Friday Squid Blogging: Squid Chair

Squid chair.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on May 8, 2015 at 4:04 PM • 179 Comments

Comments

rdm • May 8, 2015 6:37 PM

But...

(1) The build process for modern browsers is so compromised most people can't build at all except starting from compromised systems (for example, try building current Chromium or Firefox from sources on OpenBSD).

(2) At the time I am writing this, the twitter link to this page claims that this page is malware.

rdm • May 8, 2015 6:49 PM

(Also, somewhat ironic that these corporations losing these contracts outsource to other countries - many of which have repressive regimes which presumably are less moral than even our government and which have a history of government sponsored spying... But for some reason that topic is not being mentioned in these contexts, and I expect that outsource induced problems will not be fixed by legislation...)

Thoth • May 8, 2015 7:25 PM

@rdm
The Military/Security/Industrial Complex (MSI) profits from sales regardless of whether it harms civilians or not. They would simply invoke stuff like nationalistic feelings, wildly summoned imaginations of civil disorder and all kinds of proposals to sell their wares. There are cases where certain MSI companies and their contractors managed to scare the Government agencies and help dictate new national laws and regulations and make new guidelines and standards that are simply broken.

The fact is the Governments around the world are trying to keep their budget and manpower lean, so outsourcing is the road ahead; therefore the MSIs that promote and sell their wares without morals would always be doing very well in business with these Governments (knowing very well their fears and hopes).

Take a look at how these MSIs do their sales pitching to their clients. Take a look at webpages (using routing network of course) to view Thales, General Dynamics, Palantir, Hacking Team, Boeing and many other of these MSIs sales pitching.

Benni • May 8, 2015 8:07 PM

New interview with Edward Snowden in DER SPIEGEL:

Snowden says that NSA analysts are subject to no oversight. They can search for whatever they want, without any oversight or assessment. He says that industrial espionage by the NSA is a reality.

http://www.spiegel.de/politik/deutschland/edward-snowden-warnt-vor-geheimdienst-industriespionage-a-1032858.html

Meanwhile, DER SPIEGEL reveals that the list of NSA selectors that were directed against German interests would not have been 12,000. No, it was 40,000. And they were sorted out just because of Edward Snowden.

871205 • May 8, 2015 8:41 PM

So now that David Cameron has been re-elected, will he actually carry out his promise to ban all encryption online?

Benni • May 8, 2015 8:49 PM

The German government now has a leaker from within Merkel's inner circles who sends confidential emails between Merkel's staff and the United States to the press:

http://www.tagesschau.de/inland/nospy-101.html

"Dear Karen, we demand an official confirmation of our American friends that their activities on German ground are legal according to German law."

Answer: "The question whether German law is respected on German ground has to be clarified through a careful assessment of German law in consultation with experts. Here, the focus is whether our activities are legal with respect to American law. Our experts do not feel able to assess whether German law is observed."

Then, indeed, James Clapper made the offer to sign an agreement like they did for Bad Aibling that their activities would not be directed against German interests. But he said that he does not have the political power to decide this, since it depends on the White House.

Then they had some text and the German side wrote:
"My first impression is that the text does not meet our expectations since it does not exclude the possibility that the US spy on Germans without our consent or our knowledge"

Answer: "You are right. This will not become a no spy agreement."

Interesting is the lack of knowledge about German law. At first they write "Our experts do not feel able to assess whether German law is observed". And only after discussions they refuse to sign a no spy agreement. Apparently they did not even know that spying for foreign powers is forbidden here and means 5 years jail time.

But it is also interesting that the services themselves would not have anything against that. And it depends on Washington, which gives them their orders. Washington then probably feared that if they have a no spy agreement with Germany, then they will be under demand to sign such a treaty with other countries. And that they would lose their ability to spy on the German economy and its politicians.

Buttn • May 8, 2015 9:00 PM

Canada nearly finished passing their own version of the Patriot Act on Wednesday, Bill C-51 the "Anti-terrorism Act." The vote was 183 yeas to 96 nays. The only things that could stop it now are the Senate, which is all conservative and in favor of the bill, and the Governor General. Canada is now becoming a total surveillance state.

More info:
http://www.huffingtonpost.ca/2015/05/06/bil-c-51-anti-terrorism-passes-vote_n_7227520.html
https://bccla.org/2015/03/8-things-you-need-to-know-about-bill-c-51/
https://stopc51.ca
https://openparliament.ca/bills/41-2/C-51/

65535 • May 8, 2015 10:00 PM

"Bruce says here he wants mass surveillance powers given to the FBI as a form of population control." - Andrew Wallace

Where in the clip did Bruce say that?

I listened to the entire clip and I never heard anything except Bruce wanting to break up the NSA. Where did you get that sentence?

NSA pervs • May 8, 2015 10:32 PM

@Benni re "Interesting is the lack of knowledge about german law."

Doch. Interesting is the contempt of German law - or any legitimate law. Klapper's position is textbook arbitrary interference. Even in terms of US law he can't justify sucking up everything just in case and saying, 'but I didn't peek at you'; the US courts have spoken. German law is not hard to figure out, since the minimal requirement is ECHR Article 8 (or ICCPR Article 17, to which both countries are states party and with which domestic law must be brought into compliance.) The European Court of Human Rights has already slapped down GCHQ for breaching that. As Klapper shits on the law he keeps piling up pecuniary and other state responsibility.

It's clear to everyone that NSA is out of control, and if the US government can't rein it in, the international community will. Question is whether the Obama administration can avoid the humiliation of admitting it's not in charge. Everybody knows Obama is a puppet ruler but it will be embarrassing when he has to admit it to the world at the Universal Periodic Review next week in Geneva. The Saudis will be in his troika, bringing him up to human-rights snuff: How humiliating is that?

rgaff • May 8, 2015 10:54 PM

"The Saudis will be in his troika, bringing him up to human-rights snuff: How humiliating is that?"

It's ok, the state-controlled news agencies in the Democratic People's Republic of America will never let that leak out. If nobody mentions it or hears of it, it didn't happen. Just like trees falling in forests and emperor's clothes and things.

More Human Than Human • May 9, 2015 1:49 AM

Facebook's Internet for the Poor Removes All Privacy
(No SSL for the poor, no privacy rights agreement, governments free-for-all fest on data of the poor)
http://www.wired.com/2015/05/opinion-internet-org-facebooknet/

NSA Mass Domestic Surveillance Program Ruled Illegal
(But Don't Get Your Hopes Up, and Don't Think the Law Will Be Enforced)
http://www.wired.com/2015/05/breaking-news-federal-court-rules-nsa-bulk-data-collection-illegal/

Australia Slammed By Snowden for Draconian Internet Data Slurping
http://www.theguardian.com/us-news/2015/may/09/edward-snowden-says-australias-new-data-retention-laws-are-dangerous

And, Cameron elected in England. Which means no more privacy in England.
http://boingboing.net/2015/01/13/what-david-cameron-just-propos.html

One Victory for Mass Domestic Surveillance, the FBI alerted Garland Police About a Shooter Hours Before He Tried. Only, it was not illegal mass domestic surveillance. They simply followed his twitter feed.

http://www.nbcnews.com/news/us-news/fbi-says-it-alerted-garland-police-about-elton-simpson-n355526
Is it possible that these systems are working?

Are they sacrificing minority discontent to hide this secret?

Why is mass domestic surveillance selling so widespread when the product has been so dismal according to their own public reports?

"Secret surveillance" is in the very top tier of secret material for nations, up there with priorities like "nuclear weapons containment". And surprisingly few other categories.

When you argue against these systems' effectiveness, are you actually helping to strengthen the security of the secrecy of these very systems you are intending to argue against?

And maybe this is exactly what you should be doing.

All of this is either an instinctual reaction to an increasingly volatile world.

Or it is some grand, master plan of some master 'Dark Lord'.

Like this guy.

https://www.youtube.com/watch?v=PN64sN4oswA

Andrew Wallace • May 9, 2015 2:50 AM

65535

"I never heard anything except Bruce wanting to break up the NSA."

My interpretation was that he wanted to break up the NSA by handing the mass collection power to FBI instead.

Andrew

rgaff • May 9, 2015 3:48 AM

"Bruce says... ...as a form of population control."

Is Bruce now saying the stupid should all be forced to do medical procedures that make them sterile or what? ;)

~thc • May 9, 2015 4:10 AM

Beyond The Camera Panopticon: A very good talk from the re:publica 15 by Aral Balkan. He focuses on our perception of mass surveillance and what we really are to all the Eric Schmidts and Mark Zuckerbergs out there: Dumb f*cks.

Curious • May 9, 2015 4:26 AM

Btw, the article I linked suggested the following:

"Refer to the workarounds section to solve this problem in your setup and please warn others around you."

Going around simply warning other people is perhaps not the best "opsec" I can imagine, but maybe such is not really an interesting concern for most people.

rgaff • May 9, 2015 4:36 AM

@Curious

It's useful for those who use TAILS for their email...

Curious • May 9, 2015 4:49 AM

@ rgaff
I thought so. I just know so little about this that I kept my writing simple. :P

Thoth • May 9, 2015 7:09 AM

@Curious
I think it is simply a design problem with the current mailing standards where drafts are left unencrypted, and the copying of the email to the sending queue before the encrypted version gets sent is mostly for assurance that at least a copy is sitting on the server and can be retrieved when it needs to be re-sent. I am not an expert in IMAP technology, so someone could explain the copying of plaintext emails onto the sending queue if my explanation is wrong.

One workaround (if you own the server physically) is a complete encryption of the email server datastore including the queues. Some sort of whole system (including storage and memory) encryption. Using a secure hardware crypto module would add to the advantages.

Claws Mail should allow the creation of a portable profile that includes an encrypted volume for a VFS to handle the drafts (stored on the computer encrypted) and also to store a copy of the outgoing plaintext email in the encrypted volume; once it is successfully sent, it would just delete the encrypted volume's copy, or if the server crashes, the copy is still secured locally. This would require code changes on the Claws Mail side.

The one way to prevent such low-assurance email client security behaviours is to simply create a higher-assurance client from the ground up with some form of formal/semi-formal concepts and proofs for its security and design (CC EAL 5+ and above design and implementation), but that is not going to be easy to do and takes lots of time and resources.

BoppingAround • May 9, 2015 9:32 AM

871205,
Aha. Looks like the link I was searching several hours before but failed to acquire. Thanks.

albert • May 9, 2015 10:34 AM

@871205
That would be cool! It would be the beginning of the end for UK businesses, and the end of the UK as a useful tool for US interests in the EU.
.
I want to see Greece, Italy, Spain, Portugal say EFU to the EU, and Germany and France realign themselves with the China/Russia/India axis (along with the GISP group). With Europe leading the way, Australia and New Zealand will be encouraged to follow.
.
Do I have to spell out what this will mean for the US?
.
...

gordo • May 9, 2015 11:00 AM

Lots of noise in the news media, post-decision ACLU v. Clapper. In my view, the below blog post and its accompanying links cut to the chase.

In Holding NSA Spying Illegal, the Second Circuit Treats Data as Property
By JIM HARPER | CATO AT LIBERTY Blog | MAY 7, 2015

Two points from different parts of the opinion that can help structure our thinking about constitutional protection for communications data and other digital information. Data is property, which can be unconstitutionally seized.

http://www.cato.org/blog/holding-nsa-spying-illegal-second-circuit-treats-data-property

NSA pervs • May 9, 2015 11:03 AM

@rgaff, "the state-controlled news agencies in the Democratic People's Republic of America will never let that leak out."

Sadly true. Outer-party members will be subjected to state-scripted propaganda in Times and Post articles that boil six hours of compliance review down to two or three standard catchphrases.

The whole outside world, of course, knows they can just click on the live proceedings Monday May 11 (but at 3 AM ET so the US proles will be asleep.) Mass surveillance is one of the formal priorities subject to required US response (up there with gun violence, Guantanamo Bay, and impunity.) It's a grilling like the government would never get at home.

Buck • May 9, 2015 11:07 AM

@AlanS

I can't seem to load emptywheel... Got an alternate source or a summary?

rgaff • May 9, 2015 1:01 PM

In http://www.cato.org/blog/holding-nsa-spying-illegal-second-circuit-treats-data-property
it says, "the court parried the government’s argument that the ACLU suffers no offense until its data is searched."

This is as if, essentially, the police raid my house and take all my stuff, but because they are blindfolded and don't actually LOOK at what they stole, nothing was taken. And they can freely do it without a warrant of any kind or even any remote suspicion of wrongdoing too, since they're not actually taking my stuff. They just have it there in a big government storage locker IN CASE they might need to "take" it later (i.e. rifle through it and actually look at it this time). Oh, and this also applies if robots break in and take my stuff; it's not taken either, since no human eyes looked at it.

Benni • May 9, 2015 1:35 PM

@NSA pervs

Well, the exchange was between Christoph Heusgen from the German chancellery and Obama's aide Karen Donfried. And it was Clapper who proposed something like a no spy agreement, but he said that he does not have the power and that this must be decided by Washington. And it was Washington (Karen Donfried) who refused. This indicates that it's not the NSA who is out of control, but these American politicians who give the NSA explicit orders to spy on Europe and the economy.

JustIgnoreA.W. • May 9, 2015 1:57 PM

Just ignore A.W. He is of no consequence. He attempts to induce divisiveness on this blog.

NSA pervs • May 9, 2015 2:10 PM

@Benni, It's a conundrum. "The spies take orders from the President" has been official US dogma since the Church and Pike Committees. They always agree - that seems to support the hypothesis. But look at the crucial fleeting cases where they don't see eye to eye. Who prevails? Obama once bruited justice for torturers, and look what happened. If Obama hadn't knuckled under, a lone wolf would have blown his brains out in a jiffy.

Nick P • May 9, 2015 2:25 PM

"If you watch Schneier carefully you will notice he is against the NSA but pro FBI." (Andrew Wallace)

If you watch Andrew Wallace carefully, you'll notice he's clearly a troll or sophist with a pro-government agenda. The simplest Google search shows that Bruce repeatedly calls out the FBI for irresponsibility, deception of American people + Congress, and even manufacturing of terrorists. Bruce knows there's a need for law enforcement and a legal structure backing that. He occasionally speaks within their framework in an attempt to get the other side to make compromises on their [ridiculous] position. Given context of past statements, though, this by no means indicates Bruce is pro-FBI or supports mass collection.

That Andrew expounds on a "pro-FBI" video segment while ignoring entire essays that contradict his interpretation says more about him than Bruce. That kind of selective reporting to push a crafted image is a hallmark of sophistry, disinformation, and propaganda. The leaked slides showing online disinformation campaigns by GCHQ should make people more concerned about his sophistry given his Twitter feeds are mostly ads for government activities. Most of his posts here indeed fit well into their four D's: Deny, Disrupt, Degrade and Deceive.

AlanS • May 9, 2015 3:36 PM

@Buck

(Note for those who may have forgotten, Wyden was the senator who forced Clapper into lying (go to 6 minute point in the video), pre-Snowden (bonus video: Hayden cursing Wyden for doing what he did). He plays the system to reveal what's going on if you read between the lines.)

Here's the first part from EmptyWheel with link to Daily Dot:

"As the Daily Dot reported, Senators Wyden, Heinrich, and Hirono wrote John Brennan a letter trying to get him to admit that he lied about hacking the Senate Intelligence Committee.

But, as often happens with Wyden-authored letters, they also included this oblique paragraph at the end:

Additionally, we are attaching a separate classified letter regarding inaccurate public statements that you made on another topic in March 2015. We ask that you correct the public record regarding these statements immediately.

A game!!! Find the lies Brennan told in March!!!"

AlanS • May 9, 2015 3:48 PM

Speaking about people shining a light on dark areas, something from Ars Technica:

Did judge who ruled NSA phone dragnet illegal call Snowden a whistleblower?

This relates to the legal ruling on section 215 earlier this week.

[Judge Robert] Sack didn't outright use the term whistleblower, but he came close, writing in a concurring opinion that the litigation on the dragnet "calls to mind the disclosures of Daniel Ellsberg that gave rise to the legendary 'Pentagon Papers' litigation."....Then in a footnote, next to the word "leak," the judge said he put quotation marks around the word to refer to how he viewed the term: "[T]he use of the term 'leak' to identify unauthorized disclosures in this context may be unhelpful. It misleadingly suggests a system that is broken. Some unauthorized disclosures may be harmful indeed. But others likely contribute to the general welfare . . . . Secretive bureaucratic agencies, like hermetically sealed houses, often benefit from a breath of fresh air. (PDF)"

Buck • May 9, 2015 4:00 PM

@AlanS

Thanks! I looked up that letter from the Senators after posting my question and figured this was probably the game... Only one lie though..? It'll probably be tough to choose, but I'm ready to play! :-D

Nuh-uh • May 9, 2015 4:05 PM

Yeah, if Bruce was really pro-FBI, he would be supporting FBI's prime directive, which is covering up CIA crimes. Like Spike Bowman destroying the anthrax strains, or Tom Thurman framing Libya for Lockerbie, or the whole force intimidating witnesses to the JFK coup and shutting up Mohammed Atta's buddies, or John Zent springing Ali Mohamed out of jail in Canada, or Aaron McFarlane killing and deporting Tam Tsarnaev's friends to hide his handlers, or Manuel Perez exfiltrating Saudi 9/11 masterminds from Tampa in HP32.

AlanS • May 9, 2015 4:18 PM

@Buck

Marci came up with three or four possibilities on Emptywheel. The game might be harder if it was find what he says that is true.

Eric S. • May 9, 2015 5:16 PM

@ Andrew Wallace
"We don't need medical procedures when the population already voluntarily carry a mobile phone at all times."

'fraid not. We won't need those Hillary Clinton chip implants into our bodies as she pushed them pre-date the iPhone.

tyr • May 9, 2015 5:30 PM

Apparently Gates has run out of fingers and can't untie his shoes so there will be no Windows 11 and above.

Bruce probably is a fan of the thought of J. Edgar Hoover in his pink tutu since it reinforced the FBI's image.

johnny dillon • May 9, 2015 5:37 PM

@ Nick P, "He occasionally speaks within their framework in an attempt to get the other side to make compromises on their [ridiculous] position."

Help me understand what good it does to break up? I don't see how that changes anything and I don't want to get into another mass surveillance debate regarding merits. As far as I know, the watch came to be known as Computer Watch (as some here may relate to). It was deemed necessary to catch the bad guys of computer crimes, but as far as I understand was not to be a tool of mass surveillance.

` ` • May 9, 2015 6:00 PM

"was not to be a tool of mass surveillance"?

Remember OMNIVORE/Carnivore/DCS1000/Narus Insight? The only constraints were technical. FBI always took everything they could until 9/11 when they took everything they could.

Nick P • May 9, 2015 8:29 PM

@ johnny dillon

It was Bruce's opinion, not mine. I'd only be guessing. There's two options that periodically show up in discussions on what compromises we can do post-9/11 without a full rollback. Something they *won't do*. So, let's look at how things were.

The FBI was an organization that targeted Americans suspected of crimes. They had to gather evidence, get warrants for individuals, take people to court, try them, and maybe they were convicted. Many escaped due to procedural issues or violations of rights. The military-intelligence organizations targeted foreigners with no notion of rights, warrants, due process, and so on. Operations on enemies included infiltrations, sabotage, blackmail, kidnapping, torture, and murder. They also did this with legally-protected secrecy and criminal immunity. The Posse Comitatus Act and court interpretations prohibited the U.S. military or intelligence services from targeting Americans.

Then, in 2001, the FBI and CIA fail to act on intelligence they had. Actually, many organizations failed across the board. The result: 3,000+ dead Americans and a national state of terror. Option A (our side) was a thorough investigation of their failure, termination of employment for deserving, prosecution for truly deserving, stronger accountability for the organizations, and possibly a reduction of power/money given they wasted it. Option B (Bush/Cheney side) was no investigation, promotion of some that failed the most, more legal powers for failing organizations, more secrecy for the same, more money, and less due process. Seeing history, our side figured this was a power grab seizing the moment and had little to do with terrorism. They'd been attempting the same stuff for decades now anyway. Most of America and Congress disagreed: new laws granted most of their wishes along with turning military-intelligence on Americans in restricted ways. Much deception, leaks of abuse, immunity to abuse, and so on followed.

Let's get back to your question now that the context is there. The first idea many brought up (aside from rollback) is to divide them. The FBI would have extra authority for getting information on or taking action against terrorists. Constitutional rights, esp trials with due process, would still apply. The military-intelligence sector would still focus their "extrajudicial" authority and tools on foreign targets. Like Posse Comitatus, Americans would not be a legitimate target of U.S. military or spies. Both sides would collaborate and share information more effectively for authorized situations such as terrorism. Yet, what happens to Americans would still be as consistent as possible with our established principles.

The second idea, which Bruce mentioned once, was to break up the NSA itself. The NSA has two missions: the primary mission of using SIGINT to gain intelligence to aid the U.S.; the secondary mission of protecting communication and information systems of the defense sector (not us!). That defense and commercial sectors use a lot of the same stuff means the benefits might have rolled over. That NSA's main mission gives incentives to weaken everything means they'll subvert even their own efforts at information assurance. As for us, they will only be a threat to our information security. So, some suggest to break NSA responsibilities into two organizations with separate budget, leadership, and missions. I added that this can only help if the organization doing INFOSEC is outside of the law enforcement, military, and intelligence aspects of the government. An organization set up and led like GAO with DARPA/NSF-style R&D would be ideal.

So, those are the two strategies I've read for splitting things up and reducing the risk these organizations pose. They actually complement one another instead of compete. The last benefit, and main justification, was that they're things Congress might actually accept as they serve both sides' interests to a large degree. Call discussions on such things a necessary evil: get us a little closer to the intended destination now and maybe more later. That's how I've thought of things.

johnny dillon • May 9, 2015 8:59 PM

@ Nick P

Thanks for the long post, but what you suggest of creating two separate entities is like what we have currently with the DEA and FBI. It is nonsensical to believe that no cooperation exists between them. Having two distinct leaderships only gives more incentive to scratch each other's back or punt the blame. I still don't see how that accomplishes what Bruce claims.

Nick P • May 9, 2015 9:23 PM

@ johnny dillon

You're missing the key difference: the NSA and CIA would not be allowed to target Americans at all. Sure they'd try to sneak and do it here and there. Maybe share what they find. Yet, previously, about all sources say NSA analysts went to great lengths to comply with policies limiting what they'd do with Americans' domestic information. That's the opposite of the current situation where they collect about everything and use the FBI to compel companies to help them per the Patriot Act. The DEA, like the FBI, is a law enforcement organization that still must collect evidence, have warrants, get individual wiretaps, do things in trial, and so on. Plus, with a still restricted FBI and DEA, you don't get those other wonderful things organizations such as CIA's NCS do to their enemies.

Ever hear of the FBI or DEA doing rectal feeding of suspects held without trial? At the least, the case would likely be dismissed and the defendant might get a nice settlement. At worst, America would flip out and resignations would result. Military and spooks coming after you is always worse than cops doing it. Better to keep them out of the domestic situation.

Note: I forgot to add above that TSA and DHS should've never happened. We didn't need them.

"two distinct leadership only gives more incentive to scrub each other's back or punt the blame"

It's a risk. Yet, GAO regularly calls out the U.S. government on their BS. So have other organizations or teams designated to do so in places where they had real autonomy. The real effort here goes into mission requirements, incentives, who's leading, and the organization's culture. Certain places wouldn't care to subvert anything and others would fight you over it. At a minimum, we need an organization like that, one that law enforcement can't touch, with no control by NSA (rules out NIST), and with a legal mandate to provide INFOSEC help for all of us.

Andrew Wallace • May 9, 2015 11:17 PM

It is better that all departments within the organisation are working together in an open plan office space than breaking up departments within the organisation and sending them off to separate buildings.

That is how the government are working these days in the United Kingdom. You have a multi agency approach where they work side by side with each other and are leaning over each other.

It is a lot better not to be broken up. If you've worked in the police or intelligence service you would understand why it's better to work together and be involved with each other.

Andrew

Buck • May 9, 2015 11:32 PM

@AlanS
Lolz:-P Indeed!!

BRENNAN: That's hogwash. If anybody believes that we're withholding documents because we believe that would be embarrassing, that is just absolutely wrong.
This is my pick, taking the letter's context into consideration...

Andrew Wallace • May 10, 2015 12:03 AM

The reason 9/11 happened is in part because there wasn't a multi agency approach.

Law enforcement weren't talking to the intelligence service and the intelligence service weren't talking to law enforcement, and they were in separate buildings in a closed office environment.

I can tell you in the United Kingdom all that has changed. We've got open plan office space.

We've got multi agency in one building leaning over each other taking an interest in each others work.

That is how it should be done and that is what is happening in the United Kingdom.

That way it is far less likely 9/11 will ever happen again.

Andrew

name.withheld.for.obvious.reasons • May 10, 2015 12:21 AM

My take on the current structure that is the IC community, the DoD, federal civil agencies, inspectors general and independent agencies, and state or municipal law enforcement can be summarized as follows:

Federal law enforcement, protection services, and courts must be a string of authorities and agencies that to specific federal statutes and authorities--not as a replacement or augmentation to existing state and local authorities. The federal government has continuously eroded the effectiveness and responsiveness of state or local authorities; the use of federal programs and spending has made local agencies little more than whores to federal mandates. The encroachment of federal egotists into local spaces has reached a near climax; independent reports claim a factual basis of a Posse Comitatus operation under the DoD theory termed "Mastering the Human Domain".

The major shift from locally responsive civil and criminal justice systems is decimating our communities and reduces both the fair application of justice and the efficacy of law.

I suggest a little research--we may be in the breach...

See you at the bunker, remember the pass code challenge/response phrases.

Nick P • May 10, 2015 1:08 AM

@ name.withheld

Many of us have an incredible amount of respect for you. You put that at risk citing a fraud who destroys over time all who trust in him. Probably better if you avoid such sources in the future. Find reliable sources who are promoting the truth and expand on their work. I've seen too many follow Jones' lead to end up absorbing their whole lives in his propaganda. To no positive effect either. I've never seen him have a positive effect over long haul.

Andrew Wallace • May 10, 2015 1:22 AM

If the United States are doing the same as the United Kingdom there will be law enforcement and the intelligence service in the same building as a multi agency approach.

Secondments where staff move around should also be promoted so it's not the same staff for life in the same locus, and they are moving around the country to different cities.

That is the model we have in the United Kingdom and is the sensible approach for the United States to follow.

To break up the NSA or any other talk is suicide for another 9/11 to happen. Keep your organisation together and take a multi agency approach including secondments.

Andrew

WaelMay 10, 2015 1:46 AM

@Andrew Wallace,

That is the model we have in the United Kingdom and is the sensible approach for the United States to follow.

Now that you gave us the whole Kit and Kaboodle on security organization optimizations, I wouldn't be surprised if the United States Intelligence Community scrambled to follow your flawless instructions :)

Andrew WallaceMay 10, 2015 2:01 AM

"I wouldn't be surprised if the United States Intelligence Community scrambled to follow your flawless instructions :)"

Wael,

Do they read Schneier's blog?

Andrew

WaelMay 10, 2015 2:26 AM

@Andrew Wallace,

Do they read Schneier's blog?

Na! I seriously doubt it; they collect cite metadata, tops ;)

BystanderMay 10, 2015 2:40 AM

There is a hint of Zersetzung in A.W.'s comments.

In a not so distant past there was a case of grouping all LEO and intelligence organizations together - does anyone remember the Reichssicherheitshauptamt? (German because the english article is sub-standard)
In the short period of its existence it went through three major reorganizations.
Large bureaucratic organizations have a tendency to take on a life of their own.
Such an organization is also a formidable tool for other purposes than just law enforcement.

BystanderMay 10, 2015 2:53 AM

@Omri

The weakness in Open Smart Grid Protocol authentication/encryption is sad and dumb.
IEEE can do better...

Eight Armed WillyMay 10, 2015 3:02 AM

Andrew,

You are correct. The FBI is not an intelligence agency. They tried that during the second world war with an enormous New York cover company. It was a hilariously dismal failure. They closed that work in 1946.

They even called it the SIS.

http://www.fbi.gov/about-us/intelligence/timeline

The CIA took some lessons from their failed pursuits, as well as from their own, the Brits, and others, and compiled a more comprehensive write up of such endeavors here:

http://www.foia.cia.gov/sites/default/files/document_conversions/89801/DOC_0000608982.pdf

Which I mention so you might contrast that reasonable approach to intelligence against the comparatively horrible results of the FBI, documented here:

https://archive.org/stream/FBI-Special-Intelligence-Service-History/SIS-FBI-History_djvu.txt

And, oh my, there used to be a FOIA paper. Now just three results for the SIS' old company. Three results in google.

https://www.google.com/#q=%22Importers+and+Exporters+Service+Company%22

Of course, you can take a gander at the edbrooke paper and notice it was FOIA 95, yet curiously mentioned in an early eighties paper -- probably, considering the content, a KGB product of the time.

http://www.multinationalmonitor.org/hyper/issues/1982/04/kaiser.html

Hoover forbid undercover work. He felt that the business of dirty tricks and indecent behavior was unbecoming for federal agents. I forget the exact quote.

Yes, the Brits, like everyone else, are so very, very far ahead of the US in intelligence.

The US did not even have any spies in the 20th century before WWII. It was not considered gentlemanly. Of course, one can wonder if this was, in fact, true, considering much earlier Secret Service and State Department papers out there. Somewhere. Floating around.


Eight Armed Willy

PS and do please check out my url!

name.withheld.for.obvious.reasonsMay 10, 2015 3:07 AM

@ Nick P

Many of us have an incredible amount of respect for you. You put that at risk citing a fraud who destroys over time all who trust in him.

I sincerely appreciate your sentiment. When posting I make an effort to clear the information to the degree possible; items that cannot be easily corroborated (some of my first-person experiences) are prefaced with the appropriate caveat. The link I provided, the Jones site, references a segment aired on C-SPAN several days ago about a domestic training center, with the feature of training military and civilian personnel in "domestic terrorism operations". See the following link, "Mastering the Human Domain", which is time indexed... it's a DoD symposium presentation.

What I found on the Jones site surprised me: quotes from sources, fully named material records/sources (scrapes from the on-line text included), display of the text of record, and text highlighting during the program. There is a minimum of "opinion" based text, and I would always assume others would be capable of vetting the source for themselves. I see it as a starting point for people looking to understand the domestic coup that has overturned our civilian government... the junta is the de facto LEA for U.S. cities and towns.

The program hosted by David Night demonstrated professional journalism, compare this program to other media sites and you'd be surprised. I'm not endorsing the Alex Jones channel, but I do recommend others look at this particular program (aired earlier this week) and consider that it may represent a positive divergence from prior "conspiracy" type reporting.

65535May 10, 2015 3:27 AM

@ Andrew Wallace

You seem to be an expert in both the legal and intelligence field.

Do you concur that IMSI catchers impinge upon the UK population’s rights when used by the UK police in secret? Do you agree that IMSI catchers used by the Metro Police in the UK are a form of population control?

Do you believe blanket use of IMSI catchers on UK civilians by both National and local police agencies is illegal? Have you been involved in the use of IMSI catchers and do you believe they are perfectly legal in the UK? Should the UK only use IMSI catchers at the National level for national counter spying?

“Matthew Rice, advocacy officer for Privacy International, told The Times: 'You cannot maintain this level of secrecy and claim that we still have policing by consent. 'This technology is not capable of targeting an individual. The latest IMSI catchers can unmask entire groups involved in protests, intercept all their messages and block all their calls.'”

“[UK] Police numbers show that officers used 'property interference' techniques 2,689 times in the last year, but this data will include conventional bug microphones and other such devices… IMSI catchers work by jumping into this stream of data, allowing the device to monitor everything that is sent between mobiles and a specific phone mast. Police will… be able to see a handset's IMSI - or International Mobile Subscriber Identity - along with the International Mobile Equipment Identifier (IMEI), allowing them to identify the owner. ISMI catchers then have the ability to monitor data sent to and from the handset, listen in to phone calls, block mobile signal, or send fake text message to or from the phone…the devices are relatively new, their use is not covered by a specific law, and instead falls under the Police Act 1997 which is usually used to allow police to install bugs in someone's home… use of such devices can be approved by an officer of chief constable rank, without the need for a judge or government minister to approve. Scotland Yard and the NCA have both refused to discuss when or why they use the devices, and what type of data they gather." -dailymail

http://www.dailymail.co.uk/news/article-2816771/Police-using-controversial-snooping-technology-hack-thousands-innocent-people-s-mobile-phones.html

Wesley ParishMay 10, 2015 3:46 AM

@65535

I think Our Dear (alt Overly Expensive) Friend Andrew Wallace (etc) would read The Daily Mail if it was titled The Daily Female and included the Page Three Prince in fully rampant glory on ... wait for it ... Page Three!!!

Gerard van VoorenMay 10, 2015 3:55 AM

@ Andrew Wallace

It is obvious you are a troll and you even stink at that part.

My advice to everyone is to stop feeding trolls.

Joe KMay 10, 2015 6:28 AM

@Buck

I can't seem to load emptywheel... Got an alternate source or a summary?

As a workaround, if you happen to have it installed, curl works for me.

ThumbnailMay 10, 2015 6:47 AM

"Answer: 'You are right. This will not become a no spy agreement.'"

Considering this is high-level correspondence between two supposed allies (for one thing, the USA is running half its drone missions from within Germany!) the tone exudes an unbelievable level of arrogance and self-righteousness. It reminds me of the defensive pomposity of those historical figures who, at the time, knew they were in the wrong but simultaneously had the conviction that they were entitled to get away with it (see, for a taster, the statements of 18th c. slave traders in London, 20th c. white supremacists in the South or 21st c. bankers in Morgan Stanley).

CuriousMay 10, 2015 6:56 AM

The digital certificate for my https connection to my bank has this type of connection; should I worry?
"tls 1.0 rc4_128 md5 rsa"

ThothMay 10, 2015 7:07 AM

@Curious
It is worrying that banks still use very bad cipher suites like RC4 and MD5, but the main thing is that people don't attack the HTTPS connection in terms of ciphers; what people attack is around the security systems, like the end points (user computers), and whether they can spoof a certificate (if the bank's certificate is not properly secured).

Looking at the situation the Western countries are currently in, it is best not to notify the bank, as apathy has always been the mainstay of most Western societies (in my opinion) and remains mostly true.
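The cipher-suite summary quoted above is easier to judge mechanically than by eye. The following is an added example, not code from the original thread or from any bank. It assumes the summary format the browser showed (protocol, bulk cipher, hash, key exchange, separated by spaces or underscores), classifies each weak component, and then builds a Python `ssl` client context that cannot negotiate any of them. The function names (classify_suite, hardened_client_context, context_offers_weak) and the sample strings are my own.

```python
"""Classify a TLS cipher-suite summary and build a client context that
refuses the weak choices.

Added example, not code from the original thread. The input format
("tls 1.0 rc4_128 md5 rsa": protocol, bulk cipher, MAC/PRF hash, key
exchange) is assumed from the comment above; browsers print it in
varying forms, so the tokeniser is deliberately loose.
"""
from __future__ import annotations

import re
import ssl

# token that may appear in the summary -> why it is a problem
WEAK_TOKENS = {
    "rc4":    "RC4 is a broken stream cipher (biased keystream); RFC 7465 forbids it in TLS",
    "md5":    "MD5 as the MAC/PRF hash: collision-broken, no longer acceptable",
    "des":    "single DES: 56-bit key, brute-forceable",
    "3des":   "3DES: 64-bit block, Sweet32 birthday attack on long sessions",
    "null":   "NULL cipher: no confidentiality at all",
    "export": "export-grade (40/56-bit) suite: trivially brute-forceable",
}

# key-exchange tokens that give forward secrecy
FORWARD_SECRECY = {"ecdhe", "dhe"}

_VERSION_RE = re.compile(r"\b(ssl|tls)\s*v?\s*(\d(?:\.\d)?)\b")


def classify_suite(summary: str) -> list[str]:
    """Return a list of findings; an empty list means nothing weak was seen."""
    s = summary.lower()
    findings: list[str] = []

    m = _VERSION_RE.search(s)
    if m:
        proto, ver = m.group(1), float(m.group(2))
        if proto == "ssl":
            findings.append(f"SSL {ver}: SSLv2/v3 are obsolete (POODLE); use TLS 1.2 or later")
        elif ver < 1.2:
            findings.append(f"TLS {ver}: pre-1.2 MAC/PRF construction; use TLS 1.2 or later")

    # "rc4_128" -> {"rc4", "128"}; "ECDHE-RSA-AES128-GCM-SHA256" -> {"ecdhe", "rsa", ...}
    tokens = set(re.split(r"[\s_/,;:-]+", s))
    for tok, why in WEAK_TOKENS.items():
        if tok in tokens:
            findings.append(why)

    if "rsa" in tokens and not (tokens & FORWARD_SECRECY):
        findings.append("static RSA key exchange: no forward secrecy; a later leak of the "
                        "server key decrypts every recorded session")
    return findings


def hardened_client_context() -> ssl.SSLContext:
    """Client context that cannot negotiate what the bank above offered."""
    ctx = ssl.create_default_context()        # verifies the server chain and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Forward-secret AEAD suites only for TLS 1.2; TLS 1.3 suites are all
    # forward-secret and AEAD, and OpenSSL manages that list separately.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4")
    return ctx


def context_offers_weak(ctx: ssl.SSLContext) -> list[str]:
    """Names of suites the context would still offer that classify_suite() rejects."""
    bad = []
    for c in ctx.get_ciphers():   # dicts with 'name', 'protocol', 'kea', 'aead', ...
        if classify_suite(f"{c['protocol']} {c['name']}"):
            bad.append(c["name"])
    return bad


if __name__ == "__main__":
    for line in classify_suite("tls 1.0 rc4_128 md5 rsa"):
        print("-", line)
    print("weak suites still offered by hardened context:",
          context_offers_weak(hardened_client_context()))
```

On the string from the comment, classify_suite flags four things: the pre-1.2 protocol, RC4, MD5 and static RSA key exchange. The last one matters even for an otherwise careful bank, because a future compromise of the server's RSA key decrypts every session an adversary recorded while it was in use. The hardened context only protects the channel itself; Thoth's point that the endpoint and the certificate issuance are the usual targets still stands.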

Andrew WallaceMay 10, 2015 7:46 AM

65535,

It is the statutory duty of the Police and NCA to detect and deter crime and to use every tool at their disposal as part of that.

Andrew

Andrew WallaceMay 10, 2015 9:49 AM

I'm against the break up of the NSA as already explained.

It is better to have the information assurance and data collection arms taking an interest in each others work in the same building as an open office environment.

I believe Bruce has got it wrong as far as a break up is concerned.

I do agree elements of NSA powers should be extended to law enforcement, e.g. serious and organised crime investigations at the FBI.

To break up the NSA would be to weaken and to weaken is to put public safety at risk.

Andrew

BenniMay 10, 2015 10:25 AM

BND helped NSA to spy on Siemens. NSA wanted to know about surveillance technologies that Siemens had sold to Russia:

http://www.spiegel.de/politik/deutschland/bnd-affaere-angeblich-siemens-im-nsa-auftrag-ausspioniert-a-1033035.html

(That sounds, by the way, like a typical BND contract. In the past, BND used Siemens to create a manufacturer of bugged crypto devices. Probably the surveillance technology that Siemens sold to Russia was bugged, too.)

Furthermore, NSA says that if Germany publishes the selector list, NSA will reduce its exchange to terror warnings. It will not deliver satellite images from crisis regions or in case Germans get abducted somewhere. This actually sounds like a joke. Germany developed its own spy satellites because NSA did not give them the satellite images they wanted before.... If NSA stops giving images, then Germany just might start a few launches... We have an optical industry that can probably give better resolutions than the American counterparts.

Similarly to NSA, other services have called BND. They are in sorrow that so many BND operations are getting revealed and strive to stop cooperation. BND "cooperates" with 451 services from 167 countries.... Such a large data sharing culture they had....

ThothMay 10, 2015 10:34 AM

@Henrik
In the YouTube video of the Congress hearing, at about 1:35:00 into the video, Conley talked about enterprise-grade security remaining as it is and handheld personal devices being soft spots for law enforcement.

If that is the case, he is assuming organisational fraud and using secure means to hide organisational wrongdoings whereas personal wrongdoings have to be public and easily exposed. That is very wrong.

The ease of laying hands on a commercial-strength secure element is just... that easy. It is called dual-use technology for a reason: the military-grade crypto-chip can be used for civilian purposes and the chip does not know the user. The TPM chip inside an iPhone would have designs similar to those of an HSM for larger organisations, but it is not restricted to just a personal device or a rack-mounted organisational security device. Conley assumes organisations will not do wrong or play against the rules of the law, and creating weak personal endpoints means a broken security link to the stronger "financial security systems" (in the context of financial security systems, and not limited to just that).

@all
The current state of crypto-chips these days assumes a trusted model (TPM style) and now chips have advanced to a state they include multiple processors within a crypto-chip to check the state of each other (something like @Clive Robinson's Prison architecture). Infineon's Integrity Guard (https://www.infineon.com/dgdl/IntegrityGuard_Whitepaper_09.2012.pdf?fileId=db3a304339bdde1f0139c0f8b72504f6) seems to be using multiple self-checking chips with the entire system being encrypted including pathways and data.

I wonder if the next step for chips is to include high assurance military-style red-black separation which already existed but uncommon in the commercial market since it is much easier to make an entire traditional chip that houses the red and black keys together in a perceived trusted environment but with lower assurances. Maybe a red-black chip might become more common due to chips becoming cheaper and technology becoming more capable and of course we should not blindly just trust any other chips off the shelf.

Satanic Lizard ManMay 10, 2015 11:04 AM

Alex Jones is subject to lots of indiscriminate vilification. The quality is uneven, but Jones' site gives a hearing to dissidents who are silenced in US media such as Chris Busby and Francis Boyle. As name.withheld points out, his site also links directly to obscure official documentation. Very often the most vehement 'loony' slurs are aimed at sites that link to documented fact. The officially-sanctioned approach is to mint little catchphrases that substitute for evidence and inductive logic: in purest form this is the Andrew Wallace/Skeptical pink noise.

Andrew WallaceMay 10, 2015 11:15 AM

What I know about Alex Jones is when the public get close to the truth of a conspiracy he is rolled out to mock, exaggerate or divert attention from it.

Or if there is a high risk of the public getting close to a conspiracy he is preemptively rolled out.

Andrew

tyrMay 10, 2015 2:32 PM


If I recall correctly, the red/black separation means red only has one input channel to black and has a separate power supply. To implement this in a modern device you'd have to make red power rechargeable batteries running a separate device, and only with a single port entry to the black device.

The usual voodoo for shielding red from EM and acoustic leaks, or other arcana of modern probing, should get you a reasonable level of assurance.

Given modern computer architecture this would be as useful as the Roman cylinder cipher, which might still avoid most of the nosey authorities. The sudden appearance of odd wooden cylinders in a spy's pocket might take a while to puzzle out.

Bob S.May 10, 2015 4:19 PM

@Thoth

RE: "...high assurance military-style red-black separation which already existed but uncommon in the commercial market ..."

For certain I don't know what that's all about, but there must be military grade secure hardware and I am wondering why we peasants can't have that too?

Is it against the law to have secure hardware?

Andrew WallaceMay 10, 2015 4:42 PM

Bruce,

I've been looking at more of your YouTube videos about Data and Goliath.

You mention about corporate and government capabilities but not that of criminals.

What can the middle man do: e.g. the well funded criminal enterprise within the mafia.

The criminal enterprise preys on all three:

The corporate world, the government world and the public yet it doesn't seem worth mentioning in the book.

What is corporate and government surveillance teaching organised criminals?

Andrew

rgaffMay 10, 2015 5:48 PM

@ Bob S

All us peasants are "adversaries," "targets," "criminals," and "terrorists".. we owe our very existence to their majesty's allowing us to live one more day, out of their grace and benevolence.

rgaffMay 10, 2015 5:50 PM

@ Sancho_P

I've found that if I need to set the general record straight for other readers, don't address the troll by name, then it's less likely to argue back and forth :)

AlanSMay 10, 2015 6:00 PM

@Buck

That one is a whopper. They lie so much they constantly lie about not lying.

I look at these type of events as performances in which public narratives of what happened are constructed. It's not a very good performance if the viewer isn't drawn in but is instead continually aware of it being a performance and is therefore always asking why is he saying that? What purpose does it serve? What's he hiding behind the curtain? They must hate people like Wyden, who are constantly hinting at stuff hidden behind the curtain.

Andrew WallaceMay 10, 2015 6:09 PM

I believe the biggest threat is not corporate or government but that of organised criminals yet it is not talked about as much.

Andrew

Andrew WallaceMay 10, 2015 6:30 PM

Corporate or government is not a threat: it is highly regulated. What we need to look at as an industry is what the well funded criminals are doing.

Andrew

Nick PMay 10, 2015 7:07 PM

@ Bob S

Red-black is shorthand for plaintext-ciphertext separation. They might be kept separate at the software, kernel, hardware, or even electrical layers. The plaintext is not allowed to leak. The crypto core and interfaces are rigorously designed to show (a) correctness and (b) leak resistance. The best of these are Type 1 certified. Also, they might use TEMPEST-certified shielding to stop the circuits themselves from emanating secrets. Both of these are illegal to sell to the public or even to tell how they work.

Good news is that there's no law against using it if we figure it out and do it ourselves: nobody with a clearance and no use of classified data. Most aspects of rigorous design at software level are public and some hardware stuff too. Academics and hackers are just learning EMSEC, which puts us decades behind. A COTS system could be designed with existing knowledge of security and electrical engineering to stop many threats. You might even be able to put most of it in one chip seeing defense contractors have.

This is one of my biggest ways of arguing that NSA deliberately leaves us insecure. The Russians and Israelis use EMSEC attacks. Many are bypassing existing VPNs and crypto. NSA and defense contractors have stuff that resists much or all of that. Yet they ensure we can't have it and even encourage the use of insecure alternatives. Such behavior is a serious part of our cybersecurity problem.

BillyMay 10, 2015 7:08 PM

@ Andrew Wallace
"I believe the biggest threat is not corporate or government but that of organised criminals yet it is not talked about as much."

It will be talked about when there's an incentive to report. Apparently, there is no added value to such reporting. The media, like most, is a business.

"It is better that all departments within the organisation are working together in an open plan office space than breaking up departments within the organisation and sending them off to separate buildings."

Ever heard of video conferencing?

Andrew WallaceMay 10, 2015 7:18 PM

Billy,

Is there any secure video conferencing left for the government to use? Just about everything is broken or gets broken.

Andrew

JustinMay 10, 2015 7:20 PM

@Andrew Wallace, regarding your first comment:

Bruce says here he wants mass surveillance powers given to the FBI as a form of population control.

I think you're taking Bruce way out of context here. I think his point in that video was that a military agency has no business conducting mass surveillance of its own country's population -- that is the job of the police. You said in another post in another thread that Bruce appears anti-NSA, but pro-FBI. That may be true: he has advocated breaking up the NSA, but I don't think he has advocated breaking up and disbanding the FBI. On the other hand he certainly doesn't agree with everything James Comey asks for as head of the FBI.

The sad part is that these agencies can't seem to respect the rights enumerated in our Constitution's Bill of Rights. People fought and died for those rights, and they just aren't respected anymore. They have over time been chipped away by the judicial branch of our government, trampled on by the executive branch, and ignored by the legislative branch. My hope and prayer is that our country would return to those principles it was founded upon, and that every one of those rights enumerated in the Constitution would be respected for everyone.

Clive RobinsonMay 10, 2015 7:32 PM

@ Bob S.,

Is it against the law to have secure hardware?

If you are in the US the simple answer is yes.

In other jurisdictions it depends; for instance, in France encrypted comms were illegal for many years.

Securing hardware is not difficult as a theoretical process; however, getting it right practically is a very different matter.

If you go back far enough on this blog you will find a number of conversations between @Nick P, myself and several others covering all sorts of practical issues, including "dead man's switch" crypto KeyMat erase and thermite equipment destruction, and how to securely destroy CDs/DVDs in microwave ovens. I also once gave a very long list of TEMPEST / EmSec considerations, and occasional updates as previously secret methods became publicly obvious.

The thing is, most design rules are "rules of thumb" not "laws of nature", and you need to understand the "why" to use them effectively.

For instance, "always clock the inputs and the outputs" and "always fail hard and long on error" appear odd until you realise they are there to stop any given system block being transparent to covert channels, in either the forwards or, more importantly, the backwards direction.

Why is backwards more important, well it's because you can inject faults at the output and get them to work back into a system and make a new covert channel where none previously existed.

Few security designers get taught basic TEMPEST, which is mainly for passive attacks. Even fewer get taught the more general EmSec, which includes a limited amount of information about accidental active attacks involving EM carriers getting cross-modulated. If any get taught about the active adaptive fault injection attacks I and one or two others pioneered back in the 1980's against microcontrollers etc., it will surprise me, as it's fairly obvious the likes of the NSA's TAO don't want that knowledge out there: they view it as one of their "golden eggs" and they don't want you changing the goose's diet so it stops laying the "pure gold" they have become addicted to.

As I've indicated in the past much of such design is actually common sense and can be worked out from first principles by an enquiring mind that can "think hinky".

The biggest hurdle to get across first is "not being efficient": efficiency opens up high bandwidth channels that can be used to hemorrhage information via time and power side channels. However, the problem is not just being inefficient, as that solves nothing; the trick is being "constructively inefficient" where it matters, and that requires a lot of knowledge that few have ever considered. One such piece of knowledge is knowing about transducers and their characteristics. Transducers by definition convert one form of energy into another; few people realise that in general they are bidirectional. That is, a motor can also be a generator, a speaker can also be a microphone, and a light emitting diode a photodiode.

But what about inductors? Few modern design engineers realise that they also act as both speakers and microphones. Older engineers realised that RF oscillators would act like radio mics, where free-wound coils fractionally changed their inductance, and thus the oscillator's frequency, due to mechanical vibration. Their solution back then was to pour wax on them to damp out the vibration. But very few engineers realise a couple of other things. Firstly, that inductors with cores cause the cores to vibrate due to magnetostriction, thus they act as speakers. Secondly, the cores in many inductors change their permeability under the influence of a magnetic field and thus affect the current flowing in the coil. This can cause a changing magnetic field to change the inductance, which will therefore modulate the current, and if the current is oscillating it can cause the waveform to be distorted and thus change the harmonic content. Finally, consider that the inductor can be considered either the input or output winding of a transformer; this opens up all sorts of possibilities for a creative attacker.
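The "constructively inefficient" point above has a software-level analogue that can be shown without an oscilloscope: the early-exit comparison. What follows is an added example, not code from Clive's post. It uses a count of byte comparisons as a stand-in for elapsed time, a secret I constructed for the demonstration, and an attacker oracle of my own design (recover_secret_by_timing) that sees only that count plus the accept/reject result. Real measurements are noisier, but the shape is the same, which is why `hmac.compare_digest` exists.

```python
"""Early-exit versus constant-time comparison, instrumented to count work.

Added example, not code from the original thread. The work figure is the
number of byte comparisons each routine performs, a proxy for elapsed
time on real hardware. The secret and the attacker model are constructed
for the demonstration.
"""
from __future__ import annotations

import hmac


def early_exit_equal(a: bytes, b: bytes) -> tuple[bool, int]:
    """The 'efficient' MAC/token check: stops at the first mismatch.
    Returns (equal, number_of_byte_comparisons)."""
    if len(a) != len(b):
        return False, 0
    ops = 0
    for x, y in zip(a, b):
        ops += 1
        if x != y:
            return False, ops      # work done reveals how long the matching prefix was
    return True, ops


def constant_time_equal(a: bytes, b: bytes) -> tuple[bool, int]:
    """'Constructively inefficient': always touches every byte and folds the
    differences with OR, so the work (and the timing) does not depend on
    where the first mismatch is."""
    if len(a) != len(b):
        return False, 0
    diff = 0
    ops = 0
    for x, y in zip(a, b):
        ops += 1
        diff |= x ^ y
    return diff == 0, ops


def production_equal(a: bytes, b: bytes) -> bool:
    """What to actually use: the standard library's constant-time compare."""
    return hmac.compare_digest(a, b)


def recover_secret_by_timing(secret: bytes) -> bytes:
    """Attacker model (constructed): submit guesses, observe the work count of
    early_exit_equal() and the accept/reject bit. Recovers the secret one
    byte at a time, because the guess that extends the matching prefix is
    the one that makes the comparison do more work. 256 * len(secret)
    queries instead of 256 ** len(secret)."""
    guess = bytearray(len(secret))
    for pos in range(len(secret)):
        best_byte, best_ops = 0, -1
        for candidate in range(256):
            guess[pos] = candidate
            equal, ops = early_exit_equal(secret, bytes(guess))
            if equal:                       # last byte: the accept bit finishes the job
                return bytes(guess)
            if ops > best_ops:
                best_byte, best_ops = candidate, ops
        guess[pos] = best_byte
    return bytes(guess)


def constant_time_leaks_nothing(secret: bytes) -> bool:
    """Same oracle against constant_time_equal(): every wrong guess costs the same,
    so the per-byte search has nothing to rank candidates by."""
    costs = set()
    for candidate in range(256):
        g = bytes([candidate]) + b"\x00" * (len(secret) - 1)
        _, ops = constant_time_equal(secret, g)
        costs.add(ops)
    return len(costs) == 1


if __name__ == "__main__":
    secret = b"\x00\x7fZ\xffk"       # constructed sample, includes 0x00 and 0xff edges
    print("early-exit recovers:", recover_secret_by_timing(secret) == secret)
    print("constant-time gives the attacker nothing:", constant_time_leaks_nothing(secret))
```

The same reasoning carries over to the hardware case Clive describes: any operation whose cost depends on secret data, whether it is a loop that exits early, a cache line that is or is not fetched, or a multiplier that takes a different number of cycles, is a transducer from the secret into a side channel, and the fix is to spend the same work regardless of the data.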

ThothMay 10, 2015 7:32 PM

@Nick P, Bob S, rgaff
The ability to construct a red-black separation core is another step towards a much more assured security chip, and what Nick P and I meant by assurance is that you know very well that if the black part of the chip (the public input portion) is compromised, the red part (the sensitive crypto core) is still safe, due to technology in place to ensure the secrets are safe.

The traditional way of building and designing crypto-chips assumes that the chip and its OS and software, in one core or multiple cores, are all secure and that there are no other physical attempts within the chip to get inside it.

If you observe the smartcard chip pins (ISO 7816), there is no clear definition of black and red input and output pins to the chip. If you observe the block diagram layout of the AIM series of chips used for Type 1 equipment (http://www.gdc4s.com/documents/products/embedded/aim/gd-aim-w.pdf), they have a PT pair and a CT pair, which are the Plaintext and Ciphertext handling zones. This is a clear definition point of red-black separation. Simply put, the red segment is securely segregated on the chip physically by some circuitry means (probably even a chip-level data diode of sorts) so that if the black segment of the chip (which allows public input, where attacks can originate) is compromised, it can be dealt with without endangering the red segment.

This kind of eggs-in-compartmentalised-baskets approach ensures better chip-level security, and recently more crypto-chips are coming onto the market with multiple cores and self-checking, like Infineon's.

Andrew WallaceMay 10, 2015 7:58 PM

"Willie • May 10, 2015 7:23 PM

PS and do please check out my url!

lol.. are you nuts"

I was suspicious when he said that :)

Andrew

65535May 10, 2015 10:23 PM

“It is the statutory duty of the Police and NCA to detect and deter crime and to use every tool at their disposal as part of that.” – A. Wallace

You indicate it is legal and ethical “…To Use Every Tool at Their Disposal…” including IMSI catchers at every corner. That is an Extremist position.

Why stop there? I guess you think Brass Knuckles, Blackjacks, Water-boarding and Rendition are legal ‘tools’ at their disposal.

If not, where do you draw the line between said “tools” and personal rights in the Magna Carta and other UK/EU laws developed over the years?

Nick PMay 10, 2015 10:36 PM

@ name.withheld

Thanks for the reply and giving well-articulated reasons for using the reference. The brief part of the clip I watched showed it would be long and was in the rhetoric-heavy style Jones uses. Disturbing, but survivable if the sources are OK. I'll watch the whole thing in next few days when I have time to spare.

@ all
re Alex Jones

Project Censored has a nice article on him here. The amount of damage he's done to real work on exposing corruption is incalculable. I know so many young hackers/activists with the right skills to take action that are wasting their time on diversions he created. Even if you're using articles focusing on links/evidence, be sure to watch out for his tactic of picking just the links that support his view and ignoring anything else. It's almost better to make your own presentation or video with whatever solid sources he cites. His stuff will be more popular but at least yours won't be derailing needed focus.

@ Thoth

Good summary of my post and additions.

BuckMay 10, 2015 10:52 PM

@name.withheld

Pasha and Kayani were responsible for ensuring that Pakistan's army and air defence command would not track or engage with the US helicopters used on the mission.
...the goal was to ensure that no stray Pakistani fighter plane on border patrol spotted the intruders and took action to stop them...
Too many people in the Pakistani chain of command know about the mission. He and Kayani had to tell the whole story to the directors of the air defence command and to a few local commanders.
I sure do hope that most other governments are at least as honest with their military watchers! Such a shame that border patrol has to be lied to and have their resources wasted so...

(Full Disclosure: I absolutely agree with what @Andrew Wallace has to say about Alex Jones)

Nick PMay 10, 2015 11:00 PM

@ Buck

"Full Disclosure: I absolutely agree with what @Andrew Wallace has to say about Alex Jones"

Me too. Unfortunately, statements such as that are a hook to keep people's attention for the derailing that makes up the majority of his posts. A classic trick that existed long before the Web.

BuckMay 10, 2015 11:15 PM

@Nick P

Agreed! However, one must present a reasonable argument once in a while to remain relevant ;-) We all do it...

rgaffMay 11, 2015 2:18 AM

@ Buck

"However, one must present a reasonable argument once in a while to remain relevant ;-) We all do it..."

lol so true... sometimes I stop mocking long enough to do it too :)

Michael And Ingrid HerouxMay 11, 2015 2:37 AM

@Nick P

"Me too. Unfortunately, statements such as that are a hook to keep people's attention for the derailing that makes up the majority of his posts. A classic trick that existed long before the Web."

Of course, I think Andrew Wallace is posting with a few different IPs from a few different providers on a few different devices, talking to himself with a few different usernames. hehehe

S. SmithMay 11, 2015 3:52 AM

"Na! I seriously doubt it; they collect cite metadata, tops ;)" -Wael


why of course... ya gotta buy the book to get the data!

The Nameless OneMay 11, 2015 6:55 AM

Willie • May 10, 2015 7:23 PM
PS and do please check out my url!
lol.. are you nuts

Har har har har.... the link https://www.youtube.com/watch?v=_aAyEPi2vVI

Though, I suppose, the linking directly to fbi and cia papers on deep cover systems, mixed with that may be in poor taste.

And, yes, the FBI has been doing undercover - and even specifically anti-terrorist - work since its founding. The terrorist problem is not new. It was very big at the turn of the last century and well into the 1920s. Besides that it has popped up here and there since.

There is an enormous gap between law enforcement and intelligence work, and a huge gap between intelligence work and counterintelligence work... and yet another huge gap with counterterrorism work. Yet, it is amazing to see how often agencies just dive right in, thinking it is all basically the same thing. They would not even start flipping burgers at McDonald's without training, so what are people thinking? That they have seen enough of it all on television to know what to do?

The biggest news story this week on related news is:
http://boingboing.net/2015/05/10/what-did-the-courts-just-do-th.html

Which is another excellent write up, this one taking the seasoned EFF's viewpoint.

This is a big win.

Needless to say, almost. And this article has some very poignant ways of putting it. It is absolutely anti-constitutional to be surveilling everyone. When there are legitimate terrorist threats, they will speak; communication is necessary for political and religious movements like that. You cannot go more against the law than by breaking these sorts of laws in the US. The Founding is all about being wary of governmental corruption.

When the populace sees the government breaking such core laws like these, they are encouraged to commit crimes their own selves. This and the torture and rendition systems must go. The financial crisis and the Iraq war were bad enough. Combine all of that with a president who rode in on a platform of positive change and did nothing? You end up in a very bad situation.

name.withheld.for.obvious.reasonsMay 11, 2015 7:13 AM

The following debate, Nye and Ham engage in a nearly proper Oxford style event, and is a great example of the series of arguments and disclosures that occur on Bruce's blog site from time to time. More than once I have expressed my complete appreciation of Bruce's generosity, patience, and attention when it comes to providing a forum for security experts and the like. The infrequent abuse of his generosity is obvious and can produce a venom that is poisonous to the topic or to a greater understanding. Squelching uncomfortable and disagreeable speech cannot be allowed to drown out the voices of those least heard. But I digress, the issue here is how to engage or maintain a complex problem space and avoid focusing on the "personalities" and not the issues or challenges.

The value of reasoned discourse cannot be overstated and the fact that others test the normative function of advocacy and/or debate (aka Skeptical, Wallace) is important. I will always advocate the right of persons to make, express, or challenge topical subjects in a respectful and intellectually honest manner. The Nye/Ham debate is so troublesome that it is difficult to watch--it takes a deliberate effort to view/review. I have challenged individuals to test their scientific bona-fides, watch the debate end-to-end and make useful observations. All that have seen it have become highly emotional as the debate is derailed frequently by rhetoric, devices of language, and the misuse of scientific principles. Both participants fail, for different reasons, to make competent arguments, and this demonstrates that the debate does little to advance the topic(s).

To see how debate

AW scepticMay 11, 2015 8:02 AM

I think AW is just a very souped up version of ELIZA. Got all the hallmarks.

WaelMay 11, 2015 8:26 AM

@Thoth,

I already have a few smart phones with more processing power :)

AlanSMay 11, 2015 12:19 PM

Hersh story in London Review of Books (link provided by others above). White House and CIA claim Hersh is talking nonsense. Not sure they are in any position to win the credibility game at this point.

Hersh ends with:

High-level lying nevertheless remains the modus operandi of US policy, along with secret prisons, drone attacks, Special Forces night raids, bypassing the chain of command, and cutting out those who might say no.

Seems about right.

WaelMay 11, 2015 12:22 PM

@S. Smith,

why of course... ya gotta buy the book to get the data!

That, I am sure they will ;)

egadMay 11, 2015 1:59 PM

Does the Postal Inspection Service do any sort of penetration testing, or is it easier to just outsource that function to crooks?
I can think of situations where authorities' assumption of others' good faith might leave humans open to attack.

The NamelessMay 11, 2015 6:50 PM

@Alan S

I saw that, but have to wince on the lecturing spies about lying. That is a big part of what they do. Call it whatever you will, and there is a line.

But rendition, torture should be gone. Drones are already moving to the Pentagon.

I do not think all domestic spying should be gone. There will always be a need for counterintelligence and counterterrorist spying domestically. But there should be targets. Not everyone should be spied on all the time and that information retained forever. FBI, CIA, NSA will continue to be involved in these matters.


AlanSMay 11, 2015 7:13 PM

@The Nameless

True, spies lie but not always or there would be no point. However, they've been caught doing it so many times recently their claim that they are not in this case isn't very credible. And in this case the story is as much about Obama and the White House lying as the CIA.

No idea what the truth is in this case but know who I don't trust.

AlanSMay 11, 2015 7:18 PM

@The Nameless

I think the more interesting part of the story, assuming it is accurate, is not so much the lying as their incompetence. That's quite believable.

J on the river Lethe May 11, 2015 8:10 PM

This kind of click bait bugs me. Like a recent U.K. story about an asteroid.

http://www.washingtonpost.com/blogs/innovations/wp/2015/05/11/quantum-computing-is-about-to-overturn-cybersecuritys-balance-of-power/

I really feel these people should be made to sit in corner timeout for a period of reflection and self examination. I expect such things for celebrity pictures but not my science or computer articles.

Question? Wouldn't it make sense for them to keep an eye on security experts. Free research maybe? Contract out without paying for it. Kinda drips with irony when you think about it. Naw. Not a chance.

Nick PMay 11, 2015 8:35 PM

@ J

It's annoying but their goal is to get clicks. That's their job and that's what people read apparently. Those promoting realistic information rarely get attention at all. Reinforces the annoying option more. Once again, I blame readers' preferences and/or human nature.

Note: That you linked to it ensures it will get more views and maybe rewards. Ironic, eh? :P

The NamelessMay 11, 2015 11:15 PM

@Alan S

Yes, I strongly agree. But then I tend to see such things as 'like an illness'. How can it be corrected? How can it be avoided? What are the underlying causes?

Army ants self correct very well when tackling new problems which require many to do so. Americans make excellent technology and art, problems which require many to work together very well to do so....

So why these colossal points of failure? Besides just "hubris"... why?

rgaffMay 12, 2015 12:37 AM

@ The Nameless

"So why these colossal points of failure? Besides just "hubris"... why?"

Because people in general are not inherently good. That's why we can't by default wholeheartedly trust strangers, for example.

rgaffMay 12, 2015 3:45 AM

Sure, because we all know that Microsoft is the one to build the safest stuff... just like how they altered Skype to be MITM'ed by the NSA, and they put keyloggers and such things in every computer... See these prison bars? they're for our own good, of course.

The NamelessMay 12, 2015 7:13 AM

@rgaff

Putting evil in terms of incompetence is simply being more specific. This is necessary to get acknowledgment of the error and to fix the error, both personally and corporately. It is also useful in terms of visibility, such as we would want here, where we do not have the capacity to get acknowledgment of the errors or fix them.

A difference between, say, making "Avengers" movie, and coming up with solutions for dealing with terrorism - such as drone strikes and rendition and torture have involved - are many in terms of figuring out where the failure points are. The same could be said with comparing making that movie versus planning for the invasion of Iraq, or figuring out how to rebuild Iraq.

Not saying the Avengers movie is good, I have not even seen it yet, but the point is that the special effects are said to be very good, and the production value was well presented.

Why can groups do that, and yet similar groups from the same society can engage in such colossal failures such as the financial disaster of 08, the Iraq War, or putting in terms of failures instead of just "bad"... the systems of "rendition", "torture", and "drone strikes".

Ultimately, you have to get at the details, but the hubris, or pride, does stand out. Something else which stands out: there are no solid feedback loops, like what you have in the movie industry. If a movie fails, there is a lot of cost involved for those who made it. But in these situations, failure often was a cost the people involved did not have to pay.

And they knew this going in. They did not have to be right. Even if they were wrong, they felt they could get away without paying the consequences of the mistake.

So, the system itself is broken, and one can look at that to see many "reasons why". A major one is that they are operating as if their work should be like magic, when, in fact, it should be treated more like a science or carefully thought out art.

Lack of proper thinking, then, is a common trait.

Poor and absent reasoning.

Not idiots incapable of reasoning or planning, but instinctual creatures operating by base instincts instead of operating like human beings with the capacity to logically plot out events.

A systematic problem of overestimating the capacity of one's own self and fellows before engaging in projects is another conclusion one can come to. But more specifically assuming that one's capacity is of a near magical bearing or that instinctual behavior is of nearly the same substance as reasoned out behavior.

ZenzeroMay 12, 2015 9:52 AM

Any bets on the UK not reintroducing the Snoopers charter now the conservatives are settling in. Given that Theresa May has been reappointed home secretary I think it’s inevitable. I don’t think I will be taking that bet.

In other news:
Russia and China sign a cyber-security pact
https://nakedsecurity.sophos.com/2015/05/11/russia-and-china-sign-cyber-security-pact-vow-not-to-hack-each-other/

Gulf nations want a cyber-security pact with the US
http://thehill.com/policy/cybersecurity/overnights/241696-overnight-cybersecurity-gulf-nations-want-cyber-pact-with-us

Unfortunately for the “little people” out there, this means absolutely nothing, but the NSA will get more data to ingest into XKeyscore

Countries will still censor, countries will still try to hoover up as much private information as they possibly can, countries will still spy on their own people in the name of “security” and “defence” and lie to their populations about it.

AlanSMay 12, 2015 9:55 AM

@The Nameless

Failure, it seems to me, isn't their problem, quite the contrary. The system thrives on failure. It needs crises (real or manufactured) to justify risk management which in turn justifies expansion of the political/security apparatus, which in turn creates more crises and more expansion. The whole point is that the apparatus isn't accountable to the public or constrained by law because states of exception exist outside the norms of liberal democracy.

AlanSMay 12, 2015 10:05 AM

@Zenzero

Haven't they already said they would reintroduce the snoopers charter? They've also said they are going to abolish the Human Rights Act but there are complications in them doing that because it intertwines with the Scotland Act (among other things).

The NamelessMay 12, 2015 1:36 PM

@Alan S

Failure, it seems to me, isn't their problem, quite the contrary. The system thrives on failure. It needs crises (real or manufactured) to justify risk management which in turn justifies expansion of the political/security apparatus, which in turn creates more crises and more expansion.

Yes, that raises a good point. There is always a reason for behavior, even if that behavior might be called a failure under one perspective.

What strikes me about these sorts of actions (the Iraq War, the horrible efforts at reconstruction in Iraq, rendition and torture, drone strikes, etc) is they are like crass, animalistic moves which assert dominance.

What is ironic is that a lot of thinking went behind much of the technology, and many of the leaders are well trained.

There is always a reason for even instinctual behavior, but that does not mean that sort of behavior is wise to engage in. Usually, we have to pull back from instinctual behavior, and consider wider reaching ramifications before acting. This is, for instance, what often separates people who commit criminal acts from those who do not.

Operating on that level is a very good way to get one's self destroyed. It tends to be the primary way to manipulate criminals, and definitely makes for extremely bad chess players.


AngelMay 12, 2015 3:33 PM

Jeffrey Sterling case... looks like a good article on his case:

http://www.thenation.com/article/181919/government-war-against-reporter-james-risen

But neither Risen nor Sterling had anything to do with the serious damage to sources and methods in Iran that the CIA actually suffered during the Bush years. Rather than being caused by journalism or whistleblowing, that damage was entirely self-inflicted. In 2004, an officer at the agency’s headquarters in Virginia mistakenly sent data to an agent that “could be used to identify virtually every spy the CIA had inside Iran,” Risen reported in his book. The mistake morphed into spook disaster when it turned out that the supposed CIA agent on the receiving end was a double agent.
For nearly four years, the Obama administration has been on record with the broad claim that whistleblowing to inform the public is apt to be worse than spying to aid a foreign power. In a January 2011 brief against Sterling, the Justice Department declared that his alleged disclosures “may be viewed as more pernicious than the typical espionage case where a spy sells classified information for money.” That stance implicitly views the people of the United States as a potential enemy force to be deprived of key information, and whistleblowers as hostile agents.
To date, the Obama administration has charged nine people with violating the ninety-seven-year-old Espionage Act—far more than all other administrations combined. But those numbers tell only part of the story. In recent years, many whistleblowers have endured Espionage Act investigations and other coercive measures short of actual prosecution. Such legal actions are part of an approach that sees investigative journalism in the national-security realm as a dire threat.


BuckMay 12, 2015 5:26 PM

I'm just gonna leave this here:

At some point, a new crossroad will be reached. There will be outsiders who communicate in ways that exceed the parameters of the State's algorithms.
Which is to say, what these people transmit and receive will be picked up and stored, but what it means will be a puzzle.
Why? Because they will be working with new languages whose terms move beyond, for example, the acceptable and known spectrum of human emotions.
Such emotions would be referred to through metaphor or through symbols that can't be translated down into ordinary languages.
At that point, the spying agencies will decide their limited algorithms should do more than interpret meaning: their formulas should govern and dictate what kind of communication is permissible.
https://outsidetherealitymachine.wordpress.com/2015/05/11/the-cosmic-surveillance-state/
Interpret it as you please! ;-)

The Nameless OneMay 12, 2015 5:53 PM

NSA Top Pundits Making Big Mullah from NSA
https://firstlook.org/theintercept/2015/05/12/intelligence-industry-cash-flows-media-echo-chamber-defending-nsa-surveillance/

Not exactly news, considering how flagrantly Clapper, Alexander, and every other pundit I have seen has ties to defense contractors and clearly receives considerable money from them -- heck, Cheney helped lead the US into war against Iraq claiming Iraq had Al Qaeda ties, was behind 9/11, and on the verge of nuclear weapons, while openly having deep ties to the company that would profit the most from that invasion, Halliburton. People accept this stuff. But, the article is a good read, anyway, helps put these folks in context for the naive.

--

This following story is even more interesting. Looks like NBC is just reporting it, from a Seymour Hersh claim, though the following article is about how it was broken in 2011 by a less famous name (and so apparently ignored because of that).

https://firstlook.org/theintercept/2015/05/11/former-professor-reported-basics-hershs-bin-laden-story-2011-seemingly-different-sources/

Bin Laden was killed by Navy SEALs on May 2, 2011. Three months later, on August 7, Hillhouse posted a story on her blog “The Spy Who Billed Me” stating that (1) the U.S. did not learn about bin Laden’s location from tracking an al Qaeda courier, but from a member of the Pakistani intelligence service who wanted to collect the $25 million reward the U.S. had offered for bin Laden; (2) Saudi Arabia was paying Pakistan to keep bin Laden under the equivalent of house arrest; (3) Pakistan was pressured by the U.S. to stand down its military to allow the U.S. raid to proceed unhindered; and (4) the U.S. had planned to claim that bin Laden had been killed in a drone strike in the border regions of Afghanistan and Pakistan, but was forced to abandon this when one of the Navy SEAL helicopters crashed.
The Intercept cannot corroborate the reporting of either Hillhouse or Hersh, or their statements about the sources for their articles, nor can we rule out the possibility that Hersh’s sources based their beliefs on Hillhouse’s writing. In reporting that appears to back up major elements of that of Hillhouse and Hersh, NBC today asserted that a Pakistani intelligence officer “walk in” told the CIA about bin Laden’s location in the year before the raid on his compound.

http://www.nbcnews.com/news/world/pakistanis-knew-where-bin-laden-was-say-us-sources-n357306


Hersh's story:

http://www.lrb.co.uk/v37/n10/seymour-m-hersh/the-killing-of-osama-bin-laden


The NamelessMay 12, 2015 6:42 PM

@Buck

Interesting links.

I have not read everything there, but some. I watched Inception this weekend, which reminded me of how it referred to such things. I was told about Inception coming out as it would be 'bigger than the Matrix' on the job. I suppose it was, in some ways. It clearly uses strong hypnotic techniques within it, especially Erickson's layered metaphor technique. Basically, mass hypnosis right there.

(The layered metaphor technique is essential for Ericksonian 'conversational hypnosis'... how much more so capable via such amazing cgi?)

But what is the end message put through that? Perhaps something to do with giving up something one would definitely not want to give up? Perhaps investments or inheritances? Perhaps, ultimately, about investments we make, psychologically and emotionally, into the framework of understanding we have of "the world", ie, everything 'out there' and how everything is perceived?

Morpheus was always an interesting name for a character to me, because the Sandman was such a key figure in this modern bridge about reality... maybe a bridge from here to somewhere else, in popular consciousness. Via fictional mediums.

It started out relatively small, in tiny-ish doses, with concepts like Sandman by Gaiman, the initial Total Recall... 98 on saw a strong surge with the Truman Show, the Matrix, the 13th Floor, Dark City... been going strong ever since, so now there are shows constantly on dealing with reality - and the perceiver of reality, the identity, the self, the main character - as being 'not as they seem'.

To argue that there is nothing coordinated there, that there is no bridge being built, I think would be slow and blind. But, by whom, and why? Perhaps it is just the collective unconscious awakening and speaking out towards a new birth, age, and moment of birth far greater than the mere word "evolution" implies? Transcendence? Transformation? Transfiguration? Ecstatic Rapture? Change.

Hacking and computer security definitely are at play here. Just a few decades ago, trying to conceive of the sorts of virtual worlds we now have as so trivial, they are a dime a dozen at the local shops... would have been near incomprehensible. We can now understand the concept of how such juvenile gaming technology from such an infant of a technology area can create such worlds, manage them, run them... who is to say that we are first and we are last in such endeavors?

That is, that maybe not all of this is not "words" being created for language to reach out from the nethersphere into our world, so we may grasp the beginning of understanding as a bridge leading us to somewhere.... inexplicable, unexplainable?

But, finally, to stay on topic... how does all of this relate to surveillance, computer security, cryptography, hacking? Because, perhaps...? Perhaps these concepts and this very field of "information technology" is the spiritual tie in to the reality of our very flesh... after all what is DNA itself but long strings of information... a bridge, somewhere in here, perhaps, between the golden flask of eternal life via just information? ... and between the rotten flesh spinning away so many strands of ancient stories it reads therein, like countless unwinding scrolls breaking off the corpse of the flesh into sunlight flesh?

A bit of poetry in there. I hope it is not mistaken for our random speaking interlocutors.


TNO

BuckMay 12, 2015 10:07 PM

@The Nameless

I didn't care so much for Inception, but I can still appreciate it for what it was. I saw Interstellar for the first time about a month ago, and I was very impressed... It's amazing what can be accomplished with a good script and some special effects!

I don't think we're straying too far off topic; over on another thread, @Bystander just posted a link to an excellent example of what can be done with a terrible script if you lay down $250 million dollars for the special effects! ;-)

My Name Is NobodyMay 13, 2015 2:54 AM

@Buck

I don't think we're straying too far off topic; over on another thread, @Bystander just posted a link to an excellent example of what can be done with a terrible script if you lay down $250 million dollars for the special effects! ;-)

One aspect of all of that is differentiating access: there has to be good information access control. Key aspects of that, "authentication" and "authorization". Authentication acknowledges the identity, authorization details trust of the identity for dispersal of information.

Cognizance of adversity is a major factor in these considerations. One reason why nobody speaks of "Inception" as being malicious propaganda - even if I might point out that it uses manipulative processes detailed in ericksonian hypnosis - is because it also continues that theme through out of potential adversities and adversaries.

"Hypnosis", it should be noted, is just a word. Very little is understood about the concept. What we do understand comes from what study we have performed. There is, on the subject, like many subjects - certainly like with hacking, information security, conspiracies, health, living longer - much disinformation. Taking in to one's core wrong information is like eating poison.

You could end up a mindless zombie of some political agenda, or some religious agenda. A corpse by the wayside, a useful idiot. No means richer, no means wiser, and all because you did not take to heart diligent information security concerns. Finding the right information, moreso, the right information streams.

System level access, direct conduits to The Unconscious, Root... requires strong access controls against disinformation -- the buffer overflows, sql injection, cross site scripting, and other security vulnerabilities of the soul scape. Mind and heart.

Inner person, beyond the flesh.

So, far more dangerous than mere untrained thieves as a concern, are nation state level adversaries intent on bringing into the corporate mind meld, the Borg, all who dare try and eject from their Matrix, the World.

But? On the other hand, there can be individual hackers who are very skilled and have the capacity for near nation state based level sophistication. Still, what we look for in terms of sophistication is with a very strenuous eye, sophistication far beyond what we see "out there". Sophistication that can truly prolong life and lead to a far better place.

Sophistication of product far beyond that possible even for all of the first world countries and the height of their most secret technology put together. Because you know they do not really have aliens doing their bidding at Roswell. As their pictures well show, they are not on the road to living forever. Those are not disguises. And if there is any doubt, even a cursory glance at their words and actions prove it. Because people can judge by that standard, contrary to how scammers would proclaim.

A big problem remains: if they are not in control, then who is? Nobody offers anything for free in this world. We do trust doctors, we do trust nurses, we do trust cops - in some situations - we do trust even politicians in some situations. If information streams exist which prolong life, like rewiring the dna - not material food, but informational food, genetic splicing, the holy grail of words, an 'informational' 'live forever' pill - what is the cost? What is the price? And why must it be so secretive, why so hidden, why so well guarded?

We trust bus drivers, airline pilots. We trust airport security, to a degree, to a certain degree we trust our fellow people.

The Fountain of Youth, the Holy Grail, the Green Eggs and Ham of hidden informational streams. Like a network one finds and hooks into. A good metaphor is depicted by the wise Daniel Suarez, in Daemon and Freedom. Wear certain glasses, for instance, and see the virtual overlay across reality as designed by an all too loving but gone - not here - master software designer.

On global conquest. Taking over the world. Smashing the powers of the nations like an iron rod against clay pots.

What a horrific thing to say? Anarchy? Communism? No. To not be less disturbing.

Like "Fight Club", where our spiritual inner person awoken in shared dream space does 'what must be done' when we can not do it? Ultimately freeing everyone from the mountains of debt they have piled up, zeroing their credit entirely? Freedom from debt. Forgiven.

Access control with the nations is something quite different from access control with individuals. Individuals get hacked with low level script kiddy tools day and night. Getting some access control with root/system level access of a nation is one thing. They don't go and join the Davidians or start fishing with the Kingdom's Gate, or even into Multi-Level Marketing Ponzi schemes. But we surely saw nations get hacked by sophisticated attackers in the last century, with open source doctrines and well worked out, peer reviewed hacker code written by Nietzsche and Marx and even Paine. Spurious sources, perhaps well meaning, but used for clearly malicious purposes.

Now we see full well information control, information security, is not just with poorly secured third world nation systems, but also right here in the first world where the big, glossy technology resides. Even well written code like that by Washington and Jefferson and Paine has severe security holes in it.

But ultimately, there remains confidence. There are a lot of checks and balances, and the diversity of global systems is key. You can't get together Mac OS X, Linux, Unix, Android, Windows, on and on and on, warring political code schemes and religious schemes, and union them altogether. New code does not just come from anywhere, new technology does not just appear in a day. Aliens are not arriving to reboot the planet, and if they are? They would be well warded against.

Then again, unless they are us, already here, not 'seen as coming down from the sky', but 'within' and 'among us' already. Who kept diversity of code culture for security purposes, instead of a monolithic, 'hack everything with one virus' system. Any great work, after all, is kept hidden while in progress, like Michelangelo, hid the Sistine Chapel painting. You sweep away the curtain at once, you pull off the band aid quickly.

The bridge is built, but unconscious, unaware, secretive, then is expanded outwardly. Change is traumatic. Going into an operation, in the operation, anesthesia is used. Your foot, your legs, your body does not get scared. Your mind does. It happens in sleep, the big problem is resources for rest and change, healing afterwards. But the technology is in place, like the hospital is where the patient finds their self. If they are nervous about that, there is anti-anxiety medication also designed and ready for them.

So, there is code for you.

For anyone. Maybe just for myself. Are modern hospitals more persuasive to us than old shaman doctors? Depends on the context. We are cautious, seasoned buyers of sophistication, with good eye against counterfeit information. Wary against poisoned bread. But armed with endless fish and loaves.

Constant TeenMay 13, 2015 3:35 AM

Many good security articles and news this week, besides the more unusual fare.

Excellent article at the often informative Atlantic, "Snowden Vindicated", on the recent court decision throwing down the hammer against the wrong headed mass domestic surveillance program, finally stating it was - as we have known in the industry all too well - wrong, illegal. Dishonest, abusive use of the language of the law. In deep contempt of the constitution:

http://www.theatlantic.com/politics/archive/2015/05/the-vindication-of-edward-snowden/392741/

Clive RobinsonMay 13, 2015 6:14 AM

@ Constant Teen,

The Atlantic article you link to did not mention an important fact the US Gov has not wanted brought up...

The study of 20th Century history shows there was a problem after WWII, the US wanted to "hang em high" anyone involved with the Nazi Party and more specifically those that had carried out what most would consider inhuman actions against civilians etc.

There was however a problem, which was those that had carried out these actions had carried them out on the orders of those above them. It was up to that point an allowable defence as not carrying out orders was mutiny for which the penalty in war was summary execution.

So the US decided to retrospectively change the rules to "lawful orders" and so the executions started and the hangman kept busy.

However there is a problem, how do you decide what is lawful and what is unlawful, and are you sufficiently fit and informed to make that judgment. The answer, as we have seen, is nobody is; courts sway their opinions on argument and supposition as to state of mind, which usually is prejudicial in the favour of the prosecution.

George W Bush under Presidential authority declared the US to be in a state of war after 9/11, and this is still in effect.

This put the US Federal authorities on a "war footing" where disobeying orders is "mutiny"...

Because of US insistence on "lawful" the seniors in the NSA etc have had to declare that their orders were lawful to avoid war crimes charges against them and all those downwards in the chain of command.

This court decision is thus very awkward because many in the NSA and other US Federal agencies have whilst in a state of war followed what have now been pronounced unlawful orders that they should not have followed...

Thus they are war criminals and can be tried at an international tribunal and if found guilty could still face either the death penalty (because the US has not revoked it) or life in isolated imprisonment (similar to what the US has implemented in select prisons).

It's all a bit of a mess, and as the article notes the US Gov et al are almost certain to appeal or in other ways nullify the court's decision.

All because the US chose seventy years ago to mess with well established rules of conduct whilst at war for the sake of political grandstanding and show trials...

Proving once again populist choices almost always turn around and not just become unpopular but bite those that push the populist cause drummed up for political showmanship...

Markus OttelaMay 13, 2015 8:58 AM

@ Thoth:

CHIP comes with integrated wifi so using it as TCB platform is insecure. However, $9 for NH - not bad. Although, while the hardware is 'open source' having to build everything around it is messy and a problem for most end users. The Pocket CHIP might be viable though the screen resolution has room for improvement.

Thomas • May 13, 2015 9:41 AM

@ Nobody, "One reason why nobody speaks of "Inception" as being malicious propaganda"

People who hate propaganda aren't going to movies anyway. To me it's just a movie. The rest of your post is kind of interesting.

name.withheld.for.obvious.reasons • May 13, 2015 1:51 PM

Today, 13 May 2015, at 1135 PDT during the House session, James Sensenbrenner (the author of the Patriot Act, PAA, and a Judiciary member) called the actions taken under section 215 "illegal" during the floor debate of the USA Freedom Act. This should settle the argument that others have claimed that actions taken by the NSA were legal. It is unbelievable that individuals would defend a program that was approved using a secret rationale...violating basic jurisprudence.

There is more to do; the fact is that Snowden powered up the flashlight and pointed the beam of light in a direction that made visible the illegal activities of the U.S. government, and it remains our task to ensure that constitutional law is restored. Those that subjugate foundational law with inferior statute and indefensible secret rulings must recognize the error of their ways--citizens must not be made fools by idiots.

My Name Is Nobody • May 13, 2015 3:17 PM

@Thomas

People who hate propaganda aren't going to movies anyways. To me it's just a movie. The rest of your post is kind of interesting.

Ah, who doesn't like "propaganda", but someone who thinks the media is operated by malicious forces beyond their understanding I suppose would not even want to watch anything at all. I think that gets into the realm of schizophrenia, though.

Your statement, however, reminds me of a comment by the wonderful modern father of many of these films out there, Philip K Dick. (While maybe only 'tens' of films are directly inspired by his work, it can be argued his influence is far deeper in modern cinema than just that.) He pointed out how many shows (early eighties comment) show cops invariably as the good guys and criminals as the bad guys and that this is potentially propaganda. Albeit, PKD did go crazy before he died. (Ironically, "Thomas", he believed himself to be the first century "Thomas" of the gospels before he died.)

I am glad, however, that someone read that post and enjoyed it. Thank you for the comment. While the material is difficult to cover, for years now I have been able to draw parallels between information security for computers and information security for people... but rarely have had a chance to actually write much of it out in public.

Outside of a very small circle of people I work with.

Full disclosure: much of my past ten years of work has been in actual code reading. :-) I perform security code analysis. Big part of my job, anyway. Though I often use those skills for other security related work. Offtime hobbies include dream, literary, and film analysis. The more fun stuff, though, is in finding jewels and then figuring out how to use them. When you get good at dissecting code, you get good at reusing code.

While I enjoyed Buck's "Michael Rappoport's Links", and probably will delve into them further, I do not engage in much paranoid thinking. There are conspiracies, to be sure, and I have studied that well, but I have ascertained human beings have profound limits to the capacities of the sophistication of what they can achieve. This is especially clear when one digs deep into highly challenging material such as what I just indicated I favor. I am not in the slightest surprised to find truly brilliant auteurs going mad in going too far into these matters.

"Unbreakable", has the more realistic sort of analysis, a Joseph Campbell, Jungian type of analysis. There are commonalities between "myths", and truths there to be found by analyzing the commonalities. Ultimately, though, this is about simply where the human unconscious mind lives and thrives, and not so much the human conscious mind.

On a forum where there is much suspicion about hidden government activities, capabilities, of unknown limits and sophistication... of course... this can be a more dangerous or implausible area to get into such areas. And often can get off topic.

But, I do combine the two very much, and it comes natural for a strong reason: it seems we have been designing computers, including many of our most advanced information security systems... based very strongly on our own systems for processing information.

This is surely performed consciously, but also is performed unconsciously. That is, we very often are unaware of our own influences on the medium; we have believed ourselves to be painting landscapes, for instance, but find ourselves painting self-portraits, if one looks more closely.

In fact, I would argue, we can not help but paint self-portraits -- even though we understand very little *consciously* about what we look like in that way. (Eg, we understand, actually, very little about the workings of our unconscious mind, but invariably put much of it into the picture in our works. Not unlike how a serial killer accidentally leaks much about their own self in their work. "He that has eyes to see and ears to hear may convince himself that no mortal can keep a secret. If his lips are silent, he chatters with his fingertips; betrayal oozes out of him at every pore." -- Freud.)


Constant Teen • May 13, 2015 4:15 PM

@Clive

Thank you. Interesting comments. Unfortunately, I am not well studied on that evolution of war crime law. A foremost comment which arises in me is 'what is your opinion of 'Operation Paperclip''? I have not read the recent book, but I am curious on your take of how the US took in many Nazi scientists and utilized their expertise.


Thus they are war criminals and can be tried at an international tribunal and if found guilty could still face either the death penalty (because the US has not revoked it) or life in isolated imprisonment (similar to what the US has implemented in select prisons).

Yes, this is a consideration I often run into when studying these stories. These are war crimes. But, the global political environment means you are probably decades off from prosecution, if history is to continue at the pace it has these past few decades.

All because the US chose seventy years ago to mess with well established rules of conduct whilst at war for the sake of political grandstanding and show trials... Proving once again popularist choices almost always turn around and not just become unpopular but bite those that push the popularist cause drumed up for political showmanship...


Again, not so much my forte. And, I suppose in both considering these situations as probable 'war crimes', and in considering how they are unlikely to be prosecuted, I probably have a much more European than American view.

I am more interested in seeing paths righted, as it stands right now, I think we are a long way off from that in many ways. Much of that is not because of moral climate, but instead because of continuing worsening conditions. This exchange between America, some American allies, and elements in the Muslim nations ... as well as continued stressors on Russia and China [and I might as well throw in there Mexico problems, and domestic US problems unrelated directly to Islam]... means the global environment will likely continue to degrade and there remains an extremely high chance for a global incident which will wipe these slates temporarily clean.

What you have, however, is very much not a thinking war, but a war of guts on basic territorial levels. This is about instinctual reactions, and both parties have sunk to a lower level of humanity. I do not think they have the capacity to pull themselves out of the proverbial mud before something truly catastrophic happens.

The conditions in the Middle East are just too volatile. What you have is effectively a civil war through the entire geographic area. It can be viewed as deep and long fractures stretching out from many points and practically from sea to sea.

It seems quiet enough right now. Iran is consenting enough for negotiations. Assad is agreed to be kept in place, and with him stability with Israel. Bombing has been making wins against ISIS. Potentially Very Bad stories like that maybe Saudi Arabia was paying Pakistan to hide Osama Bin Laden are not torched in popular consciousness. Saudi Arabia seems well enough on a course towards stability, despite their internal realities. Jordan remains a strong and stable ally against extremism, it seems. The Iraq War problems have been uncovered and well accepted by both major strata of societies behind it.

Problems of civilian casualties with drone strikes and legal ramifications, as well as popular dissent caused by them in the areas, remain quiet enough for the West. These areas are known and accepted as being matters of potential prosecution, even if that seems extremely unlikely now.

There is a lot of comfort in believing that there have been serious problems, and these problems have been addressed. Further, that there is nothing else too serious hidden. While there is clearly strong holding of rank in the US Government on many of these issues, we have seen this before. That breaks, over time. Sentiment changes.

However, while I state everything seems quiet, I also state the rifts are there, not just in the Middle East and North Africa, and West Asia, and the islands, Indonesia, for instance. But, also there are strong fracture lines in society. And while it can now seem all the worst has come out, this is unlikely.

So, I do not think we will even get to that point of seriously talking about war crimes, prosecution, and the like. Even if we do, it would be likely to be decades from now. For me, such things are not much an interest. Evil, to me, is a condition to be dealt with like a fire or injury. And the problem is that the way much of the core parts of the world are being run is not by mind, by intellect, and by healthy systems of analysis, but instead by gut level instincts.

This has the components of a teenage male gangwar, or the emotionalism of a domestic altercation, in other words. It is extremely unstable and I do not believe there will be adequate cooling off period for people to regain their senses.

If all of that makes sense to you, or you have further comment, I am listening.


Nameless • May 13, 2015 4:30 PM

@J on the river Lethe

Republican Sen. Bob Corker of Tennessee said Wednesday that "it's beyond belief how little data is a part of the program."

Tennessee. Republican. Senator. These guys are idiots. Often when they even are privy to these programs, they can't even solicit the advice of their legal counsel or aides. It makes their information useless. Some of the comments coming from some of these senators are some of the most arrogant, idiotic statements I have seen mouthed by human beings.

It can be difficult to understand, when you work in the area, but this work is way beyond their level of comprehension. They don't have any understanding of these matters. I don't know about you, but for me to be where I am has required immense decades of studying and empirical research work. Politics is a full time job and by no means requires even an above average IQ.

While they can have multiple counsel, they very often do not. And even still, they are still the brains making the decisions. They are manipulated by a wide variety of outside sources, including intelligence agencies, some of whom it is their job to manipulate people.

Far more words than this guy deserves. Another poster here was well pointing out how they are nowhere even close to figuring out how to parse the data. William Martin, I believe, was their name. I can not agree more. They are decades, if that, from being anywhere with that. Exception? On targeted surveillance. Which can be highly valuable for terrorist suspects. Because terrorist suspects belong to a political movement of belief, so they speak what they believe by nature.

But going for everyone's data is just wrong and shows a path towards corruption, in direct violation and clear violation of the core of the constitution. I do not see how they can stomach that.


Nameless • May 13, 2015 4:43 PM

@J on the river Lethe

Research like this is why I am cautious about quantum computing. Not skeptical, just very cautious. How many times have we seen a crypto cracked or weakened? Unforeseen attacks due to us not understanding the physics here, or it just not working, period?

Very interesting article. But, of course, one should remain skeptical. There are many long standing unknowns in these models of physics. I have not seen much change since working in school on that area back in the mid eighties, when string theory was on the cover of Scientific American. We thought it would all explode, not unlike as it seemed with computers, but it has remained very stagnant in comparison with the discoveries in DNA and computers.

Crypto is a different matter, for me, than trying to understand, for instance, gravity. I take such systems with extreme skepticism. I do break code partly for my living. :-) Crypto is not an area I have looked deeply into. I would not be surprised if there are far more serious errors than people are aware of, either coded in or discovered very early and kept covered up. Nothing should be trusted from my standpoint.

But for all practical purposes, I stick to what is well accepted and vetted, and look for implementation problems. Even that is a major time sink, and implementation is best kept static, eg, use best case implementation methodologies used. In attack scenarios, typically, there are so many ways around crypto, before and after the data is encrypted, actually attacking crypto also seems too much a time waste. For practical purposes, defensively and offensively. But for some that is their area of speciality.

Unified theory of energy, though, could really solve a lot of important global problems. Far beyond just energy resources.

Like 3d printing via teleportation! (Ala Gibson :-).)


Buck • May 13, 2015 5:35 PM

@My Name Is Nobody

There are conspiracies, to be sure, and I have studied that well, but I have ascertained human beings have profound limits to the capacities of the sophistication of what they can achieve.

Humans may not be that sophisticated, but large numbers of them over long periods of time are capable of constructing incredibly complex systems, are they not?

Never ascribe to conspiracy theories, that which can be adequately explained by a multitude of interconnected groups in a relentless pursuit of more money for me and mine! ;-)

Thoth • May 13, 2015 7:17 PM

@Markus Ottela
The CHIP's biggest weak points, as you said, are the integrated wifi and bluetooth features. Not sure if they could be disabled physically, though, but it shows a $9 board can be made in mass numbers, and if this were a wifi-less and bluetooth-less board, it could have been a much more convenient form factor for TFC.

I can imagine two of those pocket calculators as the screens and keyboards for the TFC TxM and RxM modules.

I was looking through the CPU core (http://www.allwinnertech.com/en/clq/processora/A13.html) and, good thing, the wifi and bluetooth modules are not integrated into the CPU core from what was described, so anyone who wants to use the CHIP has to look around and somehow disable/remove the wifi and bluetooth, but I can imagine it's not going to work out nicely or it's going to be impossible in most circumstances?

Nick P • May 13, 2015 8:50 PM

@ Bruce, all

My late review of Ross Anderson's "Meeting Snowden in Princeton"
(original article)

I just realized I forgot to review the post. Lol. Ok, here goes.

"wiretaps on the communications between data centres were something nobody thought of"

That was always a threat in terms of government. They've been tapping dedicated lines and fiber for a long time. The government has also used highly secure link encryptors between sites for a long time. So, my assumption should be the default: any carrier line is vulnerable to tapping by the local government or any other attackers with enough resources to tap a line. Independent security consultants also occasionally run into Ethernet taps by hackers and even malicious insiders. Further reinforces the principle.

"Second, we also got some reassurance; for example, TLS works, unless the agencies have managed to steal or coerce the private keys, or hack the end systems."

That is indeed... some... re-assurance.

"And it’s a matter of record that Ed trusted his life to Tor, because he saw from the other side that it worked. "

There were substantial debates here on this subject. Even Tor says it might be cracked by an adversary with NSA-like visibility. Yet, the result of the debates was that several slides indicated severe difficulty with breaking Tor if it was used correctly. One noted that Tor combined with other strong technologies was a dead end for them at that time. So, this claim passes for now.

"Third, the leaks give us a clear view of an intelligence analyst’s workflow. "

Most of this is expected. The workflow for NSA analysts was described by Bamford and others. Looks similar. The alliances between countries for intelligence sharing are a matter of public record, even with a Wikipedia page. There's nothing new here except the number of sources, amount of data, and amount of storage. That has implications for what the organization is capable of on a global scale.

"As for crypto capabilities, a lot of stuff is decrypted automatically on ingest (e.g. using a “stolen cert”, presumably a private key obtained through hacking)."

Less re-assurance on TLS.

" but properly implemented crypto keeps the agency out; gpg ciphertexts with RSA 1024 were returned as fails. "

Predicted by Bruce and other cryptographers. They attack everything around the algorithm if it's a strong one. The leaks indicate those battle-tested in public by cryptographers and hackers are indeed strong. I'll add that this further vindicates the crypto competitions, such as AES, along with peer review by talented breakers. I expected them to produce "good enough" algorithms that would be broken and replaced by brilliant cryptographers over time. Instead, the results have been great with most unbroken in practice after quite a while.

Of special mention, these ciphers still deliver despite quite the beatdown over a long period of time: IDEA (24 years old), Blowfish (22 years old), and RC5 (21 years old). Triple DES was also a nice hack to strengthen an existing algorithm.

"However there is no evidence at all of active attacks on cryptographic protocols, or of any break-and-poison attack on crypto links."

Re-assuring. I predicted this was possible, although not certain, given that NSA's COMSEC uses an IPSEC variant called HAIPE. Many aspects of the two are the same at the protocol level. They just removed the weaknesses in that one. Gilmore's post on IPSEC weakening provides hints for how non-standard implementations can improve the security of the protocol. Plus, *rigor* in implementation process. Obviously.

" By routinely hacking companies of interest, the agencies are comprehensively undermining the security of critical infrastructure, and claim it’s a “nobody but us” capability. however that’s not going to last; other countries will catch up."

That's inaccurate: it talks about something that's been going on like it might start happening in the future. There are already plenty of examples of other nation states and black hats using the same methods to hit everything from government organizations to banks to Google to defense contractors. Terabytes of information have been stolen from Five Eyes organizations using these techniques. So, the proper viewpoint is that the Five Eyes intelligence organizations are intentionally letting their businesses be devastated by foreign attack so that their own collection efforts can continue without interruption. That's why I accuse them of aiding and abetting the enemy.

"Would opportunistic encryption help, such as using unauthenticated Diffie-Hellman everywhere? Quite probably; but governments might then simply compel the big service firms to make the seeds predictable. "

Or just build backdoors or save key material. Much legislation is being considered and some passed along these lines.

"At present, key theft is probably more common than key compulsion in US operations (though other countries may be different)."

Hard to tell on that one. The ECI leak says FBI compels U.S. companies to SIGINT-enable their products for FISA warrants or whatever else. All the biggest players are involved. This is on top of intelligence (esp NSA) and law enforcement (esp DEA) organizations straight up paying for access to useful information. So, the compulsion risk is unknown and it's better to have crypto outside of Five Eyes' jurisdiction for that reason. Picking the right jurisdiction is another discussion entirely. We just know Five Eyes are among the worst democracies for SIGINT collection and abuse.

"If the US government ever does use compelled certs, it’s more likely to be the FBI than the NSA, because of the latter’s focus on foreign targets."

NSA targets Americans, too. Statistically, the FBI is more likely. Yet, NSA also passes their data to FBI and other enforcers for parallel construction. So, this distinction seems meaningless. We might as well think of them as one group working together to find evidence of guilt in our communications.

"The problem with this is that systems like Skype will give access not just to the FBI but to all sorts of really unsavoury police forces."

This is true. Yet, it can be resolved by the choice of jurisdiction. Iceland has no crypto restrictions that I'm aware of. Switzerland has tight controls on this. Others in Europe vary. The control of the crypto should be kept in such countries other than the despotic regime the user worries about. More complex situations potentially have other solutions but this is a fairly simple solution to this one. I'll add that the use of anonymity approaches are critical in such states to avoid having the key tortured out of you.

"FBI operations can be opaque because of the care they take with parallel construction; the Lavabit case was maybe an example. "

That's a definite possibility. Levison claimed to offer bank-grade security to his customers: a regular platform using SSL connections with a shared private key. Calling that "bank-grade" rather than basic SSL is misleading enough. That he likely used server OS's they had zero-days on means there's a real possibility that they hacked the system or had every opportunity to. So, the protection mechanisms for confidentiality and integrity must still be highly assured to stop... parallel construction. Readers probably expected "hacking," but in police states we must consider them together these days.

Hackers used to use our PCs to commit or hide crimes. Individuals used their PCs to hide secrets, protect valuable operations, or even commit crimes. Now, the police and intelligence agencies have strong methods of stealing secrets, disrupting valuable operations, or even committing crimes in one's name. They're solidly in the threat profile.

"The NSA is even more cautious than the FBI, and won’t use top exploits against clueful targets unless it really matters. Intelligence services are at least aware of the risk of losing a capability"

"Using network intrusion detection against bad actors is very much like the attack / defence evolution seen in the anti-virus business."

"Cooperation with companies on network intrusion detection is tied up with liability games."

Totally true. Many nation-state-level attackers have been busted anyway. This includes the NSA apparently via the Equation Group report. Despite their stunning stealth, even they could be beaten with established, COTS forensics and monitoring. That should re-assure us a bit on the detection and recovery side of things. A non-profit coalition of anti-surveillance companies could also share monitoring information like we see with big companies in general. Yet, top security pros could turn this data into pattern-finders and countermeasures to block whatever techniques are in use.

" Lots of good crypto never got widely adopted as it was too hard to use; think of PGP."

True. New, usable solutions are stepping up to the plate. They need more peer review. Academics trying to prove themselves in cryptography, security engineering, or even programming should focus on at least one each as part of their work.

"Engineers who design stuff for whistleblowers and journalists must be really thoughtful and careful if they want to ensure their users won’t die when they screw up. "

This is true. Those who do have solutions that are "too hard to use." There's going to be inherent difficulty regardless, given the range of threats. So, the trick is two-fold: identifying the risks and potential design strategies to protect the whistleblowers/journalists; making all of that easy to use. Much harder than either in isolation. Adding compartmentalization makes it even harder. How are they going to use that strategy pervasively if a PGP tutorial is too hard?

"The goal should be that no single error should be fatal, and so long as their failures aren’t compounded the users will stay alive. "

That seems improbable or impossible for most mainstream and COTS platforms. Any that have significant vulnerability to code injection will be totally nuked upon a single failure. Significant timing channels usually take 1-3 failures. That's disturbing given that amateurs attacking Chrome are chaining 5-6 bugs together to form exploits... found in a week or so. Certain physical isolation schemes can help. Yet, they're not cheap, shiny, and convenient. They might also suffer from loss of availability when attacked, albeit with the benefit that those attacks waste 0-days on the platform. I've proposed techniques to semi-automatically identify the defect upon such an attack.

"For example, password managers are great,"

I've always considered them false security against hackers. Common case for PC attack is that malware is injected onto the machine along with a keylogger. It intercepts (a) your individual passwords or (b) your master password for the password manager. It also intercepts the plaintext. The benefits were using more complex passwords, making them unique per site, more secure storage on disk (esp against theft), and more secure backup (eg for device failure). The extra security against malware and hackers, though, should be zero if that attack vector is used.

"Quite simply, the NSA doesn’t care about policy. Their OGC has 100 lawyers whose job is to “enable the mission”; to figure out loopholes or new interpretations of the law that let stuff get done."

True, along with his examples and scary implications.

"Jurisdiction is a big soft spot."

The good news, which I illustrated above, is that both sides can work this issue. It's not a good dynamic for us given that they have more power.

"The deepest problem is that the system architecture that has evolved in recent years holds masses of information on many people with no intelligence value, but with vast potential for political abuse. "

Well-said.

" People who intern with a clearance get a “lifetime obligation” when they go through indoctrination (yes, that’s what it’s called), and this includes pre-publication review of anything relevant they write. "

It's why a number of us have avoided getting clearances. I suggest others do the same if they're trying to build stuff that can resist mass surveillance.

"The export control mechanisms are also used as an early warning mechanism, to tip off the agency that kit X will be shipped to country Y on date Z. Then the technicians can insert an implant without anyone at the exporting company knowing a thing."

Nice observation. This is why A1-class systems required "trusted trucks" for distribution of the evaluated hardware. I've also promoted using a combination of vetted software, locally procured equipment, and diversity of implementation details to throw them off if you can't prevent customs or shipping from subverting a pre-owned device. This isn't cheap but spies use even simpler schemes with success.

"They will make the same security arguments as our governments and use the same techniques, but without the same standards of care. "

The last part is a good call and vitally important. Many foreign governments have (a) lower protection requirements for the data, (b) looser usage requirements, and sometimes (c) active espionage campaigns against Five Eyes companies. Sharing backdoor access with such governments is a disaster waiting to happen. Especially if they escalate privilege from a limited backdoor to full control, as we've seen in remote administration tools' vulnerabilities.

"Eventually something scary will happen, and then infrastructure companies will care more, but it’s doubtful that anyone will do a sufficiently coordinated attack on enough diverse plant through different firewalls and so on to pose a major threat to life. "

Maybe. For cyberwar in general, I've noticed two things: (a) most vicious people who would want to destroy us physically are too incompetent to do it... so far; (b) those that can do it, which U.S. scares us about, don't care to do it as they financially and/or politically benefit from our overall stability. Top cyberwarriors are China, Russia, Japan, and Israel. All are trade partners that benefit considerably from all the I.P. they suck out of us. No real threat there... unless you have I.P. ;)

" We have to accept that some people are pro-NSA while others are pro-humanity. "

Lol. Nice wordplay.

" It’s best to develop a culture where people with and without clearances agree that crypto must be open and robust."

True but too vague to debate possibilities.

"Secret laws are pure poison; government lawyers claim authority and act on it, and we don’t know about it. Transparency about what governments can and can’t do is vital."

True.

"However it is possible to layer new communications systems on top of what already exists"

I've posted dozens of designs for free online to do just that. I've also shared countless academic works solving a tremendous number of problems. Encrypted communication over untrusted networks is one of the most thoroughly solved problems in the security community. As Ross says, the solution is to implement what we know works in ways that keep the untrustworthy parties truly untrusted. There's also many with the opinion that we should develop as many decentralized versions as possible which reduce the risks of centralization and coercion especially. Whether we do one or both, there are proven paths to greatly improve the resilience of our systems and the social/economic activities they support. We should do this.
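
The "predictable seeds" caveat quoted above (Ross's unauthenticated-DH suggestion, and Nick P's reply that backdoors or saved key material do the same job) is easy to show concretely. The following is an added example, not code from Nick P, Ross Anderson, or any product they discuss. It runs a toy Diffie-Hellman exchange two ways: once with private exponents derived from a vendor seed (the hypothetical `VENDOR_SEED`, and the party/counter derivation, are both assumptions for this example), where a passive observer holding the seed regenerates the exponent and reads the session key from nothing but the two public values on the wire; and once with exponents from the OS CSPRNG, where that observer fails. It also shows why "unauthenticated" matters even with honest randomness: an in-path attacker substitutes its own public values and ends up with a key to each side. The group (the Mersenne prime 2^127 - 1 with generator 3) is a toy choice for readability, not a standard DH group.

```python
import hashlib
import os

# Toy Diffie-Hellman parameters: the Mersenne prime 2^127 - 1 and a small generator.
# Illustration only; real deployments use a standard group (RFC 3526) or an elliptic curve.
P = 2**127 - 1
G = 3

# Hypothetical vendor seed (constructed for this example): the value a government could
# compel a "big service firm" to keep fixed, or simply hand over.
VENDOR_SEED = b"compelled-seed-v1"


def honest_private_key() -> int:
    """Private exponent drawn from the OS CSPRNG: unpredictable to any observer."""
    return int.from_bytes(os.urandom(32), "big") % (P - 2) + 2


def seeded_private_key(seed: bytes, party: str, counter: int) -> int:
    """Private exponent derived from a seed plus public context (party name, session
    counter). Looks random on the wire, but anyone holding `seed` can regenerate it."""
    digest = hashlib.sha256(seed + party.encode() + counter.to_bytes(8, "big")).digest()
    return int.from_bytes(digest, "big") % (P - 2) + 2


def public_value(priv: int) -> int:
    """g^priv mod p, the only thing each party sends."""
    return pow(G, priv, P)


def session_key(priv: int, peer_pub: int) -> bytes:
    """Shared secret peer_pub^priv mod p (= g^(ab)), hashed into a 256-bit session key."""
    secret = pow(peer_pub, priv, P)
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()


def exchange(alice_priv: int, bob_priv: int):
    """One unauthenticated DH exchange. Returns what the wire shows (both public
    values) and the key each endpoint computes."""
    alice_pub, bob_pub = public_value(alice_priv), public_value(bob_priv)
    return alice_pub, bob_pub, session_key(alice_priv, bob_pub), session_key(bob_priv, alice_pub)


def observer_recovers_key(seed: bytes, counter: int, alice_pub: int, bob_pub: int):
    """Passive observer who sees only alice_pub/bob_pub but holds the vendor seed.
    It regenerates Alice's exponent for this session, checks the guess against the
    public value actually sent, and derives the session key. Returns None when the
    guess does not match, i.e. the endpoint used real randomness (or another counter)."""
    guess = seeded_private_key(seed, "alice", counter)
    if public_value(guess) != alice_pub:
        return None
    return session_key(guess, bob_pub)


def active_attacker(alice_pub: int, bob_pub: int):
    """Even with honest randomness, unauthenticated DH falls to an in-path attacker:
    it replaces both public values with its own and holds one key with Alice and one
    with Bob. Returns (mallory_pub, key_with_alice, key_with_bob)."""
    m = honest_private_key()
    return public_value(m), session_key(m, alice_pub), session_key(m, bob_pub)


if __name__ == "__main__":
    # Session 7 between two endpoints whose vendor shipped seeded key generation.
    a = seeded_private_key(VENDOR_SEED, "alice", 7)
    b = seeded_private_key(VENDOR_SEED, "bob", 7)
    alice_pub, bob_pub, k_alice, k_bob = exchange(a, b)
    recovered = observer_recovers_key(VENDOR_SEED, 7, alice_pub, bob_pub)
    print("seeded exponents: observer recovers session key:", recovered == k_alice == k_bob)

    # Same exchange with CSPRNG exponents: the seed is useless to the observer...
    a, b = honest_private_key(), honest_private_key()
    alice_pub, bob_pub, k_alice, k_bob = exchange(a, b)
    print("csprng exponents: observer recovers session key:",
          observer_recovers_key(VENDOR_SEED, 7, alice_pub, bob_pub) is not None)
    # ...but an in-path attacker still ends up keyed to both sides.
    m_pub, k_ma, k_mb = active_attacker(alice_pub, bob_pub)
    print("csprng + in-path attacker: Alice shares a key with Mallory:", session_key(a, m_pub) == k_ma)
```

The point of `observer_recovers_key` is that the backdoor leaves no trace on the wire: the public values are indistinguishable from honest ones, so the only defence is control over the code that draws the exponent (and the jurisdiction that code's vendor answers to). The point of `active_attacker` is that Ross's "opportunistic" qualifier is doing real work: unauthenticated DH defeats passive bulk collection but not an adversary willing to sit in the path, which is why authentication of the public values, not just their randomness, still has to come from somewhere.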

My Name Is Nobody • May 13, 2015 9:22 PM

@Buck

There are conspiracies, to be sure, and I have studied that well, but I have ascertained human beings have profound limits to the capacities of the sophistication of what they can achieve.

Humans may not be that sophisticated, but large numbers of them over long periods of time are capable of constructing incredibly complex systems, are they not?

Never ascribe to conspiracy theories, that which can be adequately explained by a multitude of interconnected groups in a relentless pursuit of more money for me and mine! ;-)

And they have a much more sophisticated network over their heads chasing them down to get their debts collected owed to that group.


https://www.youtube.com/watch?v=61AfGNlXf9M


The Nameless One • May 14, 2015 1:15 AM

I buffer overflow minds... :-)

@You have not covered EHR

Okay, you are recently retired. This does make sense. I know recent, because you speak of pci-dss. But, yes, CC firms audit firms over pci-dss...

I think you should focus on church at this stage in your life, and evade political issues.


@Nick P

I believe you meant this post for the other thread.

The n3td3v crazy thread. :-/ And FYI, yes, I have changed my name a few times in this thread, and the above is mostly me. One reason I post here. I am difficult to hide, too lazy to bother really strangulating the way I write and think... and mostly am just interested in evading Sherlock Crazies.

On your comments...

That was always a threat in terms of government. They've been tapping dedicated lines and fiber for a long time. The government has also used highly secure link encryptors between sites for a long time. So, my assumption should be the default: any carrier line is vulnerable to tapping by the local government or any other attackers with enough resources to tap a line. Independent security consultants also occasionally run into Ethernet taps by hackers and even malicious insiders. Further reinforces the principle.

WiFi makes this ubiquitous. It isn't about hard wires running everywhere any more than it is about files in file cabinets. Or guys in vans. Everything is remote, everything is in the air. And the government, anyway, owns the underlying wires to everything.

Totally true. Many nation-state-level attackers have been busted anyway. This includes the NSA apparently via the Equation Group report. Despite their stunning stealth, even they could be beaten with established, COTS forensics and monitoring. That should reassure us a bit on the detection and recovery side of things. A non-profit coalition of anti-surveillance companies could also share monitoring information like we see with big companies in general. Yet, top security pros could turn this data into pattern-finders and countermeasures to block whatever techniques are in use.

The "equation group" was reported by Kaspersky, whose name comes from a man that trained as the KGB then started his company. No funding? Russia is a spookacracy. Here is the reality: where are all of these hacked systems? Like with all these other disclosures, where are the reports? The disclosures? Where is anybody saying, "They got me"?

Where are all the poor innocents saying, "I was hacked by the equation group. I worked for the Dalai Lama. And I got hacked by a nation state." It simply is not there.

Where, for that matter, is Russia or China saying, "Hey, look everyone, here is what the US stole from us? Here are the companies the US hacked into here! See!" Yet, you see this all across the nations Russia and China have hacked. Why are they just not showing their case examples?

Because it is bullshit.

You run Kaspersky, you run a rootkit straight to Russia.

NSA targets Americans, too. Statistically, the FBI is more likely. Yet, NSA also passes their data to FBI and other enforcers for parallel construction. So, this distinction seems meaningless. We might as well think of them as one group working together to find evidence of guilt in our communications.

Here is what I will agree on: zero evidence for the value of domestic surveillance. The program, itself? Is bunk. It runs contrary to the god damned constitution. Excuse my French.

But who is really behind any of this? I agree, people get mixed up. They do not understand who is who or what agency is what and who does what. That is grating to me.

I will also admit something startling here: I have been for some programs like this. Important caveats here? What they did they did widespread. It was not black ops. It was shared all across everywhere. It was not covert.

Covert, there, is a critical word. Covert means deniable. Covert means it is probably illegal. What they did, they did legally. It is okay. It can be shared everywhere. No one will go to jail for this. No reason for secrecy.

Covert means it is illegal, everyone knowing about it understands this, and they keep it secret so they and their coworkers do not go to jail.

Parallel construction? Not the weak sort. The kind that works. The careful kind. Leads, I think, is a better term.

I understand there can definitely be pause here.

"The NSA is even more cautious than the FBI, and won’t use top exploits against clueful targets unless it really matters. Intelligence services are at least aware of the risk of losing a capability"

This irks me. It gets back into this netherworld of guesswork. Snowden was in his late twenties. He was a contractor. He did not live under a cover. His work was under an extremely light cover. Light for everyday people, very visible for foreign nations.

He had some real stories from his CIA work. He had some real stories from his work as a contractor. But he was not deep. He was not born into this. And he was an analyst. That, even in the CIA, is very low rung. Case officer? Different story. Analyst? You will always be low rung, regardless of how smart you are.

NSA? Far from either CIA or FBI in terms of human intelligence.

FBI, you will see constant disparaging remarks in these matters. I chalk it up, constantly, to disinformation. You would be wrong not to also do so.

I will talk about Hoover in a dress, or how Hoover never had undercover. That is all a lie. The DEA, they learned from the FBI.

NSA? They are all about tech. Tech is very, very far from the necessary human intelligence areas. Linguistics, crypto breakers, extremely insular jobs. Turing would not have lasted at all in a human intelligence job, despite how incredibly brilliant he was technically.


FigureitoutMay 14, 2015 1:24 AM

Thoth // Markus Ottela RE: integrated wifi/BT
--This is my nightmare. Every single chip that is currently manufactured all having some sort of radio in it. For the *most part*, you can mitigate this as it generally needs some external components and an antenna to work in the real world (will be on PCB, which you can then hack on depending on the type and make it better w/ a wire soldered on) and also if you have dev-level access to the chip you can delete every trace of firmware needed for it. Still, the hardware's there, just waiting for a cheeky bastard like Clive Robinson to obsess over and find a way to make it a functional radio again that can either inject or leak data and maybe code (the absolute worst).

RE: pocket calculators for TxM & RxM
--I think something along these lines will take TFC to another level (it's already highly above most all public chat/file transfer (not sure how robust file transfer is, as I don't have computers to spare to try it)), imagine same high level design w/ chips, firmware, and the entire process designed for security. It'll get really strong soon, and people like me will go thru and simplify build process for everyone (still working on RNG people, it'll be a slight twist on it; regardless of the design, you can use this process for future RNG designs so long as you take care of output power or you'll blow out chips).

I'm still awaiting KnightOS (I've peeped in on their IRC, they're cool), I want to get involved but so much to do. I do have multiple calculators I'd be willing to try it out on and if I can build it (software wise), all the better. I may try to find some bugs in it as I believe it's more of a hack project than a secure one; but still, there won't be many exploits for it besides Z80-based ones. Attacks will be much different, unless just chaining off larger machines via USB cables.

ThothMay 14, 2015 4:17 AM

@Nick P
The bank grade security thing ... we should all consider it as good as most of us but with more cash and resources to throw at it. Most of them don't know what they are dealing with and most of them have not very good security or security conscious people either. Some of their security managers I have worked with are simply unrealistic. Oh and about using the one private key for the whole organisation, if it's not for the compliance check list in place, they do love to just do away with problematic key rotation and use a single key.

So far, most of them barely meet the compliance standards they have to meet just to get a passing rate to continue their businesses.

NamelessMay 14, 2015 7:21 AM

House Passes USA Freedom Act, NSA Domestic Spying Curtailed

http://www.wired.com/2015/05/house-passes-usa-freedom-act/

The bill instead calls for records to be retained by telecoms and forces the NSA to obtain court orders from the Foreign Intelligence Surveillance Court to gain access to them. It also requires the agency to use specific search terms to narrow its access to only relevant records.
The bill, however, isn’t in the clear just yet. It now goes to the Senate for a vote.
Civil liberties groups like the Electronic Frontier Foundation and others are divided in their support of the bill. Many say it’s better than nothing, but hope that the Senate will add wording to strengthen protections before passage.
EFF had supported the legislation until last week when a federal appeals court ruled that the bulk collection of phone data is illegal. In that decision, the Second Circuit Court of Appeals found that the collection of Americans’ phone metadata was never authorized by Section 215 of the Patriot Act, as the intelligence community had insisted. EFF has now said that the ruling should embolden the Senate to roll back the bill to a previous 2013 version that provides stronger reforms.

Whatever the case, they are screwed when the legal suits start rolling in. Anyone can sue them now. Wiretapping everyone in the US is akin to searching every house in the US. Hard to get more anti-constitutional than that.

Older story, but I had just read this beauty, how an irate congressman blasts cops trying to argue that companies are only helping criminals by having strong crypto:
http://arstechnica.com/tech-policy/2015/04/irate-congressman-gives-cops-easy-rule-just-follow-the-damn-constitution/

Kind of like saying "driving sober helps drunk drivers", or "locking your home helps robbers". Or change the "helps" to "is", as it means the same thing: "safe driving is dangerous driving", "not murdering is murdering", "Democracy is fascism".

As long as they keep talking and acting like Stalin or Ill Young, you can keep calling them a duck.


BoppingAroundMay 14, 2015 9:41 AM

> Here's the difference: Apple and Google don't have coercive power.

On the other hand, their 'partners' do.

Not having the coercive power does not make what they do any better. Still stinks.

NamelessMay 14, 2015 10:22 AM

from the article on tussles in the house over cop/intel demands to take away encryption from american products (yes, I worded that that way):

http://arstechnica.com/tech-policy/2015/04/irate-congressman-gives-cops-easy-rule-just-follow-the-damn-constitution/

It's a fundamental misunderstanding of the problem. Why do you think Apple and Google are doing this? It's because the public is demanding it. People like me: privacy advocates. A public does not want an out-of-control surveillance state. It is the public that is asking for this. Apple and Google didn't do this because they thought they would make less money. This is a private sector response to government overreach.
Then you make another statement that somehow these companies are not credible because they collect private data. Here's the difference: Apple and Google don't have coercive power. District attorneys do, the FBI does, the NSA does, and to me it's very simple to draw a privacy balance when it comes to law enforcement and privacy: just follow the damn Constitution.


@BoppingAround

Here's the difference: Apple and Google don't have coercive power.

On the other hand, their 'partners' do.

Not having the coercive power does not make what they do any better. Still stinks.

It is leagues and leagues away from government coercion, however. These guys are misinforming the public about one of the most critical protections afforded to consumers: encryption. Those are just two big names. Where would they stop. As one article well pointed out this idea of government mandated encryption backdoors would 'break the internet'. There is plausible and strong regulations, oversight, and public input on what corporations do. You have zero assurance with what governments do.

Secret laws? Secret courts? Government is so insanely stove piped with secrecy, they don't even know what they are doing. There is no way to prevent government from using such backdoors to eventually start profiting from it. Who is the most dangerous threat to corporations right now? Nation states. America seems to have not entered that business yet, or other Democracies. As far as we know, which is not much. Because we can not know. It would be secret if it was done.

But nothing would prevent them from doing exactly this if this was done.

In the meantime, these guys are telling consumers encryption is bad for their safety. That is a load of bullshit.

Dangerous bullshit.

Not even to get into the real scary dangers: governments have a tendency to start to use this sort of capability to persecute people based on such things as 'what they believe' and on lifestyle choices. Do we really want all future Martin Luther King Jrs to be prone to government control like what Hoover did and attempted to do?

Could be happening now for all anyone knows. Nobody knew it happened at the time.

Nick PMay 14, 2015 12:49 PM

re wifi and wires

WiFi certainly makes it easier for them, yet not ubiquitous. It's actually more difficult for them to hit WiFi nodes because they're all over the place. Better to tap the Tier 1 and Tier 2 ISP's with specialized equipment to see everything. Then cross-reference what you see to a list of known wifi nodes with associated location, speed, personal/business, and other details.

And the wires are privately owned by various companies. The government only owns the wires and fiber they themselves install. You'll know the difference if you accidentally cut an unmarked cable during construction.

re equation group

Kaspersky is the one source for the information. I'd like to see some peer review on this. But, this is fairly common in this field. So, you have to look at the data and responses. You noted that you haven't seen many responses from big companies. That is weird and troubling. The riddle is solved when you just read the report: their methods are nearly God-like in stealth (per Kaspersky), they'll dump an operation at slightest hint of detection, they erase all traces, and their targets aren't the kind running great monitoring operations. That they heavily rely on HD firmware infection already made 99% of targets out there unable to resist or spot them.

So, it's believable it might happen without many reporting the compromise. The Russian and Chinese hackers use traditional methods on companies with lots of auditing and contracts with managed security. They get detected at some point but that's because they don't care about detection: nobody does crap about the TB they stole. NSA's TAO and others care about detection to the point of using every technique at their disposal to prevent it. Their targets don't have as much security investment either. So, it's believable it could happen. On top of it, a number of these countries wouldn't admit the U.S. was beating them invisibly for over a decade.

re covert

"Covert means it is illegal, everyone knowing about understands this, and they keep it secret so they and their coworkers do not go to jail."

I'm not sure what your point is. The U.S. has overt, clandestine, and covert operations. Clandestine means they're hidden, legal here, and maybe illegal in foreign country. Covert operations are clandestine operations designed to be deniable rather than just secret. Clandestine operation plus a smokescreen. There's plenty of history of covert operations that should've never happened. They need more accountability for sure.

But, don't make the mistake of extrapolating this too much. Like prior discussions here showed, most countries in the world treat espionage differently from other military and intelligence activities. They tend to make it legal for them to do and illegal for everyone else to do against them. A spy caught doesn't start WW3: the spy is punished and the event might be used for political leverage. We get caught dropping bombs and it's a totally different story. So, the discussion of what they do in secret with SIGINT and HUMINT should stay separate from covert operations in general. The former is quite broad and with little restrictions. The latter is highly restricted and sometimes even needs Presidential approval if it's high risk.

re NSA capabilities

You brought up random points on Snowden, NSA, DEA and so on. I don't see a coherent statement to reply to.

@ Figureitout

re pocket calculators

I told you before they're good for subversion resistance given their nature. They might do well for TFC with the right connectors. Yet, I hesitate to recommend them for one reason: TI's continued inflation of their prices means many alternatives are cheaper. Things such as the PI keep pushing costs down. Not to mention all the boards with microcontrollers that *don't* include wifi, etc just to keep costs down. They're looking to be best option for Send and Receive with a cheap Linux box for Transmission node.

Btw, KnightOS looks cool. I'd have loved to play with it on my old TI's back in school. I had a TI-83 and a TI-92 (favorite). My 92 had so much screen, keyboard, and resources to play with. That mixed with KnightOS or a KolibriOS knockoff would've rocked.

@ Thoth

I agree for many banks. It depends on the bank, though. A number have implemented many network protections, internal controls, monitoring, logs, and so on. Quite a bit more than the average company uses. Plus, their dependence on HSM's and mainframes for many operations makes those unlikely to be hit by vast majority of hackers who lack the expertise. So, whether a good bank or a half-assed bank, just putting SSL on email servers didn't seem to justify the claim. Looked like marketing BS to me.

Plus, a truly secure email service would be using mail guards and plenty of custom code/endpoints. The cost of those are considerable. So, you can tell if an email service is leveraging secure equipment largely by how much they charge. That means that my Kolab account can be hit by hackers regardless of their commitment to protecting me. So, I leverage them for transport and will use a guard for receiving if I want real security. And GPG, of course.

Nick PMay 14, 2015 1:12 PM

I received an email today to "Add Skype Credit to Western Union." Probably just spam or a marketing tactic. Yet, I couldn't help but notice two things. One, Western Union is the main way that scammers and the black market move money for online purchases. Two, Skype has been an NSA front and FBI target for a while. Gotta wonder if LEO's encourage offerings like this that match their targets to their technologies. I'm predicting a strong correlation between people who take this offer and people who end up in prison. ;)

NamelessMay 14, 2015 2:38 PM

@Nick P


wired & wireless

Yes, on "wired", I meant the government "owns" the wires in the sort of hacker sense of the word "owned". I realize people could be skeptical of that, and I will not support that statement with evidence. But one can consider how the government makes great pains to do this abroad, which sometimes make public visibility.

On "wireless", that I am considering more from an attack angle which is, of course, far more localized. Obviously, between getting up close and personal versus remote, they would generally far more prefer remote, one would reckon.

And it can be noted the cloud is another major target in this, especially as networks move away from the classic DMZ model to a more open model. Such as what Coca Cola and Google are doing.

Equation group
Kaspersky is the one source for the information. I'd like to see some peer review on this. But, this is fairly common in this field.

Yes, it is common.

God-like in stealth (per Kaspersky), they'll dump an operation at slightest hint of detection, they erase all traces, and their targets aren't the kind running great monitoring operations. That they heavily rely on HD firmware infection already made 99% of targets out there unable to resist or spot them.


But, they were detected. And Kaspersky would have had an obligation to inform them and discuss these issues with them. They did show a map of infected customers. I could see how they may have anonymously mapped customers and maybe only informed enterprise level customers, though in such a situation that seems especially poor behavior.

While they were very stealthy systems they are not the first stealthy systems by any means, and far from the first rootkits and related apt systems in the wild. Different means, but not detected for some time means not detected for some time.

When I talk to people I hear them tell me about getting hacked by China or Russia. Plenty of news stories have come out with corporate viewpoints and corporate victims over the years. I have seen this from countries all across the map. We all have. Not a difficult search to perform. It is newsworthy. Countries and companies and individuals want to speak up. Not all, but they are surely out there.

So, it's believable it might happen without many reporting the compromise. The Russian and Chinese hackers use traditional methods on companies with lots of auditing and contracts with managed security. They get detected at some point but that's because they don't care about detection: nobody does crap about the TB they stole. NSA's TAO and others care about detection to the point of using every technique at their disposal to prevent it. Their targets don't have as much security investment either. So, it's believable it could happen. On top of it, a number of these countries wouldn't admit the U.S. was beating them invisibly for over a decade.

One angle you do not mention is 'maybe this did not make my news feed or your news feed'. But I do get news from these countries on that infection map. I would have to look more closely, but ... looking it up...

http://mms.businesswire.com/media/20150216005573/en/453447/5/2159519_EQ_Victims_map.jpg

India makes it on the high infection, United Kingdom makes it on the Medium infection point. Who got hit there? United Kingdom? The icons say "Islamic Scholars", "Other/Unknown", and *finance*.

But, since that is up, look at that target list. Is that the US target list? With those priorities? I suppose, probably not, as you would have to account for Kaspersky AV usage in that sort of sample. Russia is high on that list. But Russia is going to be where saturation of KAV is highest, right?

Here's a problem: So KAV shared these signatures with other AV vendors, right? Maybe contrast their maps, if they have made any against KAV.

Might help illuminate more on the issue.

Whatever the case, surely, someone might have been informed by KAV and someone might have wanted to come forward and say, "Hey, I am English, I am IT Security at a primary financial company here. Did the US or whomever was behind this attack hack us? Why?"

Hey, and I am not saying anything spooky is going on here. Well, I am. But they have a right to keep silent on these matters, sure. Anybody does. But surely some of the actual victims corroborating these stories would make good press for them? Not all of the victims across such a wide spectrum would keep silent. That just does not make sense. Stuxnet was not like that, either.

There are a lot of unanswered questions here.

A lot about this does not make sense.

And can you really say things are so different in corporations and other organizations in the US and other Democratic states (Taiwan, South Korea, etc) that our security consultants here would have data, and they would not? That their security is so radically different? I can say, it definitely is not. I have at the very least talked shop with people from some of these countries, that is for sure. Some corporate, some government. They are not on the moon. You know this -- people in the industry on lists and at global conferences anyway are from all around the world.

It will be interesting to see what information comes out. Because you know, that should happen. Some kind of information about all of this should come out. Research done, great. What about all the other AV vendors who used these shared KAV signatures. Stuxnet, you know, got proven by a number of ways. Snowden disclosures got this. Many leaks get this. This is a big story. But, you know what? I almost expect it to vanish.

Are there even live samples out there to test against?

If you have McAfee or other systems, can you detect it? Some of these targets are in the US. What about that. Who was that? From the specifications alone (though I have not delved into the documentation), you can create detection tools.

This all also reminds me of the Snowden and German TAO disclosures. I get China not coming up front about their router compromises. China always keeps tight lipped and vague. But what about everyone else?

Maybe too valuable to let the US - or whomever the attacker was - not have confirmation about where the attack was? So they will not be sure what sources which are compromised have intel which can continue to be trusted? Put that cost on them?

But there are holes in that theory.

A lot.

And if KAV has not shared this information so other vendors can perform detection, that, especially would be very remarkable and lead to some troubling conclusions.

incoherent comments

Sorry, had some to drink. Ignore. Not even pretending to be very professional. Har har har.

^_^

TNOMay 14, 2015 2:46 PM

@Nick P

I received an email today to "Add Skype Credit to Western Union." Probably just spam or a marketing tactic. Yet, I couldn't help but notice two things. One, Western Union is the main way that scammers and the black market move money for online purchases. Two, Skype has been an NSA front and FBI target for a while. Gotta wonder if LEO's encourage offerings like this that match their targets to their technologies. I'm predicting a strong correlation between people who take this offer and people who end up in prison. ;)


Why take them to court when they can just steal money?


http://www.abqjournal.com/580107/news/dea-agents-seize-16000-from-aspiring-music-video-producer.html

Maybe he should have taken traveler’s checks.
But it’s too late for that now. All the money – $16,000 in cash – that Joseph Rivers said he had saved and relatives had given him to launch his dream in Hollywood is gone, seized during his trip out West not by thieves but by Drug Enforcement Administration agents during a stop at the Amtrak train station in Albuquerque.
An incident some might argue is still theft, just with the government’s blessing.
Rivers, 22, wasn’t detained and has not been charged with any crime since his money was taken last month.
That doesn’t matter. Under a federal law enforcement tool called civil asset forfeiture, he need never be arrested or convicted of a crime for the government to take away his cash, cars or property – and keep it.
Agencies like the DEA can confiscate money or property if they have a hunch, a suspicion, a notion that maybe, possibly, perhaps the items are connected with narcotics. Or something else illegal.
Or maybe the fact that the person holding a bunch of cash is a young black man is good enough.

BoppingAroundMay 14, 2015 4:23 PM

Nameless,

That's why I mentioned partners — the government exactly. Now there's probably an excess of coercive power.

> There is plausible and strong regulations, oversight, and public input on what
> corporations do. You have zero assurance with what governments do.

Funny. I have heard exactly the opposite too. That is, you may try to pry some information from the government using FOIA but from a corporation? Tough luck.

Given the public/private surveillance partnership (government outsourcing surveillance to private sector as an example; this blog does certainly have several entries on the topic), the situation becomes even more complex — as the FOIA example above states, you cannot FOIA a corporation. Go figure what's being done there. Another possible example, immunity from prosecution granted to telecoms for participating in government's mass surveillance programmes.

Perhaps AT&T or Verizon or any other corp cannot barge into your house and take you into prison but the government can. And the data will be conveniently provided by some of the corps. Then there are personal profit motives — these have been covered on this blog too — not as bad as going to jail, yet obviously nothing good.

NamelessMay 14, 2015 6:05 PM

@BoppingAround

That's why I mentioned partners — the government exactly. Now there's probably an excess of coercive power.

Yes, no disagreement there.

It seems the "let's have a legal backdoor in everything" approach is at least partially a reaction to that issue, though this has come up before the prism disclosures, to be sure.

>That is, you may try to pry some information from the government using FOIA but from a corporation? Tough luck.

I don't know. I have never worked in government. I can throw out some statistics and statements on SAPs and CAPs.

SAP -- Special Access Program, CAP -- Controlled Access Program. CAPs, the CIA parlance version of compartmentalized programs; SAPs, the Pentagon's version of compartmentalized programs.

"There's only one person in the entire universe that has visibility on all SAPs -- that's God". James R Clapper, when he was Director of Pentagon Intelligence Programs. ('Top Secret America').

There are a lot. And then there are many governmental agencies with secret programs and many contracting firms also engaged. Number of Americans with clearance, 5.1 million. ( https://www.google.com/webhp?#q=number+americans+with+clearance ).

Then you have secret laws, secret courts?

You have secret orders given to companies and individuals that they really can not even argue against or even talk about.

Contrasting that against corporations... hard to do. If you are not talking about government coercion but only about corporations and their privacy invasions. So, maybe you were only talking about that, and I misunderstood.

From sheer corporations angle, however, no government involved, you have a tremendous number of factors for talking. People can leave. They can leak to the media. They can leak to competitors. They can outright go to the media and do interviews. They can get hired by competitors. They can sue. Their products can be reverse engineered -- with Google, it is open source. Android, anyway.

Products lacking end to end encryption can be tested. It can be asked to be proven. There are competitive options and strong regulations against monopolistic behavior.

Many points of failure. Many weaknesses. But there are ways to address that. Weaknesses, if bad enough, can either lead to a valid law suit, or can lead to a strong competitive advantage for a competitor.

At the backend, it is true. They could be doing something very bad with that data. But, excepting the government has them coerced, most of those possibilities are extremely dangerous for them to engage in. If exposed, they can get sued, for one. Not much reason not to expose them these days. It is a highly competitive field and someone can change companies and expose them at the same time. Many avenues for anonymous exposure.

Contrast that with whistle blowing on the government....

(I say some of that last bit with some delicacy, recalling corporate whistleblowing cases where the whistleblower suffered quite a bit. However, those were different companies, different conditions. If an engineer or executive, at say, Google, found out Google was secretly selling everyone's private health data for profit illegally, for instance, many avenues there for them to take. The tech field and the tech journalist field is very sympathetic to such conditions.)

ZenzeroMay 14, 2015 7:11 PM

@CryptoLock

back again N3td3v... Please sell yourself and your sites elsewhere

@Moderator While I would never ask for an honest voice to be silenced, can you please keep an eye on this one so other threads don't degenerate?

Bobby R.May 14, 2015 7:14 PM

@ Nameless

"There is plausible and strong regulations, oversight, and public input on what corporations do. You have zero assurance with what governments do."

Corporations, cooperatively, can exert enough influence to lobby legislation or put trade agreements in place to extend such laws across borders. The system works as much in their favor as it does for governments. This explains much of the cartel-like behavior of major business interest groups, a necessary good of capitalism.

The only difference is we can choose to buy products from a different corporation but we cannot choose governance by a different government. Voting a different political party into office is feasible under democratic elections, but even so it takes more than just that to change an existing legal framework. We are pretty much stuck with what we have, so we either make good and be happy with it or find some avenues to vent complaints.

Bobby R.May 14, 2015 7:30 PM

@ Nameless

"Who is the most dangerous threat to corporations right now? Nation states. America seems to have not entered that business yet, or other Democracies."

The converse, but perhaps equally valid, to that statement would have been "Who is the most dangerous threat to nation states right now? Corporations." That is a stance I would not attempt to defend here, but I find it hard to argue against.

BTW, thanks for sharing your thoughts. I personally think your line of reasoning very closely resembles that of Glenn Greenwald and perhaps other journalists of equal fame, not trying to put words in anybody's mouth. Their stance on these issues, as it appeared to me, seems to have polarized the debate on civil disobedience and "whistle blowing." The whole issue is still very vague to me.

ModeratorMay 14, 2015 7:42 PM

"Why are my posts being deleted ? @moderator can you please refrain from delisting my posts."

Defamatory statements will be immediately removed. Please air your grudge elsewhere.

NamelessMay 14, 2015 8:27 PM

@Bobby R

"BTW, thanks for sharing your thoughts. I personally think your line of reasoning very closely resembles that of Glenn Greenwald and perhaps other journalists of equal fame, not trying to put words in anybody's mouth. Their stance on these issues, as it appeared to me, seems to have polarized the debate on civil disobedience and "whistle blowing." The whole issue is still very vague to me."

Yeah, well, thank you, but a disclaimer: I am not Greenwald. I am wearing a Greenwald like hat on that issue here, but my viewpoints are more complex. I think this post, above, gets *closer* to my real perspective: https://www.schneier.com/blog/archives/2015/05/friday_squid_bl_477.html#c6695717

Basically, it is very strange and full of codes, cryptic, puzzles.

I believe I do, however, love what is right and hate what is wrong. But these sorts of issues can be much more complex than just black and white.

To describe how I look at both parties, I look at it like I sit down and watch a nature documentary of animals in the wild. Which, I actually did while writing here. On tigers in the jungle.

"We are pretty much stuck with what we have, so we either make good and be happy with it or find some avenues to vent complaints."

Yeah, and you pick your battles. This is not my field, though it is distantly related. I like to write on these sorts of topics because it keeps me intellectually and emotionally limber and there are a lot of challenging, brilliant posters here.

Schneier, actually attracts me, too, though, as he does the other readers. Readers, myself included, definitely go this or that extreme, but he is a mainstream, reasoned voice. I recommend Data and Goliath if you want to dig into the subject more. It is dizzying and comprehensive. It is reasoned, and does not get to extremes.

I agree with your assessment about corporations and government in the first post.

"The converse, but perhaps equally valid, to that statement would have been "Who is the most dangerous threat to nation states right now? Corporations." That is a stance I would not attempt to defend here, but I find it hard to argue against."

I do not think so, but may not follow you here on what you are saying. Have you seen Continuum? Heh. :-) In that sort of way, there is definitely a competitive dichotomy there.

I believe the best case is where government and corporations work together. But, obviously, within metered lines and with the constitution in mind. I usually have worked at corporations, and government is an important point of defense there. Foreign governments are the threat we see there, the scariest threat. Maybe that was what confused you about what I said.

Organized crime is another very concerning threat, but I believe the primary organized crime which is that threat is typically ultimately nation state backed.

So, the local government - wherever you are - has responsibility there to aid corporations, as what is going on is nation states versus foreign companies, very much so. And of all kinds.

All kinds of corporations, I mean.


FigureitoutMay 14, 2015 10:43 PM

Nick P RE: calcs
--Yeah I remember, I told you to show the waitress that you calculated her tip, w/ "80085" lol; maybe it'll get you a date haha. I finally found this damn cable I'd been searching for for the older versions of TI-83 for this proprietary serial port they have (ugghh....). Still used a primarily Windows program to send programs to the calculator (and I did it over Windows, so this malware that's killing me may have a hook in that too now). Newer ones have the regular USB port, and I put an AES and DES program on it, and it's got my little worthless program that calculates a cylinder's area lol. That's cool that they have an entire development environment built into it. I really like these calculators, and am slightly wary to f them up if the OS isn't worth it.

But yes, their price is ridiculous, it's been way too expensive for far too long; absolutely you can get way way more value for your $insert_currency(curr) w/ the latest RPi (way easier to be up and running in minutes compared to BeagleBone, which has scattered development and the board is more flaky). Personally I like Arduinos on Linux for fun (don't require that admin-privilege driver in Windows) and regular modern computers w/ multiple gigs of RAM (I have a long and arduous recovery journey ahead of me and some other bullsh*t administrative stuff to do...always...grr).
