Friday Squid Blogging: Squid Stir-Fry

Spicy squid masala stir-fry. Easy and delicious.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on March 13, 2015 at 5:29 PM • 116 Comments

Comments

SoWhatDidYouExpect • March 13, 2015 6:07 PM

Mass Surveillance: Can We Blame It All On the Government?

http://yro.slashdot.org/story/15/03/13/2235234/mass-surveillance-can-we-blame-it-all-on-the-government

From the last line of the post:
-------------------------------
Ed Snowden has stated that mass surveillance is "about economic spying, social control, and diplomatic manipulation. They're about power." A sentiment which has been echoed by others. Who, then, stands to gain from mass surveillance?
-------------------------------
I believe Big Money hopes to gain more money, but will they? Big Power will certainly gain more power but what value is that in a soon-to-be value-less society?

konst • March 13, 2015 6:33 PM

Just one question to Bruce Schneier:

What in the world made you decide to use squid as the Friday posts for uncovered security news??

albert • March 13, 2015 8:24 PM

I finally got around to checking out the new CBS TV series, CSI:Cyber, episode 2. The good news is, I didn't have to go out of my way to watch it. The bad news is, I watched it anyway.

OK, it's bad (like the original CSIs), but not really bad (like Castle, The (current) Mentalist). The formula is standardized: a hard-nosed boss (female, can be male), a handsome, action-hero type (male, but 'Person Of Interest' has male and female action heroes!), a buttoned-down drone type, a techie from the 'hood, a goth-chick techie, a geek techie, you get the idea.

If you can suspend disbelief, for example, that techies are doing field work (chasing the bad guys), you're left with the tech. Not one, but two terrorist acts. The first, a runaway roller coaster that kills and maims people; the second, a runaway subway train, which is stopped by the action-hero. Both are controlled by PLCs. In the first case, the bad guy gains access to the roller-coaster control system, and plugs a custom module with Bluetooth(tm) access into its backplane. He is thus able to control the PLC remotely. I have two problems with this: 1. It's highly unlikely. 2. It's almost impossible. In order for this to work, the following steps need to be followed:
1. PLC backplanes are proprietary, so a LOT of reverse engineering needs to be done.
2. Many PLCs have modules that allow programming of the PLC CPU. A serial interface to the Bluetooth(tm) might work. You would need the password to access the programming interface, then you would need programming software. This is not trivial. Neither is interpreting the ladder logic in the PLC. Most don't store comments.
3. If you managed to get this far, you must overcome the hardwired safety systems. All control systems for machine controls (here in the States) have fail safe systems. Loss of power, or an emergency stop button, should cause all braking systems to engage. Safety systems must be powered to be deactivated. End-of-track brake systems should engage automatically, regardless of control signals. Designers never rely solely on PLCs for safety. A properly designed control system for this roller coaster would have prevented this incident, and this plot device.

I've worked with PLCs for many years. They are extremely reliable systems. They have to be; life and limb are the stakes, but you still need independent safety systems.

As for the subway, the hero saves the train by hanging on with one hand and pulling out the Bluetooth(tm) card with a coat hanger. Don't ask me how he knew what it looked like, or how he managed to open a sealed enclosure with one hand and no tools, underneath the car. And no one thought to kill the power? At least they didn't tell him to cut the red wire....but there will be other episodes...

Don't bother tweeting the screenwriters, it's entertainment.

...

Buck • March 13, 2015 9:14 PM

@albert

Disgusting! Where are all the heartfelt stories about those heroes trying to use their technology to make the world a better place, rather than simply reacting to the baddie of the day?

(Lol... been listening to The Who ;-)

Figureitout • March 13, 2015 10:59 PM

konst // NobodySpecial RE: bruce's squid obsession
--Haha, as NS stated, we'll have to kill you. So don't ask again. #1 rule of Squid Club, do not speak of Squid Club.

albert
--First off, c'mon man, did you really expect it to be not laughable? Just watch one of the CCC talks or some defcon video, way more worth your time.

Anyway, onto attacking embedded systems (PLC's in your case). I agree and see it a similar way (for EXTERNAL attackers w/ "zero knowledge" of the system). Bare minimum of some kind of VPN should be used for any web access (which, well, any web access isn't good for security). Feds won't be hacking hard w/ brand-spanking new techniques, they use mandated backdoors, threaten, bug, coerce and break-in w/o threat of law enforcement at night or day if need be. They're much easier to "smoke out" b/c they're so arrogant and not used to having to hide (one OPSEC fail and that may be all it takes...), you can't teach/learn some things; you have it or you don't. It's the random freak intent on hacking your product that also has impeccable OPSEC on initial approach is my concern (mostly b/c we'll get reports of issues then try to test and find nothing). I'd like to think it's rare, but there won't be much data on them. As an attacker, you have the obvious advantage if we're putting out fires elsewhere or trying to remain in business. If I can defend against that threat level, I'll sleep easier (even though same impossible threats remain).

From hardware changes to software changes (I was just struggling all day today wasting my f*ckin' time w/ a new version of an IDE that a salesperson said wouldn't screw up my old version, he was f*ckin' wrong and I knew he would be and I spent a day repairing the damage of modern IDE's auto-installing and uninstalling and screwing up your settings while exposing the PC to the internet, thankfully ending on a good note w/ a working flash) you can't flash (just one) chip w/o a specific version of IDE w/ some more specific changes. Homebrew programmers, while really interesting aren't really friendly (or sometimes useful if for just one chip when you can program entire classes of chips w/ commercial ones) and you have to get all the protocol/electrical details right or you fail. As an example of annoying details that will slow someone down, there's this "shocking USB-stick" in the tech news lately, well I got similar symptoms messing w/ another board (you could smell burning metal and it'd freeze your computer, never seen that before). I have no clue what's going on (besides being able to reproduce the problem on 2 PC's) unless I trace the entire goddamn circuit (oh thanks, hide some chips under the LCD screen, that's where those FTDI chips are I bet) and find either a short or is it a software issue..? The thing w/ diagnosing a problem is you can't be too "rough" either or you may make matters worse.

For me, it's the developing environment (likely Windows PC which all the software is being developed for still mostly (it's getting better I think, especially if MS keeps putting out sh*t like Win8)), and these new IDE's want internet access to work and blah...and I need to transfer files, that's not an option if you want something done. I think so much better on an offline IDE where my risks are infected IDE's or "fire-n-forget" malware. So malware getting in is a constant threat that's just basically unstoppable risk b/c making a modern PC from scratch is out of question (compatible w/ what?--Nothing.). RF too, it's basically impossible to "foolproof" due to "physics", FCC putting your protocols up on their site, and long-range probing (at least a mile or two) 24 hours a day, 365 days a year. It's not easy to jam or fake, but I just don't like it remaining the same for so long (stop points of user-added entropy are needed, so a flexible yet solid protocol would be nice, but unrealistic.)...Sophisticated/proprietary encryption/protocols require heavy memory and power that is out of the question (I don't even have a persistent clock source like most every other programmer w/ modern PC's or internet). It was fun and interesting working out a solution around that (but it's not *super* solid).

However, like a hard bug, catching a hard attacker is very, very satisfying...really no feeling like it. Got another major bug racking my brain that I can't wait to find and destroy.

tyr • March 14, 2015 12:22 AM

I'm sure Hammond would like everyone to shut up and go away. This debate isn't over yet.

In the interim the Swedes have finally decided to interview Assange. Since the statute of limitations is about to run out they decided maybe a little motion in the justice machinery is in order. If Hammond had done something about the disgraceful treatment of Julian maybe people would listen to him about surveillance.

You hear a lot of crap these days about "the rule of law" from governments but rarely see them act on such a thing. This is probably just coincidental to their vast rush to protect us from the truth.

Interfering in their right to do as they please unchecked by any vestige of humanity or dignity means the debate will remain open until they begin to curb their egregious behaviors or until they start paying for it out of their own pocket.

Wesley Parish • March 14, 2015 3:13 AM

Anybody notice something weird about the recent events in Ferguson? Someone completely out of the blue took potshots at the police during a peaceful protest march.

My first - and later - thought was, "How Israeli!"

Gush Shalom has noticed on more than one occasion the IDF and/or Border Police using stone-throwing agents provocateurs to disrupt peaceful protest. And I've recently read of various US police depts sending people over to Israel for "anti-terrorist" training.

Of course, the agents provocateurs in Ferguson missed the point completely. They're supposed to be carrying 105cm portable howitzers on their backs - if they can't carry them under their arms - in order to blend in with the crowd ... ideally they'd be carrying 105km portable howitzers, but technical difficulties ....

Ole Juul • March 14, 2015 3:47 AM

@albert: I just thought I should tell you that I keep a file of memorable and useful quotes on my browsing computer. Why should you care? Well, you came up with an absolutely brilliant quote that describes a lot of our society and hints at many of our social ills. I just love this:
"The good news is, I didn't have to go out of my way to watch it. The bad news is, I watched it anyway."

Ole Juul • March 14, 2015 4:04 AM

@SoWhatDidYouExpect:
"Mass Surveillance: Can We Blame It All On the Government?"

Yes.

"I believe Big Money hopes to gain more money, but will they? Big Power will certainly gain more power but what value is that in a soon-to-be value-less society?"

I think you're right that Big Money hopes to gain, and perhaps they will, but their efforts are like spam, we will learn to deal with it and avoid it as required. Their intent is only greed which is not the worst of sins. In the end (hopefully sooner than later) their efforts at surveillance may well lose them money.

However, at this particular point in time I think the problem is government because (as I see it) their intent is actually evil. We have reached a point where it is the people versus the government. This is a natural cycle in human history, so I'm not too bent out of shape about it, but it is a reality nevertheless. Governments should not have any power of their own. The power should rest with the people, who then vest it in the government. The other way around, as we're seeing now, is pure evil.


Clive Robinson • March 14, 2015 6:11 AM

OFF Topic :

This week one of my favorite authors Terry Pratchett died aged 66, having socialised with him in the past I can say he was as much fun in real life as his fiction is.

Another author who died long before his time and again a fun person socially is Douglas Adams. Back in 2000 he made some future predictions for BBC Radio 4.

Today Radio 4 had a program looking back at his predictions and makes for an interesting half hour. You should be able to download and listen to it later today via,

http://www.bbc.co.uk/programmes/b0557671

chadwick • March 14, 2015 6:33 AM

Autistici, an amazing online rights & pro-privacy group, are being DDoSed as we speak, probably by a government that does not appreciate their work. Please show the Autistici guys some love, ideally by donating to their project:

http://wi7qkxyrdpu5cmvr.onion/en/donate.html
https://www.autistici.org/en/donate.html

Autistici provide server space, VPN access and private e-mail accounts to those who need them most without charging a cent. They are running their services as volunteers on a shoestring budget.

Only the hidden service is currently accessible, due to the ongoing DDoS.

CallMeLateForSupper • March 14, 2015 7:01 AM

@albert

"Don't ask me how he knew what it looked like,[...]"

Obvious: it had a *bright* blue light. (groan) Blue, as in bluetooth, its comm. method. (groan again) Same as the rollercoaster hack.

I posit that blue is the new red for malware "Heartbeat", "Active", "Armed", etc. indicators. Detonators from 20th century urgently chirped or beeped just before doing their thing; look for 21st century detonators to announce criticality via embedded MP4 player with Surround Sound.

Dirk Praet • March 14, 2015 7:14 AM

Time to create new GPG-keys again ?

Extracting decryption keys from RSA and ElGamal implementations without altering or having control of a computer: http://www.techrepublic.com/article/computer-stored-encryption-keys-are-not-safe-from-side-channel-attacks/

@ Clive

I was saddened by Terry Pratchett's death too. Loved his work. One of my favorite quotes is still "Stupid men are often capable of things the clever would not dare to contemplate...". Not to mention his take on the EU-US divide: "That seems to point up a significant difference between Europeans and Americans. A European says: "I can't understand this, what's wrong with me?" An American says: "I can't understand this, what's wrong with him?"

sena kavote • March 14, 2015 9:28 AM

Hash of a computation

If a program has a complex computation just to answer yes or no, verifying that by making another computer do the same computation may not be so useful. If the program also gives a hash of all the data that moved inside it and functions / instructions used for that computation, then there is a way to hand-verify that the computations were same.

Every function / instruction would have a bit string that would be just added on the internal data stream that is being hashed.

How could this be implemented? One way could be an interpreter that can be run in a special interpretation mode that hashes its workings on-the-fly.

I have a hunch that this hashing of computations could be very useful for security and also safety in case of physical errors during computation. Any ideas how to use it?

sha256 could be the hash.

re: Program to check other program

Continuing from last week.

Why would I trust the checking program more than the web browser it is constantly checking for signs of being possessed by an attacker?

It is not facing the internet and it is much simpler. It does not parse data, it just compares data to known good data.

But I think the checking program has the downside of needing to run as root to get complete read access to memory of other process.

Some checking can be done just by using the kind of info that ksysguard, gnome system monitor, top or htop can provide about processes. Programs like that should have automatic termination criteria feature. Maybe there is a software for that already, in Linux repos?

Voting protocols are not especially needed with this. 3 checking programs voting about terminating a web browser process has very little security benefit compared to one checking program working alone.

re: Interpreting c and c++ ( with CLING )

A short look around made me think this is the most promising interpreter for running c++ software in production use:

https://root.cern.ch/drupal/content/cling

But for real-time cryptography, maybe not, because it just might introduce timing side-channels. Experts on cryptography implementation need to look into this before anyone runs full OpenSSL or LibreSSL with it.
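
One way to build the "interpretation mode that hashes its workings" from the first part of the comment above, as an added example that is not part of the comment or of any existing project: a four-register machine with an invented instruction set, where every executed instruction, its operands and the value it writes are fed into a running SHA-256, and the final register state is folded in at HALT. Re-running the same program on the same input yields the same digest; a corrupted register (the `fault` hook simulates a bit flip or tampering) changes the digest even when the final answer does not. The `verify` function is a checker in the style of the comment's second part: it parses nothing and only compares a digest to a known-good value. The opcodes, the `factorial_program`, the fault hook and the tag bytes are all assumptions of this example.

```python
"""Hash of a computation: a tiny register-machine interpreter whose tracing mode
folds every executed instruction, its operands and the value it writes into a
running SHA-256. Added example with an invented instruction set; nothing here
is from an existing project."""
import hashlib
import struct

# One-byte tag per opcode, mixed into the digest when the instruction executes.
TAGS = {"SET": b"\x01", "ADD": b"\x02", "SUB": b"\x03", "MUL": b"\x04",
        "JZ": b"\x05", "JMP": b"\x06", "HALT": b"\xff"}


def run(program, fault=None, trace=True):
    """Execute `program` on a machine with four integer registers.

    program: list of tuples, e.g. ("SET", 0, 5), ("MUL", 1, 0), ("JZ", 0, 7).
    fault:   optional (step, reg, value); after `step` executed instructions the
             register is silently overwritten, standing in for a bit flip or a
             tampered value. The corruption itself is not mixed into the hash,
             so it is only visible through the values it later causes.
    Returns (registers, hex digest); the digest is None when trace=False.
    """
    regs = [0, 0, 0, 0]
    pc = 0
    step = 0
    h = hashlib.sha256() if trace else None

    def mix(tag, *values):
        if h is not None:
            h.update(tag)
            for v in values:
                h.update(struct.pack(">q", v))  # fixed width: 1,23 and 12,3 cannot collide

    while True:
        op, *args = program[pc]
        mix(TAGS[op], pc, *args)            # which instruction, where, with what operands
        if op == "HALT":
            mix(b"final", *regs)            # final state, so an unused register is covered too
            return regs, (h.hexdigest() if h is not None else None)
        if op == "JMP":
            pc = args[0]
            continue
        if op == "JZ":
            if regs[args[0]] == 0:
                mix(b"taken")               # the control-flow decision is data that moved
                pc = args[1]
                continue
        else:
            dst, src = args[0], args[1]
            if op == "SET":
                regs[dst] = src             # src is an immediate here
            elif op == "ADD":
                regs[dst] = regs[dst] + regs[src]
            elif op == "SUB":
                regs[dst] = regs[dst] - regs[src]
            elif op == "MUL":
                regs[dst] = regs[dst] * regs[src]
            mix(b"write", dst, regs[dst])   # the value that moved through the machine
        step += 1
        if fault is not None and fault[0] == step:
            regs[fault[1]] = fault[2]       # simulated physical error / tampering
        pc += 1


def factorial_program(n):
    """r1 = n! via a counted loop; r2 holds the constant 1."""
    return [("SET", 0, n),   # 0: r0 = n
            ("SET", 1, 1),   # 1: r1 = 1
            ("SET", 2, 1),   # 2: r2 = 1
            ("JZ", 0, 7),    # 3: if r0 == 0 goto 7
            ("MUL", 1, 0),   # 4: r1 *= r0
            ("SUB", 0, 2),   # 5: r0 -= 1
            ("JMP", 3),      # 6: loop
            ("HALT",)]       # 7


def verify(program, expected_digest, fault=None):
    """Checker that does not parse anything: re-execute and compare the trace
    digest with a known-good one."""
    _, digest = run(program, fault=fault)
    return digest == expected_digest


if __name__ == "__main__":
    prog = factorial_program(5)
    regs, good = run(prog)
    print("5! =", regs[1], "trace digest", good)
    print("same run again:", verify(prog, good))
    print("accumulator corrupted:", verify(prog, good, fault=(4, 1, 7)))
    print("unused register corrupted, answer unchanged:",
          verify(prog, good, fault=(2, 3, 9)))
```

The digest only attests to what the interpreter chose to mix in: inputs read from the environment, or library code run natively outside the interpreter, are not covered, and the checker is only as trustworthy as the machine it runs on. The fixed-width packing matters; hashing `str(value)` would let different operand sequences produce the same byte stream.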

Alan Kaminsky • March 14, 2015 9:37 AM

How ironic that former U.S. Secretary of State Hillary Clinton only did what regular readers of Bruce's blog recommend, namely set up her own email server, and now she's getting pilloried in the press for it.

(Also a nice headline: "Hillary Pilloried.")

Grauhut • March 14, 2015 9:44 AM

@ole juul Big Money: "Their intent is only greed which is not the worst of sins... However, at this particular point in time I think the problem is government because (as I see it) their intent is actually evil."

You cannot separate these, info is money, big-money.bribes.gov.

And greed in a world of "too big to fail"s is a deadly sin.

SQUEAKYFERRET • March 14, 2015 10:59 AM

On one hand,

"Obama Criticizes China's 'Backdoor' Counterterrorism Law"

"Obama criticized a new Chinese counterterrorism law that makes it necessary for all U.S. technology companies to provide the [Chinese] government with the keys to users' data if they want to sell their products in China."

On the other hand,

"NSA director wants gov't access to encrypted communications"

"The U.S. should be able to craft a policy that allows the NSA and law enforcement agencies to read encrypted data when they need to[read: whenever they feel like it], NSA director Michael Rogers said during an appearance at a cybersecurity policy event Monday."

If the glove fits....then what?

The US government demands exceptional unfettered access to encrypted data, while demanding Non-Empire countries ....forget about it.

It seems to me, militarization and anarcho-capitalism of the internet is ruining it for the vast majority of users.

Clive Robinson • March 14, 2015 11:08 AM

@ Dirk Praet,

Both Terry and Douglas were a loss not just personally but to the world of literature. Unfortunately most awards for literature are judged by those who take themselves way too seriously, and few of the books they award are read by people for enjoyment. Both the works of Terry and Douglas being gentle humour and comment on the human condition were read and enjoyed by millions world wide and put into many other media, and had a large "fan following" any SciFi television program would be envious of. I suspect their works will still be read and enjoyed for generations to come, whilst those with award plaudits will rarely be read in the authors' life times, and in some cases hated by those forced to read them as part of "required education"...

Back to security and the little side channel issue you mention.

I'm very unsurprised; I've banged on about this for some time. It's interesting to note some of the researchers' comments.

Basically the researchers mention that the emissions are at such a low level, prevention is impractical because:

    Any leakage remnants can often be amplified by suitable manipulation as we do in our chosen-ciphertext attack;
    and leakage is often an inevitable side effect of essential performance-enhancing mechanisms.

Their first point is a much more general case than the "Selected text" attack they have used. If you consider the likes of DPA and other signal side channels, the two things required are a known trigger point and an averaging process to remove other unrelated signals. The simple case that is easy to understand is "averaging out noise".

The second point I've banged on about for years with "Efficiency-v-Security"; we see this causing time based side channels over and over again. It also causes other domain side channels which have yet to see exploitation in the "academic or non governmental" sphere.

As for the Faraday shielding, yes it has limits and in most cases a single shielding layer is good only for 20-50dB of screening. The reason for this is a misunderstanding of what is going on. If you think of the shield as a "pressure vessel" any signal energy generated has to either be absorbed or bounce around until it finds a way to leak out. Effective EMC/I systems work by using both absorption and shielding layers sandwiched up like the laminates in bullet proof glass and clothing. Importantly seams have to be overlapped carefully. And support structures need to be thought out carefully as does the routing in and out of power and signals and grounding.

However as normal "you can take a horse to water, but..." designers and engineers as well as code cutters need to realise that "specmanship" means jack to anyone other than marketing droids. Secure design has, thanks to 5Eye misdeeds, started to get the attention in exec level corridors because their more switched on customers are voting with their feet...
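
To make the "known trigger point plus averaging" idea in the comment above concrete, an added example that is constructed here and is not from the paper or the comment: a toy device leaks the Hamming weight of S-box(plaintext XOR key) at one sample after a trigger, under Gaussian noise three times larger than the signal. Averaging many aligned traces makes the trigger sample stand out (plain "averaging out noise"), and correlating each key hypothesis' predicted leakage against the measurements over all traces (correlation power analysis, itself an average over traces) picks the right byte. The S-box is a fixed pseudorandom permutation rather than AES's, and the leakage model, noise level and trace length are assumptions of the example.

```python
"""Averaging aligned power traces to pull a key out of noise. Added example with
a constructed toy device; the S-box, leakage model and noise level are assumptions
of the example, not measurements from the research the comment discusses."""
import random

# Constructed nonlinear 8-bit S-box: a fixed pseudorandom permutation, not AES's.
_SBOX = list(range(256))
random.Random(0xC0FFEE).shuffle(_SBOX)

HW = [bin(x).count("1") for x in range(256)]   # Hamming weight of a byte


def simulate_traces(key, n_traces, trigger=5, n_samples=8, sigma=3.0, seed=1):
    """Return (plaintexts, traces). Each trace is one triggered capture: sample
    `trigger` carries HW(S[p ^ key]) plus Gaussian noise of std `sigma`; the other
    samples are pure noise, standing in for unrelated activity on the device."""
    rng = random.Random(seed)
    plaintexts, traces = [], []
    for _ in range(n_traces):
        p = rng.randrange(256)
        trace = [rng.gauss(0.0, sigma) for _ in range(n_samples)]
        trace[trigger] += HW[_SBOX[p ^ key]]
        plaintexts.append(p)
        traces.append(trace)
    return plaintexts, traces


def locate_trigger(traces):
    """Plain averaging: the mean of N aligned traces shrinks noise by sqrt(N), so
    the one sample with a nonzero mean (the leaking operation) stands out."""
    n_samples = len(traces[0])
    means = [sum(t[i] for t in traces) / len(traces) for i in range(n_samples)]
    return max(range(n_samples), key=lambda i: means[i])


def recover_key(plaintexts, traces):
    """Correlation power analysis. For every key guess, predict each trace's leak
    as HW(S[p ^ guess]) and correlate that vector with the measurements at every
    sample. The correlation is an average over traces, so samples and guesses
    unrelated to the real operation tend to zero. Returns (guess, sample, |r|)."""
    n = len(traces)
    columns = []
    for i in range(len(traces[0])):
        col = [t[i] for t in traces]
        mean = sum(col) / n
        centered = [v - mean for v in col]
        columns.append((centered, sum(c * c for c in centered) ** 0.5))
    best = (None, None, 0.0)
    for guess in range(256):
        pred = [HW[_SBOX[p ^ guess]] for p in plaintexts]
        mean = sum(pred) / n
        cp = [v - mean for v in pred]
        pnorm = sum(c * c for c in cp) ** 0.5
        if pnorm == 0:
            continue
        for i, (cc, cnorm) in enumerate(columns):
            if cnorm == 0:
                continue
            r = abs(sum(a * b for a, b in zip(cp, cc))) / (pnorm * cnorm)
            if r > best[2]:
                best = (guess, i, r)
    return best


if __name__ == "__main__":
    pts, trs = simulate_traces(0x5A, 1000)
    print("trigger sample by averaging:", locate_trigger(trs))
    print("recovered key 0x%02x at sample %d, |r| = %.2f" % recover_key(pts, trs))
```

A single trace at this noise level is useless (the leak spans 0 to 8 while the noise is routinely plus or minus 9), which is why the trigger matters: without aligned repetitions there is nothing to average. The chosen-ciphertext manipulation the researchers mention raises the per-trace signal; averaging deals with what is left. Against real hardware the usual practical failure is trigger jitter, which has to be corrected before any of this helps.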

HighCastle • March 14, 2015 12:05 PM

@Ole Juul "However, at this particular point in time I think the problem is government because (as I see it) their intent is actually evil."

Over the last year I've seen many reasons proposed for mass surveillance, but so far no one has explained it as an emergent cultural phenomenon with a philosophic cause.

There are a couple of books that provide material to support this idea.

Here's a quick introduction for those who may not have heard of them.

"The Ominous Parallels" by Leonard Peikoff (1982)

In brilliantly reasoned prose, Peikoff argues that the deepest roots of German Nazism lie not in existential crises, but in ideas — not in Germany's military defeat in World War I or the economic disasters of the Weimar Republic that followed, but in the philosophy that dominated pre-Nazi Germany. Although it was mediated by crises, Peikoff demonstrates that German Nazism was the inevitable climax of a centuries-long philosophic development, preaching three fundamental ideas: the worship of unreason, the demand for self-sacrifice and the elevation of society or the state above the individual.
"These ideas," Peikoff says, "are the essence of Nazism and they are exactly what our leading universities are now spreading throughout this country. This is the basic cause of all the other parallels."

"Hitler's Beneficiaries: Plunder, Racial War, and the Nazi Welfare State" by Götz Aly

A "provocative" account of great "intellectual significance," illuminating the economic workings of the Third Reich--and the reasons ordinary Germans supported the Nazi state (The New York Times Book Review)

In this groundbreaking book, historian Götz Aly addresses one of modern history's greatest conundrums: How did Hitler win the allegiance of ordinary Germans? The answer is as shocking as it is persuasive: by engaging in a campaign of theft on an almost unimaginable scale--and by channeling the proceeds into generous social programs--Hitler literally "bought" his people's consent.

Drawing on secret files and financial records, Aly shows that while Jews and citizens of occupied lands suffered crippling taxation, mass looting, enslavement, and destruction, most Germans enjoyed an improved standard of living. Buoyed by millions of packages soldiers sent from the front, Germans also benefited from the systematic plunder of Jewish possessions. Any qualms were swept away by waves of tax breaks and government handouts.

albert • March 14, 2015 12:32 PM

@Figureitout
In the old days, we used a simple password for PLC programming. The only way to program those things was to stand in front of it with your programmer/computer plugged in. An 'attack' was highly unlikely. Today, PLCs can be programmed across the world. We used PC Anywhere. Of course, both sides need to run the software, but it's just like being there. Now, it's even more simple. We need to move away from this, and start isolating control systems before it's too late. The IC is a reacting system; useless for prevention. Public utilities (electricity, phone, gas) need safety regulations for access of control systems; actual laws that will be enforced.

@Ole Juul
I'm glad you enjoyed it:)

@CallMeLateForSupper
:) I'm ready. They'll have to cut the BLUE wire. I'd play a recording of the "1812 Overture", just before it went off, or maybe "Nearer My God To Thee".

...

V • March 14, 2015 2:25 PM

@Alan Kaminsky
This is a Teachable Moment. When you come across someone complaining about Hillary's personal mail server explain that she was doing what everyone ought to be doing.

Jacob • March 14, 2015 2:38 PM

@figureitout. Ouch I could feel that heat of frustration. Everybody has been there. You must have pressed your finger prints into the keyboard. The last time I felt that frustrated was trying to prove a data converter was programmed wrong for me by a supplier. They insisted it was right I said no. I broke out a 95 machine and did raw bit by bit, showing them on skype. Overnight right one. Time was big factor. Hyper terminal. Lolol

@albert. Yup! I had a hard wire disconnect built in to some systems. Unless they wanted, no one was coming in. Well hopefully. ;) gotta love really old plcs with 10?amp throw relays. Lolol

Twitter is trying to push phone numbers to verify accounts. Obviously this could be a problem for activists using Tor. Hmm? Burn phones? Or if I was the paranoid kind. Make a phone with a raspberry pi, phone card. Home brew only for Twitter account. It might work but I am not that paranoid yet.... :)

SoWhatDidYouExpect • March 14, 2015 4:32 PM

How much of this stuff are the 3 letter spooks bankrolling?

http://www.cbsnews.com/news/report-cia-money-given-to-al-qaeda/

Some have claimed we are behind Arab spring, ISIS, Boko Haram, Charlie Hebdo, and all manner of insurrection around the world. In particular, we are fomenting war for the sake of military industrial profits.

The Russian leader should be glad that all the wars are keeping the heat off him.

albert • March 14, 2015 4:44 PM

@Jacob
"...gotta love really old plcs with 10?amp throw relays....". The first PLC I saw was Modicon. All I/O was 120V; so 256 points cost you a 3-door panel! Relay logic was hard to reprogram, but think about it, relay logic is a massively parallel, real time system; there is no scan time.

@V, @Alan, et.al.
Hil'ry threw a monkey wrench into the works. How are the Republicans going to spy on her if she doesn't play by the rules? Maybe someone should call Angela Merkel....
Watergate was so old school; now we have Hackergate.

@Alan, @All
This is more than creepy, it's going to be dangerous. Are there no limits to greed? Could we leave the kids out of the mess we're making? I can imagine all the pedophiles flocking to work at ToyTalk, or trying to hack their systems. Even non-pedophiles who just want to mess with impressionable young minds. The LE/IC is gonna love this, "Just put me in your Daddy's office before you go to bed, OK?". Is this what they mean when they say they'll use the data: "...for other research and development and data analysis purposes...."? And 90% of those dolls will be purchased by credit cards. Credit cards + IP addresses = .... y'all do the math.

This is not going to turn out well....
...

albert • March 14, 2015 4:58 PM

@Buck
"...making the world a better place..." That's so boring. Folks want 'in-your-face' entertainment (or sex, or preferably, both:) I wonder if young folks have any idea about what the world is really like, judging by the movies and TV they see (and video games they play - I'll bet they'd find flying military drones boring as well, even though they'd get to kill real people) . I should find some surveys...

...

Figureitout • March 14, 2015 5:37 PM

albert
--It's pretty much how sectors of flash memory are programmed. You need a programmer (and the programmer can be reprogrammed...yo dawg) w/ correct timing/voltages etc. and also power the chip you're programming. Some people do some great work reverse engineering flashing process and make some programmers but it's really flaky lol...I'll probably try making one w/ arduino nano for avr. Other hard things to reverse engineer are something like a set dip switch or array of jumpers; also wipe off the white print on the chip, that's the number one first clue I think of any hardware hacking.

Talked w/ my dad about locking down our products more, basically said it's a bunch of jerk-offs, hacking some of the things we do, he doesn't think hacking happens as much. More or less saying anyone can hack something if they want, he was too poor to be screwing around and not have a job so he doesn't get it since his "hacks" became patents. What'd be interesting is the dynamics in security companies (are they operating/paying for "the best" security at all times and also making enough money (by being vulnerable) to stay in business or do they more or less suck too?). What do they sell too lol? Consulting words or actual products out there waiting to be penetrated...Gov'ts can just raise taxes so they don't feel those pressures of remaining in business and you can see that too (one sign I remember from a gov office is something along the lines of "your reward for doing the best/hardest work is...more work", really motivating).

I really really don't agree w/ remote access of critical infrastructure (hardly even need wire snippers to break the "lock" to the box), it's people making decisions maybe b/c they're bored. We have the wrong people making these decisions. Otherwise make like an array of 8X8 dip switches or programming PW of sorts or just jumper the programming lines; worst they can see then is something like power consumption info which I'm sure is as exciting as it sounds.

jacob
--Yes I was very mad (but can't go off swearing in the office lol). I even specifically said "no" to update sections of old version and it did it anyway and only open my old files in new version, then screw them up and add KB's of crud to them. Probably say "no this chip sucks" to salesperson lol. I could present to him on it anyway (and just tell me what files are created where instead of using cludgy tool that will fail me or auto-go-nuts screwing up files like it did that too before).

This is why I bare minimum triple back-up everything I do, saved me here.

Like working w/ older IDE's (like Vim for small PoC's and tinkering as it's nice for that but not handling massive amounts of files, and I like using a mouse) that don't do all this auto-update cludgy bull, frickin' *ask* and follow it. Fill the whole damn screen up w/ buttons and side bars 'til I got a little window for code!...Keep going for "flashy" over function.

RE: supplier issues
--Sorry lol, hyperterminal is pretty good though (hasn't failed me *yet*, give it time...), and cool name lol. I started putting my name in code (there was this really good coder who "marked" everything w/ email and phone number lol), then someone joked that "that's the first person someone's gonna call for support" so took it out lol.

RE: phones numbers
--Sites are catching on to the free SMS, you can also hide behind VPN/Tor and use some sites/apps for outwards texting too. Stores have these SMS kits now too, and arduino GSM (but it's 2G).

Damaged Chip • March 14, 2015 6:42 PM

I read some comment by Clive that these days you can't buy a laptop that hasn't been backdoored someway or another. This thought has been pestering me for the last couple of years and I wondered if I am just paranoid and nobody else thinks so. I would like to hear other opinions on the subject and what you can do to mitigate the risks of an "officially backdoored" laptop. I guess the obvious answer is to rule out all vPro Intels, or even all Intels, but is that enough?

YELLOWMOONMarch 14, 2015 6:46 PM

Hushmail now REQUIRES a verifiable cell phone number to create an account. I'm not sure if EFF is aware of it because they still recommend Hushmail service.

The electronic island grows a bit smaller.

Scott "SFITCS" FergusonMarch 14, 2015 6:48 PM

Digital Identification - on your "smart" phone

A paradigm shift in identity documents? Yes, that's sarcasm (, satire, and irony(?))

Will this really save money? At what cost? (for extra points guess which company will implement it*1).

...NSW Minister for Finance and Services Dominic Perrottet said the government would task its Digital Council, chaired by the Customer Service Commissioner Mike Pratt, to develop a roadmap for taking all licences digital. They would work through security, privacy and regulatory issues, he said. (emphasis mine)

I'm surprised similar US schemes haven't been mentioned in this column.


*1 Spoiler:

*cough*Morpho Trust *cough*

st37March 14, 2015 7:07 PM

Psssst: Wanna Buy a Used Spy Website?

There was NewJunk4U.com and Monster-Ads.net, CoffeeHausBlog.com and SuddenPlot.com. But, these sad-sounding domains actually were artful creations of the National Security Agency: They were fronts for distributing and controlling government malware around the world.

http://www.wired.com/2015/03/nsa_domains/

JacobMarch 14, 2015 7:55 PM

@figureitout. Yup, been there. Secretary was used to mild bursts of anger. If it was gonna singe her ears I stepped into the warehouse where I could rant in solitude. I never outburst to or at customers. :) Over in minutes, deep breath over, hit it again.

Suppliers or customers. Take your pick. Kind of like trying to get an OEM disk from Geek Squad on a weekend. Long story. My go-to guy's office was closed on Sat. night. I just needed the disc. Had codes. He said no, they didn't have any!! I genuinely sincerely wanted to rip his presumptuous pencil mustache off. Sigh, deep breath. Wound up spending 300 for a 10 dollar disc. Submit for repayment. I really was angry. I hate Geek Squad and little Apple geniuses too.

@st37. I rather the coffeehaus one for obvious reasons. But would anyone be interested in an old cripple's mental meandering? Lol

JacobMarch 14, 2015 8:14 PM

@damagedchip. More can pile in on this one. But the short answer is depends who is after you and how valuable info is. If state player and they really really want to compromise your computer, network or device security------you are soooo screwed. Kiddy scripts or minor crime drive bys? Basic security and common sense. Most people simply aren't a high value target. Someone may pop up a little on alerts, then move back down. Better able criminals would require more security knowledge and better practices. Not buying right off the bat helps. Things like Lenovo did pop up when experts had time to analyse. I always wait being naturally cautious and researching anything I buy. Lol

Steps can be taken to lower their ability to vacuum information with a balance of usability and security. Most people leak so much information just living with no thought that trying to dodge the Post Office cameras is irrelevant. Recent story of covert cameras in PO parking lots.

If a state player reflashes your hard drive......or my thought outside the box is a back-doored CPU hard wired in by microcode. Not sure I answered well enough for you. But taking a step back helps perspective.

BuckMarch 14, 2015 11:05 PM

@albert

"...making the world a better place..." That's so boring. Folks want 'in-your-face' entertainment (or sex, or preferably, both:)
Are any of these ideas truly mutually exclusive..? Why should we believe that the act of saving the world must necessarily be devoid of human sexuality!? Furthermore, why is it that we must inherently discount the 'action' story..? Is it not quite plausible to think that there are plenty of 'evil-doers' determined to do whatever it takes to retain their status-quo?

FigureitoutMarch 15, 2015 12:21 AM

jacob
--Yeah, I don't like hearing other people get angry either, don't want to ruin their day too describing what I want to do to writers of these "auto-pilot" features...

Oh and you don't like geek squad eh? Don't like getting charged for what can be done easy for nearly free? What about their cute VW beetles though!? :p

Damaged Chip
--No, you're far from paranoid. To say I'm interested in secure hardware (to run secure software eventually, but you need one first) is an understatement. Obsessed is a better word. Problem in a nutshell: Money. And it's practically impossible as we know computers today, too many things you have to be expert on to verify and supply chain is way too scattered.

Too much for me, though I'll help efforts that have a chance. Solve those issues and we have a chance...Then build up compatible software so it's not a worthless hunk of metal.

Clive Robinson
--Have a link for you finally that you *may* not have worked out back in the '80s. As you say "you may find this of interest..."

http://www.france24.com/en/20150312-japan-space-scientists-make-wireless-energy-breakthrough/

k10March 15, 2015 12:45 AM

What is the humanware equivalent of selling zero day exploits, and would it have the same legal status?

Ole JuulMarch 15, 2015 2:07 AM

@BoppingAround: "International Privacy Index Map Has this map been updated any time recently?"

I see it says "Last updated: 5 years ago" further down where it lists the actual stats which are labelled "Privacy Score 2007". (Therefore: 15 - 7 = 5) lol

Anyway, I'm guessing it hasn't gotten any better. In fact I suggest they add a new category and change the red to blinking red. And there's more that is wrong. Canada should be red. When that map was made (back in the old days) everybody thought Canada was such a nice place, with a Privacy Commissioner and all, but that just goes to show that nobody really knows what's going on and bases their reports on trivial data points. I would also note that separating this out by country is not very meaningful when you include the web. Too bad that's what we're doing here. Remember that there are three W's and the first two aren't going to go away any time soon. I'm thinking of cookies and corporate databases and such. We're all swimming in the same tank.

BTW, if anybody likes that map (I do) then this Global Data Protection Handbook may also be of interest.


s u b l i m i n a lMarch 15, 2015 3:29 AM

@k10 And what would be the human perception analog to QUANTUM packet injection?

CuriousMarch 15, 2015 6:03 AM

Some guy from GCHQ said in an interview on TV (together with G. Greenwald) something like that the UK doesn't have "blanket surveillance".

The only reason someone would probably want to deny this in a western country is because there is no reference to any explicit intention to surveil everyone, everywhere, all the time, but this does not really imo excuse the UK and other governments from so-called "blanket surveillance", because if the basis of the investigations is data and metadata that by government directive is effectively recorded/stored/collected with corporations, then such imaginary "haystacks" (not real) might as well be considered the proverbial coverage of the metaphorical blanketed area.

The situation with current storage of data/metadata by corporations and the subsequent snooping on people, I find analogous to a situation in which someone has a time machine, and for no reason at all they can go anywhere (as per the time machine cliche), anytime, and perform an investigation. Just because the corporations have data/metadata stored doesn't mean it has to be like this, and especially not if personal 'privacy' needs for individuals and people in general are to be regarded and guaranteed.

I would think that today's practice of dredging up stored data/metadata is equivalent to what one would consider unwarranted searches. The 'investigative' part of the investigative work is something of an oxymoron in this way, where the source data/metadata isn't just "real" as a part of everyday reality, something in the environment, a case or phenomenon if you will; such data is foremost "fictional" before anything real, being data and all, and so one might consider such "cases" to be invalid cases, not being the proverbial sought-after needle in the imaginary haystack, but the incidental cut-and-paste case of criminal activity. Probably best to consider such data/metadata 'personal' in the first place, before some high court comes up with some fancy excuse for coming up with terms that decree that personal things in some situations aren't really personal, but something owned by others (like owned by corporations).

I understand that the police and the government tend to laud strong investigative powers in the media, for their sake of necessity, ofc, but once this 'because we must' is just "because we can", then the necessity doesn't really have any meaning to it.

Should then perhaps the police be allowed to simply be 'curious' and see if they can find someone to prosecute on a whim, because of any type of concern? Pretty sure it would look odd to most people if the police only looked for crimes in select neighbourhoods, ethnicities, age groups or fashions, because what would their motive be? To simply punish crimes? How about making underhand surveillance (off metadata) to make such efforts not noticeable, and perhaps not noticeable at all, ever?

Claims that the police must have the tools to fight crime cannot possibly mean that the police *must* have all tools to fight crime, partly because 'crime' would be a generalization, its meaning coming about as something utterly speculative outside a court room, and it seems reasonable that doing 'anything/everything' isn't what the police would want (not that desperate, ambitious), so the 'because we must' part is likely replaced with "because we (already) can", and so there would be a disjoint in any claim about necessity. A proper argument could be that surveillance is "so convenient" that the police must make use of it. If they are illegally doing those things, this is very bad, and has nothing to do with necessity, but convenience. The same way in (probably) having stopped the police being allowed to simply beat up people to conveniently make them docile or extract information, I think allowing police to conveniently make use of illicit surveillance material should be disallowed as well, for the matter of personal privacy and living in a civil society.

And here I think of the often silly discussions in media about how torture doesn't help. It is a nice effort, but I am sure torture isn't merely something that happens to gather facts, and so it would be beside the point to claim that torture doesn't work simply because one doesn't believe in being able to extract facts from someone being tortured, but I am sure they get a lot of metadata out of torture, so why hasn't anyone bothered to simply point this out already?!? They do get useful/convenient metadata out of torture, right?

Police and governments everywhere should be asked: Would you perhaps enjoy having blanket surveillance? Wouldn't that be nice for the police? Be honest!

If on the other hand they were to go investigate a specific clue, which then implicated a person, because of there being a connection stemming from an understanding of causality and not just correlation, then things would get real again as far as investigative means go; otherwise the whole basis of correlation isn't really "connections" or "clues", but speculative associations made to "find some dirt on someone" or to "find someone that can be prosecuted". Looking for 'something in particular' (case related) ought to be thought of as being wholly different from looking for 'anything in particular' (metadata related).

I would think that one would normally accept the notion of the police investigating and prosecuting the guilty of a murder, but to just see what happens if you dig into something seems to me to be more of a crusade and a witch hunt. Some like the military/IC probably do whatever they want (my thoughts anyway), so the real issue would be to consider civil society, and then one would/could come to realize that there is a danger, or a reality of sorts, in which civil society turns into some kind of quiet police state. Once a police state is thought to be run by civil society, then surely that would sound very wrong to most people, I think.

mozMarch 15, 2015 7:39 AM

@k10 - A1) identifying new marketing and political influence techniques A2) No. Selling zero day exploits might become regulated or otherwise restricted so that only the government is allowed to have them. Exploiting humans will always be a protected activity largely exempt from regulation.

JacobMarch 15, 2015 9:16 AM

@figureitout. Nope I have a preference for 60s and 70s cars. Cars I drove in my youth. Lol

Did you see covert cameras supposedly found at Post Offices?
Vacuuming of information by way of license plate and facial recognition is now reaching a saturation point of being noticed.

I have suspicions of hardware compromise of ISPs if anyone is looking for a Defcon presentation idea. Hidden partitions and need to tap chips ;) just a nagging thought.

Scott "SFITCS" FergusonMarch 15, 2015 9:24 AM

@s u b l i m i n a l

And what would be the human perception analog to QUANTUM packet injection?

Interesting question. Perhaps:-

  • Marketing. Desire shaping, distraction and distortion. We ran a few ideas past our researchers, work-shopped it, profiled our target audience and formed some study groups + that attractive [insert gender here] person you just "bumped" into with the really interesting insights, who made you feel special - works for us. Now you aren't certain about [insert thing here], plus you can't find the web page you read it on.
  • Public relations (perception shaping and distraction - e.g. FUD)
  • Mass media (Murdoch, Fox etc, and other forms of disinformation, distraction, and stupidifiers)
  • Social media (trolling, forum flooding, dumb noise)
  • engineered and non-engineered "shiny things"
  • "The Joneses" I'd expand on that but it won't fit in a Tweet, plus I don't have time (tl;dr)
  • various chemical and electronic means(?) - 350 channels of ADHD 24/7. Is this being filmed? What's my motivation? (give me a hint)
  • various forms of MIM variations

Nick PMarch 15, 2015 10:36 AM

@ Buck

"Why should we believe that the act of saving the world must necessarily be devoid of human sexuality!?"

Indeed. For example, a secure CPU might be funded as charity from the revenues of this product. Or the porn industry might collectively invent malware-proof computers just for DRM purposes. Or, most likely, the attractive male who *plays* the guy who saved the world in the movie would reap endless rewards of sexuality. The guy who saved the world would get some online comments, a few photos, and maybe a date.

BoppingAroundMarch 15, 2015 11:23 AM

Ole Juul,
I see that too but perhaps there's an updated map somewhere else. The map my link points to is from 2012, I think.
I agree that it probably hasn't improved.

albertMarch 15, 2015 1:22 PM

@Buck
"...Why should we believe that the act of saving the world must necessarily be devoid of human sexuality!?..."
.
Let me clarify my statement. I said: "...Folks want 'in-your-face' entertainment (or sex, or preferably, both:)...". I meant: "Folks want 'in-your-face' entertainment (preferably with sex included:) Probably didn't need to make that distinction, as most all 'in-your-face' entertainment includes sex anyway.
.
I don't discount 'action' stories. I discount unrealistic action stories, overloaded with CGI, fake sound FX, and physically impossible stunts. Hollywood continues to blur the line between fantasy and reality and it's getting ridiculous. It's a serious problem for younger and/or more impressionable viewers.
.
.
@Nick P
From the beginning, porn sites always had the fastest servers:) The Onion strikes again. Even the comments are funny (iSuck). BTW, have you seen Fleshlite?
....

FigureitoutMarch 15, 2015 1:31 PM

jacob
--I already operate under assumption of "covert cameras" in lots of places, so not really shocking for me. I spotted drones (the big reaper-style small plane ones) operating before it officially came out they were testing them in the US, *that* was a personal shock for me as I thought they were "war-zone" machines; nope they fly over suburban America. I'm sure it captures a bunch of interesting things lol...like people dropping off mail, (yawn!), maybe the occasional butt-scratch lol.

Also I'm sure you read the cameras in rental cars link too? Lol, pretty simple counter measure on such an obvious camera, black electrical tape. I guess that rules out "road head" in the rental car...damn!

So a dangerous way to fry the circuits is a HERF gun (I've had a slight idea: instead of trying to find bugs the traditional way in a building, just walk around w/ a HERF gun spraying the walls, should kill any bugs). Also check this out lol, an astronaut uses a red laser (can't be green, which sucks b/c I have a green laser) to turn off a street light: http://www.diyphotography.net/using-lasers-to-shut-down-street-lights-and-get-better-space-photos/

Picture giving you idea if you block youtube: http://www.diyphotography.net/wordpress/wp-content/uploads/2015/02/don-pettit-street-light.jpg

TimMarch 15, 2015 4:20 PM

A major outcome of intense mass surveillance is total submission to authority and conformity to whatever conduct standard the ruling class establishes.

I see that developing very quickly, everywhere. How many of you not only self-censor your words and behavior in public due to surveillance, but also in the privacy of your own home while, for example, sending a personal iMessage to a friend?

Are there certain words and phrases you totally avoid anymore just because they may be recorded and used against you? Are you careful to make sure you don't make any move in the store which might be misinterpreted in the CC TV replay?

True, most people would deny they are morphing towards becoming brain dead humanoid robots doing the bidding of master. But, that's all part of the plan: let them think they are still in control of their own words, deeds and destiny.

Mass surveillance and personal freedom are not compatible in the least. There is no half loaf. There is no trade off.

When you see a pretty decent country like Canada quickly flip to the dark side as it has in just the last couple years, for no particular reason, the depth of our loss becomes clear.

Surrendering to fear and convenience has a very high price.

wMarch 15, 2015 6:37 PM

FileZilla now bundles malware into their installer.
Mozilla recently published malware as an open source project on github.

WaelMarch 15, 2015 8:05 PM

@Nick P,

Indeed. For example, a secure CPU might be funded as charity from the revenues...

Never had the impression you were a believer in "the end justifies the means"! And you complained previously about the yoghurt? Lol!

JacobMarch 15, 2015 8:16 PM

@figureitout interesting. There is an advantage us old timers have. Many of us know how things work and why. A youngster sees a camera. It really is a CCD, sensitive to certain freq, x number of lines of resolution, etc. Kind of like an episode of NCIS. Yea, I know, but I like yelling at the TV about zooming in on an ATM camera shot to read a license plate. They are scrambling to stop a hacker live going through their firewall, insert tech mumbo jumbo. Gibbs reaches over and unplugs the computer.

Phone goes bad, chuck it. Hmm. Replace eMMC, reflash some chips. Good to go. It is not necessarily time versus money worth it. But knowing how is handy. Like replacing capacitors in tv. Which ties to.....

@tim @newstoneage.
Americans have self censored for years. I have tried not to say "bomb!" On the phone for about 10 years. I don't want any hassle or waste their time. Is that self censorship? Sure. But you have a point. People have a tendency to not want to stick their heads up over the top of the foxhole if it is going to get blown clean off. After Joe the plumber, why would anyone want to talk to pres or his reps? Then someone is hurt because people don't like them. Not picking political sides here, just first example that comes to mind. Flip side is a story is told on Fox, problem fixed. But many with no media help flounder. Not right, but just is. Although it does tick me off sometimes concerning disabled vets.

Americans also tend to get worked up. I have hope. TPTB, I hate that phrase, obviously have brittle power because they react so quickly to the crowd or uproar.

V is definitely a great social commentary. But one lesson is a small spark can topple corruption. Well, if it's followed by large explosions accompanied by the 1812 overture. Whoops, so much for my self censorship. ;)

Personally I am partial to Wagner as played by Tyr Anastazi reading in Andromeda series. :)

BuckMarch 15, 2015 8:40 PM

@albert

Let me clarify my statement
Just so we're clear, I'm not attempting to argue with you... I am only trying to 'flesh' out some ideas! ;-)
I should find some surveys...
Uh oh..! This one just came through on my end: American Millennials are among the world's least skilled (March 10, 2015)
"We really thought [U.S.] Millennials would do better than the general adult population, either compared to older coworkers in the U.S. or to the same age group in other countries," says Madeline Goodman, an ETS researcher who worked on the study. "But they didn't. In fact, their scores were abysmal."
Then again, so-called 'standardized' testing does generally leave a lot to be desired...

LeonMMarch 15, 2015 8:57 PM

@Tim:

"...I see that developing very quickly, everywhere. How many of you not only self-censor your words and behavior in public due to surveillance, but also in the privacy of your own home while, for example, sending a personal iMessage to a friend?..."

The first time I caught myself second-guessing the use of a specific word in a conversation because of potential government surveillance, I resolved that I would NOT self-censor. I will freely send e-mails that use words like 'bomb' and 'ISIS.' I will freely use words such as 'explosion' and 'airport' on message boards. I will freely use words such as 'NSA' and 'Columbine' on the phone. I will even intentionally add such words to my communications so as to generate noise.

Nick PMarch 16, 2015 12:51 AM

@ Wael

Usually in extreme circumstances only. Far as yoghurt, you must be referring to this video you likely sponsored. Not sure what else you might have meant.

nothing_elseMarch 16, 2015 7:56 AM

Glenn Greenwald has been awarded the "Siebenpfeiffer-Preis", endowed with 10.000 Euros. The German Federal Minister for Economic Affairs and Energy, Siegmar Gabriel, held the laudatory speech yesterday in Homburg / Saar.
The renowned Siebenpfeiffer-Preis was first awarded in 1989 in remembrance of Philipp Jakob Siebenpfeiffer (an early fighter for free press and freedom of speech in Germany) and decorates journalists taking care of democratic values.

http://www.zeit.de/news/2015-03/15/deutschland-us-enthuellungsjournalist-greenwald-erhaelt-siebenpfeiffer-preis-15174807

SoWhatDidYouExpectMarch 16, 2015 10:03 AM

Stingray

http://www.nytimes.com/2015/03/16/business/a-police-gadget-tracks-phones-shhh-its-secret.html?_r=0

Okay, many have known about stingray for years. While the claim to use it is supposedly covered by these non-disclosure agreements, this has proven to be without substance and base. In fact, publicizing these devices and their use by local law enforcement would have been a greater deterrent to crime than the mechanism itself. There is more to this than meets the eye.

In my opinion, the non-disclosure is more about subverting the authority of the local government officials. This is proven by the one case cited where the non-disclosure agreement that had to be signed couldn't be seen until after the device was demonstrated. This showed that the document carried more worth to the controlling parties than the device that the document covered. The biggest factor of the non-disclosure seemed to be to not disclose anything about (the content of) the non-disclosure!

This is a control factor, probably more important than the device. The non-disclosure is illegal. It makes Federal intrusion into local affairs, almost greater than that imposed by high level government agencies such as Health, Education & Welfare, the EPA, FCC, FTC & such.

Now, the question becomes, how many other such arrangements exist?

It is reminiscent of "state secrets". As long as nobody knows about it, you can get away with doing something illegal. The "secret" part is to protect the guilt of the participants. This is the task of the program, not the device.

SJMarch 16, 2015 11:11 AM

@WesleyParish,

RE: shots fired at Police in Ferguson

Police claim to have found the culprit.

http://www.usatoday.com/story/news/nation/2015/03/15/ferguson-police-shooting-arrest/24808987/

A man with an arrest record, and convictions for CC fraud and receiving stolen property.

They claim that (A) the perp confessed to shooting, but (B) perp also claims he wasn't aiming at Police.

A leader of the local protests claims to have had a conversation with the perp before everything went down, but that the perp wasn't a member of the protests.

This news doesn't lead me to believe that the gunshots were dirty tricks by the Police to allow them to demonize/hurt the protesters.

At a guess, I'd say that someone with a chip on his shoulder decided he wanted to hurt someone at the protest. Likely, he wanted to hurt some Policeman, even if he is now claiming otherwise.

albertMarch 16, 2015 11:54 AM

@Buck
"...Then again, so-called 'standardized' testing does generally leave a lot to be desired..."
.
This is true, but I imagine tests could be written based on what employers want.
Then you'd need to account for cultural differences. Sadly, the US should have placed much higher. I'm not the only one critical of our educational system. It's simply indicative of the general cultural malaise we're in right now. Our economic system is based on nothing but a fantasy, as is our educational system.
.
The era of US preeminence is coming to an end - W.J.Clinton said something similar. Economically, educationally, and soon, militarily...
.
https://www.youtube.com/watch?v=PGO42gvCSPI
.
...

vas pupMarch 16, 2015 12:05 PM

@all on pleasure (sex) and saving the world. Latest research on our closest relatives (chimps) discovered that there are two patterns of behavior: chimpanzee, based on aggression and fighting (Freud would say based on Thanatos), and bonobo, based on love and sex (Eros). In the latter case, when conflict popped up with an adjacent group, she-bonobos made love with the 'enemies' and pacified them (no 'rape' - they do it at will for peace and mutual prosperity). See, most US movies involve violence, but most French/Italian - love. Just an observation.

@all on frustration with government. I guess the future belongs to independent politicians as soon as most of the electorate starts listening to them and finally votes for something good, not the lesser evil. Please watch the latest video as proof of my point:
http://www.c-span.org/video/?324736-1/senator-bernie-sanders-ivt-remarks-national-press-club

Nick PMarch 16, 2015 12:14 PM

@ albert

Yeah, I've seen it. Clever design. It's probably what I'd buy if I was into such things. I'll stick with the real thing for now haha.

Another JustinMarch 16, 2015 12:26 PM

http://www.nytimes.com/2015/03/17/business/dealbook/book-review-of-data-and-goliath-by-bruce-schneier.html

In short, the reviewer disapproves.

"Part of Mr. Schneier’s argument against surveillance is that it will excessively deter a brand of law-breaking that spurs social innovation. For this proposition he cites no less an authority than Frank Zappa: “Without deviation from the norm, progress is not possible.”

Mr. Schneier is also fond of referencing the life and ideas of the Rev. Dr. Martin Luther King Jr., who understood the value of lawbreaking. But King drew on a proud tradition of civil disobedience that reaches all the way back to Socrates, who he cited repeatedly in his “Letter From a Birmingham Jail.”

The fundamental premise of this line of thought is that a citizen who breaks an unjust law must serve as an example and accept the consequences. Socrates, it will be recalled, sternly refused the offer of his friends to escape from jail and avoid execution.

This is called having the courage of one’s convictions and is a fundamental responsibility of citizenship. Mr. Schneier, by contrast, seems to think that those with laudable convictions should simply be given a pass. He even proposes a law that would allow juries to judge when “conscience-driven” lawbreaking is justified."

Miaow.

Nick PMarch 16, 2015 12:57 PM

"Mr. Schneier, by contrast, seems to think that those with laudable convictions should simply be given a pass. He even proposes a law that would allow juries to judge when “conscience-driven” lawbreaking is justified."

That already exists. It's called jury nullification*. It also makes sense as forcing people to suffer for resisting corrupt law is ridiculous. That's not morally righteous: it's simply accepting a beat down for doing the right thing. If anything, the law should force the violators in government to suffer the consequences of their abuse. It's actually supposed to do that in theory but does the opposite in practice.

* Doesn't work for *military* leakers tried in their court system.

AnuraMarch 16, 2015 2:57 PM

@Another Justin

The only reason to break an unjust law is to make yourself a martyr, amiright?

tyrMarch 16, 2015 4:16 PM


You cannot free anyone who wishes to be a slave
you cannot enslave anyone who wishes to be free.

Unjust laws violate the social contract making
it null and void, the slippery slope on which
all rule of law teeters. A real citizen is
obligated to dis-obey unjust laws at every
opportunity. The last time we had the great
debate over this point in USA it cost an
enormous number of lives (American Civil War).

Obedience to unjust laws makes you liable for
a rope around your neck later (Nuremberg Trials).

Find Eben Moglen "Snowden and the future" for
a long winded and carefully argued coverage
of these points.

I find Bruce the kind of citizen we are proud
of, we need a lot more like him and a lot less
who are only following orders out of being
misguided by authority.

SoWhatDidYouExpectMarch 16, 2015 6:41 PM

ICE Tells Reporter Its Secretive Drone Program Isn't Newsworthy

http://yro.slashdot.org/story/15/03/16/2043219/ice-tells-reporter-its-secretive-drone-program-isnt-newsworthy

It is so un-newsworthy that they ignored the Streisand Effect and told people they don't want their stuff covered.

Why don't they want it covered? Well, probably because IT IS NEWSWORTHY! They can't handle the heat.

Actually it is same old same old. Making it secret (the ICE wish) just protects the guilty from being held accountable for their abuse of the program.

AnuraMarch 16, 2015 8:34 PM

@

It's pretty easy to verify:

nslookup -type=MX clintonemail.com

clintonemail.com mail exchanger = 10 clintonemail.com.inbound10.mxlogicmx.net.
clintonemail.com mail exchanger = 10 clintonemail.com.inbound10.mxlogic.net.

BuckMarch 16, 2015 8:51 PM

@tyr

While I definitely disagree with some of his statements, it is overall a very powerful piece! Here's a particularly good quotation:

The empire of the United States, the one that secured itself by listening to everything, was the empire of exported liberty. What we had to offer all around the world was freedom -- after colonization, after European theft, after the forms of twentieth-century horror we haven't even talked about yet -- we offered liberty; we offered freedom.
In the twentieth century we were prepared to sacrifice many of the world's great cities, and to accept the sacrifice of tens of millions of human lives, in order to secure our selves against forms of government we called "totalitarianism," in which the State grew so powerful and so invasive that it recognized no longer any border of private life, and brought itself into everything that its subjects did. Where the State listened to every telephone conversation, and kept a list of everybody every troublemaker knew.
So let us unfortunately tell the truth as it appeared to the people who worked in the system: When the morality of freedom was withdrawn, our State began fastening the procedures of totalitarianism on the substance of democratic society.
My 'serendipitous' musical connection to the reading seems to be:
Trouble in transit? Got through the roadblock! We blend in with the crowd... We got computers, we're tapping phone lines; I know that that ain't allowed!

BuckMarch 16, 2015 9:10 PM

@Anura

Pretty easy to verify DNS records!? Lolz!

However, if true, it does indeed add another interesting twist to the bizarre story of John McAfee...

AnuraMarch 17, 2015 2:25 AM

@Buck

I don't get it? Are you suggesting it's more complicated than that to verify the accuracy of the story?

Clive RobinsonMarch 17, 2015 3:19 AM

@ Anura,

The only reason to break an unjust law is to make yourself a martyr, amiright?

Er no.

There are plenty of unjust laws that intrude into non crime areas of life and make them a crime for various reasons.

For instance in the UK showing a little compassion can get you into trouble. The simplest being giving money or assistance to a street person is a crime. Similar crimes are found all the way up to assisted suicide.

Further you might remember hearing about a famous US legal case where what we now call "creationism" was contested.

Well as many currently know there are parts of the world where just about any non sanctioned religious statement is a crime.

What about women where laws effectively make them second-class citizens or worse "chattels" or slaves of the male members of their families.

Many unjust laws are for control not crime, their purpose is to establish an elite of some form over others. The laws are there for punitive action including show trials to serve as a warning to others not to step out of line.

Stepping out of line need not be because you wish to be a martyr or hero, or even criticize the lawyer but simply out of need for oneself or others...

CallMeLateForSupperMarch 17, 2015 9:29 AM

"... curiouser and curiouser" This can't be good.

(emphasis mine)
"An Internet scan carried out one week after FREAK came to light has turned up evidence suggesting the weakness may not be so difficult to exploit after all. Of the 22.7 million servers found to support TLS encryption, 2.2 million—or 9.7 percent of them—continued to offer the export-grade 512-bit keys. MORE TROUBLING STILL, the team of researchers from Royal Holloway University of London found large clusters of repeated moduli inside the keys' mathematical DNA. In the most extreme case, A SINGLE 512-BIT MODULUS APPEARED 28,394 TIMES in the survey,"

"HTTPS-crippling FREAK attacks become cheaper and easier to carry out"

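The quoted scan finding is that the problem is not only the 512-bit export keys but the clusters of identical moduli: whoever factors one such modulus holds the private key of every server that presents it. The following is an added example (not from the article or the commenter) showing the two checks a scanner would run over a list of (host, modulus) pairs: grouping repeated moduli and flagging export-grade sizes, plus a related check the article does not mention, a pairwise GCD that catches distinct moduli sharing a prime factor. The hosts and primes are constructed and deliberately tiny so the arithmetic is readable; the logic is unchanged for real 512- or 2048-bit moduli.

```python
"""Spot repeated and factor-sharing RSA moduli in a TLS scan (added example)."""
from collections import defaultdict
from itertools import combinations
from math import gcd

# Constructed sample scan: (host, RSA modulus n as an int). Hosts are made up
# and the primes are tiny so the numbers are easy to follow.
P, Q, R, S = 1000003, 1000033, 1000037, 1000039   # constructed small primes
BIG = 3 ** 646   # constructed 1024-bit odd number standing in for a full-strength modulus
SAMPLE_SCAN = [
    ("a.example", P * Q),
    ("b.example", P * Q),   # same key material as a.example
    ("c.example", P * Q),
    ("d.example", R * S),
    ("e.example", P * S),   # shares the prime P with a/b/c and S with d
    ("f.example", BIG),
]

EXPORT_GRADE_BITS = 512   # FREAK downgrades to RSA_EXPORT keys of at most 512 bits


def is_export_grade(n: int) -> bool:
    """True if the modulus is short enough to be an export-grade key."""
    return n.bit_length() <= EXPORT_GRADE_BITS


def repeated_moduli(scan):
    """Map each modulus seen more than once to the hosts that present it.

    Factoring one such modulus yields the private key for every host in the
    cluster, which is why a modulus repeated 28,394 times matters far more
    than one weak server."""
    hosts_by_n = defaultdict(list)
    for host, n in scan:
        hosts_by_n[n].append(host)
    return {n: hosts for n, hosts in hosts_by_n.items() if len(hosts) > 1}


def shared_factors(scan):
    """Find distinct moduli that share a prime, via pairwise GCD.

    Two moduli sharing a prime are both factored by the GCD alone, no
    factoring effort needed. Pairwise GCD is O(n^2); at internet scale a
    batch-GCD product tree does the same job, but the idea is identical."""
    unique = sorted(set(n for _, n in scan))
    found = []
    for n1, n2 in combinations(unique, 2):
        g = gcd(n1, n2)
        if g > 1:
            found.append((n1, n2, g))
    return found


def summarize(scan):
    """Return the counts a scan report would lead with."""
    clusters = repeated_moduli(scan)
    export_hosts = [h for h, n in scan if is_export_grade(n)]
    return {
        "hosts": len(scan),
        "export_grade_hosts": len(export_hosts),
        "repeated_clusters": len(clusters),
        "largest_cluster": max((len(v) for v in clusters.values()), default=0),
        "shared_factor_pairs": len(shared_factors(scan)),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_SCAN))
```

With the constructed data, every host except f.example is flagged as export grade (their moduli are only about 40 bits), a.example, b.example and c.example form one repeated cluster, and two pairs of distinct moduli share a prime. In a real scan the moduli would come from the parsed server certificates or the ServerKeyExchange message of a downgraded RSA_EXPORT handshake.

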
vas pupMarch 17, 2015 9:48 AM

@Clive Robinson • March 17, 2015 3:19 AM, I agree on unjust laws, but laws basically enforced basic morality dominating in society by government. As time passed, Bruce pointed to that in Chapter 6 of his last book (as best as my memory), moral/legal acceptance of particular things changed as well from unacceptable to more than acceptable (e.g. assisted suicide). Moreover, in US some states legalized pot, some states legalized gambling, some states legalized assisted suicide even prostitution is allowed in Nevada. Meaning you can't apply same size fits all with morality and laws which enforced by government or at least claiming freedom and regulate at the same time victimless behavior as you pointed in your post. Moreover, you can't force your moral paradigm on other people/countries by force (post-colonial wars). They do have a right to their own vision of morality, speed of its transformation to universal human values. Conclusion:
freedom not equal to uniformity - I guess.

SoWhatDidYouExpectMarch 17, 2015 10:26 AM

Judicial Committee Approves FBI Plan To Expand Hacking Powers

http://yro.slashdot.org/story/15/03/17/001225/judicial-committee-approves-fbi-plan-to-expand-hacking-powers

From the Slashdot post:
-----------------------
A judicial advisory panel Monday quietly approved a rule change that will broaden the FBI's hacking authority despite fears raised by Google that the amended language represents a "monumental" constitutional concern. The Judicial Conference Advisory Committee on Criminal Rules voted 11-1 to modify an arcane federal rule to allow judges more flexibility in how they approve search warrants for electronic data, according to a Justice Department spokesman. Known as Rule 41, the existing provision generally allows judges to approve search warrants only for material within the geographic bounds of their judicial district. But the rule change, as requested by the department, would allow judges to grant warrants for remote searches of computers located outside their district or when the location is unknown.
------------------------
I suppose that, behind the scenes, this is to take pressure off the NSA so they don't have to supply said requested information (gosh, that would mean cooperating with the other agencies, but they probably supply the information anyway but now the finger can be pointed at the FBI as being culpable for violating citizens' rights). Ditto for the CIA.

"...arcane federal rule" for who? (whom?)

SoWhatDidYouExpectMarch 17, 2015 10:45 AM

More on stingray...

How Police Fight To Keep Use of Stingrays Secret

http://yro.slashdot.org/story/15/03/16/2329254/how-police-fight-to-keep-use-of-stingrays-secret

I wonder about Harris Corporation. Were they created specifically as a non-government organization to spread the use of the device and enforce the "secrecy" component of its use, something that would be considered improper for a government agency to do? Maybe not the company but just the device.

Based on a wiki entry, they seem to have some long standing as a company, though the wiki entry implies it may be diluted by someone with close connections to the company or the device itself.

You can search for stingray in the wiki entry to get a historical picture of it and related devices. One still has to wonder what prompted them to get into that business (i.e., the "incentive").

stungMarch 17, 2015 12:32 PM

Search and seizure, better buy a lawyer, we know you're a member, saw you undercover...

With more debt comes more defaults and that creates demand for the public school to prison pipeline. Throw around the word terrorist and get more funding. Talk up the stocks and talk down the bridge jumpers. All the gadgets are security free for your own safety. We ran out of people with money before we ran out of oil. That works because we are out of money to fix the roads and bridges. More stuff is closing. America: It used to work.

Fred Z. DobbsMarch 17, 2015 4:29 PM

Windows 10 says “Hello” to logging in with your face and the end of passwords
Face, iris, and fingerprint authentication on device and online.

http://arstechnica.com/information-technology/2015/03/windows-10-says-hello-to-logging-in-with-your-face-and-the-end-of-passwords/

http://blogs.windows.com/business/2015/02/13/microsoft-announces-fido-support-coming-to-windows-10/

Windows 10 will let you log in to your PC, tablet, phone, or even website with nothing more than your finger or face by using a pair of new features called Windows Hello and codename "Passport."

Windows Hello is a new integrated biometric system for passwordless authentication on Windows devices. Windows 10 users will be able to log in using their faces, their fingerprints—already common on many laptops—or their eyeballs, using iris recognition. The system will support automatic sign-in simply by sitting in front of the PC, Kinect-style....

SoWhatDidYouExpectMarch 17, 2015 4:58 PM

Microsoft "Passport"...it's back!

I can remember a time when Microsoft passport contained the infamous "all your data are belong to us" clause. One would think that Microsoft would have finally abandoned the "passport" moniker. Yet, what Microsoft seems to truly desire continues with us today...they really want to influence, intimidate, and control their customers or anybody associated with use of a computer or computer related device (phones, recorders, set-top boxes, consoles, et al).

All of this is being done while they decry being "forced" to feed data to the 3 letter agencies. They want to be a business that sucks up content and data, FOR THEMSELVES (they are probably limited in usage of the data they are "forced" to pass along).

One should avoid Windows Hello and codename "Passport". I suspect it is not in the consumer's best interest. Microsoft wouldn't be pushing this unless it is in their best interest.

W h i t e R a b b i tMarch 17, 2015 7:40 PM

The downfall of humankind is in their nations. Just as individually they run by instinct, so too, do they run by instinct collectively, and that at the national level.

It is about power, sure. It is as an addiction. It is especially bad in the ruling sectors of nations. Those are power addicts who are always vying for more power they can get individually. But, it is important to understand that they also think and operate collectively. So, nationally, they are always also working together to strive for more power.

So, when they perceive a superior power to their own, they are led by their instincts to try and gain that superior power. Very predictable. This is especially true if they are incapable of perceiving that superior power's strength. In this way, they mistake their blindness for strength. A very bad situation to find themselves in.

"Investigative journalists" tend to have a sense for these things, operating as they do for their nation. They do not know the full details, but get word back, and "sense" Something Very Big Is Going On. After all, it is every journalist's desire to be on the Big Story. And the Biggest Story of All is not going to entirely elude their senses.

There is also the element of threat involved. So you have both 'fight' and 'flight' instincts involved. They do not know what it is. They are confident they can overpower it. Yet, they also understand if they do not, they will be completely overpowered. Though, they do not know how.

It is sad, but they amply deserve it. It is their own aggression which has blinded them into such an insane pursuit. Almost ironic, the symptoms are a 'near madness for information'. But they will not accept the truth, just what they want to hear. The more they drink, the more they thirst, and the more they are propelled onto their lamentable course of self-destruction.

I will not state which nations are the aggressors and which nations are not. The Something Else is simply operating as a proxy through the defensive nations. This is not a nation vs nation matter, as it may appear. Believe or not, you are not going to stop your thirst. And that is just a little more of the water.

Dirk PraetMarch 17, 2015 8:40 PM

@ Fred Z. Dobbs

Face, iris, and fingerprint authentication on device and online.

Authorities will love this. No more need for the 5$ wrench or other rubber-hose cryptanalysis. Just put the owner in front of his device, and off you go. It's gonna be very hard to pretend you have forgotten your face.

Whiskers in MenloMarch 18, 2015 12:46 AM

Squid are fine....

Bruce said something like: "To claim that Google protects your privacy better than anyone else is to profoundly misunderstand why Google stores your data for free in the first place."

This may have a slightly different context shade. For Google to have a serious security breach the cash cow that they are milking might jump the fence.

Google has information from individuals AND information about the business of almost anyone that Google Search finds and information about the business behind each adword etc.

So when Schmidt tells people that security is important he is not blowing smoke. In this regard the NSA and other TLAs need to take a lesson. The secrets of these agencies are important.

TLA secrets fall into two classes. A) their secrets and B) the data that they gather. For the NSA or CIA to breach data secrets for a Whitehouse political gain treads on both classes of secrets. The trouble is compounded when illegal actions are shielded by secrecy laws.

The challenge for congress, the courts and the executive branch is not the "big data" but the layers of secrecy about how it gets used and misused.

Clive RobinsonMarch 18, 2015 2:41 AM

@ Dirk Praet, Fred Z. Dobbs,

Face, iris, and fingerprint authentication on device and online.

Just think of the opportunities this opens up for FBI et al.

Think not of a "golden key" or "front door" but a "golden face" built into the system. Importantly a "golden face" does not have to be a real person or a real face, just some abstract product of the filters in the recognition software.

But there is a secondary and rather more sinister aspect...

The only time in my life I have had my fingerprint taken by a government LEO was on crossing the US border as one of the first through VISIT. Thus my right to self determination has been broken because one of my unchangeable bio-metrics has been taken out of my control.

Windows 10 will thus take your other bio-metrics out of your control, in a way that can no doubt be "harvested" by them and others...

But importantly we know that such systems have false positives and negatives, and that it is due in part to the lack of information actually recorded in the recognition systems. Thus an argument for storing more information than would be otherwise required is very easily made. What is the betting it will be enough to make a "good efit image" that can be recognised by humans like LEOs, or be compatible with CCTV systems etc, that can not just track people but can also record time and location indefinitely.

Thus the authorities will have not just phone records but bio-metric records in their "everyone's a proto-criminal" time machine.

It is such a bad idea on all levels that I can't help wondering just what marketing or tech head thought it was a good idea...

SoWhatDidYouExpectMarch 18, 2015 6:30 AM

@Clive:

Microsoft marketing tech didn't think Windows Hello was a good idea, the guvmint thinks it is a TERRIFIC idea and thus, Windows Hello is born, and Microsoft will deliver it.

If there was ever a way to kill Win10, this is it.

And, they even have the ArsTechnica writer, Peter (notso) Bright, applauding this feature:

http://arstechnica.com/information-technology/2015/03/windows-10-says-hello-to-logging-in-with-your-face-and-the-end-of-passwords/

From the last paragraph:

"While fingerprint readers are more common, they're still typically found on enterprise-oriented machines rather than consumer ones. And presently, not a single Windows Phone ships with a fingerprint reader, even though Windows 10 on phones will also support Hello and Passport. Wider availability of this hardware will be invaluable in improving password security, and it appears that Windows 10 will be providing the necessary software support to make this technology mainstream. We just hope that the OEMs do their part and build biometric devices into more systems."

Better get your Win8 machines now while you still can.

BoppingAroundMarch 18, 2015 10:24 AM

[re: MS passport gimmick] Dirk Praet,
Marketers might love this too. The article says the data 'never goes through the network'. Well it might do so one day. Just like the Wi-Fi passwords on Android. And then it would be stupid not to sell the database to anyone interested.
I read the stores do already roll out in-store facial recognition systems. What a nice addition would be to have that db.

Tin-foil level 10 post but I'm not sure about anything these days.

WhatDidYouExpectMarch 18, 2015 10:37 AM

Another view with regard to Windows Hello and Passport:

http://www.ibtimes.co.uk/windows-hello-microsoft-biometric-security-wants-replace-passwords-your-finger-face-1492509

From the last part of the post, in part:
----------------------------------------
Essentially by authenticating that the owner (or trusted user) is using the Windows 10 device, Passport will create an profile which will be used on a variety of websites and apps. It will mean that because there are no passwords, the only way for a hacker to breach the system is by stealing the device in question.

"Windows 10 will ask you to verify that you have possession of your device before it authenticates on your behalf, with a PIN or Windows Hello on devices with biometric sensors.
----------------------------------------
This makes your "authentication and/or authorization" tied to a specific device, apparently the computer, phone, or connected piece of equipment you are using.

This implies for each such capable device you have, there will be a separate "authentication and/or authorization" for the SAME network service you are connecting to (such as your email, your cloud service, your Amazon account or whatever). This likely implies separate accounts on each accessible service, one for each different device. Is Microsoft saying this is what users want, or is this what Microsoft (or their overlords) are requiring for users? Are we now being funneled down to single unique devices? One per person? That would be impractical if not stupid.

In my former day job, I could actually use any device in the organization to access my account and data, which was on a central server (thus, devices did not have to be carried with you when you visited different locations or went off-shore). No longer.

JonasMarch 18, 2015 12:04 PM

'Voodoo' Hackers: Stealing Secrets From Snowden's Favorite OS Is Easier Than You'd Think

http://www.forbes.com/sites/thomasbrewster/2015/03/18/hacking-tails-with-rootkits/

A snip of the article:


Kallenberg and Kovah have created a tool that automates the identification and exploitation of BIOS bugs, a number of which they will detail at CanSecWest. Using their own bespoke malware, they have repeatedly been able to gain access to System Management Mode (SMM), a part of the computer used by firmware that’s entirely separate from other processes, but can read everything going through a machine’s memory.

“Once the payload is delivered, we have an agent running in SMM,” said Kallenberg during a demo session with FORBES. “The thing about SMM is that it runs independent of the operating system, the operating system has no visibility into system management mode, it’s a protected region that can’t be read or written by the OS – Tails can’t read or write to it – but it has access to all of memory.”

BoppingAroundMarch 18, 2015 5:36 PM

*performs summon Moderator spell*
Looks like our friend MMIX has returned.

Clive RobinsonMarch 18, 2015 6:23 PM

@ Interesting,

I would not be surprised at all to find funding from both the US and Russia going to IS...

The US and Russia have been fighting "proxy wars" longer than you or I have been alive. Thus various factions get paid to fight other factions and there is little or no oversight by the super powers.

IS is not in any way a single group, it's an amalgamation of many groups or more correctly sects of groups.

Some years ago it was noticed that some opposing groups were actually a single group "milking both sides" for resources...

So it's very far from "unknown", in fact it is so common it's effectively "normal"...

It even plays the same in non war situations, Russia supplies designs of a nuclear power plant, chinese and other nations people build the design, and the US has in the past supplied the fuel.

Sancho_PMarch 18, 2015 7:14 PM

@ Clive Robinson re Win10 authentication

I’m afraid it’s not a question of a good versus bad idea.
It is “Yes, we can”. Better, let’s call it “Yes, they can”.

And this may be the advantage:
Yes, we can, too.
Due to bugs and bad software there will be people to circumvent / abuse that “security”.

The day will come when unsupported IT data is generally dismissed by court.

”Windows 10 will ask you to verify that you have possession of your device …”
Possession of what? My device? Their device?

SoWhatDidYouExpectMarch 18, 2015 7:25 PM

@Clive:

If they ask if you have possession of your device and that is a dialog with a Yes/No response, then this whole thing is a fail. Under the covers, Passport must confirm that the device and the face recognition belong together. If the question is posed as Yes/No, the crooks will always say yes and where is the security in that?

Zero Day SpecialistMarch 19, 2015 5:42 AM

@Humanware Zero Day

Okay, humanware zero day, what is the corollary: I find this an odd statement. Software has errors because the people who write it are full of errors. People are constantly full of erroneous beliefs and yet learn to operate as if those beliefs are true. It is a deep delusional state, really, and affects everyone, high and low.

Do their many delusions have "security" ramifications? Of course. In fact, many of their delusions they keep because they like to feel secure. They shun self-criticality and group criticality, even critical thought to feel secure. Yet, that security, of course, is as much an illusion as their deep set beliefs are delusions.

Does this cause problems for them? Obviously. It has extreme ramifications for their own personal happiness and their very life. Sooner or later their delusions hit against reality, and they find complete loss. They 'gained the world, but lost their soul'.

While they 'have the world', they believe they are 'someone', but they are not. When they discover that was a lie, they lose not only 'the world' but also their entire sense of being. If that is not a critical security vulnerability, I do not know what is.

vas pupMarch 19, 2015 11:05 AM

@Clive Robinson • March 18, 2015 6:23 PM:
"Some years ago it was noticed that some opposing groups were actually a single group "milking both sides" for resources..." and then turn their weapons towards the 'cow' they were milking.

HASH and eggsMarch 19, 2015 11:12 AM

@Sena Kavote
Subject: Computational Hash
Generally, you would have to standardize input for whitespace, delimiters, and the presentation of the operations. In linux, you could simply use a math app and shell script your parsing.

1)Error-check input; cleanse/fix/deny
1.5) Hash the input string and log to file
2)If you want to verify middle computations, within a custom program, every function would need input error-checking. Most programmers do that except for pre-compiled libraries, which means you would have to re-write even basic computational libraries. It would greatly slow down an application or script. I assume the point of this would be to check if the application has been intercepted or something like that, say, from some hacker's sandbox. Doing this only opens you up to having the log file altered. Malware would do this if that was your thought process. Otherwise, no. Why waste time hashing throughput, logging within a computation?
3) Hash the output and log.

If you standardize the input with error-checking, that is most of your battle. You can log everything, then hash the log. Tons of options. I don't see your mission there. If you have interception risk, you have more important security priorities to handle. Start with physical security and work your way inward.

Professional security-wise, the only option for violation is to try and hash verify memory pagefile access for in-memory hack? Helheimr. Easier in linux, I would like to not care about that. I bet there is some common-sensed wisdom missing.

Prevention and diagnostic slows down any process, which is why 50% of security is still on the tail-end of the problem. Don't cut your wrists over that philosophy. If gaping security holes on the OS were actually addressed, a good portion of the IT industry would lose its job and the government would go nuts trying to penetrate for digital evidence.

My 2 cents: I recently bought a Windows Phone. Because it sandboxes every app, and forces people to pay for the studio before making money on an app, it is hated by hackers and anti-Microsoft people. As a result, it is the least hacked phone thus far. I love linux also, but people are blatantly information planting when, in fact, it is a great phone. This phone, with its encrypted SD, proves that Microsoft can make a secure client OS. They just choose not to, opting for fluff and gui instead. ReFS is not consumer ready, but it lacks alternate data streams which needed to die eons ago. I still have to use netsh to disable Teredo. It is a culture of making business, the antithesis to being efficient and secure.
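
The procedure sketched above (normalize the input, hash it and log it, compute, hash the output and log it, then hash the log) is essentially a hash chain over the computation's inputs and outputs. The following is an added example, not code from the commenter or from any named tool: it canonicalizes an arithmetic expression for whitespace and delimiters, rejects anything outside the allowed character set, evaluates it with a small AST walker standing in for the "math app", and records input and output hashes in a log whose entries each commit to the previous one. The `verify` function recomputes the chain against a head hash that must be kept outside the log, which is exactly the objection raised above: if the attacker can rewrite the log file, they can rewrite the chain too, so the head has to live somewhere they cannot reach. The expression and the chain format are assumptions of this example.

```python
"""Hash-chained log of a computation's inputs and outputs (added example)."""
import ast
import hashlib
import json
import operator
import re

ALLOWED = re.compile(r"[0-9+\-*/().]+")   # assumption: plain arithmetic only


def canonicalize(expr: str) -> str:
    """Normalize whitespace so equivalent inputs hash equally; deny the rest.

    '2 +  3 *  4' and '2+3*4' must hash the same, or the log only records
    formatting noise. Anything outside ALLOWED is rejected (the cleanse/deny step)."""
    compact = re.sub(r"\s+", "", expr)
    if not ALLOWED.fullmatch(compact):
        raise ValueError(f"rejected input: {expr!r}")
    return compact


def sha256_hex(data: str) -> str:
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


class ChainedLog:
    """Append-only log whose entries each commit to the previous entry.

    Each entry stores the input hash, the output hash and the previous entry's
    hash. Altering or dropping any earlier entry changes every later hash, so
    the final head commits to the whole history."""

    def __init__(self):
        self.entries = []
        self.head = sha256_hex("genesis")

    def record(self, step: str, canonical_input: str, output) -> dict:
        entry = {
            "step": step,
            "input_hash": sha256_hex(canonical_input),
            "output_hash": sha256_hex(json.dumps(output, sort_keys=True)),
            "prev": self.head,
        }
        entry["hash"] = sha256_hex(json.dumps(entry, sort_keys=True))
        self.entries.append(entry)
        self.head = entry["hash"]
        return entry


def verify(entries, expected_head: str) -> bool:
    """Recompute the chain and compare it with a head stored outside the log.

    If the attacker controls the log file they can recompute the chain too, so
    the head must come from somewhere they cannot reach (a signed record, a
    second host, a printout)."""
    prev = sha256_hex("genesis")
    for e in entries:
        if e["prev"] != prev:
            return False
        body = {k: v for k, v in e.items() if k != "hash"}
        if sha256_hex(json.dumps(body, sort_keys=True)) != e["hash"]:
            return False
        prev = e["hash"]
    return prev == expected_head


_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
        ast.Div: operator.truediv, ast.USub: operator.neg}


def evaluate(canonical: str):
    """Tiny AST-based evaluator standing in for the 'math app' (no eval())."""
    def walk(node):
        if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](walk(node.operand))
        raise ValueError("unsupported expression")
    return walk(ast.parse(canonical, mode="eval").body)


def run_pipeline(expr: str):
    """Normalize, hash and log the input, compute, hash and log the output."""
    log = ChainedLog()
    canon = canonicalize(expr)
    log.record("input", canon, canon)
    result = evaluate(canon)
    log.record("output", canon, result)
    return result, log.entries, log.head


if __name__ == "__main__":
    result, entries, head = run_pipeline("2 +  3 *  4")
    print(result, head, verify(entries, head))
```

Because the input is canonicalized before hashing, "2 +  3 *  4" and "2+3*4" produce the same chain head, while changing a single recorded hash in the log makes `verify` fail against the stored head.
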

SoWhatDidYouExpectMarch 19, 2015 1:00 PM

Next up...the "Do Not Face list"

Google: Our New System For Recognizing Faces Is the Best

http://yro.slashdot.org/story/15/03/19/178252/google-our-new-system-for-recognizing-faces-is-the-best

From the post, in part:

"FaceNet achieved nearly 100-percent accuracy on a popular facial-recognition dataset called Labeled Faces in the Wild, which includes more than 13,000 pictures of faces from across the web. Trained on a massive 260-million-image dataset, FaceNet performed with better than 86 percent accuracy."

Really??? Since when is "86 percent accuracy" the same as "nearly 100-percent accuracy"? Not in my book. Not in anyone's book, except those pushing FUD. Yes, Google is using "marketing" tactics to influence, intimidate, and maybe even control their targets.

This tidbit, coupled with Windows Hello and Passport, and its timing, make me certain that this is pure marketing hype to keep their offerings (questionable as they are) in the eyes of the public. There is no love lost between Google and Microsoft.

Now, I am also just as certain there will be a "do not face list" where the overlords and their immediate subjucates WILL NOT HAVE their faces such as to avoid the embarrassment of being recognized by either Google, Microsoft, or any of the spooks.

Zero Day SpecialistMarch 19, 2015 4:46 PM

@Interesting @Clive Robinson

Hi, now this reading was a new one; it's rather interesting to read since, if there is any truth at all in it, the whole ISIS thing becomes even more complicated: http://en.delfi.lt/central-eastern-europe/putins-russia-do-traces-of-kgb-fsb-and-gru-lead-to-islamic-state.d?id=66856642

In the Middle East today, Russia is serving US interests effectively. They are doing this by siding with their economic partner, Iran. The US is incapable of siding with both Shia and Sunni in the efforts against ISIS largely because of deep Sunni and Israeli ties. However, the US needs Lebanon to be stable, and they need Assad to remain in power, or the entire region collapses.

Also, the US, while working with Sunnis needs Shia as a counterbalance for their very "allies".

You can expect a very major Middle East flare up this summer, so matters will change.

ISIS is very much not for the Russian regime's interests. And they are not blind to that. Nor is anyone else. That is not a "message", Russia does what Russia does. Aiding ISIS would be paramount to helping ensure Sunni domination in the region and only increase economic and military harm to Iran. Further, stronger flare up, which is highly likely, demands stronger Allied presence in the area, which is the last thing Russia would want.

The US has much blame for the rise of ISIS. However, that is clearly simply because of neglect and mismanagement in the region.

ISIS invariably will cause more severe problems in the region. This will invariably work out favorably to some actors, not favorably to others. And only at great cost.


@SoWhatDidYouExpect

Ed Snowden has stated that mass surveillance is "about economic spying, social control, and diplomatic manipulation. They're about power." A sentiment which has been echoed by others. Who, then, stands to gain from mass surveillance?.. I believe Big Money hopes to gain more money, but will they? Big Power will certainly gain more power but what value is that in a soon-to-be value-less society?

Big Money and Big Power work together but as enemies pretending to be friends.

They are natural enemies. Typically, one of the other would be slated to win, and go extinct. The winner is going to be big power, which translates into "intelligence". Law enforcement and military can be included in big power, but intelligence rules them. In no small part this is because intelligence can operate under cover at high levels of law enforcement and military for cover, funding, and control reasons.

Note I do not include politicians here in the mix, which would be laughable to include. People domestically and foreign will argue it is all about the politicians, but they believe they have control by the election process.

The aggressive domestic and intelligence programs which have been exposed have been very light on substantial evidence for economic intelligence and other forms of significantly worrisome intelligence programs.

The US appears to be overzealous in their desire to fight terrorism, so the economic and other foreign and domestic negative impact has been relatively minor. What the US tends to not mention is that foreign intelligence is a very major part of their concern in these actions.

This includes the "shocking" political espionage disclosures which seem transparent in attempts to merely get better information for diplomatic efforts.

People can put these points in their considerations, or not. Assuming this means there may not be sinister motivations involved because of these facts is also laughable. Even more laughable than believing power is in the hands of politicians or political parties. While this makes the problem significantly more difficult to understand, don't shortcut thinking just because the problem is more mysterious than it appears on the surface.

Unfortunately, many engaged in these issues, however, are unlikely to consider ideas outside of their own group's norms, or consider ideas which otherwise might not be publicly palatable.

On the US becoming "valueless", while that is an useful consideration to take, and outside the norm, so laudable, ultimately stopping there is also not going to predict the future. But, that is one consideration that can lead to other possibilities which can be useful. The phrase I would use in that direction is "the world being turned upside down". Or, a major reordering of all social structures.

I think anyone can consider just how badly that is needed, and notice how this often surfaces in popular consciousness. Such as through the obsession in "post-apocalypse" and "dystopian futures" in fiction. Also, cognizance, in general of the world being deeply sick in ways which people usually have difficulty putting their finger on.

@konst

What in the world made you decide to use squid as the Friday posts for uncovered security news??

I do not know. So this may be one of those cases where someone is interpreting a lyric or writing very differently than how the writer sees it.

However I would point out that there is core symbolism in the concept of a massive, horrible underwater beast called "The Leviathan".

http://en.wikipedia.org/wiki/Leviathan

9 Any hope of subduing him is false; the mere sight of him is overpowering. 10 No-one is fierce enough to rouse him. Who then is able to stand against me? ..31 He makes the depths churn like a boiling cauldron and stirs up the sea like a pot of ointment...33 Nothing on earth is his equal—a creature without fear.34 He looks down on all that are haughty; he is king over all that are proud.

While it is unlikely "leviathan" is anything directly related to squids, squids can be related to the "leviathan". Squids also produce ink as a defensive mechanism which causes them to effectively become invisible. Ink is potentially symbolic for a thread where people post freely, e.g., write.

"Underwater" is a powerful term, and indicating "deep underwater" is a related, but also very powerful symbol. It could be said to be related to people's concepts of "underground". People going deep underwater require sophisticated equipment and they find themselves in a world very, very different from "up above". In fact, if they rise from the deep too quickly they can threaten their very lives. And likewise, they only go down with extraordinary preparation and change.

In one related poem, people of power are presented as people who operate "on the water", and are depicted as sea traders. That same author also uses the term "ocean" effectively for nations and peoples of the nations.

Typically power changes are considered from "up above", "higher up". However, much of what is done and decreed higher up actually affects the "down below". And the "higher up" have to have some manner of presence and control "down below" to do this.

This symbolism also ties into the "leviathan" symbolism. The leviathan's greatness purpose is noted in the above poem's lines as pointing to the power of the higher up, for instance. Though "higher up" often means in everyday parlance across nations and languages such things as "supervisors", or other equally non-deeply-mysterious entities.


Wesley ParishMarch 20, 2015 4:51 AM

@SJ

Thanks, but I'm not convinced. The FBI's run up a big tally of ramming doofuses through "Pterorists-R-Us" school then arresting them to prove the FBI's value to the ever-present threat of Pterorism.

The shooting in Ferguson doesn't deviate much from that script.

The "renegade cop" used to be a staple of American TV and has even appeared in NZ film as the doofus Ray Foley who Bruno Lawrence's character Al Shaw shows up in "Smash Palace"; now you have para-military police presenting themselves as the genial Plod of the likes of BBC's "The Bill".

There's something not quite right about this picture. Do Not Adjust Your Sets.

RickMarch 20, 2015 10:15 AM

SoWhatDidYouExpect • March 19, 2015 1:00 PM
"Trained on a massive 260-million-image dataset, FaceNet performed with better than 86 percent accuracy."

Well, Google always hypes up their IT accomplishments. They have to, or maybe that's in their nature, since they are just an advertising company.

They don't really have any revenue since they do not actually produce much of anything for sale and very few (if any) companies pay them licensing fees for their inventions.

So their core business is their advertisements (that's 85+ per cent of their revenue). Which incidentally doubles as a surveillance tool and a user-profile-gathering excuse.

SoWhatDidYouExpectMarch 20, 2015 11:45 AM

First, the Microsoft announcement about Windows Hello & face recognition.

Then, close on the heels of Microsoft, comes the Google announcement about their "better" face recognition.

Now, the guvmint is taking off with this...

Leaked Document Reveals Upcoming Biometric Experiments At US Customs

http://news.slashdot.org/story/15/03/20/0115202/leaked-document-reveals-upcoming-biometric-experiments-at-us-customs

Eventually, we might expect this to arrive at all border locations and international entry/exit points, then all TSA points, moving to all federal buildings, state buildings, perhaps even local government buildings, and eventually used by all police organizations. Stadiums, theaters, rail travel, bus stations, taxi-cabs (that should put Uber out of business), and one might eventually expect state border crossings. I suspect that Real ID photos taken for drivers' licenses are providing the searchable match database for the comparisons. Quite the high profit margin there for the vendors of this equipment.

Brings new meaning to the phrase "build it and they will come".

1984 anyone?

Nick PMarch 20, 2015 3:22 PM

How FBI created a terrorist

https://firstlook.org/theintercept/2015/03/16/howthefbicreatedaterrorist/

As usual, the recordings and evidence that the FBI was more guilty than the defendant were either sealed or heavily redacted. The jury could only see FBI's version of events. They cite cases like this as justification for mass surveillance and police state power along with their expanded funding. That the FBI is willing to create terrorists for political reasons is worth remembering when considering claims that U.S. government might let terrorist attacks happen on purpose for power (eg 9/11, ISIS).

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.