Friday Squid Blogging: Squid Pen

Neat.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on March 20, 2015 at 4:29 PM • 181 Comments

Comments

AlanS • March 20, 2015 5:17 PM

Not to be outdone by Elf on the Shelf, Mattel has released what Stanford CIS refers to as SpyMaster Barbie. As they note: "She is an advance scout from the future we are rapidly approaching."

In WaPo:

Mattel and ToyTalk, the San Francisco-based start-up that created the technology used in the doll, say the privacy and security of the technology have been their top priority. "Mattel is committed to safety and security, and Hello Barbie conforms to applicable government standards," Mattel said in a statement.

That's not very assuring.

Fig • March 20, 2015 6:24 PM

What kind of notebook would be relatively secure these days? I guess the answer is none, but even a used or refurbished one would do. Any suggestions?

Yosemite Sam • March 20, 2015 6:53 PM

"Fig" raises a good point. I know of no "expert resource" evaluating common computing tools or phones for security. And we really need one.

My preference would be for an ex "NSA master hacker" who could demonstrably prove he turned on them. Even better if some disgruntled Darpa hacker could be seduced to join this cause. Because we also need "little knives" to be distributed widely.

Better, better, would provide the hive with "tools to fight back". Tools which would leave the NSA discredited, with many careers destroyed. Say stage an NSA fight with a legislator, who has the balls and inclination to collect scalps.

Defense just doesn't seem adequate for the abuse the public has suffered?

albert • March 20, 2015 7:07 PM

@Alan S
"...That's not very assuring...." Right.
.
"...Hello Barbie conforms to applicable government standards..." is one of the best examples of political weasel wording I've seen. You can bet your SA that Mattel's lawyers reviewed that one. Wiggle room? No, wide open spaces.
.
Has anyone asked Mattel for a clarification of "...applicable government standards..."?
.
...

AlanS • March 20, 2015 7:21 PM

@Albert

Fully compatible with forthcoming Cybersecurity Information Sharing Act.

Nick P • March 20, 2015 8:23 PM

@ Clive Robinson, Wael, name.withheld

I found some interesting tech while reviewing this list of EDA companies. NanGate's technology is the kind of thing that should've happened a long time ago. Most explanations of ASICs talk of Standard Cell libraries for easy development and Full Custom for best results at an outrageous price. NanGate's tech basically lets you do one while getting much of the benefit of the other. They also open sourced a 45nm cell library for academic research and independent testing. A potentially good partner for any company or project doing security-focused EDA tools.

re analog computing

RobertT used to talk about analog being a great opportunity for executing or preventing subversion. Reasons included it being invisible to digital circuit tools and the fact that few know anything about the subject. I've also previously considered implementing algorithms or CPUs in analog circuits just to make things that much harder for opponents. Here are a few things I found researching the subject today.

Analogue Computer Wikipedia Article

Interesting article on a form of computing that's almost non-existent today outside maybe control systems. Even those tend to use PLCs or microcontrollers. Many of these systems were very clever or original (e.g. the Norden bombsight) in their design compared to digital computers.

Comdyna GP-6 and GP-10 Analog Computers

One of the few still in production. The system uses a patch-panel to develop analog programs for signal processing. Quite unique.

Designing Analog Chips by Hans Camenzind

A top IC and analog designer teaches how it's done. Best part is he avoids forcing you to understand all kinds of math, focusing on building blocks instead. Nice, detailed history of semiconductors too. The link on his site returned a Perl file instead of the book. A little URL hackery and I found you all the PDF. Still got the magic. :)

Field Programmable Analog Arrays

An FPGA-like solution for easier analog development, education, and deployment. Even better in terms of performance and power. Awesome invention that hopefully, in combo with above book, leads to more talent in analog design.

SoWhatDidYouExpect • March 20, 2015 8:29 PM

Along with recent revelations with regard to infrared face recognition cameras, an old nail comes flying back to the coffin known as hardware specs from Microsoft to vendors:

OEMs Allowed To Lock Secure Boot In Windows 10 Computers

http://tech.slashdot.org/story/15/03/20/2039251/oems-allowed-to-lock-secure-boot-in-windows-10-computers

Of course, we all know that Microsoft's objective is to keep dual boot and Linux off these computers, but now they will blame the OEMs.

The computer was once fun and useful but has become just a death by a thousand cuts device. Goodbye Microsoft.

Wael • March 20, 2015 8:56 PM

@Nick P,

Designing Analog Chips by Hans Camenzind

Nice book, thanks! I downloaded it and will look at it later. Whatever happened to RobertT?

Nasty_Stanky_Ass • March 20, 2015 9:00 PM

Germany should file an international lawsuit against the US for unlawful coercion or something

Figureitout • March 20, 2015 10:09 PM

Fig
RE: "secure laptops"
--Notebooks won't really be secure, they'll have the latest impossible-to-inspect memory, UEFI backdoors, and no CD-ROMs, which, while the actual operation may not be secure, few to no one will rewrite an overwritten CD (USB sticks, I can't even do it anymore w/o considering reflashing firmware and bare minimum overwriting the filesystem (not good enough at all really)...don't do it if you don't want persistent memory on your stick).

So to your question, I've mentioned HP-Compaq laptops, they look like this: http://www.insidemylaptop.com/images/HP-Compaq-8510p/laptop-disassembly-instructions-01.jpg You can get like 5-7 of these for sub $1000. No camera, wifi and bluetooth cards are separate and easily removable. Keyboard easily removable. Lots of I/O, so it's useful. Either wipe the HDD using DBAN (is it perfect?--probably not. Is it clean--probably not. But try doing anything after nuking an HDD) and put on OpenBSD or get a new laptop HDD and do that. Then use something like Truecrypt to encrypt the HDD or some newer spinoffs that are actively supported (it's always more comforting knowing someone's looking at code, you think...). That is your personal secure laptop. This is basically the most secure we can do, some people will say "No! Wrong!", but won't describe it and probably be full of sh*t. A separate one, there shouldn't be any HDD attached, use TAILS for when you need anonymity and fairly secure internet (using not your network preferably, but that's your choice). Something I'm interested in is something like a Raspberry Pi that only wipes every kind of USB stick and potentially reflashes their firmware every time, this would be useful I/O between the computers, but it's still really risky. Basically secure I/O doesn't exist, so I don't know how to defend for that, that isn't handwaving bull. But you should have a completely separate "expendable" PC for sanitizing I/O. Believe me it's harder than it sounds...

Other option is an IBM X60 http://www.jklaptopcare.com/images/lapImages/Ibm_x60.jpg Same thing, remove wifi/bluetooth if it has it. Now this one has mature support for an Open BIOS. I bought an HP Compaq instead of one of these, so I haven't tried Coreboot yet. Ideally, you could get familiar w/ Coreboot and its build system, and flash a semi-custom BIOS. That would be very nice.

Those are 2 very functional laptops w/ all kinds of software support (but it's not like 6+ GB RAM, more like 1-3GB, which is really quite a bit still). I prefer Kali Linux since..it's just a personal preference and I've tried out a few distros; you could use one of those too for everyday use. Get a nice bag for them, and sleep w/ them and carry them everywhere (breaking in home while you sleep and getting the vaunted "physical access" is possible, but even that can be made nearly impossible w/o waking you up). There's tons of other kinds of computers (small boards and even development boards) that can be obscure and provide some protection there. But you need to provide a screen, keyboard, and mouse. Laptops have those drivers (yikes, this is a dangerous spot...) and peripherals right there.

It's a fun subject actually, endpoint security, at least to me. Advanced malware from I/O and from infecting images of developers' PCs of OpenBSD and TAILS are main vectors. Then of course the Intel/AMD chips and all the other chips, it gets murky (every "security expert" will have the same infection), but very interesting...

Figureitout • March 21, 2015 12:08 AM

Nick P
RE: Hans Camenzind pdf
--Meh, besides some important concepts that he *barely* touched on like slew rate, hysteresis, phase locked loop, opamps, and ADCs; not sure you could design an analog chip after reading it (no way lol, I just scrolled and did a quick read, but it was so small I could read most of it really quick and I'm not a fast reader). There's much better textbooks (old books! They're better I don't know why! Amateur radio handbook is excellent), but like I used to read my mom's physiology books, I would be nowhere near competent to do anything medically to you; you simply need classes. You need to be able to do basic circuit analysis for starters. Hard math is basically ridiculous integrals and annoying algebra. Other than that, it's mostly the same operations repeated millions and trillions of times...

It just takes time anyway (I "lol-ed" when you said you spent a year learning hardware, as if you're an expert after that), as w/ any hard subject. Many concepts just shoved down your throat that I don't initially believe, one way to test a short circuit is to connect a piece of metal to positive and negative terminals of a battery while it's connected to a circuit. Then touch the battery w/ your fingers lol (want to get burned, do ya?!).

Even still, if you're a good analog designer you probably won't know jack about code or computer OPSEC; hence many will probably use Windows and have terrible OPSEC and leave their innovative designs to be stolen. Tradeoffs.

65535 • March 21, 2015 12:47 AM

@ Christian

“Tsk, they considered to harbor Snowden. Make them an offer they can't refuse.”

It would appear that the USA is throwing its weight around to get its way.

Once you join the “US Spy Agency Gentleman’s Club” you join for life or - get threatened with sneak terror attacks.

Joining the “US Spy Agency Gentleman’s club” is like checking into the “Roach Motel” where you check-in but never check-out [unless it is feet first – in the meat wagon].

‘I am wondering if such a threat could/should be also interpreted in a Mafia way, as in: "If you don't do this, our CIA will create some terror attacks".’ –Christian

You know, those Hellfire missiles can accidentally hit the wrong target at any time… it has happened before.

Nick P • March 21, 2015 1:24 AM

@ Figureitout

"Meh, besides some important concepts that he *barely* touched on like slew rate, hysteresis, phase locked loop, opamps, and ADCs; not sure you could design an analog chip after reading it (no way lol, I just scrolled and did a quick read, but it was so small I could read most of it really quick and I'm not a fast reader). "

Good to know you're ahead of top talent in analog design. I'm sure there are students awaiting your writeup of everything he left off.

"(I "lol-ed" when you said you spent a year learning hardware, as if you're an expert after that),"

A year learning how hardware works at an abstract level that lets me understand various constructions a bit. That was my claim. Helped me notice when some designs will be way too inefficient and others have potential. That my evaluation results and experienced engineers' results are similar more often than not shows what I learned was worthwhile. That said, I'm *FAR* from a hardware designer or even qualified to understand them concretely. I rely on others with more specialist skill for metrics on how each hardware strategy performs.

Nick P • March 21, 2015 1:29 AM

@ Wael

re RobertT

I thought he got bored trying to educate us about our impossible goals in secure chips. However, Clive said he disappeared after a change in employment. I recall his prior employer asking him to stop talking about certain things he posted. It's possible his new one had a "Don't Say Shit" agreement of some sort with quite the compensation package. Anyway, he taught us quite a bit while he was here and we shouldn't forget those lessons.

Gerard van Vooren • March 21, 2015 3:03 AM

@ Christian and 65535

The article has a beyond average 'read through the lines' factor. But it is about dirty politics...

A summation of the questions and remarks I have from reading the article:

* German Vice Chancellor Sigmar Gabriel tells the audience of his speech a different story than he told Glenn Greenwald. Can't the public 'handle the truth'? Or is it something else? Either way, he lied on one occasion.

* If USG threatened Germany, is Germany the only ally they threatened? Remembering the stumbling moves from Dutch secretary of 'security and justice' Ivo Opstelten would suggest USG threatened all their allies.

* If USG threatened their allies, wouldn't it end up in WikiLeaks?

* I don't buy the quote "Gabriel claimed that Germany would be legally obligated to extradite Snowden to the U.S. if he were on German soil.". If the US can kidnap a Russian hacker from Mali the opposite also has to be possible.

steve37 • March 21, 2015 3:14 AM

-> Snowden asylum in Germany:

Bolivian president's jet rerouted amid suspicions Edward Snowden on board

.. a plane carrying the country's president home from Russia was diverted to Vienna amid suspicions that it was carrying the surveillance whistleblower, Edward Snowden.
France and Portugal were accused of withdrawing permission for the plane, carrying the president, Evo Morales, from energy talks in Moscow, to pass through their airspace.

http://www.theguardian.com/world/2013/jul/03/edward-snowden-bolivia-plane-vienna

Keith • March 21, 2015 3:50 AM

Google suggests you don't need an antivirus tool on your phone, because they are helping and you shouldn't go to bad sites!

My wife's phone updated versions and she was having issues with text notifications not working, so Android Central's suggestion is to get rid of Avast antivirus, because of its notification (does not fix the problem - but who thought it would).

"Welcome to Android Central! Thanks for posting that helpful screenshot. It may be that the system doesn't think there's enough room to include the text message preview card. See what happens if you uninstall Avast, to get rid of that persistent notification. (You probably don't even need Avast, since Google can scan your apps for malware using the Verify Apps option, and the chance of getting malware is very low as long as you avoid shady sites and tapping indiscriminately on links in popup ads.) "

Avoiding shady sites does not cover poisoned sites, etc. This makes me worried about the quality of the user security.

This is like saying you don't need belt and braces because we've given you an elasticated waist. Be careful where you wear them though.

Dirk Praet • March 21, 2015 6:58 AM

@ Nick P, @ Wael

re RobertT

It's possible his new one had a "Don't Say Shit" agreement of some sort with quite the compensation package.

Plausible, and even without a compensation package. Back in the days when I signed at Symantec, my employment contract had almost an entire page on signing over to them any personal previous work and other intellectual property developed in the past, as well as new work, concepts and ideas during my employment for them, both in the course of my work and in my free time outside the company. I also know of other organisations - especially high security environments - that do not encourage blogging or extended social media activities and explicitly ask of their employees to keep a low public profile.

Then again, such limitations can be mitigated using Tor and posting under an anonymous persona that can't easily be tracked back to you, unless you know (or suspect) that some state actor is constantly monitoring you. My guess is that he no longer had the time or simply got bored. Whatever the reason, his input is sorely missed.

Clive Robinson • March 21, 2015 7:36 AM

@ Alan S,

I popped a link to the Barbie doll on a squid page last month.

I thought Bruce might pick up on it, you and a couple of others appear to think likewise.

The trouble I found originally was "hard info -v- moral outrage" articles... Mattel have actually said very little in public on it and as far as I'm aware the only legal impediment to that toy is the same as it is for all toys with batteries and electronics...

Which means in Europe under LVD if its primary source is under 3 volts and it cannot internally generate voltages above about 10 volts it gets a pass, for that part of the CE testing.

Then as it has emissive electronics it has to meet EMC and RTTE and its relevant sub specs, and potentially has to have a map of Europe on its butt, that pretty much covers the electronics (though WEEE might have implications).

Obviously it has to meet other requirements for toxicity and small parts and finger trapping holes etc, but that's it...

No "thou shalt not spy, or brain wash children" regulations to meet and I cannot see EU or other nations upgrading legislation to cover it any time soon.

Perhaps a concerted "Doc bombing" on the various national Information / Privacy Commissioners might get some action. And the people to talk to are probably Privacy International.

Pi^2 • March 21, 2015 7:41 AM

About those older models, how much can you do on them? I mean is it possible to run a VM with XP or run Cinnamon at a decent speed? I also see lots of older Thinkpads like T400, are these pre-vPro?

Clive Robinson • March 21, 2015 8:02 AM

@ Fig, Yosemite Sam,

Older hardware prior to 2010 and preferably back prior to WinXP SP2 with a complete reinstallation from OEM CDs run in air-gap mode might, and I really do mean might, be OK, but I would not make a bet on it.

Nick P and I have briefly discussed the issue before and he may well make further comment.

The problem we face for more current hardware is we cannot test the hardware for backdoors at the logic level or below, testing above this level is effectively not possible until you get to above the Closed Source OS layer. Device drivers and the hardware used are opaque at all levels so cannot be reliably tested (see previous comments I've made about sound chips at what became generically called BADBIOS).

But there is also the issue of "Unknown unknowns": we can only reliably test for what we know in depth, we can so-so test for unknowns in a class of knowns. But not a chance for unknown specifics in unknown classes of attack.

Bottom line is you have to work out how to mitigate at a level where it is practical to do so. Which effectively means stand alone systems in a strongly controlled environment. But this can still be breached by "human agents" either by design or human failing. See previous conversations on MICE, EmSec and the joys of "black bag jobs" and "wet work".

Nick P • March 21, 2015 9:24 AM

@ Dirk Praet

Yeah, he could post but doesn't. That he got bored was my original guess, too. The reason was that he stopped posting sometime after everyone was trying to figure out how to prevent chip backdoors. He had plenty of laughs at people's misunderstanding of the chip industry and the magnitude of the problem they were trying to solve. He stopped posting shortly after that.

Clive said he saw a comment about him changing jobs just before he stopped posting. So, that's why I brought that up. I do miss the guy being around here. He was elite in the field in that he was one of the few people who knew about (and used at work) the esoteric issues Clive often brings up. He's the first guy I'm going to poach if I get a hardware project funded haha.

k10 • March 21, 2015 1:24 PM

What permissions is Twitter's own Android app supposed to have?
I checked mine and the list is appalling.

sena kavote • March 21, 2015 2:01 PM

Different way to audit (source) code

This works better if sources are available, but something can be done with just executable binaries.

The sources can be in a language that is designed to be interpreted or in a language like C or C++ that is designed to be compiled but anyway has some interpreters (Cling for example).

Run the software in an interpretation mode that keeps count of how often every part of the source code is used. Do normal and abnormal things with the software, use every bell and whistle, every format, make all errors. If after that there are still some parts that were never used, that have counters on zero, focus auditing on those parts because the non-use may be a sign of either a backdoor or a programming error that defined conditions that are illogical and can never be met.

This can be used in general auditing by Linux and FreeBSD distro maintainers or in customized auditing by end users. End users may want to run some of their software in this way for one week (if the performance is not too much lower compared to compiled software) and then check if their normal use left some parts unused. If so, they may want to disable the parts that they did not need, and possibly automatically without having to understand anything about the language.

For example, if server admins had run OpenSSL this way, many of them would have noticed that the heartbeat feature was never used with their servers, and then their OpenSSL source code could have been automatically scrubbed of that and then recompiled to a form without the Heartbleed vulnerability.

If the software to be audited is closed source and only executable binaries are available, some kind of C source can still be derived by using a decompiler. The low quality of decompiler output does not matter if the unused parts are removed automatically and then the new source code compiled. Distributing that new binary publicly may not be legal, but at least it can be used at home and in an organization.

Data containers and data types better protected from the rowhammer vulnerability and unintentional random physical errors

How to make at least user mode software, if not kernels, less vulnerable to bit changes that happen without writing on that bit's address.

We are mostly stuck with software methods. Those have worse performance and safety than hardware methods like ECC. Because of performance impact, it is good to have software methods that can be applied selectively to only some parts of software and methods that let programmers have some choice about which is better: to "waste" memory or "waste" processing, depending on situation and hardware.

One option is to have special safer versions of common data containers and data types for data that has higher priority for being safe. For example, a 32-bit integer could be stored 3 times, or with error correction bits in an 8-bit char, or stored in a RAM chip with higher quality or less age than most RAM in that computer, or there could be some hardware logic support for software selectable safety levels.

Data types named something like safe_int and safe_float. The specific implementation of the safety features could be chosen by selecting one header file from a set of header files that all have functions and classes with the same names. One version could have all safe integers implemented by triple redundancy purely in software, and when there is hardware support for optionally extra safe integers (or mixed safety data types), the source code could be altered to use that just by changing one line that loads a header file.

Every mathematical function would have to have an altered version within the header file so that safety checks would be done before any calculation if using the safe types. Optionally, special safety check functions and error handling could be used.

Extra safe versions of C++ containers like vector or list could have, for example, error correction bits for every 16 cells or they could store everything 3 times.
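The triple-redundancy safe_int idea above, as an added example that is not code from the original post or any project: a hypothetical C++ tmr_safe<T> that keeps three copies of a value, majority-votes and repairs on every read, and refuses to return a value when all three copies disagree. The class and function names (tmr_safe, corrupt_copy_for_test, the demo_ functions) are assumptions, and the bit flips are injected by the test hook only to stand in for a hardware disturbance.

```cpp
#include <cstdint>
#include <cstring>
#include <iostream>
#include <stdexcept>
#include <type_traits>

// Hypothetical tmr_safe<T>: one way to realise the "store it three times"
// safe_int idea. Every read majority-votes the three copies and rewrites the
// odd one out, so a single disturbed copy is corrected transparently; if all
// three disagree the value is unrecoverable and get() throws rather than
// returning garbage. Comparison is bytewise so the scheme also works for
// floating-point types without NaN comparison oddities.
template <typename T>
class tmr_safe {
    static_assert(std::is_trivially_copyable<T>::value,
                  "tmr_safe needs a trivially copyable type");
    T a_, b_, c_;

    static bool same(const T& x, const T& y) {
        return std::memcmp(&x, &y, sizeof(T)) == 0;
    }

public:
    explicit tmr_safe(T v = T()) : a_(v), b_(v), c_(v) {}

    void set(T v) { a_ = v; b_ = v; c_ = v; }

    // Majority vote with repair: two matching copies win, the third is rewritten.
    T get() {
        if (same(a_, b_)) { c_ = a_; return a_; }
        if (same(a_, c_)) { b_ = a_; return a_; }
        if (same(b_, c_)) { a_ = b_; return b_; }
        throw std::runtime_error("tmr_safe: all three copies differ");
    }

    // True when no copy has drifted (a cheap health check between reads).
    bool consistent() const { return same(a_, b_) && same(b_, c_); }

    // Test hook only: flip one bit of one copy, standing in for a disturbance
    // error. Real flips would come from the hardware, not from code.
    void corrupt_copy_for_test(int copy, unsigned bit) {
        T* p = copy == 0 ? &a_ : (copy == 1 ? &b_ : &c_);
        unsigned char bytes[sizeof(T)];
        std::memcpy(bytes, p, sizeof(T));
        bytes[bit / 8] ^= static_cast<unsigned char>(1u << (bit % 8));
        std::memcpy(p, bytes, sizeof(T));
    }
};

// Arithmetic goes through get(), so both operands are checked and repaired
// before the calculation, as the post proposes for every math function.
template <typename T>
tmr_safe<T> operator+(tmr_safe<T>& x, tmr_safe<T>& y) {
    return tmr_safe<T>(x.get() + y.get());
}
template <typename T>
tmr_safe<T> operator*(tmr_safe<T>& x, tmr_safe<T>& y) {
    return tmr_safe<T>(x.get() * y.get());
}

// One flipped bit in one copy: the read returns the original value and the
// damaged copy is rewritten.
int32_t demo_single_flip_recovers() {
    tmr_safe<int32_t> x(1000);
    x.corrupt_copy_for_test(1, 30);   // bit 30 of copy b
    return x.get();                   // 1000
}

// Three independent flips, one per copy: no majority exists, so the read
// fails loudly instead of silently propagating a wrong value.
bool demo_three_flips_detected() {
    tmr_safe<int32_t> x(7);
    x.corrupt_copy_for_test(0, 1);
    x.corrupt_copy_for_test(1, 2);
    x.corrupt_copy_for_test(2, 3);
    try { x.get(); return false; }
    catch (const std::runtime_error&) { return true; }
}

int main() {
    std::cout << "single flip read back: " << demo_single_flip_recovers() << '\n'
              << "three flips detected: " << demo_three_flips_detected() << '\n';
    tmr_safe<double> d(2.5), e(4.0);
    d.corrupt_copy_for_test(2, 63);   // flip the sign bit of copy c
    tmr_safe<double> prod = d * e;
    std::cout << "2.5 * 4.0 with one corrupted copy: " << prod.get() << '\n';
    return 0;
}
```

Swapping the header for a version backed by hardware support, as the post suggests, would leave the call sites unchanged since only tmr_safe's internals would differ.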

Terry Cloth • March 21, 2015 2:08 PM

Meanwhile, back at the squid...

The actual pen is at airlineintl.com. Gorgeous work, but you have to call for prices. So I did:

  • For a silver squid w/ruby eyes: US$ 7,500.--
  • For the unique 18k gold w/ruby eyes: Offered on Ebay for US$ 25,000.--, but if you talk to the boss he'll do better for you.
  • Ebay also has a silver & ruby model: a steal at $US 4,300.--!

sena kavote • March 21, 2015 2:41 PM

Rowhammer

Let's hope we see at least statements about the Rowhammer vulnerability from these:

Linux kernel project

FreeBSD, OpenBSD, NetBSD...

Microsoft

Apple

Minix

GNU Hurd

VirtualBox

Xen

VMware

Docker

bhyve

gnome system monitor, ksysguard and htop projects about detecting row hammering processes

systemd project

Memory module makers like Kingston

Intel

AMD

Nvidia

Figureitout • March 21, 2015 3:03 PM

Nick P
--Ok lol...Chapter 1: We can't trust the output of any of our tools used to make tools or those tools either and any IC you design will eventually be copied or stolen via economic espionage. Class dismissed.

Firmware these days allows control of some of those, that's where I'll be, saying the latest bug I'm working on is a hardware problem. His friend designed the 555 chip lol, dude must be rich. In defense, it's stated it's an Overview of design, so that should be in the title. It's teasing, maybe that's his point, I don't know.

Anyway I recall you saying "expert" based off a year of reading.

Pi^2
--A lot, what all can you run on an Intel x86 PC? A VM is pushing it, likely not Qubes (rec. 4GB). If that's wanted there's heftier versions of them, I'd max the RAM and get a full back up set of cards. Newer IDEs for the latest chips?--Pushing it to probably not.

Or PPC, there you won't find a lot of support. Go too far back (got a $10 laptop that's like 20+ years old, and I can't even get in the BIOS lol! Guess that's good security, suck so bad I don't even want it lol. The screws are even hard to take off. And it's so slow and reminds me of my "color whiz" vtec: http://cdn1.computerworlduk.com/cmsdata/slideshow/3291946/img_062711-kids-computer-11_thumb555.jpg It won't run much of any software in this century besides old DOS and Unix) and you get that.

And we can't say for sure there isn't some other form of radio in the chip lol, weaksauce...high assurance is so weak today!

Ezekiel Lovercraft Daedulus • March 21, 2015 3:04 PM

A story that has not much gotten out yet.

"The CIA Just Declassified the Document That Supposedly Justified the Iraq Invasion"
https://news.vice.com/article/the-cia-just-declassified-the-document-that-supposedly-justified-the-iraq-invasion

This document has been released before, but it was so heavily redacted that it was largely useless. If anyone follows Vice, at all, they actually get some very amazing news coverage, such as amazing "behind the lines" ISIS video footage.

Vice's interpretation is that intelligence well said Bush should not have invaded.

Contrary opinion recently put out by the WSJ before this new unredacted version was put out: http://www.wsj.com/articles/laurence-h-silberman-the-dangerous-lie-that-bush-lied-1423437950

There are larger reaching questions here, key places in how it relates to cyber security and data privacy.

Ezekiel Lovercraft Daedulus • March 21, 2015 3:45 PM
@US Threats to Germany Over Snowden

This story confirms the value of Snowden and the destructiveness of the Snowden documents. It confirms that the US was willing to risk relations with Germany by making such a threat. A risk which now has come true, and is set to really further dampen relations with Germany.

This also calls into question whether or not the US Government has been behind terrorism.

@Assassination & Other Black Ops Programs

There are disturbing ties with the US Government to modern terrorism, aside from the stance that "The US Government is a terrorist organization". (A view I dismiss as overly simplistic, and usually hypocritical.)

After all, who empowered Al Qaeda in the first place? Who, for that matter, empowered Chechnyan forces? Who fought for the Bosnians? Who created the conditions for ISIS to rise? Was the rise of ISIS really accidental and thoroughly unpredictable? Who strengthened the role of Hamas and Hezbollah? Who strengthened Iran? Who strengthens Saudi Arabia? How convenient was the placement of Al Qaeda operatives in Germany? To whose benefit were the attacks across Europe? Who has been seeking to destabilize Russia by manipulating their close allies into resistance? Whose advantage was it to show China as a major aggressor in cyber security wars?

Targets for assassination typically will be foreign spies in choke point areas of the network. First, an invasive but secret surveillance shroud is put over them for some lengthy amount of time. Then, a gaslighting program is initiated, which may include showing them surveillance. If the target is physically close to anyone, this will separate them. If they are working with their spouse, their spouse is a necessary target in all of this. The final phase is then quiet assassination and replacement with doppelgangers.

Sagitta • March 21, 2015 5:17 PM

I was expecting the squid pen to be ... well, a pen from a squid.

I just noticed this profile a couple of months back of Margaret McFall-Ngai, expert on bioluminescent bacteria in squid.

Grauhut • March 21, 2015 6:08 PM

@Figureitout - Have a look at netbsd banana pi. The raspi needs a proprietary firmware blob for a gpu that is more than just a gpu...

Nick P • March 21, 2015 8:19 PM

@ BoppingAround

I have a few of his posts. I intended to grab a larger amount of them but didn't. I might post them later. Wael and Clive certainly will have some good ones archived. Especially Wael as he has about as many links to Schneier comments as I do. ;)

@ Figureitout

Now I know you're just doing your MO of random, contrarian comments. Given the topic is analog design, I thought this...

"We can't trust the output of any of our tools used to make tools or those tools either and any IC you design will eventually be copied or stolen via economic espionage. Class dismissed."

...is a clear indication that you neither read the book nor any articles on analog design. Let me help with this much simpler, shorter article on analog EDA. Short version: analog design is typically a manual, full-custom process that happens at *the transistor level*. The standard tools just make measurements and simulate things to aid their effort of connecting wires. Plenty of suppliers for those tools, even open (I think). Each design is unique, any little change can throw it off, and synthesis tools (EDA) are still too weak for adoption.

So, you saying they'd attack the tools to subvert analog designs would probably make for good humor in their industry. There's attack potential but tools are an unlikely and difficult target.

re x86 and 20+ year old PPC

They aren't relevant to the topic or even my old hardware topic as it was for air gapped machines with custom interface protection.

re radio hidden in a transistor-by-transistor design

Aside from taking rare skill, this is more likely to occur as an EMSEC attack. That they're using radar beams for EMSEC collection in TAO catalog suggests passive isn't reliable enough for field use even in digital designs without TEMPEST shielding. Even less likely for them to manipulate, at transistor level, an analog design on the way to the fab in a way that preserves its exact characteristics with prior and new functionality. Most likely threat along those lines is an EMSEC attack done by a subversive designer whose work was unreviewed or inadequately reviewed. My mutually-suspicious, skilled reviewer model is a nice start on that issue.

Wael • March 21, 2015 9:05 PM

@Nick P, @BoppingAround,

I might post them later. Wael and Clive certainly will have some good ones archived. Especially Wael as he has about as many links to Schneier comments as I do. ;)

I really don't! I just remember a key word or two and search for them, for example: "Schneier Wael RobertT cool aid imbibe"

Or "Wael Schneier Nick P Samuel l. Jackson"!
Do you “feel me”, Nick P? :)

When I go back and read my previous comments, I can't believe how sarcastic I was. Oh, man, I gotta up it a notch ;)

Buck • March 21, 2015 9:17 PM

@Nick P

That they're using radar beams for EMSEC collection in TAO catalog suggests passive isn't reliable enough for field use even in digital designs without TEMPEST shielding. Even less likely for them to manipulate, at transistor level, an analog design on the way to the fab in a way that preserves its exact characteristics with prior and new functionality.

Most likely using 'well-targeted' active attacks? Most definitely! Does this reliably discount the possibility of selective use cases for thoroughly planned (and nearly benign) passive methods..? You, yourself, have argued against this viewpoint on more than one occasion! Need I remind you? ;-)

Buck • March 21, 2015 9:30 PM

@Wael

Since we're reminiscing, here's my search string for the last post of Robert that I can recall:

"Schneier Buck RobertT blending crowds regularly"

Figureitout • March 21, 2015 11:17 PM

Grauhut
--Thanks, I have enough boards *for now*. Good story reading about NetBSD port to the board. After I pay taxes I'm going to be looking for some more goodies (some fruit, raspberries and bananas and apples; what's next?) :)

Nick P
Now I know you're just doing your MO of random, contrarian comments.
--Actually I'm pretty consistent, deeply pissed at the state of affairs and the feeling of "hopelessness" due to money, malware, and a police state enabling criminal intrusions that don't get prosecuted (it's their job to do these things, and they abuse it). The trolly comments are always directed to you, maybe you should come clean and publicly explain why sometime instead of playing dumb. You also give me crap comments, and call my favorite language a virus.

I read it quickly, no I didn't click on your other links. Again and again, it mentioned the "human history". As I said, good overview or introduction, but not some book you could read and start designing; you need a lot of background knowledge already. And the short article w/ a bunch of "marketing engineers" was one reason why I didn't click. Your "short version" is wrong, they're using software tools a lot, not some "manual process" and they simply can't do their job w/o them.

I said that older books, the ones true analog engineers (some of the best ever) learned w/; those are the best books for analog design. And if you actually open one up and check it out, they don't treat the reader like a pussy and lay it on thick right away.

RE: humor of tool subversion
--Yeah for the old-ass engineer that doesn't have any grips w/ modern malware or the threat model I'm considering (if I can defeat that threat model, I can nearly guarantee security to people). I can already see a face and a voice too even..."a hurr durr, I don't know where my computer came from, I don't lock down this office, and I don't know how this software was made, but my tools are fool-proof". Malware can sneak in, bugs planted. Perhaps a bigger company employs a modicum of 24/7 physical security, but doesn't enforce good separation from the internet; big hole. Even a huge company, I came up w/ a few ways in (requires some recon, but still doable as the physical security has some holes; never forget a $50 million security system was breached by a drunk jetskier). First target would be a badge-making facility (unmarked but that info could be bought), or...just pay contractors for old badges. Major drug shipping facility that professional thieves would hit, again unmarked; but not as hard a target as you would think...I'll stop as it's OT.

As you can see, few to no analog engineers post b/c they're a bunch of old pissed off people that are failing to pass along their knowledge and skills to the next generation. So their profession is dying too. I bet many parts we'd need for analog design won't even be made, just have ridiculous parts as the only ones made anymore (especially as resources get tighter).

RE: x86/ppc
--I don't even know what you're talking about. I was talking to someone else. There's no other real choices for consumers for real security. I was mentioning old laptops, of which you have one as an XP machine for your isolated "workhorse" that has support for almost every chip you want to program. You have an OpenBSD machine for programming, and then a TAILS machine for fairly secure internet. There's more ways to do it, but running a VM requires HDD space, which is risky.

RE: radios hidden
--When the design is made (likely on the computer, w/ simulation software), it's sent off to a fab lab, and then sent off again to a contractor in China that actually lays the parts on the board. In-between, that's where the subversion would likely happen. An attentive engineer will maybe be able to hopefully catch it by some stroke of luck due to drastic performance issues or just for sake of pride (who wants to be known selling sh*t?). In multi-SoC designs, a single designer *will not* be able to fully verify them; I tried to realize whole system operation for too long b/c I wanted to catch as many bugs as possible, one of the many lessons I learned in practice, it's dumb, you don't get anything done. Those areas could have fake chips that perform *nearly* the same. Zeptobars in Russia (I'm jelly of their camera, I want one) caught a fake nrf24l01+ chip http://zeptobars.ru/en/read/Nordic-NRF24L01P-SI24R1-real-fake-copy The external chip looks almost identical. You'd have to decap and do this comparison (assuming they don't poison the other supply chain and you just compare two fake chips).

PCB antennas are another area, they work well for at least 100-300ft maybe. Designers for huge companies are going to be pushing out thousands and thousands of boards; they won't personally check them all w/ their "infallible tools". Probably automated on the cheap by people who don't care b/c they're not passionate or getting paid enough, whatever; it's a hole.

Wael
I just remember a key word or two
--Remember this one: "weal" ? Squeal! Lol! sorry...BTW, was going to send a pic but you may pick up on the metadata, been drinking Earl Gray tea for past week, yum! So much better than Lipton cheap crap! I love aroma of EG tea too! :p

Alan Quartermain • March 21, 2015 11:20 PM

Question for anyone...

I'm still using Windows 7. What's the risk of having the "Group Policy Client" always running?

Can it be used by some remote "agent" (software/individual) to control settings on my standalone internet-connected PC?

I know that I can disable this service through a registry hack in Windows 7. Unfortunately when that is done Windows Firewall no longer opens (and in Windows 8 this hack does not even work).

Nick P • March 21, 2015 11:32 PM

@ Buck

"You, yourself, have argued against this viewpoint on more than one occasion! Need I remind you? ;-)"

Bastard... haha. The attack is possible and they'll likely consider it. The good news is that there are very few doing emanation attacks. The U.S. even hid details of many of their EMSEC defenses from British and other allies per classified documents. Probably to spy on them. So, the question is why are they doing active attacks against analog wiring instead of passive?

It might just be for better quality. Sending plenty of energy into the wire to rebound might give them much more to work with than whatever it naturally transmits. Alternatively, the use of different frequencies might help bypass any shielding. I'm not an electrical engineer so I can only speculate on such things. Maybe Clive or Wael will have a better idea on this one. Regardless, I think the EMSEC threat still exists for passive although with lower range on many modern devices due to lower power and maybe better shielding. I'm also *hoping* that Silicon-on-Insulator has better EMSEC properties across the board than average silicon.

Remember, though, that I assume all the devices we're using will be vulnerable to emanation attacks unless specifically protected from them. Otherwise, they would have to be used in an EMSEC safe or room. I've always said this. Doing it is a whole field protected via classified and trade secret information laws. That's why I prefer EMSEC safe + power connector + networking method for simplicity. Then, I use a device that works with it, establish a large enough physical zone no antennas are allowed in, and largely ignore that problem from there until I have better options. :)

@ Buck, Wael

"Schneier Buck RobertT blending crowds regularly"

"Seems he saw imminent danger in connecting dots..."

Yeah, that last post was quite disturbing. Makes you wonder what kind of people he was working with. Had I seen and thought on this before, I'd say the best way to show him respect would be to quit naming him or even saying we met him on the blog. He's just a brilliant hardware engineer we read on. Maybe just call him R. Gives people less to go on in future discussions and Google seems to only track so many years in Search. Might buy him some physical security. :)

Meanwhile, the post I remembered best was this one directed squarely at my hardware efforts. I summarized some of his points here. One comment in those that bothered me and is semi-relevant in this discussion:

"I've seen cases where everything was a perfect copy, right down to the chip layout itself.....but it just wasn't one of our chips, it was a fake and had some subtle flaws."

We don't know the complexity of that chip or how much talent it takes to do that. Yet, this capability would be quite useful in implants. NSA will eventually learn it even if TAO indicates they haven't yet. It's good that there's DARPA-funded and international research into countermeasures in this area. A bit more wouldn't hurt.

J on the river Lethe • March 22, 2015 12:43 AM

Well, that didn't take long.....lol close but not quite what I was talking about. Hiding in silicon is the thing. Software is surface, dig deeper. I have wondered if "they" are hacking U.S., there must be at least equal response. What are we getting from them and how are we doing it?

http://www.csoonline.com/article/2899874/network-security/at-least-700000-routers-given-to-customers-by-isps-are-vulnerable-to-hacking.html

@figureitout. Security against a state player is very much lost, unless you are good, lucky, or a team. Cards? Go to nearby Starbucks, jack up a long distance reader. Card info clone, printer is easy. I won't mention specific info from cards. Plugin network sniffer, delivery or lost or...you get the idea. Physical security is done in "circle" zones similar to computer OS. Electronic, computer, network, and physical security major weak points are people and equipment. Social engineering is the way in more than the James Bond or NSA measures.

I think overly pessimistic or overly optimistic is not a survival skill. You can drive yourself into writing a manifesto in a little cabin in the woods. How many order ram over Internet for example or flash drive. How many might be delayed and assumed the nsa must, just must have intercepted it? A rabbit hole of possible paranoia.

Most of us just don't warrant, pun intended any more than a passing interest to them. Now some one who is journalist, security tester, etc. They probably need to think of some measures. But most is well covered, especially in last 5 years. But if they really really want you. Easy peezy. They could reflash your Firmware, install cellular chip, etc. Hell they could hack and turn my coffee pot into a snitch. Which would feel like betrayal considering my affection towards it. But how many of us are willing and able to check everything? Every time we leave our house or office building?

There are probably less than a thousand out of all the readers of this blog that they would do more than glance at. They might do a psychological pass through to see if any are dangerous or technical enough to look closer at.

I find the challenge and thought process interesting even if I don't completely understand these technical blog points.

But simple answers to complex questions are very rare. How would you catch bad guys? While preserving free speech, evidence, etc. Would we try to prevent every attack or try to catch them afterward? How to determine who we let into the country? Is thinking just differently enough? What criteria do we use? If we know they have intent for violence it is easy but what if someone is only susceptible to radicalization? History has a lot of lessons but not all the answers. Internment happened during WW1 and WW2 for example. We interned Germans during WW1 in Hot Springs, NC. Kind of like Cuba or the modern prison system today.

Just my thoughts from your entry. None of this that has popped up since before Binney or Snowden today should discourage us. Depression or self pity or pessimism just makes the individual human condition worse although the occasional tantrum is allowed. Then hit it again. ;)

Ezekiel Lovecraft Daedulus • March 22, 2015 1:23 AM

@R topic

I had some downtime here, so did not mind going and checking out "R's" last thread. I have to say, in reading his last posts, I have to note that my above, spooky doppelganger post was in jest. Hate to think of some poor, overly paranoid person suffering OCD taking such a thing seriously.

I feel sorry for victims of corrupt national secret services. I was careful to point out that my joke was aimed at probably some actual agent of a national secret service who has started to notice an impossible level of resources put on them. And I did just want to assure them, "That disclosure, as you expected, is not accidental".

Those sorts are very different mindsets, however. It takes a lot for them to get scared. After all, despite all the shut doors they have had in their life, they believe they can overpower those they investigate. Evidence to the contrary might only open a door for them which previously was shut. Which reminds me of some small, but well armed band searching in Antarctica, only to find "The Thing"... or maybe some small band following well placed clues to some remote planet, only to discover some massive horror, like in "Prometheus".

However, all of that can be put to a monstrous organization like the Leviathan or Behemoth, and I think this Scorsese film well played this Atlantis riff from Donovan on that matter:

https://www.youtube.com/watch?v=QHSm_ZxV18s

R, of course, *seems* to be of a very different mindset. Some poor genius accidentally disclosing privileged information and *accidentally* making various political statements while doing so.

Maybe he got arrested? Maybe one of his "friends" here was an agent? As often is seen, a question arises, "why are you so paranoid". Of course, pretending to be really, really paranoid can say: "I am not affiliated with any protecting group". So spies and other forms of secret law enforcement agents often use that sort of thing as a cover. When they are not playing Mr or Mrs Innocuous.

Likewise, those who are pretending to be critical very well might just be agents simply trying to find others who are critical, so as to prosecute them.

More likely, R was an agent, just playing a game with fellow agents. None very high level, just useful ['idiot'] messengers to their higher powers. Even a Leviathan or Cthulhu needs to eat. And one person is just not enough for their appetite. They always need that little exploratory team to get the resources to bring.... everyone.

And yeah, the whole Leviathan riff to Job was about an organization, and not one person. :/

Hate to give a "contrarian" opinion here, but there probably are some everyday people posting here unaware of just how many agents and officers post here on a regular basis. Believe me, while I have an organization, I don't, lol, give a fuck about you, or even them in terms of "what crap information they can pass out", lol.

And, yes, I have some friends who post here, and we sometimes say "hey", in a manner which could be said to be "code", but, no "Son of Sun" is not one of us, lol. Apologies for that. Probably some agent trying to sadly mimic our ways. We do not utilize the forum for messaging or steganography. We do have other forums for that, and email. :/ Lol.

Wael • March 22, 2015 1:38 AM

@Nick P, @Figureitout,

been drinking Earl Gray tea for past week, yum! So much better than Lipton cheap crap!

  • Not all Liptons are created equal!
  • My favorite tea is Darjeeling. Not into Earl Grey! Tea, Earl Grey, hot.

but not some book you could read and start designing

With this book, you can do just that! Did you get it yet @Figureitout? My offer still stands...Keep in mind though, that books, in general, explain the subject. If you read a chess book or 10 (I read over 60), you'll learn the basics, the principles, tactics and strategy, positional play, rules of thumb, the value of the pieces, etc... Reading the books won't turn you into an instant grandmaster! You need to be talented and like the subject as well and perhaps spend 10,000 hours playing and learning. The same can be said about analog design.

Wael • March 22, 2015 2:00 AM

@Nick P, @Buck,

Alternatively, the use of different frequencies might help bypass any shielding.

The shielding is typically designed for the frequency of operation.

Ezekiel Lovecraft Daedulus • March 22, 2015 2:42 AM

@J

Hiding in silicon is the thing. Software is surface, dig deeper. I have wondered if "they" are hacking u.s., there must be at least equal response. What are we getting from them and how are we doing it?.. [article on many routers being weak]

Weak router tech is the norm, and the US Government, along with other governments, have not found it in their best interest to fix any of that.

Security against a state player is very much lost, unless you are good, lucky, or a team.

J, I feel that is really unfair. No one is that good. And a "team" when you are dealing with State Based actors really is not going to do it for anyone. "Luck" does not exist. Grace exists, but not luck. And grace is limited when people mistake it, as they often do, for "good" and "luck".

If your team is much larger, much more well financed, much smarter, and much more powerful. Well, then you do not have to worry.

Otherwise, the person is a gambling man or woman, and that against horrendous odds. Worse, they can be asking for a slap by thinking otherwise.

Social engineering is the way in more than the James Bond or nsa measures.

Ugh, yes, can you say it louder? I read these techno-sophisticate posts talking about eluding massive organizations, and scratch my head. Hard to see them as solitary individuals thinking they can outsmart the FBI, CIA, NSA, PRC, FSB, SVR, GCHQ, MI6, MI5, BND, and who knows who else they are thinking they can game and overpower. And for what reason?

But, again, unless you have a team larger and smarter and more powerful than all of the above, I do not think people should play that game.

As such a team does not exist any more than Cthulhu or the Leviathan or God does, well, they probably should stay out of trouble and keep their heads clean. Or get OCD counseling.

Okay. Disinformation. God does exist.

Leviathan or Cthulhu or Behemoth 'super secret agencies'? Come on. Leave the conspiracy theories to people whose job it is to chase down that crap.

Social engineering won't work unless you have that sort of level of resources as being a 'who watches the watchmen' sort of position.

Seen it in real life. Guys trying to get one over an organization, only to make them angry and get overpowered.

Works fine if you have backing, does not go so well if you are a single person shaking your fist at the instruments of injustice.

Most of us just don't warrant, pun intended any more than a passing interest to them. Now some one who is journalist, security tester, etc. They probably need to think of some measures.

I recently played up some attack scenarios with a poster on another forum, then gave that disclaimer. He pointed out he does have to worry about that because he sees all the 'zero days' of the popular app he helps manage. Rare exception to the rule, and even then, there is little he can do.

I pop in here every six months, every year, sometimes shorter periods of time, and consistently read paranoid statements. Some of them are journalists, but they are operating from a perspective of apparent safety. They have their whole news agency backing them.

But, can a journalist really feel themselves safe these days? Who knows who their editors really are? And big stories often turn out to be nothing but a hallway to a closed door. They are not trained in sophisticated cyber-protection methods. They either have others taking care of that for them, or not. And they can hardly trust their local government.

Gerard van Vooren • March 22, 2015 3:35 AM

@ Ezekiel Lovecraft Daedulus

Okay. Disinformation. God does exist.

OK, I'll bite. In this world everything depends on proof. Do you know indisputable scientific proof that God exists? Proof that is well known and understood by many scientists?

"Luck" does not exist.

That statement is way too ridiculous, sorry. Everything is based on luck, including mankind and earth itself.

Gerard van Vooren • March 22, 2015 3:38 AM

Adding to my previous comment:

@ Ezekiel Lovecraft Daedulus - about God

And with proof I mean proof that can convince people like Stephen Hawking that God exists.

Clive Robinson • March 22, 2015 4:44 AM

@ Figureitout, Wael,

Have you seen the old UK "Bisto" ads of a pair of kids swinging on a gate and smelling the gravy of a good Sunday roast and saying "Ahhh Bist-hoe" as the tag line?

I can visualize you two as those urchins saying "Ahhh T-he"... B-)

It's funny how the age old "Brits as tea drinkers" and "Yanks and Europeans as coffee swillers" perception still hangs in there...

As it happens I'm currently steeping some crushed lemon grass with white tea prior to deciding on toast and full roast or just a full on brunch...

It's a Sunday morning refresh the senses drink, not my normal neck embrocation, which has recently been different due to a lack of sunlight from currently being unwell. It has produced a craving for full fat milky PG Tips or slightly flowery Swedish "breakfast tea", which I'll put down to vit-D deficiency...

With regards "analogue electronics" it's been noted many times it's "a calling" not a job, and you can at best only master bits of it as it covers the whole of electronics.

If you want a nice step up from the Ham radio books on RF have a look at "RF Power Amplifiers for Wireless Communications" by "Steve C. Cripps" ISBN 0-89006-989-1, and his follow on book. Unfortunately it's published by "Artech House" and thus quite pricy.

For those with a lack of financial resources you can get a PDF of its index which will give you pointers as to what to search the Internet for, as his other published technical papers in trade journals can be found.

The thing with many of the software tools is that those using them often don't have a feel for what they are doing. Thus they are not "sanity checking" the output they get. Older manual methods using paper and pencil charting give a more intuitive feel which raises little flags in your head when the tools pop out results that are going to be difficult to produce in the real world.

It's funny that when at school learning math, they generally try to teach you how to "sanity check" your work so you don't make mistakes. However for some reason it gets lost as an idea when finger tips meet the keys of a computer...

bundu • March 22, 2015 5:09 AM

"Online Anonymity: Islamic State and surveillance"

A very short (UK centric) discussion paper by Jamie Bartlett (Dir. Centre for the Analysis of Social Media at Demos/Author of The Dark Net) and Alex Krasodomski-Jones, a Research Associate at Demos.

Includes summary of publicly known methodology employed by serious org.crime/ISIL.

http://www.demos.co.uk/files/Islamic_State_and_Encryption.pdf?1426713922

(Open Access. Some rights reserved. Subject to the terms of the Demos licence found at the back of this publication.)

No Such Agency • March 22, 2015 5:44 AM

First an apparent "warrant canary" goes missing from Apple licenses. Now, Apple are apparently removing any programs from its App Store that claim to be anti-virus or anti-malware "because iOS doesn't have viruses or malware and it might confuse users".

Something very odd is going on...

Clive Robinson • March 22, 2015 6:16 AM

@ No Such Agency,

Something very odd is going on...

Probably not ;-)

Look on it as a viral advert for a movie, a trailer will follow soon and then it will be time to get a good seat and a large bucket of popcorn, for the main feature. Where fanbois find that not only have they been trailed and all their data stolen, they have also been "screwed, blued and tattooed" then gift wrapped in the fine white of the best shrouds and handed over to the IC like fresh suckling piglets for a devil's feast. Their fate is sealed no matter how much they squeal, to be consumed and regurgitated countless times as their very essence is extracted drop by drop to form a raging flood.

The only question then is what is the next course to enter the ravening maw, and briefly sate the expanding devil greed of the IC...

Grauhut • March 22, 2015 8:10 AM

@Figureitout - If you need some juice squeeze out some orange pis. You may use a sabre board to cut them in halves!

Some day I'll build a super computing cluster from my ARM device collection. :)

J on the river Lethe • March 22, 2015 8:27 AM

@ezekiel you may have misunderstood me a little. We should care about security and privacy. I was calling out what Clive called a sanity check in a slightly different context. All it takes is one analyst to find a hole to advance security. Other than above, criminals will and have used openings left by organizations. But thinking we as an individual can be a security castle/island leads to madness.

@clive "screwed blued and tattooed" funny! I will remember that one. Thoughts flow to Apple genius kids, Picts, and surface fleet crossing the equator. Warrant canaries haven't been tested in court. That would be interesting.

Analogue electronics. I have long been fascinated with a more modern version of pirate radio. Internet by radio. It has been done. It is slow but free and difficult to control by state powers. Unless radio trucks like Hogan's Heroes or Stasi are used. It has a WW1 era kind of feel to it. Also, there are some very old laws here in the U.S. that take a dim view of such, using encryption. And the modern Internet would require it.

Those laws are even older and untested than the law that says a farmer can't grow wheat and give it to his animals. ;)

Tea for breakfast? Have fun. Just like a full English breakfast, it gives me heartburn. Strange, coffee doesn't. The coffee or tea snobbery is lost on me a little. Reminds me of wine drinkers. It has a bouquet of flowers, hint of moss. Now whisky snobbery I can get into. The strong mossy overtones of a good Scottish single malt! Yea! I am just glad snow is gone and I am out and aboot. Lol

Grauhut • March 22, 2015 8:50 AM

Instant honey in a pot beta.

"We created a honeypot platform, which is based on the well-established honeypots glastopf, kippo, honeytrap and dionaea, the network IDS/IPS suricata, elasticsearch-logstash-kibana, ewsposter and some docker magic."

https://dtag-dev-sec.github.io/mediator/feature/2015/03/17/concept.html

The integration of the ELK stack and Docker sounds promising.

Easy to screenshot nice graphs for management presentations! :)

Nick P • March 22, 2015 10:36 AM

@ Wael

You'd really reimburse him the $2.62 plus shipping? So kind of you. I think I should just buy a couple and resell them at a local University. Keep one for myself just in case.

@ Grauhut

Nice platform.

Wael • March 22, 2015 11:20 AM

@Nick P, @Figureitout,

It's $49 and some change. I don't understand why one is listed at $500+.
You can both add it to your wish list and I'll get it for both of you. This way you don't disclose PII to me. Just remember it's a basic book, but you'll learn a ton from it, and more advanced specialized texts would then make more sense to you.

Figureitout • March 22, 2015 11:22 AM

j on the river lethe
--I know, look at strategy of "modern warfare" bleeding the enemy to death financially (it's working...), you sneak around, leave traps, and blend in the noise. Physical security you really have to have a close-knit team in constant communication and spread your eggs out.

Weal *I mean* Wael :p
--Well excuuuuse me Mr. Snobby tea-man. Yes I downloaded it and got it saved to a couple HDD's (Just kidding, it sucks! Money please...I'll take some of those special "tea leaves" you put in your bong. :p). I'm busy w/ other books and stuff.

Clive Robinson
--Ha! Well, what are you saying? Who's the girl then? Not I! Jesus Wael, why're your panties ripped? You little slut! :p

Bah, got enough books lol. I like datasheets (and man pages) too, those are basically books at around 600-1000 pages each.

I'm not always convinced w/ a "mathematical checking" too...(proofs...more like circular reasoning) sometimes it just seems like cupping your own *ahem's*. Of course if you're wrong from the start you'll confirm the wrong thing...

Grauhut
--Lol no way! More fruit...like it though.

Wael • March 22, 2015 11:44 AM

@Clive Robinson,

It's funny how the age old "Brits as tea drinkers" and "Yanks and Europeans as coffee swillers" perception still hangs in there...

Guess who introduced Qahwa to the Europeans, and where the word "Mocha" originated from...

Wael • March 22, 2015 11:57 AM

@Figureitout,

I'll take some of those special "tea leaves" you put in your bong. :p)

Since I talked about "word origins", allow me to explain something for your royal highness:

  • Tea, my friend, goes into one of these
  • The stuff you smoke goes into one of these

I know they both look alike to you, and sometimes you put stuff in the wrong "container" -- lol. Now before you reply to me: Breathe in, Breathe out, repeat as necessary. Just don't breathe from the hammerhead thing this early in the day, though!

Nick P • March 22, 2015 12:01 PM

@ Wael

re book

No, it's actually $2.62 + shipping in Good condition. Source. To people wasting money, it's anywhere from $49 to $513. You people must love using receipts as status symbols. I stand in awe of your upper-middle class status and thank you for mentioning the book. :P

re tea

I usually just use Lipton or Luzianne with the right timing + number of bags for decent flavor. Can always add other ingredients. For good stuff, I either buy Black Tea or make some Hawaiian (current). Lipton was actually the first black tea I tried. They came in neat-looking, pyramid-shaped bags. That it looked like crumbled plants made the quality difference a bit more obvious. ;) I'll try the Darjeeling in the future so long as it's not $49 or something.

QUICK EDIT to ADD: "goes into one of..." LMAO.

@ all

Hacker News reports on this update of OCaml Core by Jane St. I've previously cited Jane St.'s team as awesome for (a) choosing a language designed for robust software, (b) rewriting the standard library for industry use, and (c) releasing their work to the community freely. Now, they've gone above and beyond by straight up improving what's already there: making things consistent, eliminating holdovers from the past, and so on. The one thing that proprietary and FOSS projects usually refuse to do. I elaborate in the positive comment I left them.

WaelMarch 22, 2015 1:30 PM

@Nick P,

No, it's actually $2.62 + shipping in Good condition.

Amazing price! Worth every penny...

or Luizanne with the right timing + number of bags for decent flavor.

Now this brand is good for brewing Sun Tea, but you have to be careful how to do it right. These guys have some good tea as well! Okay, enough about tea...

So you are blogging elsewhere too! Traitor ;)

WaelMarch 22, 2015 2:19 PM

@Clive Robinson, @Figureitout,

"Ahhh Bist-hoe"

The version I know goes like this: Rumor has it that one day during Christmas, Santa Claus passed by Tiger Woods and said: Ho, Ho, Ho! Tiger Woods immediately said: Where, where, where?

albertMarch 22, 2015 4:05 PM

@AlanS
.
"Fully compatible with forthcoming Cybersecurity Information Sharing Act."
.

That's not very assuring.... :)
...

J on the river Lethe March 22, 2015 4:53 PM

@figureitout
You are funny! You would be a hoot to have a beer with. Physical security can, like pen testing, be a one-man operation, if the man is nondescript enough. I would need a partner since I look like a very skinny Santa nowadays. Any day now my wife is gonna start chirping, "eat papa, eat!"

As Churchill said, "No idea is so outlandish that it should not be considered with a searching but at the same time a steady eye." There is a lot in security that is now coming to light and even more suspected.

@nick. Very interesting link. It is gonna take me awhile to digest that. I wish they would do the same with true crypt.

Books? I keep getting tempted by Abe's books and Kindle. Kindle $7 or printed $65. Decisions decisions. They think I want DRM. Haha Hmm. It's only 4 bucks on Abe. Back and forth. Lolol

Tea snobbery? Why, I shall try to start one discussion on good single malt whiskies! Clive? What cha say? I like the 21 yr old Glenfiddich. I used to say I like mine of legal age, older than me. Now the being-older stipulation would require diving old wrecks. Amusingly, by an old wreck. ;) Guinness and Glenfiddich boilermakers anyone?

BuckMarch 22, 2015 7:16 PM

@ Ezekiel Lovecraft Daedulus

And, yes, I have some friends who post here, and we sometimes say "hey", in a manner which could be said to be "code", but, no "Son of Sun" is not one of us, lol. Apologies for that. Probably some agent trying to sadly mimic our ways. We do not utilize the forum for messaging or steganography. We do have other forums for that, and email. :/ Lol.
I could actually believe that "Son of Sun" may not walk with your crows, but I still think it would simply be silly to suggest that no information has been passed through there...

WaelMarch 22, 2015 8:24 PM

@Clive Robinson, @Figureitout,

Steve C. Cripps, ISBN 0-89006-989-1, and his follow-on book...

Looked inside the book, looks interesting, but the preview didn't show much. I never had a problem building a single transistor RF amplifier with BJTs. Multi-stage with FETs and BJTs was an area I wanted to get my hands on, but never had the chance. I wonder if this book covers it... Also, for some reason, I find a lot of British technical books hard to read. US books are easier for me.

J on the river Lethe March 22, 2015 11:38 PM

@nick sorry. The ocaml core. It is nice to see people pay attention to detail. I won't pretend to understand all the aspects but interesting. My other thought was wishing truecrypt was released and active now for same purposes. Update, review, test, optimize. It's not like I want them to code in assembly. ;) or cable lace.......

FigureitoutMarch 23, 2015 2:20 AM

Wael
--Joke mate lolweal:p. I've tinkered w/ NPNs (just whipped up a little CW beacon w/ a radio and Arduino, pretty neat), nice and easy components. Design?--Nope not yet. MCUs and firmware are so much more fun for me, like being first in chip.

j on the river lethe
--Ha thanks, sure you buying? Well, physical security needs at least one other person for when you sleep, pen testing can happen whenever on your schedule when the time's right.

Wesley ParishMarch 23, 2015 5:38 AM

@Wael, @Clive Robinson re tea, coffee

I guess it's due to the British Crown once having an Indian Empire, which grew most of the world's tea, and having to whip up enthusiasm for it on the British market. I don't recall Dr Johnson ever referring to it in his books; he frequented coffee-shops.

WaelMarch 23, 2015 6:54 AM

@Wesley Parish,

I guess it's due to the British Crown once having an Indian Empire...

Makes sense!

CzernoMarch 23, 2015 7:38 AM

@Clive, @tea drinkers...

The English get the finest teas from their former colonies, while sadly they will waste the beverage by adding milk :=(

The French don't drink no tea... BUT for those who still do, we know NOT to spoil the stuff by various additions of infamous lemon, milk or whatever.

Clive RobinsonMarch 23, 2015 8:00 AM

@ Wael, Wesley,

Tea is not native to India, it was the English that took it there to break the Chinese monopoly. Until recently India was the world's major grower, however China is now out producing them (supposedly because labour and subsidies in China are more favourable). Where India does score on the tea front is that they are the world's major consumers.

However tea has a dark political side... India had a policy of making loans etc to home tea plantations such that they remained viable and kept employment in the areas.

The US however under pressure of US commercial interests got the Democrats to sponsor an amendment to stop what they called "foreign dumping"... The so called Byrd Amendment in 2000 allowed for the redistribution of money from the US Gov to those who complained about dumping (even though many of the companies were themselves "dumping").

Various countries in the EU, South America and Asia complained to the WTO, who declared the amendment illegal under international obligations the US had signed up to. The US ignored the WTO and it was only when other nations started to treat the US to various measures that they eventually stopped.

However they are back up to the same old tricks with the TTTP and other treaties they are pushing in secret. As has been seen in Australia US companies are using this to overrule nations' own law making processes...

I'm not sure at which point such nonsense will be stopped again, but you can be sure that US Companies will keep pushing for it, especially those --ie health care-- that can not be competitive in their own right or don't wish to be...

vas pupMarch 23, 2015 9:13 AM

How additional information about personality could be extracted from face photo postings on social media:
http://www.bbc.com/future/story/20150312-what-the-face-betrays-about-you
"Our faces aren’t just the product of our biology. We can’t change our genes or our hormones – but by cultivating our personality and sense of self-worth, they may begin to mirror something far more important."
My guess is that level of aggression (if you have base line photo) could be assessed by recent photo postings for security purpose.


http://www.bbc.com/future/story/20150312-how-to-talk-online-with-only-touch
"But he also hopes that gaining knowledge about alternative communication systems can profit everyone."
"Most of us take for granted the digital revolution and the amazing new connections it has offered. For those constrained by a barrier of unseen sights and unheard sounds, it was once unexplored territory – but with the Lorm glove, they might just have that world in the palm of their hands." It has potential for security application as well as any alternative to traditional communication system.


Cyber security and insurance (Bruce's ideas of security incentive through insurance finally got to the ears of gov in GB):
http://www.bbc.com/news/technology-32015383
""The cyber-threat remains one of the most significant - and growing - risks facing UK business," said Cabinet Office Minister Francis Maude in a statement.
About half of the chief executives interviewed for the report did not even know it was possible to buy cyber-insurance, found the report. Insurance firm Marsh helped write the report which emerged from work the government carried out in late 2014 on risks facing UK business."
"Mr Maude added that over the last few years, UK industry had improved its understanding of the dangers it faced from cyber-thieves but more still needed to be done. That understanding could be helped by insurance, he said, because it could help highlight where firms were weakest and pass on information about the most serious threats."
"Insurers can help guide and incentivise significant improvements in cybersecurity practice across industry by asking the right questions of their customers on how they handle cyber-threats," said Mr Maude.

Ezekiel Lovecraft DaedulusMarch 23, 2015 12:39 PM

@Gerard van Vooren

"Luck" does not exist.

That statement is way too ridiculous, sorry. Everything is based on luck, including mankind and earth itself.

"Luck" as in a superstitious belief that one might find the odds which are overwhelmingly against one's self in one's favor despite the odds.

Threat and risk are calculated using probabilities, which requires large datasets for accuracy, though the human mind is capable of reasoning out matters with some rough degree of accuracy and a much smaller subset of data. If so trained and if so cognizant.

I do not think someone posting on an open forum about high tech methods on how to bypass possible nation level surveillance, while intimating they have some need to do so is relying on accurate risk and threat assessments.

Usually, that is symptomatic of an anxiety disorder, such as ocd. Or, another disorder which causes them to compulsively engage in criminal activities, but also have a deep set need to be caught.

Could be they are more clever than that and faked a persona, including writing styles, and utilized a very strong proxy system to contact the forum. In which case, they may believe they could ask such a question in safety. However, in that case, it appears the poster contacted at least one person off site.

All of those conditions terrifically raise their risk, even if they have a large degree of confidence in their own capacity to ascertain the methodologies used by nation states. Which they should know, they can not properly ascertain such a thing... as even large national organizations tasked with such matters can not ascertain such things.

Back on the religious angle, even Solomon pointed out 'chance happens to all'. By appearance, the world exists in a closed, entropic system, without a God behind it. Another verse for that, 'God hides, kings find', again, to paraphrase. And, again, from Solomon, which was what, 800BC or so? 900 something BC.


Okay. Disinformation. God does exist.

Ok, I bite. In this world everything depends on Proof. Do you know indisputable scientific proof that God exist? Proof that is well known and understood by many scientists?

I can not help but see a major flaw in your consideration there. You are assuming that all things which exist are known and proven are subjected to global purview. This is far from the case.

I find this a bit ironic, at all times, but especially at a forum where very likely many of the posters and readers have either had clearance or dealt with secret matters that they do not wish to disclose.

Is everything which they have known which is secret not really existing merely because 'all the scientists in the world do not know of it'? Of course not.

Like my comment on superstitious 'luck', however, I was not intending to get into a religious conversation. My statement was intended as sarcastic, in a 'playing with plausibility and implausibility' sort of way.

For me, playing with people's dial of plausibility is an everyday thing. Maybe it is this way with everyone, I do not know. If I wish to make myself big, I can do so. If I wish to make myself small, I will do so.

That is, as the original poster was intimating, much of staying off the radar is more about psychology and appearance management... than technical tools. You learn to control that dial of 'plausibility', or 'suspiciousness'.

Otherwise, in terms of evidence, if 'there are extraordinary claims, there requires extraordinary evidence'. A claim that the universe, which appears to be a closed, entropic system is actually more like the fabric of dream which only appears real is all stretching the value of the word 'extraordinary' far, far beyond any modern definition of it known to the world at large.

Such evidence, while depicted in cinema as typically well handled by people, in real life causes them significant trauma.

And that, too, is deeply understating matters.

But, consider: do you believe, out there, that there probably are some manner of secret intelligence matters going on which would be traumatic or shocking to learn of? Yes, of course there likely would be. Even 911 and the Snowden disclosures caused many some level of trauma. There are plenty of claims out there without evidence. Few people who entertain the subject probably even have a few of their own highly implausible conspiracy theories. Maybe one of those is correct or not so far off from the truth.

Does the fact that there is not globally known evidence preclude such matters as being possible of existing?

Of course not.

And, frankly, what is amazing is in these "secrecy cultures" so very much of the information is so mind bendingly dull and unimportant. But, despite that, there probably is going to be in any major nation some manner of truly shocking secret. If not more than just a few.

Ezekiel Lovecraft DaedulusMarch 23, 2015 1:23 PM

@Buck

I still think it would simply be silly to suggest that no information has been passed through there...

True.

Likely they are engaged in some form of criminal activity of such significance they have confidence it would be of much interest to some manner of authorities which may post or read here. Likely they have been or are a poster here, maybe even a regular poster. They feel confident that they can talk in this way without detection. They are not organized crime nor a major intelligence power, though they may have very distant connections to either.

Most likely the poster set the terms of the conditions for communication.

However, a less likely condition exists, that they reached agreement for this behavior. And so it was a consensual agreement. That is far less probable and really narrows down much more about the group involved.

Not many groups engaged in extreme risk taking are willing to risk it all by flaunting behavior. But there are some which are.

The poster likely feels they are not appreciated, and has a strong desire to flaunt their skills and experience. They get off on posting such material in such a forum, because it makes them feel powerful, something they do not feel normally in their lives.

Not many areas of individual-group interaction involving material highly interesting to authorities where the individual is able to set the terms of the disclosure context.

Very possibly, the individual, though capable of setting these terms, may also have met his initial contact with the group he is interacting with on this very forum. It may be that they do not have other contact information, or lost, or deleted it. Or it may just be that they are pretending to have messed up in this way to give an excuse for flaunting behavior to necessarily the dour reaction of whom they wish to communicate to.

Ezekiel Lovecraft DaedulusMarch 23, 2015 1:40 PM

@J On the river Lethe

@ezekiel you may have misunderstood me a little. We should care about security and privacy. I was calling out what Clive called a sanity check in a slightly different context. All it takes is one analyst to find a hole to advance security. Other than above, criminals will and have used openings left by organizations. But thinking we as an individual can be a security castle/island leads to madness.

I will define my context, which was amplified by seeing R's posts: context of individuals believing they have secrets which nation states might have substantial interest in and trying to manage that level of risk. That surely does lead to madness when individuals attempt to manage that risk all by their own selves.

Even the world's largest, most mature, and sophisticated intelligence agencies systematically underestimate and overestimate in their analysis of other intelligence agencies. Difference being, they are operating with far more knowledge, and have experience mapping unknowns and dealing with unknowns.

Very common in computer security, even when they have zero reason for paranoia. Much of comp sec is nothing but surveillance and counter-surveillance, so no wonder.


Ezekiel Lovecraft DaedulusMarch 23, 2015 1:57 PM

@Gerard van Vooren

And with proof I mean proof that can convince people like Stephen Hawking that God exist.

Yes, of course. Though, I do disagree a Hawking or a Dawkins or the late Sagan are the most cynical people I could think of. I do understand how they are typically taken that way, but I have found, in reading their books, there are many areas they take for granted or otherwise are shockingly gullible in.

But, I work in security and look for such things. I can see why others might cite them as authorities of observation.

Far more cynical scientists I would suggest are those deeply engaged in cognitive behavioral analysis. They are much more tuned to weeding out deception and tuned to the incapacities of human perception.

Or con men, those who specialize in managing confidence. A gypsy who regularly poses as a medium, making money to do so, would be one really hard core skeptic. But, even they can be conned.

Philosophers of certain ilk more strike my taste for such matters. They do not have the obligation to accept any evidence whatsoever or anything as necessarily true or well known. Long list of names of famous philosophers who are very interested in contesting all knowledge, all together. Astro physicists do tend to sometimes get into that area, but nowhere near as much as philosophers of those ilk do, or con men, or cognitive behavioral psychologists who focus on deception.. and deception detection.

Ezekiel Lovecraft DaedulusMarch 23, 2015 2:23 PM

@vas pup

How additional information about personality could be extracted from face photo postings on social media
"Our faces aren’t just the product of our biology. We can’t change our genes or our hormones – but by cultivating our personality and sense of self-worth, they may begin to mirror something far more important." My guess is that level of aggression (if you have base line photo) could be assessed by recent photo postings for security purpose.

The guys behind the "lie to me" series have some solid books on face reading. Body language tends to be cultural, but facial language tends to be universal. Also, deception or emotional conflict can be measured by noting inconsistencies in the "alphabet" of facial language, such as "microexpressions".

What I do not think has been much done is in studies of criminal faces and trying to profile them versus ordinary citizens. Or in studies of psychosis and related severe mental issues. But, if one goes through, say, pictures of mob bosses, or mafioso members, or pictures of people with some manner of sociopathic and psychotic behavior, there does seem - to the naked eye - certain postures, body language, and facial language which very well may be universal.

Further, there is universal language, body and facial, when people are involved in conspiracies. Problem is that people routinely have consensual, group shared secrets, so you would have to filter out that sort of detection. Another problem is interesting people may literally adapt body and facial language congruent with entirely unsuspicious people most of the time. To really do that they have to *be* the part.

Most, however, do not, and even those who do will slip up. There will be inconsistencies in their nonverbal language that gives tell tale clues.

Detecting aggressiveness by nonverbal language by just one picture, I think would have extreme false positives. Also, very aggressive criminal offenders very often are sociopaths who have to act as part of their daily interactions with people. And those who are not already tend to stand out and have many social problems.

Committed terrorists are another matter entirely. That the 911 hijackers went to titty bars and such before the attack says they had professional training. Which they did, as both the CIA and ISI trained their masters. That activity helped them "be the role" of not a grim faced suicide attacker, but a regular, everyday passenger. ISIS, of course, completely different matter, as is the everyday typical mass murderer or terrorist, many of whom suffer severe paranoid delusions and varying levels of psychosis.

Ezekiel Lovecraft DaedulusMarch 23, 2015 2:38 PM

@Buck

I wrote:
"Most likely the poster set the terms of the conditions for communication."

I am not at all surprised, despite this conclusion that, on re-reading the posts the author made pains to attempt a denial of this very fact.

They came to me as long as the nerves, until I got to know through any worthwhile IT guy who gave me this web site made it ready.

Fact is this is the last place someone would want to set up a cryptic dead drop, unless they felt they had a strong emotional reason to do so. A compulsive desire to flaunt their activity, and some manner of emotional connection to some regular posters here which would inflame such a desire.

WaelMarch 23, 2015 3:14 PM

@Figureitout,

I see. A couple of unintentional typos or auto spell "corrections". My mind was in a good place, I think, as I still maintain what I said! BIOS vulnerabilities rear their ugly head again... Will have something to say later.

FigureitoutMarch 23, 2015 3:32 PM

Wael
--I do too, but it's very ugly and not a lot you can do. Good they rear their head, put the damn jumpers back on motherboards, and also, routers, no more flashing over ethernet and put on jumpers. Such simple, yet strong countermeasures (then you just need to secure image on website, actual code, MITM attacks, and so on...).

Traffic Light Never Turns RedMarch 23, 2015 4:47 PM

@ Ezekiel:

"The final phase is then quiet assassination and replacement with doppelgangers."

So the movies "Starman" and "The Last Starfighter" are docudramas? I knew it!

Ezekiel Lovecraft DaedulusMarch 23, 2015 4:59 PM

@Traffic Light Never Turns Red

"The final phase is then quiet assassination and replacement with doppelgangers." So the movies "Starman" and "The Last Starfighter" are docudramas? I knew it!

Lol! (-:

Well, I was thinking more "Millennium" or especially that awful [in a good way] pod people movie, but yeah, lol. Forgot about Starman, that was actually a really creepy in a good way one. Have to rewatch the last starfighter, can not recall that there.

Pax, I noticed is on netflix now, and may rewatch that. Memories. Much more subtle implementation in that one, but was there near the end.

... I suppose Dexter has this sort of thing as well, but just in the books. And not exactly replacing the guy, but then, he had that going back to childhood. So who is to say.

... surely some horror movies of late I am forgetting, lol...

Ezekiel Lovecraft DaedulusMarch 23, 2015 5:17 PM

@Buck

And on that organization's reference, my thinking was a supernatural one. Slang for a celestial being who may appear dark considering where one's point of reference is. With some nod to the movie, and some friends' nicks they have used in the past. [The early 90s, don't know any these days by such a nick, that I can recall.]


But, highly amusing and alarming reference. (-:

BuckMarch 23, 2015 5:36 PM

Wasn't sure, but I had came across that reference recently, and thought it a possible influence. Not familiar with the movie of which you speak though...

Traffic Light Never Turns BlueMarch 23, 2015 6:03 PM

@ Ezekiel:

The Invasion (2007) is another one.

"Pax, I noticed is on netflix now, and may rewatch that. Memories. Much more subtle implementation in that one, but was there near the end."

Do you mean "K-Pax" - if you do, there are signs throughout the movie but yes the 'transmission' is at the end, for those who know what I'm talking about.

SoWhatDidYouExpectMarch 23, 2015 6:09 PM

Here 'tis...

First Prototype of a Working Tricorder Unveiled At SXSW

http://science.slashdot.org/story/15/03/23/1954242/first-prototype-of-a-working-tricorder-unveiled-at-sxsw

How long before this is no longer a prototype, and every policeman, security officer, lawyer (why not), doctor, courtroom, judge, jury, et al, will be equipped with this device. Effectively, it becomes the mind and body reader for the ages.

Let's see, how many gigs of memory will it need to carry along a copy of the "no record list" for the one percenters that need protection of their ...whatever... from the general populace?

Why, your personal tracking device will probably be tri-recorder equipped, so you become part of the problem (the only part of the solution for the 99% is to simply be sheeple).

Ezekiel Lovecraft DaedulusMarch 23, 2015 6:17 PM

@Buck

http://www.imdb.com/title/tt0109506/

Representative of more grim years, though I have a shirt I wear. More as a statement of humor these days. The symbolism is of a guardian angel represented in that form. One with significant power, and enough to bring the main character back to life for a mission of revenge. Graphic novel was written by a survivor of murder, if I recall.

The only way to kill the main character was by killing the bird.

Ironically, the actor playing the main character died in the creation of the remake.

Ezekiel Lovecraft DaedulusMarch 23, 2015 6:26 PM

@Traffic Light

Ah, interesting, will check that one out, I see it is on Hulu... thanks for the recommendation.

The cast reminds me of the - I thought - superb "The Others", but that doesn't really count as doppelganger replacements. I suppose kind of along the same theme, but without the whole, "What happened to my spouse" context. Of course, Them, a classic, also has a slightly different take on a similar theme. Though that theme is just much too used. "V", of course, though, I suppose is similar in vein... though these days getting a bit sick of the whole "evil lizard rulers" conspiracy theory.

Yes, K-Pax. Ah, I probably did not notice those indicators through the movie, but just noticed it at the end... good reason to rewatch it, besides Kevin Spacey (I suppose no pun intended there) is one of my favorite actors.

And Mr Bridges. Lol. Who did the similar theme so well in that other movie you mentioned.

Jacob on the river Lethe March 23, 2015 6:34 PM

@figureitout why not? Wait you are awfully eager for free beer. Are you an Aussie? They have cost me a lot of both lager and games of snooker over the years. ;)

@ezekiel I agree. I misunderstood you. Now as far as psychological aspects. I always thought the terrorists went to titty bars because they could and were going to be absolved by martyrdom. The cover aspect never occurred to me. I have thought that lie detectors were more effective because of a skilled interviewer. Surprise usually allows micro expressions to leak through. The test itself is marginal in my view. I tend to think targeted would be more effective than mass surveillance.

People can and do look for purpose and connection. The Internet allows unanimity. However, it is bad in that psychological breaks can happen. They have done some studies with social media. The more someone lies, projects, more of their view of how they want others to see....the more the mind rebounds and unbalances. An example would be politicians, business, etc. They project confidence with public, descend into paranoia or more likely we find out they like biting women's bottoms when drinking. Recent pol. Or tapping feet in bathroom stalls. Manifests in poor decisions executed quickly. Excessive use of selfies and bragging on Facebook comes to mind.

However, the need to project perfection is counterproductive. Most people are fairly forgiving about flaws when people are honest. We pay a lot of money for comedy. Rather than tap dance with customer when something goes bad, just say sorry I will try to correct it. You can win them over and even build business. We can empathize and root for the underdog because we all feel that way in some aspect of our lives. The old adage applies. If you think you may be nuts, you are probably o.k. If you know you are sane, you may be nuts.....Keith Richards is popular for a reason. Technicolor yawn included with musicians talent. Politicians could learn that. Same with business leaders.

Current situation is odd. Bread and circuses, cynicism. It is going to be interesting.

Posting here for secret purposes? I guess. Seems a hard way to communicate. This blog is certainly looked at. I think it would be easier to stick your Di&$ In a hornets nest and less painful given some groups capabilities. But then as you said the security industry pushes some in that direction. Better to play it straight.

Maybe they need an Internet Anonymous group that could help. Oh wait. Nevermind.

@figureitout and @wael I haven't looked but why wouldn't replacement with ROM work? If the pinouts were close enough, or snipping an input pin. BIOS chips can be reflashed. CMOS breach would be sneaky. Open source BIOS as discussed earlier would help. You used to be able to flash them with light or with DIP switches. Those type of chips may make a comeback.

Ezekiel Lovecraft DaedulusMarch 23, 2015 8:38 PM

@Traffic Light

Actually, lol, have seen that movie, and will have to pass, though in looking up the reviews I was unaware there were five remakes of Invasion of the Body Snatchers. The one I tend to think of is with the elder Sutherland. Really good horror angle, surely it has been used more than I can recall. But, I think, not so much.

Terminator 2 did it okay.

Under the Skin explored the overall theme, really hard to improve on that, though that presentation kept a lot of the unrealness flaw that also Invasion of the Body Snatchers faced, which Millennium did not have and so was much more... insidious.

Holy Rollers had a bit of that flair, but I need to finish it to really comment.

@Jacob on the river Lethe

Interesting comments.

I always thought the terrorists went to titty bars because they could and were going to be absolved by martyrdom. The cover aspect never occurred to me. I have thought that lie detectors were more effective because of a skilled interviewer. Surprise usually allows micro expressions to leak through. The test itself is marginal in my view. I tend to think targeted would be more effective than mass surveillance.

That theory on the 911 hijackers is mine, maybe some others have had it. I have not studied the subject very much, and would be surprised if they did not. It may have had two purposes, or maybe your consideration is alone correct. I do not recall reading of either the CIA or MI6 utilizing that exact technique. I do recall the CIA using a technique of passing areas by setting up duplicates of the areas and running many rehearsals. Not unlike with acting rehearsals, at all, and the person involved did come from Hollywood.

There would be multiple uses for such an activity: one, if someone asked them at the checkpoint if they were okay, they could chalk it up to a hangover which they may really have had and so would exhibit signs of. Two, if a situation arose where their intent was under suspicion, they could bring up that visit truthfully in conversation and so set at ease any interviewer. And, as noted, three, it simply generally would lend itself to priming their minds as being - for just a little while - just another everyday person who is decidedly anything but extreme religious.

I was not noting this as a mechanism for bypassing lie detector tests, but simply for bypassing checkpoints without, for instance, dripping in sweat, reeking of fear...

As far as I know, lie detectors are reliant on the capacities of the person giving the test.

From my rather limited understanding one key point of importance is for the lie detector to set up some specific manners of stress.

Mass surveillance, I am not sure how you worked in there, but I would agree that I believe it is prone to extraordinary error. I was thinking of mass surveillance in my above post to vas pup, and specifically, however, of grabbing targeted surveillance from mass surveillance pools. eg, "let's see what video we have on this person already". But that was just fitting in with that post.

I am sure, however, the far better case scenario is when a suspect is under extraordinary surveillance and his or her behavior analyzed using such cues as I indicated in that post.

However, I can see that sort of technique also being applied at some choke points. For instance, a dead drop is found in a certain city park or bookstore. Up the surveillance video and utilize those indicators to help detect possible spies. (Again, glamming up this, though my case examples of mobsters and spies was not without reason, as both sorts of individuals will have distinctive nonverbal language due to, as you are well pointing out, the dissonance between their inner and outer self. To put it one way.)

People can and do look for purpose and connection. The Internet allows anonymity. However, it is bad in that psychological breaks can happen. They have done some studies with social media. The more someone lies, projects, more of their view of how they want others to see... the more the mind rebounds and unbalances. An example would be politicians, business, etc. They project confidence with the public, descend into paranoia, or more likely we find out they like biting women's bottoms when drinking. ... However, the need to project perfection is counterproductive. Most people are fairly forgiving about flaws when people are honest. We pay a lot of money for comedy.

I agree, on the front of just being true to one's self, and kind of have to, as I have a distinctive manner of flamboyancy.

On the security angle, though I already led into that statement of yours, I do agree that dissonance will cause indicators. Spies, deep undercover agents, or people like spies are the more interesting subject in that problem to consider, I think.

But, I should add here, I think it really can depend on what situations the person is in. In many contexts, short of actually meeting support contacts, they would be near impossible to detect and would be better masters of image control even than the real people around them.

This might be especially true if the person they are posing as is so radically different from the real person. For instance, a DEA agent posing as a biker on a long term assignment probably would have a far better disguise than a deep undercover spy posing as a stockbroker at a major firm. So, I think the dissonance there can help, but other factors contribute, such as the severity of paranoia of the group, and the severity of possible cost if detected. That puts enormous stress factors on them for success and 'day in, day out' they would be hammering that into their unconscious.

I would normally agree with you about alcohol and leakage, but this is very often not the case, even when they are blackout drunk. I am not sure why, but just what I have run across, in reading. One famous one remarked on his own puzzlement about this and concluded that he was just that deeply compartmentalized.

There are probably ways to key or jack up those points of dissonance. But, it is also true everyone has a wide variety of hats they wear, and everyone has a wide variety of secrets. Really a stronger indicator in those situations, I would think, is just how well people can handle dissonance tests, especially extreme ones. If they are all too good at always having an answer, one can catch them at being just a little too good for a cursory glance at being ... that which they are not presenting themselves as.

But that alone might just prove they are a really good liar, or quick witted, and is not conclusive proof of anything else on its own.

In my opinion, longer video, longer interactions will tend, however, to pull out a certain unconscious uneasiness from people. The more experience one has in such roles, the more attuned they likely are to others like themselves. Though, without indicators they can give conscious voice to, that would just remain at a hunch level... a feeling... which is all too easy to confuse or otherwise make subside.

Posting here for secret purposes? I guess. Seems a hard way to communicate. This blog is certainly looked at. I think it would be easier to stick your Di&$ In a hornets nest and less painful given some groups capabilities. But then as you said the security industry pushes some in that direction. Better to play it straight.

My analysis on the one poster's crypticness was really a product of binge watching 'criminal minds'. Normally, I find it distasteful to call out such behavior, it is rude, and it runs against the principles of fair anonymity. Considering how people innately judge others outside their own group based on a literal chemical bond to those in their own group, that level of light anonymity is extremely conducive to conversations.

Playing it straight... I don't even smoke pot anymore. Used to hard core in the nineties and eighties. In comp sec, if you have skills to find security bugs, that puts you on a radar. I do like security subjects, though, and like to be able to be open and get into thoughtful discussions on the subjects. So, no pot smoking for me.

Though, I am generally a bit wary of people's capacity for mob mentality, to begin with.

For people I have run into who go too far in considering security constraints, frankly, my post-mortem consideration was they may have been some manner of agent. At the time, I was blind to this consideration. They seemed so serious. But, afterwards, I realized that I knew nothing about them. And I deeply considered how all of that was likely a clever distraction, a suitable ruse.

Still, I would be hard pressed to say this about every super, over paranoid person I have met in the field. I would also be hard pressed to say all of them were likely involved in anything at all. Defcon... which I tend to avoid... wow, the paranoia there is thick. The misidentification is atrocious. And considering that most don't even do anything more illegal than smoking pot (if even that), yeah... really it begs the question, "What, on earth, are you doing that makes you so paranoid of everyone?"

With closer friends, or situations where I had to vet people, such as for a job or open source project, I have dug into such people before, though. Came away largely convinced they were just OCD.

As a security practice throwing out all of those indicators of so deeply wanting personal security from even nation states... though, always reeked to me of, "I am guilty, I am guilty, I am guilty".

Personal confession, though, I was an extreme risk taker as a teenager, and sometimes at other times in my life. I could not get more annoyed at someone freaking out about seeing a cop. Say, like, when driving eighty down a road with the driver passing the bong around, lol! :-)

That stayed with me. There are people who can smoke pot in public and get away with it, and people who are "busts". My friends have always been the sorts who smoke pot in front of cops and do so, so casually, the cop does not even look. Coolness is a very high virtue which I admire.

Don't always live up to it, but hold it high in my morality table.

FigureitoutMarch 23, 2015 11:23 PM

jacob on the river lethe
--Ha, well I like to drink and I'll *maybe* drink you under the table. I'd probably do a quick "scope out" of the bar, then do a random change. Any obvious tell-tale signs and I'm gone; I don't engage anymore w/ it. It takes ~6 months before I consider trusting someone b/c someone would have to be undercover for that long and that's way more money and time than it's worth lol.

Still want to have a beer? Lol, just do a virtual cheers; I'm still sane enough to realize I'm pathologically paranoid for probably the rest of my life, b/c I always get screwed when I let my guard down and relax, always.

RE: chip replacement
--It won't work on the board unless "pin compatible" or you really hack it up, there's some electrical details (depends on what's on the board really); and if it's "pin compatible" whatever malware or non-malicious real error will *probably* still work. I'm typing on a PC where I used to suspect (still do, kind of) SATA controller issues and (there's been reports of that coming out, stating replacements of a lot of boards for just "regular failures" but they could all be made-up bullsh*t covering up test attacks that failed and ruined the hardware or actual attacks just meant to ruin the hardware) some of this f*ckery going on. My laptop has begun "acting normally" (details aren't given for OPSEC reasons, can't know what I know etc.; I take some actions to screw up this intel, which has yielded gold to me) again suggesting malware being extracted before I find it or just give my computer to a malware researcher. Otherwise I need to set up a PC to dump this (and safely store it) that I can trust doesn't infect it too and just continue the chain of infection and never both contain it, compare it to what should be clean/normal, and expose it.

I do much smaller firmware work, not these larger chips, x86 ASM, and different kinds of peripherals. Even these smaller chips (that are actually huge) still have a formidable amount of firmware that's just...f*ck...

I'm wary about UV chips too, I don't think UV rays will be the only thing able to wipe it. I get nervous w/ any kinds of receivers (I have basically zero use for wifi/bluetooth cards connected to usual places on boards, I use USB-wifi if and when I need it (which is quite a bit)), connected to a chip...nope...OTP chips, that's where I'm looking. Just have to develop a working ROM first and they're hard to work w/; and I don't want these new insane chips for this, they're not made anymore...

J on the river Lethe March 24, 2015 12:13 AM

@ezekiel

True, people can hide dissonance or deceive. Undercover agents can and do. But usually it costs them intimacy and relationships. You and I could both be right on why they went to bars and drank. I am very sure they were studied by the U.S. post-mortem.

I have always had OCD-like or something else tendencies. Having an eidetic memory of sorts allows me to keep up in conversations as I jump mentally back and forth. Also, weird, but I see words, or places..... visual to the extreme. When I spell words, I am simply reading off the letters. The word floats 6 inches away from my forehead. Weird, but I see tech and places the same way. I have no idea what that would be called. In the last couple of years my ability to tamp down that lane jumping in front of others has slipped a little.

Lol I have a very unique idea for encryption, but can't find anybody nearby ( I don't travel well) who can visualize what I am talking about. :( or I can't explain it well enough. It would need to be tested, evaluated etc. After programming. Right now it is just bouncing around in my skull. I have read Bruce and others so I understand the cautions.

I can only take a couple of episodes of Criminal Minds at a time. Just too depressing. I like science and scifi. Risk taker? No problem within limits. No Darwin awards, ok? Pot? Don't care. If they outlaw caffeine or nicotine I am in real trouble.

I would like to go to defcon just once. The level of paranoia? Yea. But interesting. It would be a real test of locking down of personal devices. Personally I would love to set up some nondestructive traps? Evil grin.

Personally I find the subject of security interesting. Security defense and offense. Yin yang. However you define it. Maybe someone needs to write a book. "The Zen Art of Computer Security" lol. Btw, people are putting security cameras everywhere and DVRs on their networks. Somebody needs to check those out. Linux or "locked down" Windows? You just put an unknown device on your network!! Check programming, chips. Arrg, or the programming on cameras. You just put an Ethernet and Ethernet-powered camera on your network. Well?

Lastly, I think the good guys can always win in the end. Why? Because the bad guys by definition are at least a little broken. It must show up in subtle ways even if only in logic or imaginative thinking. Perhaps I am basing this on religion, wishful thinking, or self delusion. I may be self aware enough to ask the question of basis but not able to answer as it applies to myself.

J on the river Lethe March 24, 2015 12:54 AM

@figureitout
Dude I can't offer a beer worth that much effort.

My only goals for going out are decent conversation, drink some beer, and eat so many greasy chicken wings that my bathroom will sound like I am trying to summon the Kraken. Nothing else.

So! Ok! cheers! A Virtual beer it is! May I offer you a nice boilermaker? 😀

Umm, ok. You must have one hell of a test bench setup. Envy here.
Yea, the Raspberry Pi xenon death flash comes to mind. Funny!

Cheers! Another round!


Gerard van VoorenMarch 24, 2015 1:26 AM

@Ezekiel Lovecraft Daedulus

Let's return to the original statement. You said that God exists.

Fine I say, let's back up that claim with Proof. What happened then was a lot of words but no proof.

Ezekiel Lovecraft DaedulusMarch 24, 2015 3:04 AM

@J on the river lethe

True, people can hide dissonance or deceive. Undercover agents can and do. But usually it costs them intimacy and relationships.

Well, there are many forms of hiding, and many types of secrets. Jim Morrison is one of my favorite examples of such a person. Comedy wise, just finished up Unbreakable Kimmy Schmidt, and that is another good example.

(Plot: woman was kidnapped as a teenager and forced to live underground for fifteen years, the story goes viral, she is called a 'mole woman'. She attempts to hide all of this as she adapts to life in the big city. Hijinks ensue. My single favorite scene is when she has to make up the name of someone to back up her ludicrous story, and she mentally picks out various parts of words from objects around the room which eventually spell out "Keyser Soze".)

You and I could both be right on why they went to bars and drank. I am very sure they were studied by the U.S. post-mortem.

I am not sure what my opinion is there. The agents I can recall from books I have read or documentaries I have seen who drank on the job, it was part of the culture they were infiltrating. But, clearly, they also used it to self-medicate.

In many other contexts, my understanding is that behavior is typically very frowned on, especially in jobs requiring access to secrets.

Jim explained his drinking as 'it is a good disguise'. But, his friend, John, said that his alcoholism proved he was deeply insecure. Ironically, his tombstone reads (from his father) that he was true to himself. And I think anyone would agree. But, as he told his girlfriend Mary, in Florida, he felt people wanted him to wear a mask.

So there is that dissonance there, and that can be a contributor to alcoholism.

Not sure about post-mortem analysis. You seem to have made that sound a little real. I have only had one person I know - besides grandparents - die on me. I am sure they did an autopsy and looked at his body and confirmed it was really him.

I have always had OCD-like or something else tendencies. Having an eidetic memory of sorts allows me to keep up in conversations as I jump mentally back and forth. Also, weird, but I see words, or places..... visual to the extreme.

Eidetic memory, is one thing, I have a similar memory. OCD is an anxiety disorder, and I would suggest watching "Obsessions" to get a good idea of it. My own last diagnosis label I received was a long time ago, and was severe enough I feel uncomfortable mentioning it. Actually, most of this is "too much talk" for me in such a forum. Probably need to jet and go dark for awhile. This sort of forum, and especially open talking exacerbates it.

... getting started in security, not much I can offer there, unfortunately. I find some are good at some things, some at others. People in my specific area invariably are quick studies who can quickly learn material which is very complex. But, I prefer to limit work exposure on the forum...

Lastly, I think the good guys can always win in the end. Why? Because the bad guys by definition are at least a little broken. It must show up in subtle ways even if only in logic or imaginative thinking. Perhaps I am basing this on religion, wishful thinking, or self delusion. I may be self aware enough to ask the question of basis but not able to answer as it applies to myself.


That is more my real area of speciality, frankly, but again, this forum is not best for such topics. As you intimated, lotsa bread, lotsa coming circuses, and the world has a whole lot of cynicism.

There is this old movie where this impossibly gigantic group of bad guys loads up their saddlebags with dynamite. The two shooters take out hundreds of them because of that flaw. That is cynicism for you right there.

In this situation, however, you are talking about "the end", you are talking about superior numbers and capacity in every possible way.

Cinema, technology, can prepare the mind in certain ways... but there are capacities there which are not nearly as well known. Very dreadful capacities that is hidden in the writings, but people tend to consciously pass over and never really give much thought to. Living machines. Impromptu, impossibly vast virtual realities. A single spirit possessing four hundred people at the same time for a disinformation campaign. So very much more.

All of that is out there already, unseen. Some of the wildest sci-fi and fantasy builds the tiniest of bridges to some of the ideas. But, really, it is a very, very far way away from what people ordinarily consider.

More like a sign just pointing in the direction of the road, and that is one very long road.

And, speaking of, there is my alternate persona right there, which I have to hide. Big difference with undercover agents and spies -- I don't have any potential for loss. Not in that way. Like the movie above, okay, they could kill the bird in real life. But, you can't kill a spirit. And you especially can't kill an enormous number of spirits.

Which, I should have mentioned, was my real scenario: as a child I saw this giant tornado of black birds screaming. But, I have seen many things.

One metaphor I like to use is as a vast space ship which is on earth, but also hovering above, entirely invisible, blending in wherever it goes. There are people on the ground, but they are like avatars. Torn jeans, pictures of mom and dad, children -- you can go to their home, whatever. Look em up, wherever you go, proof will be there. People have poor memories and everything else is alterable as well. Instantly. In-depth.

So, I talk about stuff in terms of computer security, espionage, cover identities, legends, false fronts, disguise, and so on. Things that have a remote parallel.

Which came first, the chicken or the egg? The chicken did, of course. Poof. Like Cthulhu, out of the mind of Lovecraft.

There is a Cthulhu, out there, a Leviathan... and it is enormous and dreadful in scope. Few see it now, those who do are like those in Prometheus or The Thing. Grim faces on the water with a grim purpose. And touching it, they never forget the woe. They report back, it gets to the leaders. The leaders are in dread from the reports of it.

It is hidden and it is not one, but many, but it is there, people just can not see it yet. Rumor & legend. The oceans move, tsunamis come, hurricanes form as it moves. They know there is "something" "out there", but not quite sure, yet, what.


ThothMarch 24, 2015 3:10 AM

@tea_drinkers_and_tea_lovers
Tea came from China, mostly in the province of Yunnan. Emperor Shennong first tasted it (supposedly) from a dried fallen tea leaf and it became medicine. The Han dynasty expanded its territory and spread the cultivation of different variants of tea leaves, and the tea drinking culture was stirred with enthusiasm amongst its scholarly communities as a drink of the learned people and the sages, and into the Tang dynasty we have the matcha green tea (steamed and powdered green tea) introduced to Japan.

Different dynasties of China prefer to drink different types of teas. The Mings liked raw loose green teas that reflect their farming/agricultural roots and the Qings with the leaders from the Manchus prefer the fermented Pu'erhs.

The teas were split into export grade and internal use grades. Export grades are for foreigners and have their essence in strong and robust aroma and taste due to high levels of fermentation and roasting (to keep it as dry and survivable during long distance sea / ocean / land trips). Usually the export grades are mass produced, cheap, not of high quality and heavily roasted to survive long trips.

Internal use grades are much more delicate and, due to the bias of the Chinese, the good stuff is kept at home (yes, the Chinese love to keep the highest secrets away from the unworthy foreigners) and these are highly valued artisan teas (Tieguanyin, Longjing, Dahongpao, Biluochun ...etc...). The internal teas are split into tribute grade, official use grade, commoner grade ...etc...

The white teas Clive Robinson mentioned are export teas mimicking exquisite Chinese teas, made up during the 1800s to sell to foreigners, marketing it as some exquisite Chinese tea, but in fact this variant and cultivation method was deliberately made for the Brits to earn some British silver. Most white teas are low grade "White Peony" while the more expensive "Silver Needles" have lots of duplicates and need to be carefully procured.

The Brits became troubled by their silver flowing into China at a strong rate due to tea, and China wanted nothing of Britain, and the one last resort on the table was opium to regain the lost silver. Opium was sold to China as a miracle medicine and the Emperors were forced to sign deals with the Brits to legalise opium and to mass market it. China fought and lost two Opium Wars (mostly due to internal corruption of the Qing Government of China) and from then on, the Chinese empire spiralled out of control with rebellions and civil wars getting more frequent.

The Brits moved tea planting to Ceylon for the Chinese cultivar, and the Assam variant was found in .... Assam / India. Assam was also widely promoted and recently the state of Assam made it a "State Drink". Those from Ceylon and Assam are export teas (mass produced and mostly of lower qualities for tea bags). Darjeelings are more expensive Chinese cultivars and there are ratings for them on quality. If you are getting high grade Darjeelings harvested from spring time with lots of "tips", then it's some sort of "liquid gold" and you gotta pay the price for such fine quality leaves. Overall, the black teas are the best sellers due to the Brits (Ceylon's production and Assam). Now there's even Kenyan / African / Southeast Asian black teas with the teas transplanted to increase production.

If you enjoy tea drinking, get the good stuff and look to East Asia (China, Taiwan, Japan, and South Korea is also catching up) for the hand-made artisan tea leaves, but at the risk of being conned if you are too new to it.

If you want a daily cup, the robust Black Tea would be your friend. If you want a mix of both a daily and an enjoyment, take both (like I do personally). I usually take artisan teas during free time for enjoyment and for breakfast teas, they would be the robust and quick to brew stuff for gulping down with meals.

Clive, the Harrods Ceylon teabags are quite good for enjoyment or meals :).

Ezekiel Lovecraft DaedulusMarch 24, 2015 3:51 AM

@Gerard van Vooren

Let's return to the original statement. You said that God exists. Fine I say, let's back up that claim with Proof. What happened then was a lot of words but no proof.

I don't mind adding some color to posts, but I am not interested in a theological debate. I made that initial post to someone else. I do not mind responses to such material, it would be limiting otherwise. Even polite, skeptical responses. I like when people consider things they have not considered before.

My response to you was simply a polite answer.

I get there are various global debates going on, some surrounding such matters as this. Some people demanding proof. Some people countering that those demanding it already have enough proof.

*shrug*

Obviously, you do not have adequate proof. I am not stating otherwise, so.... I think you have me mistaken with someone else.

To me, you might as well be demanding you meet my boss. No, you can't meet my boss, and I would not even ask such a question of them. I am confused as to why you are even asking, and bewildered at the request.

I am not demanding proof for what you believe, in fact, I do not even care what you believe and probably wouldn't question it.

Maybe out of polite disagreement. Maybe not. Who knows.


Dirk PraetMarch 24, 2015 9:09 AM

The US accuses Israel of spying on Iran nuclear talks

OMG! Outrage! We are being spied upon by one of our allies who's using classified intelligence to brief members of our Congress. And we found out about it by intercepting communications between Israeli officials exchanging classified information. And this information was leaked to the WSJ by senior administration officials, which probably makes it an unauthorised leak of classified information.

Bwahaahaaahaa ...

ThroopMarch 24, 2015 10:22 AM

jhr. Priet, maybe not authorized, but certainly concerted and international. Well-connected intel old-timers are corroborating what Sibel Edmonds says and putting it in context. There is blunt support for this in public statements of treaty bodies (particularly that of the NPT, which will go further in its review in New York late next month.) The amusing hypocrisy is one sign of an all-out factional conflict among US elites.

BoppingAroundMarch 24, 2015 11:01 AM

Off-topic.

Thoth, while you are here I'd like to ask a question. Perhaps you know if abacuses are still popular in China? I have just read an article in a local newspaper claiming that.

Thanks.

Ezekiel Lovecraft DaedulusMarch 24, 2015 2:47 PM

@Dirk Praet

Looks like the US is taking a hard face towards Israel, probably as a part of an expectation the two countries will clash soon because of Netanyahu's promises on his stance towards the Palestinian territories. I definitely expect some really massive Middle East firestorm by late Summer, early Fall. All of the conditions are there for a "perfect storm".

Too many wild cards in play to say what that might be.

@Throop

jhr. Priet, maybe not authorized, but certainly concerted and international. Well-connected intel old-timers are corroborating what Sibel Edmonds says and putting it in context. There is blunt support for this in public statements of treaty bodies (particularly that of the NPT, which will go further in its review in New York late next month.) The amusing hypocrisy is one sign of an all-out factional conflict among US elites.

That is a covert, Iranian intelligence controlled site.


More information on it from the highly esteemed Southern Poverty Law Center:

http://www.splcenter.org/blog/2011/01/06/buyer-beware-veterans-today-and-its-anti-israel-agenda/


ThroopMarch 24, 2015 6:50 PM

Iran, yes well, PressTV used to give VT a soapbox, but since VT denounced them for selling out as Al Jazeera did, the "Iranian agents!" attack doesn't work so well anymore.

But that's quite a damning association with the murderous mafia that is now killing Moslems execution-style. Oh wait, that would be FBI, not Stormfront. FBI outreach partner SPLC... if memory serves they helped finger those poor saps Nichols and McVeigh but not the other guy, oddly.

The SPLC attack on VT's accusations is interesting, impugning the site based on the CIA magic word "conspiracy" and relying on the very idea of Israeli government crimes to frighten you off (They'll exterminate Palestinians, but armed attacks on civilian populations offshore... that's where they draw the line!) It might work, except that the forensic substance of Duff's charges is so extensively corroborated by FBI whistleblowers and NPT treaty parties. It's not easy to put lipstick on the Marc Grossman pig. SPLC thinks you can't tell the difference between Jews and the Israeli regime but that shtik is falling flat now that the Likudniks have burned their bridges.

ThothMarch 24, 2015 9:11 PM

@Dirk Praet
Maybe all these Israeli spying on US and vice versa are just drama as usual. Israel might actually be deliberately "hinting" to the US that it knows what's going on during US discussions on Iran and to make its presence felt (US supposedly finding out Israeli officials' conversations regarding spying programs run by Israel). Some sort of political + spy master classical mind games (just like the Cold War).

Dirk PraetMarch 24, 2015 9:31 PM

@ Moderator

It would seem that @SOBUS is either a bot or someone who's had an excellent mushroom harvest this year.

WaelMarch 24, 2015 10:54 PM

@Jacob on the river Lethe,

I haven't looked but why wouldn't replacement with ROM work? If the pinouts were close enough or snipping an input pin

That would work for some cases given that you are able to get an image to work "well" with your hardware and enable the latest features. It wouldn't work for all "subversion" possibilities.

FigureitoutMarch 24, 2015 10:56 PM

j on the river lethe
--It's all good. Just go start talking to random people in the bar. Used to never be able to do that.

RE: kraken
--Yeesh, thanks for that picture...

Sure, I'll try the boilermaker, cheers. *glug glug glug* Yum! Good thanks. *minutes go by* Hey so what exactly was in thish shthing again? Why do I feel sleepy...oh no...I trusted you! Noooo! *passes out, wakes up in a dark bathroom, hears this...* ;p

My bench setup can be improved a lot, want a good scope, more space, more tools, and of course I always want more computers.

Yeah, the "death flash" issue, which can't be healthy as it resets the chip pretty harshly, is one of those bugs that are great and interesting once found but the bane of my existence when I run thru all the potential causes... assuming it can even be recreated reliably, which is a luxury in itself...

Thoth
--Well well, Wael's been outdone. You're the new "Snobby McSnob" (how can you even see holding your nose so high in the air? :p). Some of us just like brown tea over green tea, thank-you very much; and don't like little bits of leaves in the drink too. Also don't mind extra roasting the leaves, I like many things "overcooked" anyway.

Dirk Praet RE: sobus
--I'll take responsibility for that. I told him I'd drink him under the table, yet he wasn't convinced. "I'm a man pussy, pour me up a drink" he said, famous last words. Some say he still hiccups to this day, echoing meaningless nonsense on message boards across the internet...

Ezekiel Lovecraft DaedulusMarch 24, 2015 11:19 PM

@J on the river lethe

On a more plausible note:

I would like to go to defcon just once. The level of paranoia? Yea. But interesting. It would be a real test of locking down of personal devices. Personally I would love to set up some nondestructive traps? Evil grin.

My first inclined response towards such a statement is that you should be wary of such urges. Though, I am sure one could build some interesting honeypots out for such activity.

Just do not underestimate anyone. Plenty of parties there who do not want to be gamed.

And do not offer up anything real.

Spooks, cops, criminals from around the world really do go there, and with them surveillance teams, support, and plenty of lower rung secret keepers. I am not sure how it would be possible for a single person to ascertain "good" from "bad". At all.

And very often, it has nothing to do with "good" or "bad". Not in any remotely simple to understand sense, anyway.

Wael March 24, 2015 11:55 PM

@Figureitout,

and don't like little bits of leaves in the drink too

*Looking at you with a snobby eye* You need to use one of these!

I told him I'd drink him under the table

Surely you can bong smoke him as well. And that's giving you the benefit of the doubt by assuming you're referring to the first meaning of "drink someone under the table" according to urbandictionary ;)

Some say he still hiccups to this day, echoing meaningless nonsense on message boards across the internet...

+1 lol. Very good! That's something I would expect Mike the goat to say!

@Dirk Praet,

an excellent mushroom harvest this year.

+1 as well :)

Figureitout March 25, 2015 1:01 AM

Wael
--Ha, already got one pleb! :p Still gets more gunk at the bottom of the cup than a bag (I drink the whole cup).

RE: bongs
--Got some stories, but it'll never happen again...This is good though lol: https://www.youtube.com/watch?v=Q4ZZ49iQDTQ

RE: "drinking under table"
--Ha, well there's another term you can probably put 2 & 2 together..."teabagging" someone passed out w/ their mouth wide open lol, a friend did it to a girl onetime. I had no part of it lol.

Ezekiel Lovecraft Daedulus March 25, 2015 1:06 AM

@Throop

Iran, yes well, PressTV used to give VT a soapbox, but since VT denounced them for selling out as Al Jazeera did, the "Iranian agents!" attack doesn't work so well anymore.

That tells me they were found out and made more sure to distance themselves from their connections. It does not tell me they are telling the truth. You can believe what you want to believe, and you will do so. You actually have no control over that.

If I wanted to game you I would pretend I buy into this, I would not break rapport and tell you what you do not want to believe.

Plenty of indicators right at a glance that the site is controlled by foreign intelligence. Far more subtle sites out there.

These sorts of conspiracy theorists buy into the faulty thinking that the only people working out there are Israeli & American. That is far from the truth. And "calling them" out is typically not something anyone ever bothers to do.

According to your world view, I would suggest, then, it is actually American, and they are trying to bring to the surface the radicals. By cycling out extremist viewpoints. After all, I did not source "why" I said they were Iranian. They could be Russian. They could be American. They could be Israeli.

You maybe believe that they are damaging to these global plots you see? They are surely not. That is extreme fringe thinking. This delusion that people can get together on extremely dissonant ideas. That they can group up and get something done. Common human viewpoint, but not meaningful when the people doing so are far outside the loop.

The delusion is only built up by claims to "inside knowledge" on "inside power structures".

Agenda driven media controlled by the forces you claim to fear, America, Israel, who knows what else, that is mainstream work. Always was, always has been. Sure, some subcultures are hit. IT. Doctors. Lawyers. Journalists. Etc. But mainstream with some power.

"Conspiracy", so none of those readers have any secret clubs. That is a conspiracy. Iranians, or whomever, don't need to control such sites directly, as well. Just need a few majors in there they have control over.

It is not about "truth". Iranians are not going to believe that stuff any more than Israelis or Russians. It is about controlling people by telling them what they want to believe. There are other agendas. Information collection. Agent recruitment. And so on.

But that's quite a damning association with the murderous mafia that is now killing Moslems execution-style. Oh wait, that would be FBI, not Stormfront. FBI outreach partner SPLC... if memory serves they helped finger those poor saps Nichols and McVeigh but not the other guy, oddly.

Well, I suppose you can shake your fist at the heavens then, and rage against the 'powers that be'. Not much good it will do you.

Plenty of people in that line. It is wide and long.

These plots you are talking about are just convenient cover for the real power structures. It doesn't matter who says it or who does it. You are talking about out of control, chaotic super conspiracies, and that is not how things work. The larger and more powerful a conspiracy is, the more organized it must be.

These things you are spouting off are just pure nonsense. A bunch of frauds. Nobody losers. Even an Iran or a Russia is not very impressive. "Stormfront" is a bunch of severely disaffected, very fringe teenagers. More concerned about beer and obnoxious music than anything else.

FBI, on the other hand, heck, I am binge watching 'criminal minds'. Slick, smart show. Lots of these shows. Cops always win, cops always catch the bad guys, and in the end, the good guys always win. That's power. And better yet? The FBI actually have very little to do with that image management.

The war is already over. Just clean up crew time.

McVeigh and Nichols were just isolated, garden variety nut balls who bought into some really self-destructive propaganda. No super conspiracy plot there. Plenty of super conspiracy plots going on, and they can be owned up to, as well. Nothing anyone can do about it.

In fact, it is all spelled out way before. Where, how? The Old Testament. There is no chaos, just your own mind reflected back to you. You don't believe and pay the cost. Maybe, like many, you pay lip service. Maybe not. Often hard to tell which group is worse, but they all are on the other side of the line. Out of the know. Out of the power.

So, you are given over to lies.

*shrug*

The SPLC attack on VT's accusations is interesting, impugning the site based on the CIA magic word "conspiracy"

Bzzt. Wrong guess.

But, if you want, I can 'protest too loudly' and persuade you otherwise. Either way, I get something from that.

Believe me, used to guesses. Because there are no leaks. "Sanctioned rogue" is one, but nation states do not buy into that. The false indicators are much too slick for an individual to contrive.

Small teams or agents might, working in the dark. That does not ever last too long.

I did notice that you threw out "FBI" in the first paragraph. Then, "CIA" in the next.

Maybe you could get some sort of telling reaction, of course. Which means you do not have anything, but I already know that.

That reeks of desperation. Desperation which one could play off as a wise bluff, but not to me, nor anyone I know.

Not FBI. Not CIA. Not NSA. Not Army. Not Air Force. Not USSS. Not English. Not Russian. Not Israeli.

I am exactly the sort to play that game and - at times - break off and state the truth while someone continues their guessing game and desperately tries to find some way in.

Granted, *we* are exactly the sort to allow you to believe, even very strongly, you have found a way in. Only to shut that door somewhere down the road.

Worse? You get some sense that happens just to get you motivated. We let people get really motivated, lotsa carrots. Then shut that door and let them sit and brew. Then, we open that door with a full VIP pass. And the whole point was control.

And at some stage or another: the fact that this is truth will keep you up at night.

Best bet. Let it go. See it is all meaningless. Motivation is an illusion. Pressure is an illusion.

But that is not how things are designed.

and relying on the very idea of Israeli government crimes to frighten you off (They'll exterminate Palestinians, but armed attacks on civilian populations offshore... that's where they draw the line!) It might work, except that the forensic substance of Duff's charges is so extensively corroborated by FBI whistleblowers and NPT treaty parties. It's not easy to put lipstick on the Marc Grossman pig. SPLC thinks you can't tell the difference between Jews and the Israeli regime but that shtik is falling flat now that the Likudniks have burned their bridges.

Oh my, you poor dear. A sociopathic holocaust denying wannabe genocidist crying that the good guys are being more mean and evil than you get to be. Gollee gosh, gee whiz. I feel for you, I really do. I wish I were there to give you a hanky.

Hey, I know. I will ring up God and say, "Hey, Boss, this guy wants to lodge a complaint against you, I know you have trillions of complaints, but can we move this guy's complaint to the front of the line please?"

If we are not going to answer the umpteen horde of atheists demanding God present himself to prove his authority and power to them because they are so darned smart and esteemed... why would we listen to the whinings of a sociopath who is only mimicking emotions?

If your intention was to force me to go dark for a few months, you succeeded. Good job!

Real pro. Smart guy.

Because the reality is intermixed with the silliness, I always make sure to throw in some very real golden eggs. Valuable to all sorts. And they know it. Not valuable to us, but valuable to them. So when they play these sorts of games to raise the cost. What do we do. We show ourselves as shrewd.

Believe me, I got lotsa doppelgangers. But we work together and they won't say anything, either. Made to be chased down by even the most curious and resourceful of groups.

However, I will leave you with this consideration: we were the ones who saved Israel during the war. But, we are also behind everything. You think anyone ever has to show anything? If anything is ever shown, it is for a reason. For communication. No other reason to create "avatar" doppelganger [and other, oh so many other] human forms. Real thing.

So, very, very much more where that comes from. Or believe me, this would not be so fun.

Welcome to some times more interesting than mankind has ever seen in all their history, by so much more incomprehensible a distance than mankind could ever even begin to imagine. I would give some credit here to cinema, sci-fi, fantasy, modern tech... but that is just part of it.

Really? What did people expect anyway.

Not much.

Goodbye.


Gerard van Vooren March 25, 2015 2:09 AM

@ Figureitout

About 'tough' games, under the section "Don't try this at home, you have been warned!", have you ever heard of the good old Dutch mussel game? The game is easy and can be played with two or more persons. You serve a dish of boiled mussels with one bad mussel in it. Then in turns you're gonna pick one and eat it (they are delicious) and flush it away with beer or something. The mussel game is the Dutch version of Russian roulette. It doesn't kill (probably) but you spend the night in the bathroom when you pick the bad mussel ;-)

Gerard van Vooren March 25, 2015 3:08 AM

@ DB

I just like to point out the political nonsense. I know that these guys lie when they open their mouths but that doesn't mean we have to ignore that.

When people ask me what's wrong with today's politics, this is it!

Thoth March 25, 2015 8:49 AM

@Wael, Figureitout, tea_drinkers_and_tea_lovers

Drink tea the good olde way:
- http://en.wikipedia.org/wiki/Gaiwan
- http://en.wikipedia.org/wiki/Gongfu_tea_ceremony

Classics of Tea (a.k.a. Tea Scripture)
- http://en.wikipedia.org/wiki/The_Classic_of_Tea

Re:Chips for security
Hard to tell if chips are already compromised. One thing for sure is that RNGs in them are weak (and probably backdoored). A good way to use these chips is to load a key instead of on-board keygen. Split the operations into tiny modules across multiple chips and vendors. This will disallow a single collusion.

vas pup March 25, 2015 9:29 AM

@gr33n g0bl1n • March 23, 2015 4:17 PM. Thank you! I guess when you have mainframe attached direct terminal that is less possible versus PC with mainframe emulator screen - just observation.

@all:
You are watched in your own home:
http://www.bbc.com/news/technology-31808117

@Clive: Do you have in UK monument to Orwell? I guess it should be next to NSA twin brother.

J on the river Lethe March 25, 2015 9:35 AM

@figureitout
Yea, lol. I was actually thinking more along the lines of seminar type get together. I haven't been in a bar in years. But playing along for the laugh as you were doing. But yea it's all fun and games until someone takes pictures.....

@ezekiel.
1. Underestimate? Never. As in sports any team can win on any given day.
2. Desire to interact a little does not mean willingness to stick in crazy or hornets nest.
3. I would find it interesting to listen to presentations and demonstrations.
4. I was not talking about setting up honeypot type ambushes or thinking I'm good enough to not have my ass handed to me or deserve and get "official" interest by being arrogant, stupid, ill advised, etc. More along the lines of hey what about this, did you mean this during presentations, let's try this. I lean towards defense but love the problem solving of "how could they get in?" Understand weakness, then defend.
5. I really don't buy most conspiracies. Maybe some are real but that road can really unbalance someone. Why do people buy into them? Perhaps desire to make sense of the world. To accept that the world is random in part is scarier than thinking someone is in control even if they are "evil". Conspiracies are hard to prove and lack of evidence "proves" that the conspiracy is true. Risk is self perpetuating confirmation. Most conspiracies probably come to light after history gets a chance to examine them. Always suspect simple solutions to complex problems.....

Just as CERN won't accept only 3 sigma but require 5 sigma to confirm a blip in test results, I require more proof and a lot of outside and skeptical analyst review. And not by me. The sciences and maths tell me it is possible to drop a Buick from 20k feet in pieces and have it randomly assemble itself into a car that starts just before it hits the ground. Why the comparison? Some require that many variables lining up. If others want to chase them, go for it. If enough proof and published reputably I may read summary.

I have enough trouble with what I can control rather than what I can't. Self awareness means trying to improve ourselves and understanding the world along with people around us. I have all I can handle on that front and just moving around. I don't have time or desire to stand watching Buicks hit the ground.

On a security topic. Recent story talked of using heat to get past air gapped system. Bits are simply 1 and zeros, on off, threshold, etc. The heat aspect was really quite limited in amount of info passed time wise.

If the bar is installing malware on both computers? A webcam looking at a computer across the room reading covert bits? Light would be much faster transfer. Just a thought. Btw. I would put plexi between the computers in heat scenario. And maybe filtered screens. Lol always follow the signals?

We really are only limited by imagination.

J on the Lethe March 25, 2015 12:01 PM

@figureitout
The xenon death flash. I don't have a chip to test. I suspect it is purely physical. That chip is not designed to be out in the open, phones I think. Judging by picture, maybe the top is opaque to the flash or reflection off bottom. Tape covering top is reported to correct it. I agree it can't be good for the chip over time.

Same type of reasoning as to why space faring chips are older chip sets, coated to resist radiation....I think the shuttle used an i386 chip? G3s are used in other apps. The new horizon probe uses a 32 bit r3000 RISC chip. Just looked that one up. Bigger older chips have bigger wires less susceptible as well as them adding coatings to help protect from radiation breakdown and induced voltages. Older also has time passed to have unknowns lessened.

RakeEm March 25, 2015 9:54 PM

Hi, not sure if it's mentioned but there is a new messenger app available for iPhone and Android, seems not open source atm.
Anyhow, any initial thoughts? Since it profiles itself towards security: not sure if point to point or if it uses p2p, but no central servers involved. PFS? 4096 enc but no info on protocols or auth. So basically a lot of unknowns, also can't find which country of origin...

Figureitout March 26, 2015 12:14 AM

Gerard van Vooren
--Ah, I think you got your friends to the south to thank for those mussels eh? Moules-frites was all over the place but I didn't really like seafood lol so I never tried it (picky eater). I know how much you guys love each other over in Europe.

But yeah, I think I'll pass, but from what I've heard there's already that risk from every bowl of them anyway. :p

Thoth
RE: chips
--This topic isn't going to go away for a long long time...it's going to get annoying eventually. Would be nice if chips were as simple as OpAmps (which are still non-trivial...) and you just expect a certain voltage (which is still being read by usually another chip...I think we should probably be returning to analog meters for more trustworthy measurements...); they play a role in the HWRNG M. Otella used for TFC. ATtiny chips are of interest, very approachable...and small (I "feel" more confident thinking about decapping a bunch of those rather than the latest ARM SoC or Intel chip, pfft..). OTP chips, much less approachable. These "solutions" aren't as fun as just getting a massive SoC w/ circuit and programming interface already made and you just start programming. Just have to dig in!

No, RNGs in chips aren't trustworthy at all, I have a semi-neat "chip" solution for this (not real new, and would get torn apart *in theory* but in practice I'll gladly put it up for use); I don't get it though, you can just get entropy from all over and predicting it must be impossible barring already just watching you and pretending to predict.

j on the lethe
RE: death flash
--Yeah, these are the kinds of things you only find out releasing something and letting people test your product. Suppose the engineers weren't big "selfie" kinds of guys snapping pics of their hardware lol. It wasn't just camera flashes, but lasers too, pointed precisely on that little regulator or whatever it was, that's freaky, bet RF would too (hello fault injection, my old friend...). Patching a glob of tape or goob on the thing is just...dirty hack.

These kinds of things, reliability, are why the job of keeping electronics safe in space seems a bit overwhelming...

Clive Robinson March 26, 2015 4:42 AM

@ Figureitout,

I don't get it though, you can just get entropy from all over and predicting it must be impossible barring already just watching you and pretending to predict.

Actually real/true entropy is very scarce indeed.

From any source the signal you get consists of three parts,

Sig = Kbias + Fent + TRent

That is Known Bias, Faux/False entropy and what you are really after, True/Real entropy.

Known bias is relatively easily found: if you take a source output and filter it appropriately you will detect "dc" and "ac" bias. Likewise injecting signals at various points in various ways will indicate where the circuit is susceptible and needs remedial action to reduce its influence.

Faux/False entropy is in essence what should be known bias but for various reasons has not been found or cannot reasonably be removed. An example of this is what appears to be random but is predictable leaking in through the power supply etc, such as electrical noise from the HD motors and solenoids, or CPU activity causing major memory update or other chip IO pin activity or even a cooling fan kicking in/out.

As you note, as a designer you have limited resources in terms of equipment, time and often knowledge. An adversary like the NSA has rather more in the way of resources, the "collect it all" policy gives them a time advantage, they have access to equipment you can only dream of and they "should" know everything you know plus a very large amount you don't, not just in theoretical aspects but in many many man years of practical experience.

Thus they can turn what is Faux entropy into known bias to a level way beyond that you can. But worse, they can also inject signals via source susceptibilities into the system to force the source output to have little entropy, thus reducing the search space they have to go through.

This leaves the True/Real entropy. It would be nice to say it's some kind of constant as a percentage of the output, but it's not. Even very small changes in circuit conditions can take it from its high of a fractional percent of source output to effectively non-existent, depending on how you are trying to gather it.

A few years ago some research students took a well known and respected TRNG with a measured entropy output of greater than 2^32 and by just pointing a relatively low power CW EM source around 10 GHz reduced the entropy at the source output to as little as 2^7... thus reducing the search space for an attacker from not practical to very practical at the throw of a switch.

Now if you consider an active attack you can assume that a high or state level attacker is listening to your computer one way or another and thus can work out what commercial software you have on it and what is running and when. Thus they can work out when to throw the switch to reduce the entropy source such that your application gets as close to zero entropy as they can manage.

Which is why you have to have an entropy pool to take frequent readings from the source and do two things with them. Firstly stir it into the pool, and secondly sanity check the source output for faults such that attacks or failure can be detected.

It is this second point I get most uptight about with "on chip" RNGs, because they are basically crap: to meet the Diehard and Die Harder tests, which the designers know they have no chance of meeting, they first push the source output through some kind of hash function before they let you see it... Thus it stops you actually monitoring the source for defects. For all you could tell it could be some kind of counter and crypto function, not a True Random Bit Generator.

However you also have to take care with your entropy pool, because there are trade offs which affect the ability of an attacker to predict its current state.

I won't go into the ins and outs of this because you could write a book about it, and Bruce already has, as well as written several papers about it, which the last time I looked you could download from this site.
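
Worked example of the two jobs the comment gives an entropy pool, stirring readings in and sanity-checking the raw source so a collapsed source is rejected rather than trusted. This is added here as illustration; it is not Clive's code or anything from the post. The health tests follow the two continuous tests in NIST SP 800-90B (repetition count and adaptive proportion); the cutoff values, the SHA-256 mixing, and the simulated 8-bit sources are assumptions made for the example.

```python
"""Entropy pool with raw-source health checks (added example, not from the post).

Two jobs: stir raw source readings into the pool, and check the raw readings
so that a source that has failed, or been driven to low entropy by an injected
signal, is detected instead of silently trusted.  The tests are the two
continuous tests of NIST SP 800-90B section 4.4; the cutoffs below are ASSUMED
for an 8-bit-per-sample source and should be derived for the real source.
"""
import hashlib
import random

REPETITION_CUTOFF = 4     # assumed: 4 identical samples in a row is a failure
WINDOW = 512              # assumed: adaptive-proportion window size
PROPORTION_CUTOFF = 13    # assumed: a window's first value appearing >= 13 times fails


def repetition_count_test(samples, cutoff=REPETITION_CUTOFF):
    """Return True (pass) unless some value repeats `cutoff` or more times in
    a row.  This catches a stuck or latched-up source."""
    run, prev = 0, None
    for s in samples:
        run = run + 1 if s == prev else 1
        prev = s
        if run >= cutoff:
            return False
    return True


def adaptive_proportion_test(samples, window=WINDOW, cutoff=PROPORTION_CUTOFF):
    """Return True (pass) unless, in some full window, the window's first value
    occurs `cutoff` or more times.  This catches a source whose output has
    collapsed onto a few values (the 2^32 -> 2^7 case) without being stuck."""
    for start in range(0, len(samples) - window + 1, window):
        block = samples[start:start + window]
        if block.count(block[0]) >= cutoff:
            return False
    return True


class EntropyPool:
    """Toy pool: readings are mixed in with SHA-256 and output is derived from
    the state with a counter.  The point here is the gating, not the mixer."""

    def __init__(self):
        self.state = hashlib.sha256(b"constructed-initial-state").digest()
        self.counter = 0
        self.rejected = 0          # batches that failed a health test

    def stir(self, samples):
        """Health-check a batch of raw 8-bit readings, then mix it in.
        Returns False, and mixes nothing, when the batch fails a test."""
        if not (repetition_count_test(samples) and adaptive_proportion_test(samples)):
            self.rejected += 1
            return False
        self.state = hashlib.sha256(self.state + bytes(samples)).digest()
        return True

    def read(self, nbytes):
        """Derive output from the pool state, then ratchet the state forward
        so a later state compromise does not reveal earlier output."""
        out = b""
        while len(out) < nbytes:
            self.counter += 1
            out += hashlib.sha256(self.state + self.counter.to_bytes(8, "big")).digest()
        self.state = hashlib.sha256(self.state + b"ratchet").digest()
        return out[:nbytes]


def simulate_source(n, distinct, seed):
    """Constructed stand-in for a raw 8-bit noise source.  `distinct` is how
    many different values it can still produce: 256 for a healthy source, a
    handful for one that has been driven into a low-entropy state."""
    rng = random.Random(seed)      # seeded so the demo is repeatable
    return [rng.randrange(distinct) for _ in range(n)]


def demo():
    pool = EntropyPool()
    healthy_ok = pool.stir(simulate_source(4096, 256, seed=1))
    collapsed_ok = pool.stir(simulate_source(4096, 4, seed=2))
    return {"healthy_accepted": healthy_ok, "collapsed_accepted": collapsed_ok,
            "rejected_batches": pool.rejected, "key": pool.read(16).hex()}


if __name__ == "__main__":
    print(demo())
```

The checks run on the raw readings, before any hashing, which is exactly what an on-chip RNG that hashes before exposing its output prevents you from doing; a pool built this way can refuse to accept a batch from a source that has been pushed down to a few distinct values, and count how often that happens.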

Clive Robinson March 26, 2015 8:13 AM

@ Bruce,

On the BBC Radio news a little snippet you might not have been aware of, which has just been made rather public.

You might have heard that a German Wings aircraft crashed into a mountain and the voice recorder was recovered.

It appears the pilot left the flight deck and could not get back in, and for some reason currently unknown the co-pilot put the aircraft into descent mode.

Some are arguing it's a suicide, because the pilot could not get back through the cockpit door even though there is a security override such that those on the flight deck can not actually keep people out...

So now we know the cockpit door argument has a serious flaw in it, and attackers knowing the override could get access...

Wael March 26, 2015 8:28 AM

@Clive Robinson,

Some are arguing it's a suicide

These "some" wouldn't be working for Airbus or one of their insurance companies? There are more selfish ways to commit suicide! Why take others with you?

It appears the pilot left the flight deck and could not get back in and for some reason currently unknown the co-pilot put the aircraft into descent mode.

Strange!

Buck March 26, 2015 10:16 PM

Re: Tao-AI, SOBUS, MIX, etc...

Markov Chain or not, there's almost certainly some human input involved... The posts tend to synthesize a lot of information in a pretty clever (sometimes concise) sorta way. Personally, I find them kinda fun to read! :-P
While I'll admit it's annoying when the wall of text drowns out other perspectives, there's been plenty more of those around here that are met with little to no protest... What gives guys? Did somebody touch a nerve somewhere or something...?

Figureitout March 26, 2015 10:29 PM

Clive Robinson
Actually real/true entropy is very scarce indeed
--Yes, assuming we actually have a definition of what it *is*, which by your own admission we don't. Your attacks boil down to "active attacks" which involve firstly high costs, and camping outside a target area and either getting agents inside or waiting until you can break in and plant bugs and modify the hardware as you know many targets are soft and breaking in is mostly trivial (which means you are too...).

As I've said, and I'd be *begrudgingly* willing to do another demo of just how stupid this is, to show that I can create bits that *no one* can predict fairly easily. Do you know the graph of a particular snail on pavement?--Your eyes can only see w/ reflection of sunlight. Do you know some time measurements I just took down to the millisecond (not even micro or nano, easy eh?) on many devices? How about colors of blades of grass or whether or not someone I just ran into is wearing glasses? Do you know what chain of info I just did and wrote down in a location, then sampled that? I can take analog samples of all that, then further mix that up in a way you won't know; I can prove that to you w/o handwaving fart-sniffing bullsh*t if you want by guessing my (I'll make it easy for you) hex bits (so 16 chars) I got written on a paper. You'll only see the output when I put into insecure transmission systems, people I talk to (assuming they're unwilling to take my measures, which is likely), and external patterns. Not the actual entropy or its generation process.

RE: research
--Yeah they injected that at like point blank, right? That's what the research usually is, point blank blasting a circuit, uhh...ok.... Every wire is an antenna, that principle is mind-shattering, but the truth. Maybe their transmitter was attacked by the victim to give them a false reading? Maybe there's a countermeasure to give false values on sensing that kind of attack lol. That's possible too right, to give them false data and false confidence. How do they verify their lab and their equipment?--Oh that's right, they probably don't.

My chip solution, in addition to being heavily shielded of course, could be changed on a whim w/ more and more functions; homebrew ones that work for say a month or 2. I'm totally capable (which means 1000000's of people are) of a nice simple UI and open-source programming/flashing, and importantly, mobile for avoiding more peculiar EMSEC attacks. Got other things first though that are more personally challenging and interesting.

Buck
--I mean, it's not even clever at all if just a markov chain, jesus how old are markov chains in spam?! Lol, it's just some worthless piece of sh*t; can't even make a custom spamming technique. Do you want to name some names of people that upset you? Why don't you ever expand on your personal ideas or solutions?--Always little comments, just curious.

Buck March 26, 2015 11:14 PM

@Figureitout

Do you want to name some names of people that upset you?
No, I don't; I'm not easily upset... ;-)
Why don't you ever expand on your personal ideas or solutions? -- Always little comments, just curious.
If you really could take a good hard look back at some of my posts here in the past, you just might find some 'suggestions' for possible solutions... That is not the point though! I'd prefer everyone make up their own mind based on all the evidence available to them.

Figureitout March 26, 2015 11:45 PM

Buck
--Aw c'mon, what if I start talking about intestinal bacteria getting sprayed everywhere? That'll get you going right?

I don't need to take a hard look back, I remember the gist of them since they were so small! I want more, eh? What's your ideal secure computer and how do you build it?

Wael March 27, 2015 12:13 AM

@Figureitout, @Clive Robinson,

Do you know the graph of a particular snail on pavement?...

Nice set of questions, haven't you tried that before[1]? And why stop there? How about the colors you hear and the sounds you see when you go on a little LSD trip? Now that's unpredictable as the article @Dirk Praet posted showed. Which brings another question...

@Dirk Praet,

I've noticed a new pattern with you recently. Mushrooms, LSD... What gives? Who are you hanging around with these days?

[1] When you encrypted a text and challenged us to decrypt it. This is a first for me! Can't remember any key words to search for!

Figureitout March 27, 2015 12:27 AM

Wael
Nice set of questions
--Lol, yeah I was repeating it just b/c it's so funny. Want more? That's my personal OPSEC lol. Watch him be out trying to find an actual graph of a snail on pavement w/ a flash light and magnifying glass just to show me up. Well, it's not the one I mapped lol, it rained. How much more retarded can I make this? I should've packed a bowl of your Hawaiian "maui wowi" too lol, red hairs; I used your buds as an entropy source too. Looks like we're getting Mr. Robinson baked too in his pursuit of an impossible goal.

RE: [1]
--I wrote it in front of my computer in my bugged room, I didn't wipe the table too, and disposed of the papers in my trash can, which someone could break in daily like they do and scoop that up and get the message. No one decrypted the message that used no special considerations lol, this is so retarded lol.

Buck March 27, 2015 12:36 AM

@Figureitout

Bacteriums (and virii) are literally all around us and in us - no matter what either of us may say... I'm not too sure what they can do, but I am much more interested in the ideas where we radically part...
For instance, I've said:

Solutions will be political (or a way of thinking about post-scarcity futures), not technological under the current paradigm.
Whereas, from my understanding, you have given up on politics (for good reason, no doubt) - yet it is thanks to these differences that I can further expand my viewpoint!

Buck March 27, 2015 12:44 AM

As for an 'ideal secure computer'... Does that not depend on ideal secure people..?

Figureitout March 27, 2015 12:45 AM

Buck
--Yep, given up there. Only naive people think there's hope there IMHO. It's not happening lol. I can't think of a more assured failure really. You know, I kind of think the monumental failure of current and previous generations has had an impact on people that would've made a difference but then saw it for what it is, an unapproachable corrupted garbage sh*thole that will bankrupt USA likely w/in my lifetime. Combine that w/ police state that made sure people wouldn't dare act up and do anything like peaceful protests. Do you get involved w/ local politics or anything political? I always like to ask people who believe in political solutions to name all their local representatives...always get a good lol...

Figureitout March 27, 2015 12:49 AM

Buck
--Ideal secure computer needs to rely on designs that can be tested "ideally" AKA independently. But yeah, if you go that route, then you do as I do, question all science as falsehoods. What scientific research do you actually trust then?

Buck March 27, 2015 1:31 AM

@Figureitout

Do you get involved w/ local politics or anything political? I always like to ask people who believe in political solutions to name all their local representatives...
Not under the current political paradigm (that I can only suspect you are speaking about), but I like to feel I'm doing what I can for now...
What scientific research do you actually trust then?
None, actually!! I only trust people after I have a good reason or two to do so.

Name (required)March 27, 2015 4:11 AM

@Clive / cockpit security
There is more to it than you might read in the press.

http://www.google.com/patents/EP1295792B1?cl=en (auto-translated; the original seems to be German)
Pretty old already, but it looks like full-scale anti-riot gear.

it just seems they did not yet consider (co-)pilots as part of their threat model

Clive RobinsonMarch 27, 2015 4:44 AM

@ Figureitout,

With regards your demos, I guess you are not aware of Einstein's definition of madness?

Yes, anyone can pick an isolated "drunkard's walk" and claim all sorts of things about its unpredictability and thus security. But people with a need for reasonable quantities of secure entropy rarely seek out snails or drunkards as their entropy source, as the bit rate is laughably slow.

If you think back, I'm on record here talking about using various methods of generating One Time Pads for emergency key transfer and describing the methods I use. You will find I've also given quite detailed instructions on how to use a number of dice to relatively efficiently produce strings of decimal numbers, standard alphabet characters and five bit binary numbers (Oh, you might want to check your usage of "hex" ;-)

You will also find a discussion on why I recommend people use a dice or similar unrelated physical source to seed a well protected Crypto Secure PRNG in preference to using any kind of vulnerable electrical noise source, even if it's derived from a physical process (the jury is still out on practical quantum noise sources for various reasons).

So yes I'm more than well aware of the strengths and weaknesses of the various methods of "entropy mining and refining" and key / nonce / pad generation. Not just for individual very occasional use but also for those who need gigabits of unpredictability in very short time intervals.

Something that the majority of embedded systems and application developers appear to be either ignorant of, or are choosing to ignore for some reason such as having psychology pressure applied from above (a point you recently raised yourself). This failing is made abundantly clear by the number of key certs with shared primes etc. found on the Internet. Which, as I've pointed out in the past, would make attacks by the NSA et al. on keys of 1024 bits or less quite practical for an "industrialized collect all" process. I amplified on this by pointing out that the characteristics of such poor entropy generators would also give rise to restricted range number lists, which would make "near miss" optimizations possible to improve the performance of such a process. Which, as I'm sure you realise, is very much not an "active attack" but an unseen passive attack process.

Oh, and as for snails, you will also find that I've mentioned how they can be "totally owned" by a parasite that works its way up the snail's eye stalk, so your snails' behaviour might be rather more biased than you think ;-)
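
The dice-to-symbols conversion and the "seed a CSPRNG from a physical source" step described above, as an added illustration that is not Clive's own procedure or code. It assumes fair six-sided dice; the rejection-sampling cutoff is what keeps decimal digits, letters and five-bit values uniform (two dice give 36 outcomes, so 5-bit values use 32 of them and reject 4), and the generator at the end is a plain HMAC counter construction chosen for brevity, not a standards-track DRBG:

```python
"""Turning die rolls into unbiased symbols and seeding a deterministic
generator from them.  Added illustrative example; not Clive Robinson's own
procedure, and the generator below is a plain HMAC counter construction
rather than a standards-track DRBG."""
import hashlib
import hmac
import math


def rolls_needed(seed_bits):
    """Fair six-sided rolls needed to collect `seed_bits` bits of entropy.
    Each roll carries log2(6), roughly 2.585 bits, so a 256-bit seed needs
    100 rolls (hashing fewer rolls does not create the missing bits)."""
    return math.ceil(seed_bits / math.log2(6))


def dice_to_symbols(rolls, alphabet_size):
    """Convert a list of rolls (values 1..6) into symbols 0..alphabet_size-1
    that are uniformly distributed.

    Rolls are taken k at a time, with k the smallest count such that
    6**k >= alphabet_size, and read as a base-6 number.  A group is kept
    only when it is below the largest multiple of alphabet_size that fits
    in 6**k; the rejected remainder is what keeps the output uniform, since
    a bare modulo would favour the low symbols.  With alphabet_size=32 this
    gives 5-bit values from two dice, rejecting 4 of 36 combinations."""
    k = 1
    while 6 ** k < alphabet_size:
        k += 1
    limit = (6 ** k // alphabet_size) * alphabet_size
    symbols = []
    for i in range(0, len(rolls) - k + 1, k):
        group = rolls[i:i + k]
        if any(r < 1 or r > 6 for r in group):
            raise ValueError("die rolls must be in 1..6")
        value = 0
        for r in group:
            value = value * 6 + (r - 1)
        if value < limit:
            symbols.append(value % alphabet_size)
    return symbols


def seed_from_rolls(rolls, label=b"constructed-example"):
    """Whiten the raw rolls into a 32-byte seed.  Hashing only compresses
    the entropy that is already there; see rolls_needed()."""
    if len(rolls) < rolls_needed(256):
        raise ValueError("not enough rolls for a 256-bit seed")
    return hashlib.sha256(label + bytes(rolls)).digest()


class HmacCounterGenerator:
    """Deterministic expansion of a seed: out_i = HMAC-SHA256(seed, i).
    Assumption for the example: the seed is kept secret and never reused."""

    def __init__(self, seed):
        self.seed = seed
        self.counter = 0

    def generate(self, nbytes):
        out = bytearray()
        while len(out) < nbytes:
            block = hmac.new(self.seed, self.counter.to_bytes(8, "big"),
                             hashlib.sha256).digest()
            out += block
            self.counter += 1
        return bytes(out[:nbytes])
```

The point of `rolls_needed` is the one that gets lost most often in practice: the hash whitens, it does not add entropy, so a 256-bit seed still costs a hundred rolls of a fair die however clever the post-processing.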

Clive RobinsonMarch 27, 2015 7:20 AM

@ Bruce,

This might be of considerable interest,

http://www.theblot.com/exclusive-stingray-maker-asked-fcc-to-block-release-of-spy-gear-manual-7739514

Apart from the shenanigans Harris Corp and the FBI have created over the use of the Stingray faux cell site equipment in court cases with irrelevant Non Disclosure Agreements, "The Blot" has found that it runs far deeper, with deliberate misdirection and lying by Harris seniors to Federal Authorities.

What The Blot has managed to do is get a copy, albeit heavily redacted, of the Stingray equipment manual (see the article for more info and links).

Dirk PraetMarch 27, 2015 8:44 AM

@ Buck, @ Wael, @ Figureitout

While I'll admit it's annoying when the wall of text drowns out other perspectives, there have been plenty more of those around here that are met with little to no protest.

However much I can appreciate even the most controversial of opinions, I don't particularly enjoy reading or weeding through heaps of posts that make little or no sense, whether generated by a bot or seemingly sprung from the mind of a delusional nutcase going through an acid-induced psychiatric episode. Are we really to believe that we are being controlled by AI programs run by an organisation from the Jason Bourne movies? It's free speech quite alright, but it's also making this blog less attractive as well as making all of us look like a bunch of estranged tinfoil hats.

Perhaps @Moderator could run some analysis on @SOBUS, @MIX and @Tao-AI to find out if all this garbage doesn't originate from the same source? It would seem that every time one of these is banned or asked to move on, a new one pops up instead.

Nick PMarch 27, 2015 2:18 PM

Updates on research in hash-based signatures for post-quantum security

Merkle signatures with virtually unlimited signature capacity (2007) Buchmann et al.

Abstract: "We propose GMSS, a new variant of the Merkle signature scheme. GMSS is the first Merkle-type signature scheme that allows a cryptographically unlimited (2^80) number of documents to be signed with one key pair. Compared to recent improvements of the Merkle signature scheme, GMSS reduces the signature size as well as the signature generation cost."

XMSS - A practical forward secure signature scheme based on minimal security assumptions (2011) Buchmann et al

Abstract: "We present the hash-based signature scheme XMSS. It is the first provably (forward) secure and practical signature scheme with minimal security requirements: a pseudorandom and a second preimage resistant (hash) function family. Its signature size is reduced to less than 25% compared to the best provably secure hash-based signature scheme."

Faster hash-based signatures with bounded leakage (2014) Eisenbarth et al.

Abstract: "Digital signatures have become a key component of many embedded system solutions and are facing strong security and efficiency requirements. At the same time side-channel resistance is essential for a signature scheme to be accepted in real-world applications. Based on the Merkle signature scheme and Winternitz one-time signatures we propose a signature scheme with bounded side-channel leakage that is secure in a post-quantum setting. Novel algorithmic improvements for the authentication path computation bound side-channel leakage and improve the average signature computation time by close to 50 % when compared to state-of-the-art algorithms. The proposed scheme is implemented on an Intel Core i7 CPU and an AVR ATxmega microcontroller with carefully optimized versions for the respective target platform. The theoretical algorithmic improvements are verified in the implementations and cryptographic hardware accelerators are used to achieve competitive performance."

A space- and time-efficient implementation of the Merkle Tree Traversal Algorithm (2014) Knecht et al.

Abstract: "We present an algorithm for the Merkle tree traversal problem which combines the efficient space-time trade-off from the fractal Merkle tree and the space efficiency from the improved log space-time Merkle trees traversal. We give an exhaustive analysis of the space and time efficiency of our algorithm in function of the parameters H (the height of the Merkle tree) and h (h=H/L where L is the number of levels in the Merkle tree). We also analyze the space impact when a continuous deterministic pseudo-random number generator (PRNG) is used to generate the leaves. We further program a low storage-space and a low time-overhead version of the algorithm in Java and measure its performance with respect to the two different implementations cited above. Our implementation uses the least space when a continuous PRNG is used for the leaf calculation."

SPHINCS: practical stateless hash-based signatures (2014) Bernstein et al.

Abstract: "This paper introduces a high-security post-quantum stateless hash-based signature scheme that signs hundreds of messages per second on a modern 4-core 3.5GHz Intel CPU. Signatures are 41 KB, public keys are 1 KB, and private keys are 1 KB. The signature scheme is designed to provide long-term $2^{128}$ security even against attackers equipped with quantum computers. Unlike most hash-based designs, this signature scheme is stateless, allowing it to be a drop-in replacement for current signature schemes. "

Conclusion

They're now very practical and have stronger security than asymmetric crypto. We need to start making standards and reference implementations for their use. There's already some work on that at a few companies and universities. One group even implemented one on an Infineon SLE smart card. I look forward to seeing more use of the above technology and what comes next.
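
To make the mechanics behind the abstracts above concrete, here is a toy stateful Merkle signature scheme, added as an illustration and not taken from any of the cited papers or their implementations. It uses Lamport one-time signatures instead of Winternitz ones (so signatures are 256 revealed 32-byte values, about 8 KB, which is exactly the size problem Winternitz chains and the papers above attack), a tree of only 2^height leaves, and fresh random one-time keys rather than keys derived from a PRNG seed as the Knecht et al. abstract describes. What it does show is the part that makes these schemes "stateful" and that SPHINCS was designed to remove: the signer must advance its leaf index before releasing a signature and must never reuse one, since a second Lamport signature under the same key reveals the other half of the secret values.

```python
"""A stateful Merkle signature scheme over Lamport one-time signatures.
Added illustrative example; not code from any of the papers cited above,
and far from their parameter choices (Lamport instead of Winternitz,
a handful of leaves instead of 2^20)."""
import hashlib
import os

N = 32  # hash output and secret-value length in bytes


def H(*parts):
    return hashlib.sha256(b"".join(parts)).digest()


def lamport_keygen():
    """256 pairs of secret values; the public key is their hashes."""
    sk = [[os.urandom(N), os.urandom(N)] for _ in range(8 * N)]
    pk = [[H(s0), H(s1)] for s0, s1 in sk]
    return sk, pk


def message_bits(msg):
    digest = H(msg)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(8 * N)]


def lamport_sign(sk, msg):
    """Reveal one secret per digest bit.  Revealing a second, different
    pattern with the same key leaks both halves, hence one-time only."""
    return [sk[i][b] for i, b in enumerate(message_bits(msg))]


def lamport_verify(pk, msg, sig):
    if len(sig) != 8 * N:
        return False
    return all(H(s) == pk[i][b]
               for i, (s, b) in enumerate(zip(sig, message_bits(msg))))


def leaf_hash(pk):
    return H(*[h for pair in pk for h in pair])


class MerkleSigner:
    """Holds 2**height one-time keys and the Merkle tree over their public
    keys.  `next_index` is the state that must never be rolled back."""

    def __init__(self, height):
        self.capacity = 1 << height
        self.keys = [lamport_keygen() for _ in range(self.capacity)]
        self.levels = [[leaf_hash(pk) for _, pk in self.keys]]
        while len(self.levels[-1]) > 1:
            lvl = self.levels[-1]
            self.levels.append([H(lvl[i], lvl[i + 1])
                                for i in range(0, len(lvl), 2)])
        self.root = self.levels[-1][0]
        self.next_index = 0

    def sign(self, msg):
        if self.next_index >= self.capacity:
            raise RuntimeError("all one-time keys used; generate a new tree")
        idx = self.next_index
        self.next_index += 1          # commit the state before signing
        sk, pk = self.keys[idx]
        auth_path, i = [], idx
        for lvl in self.levels[:-1]:  # sibling at each level below the root
            auth_path.append(lvl[i ^ 1])
            i >>= 1
        return {"index": idx, "ots": lamport_sign(sk, msg),
                "ots_pk": pk, "auth": auth_path}


def merkle_verify(root, msg, signature):
    """Check the one-time signature, then recompute the path to the root."""
    if not lamport_verify(signature["ots_pk"], msg, signature["ots"]):
        return False
    node, i = leaf_hash(signature["ots_pk"]), signature["index"]
    for sibling in signature["auth"]:
        node = H(node, sibling) if i % 2 == 0 else H(sibling, node)
        i >>= 1
    return node == root
```

The only long-term public value is `root`; each signature carries its own one-time public key and the authentication path that ties it to the root. In a deployment the dangerous operation is restoring `next_index` from a backup or cloning the signer to a second host, which is the state-management failure the stateless SPHINCS design exists to avoid.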

FigureitoutMarch 28, 2015 8:24 AM

Clive Robinson
--Yeah I'm familiar, and I'm not sourcing my entropy from same places. It requires very active attacks to "intercept" my local sourcing methods (which gets into the realm of "aliens reading my mind"). For the record, I'm of the belief that w/ enough study, there is no randomness. The amount of work for me compared to an attacker is where I like it...Yes dice are a way, but they sure do make some noise in a box eh?

Likewise you can make claims on something that doesn't have a definition, and make statements of something being rare when we don't know what is and is not random. You then make a point of "psychology pressure" and then say that some people need a lot more entropy. It sounds like "efficiency" and "market pressure" forcing an obviously insecure solution that I know you love.

I don't trust the key cert process at all and its underlying components anyway, never did (hence I generally don't trust all info I see on screen, just make do anyway), not even the people working in it trust it. They say it needs change (like an authority for the certificate authority...uh...), and that when companies fail hard and breach trust, nothing happens to them and they remain in business delivering already hacked certs to whoever pays for them.

And don't hurt my snails! Meanie...

Clive RobinsonMarch 28, 2015 11:31 AM

@ Figureitout,

And don't hurt my snails! Meanie...

I wouldn't dare, my son used to keep snails as pets, like some keep worms / caterpillars etc.

I blame Terry Pratchett and his "Wee Free Men" for this; that said, a Greek friend showed him how to "farm" them properly...

Getting back to information entropy or random / unpredictable number generation. Does there need to be a hard and fast definition of "what it is", when by and large the most important characteristic we desire of it is "what it is not" (i.e. predictable)?

The Die Hard and Harder tests are considered the lowest bar of acceptable behaviour by cryptographers, and most hardware generators fail to meet them by quite a large margin, hence "Magic Pixie Dust" thinking of using "hashing" or other low level crypto algorithm.

Thus the question arises about our reasoning behind such tests.

If our reasoning is questionable or wrong what should we be considering...

Now my view is we should consider other things as being rather more important which is preventing both passive and active attacks.

Thus my view is we should be analysing our supposedly unpredictable sources for changes in general behaviour in preference to some low bar test for limited types of predictability, that can easily be beaten by standard crypto functions.
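
The kind of "watch the source for changes in general behaviour" monitoring argued for above, as an added example rather than Clive's own design: two continuous health tests in the style of NIST SP 800-90B section 4.4, a repetition count test (does the source get stuck?) and an adaptive proportion test (does one value start dominating a window?), with cutoffs derived from a claimed entropy rate and a false-alarm probability of 2^-20 as 800-90B uses. The sample streams are constructed stand-ins for raw hardware samples. Note the last point in the lead comment of `sha256_stream`: a deterministic SHA-256 counter passes both tests perfectly, which illustrates exactly why such tests detect failures but do not certify unpredictability, and why a hashed output can hide a broken source from them.

```python
"""Continuous health tests on a noise source: a repetition count test and
an adaptive proportion test in the style of NIST SP 800-90B section 4.4.
Added example; not Clive Robinson's design.  The sample streams are
constructed stand-ins for raw hardware samples."""
import hashlib
import math

ALPHA = 2.0 ** -20  # per-test false-alarm probability used by SP 800-90B


def rct_cutoff(h_min):
    """Run length that a source of h_min bits/sample should essentially
    never produce: C = 1 + ceil(-log2(alpha) / h_min)."""
    return 1 + math.ceil(-math.log2(ALPHA) / h_min)


def apt_cutoff(h_min, window=512):
    """Smallest C with P[Binomial(window, 2**-h_min) >= C] <= alpha,
    computed from the exact binomial tail."""
    p = 2.0 ** -h_min
    pmf = [math.comb(window, k) * p ** k * (1 - p) ** (window - k)
           for k in range(window + 1)]
    tail = 0.0
    for c in range(window, -1, -1):
        tail += pmf[c]            # tail is now P[X >= c]
        if tail > ALPHA:
            return c + 1
    return 1


def repetition_count_test(samples, cutoff):
    """Return the index at which a run of identical samples reaches the
    cutoff, or None if the stream never does."""
    run = 1
    for i in range(1, len(samples)):
        run = run + 1 if samples[i] == samples[i - 1] else 1
        if run >= cutoff:
            return i
    return None


def adaptive_proportion_test(samples, cutoff, window=512):
    """For each non-overlapping window, count how often the window's first
    sample recurs; return the window's start index on failure, else None."""
    for start in range(0, len(samples) - window + 1, window):
        w = samples[start:start + window]
        if w.count(w[0]) >= cutoff:
            return start
    return None


def sha256_stream(nbytes, label):
    """Constructed stand-in for a healthy source: SHA-256 in counter mode.
    It passes both tests although it contains no entropy at all, which is
    why these tests detect failures but prove nothing about a source."""
    out, counter = bytearray(), 0
    while len(out) < nbytes:
        out += hashlib.sha256(label + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:nbytes])


def stuck_stream():
    """Constructed: healthy stream with a burst of repeated bytes spliced in."""
    base = sha256_stream(4096, b"healthy")
    return base[:1000] + b"\x41" * 8 + base[1000:]


def biased_stream():
    """Constructed: every second sample is the same byte, a half-failed source."""
    base = sha256_stream(2048, b"healthy")
    return bytes(0x41 if i % 2 == 0 else base[i] for i in range(len(base)))


def health_report(samples, h_min=4):
    """Run both tests assuming a claimed h_min bits of entropy per sample."""
    return {"rct_fail_at": repetition_count_test(samples, rct_cutoff(h_min)),
            "apt_fail_at": adaptive_proportion_test(samples, apt_cutoff(h_min))}
```

The claimed `h_min` is an input, not an output: a conservative estimate (4 bits per byte here) makes the cutoffs looser, so the tests alarm only on gross failure, while an optimistic claim makes them trip on healthy data. Either way the tests belong on the raw samples, before any hashing or conditioning.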

FigureitoutMarch 29, 2015 11:20 AM

Clive Robinson
--Good point, but yeah I do think there needs to be a definition if we're going to make statements of "rarity" and what is and is not random. Otherwise, you have little standing calling out my solutions (w/o detailing your actual designs lol) and the assurances I can give and there's no clarity to the field at all (which there isn't lol). Again, everyone not doing the actual cracking will call it "trivially easy" or breakable; but I'll put those statements to the test lol.

Any chip solution should be w/in a well shielded environment, and using some kind of large battery or multiple "stepping up and down", we can monitor the power though, the RF...not so much (too many waves). Every wire is an antenna and surfaces/materials reflect RF weirdly and differently and you can get surprisingly good performance on PCB antennas (even better tagging an external antenna on it). Or mobile, at a random time, power level would be so low, and there'll be all kinds of other noise drowning it out.

So what does that mean? Well, barbed wire fence as far as property permits. Then shielding built into walls and windows/doors. Then a standard shield room and using inverters inside of the others outside the shield room. Then vet the people and go around scanning for stuff. So we can generally rule out these attacks and focus on the "meta-stability" circuit (since to be honest, it's the most fun/interesting rather than me drawing graphs of snail trails lol...).

Of course we should try preventing attacks of all kinds, except that involves locking everyone down. I say focus on passive and "fire and forget" attacks as an active attack could be as simple as someone following you home or just punch you in the face; they place themselves at a great risk too (blowback), then selling that info or just blasting their picture all over the web.

That last goal is too big. I say it's best to have so many honeypots and traps (which is where we're going) anyone will be scared to try something and "show their cards" and not having anymore cards to play...it works...you may know. :p Also having systems where certain exploits are impossible to run or dice up their exfiltration path so again they have to risk exposing themselves connecting it up again.

Clive RobinsonMarch 30, 2015 3:04 AM

@ Figureitout,

I do think there needs to be a definition if we're going to make statements of "rarity" and what is and is not random

We are not even close to one yet, to see why go through a thought experiment...

For this I tend to assume a simple physical process under observation, the output of which can be plotted as a distribution, the curve of which is the result to be considered.

For example, two sheets of glass held apart by a spacer the thickness of which is slightly greater than the thickness of a uniform coin. The coin rests on the spacer, which has a profile like a cross-sectional cutaway of the left hand side of a broad-bottomed valley. That is, the far left side has a small section of rising slope just before the peak, which acts as an initial resting point for the coin. From the peak to the right is a descending gradient designed to efficiently convert the downwards force of gravity on the coin to a rightwards rolling motion. To the right of this downwards slope is a slight upwards flat slope of sufficient length that the coin will roll to a maximum rightwards point then roll back to the left.

For each test the coin is pushed rightwards slowly and uniformly from its resting point over the peak, and the output reading is the rightmost distance the coin travels before stopping and rolling backwards.

In a perfect world this point would always be the same. In practice it is not, and when plotted out after many tests you would expect a distribution curve to the results. The question is initially "Why?" and secondly "How can the spread of this distribution be reduced?".

After some thought you will start applying constraints to the experiment to better control it; one such will be the initial push, another removing or controlling the air between the glass sheets etc.

The question then becomes at what point can improvements no longer be made and what the effective limits are. Then you can get down to asking about the small residual curve: is it due to an unknowable process, a measurement limitation etc. or is it the elusive "true randomness" that some people have faith in existing.

WaelMarch 30, 2015 3:28 AM

@Clive Robinson, @Figureitout,

The question then becomes at what point can improvements no longer be made and what the effective limits are.

Probably when parameters not under our control are involved. For example, earth rotation effects and gravity variations. And since glass is a liquid, the effects of glass morphing over time have to be accounted for. Also, the coin rolling in the magnetic field of the earth induces a current that in turn makes the coin a weak magnet which affects its motion. The location of the moon, the sun, and other celestial bodies will also have an effect. There are a ton of other parameters that we know and don't know. Electromagnetic wave pollution around us and its constant changes will need to be controlled as well. Then there are computer rounding errors, modeling approximations (a Taylor series, for example, using the first few terms)... If all these parameters are known and the sample space is sufficiently large, then the distribution will be Gaussian according to the Central Limit Theorem. More importantly, the location of the coin can be predicted precisely, within the desired tolerance levels.

I couldn't visualize the construction of your apparatus, but took a guess at how it might look and operate...

FigureitoutMarch 30, 2015 10:52 PM

Clive Robinson
--Did the thought experiment, you could've just linked a simple picture instead of making me recreate it myself and trying to sound British. :p For instance, I used to like (ok I still do damnit, don't judge me! :p) these things: http://www.drei-dformenbau.de/uploads/pics/gravitationstrichter1_07.jpg

By the way, no I don't trust you w/ any coins (trying your little tricks like the unfair coin flip or like my grandpa *used to* pulling coins out the back of my ear! :p).

It's a pretty good analogy, as I can do a few things to "offset the expected path" of the coin (even though the "coin funnel" has a pretty non-random path, yours doesn't, or shouldn't...); some of them more "comically obvious" than others.

Still, consider all the "simple physical processes" (visualising the data makes it a "simple physical process" as the data is now "physical" and not just electrical hidden away in the circuit anymore) one can observe and "tack on" a pattern to look for and "increment a counter" for. Bruce and others mentioned in a paper using either numbers or letters from the stock exchange and calling that "unpredictable by attackers"...well, not so sure of that anymore are we..? But mixed w/ other data, yeah I can see that.

Applying a set method for randomness/entropy seems to be exactly the opposite of what it is (yeah sure let's study something that is by definition unpredictable, thus everything you learn about it is worthless...). That's why it's so frustrating and I get pissed.

Wael
--Yeah, those variables most everyone will write off (or won't have the tools to measure those forces, or just won't for that, we could crank out calculations for every piece of metal in a lab and movements and interactions, I'll just say no...). Certainly makes you feel powerless, I've been thru those stages of thought though lol, and our space agencies have been surprised by a few asteroids that got close; who knows next day we wake up (or die in sleep) an asteroid hits the ocean and creates a killer tsunami that would basically kill maybe 5-6 billion people tomorrow...Or the gamma ray bursts kill all life on earth...oh jeez, no! There is no shield, penetrates all.

Clive RobinsonMarch 31, 2015 12:41 AM

@ Dirk Praet,

Has you or anyone else noticed a strange coincidence on this blog...

In that skeptical not posting appears to coincide with the appearance of MIX...

I wonder if the two are related or just chance.

Clive RobinsonMarch 31, 2015 12:59 AM

@ Vas Pup,

My apologies, I missed your comment to me above.

When I read Professor David Stupples' (of electronic and radio systems at City University London) words I cannot help wondering if he reads this blog.

Basically he is saying exactly the same about "insider" attacks on voting systems as I have said a number of times here previously with regards the use of voting systems in "Castle-v-Prison" discussions.

I suspect both @Nick P and @Wael will have their own comments to make about it.

BuckMarch 31, 2015 1:52 AM

@Figureitout

It's a pretty good analogy, as I can do a few things to "offset the expected path" of the coin (even though the "coin funnel" has a pretty non-random path, yours doesn't, or shouldn't...); some of them more "comically obvious" than others.
Your statement here has reminded me of some 'research opportunities' that I can recall from my memories of the nineties... I'm sure, by now it's probably all been relegated to yet another branch of 'pseudo-science' - but it still remains as an interesting thought-experiment in my mind!

Dirk PraetMarch 31, 2015 6:41 AM

@ Clive Robinson

In that skeptical not posting appears to coincide with the appearance of MIX...

I was indeed wondering where Skep is hanging out. He didn't reply to my last post about Ukraine, which is very unlike him (her?). Then again, I believe the annoying appearance of MIX, SOBUS, TAO-AI, TAO-PI and Treadmill - who I think are all the same bot - well predates his absence. Don't know if @Moderator has already run an analysis on this. Or maybe he was just fed up drawing constant flak for his adamant - and mostly polite and substantiated - defense of USG policy. I do hope he's not gone as I have rather come to enjoy our discussions. People like him (her?) are an added value for this forum as it makes it more pluralistic and generally lifts some of the discussions to a higher level because it makes everybody think harder.

SkepticalMarch 31, 2015 12:06 PM

@Dirk, Clive: I still read as I can, but haven't been as able to post in a while. I read your last Ukraine post Dirk - I think we agree on underlying points, i.e. how we would prefer this to be resolved, but disagree on some other points. For instance, just as I think (and you and Mearsheimer have a perfectly fair point here) that understanding Russian perceptions, processes, and those of the leadership involved, are crucial, it's also important to understand the same of the US.

For example, although national interest has indeed sometimes required the US to form relationships of convenience and/or necessity with dictators - such as Stalin in WW2 - the US has an extremely strong preference for dealing with democratic governments. This is in part due to the ideological beliefs of American officials, and that form the traditions and cultures of the relevant American organizations, but it's also due to considerations regarding the degree to which democracies can be relied upon NOT to engage in war with each other. This latter consideration is, at this point, very well supported empirically, and it's become an important part of US foreign policy. If you dismiss it entirely, you will not be able to understand US foreign policy.

I'll try to reply in a more considered way when I have an opportunity - but based on my memory of your last comment, something like that would be my response. :)

And obviously I have nothing to do with MIX or whomever. Come on Clive, really?

Clive RobinsonMarch 31, 2015 12:58 PM

@ Skeptical,

It's nice to know you are still with us :-)

Look at it this way, some people are concerned when frequent posters "drop off" this blog, and we are also sensitive to other odd things happening.

As I originally said of your disappearance "Has you or anyone else noticed a strange coincidence on this blog..."

And yes, I apologise for the use of "has"; I should have changed it at the same time as I changed "anybody" to "you". Ho hum, people will accuse me of not being "British" soon ;-)

Roy CMarch 31, 2015 5:34 PM

Group Action against Google for Safari Cookies Exploit

In February 2012, Jonathan Mayer (a researcher at Stanford's Center for Internet and Society) discovered that Google was circumventing privacy settings in Apple's Safari web browser.
In January 2013, Olswang LLP sent a Letter Before Action to Google UK and Google US informing them of their intent to file a lawsuit on behalf of 12 claimants in the UK. Olswang have stated the case will become a Group Action (similar to a class action in the US) and are inviting all members of the UK public who were using the Safari browser during the six-month period (September 2011 - February 2012) to come forward and join the action.
With an estimated 10 million Safari users in the UK at the time, this group action has the potential to become the largest ever group action filed in the UK and furthermore the largest privacy complaint ever to be heard in UK courts.

Members of the UK public who feel they may qualify as a claimant in this class action lawsuit can contact Olswang LLP through the site below:
http://www.googlelawsuit.co.uk/

FigureitoutApril 4, 2015 1:04 AM

Buck
--Mildly interesting I guess, I'm left wondering "what do they have to say?" or "is it worth it?". Who's to say someone hasn't tampered w/ the data if they just suck in from internet? Or if it's just exposed circuit-based RNGs? Any kind of tampering and you're studying garbage...(which could be totally non-malicious as well).

But you know, better than some research I saw at my school lol, oh I can't remember now and I don't care to look it up, there's been some *actually funded* research of "Does eating pizza make you want to drink beer too?" or something like that. I can't believe people study this knowing what other phenomenon exist and taunt us w/ their mysteries; it's just boring.

BuckApril 4, 2015 4:25 PM

@Figureitout

Who's to say someone hasn't tampered w/ the data if they just suck in from internet?
Too true. :-\ Unfortunately, it's basically impossible to conduct a controlled & reproducible experiment using any internet-connected technology.
Or if it's just exposed circuit-based RNGs?
That could still be an interesting avenue of exploration - exposed to what..?
*actually funded* research of "Does eating pizza make you want to drink beer too?"
Lolz! :-P I generally find the reverse to be more accurate...
