Friday Squid Blogging: Giant Squid Video

Giant squid caught on video.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on April 3, 2015 at 4:17 PM • 116 Comments

Comments

TeRa • April 4, 2015 5:39 AM

Am I the only one who thinks that the whispersystems guys are missing the point with the direction they're taking textsecure (and redphone, for that matter)?

1. They seem to be going out of their way to lock users into google (first by refusing to release their apk on f-droid, now by making the app useless without google services in the phone). I don't know about you, but in my books google and privacy do not mix.

2. They're going down the data-only route to prevent SMS leaks, which is great. What's not so great is that all new signups must be processed by some California-based company, who records your number and sends you a code. In essence, this provides the NSA (listening in the background) with a convenient record of precisely who you are and how often you communicate with every one of your contacts (who are also conveniently linked to their individual phone numbers) whenever you use textsecure after registration.

Jonathan Wilson • April 4, 2015 7:48 AM

Someone http://motherboard.vice.com/read/how-to-make-a-bitcoin-address-with-a-ti-89-calculator has created a nice piece of code for the venerable TI-89 Calculator for generating secure parameters for Bitcoin.
The lack of any kind of randomness is overcome by using several rolls of a physical die (a d12 to be specific) as inputs into the program.

I think this is a great idea assuming the code itself is strong and does a good job of turning those dice rolls into a sufficiently random set of keys.

In fact, using old obsolete hardware that is unlikely to contain backdoors or easy ways to compromise them seems like a good way to go for security applications like this.

Something like an original Nintendo Game Boy would also be a good choice for this kind of thing. It's made by Nintendo. (Japan isn't as big on the whole spying thing as other countries like the USA). It's very old and simple hardware with no connectivity to the outside world (hardware that is highly unlikely to have been a target for spy compromising back in the day when the thing was made). Its hardware is well understood. (including through emulators) Running your own software on one isn't rocket science thanks to flash carts of various sorts. And there are so many of them out there that getting hold of one is relatively easy (and because there are so many of them, anyone buying one to use for this purpose won't stand out)

Maybe there are other common pieces of hardware that are similarly good targets to use for these sorts of operations.
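
One way to turn d12 rolls into a 256-bit private key, as an added example that is not part of the comment above and is not the TI-89 program's code. The SHA-256 conditioning step, the chi-square sanity check and all function names are assumptions of this sketch; the sample rolls are constructed, not random.

```python
import hashlib
from collections import Counter

SIDES = 12  # the d12 mentioned in the comment above

# Order of the secp256k1 group; a Bitcoin private key must lie in [1, N-1].
SECP256K1_N = 0xFFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFE_BAAEDCE6_AF48A03B_BFD25E8C_D0364141

# Chi-square critical value for 11 degrees of freedom at p = 0.001.
# Fair dice exceed it about once in a thousand batches of rolls.
CHI2_LIMIT_DF11 = 31.264


def min_rolls(entropy_bits=256):
    """Smallest number of d12 rolls whose outcome space covers 2**entropy_bits."""
    count, space = 0, 1
    while space < (1 << entropy_bits):
        space *= SIDES
        count += 1
    return count


def rolls_to_int(rolls):
    """Read the rolls as one base-12 number (face 1 is digit 0, face 12 is digit 11)."""
    value = 0
    for roll in rolls:
        if not isinstance(roll, int) or not 1 <= roll <= SIDES:
            raise ValueError(f"not a d12 face: {roll!r}")
        value = value * SIDES + (roll - 1)
    return value


def chi_square(rolls):
    """Pearson chi-square statistic of the face counts against a fair d12."""
    expected = len(rolls) / SIDES
    counts = Counter(rolls)
    return sum((counts.get(face, 0) - expected) ** 2 / expected
               for face in range(1, SIDES + 1))


def derive_private_key(rolls, entropy_bits=256):
    """Condition the rolls into a 256-bit integer usable as a secp256k1 key.

    Refuses input that carries too little entropy or whose face counts are
    wildly uneven (a loaded die, or someone typing the same number over and over).
    """
    rolls = list(rolls)
    if len(rolls) < min_rolls(entropy_bits):
        raise ValueError(f"need at least {min_rolls(entropy_bits)} rolls")
    value = rolls_to_int(rolls)  # also validates every face
    if chi_square(rolls) > CHI2_LIMIT_DF11:
        raise ValueError("face counts look biased; roll again")
    # Fixed-width encoding so that leading low faces are not silently dropped.
    width = ((SIDES ** len(rolls) - 1).bit_length() + 7) // 8
    digest = hashlib.sha256(value.to_bytes(width, "big")).digest()
    key = int.from_bytes(digest, "big")
    if not 1 <= key < SECP256K1_N:  # probability about 2**-128
        raise ValueError("digest outside the valid key range; roll again")
    return key


# Constructed demonstration input: a fixed pattern that hits every face six
# times. It is predictable and must never be used for a real key.
SAMPLE_ROLLS = [(i * 7) % SIDES + 1 for i in range(72)]

if __name__ == "__main__":
    print("rolls needed for 256 bits:", min_rolls(256))
    print("demo key:", hex(derive_private_key(SAMPLE_ROLLS)))
```

Each d12 roll carries about 3.58 bits, which is why 72 rolls are the minimum for a 256-bit key; the chi-square check only catches gross bias and says nothing about whether the rolls were observed by someone else.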

CallMeLateForSupper • April 4, 2015 8:23 AM

@Jonathan Wilson
"Maybe there are other common pieces of hardware that are similarly good targets to use for these sorts of operations."

Finally! A use for the Texas Instruments SR-52 (nudge-nudge, wink-wink). That beast dates from 1975. (This long-time RPN bigot couldn't resist a dig.)

One of my professors, owner of a then-new HP-67, said of algebraic entry, "Just THINK of the millions of SR-52 program steps wasted by parentheses."

ajitaM • April 4, 2015 8:46 AM

Implantable medical devices are not only vulnerable to malicious attacks but they can be used for hiding/smuggling data as well!

Imagine a heart pacemaker or insulin pump with side channel communication on its control (I/O) interface and hidden storage on it. Yeey.

uair01 • April 4, 2015 9:04 AM

This should get more attention. It's a good thing if designers and artists get more involved with crypto. This could improve the usability.

https://cryptodesign.org/

The Crypto Design Challenge is an open call to all young designers and artists in the Netherlands and Belgium to develop new ideas and to submit inspiring plans and proposals (before 1 August 2015) to make the encryption of digital images and information accessible to all.

With this challenge, we aim to offer insight in the mysterious world of cryptography and privacy, made accessible by design.

Figureitout • April 4, 2015 9:49 AM

TeRa
--Sounded to me they were having too many problems making it work and are "giving up", I bet it's something like every OS update breaks the code in ways you can't even imagine then you spend like a month finding that, which delays other development...kind of like browser code.

I would say people interested in "secure texting" should look into SDR and digital radio instead of using *known* surveilled networks like the internet and phone networks.

Jonathan Wilson
--Yep, that was my thinking too (and quite a few others here) some enterprising individual *supposedly* implemented AES and TDES on TI-84 in basic lol. TI calculators have a large community at ticalc.org, there's even an OS being developed (there's others, but this one would resemble more an OS I think), KnightOS. Pretty chill guys working on it. Basically it just outputs 32 hex chars and can only input 32 hex chars. For that, it takes the TI84 around like 5-15 min for AES and like 5 or less for TDES. I would use it for short messages, amongst a couple others; but you'll need lots of batteries lol. I would say a number of other dev kits, not to mention all the RasPi, beaglebone, arduino stuff now fills that void as well. B/c you can start programming right away (but yeah still the newer chips, not good...).

Also old smart phones, or even just regular phones and PDA's, some people bust open the weird OS and make a little working toolchain to either make apps or full-blown ROMs and OS's. Fun stuff.

CallMeLateForSupper
--Jesus, RPN-MasterRace checking in eh? Parentheses are nice! Wrap around and snuggly prevent false computations, just don't get carried away like Lisp lol. And *maybe* if I didn't spend my entire childhood being brought up on algebraic entry on *TI-approved only* calculators RPN wouldn't be so annoying lol.

ajitaM
--*Every single flash chip* could be used to transfer data. Whether it be flash, EEPROM, SRAM (which you keep powered via coin cell), MicroSD; all of those too lol. There's a boatload of sh*t flying under the radar.

st37
--Maybe people should email her this lol (that is, if she knows how to open an email, that's probably pushing it), [PDF warning] http://www.freeinfosociety.com/pdfs/misc/anarchistcookbook2000.pdf

I don't get why people care about old hacks losing their sense of reality...

k11 • April 4, 2015 10:29 AM

Could journalists use a warrant canary to indicate whether they had been compromised, or is it complicated enough that they'd need a whole flock of them?
And an unrelated question, how could you tell if your browser's returning MITM fodder, if traceroute never completes?

MikeA • April 4, 2015 11:16 AM

From what I remember of the Anarchist's Cookbook, it could be useful to weed out the gullible wannabe terrorists. Hm, maybe the point of the ban is to make sure they stay alive long enough to stumble onto a "mentor" working for the TLAs, thus providing a nice "Massive Terrorist Group rounded up" story to feed the press. Anyway, DiFi is pretty much opposed to education in general, unless it's taxpayer money being funneled via student loans into diploma mills.

As for SDR and digital radio. I was messing with my TV antenna and stumbled across a fairly strong signal on the old VHF Channel three (no longer used with the move to digital TV). Interestingly, the signal appears to be ATSC modulated, but with no "channels". That is, the bit-stream doesn't decode to anything sensible. South SF bay area, pointed North, if anybody wants to check it out. Nice match for the image of a Linux console screen on one of the channels of my brother-in-law's Comcast service.

k11 • April 4, 2015 11:31 AM

Are there social exploits that we don't yet have good defenses against, and if you thought you saw one, who would you report it to?

albert • April 4, 2015 11:36 AM

@st37
:) Time to get rid of all the old fossils inCongruous. Might younger Congress-critters have a clue? Feinstein doesn't understand the Internet, and she doesn't appear to have a clue about the 1st Amendment either. It wouldn't surprise me if the whole 'terrorist' case mentioned is another FBI setup operation. Cab drivers and disgruntled women? Is that the best they can do? There must be thousands of unhappy Muslim men that are willing to be sucked in by one of these sting operations...
.
@Figureitout
Those 'old hacks' are still running things, that's why.
.
...

Figureitout • April 4, 2015 12:57 PM

MikeA
--Yep lol, doesn't give "full implementations" and steps, just nice hints. Also plenty of the bomb-making stuff is like "don't shake this, could blow your finger off"--lol...nope. There's already enough risk w/ say cleaning chemicals getting mixed and creating poisonous gas, I've had my fun w/ fireworks. Let nature work its course I guess, just hope the explosion is small enough to just blow their limbs off.

Yeah I found a similar channel on VHF or UHF on an old TV, just a weather channel. Really neat thinking what's actually happening. Something I really want to try eventually (when I can get my Windows PC's set up correctly, can't rid this malware w/o taking some extremist measures I can't afford now.) is the slow-scan images from some satellite w/ RTL-SDR. Then lots of sensors attached to radios are always fun, quick to "get working" then build up the applications w/ handy programmable interfaces (which is the best part).

albert
--They don't actually do anything besides drink metamucil and give speeches a 3 year old can see thru and get a $220,000 salary and full health insurance. Seriously people, go to a statehouse and watch what these worthless hacks do all day. What I'm saying is it really doesn't matter what she or other legislators think b/c she can't *actually* do anything about it lol. Just raise taxes and drag the population down, about it.

Paul W. • April 4, 2015 1:11 PM

I had a response to the other squid blogging post that got deleted, but I'll post it anyway:

A lot of people are all excited about this [RNA editing in squid] without knowing the first thing about how genes actually work, and why this is likely to be a somewhat interesting complication of the basic story without being a breathtaking revelation.

Genes are basically computational rules for a "production system" (rule-based) computer.

The genome is a computer program, and the mechanisms for gene expression are a computer---but NOT the kind of computer that many people are familiar with. It isn't a sequential von Neumann machine or a Turing machine, but a "production system" computer. (Most people who try to explain genes in basic computational terms get this more or less wrong.)

Production systems were invented by Emil Post even before Turing invented Turing machines, and way before von Neumann machines, which von Neumann didn't invent. (Or you could say they were invented many millions of years ago by nature, and Post reinvented them.) IMO production systems are usually a better way of thinking about fundamentals of computation anyhow, and it turns out they're an excellent fit to what genes do. And IMO that's VERY interesting.

A typical gene is an if-then rule like

IF (A and B and not C) THEN (D and E and F)

This isn't an IF-THEN statement like in a sequential programming language like C or Pascal. It's more like a logical rule, saying that if you know A and B are true but C isn't, then you can conclude that D and E and F are true. And a bunch of these rules can be firing at the same time.

(About 90 percent of genes are purely computational rules like this, used just to turn other genes on or off, or more generally to make them fire more or less often.)

The left-hand side of the rule is a set of conditions for the rule to fire, and the right hand side is a set of "propositions" that the gene "asserts" if its preconditions are satisfied and the rule fires.

The left-hand side is implemented by the "control region" of the gene, which has binding sites for signaling molecules---if the right molecules are floating around, they will dock to those binding sites and either promote or inhibit the gene from being expressed---i.e., make it more or less likely to fire.

The right-hand side of the rule is implemented by the "coding region" of the gene, which is mainly a sequence of DNA bases that are transcribed to an equivalent RNA sequence. That RNA sequence is usually transcribed to a sequence of amino acids making up a particular protein. Most such proteins are just signaling molecules that affect whether other genes are expressed (i.e., whether other rules' preconditions are satisfied so that they can fire).

The protein typically folds up into a relatively compact lump, with bumps of various shapes poking out. The shapes of the bumps are what's really important---they implement the "propositions" that the rule "asserts". So each "proposition" (A, B, etc.) in a rule is implemented by a particular bump shape. There are many thousands of distinct bump shapes.

One complicating factor in this story is that when a gene is transcribed---i.e., its coding region is basically copied to make a corresponding RNA sequence---the resulting RNA may not be translated to a protein. The RNA itself may serve as a signaling molecule, because it may itself have bumps of the right shape, so that it can dock to genes' promoting or inhibiting sites.

Given all this---a pretty powerful production system "programming language"---it's unclear what RNA editing is mostly used for, or whether it adds much to the power or expressiveness of the basic rule-firing programming language. That's a pretty interesting computational system already, and one which few people have even the most basic understanding of AS a computational system.

(Most molecular biologists do not know about Post's production systems, much less "massively parallel stochastic fuzzy control systems"---they think of a "computer" as something that executes programs sequentially by default, and do not realize they are looking at a computer at all.)

RNA editing may turn out to be pretty dull in those terms---never doing anything that couldn't be done about as well with propositional rules as described above---and its prevalence in squid may be an artifact of something wrong with squids' basic genetic program. It may be an ugly hack that evolved to fix something that other organisms fixed in a better way, within the basic rule-firing "programming paradigm."

Or it could turn out to be really interesting, adding something basic and really useful to the basic programming language, so that evolution can solve programming problems more generally and elegantly. THAT would be very cool, but as I understand it, nobody has any clue at this point whether that's true.

IT Employee • April 4, 2015 1:52 PM

A few weeks ago, I started a full time job as a 'tech employee' with a North American based company that provides IT support, email hosting, domain and Windows AD hosting (Azure), and remote/onsite tech support for small to medium sized businesses. I'll keep the name anonymous, but know that the company employs somewhere between 50 and 100 people across a handful of offices. The size of the clients range from 2 to 700 employees and are almost entirely US-based companies.

I was honestly appalled by the realization that not only is security a dead-last contender for resources at ALL levels on the organizational chart (generating revenue is number one, followed closely by profit), but that the employees are shockingly ignorant of the NSA's activities in a post-Snowden environment.

One might expect the average 22 year old Tier 1 technician to perhaps be more indoctrinated into a belief system lacking privacy expectations, but even the older, more experienced datacenter engineers are woefully ignorant, and worse, apathetic to the importance of the anti-Orwellian cause. I literally heard in conversation with a datacenter engineer, "I'm not doing anything wrong, so, I have nothing to hide." My heart sank a little. In this instance, the lack of critical thinking was disappointing, and, the overall reactions I've observed have been demotivating.

A grassroots champion cannot stand on a stage and effect change without an audience. I sense those with front row tickets have left the coliseum and returned home to sleep.

ajitam • April 4, 2015 2:19 PM

Figureitout, you missed the point! Medical devices are less suspicious and it would be unethical doing security checks while keeping patient alive/healthy.

Buck • April 4, 2015 3:03 PM

@IT Employee

I literally heard in conversation with a datacenter engineer, "I'm not doing anything wrong, so, I have nothing to hide." My heart sank a little.

Hope I don't make your heart sink any more, but without an audience - even if you really do have nothing to hide - something could easily be 'planted' on you for one reason or another...

IT Employee • April 4, 2015 3:25 PM

@ Buck

"something could easily be 'planted' on you for one reason or another..."

Absolute power corrupts absolutely. It's inevitable. My worst fear is to witness it all come to fruition, brazenly, openly, and in full public view without being challenged.

Buck • April 4, 2015 3:40 PM

@IT Employee

While I absolutely agree with that statement, I think instead of reacting by saying: "I'm not doing anything wrong, so, I have nothing to hide" is the wrong attitude; perhaps you could be more proactive by sharing what you really feel..?

BoppingAround • April 4, 2015 4:37 PM

Off-topic.

Buck,
I was reading a book chapter on expressing your real thoughts and feelings the other day. Sort of psychology book. It said that despite the fear of being denounced or rejected saying what you really think is generally beneficial; for smart people won't judge you for your opinions and you really shouldn't be bothered by what fools think about you. Another benefit, it stated, is of actually exposing the 'fools'.

Haven't made my mind on that. A book is a book — author's personal experience and worldview shape his perceptions and judgements. An author may be not completely objective in his theses. And life is more complicated than that, given that each has his own circumstances to act upon.

Would be interesting to have some input from older commenters. What their life has shown them on the topic.

Clive Robinson • April 4, 2015 5:27 PM

@ MikeA,

From what I remember of the Anarchist's Cookbook, it could be useful to weed out the gullible wannabe terrorists.

If I remember correctly, this "Darwin Award" aspect of the Anarchists Handbook has been discussed on this blog before...

I vaguely remember someone commenting on the inadvisability of using the book's suggestion for strengthening acid by distilling a more dilute form using two beer bottles...

At the end of the day all explosives are just a chemical way to store energy, with in their case the desirable aspect of rapid energy release. I guess it does not occur to some that just as storing energy in mechanical ways, sometimes "the spring pops out when winding up"...

Without going into details, somebody I knew at a Uni I worked at had obtained some crystals on filter paper, and as they had several times before had left the papers to dry on the bench over lunch. However on returning from lunch discovered no more filter papers, holes in the bench, equipment in disarray and a number of upset people, realised too late that "spring sunshine" through a window can give an extra energy kick that can get you a lot of blowback... As my friend ruefully noted, sometimes habit beats both common sense and knowledge...

That said Sir Fred Hoyle experimented with chemistry when quite young, and did some quite dangerous experiments. At an interview he was relating how he had done the experiment when one of the interviewers asked him how he had purged the equipment of oxygen before starting the experiment, a very difficult and involved task. Fred replied that he had not, he had loosely fitted the corks, and slowly started the experiment, when he had had the expected flash of flame, he knew the oxygen was used up so just pushed the corks in tight and carried on. Apparently one interviewer looked aghast, whilst another simply said after a little thought "Yes I guess that would do it".

Sometimes things are dangerous, and sometimes they are not, circumstances have a lot to do with it. After all if the story about the discovery of gunpowder is true, the Chinese Alchemist either got lucky or had the right circumstances to get a flash not a bang. Oddly perhaps with our modern "Health and Safety" led viewpoint, we tend to forget historically most useful scientific discoveries were "by luck and circumstances"...

any moose • April 4, 2015 6:04 PM

Bruce, how many years ahead of the public / academia / industry do you think the NSA is? I would guess at least 20 years ahead.

I doubt they allow any software or hardware anywhere to go to market or get dispersed if it even makes it difficult for them to spy. A massive portion of their effort is probably focused on eliminating or bypassing future anonymity and encryption software, so that when it comes out, there's a smooth transition and they continue to get the data.

Maybe they already have quantum decrypt capabilities. Code names like "quantum hand" could have meaning – not necessarily that the tool called "quantum hand" requires any sort of quantum computing, but that the people who came up with the code name had been studying quantum physics and quantum comp sci.

https://www.quora.com/How-advanced-is-NSA-cryptography-relative-to-academic-cryptography

Clive Robinson • April 4, 2015 6:20 PM

@ BoppingAround,

It said that despite the fear of being denounced or rejected saying what you really think is generally beneficial; for smart people won't judge you for your opinions and you really shouldn't be bothered by what fools think about you. Another benefit, it stated, is of actually exposing the 'fools'.

From experience I would advise against it.

There is a reason engineers make the world but don't run it, you will hear them accused of "not suffering fools gladly" by those on the side lines, and as "bloody impertinent/insufferable" by those who hold the purse strings.

It further does not help when people confuse response or chance with knowledge and assume wisdom is reserved for the aged.

Whilst age might give you some perspective and piles, it does not magically make you wise (though your look of pain just sitting there might convince others you are inscrutable). The simple fact is that by the time most people are forty, they have long given up academic learning and are in effect "set in their ways" or at least the tools they use to work. That is they believe themselves to be "Masters" not "Apprentices".

Such people do not like the young telling them they don't know their job. They may not be fools, but nor are they smart, because they are not sufficiently learned to know that there is much they don't know that others with knowledge might teach them.

There is also the issue of how various people's knowledge is spread, is it narrow and deep, or wide and shallow. A smart person importantly has not just both, but also realises the same applies to others. That is they realise that someone may be talking from deep knowledge, or shallow knowledge and need to determine which.

Smart people also tend to be like "Renaissance Man" with a sufficient depth of knowledge in various fields of endeavor that enables them to take the tools of one field and apply it to another. They may not be experts in any field but the cross fertilization of ideas makes them appear to be as insightful. This also tends to give them a humility that the book's author thinks others may not have.

Fl • April 4, 2015 9:26 PM

Say what you will, but that comment about the engineer who (thought that he) had nothing to hide doesn't come as a surprise. There are too many people like him in IT, stubborn in their beliefs, antisocial and often unpleasant in an idiotic way. The result is that they often can't tell the impact of technology on everyday life.

Buck • April 4, 2015 9:48 PM

@BoppingAround & Clive Robinson

Care to share an author, ISBN, or title with the rest of us..? I think I may know one or two that could benefit from such a book...

Buck • April 4, 2015 10:33 PM

@k11

Are there social exploits that we don't yet have good defenses against, and if you thought you saw one, who would you report it to?

Yes. Scream it loud and proud to anyone who may listen! Otherwise, only those who stand to substantially & unfairly gain will take advantage of said social engineering techniques...

6EQUJ5 • April 4, 2015 11:27 PM

@IT Employee

Smaller companies are very weak in security, generally. Larger companies engage in security budgets for a wide range of business reasons. Government and industry enforced regulations are some of the primary drivers of enhanced security in businesses. Without any of these drivers, security expenditure will be extremely low, "reactive", instead of "proactive".


6EQUJ5 • April 5, 2015 12:04 AM

@Clive Robinson, @aging

Most grow old. A very few grow wise. Many suffer, with no gains. A very few suffer and gain character.

Bodies decay, minds decay, spirits break.

But, not all.

Truly, staying alive trumps all.

6EQUJ5 • April 5, 2015 12:34 AM

@st37, @China Hacking Github

I noticed that story. It seems outlandish. Why does China continue to attack from their own soil, when they could put some effort into it, and attack from elsewhere? Why would any nation even bother engaging in a temporary annoyance like 'denial of service'? But, I am reminded of wars China fought in the 19th century, where they could not even depend on the quality of the gunpowder.

Contrast that, for instance, against the joint US-Israeli Stuxnet project which decimated Iranian nuclear systems. Not dissimilar, though with far less blowback, with the joint US-Israeli Dubai assassination. Why is China so backwards? I do not know.


6EQUJ5 • April 5, 2015 12:54 AM

@k11

"Are there social exploits that we don't yet have good defenses against, and if you thought you saw one, who would you report it to?"

Is there a 1%? Are there people and groups with power who remain secret?

I hate to quote from television, but I was watching this week's episode of "The Following". Much of the show is about very visible murderers who exploit the media. This episode focused on an individual who "stayed beneath the waters". It was a really worked out, impressive thesis. The idea was while there was the very visible mass murderer who started an "Anonymous" like movement, then there was his mentor. And his mentor's best student. Three layers underneath the surface. And much philosophizing about how the individual is a "shark" and should resist attempts to enjoy the sun, or those who would strive to bring him up above the waves.

They had a good point. Power and secrecy tend to go together.

My point is, those who find social exploits tend to use them, and not report them. There are those who report these bugs, but there is no one to fix them.


tyr • April 5, 2015 1:18 AM

@Clive

The filter paper stuff sounds like nitrogen triiodide, easy to make but only a damn fool makes it in large batches.

Once dry it goes off with any energy input, sound, light, heat or vibration. It used to be a staple of every chemistry course as a demo of energetic atomic bonds.

A society that wishes to repress all knowledge is doomed to fail in a technical world because other cultures will run over you. The one wisdom that age is supposed to bring is that research and development pays enormous dividends to the investor.

The one real advantage to living long if you're the curious type is that you can make the connections between totally disparate fields that the narrowly focused miss.

For example the steam jets of Enceladus are a good example of how a microwave heats water. Since it passes through the host planet's magnetic field with opposite polarities on each orbit.

Another example of fitting puzzle pieces is that Krakatoa blew in 535, the Greeks (Byzantine) said that the sun only shone for 4 hours a day around noon. Crops failed, tribes moved looking for food. Historians called this the dark ages and you don't see any European recovery until 900. One history says Arthur was killed in 539 fighting the Saxon invasion which adds one more piece to the puzzle.

Without the volcano data the historical records make no coherent sense.

You can't know everything but by casting a wide net and being nosy you can get some coherence from a lot of what would otherwise be mysterious.

As an ancient my advice to the young is learn how to say "I don't know" when you don't and don't try to be the one man band of bullshit music.

One other thing I cribbed from Feynman, if you're not doing experiments it isn't science. So use that as your criteria to judge the validity of anything which claims to be science.

6EQUJ5 • April 5, 2015 1:21 AM

@st37, 'removal of anarchist's cookbook call by senator'

Yes, I noticed this story as well. Of course, the united call by intel heads against public usage of encryption is the bigger story these days, but is similar in idiocy.

What people should find disturbing about this is Feinstein has had some level of power in the Senate in regards to oversight on intelligence matters. This shows just how completely clueless she is. (Though, I, for one, find the hyper focus these days on "counter-terrorism" being equated with "counter-intelligence" absurd. Much related to the "counter-narco" "War on Drugs", and its painful cluelessness.)

Yet, for her, and her team, it is sophisticated posturing. The book, it might be noted, is deeply weak and was written by a teenager. My favorite example is its instructions on how to get high by special processing of banana peels.

One of my coworkers noted to me his annoyance at living by her SF office and being forced to hear her tirades there. I contrast that against her noble struggles to fight against a caught incursion of the CIA against some of her systems in Washington.

This story is a bit less painful to me than the story this past week or so of the DHS panel head who exclaimed he has never used crypto, and is shocked that people are using it. He has never even used email, he proudly admitted. Intel heads across the board, across the nations, are denouncing it, why, he denounces it, too.

Yes, let us all engage in governmental censorship, and forego this whole "crypto" horror.

I found some solace in finally checking out "the Kingsman". Similar lunacy. All of the heads buying into some scheme to preserve their tenuous positions. They understand the negative ramifications against everyone else, but how could they resist? Hilarity ensues as they receive their well deserved rewards.

Well, the good news is these idiots are very advanced in age. I am not sure if it is "good news" or not, if one might point out they are not really in charge. I suppose that depends on one's perspective.

Figureitout • April 5, 2015 2:57 AM

ajitam
--Ok sorry. I'll just agree. Yeah, it would be unethical ripping someone's chest open randomly and "plugging in the programming cable". Don't trust wireless "debugging info" besides the simplest of commands and info on non-standard bands.

IT Employee
--Whatever, you can at least be prepared if an attack hits. Just back up "your area".

MarkH
BRITISH WOMEN RECALL THEIR ROLE IN WW II SIGINT
--Ok lol, my grandmother nearing her time won't say what she did at X10. A lot of nukes came from this area...(hence lots of medical payouts for all the cancer in the region...). Someone else talked (he just died....), basically setting up antenna stations for Vietnam war and then computer security at a nuclear lab. They could just be "sending you for a ride", and not be "all the way here" too...Or could be "I followed the law and was actually gathering intel on foreign entities, actual threats, and had utmost respect for American citizens"...

Gerard van VoorenApril 5, 2015 4:36 AM

My little raw, simplistic, non-religious Easter message: Stop the War on Drugs.

Instead criminalize politicians that support the War on Drugs.

Like all wars the War on Drugs is a racket.

A few people in Washington decide that the youth should wear a uniform. Which color doesn't matter: green, blue or orange. As long as the poor wear a uniform they are under their control.

Nixon started this war. RR expanded it exponentially and Bush jr drinks a beer or cocktail while supporting this war.

The Iraq war was all about hypocrisy. The War on Drugs even more.

As a Dutch guy, I don't really care about all the deliberate fuck-ups of the US, but even here in The Netherlands, US 'push' is noticeable. Tobacco and alcohol are everywhere, but if you want to buy weed you have to identify yourself.

The War on Drugs is beyond stupid. It is a major criminal act. It is hypocritical.

Jonathan WilsonApril 5, 2015 8:27 AM

I wonder how hard it would be for someone to make something that looks like an implantable pacemaker or other medical device to someone like a customs or TSA agent staring at it on a body scanner machine but is in reality a data storage device full of criminal or sensitive data (the sort of thing customs is looking for when they seize laptops and phones and make copies of all the data on them).

With the customs and security agencies in the USA increasingly seizing (and copying the data from) phones, tablets, laptops and other devices being brought into the USA (or even internally via all sorts of dodgy methods) using implanted data storage seems like the way of the future for anyone with something to hide.

Done properly it would be impossible for even the best customs or TSA agent to detect that the person has anything other than a heart pacemaker or other implanted medical electronics short of taking that person away and doing medical tests or even surgery to examine the device.

You could go further and encrypt the contents of the device using a randomly generated key (maybe some randomly chosen frames from a TV broadcast could make good sources of randomness... :)

It may not be the world of William Gibson with data storage wired directly into the human brain but the idea of physical steganography to hide data in places even the best border guards will never find it is something that is going to happen, it's not a matter of "if" but "when".

CallMeLateForSupperApril 5, 2015 8:56 AM

"Microsoft open-source Windows definitely possible"

Re-purposing a line from the movie "Enigma", "Well yes, I KNOW it's possible... ANYthing is possible... but is it LIKELY?"

hermanApril 5, 2015 9:20 AM

@Thoth: Mark Russinovich is the guy that wrote the Sysinternals utilities which was then bought by MS. While he is not the CEO, he is well respected. MS uses a lot of open source programs: BSD, Linux, .Net, Mono...

For many years, the DNS used in Active Directory servers was an old copy from BSD - probably still is.

So MS is no stranger to FOSS - they use it wherever they find it convenient.

BoppingAroundApril 5, 2015 9:43 AM

Clive Robinson,
I have been expecting your post :-)
I shall enquire further into this 'Renaissance Man'. Thanks for the direction.

Buck,
I could but is there a point doing so? The book has not been translated to English. Bulgarian only.
If this will be of any use to you, the book seemed to be heavily based on Eric Berne's ideas, namely transactional analysis.

Thoth,
Fear the Danaans even those bearing gifts. 'Microsoft embracing' sounds sinister enough on its own if one reminds oneself of the infamous Embrace, Extend, Extinguish.

Nick PApril 5, 2015 9:47 AM

@ Thoth

They'll consider it. I've always told them they could open the source and still charge for it. Lots of companies do that. Anyone producing a knockoff using their source can be hit with copyright violations. There's some risk in there but most of their money should continue to flow due to lock-in. They'd have to clean up their source code a bit to remove all the vulgarity and comments indicating authors don't understand the code. Might undermine confidence despite its overall quality. ;)

@ herman

Yeah, Russinovich is quite talented. I recommend his Windows Internals books for anyone that wants to understand Windows enough to increase its security or make a knockoff of it (ie ReactOS). His work was very helpful to security engineers and black hats alike.

CallMeLateForSupperApril 5, 2015 9:54 AM

HTTPS Everywhere has a nice ring to it, but I have to wonder why bother: only three (3) of my top fourteen (14) sites support HTTPS.

And one of the three, KrebsOnSecurity, is annoyingly iffy. Instead of a padlock icon I get an upside-down "yield sign" with a "!" in it, and mouse-over informs me "this site does not supply identity information". Also, the site loads *very* slowly; I can't think of any other site that is as slow. I observe all of this with:
- TOR Browser in Tails (I see tons of 443 in Network Map)
- both of two different KDE browsers (names of which I do not recall) without TOR

(ISTR that I saw these things with Firefox as well but not sure because it's on a HDD that I rarely boot.)

BuckApril 5, 2015 10:05 AM

Perhaps at some point in the future if I have a translator or an opportunity to learn Bulgarian... In the meantime, I'll seek more information about transactional analysis. Thanks! :-)

SkepticalApril 5, 2015 10:14 AM


My movie-threat was pure fiction, of course, but it's worth noting that there's more we need to consider than "the individual" and "the government" when deciding upon a good balance between limiting the power of government by technological means and limiting the power of government by institutional and political means.

Limiting the power of government by technological means also means limiting the power of government to police itself. Anticorruption and public transparency are harder to effect if officials, and those who would corrupt them, can shield their communications from lawful warrants and investigation.

We should also remember that aside from the more exciting threats like terrorism, the investigation and prosecution of "white collar" crimes relies extensively on information collected from computers, smartphones, and communications. As the wealthy, and wealthy companies, continue to accrue greater power - a function of technology, production mobility (organized labour faces daunting challenges in a world of free trade and cheap transportation), and the limits of national laws - one would expect those that commit criminal acts to become more adept at concealing their crimes.

This consideration applies not just to questions of information security, but to other domains as well. For example, would you want massive corporations to be able to transfer vast sums of money in a manner invisible to any government?

It is in many ways far easier to assure transparency and safeguards against abuse of power by government than it is to do the same with respect to abuses by very powerful private actors. Indeed, one of the lessons of the Snowden leaks is that the law and compliance regimes can be quite effective. Whether the Section 215 metadata program withstands further judicial scrutiny or not, it is a program the judicial approval for which was sought as necessary before it was implemented. We also see the FISC, notwithstanding the deference to the judgments of the intelligence community it had to pay, ordering extensive audits and examinations of certain programs, to good effect. We can in fact limit or extend the scope of what the intelligence community can do by law, regardless of whether one believes that the current scope is too broad or too narrow or just right.

In short, in considering information security policy, it is myopic to focus only upon possible government abuse. One must consider the vast amount of power that private companies and private capital wields in our society today, how much less protection relative to just a few decades ago the individual has against that power, and the extent to which that power is likely to grow in the future.

SeeWhatMovesMeApril 5, 2015 10:17 AM

This Is Big: A Robo-Car Just Drove Across the Country

http://www.wired.com/2015/04/delphi-autonomous-car-cross-country/

How long before Robo-Cars are being packed with explosives and programmed with a place to go to explode?

I guess that would be used by chicken jihadists. In other words, those not willing to die for the cause.

And, it won't be THEIR Robo-Car but one that belongs to somebody else.

Terror threat plot? Could be.

Clive RobinsonApril 5, 2015 10:46 AM

@ Jonathan Wilson,

I wonder how hard it would be for someone to make something that looks like an implantable pacemaker or other medical device [IMD] to someone like a customs or TSA agent staring at it on a body scanner machine but is in reality a data storage device...

The answer depends on "Who's doing it?".

If it is the manufacturer of a standard IMD probably quite simply, all they would need is an uprated PCB with the existing electronics and communications, and one or more micro surface mount flash memory devices and a software upgrade to connect it to the comms. The hard part would be finding a surgery team to put it in the chosen carrier and getting all the paperwork correct.

The thing is the US is going IMD crazy due to the insurance companies and they are pushing these devices into people at what appears to be just about any opportunity. The result is the device and operations getting less costly so increasing the insurance companies' desires to fit them.

This is becoming a concern to internationally recognised cardiologists for various reasons. One of which is that we might fall into the "replacement hip" trap or worse the cosmetic breast implant trap. That is as the cost drops the quality drops, and more operations will have to be performed to replace defective or early end of life devices. Obviously this requires invasive surgery which has significant risks involved for the patient thus there is a crossover point on the graph where the probability of life extension with an IMD is reduced to that of the unassisted probability.

As for other organisations making totally fake IMD the risk and cost would be quite high. It's taken many years and much investment to design items like batteries that are safe to implant, likewise protective coatings on electronics and leads etc. Then there is finding a competent medical team to fit the device in a way that would look correct to a cardiologist looking at X-Rays or scans. But there is also the problem of the patient... Many heart conditions can be seen from noninvasive tests such as ECG or various simple physical tests. If the patient did not show an appropriate biological condition then warning flags would be raised.

It might be easier to implant a uMem card / RFID elsewhere in the body, the incision required would be very small and would heal in days and there are many out of the way places to put it where the non medical scanners used in airports would not pick it up.

For instance I had a metal plate in my jaw, and this to my surprise did not set off the magnetometers or other scanners at the time.

Which has made me think in the past of Dental equipment such as braces, bridges, plates, crowns and even dentures as a place to hide a stripped down uMem card.

Then of course there is "the joy that is body piercing" some pieces of body studs ear rings and other more personal part piercings are certainly large enough to contain either stripped down uMem cards or RFID devices...

BuckApril 5, 2015 11:26 AM

@Skeptical

I would propose more media exposure about how those in the intelligence community have been helping average citizens to recover in the wake of the financial crisis. This could drum up far more support from the public than the 'too big to jail' or 'black v. white' issues we have grown so accustomed to. I realize that this may be quite difficult due to that vast amount of power commanded by private media conglomerates, but not impossible I think..

My treatment titled The Rogers LaughingstockApril 5, 2015 12:18 PM

Skeptical's here with the latest propaganda from the beltway parasites.

Now you need CCPR-illegal surveillance so NSA can protect you from corruption, like the corruption that Bill Binney reported that time when NSA tried to destroy Binney for reporting it. You also need CCPR-illegal surveillance so NSA can protect you from white collar crime, like the crooked banker thieves and frauds that Alexander went to work for.

Get it through your ass-kissing Stasi skull. We don't want your protection. You're criminal scumbags. What we want is a 10^18 n/cm^2 SREMP strike on Lat N 39° 6' 20" Lon W 76° 45' 48"

GrauhutApril 5, 2015 12:22 PM

@SeeWhatMovesMe: "I guess that would be used by chicken jihadists. In other words, those not willing to die for the cause."

And CIA or air force drone operators are chicken agents / soldiers, right? :D

Slime Mold with MustardApril 5, 2015 12:40 PM

I never thought THAT would happen: I agree with 50% of @skeptical's comment. I do note that this was not written by the same person as long time followers of this blog would identify as @skeptical. The writing style is decidedly different. I believe this reinforces the allegation that @skeptical is an avatar of the IC: In this case, likely GCHQ or whatever. None-the-less, the argument makes half sense. I appreciate the effort to treat the readership as semi-aware primates.

Bob S.April 5, 2015 1:14 PM

Obama's Emergency!!! Order!!! was appropriately announced while in the midst of some cyber kerfuffle with the Chinese. I read the actual order, it's mostly impenetrable legalese. Except, it appears if certain bureaucrats decide someone has caused "harm" to a computer, their entire financial assets can be seized by the government.

It's all legal you know.

From my perspective in the cyber trench, it appears the government has granted itself new secret mass surveillance powers of a very granular nature which we will not learn about specifically until the next Snowden.

Looking back, it's almost laughable our President, the Constitutional scholar, and "winner" of the Nobel Peace Prize, has done as much or more damage to our Constitutional rights (and the rest of the world) than his failed predecessor, and maybe most of the other predecessors, too.

Bruce has tried to explain how the various government and corporate hyenas are fighting among themselves for control of our data, promising safety if you only submit to their toothy smile, but demanding you not trust the other guy.

Let's face it, internet users are no more than a tasty morsel to the hyena pack. Our electronic lives are under constant massive attack. The choices are run, hide, fight or lay down.

Which one will you choose?

Clive RobinsonApril 5, 2015 1:57 PM

@ Bob.S,

The idea behind BO's latest stupidity is simple it's called "stripping of rights".

The way it works is they seize all of your assets prior to starting proceedings against you. You then have no way to defend yourself as competent legal assistance in this sort of matter is expensive.

You then have two options, capitulate and do the time they first offer or "off yourself".

It does not matter if you are guilty or not because they will find ways of stopping you getting your story out. Even if you, by an impossibly small probability, do get found innocent in court, don't think you are going to get your assets back. They will find some way not just of hanging onto them, but repeatedly coming after you each time you pick yourself up.

This is because "You have to be seen to be guilty" for political advancement reasons and the fact you may be innocent is totally irrelevant you have to be punished the public would not accept otherwise, because they would lose faith in the "land of the free" government, and that can not be allowed to happen, otherwise how could the corrupt govern.

tyrApril 5, 2015 2:01 PM


@Thoth

As I read their announcement MS has finally woken up
to what has been known for years.

As long as their customer base was the clueless they
have been rolling in Scrooge McDuck's vault. As the
number of sophisticated comp users grew, those migrated
to a more reliable OS. Unable to exterminate Unii, they
now have to grudgingly admit it is better.

I imagine Gary Kildall having a great laugh over this
turn of events.

I'd like to see them get DOS 3.3 to run under Xenix,
then I'll use their Linux version.

William MartinApril 5, 2015 3:12 PM

@CallMeLateForSupper

Re-purposing a line from the movie "Enigma", "Well yes, I KNOW it's possible... ANYthing is possible... but is it LIKELY?"

This may be true within the mathematical domain involved in cracking a cipher, but is an error when generalized to everything else.

Asserting that anything is possible contradicts the observation that things act in accordance with their nature. The physical nature of things imposes constraints on what is and what is not possible. For example, copper conducts electricity due to its nature, but glass acts differently because of what it is.

Moreover, "ANYthing is possible" is an arbitrary assertion put forward without evidence.

The burden of proof is on he who makes a positive assertion, and so without facts to support it, there is no reason to accept the statement that "ANYthing is possible".

This onus of proof principle underlies the legal rule that a person is innocent until proven guilty. This also explains why probable cause and particularized suspicion are needed to authorize a legal search under the Constitution.

The 4th Amendment therefore depends on a causal understanding of the world where some things are possible and others are not.

6EQUJ5April 5, 2015 4:43 PM

@Skeptical

Limiting the power of government by technological means also means limiting the power of government to police itself. Anticorruption and public transparency are harder to effect if officials, and those who would corrupt them, can shield their communications from lawful warrants and investigation.

Those statements contradict each other. And, 'self-policing' is a daunting subject by and of its own. Your statement there deflates any confidence I might have in your understanding of that subject.

This consideration applies not just to questions of information security, but to other domains as well. For example, would you want massive corporations to be able to transfer vast sums of money in a manner invisible to any government?

And one news story this week is on how 26 billion dollars went missing from the Afghanistan efforts.

This is not out of the norm, this is the norm.

Unlike on television, when money is diverted to other projects, it normally is not detected at all. Waste helps those efforts. When such money is diverted, it normally is never returned. Mistakes of the eighties, such as overcharging on hammers, or the Iran-Contra affair were just the tip of the iceberg. Black budgets existed since the Manhattan Project and well before. The mistakes of the eighties only gave room for assessment and improvement.

In short, in considering information security policy, it is myopic to focus only upon possible government abuse. One must consider the vast amount of power that private companies and private capital wields in our society today, how much less protection relative to just a few decades ago the individual has against that power, and the extent to which that power is likely to grow in the future.

What is more scary? Government abuse through known government organizations? Or government abuse through unknown government organizations which might include corporations?

I wonder where such an adventure would begin. It is like attempting to climb a mountain one knows is the largest when one is blind. Or the mountain is invisible. Good idea to first try and map an area one wishes to try and conquer first. Attempting to create an organization to operate against organizations already created starts you out in a very weak spot.


6EQUJ5April 5, 2015 5:47 PM

@William Martin

The burden of proof is on he who makes a positive assertion, and so without facts to support it, there is no reason to accept the statement that "ANYthing is possible".


The burden of proof is very often on the one who needs to have the answer. Not on the one giving the question in the first place. It is unfortunate, but true.

Just because you do not know something does not make it untrue.

6EQUJ5April 5, 2015 6:20 PM

@tyr

The one real advantage to living long if you're the curious type is that you can make the connections between totally disparate fields that the narrowly focused miss.
As an ancient my advice to the young is learn how to say "I don't know" when you don't and don't try to be the one man band of bullshit music.

There are some excellent one person music groups, but there is a distinctive disadvantage at being only one person. I often see one person bands attempting to create some group. Let us organize. Let us get together. Let us speak one language.

Then the people coming down to smash their work also use this language. And that without explanation.

Who is "we". Who is "us".


The idea of some human like being or many living for a very long time is not entirely new to human consciousness. Aside from concepts of "gods" and "goddesses" or other "spiritual beings", there have been rumors of vampires, and other sorts of magical creatures. Fae.

Bram Stoker, I would suggest, however, solidified the concept at the very ending edge of the 19th century. HG Wells expanded on the topic, a little. Anne Rice, however, is one good indicator of the real wave of that concept which would come, and now saturates public consciousness. Since then, there are so many variants on the theme, it is difficult to say the idea is unknown to anyone.

There is far more exposure and saturation in the first world countries. And like anything introduced to public consciousness, it is not thoroughly spread through the entire world. But, it is less saturated where the masses already are deeply "magical thinkers", and more saturated where they are far from this.

Does this mean there is a conspiracy? Is there a coincidence between the evolution of photo technology and the desire for immortals who have group consciousness to push out some form of defensive strategy? Or, if there are immortals who have some alien form of group consciousness, might they act now that everyone is getting together, again?

These areas, however, are in the realm of magical thinking. And for non-immortals, who have no evidence whatsoever of immortality, it is not worth wasting their few moments they have even beginning to think about.

They just want rock and roll.


6EQUJ5April 5, 2015 7:01 PM

Covert data hiding and exchanging.

There are very many new and exciting avenues in terms of covert data handling and exchange.

The most daunting chokepoint is for those who wish to infiltrate and exfiltrate data from secure networks or other systems unconnected to the internet.

Another daunting chokepoint is for spies operating on foreign shores who may be under suspicion for being spies. How can they communicate if they are under suspicion. Because they have to work under the assumption that they may be under surveillance which is sophisticated enough they have no hopes of detecting.

There is another problem in the state of affairs. How can networks of spies operate with assurance that a mole may not expose their identity.

You might say "I am not a spy". Snowden, technically, was not a mole nor a spy. Bloggers in Egypt, technically, were not moles nor spies. "Dissidents" everywhere have to operate "as if" they are spies and moles. This includes professional journalists and amateur journalists.

On television, many core new technologies remain ignored. Likewise, they often remain ignored in professional and amateur assessments that are public sourced, and private sourced.

- Short range communications have greatly been expanded, and with it burst transmissions. This can be anything from bluetooth to proprietary protocols to simply connecting to someone's wifi while driving by their house. Or flying by it. Problem remains: radio emissions are made.

- The idea of sitting in front of someone's house in a van, or having a sophisticated surveillance team following them is out of date. Besides GPS technology, which may include simply reading GPS satellite data which is everywhere, there is also wifi and cell phone location data analysis. All of these systems can be surmounted and expected. A more difficult to surmount system is one which utilizes motion detection. A car goes forward fifty feet, takes a left here, takes a right there, and so on.

- Video and other instrumentation devices are miniature even for the general public without much expense. Data storage is also miniature. An undetectable system can be set up at a neighbor's house without their knowledge. This can give schedules and information, even from a distance on the target home. From there, a safe time window can be made for wiring that home.

Downside many video systems, if not all, are detectable. Likewise, microphone technology.

Connections into existing CCTV systems, facial recognition technology, gait recognition technology all exist, however. Problem is tying the systems together. For a high value target, however, the expenses are worthwhile. And far less than the expenditures required for old human surveillance operations.

- Miniature systems for remotely bugging a house are available, but detection systems remain for that, as well. It can depend on the system used. A remote microphone of substantial effectiveness can be used, or a variety of beams can be used. The beams are more easily detectable than passive monitoring systems.

- In all cases, if not most, listed above, where a counter-method is noted, it can also be said, counter-methods can be expensive and unreliable. For instance, jamming gps signals, jamming wifi signals, jamming cell tower signals. The solution rarely is jamming, and more usually forging realistic data. And there are safeguards against that.

The more technical and expensive the counter methodology, the more likely it has revealing technical exploits for at the very least discovery. Even basic confirmation methods could be used at relatively little expense. For instance, the question "is someone ever surmounting tracking data systems" can be answered by a very wide variety of means which rely on multiple methods of tracking for cross-analysis evidence.

- The vast majority of surveillance targets will not be able to detect any of these methodologies. Even if they work for a highly funded and experienced nation state.

- Steganography, someone mentioned. Steganography remains strong, but can have weaknesses. If the original is found, comparisons against the suspect can be made. Unlike cryptography, steganography adds substantial weight to a message, but can evade cryptographic detection systems which look for high entropy. What is new about steganography is very often not the method, but the means. There are so many countless new means, including surmounting public data systems like satellites.

For example, satellite television. Everyone gets it, but maybe only a very few get a different message entirely meant for them. Not unlike "numbers stations" of old across shortwave.

Only much more well hidden. Who can go through all shows, all data streaming everywhere?

If sudden noise happens, who is to say it is a secret message and not just solar waves?

- Many old techniques remain strong. Moles, by public knowledge, are typically caught by other moles. Dissidents typically are caught by trusted individuals who are turned informants. Secrecy and maintaining conspiracy remain the foremost guidelines. False moles, or triple agents, usually escape detection. Their value is very high in protecting true double agents. Or dissidents.

- Disguise technology is very advanced today. In the cold war, it was relied on for evading surveillance in the most hostile of environments. Today, even the general public can purchase or reverse engineer disguise methodology which provides lifelike, close inspection disguise which can be relied on for long periods of time without difficulty and quickly changed. This undermines most surveillance and counter-surveillance techniques.

There are many ways to hide this technology. One way is by making a pretense of changing disguise and showing obvious disguise in front of CCTV in order to hide far more daunting disguise methodologies. As one test project showed, this methodology works to surpassing effect.

Not only did all 32 test operatives escape without detection, but those tasked with detection were left convinced they had their real faces, fingerprints, dna, and gait.
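The three claims in the steganography bullet of the comment above (a hidden payload slips past a high-entropy check, it inflates the carrier, and comparison against the original cover exposes it) can be checked from the analyst's side. This is an added example, not part of the original comment; least-significant-bit embedding, the 7.5 bits/byte threshold and the constructed sample bytes are assumptions chosen for illustration.

```python
import math
import random
from collections import Counter

ENTROPY_THRESHOLD = 7.5  # assumed cut-off (bits per byte) for "looks encrypted"


def shannon_entropy(data: bytes) -> float:
    """Empirical Shannon entropy of a byte string, in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def flag_high_entropy(data: bytes, threshold: float = ENTROPY_THRESHOLD) -> bool:
    """The kind of filter the comment says looks for ciphertext-like traffic."""
    return shannon_entropy(data) > threshold


def embed_lsb(cover: bytes, payload: bytes) -> bytes:
    """Build the test carrier: one payload bit per cover byte (8x expansion)."""
    bits = [(b >> s) & 1 for b in payload for s in range(7, -1, -1)]
    if len(bits) > len(cover):
        raise ValueError("cover too small for payload")
    out = bytearray(cover)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def extract_lsb(carrier: bytes, payload_len: int) -> bytes:
    """Recover payload_len bytes once the embedding method is known."""
    out = bytearray()
    for i in range(payload_len):
        value = 0
        for b in carrier[8 * i: 8 * i + 8]:
            value = (value << 1) | (b & 1)
        out.append(value)
    return bytes(out)


def compare_with_original(original: bytes, suspect: bytes) -> dict:
    """Byte-wise diff of a suspect file against the known original cover."""
    if len(original) != len(suspect):
        raise ValueError("length mismatch is already evidence of tampering")
    changed = [i for i, (a, b) in enumerate(zip(original, suspect)) if a != b]
    return {
        "changed": len(changed),
        "fraction": len(changed) / len(original),
        # Differences confined to bit 0 are the signature of LSB embedding.
        "only_lsb": all(original[i] ^ suspect[i] == 1 for i in changed),
        "last_changed": changed[-1] if changed else None,
    }


def build_samples():
    """Constructed data: a low-variation 'image-like' cover and random 'ciphertext'."""
    rng = random.Random(2015)
    cover = bytes(100 + rng.randrange(16) for _ in range(40000))
    payload = bytes(rng.getrandbits(8) for _ in range(4096))
    return cover, payload, embed_lsb(cover, payload)


if __name__ == "__main__":
    cover, payload, stego = build_samples()
    for name, blob in (("payload", payload), ("cover", cover), ("stego", stego)):
        print(f"{name:8s} entropy={shannon_entropy(blob):.2f} "
              f"flagged={flag_high_entropy(blob)}")
    print("diff vs original:", compare_with_original(cover, stego))
```

The entropy filter flags the raw payload but not the carrier, while the diff against the original shows thousands of changed bytes, all confined to the lowest bit and to the first `8 * len(payload)` positions.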

DanielApril 5, 2015 7:08 PM

The standard advice is that one does not use SSDs for encrypted data. IIRC Nick P and I had an extended discussion about this many moons ago. In short, the reason why is that an SSD disk controller uses a process called "wear leveling" to extend the life of the drive. The problem with wear leveling on silicon is that, after a period of time, the magnetic orientation of the silicon atoms becomes "fuzzy" such that it induces a "memory effect". This means that the drive retains unencrypted data yet it looks to the OS as if it's encrypted but can be read with specialized tools. Think of it like a fingerprint that can't be seen with the naked eye but can be seen under fluorescent light. What data is subject to the memory effect is arbitrary but theoretically could contain important data to an adversary.

BuckApril 5, 2015 7:17 PM

@William Martin

I'll raise you a question and a quotation!

Which of the following do you think is the least likely scenario:

  • A possibility for the existence of alternate/parallel/multiple universes
  • Some chance that those worlds could have different cosmological constants and laws of physics
  • The possible discovery of a method to communicate information about an alternate reality
.?.
But the probability rules of quantum mechanics -- and, in particular, the actual smallness of ħ in the real world -- show that if you walked into a solid wall every second, you would have to wait longer than the current age of the universe to have a good chance of passing through it on one of your attempts. With eternal patience (and longevity), though, you could -- sooner or later -- emerge on the other side.

65535April 5, 2015 7:25 PM

@ st37, MikeA, Clive and others

“Senator calls for The Anarchist Cookbook to be “removed from the Internet”
Dianne Feinstein doesn't seem to know the book is sold on Amazon…” – st37

The whole thing reeks of a well choreographed setup by FBI to make another “stop another terrorist attack on our soil” dog and pony show. Feinstein looks the dirtiest of them all given her knowledge of the situation.

“…yesterday the FBI "uncovered" yet another of its own terrorist plots, the latest in a very long line of "terrorist plots" the FBI has "uncovered" -- in which the details always show that it was an undercover FBI "informant" (often doing this to get off leniently for some other issue), who… goads hapless, naive people, into a "plot" that had no real chance of ever happening… the wannabe terrorists thanking the undercover agent for introducing The Anarchist's Cookbook to her…” –Techdirt [a Https site]

https://www.techdirt.com/articles/20150402/15274630528/fbi-uncovers-another-its-own-plots-senator-feinstein-responds-saying-we-should-censor-internet.shtml

Also, from the complaint [the second wannabe terrorist suspect is given a terrorist’s magazine by the FBI agent]:

On or about December 24, 2014, the UC [FBI operative] visited VELENTZAS and brought the Spring 2014 issue of Inspire magazine, as previously requested by VELENTZAS.

https://www.documentcloud.org/documents/1700764/velentzas-and-siddiqui-complaint.pdf

From what I make of the techdirt stories the wannabe terrorists [was radicalized and probably deserved suspicion] were given a copy of the Anarchist Cook Book and then arrested. Next, Feinstein [D-CA] publicly calls for a banning of the book. That stinks of sensationalism and manipulation!

‘Most Of The 'Evidence' Against Philadelphia Woman/ISIS Wannabe Is Tweets She Made’ –techdirt

https://www.techdirt.com/articles/20150403/10464330539/most-evidence-against-philadelphia-womanisis-wannabe-is-tweets-she-made.shtml

[See actual complaint in article]


@ Bob S. and Clive

Obama presidential order is a back-door legal maneuver that will probably harm the USA. If China is sanctioned with monetary tariffs on their goods reaching our Walmart and Target stores it is going to do two or more negative things.

1] A price increase in goods will be inflationary.
2] The inflated goods will harm the poorest shoppers [the ones who shop at Walmart].

That is a dumb thing for Obama to do. Maybe some super "card skimmer" out of Russia deserves a slap on the side of the head but China makes a poor target.

@ tyr

“@Thoth As I read their announcement MS has finally woken up to what has been known for years. As long as their customer base was the clueless they have been rolling in Scrooge McDucks vault. As the number of sophisticated comp users grew, those migrated to a more reliable OS. Unable to exterminate Unii, they now have to grudgingly admit it is better.” –tyr

Yes, I mostly agree.

MS has been moving toward *nix style programming for years. Why not go the whole way?

The biggest grudge I have with MS is that their R&D testing department seems to be their early adopters. The early adopter of MS’s products always gets the shaft. After enough complaints a patch or a service pack then comes out to fix all of the complaints.

The end result is that R&D testing costs are borne by MS’s customers… which gives MS higher profits.

6EQUJ5April 5, 2015 7:29 PM

@Slime Mold with Mustard

My read is skeptical made the post. His angle of thrust remains the same. His writing style was changed to reflect someone else's writing style.

Skeptical's argumentation is typically forcefully always for the existing US government status quo. He makes an appeal here even against the 1% and for the government. A typical 'divide and conquer' strategy. This implies some form of direction. That does not mean that implication is true, but may be for mere effect.

His argumentation for propaganda purposes remains weak. Yet, he is a highly intelligent individual. Which remains the contradictory oddity about himself. Normally, he screams "I work for the US government". It reminds me of a statement made about the British spy Zigzag, how he radiated the message, "I am MI6". Though, only when in country. Out of country he was very accomplished at stealth.

Spies do not scream "I am a spy". Undercover counterintelligence officers might when utilizing a very strange methodology, at times.

Maybe he is Indonesian and wants US spy cred with important technical sources. Maybe he is both the identity "skeptical" and the troll which attacks skeptical to increase his credentials as being so very American and so very much an American spy.

Or maybe like most he simply posts here because of the very sharp minds found here, and does so for amusement. He appears to be a true believer who does not dally about with entertainment for sheer intellectual reasons. But that very well may not be so.

I can not say I agree with fifty percent of what he says, as much of his arguments are ludicrous. His quality of mind defies that. That contradiction, above all, says he is not as he appears to be. But who is, unless one really gets to know someone.

William MartinApril 5, 2015 7:31 PM

@6EQUJ5

The burden of proof is very often on the one who needs to have the answer.

This takes the onus of proof principle out of the multi-person, dialectical setting in which is usually considered and places it into a more basic setting.

For example, an individual on a desert island would need answers to questions about what food was edible and also assume the burden for proving that it was.

The onus of proof principle would still apply since the person doing the eating should wait till after the person doing the proving has finished before accepting a hypothesis as positively proven.

Regarding your other point, nothing follows from an arbitrary assertion, and so it isn't necessary to refute a groundless claim. The appropriate response is to say nothing. Anything else just gives it a standing that it has not earned.

PetterApril 5, 2015 7:43 PM

Techdirt have a piece on the Cyber Security EO and what implications it might have on both journalism as well as encryption services.

"And the EO creates a “material support” category similar to the one that, in the terrorism context, has been ripe for abuse. Its targets include those who have “provided … material, or technological support for, or goods or services in support of” such significant hacks. Does that include encryption providers? Does it include other privacy protections?"

https://www.techdirt.com/articles/20150401/17284130517/under-presidents-new-cybersecurity-executive-order-is-wikileaks-now-evil-cyberhacker-releasing-trade-deal.shtml#comments

6EQUJ5April 5, 2015 7:58 PM

@65535

The whole thing reeks of a well choreographed setup by FBI to make another to “stop another terrorist attack on our soil” dog and pony show. Feinstein looks the dirtiest of them all given her knowledge of the situation.
“…yesterday the FBI "uncovered" yet another of its own terrorist plots, the latest in a very long line of "terrorist plots" the FBI has "uncovered" -- in which the details always show that it was an undercover FBI "informant" (often doing this to get off leniently for some other issue), who… goads hapless, naive people, into a "plot" that had no real chance of ever happening… the wannabe terrorists thanking the undercover agent for introducing The Anarchist's Cookbook to her…” –Techdirt [a Https site]

It is hard for anyone observing these matters to come to another conclusion.

Feinstein is an interesting animal because she requires the very left wing vote from San Francisco, but also derives any meaningful power from her oversight on intelligence.

She manages to offend both parties, yet retains her position with both.

This means she is a sell out for both.

How San Francisco keeps voting her in I do not understand. How she maintains any manner of credibility with US intelligence (including the FBI), I also do not understand.

For that matter, why does she bother to keep trying, this, too, is difficult to understand.

The mystery is she seems to have no manner of principles whatsoever. Nevermind the fact that she is aged enough to be at death's very door. So why on earth is she bothering? I suppose she has many successes and, if anything, either is walking proof that San Francisco's voting systems are compromised or they are complete hypocritical idiots.

Has there been a substantial FBI case against "terrorism" of late which has been anything but entirely fiction? I can not think of a single case. People should be far more concerned about chemistry phds than readers of anarchist cookbook, if they wish to go the censorship route.

Plenty of probably valid censorship possible in the US, if one contrasts against Euro means and mores. Hate speech is the obvious target there, which is used for recruitment and building up. But, that it remains open largely means the suspects remain visible, as opposed to underground.

Someone is doing something that is working. But this can not be credited to cases that are scary in their lack of evidence. "M" of the "M" in "MI6" and "MI5" did this way already way back when in the 19th century. So did many European agencies experiment in these ways. Probably the Czarist forces were the best. It is counterproductive. It is blind.

The Brits are fortunate they did not end up like Germany, France, and Russia. All of whose pains in the 20th century can be at least partly attributed to their reliance on immoral and unethical methods and procedures in their intelligence services.

They, like Israel, only escaped such disaster by detecting and disowning such disreputable methods. Yes, the business can be black, but there is a difference between black and downright 'playing for the other team'.

65535April 5, 2015 8:33 PM

@ 6EQUJ5
“She manages to offend both parties, yet retains her position with both. This means she is a sell out for both.”

I agree. Your post brings up more questions about our voting system and the IC involvement with high ranking members of the Senate who supposedly oversee them. I am not happy with the close association of Feinstein and the NSA.

[Next]

I have a technical question.

I was looking to the above DOJ case. Why does the Firefox plug-in “Flagfox” indicate the DOJ is being served from Russia?

Banner by Flagfox:

“Note: Flagfox has determined that this web server is in Russian Federation, however the address ends in “.gov” (United States). Flagfox locates servers using their IP addresses via an internal database and does not rely on TLD codes such as this. Servers need not be located in the original nation of the site and thus this is not likely to be an error.” –flagfox

http://www.justice.gov/opa/pr/philadelphia-woman-arrested-attempting-provide-material-support-isil

Why would the DOJ be routing its PR pages through a Russian Server?

The page shows what looks to be the real DOJ banner and logo. It has text that appears to be written by American lawyers. What gives?

See:
http://www.justice.gov/opa/pr/philadelphia-woman-arrested-attempting-provide-material-support-isil

Next, test - I took the DoJ url [above] that was clear text and added HTTPS to the beginning:

https://www.justice.gov/opa/pr/philadelphia-woman-arrested-attempting-provide-material-support-isil

I get a certificate error:

[Firefox]

“This Connection is Untrusted

“You have asked Firefox to connect securely to www.justice.gov, but we can't confirm that your connection is secure. Normally, when you try to connect securely, sites will present trusted identification to prove that you are going to the right place. However, this site's identity can't be verified.

“What Should I Do?

“Technical details [button - clicked]:

www.justice.gov uses an invalid security certificate. The certificate is only valid for the following names: *.akamaihd.net, *.akamaihd-staging.net, a248.e.akamai.net, *.akamaized.net, *.akamaized-staging.net (Error code: ssl_error_bad_cert_domain)

“I Understand the Risks [button – clicked]

“If you understand what's going on, you can tell Firefox to start trusting this site's identification. Even if you trust the site, this error could mean that someone is tampering with your connection.

“Don't add an exception unless you know there's a good reason why this site doesn't use trusted identification.” –firefox

Should I add an exception?
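
The name comparison behind the ssl_error_bad_cert_domain error quoted above, as an added example that is not part of the original comment: it checks www.justice.gov against the names listed in the error using RFC 6125-style wildcard rules. The function names and the extra test hostnames are constructed for illustration.

```python
"""Added example: why www.justice.gov fails the certificate name check."""

# Names copied from the Firefox error text quoted in the comment.
CERT_NAMES = [
    "*.akamaihd.net",
    "*.akamaihd-staging.net",
    "a248.e.akamai.net",
    "*.akamaized.net",
    "*.akamaized-staging.net",
]


def _labels(name):
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def name_matches(pattern, hostname):
    """Return True if a certificate name covers the hostname.

    Rules applied (RFC 6125 style, strict variant):
      * comparison is case-insensitive and label by label;
      * '*' is accepted only as the entire leftmost label;
      * '*' stands for exactly one label, never zero and never several;
      * a wildcard needs at least two fixed labels after it.
    Partial wildcards such as 'w*.example.net' are rejected in this sketch.
    IP addresses and internationalized names are out of scope here.
    """
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in h:
        return False
    if any("*" in label for label in p[1:]):
        return False  # wildcard anywhere but the leftmost label
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    if "*" in p[0]:
        return False  # partial wildcard in the leftmost label
    return p == h


def check_host(hostname, cert_names):
    """Report which certificate names, if any, cover the hostname."""
    matched = [n for n in cert_names if name_matches(n, hostname)]
    return {"hostname": hostname, "ok": bool(matched), "matched": matched}


if __name__ == "__main__":
    # First host is the one from the comment; the others are constructed
    # to show what the presented certificate would have been valid for.
    for host in ("www.justice.gov",
                 "a248.e.akamai.net",
                 "example.akamaihd.net",
                 "a.b.akamaihd.net"):
        result = check_host(host, CERT_NAMES)
        verdict = "match" if result["ok"] else "MISMATCH"
        print(f"{host:24} {verdict:9} {result['matched']}")
```

A mismatch against every listed name means the endpoint presented a certificate issued for other hostnames, so a browser exception would accept an identity that certificate never asserts for the site.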

6EQUJ5April 5, 2015 8:59 PM

@William Martin

This takes the onus of proof principle out of the multi-person, dialectical setting in which is usually considered and places it into a more basic setting.
Regarding your other point, nothing follows from an arbitrary assertion, and so it isn't necessary to refute a groundless claim. The appropriate response is to say nothing. Anything else just gives it a standing that it has not earned.

I worked through your island metaphor, similar to the poisoning metaphor some use. I had to break it down into more simplistic terms to understand it. That tells me you likely have more difficult to believe claims to make than I do. Which is rare. (Though not in my own circles.)

I see your point.

I was concerned you might be thinking, which is a common problem in security, 'just because someone makes a positive assertion and refuses to give conclusive evidence means that their assertion is untrue'.

My inclination there is this borders on "magical thinking" and is common to very many of the security flaws in thinking out there.

"Enigma" case is one good example, as are many others from WWII in related cases.

In security, very often there may be false and otherwise misleading evidence. There is a wide difference, as well, between evidence which points in a direction, and evidence which is conclusive.

Very often human beings have to rely on inconclusive evidence. Very often, evidence may support multiple conclusions, but be conclusive on no singular one. Evidence can also be conclusive on conclusions which have not yet been considered.

Anyway, very interesting point.

For my own self, I am usually juggling so many theories, I often forget to focus on 'who made the claim, and what claim did they make'. So, a useful point for my own self.

GrauhutApril 5, 2015 9:08 PM

@65535: Reads as if Akamai has a problem in human resource management. :)

en.wikipedia.org/wiki/Akamai_Technologies#Primary_domains

Lesson to be learned by Akamai key account management: Pay real, get real admins, fire n00b admin simulations... ;)

65535April 5, 2015 9:15 PM

@ Grauhut

“Lesson to be learned by Akamai key account management: Pay real, get real admins, fire n00b admin simulations... ;)”

Lol, this is the truth.

Now, what about the management of “Flagfox”? Pink slips?

6EQUJ5April 5, 2015 9:21 PM

@65535

I agree. Your post brings up more questions about our voting system and the IC involvement with high ranking members of the Senate who supposedly oversee them. I am not happy with the close association of Feinstein and the NSA.

I have no idea. I am not even sure what her close associations there are.

Disclaimer: While I find the NSA's recent exposures interesting, I do not see them as some kind of dreadful, omnipresent, omnipowerful agency. Such things I tend to view as marketing, and far from the truth. I view human intelligence as far more interesting.

Technical intelligence can be very powerful, but there is an all important human weak link there. If the surveillance is detected, and adequately used against them via sophisticated "human intelligence", then that undervalues even the world's most built up system entirely. Potentially.

I was looking to the above DOJ case. Why does the Firefox plug-in “Flagfox” indicate the DOJ is being served from Russia?

No idea about the mechanics of the plugin, but there was evidence a few weeks ago Russia rerouted a thin slice of British and American traffic to their direction. (Technically, Kiev, but Russia is known to often operate technical operations out of Ukraine and other old satellite countries. Ukraine is further unlikely to have been motivated or capable of doing so.)

In this instance, why Russia would be interested in such an effort is beyond me. Maybe you are a target. Considering topic material here, I could see all sorts of innocent people swept up in Russian dragnets.

I doubt they have much interest in surmounting that webpage by and of its own self.


65535April 5, 2015 9:47 PM

@ 6EQUJ5

I think it is a CDN issue… or at least I hope it is. That is to say it is cheaper to cache it and route it out of Russia than the USA. It’s creepy to see a Russian flag on the DOJ’s web address.

I think this brings up the accuracy of the NSA foreign to American contact data base and the TIDE data base... Not to mention the BGP routers possibly being manipulated.

For all I know this data is being copied, cataloged and stored by both Russia and American intelligence agencies.

Nick PApril 5, 2015 9:56 PM

@ Skeptical

I agree with 6EQUJ5 on the government surveillance side of things. Any aspect of that hasn't worked out in practice. Instead, it turned into corruption and expanded police state. However, your plot was greatly written and used the same thing I posted here from a brainstorming session: getting the elites to help in their self-interest. This whole month is exhausting in terms of my job but I've meant to get your input on that a bit more. I'll take a stab at it.

A previous discussion here led me to consider getting the elites to fund strong security for *their* benefit. The government won't do it because they prefer a police state, a surveillance state, or something in between. The private sector won't do it spontaneously for both datamining and cost reduction reasons. The average person lacks the money or will. Crooks would be too suspicious of a product saying they didn't cooperate with law enforcement. So, I thought, what kind of people have money, power, and worry about the State? The elites.

My problem was their solution, though. The powerful elites have pushed for a lot of what we have because it benefits them. Imperialism clearing out obstacles for business, politicians passing laws for them, the enforcers often giving their companies special treatment, surveillance state to maintain stability of the system, and so on. Doubt they'd want it to change much. Far as their guilt, they have legalized corruption (lobbyists), special privilege, and trusted third parties to greatly reduce their risk. Whatever they've been doing has worked for decades with few slips that have had any effect.

So, the question is: how do we convince elites that they need to leverage their power to force accountability and restrictions into the surveillance state? I'm talking real accountability like you or I live with. The kind of assurance that they won't get away with abuse that a person with tens of millions on the line might trust. Appealing to their sense of control and referencing precedents such as Hoover were my thoughts. Need something better though.

Note: This applies whether the result is strong, undefeatable encryption or encryption with L.I. Spy agencies activities being kept in check by others in power with serious consequences is foundational and necessary to be safe from them.

6EQUJ5April 5, 2015 10:05 PM

@65535

BGP is easy to manipulate. If someone is inside a telco network, there typically will be a BGP web app interface somewhere. And, like any web application, it will have flaws in it.

Nations are within their own telco networks, and they surely have it as a priority to get into other nations telco networks, which is not very difficult to do.

There is, as you know, really bad security with that protocol beyond that. But redirections can be detected. Russia may not have even performed that recent bgp redirection, but maybe someone else did to look like Russia.

I do not know much about content delivery systems, so can not comment there.

DOJ I can only comment Russia is not their friend, and it has been that way for decades. Nor is the DOJ Russia's friend.

I do not think any truly sensitive database would be stored on doj.gov, however. "TIDE", I do not consider truly sensitive. Deeply crap information. Are any of the Russians responsible for the false flag operations involving terrorism there? FSB operatives, SVR? I doubt it.

But, if they could compromise the site, of course, then they could compromise key systems to help make moles in the DOJ's various agencies, or gain technical foothold to systems that may have direct access to closed off networks.

Granted, considering the not so distant revelation of the US having internet access to such databases as the one used for clearance investigations... well. Gah. Who knows.

ThothApril 5, 2015 10:09 PM

@Clive Robinson, Jonathan Wilson
There are increasing amounts of medical implants being IoT enabled and have Wireless management (that includes Bluetooth and RF) which gives a huge avenue of attack. Some have resorted to secure coprocessors for security but most of these companies are still oblivious. You can try to access their remote network (wirelessly) and probably I wouldn't be surprised you could upload some data or even cause rather life threatening stuff to a person.

@BoppingAround
Tuatha de Danann, reminds me of the Tolkien's version of Sauron in his Gift Bearer form (Annatar) to trick the blinded messes. That's the usual tactic most powerful corps and govts use I believe ?

k11April 5, 2015 10:17 PM

Would it be illegal for a person not in government to use an IMSI catcher to intercept a target individual's comms?

6EQUJ5April 5, 2015 10:23 PM

@k11

Would it be illegal for a person not in government to use an IMSI catcher to intercept a target individual's comms?

It is illegal for someone in government even to do so without a proper warrant.

It is definitely illegal for someone outside of government to do this. Often, the same laws apply.

Though, as this changes key information which makes it to telcos, it is highly likely the government does see and track exactly such anomalies through those telcos. So, if you want to put your self on that sort of list... even though you likely will not be prosecuted... well, that is the primary risk there.

FigureitoutApril 5, 2015 10:36 PM

k11
--Yeah, if you get caught...the "authentication" and "negotiation" turned out to be a complete joke. Kind of a random yet oddly specific question lol. Here's a good opportunity to show yet again what a complete crap-show the legal system is that you can't even look up the law yourself to see if it's illegal. A massive crap-show of interpretations and unorganized laws no one reads or even knows about lol, retarded.

65535April 5, 2015 10:44 PM

@ Grauhut and 6EQUJ5

I searched around and apparently the CDN’s are the issue with Bad IP locations.

For example, the IRS has bad IP location

[Krebs on Security]

"Peter
March 30, 2015 at 5:35 am
Looking at url: https://sa.www4.irs.gov/icce-core/load/gettrans/pages/availableTranscripts.xhtml to register for IRS transcripts. Site is in the Netherlands ! I am using flagfox extension in firefox to give me country location of server. I looked up using another firefox extension definitely Netherlands. Main IRS website US. Very disconcerting. Site still technical difficulties message..."

https://krebsonsecurity.com/2015/03/sign-up-at-irs-gov-before-crooks-do-it-for-you/comment-page-1/#comment-375567

[and]

Dave
March 30, 2015 at 6:29 am

"Please lookup how CDN’s and DDoS protection work. They use Anycast too meaning that IP to location data is utterly useless, because that one IP is actually serviced by many locations globally, simultaneously and routing protocols dictate the shortest path between you and the CDN.

"FWIW Akamai have several service windows this week too meaning that your geographically local pop may be unavailable.
Happy hunting"

https://krebsonsecurity.com/2015/03/sign-up-at-irs-gov-before-crooks-do-it-for-you/comment-page-1/#comment-375705

Although, Bruce’s always shows an American flag. Never Bruce’s site not. Which does bring up questions about IP locations and any nation’s IC tracking data base for “so-called meta-data” including IP locations.

When tapping in a fiber cable any good IC would double check the real location of said email or IM or chat when capturing a TCP segment… hopefully [who knows about UDP transmissions].

6EQUJ5April 5, 2015 10:50 PM

@Figureitout

Here's a good opportunity to show yet again what a complete crap-show the legal system is that you can't even look up the law yourself to see if it's illegal. A massive crap-show of interpretations and unorganized laws no one reads or even knows about lol, retarded.

To be fair, I think if you are going through the trouble of making your own stingray, you have a 'reasonable expectation' that you are breaking the law if you actually use it...

I think getting videos in public is much more 'under question'. There, such matters can be complex. A lot of the law is about, however, intent.

Why the fuck would you expect spying on someone's cell phone traffic by forcing MITM, for instance, would be legal? Who would do that?

A lot of the law is also about 'not what is on paper', but 'what someone is willing to bother to try and prosecute you for'. After all, 'on paper', you can get in the can for ripping off your mattress tag or chaining your cow to a public light post...

Really, IMNSHO, these agencies unlawfully using stingrays should be the ones thinking twice, though I will gladly raise the issue of 'how difficult it is to self-police'. Fact is, you know, if you are a cop, and you break the law in bad conscience, you are gonna get caught. Sooner or later.

So much of what is exposed these days, unfortunately, are just over zealous "cops" who mean well, so no one much bothers. That line can, as you know, get blurred...


FigureitoutApril 5, 2015 11:09 PM

6EQUJ5
--Maybe I'm conducting my own investigations b/c I don't trust cops or other private eyes to do a thorough enough investigation or I'm looking out for a loved one or just testing to see what kinds of hooks are on my own phone. Note I've never done it, hypothetically is all I'm saying.

Who would do that?
--The f*cking gov't and its corrupted agents w/ legal immunity for their actions.

Fact is, you know, if you are a cop, and you break the law in bad conscience, you are gonna get caught. Sooner or later.
--Bullsh*t. One guy straight choked a guy to death on camera and got away w/ it. So many times, choke to death, killing people, stalking, terrible decisions...they get no criminal charges or worse "paid leave" and then back to business as usual.

Sorry, citizens need to have some power too. It's not going to end well when enough people get pissed to just walk up on cops and cap them in their cars as has already happened quite a few times. Then there's no one protecting the elites and we can redistribute the wealth b/c our generation is poor and doesn't give a f*ck.

6EQUJ5April 5, 2015 11:17 PM

@65535

I think you need to cut the gordian knot there.

Krebs is a high quality site, but Krebs is highly confrontational and often deals with "organized crime" who you can rightly assume is highly likely to have government connections. I mean there, specifically, Russian government.

As you are not a spy nor any manner of agent, who cares.

What system do you use to connect? Is it your own, or a company system? Your company may have a proxy on there, even without your knowledge.

In the last BGP attack, a slice of traffic was taken for a long period of time. There are so many other ways to MITM internet traffic. Router compromises are routine. Connections to Krebs or Schneier should not be considered secure even if you are using a tor or other "darknet" proxy. If a nation state views you as suspect, they will know your IP and try and MITM you to try and evaluate you.

I think you know all of this...


6EQUJ5April 5, 2015 11:58 PM

@Figureitout

Maybe I'm conducting my own investigations b/c I don't trust cops or other private eyes to do a thorough enough investigation or I'm looking out for a loved one or just testing to see what kinds of hooks are on my own phone. Note I've never done it, hypothetically is all I'm saying.

I do not mind saying using a stingray will get you "on a list". If you are comfortable with your motives in that, then what is the stress. So, some uber black ops agency has you on a list.

You know this going into that. That is all you are telling me here.

Are you worth their time? From what you are saying? No.

Who would do that?--The f*cking gov't and its corrupted agents w/ legal immunity for their actions.

Reality is "government" is not a monolith. If a cop is using a stingray over zealously to hound a drug dealer, probably no one will bother with them.

If a cop is being paid by a criminal organization ultimately working for a foreign nation to try and spy on a highly covert FBI, CIA, or Other operation? And they are getting paid for this? Highly likely they made a very bad move. Probably they were being played the entire time. So, they don't wake up one morning and this never makes the papers, does this surprise you?

If a domestic, city agency is abusing their power, how difficult is it really to throw them to the wolves without any revealing of secret sources? Say, they are being overzealous as a cover, again, for something much more ominous.

I think anyone who studies this area can make these assumptions. Or wonder 'is there anybody out there at all'. Naively, if they believe that there is no one out there beating down those who fall to pride and abuse of power.

Fact is, you know, if you are a cop, and you break the law in bad conscience, you are gonna get caught. Sooner or later.--Bullsh*t. One guy straight choked a guy to death on camera and got away w/ it. So many times, choke to death, killing people, stalking, terrible decisions...they get no criminal charges or worse "paid leave" and then back to business as usual.

You and Job both. This gets into that area. I would leave you with studying that response, instead of providing something new.

And believe me, before the first "Mission Impossible" movie, a Job mailing list was one of the first places I signed up with when I got into this area of computer security.

Do you want to be that Ferguson cop? Do you want to trade places with Zimmerman? Would you like to be some cop who choked a suspect to death on video?

Sorry, citizens need to have some power too. It's not going to end well when enough people get pissed to just walk up on cops and cap them in their cars as has already happened quite a few times. Then there's no one protecting the elites and we can redistribute the wealth b/c our generation is poor and doesn't give a f*ck.

Money comes with responsibility, and power much more so. Things are not good in this world and this age. That is "duh" territory. Things are changing and will change. If you want to be a billionaire, however, and believe that is the road to happiness, you are wrong. If you want power, and believe that is the road to happiness, you are also wrong.

Yes, you can work more and take on more responsibility. I have a lot of power and responsibility. I would not trade places with someone who has less. But, I also go through an enormous amount of pain, and do not have the freedoms of ignorance many others have with less responsibility and less power.

Do I and everyone I "know" work for those in worse circumstances? Absolutely, yes.

"Know" in quotes just to signify people I trust and really know. As opposed to just acquaintances or whatever.

You have a conscience and know these things, I find it hard to believe your pretensions of ignorance here.

6EQUJ5April 6, 2015 12:38 AM

@Figureitout

FYI, someone with a nick "Figureitout" on this sort of forum? That is the kind of nick I grasp to. What is this nick I am using? Figure it out. But, reality is, I am just "some guy".

"William Martin" made a good point. About claims, assertions, and proofs.

What claims am I making? What evidence do I provide? For one, my reasoning is shown to be highly sharp. I know that the Dubai Assassination was a joint US-Israeli operation, and bothered to mention that. I can make such an assertion without being concerned about doing so over a highly scary assassination action. Dagan was fired for that. Maybe that is why Petraeus was fired, I do not know. If so, that was dumb.

The organization involved was not, however, directly CIA.

Just because one tentacle is shown, does not mean that is the whole beast.

I do delight in pointing out not a single operative was exposed. Some say 27, some say 26, the ruling argument is they all used their real faces and were Mossad. All I have read feel very confident all operatives are now inactive. There is a singular mistake in that reasoning which is that they were not in disguise the whole time. They were.

I implied that the "mistake" of sitting as tennis players for four hours in the hotel or changing disguises in front of a obvious CCTV was all not a mistake at all. It was not.

I also made statements about a nation's capacity to hack BGP protocol, with specific details on that.

On the BGP protocol hacking, that is something some know my details are correct on. On the Dubai Assassination, those who are aware of these matters as facts, they know this is the truth. Anyone outside, they could not believe this, as the main thinkers on this are so biased and given to delusions.

There is circumstantial evidence: Duh, disguise technology is that advanced. It is well documented it was far less advanced in the eighties, and there is ample evidence even ordinary citizens can do sophisticated disguises these days. Dagan's firing cover story was entirely weak and involved both the US and Israel. The cover story was clearly useful for Israel's greater aims. The 'let go' happened not so distantly after that assassination. While Mossad is very capable in disguise, they have never used such methodology before to such a fantastic degree.

Where are Israeli movies? Oh yeah. There are none.

Where is Hollywood? Oh yeah. The US.

Who would post such things online, with such confidence, and aware of such details?

Why... is another question altogether.

I will not answer that, nor do I need to.

As for details on illegal usage of stingray tech? Probably revolves around inside knowledge of how telcos and very black ops work. As for pointing out that it is possible a domestic police station in the US has had one or more officers working for a foreign nation and used such technology to spy on highly covert, federal programs operating in their city? That is unsubstantiated and theoretical.

It does sound kind of specific, however.

Did somebody just 'not wake up somewhere', and they were, say, working for some foreign nation that was previously giddy on exposing something very deep?

Well, only us and that foreign nation would know, right?

Admittedly, I am a honeypot. They know this, I know this. So, that is part of that game.

We create chokepoints. We control information release, and know who we are motivating and why. They know this. But, they have to try, anyway.


Clive Robinson • April 6, 2015 2:34 AM

@ K11,

Would it be illegal for a person not in government to use an IMSI catcher to intercept a target individual's comms?

The answer to that question really depends on what you mean by "to intercept a target individual's comms" and what jurisdiction you are in.

You can go out and buy such equipment for a few hundred USD and use it legally for call re-routing etc, to cover "poor service area" and other purposes... in theory you don't even need the permission of the "phone owner" because often it's ambiguous at best to the phone user.

The law usually says little specifically about communications systems and tucks them under "licencing conditions", and in some jurisdictions what you do "within the borders of your own property" is not covered under licencing conditions and the restraints they would otherwise provide.

If you are referring to intercepting "the contents of a communication" again the law can be ambiguous and depends on where you are in many jurisdictions. It's why it's legal in many jurisdictions for an employer, landlord or other provider --or their permitted agent-- of a communications service to record the contents of a communication, provided it is made within the borders of the property. Otherwise amongst other things "answer phones" etc would not be legal. However it's most definitely not legal for others to do so.

There is also a problem with the definition of a "communication", for instance how do you decide when a communication ceases to be a communication in transit?... For instance the cassette in an answer phone, is in an ambiguous state, because in some jurisdictions the call only ceases to be in transit when the recipient has heard it and not before, thus the tape can hold communications that are both "in transit" and "not in transit"...

Oh and then there is Copyright law to consider, technically every utterance you or anyone else makes to another is a "work" and thus subject to Copyright law, which gives the "artists" rights that can not be arbitrarily taken away not just under local jurisdiction legislation but international legislation...

The law on communications is messy and necessarily so for many good and proper reasons. The downside is of course loopholes and edge cases many of which appear to make no sense.

Which is why in some jurisdictions they would try to prosecute via what appears to be unrelated legislation such as that pertaining to "radio interference" or "jamming" which are considerably less messy.

65535 • April 6, 2015 6:32 AM

@ 6EQUJ5

“…Connections to Krebs or Schneier should not be considered secure even if you are using a tor or other "darknet" proxy. If a nation state views you as suspect, they will know your IP and try and MITM you to try and evaluate you. I think you know all of this...”

Yes, I know. On the individual systems I work on [at least on the LANs] I know if there is an SSL stripping device installed [MITM]. As for the other items you mentioned [BGP manipulation and other attacks], I would like to drill down into this area but I have work to do – so it will have to wait till later. I got to go for now.

Grauhut • April 6, 2015 8:35 AM

@65535: "Why does the Firefox plug-in “Flagfox” indicate the DOJ is being served from Russia?"

Could mean IP number space reallocation. Maybe some western provider changed the use of an IP block he formerly used in Russia, but after all that economic warfare he does not need them there anymore... ;)

Some weeks ago there was a passenger questioned at an airport by homesec because of "middle east IP address usage", this was also a provider who had changed his internal address space. If homesec is behind with such changes, why should Flagfox be faster?

whois -h whois.arin.net and rtfrfcs! :)

Doug D • April 6, 2015 9:08 AM

Hey, did you see that Nintendo will soon be selling a toy squid with an embedded RFID chip?

It's an "Amiibo" that pairs with a cephalopod-themed game called "Splatoon", and you use the toy squid with an RFID reader to unlock content for the game that can't be unlocked any other way... if their security is tight enough. Squids and crypto at the same time!

Grauhut • April 6, 2015 9:09 AM

@6EQUJ5: "I also made statements about a nation's capacity to hack BGP protocol, with specific details on that. On the BGP protocol hacking, that is something some know my details are correct on."

BGP doesn't need to be hacked, it's a protocol that's based on trust, so it's insecure by design. It originates from a time when you called a colleague by phone and asked him to announce your ASN cause your MAE East line went down. No major changes since then afaik.

"Connections to Krebs or Schneier should not be considered secure"

Driving a car should not be considered secure.

You don't need free speech if you are not willing to use this fundamental right.

So my pseudonym here is part of my semi open identity. I have others if I need them.

Moose & Squirrel Must Die • April 6, 2015 9:57 AM

Watch for renewed US cyberattack on Iran to wreck the NPT agreement. Remember, NSA cyberwarriors Boris and Natasha already tried to blow up Iran. Their illegal sneak attack went pffft. The fuse on their big black cartoon bomb fizzled out. Making lemons out of lemonade, the US government bragged about their harmless toy, so it served its real purpose: undermining non-proliferation negotiations with dishonorable bad faith.

Grauhut • April 6, 2015 11:44 AM

Incredibly FUNNY Snowden interview by John Oliver on Government Surveillance! :)

"This is the most visible line in the sand for people: Can. They. See. My. D*ck?"

https://youtu.be/XEVlyP4_11M


June 1 is Patriot Act renewal day. Share this with your representatives...

Skeptical • April 6, 2015 1:02 PM


@6EQ:

I wrote: Limiting the power of government by technological means also means limiting the power of government to police itself. Anticorruption and public transparency are harder to effect if officials, and those who would corrupt them, can shield their communications from lawful warrants and investigation.

Your response: Those statements contradict each other. And, 'self-policing' is a daunting subject by and of its own. Your statement there deflates any confidence I might have in your understanding of that subject.

There's nothing contradictory about those statements that I can see. One must remember that "government" is not some monolithic entity. It's divided into many segments. Some of those segments, e.g. the FBI's Public Integrity Section (PIN), have interests that are antithetical to corrupt officials in other segments.

So, let's say you have Corrupt Official A in some other segment. A is going to want to conceal communications and information that might reveal his corrupt acts. To that end, he'll communicate outside monitored government channels. If the channels he uses are immune to lawful search, then it will be far more difficult to investigate his corrupt actions.

This applies as well, of course, to communications between high-level officials and powerful private actors who wish to influence those officials via incentives and/or threats that are not quite legal - such things become much more difficult to investigate if they can be done in a manner secure from lawful searches.

The US is one of the less corrupt governments on the planet, but corruption is still a serious problem, and it will always be a serious threat. Undermining investigative tools will make it harder to catch very sophisticated actors engaging in corruption.

That's not a conclusive factor in determining what information security policy should look like. It doesn't compel the conclusion that we must have lawful intercept capabilities.

However, it is an important factor to include in our consideration, and it's one that is usually unmentioned.

I'd apply the same reasoning to various forms of corporate malfeasance and white collar crimes. These are not the attention-grabbing threats of asshole fanatics who would love to cram themselves full of high explosives and hop on a flight. But in many ways they're just as important, especially if you consider how much power private corporations have over individual lives.

As to your confidence in what I know, I really don't care. I write here under a pseudonym and let my arguments and points stand or fall on their own merits. You may freely assume that my posts are the unusual result of a monkey randomly hitting keys.

I wrote: This consideration applies not just to questions of information security, but to other domains as well. For example, would you want massive corporations to be able to transfer vast sums of money in a manner invisible to any government?

You responded: And one news story this week is on how 26 billion dollars went missing from the Afghanistan efforts. This is not out of the norm, this is the norm.

Uh, no, flying in massive amounts of cash to distribute within an immensely corrupt political structure facing a resilient insurgency is not the norm for the societies in which most of us live. Gathering receipts for that kind of operation is going to be difficult - and the opportunities for corruption will be rife (and not a few have been prosecuted in connection with that). But it's a problem particular to a special and unusual set of circumstances.

So I don't see how that contradicts my point.

What is more scary? Government abuse through known government organizations? Or government abuse through unknown government organizations which might include corporations?

We are much better able to monitor what our government does than we are able to monitor what private firms do. Safeguarding against government abuse is immensely important, but it's also something we can accomplish via laws and institutions. To give a very stark example, your safeguard against a police officer abusing his power is not a personal firearm but anticorruption units with adequate funding and control, transparency requirements, and a good legal system.

But private companies are much more difficult. Did Company X attempt to exert undue influence over an EPA investigation? Did Company Y deliberately conceal its knowledge about the toxicity of an additive it included in a product? Did Company Z bribe a local official to rezone an area?

Unless you have a government able to effectively conduct anticorruption investigations, and able to effectively investigate and monitor sophisticated, and powerful, private actors, you have a real problem.

Yet placing a hard technological limitation on government is precisely the sort of thing that benefits those powerful private actors most, while doing the least to benefit anticorruption efforts.

Fernando • April 6, 2015 1:12 PM

Executive Order Banning Donations to Snowden

I've seen this in several off-brand blogs but nothing in the mainstream media (expectedly) or the more reputable independent media (unexpectedly).

Basically the articles claim that the legalese says that it is now a crime to donate to Snowden. An Oregon man did it anyway and posted his credentials on this Reddit thread.

I don't have any tech lawyer friends so any feedback on the truth of this making donations illegal is appreciated. Also if this is legal can't you basically just make donation to anyone's defense fund illegal? As far as I know Snowden hasn't been convicted of anything.

Dirk Praet • April 6, 2015 8:35 PM

@ 6EQUJ5, @ Grauhut, @ 65535

BGP doesn't need to be hacked, it's a protocol that's based on trust, so it's insecure by design ...

True, but it has gotten better over the years. There's PKI-based S-BGP to secure communication with neighbours and some other ways to protect against route poisoning.

Those who can't afford expensive Cisco et al gear (or simply don't trust it) can also secure a session between two neighbours with MD5 checksums and a pre-shared key. Just set up a Quagga router on a stock Linux kernel (or tweak a FreeBSD box to support TCP MD5). On both sides, it takes only 5 simple commands in the vtysh CLI-shell to exchange routes through authenticated sessions. In essence, every outgoing packet in a TCP session carries an MD5 digest of the packet contents and a secret key, and the digest is automatically validated by the other end point. This makes it reasonably hard for an attacker to guess either the checksum or the key.
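The per-segment check described in the comment above is the TCP MD5 Signature Option (RFC 2385). The Python sketch below is an added illustration, not part of the original comment and not Quagga's code: it computes and verifies the digest the way the RFC specifies. The addresses, ports, key and KEEPALIVE payload are constructed, and only IPv4 is handled.

```python
import hashlib
import hmac
import socket
import struct

MD5SIG_KIND = 19   # TCP option kind assigned to the MD5 signature (RFC 2385)
MD5SIG_LEN = 18    # kind byte + length byte + 16-byte digest
NOP = b"\x01"      # one-byte padding option


def md5_signature(src_ip, dst_ip, fixed_header, header_len, payload, key):
    """Digest over pseudo-header, option-less TCP header, payload, then key."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, header_len + len(payload)))
    # The checksum field (bytes 16-17) is treated as zero; options are skipped.
    header = fixed_header[:16] + b"\x00\x00" + fixed_header[18:20]
    return hashlib.md5(pseudo + header + payload + key).digest()


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload, key=None):
    """Return a raw TCP segment, signed when a key is given.

    The TCP checksum is left at zero: the digest does not cover it and it
    plays no part in this demonstration.
    """
    options_len = MD5SIG_LEN + 2 if key else 0   # two NOPs pad to 32 bits
    header_len = 20 + options_len
    fixed = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                        (header_len // 4) << 4, flags, 65535, 0, 0)
    if not key:
        return fixed + payload
    digest = md5_signature(src_ip, dst_ip, fixed, header_len, payload, key)
    return fixed + NOP + NOP + bytes([MD5SIG_KIND, MD5SIG_LEN]) + digest + payload


def find_signature(options):
    """Walk the TCP options and return the 16-byte digest, or None."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:            # end of option list
            break
        if kind == 1:            # NOP
            i += 1
            continue
        if i + 1 >= len(options):
            return None          # truncated option
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            return None          # malformed option
        if kind == MD5SIG_KIND and length == MD5SIG_LEN:
            return options[i + 2:i + length]
        i += length
    return None


def verify_segment(src_ip, dst_ip, segment, key):
    """Receiver side: accept the segment only if its digest matches."""
    if len(segment) < 20:
        return False
    header_len = (segment[12] >> 4) * 4
    if header_len < 20 or header_len > len(segment):
        return False
    received = find_signature(segment[20:header_len])
    if received is None:
        return False             # no signature option on a keyed session: drop
    expected = md5_signature(src_ip, dst_ip, segment[:20], header_len,
                             segment[header_len:], key)
    return hmac.compare_digest(expected, received)


# Constructed sample: a BGP KEEPALIVE (16-byte marker, length 19, type 4)
# between two documentation-range addresses, with a placeholder key.
KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)
PEER_A, PEER_B = "192.0.2.1", "192.0.2.2"
KEY = b"example-preshared-key"
ACK_PSH, RST = 0x18, 0x04


def demo():
    signed = build_segment(PEER_A, PEER_B, 179, 40000, 1000, 2000, ACK_PSH, KEEPALIVE, KEY)
    tampered = bytearray(signed)
    tampered[-1] ^= 0x01         # one bit of the BGP message changed in transit
    unsigned_rst = build_segment(PEER_A, PEER_B, 179, 40000, 1000, 0, RST, b"")
    return {
        "valid": verify_segment(PEER_A, PEER_B, signed, KEY),
        "wrong_key": verify_segment(PEER_A, PEER_B, signed, b"other-key"),
        "tampered": verify_segment(PEER_A, PEER_B, bytes(tampered), KEY),
        "unsigned_rst": verify_segment(PEER_A, PEER_B, unsigned_rst, KEY),
    }


if __name__ == "__main__":
    print(demo())
```

The digest is a plain keyed MD5 rather than an HMAC, and the option has since been obsoleted by TCP-AO (RFC 5925).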

ajitaM • April 7, 2015 4:33 AM

Jonathan Wilson, pretending you have a real medical device or in case when you do have a real medical condition it would be unethical to examine/exploit such a device by governmental authorities while it keeps you healthy/alive.

Clive Robinson, I mostly agree with you. Checking blood sugar (with IR method) or monitoring heartbeat or passively listening if the pacemaker is active are all completely non invasive techniques. Finding a medical team would be also a problem. Not for paperwork but for invasive operations without medical condition. But at the same time in undeveloped areas this is possible and way to go for terrorists! In Kosovo illegal medical teams transplanted organs from captured soldiers ... And finally I agree that minimal RFID/memory device is better option.

k11, in many EU countries it is perfectly legal to use IMSI catcher limited on your own communication channels/communications. Proof for that are self exposed researchers in Germany, Italy, Slovenia, Sweden and even Norway (AFAIK).

Wesley Parish • April 7, 2015 5:02 AM

Yawn!!! Here I go again. @Skeptical, some of the time I can agree with your statements, because they do sometimes reflect reality to an extent. Other times they resemble statements of mediaeval theologians attempting to find justification for something stupid by committing arbitrary dissection upon an unforgiving text.

You're missing out one major actor in the Government versus Big Business scenario. Mind you, nearly everybody in the Western World has (deliberately) forgotten them as well - the lower class, the working class, the left wing intellectuals who attempt to organize them to counterbalance both those other centres of power the State aka Arbitrary Power and Big Business aka Inherited Corruption. In the 21stc Western World, the lower classes tend to include the (formerly) middle classes - by design: the UK in the nineteenth and the US in twentieth centuries owed their economic power to the middle classes, which distributed it more widely than the upper classes ever could have done. The upper classes post Gypper and Iron Lady have clawed back most of that power, with the inevitable result that both UK and US economies have suffered.

Strong encryption strengthens the hand of the middle and lower classes exponentially; the State aka Arbitrary Power and Big Business aka Inherited Corruption, don't need strong encryption to anything like the same degree, because they have other means of gaining their ends: war is policy taken to the umpteenth degree, and we know from the brutal suppressions of workers protests in the nineteenth century and the long-standing libels and character defamations that followed, that both the State and Big Business felt quite happy with declaring war upon their own citizens and workers.

Of course, both the State and Big Business in the Western World have been busy trying to block off investigation into the Left of the political spectrum: McCarthy was merely the most visible example of such corruption.

So you may have some difficulty in investigating the Left in all its myriad permutations, but Proust is not Marx, nor is William Morris ...

65535 • April 7, 2015 12:00 PM

@ Dirk Praet

“Those who can't afford expensive Cisco et al gear (or simply don't trust it) can also secure a session between two neighbours with MD5 checksums and a pre-shared key. Just set up a Quagga router on a stock Linux kernel (or tweak a FreeBSD box to support TCP MD5). On both sides, it takes only 5 simple commands in the vtysh CLI-shell to exchange routes through authenticated sessions… every outgoing packet in a TCP session carries an MD5 digest of the packet contents and a secret key, and the digest is automatically validated by the other end point. This makes it reasonably hard for an attacker to guess either the checksum or the key.”

That is of some comfort to know. We are not totally scammed. How widely is it used?

Wesley Parish • April 7, 2015 6:26 PM

Ooops! above, in previous post, s/Proust/Proudhon

wires crossed, didn't stop to fact-check. my bad. Proust was an author, Proudhon was an anarchist.

Dirk Praet • April 7, 2015 6:56 PM

@ 65535

That is of some comfort to know. We are not totally scammed. How widely is it used?

It's pretty commonplace at smaller telco's, ISP's and (F)OSS networking environments with an aversion to proprietary and expensive routing gear such as Cisco.

65535 • April 7, 2015 8:24 PM

@ Dirk Praet

“It's pretty commonplace at smaller telco's, ISP's and (F)OSS networking environments with an aversion to proprietary and expensive routing gear such as Cisco.”

This is good to hear.

I am somewhat concerned that the DOJ, FBI, and IRS sites are in the news:

[Krebs on Security]

'FBI Warns of Fake Govt Sites, ISIS Defacements'

'The FBI also issued an unrelated PSA advising people to be wary of fake government Web sites set up to take advantage of search engine optimization techniques that try to get the sites listed prominently in search results when searching for government services online. The FBI explains the scam thusly:
“Victims use a search engine to search for government services such as obtaining an Employer Identification Number (EIN) or replacement social security card. The fraudulent criminal websites are the first to appear in search results, prompting the victims to click on the fraudulent government services website. The victim completes the required fraudulently posted forms for the government service they need. The victim submits the form online, believing they are providing their PII to government agencies such as the Internal Revenue Service, Social Security Administration, or similar agency based on the service they need... the forms are completed and submitted, the fraudulent website usually requires a fee to complete the service requested. The fees typically range from $29 to $199 based on the government service requested. Once the fees are paid the victim is notified they need to send their birth certificate, driver’s license, employee badge, or other personal items to a specified address. The victim is then told to wait a few days to several weeks for processing.”' -Krebs On Security

https://krebsonsecurity.com/2015/04/fbi-warns-of-fake-govt-sites-isis-defacements/#more-30622

I wonder if this is DNS poisoning or BGP router attacks or just social engineering scams.

Figureitout • April 7, 2015 9:39 PM

6EQUJ5
--Yes I'm familiar w/ the list and nervous agents that need to go back to school and do a correct approach of a target, it's boring and a very lazy way of doing "national security". Good, they've wasted enough time on me and won't find a damn thing; I just want to be an embedded engineer and live my life w/o them interfering w/ my research and life. I want new strong secure devices configured and engineered best I can w/o just letting in this ultra annoying malware (that will get exposed eventually, it's one of my missions now) infecting (secure internet monitors/routers, secure offline programming PC's, secured EMSEC, and most importantly secure I/O that halts all code according to my protocols).

That is the kind of nick I grasp to.
--Let it go Nova. No tricks needed bud.

Admittedly, I am a honeypot.
--So you're a professional troll? Really satisfying life eh?

/***** OT from trolley *****/
Mildly interesting historical (ie: not very technical) link via phone OPSEC link: http://users.telenet.be/d.rijmenants/en/tempest.htm

It's way behind the times, but it's cute. Got one timeless quote right: The development and operation of secure communications equipment will always remain a technical challenge.

orleif • April 8, 2015 8:52 AM

Hi, just read part of a PDF on Cryptome; the document is about NSA countermeasures, and in it, it lists some elements of problems or like adv3rsarys:
among that list somewhere between a terrorist and organized crime elements it lists

International Press
Organizations that gather and distribute news, at times illegally, selling their
services to both print and entertainment media. Involved in gathering information
on everything and anyone at any given time.

Interesting view of adversaries in a democratic? state

SoWhatDidTheyExpect • April 8, 2015 1:42 PM

Biometrics Are Making Espionage Harder

http://science.slashdot.org/story/15/04/08/1450252/biometrics-are-making-espionage-harder

From the Slashdot post:

"In the age of iris scans and facial recognition software, biometrics experts like to point out: The eyes don't lie. And that has made tradecraft all the more difficult for U.S. spies. After billions of dollars of investment — largely by the U.S. government — the routine collection and analysis of fingerprints, iris scans, and facial images are helping to ferret out terrorists and immigration fraudsters all over the world. But it has also made it harder for undercover agents to remain anonymous."

And, they didn't think about this ahead of time? Or is this just FUD (meaning, with everything compromised, they can plant false biometrics in place of the ones captured so identities are not revealed).

Wait, how are the other guys getting the biometrics of our spies anyway? Well, they aren't, just like we DON'T have the biometrics of any terrorists (which is apparently why we haven't caught any, but just remember, they will compare your biometrics against some -supposedly terrorist- database to determine if you are a terrorist but you can't see the entry which makes you guilty).

It seems what is good for the goose is good for the gander.

By the way, I don't believe the claim about ferreting out terrorists.

tyr • April 8, 2015 3:55 PM


Packed with hyperbolic text and annoying graphics.

http://www.defenseone.com/feature/bioweapons/

Here's another rung up on the ladder of paranoia.

As I recall my biological training the real threat
is in an increased population who live in close
proximity. This makes the normal evolutionary
course of natural mutation have an easier method
of evolving a pathogen and spreading it. Couple
that with the epistemological cartoons most use
as a substitute for thinking and you have a magic
recipe for the human population making a nicely
done example of a J curve population plot. For
historical example see 1918 influenza epidemic.
Note that there were no random mad scientists
involved, only the reality of how biology works.

I'm sure that those who thought V was a documentary
will disagree.

k12 • April 9, 2015 11:31 AM

If you phone someone, and get half a ring and then sounds of the ocean, what does it mean?

tyr • April 9, 2015 4:05 PM


I can hardly wait for the collateral damage from
the French TV system hack. They are already on a
path to repressive measures that make Orwell seem
a pollyanna.

I'm also curious about DC losing its powergrid.

We seem to be living in the Chinese curse of way
too interesting times these days.

Clive Robinson • April 10, 2015 7:36 AM

As Tyr mentioned above ISIS took out French TV5 servers and Facebook page amongst other things.

Interestingly it looks like it was not done by native Arabic speakers, which combined with the fact that they appear to have access to the identity documents of French military personnel, suggests that the attackers may be rather "close to home" in France possibly the Parisian outskirts where there is reputed to be a major militant "muslim"[1] enclave of rather pathetic second and third generation "radicals" who for their own inadequacies believe incorrectly they would be some kind of heroes in a caliphate rather than just "life's failures" they currently are.

You can get an American view point at,

http://www.latimes.com/world/europe/la-fg-france-islamic-state-hackers-tv5-20150409-story.html

And a UK viewpoint at,

http://www.theguardian.com/world/2015/apr/09/french-tv-network-tv5monde-hijacked-by-pro-isis-hackers

The current publicly announced idea is the usual "Phishing Attack" story, however, I most certainly would not rule out an actual insider attack, either directly or indirectly. Which must be somewhat worrying for TV5Monde staff working in the Paris offices as it implies they have one or more sympathizers or active members of radical organisations working with them.

[1] I say "muslim" not because they are in any way representative of the millions of Muslims world wide or the faith in general, but because as any criminal/political group with sick, sadistic, violent and oppressive intent they claim religion as an excuse for their depraved inhuman behaviour. To such people it does not matter what the religion is, just as long as it provides the old "god told me to" excuse and a method of recruiting further people without moral compass to mold into their degeneracy.

Clive Robinson • April 10, 2015 8:36 AM

A question people need to be asking rather more than they are is,

"When is an insider not an insider and how do you tell?"

Put simply it's difficult if not impossible to determine accurately, because there is no reliable physically identifiable link back to an individual (don't mutter bio-metrics because they can all be beaten depending on an attacker's skill and chosen point of attack).

We thus use "information based credentials" of various "factors". Like all information they can be perfectly copied at virtually zero cost so "stealing" them is simply limited to getting access to them and copying/using them whilst they are current.

Outside of human insider attacks this can be done in three ways: via an existing malware vector, through social engineering and last but by no means least through prediction. Of these three usually the first two can be found by suitable analysis of logs to find the vectors used such as malware or phishing emails etc.

It's the third method that is becoming rather more prevalent these days which is actually rather worrying because it's difficult and expensive to fix and can be almost impossible to spot if the attacker takes care.

Depending on who you believe the use of bogus authentication is now believed to be behind between 30-70% of all major and persistent attacks, that is the use of malware is dropping significantly. Thus scanning systems for malware may only pick up an attack around one time in four and looking for signs in logs or for exfiltration of data may only tell you about incautious attackers or those whose end game is already coming to an end.

Thus the question is "how do you predict?" the credentials, unfortunately it's rather simpler than it should be due to a number of reasons.

Firstly even though it's been known longer than the Internet has existed is the mistake of having login/user names that are predictable from people's names or Email addresses etc etc. There is a secondary problem in that unlike passwords these are still seen as "static" and not to be changed, which is a mistake that's often effectively hard coded into the OS or System design.

The second problem is "the secret you know or have" often this is the password which is either human memorable or human typeable. They generally come as either "One Time" or "fixed time" usage, in the first case these are "generated" and issued to the user in some way (printed list, via SMS or from a token).

There are various ways to get at these one time passwords, but many have a distinct failing they are not TRULY randomly generated, they are in fact the result of a secret "seed" and a deterministic algorithm as well as some kind of other input that is all too often predictable such as time.

Unfortunately with tokens such algorithms are compromised by design issues such as battery life, and these compromises are such that attackers can predict the one time password...

If this sounds improbable, I can understand the feeling, however the reality is with State Level APT it is being seen,

http://www.darkreading.com/vulnerabilities---threats/solving-the-right-problem-stop-adversaries-not-just-their-tools/a/d-id/1319840
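The structure described in the comment above (a secret seed, a deterministic algorithm and a predictable input such as time) is shown here with TOTP (RFC 6238) as a stand-in; the comment names no specific token algorithm, so that choice is an assumption. This is an added example, not part of the original comment: the seed is the published RFC test seed and the `Verifier` class is hypothetical.

```python
import hashlib
import hmac
import struct

# Published RFC 4226 / RFC 6238 test seed, never a real credential.
RFC_TEST_SEED = b"12345678901234567890"


def hotp(seed, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(seed, unix_time, step=30, digits=6):
    """RFC 6238: the HOTP counter is simply the number of elapsed time steps."""
    return hotp(seed, unix_time // step, digits)


def codes_ahead(seed, unix_time, count, step=30, digits=6):
    """All codes for the next `count` steps, computable now by any seed holder.

    Nothing in the output depends on the token itself, which is why the
    seed store deserves the same protection as a password database.
    """
    first = unix_time // step
    return [hotp(seed, first + i, digits) for i in range(count)]


class Verifier:
    """Server-side check: small clock-drift window, each time step usable once."""

    def __init__(self, seed, step=30, digits=6, window=1):
        self.seed, self.step, self.digits, self.window = seed, step, digits, window
        self.last_counter = -1   # highest step already accepted

    def verify(self, code, unix_time):
        now = unix_time // self.step
        for counter in range(max(0, now - self.window), now + self.window + 1):
            if counter <= self.last_counter:
                continue         # reject replays of an accepted or older step
            if hmac.compare_digest(hotp(self.seed, counter, self.digits), code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    print(totp(RFC_TEST_SEED, 59, digits=8))
    print(codes_ahead(RFC_TEST_SEED, 0, 3))
```

The replay check in `Verifier` limits reuse of an observed code; it does nothing against a party that already holds the seed.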

HiddenExpectations • April 10, 2015 11:35 AM

The DEA Disinformation Campaign To Hide Surveillance Techniques

http://yro.slashdot.org/story/15/04/10/1442209/the-dea-disinformation-campaign-to-hide-surveillance-techniques

From the Slashdot post:

"The DEA database itself seems to have been shut down in 2013, but not before the government argued that it should be fine not only to engage in this collection, but to attempt to hide it during court cases. The courts agreed, which means this sort of surveillance could very well happen again — and the EFF is trying to prevent that."

Why, yes, of course, hide it during court cases. Why? Because the "evidence" garnered is probably non-existent or tells a much bigger tale than they want to reveal. Most importantly, it probably would show that the information gathered is worthless for drug enforcement but perhaps valuable for other purposes that they don't want revealed (or the revealed contents would likely yield unwanted rulings).

"State Secrets" are primarily to protect those holding the secrets and to protect them as opposed to the PR about dealing with someone else's crimes.
