Friday Squid Blogging: Squid Hoodie

This is neat.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on April 17, 2015 at 4:31 PM • 114 Comments

Comments

Milo M. • April 17, 2015 4:50 PM

Here's a criminal case that features rootkits, USB drives, surveillance cameras, telephone records, pseudo random number generators -- what's not to like?

The defendant was the Director of Security for the Multi-State Lottery Association (MUSL), which runs Powerball, Mega Millions, and several other lotteries. As a condition of that job, he was prohibited by Iowa state law from purchasing lottery tickets or winning the lottery.

http://www.desmoinesregister.com/story/news/2015/04/11/prosecutors-evidence-indicates-lottery-vendor-employee-tampered-equipment/25629733/

" ' . . . the State is aware that there is actually no evidence that Defendant tampered with the RNG computers or program,' the defense wrote in its motion.

Prosecutors countered this motion by claiming they have a 'prima facie,' or at first glance, case that Tipton tampered with lottery equipment.

In their reply to the defense's motion, prosecutors argued that Tipton's co-workers said he 'was "obsessed" with root kits, a type of computer program that can be installed quickly, set to do just about anything, and then self-destruct without a trace.' The prosecution claimed a witness will testify that Tipton told him before December 2010 that he had a self-destructing root kit.

Prosecutors also argued in their reply that Tipton was in the draw room on Nov. 20, 2010, 'ostensibly to change the time on the computers.' The prosecution alleged the cameras in the room on that date recorded about one second per minute instead of how they normally operate, recording every second a person is in the room.

'Four of the five individuals who have access to control the camera's settings will testify they did not change the cameras' recording instructions; the fifth person is Defendant,' the prosecution wrote.

It is a reasonable deduction to infer that Defendant tampered with the camera equipment to have an opportunity to insert a thumbdrive into the RNG tower without detection."

https://en.wikipedia.org/wiki/Hot_Lotto

"Unlike Powerball, the Hot Lotto drawings are not televised; its drawings use a random number generator (RNG), instead of ball-drawing machines."

Hard to believe this game uses a PRNG. Powerball and Mega Millions still use balls of some kind.

More stories:

http://arstechnica.com/tech-policy/2015/04/prosecutors-suspect-man-hacked-lottery-computers-to-score-winning-ticket/

https://www.techdirt.com/articles/20150414/06370530650/former-security-director-lottery-charged-with-tampering-equipment-before-secretly-buying-143-million-winning-ticket.shtml

http://www.desmoinesregister.com/story/news/crime-and-courts/2015/01/15/lottery-vendor-employee-charged-hot-lotto-case/21828771/

http://www.desmoinesregister.com/story/news/crime-and-courts/2015/04/13/hot-lotto-ticket-trial-delayed/25715155/

Benni • April 17, 2015 4:55 PM

The German government wants to legalize its spying on communication satellites:
http://www.spiegel.de/netzwelt/netzpolitik/bundesregierung-plant-gesetz-zur-spionage-im-weltraum-a-1027963.html

Germany's domestic secret service has a new department to monitor the internet:
https://netzpolitik.org/2015/secret-department-we-present-the-new-german-domestic-secret-service-unit-to-extend-internet-surveillance/

"A system for the collection, processing and analysis of bulk internet data should be developed in cooperation with external partners. This shall enable BfV to analyze bulk data and combine relevant information. The aim is to detect previously unknown and hidden connections between relevant persons and groups on the internet."

And they want to legalize BND's data collection by passing a law to save location data for four weeks and other metadata of phonecalls for ten weeks:

https://netzpolitik.org/2015/das-sind-die-neuen-plaene-zur-wiedereinfuehrung-der-vorratsdatenspeicherung/

They say they want to use it to fight against severe crimes....

In 2008, there was a similar legislation.

Deutsche Telekom now admitted that in 2008, it gave 71.932 IP addresses to police and 2.095.304 IP addresses from filesharers to copyright lawyers: http://www.heise.de/newsticker/meldung/a-i3-BSI-Kongress-Vorratsdatenspeicherung-ist-kein-Allheilmittel-2610418.html

The henchmen of the copyright lawyers from Deutsche Telekom support the plans for the new legislation. Deutsche Telekom says that it was then able to send the government a huge bill for this service: http://www.golem.de/news/ueberwachung-deutsche-telekom-begruesst-neue-vorratsdatenspeicherung-1504-113536.html

AlanS • April 17, 2015 4:59 PM

This week Julian Assange told a conference in Glasgow that he believes that the Scottish National Party (SNP) was spied on by the British intelligence services during last year's Scottish independence referendum. The former deputy leader of the SNP made similar claims last year. And this week, a former British ambassador claims that a false flag campaign has begun in the lead up to the UK general election (follow-up comments here).

Paranoid, self-serving, crazy? True or not, these assertions do raise an interesting question. Where do the loyalties of servants of the state lie when part of the population poses a democratic threat to the existence of the state and the establishment?

We know from the official files that MI5 infiltrated and spied on the SNP in the 1950s. At the time the British establishment was worried about the serious threat to state legitimacy posed by Scots retrieving bits of rock from Westminster. We also know that the British Civil Service, which is supposed to stay impartial during elections, was involved in dirty tricks last year with the cooperation of the BBC (not very successfully) and again recently (also backfired). Sir Nicholas Macpherson, the senior civil servant at Her Majesty's Treasury, has stated, rather indiscreetly for a British civil servant, that:

...in such an “extreme” case as last year’s referendum, in which “people are seeking to destroy the fabric of the state” and to “impugn its territorial integrity”, the normal rules of civil service impartiality did not apply.

So are we to trust--a requirement given the secrecy and lack of public accountability--that senior public servants of Sir Nicholas's stature in the intelligence services aren't of like mind and prone to similar actions? Or does the public school boy and Oxbridge-educated set have a hard time watching the hoi polloi vote the 'wrong' way?

Jonathan Wilson • April 17, 2015 5:11 PM

Relying on a computer system for a lottery seems like a stupid idea, it's much harder to tamper with physical balls spinning in a machine :)

Donald • April 17, 2015 5:32 PM

woah! Madeline L’Engle’s granddaughter found a section from her classical children's book "A Wrinkle in Time" that had been cut. And it just happens to be VERY appropriate for this blog:

" “But I still don’t see why security isn’t a good thing. Why, Father?”

“I’ve come to the conclusion,” Mr. Murry said slowly that it’s the greatest evil there is. Suppose your great great grandmother, and all those like her, had worried about security? They’d never have gone across the land in flimsy covered wagons. Our country has been greatest when it has been most insecure. This sick longing for security is a dangerous thing, Meg as insidious as the strontium 90 from our nuclear explosions . . . You can’t feel it or touch it. But it’s there. So is the panicky searching for conformity, for security.”"

http://graphics.wsj.com/documents/doc-cloud-embedder/?sidebar=1#1881486-a-wrinkle-in-time-excerpt

http://io9.com/theres-a-brand-new-section-of-a-wrinkle-in-time-that-yo-1698500480

Markus Ottela • April 17, 2015 5:41 PM

TFC upgraded to 0.5.4.

@ Nick P:
The constant transmission to hide metadata about when communication is taking place is finally implemented: Senders of both CEV and OTP versions now have the option to enable multiprocessing where one process handles inputs and files and adds them to a queue. Another process checks the queue at regular intervals and if the queue is empty, noise commands and messages are sent from the device randomly with equal ratio to recipient and local RxM. Some commands seemed to confuse turn based constant transmission so this was the next best thing. The only downside is, the user may have to wait a few seconds before 'the coin lands on' the desired packet type and the message/command is sent. Works with long messages and files, but groups, paste mode and contact switching had to be disabled until I can figure out how to implement them.

@ All:
Fixed a lot of bugs, improved convenience, upgraded Keccak hash function implementation (new one uses what seems to be a new padding scheme), Twofish CTR etc.

The installer now verifies SHA512 checksums of downloaded files; the installer itself is signed with a 4k RSA key stored in a waterfall secured computer. The public key can be found on the MIT PGP key server under my name, although there's absolutely no guarantee you don't get TLS-MITM attacked and fed a bogus key.

The somewhat full update log is available here.

Boo • April 17, 2015 7:13 PM

All the defense systems are growing smaller, faster and more automated. They are beyond our ability to control them. We can't even find them with all this surveillance. We're losing big stuff too, like aircraft. Because of a few lone wolves we're subjected to more searches and seizures. Without the revenue from the advanced auction of stolen goods and the expensive liars living would be simple and cheap.

[Return on Investment] for an attack that cost less than estimated $10,000 to accomplish? Rough estimate: 1.4 million percent. Welcome to modern war.
https://netwar.wordpress.com/2007/09/17/disrupting-networks/

Try getting a 15-20% return on an honest investment. The investors need subsidy to keep the zombie corporations running. Lose 15% and get federal stimulus payments. Get in on the trillions in wealth liquidation. It's an economy that doesn't work for you, you work for it. With more investors they can get the operators to cover their losses and keep their winnings.

Watch for more stuff closing, longer lines for things, higher prices, water shortages, broke pensions/states, empty banks, road/bridge closings etc...

Don't blame me.

Nick P • April 17, 2015 8:00 PM

@ Anon

Ah, the leaks feature a brochure about a cloud built on the INTEGRITY-178B RTOS I used to promote. It must be confidential as it's not on INTEGRITY Global Security's meth-driven website. Funny thing is that, rather than stopping the attackers, it collected dust to simply become educational material for those that owned the network. Assuming they actually considered it rather than being smartass hackers.

@ Markus Ottela

Good improvements. Military systems used fixed length and rate communication in high security COMSEC to kill off covert channels. Yours fixing the rate gets it a step closer to that security level. Do the protocol messages and data chunks have fixed *lengths* yet? They should know absolutely nothing except maybe that the protocol is initiated. The error responses should give them nothing about the keys, too. Check on those things.

"The installer now verifies SHA512 checksums of downloaded files, installer itself is signed with 4k RSA key stored in waterfall secured computer."

How was the waterfall strong enough to drown out the enemy while allowing you access? Did you just toss a rugged computer into one with limited wireless communication? Did you dig a tunnel through the rock that you didn't disclose? Is it a dam where access opportunities are limited to when they shut off certain flows? I've always found waterfalls themselves to be more a risk to the equipment and operator than enemies my tech defended against. How did you tame one enough for physical security?

Or did you mean air gapped? ;)

Boo • April 17, 2015 9:02 PM

A for effort. The leak strategy doesn't work. You got Manning in jail, the wiki nut in Bolivia and Snowden in Russia. Youth is wasted on the young. Then there are the older and supposedly wiser encouraging more of the same. Have all the snipers wear blaze orange outfits too. Ballpark strategies: 'To sum up: 1. The cosmos is a gigantic fly-wheel making 10000 revolutions a minute. 2. Man is a sick fly taking a dizzy ride on it.

cinnamonb • April 17, 2015 10:22 PM

Hi all -

Thought you all might have some thoughts on this: I'm in South Jersey and I was aghast that a PA Univ. (West Chester) recently advertised on Phila. tv that their computer science program is certified by the NSA. I could hardly believe an institution would actually use that as a selling point.

I'm also wondering if this was separate or different from being a "Center of Academic Excellence" - I found that list online and they were on that one.

So what to make of this? (and let me know if anyone wants the appropriate links...)

And thanks for that link, dustbuster. I might add to your observation, in the spirit of smart dust - guess they want to make us crumbs :-)

Nick P • April 17, 2015 11:13 PM

@ cinnamonb

The NSA was long considered our top organization in terms of understanding security. From COTS garbage to high assurance systems, it's they that have to sign off on the result of the Common Criteria evaluation. They also consult and make all kinds of standards throughout government (e.g. exports). Not a surprise that they came up with standards for teaching INFOSEC and many schools tried to say their courses were up to them. Plus is that it helps get government INFOSEC jobs. It's nothing to worry about except to say it's not what real hackers and security engineers would recommend you learn: it's a mix of useful stuff and academic bullshit that won't make for good workers.

That's actually typical of college degrees in the subject. Nothing new there. ;)

Markus Ottela • April 17, 2015 11:14 PM

@ Nick P:

RE: Packet lengths
So TxM outputs only two types of packets, commands have '[ctrl]' header, messages have [mesg] header. This is required so NH can tell the two apart. With python syntax the exiting packets are as follows:

message = '[mesg]%s~?TFC_%s|%s~%s\n' % (xmpp, b64e(ctext+MAC), keyID, CRC32)

command = '[ctrl]' + '%s|%s~%s\n' % ( b64e(ctext+MAC), keyID, CRC32)

The maximum length of payload is 140 chars by default. All messages that exceed the limit will first be appended with the SHA3-256 hash of the content, after which they are split into as many 137 char packets as are needed. This also applies to files: they are handled just as if they were another long message. The only difference is the second byte of the header prepended to each 137 byte packet, that tells whether it's a file or a message. The first header byte tells whether the packet is the first, appended or last packet of a long transmission.

Thus, elements in the part list of a long message are 139 chars at most. This applies for every encrypted message and command. Padding 139 byte messages to 140 is easier as no dummy block needs to be appended as a second packet.

Tl;dr: ALL files, messages and commands are sent individually as packets that have been padded to 140 chars if necessary. Thus, all ciphertexts have equal length.

The only packets that differ in length are unencrypted commands that affect NH such as the clear screen command. For constant transmission, this command is also transmitted encrypted so as not to alert NH about the command being issued.

RE: Protocol initialization
As there is no key exchange, pre-sent nonces etc., the only protocol initialization is when messages start flowing towards the XMPP server.

RE: Errors
TxM outputs no error messages to NH. Rx.py verifies the MAC with a constant time function even though it returns nothing to NH. Since the user gets a notification for every failed MAC and the event is stored to a separate log, all existential forgeries must succeed at first try to remain undetected.

Naturally, if Tx.py crashes, messages won't be sent any more. If the user needs to obfuscate this, the random_sleep boolean can be enabled and max_sleep_time might be raised to, say, 3600. This causes random sleeps between sent packets that may last up to an hour, giving, statistically speaking, enough time to recover from a crash without the crash being noticed by the adversary. This setting is possible but again, it's a trade-off between security and convenience as 'instant messaging' turns into 'every now and then messaging'. Some people only need mail-like features so the sleep time can be cranked to several hours (or days).

Re: Waterfalls and terms
(It's a trained Lebanese waterfall that knows its game. I have full confidence in it and its herd of squids will protect any keys and coins I might throw at it.)

So, yeah, I generally see airgapped computers as something that is taken off the grid for good. It has been preloaded with everything and it is used as an independent system with the only input and output being the user. An airgapped computer is useful for keeping a journal no one else should ever read.

(Offline computers that have bidirectional sneakernet channels and are secure only to limited extent.)

When the computer is behind automated unidirectional data channel, I like to call it waterfall secured (three cascade waterfall and bottle mail has been a good allegory to explain TFC). There's also the Waterfall Security Solutions company that sells data diodes. So I count the system as waterfall secured even though I extracted data from it as QR code (will probably from now on do it by hand as signatures aren't that long -- and while the private key couldn't have fit into the QR codes, I don't want to risk slow leaks from the device).

I hope this covers everything you wanted to know.

cinnamonb • April 18, 2015 1:19 AM

@Nick P -

Thanks for the reply. I'm glad you say it's not something to be concerned about, but I have to admit it gave me pause. Not being a real techie myself, I'm not at all sure about what COTS is or Common Criteria evaluations. It does give me pause, though, that you say they sign off on those Common Criteria evaluations. Having such a nefarious agency have that power - well, it makes me wonder, anyway :-)

"it's a mix of useful stuff and academic bullshit that won't make for good workers.

That's actually typical of colleges degrees in the subject. Nothing new there. ;) "

Quite an interesting observation...I actually remember taking a programming course for a machine that was already obsolete :-) And that was one of the last computer classes I ever had - and would you believe we submitted our programs on punched cards? Yup, my last programming experiences happened in the days of the dinosaurs :-)

Wesley Parish • April 18, 2015 6:54 AM

Finally! A definition of Terrorism everyone can agree on!

As is well known, the problem with discussing "terrorism" is that no one can agree on the most appropriate definition - everybody's hoping that somehow their favourite "freedom" or "slavery" fighters will be able to slip through the definition.

Well, now, courtesy of some very helpful gentry, I have been given a definition of "terrorism" that no one can fault - except of course the mindbogglingly literal:

That is what Terrorism is: a gigantic crocodile, smashing the next paragraph

Ben • April 18, 2015 6:55 AM

We all know, now, the primary purpose of NSA is to defeat electronic security systems to provide data for its customers: the military, federal executive agencies, allied corporations and friendly foreign governments.

The charade of involving itself in COMSEC activities among civilians aka the enemy is highly distasteful to knowledgeable victims, but of course, very successful too. Talk about security theater.

Defeating electronic security is a big business/big government deal. Billions of dollars and millions of employees are involved. Our dysfunctional government has been corrupted to ensure the survival and growth of mass surveillance.

A small minority of persons oppose corruption of our former Constitutional rights, possibly 20% of the population, but that's not enough to generate momentum for change. One reason there is so little concern is there are usually no obvious, concrete harms noticed from insecure communication, typically no more inconvenience than having a credit card replaced every other year or so.

The Mass Surveillance Plague is parasitic in nature, taking only a painless drop or two of data here and there thus ensuring weakened and docile survival of the host, while the parasite thrives.

Eliminating the disease at this point would be very difficult.

65535 • April 18, 2015 7:26 AM

@ cinnamonb

The NSA certified colleges and Universities [recruiting zones] are rather plentiful in the “coastal state” where Google resides. They do stick out with a relatively high number of mil persons. It is somewhat like going to a University with an ROTC program - not that much of a big deal.

65535 • April 18, 2015 8:36 AM

@ Cive

Duly bookmarked.

I consider myself a proud “Structured Procrastinator” by spending hours on this site reading “white papers” instead of fixing computers/network gear and earning more money.

Time is a valuable commodity. One should waste it wisely /

65535 • April 18, 2015 10:00 AM

@ Markus Ottela and Nick P

Re: TFC

That is an interesting setup. I have a few questions about TFC and “minimum system requirements” and other questions.

Figure 19: TFC setup with two Raspberry Pi computers, page 17 of the TFC Manual:

1] What are the white 'rectangular monitor' looking things in the slide?

2] What would be the approximate cost of the setup in the slide?

Figure 20: TFC setup with two laptops, page 18 of the TFC manual:

3] What are the minimum system requirements of the three laptops [processor, RAM, and screen resolution]?

4] What would be a real life laptop model used in this slide?

5] Is this rig portable?

https://www.cs.helsinki.fi/u/oottela/tfc-manual.pdf

I know you people are busy. I will check back in a few hours.

Thoth • April 18, 2015 10:03 AM

@AlanS
The SNP should have always expected themselves to be monitored by the national intel agencies. Any political party in any country in the world that is not the main political power in a specific country and is seen as an "opposing" party must always assume it is under surveillance.

Surveillance in itself is getting cheaper and getting more "Open Sourced" and distributed. Everyone leaks bits and pieces or huge chunks of information about themselves via social networking and with technological advances, everyone expects they are under monitoring by someone else.

@Humma Hummba
Any system that claims to be secure but cannot prove itself falls upon itself. I doubt Apple publishes how its encryption chips and features work, which does not allow open reviews, so I am guessing it is not going to be that robust. And on top of that, we have to remember the "secure crypto-chips" have to all be considered compromised and backdoored.

The only trust left is to build your own stuff from scratch (transistors and resistors level). Rather pathetic but that's how much trust we lost.

@dustbuster
Most smartcard chips are using 32 bit RISC processors (latest models). Not going to be surprised a 64bit might make it in there soon.

@Markus Ottela
Channels need to be oblivious in terms of what's sent over the line and also when the message was sent. You need not only constant time-based sending, but you also need to send dummy messages frequently so an observer does not know what's sent over the line and when, which message or how significant the message was, sent over the line at what time.

Messages must be padded before encryption and the messages must all be of constant length with significant length (128 bytes message length or more inclusive of headers and flags). The reason is sometimes someone might simply send something like:

Alice: Hi Bob, login password here.
Alice: p$A5dRoW
Bob: Ok got it

Imagine this kind of communication over chat. The 8 byte password sent over the channel might give a thousand or more permutations under bruteforce, but the catch is if someone has the resources to dump at it, the 8 byte password over the channel (if the length is guessed and the content's nature is known somehow) would have weaker security (although taking into account the headers and flags, it would be much longer than a plain 8 byte password encrypted over the line). The main essence is if you can make the message longer and uniform, it gives more security against many sorts of attempted message side-channel analysis.

Another thing is to consider not just sending over XMPP servers but other channels. That would be more convenient in a more flexible setting.

@Benni
I guess it's kind of been known for a while that Germany's Govt is multi-faced. On one side it tries to push for security efforts and prides itself as privacy orientated but on the other side the spying agencies and faces make some attempts to cover their tracks of their fancies and intrigues of subversion and spy games (and also following obediently the American Warhawks). (Fill in the blank) --------- brand security product made in Germany. Strong privacy and security orientated. (Alarms ring all over). Nationalistic promotion of products always sounds loud alarms in my head.
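Markus's packet description above (payloads padded to 140 chars, long content getting its SHA3-256 hash appended and then cut into 137-char chunks with a two-byte first/appended/last and file/message header) and Thoth's point about padding before encryption so that an 8-byte password leaves the sender as the same size packet as any other message can be worked through in one example. The Python below is an added illustration written for this thread and is not TFC's own code. Everything the post leaves unstated is my assumption and is marked as such in the code: the header byte values, ISO/IEC 7816-4 style padding (0x80 then zeros), giving short single packets the same two-byte header as long-message chunks so the receiver parses uniformly, and appending the digest as 32 raw bytes.

```python
"""Constant-length packetisation in the style of the TFC description above.

Added illustration, not TFC's code.  Assumed (not stated in the post): the
header byte values, ISO/IEC 7816-4 style padding (0x80 then 0x00s), a
'single' position flag so short packets carry the same header, and the
SHA3-256 digest being appended as 32 raw bytes.
"""
import hashlib
import hmac

PACKET_LEN = 140                          # every packet is padded to this length
HEADER_LEN = 2                            # position byte + type byte
CHUNK_LEN = PACKET_LEN - HEADER_LEN - 1   # 137: leaves room for the mandatory pad byte
DIGEST_LEN = 32                           # SHA3-256 output size

# Assumed header values; the post names the roles but not the bytes.
POS_SINGLE, POS_FIRST, POS_APPEND, POS_LAST = b"s", b"f", b"a", b"l"
TYPE_MESSAGE, TYPE_FILE = b"M", b"F"


def pad(packet):
    """Pad to PACKET_LEN with 0x80 followed by zeros (unambiguous to strip)."""
    if len(packet) >= PACKET_LEN:
        raise ValueError("packet leaves no room for padding")
    return packet + b"\x80" + b"\x00" * (PACKET_LEN - len(packet) - 1)


def unpad(packet):
    """Inverse of pad(): drop trailing zeros, then the single 0x80 marker."""
    body = packet.rstrip(b"\x00")
    if not body.endswith(b"\x80"):
        raise ValueError("bad padding")
    return body[:-1]


def packetise(content, is_file=False):
    """Sender side: content that fits goes out as one packet; longer content
    gets its SHA3-256 digest appended and is cut into CHUNK_LEN pieces, each
    with a header saying first/appended/last and file/message.  Every packet
    returned has exactly PACKET_LEN bytes, so the ciphertexts would be uniform."""
    kind = TYPE_FILE if is_file else TYPE_MESSAGE
    if len(content) <= CHUNK_LEN:
        return [pad(POS_SINGLE + kind + content)]
    payload = content + hashlib.sha3_256(content).digest()
    chunks = [payload[i:i + CHUNK_LEN] for i in range(0, len(payload), CHUNK_LEN)]
    packets = []
    for i, chunk in enumerate(chunks):
        if i == 0:
            pos = POS_FIRST
        elif i == len(chunks) - 1:
            pos = POS_LAST
        else:
            pos = POS_APPEND
        packets.append(pad(pos + kind + chunk))
    return packets


class Reassembler:
    """Receiver side: feed packets one at a time; get (kind, content) back when
    a unit is complete, None while a long transmission is still in flight.
    A long transmission whose appended digest does not match is rejected."""

    def __init__(self):
        self.buffer = None
        self.kind = None

    def feed(self, packet):
        if len(packet) != PACKET_LEN:
            raise ValueError("packet is not the constant length")
        body = unpad(packet)
        pos, kind, chunk = body[:1], body[1:2], body[2:]
        if pos == POS_SINGLE:
            return kind, chunk
        if pos == POS_FIRST:
            self.buffer, self.kind = bytearray(chunk), kind
            return None
        if self.buffer is None:
            raise ValueError("continuation packet without a first packet")
        self.buffer += chunk
        if pos == POS_APPEND:
            return None
        if pos != POS_LAST:
            raise ValueError("unknown position flag")
        payload, self.buffer = bytes(self.buffer), None
        content, digest = payload[:-DIGEST_LEN], payload[-DIGEST_LEN:]
        if not hmac.compare_digest(digest, hashlib.sha3_256(content).digest()):
            raise ValueError("SHA3-256 check failed on reassembled content")
        return self.kind, content


if __name__ == "__main__":
    # Constructed samples: a short chat line and a 500-byte "file".
    for unit, is_file in ((b"Hi Bob, login password here.", False), (b"y" * 500, True)):
        packets = packetise(unit, is_file)
        rx = Reassembler()
        recovered = [rx.feed(p) for p in packets][-1]
        print(len(packets), "packet(s), lengths", {len(p) for p in packets},
              "bytes, recovered:", recovered == ((TYPE_FILE if is_file else TYPE_MESSAGE), unit))
```

Run stand-alone it prints the packet count and the set of packet lengths (always {140}) for each sample, followed by whether the receiver recovered the original. The short chat line and Thoth's 8-byte password would both leave the sender as one 140-byte packet, indistinguishable by length from any other short message; the 500-byte file becomes four such packets, and flipping any byte in a middle packet makes the receiver reject the whole transmission at the last packet rather than silently accepting corrupted content.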

AlanS • April 18, 2015 11:12 AM

@Thoth

I agree but it is not just surveillance. What's being claimed here are dirty tricks and false flag activities aimed at changing public opinion and altering voting behavior.

What we've had since the Snowden revelations are claims that the surveillance / security state is about protecting us from terrorists, organized crime, etc. and poses no threat to the liberal democratic state. And there is no evidence, it is claimed, that the security state is behaving the way we know it did in the past. And there are controls and oversight to prevent all those bad things happening. So, my question, is, given what's going on in the UK with the rise of the SNP, are those claims really credible? Do we have an actual example here of the sort of activities Snowden claims we should be worried about?

Wael • April 18, 2015 11:36 AM

@Clive Robinson, and Fellow unstructured procrastinators

On "Structured Procrastination"...

Pretty good article, and I can relate to it. Sounds logical, analytic, and convincing. At least Robert Benchley and John Perry have some integrity as opposed to the incompetent scumbags that believe and act on "Perception" is more important than "Reality" -- an appalling, wide-spread trait that I loathe and can't cope with. I learnt a few things from it and will put it to test [1]. Thanks for sharing, you're a perceptive man! Ok, 'nough serious crap...

I have to admit that I find this forum to be equally a source of amusement [2] as a source information sharing (as if that's not already clear.) And sometimes I drop a post or ten when I get tired of working on "important" things at the wee hours of the morning.

I've been meaning to post this for some time but...

How ironic! You freakin' structure-procrastinated this? :)

[1] Starting now, posting here on a nice sunny day of the weekend while working on "important things" with "deadlines due yesterday". Speaking of these sorts of deadlines, whenever I get assigned a task and ask what's the timeline? I get the almost consistent reply "yesterday". Now I say: Oh, man! It's already late... A couple more weeks ain't too bad, what's an extra line on a zebra... enough structured-procrastination for now, time to go down the list of todos... Geez I have to construct the list first, arrrgh, that can wait ;)

[2] Which sometimes gets me in trouble. During one of the meetings at a previous company, let’s call it X, where the inside joke was everything (computers and related stuff) we made "sucked". Was sitting in a meeting with some unknown people, and the room was silent so I said: Did you hear that we finally shipped a product that doesn’t suck? Everyone who knew the joke smiled. The others said: which product is that? I said we made a Vacuum cleaner :)

David Sloane • April 18, 2015 1:29 PM

American Enterprise Institute gathers tech evidence for fear of Iran/war with Iran

In case you were worried that only *domestic* politics clouds information security debates, fear not. We're happy to attach cyber-threat-danger warnings to any potential adversaries - not just the big, obvious ones.

https://www.linkedin.com/pulse/initial-report-project-pistachio-harvest-mayur-agnihotri

https://www.aei.org/wp-content/uploads/2015/04/Growing-Cyberthreat-From-Iran-final.pdf

Figureitout • April 18, 2015 1:40 PM

Markus Ottela
--Good work. Now it's fun adding changes when you know the code base well eh? Saving building that HWRNG for summer. :)

Design Software
--Since my school botched the PSPICE installation on windows 8 and still hasn't installed the parts libraries you need (and you can't install LTSpice w/o admin privileges), I was screwed trying to test some simple circuits and my answers I get. Where's your personal PC you ask? I don't carry a normal laptop w/ me usually, run live, if it's windows on a HDD it gets infected w/ a system exploit then malware makes it annoying to work and I usually keep re-installing since I don't want to buy another version of windows (malware still stays) so I don't do it on my personal laptops.

Then I found Multisim by National Instruments on the lab computers. Was able to build a circuit w/o reading any manuals (well sneaked a peek at a small one) and get the graphs we needed to get. First impression is pretty good, looks like you can simulate *a ton* (chips too, not even sure how that works...) quickly in software. Check it out if your school/employer has it; the free version will be temporary or probably suck, and paid is around $3k-4k.

LTSpice is free and nice, but this "seems" better...

http://www.ni.com/multisim/

100Hz to 10MHz Signal Generator
--Neat article in QST, the magic happens in the DDS module from Analog Devices. Looks like generally just windows support again which uses VB and DLL's if you connect it to your computer. I need a signal generator so I may add this to my ever expanding project list. Here's a free description of the goods, not the article:

https://sites.google.com/site/dds25infosite/home/100-hz-to-10-mhz-signal-generator

This is also what is really needed for your own custom SDR, the DDS VFO module; there'll still be plenty of issues getting the signals cleanly where they need to be and programming annoyances but this is probably the most important component in the radio.

But what does this have to do w/ security?!

And this is what I'm saying, for a very few people, would be nice for very unique "out of band" authentication (I'm thinking security people who are logging in remotely, you can at least authenticate (not prove there aren't attackers listening, but you could just exchange another code via out of band to shake them off too by meeting someone else (in digital or physical realm)) in real time that you're connected on internet). Very large frequency/phase shifts that can't get received by people who don't know and can't know the protocol. And lastly, there are ways to transfer files over the air (not wifi/cell phones, other modes), that's where I'd like to be, but they'll be known and thus subject to injection/modification if they get too popular; obscured ones can probably sneak a few files essentially unseen by all but the senders.

Some people are doing what I'm thinking, not sure about this guy's results though: http://yo9irf.blogspot.com/2013/03/developing-hf-transceiver-around-arduino.html

Also there's this transceiver dongle, only thing is getting real range w/o a huge antenna and not "cheating" going to a local cell tower then going via wires. I don't think I'm going to get one, but interesting.

http://www.hides.com.tw/product_cg74469_eng.html

Lots of toys today, wish there were just as much time/brainpower...

tyrApril 18, 2015 3:11 PM


@ Clive

I had a coffee cup that said thank you for not wasting my time.

It was because I was quite capable of wasting it myself on
those things I liked to do instead of the supposedly
necessary. It turned out that I was the only one who ever
completed the preventive maintenance schedule on time and
I hated that part of the job.

If you're always busy management tends to avoid bothering you.
So the article is a classic piece of advice.

The real advantage of a big backlog of things to read is you
never have to be bored.


SkepticalApril 18, 2015 3:53 PM

Re lottery drawings via computer vs other means:

Just a few half-baked thoughts. I can't help but think this illustrates the dilemma posed by the human necessity of being able to abstract away from the complexity of a given system and interact with it on more simple terms.

On the one hand, abstraction is fundamental to being able to build useful and reliable complex systems out of complex systems. In other words, it is fundamental to much of technological progress.

On the other hand, the near complete lack of visibility into those underlying systems for most users allows for all kinds of problems and vulnerabilities to fester. Few users examine how their browsers authenticate a given site, what the app permissions on their mobile devices really mean, what information is transmitted to others when they connect to a website or send an email via a "free" provider, etc.

We need better windows into the systems on which we depend. And by this I don't mean complete transparency, but rather a selective transparency, the equivalent of a gauge on an instrument panel.

But providing gauges that are meaningful to the average user, especially for monitoring complex systems that more expert users understand via a medium of terminology and concepts alien to the average user, is extremely difficult. A green padlock is a highly simplistic type of gauge in certain web browsers. It leverages an existing metaphor understood by average users in a way that requires one to understand very little about web browsers or networks or cryptography to understand the intended meaning of the gauge.

Still better would be gauges for the gauge - an instrument panel, understandable by the average user, for the very simple green padlock. And then gauges for each of those gauges - and so on, to whatever level a user wished to look. With each transition would come an explanation of the necessary underlying concepts, enabling and encouraging self-education.

We have those gauges in a certain form of course, but they require a large investment of time to learn, well-designed maps of the cognitive terrain are scarce, and they cater to a fairly limited audience. And even then, depending on the device or system in question, they may be mostly unavailable.

I would love to see more technical transparency built into the systems we use. To take an easy and common example, let users of many types of mobile devices see not just the vague permissions an app requests to operate, but also what data an app actually accesses and whether and where it sends that data, and let them see these things in a meaningful way (i.e. not simply a dump of packets or a list of files accessed - though those should be available as well). Ultimately the final judge of whether a system is behaving desirably is a human being. Perhaps we should invest a little more effort in making visible and understandable the system behavior that would enable the user to make a meaningful judgment.

That won't solve the problem of software that is engineered to avoid or mislead such gauges, and such gauges would constitute a system or systems in themselves (which raises the usual interesting problems), but it might shorten the life-span of many bugs and a large amount of undesirable behavior. Hiding underlying behavior from a user is the easy part; translating that behavior into language a user understands, with progressively sharper levels of focus, is hard.

Keeping You SafeApril 18, 2015 4:08 PM

Gee, turns out we do need internet surveillance to protect us! Our protectors just caught a vicious ring of terrorist assassins in the act. The assassins: NATO. The cybersleuth: a sharp-eyed German commie.

Markus OttelaApril 18, 2015 5:57 PM

@ 65535:

1. Just that, generic monitors.

2. A rough estimate for RPi setup is $300 excluding tools, $500-600 with cheap netbooks. If you have to buy tools, that will also raise the price.

3. I've managed to use TFC with $20 4" monitors that had 320x240 resolution: It did cause fatigue to the eyes. Resolution isn't that important as it's a terminal program; if you can fit ~80 readable chars on screen you should be good.

For OTP version the requirements are negligible: The only things that require computation is overwriting files: OTP is probably the fastest encryption algorithm and the one time MAC is also extremely fast. The CEV version is slower, but my $200 netbook runs it with no notable delays.

4. You can use any laptop that runs Kubuntu (IIRC it's more lightweight than Ubuntu and works. I haven't tried out all distros but at least Debian, Lubuntu and Xubuntu had a weird error with PyQt4 bindings that prevented NH.py from running). The constant transmission with CEV version at high repeat rates takes much more computing power from both sender and recipient but for general use, I don't think there will be problems.

5. Why not. Ideal portable solution would be three ultrabooks with TxM and RxM having wireless devices, mics and speakers removed. Alongside those you only need four corded USB-RS232 adapters and the two data diodes: keys can be pre-generated at home. The NH can connect to public Wi-Fi or one tethered by your smart phone that bridges it to LTE or whatever.

GregoryApril 18, 2015 6:37 PM

@AlanS

Where do the loyalties of servants of the state lie when part of the population poses a democratic threat to the existence of the state and the establishment?
So are we to trust--a requirement given the secrecy and lack of public accountability--that senior public servants of Sir Nicholas's stature in the intelligence services aren't of like mind and prone to similar actions? Or does the public school boy and Oxbridge-educated set have a hard time watching the hoi polloi vote the 'wrong' way?


Governments are simply pooled resources of individuals which allow individuals to enjoy products they themselves can not individually obtain. Just as individuals tend to group together to form societies, the strongest in those societies will tend to group together to create an elite. This allows them to have unequal share of the overall society's product. What motivates them to do this? The very thing that motivates individuals to group together in the first place.

It does not matter what route is taken. Democracy, anarchy, communism. It will always end up the same way.

Governments are like drug dealing kingpins. You can remove them, jail them, expose them, does not matter. Someone else will take their place. You can attack supply sites and supply delivery networks, but there will be another network formed and another source of supply.

Where is a permanent solution there? There is none. There are only temporary solutions which provide temporary solace.

If there were a drug invented with ample, assured supply which provided greater pleasure and no side effects, that would work.


What we've had since the Snowden revelations are claims that the surveillance / security state is about protecting us from terrorists, organized crime, etc. and poses no threat to the liberal democratic state. And there is no evidence, it is claimed, that the security state is behaving the way we know it did in the past. And there are controls and oversight to prevent all those bad things happening. So, my question, is, given what's going on in the UK with the rise of the SNP, are those claims really credible? Do we have an actual example here of the sort of activities Snowden claims we should be worried about?


There are many points of exposure which prove that corruption is rampant.

It does not really matter if anyone sees just how bad it is. Exposure is just another way of removal. Secrecy is just 'security by obscurity' and one level of protection for the corruption. You can actually expose the entire corruption infrastructure, and that can aid in fixing it or replacing it. But, you will eventually end up sooner or later with the very same problem again.

BooApril 18, 2015 7:05 PM

Democracy always turns into suicide. It consumes all the resource that it claims to protect and then without resources it becomes a protection racket. Suicide means more sales for the highly profitable funeral industry. You can convert empty superstores into cremation centers. Welcome to Death Depot! Iraq is getting deadlier, so with exported gloom you can be an international chain with investors. Get in on the water marketing too! Suck the wells dry and sell water to the survivors and services to the dried and bled. With the ownership society you can sell farms cheap with no water for body disposal. With fewer people you'll need less food and can get a farmland conservation grant and get paid government money not to grow anything. Without water nothing will grow except the national debt.

Markus OttelaApril 18, 2015 7:07 PM

@ Thoth:

RE: Timing

You do not need constant time sending, you just need to completely isolate any variances inputs might have on TxM output. Here's my reasoning:

In following examples m is for message, c is for command, number n.nn is the interval of n.nn seconds between packets. We'll assume the adversary can precisely time messages on NH:

Let's first leave commands out of the equation and say messages have two second delays:
m 2.00 m 2.00 m 2.00 m 2.00 m 2.00 m 2.00 m 2.00 m

That's the theory. If a message was sent, it's in one of those, rest are dummy messages. Now when you add long messages to queue, loading will take time.
m 2.00 m 2.00 m 2.00 m 2.03 m 2.00 m 2.00 m 2.00 m

Guess where the loading took place and communication happened with high probability.
Now, let's add random jitter between 0 and 0.3 seconds between every packet:
m 2.21 m 2.29 m 2.21 m 2.19 m 2.13 m 2.03 m 2.22 m

It's harder now, right? So now, let's add commands:
m 2.18 c 2.11 m 2.29 c 2.09 m 2.17 c 2.15 m 2.03 c

Works in theory, but I can't get the following problem eliminated:
m 2.18 c 2.11 m 2.29 c 2.09 c 2.17 m 2.15 c 2.03 m

Sending messages and commands occasionally caused repetitions in packet types. Now let's change the implementation so that between each packet (even between long messages) we throw a coin that chooses the type of sent packet:
m 2.18 c 2.11 c 2.29 m 2.09 m 2.17 m 2.15 c 2.03 c

Now the adversary can't figure errors, but if after sending the 3rd packet
the sender issued a command, he had to wait for packet 7 for it to be delivered.

Now, let's add a lot of random sleep so the breaks are not that constant any more:
m 411 c 1124 c 2211 m 1511 m 1440 M 543 c 86400 m

So attacker might assume M was last message and TxM was powered off 10 minutes after it but who knows, maybe the message was typed after M was sent and the sender had to wait for 24 hours 10 minutes before next message packet was output. So there's nothing constant time here, but there is no channel for attacker to deduce when communication takes place, only that it probably sometimes does.

RE: Padding
All messages and commands are padded to 140 bytes before encryption.
It wasn't obvious from the message I sent to Nick but I get the risks you presented.

RE: XMPP
TFC is really not dependent on XMPP, Pidgin supports tons of protocols, it's
cross platform, fairly popular and bundled with Tails which is important.

@ Figureitout:

Can't wait to hear your results! Be sure to document the building process. Also yes, programming is becoming increasingly fun when you know the code so well you can almost immediately pinpoint the reason for error.

ThothApril 18, 2015 7:22 PM

@AlanS
Surveillance of opposing parties is the precursor. If you take a look at my country (Singapore), the main party has active measures in ensuring the sealing of power to just one party.

A few years ago during the previous General Election, an opposing party managed to win a "Grass Root" from the hands of the main party and the backlash was very severe. To ensure that the opposing party would be incapable of governing a region it won, the governing building (called a Town Council) was supposedly left to its minimum. No aid was supplied and they had to engage their own maintenance contractors. The slightest mistakes (as this was the first time in history an opposing party ruled a region) and they made mistakes. The smallest mistakes were blown up in front of Parliament and local media and were not given a rest. The main party also uses favouring rules and powers they enshrined into law without the general consensus and counsel of the citizens (so-called democratic to enshrine laws without counsel of civilians) to ensure the eternal banishment and destruction of opposing parties who dared step forward. Severe lawsuits to ensure monetary destruction were implemented very successfully.

We have to thank the British for leaving behind a legacy of broken laws that were so yummy for abusers to lay waste to democracy before they pulled back home.

Singapore is just the tip of the iceberg. Look around more of Asia and Middle East and you will realize those Western nations and democracies are slowly becoming entrenched in the Asian mindset of destroy thy enemies and not leave the roots behind in both politics and real-life where the enemy is ... democracy itself they claim to promote and protect...

How ironic....

Evidence of false flag operations is rather subtle and looks unnoticeable. Missing laptops and portable devices are the first signs of trouble. If a politician suddenly knows a lot more of his opponents' personal details then that is a sign of heightened surveillance mounting to possible false flags and black ops very soon. Most people would not publish tiny incidents like losing portable devices and computing equipment, nor would they acknowledge claims of weird emails and communications from unknown sources they have never met, but those are tell-tale signs that they are in someone's crosshairs.

ThothApril 18, 2015 7:37 PM

@Markus Otella
Some tactics of using TFC would be to incorporate fleet broadcast (kind of UDP broadcast) or point to point routing via stuff like TOR so messaging over common IM channels that uses heavily on client-server architecture models under such heavy loads TFC outputs would best avoid a client-server model. You can chomp the messages and scatter them around and broadcast or chomp up over multiple point-to-point because if a IM Server operator were to see heavy loads (via traffic obfuscation that TFC uses), they are sure not gonna be very happy and that's where peering based point-to-point and broadcast methods are so much better and the portability of the protocol would help immensely here.

Regarding random message transmission and constant message transmissions, both are good for use in the field and both are effective and valid. For constant transmission, you need 2 additional buffers. You write message to a primary buffer and then transfer to an outgoing buffer. The outgoing buffer will always send off messages from its stack at regular intervals and that's its only job. The primary buffer will always attempt to slot messages into the outgoing buffer's stack as quickly as possible to populate as much of the outgoing buffer as possible. This way the time would always be in sync more frequently?

Of course the use of so many buffers and problems with timers are irritating and bulky so a randomly timed message transmission would be useful. What I meant by randomly timed transmission is to create dummy packets and real packets and send them over the channel. Because of the existence of the dummy packets, an observer can't tell which is the real one and you don't need to put the machine to sleep for like 24 hours (too long) to send off a message. If you can mix in dummy packets and randomly send them over an estimated time period, or even send random variations of dummy packets before sending real packets or real packets before dummy packets, either way would have been hugely confusing to an observer as he needs to take in both the dummy and real packets before sending.

And now that comes to the huge issue of key usage....

Since you are using the keystreams for dummy packets as well, you need to have more than enough keymats to do your encryption and decryption. It would be tempting to use a PRNG to generate all the keystream mats like incrementing counters and then XOR-ing or something like that which may or may not impact security but it's something to consider and not take lightly.
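The two sender designs discussed in this exchange (Markus's jittered coin-flip scheduler with dummy packets, and the outgoing buffer drained at its own cadence that Thoth describes) are modelled below as a simulation. This is an added example, not TFC's code; the load cost of the naive scheme, the input format and the seed are constructed, and time is simulated rather than slept.

```python
"""Simulated TxM packet scheduler: naive fixed cadence vs. isolated scheme.

Added example, not TFC's own code. The naive scheme sends one message
packet every 2 s but lets the loading of a real message delay the
packet (the "2.03" in the thread). The isolated scheme draws the gap
(2 s plus up to 0.3 s jitter) and the packet type (coin flip) from an
RNG that never sees the queues, so the trace the NH observes is a
function of the seed alone; real data only replaces the payload of a
packet whose type the coin already chose.
"""
import random
from collections import deque

BASE_INTERVAL = 2.00   # seconds between packets, as in the thread
MAX_JITTER = 0.30      # jitter added to every gap in the isolated scheme
LOAD_COST = 0.03       # constructed: extra delay when a real message is loaded

# inputs format (constructed): {packet_index: [("m", text) or ("c", text), ...]}
# meaning the user queued that message/command just before that packet slot.


def naive_trace(inputs, n_packets):
    """Leaky scheme: a message packet every 2 s, and loading a real message
    from the outgoing buffer delays the packet by LOAD_COST. Returns the
    list of (gap, type) that the NH, and an adversary on it, can observe."""
    outgoing = deque()
    trace = []
    for i in range(n_packets):
        for _, text in inputs.get(i, []):
            outgoing.append(text)
        gap = BASE_INTERVAL
        if outgoing:
            outgoing.popleft()       # a real message is loaded...
            gap += LOAD_COST         # ...and the loading shows in the timing
        trace.append((round(gap, 2), "m"))
    return trace


def leaked_slots(trace):
    """Adversary's inference on the naive trace: any gap that is not the
    bare base interval marks a slot that carried a real message."""
    return [i for i, (gap, _) in enumerate(trace) if gap != BASE_INTERVAL]


def hardened_trace(seed, inputs, n_packets):
    """Isolated scheme. Returns (trace, delivered): trace is the observable
    list of (gap, type); delivered lists (packet_index, text) for audit."""
    rng = random.Random(seed)                  # never consulted by queue logic
    queues = {"m": deque(), "c": deque()}      # Thoth's outgoing buffers
    trace, delivered = [], []
    for i in range(n_packets):
        for kind, text in inputs.get(i, []):
            queues[kind].append(text)
        gap = round(BASE_INTERVAL + rng.uniform(0, MAX_JITTER), 2)
        kind = "m" if rng.random() < 0.5 else "c"      # the coin flip
        if queues[kind]:
            delivered.append((i, queues[kind].popleft()))
        # else a dummy packet of that type goes out; after padding and
        # encryption it is indistinguishable from a real one
        trace.append((gap, kind))
    return trace, delivered


def delivery_latency(inputs, delivered):
    """Packets each queued item waited before it went out (the 'wait for
    packet 7' cost of the coin flip)."""
    arrival = {text: i for i, items in inputs.items() for _, text in items}
    return {text: sent - arrival[text] for sent, text in delivered}


if __name__ == "__main__":
    busy = {3: [("m", "hello")]}
    naive = naive_trace(busy, 8)
    print("naive trace:", naive, "-> real message at slot", leaked_slots(naive))
    quiet, _ = hardened_trace(7, {}, 8)
    loaded, sent = hardened_trace(7, {3: [("c", "cmd")], 5: [("m", "msg")]}, 8)
    print("isolated: trace identical with and without traffic:", quiet == loaded)
    print("delivered:", sent)
```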

65535April 18, 2015 7:40 PM

@ Markus Ottela

“Just that, generic monitors.”

Thanks, I thought so but could not see any backlighting [they look very thin]. I saw the power supplies but could not see the wattage needed.

“$500-600 with cheap netbooks.”

That sounds in the range. I would need tools for soldering the data diodes, HWRNG and removal of radio transceivers, Bluetooth & Wi-Fi and speakers and camera [if mounted to the screen]. But, $600 seems doable.

“I've managed to use TFC with $20 4" monitors that had 320x240 resolution: It did caused fatigue to eyes. Resolution isn't that important as it's a terminal program; if you can fit ~80 readable chars to screen you should be good.”

Were these surplus monitors or new monitors?

“You can use any laptop that runs Kubuntu (IIRC it's more lightweight than Ubuntu and works. I haven't tried out all distros but at least Debian, Lubuntu and Xubuntu had a weird error with PyQt4 bindings that prevented NH.py from running). The constant transmission with CEV version at high repeat rates takes much more computing power from both sender and recipient but for general use.”

Would a PIII on an old IBM netbook[s] do? If it runs on a PIII does it have to use a specific level of processor [700 MHz to 1.1 GHz. I assume AMD is out of the picture]?

In the slides I did not see the power blocks for the 2 laptop combo. I am assuming the rig should run a time that exceeds battery life of the laptops.

“Ideal portable solution would be three ultrabooks with TxM and RxM having wireless devices, mics and speakers removed. Alongside those you only need four corded USB-RS232 adapters and the two data diodes: keys can be pre-generated at home. The NH can connect to public Wi-Fi or one tethered by your smart phone that bridges it to LTE or whatever.”

Very cool! How many power blocks would be needed assuming the entire portable device runs longer than battery life?

SkepticalApril 18, 2015 8:12 PM


In another illustration of Snowden's brilliance in trusting the judgment of journalists free of his own bias, a newspaper in New Zealand, along with of course The Intercept, has published an account of a collaboration between New Zealand and NSA to - shocker - intercept Chinese diplomatic communications.

I'm curious. At what point does Snowden say to journalists who publish information like this, I did not give you those documents to expose legitimate intelligence operations conducted against an authoritarian government. Publishing this material is wrong. And if we're never at that point, what does that say about Snowden?

Then there's the article Benni references, which pointlessly reveals significant information about US military operations on the slim justification that because a satellite relay station on a US base in Germany is involved, there are legal implications as to whether the communications involved were directed towards a lawful end. Never mind the utter vacuity of this position - in the course of making this argument, they felt the need to discuss various details of military network architecture and capabilities.

This isn't whistle-blowing. This isn't justified. It's a gross example of what happens when activists/journalists obtain classified information - they use it to whatever ends seem best to them, and their personal policy preferences.

And note to Snowden - these journalists are accountable for none of those policy preferences and none of their speech. If they're wrong, they pay no price - they're rewarded for the story and the attention, not the wisdom of their views. In other words, they are precisely the people you DO NOT want making decisions about what classified information is published and what is not. Ultimately the responsibility was yours.

GregoryApril 18, 2015 9:40 PM

http://arstechnica.com/tech-policy/2015/04/fbi-cant-cut-internet-and-pose-as-cable-guy-to-search-property-judge-says/

FBI can’t cut Internet and pose as cable guy to search property, judge says
The government claimed the search was legal because the suspects invited the agents into the room to fix the Internet. US District Judge Andrew P. Gordon wasn't buying it. He ruled that if the government could get away with such tactics like those .... then the government would have carte blanche power to search just about any property.


So, no warrant, just cut the cable, then say you are the cable guy. And you invite the cable guy in to fix your cable. Which you broke. And because the cable guy is not just the cable guy, but the FBI, he magically has the right to search your place.

So, any cable guy has the right to search your place if you invite him in. By that logic. Anyone you let in for whatever reason has the right to search your place.

Not criminal and not pissing on the constitution at all.

How often is this going on that is not reported. And what are the chances it will continue to go on despite the ruling.


GregoryApril 18, 2015 10:14 PM

@Skeptical

I'm curious. At what point does Snowden say to journalists who publish information like this, I did not give you those documents to expose legitimate intelligence operations conducted against an authoritarian government. Publishing this material is wrong. And if we're never at that point, what does that say about Snowden?

Looks like New Zealand broke two treaties they signed to perform this operation. Can not say I care much, but then, I also do not care that Snowden broke US laws to do his disclosures.

Who does. A bunch of fat cats having heart attacks that someone interrupted their pissing party over the constitution?

Those kinds of operations are just wastes of money anyway. They are self-destructive.

drone operation exposed


Drone operations are one of the biggest examples in human history of people engaging in wanton murder for no purpose at all. Highly self-destructive. Some kind of modern human sacrifice cult. Material reasoning for it is business contracts where money and favors end up in the pockets of officials.

It fights fire with fire under the auspices of 'well they are Muslims and don't like us'. They sure don't like you when you fly drones all around their country killing people.

Love and peace and justice. Go team.

Oh, wait. They are hate and war and crime. Sorry. Wrong team.


Oh God... What Have I Done?April 18, 2015 10:20 PM

Skeptical's in one of his effeminate tizzies again, this time because somebody ratted out the US government for intercepting Chinese diplomatic communications in breach of the Vienna Convention on Diplomatic Relations Article 27(2), which his revered government signed on the dotted line and enacted into US law. Skeptical never heard of that.

Then he's trying to make you genuflect and cross yourself to 'US military operations,' which is evidently some kind of magic words for dumbshit beltway losers like Skeptical. Dumbshit beltway losers like Skeptical click their heels and salute for 'military operations' by cowardly commuter drone pussies even when they breach Rome Statute Article 8.2.c.i and the corresponding provisions of universal-jurisdiction law. Skeptical never heard of that stuff either.

Skeptical's ineffectual stampy-foot beetface tantrum exactly conforms to the US government's ineffectual stampy-foot beetface tantrum. Waah-baby, Waah, Waah! You can't get at Snowden no matter how much he waggles his dick in your face. He can jizz on your flag and there's nothing you can do. Russia's bloc has more nukes than you. Their industrial base is more competent and less crooked than yours. Their platforms and systems are cheaper and better. Their nomenklatura are smarter than you. They know the law and they enforce it on your flabby timmie ass.

Suck it, loser.

BuckApril 18, 2015 10:24 PM

RE: Sony Leaks

They were notified by a reporter on February 11, 2014 that hackers had admin access to an SPE FTP server, and it was being used to serve malicious redirects. Not much follow-up that I could find there... The only other breaches I've seen so far involve third-party partners. Though there are a few audit reports that I found too boring to read...

For being so gung ho about anti-piracy efforts, they sure do play fast and loose with the copyrights of others! (Though, I suppose that's just how these things go - do as I say, not as I do):

Today, I was happy to see I wasn't the only one to find some humor in this subtle irony! :-D Slashdot link to The Daily Dot

Overall, the signal-to-noise ratio is far too low for my liking. I'm done digging for now...

FigureitoutApril 18, 2015 10:33 PM

Markus Ottela
--Of the RNG or the SDR? I'd be patient w/ the SDR, for my custom designs, sh*t even just working, I'm a real "nagging nancy"; raising questions I can't answer or even know how to get the answer and quadruple check every thing I do (eg. during a soccer referee class, I asked what the official rules would be if the referee got electrocuted by lightning strike, and um the guy was just like "well we'll call the match during that time" lol, who will?! The ref that just got electrocuted?!). Hopefully this leads to quality-products and I found the bugs before they get released...

I can't wait to try out the RNG and look at it w/ my (sh*tty scope :( ). So I noticed some meaty chunks of C code w/ a name that looked familiar, that Italian designer of the RNG you used. How easy was it to get the entropy to your computer? That's a concern of mine, getting the entropy onto the computer. But yeah don't worry, I got you bro! :p Hopefully I can squeeze that circuit into little shield box, and shielded cables, and it'll just be a little "tack-on" you can chew on that will harden TFC slightly (depends still on where original power comes from...ugh lol, but I figure you don't want even non-malicious noise affecting the circuit). I've been slacking on my blog, but when summer comes it'll be back in business. I enjoy reading detailed project logs very much, so I do the same (just takes a lot of effort, probably more than the damn project!). I spoon feed the reader, "open wide, here comes the airplane" lol. I figure if you can do it yourself you wouldn't be reading my blog in the first place, and if you are you just want to build it and get up and running w/o "theoretical" and "pseudo-code" etc.

programming is becoming increasingly fun when you know the code so well you can almost immediately pinpoint the reason for error.
--Yeah exactly! Way fun...annihilate those bugs.

Gregory
How often is this going on that is not reported.
--Quite a bit, they "fan the flames", then wait for retaliation and prosecute on that. Fortunately, they don't know what it means to be paranoid (the crippling kind that never rests, where you get anxiety attacks and feel like dying...) since they can walk around and not get prosecuted for their crimes, so they can be found fairly simply w/ traps. Unfortunately, they can commit crimes and not get prosecuted; this will continue until the US becomes an unlivable police state sh*thole; but there aren't many better places to move to as all countries are heading this way.

People looking for evidence, very simple. Say a bunch of keywords on your social media accounts. They'll have a hard time determining you're an actual threat so they'll put some agents on you. Then continue playing around until they break into your home while you're at school/work and continue to do so again and again and again for no reason. Then again. Then they just use a nonthreat as a bullsh*t reason to continue their worthless job of doing nothing tracking nonthreats, wasting taxpayer dollars better spent at NASA actually bettering our future...

FigureitoutApril 18, 2015 10:53 PM

Small document illustrating why EMSEC design is so hard (note it's dated 1999) [PDF warning for the mobile people and smartphones that by default download a pdf w/o asking]. Found via /r/rtlsdr, enjoyable read if you like this, otherwise, don't click it.

http://www.ti.com/lit/an/szza009/szza009.pdf

cinnamonbApril 18, 2015 10:56 PM

@65535 -

Thanks for your reply. I didn't really take notice, but I do think a lot of the Univ. and colleges on that list I saw were coastal. Interesting.

@Gregory - thanks for posting that link and blurb on the judge's ruling. Wish more of them had that kind of courage. @figureitout, I try to be optimistic, but in my cynical moments I wonder if for sure you're correct.

NSAIApril 18, 2015 11:30 PM

“America might hate the NSA right now,” a Lebanese intelligence official told the news service, “but they were able to actually hear the calls and warn us what was said.” https://medium.com/war-is-boring/leaks-and-consequences-dab158e91a15

"Everybody hate us, we don't care." Guy at a football game

Reading the leaks is more boring than war. It can be spun though into entertainment. The average spider uses more logic and imagination than most people. Yemen is out of gasoline. Water isn't looking like it'll last long either.

FigureitoutApril 18, 2015 11:39 PM

cinnamonb
--Appreciate the skepticism, I'm always skeptical myself of anyone and anything. Have you run my tests I told you to? Do you have any evidence to the contrary (even if it's just personal experience, I assume you wouldn't lie..). Do you have experience w/ these things is basically what I'm asking. There's a few people who could back me up but it would violate their "mission" or employers "contracts". I'm done w/ this, I have no interest helping here or working to help here, too many bad memories that haunt me.

I was encouraging a 2nd American revolution on social media to overthrow our current gov't and put in true representatives of the people (again...as our "republic" has staled and gotten corrupted w/ no blood spilled where it's needed). This of course got the gov't's attention. I assumed I would be safe due to "the constitution", that it wouldn't be all a bunch of bullsh*t, which it is now to me. You don't really have rights. And since they hire some of the "bottom of the barrel" "yes wo/men", that they don't train well just like every single profession today, they were easily found, no matter who. This has been ongoing for upwards of 5 years now; I'm thinking it will finally be ending as all the agents have mostly been disappointed w/ how boring it is (sorry guys, take that up w/ your employer).

Keep being optimistic though, if you want me to scare you I can (if you give me the info, which well, you probably won't know as I've practiced my approaches for a long time now..); but I'm mostly done w/ these games as I'm trying to focus on things that actually matter (not social games).

OT
--Nifty way to beat email spammers on websites, just do a base64 encoding of the address lol, then just keep mixing that sh*t up. Example here: echo bXl3aW5nODFAZ21haWwuY29tCg== | base64 -d Best email-spammer protection I've seen yet (besides pub keys).

Markus OttelaApril 19, 2015 12:04 AM

@ Thoth:

I'm hoping I can find someone willing to provide the service. Personal XMPP servers are also an option if the user has a static IP address -- newer versions of Pidgin require the server cert to be signed by a CA, so unless the user wants to spend additional money, an older version of Pidgin should be used. I'll look into the buffers when I have the time, thanks for the suggestion! The 24 hour period was just to illustrate the point that long breaks might not indicate anything to the adversary. When a message is added to the queue, the next message packet will be that message, so there's no reason to send dummy packets before the message -- whether or not a message exists, it should not affect the frequency of message packets compared to command packets.

"--as he needs to take in both the dummy and real packets before sending." I'm not sure I understand what you mean, sorry.

So, like I wrote in the update log, using the CEV version is recommended. The CEV version rotates keys by running them through the Keccak-256 hash function after every message, similar to the SCIMP protocol used in Zimmermann's Silent Text. This way key material is never exhausted. It's problematic because if the receiver is turned off for some time, it'll take time to 'catch up' by hashing the key from the previous session. Enabling constant transmission for the OTP version should probably not be done, yet I added the option as some users might find it practical if they have fast HWRNGs, large keyfiles and can meet at regular intervals.

@ 65535:

You can get the screens from dx.com. The 3D models are somewhat incomplete so the screens look somewhat blocky. Anyway, the laptops should probably be kept on battery power during use to eliminate covert channels via the PSU and power lines. I'm sure the OTP version works great as the RPi has around the same clock and performance; I can't vouch for the CEV version. You can try TFC on it before deciding on budget and investments: just select the local testing option in the installer. If the system needs to be on constantly, you need to be able to charge batteries for the devices faster than they exhaust. Also make sure the laptop has a second battery bay so you can swap in a new battery before you take the old one out. I'm not sure ultrabooks provide those; many business laptops do.

@ Figureitout
If you have the Raspberry Pi, just run the installer with the TxM installer; it'll download the Python programs and the two .c files, compile them and add execute permissions, and after that you can generate keyfiles by running "python genKey.py -h". You can also just launch the compiled entropy obtainer by running ./getEntropy. It'll output ones and zeros to the HWRNGEntropy file. The entropy should be whitened and converted to bytes, so using genKey is recommended.
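The per-message hash ratchet Markus describes above (the next key is the hash of the previous key, and a receiver that has been off or has missed packets catches up by re-hashing), as an added example that is not part of the original post or of TFC's own code. Python's hashlib has no Keccak-256, so SHA3-256 (same permutation, different padding) stands in for it; SHAKE256 is used as the keystream generator and HMAC for authentication. The packet counter, the packet layout and the Sender/Receiver class names are assumptions made for illustration, not TFC's wire format.

```python
import hashlib
import hmac


def ratchet(key: bytes) -> bytes:
    """One ratchet step: the next key is the hash of the current one.

    Stand-in assumption: SHA3-256 instead of the Keccak-256 TFC uses.
    """
    return hashlib.sha3_256(key).digest()


def keystream(key: bytes, length: int) -> bytes:
    """Per-message keystream derived from the per-message key (SHAKE256 as an XOF)."""
    return hashlib.shake_256(key).digest(length)


def tag(key: bytes, counter: int, ciphertext: bytes) -> bytes:
    """MAC over counter and ciphertext so a wrong key or an edited packet is rejected."""
    return hmac.new(key, counter.to_bytes(8, "big") + ciphertext, "sha3_256").digest()


class Sender:
    def __init__(self, shared_key: bytes):
        self.key = shared_key
        self.counter = 0

    def send(self, plaintext: bytes) -> tuple:
        self.counter += 1
        self.key = ratchet(self.key)  # the old key is discarded: forward secrecy
        ks = keystream(self.key, len(plaintext))
        ct = bytes(p ^ k for p, k in zip(plaintext, ks))
        return (self.counter, ct, tag(self.key, self.counter, ct))


class Receiver:
    def __init__(self, shared_key: bytes):
        self.key = shared_key
        self.counter = 0

    def receive(self, packet: tuple) -> bytes:
        counter, ct, packet_tag = packet
        if counter <= self.counter:
            raise ValueError("replayed or out-of-order packet")
        # Catch up: ratchet forward once per packet we have not seen. This loop is
        # the "takes time to catch up" cost the post mentions after a long break.
        key = self.key
        for _ in range(counter - self.counter):
            key = ratchet(key)
        if not hmac.compare_digest(packet_tag, tag(key, counter, ct)):
            raise ValueError("authentication failed")
        # Commit the advanced state only after the tag verifies, so a forged
        # packet cannot push the ratchet forward and desynchronise us.
        self.key, self.counter = key, counter
        ks = keystream(key, len(ct))
        return bytes(c ^ k for c, k in zip(ct, ks))


if __name__ == "__main__":
    shared = b"\x01" * 32  # constructed sample key; a real deployment uses HWRNG output
    alice, bob = Sender(shared), Receiver(shared)
    p1, p2, p3 = alice.send(b"first"), alice.send(b"second"), alice.send(b"third")
    print(bob.receive(p1))  # b'first'
    print(bob.receive(p3))  # b'third', after ratcheting twice to skip the lost p2
```

Because each message key is hashed into the next and the previous one is dropped, compromise of the current key does not reveal earlier traffic; the price is that a stale receiver has to perform one hash per missed packet before it can verify anything.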

WaelApril 19, 2015 12:15 AM

@Figureitout,

Small document illustrating why EMSEC design is so hard

Nice short paper. Electromagnetic fundamentals haven't changed much, so this paper I would think is still valid today.

ThomasApril 19, 2015 12:22 AM

A different story from New Zealand


'New Zealand is a "sitting duck" for a terror attack and should consider bag checks of shoppers and moviegoers, and increased surveillance in popular public places, a global expert in extreme events says.'

FigureitoutApril 19, 2015 12:49 AM

Markus Ottela
--Yes I have 1 RasPi (the older one), a problem for me, not you is I got a touch screen for christmas for it which I want to use, which kinda sucks as is (spacing for regular software, off; I'd need to adjust it for this screen); it needs a custom UI and large buttons doing some pretty simple task. I want to use this screen, this is my problem w/ something like RasPi and beaglebone, finding a use for it I think is sufficient.

So I'm assuming this is via USB? The physical connections are my main question. We did some pretty nice testing one time on what I would call "truly serial" debugging at work (we'd scroll thru a .txt file for values that would represent what something is doing electrically; it involved like 3 transistors and maybe 4 resistors, which connect via a TTL converter to a Serial converter, which then connects via USB to a terminal program). This is the kind of thing I want for my random numbers.

But I haven't tried what you said yet so we'll see (probably not going to buy some more RasPi's and computers for awhile as I have enough for right now).

Wael
--Yeah, it's a nice read. I still wonder why chips have "reserved" pins on them, what are they doing?

GregoryApril 19, 2015 12:58 AM

@Figureitout

You referring to the article about the informant? That was pretty bad shit. Read that yesterday. I felt sorry for the guy, "I don't like the word 'informant', I like to consider myself a 'civilian operative'". That is really fucking sad. I am not sure if what it all showed about the "cops" doing this shit wasn't even worse.

I gotta say it, but, "I don't know how they live with themselves". If I am in a bad mood and get overly cranky at my wife, even, I feel like shit afterwards. I have done a lot of good things. Risky shit. It makes me feel good about myself. No pretend, no bullshit. End of the day, I feel really fucking awesome. Excuse my french.

I risked, I hurt, I worked my ass off, and success or failure, it feels good.

Fear. I know all about it. And that is another thing. If you do not know fear you have not risked. I have had sons of bitches attempt to ram me off the road on a highway. I have had a gun pointed in my face. I have shit way way beyond that I can not even say, it would not make any sense. I know what it is like to drip in sweat with fear. I know what it is like to keep a poker face and still my heart and then, when I am finally home in some fucking rental - long term suite - to drink my ass off until I fall asleep bitching to a coworker.

OCD, PTSD, all over the place and WTF. I perform self surgery on myself. I see myself starting to visualize cars hitting me on the highway, I get on there and drive. I drive until the images go away. I get anxiety visions of this or that, I keep at it, because I do not give a fuck. I have priorities and a malfunctioning system ain't it.

But, yeah, whatever. If there are assholes out there playing batman with a badge while being lily livered, whatever. I am sure they feel like shit. I am sure they compensate and fake it. But that ain't a good place to be.

People looking for evidence, very simple. Say a bunch of keywords on your social media accounts. They'll have a hard time determining you're an actual threat so they'll put some agents on you.

I would not be surprised. Mall cops in disguise as Real FBI Special Agents. Holy shit - and excuse my french, but this is real - do they even have a dick? If you want to be a mall cop, go be a fucking mall cop. Play the lottery, maybe you will win. Informants are doing their job, and no wonder they get crap information. They pay them while they sit around with their feet on their desk.

I have much more respect for a mall cop like Blart than I do for a mall cop dressed up in some fake ass costume.

Put on lipstick, put on high heels, and go be a woman. When your kid is dressed up like spiderman, tell him, "This is exactly like my fucking job".

"I dress up in a suit and a badge and pretend I deserve it".

I do not know, what can one expect from being born from the ass of J Edgar Hoover, really?

GregoryApril 19, 2015 1:18 AM

@NSAI

“America might hate the NSA right now,” a Lebanese intelligence official told the news service, “but they were able to actually hear the calls and warn us what was said.” https://medium.com/war-is-boring/leaks-and-consequences-dab158e91a15
"Everybody hate us, we don't care." Guy at a football game
Reading the leaks is more boring than war. It can be spun though into entertainment. The average spider uses more logic and imagination than most people.

"NSAI", I gotta luv yah. I love WANNABES. You guys are so fucking funny. [**okay, working on my use of vulgar language, apologies.**]

No, but seriously. So cute! Wannabe, wannabe, wannabe. I feel like "boo" now. I get where he is coming from with this kind of thing.

Look, the NSA are not spies. They are nerds. They never were spies, they are not spies now, and they never will be spies. They are support. They set up wiring. They might hack something. You are never, ever going to see a true to life movie about ANYONE in the NSA. They are incredibly boring people who do incredibly boring things. But, they make for a very useful idiot patsy.

So, when you grow up you want to be a Real NSA Spy.

What are you doing right now? What kind of job is it you are doing that you are daydreaming about this and getting anxious and angry about those damned critics? Oh no. They are defaming my holy of holies. When I was eight years old, I dreamed of being a NSA spy. Now I am nineteen, I can only hope and - dear God - pray, maybe, just maybe, I can work for the NSA. I will walk on clouds to the office from my parking spot two miles away, and sing with the angels hymns, because, Holy God, I have a badge! A real fucking badge!

And then you go and try and find something Very Important To Do, only there isn't anything!

But, that is not real, is it. You are probably between 25 and 35 years old.

Well, here is that talk your daddy never gave you. 99.9999% of intelligence is completely useless. But if you want to speak authoritatively on a subject, it might be a good idea to actually study it, just a little? Instead of believing just what you want to hear, like a sucker?

Because in the Real World, people who are hungry for information are very, very good at seeing people for who they are. They have to be. And, yes, "The Real World" is slang for Something Something.


GregoryApril 19, 2015 1:43 AM

@cinnabomb/cinnamonb

@Gregory - thanks for posting that link and blurb on the judge's ruling. Wish more of them had that kind of courage.

Thx, glad to be of service. Read your posts above (I am avoiding work my boss has tasked me with while partying). There is an element of the NSA which has been focused on security infrastructure. They were doing code security before almost anyone else. The problem with these organizations is not that 'no one cares', nor 'no one is competent', nothing like that. There are always going to be plenty of good people, and even good organizations. But, people are human. They are weak and full of flaws.

Really, despite my lambasting of a poster above about the NSA, there are plenty of highly skilled professionals there who do a good job. Is it the best use of taxpayer money? No. Some of it is very good use. Most is not.

But most of the hell you see in the media, truly is the NSA being a 'useful idiot' for other government organizations. They are not people oriented groups. So, they get used by organizations that are more people oriented and wiser in social manipulation.

That does not mean those groups tend to be competent. Like almost any organization, a very small percentage will be very competent. But, competence is a two edged sword. The managers and many groups may not be 'socially competent' in terms of 'doing the right thing', but they typically will be very socially competent in terms of being dangerous, cunning animals who can roll with the good ones.

FigureitoutApril 19, 2015 1:52 AM

Gregory
--I don't like this...not going to continue after this. Too many bad memories, angry...now I'm angry. Angry, now my night is ruined on worthless malicious people. You don't know what these people can do to you, they're f*cked up; they have the gall to reveal themselves in public, giving up themselves and providing me w/ info I can sell to others. They will f*ck w/ you, they can afford to move into any house right next to you and break in your home at will (follow you all over at least continental US, haven't tested worldwide yet), then steal whatever ideas you have (so you have to go to ultra extreme mode for security implementations and hand them off to people that will protect them and release them silently). I hate them all so much, I will never do anything productive by choice for them. I can't say any more.

WaelApril 19, 2015 2:21 AM

@Figureitout,

what are they doing?

Sometimes nothing, sometimes it's not for public knowledge.

GregoryApril 19, 2015 2:35 AM

@Figureitout

Yet, here are you and here am I.

I am sitting here drinking coke and rum. It is Saturday night. I started to blab to you about "my week", but ended up deleting the whole thing. Oh, I could post it. Very few would be capable of believing it. Those who could, I want to talk to.

I don't give a fuck about those who couldn't. They are soft. They are not capable of anything. They have real parents and real siblings and a real background. Real wives or husbands and real kids. Seven hundred hours of training. Two thousand hours of training.

They had a childhood. They had middle school. They had high school. They had college.

They have real parents and real grandparents. Cousins, uncles, aunts. That are real.

So, when they fuck up? When they put their shoes up on their desk and say "fuck you"?

They have the sharks to answer to.

Born to kill.

They only know hunger.

"Hi Honey, I am home", does not happen.

Nothing is real, ever.

So.... my professional opinion as a Doctor, is to supply your self with some damned good marijuana and weed, put your feet up, and say, "Fuck it".

Have just a little trust that evil will always get theirs.

Pick up a glass, have a toast, and raise the Motherfucking Kraken. ;-)

:-) :-)

GregoryApril 19, 2015 2:37 AM

@Figureitout

Critical correction:

"marijuana and weed". Meant "weed" and BOOZE. :-)


Believe me, I am very aware everyone thinks no one is ever doing their job when houses are full of termites and rust. But, there really is more than people know.

SkepticalApril 19, 2015 7:18 AM


@Multinym: Diplomatic Relations Article 27(2)

Sorry, nothing here is in violation of either treaty. Perhaps you ought to rely on a more reliable guide as to the law?

breach Rome Statute Article 8.2.c.i

No violation here either. A very valiant effort on your part though, especially with all that grown-up vocabulary.

@Gregory: A bunch of fat cats having heart attacks that someone interrupted their pissing party over the constitution?

It's unconstitutional for the US to spy on the Chinese Government?

Those kinds of operations are just wastes of money anyway. They are self-destructive.

Neat that you're able to tell that all efforts to intercept the communications of a foreign government are just wastes of money.

Drone operations are one of the biggest examples in human history of people engaging in wanton murder for no purpose at all. Highly self-destructive. Some kind of modern human sacrifice cult. Material reasoning for it is business contracts where money and favors end up in the pockets of officials.

One of the "biggest examples in human history"? How much history have you read?

The purpose of these military strikes is quite clear: deny certain terrorist organizations safe haven, and degrade their leadership and other capabilities.

It fights fire with fire under the auspices of 'well they are Muslims and don't like us'.

Yes, that's it. The US spends months on end flying around Yemen and elsewhere because they just want to find Muslims to kill. Brilliant. Reality is a little more complicated.

ASVAB SS 42½April 19, 2015 8:59 AM

All you guys are skilled professionals in exacting, competitive fields. Nonetheless, now and then you need to communicate with low-normals. So practice with Skeptical.

Sure, Skeptical sounds like a liar parroting the standard US government deny-it-all trick, but give him the benefit of the doubt. Inviolate is a big word! Try to sound it out, it's really long. Maybe he thinks it's a color. Or a flower. And 8.2.c.i, where do they get all that stuff? It doesn't say! So he just makes shit up, can't support any of it, doesn't try.

He's trying sarcasm now. It only sounds ponderous and lame because you can't see the face he's making. He's still working on the basic, 'Huh, like fun.' When he can, he'll advance to ripostes that are funny or convey information.

Skeptical is the voice of the US government, only slightly dumbed down. Now you know why Bibi holds it in open contempt. Here is why the SCO and CELAC mock it as a laughingstock. Why the G-77 and G-192 ignore it and do their own thing. The bottom of the bottom of the barrel.

ThothApril 19, 2015 9:33 AM

@Canute
It is not surprising that such weak encryption is used in the field and I am guessing it's done by non-domain engineers trying to do security and encryption which is not their specialty.

NQ Mobile Vault's behaviour is considered minor if you compare it to more serious use cases like Government and Enterprise grade security which can hinge on certain security products that need to work as expected. The sad thing is many encryption libraries (closed source) sold to banks and Govt agencies (unsuspecting Govt agencies who somehow don't have domain expertise) fall for this kind of stuff, and I know of cases where these badly made/weak encryption products are currently operating in sensitive environments including banks, forex trading and so forth, and even supposed experts from companies well known for security standards (which I will not name) who are hired to do project management can be fooled as well because they do not ask enough good questions !!!

If the product is open source, it's much, much better as you can look through the code and vet it yourself.

If the product is closed source to some extent, you need to think hard about what you should expect and what they should provide.

If the product has open source code in it, you are entitled to ask the vendors to list the open source projects they use, and they need to answer; otherwise fault them if you are a Project Manager.

Here's a list to "piss off" the vendors but save yourself from trouble.

- What encryption algorithm are they using ? AES ? DES ? TripleDES ? Is it NIST Suite B algorithm ?

- What is the encryption key length being used? Many salespeople would confuse the key length with the block length but they are not the same, so be careful with this one.

- What is the mode of encryption being used ? CBC ? ECB (Which means no mode essentially) ? OFB ? GCM (Note that GCM is usually put together with AES for stream security but can be used with other 128 bit block ciphers) ?

- What is the padding mode ? Zero pad ? PKCS 5/7 pad (about the same) ?

- Is a message digest used, or how is the message secured from being tampered with? Is it simply a SHA-1/2 hash of the encrypted message, or is it a keyed MAC, or is it a message digest (SHA-1/2 or even MD5 in legacy systems) that is then signed with a keypair? Beware: this part gets a huge ton of nonsense from salespeople who don't know what they are talking about, or even from the engineers. I have seen engineers (non-domain programmers given security code to cut) trip over this when I ask them deeper into the details.

- How is replay attack prevented for secure messaging over a network channel? Many of them would be stunned at this part due to lack of replay attack resistance, but the weak version would be to pass around nonces encrypted. The stronger ones would be cryptographic games with the nonces encrypted (you send me a nonce and I hash it and send it back signed with a MAC or PKI key, and rinse and repeat).

- Key exchange methods and establishment of secure channels and preventing spoofed secure channels are usually spat out by sales people from slides which they have very little clue how it works and cannot answer properly.

- In regards to hardware security modules or hardware-based security, you can ask for the FIPS 140-1 or FIPS 140-2 level. The -1 is version 1 of FIPS 140 and -2 is version 2. They have somewhat differing requirements. In the current FIPS 140-2 levels, Level 1 is awarded just by implementing NIST Suite B algorithms, Level 2 for tamper evidence, Level 3 for some form of tamper resistance and Level 4 for EMSEC security. Tamper evidence would mean anything from those 3D tamper stickers to epoxy potting for hardware chips to complex software algorithms to protect memory from easily de-obfuscated software-based trip circuits. Tamper detection and reaction for FIPS 140-2 Level 3 would mean you have to at least react to detected tamper, the most basic and most common tactic being zeroizing keys from memory. Level 4 must be secure against environmental attacks like temperature, voltage and memory changes, and of course protect against DPA/SPA and fault attacks and EM radiation.

Vendors like to brag but if you ask them the tamper circuitry matching their FIPS level, they would start to work harder. You might not become friends with the vendors and get good pricing because you make them work harder but you make yourself more secure by rooting out bad products from your purchase list.

- In regards to the CC EAL levels, @Nick P would be very knowledgeable about it. For what I know, MS Windows, Linux, Thales and Safenet HSMs are all rated at CC EAL 4+, even though Windows and Linux are not considered security products while the security products, the HSMs, are also given CC EAL 4+. The likely reason is how much formalization goes into the product design (ad hoc design with added features for security, or highly well scripted and well planned security with tonnes of formalized proofs and documentation, CC EAL 6/7 being the best).

I have spoken to an encryption-at-rest vendor and when I asked the CC EAL, it was like the first time the salesperson had ever heard of such a term and they could not reply; for the FIPS level, the salesperson tried hard to use the generic "Hey, it's FIPS 140 certified" when I tried to ask for the exact FIPS 140 level, and the promotion slides were confused between FIPS 140-1 (version 1) and FIPS 140-2 (version 2).

- If you are purchasing hardware security products, you need to know the cryptographic security processor (crypto-chip) used. The place of chip manufacturing would be a nice to know information. Knowing the chip model, you can go online to search for them if possible. It would be nice to know if the chip is a fully integrated processor with security functions (like the ARM style TrustZone) where you run a secure environment, insecure environment and also a crypto-processor all packed into a single IC chip. Another variant is a normal processor with a security co-processor (TPM modules) which @Wael seems very familiar with.

I know all these small points (there are many more to consider than my above list) would put the hurt on vendors and make them really pissed, but it's better everyone knows what they are purchasing than to regret the spent cash later, and for the vendor it saves the trouble of unhappy customers or even lawsuits.

Most people simply fall for nice advertising schemes (of course they are not literate on security) which even the "experts" of the field may also trip over.

Security is hard to get right and the good ones are usually hounded by Govt Agencies wishing to manipulate these good products for their own selfish ends and bitter squabbles on the global arena.
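Two of Thoth's checklist items above (is the message protected by a plain digest or by a keyed MAC, and how are replays stopped with nonces) worked through as an added example, not part of the original post or of any vendor product. It uses only Python's hashlib, hmac and secrets modules; the "transfer" message, the attacker helpers, the Verifier class and the shared-key setup are constructed for illustration.

```python
import hashlib
import hmac
import secrets

DIGEST_LEN = 32  # SHA-256 / HMAC-SHA256 output size in bytes


def protect_with_digest(message: bytes) -> bytes:
    """The weak design: an unkeyed SHA-256 digest appended to the message."""
    return message + hashlib.sha256(message).digest()


def verify_digest(blob: bytes) -> bool:
    message, digest = blob[:-DIGEST_LEN], blob[-DIGEST_LEN:]
    return hmac.compare_digest(digest, hashlib.sha256(message).digest())


def protect_with_mac(key: bytes, message: bytes) -> bytes:
    """The stronger design: HMAC-SHA256 under a key both endpoints share."""
    return message + hmac.new(key, message, "sha256").digest()


def verify_mac(key: bytes, blob: bytes) -> bool:
    message, mac = blob[:-DIGEST_LEN], blob[-DIGEST_LEN:]
    return hmac.compare_digest(mac, hmac.new(key, message, "sha256").digest())


def forge_digest(blob: bytes, old: bytes, new: bytes) -> bytes:
    """Attacker edits the body and simply recomputes the unkeyed digest."""
    return protect_with_digest(blob[:-DIGEST_LEN].replace(old, new))


def forge_mac(blob: bytes, old: bytes, new: bytes) -> bytes:
    """Attacker edits the body but, lacking the key, can only keep the old tag."""
    return blob[:-DIGEST_LEN].replace(old, new) + blob[-DIGEST_LEN:]


class Verifier:
    """Server side of a nonce challenge-response over a shared key.

    Each nonce is issued once and consumed on first use, so a captured
    (nonce, response) pair cannot be replayed later.
    """

    def __init__(self, key: bytes):
        self.key = key
        self.outstanding = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def check(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self.outstanding:
            return False  # never issued, or already used: treat as a replay
        self.outstanding.discard(nonce)  # single use, regardless of outcome
        expected = hmac.new(self.key, nonce, "sha256").digest()
        return hmac.compare_digest(response, expected)


def respond(key: bytes, nonce: bytes) -> bytes:
    """Client side: prove possession of the key over the fresh nonce."""
    return hmac.new(key, nonce, "sha256").digest()


if __name__ == "__main__":
    key = b"k" * 32  # constructed shared secret for the demo
    msg = b"transfer 100 to alice"
    print(verify_digest(forge_digest(protect_with_digest(msg), b"100", b"900")))  # True: digest does not help
    print(verify_mac(key, forge_mac(protect_with_mac(key, msg), b"100", b"900")))  # False: MAC catches it
    v = Verifier(key)
    n = v.challenge()
    r = respond(key, n)
    print(v.check(n, r), v.check(n, r))  # True, then False on replay
```

The point to take into a vendor meeting: a hash appended to a message (or to a ciphertext) only detects accidental corruption, because anyone who can change the message can recompute the hash; integrity against an active attacker needs a key the attacker does not have, and replay protection needs freshness that the verifier itself generates and tracks.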

Ollie JonesApril 19, 2015 9:52 AM

http://www.gao.gov/assets/670/669627.pdf


This US General Accounting Office report is interesting. Some dopes in the popular press picked up on it saying "passenger wifi is linked to airplane control", because vague mention of that was made in the abstract. But, of course, the report isn't about that at all.

It's more interesting in its recommendation that the FAA develop a holistic "agency-wide threat model" for its NextGen IP-based air traffic control system.

Haven't we outgrown the idea that the developers of a large-scale system should also be responsible for testing it? Haven't we understood, for a long time now, that developers have blind spots about their own work?

The danger of blind spots is only amplified by large bureaucratic organizations spending tons of money. If the FAA has "a" threat model, won't potential threats lying outside that model's scope get ignored or suppressed?

Public safety might be better served by a bug-bounty system, or by retaining several teams of outsiders to penetration-test a system like this.

But it will take some serious organizational discipline to pull this off. Every software developer knows there's a twinge of embarrassment when the QA krewe finds a defect. Hopefully the NextGen team will be similarly embarrassed by the most ingenious of their pen-testing teams. And hopefully their organization will have the good sense not to punish them, but to support them in the repair of those defects.

MarcusApril 19, 2015 10:42 AM

@skeptical


I did not give you those documents to expose legitimate intelligence operations conducted against an authoritarian government. Publishing this material is wrong.

Agreed.

The thing the Snowden documents haven't shown is the government engaging in clearly criminal acts that everyone could relate to on a visceral level the way the revelations about COINTELPRO did.

For example, no disabling of political opponents' lives, with some big caveats.

Clearly, the trumped up internal performance reviews and subsequent firings or forcing out of would-be whistleblowers and also the double-standard prosecution of leakers shows that they do persecute those whom they see as "against" them while overlooking the same behaviors by those who are "for" them.

https://en.wikipedia.org/wiki/Jesselyn_Radack

But as far as has been shown, the NSA is not framing, murdering, disappearing, kidnapping or smearing non-terrorists, just regular citizens engaging their Constitutional rights with no arguable connection to, say, pilfered documents (Assange) etc.

I can think of many counter arguments - what HB Gary Federal was preparing to do to Greenwald for the Chamber of Commerce

http://www.nakedcapitalism.com/2011/02/chamber-of-commerce-law-firm-studied-disinformation-smear-and-coercion-campaign-against-opponents.html

and of course there's a pattern of charging inconvenient people with "sex crimes" Assange, Scott Ritter,

https://en.wikipedia.org/wiki/Scott_Ritter

and Strauss Kahn, whose offense seems to be having suggested replacing the dollar as the international reserve currency..

http://www.theguardian.com/business/2011/feb/10/imf-boss-calls-for-world-currency

http://www.wopular.com/jailed-imf-chief-resigns-maintains-his-innocence-0

https://en.wikipedia.org/wiki/Dominique_Strauss-Kahn_sexual_assault_case

http://www.reuters.com/article/2015/02/16/us-france-strausskahn-idUSKBN0LK1QH20150216

but no one actually knows who was behind that and this is my point. There is no smoking gun of the sort people can clearly and unambiguously identify with.

The revelation that they're archiving all our activities online absolutely has worrisome future scenarios associated with it and given known human behavior and how those in power view their would-be usurpers, democratic and otherwise, those scenarios are very likely to be realized. And they were clearly trying to hide this from not just the electorate but Congress also.

This in a lot of people's opinion is subverting the rule of law, of subverting the consent of the governed. Secret interpretations of secret laws being implemented in secret .. it's tough to make a case that this is OK in a democracy.

But nothing that has been revealed by Snowden's documents yet shows a kind of anti-democratic, police-state smoking gun of the sort that inspired the Church Commission and led to the creation of the FISA court in the first place.

The release of secrets for the sake of releasing secrets is counter productive across the board and to all parties. We have real national security interests which are being compromised.

There is no shortage of lunatics and lunatic movements which would love to work their way in the world and no shortage of people willing to sign on to those movements. Even in so called developed nations amongst educated people who supposedly maintain their intellectual and personal lives within something resembling rationality, we have Scientology:

http://www.usnews.com/news/entertainment/articles/2015/04/13/hbo-scientology-film-proves-popular-for-network

So guess what goes on in Waziristan and Yemen and elsewhere and what it is they'd love to do given a chance. These forces don't just "go away" or "stay over there". They're not isolationists. It's just a fact about the world.


Look, if crimes are being committed or the basic way our democracy is being run has been subverted, however "legally" (FISA court says it's OK!) then we need to know about that and let the whistle blowers come forth. Most people, even in the Executive and the NSA, would agree with that .. there are no good poll numbers for living under the Rule of Men, de facto or explicit.

But the leaking of secrets with no possible connection to above is totally gratuitous and destructive to our real national interests.

Hoyt ZidnickApril 19, 2015 11:04 AM

@ Ollie Jones:

Haven't we understood, for a long time now, that _____?

Yes. But we can milk this for another billion if we pretend we haven't.

FTFY

Martin WalshApril 19, 2015 11:14 AM

Sounds like you believe sound technology will always be recognizable to you, it has to be something you've seen before; it's familiar to you and that in itself is good and sound. It also reminds me of these people who drive into swamps and drive off cliffs because they followed their GPS and did exactly what it said.

albertApril 19, 2015 11:21 AM

@Ollie
The FAA has an extremely poor record when it comes to ignoring flight safety problems and NTSB recommendations. It usually takes some serious crashes to get them moving. This is most likely due to excessive corporate influence. Airlines don't want to spend more money on aircraft.
.
Modern passenger aircraft already have remote control capability. Couple that to a good system that knows where everyone is, and you could eliminate 'crazy pilot' scenarios, mid air collisions, flying into the ground, incorrect landing approaches, etc.. Hackable control systems are another issue.
.
Remote fly-by-wire systems are a tempting target, not only for terrorists, but nation-states as well. Secure design is super critical, I agree.
.
..

paranoia destroys yaApril 19, 2015 11:26 AM

Telephone spam is cheap to send.
The article briefly mentions phone spoofing without naming the technique of hiding the number being called from.

http://arstechnica.com/information-technology/2015/04/the-new-spam-interactive-robo-calls-from-the-cloud-as-cheap-as-e-mail/


When blue boxes in the 1970s allowed for free phone calls, the telecoms defeated the hack by rebuilding the phone system to no longer use audio tones to control functions. Today they just add more equipment to handle the increased traffic. Some days I get a half dozen robocalls compared to only 1 or 2 desired calls. At some point we may face a DOS of the phone system from these unwanted sales pitches.

Lawmakers try to regulate without understanding technology. The telemarketer may be out of their reach in another country anyway. Solutions may be to work with the tech industry to better understand how to identify spoofed numbers.

I admit not having the skills to solve this but learned a few things from working with someone that might since he built a private phone switchboard for the neighborhood kids while still a teenager.

tyrApril 19, 2015 2:04 PM


Cory Doctorow has an expose of ISIS on boingboing, supposedly charts their cyberwar capabilities.

I'm reminded of the newsguy Tim and his marvelous drawing of Osama's hideout cave complete with reactor power and swivel chair for cat stroking.

I always suspect neatly drawn charts the same way I am suspicious of neatly drawn arguments. Others love flowcharts and the software they produce is unmitigated crap. There may be a connection in that assumption.

Mike (just plain Mike)April 19, 2015 2:26 PM

@albert

You (or possibly someone else) have, I think, mentioned this before:

Modern passenger aircraft already have remote control capability

Last year I spent quite a bit of (my spare) time getting my head around the technicalities of the satellite data from the unaccountably lost aircraft MH370. As I'm sure you can imagine there are many conspiracy theories surrounding this subject.

During blog discussions it seemed to be the opinion of those who claimed to know about these things that remote control capability, though often proposed, has always been opposed by pilots and others, and has never actually been implemented. I'd be interested to clarify if you're saying only that it is possible, or maybe even implemented in principle - or if you are saying that it is currently deployed, and currently capable of being activated on aircraft flying right now.

FigureitoutApril 19, 2015 3:39 PM

Ollie Jones
--People are already trying: https://securityledger.com/2015/04/hacker-on-a-plane-fbi-seizes-researchers-gear/

Coming across another story about the FM radio chip in all smartphones now (integrated all in one chip, remove it and no wifi). Found a "real-ish" datasheet finally for the BCM4330 here: http://www.datasheet-pdf.com/datasheet/BroadcomCorporation/785814/BCM4330.pdf.html, so many "no's"...the FM radio is connected to an ARM M3 cortex and bus lines for RAM, which there's a potential path to other areas. The power regulators are programmable (I've noticed occasionally my phone burns quite a bit of battery and gets really warm for a day or so, probably malware); some ass could just waste power. I'm familiar w/ these "power modes", seems it's similar for these more complex chips. Aside from removing the damn thing if you don't want it, it'd be nice to physically pin them since I can hardly trust software on a smartphone and I'm not sure if these are just settings in a flash rom, or how to change them (for instance, looking into when you switch off wifi and data, *maybe* it puts it in "doze mode"), but you can still text and get calls.

On-chip mp3 encoding looks interesting...
"In this mode of operation, the device can record the FM audio to MP3, then output the MP3 data over the HCI interface." The "air hopper" attack used RDS http://en.wikipedia.org/wiki/Radio_Data_System for an attack via the FM portion of the chip! http://en.wikipedia.org/wiki/99.9FM_radio_malware

The PSM (programmable state machine) in the WLAN chunk of the chip (this chip, each radio has its own ROM/RAM, non trivial amounts, so many places for malware to hide!) is a microcontroller that fetches instructions from microcode memory. Read about it if you want, that's another prime place for attack.

If you can get to the appropriate places, you could maybe hook up a current meter to each block and have a beeper go off or warning if it gets around 50-60 mA (receive on), or 250-300 mA (transmitting); but that's doubtful, way too small probably, the SoC looks like surface mount pads.

albertApril 19, 2015 4:03 PM

@Mike
I'm guessing here.
We know Flight Control Computers (FCCs) can land a plane. I've seen demos. It's probably not trivial, but an additional "wireless" interface to the FCC is all that would be required. I'll bet dollars to donuts that that capability is already at hand, and ready to be implemented, and that the avionics guys are ahead of the curve. If it is now implemented in the aircraft, it's a well-kept secret, and correctly so. Full implementation may require only external equipment.
.
Good pilots object when they lose control of the systems they are responsible for. I agree. Give me a Sullenberger over a computer any day! Computers are great, but systems architects can't 'program in' all the 'what ifs'. Air France 447 crashed, not because of an air speed sensor failure, but because the pilots didn't know what to do in that scenario, or didn't recognize the scenario (nose up, 85% throttle). Better pilot training can help. Detailed study of the human/machine interface is _essential_. Every sensor failure needs an immediate and accurate warning, with mitigation procedures annunciated from the system, not in a manual somewhere. If the transponder couldn't have been switched off, Malaysia Air 370 could have been traced to wherever it ended up.
.
These systems are already complex. Adding radio control is yet another layer of complexity. It also adds the possibility of 'bad pilots' being anywhere in the world, instead of the cockpit. How far can we go in stopping bad pilots? Can automation do it? Or are suicidal bombers, pilots, and shooters symptoms of deeper systemic problems in humanity itself?
.
...

SkepticalApril 19, 2015 5:46 PM

@Marcus: I mostly agree with you, though I don't think Ritter, Assange, or Strauss-Kahn have been framed.

I do wonder about Snowden's actual motivations from time to time - was he naive, is his ideology more radical than he's revealed, was he duped, etc. I try to give him the benefit of the doubt, but when stories like those are published, it makes me pause.

@ASVAB: Inviolate is a big word! Try to sound it out, it's really long. Maybe he thinks it's a color. Or a flower.

You've managed to quote a single word from one of the treaties you referenced. Very well done. The journey of a thousand miles, after all, begins with a single step.

And 8.2.c.i, where do they get all that stuff? It doesn't say! So he just makes shit up, can't support any of it, doesn't try.

You fell down a bit here, I'm afraid. When you want to make a serious effort to mount an argument, I'll take you seriously. I'll even start you off: "I think UAV strikes in [country] are war crimes or their equivalent because [reasons]...."

Skeptical is the voice of the US government, only slightly dumbed down. Now you know why Bibi holds it in open contempt. Here is why the SCO and CELAC mock it as a laughingstock. Why the G-77 and G-192 ignore it and do their own thing.

On second thought, I may have set a very high bar here in promising to take you seriously if you attempt an actual argument. You'll understand, no doubt, if I lower it for myself.

Sancho_PApril 19, 2015 6:02 PM

@ Figureitout 1:40 PM

re NI’s Multisim electronics design software:
Check out (Mouser’s) free MultiSIM BLUE version, e.g.
http://uk.mouser.com/multisimblue/


@ Skeptical 8:12 PM
”… Ultimately the responsibility was yours.” (Snowden's)

Nope.
Doing the wrong thing is wrong, not the revealing or talking about.
To classify wrongdoing only makes it worse.
Spies are responsible for spying.
It’s wrong, one doesn’t need to call it “hacking” to make it wrong.
Mind you: It’s also wrong when the US engages in spying (if not in war).

http://www.thedailybeast.com/articles/2015/04/08/obama-to-putin-stop-hacking-me.html

But everything is under (US) control:
“We know what you are up to, and how you are doing it.”

“dramatic rise … since the sanctions regime was put in place against them last year”

Why does it remind me of the terror scene?

Leads to drone operations:
Murder is murder, also when it’s done by the US.

Yes, it’s complicated, but aggression isn’t going to solve that puzzle, on the contrary.

AlanSApril 19, 2015 7:28 PM

@Gregory

Well, there is always the problem of factionalism. Ideally, there is some type of check on it. This is what Hume, Madison and others tried to address. There isn't a solution; it's a constant struggle.

The Richard Boehlke Meritorious Service MedalApril 19, 2015 8:28 PM

Lookit fact-free abstract bullshitter Skeptical trying to hand out work assignments like a big shot: ignore the overwhelming NGO and UNO evidence while demanding that it be boiled down to 7th-grade level or whatever it is you need. Manipulative weasel FAIL. In an actual meritocratic organization, you'd be road kill. For your own personal hopes and dreams, though, you're right on track with the no vestige of integrity thing.

So far so sad. But rub Skep's nose in US state isolation and disgrace and he decompensates right back to Sniffy Sniffington flouncing away. He just can't handle it when the backwater ass he kisses becomes irrelevant to the civilized world.

Pro tip: compulsive reversion to neurotic affectation of superiority, it don't work so good if you're dumb.

NSAIApril 19, 2015 8:40 PM

Like anything else, the smart thing to do is sue the NSA. This Snowden case is worth billions in losses. The only way to find out what's going on is through the legal process. They were providing poisoned water at the military bases. The criminals and contractors denied everything. The Swiss cheese blimp is providing Swiss cheese security in DC and covering an area the size of Texas. Billions and billions in failure.

Nick PApril 19, 2015 8:46 PM

@ Skeptical

"And note to Snowden - these journalists are accountable for none of those policy preferences and none of their speech. If they're wrong, they pay no price - they're rewarded for the story and the attention, not the wisdom of their views. In other words, they are precisely the people you DO NOT want making decisions about what classified information is published and what is not. Ultimately the responsibility was yours."

I still agree with this assessment. Even the few sources focused on journalism rather than sensationalism have the wrong incentives. Snowden admitted he did it for selfish reasons.

That said, I don't think he'd get a fair trial or justice if he returned. Running is quite justified when you piss off those wielding Espionage Act and State Secrets defense in combination. Those investigations and trials have been a sick joke for the whistleblowers.

NSAIApril 19, 2015 9:21 PM

"In an op-ed in The New York Times, Tretikov and Wikipedia founder Jimmy Wales argue that NSA surveillance not only harms US citizens, but also those working in oppressive regimes overseas" https://www.theverge.com/2015/3/10/8181651/wikipedia-sues-nsa-surveillance

I don't know. Usually the fraud and debt go up together and then boom, something snaps and then comes the crash.

Also: Meet the NSA's disturbing Earth Day mascot, Dunk
Dunk is a trash can taken from the stuff of nightmares and repurposed by the NSA
https://www.theverge.com/2015/4/19/8453531/nsa-mascot-dunk-earth-day

Your cash ain't nothin' but trash.

Here we go.
Yeah, you may have heard about the gangster of love and the space cowboy, but I'm gonna whip a cat on you right now who's had more trouble, trials and tribulations.

NSAIApril 19, 2015 9:42 PM

Just to make a hit with that chick
I tried to get a Cadillac right quick
The man at the place he looked so strange
I had 900 bucks and some change

We disagreed
I tried to plead
Well, he said I ain't a chicken
And I don't need your feed

Your cash ain't nothin' but trash
Your cash ain't nothin' but trash
Your cash ain't nothin' but trash
Well, baby you're crawling way past your speed

They sent fools 4500 bucks for new Cadillacs and lost a couple billion bucks. Create jobs in Detroit by losing billions. Then steal data to protect everybody. We can make plastic cards with old milk jugs and use them for trade because the cash is nothing but trash. Don't air raid DC, ride in on horses and deposit a pile of crap on the lawn. Bag it and tell people to smoke it for a high for Earth day. Yeah man it's good shit!

Markus OttelaApril 19, 2015 10:59 PM

@ Nick P, Thoth:

Damn. I began to wonder how the headers affect padding when length of message reaches max packet size. Turns out 138/139 byte messages had dummy blocks after all and so if communication had happened to be of that length, it would've shown to the adversary as longer ciphertext. That issue is now fixed and I even added an assert function to padding method to make sure this error is gone for good; I feel ashamed I didn't do this a long time ago. Also, crashes with long messages arose due to improper refactoring of variables when aiming for the PEP8 recommendations, that's fixed now. I also wrote a tester to check various types of inputs and fixed any errors and crashes that occurred when user gives bad parameters to commands.

ThothApril 20, 2015 12:37 AM

@Markus Ottela
It is always a good consideration to plan out the message format in advance and have some redundancy in the packets where you can dump in random data for padding and when you need the redundant space, you simply convert the available space for something else like extra message headers and flags.

Some thoughts on advanced protection against leveraging predictable header data patterns to attempt to do chosen plaintext attacks might be to use a combination of well formatted and controlled data structure formatting and randomly padding before and/or after a data structure format.

Something like:
This isn't a necessity for now but would be a nice feature to have.

ThothApril 20, 2015 12:38 AM

@Markus Ottela
Forgot the post would automatically filter off invalid tags so here's another try at it...

Something like:

{random-length-pad-data/}
{packet-data-struct}
{header-flags/}
{data-length/}
{data-content/}
{/packet-data-struct}
{random-length-pad-data/}

This isn't a necessity for now but would be a nice feature to have.
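An added worked example of the fixed-size packet layout sketched above, combined with the length assert Markus Ottela mentions in his post; this is written for the thread and is not code from either commenter's project. The 256-byte packet size, the one-byte flags and two-byte length fields, and the leading pad-length byte (so the receiver can find the structure) are assumptions of this example.

```python
import os
import secrets
from typing import Callable, Set, Tuple

# Constructed parameters for this illustration (assumptions, not values from the thread).
PACKET_SIZE = 256          # every packet handed to the cipher is exactly this long
PRE_PAD_LEN_FIELD = 1      # one byte telling the receiver how much leading pad to skip
FLAGS_LEN = 1              # header flags byte
LEN_FIELD = 2              # big-endian payload length
OVERHEAD = PRE_PAD_LEN_FIELD + FLAGS_LEN + LEN_FIELD
MAX_PAYLOAD = PACKET_SIZE - OVERHEAD   # 252 bytes; longer messages must be split by the caller


def encode_packet(payload: bytes, flags: int) -> bytes:
    """Build {pre-pad}{flags}{length}{payload}{post-pad} as one fixed-size packet.

    The split between leading and trailing pad is drawn at random, so the header
    does not sit at a predictable offset, while the total length never changes.
    A constant cleartext size means the ciphertext size carries no length signal.
    """
    if not 0 <= flags <= 0xFF:
        raise ValueError("flags must fit in one byte")
    if len(payload) > MAX_PAYLOAD:
        raise ValueError(f"payload of {len(payload)} bytes exceeds MAX_PAYLOAD={MAX_PAYLOAD}")
    slack = MAX_PAYLOAD - len(payload)          # total pad bytes available
    pre_len = secrets.randbelow(slack + 1)      # uniform over 0..slack inclusive (<= 252, fits a byte)
    post_len = slack - pre_len
    packet = (
        bytes([pre_len])
        + os.urandom(pre_len)
        + bytes([flags])
        + len(payload).to_bytes(LEN_FIELD, "big")
        + payload
        + os.urandom(post_len)
    )
    # The invariant the thread discusses adding to the padding routine: fail loudly
    # if header plus padding ever yields the wrong size, instead of leaking on the wire.
    assert len(packet) == PACKET_SIZE, f"padding bug: {len(packet)} != {PACKET_SIZE}"
    return packet


def decode_packet(packet: bytes) -> Tuple[int, bytes]:
    """Inverse of encode_packet; rejects malformed packets rather than guessing."""
    if len(packet) != PACKET_SIZE:
        raise ValueError("packet has wrong size")
    pre_len = packet[0]
    pos = PRE_PAD_LEN_FIELD + pre_len
    if pos + FLAGS_LEN + LEN_FIELD > PACKET_SIZE:
        raise ValueError("leading pad overruns packet")
    flags = packet[pos]
    pos += FLAGS_LEN
    length = int.from_bytes(packet[pos:pos + LEN_FIELD], "big")
    pos += LEN_FIELD
    if length > MAX_PAYLOAD or pos + length > PACKET_SIZE:
        raise ValueError("declared length overruns packet")
    return flags, packet[pos:pos + length]


def check_length_invariant() -> bool:
    """Every payload length from 0 to MAX_PAYLOAD must round-trip in exactly PACKET_SIZE bytes.

    This is the boundary case from the thread (messages right at the maximum), checked
    exhaustively instead of being discovered in production.
    """
    for n in range(MAX_PAYLOAD + 1):
        payload = bytes([n & 0xFF]) * n
        packet = encode_packet(payload, n & 0xFF)
        if len(packet) != PACKET_SIZE or decode_packet(packet) != (n & 0xFF, payload):
            return False
    return True


def observed_header_offsets(payload: bytes, trials: int) -> Set[int]:
    """Offsets at which the flags byte landed over several encodings of the same payload.

    With random leading pad the set has more than one element, which is the point of
    padding before the structure as well as after it.
    """
    return {PRE_PAD_LEN_FIELD + encode_packet(payload, 0)[0] for _ in range(trials)}


def raises_value_error(fn: Callable, *args) -> bool:
    """True if fn(*args) is rejected with ValueError; used to check malformed input handling."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed 138-byte message, the length that exposed the padding bug in the thread.
    msg = b"A" * 138
    pkt = encode_packet(msg, 0x01)
    print(len(pkt), decode_packet(pkt)[1] == msg)                     # 256 True
    print(check_length_invariant())                                   # True
    print(len(observed_header_offsets(b"m" * 100, 60)) > 1)           # True
```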

Clive RobinsonApril 20, 2015 12:46 AM

@ Sancho_P,

Doing the wrong thing is wrong, not the revealing or talking about. To classify wrongdoing only makes it worse. Spies are responsible for spying. It’s wrong, one doesn’t need to call it “hacking” to make it wrong.

When I was young I was told like most others of my age "Two wrongs do not make a right", but compulsory "Bible Studies" quickly showed that "The wrath of God" and "Eye for an Eye" were the actual reality of people's thinking and behaviour and has been for as long as history has been recorded.

A large part of the US is "Christian" in a way many others can not comprehend and there is the notion taught from an early age that God is "perfection" and thus there can be no wrong, and no wrong can be done by God or those "acting in his name". Then there is the reinforcement of this and the transference process, such that many Americans instinctively give the same thinking / view point to the US LEOs and other Federal agencies. Thus when a police officer shoots an unarmed civilian (as happens way too frequently) the mental attitude is not "What are the actual facts" but the "blame the victim" thinking of "The perp deserved it".

Even when it's shown beyond reasonable doubt the LEO has behaved as a murderer and lied and other LEOs have lied to cover for them, the PR machine gets started... And the usual nonsense starts which goes through the "judgment call", "work stress" etc excuses to finally the institution protecting "rogue actor". But even then the officer concerned is unlikely to receive a criminal sanction that is acceptable for the crimes they committed, and nothing like that of a non LEO committing a murder would receive.

Whilst a few US citizens are only too aware that they have "no rights" with the LEOs they come across, they are also aware that it's not isolated individuals acting as "stressed out rogue agents making poor judgment calls" it's "built into the system from top down" throughout the justice system not just the LEOs. The bulk of the rest of the US citizenry however either do not want to see it as being anything other than the victims fault or buy into the PR machine view, with the result the "institutional wrong" problem becomes more entrenched.

Do you honestly think that these people who can not accept what happens in the US justice system in more or less plain sight are even remotely close to accepting what the more covert of the US Federal agencies are up to?

The simple answer is no, they have not yet got to the point of being able to think on "My Country right or wrong", because they just can not get to grips with the notion of "institutional wrong" and that their country could commit wrong. And you can see from the US press --that does make it out of the US-- that the US press are not yet ready to face the issue either.

Thus there can be no "grown up discussion" on the fact that "two wrongs can indeed make a right" when revealing "institutional wrong", that facing up to it is the only way it can start to be resolved.

What is worse however is the faux "Oh My God" Victorian stage dramatics, of "assisting the enemy by revealing our secrets"... If US people genuinely believe that other nation states are not aware of US capabilities then they are beyond deluding themselves. If they further believe that the US Gov only does what it does for "good" then they are way beyond being deluded they must be retarded.

Which is why I find many of the "blame the messenger" reactions we see not just sad and pathetic but akin to a two-year-old's thinking processes on being caught committing some transgression.

Many in the US should forget the idea of "Man up" and should try "grow up" first.

Mike (just plain Mike)April 20, 2015 5:14 PM

@albert - Thanks for the reply. The (rather depressing) reasoning/conspiracy-theorisation of some people was that even if the technology can’t reliably land an aircraft by remote control you can still justify a system to remotely block pilot control in a 9/11 scenario: If all the people on the aircraft are going to die anyway (because a hijacker/deranged-pilot intends to fly the aircraft into something on the ground) then the ability to remotely deny the hijacker/pilot control of the aircraft, and then to remotely direct its course/altitude in a rudimentary fashion would be good enough to save the lives of potential targets on the ground, and you can also get the thing out of the way of other air-traffic. If your remote control technology isn’t then capable of landing the aircraft then you send it off somewhere where it won’t hurt anyone (other than those on-board obviously) when it eventually runs out of fuel and drops out of the sky. I definitely don’t want to re-start MH370 speculation – just want to give you the context of why I was asking.

Sancho_PApril 20, 2015 6:22 PM

@ Clive Robinson

Well, the twofold morality of “religious” people always made me wonder.

But I think that National-Capitalism is stronger than faith and will survive all efforts of any Deity (see Sunni - Shia). Probably that’s the reason why Catholics are condemning same sex relationship (being human) while blessing weapons (purely business).

Therefore my reply @Skeptical (no personal offense intended, I think he’s perfectly arguing on behalf of the majority of white Americans, much better than most of them could) didn’t have religion in mind, more the NaCi - mindset.
There was one rare moment where he seemed to admire the other side when he cited Jay Gould on 9/11:
https://www.schneier.com/blog/archives/2015/04/friday_squid_bl_472.html#c6693482

- OK, I don’t know if it really was “our” @Skeptical, but I still have some hope ;-)

Nick PApril 20, 2015 9:48 PM

@ Sancho_P

Yeah, that really was a great quote by Skeptical. I hoped myself it was the same person.

FigureitoutApril 20, 2015 11:04 PM

Sancho_P RE: multisim blue
--Gracias amigo. XP support still even, nice. I consider not taking a crap in their database (they want some info from me) if they give away good software (guessing, haven't used). Still left wondering...what's the catch? I don't buy the whole "kumbaya" thing from large engineering companies.

Gerard van VoorenApril 21, 2015 2:38 AM

@ Clive Robinson

What is worse however is the faux "Oh My God" Victorian stage dramatics, of "assisting the enemy by revealing our secrets"... If US people genuinely believe that other nation states are not aware of US capabilities then they are beyond deluding themselves. If they further believe that the US Gov only does what it does for "good" then they are way beyond being deluded they must be retarded.

After saying that, I would reconsider that visit to Alabama [1][2] ;-)


[1] Top Gear in Alabama: https://www.youtube.com/watch?v=pKcJ-0bAHB4
[2] The background story: https://www.youtube.com/watch?v=ynbITr_eoFE

Wesley ParishApril 21, 2015 2:59 AM

@Clive Robinson et alii

re: "My Country right or wrong"

The phrase is apparently part of a larger statement: The Senator from Wisconsin cannot frighten me by exclaiming, “My country, right or wrong.” In one sense I say so too. My country; and my country is the great American Republic. My country, right or wrong; if right, to be kept right; and if wrong, to be set right.

FWLIW, I've just been reading Black Like Me by John Howard Griffin. It strikes me that the surveillance state that we've all become aware of, is something quite familiar to most African-Americans. Likewise the drone strikes by those drones the militarized police departments. I mean, it's all there in uh, black and white ...

This is of course one of the reasons why I can't take S[k]eptical seriously any more. He's not particularly knowledgeable about his own country. I'm used to people displaying that sort of ignorance to be scornful if they can be bothered to react. He's lost that Special K, and got that other Special K ...

MindControlApril 21, 2015 6:00 AM

The one item that does not yet have sustainable existence is mind control. But, we are getting there. One example:
----------------------------------------
'MyEarth' energy-tracking app encourages sustainable behaviors

http://www.sciencedaily.com/releases/2015/04/150420182413.htm?utm_source=feedburner&utm_medium=email&utm_campaign=Feed%3A+sciencedaily+%28Latest+Science+News+--+ScienceDaily%29
----------------------------------------
On that web page under Related Stories, there are other examples.

Just how fat, dumb, and lazy have we become? Worse yet, how much more so are we making future generations the same? When we never learn to do something, what happens when our electronic assistant isn't there to do it for us?

And to make matters worse, we are becoming dependent on these devices, so much so that instead of using our brains for thinking, that instead of them serving us, the devices have become the master and we have become the slave.

In the above example, we need to learn about sustainable behaviors and execute such actions by ourselves rather than having some device tell us what to do, when to do it, and how to do it. If we don't understand, then how can we trust that the "mind control" device understands. If we always believe the device, then we are letting those that program the device control our minds. Hey, that is what "they" want ("they" being the all inclusive "they", the overlords).

Go to the end game, which entails philosophy, politics, and religion. Oh, what does the device tell us to do? The book Spy TV has an example of how this is being done, but even faster now with our personal tracking devices in charge of everything we do. We don't need headsets or have embedded chips. The damage is done.

Game over...

Nick PApril 21, 2015 10:35 AM

@ Gerard

The Alabama link was great. I've lived in enough redneck towns to say their response was accurate. The rednecks were merciful on them as that was a "muddin' truck" built for offroad and running into stuff. Shooting past them instead of into them was a victory dance. Also, had the fools entered the store, their tires might have gotten a bit lower to the ground as well.

People screwing with rednecks better know how to fight, be armed, and have friends with same qualities.

Sancho_PApril 21, 2015 11:03 AM

@ Figureitout

¿ “ they want some info …” OK I have a db full of pseudonyms for these kinds of things, if they want I could even send them IDs (you know, in the EU it is illegal to make and send copies of official picIDs via “untrusted” correspondence so that must be faked, sorry).
Of course I have a different account to order. Checking my IP they’d learn that several machines / people use the same IP, somewhat strange.

No worries, they have more data than they’d ever need.
They are not any TLA. They want to be your favorite vendor.
You are a respected and valid customer, if not today then probably tomorrow.

@ Wesley Parish

“He's not particularly knowledgeable about his own country.”
No, that’s not fair. On the contrary. To ignore him would mean to ignore Amer - - - uuups, sorry, Alabama.


@ MindControl

LOL.
I hope it wouldn’t take a long time to re-learn on which end of our digestive apparatus we have to enter the food.

Yesterday I was called in from the street into our pharmacy, the POS wasn’t working and a lady was asking for insulin for her son. There was no Internet connection, so I told them to use pencil and paper for the moment.
Imagine that for several hours, or in a bigger pharmacy.
This application is not designed for offline use! (rem: we have “electronic” prescriptions)

Gerard van VoorenApril 21, 2015 11:32 AM

@ Nick P

It was an old Top Gear item. I liked the explanation video (which I didn't see before) as well. That episode told us that provoking rednecks isn't a wise thing to do ;-)

gordoApril 22, 2015 1:35 PM

European Rights Body Again Rejects Mass Surveillance
Natasha Lomas | TechCrunch | 2015/04/22

Europe’s top rights body, the Parliamentary Assembly of the Council of Europe (PACE), has crystalized its censure of mass surveillance as a threat to fundamental human rights and to democracy itself by adopting a draft resolution in which it reiterates deep concerns over the practice of intelligence agencies systematically harvesting untargeted communications data, without adequate legal regulation or technical protection.


[....]

While the Council of Europe does not legislate, it issues advice and recommendations that can filter down into European legal standards, charters and conventions. It also counts the influential European Court of Human Rights as one of its institutions.

http://techcrunch.com/2015/04/22/european-rights-body-again-rejects-mass-surveillance/

I guess we'll see how that filter works...

EU data protection reform triggers privacy warning
Civil rights groups say EU proposals undermine basic privacy protections
Loek Essers | IDG News Service | Apr 21, 2015

European Union data-protection reform proposals could undermine basic privacy rights globally, a growing chorus of critics say.


More than 60 civil rights groups from all corners of the world including Europe, Africa, the U.S, Central and South America, Asia and Australia are calling on the European Commission to stop what they said is an effort to undermine people's right to privacy.

The organizations are "deeply concerned" about changes to the data protection reform package being made by European countries gathered in the Council of the EU, one of the European Union's three law-making bodies.

The way things are going, privacy protection could end up being weaker than it is now, the groups said in an email on Tuesday to the commission, the EU's executive and regulatory arm. Current data protections are based on a 1995 directive, now considered outdated.

http://www.computerworld.com/article/2912622/data-privacy/eu-data-protection-reform-triggers-privacy-warning.html

JustPlainCreepyApril 22, 2015 11:46 PM

This is just plain creepy:

Swallowing Your Password

http://it.slashdot.org/story/15/04/22/2054257/swallowing-your-password

This can't be a security device or password replacement. Anybody can build a device to read the output from the ingested tool, and simply play back that output whenever needed for identification, authorization, or access control. Such a device has to have some sort of control on when it releases its information for use, otherwise it will be much like an unprotected RFID tag that can be read by anybody. Without such a control, you would need one heck of a Faraday cage to keep it from being abused. The ingested devices would surely be outnumbered by the count of "readers" of that data, by a very large margin.

Oh, and yes, you won't see any terrorists swallowing these things. And, what about "fake" devices that put out false information?

Security theater I believe.

Heavily CaffeinatedApril 23, 2015 3:34 PM

GM, Ford, And Others Want to Make Working on Your Own Car Illegal
https://www.yahoo.com/autos/s/gm-ford-others-want-working-own-car-illegal-160000229.html

What GM, and even tractor companies like John Deere, argues is that you, as an owner, don’t actually own your car. Rather, you’re sort of just borrowing it for an extended amount of time and paying for the rights to use the technology. If it sounds ridiculous— it is. But it gets even more ludicrous.
According to the Electronic Frontier Foundation, John Deere argued that “letting people modify car computer systems will result in them pirating music through the on-board entertainment system.”

BoppingAroundApril 23, 2015 4:20 PM

> According to the Electronic Frontier Foundation, John Deere argued that “letting people
> modify car computer systems will result in them pirating music through the on-board
> entertainment system.”

And the automotive companies' concern here is — what?
Looks like someone else is involved.

BenniApril 23, 2015 8:40 PM

There has happened something in Germany that could be a major blow to NSA.


First de-cix has issued a statement that it found the surveillance of BND to be illegal for years. It was forced by "power play" of the German chancellery to give full takes of many fibers to BND, and now it will go to court. De-cix says that it previously did not want to do this because the German government always told them about terrorism. But there were always doubts, since they tap fibers of domestic providers that go from Frankfurt to Berlin. De-cix says that if necessary, it will go to the highest court. And ex-judges of this court want to support de-cix in their lawsuit.
http://www.spiegel.de/netzwelt/netzpolitik/de-cix-betreiber-von-knotenpunkt-will-gegen-bnd-klagen-a-1030148.html

Since NSA does not seem to have direct access at de-cix, it relies on BND to provide that. Every day BND downloads a list of selectors from NSA, gives them into their systems and then delivers the results to NSA.

As good Germans, BND does never throw anything away. A secret search is an administrative act. In Germany, administrative acts are things that have to be documented in every detail (for the same reason, one knows so much about the holocaust, because German clerks keep a record of everything). And so, BND has saved all the selector lists for years.


The German government now found that at least 40.000 of these selectors are directed against European companies and politicians. And it was found that BND knew this since 2008, kept that a secret, and did not stop it.

http://www.spiegel.de/politik/deutschland/ueberwachung-neue-spionageaffaere-erschuettert-bnd-a-1030191.html

Poor BND, now it is confronted with politicians who find that their own service is used to target them. Perhaps that might lead to some changes....

I think we are in need of some leaker to provide us with the full list of selectors. The German government has already asked at NSA whether it is allowed to give that list to the German parliament. It received no answer. So we need a leaker who publishes that list on wikileaks....

tyrApril 23, 2015 9:55 PM


I see Petraeus is off the hook with a nice token slap
on the wrist. I'll bet Chelsea is pleased with the
even handed justice system.

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.