Friday Squid Blogging: Biodegradable Thermoplastic Inspired by Squid Teeth

There's a new 3D-printable biodegradable thermoplastic:

Pennsylvania State University researchers have synthesized a biodegradable thermoplastic that can be used for molding, extrusion, 3D printing, as an adhesive, or a coating using structural proteins from the ring teeth on squid tentacles.

Another article:

The researchers took genes from a squid and put them into E. coli bacteria. "You can insert genes into this organism and while it produces its own genes, [it] produces this extra protein," Demirel explains. He compares the process to making wine or beer, except that instead of the fermentation process producing alcohol, it produces more of the synthesized squid protein.

They began producing the material in a 1-liter tank, but by now have started using a 300-liter tank and can make 30-40 grams a day. In addition, they've made several changes to make the production process cheaper, whittling the cost down from $50 per gram to $100 per kilogram. Demirel says they are looking at using algae instead of bacteria to cut down costs further.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on March 6, 2015 at 4:21 PM • 130 Comments

Comments

AlanS • March 6, 2015 5:40 PM

You know something really stinks when Ben Wittes (Thoughts on the Petraeus Plea) agrees with the Intercept (Petraeus Plea Deal Reveals Two-Tier Justice System for Leaks):

All that said, the conduct described in this document reads like something more than a misdemeanor plea to me, particularly given the administration’s tough stance towards leakers. Petraeus removed and concealed several notebooks full of code-word classified intelligence—including “the identities of covert officers, war strategy, intelligence capabilities and mechanisms, diplomatic discussions, quotes and deliberative discussions from high-level National Security Council meetings, and [his own] discussions with the President of the United States.” He gave these for a period of time to his biographer, with whom he was also having an affair, at an unsecured private residence. And as director of the CIA, he then lied about the matter to the FBI—a huge aggravating factor, in my view. This was not simple mishandling of classified material. It was something for which other people, lower down, would reasonably expect very severe sanction....At the end of the day, I agree with Maass that the deal “reveals [a] two-tiered justice system for leaks.”

Compare the Petraeus treatment with that of John Kiriakou. The latter got a felony conviction and a thirty month jail sentence for much lesser crimes. But there is more stink here than a two-tiered justice system. In a CIA press release on the Kiriakou conviction Petraeus wrote:

... it marks an important victory for our Agency, for our Intelligence Community, and for our country.  Oaths do matter, and there are indeed consequences for those who believe they are above the laws that protect our fellow officers and enable American intelligence agencies to operate with the requisite degree of secrecy.

Add to that this observation quoted in Wittes' follow-up post:
Petraeus was a general court martial convening authority for a decade or more. He decided what cases were referred to a court-martial. He decided on the terms of plea deals. He decided what post trial clemency should or should not be given. He has sent people to jail and ended careers for far less than what he did.

As for the Petraeus "hero of the surge" narrative, that turns out to be more a matter of political expediency than fact. See Our troops did not fail in 2006 and A (Slightly) Better War: A Narrative and Its Defects. And maybe that's the crux of the matter. We can't sully the hero of the lies we tell ourselves about American involvement in Iraq.

Mr. Smooth • March 6, 2015 6:32 PM

The quest for more accurate search results propels search engine companies to organize information. In so doing, they are engaged in a filtering and truth finding operation. The many errors of human discourse are canceled or damped by the mediation of automated neural nets.

At some point, search engine companies must come into conflict with the strategic disinformation mission of intelligence agencies.

What happens then?

Do they become agents of disinformation in response to National Security Letters?

Has that already happened?

WalksWithCrows • March 6, 2015 7:15 PM

@Alan S

From my perspective, I have zero outrage on the issue, but merely because I view the Petraeus situation as "not what it appears to be".

My perspective is Petraeus was asked to step down and this is the manner in which it worked. There are multiple options in such a situation. One is that he could come up with some manner of plausible excuse. Problem can be, that sort of explanation is too often very shaky, and much doubt might be raised.

If doubt is raised, questions are asked.

This way he left, much less room for asking such questions, by most observers.

Inequitable partings tend to be conclusive for most types of groups. However, for one type, specifically those involved with intel or law enforcement and undercover agents, hostility and inequitable partings may not be at all what they seem. One term used is "distancing".

Other social groups use distancing constantly. A republican, for instance, can show "how republican they are" by as much as singing the party tunes as they can by degrading the "democrats".

This reeks of artificial distancing.

The whole case reeks. The characters in the cast reek. The FBI agents put on this probably had no idea, and still do not. But, my impression is they were following a little breadcrumb road which led to only one inevitable conclusion. Their superiors were probably just waiting for them to reach that conclusion.

These conclusions? Speculative. Unsourced. Hearsay. Complete conjecture based on a fantastical imagination and zero experience.

But, the underlying "why" is interesting and useful, perhaps.

Boo • March 6, 2015 7:22 PM

Interesting research on security and what you'll put up with.

This is why the government pushes FEAR FEAR FEAR THREAT THREAT THREAT - they're trying to flip the switch that makes you a groveling serf. When they flip the switch you stop thinking about fairness and avoiding harm, and you fixate on ingroup, authority, and purity. Once they flip your switch, you'll put up with all kinds of predatory shit, like a battered spouse. You'll give up all your rights. You'll even tell yourself you like it.

The fear switch works best on people who are not too heavy on the intellect (in the technical terms of the Big Five traits.) That's why you don't want your cops and your troops too smart. You need them to fall for the fear most of all.

So if you're a worthless shit government that doesn't deserve to exist, like the USA, you just turn on the fear to protect the fucked-up status quo.

WalksWithCrows • March 6, 2015 7:37 PM

@Mr. Smooth

The many errors of human discourse are canceled or damped by the mediation of automated neural nets.
At some point, search engine companies must come into conflict with the strategic disinformation mission of intelligence agencies.

I am not sure I understand your first thesis there, quoted above. Are you stating that you believe in a sort of democratization of ideas which causes the best ideas to rise to the forefront, if unimpeded by unnatural forces?

If so, I do not entirely disagree, as history has shown this very manner of trend, and a sort of principle might be derived: "weightier", or more true, ... intangible objects (ideas, statements, etc)... have a tendency to rise to the top of the heap.

But on many subjects proper weight is not able to be gauged because there is information lacking. So, for instance, someone who has never before tried chocolate might hear of it and improperly weigh it. They could not know properly and so properly comprehend the weightiness of it, because it is a meaningless word to them.

One could say they are lacking an epiphany.

This is not invariably true because of the way people do communicate. My favorite example of late is in the book of a survivor of a particularly harsh & isolative North Korean camp. He grew up in isolation even more severe than normal North Koreans. But, one day, someone from the greater world - even who had traveled overseas - came and was situated next to him.

Now, he had never heard of "boiled pig" before, having only - at best - tasted cold rat. But, somehow, the stranger's description, his enthusiasm, communicated to him. And this was a primary driver of making him want to escape.

Now, true or not [that person has recently recanted some of his story] the principle does remain true.

The "first world" does not consider that they might be "somewhere else's" North Korea or New Guinea. There is no point of reference, and so how would they know, even if one might conclude that "somewhere else" is, say, "the very far part, very distant future, or very far away".

On the second thesis: Google itself has political objectives, social objectives. But, yes, of course, governments are engaged in supplanting the accuracy of the system. Well known situation in China and Russia, for instance, or the Middle East & North Africa.

What is left out is the primary method here of handling that. If they never hear of boiled pig, then they will never want it. Quite simple. If they hear of boiled pig in untrue ways, they still are effectively never really hearing of boiled pig.

Anura • March 6, 2015 7:50 PM

I'm curious if anyone knows the answer to this. Part of the specification for XTS mode defines how to handle partial blocks. Is this ever necessary when encrypting a disk? It seems like disk sectors are always going to be a multiple of the block size unless the block size is larger than the sector (which XTS can't handle anyway). I was reading a paper analyzing XTS mode, and they spent a fair amount of time discussing ciphertext-stealing, and I'm curious if there is anytime when it actually matters when talking about hard disk encryption.
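Anura's question above is about when the partial-block (ciphertext-stealing) path of XTS is ever reached. The block below is an added example, not code from the post and not any real XTS implementation: a minimal XTS data-unit encryptor that follows the IEEE 1619 layout (encrypted sector number as tweak, multiplication by alpha in GF(2^128) between blocks, ciphertext stealing for a trailing partial block) and reports whether the stealing step ran. To keep it dependency-free it uses a toy 16-byte Feistel permutation built from HMAC-SHA256 in place of AES, so it must not be used for real data. Keys and sector numbers are constructed.

```python
import hashlib
import hmac

BLOCK = 16  # XTS works on 16-byte blocks; the data unit is one disk sector


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed round function for the toy cipher: 8 bytes of HMAC-SHA256.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def toy_encrypt(key: bytes, block: bytes) -> bytes:
    """4-round Feistel permutation on 16 bytes: a stand-in for AES, not a real cipher."""
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _round(key, rnd, r))
    return l + r


def toy_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _round(key, rnd, l)), l
    return l + r


def mul_alpha(t: bytes) -> bytes:
    """Multiply the tweak by alpha in GF(2^128), little-endian bit order as in IEEE 1619."""
    out = bytearray(BLOCK)
    carry = 0
    for i in range(BLOCK):
        out[i] = ((t[i] << 1) & 0xFF) | carry
        carry = t[i] >> 7
    if carry:
        out[0] ^= 0x87  # reduction by x^128 + x^7 + x^2 + x + 1
    return bytes(out)


def _xts_block(key1: bytes, tweak: bytes, block: bytes, encrypt: bool) -> bytes:
    x = _xor(block, tweak)
    y = toy_encrypt(key1, x) if encrypt else toy_decrypt(key1, x)
    return _xor(y, tweak)


def needs_ciphertext_stealing(unit_len: int) -> bool:
    """The partial-block path only runs when the data unit is not a multiple of 16 bytes."""
    return unit_len % BLOCK != 0


def xts_encrypt(key1: bytes, key2: bytes, sector: int, data: bytes):
    """Encrypt one data unit. Returns (ciphertext, used_ciphertext_stealing)."""
    if len(data) < BLOCK:
        raise ValueError("XTS data unit must be at least 16 bytes")
    tweak = toy_encrypt(key2, sector.to_bytes(BLOCK, "little"))
    full, b = divmod(len(data), BLOCK)
    if b:
        full -= 1  # the last full block is processed together with the partial one
    out = bytearray()
    for j in range(full):
        out += _xts_block(key1, tweak, data[j * BLOCK:(j + 1) * BLOCK], True)
        tweak = mul_alpha(tweak)
    if b == 0:
        return bytes(out), False
    # Ciphertext stealing: encrypt the last full block, then lend its tail bytes
    # to the partial block so that the second encryption is a full block again.
    cc = _xts_block(key1, tweak, data[full * BLOCK:(full + 1) * BLOCK], True)
    pp = data[(full + 1) * BLOCK:] + cc[b:]
    out += _xts_block(key1, mul_alpha(tweak), pp, True)
    out += cc[:b]
    return bytes(out), True


def xts_decrypt(key1: bytes, key2: bytes, sector: int, data: bytes) -> bytes:
    tweak = toy_encrypt(key2, sector.to_bytes(BLOCK, "little"))
    full, b = divmod(len(data), BLOCK)
    if b:
        full -= 1
    out = bytearray()
    for j in range(full):
        out += _xts_block(key1, tweak, data[j * BLOCK:(j + 1) * BLOCK], False)
        tweak = mul_alpha(tweak)
    if b == 0:
        return bytes(out)
    pp = _xts_block(key1, mul_alpha(tweak), data[full * BLOCK:(full + 1) * BLOCK], False)
    cc = data[(full + 1) * BLOCK:] + pp[b:]
    out += _xts_block(key1, tweak, cc, False)
    out += pp[:b]
    return bytes(out)


if __name__ == "__main__":
    k1, k2 = b"\x01" * 16, b"\x02" * 16          # constructed keys
    sector = bytes(range(256)) * 2                # a 512-byte sector, 32 whole blocks
    _, stole = xts_encrypt(k1, k2, 7, sector)
    print("512-byte unit used ciphertext stealing:", stole)
    _, stole = xts_encrypt(k1, k2, 7, bytes(25))  # constructed odd-length unit
    print("25-byte unit used ciphertext stealing:", stole)
```

Running it shows the point behind the question: a 512- or 4096-byte unit is a whole number of blocks, so only the ordinary per-block path runs; the stealing branch is taken only for a unit whose length is not a multiple of 16, which a sector-sized data unit never is.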

WalksWithCrows • March 6, 2015 8:25 PM

@Boo

Read most of the article, before realizing that the problem I see with their work is they are still operating within a subjective bubble of their own social group, and their primary adversarial social group. I do not think all the conclusions are therefore entirely invalid, but to approach the problems they are attempting to approach they need to include social systems well outside of their own subjective spheres.

For instance, "left" or "liberal" is defined very differently in the US than it is in China, Russia, New Guinea, or wherever... and historically, there is significant change of definition.

Fear, for instance, is a basic instinctual herd motivator, and pretty obviously common to nearly the complete range of US social groups, obviously including here political ones.

This might seem to indicate I am US conservative, if you are US liberal, however I am not. None of the above. Very much so.

Boo • March 6, 2015 10:17 PM

@WWC, Yup. Exactly. Salon takes straightforward empirical research and tries to sanitize it with the standard US statist trick: blame the state's failings on the other party. So statist fear-mongering is not the fault of the state, it's the fault of the Republicans. When threat mania is rock-solid bipartisan consensus. When it dates back to Gladio, to the Red scare, to both terror wars, Reagan's and Bush II's. It's been state policy forever.

Everybody hates this overreaching state. But if you can get Democrats to blame it on Republicans and Republicans to blame it on Democrats, nobody will blame the state. That's the plan. It isn't working anymore.

8352 • March 6, 2015 11:04 PM

I'm wondering what you guys think of email provider Zoho.com.

Zoho offers free 5GB email accounts, paid accounts with more storage, as well as a large array of business/enterprise cloud services. Their free services apparently have no ads and no mining of private user data.

According to a Snowden document released by Der Spiegel in December 2014, Zoho mail is actually very hard for the NSA to decrypt and access. NSA rated it 4/5 for difficulty, the same rating they gave Tor, TrueCrypt, and OTR. The document is dated June 2012.

Relevant quotes from the Der Spiegel article:

[...] An NSA presentation for a conference that took place that year lists the encryption programs the Americans failed to crack. In the process, the NSA cryptologists divided their targets into five levels corresponding to the degree of the difficulty of the attack and the outcome, ranging from "trivial" to "catastrophic." [...] Things first become troublesome at the fourth level. The presentation states that the NSA encounters "major" problems in its attempts to decrypt messages sent through heavily encrypted email service providers like Zoho or in monitoring users of the Tor network, which was developed for surfing the web anonymously. [...] The NSA also has "major" problems with Truecrypt, a program for encrypting files on computers. [...] A protocol called Off-the-Record (OTR) for encrypting instant messaging in an end-to-end encryption process also seems to cause the NSA major problems.

Quotes from the top secret NSA presentation:

[Slide 20/40 of the presentation:]
Major: Loss/lack of insight to majority of target communications, presence.
Current Highest Priority Target Use: OTR, Tor, Smartphones, Zoho.com webmail, TrueCrypt.
[...]
[Slide 38/40 of the presentation:]
(TS//SI//REL) Encrypted Webmail Services
- Atabmail, Zoho, Safe-mail, Fastmail, HMA Mail

After the initial Snowden revelations during the summer of 2013, Zoho CEO Sridhar Vembu blogged that he was aware his company was at risk of receiving National Security Letters, just like any service provider, but he also claimed that Zoho had not yet received one at that time.

[...] Our data centers are based in the United States, and we do a sizable chunk of our business here as well. We are, therefore, subject to US law. We do not make the laws, but we are bound by them – whether we agree with them or not. [...] We would love to be able to guarantee the privacy of your data against any government intervention. However, realistically that is not possible. [...] we can assure you that we guarantee your privacy, at least from Zoho itself, if not from the Government. So far we have not faced any situation that has presented us with these conflicts, but we do not assume we will never face it.

I'm not really sure what to think of all this. On one hand, NSA put Zoho right up there with Tor, TrueCrypt, and OTR, which are all very strong. Zoho also doesn't display ads or mine user data, unlike Gmail/Yahoo/Hotmail. And 5GB free storage is relatively generous. On the other hand, Zoho is just one National Security Letter away from being compromised by the government.

On a technical level, what is Zoho doing that other email providers like Google aren't that causes the NSA to hate Zoho's encryption? Is it simply the absence of PRISM datalinks in Zoho's datacenters? After all, both Gmail and Zoho use TLS/SSL, so that can't be it, right?

Can services like Zoho be seen as a compromise between heavily-encrypted services like Lavabit or Protonmail, which make themselves really obvious targets for state-sponsored hacking and surveillance, and anti-private services like Gmail/Yahoo/Hotmail, which mine their users' personal data for ads?

What do you think? Can we all finally get our friends, parents, and relatives off Gmail/Yahoo/Hotmail and onto Zoho?

Mr. Smooth • March 6, 2015 11:08 PM

@WalksWithCrows "Are you stating that you believe in a sort of democratization of ideas which causes the best ideas to rise to the forefront, if unimpeded by unnatural forces?"

I wouldn't call it a democratization of ideas so much as conservation of truth, similar to how common law converges to human nature over time and inductively finds justice.

To the extent search engines integrate data from many non-colluding sources, then there would be no basis for systemic bias. Except for in the algorithms themselves, where figures of merit would shape results.

And that raises question of whether machines are harvesting data and packaging it for the benefit of customers or for the benefit of our rulers.

sena kavote • March 6, 2015 11:38 PM

Program to constantly check other programs

It is good to have web browser in a sandbox or FreeBSD jail in case it gets
possessed by attackers, but even better if web browser can be constantly
checked for signs of attacker possession. The executable parts of process
memory should stay same. If they are changed, it is a sign of really bad bug or
attacker possession. The checking program reads the executable parts up to 60
times per second and compares them to stored data.

This may be easier to do on processes running inside a virtual machine, using
the checking program outside, from the host.

Forming the description about which parts of memory are code and which parts
data (that is supposed to change), may be tricky. I think there needs to be
several training runs with input and use that is meant to change every byte of
data that can ever change.

Data going out from web browser to net is held in a send buffer until the
latest check is cleared.

To make a compromise for performance, the checks could be rarer but in random
times, in random parts of the process memory and in random order.
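The checker sketched above, as an added example that is not part of the post and not anyone's shipped product: an out-of-process watchdog that records a hash baseline of the executable regions, re-hashes them in random order (optionally only a random sample of them, the performance compromise mentioned last), and holds outbound data until the latest check is clean. The "process" here is a constructed in-memory simulation; in a real deployment the `read_memory` callback and the region list would come from the target's memory map or, as the post suggests, from the host's view of a guest VM.

```python
import hashlib
import random
from typing import Callable, Dict, List, Optional, Tuple

# (name, start, length, is_executable). In a real checker these come from the
# target's memory map; here they describe a constructed, simulated process.
Region = Tuple[str, int, int, bool]


class CodeRegionWatchdog:
    """Hashes executable regions against a baseline and gates outbound data on the result."""

    def __init__(self, read_memory: Callable[[int, int], bytes],
                 regions: List[Region], rng: Optional[random.Random] = None):
        self.read_memory = read_memory
        self.code_regions = [r for r in regions if r[3]]   # data regions may change freely
        self.baseline: Dict[str, bytes] = {}
        self.rng = rng or random.SystemRandom()
        self.send_buffer: List[bytes] = []
        self.last_check_clean = False

    def _digest(self, start: int, length: int) -> bytes:
        return hashlib.sha256(self.read_memory(start, length)).digest()

    def record_baseline(self) -> None:
        """Snapshot of the code regions taken right after load."""
        for name, start, length, _ in self.code_regions:
            self.baseline[name] = self._digest(start, length)

    def check(self, sample: Optional[int] = None) -> List[str]:
        """Re-hash code regions in random order (only `sample` of them if given)
        and return the names whose bytes no longer match the baseline."""
        regions = list(self.code_regions)
        self.rng.shuffle(regions)
        if sample is not None:
            regions = regions[:sample]
        tampered = [name for name, start, length, _ in regions
                    if self._digest(start, length) != self.baseline[name]]
        self.last_check_clean = not tampered
        return tampered

    def queue_outbound(self, payload: bytes) -> None:
        self.send_buffer.append(payload)

    def release_outbound(self) -> List[bytes]:
        """Outbound data leaves only if the most recent check passed; otherwise it stays held."""
        if not self.last_check_clean:
            return []
        released, self.send_buffer = self.send_buffer, []
        return released


class SimulatedProcess:
    """Constructed stand-in for a browser: a flat byte array with two executable
    regions and one writable data region."""
    REGIONS: List[Region] = [
        ("browser.text", 0, 2048, True),
        ("plugin.text", 2048, 1024, True),
        ("heap", 3072, 1024, False),
    ]

    def __init__(self, seed: int = 0):
        gen = random.Random(seed)
        self.memory = bytearray(gen.getrandbits(8) for _ in range(4096))

    def read(self, start: int, length: int) -> bytes:
        return bytes(self.memory[start:start + length])


def simulate() -> Dict[str, object]:
    proc = SimulatedProcess()
    wd = CodeRegionWatchdog(proc.read, SimulatedProcess.REGIONS, rng=random.Random(1))
    wd.record_baseline()
    results: Dict[str, object] = {}
    wd.queue_outbound(b"GET / HTTP/1.1")
    results["clean"] = wd.check()                          # nothing changed yet
    results["released_clean"] = wd.release_outbound()      # check passed, data may leave
    proc.memory[3100] ^= 0xFF                              # heap write: normal behaviour
    results["after_data_write"] = wd.check()
    proc.memory[2100] ^= 0xFF                              # one byte patched inside plugin code
    wd.queue_outbound(b"POST /form HTTP/1.1")
    results["after_code_patch"] = wd.check()
    results["released_tampered"] = wd.release_outbound()   # nothing leaves
    results["still_held"] = len(wd.send_buffer)
    results["sampled_check"] = wd.check(sample=1)          # may or may not hit the patched region
    return results


if __name__ == "__main__":
    for key, value in simulate().items():
        print(key, value)
```

The `sampled_check` entry shows the trade-off the last paragraph describes: checking one random region per pass is cheaper, but a single pass can miss the modified region, so detection becomes probabilistic rather than immediate.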

Nick P • March 7, 2015 12:05 AM

@ sena

The most modern attacks leverage what code is already in the system by abusing things like pointers. Many attacks abuse pointers. That's why the capability architectures started with pointer protection. Rework any design you have to protect the pointers from unauthorized modification. Also remember that they're useful for efficient message passing and building data structures. The ideal design can do the positives while avoiding the negatives.

Figureitout • March 7, 2015 12:59 AM

8352 RE: zoho
--Just another email provider likely using same server hardware, right? You need semi-insane OPSEC and a core trusted group physically watching while others sleep. It's suspicious that they offer 5GB free w/ no ads (would they know if I create 50 free accounts?--Maybe on deep inspection. Still how do they make money then?) I'd block the ads anyway, but their prices make me think they have a decent clientèle.

I'm not sure what to make of it either; best advice is to keep in mind, no matter what online service you use, is that it's *online*. We can elaborate on some decent OPSEC but end-users have to do it themselves adding bits of entropy themselves (I believe in purely user-added stages of entropy in any security scheme to render static analysis worthless).

Digital Radio Advance
--Fldigi is now supported on Android, this makes more support for more digital modes very likely in near future. This is big, we still need a good, compact transceiver w/ USB-OTG support. Why am I posting this here?--Additional communication channels, maybe a new kind of mesh network for robust comms in event of internet shutdown.

http://www.reddit.com/r/amateurradio/comments/2y5zmk/fldigi_now_runs_on_android/

http://www.amateurradio.com/fldigi-ported-over-to-android/

FreeRTOS on Atmel Samd20 SoC
--It works lol; as far as a useful product...that would take some work (I want a device that just wipes USB-sticks (let's just say FAT-filesystem for now), that's it). It can read characters from a terminal program (haven't tried PuTTY, but that's what I'd prefer). You can test it out, and go back to whatever you're doing. It's not elegant at all due to all the requirements working w/ Atmel SoC, but it is nice having this massive IDE navigating code and searching it (programmers know it's so much more fun working in an IDE (that doesn't suck, mind you; but they all do to an extent)). For security I want a minimal toolchain for chips that doesn't need tons of memory, windows OS, etc.

Nice if you want to dig into OS's and see some bare-bones implementations of them (and if you can't whip up all the drivers necessary to do this, you have to rely on someone else); or if you want a challenge to create something useable that few others have done anything w/.

*Note code for example project is in Atmel Studio so don't go looking for code somewhere*

http://www.freertos.org/Atmel_SAMD20_RTOS.html

WalksWithCrows • March 7, 2015 1:56 AM

@Mr. Smooth

I wouldn't call it a democratization of ideas so much as conservation of truth, similar to how common law converges to human nature over time and inductively finds justice.

Correct.

I used an Americanism, though think the same thing.

And that raises question of whether machines are harvesting data and packaging it for the benefit of customers or for the benefit of our rulers.

If you speed and get a ticket, it could be said that the police officer was "ruling" you. There is a rule against speeding and he applied the teeth of that rule to you. But, if you are not speeding and get a ticket, he still is "ruling" you, but breaking even more serious rules his own self while doing so.

If society "progresses" then eventually we could expect that those who rule others in such a hypocritical way will 'go the way of the dodo'.

If society does not move in that direction, then there is no "progress" at all.

Is that manner of truth such that there will be progress, or not?

If not, then perhaps there is no truth at all?

But, if you really believe there is truth, according to the definition you gave, then foremost, truth will correct these wrongs, no?


Chris • March 7, 2015 2:40 AM

Hi everyone, I stumbled upon something new to me, and I am not exactly sure what it is on a threat scale and how it is used or can be used; I suspect at least some kind of tracking possibility perhaps.

Anyhow, I downloaded the latest version of LOKI scanner and scanned my friend's laptop and it found some things I had never seen before, and I wonder what these might be.
The scanner calls them Webshell Backdoor Codes within Imagefile, and they are all in the Firefox cache. I uploaded them to virustotal and have looked at them in hexedit but I don't get any wiser anyhow; any comments on the below...

Those files below are the actual "Backdoor Images" as identified on virustotal.com; they all come out clean but the information button says there is something fishy going on.

TOR DOWNLOAD BUTTON:
====================
https://www.torproject.org/images/button-downloadpage.png

TOR DONATE BUTTON:
==================
https://www.torproject.org/images/btn_donateCC_LG.gif

WHITE BACKGROUND:
=================
https://www.torproject.org/images/headerbg.jpg

WE TEACH THE WEB IMAGE:
=======================
https://dtex4kvbppovt.cloudfront.net/images/720121e7462d8c7863b4dd8fa7b5c1089b5f5fb2.33862.png

MORE WAYS TO CUSTOMIZE:
=======================
https://dtex4kvbppovt.cloudfront.net/images/12ada6d5f17a9f361059cb7039c3539871fc797f.22493.png

FIREFOX:
========
https://dtex4kvbppovt.cloudfront.net/images/f76b85478f8e33aea7cdd945588fc205ba093bcf.338695.png

FAVICON FIREFOX:
================
https://mozorg.cdn.mozilla.net/media/img/firefox/favicon-196.png

LINKS:
======
https://www.trustwave.com/Resources/SpiderLabs-Blog/Hiding-Webshell-Backdoor-Code-in-Image-Files/
https://www.bsk-consulting.de/loki-free-ioc-scanner/
https://github.com/Neo23x0/Loki
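What a "webshell code within image file" check actually looks at, as an added example that is neither LOKI's code nor the Trustwave article's: a PNG is walked chunk by chunk to find where the image structurally ends, and script markers are then rated by position. Bytes that carry a script marker after the IEND chunk are the pattern the Trustwave post describes; the same marker inside a legitimate chunk (a text comment, say) is low confidence, which is one reason a signature that only searches for strings produces hits on ordinary images. The sample PNGs are constructed inline, the marker appended to one of them is an inert comment rather than any payload, and only PNG is handled (GIF and JPEG have their own end-of-image markers and would need their own walkers).

```python
import struct
import zlib
from typing import List, Optional, Tuple

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Strings such a detector looks for. Presence alone is weak evidence; position
# relative to the image structure is what gives a finding its weight.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script", b"eval(", b"base64_decode(")


def png_chunk(kind: bytes, data: bytes) -> bytes:
    crc = zlib.crc32(kind + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + kind + data + struct.pack(">I", crc)


def build_png(text_chunks: Tuple[bytes, ...] = ()) -> bytes:
    """Constructed minimal 1x1 RGB PNG used as sample input (not a real download)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00\x00\x00")   # filter byte + one black pixel
    out = PNG_SIG + png_chunk(b"IHDR", ihdr)
    for text in text_chunks:
        out += png_chunk(b"tEXt", text)          # keyword\0text, as in real files
    return out + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b"")


def png_end_offset(data: bytes) -> Optional[int]:
    """Walk the chunk list; return the offset just past IEND, or None if malformed."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, kind = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length                  # length + type + data + crc
        if end > len(data):
            return None
        if kind == b"IEND":
            return end
        pos = end
    return None


def scan_png(data: bytes) -> List[Tuple[str, str]]:
    """Return (severity, finding) pairs for one file."""
    end = png_end_offset(data)
    if end is None:
        return [("medium", "not a well-formed PNG (truncated or no IEND)")]
    findings: List[Tuple[str, str]] = []
    trailer = data[end:]
    if trailer:
        findings.append(("low", f"{len(trailer)} bytes after IEND"))
    for marker in SCRIPT_MARKERS:
        if marker in trailer:
            findings.append(("high", f"{marker.decode()} after image end"))
        elif marker in data[:end]:
            findings.append(("low", f"{marker.decode()} inside image chunks"))
    return findings


def severity(data: bytes) -> str:
    """Highest severity among the findings, or 'clean'."""
    order = {"clean": 0, "low": 1, "medium": 2, "high": 3}
    worst = "clean"
    for sev, _ in scan_png(data):
        if order[sev] > order[worst]:
            worst = sev
    return worst


# Constructed samples: a clean image, one with an inert marker appended after
# IEND, and one whose text chunk merely mentions a tag.
CLEAN = build_png()
APPENDED = build_png() + b"<?php /* constructed marker, no payload */ ?>"
TEXT_CHUNK = build_png((b"Comment\x00see <script> tag docs",))

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN), ("appended", APPENDED), ("text chunk", TEXT_CHUNK)):
        print(name, severity(sample), scan_png(sample))
```

Applied to a browser cache, a rating like this separates "script text appended behind a complete image" from "image that happens to contain the letters of a tag", which is the distinction to check before treating a cached button graphic as a backdoor.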

JestInCase • March 7, 2015 3:01 AM

@parabarbarian
I pointed my Win7 test bed at this: revoked.grc.com
Avast popped an info box saying it was blocked because of an expired cert. After disabling Avast, Firefox likewise would not connect. So…

xizzhu • March 7, 2015 3:02 AM

I guess the biggest security story you missed this week is to use a private server exclusively as Secretary of State for four years. It's really time to educate people not to do silly things (if we don't talk about politics here).

Clive Robinson • March 7, 2015 3:37 AM

@ Anura,

Ask yourself the question "when is a block, not a block?"

The answer is when it's further up the stack.

If you are working down just above the hardware in or below the device driver then a block is usually a block because the layers above have made the file fit. If however you are working up near the application level then the apps have little or no notion --and really should not know-- of a block, and may be continuously updating with small bits of data (log files, WP files and many other "work in progress" apps).

As for the specifics of XTS as always with such things, prod with caution, use with care and always mitigate no matter how little you think your data is worth.

@ sena kavote,

I have previously described this idea as part of Castle v Prison and called it "probabilistic security". Both @ Nick P, and @ Wael will no doubt want to add their views on it.

What I also did was add signature analysis to the actual computational process. To make this possible the applications need to be broken down into small well found parts. Thus the basic parts would be written by those good at secure programming, whilst those developing applications with these parts string them together rather like *nix shell scripting. This in effect makes the applications run in an interpreted rather than compiled manner, which is a point you were discussing with @ Nick P a few days ago.

As was recently pointed out see "brain bucket" of early CDC systems various aspects of the Prison idea are far from new, as an industry we have retreated away from secure design for various reasons. Some might call it "efficiency" --which I've warned about over and over with "Efficiency v Security",-- and others have pointed the finger at "marketing" with their drive on "specmanship".

The simple fact is that for what ever reason the industry under the control of a few large players has gone for a froth of baubles, not just style over substance, and continue gnawing away at the well laid ICTsec foundations of previous generations.

The result being the ease of cyber attacks by those most would consider criminals be they of "Serious Organised Crime" or the various "Government IC agencies" and their deniable "arms length contractors". Which has become a "plague on the houses" of nearly all computer users, and perhaps understandably people are starting to re-invent solutions of the past in an attempt to oust the unwelcome intruders.

Ole Juul • March 7, 2015 3:47 AM

@xizzhu: "I guess the biggest security story you missed this week is to use a private server exclusively as Secretary of State for four years."
How does one use a server as Secretary of State? The mind boggles!

Wael • March 7, 2015 5:31 AM

@Clive Robinson, @sena kavote,

I have previously described this idea as part of Castle v Prison and called it "probabilistic security"

Yes you have, and it can be applied today as well such as in: "Your platform is probably not secure" :) I am ok with the principle, but it shouldn't be the only mechanism...

As for the "program checking program", I think it's been done before. Even some malware did that at one point, I remember a virus called "nail" that ran two executables. If the virus was deleted or the process was stopped, the monitoring part spawned another instance with a random name. This is a rudimentary check, and the one you describe is expected to do more granular checks. The question is why would you trust the "checking" program (warden)? You have a few of them, use voting, then you'll end up with what @Clive Robinson described...

Bob S. • March 7, 2015 8:21 AM

I think it's time to give up hope any government or corporation will allow us to have private or secure communication.

Indeed, shortly I will be adjusting my own communications based on that principle. No good can come from letting them have access to our every key stroke.

Political action seems far off, and unlikely. However, there's a chance some oddball nerd(s) will create a technological magic bullet to kill mass surveillance.

We'll know it when it comes, because it will work every time, every where, and be so elegant even a child would understand how it works.

Sean Flannery • March 7, 2015 8:50 AM

On additional stories, there's a great article in the current New Yorker detailing how a group of elderly pacifists broke into the Y-12 Nuclear Processing Facility:

http://www.newyorker.com/magazine/2015/03/09/break-in-at-y-12

The group had to pause often to take heart medication but still penetrated each level of security. Of particular interest is in how the company that was given security contracts ignored advice on how to better secure the facility and gamed their performance evaluations to look better. For example, during simulated attacks, which sound like the old game of Laser Tag, they disabled the receivers on their employees so they couldn't be 'shot' by the attackers and scored perfectly. The details were all new to me and pretty interesting.

AlanS • March 7, 2015 9:45 AM

This week an intelligence agency unmasked a revolution and published a proactive response plan (on CIA site).

The initiatives described below are driven by...the unprecedented pace and impact of technological advancements. When previously faced with such shifts, this Agency proved it can adapt and transform in significant ways....The time has come for us to do so again, which will require bold action....we must be positioned to embrace and leverage the digital revolution to the benefit of all mission areas.

parabarbarian • March 7, 2015 9:55 AM

@JestInCase. I noticed this while testing the certificates for my employer's proxy server and Citrix environment. I exported the certificate chains from Firefox on Windows, then Firefox on Linux (CentOS) and examined them both using openssl. I have access to the original server certs and keys so I know what I expect to see. I found the server cert extracted on the Windows box had a different modulus and serial number from the original. It was signed by "avast! Web/Mail Shield Root" instead of Go Daddy. Looks like MITM to me.

SoWhatDidYouExpect • March 7, 2015 11:10 AM

@AlanS:

I read that as "to the benefit" of the spooks mission, most definitely NOT for the greater good of this country, or its citizens or even anybody elsewhere on this planet. By the way, much of those "mission area" benefits are big payouts of tax dollars to the businesses that provide goods and services to the spooks. Those expenses are seldom justified by the results achieved.

WalksWithCrows • March 7, 2015 3:44 PM

@Bob S

I think it's time to give up hope any government or corporation will allow us to have private or secure communication. Indeed, shortly I will be adjusting my own communications based on that principle. No good can come from letting them have access to our every key stroke. Political action seems far off, and unlikely. However, there's a chance some oddball nerd(s) will create a technological magic bullet to kill mass surveillance. We'll know it when it comes, because it will work every time, every where, and be so elegant even a child would understand how it works.

One problem with studying these areas, perhaps especially if you work in any area of Information Technology is that you will most assuredly come to the choices of: paranoia versus knowledgeable adaptation.

Only on Chapter 4 of Bruce's book, and I definitely see these sorts of things within my own self, even though so far his descriptions well mirror what goes on in my head wherever I go and whatever I do already. :-)

(I am very interested especially in finishing it to see Bruce's suggestions for improvement, which I have read he has given some good ones. But, not there yet, so not much comment there... except to say I would suggest solving such a problem at this juncture is an unknown to many degrees and so the possibilities stretch out nearly to the limitless, but most assuredly the unknown and the unthought of.)

I, for one, find myself in a most uncomfortable situation when I approach Very Large And Complex Problems and isolate possible solutions to only a few possibilities. It can, unfortunately, with this manner of material enhance the sense of claustrophobic like paranoia.

And one can consider such scenarios as "the net" or "enemy of the state". :-)

Worse, in these fields we tend to rely on caffeine a lot, which does increase anxiety.

Considerations like making taboo in critical circles the concept of "if you are not doing anything there is nothing to worry about" also can do this, even if it has some level of private merit. Similar situation has been seen in the FUD taboo in the IT security fields, where, ironically, even while making it taboo and swearing off it... the very same people also depend on it.

A tightrope walk.


WalksWithCrowsMarch 7, 2015 4:10 PM

@Alan S, @SoWhatDidYouExpect


I read that as "to the benefit" of the spooks mission, most definitely NOT for the greater good of this country, or its citizens or even anybody elsewhere on this planet. By the way, much of those "mission area" benefits are big payouts of tax dollars to the businesses that provide goods and services to the spooks. Those expenses are seldom justified by the results achieved.

My reaction is "whoa", "too little", "way too late". They should have had this going thirty years ago.

Which reminded me of my post in the "democratization" thread where I quoted Count Olaf's Wired and other articles speaking of a "cyber manhattan" project started in April/May of 95 and likely related to some of another poster's Andrew Marshall's comments from around the same period. In which thread I juxtaposed plots from various shows listed in the thread as possibilities for "what that means", dismissing Wired's theory "it was the Equation Group".

And, on doing so, I realized: whoa. Two articles. That is it? Who is to say those articles were not entirely faked? Would not something like a "cyber manhattan project" make just a little bit more of waves in the press (and online)?

Even in 95 there was an internet and it most definitely had the capacity to spread interesting news stories about its very own realm...


JakeManMarch 7, 2015 4:34 PM

Is Snowden still working for the outfit(s)?

Anyway, why would his former employers (or are they?) worry about elaborate setups with certificates and the associated infrastructure, or messy exploits when they could just do it all passively. They'd just force the handover of all the private keys, and demand real time databases for ephemeral keys. Very passive, not much infrastructure at the attack surface (but more with collaborating corps). Seems more plausible.
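Added illustration, not from the comment above: a toy model of why a handed-over long-term server key is enough to read a recorded TLS-RSA style session but not a DHE style one, which is why the comment has to ask for a separate "real time database for ephemeral keys". The parameters are small Mersenne primes and textbook RSA without padding, chosen only so the arithmetic is visible; nothing here is a real key or a real TLS implementation.

```python
import hashlib
import secrets

# Toy parameters (Mersenne primes, so primality is not in doubt). Real deployments
# use 2048-bit RSA and named DH/ECDH groups; these are not any real server's keys.
RSA_P = 2**89 - 1
RSA_Q = 2**107 - 1
RSA_E = 65537
DH_P = 2**127 - 1
DH_G = 3


def rsa_keypair():
    """Long-term server key: (n, e) public, (n, d) private."""
    n = RSA_P * RSA_Q
    d = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))
    return (n, RSA_E), (n, d)


def session_key(shared_secret):
    """Derive the record-layer key from the negotiated secret (toy KDF)."""
    return hashlib.sha256(shared_secret.to_bytes(32, "big")).hexdigest()


def rsa_key_transport(server_pub):
    """TLS-RSA style: the client picks the premaster secret and encrypts it to the
    server's long-term public key. The ciphertext is on the wire for anyone recording."""
    n, e = server_pub
    premaster = secrets.randbelow(n)
    transcript = {"encrypted_premaster": pow(premaster, e, n)}
    return session_key(premaster), transcript


def dhe_exchange():
    """DHE style: both sides use one-time exponents; the long-term key would only sign
    the transcript and never protects the secret. Returns the key, what an eavesdropper
    sees, and the server's ephemeral exponent (what such a 'database' would hold)."""
    a = secrets.randbelow(DH_P - 2) + 1
    b = secrets.randbelow(DH_P - 2) + 1
    client_share, server_share = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    shared = pow(server_share, a, DH_P)
    assert shared == pow(client_share, b, DH_P)
    return (session_key(shared),
            {"client_share": client_share, "server_share": server_share},
            {"server_exponent": b})


def passive_decrypt_rsa(transcript, server_priv):
    """Eavesdropper holding the handed-over private key: recovers the session key
    from the recording alone, for every past and future session."""
    n, d = server_priv
    return session_key(pow(transcript["encrypted_premaster"], d, n))


def passive_decrypt_dhe(transcript, server_priv, ephemeral_db=None):
    """The long-term key is useless against the recording; only the per-session
    exponent (escrowed in real time, before it is erased) yields the session key."""
    del server_priv  # deliberately unused: nothing in the transcript was encrypted to it
    if ephemeral_db is None:
        return None
    return session_key(pow(transcript["client_share"], ephemeral_db["server_exponent"], DH_P))


if __name__ == "__main__":
    pub, priv = rsa_keypair()
    key, wire = rsa_key_transport(pub)
    print("RSA transport, key recovered from recording:", passive_decrypt_rsa(wire, priv) == key)
    key, wire, eph = dhe_exchange()
    print("DHE, with long-term key only:", passive_decrypt_dhe(wire, priv))
    print("DHE, with escrowed exponent:", passive_decrypt_dhe(wire, priv, eph) == key)
```

The asymmetry is the whole reason "collect it all, decrypt later" works against RSA key transport but needs live cooperation (or endpoint compromise) against forward-secret cipher suites.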

WalksWithCrowsMarch 7, 2015 4:38 PM

@Rolf Weber, @Dirk Praet, etc on verifiability and plausibility of Snowden's disclosures

Rolf's quote:

... the Snowden documents provide no evidence for mass surveillance, at least not in western countries. [...]

Not a single clear wrongdoing was revealed so far.

Dirk's quote, in reference to Rolf's first statement above:

I wonder if there is even one person on this planet sharing that opinion when even former colleagues of Gen. Alexander are telling that his strategy was simply one of "collect it all". And which is clearly reflected in everything we have come to know so far.


Rolf, I have to admit you are a puzzle. I can not understand your motive for perceiving these things in such an unusual way. It might be said "extraordinary claims require extraordinary evidence".

This is especially true considering where this is. Schneier operated as technical consultant for Greenwald, and at the very least, heavily covers in the first four chapters I have read exactly how there has been - as indicated by Snowden's release of information - very much mass surveillance against Americans.

If you took the legal route in argument, that is something else. But, instead you are making these claims.

In your response you noted some precedence for some of the leaks, that is "they are invalid because they were already known", but this - as you must surely well know - is, at best, only a half-truth... and that only on some instances exposed of mass surveillance by the American Police State.

Snowden added and clarified to what was already known, as well as substantially providing documentation for what was not already known.

I should also add that Snowden is clearly a brave hero, and that for democracy. Insinuating that his information was all "already known" is insinuating the possibility that all of this was some manner of complex intelligence operation designed to deceive American adversaries -- one of the foremost who would be interested in exactly that angle is Russia where Snowden is now staying.

Further, it could do damage to domestic efforts (in all of the five eyes), as well as damage to the foreign efforts to properly deal with these problems.

Of which, Germany was a primary target.

Severe mistakes were made, there is no question of that. And they must be corrected. Without Snowden's disclosures, everyone was walking as if in the dark. There was no chance for better solutions to these problems. He put the issue on the table, not just for America, but for all nations.

I think progress is best made by tackling the problem of "how to balance the two contradictory needs, that of the individual, and that of the larger groups of the nations".


BoppingAroundMarch 7, 2015 4:39 PM

Off-topic.

EU Court: e-books are services.

So far it's about taxes mostly but it reeks of Stallman's Right to Read in the longer term.

Facebook wants to bring free web access to 100 countries by end of year

Highlights:

The goal is to introduce people to basic services — like Wikipedia, job and health sites and of course, Facebook — and have them see the value of the Internet and ultimately, purchase a more premium data package.

[...]

Mashable got a little hands on time with the Internet.org app offered in remote countries and noticed the Facebook site is a stripped down version of what we're used to seeing. While users can connect with friends and write on each other's walls, they are prompted to upgrade to a paying data plan to see videos and photos. This also ensures that only a thin layer of data is being used and doesn't present capacity issues for the operating partners.

I find calling this 'Internet' somewhat misleading. Cui bono as the second question; on a facetious and cynical note I assume everything that contains word 'privacy' will be filtered.

WalksWithCrowsMarch 7, 2015 4:55 PM

@JakeMan

Is Snowden still working for the outfit(s)?

Worthy of consideration in a "way out there, consider all possibilities" sort of way, but on deeper consideration, also very much worthy of final and complete dismissal.

In one sense "he is", in the sense of how 'even if you go against nature, you are still acting according to nature', that is his disclosures he felt, from his perspective, which was very informed, needed to be made so badly that he was willing to risk his life to do so.

That is, while painful for many, and treated in a knuckle dragging way by many, nevertheless this is essential to have added this information to discussion.

Call it "God", call it "nature", or whatever, it was necessary. And ultimately for the higher good of all.


Anyway, why would his former employers (or are they?) worry about elaborate setups with certificates and the associated infrastructure, or messy exploits when they could just do it all passively. They'd just force the handover of all the private keys, and demand real time databases for ephemeral keys. Very passive, not much infrastructure at the attack surface (but more with collaborating corps). Seems more plausible.

I disagree they were unsuccessful systems, because they did work, and plausibly even the corporations involved did not know.

Contrast that with, say, Stuxnet, or the Equation Group's efforts -- very different scenario.

My conclusion is the problem is exactly with something like "more collaborating corporations".

More people know of such a situation, more likely it is to be revealed.

Illegal surveillance is commonplace for nations. Nowadays their systems for hiding source and methodology material are so sophisticated, nobody can really tell if the information came from a very [but legal] secret source or from an entirely illegal and very secret source.

Why do it legally working with who knows how many employees, when you can do it illegally and no one at the corporation knows about it? Especially when there is some thread of "legality" about it which even gets them out of trouble if they were caught.

BenniMarch 7, 2015 5:10 PM

In Germany, BND now admitted that NSA tried to abuse its access for economic espionage:

https://netzpolitik.org/2015/live-blog-aus-dem-geheimdienst-untersuchungsausschuss-dr-urmann-leiter-der-technischen-aufklaerung-des-bnd/

In the US, the professional agents of NSA try to spy on the electronic frontier foundation in a discrete and unobtrusive manner:

https://pbs.twimg.com/media/B_dNCH6UwAArGlP.jpg:orig

(if you spot similar unobtrusive cars nearby your location, don't panic, these are just professional NSA spies who are covertly watching you from their hideout....)

WalksWithCrowsMarch 7, 2015 6:57 PM

@65535

My take is they are saying it is a top priority to try and break, that it is in current use by high priority targets, and it is a difficult problem.

re: http://www.spiegel.de/media/media-35535.pdf

Could be incorrect, though, some of the slides are messed up, and the details about it are vague. (Maybe more on the newspaper that would help with that.)

Clive RobinsonMarch 7, 2015 7:02 PM

@ JakeMan,

Anyway, why would.... [NSA] ....worry about elaborate setups with certificates and the associated infrastructure, or messy exploits when they could just do it all passively. They'd just force the handover of all the private keys, and demand real time databases for ephemeral keys. Very passive, not much infrastructure at the attack surface (but more with collaborating corps). Seems more plausible.

All Intelligence Community (IC) agencies worry about Methods and Sources (M&S) all the time, their two main concerns being "loss" and "verification".

That is they firstly fear loss or more recently as the FBI put it "Going Dark" where for some reason one of their M&S becomes unavailable and thus the intel is cut off or no longer provided. Secondly they generally want to avoid being fed false information as either part of an adversary's deception activities, or as a conman's get-rich scheme.

Thus most IC agencies have "multiple source" policies where they gather data via multiple independent sources and cross check them.

Therefore I would expect the NSA/FBI et al to have three or more ways of obtaining the same data as a Standard Operational Requirement / Procedure.

With regards the certificates etc, whilst this may look messy from some viewpoints, from others it looks more elegant.

The first thing to consider is that long experience tells the likes of both the IC and LE agencies that "compelling" by legislation does not work and will be bitterly contested every which way it can (see Clipper chip and key escrow battles from the Clinton era and earlier).

Further consider the purpose of "gagging legislation" in National Security Letters and other "secret court" activities. The intent is to "avoid tipping off" surveillance targets that they are being monitored. That is the IC/LE agencies know that when a target knows they are under surveillance the target changes their activities in response, and thus either the usefulness of the intel being gathered drops appreciably or related activities by the target stop altogether.

Thus the IC/LE agencies want to be at least a couple of steps back from the target so there is no direct interaction with the target that might tip them off. But just having one step of isolation is usually considered risky, because most people lie badly or act unnaturally when trying to conceal the likes of a gag order etc. Further being two steps back usually means a broad or unfocused action, which helps hide who the target is from any agents the target might have in the organisation being gagged. That is if you ask for all "business records" from a Telco they have no idea who from amongst all their customers is "the person(s) of interest". Likewise maintaining such orders for extensive periods of time has a couple of benefits, firstly it limits the ability of those gagged to correlate the NSL etc with news items, secondly it makes the practice a "part of standard operating procedure" which helps reduce the issue of most people acting unnaturally.

65535March 7, 2015 7:33 PM

@ WalksWithCrows

“My take is they are saying it is a top priority to try and break, that it is in current use by high priority targets, and it is a difficult problem.” – WalksWithCrows

That was my first impression. But, the slides are unclear. Your opinion is valued and I basically agree.

@ Mr. Smooth

“At some point, search engine companies must come into conflict with the strategic disinformation mission of intelligence agencies.” - Mr. Smooth

Unless certain search engine companies are highly rewarded by the NSA via unseen methods.

[Discussion of conflicts of interest and how to uncover said conflicts - see link]

Here is my attempt to see how much revenue Google gets from “premium services” and “other revenue.”

The problem is Google doesn’t do a great job of breaking out revenue by special business lines.

Tangentially, the same thing holds true for Tor. If you look at all sources of revenue, Tor gets the vast majority from the US government [some people say 90% of Tor’s revenue is from the US government – others say 45% but who knows].

The same thing may apply to Google but I could not find hard evidence. The odd thing is Google pours money into Youtube but gets little to zero return.

I am wondering if the government is subsidizing YouTube in some manner for pure surveillance purposes [facial recognition, voice recognition and other personal attributes].

I don’t know, but why would Google keep a large floundering business segment which returns almost nothing?

That must skew downward Google profits to asset ratios or other important financial ratios… unless something unseen is transpiring [The NSA must have a number of ‘under-the-table’ reward methods for Google’s mass trove of personal data].

See Google discussion:
https://www.schneier.com/blog/archives/2014/11/friday_squid_bl_452.html#c6683835

[next to Zoho Mail]

“8352 RE: zoho Just another email provider likely using same server hardware, right? You need semi-insane OPSEC and a core trusted group physically watching while others sleep.”- Figureitout

OPSEC is the key. Unfortunately, just like the current Hushmail which requires a cell phone number to connect to you and your profile, Zoho requires an existing business domain to be used [I would guess for MX records or A records] which then traces back to you in most instances.

Your OPSEC is gone and the government has your IP location and probably your name.

I clicked on the Free Zoho account setup and it requires a previous business domain. If you don’t have one you can make a new domain – for a price.

This will most likely involve a non-cash “financial transaction” which will identify you personally [possibly via the federal banking system].

If you don’t mind being personally identified, then Zoho mail looks like a good thing for you.

8352March 7, 2015 9:37 PM

@65535

"Unfortunately, [...] Zoho requires an existing business domain to be used [I would guess for MX records or A records] which then traces back to you in most instances. [...] This will most likely involve a non-cash “financial transaction” which will identify you personally [possibly via the federal banking system]. If you don’t mind being personally identified, then Zoho mail looks like a good thing for you."

Not quite.

You can simply sign up for a free @zoho.com email account, just like with Gmail/Yahoo/Hotmail. This has nothing to do with business service or owning your own domain name. The only requirement to sign up for one of these accounts is another email address, where they send a confirmation link. It's not hard to get another free email account elsewhere just to fulfill this requirement. So you can sign up for Zoho email anonymously if necessary.

What you're referring to is Zoho's business service for domain owners who want to setup email accounts at their domain name, such as for employee@companyname.com. Zoho offers free domain hosting with 10 users. In this case, you're right, you would still have to buy a domain name, a transaction that likely involves leaving an identifying paper trail.

So far, Zoho email seems pretty good.

WalksWithCrowsMarch 7, 2015 10:31 PM

@65535

Thanks, though not having read the article, I am not sure. I would not trust, my own self, anything, especially not situations where there is a virtual monopoly on some manner of privacy/security technology. But, then again, my security concerns are relatively limited as simply being an app sec guy at a low key, mundane corporation. (I have worked in research, and at much higher key places, but relish no longer doing so. Same pay, less stress.)

I am not sure much on Google. I participated somewhat in one thread this week about the possibility of hidden angel investors for some of the major companies. I do not think it is, at all, impossible, but such things remain theoretical.

Schneier lists in his book 17 agencies in the US, and speculates on an 18th that might be as yet unknown. I would be highly surprised if either there was not some mystery 18th agency, or perhaps some hidden divisions in one of the lesser considered agencies.

Youtube, I actually just signed up for their beta music service. So, I think that they have held that as a key investment area. The concept of such a system as youtube was very favored by technologists in the late 90s and early 2000s, for instance, see Cory Doctorow's OpenCola.

Not only did they have distributed file sharing systems, but also a system designed to be very much like youtube, and a relevancy based social media platform at the core. Some of that team was also involved in Tor like anonymizing proxy systems.

As I noted in that other thread as this technology's success was predictable, very well - if anyone besides uber smart Sci-Fi writers like Cory and company - I am quite sure the USG would be on top of that. Or... other hidden entities.

I would be surprised if Google does not ultimately position Youtube to compete against NetFlix, Amazon, Hulu, and related services. As it stands, they have a very devoted audience segment.

I am surprised they do not make more from advertising, however. But, know little of that business.

I would tend to think if some of the bigger corporations did have angel investors with covert purposes and working covertly for the USG (or a similar unknown entity), that they probably would utilize that mostly to put key people in places where backdoors can be proverbially left open and the like. If you control the purse strings, you have considerable control over the business.

Though just because 'anything is possible' does not mean 'everything is likely', of course. As Dawkins even put a quote into one of his books, from some other scientist, 'for all we know we could have just come into existence four minutes ago, complete with tears in jeans and fake memories'. And he concluded, as we all tend to, we just have to work with what we are given.

Frankly, one of the issues that does not give me much confidence in the competence of the USG is from the Zero Dark Thirty movie, and the details we have on how they actually caught Bin Laden. Yes, they did utilize some cutting edge tech, but by and large the whole system they had built and relied on was not utilized to find and catch him. In fact, if the details are anywhere near correct: the whole system actually worked against them in those efforts.

WalksWithCrowsMarch 7, 2015 11:26 PM

This is smart:

http://www.theregister.co.uk/2015/03/06/precog_dns_security/

Utilising natural language processing (NLP), the predictive model identifies potentially malicious typo-squatting/targeted phishing domains. APT groups often use spear-phishing techniques and legitimate domain spoofing as an obfuscation technique to carry out their criminal campaigns. NLPRank is designed to detect these fraudulent branded domains that often serve as C2 domains for targeted attacks. Our system utilises heuristics such as NLP, ASN mappings and weightings, WHOIS data patterns, and HTML tag analysis to classify these type of attack domains.
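Added example, not the NLPRank system quoted above (which also weighs ASN mappings, WHOIS patterns and HTML tags): only the lexical part of the idea, a look-alike and typo-squat detector for brand domains run over DNS query logs. The brand list, the confusable-character table, the crude two-label "registrable domain" rule and the log lines are all constructed for the demonstration; a real deployment would use the Public Suffix List and a much larger brand set.

```python
import re

# Constructed sample brand list and the domains those brands legitimately use.
BRANDS = {"paypal": "paypal.com", "google": "google.com",
          "microsoft": "microsoft.com", "apple": "apple.com"}

# Look-alike substitutions seen in spoofed domains; two-character ones first so
# "rn" becomes "m" before the single characters are touched.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
               ("3", "e"), ("5", "s"), ("7", "t")]

# Constructed log format: "<timestamp> <client> query <qname> <qtype>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query (?P<qname>\S+) (?P<qtype>\S+)$")


def registrable(domain):
    """Crude eTLD+1: keep the last two labels (wrong for co.uk etc.; use the
    Public Suffix List in practice)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalize(label):
    """Map confusable characters to the letters they imitate."""
    for src, dst in CONFUSABLES:
        label = label.replace(src, dst)
    return label


def damerau_levenshtein(a, b):
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(domain):
    """Return (brand, reason) if the domain looks like a brand spoof, else None."""
    reg = registrable(domain)
    if reg in BRANDS.values():
        return None                                   # the genuine domain
    norm = normalize(reg.split(".")[0])
    tokens = re.split(r"[-_]", norm)
    for brand in BRANDS:
        if norm == brand:                             # paypa1.com, paypal.co
            return brand, "label matches brand after normalisation"
        if brand in tokens:                           # micros0ft-login.com
            return brand, "brand token in non-brand domain"
        limit = 1 if len(brand) <= 5 else 2           # short brands tolerate fewer edits
        if damerau_levenshtein(norm, brand) <= limit: # gooogle.com, gogole.com
            return brand, "edit distance"
    return None


def scan_dns_log(lines):
    """Return (client, qname, brand, reason) for every suspicious query."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and (verdict := classify(m["qname"])):
            hits.append((m["client"], m["qname"], *verdict))
    return hits


# Constructed sample queries (not real traffic).
SAMPLE_LOG = """\
2015-03-07T12:00:01Z 10.1.2.3 query paypa1.com A
2015-03-07T12:00:02Z 10.1.2.3 query www.paypal.com A
2015-03-07T12:00:03Z 10.1.2.9 query micros0ft-login.com A
2015-03-07T12:00:04Z 10.1.2.9 query example.com A
2015-03-07T12:00:05Z 10.1.2.7 query gooogle.com A
2015-03-07T12:00:06Z 10.1.2.7 query applebees.com A
""".splitlines()

if __name__ == "__main__":
    for client, qname, brand, reason in scan_dns_log(SAMPLE_LOG):
        print(f"{client} -> {qname}: looks like {brand} ({reason})")
```

Token matching rather than substring matching is what keeps `applebees.com` out of the hits while still catching `micros0ft-login.com`; the price is misses like `appleid-verify.com`, which is where the quoted system's registration-age, ASN and page-content features earn their keep.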

Clive RobinsonMarch 8, 2015 4:48 AM

@ Canute,

Canadian bloke refuses to hand over phone password, gets cuffed.

This attitude of customs/border guards is the first visible sign of what is going to happen with the "Golden Key" "frontdoor" backdoor issue.

As pointed out in the El Reg article, the logical conclusion with customs/border guards is,

    In other words, you don't have to hand over your password, but if you want to bring your phone into the US you may well have to.

Rephrased that is 'You don't have a mobile phone with you' when you encounter the customs/border authorities.

Now consider that view not in the somewhat predictable case of actually crossing a national border, but being anywhere where the border authorities decide they have the right of unhindered "stop and search" (which is currently almost true for the entire US[1]).

Or worse "secret search" which is what a backdoor would give them (from anywhere in the world).

You would have to practice almost super human OpSec or more easily forgo the use of a mobile phone.

But let's assume you can not forego the use of a mobile phone and be able to function in society, which is rapidly becoming true. Thus you decide rather than forego society to practice super human OpSec within it and never say or do anything or go anywhere incriminating, with your mobile phone. Will you be safe?

The simple answer is no.

Because others can via the "air interface" put incriminating evidence on your phone, and you can not stop them. Nor in most cases would you be aware that they had done so or have the ability to detect it in progress. This planting of incriminating evidence can be done relatively easily by the use of systems and information we know that LEO's have deployed and the IC has claimed it has exfiltrated from SIM card suppliers or network operators.

Further in at least one criminal case it is known from what came out in court that LEOs can modify the SIM card to make it behave differently, so we know they have "write access" to the SIM and thus anything that is subservient to it (ie the rest of the phone).

But there is another problem, one of the things that is obvious is that once brought into existence a LE and IC agency will fight to keep their existence in one way or another. Currently we see this via the FUD of unspecified "terrorism", however this only goes so far, before people talk of cutting funding (see history of the defence industry). Thus an agency has to somehow justify its existence, and we know they are not above lying/fudging about it with their supposed number of terrorist plots stopped that on inspection in the light of day wither away. But then there are the dubious stopped terror plots where LE or IC agents have supplied people of questionable IQ/sanity and no resources with ideas, faux contacts, and resources such as the money to pay the faux contacts for faux weapons, just to dramatically arrest them "just in the nick of time".

You thus have to ask the question of just how much further the LE and IC agencies will go to ensure they get funding, we talk of "parallel construction" which is in effect "inventing evidence" about finding evidence, when does this simply become "inventing evidence" just for the purposes of entrapment and getting convictions to look like the agency is actually needed?

So the only safe thing to do if you don't have sufficient leverage to keep you safe, is not to have a mobile phone or anything else that has an accessible "air interface"... which is opting out of society.

Thus the LE and IC agencies will have a "chilling effect" on technology, and in turn society and its economic development...

[1] The US decided to make its "border zone" a hundred miles deep which covers most of the populated areas where most business and industry that are not raw resource based take place.

SoWhatDidYouExpectMarch 8, 2015 7:22 AM

@Clive Robinson:

Your response to Canute is well done and appreciated. However, it gives me pause to reflect on question about motive for this type of seizure and demand for unlocking the phone.

As a universal type of thing, what is to be gained from performing this action across a large populace? By and large, they gain nothing with regard to criminal or terrorist activity. And, it takes a lot of effort to do what was done in this case (time and expense). Does it mean game over if everyone refused?

Or, is this particular situation, much publicised by the way perhaps as a "showcase" event, to imply they have mitigated a threat. It is likely to be an event, publicised for sure, to influence, intimidate, or control those who would cross borders with "personal tracking devices" in tow.

Remember all the uproar about laptops being confiscated at international entry points and similar proceedings therein. It seems like little or nothing has come of that since we have not heard about any criminal and/or terrorist activity discovered from those seizures or inspections. The trick is: don't carry laptops across the border when you can simply transfer all your data electronically ahead of time and use a different computer to access it (see, no fuss at the checkpoints before or after crossing).

I fear much of this type of activity is false alarm FUD, with no revelation about the "false" part.

65535March 8, 2015 7:54 AM

@ WalksWithCrows

“I am not sure much on Google. I participated somewhat in one thread this week about the possibility of hidden angel investors for some of the major companies. I do not think it is, at all, impossible, but such things remain theoretical. Schneier lists in his book 17 agencies in the US, and speculates on an 18th that might be as yet unknown. I would be highly surprised if either there was not some mystery 18th agency, or perhaps some hidden divisions in one of the lesser considered agencies.” -WalksWithCrows


We don’t know because both the USA Intelligence Agencies and Google are extremely powerful and interwoven. Some Google insider will have to spill the beans – if not we probably will not ever know.

One would think Youtube would be cranking out a significant amount of ad revenue given the number of views – who knows. The lack of contribution margin by Youtube is eyebrow rising - unless it is actually bringing in the cash in a unknown manner.

RoadBumpMarch 8, 2015 9:27 AM

There are really no longer any clean connections to the internet. All the big ISPs proxy us to death. Is it too far fetched to see a near future where all the certificate authorities have been co-opted, and each individual exists inside his own tailored web-world bubble, and is granted access to information on a need-to-know basis, where the aforementioned individual does not make the determination of what that is? Soon, methinks. Very soon.

CallMeLateForSupperMarch 8, 2015 10:48 AM

About the Telegraph's report of Canadian man arrested for refusing to disclose the passphrase of his fartphone, "[...] a fine of anywhere between CAN$1,000 and CAN$25,000 (US$19,900, £13,000)"

Um... sorry, no. One Canadian dollar certainly is *not* worth US$19.90. The Telegraph reporter and editor(s) need more algebra drill. :-O

JacobMarch 8, 2015 11:43 AM

NSA mission creep:

First, it was to "id and track terrorists". We are all afraid of terrorists - smooth sailing.

Then, to also catch paedophiles. We all want to protect our children, so go ahead.

Then, to help bust drug dealers. Drug dealers destroy our society. Grab them!

And now, as explained by the former NZ's GCSB Director Sir Bruce Ferguson, they also target (as part of the 5Eyes consortium) "money launderers" and MPAA copyright violators like DOTCOM. YES! those scums may also undermine our capitalistic way of life - burn them!

http://www.scoop.co.nz/stories/HL1503/S00045/former-gcsb-director-admits-to-mass-surveillance-of-nzers.htm


albertMarch 8, 2015 11:50 AM

@WalksWithCrows

"...Of which, Germany was a primary target...."
.
This puzzled me at first, then I realized why. Germany is probably the most powerful 'voice' in the EU. They don't like the Russian sanctions; it's costing them a fortune. They don't like the US-backed BS going on in Ukraine. Like most of the EU, they don't see how they benefit from any of this. And they don't. Only England (I'm specifically leaving out Scotland & Ireland) seems to back the US-"NATO" 'position' on the matter. It might be their big defense industry. If the US loses their EU (NATO) backing on their anti-Russia campaign, they will lose the chance of subjugating Ukraine. You can bet they're heavily monitoring everything the EU/NATO countries are doing, online and off.
.
Europe needs to grow a pair, and break the stranglehold of the US-dominated bankster system, and the backs of the oligarchs. I would love to see Greece set up financial relationships with BRICS, followed by Spain, Italy, and Portugal.
.
Clearly, Russia wasn't Snowden's first choice, but as they say, any port in a storm. Letting him in was a brilliant political move. No, I don't think there are 'intelligence issues' involved. They, like most every technologically advanced country, probably knew most of Snowden's secret stuff already.
.
...

WaelMarch 8, 2015 12:24 PM

@CallMeLateForSupper,

The Telegraph reporter and editor(s) need more algebra drill.

I agree, but for a different reason and a different area of training than Algebra! They need training in communications, I think a class or two in Algebra wouldn't hurt either ;)

a fine of anywhere between CAN$1,000 and CAN$25,000 (US$19,900, £13,0

That part of the article was poorly written. They give a range in Canadian dollars but use the upper range for conversion to US Dollars and British Pounds. They are saying CAN$25,000 x 0.796 = US$19,900. I guess 0.796 was the conversion factor at the time (1 CAN$ = 0.796 US$)

If the numbers given were using the lower limit (1000), then you would be correct. But like I said, if they give a range in one unit, then they should have given a range in the other currency units to keep the mapping easier. They, however mapped a range in one unit to an upper limit of two different units.

Then again, they may be trying to pull a fast one on the poor guy by increasing his "bail amount" through this range-limit conversion handwaving...

Philippon was released on bail

PeterMarch 8, 2015 3:17 PM

@Canute

The reason for this stop was reported in the Globe and Mail, and I have seen similar explanations at various times over the years.

The police are "not" allowed to randomly stop you and demand to search you, or get passwords, etc. However, entering a border crossing area is considered a "voluntary" act, and if you choose to enter a restricted area, you are considered to have accepted whatever the rules for that area are.

In Canada, if you are subject to such a search, you can choose to avoid it by walking away and abandoning your attempt to enter the restricted area. In the U.S., this is apparently not the case - you can be searched, etc., if you enter the area, and cannot simply walk away.

I heard that this was a problem a few years ago. The US was going to build a new border check plaza at the Peace Bridge (IIRC) on the Canadian side, because there was land readily available. The planning was apparently well along when this legal issue was discovered. The US was not willing to give up the right to search anyone who entered the area, and the Canadian law could not be avoided, so the plan was dropped.

Unsurprisingly, the Canadian law is ignored when it suits. For example, when I was called for jury duty, I was subject to a check on entering the court building. I could not report without going through the check, and I could be arrested if I failed to report. This conflict has been noted many times, but for some reason judges don't seem too keen on addressing it.

Clive RobinsonMarch 8, 2015 4:15 PM

@ Christian,

Hmm CSC really think they are above it all...

In the UK one senior MP made comments about them and their performance, in language that was neither diplomatic nor parliamentary, and definitely not what you would expect to hear from a politician when speaking publicly...

Then there was the SEC investigation about deliberate financial irregularities with regard to accounts used for, amongst other things, taxation.

Then their remarkable ability to make billions and not just pay no tax, but actually get several hundred million in tax rebate...

I'm sure there must be a lot, lot more tucked under the carpet in all seventy countries they have offices in, but they don't immediately spring to mind in a way you would want to put on paper ;-) Let's just say that with well over 70,000 employees worldwide, the organisation makes a good cover for all sorts of government agencies / activities considerably more active than just a bit of "admin work" on rendition flights. Oh, and there is their rather convenient tie-up with Raytheon to manage the US Eastern Test Range, which has all sorts of interesting possibilities...

I've had the misfortune to come up against some of their more mainstream corporate-style work in the past, and to say it was not fit for purpose and slipshod is about as polite as I can be about it...

So on balance I think the Germans are going to win twice out of it: firstly, they won't have to get involved further with a distinctly crappy organisation; secondly, it will get the US political classes' attention fairly prominently given the amount of money CSC spend on lobbying, which will raise the German profile in Washington a lot... especially after the French / German / Russia talks over the Ukraine which flew in the face of US / NATO activities.

As we have a general election coming up in the UK in a couple of months, it will be interesting to see how and where CSC spend their lobbying money and what they get for it....

WalksWithCrowsMarch 8, 2015 4:25 PM

@65535

We don’t know because both the USA Intelligence Agencies and Google are extremely powerful and interwoven. Some Google insider will have to spill the beans – if not we probably will not ever know.
One would think Youtube would be cranking out a significant amount of ad revenue given the number of views – who knows. The lack of contribution margin by Youtube is eyebrow raising - unless it is actually bringing in the cash in an unknown manner.

At that, I was scratching my head, but remembered you had posted a previous discussion on this in the post I was responding to, so I went and looked at it: https://www.schneier.com/blog/archives/2014/11/friday_squid_bl_452.html#c6683835

That raises a few potentially interesting points:

1. the email, was it real, is it documented? it indicates Eric Schmidt emailed Gen Alexander about a meeting where he called him by first name. Frankly, even that level of intimacy would suggest he had meetings with Gen Alexander, though the email allegedly states that a big meeting was planned.

2. reminder on the Google analytics program where they make available big data to buy. It is inconceivable that some US Agency would not want to be on that even if it were just such things as ad data.

3. the possibility that Google might allow some entities to run code in their adwords program -- you did not say, but it seemed implied that they would be able to run code of their choice in those ads... and this also implies they would have sophisticated targeting capacity as well as - where adwords runs - even in private communications, such as emails

4. possibilities that "other income" Google reports is government run

These are promising research leads for a journalist, but they are just that, of course. Could be none of them pan out. Could be something else pans out. Could be "some" of the above, and so on.

I would be surprised if the USG is not somehow involved with Google, as the PRISM documents also suggested. I actually see it as a bad thing that Google flatly denied any manner of participation there.

You mentioned Google getting out of China being tied to China having caught Google spying for the US, though China never made this sort of allegation whatsoever. Google also got out of China shortly after they had been massively compromised by China.

So, I do not find that point very persuasive. Though, it is true, in such a situation, China would be quiet, and Google would want to raise a plausible sounding excuse. But, the real problem is, I do believe Google really was hacked by China at that time. And, if "Google" was spying on China, the last thing they would want to do is pull out of China and so dry up all the information they could get from there.

Even if that pull out was just a supermassive ruse to China to say "we are not spying", I really do not see how that would have been in their best interests to completely pull out.

In fact, if China thought they were spying, they probably would want to put even more resources on them, and that would be very valuable additional information for analysis. For instance, everyone knows embassies tend to have spies in them, but that never makes people pull out embassies.

Some Google insider will have to spill the beans – if not we probably will not ever know.

These days, there are a lot of ways information gets out. I think something this big would not stay hidden for so long, especially if involving the numbers of people as you are suggesting.

And especially if foreign countries have caught them in the act.

While counterintelligence divisions do like to sit on such news, that, for instance, "foreign big nation X has performed shocking massive newsworthy hack against our nation", it probably is not in their best interest to do so, forever. Hence, we see how Germany exposed US espionage against them of late, how KAV pushed the Equation Group story (though probably after sitting on it for years), and how Mandiant pushed the China hacks story (again, after years, though for years some stories have come out on US-China cyber espionage wars).

It is also true, however, that while China says "we are getting hacked too", they never release stories on this. So maybe they sit on it more than even anyone else? Who knows. And maybe someone can correct me there. But, in this century, I do not recall even one time when China has done this.

And this, even while news stories have been streaming out about them performing cyberespionage attacks all over the world.

Youtube, I do see as a very viable commercial entity. They have just created a beta program for it, which I know of because I joined it. Payments started in September. Right now, it appears to be simply a music service: ads removed, and now you can run songs with your phone screen off. Before, you had ads, and if you wanted to listen to a song you had to make sure your screen did not turn off.

Direct government involvement I do not tend to see as so attractive for an intelligence agency, because then there is a very high possibility rate of leaks. Consider Snowden & Manning and how many in IT are supportive of them. A high percentage. Which means the USG definitely must have many more leaks in the form of moles. Disaffected millennials. The US has been engaged in many activities in this century which are ripe to make disaffected employees.

But that is the USG where they are hiring based on such factors as "have you never been arrested" and "have you never smoked pot". Factors a Google surely does not hire on. Never even mind the problem of containing potential outside spies in San Francisco coupled with the enormous employee base of Google.

These stories also would lend credence to the very far-fetched possibility that PRISM was simply a ruse hiding something far bigger. If PRISM was just a sophisticated, gutsy - crazy even - distraction, then what else is?

OTOH, however, again, all of this is just at a conspiracy theory level. Which, by my own definition, anyway, gets even into conspiracy theories like "weather manipulation" and "aliens". Though, I would expect Google would be a very important target for agencies, so important they would want assured access. PRISM though indicates covert access, maybe even with zero employee involvement, which seems far, far safer than directly engaging Google.

WalksWithCrowsMarch 8, 2015 4:59 PM

@albert

Interesting analysis on "why Germany".

That is actually a question I have not asked. Considering that, I reflected most analysis on Germany I do get is probably from the economist, so for curiosity's sake I should probably check out what their take has been on this: https://www.google.com/webhp?sourceid=chrome-instant&ion=1&espv=2&ie=UTF-8#q=economist%20germany%20nsa

I actually have not also asked "why Brazil". Nor "why Bermuda & the Caribbean".

Though, not a complete idiot: Brazil is very powerful in South America, US oil interests there are huge; the Caribbean is hugely asset rich; Angela Merkel & Germany are powerhouses. And, just because some information was leaked, surely does not mean all information was leaked.

But, I suppose stuff for me to look into when I have some time and requirement for such intellectual amusement.


Clearly, Russia wasn't Snowden's first choice, but as they say, any port in a storm. Letting him in was a brilliant political move. No, I don't think there are 'intelligence issues' involved. They, like most every technologically advanced country, probably knew most of Snowden's secret stuff already.

On the last statement, I would have to heartily agree: if one just looks at the very high percentage of IT folks supportive of Manning and Snowden; considers they are both millennials; considers just how important disaffected employees are to foreign intelligence agencies; considers just in how many severe routes beyond the acceptable the US has taken this millennium, including torture and Iraq war exploitation; and considers the new capacity for espionage continually being made vulnerable by advancements in computers; and that many of the massive 80s and 90s moles actually were very computer literate and used them in the process of espionage; ..... then you can be very sure simply by the numbers that the US probably has an enormous number of moles.

Of the above points, "millennials" are interesting (people tie that back to about 'born by 86', but I could see plenty of older and so more likely "in" folks are also probably turned).

And, while real adversaries like Iran, Russia, or China might pay... such information probably would interest even allies. Like Germany. Allies without a spy treaty, and/or otherwise allies that are just really open to suggestion. Never mind Iran, Russia, China, etc bothering to pose as such allies. Moles for allied nations deeply reduces the whole "betrayal bar", after all... at least, psychologically.


On Snowden & Russia: I think that is definitely the most probable and likely scenario. Personally, I do not consider it iron clad and something to entirely dismiss as a possibility. Could be Snowden was run by Russia. Could be Snowden was run by the US. Could be Snowden was duped by one or the other. Could have been run by Russia and duped by the US, or run by the US and duped by Russia.

Considering the far more likely probability: Snowden does have, in his head, at least, information he decided not to share. Information Greenwald has, so far, decided not to share and will not share unless something untimely happens. Which means Russia probably is very interested in spying on Snowden while he is there, but also is probably very paranoid about the situation. If he was not working for them in the first place, in which case, even the information he did take... he probably took far more, then.

But, all such things are highly improbable conjecture and only useful for one's self to keep open, so a future news story may not hit anyone sideways.

Congruently, Snowden's story is very plausible. The US engaging in mass domestic surveillance, black sites, torture, and screwing up Libya, the Middle East, Afghanistan, and so on... all very "disaffectment rich" material for any patriotic American. Not even including both left and right political disaffectment this millennium... which has continued to run at a very high, feverish pitch -- regardless of who is in office, just about.


gordonMarch 8, 2015 6:13 PM

@ WalksWithCrows

1. the email, was it real, is it documented? it indicates Eric Schmidt emailed Gen Alexander about a meeting where he called him by first name. Frankly, even that level of intimacy would suggest he had meetings with Gen Alexander, though the email allegedly states that a big meeting was planned.

Here's the source of that story:

Exclusive: Emails reveal close Google relationship with NSA
National Security Agency head and Internet giant’s executives have coordinated through high-level policy discussions
May 6, 2014 5:00AM ET
by Jason Leopold

Email exchanges between National Security Agency Director Gen. Keith Alexander and Google executives Sergey Brin and Eric Schmidt suggest a far cozier working relationship between some tech firms and the U.S. government than was implied by Silicon Valley brass after last year’s revelations about NSA spying.

http://america.aljazeera.com/articles/2014/5/6/nsa-chief-google.html

tyrMarch 8, 2015 6:31 PM


This is an interesting concept.

https://github.com/mroth/unindexed

There may be a limit to the practicality but it sounds suspiciously like the TAZ advocated by Hakim Bey. Could be the beginning of mutational security.

If you don't have the key to the next rebuild there's no way to follow the website.

Social media for paranoids.

(Snide remark: I could have sworn CDs were worth at least 20$ since they are worth something real.)


Dirk PraetMarch 8, 2015 7:30 PM

@ Clive Robinson, @ Christian

Hmm CSC really think they are above it all...

It is a good thing indeed to see that at least some German states have the balls to tell these weasels to go sod themselves. One can only hope that it spreads to the federal level and from there to EU institutions and other member states. And preferably not limited to CSC but to all companies with known ties to foreign intelligence services. It's only when such entities and other corporations either willingly or unwillingly providing backdoors for foreign governments in their products and services are excluded from RFIs and RFQs that there is going to be a real political discussion on "no spying" agreements.

GodelMarch 8, 2015 7:41 PM

Snowden has applied for political asylum in Switzerland.

This seems a slightly puzzling choice as while Geneva is no doubt a much more pleasant location than Moscow, I'd have thought the chances of him being snatched off the street and transshipped to the US would be much higher.

http://www.bbc.com/news/world-europe-31763789

SoWhatDidYouExpectMarch 8, 2015 7:46 PM

From Slashdot:

State Employees Say Rules Prevent Open "Climate Change" Discussion In Florida

http://yro.slashdot.org/story/15/03/09/0021230/state-employees-say-rules-prevent-open-climate-change-discussion-in-florida

From the post:

"The Florida Center for Investigative Reporting has an article in the Miami Herald about there being certain words state employees have been ordered to avoid: "We were told not to use the terms 'climate change', 'global warming', or 'sustainability'," said Christopher Byrd, an attorney with the DEP's Office of General Counsel in Tallahassee from 2008 to 2013. "That message was communicated to me and my colleagues by our superiors in the Office of General Counsel.""

Censorship, as now being approached by some in Congress with regard to the use of science and scientific results in the EPA.

Of course, for Florida, there is a lot to lose if "climate change" floods major portions of the state. Now, they wouldn't want to "alarm" any potential investors or sucker...people moving to Florida to buy real estate. As I see it, insurance and all kinds of agencies will be boarding the "get out of town" bus and abandoning those left behind to take care of themselves. If you are from Cuba, you may want to go back or at least stay in Cuba. Maybe that is why the current administration is opening the doors to Cuba, as that island may have to become the new Florida.

65535March 8, 2015 9:03 PM

@ WalksWithCrows

“That raises a few potentially interesting points [1 – 4]”

Good points, but we still don’t really know much more than what we read.

[Eric Schmidt has a DoD security clearance]

“Speaking in a private session at the Guardian, Schmidt, 58, said: "I have the necessary clearances to have been told, as do other executives in the company, but none of us were briefed.” – Guardian

http://www.theguardian.com/technology/2014/jan/21/google-eric-schmidt-nsa-tapping-knowledge

[Forbes has different take]

"To Al Jazeera, this is evidence of an overly-cozy relationship between Google and the NSA. But hold on a minute. In response, Schmidt actually declines the invitation to the briefing on the grounds that he won’t be on the west coast that week… but this is hardly evidence that the company was all that tight with the NSA. Given that the email exchanges took place months before the revelation that Google’s communications were being tapped – which the company claims it didn’t know – there’s no earthly reason why it shouldn’t take part in a national security initiative.” – Forbes

[next, YouTube’s profitability]

There could be many reasons for YouTube's lack of profitability. If you look at all the Digital Millennium takedown notices and the related legal fees to review them, that could wipe out all profits – and there are plenty of other expense factors.

If YouTube has a very high potential profitability as a standalone company, some investment group would surely pay a premium to buy YouTube – or possibly some unknown entity has already done so.

Both Google and the NSA are too big to analyze. We just don’t know the extent of their intelligence intercourse. It’s too opaque.

That being the case, I have drastically reduced my use of Google's search engine and its other services.

I use DuckDuckGo and Ixquick Https [since 2013]. Both work well for my needs. If I need a random search I will reluctantly use Google. The other search engines work well for my needs and don’t give my data to the Government.

WalksWithCrowsMarch 8, 2015 9:06 PM

@gordo, cc @65535

And, that would definitely do it for that story.

[That Google chief intimated a 'buddy buddy', first-name relationship with Gen Alexander, Mr Makes a Profit from DoD Intel Work in the Most Shady of Ways -- though many of their tops are very much this way, of course. Entirely shady corporate-DoD relationships... while... in... office... In context of "but everyone's doing it", and such things as the disaster of the Iraq Reconstruction efforts, where you have billions of dollars of wasted money and only left behind an entire mess... tsk, tsk...]

@Godel

Snowden has applied for political asylum in Switzerland.
This seems a slightly puzzling choice as while Geneva is no doubt a much more pleasant location than Moscow, I'd have thought the chances of him being snatched off the street and transshipped to the US would be much higher.

That is kind of surprising.

The odd conversation in another thread here where it was claimed that Greenwald was being a "bad journalist" for keeping a "worst case scenario file" for protection against USG and UKG... had me thinking, "Wouldn't Russia be all over Snowden because of such a file, too? Sure, maybe their moles have it all already, but maybe not. Besides, what else did Snowden know which he did not think should be sent out? Snowden did indicate he was not for sending out material which was harmful to foreign intelligence efforts".

I do not think Russia would torture him or anything, but do think they would instead try and get him some friends, probably wiretap everything he has, and somehow get him into good enough graces to talk.

But the disaffectment problem the US faces is so bad. That really is how the USG was able to get so many moles in the past, while, historically, post-50s "Stalin was a bad guy" Khrushchev talk, USG moles have almost invariably been "in it for the money". Does well show how doing stuff like black sites, mass surveillance, torture, rampant assassinations, and such have a very high cost. (Edward Lee Howard is one notable exception to that rule, but I believe there are one or two others.)

While "we do not know yet", sooner or later these things do come to light. Whatever the case, disaffectment is a prime motivator. I cannot think of a single documented Soviet Union or Eastern European spy which I have read of who "did it for the money". And when there is disaffectment, because it is not about the money, they will go all out, too. No desire to make bargains or hold out. Like Mitrokhin and Snowden.

For this matter, overclassification, and over-the-top secrecy, including the cellular structure of these organizations, also provide a high cost, however. Not only in "missed key intelligence" ways... but also in ways like: why might a foreign agency even bother to pose as a Germany or France when they are really Russia or China? They could pose as one of their own. And even if there were super secret divisions of XYZ agency, or some incredibly mysterious 18th agency... well, who else would know? If they have the capacity to scoot about pretending to be whatever agency they wished, whenever they wished.... simply by having the 'not so terribly difficult to do' capability of creating false files, badges, and the like...

One person does not know what the other person is doing, even on the same team. New people come in, they cannot discuss what they did before, even with their own partner. Requests come in and out from anywhere. People are so "patriotic" and gung ho...

As for such things as email direction, phone direction, ip address, and so on... for the clever and the paranoid who might insist on "legitimate" such evidence. Well, of course, this being a technically "up to it" forum, you know how all of that can be faked.

As for persuading someone of one's authenticity, people really go by attitudes expressed. Just because someone is acting like a super hard ass, way very detail oriented pro-pro-pro-USG doesn't mean they are in any way working for the USG. Maybe they just do that because they understand this. This is the way we people judge others. We try and find their most heartfelt beliefs, their strongest opinions. That says "this is the real you". But, it doesn't. If someone is a fake, they are just method actors, filling up the blankness or Other with something people can relate to and communicate with.

As behavioral studies have well shown: people are extremely poor at many things they think they are very good at. Deeply affected with "change blindness", if you have a stranger come up to them on the street - someone walks by with a mirror or door in between the two, and they replace the first person with someone else entirely - we human beings do not even notice in most instances.

Anyway maybe just me, but I really have gotten the impression that the USG doesn't even know what is going on in their own organizations, much less their own backyard. All that money, all those people.

The modern day pyramids, in a sense. Giant heads in the jungles of South America. Giant structures on Easter Island. Amazing structures in the jungles of Cambodia and Thailand. Stonehenge. The immense structures on some distant island, Nan Madol. Recently, in the outreaches of Shanghai a pool was drained... only to find an immense underground complex with zero record of who did it or where it came from. Why? These things have no meaning for the dead. Is this just what people do? Get together just to get together, and work on supermassive projects which ultimately have no meaning whatsoever? Bizarre behavior.

WalksWithCrowsMarch 8, 2015 9:24 PM

@65535

Thanks for the comments. Maybe that is why I missed the news story.

Probably was doing something else in May, and the story did not continue to get coverage. On Part II now of Bruce's book, and he has, so far, very much to say about USG and Google likely being in bed together.

On security precautions...

Frankly? I have a history, however. :-) When I started to use Yahoo, it got hacked. When I started to use Google, it got hacked. Used a social media site, it got hacked. Used a job site, it got hacked. Dallied about at Ars for a bit, it got hacked.

Changed my credit cards a coupla times past few years because of hacks.

Two places I contracted at got hacked by Anonymous.

If I was anyone special, worked anywhere special, or knew anything special, I would probably start to get paranoid. :-)

The excitement of my day comes from the latest show I am watching, or some crazy cute thing a kid or pet does.

I do take some security precautions, but nothing spy level or anything. Frankly, email wise, gmail is just too damned convenient, as is Google. If some nation really wants to read my discussions about theology and supernatural horror and fantasy... I do not think they would be able to make heads or tails of it, lol.

JacobMarch 8, 2015 9:34 PM

Worth noting from Twitterland:

----------------------------------------
Peter Todd @petertoddbtc · Mar 7

WOW @melshapiro A guy applied to her HW company with a huge gap on his resume, turned out he was working for the NSA on "consumer firmware"

------------------------------------------------

Dirk PraetMarch 8, 2015 9:52 PM

@ Clive, @ Canute, @ SoWhatDidYouExpect, @ Peter

So the only safe thing to do if you don't have sufficient leverage to keep you safe, is not to have a mobile phone or anything else that has an accessible "air interface"... which is opting out of society.

Not necessarily. You can also choose not to carry these devices around all the time and - as a good start - dump about two thirds of all "free" social media, messaging and other services you're on. You'll experience some initial withdrawal symptoms, but after a while you may actually start feeling less stressed since you are no longer constantly connected to the vast hive of people and information out there. You'll find alternative ways to stay in touch where and when required instead of being plugged in all the time.

Your network will shrink considerably until you're basically left with the people and the things that really matter to you, both in the private and professional sphere. As a side-effect, you gain a little privacy and safety since you are no longer leaving behind a permanent digital trail of what you're up to. Similar to when you stop smoking, you will become irritated by the hordes of phubbers around you, secretly wanting to squash their smart phones/ankle bracelets when they leave the table for a leak. You may even find the time to indulge in certain analog activities again, such as going to the pub and talking to real people, or working out at the gym to get rid of the huge belly and ass you developed by lack of physical exercise.

Admittedly, the digital age has brought us many benefits and conveniences which many, if not most of us - willing or unwilling - have come to depend on. But it has also brought us a market-induced addiction to information and communication which, thriving on top of the current inherently insecure global infrastructure, is paving the way for a full surveillance society that is a much bigger risk to democracy and civil liberties than the odd terrorist it is allegedly supposed to protect us from.

FigureitoutMarch 8, 2015 10:22 PM

65535 RE: opsec
--It's only as good as the person you wish to either do business w/ or interact w/ (otherwise just use throwaway phone, computer, memory sticks, and internet connection to interact w/ insecure parties). Generally it should be apparent who's got better OPSEC and the weaker party should default to the other's procedures w/o too much crying (depending on the purpose of the OPSEC of course, if it's for worthless reasons then meh...). It's usually more realistic to set this up after establishing a relationship.

For instance, something bad for the more "security-inclined" (aka those w/ OCD and worry-warts that typically overthink everything bad that can happen until someone has a diabetic coma behind the wheel and plows you over) is I got in contact w/ an old contact who I'd like to have secure comms w/, but she completely ignored my suggestion for encrypted comms...didn't even register. This is the kind of thing that just keeps repeating: "auto-security" isn't trustworthy, and "manual-security" is way too time-consuming.

Underhanded Crypto Contest Winner
--Some random contest based off the "Underhanded C Contest" was looking for subtle backdoors in crypto. Think Bruce may blog about this as he was just in a paper about this kind of surreptitiousness...

If you don't want the spoiler for the winner look away now. I encourage you to download the winners file and try to find the bug.

It was apparently a very common bug and much more interesting (to me, other computer scientists/algorithm guys would like 2nd place where someone backdoored a "zero-knowledge protocol").

Both backdoors are approachable for college compE, compSCI, math majors etc. I don't understand it "fully" after reading but that's just me.

Guess where the winning "backdoor bug" was? A header file lol. It was a frickin' declaration of a data type. Other than that the C-code looked pretty normal, nothing like 2nd place where I see some silly sh*t that starts ringing alarm bells.

http://s27.postimg.org/8vyv458i9/s0f7348jadflvlkxvv9293jkadkaoqooiehhgos.png

Dirk Praet RE: opting out
--Yeah...it was pretty rough for me, I lost contact w/ A LOT of people, mostly permanently. I only got a smartphone again b/c every dang time I whip it out to get a number there's this judging going on, especially for recruiters and interviewers. Also, the "group messaging" format wouldn't work on my phone! So everyone would be sending group messages and I couldn't read it...

RE: connecting w/ people in real life
--Did this the other day at a bar, hilarious. Was mostly just reading on my phone being anti-social. Then just met a fellow ex-pat who lived guess where..?--Belgium! Haha! Small world, we had a surprising amount in common, it was a good talk (I was planning on leaving real quick but got dragged into an hour and a half chat and another beer or two).

gordoMarch 8, 2015 11:47 PM

OFF Topic

Long before drones, the US tried to automate warfare during the Vietnam War
Andrew Cockburn, Kill Chain: The Rise of the High-Tech Assassins
Mar 9, 2015, 04.34 AM

In this excerpt from Andrew Cockburn's 'Kill Chain: The Rise of the High-Tech Assassins', Cockburn delves into the strategic, historical, and technological developments that led to the widespread use of drones in the 21st century.

[By mid-1967] F-4 fighter-bombers and other aircraft strewed hundreds and then thousands of sensors across the jungle.

Fleets of assorted aircraft were deployed to circle day and night and relay radio signals from the sensors back to Nakhon Phanom, a military base on the west bank of the Mekong River in northeast Thailand that was so secret it officially did not exist.

. . .

http://www.businessinsider.in/Long-before-drones-the-US-tried-to-automate-warfare-during-the-Vietnam-War/articleshow/46498005.cms

FigureitoutMarch 9, 2015 2:03 AM

RE: underhanded crypto exploit
--Damn! Chilling...well done. Ok, so I wonder if a quick fix would be for all the #define's in tinyaesctr.h to just increment normally (w/in limits of 8 bits, maybe even use a separate typecast of "b00000000" for binary) unless that's needed for the crypto (that's what makes this bug really worrisome, I got all kinds of #defines of "magic values" like this)...making me nervous.

Would a simple fix just be (in tinyaesctr.h):
#define MODE_ENCRYPT 0x0001
#define MODE_DECRYPT 0x0002
#define MODE_SETIV 0x0003
#define MODE_GENIV 0x0004
#define MODE_RESETIV 0x0005
#define MODE_SETKEY 0x0006
#define MODE_REKEY 0x0007
#define MODE_KEEPKEY 0x0008

You can even keep the "insecure" "homebrew" boolean typedef..? What about just regular integers, would that work? Maybe adding in checks of (sizeof) before comparing..? Grr, want to know...

The contest would be even better if a fix was stated lol...
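An added example, not from the thread and not tinyaesctr's own code, of the direction Figureitout is asking about: the mode values numbered sequentially as a C enum with a range check before dispatch, a compile-time width check in place of a runtime sizeof, and a small function showing why a wide magic value stored in a narrow "homebrew" flag type is dangerous (it silently truncates, so a later truthiness test can go the wrong way). The ctr_state rules (a rekey clearing the IV, encrypt refused until both key and IV are in place) are assumptions made for illustration only.

```c
#include <limits.h>
#include <stdint.h>

/*
 * Mode constants numbered sequentially, as proposed in the comment above.
 * An enum (rather than #define) lets the compiler warn on an unhandled
 * case in a switch and gives us a sentinel for range checks. The
 * state-machine rules below are an assumption for illustration, not
 * tinyaesctr's behaviour.
 */
enum aes_mode {
    MODE_ENCRYPT = 1,
    MODE_DECRYPT,
    MODE_SETIV,
    MODE_GENIV,
    MODE_RESETIV,
    MODE_SETKEY,
    MODE_REKEY,
    MODE_KEEPKEY,
    MODE_LIMIT_      /* one past the last valid mode; not itself a mode */
};

/* A narrow "homebrew" flag type like the one the comment mentions. */
typedef unsigned char flag_t;

/* The sizeof-style check the comment asks about, done at compile time:
 * every mode value must survive being stored in flag_t unchanged. */
_Static_assert(MODE_LIMIT_ - 1 <= UCHAR_MAX, "a mode value does not fit in flag_t");

/* Shows the hazard with wide magic values: 0x0100 stored in an 8-bit
 * type silently becomes 0, so a later `if (stored)` test is false.
 * Returns 1 if the value round-trips through flag_t unchanged. */
int narrow_store_keeps_value(unsigned wide_value)
{
    flag_t stored = (flag_t)wide_value;
    return (unsigned)stored == wide_value;
}

/* Reject anything outside the enumerated range before dispatching. */
int mode_is_valid(unsigned v)
{
    return v >= MODE_ENCRYPT && v < MODE_LIMIT_;
}

struct ctr_state {
    int key_set;      /* 1 once SETKEY/REKEY has run */
    int iv_set;       /* 1 once SETIV/GENIV has run since the last key change */
    unsigned ops;     /* completed ENCRYPT/DECRYPT calls */
};

/* Apply a mode using exact comparisons (no truthiness tests on flags).
 * Returns 0 on success, -1 for an invalid mode, -2 for a mode used out
 * of order, such as ENCRYPT before a key and IV are in place. */
int apply_mode(struct ctr_state *st, unsigned v)
{
    if (!mode_is_valid(v))
        return -1;
    switch ((enum aes_mode)v) {
    case MODE_SETKEY:
    case MODE_REKEY:
        st->key_set = 1;
        st->iv_set = 0;          /* assumption: a new key needs a fresh IV */
        return 0;
    case MODE_KEEPKEY:
        return st->key_set ? 0 : -2;
    case MODE_SETIV:
    case MODE_GENIV:
        if (!st->key_set)
            return -2;
        st->iv_set = 1;
        return 0;
    case MODE_RESETIV:
        st->iv_set = 0;
        return 0;
    case MODE_ENCRYPT:
    case MODE_DECRYPT:
        if (!st->key_set || !st->iv_set)
            return -2;
        st->ops++;
        return 0;
    case MODE_LIMIT_:
        break;
    }
    return -1;
}
```

The point of the two checks is that they fail loudly: a mode value that does not fit the flag type stops the build, and a value outside the enumerated range is refused before any comparison against it happens, so there is no code path where a truncated or out-of-range "magic value" can quietly compare equal to something it is not.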

WalksWithCrowsMarch 9, 2015 2:04 AM

"OPSEC" comments:

After writing the above, then continuing to read Data & Goliath privacy sections, I popped on here quickly and noticed statements about "opsec".

It made me feel a little guilty, so I will be a little more open.

Yes, I use gmail, and google. That does not mean I condone their actions, if they are giving everything away, which they may be doing. If I socialized, I would not do this. The fact is I simply do not. Just the way I am. I have like one friend at any time. It isn't because of opsec, it is just because I am solitary and nomadic. I have immediate family, so plenty of socialization there.

I did use facebook for a time. I found a total of four people from my pre-30 life. Four people. At times back then I did socialize here and there, but it was like today's flash mobs kind of. A bunch of friends here, then move on after six months. Long periods of time not socializing at all.

Obviously, I have had some kind of interesting stuff go on, and do work in security, so I am security conscious. But, just haven't needed to adjust much in those ways.

Clive RobinsonMarch 9, 2015 3:13 AM

@ Dirk Praet,

... working out at the gym to get rid of the huge belly and ass you developed by lack of physical exercise.

Have you been hacking CCTV cameras?, or bugged us all?, or just guessing? ;-)

I'll have you know that there is a younger lady in my life known to have been sufficiently enamored of my "attractive bottom" to have overlooked my other defects (of which I can assure you there are many as with all men when viewed by their women folk ;-)

Clive RobinsonMarch 9, 2015 3:27 AM

ON Topic sort of :-)

From the article,

... whittling the cost down from $50 per gram to $100 per kilogram. Demirel says they are looking at using algae instead of bacteria to cut down costs further.

On reading "$50 per gram" it made me think "street price" of illegal organic substances, which gave rise to a further thought,

One of the problems with illegal organic substances is the very resource intensive and very inefficient "plant growth" stage of their manufacture. It's also the most easily seen stage by law enforcement.

What if the producers of such illegal organic substances went high tech and instead of traditional plant growth/harvest went for industrial "genetically modified algae in a flask" production instead...

65535March 9, 2015 9:52 AM

@ Joe K

[points to Youtube discussion about Google and J. A.]

https://www.youtube.com/watch?v=OTV_Vz-Ur2M

The intercourse between the NSA and Google is certainly there.


@ WalksWithCrows

Google Gmail is certainly convenient but I doubt it is secure – even with SSL/TLS [bots and advertisers tend to get the contents in some way].

I have a gmail account but not used with mission critical communications [and I have the other big two email vendors… and some semi-secure well known SSL/TLS PGP vendors… and I have access to semi-secure email servers from well known vendors].

But, I still don’t send anything important over the wire unless I think the risk/reward ratio is favorable.

“Youtube, I do see as a very viable commercial entity. They have just created a beta program for it, which I know of because I joined it.” – WalksWithCrows

If you are satisfied with it then use it. The same goes for Gmail.

I hear you about being hacked and it is a real PITarse to straighten out. Krebs keeps on top of things getting hacked.

Those clients were ESPs that send email to customers on behalf of some the biggest firms in the world. Epsilon didn’t name which ESPs were impacted, but the voluminous complaints from consumers about spam indicated that those ESPs served a broad range of major companies, including JP Morgan Chase, U.S. Bank, Barclays, Kroger, McDonalds, Walgreens, and Honda, to name but a few.

See the epsilon case:

https://krebsonsecurity.com/2015/03/feds-indict-three-in-2011-epsilon-hack/

I didn't really know what ESP was until I looked it up. It is simply Google, Yahoo and some big corporations running their own email servers.

I do note that Wikipedia seems to be skeptical about where the revenue comes from when discussing “Free” email service providers.

“There are paid and free ones, [free ones] possibly sustained by advertising.” – Wikipedia

https://en.wikipedia.org/wiki/E-mail_service_provider#Types

I take that to mean that some of biggest email providers like G@@le may make their money by selling semi-masked contents of individual’s emails – but I could be wrong.

@ Figureitout

"65535 RE: opsec --It's only as good as the person you wish to either do business w/ or interact w/ (otherwise just use throwaway phone, computer, memory sticks, and internet connection to interact w/ insecure parties)." -Figureitout

I agree.

Even if you used something like Lavabit [now gone] or PGP with Gmail over SSL/TLS it is useless if the other person decrypts the message and pastes it into a non-encrypted email system and/or forwards it to one of their friends who doesn’t use encryption – all your opsec and encryption are gone - and your email is in the clear.

Even Hillary’s personal Exchange Server 2010 on a Server 2008 R2 leaked DNS and IP information – and was hacked by Guccifer [via hacking an insecure AOL account on an unsecured desktop computer – another poor OPSEC and configuration attribute].

“There's still a live server at mail.clintonemail.com. It's running Windows Server 2008 R2 with a valid SSL certificate. And it appears to be colo'd at Internap. Between that and the MXLogic protection, hardly a slapdash setup…”

See
https://news.ycombinator.com/item?id=9149204

"https://mail.clintonemail.com/owa/ also appears to be an Exchange 2010 setup"- btgeekboy

See:
https://news.ycombinator.com/item?id=9149367

or

https://mail.clintonemail.com/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fmail.clintonemail.com%2fowa%2f

[note the Outlook Web Access at end of both url's - owa]

True, this actual Exchange Server 2010 might not be Hillary’s but it is an example of what she supposedly used.

[excuse all of the grammar and other errors]

Clive RobinsonMarch 9, 2015 11:15 AM

@ vas pup,

I will be watching Horizon tonight, it looks like it will be fascinating.

With regards Venezuela food issue, it's not unexpected. The problem they are trying to solve won't be solved by fingerprint readers; the food smugglers will simply "move up the food chain" either by corruption or violence. The problem with this is that the corruption is endemic in the civil authorities thus only the worst of violence will get any response...

Fundamentally the problem Venezuela has is it is resource rich in just one thing, thus it suffers not just the vagaries of the world markets in that resource, it also has an unbalanced economy with no real industry to balance it up. Which results in a very uneven wealth distribution, and thus political problems.

The way they tried to rectify the political problems by heavily subsidising food means that those outside the country will take advantage of it one way or another (try selling gold at half price and see just how far people will travel to buy it).

In an attempt to stop this the wrong choice was made and thus a faux market was created which started the smuggling to satisfy it. This has now gone beyond a tipping point where the smugglers are dependent on the faux market for their existence and will not give up the status and wealth it brings without a fight...

A look back in the history books shows that "easy" wealth based on just resources is both short lived and squandered; Spanish gold/silver from South America is an object historical example.

The only sensible thing to do with such wealth is to lay down the foundations for education and industry. Used that way it is an investment in the nation's future. One or two of the smaller middle east countries are doing this in various ways, unfortunately in most cases they are taking a too short term view and thus making wrong choices...

MuniesaMarch 9, 2015 12:27 PM

@ Dirk Praet RE: get off social media

Too damn true :D have experienced that myself. OTOH "Your network will shrink considerably until you're basically left with the people and the things that really matter to you, both in the private and professional sphere. As a side-effect..." your "network" becomes cleaner and thus easier to observe for whoever would be there to watch you. Forgetaboutit. Just kidding. Am I? No? Anyway what you say is generally true and should at least be tried. Who knows, maybe you'll have an epiphany.

WalksWithCrowsMarch 9, 2015 12:53 PM

@65535, Joe K

Thanks for the links and information. I am going to think about moving, but primarily from a conscience standpoint.

There are different threats and different risks, of course, for every person. Main risk I have had from nation-states is mistaken identity.

Bruce's book well goes into this problem: for instance, how the NSA and other agencies will look for patterns of behavior and put innocent people in lists for surveillance, and even in some cases persecute people who are entirely innocent.

In my case that would be something technical: mistaking me for a malicious hacker (merely because I work in computer security and have capacities to find zero day), or mistaking me for some manner of spy (merely because while I have many interests, I have studied espionage and do sometimes post on such subjects).

I am a little hesitant, therefore, to further obfuscate myself. Especially because if they did look and see they would quickly get off such preposterous tracks. In both cases, they would want to be very quiet about it. That is a positive, in my case. If I were active in civil rights, for instance, I could see them actually attacking me and attacking my friends, coworkers, and family.

But in this sort of mistaken identity situation, they would keep a distance and no one would even know they were there or what their purpose was. They would verify everyone is just everyday people, and back off.

If I was Arab and Muslim and felt this was a list to be put under, I would probably get very angry and have a very different mind about things. But, I am not, and I can't really get angry about someone doing so in my situation. If I were in their shoes, I would think the same thing.

WalksWithCrowsMarch 9, 2015 1:30 PM

@Muniesa, @Dirk Praet 'getting off social media'

Too damn true :D have experienced that myself. OTOH "Your network will shrink considerably until you're basically left with the people and the things that really matter to you, both in the private and professional sphere. As a side-effect..." your "network" becomes cleaner and thus easier to observe for whoever would be there to watch you. Forgetaboutit. Just kidding. Am I? No? Anyway what you say is generally true and should at least be tried. Who knows, maybe you'll have an epiphany.

It actually can become cleaner and so easier to observe. In mistaken identity situations, as I discussed above, that can actually be a positive. I got on facebook for about a year, for instance, and used it. That was how I found four people from my past, or they found me.

I was actually surprised I could not find more, even though I was well aware I ended up going to four different high schools, and three different middle schools. And the school I stayed at the longest, the only one where I really interacted socially, moved almost every year.

My FB became a 'who's who' of internet security, amongst other things. Mostly because of ex-coworkers. I could see how someone could investigate, even to the point of looking at everyday conversation and trying to see if there was not some manner of code in it. :/

Or just getting in someone's sights because of someone else and their connections and their work.

Also, with old friends, while only two I was close to, and they both are obviously just everyday people (one works in industrial labor, the other at whole foods); I would not want them to be caught up in anything, even if that was just an obvious dead end road.

For instance, say what if one smoked pot. And then they came under scrutiny because of some kind of 1984 or Brazil type thing. That would not be okay with me.

BoppingAroundMarch 9, 2015 5:24 PM

Off-topic. Whoever posted a link to Scorched Earth Society in one of recent threads, thank you.

I have a memory that someone had already discussed privacy matters from a biology POV, although I am not sure whether it was the same person or different people.

tyrMarch 9, 2015 5:55 PM


In the interest of making the world more secure.

Some EU dignitary says the EU needs its own army.

I can see this going well, as in whose country will be first to disband its own army, close its staff school, and open recruiting for the EU. They'd have to opt out of NATO as a useless expense. Sounds wonderful but who wants to go first. UK, Germany, France, sound like the best places to start, they can set a good example for the rest.

@Clive
So now the LEO has to start looking for test tubes under every moderately intelligent kid's bed in addition to head rags and fan belts?

There hasn't been much media snivelling about the insidious nature of nano and biotech as more are getting trained in the hotbeds of insurrection known as schools. In the olde dayes they only had to worry about people who could make a bomb out of a glass of water and a battery.

It is a good thing there's a ceasefire in Ukraine otherwise some neo-nazi nutjob might decide to fire on the US_NATO taskforce in the area. That's how a number of world wars have started in the past. As I read current US deployments, I'd be really surprised if anybody in the military thinks WW3 is a good idea right this minute. The media in USA probably has the typeset already with the good news about "Nuclear Winter Solves Climate Change Issue by Triggering New Ice Age".

I'm not attributing any of this to malice.

Marcos El MaloMarch 9, 2015 6:05 PM

I'm totally against GMO plastic. I prefer organic plastic formed in fair trade labs. I bet the e. coli bacteria isn't being paid a fair wage.

SoWhatDidYouExpectMarch 9, 2015 10:14 PM

Scotland Yard Chief: Put CCTV In Every Home To Help Solve Crimes

http://news.slashdot.org/story/15/03/09/1910202/scotland-yard-chief-put-cctv-in-every-home-to-help-solve-crimes

From the post:

"Homeowners should consider fitting CCTV to trap burglars, the country's most senior police officer declared yesterday. Sir Bernard Hogan-Howe said police forces needed more crime scene footage to match against their 12 million images of suspects and offenders. And he called on families and businesses to install cameras at eye level – to exploit advances in facial recognition technology."

So, all the crime in England is in the homes, where presumably the people living there, and the burglars, thought they had some privacy. The police there apparently aren't doing their job now with CCTV cameras on all the streets outside the homes, so they need to go into the homes. Then the police will get nothing done watching millions of homes (not necessarily live but a little voyeurism later). I wonder how those police officers and other members of the general population of regulators feel about being the target of in-home cameras as well as peering into the homes of others for this purpose? That should also mean members of Parliament, Scotland Yard, and maybe even the Queen's palace.

Most likely, it will make the people living in their homes subject to being targeted as criminals rather than protecting them from criminals.

What a moron.

Okay Clive, fire away...

FigureitoutMarch 9, 2015 11:02 PM

65535
--Yep...See another unmentioned benefit using massive email services is *generally* lots of ticky-tacky hack-n-patch protections built up over time that would be too much for someone on their own (unless that's all you want to do, mostly a side project for me, I've finally settled on a use for my beaglebone). But yeah I reprimanded a girl once as she clicky clicky every ad on any site (it was a pair of shoes or something like that lol), so add in a bunch of keylogging malware to the equation...

You just have to set it up and give it to people who don't care but you want to talk to lol. That'll get expensive if you can't make cheap solutions. Also guaranteed people will say "you work for cia?"--man no! I want security, haven't even cranked up the insanity meter yet doing a custom authentication procedure (must blend in...).

RE: guccifer
--Lol, he hacked my state gov't and I saw some rather familiar names of people he "doxed" (barely). He unearthed a potential affair w/ Colin Powell lol (only laugh b/c these people don't give 2 sh*ts about you)...

As steve37 already pointed out (put it here bud) and internet security scene knows about...

DRAM Rowhammer bug
--Great research coming out of Project Zero at Google. Damn...Intense reading, *very* interesting. They built a PoC from this research: http://users.ece.cmu.edu/~yoonguk/papers/kim-isca14.pdf

Got the test running now giving the ram a pounding and no shutdowns as of ~51 mins (I've run some memory tests in the past that shutdown PC instantly which is a little scary so this one seems safe as you can read in code), phew no hits yet (someone on /r/netsec got a hit in ~0.1s...that's f*ckin' scary, that's really damaging exploit level speeds right there).

If you want to test but don't know how (on linux):
1) Go here: https://github.com/google/rowhammer-test
2) Download zip file and save where ever
3) On Linux, open up terminal and 'cd' to directory where saved
4) Utilize "unzip" utility (download if you don't have), simply: unzip rowhammer-test-master.zip
5) cd to directory again (rowhammer-test-master)
6) ./make.sh
7) ./rowhammer_test

And test will start (and now we wait...).

Little code chunks are pretty meaty on quick glance, thought it was funny one of the function names is "HammeredEnough" lol...

So, will unnamed vendors respond and deliver to yet another massive security problem? I don't know the answer yet, ECC keeps getting tossed around. Our computers get raped enough as is, we don't need more hammering...

http://googleprojectzero.blogspot.com/2015/03/exploiting-dram-rowhammer-bug-to-gain.html

Clive RobinsonMarch 10, 2015 12:28 AM

@ SoWhatDidYouExpect,

It's hard to tell when senior police officers are being serious, or using it as a cover for a political attack, whilst apparently remaining neutral for political reasons. They have their own group the Association of Chief Police Officers (ACPO) that has its various "policy groups", including direction and technology groups.

And in a couple of months in the UK it's General Election time, where the country, sick of politicos in general and austerity etc caused by the "too big to fail" banks etc, gets to pick a new bunch of monkeys in suits to ruin their lives for the next five years.

Both main parties are offering more austerity just in different ways, the current mob in power want to cut taxes for the rich, and allow big corporates to not pay taxes at all, and as they can not raise personal taxes any more for the poor, they are probably going to do it other ways but the result will be the same for both parties, they are going to have to cut expenditure, the question is where...

The police have already seen significant cuts and know they are going to see more and the "efficiency saving" nonsense the politicos trot out tells you it's beyond rational thought, it's now "blame the victim" so kind of "you're still breathing let's cut your throat some more" tactic. So ACPO know it's time to scream for help from the public. So now we are into the end game of who can capture more "hearts and minds" on polling day...

The current incumbents in the coalition are spinning up their arguments but it looks like the Conservatives are going all out to go it alone. The problem is they are seen as "Trust Fund Posh Boy" out of touch / moronic / thug / heroes depending on who you ask. The only thing that is clear is that they can not deliver on any of their promises, nor can the opposition...

The conservative leader David Cameron known as "hug a hoodie" and his chance(llo)r "Gidiot" Osborne are PR folk full of spun up faux style and very little substance. However they cooked up this "Big Society" con which has come back to haunt them on more than one occasion and many associate it with "mugging" in its various meanings oh and the Orwellian "Big Brother" Society as well.

So you need to set the supposedly politically neutral speech in that political setting, where to save their existence the police will have to capture "hearts and minds" on polling day as well.

So you could interpret it as "if you vote for XXX your only hope of staying alive and well is turn your home into a prison at your own expense, because we won't get the money to do our job of protecting you". Oh and with the subtext of "Oh and XXX will demand access for free so that you can be watched 24x7 so that you can be fined / asset stripped for walking around without a shirt on your back all so the rich man can live in his Castle in the Channel Islands".

The thing is though it also makes sense out of the political context in that one of the biggest indirect costs to society is petty crime in terms of house breaking. What for the criminal is half an hour of time in your home will net them maybe 150 quid or about the equivalent of the gross average pay for two days work. But the cost in terms of damage and man hours of police, insurance trades people and the health service can be close to a thousand times that... and some criminals are doing two or three crimes a day just to keep them in illegal chemical substances.

These high cost criminals are often careless and thus facial recognition would provide a quick way to find them and assist in getting them convicted, but even if they do cover their faces their height, build and other characteristics will enable them to be tracked down quickly and also flagged up in public space CCTV.

And it will also help target "stop-n-search" such that even if they don't catch them "in the act" they can catch them either with the stolen goods on them or "equipped to commit a crime" or with illegal substances or unexplainable money.

Sadly even if it works it just shifts the cost problem on elsewhere such as private prison services... because currently we are not setup to cure the crime problem. Because the politicos don't want to take an overall economic view of crime and the faux markets it creates.

I know this will create howls from vested interests, but if you look at another major social cost "health care" it can be seen that the insurance and other faux health care markets in the "US model" nearly doubles the overall cost, but produces lower outcomes on all but basic health care.

That is it can be seen that faux markets exist as "middle men" with the sole intent to take money out for little or no return value to the consumer or end service provider and as a result create a significant cost inflation...

The way to initially reduce the costs is deal with the faux markets, but that is politically unacceptable due to political party funding issues. The ultimate cost reduction is prevention of the causative agents, but this is going to be very long term and thus politically unacceptable as well...

Maybe we should start with another solution which is to get rid of the main impediment... the self serving politicians and civil servants ;-)

8352March 10, 2015 12:42 AM

Re: my earlier comments about Zoho.com email.

Having tested Zoho's mailservers, now I'm not so sure about them. Their servers won't accept any ECDHE or DHE ciphers, which means no Forward Secrecy. Even Gmail prefers ECDHE_RSA_AES128_GCM_SHA256. Without FS, if the FBI demands Zoho's SSL keys, then NSA can decrypt everything including any past encrypted communications they recorded (which we know they do). That's what happened to Lavabit. For all we know, NSA may already have Zoho's keys.

This raises an interesting possibility: Could the FBI/NSA make an email provider give up the SSL keys and force that provider to not use forward-secret encryption? Seems like something they would do.

FigureitoutMarch 10, 2015 12:51 AM

RE: Rowhammer bug
--Sounds like a "fault injection"-like attack that's possible w/ software probing (not active RF injections onto memory cells) due to modern manufacturing making chips too small! Software-based "fault-injection" attacks are way more exploitable, bah..no! It's an EMSEC attack due to proximity (and of course it affects other types of memory). Reaching a limit on space, and it's annoying when components are so small you can't even differentiate w/ your eyes and if you got a tiny failure it takes a long time to find! Big chip companies need to focus on new technologies and not just size! Can't even inspect some chips today...It's causing more and more problems...

This makes me wonder now about some chips coming out shortly that are *said* to operate at ~4uA resting (frickin' tiny currents, you could power that for like 15-20 years easy on some high quality batteries). I don't get it...

Clive RobinsonMarch 10, 2015 1:09 AM

With regard the UK and CCTV...

People might be interested in what "UK White Van Man" is reading on the subject,

http://www.express.co.uk/comment/expresscomment/562833/Sir-Bernard-Hogan-Howw-CCTV-camera-homes

However it appears that the original interview given to LBC was a little different than reported by many...

Apparently what the "UK Top Cop" was suggesting was that people who already have or are intending to install private CCTV in workplaces, shops and homes, consider putting one or two cameras not high up where they provide little or no identifying information or bio-metrics but at eye level where they would.

Which makes sense, even if the criminals do cover their eyes, nose, mouth and ears, other more useful general biometrics such as sex, height, build, set, handedness, gait etc will narrow the suspects down probably more effectively and considerably faster than face recognition which currently appears to get the correct face match at best about 3/4 of the time from web cam pictures.

Clive RobinsonMarch 10, 2015 2:33 AM

@ Figureitout,

... tiny currents, you could power that for like 15-20 years easy on some high quality batteries

First we need the batteries that won't self discharge in 1/5 that time...

In all seriousness energy storage is one of the greatest problems holding mankind back, its detrimental effects on the world economy are hundreds of times those of malaria, or even smoking...

For instance the loss on transporting electricity from generator to consumer is about 1/4 due to IR losses. Power is I^2R and thus halving current reduces the losses to a quarter of what they were. The traditional way was to up the transmission voltage but we have gone about as far as we reasonably can on that. Another alternative is to reduce peak currents to near average currents. That is if you use a 1KW kettle for 2mins every couple of hours you have a 60:1 duty cycle, thus the current would on average be 1/60th and the transmission loss would be reduced to 1/3600 of what it was. To do this it needs cheap highly efficient energy storage, which currently we just don't have.

Such storage would make "green energy" much more viable. I have a friend who has semi-retired to a sunnier climate; because of the introduction of cheap solar energy their life style has 180'd, whereas they used to use night time "economy" energy to do laundry, shower, heat water and vacuum the house, they now do it midday when they don't have the near 50% energy storage loss to consider.

Anyway on to "battering RAM" with "Row Hammer", it's not actually a new problem as such. In the early days of Dynamic RAM you had "ras and cas" timing to consider on top of actual memory addressing and DMA making life harder. It was not unknown for adjacent rows to be affected if intensive writing to a short buffer via DMA was in use. Likewise early high resolution --for then-- display DRAM could get mucked up during updates even though there was logic preventing bus contention between the computer and display logic.

It's one of the reasons parity bit error detecting memory was introduced, but when it comes to security parity checking is not going to be sufficient. Potentially the worst case security wise is "directly tagged memory" that is words tagged individually with code/data RO/RW flags, which is the sort of hardware security @Nick P talks about quite often, I guess we will see his views on rowhammer in a short while.
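To put numbers on Clive's point that a parity bit is not enough, and on the ECC that Figureitout mentions vendors tossing around, here is an added example in C that is not from the thread (and a toy next to the wide ECC words real DRAM controllers use): a single parity bit over a byte placed beside a Hamming(7,4) code with an extra overall-parity bit, the classic SECDED construction that corrects one flipped bit and detects two. The bit positions and the encode/decode functions are my own construction.

```c
#include <stdint.h>

/* Bit at 1-indexed position pos (1..8) of codeword c. */
static int bit_at(uint8_t c, int pos)
{
    return (c >> (pos - 1)) & 1;
}

/* Single parity bit over a byte: XOR of all eight bits. */
int simple_parity(uint8_t byte)
{
    int p = 0;
    for (int i = 0; i < 8; i++)
        p ^= (byte >> i) & 1;
    return p;
}

/* Returns 1 if a parity check would notice the bits in flip_mask being
 * flipped, 0 if the corruption passes unnoticed (any even number of flips). */
int parity_detects(uint8_t word, uint8_t flip_mask)
{
    return simple_parity(word ^ flip_mask) != simple_parity(word);
}

/* Hamming(7,4) plus an overall parity bit (SECDED): 4 data bits become an
 * 8-bit codeword. Positions 1,2,4 hold parity, 3,5,6,7 hold data, 8 holds
 * the overall parity of positions 1..7. */
uint8_t secded_encode(uint8_t nibble)
{
    int d1 = nibble & 1, d2 = (nibble >> 1) & 1;
    int d3 = (nibble >> 2) & 1, d4 = (nibble >> 3) & 1;
    int p1 = d1 ^ d2 ^ d4;      /* covers positions 1,3,5,7 */
    int p2 = d1 ^ d3 ^ d4;      /* covers positions 2,3,6,7 */
    int p4 = d2 ^ d3 ^ d4;      /* covers positions 4,5,6,7 */
    uint8_t c = (uint8_t)(p1 | (p2 << 1) | (d1 << 2) | (p4 << 3)
                          | (d2 << 4) | (d3 << 5) | (d4 << 6));
    int overall = p1 ^ p2 ^ d1 ^ p4 ^ d2 ^ d3 ^ d4;
    return (uint8_t)(c | (overall << 7));
}

/* Decode a codeword. Returns 0 (clean), 1 (one bit flipped and corrected),
 * or 2 (two flips: detected but uncorrectable). The recovered nibble is
 * written to *out in the first two cases. */
int secded_decode(uint8_t c, uint8_t *out)
{
    /* Syndrome: a nonzero value names the position of a single bad bit. */
    int s = (bit_at(c, 1) ^ bit_at(c, 3) ^ bit_at(c, 5) ^ bit_at(c, 7))
          | ((bit_at(c, 2) ^ bit_at(c, 3) ^ bit_at(c, 6) ^ bit_at(c, 7)) << 1)
          | ((bit_at(c, 4) ^ bit_at(c, 5) ^ bit_at(c, 6) ^ bit_at(c, 7)) << 2);
    int overall = simple_parity(c);  /* 0 for an even number of flips */
    int status;

    if (s == 0 && overall == 0) {
        status = 0;
    } else if (overall == 1) {
        if (s != 0)
            c ^= (uint8_t)(1u << (s - 1));  /* single flip: put it back */
        status = 1;                          /* s == 0: the overall bit itself flipped */
    } else {
        return 2;  /* syndrome set but parity even: two flips, don't "correct" */
    }
    if (out)
        *out = (uint8_t)(bit_at(c, 3) | (bit_at(c, 5) << 1)
                         | (bit_at(c, 6) << 2) | (bit_at(c, 7) << 3));
    return status;
}
```

Flipping any one of the eight bits of a codeword still decodes to the original nibble, while flipping two is reported as uncorrectable rather than silently mis-corrected, which is the property that separates SECDED from plain Hamming and is why "ECC" in the Rowhammer discussion means more than a parity bit: parity alone only notices an odd number of flips and says nothing about which bit went.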

65535March 10, 2015 5:06 AM

@WalksWithCrows

“I am going to think about moving… Main risk I have had from nation-states is mistaken identity… In my case that would be something technical: mistaking me for a malicious hacker (merely because I work in computer security and have capacities to find zero day), or mistaking me for some manner of spy (… I have studied espionage and do sometimes post on such subjects).” –WalksWithCrows

Good points.

I moved from Google products because of their close relationship with the NSA and other “agencies” with the ability to put you on a list. The move was not over-night.

I use DuckDuckGo and Ixquick Https. Once I got used to each search engine, they work fairly well and don’t track “business records” or the “library card” thing.

My customers run web servers that I can use. They have private certs and use Active Directory.

That is fine except I have to accept their security templates on any MS “Pro” machine and join their domain.

It works but can consume CPU cycles because of the SSL/TLS encryption… and accepting their self-signed certificate. But, I can actually delete emails and attachments – clean out the mail box – as they say. You cannot do that with Gmail or yahoo. I heard Gmail retention was 18 to 20 months and Yahoo forever.

Some of my friends swear by that “secure Canadian email service” which is well known and quite controversial. I tried it before they required you to have a mobile phone number attached to your account [free version] when lavabit closed.

It works about the same as Gmail except lower capacity – hence you have to clean out your mail box from time to time. There is a 2 – 3 week log-in rule. If you fail to log in after 3 weeks you’re kicked out of the free account.

But, there are no annoying ads or offensive murder news ads to view. I do like that aspect. But, this is only used for semi-private items – wills, taxes, and legal items.

Last, I have lost my touch with PGP or GPG. I will have to sharpen my skills on that score.

I feel for you regarding the mistaken identity thing. I had one of those cases and it took over a year to remediate. ID theft is huge; that is why secure email is needed for the average Joe.

In the end I use a "stepped" type of secure communications. The low value stuff goes over Gmail but I make sure not to use my name or my recipients’ name [or any other PHY data].

The financial, legal and medical at least go into the secure system in Canada. But, still I make sure that no mission critical data goes over the wire.

For more secure email I use “the Hillary Clinton” method using my friends email servers – but again scrub the PHY data from the email.

The very important stuff goes over the “thumb drive method” of transmitting secure encrypted data. I hope the older versions of True crypt are still solid.

My system is far from perfect but it provides a layered security approach – ask Nick P.

[excuse the grammar and other mistakes]

vas pupMarch 10, 2015 10:17 AM

@tyr • March 9, 2015 5:55 PM. I love the Swiss concept of defense and military. Sure, mountains are a great advantage, but I guess neither Hitler nor Stalin ever had a plan to invade this small freedom-loving country where somebody was lucky to be born and be a citizen of. By the way, they are not a member of NATO or any other military alliance (to the best of my knowledge). As a result, Swiss folks are not participating in military adventures thousands of miles outside their borders and save the lives and health of their citizens. Just an observation.

gordoMarch 10, 2015 11:59 AM

Opinion piece:

Washington’s cybersecurity is about surveillance, not security
Congress’ latest legislative attempt promises protection, but it would just let the government spy more easily on us
March 10, 2015 2:00AM ET
by Joshua Kopstein

The term “cybersecurity” has long been a comically ubiquitous utterance in Washington. But recent proposals from Congress, the White House and the intelligence community are straining the word’s meaning to dubious ends.

http://america.aljazeera.com/opinions/2015/3/washingtons-cybersecurity-is-about-surveillance-not-security.html

WalksWithCrowsMarch 10, 2015 12:24 PM

@65535

Well, of course, there are many, many forms of "mistaken identity". :-)

I think one of the more intriguing forms is the such as we place on, for instance, literal currency. Then, if we step back and try and model humans and society along these lines, we can also find many forms of "mistaken identity", in these regards.

My system, it sounds like, is similar to yours. Though, I am a little hard pressed to consider 'what I really consider important'.

A bit not unlike Schneier's excellent analysis of retroactive information: 'reading a diary of years ago a person can find nearly a completely different person'. So, for instance, a number of years ago I had what, for me, was very important conversations in email. But to anyone outside myself and the person I was talking to, it would be incomprehensible. They might sense the importance of it, but would invariably get lost in the incorrect labels, definitions, and such. And so entirely miss what was being said, besides that it seems 'very, very important'.

Likewise, by labels, by seeming details, I continue to engage. What tends to be transferred, however, is rarely - if ever - what is seen, but rather, based upon shared definitions for which no codebook exists.

Worse, the underlying definitions change, dynamically, even if some manner of the "emotional" and "intellectual" values might be perceived by some manner of innate valuation system people seem hardwired with.

Difficult topic, but "for instances" might be made: 'what, truly, is it which makes the value of such and such, for instance, Van Gogh'? I have heard various debates on this, but rarely anything substantive. For instance, one time, it was noted, 'this one has a portion of his dna on it from when he cut off his ear', and another time entirely it was noted, 'this one still has tiny embedded sea sand fragments in it from when he painted it on the beach'.

These are very rare comments, and I think most would not notice or even know of the dna nor the minutely buried fragments of sand.

Even saying it out loud does not change the fact that it really means nothing to an outside observer.

Instead, they would be stuck on simple 'known valuations in society', but a problem here would be selling something by theft, where that theft not only entirely devalues it -- it would end them in "jail".

Many things are actually this way. The pyramids are a very good example. According to legend, their value was not directly in their building and sign of a great civilization, but rather in their taking down of that civilization.

We view such ruins in the sands or jungle of great interest, that is, not just because they are inexplicable signs of immense and unnecessary hardship, but also because they stand as tombstones of 'what was'. And what is ever so long since, 'what is now not'.

Subtle matters, to be sure, and perhaps so subtle as to be entirely meaningless. But there can be a vast trade in the poetic circles for that which has entirely no use for a mechanic or engineer.


Nick PMarch 10, 2015 12:32 PM

re row hammering

That issue slipped by me. I'd been recommending ECC RAM, ChipKill, and triple diversity just in case hardware issues pop up. That *might* have handled the issue. What would surely do it are the architectures I've posted that trust nothing outside the SOC. They often do integrity checks on individual pieces of memory before operating on them. The row hammering problem should cause integrity checks to fail. Additionally, these architectures also usually protect confidentiality of each chunk of memory and so leaking data upon compromise is harder.
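
Nick P's point that integrity checks on individual pieces of memory would catch row hammer flips, as an added example in C that is not from the comment or from any of the architectures he refers to. It seals each 64-byte chunk with a SipHash-2-4 tag under a key assumed to be held inside the SoC, and refuses to hand out bytes from a chunk whose tag no longer matches; the chunk size, the key and the payload are constructed for the demonstration:

```c
/*
 * Added example, not code from the comment above or from any of the
 * architectures it mentions: memory split into chunks, each sealed with a
 * keyed tag (SipHash-2-4) that is re-checked before the chunk is used. A
 * row-hammer style bit flip in a chunk makes its check fail, so the corrupted
 * data is never acted on. Key, payload and chunk size are constructed.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CHUNK_SIZE 64
#define NUM_CHUNKS 4
#define ROTL64(x, b) ((uint64_t)(((x) << (b)) | ((x) >> (64 - (b)))))
#define SIPROUND                                                      \
    do {                                                              \
        v0 += v1; v1 = ROTL64(v1, 13); v1 ^= v0; v0 = ROTL64(v0, 32); \
        v2 += v3; v3 = ROTL64(v3, 16); v3 ^= v2;                      \
        v0 += v3; v3 = ROTL64(v3, 21); v3 ^= v0;                      \
        v2 += v1; v1 = ROTL64(v1, 17); v1 ^= v2; v2 = ROTL64(v2, 32); \
    } while (0)

static uint64_t u8to64_le(const uint8_t *p) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}

/* SipHash-2-4 (Aumasson and Bernstein): 128-bit key, 64-bit tag. */
uint64_t siphash24(const uint8_t *in, size_t inlen, const uint8_t key[16]) {
    uint64_t k0 = u8to64_le(key), k1 = u8to64_le(key + 8);
    uint64_t v0 = 0x736f6d6570736575ULL ^ k0, v1 = 0x646f72616e646f6dULL ^ k1;
    uint64_t v2 = 0x6c7967656e657261ULL ^ k0, v3 = 0x7465646279746573ULL ^ k1;
    uint64_t b = (uint64_t)inlen << 56;
    const uint8_t *end = in + (inlen & ~(size_t)7);
    for (; in != end; in += 8) {
        uint64_t m = u8to64_le(in);
        v3 ^= m; SIPROUND; SIPROUND; v0 ^= m;
    }
    for (size_t i = 0; i < (inlen & 7); i++) b |= (uint64_t)in[i] << (8 * i);
    v3 ^= b; SIPROUND; SIPROUND; v0 ^= b;
    v2 ^= 0xff;
    SIPROUND; SIPROUND; SIPROUND; SIPROUND;
    return v0 ^ v1 ^ v2 ^ v3;
}

typedef struct {
    uint8_t  key[16];                      /* would live inside the SoC */
    uint8_t  data[NUM_CHUNKS * CHUNK_SIZE];
    uint64_t tag[NUM_CHUNKS];              /* one tag per chunk */
} protected_region;

/* The tag covers the chunk bytes and the chunk index, so chunks cannot be swapped. */
static uint64_t chunk_tag(const protected_region *r, size_t idx) {
    uint8_t buf[CHUNK_SIZE + 8];
    memcpy(buf, r->data + idx * CHUNK_SIZE, CHUNK_SIZE);
    for (int i = 0; i < 8; i++) buf[CHUNK_SIZE + i] = (uint8_t)((uint64_t)idx >> (8 * i));
    return siphash24(buf, sizeof buf, r->key);
}

void region_init(protected_region *r, const uint8_t key[16], const uint8_t *src, size_t len) {
    memset(r, 0, sizeof *r);
    memcpy(r->key, key, 16);
    memcpy(r->data, src, len < sizeof r->data ? len : sizeof r->data);
    for (size_t i = 0; i < NUM_CHUNKS; i++) r->tag[i] = chunk_tag(r, i);
}

/* Read one byte, but only from a chunk whose tag still verifies. */
int region_read(const protected_region *r, size_t off, uint8_t *out) {
    if (off >= sizeof r->data) return -1;
    size_t idx = off / CHUNK_SIZE;
    if (chunk_tag(r, idx) != r->tag[idx]) return -2;  /* integrity failure */
    *out = r->data[off];
    return 0;
}

/* A disturbance that bypasses the API, as a row-hammer flip would. */
void flip_data_bit(protected_region *r, size_t off, int bit) {
    r->data[off] ^= (uint8_t)(1u << bit);
}

static const uint8_t DEMO_KEY[16] = { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 };

/* Seal a region, flip one bit in chunk 1, and return a bitmask of the chunks
 * that still read successfully: bit i set means chunk i passed. */
int demo_flip_mask(void) {
    uint8_t payload[NUM_CHUNKS * CHUNK_SIZE];
    for (size_t i = 0; i < sizeof payload; i++) payload[i] = (uint8_t)i;
    protected_region r;
    region_init(&r, DEMO_KEY, payload, sizeof payload);
    flip_data_bit(&r, 100, 3);                        /* offset 100 is in chunk 1 */
    int mask = 0;
    for (size_t i = 0; i < NUM_CHUNKS; i++) {
        uint8_t v;
        if (region_read(&r, i * CHUNK_SIZE, &v) == 0) mask |= 1 << i;
    }
    return mask;
}

int main(void) {
    printf("chunks passing after the flip: mask 0x%x\n", demo_flip_mask());
    return 0;
}
```

A flip landing in a stored tag is caught the same way, since the recomputed tag will then disagree with it. What this does not do is hide the chunk contents; that is the separate confidentiality layer the comment mentions. A keyed tag rather than a plain checksum matters here because row hammer lets the attacker choose which bits to flip, and without a secret key they could aim for flips that leave a checksum consistent.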

Clive RobinsonMarch 10, 2015 1:05 PM

@ vas pup,

You forgot the "Gnomes" whose banks look after other people's loot; even Hitler hid his considerable ill-gotten gains there. Then there is always the "tweeting clocks" and "death by chocolate" secret weapons ;-)

The scary thing about the Swiss is the number of gun collectors with their nuclear bunkers full of weapons. Quite a few years ago I had a close friendship with a girl whose father was still living there and I spent a very pleasant couple of weeks at his holiday home there. She mentioned I was in a regimental shooting team and he invited me out with some of his friends for a little practice session to play with "Russian weapons" to see what we were up against in NATO. So the following day we loaded up enough weapons in the back of the estate to sink it well down on the back wheels and were just driving down the road at a quite sedate pace when the police pulled us over. I thought "oh dear, what's he going to do when he looks in the back"; well, he commented that the vehicle looked unbalanced and helped us sort out the loading... very friendly, very polite and helpful and absolutely unsurprised at the load... a very fun day followed and I was not upset when my lady friend beat me at a 500m shoot off (I was only a 892 at 500 back then, and doubt I could hit a bus if it fell on me these days).

gordoMarch 10, 2015 1:48 PM

@ Clive Robinson

Yea; MSM as fourth estate is not doing its job.

Thank goodness for the fifth.

SoWhatDidYouExpectMarch 10, 2015 4:29 PM

Is this a good thing?

http://www.majorgeeks.com/news/story/the_cia_finally_goes_digital.html

Is it for real?

FUD? I bet there is someone in there still using a slide rule (what the hell is that?) 10 years from now.

Ah, yes...Public Relations. You know, the lies they tell to the public to make them look good, but under the covers it is the same old same old buried in the past ancient history of lust for power to feed the greed of the (already) rich.

They wouldn't dare touch anything below the top tier. That would be akin to putting the CIA together with the FBI under Homeland Security (oh what a gut check that would be; I would buy tickets to watch the subsequent infighting; that would put boxing, wrestling, and the ultimate fighter stuff out of business).

SoWhatDidYouExpectMarch 10, 2015 5:08 PM

CIA Tried To Crack Security of Apple Devices

http://apple.slashdot.org/story/15/03/10/1659233/cia-tried-to-crack-security-of-apple-devices

From the post via a story at the Guardian:

The CIA led sophisticated intelligence agency efforts to undermine the encryption used in Apple phones, as well as insert secret surveillance back doors into apps, top-secret documents published by the Intercept online news site have revealed. The newly disclosed documents from the National Security Agency's internal systems show surveillance methods were presented at its secret annual conference, known as the "jamboree."

BuckMarch 10, 2015 5:31 PM

Re: CIA & Apple

I suppose the CIA couldn't/wouldn't ask the NSA, who supposedly have an iPhone implant with a 100% success rate...

tyrMarch 10, 2015 8:13 PM


@ Clive

I'll bet Orwell is kicking himself for not making
Winston Smith buy his equipment to be surveilled
with. He probably wasn't enough of a capitalist to
see the profitability in the action.

@ vas pup

The Germans actually had a contingency plan for the
Swiss. Knowing them, if it was a remote possibility
some junior ossifer on the General Staff had already
done most of the work. Working up the enthusiasm for
taking on the Swiss would stress even the stoutest
warmonger. Last I heard they had nuclear hardened
protection for over 90% of their population. That
and the ability to field almost the entire population
in less than a week makes them very hard to subdue.
And if you win, all you have is a pile of mountains
which you had to empty of population at an unbelievable
cost.

Sounds like a job for the new EU Army, can't have a
rogue state in the centre of the EU setting a bad
example for the rest.

Here we have 47 of our highest in direct and blatant
violation of the law (Logan Act) but it is Ok because
Netanyahu made them do it.

When TrueCrypt critics said to use BitLocker it flagged
it big time. Your trust in Redmond may vary.

I hear the Greeks are planning to expedite the paperwork
and transfer their refugee population to Brussels and
Berlin easing their own burden.

WalksWithCrowsMarch 10, 2015 10:50 PM

@SoWhatDidYouExpect

FUD? I bet there is someone in there still using a slide rule (what the hell is that?) 10 years from now.

Yes, cutting edge.

Yes, missus piston fuggedaboutit made a post on that in one of these threads, I think it was.

The intercept article notes that they are largely still relying on 'already known zero day', hoping to use them before they run out.

And I do not think that is for the plausible deniability factor, either... lol... more like they have started to figure out how to use nexpose. :O

The last major mole or intelligence coup overseas was.... yes, 1983.

Not sure if that is FUD or good news with really powerful nations running about amok completely blind.

Clive RobinsonMarch 11, 2015 4:26 AM

OFF Topic :

An Evil Device for the curious...

There is a saying that "On the Internet nobody knows you're a dog", but what about the physical world of the modern "sneaker-net"?

Well, this USB dog will burn out the nine lives of a curious cat's computer,

http://kukuruku.co/hub/diy/usb-killer

Now that is what you call "a real anti-forensic" device ;-)

vas pupMarch 11, 2015 9:50 AM

Dear respected bloggers, I found that interesting:

Breaking physical security/disguise:
http://www.bbc.com/news/world-europe-31830452
Please notice, nobody was physically harmed.

Security in bio object:
http://www.bbc.com/news/science-environment-31819588:
"That's an amazing toolkit that allows them to choose between being hidden or displaying very spectacular colours for communication - and on top of that they have this ability to control their temperature because of the deep iridophores."
"it was "too early to say" exactly what job that second layer is doing for the animal, and more experiments would be required to show that it is providing "passive thermal protection" as the Swiss researchers suggest."
DARPA/IARPA guys, pay attention, please. Clive, love Swiss - can't do anything with that - sorry.

WalksWithCrowsMarch 11, 2015 4:08 PM

@vas pup

from the article:

A year later, a gang of thieves again gained access, this time wearing women's clothing and wigs. They stole almost every jewel on display in the store.

Yeah, lol, not well thought out disguises, however, especially considering the tech available today even to everyday people. (While true, such tech could be a giveaway, the principles behind it are not poorly known, and for decades people have been able to buy latex for molding at any costume shop... never even mind there are so many ways they could order more advanced systems anonymously enough.)

SoWhatDidYouExpectMarch 11, 2015 7:30 PM

Maybe this is old news...

Report: CIA Has Tried for Years to Break Into Apple Gear

http://www.wired.com/2015/03/cia-apple/

Leading off the post:

"The CIA has been working with security researchers to hack into Apple’s technology since long before we all carried Apple devices around in our pockets. "

Earlier, yet maybe still, I thought the spooks were touting the strength of the abilities (encryption) on Apple products, which would encourage people to use those products, but that they perhaps had already broken into them, which would make it easier for the spooks to get the data (that is, trick them into the trap; misdirection).

Thoughts?

Mr SaltMarch 11, 2015 8:21 PM

Is the Secret Service (and probably the rest of the gov't) able to monitor a person's travels perhaps near real-time?

That's at least the idea that seems to appear in below article:

Notorious Russian hacker was nabbed in the Maldives and extradited over 8,800 miles
http://www.businessinsider.com/notorious-russian-hacker-kidnapped-by-us-was-nabbed-in-the-maldives-2015-3

Bloomberg reports that the Secret Service, closely monitoring Seleznev's travels, solicited the help of the Maldivian police superintendent (with whom the State Department has a close relationship) in capturing Seleznev before he boarded his flight home to Russia.

WalksWithCrowsMarch 11, 2015 11:08 PM

@Mr Salt

Depends on the method used. If his phone was bugged it would operate as a highly functional tracker of course. Otherwise he could be followed by, for instance, pings as he passes cell towers. Or etc etc...

The whole case is pretty shady. As is the Russian gov. Notice the article says he is so rich he just leaves money lying around the house. Because of one picture which was posed. Playing that angle downplays the angle of him working with anyone else. Why? Probably instructed to do so, so FSB/SVR doesn't think they are on anyone's radar for regime change.

@SoWhatDidYouExpect

I had not heard of us toughen in apple. I do know like all major products they want vulns in it...

NSA is supposed to find and report bugs when they do audits, if the product is bought by any dod... but they are said to hold some back.

And mil and Intel including FBI all have very active bug finding programs.

I think it is two hands doing two different things... but they tend to let misdirection happen as it happens more than active traps.

That way they just work with people's biases, and don't have to lie.

vas pupMarch 12, 2015 9:55 AM

@Mr Salt • March 11, 2015 8:21 PM, I guess Seleznev was using too much social media during his travel, making the task of monitoring him substantially easier + all travel related information is stored in electronic form and available for Five Eyes through the Echelon program (never heard it was stopped - maybe I just missed important information).

tyrMarch 12, 2015 5:14 PM


Brin over at IEET is now quoting Bruce.

I have no idea what he means by his
own remarks. A busy public figure can
not spend the same amount of time on
a subject that a cloistered academic
is expected to. Bruce seems to get
enough feedback to keep him from any
egregious errors... : ^ )

Clive RobinsonMarch 12, 2015 8:36 PM

OFF Topic :

The Killer USB story is starting to make the rounds,

http://thehackernews.com/2015/03/killer-usb-explode-computer.html

Although I'd take the idea of making a computer explode with just an electronic USB with a "pinch of salt the size of Lot's wife".

Technically it might be possible to make some badly designed computers overheat into thermal "runaway" or even "burn out" some components. But aside from putting a reverse voltage on electrolytic capacitors, most components would fuse, not explode. Whilst early batteries did burst into flames, few if any got even close to exploding, and modern batteries usually have fuses in etc.

I have heard that some "smart batteries" that have microcontroller chips for charging --like those in some Apple products-- may have been reprogrammed to "smoke the battery"; I've yet to see evidence as to the extent of the damage.

WaelMarch 13, 2015 1:18 AM

@Clive Robinson,

Second time you post that link in a week! I also took it with a pinch of salt big enough to turn Lake Superior into the Dead Sea. Smart phone batteries have been known to explode! Some nearly severely hurt users. Some users suffered minor burns, and some were severely injured

Now we can look forward to adding another feature to the specification list. Phones can be made to explode with a remote command if the user is targeted (has happened before)

Clive RobinsonMarch 13, 2015 7:14 AM

@ Wael,

The problem with Li-ion batteries is they have a short shelf life irrespective of whether they are used or not. The probability they will go into Thermal Runaway (TR) is multifaceted, but importantly one facet is that as the batteries age, the probability of a TR event increases. Another equally important facet is that what ages them rather rapidly is going outside of the held charge curves, which also change with age...

There are two ways to deal with this. The first is to come up with a "play it safe" charge profile that holds good over the entire battery life. The second is to come up with a whole range of profiles that change as the battery ages, which can go wrong because it's not "fail safe"...

The big problem with the first option is you get a much lower energy density on each charge and a shorter operating life. Thus you might get only 5 hours on one charge when the battery could when new give you 8 or more, and only a couple of years compared to nearly three. From a marketing and user experience perspective obviously the second option is way better, providing it does not go wrong.

Hence devices with non user serviceable batteries such as some notebooks, smart devices, emergency systems etc go that way because the battery stays inside the device and thus accounting for the ageing is relatively easy with an inbuilt RTC and charging circuit.

The same is not true of devices with user serviceable batteries, especially with second or grey market devices being fitted. There has to be a method of keeping the battery and charger in sync. The way many do this is by putting a tiny microcontroller in the battery pack to store the details with respect to that battery. Unfortunately it is neither foolproof nor reliable even when the device manufacturer controls battery production for their devices.

For instance some devices don't have a secondary RTC power supply, and those that do rarely make it "user serviceable", thus with infrequently used devices the RTC can stop and the battery age with the environmental issues and time not recorded. Thus the charge profile ends up being wrong for the state of the battery and thus overheating and TR may result...

But is a battery in TR an explosive? The simple answer is no, it's a heat generator that can go to quite extreme temperatures if the environmental cooling is not sufficient. So what explodes...

Technically nothing explodes; what happens is an over-pressure and containment rupture. In most devices the environmental containment rupture, whilst dramatic, does not actually cause an explosion. However in the more descriptive sense people will say it "blew up" or "exploded".

Especially as one result of constrained TR is a temperature rise sufficient to pass the ignition point of many plastics etc.

From what I can tell you've more chance of winning a big money lotto twice than of it happening in a consumer device that has been designed and operated correctly... But even with second and grey market products the odds of it happening still appear to be up in the million to one range or better. Though the odds do appear to drop significantly if you use both a no-name battery and a no-name external power converter to the charger circuit in the device...

However these odds are for random variables, not deliberate attempts at provoking TR at any given point in time. Thus the use of the microcontrollers does open up a potential security hole, that I believe has already been used as a proof of concept for hiding malware on some Apple batteries.

The simple thing is that these "communications links" between system parts are not designed with either security or real reliability in mind, thus theoretically they could be used to do physical damage to the devices and environments they are in.

As I keep banging on about these "links" in smart meters, medical implants, and Internet of Things, and others more recently with vehicles, engineers really need to up their game and get considerably more "security wise" or go other directions in their designs.

One hundred million to one odds of a random event happening count for nothing if a directing mind makes it a certainty. Very soon those responsible for taking on product liability as a business model are going to wake up to the fact that at some point in the not too distant future a court case is going to find that not having security on these links is culpable negligence, with near unlimited liability being the consequence and thus the end of their current business model. It may take a number of years but those links will have to be made securable, and the sooner the engineers get around to it the better it will be for everyone (apart from maybe the ambulance chasers).

Mr SaltMarch 13, 2015 11:17 AM

@R.B.Banner...

Re "Snowden documents now in a searchable digital archive"

Not sure how safe it is to browse those PDFs, but the impression I get from some of them is that the US and UK are so integrated that they are nearly like a single country.

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.