Friday Squid Blogging: The Longfin Inshore Squid Regularly Rewrites Its Own DNA

Wow.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on April 10, 2015 at 4:16 PM • 148 Comments

Comments

Jurjen • April 4, 2015 6:03 AM

Basically, this is editing of object code.
It looks like Mr evolution doesn't know much about secure programming.
I wonder how it can be so robust.

Cressida's Dick • April 10, 2015 6:27 PM

Good pro-and-con on transitioning state responsibility for electronic sabotage from customary to conventional international law. The ICJ and arbitral panels can enforce it either way. The main difference is the forum for public disgrace: charter bodies or treaty bodies. The transition is further along for electronic spying.

At some point, domestic civil society will rub the US government's nose in the law with a court case like 856 F.2d 929 (D.C. Cir. 1988). The international community will take countermeasures. The pressure will gradually mount past the pain threshold, no matter how corrupted the regime.

Daniel Carr • April 10, 2015 8:30 PM

Paul Krugman (a prominent economist) has a blog-post on wearables. In it he argues that people will want the surveillance that wearables enable, and that people do not value their personal privacy that much.

It's an argument that I haven't seen in the anti-surveillance tech community and is quite convincing. Basically, people want what rich people have, and rich people have no personal privacy. They are surrounded by servants who know everything about them.

"Consider the Varian rule, which says that you can forecast the future by looking at what the rich have today — that is, that what affluent people will want in the future is, in general, something like what only the truly rich can afford right now." [...]

"lack of privacy is actually part of the experience of being rich — the chauffeur, the maids, and the doorman know all, but are paid not to tell, and the same will be true of their upper-middle-class digital versions. The rich already live in a kind of privatized surveillance state; now the opportunity to live in a gilded fishbowl is being (somewhat) democratized."

http://krugman.blogs.nytimes.com/2015/04/10/apple-and-the-self-surveillance-state

Thoth • April 10, 2015 8:58 PM

@Anon1
If it uses a DPA and SPA certified chip to do PKI operations, it should be "safe" but I am guessing they are using software defined algorithms instead of DPA/SPA protection certified crypto-chips.

Nick P • April 10, 2015 9:15 PM

Assurance news: New technology in software verification

Correct-by-Construction Program Derivation from Specifications to Assembly Language

"We present a Coq-based system to certify the entire process of implementing declarative mathematical specifications with efficient assembly code. That is, we produce formal assembly code libraries with proofs, in the style of Hoare logic, demonstrating compatibility with relational specifications in higher-order logic. Most code-generation paths from high-level languages involve the introduction of garbage collection and other runtime support for source-level abstractions, but we generate code suitable for resource-constrained embedded systems, using manual memory management and in-place updating of heap-allocated data structures. We start from very high-level source code, applying the Fiat framework to refine set-theory expressions into functional programs; then we further apply Fiat’s refinement tools to translate functional programs into Facade, a simple imperative language without a heap or aliasing; and finally we plug into the assembly-generation features of the Bedrock framework, where we link with handwritten data-structure implementations and their associated proofs. Each program refinement leads to a proved Hoare-logic specification for an assembly function, with no trust dependencies on any aspect of our synthesis process, which is highly automated."

Nick's note: From specs down to the assembler code. The strategy is conceptually similar to both the 001 Toolkit we discussed here and my own functional-to-imperative metaprogramming technique I've been working on. Mine didn't have full formal verification built into it, though. Great stuff.

A Formally-verified C Static Analyzer

"This paper reports on the design and soundness proof, using the Coq proof assistant, of Verasco, a static analyzer based on abstract interpretation for most of the ISO C 1999 language (excluding recursion and dynamic allocation). Verasco establishes the absence of run-time errors in the analyzed programs. It enjoys a modular architecture that supports the extensible combination of multiple abstract domains, both relational and non-relational. Verasco integrates with the CompCert formally-verified C compiler so that not only the soundness of the analysis results is guaranteed with mathematical certitude, but also the fact that these guarantees carry over to the compiled code."

Nick's note: Xavier Leroy's people and other French researchers deliver yet another practical piece of cutting edge research. Many gripe about verification tools themselves not being verified. This is another step toward resolving that issue. The French are on a winning streak as far as software assurance tools go.

Deep Specifications and Certified Abstraction Layers

"Modern computer systems consist of a multitude of abstraction layers (eg OS kernels, hypervisors, device drivers, network protocols), each of which defines an interface that hides the implementation details of a particular set of functionality. Client programs built on top of each layer can be understood solely based on the interface, independent of layer implementation. Despite their obvious importance, abstraction layers have mostly been treated as a system concept; they have almost never been formally specified or verified. This makes it difficult to establish strong correctness properties, and to scale program verification across multiple layers.

In this paper, we present a novel language-based account of abstraction layers and show that they correspond to a strong form of abstraction over a particularly rich class of specifications which we call deep specifications. Just as data abstraction in typed functional languages leads to the important representation independence property, abstraction over deep specification is characterized by an important implementation independence property: any two implementations of the same deep specification must have contextually equivalent behaviors. We present a new layer calculus showing how to formally specify, program, verify, and compose abstraction layers. We show how to instantiate the layer calculus in realistic programming languages such as C and assembly, and how to adapt the CompCert verified compiler to compile certified C layers such that they can be linked with assembly layers. Using these new languages and tools, we have successfully developed multiple certified OS kernels in the Coq proof assistant, the most realistic of which consists of 37 abstraction layers, took less than one person year to develop, and can boot a version of Linux as a guest."

Nick's note: In the U.S., the FLINT group has always been on the cutting edge of both theoretical and practical verification technology. I've posted their work before. Now, they intend to do for specifications what Wirth's Modula did for sequential programming. That they take inspiration from PSOS's abstraction is smart. Their scheme and related work remind me a lot of the FLEX machine's Ten15 VM and its language integration technique. That history is repeating itself in new form is good this time given we totally lost that gem. I hope the new form will be at least as powerful. It's also amenable to formal verification. :)

WikiCFP - A Wiki for Calls for Papers (formal methods search)

Nick's note: I get a lot of papers by looking up the accepted papers sections of various conferences. Usually starts with a call for papers. Sometimes, you get to see the paper that's set to be presented in the future. Yet, a site like this might help in looking for what was already presented at way too many conferences to keep track of. I only found a subset of these in a quick search, for instance.

Buck • April 10, 2015 10:05 PM

@Daniel Carr

"It's an argument that I haven't seen in the anti-surveillance tech community and is quite convincing. Basically, people want what rich people have, and rich people have no personal privacy. They are surrounded by servants who know everything about them."

You obviously haven't been around very long... The earliest reference - off the top of my head - dates back to 1932... Might I also suggest searching for:
site:schneier.com "convenience * security" OR "convenience * privacy" OR "convenience * liberty" OR "convenience * freedom"
Here's a brief highlight of what I've just found: (protip: take the inverse of 'convenience' with the other words, and add each on as another 'OR' clause to find even more)

Your 'servant' theory will hold; only as long as your masters' legitimacy and projection of power remain impenetrable.

Clive Robinson • April 10, 2015 10:38 PM

OFF Topic :

A couple of things that might be of interest,

Firstly, the EFF is having a chew at the DEA over its "parallel construction"

http://popehat.com/2015/04/09/dea-orchestrates-disinformation-campaign-to-conceal-surveillance-powers

Secondly some of you might have heard of the "RootPipe" priv esc back door in Apple's OS X Admin Framework. Well there is a nicely written walkthrough of how it was found by Emil Kvarnhammar (the person who found it) and some Proof of Concept code,

https://truesecdev.wordpress.com/2015/04/09/hidden-backdoor-api-to-root-privileges-in-apple-os-x/

Oh and Apple has only fixed the problem in the most recent versions of OS X so you might need to upgrade...

Buck • April 10, 2015 10:56 PM

@Clive

"Oh and Apple has only fixed the problem in the most recent versions of OS X so you might need to upgrade..."

Oh, whoopty doo! So what... We can all be vulnerable to 'only' the latest & greatest of the state-sponsored/baked-in vulnerabilities..? What's the point!?

Thoth • April 11, 2015 12:10 AM

@Clive Robinson
It's just part of their "bureaucracy". ICANN does work for the "International" as it's an American organisation. Not surprised they would ask the Feds.

A truly "International" team will not just ask the Feds but put it up for open voting.

Clive Robinson • April 11, 2015 12:18 AM

@ Buck,

"We can all be vulnerable to 'only' the latest & greatest of the state-sponsored/baked-in vulnerabilities..? What's the point!?"

The point was the nice walk through, which is useful for people who want to know how such failings are found, or to shove under other people's noses as and when they need to be brought up to speed on such security vulnerabilities (real world examples can get through when you come up against the "prove it" denial mentality).

But you do have a couple of points, the first being 'if state sponsored rear entry is happening when did it start?'.

Secondly when it comes to "baked in" just how bad can it get.... I guess you might remember the VNC "baked in DES key" for obscuring passwords?

Well it looks like Oracle's programmers have not read the memo...,

https://blog.netspi.com/decrypting-weblogic-passwords/

Buck • April 11, 2015 1:01 AM

@Clive

OK, I see where you're coming from now... Sorry for the snap judgment! ;-)

Clive Robinson • April 11, 2015 1:02 AM

Another couple of articles readers might be interested in,

Firstly, further to my above about the DEA, Wired has an article giving background and, as the title suggests, some forward thinking,

http://www.wired.com/2015/04/want-see-domestic-spyings-future-follow-drug-war/

Secondly one that will probably cause some mileage about how US journalists are still getting Iraqi WMD wrong over a decade later,

https://firstlook.org/theintercept/2015/04/10/twelve-years-later-u-s-media-still-cant-get-iraqi-wmd-story-right/


Curious • April 11, 2015 2:08 AM

I am reading on a Swedish computer news site that there is/was something funny going on with an addon of sorts for Google Chrome (named "Webpage Screenshot"). An addon since removed as I understand it.

Google is said to have removed that particular addon after dn.se (online business magazine) printed a story previously:
http://www.dn.se/ekonomi/hemlig-kod-spionerar-pa-svenskars-surfvanor/ (article in Swedish)
http://www.dn.se/ekonomi/teknik/google-stoppar-spionprogram/ (article in Swedish)

The Swedish articles claim that:
- The addon had recorded the surfing activity in the browser.
- The addon had uploaded that data to a server in USA every single minute.
- The addon was downloading additional code that did the aforementioned things after installation, and had it activated a week after install of the addon.
- Developers say that they record general browsing behavior, for selling data to a third party, using the money for improving the software.
- The addon was used by 1.2 million users.
- Swedish businesses have had information leaks (not specified)

The first article mentions something about how the addon collects data on encrypted connections, but it is unclear to me what it means, I guess it might mean that the addon collected webpage URLs and/or something.

Apparently the newspaper had been in contact with both the developer of the addon and Google. Google apparently did not want to discuss this case.

I guess it is rather obvious that something like this, to some extent at least, would work as plausible deniability for an organized effort into doing espionage. As if someone ended up saying "Oh, sorry, the addon is not so good, my bad."

tyr • April 11, 2015 2:30 AM


@Clive

Thanks for those links. I know the family used to eat
their dead and keep the skulls on the mantelplace.
They also displayed enemies' skulls in the exterior
walls. Probably had some other quaint British Isle
customs, the size of Carnarvon Castle being used as
a check on enthusiasms.

I commend the entrepreneurial spirit of .sucks for
fleecing the oversensitive celebrity, it says a
lot about humanity when you have to own your own
domain that says you suck.

The US media is also unaware of the Sullivan Act
that banned assault weapons in the US in 1934.
That hasn't stopped them from endlessly talking
about them. The definition of WMD is getting the
same sloppy treatment. I recall the consternation
of those who encountered microcomputers and didn't
like it when the machine did what they told it
instead of what they meant. The press has had a
problem for years in that if you knew about the
incident there were amazing logic gaps in the
coverage. This has gotten worse as they now have
discouraged nosy journalists and down-sized the
staff. Reporting these days is finding weird YT
clips to show, or in the case of RT finding a
story to spin by selective reporting.


@Steve37

I found that hilarious, if it turns out ISIS l33t
Haxor skills is watching YouTube the experts need
a crying facepalm over the lowered drawbridge.

I fought against that kind of idiocy for years
in government, but never managed to make much of
a dent in the average managerial cloddy.

Wael • April 11, 2015 2:51 AM

@Clive Robinson,

Unusual tastes, eh? First thing that caught my eyes:

"The poet-undertaker, Thomas Lynch, points out in 'Bodies in Motion and at Rest' that both sex and death are "horizontal mysteries” that possess similarly disconcerting effects." - Katherine Ramsland

She didn't read Kama Sutra, I reckon. I am sure @Figureitout can change her mind overnight.

Paleolithic humans, better known as ‘cave-men’

They aren't talking about someone with a dead tree cave, are they?

Interesting and informative article. Didn't realize cannibalism was so widespread! But fear not, you can still find out what a human tastes like. It’s commonly known that pork tastes like human flesh. This is second hand information! I have eaten neither ;)

Grauhut • April 11, 2015 3:54 AM

@Jacob, Trogdor: "GCoC" could simply be a hacked adserver linked on Baidu (happens every day) or "The greatest PR cannon" of NSA China division... :)

We cannot really know!

But we all know it's f... easy to use a js iframe generator on a high traffic site to ddos a smaller site. Use a database based or other high load page as target, like a search page for instance. Script kiddies usual first fun hack. Did things like that for fun 15 years ago.

(That's why modern forum software today usually secures search input pages with captchas for anonymous users and limits search frequency. Widespread bad joke.)

Clive Robinson • April 11, 2015 4:52 AM

@ Wael,

"Interesting and informative article. Didn't realize cannibalism was so widespread!"

Yeah I found out about it about a quarter of a century ago via the "Edwina 'curried eggs'" scandal. Basically she was set up by civil servants over bugs in eggs, she made some factual statements but "big farm industry" saw a significant drop in sales and went on the warpath in a way that said they had been forewarned. The result was her ministerial position was untenable and she got the boot.

She later published a book that went into a lot of big farm industry's dirty little secrets like chickens being fed their own waste as it makes them grow faster, likewise massive overuse of antibiotics because it made animals grow faster... ... and something called "Scrapie" in sheep.

Apparently if you feed herbivores like sheep bits of other dead sheep from the food processing industry waste they grow faster and fatter etc. All well and good but it spreads a form of CJD at the same time which is what scrapie is effectively. However do the same to cattle and you get Bovine CJD or "Mad Cow Disease" which is then believed to be passed on to humans as variant CJD. The result of which made British farming fall from one of the most respected in animal husbandry to the pariah of the world. Which was a little unfair on the farmers because they had no idea what the likes of the major grain companies were putting into their animal feed products. It's also the same grain companies that appear to be killing millions with "corn syrup" and similar food additives that cause significant and long-term health issues and early deaths...

A Nonny Bunny • April 11, 2015 6:50 AM

@kaninchen

"A prison where the cell locks are electronic and the default state in the event of a blackout is open. What can go wrong?"

A fire breaks out and all the inmates die because the electrical system fails and the doors won't open. No wait..


There's probably middle ground somewhere. But a power outage should not make it too difficult and time consuming to open cells in case of emergency, so default state = open makes some sense.

But it sure sucks when your power grid is unreliable and your backup power generators don't work properly.

albert • April 11, 2015 11:24 AM

@tyr
"... RT finding a story to spin by selective reporting....".
Why single out RT for 'selective reporting'? At least they don't repeat the same lies the US MSM does. The US MSM (and their EU lackeys) are the poster boys for 'selective reporting'.
Face it, we're all going to have to go outside and see what color the sky is.
.
@A Nonny Bunny, @kaninchen,
Dead prisoners are bad for the Prison Business. As with all automation, more computerization means fewer employees, and lower costs*.
With the advent of microprocessors, computerization became the fad du jour. (Now, it's networkization). Micro-controllers can do remarkable things (anti-lock brakes, fuel injection, machine control), but there are dangerous limitations when things don't function as planned (see the first dozen links on DDG, search: "Therac 25"). There are many other horror stories. The computer fad has become embedded in our culture, so much so, that we have developed a dangerous reliance on them. Many aircraft accidents are caused by pilots' failure to understand their relationship to the flight control computers, and when and how the pilot should take control of the aircraft. Planes can fly themselves. A layperson can, with proper instructions from the ground, fly and land a modern commercial jet, using the autopilot. (actually, this can be done remotely as well).
.
@Clive Robinson,
Hopefully, the history books will get it right. And hopefully, we don't train historians like we train jernalists. Re: Mad Cow Disease. Nature keeps telling us, but we don't listen. Simple observation: Cows don't eat dead cows. Could there be a reason for this? Carrion feeders don't get CJD. The takeaway is obvious: Agribusiness (or any business) doesn't give a rat's ass about human (or animal) health unless it affects the Bottom Line.
.
...
*I spent most of my working life in industrial automation. I knew I was helping to put folks out of jobs, but I also knew I was helping to lower the cost and increase the quality of products. Who could afford to buy a car that was entirely hand made? (See Falcon F7)
Hand built is great for guitars....
...

Nick P • April 11, 2015 12:35 PM

@ Clive

Yes, the Oracle team's work was an EPIC FAIL. I agree on Apple and will go further to say their security shouldn't be trusted *at all* for years. After all, this was the company whose server OS components allowed administrative access upon login if one merely supplied a password. Not *the* password: *any* password resulted in approval without being checked. That's the kind of security engineering nation states, organized crime, and disgruntled employees can count on.

tyr • April 11, 2015 1:27 PM


@ Albert

Poor RT was being used as an example because I find
them less odious. I also like Adam Curtis documentaries
but don't believe anything I can't get a second source
verification for.

If you start believing everything you wind up like
Cruz the presidential hopeful who makes cast iron
pots look like Einstein by comparison.

I recommend Bill Hicks on media, particularly TV.

Totally off topic:
The SF community is all a flutter over the Hugo
awards, because some fans who others don't like had
the gall to enter the selection process. The rhetoric
on both sides is quite interesting if you bring
popcorn and consider it entertainment. Ad hominems
have been falling like rain from both sides while
the sensible cringe in embarrassment for the highly
exercised of both camps.

Nick P • April 11, 2015 2:44 PM

John Oliver on Surveillance, Snowden, and a Solution

This show (30min & NSFW) was great. My first John Oliver show. He nicely mixed boring, complex issues with humor in a way that might keep people watching. His interviews with Americans are depressing: largely confirm what I've been saying on this site for a while [1]. Oliver hits Snowden hard in a discussion, even showing him those same interviews. His solution is akin to my recommendation to make the situation very personal and real-world for Americans to understand. His is a lot funnier, though. He certainly brings out Snowden's human side, both worries and sense of humor, repeatedly throughout the interview. Gonna watch some more of his videos.

[1] The Intercept also noticed that angle in their review here. Matter of fact, it's one of the many responses I predicted in previous posts. I argued that their techniques would kill the debate, keep the public ignorant, and current awareness approaches wouldn't achieve jack. The uphill battle we're facing is a lot bigger than the surveillance debate itself. Changing that might require changing the American people or mainstream media. Good luck.

Note: I originally saw a reference to this show glancing through the "Last 100 comments." I couldn't find it in Google even narrowing it to this site and small time range. Youtube gave me 2-4min clips searching for it. So, I reposted it so people would have the whole interview without the hassle of digging for it. My thanks to whoever originally posted it here.

albert • April 11, 2015 3:41 PM

@tyr
I loved Bill Hicks. Brilliant stuff. He died way too young. RIP, Bill.
.
I read about the Hugo awards imbroglio. What a joke. The same sort of thing happens everywhere. Remember Gamergate? Various tech groups. OK, gamers I can understand, but science fiction? What's next, tiddlywink players? The blogosphere and twttr. Many of such issues actually end in lawsuits and police actions.
.
I've been reading Popehat.com for a while now. It's a lawyer's blog about 1st (and 4th) Amendment issues. It's amazing how few folks (including LE and judges) understand what protected speech is. The legal (and illegal) actions of the instigators are often unbelievable. It's also sad that folks cave under pressure groups. School administrations drift about like dandelion seeds. Think of the children! And these are _colleges_!
.
I like blogs where the rules are simple: no personal attacks, no profanity (but I don't have a problem with profanity). groklaw.net (RIP) was the best. PJ wouldn't even allow insinuations of profanity !@#@$%^&* in comments. It's amazing how forced civility nurtures a more intelligent discourse.
.
I found that 'knowing' the author helps. Ya kinda know where Chomsky, Hedges, Nader, come from. Writers for CounterPunch. I don't follow MSM (including PBS). Frankly, I find the positions of neocons (there are few real conservatives left) so untenable as to be self-satire. When the Democrats swung to the Center (Clinton, Obama) the Republicans had no choice but to go further to the Right. What a joke.
.
Though I totally disagree with their hawkish philosophies, two guys I always listen to are Kissinger and Brzezinski. Their analyses and predictions are useful, if not spot on.
.
The best we can hope for is to find folks who at least _understand_ what's happening.
...
...

albert • April 11, 2015 4:17 PM

@Jurjen
Actually, he's reprogramming his source code (assembly language). The RNA does the assembly and 'linking'. OK, that's way over simplified for such a remarkable process.
.
For fun, try writing a simple program that replicates itself. Output could include text displays to track the instance and other factors. It would create the source, say 'C' code, then compile, assemble, and link that code. The next step is to make your program 'change' the output source code a little, so the result is slightly different when executed, but still recognizable as a variant of the original. The next step is to include code for the variants in your original source, but commented out. Now work out various external inputs (e.g. command line arguments) that will activate or deactivate that commented out code. A selection of inputs might reference 'bad' code causing a program 'failure', that is, the program would fail to create the variant. Last step might be creating more than one output program, each of which can spawn itself automatically. Random selection of input arguments to the variants might determine which survive and which die. This may not end well:)
.
...

Nick P • April 11, 2015 5:13 PM

@ albert

Had you changed it a bit, you would've just nicely described an installer for an executable infected with a computer virus. ;) Maybe plenty of artificial life software or even Core War.

Many of us have built somewhat similar software under labels such as polymorphic code, adaptive systems, and genetic programming. The reason such methods aren't prevalent in software engineering is that we're not OK with massive amounts of failure. Nature (and its evolution) will kill off billions of its old creatures or features. We want very specific ones to work reliably with incremental, focused upgrades. Mixing the two domains is difficult and usually applies the adaptive stuff in a limited way (eg optimization).

Still interesting to see efforts in this area. If you want something on source code, then look into "software diversity" and "moving target" papers. Those keywords should get you practical examples of the type of tech you're describing. I know I've read similar stuff before that was built into compilers or source-to-source translation ("term rewriting?") systems.

Clive Robinson • April 11, 2015 6:00 PM

@ Albert,

For fun, try writing a simple program that replicates itself.

Been there sort of done that...

I wrote "evolving code" on an Apple ][ in assembler, I started back in the late 1970's, and kept improving it through the 80's. I think I might still have got it on disk somewhere.

My first attempt was to take a "Game of Life" program and add a randomizer to change the weights. The random step size I allowed decreased with each generation. When the idea of the Annealing algorithm came up around 84 I moved over to the idea.

I must admit that when it came to actually making the program self-modifying, I cheated a bit. Rather than just randomly selecting instructions, I randomly selected blocks of code that I knew would work (think of Mozart's "Minuet generator").

I eventually ended up with a combined annealing and genetic algorithm which became the basis of a system to find algorithms to minimize wastage when cutting two dimensional and three dimensional wood panels and blocks from standard parts for wood and metal fabricators from "job lists".

Some of the code it generated was quite efficient but if you looked at the code produced you would have little or no chance of understanding why...

One of these days I might dig it out and rework it to make crypto algorithms instead just for the fun of it...

Nick P • April 11, 2015 7:33 PM

@ Gerard, Clive, Wael

A nice post arguing that C++ template metaprogramming is basically functional programming. A limited form of typed, functional programming with horrific syntax. He gives plenty of specific examples of a program in Haskell followed by the equivalent using C++ TMP. I expect this to become more true with the new standard.

Another interesting read I found was this paper on incrementally constructing a Scheme compiler. It assumes no knowledge of building compilers or even x86 assembler: just the small amount of Scheme you learn in eg The Little Schemer. Yet, it teaches the person how to incrementally work from the tiniest language + compiler all the way up to a good subset of a standard Scheme. Each step tells the programmer just what they need to know. Important to note this document is the summary of a tutorial that isn't online anymore outside the Wayback Machine. I consider it a good inspiration for a modern effort at a similar approach.

Just for fun, while looking up linker literature (always behind), I found this gem. The goal is to produce the tiniest executable for a one-statement, C program. The writer works from one technique to the next, delving deep into pure hackery as he progresses. The work is clever. Unsurprising he also ported Brainfuck to Linux. Yet, like the author, I couldn't help but be disturbed that Linux would even load the damned thing. His success in the final iterations makes a lot of my points for me about why we should ditch both Intel x86 and the Linux kernel when doing secure, system design.

And if that's not mindbending enough, check out Unlambda: an application of the INTERCAL style to a lambda calculus language that doesn't have lambda. Both are nightmares lol.

Anura • April 11, 2015 8:16 PM

Some of you might find this interesting. I've been playing around with cipher designs, and came up with a block cipher that has a few different features:

1) Built in MAC
2) Built in mode of operation
3) Allows encryption of partial blocks which does not require padding

Basically, each block is encrypted independently in ECB mode, but a different tweak value is used (derived from a nonce and counter) so that no two blocks will encrypt the same. The nice thing about this is that after half the rounds have gone through encryption, you can take the intermediate cipher-text and XOR it to a state before encrypting a final time, and you have a pretty simple and working message authentication code. Padding has to be consistent, but in this case the cipher doesn't need padding.

The encryption has several steps:

Key mixing via XOR
Multiplication mod 257 by tweak^subkey (1 is added to each number being multiplied so it is in the range 1...256, and then after multiplication, 1 is subtracted from the value)
Rotation of each byte
Multiplication by a 16x16 matrix (ring of integers modulo 256).

When encrypting partial-length blocks, you simply zero the extra bytes after each round. Since every square nxn submatrix making up the first n columns and first n rows is invertible, when decrypting we need to choose the appropriate submatrix.

The advantages of the design are this:
1) No padding algorithms required
2) No mode of operations required
3) MAC is provided at little extra cost
4) Encryption and decryption, even with MAC calculation are fully parallelizable

The disadvantage is this:
1) Really really slow to the point where it is impractical (60Mbps encryption, 40Mbps decryption on i7 4810MQ; although I've put no effort into optimization, you are not going to see the 20-fold increase this would need to be considered to have decent performance) due to performing encryption on single byte words. There is really no way around that
2) Lookup table used for inverse multiplication modulo 257 could lead to timing attacks
3) The cipher doesn't have a name

Of course, by getting rid of the idea of a partial-block-length encryption, you can apply the tweak/mac concept to any cipher construction so you don't have the performance issues that this one has. Really, though, just padding with a one followed by a number of zeros is not that big of a deal, so I'm kind of putting a lot of effort into solving a problem that is not really a problem (but it did solve a much more important problem: boredom).

C code is here (reads from stdin, writes to stdout, encryption prepends random nonce and appends MAC - hard-coded to 128-bit all-zero key):

http://pastebin.com/2FGaLVA9

DISCLAIMER: I am not qualified to do cryptanalysis, so you should assume the security is about as good as your average Caesar cipher.
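Added example, not part of the comment above and not taken from the linked pastebin code: the "multiplication mod 257" step with the add-one/subtract-one mapping, and two ways to undo it. One uses the inverse lookup table the comment lists as a timing risk, the other computes the inverse with a fixed sequence of multiplications (Fermat's little theorem). All function names are made up here, and `m` stands for whatever multiplier byte the cipher derives from tweak and subkey.

```c
#include <stdint.h>
#include <stdio.h>

#define P 257u  /* prime, so the nonzero residues 1..256 form a group */

/* Forward step: shift both bytes into 1..256, multiply mod 257, shift back.
   A product of two nonzero residues is never 0, so the result fits a byte. */
uint8_t mul257(uint8_t x, uint8_t m)
{
    uint32_t p = ((uint32_t)x + 1u) * ((uint32_t)m + 1u) % P;
    return (uint8_t)(p - 1u);
}

/* Inverse table, filled by brute force so it is independent of the
   Fermat routine below and can be used to cross-check it. */
static uint16_t inv_table[257];

void build_inv_table(void)
{
    for (uint32_t a = 1; a < P; a++)
        for (uint32_t b = 1; b < P; b++)
            if (a * b % P == 1u)
                inv_table[a] = (uint16_t)b;
}

/* Table variant: the load address depends on the secret multiplier,
   which is what makes cache-timing observation possible. */
uint8_t unmul257_table(uint8_t y, uint8_t m)
{
    uint32_t p = ((uint32_t)y + 1u) * inv_table[(uint32_t)m + 1u] % P;
    return (uint8_t)(p - 1u);
}

/* a^255 mod 257 for a in 1..256. Since a^256 = 1 (mod 257), a^255 is the
   inverse of a. 255 is eight 1-bits, so square-and-multiply does the same
   two operations in every iteration: no secret-dependent branch or index.
   Whether "% 257" compiles to a constant-time sequence still has to be
   confirmed in the disassembly for the target compiler and CPU. */
uint32_t inv257_fermat(uint32_t a)
{
    uint32_t r = 1;
    for (int i = 0; i < 8; i++) {
        r = r * r % P;
        r = r * a % P;
    }
    return r;
}

/* Table-free variant of the decryption step. */
uint8_t unmul257_fermat(uint8_t y, uint8_t m)
{
    uint32_t p = ((uint32_t)y + 1u) * inv257_fermat((uint32_t)m + 1u) % P;
    return (uint8_t)(p - 1u);
}

/* Exhaustive check over all 65536 (byte, multiplier) pairs.
   Returns the number of pairs where either variant fails to round-trip. */
uint32_t count_mismatches(void)
{
    uint32_t bad = 0;
    build_inv_table();
    for (uint32_t x = 0; x < 256; x++) {
        for (uint32_t m = 0; m < 256; m++) {
            uint8_t y = mul257((uint8_t)x, (uint8_t)m);
            if (unmul257_fermat(y, (uint8_t)m) != x) bad++;
            if (unmul257_table(y, (uint8_t)m) != x) bad++;
        }
    }
    return bad;
}

int main(void)
{
    printf("round-trip failures: %u\n", (unsigned)count_mismatches());
    printf("inverse of 2 mod 257: %u\n", (unsigned)inv257_fermat(2));
    return 0;
}
```

The table-free inverse costs 16 modular multiplications per call, so it trades speed for the absence of a secret-indexed load.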

ThothApril 11, 2015 8:35 PM

@Clive Robinson

Quote:"One of these days I might dig it out and rework it to make crypto algorithms instead just for the fun of it..." (https://www.schneier.com/blog/archives/2015/04/friday_squid_bl_472.html#c6693348)

Hmmm... I was recently thinking of creating a sort of simple self-generating circuit to create some dummy rounds and useless functions and read-writes to byte arrays to try and throw off power analysis by introducing active noise that self-generates itself. It has to be tiny enough to fit into constrained devices like smartcards and tiny chips in the event a software implementation of algorithm should be used when the chip's hardware algorithm is suspected of foul play.

Correct me if I am wrong...

A chip does read/write operations to byte arrays and also does functions (computations like XORs or shifts). A simple insecure random would suffice for the self-deciding mechanism.

So we assume three states of operation:
State 1 - IO read/write
State 2 - Computation
State 3 - IO read/write AND Computation

And also when to execute the operation:
Execute 1 - Before crypto execution
Execute 2 - After crypto execution

Here's a pseudo-code link: http://pastebin.com/cM0HnCvL

The idea is to make it as confusing but as simple.

ThothApril 11, 2015 8:43 PM

@Anura
Maybe you can set a specification for a 128 bit unique mac key and 128 bit crypt key or a 128 bit mac key and 256 bit crypt key. Either way once that is done, you will effectively have something of a Type 1 crypto algorithm if it proves strong under plentiful reviews :D . If each block is encrypted differently from each other, I doubt it would be called ECB mode. You can give your mode a new name :) .

The Real Nick PApril 11, 2015 8:54 PM

@Clive Robinson

That's why I went strict vegetarian (vegan/whole unprocessed foods only). I never get food-borne illnesses anymore; unlike many of my friends. Of course I have to supplement vitamin B12 weekly, but that isn't anything major. Small price to pay for modern sanitation. (B12 is made by microbes.)

Cows fed to cows, chicken crap fed to chickens and cows. Drinking the milk of another species past the age of two? It's just sickening to me.

Probably the scariest thing is the chicken->pig->human vector for the flu. The factory farming industry just flat out promotes disease on so many levels.

EOR (end of rant)

gordoApril 12, 2015 12:13 AM

@ Nick P

Re: John Oliver on Surveillance, Snowden, and a Solution

Margaret Thatcher is 110% sexy: Let Edward Snowden teach you how to choose passwords
Saturday, April 11, 2015
By Dave Molloy, Irish Examiner

As a follow-up to last week's excellent interview with infamous security expert Edward Snowden, Last Week Tonight with John Oliver released some extra footage that didn't make the first cut: how to choose passwords.

http://www.irishexaminer.com/examviral/technology-and-gaming/margaret-thatcher-is-110-sexy-let-edward-snowden-teach-you-how-to-choose-passwords-323482.html

Direct link to video [02:57] on YouTube:
https://www.youtube.com/watch?v=yzGzB-yYKcc

Enjoy..!

WaelApril 12, 2015 2:41 AM

@Nick P,

These papers gave me a headache. Didn't continue past two paragraphs each...

@Clive Robinson,
Re: Self-modifying code: I don't have strong opinions on them, but developers who write self modifying code should be shot :)

65535April 12, 2015 5:23 AM

@ Clive Robinson

‘Firstly, the EFF is having a chew at the DEA over its "parallel construction"’

Good link Clive!

“Four things: 1] Your government is watching you in ways you may not suspect. 2] Your government lies to you — both generally, and in specific instances (like criminal prosecutions) where it has the greatest duty to be truthful. 3] The government tells you that aggressive surveillance is necessary to protect you from terrorists, but uses the surveillance data to prosecute domestic crimes, and lies about the surveillance. 4] The War on Drugs means never having to say you are sorry.” - Popehat

http://popehat.com/2015/04/09/dea-orchestrates-disinformation-campaign-to-conceal-surveillance-powers

I believe lawyers at the Human Rights Watch now have realized how much they have been scammed with “parallel construction” tricks by the DEA/NSA.

Once lawyers realize that both their “confidential” and “non-confidential” phone data is vacuumed up they can clearly see how the game is rigged against them.

All the DEA has to do is discover who the lawyer called and how long the conversation was and the said lawyer’s game plan is revealed [say finding the number to an expert witness on a certain subject in an upcoming case]. Once that is done then the DEA can use “parallel construction” to defeat their case.

I wonder how many lawyers’ careers have been ruined with this mass surveillance and parallel construction? Think of the number of lawyers with losing track records and declining client lists. I would guess this career destruction via dragnet spying/parallel construction game is quite high.

It doesn’t stop at lawyers’ careers either. Think of a stock trader who basically has only three options to make money – Buy, Hold, or Sell.
Any DEA/NSA surveillance of this stock trader’s phone calls could easily lead to his competitors front-running his trades.

I would guess there are quite a number of DEA/NSA compensated agents in the stock/bond market. Some of these DEA/NSA agents might take advantage of their superior information spy machine to make some profitable trades.

This parallel construction trick could easily give people inside the government huge advantages over the working Joe in many cases. The powerful remain in power.

This is a travesty. Mass surveillance and parallel construction must stop now.

mike~ackerApril 12, 2015 7:27 AM

government wishes to arrogate to itself right to access all communications

Government Demand

Excerpt

“I don’t want a back door,” Rogers, the director of the nation’s top electronic spy agency, said during a speech at Princeton University, using a tech industry term for covert measures to bypass device security. “I want a front door. And I want the front door to have multiple locks. Big locks.”

it occurs to me as this dialog continues..... government has better leverage in dealing with a commercial entity than it has in dealing with OSF, FSF, EFF, &c

where you just have a bunch of guys hacking code there is less opportunity for agencies to apply pressure,-- save that regulations facilitating such actions would be passed,-- heaven forbid!

ThothApril 12, 2015 8:15 AM

@mike~acker
They can demand as much as they like on setting up front doors, back doors, big locks or golden keys. It is impossible to do one properly.

A few sample hurdles the Govt Agencies would have to cope with include the following:
- Who to control the golden keys ?
- Can those people be really trusted ?
- Auditing mechanisms ?
- Security mechanisms ?
- Who trusts them ?
- Methods to prevent bypass of golden keys ?

There are many ways to bypass those golden keys as many of us have revealed. The simplest way is to secure the data somewhere else before transmitting over a monitored channel. Oblivious algorithms are getting so much better these days where an observer may have to resort to brute force efforts to defeat the oblivious algorithms.

FigureitoutApril 12, 2015 8:31 AM

Clive Robinson RE: eating the dead
--Uh what the hell, trolling me? I didn't want to know that! Computers or radio, only links I want lol. Maybe you like this..? I know you like milk, want some "secret sauce" cookies too? :p (only read URL, been warned lol) http://www.dailymail.co.uk/news/article-2507718/Miramonte-teacher-Mark-Berndt-fed-blindfolded-students-semen-cookies.html

Wael RE: horizontal mysteries
--It's really not that mysterious. Quite simple physical algorithm (like muscle memory, and locating pressure points of large arteries). I don't know, that girl has the look of a "super freak" though lol.

Nick PApril 12, 2015 9:03 AM

@ Wael

The academic ones I posted above or the articles/sites that came after?

FigureitoutApril 12, 2015 9:16 AM

Thoth RE: DPA protections in code
--Check this out, pretty nice read: http://johoe.mooo.com/trezor-power-analysis/ He's using a €62 oscilloscope, so...I'd rather test his fix w/ a real scope...

Basically, for DPA and timing analysis, every operation needs to draw nearly same power and take same amount of time. This would make such an inefficient product...not to mention totally irregular design...I'm picturing lots of unneeded while{} delays for timing and something like asm _nop bunch of times w/ a scope until you do what you need to and they're basically same. The "power loops" would need some sort of random or pseudo random change too otherwise it would be filterable noise.

Final product would of course be a kludgy, annoying, slow thing that can't do a lot of different things b/c that would leak what it's doing.

steve37April 12, 2015 9:25 AM

China’s Great Cannon


This post describes our analysis of China’s “Great Cannon,” our term for an attack tool that we identify as separate from, but co-located with, the Great Firewall of China. The first known usage of the Great Cannon is in the recent large-scale novel DDoS attack on both GitHub and servers used by GreatFire.org.


https://citizenlab.org/2015/04/chinas-great-cannon/

https://krebsonsecurity.com/2015/04/dont-be-fodder-for-chinas-great-cannon/

albertApril 12, 2015 10:23 AM

@Nick P, @Clive,
.
As a metaphor for DNA, it comes close, but I left out other options. Unsuccessful 'mutations' can still create proteins, which could be functional, non-functional, or dangerous. We probably need to add protein creation, in addition to the DNA replication. The trick is to mimic DNA damage, by subjecting your code to random modifications not pre-programmed by you. Sometimes the program would crash, sometimes it would generate output, but the output would crash. Sometimes the output can replicate, but the replicants* crash at some point. IIRC, DNA also has 'repair' capabilities. This would be very interesting to simulate. The information for repair would need to be in the code. I don't understand the details of the process well enough, but it sounds like fun.
.
To say that our program is a small subset of the system is a big understatement. With billions of cells, we are very complex systems. Lucky for us, the error rate is low, otherwise we wouldn't be having this discussion:)
.
Best,
..............
* sometimes I'm smarter than my SpelChek!

Nick PApril 12, 2015 11:19 AM

@ albert

" Unsuccessful 'mutations' can still create proteins, which could be functional, non-functional, or dangerous. We probably need to add protein creation, in addition to the DNA replication. "

So, it has to be a random change of unknown effect on the program. Drunken amateurs submitting code to FOSS projects, perhaps? Or an Artificial, Inebriated Intelligence (A.I.I.) taking their place?

The-DARPA-TrackApril 12, 2015 12:02 PM

Watch DARPA Artificial Intelligence Search For Crime On the "Dark Web"

http://yro.slashdot.org/story/15/04/12/1518238/watch-darpa-artificial-intelligence-search-for-crime-on-the-dark-web

From the Slashdot post:

"Of late, DARPA has shown a growing interest in open sourcing its technology, even if its most terrifying creations, like army robot wildcats designed to reach speeds of 50Mph, are understandably kept private. In a week’s time, the wider world will be able to tinker with components of the military research body’s in-development search tool for the dark web. The Memex technology, named after a mechanical mnemonic dreamt up just as the Second World War was coming to a close, has already been put to use by a number of law enforcement agencies, who are looking to counter crime taking place on networks like Tor, where Hidden Services are protected by the privacy-enhancing, encrypted hosting, often for good, often for bad. In its first year, the focus at Memex has been on tracking human trafficking, but the project's scope stretches considerably wider."

WaelApril 12, 2015 1:23 PM

@Nick P,

A nice post arguing that C++ template metaprogramming is basically functional programming

The classification isn't that interesting to me. I adopt a double standard when it comes to Security because the classification leads to better understanding. For a programming language.. . Meh...

I skipped the other papers on compilers because I'm not good with them, and it's not an area I want to look at.

WaelApril 12, 2015 1:36 PM

@Figureitout, @Thoth,

"I'm picturing lots of unneeded while{} delays for timing and something like asm _nop bunch of times w/ a scope until you do what you need to and they're basically same"

That won't constitute a formidable barrier. Empty loops can be detected from DPA perspective or removed by an optimizing compiler. Random code injection that mimics crypto operations is usually utilized. Constant power consumption would be ideal, but inefficient as you say unless the implementation is exceptionally clever to optimize performance while keeping power and throughput constant. Refer to this thread with @Clive Robinson; I suspect he'll have something to say on the matter.

EldoranApril 12, 2015 2:06 PM

"It lives!"

The clipper chip is back... http://www.washingtonpost.com/world/national-security/as-encryption-spreads-us-worries-about-access-to-data-for-investigations/2015/04/10/7c1c7518-d401-11e4-a62f-ee745911a4ff_story.html?postshare=531428699926574
So basically the NSA wants back the old key escrow idea with the clipper chip. The whole concept is flawed - not to mention the specific implementation (why would the implementation be without flaws this time?).
And then comes the really interesting question - why should only the US have access worldwide?
Just recently they were quite annoyed when China had a similar idea...

SkepticalApril 12, 2015 2:15 PM


@Nick P: re Oliver Interviews Snowden

It was funny throughout, but the underlying serious arguments meant to be conveyed are almost uniformly based on false premises.

Oliver is however the only interviewer I've watched who has pushed the issue of Snowden's actions beyond Snowden's talking points. Remarkably he also managed to elicit more emotional responses from Snowden than any other interviewer I've seen.

Probably the most refreshingly honest interview of Snowden I've seen as to the ethics of Snowden's actions. Snowden's clearly restrained from answering fully by legal considerations, but it was nice to see obvious evasions followed up on rather than wordlessly allowed to pass without comment.

As to the serious arguments underlying Oliver's humor:

1 - he repeats the absurd applications-accepted/applications-rejected statistic about the FISC to show that the FISC is a rubber-stamp. Because that statistic reflects only final applications, and ignores the long process preceding the final application, during which the DOJ will get a very good idea as to whether a final application is worth submitting, the statistic tells us nothing as to how much, or how little, independence with which the FISC acts.

Let's be clear. It does a disservice to the public discussion to distort existing institutions that limit surveillance activities falling under their purview. It detracts from the discussion by forcing everyone to deal with clearly bad arguments rather than allowing full focus on genuinely good arguments.

2 - Oliver quotes a portion of Section 215 allowing access to tangible items related to an investigation of terrorism as though it were some strange and obviously awful power. In fact it's the same power wielded by any grand jury conducting an investigation of anything. The oddity of Section 215 is really in the FISC's acceptance of an argument that entire databases of telephony metadata are relevant to ongoing investigations, and the FISC's establishment of procedures designed to limit the government's access to the set of those databases to actually relevant queries.

The clear goal of the FISC's decision is to permit the government no more access than they would have in the context of any other investigation while at the same time enabling that lawful access to occur much more quickly than would be the case were those several databases not "pre-collected" (my term) in a sense.

It's a creative approach, with strengths and weaknesses, but it's also one that genuinely attempts to maximize both the protections against government abuse and the efficacy of government protection against terrorist acts.

There are good arguments against the wisdom of this program, as well as good arguments for it.

But there are no easy answers.

Ironically, Oliver, after telling us how complex these issues are, after emphasizing that there are no easy answers, then proceeds to attempt to both simplify the issues and deliver easy answers.

3 - What's with the self-pity about a "10 and a half hour" flight to Moscow, no doubt in at least business class? And okay, this wasn't part of any of Oliver's arguments, but he could have shown some balls (yes, joke intended).

4 - Interviews of tourists in Times Square, NYC. Greenwald makes a mighty effort to salvage a serious argument from this, but even Greenwald's take misses a question that any serious political strategist or analyst would have asked: how many of those interviewed are registered voters?

Let me put this another way: of those persons who would be informed by Oliver's suggested strategy, and who would otherwise be uninformed, what percentage votes and where do they vote?

And the reason that the NSA surveillance story as a whole hasn't caused more outrage or uproar is in part because it's not a scandal story, which is how it was initially sold to the public.

The NSA surveillance story is a policy story, and a complicated, tough one to tell.

I actually think those with the greatest commitment to using the story to push reforms did themselves, and everyone, a disservice by trying to push this as a scandal and centering the debate around whether laws or civil rights were violated. The NSA actually seems to have done an excellent, and by all appearances earnest, job of responsibly complying with the law.

Once attention was exhausted by the question of whether there was a scandal, there was little left for the question of policy (outside of those who cared about the policy question before Snowden's leaks).

steve37April 12, 2015 4:11 PM

Mary had a crypto scheme,
she kept it in escrow.
Everything that Mary knew
the Feds were sure to know.

TillLawDoUsPartApril 12, 2015 4:34 PM

The NSA Wants Tech Companies To Give It "Front Door" Access To Encrypted Data

http://yro.slashdot.org/story/15/04/12/1826250/the-nsa-wants-tech-companies-to-give-it-front-door-access-to-encrypted-data

First, it was unknown sleuthing (until Snowden).

Then back doors were object of their affection.

Now the kimono is parted and it is only the front door they are after.

It will probably surface as an attempted constitutional amendment. Outrageous? Why, no more so than what has already been done!

ThisIsKillingHumanityApril 12, 2015 5:47 PM

Microsoft and Miele Team Collaborate To Cook Up an IoT Revolution

http://tech.slashdot.org/story/15/04/12/2028244/microsoft-and-miele-team-collaborate-to-cook-up-an-iot-revolution

From the Slashdot post:

"When people talk about the Internet of Things, there are often semi-joking references to fridges that know when you've run out of milk and ovens that know how to cook whatever you put in them. Forget the jokes; this is now a reality. We've already seen a generation of smart appliances, and Microsoft wants to be part of what happens next. At Hannover Messe today, Miele — of oven, vacuum cleaner and washing machine fame — announces it is working on a new breed of appliances based on Microsoft Azure Internet of Things (IoT) services. What does this mean? Ultimately it means you'll be able to find a recipe online, have the ingredient list and preparation instructions sent to your mobile device, and your smart oven will be automatically configured with the correct settings."

We already know how malware affects our PCs. We also know that our personal tracking devices are the underbelly of those that want to influence, intimidate, and control us. Automobile info-tainment & automation are the current big drive to achieve this end. Do we really want EVERY device in our lives to be run by somebody else? Have we grown that INEPT???

First of all, there is NOTHING "smart" about ANY of the IoT devices that are in existence or proclaimed to soon be in existence. Thermostats...dangerous if not the equivalent of the existing problems with control automation for utility networks and factories. So called "smart" TVs are high risk invasions of privacy with their live microphones and cameras. Who needs "smart" refrigerators, coffee pots, freezers, stoves, etc. NOBODY! That is, perhaps only those that want to accept the designation of "sheeple", those who can't live without someone else telling them what to do or doing it for them (the perpetually lazy or inept).

As we have seen so far, most if not all of these IoT devices are insecure, with regard to how they run and what is done with the data. What is next...indoor environment monitoring and body attached recorders. The end game of course is being chipped, and the ultimate brain scanning reader (and not even a penny for your thoughts).

We have one thing in our favor...if Microsoft is behind this effort, as it is with past such efforts, big time failure is to be expected. However, they have already implanted "listening/watching/identifying/recording" with the upcoming Win10 release, so they are in lock step with the actions taken that led up to the last world war, only this time, it isn't just a segment of the population but the entire population (save the 1 percenters or those on the "do-not whatever" lists).

Without the ability to live on your own, be independent and free, there seems little reason to live, even for the 1 percenters.

albertApril 12, 2015 6:52 PM

@Nick P
"...So, it has to be a random change of unknown effect on the program...."
.
Upon sober reflection....yes, but not the program. The program must be an interpreter of data, which data is the genetic code. Yes, a failure to compile or run is similar to non-functional DNA, but we need more research on DNA function. It is probably true that most mutations are totally destructive. Certainly, random changes in the _machine code_ could lead to some interesting, non-catastrophic results.
.
It would seem to me that very small breaks in DNA structures could have major effects on replication. Non-functional alcoholics (NFAs) can't write compilable code, but compiling is an extra step, which doesn't match the DNA example, AFAIK. Assembler is closer, but it's harder to write even simple programs. We don't want compiler errors, so we need to simulate everything. In addition to replicating the source code, our DNA program needs to create a specific protein as well. A file containing a string of numbers might suffice. Now we can determine if the protein is 'correct'. Then there's the DNA 'self-repair' issue....
We can simulate DNA as a data file, but we need code to 'run' it. DNA does this automagically. How can this be _duplicated_?
.
OT. I recall writing fuzzy logic code in 'C' and relay ladder logic (RLL). Simple control systems for temperature, speed, etc. They were very robust and self-correcting. You could remove remarkably large amounts of code, and they still worked. It still amazes me today. A quick test for the code was to print out 3D plots of the data outputs; the familiar 'hillside' graph. Errors showed as bumps or dips in the surface.
.
...

BuckApril 12, 2015 7:06 PM

@Skeptical

"Once attention was exhausted by the question of whether there was a scandal, there was little left for the question of policy (outside of those who cared about the policy question before Snowden's leaks)."

There may be more of us than you think, and there's probably plenty of others who've taken a step back, ex post facto, to reexamine the state of their worlds...

Clive RobinsonApril 12, 2015 7:12 PM

@ ThisIsKillingHumanity,

What concerns me most is not the information leak from individual IoT devices, but that the leak from several IoT devices can be used to infer other information thus its total is very much greater than the sum of the individual sources.

As an example, your smart fridge and cooker indicate what is potentially going in one end of your GI tract. Your smart toilet will give an indication of what is coming out of your GI tract. Combined these will give an indication of GI transit time and absorption, which will reveal over time not just your life style but general health and more specifically stress levels etc.

Whilst it might sound far fetched, some people have shown that such information can find certain types of illness long long before they would show up with the standard health checks. Thus it's not just your health insurer who would be interested in this your employer might as well.

But how about others? It's known that certain US Gov agencies have in the past carried out "bio-warfare" experiments on the US population at various times in the past, including releasing "lightbulb" flasks of biological agents in the New York Metro/subway system.

But what about LEO's? Would such monitoring be of benefit to them? I suspect the answer is "yes" in the same way the current mass surveillance systems benefit the DEA / NSA etc. That is it would be used to get increases in funding, but in reality would not be an effective use of tax resources.

The problem is that even if you don't give credence to the above scenario there are an almost unlimited number of other scenarios in the future only some of which we can guess at.

All we really know is that the likes of the NSA will want full access to any and all the data from IoT devices via their "front doors and golden keys". What they will do with that data we can only guess at, but you can be sure of one thing: the likes of Rogers and his advisors already have their eye on the potential prizes of such vastly increased "big data".

Yrneh KcirtapApril 12, 2015 7:19 PM

Typically Skeptical parrots official nonsense with the glassy-eyed fervor of the brightest little Pioneer in Juche class. But there's more here than conformist mediocrity. Take, "The NSA actually seems to have done an excellent, and by all appearances earnest, job of responsibly complying with the law."

Skeptical's simple-minded fixation on "the law" is common among third-rate beltway hacks that can't crack the white-shoe firms. 'The law' means, more or less, America, that is, bullshit and hand-waving, sort of like motherhood and apple pie. That's just how dimbulbs think, imprecisely.

But when Skeptical refers to 'the law,' he distorts it most exactly. He doesn't want you to think about the supreme law of the land. He lies when he's cornered on that, or else he flounces off. By "the law," Skeptical wants you to think only of the corrupt and illegal snarl of agency red tape that provides for the following:

If someone you know ever talks to anyone of interest, you can be subjected to NSA's full range of "analytical tradecraft" indefinitely, absent any suspicion of wrongdoing.

He likes that, the groveling worm. And not because he can't work out the combinatoric scope of the overreach (he can't, but it wouldn't matter if he could.) He's like Winston after they sicced the rats on his face, he loves Big Brother. Skeptical bends meekly over for any old cavity search. He waves his cheesy little American flag, as long as it's safe. He thinks that you should be a cringing slave like him.

Clive RobinsonApril 12, 2015 7:28 PM

@ Albert, Nick P,

"Upon sober reflection....yes, but not the program. The program must be an interpreter of data, which data is the genetic code."

Think not of an "interpreter" but a "compiler", because at the end of the day what you are really aiming at is a minimal function Turing Machine (like Brain F*ck) that can augment itself.

That is certain minimum functions are a given such as the Turing Machine reading of tape symbols or the more concrete example of the hard wired RTL that microcode is built on top of in CPUs.

These exist in the biological sense of very basic protein synthesis, which then builds the more complicated tools that process RNA and DNA up to the epigenetic systems.

BuckApril 12, 2015 7:47 PM

@Clive Robinson

Personally, I do give credence... While in reality, I do not think of it as an effective use of resources. Furthermore, I don't believe that the information can find -- but only suggest!

Funnily enough, a recent tidbit from you may have saved us from a dreadful hospital experience. Though, the strangest part is, I didn't even think of it at the time! It was my wife, with a sorta independent 'foresight' who had suggested the idea only a few hours prior...

Then again, I've come to find that nutrition is only part of the equation; love and affection are equally (if not more) important!

The EndApril 12, 2015 8:09 PM

@mike~acker

"government wishes to arrogate to itself right to access all communications"

Do totalitarian means imply totalitarian ends?

Can you think of any other reason for building a system of mass surveillance?

A "national security" that entails the violation of individual rights reveals the character of the government to be statist.

The phrase "national security" then functions as "racial purity" functioned in the Third Reich, a thought-stopping justification for aggression.

We are at a pivotal point in history where individuals may cease to exist as individuals.

Don't let it go down like that.

Here's a quote from the book "IBM and the Holocaust" (page 50) that expresses the fascist conception of the state as an organism with the citizens as cells:

That day, while standing next to the personal representative of Watson and IBM, with numerous Nazi Party officials in attendance, Heidinger publicly announced how in tune he and Dahomag were with the Nazi race scientists who saw population statistics as the key to eradicating the unhealthy, inferior segments of society.
"The physician examines the human body and determines whether... all organs are working to the benefit of the entire organism," asserted Heidinger to a crowd of Nazi officials. "We [Dahomag] are very much like the physician, in that we dissect, cell by cell, the German cultural body. We report every individual characteristic... on a little card. These are not dead cards, quite the contrary, they prove later on that they come to life when the cards are sorted at a rate of 25,000 per hour according to certain characteristics. These characteristics are grouped like the organs of our cultural body, and they will be calculated and determined with the help of our tabulating machine.
"We are proud that we may assist in such task, a task that provides our nation's Physician [Adolf Hitler] with the material he needs for his examinations. Our Physician can then determine whether the calculated values are in harmony with health of our people. It also means that if such is not the case, our Physician can take corrective procedures to correct the sick circumstances... Our characteristics are deeply rooted in our race. Therefore, we much cherish them like a holy shrine which we will - and must - keep pure. We have the deepest trust in our Physician and will follow his instructions in blind faith, because we know that he will lead our people to a great future. ..."


ThothApril 12, 2015 9:40 PM

@Wael, Figureitout
I doubt empty operations would even make a convincing case. Trying to make operations look linearly the same over an oscilloscope would be a nice idea but maybe much more difficult to implement.

I posted above in this thread some ideas to @Clive Robinson regarding generating background noises from the software.

My approach would be random length data I/O and also random operations (with possibly operational timing randomness if possible).

This way on a scope, it would look much more plausible and confusing and harder to pick at while simplifying the coder's life ?

Probably I need more time to think about it as I am trying to implement some software crypto implementations on portable devices and need to find a way to obfuscate the operations and data from being measured by an oscilloscope without making it too complex for a tiny smartcard chip.

ThothApril 12, 2015 9:48 PM

@Wael, Figureitout
I forgot to mention that data I/O obfuscation must be efficient and used sparingly on smartcard chips due to limited write limits on the EEPROM flash chip.

I am thinking if the write operations can write random length random data while a legitimate I/O is being carried out whereby the length of the total data written is longer than the actual data.

Some thoughts and feedbacks ?

AnuraApril 12, 2015 9:55 PM

@Thoth

If I was going to write specs for a serious cipher, it would probably be something like this:

http://pastebin.com/XZQ4TVLD

Which does everything the previous cipher does, but requires padding and doesn't have the performance issues (encrypts at 1Gbps with no effort on optimization, which doesn't mean much if the cipher is not secure, of course, which I still don't have the abilities to prove). It's a pure Feistel cipher, with a 256-bit block size.

@Wael

Re: Self-modifying code: I don't have strong opinions on them, but developers who write self modifying code should be shot :)

Genetic algorithms are the future. I don't know about security, but this is pretty amazing stuff:

http://www.damninteresting.com/on-the-origin-of-circuits/

How else can you write programs that work, relying on circuit paths that don't seem to actually do anything, but somehow do because of the electromagnetic flux?

Rex84April 12, 2015 9:57 PM

"Paul Krugman (a prominent economist) has a blog-post on wearables. In it he argues that people will want the surveillance that wearables enable, and that people do not value their personal privacy that much."

People will swap. You aren't who you are could lead to lots of collections that are basically worthless. Hey, they've got billions budgeted for it though. Prediction: It'll fall into quicksand because there's more stupidity than planning! Even the best plans don't survive after the first shot is fired or random stupidity and we have lots of shots fired and stupidity. More planning won't be of much use. If you don't have a sword, sell your cloak and buy one. Fight with clubs and projectiles. Save fuel, drive golf carts!

ThothApril 12, 2015 10:17 PM

@Anura
Maybe you could take some time to set up a differential analysis of the ciphertext and plaintext pairs as the first step for cryptanalysis and do some write-up. I see it's a likely potential.

Nick PApril 12, 2015 10:22 PM

@ Skeptical

re Oliver pushing Snowden

We agree on this. I'm glad you also found it fun and enlightening. Snowden's body language, face, and eyes said more about how he felt in that interview than in most of the others combined. It was specifically because of Oliver's more aggressive style. He wasn't hard-charging with purely the intent to derail Snowden as much of his U.S. media opponents might have done. He put just enough pressure on him on key points to attempt a genuine response. That's why I'm going to watch some more of his interviews. :)

re arguments

1. I agree on the rubber-stamping. Our discussions show that court is unusual. It deals with a narrow range of stuff with well-understood criteria and plenty of communication with those asking for stuff. However, it still operates on secret interpretations of law that aren't tested like in the legal system as a whole. Further, the consequences of defying the FISC don't come close to those of pissing off a federal court and prosecutor. So, if not a rubber stamp, it's a toothless court whose bark is louder than its bite. It also never bites (imprisons/fires).

2. He dramatizes it a bit. Yet, outside of NSA, the data is collected in a targeted way under criteria that can be challenged. The data can be evaluated and challenged. The tools' own reliability can be evaluated and challenged. A person's individual rights are considered by the judge in the process while relying on plenty of case law established by diverse courts. And so on. The NSA situation is... nothing like that. That they're doing a lot more with Section 215 than they publicly admitted should cause more worry.

This is where the real drama comes in: NSA, unlike a judge, is a quasi-military organization with secrecy and effective immunity to prosecution. Having a group like that look at everyone at once trying to find reasons to consider them a terrorist or criminal is quite different than about every police investigation or trial I've ever seen. That's cause for concern.

"Ironically, Oliver, after telling us how complex these issues are, after emphasizing that there are no easy answers, then proceeds to attempt to both simplify the issues and deliver easy answers."

It seems hypocritical but it's not: it's a paradox. After that, he interviews people to find that most people didn't give a shit. So much for a debate on the complexity. Then, he tries to find something that matters to them to get them involved and focuses on it. Politicians and marketing types do the same thing because it works.

3. He sure did whine a lot. Yet, he managed to show some balls at a time Snowden was least expecting it. Led to one of the best, more subtle jokes: "I can't believe you would show that to everyone. Wait, I could totally believe you'd do that."

4. That's a great point. I have something to add here. I've done similar interviews for almost a decade on a range of these topics. Most people I know, same or opposite politics, know who Snowden is. Many others range from what you see in the interview to people that know a bit more. So, I have my fingers on the pulse of the situation.

I'll easily say that people don't give a shit. Even of those that do, only a subset would use their vote against corrupt politicians or those that oppose civil liberties. The reason is a clever technique both sides use where they create constant distractions with debates focusing on emotional issues. A politician that's strongly for civil liberties will not get votes because he said X or had stance Y on issue Z. The media participates in this process by aiding it directly and intentionally not covering the best angles of specific topics. Even when the angles happen, we see the media interviewer try to divert the interview with questions that avoid it, edit it to be short, or kill it with some bullshit story (example in Oliver vid). This isn't rare: it's the norm.

So, with such techniques, the voter paying attention will often miss key information due to having so many distractions and probably information overload on politics in general. The educated voters really researching the issues while combating media and personal bias are so rare I doubt they can even swing an election. The majority of voters barely give a shit past watching their shows and their commentators that say what they want to hear. As both sides lie on these issues, then incidentally most of the voting public will be voting based on misinformation or disinformation. The effect is the same as Oliver's crowd in practice: nothing changes significantly.

"And the reason that the NSA surveillance story as a whole hasn't caused more outrage or uproar is in part because it's not a scandal story, which is how it was initially sold to the public.The NSA surveillance story is a policy story, and a complicated, tough one to tell."

It's both. It's mostly a scandal because it's a huge collection of lies and fraud that go back over a decade. It started with 9/11: a rare type of murder that killed 3,000 individuals that officials *eventually* admitted they had enough power, intelligence and security measures to stop. Originally, though, they lied that the terrorists were all over the place, the success was a lack of surveillance/power/money, they needed things like Patriot Act to stop the next one, and the powers were granted without debate or even time to read it.

One lie after another proceeded to come from the administrations, including wars leading to many times more dead Americans than the terrorists. Recently, they've tried to expand it by pushing lies such as encryption stopping all kinds of investigations (it doesn't) and them having more surveillance/backdoors being solution to hackers (it isn't). That would be built on top of a massive dragnet of surveillance with more capabilities than the Stasi, sharing with law enforcement, no due process, secrecy, and immunity. All of that power concentrated into the hands of the kinds of organizations whose incompetence led to 9/11 in the first place. And all of it built on a foundation of lies extended by lies.

If that's not a national scandal, I don't know what is.

gordoApril 12, 2015 10:49 PM

@mike~acker, @Thoth, and @The End on,

Just my .02 cents:

Theoretically, mass surveillance is a basis for discrimination of any kind.

IMHO, and, to borrow a phrase, for lack of a better one, this pursuit of total information awareness is the impending moral hazard of our age. See also: third party doctrine, Fourth Amendment, etc. Given the sheer depth, breadth or scale of the policies or digital dossiers envisaged, in at least some minds, phrases like "anything you say can and will be used against you" begin to take on new meaning.

What's also interesting to me is that since the last crypto wars all that the gov's seem to have accomplished are protocol-standards corruption, supply-chain intercepts, hacking-the-stacks, and making hay [last definition especially]. This may be gov's last chance or their last play.

In some ways we may be looking at incipient balkanization between Citizen and State, new social norms or new checks and balances. Though not an exact analog, an example of this, from the "physical security" world, might be citizens armed with their cell phone cams to monitor policing, i.e., the thin blue line.

As another aside, what are all those cc cams doing everywhere, anyway? -- My answer: They're not everywhere. As so, a lot's been missed, but now their freelance cousins are going mobile. I suppose 'cop camming' is a new form of surveilling the State for bad actors in its employ. To protect and to serve...is going self-serve, and, in a service economy, well, like encryption going mainstream(?), it makes sense that persons are using and want to have those kinds of protections both against and from their (public and private) service providers.

Nick PApril 12, 2015 10:51 PM

@ Wael

"The classification isn't that interesting to me. I adopt a double standard when it comes to Security because the classification leads to better understanding. For a programming language.. . Meh..."

I see. For me, it confirms two opposite things. For mass adoption and supporting legacy code, people are better off trying to integrate functional metaprogramming into an existing language. On the flip side, people designing new languages for robust systems should focus on making languages like Haskell more efficient for low-level code. After all, even fans of C-like languages eventually settled on a knockoff of Haskell to solve their abstraction problems. Might as well take the next step and get rid of the crud they used it with.

Perhaps do what C did but with a language like Go and cleaner syntax.

@ albert

Good elaboration.

"We can simulate DNA as a data file, but we need code to 'run' it. DNA does this automagically. How can this be _duplicated_?"

You need something that can operate as code and data. That's LISP. Also what's used in Genetic Programming for that reason.

"They we very robust and self-correcting. You could remove remarkably large amounts of code, and they still worked. "

How the hell did you do that? My fuzzy logic systems required both the code and logical rules to function. Take pieces out, the system breaks. What design or coding strategies did your work use to allow chunks of its code to be non-essential?

@ NotANational

Good point. It's actually both: a national scandal here and a world scandal everywhere else. The reason it has to be both separately is that most Americans don't give a shit about what their spy agencies do to foreign targets. Just how it is. Also true for many foreign countries and *their* spy agencies.

Nick PApril 12, 2015 10:52 PM

@ Wael

EDIT: Do what *C++* did but with a language like Go and cleaner metaprogramming syntax. Julia is an example that's closer to that.

ThothApril 12, 2015 11:36 PM

@gordo, all
Democracy is a process where the citizenry makes informed decisions on the processes and governance where a small group of representative takes up governance roles to represent the populace.

In such a definition, the representatives are "servants", thus the word "civil servants" of the populace.

The current circumstances is that the population has given up willingly or unwillingly their power for processes and these "servants" of the population become masters of the slave population.

One tactic is to clamp down in the name of National Security starting with the application of mass surveillance to weed out the so-called "scum of societies" and for the so-called "better future" that they always promise but failed to deliver with tonnes of excuses like encryption and all those nonsense.

Campaigns to distort, control and deny information, processes, resources and means that would empower the masses in regards to stronger privacy and personal security measures (high assurance and high security computing as an example). Backdoors, frontdoors, golden keys, media blackout, black-ops, psy-ops and other means are used to control the populace.

By controlling the populace, you establish your power base in the name of National Security so that the population cannot carry out democratic processes that will weaken a selected group's power base that is embedded into (multi-) national power control by democratic means.

By seeking to use favourable trade, economic and military processes, the control of not just the local population but also the world's decisions would always be in favour of a selected few.

The Internet itself as a rather popular and successful medium to liberalize such information and dissolve central control has been seen as a much bigger threat to their control in the name of so-called National Security and other seemingly selfless nation agendas that have underlying "currents" and "deals".

The current surveillance mechanisms are finding it hard to break up highly robust cryptographic protocols commonly deployed to protect privacy and personal security.

The first move to totally bring to the ground this privacy and personal security to have total access (in a zero sum game of privacy vs. national security) proposes all kinds of nasty schemes that undermine our trust of digital security technologies like backdoors, frontdoors, golden keys and the likes.

With the free access to everyone's thoughts and information, they can put to work their mechanisms to take over total control of the population's behaviours and make everyone and everything extremely predictable and uniform. No one would be able to move "out-of-the-box" or "step-out-of-line" to engage in democratic processes to make decisions and the few "elites" whom have been so good at capitalizing on human emotions and thoughts to get to where they are would always stay in power without being challenged.

That is the so-called National Security they (the "elites") want us to subscribe to...

Rex84April 12, 2015 11:42 PM

Scandal: http://sfappeal.com/2015/04/sprint-agrees-to-pay-15-5m-in-federal-surveillance-lawsuit/

With all the NSA collection of everything why are corporations being paid? Welcome welcome to the USA...we're partying fools in the autumn of a heyday. We're running out of everything, but we can't afford to quit.

We got the little black car, the little black dress
We got the guru and the trainer and the full court press
We got the software, hard drive, CD ROM
We got the exploitation.com

We got the pager, cell phone, bootleg methaqualone
The media, the message "You are what you own"
We got the agent, lawyer, lapdog, voyeur
Talk show, book deal, round mouth, square meal

WaelApril 13, 2015 12:00 AM

@Thoth, @Figureitout,

On DPA...
Take a look at what these fellows do with DPA. They know what they are doing. I interviewed with them a few years ago and solved a few of their "tough" questions, I still remember one of them :) It was about timing attacks.

AnuraApril 13, 2015 12:07 AM

@Thoth

I have too many projects on my table to sit down and learn serious cryptanalysis (I can break pencil and paper ciphers, I can't break DES). I've been working on a paper for a voting method (a system for proportional representation via multi-member districts and approval voting), I've been learning Ada, and I've been planning on developing a fairly complicated task scheduler in Ada (that's based on the task scheduling requirements of several past companies, e.g. job a runs once a month, job c runs after job b, which is triggered by event e, job d runs daily, but can't run at the same time as job c, etc.).

Maybe in a year or two I'll have the time, but for now, it's just a bit of fun rather than a priority.

WaelApril 13, 2015 12:11 AM

@Anura,

Genetic algorithms are the future. I don't know about security, but this is pretty amazing stuff:

I don't doubt that it's one possible future path. The link isn't working for me at the moment, so I'll reply when I can read it (if I have the chance.) The only valid use (security-wise) I can think of for self-modifying-code is obfuscation.

Nick PApril 13, 2015 12:21 AM

@ Wael

Ahh, the company I referenced here in the past as vetting both the Intel and VIA random number generators. Post-2013, they become even more interesting yeah? ;)

FigureitoutApril 13, 2015 12:23 AM

Wael
--Yeah, it's an infrastructure design problem that's probably impossible for all but the simplest products. The empty while loops (waiting on a condition that'd have to be same one just scattered) were for timing purposes, the nops (I'd be interested in the basic instructions across chips, their signatures) for power analysis (they'll have a signature), I still need time to look into initializing clocks more as I can shield and use an offline shielded gas power generator to deal w/ DPA.

Thoth
--It sounds like large loops need to be avoided. I have a hard time envisioning "real" randomness being automated w/o some tedious human intervention. Yes flash chips have some pretty small write limits, and if you look into smart cards some more (look at bunnie and xobs investigations into some) you may find some disturbing things w/ how reading memory is actually really messy (just like all computers) and mediated via another microcontroller that can be programmed to point to larger or smaller chunks of memory, unless you pay out the ass for the highest quality (still not sure...).

But yeah I haven't investigated the noise issue enough so it's just conjecture on my part. I wish I could get paid to work on these things when I'm fresh instead of limited free time, meh...

WaelApril 13, 2015 12:25 AM

@Thoth,

Some thoughts and feedbacks ?

I know the first thing that comes to mind is "randomization", but it usually isn't the full answer -- It could be part of the answer.
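
Added example, not part of any comment in this thread: a small C model of the point discussed by Thoth, Figureitout and Wael above, showing why random delays alone do not remove a data-dependent timing difference while a constant-time routine does. The cycle counts are simulated, and the function names, the 0..63-cycle jitter range, the xorshift32 delay source and the sample bytes are all assumptions made for the illustration.

```c
/* Added illustration: simulated cycle counts, not measurements from real hardware. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define JITTER_MAX 64u /* assumed random delay: 0..63 cycles added per operation */

/* Constructed sample data: GUESS_HIT shares only its first byte with SECRET. */
static const uint8_t SECRET[8]     = {0x3a, 0x91, 0x5c, 0x07, 0xe2, 0x48, 0xb6, 0x1d};
static const uint8_t GUESS_HIT[8]  = {0x3a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
static const uint8_t GUESS_MISS[8] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};

typedef unsigned (*compare_fn)(const uint8_t *, const uint8_t *, size_t, int *);

/* xorshift32 stands in for the chip's random delay source (assumption). */
static uint32_t xorshift32(uint32_t *state) {
    uint32_t x = *state;
    x ^= x << 13;
    x ^= x >> 17;
    x ^= x << 5;
    *state = x;
    return x;
}

/* Early-exit compare: the cycle count reveals how many leading bytes matched. */
unsigned leaky_compare(const uint8_t *a, const uint8_t *b, size_t n, int *equal) {
    unsigned cycles = 0;
    for (size_t i = 0; i < n; i++) {
        cycles++;
        if (a[i] != b[i]) {
            *equal = 0;
            return cycles;
        }
    }
    *equal = 1;
    return cycles;
}

/* Constant-time compare: always processes all n bytes, no data-dependent branch. */
unsigned ct_compare(const uint8_t *a, const uint8_t *b, size_t n, int *equal) {
    unsigned cycles = 0;
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) {
        cycles++;
        diff |= (uint8_t)(a[i] ^ b[i]);
    }
    *equal = (diff == 0);
    return cycles;
}

/* One observation as seen from outside: real cost plus a random delay. */
unsigned observe(compare_fn f, const uint8_t *secret, const uint8_t *guess,
                 size_t n, uint32_t *rng) {
    int equal;
    unsigned cost = f(secret, guess, n, &equal);
    return cost + ((xorshift32(rng) >> 16) % JITTER_MAX);
}

/* Mean observed cost over many traces: averaging shrinks the jitter, not the signal. */
double mean_observed(compare_fn f, const uint8_t *secret, const uint8_t *guess,
                     size_t n, unsigned traces, uint32_t *rng) {
    double sum = 0.0;
    for (unsigned t = 0; t < traces; t++)
        sum += observe(f, secret, guess, n, rng);
    return sum / traces;
}

/* Difference in mean cost between a guess with a correct first byte and one without. */
double leak_after_averaging(compare_fn f, unsigned traces, uint32_t seed) {
    uint32_t rng = seed ? seed : 1u; /* xorshift32 state must be nonzero */
    double hit = mean_observed(f, SECRET, GUESS_HIT, sizeof SECRET, traces, &rng);
    double miss = mean_observed(f, SECRET, GUESS_MISS, sizeof SECRET, traces, &rng);
    return hit - miss;
}

int main(void) {
    printf("early-exit compare, mean difference:    %.3f cycles\n",
           leak_after_averaging(leaky_compare, 200000, 0x12345678u));
    printf("constant-time compare, mean difference: %.3f cycles\n",
           leak_after_averaging(ct_compare, 200000, 0x12345678u));
    return 0;
}
```

In a single trace the one-cycle difference is buried under up to 63 cycles of jitter; the mean over many traces brings it back for the early-exit routine, while the constant-time routine has no difference to recover.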

WaelApril 13, 2015 12:32 AM

@Nick P,

they become even more interesting yeah? ;)

Yes! But they were always interesting :) Check out some of their videos extracting encryption keys from running laptops by analyzing electromagnetic radiation.

WaelApril 13, 2015 12:48 AM

@Nick P,

To me, the programming language is just a tool. I'll use the one that suits the need. I have my biases, but these are only personal preferences.

AnuraApril 13, 2015 12:48 AM

@Wael

Here's an excerpt that captures the gist of it:

The informatics researcher began his experiment by selecting a straightforward task for the chip to complete: he decided that it must reliably differentiate between two particular audio tones. A traditional sound processor with its hundreds of thousands of pre-programmed logic blocks would have no trouble filling such a request, but Thompson wanted to ensure that his hardware evolved a novel solution. To that end, he employed a chip only ten cells wide and ten cells across-- a mere 100 logic gates. He also strayed from convention by omitting the system clock, thereby stripping the chip of its ability to synchronize its digital resources in the traditional way.


He cooked up a batch of primordial data-soup by generating fifty random blobs of ones and zeros. One by one his computer loaded these digital genomes into the FPGA chip, played the two distinct audio tones, and rated each genome's fitness according to how closely its output satisfied pre-set criteria. Unsurprisingly, none of the initial randomized configuration programs came anywhere close. Even the top performers were so profoundly inadequate that the computer had to choose its favorites based on tiny nuances. The genetic algorithm eliminated the worst of the bunch, and the best were allowed to mingle their virtual DNA by swapping fragments of source code with their partners. Occasional mutations were introduced into the fruit of their digital loins when the control program randomly changed a one or a zero here and there.

For the first hundred generations or so, there were few indications that the circuit-spawn were any improvement over their random-blob ancestors. But soon the chip began to show some encouraging twitches. By generation #220 the FPGA was essentially mimicking the input it received, a reaction which was a far cry from the desired result but evidence of progress nonetheless. The chip's performance improved in minuscule increments as the non-stop electronic orgy produced a parade of increasingly competent offspring. Around generation #650, the chip had developed some sensitivity to the 1kHz waveform, and by generation #1,400 its success rate in identifying either tone had increased to more than 50%.

Finally, after just over 4,000 generations, test system settled upon the best program. When Dr. Thompson played the 1kHz tone, the microchip unfailingly reacted by decreasing its power output to zero volts. When he played the 10kHz tone, the output jumped up to five volts. He pushed the chip even farther by requiring it to react to vocal "stop" and "go" commands, a task it met with a few hundred more generations of evolution. As predicted, the principle of natural selection could successfully produce specialized circuits using a fraction of the resources a human would have required. And no one had the foggiest notion how it worked.

Dr. Thompson peered inside his perfect offspring to gain insight into its methods, but what he found inside was baffling. The plucky chip was utilizing only thirty-seven of its one hundred logic gates, and most of them were arranged in a curious collection of feedback loops. Five individual logic cells were functionally disconnected from the rest-- with no pathways that would allow them to influence the output-- yet when the researcher disabled any one of them the chip lost its ability to discriminate the tones. Furthermore, the final program did not work reliably when it was loaded onto other FPGAs of the same type.

It seems that evolution had not merely selected the best code for the task, it had also advocated those programs which took advantage of the electromagnetic quirks of that specific microchip environment. The five separate logic cells were clearly crucial to the chip's operation, but they were interacting with the main circuitry through some unorthodox method-- most likely via the subtle magnetic fields that are created when electrons flow through circuitry, an effect known as magnetic flux. There was also evidence that the circuit was not relying solely on the transistors' absolute ON and OFF positions like a typical chip; it was capitalizing upon analogue shades of gray along with the digital black and white.


http://www.damninteresting.com/on-the-origin-of-circuits/

WaelApril 13, 2015 1:18 AM

@Anura,

Pretty fascinating stuff. The only thing I have a hard time believing is this:

was not relying solely on the transistors' absolute ON and OFF positions like a typical chip; it was capitalizing upon analogue shades of gray along with the digital black and white.

And no system clock either! Then this:

As predicted, the principle of natural selection could successfully produce specialized circuits using a fraction of the resources a human would have required

How does this qualify as "natural selection"? It's an adapting algorithm or maybe even an evolving algorithm governed by the initial laws and data. It's like a converging series with each term of the series (corresponding to a new generation) adding more accuracy to the result. It does have a mathematical end result it can't improve on. Don't get me wrong, it's fascinating. I just don't agree with the "conclusion"

kbaegisApril 13, 2015 1:22 AM

So, three novel ideas:

One is the inception of a new program to specifically target creative genius:
The NSA has enough data to infer the existence of individuals who contain creative genius. Follow these people and steal their ideas.

Two is the creation of automated drones which could use automated algorithms to cause ruckus with the federal institutions which threaten the fabric of our society.

Third is the use of manipulative tactics to marginalize key demographics by instituting a fear of self-efficacy. This would be tantamount to creating a culture of children in an adult population.

WaelApril 13, 2015 1:22 AM

@Anura,

I take that back. It mimics "natural selection" -- natural here being the computer running a program developed by a human being. The random stuff and the mingling with partners produces variants that are selected based on some criteria... I'll think more about this...

tyrApril 13, 2015 1:28 AM


@ the interested:

Is it just me or is the only real justification for repressive
measures deliverance from the real problems?

So far I haven't seen any evidence that the surveillance bunch
has done anything except make problems worse

I don't expect any grandiose utopian scheme but a modicum of
simple competence might be nice. As I see it the whole thing
reeks of CYA, bureaucratic infighting, and mad schemes that
only aggravate and make things worse.

A sane government would carve the budgets to minimum, put most
of these useless parasites onto the sidewalk with a bad resume
and a tin cup and a pack of pencils. That would give those left
a real incentive to produce some results once in awhile.

I don't consider stopping some Somali cab driver from sending
money home a result. I also don't think converting the middle
east into failed states a valid result. Trying to make the
Russians into boogeymen like the goode olde dayes may be fun
for the useless Brit spooks but it hardly constitutes solving
the current problems either.

At least most of the people here have some grasp of the real
problems and want some real solutions.

AnuraApril 13, 2015 1:31 AM

Natural Selection is probably incorrect terminology; I think it's much much closer to selective breeding where you specifically choose based on specific traits over short periods of time, rather than natural selection which is something that occurs over millions of years based on diverging and competitive species.

WaelApril 13, 2015 1:44 AM

@Anura,

You're spot on. Selective breeding is a precise characterization of this process. Still doesn't diminish its "charm".

WaelApril 13, 2015 2:36 AM

@Nick P,

Maybe I can remind you now to elaborate on what you meant. Not trying to debate the subject -- just interested in your point of view (politics isn't my favorite subject)

name.withheld.for.obvious.reasonsApril 13, 2015 4:56 AM

@ Thoth

With the free access to everyone's thoughts and information, they can put to work their mechanisms to take over total control of the population's behaviours and make everyone and everything extremely predictable and uniform. No one would be able to move "out-of-the-box" or "step-out-of-line" to engage in democratic processes to make decisions and the few "elites" whom have been so good at capitalizing on human emotions and thoughts to get to where they are would always stay in power without being challenged

The MIC/SIC have gone as far as producing a model that includes a 24/7 physical and electronic monitoring and tracking system of anyone/everyone anywhere on the planet. I showed a document to a friend that included a diagram where U.S. platforms and networks crossing the planet without respect to borders or national sovereignty and international law for the purpose of total situational awareness.

For example, the use of Wifi routers and access points as bistatic radar(s). Using the FM channels for beacons, passive surveillance antenna(s) can map neighborhood, corner shop, house, or room and detect movement within the local field of view (depends on the beacon signal strength). There are a few white papers from IEEE that describe a series of mapping radar(s) taking advantage of commercial and residential FM sources to produce detailed analysis and real-time surveillance. It gets more interesting when combined with what is planned for FirstNET (FCC public safety network yet to be deployed).

Clive RobinsonApril 13, 2015 8:16 AM

OFF Topic :

Oh look the US Executive has blamed China, North Korea and now Russia for the fact they can waltz in "to steal IP".

http://www.thedailybeast.com/articles/2015/04/08/obama-to-putin-stop-hacking-me.html

http://www.securitycurrent.com/en/writers/mark-rasch/shoot-first-no-questions-later-exec-order-allows-us-unilateral-cybercrime-sanctions

Perhaps US Prez BO should get a grip on the fact that it's US companies that have left the majority of the US vulnerable. And perhaps check and see if it's US Gov agencies via secret courts etc that have made US companies take such a path...

It's fairly obvious to outside observers that the US position and actions are like that of a small child in the park saying "it's my bat and my ball and I'm going home" just because the game is not going the way they want.

How long I wonder before BO gets around to blaming EU countries...

As people have observed "People who live in Glass Houses should not throw stones".

That said it appears that air-gap crossing attack frameworks are becoming a more common method over the past decade,

https://www.fireeye.com/blog/threat-research/2015/04/apt_30_and_the_mecha.html

I must admit I do wonder why it's taken so long for them to be developed and detected... It's not something you can just wave a hand at and argue away by blaming "low hanging fruit".

Nick PApril 13, 2015 10:52 AM

@ Wael

The 'human condition' was causing you problems. The human condition, aka how most brains work (esp collectively), is the cause of the vast majority of humanity's problems. A lot of death and suffering had to happen to get things as civilized as we are now. Still pervasive evil if one actually looks. Part of human nature that keeps it going is selfishness and apathy.

So, let's look at how it impacts some situations. Poisoning the environment will sicken or kill people in short and long term. Even most doing it would rather not. Yet, those that do it have selfish motivations to continue dumping the stuff instead of processing it somehow. Many others benefit from the product that's created. Politicians might benefit from the legal bribes they're given to look the other way. The people in general hear about it but would rather not fight over what doesn't directly impact them. This is the human condition in action.

Another example is in INFOSEC. People know they put critical data into the machines. They know there are hackers that might steal, sell, or destroy it. They might have been taught very simple rules to prevent a lot of problems: good passwords, backups, avoid questionable attachments, and so on. Yet, you'll find that they did shitty passwords, they haven't done backups in forever (even if it's pushbutton), they opened an attachment promising to triple their penis size for $19.95, and so on. All the good tech and tactics we made are once again defeated by human nature.

More recently, we have this happening with politics. We have public officials lying in ways that kill thousands of Americans, misappropriate their money, and verbally slap them in the face. The Snowden leaks showed more of the same along with losses in tens of billions with foreigners afraid to buy American goods. This is more than enough to start voting in new politicians and throwing existing ones in jail. Yet, only a small chunk even vote much less care about these issues. Unlike Iceland, there's been no move on the government at all. So, corruption and erosion of liberty will continue due to human nature plus American nature.

Hope it isn't a spoiler, but the bad guy in Sherlock Holmes 2 said it extremely well (start at 1:40). Although I already knew, his statement hit me about as hard as it did the main character. You don't just have to beat the corrupt, the security issue, and so on. You have to beat that plus human nature itself. This can be accomplished in many limited scenarios. The bigger ones are still Ph.D.'s and history books yet to be written.

So, I keep saying to activists assuming human nature will be on their side: "good luck."

Note: The censorship angle of the Iceland link seems to be true. It was work even finding that story, most were non-mainstream sources, a number said the revolution was a hoax, and so on. Strangest search results in a while. All the organizations normally top in search didn't cover it at all. One exception was a mainstream source with a headline indicating Iceland collapsed. It actually did the opposite. Yet, combined with the human condition, such reporting (or lack of) would ensure years ago that Americans didn't get ideas in their head like jailing bankers and overthrowing dirty government.

Nick PApril 13, 2015 11:03 AM

@ name.withheld

I expected that research to continue and improve. I remember the active attacks already accomplished quite a bit going back ten years. It was only a matter of time before researchers capitalized on the increase in EM sources in houses. More reason to limit wireless and use older technology in my house...

@ Clive

So, IRONSIDES DNS advertised a solution formally proven to be immune to single packet DOS. Apple sells millions of copies of a product guaranteeing the opposite. Again.

Apparently, such tactics are how you make a ton of profit.

albertApril 13, 2015 11:09 AM

@Nick P

"...My fuzzy logic systems required both the code and logical rules to function..."
.
Certainly, there are portions of FL code absolutely required. Code that takes the input, and code that writes the output. The code that evaluates the rules is quite resilient. The finer the 'granularity'* of your rule set, the more resilient it is. I'm talking about 'taking out' the code, not mangling it (but I never tried mangling; but I did make errors in rule evaluation values). This property of FL was mentioned in the literature. I had no code examples to copy (drat!), only Bart Kosko's book "Neural Networks And Fuzzy Systems" (1992), a heavy read for the math-challenged programmer. I made errors in the rule evaluation code (the RLL version was the easiest to mess up), but it still worked. A standard FL controller functions like a PD controller. I never got around to adding an I (integral) function to it. It still amazes me how those FL control loops worked with no tuning!
.
...
* this is more obvious when your controller outputs an analog value.

Nick PApril 13, 2015 12:35 PM

@ albert

I see what you mean. That's interesting stuff. I'd have been similarly amazed that it still worked.

Mike (just plain Mike)April 13, 2015 1:06 PM

@Nick P

OK – maybe it’s because I’m dyslexic - and I'll probably just end up sounding like a complete arse here - but I think the ‘human nature’ line often espoused by... humans... is inclined to be a bit parochial.

I don’t see dog governments, cats running hospitals – I don’t see art made by sloths or semiconductors designed by gibbons – no slug architects – etc. I’m not putting your species on a pedestal or anything (they’re mostly shit at holding their breath for example) but if you were going to go for something to characterise ‘human nature’ I’d pick something other than laziness or selfishness because on the scale of things humans are in fact extraordinarily socially co-operative and able to divert large amounts of personal resources to tasks that have no immediate short term benefit to themselves (in expectation of longer term rewards) – they are able regularly to achieve levels of cooperation between un-related individuals unparalleled in the rest of Nature (even selfless soldier ants are closely related to those for whom they lay down their lives). So – the fact that humans have not yet achieved utterly perfect levels of optimal socially-mediated altruism or that they sometimes make mistakes in their cost-benefit calculus for various behaviours seems only the sort of thing humans themselves would be inclined to characterise as ‘human nature’.

The way I see it, humanity actually operates against a massive but mostly un-noticed background of regular work and elaborate co-operative behaviour that, mostly, artfully balances societal and individual needs. Imagine stepping back – observing humans from afar and comparing them with – say – cats, or even wolves. The humans are mostly busy busy busy – getting in and out of cars – doing stuff with computers – going to shops – building houses they personally will never live in – tending or preparing food they will never eat themselves (well... and also complaining about how hard/miserable their lives are too). What you are talking about here – even across the broad sweep of human history and certainly since the dawn of complex civilisations – all this dreadful selfishness and misbehaviour that you’re seeing – it’s a second-order effect – ripples on the pond – it exists against the backdrop of a massive sea of organisation and nett co-operative behaviour.

For some time now I’ve thought that maybe this is the reason why all these perennial issues like “why oh why can’t we eliminate hunger?” or “oh we’re so stupid and horrible destroying our own environment” generally never seem to get sorted – maybe humanity needs to think more about the pond and how that bit works rather than fixating on the naughty ripples. A less innately ripply pond is required perhaps? I know it’s much more fun to go on and on about how dreadful people are – but maybe an acknowledgement of the stark reality that most of the time with regard to most things people and the societally based systems that mediate their ability to co-operate for mutual benefit actually work(s) rather well – and certainly pisses rings around any other species in terms of the scale and complexity of what it can achieve.

I think it’s maybe a bit like gravity – to an extent one of the big achievements at the time of Newton (and others) was that they noticed gravity was there in the first place – it’s really hard to notice things that are omnipresent – and really difficult to imagine how such things might ‘work’ or how things might be if they were different – and I think maybe that’s how it is with true human nature – that which is actually rather characteristic/unique to humans compared to other species is their capacity for complex co-operation and an ability to work at stuff with no immediate short term benefit – and this is actually pretty much the opposite of what most humans are complaining about when they bemoan ‘human nature’!

Veni Vidi VbutthurtApril 13, 2015 4:27 PM

@Nick P., at 10:52 you cite all these depredations and then blame... human nature. Like

- poisoning the environment, i.e. state policy to let private users of the national wealth externalize costs;
- legal bribes, i.e. state policy to institutionalize abuse of function;
- people in general hear about it but would rather not fight, i.e. state policy of impunity and suppressing free expression of the will of the electors;
- infosec, i.e. state policy promoting and even forcing exploitable vulnerabilities;
- politics [apathy], i.e. policy of impunity;
- corruption and erosion of liberty: more than policy, a vital interest of the US government.

That happens to be the line taken by every US glossy magazine and editorial page - complain about repression and predation, then blame the victims. Latin Americans see it differently. They have a saying: Fue el Estado. It was the state. That's why they can organize rings around Americans, and why they have done a lot to regain their self-determination (Keeping the US out of CELAC, refusing to participate in US torture, sticking together with US punching bags like Cuba or Venezuela.)

Strictly speaking, the problems you cite are not human nature but a breach of the state's Responsibility to Protect. You remember, R2P - that's why the US government arranged for Qaddafy to get raped with a bayonet while Hillary crowed over his hemorrhaging asshole.

Now, fucking US heads of state with bayonets is not standard procedure - capacity building and suasion come first, and if necessary, other measures including intervention - but it works better than blaming your whole species for the crimes and derelictions of the state.

So when you're ready to stop beating yourself up, let me know, I'll bring my bayonet.

Mike (just plain Mike)April 13, 2015 4:32 PM

@tyr

Well - again I think that view is kind of parochial - "we're so horrible - we just damage and destroy ourselves and everything else - there must be something wrong".

The dull fact is that - more than likely anyway - humans and all the things they've made are just as natural (and fu*ked up) a product of the evolutionary process as any other species Nature's picaresque train-wreck has so far brought forth - so Pop-Tarts and nuclear subs and microprocessors and 'pollution' are just as natural a product of the evolutionary process as anthills (as I understand it social ants now account for approx 1/3 of animal biomass in many equatorial forest regions - so presumably quite a few things had to go under a bus to make room for them when they first appeared) - and there was the oxygen-ification of the atmosphere - that was a long time ago - natural process resulting from new forms of life - big ecological change there! I'm not saying such things are necessarily a good thing - or 'OK' in any general sense - but they happen - and they are 'natural' according to the usual meaning.

I think this idea that humans are somehow uniquely damaged - uniquely destructive and uniquely able to do things that are 'un-natural' - against Mother Nature's otherwise perfectly beautiful balanced plans - is actually a bit of an off-shoot of the religious ideas of the supremacy or otherwise special-ness of man. For sure there are special, unique, interesting new things about humans - and their potential global environmental impact is huge - but really - if you were to parachute a load of rabbits onto Lettuce Island then they'd have a population explosion - they'd rapidly eat all the lettuces - and then their population would crash and likely Lettuce Island would no longer have a rabbit population at all (and it would have to be renamed too probably as there would also likely be no more lettuces either - maybe something like Baron-Of-All-Vegetation Island). This sort of thing would apply to most species if you dropped them into that sort of situation in which they weren't already in a reasonable equilibrium with everything else - but humans are actually one of the few examples where they at least *could* stand a chance of avoiding that sort of thing - "Hey guys - maybe we shouldn't eat all the lettuces at once?" - rabbits just don't have those sorts of conversations. I'm not saying humans aren't a bit special - but I think actually it may be better to think about their special-ness in an optimistic rather than pessimistic way - and that way of looking at it may actually be, in some senses, more objectively accurate.

The problem with this way of thinking is that it means something *can* be done - so throwing one's hands up in melodramatic despair and going on and on about how hopeless and selfish and self-destructive and doomed and specially fu*ked up humans are - and thus not even trying - is less defensible.

SkepticalApril 13, 2015 5:38 PM


@Ymeh: 'The law' means, more or less, America, that is, bullshit and hand-waving, sort of like motherhood and apple pie. That's just how dimbulbs think, imprecisely.

Yes, I remember seeing that referenced in the FISC disclosures. All the citations were to "bullshit and hand-waving", with "motherhood and apple pie" in the footnotes.

Ah, actually wait a second. I'm thinking of your comment. The rest of us are talking about the law. Sorry, it's just so easy to confuse what you write with intelligent and rational discourse.

And not because he can't work out the combinatoric scope of the overreach (he can't, but it wouldn't matter if he could.) He's like Winston after they sicced the rats on his face, he loves Big Brother. Skeptical bends meekly over for any old cavity search. He waves his cheesy little American flag, as long as it's safe. He thinks that you should be a cringing slave like him.

You certainly have the rhetorical overreach covered. But I appreciate your illustration of the problem I raised. By making the focus these silly exaggerations, you actually weaken the reasonable arguments that might be made by others. Even here though I'm very favorably interpreting your posts, which are little more than personal attacks.

SkepticalApril 13, 2015 6:07 PM


@Mike: Your post immediately reminded me of an op-ed by Stephen Jay Gould, published shortly after 9/11.

It's worth quoting nearly in its entirety:

The patterns of human history mix decency and depravity in equal measure. We often assume, therefore, that such a fine balance of results must emerge from societies made of decent and depraved people in equal numbers. But we need to expose and celebrate the fallacy of this conclusion so that, in this moment of crisis, we may reaffirm an essential truth too easily forgotten, and regain some crucial comfort too readily forgone. Good and kind people outnumber all others by thousands to one. The tragedy of human history lies in the enormous potential for destruction in rare acts of evil, not in the high frequency of evil people. Complex systems can only be built step by step, whereas destruction requires but an instant. Thus, in what I like to call the Great Asymmetry, every spectacular incident of evil will be balanced by 10,000 acts of kindness, too often unnoted and invisible as the ''ordinary'' efforts of a vast majority.

We have a duty, almost a holy responsibility, to record and honor the victorious weight of these innumerable little kindnesses, when an unprecedented act of evil so threatens to distort our perception of ordinary human behavior. I have stood at ground zero, stunned by the twisted ruins of the largest human structure ever destroyed in a catastrophic moment. (I will discount the claims of a few biblical literalists for the Tower of Babel.) And I have contemplated a single day of carnage that our nation has not suffered since battles that still evoke passions and tears, nearly 150 years later: Antietam, Gettysburg, Cold Harbor. The scene is insufferably sad, but not at all depressing. Rather, ground zero can only be described, in the lost meaning of a grand old word, as ''sublime,'' in the sense of awe inspired by solemnity.

In human terms, ground zero is the focal point for a vast web of bustling goodness, channeling uncountable deeds of kindness from an entire planet -- the acts that must be recorded to reaffirm the overwhelming weight of human decency. The rubble of ground zero stands mute, while a beehive of human activity churns within, and radiates outward, as everyone makes a selfless contribution, big or tiny according to means and skills, but each of equal worth. My wife and stepdaughter established a depot on Spring Street to collect and ferry needed items in short supply, including face masks and shoe inserts, to the workers at ground zero. Word spreads like a fire of goodness, and people stream in, bringing gifts from a pocketful of batteries to a $10,000 purchase of hard hats, made on the spot at a local supply house and delivered right to us.

I will cite but one tiny story, among so many, to add to the count that will overwhelm the power of any terrorist's act. And by such tales, multiplied many millionfold, let those few depraved people finally understand why their vision of inspired fear cannot prevail over ordinary decency. ...

Clive RobinsonApril 13, 2015 6:42 PM

@ Those with an interest in human failings,

Humans are warm blooded animals, mainly lacking in fur, genetic diversity and physical specialisation, and over the past 10,000 years have also lost most of our digestive enzymes. So what once would have been part of our normal diet is now indigestible... so much so, that most whole foods are now only digestible in "mans first stomach" called the cooking pot.

Also what you might call our evolutionary advantage of large brains, would now kill about 1/3 of women in the west in child birth if it was not for the likes of "birthing spoons" and other intervention.

Where we score is our ability to make "force multipliers", whilst we are not alone in being "tool users" we have learnt over the same 10,000 years to not just use sticks and stones as tools we have progressed through bone and antlers to make compound or multi-component tools. Our force multipliers have progressed from simple levers to the point where one person can easily control and direct machines with 500 times our work capability at around twenty times our weight or less.

It's this ability to make force multipliers way beyond the capabilities of bone muscle and sinew that makes us dangerous not just to ourselves but also to the rest of the plants and animals on this planet.

When we look at "greed" it's actually not inherent in all humans, however it acts as a tipping point. In some respects it's "the English Disease" even though it was a lack of resources in Europe that caused it, the English exported it around the rest of the world rather more than other European nations.

The important point about greed is that it takes a certain mentality bordering on psychopathy to start it, it acts as a tipping point to others who see the benefit of hoarding resources in excess of need at the expense of others. Thus it is mainly a learned behaviour in most people.

Nick PApril 13, 2015 6:43 PM

@ all

I was about to give a detailed response to your posts when a family emergency came up. Not sure how long I'll be away. Will get those replies to you eventually though.

Aloveacs suicum suiagApril 13, 2015 8:02 PM

Shorter skeptical,

1. I know you are but what am I? [Flounces off in triumph] (Hey, better schoolyard nyah-nyah-nyah than trying to keep lying about the supreme law of the land. You always fail at that.)

2. Straining to condescend while avoiding the point at all costs. Picture a boot crushing Skeptical's face forever. And Skeptical licking it.

A compliant, submissive office worm is here to tell us how to think.

Tiny TimmieApril 13, 2015 8:32 PM

Hey look, Skeptical's getting all tearful and emotional on us.

I shall cite but one tiny tale, amongst so many, to add to the count that will overwhelm blah blah blah sniffle blah blah sob sobbity sob sob......

Ooh, goody! Tell us the one about how Khalid al-Mihdhar and Nawaf al-Hazmi floundered around America all but wearing شهيد sandwich boards but the World's Most Conspicuous Jihadis got their ass saved by US government protection 35 (thirty-five) times, even after the government expected imminent terrorist attack. That one's hilarious. It's like a frickin cartoon.

http://www.amazon.com/Disconnecting-Dots-How-Allowed-Happen/dp/0984185852

Gullible dipshit.

tyrApril 14, 2015 1:57 AM


@those who are interested in fixing human failings

I once had a passionate christian lad tell me there was
a flaw in evolutionary theory.

Since if you introduce fancy goldfish into the wild in
a short time the only goldfish you found were the neatly
streamlined common goldfish. It's a process as inexorable
as continental plates grinding and as pitiless but also
it seems to be mis-understood drastically by most people.

His example was a perfect description of evolution and
he couldn't see or understand it.

You can disagree with Wright but it's not possible to
escape from the consequences if he's right. He also is
a real scientist who is doing the experiments. Poor
Skep needs to read a bit more history, if you dig into
the older stuff you'll find out why Hobbes described
human life as nasty brutish and short. Most of the
goodness Skep cited is the results of science, not some
angelic inner soul radiance.

If we could feel what we are doing, we would stop doing
it immediately.

No amount of mealy mouthed spin will excuse the bombing
into ruin people who would rather be left alone. No amount
of pious yapping will cover up the fact that Mrs Grundy
is the spirit of the surveillance state. You can't ever
appease the paranoid enough to make them feel safe, all
they do is get crazier and more draconian.

It has been a long time since the impulse to bash the
brains out of any stranger has served a useful purpose.
We need to get over it, and not by playing peeping tom
at every opportunity.

Mike (just plain Mike)April 14, 2015 4:01 AM

@tyr

Wright may be a scientist, but what he's talking about in your reference, though expressed in suitably technical language, is not science - it is informed speculation, and we can all do that.

Understanding of the brain is pretty pathetic right now. I am personally acquainted with people researching into invertebrates, and they can't even understand how the very small number of neurons that are involved in the movement of a fly's leg work. There's lots of people (right across the spectrum from fascistic lie-detector salesmen to re-constructed hippies like Wright) who have a vested interest in selling their shtick by using a lot of technical language saying things like 'the human brain works like this...' or using speculative toy-models like the 'left-brain-right-brain' fairy tale - but at the fundamental neuron/wiring level it's all still very much at the stamp-collecting stage, and at the higher level it's all still mostly border-line phrenology (fMRI) and speculation built around behavioral and perceptual studies - some of which is good stuff (lots and *lots* of self-serving politically-biased-one-way-or-the-other dross though) - but all 'mechanistic' explanations at the higher level can only ever be speculative/toy models at the moment - and this is acknowledged by the people with integrity doing decent research in these areas.

Humans are what they are - I know that is fatuous - but the idea that there is a way they 'should' be, some sort of 'natural-ness' from which they have deviated, some perfect state from which they have somehow strayed is, at least in the context of existing evolutionary-theory/biology not really meaningful. It's hardly unprecedented for species to do things that are self-destructive, or for individuals to be aggressive, or for 'mal-adaptation' to exist - the whole idea of adaptation is a sliding scale; drop a load of continental species onto a pristine volcanic island and you'll likely get something new after a while - they'll radiate - get into niches - by doing so they will create further niches - after a while it will all look lovely and equilibrated, but when they first arrived were they 'adapted' or 'meant-for' that new environment? The idea that Nature is perfect - that its products are normally all lovely and beautiful - is evidently and plainly wrong - Nature is nasty, brutish, short-sighted, intensely pragmatic, and at root the machinery of self-replication/persistence is fundamentally selfish. One of the few places you will find lovely-hippy-fluff type behaviors between non-related individuals is in highly socially organised critters like humans. Everything else, at least from an anthropocentric point of view, is scarily heartlessly mercenary in its attitude to those that do not share at least some of their genes.

Also - I really do think we need to knock on the head this idea that early humans were in some way all lovely and in-tune with their environment. My understanding of the available evidence (you know - the science thing) is that wherever you look around the world the arrival of early humans coincides with the disappearance of large swathes of mega-fauna (there you go - authoritative sounding technical language - I can do that too!) It's all down to that clever force-multiplication/tool-making Clive is on about, and all the co-operative organisation between un-related individuals that humans can do. Of course - after a while - you end up with groups of humans looking like they're living in lovely Avatar-like fluff-hippy harmony with their environment, but that's only because you're not seeing the groups that trashed everything and wiped themselves out because they couldn't get into equilibrium (survivorship bias), and the ones you do see that are persisting have already wiped out all the delicious easy-to-catch stuff, so you just don't see those critters any more and don't clock the preceding orgy of xenocide. Discovering new tools, trashing the environment, and wiping things out is not a new thing for humanity.

There is so much talk in your reference of what may have been 'meant to be'. That, to me, is actually the sort of naughty 'left-brain thinking' they are otherwise mostly decrying. 'meant to be' according to who?

Mike (just plain Mike)April 14, 2015 4:57 AM

@tyr - incidentally - I just watched another of Wright's videos. Am I right in thinking he is basically attributing humanity's problems to people not eating enough fruit?

I actually eat loads of fruit - more or less survive on fruit, nuts, eggs and fish (Mmmmmm fish....) I'd say I'm probably quite unusual in that almost all of my carb intake is fructose from fruit - has been for years and years - and yet... I'm a complete bastard ;-)

SkepticalApril 14, 2015 11:32 AM


@Aloveacs: I know you are but what am I? [Flounces off in triumph] (Hey, better schoolyard nyah-nyah-nyah than trying to keep lying about the supreme law of the land. You always fail at that.)

When you're done flouncing, please enlighten us as to the supreme law of the land.

sandwich boards but the World's Most Conspicuous Jihadis got their ass saved by US government protection 35 (thirty-five) times, even after the government expected imminent terrorist attack. That one's hilarious. It's like a frickin cartoon.

It's sad that anyone would buy into such nonsense.

@tyr: Poor Skep needs to read a bit more history, if you dig into
the older stuff you'll find out why Hobbes described
human life as nasty brutish and short. Most of the
goodness Skep cited is the results of science, not some
angelic inner soul radiance.

I was quoting Gould, tyr. Those words aren't mine.

There are historical periods and specific circumstances in which human beings have acted, or have been subjected to worse treatment, than others. You're missing the broader point about cooperative behavior among human beings, however, especially in comparison to other species.

No amount of mealy mouthed spin will excuse the bombing
into ruin people who would rather be left alone. No amount
of pious yapping will cover up the fact that Mrs Grundy
is the spirit of the surveillance state. You can't ever
appease the paranoid enough to make them feel safe, all
they do is get crazier and more draconian.

Gould's op-ed was written and published before the US began military operations in Afghanistan. The general proposition that human beings are more cooperative than not does not tell us whether a particular conflict is either entered into justly by one side (or any) or conducted justly by one side (or any), much less tell us whether the rather particular surveillance programs run by the US are justified or preferable.

Many who would agree with all or part of Gould's essay would also disagree about particular policies.

It has been a long time since the impulse to bash the
brains out of any stranger has served a useful purpose.
We need to get over it, and not by playing peeping tom
at every opportunity.

Obviously strawmen arguments.

Mike (just plain Mike)April 14, 2015 12:04 PM

@Nick P – please don’t feel obliged to reply on my account – my rambly rants tend to be a bit un-focussed anyway – and I’m not exactly on-topic. You need to attend to your emergency.

albertApril 14, 2015 12:40 PM

@Mike(,

"...The idea that Nature is perfect - that its products are normally all lovely and beautiful - is evidently and plainly wrong - Nature is nasty, brutish, short-sighted, intensely pragmatic, and at root the machinery of self-replication/persistence is fundamentally selfish...."
.
Neither statement is correct...or incorrect.
.
Both are based on _human_ perception. If 'Nature' were a sentient being (and many think of her* as such), she* wouldn't give a rat's ass about what humans thought. Nature establishes equilibrium, always. Unfortunately for us, not necessarily on a human time scale. Now that we've reached the point in our devolution where we can easily unbalance environmental equilibrium, we can see things happening on a human time scale. Is our technological development a fatal flaw? Our Achilles Heel? We now have the capability to wipe out most of humanity rather quickly (nuclear weapons), or rather slowly, (radioactive contamination, chemical pollution, drugs, and -we're so clever- EM pollution). We are quite efficient at creating an environment of continuous emotional stress levels sufficient to kill small mammals, not to mention the wanton killing of large numbers of our own species. It's rare in Nature, killing for no reason, or for fun.
.
Did you happen to see "World Without Humans" on NGC? Or "Radioactive Wolves" on PBS?
.
...
*should be in quotes, I know.

Earl Pitts, International Man of MysteryApril 14, 2015 1:03 PM

@Skep Done it 10 times. Went over your head. Don't try to go back and find it, you're too stupid.

The best thing about rubbing Skeptical's nose in evidence and facts, like that 8:32 book link he's running from, it makes him put on his fey Edwardian gentleman act. You can hear the prissy little sniff that goes with 'Such nonsense.' Harsh on his secular religion of kissing beltway ass, and he goes all Baron Corvo on you.

Can't do facts, can't do inductive logic, but he's hangin in there with the winsome self-esteem of a Dunning-Kruger poster boy. The perfect beltway scapegoat for your next catastrophic failure.

tyrApril 14, 2015 2:53 PM


I think that one of the problems that muddies the water in
these discussions is related to time scales. If you think
that Ussher was right and that civilization is the measure
of human existence then no amount of facts or reason will
sway you from your delusions.

In addition the idea that nature is red in fang and claw
with no cooperative effort may be very poetic but it isn't
factual.

Current understanding of the brain is miles ahead of the
outmoded ideas of the past, but it irritates those who are
used to spouting the outmoded crap from the past to the
point they reject it. Rod Brooks made the major breakthrough
by experimentation and that insight has been extended by
Ramachandran. The nervous system is task specific modules
that loosely cooperate, and nobody wants to accept it.

Brooks noticed that it is impossible for an insect to be
able to function with a central processor unit decision
maker. There wasn't enough neural matter to work that way.
Then he built robots in which the legs did only leg decisions
and they worked.

Recent measurements have shown that human decision making
lags behind the body starting to implement the action by as
much as six seconds in some cases. That means the part that
is supposed to be in charge is just a passive reporter not
the prime motivator and that's a tough nut to swallow for
the lords of creation pinnacles of intellect whose major
accomplishment recently is to shit in their own nest.

In the geological record civilization is as thin as a sheet
of paper on the massive stack of the record of life.

There's also a place in the shale for failed species. Humans
since becoming civilized haven't any guarantee that they
will make the cut. A great help might be to start understanding
ourselves instead of shying away from unpleasant facts that
affect our possibility of survival.

I do recommend that the desire for simplistic answers should
be held in check and that simplistic descriptions should be
assumed to be bogus.

Mike (just plain Mike)April 14, 2015 2:53 PM

@albert

Agreed that the adjectives I used to describe the Utterly Indifferent Mother are drawn from an anthropocentric view/value-system – but I guess I’m trying to take on what I see as an overly parochial (and negative) view of humans of themselves – so without being overly meta, I suppose I’m trying to make judgments even-handedly; if people think people are selfish and un-caring then they should also grant that Nature is selfish and uncaring too – and if anything Nature and most of her critters are rather more selfish and un-caring in general than people are (or at least can be) in particular.

On human self-destruction and hubris: I think it’s actually a kind of meta-hubris for humans to think that they are even likely to perish at their own hand – another reflection of their idea of themselves as rather special. It’s almost as if they think that surely the only thing of sufficient import that could take-them-out would be their own folly. However, I think it’s actually rather more likely that humans will succumb to any one of the many-and-varied tried-and-tested routes to extinction followed by (almost) countless species before them. Not hugely easy to wipe humans out though – I’ll grant that – they’re very widely distributed – able to eat almost anything (even with a minimum of culture/technology) – though they can’t easily mitigate some of the more non-negotiable vulnerabilities of being mega-fauna.

I lack the necessary gravitas to put this as eloquently as I'd like, but if I were humanity I’d shut the fu*k up with the whining/self-loathing and start investing more in rockets and telescopes – all that spacey stuff – because I think humanity, if it is to truly advance, also needs to be less self-obsessed and self-regarding and should really get out a bit more. Soon, preferably – because The Universe is a dangerous place, particularly if you’re stuck in one place doing one kind of thing for too long (there’s monstrous perturbations lined up for everyone and everything sooner or later in the Utterly Indifferent Mother’s scarily long tail) and I suspect humanity’s rather grandiose idea of a demise at its own hand is likely the least of its worries.

Ransomware Decryptor - NHTCU & Kaspersky LabApril 14, 2015 3:13 PM

"Are you a ransomware victim? The National High Tech Crime Unit (NHTCU) of the Netherlands’ police, the Netherlands’ National Prosecutors Office and Kaspersky Lab have been working together to fight the CoinVault ransomware campaign. During our joint investigation we have been able to obtain data that can help you to decrypt the files being held hostage on your PC. We provide both decryption keys and the decryption application. For more information please see this how-to. Please note that this is an ongoing investigation and new keys will be added in the future."

https://noransom.kaspersky.com/

https://blog.kaspersky.com/ransomware-cyber-extortion/
https://securelist.com/blog/virus-watch/67699/a-nightmare-on-malware-street/
https://noransom.kaspersky.com/static/kaspersky-coinvault-decryptor.exe
https://noransom.kaspersky.com/static/convault-decrypt-manual.pdf

###

"Files encrypted by CoinVault ransomware? New free tool may decrypt them

Victims of the CoinVault ransomware might be able to decrypt their files with a free tool released by Kaspersky Lab together with the Dutch police."

http://www.pcworld.com/article/2909292/files-encrypted-by-coinvault-ransomware-new-free-tool-may-decrypt-them.html

Mike (just plain Mike)April 14, 2015 3:30 PM

@tyr

Sure – the nervous system is loosely coupled task specific modules – I can accept that, as far as it goes. Many in the field do – but accepting that as a general framework of understanding is not quite the same as saying we understand how the brain works.

Yes - loosely coupled task specific modules - that sort of setup is what you’d expect FFS if these things evolved via evolution’s expedient hacks-upon-hacks. I think it’s only the noobs who think nervous systems must be like computers or centrally organised human hierarchies with a little man at the top looking at the screen deciding what to do. No – of course not. Perception into Action – and back again - a continuum.

Ramachandran is so cool isn't he – I was very influenced by his Reith Lectures: Consciousness will likely be a bag of tricks – not one special secret magic source/spark/algorithm – just like the basic machinery of life has proved to be a bag of tricks – all enzymes and nucleic acids and lipids and ribosomes. Yes – cool – no problem with that – though again I think the more maths/CS/classic-AI types who mostly don’t think about the evolutionary angles are still hoping to find the secret sauce for making consciousness (well, they were – they’re all mostly doing Big Data now I think) – and yes – I can make a machine that does things like the leg of a fly using my current ideas about how neurons and nerves work (and I can make Big Dog that’s a bit like a Dog in some very narrow aspects too) – but at least at the moment apparently we still can’t figure out how the actual fly neurons and their actual wiring make the actual fly leg do what it does – but we will likely get there – but maybe our difficulty means we’re still missing something (which would actually be even more interesting if it is the case). It’s all very interesting – all very exciting – but there’s still a very long way to go – and I think the general public perception of how well things are currently understood is mostly wrong. Things are still not well understood – and certainly not even getting close to being well enough understood for people on The Left or The Right to be justified in spouting on about social policy based on neuroscience.

As for nature red in tooth and claw. Sure – there is some huggy-fluff too – here and there in amongst all the blood – I mean – we’re all adults here – we can cope with things not having to be exclusively one thing or the other can’t we? However, in the absence of compelling evidence to the contrary:

The World rolls round for ever
Like a mill
It grinds out death and life
And good and ill
It has no purpose
Heart or mind
Or will

;-)

SoWhatDidYouExpectApril 14, 2015 3:42 PM

MIT's Picture Language Lets Computers Recognize Faces Through Inference

http://developers.slashdot.org/story/15/04/14/1950228/mits-picture-language-lets-computers-recognize-faces-through-inference

From the Slashdot post:

"MIT researchers are working on a new programming language called Picture, which could radically reduce the amount of coding needed to help computers recognize objects in images and video. It is a prototype of how a relatively novel form of programming, called probabilistic programming, could reduce the amount of code needed for such complex tasks. In one test of the new language, the researchers were able to cut thousands of lines of code in one image recognition program down to fewer than 50."

I expect this allows anyone on the planet to be identified as a terrorist while cutting the cost of the computer processing to gain this "information". Plausible deniability is now gone. Under the influence...of the 3 letter agencies???

FigureitoutApril 14, 2015 8:15 PM

Clive Robinson RE: HFT microwave networks
--Huh, pretty neat, thanks (better than biscuits w/ dead people lol). Never knew that existed. Wanted to know some about the links and protocols, here's a bit (microseconds, pretty good):
----A microwave link can split bandwidth up into 10Mbps increments.
----The microwave link has an aggregate of 100Mbps.
----Every 64 byte packet sent over these links takes 6 microseconds and change to serialize.
----Each participant sends 64 byte frames of trade data to the service.
----At 10Mbps clients can only send 1 packet every 60 or so microseconds.

Noted they believe they can't be hacked lol, well...I don't know...lol. Microwaves are probably my favorite too (internet, can cook w/ them lol, useful...).

GregWApril 15, 2015 3:03 PM

A Banker's view of Verizon's comprehensive breach report for 2015:
http://www.americanbanker.com/news/bank-technology/what-banks-need-to-know-from-verizons-comprehensive-breach-report-1073744-1.html?pg=2

The original report from Verizon:
http://news.verizonenterprise.com/2015/04/2015-data-breach-report-info/

Most surprising factoid for me: "Risk I/O looked at more than 200 million software vulnerability exploitations in 2014"... "Almost all — 99.9% -- of exploited vulnerabilities were compromised more than a year after those vulnerabilities had been published and presumably patches issued."

Nick PApril 16, 2015 3:43 PM

@ all

Still rough times in the family. This is a quick rather than thorough response. I'll try to get to the rest of you as I have time.

@ Mike (just plain Mike)

Human nature has good and bad. I'm focusing on the bad as it relates to security because that's what's relevant. It was actually Bruce's excellent essay on the psychology of security that originally got me thinking on this angle. That's well-supported theory. So, what's the results? Well, we don't see high security spontaneously happening in proprietary, FOSS, or anything else. Even those that are highly motivated to do it with the time or money either (a) rarely do it or (b) cut corners for various reasons. End users will often avoid so much as entering a password or doing a backup that requires two quick steps in name of convenience.

That these trends happen in almost every kind of device and situation regardless of its attributes indicate a deeper explanation than the technology. The only thing common to all of these situations is how the human mind makes tradeoffs. We'd expect that to be fairly diverse but with risk it isn't. Most will make a tradeoff against security the vast majority of the time. Even when the risk is high and the cost (time/money) of security is almost nonexistent. They still trade against it.

So, how to deal with THAT? Well, as I told Wael, that's trying to beat human nature itself rather than the bad guys. The recent Verizon report reinforces the futility in that. It's why I try to design around people when doing security engineering. Gotta make it idiot-proof to prevent them from screwing it up and seamless to reduce the risk of them working around it. Only so much one can do when his or her customers barely themselves care about their own protection.

WaelApril 16, 2015 10:57 PM

@Nick P,

So, how to deal with [...] that's trying to beat human nature itself rather than the bad guys

Thanks for the reply! Hope all is well.

FigureitoutApril 16, 2015 11:18 PM

Bruce RE: http://www.networkworld.com/article/2909212/security0/schneier-on-really-bad-iot-security-it-s-going-to-come-crashing-down.html

--You should worry most about *internet* connected devices, the "IoT" doesn't all involve internet. But that's where the money is (in my area...the most complex product (we're looking at newer micro's (more potential vulnerabilities) as we're running out of space) and internet-connected device brings in the most cash, $millions...).

As you note "It’s the embedded people. Some are trying.", yes I'm one of them. I've pushed and have gotten a few security measures implemented where I'm at (more are coming, w/ more on standby when "the big hack" comes...). The big thing in the embedded world, is we (egotistical assholes sometimes) need to see our products getting hacked to sh*t. When we get evidence of hacking our products to sh*t, I think we have leadership that understands we need to lock things down more than what we're doing; otherwise engineering is going to do it ourselves b/c it's causing way too many headaches.

As it stands, the main threat model is kind of ridiculous on the thing I'm doing now. It's too evil, who would send a blind person walking into on-coming traffic to die based on false signals? Other than that, they need to crack an RF protocol. Other than that, you're a f*cking wank-off w/ mental issues that needed to do some excessive things to get at our stuff that simply isn't worth the risk (of me or someone worse catching you).

RE: https://www.schneier.com/essays/archives/2015/04/could_your_plane_be_.html
--I think this is one of the most important "sound bites" you've said in a while:

We can't repeat the mistakes of the early days of the PC and then the Internet, where we initially ignored security and then spent years playing catch-up.

--The internet has become basically a hopeless thing we rely on way too much. It's too insane, there could be no one or active attackers on the other end at all times, no trustworthy file repositories at all; and there's way too much connected to it still, way too much. Retards will learn the hard way I guess.

And our systems are too complex, but a bunch of people who don't know how anything remotely works thinks it's "new" or "innovative" when it's mostly tweaks and optimizations to old designs and integrating old components smaller and smaller, not new; then it becomes something we all become reliant or spoiled on so "there's no going back"....

No individual can work w/ it all at once. You have to peck at it like a bird otherwise you just get overwhelmed by "the blob" and can't deliver a product you needed done yesterday. And this excessiveness getting caught up in the weeds, it leads to no one being able to design from scratch themselves b/c there's no point competing w/ these optimized products, pointless. You're probably going to do the same thing to get the performance people want.

Personal Prediction: Engineers will become "experts" on *single* SoC's, keep specializing. Generalized research will become much harder, too many details.

FigureitoutApril 16, 2015 11:43 PM

Bruce
--Forgot to mention, sometimes vulnerabilities come from "up chain", ie: "Not my problem". We get this sh*t all the time. I did a little more digging on a disgusting bug that would embarrass the hell out of me if I can't fix it b/c it's so ugly and nonintuitive (I was just joking around, it's so dumb, and it worked what I did for some unknown reason, which is the worst reason...) and goddamn simple thing I'm trying to do but I found comments mentioning issues getting GCC compiling correctly, won't mention specifics (which are largely missing too) but there were issues getting true ANSI C compiler and this *could* be why this isn't working (who's going to pay me to start digging into the compiler of the toolchain, it'll be next year when I'm done w/ that...). Otherwise I'll just make my own function (was warned not to but we'll see).

WaelApril 17, 2015 12:04 AM

@Figureitout,

Retards will learn the hard way I guess.

The ones I encountered don't learn!

but a bunch of people who don't know how anything remotely works thinks it's "new" or "innovative"

Unfortunately there are a lot of them. Worse yet, they roll their own "more secure" crypto stuff. The expression Epileptic Curve Crapography comes to mind...

Personal Prediction: Engineers will become "experts" on *single* SoC's, keep specializing. Generalized research will become much harder, too many details.

A specialist is one who knows more and more about less and less until he knows absolutely everything about nothing; a generalist is one who knows less and less about more and more until she knows absolutely nothing about everything.

BooApril 17, 2015 12:28 AM

The city is secure and the road to the city is a minefield and mine flies. You are an investor (city folk) or an operator (field folk). Stop the Russian advance.

Los Angeles: Russian film officials have blocked the release of Tom Hardy's new film, 'Child 44', in which he portrays a disgraced soviet agent ..

Now the agents are AI and can't be banned, blocked or outsmarted. The disgraced agent actually represents hundreds of soviet agents. Russia: The New North Korea! Coming soon, Killing Putin by famed war reporter Bill!

BooApril 17, 2015 12:48 AM

"Putin 3.0 has no positive agenda and state propagandists are trying to hide that fact, along with the human and financial costs of war, with vile rhetoric about threats emanating from Ukraine, the West and traitors and other “fifth columnists.”" http://www.latimes.com/opinion/op-ed/la-oe-0315-stronski-putin-nemtsov-russia-stability-20150315-story.html

Do cult Russian zombie flicks. State is burning money and all the dead killed by Putin rise up and take Moscow over and it's the city of the living dead. Get a fifth and write. Putin 4.4 with dead bikers and drones. I'm a 6th Columnist!

Gerard van VoorenApril 17, 2015 1:55 AM

@ Figureitout

"... Otherwise I'll just make my own function (was warned not to but we'll see)."

I thought the term is 'technical debt'.

Do you know why you were warned *not* to make that function? I guess it is because it is a workaround. In C a workaround is very easy to make. You just create / modify a macro in a header file and a little #ifdef. The problem however is that the workaround itself will start its own life. It will get fixes, patches, a version 2.0, even more complexity, some cursing, maintenance, packaging, documentation etc.. So in the end it will cost *a lot* more work than just fixing the original bug at the core.

Bob Beck has a nice thing to say about this subject: http://www.openbsd.org/papers/bsdcan14-libressl/mgp00018.html

Clive RobinsonApril 17, 2015 5:45 AM

@ Figureitout, Wael,

I tend to look on the use of IoT devices like playing a game of Russian Roulette... the only difference between the two being the number of chambers in the revolver and the number of bullets...

There are two ways to play the game of Russian Roulette traditionally, the first is one spin pull the trigger pass the gun to the next person who is only allowed to pull the trigger. The second way is that each player is allowed to spin anew before they pull the trigger. The first guarantees "blood on the furniture" within the number of chambers, the second version in theory may never end.

In the second version to each player they appear to have good odds of not being the loser ie 1 - (1/num of chambers), thus the more chambers the less chance of being a loser. In the first version each successive user has worse odds until losing is a certainty.

As has been pointed out by those with an interest in "Newtonian Roulette" how you spin affects the odds quite a bit as well.

Thus for the average single (computer/bullet) game, the internet user's odds of losing the game and getting owned depends on how many chambers (quality of OS and Apps) and their skill at spinning (configuring the machine).

However the IoT makes the game more like, having more than one bullet going in the gun as well as reducing the number of chambers, thus the skill of spinning rapidly becomes immaterial and blood will hit the wall almost a fraction of a second after the first pull of the trigger, if you don't accidentally blow your foot off first just picking the gun up due to the unreliability of the design (of the IoT device).

Thus IoT is not a game I'm going to play if I have any choice, which we may not have with the way some politicos have latched onto Smart meters and Smart devices to "be green" but in reality give the utilities another way to avoid spending money on maintenance and infrastructure upgrades to meet demand...

FigureitoutApril 18, 2015 11:17 AM

Wael
--Kinda hard to see if someone learned (can you read minds too?) unless you base it all on observable behaviors.

RE: rolling own crypto
--I think that's different, but yeah similar thing. I'm talking actual new science, actual new designs, new components. There was a good thread on hacker news where one guy was trying to get a point across to old school people who mindlessly repeat "don't roll your own" and weren't listening to his point (and probably won't be able to crack weak crypto). Something they probably don't think about is the "crypto du jour", those designers aren't going to live forever, then since they didn't nurture any new ones, crypto research will get stale and put behind.

I don't mind it so long as it's temporary and you never use it again and cut off chains w/ OPSEC to stop chain leaching.

Gerard van Vooren
--Yeah, imagine the cringe of battle-hardened engineer thinking about correctly newbie's code w/ terrible bugs that'll bite us in the ass, that's why. So you know all the typical C functions that are just a library include and calling away (strcmp, atoi, putchar, sleep..), one of those is what I want to write since theirs isn't working. Been kind of neat to see a lot of "homebrew" of these functions converting, pretty nifty tricks (but not sure on the security, but there's very few realistic opportunities to run code on a micro w/o an injected hook in dev PC).

But yeah, I'm still gonna write one; just had some other issues to get to first (which someone new came in and solved pretty handily, was impressed; I'm hoping we do our next products "righter").

RE: #ifdef, #endif
--Yeah we have a lot of those, and have like chains of macros pointing to data structures w/ pointers down to the first initialization of pins, clocks, etc. we can see. Something that confused me (still does) is we have macros w/ same values (like 1,2,3,4...1,2,3,4...), and I don't get why we don't make it different numbers b/c I thought it'd cause funky bugs (but I guess it's mostly resolved by just not using that variable at that time). But maybe there's a little hidden trick that forces these to be actually different numbers.

RE: comic
--Funny, but I think it's a big responsibility to put on an OS to get your entropy. I think that's an external personal responsibility on you to securely load entropy you need (so "secure" I/O, that fantasy...). Or just use "good enough" entropy if you need ridiculous amounts all the time.

Clive Robinson
--There's another game, called the game of life. In life, if you take no risks and don't make any money, you'll die alone a pathetic loser. So there's that gun barrel to your head all the time too, and all its chambers have a bullet.

There's one positive thing about the IoT, it can make personal physical security pretty easy to setup (think cameras, sensors, microphones, etc.). Then you just need to have backups and warnings if power goes down or channel to get the warning isn't corrupted, and if you're storing logs, again not corrupted w/o noticing it. So basically any attacker that isn't looking to get caught, should realize there's a potential pinhole camera and sensors everywhere they step foot; so just be careful and think twice who you mess w/.

I gave up social media and my smart phone for awhile and that gun got cocked as I lost a lot of my connections and all my computers infected so I wouldn't even log into my school accounts from home, affecting my grades. Freaking out how to get files from A to B w/o getting infected or seen. I can't afford to be secure by myself, there's not much point, unless to "make a point" to someone[s]; which ends up being a worthless game w/ both parties leaving w/ mental illness.

But yeah, we're just "buying time" w/ trivial bullsh*t, not substantial innovation (maybe there's a limit, or maybe our brains are mush) b/c those w/ money won't spend it (or if they do, just charge more taxes and increase prices, squeezing everyone else to death) and be selfish until they bring us down w/ their worthlessness and our day will come when we really do run out of resources, power goes off, water/sewage stops (look at the stadium during hurricane Katrina for what happens society breaks down and people start squatting everywhere); even if you outlive the big death there won't be anything to harvest and the air will just be cancer-air anyway. Fun times.

Clive RobinsonApril 18, 2015 9:12 PM

@ Figureitout,

Life always has a fully loaded gun to the head of the living, the only unknown is not "if" but "when" it pulls the trigger, in the words of the song "Baby we were born to die".

With respect to rolling your own crypto, it's a catch twenty two situation in that it's inadvisable if you don't know what you are doing, and you only know when you did not know enough is when it goes wrong for you...

Arguably the open community "experts" did not know what they were doing with AES, in theory it's secure "for data at rest" but in practice is not secure when in use when used in any form of "connected way" an adversary can get to monitor...

So in my view AES is not fit for purpose in practical implementations in the majority of use cases. For people that disagree that's your right of free speech, I'm exercising mine by saying it's not fit for purpose. Further if you read any NSA documentation on equipment such as their IME where they use AES it's only classified for "data at rest"...

So even the experts don't get it right and as you have observed the world moves on and as Bruce has been known to comment "attacks only get better" and as others have noted attacks are practical not theoretical and applied where ever weaknesses can be found.

That aside people can design their own "limited use" crypto quite successfully if they follow certain rules which have been established over time. For example take an existing "stream cipher" and use its output to replace the key schedule of a block cipher. Within reasonable limits the hybrid will be stronger than either of the ciphers on their own.

The downside is it's not going to be fast and efficient... further stripping it down in some way to increase speed or efficiency is most likely going to degrade the security margin.

So as a "rule of thumb" in the general case you can have "security" or "efficiency" not both. It's the rare case where you get both, and you need many eyes and rigorous testing to prove you have them.

And that's the rub, as a "lone designer" you don't get "many eyes" or "rigorous testing" thus each step towards efficiency you take is "one of faith" you are not weakening security in some known or unknown way.

But even when you have your crypto design you then have to do the testing for all modes you are going to use.

Which is why my advice is take existing tested cipher designs and build them into new cipher systems, the easiest way is by just simply chaining existing ciphers together.

The result is not a fundamental new cipher but a conservative chain cipher which is generally more than sufficient for most uses.

That is you are not straying from the "known path" into the "unknown". However with a little care you can walk a little bit to the side of the "known path" with certain hybrid systems such as replacing the key scheduling of a block cipher with another cipher either block or stream.

At the end of the day "you lay your money down" and "the wheel spins" sometimes you will win, more often you will lose.
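The conservative chaining described in the comment above, sketched as an added example (not from the thread, and not any commenter's code): two keystream layers with independent HKDF-derived keys are XORed over the plaintext and the result is authenticated. The two layers are standard-library stand-ins (SHAKE-256 and HMAC-SHA256 in counter mode) for the vetted ciphers you would actually chain from a maintained library, and every function name here is hypothetical.

```python
import hashlib
import hmac
import os

SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF (RFC 5869) with SHA-256: extract, then expand."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_layer_keys(master: bytes, salt: bytes):
    """One master secret in, three unrelated keys out: layer A, layer B, MAC.
    A cascade only adds strength if the layers do NOT share key material."""
    okm = hkdf_sha256(master, salt, b"cascade-demo/v1", 96)
    return okm[:32], okm[32:64], okm[64:]


def keystream_a(key: bytes, nonce: bytes, n: int) -> bytes:
    """Layer A stand-in (assumption): SHAKE-256 as a keyed output function."""
    return hashlib.shake_256(b"layer-A" + key + nonce).digest(n)


def keystream_b(key: bytes, nonce: bytes, n: int) -> bytes:
    """Layer B stand-in (assumption): HMAC-SHA256 in counter mode."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:n])


def xor_bytes(data: bytes, stream: bytes) -> bytes:
    return bytes(d ^ s for d, s in zip(data, stream))


def seal(master: bytes, plaintext: bytes) -> bytes:
    """Encrypt with layer A, then layer B, then MAC the whole message."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    k_a, k_b, k_mac = derive_layer_keys(master, salt)
    inner = xor_bytes(plaintext, keystream_a(k_a, nonce, len(plaintext)))
    outer = xor_bytes(inner, keystream_b(k_b, nonce, len(plaintext)))
    header = salt + nonce
    tag = hmac.new(k_mac, header + outer, hashlib.sha256).digest()
    return header + outer + tag


def split_blob(blob: bytes):
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    outer = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    return salt, nonce, outer, blob[-TAG_LEN:]


def unseal(master: bytes, blob: bytes) -> bytes:
    """Verify the tag first (constant-time), then remove layer B and layer A."""
    salt, nonce, outer, tag = split_blob(blob)
    k_a, k_b, k_mac = derive_layer_keys(master, salt)
    expected = hmac.new(k_mac, salt + nonce + outer, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    inner = xor_bytes(outer, keystream_b(k_b, nonce, len(outer)))
    return xor_bytes(inner, keystream_a(k_a, nonce, len(outer)))


def peel_layer_b(master: bytes, blob: bytes) -> bytes:
    """Model 'layer B is broken': strip it and return what is left.
    The result is still ciphertext under layer A's independent key."""
    salt, nonce, outer, _ = split_blob(blob)
    _, k_b, _ = derive_layer_keys(master, salt)
    return xor_bytes(outer, keystream_b(k_b, nonce, len(outer)))


if __name__ == "__main__":
    master = os.urandom(32)
    msg = b"constructed sample message"  # constructed input
    blob = seal(master, msg)
    print("round trip ok:", unseal(master, blob) == msg)
    print("after peeling layer B, still not plaintext:", peel_layer_b(master, blob) != msg)
```

The cost matches the comment's rule of thumb: every byte is processed by both layers, so throughput is at best that of the slower one.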

FigureitoutApril 18, 2015 11:19 PM

Clive Robinson
--The way I'm approaching crypto design is more of a "OTP design" way. Since we can't really trust any "publicly approved" crypto since "the experts" can't even keep out malicious idiots recommending changes that render the cipher broken.

For things that are publicized and aren't changing much, I'd recommend public crypto (on the assumption, that paranoid people know that info probably isn't actually secure).

For personal things, I'm recommending (to me, myself and I; I don't get paid to do this) either tweaks to public ciphers that render automated tools worthless and require some painful cryptanalysis (where you are NEVER guaranteed to know the true plaintext, just guesses, assuming the messengers didn't design these messages to throw you off...and the game continues...).

I don't need a lot of testing when I'm pitching away and modifying ciphers every week. Using appropriate OPSEC which you should be, the info being transmitted should already be protected from crap crypto; or of minimal value long-term.

RE: cipher chains
--Oh I'm sure we'll get some more of the same "don't roll your own" "trust me, I know better", people making fun of your chains but not being able to actually crack a message w/ it. That's what old school crypto designers aren't getting, we can't trust anything due to corrupted NIST standards and competitions, so short-term "throwaway" "crypto" will become more prevalent.

Mike (just plain Mike)April 19, 2015 12:12 PM

Hello Nick

Sorry – this has ended up a bit of a monster.

I feel your pain with regard to the general attitude of most people to data security. You can tell what we have at the moment for dealing with this is bad because we still use the word technology to describe it.

Douglas Adams: Technology is a word that describes something that doesn’t work yet.

It was very interesting to read that article of Bruce’s – thanks for linking it. I think I vaguely remember it from back then (I’ve been on the train, with gaps, since the Cryptogram days). It was also interesting re-reading it as I think my position on some of the issues discussed has shifted a bit.

Yes – Nature loves heuristics – they’re cheap to implement. There’s the classic (from Dawkins’ River Out Of Eden I think) about the deaf turkey that would repeatedly murderously attack its own chicks after they hatched – it appears there is a simple turkey-rule: ‘mercilessly attack anything in the nest that moves if it doesn’t make a noise like a baby turkey.’

I’m sure humans use heuristics too. Indeed, I’m now not even sure many people think there is that clear a dividing line between a sufficiently large bag of heuristics and ‘objective rational thought’ (a lot of current AI people seem a bit coy about that at the moment.) I think my view is more that objective rational thought is perhaps something a human stands much more chance of achieving if it is supported by a mass of accumulated culture, knowledge, history and wisdom of the humans that have gone before it, all combined with active adversarial discussion with the living humans that surround it. Perhaps what we call ‘objective rational thought’ is an emergent property of a culture made of lots of monkey brains all jabbering at each other, but the monkey brains themselves are basically just running a pile of heuristics; the monkeys think they are capable of objective rational thought by themselves, but in fact they are no more capable of this than a gate in a PC’s CPU is ‘capable’ of running COD.

Odd, isn’t it, how much time and energy humans sometimes spend discussing things on the internet xkcd://386. All this typing is not very conducive to increasing individual selective fitness is it? Shouldn’t I be using my time foraging for berries or trying to seduce women of child-bearing age? Would you say my inclination to rant on the internet is just some sub-optimal side-effect of our industrialised culture, or might it not be more of a reflection of the profound sociality of humans? Maybe things like interaction with other humans – exchange of knowledge and beliefs, ideas – gossip – arguing – status – reputation – fairness – trust – might these things not actually be really important to humans – so important that they will expend lots of time and energy – forgo food, comfort – life even. Could these things be innate – built in by evolution – the necessary hard coded machinery to facilitate the advanced level of human sociality?

I would respectfully suggest that anyone who complains about humans being bad at cost-benefit analysis or risk evaluation should be careful what they wish for. The judgement that these behaviours are ‘sub optimal’ or ‘cognitively biased’ is almost always framed in terms of their utility with regard to short-term personal/individual advantage. Perhaps a lot of this sub-optimality for the individual in the short term is about optimality in the longer term for society. One word we have for characterising someone who efficiently optimises their short-term personal gain is ‘sociopathic’. Almost by definition you can’t have a society in which everyone is constantly optimising their short-term personal gain – not even a police state. You wouldn't expect social animals always to maximise their short term individual benefits – so although some human heuristics may indeed be ill-adapted it may well be that a lot of them make more sense once you admit wider criteria than ‘does it maximise immediate personal gain’.

Humans sometimes lay down their lives for other non-related humans. Humans spend hours and hours curating and maintaining shrines to themselves on FaceBook. Humans will often endure serious material costs in order to ‘get back’ at others who have wronged them, or to mete out retribution to those who have wronged others or are acting ‘unfairly’. These aren’t trivial phenomena on top of an otherwise individualistic species – I would argue that these social/societal behaviours are central in humans – and yet, the framing of much of the interpretation of the behavioural research (of the kind quoted in Bruce’s piece, at least at that time anyway) is along the lines of: (a) the built in stuff must surely be adapted to a lone or small-genetically-related-group animal often having to run-away from lions (sometimes tigers) and (b) some of the stuff people do doesn’t make sense if viewed in terms of maximising short-term personal gain – so this must be because of the un-natural environment of a modern industrialised world.

Such a framing, for instance, takes little account of how the behaviour choice of the subject might be perceived/judged by others – including the experimenter. People worry big time about looking stupid, mean, selfish, irresponsible or inconsistent. Also, the actual scenario is of course seldom the stated scenario – the actual scenario is usually a college kid who’s consented to take part in some research answering some researcher’s questions – it’s not actually ‘would you kill 100 people to save 1000?’ – it’s someone with a clipboard asking you that question in some office/lab because you had some free time on your hands – the only likely material consequences of your answers will be how they reflect on your character in the opinion of the researcher or anyone else who gets to see what you said (and how quickly you can get it all over with and go home). Also, I suspect that people will often take account of how likely a given scenario like ‘or you get $100 in two years’ would actually be to happen given that the real world runs on people rather than rules.

The idea that humans, if only they were perfectly adapted to their current circumstances, should be perfectly rational – that they would always competently pursue individual utility maximisation – that is insane as a model for humans – it flies in the face of the overwhelmingly obvious fact that humans are highly social. That such a view could have ever been taken seriously – and that it still often is – seems to me very parochial. When humans look at social insects – ants say – they say things like: ‘yes, the reason that ant is laying down its life for the colony is because of this or that pheromone’. Imagine an exo-exobiologist looking at humans: ‘yes, the reason that human is laying down its life is because it is being controlled by the sound waves emitted by the other humans’ – the exo-exobiologist sees humans projecting sound waves at each other and exchanging numerical tokens – organising themselves – specialising – deferring rewards and doing things that aren’t to their immediate individual advantage (an extreme example being knowingly risking death in war). The humans, of course, think of all of this in terms of concepts like language, money, duty, patriotism, honour, respect, justice etc. The exo-exobiologist just sees lips shaping sound waves and the resultant behaviours – and any competent biologist knows that this is the sort of thing you would expect to see in social animals: lots of interaction and information exchange, lots of machinery for context dependent control/modulation/coordination of behavior between individuals.

Also – it is important to be disciplined with evolutionary arguments. Evolution does not select for the short term gain of the individual. Evolution doesn’t give a sh*t one way or the other about the individual. Generally Nature is not trying to make individuals happier or their lives longer or better (ask a salmon) – it is just doing what it does – which is physics at root – the unavoidable realities of the replication game played out in our physically constrained universe. Darwin’s great insight – evolution by natural selection – is an essentially simple idea, but it has many complex and counter-intuitive consequences when you follow it through (like chess perhaps – or Go) – but its core simplicity leads many people to think they understand it and its implications better than they actually do. The generally accepted rule – which follows from the basic mechanism of how life reproduces – is that if you can’t explain why a given thing (trait, behaviour etc.) might lead to the preferential persistence of the gene or genes which encode for it then you have a serious problem in invoking evolutionary theory as an explanation/support for why that given trait/behaviour exists. For sure – things which benefit genes sometimes also benefit individuals, groups or species – and sometimes they don’t – but the gene-centric view is the first point of call for most evolutionary biologists – not because of reactionary dogma – but because it is based on current understanding of the machinery of life, the mechanisms of heredity and the physical constraints imposed on replicating things in a finite system subject to the vicissitudes of thermodynamics (there is finite free energy coming in, there is finite stuff to build bodies with – not everyone can persist and reproduce without limit).

This is the really exciting thing though. There are still fascinating and open problems and arguments (many of them decades old and still extremely hand-baggy among biologists) as to how to account for the evolutionarily stable development and maintenance of sociality. This is particularly interesting in the case of humans because they show such high levels of co-operation between un-related individuals. Many of the arguments are rather counter-intuitive – and – just as in the field of security – the ‘first thing you think of’ often turns out to be wrong. I think greater understanding of how humans got to be as amazingly social as they are – and how they manage to stay that way – is likely to have a big impact.

The scary reality might be that societies – as so far evolved at least – may function at their best (best serve the genes that regulate them) when the people in these societies are not functioning at their most individually rational/well-informed. This is a depressing prospect – and I don’t like the idea – but, of course, Nature doesn’t care about that! The risk/cost/benefit of a given activity for society may not be the same as the risk/cost/benefit to the individuals undertaking that activity (heroics leading to certain death being a fairly good example).

Perhaps some of the ‘biases’ in humans are to do with getting groups of people to agree about what to do – even if what they agree on is not necessarily optimal/rational – it may be ‘good enough’ – and that may be better than the alternative if the alternative is that the people would not be able to agree (or would take too long to agree) over the truth/optimal-solution. Alternatively, maybe some of the heuristics are to do with how you build a society in which some people can specialise in finding the truth while the others will just take their word for it – or maybe it’s all to do with machinery for iterative societal problem solving – so perhaps initial over-reaction to rare but unusual/scary events might in some way be mirroring similar phenomena that seem to happen in immune and nervous systems before they converge over time on a more appropriate response.

To try to get back on (your) topic:

(1) People often seem over willing to give out passwords. If I’m setting up a machine/device for someone I’ll say ‘could you just type in your password at this point – I’ll avert my eyes’ – and they’ll usually say something like ‘oh – it’s OK – I trust you – it’s blah-blah-blah’ Maybe they’re just being stupid and/or making poor judgments because they are living in a city rather than collecting berries and frequently having to run away from tigers... or maybe part of what is happening is that people are programmed to signal and build trust with each other, and to foster a reputation for themselves as trustworthy – and this can be achieved, at some risk, by making a trusting opening move. Saying ‘no – I won’t tell you my password’ is not that far away from saying ‘I don’t trust you’. Problem being (as I’m sure you’d agree) that signalling a window of trust by temporarily granting someone control of your in-need-of-repair car (and thus giving them the key) is reversible in a way that telling someone your password is not (if you aren’t capable of changing it that is, which almost by definition in this case such people are not because that’s why they needed me to find the bit of UI on their device where you need to type the password in the first place).

(2) Personal computing devices (for want of a better phrase) have been around for – what – 30, 35 years. In the early days they were very marginal – just home computers – no global network. If I plot a graph of ‘how bad will it really be if everything on my computing device(s) were destroyed/stolen/exposed-to-the-world’ against time then I will see that as the decades have passed that line has been going up pretty rapidly – even more so for corporates (though they started with IT quite a bit before individuals). I think it is taking society a while to adjust to this rapid change, and it is not helping that there are powerful commercial interests trying to persuade everyone to spatter far and wide anything and everything they have ever done/said/written/searched/thought/felt/photographed/eaten or otherwise used their computing devices to record – share, and enjoy (and Google/FaceBook etc. are probably pushing at an open door with that). Anyhow – I think that having your house broken into or your car stolen is still, for most people, many times worse than a hacker trashing or raiding one of their personal computing devices. And yet – as you imply – the physical security solutions (physical locks and keys) we have for houses and cars are much better developed and less effort to use than the security solutions we have at the moment for computing devices and remote data. It’s the wrong way round – the things we seem apparently to care least about (our computers/data) are the hardest work to secure. I think it’s beginning to dawn that having your bank-account drained is something that can happen to people – but the finance industry is still managing to keep a lid on how bad that actually is. The stories people tell me are still mostly of a friend of a friend who had their details stolen and the evil hackers took some money, and it was all very stressful, but the bank/card-company kissed it all better and refunded them, and now it’s OK.

(3) As for the corporates: As a human, the attitude/opinion of your peers is very important. Not only is it important to take into account the official rules (the rules of the leaders and the police-types), it is also important to take into account the general attitude of your non-governing peers with regard to how good/bad/serious/stupid those rules actually are (I remember school). So, in the corporate context I think it’s still true (and I guess you must know far more about this than me) that people still tend to show far less care in following corporate IT security guidelines than they would with regard to, say, setting the physical alarm system when leaving the building. I think part of that is a carry through from general societal attitudes to personal IT security ((2) above) – a cultural sense that basically everyone is a bit crap at it, and that computers and their contents are still somehow not as serious or important compared to real world physical stuff. So, if something bad happens at my workplace and it was my fault for not changing my password as often as I should, then all my peers will look at me and think ‘there but for the grace of god go I’ rather than ‘oh how dreadfully irresponsible of him – what a bad person – I’ll never give him the benefit of the doubt or do him a favour ever again’.

So – (finally!) – I think issues of privacy and thus personal data security are most likely to require an acknowledgement of the social nature of humans when trying to interpret how/why people make the judgements/choose-the-pay-offs that they do. If you’re not a social animal then privacy doesn’t really have that much meaning – so I think interpreting behavioural studies in terms of the short term fitness benefits for an individualistic hunter-gatherer who spends a lot of time running away from lions isn’t likely to be helpful, and I’m not surprised that the insights gained into people’s ‘security/privacy accounting’ from analyses based on this perspective don’t help much. I’ve not read Liars and Outliers (published 2012 – so that’s four years I guess after the article you referenced) but I think this sort of societal and more enlightened evolutionary perspective is part of where Bruce was trying to take people with that book.

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.