jump is always from a code region to a code region. Not sure what the overhead is but it seems feasible and basic protection can be put into MMU probably.

Sandia Secure Processor (aka Score) supported the property you describe for an embedded Java processor. The code is loaded at runtime. After that, no new code can enter the system and it executes with Java safety properties. jopdesign.com has a free, fast, simple Java core for download that might be extended in this way. So, that’s another route.

Yet another is CodeSeal’s control flow integrity approach. The compiler creates a list of all valid jump targets with source and destination. That list becomes an ACL that comes with the binary. The processor is modified to check each jump to make sure it happens. The check is parallel (IIRC) and cached to reduce performance penalty. Penalty was still significant, though. Tech is also embedded-use only. Another project did something similar except the software did the checks and what was allowed got cached by hardware to reduce number of checks. Penalty was much smaller while supporting Linux.

re interpreting c and c++

“It seems you are just saying that the performance would be less than when using it compiled. We already knew that.”

Don’t be a smartass. Of course we knew extra checks degrade performance. The question is whether it’s an acceptable degradation. Originally, Java was fully interpreted. It was up to 15x slower than C. That’s a Pentium 3-4 acting like a Pentium 1. C++ dominated because nobody trying to replace C could stand a user experience like that. Further, modern interpreted and JIT’d languages don’t have nearly as significant performance penalty as older ones. These are all over the market.

Additionally, the more complex parsing and necessity of many safety checks makes the C/C++ interpreters inherently slower than safe, designed-for-interpretation languages. It’s both slower than the competition while offering less in terms of productivity and safety. Given C/C++’s niche demands speed, this means interpreted C/C++ is rarely going to be acceptable in production.

“It is weird that you claimed consensus about interpreting c and c++. For some things it is possible to gain consensus for opposite opinions when in different circles.”

There’s actually many interpreters for C and C++. That there’s no takeup among either C/C++ programmers or safe, system-language coders indicates an implied consensus that it’s not worthwhile. That solutions like CCured perform so much worse than barely-optimized alternatives hammers more nails into the coffin.

All that said, I posted here in the past about the subject indicating C/C++ interpreters could be good for development (esp prototyping). Eliminating the compile cycle can speed things up a lot. Additionally, instrumented interpreters could be used for static and dynamic analysis plus semi-automated testing. Many possibilities for the development phase. Production use, on the other hand, seems to be an utter failure with compiler work having more success both with making C/C++ safe and optimizing code in safer alternatives.
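
The mechanisms discussed in the two comments above (executables fixed at boot, one code/data tag bit per word, I/O always tagged as data, and a compiler-supplied list of permitted jump source/target pairs) can be modelled in a few lines. This is an added example, not code from any commenter or from Burroughs, CodeSeal or any real processor; the toy instruction set, the `struct machine` layout and every function name are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define MEM_WORDS 32
#define MAX_EDGES 8
/* Constructed toy instruction set: word = (opcode << 8) | operand. */
#define INSN(op, arg) ((uint16_t)(((op) << 8) | (arg)))
enum op    { OP_HALT = 0, OP_INC = 1, OP_JMPI = 2 };
enum tag   { TAG_DATA = 0, TAG_CODE = 1 };
enum fault { OK = 0, FAULT_SEALED, FAULT_RANGE, FAULT_EXEC_DATA,
             FAULT_WRITE_CODE, FAULT_BAD_EDGE, FAULT_ILLEGAL, FAULT_STEPS };

struct edge { uint8_t src, dst; };
struct machine {
    uint16_t word[MEM_WORDS];
    uint8_t  tag[MEM_WORDS];     /* one code/data bit per word */
    struct edge acl[MAX_EDGES];  /* permitted (source, target) jumps */
    size_t   n_edges;
    int      sealed;             /* set once, at the end of "boot" */
    unsigned acc;
};

void machine_init(struct machine *m)
{
    for (size_t i = 0; i < MEM_WORDS; i++) { m->word[i] = 0; m->tag[i] = TAG_DATA; }
    m->n_edges = 0; m->sealed = 0; m->acc = 0;
}

/* Loader path: the only way a word gets TAG_CODE, and only before seal(). */
enum fault load_code(struct machine *m, size_t addr, const uint16_t *img, size_t n)
{
    if (m->sealed) return FAULT_SEALED;
    if (addr > MEM_WORDS || n > MEM_WORDS - addr) return FAULT_RANGE;
    for (size_t i = 0; i < n; i++) { m->word[addr + i] = img[i]; m->tag[addr + i] = TAG_CODE; }
    return OK;
}

/* The jump ACL ships with the image, so it is frozen by seal() as well. */
enum fault allow_edge(struct machine *m, uint8_t src, uint8_t dst)
{
    if (m->sealed) return FAULT_SEALED;
    if (m->n_edges == MAX_EDGES || src >= MEM_WORDS || dst >= MEM_WORDS) return FAULT_RANGE;
    m->acl[m->n_edges].src = src; m->acl[m->n_edges].dst = dst; m->n_edges++;
    return OK;
}

void seal(struct machine *m) { m->sealed = 1; }

/* I/O path: incoming words are always tagged data; code words are read-only. */
enum fault io_write(struct machine *m, size_t addr, uint16_t value)
{
    if (addr >= MEM_WORDS) return FAULT_RANGE;
    if (m->tag[addr] == TAG_CODE) return FAULT_WRITE_CODE;
    m->word[addr] = value; m->tag[addr] = TAG_DATA;
    return OK;
}

static int edge_allowed(const struct machine *m, size_t src, size_t dst)
{
    for (size_t i = 0; i < m->n_edges; i++)
        if ((size_t)m->acl[i].src == src && (size_t)m->acl[i].dst == dst) return 1;
    return 0;
}

/* Fetch/execute loop: tag checked on every fetch, ACL checked on every jump. */
enum fault run(struct machine *m, size_t pc, unsigned max_steps)
{
    m->acc = 0;
    for (unsigned step = 0; step < max_steps; step++) {
        if (pc >= MEM_WORDS) return FAULT_RANGE;
        if (m->tag[pc] != TAG_CODE) return FAULT_EXEC_DATA;
        uint16_t insn = m->word[pc];
        size_t arg = insn & 0xFF;
        switch (insn >> 8) {
        case OP_HALT: return OK;
        case OP_INC:  m->acc++; pc++; break;
        case OP_JMPI: {                      /* indirect jump through memory */
            if (arg >= MEM_WORDS) return FAULT_RANGE;
            size_t target = m->word[arg];    /* may be attacker-influenced data */
            if (!edge_allowed(m, pc, target)) return FAULT_BAD_EDGE;
            pc = target;
            break;
        }
        default: return FAULT_ILLEGAL;
        }
    }
    return FAULT_STEPS;
}

/* Constructed boot image: 0: JMPI [16]   2: INC  3: HALT   5: INC  6: INC  7: HALT */
enum fault demo_boot(struct machine *m)
{
    static const uint16_t img[8] = {
        INSN(OP_JMPI, 16), INSN(OP_HALT, 0), INSN(OP_INC, 0), INSN(OP_HALT, 0),
        INSN(OP_HALT, 0),  INSN(OP_INC, 0),  INSN(OP_INC, 0), INSN(OP_HALT, 0) };
    machine_init(m);
    enum fault f = load_code(m, 0, img, 8);
    if (f == OK) f = allow_edge(m, 0, 2);   /* the only jump the "compiler" emitted */
    if (f == OK) f = io_write(m, 16, 2);    /* jump pointer lives in data memory */
    seal(m);
    return f;
}

int main(void)
{
    struct machine m;
    if (demo_boot(&m) != OK) return 1;
    return (run(&m, 0, 100) == OK && m.acc == 1) ? 0 : 1;
}
```

After `seal()`, overwriting the jump pointer through `io_write` can only redirect control to a pair already in the ACL, and a word that arrived through I/O faults on fetch even when it encodes a valid instruction.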

name.withheld.for.obvious.reasons March 3, 2015 10:19 PM

@ Nick P

Perhaps the NSA has invented a new class of zero-knowledge protocols specifically for collection and storage of information?

Thanks for making my day–hilarious and sad at the same time.

Nick P March 3, 2015 11:31 PM

@ name.withheld

You’re welcome!

@ All

re I/O coprocessors

Jack Ganssle of The Embedded Muse agreed with me in his publication that I/O offloading and interruptless architectures greatly signify predictability. Boost efficiency and sometimes security, as well. I said, even with cost efficiencies, a full I/O offload could be done in embedded scene with a second, cheaper chip for I/O. While reading the lowRISC paper, I found out that NXP indeed offers a product with a high performance MCU for computation + a lower-cost MCU for I/O. Always happy to see The Right Thing in commercial design.

Note: lowRisc adds something to tagged processors that others are missing: minions! That’s right. Your design might have coprocessors but theirs has MINIONS! Because it just sounds more fun that way. Haha.

re Jackpair

I just received an update on the project. Their manufacturer is fine-tuning the process for making the plastic parts. They already have most of the parts in inventory needed for the design. Soon as integrated units are done, they will go to certification labs for emissions requirements. Estimated ship date is now May 2015.

Wael March 4, 2015 12:19 AM

@Nick P,

While reading the lowRISC paper, I found out that NXP indeed offers a product with a high performance MCU for computation + a lower-cost MCU for I/O

Looked at the data sheet and the $300.21 evaluation board. What would you do with it?

Nick P March 4, 2015 10:47 AM

@ Wael

Didn’t realize the evaluation board was that expensive lol. What to do? Anything that requires both computation and I/O that its specs can handle. The point is that a microcontroller exists that offloads I/O handling onto a cheaper coprocessor. Like with mainframe Channel I/O, this increases both the predictability and utilization of the main CPU. If they don’t share a cache, this also reduces covert timing channels between sensitive state and I/O handling programs.

MikeA March 5, 2015 12:37 PM

@Nick P

Sorry I was unclear. Dave Keppel’s work was in trying to standardize an API for “blessing” code. That is, whatever method (tags on individual words, code-only segments, whatever) is available in hardware, the goal was to agree on semantics where, e.g. a JIT compiler can say to the system “I am done creating this code area. Please make it executable”. That is, to create a single (hopefully not too onerous) point where the advisability of making code executable can be decided.

For tags, one big improvement might be to differentiate “branch targets” from “stuff which can only be acted upon if fetched sequentially”.

As for separate IO processors, I fondly recall the CDC 6x00 and 7x00, particularly the notion that the CPU was a “brain in a bucket” whose memory mapping and I/O was completely under the control of a supervisory processor. At least until they modified that design to allow CPU-resident supervisory code controlling the memory map. For efficiency, of course.

Benni March 5, 2015 4:32 PM

BND tries to hide secret files from the german parliament:
http://www.spiegel.de/politik/deutschland/nsa-ausschuss-bnd-muss-wegen-akten-panne-nachsitzen-a-1022012.html

Without success of course, since this is a BND operation. They gave massive amounts of bulk data to NSA and that is now out:
https://netzpolitik.org/2015/live-blog-aus-dem-geheimdienst-untersuchungsausschuss-dr-urmann-leiter-der-technischen-aufklaerung-des-bnd/

and they capture more than just their allowed 20 % of all communications, they do a full take:
https://netzpolitik.org/2015/geheimer-pruefbericht-wie-der-bnd-die-gesetzlich-vorgeschriebene-20-prozent-regel-hintertreibt/

At BND’s new building, somebody has opened the water faucets… And now the entire building is underwater, especially the places where they wanted to put their cables and wires…. (with underwater cables, BND has much experience anyway)

http://www.spiegel.de/politik/deutschland/bnd-neubau-in-berlin-unter-wasser-gesetzt-a-1021774.html

New Zealand is also doing a full take on some pacific islands, whatever that is for:

https://firstlook.org/theintercept/2015/03/04/new-zealand-gcsb-surveillance-waihopai-xkeyscore/

Ever send something with germany’s no 1 postal delivery service DHL? A politician tried to send his NSA tapped smartphone with DHL to the office for security in information systems after he found out that he was bugged. The package was interdicted and opened before it reached its destination of course:

http://www.welt.de/politik/deutschland/article138039430/Spionageverdacht-im-Geheimdienst-Ausschuss.html

Nick P March 5, 2015 6:39 PM

@ MikeA

Well, that makes sense. JIT’s present a more complex situation than most. Typed assembly languages and proof-carrying code seem to have the most promise for that.

re branch targets

That’s an interesting idea. The processor might check upon a branch instruction if the target is a permissible jump. Not sure if this is safe as the jump can come from an arbitrary source with arbitrary data. They might jump to a critical part of the app or kernel. Code vs data tagging seems more cost-efficient for now.

“I fondly recall the CDC 6x00 and 7x00, particularly the notion that the CPU was a “brain in a bucket” whose memory mapping and I/O was completely under the control of a supervisory processor.”

@ Clive Robinson

The above sounds a bit like your Prison architecture concept. Seems like CDC was going that route a long time ago. Abandoned for efficiency as with most good security architecture.

Wael March 5, 2015 9:43 PM

@Nick P,

The above sounds a bit like your Prison architecture concept. Seems like CDC was going that route a long time ago. Abandoned for efficiency as with most good security architecture.

Why are you talking about an analogy you hate? You’re such a weasel 🙂

Nick P March 5, 2015 10:18 PM

@ Wael

Haha. It’s the castle metaphor and comparison to prison I don’t like in the metaphor/model/framework. Most tech I reference have attributes of both. His prison metaphor applies to his architecture pretty well, though. Plus, that’s what he named it.

Clive Robinson March 6, 2015 6:25 AM

@ Nick P, Wael,

Which sounds better prisoner in a “prison” or a “brain in a bucket”?

The choice of analogies is kind of limited….

Wael March 6, 2015 7:49 AM

@Clive Robinson,

prisoner in a “prison”

As long as it’s not me, then I prefer a prisoner in a prison. If it’s someone else, then I like the brain in a bucket 🙂

Clive Robinson March 6, 2015 1:47 PM

@ Moderator,

I have a feeling (see comment #c6690858) that somebody is back under a new name.

Wael January 26, 2016 12:49 AM

@Nick P,

If we ever meet, I might tell you the secret to that.

You can’t tell me now? I’ve got a ton of papers piled!

Nick P January 26, 2016 10:45 AM

@ Wael

“You can’t tell me now? I’ve got a ton of papers piled!”

Had to look back through the comments to see what you were talking about lol. Are they papers from work you have to read thoroughly or random papers in IT/INFOSEC you’re pruning? I mean, no guarantee I’ll tell you the full thing but maybe a partial. 😉

Nick P January 28, 2016 4:04 PM

“You can’t tell me now? I’ve got a ton of papers piled!”

Finally got my network working and time away from work. Let’s see if I can give you a proper reply. Can’t share whole secret but quite a few tips I use.

Trick: Ignore as much as possible.

The fact that I have 10-15 thousand papers I’ve at least skimmed might make that sound unbelievable. Yet, my original studies on geniuses showed that ignorance was as important as knowledge to smart people. They seemed to depend on what they intentionally forgot or ignored as much as what they knew. There’s certainly potential for missed knowledge and opportunity. That’s why I hoard papers I might never read again just in case a search turns up something later. Yet, learning to not read stuff is vital to reading more important stuff.

So, how to apply it. You could start with the links that show up here or even at DEFCON. Most doesn’t matter. You won’t regret not knowing it. Vulnerability report? If you don’t use it, ignore it. That’s most of them. If you might, then open it, skim to identify if it’s new attack, ignore it if not, and do any updates you need to do. Crooks caught doing X story? Get most of those from Krebs or other sources that report useful stuff in the first place. Then, open to skim fast as possible to see attack circumstance. If it doesn’t apply, ignore it w/ no further reading. If it does, skim back over identifying nature of attack and recommendations while ignoring circumstances and stories. If it’s papers, the abstracts tell you what you need a lot of the time. We’ll get to that later.

For political and other write-ups, go to sources where people useful information. Do some research and work on a vital subject once keeping the references. If it comes up again, skim to identify if it’s new info or potential bias in methods. If new, maybe skim or read it further. If not or bias, then ignore for now. Also ignore any speculative work in science or medicine: it’s usually wrong anyway. Focus on stuff with experimental confirmation or collaboration.

Trick: Google and/or DuckDuckGo.

They’re your friend. Problem is getting right stuff out of them. I’ve noticed that most research ends up using certain buzzwords for that research. There’s also words that show up in better INFOSEC or IT work than most others. Virtualization is an obvious buzzword while “moving target” for diversity-oriented security was harder for me to find. Once you find that, you use quotes in search to filter options down to where it appears. A great example for words improving quality is “TCB:” researchers that don’t consider it in a design usually can’t make secure stuff anyway. 🙂 Two good at finding extra papers with one-line descriptions of their content are “Related Work” and “Survey.” Key words for finding wisdom instead of knowledge comes in “experience report,” “lessons learned,” “case study,” and so on.

Trick: filtering the search

You’ll notice that many things will pop up that aren’t relevant. The – operator is your friend. Researching separation kernels but keep getting VMware or cloud solutions? Do -vmware and/or -cloud. Maybe a good paper will have a VMware or cloud comparison in it. You’ll mostly filter out garbage, though, with a recent paper likely to reference that one by name anyway. You then search for that one by name.

Trick: DTIC for old stuff

Defense Technical Information Center collects technical reports from Defense-funded research. It sometimes has old work in IT and INFOSEC you might not find elsewhere. Tricky to learn to use it but I occasionally get something out of it. Thanks to DOD sourcing, they often have weird names where it’s not obvious that it’s beneficial. Other times, it’s pretty obvious: “The ARMY Secure Operating System ASOS.” 😉

Trick: reading papers

The common idea about reading papers is that you go from beginning to end. That’s incredibly dumb given it (a) might not be relevant to your needs and (b) is often just filler. You should actually do this:

  1. Look at authors and time period. Ignore it immediately if the authors are known to suck or you know for sure topic didn’t mature enough until after that date.
  2. Skim the abstract. If it was good, read it again while actually thinking about the words. Otherwise, next paper.
  3. Skim problem statement looking for matches to what’s in your head. Literally let your eyes just jump over the words pattern-matching on sentences. Skim over design or solution overview for same reason.
  4. Skip to the Conclusion and skim it. Did it conclude with a solution to the problem or parts of it with further work needed? If not a solution, stop reading.
  5. Look at implementation carefully to determine what platform, level of modification, etc. This by itself could confirm it’s worth reading closely or can’t possibly solve your immediate problem. Look for performance or TCB numbers if they have them. Something too slow for you or too complex to integrate may be a disqualifier. On other end, sometimes you’ll see incredible numbers like Code Pointer Integrity’s performance or Micro-SINA’s TCB.

  6. Look at Related Work section carefully. Gloss over what you’ve seen before. Carefully read anything else taking in what’s been done. If you don’t know those papers, take a note of them. Download any that partially or fully solve your problem even if current paper talks like they were inferior. Different operating assumptions from one deployment to the next can change that.

  7. Still worth it at this point? Mark it as high priority taking note of basic problem, concept, OS/platform, performance, and if code is available. Now, stop reading it and move on to the next paper. 🙂

  8. Repeat above steps for as many papers as you can in a time slot. You will now have narrowed things down for the current topic and avenue of interest. You will have a list of high priority papers to evaluate most worth your time. Now, read them fully whenever you can. Make sure you left time to read at least one so you end with fun not work. 🙂

Trick: Do above steps on specific solutions and fundamental techniques.

Easiest to do the above when solving specific problems: separation kernels, language protections, secure filesystems, VPN’s, whatever. You’ll need to spot fundamental work, too, whose keywords and such you’ll pick up over time. Words I see include microkernels, hypervisor, TCB, security protocol, formal verification, “certified” (component or activity here), high assurance, recovery-oriented, obfuscated, covert channel, “secure” + “TCB” + (component here like filesystem)… a number showing up in many papers. Often “DARPA” or “NSF” funded, too, if in the States. Certain authors doing good work will do good work again and again so keep them. Periodically google their names or papers.

Trick: Generate and prune.

Generate a list with Google searches or sites where good stuff shows up regularly like Hacker News. Look at abstract or opening really quick with a skim. Rate it, store it, or dismiss it immediately if obvious at that point. Do that for a whole list of results. I open 10-20 tabs w/ PDF’s and articles at once sometimes. Just go through each one with quick assessments either dismissed immediately or saved to a temp folder for later assessment with prior method. Some, like the 100+ crypto links someone posted, are too much for even me where I’m pruning at the level of the title and not even opening tabs lol.

Trick: Organize with title, tags, and/or full-text search software.

I ran into enough personal troubles that I stopped organizing my collection a few years ago unfortunately. I do a folder for each month of the year and drop them in there. I still do name the file with the paper’s title with minimal dropping of words, the year, and 1-2 author names. File search often finds them with that alone. Tags for recurring words or categories would be better. That plus integration with full-text search would be even better. Then, you can stash stuff away and just search on the topic periodically in response to new circumstances.

So, there’s you a few tricks to help you get through loads of papers. Do keep organizing yours because it can seem impossible to start again after a few years of chaos occurs. 😉 Being selective about what you read, skimming around papers, and dismissing everything that’s truly unimportant are best tactics. Plus, keeping stuff stashed away just in case with dedicated folders for stuff of recurring importance or historical significance. I forgot to add that above. Very important.

Nick P January 28, 2016 4:06 PM

@ Wael

(the above comment was to you: name dropped off for whatever reason)

If you want, I’ll send you some text files of what I collected past 6 months. Mostly hardware focus with many finds in software, language-oriented security, verification, and protocols on top of it. It’s just the paper’s title, year, and author in lists organized by month. You’ll see how much this method gets through even when you have limited time like I’ve had this year. Plus, I’ll send you any specific ones you’re interested in.

Wael January 28, 2016 7:49 PM

@Nick P,

Thanks man, I really appreciate it! I feel my response is inadequate given the amount of tricks you shared!

If you want, I’ll send you some text files of what I collected past 6 months.

Ok 🙂

Clive Robinson January 29, 2016 6:26 AM

@ Wael,

With searching remember that it is multidimensional in nature.

As @Nick P points out searching for terms like TCB can cut a lot of the chaff from the wheat, but… you have to remember a couple of things,

1, “Terms have life times”.
2, “Terms have position”.

Take TCB much of the interesting work happened before the term was coined or had much use. Further it’s going out of fashion for a couple of reasons. Firstly it’s becoming overly broad as current work has turned it from an idea into a wide field of endeavor. That is it is becoming an “unstated assumption” when talking about a subset of work in that field. Look at it this way do you expect to find “electric motor” in a paper titled “Optimised stator windings on rising sun formed rare earth magnets”? Secondly terms go out of fashion as authors feel they date their work in others’ minds on the “heard it all before” principle.

But TCB also has “position”, that is it appears in the upper end of the middle layers in the computing stack. But it is “in the field of security” not “in the field of memory management” even though they overlap very broadly…

Thus you need to build a multidimensional model of terms and how they relate to each other.

Oh and another thing, it sounds slightly mad but I’ve found it’s worth doing and it’s “fixing key papers, terms and principles in your mind”. The old advice was “write them down in long hand in your lab book / diary”. It’s still valid, but you might try building your own “citation database”. The simplest way to do this is cut-n-paste the paper title, authors, date etc into a record, and also the abstract into a “free text” field in the papers record. Then pipe the words from the abstract into unique and cut out stop words, this then goes in the “broad key words” field. Then in your broad key word list record include the paper’s record number.
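The citation database described in the comment above, sketched as an added example (not code posted by any commenter): each record keeps the title, authors, year and abstract, the abstract's unique non-stop words become its broad key words, and an index maps each key word back to record numbers. The names `CitationDB` and `broad_keywords`, the stop-word list and the sample records are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Small stop-word list, constructed for this example; extend it for real use.
STOP_WORDS = frozenset(
    "a an and are as at be by for from in is it of on or that the this to we with".split()
)


def broad_keywords(abstract):
    """Unique lower-cased words of the abstract with stop words removed."""
    words = re.findall(r"[a-z][a-z0-9-]*", abstract.lower())
    return sorted(set(words) - STOP_WORDS)


class CitationDB:
    def __init__(self):
        self.records = {}               # record number -> paper record
        self.index = defaultdict(set)   # broad key word -> record numbers

    def add(self, title, authors, year, abstract):
        number = len(self.records) + 1
        keywords = broad_keywords(abstract)
        self.records[number] = {
            "title": title, "authors": authors, "year": year,
            "abstract": abstract, "keywords": keywords,
        }
        for word in keywords:
            self.index[word].add(number)
        return number

    def search(self, *terms):
        """Record numbers whose abstracts contain every term (an AND search)."""
        hits = [self.index.get(t.lower(), set()) for t in terms]
        return sorted(set.intersection(*hits)) if hits else []


# Constructed sample records: placeholder titles, authors and abstracts.
db = CitationDB()
db.add("Sample paper A", ["Author One"], 2015,
       "We reduce the TCB of a separation kernel to a few thousand lines.")
db.add("Sample paper B", ["Author Two"], 2016,
       "A survey of covert channel analysis in the hypervisor and the kernel.")
```

Searching on several terms narrows the result the same way stacking quoted terms does in a search engine: `db.search("TCB", "kernel")` returns only the first record.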

BoppingAround January 29, 2016 9:21 AM

[re: Search operators] Nick P,
Don’t forget about AND or ‘+’, as well as double quotes (they usually mean ‘search exactly this and in this order’; consult the help section of your favourite search engine for further clarification).

These things used to be quite popular at the end of 90s to the mid-00s.

Nick P January 29, 2016 2:49 PM

@ Wael
re files

I was going to highlight the files in the folders then copy and paste those into the text editor. I used to do that on Windows to easily get a list of the files. Can’t do it on Mint: tries and fails to open them haha. Plus ADrive account is still down. So, I screenshotted them into images and posted them to the imgur account. Link here.

Long as people don’t ask for many I’ll try to send any individual files you find interesting. Also, won’t send them if they’re IEEE or ACM only. Some might be despite me using that less.

@ Clive

“But TCB also has “position”, that is it appears in the upper end of the middle layers in the computing stack. But it is “in the field of security” not “in the field of memory management” even though they overlap very broadly…”

Yeah. There’s different words that commonly appear in different fields. Those papers are usually easier in that memory safety or “absence of” followed by specific errors will often find them. Each category or group has their own lingo due to siloing. So, one must collect pieces of it all.

“The old advice was “write them down in long hand in your lab book / diary”. It’s still valid, but you might try building your own “citation database”. The simplest way to do this is cut-n-paste the paper title, authors, date etc into a record, and also the abstract into a “free text” field in the papers record.”

That’s effective and compatible with mine. The problems appear when the paper load is huge with many similar works like mine. Hence, me adding a recommendation of tags to it to enable automated search to group them together for further pruning. Adding abstracts as you advise, like my old “Nick’s Notes,” would be helpful. Laziness or overwhelming life issues got the better of me. 😉

@ BoppingAround

Yeah, that was a good trick in the past. I haven’t used it in a long time, though, because of mixed results in terms of support. The quotation mark thing is an explicit AND, though, since it requires it in the content.

Buck January 29, 2016 5:11 PM

@BoppingAround

The + operator was dropped (at least by Google) some number of years ago… It was pretty useful at times when you needed an ‘AND ([word] OR [plural/synonyms])’

Similar functionality can now be emulated through the use of double quotes and the OR operator:

“word” OR “words” OR “phrase” OR “term”

I still wonder why they removed that feature… Perhaps the thesaurus grew too large?

Wael January 29, 2016 9:42 PM

@Clive Robinson, @Nick P,

The old advice was “write them down in long hand in your lab book / diary”. It’s still valid,

That’s good advice. I can’t count how many times I lost “electronic” notes.

Wael January 29, 2016 9:49 PM

@Nick P,

Also, won’t send them if they’re IEEE or ACM only.

Thanks for the effort! I forgot about copyrights! Better stick with files that you can link to, as you always did in the past.


Sidebar photo of Bruce Schneier by Joe MacInnis.