Schneier on Security

Jonas Silver • April 27, 2015 4:56 PM

@Andrew Wallace

Andrew, so you are in your late twenties now, and did not make it into law enforcement but remain a full time defender and informant. Have you been trained or self-trained in 'how to be an informant'? I think your stance is 'no'. You have not been trained, nor have you been self-trained.

Are you getting responses from the leads you are providing?

As you are not talented in establishing rapport, much less deceptive capabilities required for going undercover, I think you are not getting responses for leads you are providing because the leads are of no value.

Your situation is uncommon, however not if one contrasts this sort of behavior to 'stalkers'. Simply stalkers usually target a singular person, as opposed to organizations. They act as if they are ardent admirers who are secretly loved in return. But on some level they know they are not loved in return back. So unconsciously they walk a tightrope. And sooner or later they fall from that tightrope.

They would experience intermittent severe anger and depression because they do fall here and there. But, that is not the final fall when their admiration turns to deadly rage.

I am not stating this to mock you nor to push your buttons. I am stating this because you have a chemical imbalance and are requiring medication and counseling. Where are your parents? Have you disconnected with them or do not update them on your behavior? Have you grown angry at them and insist that you feel better without medication?

You know this is true. I am certain you have already received counseling and psychiatric diagnosis.

I am also certain you have had problems with your neighbors. Likely this has required police intervention. You felt you were strongly in the right. But you have problems getting and holding jobs. And it seems everyone is against you. Who can you cling to? Someone who is "something", organizations, who will ignore you, and so not ever truly reject you.

You did not get much attention when you were younger so you are accustomed to the value of getting negative attention. That is what you get from these socializations. Negative attention, instead of positive attention.

With proper medication you could get positive attention, a solid job, and maybe even some sort of security work. But without it, nothing will work for you. It is that simple. Nothing works. Right or wrong, the meds are what you need to get your life on track.

Jonas Silver • April 27, 2015 6:16 PM

@Andrew Wallace

No, kid, it is because of your behavior. It is you. It is not them, it is not me. Own up to your own words and actions.

But you can not. Because that is a symptom of narcissistic personality disorder you suffer from.

1. you spend enormous amounts of time posting on forums against the majority consensus view, when you receive complaints you are oblivious to "why" and believe they are all simply against you and inferior to you
2. you have not studied and do not bother to think out as you should the material, but you believe this is not necessary because it is you. You are are an expert. No need for work experience. No need for doing your homework. No need for following logic.
3. also, your speech consistently conveys a flat affect
4. you make statements indicating you believe events which had nothing to do with you had everything to do with you, showing delusions of grandeur
5. you are obsessed with believing yourself a literal spokesperson for government, and other authorities, though you have no connections nor knowledge

https://www.google.com/webhp?sourceid=chrome-instant&ion=1&espv=2&ie=UTF-8#q=narcissism

extreme selfishness, with a grandiose view of one's own talents and a craving for admiration, as characterizing a personality type.

As for problems at home and such, this is just noticeable from your behavior and is what is going to happen with these disorders.

Maybe you have avoided seeing a psychiatrist. Narcissists definitely try and avoid that. Probably not. Strongly unlikely you have a social life. Narcissists are very anti-social, obviously. You probably blame others for your lack of a social life. Your reality and reality have probably converged in a major incident requiring police intervention. Probably. Maybe not. Why. Because your disorder is highly delusional, anti-social, and if pushed you would act out.

FYI, sure, I could go and post on a surgeon's forum and tell them how it is without bothering to study at all. When they disagree and attack me over and over again as I spiel out erroneous facts to them and express I know so much better then they do... I could point out that they are simply thinking incorrectly, I am correct, and that they are smearing me.

I could post on some religious or political forum which belongs to the belief systems I disagree with and do that all day -- then act surprised when people are against me. What? They do not see me as the expert? They do not bend to my superior vision? They find my refusal to try speak from their viewpoint bad? What is this? They are attacking me. They have a problem. Not me.

But... why...? And this is what you are doing. Which I explain more to the crowd then to you so people will be informed about your condition and not mistake you for an intentional troll.

You have a disease.

You need help.

Jonas Silver • April 27, 2015 8:40 PM

@Markh / Andrew Wallace

In particular, the highly personal focus and provocative character of two preceding comments here by "Jonas Silver" are far out of court, and have no place in a forum intended (as I believe this to be) to support the search for truth, and the analysis and discussion of ideas, problems, and solutions.

Bullshit. You know what "n3td3v", google the guy. He is one of the most notorious trolls on the internet. This was a post of necessity. I hate posting on a person but in this case, the manner in which he posts demands it. He claims to be an informant. He makes constant statements which he does not back up. He implies he has inside government knowledge. He claims he is intelligence, in fact. See below. He is not, he is a sociopathic narcissistic sadist.

He needs meds and counseling or he may end up on a rampage. This should be said. He is not a troll, he is a sick person who can not help himself and needs counseling.

http://seclists.org/fulldisclosure/2009/Jan/356

https://www.google.com/webhp?q=n3td3v

His own words convict him worse then what anyone else could say.

Andrew Wallace:

I have always been the person to collect intelligence on the hackers and pass them to the authorities, this all started when I was 18 on Yahoo where I got to be friends with many folks involved with protecting Yahoo's security and passed them important intelligence about what was going on.

Andrew Wallace:

As i've grown up since I was 18 my interests matured now I hope to get into a proper intelligence agency such as MI5 to continue my work as an intelligencer in a professional capacity.

Andrew Wallace:

no longer do people need to wait for a tap on the shoulder to be employed. You can goto their web site and apply for a job https://www.mi5careers.gov.uk/ this is what i'm
going to do as well.

Andrew Wallace:

My mailing list that I formed doesn't have many active posters on it as the membership base is likely to be intelligencers like me leeching the information that various people post on, like full-disclosure the majority of the list never talk the same happens on n3td3v mailing list group.

Andrew Wallace:

If you want to alert our community of something thats going on you can, because the right people are subscribed: government, business and academia.

Andrew Wallace:

We may not talk but we are listening.

"We"? Andrew Wallace? Delusions of grandeur. Get some help. It is a chemical imbalance.

Enough said on the subject from me. This attention probably will send him into a frenzy of posts designed to get more posts all about him. He loves that attention, even though it is negative.

He literally does not know how to get positive attention.

Jonas Silver • April 27, 2015 11:50 PM

@Buck

You'd better be careful here, or you may find yourself wandering into territories that you have not studied and do not bother to think out as you should...

:-)

"Chemical imbalance" is street slang. The definitions I used are also street slang.

DSM descriptors are that. They are models, but they should not be considered definitive.

Theoretical models are only useful insofar that they might have practical, repeatable results.

Consider the irony here. Am I a psychiatrist? No, I am not. So, who am I to be making professional sounding definitions on a forum. I am a Navy Seal! Joking. :-)

I argue that a person should at least prove their experience and authority, but have I made pains to do this? I wish to remain anonymous. If I make assertions, on matter which is outside of my knowledge, I wish to be challenged.

I made one claim, that I am not interested in manipulation, but maybe I am one of those sorts who believe all communication is a form of manipulation. Maybe not.

How does the song go? 'I cried, 'who killed the kennedy's', when after all, it was you and me'.

Can we all not be this way? We should have a "hurrah" for the devil's advocate viewpoint now and then, should we not?

Not to rankle up buzzwords that may turn on people's defenses.

But how does anyone know who anyone is online, really? Maybe my entire tactic in approach was merely to bring about defensiveness, when my real suspicion is what is at play here is some manner of real intelligence agent seeking for some dirt on people? After all, maybe his claim to be intelligence is true.

Maybe, if I strongly deny that, I expect that the dichotomy of the lie to possibly bleed out?

Trickiness, deceptiveness? Perhaps. Or maybe just people being people, playing a game. Rolling the dice. Why else is anyone posting here -- or anywhere? If the aims are too serious, I do believe one may have missed the point...

But what is interesting to me is how people think. Enlightenment rarely comes from going on the directions we are comfortable with, but on taking paths that are scary, and out of the way.

Communication often requires sacrifices of truth.

Jonas Silver • April 28, 2015 12:51 AM

@Clive Robinson, @Subject of Attribution of Undercover IC Agents

For someone trying to "build an online persona" for what ever reason the "n3td3v Andrew Wallace" and the "twitter Andrew Wallace" personas have left quite a few pointers to a "meatspace persona", wether that is accidental or deliberate is potentialy an interesting question.

As has been indicated on the Krebs site in the past with "SWATing", "revenge porn" and "fitting up with drugs and worse" there are those online quite adept at realising the "meatspace" person of an "online persona" and making life hell for not just them but those around them such as fellow employees (hence my warning).

Further in the US there is legislation about revealing the identity of Gov IC Officers which "Scotter Libby" fell afoul of. If one of these "Andrew Wallace" personas is a "US government shill" as some have indicated, then trying to prove so could run into that legislation, especially under the current "whistle blower crushing" US President / Executive (not that I expect future US administrations to be more lenient in this respect in fact I expect them to be far far worse).

These are some very prescient comments, which I believe deserve some expounding on.

Valerie Plame was the case officer of the CIA who was outed. Who outed her? I am not sure. What was Scooter Libby indicted on? Obstruction of justice. Lying to federal officers. Perjury for lying to a grand jury.

Scooter Libby was not the source who leaked Valerie Plame's name and job. The source did a very bad thing, according to US law and what is obvious, morally. Scooter Libby was the "fall guy" for this leak.

It can here be noted his first name is not his actual first name, but a demeaning nickname. One gets the impression he scooted around for higher ups. He was not really a person. He was a scooter. People ride scooters. They are not cars, they are laughable scooters.

The crime was Valerie Plame, as a case officer for the CIA worked undercover in foreign nations handling agents. By outing her, the leaker put in jeopardy all of the agents she handled in those foreign countries. Some might be tortured, some might be killed. And why? Because it served the political interests of the executive office.

Looking up the matter, an State Department official by the name of "Richard Armitage" actually did the leaking. 'No one was charged for the leak its' self'.

This is a very different system then the British system. In the US system, those who have clearance have strict legal constraints on the information they are entrusted with. Libby, while surely having high clearance, was not the leaker. But, he knew who the leaker was and conspired with others to hide this information from federal investigators.

In the eighties, we now know, there was a substantial "mole war" which went on between the Soviets and Western nations. Agents, moles, operating for Western nations revealed agents operating for the Soviets, and vice versa.

This got real people imprisoned, tortured, and killed. People who valiantly - in most cases - risked their lives to try and do what was in-arguably good.

Today, there are "IC" agents who operate online substantially. The nature of the war has substantially changed. Plausibly, there could be such agents who operate even on this forum. Why? One reason could be they are interested in collecting sci-tech assets. As sci-tech is the very nature of the new 'lay of the land' in global espionage, this is perhaps not even a secondary landscape or some far flung front. But it very well could be a very front of battle.

In days past, human beings - meatspace humans - were required for the front. Real files had to be taken out of complexes. Or tedious pictures had to be made of these real files. Agents or officers had to be in meatspace place to do their work. They could not take out terrabytes of data at a time. The very definition of information by such things as terrabytes did not even exist then.

It has always, however, been, an information war. Information technology. Information security.

Money, blueprints, intellectual property, battle plans... was paper. Now it is all "1's and 0's". Birth certificates. Driver's licenses. Work employment. Family history. Papers of incorporation. Monetary records. Family photographs. School papers. How did one prove someone's identity? Personal references.

Death certificates.

Paper trails.

Now? It can all be invented and constructed in instants.

Or it can be deconstructed. It can be stolen. It can be replicated. What used to be the domain of spies, in terms of false identities, long since has been the domain of everyday people. Anonymity. "Catfishing" is not just a word of practices of identity duplicity for average people not even engaged in spying, but it is multiple television shows.

If you want today to take out the archives of a foreign nation, you need not rely on a disgruntled archived clerk (Mitrokihn), but you simply hack their systems and get it on a file and transmit it across the oceans.

Mitrokihn painstakingly copied by hand, with great pain and over many years, much of these very archives. Today? Well, if the US and Israelis can get into Iranian nuclear systems, probably the secret archives of just about any nation's intelligence archives have already been well downloaded and transmitted -- perhaps by bluetooth dead drops.

Concepts like "noc lists" of the cover names and real identities are a real thing, but also a matter of public fiction and speculation. What is real, what is false? Fictional media defines much of this. If it is in fiction, it probably is not real.

Back to the point: you mention a very scary possibility. Someone copying someone else, copying their writing style, imbuing their conversations with "accidental" clues to lead back to someone in "meatspace". Maybe to put at risk not only the target, but also their coworkers, and their operations. All of which can be performed relatively anonymously and across shores and across national boundaries.

Meanwhile, intelligence agencies, while having such incredible powers also have incredible risks. Manning downloaded data unperturbed and posted it online. Snowden got probably more information on more secret projects then anyone has done before. Anonymous sources left and right can leak material to journalists with little concern for retribution or discovery. How much moreso might they do to adversarial nations?

The everyday person is aware that the new world of 'no more secrets' is already closing tightly upon them. While the governments of the world are often the instigators. And the corporations. Has anyone seen Continuum? A future world where corporations are the government. The difference will and is blurred. Invariably.

What happens when that same transparency comes to governments?

Maryland, btw, this very night is on fire. Maryland, the very state of the US NSA, the powerbase of the US technical intelligence services. Maryland, a major hub of the Navy, and so very close to Virginia, and DC herself.

I point to 'Sneakers', a movie I am sure all readers here of any note are very familiar with when I say 'No More Secrets'. Maybe? That is a term we should dread. Maybe... our authorities and powers are not quite as beautiful as they present themselves with their proverbial clothes. Maybe, naked? They are considerably more dreadful, hateful.

Perhaps the future and the change it requires to get 'from here to there' is not such a terrible thing as "global thermonuclear war", but if that transition is to even a much better place? Well, if this place is much worse then we believe it is - then we so badly want to believe it is - maybe that transition will be much more painful then we are initially willing to accept.

Jonas Silver • April 28, 2015 1:25 AM

@Buck

Yes, that sounds a bit more like the you that I'm accustomed to! ;-) Deceptive, manipulative, pompous, the teacher of psychiatry... The point was not missed by myself, but I also find it fascinating - good game gents!

(I could possibly agree that all communication is a form of manipulation ;)

I can neither confirm nor deny....

However, for our deep underwater entertainment tonight, I will present the following music video:

https://www.youtube.com/watch?v=Bx9WzKXEnyI

Little Red Riding Hood. Fact or fiction. Discuss.

NLP, "all communication is manipulation". NLP, and by this I do not mean Natural Language Processing (which is also all so relevant for any such discussion online), but Neuro-Linguistic Programming was pushed onto me in my twenties. And other horrible sales crap, most people would very much prefer not to get into. Especially us technical introverts.

Computer programming, psychology, come on, what is not to like?

Sales, however, is a very traumatic field to push young people into. I actually was forced to do home improvement sales and worse, much worse.

Sales is all about information, I learned. We were con people. Traveling gypsies. Like "the Riches". Horrible show. I watched it to help deal with my trauma. The sales agent is supposed to confirm the home buyer is a home owner. My dad, my boss, forced me to watch "Tin Men" and eventually, "Glenngary, Glen, Ross", or however you spell it. Leads. All about the leads. Let us steal the leads.

He held out a newspaper and said, "Wanted by the FBI!"

Thanks, Dad. Who? At the time was Indian.

And he was actually really wanted by the FBI. At the time. Under that identity.

And some other identities.

Or? This is a very clever fiction. I have no dad. My dad is me.

It all can get very confusing.

Whatever the case, my pomposity is an act. It is a favorite role, guise. The Devil/Loki/Lucifer mask. Works very well online, but in person... meh, not so much. 'The gods are playing a horrible trick on me', 'soul of a clown' is more to the real self.

People are inclined to want to pop bubbles. Pomposity is a big fat fucking bubble.

I had a girlfriend once who would talk about getting a fat little baby and put it in icewater just to squeeze its' fat. That is just way to weird not to be true.

Squeeze, squeeze, squeeze. She was thirty, I was seventeen. Maybe this was the late nineties or the sixties.

Jonas Silver • April 28, 2015 1:56 AM

@rgaff

This thought actually has occurred to me with regards to recent flame wars on here... I have seen this kind of thing happen in other online communities before. When it became clear that two separate personas were the same real life person, then we started looking at all the others that bolstered/supported their lies... and realizing that there were more that were the same person too. It was like a house of cards. ;)

In fact, who's to say you or I or any of the rest of you are real... hello figments of my imagination... lol ok...

Well, Gobbles was a real shit head. That was a serious internet troll. Multiple people, of course, but there was a main player. He got into it, I heard, at Blackhat. Some Caucasus region dudes who had moved to Jordan and other regions, escaping the Soviet dictatorship.

Kind of like dissident Cubans.

Anonymous is another bad hacker group, though I sometimes think of them as less "Anonymous" and more "Ambiguous".

Lulzsec was the real central power there, though, in their prime. And look at them. Sabu worked for the FBI while he hacked Stratfor and many foreign embassies. Who called them on that? Dice, Vice, Dailydot.

Vice is not government. Ever read their articles? A bunch of crazy sex crap. That is far from stodgy government work. More like Communists. Modern day Marxists who never lost their faith in Stalin.

HBGary was hacked by Lulzsec before the FBI took Sabu. That was the federal wing of the company which just had recently started to exist before then. The main guy was very distanced from the founders and took the blunt of the damage.

The "B" in that name is for Jamie Butler, head research at Mandiant Security. Ex-uber kin from the NSA.

Iran thinks the US has an earthquake raygun called HAARP. Maybe it creates tornadoes and hurricanes too. And can solve droughts. But California is suffering a serious drought. Is this like MK-Ultra, where they don't give water where they can to protect super secret technology? Angels strumming their fingers and boom, weather disasters.

Patreus had to pay a 100K fine, so you know that was for real.

I looked up Albert Gonzalez and had problems with keeping that from the other AG, you know, the guy in prison. For hacking Target and all that. He is in prison. We know this because it was in the media and there are real people who were at the real trial who can testify all of this is true. Also, anyone can visit him or write him letters. Just like you can with Santa Claus.

https://coub.com/view/5dvay

A lot of top name hackers definitely never worked for the NSA as teenagers only to get kicked out for dick pics. No, they are felons with ridiculous records. And sometimes, names. Ahoy, pirates.

Not truth, but maybe useful thinking exercises? If there are to be a lot of circuses coming up, there may also be much bread.

Whatever that means.

Jonas Silver • April 30, 2015 5:51 AM

@Psychiatric Debacle is Bad

Yes, I agree. Nobody should be making psychiatric prognosis. In fact, all of us in here agree. Except for Janet. Janet is a complete f***ing psycho.

But, Janet disagreed with us and took this consensus statement to her doctor and he replied, "Janet, you are not the problem. *They* are the problem." She was flabbergasted, and we did not have the slightest idea of what he meant.

Whatever the case, we continued to allow having Janet make psychiatric prognosis on each of us.

@Wesley Parish, re 'kingpin assassination problem'

That is a brilliant paper, thank you for sharing.

Hence why we can have such a black sense of humor.

It is so obvious, yet it does deserve rigorous analysis. But what gets through? Rigorous analysis or obvious, point blank statements? Nothing gets through. Persistence alone pays off, perhaps. And something else, I would argue. When there is endemic moral corrosion, eventually the system its' self breaks.

For instance, if you remove the heads, then because demand still exists, someone else will take their place. This paper well points out, it is even worse then that, because you have fractured the points of supply, more points means a more competitive marketplace. And hence, the price drops.

Which is exactly why governments over open economies do police their economy against monopolies. Monopolies are unfair against the populace, they cause prices to skyrocket. Breakup the monopolies, and prices plummet. Plus, the open competition ensures quality improves.

So, they do the same thing with terrorism and drugs. Attack the monopolies, supply increases, prices drop, and the supply improves. Does improving supply mean that the populace got better drugs, drugs which are good for them, for instance? No.

Quality improves in a more subtle manner conducive to the economy in question.

As these sorts of recreational drugs are bad for people, as is the terrorism... improving upon these economies is not a good thing proportionally to how they are rightly considered bad things.

What has ended up with is, for instance, ISIS, in the terrorist front. Which even Al Qaeda has condemned for being too draconian. Yet, they have widespread support. Never even mind the problem of how getting rid of Saddam and the Baathist's helped support that problem in the first place (or how ISIS was 'Al Qaeda in Iraq').

Is anyone actually blind to the fact that the "war on drugs" has been entirely detrimental to society? No. Only the remaining supporters who themselves are too deeply invested in their project to see. Same difference with drone assassinations, and similar military tactics.

It all boils down to 'fighting fire with fire'. Now, it can be unfair to say that firefighters never fight fire with fire, because they do. But, ultimately, you have to take more sensible positions to deal with the problems. As it stands, the US has ended up turning Mexico into a firestorm, not unlike the Middle East.

Like fires that rage, however, is there any real hope of turning back? The vested interests run deep into the system.

There is something basic lacking in the equation. Perhaps it is simply some manner of water.

Jonas Silver • April 30, 2015 6:31 AM

http://boingboing.net/2015/04/28/fbis-crypto-backdoor-plans-r.html

The FBI wants backdoors in all your crypto, and UK Prime Minister David Cameron made backdoors an election promise, but as Stanford lawyer/computer scientist Jonathan Mayer writes, there's no way to effectively backdoor modern platforms without abolishing the whole idea of computers as we know them, replacing them with an imaginary and totalitarian computing ecosystem that does not exist and probably never will.

Mayer gives the example of how stopping Android users from using crypto would require the abolition of third-party app stores, rolling back the state of the art in Web-based apps, introducing kill-switches to the platform that lets Google delete your apps and the data associated with them, and preventing jailbreaking at all costs.

...

Continue with the hypothetical, though. Imagine that Google could successfully banish secure encryption apps from the official Google Play store. What about apps that are loaded from another app store? The government could feasibly regulate some competitors, like the Amazon Appstore. How, though, would it reach international, free, open source app repositories like F-Droid or Fossdroid? What about apps that a user directly downloads and installs (“sideloads”) from a developer’s website?

The only solution is an app kill switch.3 (Google’s euphemism is “Remote Application Removal.”) Whenever the government discovers a strong encryption app, it would compel Google to nuke the app from Android phones worldwide. That level of government intrusion—reaching into personal devices to remove security software—certainly would not be well received. It raises serious Fourth Amendment issues, since it could be construed as a search of the device or a seizure of device functionality and app data.4 What’s more, the collateral damage would be extensive; innocent users of the app would lose their data.

Designing an effective app kill switch also isn’t so easy. The concept is feasible for app store downloads, since those apps are tagged with a consistent identifier. But a naïve kill switch design is trivial to circumvent with a sideloaded app. The developer could easily generate a random application identifier for each download.5