While most female squid and octopuses have just one reproductive cycle before they die, vampire squid go through dozens of egg-making cycles in their lifetimes, scientists have found.
As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.
steve37 • April 24, 2015 5:13 PM
Homeland Security Secretary Begs Silicon Valley to Stop the Encryption
http://gizmodo.com/dhs-secretary-begs-silicon-valley-to-stop-the-encryptio-1699273657
steve37 • April 24, 2015 5:14 PM
A professional hacker explains how he dupes people into clicking on malicious links
http://uk.businessinsider.com/how-email-phishing-works-2015-4?linkId=13689779?r=US
rgaff • April 24, 2015 6:06 PM
Please please puuuhleeeease stop putting locks on all your houses and cars and other things too, we need to be able to search all your stuff at will.
Victoria Cross for Inverse Valour • April 24, 2015 6:21 PM
Thanks, Andrew, for the urgent public-service message from the professional fraidy-cats. Please keep us apprised of their latest free-floating anxieties and fretful fits of physical cowardice! It’s a real treat to creep up behind them and say Boo and make them wet their timid pants.
rgaff • April 24, 2015 6:53 PM
@ Victoria Cross for Inverse Valour
It’s not that they’re fraidy-cats, it’s that spreading fear and terror among the general populace is the only way they can justify their giant budgets. Since there isn’t enough actual terrorism to keep the population terrorized, they have to do it themselves, by saying things like “look out, there could be TERRORISM over there, or there, or ANYWHERE…”
Victoria Cross for Inverse Valour • April 24, 2015 7:21 PM
@rgaff, there are doubtless some like that at the top, who know what they’re about. But for the lower ranks, secret police recruit as the military do, for particular traits: obsessive/compulsive but not too bright. Or they’ll look for exploitable weaknesses of character. Then just steep the poor buggers in a miasma of fear and anxiety, and in no time they’re pushing hypervigilant cowardice on the world at large. It works – it’s hard to believe this is the nation that bore up under the blitz. Bunch of bed-wetting eunuchs.
Ole Juul • April 24, 2015 7:27 PM
I saw this the other day on the Daily Nation:
Russian hackers were able to access an unclassified Pentagon computer network earlier this year, US Secretary of Defense Ashton Carter said Thursday.
I guess we’ll be seeing a lot more reports of (alleged) Russian hacking now that the US wants to promote those stories.
Peanuts • April 24, 2015 8:47 PM
I Guess Jhey didint get the memo, this will be the most transparent administration If your a Russian or Iranian or Chinese hacker in history. Just ask anyone in the administration.
rgaff • April 24, 2015 10:58 PM
@ Victoria Cross for Inverse Valour
You have a point about lower ranks.
The top people that know what they’re doing set the policies for those lower ranks though… The more I learn about how the world works the more it really comes down to money. As the old saying goes, it’s the root of all evil, right?
gtm • April 25, 2015 1:20 AM
Starbucks’ payment systems have gone down … widespread systems outage hit Starbucks stores in the United States and Canada … Hmmm?
coolisimo • April 25, 2015 3:07 AM
Security tweet of the week: xaphan @slugbait
“Hacking a plane through in-flight wifi” is the new “launch nuclear missiles by whistling into a phone”
Thoth • April 25, 2015 7:07 AM
@steve37, all
That Homeland Security Secretary and those duped US Govt people by the Warhawks or maybe it’s all a huge Warhawks’ scheme doesn’t realize the stupidity of their requests and the impact.
Here’s a list of some critical infra that requires security and their stupid request to stop encryption is exactly what will happen:
That’s only a short list of many other critical systems. Disarming cryptography means all the above and more wouldn’t even have proper data security. Golden keys, front doors, backdoors and whatever it is to escrow or weaken data security especially in the field of proper practical cryptography and they have not understood that such a dangerous and insane move would threaten their critical infrastructure and thus worsen the US economy and security overall.
If the Chinese, North Koreans, Israelis, Russians, French, Germans, Iranians … and other national security agencies would be given a gift, the gift is the direct downfall of US data security sector so these Nations and their agencies and many others would have a walk-over and have their noses to ensure their own benefits.
You can imagine these nation sponsored hackers having an easy way into critical infrastructures due to deliberate weaknesses in the data security mechanisms.
I wonder if thought was put into accessing the impact of sabotaging data security mechanisms in school and in the field.
Not to mention, a lot of COTS security systems uses open source and closed source software that if sabotaged, could pose a huge national threat in itself and the US Govt uses COTS systems regularly and if the backdoors, frontdoors and golden keys are in these COTS system, their enemies could figure that out as well.
Not to forget, a ton of US Govt security systems uses COTS cryptographic products like smartcards and TPM modules for Govt Systems and these systems are dual purpose products that are applicable to critical public sectors and Govt sectors. The act of weakening these security systems would break the security two folds.
That means you could effectively forge protected features in identification system and that can be a huge headache.
I wonder if the madness of curtailing and controlling public access to proper COTS data security mechanisms could extend to preventing teaching and displaying of data security and cryptographic knowledges and restricting free speech. Hmmmm …..
Andrew Wallace • April 25, 2015 7:12 AM
rgaff, Victoria Cross for Inverse Valour
You do seem to have paranoia or anxiety about something. Perhaps you have a worry that because you’re a security researcher that the Government have an interest in you and that you may be judged to be a threat to national security.
This is completely untrue. The government do not have an interest in you. If the government were to lock up every security researcher there would be no space left in prison.
As long as you study the law and ethics and know what you can and cannot do while conducting your security research there shouldn’t be a problem. You should also keep an eye on news within the community to know what law enforcement agencies are sensitive to.
E.g Don’t tweet on a plane about dropping oxygen masks like Chris Roberts decided to do and you should be fine to carry out your lawful law abidding security research.
We look forward to the publication of your research in due course.
Happy hunting.
Winter • April 25, 2015 8:31 AM
@Andrew Wallace
“As long as you study the law and ethics and know what you can and cannot do while conducting your security research there shouldn’t be a problem. You should also keep an eye on news within the community to know what law enforcement agencies are sensitive to.”
This quote does remind me of the science of Trofim Lysenko
http://nl.wikipedia.org/wiki/Trofim_Lysenko
What we see here is someone from the USA advocating the research ethics under Stalin.
Curious • April 25, 2015 8:55 AM
Though not really computer security news, there has apparently been a robbery of a deposits vault in London recently. It is called the “Hatton Garden heist” in the news. A lot of select stuff is said to have been stolen, and the articles I read pointed out that they had taken off with valuable jewelry.
It would be quite the stretch of me to here try point out that such a robbery might have been done by a state power, but as I read that the alarm was triggered but with no reaction from the police, I just couldn’t help myself and thought that something like this might as well be some shady government work if the targeted deposit boxes were really valuable or really interesting. On second thought, now that I think about it, I guess putting stuff in a bank vault offer questionable levels of privacy.
The thieves bored through a 50cm concrete wall, in order to create a minimal opening into the vault, and is said to have stayed inside the vault for hours.
Andrew Wallace • April 25, 2015 9:41 AM
Winter,
There does seem to be a lot of stress, anxiety and a degree of paranoia on the Schneier blog about what a researcher can and cannot do and those who may be watching them to see that what they can and cannot do is being adhered to. E.g the storage of communications data of all digital interactions in day to day life being stored on databases, seems to have high stress value on this blog. The only reason that data is stored is to save money should an investigation come up. It does not mean you are under suspicion, but true if you are put under investigation your lifestyle can and should be looked into to rule you out of badness.
Andrew
Bob S. • April 25, 2015 9:41 AM
@Andrew Wallace
Re: “The government do not have an interest in you. If the government were to lock up every security researcher there would be no space left in prison.
As long as you study the law and ethics and…”
The hell they don’t have an interest in you, and me and everyone!
Why do you think we are undergoing a worldwide transition toward electronic mass surveillance in the image of NSA Collect-it-ALL? (Laws and Rights be damned.)
Mass surveillance begets mass control. Always has, and that’s why the powers that be want it and won’t let it go,…easily.
Roberts was a fool looking to get slapped…and he did. But, the government didn’t need to drag him off to Siberia ….the word of his misdeed spread like fire throughout the whole world…”we are watching and we will mess with you!” Is there any researcher or anyone else in the world who did not get the message?????
As for locking up researchers or anyone else….if they see it’s necessary they will do it. Governments have unlimited time, power and resources to take out anyone. No question about it.
It’s strictly on a case by case basis now. Publicly crucifying select individuals has a great deterrent effect on the peasantry.
Frankly, I view your post as rather naive and Pollyanna.
The only known antidote for electronic mass surveillance at the moment is mass encryption. Let’s hope some really smart guys are working on it.
Andrew Wallace • April 25, 2015 9:55 AM
Bob S.
Your point about mass collection of data was answered:
Andrew Wallace • April 25, 2015 9:41 AM
There does seem to be a lot of stress, anxiety and a degree of paranoia on the Schneier blog about what a researcher can and cannot do and those who may be watching them to see that what they can and cannot do is being adhered to. E.g the storage of communications data of all digital interactions in day to day life being stored on databases, seems to have high stress value on this blog. The only reason that data is stored is to save money should an investigation come up. It does not mean you are under suspicion, but true if you are put under investigation your lifestyle can and should be looked into to rule you out of badness.
Andrew
Cosby, Stills, John Nash & Loretta Young • April 25, 2015 10:06 AM
The only thing you need to understand what’s going on (and why) are the lyrics to Steppenwolf’s “Monster”.
Andrew Wallace • April 25, 2015 10:21 AM
“Roberts was a fool looking to get slapped…and he did.”
I’m glad we agree on something.
Let me put this to you… If a crazy researcher was heading to an airport and you only had an hour to investigate an individual, you would be thankful for the mass collection programme.
Andrew
Victoria Cross for Inverse Valor • April 25, 2015 10:32 AM
Interesting, this Andrew character posing at 7:12 as some sort of benevolent authority, undercutting vapid reassurances with portentous warnings. Classic emotional manipulation from the cop slice of the bell curve: stay on our good side and you’ll be fine. With an odd, puzzling confidence that people will accept this random internet nitwit as an authority. Reflexively pushing his institutionalized fear back you, that’s a cop tic too. Reminiscent of Skeptical, but no doubt that’s an artifact of the uniform indoctrination in Anglophone bureaucracies, working on homogenized raw material: OCD and not too bright.
Andrew Wallace • April 25, 2015 10:51 AM
Victoria Cross for Inverse Valor,
The narrative of the Schneier blog is he wants you to question the activities of Government.
As soon as someone appears to be speaking for those activities you get offended.
Andrew
albert • April 25, 2015 11:00 AM
@Everyone
.
ALL govt’s are interested in ALL their Citizens. Certain categories are more interesting to them. Here in the US, they are, but not limited to:
.
1. Anyone who talks about terrorism.
2. Anyone who discusses hacking, computer security, and the Intelligence Community.
3. Anyone who criticises the gov’t.
4. Anyone who criticises the corporatocracy.
5. Anyone who engages in, or promotes, protest movements of any kind.
6. Anything else the LE/IC deems important.
.
You can get on The List by ‘lurking’ on certain sites. You don’t even have to participate. Isn’t that wonderful? So, avoid these things, and you’ll be safe*.
.
This doesn’t mean that all Listees are going to be locked up**. We haven’t reached that point….yet. That’s the road we’re on, but its a foggy one. Can’t see too far ahead. ‘There’ can come upon us quite suddenly, then it’ll be too late.
.
I gotta go watch the Bruce Jenner interview….
.
………….
* Sorry, I shouldn’t joke about these serious issues.
** I do believe FEMA has working plans for large-scale ‘detention centers’.
Andrew Wallace • April 25, 2015 11:13 AM
albert,
Those categories seem reasonable. I don’t understand the issue here.
Andrew
Victoria Cross for Inverse Valor • April 25, 2015 11:40 AM
More characteristic indoctrination at 10:51. ‘Activities of government,’ in reductive abstract, not activities of THIS government. You naturally can’t tell the difference – your class and status markers indicate you’re destined for guard labor by your SES, so you’ve been spared the subtleties. But then, Who does learn critical habits of mind these days, aside from St. Paul’s boys and their ilk?
JohnT • April 25, 2015 11:54 AM
I’ve been waiting for the Squid blog.
The NY Times said 4/23 that the Senate has passed a bill expanding the “authorities” eavesdropping powers to fight human trafficking. The expansion is mentioned in the 5th paragraph. The news item is “Senate Approves Stalled Human Trafficking Bill, Clearing Way for Lynch Vote” pg A16, 4/23. Here’s the link if it works.
• • • •
<
ul>
<
ol>
<
blockquote>
<
pre> http://www.nytimes.com/2015/04/23/us/politics/senate-vote-on-human-trafficking-bill.html?_r=0
Does anybody have more info on this expansion of government eavesdropping?
Andrew Wallace • April 25, 2015 11:55 AM
Victoria Cross for Inverse Valor,
You can vote in a different Government if you are unhappy with the current government. That is what democracy is for.
Andrew
Nick P • April 25, 2015 12:27 PM
@ Andrew Wallace
I’m amazed you think it’s reasonable for government to spy on people discussing security or critiquing some aspects of their country. These are harmless actions protected by the First Amendment. The only time we’ve seen law enforcement or intelligence agencies use their power against people in those groups was to (a) suppress dissent or (b) try to prevent exposure of corruption. Surveillance on such people is a cornerstone for a police state. It was present in many regimes we crushed in the past and exists in many today low on the Democracy Index.
So, people have a reason to be anxious about such a position seeing that it’s a police-state technique often used to protect corruption and directly contradicting our rights as upheld by 100+ years of case law. That’s not counting just how much a waste of resources it is. On top of that, let’s remember they promised they were collecting only metadata and only for terrorism investigations. Snowden leaks massively contradicted almost every public statement.
It’s not paranoia when their own leaked documents show them to be pathological liars participating in repeated acts of foreign espionage against allies or secret coercion of domestic firms. That’s pseudo-police state going on digital offensive against everyone with little proven benefit for the risks they’re taking. The costs have been tens of billions in losses to our economy. Every company leaving Five Eye’s territory is playing it smart.
Strangely, though, they still have defenders despite being caught in numerous lies about almost every aspect of these programs. That makes paranoid types here start going over the deep end wondering whose a shill and whose just slow. I’m more focused on concrete details. They show people should be extremely skeptical of anything NSA or FBI says about these programs, encryption, or terrorism. Based on the military’s own intelligence standards, these organizations are intelligence sources of the lowest quality: I rate them at E6 through and through.
A. Sinan Unur • April 25, 2015 12:33 PM
The designers of medical robots need help: The injection attacks we demonstrated were successful due to the fact that valid packets were accepted by the robot
from any source.
Really. They do.
Danger Mouse • April 25, 2015 12:34 PM
Hello Andrew Wallace, welcome to the blog.
In the spirit of transparency, constructive community outreach and collaboration with the security researchers, please give us the details on the Metropolitan Police use of stingrays in London. How, when, where, who? (We know the why.)
rgaff • April 25, 2015 12:47 PM
@ Victoria Cross for Inverse Valor
Skeptical was actually far smarter and hard to pin down, whereas Andrew is much easier to get him to trip over his own words… Of course neither will admit to it, they’ll just ignore you if you have a point that disproves them, and that does make them similar in that way… But one is more like a high level guy that knows exactly what’s going on and what he’s doing and the other is more like a low level guy that’s just swallowed the company line without thinking too much.
Andrew Wallace • April 25, 2015 12:50 PM
If I had 45 minutes to investigate someone before something bad happened.
I would want all the data pre collected to be able to make a quick assessment to pass to Special Branch SO15.
That is the theory behind the mass data collection. It is not about you or I going about our daily routine
Andrew
Productive Elimination • April 25, 2015 12:51 PM
@albert
“This doesn’t mean that all Listees are going to be locked up”
Concentration camps are obsolete.
There are more modern methods for statist control of undesirable individuals.
Psychological manipulation can be used to shutdown precise behaviors while leaving a person in place, able to function for tax paying purposes. These are zersetzung tactics as used by the Stasi, and now by the US.
The statist logic for deploying these methods goes like this: we need to eliminate certain unhealthy elements of society, but why waste the product of their labor? Let us instead eliminate undesirables efficiently for the good of society as a whole.
In history there a couple of examples of such productive elimination. In the 1920’s the Soviets rounded up independent Ukranian farmers who refused to work on collectivised farms. They were sent to work on construction projects. Exact calculations were done to determine how much food input was needed to get so much labor output while the prisoners were being worked to death. These expendable people were called “white coal” by the Soviets.
Nazi concentration camps worked the same way, but not a first. It was regarded as a great innovation when some Nazi official pointed out that much labor was lost to society by the immediate elimination of Jews. After that the camps were organized to extract as much labor as possible in the process.
The lesson in all of this is that if you wait for concentration camps to appear before acting, you will miss the new form of productive elimination that is already being used.
History has moved on.
There will be no Panzers rolling down the El Camino when the DHS comes to Silicon Valley.
A.H.E.I. • April 25, 2015 1:00 PM
If I had 45 minutes to investigate someone before something bad happened, a mass policy of compulsory ball-and-chain and 15 ml. of intravenous barbiturates every morning (to conveniently impair judgement) injected to every man, woman and child would help tremendously.
65535 • April 25, 2015 1:09 PM
@ JohnT
“NY Times said 4/23 that the Senate has passed a bill expanding the “authorities” eavesdropping powers to fight human trafficking. The expansion is mentioned in the 5th paragraph. The news item is “Senate Approves Stalled Human Trafficking Bill, Clearing Way for Lynch Vote” pg A16, 4/23… Does anybody have more info on this expansion of government eavesdropping?”
I am suspicious that this bill maybe tied to the dragnet section of the 215 Act which is set to expire on June 1 of this year. It seems very opportunistic – but who knows.
[Techdirt 215 set to expire]
“This is even though the author of the PATRIOT Act, Rep. Jim Sensenbrenner, has said that the Act is being misinterpreted to allow mass surveillance and while President Obama himself has called for the program to be changed (though he has failed to step up and stop it himself, even though he has the power to do so).
“As we’ve mentioned a few times, however, much of this comes to a head in the next month and a half — because Section 215 of the PATRIOT Act officially sunsets as of June 1st — so if Congress doesn’t pass legislation renewing it, the program dies…Meanwhile, Trevor Timm has a good overview concerning what’s at stake:
‘”The massive phone dragnet is not the only thing Section 215 is used for though. As independent journalist Marcy Wheeler has meticulously documented, Section 215 is likely being used for all sorts of surveillance that the public has no idea about. There are an estimated 180 orders from the secret Fisa court that involve Section 215, but we know only five of them are directed at telecom companies for the NSA phone program. To give you a sense of the scale: the one Fisa order published by the Guardian from the Snowden trove compelled Verizon to hand over every phone record that it had on all its millions of customers. Every single one… the government claims that its other uses of Section 215 are “critical” to national security, it’s extremely hard to take their word for it. After all, the government lied about collecting information on millions of Americans under Section 215 to begin with. Then they claimed the phone surveillance program was “critical” to national security after it was exposed. That wasn’t true either: they later had to admit it has never stopped a single terrorist attack…”’
@ Nick P
“@ Andrew Wallace: I’m amazed you think it’s reasonable for government to spy on people discussing security or critiquing some aspects of their country. These are harmless actions protected by the First Amendment. The only time we’ve seen law enforcement or intelligence agencies use their power against people in those groups was to (a) suppress dissent or (b) try to prevent exposure of corruption… [The NSA and other TLA’s] still have defenders despite being caught in numerous lies about almost every aspect of these programs. That makes paranoid types here start going over the deep end wondering whose a shill and whose just slow. I’m more focused on concrete details. They show people should be extremely skeptical of anything NSA or FBI says about these programs, encryption, or terrorism. Based on the military’s own intelligence standards, these organizations are intelligence sources of the lowest quality: I rate them at E6 through and through.”
I agree. Nick, that was well put. I will not repeat your entire post – but your whole post surely merits reading.
@ Danger Mouse
“Hello Andrew Wallace… In the spirit of transparency, constructive community outreach and collaboration with the security researchers, please give us the details on the Metropolitan Police use of stingrays in London. How, when, where, who?”
Andrew Wallace since you appear to be making a tax free income from security advice and pump these Intelligence Agencies:
“I tweet about physical security and resilience. I provide not-for-profit protective security advice to cross-sector organisations in business environments.”-Andrew Wallace
Why don’t you expound upon the Metropolitan Police use of stingrays in London. You are the expert and are not “paranoid” explaining things – go at it mate.
Andrew Wallace • April 25, 2015 1:29 PM
“The only time we’ve seen law enforcement or intelligence agencies use their power…”
The majority of cases never surface in the public eye. You only see the stuff that reaches the media.
The stuff that reaches the media usually involves some kind of controversy for it to be worth reporting on.
Andrew
moderatorplease • April 25, 2015 1:38 PM
Please remove and block Andrew Wallace from this Blog. His comments are little more than shill, ignorant strawmen arguments. He refrains from responding to the ongoing discourse and instead continues his seemingly internal dialogue. This cherry picking disonance is unwanted and unneeded.
rgaff • April 25, 2015 1:51 PM
@ moderatorplease
I disagree. That is to say, I agree with you that Andrew is shill, but I disagree on asking the moderator to shut him up because of it. This blog so far, as long as I’ve been here, has generally been a model of mostly friendly open discourse, and to stay that way we must not ban people just because we disagree with what they’re saying. Argue with them, sure, censor them, no. Obviously there are lines, but those usually are around not letting it get too nasty, not around not letting certain opinions being voiced.
tyr • April 25, 2015 1:52 PM
I found this cute.
https://medium.com/bad-words/the-asshole-factory-71ff808d887c
Welcome to Wallace world.
I remember when the vision of technology was to make us freer
better informed and a lot happier. It was also to make things
more understandable and government more accountable.
steve37 • April 25, 2015 2:11 PM
What Your Phone Knows But Isn’t Telling You
Adrian Dabrowski, a PhD student at the University of Technology in Vienna, and four of his colleagues laid out a system to identify when there is a StingRay-like device in use nearby
http://motherboard.vice.com/read/what-your-phone-knows-but-isnt-telling-you
steve37 • April 25, 2015 2:16 PM
After Hacks,
A Dark Web Email Provider Says a Government Spied on Its Users
The humble little email service is called SIGAINT, a small but growing email provider for the privacy-minded folks that’s entirely hosted on the dark web and boasts 43,000 users. The service has an obvious paranoid, anti-surveillance ethos, which becomes clear when you visit their site’s contact page.
Nick P • April 25, 2015 2:35 PM
@ rgaff
I agree. No censorship. We’ll just call his BS on new threads with clear evidence. A post or two should suffice. We’ve wasted enough time as it is.
@ tyr
Thanks for the link. Interesting viewpoint. I’ve seen this in my own jobs. The bigger companies can even develop a culture that reinforces and justifies all the nonsense they do. It reminds me of what I learned studying cults, Nazis, and fascists. That’s actually not too much a surprise given fascism was government-directed corporatism. Should’ve taught a democracy what business model not to emulate if we wanted our economy and country to be better across the board.
Good news is I have two counterexamples in that industry: Costco and Publix. Costco treats employees well, pays them well, even avoided advertising to pay employees more, and encourages innovation from within. It’s highly profitable and rates well for its customers. Publix is an employee-owned company that focuses on high profit, quality, and service level. It treats employees similarly to Costco. Unlike Costco, it doubled its workforce during the recession. Result: highest profit and satisfaction rates in entire industry while being 7th largest private company in U.S. at time of writing.
The above companies treat people like people and giving them strong incentives to get more profit. Well, that’s combined with good business strategy and operations as well. Being well-intentioned alone obviously won’t cut it. Yet, even in markets with razor-thin margins, companies that respect and listen to their employees are getting more results. This has also been demonstrated by many companies in diverse industries. Toyota’s shakeup of automotive production by focusing on people and principles probably deserves mention.
So, American industry is full of assholes creating more assholes. Yet, exemplary companies in American and foreign industry show us that’s not only unnecessary: it makes them less money. I hope more companies follow the better examples set by companies above.
Danger Mouse • April 25, 2015 2:48 PM
I see no reason to ban Andrew Wallace (much as I disagree with his views). Plus, I think he was about to tell us the location and contact details for the administrators of London’s IMSI Catchers, weren’t you Andrew?
albert • April 25, 2015 2:53 PM
@Andrew
“…Those categories seem reasonable. I don’t understand the issue here….”
OK, if John Oliver said that, it would be funny, but….
If you quote someone, please use an @ tag with their handle, so we can find it easily.
….
@Productive Elimination
“…Concentration camps are obsolete….”
I was talking about “detention centers”. FEMA. The power of the LE/IC to do whatever they can get away with. The MSM propaganda machine is doing a fine job keeping the public in line. The key point for LE is not to overreact (i.e. Stasi/Nazi actions). The fact that the LE continues to allow their members to shoot unarmed black men is somewhat contradictory, unless the motive is to cause an uprising in black communities, in which case it is highly successful. You can deduce the intended LE response to a large black community uprising. Also, we have 25% unemployment, we don’t need any more labor:) In that sense, ‘labor camps’ are outmoded. Do you think Hitler and the Nazis really believed their own propaganda about the inferiority of the Jews and non-Aryans? Or was a means of popularizing the idea that it was OK to seize their money, possessions, land, and labor, and ultimately kill them. Wasn’t there already an undercurrent of anti-Jewish sentiment across Europe at the time? This is what the Nazi propaganda built on. There’s a similar undercurrent of anti-Muslim sentiment, world-wide, today. Y’all can connect the dots.
.
…
albert • April 25, 2015 3:06 PM
Petraeus get his sentence:
.
http://www.counterpunch.org/2015/04/24/judge-sentences-petraeus-to-75-of-one-speaking-fee/
.
For a legal view of the plea deal, see:
steve37 • April 25, 2015 4:05 PM
BKA chief: State Trojan operational in autumn
Suspects that encrypt their communications on your PC or smartphone, you can no longer rely on the fact that they are not yet spied it in the future. “We develop a tool with which we – after judicial authorization – go to the computer of the alleged offender before its encrypted communications
BKA-Chef: Bundestrojaner im Herbst einsatzbereit
http://www.heise.de/newsticker/meldung/BKA-Chef-Bundestrojaner-im-Herbst-einsatzbereit-2621280.html
BoppingAround • April 25, 2015 4:53 PM
Let me put this to you… If a crazy researcher was heading to an airport and you only
had an hour to investigate an individual, you would be thankful for the mass
collection programme.
To put it simply, if my grandmother had a dick, she would be my grandfather.
Nick P,
Strangely, though, they still have defenders despite being caught in numerous lies
about almost every aspect of these programs.
Altemeyer’s The Authoritarians has been mentioned on this blog several times.
If you have some spare time, read it.
You’re not likely to get anywhere arguing with authoritarians. If you won every
round of a 15 round heavyweight debate with a Double High leader over history,
logic, scientific evidence, the Constitution, you name it, in an auditorium filled with
high RWAs, the audience probably would not change its beliefs one tiny bit.
Authoritarian followers might even cling to their beliefs more tightly, the wronger
they turned out to be. Trying to change highly dogmatic, evidence-immune, group-
gripping people in such a setting is like pissing into the wind.[…]
High RWAs were quite interested in finding out the test was valid IF they
thought they had done well on the scale. But if they had been told they had low self-
esteem, most right-wing authoritarians did not want to see evidence that the test was
valid. Well, wouldn’t everyone do this? No. Most low RWA students wanted to see
the evidence whether they had gotten good news, OR bad news about themselves.[…]
Authoritarian followers aren’t going to question, they’re going to parrot. After
all, in the ethnocentric mind “We are the Good Guys and our opponents are
abominations”–which is precisely the thinking of the Islamic authoritarian followers
who become suicide bombers in Iraq. And if we turn out not to be such good guys, as
news of massacres and the torture and murder of Iraqi prisoners by American soldiers,
by the CIA, and by the arms-length “companies” set up to torture prisoners becomes
known, authoritarian followers simply don’t want to know. It was just a few, lower
level “bad apples.” Didn’t the president say he was sickened by the revelations of
torture, and all American wrong-doers would be punished?[…]
And while most Americans came to realize what a mistake the war in Iraq has
turned out to be, high RWAs lagged far behind. They listen to the news they want to
hear. They surround themselves with people who think like they do. They believe the
leaders who tell them what they want to be told.
Sadly it seems I cannot find the exact piece that describes their behaviour. DEL, DEL, DEL. Found it.
12
When bad news spills out about things that high RWAs support, they want to be
told it isn’t true. So some governments have gotten used to issuing “non-denial
denials” and flimsy counter-arguments, because that’s all it takes and it’s so effortless.
If a well-researched paper by a prestigious scientific body concludes that human
activity is seriously increasing the amount of carbon dioxide in the atmosphere, culprit
governments will say “the evidence is incomplete” and they will find someone,
somewhere, with some sort of credentials, who will dismiss a great number of studies
with a wave of the hand and give them the sound-bite they want.
Do read this book if you can.
Andrew Wallace • April 25, 2015 5:08 PM
“I think he was about to tell us the location and contact details for the administrators of London’s IMSI Catchers.”
I’m sure the Service use all sorts of techniques to detect and deter crime within the Capital as part of their statutory duty to protect the public.
Andrew
Moderator • April 25, 2015 5:23 PM
Andrew is persistent and consistently civil. The fact that he disagrees with many other readers’ positions is no reason to ban him. Whether he might qualify as a “shill” or not is beside the point. The devil’s advocate is welcome as long as he doesn’t get nasty.
Accusations of “shilling” are the equivalent of lay psychiatric diagnoses. It’s all ad hom and doesn’t work as argument.
Who is not behaving these days are the comment spammers who have been flooding this forum with nonsense posts. Many are coming from IPs associated with malicious activity. I’m doing what I can to minimize their occurrence. Please don’t hesitate to call my attention to the latest incarnation.
Mechanical Purple Turk • April 25, 2015 6:40 PM
Andrew messed the bed with his nocturnal emission of 5:08. (Andrew’s quite the Zulu nightowl, have you noticed?) His ‘statutory duty to protect the public’ is legaloid baby talk. If Andrew knew what he was talking about, he would be able to reconcile whatever he’s trying to say with the European Communities Act 1972 and the precedent of the IPT’s first and second Judgment of 5 December 2014. Don’t hold your breath waiting. He can’t explain his nonsense.
Whether Andrew is a USG persona is a worthwhile question. Several of them have posed as anglophone foreigners. Andrew’s twitter feed reads like half-baked pocket litter and his awkward unfamiliarity with state duties and the responsibility to protect makes him sound like a US grunt. That makes Andrew’s simpleminded message worth a closer look as kindergarten propaganda.
Hello World • April 25, 2015 10:38 PM
Don’t shoot the messenger. For he merely deliver messages. @AndrewWallace provides a valuable non-profit service via his twitter feeds, IMHO.
“Why do you think we are undergoing a worldwide transition toward electronic mass surveillance in the image of NSA Collect-it-ALL? (Laws and Rights be damned.)”-Bob S.
My favorite analogy is the arms race back in Cold War days. It is a general census of one-up-man-ship. We’ve built to destroy ourselves a hundred times over, and it will likely be the same that we will build to watch ourselves 100 times over until we eventually realize it.
“I remember when the vision of technology was to make us freer
better informed and a lot happier. “-tyr
Yes and there is still hope for that.
65535 • April 25, 2015 11:06 PM
@ All
Given the number of web sites using Http instead of Https, Fox-IT’s code and Snort firewall seem to have a method of detecting Quantum Insert.
I don’t know if it works. I would ask some of our more proficient posters what they think of the Fox-IT code on the Snort firewall.
http://blog.fox-it.com/2015/04/20/deep-dive-into-quantum-insert/
Thoth • April 25, 2015 11:06 PM
@Andrew Wallace
What is your view on Escrow Encryption Standards ? Will we be heading to EES v2.0 with AES as the cipher for a new EES for everyone to use instead of EES v1.0 that uses Skipjack ?
It is quite amusing to notice how the balance of technology and openness of views can create so much anxiety and especially something that worries Governments of so-called Democratic Societies where the Internet and modern computing technologies have been seen by these Democratic Govts’ as threat to civil and national order.
In your view, what do you think the Govts’ can do better to on one hand preserve privacy and quell anxieties instead of pushing more paranoia in the open Security Communities and making people so much more uneasy (as you can tell from the comments in this blog) and on the other hand be capable of doing their jobs as “Civil Servants” of their respective Nations and societies ?
Coyne Tibbets • April 25, 2015 11:20 PM
Remember the scandal wherein the NSA was spying on German Chancellor Angela Merkel?
Well, now we have this: NSA spied on EU politicians and companies with help from German intelligence
All I can do is ROFL: They conned Germany into helping them spy on everyone else, even as they were spying on Germany. I mean, shades of Spy vs Spy.
Clive Robinson • April 26, 2015 12:24 AM
@ Steve37,
The OS is not a reliable place to catch Stingray etc from.
The reason for this is it effectivly gets the data via the SIM, which can be reprogramed etc via the OTA interface, so could be programed to lie to the OS.
Which is what I would expect to happen if a reliable app to detect ISMI catchers was developed, due to the level of investment the authorities have put into the technology….
On a side note you can get “engineering / development” SIMS that work in ordinary –ie non smart– phones that display the same sort of information the prospective app does. Such SIMs are currently not that difficult to get hold of and I’ve five or six of them in my workshop.
For those that want to “roll their own” solution their are “GSM shield boards” for various micro-controler boards popular in the “maker community” such as the Beagle Bone and Raspberry Pi etc. These boards usually have chips on for which the data sheets are available that tell you more than sufficient information to do this.
Oh and the likes of Google already use the cell tower ID info to get an approximate location fix when GSM is either absent or off in a smart phone.
Thus Google has a list of legitimate cell tower IDs which would not include the portable ISMI catchers for obvious reasons.
Perhaps it’s time for those volunteers cycling around taking GPS readings for making maps etc started collecting Cell Tower IDs and putting them up on the web as well…
Wesley Parish • April 26, 2015 5:32 AM
@Andrew Wallace
I think the major reason I could give for not trusting LEOs with an infinite amount of data is their consistent lack of ability to do anything with what they’ve previously made do with:
http://www.stuff.co.nz/national/crime/67904722/coroners-probe-why-did-dunedin-father-edward-livingstone-kill-his-children
http://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid=11208525
http://www.odt.co.nz/news/dunedin/340047/something-amiss-livingstone
I’m sure others can point you to the case of the Boston bombings, which happened in spite of the two brothers already being known to Russian internal security and this information being passed on to the US authorities.
Plus, one can always use that metaphor of the needle in a haystack; the bigger the haystack, the harder it is to find the needle. The basis for that metaphor is not a given number multiplied by itself: n squared; it’s a given number multiplied by itself multiplied by itself: n cubed. Deciding which dog stole my sausage is easy when it’s one of three; how much easier it is when it’s one of nine; how infinitely easier it must be if it is one of twenty-seven.
Andrew Wallace • April 26, 2015 7:46 AM
“Curious • April 25, 2015 8:55 AM
Though not really computer security news, there has apparently been a robbery of a deposits vault in London recently. It is called the “Hatton Garden heist” in the news.”
You’ll be interested to watch this
http://www.bbc.co.uk/news/magazine-32431557
http://www.youtube.com/watch?v=XOmPqfNVJ9E
http://www.bbc.co.uk/programmes/b05sz78d
Andrew
Charles Linton • April 26, 2015 9:11 AM
Thanks, Andrew for the alarming security news. Please tell us more, especially about Britain’s pervasive rings of child-molesting predators in high positions getting blackmailed by foreign intelligence organizations. The UK’s impressive sources and methods and technical means must provide a lot of important information on that. Thanks again!
JonKnowsNothing • April 26, 2015 12:02 PM
re: @Andrew Wallace
I guess @Skeptical is on vacation. Hope he’s having a good time in Yemen. Great scenery and lots of daily fireworks: the Disneyland of the M/E.
@Andrew Wallace
https://www.schneier.com/blog/archives/2015/04/friday_squid_bl_475.html#c6694453
If I had 45 minutes to investigate someone before something bad happened.
I would want all the data pre collected to be able to make a quick assessment to pass to Special Branch SO15.
That is the theory behind the mass data collection. It is not about you or I going about our daily routine
Andrew: your timetable is a bit off here. iirc the actual timeframe before “something bad happened” isn’t 45 minutes. If it were we wouldn’t be having much of a discussion about it. It’s 1-2 minutes MAX. Preferably less than 30 seconds. How long do you think it takes to detonate a bomb? Ask the folks in Boston.
Since you are referring to Special Branch (UK) you all have very good notions from your Northern Ireland Troubles which date back to pre-Eliz-I and haven’t gotten much better in the last several hundred years. All your centuries of policing hasn’t made a dent there.
This issue is encompassed in “Predictive Policing”. It’s about predicting your future behavior based on your past action and trawling for something, anything that will ID you based on your historical data.
The concept here simple: If Amazon can ID you by your book preferences so can the Police States of the World. If Target can ID and insta-spam pregnancy tests and baby stuff based on a search phrase/word the Police States of the World want to know you just that quickly. The micro-ad-agency-spam-auctions take place so fast that the page can update the ad between the time the page is requested and the time it’s displayed on the screen. The Police States of the World want this ability too. And that’s not 45 minutes by a long shot.
This ability also called a General Warrant. This is outlawed in the USA and was one of the reasons behind the split from our historically joint King and Country. After which it became your King and Country but not ours, thank you very much. You still have this problem with The Anointed Ones, while we get to deal with the Dreidel Game.
I recommend you increase your knowledge base by reading a great book:
Data and Goliath. Author: Bruce Schneier.
@Andrew Wallace
https://www.schneier.com/blog/archives/2015/04/friday_squid_bl_475.html#c6694447
You can vote in a different Government if you are unhappy with the current government. That is what democracy is for.
Indeed we can vote but how are those votes gonna be counted?
I guess you could ask that really up front Tory Pol who managed to delete the Tory Policy Archive along with his shady web business dealings and has now been “accused” of hacking his own Wiki Pages? He would be an expert on how to fix the elections with the following publically known methodology.
https://www.schneier.com/blog/archives/2015/04/an_incredibly_i.html
So how would someone use these vulnerabilities to change an election?
- Take your laptop to a polling place, and sit outside in the parking lot.
- Use a free sniffer to capture the traffic, and use that to figure out the WEP password (which VITA did for us).
- Connect to the voting machine over WiFi.
- If asked for a password, the administrator password is “admin” (VITA provided that).
- Download the Microsoft Access database using Windows Explorer.
- Use a free tool to extract the hardwired key (“shoup”), which VITA also did for us.
- Use Microsoft Access to add, delete, or change any of the votes in the database.
- Upload the modified copy of the Microsoft Access database back to the voting machine.
- Wait for the election results to be published.
Works for votes, works for anything electronic.
If you don’t like that we could offer you some “hair forensic specialists” from the FBI to train your guys better. Our guys did superb for 20 some years. We got a few more of those types hanging out in the FBI/CIA too just in case you need more backup.
References:
General Warrant
In general, customs writs of assistance served as general search warrants that did not expire, allowing customs officials to search anywhere for smuggled goods without having to obtain a specific warrant. These writs became controversial when they were issued by courts in British America in the 1760s, especially the Province of Massachusetts Bay. Controversy over these general writs of assistance inspired the Fourth Amendment to the United States Constitution, which forbids general search warrants in the United States.
Dreidel Game
Each player spins the dreidel once during their turn. Depending on which player side is facing up when it stops spinning, they give or take game pieces from the pot:
a) If נ (nun) is facing up, the player does nothing.
b) If ג (gimel) is facing up, the player gets everything in the pot.
c) If ה (hay) is facing up, the player gets half of the pieces in the pot. (If there are an odd number of pieces in the pot, the player takes the half the pot rounded up to the nearest whole number)
d) If ש (shin) or פ (pei) is facing up, the player adds a game piece to the pot (often accompanied with the chant “Shin, Shin, put one in”). In some game versions a Shin results in adding three game pieces to the pot (one for each stem of the Shin).
If the player is out of pieces, they are either “out” or may ask another player for a “loan”.
singsang • April 26, 2015 12:49 PM
@Andrew
So I think about it this way.
Who has caused more harm, governments in the last 50 years or others. Other includes murderers, pedophiles, terrorist and all the other bad guys. Cambodia? Russia? Cuba? China? Kazakhstan? Saudi Arabia? North Korea?
You may live in America and think that in the last 50 years your government have done more good than harm. But that’s not the case for the rest of us, so even if you try to hold up your country’s government as something to be followed. For us, that have lived or still do under a government that lied, just like yours. It’s hard to tell the good guys the tell lies from the bad guys that tell lies.
I’m not going to argue who are good and who are bad, where the line is or any of it. As long as you can understand where I’m coming from, what fear I feel, then I’ll be satisfied. A lot of different people will come to different conclusions when it’s about social issues.
JonKnowsNothing • April 26, 2015 12:51 PM
The NYTimes (boggles) actually NAMED NAMES in an article that exposes THE CIA US DRONE KILL program is run by those same upstanding Americans that brought you THE TORTURE program and waterboarding as recreational fun.
The drone kill program of precisely targeted and timed assassinations is so accurate that the US has no idea whatsoever of who the bombs are hitting. The best of the best PREDATOR drones flying precision bombing paths with such accuracy that anything they hit counts. It’s such a great feature that the CIA regularly show the SNUFF videos to the Congressional Oversight Committees. Each assassination mission is personally signed off by POTUS Obama with the clear indication that we are supposed to HIT SOMETHING.
note: The drone program uses the best of the best metadata as General Hayden said “We kill people based on metadata”. It uses all the latest tracers, tracers, spy works, satellites, IMSI cell towers and everything the NSA can funnel over to the CIA. The CIA has their own internal systems so they can double check that the NSA doesn’t lie to them about the metadata and other targeting parameters.
Michael D’Andrea was the CIA Officer in charge of convincing Senator DiFi and others that the targeted drone kill program was actually killing their assigned targets and that civilian casualties were in “single digits”.
Mr. D’Andrea was a senior official in the Counterterrorism Center when the agency opened the Salt Pit, a notorious facility in Afghanistan where prisoners were tortured. His counterterrorism officers oversaw the interrogation and waterboarding of Abu Zubaydah, Abd al-Rahim al-Nashiri and Khalid Shaikh Mohammed.
Michael D’Andrea has been replaced by Chris Wood. Wood, was ultimately in charge of Alec Station which ran the interrogation program along with the other Torture Stars. Wood is under investigation for “accidental” targeting of hostages and other SUPRISE! violations.
Best Quote:
When Ms. Feinstein was asked in a meeting with reporters in 2013 why she was so sure she was getting the truth about the drone program while she accused the C.I.A. of lying to her about torture, she seemed surprised.
“That’s a good question, actually,” she said.
Deep Support in Washington for C.I.A.’s Drone Missions
By MARK MAZZETTI and MATT APUZZOAPRIL 25, 2015
http://www.nytimes.com/2015/04/26/us/politics/deep-support-in-washington-for-cias-drone-missions.html?partner=rss&emc=rss&smid=tw-nytimesworld&_r=2
Andrew Wallace • April 26, 2015 12:54 PM
JonKnowsNothing,
There are all sorts of time scales and scenarios after a bomb threat is made.
Mass data collection allows the Government to have all the information they need infront of them to advise SO15 to go out and arrest those involved on behalf of MI5.
Andrew
rgaff • April 26, 2015 2:31 PM
@ Andrew Wallace
So are you British or American? Someone just accused you of being an American, I would think that would be an insult that would be hard not to respond to if you were British…
It’s really a sign of the times we live in when it’s that hard to tell the two apart…
Benni • April 26, 2015 4:47 PM
This little new achivement of germany’s BND might change many things here, for example, it could lead to NSA loosing their access on german networks:
But it was only after the revelations made by whistleblower Edward Snowden that the BND decided to investigate the issue. In October 2013, an investigation came to the conclusion that at least 2,000 of these selectors were aimed at Western European or even German interests.
In spring 2014, the NSA investigative committee in German parliament, the Bundestag, began its work. When reports emerged that EADS and Eurocopter had been surveillance targets, the Left Party and the Greens filed an official request to obtain evidence of the violations.
At the BND, the project group charged with supporting the parliamentary investigative committee once again looked at the NSA selectors. In the end, they discovered fully 40,000 suspicious search parameters, including espionage targets in Western European governments and numerous companies. It was this number that SPIEGEL ONLINE reported on Thursday. The BND project group was also able to confirm suspicions that the NSA had systematically violated German interests. They concluded that the Americans could have perpetrated economic espionage directly under the Germans’ noses.
Only on March 12 of this year did the information end up in the Chancellery. Merkel administration officials immediately recognized its political explosiveness and decided to go on the offensive. On Wednesday, the Parliamentary Control Panel met, a body that is in charge of monitoring Germany’s three intelligence agencies. The heads of the agencies normally deliver their reports in the surveillance-proof meeting room U1.214.
Panel members suspected something was different at this week’s meeting when Chancellery head Peter Altmaier, a cabinet-level position in Germany, indicated that he would be attending. The heads of the parliamentary NSA investigative committee were also invited to attend. BND President Gerhard Schindler, however, was asked to stay away. The day after the meeting, the government announced bluntly that Schindler’s office had displayed “technical and organizational deficits.”
Pint! Pint of wallop. • April 26, 2015 5:50 PM
Good points, Jonknowsnothing, but uniformly above Andrew’s pay grade. Beyond his comprehension. He’s a prole hired to spy on his class and keep his mouth shut about kiddy-raping toffs. His is not to reason why. Andrew was born and bred to take orders.
Pollarded • April 26, 2015 7:13 PM
Common-sense cui bono on NSA’s failure to protect US executive communications
Petrov S. • April 26, 2015 8:15 PM
“Security Researchers” meaning ‘those who find security vulnerabilities in applications’ have a few reasons why governments are interested in them. But there are many different types of these security researchers. It is like most security fields where there is deep government engagement.
There are the very rare few who can perform consistently the impossible.
The “impossible” means it is so improbable that it is not even remotely plausible it could have been performed. Plausible by whom? That is the trick. Plausible by low and high strata of consensus of “experts”.
As long as such researchers are diligent in being discrete, they do not have a problem being caught because nobody could believe that what they do is even possible.
This invisibility is always a reality in security, because ‘the unknown can not be quantified’ but people are inclined to always believe it can be quantified. Even if they logically know they can not accurately quantify the unknown. In security, quantifying the unknown is something that is routinely and rigorously performed. Which only enhances the self-delusion.
But the sort who can do what is highly coveted are acutely aware they are highly coveted if discovered.
The more basic problem being faced by the wider range of security researchers is simply that their governments want to restrict their capacity to freelance, at the very least.
They are themselves increasingly relying on security vulnerabilities for backdoor access to targets, so they increasingly see those who find them and who are not working for them to be a threat.
Their problem here is modern security for computers is very much more stringent and demanding then what these old timers understand. So, the factor of finding security vulnerabilities in products is a mainstream trade core to producing applications. They do not understand this. Every software vendor on the planet understands this, but they do not. Which tells you just how much they know. This sort of politician or higher up has such bad information on such a key aspect of their job, they can be chalked off as a fool.
Still, they can be a dangerous fool, so wariness is quite warranted.
Petrov S.
Petrov S. • April 26, 2015 9:25 PM
@”Andrew Wallace”, aka N3td3v
This appears to be you:
http://seclists.org/fulldisclosure/2009/Jan/356
False persona, real persona, does not matter. I will point out the female poster on that thread is not a female however. So that leaves only detractors and then one false persona standing behind you. However I find it in poor taste to challenge a persona usually. I only comment because there is significant history there. There is even a paper asking “who is n3td3v”. Professional journalists who are well known in the area have chimed in. Let us take this as ample and curious mystery.
Let us work with your expressed front.
Did you join MI5 as you expressed ambitions of doing so?
Let us say you did. Even still that does not give you the capacity to make all inclusive or exclusive judgments about what “government” will or will not do. It will incline you to be “rah rah” team, however. This is expected from junior employees who expect to be surveilled and wish to further their employment. Junior employees are not going to be told anything nor engaged in anything substantial.
If you did join the service, the way you Brits work, you could not say. But you are on here posting, which is dangerous in that perspective. Dangerous for your job. You might leak secrets or end up acting as an ambassador for the service. Either way, that could get you fired. Are you aware of this? Or did you not join?
Petrov S.
Petrov S. • April 26, 2015 9:30 PM
@Benni @NSA Hacked Europe w/ BND’s Story
That is certainly the big story of the week in terms of electronic surveillance. The entire affair is interesting. So BND did not come forward with this information in a timely manner now BND head is stepping down in shame? But is it all really as unintentional as it is played up to be? Was the NSA being trusted too much, and BND not checking the details? But, why is the NSA asking for so much information so often? Is that even remotely legitimate? Were they taking advantage of the flood of requests? Are there more compromises in the BND for the NSA? What is being used with the commercial data being sought for and obtained? Is that passed to American companies, and if so, who and why and what are the terms?
So many questions. 🙂
Petrov S.
Nick P • April 26, 2015 9:47 PM
@ 65535
I’m sorry for not responding to you sooner. I just remembered seeing the post in the Last 100. There’s a lot of technical detail in how those NSA tech’s work and would be mitigated that I’m rusty on. I’d need more time and energy than I have to review a product outside my specialties. The best person to ask about that is Nicholas Weaver: he stays in those trenches with plenty of good writeups. That also gives extra incentive for him to review it. He might have done it already.
@ BoppingAround
Interesting passages. Clive recommended it in the past. I’m probably going to have to force myself to read it soon. Especially since it might not require a lot of deep thinking: a new way of presenting what I’ve already noticed plus things I haven’t.
William Wallace • April 26, 2015 10:04 PM
Hi @Andrew Wallace,
I for one welcome our TLA agents/sub-contractors/minions to Schneier. You’re such lurkers, it’s so nice when you say hi. 😉
I’m very interested in your response to the following items:
1) Respected/trusted security experts (such as our very own Schneier) continually repeat a similar mantra – “A backdoor for security services is a backdoor for everyone else.” Despite this emphatic warning from folks that possess an expert understanding of encryption technology, we hear the security services responding with assurances that a technical solution is achievable. So, please do explain to us the specifics of such a technical solution.
2) The security services say that mass surveillance is vital to stopping terror attacks. Despite the overwhelming evidence to the contrary, let’s pretend for a moment that’s true. Okay then, one use of mass surveillance by the security services is to stop terror attacks. But what else can they use mass surveillance for? For example, please give us your thoughts on mass surveillance being used for purposes of suppressing/silencing/eliminating the following:
Let me be so bold as to make a prediction. If you respond to my inquiry at all, you’ll respond with something along the lines of:
– Be afraid, be very afraid! and/or
– If we want totally security, we’re going to have to make some trade-offs! and/or
– It’s all safe because – Transparency and Oversight!
If your responses are anything along those lines, please know that:
-Total surveillance by our security services is a far greater threat to this nation’s citizenry than any terrorist/criminal threat and
– NO ONE IS ASKING YOU FOR TOTAL SECURITY! – that’s just a TLA talking point and
– Transparency and Oversight! – Bahahahahahahahaaaaaa! …never mind, we’d all just die laughing.
Also, I read all your comments. Your arguments/propaganda are weak because you’ve strayed too far from reality. No one that understands the specifics, and is without a vested interest, believes a word you say. Probably not even within your own ranks. Hope the pay is good, because your selling out your homeland to get it.
Thoth • April 26, 2015 10:08 PM
@Markus Otella, Nick P
Are there any thoughts of redesigning TFC with refitting for Infra-Red communication via uni-directional channels.
Currently, the TFC requires a Pi board connected to a laptop for TxM and RxM. Maybe the Laptops can be replaced by putting everything in the Pi board if possible and also to synchronize the display unit of the RxM and output unit of the TxM so that you effectively will have kinda like a single module but have two separated slots with one for TxM and one for RxM by glueing the TxM Pi board (inside a plastic casing) back to back to a RxM Pi board (also in a plastic casing).
My idea is something along the line of this image: http://www.space-airbusds.com/media/image/ttc-cryptographic04.jpg
(Note: Use a properly secured and forgetful PC before visiting any links of defense contractors)
Another ready concern I still have is secret key protection from physical tampering. The only thing I can think of is COTS smartcards to hold the secret keys but these smartcards should always be treated as untrusted devices due to their unknown nature but noticeable merit of quality for handling weak forms of physical tampering.
How are the smartcards going to be part of the picture as tamper resistance key handling devices but remain in an untrusted zone with capability of processing cryptographic calculations ?
I can imagine one scheme is to use the smartcards to store a Key-Encrypting-Key (KEK) that will protect an SD card filled with OTP keystreams or some form of insecure keystorage mediums like a harddisk or maybe the smartcard have enough space for all the keys in a high quality variant ?
Nick P • April 26, 2015 10:27 PM
@ Petrov S.
re: Andrew Wallace
BOOM! Great find! The Moderator correctly pointed out that merely calling someone a shill is an ad hominem attack and weak. This, on the other hand, is a confession by “Andrew Wallace” that his main function is spying on people for law enforcement. His main ambition is joining the MI5 intelligence service. The person with that name here links to a Twitter feed that incessantly spams newsbits for British police and intelligence. Odds are high that they’re the same person. Such affiliation and goals drives his bias up so high as to make his claims about what evils they might be doing totally unreliable. (as I rated him) That he’s also a digital spy and/or saboteur has its own implications in how we should consider his posts.
Aside from him, the other commenters responses on the mailing list are interesting. Those that looked at his posts and mailing list unanimously considered him a troll. Notice there’s some defense of Skeptical here, despite similar accusations, because he replies in a thoughtful way on the discussions that’s not so different than mass surveillance supporters. Wallace, on the other hand, uses troll debating tactics in every response to those posters without ever addressing any key points. He usually does the same here.
My favorite part of that mailing list was when he was asked a simple question: “why don’t you make your [mailing list] archives available?” This is common and especially for those using open source intelligence like he claimed. So, why does he hide the archives and submissions if all they’d reflect is a knowledgeable security practictioner surrounded by a community of others? He never responded. Matter of fact, he responded to every personal attack, gripe about the quality of his list, and so on with very little delay. That one question made him leave the discussion, even after someone else noticed this and called him on it. Still didn’t answer.
That’s because Andrew Wallace is a fraud. I’ll keep that link handy in case he tries to derail future discussions. A little “Disclosure: Andrew Wallace…” line at the end of a counterpoint should suffice to inform readers he’d prey on.
Thoth • April 26, 2015 10:51 PM
@Nick P, Markus Otella
I am thinking if a sort of high assurance hardware design could be used for trusted data backup. The goal is to not simply backup everything to a dumb harddisk (encrypted or not) but to pass it through a secure setup for backing up (considering the backup data might be untrusted).
Probably the first step might be to use a RxM and a TxM. Over a network, the receiver receives a batch of data to be backed up and version. The data is wrapped (encrypted and compressed if necessary) and then version metadata stored. The data would then be placed onto a specific segment of a disk or hardware storage. If there are errors the RxM detects, it will tell the TxM to simply signal a fail and some error codes and the data forgotten. The main part is when the RxM receives the backup data, it needs to be a trusted secure codebase to evaluate the received backup data (in case the backup data actively tries to corrupte the RxM).
This kind of secure and assured backup might be a good solution against data ransomwares trying to mess around with a target ? It should also prevent data exflitration of backed up data in the other direction.
All these are kind of some random thoughts at the moment.
George • April 26, 2015 11:03 PM
Here’s an article about a real estate company in downtown Detroit filling in the dark spots of their security camera network by installing equipment on buildings they don’t own.
For context, 2/3rds of the way down this article is a map of (some of) the properties that the real estate company in question owns. In summary, it’s a large number (about 60), concentrated in the central business district.
JonKnowsNothing • April 26, 2015 11:57 PM
@Andrew Wallace
https://www.schneier.com/blog/archives/2015/04/friday_squid_bl_475.html#c6694497
There are all sorts of time scales and scenarios after a bomb threat is made.
Mass data collection allows the Government to have all the information they need infront of them to advise SO15 to go out and arrest those involved on behalf of MI5.
Well, now Andrew you can’t have it both ways as Time is of the Essence, it is Infinite but Finite too.
Your claim of was 45 minutes.
That’s 45 minutes to trawl through all of Google’s Archives, all of Facebook’s Archives, all the CIA Archives, all the NSA Archives and then cascade down through the 5EYES and all the databases of their helper-elves. That’s an eternity and really a total waste of both finite and infinite time unless you are having a cuppa or working-to-rule.
I stated that Instant Access is the goal and so much more efficient.
To be useful for such activities you need to have Instant Access especially when:
There’s no need to waste time doing a grep from Cheltenham across the pond-wires to the NSA either in the US or Germany. The RT-packet-lag alone would make your grep out of date. You could use a DDoS type grep-infinite-loop but then the NSA supercomputers wouldn’t be able to work on decrypting stuff because you would be tying up their mega parallel CPUs doing context switching.
No Andrew, you will need Instant Access: localized copies of all databases from every provider/ad-reseller/security service indexed and cross indexed like Ms Lemon’s perfect filing system, right there at your fingertips.
Now going back to your initial premise: Doesn’t this make you feel so much more safe?
*note: The GCHQ was expecting a hiring frenzy after the release of the Alan Turing movie The Imitation Game with Benedict Cumberbatch as Alan Turing. One can imagine that applicants all think they will look like Cumberbatch with the IQ of Turing.
Andrew might be applying for a position there. We should help him. If we don’t, he’ll only get a Zero-Hours Contract with Tesco’s for the rest of his life.
Petrov S. • April 27, 2015 12:41 AM
@NickP
BOOM! Great find!
Thank you for the heart warming praise. I am glad to have been benefit.
The Moderator correctly pointed out that merely calling someone a shill is an ad hominem attack and weak.
I heartedly agree with that sentiment as well.
I appreciate the “devil’s advocate” viewpoint, it keeps forums running with lively debate and opportunities for new discoveries.
I do agree this is difficult when a poster does not respond in kind. At least attempting to engage those of differing opinions in a meaningful discourse.
But, sometimes they can not, or are otherwise not so inclined. If they suffer from both Asperger’s Syndrome and borderline personality disorder, or some other manner of dysfunction or combination of disorders thereof.
You may recall that shooter in LA who posted on bodybuilder forums. He was seen as trolling but he had some severe problems. He just really was that way. Hard for them to see at the time. Easy to see after the guy went full blown crazy.
So, why does he hide the archives and submissions if all they’d reflect is a knowledgeable security practictioner surrounded by a community of others? He never responded. Matter of fact, he responded to every personal attack, gripe about the quality of his list, and so on with very little delay. That one question made him leave the discussion, even after someone else noticed this and called him on it. Still didn’t answer.
That does seem noteworthy.
That’s because Andrew Wallace is a fraud. I’ll keep that link handy in case he tries to derail future discussions. A little “Disclosure: Andrew Wallace…” line at the end of a counterpoint should suffice to inform readers he’d prey on.
I have not performed the research you have performed. I am reluctant to do so. I stumbled onto this. Puzzles are interesting but where do they lead. It sounds like for you there has been some value in this. But to go only so far. Same for me.
He is either as he says he is or that is legend. That is the short of it.
In whatever case he is looking for information. That is a position of weakness to start from. Not all who dig for gold find what they are looking for.
Petrov S.
Clive Robinson • April 27, 2015 2:44 AM
@ JonKnowsNothing, Nick P, Petrov S.,
RE “Andrew Wallace” employment etc.
The current “Andrew Wallace” poster may have given a clue to their employment via their current twitter persona. In it they have mentioned a show and stand number…
As I indicated to @GreenSquirrel an “Andrew Wallace” has posted on this site in the past and linked the name with n3td3v. Further that there were some interesting things related to n3td3v. I did not put up the links because I could not confirm that it is the same “Andrew Wallace” persona although the posting style was very similar.
Digging through other information at that time indicates that others think the “n3td3v Andrew Wallace” persona may well either be Scottish or educated at a university there.
For someone trying to “build an online persona” for what ever reason the “n3td3v Andrew Wallace” and the “twitter Andrew Wallace” personas have left quite a few pointers to a “meatspace persona”, wether that is accidental or deliberate is potentialy an interesting question.
As has been indicated on the Krebs site in the past with “SWATing”, “revenge porn” and “fitting up with drugs and worse” there are those online quite adept at realising the “meatspace” person of an “online persona” and making life hell for not just them but those around them such as fellow employees (hence my warning).
That said there could be other reasons for setting up an online persona that grates on other people… The more cautious of us might consider it to be for various reasons including some sort of honeypot. After all such tactics are known to have been used to find those that are predatory to children, proto terrorists etc.
What ever the reason for the various online personas or if they are actually related, I for one am not going to go digging as in various jurisdictions there are laws pertaining to stalking/harassment with overly broad definitions, which I have no wish to become a test case for.
Further in the US there is legislation about revealing the identity of Gov IC Officers which “Scotter Libby” fell afoul of. If one of these “Andrew Wallace” personas is a “US government shill” as some have indicated, then trying to prove so could run into that legislation, especially under the current “whistle blower crushing” US President / Executive (not that I expect future US administrations to be more lenient in this respect in fact I expect them to be far far worse). It’s not to difficult to plot this downward trend towards an Orwellian future where “shill outing” becomes a serious crime under the “terrorist” or other prevailing demonizing “catchall”. After all you have to remember that todays FUD of “It’s your civic duty to think of the children”… could easily be tommorows legislation, as the Patriot Act did.
Andrew Wallace • April 27, 2015 3:33 AM
Clive Robinson,
I was smeared on public search engines a number of years ago.
I got Full Disclosure Mailing List closed down in the United Kingdom where the smear took place.
They tried to undermine my opinion as a persona rather than accepting that it is my opinion.
I found this offensive so in the end they lost their mailing list because of it.
Andrew
Andrew Wallace • April 27, 2015 4:28 AM
Full-Disclosure Mailing List Shuts Down
By Sean Michael Kerner | Posted 2014-03-19
http://www.eweek.com/blogs/security-watch/full-disclosure-mailing-list-shuts-down.html
Andrew
65535 • April 27, 2015 4:38 AM
This ‘Full Disclosure mailing list’?
[Wikipedia]
“Full disclosure was an unmoderated security mailing list generally used for discussion about information security and disclosure of vulnerabilities. The list was created on 9 July 2002 by Len Rose and was administered by Len Rose, who later handed it off to John Cartwright. After Len Rose shut down netsys.com, the list was hosted and sponsored by Secunia… On 25 March 2014 the Full Disclosure mailing list was “rebooted” by Fyodor.The site is now part of seclists.org and no longer associated with grok.org.uk.” -Wikipedia
http://en.wikipedia.org/wiki/Full_disclosure_%28mailing_list%29
It doesn’t seem to be “shut down”.
65535 • April 27, 2015 4:48 AM
@ Nick P
“I’m sorry for not responding to you sooner. I just remembered seeing the post in the Last 100. There’s a lot of technical detail in how those NSA tech’s work and would be mitigated that I’m rusty on. I’d need more time and energy than I have to review a product outside my specialties.”
I full understand.
I usually wait a number of hours before expecting a response. I know that people on this blog are serious security experts [probably juggling several projects as time permits] and cannot answer every question instantly. Thanks for your reply.
Andrew Wallace • April 27, 2015 4:55 AM
65535,
Completely different mailing list in a different country by a different person.
The person had been keeping a mirror and decided to set up a mailing list under the same name.
The actual Full Disclosure Mailing List is closed in the United Kingdom and its archive deleted from the internet.
Moreover, the list of email addresses was deleted and was not given to the person.
What you see is a different mailing list altogether under the same name continued from a mirror.
It is a “spiritual successor”.
Andrew
X-19 • April 27, 2015 7:29 AM
Andrew, this is X-19. Do not ask who we are. We have been watching you, and we are very impressed by your secret combat and international-intrigue skills. We have a secret covert assignment for you.
A terrorist cabal is threatening life as we know it. You must infiltrate and report back on their plans. Use maximum operational security methods. If you fail, we will disavow any knowledge of your existence. You are on your own.
The target is 4chan.org.
X-19
Petrov is the maestro. That explains it. Andrew is Commandant of the Schizoid Fantasy Police. Sad lonely wannabes are the worst. Soon Andrew’s going to rate his own Encyclopedia Dramatica entry.
steve37 • April 27, 2015 7:50 AM
In response to a Freedom of Information Act lawsuit by The New York Times, the government has declassified a 2009 report by five agencies’ inspectors general about the Stellarwind program, the group of N.S.A. warrantless wiretapping and bulk phone and e-mail records collection activities initiated by President George W. Bush
http://www.nytimes.com/interactive/2015/04/25/us/25stellarwind-ig-report.html
Clive Robinson • April 27, 2015 8:16 AM
@ Andrew Wallace,
I got Full Disclosure Mailing List closed down in the United Kingdom where the smear took place.
Hmm, why you would wish to claim that I realy don’t know, it hardly strikes me as a “badge of honour”, and certainly not something a perspective employer would be likely to find as a pluss point.
But as a claim is it actually factually correct?
From what I remembered at the time Full Disclosure closed down over the behaviour of a person who the then mail list operator refered to as a “researcher”. As far as i can tell you’ve not published any research.
However there was controvosy on the list over Nicholas Lemonias’s “research”. Which was not just criticized but actually questioned by others on the mail list. Some who thought he had not just stolen others work but also factually misrepresented what the work was capable of.
Apparently Nicholas had set up his own “online persona” and “online organisation” and claimed a number of things that either could not be verified or were shown to be factually incorrect. When such things were pointed out he then went on to issue various emails that were considered by the recipients as falsehoods, harrasing, threatening etc.
This behaviour spread out to others after the mail list was closed.
You can read about it and some of Nicholas’s emails here,
I think we need a new term: Security Desearcher = a person that works to hide issues and push them back into obscurity
Judge Dadd • April 27, 2015 10:54 AM
Dear Andrew Wallace,
Sorry to hear that the economy has gotten so bad that M was forced to move into your mom’s basement with you.
Don’t let these mean old real security experts get you down, though. I’m sure the day is coming soon when you can proudly and publicly strut around in that Sam Browne belt, with some butch-looking armbands, maybe a few lightning bolts…..
(Oh. I’m sorry. Am I not suppose to pick them up by their ears like that when they pee on the carpet?)
Markus Ottela • April 27, 2015 11:09 AM
@ Thoth
RE: IR channel
I don’t really see the point. The original data diode used two visible LEDs and phototransistors. Page 7 of the presentation by Douglas Jones shows what I think is somewhat the optimal data diode components as it features no black boxes.
Switching to IR makes it harder to verify operation with bare eyes. I ran some experiments with IR optoforks but their switching speed just wasn’t fast enough. Using proprietary IR black boxes is yet another attack vector (I’m aware this includes optocopulers) into which covert tranceivers can be hidden; I hope Owl Computing Technologies has a high assurance way to verify the origin of chips used in their data diodes operated in one case.
With unlimited budget, I would combine these two: Parts would be similar to that of Jones’, and casing could borrow ideas from Owl with the difference, that Tx and Rx would be separated with inner metal wall that would have two, transparent EMI shield covered holes in it: visible spectrum LEDs would take care of transmission through those holes. I’ll make some fancy 3D renderings when I have the time.
The page 17 of manual shows the setup with RPis. It’s quite a hassle with separate batteries for display, RPi and HWRNG so I recommend sticking with laptops. Regarding casing, cheap injection molded cases might be better than plastic ones as they provide some shielding for the TCBs.
When you take pyhsical attack vectors to picture, the price of end point increases rapidly. You need TEMPEST proof cases for both TCBs, displays and peripherals. While not in use, you need to lock the TCB units to a safe. The safe needs to use physical and electronic key. You need to pour epoxy over the TCB and mix glitter nail polish to glue. This makes it more expensive to produce a duplicate. But then you need to take care of the protection of reference images taken from TCB units. As additional layers, you also need a way to protect the firmware of FDE encrypted storage. Otherwise malware might spread from there to host OS and pull the key back to firmware. We’re back in the cat vs mouse sector of security.
If the NSA bothers to task a close access operation team with their hidden cameras, SIGINT tools to get the keys / plaintexts, they’re not coming back empty handed. I welcome the discussion how users can protect themselves against targeted attacks. But. I’m sticking with my opinion TFC works only against mass surveillance. I make effort to show mass surveillance includes automated, untasked monitoring of end point devices with remote (zero day) exploits. TFC does what OTR/PGP can’t and for $300-600 user gets the security “They’re not seeing what I type unless they bother to task a team / TEMPEST drone after me.”
When the channels above make access to system easy, compromising smart card isn’t necessary. Unfortunately, we’re already at the edge of what users bother to do for their end point security. We could of course, sell custom fitting shields etc, but I’m afraid dealing with the interdiction problem is hard when the NSA injection molds listening devices to computer cases (Appelbaum). It’s hard to assure the customer what he or she picks up from the mail.
RE: secure backup
Indeed, the use of RxM is good as already stored information can not be exfiltrated during backup process. What you can’t protect against, is enemy who knows the system. RxM can always receive malware that wipes everything. So I’d recommend you operate a liveCD on RxM and receive files via UDP cast and fiber-ethernet converters. After that you compress and encrypt the files on RxM using TrueCrypt, and burn them on DVD-R. When you read data, use old DVD-drive with no burn capability. That way malware can’t destroy the files. I’m afraid if malware makes it to the DVD and starts destroying the files, you’ll have to wait until the vulnerability it exploits is patched, before you can reliably recover the data. Storing hashes of compressed files makes is easy to detect if data has been altered, assuming you could trust the authenticity of data at the point hash was computed. Ransomware isn’t probably going to compromise any OS you plug it into: I’m thinking 99.999% of the ransomware sleeping in backups can be dealt by recovering data using OpenBSD.
Benni • April 27, 2015 11:33 AM
@Petrov S: Probably BND does not tell anyone in a written memo what it is doing. For reasons of “plausible deniability”. The leading politicians then can say that they have never seen or signed any file or order on this…
Now the story got more precise:
http://www.spiegel.de/politik/deutschland/nsa-kanzleramt-und-bnd-unter-druck-a-1030873.html
BND informed the office of the chancellor immediately back in 2005 that NSA wants to put names like Eurocopter or EADS into BND’s surveillance systems. BND also informed the german government that “these attempts were successfully stopped…” BND noted that the united states will continue to spy on the german economy. “this can not be prevented”.
It turns out that the idiots at BND have searched the NSA selectors just for german phone numbers or email adresses with .de . Only after Edward Snowden published his files, a BND agent searched the selector lists by his own and immediately found 2000 keywords directed at german policicians or the economy. The agent then just informed his Boss at BND, who did not inform the office of the chancellor.
Only after the NSA investigation comission asked whether they could have the selector lists, a more torough search was done and 40.000 keywords that did not have anything to do with terrorism were found.
The agent who searched through the selector lists will be publicly questioned at the NSA investigation comission this week.
albert • April 27, 2015 12:14 PM
From the Better Late Than Never Dept.
.
@Bruce,
Kudos! I just finished ‘Data And Goliath’. Well done!
.
@Everyone
I can’t recommend this book enough. Bruce does a skillful job in presenting the technical issues in an easy-to-understand way. You all can assure your families and friends that this book will help them understand the issues involved, and (hopefully) appreciate the dangers we’re all facing in this world of unlimited data collection.
.
…
Petrov S. • April 27, 2015 12:18 PM
@Benni
Probably BND does not tell anyone in a written memo what it is doing. For reasons of “plausible deniability”. The leading politicians then can say that they have never seen or signed any file or order on this…
Good observation.
a BND agent searched the selector lists by his own and immediately found 2000 keywords directed at german policicians or the economy. The agent then just informed his Boss at BND, who did not inform the office of the chancellor.
The mixture of political and economic espionage is a bad thing for the americans to be caught in. Will Germany pursue openly to expose this. Is this a string leading to something worse.
If American intelligence is in economic espionage then their hurt point is who are they giving that to. For China this is not a question. For America this is very illegal on many levels.
If NSA helps Boeing, NSA works for Boeing. Not the american people. Non-elected officials can get money from Boeing. Laws are vague and weak.
Political espionage evidence hurts relations with the target country. Political espionage domestically is an attempt at subversion of the state.
Political espionage abroad is strong motivator for angry patriots to dig deeper and expose what has long been accepted and profitable.
And motivator for politicians to win public support. A political landfall, goldmine.
Does NSA help Microsoft? Does Microsoft pay NSA for this. How does Apple feel about this? How does all of the other competitors feel about this? How do all of the small and large business owners and investors feel that the NSA is helping some companies and not others?
But this sorts of crimes can be well hidden. The finances are normally there, though, if it is big. Who is willing to dig into finances.
It is funny. Many traitors have been missed because no one perform good financial analysis. You would think law enforcement and intelligence would really want to see which employees are wealthy.
Individuals may hide money in cash and other material off banks. One may. Two may. Fifty, a hundred? There will be severe mistakes.
Higher ups feel immune. There is little regulation. They are smart but lazy.
OhYeah • April 27, 2015 12:59 PM
albert said, “Wasn’t there already an undercurrent of anti-Jewish sentiment across Europe at the time? This is what the Nazi propaganda built on. There’s a similar undercurrent of anti-Muslim sentiment, world-wide, today. Y’all can connect the dots.”
Absolutely. Fear of Russia was another contributing factor…
Andrew Wallace • April 27, 2015 1:13 PM
Nicholas Lemonias was merely
“The straw that
broke the camel’s back.”
http://seclists.org/fulldisclosure/2014/Mar/332
I was the main complainer about the conduct of those on the mailing list and the lack of action to delete smears over a number of years since the mid 00s.
Once John realised the smears were starting again with a completely seperate person he decided enough was enough.
Andrew
name.withheld.for.obvious.reasons • April 27, 2015 3:04 PM
I have many e-mail addresses that I use for various reasons. Several business only addresses, several public e-mail addresses, and a few single purpose e-mail addresses. Well I just received two virus laden e-mails on one of my single purpose e-mail addresses, and none of my single purpose e-mail addresses receives any spam…they are generally not discoverable. Just wanted to give a shout out to the community that as I see this as a targeted attempt to breach my system(s).
steve37 • April 27, 2015 3:27 PM
I subscribed to the Fulldisclosure@seclists.org
and they sent the password in clear text back.
name.withheld.for.obvious.reasons • April 27, 2015 4:31 PM
A couple of quick notes about NSPD-54/HSPD-23 released under FOIA (case #58987) with DOCID 4123697…
All of the paragraphs marked Secret, Secret/Non-Foreign, and one marked TS are improperly marked. You can tell that their is a perception problem that is part of the document mark-up process. For example, under the Definitions section (marked paragraph 7) that item (a) and (b) are marked as secret, here is the text from these sections:
(a) “computer network attack” or “attack” mean actions taken through the use of computer networks to disrupt, deny, degrade, manipulate, or destroy computers, computer networks, or information residing in computers and computer networks; (S)
(b) “computer network exploitation” or “exploit” means an action that enable operations and intelligence collection capabilities conducted through the use of computer networks to gather from target or adversary automated information systems or networks, (S)
…
(d) “cyber incident” means any attempted or successful access to, exfiltration of, manipulation of, or impairment to the integrity, confidentiality, security, or availability of data, an application, or an information system without lawful authority; (U)”
Furthermore, the scope of “authority” under the National Infrastructure Protection Plan includes the widest definition, beyond the scope of previous disclosures, which states (paragraph 15, item d):
“…owned or operated by Federal agencies, local, and tribal governments; private industry, academia, and international partners. (U)
Benni • April 27, 2015 4:34 PM
Petrov S. wrote:
“If American intelligence is in economic espionage then their hurt point is who are they giving that to. For China this is not a question. For America this is very illegal on many levels. If NSA helps Boeing, NSA works for Boeing. Not the american people. Non-elected officials can get money from Boeing. Laws are vague and weak. Political espionage evidence hurts relations with the target country. Political espionage domestically is an attempt at subversion of the state.”
Well, they actually admitted to work for the industry:
http://www.heise.de/tp/artikel/7/7747/1.html
http://www.heise.de/tp/artikel/7/7749/1.html
http://www.heise.de/tp/artikel/7/7743/1.html
http://www.heise.de/tp/artikel/7/7752/1.html
“In 1969, economic intelligence was made a U.S. national intelligence priority. According to Gerard Burke, the former Executive Director of the President’s Foreign Intelligence Advisory Board (PFIAB), the board recommended that “henceforth economic intelligence be considered a function of the national security, enjoying a priority equivalent to diplomatic, military, technological intelligence”.[10] Prior to working for PFIAB, Burke had been Chief of Staff for NSA.”
“according to a 1992 study by an intelligence insider, during Admiral Turner’s tenure, the “CIA routinely held briefings at the Commerce Department for U.S. corporate bigwigs”:
“About 40 percent of the requirements that were approved by the President are economic, either in part or in whole. They deal with questions in the whole arena of information needed to level the playing field.”
The operating arm of the new, co-ordinated trade campaign was an “Advocacy Center” established inside the Department of Commerce. According to its web site, the Centre provides “coordinated action by U.S. government agencies to provide maximum assistance in a case […] The Advocacy Center is at the core of the President’s National Export Strategy, and its goal is to ensure opportunities for American companies”.[33] The Centre says of itself:
Since it’s creation in 1993, the Advocacy Center has advocated on behalf of U.S. companies in the aerospace, infrastructure, energy and power, environment and other industries. We have a variety of success stories as a result of our advocacy efforts, showing the various ways the federal government supports U.S. companies in their efforts to secure contracts overseas. Its methods were and are wide ranging:
Assistance can include a visit to a key foreign official by a high-ranking U.S. government official; direct support by U.S. officials (including Commerce and State Department officers) stationed at U.S. embassies; and coordinated action by U.S. government agencies to provide maximum assistance
Jonas Silver • April 27, 2015 4:56 PM
@Andrew Wallace
Andrew, so you are in your late twenties now, and did not make it into law enforcement but remain a full time defender and informant. Have you been trained or self-trained in ‘how to be an informant’? I think your stance is ‘no’. You have not been trained, nor have you been self-trained.
Are you getting responses from the leads you are providing?
As you are not talented in establishing rapport, much less deceptive capabilities required for going undercover, I think you are not getting responses for leads you are providing because the leads are of no value.
Your situation is uncommon, however not if one contrasts this sort of behavior to ‘stalkers’. Simply stalkers usually target a singular person, as opposed to organizations. They act as if they are ardent admirers who are secretly loved in return. But on some level they know they are not loved in return back. So unconsciously they walk a tightrope. And sooner or later they fall from that tightrope.
They would experience intermittent severe anger and depression because they do fall here and there. But, that is not the final fall when their admiration turns to deadly rage.
I am not stating this to mock you nor to push your buttons. I am stating this because you have a chemical imbalance and are requiring medication and counseling. Where are your parents? Have you disconnected with them or do not update them on your behavior? Have you grown angry at them and insist that you feel better without medication?
You know this is true. I am certain you have already received counseling and psychiatric diagnosis.
I am also certain you have had problems with your neighbors. Likely this has required police intervention. You felt you were strongly in the right. But you have problems getting and holding jobs. And it seems everyone is against you. Who can you cling to? Someone who is “something”, organizations, who will ignore you, and so not ever truly reject you.
You did not get much attention when you were younger so you are accustomed to the value of getting negative attention. That is what you get from these socializations. Negative attention, instead of positive attention.
With proper medication you could get positive attention, a solid job, and maybe even some sort of security work. But without it, nothing will work for you. It is that simple. Nothing works. Right or wrong, the meds are what you need to get your life on track.
Andrew Wallace • April 27, 2015 5:20 PM
Jonas Silver,
You must be analysing smears on the internet that you have misinterpreted as me.
Many were deleted by request but many remain on mirror sites from the original mailing list.
Andrew
Petrov S. • April 27, 2015 5:35 PM
@Benni
This is my opinion on why this is not exposed nor major media.
henceforth economic intelligence be considered a function of the national security, enjoying a priority equivalent to diplomatic, military, technological intelligence
Problem can be definition. Like with political intelligence. It is lawful for intelligence agencies to gather and collect open source date on foreign nations political and economic environments. Journalists do this. Governments want to do what journalists do but better. That is very important for them.
What we are discussing is very different. But the terms get confused by people. That does not help exposure.
About 40 percent of the requirements that were approved by the President are economic
I googled that and there are three returns.
according to a 1992 study by an intelligence insider
Anonymous sources without hard evidence are not strong sources. It is their word against everyone else’s word. Nothing on paper. Nothing on file. Digital evidence. Paper evidence. Multiple sources whose identities and so authority is validated.
Validate, validate, validate.
Since it’s creation in 1993, the Advocacy Center has advocated on behalf of U.S. companies in the aerospace, infrastructure, energy and power, environment and other industries.
Plausible.
CIA routinely held briefings at the Commerce Department for U.S. corporate bigwigs
Plausible.
Plausible is not sufficient evidence. Plausible is maybe. Plausible is “it could happen”.
Sources have to be many and with authority. Evidence has to be strong. Evidence has to persuade those who do not want to believe. Evidence has to be strong enough that nothing can be covered up anymore.
These are not criteria for a major story.
Not yet. It will be. If it is widespread it will be much bigger then these.
What is there is a suspicious situation. This happens often and gets covered up.
China has been caught doing this. This does not cause too much problem. There is no explanation, “What companies get that data”. China is far away and known to be bad. Nobody knows nobody cares.
England or Germany? US?
US especially. They are making so much money. And they are cheating? They are assuring that Europe can never beat them at anything? What would be to stop them from undermining the european competition? Decimate accounts. Organize failures. Lose money. Instead of using the surveillance behemoth for terrorism, they are using it for piracy and that against their strongest allies?
Many do not even know who Snowden or Manning are. They do not care.
So they are over zealous against terrorism. 911. What else is new?
No corporations anywhere can compete against the unfair advantage of a nation state level intelligence aimed against them.
The BND and Germany are showing some evidence of this. But I do not think they will pursue. Too much money and too much power to lose.
They will stay to a little information. Whispers, innuendo, suspicions. I hope not. I am surprised by this past week’s story finally coming out. After covering it up.
For years.
I would be very mad and very suspicious if I were German.
I hope enough are and will dig.
Petrov S.
Jonas Silver • April 27, 2015 6:16 PM
@Andrew Wallace
No, kid, it is because of your behavior. It is you. It is not them, it is not me. Own up to your own words and actions.
But you can not. Because that is a symptom of narcissistic personality disorder you suffer from.
https://www.google.com/webhp?sourceid=chrome-instant&ion=1&espv=2&ie=UTF-8#q=narcissism
extreme selfishness, with a grandiose view of one’s own talents and a craving for admiration, as characterizing a personality type.
As for problems at home and such, this is just noticeable from your behavior and is what is going to happen with these disorders.
Maybe you have avoided seeing a psychiatrist. Narcissists definitely try and avoid that. Probably not. Strongly unlikely you have a social life. Narcissists are very anti-social, obviously. You probably blame others for your lack of a social life. Your reality and reality have probably converged in a major incident requiring police intervention. Probably. Maybe not. Why. Because your disorder is highly delusional, anti-social, and if pushed you would act out.
FYI, sure, I could go and post on a surgeon’s forum and tell them how it is without bothering to study at all. When they disagree and attack me over and over again as I spiel out erroneous facts to them and express I know so much better then they do… I could point out that they are simply thinking incorrectly, I am correct, and that they are smearing me.
I could post on some religious or political forum which belongs to the belief systems I disagree with and do that all day — then act surprised when people are against me. What? They do not see me as the expert? They do not bend to my superior vision? They find my refusal to try speak from their viewpoint bad? What is this? They are attacking me. They have a problem. Not me.
But… why…? And this is what you are doing. Which I explain more to the crowd then to you so people will be informed about your condition and not mistake you for an intentional troll.
You have a disease.
You need help.
Andrew Wallace • April 27, 2015 6:39 PM
I’ve worked out what Jonas Silver is doing.
An intentional, premeditated effort to undermine an individual’s reputation, credibility, and character.
Tactics differ from normal discourse or debate in that they do not bear upon the issues or arguments in question.
An attempt to malign an individual with the aim of undermining their credibility.
Often consisting of ad hominem attacks in the form of unverifiable rumours and distortions, half-truths, or even outright lies; often propagated by gossip.
The tactic is often effective because the target’s reputation is tarnished before the truth is known.
It is effective in diverting attention away from the matter in question and onto the specific individual.
The target typically must focus on correcting the false information rather than on the original issue.
Tactics are considered by many to be a low, disingenuous form of discourse; they are nevertheless very common.
http://en.wikipedia.org/wiki/Smear_campaign
Andrew
James Clapper • April 27, 2015 6:47 PM
Wait a minute: no connections nor knowledge, delusions of grandeur – No need for work experience, No need for doing homework, no need for following logic? Diseased mind? Delusional?
Sign that man up, he’s a natural for ODNI!
Clive Robinson • April 27, 2015 7:00 PM
@ Nick P, Thoth, Wael, and others,
You might find this of interest,
https://threatpost.com/fully-secure-systems-dont-exist/112380
It kind of reminds me of the story of the French King, who supposadly scratched a message on a glass window with his diamond ring that effectivly said “The more things change, the more they stay the same”.
Whilst I don’t disagree with Adi Shamir’s laws, I think trying to understand the why of them is actually quite instructive, and will thus provide more secure systems.
With regards the second law of “working around crypto”, this would be expected under the “low hanging fruit principle” that gives the “chain is only as strong as the weakest link”. Well there are ways around the “weak link” issue as I’ve mentioned in the past and these can be applied to systems with a little thought and care, as well as adding mittigation (a chain breaking is only important if the load it is holding becomes damaged by the chain breaking).
However what ever you do there will always be a “lowest fruit” –see first law– the mitigation to this is to “put it out of reach” either in it’s own right, or more importantly in comparison to other fruit.
Which bringscus to the third law which is the exponential cost of finding and removing the next bug. Of the two the second option of raising your low hanging fruit above your competitors is by far the cheaper option, and whilst it will work against “general attacks” it probably won’t work against “directed attacks” which takes you back to non “chain” / serial design and mitigation.
However this third “cost law” has a “flip side” whilst the cost of finding and fixing bugs rises as a power law for “chain” systems the cost of finding and exploiting bugs rises at a slightly higher power law for the attacker of such “chain” systems. Which gives rise to the notion of the first law, as well as “State level attackers will have the resources to break any system”.
Whilst the first law of systems will always have bugs is true, the notion of State level attackers will always have the resources to exploit them is provebly untrue as Crypto has shown.
However there is a more interesting realisation of “sweet spots” when you move away from designing “chain” systems, which you can see this with safety systems in amongst other things cars.
But to see this you need a historical perspective, back in the Victorian era the design of steam engines was artisanal and of the “When it breaks, make it stronger” mentality. Or to put it another way “bolt on more iron”.
It’s easy to see two things from this, firstly the Victorian “chain” design of engines means they will become exponentialy more expensive to build and run, and eventually fail under their own weight. Secondly the Victorian “artisan” aproach is very much how the software industry works currently and has done since before Adi Shamir formulated his laws.
It’s also the way the automotive industry used to solve the car crash problem, only they quickly hit a brick wall due to the “squishy nature of humans” and E=M.V^2. Without going into all the ins and outs of it they realised that they “chain” design of cars had reached a point where it could no longer be cost effective. So they instead used multiple chain or parallel design instead. Whilst initialy more expensive the price rapidly dropped whilst safety kept (and still does) rising. The trick was only to take each component so far up the exponential curve, then mitigate it with other simpler lower mass components. That is the resulting product was far greater than the sum of the parts as the “sweet spots” were found.
The problem with this approach and software is that untill the past decade, Chuck Moore’s law was “keeping the wall at bay”. However the hardware people have got to the point where “chain” design is exponentialy to expensive, and the optomisation of the chain has gone about as far as it can cost wise. The initial solution was to produce parallel designs of these optomised chains. But likewise they have gone about as far as they can. Which gives the current “design lite” of the likes of the parallel RISC systems, significant cost savings over the parallel CISC systems, not just in manufacture but operation as well. That is the hardware “sweet spot” moves with each change.
Unfortunatly the software design process is still very much in the land of the “chain” artisanal design process based on “serial thinking”. Untill this stops the costs will continue to rise exponentially as the only solution is ever more expensive serial optomisations, without “sweet spot” oportunities to pull back down those exponential curves.
As I’ve frequently stated there is the issue of “Efficiency -v- Security” where the general case is the more efficient you make any given system the less secure it is. The special cases are where considerable very costly effort well up the exponential cost curve has been applied to mittigate the security issues, usually by applying extream limits on functionality. Thus the “special cases” are almost invariably single function non general purpose designs that can not leverage COST solutions. Which makes them overly optimized inflexible and of very limited use and thus life expectancy, and not the way we want to go with design processes because they are also “extreamly brittle” systems.
Thus we need to design secure systems in new ways to get not just security but robustness and lower costs as well.
MarkH • April 27, 2015 7:15 PM
MY 2 CENTS (OR, IN DEFERENCE TO OUR UK FRIENDS, 2 PENCE)
As a long-time reader and contributor of numerous comments, I’m troubled by some of the responses to the commenter I shall designate AW (the person participating under the name “Andrew Wallace”).
Also, I’m grateful to the moderator for rejecting a call to ban AW.
I remember that in recent years, someone came into the comment threads advocating a point of view not altogether dissimilar to that of AW, who was banned within a matter of days. That banned commenter seemed intent on provoking fights, and in particular played the slovenly game of distorting the arguments made by other commenters (attributing to others fabricated straw-man arguments they had not asserted). It was for such misbehavior, NOT his opinions, that this earlier commenter was banned.
In the AW comments I have read, the tone is consistently civil, even when responding to others who have been much less so.
Quite a lot of us seem to share to some degree in several attitudes, for example skepticism toward powerful institutions, and a general bias towards liberty when balancing questions of state control.
Of course, it can be pleasant and reassuring to join in a community with others of sympathetic views. However, it is most unhealthy to reject those who challenge such consensus — I am sure the world doesn’t need another “echo chamber” of opinion. If a statement seems wrong to me, I can debate it with reference to fact, reason, particular notions of value, and the like. This process can help me to understand more deeply why I take the positions I do, and whether my premises are doubtful or mistaken.
Ad hominem is a failure of argument.
In particular, the highly personal focus and provocative character of two preceding comments here by “Jonas Silver” are far out of court, and have no place in a forum intended (as I believe this to be) to support the search for truth, and the analysis and discussion of ideas, problems, and solutions.
Armed with the courage of conviction, I need not fear dissent.
Jonas Silver • April 27, 2015 8:40 PM
@Markh / Andrew Wallace
In particular, the highly personal focus and provocative character of two preceding comments here by “Jonas Silver” are far out of court, and have no place in a forum intended (as I believe this to be) to support the search for truth, and the analysis and discussion of ideas, problems, and solutions.
Bullshit. You know what “n3td3v”, google the guy. He is one of the most notorious trolls on the internet. This was a post of necessity. I hate posting on a person but in this case, the manner in which he posts demands it. He claims to be an informant. He makes constant statements which he does not back up. He implies he has inside government knowledge. He claims he is intelligence, in fact. See below. He is not, he is a sociopathic narcissistic sadist.
He needs meds and counseling or he may end up on a rampage. This should be said. He is not a troll, he is a sick person who can not help himself and needs counseling.
http://seclists.org/fulldisclosure/2009/Jan/356
https://www.google.com/webhp?q=n3td3v
His own words convict him worse then what anyone else could say.
Andrew Wallace:
I have always been the person to collect intelligence on the hackers and pass them to the authorities, this all started when I was 18 on Yahoo where I got to be friends with many folks involved with protecting Yahoo’s security and passed them important intelligence about what was going on.
Andrew Wallace:
As i’ve grown up since I was 18 my interests matured now I hope to get into a proper intelligence agency such as MI5 to continue my work as an intelligencer in a professional capacity.
Andrew Wallace:
no longer do people need to wait for a tap on the shoulder to be employed. You can goto their web site and apply for a job https://www.mi5careers.gov.uk/ this is what i’m
going to do as well.
Andrew Wallace:
My mailing list that I formed doesn’t have many active posters on it as the membership base is likely to be intelligencers like me leeching the information that various people post on, like full-disclosure the majority of the list never talk the same happens on n3td3v mailing list group.
Andrew Wallace:
If you want to alert our community of something thats going on you can, because the right people are subscribed: government, business and academia.
Andrew Wallace:
We may not talk but we are listening.
“We”? Andrew Wallace? Delusions of grandeur. Get some help. It is a chemical imbalance.
Enough said on the subject from me. This attention probably will send him into a frenzy of posts designed to get more posts all about him. He loves that attention, even though it is negative.
He literally does not know how to get positive attention.
rgaff • April 27, 2015 8:42 PM
There’s nothing wrong with “low hanging fruit” when the lowest one is waaaay the heck up there…
So let’s make that happen.
Figureitout • April 27, 2015 8:43 PM
Thoth RE: adding IR channel to TFC
–Agree w/ M. Ottela, while fun to think about, that could be a feature anyone can add on their own system if they want to, it’s the beauty of open source (I’m going to try (means I’ll fail somehow almost 100%, but at least learn how not to do something) to layout the HWRNG better (I’ll readily say I’m not prepared design wise, I’m gonna fck something up…) and shield it “good enough” barring insane energies penetrating (I’ll state now, and probably will later, the designer (who documented the design of the circuit magnificently, and I’d feel pretty comfortable using what he engineered) stated this was the first time he’d made an PRNG circuit.), and show a nice module for it w/ *FULL instructions, spoon feed people who need some gerbers before chewing celery); but adds work where one stated goal is EMSEC, and you literally have to be in the room or touch the hardware or ride in via the power lines to get a way in. The optoisolators themselves are have “LED’s” in them, except it’s tucked in a nice dip package that could contain a sizable amount of memory.
Markus Ottela RE: old CDROM’s
–Good point, before I blew up a mini-ITX computer messing w/ wifi PCI cards tear drop I was able to boot up via CD on this computer via IDE w/ an old harvested CDROM; the PC had a nasty malware anyway that I was trying to coax out. I love being pleasantly surprised by these 20+ year old complex devices still work, but their firmware is probably crusty and nasty (not that newer devices are any better, just way way more to do basically same thing).
New file() utility in OpenBSD
https://bitbucket.org/braindamaged/openbsd-src/commits/c421de15c47394de1ea2478edc0aa2c941aab2f8#Lusr.bin/file/magic-load.cT884
–Cuts out quite a bit of risky hacks (as in, butcher cleaver cutting, not a scalpel. I thought I’d seen some truly nasty hacks, someone consciously did this and this was running in OpenBSD before…). I like cutting out some header files (just get what you need from the library if we’re going to be serious…).
While the new implementation reads “on a quick skim” much much nicer and keeps my heart rate down; still some trouble spots and some minor stylistic changes if we’re going to call this “the most secure, best C code in the world”. Nick M. may know how to code, but he doesn’t know how to comment; this isn’t your private hackfest on your PC, this is now public code going into OpenBSD and it’s disrespectful to not put in some comments in the more risky spots to save my time unraveling your hacks (there’s some stupid strings that don’t make any sense whatsoever) in my view (one spot he told us to “accept it for now”, no not good enough).
Now to some fun spots that scream right away:
–WTF?: https://bitbucket.org/braindamaged/openbsd-src/commits/c421de15c47394de1ea2478edc0aa2c941aab2f8#Lusr.bin/file/magic-dump.cT26
–WTF is this?: https://bitbucket.org/braindamaged/openbsd-src/commits/c421de15c47394de1ea2478edc0aa2c941aab2f8#Lusr.bin/file/magic-load.cT111
–What in god-loving fck is this sht?! No, don’t accept: https://bitbucket.org/braindamaged/openbsd-src/commits/c421de15c47394de1ea2478edc0aa2c941aab2f8#Lusr.bin/file/magic-load.cT165
–Ticky tacky syntax issue, do d_0 or d_zero, not d0, like l01 or l11ll1l1l1l as a variable name; just c’mon make it nice, some fonts make it extremely irritating to see the difference: https://bitbucket.org/braindamaged/openbsd-src/commits/c421de15c47394de1ea2478edc0aa2c941aab2f8#Lusr.bin/file/magic-load.cT415
–“hope for the best…”–How about no? When I do this at my work I get raped by bugs, it’s personal now w/ this one: https://bitbucket.org/braindamaged/openbsd-src/commits/c421de15c47394de1ea2478edc0aa2c941aab2f8#Lusr.bin/file/magic-load.cT884
magic.c and magic.h are the worst. Files like that make me cringe w/ the word “magic” sometimes. Our computers really suck that it requires such finagling.
Clive Robinson
Thus we need to design secure systems in new ways to get not just security but robustness and lower costs as well.
–That requires those trying not having their homes, tools, and minds attacked.
Software is “artisanal” b/c we have to work around hardware failures and programmers beneath us, their failures; otherwise you get MEGA FAIL and can’t even begin to think where the bug is and can’t even get something working. Real life isn’t like textbooks; it’s non-intuitive. Also, many colleges these days, if you don’t notice, are turning into research places that need to publish “novel work” to live just like some sort of “free market” competing for limited resources, and actual professors just unload their class duties to sh*tty associate professors and inexperienced TA’s that can’t teach. So tack that on your list too.
Wael • April 27, 2015 9:04 PM
@Clive Robinson, @Nick P, @Thoth, all,
You might find this of interest,…
There’s a lot to say about this subject… Later tonight…. For now, I’d say what Shamir listed is a small subset of “Principles”, and I don’t necessarily agree with all of them.
Nick P • April 27, 2015 9:08 PM
@ MarkH, Buck
Nice assessment. I had to pause here though:
“Of course, it can be pleasant and reassuring to join in a community with others of sympathetic views. However, it is most unhealthy to reject those who challenge such consensus — I am sure the world doesn’t need another “echo chamber” of opinion. ”
The question for me is, “what is a challenge and what is trolling/shilling/whatever?” One category of bad actors in online forums posts lots of short, unsubstantiated claims with no believable attempt to support them. These might be security claims that defy everything known about the topic (AW did several), pushing speculation benefiting one side as fact, or spamming newsbites in support of certain group/topic. Feel free to check out AW’s Twitter feed if you want to see a perfect example of the latter. Contrary to most INFOSEC pro’s feeds, I see virtually no INFOSEC discussion or even human interaction looking through pages of the feed. I would’ve believed it if someone told me it’s maintained by a bot.
“Skeptical” challenges the consensus most prominently. There have been others that did as well, in general or for certain topics. The blog was actually well-known and liked for it in the past. Such people typically assess the situation, present their claims, and often support them with some kind of evidence/argument. People that just repeat stuff or say anything to push a side aren’t really trying to have a discussion. Noting this when assessing whether their posts are trustworthy or beneficial isn’t ad hominem: it’s a standard practice in both journalism and intelligence work. Keeps people from wasting time or being deceived intentionally. I rate him E5 on a standard scale for source analysis. I can only imagine the people AW follows in his feed would come to similar conclusions after comparing the feeds/posts of many INFOSEC professionals to his.
So, the question becomes, do we note the bias or unreliability of a poster such as AW with possible references to that analysis in future comments demonstrating similar issues? Or do we keep treating his posts, including red herring or strawman defenses, like a typical newcomer trying to foster a real discussion? Or some other approach?
Note: I totally agree with you about how inappropriate and aggressive many commenters acted during his initial posts. We had nothing with which to judge his character or reliability at that time other than his feed. (Well, it does imply things as I noted…) Later data showed him to be unreliable and maybe even related to untrustworthy characters with similar posts. I wrote on that. I’m willing to consider changing my approach to him or similar posters in the future if our discussion gives me reason to. I’ll still consider him either unreliable or a fraud as far as INFOSEC experience is concerned based purely on the content of his posts so far.
Große Lüge • April 27, 2015 9:23 PM
@MarkH, you’re right, three cheers for tolerance. But there’s more to this than dissent. People gave Andrew’s facially absurd opinions a chance until it was clear he was incapable of defending them even at the Penn State nose guard F+ level. Consistent, coherent and complete ideas get taken seriously, others get rebutted, and some need to be diagnosed. The diagnosticians have amassed persuasive evidence.
As for civility, it’s routinely abused to police criticism of authoritarian statements like Andrew’s. The most manipulative and deceptive arguments here habitually harp on tone – it’s all they’ve got. Some discourse is ethically contemptible. Some discourse is risible.
Your kindness is commendable. But if you turn this place into Special Ed where everybody gets smiley-face stickers, it serves the interest of states like ours that cannot justify their actions.
MarkH • April 27, 2015 9:26 PM
@Nick P:
For those of us who frequently participate in the comments, I think that the problem is self-solving.
If (by way of example) a commenter shows a pattern of making assertions that are factually incorrect, or shows a failure to understand the concepts under discussion, or participates in dialogue without making reasoned or responsive argumentation …
… then the comments of that person fade into whitespace, n’est ce pas? AW’s comments are already invisible to me.
To give a (perhaps controversial) example, when Bruce makes a post that mentions personal firearms, we can confidently predict Very Many Comments that are anonymous, or with names rarely (or never before) seen here. Numerous of the comments in this category will be Furious Denunciations of things Bruce Never Actually Said In His Post.
My observation is that most frequent commenters don’t waste much time “getting into it” with such off-base commenters.
Nick P • April 27, 2015 9:40 PM
@ Clive Robinson
Let’s look at it point by point. 🙂
“First among the laws was this: Fully secure systems don’t exist now and won’t exist in the future.”
I think this is a meaningless statement. We both know security is always relative to what your protecting, against who, against how, and with an amount of resources on either side. There have been designs that held up well or still do against quite determined adversaries, ranging from endpoints to networks to protocols. This was even more true when the attacker wants stealth, as many spies do. Security measures making tampering set off alarms or leave a trail can work especially well. There have also been great physical security regimes in the area of vaults.
So, looking at what made it and didn’t, I think the truth is full security is achievable relative to certain threats if the threat and target are well understood. Our lack of understanding has contributed to more of the clever flaws than anything else. In systems, security often focused on tactics countering other tactics rather than the stronger method of designing in a way to preserve an invariant across a range of circumstances. The Correct by Construction and similar approaches gaining popularity are doing it the right way. I planned to post some recent work soon.
“Shamir’s second principle of security was that cryptography won’t be broken, it will be bypassed.”
He was half-right if I take it at face value: weak cryptography continues to be broken and strong cryptography is bypassed. Extra credit for him in that implementation and endpoint issues were so numerous that cryptography is rarely attacked. Yet, crypto algorithm and protocol issues continue to turn up. We still need improved methods for both designing such technologies and deciding on how to integrate them with applications. Again, there’s been a few exemplary works in this area recently.
“Finally, Shamir said that as he looked at the security landscape 30 years ago he saw the futility of trying to eliminate every single vulnerability in a given piece of software.”
This is where he, Geer, and i’s* old opinions were way off. Brian Snow was right: fundamentally secure machines need to be designed that make secure software easy. Many old system designers built that concept into their hardware. We’ve seen new hardware doing this, too. Existing approaches, if combined, can eliminate almost every kind of vulnerability at the programming level with relatively little effort. There have also been systems designed with near zero defects. So, we can achieve the goal of zero vulnerabilities in practice by hitting it from every direction: processes, tools, and so on to drive defects close to zero; hardware architectures that prevent the remainder from being vulnerabilities; software/system/distributed architectures to detect and recover from failures of the components.
Not only does Shamir seem wrong about this: reality has brought us so far from his statement that we are closer to its opposite than ever before. Truly an exciting time for high assurance security (or software) engineering right now. And then I remember those multi-billion dollar behemoths working to sabotage anything we build from within. The biggest threat to our designs is the one he didn’t see coming.
Nick P • April 27, 2015 9:56 PM
@ MarkH
Let me bring something up that I weighed into my previous post and seems wise to mention. One reason Clive and I often give detailed counters to false security claims here, other than blog tradition, is that we know there’s a large number of readers that rarely comment. Their skill in this field varies considerably. A presentable fake might mislead or damage quite a few. Any current or future readers of the comments will see the misleading comments followed by ours or any others debunking the statements with evidence.
So, let’s say we do that. Then, the behavior you mention becomes more obvious in how they interact with us. The remaining issue is: Do we start fresh doing this every time that same commenter plays the same game on a new topic? It seems like a lot of time and energy in a situation where the opponent prefers to wear/drown us out. The best even use a civil, patient style to do this. To accomplish one goal and prevent the other problem, my compromise was link to one spot where a debunking occurred anytime the same pattern repeated. Example below.
Warning: Individual X has was previously called out here for pushing provably false information, showing little to no expertise in the field, and using trolling tactics to derail actual discussion on the topic. Details here.
Thoughts?
re gun threads and commenters response to it
Good observation. Yeah, those threads are quite the circus. We just ignore them. They go away. Some are persistent across threads, though. That’s the kind I’m focused on here. The rest we should filter out as you suggest.
Note: My next reply won’t be tonight as I gotta get some sleep.
Figureitout • April 27, 2015 10:24 PM
Nick P
I think the truth is full security is achievable relative to certain threats if the threat and target are well understood.
–Which is slightly a “meaningless” statement too eh? At what point do you say you “understand”? No one understands our computers, nor the code running on them; they just put on “the facade” that they actually do. Is there some kind of “EAL” standard on that I’m supposed to trust? (Just challenging for better debate. And yes I curse like a sailor and get heated, gets people on their toes lol; when blood’s flowing fast to your brain you think faster).
RE: backing up security w/ “facts”
–Facts change, and aren’t always factual (practically never in security, b/c no one can design a system that remains secure indefinitely). I remember you recommending cryptocat when it shortly later came out to have a huge crypto implementation error.
Shamir had the balls to come out and say, even though he’s a crypto-god, that bypassing crypto is becoming more of a security problem than being forced to sludge thru crypto. Bypassing crypto is a computer security issue, not crypto. He hasn’t let his ego get too him even being a part of RSA to say that at his age; it speaks to his character.
Thoth • April 27, 2015 10:41 PM
@Nick P, Clive Robinson, Markus Otella
From what you mentioned about security being relative to whom you are trying to defend against, that means the mechanisms of simple and compact designs that are highly verifiable and provable would be one key point to make auditing security systems easy. Another thing is separation of executables and non-executables, control of data flow directions, inter-chip voting protocols, separation of domains and security layers …
There are a good amount of high assurance (not just high security/strong cipher) approaches that gives quite an edge to security systems designers. The usual ad-hoc system of security (code and think later) probably gave rise to what Adi Shamir had put in his principles.
Markus, do a search for Mils Electronics (Cryptomuseum as well) since they sell OTP-based crypto products if you need some OTP crypto ideas.
Buck • April 27, 2015 10:43 PM
@Jonas Silver
FYI, sure, I could go and post on a surgeon’s forum and tell them how it is without bothering to study at all. When they disagree and attack me over and over again as I spiel out erroneous facts to them and express I know so much better then they do… I could point out that they are simply thinking incorrectly, I am correct, and that they are smearing me.
…
It is a chemical imbalance.
You’d better be careful here, or you may find yourself wandering into territories that you have not studied and do not bother to think out as you should…
Psychiatry’s New Brain-Mind and the Legend of the “Chemical Imbalance”
I am not one who easily loses his temper, but I confess to experiencing markedly increased limbic activity whenever I hear someone proclaim, “Psychiatrists think all mental disorders are due to a chemical imbalance!” In the past 30 years, I don’t believe I have ever heard a knowledgeable, well-trained psychiatrist make such a preposterous claim, except perhaps to mock it.
Buck • April 27, 2015 10:47 PM
Copy & paste that link (or search for the quote). Apparently, if a referer header is set, it then redirects to a membership signup… :-\
Buck • April 27, 2015 11:03 PM
@Nick P
I’d rather not check out a ‘twit’ feed or ‘full disclosure’ mailing list! For that matter, nor do I care about the hearsay around these matters… The words here speak for themselves. If a commenter is incapable or unwilling to defend his or her refuted claims, then no further engagement is required in an esteemed forum of debate. Provide evidence of different viewpoints and ignore belligerence, but please do not stoop to personal assaults and name-calling! Furthermore, if you are going to call shilling/trolling into question, have you considered the very real possibility of a single entity engaging in both sides of the flame-battle..? That’s distracting enough, even without wasting our own words on the war!
mice • April 27, 2015 11:08 PM
Another yan
The worlds fastest computer..
Back in the hay-day I built a cpu completely out of capactors. The capactors were 10pF with on average three in series. The custom board a had about 0.001ohms linking the modules.
The capactors were powered buy 256-0–256volt in one volt steps, by arrangeing the capactors in a network, three to four capactor could implement add,sub function, the average speed of the function was the Time constant of a RC, which was about 0.001*0.000000000003F, about Thz speed
The hardest part was from dec to hex, to do binary logic, and second if statements.
Each function at the end had three caps, one side 256volt, then the ouput of the function, a second capactor, then the ouput which went to other function, then a third cap and then to -33volt.
Too be continued…
Figureitout • April 27, 2015 11:21 PM
mice
–Was it just to learn about how CPU’s work or did you use it for something? How’d you measure the speed? So, “the logic” built into the capacitors? And turn it off the data dies on them eventually?
mice • April 27, 2015 11:37 PM
Figureitout
I just wanted something that quick serially, the Pcbs are $400each and you cant put much logic on them, so it didnt go anywere that could be usefull.
The speed is a electronic constant, the resistance of the pcb track plus the size of the capactor, sets the speed in seconds, before the capactor voltage equals the supply voltage or signal.
To add function have three capactors in series, add a voltage to one end say 51volt, between the first and second cap, add the second input say 64volt, with the last capactor connected to zero volts, in bewtween the second and third cap, related to ground pontenial equals 115volt, ie adds the input..
The information would die after about a second, 51volt would drop to 50.5volt…and the data is lost or not the orginal data.
Jonas Silver • April 27, 2015 11:50 PM
@Buck
You’d better be careful here, or you may find yourself wandering into territories that you have not studied and do not bother to think out as you should…
🙂
“Chemical imbalance” is street slang. The definitions I used are also street slang.
DSM descriptors are that. They are models, but they should not be considered definitive.
Theoretical models are only useful insofar that they might have practical, repeatable results.
Consider the irony here. Am I a psychiatrist? No, I am not. So, who am I to be making professional sounding definitions on a forum. I am a Navy Seal! Joking. 🙂
I argue that a person should at least prove their experience and authority, but have I made pains to do this? I wish to remain anonymous. If I make assertions, on matter which is outside of my knowledge, I wish to be challenged.
I made one claim, that I am not interested in manipulation, but maybe I am one of those sorts who believe all communication is a form of manipulation. Maybe not.
How does the song go? ‘I cried, ‘who killed the kennedy’s’, when after all, it was you and me’.
Can we all not be this way? We should have a “hurrah” for the devil’s advocate viewpoint now and then, should we not?
Not to rankle up buzzwords that may turn on people’s defenses.
But how does anyone know who anyone is online, really? Maybe my entire tactic in approach was merely to bring about defensiveness, when my real suspicion is what is at play here is some manner of real intelligence agent seeking for some dirt on people? After all, maybe his claim to be intelligence is true.
Maybe, if I strongly deny that, I expect that the dichotomy of the lie to possibly bleed out?
Trickiness, deceptiveness? Perhaps. Or maybe just people being people, playing a game. Rolling the dice. Why else is anyone posting here — or anywhere? If the aims are too serious, I do believe one may have missed the point…
But what is interesting to me is how people think. Enlightenment rarely comes from going on the directions we are comfortable with, but on taking paths that are scary, and out of the way.
Communication often requires sacrifices of truth.
Buck • April 28, 2015 12:12 AM
@Jonas Silver
Yes, that sounds a bit more like the you that I’m accustomed to! 😉 Deceptive, manipulative, pompous, the teacher of psychiatry… The point was not missed by myself, but I also find it fascinating – good game gents!
(I could possibly agree that all communication is a form of manipulation 😉
Wael • April 28, 2015 12:36 AM
@Clive Robinson, @Nick P, @Thoth, …
The list of principles listed in this link are:
For the first one, he hasn’t proven that, or even given a heuristic argument to support the “principle” (using the meaning: fundamental truth.) Then again, that’s a broad statement which should only come from someone with omniscient powers. Can you really say Cryptography won’t be broken in 20 million years, or does “in the future” mean “in our lifetime”?
As for the second “principle”, this not a statement I would expect to hear from someone of Shamir’s caliber — someone that did the sort of Cryptanalysis work on attacking A5/1, or Worked extensively on differential cryptanalysis. There are other types of attacks such as: Cube attacks, Higher order Differential cryptanalysis, and, for sure, other publicly unknown methods. This statement (with all due respect, of course,) if he indeed said it, comes across to me as disingenuous. Besides, don’t algorithms get weaker over time?
Third principle, I agree to, and I on more than one occasion advocated “principle” based Security Design rather than “wearing the attacker’s hat” during the design stage… (links omitted for clarity 🙂 )
Vulnerability hunting and fixing is an important part of the security discipline, but it’s a never-ending task. Software is buggy. It has always been that way and will always be that way.
Well, that’s why there are new methods being discussed here… Hint-Hint, C-v-P, wink-wink…
@Nick P,
and i’s
You’re shi*t’n me! And I thought you were cured… 😉
Buck • April 28, 2015 12:44 AM
@Petrov S. & Benni
If American intelligence is in economic espionage then their hurt point is who are they giving that to. For China this is not a question. For America this is very illegal on many levels.
I’m not entirely sure what you mean about China… Perhaps you truly believe it’s really a purely communistic country without any self-interested parties, or maybe you’re just phishin’ here..? As for America, Russia, and most certainly others — there is at least one industry in which the unfair economic advantages of espionage are all too obvious…
Jonas Silver • April 28, 2015 12:51 AM
@Clive Robinson, @Subject of Attribution of Undercover IC Agents
For someone trying to “build an online persona” for what ever reason the “n3td3v Andrew Wallace” and the “twitter Andrew Wallace” personas have left quite a few pointers to a “meatspace persona”, wether that is accidental or deliberate is potentialy an interesting question.
As has been indicated on the Krebs site in the past with “SWATing”, “revenge porn” and “fitting up with drugs and worse” there are those online quite adept at realising the “meatspace” person of an “online persona” and making life hell for not just them but those around them such as fellow employees (hence my warning).
Further in the US there is legislation about revealing the identity of Gov IC Officers which “Scotter Libby” fell afoul of. If one of these “Andrew Wallace” personas is a “US government shill” as some have indicated, then trying to prove so could run into that legislation, especially under the current “whistle blower crushing” US President / Executive (not that I expect future US administrations to be more lenient in this respect in fact I expect them to be far far worse).
These are some very prescient comments, which I believe deserve some expounding on.
Valerie Plame was the case officer of the CIA who was outed. Who outed her? I am not sure. What was Scooter Libby indicted on? Obstruction of justice. Lying to federal officers. Perjury for lying to a grand jury.
Scooter Libby was not the source who leaked Valerie Plame’s name and job. The source did a very bad thing, according to US law and what is obvious, morally. Scooter Libby was the “fall guy” for this leak.
It can here be noted his first name is not his actual first name, but a demeaning nickname. One gets the impression he scooted around for higher ups. He was not really a person. He was a scooter. People ride scooters. They are not cars, they are laughable scooters.
The crime was Valerie Plame, as a case officer for the CIA worked undercover in foreign nations handling agents. By outing her, the leaker put in jeopardy all of the agents she handled in those foreign countries. Some might be tortured, some might be killed. And why? Because it served the political interests of the executive office.
Looking up the matter, an State Department official by the name of “Richard Armitage” actually did the leaking. ‘No one was charged for the leak its’ self’.
This is a very different system then the British system. In the US system, those who have clearance have strict legal constraints on the information they are entrusted with. Libby, while surely having high clearance, was not the leaker. But, he knew who the leaker was and conspired with others to hide this information from federal investigators.
In the eighties, we now know, there was a substantial “mole war” which went on between the Soviets and Western nations. Agents, moles, operating for Western nations revealed agents operating for the Soviets, and vice versa.
This got real people imprisoned, tortured, and killed. People who valiantly – in most cases – risked their lives to try and do what was in-arguably good.
Today, there are “IC” agents who operate online substantially. The nature of the war has substantially changed. Plausibly, there could be such agents who operate even on this forum. Why? One reason could be they are interested in collecting sci-tech assets. As sci-tech is the very nature of the new ‘lay of the land’ in global espionage, this is perhaps not even a secondary landscape or some far flung front. But it very well could be a very front of battle.
In days past, human beings – meatspace humans – were required for the front. Real files had to be taken out of complexes. Or tedious pictures had to be made of these real files. Agents or officers had to be in meatspace place to do their work. They could not take out terrabytes of data at a time. The very definition of information by such things as terrabytes did not even exist then.
It has always, however, been, an information war. Information technology. Information security.
Money, blueprints, intellectual property, battle plans… was paper. Now it is all “1’s and 0’s”. Birth certificates. Driver’s licenses. Work employment. Family history. Papers of incorporation. Monetary records. Family photographs. School papers. How did one prove someone’s identity? Personal references.
Death certificates.
Paper trails.
Now? It can all be invented and constructed in instants.
Or it can be deconstructed. It can be stolen. It can be replicated. What used to be the domain of spies, in terms of false identities, long since has been the domain of everyday people. Anonymity. “Catfishing” is not just a word of practices of identity duplicity for average people not even engaged in spying, but it is multiple television shows.
If you want today to take out the archives of a foreign nation, you need not rely on a disgruntled archived clerk (Mitrokihn), but you simply hack their systems and get it on a file and transmit it across the oceans.
Mitrokihn painstakingly copied by hand, with great pain and over many years, much of these very archives. Today? Well, if the US and Israelis can get into Iranian nuclear systems, probably the secret archives of just about any nation’s intelligence archives have already been well downloaded and transmitted — perhaps by bluetooth dead drops.
Concepts like “noc lists” of the cover names and real identities are a real thing, but also a matter of public fiction and speculation. What is real, what is false? Fictional media defines much of this. If it is in fiction, it probably is not real.
Back to the point: you mention a very scary possibility. Someone copying someone else, copying their writing style, imbuing their conversations with “accidental” clues to lead back to someone in “meatspace”. Maybe to put at risk not only the target, but also their coworkers, and their operations. All of which can be performed relatively anonymously and across shores and across national boundaries.
Meanwhile, intelligence agencies, while having such incredible powers also have incredible risks. Manning downloaded data unperturbed and posted it online. Snowden got probably more information on more secret projects then anyone has done before. Anonymous sources left and right can leak material to journalists with little concern for retribution or discovery. How much moreso might they do to adversarial nations?
The everyday person is aware that the new world of ‘no more secrets’ is already closing tightly upon them. While the governments of the world are often the instigators. And the corporations. Has anyone seen Continuum? A future world where corporations are the government. The difference will and is blurred. Invariably.
What happens when that same transparency comes to governments?
Maryland, btw, this very night is on fire. Maryland, the very state of the US NSA, the powerbase of the US technical intelligence services. Maryland, a major hub of the Navy, and so very close to Virginia, and DC herself.
I point to ‘Sneakers’, a movie I am sure all readers here of any note are very familiar with when I say ‘No More Secrets’. Maybe? That is a term we should dread. Maybe… our authorities and powers are not quite as beautiful as they present themselves with their proverbial clothes. Maybe, naked? They are considerably more dreadful, hateful.
Perhaps the future and the change it requires to get ‘from here to there’ is not such a terrible thing as “global thermonuclear war”, but if that transition is to even a much better place? Well, if this place is much worse then we believe it is – then we so badly want to believe it is – maybe that transition will be much more painful then we are initially willing to accept.
Wael • April 28, 2015 12:59 AM
Errata…
Then again, that’s a broad statement which should only come from someone with omniscient powers. Can you really say Cryptography won’t be broken in 20 million years, or does “in the future” mean “in our lifetime”?
This should have been put under the second principle. Regarding the first principle, I would have liked to see what Shamir’s definition of “Security” looks like.
I am typing this between root canals and an exceptionally heavy work load (hence the above screwup.)
@Clive Robinson,
I’ll end this post with a “cliffhanger”… I’ll have more to say about what I found out about a root canal and how it relates to security — I think you might find it interesting. Dammit, I should have flossed 🙁
Thoth • April 28, 2015 1:02 AM
@Wael, Nick P, H.A. et. al.
I think it should be C + P since neither C nor P alone would be capable of answering lots of security assurance questions alone ?
Wael • April 28, 2015 1:12 AM
@Thoth,
You got a point there! But if we add other constructs it may look like a quadratic formula — who knows what the future is hiding for us!
Jonas Silver • April 28, 2015 1:25 AM
@Buck
Yes, that sounds a bit more like the you that I’m accustomed to! 😉 Deceptive, manipulative, pompous, the teacher of psychiatry… The point was not missed by myself, but I also find it fascinating – good game gents!
(I could possibly agree that all communication is a form of manipulation 😉
I can neither confirm nor deny….
However, for our deep underwater entertainment tonight, I will present the following music video:
https://www.youtube.com/watch?v=Bx9WzKXEnyI
Little Red Riding Hood. Fact or fiction. Discuss.
NLP, “all communication is manipulation”. NLP, and by this I do not mean Natural Language Processing (which is also all so relevant for any such discussion online), but Neuro-Linguistic Programming was pushed onto me in my twenties. And other horrible sales crap, most people would very much prefer not to get into. Especially us technical introverts.
Computer programming, psychology, come on, what is not to like?
Sales, however, is a very traumatic field to push young people into. I actually was forced to do home improvement sales and worse, much worse.
Sales is all about information, I learned. We were con people. Traveling gypsies. Like “the Riches”. Horrible show. I watched it to help deal with my trauma. The sales agent is supposed to confirm the home buyer is a home owner. My dad, my boss, forced me to watch “Tin Men” and eventually, “Glenngary, Glen, Ross”, or however you spell it. Leads. All about the leads. Let us steal the leads.
He held out a newspaper and said, “Wanted by the FBI!”
Thanks, Dad. Who? At the time was Indian.
And he was actually really wanted by the FBI. At the time. Under that identity.
And some other identities.
Or? This is a very clever fiction. I have no dad. My dad is me.
It all can get very confusing.
Whatever the case, my pomposity is an act. It is a favorite role, guise. The Devil/Loki/Lucifer mask. Works very well online, but in person… meh, not so much. ‘The gods are playing a horrible trick on me’, ‘soul of a clown’ is more to the real self.
People are inclined to want to pop bubbles. Pomposity is a big fat fucking bubble.
I had a girlfriend once who would talk about getting a fat little baby and put it in icewater just to squeeze its’ fat. That is just way to weird not to be true.
Squeeze, squeeze, squeeze. She was thirty, I was seventeen. Maybe this was the late nineties or the sixties.
rgaff • April 28, 2015 1:25 AM
@ Buck
have you considered the very real possibility of a single entity engaging in both sides of the flame-battle..? That’s distracting enough, even without wasting our own words on the war!
This thought actually has occurred to me with regards to recent flame wars on here… I have seen this kind of thing happen in other online communities before. When it became clear that two separate personas were the same real life person, then we started looking at all the others that bolstered/supported their lies… and realizing that there were more that were the same person too. It was like a house of cards. 😉
In fact, who’s to say you or I or any of the rest of you are real… hello figments of my imagination… lol ok…
I’m not entirely sure what you mean about China… Perhaps you truly believe it’s really a purely communistic country without any self-interested parties
I think he was saying that everyone expects “communist” dictatorships to be evil, so nobody really cares when they prove themselves to be… whereas some people at least still expect certain other “democratic” countries to be benevolent, and have a cow when they’re obviously not.
name.withheld.for.obvious.reasons • April 28, 2015 1:54 AM
An article by Eben Moglen, The Guardian, 27 May 2014 06:00 EDT, titled “Privacy under attack: the NSA files revealed new threats to democracy” he states the following regarding a U.S. government responsibility:
“…you have a responsibility, a duty, to protect our rights by guarding us against the spying of outsiders.”
I disagree on two levels, the first is that treating everyone with a certain amount of disdain (and that is putting it lightly) is no way to confer confidence in our allies and friends of our intentions. Enemies of the state are a matter all together different.
Secondly, our structure of governance in the United States is born from the consent of an informed citizenry. The U.S. Constitution was written as a permissive rule set, only the enumerated permissions are valid and that the government is restricted by the 10th Amendment to the Bill of Rights from making stuff up related to U.S. Constitutional Law.
There are no derivative rights or powers given to the function of government…government cannot construe one thing to allow some other thing–that’s why the text states “The powers not delegated to the United States by the Constitution…are reserved to the States, or to the people”. This means statutes in law are both inferior and constrained by superior Constitutional law and it explicitly restricts legislative malfeasance. The 10th Amendment to the Bill of Rights of the U.S. Constitution does not allow for equivalency or interpretation–its purpose is to constrain both construct and authority.
For example, from Article 1 Section 8, “To establish Post Offices and post Roads…”, it doesn’t say establish “Post Offices, Pizza Parlors, and post Roads”. One could do the legal masturbation that the government is engaged in by stating the Constitution infers the need for Pizza Parlors as in post offices require attendance by personnel, and personnel, having to attend to the work of the post office, may from time to time need to eat, thus, the Constitution affords the government the right to establish Postal Pizza Parlors. This could be termed the “third party” pizza doctrine.
And lastly, the United States government does not protect our rights–they are constrained and excluded from encumbering them–the Bill of Rights is a restriction, a non-permissive set of rules, restraining the power of government. It does not grant the government the power to “protect” any of us. It in fact is more specific, the most sacred constitutional responsibility of government is to protect the idea of a democratic republic, unless of course we choose to cast it aside.
It is the maintenance of the Union of free people held together by the thread of law that is our charter. I don’t understand our charter to have been revoked, but, the U.S. government acts as if no such charter exists. It doesn’t matter what branch of government, the whole institution is compromised. Congress, the executive, and judiciary cannot operate outside the framework of the U.S. Constitution and demonstrate any level of fidelity to lawful stricture.
We are just as well to make stuff up in an ad-hoc, non-linear, and anarchist collage that could best be described as “social chaos theory” based on the dysfunction we suffer.
Jonas Silver • April 28, 2015 1:56 AM
@rgaff
This thought actually has occurred to me with regards to recent flame wars on here… I have seen this kind of thing happen in other online communities before. When it became clear that two separate personas were the same real life person, then we started looking at all the others that bolstered/supported their lies… and realizing that there were more that were the same person too. It was like a house of cards. 😉
In fact, who’s to say you or I or any of the rest of you are real… hello figments of my imagination… lol ok…
Well, Gobbles was a real shit head. That was a serious internet troll. Multiple people, of course, but there was a main player. He got into it, I heard, at Blackhat. Some Caucasus region dudes who had moved to Jordan and other regions, escaping the Soviet dictatorship.
Kind of like dissident Cubans.
Anonymous is another bad hacker group, though I sometimes think of them as less “Anonymous” and more “Ambiguous”.
Lulzsec was the real central power there, though, in their prime. And look at them. Sabu worked for the FBI while he hacked Stratfor and many foreign embassies. Who called them on that? Dice, Vice, Dailydot.
Vice is not government. Ever read their articles? A bunch of crazy sex crap. That is far from stodgy government work. More like Communists. Modern day Marxists who never lost their faith in Stalin.
HBGary was hacked by Lulzsec before the FBI took Sabu. That was the federal wing of the company which just had recently started to exist before then. The main guy was very distanced from the founders and took the blunt of the damage.
The “B” in that name is for Jamie Butler, head research at Mandiant Security. Ex-uber kin from the NSA.
Iran thinks the US has an earthquake raygun called HAARP. Maybe it creates tornadoes and hurricanes too. And can solve droughts. But California is suffering a serious drought. Is this like MK-Ultra, where they don’t give water where they can to protect super secret technology? Angels strumming their fingers and boom, weather disasters.
Patreus had to pay a 100K fine, so you know that was for real.
I looked up Albert Gonzalez and had problems with keeping that from the other AG, you know, the guy in prison. For hacking Target and all that. He is in prison. We know this because it was in the media and there are real people who were at the real trial who can testify all of this is true. Also, anyone can visit him or write him letters. Just like you can with Santa Claus.
A lot of top name hackers definitely never worked for the NSA as teenagers only to get kicked out for dick pics. No, they are felons with ridiculous records. And sometimes, names. Ahoy, pirates.
Not truth, but maybe useful thinking exercises? If there are to be a lot of circuses coming up, there may also be much bread.
Whatever that means.
Gerard van Vooren • April 28, 2015 2:32 AM
@ Wael, looking at your list:
1) Fully secure systems don’t exist now and won’t exist in the future.
Probably true. But that doesn’t mean the systems can be a lot safer. Having read some papers [1] again, these papers tell me we are doing it wrong today.
2) Cryptography won’t be broken, it will be bypassed.
That’s why the OS, not each application by its self, has to deal with the networking, crypto and authentication [2]. Simplicity is key.
3) The futility of trying to eliminate every single vulnerability in a given piece of software.
In order to bypass a large attack surface it is good to look at the bigger picture and have a root cause analysis.
Btw, a study granted by the EU concludes that: “EU should finance key open source tools” [3] (read the “part 2” document, esp $4.2).
[1] http://www.ethos-os.org/papers.html
[2] http://www.ethos-os.org/~solworth/petullo13ethosSimpleNetworking.pdf
[3] https://joinup.ec.europa.eu/community/osor/news/ep-study-%E2%80%9Ceu-should-finance-key-open-source-tools%E2%80%9D
FULL DISCLOSURE • April 28, 2015 7:13 AM
The truth about the full disclosure mailing list can be found here:
http://www.crimesandfraud.com/
This is the criminal guy Brian Martin who has been posting stuff about recognised professionals.
Brian Martin is friends with Google employees, and John. The vitriolic responses came after their collaboration. Fakes and Lies!
Brian Fartin • April 28, 2015 7:21 AM
The truth about the full disclosure mailing list can be found here:
http://www.crimesandfraud.com/
This is the criminal guy Brian Martin who has been posting stuff about recognised professionals.
Wael • April 28, 2015 8:27 AM
@Gerard van Vooren,
looking at your list:
Ain’t my list. This is supposedly Shamir’s list.
Cryptography won’t be broken
Oh, it probably will, but cheaper to bypass it through other weaknesses. Under some conditions breaking it will be the only possible attack scenario. And if what Shamir claims is true, then there is a lot of money and resources currently being wasted on “trying to break” it, including his own work. Or perhaps he has given up on mathematical methods and started liking “cooler” attacks such as acoustic side channel vectors.
Nick P • April 28, 2015 10:30 AM
@ Buck
Decent advice. The person posing as two sides I didn’t think about. Rarely happens here. I’d probably just have to double up on my refutation then haha.
@ Thoth
“The usual ad-hoc system of security (code and think later) probably gave rise to what Adi Shamir had put in his principles.”
Exactly. Reworded as “throw shit together and hope it’s secure.” Yeah, I would predict vulnerabilities from that process too.
@ Wael
Cured? of what.
@ Gerard van Vooren
I recall you were playing with the Go language and enjoying it. I found this link to a bunch of static analysis and quality tools for Go. I haven’t reviewed them but it’s the only page where they’re all together.
@ All re laws
Contrary to Shamir, Microsoft’s 10 Immutable Laws of Security are still true today. No doubt partly due to their own contributions to keeping them that way. 😉 They got a review later: Part 1 Part 2.
@ name.withheld
One gripe I have is that the government does protect our rights to a degree. The courts ability to punish attacks on our rights are a significant form of deterrence against that. The executive branch’s military provisions also protects our rights by keeping enemies from destroying the country. Congress protects our rights by ensuring laws are consistent with the Constitution. Finally, the people themselves protect their rights by punishing crooked lawmakers with anything from lost votes to bullets (2nd Amendment).
The problem is that none of these are doing their job. The result is a pseudo-police state that allows its citizens “privileges” until it determines a reason to take them away. I’m not loving the new “social contract.”
Clive Robinson • April 28, 2015 12:36 PM
@ Wael,
For the first one, he hasn’t proven that, or even given a heuristic argument to support the “principle” (using the meaning: fundamental truth.) Then again, that’s a broad statement which should only come from someone with omniscient powers. Can you really say Cryptography won’t be broken in 20 million years or does “in the future” mean “in our lifetime”?
I think we have had this or a similar conversation in the past.
I suspect Adi Shamir, has assumed that the explanation / proof is “self evident”.
It’s due to the following,
A, Known Knowns.
B, Unknown Knowns.
C, Unknown Unknowns.
Of specific attacks and classes of attack.
Arguably there is also Known Unknowns, which should resolve quickly to Known Knowns after suitable investigation.
Basically you can only write code that is secure against A and potentialy secure against B. By definition you can not code against C, thus the point that code will be insecure untill the coders become omnipotent which you deem to be unlikely if not impossible (and I can prove it is impossible if you want).
It is due to the above that crypto algorithms do weaken with time or as Bruce prefers to put it Attacks improve with time.
Which brings us to the second law and your comment of,
… There are other types of attacks such as: Cube attacks, Higher order Differential cryptanalysis, and, for sure, other publicly unknown methods. This statement (with all due respect, of course,) if he indeed said it, comes across to me as disingenuous. Besides, don’t algorithms get weaker over time?
Attacks on “well found” logic based crypto algorithms tend to be both time and resource intensive and for any given type of algorithm the work factor doubles up for every bit increase in block width or key width.
The crucial point is the “work factor” new attack methods reduce the work factor for any given bit size and thus weaken the crypto algorithm.
However it’s unlikely that a startling new attack will significantly reduce the work factor of a well found logic based crypto algorithm (mathmatics based algorithms could fail tomorrow if the likes of fast factoring are solved).
With the serial artisanal way most software is currently written with bug estimates as 1 in 5 lines of high level code finding non resource intensive ways to get around the crypto algorithm is probably going to be easier in most respects. Especially when the design of general purpose hardware has so many serial optimizations that either time or power side channels are almost guaranteed (hence my mantra about “Efficiency -v- Security”).
@ Nick P,
With regards Brian Snow’s observations, and for that matter my own work and that of current researchers, whilst hardware can make things more secure, it’s not the issue Adi Shamir is looking at. His third rule/law with regards software holds for human not technical reasons.
That is even if we do get improved hardware tools and methodologies, and use them –which is doubtful– for writting secure code, all that will happen is the size of the code will increase to bring the number of potential bugs/vectors back into the current range they are in.
The reason for this is fairly obvious to those who cut code in most “app houses”. That is writing actuall code is not very time consuming when compared to testing, fault resolving and maintanence of it which are….
Thus the coding “brick wall” is not cutting lines of code but ensuring that the number of faults overall is at an acceptable level. Any tool or methodology that reduces the fault rate will alow more code to be written which marketing/managment will insist on. Which means that the over all number of faults will still be at the “customer” / human acceptable fault rate (which generally does not change, much as you have frequently pointed out).
name.withheld.for.obvious.reasons • April 28, 2015 12:50 PM
@ Nick P
I beg to disagree (and agree, ironically), the cases you state, the courts for example, are charged with testing the constitutional efficacy of legislative statute and law. If a breach to the Bill of Rights, visa via the legislature and law, the courts strike down these strictures. The beauty of this is that if the courts are functional, the rights of the citizenry cannot be compromised. The reality though is quite different from the theory.
vas pup • April 28, 2015 1:32 PM
@all: Dear bloggers, please leave mental disorder diagnostics/labeling to licensed MD in psychiatry only as in all other civilized word; always argue with a point of view, not personality to avoid logical fallacies.
Regarding recent riot in Baltimore: does anybody still against police usage of drones with less than lethal capabilities? As India now on a path to. Logical posting related highly appreciated.
tyr • April 28, 2015 3:34 PM
For your amusement
http://fusion.net/story/125475/ai-weiwei-jacob-appelbaum-and-laura-poitras/
The new Tor browser is out.
Not perfect but at least someone is trying to do something.
I severely miss the olde dayes when a dispute in a newsgroup
was liable to get cross-posted to alt.usenet.kooks, as a
system it lacked perfection but tended to keep rational folk
in some semblance of order.
I recall that psychiatry used to be where people studied to
find out what was wrong with themself, graduated without
finding it, and became the go-to experts for telling the
rest of us what’s wrong.
The committee to investigate the claims of the normal hasn’t
found a single verifiable case of normality after many years
of diligent search.
I was quite bemused to see that GCHQ thought a movie about
Alan Turing would make people want to join up with the
government that drove him to suicide. Maybe they left the
end of his life out of the film.
MarkH • April 28, 2015 4:45 PM
@vas:
Hear hear!
Consider these qualifications:
• formal education in clinical psychopathology and related topics
• education and clinical practicum in psychotherapy
• currently valid certification and/or licensing to practice psychotherapy, issued by accredited professional organizations and/or government agencies of relevant jurisdiction
• continuing education as required by certification and/or license
• ongoing supervision by a qualified colleague
If you have all of these qualifications, then providing a psychiatric diagnosis and recommending specific therapeutic treatment to a person you have never met via a public internet forum is a gross violation of the standards of your profession, extremely inappropriate, and has no place here.
If you DON’T have all of these qualifications, then providing a psychiatric diagnosis and recommending specific therapeutic treatment to any person under any circumstances is absolutely inappropriate, and has no place here.
Wesley Parish • April 28, 2015 6:35 PM
And now for something entirely different …
(A drumroll, a blare of trumpets, the bleating of confused dogs and the yelping and whining of thoroughly terrified sheep)
Andrew Cockburn, How Assassination Sold Drugs and Promoted Terrorism
Having tartly informed DEA officials that their statistics were worthless, mere “random noise,” Rivolo set to work developing a statistical tool that would eliminate the effect of the swings in purity of the samples collected by the undercover agents. Once he had succeeded, some interesting conclusions began to emerge: the pursuit of the kingpins was most certainly having an effect on prices, and by extension supply, but not in the way advertised by the DEA. Far from impeding the flow of cocaine onto the street and up the nostrils of America, it was accelerating it. Eliminating kingpins actually increased supply.
[…]
Confident that the price drop and the kingpin eliminations were linked, Rivolo went looking for an explanation and found it in an arcane economic theory he called monopolistic competition. “It hadn’t been heard of for years,” he explained. “It essentially says if you have two producers of something, there’s a certain price. If you double the number of producers, the price gets cut in half, because they share the market.
[…]
Much of Rivolo’s work on the subject remains classified. This is hardly surprising, given that it not only undercuts the official rationale for the kingpin strategy in the drug wars of the 1990s, but strikes a body blow at the doctrine of high-value targeting that so obsesses the Obama administration in its drone assassination campaigns across the Greater Middle East and parts of Africa today.
Well, Now is the time for all good men to come to the aid of their party and get that classification revoked ASAP. It’s in everybody’s vital interests to have accurate assessments of state policy; it is in nobody’s interests, except of course the short term interests such as those that crashed the financial system in 2008, to have false and misleading assessments of state policy.
Wael • April 28, 2015 10:50 PM
@Clive Robinson,
I think we have had this or a similar conversation in the past.
We did, about thirty four moons and two days ago.
Basically you can only write code that is secure against A and potentialy secure against B. By definition you can not code against C
We agree, protecting against C can be achieved by adhering to principles.
thus the point that code will be insecure untill the coders become omnipotent which you deem to be unlikely if not impossible (and I can prove it is impossible if you want).
I don’t remember making such an argument, but I am still interested in your proof.
It is due to the above that crypto algorithms do weaken with time or as Bruce prefers to put it Attacks improve with time.
It maybe one reason but by no means the only one. When we – Royal “we”, this time – say crypto algorithms weaken over time, we are referring to the algorithm itself, not the code — it is completely independent of the code implementation (code is perfect, but the algorithm is discovered to have weaknesses.) — See bullet 8
Attacks on “well found” logic based crypto algorithms tend to be both time and resource intensive and for any given type of algorithm the work factor doubles up for every bit increase in block width or key width
Yes, although I am not sure about the blanket statement of work factor doubling for every additional bit. That maybe true for “good” algorithms. Take SHA1 for example: It was supposed to have a strength of 80, but after some researchers “weakened” it in 1995, its strength became 63 (too tired to look up the exact numbers.) Again, this has nothing to do with code implementations! It’s an inherent weakness in SHA1 and perfect code wont improve it.
However it’s unlikely that a startling new a […] factoring are solved
So we agree. Keyword is “unlikely” which apparently (I understood) that Shamir translated to “impossible”
With the serial artisan […] (hence my mantra about “Efficiency -v- Security”).
Yes — agreed.
Wael • April 28, 2015 11:01 PM
@Nick P,
Cured? of what.
“Cured” isn’t the appropriate word. I think I should have said: I thought you were rehabilitated from the “I’s” impediment. Do you have any idea what that means? 🙂
Figureitout • April 28, 2015 11:10 PM
mice
–Huh, I figured you just bread/perf boarded it. Use SMT caps then? I mean these tiny things you need a surgeon’s hand to use. On the speed, yeah I figured it was RC constant; just wondered if you actually measured something at THz speed.
A system like that could have (well, kind of does w/ live systems in RAM) security applications to do something then it’s not possible to retain the data on the device. I still like having a ROM burned into RAM that pushes out and takes command of the memory.
Cool stuff. I was going on a lot lately about designing my own PC w/ a Z80 chip. Well, firstly it was going to suck and barely have a command prompt and be able to program small programs; but I was like this kid lol, I wasn’t knowledgeable enough to actually design, not copy a design (and it wouldn’t stop there, for security I’d have to build it in house too, which would introduce more debugging problems as it’s not like normal development where you get some test boards machine-fabbed, w/ smooth sanded board edges), so I’m just doing smaller things again; which is cool b/c there’s always something to hack on. My oldest PC stopped booting again yesterday so ugh…I’ve got a bad feeling about it, like I’m extending the life of a goner… I kind of wanted to test some USB malware to see if it can still infect w/ no USB drivers for it. Still harvest its guts (nice CDROM, floppy disk drive, and power supply) but it was going to be the PC I’d put NASM and old-school assemblers on.
Buck • April 28, 2015 11:11 PM
@Wael
Nice reference you’ve got there… Plus you calculated the moon-count correctly this time too!! 😀
Buck • April 28, 2015 11:26 PM
@tyr
I recall that psychiatry used to be where people studied to find out what was wrong with themself, graduated without finding it, and became the go-to experts for telling the rest of us what’s wrong. The committee to investigate the claims of the normal hasn’t found a single verifiable case of normality after many years of diligent search.
Lolz! 😛 I’ve been wondering for a while… Has any patient in modern history ever entered a psychiatric setting and subsequently been able to walk out without a prescription slip?
Nick P • April 28, 2015 11:49 PM
@ Wael
” Do you have any idea what that means? :)”
I do. More than you know.
mice • April 29, 2015 12:03 AM
Figureitout
You dont need Smd,Smt capactors, you can make Pcb, so just use the copper tracks as capactors.
What are you planning to code in asm.
Wael • April 29, 2015 12:07 AM
@Buck,
you calculated the moon-count correctly this time
Of course! @Minty Frog convinced me that a moon is equivalent to a month. It’s still a debatable subject because a moon could also refer to one year (one October per year) according to @Figureitout, although it’s a different kind of moon 🙂 [1]
Buck • April 29, 2015 12:31 AM
@Wael
Oh, now I see… It suddenly makes perfect sense to me! 😉
Yeah, @Minty Frog beat me to the punch on that one. 😛
Thoth • April 29, 2015 1:23 AM
Apparently, and of course not unsurprisingly, the BND and 5Eyes Warhawks, have been spying on each other and everyone else and I believe some of you already have articles placed up somewhere in this 100+ post comments above.
I have always ranted out at “Nationalistic Security Hype” where someone claims their security products are made in XXX country and thus of “High Quality and High Security”. That’s a dangerous security hype and should always be avoided.
Now the evidences of Germans and 5Eyes collaborating together gets much stronger, it is pretty much more unnerving to procure security products from these collaborating countries (especially those with strong nationalistic hype on their products) ?
Figureitout • April 29, 2015 1:28 AM
mice
–I see, yes that um…makes me nervous about PCB’s, components hidden in their layers; also all the hidden “electrical effects” like unplanned inductors/capacitors (we’ve got an inductor that oscillates and spews out audible noise, it’s a problem in my view and also some regulator, again audible noise which likely has harmonics), but most importantly unintended transmitters or even worse receivers (opening a channel for fault injection, just bleh..)…you just got to see it happen to you before you get it, an errant signal from a power supply affecting measurements that need to be pretty precise (we were just confirming datasheet numbers). I have a hard time trusting any measurements now. Of course chips are much harder to check; basically impossible now.
In asm? The first bootloader startup code that “puts a tent out” and most importantly clears out all the memory so I control it from boot, initializes some other things I want (clocks). So a good memory prober that fails safely and doesn’t poke into where it shouldn’t. I’m leaning towards an MC68K chip at the moment b/c I like it and I’m used to it now but I need the toolchain which they don’t give away…That’s still a ways away though, but I’ll be happy if I can do it (and of course give out “hard spots” “tricks” etc.).
Wael
–Damnit, gets me everytime…too silly lol.
Andrew Wallace • April 29, 2015 5:06 AM
I’ve been to my doctor with the print outs and have been told there is no truth in any of these comments.
Andrew
Clive Robinson • April 29, 2015 5:49 AM
@ Andrew Wallace,
I’ve been to my doctor…
Oh dear, you realy know how to make people question not just you credability, but your judgment as well…
From what I can gather you are resident in England, and any one who lives here knows how the NHS system work especially potential employers…
For those outside the UK, nearly all mental health services in England have been cut back by more than 50% with many services compleatly axed, which is why the likes of MenCap and other charities have been raising huge red flags in not just their publicity but the media and House of Lords.
The current government has effectivly ringfenced what is left for the few existing patients in the system and armed forces personnel sufering from “post conflict PTSD”.
The various organisations representing GP’s have been raising their own red flags saying GPs are not qualified to diagnose let alone prescribe for mental health issues. Thus few if any GPs would make the statments that you indicate your “doctor” has.
This would indicate that if you did indeed see a doctor then in all probability they were not a normal GP, most likely it would be a mental health practitioner that you have an existing doctor-patient relationship with.
Further as the press and many others have indicated getting to see any doctor in England these days in anything under a week except for “medical emergancies” is bordering on impossible.
Thus your statment will come across to prospective employers as at best false…
Further these days even quite small employers do web based background searches on perspective employees, and as has been reported in the press there are specialised agencies that do background checks not just on the web but via other less public sources.
What I’ve been trying politely to tell you is that your comnents not just here but in other places are realy a case of “shooting yourself in the foot” whilst also “making enough rope to hang yourself”.
I think most would advise you that your current path is folly.
But at the end of the day it realy is your choice to make…
Andrew Wallace • April 29, 2015 6:11 AM
I can confirm I suffer from no mental insufficiencies that would affect the likelihood of passing or failing an advanced medical background check,
And have already spoken to a health professional regarding on-line comments.
Andrew
Andrew Wallace • April 29, 2015 6:36 AM
“What I’ve been trying politely to tell you is that your comnents not just here but in other places.”
You must be talking about the smears.
I’ve mentioned several times from the mid 00s where people used my username to impersonate me on Full Disclosure Mailing List.
These smears led to the closure of Full Disclosure Mailing List as the list administrator was bombarded with legal threats from various individuals.
You don’t seem to be understanding the situation Clive.
Andrew
@Andrew Wallace
“What I’ve been trying politely to tell you is that your comnents not just here but in other places.”
You must be talking about the smears.
Are you implying that you have been impersonated here now?
I ask this not to suggest that you missed part of Clive’s statement, but because your constant reiteration about how you shut down the Full Disclosure Mailing List, could be considered as you making a threat upon this forum.
I’m sure that is not what you’d want any potential employers / collegues thinking.
While I agree with the Bruce and the Mod, an alternative view to challange is worthwhile, this discourse regarding your past is ‘off topic’ (thou does remind us our online presence can leave a ghost in many forms).
MarkH • April 29, 2015 12:19 PM
Leave me or I’ll be
Just like the others you will meet
They won’t act as kindly
If they see you on the street
And don’t you scream or make a shout
It’s nothing you can do about
It was there when you came out
It’s a special lack of grace
I can see it in your face
Donald Fagen
Nick P • April 29, 2015 12:54 PM
This is an article on how Rust works with C and vice versa. The Rust team are doing excellent work at solving certain problems at the core of the language. This article shows several benefits:
Another article on Rust’s ownership system, used for pointer and concurrency protection. A different article pointed out that most work on making shared-state concurrency safer focuses on the state part. Rust applies their fix to the sharing part to eliminate race conditions. The result of the ownership system is most of the safety benefits of managed code with runtime performance penalty ranging from zero to low.
Good work, altogether.
Figureitout • April 29, 2015 2:08 PM
Good, really good paper found on /r/lowlevel on implementing a Unix-like OS in Rust. Thanks to Alex Light and CS Dept. at Brown Uni, cool project.
https://scialex.github.io/reenix.pdf
I’ll drop in this quote for the C haters on the bootloader (sect. 2.2) and difficulties w/ it in Rust:
One of the first challenges I had while writing reenix was getting the system to boot at all. Weenix (at the time I started) made use of a custom 16-bit assembly code boot-loader. This boot-loader, unfortunately, did not support loading any kernel images larger than 4 megabytes. This turned into a problem very quickly as it turns out that rustc is far less adept than gcc at creating succinct output. In fact, I was hitting this problem so early I was barely able to make a “Hello World” before having to stop working on rust code. Fixing this problem required rewriting most of the early boot code, all of which was x86 assembly. It also required rewriting parts of the build system to create boot disks that used GRUB17, a common Linux boot-loader, and changing the boot sequence to support the multiboot specification18. This, in and of itself, was not terribly difficult, though the fact that this was absolutely critical to making any sort of attempt to do this project does show that some of the simple hacks that are possible with C cannot be done with rust. With C it is perfectly feasible to keep even a moderately complicated kernel like weenix’s down under 4 megabytes, and in fact almost nobody has ever run into this limit during CS169’s history. With rust, however, this limit was blown through almost immediately. While it is most likely that this is more to do with the rust compiler’s optimizations (or lack thereof) than the language itself, the fact is that optimizations matter to any software developer. Rust’s relative lack of them when compared to more established languages must be considered.
Nick P • April 29, 2015 5:45 PM
@ Figureitout
A neat little project. Your gripe is that Rust, a language designed for modern 32-64bit apps, couldnt produce binaries small enough for a 16-bit machine. You also noticed a cross-platform assembly language with over two decades optimization can produce compact assembler. No surprises for either. Only thing that’s odd is that anyone expected Rust to work in 16-bit mode.
Root problem is that markets thirst for backward compatibility led to a situation where our mainstream hardware starts in 16bit mode so our DOS apps dont break. DOS apps we havent needed for a long time. And that the team started with that instead of a CPU that boots in 32-64bit mode with full hardware access. Might have made things easier.
Andrew Wallace • April 29, 2015 8:41 PM
“You need a new pseudonym.”
You mistaken the situation enitrely.
My name is Andrew and my name is Wallace.
Andrew
Figureitout • April 29, 2015 10:58 PM
Nick P RE: “my gripe”
–Can you quote that, or are you reading too much into nothing again? It was his words. It was a student/research project (and something I didn’t like was no “kill” function for processes, “they ran and stopped on their own volition”, so that’s a pretty big security and for me a user-control issue I wouldn’t want to hinder the end user like that), so I don’t think he necessarily expected it to run on 16bit, just research into if it could and noting something Rust can’t do b/c it’s too bloated and also that GCC has decades of work optimizing and giving better error messages.
Do you think it’s a good idea to learn about CPU’s w/ 32-64bit machines right away instead of simpler machines? Could that turn people into overly-reliant code cutters? Plus working w/ those constraints, is the only way you can appreciate the risky hacks where we are; we’re already spoiled enough as is. Some people think that they should start working immediately w/ the latest and greatest for experience; you can get that pretty cheaply now, barring using some super expensive “real engineering gear”. I say you won’t be able to handle the power…
And I think you can drill down a much deeper root issue w/ our computers; depends how “philosophical” you want to get. I say it’s b/c we don’t know how to do it much differently, thus computers become “backwards compatible” b/c we can’t make fundamentally different PC designs and if it’s a little chunk of code to be compatible for a selling point, “why not?”.
Booting into 32-64bit mode w/ full hardware access may be pretty insecure; I like the idea of having a malware that can’t even get access to other parts of a PC, or having to work a little harder and probably get caught trying. I know you’d prefer to download massive binaries from people “you’ve evaluated” and trust things you can’t actually verify and call that secure.
mice • April 30, 2015 2:13 AM
The steps to go from 16bit to full 32bit on x86, isnt major if you look back, your talking about four lines to set a processor flag, set the descriptor table, a small code to load hdd into 32bit ram address, then call a far jump to that ram address, and your in 32bit mode, from there you could place security systems, maybe a oracle to remove abilty to jump back into realmode, disable a heap of kernel asm instruction or what not.
Steve • April 30, 2015 2:15 AM
My apologies, Andrew.
Jonas Silver • April 30, 2015 5:51 AM
@Psychiatric Debacle is Bad
Yes, I agree. Nobody should be making psychiatric prognosis. In fact, all of us in here agree. Except for Janet. Janet is a complete f***ing psycho.
But, Janet disagreed with us and took this consensus statement to her doctor and he replied, “Janet, you are not the problem. They are the problem.” She was flabbergasted, and we did not have the slightest idea of what he meant.
Whatever the case, we continued to allow having Janet make psychiatric prognosis on each of us.
@Wesley Parish, re ‘kingpin assassination problem’
That is a brilliant paper, thank you for sharing.
Hence why we can have such a black sense of humor.
It is so obvious, yet it does deserve rigorous analysis. But what gets through? Rigorous analysis or obvious, point blank statements? Nothing gets through. Persistence alone pays off, perhaps. And something else, I would argue. When there is endemic moral corrosion, eventually the system its’ self breaks.
For instance, if you remove the heads, then because demand still exists, someone else will take their place. This paper well points out, it is even worse then that, because you have fractured the points of supply, more points means a more competitive marketplace. And hence, the price drops.
Which is exactly why governments over open economies do police their economy against monopolies. Monopolies are unfair against the populace, they cause prices to skyrocket. Breakup the monopolies, and prices plummet. Plus, the open competition ensures quality improves.
So, they do the same thing with terrorism and drugs. Attack the monopolies, supply increases, prices drop, and the supply improves. Does improving supply mean that the populace got better drugs, drugs which are good for them, for instance? No.
Quality improves in a more subtle manner conducive to the economy in question.
As these sorts of recreational drugs are bad for people, as is the terrorism… improving upon these economies is not a good thing proportionally to how they are rightly considered bad things.
What has ended up with is, for instance, ISIS, in the terrorist front. Which even Al Qaeda has condemned for being too draconian. Yet, they have widespread support. Never even mind the problem of how getting rid of Saddam and the Baathist’s helped support that problem in the first place (or how ISIS was ‘Al Qaeda in Iraq’).
Is anyone actually blind to the fact that the “war on drugs” has been entirely detrimental to society? No. Only the remaining supporters who themselves are too deeply invested in their project to see. Same difference with drone assassinations, and similar military tactics.
It all boils down to ‘fighting fire with fire’. Now, it can be unfair to say that firefighters never fight fire with fire, because they do. But, ultimately, you have to take more sensible positions to deal with the problems. As it stands, the US has ended up turning Mexico into a firestorm, not unlike the Middle East.
Like fires that rage, however, is there any real hope of turning back? The vested interests run deep into the system.
There is something basic lacking in the equation. Perhaps it is simply some manner of water.
Jonas Silver • April 30, 2015 6:31 AM
http://boingboing.net/2015/04/28/fbis-crypto-backdoor-plans-r.html
The FBI wants backdoors in all your crypto, and UK Prime Minister David Cameron made backdoors an election promise, but as Stanford lawyer/computer scientist Jonathan Mayer writes, there’s no way to effectively backdoor modern platforms without abolishing the whole idea of computers as we know them, replacing them with an imaginary and totalitarian computing ecosystem that does not exist and probably never will.
Mayer gives the example of how stopping Android users from using crypto would require the abolition of third-party app stores, rolling back the state of the art in Web-based apps, introducing kill-switches to the platform that lets Google delete your apps and the data associated with them, and preventing jailbreaking at all costs.
…
Continue with the hypothetical, though. Imagine that Google could successfully banish secure encryption apps from the official Google Play store. What about apps that are loaded from another app store? The government could feasibly regulate some competitors, like the Amazon Appstore. How, though, would it reach international, free, open source app repositories like F-Droid or Fossdroid? What about apps that a user directly downloads and installs (“sideloads”) from a developer’s website?
The only solution is an app kill switch.3 (Google’s euphemism is “Remote Application Removal.”) Whenever the government discovers a strong encryption app, it would compel Google to nuke the app from Android phones worldwide. That level of government intrusion—reaching into personal devices to remove security software—certainly would not be well received. It raises serious Fourth Amendment issues, since it could be construed as a search of the device or a seizure of device functionality and app data.4 What’s more, the collateral damage would be extensive; innocent users of the app would lose their data.
Designing an effective app kill switch also isn’t so easy. The concept is feasible for app store downloads, since those apps are tagged with a consistent identifier. But a naïve kill switch design is trivial to circumvent with a sideloaded app. The developer could easily generate a random application identifier for each download.5
Nick P • April 30, 2015 10:47 AM
@ mice
The trick to it is that all the code and running memory you need for the bootup must fit in that space. Most modern stuff isn’t designed for it. That’s why Rust apparently had trouble with it. Better to just use a platform that doesn’t require nonsense like that. Most of the RISC platforms will do nicely. Some are cheaper, too. And, fortunately, Rust uses LLVM as its backend: supports quite a few platforms.
Gerard van Vooren • April 30, 2015 12:53 PM
@ Benni
The BND/NSA story is today major news on the German radio.
Well, with all the NON-National Security NSA stories, one can conclude that NSA is the wrong name for this agency, because it is NOT about National Security.
In all my wisdom I figured out an alternative name for the NSA that has a much better fit.
DLS: Dirty Laundry Sniffers
And that’s a name to be proud of!
Thoth • April 30, 2015 9:55 PM
This is a generic usage of a PBE-based encryption scheme to hide a filename using commonly found cryptographic algorithms. The cipher in mind is AES-128/256 in ECB mode. ECB mode is chosen so as not to store IVs for overhead of computation for filenames. For the password hashing algorithm, choose whatever you like e.g. BCRYPT, SCRYPT or the PHE competition hashes (use with care as they are untested) but do not use PBKDF or just outright crypto hashes (very bad idea as it is weak).
/** Encrypting Filename **/
MasterKey = PasswordHash(Username || Password);
FinalFileName = MasterKey.Encrypt(Random(8_bytes) || Filename);
/** Decrypting Filename **/
MasterKey = PasswordHash(Username || Password);
ActualFileName = MasterKey.Decrypt(EncryptedFileName).slice(0,8_bytes);
Maybe some of you have a better algorithm which you can post here too if you want.
owen • May 5, 2015 7:27 PM
Do you want to be a real vampire? Whatever your desire, we can fulfill it! Contact our Mystical Vampire Kingdom at vampirekingdom999@gmail.com for help. Be sure you want it, because there’s no turning back… Our highly skilled vampires can alter your very essence, turning you into a real vampire. contact email: vampirekingdom999@gmail.com for help.
Subscribe to comments on this entry
Sidebar photo of Bruce Schneier by Joe MacInnis.
David Doom • April 24, 2015 4:57 PM
More security news…
http://motherboard.vice.com/read/after-hacks-a-dark-web-email-provider-says-a-government-spied-on-its-users