Friday Squid Blogging: Giant Squid Washes Up in New Zealand

The latest one.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on May 22, 2015 at 4:39 PM • 307 Comments

Comments

name.withheld.for.obvious.reasonsMay 22, 2015 4:49 PM

Comey is on the push; overstating the "largest risk" being social media and encrypted communications emphasizing the agenda that the IC community sees as paramount. This is not a formal risk-based analysis of issues that represent national security interests. The way I see it, the IC and governments are engaged in establishing state-based protection rackets. It is obvious when one looks at what bank regulations want to do with the expansion of SWIFT and asset forfeiture. What happened to due process?

Comey stated that idiots would write down their plots--he claims that criminals are now using "digital literacy" as a form of a threat vector (my words, paraphrasing). I guess he is claiming that the IC relied on stupidity to gain the advantage--and now the tables are turned? Comey is indirectly stating that the IC community is populated with idiots. This is the first time I believe Comey has exercised intellectually honesty...

Jonathan WilsonMay 22, 2015 5:56 PM

The Australian government has introduced new rules regarding the export of "dual-use goods" (which includes cryptography) and it could have a big effect on open source software, research, discussion, academic teaching and more.

http://theconversation.com/paranoid-defence-controls-could-criminalise-teaching-encryption-41238 is one article I found.

If you are an Australian, you should be concerned about this. I for one am most likely going to write my local MP about this (as soon as I can figure out the best way to do so that is)

I have written (and write) software that features cryptography and am concerned what this might mean for me.

Andrew WallaceMay 22, 2015 5:57 PM

I wish a public apology from Chris Roberts @Sidragon1 on Twitter.

Sorry for being an asshat and putting hundreds of passengers including flight crew at risk and for wasting taxpayers money on the FBI having to investigate my asshat antics.

Andrew

Clive RobinsonMay 22, 2015 6:09 PM

@ albert,

The military has a couple of problems when it comes to "cyber-warriors.

Firstly the actual aptitude and intelligence required and secondly a worthwhile career structure to retain those with ability. Oh and there is also the "burr under the blanket" issue of medals...

There are three basic types required, "button stabbers", "admin/managment" and "creatives".

You can regard the "button stabbers" as "script followers" be it offensive or defencive, the amount of "analytics" involved is not that high, whilst not "monkey see monkey do" you would expect anyone who had graduated from college to be able to do it, but quickly find it uninspiring. The "creatives" are a problem whilst you can teach the basics over a period of years it's still very much a "gift", thus they are not common. The admin and managment types are much like they are in other branches of the military.

The problem is "career structure", button stabbers are by and large not much above NCO level and the brass know this, thus there is not realy a career path to follow. The creative types are not traditional officer material but expect pay grades up in the more senior officer renumeration rates or they will move out to industry.

The hidden problem is "fit to fight" the military tend to have an age cut off based on rank, and don't keep the lower ranks much over thirty and even senior non commissioned are generally shown the door in their forties. Which means any expertiese goes with them.

Arguably to be good at security you need a depth and bredth of experience that's uncommon even in thirty year olds and you are still "improving" in your fifties and sixties, long after all but the most senior of officers have been put out to grass.

The traditional way of keeping expertise in technical subjects in the military is, early in their careers they move out into industry and become consultants. This works because the consultants are not filling "combat roles". The problem with cyber-warriors is that the military wants them as combat roles even if some are more akin to consultant roles. Part of the reason for this appears to be related to the thorny issue of medals, the top brass have already put their foot right in it with drone pilots and crews. The biggest risk they face is a car crash driving home after a shift, nobody shoots at them and they don't do anything "heroic" by the usual standard used for medals. There have been jokes in the more normal military about the cyber-warriors REMFs getting "purple hearts for tripping over power cords"...

It's a "brave new world" or rather it isn't and it's causing issues before it's got started.

ThothMay 22, 2015 7:30 PM

@Nick P
Continuing off from the previous Squid post comments regarding Type-1/High Assurance equipment.

It is not going to be easy to find an equipment not of European/USA/Russia/China in origin. These are big powerhouses in technology and budgets in a way.

Considering the reach of UKUSA influences, it is unlikely there are much variants of these sort of stuff and from the recent revelations of BND/Germany needing to obey NSA's orders to send back selectors to target European targets in exchange for certain equipment or technology, we can tell that Germany may not be on the cutting edge of those technologies in the military field ?

The other big semi-conductor and electronics company we all know would be NXP/Phillips working for the Dutch and they are in contact and collaboration with NSA so that would be assumed to be using UKUSA technology. Back to square 1 ?

Russia/China/India probably follow other routes but we all know they are good at copying products they captured via espionage or on the field although they may have their innovations somewhere.

These are all my guesswork.

The quantum encryption that Quintessence Lab uses might simply be assumed that keystreams are securely transported wrapped in symmetric keys or by some conventional ways and already present at destination location.

It's qCrypt-xStream product (essentially it's HSM since it's a Key Manager product) in it's PDF white paper (http://www.quintessencelabs.com/wp-content/uploads/2015/04/20150409_QLabs_qCrypt_final.pdf) states that it has an "Encrypted keystore with TPM root of trust" which means you need this thing (essentially a HSM to store and manage OTP keystream mats) at your "secure facilities" so that you can somehow decrypt the "miraculously" secured device in transit on the field.

What I can imagine is a set of keystreams container assigned to a device and if it got captured, they simply marked it so no one would reuse that particular container of keystreams.

I would prefer to think that the academics and industry are way ahead in designs and similar as you theorized, the military is simply good at piecing the COTS materials and slamming down the NDA/Official Secrets Act/Hush Hush hammer and reinforce secrecy even if the knowledge might benefit more people (over-classification) and as we can see, the COTS suppliers like General Dynamics and the likes are very good at keeping their relations with their cash supplier (NSA).

Regarding an open source FPGA security chip or security appliance totally open sourced.

It needs to:
- Can be fully audit-able of the process of manufacturing and the chip (very hard).
- Open blueprint (very easy).
- Non-patentable and to be in public domain (medium difficulty).
- Immune to subversion from HSAs/Nation Warhawks (very hard. Look at pt #1).
- Immune to patent threats (very hard. Look at pt #2, 3).

What can be done:
- Manufacturing of chip, designing and setting of mask to be done in permissive countries (Iceland & Swiss only).
- Use open patent protection pools if exist. Something similar to patent protection pools to supposedly protect Android.
- Distribution centers of security products should not be hindered by crypto laws (Iceland & Swiss only again).

The rest cannot be done effectively.

Bob S.May 22, 2015 8:16 PM

I'm sorry, but I don't believe there is such a thing as cyber war.

In real wars people die, are maimed, buildings and property destroyed, territory occupied, looted, pillaged, prisoners taken, abused and all the rest.

No one even gets a paper cut in cyber war. Not even drone warriors.

In the end there is one absolutely positively unequivocal way to "win" cyber war. Here it is free of charge:

Pull the plug.

Humanity survived millions of years without iPhones. It could be done again. Some people still remember how to, for example, read a map or a real book made of paper. It's not that hard.

Indeed the nut of the problem is not computers and their power, it's transporting data over the wire or in the air that's the problem. Thus, I can still read an iBook, without being connected to the net, ghastly as that may seem.

Spreadsheets will still work, data bases will still hold data.

Yes, an air gap is an absolute defense to cyber war. It's really that easy.

Maybe we ALL should take a step back. It would not be fatal, or even hurt much.

Frankly, a majority of bad guys will figure this out pretty soon. The best bad guys already have. Government spying is only going to catch the most stupid and careless bad guys (or governments), and the truth is they would have been caught anyway because they are...stupid.

In the meantime, I would like to get my rights back to a life free of government intrusion, liberty to think, speak and act without being tracked and the pursuit of being left alone.

I don't think that's too much to ask. Do you?

Nick PMay 22, 2015 8:25 PM

@ Thoth

re companies

For fabs, this is the list I've been going on. Need to look at fab location and owning company's location. So, if worried about Asians and Europe, focus on U.S. companies and plants that they trust the most. If worried about U.S., try to find foreign companies and plants outside of countries heavily involved in espionage. That barely qualifies as a short list. There's a bunch in your country of unknown trustworthiness.

Most interesting fab opportunities (after mask is secured): Silteraa (Malaysia), UMC (Taiwan), Vanguard International (Taiwan), Atlis (France), STMicroelectronics (French-Italian), Intel/AMD (USA), Micron (USA), Freescale (USA), SMIC (China), Fujitsu (Japan), Infineon (Germany), and X-Fab (Germany).

For the design, there's plenty of fabless semiconductors to choose from. If an I.P. agreement can be reached, I think a partnership with Gemalto is worth considering given they've been a target. Samsung, too, given security could be baked into their chips design and they're already dominant.

"Russia/China/India probably follow other routes but we all know they are good at copying products they captured via espionage or on the field although they may have their innovations somewhere."

Might as well do a partnership with them where they do the labor and each participant gets exclusive distribution in their country. They'll steal the crap anyway like they did mainframes, Alpha, Itanium, Cisco, etc. Might as well let them put their own resources into it.

re Quintessence Lab

Hilarious. I expected some crap such as that. As usual, they turn a line encryption problem into a key distribution problem for customers that barely understand either.

re FPGA

Fully auditable manufacturing won't happen. The auditing will have very little insight into the process and must leverage that maximally. My scheme does that. Still plenty of risk. Good thinking on Switzerland and Iceland: they're in my plan. So many tradeoffs between them in terms of costs and ASIC's are very cost-sensitive.

Non-patentable won't happen: there's patents on everything from the concepts to specific technologies. Every attempt to replace FPGA architectures with something similar has failed. So, it will be covered by patents one way or another. I considered putting the company in San Marino, but import bans is opponent's likely counter. Open patent protection is a great idea but I doubt there'd be leverage on FPGA vendors.

Distribution centers in unhindered countries is a good idea. The start is looking at stable democracies that haven't signed the Wassenaar Arrangement or have easy interpretations of it. Iceland has no controls and is a good country. Brazil, surprisingly, didn't have controls and NSA's activities might increase their support. Decent country for business. Malaysia has no regs and has a fab. Switzerland is Wassenaar but allows general export to 25 countries. Venezuela has no restrictions, is unlikely to backdoor for most countries, and can solidify a fabless semiconductor's reputation for bravery.

"the rest cannot be done effectively"

What are you referring to?

Loser tearsMay 22, 2015 8:29 PM

"Pull the plug."

Words to live by. Russian military doctrine has traditionally stressed nomograms so the troops can still function when the power is cut. This permits decentralized initiative inconceivable to NATO C3 fetishists. If you give the Soviets any shit with cyberwar, they're going to fry you with HEMP and start the real war. You'll never know what hit you.

Andrew WallaceMay 22, 2015 8:30 PM

"I would like to get my rights back to a life free of government intrusion, liberty to think, speak and act without being tracked and the pursuit of being left alone."

How do you know it is *actually* happening?

It might be the biggest post 9/11 bluff ever.

Andrew

Andrew WallaceMay 22, 2015 8:37 PM

As for the Snowden documents that might be part of the NSA trying to get inside your mind... as part of the biggest post 9/11 bluff ever.

Andrew

ZenzeroMay 22, 2015 8:49 PM

@ Clive Robinson

couldn't agree with you more in general, however emergent tech the younger people with inside knowledge know more about that particular tech. Security principles apply and people longer doing the slog know that score. Basic principles of security (should) pervade through all emerging tech. Unfortunately that's quite often not the case

@ name.withheld.for.obvious.reasons

"Comey is on the push; overstating the "largest risk" being social media and encrypted communications"

he said he was depressed with the letter he got recently, was depressing to him, because getting a letter signed by experts in the field, far and above his knowledge, is in translation, inconvenient.

To quote him "I read this letter and I think that these folks don't see what I see, or they're not fair minded,".

lines like "We urge you to reject any proposal that U.S. companies deliberately weaken the security of their products." are depressing to the FBI Director...
Kinda time to get a bit scared

(link to letter as PDF here: https://static.newamerica.org/attachments/3138--113/Encryption_Letter_to_Obama_final_051915.pdf )

Maria von KretschamnMay 22, 2015 9:25 PM

@Nick P. 're companies' is pure gold. one possible way to access the fab capacity is through the G-77, which can make the connections. G-77 is promoting what they call global knowledge partnerships as part of the Havana Programme of Action. They're right in New York, and so is the Cuban delegation, which is among the most plugged-in members. If you dropped a white paper over their transom, they would know what you mean. Or the civil society people could give you a soapbox. Renata Avila is following coordinated CELAC efforts along with NGOs Derechos Digitales and Oficina Antivigilancia.

No really, frickin slow clap. Hope to see you taking the global south by storm with your dog-and-pony show. It would pop Rogers' head like a zit.

ThothMay 22, 2015 10:10 PM

@Nick P
I gave a list of generic threats and also a very generic countermeasure list. Whatever the countermeasure list does not cover is unlikely to be feasible .. thus ... cannot be done.

Speaking about Brazil, more Defense Contractors are going there these days. Good money with all the South American situations and the need for Western influence drives these Def Contractors there.

The patents would always be one of the first few steps to shutdown cold a security enterprise due to too many security patents out there. The open patent pool I mentioned would be a useful defense if the patent pool is really strong and deep and lots of good backings which again ... is less than likely to occur until something big happens to change the industry. That's what happened when Google's Android became a patent target and an Android open patent pool was created. Need something drastic to create events to occur.

Malaysia is good place for the fabs to go as Singapore's cost of living and pay per employee just became marked up yet again (not a bad thing or maybe a bad thing depending). Venezuela is part of the country I had considered (actually I took S.A. countries into consideration on a general scale including Peru) and we know the S.A. countries do not have much close ties or may even have disputes with the West themselves.

One good example is Thales' expansion into S.A. regions via Brazil. Very sure guessing that the expansion isn't all about just sales :) .

P/KMay 22, 2015 10:17 PM

The most recent hearings of the German parliamentary investigation committee on the cooperation between NSA and BND provided some new and interesting insights:

Apparently the selectors that NSA sends to BND come in the form of an "equation", which appears to be a record containing all the names, phone numbers and internet addresses (and their variations) related to a particular target. One equation can include up to 100 different selectors.

As was revealed by the press and the hearings, BND only checked these selectors for German participants, not for European ones. Only since November 2013, BND has a filter to keep addresses of European governments and EU institutions out of its own selector list.

Internal inquiries found only very few indications for what could be seen as economical espionage. The suspicious selectors were mainly about European government agencies.

Many more details on this whole selector affair are here:
http://electrospaces.blogspot.com/2015/05/german-bnd-didnt-care-much-about.html

JonKnowsNothingMay 22, 2015 10:19 PM

Anyone have suggestion for a Text Only Browser?

I'm looking to dump Firefox due their intrusive new DRM addition and IE because it's IE and I would like something reliable old and stale.

I don't need JavaScript which I turn on/off anyway. I don't need DRM either, I don't Netflix and I own all my own media. I don't need any buddylists or event signups or other social media, I don't do FB, Twitter either.

I just want plain text and all other crap stripped out of the page. I don't even care if the pictures show - since those are rigged too.

I don't want to have to write my own, fork my own or compile my own. Something dumb and stupid will do.

Anything out there like this that hasn't been compromised by Andrew and Friends?


Just an Ordinary BlokeMay 22, 2015 10:52 PM


@Clive Robinson

That is a fantastic breakdown of how things work, it sounds like.

I have to wonder, however, if it is not a deeper problem with hackers? That is there are a wide variety of "creative" types, but a hacker creative type seems to me to be a very specific animal indeed. Not the kind inclined to want to join government. Not in this environment. Not any that have the slightest moral backbone, that is.

Though, I suspect it may be something else which defines the hacker sort, and something not at all inclined to the rigid stodginess found in militaries.

@Andrew Wallace

As there has been domestic surveillance on all Americans, people have very good reason to believe that the government has been doing in secret attacks like what we saw with Cointelpro.

Snowden documents are well proven in the destructiveness of their disclosures, not only by the US Government, but also by many third party Governments like Germany, Britain, Brazil, and etc.

So, no, Snowden was not some sophisticated scam.

I find it odd of you to even suggest such governmental maliciousness is possible, unless, of course, you are yourself engaging in a bit of maliciousness there? Hrrm?


NSA Got MITM For Android Apps

http://arstechnica.com/information-technology/2015/05/theres-an-app-for-that-how-nsa-allies-exploit-mobile-app-stores/

Summary: this, combined with other exposed exploitation methods means they could get MITM between an android client and an android app store to alter or switch out executable binaries being downloaded in order to provide a trojaned version, complete with newly meaningless certificate and all.

Kind of comes on the heels of this report:

Android "Factory Reset" Has Actually Not Been Deleting Data

http://arstechnica.com/security/2015/05/flawed-android-factory-reset-leaves-crypto-and-login-keys-ripe-for-picking/

So, all those phones people have been turning in have had their data on them all along. For the article it appears that factory reset simply has not been properly zeroing out all the previous used bytes. Which has long been a well understood 'no go'.

Worse, because your decryption key is ultimately just another file, even if you had full disk encryption, your data would be lost to any potential attacker.

While no tell tale NSA handprints are on this, do note that there is a monopoly on the business of returning used phones.

And how did everyone miss the fact that 'factory reset' was not doing a proper job at deletion?

And now for something completely different:

Lest we forget the only bad ones out there are among the Democratic states.

Chinese Army newspaper calls for military role in Internet culture war
Claims West and "ideological traitors" use Internet to weaken Party's authority.

http://arstechnica.com/tech-policy/2015/05/chinese-army-newspaper-calls-for-military-role-in-internet-culture-war/

In the view of the PLA Daily, Western powers and Chinese "ideological traitors" have used the Internet to wage war on the Party: "Their fundamental objective is to confuse us with 'universal values', disturb us with 'constitutional democracy', and eventually overthrow our country through 'color revolution'," the article stated—an allusion to the "Orange Revolution" in Ukraine and other popular uprisings against Communist authoritarian governments in the former Soviet Bloc. "Regime collapse that can occur overnight often starts from long-term ideological erosion."

Ha ha hah. A bit of a forced laugh there, it is just a little bit difficult to swallow that anybody can believe such tripe. After all, is not the primary adversary of a communist state the communist state?

I suppose they should get out their history books....


But, of course, as we are seeing, that rule does remain true for Democratic States, as well.

ThothMay 22, 2015 11:17 PM

@Just an Ordinary Bloke
In regards to the failed wiping of phone data by Android, I wouldn't even recommend trading up or giving up the phone at all. Phone level "wiping" of contents be it internal memory or SD cards are kind of pointless as the paper pointed out.

To dispose a phone, you need hardware tools to break into the phone physically (e.g. pliers and screwdrivers) or even a bench saw and a bench drill and you can start working your way.

Remove thew LCD screen first because you dont want glass to splatter. Look for the CPU and the memory chips and put the bench drill to work with sufficient diameter drill sizes.

Subject SD card to same drill treatment.

You are done. Dump the contents either in a single location or multiple separate locations.

In-regards to key storage for crypto keys, either use the TPM module in the ARM CPU core or use an external key storage smart card in a NFC / Contactless card or tag or in a microSD card size (that means you cannot mount a flash memory microSD if you are using a smart card microSD).

There are options to buy a smartcard reader that has a micro USB plug suitable for portable smartphone payment option which you can use a Contact smartcard for key storage.

If these secure elements are uncomfortable because you are worried of backdoors, then don't use it for sensitive activities and use physical destruction of handsets when not needed.

ThothMay 22, 2015 11:19 PM

@Buck, JonKnowsNothing

Download File:
$ curl

OR

$ wget

Read File:
$ cat xxxxxx_file

OR

$ nano/vim/vi/gedit/... xxxxxx_file

JMay 22, 2015 11:57 PM

@Thoth

I actually do not keep any sensitive data on my phone. But, since I have you and your expertise...

Some questions.

1. Isn't it that "factory reset" long ways back was supposed to and made claims to 'securely delete' the full contents of the phone memory?

Or was that claim just never made?

I have worked with file systems before, and I am cognizant of the problems of orphaned data lost in the file system which can be picked up by tools like Encase designed to browse the raw contents. It seems remarkable that this oversight actually happened. They never securely deleted all the memory, at all?

2. Can you not go into the system, say by debug mode over cable, and simply automatically overwrite all of the data? Or is there another problem at hand there?

3. How did Google and everyone else miss this for so long?

FigureitoutMay 23, 2015 1:09 AM

JonKnowsNothing
--Recommended it before, w3m. It's a very intuitive text browser, can start using w/ no manual (which means it may have too much maybe, but it'd be a nice step down to eventually lynx).

(W/ internet):

'sudo apt-get install w3m'

[open terminal]

'w3m schneier.com'

Pretty intuitive for surfing around, different sites will be better (javascript ones, nope). Takes longer doing everything though you know? Mouse is limited, I can do things much faster w/ keyboard && mouse && GUI.

CuriousMay 23, 2015 2:56 AM

Being someone not really into crypto, it still seem obvious to me: that it is better to rely on the security with proper implementation of public key cryptography with a large enough key without the use of elliptic curve cryptography, instead of using ECC for sake of speed. Simply because I would rather go for a known secure route than the hype of "new big thing".

I am wondering when it would become really inconvenient having huge key sizes for crypto stuff.

I think I would personally have no issue emotionally with having to wait 30-60 seconds for crypto stuff to work for me, for things that I only use once or twice a day, or for concurrent stuff that doesn't require further interaction. I would have to know that this stuff actually offered the security I wanted or needed though, before simply buying into whatever popular solution that might be offered to me, by my browser, bank, or anyone really.

Assuming there aren't any technical show stoppers in implenting secure crypto, would my browser company deny me such a stronger security?

I think the people making internet browsers should be tasked to inform the user about cryptography, and I strongly dislike that the people working with my favourite browser (Opera) doesn't seem to care.

thevoidMay 23, 2015 3:13 AM

@JohnKnowsNothing, Figureitout re text-browser

i second w3m, which is what i am using right now. openbsd installs it just as easily as linux, all you have to do is:

sudo pkg_add w3m

i run it in a chroot jail as well, for extra security, with no problems (you need vi & gunzip for it to work properly, but otherwise...)

the benefit over lynx is that it actually formats the page so it is arranged roughly as it would be on a graphical system. i have been using it for years, but more and more sites are requiring javascript, which makes them inaccessable. sometimes i can read the code to figure out how to get to a page, but sometimes the code is made unreadable. (half the time they are not even doing anything in javascript that couldn't be done in basic html...)

and who needs a mouse? there is no interface faster than a keyboard.

ThothMay 23, 2015 3:26 AM

@J
The paper includes a good mention of how the actual memory cell may avoid being overwritten because flash memory have limited writes on their cells and constantly using a particular cell would cause wear and tear. Firmwares and high level applications would mitigate the wear and tear by shifting the data to rotate between memory cells and this would cause the erasure or wiping to be very inaccurate. Imagine you copy a file from XXX location of cell to another location or perform a few write operations and saving the file, the algorithm for minimizing memory cell wear and tear might kick in and shift the data to another cell block and at the moment you "zeroize" the data, you only remove one of the copies at an instance in time. Not to forget, applications tend to keep caches too.

How are you going to "secure wipe" in a logical fashion the memory cells ? The only way is to have direct access to every single memory cell to reset it's state but that would unlikely be possible to a large extend as the underlying OS/FS/firmware algorithms might kick in.

The recent fallout between Apple, Google and NSA et. al. regarding Full Disk Encryption is to simply encrypt the entire filesystem so that no matter how you move your data around, it would still be stored in encrypted form.

So in essence, software-based secure wipe for flash memory or disk platters is vulnerable to a certain degree unless you use Full Disk Encryption from the first day the system boots. Flash memory as it is (with the cell level write wear and tear) are very vulnerable to forensic examination regardless of the type of software wiping tool used.

I always advocate physical destruction due to the fact it is the most proper way to securely dispose of stuff.

Talking about using system debug mode to wipe it or let's say you have access to the firmware to do a complete clean out, electronics and electrical designs as it is has a chance of simply not working by either not delivering enough charge to certain cells or missing some during a mass wipe. You may have a better chance with firmware level wiping but there is always that small window of missing.

@Clive Robinson
Maybe you can somehow elaborate on firmware level wiping and using electrical wiping of flash cells ?

@J
How did Google miss it ? I think Google isn't expecting it to be 100% secure and only bothers that a normal API call to the phone cannot retrieve it back.

@Curious
Huge key sizes for crypto are common these days. Many high end smartcards support key sizes up to 4096 bit keys for RSA and probably even 512 bit ECC keys (referencing Infineon's high end smart card chip catalogue) and on top of that these high end smartcards are rated at CC EAL 6+ security level (7 ~ 7+ is the highest).

Crypto is not part of the main browser business. Their business model is about rendering webpages and usability. Security comes in as an after-thought for most of them or even all of them otherwise there wouldn't be so many browser loopholes. They could technically use very strong crypto but why would they do that when the majority just want good enough crypto and strong crypto means slower web browsing speed but the main thing you should be asking is why they don't give you an option to specify the crypto parameters :) .

Mind you RSA 4096 key generation would probably take about 20 minutes or so for a conventional PowerPC architecture crypto-chip (which is used in the rack mounted Thales nCipher HSM) and about 1000 or less RSA 4096 bits ModExp per second. Put in simple terms, bigger keys, lesser speed by probably square root of previous key size.

Wesley ParishMay 23, 2015 3:51 AM

Forget Pterorists descended from Pterosaurs swooping down from suddenly unfriendly skies and lunching on one, the real risk we all face is an inability to gauge risk!

https://medium.com/starts-with-a-bang/throwback-thursday-are-asteroids-dangerous-1ce5dec7cb0b

(You have a much greater risk of dying from a lightning strike, plane crash, earthquake, dog bite or accidental fireworks discharge than you have of dying from an asteroid strike.)

In fact, you have a much greater chance of being bitten by a politician and dying of complications than you have of being devoured by a Pterorist. Comforting thoughts for Americans facing Yet Another Election Debacle. And will the the Insurance companies insure you against being bitten by a politician? Hell no, they won't even insure you against being bitten by a rabid insurance salesman!

Bob S.May 23, 2015 5:01 AM

Let the skullduggery commence!

Patriot Act extension and Freedom Act failed in the Senate 57-42.

But, McConnel is calling for a session on Sunday May 31, for one more vote. I would assume by some administrative trickery they will get something passed.

BTW, the threat of terrorism is no longer a concern. (Good news?). The is the new mind bending logic:

"White House spokesman Josh Earnest urged the Senate to act. "The way to eliminate the risk of these critically important national security authorities from lapsing is to pass the USA Freedom Act,..." ~AP

Terrorism is OUT!

The new risk/threat/excuse is losing "national security authorities" in and of themselves. (What's important is having the power.)

The Freedom Act of course, is not true reform at all, but akin to rearranging the deck chairs.

In other news, TPP fast track passed. hmmmmmmmm.

Andrew WallaceMay 23, 2015 5:55 AM

@Just an Ordinary Bloke

@Bob S.

@Everyone

As long as you *think* there is surveillance then the job is done.

Psychology of security is a studied subject.

Andrew

ThothMay 23, 2015 8:06 AM

@J, all
I finally had time to sit down and properly read the paper so here's a couple of points to point out.

Anderson's team assumes:
- General encryption key storage in files.
- Keys are stored either plain or derived from salt and user password.
- TPM or hardware security modules are rarely used (crypto-chip usage).
- Authentication soft tokens and codes stored in configuration data segments in plain text
- Banking apps store sensitive data in phones in plain.

Known situations (may or may not be applicable despite existence of such standards):
- EMV and PCI-DSS does mandate banking and financial data handling of phones. Whether it is adopted or not by Financial Instituitions (FIs) is unknown. Any app that handles monetary transasctions by FIs must pass penetration testing and standards of EMV and PCI-DSS or the failure to comply to security policies would mean the FI is punishable by law and by sanctions.

- ARM cores contain TrustZone (TPM/Crypto-chip) modules and most Qualcomm Snapdragon cores found in many types of smartphone handsets are ARM TrustZone enabled. That means keys can be stored and generated securely in the hardware crypto-chip of the Qualcomm Snapdragon. The TPM modules of the ARM cores also include capabilities of Secure Execution of critical codes. FIs, sensitive apps can load their sensitive executable codes, crypto keys, license keys and so forth into the Secure Execution environment of the handset's ARM Trustzone. Android library does have API interfaces to allow interaction and discovery of these secure environments and allow usage.

Why are they not used except probably FIs ? People probably don't know much about them. Education is the key.

- Assumption that encryption keys and sensitive passwords are stored plaintext is naive but true. They do happen and it's unfortunate some people are oblivious of proper Password Base Encryption requiring a user password and some salt to be formatted into cryptographic keys or the oblivious knowledge that most handsets are running some form of ARM cores with ARM TrustZone enabled !!!

- Authentication codes and soft tokens are not regarded as critical by most app developers and store them in plaintext. That is very unfortunate as it is as good as storing passwords in plaintext.

To put it simply, Anderson et. al. is probably worried that the Factory Reset does not cleanly wipe out phone contents with simplistic assumptions of cryptographic keys stored in plaintext. Anderson et. al. did not take into account of PCI-DSS and EMV standards requirements for FIs to secure their data and the FIs are in a "hungry spree" to find secure solutions for their products which include the usage (proper or improper) of the ARM TrustZone in Qualcomm Snapdragon's ARM core chips and other ARM core chips in the market equipped onto handsets.

Recent security clamp down on FIs application requiring end-to-end encrypted applications across the globe is a positive sight but whether the FIs can fully deliver end-to-end encryption on their applications and proper security (including protection against mobile key and screen loggers) is another problem of it's own.

In simple, it is a mix bag of blessings and disaster. The good thing we know (in the security community) is that people are more knowledgeable on security and are finding ways to not store plaintext keys and passwords (which Anderson et. al. portray as the worst case which is understandable from a security research point). EMV, PCI-DSS, FIs are pushing the introduction of TPM modules/ARM TrustZone into the mobile computing space.

Host-Card Emulation (HCE) technologies are maturing as well. What HCE does is allow the sharing of your SIM card's additional secure key storage spae and secure execution space with your authorized application developers (your SIM card must support it and your Telco must use their own Issuer Security Domain 3DES keys (SIM Card master keys) to help you load and sign your application). Note that some micro payments via smartphones are using HCE and Thales also start to support HCE with integration into their HSMs thus enabling more micro payments and secure transactions.

The bad thing is whether the FIs would implement these security proper and whether penetration testing can detect flaws is another issue. I have seen badly implemented security logics, badly implemented homebrewed crypto and couple more bad security codes either not carefully drafted, made and/or tested slip into real world sensitive FI apps and I can only shake my head (can't name the app, technique and FIs due to my current job).

Enough talking about all the bad stuff and my interpretations of Anderson et. al. paper and intentions. Where do we go from now ?

Same as Anderson et. al., I would recommend FDE + TPM module/ARM TrustZone/crypto-chip. The keys are stored in the hardware chip and FDE to be used from first initialization of handset.

If you don't trust the hardware chip, use a tweak key. To construct a tweak key, you simply take value A and do a mathematical operation with value B. In simple terms, you split the actual encryption key into parts (secret sharing) but to reduce complexity and the cumbersome of secret sharing, you introduce a tweak where the semi-trusted hardware module holds 1 half of a key and you memorize another half of a key and to derive the actual key, you calculate the key in the hardware and the key you memorize for the actual key. The entire calculation should be done in the hardware chip because exposing the tweak in the main memory can be dangerous to keyloggers albeit the hardware chip being semi-trusted unless you can perform an ORAM computation for the actual key.

Google should make key and password protection more obvious and do more to educate on such security features.

Google should introduce some form of security wallets to store credentials and enforce it's use and have it protected by the hardware chip or a PBE-based encryption key hardened by doing a cascade of BCRYPT + SCRYPT (PBE-BCRYPT-SCRYPT-CASCADE-MODE).

External secure element should become easier to integrate into handset to provide additional protection.

Logical secure deletion is not very possible due to varying filesystem, OS and firmware methods of handling data on the flash storage. Again, the importance of FDE needs to be highlighted.

If FDE cannot be trivially done, another method is to allow developers to program in the creation and usage of encrypted VFS more easily so that files are stored encrypted from the beginning.

Developers need to be fully aware of the importance of encrypted files as a means of secure wiping because a lost encryption key (assuming no program backdoor) would meant your data is as good as not recoverable (wiped securely) and this is much more effective than logical wiping of data.

************
NOTE + DISCLAIMER: If you are using these security hardware (ARM chips) to secure yourself to evade Governments, you might be in for a surprise/non-surprise because you can consider the chips backdoored. You are better off using BCRYPT + SCRYPT PBE encryption of your master key than use a hardware module to protect keys. The combination of PBE-BCRYPT-SCRYPT-CASCADE-MODE is so that BCRYPT would foil CPU acceleration attacks while cascading with SCRYPT foil GPU attacks (brute force types) making it suitable to delay GPU and CPU attacks.

65535May 23, 2015 8:29 AM

@ Bob S

The skullduggery has started.

As you noticed that the Senate will reconvene of Sunday the thirty-first when everybody will be on vacation to do the dirty work.

Secondly, Emptywheel says Richard Burr a Republican, has popped open a bill that will actually expand Section 215.

[Emptywheel]

"Richard Burr finally released the bill he pulled out of his ass. This will be a working thread.

"(29)The bill treats data from Section 215 as if it were EO 12333. As a threshold level, this s weaker minimization than under the existing program (then so was USA F-ReDux). But right now nothing under EO 12333 ever gets disclosed to defendants. So this creates a black hole, meaning this stuff will never be forcibly reviewed for constitutionality."

https://www.emptywheel.net/2015/05/22/working-thread-burrs-11-bullet-points/

I say dump Section 215 and be done with it. It's a travesty.

BenniMay 23, 2015 9:34 AM

News from James Clapper:
http://www.spiegel.de/politik/deutschland/us-geheimdienste-ueberdenken-kooperation-mit-deutschland-a-1035279.html

Because secret documents from the NSA investigation comission always make it to the press, Clapper has ordered the american secret services to assess where they can end the cooperation with BND.

"What the german government does is more dangerous than the Snowden revelations" says an official and points to the question whether the german chancellery wants to give the selectors that NSA gave to BND in bad aibling to the NSA investigation comission in the german parliament....


This is a sign that the large stasi file really should get on wikileaks

BoppingAroundMay 23, 2015 10:04 AM

JonKnowsNothing,
lynx, w3m, elinks2. w3m can even display images properly, I think.

Bob S.,
If 'terrorism' is not a threat anymore as you write, who will be the new bogeyman?

FigureitoutMay 23, 2015 1:54 PM

thevoid
--I like to stream music via u-tube (pretty much never download anymore...), insecure I know; haven't tried that w/ w3m lol...Treated as an insecure session anyway.

and who needs a mouse? there is no interface faster than a keyboard.
--Hmm, debatable mate. I can do the BIOS bootscreens and other programs like that w/ no mouse but I feel kind of like someone cut off my arm if I don't have a mouse.

rgaffMay 23, 2015 2:54 PM

@ BoppingAround

He's not really saying that "terrorism isn't a threat anymore"... he's saying that they're finally starting to drop the pretense that everything is about terrorism, and just admit openly that it's really about power. So.. effectively, to answer your question, simply "OMG WE'RE LOSING OUR POWER" is the new bogeyman all by itself! Instead of "all your children will DIE" it's "all your mighty leaders will be POWERLESS!"

Or maybe it's just a one-time slip-up and they'll go back to the "terrorism terrorism" mantra? The thing is, people are getting a bit used to hearing that word overused and it doesn't even evoke so much fear anymore as it used to... i.e. western governments over time are less and less able to continue to terrorize their own populations by repeating the word so much, and milk it for more power. So as the word loses effectiveness, maybe it really will be dropped more. Let's just hope any "spring back" doesn't entail rivers of blood flowing down every street...

JMay 23, 2015 3:10 PM

"J" was a typo, but guess I will stick with that.


@Andrew Wallace

As long as you *think* there is surveillance then the job is done.Psychology of security is a studied subject.

Psychology of Security 101.

Alice and Eve are enemies. Eve is a cook. Alice really wants Eve's food. Alice goes to Eve's restaurant and buys food from Eve. But Alice realizes she can not eat it. It might be poisoned.

So, Alice comes back another day. Alice dons a disguise. Eve brings Alice her food. Alice believes Eve can not see through her disguise. So Alice eats the food Eve gives her.

If Eve saw through Alice's disguise, then the food is poisoned.

If Eve did not see through Alice's disguise, then the food is not poisoned, but good.


Food is information. Eating is believing. The disguise is the secrecy of the surveillance. If that secrecy is broken, then the poison is eaten. If that secrecy is maintained, then good food is gotten.


CyberBleedsOnToPhysical@cyberbleedphysical.comMay 23, 2015 3:12 PM








Dear Computer Woman: Do You Feel Safe?
not advice, legal disclaimera, possible fiction

1 theme: cyber TENDS TO BLEED OVER TO physical security
2 1.)openssl heartbleed - Internet is 'free and open'
3 2.)ID theft - 'low risk, high gain'
4 3.)zipcar theft - 'no, the parking attendant who
3 2.)ID theft - 'low risk, high gain'
4 3.)zipcar theft - 'no, the parking attendant who
5 is minimum wage is NOT likely to pick out the
6 thief in a police lineup.'
7 4.)possible 'METAL WEAPON rental' possible illegal
8 'gun ownership and loss' continues to rise in USA
9 5.)fast paint on zipcar logo - 'hard to tell the
10 rental cars'

11 6.)every 43 seconds a car is stolen in the U.S.
12 and why are there so many serial car thieves?
13 legal loophole
14 quote: "It's called joyriding. It's a misdeamnor,
15 and I could take that vehicle, having a key to the
16 vehicle that belongs to that vehicle."
17 http://abcnews.go.com/Business/things-car-thieves/story?id=20938096

18 7.)endgame scenarios include: smash and grab tactic.
http://www.berkeleyside.com/2014/05/09/car-smashes-into-apple-store-on-berkeleys-4th-street/
19 7a.)obtain 'burner car' like zipcar.
20 7b.)crash through security gates at store
21 7c.)fast grab and distribute
22 7d.)surveillance video of license plate is worthless
23 7e.)evade capture for serial endeavor
24 7f.)ecosystem economics to middleman who 'rents out the car'
25 for specific project or 'job'

26 http://nypost.com/2015/03/09/thieves-are-stealing-zipcars-across-the-city/
27 Thieves are stealing Zipcars across the city
28 nationwide trend
27 Thieves are stealing Zipcars across the city
28 nationwide trend
29 March 9, 2015
30 Auto thieves have swiped at least 20 Zipcars — mostly luxury
31 vehicles such as Mercedes-Benzes, BMWs and Audis — from
32 lower Manhattan parking lots since July.
33 When their bogus cards didn’t work, the crooks complained
34 to the attendants, who work for the individual lots and
35 and NOT ZIPCAR.


JMay 23, 2015 3:28 PM

@Thoth

Wow, that was a terrific writeup, thank you. I do not understand all of the ins and outs, but got a number of good points.

Marcos El MaloMay 23, 2015 4:45 PM

@J

Don't feed the troll, please. You know to whom I'm referring? The guy that makes claims and statements he won't back up, who pretends to be a security professional, who has apparently left a trail of trolls on other security discussion sites?

Andrew WallaceMay 23, 2015 4:45 PM

@All

I'm in the physical security indsutry after psending ten YEARS in cyber.

There is something called "natural surveillance"

That means designing buldings, shopping centres and town squares so that there is a natural surveillance so that crimnals feel there being watched but *not really*.

Andrew

BenniMay 23, 2015 5:33 PM

There is someone who really can hack airplanes:

http://www.spiegel.de/international/business/hackers-warn-passenger-planes-vulnerable-to-cyber-attacks-a-1035172.html

@P/K
"Internal inquiries found only very few indications for what could be seen as economical espionage. The suspicious selectors were mainly about European government agencies."

Unfortunately that is not really true.

BND says that in 40% of the cases it can not find out who is targeted by these selectors:

http://www.spiegel.de/politik/deutschland/bnd-affaere-weitere-listen-mit-brisanten-suchbegriffen-a-1035018.html

and their number is at 8,2 million now: http://www.zeit.de/digital/datenschutz/2015-05/bnd-affaere-selektoren-nsa-liste

So there can be many employees of european companies in those selectors. But BND certainly does not know the IP address of every sysadmin working for a german company....

And that is why I said the best thing where this selector list can land is on wikileaks. Then everyone can search after his own ip, cookie, facebook-id, forum nickname or email address. What NSA really aims for can only be uncovered in a community based approach. This can not be done by the german government since they can not interrogate those who created this list...


Clive RobinsonMay 23, 2015 5:58 PM

Was >"China APT" all hot air and nonsense?

Some of us certainly feel it was a very blinkered "seeing by red glasses" approach by the likes of Mandiant which appeared to ignore all other, often more significant threat nations.

However some go further to note that China was not realy a military threat at all,

http://thediplomat.com/2015/05/are-we-exaggerating-chinas-cyber-threat/

And that China has only very recently started to get military cyber capabilities, in part to support other activities like those in the South China Sea,

http://thediplomat.com/2015/05/beijings-formidable-strategy-in-the-south-china-sea/

If you have the De je Vue fealing it could be you've read a Tom Clancy novel that --like 9/11-- has a plot line that now appears to have fortold the events.

SkepticalMay 23, 2015 5:59 PM


@Ordinary Bloke: I have to wonder, however, if it is not a deeper problem with hackers? That is there are a wide variety of "creative" types, but a hacker creative type seems to me to be a very specific animal indeed. Not the kind inclined to want to join government. Not in this environment. Not any that have the slightest moral backbone, that is.

"Hacker creative type" means what here?

There's nothing unethical about serving in the US military, the UK military, etc. Nor is there anything unethical about serving in their intelligence or law enforcement agencies.

There is certainly policy controversy about very particular laws. But what "hacker creative type" individuals would do in a cyber-warfare context has almost nothing to do with those laws.

The individual tasked with finding a way into a foreign intelligence or international terrorist network is going to be faced with challenges that have zero to do with Section 215. Ditto for the individual tasked with securing tactical networks in the field, or any of a wide variety of other missions.

One will NEVER agree with every policy implemented by a government - especially not in a democracy, where many policies are necessarily formed by compromise. Nothing revealed by Snowden rises to the level of a policy so unethical that it outweighs all of the good that is done by other policies.

In other words, one can be passionately opposed to the telephone metadata program, while also being passionately committed to the defense of one's country. Good intelligence, and secured communications and systems, can be the difference between peace and war, between life and death, on both small and large scales. History has not stopped, and among its many lessons is that what seems almost inconceivable to us today is often more a a reflection of the limitation of our imagination than it is a limitation of reality.

However much one may disagree with certain specific policies, overall the US actually does protect individual rights and a democratic way of life. There are ugly sides to US policies, and to US culture, there are failures in some instances to measure up to US principles, as is the case for every government and for every culture. But for all those imperfections, it is far and away a better and preferable system to that of its enemies or potential enemies; it is susceptible to improvement; and it is worth fighting for, and even should the necessity arise, dying for.

JustinMay 23, 2015 6:19 PM

@ Skeptical

That's a great post, especially for the Memorial Day weekend. I am glad that you are recognizing some of the things you do recognize.

Clive RobinsonMay 23, 2015 6:21 PM

@ Benni,

This snippet from the article had me sadly shaking my head,

The BSI does not, however, agree with Teso that such weaknesses can easily be exploited. "Even a successful attack, we believe, might be enough to annoy the pilots, but not enough to take over control of the aircraft."

Remember that jet aircraft have crashed due to anoying displays on cockpit instruments that then confused the pilots who then made fatal mistakes...

The problem is that pilots believe what their instruments tell them almost without question, so much so they have also become dependent on them and either don't know how to, or fail to, sanity check odd instrument values before acting on them.

ThothMay 23, 2015 6:42 PM

@Figureitout
From previous squid threat:

"They may be honeypots."

Yes they might be. You need to be prepared if they are and you need to know how to position yourself so that you only show them what you want them to see.

Clive RobinsonMay 23, 2015 6:54 PM

@ Skeptical,

There's nothing unethical about serving in the US military, the UK military, etc. Nor is there anything unethical about serving in their intelligence or law enforcement agencies

Please don't confuse "ethics and morals" with "laws and legislation" they are very very different animals.

Firstly "laws and legislation" are a last resort to enforce by punitive action adherence to viewpoints held by a few on the many. Secondly "ethics and morals" are held by individuals as a code to live by whilst they may have commonality with others ethics and morals at the surface, they are often on digging deeper found to be unique to individuals. This uniqueness is one of the reasons organisations have "ethics commities" to try and ensure people sing from the same song sheet.

One of the big issues with cyber-warfare is it's by and large not going to be those under flag targeting others under flag, but infrastructure. Which in the main will harm those individuals of a nation not under flag that are usually called civilians or collateral damage.

Thus whilst some may consider it lawfull because currently we don't have international law to prevent it, they would find it both unethical and immoral by their personal standards.

As it happens there are treaties that both the US and UK have signed upto along with other nations that should prevent civilians being attacked by those under flag. However with the industrialisation of science for warfare over the past century this has been steadily rendered less and less of an impediment to those commanding those under flag.

Arguably the original definition of terrorism was for the use of those under flag or arms of one sovereign nation attacking those of either that or other sovereign nation who were neither armed or under flag.

Thus those indulging in cyber-warfare are in reality terrorists in deed if not name, --irrespective of if they are under flag or arms,-- and I think many would agree that the behaviour of terrorists is both unethical and immoral.

Ordinary BlokeMay 23, 2015 8:03 PM

@Skeptical

Your response is appropriate, but do not confuse my opinions with what a twenty something hacker's opinions would be. It was from that viewpoint I made that statement. If that was not clear from my statement, well, it was only a paragraph.

There is also another important aspect of what I was saying, that we are talking about a hacker.

A hacker is going to get engaged into such work knowing they will do dirty work.

That is a very important part of that problem. To even begin with that is a difficult moral problem. Where are talented twenty something hackers going to find "no question" moral, legal work? All over the place, in corporate. Corporate research, security vendor companies, security consultancies, and many different possible areas in corporate security teams.

So, say, the US Government approaches them to work for them. They approach them because of their skill. What will be on their mind, if they are not at least somewhat knee deep in conspiracy theories, as many twenty something IT people are. Especially fresh out of college.

They are going to have watched some of the popular documentaries out there.

1. Rendition. Illegal detainment of innocent people at black sites and Guantanamo Bay.
2. The torture program, how that was implemented, and how that was run, and how it was attempted to be covered up.
3. The Iraq War. The bad intelligence that got the US in there, and the horrible job in reconstruction and occupation. The bad job in leaving. Above all, it had nothing to do with 911 or terrorists.
4. They probably will understand the US poor efforts at reconstruction and occupation helped lead to ISIS.
5. The excessive civilian causalities of the Iraq War, the Afghanistan War, and the drone program.
6. The hacking of Angela Merkel, Brazil, some other countries. Excessive hacking of friendlies.
7. Domestic surveillance, sure, I think that would be on their list.
8. Then you have a whole range of police corruption, racism, and brutality problems going on, domestically.
9. Domestically, they are going to be apprised of many of the corrupt investigations that have gone on out there using "parallel reconstruction", or being too extreme on some defendants that might loosely be said to have been "hackers". They are also going to be aware of the numerous effectively entrapment programs against Muslims, and probably some of the domestic surveillance abuses against Muslims.
10. The truly extraordinary way that no one meaingfully involved in anything bad is prosecuted. A bunch of teflon dons. Problem is societies need meaningful, true scapegoats to get rid of the errors. Arrest, prosecution, trial. Not just for whistleblowers and retarded Muslims caught in entrapment. Otherwise, the whole government's credibility is effected, domestically and abroad. There is zero distancing from the errors.


Worse, if they are political, what are they going to be? They are going to be either liberal to left wing, or they are going to be libertarian. And if libertarian-conservative, they are going to be aware of the severe glut problem of the intelligence-military-industrial complex.

If they are apolitical, well, a good chance a lot of those are sociopaths. Engaged in criminal work, without regard of victimization. They would join, if they felt that it would be safe.

So, that is a lot of bad marks against them joining.

Joining the military, that is even worse. US Military is too orthodox and rigid for hacker genius types. Intelligence, no. Defense contractors for intelligence and possibly military? No.

The pool of credible candidates, considering even cursory knowledge of the above is going to be very small from an already very small pool of truly talented candidates.

I do not even think the sixties would have been a worse environment.

They are not stupid. Who would they hack? Just consider what would run through their mind.

A number of groups really fucked up credibility.


Again, to be clear, my views are far more complex. But they are also irrelevant to what I was saying. I definitely do not believe anyone twenty something would have to lack moral backbone to join law enforcement, intelligence, or military. I do not believe that young servicepeople in the Air Force would make a wrong choice to go into the Cyber Division. At all. But they are not hackers to begin with, and do not understand the power of the capacity of what their talents can provide. They are probably joining because family had joined, and are not even thinking about any of the above.

If this was the Cold War, different story. If this was WWII. Heck, if this was just post-911, that would have been a great hiring time.

Obviously, it would not be this way for every very talented twenty something (or teen) hacker. I think the exception there would be if their parents did the same sort of thing, or otherwise worked for government. That is actually not so rare for hackers. The intelligence and mindset is definitely genetic, from what I have seen.

Unquestionably they can use their skills for good in corporate. And really for good, unquestionable good. The kind of good that makes them keep strong self-esteem and to maintain happiness. The pay is going to be usually far better, as well.


Nick PMay 23, 2015 8:16 PM

@ Maria von Kretschamn

I appreciate it. Yes, the G-77 are one of the routes with the highest potential and possibly most difficulty. Our hardware guy and I bought thought of using a few in that group. I didn't think of G-77 itself, so thanks for that. :) My problem is that quite a few in this list are worse than the Five Eyes in terms of regime abuse. I'd have to pick a subset I could tolerate in conscience or have to work with out of necessity. Picking the right ones might be tricky.

" Renata Avila is following coordinated CELAC efforts along with NGOs Derechos Digitales and Oficina Antivigilancia."

CELAC has potential, esp given U.S. targets many of them. A few, such as Brazil and Venezuela, have the revenue to back the projects. Renata is interesting: writer, activist, apparently ideological, and beautiful. The tech scene has an abundance of technical skills, but not people or speaking skills. She might make a nice face and voice for a trustworthy computing initiative in the area on top of whatever hands-on work she does. I've never heard of her, though. What made you mention her specifically?

"No really, frickin slow clap. Hope to see you taking the global south by storm with your dog-and-pony show. It would pop Rogers' head like a zit."

His squemish and worried faces would be priceless. Far as doing it, I've run many scenarios in my head. If the result is secure and has good production yield, then the scenarios all end about the same way: NSA director makes phone calls, State department puts political/economic pressure on source country, Wassennar countries may apply trade restrictions on that product, CIA's National Clandistine Service begins taking a more direct role, and organized crime optionally does the same. There needs to be a *strong* committment at the highest levels of these countries' governments and preferrably plenty for America to loose in trade. They'll have to leverage this in negotiations to hold off anything NATO might do.

That's my prediction, anyway. If strong pressure or attacks don't happen, then the offering was likely subverted. It's how I've always looked at it.

@ Thoth

"Good money with all the South American situations and the need for Western influence drives these Def Contractors there."

Most likely. It also provides cover for spies.

"The open patent pool I mentioned would be a useful defense if the patent pool is really strong and deep and lots of good backings which again"

You're missing it. It's not "we have patents" on one side versus that on the other. To target a company, one needs patents that covert their products or services specifically. So, you'd need patents on FPGA fabric, I/O tech they use, process nodes they use, EDA techniques they use, and so on. You can have a 1,000 good patents that don't cover this stuff and it's no better than having 0. So, each potential patent threat in an industry sector must be met with a countermeasure that applies to them and with similar weight to their own. So, broad, deep, etc apply but the patents have to be specific to the target's business.

"Malaysia is good place for the fabs to go as Singapore's cost of living and pay per employee just became marked up yet again (not a bad thing or maybe a bad thing depending)."

I'm considering both. What's your thoughts on odds of corruption in Singapore fabs? I know all skim money, might grab devices for resell (claiming bad yield), and so on. I'm instead talking about subversion. Singapore allegedly is better in this category than most and I couldn't imagine Malaysia being better. Well, there is the possibility of "I value my great job compared to people making T-Shirts. Better not get caught doing bad things."

"(actually I took S.A. countries into consideration on a general scale including Peru)"

I considered Peru, too. Didn't realize how huge their GDP was until I checked just now. Definitely potential on financing side. Not sure what to make of them without a lot of research. I just haven't really kept up to date on South American and African countries except for a few. One I really considered in the past was Panama, a popular offshore spot. The thing I liked about about them was how they got the better end of the Panama Canal deal. Things like that *might* mean they are less likely to roll over for U.S. intelligence, esp if they depend on the result.

tyrMay 23, 2015 8:30 PM

@Clive

There's an apocryphal story of an intercept station
picking up a Rus General, arguing with his cockpit
warning system just before his fatal crash.

The report from the black box on that south Atlantic
crash was also pretty nasty, pilot and copilot doing
opposite things with the controls. The old proverb
about too many cooks ruining a stew applied there.

There was also an RTFM fail a couple of years ago
by a middle eastern lot taking over their shiny
new executive Airbus, locking the brakes and running
it up to full power on the ground. Then some loon
decided the alarum system was annoying, switched it
off and the airplanes comp decided it was airborne.
The comp released the brakes and the shiny new
plane slammed into the perimeter concrete barrier
breaking off the nose and turning the plane into
garbage.

The aircraft business tries to maintain a squeeky
clean facade because the average person is already
scared shitless by the idea of flying through the
air, so they keep a low profile if possible.

Here's an idle thought, how about we allow all this
bulk surveillance on the condition that in five
years the collected data is opened to the public for
access. If they can't find a threat to national
security in five years they should be fired and the
public can sift through the bulk for their favorite
elected officials non public actions. Makes the
governors a lot more transparent without impacting
the mad gangs of spooks.

Ordinary BlokeMay 23, 2015 8:53 PM

@Clive Robinson

Was >"China APT" all hot air and nonsense? Some of us certainly feel it was a very blinkered "seeing by red glasses" approach by the likes of Mandiant which appeared to ignore all other, often more significant threat nations.
....


I don't really get a sense that anyone is much worried about China anymore. Press headlines aside or posturing by diplomats. If China wanted to fuck the US, they could just start dropping bonds.

Late 90s-2010~ they were a big concern. Much of that well before anybody decided to go to the press.

It is very clear now that China was all about industrial espionage. But they have a legal route to do that. Every company that moves manufacturing over there, they will study what they do and how and duplicate it with their own companies.

They are not really an enemy to begin with, and they have some severe challenges, economically, over the next ten to twenty years that is very visible. They have some strong economic challenges right now.

China is also largely defensive. They have no ideology for global domination. They are not cutthroat expansionists. They are just trying to survive. I mean, they will try and hack and spy on everything they can, but it is not like they are going to kill people while doing it or start a war.

What I have heard from the industry is that the threat has died down. I did hear, during those years, consistent reports from all across corporate and DoD. While Mandiant is not the most unbiased source by any means, it did jive with what I had heard and seen from conferences and socializing with peers.

Not exactly a scientific way to gather statistical data, but I would be surprised if I was wrong.

It can be noted, that back then, while it seemed to just be largely industrial espionage, and that which have little to no economic or defensive impact on anyone, it was also an unknown. So that it was an unknown raised the concern level. Not entirely unreasonably, there was a massive amount of activity going on.

Organized crime and sophisticated hacking for profit, on the other hand, has really matured. And then there is the slightly tenuous situation with Iran, North Korea, and to a lesser but very concerned problem, ISIS and ISIS supporters. Relations are not the best with Russia.

ThothMay 23, 2015 9:13 PM

@Nick P
Regarding Singapore as a fab plant, it can be both a risk and a gain. The local Government here would greatly love to have some higher assurances for their security products and are very willing to aid whoever that can deliver such products to them ... at the cost where the individual bears it upon themselves ... :) .

Will Singapore yield to foreign policies and pressure to backdoor security products produced in Singapore and sold overseas (outside Singapore), yes ... that's if the product does not have critical use in the local ministries. If you can include a way to not differentiate the deployment and usage of the security product whereby the local Government (becomes addicted on the product) and also for civilian use then you might be a bit safer but no promises. The local Govt is rather fickle minded so you need to find a way to get into their good books (ahem ... legal connections ... ahem).

If you are dealing with nation states, one of the best tactic is to drum up Nationalism by saying ... Secured and Made in XXXXXXX Country and Deployed in XXXXXXX Country. They might think thrice before asking for a backdoor possibility but you need to ensure your product cannot be differentiate whereby there's a Govt version, Civilian version, Export version ... No way. With the possibility of making varying design and flavours, they will not miss the chance to have a SG Govt only version and backdooring everyone else including backdooring NSA and sell to US Govt or backdooring GCHQ and sell to UK Govt.

Will the SG Govt gobble up designs when someone is successful ? It really depends. If the design cannot be easily reverse engineered or copied, they would not have the appetite to gobble it up. A couple of failed SG security ventures by the SG Govt likely failed due to failures. There are cases where easy designs were simply gobbled by the SG Govt (the designers and inventors were locals which made the use of SG laws much more effective) and in the end those inventors and designers (whom are locals) that resisted the SG Govt effort to gobble up the simple designs were made undone and trampled in the "Court of Law" so-called as an act against the SG Govt.

Your best bet if you want to fab here is to be harder to coerce for the designs of your blueprint, fab the non-critical parts here and make the products as blackbox and as hard to penetrate. You should note that you should not stay in SG for more than a couple of months if you want to fab here to protect yourself from any coercion and have a trusted aide to take care of things here.

Some products that seemingly withstood the test here are Thales, SafeNet, Harris ...etc. Of course those are famous security brands and have withstood test of time for decades, let alone the unsophisticated efforts here to attempt a reverse engineer. The locals here learnt their lessons not to pick on the big boys' stuff (Thales, SafeNet, Harris...) and went for easier local made designs and inventions.

I know my own creations are not any safer from being gobbled so my best bet is put it in public domain with GNU compatible licenses whenever possible so that the coercion would have to be directed onto the public level (Github, Bitbucket..etc..). The locals get a free copy and everyone gets a free copy and everyone is happy :) (hopefully).

Regarding Malaysia, I don't know much about their capabilities but I know they have ties to the Russians and use a good deal of Russian equipment (because Singapore uses NATO compatible equipment) as some sort of regional see-saw or swing. They do not seem (may not be accurate) to be more capable than SG regarding reverse engineering and gobbling designs (let alone SG failed to effectively reverse engineer a good deal of stuff) which makes me think that SG would be the more dangerous of the two nations if you choose to fab.

Regardless, I would repeat again gladly, make your blackboxes as black as blackholes and make them indistinguishable from usage and not allow variants otherwise if the fabbing national Govt decides to want it's own variant, you are gonna be in deep trouble.

Nick PMay 23, 2015 9:23 PM

@ Ordinary Bloke

"Mudge" is working on the government's insider threat program. Marine Corp intelligence has long used young hackers. NSA pulls them out of academia. All, esp Pentagon, are pulling them right out of schools with extra encouragement such as Maryland Cyber Challenge. Many also join the military because it pays, certain jobs add to the resume, and they can leave after a their their four years or so.

So, the truth is far opposite of your position on hackers joining their side. They're certainly a small percentage. Yet, the rising number of people capable of learning the skill and relatively small number of jobs available means they should fill most of them easily. On the job training makes up for some of the skill gap. Most positions are script kiddy work, anyway.

Best to start with what's actually happening and then work from there toward the solution. Leads to the assumption that plenty will join them. That means anything they might attack must be considered and protected. And now we're full circle to the main solution: real INFOSEC and OPSEC at every level.

Nick PMay 23, 2015 9:28 PM

@ Thoth

Appreciate the tips and analysis. I'll save them for further thinking on the subject.

Maria von KretschamnMay 23, 2015 10:39 PM

Renata Avila is a force of nature, that's what. Ground your pitch in human-rights authorities, and she could catapult it like an anthrax-ridden cow into all supranational redoubts.

As for Rogers' phone calls, no one's taking them in the global south. Wassenaar is bleeding out, thanks to NSA. NCS is ripe for another purge. And organized crime is now in a position to nationalize the trusted-computing industry and make you Commissar Nick. So fuck 'em. It sounds like you're ready to get a riseup etherpad or something and enlist the policy entrepreneurs. It might not be a business plan yet, but it could be a foundation grant app or a deliverable for who knows what brass-plate shell company. You can start selling this stuff at an early stage, IMO.

Ordinary BlokeMay 23, 2015 10:45 PM

@Nick P

So, the truth is far opposite of your position on hackers joining their side. They're certainly a small percentage. Yet, the rising number of people capable of learning the skill and relatively small number of jobs available means they should fill most of them easily. On the job training makes up for some of the skill gap. Most positions are script kiddy work, anyway.

Yes, I am sure there are armies of technical specialists "script kiddy" work, and extremely sophisticated tools beyond what is on the market. Virtualization and processing power can be applied to some of these systems. The US Government has no shortage of powerful systems.

For tailored operations, for "Equation Group" level work, for finding of the most difficult to find security vulnerabilities, writing the best malware, coordinating the best level of attack, they do need a very rare combination of natural talent.

That need would only be growing. But, I respect your comments. And I do agree, the vast majority of work can be done by technical specialists with minimal natural talent.

Best to start with what's actually happening and then work from there toward the solution. Leads to the assumption that plenty will join them. That means anything they might attack must be considered and protected. And now we're full circle to the main solution: real INFOSEC and OPSEC at every level.

I am not stating otherwise. Every firm has to bear this in mind, even domestic US firms, especially if they ship internationally. (Or if they are in competition with an US firm that likely has a strong intelligence connection.)

I would reckon that the US is probably very interested in industrial espionage and extortion data. It is not easy to control executives and other very important people.

That there are few leaks on such activity is meaningless. That sort of activity is rarely going to be written down. It won't end up on a power point for internal funding. All team members will have been incriminated themselves and probably scare tactics are used on them, including reminding them they are potentially under surveillance their own self any time. They also have to bond very deeply and so come to share the same values, as groups like this naturally evolve to become.

The demand for that kind of information is huge. There is also demand for keeping up some companies, and keeping down other companies. There are demands for backdoor placement and for many other reasons to get corporations and other entities to cooperate with their needs.

name.withheld.for.obvious.reasonsMay 24, 2015 1:12 AM

UNBELIEVEABLE--IF THIS ISN'T A REASON TO STOP ALL DOMESTIC, AND MUCH OF THE GLOBAL, SURVEILLANCE REGIME--I DON'T WHAT IS!!!

From the DoJ Office of Inspector General, a report titled:

A Review of the FBI's Use of Section 215 Orders: Assessment of Progress in Implementing Recommendations and Examination of Use in 2007 through 2009

Executive Summary (Page V)

"Given the significance of minimization procedures in the Reauthorization Act, we do not believe it should have taken 7 years for the Department to develop minimization procedures or 5 years to address the OIG recommendation that the Department comply with statutory requirement to develop specific minimization procedures designed for business records. Nevertheless, as we describe in our report, we conclude that the Final Procedures the Department and the FBI have addressed the three recommendations in the OIG's March 2008 report. With respect to our recommendation that the Department develop final standard minimization procedures, we consider the recommendation to be closed."

name.withheld.for.obvious.reasonsMay 24, 2015 1:32 AM

On issues regarding the glorification of cyber warfare and the demonetization of hackers there are legal and perceptual problems. First, under NSPD/54 and PPD 20 the Executive, more specifically the Department Secretary of any IC, may engage in offense cyber-warfare operations. The authority to "DECLARE WAR" has been illegally devolved down to the Department head level. Additionally, PPD 20 designates "ALL COMPUTERS AND NETWORKS" as potential targets or proxy forces for use in any operation (offensive, surveillance, defensive--though not emphasized).

I used to believe there was a clandestine operation to harm or kill elements of the hacker group Anonymous, those associated or sympathetic with Wikileaks, and other "talented" hackers. Then I found it...

The Army Field Manual 3-38, section 3-46, describes "hackers" as "enemy combatants"...thus potentially subject to domestic KILL orders.

air-gappers anonymousMay 24, 2015 1:33 AM

Tone: An experimental Chrome extension for instant sharing over audio

"To get started, first install the Tone extension for Chrome. Then simply open a tab with the URL you want to share, make sure your volume is on, and press the Tone button. Your machine will then emit a short sequence of beeps. Nearby machines receive a clickable notification that will open the same tab. Getting everyone on the same page has never been so easy!"

- Source:
http://googleresearch.blogspot.de/2015/05/tone-experimental-chrome-extension-for.html

- Also: BadBIOS
https://www.reddit.com/r/badbios

ThothMay 24, 2015 2:38 AM

@air-gappers anonymous
That's side-channel data transmission. You need to HMAC + Encrypt the data as well just in case someone with the similar software gets the beeps and tones. Oh and make sure the software is not vulnerable to someone using crafted beeps and tones to hack in.

rgaffMay 24, 2015 3:29 AM

@air-gappers anonymous

Just a thought... if you had an "air gapped" machine for security purposes, you might want to disable the microphone and speakers at the physical wiring level? And any other hardware that you don't absolutely need for the given air-gap-needing task, frankly.

Note that this does NOT guarantee that there still isn't some kind of electronics that can be used to transmit or receive in ways that you don't intend.. I mean, even a monitor "transmits" data to your eyes and a keyboard "receives" data from your fingers, so you can't usually totally disconnect all ways without getting rid of all usefulness as well. You just want to limit them as much as you can, and know the risks and be careful about what's left.

Sancho_PMay 24, 2015 6:11 AM

@ Clive Robinson (23, 6:45 PM directed @ Skeptical)

I’ve grabbed my inkjet to print your comment, thanks!

ThothMay 24, 2015 6:42 AM

@Clive Robinson
Does wrapping connector cable ribbons in copper give it EMSEC capabilities ?

Here's an image of a AEP Keyper HSM's secure module box with it's connector ribbon seemingly wrapped in copper (for unknown reasons) inside AEP Keyper's Common Criteria evaluation public document.

What does the copper wrapping do ?

JacobMay 24, 2015 8:58 AM

@Clive
You short essay on the difference between laws and moral is exemplary. Thanks.

Nick PMay 24, 2015 10:13 AM

@ Maria von Kretschamn

Sounds good. I'll think on it and see how they can be tied in.

Clive RobinsonMay 24, 2015 10:41 AM

@ Thoth,

Adding a copper screen does a number of things depending not just on the cable but how it is terminated, as well as the type of signal that are put into the cable.

The usual use is either or both a "voltage screen" or to provide a "stable refrence", the latter is some what similar to the ground plane(s) in "microstrip" designs used for high frequency and above circuit operation on PCBs and other substrates. Whilst balanced signals on parallel or twisted pairs are often considered not to need either a shield or refrence, in practice kinks, bends and closely adjacent unbalanced conductors will effect the field balance and thus energy will transfer.

But shielding can be funny in behaviour, for instance look at the design of an electrostaticaly shielded loop antenna. The loop is usually entirely shielded except for a 1% or so gap, which alows it to actually act as a more effective antena than an unsheilded loop.

Thus a "hookup cable" between two subunits in a system may or may not benifit from having the copper shield depending on how it is terminated at either end. And in some circumstances could make energy transfer issues worse not better, such are the joys of "near field" issues. Along with this there is also the issue of "earth loops" to be considered, where signal return paths go in multiple ways, the result being loops form which act in all sorts of frequency dependent ways. The usual way to stop this is to mount fully shielded sub units in a "galvanicaly issolated way" thus the copper screen could be the only earth back from the sub unit shown.

It's difficult to tell without a lot further information.

But if you are designing a secure unit remember there are in effect three "grounds" you should consider, the power return, the signal return and the case or shield.

For good EMSec the general rules of thumb are keep all grounds / returns either galvanicaly issolated or connected only at a single physical point. Any cables carrying power should be of the same length and directly adjacent to each other and have independent shielding around them earthed at a single point at the PSU low impedence point. Signals going from unit to unit should idealy be fully balanced on twisted pair cable and be balanced opto or transformer issolated at one end to stop signal loops forming, again they should be sheilded in a galvanicaly issolated way. Chasis screaning should either be fully issolated from the internal circuits or if double insulated safety issolation is not possible connected back to the low impedence point of the primary PSU. There should be only one point where power enters the system and the primary PSU should be at this location, secondary PSUs must connect back to the primary through only one reliable set of electrical connections that connect to the chasis earth at the low impedence safety point back at the primary PSU.

In many respects EmSec grounding and signal routing are little different from those used in "Radio Shacks" used on boats and high power transmitter stations where the "RF gets everywhere" unless specificaly prevented.

Jonathan WilsonMay 24, 2015 10:53 AM

"Thus whilst some may consider it lawfull because currently we don't have international law to prevent it, they would find it both unethical and immoral by their personal standards."

You'd be surprised how so many cadets signed up just for the "thrills". The recruiters are also not shy with that type of advertising. Thirst for blood, kill for thrills, and that warm & fuzzy feeling root deep in primates. Laws, ethics, morals, & legisltation are mere learned knowledge. Primordial impulses aren't easily de-programmed. Therefore I seriously doubt there is any trouble for our dear defenders to recruit.

Jonathan WilsonMay 24, 2015 11:18 AM

"I'm sorry, but I don't believe there is such a thing as cyber war."

The concept of war appears to have been romanticized. There are many different types of "war". War on Drugs, War on Terror, Currency War, Economic War, and Cold War are some examples of this. That doesn't change the fact that these wars may or may not be interconnected leaving lots for our imagination. :)

Nick PMay 24, 2015 11:27 AM

Interesting article on GitHub giving basic advice for crypto. I got it from Hacker News, where I've been having plenty fun. :) I left a critique of a few points on HN. Here it is so I don't have to retype it:

""Avoid cipher cascades." I've pushed and successfully used cascades in highly assured work for years. Cryptographers talk down about it but "meet in the middle" is best attack they can cite. So, they're full of it & anyone who cascaded might have avoided many algorithm/mode breaks. My polymorphic cipher works as follows: three strong algorithms applied out of almost 10 potentials; algorithms are randomly selected with exception that each pass is a new algorithm; separate keys; separate, initial, counter values; process driven by a large, shared secret. Breaking it without the secret requires breaking all three and no cryptographer has proven otherwise despite massive speculation.

I'll briefly mention scrypt because it's ironically great advice. I asked cryptographers for over a decade to deliver a slow-by-design hash function that couldn't be sped up. They, for years on end, criticized me (see Schneier's blog comments) saying it was foolish and we just need to iterate a fast one. I expected problems and hackers delivered them. I had to homebrew a cryptosystem that input a regular HMAC scheme into another scheme: (a) generated a large, random array in memory, (b) did impossible to speed up operations on random parts of it, (c) iterated that excessively, and (d) finished with a proper HMAC. Array size always higher than GPU or FPGA onboard memory in case opponents used them. Eventually in a discussion, a Schneier commenter told me about scrypt and I finally got to ditch the inefficient homebrew. A true outlier in the crypto field.

Avoid RSA: bad advice for commercial if NSA is opponent. All his risks are true. NaCl is great and my default recommendation. Yet, he doesn't mention that NSA has another reason for pushing ECC: they own 26 patents on it that they license conditionally on the implementation details along with ability to restrict export. We know what NSA's goal for crypto is and therefore I avoid ECC commercially like the plague. I just used RSA implementations and constructions pre-made by experts with review by experts. Esp GPG, as NSA haven't even broken it. They use it internally, actually.

For asymmetric signatures, see above. All points apply. I'll just add that, for post-quantum, there's been tremendous process in Merkle signatures with things such as unlimited signatures. Their security just depends on a hash function, there's no known quantum attacks on them, and they're doing pretty good against classical attacks, too. So, I'm following and doing private R&D on standardizing Merkle signatures plus hardware to accelerate it on either end.

He says use OpenSSL and avoid MatrixSSL, PolarSSL, etc. He said some vague stuff about their quality. Problem: anyone following the git comments of OpenBSD team that tore through OpenSSL knows that IT WAS S***. It was about the worst quality code they've run into with so much complexity and potential to be exploited that the NSA would be proud of it. I'd be surprised if Matrix, Polar, etc are worse and less structured than that. If OpenSSL is really the best, then we're in a bad situation and need to fund a clean-slate design by experts like Galois and Altran-Praxis.

Although I'm focused on problematic points, his last piece of advice deserves special mention: use TLS. These protocols have proven difficult to implement properly. TLS and their ilk have had many problems along with massive effort to smash them. Against that backdrop, it's actually done pretty well and using it like he suggests is best option for COTS security. Medium to high assurance systems can always use variants custom-designed for that level. Most don't need that, though. "

EDIT: Should've said the Merkle signatures only depend on a hash function and the signature scheme itself. Naturally, the scheme introduces new risks over the hash function. Yet, I like constructions based on symmetric encryption and hashing because their security has been easier to reason about. They seem to get stronger over time while the asymmetric alternatives seem to get weaker. I'd rather avoid them where possible.

SkepticalMay 24, 2015 11:54 AM


@Clive: Please don't confuse "ethics and morals" with "laws and legislation" they are very very different animals.

Nowhere did I confuse the two. But you seem to think that we cannot evaluate laws from a vantage of ethics, which is simply incorrect.

One can have laws which would be ethical to follow, i.e. laws such that one is not ethically obligated to disobey them, and laws which would be ethically obligatory to follow, i.e. laws that one is ethically bound to obey, and laws which would be ethically obligatory to disobey.

The point is that none of the policies and laws at issue are such that it would be unethical for an individual to serve in the US or UK armed forces. Instead, on balance, the US and UK are both legitimate democratic governments, with systems worth improving and fighting for.

Secondly "ethics and morals" are held by individuals as a code to live by whilst they may have commonality with others ethics and morals at the surface, they are often on digging deeper found to be unique to individuals. This uniqueness is one of the reasons organisations have "ethics commities" to try and ensure people sing from the same song sheet.

The shared ethical ground of human beings is not superficial, but rather fundamental; it is part of human nature. There are divergences between individuals, especially between individuals of different societies and cultures, but the evolutionary substrate is the same. That is what enables human beings to coordinate behavior, to understand one another, and to construct reasonably functional societies.

Also in consequence of evolution, and the manner in which evolution occurs, there is significant variation as well - sometimes with quite horrible results, including the construction of dysfunctional societies.

One of the big issues with cyber-warfare is it's by and large not going to be those under flag targeting others under flag, but infrastructure. Which in the main will harm those individuals of a nation not under flag that are usually called civilians or collateral damage.

Thus whilst some may consider it lawfull because currently we don't have international law to prevent it, they would find it both unethical and immoral by their personal standards.

It involves accessing, exploiting, and possibly disrupting or destroying, "cyber" systems that are legitimate targets. Cyber elements of enemy command, communications, and control capabilities would be high on the list.


@Ordinary Bloke: So, say, the US Government approaches them to work for them. They approach them because of their skill. What will be on their mind, if they are not at least somewhat knee deep in conspiracy theories, as many twenty something IT people are. Especially fresh out of college.

You're forgetting, in your list of scandals, that the scandals are surrounded by a far greater number of stories concerning what the US military gets right. The US military is one of the most trusted, positively viewed institutions in the United States - there are good reasons for that, and those reasons aren't going away any time soon. Indeed, many of the scandals you mentioned simply have nothing to do with the US military.

I don't really get a sense that anyone is much worried about China anymore. Press headlines aside or posturing by diplomats. If China wanted to fuck the US, they could just start dropping bonds.

You'd be incorrect. As to whether anyone is worried about China, run a search for recent stories on the Spratly Islands or the South China Sea.

As to their selling of US bonds, it would have little effect on the US and destabilizing effects on the Chinese Government. They own those bonds for reasons relating to their own financial stability and credit.

Markus OttelaMay 24, 2015 1:39 PM

TFC 0.5.5 Fresh from the oven.

So I found another vulnerability in the constant transmission feature; between each long message only one command would be sent at most. This issue has now been fixed.

After a request, I added further message authentication for CEV: In addition to GMAC it now does encrypt-then-MAC style authentication using HMAC-SHA2-512 (512-bit key) and SHA3-512 MAC (1144-bit key) before GCM authenticates and decrypts the ciphertext.

I upgraded all keys to 512-bit ones so cyclic hashing of keys won't reduce security over long period of time (there is no key negotiation in TFC).

I also upgraded hashes from Keccak-256 to Keccak-512 and at the same time the Keccak-CTR key size was upgraded to 512-bits. So 1280-bits of symmetric key security in total.

As for key generation, CEV now has constant 2kHz sampling speed (1.5M samples are loaded in total), three vN whitening passes and between each of those, Keccak-512 compression with 2:1 ratio (1024 bits in, 512 out). User can now input different entropy from keyboard for each of the eight 512-bit keys generated.

Also fixed lots of bugs and typos, and as usual, updated whitepaper and manual where necessary.

UI was tweaked slightly: I added cleaner completion messages and some startup animation for the lulz (disable option available in settings).

BenniMay 24, 2015 3:01 PM

What is this?

http://www.theguardian.com/us-news/2015/may/23/nsa-bulk-phone-records-collection-usa-freedom-act-senate

"NSA bulk phone records collection to end despite USA Freedom Act failure"

Is this only suspended temporarily, say e.g. for 3 weeks until it is covertly started again?

And what do the Copyright lawyers do now? Assuming they want the postal adress of someone using bittorrent. If NSA does not collect this data anymore and can't share it with the FBI, to whom should the copyright lawyers go now?
Are the providers now hosting this data and the layers have to go to court for thousands of cases?

Does that mean one is now free in the US to launch bittorrent and finally copy all the content linked at piratebay?

Ordinary BlokeMay 24, 2015 3:18 PM

@Clive Robinson

John Nash and wife

Truly great man. His economic model really helped bring into many fields of sciences a better model then what people were leaning towards, one where reciprocity is shown to be "the way" over the inaccurate models of sheer "selfishness".

@Jonathan Wilson

Thirst for blood, kill for thrills, and that warm & fuzzy feeling root deep in primates. Laws, ethics, morals, & legisltation are mere learned knowledge. Primordial impulses aren't easily de-programmed.

I respect your viewpoint, but from my viewpoint it is worse. I have a more primitive viewpoint and far less "modern" then that one, where human beings might be compared to all sorts of animals, and even insects. And individuality is involved there. Which, to me, is one of the more fascinating aspects of human beings, though to a lesser degree animals. Some human beings seem more like cats, in their behavior, some like some manner of birds, some like bears, some like wolves, some like combinations in between. And so on.

Not all become true killers and psychopaths, and those who do you normally can look at their past and see strong influences that pushed them that way. Even if others had the same problems in their childhood and did not grow up to become psychopaths.

One especially sees this as being true in middle and late teenage subcultures where aggression of a wide variety of forms is encouraged. Obviously, another major influence there is the vast war machine, which does turn many into psychopaths and encourages savage behavior both in the direct participants and in the larger society trained to embrace that manner of behavior.

This is why as civilized as first world society appears, they actually end up killing far more people, more savagely then, for instance, second and third world countries. They delude themselves about their own actions, on one level, by pointing to their "enemies" social structures and behavior, and by proclaiming freedom of speech, religion, and the press... which operates as a profound "cover" for the very lack of news and information from those regions they oppress.

Obviously, society has only evolved in appearance above that of the societies of the past. They have a form of modern civility, but operate still as cheerleaders for violence. And I am sure, far more then modern society might condemn those of the past, future society will condemn these societies.

If this sort of mindset is the future, then there is no future, and they most surely will not be able to "inherit the earth". Because there would be no people and no earth to inherit.

Forcing such dramatic global change, unfortunately, is not easy. Nobody wants to learn the truth about these matters, because of the self-righteous fake image they keep of themselves in their mind. Even though they know, deep down, that if there would be a mirror of the soul, their own image would be reprehensible, terrifying in its' ugliness.


albertMay 24, 2015 3:33 PM

@Jonathan Wilson,
.
Wars are armies fighting armies. That's it. The things the PR folks come up with are just that; PR speak. It's propaganda. What is a 'war' on drugs? on terrorism? The concept is absurd. A real war is an all or nothing proposition. In a real war, civil liberties are suspended, illegal and immoral acts go unpunished, or even condoned. Parties fight until one side surrenders, or is destroyed. Do you see this happening in any of the so called 'wars' today? Do you see any possibility of 'winning' any of these 'wars'? The fact is, that all most all 'wars' today are about money (a result of power) or retribution. (Before the fall of the Reich, Hitler was thought to be the richest man in Europe)
.
By couching these conflicts as 'wars' we open the path for treating them like real wars. Witness the militarization of police in the US. Drugs and terrorism are LE territory. So are economic situations. What was the 'Cold War' all about? Was it a war against an idea?
.
That's mind-bogglingly nonsensical.
.
Good luck with your fight for strong crpyto in AU. From what I've heard, you guys are also suffering from extreme security measures, disastrous economic 'strategies', and all sorts of other fascist measures that the US, UK, etc. are having forced upon them.
........
.
@Clive,
If I were commanding any kind of force in the military, I'd want my people to be dedicated military people, not civies. 'Command and Control' is actually practiced in the military. Now the problem isn't really the military, it's the politicians that control it. Forcing soldiers into unnecessary wars, committing illegal acts, and strategies that can't succeed, is not the way to run an army. A former boss told me his philosophy: "I don't care if you're not happy, but I do care if your wife's not happy." Soldiers don't need to be happy, but they need to feel moral and ethical, and are there for good reasons. None of these conditions apply to the present 'conflicts'. (I hate using euphemisms)
.
Regarding cyber-'warfare'. The same applies to contractors working for the military (in any capacity). It's hard to work for moral cannibals. You don't want Snowdens and Mannings, but you insist on forcing them to respond. As far as pay is concerned, there are ways to compensate talented individuals. You put 'em in Top Secret black programs, bump them up in rank and pay grade. You enlist older, smarter people. You're not training them, they're training you. You have them for fewer years, but more productive ones. And there are other motivation besides money.
.
...

Gerard van VoorenMay 24, 2015 4:20 PM

@ Albert

"The fact is, that all most all 'wars' today are about money (a result of power) or retribution. (Before the fall of the Reich, Hitler was thought to be the richest man in Europe)"

Nitpicking: AFAIK Hitler didn't care about money at all. He only wanted to deal. Yes, he was a millionaire because of the mandatory 'Mein Kampf', but that is it. Correct me if I am wrong.

Ordinary BlokeMay 24, 2015 4:26 PM

@Skeptical

You're forgetting, in your list of scandals, that the scandals are surrounded by a far greater number of stories concerning what the US military gets right. The US military is one of the most trusted, positively viewed institutions in the United States - there are good reasons for that, and those reasons aren't going away any time soon. Indeed, many of the scandals you mentioned simply have nothing to do with the US military.

It is difficult to speak to someone outside of their subjective personal and social bubbles, and it can be easy to forget that establishing rapport is as much of language as is the specific construct of their words and grammar. If I do not bother to try and establish rapport with you, that is, then you will find what I am saying alien and incomprehensible. You will reject it as "not you" and "not of your group" and take nothing from it.

Thankfully, "for instance", part of your subjective bubble does include some level of comprehension of the concept of "subjectivity of the individual and the culture they belong to", of the concept of "rapport" as an aspect of leading and a necessary communicational bridge to utilize and move forward to "new ideas and new cultural mores".

So, that slightly linguisitic irritant aside which only barely has any aspect of rapport, down to more your language:

Memorial Day is tomorrow, so it can strike you as reprehensible to not praise the sacrifices of the military, or to disparage American's military culture. One might point out that there are many people in the military or who have served in the military during wartime who have fought the good cause and have remained untouched, morally, and personally, due to their very cultural bubble of subjectivity.

They fought and do fight for a better world, where war is not necessary, a world where might will no longer make right, a world where confusion and death is not the rule. They disdained the days of actual battle, and only prepared in peace time for defensive protection of their beautiful lands of peace, prosperity, justice, and modern wonderments.

While they might speak in couched terms on what this latest modern problem has been, let us face facts. It is a crusade to change the savage world of Islam that threatens the more civilized, modern world with utter annihilation and the savagery of Sharia.

It beats back fire with fire, attacking at the very heart of the problem of Islamist terrorism.

Christians among you, of which a sizeable portion of the population allegiances their selves with may harken back to the tales of the Old Testament and the savagery therein, where God Himself spoke to the people in terms they could understand, not just by direct speaking, but also by affirming the cultural principles of the time: a world of vast and horrible superstitious cults, where one society might as easily attack and destroy another society, and rape was a privilege of the hungry warriors, and murder was a necessity.

There is no requested discontinuity between Old Testament times people and people of the future. In fact, it was requested for those "dispensationalists" to accept crusading, marauding, inquisitions with their brutal torture, and flatlining primitive cultures, robbing them of their entire societies in order to pave the New World on the top of their skulls.

After all, the victor controls history, for they conquer it by sheer murderous aggression, and can trample the crimes by how they hide the skeletons under their beds and closets. Firmly, willingly closing their eyes and shutting their ears to reasonable debate, while trumpeting evidence of just how free their societies are to be critical of their regimes... even while hiding any manner of substantial reporting of the devastation they cause in foreign lands. No civilian casualities, no ripping down of societies and replacing them with husks ripe for the most savage to take place, no horrors of modern weapons of war and soldiers ripping apart their families. And much trumpeting of their societies own ruthless savagery, of terrorism, of Sharia at its' most extreme and bizarre, of their horrible behavior to each other, and their terrible grasp of immorality.

Even if you stack up the savagery side by side, by the end results, the first world nations stack is far, far higher then theirs could ever hope to be.

The propaganda is insidious and deep and wide, as complete in what is said and shown and heard, as it is awe staggering in what is not said, what is not shown, and what is not heard.

As fastidious as they dress their dead and decorate their mausoleums, "cleanliness" and appearance decorates their conscious mind when they view their world, their society, and their cultural morality.

Only, the problem is, it is as fake as the appearance they pay to the dead, and as shallow, hiding over their minds and hearts a vast lie which is shaky and can never enjoy the sure and deep confidence of more peaceful, honest, and loving peoples.

War begets war, violence begets violence, and even if this is a quote from their own book of the future, why should humankind ever be held to the standards of their future, of "adulthood", and not be kept back to the time of the distant past and that savagery.

Can't they stay restless teenagers forever, where barbarity, war, and violence are forever?

Consider the "humankind" "parent model", where ages of humankind are as the development stages of individual human beings. As small children, their parents talked to them as small children. That would be the days of wild superstitions and restless, aggressive urges. As teenagers, they became increasingly aggressive and unwieldy, starting to separate from their parents. They became dark, experimenting. But, they also started to make themselves appear more as adults would appear. The meek and powerful of some distant, future society that is beyond such human inanities and horrors.

Seperating from the ideals of their parents, they wanted to forge an identity against what they knew was right and true, while, paradoxically, appearing more and more as adults. They dressed more grown up, though also experimented with rebellious dress, they talked more grown up, but their behaviors were a mix between childhood and adulthood, so they also engaged in brutality which in their childhood was but pretend.

And, very, very contrary to their mental delusion of their self, they actually have grown up impulses, but without grown up impulse control. That is, they are very much not the adults they think they are, and often exhibit behavior that makes their parents want to kick them out far more then they ever exhibited as mere children. So godforsaken lands, altogether like 'the Lord of the Flies'.

Children know they are not adults, but teenagers do not. Still, though, deep down, their confidence and self-esteem is heavily shaky.

In summary, of such a strange sermon, things are not okay. How the difficulties of the Middle East, North Africa, Asia, and the home countries should have been addressed is by peace, patience, and lovingkindness. By information and education, and by material support and encouragement, economic, financial, moral.

People should have been led by peace, not by war and lies. Saddam Hussein was never a threat, and while abominable he never did such damage to his country as the allied nations did. Not by very, very far. He was scared, scared of the nightmares he saw those countries of promising, and expected those nightmares. He lied and pretended to have killing capacities he did not have. And he and his country, they were welcomed with unspeakable horrors. That was the message sent to the region and the peoples of the surrounding regions. A horrible message.

Andrew WallaceMay 24, 2015 4:28 PM

The problem with cyber war is it is hella boring. The lights in your house go out... like a normal power cut.

There isn't a lot to *see*.

Andrew

Michael And Ingrid HerouxMay 24, 2015 5:08 PM

CSIS 3008 WARRANTS HARPER CHENEY HALIBURTON 5EYES CORRUPTION

Great news, my family and I just found out our daughters weren't murdered by Canadian Intelligence like they wanted us to believe, they are still alive and doing well living in Alberta and working for DICK CHENEY'S HALIBURTON. I guess you can't get more bigger a conspiracy than that.

http://pinsta.me/bonkavane

http://pinsta.me/lala_izzy_vee

MORE TO COME SOON, THANKS FOR READING, FOLLOW THE MONEY.

Michael And Ingrid Heroux

http://michaelandingridheroux.blogspot.ca/

http://30-08-warrant-corruption.blogspot.ca/

tyrMay 24, 2015 5:14 PM

@Thoth

One thing to be aware of, for a shielding to be effective
it needs to be grounded on one end. So you can use a copper
foil wrap that way. Grounding both ends makes it ineffective.
In technical parlance emissions are shunted to ground instead
of reradiated.

You can also get some nasty effects by routng power and the
return path separately it effectively builds a nice noise
radiator particularly for AC supplies.

Too bad about the Nash family an ugly way to end a long
career.

Andrew WallaceMay 24, 2015 5:26 PM

I mentioned "natural surveillance2 in a previous post. I believe that is the society we are building.

http://en.wikipedia.org/wiki/Natural_surveillance

If you *think* you're being watched then the Government don't need to do anything but keep pumping out information about it periodically and from time to time release seemingly "leaked" data to keep certain technical communities informed.

Andrew

SkepticalMay 24, 2015 5:47 PM


@Ordinary Bloke: Memorial Day is tomorrow, so it can strike you as reprehensible to not praise the sacrifices of the military, or to disparage American's military culture.

I think you've lost the thread somewhere.

You made an empirical claim: "hacker creative type" individuals would not work for the US military or government because they would find it unethical to do so.

You bolstered this claim by noting several controversial policy decisions made by the US Government over the last 13 years.

I responded by pointing out that, notwithstanding those controversial policy decisions, the US military is actually the most trusted, and respected, institution in the United States. That's not a statement of my personal view of the US military; it's what polls have found for quite some time.

In other words, the widespread respect for the US military is an empirical fact which is problematic for your thesis.

Moreover, as democracies in Eastern Europe look more anxiously to NATO for protection; as democracies in East Asia look more anxiously to the United States for protection; as al Qaeda and ISIS affiliated groups continue to commit atrocities that even human rights groups have described obliquely, so nauseating is the reality; that respect will grow, not diminish. It will grow with every new technological achievement; every raid and every rescue; every ton of aid supplies dropped to those in need.

You can chatter on about the Old Testament and the terrible things done by the "first world" in the past. The "first world" has absolutely done terrible things in the past. But that is history. The "first world" isn't fighting in the Syrian Civil War; the "first world" didn't kill 5.4 million people in the Second Congo War. As with your statements about whether anyone perceives China to be a potential rising threat, you are misinformed here as well.

Andrew WallaceMay 24, 2015 5:57 PM

My conclusion is:

We aren't being watched as much as the Government would like you to think but it is within the Government's interest to make you think it.

Only the most sophisticated and most well known criminals are the ones being watched.

Your average citizen, hell no, there aren't enough hours in a day to care.

Andrew

Ordinary BlokeMay 24, 2015 6:34 PM

@Skeptical

I responded by pointing out that, notwithstanding those controversial policy decisions, the US military is actually the most trusted, and respected, institution in the United States. That's not a statement of my personal view of the US military; it's what polls have found for quite some time. In other words, the widespread respect for the US military is an empirical fact which is problematic for your thesis.

You are absolutely correct, I talked up rapport and shared societal beliefs, claimed I would speak from that perspective, and then decidedly did not. So, now I will get to that.

The American military, in many more ways then people can possibly hope to imagine stands at the front lines of the future, for liberty and justice, for civilian rule Democracy, and human rights.

Where to start? The Korean War was not a disaster, as some believe, but a societal necessity, to send a loud and clear message to the very large global threat of global totalitarianism via Communism.

The Vietnam War, was also along these lines. Pundits, in seemingly 20/20 or 1000/1000 hindsight can look back and say, "Ho Chi Minh actually idealized America and eager for peace talks, but was rebuffed. He only became a Communist by necessity, sick of the corruption of poorly managed colonial Vietnam." But that is simply conjecture, and the combined forces of the Chinese and Soviet communist powers were solidly behind both wars. They were the aggressor and if their aggression continued unchallenged in Southeast Asia, the world as we know it today, would be far more like the lost island nation of North Korea, then what it is.

That neither war was decidedly won means nothing. Communism, at that time, literally required that level of horrific response, not unlike knocking a bully in the nose.

People like to say "this or that" "won" the Cold War. Or they like to hyperspeculate about "what might have been", but this is all from the armchair comfort of delusional hindsight and the conceit of intellectual posturing, of a desire to appear superior. Talk, meaningless talk.

The reality "the Cold War" was fought on many very hot fronts, and everything combined actually helped lead to the dissolution of that very real threatening horror.

Likewise, people get 'up in arms' over the Iraq and even Afghanistan wars. They shouted "blood for oil", or "Bush is the Antichrist". They have been disillusioned with the fact that the claims to get into Iraq were, in fact, fraudulent. How much bickering was made over the forged letter - seemingly, ultimately from the Mossad - and the false tales of yellow cake from Africa... or the lying double agent who really did used to work at a high level for Saddam Hussein, and afterwards admitted his lies, with true pride, saying, "I helped get rid of that tyrant and those tyrants who supported him, the Sunni minority".

The truth of the matter is the whole region was as a dam which was busting, and a finger had to be put in the hole, before it became a crack. This was evidenced by decades of Sunni and Shia led terrorism, up to and culminating 911, a monstrosity of religious and social perversity. One which was unanimously celebrated in the Islamist world, and ironically, at the very same time knowingly lied about -- blaming it on their favorite, hated enemies while, at the same time, celebrating it and saying, "This is surely proof that our godly fighters truly are backed by God".

Nevermind that one of the planes decidedly failed to make its' objective. Or that enormous Saudi and other money, nation state backing, financing, training - was put for well over a decade towards Al Qaeda.

So what of pretenses? Hrrm? People do not want to hear *that* truth.

Further, it is not even that military planners were unaware of the ruse. Wolfowitz himself, for instance, told Vanity Fair during the lead up that they felt they needed to shift global military presence from old Cold War and global settings, and from Saudi Arabia, to Iraq. And Afghanistan.

Sadly, you do have to actually anesthetize a person to operate, and the view of cutting open a body during an operation can be very, very ugly, indeed. Moreso, one could point out then the hidden problem in the body its' self.

That same rule decidedly does not belong to this speech here. There is nothing else hidden.

So, now how is the situation? In many ways, it does appear worse then it was before. So unexpected. Iran is sandwiched, but no one will attack Iran. Saudi Arabia is a close, friendly ally. Just in case "not", they are in a decidedly bad bargaining position.

The two primary warring nations are, in fact, separated, like two idiots in a bar fight, with the US and allied nations stepping in between.

ISIS is getting creamed, left and right. Hardly a day goes by without news reports of more of their dead leaders.

Iran is backing down from their apocalyptic threats and agreeing to terms and conditions that keep themselves from blowing themselves up, or escalating the regional wars they are fighting.

Saudi Arabia is held tight, and great benefit is provided by the saner, more liberal, elements of their ruling people, while their more rabid minorities, like with Iran, both realize they do have a gun to their head. Just in case they get the wrong ideas.

Meanwhile, unfortunately, people can not know the full truth, and even over the very noble war, they can not be told it was with better reason then they could possibly understand.

But, I will also point out, over all of this thick layer, of ignorance and "deception", there is another truth even deeper then these things.

It is useless to speak on such layers, because it does not make the target. Some of it might enlighten a person's deeper perceptions of which they are unconscious of, in fact, of that I am sure. But, consciously, they can be alarmed.

Two polar opposite systems can not be both true, can they?

Yet, individuality, distance, complexity, perspective demands just, exactly, that. No "rock" as a word is actually the rock its' self, and words and perceptions of "what is", are always filtered through a vast array of partial truths. Inaccuracies. Lesser evils over greater evils. So dim is our human capacity to engage all things as they really are.

Tin Hat WarriorMay 24, 2015 6:35 PM

...thus explaining why they built the $2 billion data center in: Bluff-dale. It's all fake.

Andrew WallaceMay 24, 2015 6:53 PM

"Tin Hat Warrior • May 24, 2015 6:35 PM

...thus explaining why they built the $2 billion data center in: Bluff-dale. It's all fake."

As I said as long as you think it their job is done.

Andrew

GodelMay 24, 2015 7:08 PM

@ Andrew Wallace "Only the most sophisticated and most well known criminals are the ones being watched.

Your average citizen, hell no, there aren't enough hours in a day to care."

With ubiquitous data surveillance (meta data, phone tower records, license plate readers etc.) coupled with long term storage, there's no need to have individuals personally watching the public all the time.

Their entire lives are available for review in retrospect at any time, just waiting for the whims of our FUTURE governments and security agencies,as well as those in the present. And that doesn't touch on the increasing ability of automated systems to scan the data for the humans.

Thank you for your Service. Eat your mush.May 24, 2015 7:25 PM

Here we go again. Grandpa Skeptical, sniffling into his beer at the VFW, fantasizes about dying for a state guilty of serial aggression and concomitant war crimes, and the crime against humanity of systematic and widespread torture. He calls it a system, not a state, to obscure the criminal culpability of his civilian/military command structure. Government-style, Skeptical makes up the meaningless term "individual rights" and the cheesy Fifties poesy "democratic way of life." He wouldn't know a right if it bit him on the ass, and he's proudly ignorant of the world standard for democracy and how the US fails to meet it. He dreams up enemies - and then potential enemies, because even he dimly perceives that no country threatens the US - and pilin' on the words, declares the US not just better but preferable, too!

If you asked Skeptical about four persistent situations of gravity and emergency involving serious breaches of the US government's solemn pledges, he wouldn't know what you're talking about. He wouldn't know what they are. He would never guess that they are torture and murder with impunity, surveillance, the Guantanamo death camp, and gun violence. He couldn't tell you why there's only four (because that's the agreed maximum number per review, so they only picked the worst.) In July the whole world will be watching the US government stewing in public infamy that would mortify anarchic 3rd-world shitholes. It will go right over Skeptical's head. The only other patriots pure as Skep are squishing around in loaded diapers, waving little flags in Collins Veterans Home.

HypnosMay 24, 2015 7:47 PM

@Skeptical

I don't really get a sense that anyone is much worried about China anymore. Press headlines aside or posturing by diplomats. If China wanted to fuck the US, they could just start dropping bonds.
You'd be incorrect. As to whether anyone is worried about China, run a search for recent stories on the Spratly Islands or the South China Sea.
As to their selling of US bonds, it would have little effect on the US and destabilizing effects on the Chinese Government. They own those bonds for reasons relating to their own financial stability and credit.

Oh, I can saber rattle, too. But, first a brief prelude.

WWII had some dominant themes about it, which have deeply impregnated themselves in the conscious of societies most involved. Yet, East and West perceptions differ on these fronts.

In both cases, whether one speaks of the West or the East, I would point out what especially impressed their consciousness, usually subconsciously, was not so much of the journey or even the beginning, but 'how it ended'.

Both fronts ended after a deeply elaborate and successful disinformation program - really vast array of programs - that went on for many years across Allied nations.

For the West, that centered around disinformation about D-Day, especially in regards to deception about that known inevitability and so on the location and timing of it.

For the East, an actually comparable program was engaged, and was every bit as scary in its' level of secrecy and end effect, if not much more scary.

I won't go into the full history of those programs, but will point out that the details, so much, do not matter to the impact on popular consciousness. All that secrecy and planning was as if something hidden deep in the unconscious, and the ultimate effect was results that were staggeringly effective and seemingly 'out of nowhere'. Even more disturbingly, in a sense, it could be pointed out that the Normandy landing operated almost like further secrecy, or unknowning, as had they but waited and understood, they could have simply kept the Nazis running about and finally used the bomb on them.

Reasoning, really does not matter on this level of human consciousness, fast calculations are performed without the unnecessary bias of consciousness.

Debates often do not illuminate, but instead cover up, pushing back knowledge well outside of the necessity of what the conscious mind must understand.

However, the intelligence forces of both the West and the East are deeply studied in these histories, and regard them well. Like as those programs operated, they operate in the vast world well outside of popular consciousness. And what is presented as "truth" to popular consciousness, is very often... not.

So, in the West, there is great cognizance of the necessity of deception in regards to obtaining secrets, secrecy regarding that knowledge, and secrecy above all regarding such things as "times" and "dates".

Whereas, in the East, there is much consideration about their view of events, a horrific continuation of colonial horrors, matched only by the terrific display of the atomic bomb. Of course, Japan, however, has a bit different view of matters, sublimates it deeply, and we all Westerners (and Easterners) alike get to enjoy their sublimated fantasies of futuristic technology, strange morality, and incredible power nearly incomprehensibly held by mere human beings.

Back to saber rattling...

Clive was right. The whole APT, Chinese hacking threat, was an elaborated constructed fraud.

But it did not begin with the Mandiant paper and resulting brouhaha. It began many years before, and painfully, as all vast deception programs must begin. Indeed, the appearance was as China aggressively hacking friendlies and the US. Sources were conjured, and strong evidence was supplied, secrecy was kept not just over the truth, but of the truth above that, two deep layers of deception.

Consider, however, this scenario more closely: the primary target of deception was US corporations and yes, DoD, and intelligence infrastructure. They were not faking their concerns about that threat. They do not have that capacity, it would have leaked, and there would have been tell tale clues even in the main pundits' body and facial language -- much less an unrealism in their overall posturing in reaction to these matters.

Likewise, when Michael Rogers recently spoke about priorities, he mentioned nation state proxies as a severe threat, pointing to how likely North Korea disguised their actions in the Sony hack. But, what if he meant something else, too, like, maybe, he was aware of even more disturbing scenarios then what he was mentioning? Like that maybe the Equation Group was not something he or his supervisors could attribute, internally. The targets seemed right, and the tell tale clues forensics provided definitely pointed to multiple extremely plausible previously found US cyber attacks. But, what if no one actually knows who was behind it?

Both of these scenarios would trap the parties in an uneasy silence. The game of counterintelligence is poker, after all, and neither side wants to show how bad or how good their hands actually are. Even if that is a poorly chosen decision.

Besides, how lame would denials appear? And how could China possibly trust US Intelligence to come to them and say, "Look, we really were not attacking you". Or Michael Rogers and others saying, "Look, people of the world, I know this looks very bad, but believe me, we did not do this".

Not a lot of credibility left.

However, of course, all of this is just fiction. How can anyone be sure? No one would be such an idiot to state such things if they were true, because then that would get on them both the might and sophistication of the two most powerful nations on earth. (Even as a convenient scapegoat, for these very tales of deception, that would be absurd, as clearly these things are the works of two very intelligence active nations trying to justify their 'raison d'existence'.)

Point? None really, just jettisoned considerations from thinking matters out, and whatever subtle entertainment value such considerations may provide for anyone silly enough to read such a yarn.

HypnosMay 24, 2015 7:50 PM

Only the most sophisticated and most well known criminals are the ones being watched.

That is true, nations watch each other extremely carefully.

:P

ThothMay 24, 2015 8:05 PM

@Nick P, all
Regrading cascading ciphers, no known publication to actually have theorems to attack and fracture/break cascading cipher schemes.

A nice cascading cipher paper (not yet read).

Link: https://eprint.iacr.org/2009/093.pdf

Cascading ciphers are always rather helpful and I have always been using them very frequently as well.

According to the blog "avoid: AES-CBC, AES-CTR by itself". Always use a symmetric or asymmetric signing or some form of authenticated encryption. It applies to all symmetric ciphering schemes regardless.

Avoid "HMAC-SHA1". Yes it is fractured but this is one of the most common hashes in almost all system. It is about time to retire these old crypto functions but it is still slightly relevant. Think on the line of smartcards (high ends will have SHA2 hashes but low ends have only SHA1 and MD5). You could write your own SHA2 hashes into the samrtcard applets but that is going to consume good amount of EEPROM and RAM spaces in low end versions. In the context of the Github "advisory", software-based crypto on normal desktop CPUs or server CPUs are capable of delivery SHA2 and SHA3 which is what is targetted for so no excuses for desktop/server softwares. In the embedded world, that is starting to change with cheaper availability of high-end chips but the consideration for low-end chips still needs to be in the mind.

Random ID. Depends on the CPU and usage again. But in general, use a longer ID to prevent collision.

Password handling can be hardened with password hashing schemes or they can be encrypted with a secret key in a HSM or both. For those who imply they can bruteforce the secret key to retrieve the encrypted password (assuming the encryption is properly done), I am very doubtful because you need to bruteforce the AES-256 or 256 bit key and on top of that, the industry standard for encrypting passwords is to use unique and random 256 bit keys to encrypt passwords. Adding password hashing via BCRYPT and SCRYPT would always be very welcomed too.

Avoiding RSA is one of the biggest loophole in this advisory. The nature of ECC itself is somewhat ... unknown and is too new on the block. RSA is well proven and studied and almost every other crypto-processor will support RSA flat out. Most ECC ALUs maybe built on top of the existing RSA ALU to tap it's well designed and proven circuits. Just avoid the smaller key sizes of RSA (less than 2048 bits) and use proper ESA PKCS1.5 and even better with OAEP.

DH Groups are tricky. You want it fast or you want it slow. 1024 bit groups are still used in banking environment and HSMs but are considered weak (for internal secured environments). Of course the bigger the keys the stronger but the slower. A trade-off. Not all crypto-processors are equipped with DH ALUs but they can still be done with some BigInteger math ALUs available on most crypto-processors. If it's for the desktop and server CPUs, just use something stronger.

TLS/SSL libraries. No idea what's he talking about. No proofs either. How to explain the problems with OpenSSL ?

Last point on the client-server app security... TLS is still the web crypto out there. Most problems are due to legacy issues and it's time the old stuff be taken out. Keep the RSA with bigger keys as it's still valid.

JustinMay 24, 2015 8:13 PM

@ Eat your mush.

'... the meaningless term "individual rights" ...'

That's an insult to every citizen of the U.S. and the rest of the world. Your "world standard for democracy" seems more reflective of such democracies as the
Democratic People's Republic of Korea, because you obviously object to the "democratic way of life" in the United States.

Andrew WallaceMay 24, 2015 9:26 PM

The government would NEVER talk up their capabilities to their humble citizen... no not now not ever.

That database is for storing YOUR and EVERYONES data believe it believe it.

WE KNOW WHO YOU ARE AND IF YOU F*CK WITH US WE'LL COME FOR YOU.

Yours sincerely,

The Government

Thanks you for your service. Eat your mush.May 24, 2015 9:28 PM

Sad to say, Justin, you don't know what you're talking about. Individual rights is a term with no legal meaning. Civil rights, that means something, just not much. Human rights, those are more rigorously defined. Individual rights, that's mush that Skeptical pulled out his ass for morons. Enjoy them.

The world standard for democracy, the one the US accepted as a binding legal commitment, and fails to meet, Do you know what it is? Of course you don't, you're a backwoods hick who never set foot outside your nice safe country, at least not on your own. Right? You're another government victim, a pious cringing serf.

JustinMay 24, 2015 9:59 PM

@ Eat your mush.

Well, all your sophistry about human rights means you don't have any concern for them whatsoever, because any rights humans have, they have as individuals.

And the U.N.'s "Universal Declaration of Human Rights," if that's what you're talking about, can't very well be called binding on any nation with veto power in the U.N., which would include the U.S., Russia, and China among others. It doesn't include the right to representative government, either, or the right to bear arms. It only makes vague mentions of rights for those facing the criminal justice system.

But it does include the right to paid vacation from your job.

For actual human rights, I prefer our Constitution and Bill of Rights, which are actually binding on the U.S.

FigureitoutMay 24, 2015 10:08 PM

Thanks you for your service. Eat your mush.
you're a backwoods hick
--Pretty mean unsubstantiated comment (unless you hacked him). Justin's pretty reasonable. Maybe quit feeding troll's w/ worthless posts eh? All "rights" are human mind creations that can only be enforced by a brain until we program computers and sensors to do it.

name.withheld.for.obvious.reasonsMay 24, 2015 11:22 PM

Both the New York Times and Washington Post carried articles today, 23 May 2015, noting that the U.S. Senate failed to either pass the U.S. Freedom Act or a short term re-authorization of sunset provisions of the Patriot Act. Sunday, 31 May 2015, the U.S. Senate is in session for the sole purpose of revisiting the expiring legislation. It is my hope that the U.S. Senate finds the will, moral fortitude, and a sense of history that leads them to do the right thing--let the provisions sunset. Better yet, repel the Patriot Act return to the rule of law--not the rule of secrets.

We are so far a foul of our founding principles that if the framers were here, today, they would think that we'd lost the revolutionary war and King George had triumphed.

65535May 25, 2015 12:06 AM

@ name.withheld.for.obvious.reasons

Bob S. and I have commented on this extremely important vote [in this thread].

As you note there will be a “special” Senate session on Sunday which is a holiday [and a perfect day to manipulate the votes]. I would guess that the Senate will suddenly reauthorize section 215 out of the public’s view.

Emptywheel has been following the proceedings which appear to that gone into Saturday morning. The Burr amendment failed. But, there is some complex behind the scenes action going on.

[emptywheel]

“By far the most likely outcome at this point is that enough Senators — likely candidates are Mark Kirk, Angus King, John McCain, Joni Ernst, or Susan Collins — flip their vote on USA F-ReDux, which will then be rushed to President Obama just hours before Section 215 (and with it, Lone Wolf and Roving Wiretaps) expires on June 1. But even that (because of when McConnell scheduled it) probably requires Paul to agree to an immediate vote.”

“USA F-ReDux had far more support than the short-term reauthorization. Both McConnell and Rand Paul voted against both, for very different reasons. The difference in the vote results, however, was that Joe Donnelly (D), Jeff Flake (R), Ron Johnson (R), James Lankford (R), Bill Nelson (D), Tim Scott (R), and Dan Sullivan (R) voted yes to both. McConnell’s preferred option didn’t even get a majority of the vote, because he lost a chunk of his members.” -Emptywheel

https://www.emptywheel.net/2015/05/23/mitch-mcconnell-and-richard-burrs-authoritarian-power-grab-fails/

I expect an outcome where the NSA and FBI get most of the 215 re-branded under a new name with the bulk collection still in place and the roving wiretaps.

I am surprised that the press is silent on this extremely important vote [held on a holiday].

65535May 25, 2015 12:40 AM

@ Benni

“What is this?”

The failed re-authorization vote of Section 215 will be repeated out of the public’s eye on Sunday the thirty-first [a holiday in the States]. It is not over and there are a lot of under-the-table dealings to be done.

See the prior posts by Bob S and I.


FigureitoutMay 25, 2015 1:00 AM

Couple Interesting OS's and a Linker Introfor those looking to build their own toolchains

Anyone who'd care has probably seen, but in case you didn't, qboot: https://github.com/bonzini/qboot

OS based off MenuetOS (which is apparently not open source) for your old old PC's. Looks like their looking for developers for more drivers for GSoC 2015 (may be too late now). All in assembly. Took only few minutes to find comments mentioning some "dirty hack", and speed is its main design goal I think...

http://kolibrios.org/en/index

Digestable set of essays on Linkers: http://lwn.net/Articles/276782/

JustinMay 25, 2015 2:31 AM

@ Eat your mush.

Eat your own mush.

Any rights humans have, they have as individuals.

My rights aren't here for me to "enjoy". They are here because those that violate them are in the wrong and will forever remain in the wrong for doing so. Those on the other hand who defend, uphold, and fight for my rights are in the right.

Some of my rights, but not all of them, are enumerated in the U.S. Constitution and Bill of Rights. The U.N.'s Universal Declaration of Human Rights which you seem to be hinting at, is a poor substitute for the Constitution. It doesn't mention the right to trial by jury, or the right to bear arms, for example. Instead it has a bunch of other issues that cheapen the very idea of rights, such as the "right" to rest and leisure, an adequate standard of living, social protection for children born out of wedlock, participation in cultural life and the arts, etc, etc. Some of these things are nice to have, but they really need to be worked for rather than demanded from other people.

The clincher to that document is this:

(3) These rights and freedoms may in no case be exercised contrary to the purposes and principles of the United Nations.

...as if to say, "Remember, we gave you these rights, and we can take them away, too..." I prefer my rights to be unalienable, recognizing that they are not unalienable because no one will violate them, but they are unalienable because those that violate them are forever in the wrong for doing so.

Gerard van VoorenMay 25, 2015 2:44 AM

@ Thoth, Nick P - about fixing TLS

I think that mandatory PKI would fix quite a few issues. Wouldn't it be nice to log into your browser instead of log into numerous sites? If the browser contains a keystore this could be possible. It would also fix the cookie crap. You want a different identity? Select a different keyset. Also it fixes PFS, makes MITM harder and makes mass surveillance harder.

We also have to deal with energy consumption. Cascading crypto it good for specific purposes, but for general communication IMO not a good thing. It also costs time. And do we really need 256 bit crypto?

Other aspects that would be nice to fix when it comes to TLS: DDOS prevention, prevention of side channel attacks, tunneling, session management, and that we can rely that TLS itself if mandatory when it comes to networking in the first place.

TLS is fundamentally broken. Let's face it. It is time for MinimaLT.

Clive RobinsonMay 25, 2015 3:33 AM

@ Justin, ALL,

It doesn't include the right to representative government, either, or the right to bear arms.

"Representative Democracy" is not Democracy, what we can currently have is at it's best a vote for a "monkey in a suit" who will then have their decisions swayed / made by those with the Power/Money to be noticed, which does not include "We the people" but some tiny self apointed subset.

More importantly you are voting for this monkey in a suit, not substantive issues.

Currently the very bad chunk of legislation called the Patriot Act is going through it's "Sunset", which would I suspect get a popular vote. However rather than let it go the US elected representatives have gone into what might be called "secret session" out of sight of those who elected them to try to keep the unknown represive secret legislation alive, for those with power and influence.

Representation politics is in no way democracy as the Ancient Greeks understood it, it was a messy cludge brought in for expediency when meaningfull communications could take days over what we would consider the short distance of fifty miles.

Those times are long past, meaningfull communications can happen in fractions of a second to any part of a sovereign nation and for that matter the rest of the world if we so desired, and our Democratic process for good or bad needs to reflect that by being brought closer to the people. Because it is now technicaly possible for people to vote directly on issues simply and quickly.

However do you think that those with power and influence who we would in no way ellect will alow us that Democratic freedom? I suspect not because they like the system they've got where they effectivly control the legislators and thus the law, and if you've bothered to look at US tax legislation in the past three or four decades it's fairly clear that aside from a few sweetners tax legislation benifits just a handfull of people less than 1% of 1% and everybody else pays for it. That's what "Representational Democracy" gets you, the most undemocratic system there is, and even Winston Chirchill knew that and said so and he's been died a half century ago.

As for "the right to bear arms", they have that where ISIS is, does it do the people who live there any good?

Wesley ParishMay 25, 2015 3:40 AM

@all

Don't feed the troll. You know who I am talking about. He's been sent to Coventry, back in time to 1940. Maybe in a Heinkel 111 bomb-bay ...

re: War. like Pterorism and Terrorism, it's currently a vacant term. It means anything. When everything tastes like chicken, what does chicken taste like?

re: Human Rights. These are a set of enforceable restraints upon state power. And a major part of them is that they apply across the board, without discrimination except for very special, very particular cases. That is what is meant by the word "Human" - these are intended to be rights that are inalienable from being human, that the state is only permitted to put aside temporarily for emergency situations.

How do these human rights affect the security debate?

Firstly, during the "Cold War", the United States and its cohorts used the abuses of the Soviet Union and its cohorts as a major reason for others to steer clear of USSR blandishments, and the like. As a result they created expectations that I see as actionable against them: if the United States made sure the world knew that Soviet spying on the average Soviet Joe Bloggs in the average street was a criminal abuse of state power, then it's only the neurologically deficient, the memory challenged, the moral cripples, that fail to see that similar US spying on the average FiveEyes Joe Sixpack in the average street is likewise a criminal abuse of state power.

Secondly, the concept of "Human Rights" took root because they actually worked. The United Kingdom fell into the habit of constitutionalism, of the "rule of law", of freedom of speech before and after speaking, and similar luxuries, and became immensely wealthy and powerful, so much so that the rest of the world sat up and took notice. While France, for example, used internal surveillance and fell to revolution then collapsed upon itself with the Terror.

Thirdly, one of the prized attributes of a successful state is stability. Read The Crusades Through Arab Eyes by Amin Maalouf to get a picture of this stability through foreign eyes. One of the factors contributing to stability is reliability, dependability, of humans trying their level best to approximate the mathematical function: one input, one output. Knowing what you get if you provide undesired input into an oppressive regime may be a close approximation of the function, but you don't get a second chance to do it again, which is rather terrible if you're warning against something like an environmental threat, so societies that penalize freedom of speech tend to run up against their limitations rather quickly, no matter what the reason alleged - pterorism, security theatre, electioneering debacles, whatever.

So a society that is "secured to the eyeballs" tends to forfeit the stability it is attempting to get, because it can't see where it's putting its feet.

And that's where human rights and privacy and security intersect.

END RANT

Clive RobinsonMay 25, 2015 3:57 AM

@ Gerard van Vooren,

Cascading crypto it['s] good for specific purposes, but for general communication IMO not a good thing. It also costs time. And do we really need 256 bit crypto?

Yes and no, cascading two 128bit ciphers together might give you 256bits of KeyMat and look like it gives ~256bits of brute force, but does it? Most probably not, it might give as little as 129bits equivalance.

The problem is key size is not realy an indicator of strength or work equivalence these days and has not been for some time, and if Quantum Computing happens in our life time, we may well require cipher systems with 100Kbit keys to get the equivalence in security we "might" currently have.

Whilst cascading does add delay and computational cost, with care it buys you the resilience that no current common single crypto algorithm can. Importantlt it buys you time when new attacks become practical, and with the world "going embedded" via Smart Meters and IoT, we will certainly require that time as the debacle that was WEP still shows updating embedded hardware means a decade or more in time and a lot of unwanted toxic landfill.

It's one of the reasons why I used to call for NIST to "step up to the plate" on "frameworks", however with various "select interests" trying to pervert the process to their own ends, it looks like we will have to have the trauma before the cure...

ThothMay 25, 2015 4:05 AM

@Gerard van Vooren, Nick P, Clive Robinson, all
The problem is not about how each application handles security by itself. The problem is the root of security and trust is close to non-existent in most system.

In simple, you don't have a "security culture" mindset baked into how things are made/designed/tested/handled. Lack of such a mindset, all the machines and applications aren't secure from the ground up.

I wouldn't expect my browser to handle security and also my websites should not need to be expert in security.

I expect the underlying framework to be secured in advance so that everything running above it is already secured.

What I would propose is a security center module and the applications would tap into this central security module (governed by per user for humans and per machines for machine entities).

Wesley ParishMay 25, 2015 4:07 AM

@Clive Robinson

As for "the right to bear arms",

Surely you mean this?

(I wrote it in outraged response to the Sandy Hook Massacre.)

CuriousMay 25, 2015 4:48 AM

Hrm, ticking off the option for TLS 1.2 and 1.3 in my Opera browser on my computer (preferences/advanced/security/protocols), doesn't save with me closing my browser (no save button regardless), only "TLS 1" will stick.

gordoMay 25, 2015 4:50 AM

@65535

...Sunday the thirty-first [a holiday in the States].

For accuracy, though Sunday is a non-weekday/work-week day, i.e., a weekend day, and a good time to generally avoid public notice, e.g., late-Friday night press releases, and the like, the closest U.S. national holiday to the upcoming May 31st date, is happening right now, i.e., Memorial Day weekend. So no, everyone is out of town, visiting, etc., this weekend. Next weekend is a weekend-as-usual.

Due to the nature of the issue, e.g., it's dividing both political parties and making for some strange bedfellows, the story has been getting some play in the States. I guess we'll see how things go this week.

CuriousMay 25, 2015 5:10 AM

Correction: There is an "ok" button for saving the settings I mentioned, so I was wrong in writing that there wasn't any save button. Regardless, my computer doesn't seem to save these settings for me on my computer.

My Win7 install is obviously broken, and/or buggy (saving of clock settings are buggy for example, task manager often crash, a browser all of a sudden started to always have a long delay on startup), but I can't find my win7 install cd and will have to wait for Windows 10 with its directx12 stuff to have a fresh OS install.

Justin tooMay 25, 2015 5:17 AM

@ eat your mush
"Of course you don't, you're a backwoods hick who never set foot outside your nice safe country, at least not on your own. Right?"

Me? Debatable. Backwoods hicks kicked some alien ass. Jealous

@Justin
"Well, all your sophistry about human rights means you don't have any concern for them whatsoever, because any rights humans have, they have as individuals.
And the U.N.'s "Universal Declaration of Human Rights," "

Again we are getting into the semantics of things. U.N. is not a governing body. Its manied resolutions are selectively enforced by the strong and able. And believe me there are plenty of people who detest a one world government. If we have to make bargains for human rights, who are we bargaining with? I mean we are all human ...right?

AnuraMay 25, 2015 5:49 AM

@Clive Robinson

Representative Democracy can work, but the way we do it is flawed on almost every level. My concern with direct democracy is that you end up with only the retired population consistently voting, and those devoting most of their time to work and school finding no time to vote on every issue, thus introducing massive sampling bias.

1) If you do not have proportional representation, then your legislators are not representative of the population and you do not really have representative democracy

2) It needs to be easy to get elected. If it is difficult to get elected, it means that only a select few will be elected and your legislature will not be representative of the population. On top of this, the more difficult to get elected, the more influential those with money will be, and the less representative the legislature will be

3) The legislature needs to be structured so as to minimize the influence of any individual.

4) We need transparency. The way bills are written today is designed to allow the politicians to add provisions to please their donors, while preventing blow-back because they know their constituents will be unhappy with them. Every addition to every bill should, by law, have the name of the representative that attached it to the bill, as well as the person who actually wrote it, who they and the politicians did so on whose behalf of, and if that person represents someone else, who that person represented, and so on and so forth.

For point 2, easier to get elected does mean proportional representation, but more specifically it means that we need to get it through multi-winner elections, and we need more representatives. Multi-winner elections through methods like STV don't require party approval of candidates, meaning representatives are more likely to represent the voters rather than the party. On top of that, the more representatives you have, the easier they will get elected, and more importantly the more they will be statistically representative of the population. I would suggest that the US needs anywhere from 5000-10,000 representatives in congress. As a nice number, I would say that there should be 1 representative per 50,000 people, with a minimum of five representatives per district.

So. how can congress function with so many representatives, you asked? Well, it should work like a direct democracy. No committees, no individuals that have to bring a bill forward, no consensus among a majority party (which, even if 60% of a party that represents 60% of the population supports a bill, it means at the very most 36% of the population is, by proxy, deciding on whether a bill should be voted on). Any representative should be able to propose a bill, and it should be brought up for a vote as long as a petition is signed by a large enough portion of the representatives (say 20%-30%, with signatures by a majority of representatives being the only way to stop the vote). This also means that it's a lot more difficult to hold legislation hostage for the sake of getting provisions added to make some donors happy.

AnuraMay 25, 2015 5:52 AM

One thing I missed:

The public should also be allowed to petition for a bill that allows them to bypass the legislature entirely and vote directly during the next election as a ballot measure, like many (most? all?) states do.

WaelMay 25, 2015 6:01 AM

@Clive Robinson, @Gerard van Vooren,

but does it? Most probably not, it might give as little as 129bits equivalance.

What's to stop AES going the DES route and becoming a 3AES just like 3DES with a key bundle (E,D,E)? How about XAES; X => 3 ... Then again, it maybe worthwhile to evaluate the strength of an encryption function that is composed of a secret sequence of key sizes, algorithms, and type of operation for each "round"; (E,D) operations ...

Oh, it's not key sizes that matter! It's the key space that counts. Yes, yes... I know that, the readers know that, and even you know that :)

and if Quantum Computing happens in our life time, we may well require cipher systems with 100Kbit keys to get the equivalence in security we "might" currently have.

That resembles a complex OTP scheme. This discussion assumes the attack is limited to a mathematical one and the end points are secure or inaccessible by the opponent.

WaelMay 25, 2015 6:16 AM

@Anura,

Representative Democracy can work...

Nice scheme. The "problem" isn't so much rooted to the number and distribution of the representatives! It's more related to the integrity of the representatives regardless of their numbers. What you propose can be viewed as an optimization suggestion ... IMHPNO; PN = Politically Naïve.

AnuraMay 25, 2015 6:33 AM

The way I see it, politicians aren't inherently devoid of integrity, but the way the system works gives the most power to those with the least integrity. First is in the election, where those who can get the most money are the most likely to be elected. Your right that I don't completely solve this problem, but I think I do a damned good job and don't see a way to get closer. The second is in congress, where party leadership is god. You don't get a real position of power (e.g. senate majority leader, speaker of the house, committee member) unless you are in good with the party leadership, this is a problem I completely solve by eliminating positions of power.

AnuraMay 25, 2015 6:45 AM

Wow, that was horribly worded. I should be pilloried until I starve to death for that.

I meant "You're right."

Thank you for your service. Take your Zyprexa.May 25, 2015 6:56 AM

@Justin re 2:31

Para 1: Amusing.

Para 2: False. Peoples also have rights.

Para 3: Gibberish.

Para 4: 24-carat US statist propaganda as parroted by classic propaganda victims. If you understood your right to education, instead of having to go into lifelong hock for it or kill wogs for 5 years, then you would know better. It's cute that you think you have a right to trial by jury. Exercise that right with pride when you're plea-bargaining down from trumped-up charges with a 90-year sentence.

Para 5: More pure statist propaganda, particularly the notion that the UN purposes and principles include taking away your rights. How do you know what UN purposes and principles are? Have you read the UN Charter? The question answers itself. And what is this "forever in the wrong" business? Clearly no one ever taught you the historical and logical relationship of rights to Kant's categorical imperative. This is what happens when schools give people technical training and call it education.

It's not my job to unmiseducate you but here, knock yourself out proving you live in the greatest gosh-darn country in the world.

name.withheld.for.obvious.reasonsMay 25, 2015 8:11 AM

@ Nick P

Expect that NSA has yours now.

Two things; the version I sent Bruce (a pre-release draft) did not reveal design architecture components (high level version) and I assume that my key mat is clean. I have the appropriate air-gapped document management system(s). And, the document is purposely targeted for the open source, creative commons, arena--though the community is not immune to influence, the ability to have disclosure is important. I also understand that Bruce is the most likely target for illegal government action(s). But what do you do? Exposing the idea(s) is more important, the classic risk model doesn't apply. And, others may take away important concepts that can be applied outside the described framework.

There may be an opportunity for me to pass a copy along to you in the near future--temporary key exchange an option.

Gerard van VoorenMay 25, 2015 9:11 AM

@ Clive Robinson

"Cascading crypto it['s] good for specific purposes, but for general communication IMO not a good thing. It also costs time. And do we really need 256 bit crypto?"

'It' was a typo and 'if' (later on in my post) too. Both should be 'is'.

"Yes and no, cascading two 128bit ciphers together might give you 256bits of KeyMat and look like it gives ~256bits of brute force, but does it? Most probably not, it might give as little as 129bits equivalance."

I agree. I only said it because Nick P mentioned it. I don't think it should be used for ordinary communications. The thing is, is 64-bit crypto broken today? 128-bit crypto is so much stronger and should be enough until quantum computing.

But that all said, I only wanted to mention that TLS doesn't solve a lot of issues in networking.

name.withheld.for.obvious.reasonsMay 25, 2015 9:31 AM

The more I read of the Office of the Inspector General (OIG), the United States of the Department of Justice (DoJ), the more difficult it is to understand how legislators get away with authoring this miscarriage of justice.

Of the metrics enumerated by the report (number of 215 requests from FBI offices, legal categories such as CI, CT, and PFI as well as the number of US persons targeted), it is the text of that report that reveals more interesting information. Much of the report is redacted, numbers that have nothing to due with maintaining national security, such as the number of U.S. persons targeted (disclosure of just this number would not expose other information such as the number of foreign or total targets) is absent and would have gone a long way to address public concerns. Why would the number of domestic targets be classified? Maybe it has something to do with the following:

From the report, section iv, page 31, this text appears...

Second, the classified directive for determining U.S. person status provides that [remainder redacted].

One has to ask...why is a "legal" determination not only redacted but is specifically classified? A legal test, in a court with a jury, would be impossible when this type of government action is permissible. How is this allowed to stand?

name.withheld.for.obvious.reasonsMay 25, 2015 9:38 AM

@ Wesley Parish

So a society that is "secured to the eyeballs" tends to forfeit the stability it is attempting to get, because it can't see where it's putting its feet.

WELL SAID!!!

Gerard van VoorenMay 25, 2015 9:46 AM

@ Clive and Anura - about direct democracy

Interesting idea. Let the people vote for laws or other issues.
The only problem I see with internet voting is that securing the entire process is probably really hard.


(Entering the realms of fantasy...)

I can think of a standard form with four options when it comes to voting for a law:

1) yes
2) no
3) no, because too complex
4) no, because it contains not understandable lawyer text


(And now taking the next step into the realms of fantasy...)

Adding to that, let's make voting mandatory. And let's say one vote a month for local, state, and federal law or other issues. People should not have to spend much time on the issues, so the issues have to be understandable.

Nick PMay 25, 2015 10:23 AM

@ Gerard van Vooren

Cascading crypto is for those that want the extra security. It's worth extra time to them. Plus, one can always use a hardware appliance or cascade using accelerated primitives.

Regarding 256-bit, yes you do if you're a government. The reason is that quantum attacks are expected to knock security in half. A 128-bit cipher would be a 64-bit cipher. Since data must be protected for decades, it's better to start using 256-bit crypto rather than trying to guess the rate of advance for a known risk.

As for TLS, yes there is a lot to work on or replace. MinimaLT is one option.

@ Thoth

Yes, they're missing a root of security. This is critical for any system that calls itself secure. At least there's lots of work in this area and even commercial offerings.

@ Wael

"What's to stop AES going the DES route and becoming a 3AES just like 3DES with a key bundle (E,D,E)?"

Nothing. I've used it before. There could be cryptanalytic risk in it, though. Anytime the same, exact cipher is used in the cascade there's room for interactions like the meet in the middle attack. That's why I like separate ciphers. 3DES shows that 3AES might work, though.

"Nice scheme. The "problem" isn't so much rooted to the number and distribution of the representatives! It's more related to the integrity of the representatives regardless of their numbers."

Nicely put. Add media cooperation with representatives, then you have a subversion that can control the voting public effectively and potentially indefinitely. We're seeing this with the Hersh report most recently.

@ name.withheld

" the version I sent Bruce (a pre-release draft) did not reveal design architecture components (high level version) and I assume that my key mat is clean. I have the appropriate air-gapped document management system(s)."

You're too skilled not to take some precautions. I assumed as much.

" I also understand that Bruce is the most likely target for illegal government action(s). But what do you do? "

You do exactly what you did. I told you about that risk in case the material was time-sensitive. If so, you might need to speed up your work. If not, then proceed as planned.

Gerard van VoorenMay 25, 2015 10:59 AM

@ Nick P

About post quantum crypto, read this and this, especially the parts of the Technical work packages. Look who and what companies are involved. This is the real deal.

Nick PMay 25, 2015 11:54 AM

@ Gerard

Is there something about the who that bothers you? Looks like a collection of companies and universities that stand to gain from inventing good standards. They'll gain anything from money to prestige (with grants). NXP will likely include it in their products. INRIA might at least publish theirs for us to implement.

To me, the project is all good news. There will be peer-review and hardware implementations of existing protocols that desperately need it. There will also be new work in an area that desperately needs it. There's also others doing work in same areas. I look forward to seeing their results.

Gerard van VoorenMay 25, 2015 12:41 PM

@ Nick P

"Is there something about the who that bothers you?"

No, not at all. It is the opposite. I respect these guys a lot.

to the Better Angels of the UnconsciousMay 25, 2015 12:47 PM

@'do not feed the troll'

"Andrew Wallace" is nothing like how he makes himself out to be, much like "Slime Mold" and some other posters. (Nobody chooses such a nick, who has such intelligence, without bearing in mind just how far away from "slime mold" they actually are.)

Difference is "Slime Mold's" argumentation is much closer to his real beliefs then "Andrew Wallace's" argumentation is. AW is simply acting a necessary "Devil's Advocate", and his persona raises some good points: despite how stupid he makes himself appear, at times, he breaks away from both that and how seriously he pretends to take himself. (For instance, when confronted with him having potential serious mental disorders he claimed he printed out the page, took it to his doctor, and his doctor said it is all untrue. Complete fabrication. Yet he is so good people can actually not be sure about that.)

It is also noteworthy to point out reams of people have attempted to pin down the "real" 'Andrew Wallace' and have been unable to do so. That is part of his message. It is a paradox.

Likewise, Skeptical is showing himself as very intelligent and well read, so why does he leave such gigantic gaping holes in his argumentation practically begging people to respond to?

I post this especially to draw note to AW's last post. Every single line was well calculated and well thought out. It is method acting at its' finest.

Each and every line has a singular, implied but not directly stated message: that he is not "government". (Only the database line would not make sense to anyone else.)

His reaction of alarm was not entirely faked. It was a deepening of cover brought upon *not* by some doubts that someone was or was not "government", but because it appeared apparent that there seemed some cognizance of a ... 'direction of communication potentially to his real self'. I have to be vague on that.

I might also point out something else about "Skeptical", has it never struck anyone how ironic his name is? I mean this is a forum of skeptics, and he comes on, not as a skeptic, but as an impossibly hardened 'true believer'. His name could not be more opposite then his persona.

Not that any of this truly matters, as you pretty much have to act with people by the role they take on, anyway. But it is something else to be oblivious to the fact that it is just stagecraft. I just do not think it is fair to anyone who is at the least wondering, unconsciously, at the many incongruities here.

The merging to stagecraft removes that layer of communication that takes one's role or any appearances too seriously. It gives a comfortable distancing, which is much more align in how people "really think" and "are". And it opens mind, opens heart.


Dialectic MorpheusMay 25, 2015 1:56 PM

@'first world countries superior to second and third world countries', 'political systems', 'legal system'


I sometimes view it basically as all a collective, social and individual, sociopathic narcissism. The more crime, the more outrages which are committed, the stronger that disease gets. Because it affirms the sickness' delusional belief. That they are "the First World", and the center of the universe.

Empathy dissipates for the sociopathic narcissist with every new outrage. The illusion of power grows with every new outrage. It feeds the delusion of power, of all encompassing self.

Everyone else is increasingly depersonalized. Be they poor african americans, domestically, or be they anyone else not of the status quo. Everyone gets to participate, not just the diabolical ones leading the charge, but everyone who buys into the delusion.

The price for the delusion is, for one, increasing disconnect from a meaningful reality. That is, because of the ever increasing depersonalization, what empathy, love, awareness of others they have keeps shrinking.

It is a cold, cardboard universe, but one which they will defend with their life. And paradoxically, in their narcissism, where they increase their own sense of self... they actually decrease the size of their own world. Because increasingly everyone else is not real, not a human being.

In meaningful terms, the truth against the delusion is not something they want to hear. So they are coddled constantly with delusions that keep their eyes away from the consequences of their actions, or the real state of their being.

The more they believe the lie the sociopathic narcissism tells them, the more strongly they react to attempts to wake them up out of their self-destructive, and definitely others-destructive, delusion.

But, of course, in such a world nothing makes sense. So no wonder there are travesties all across the board. And, thankfully, a lot of people do not buy into that vast scam.

There is at least the pretension of rights that they have the right not to buy into it.

It is a contagious meme, a social virus, a disease of the heart and mind. It is transmitted by words and other forms of communication. Zombiefied.

I think the sufferers may be cured if they can be taught that other people outside their group are very much real people. Like the Grinch, maybe their heart can grow back. But, that is highly theoretical.

JustinMay 25, 2015 2:37 PM

@ Better Angels of the Unconscious

Yes, it is clear that "Andrew Wallace" is deliberately taking a "devil's advocate" position on many issues.

Usually when "Skeptical" posts here, there is another distinctive poster who mocks and ridicules him in a rather colorful manner. I wonder if the two are connected somehow.

What's the purpose of this?

  • to generate discussion on the blog?
  • to suss out the true opinions of security-minded people?
  • to influence others' opinions?

What's the purpose of any discussion?

@ Dialectic Morpheus

Re: second and third world countries

Originally the second world countries were those aligned with USSR, and the third world countries were unaligned during the Cold War. Now with the fall of Crimea, eastern Ukraine in turmoil, and the sanctions enacted against Russia, we have a new Cold War. The suddenness of the action in Crimea and the bitter objection to the Euromaidan protests brought to the forefront of the world's attention the vital importance to Russian politics of bringing and keeping those unaligned nations into alignment with Russia.

Russia has lost the ideology of communism which kept the USSR together and replaced it with crony capitalism, but in practice, little has changed. The propaganda continues to flow. The idea of individual rights --- pre-existing, endowed by one's Creator, unalienable, inviolable --- is anathema to that propaganda.

BuckMay 25, 2015 2:55 PM

(Only the database line would not make sense to anyone else.)
Spilling some more secrets here, are we..? Why the insistence on keeping everybody else in the dark when any credible threat-actor will see straight through the ruse?

Oceania has always been at War with EurasiaMay 25, 2015 3:33 PM

@Justin "The idea of individual [sic] rights --- pre-existing, endowed by one's Creator, unalienable, inviolable --- is anathema"

A/HRC/WG.6/4/RUS/1 of 10 November 2008 : NATIONAL REPORT SUBMITTED IN ACCORDANCE WITH PARAGRAPH 15 (A) OF THE ANNEX TO HUMAN RIGHTS COUNCIL RESOLUTION 5/1

"III. LEGAL UNDERPINNINGS OF HUMAN RIGHTS AND FREEDOMS
6. Recognizing the importance of constructive international cooperation in the promotion and protection of human rights, the Russian Federation has become a party to the following cardinal international human rights instruments: the Universal Declaration of Human Rights, the International Covenant on Civil and Political Rights, the International Covenant on Economic, Social and Cultural Rights, the International Convention on the Elimination of All Forms of Racial Discrimination, the Convention on the Elimination of All Forms of Discrimination against Women, the Convention against Torture and Other Cruel, Inhuman or Degrading Treatment or Punishment, the Convention on the Prevention and Punishment of the Crime of Genocide, the European Convention for the Protection of Human Rights and Fundamental Freedoms, and many others.
7. In 2008 Russia signed the United Nations Convention on the Rights of the Child and ratified the Optional Protocol to the Convention on the Rights of the Child on the involvement of children in armed conflict.
8. Besides the generally recognized principles and standards of international law, international conventions to which the Russian Federation is a party take precedence over national legislation.
9. Rulings by the European Court of Human Rights are binding on the Russian Federation.
10. There are constant visits to Russia by the United Nations human rights special procedures. The most recent visits were: in 2006, by the Special Rapporteur of the Human Rights Council on contemporary forms of racism racial discrimination, xenophobia and related intolerance, Mr. Doudou Diène, and in 2008, by the Council’s Special Rapporteur on the independence of judges and lawyers, Mr. Leandro Despouy.
11. Russia is a world leader in numbers of reports submitted to the United Nations treaty bodies.
12. A resolution entitled “Inadmissibility of certain practices that contribute to fuelling contemporary forms of racism, racial discrimination, xenophobia and related intolerance” has been adopted thanks to Russian initiatives at the sixtieth, sixty-first and sixty-second sessions of the United Nations General Assembly.
13. Close cooperation has been established with the Office of the United Nations High Commissioner for Human Rights. The High Commissioner has visited Russia twice in recent years. Since 2006, Russia has made an annual voluntary contribution of $2 million to the OHCHR budget. Implementation of a framework agreement on cooperation between OHCHR and the Russian Federation for 2007 and beyond began in late 2007.
A. Aims and objectives of State human rights policy
14. The Constitution establishes that the State shall recognize, respect and defend human rights and freedoms, which are acknowledged as being of the utmost importance.
15. The human and civil rights and freedoms guaranteed by the Constitution are not subject to revision. They are inalienable, are the right of every person by birth, and are directly enforceable.
16. Russian law and its application in practice are in keeping with international legal instruments for the observance and protection of human rights and with the rulings of the European Court of Human Rights.
B. Protection and promotion of human rights (protection mechanisms)
17. Human rights and freedoms are protected by the legislature, the executive and the judiciary. The President of the Russian Federation is the guarantor of the Constitution and of human and civil rights and freedoms.
18. The office of the Commissioner for Human Rights (Ombudsman) was established to ensure that the State protects human rights and freedoms and that Russian State bodies, local administrations and officials obs
erve and respect them. The Commissioner is independent, and is not subordinate to any State bodies or officials."

Justin is so brainwashed, he never heard of any of this stuff. Poor benighted prole.

JustinMay 25, 2015 5:05 PM

Re: Oceania

And while Russia is busy filing U.N. reports, men like Alexander Litvinenko, Boris Nemtsov, Akhmednabi Akhmednabiyev, and Timur Kuashev aren't exactly given a fair trial by jury. And their murders aren't exactly investigated in good faith. As for that High Commissioner, well I suppose he doesn't want to end up like those men, so what power does he really have in Russia? Russia has veto power over U.N. resolutions anyway.

tyrMay 25, 2015 5:22 PM


I always like the views of those who have never been
in the so-called third world and if they were stayed
in the air conditioned safe space set aside for the
lords of creation. If you went into the reality you'd
see that their aspirations aren't the horrible plans
to make the world a shithole their greedy leaders are
implementing.

The whole conceptual framework is divide and conquer
and when you throw our military into those places it
just gets worse. Once you buy the myth it colours all
your actions. The instant you perceive someone as the
inferior your actions towards them change. It is an
amazement to me that more members of the first world
manage to survive their own arrogance, that in itself
is proof that the third worlders are a lot more humane
individuals. Either that or they know what insanity is
when they see it and are moved to pity benighted fools.

The real reason to be armed is simply to be able to
shoot back.

I once had a well meaning missionary describe headhunters
I was going to visit as being childlike. My own take
on them was that they were a lot nicer than first world
so called adults but there was nothing childish about it.

Mr. CharringtonMay 25, 2015 5:53 PM

@Justin Timberlake You will have an opportunity to prove just how awful Russia is, compared with your beloved Big Brother, in July when the US receives letter grades, A-D2, on a consistent and comprehensive scale rating its four situations of gravity and emergency in breach of binding human rights.

Your own ruling junta has the veto, but that doesn't worry you. You've never looked to see who those vetoes killed. You never noticed when they revoked your constitution after 9/11 and replaced it with COG. You never noticed when you lost your privacy rights, trial rights, freedom from torture, freedom of assembly, and right to life. You poor gullible dupe. You'd have shit for rights if the civilized world wasn't watching out for your helpless brainwashed ass, like so,

http://www.ushrnetwork.org/sites/ushrnetwork.org/files/iccpr_concluding_obs_2014.pdf

http://www.ushrnetwork.org/sites/ushrnetwork.org/files/cat_concludingobservations_2014.pdf

Your high need for national affiliation and identity is indistinguishable from stupidity.

Justin (not Timberlake)May 25, 2015 6:32 PM

@ Mr. Charrington

You change pseudonyms so many times it's hard to follow.

U.S. Congress is a junta and the Constitution has been revoked. That sounds like what liberals would call a right-wing conspiracy theory.

The thing about the U.S., is that here one can talk about U.S. violations of human rights without fear of revenge. Not so in other countries.

Mr. CharringtonMay 25, 2015 7:08 PM

Have you ever set foot in any of these other countries?

Do you read things, sometimes? What sort of things?

How does one learn the things you have come to know?

Nick PMay 25, 2015 7:35 PM

@ Justin

re Andrew Wallace specifically

Andrew Wallace and some others (eg "better angels") are trolls. We have had plenty of devil's advocate discussions here over many years. The discussions bring up points, counterpoints, and so on fleshing out the topic plenty. Then, post-Snowden, there's new people showing up that drop tons of short or long comments of barely any substance. They often don't address any counters aimed at them except one here or there. They often talk about tangents that have little to do with the points of discussion. Talking to them results in little added to overall discussion. They'll occasionally make decent points as a hook or credibility building tool: a common tactic in intermediate-level trolling to preserve interest.

"The male" in question is a good example. I've already called him out here. His responses were consistent with trolling: ignoring the points, making false claims, making threats, backing down from threats when bluff called, making new threats, and so on. A person even begged him repeatedly to discuss a claim he made and to no avail. We eventually found a page in Internet Archive with his name, same claims, same threats and so on. I later uncovered evidence that's he's a liar and in business with another fraud. After repeated dodging, I gave him an opportunity to prove the slightest thing about his security background or credentials. Andrew Wallace went silent at that point to be replaced by sockpuppets. And so on until the thread was closed.

Concluding, he's definitely not devil's advocate, a person representing common counterpoints, or even trying to discuss most subjects. That his Twitter feed reads like a mailing list for British police and intelligence reminded us of similar provocateurs. I doubt he's theirs, though, because he's one of the most obvious trolls we've ever had. He's a troll that aims for maximum attention and disruption of online resources dedicated to privacy and security technology with an extremely pro-police bent.

It's best just not to ever reply to him so we focus on discussions the blog is known for. Maybe one link or note with a reference to his trolling, threats, and fraudulent activity so others know not to waste their time. That's why I'm writing this: it's what we can link to with all the other links in one place.

Nick PMay 25, 2015 7:44 PM

@ Gerard

Oh, ok, I'm glad we're on the same page then. Regardless of who creates what, INRIA's researchers and toolset both have a track-record in producing nearly flawless software. Their people can certainly specify, verify to a large degree, and implement whatever the rest come up with. I mean, they have cryptographers but their best work is in Xavier Leroy's Gallium team.

@ all
(Example of how to deal with known trolls)

re Andrew Wallace

He's a troll as detailed here. He's cluttered enough threads. Best to just ignore him for sake of high quality discussions.

ZenzeroMay 25, 2015 7:55 PM

@ Nick P

Without commenting or adding anything for obvious reasons, very good summary.

Danny BoyMay 25, 2015 7:59 PM

@ "Better Angels"

It is also noteworthy to point out reams of people have attempted to pin down the "real" 'Andrew Wallace' and have been unable to do so. That is part of his message. It is a paradox.

Likewise, Skeptical is showing himself as very intelligent and well read, so why does he leave such gigantic gaping holes in his argumentation practically begging people to respond to?

It is for this reason I do no think in my limited mental capacity that you, and your friends, are affiliated with "the male." But I don't care to know if you were or not. It's just an interesting mystery that we can sleep on.

The main purpose of these "persona"'s appear to work for the benefit, or lackof, provoking discussions. Afterall, life is rather boring, no matter how grandeur oneself is, with no one to converse with.

I wish I could write like you do. :)

Nick PMay 25, 2015 8:02 PM

@ Snake Oil (from other thread)
re EncryptStick and TurboCrypt Doghouse crypto

What connection was there between Sandisk and EncryptStick? Or were they just a hit in search results or ads?

Good catch on EncryptStick's 512-bit current and 1,024-bit future AES cryptography. Lol what fakes. And TurboCrypt? That company that knocked off my polymorphic cipher with their own version? They don't just sell lemons: they turn them into Organic, Gluten-free Lemonade. :)

Nice finds. One is indeed legendary in the world of crypto fraud and the newcomer looks like a promising contender for the flyweight title.

ThothMay 25, 2015 9:58 PM

@Nick P
Too many snake oil trying to get businesses when the world is starving for more security.

Hopefully someone writes something on making security product purchase decisions.

Recent tightening of security product (especially cryptography product) export and import to/from UK. It seems like UK is implicitly making crypto/security import/export (especially export) so much harder recently that if it continues, the UK's security market might soon experience problems with getting sales.

FigureitoutMay 25, 2015 10:56 PM

Thoth
need to be prepared
--I've done extensive self-training here and think quite a bit how I want to redo my "battlestation". Certainly don't want to get this bad: http://www.computerhistory.org/atchm//wp-content/uploads/2012/08/williams-workbench.jpg , more something like this: http://i.imgur.com/I1lZQ1S.jpg but w/ much more shielding. :) I want a high speed "good enough" 'net connection for surfing and a much slower one monitored extensively used for file transfer. I'm stuck on how to do the actual parsing and what exactly can be kept and what can be cut out of ethernet drivers; and then how to do firewall monitoring b/c I can't be overrun w/ logs of sh*t but can't be lenient either; grrr stuck. Modifications so all programming pins on modems and routers are not touchable; no more of this garbage flashing over ethernet, has to stop. Just got a new PC I can offload a lot of my programming/projects on, which frees up a laptop to finally "do right from the start". "It's the one", my baby until I get some BIOS flashing cables. :)

Clive Robinson // Thoth RE: electrical isolation (galvanic and otherwise)
--A while back, poster Iain Moffat said to "isolate both ways". Still not sure what that means, if that means to rectify twice or just having a second transformer after ramping down to whatever your standard power is. Complicates design a lot rather than just normal have same GND.

keep all grounds / returns either galvanicaly issolated or connected only at a single physical point
--Isn't that not galvanically isolated then though?

Clive Robinson RE: evaluating emissions of HWRNG
--Begun 1st rounds of testing HWRNG used in TFC w/ my "spectrum analyzer" touching the "digital out" w/ the antenna. I want to know what bands need to be shielded or even better potentially eliminated in circuit. So far, little blurps; no dead-ringers yet. Circuit is here so you can't fault me for not giving enough detail :p http://holdenc.altervista.org/avalanche/images/random-generator-avalanche.png . Have tested a few of the harmonics of "transition frequencies" and frequencies of "noise voltages" listed on datasheets of 2N3904/2N3906 and TL082.

Any practical analysis hints (I can use some equipment at work afterhours, as I'm limited at my home lab) or is the circuit a hopeless cause? Planning on shielding the whole thing anyway. I also will be testing shortly if RF is (goddamnit better not) getting on input wires to arduino, this would be problematic on default TFC installs if no shielding between RNG and Raspberry Pi sampling it. Don't send me on a chase of Slartibartfast quotes please! :p

SkepticalMay 25, 2015 11:19 PM


Wtf is it recently with this BS Russian propaganda?

PseudoFoolingNoOne, you picked the wrong audience for this. Drop that crap in the comments sections on CNN or RT or somewhere.

Russia arrests anyone who is evenly openly gay. In most of the civilized world, acceptance of gays and lesbians, and of persons of different races and religions is growing. In Russia, intolerance is the only thing that's growing.

Russia has hardly any independent press to speak of. It requires bloggers to register. It runs full taps on every connection. Putin is a strongman is all but name. Investigative journalists are murdered; businessmen out of favor are imprisoned and die from maltreatment; dissidents abroad are poisoned with polonium, and those responsible later elected to the government.

Russia makes no pretense of caring in the least about democracy or human rights. The idea of counting the number of reports it submits to the UN as proof otherwise sounds like something straight out of the silliest days of Soviet bureaucracy. It's astounding to me that you would bother claiming otherwise. I cannot overstate the degree of utter scorn and contempt with which I hold the ignorant, ill-informed, quite frankly moronic views on this subject you have expressed in this thread.

PseudoActivist, I have been around this world more times than you've probably left whatever little urban enclave in the Commonwealth country you happen to reside in. I personally know the worth and strength of individuals from many nations, from many walks of life - including those with oppressive and corrupt governments. I have known brilliant men and women in former Soviet republics who hoped for freedom and opportunity, and found instead a new prison of corruption and authoritarian kleptocracy. You can posture here until your screen is covered with spittle from incoherent rage at being presented with reality. It means nothing to me, nor to anyone who knows the world.

The reality is this: even in its failures, the US has attempted to institute democratic forms of government. And for those nations currently threatened by the likes of Russia, and China, the US is the ultimate guarantor of their security and their own self-determination.

Because unlike the utterly sordid history of Russia in Eastern Europe, the US both funded the rebuilding of, and then put its own blood on the line to protect, sovereign and democratic nations. Estonia, Latvia, Lithuania, Poland, and others, are not worried that the US seeks to rule them. Neither is Taiwan, Japan, Vietnam, Singapore, Georgia, and many others.

The US can't reform the world, and frankly there is no policy to do so. The fight against international terrorism is a long, low-intensity war that will continue until order and peace returns to the regions from whence these abominations are born. In the meantime, though, you can fully expect the US to focus the bulk of its attention on longer term, truly strategic issues.

What do I mean by that? I mean that the US isn't going to permit Russia to intimidate new democracies in Eastern Europe, and it isn't going to permit China to assert sovereignty over thousands of square miles of international waters and airspace. It isn't going to permit a nuclear arms race to begin the Middle East. It will continue to develop the high-tech weapons, along the strategy and tactics that make use of them, aimed at those strategic challenges. You can listen to the twaddle on Russia Today about HEMP and turbo-prop Russian bombers on patrol. They're about 4 decades behind in technology and at least as many in training. And despite the rich load of manure they shovel into your welcoming mouth every day, the generals of the nation you admire but seem to know almost nothing about - most of whom are actually professionals - know better. In fact they probably despise the pointlessly bellicose propaganda produced by those who know nothing of war as much as I do.

Integrating China peacefully, constructively, into the global order will require intelligence of the highest quality. Minimizing the bloodshed Russia perpetrates in the name of domestic aggrandizement will require the same. Ensuring that we can target terrorists precisely, with maximum effect, will require the same. And those things will require hackers of the first order - those able to devise ways into the systems of authoritarian regimes, to detect their plans, to map their corruption, and to allow the democracies of the world to steer us towards progress and peace - and, failing that, towards a quicker, less bloody, victory in war.

I say again: history has not ended. The halcyon days of the Cold War's end have passed, and the challenges before us are as great as those which confronted us after the ends of the world wars.

As that truth becomes more clear, there will be no lack of volunteers willing to help. Because our imperfect governments and systems represent the best hope for humanity's future, the best protection of individual rights, and though they carry the scars of failures and flaws - from the awful mistakes of the Vietnam War to the early mistakes of the Iraq War - they bear also the glory and promise of having melded individual rights into the laws of the most powerful countries on this earth.

So, friend, continue to spit at your screen in rage. Continue to spew the meaningless resolutions of an undemocratic organization as though they represented truth. History marches on, and the graveyard of the corrupt regimes you so despicably defend shall be answer enough.

ThothMay 25, 2015 11:26 PM

@Figureitout
Regarding:
want a high speed "good enough" 'net connection for surfing and a much slower one monitored extensively used for file transfer. I'm stuck on how to do the actual parsing and what exactly can be kept and what can be cut out of ethernet drivers; and then how to do firewall monitoring b/c I can't be overrun w/ logs of sh*t but can't be lenient either; grrr stuck

You can use a Separation Classification System that specifies a set of classification say unclass, restricted, confi, secret, top-secret, cosmic-ts ..etc .. or setup a priority classification rating (if you hate the military classification levels) by rating 1 (least critical) to 7 (most critical).

The Separation Classification System (SCS) uses a separation kernel (seL4 or stuff like that on a Type-1 hypervisor) and you have two connections, one is Ethernet and one is serial cable. The class level 1 to 3 will be allowed through Ethernet whereas the class 4 to 7 will only be allowed onto serial cable. Each classification has also to use it's "Classification Secret Key" which is a set of symmetric keys shared between the SCS held in a keystore per separation module. This will effective allow you to keep the number of cables down while still remaining logically separated over the shared cables.

You can also adopt a TFC-like model on top of the SCS if you want.

Figureitout, http://www.computerhistory.org/atchm//wp-content/uploads/2012/08/williams-workbench.jpg, looks like Clive Robinson's home lab (I can imagine something along that line).

Shielding RPi and crypto researches ? You need some layers of EMSEC blankets and situate all these sensitive stuff in a Faraday's Room (not Cage). Have a layer of air gap between 2 layers of walls and each inner layer of walls have more EMSEC blankets. This would be rather useful :D .

to the Darker Angels of The UnconsciousMay 25, 2015 11:47 PM

@Buck

(Only the database line would not make sense to anyone else.) Spilling some more secrets here, are we..? Why the insistence on keeping everybody else in the dark when any credible threat-actor will see straight through the ruse?

Not how it might appear... and when matters can be really layered, I do not think it is necessarily a ruse to outside observers, though they may see it that way. There is secrecy involved and security.... but I think the matter is more difficult to explain...

People have layers. We have our conscious mind, then our unconscious mind. We have many layers of decreasing down superficiality until "who we are".

One of the most fascinating things these days is the prevalence of television shows and movies where there are alternate identities going on.

On screen, it seems all so very simple. But the reality behind that is very deeply layered.

For instance, you have a person who has a job as an actor and in their job as an actor they play someone... that someone has an alternate identity they live in... and that alternate identity is what the audience sees. They forget there is an actor there, and beyond that, a person is not even an actor. They are a person. Just like Jim the cook is not a cook. It is just a uniform he puts on and a role he plays and a job he works.

When you are talking about interactions between two or more people at that very utmost level, then... things are most definitely not how they may appear to be.

I also would not say that the vagueness of what is being said can be definitively colored in by obvious ways. It is also not necessarily "secrecy for security". But, consider, conscious mind... unconscious mind. The unconscious mind takes in an enormous amount of information and the conscious mind or self is just a small pinprick in comparison. The conscious person can be very limited, therefore, in knowledge, and have a very wide range of superficiality they actually believe is "all there is to them". But the unconscious is the dressed down self.

Point being: why does the unconscious mind not tell the conscious mind everything it knows?

Definitely, there is often protection or security involved there, but often other factors as well. For instance, the conscious mind is like a role its' self, and telling it something outside of that role could cause the conscious mind to reject what is being said. And if it can not reject it, it might start to become fractured, broken down, as it laboriously attempts to cope with the new information.

I mean, how many times can you tell someone something totally true, and you know they won't accept it because it does not fit into their current understanding and models of the "universe" or their own self?

It isn't like people go around sucking up truth at the nozzle. Far from it. The tendency is to stick to that "truth" one has already well bought into and keep feeding that truth.

At a core level, I consider all of this language. I am not going to go into a foreign culture and violate all of their rules, customs, expectations just to make a point, would I? One has to talk from their understanding so they can hear you.

But, re-reading this, going back to the audience level: the audience sees the matter two levels deep. On a much more dim, distant level they may be cognizant of the actor. They usually try and not think about that. Where it can get really fuzzy is how that second to last level? Does not matter. They confuse the actor or actress with the roles they play. It is absurd. I mean, heck, I like John McClaine. I usually like movies with Bruce Willis in it, and frankly, if I met Bruce Willis in person, it would be hard for me to separate the man from the roles I have seen him play.

Probably a major reason I avoid following celebrity trivia...

Is all of that fucked up? Of course it is fucked up. Unfucking believably mind bendedly fucked up.

Security relevant? This I will admit. Computer security relevant? Don't even get me started. Whole nother layer right there with that.

But, beyond that, the unconscious mind does protect the person, so a lot of times the unconscious mind can intrude into conversations to throw off others in a very myriad number of ways.

Is all of this just a cagey non-response? I can see how it can appear to be that way, but if so, consider how well thought out it all is. So, maybe not as it appears.

And do note: maybes, not necessarilys and such are indirect methods to speak to a person's deeper understanding and bypass skepticism. Otherwise, people can reject it right off.

They get the message, but not consciously. Which is often of more limited value.

Dialectic HypnosMay 26, 2015 12:04 AM

@Danny Boy

It is for this reason I do no think in my limited mental capacity that you, and your friends, are affiliated with "the male." But I don't care to know if you were or not. It's just an interesting mystery that we can sleep on.
The main purpose of these "persona"'s appear to work for the benefit, or lackof, provoking discussions. Afterall, life is rather boring, no matter how grandeur oneself is, with no one to converse with.

Yeah, I noticed another poster said that, and I say it sometimes myself.

But communication is also a form of trade. We buy into ideas and we sell ideas. And that can often be very multilayered. Why do we buy into anything, we probably hope to get something from it.

A good model is if you have a problem or wish to achieve a goal, well, it can be difficult to even begin to imagine where "there" is. For me, it is often distant imagery, metaphors, like "I am on an airplane to an island".

So, you might go, for instance, to a hypnotist. A hypnotist - a good one - is very effective at helping you reach your goals. Sounds ominous, right? But, the reality is that is just a word, and a very often misunderstood word. We really have very little idea of what it all is beyond the models we have constructed and shared. More to the point, we go into trances all the time, including when watching television, writing, or riding the bus. Or an airplane.

Point is that "trance" - "trance" communication much more then what might be expected can actually be done. But whose kidding who? We are all information. DNA is information. Food could be said to be information we break down, reading it. There are whole religions about obtaining such things as immortality by information. Problem is so much crap information. But, good information? It can change your life.

So, education. School. Even if I write, I am often either directly or indirectly hearing back input. Corrections, additions. But no doubt about it, I am on a journey, a search. Maybe you are too. I want to get beyond "all this". Confidence for that? Been getting more and more beyond it all over the years. Like a rock or a veil, eventually the whole damned thing finally comes down. You finally land on the island.

Spies, security, privacy, hackers, governments, politics... just superficial.

The Great Menacing Other. And discovering that there isn't a Great Menacing Other. Even simple stuff like that can totally explode down one's Matrix like walls.

FigureitoutMay 26, 2015 12:40 AM

Thoth
you have two connections, one is Ethernet and one is serial cable
--Familiar w/ something like this, problem is, is it enough to rely on a flash ROM to separate the connections that there's no possible way for ethernet data/code to slip on over into level 7.

You can also adopt a TFC-like model
--Yeah, like that model; as well as "net-taps" and either crossing ethernet/serial cables or just straight cutting them. Then it's basically protocol hacks or ridiculous side channels to breach that. This causes protocol weirdness though; less error checking, get weirdness where it's hard to classify actual bugs and catching an attack, frickin' annoying.

Shielding RPi and crypto researches ?
--Yeah, but all the exposed wires too! That's the antennas, you may think they're incorrect lengths unless the connections on the board make the right length for that wavelength... Since TFC needs like 4 separate computers in the same room, if they're laptops, those power bricks can be TERRIBLE noisemakers (you'd probably want to use older laptops if you're serious about security too, making this potentially worse). Otherwise it'd be the wallwarts for RPi (if really light, means pretty efficient "switcher" probably spewing sh*t). If the noise rides in on the sample pins for the HWRNG then it may affect those values w/ very predictable repeating sine wave values. Super irritating, it never goes away.

BuckMay 26, 2015 1:01 AM

I mean, how many times can you tell someone something totally true, and you know they won't accept it because it does not fit into their current understanding and models of the "universe" or their own self?
That's fair enough, but I really wasn't meaning to speak in terms of unconsciousness... I was referring more to the little make-work we're all wasting our lives on for a paycheck or for pretend security. I mean, who do those people believe -- 'sources'??

If all parties are investing their maximal resources to spy and steal from the others, how can we ever hope to solve our deeper problems?

ThothMay 26, 2015 1:33 AM

@Figureitout
That is the reason a high assurance kernel using Type-1 hypervisor is used. If you want to physically split the data into physical buffers on physically separated memory chips, that can be done but you need to customize the firmware which is much more complex.

Protocol hacks. That's where you do datapath encryption.

It is hard to fulfill everything and that's the reason most of the security are rather relative to the mission and also to the physical size and logical size of deployment, the resources necessary and so forth.

For my suggestion, you can just get a custom board with GPIO pins, setup two serial adapter via GPIO and use a board with 2 Ethernet adapter or just use the GPIO again for the other Ethernet. You might love to customize a casing in plastic or metal or some composite material to house you electronics too.

You have a console serial, Level 4-7 serial I/O, Level 1-3 Ethernet I/O and a generic remote Ethernet access to do non-administrative stuff like user requesting and ticketing all within the possibility of probably a single RPi or an ARM board.

Load up some high assurance kernels onto it and script a control system, access processing system to handle each of the level's access and also a trusted keystore per level and of course the pipelining system for the I/O.

Anything more complex is going to cost so much more than what your pockets can afford and also talk about your complaining around of cumbersome electronics, cables and noises that you hate.

ThomasMay 26, 2015 2:23 AM

That was a great speech by Skeptical. I couldn't agree more with what he said. Shame on the poster(s) who compared him to AW!

Dreamer of StuffMay 26, 2015 2:52 AM

@Buck

That's fair enough, but I really wasn't meaning to speak in terms of unconsciousness...

Ah, but it is relevant, even if I jumped ahead a bit. Because you asked a good question. It reminded me of a big rabbit hole time in my life. On the job. It was like "everyone is so obvious". And "why don't you just tell me". But I had to keep doing my work. And they kept talking to me in work terms. It was so frustrating.

I mean, a rabbit hole is just a rabbit hole. A hole in the ground rabbits go into. And work might have deeper significances for us as human beings.

I saw down the rabbit hole, and saw there was more to everything being said. I was not stupid. So why doesn't anyone just say it.

I mean, what is computer programming or code analysis or network security testing? How mind numbingly dull can anything get? Who cares about profit margins or future attack vectors? Firewalls and malware, rootkits, and virtualized systems.

I thought maybe, everything is bugged or something. That is why they would insist in saying one thing but meaning another.

And there were layers of possibilities. It was very difficult. It was like reality its' self would start to bend to show me my own guesses back at me, but stretching them out to make the impossible. Or otherwise ludicrous.

I guess you probably can't relate but that is why I went that direction. It reminded me of that time. The point being is the communication was multilayered. Consciously, I wasn't getting everything, but unconsciously I was. Getting to the point to where my unconscious could explain what my conscious needed to know took quite some time.

I mean, you know the old hackneyed saying, "The answers are within you"? Well, sometimes it really is. And it can just take some time and reflection. Maybe there is a deeper meaning to that mundane shepard's job, or your business as a handyman. Maybe there is more behind all of that computer code and network applications, some deeper meaning, that we are just not seeing.

Of course, alphabets are alphabets. You can make gibberish with them or you can write a symphony. A really good book. And almost anything can become, ultimately, a sort of alphabet. It can sometimes take awhile for it all to click.

Nowadays, when I get direct assignments, I am less likely to get really bothered, "what is the deeper meaning to this". I just wait and see how it plays out. Everything eventually plays out. It makes sense sooner or later. It can be mundane work, but even the most mundane of work can eventually spell out something far higher, far more rewarding. As one expects, if one expects. (I suppose.)


I was referring more to the little make-work we're all wasting our lives on for a paycheck or for pretend security. I mean, who do those people believe - 'sources'??

I am very serious about my pretend. I get very good pay in terms of rewarding information, and the very kind of rewarding information I so look for. Then, there is everything else, the mundane. But is it. We communicate on so many layers, and saying something important often might need a follow in, backdrop, more ordinary and mundane stuff. Conversations, just being people enjoying each other's companies.

So much stuff I do not get until later. I would like to say "it is the mundane mixed with the sometimes very sublime". But is it? Maybe my unconscious mind is taking in the other information and needs it for processing the obviously sublime.

But, I am not joking about the "pretend". Because everything practically is. I totally can get into my work. I can put a lot of passion and focus into. Or with video games, even. And what is more pretend then video games. Or a book.


On sources, not sure what you mean. If you are much of a critical reader, you know a lot about vetting sources. I remember when I finally got online, I was aghast at the kinds of crap people were telling me. Unsourced internet crap.

If you have ever learned any remarkable value possible for information, you are going to have cognizance of bad information and cognizance of good information. And minding sources in whatever you read or study is always critical.

But, of course, not so easily obtainable in worlds hidden in rabbit holes. :-) Who is anyone? Noone is as they appear. House of mirrors. You can come up with complicated strategies, test them, then realize afterwards it was all completely worthless. A brief, fleeting vanity.

This is bad online. It can be very bad in person when the person is "out there" somewhere. You don't know who they are. They could be anyone. Their agenda could be anything.

But, ultimately, it is about not just always having input coming in. Sit around and think. They say "how can you sleep at night". It is a saying. It is not just for people with a guilty conscience. But for people who have a very much to think about. If you avoid it, well, you lay down, and boom.

Writing stuff down, I find helps thinking. Working it out on paper. Just thinking in the "air" can be difficult. Thoughts come and go. Where do they come from, where do they go to? Why do we even need to think things out? The thoughts just come and go. What, does something change within us through such a mysterious process.

Yet, if you look down at the microscopic level of human biology, our bodies don't think in this way with food. It just takes it in, breaks it up, processes it, reading it like a lock and key, or eyes on a page with the various sequences of words and letters. It does not say, "Where are you going" or "where did you come from". It makes it into energy. Power. Capacity to do something. Information does the same thing, but it is almost like our conscious mind thinking it out is where the process of breaking it up into energy is. Our microscope. Our mind.

Bread is just bread. Water is just water. Yet, one could say, effectively, as mundane as it is, it gives us energy to stay alive. Same kind of thing can be with information, where there is the often mundane and rare sublime.


If all parties are investing their maximal resources to spy and steal from the others, how can we ever hope to solve our deeper problems?

My world view is very different from that. And this does get back to the unconscious. One way of saying it to be "politically" correct is that people aren't really as in charge as they think they might be. Systems work themselves out naturally. People not only do not have "the answers", they don't even know the right questions to ask.

You can have one single technological innovation in who knows what realm, and it can be globally game changing. So much of who we are and what we do is not who we think we are and what we think we are doing. Like with thoughts. Do you think in parallel? Do you have multiple chains of thoughts running through your head at the same time? Maybe fifty, a hundred? Thousands? It is amazing we can drive a car even and think at the same time. And how irrelevant our thoughts are while we driving to driving.

But, we want to know for sure. What do we want to know for sure? I would suggest we watch out for failures of imagination on those questions, and aim higher. Wouldn't it be great if the absolutely impossible change happened and it was completely fantastic beyond our wildest dreams? And if reality is just about anything but a closed, entirely entropic system, then that exactly is pretty well guaranteed.

Spying in general, I think is just mundane work. Countries reach out, they need information to operate, like our bodies need food, and they try and get what information they can.

That kind of spying is very much like journalism. Investigative journalism. You want the big story. It is amazing, because even if we consider the world's big stories, with some distancing, as "big" as it was when we first read or heard or saw it, eventually it just might become words on paper. Some events far away that ultimately seem to have no impact on ourselves at all.

People slowing down for every accident... they have no reason to, if there is room for cops and emergency personnel, which there very often is. They just want to see a grisly possibility. An important message. This is real. This happened. You, too, could be in that situation. It does not change the world. It has no obvious impact on them. It is none of their business.

But they do it.

On the scoped out, eagle's eye view of matters... digging for information, searching for good information is pretty much the same in every field. Sand everywhere. Grass. You have to dig into far, difficult mountains to get the jewels. And in the bigger scheme of things, even those jewels are really worthless to you, personally.

A machine operating, an animal living. No magic curtain where it is pulled away and suddenly there is a magical new world. That is an entirely different field and field set. Anyone working on a magical new world is working behind the curtain. The rest of the world hums on, and the two do not come together like that.

People can protest, group up, they can vote and sloganeer, all of that is also not how the world changes. That is the world operating and that is it. An illusion of change. Real change does not happen that way, not at all.

For that you have to rely on 'deus ex machina'.

From the wiki:

The term has evolved to mean a plot device whereby a seemingly unsolvable problem is suddenly and abruptly resolved by the contrived and unexpected intervention of some new event, character, ability or object. Depending on how it is done, it can be intended to move the story forward when the writer has "painted himself into a corner" and sees no other way out, to surprise the audience, to bring the tale to a happy ending, or as a comedic device.


ZenzeroMay 26, 2015 4:55 AM

@Nick P

"Too many snake oil trying to get businesses when the world is starving for more security."

Unfortunately very true and since Ed's revelations, more people are looking for products to help secure their privacy, which in effect is creating a market for scammers. Bring back the Doghouse posts!

https://www.schneier.com/cgi-bin/mt/mt-search.cgi?search=doghouse&__mode=tag&IncludeBlogs=2&limit=10&page=1

And on that,

@Bruce

Have you finished completely with the Doghouse posts or are you just too busy to get back to them? It was fascinating to see them looked at with a critical eye.

Wesley ParishMay 26, 2015 4:55 AM

@S[k]eptical

Nice speech. Wish I was that polished. Just a point or so:

The fight against international terrorism is a long, low-intensity war that will continue until order and peace returns to the regions from whence these abominations are born.

see my comment on "War" above. If everything tastes like chicken, what does chicken itself taste like?

Again, "terrorism". What does "Terrorism" mean? During the Cold War the US was absolutely certain that State Terror was part of the definition. Now that the Cold War is over, the US has openly adopted State Terror as well as openly using "official enemies" including ones on the State Dept's list of states supporting International Terrorism such as Syria, to practice abominations such as torture. Again, Israel has quite openly practiced State Terror against the Palestinians, and has committed acts across international boundaries, notably in the Lebanon, that would black-list it as practicing international state terrorism if it were any other state other than Israel.

So the official FBI definition of "Terrorism" is overlaid and obliterated by the definition of "Terrorism" as seen in US actions, which is heavily ethnicity- and religion-based: specifically defining "Terrorism" as something exclusively committed by Muslims and Arabs. Nothing new in that: some apolitical relatives of mine in Europe lost their lives during the 1940s due to a similar definition that made "Jewish Communist" as knee-jerk as "Islamic Terrorist" is today.

So to continue an undefined "war" or "fight" against a "terrorism" undefined except in ethnic and religious terms, is to continue on to genocide. solitudinem faciunt, pacem appellant (they make a desert, and call it peace) to quote Tactitus (possibly misquoting someone).

Just for once I wish the US Federal Govt. would take Michael Jackson as inspiration and

[start] with the man in the mirror
[and ask] him to change his ways
And no message could have been any clearer
If you want to make the world a better place
Take a look at yourself, and then make a change

GregWMay 26, 2015 6:02 AM

For others interested in the intersection of security and psychology (in this case with organizational/societal dynamics involved), you might find the following article interesting: (bold text mine):

http://www.theatlantic.com/magazine/archive/2015/06/why-it-pays-to-be-a-jerk/392066/

... Dutch researchers staged and filmed each scene as part of a 2011 study designed to examine “norm violations.” Research stretching back to at least 1972 had shown that power corrupts, or at least disinhibits. High-powered people are more likely to take an extra cookie from a common plate, chew with their mouths open, spread crumbs, stereotype, patronize, interrupt, ignore the feelings of others, invade their personal space, and claim credit for their contributions. “But we also thought it could be the other way around,” Gerben van Kleef, the study’s lead author, told me. He wanted to know whether breaking rules could help people ascend to power in the first place.
Yes, he found. The norm-violating version of the man in the video was, in the eyes of viewers, more likely to wield power than his politer self. And in a series of follow-up studies involving different pairs of videos, participants, responding to prompts, made statements such as “I would like this person as my boss” and “I would give this person a promotion.” The conditions had to be right (more on this later), but when they were, rule breakers were more likely to be put in charge. ...
...At first blush, the [second, different] study seems simple. Two people are told a cover story about a task they’re going to perform. One of them—a male confederate used in each pair throughout the study—steals coffee from a pot on a researcher’s desk. What effect does his stealing have on the other person’s willingness to put him in charge?
The answer: It depends. If he simply steals one cup of coffee for himself, his power affordance shrinks slightly. If, on the other hand, he steals the pot and pours cups for himself and the other person, his power affordance spikes sharply. People want this man as their leader.
I related this to Adam Grant. “What about the person who gets resources for the group without stealing coffee?” he asked. “That’s a comparison I would like to see.”
It was a comparison, actually, that van Kleef had run. When the man did just that—poured coffee for the other person without stealing it—his ratings collapsed. Massively. He became less suited for leadership, in the eyes of others, than any other version of himself. ...
[The article draws to a conclusion, qualifying that the above jerkiness doesn't pay when repeated exposure to the jerk is involved...]
... Which is to say: being a jerk will fail most people most of the time.
Yet in at least three situations, a touch of jerkiness can be helpful. The first is if your job, or some element of it, involves a series of onetime encounters in which reputational blowback has minimal effect. The second is in that evanescent moment after a group has formed but its hierarchy has not. (Think the first day of summer camp.) The third—not fully explored here, but worth mentioning—is when the group’s survival is in question, speed is essential, and a paralyzing existential doubt is in the air.


One does wonder whether psych effects such as this influenced 9/11-era leadership choices which in turn led to norm violations like torture or unconstitutional bulk interception or torture.

Shades of why Keith B. Alexander was picked (and why he didn't work out)?

How would we fix this? Repeated exposure to leadership candidates I suppose?

I'm not sure if our response that third scenario is/should be "fixed"- society probably should do a breadth-first search of leadership/norms when facing existential crises... but perhaps the problem is that we too easily believe we have such a crisis. Which is another whole subject entirely.

GregWMay 26, 2015 6:05 AM

For others interested in the intersection of security and psychology (in this case with organizational/societal dynamics involved), you might find the following article interesting: (bold text mine):

http://www.theatlantic.com/magazine/archive/2015/06/why-it-pays-to-be-a-jerk/392066/

... Dutch researchers staged and filmed each scene as part of a 2011 study designed to examine “norm violations.” Research stretching back to at least 1972 had shown that power corrupts, or at least disinhibits. High-powered people are more likely to take an extra cookie from a common plate, chew with their mouths open, spread crumbs, stereotype, patronize, interrupt, ignore the feelings of others, invade their personal space, and claim credit for their contributions. “But we also thought it could be the other way around,” Gerben van Kleef, the study’s lead author, told me. He wanted to know whether breaking rules could help people ascend to power in the first place.
Yes, he found. The norm-violating version of the man in the video was, in the eyes of viewers, more likely to wield power than his politer self. And in a series of follow-up studies involving different pairs of videos, participants, responding to prompts, made statements such as “I would like this person as my boss” and “I would give this person a promotion.” The conditions had to be right (more on this later), but when they were, rule breakers were more likely to be put in charge. ...
...At first blush, the [second, different] study seems simple. Two people are told a cover story about a task they’re going to perform. One of them—a male confederate used in each pair throughout the study—steals coffee from a pot on a researcher’s desk. What effect does his stealing have on the other person’s willingness to put him in charge?
The answer: It depends. If he simply steals one cup of coffee for himself, his power affordance shrinks slightly. If, on the other hand, he steals the pot and pours cups for himself and the other person, his power affordance spikes sharply. People want this man as their leader.
I related this to Adam Grant. “What about the person who gets resources for the group without stealing coffee?” he asked. “That’s a comparison I would like to see.”
It was a comparison, actually, that van Kleef had run. When the man did just that—poured coffee for the other person without stealing it—his ratings collapsed. Massively. He became less suited for leadership, in the eyes of others, than any other version of himself. ...
[The article draws to a conclusion, qualifying that the above jerkiness doesn't pay when repeated exposure to the jerk is involved...]
... Which is to say: being a jerk will fail most people most of the time.
Yet in at least three situations, a touch of jerkiness can be helpful. The first is if your job, or some element of it, involves a series of onetime encounters in which reputational blowback has minimal effect. The second is in that evanescent moment after a group has formed but its hierarchy has not. (Think the first day of summer camp.) The third—not fully explored here, but worth mentioning—is when the group’s survival is in question, speed is essential, and a paralyzing existential doubt is in the air.


One does wonder whether psych effects such as this influenced 9/11-era leadership choices which in turn led to norm violations like torture or unconstitutional bulk interception or torture.

Shades of why Keith B. Alexander was picked (and why he didn't work out)?

How would we fix this systematically? Repeated exposure to leadership candidates I suppose?

I'm not sure if our response that third scenario is/should be "fixed"- society probably should do a breadth-first search of leadership/norms when facing existential crises... but perhaps the problem is that we too easily believe we have such a crisis? Which is another whole subject entirely.

ZenzeroMay 26, 2015 9:31 AM

Philip Zimmermann (pgp fame) is to move himself and Silent Circle from the US to Switzerland due to fears about government policies.

http://www.theguardian.com/technology/2015/may/25/philip-zimmermann-king-encryption-reveals-fears-privacy

“Every dystopian society has excessive surveillance, but now we see even western democracies like the US and England moving that way,” he warns. “We have to roll this back. People who are not suspected of committing crimes should not have information collected and stored in a database. We don’t want to become like North Korea.”

I wonder how many more companies will leave the US and England due to the governments constant and pervasive attacks against privacy.

SCORRRRRRRRE!May 26, 2015 12:02 PM

Ha, knew that would drive Skeptical up the wall. Nothing drives Skeptical up the wall like documented fact.

Look at all that frickin Blahblahblah! Kept him busy for like 8 hours, Yay Me! Poor fucker nearly stroked out: extra points for Me!!! for Skeptical's hilarious neurotic projection: "spit at your screen in rage," "spittle from incoherent rage."

Skep's enemy is full of shit. The designated enemy is always full of shit. Inconveniently, this enemy has submitted to objective, independent scrutiny in ways that USA! USA! USA! will not. Skeptical's beloved Big Brother evades the binding commitments and international review that Russia accepts. Skeptical's Big Brother hides its derelictions of state duties from UN special procedures and regional oversight by allies. Big Brother explicitly denies its people rights that Russia embeds in its institutions. Point for point, Russia outscores the US government on compliance with human rights and rule of law, and dipshit patriots like Skeptical can't handle it. They hate sucking worse than Russia.

Skeptical's current Big Lie is based on US coercive interference in breach of peremptory norms of international law. The US tries to destabilize Russia, with terror (e.g. Chechnya), civil-society manipulation, or coups (e.g. Ukraine), then vilifies Russia for any response that can be construed as repression. Nary a fact, nary a link, needless to say. Wall-to-wall slogans, like he was taught.

Skeptical tries to pull rank with his purported world travels, inside his safe statis bubble, cowering behind metal detectors, scared of his shadow, peeking out to find more and more scary threats. Like all statists, you're a pussy. Your interaction with the world is pathetically stilted. That's why you go from fuckup to fuckup and get your ass kicked by skinny brown people with no underpants, and you cannot figure out why.

Best of all: "I SAY AGAIN." What a dick.

Dreamer of NonfictionMay 26, 2015 2:28 PM

@GregW

One does wonder whether psych effects such as this influenced 9/11-era leadership choices which in turn led to norm violations like torture or unconstitutional bulk interception or torture.
How would we fix this systematically? Repeated exposure to leadership candidates I suppose?
I'm not sure if our response that third scenario is/should be "fixed"- society probably should do a breadth-first search of leadership/norms when facing existential crises... but perhaps the problem is that we too easily believe we have such a crisis? Which is another whole subject entirely.

I was amused to finish writing stating that people really are not in control, as we think we are, and that there is little use to attempting to forcefully "fix" everything... only to see Skeptical finished about the same time a blurb about how everything is fixable, and there is a lot to do.

Of course, it is, to some degree, this way on any forum where politics, justice, and the like is discussed. Sometimes it is the liberal or left wing solution, sometimes it is the conservative or libertarian solution. And so many plans and possibilities in-between, and maybe not even thought of.

Of course, by what I was saying, however, even that is a part of "how things must be", and while I think there is a delusion of power. there is activity, and from activity produces... well. Something.

What I do believe matters most of all is motivation, intention to change. But, it can be difficult to get that picture correct. So often, it turns out, the real motivation has nothing to do with righteous dreams of a loving heart, but with hidden, personal, selfish motives. Even if it might be spurned by terrible conditions irritating to everyone suffering under it.

More to the point: is it possible for human beings to consciously and truly architect the future? Considering how difficult it is for people to architect their own personal "now" much less personal "future", and considering how... possibly, they may think of how earth will be after they are gone is far less caring and concerned terms then they may want to themselves believe, much less tell anyone else... I have doubts.

But even there one is still going to lack possibilities that anyone really wants, and more importantly, the power and resources to do anything about it.

For instance, the nations have enormous expenditures and capacities to do war, but beyond that not so much else. No massive desalination systems in the Middle East with irrigation plumbing running straight across the vast scope of the desert. No endless supply of food to make everyone well fed across the globe. Heck, even with their combined military might, they simply watch genocides go on, and are either powerless to stop them or simply do not have the will to do so.

People have been able to increase their lives a bit longer, but mostly just for the rich, and that in only the "first world" countries.

Ironic how Nash died this weekend, in a sense. To a certain degree, I believe that "first worlders" do not believe it is possible for the vast masses of the "other worlds" to have a healthy, strong economy. That, in their mind, there must be a very small minority of those in wealth and material power, and the rest in ignorance, starvation, disease, and the other pains of mass poverty.

That surely is not anyone's primary interest, anyway. Nobody spent billions on food aid programs, or much less trying to fix any problems domestically. From potholes to police corruption, to grave problems with the economy. Unemployment is relatively down in America, but wages are not so high, and what one can buy is not so much. Much of the population does live in poverty. For instance, in Baltimore it is something like 30%.

Maybe even worse, the "first worlders" see the other worlders as despicable Others, who are intent on destruction. They pay no mind to their own histories of starting wars that did not need to be begun in the first place.

And somehow, wash their hands clean of all such activity, forgetting it is even possible for their entire political, military, and intelligence systems to be so wrong. Whether it was right or wrong.

Kidnapping, torture, destruction of civilized societies, mass murder, the height of technology designed for murder... mass domestic surveillance... incredibly global cyber spying, including an enormous amount against friendly nations...

Nobody will be prosecuted nor go to jail for any of that. Not anyone actually behind it all.

The very same sort of thing happened post-Watergate, Church/Pike, FBI breakin... only people that ended up even remotely prosecuted or going to jail were fall guys. A very small nominal others, and not a few of those went on to trade their capital to become popular political pundits.

Of course, as you can see above, there is a much larger forgetting. People forget it was "interventions" to begin with that really was at the start of all these problems all across these nations. It goes by many names over the millenia, but these days is well remembered with the relatively newish name of just the past five hundred some odd years of "colonialism".

But there is much to mine in behavioral psychology which could really scare the hell out of people in terms of our own incapabilities. Yes, of course, for one, they often have a very poor taste in leadership. Often this is because the leadership engages so often individuals that have some manner of lust for power often based on some fundamental self-esteem problem.

Even beyond basic cognitive inabilities. We complete the picture, we have a tremendous difficulty in staying unbiased. There is expansive "change blindness", which can be explained as a sort of elaboration of the "completing the picture" problem. As noted above, we really do not even know much at all about how we tick.

For instance, the unconscious (as some term the "subconscious") is actually in the strongest control of our actual thinking. By default our conscious mind is a sort of role or dressed up "being" that is in no small part fitted with uniforms of bias so we can socially communicate in very dynamic ways.

People do not ask, "Where do my thoughts come from, from where does this current line of internal thinking I am running across my mental heart eyes come from, and where does it go". Surely, a lot is necessary consumption fed from their unconscious' greater observations, and then, after being made conscious is archived in a memory accessible position - accessible for the conscious, that is. It was always accessible by the unconscious.

Contrast that to computers capable of running many operations in parallel. But I point that out not to say computers are superior to human beings in analysis, of course, they are not. Rather, to simply point out we are, consciously, anyway, single threaded machines.

Online democracy is one proposed future solution. I would agree that in many ways the freedom of the internet has started to enforce a more rigorous group thinking process, a consensus opinion more open to debate from more quarters, where at the very least, at least that which is universally condemned might be agreed upon. Less burning of witches, more education the global cloud of online users?

Take it to the cloud! Where "the cloud" is the global online population. Don't have the facts right? To the cloud. Bias is weeded out by the sheer numbers. Information is distilled by the strong demand for "at a glance but hyper accurate summaries".

"Rapture of the Nerds" solves the Gigantic King Kong of a the remaining problem with that potential solution: the problem of mortality and how that will inevitably and deeply bias people towards "here and now" quick fix solutions. Combine the cloud solution with immortality by the digitization of human beings.

Of course, all of this is silliness because: no one will allow this to happen.

Nevermind that we are probably hundreds if not thousands or tens of thousands or more years away from having the capacity to digitize our "souls" to some ethereal outerspace web.

Trillions and trillions a year on war machinery. What does that direction provide over the whole "peace and love" direction? Of either sharing and helping domestically or internationally? Not enough drama. That is the problem.

Without that unnecessary drama of violence, war, and horrible problems... then there is not as much possibility for leaders to capitalize on the drama and posture themselves as soap opera heroes for the masses.

Ah, the desert of these godforsaken lands. Wandering, wandering, under still living Roman trumpets blaring. We should all work out our minds, bodies, and especially our personal political appearances, and become a superforce. Like comets that burn out quickly, but clean the place up for the long term.

DIY world.


Rosa KlebbMay 26, 2015 3:39 PM

Justin, like Skeptical, will do anything to escape the evidence adverted on this thread. Let's see what new knots they're tying in their cranks!

Skeptical - last seen acting out his Walter Mitty spy fantasies of 'We know who you are,' slips up in his agitation and exposes the fruits of his obsessive sleuthing: his enemies are from... [Gasp!] ...The Commonwealth. Oh dear. That Junior Spy Cadet merit badge is slipping from his grasp. And Justin pretends that the facts he doesn't like must be evil Russian facts, reported by evil Russians under Секретно Kremlin directive XT-93 stroke 2.

This demonstrates the loony self-absorption of US government asskissers like Skeptical and Justin. For Russians, as for 80% of the world's population, the US is a nuisance, irrelevant to the work of grownup countries. Skeptical thinks saying the same pledge of allegiance 100 times makes him a masterdebater. Justin makes shit up without a care in the world. The outside world is not going to waste time trying to convince you brainwashed tools. No one gives a shit what you think. If anyone makes fools of you, it's for sport.

Later, when we're in the mood, we'll do to the USA what we did to the USSR. Knock it over with a feather.

BoppingAroundMay 26, 2015 4:48 PM

Dreamer,
> People do not ask, "Where do my thoughts come from, from where does this current line
> of internal thinking I am running across my mental heart eyes come from, and where
> does it go".

Funny you should mention this. It's been some time for myself asking these questions. The current answer seems to be that 'my' thinking is not really mine most of the times, perhaps totally not mine [A], if there is anything about that can be mine.

Simply put, I seem to be just a husk.

This leaves me at the crossroads, as (a) I am nothing. What may I be if I am but a shell? (b) I can be anything. A shell can contain anything, whatever you decide to put in it. Your conditioning will be in the way though, narrowing the selection of what you may put in it.

---------------------------

[A] I have not back-tracked enough to assert that but I suspect the remainder may reflect, again, not my own thoughts but those conditioned by local culture and environment.

P.S. I would wager that this post is itself completely unoriginal, as is this post-scriptum.

BoppingAroundMay 26, 2015 4:55 PM

Correction:

> [A] I have not back-tracked enough to assert that but I suspect the remainder may reflect,
> again, not my own thoughts but those resulting from conditioning by local culture and
> environment.

JustinMay 26, 2015 5:15 PM

Yet more propaganda, this time in the persona of a silly Russian lady who can't help but knock herself out with the feather in her own hat.

Nick PMay 26, 2015 5:31 PM

@ Skeptical

Extremely well-written opinion piece on the evils of Russia, the evils of China, and the propaganda of the United States. You left off installing dictatorships, imperialistically dominating the smaller countries to get their support (including assassinations), mass murder in larger one's over false pretenses, working with countries known to sponsor terrorism while proclaiming a war on terrorism, aid corrupt financiers who cost us $1+ trillion, prosecuting anyone revealing corruption, using cops/military on protesters rather than the evils they're protesting, and explicitly/implicitly pardoning many of the most corrupt.

Reading your post, though, I'd think there's whole marches from Central America to Europe to Africa where people proclaim the greatness of the U.S. and thank it for all its good deeds. Then, looking back at international media, I see that there's been marches about America for sure. They weren't saying what you thought they were saying, though. Your selective sense of justice despite being educated on the matter is what shows out your intentions here.

America is certainly better to its people than China or Russia in some ways but far behind other democracies in other ways. I mean, many others beat us on every conceivable metric except how much wealth the richest few get for themselves, how many are in prison, number of patents issued to protect monopolies/oligopolies/trolls, and how much shit we can get away with in speech/publishing. That last part is *awesome*. Still, I might sacrifice a little of it to get good education, healthcare, less chance of going to prison due to prosecutor's immunity, no worries of black sites, less risk of kidnapping/death in certain countries due to government's abuses, and so on. Gotta recognize the problems to fix them and intentionally not recognizing them comes off as pro-U.S. manipulation.

@ Zenzero

It's a good move in the sense that it's better than the U.S. As I said before, though, Switzerland does have export controls and intercept rules on online services. They're hesitant to use them. Yet, they're available. Iceland would appear to be a better location given no regulations on crypto. Both are good in terms of crime and connectivity. Both a expensive places to live for an American. And, finally, America regularly pulls strings to disrupt citizens operating abroad in ways they don't like.

All together, it's hard to say what value these moves to Switzerland have if each company is owned and operated by an American citizen. This is doubly true for a company that included in its advertising that many of its key people were former, Navy SEALs. Even if Zimmerman were anti-backdoor, are his ex-Navy buddies going to be the same if SOCOM asks them "to help protect America from X secret threat using encryption?" This has always concerned me. I'd avoid SilentCircle unless alternatives aren't workable and it is. Then, I'd still assume Five Eyes are listening just because they're good at flipping people.

Nick PMay 26, 2015 5:47 PM

@ Zenzero

Just noticed this:

"Unfortunately very true and since Ed's revelations, more people are looking for products to help secure their privacy, which in effect is creating a market for scammers. Bring back the Doghouse posts!"

This is true. Yet, the answer isn't Doghouse posts: it's a list of products for each need along with evaluation of their effectiveness and potential risks. Hacking, leaking, subversion, misconfiguration, risky compatibilities... all of it. Basically, a lightweight version of the Common Criteria's Evaluation Assurance Levels and Protection Profiles. Instead of government, this list is maintained by known INFOSEC experts in a wiki style with a forum-style commenting section for dissenting opinion.

I wrote some recommendations here.

Clive RobinsonMay 26, 2015 5:51 PM

@ BoppingAround,

The current answer seems to be that'my' thinking is not really mine most of the times, perhaps totally not mine [A], if there is anything about that can be mine

Even Newton by his own admission "stood on the shoulders of giants".

Few thoughts are truly original in whole, usually they are a new perspective or addition to others thoughts.

Is this a problem, not realy all solid walls have good foundations and well laid courses of bricks supporting the "cap stones" that also serve to lock the bricks more firmly in place.

I would possit that it is not possible to have a truly original thought without having worked your way through the thoughts of others and testing them for soundness.

Further even though the end product of yoir thinking may be the same conclusion as anothers, you may well have arived at it by a different route, thus further validating the conclusion.

I once had what I thought was an original idea, when chatting on the phone to a friend on the phone about a "death watch beetle" problem they were having in the oak beams of their centuries old cottage. I jokingly suggested "microwaving" the grubs in situ, no sooner than the words had left my mouth when I had a very palpable "gut reaction" as did my friend, he said I should patent it. Well twenty minutes later I was experimenting with pieces of wood and bits of frozen mince/forcemeat, and a couple of hours later had basic drawings and claims drawn up, which I faxed across to him the following morning. He had spent the night doing various online database searches and discovered sadly that someone in the US had been granted a patent less than a year earlier.

Sometimes ideas "just come of age" and several people get that gut feeling around the same time.

As @Wael will confirm, getting your name on a patent is sometimes hard work even you work for an organisation that believes in getting as many patents as possible, and thus have the requisit IP vultures on staff.

It's been said their are two types of patent, those that are new and those that are derived, and new patents never make money for the inventors only some derived patents do.

So you could say that "original thought seldom pays", the sad reality is such thoughts are usually "ahead of their time". But from a personal point I'd rather people used my ideas without having to pay me money (though a bit of recognition and a drink would be nice ;-) I know it sounds "Anti-American" and all that tripe, but I do actually belive in "a rising tide floats all boats", thus a little altruism moves ahead all of society not a self selecting few. Thus hopefully sufficient others will feel likwise and I will benifit from their thoughts on a "goes around, comes around" basis, which the likes of FOSS does do.

ZenzeroMay 26, 2015 7:51 PM

@ Nick P

the fact he's American himself doesn't worry me but I wasn't aware he was using ex Mil as "advertising" that is indeed potentially a cause for concern. I think he wouldn't go that route but employees, well, breads buttered and all that. Depending on risk factors I think your assumption is definitely prudent.

"This is true. Yet, the answer isn't Doghouse posts: it's a list of products for each need along with evaluation of their effectiveness and potential risks."

That would be an excellent resource and maybe something Bruce could look at, it would be a wonderful addition to the blog. I do like the old doghouse posts (maybe nostalgic admittedly), Wolfgang if you remember him was quite hilarious over the years with his claims.

@ Justin

"These people are paid, and they work for the Kremlin. I wonder why they picked this blog."

Are you surprised that an oppressive government uses propaganda? us, uk and others do it to, its SOP for them

ThothMay 26, 2015 7:55 PM

@Nick P
We need higher assurance phones in masses in the market although considering the Warhawks might do all it takes to not allow it to happen. Currently, Samsung with all it's ability to do Fort KNOX is rated at CC EAL 1 (https://www.commoncriteriaportal.org/files/epfiles/st_vid10596-vr.pdf).

A fork off of the CC EAL to truely Community Criteria (Not "Common Amongst Governments" thus the "Common" Criteria) should be established. No single Government should be able to manipulate the criteria list (which the US Warhawks have the ability to control CC for now).

What is needed in an assured smartphone.
- Open chipset architecture and cores.
- Open source and auditable separation security kernels via Type-1 hypervisors as the base kernel running multiple modes.
- Hardware-based trusted paths between peripherals, sensors and display.
- MMUs, multiple self-checking cores, self-encrypting paths and datastores, encrypted calculations on cores, voting ... all the chip-based good stuff.
- FPGA segment for security codes (luxury portion).
- Some sort of ARM TrustZone with security functions onboard chip core (already existing but not at high assurance levels - less than CC EAL 5)
- Physical removal of cameras, sensors, microphones and peripherals (luxury but good).

Those are just a few of the suggested criteria.

Wesley ParishMay 26, 2015 8:03 PM

Mea culpa: My bad.

I humbly apologize to all Latinamericano readers of this blog.

In my last post I neglected to mention the US treatment of Latin America as being equally as bad as Russian treatment of Eastern Europe. Needless to say, one could go on with examples of the systematic abuse of smaller, less powerful countries by bigger, more powerful countries, together with the rider that this tends to occur in neighbourhoods, except when neighbours are nearly equal in power so the bigger can't abuse the smaller: Canada plus the British Empire against US expansionism a la "Manifest Destiny" in comparison to Mexico (alone) against US "Manifest Destiny" during the 1800s. Or Spain and Denmark under the influence of Britain and France during the Napoleonic Wars.

If Americans can't see that, then so much the worse for the reputation of the much-hyped US education sector.

At least we now know that @S[k]eptical isn't employed by the US State Dept.; he?/it? might know more about me if he did. But that rant against random Commonwealth subjects was splendid, if rather off-target and so frankly amusing. What Commonwealth members owe fealty to the Queen of England and are yet so deeply within a primary US Sphere of Influence to the extent that the US Information Agency loaded up their primary schools with US primary school materials during the seventies?

Nick PMay 26, 2015 8:47 PM

@ Thoth

re Samsung

Oh... my... God... I had no idea it was EAL1. There was a conference paper a while back debating whether to euthanize EAL1. Presented in Korea haha. Then, one of my favorite smartphone vendors evaluates their Fort Knox solution at EAL1. Lmao. I bet it's a marketing stunt: EAL1 lets them say "security certified by Common Criteria" with readers just guessing it was a good level. Might also be cost-savings where they need a CC cert to sell it but the EAL wasn't specified.

re CC

"No single Government should be able to manipulate the criteria list (which the US Warhawks have the ability to control CC for now)."

That's a good point. It's why I specified private.

re phones

Decent criteria. Don't get too lost in the specifics of CPU, I/O, and their security. Be flexible as there are many model. See my secure smartphone post here. Wael's assessment above is good too. That you can physically remove the components with ease is a good idea and I'll add it to my future postings on the subject. Projects such as Google Ara might be leveraged for this.

EDIT to ADD: I tried to see if the EAL1 cert was an early cert to be followed by a better one. It's not. Further, it seems the Protection Profile itself decided on an EAL1 target. Samsung just went with it. So, that shows the blame is with the CC on allowing such a low assurance process to protect mobiles. Not Samsung using an EAL1 cert to claim to be certified secure under the... wait, what the hell is this? Samsung... claiming to be... with an EAL1... (sighs)

This industry stays f***ed up...

ThothMay 26, 2015 9:09 PM

@Nick P
I was rather shock to see Samsung + Fort KNOX with only EAL 1 couple days ago when I was considering to compare smartphones and their EAL levels. Very shock and I had to re-check the EAL document a couple of times re-reading it for a day or two. Can't believe it.

The basic criteria to specifically target down on the CPU/core is because most of the computing is going into the core. We can take a look at ARM and it's TrustZone and again ... it's a security technology and I double-check implementations of the ARM TrustZone and it did not survive the EAL 4+ and above for most of the implementations or should I put it in a way that almost none got any EALs. Talk about "TrustZone" :). You need at least EAL 5+ for Enterprise and Government grade applications (smartcards).

Too be honest, we had too much assumptions when someone rolls in a security product and simply trust it. After the Samsung Fort KNOX, I dare not put too much hope until I see multiple references and CC EAL results and even EAL results can be very vague.

This industry is crapped if you realize and I believe @Clive Robinson and @Wael have seen more than our shares and witnessed their downfalls.

Regarding the creation of security-centric smartphones, the first step is to choose a phone manufacturer and Geeksphone would be a good thing to look at for now. They are open and seemingly flexible.

Next step is port seL4 onto mobile ARM and mobile Intel cores fully. More resources needed in that direction.

SkepticalMay 26, 2015 9:22 PM


@Nick P: Reading your post, though, I'd think there's whole marches from Central America to Europe to Africa where people proclaim the greatness of the U.S. and thank it for all its good deeds. Then, looking back at international media, I see that there's been marches about America for sure. They weren't saying what you thought they were saying, though. Your selective sense of justice despite being educated on the matter is what shows out your intentions here.

Then you didn't read the post very carefully. The US has throughout its history failed by the very principles that rest at its heart. This was a tiny nation of 13 colonies, that proclaimed to the world to the equality of men and challenged the better trained, better equipped, better numbered, British military to make good on that proclamation - all the while struggling with the evil slavery in its very midst. And it ultimately required the deaths of 500,000 Americans to settle the matter - and generations of work to begin to put that legacy to rest.

This was a nation that, in the years leading to WW2, worked hard to repair relations with its southern neighbors which had been ravaged by ill-thought policies and military actions; a nation which dreamed of a world, after WW2, in which the vestiges of European colonialism would fall away, allowing each people to rule themselves, to determine their own destinies - a narrative that, for obvious reasons, resonates deeply with Americans.

And instead, we faced the Cold War - a long, drawn-out struggle in twilight and shadows, with inescapable nuclear peril at every turn. It was a geopolitical challenge greater than any other nation had faced, and one with which the US had little experience. Deals with devils were made, when it thought necessary to prevent a greater evil. In fighting to preserve a sphere of freedom and security, the US sometimes fell short of its own principles - as all nations, in the conduct of a war they believe desperate, do.

But that is only a part of the story, Nick, and moreover it is a chapter that is past. The citizens of Latvia, of Lithuania, of Estonia, of Poland, and of many others, do not see oppression in the presence of US forces - they see security against those who would rob them of it. The Kurds do not wince at the sight of US warplanes - they cheer, as they have for decades. The Bosnians do not shudder at the sight of an American platoon appearing over a ridge. The Yazidis know well what an American flag over a camp means. And the hunted - the Lord's Resistance Army in the Congo, al-Shabaab in Somalia, al Qaeda in Yemen, ISIS in Iraq and Syria, and others - may not comprehend the meaning of that flag, but they know too well the power that stands behind it. And in East Asia, the Philippines draws closer to the nation with which it once was at war; as do the Japanese, who themselves were guilty of horrific atrocities against Americans, yet who now visit, peacefully, respectfully, along with American tourists, at Pearl Harbor, and whose military grows in strength, and in integration with US forces, by the year. South Korea, Singapore, and others - they draw closer, as they know which nation can be trusted, which nation has no desire to oppress them or rule them. They know, unlike you and others, that this is not the 19th century nor the early 20th century.

In other words Nick, the US has improved. It has maintained the upward trajectory that was the promise of its very establishment. It has enlarged the rights of its citizens, and it has expanded the sphere of democracy and freedom in the world. As in all human endeavors, the march forward was unsteady, riven with setbacks, and ultimately a collective, not an individual, undertaking; but a collective undertaking born from a shared belief in the right of self-determination, of the rights of individuals, of the obligation we all hold towards those who went before us, and those who will come after.

But you of course believe that the US perpetrated 9/11, don't you? And our bizarre friend - who for various reasons I suspect to be writing from a former British colony (a tenuous hypothesis in which I place very little confidence) - seems quite taken with the proud respect for human rights and law shown by Russia, which marks him as either mentally ill or a paid shill.

So I don't expect either of you to understand the greater context in which the crimes and failings of the US exist, nor to grasp that a powerful nation may both be guilty of failure and worse, while still being ultimately meritorious in its values and goals.

Those who are more reasonable; those who see clearly; those to whom the future belongs; they understand these complicated truths. And that, ultimately, is all that matters.

And the people who can grasp such complex truths, who are unimpressed by the conventional bashing of the US one reads so often in these forums? Yes, they are the "hacker creative types."

Someone asked why I have the name Skeptical, when clearly I have views more in keeping with the mainstream. The answer is twofold: first, my views in THIS community are unconventional. Those who so easily buy into the worst theories about the US and the NSA - these are the conventional thinkers, the conformists, those who find the like-minded and insulate themselves from critical thought. And second, my views in many ways are not mainstream, or at least not what many here seem to believe is mainstream.

Dreamer of StuffMay 26, 2015 9:29 PM

@BoppingAround

I think Clive pretty well beat me to that punch, and he even has the same format I like to use of mixing sound, straight observations with real life metaphor. (And no irony there for the subject matter, much less, this thread.)

But, in a wild artist, mad scientist mood today...

In extrapolation from my posts, I would argue that the "conscious mind" is very much a creature of socialization. It is exceedingly complex in that way. Which is probably why artists, inventors, and the like who are so much further ahead in their time... very often have had strong socialization problems.

With art, or ideas, as opposed to with inventions, tangibles, it might be a bit different. If you express theoretical ideas which are a hundred years ahead of its' time, who could understand it, even if it is true? But, hey, you have a teleportation machine and a mind reading ray gun. Not like you really need to solicit or rely on anyone else's opinions.

:-)

Theoretical ideas, I think, are best for practice. Can you put them somehow into practice and so prove your theoretical ideas. You can tell people your ideas, but your ideas would be so far ahead of where anyone else is at: they could not make head nor tails of it.

Because the "socialization" is lost, the many aspects of language that go so much further then just words and grammar. Into biases, cultural mores, cultural perspectives... shared perspectives of the times, the nation, the politics, the belief systems... belief systems, not in terms of "I believe in this", but in terms of beliefs which are shared by **expectations** and **doubts**.

A person can not possibly do this! A person is entirely incapable of doing that!

You have to drink this, drink that, eat this way, dress that way... people are constantly affirming and grooming and banishing beliefs based on expectations of what people can and can not do. Not in terms of morality is what I am thinking, but in terms of human capacity.

An olympic athelete can only actually run so many miles per hour faster then you. Or KMH. Or whatever. Or maybe they can lift only so much more weight then you can. A giant will probably only be, oh, six five inches, maybe seven foot. A prolific writer can only be so much more prolific then an ordinary writer, and how will their quality of writing start to suffer? Age... average age... a person can only live so much longer then you on average. And you can go on and on and on this way.

Rebels, innovators, geniuses, whatever their names... only go just so much further then what anyone else does. Not all that much, really. Especially nothing like what we see in today's cinema, where people have a special fascination with the entirely impossible.

One young child might start to approach books, "I must read ever word and every sentence, as I am taught". Another might not have received that message. :-) They might just go ahead and start reading as fast as they can see the page and remember all of it!

For the rest of their lives people will be telling them just how unusual, remarkable that is. But they won't lose the ability nor doubt it. They have already done it, so how can they go back?

Now, exactly true or not, that is not the point, as this is most definitely a way we operate -- if it is at the least true that what we believe we can do is very much related to what we see others can do. And what they tell us. Directly and indirectly. Indirectly and directly, because they themselves believe it.

And all of this quickly gets into la-la land. Because we do not believe. We know. Never mind that psychologically, there is no real difference. Feelings of confidence, logic with no holes in it. It goes beyond "just" socialization eventually at some layer, it gets into something else.

We do not just stand on the shoulders of others in terms of what we learn from them, as for expectations, doubts, beliefs, knowledge...that is, not just on their individual and shared perceptions of reality... but on our own perceptions of reality which seem to confirm theirs. And for all we know, reality is as congruent in its' messages of what we can and can not do - of who and what we can and can not be - as those messages from society.

A stone, in front of you is not going to just disappear if you try and will it to. If you prick your skin, you will bleed. That is not me telling you my beliefs. That is me telling you what I know. And that later bit is just rhetoric. Belief, knowledge. Same thing. Many sources, one source. External sources we observe with our own eyes and ears, which we can feel and touch. The longer I sit in my chair, the more deeply I consider how real it is.

But... all of this is implying... doing that which is impossible is, its' self, true innovation. Where "impossible" is defined by "what everyone says is possible" and "what 'reality' its' self says is possible". Not so much by what anyone or anything "says" is impossible... because impossible its' self is just far too open ended.

This is all also saying doing true innovation is true individuality.

Back to another aspect of this: is it really true that geniuses far ahead of their time often end up breaking down their "conscious mind" to go beyond what others have been able to do, if only by three feet. And not by miles. Because no one can ever go ahead of anyone else in anything by **too** far.

I think this is well known. We could start with Nash? He went crazy. Philip K Dick. Van Gogh. Einstein was actually pretty bonkers on a number of levels, though did remain largely coherent. Clive mentioned Isaac Newton. That poor guy went really nutso. Heck, "A Beautiful Mind" with his room full of papers on his obscure and obsessive search for hidden bible codes.

I suppose Da Vinci did not, I can not recall that he did. But he was not so many leagues, actually, ahead of his time in many things. He had a number of very brilliant contemporaries in the same area of artistic work, anyway.

But, does true individuality really mean true innovation? You have an unique face. Cut off the head, to be brutal, people could not tell your body from many others, nor much about you. DNA, fingerprints, denistry records, sure. But it is your face that humanizes you. Though, it is true, so many dopplegangers out there for some sorts of faces.

So, what, your background? Your socialization? There you have commonalities which enable you to communicate with others. But only you had all of your individual life events, and people. Only you stand where you stand right now, and if you eat a piece of bread, no one else is also eating that piece of bread, and no one else is going to break it down into energy into the same way you do.

That sounds kind of cheesy, cause it is. It is full of it. But, what is not, is we take in all the information we do take in... we search for it... and while we may not be *too distant* in our paths of searching out and taking in information: altogether all of these *not so distantly shared commonalities* actually start to become our own unique code.

Same alphabet, same words, if you will... but our sequencing of it internally will invariably be DNA like specific and individual. (Though yes, of course, not so diverse as to be unable to "mate" your specific outgoing information with others, and so be incapable of producing even more unique like information.)

"Shoulders of giants", 'shoulders of each other', we build upwardly and outwardly, one brick on another. How can anyone invent a device - literally create one - a thousand year ahead of its' time, without the minute technology, the dna of the full system, also required to construct it? Towers to the sky do not have gaps in them. Buildings can not miss lower floors. Fiction and theory can jump far ahead, but too far, well, one still has to keep it in a readable language. And it, unfortunately, might not be so popular.

If someone from vastly far away and vastly long ago and vastly far in the future were to communicate with us, they would have to shrink way, way, way down into our intricately faceted forms even just to have conversation. They would have to have form, to speak our language, and to say anything beyond just "Hi", they would have to include in that form a similar background -- if only for engaged conversational purposes.

Would they fail to perceive our individuality, being so innovatively far ahead? And is so true individuality locked into our capacity for innovation? It is a bit hard to tell one type of dog apart from another dog of the same type, and very hard to see an ant or cockroach as being individuals. One mountain we can discern from another, perhaps, but not hardly between grains of sand. And while every snowflake may be different, in any meaningful terms, I do not think that really matters.

And, laboriously lastly, I am not saying that if we can merely screw up our conscious mind, like breaking a dam, break on into some great form of consciousness where anything would be possible for us, ala Dark City style. The whole "be still in your mind and find union with the universe line". Or, the Brujo, "magic happens by stilling the inner voice". Because we know so extremely little about what "the unconscious mind" is. All "unconscious" means, basically, is "unknown", after all. It could be the quite conscious mind of the universe. It could just be an illusionary construct that is created by ourselves in order to achieve objectives otherwise impossible, but well within the bounds of known capacities.

What can be observed, however, beyond the ideas of flatlining our conscious understandings, is that the more we are in a state of "not knowing", the more capable we are of perceiving new information. When we know something, we can absolutely not hear anything contradictory to that which we already know. So, no wonder, so many cultures across the world see that as the true objective for human progression... and have had beliefs that is the way, whatever way that is, towards leaping ahead much further then what anyone or anything around says is possible.

So, no, while we might feel like mere shells, we are individual, but in a crowd, we feel very different then we do when we are alone in a room. Even if no one else could see our individuality, it is you yourself which *is* your individuality realizing these very things... maybe it can make one feel "not so individual" knowing anything you are likely to be realizing at any possible moment *probably* is being realized by **at the very least** one other of the many myriad people out there, albeit if unique enough of a realization... probably in another, but entirely compatible form.

And what, from you, is not truly innovative? It does not lose its' innovation just because someone else can and has done it. Burp. Yell. Say something. Take a piss, go to sleep. That is innovative you doing unique you thing at your unique time and place.

It came out of nothing. Even if it is not unique.

If two say the word "cow" at the very same time, they both, effectively, said it out of nothing.

I do think, however, it is a correct impulse, most assuredly, to strive for greater innovation, even if the least of our actions such as our beating hearts should not be.

And that is entirely impossible without realizing just how same we can be.

If you existed in a vacuum, you would not at all be aware of your lack of uniqueness. Everything you say and do would be seen to you as entirely innovative and distinctly "you". Without any challenge from the knowledge you have from your knowledge of the mirror of others. Devil's advocate: maybe that is all people really look for to zero out the conscious mind and see everything fresh. To forget the horror that we are not the first, the horror that we are not alone. The horror, that, indeed, we are not truly individual *but* in our corporate self. But a small piece of a gigantic being, and that being is us (even if we have little cognizance of what or who that rest of us really is at all).

name.withheld.for.obvious.reasonsMay 26, 2015 10:08 PM

@ Skeptical...

I have to give you credit for the most coherent diatribe to date, it is impressive but flawed. Your inability to the see the "Good, Bad, and the Ugly" (que Clint Eastwood) is in parallel with your off-hand observation of Nick P's critiques.

There is little in the form rigorous analysis offered here--a blog entry is not a "White Paper". At best, the suppositions, hypothesis, and sometime theories expressed here are ad-hoc. May I add that your "bias" is showing through and belies the assertion you make claiming your objective participation. WE are all susceptible, capable, and guilty of predisposing and attenuating specific elements of the topics discussed.

My issue with you--you're inability to maintain an oxford stylized debate. An exercise that you have dismissed when confronted by many on this blog--including Clive and Nick--consists of "taste like troll" banter.

Laughingstock PlenipotentiaryMay 26, 2015 10:48 PM

It's that time again: Skeptical trundles home from his fatass chickenshit desk job, gets a snootfull, and dreams he's Honest Abe from olden days. The prose gets purple as the fog rolls in (they bear also! Backward ran sentences until reeled the mind!) Forsooth! Zounds! He gets telepathic waves of love from all the grateful little native children of the world until he flops into bed with alcoholic sleep apnea whappin his uvula like a punching bag. And he doesn't ever have to face a fact.

WaelMay 26, 2015 11:09 PM

@Clive Robinson, @BoppingAround,

Sometimes ideas "just come of age" and several people get that gut feeling around the same time.

Elementary, my dear Watson! Two main reasons: [1]

  1. Necessitas artis magistra
  2. Mater artium necessitas

He had spent the night doing various online database searches and discovered sadly that someone in the US had been granted a patent less than a year earlier.

Well, he shouldn't have done that! Leave the search for the patent attorneys...

getting your name on a patent is sometimes hard work even you work for an organisation that believes in getting as many patents as possible, and thus have the requisit IP vultures on staff.

Yes. But the difficulty isn't the technical part! It's the "political" one. I have a lot to say about that, but I'd rather not -- it's a CLM (Career Limiting Move) at best.

[1] I looked these up. I don't have them comitted to memory...

Slime Mold with Mustard May 26, 2015 11:11 PM

@to the Better Angels of the Unconscious

errr.. What did I do? Really, I comment here about once a week. Pretty lethargic for a troll.


"'Slime Mold's' argumentation is much closer to his real beliefs then..."
Damn, I thought they were my real beliefs. (Incidentally, I'm married to a shrink, and I feel obliged to inform you that the whole Freudian construct is pretty much dead. Both the American Psychiatric Association and the American Psychological Association retain Psychoanalytic Divisions "in recognition of its historic importance", but less than 1% of practitioners use psychoanalysis.)

I am thinking of changing my screen name: How does -

SAVE CATS on video grab you?

to the Better Angels of the UnconsciousMay 26, 2015 11:17 PM

@Slime Mold with Mustard

I was not saying you were a troll.

Damn, I thought they were my real beliefs.

I was actually intending to point to the poster that often responds to Skeptical. Apologies, I think I got the name confused.

Not entirely sure I agree with you that everyone also speaks exactly their truest belief at all times, however. I mean, consider that we speak to be heard, and typically with at least some level of social reference or social relativity is applied.

I definitely did not say anything bad of you, I pointed out that only someone good would take the extraordinary effort to come up with a name like that. Obviously, not a truism, but a general observation which is reliably true compared against your normally good posts.

But, my intention was not, in context, nor at heart, to argue you are disingenuous, but merely that people might be more complex and at times even seemingly contradictory then how they may appear to be.

WaelMay 26, 2015 11:28 PM

@Thoth,

This industry is crapped if you realize and I believe @Clive Robinson and @Wael have seen more than our shares and witnessed their downfalls.

Umm, did you think I was kidding? Here is an updated specifications list of a typical EAL-3 smart phone :)

2.4GHz Quad Core ARM Application CPU (ACPU)
Latest Version of OS (so I don't pick on a specific OS)
1000 Zero day exploit vulnerabilities
5000 Backdoors
1300 Front doors
5 persistent location snitches that cannot be silenced
13 Compromised keys
200 rogue root certificates
100+ probes to exfiltrate private information (surroundings, Hotpot SSID and passwords, Bluetooth MAC addresses, contact lists, emails, SMS, directory structures, photos, voice mails,...)
Preferred lists http://en.m.wikipedia.org/wiki/Preferred_Roaming_List (IMSI catcher camping preference)
5-sensor side channel leak facilities
300 identifiable (small footprint :)) fingerprints for tracking purposes
Remote control services for Microphone and camera
Environment awareness and reporting system (who you are you meeting with, how far your friends are, which hotspots you are close to, how fast you are driving, which is your preferred route,...)
Multimedia tracking services (what books you purchased, how many pages you (claim) you read...
Bazillion software bugs with an unknown number of security holes
7 Un-patched known weak protocols
17 highly predictable and deterministic TRNG used for "secure" operations

FigureitoutMay 26, 2015 11:35 PM

Thoth
That is the reason a high assurance kernel using Type-1 hypervisor is used
--Yeah but the implementation is rarely publicized, which probably means some risky hacks were required in "tricky spots" b/c the theoretical "should-be's" break down b/w toolchain failures and physical defects. They're mostly all ugly w/ "goatse" security holes if they're useful; can't engineer perfection.

On ARM boards, even just putting FreeRTOS (which has a lot of support now) on a board required some very nasty hacks (granted it was interacting w/ a keyboard thru Windows, so...); something goes wrong and you better eat your wheaties and keep a punching bag nearby...I get these eval. boards that serve a tiny purpose of testing companies claims then they're just everywhere; well now we have "huge" SoC's on them w/ pinout and even USB chips...figured use them for something...

That's where you do datapath encryption
--Yeah, was wondering what's the point of encrypting, say pixels if they just get displayed in cleartext eventually. Suppose it's just more noise.

going to cost so much more
--Yep, it's what it comes down to, again money. Also my construction skills; putting out quality takes money and time pure and simple.

Thoth // Nick P RE: fort know eal 1 evaluation
--They say "no evidence of developer testing required in assurance activities for this product" as well as the "Detailed Test Report"--which is what any self-respecting investigator or security researcher will want to see-- is proprietary. That's some bullsh*t eh? Release the damn reports to see just how "rigorous" the testing is...

Regardless, I thought we've pretty much thrown out regarding a smartphone as anything but secure; I like using it for quick notes instead of millions of slips of paper like I usually do. Mine was having battery issues, light sensor issues (kept going back and forth) and time issues (clock kept going way out of sync) right away until I turned off all those; just encrypted and said "screw it". But we rely on it for 911 for "safety" on such an insecure device pre-loaded w/ such criminally useless bloatware and pre-set settings malicious to security and privacy. Only hope is wiping firmware and using it for non-critical activities and non-critical backups; physically disabling components gets risky you'll break something else, like trying to remove wifi radios embedded in CPU chips...

WaelMay 27, 2015 12:34 AM

@Nick P,

Wael's assessment above is good too.

It took an hour to format. It's gotta be better than good?

ThothMay 27, 2015 12:54 AM

@Wael, Nick P, Figureitout, Secure Phone et. al.
Good to know the failure of CC EAL yet again or maybe the EAL was only level 3 which is why the resulting phone that Wael mentions is simply ... full of holes beyond rescue.

Of course the EAL results are only good for referencing of purchase choices but should include technical reports that are openly publicized.

Again, anything lower than EAL 4+ is purely unacceptable for security because if a Windows OS or Linux can be evaluated to EAL 4+ and a "Secure Phone" is lower, that sounds very wrong.

Any devices being used for security needs to be fully open and honest for review. Blackphone (not sure how open are they), Blackberry, Samsung (with/out KNOX) ... if they want to be proven secure, they need to be open.

Regarding ruling out phones being secure, the reason it can't be fully secured is due to the industry itself. There are very little desire to keep phones secure except for the elite few using highly modified Type 1 crypto-phones by high levels. Also, the current political scene is trying to discourage and interfere with secure development and sales (especially the UKUSA Warhawks). There needs to be a lot of work to be done to strip any electronic device down to it's building blocks and start working security into it but the current lack of appetite for high assurance security and the highly charged political situations are preventing much progress in the security field.

A sweeping statement by itself is understandable but inaccurate. More precisely, why a smartphone or any device cannot be secure is as above I have mentioned (lack of appetite and politics).

Using the seL4's or some other high assurance provable kernel in high level modelling languages would be a good start to model how the environment should work. Next step is to move on to the lower devices to map it against the modeled environment.

It will definitely cost a good deal of resources and not everyone can fund such a project and to add onto the pain of fundings and resources, agreements stipulating the contract might prevent full or partial disclosures and not allow it to be open source as intended due to supposed National Security issues.

The reason I deliberately pointed to Geeksphone is because it is a small enterprise and by it's nature, it would be rather mobile and open (hopefully) to a good extend. Blackphone uses the Geeksphone to produce their mobile devices and it should be of some assurance of trust at least but it's hard to quantify.

The secured datapath on the phone is to prevent unauthorized components from messing with it. Read up on the concept of ARM Trusted Path (http://www.liwenhaosuper.com/blog/wp-content/uploads/2014/06/trust-ui.pdf) concept (just the concept and ideas).

Any device can be turn into a secure device but the cost will be high.

@Figureitout, your previous issue requiring Ethernet access for differing classifications can be technically done and made close to CC EAL 7 IF AND ONLY IF you use lots of money and resource but my SCS idea attempts to put it close to CC EAL 5 or a little more with easy to access stuff like additional kits to mount onto the GPIO of a RPi with serial cables and additional Ethernet. The same argument can be made for phones or secure servers and computers but how much resource are you willing to dump at it ?

Clive RobinsonMay 27, 2015 5:21 AM

@ Gerard van Vooren,

Like you I think that there are to many people that are trying to make the blog unusable in one way or another to drive others away.

Whilst it has happened occasionaly in the past, currently the number and style suggests it's not just random happenstance.

What I don't know is if it's a case of less blogs overall for such people to practice their mindlessness causing them to be more concentrated on the few remaining open blogs, or if the attacks have a concerted "directing mind" behind them and are running some policy.

Whilst the former may be likely, we know that atleast one of the UN Security Council Permanent members has activly used cyber-vanadalism against it's immediate neighbors and another has used disinformation and similar tactics against religions and other organisations it sees as a threat.

We also know from recent leaks that other permenent members have SigInt tools designed specifically to attack online polls etc for "security reasons" that actually boil down to "political interferance" by propergander.

It is interesting to note that "irregular warfare" and "PsyOps" first went into major use at the time of WWII --as radio underpined-- and it was designed primarily to "attack civilians 'hearts and minds'" not those of armed forces.

Since then we have seen the irregular "SOE" tactics be taken to heart by those who now get overly classiffed as "terrorists", but less obviously the increase in PsyOps, especially within nations.

Thus there is quite a real chance that the likes of the UK and US have started a "disinformation campaign" against computer security to further a political agender (both the UK's Cameron and US's Obama have publicaly stated they want to be rid of civilian privacy and crypto).

Either way, I hope you will "hang in" and not let the disruptive elements win, as has been pointed out you have to fight to keep your freedoms and rights.

Clive RobinsonMay 27, 2015 5:47 AM

@ Nick P, Thoth, Wael, etc,

Whilst phone security is an issue for a variety of reasons, there are deeper issues that if not addressed will make anything done at a higher level moot.

In the past I've pointed out that for the likes of security tokens they have to be not just immutable but verifiably so to the user in an easily comprehendable way.

However I've also shown that the elimination of exploitable flaws is an ongoing process as our knowledge of attack vectors both specific and in general increases. This means that to remain secure security tokens have to be able to be upgraded to take the improved knowledge into account.

Now a fully immutable device can not it's self be upgraded it can only become landfill as it is replaced, such upgrading is not desirable at any leval due to the costs, not just financial but resource and environment as well. Pluss from the security asspect the issues of transfer and cleanup of secrets etc.

To avoid this then immutability needs to be switchable, that is a token needs to be fully immutable, except when it is being upgraded. Whilst there are various ways to do this they all have costs and security weaknesses. Obviously the cheapest is for the token to "pull down a patch" from a server over the internet...

However I'm also on record of repeatedly saying this is a bad idea because it's not secure. I've even detailed why code signing is a bad idea, and in more recent times we have had it demonstrated that a sufficiently motivated and resourced oponent will find little difficulty of getting around the likes of code signing.

Like KeyMat managment, this SecPatch managment is fundemental to the building of secure systems, and they may very well be the same problem. However despite years of saying we need the standard frameworks to alow this it's a problem that is more well known for being avoided rather than addressed.

If we don't keep bringing it to peoples attention by discussing it then we are maintaining the "head in the sand status quo" which all to well suits the likes of the NSA, GCHQ, et al, as they will always be able to exploit systems because it is an insecure fundemental.

Clive RobinsonMay 27, 2015 6:07 AM

@ Nick P, Thoth, interested others,

A list of "recomended" secure items might sound like a good idea but it's probably not, which is why EAL etc is actually not that good either.

The reason is as we know "security is hard" and this has consequences just one of which is "reputational".

We should realise that with the best will in the world we cannot design usefull "fully secure" systems, due to several reasons the most impossible of which is securing against "future attacks" which are currently unknown.

Whilst some in the industry nod sagely at this, in the world were the products are to be used it's not an accepted given.

Thus as a "security expert" putting your name down to certify a piece of equipment is in effect throwing your reputation away at some point in the future unless you are quite old or the gods of good fortune smile on you. Worse the more well known you are the more likely others are to attack the systems, because of "Jack the giant slayer" mentality, in that you gain attention and thus reputation by showing those with existing reputation were wrong...

This is the "build em up today, tear em down tommorow" attitude of the press and others that the public love to see, and it's apparently the true fortune of "fame" in these days of "kiss-n-tell" and "reality TV".

SandmanMay 27, 2015 6:34 AM

@Skeptical

Someone asked why I have the name Skeptical, when clearly I have views more in keeping with the mainstream. The answer is twofold: first, my views in THIS community are unconventional. Those who so easily buy into the worst theories about the US and the NSA - these are the conventional thinkers, the conformists, those who find the like-minded and insulate themselves from critical thought. And second, my views in many ways are not mainstream, or at least not what many here seem to believe is mainstream.

That was me. You are a sophisticated troll, a sophisticated fake. That is about it. Okay, a hyper smart individual. I will give you that.

But you of course believe that the US perpetrated 9/11, don't you? And our bizarre friend - who for various reasons I suspect to be writing from a former British colony (a tenuous hypothesis in which I place very little confidence) - seems quite taken with the proud respect for human rights and law shown by Russia, which marks him as either mentally ill or a paid shill.

Your two's "bizarre friend", is not a Russian spy as you are implying, anymore then you work for the US Government, lol.

And Andrew Wallace is not a Chinese spy. Despite his telltale grammatical errors and spelling issues. He is not an Asian pretending to be an Asian pretending to be a Scot. It is absurd, as is your persona.

As for Nick's 911 beliefs, that is about the only "extremist" thing on this forum, and that is entirely out of his normal character and actually a pretty common conspiracy theory all around the world.

I am continually astonished that anyone takes you seriously. You definitely are hyper smart, as are the primary people who do respond to you. But you clearly use your hyper smartness for an absurd goading with this hyper-"patriotic" American persona. You litter your posts with outrageous inconsistencies, subtly implied boasts and accusations. It would be entirely comical if you were just a few leagues less subtle in your demeanor as a serious intellectual.

AnuraMay 27, 2015 6:51 AM

@Clive Robinson

I disagree that it's worthless. Future attacks are one thing, but so many of these systems are built so poorly that they don't even take steps to prevent security problems that we have known how to avoid for decades (look at some of those "internet of things" devices - HP did an analysis and 70% of them didn't even encrypt internet traffic). Having something is better than nothing; the only risk is that people will be lulled into a false sense of security, and won't take necessary extra protections.

JacobMay 27, 2015 7:16 AM

@ Nick P at al

It is worth noting that any IT equipment having CC EAL level > 6 is included in the BIS controlled list and is subject to Wassenaar afreement's regulations.

So, if you build a high assurance device, the US Gov will erect barriers around you.

AnuraMay 27, 2015 7:26 AM

@Jacob

Although I'm not that familiar with BIS controls, but isn't that only on exports? If so, that is the same for any software containing strong encryption.

ThothMay 27, 2015 7:43 AM

@Jacob
Wassenaar agreement for a list of nations that have willingly signed the agreement. I might want to clarify that different countries have differing levels of interpretations as Nick P and some of us have pointed out in the past. UK and USA have the most troublesome export controls and are more than willing to as you said, erect barriers around you.

What me and Nick P propose is to feed on each nation's desires and Nationalism to suit to their taste accordingly. Knowledge itself has no boundaries except if a person is willing to study a system. The USA tried to prevent PGP and it seems like PGP and it's alternate which is the OpenPGP and GPG are all over the place now and almost every Linux installation has one inside. Talk about "export control". How are they going to hunt down every Linux distro and remove GPG/PGP/OpenPGP and suit it to their so-called "export control". That would be very interesting indeed.

@Clive Robinson, Nick P, Wael, Figureitout and all
We can simply focus on the technicalities of secure systems as what we have always done and ignore the trolls :) . We are better off doing something more constructive as what we have always done ... by sharing our ideas and knowledge. Some of us are getting advanced in age and it will be nice if knowledge can be transferred down to the younger generations to continue on while letting the trolls get ignored.

@Clive Robinson
Agreed that patching securely has always been a problem. Do we trust the immobile codebase that prevents patching or trust the patching has always been a point of contention. What if some sort of trusted root codebase that is very tiny (kind of like a secure bootloader) and easily verifiable due to it's size would not allow remote updates unless it is flashed (which also includes wiping all the Cryptographic Security Providers) physical onsite. The remote codebase could update could be executed on partitioned modules ?

ThothMay 27, 2015 7:49 AM

@Jacob
I forget to mention, I noticed you used the word "US Govt". And for that, I would also relate it to the UK Govt since both USA and UK are best buddies that make full use of each other.

We have to understand that so-called export controls are hard to implement and not everyone will listen to them and not all channels can be controlled. Dark Webs, Peering Networks, Sharing Networks, Online Groups, Forums, passing a friend the cryptographic software or hardware on physical meet ups ... there are so many ways to get something done.

Export controls never stopped Iran and NK from getting their own nuclear capabilities but only inconvenience the good guys doing security businesses.

I don't want to get into the technicalities of export control as it is very politically charged and highly complex and fickle but it is some kind of weird thing that is a failure from the start.

gordoMay 27, 2015 8:04 AM

A Growth Spurt
Posts From the Editors | Merriam-Webster Unabridged | May 26, 2015

It’s happened again: this dictionary has gotten bigger.

As of last week, it’s grown by more than 1,700 entries, and existing entries have expanded by more than 700 new senses. We’ve added 3,200 examples that provide contextual information, and another 200 entries for some of the words people most frequently look up have been updated and enhanced.

Some of the new entries are for terms you’ve heard of and some likely aren’t. We thought we’d offer you a sampling of both.

http://unabridged.merriam-webster.com/blog/2015/05/a-growth-spurt/

The sampling of new entries at the above link range from "colossal squid" to "WTF".

Smoking HotMay 27, 2015 9:43 AM

http://arstechnica.com/security/2015/05/canary-box-aims-to-lure-hackers-into-honeypots-before-they-make-headlines/

Does not look so good, but attempts to address..

lateral network visibility

Fuzzy ideas questions

Wouldn't a better system would look for IP accesses in the lateral network, at centralized locations such as in front of internal dns. It should keep it simple and avoid much more then reporting on potentially forged traffic, or other direct attacks against this sort of system. It should focus on mapping IP connections at the IP layer, and report that to a central reporting engine which focus is a graphical color coded map. This map provides color coding and shading according to access patterns. System to system patterns that are heavy should be shaded such, and gradual down to very rare access. This is essentially an anomalous detection engine. The simplicity of the focus is key, avoiding the devil in the details of deeper packet inspection systems that can unnecessarily cry wolf.

This system should also provide a clear lateral network map, and a consistent one, and would immediately provide the useful functionality of reporting new devices.

Some manner of tuning would be required for wireless access networks where access is relatively open, such as 'guest' networks. For that network, another device should also be employed, one specifically tuned against attacks against its' router thereby greatly reducing the possible threshold of internal wifi attacks. (As almost all of these attacks known actually are easily signatured, but too often there is simply no listening for these sorts of attacks at all.)

.

Fuzzy note questions on handset security

1. shouldn't there be a rootkit and whitelist analysis system from outside the phone easily available to detect anomalies from an outside system, including anomalies contrasted from 'what is reported about privileges per application on the handset' to 'what is actual applications privileges as seen from outside the system', as well as size and md5 of applications as reported from outside the system to what is reported from internal views... and sweeping of in memory data to focus on string and encrypted data?
2. what are the possibilities of handset to system via usb attack spreading? Wouldn't that be a primary attack point for nation states?
3. aren't burner phones via cash/prepaid best for communication, and often discared, but what are attack avenues/detection avenues for that? Surely governments have deeply focused on such usage patterns? Who but drug dealers/spies/etc would use and then throw away burner phones with consistent patterned behavior? And what phones would be more valuable for bugging right off from the buy then burner phones?
4. considering the strong telco presence, wouldn't voip be best, but like with burner phones wouldn't the heavy reliance on voip and lack of reliance on ordinary telco traffic be a strong indicator for an interesting character?
As there is a specific indication of ip for phones, whether that is over the cellular network or wifi (generally will be the same underlying telco)
5. besides a stingray sort of system, is there any reliable way to have a personal upstream sniffer to detect all possible outgoing traffic over the cell network for potential 'separate system' data analysis to attempt to find anomalous/suspicious unencrypted or encrypted data? Is there any way this can be done virtually and more simply then via a stingray sort of system?

Nick PMay 27, 2015 11:11 AM

@ Skeptical

Inspiring stuff but still misleading.

"This was a tiny nation of 13 colonies, that proclaimed to the world to the equality of men and challenged the better trained, better equipped, better numbered, British military"

A nation that did... with significant help from others. A team effort spearheaded by the colonists to fight England. Give them some credit.

"This was a nation that, in the years leading to WW2, worked hard to repair relations with its southern neighbors which had been ravaged by ill-thought policies and military actions; a nation which dreamed of a world, after WW2, in which the vestiges of European colonialism would fall away, allowing each people to rule themselves, to determine their own destinies - a narrative that, for obvious reasons, resonates deeply with Americans."

This was a nation that had already staged wars and smashed many Southern neighbors for money. The deals they gained through such extortion would continue. They had already set up a pretext for WW1 via Lusitania that's still misreported to high school students to this day. They choked Germany with the post-WW1 negotiations in a *very* colonialist way. The result was plenty anti-American support for the next party, the Nazi's. And all the imperialists, including America and now Nazi Germany, were still playing games through the world to push their foreign policy.

" we faced the Cold War - a long, drawn-out struggle in twilight and shadows, with inescapable nuclear peril at every turn."

A war where various imperialist powers continued attempts to turn nations such as Korea and Vietnam into colonies for their benefit. A time where the U.S. overthrew elected governments to steal their oil (source: CIA), installed oppressive regimes from Iran to Chile, and launched covert military operations throughout the world pushing its agenda on them. Rather than save us from commies, we see the U.S. government (esp CIA) trying to use any means necessary to squeeze other countries into positions that benefit us in the short and long term. And fighting communism. All in all, colonialism in full swing.

"But that is only a part of the story, Nick, and moreover it is a chapter that is past."

Nah, it's in the present. The CIA used to fund radical organizations to fight proxy wars against superpowers, including radicals they say did 9/11. Today, they funded and equipped similar people for politics with the result being ISIS. The U.S. government used to try to dominate the Middle East and their oil fields, esp Iran, by overthrowing regimes. Recently, we've seen three phony wars aimed at Iraq despite us having partners with WMD's and sponsoring terrorism. The FBI and CIA in the Hoover years violated civils rights, abused surveillance, and used torture to stop threats they identified (without due process). The Bush-Cheney Administration's FBI and CIA did the same except on a larger scale. People who did such abuses used to be grilled by Congress with no real punishment and therefore abuses continued. People behind forged Iraq intelligence and misleading torture reports were grilled by Congress with no real punishment and abuses continue.

So, Skeptical, these things are not merely chapters in the past: they're the M.O. of imperialist America the continues to appear in new forms and with little consequence. They happen regardless of our level of risk to foreign enemies or even economic situation. When military or intelligence gets leeway, they use their assets against everyone they think will be politically or economically profitable. That's what they did pre-WW1 in countries below us. That's what they're doing post-9/11 to... almost every country in the world if you count mass surveillance. That a large number decided the economic benefits of one-sided deals are better than fighting the U.S. military isn't an endorsement of our methods: it's just saying that we're the least evil (to them) of the evil empires.

Doesn't have to be that way. Yet, before it can improve, America needs to drop myths such as yours with associated cherry-picking that we're some valiant country trying to change the world for the better. Leaks such as the Wolfowitz Doctrine and Snowden files show that America is an imperialist country trying to dominate the world economically and militarily in a way that forces it all to run their way. I surely like that imperialism more than Russia's. China's seems a bit better because they just get trade deals and steal I.P. rather than straight up invade countries across the world. It's all imperialism, though. The very opposite of heroic.

"But you of course believe that the US perpetrated 9/11, don't you?"

And BOOM! You couldn't get through a well-written post without a common, sophist technique: identify extremest topic, associate opponent with topic without context, and use audience reaction to topic to dismiss all further claims from opponent. A clever ploy that will work on audiences with weak minds or who showed up to cheerlead their position rather than understand the facts being debated. You then tried to further poison my image as a source by associating me with an unknown person ("our" british friend?) whose opinions I didn't read or endorse. I wasn't cheap enough to use such tactics on you. I'll do one for illustration to readers, though:

"But you of course believe we went to Iraq over 9/11 and all those WMD's despite most of U.S. government re-canting that as lies or incompetence, don't you? And your bizarre corroborator Andrew Wallace - a known troll whose other claims were proven fraudulent by leaked emails - seems to think U.S. intelligence agencies have exemplary behavior in civil rights despite leaks on mass collection, torture, and murder by metadata."

"So I don't expect either of you to understand the greater context in which the crimes and failings of the US exist, nor to grasp that a powerful nation may both be guilty of failure and worse, while still being ultimately nefarious in its true values and goals."

See how that works, Skeptical? It looks true to a reader that doesn't check his or her facts. It weakens your position. It makes you worth dismissal. Yet, it isn't an honest or fair approach to the discussion given its clearly an attempt to dismiss you entirely rather than the claims in dispute. So, unlike you, I'm saying the above two quotes are a piece of sophistry on my part to illustrate how you approach debate, that they are not to be taken as truth, and any readers wanting my more true points should look at claims made before I referenced your troll tactics.

Meanwhile, you're sophist techniques have improved. You've used two, disinformation tactics in your comment: associate opponent charges with old news; admit to fall-back position. The second is common in job interviewing where the interviewer asks about weaknesses and the interviewee establishes trust by confessing to weaknesses... cherry-picked for their minor effect. Your post cherry-picks good and the bad into one image of America that people might gripe at but ultimately respect. It leaves many horrors, deceit and corruption while accepting a few... that were all in the past. Your combination of these two could indeed lead many people to think of America as a troubled, but great, nation with so much to offer all its potential partners. Despite all of that being a giant strawman.

Hence, I'm awarding you the Congressional Medal of Sophistry for going above and beyond in using its techniques to promote U.S. interests in terms of foreign policy and revisionist history. You keep talking like that and our defense contractors might score another $100+ billion in revenue on a war. And that time, we might even loose less than 6,000 people with no ISIS-like threat.

Nick PMay 27, 2015 12:46 PM

replies in order

@ Figureitout

A good idea but not happening: EAL1 doesn't rigorous testing and hence there's probably nothing to release. The Cygnacom description says EAL1 requires: a version number; how to install it; informal description of what it does; informal argument that it implements that; guides for admin and users; basic testing of the security features against the informal descriptions. Aka the... weakest... assurance claim... ever. Total "bullshit" like you said.

Although, as I pointed out, many companies that internally use good development processes get a lower certification to save money and get those government contracts. The buyers are more likely to look at their brochures, reviews of them, or demo's than CC certs. At any level below EAL6, it's all a show and even EAL6-7 only buys you whats in the stated requirements.

"Regardless, I thought we've pretty much thrown out regarding a smartphone as anything but secure; I like using it for quick notes instead of millions of slips of paper like I usually do. "

Yeah. Same here. Anything I use it for I assume is recorded indefinitely. Given what they have on me, I can go ahead and use it for plenty as it won't change my level of risk. I just avoid such devices for anything new I do that's security-critical.

@ Wael

"It took an hour to format. It's gotta be better than good?"

Oh, it was great. Good is just one of my default words. I swore I gave your frameworks due praise in that thread or in the past.

@ Thoth

Check out NICTA's Trustworthy Embedded Systems work and OKL4 tools. They've simplified a lot of it by creating a CORBA-style framework to integrate pieces of applications running in different protection domains. An assured toolset to do that combined with the components we need could produce a whole system with higher than COTS assurance.

Far as Trusted Path, that's another nice piece of work in this area. Trusted path has been a requirement for a long time. See also Dresden's Nitpicker GUI and EROS Trusted Windowing System (I think it was called).

@ Clive

Good point on reputation. We actually dodge some of this effect by the standards. We throw our reputation on a set of evolving standards, guidelines, and so on. We show how they prevent or catch many problems in uncertified products. We also publish data on new attacks, try to provide guidance for existing products to dodge that risk, publicly work on ways to mitigate it more thoroughly, incorporate it into our criteria, and have existing certified products deal with that to keep certification. Rather than recommending bad products, we're seen as people doing what we can and fighting the good fight for our users. This has proven true with a number of companies in the security industry despite them doing *a lot less* for their customers.

So, I think some model along those lines will help deal with negative consequences of tying evaluation criteria with evaluators' reputations. I can say for sure that our successes will outweigh our failures and we'll be able to graphically illustrate that in comparison with competing organizations.

@ Jacob

Good call on EAL6+ being on the restrictions list. It's why I told Thoth to use Iceland instead of Switzerland for such parts: they're not on that list. Plus, we've seen exceptions for more open stuff because borders couldn't contain it. Tor got an exception for their controlled aspects because U.S. export law makes an exemption for tools combating censorship. One idea I had for doing stuff here is to make extensive tools for censorship resistance that can be tweaked to do more than that by open software published elsewhere. The kind of tweaks my organization wouldn't really have time to fight or prevent. ;)

I gave the details on export restrictions, including high assurance security, in this post. The discussion there was interesting. Many unknowns was what I got out of it.

@ Gerard
(@ Thoth)

"We can simply focus on the technicalities of secure systems as what we have always done and ignore the trolls :) . We are better off doing something more constructive as what we have always done ... " (Thoth)

Exactly. I call them out where they're distracting discussion and will start hyperlinking them like I did Andrew Wallace. That will shorten it. Past that, we need to put at least 80-90% of our energy into discussions with the people contributing the most. I'll also add that it might be worthwhile to develop a front-end for pulling the site's contents, whitelisting certain names/conversations, blacklisting others, and posting replies back. This could be useful in general for blogs with commenting policies that bring in trolls as a side effect.

@ Smoking Hot

It's a nice alternative to admin- or wallet-intensive honeypots for businesses that would usually buy them. I think it's good for keeping out the riff-raff like most such technologies. The best bet is a combination of prevention, detection, and recovery. So, my commercial model looks something like this:

1. Trusted systems and network with strong endpoint security, minimal functionality for critical apps, no risky hardware, dedicated wires, no Internet connection, a data diode for incoming data from untrusted sources, and a guard (or write-only media) for examining/signing/releasing outgoing data.

2. Untrusted systems for Internet, apps that need them, and so on that use their own network.

3. A thin client or KVM switch to easily switch between them.

4. Software on both that lets use of diodes or guards happen with nothing more complex than drag and drop, albeit with restrictions on formats & probable scanning.

5. Monitoring and recovery on both sides with untrusted side's critical data also protected by trusted systems for stronger recovery.

6. Optional honeypots imitating both common and site-specific functionality which use strongest detection and recovery tech.

This overall setup keeps things simple. The users do critical things on the machines that are the most trustworthy. They have a method to bring in data they need to the stronger endpoints. They have a robust method to release what they intend to release and nothing more. They have higher chance of detecting compromises of trusted systems because their traffic is authenticated & easier to analyze than traditional clients. The extra hardware is minimal with each user costing $500-1000 plus $5,000 min for the guards plus whatever the normal cost is. The amount of security, performance, and so on above the baseline would drive the price up further.

Yet, this setup would be much more resilient to common infiltrations (even APT's) without much extra difficulty or money. Plus, I'd rather drop $5,000 on a guard with application-layer protection than a honeypot any day. My money will go a lot further even with a knockoff of a high assurance guard. It can probably also run a honeypot if you tweak existing, open software for that. :)

Note: Here's Boeings clever offering in this area. Both they and I were inspired by prior MLS, MILS, and physical separation work. Their scheme is more complex but has aspects worth imitating.

Clive RobinsonMay 27, 2015 6:09 PM

@ Figureitout,

You've probably "out grown" doing fun projects for a while, but that should not stop you reading about othere peoples who have got over that initial "to busy to die" hump that people get into when starting out earning a professional wage.

So this might be of relaxing interest,

http://www.stavros.io/posts/irotary-saga/

The short version is he takes an old style rotary phone and builds in a GSM mobile phone.

Nick PMay 27, 2015 6:21 PM

@ Clive

I read about that, too. Pretty cool. And, yes, I do miss slamming the phone down on someone. I need to get another landline for that. Not to mention, there are Vtech phones for $5 that are almost certainly designed for that. :)

Clive RobinsonMay 27, 2015 7:10 PM

@ Nick P,

Yes "slaming the phone" had a certain pleasure to it, that let's be honest modern phones are just not built for :-(

But it could be worse, some of my ancestors are Scottish and to be honest have a bit of a reputation down the years as amoungst other things god cursing cattle thieves...

Well as cattle misapropriation became subject to harsher deterrent they had to find other ways to vent pent up feelings. One such way was a yowling or cussing tree. Basicaly you would go and find some inofensive and totally innocent tree and subject it to verbal and occasionaly physical abuse untill you got what was a'ling yer out of your system.

According to family legend on of my relatives was possessed of a fearfull temper and as many cuss words as would curdle the milk in fourty cows udders. One night after a bad day even though it was blowing a storm she was put out of the house by her husband because of a cob she had got on. She went to yowle at the appointed tree and was just getting into her stride when the tree was split assunder by a bolt from the tempestuous skies. This unfortunatly did not improve her temper and she returned home to give her husband the news in a few choice words. Where upon he sent her back with a flea in her ear as she had not thought to pick up some of the fallen branches for fire wood. Its said that she came back with wood but hid the salt for a week so as to ruin his porridge (oatmeal breakfast).

Mind you she was only a few generations down from the clan chief who on an overnight cattle raid caught his son making a pillow out of snow and kicked him to death for being so bl**dy soft...

Generaly the only time I get anoyed is when it's my own fault, most notably was when I fell three hundred foot down glen co I was so busy cursing and kicking out at my own stupidity I forgot to hurt myself on the way down and thus had only a few bumps and scrapes to show for it.

I must admit that the supposed "executive stress relief" tools never did much for me and modern office furniture is not up to getting even the smallest of stress relief balls thrown at it, thus there's no fun in venting ones feelings, and a good cuss is also "verboten" in the modern office by those...&*#$% of the Human Remains office B-)

uhohMay 27, 2015 7:18 PM

@Bruce Schneier:

Remember the amicus briefs by computer scientists, that the EFF filed with the federal circuit and now the supreme court, in the appeals of Oracle v. Google case? (I think you were a signatory to at least one of them?)

Well, the U.S. government filed a brief arguing the other way. If the Supreme Court listens to them, it will probably turn out to be a disaster not only for the U.S. software industry, but also for many other industries that write and use in-house software.

https://www.techdirt.com/articles/20150526/16550931121/obama-administration-files-totally-clueless-argument-concerning-software-copyrights-supreme-court-case.shtml

Nick PMay 27, 2015 7:34 PM

@ Clive Robinson

Seems our families are both a little crazy. And hilarious. ;) Regarding phones, the frailty of modern electronics hasn't stopped some people from treating them like rotary phones. I feel sorry for the developer. It's why I plan to stay away from crazy customers like that where possible.

ThothMay 27, 2015 7:39 PM

Hmmm... iRotary phones behind guards and data diodes. That sounds nice :) .

Or maybe just for the fun of it as a plain iRotary phone which no one would suspect so much.

ThothMay 27, 2015 8:56 PM

@Anura
This is where code signing comes to some use to testify authenticity of the binaries. On the Sourceforge pages, you can set it to a HTTPS personal website where you setup a public code signing key as well.

This way, if Sourceforge wants to make an installer, it needs you to sign the binaries.

Who knows what stuff Sourceforge might insert into the installers.

Good to know Sourceforge is playing with the users' trust and it's time to move over to Bitbucket and Github if they continue their behaviours.

AnuraMay 27, 2015 9:06 PM

@Thoth

What percentage of users do you think actually check to make sure the binaries have the correct signature? It's all about getting the ads to the most people, not necessarily getting them to the most experienced users.

tyrMay 27, 2015 9:11 PM


http://www.nano-archimedes.com/download/Sellier_JCP-2015.pdf

This is supposed to make the jump from quantum mechanics to
the macro world a trivial step. If so it may be the long
awaited GUT.

I am always amused by the mad schemes which are supposed to
limit mathematics and physical sciences to some national
subsets of nations. The only place you see any rationality
is in copyright law where you can't copyright facts.

Export controls might stop the commercialization of the tech
across anational boundary or keep specific equipment at home
if the law is followed, but you can't stop the math and we
all live in the same physical world.

I heard a rumour that the Saudis have already bought their
nukes from the Pakistanis but haven't taken delivery yet.
If true it is a nice example of how commerce can subvert
any well meaning gloss on human behaviors.

There was also a neat item about a benchtop high power UV
laser for nano level probing. I'd hate to be around that
if the users aren't real safety conscious.

ThothMay 27, 2015 10:32 PM

@Anura
It really depends on how motivated the users are. The addition of codesigning is simply to make it harder for Sourceforge to impersonate binaries or for anyone else to attempt to impersonate binaries.

What are the likelihood the codes and binaries you post elsewhere cannot be impersonated with ease without a code signature ?

There are cases where code repository websites might simply grab a free copy of your binaries and decide to publish them on their websites with their own installers (which you may or may not approve explicitly) and codesigning would be useful for security cautious people to double-check.

Clive RobinsonMay 27, 2015 10:44 PM

@ tyr,

There was also a neat item about a benchtop high power UV laser for nano level probing. I'd hate to be around that if the users aren't real safety conscious.

High power UV lasers are about the easiest to make of home made lasers. In essense they are little more than a long channel spark gap and can be made with little more than standard home garage / shed tools, and practical guides to home brew TEA lasers can be found fairly easily on the internet,

http://www.sparkbangbuzz.com/tealaser/tealaser7.htm

AnuraMay 27, 2015 11:30 PM

@Thoth

I'm not saying that codesigning isn't a good thing, but that for the average user a trusted distribution channel is much more important as they are unlikely to check the signature.

FigureitoutMay 27, 2015 11:31 PM

Thoth RE: ethernet access
--Hope we're on same page; a part of me feels "the standard implementation" of ethernet chips and code is corrupted and there's some lurking protocol hacks still. I want a board laid out that has simple jumpers on programming pins and a lock on the firmware similar to what Microchip does (they're the industry's strongest for code protection that isn't encrypted I believe, until we can do better and actually deliver (one can obfuscate code as well)...and probably using a similar thing for blocking pins w/ a low leakage FET ( *PDF warning* http://www.infineon.com/dgdl/Infineon-BSC067N06LS3-DS-v02_04-en.pdf?fileId=db3a30431ddc9372011ebb01e1b37fb6 )that get a electromechanical signal of sorts only, that's a big goal for me, no remote firmware flashing possible period is the goal); so any simple reboot can shake attackers still getting in off assuredly. So it'd probably be somewhere around EAL 5 or 5.5 if evaluated (I want it to be semi-useful so I'd personally sacrifice some security for that if I'm going to use it everyday) b/c I can't implement perfect OPSEC, but I'd add on strong OPSEC and careful usage. Still stuff lurking b/c of complex logic and true hardware design being so hard and specialized...I don't know what to do about that besides going back to NE555 chips and op-amps lol (the ATTiny is a surprisingly powerful but small chip too).

Nick P
--Those descriptions told me a whole lot of nothing, kind of like their report on fort knox on WHY it was EAL1. Kind of pisses me off giving me the reach-around when they could just be clear and get to the point. It's words, you have to quantify each of those words, "systematic covert channel analysis" is impossible straight up. If they're keeping reports secret, then what about their credentials? Is this a company's business or what? It is, isn't it? If so, that um...is a bit of a problem eh?

Clive Robinson
You've probably "out grown"
--Nevah! Look how childish and silly I can be (online...). Yeah I am busy (don't mind getting lost in my work as long as it's interesting; actually applying some concepts from physics now which is nice, I'm an "applied" kind of guy if you haven't noticed :p), get home, workout and eat and have 3 hours tops to do whatever and I work hard, not screw around. I've got too many projects too (one priority is replacing these capacitors on a motherboard that my dad said likely heat from CPU caused them to burst slightly and start oozing dielectric or whatever) I want to do, that's my big problem, then not finishing them if something cool pops up; thankfully *that* has died down and I can go back and finish ones I meant to (FSK thing being high on list, gonna connect a radar to it and not screw w/ a virtual serial port in windows) and reduce that list to things I really want to do. Yeah, interesting, just prefer something other than GSM; different protocols. Got a little transmitter/receiver thingy for arduino, don't know what to do w/ it yet; dinky thing, short range. Going to hook up a "real" radio before summer ends to a desktop PC I just got and got a handy coax connector nearby, finally some more computing power I needed, bazinga. :)

ThothMay 28, 2015 1:00 AM

@Figureitout
I mentioned two ways to get the system. Either implement it onboard a standard RPi or something like that or make your own high assurance electronics. If you want to standard from scratch (option 2 - make own electronics), you will need tonnes of fundings and time to get it started and to maintain the project, you also need a ton of fundings and time too.

This is applicable for all security devices as well. Either make them from outright scratch with your own photomask and layouts or use someone else which means you need to have a semi-trusted relationship somewhere along the line.

Relative security depends on requirements (quote @Clive Robinson).

WaelMay 28, 2015 1:30 AM

@Nick P,

Oh, it was great. Good is just one of my default words. I swore I gave your frameworks due praise in that thread or in the past.

Was just messin' with you ;)

WaelMay 28, 2015 1:44 AM

@Clive Robinson, @Nick P, @Thoth, et all,

Now a fully immutable device can not it's self be upgraded it can only become landfill as it is replaced

No one proposed a fully immutable device. Certain parts need to be immutable and would act as a "root of trust". Now nothing is truly immutable since the universe we live in is "mutating".
An immutable bootblock in the BIOS or an immutable primary or secondary boot loader in an embedded device can achieve a level of security while allowing system upgrades.

I've even detailed why code signing is a bad idea

But how else would you guarantee the integrity or authenticity of the payload? You have to propose a better method, otherwise code signing would be the only method we have, even if it's a bad idea!

tyrMay 28, 2015 2:05 AM

@Clive Robinson

Thanks for reminding me about that site. I've got a set of
plans somewhere for an axialflow CO2 job you can build
for the garage. Hardly suitable for nanotech work though.

Did you catch the latest US military fuck-up ? Shipping
live anthrax around the planet hardly makes eveybody more
secure. The real question is why they have so much live
stuff laying around ?

rgaffMay 28, 2015 4:06 AM

@tyr

"The real question is why they have so much live stuff laying around?"

Well, see, they don't anymore... the stockpile keeps getting smaller when they keep giving so much away and spreading it around the planet :)

Wesley ParishMay 28, 2015 5:07 AM

@Nick P

I suspect it is me our dear friend @S[k]eptical is conflating with the pro-Russian poster above. I do live in a Commonwealth nation: think "Nuclear Weapon Free 1984" and you'll have the coordinates. But I learned back then not to ever let myself be stampeded into a position (Rabidly pro-Russian just because I disagreed with the US position, or rabidly pro-US because I disagreed with the Russian position) and to always check for nuances. @S[k]eptical hasn't done his homework, as he showed rather painfully clearly during a recent discussion on complexity - he shows no patience with reality.

Ordinarily I would cheer on someone genuinely being the "Devil's Advocate"; but even the Devil's Advocate has to show patience with reality.

Clive RobinsonMay 28, 2015 7:19 AM

@ tyr, rgaff, Zenzero,

Shipping live anthrax around the planet hardly makes everyone more secure.

Think of it as a new varient on the old "shell game", rather than find the pea, you have to find the empty drum...

Actually it's more a threat rather than a weapon of real use, whilst it can be to a limited extent weaponised there are issues with deployment. Firstly the delivery mechanisms are realy not effective, and many are easily stopped by low levels of irradiation and the current medical response is getting more effective with time.

And it's the last couple of issues that should give you the real heads up. Whilst it's of little use against first world nations due to their having both detection and medical technology to make anthrax ineffective, the same cannot be said for third world nations, countries heavily dependent on base level agrarian subsistance and unstable regions like the current middle east.

When the Russians invaded Afghanistan they ended up looking for ways to deal with the non urban population that regarded killing and mutilating russian soldiers as a way to pass the time, they considered the use of biological weapons, but instead went for chemical warfare --cyanide in water supplies etc-- and cheap thermobaryic / oxygen robbing fuel air explosives and similar to kill off livestock and burn crops etc. Anthrax belongs in this class of those weapons suitable against farmers, in effect modern day "siege tactics" of "starve them into submission".

Nick PMay 28, 2015 10:17 AM

@ Wael

"But how else would you guarantee the integrity or authenticity of the payload? You have to propose a better method, otherwise code signing would be the only method we have, even if it's a bad idea!"

I agree. It's also the standard everyone agreed on under the label "Trusted Distribution." The only thing better was "trusted trucks:" a software delivery scheme with its own risks and steep pricing.

Maybe they can just mail us carrier pidgeons that fly back with their software. I'm not sure how secure it is but it would make for good news when PETA finds out.

@ Wesley Parish

re Skeptical

I think he has done his homework, has an agenda, and is therefore selective. Or maybe he hasn't done his homework in practice by using heavily biased sources. Either way, my replies to him are mainly for other readers.

re your country

Ah, a fun country to live in supposedly. I once read an article that your government was trying to push businesses into trying to make more money. From what I read, your culture was kind of laid back, business owners had reasonable targets for success, and they just weren't that greedy. Led the GDP to be lower than it would with American-style thinking. Probably the debt, too, lol. I was just curious if there were any truth to that?

Of course, I couldn't move there for my activities due to your country's priorities in intelligence and civil liberties. Might visit for fun one day, though.

@ Clive

"Anthrax belongs in this class of those weapons suitable against farmers, in effect modern day "siege tactics" of "starve them into submission"."

No, anthrax is a biological weapon. That gives it the risk of blowback in a way that grows and spreads. It's not suitable for anything except scare tactics, deterrence, killing opponents of the Patriot Act, and maybe vaccine research on the side. Like all bio-weapons, it's best that it's never used.

ZenzeroMay 28, 2015 10:50 AM

@ Nick P

"Maybe they can just mail us carrier pidgeons that fly back with their software."

I can see the next leak now

"Operation HAWKSTORM - Combat ready Red tailed hawks, fitted with GPS and laser guidance for in air pigeon interdiction" :)

Nick PMay 28, 2015 11:20 AM

@ Zenzero

Haha nice codename. We don't have to guess the countermeasure: history already solved this problem.

JacobMay 28, 2015 2:46 PM

PM Cameron was dead serious.

RIP RIPA 2000, welcome the new Investigatory Powers Bill, a supercharged Snoopers' Charter:

http://www.telegraph.co.uk/news/politics/queens-speech/11634567/Google-and-Whatsapp-will-be-forced-to-hand-messages-to-MI5.html

A noteworthy quote:

"Robert Hannigan, Director of GCHQ, has accused internet companies of being “in denial” over fanatics exploiting their networks and said they had become “the command and control networks of choice” for terrorists. "

rgaffMay 28, 2015 3:27 PM

@ Jacob

re: Investigatory Powers Bill

Gotta love those Brits... Anti human rights, and proud of it, and want more of that.

BenniMay 28, 2015 3:27 PM

@Skeptical:
If you know so much (for example, you did tell us previously that the NSA does its hardware manipulations in germany at its military bases there, which was not in the Snowden files):

Can you tell us more about why NSA spies on people developing laser and nano and computer technologies in germany? At least this is what BND president Schindler told the government, that you would be so interested in nano technology and lasers:

https://netzpolitik.org/2015/internes-dokument-belegt-bnd-und-bundeskanzleramt-wussten-von-wirtschaftsspionage-der-usa-gegen-deutschland/

Can't you develop even this on your own?


By the way these here are lists of fibers that BND has spied on for NSA:

https://netzpolitik.org/2015/interne-e-mail-bnd-und-deutsche-telekom-haben-auch-oesterreich-tschechien-und-luxemburg-abgehoert/

https://netzpolitik.org/2015/luxemburg-erstattet-anzeigen-gegen-unbekannt-in-sachen-bnd-ueberwachung/


https://netzpolitik.org/2015/swisscom-bnd/

https://netzpolitik.org/2015/bnd-nsa-europa-ueberwachung-was-der-bnd-in-den-niederlanden-ausspioniert-hat/

Clive RobinsonMay 28, 2015 4:16 PM

@ Jacob, rgaff,

RIP RIPA 2000...

RIPA 2000 will not die as only a very small part deals with security service evesdropping. The bits that alow some jumped up little council twerp to get at your private financial and health records, and put you under surveillance simply because you "move house with children" or are "suspected of puting a tea bag in the wrong bin" will still be needed.

As for the new aims and objectives, David Cameron is either badly advised or increadably stupid, maybe both. The idea to get the likes of Twitter and Facebook to hand over the plain text of encrypted traffic is a bit of a non starter, as it assumes that the US companies actually have control over the encryption people might chose to use. If the law passes I can see it taking less than a couple of weeks befor "plug-ins" become available to do DH key exchange and then use AES256 in some mode to send the traffic across twitter or facebook.

The thing is that in RIPA2000 there is already the legislation to get at this traffic, so this asspect of the Snooper's Charter is moot anyway. Which probably means it's "Grandstanding" to stop other more subtal aspects getting talked about, such as banning the use of private crypto, so very very close scrutiny is required on any drafts etc as soon as they become available.

tyrMay 28, 2015 4:50 PM

@ Clive Robinson

"RIPA 2000 will not die as only a very small part deals with security service evesdropping. The bits that alow some jumped up little council twerp to get at your private financial and health records, and put you under surveillance simply because you "move house with children" or are "suspected of puting a tea bag in the wrong bin" will still be needed."

I suddenly suspect you of reading the latest thread on Charlie Stross Blog.

If I recall correctly the British Isles has an anthrax weapon test site that
was contaminated during WW1 and has been completely unsafe for humans since.
Something like contaminated with the stuff a foot deep. Scorched Earth sin't
even close to that. There's been paranoia for years over engineered bio
weaponry coming out of one of these projects. So far no real hard evidence
but it does make you wonder just how sloppy they are in handling nasty
things.

They seem to be equally careless with nukes a few years ago the AF flew a
loaded B52 across the country and then noticed they still had the warheads
on. 60 people got fired over that stunt.

Industry suffers from the same problem.

"there are idiots everywhere"
T. McKenna

You'd like to think that the more dangerous the material the more safety
motivated the personnel. With the Net so ubiquitous you'd like to hope
making it safer would have some priority as well.

WaelMay 28, 2015 10:46 PM

@Nick P,

I'm not sure how secure it is but it would make for good news when PETA finds out.

Nothing wrong with using pigeons for mail delivery... They don't go postal! Keep in mind this is coming from someone who doesn't mind roasted stuffed pigeons :)

ThothMay 28, 2015 10:48 PM

@all
re: Investigatory Powers Bill
OTR Chat should have been a main-stay in daily communications but due to the lack of awareness and consumer appetite for end-to-end ephemeral privacy chats, we are still stuck in old technologies where the security is done in server-side (SSL/TLS based server cryptos) or even no crypto.

What should communications providers provide in their privacy centric API is a way to easily integrate security modules by third parties into their communication suites with the security functions not held by the communications providers but by the client side security modules.

Open sourcing of communications protocols like WhatsApp will definitely allow better designing and integrating of security modules into the protocols and be more widely adopted.

Mobile phone based secure communications (especially the ChatSecure and Open Whisper Systems secure comms suite) should be crossed platform and more security developers, researchers and engineers should join in to systematically audit and maintain these publicly available open source secure comms suites.

Secure comms suites and messaging apps should also tap the capability of hardware-based security to use cryptographic tokens to do the heavy lifting of cryptographic functions and maintenance of cryptographic keys but there are cases where the hardware is doubted of it's integrity (backdoored hardware chips) and the next step would be to use TFC-like modules.

TFC-like modules should be more aggressively researched to make it much more simpler to setup for non-technical users and requires nothing but plugging in cables instead of soldering because end users may not want or even know how to solder.

Chipboards supporting an ARM chip with serial interfaces, ethernet ports and a few USB ports would be nice for development and with the exclusion of audio, bluetooth, wireless and unnecessary capabilities. The chipboard should be as generic as possible so that export controls cannot classify such generic boards as weapons or CCI items and the designs and implementations should be open sourced fully.

These are some of my thoughts on the directions of secure computing at a beginning phase to adapt to current political climates.

More advanced researches like using bare transistors and back to basics methods of creating electronics can be handled when the climate have stabilized and everybody are beginning to use some form of end-to-end communications over a somewhat more secured platform.

Clive RobinsonMay 29, 2015 1:19 AM

@ tyr,

I suddenly suspect you of reading the latest thread on Charlie Stross Blog.

No I hadn't [1], untill that is you mentioned it and I went to look... all I can say is there are definitely more "evil thoughts" in the comments section there than I've seen collected together ever before. I would urge others to go read it,

http://www.antipope.org/charlie/blog-static/2015/05/the-evil-business-plan-of-evil.html

As for the anthrax tests it was a Scotish island that was used. The problem with anthrax is of course that it's also a "salted earth" weapon, with the spores surviving in soil for hundreds of years.

As for "mis-haps" with Bio-agents, take a closer look at the Foot-n-Mouth crisis the UK had when Tony Blair was in power (and making things a lot lot worse). As the first out break died back a second outbreak happened and was traced back to a Government lab... Then there was the BSE outbreak, with a Government lab doing research, where they could not tell cows brains from sheeps brains so their research was meaningless... So yup they can mis-handle things in ways you can not credit...

[1] I was not aware of Chalie's blog, even though I have met him a longtime ago, it was back when I could still buy Terry Prattchet a pint of beer "with ancestry" and swap a few rude jokes without being mobbed. Not being a "writer" but a "techno-nerd" I knew of Charlie through his computer coloumns, so the conversation turned from the inadequacies of "local government" to those of computer hardware and their more aberant failings that Terry had suffered late one evening when playing a game... back then it was a small world and I knew other columnists like Robert Schiffren and Steve Gold, and got into a few security scrapes with Bruce's old employer. Being somewhat introverted I failed to capitalize on the position I was in even though Terry did observe in his occasionaly blunt way I was wasting my talent and should write. For my sins I instead buried my head by getting more technical and ended up doing stuff in petro-chem and telecomm industries, which got others the rewards...

Alan StriegelMay 29, 2015 9:58 AM

Text that crashes iPhones and other iOS and OS X devices. Apparently caused by a library that improperly handles the unicode character string.

mooMay 29, 2015 1:16 PM

http://arstechnica.com/security/2015/05/crypto-flaws-in-blockchain-android-app-sent-bitcoins-to-the-wrong-address

Hilariously bad key generation in an Android bitcoin app, led to many users generating keys for the same wallet, leading most of them to lose their money to at least one enterprising person (who has syphoned off at least $8000 so far).

They were (1) using HTTP to get random numbers from a website, and (2) completely failing to collect local entropy from the device itself on at least some Android devices (4.1 and earlier). I didn't look at the code itself, but other commenters have said it is pretty bad.

A great comment from the Arstechnica article: "Bitcoin cannot fail, it can only be failed."

Joe KMay 29, 2015 4:40 PM

@Gerard van Vooren

If I can do it, you can too.

#!/bin/bash
#
# bs_earplugs - view bschneier's blog posts with whitelisted commenters only
#
# example:
# $ bs_earplugs friday_squid_bl_481.html "Clive Robinson" "Nick P" "Gerard van Vooren" "Thoth" "Wael"
#
# synopsis:
# bs_earplugs file commenter...
#
# description:
#
# given a schneier blog post (say, example.html) and a list of
# commenters (see above, for example), produces example.extract.html,
# deleting comments not made by commenters listed on command line.

# generate name for edited version
article="$(echo -n $1| sed 's/\(\.[^.]*\)$/\.extract\1/')"

# edited version is initially identical to original
cp $1 $article
shift

# make a regex that matches the desired commenters' names,
# as they appear in the blog markup
participants=''
for participant in "$@"
do if [ -z $participants ]
then participants="$(echo -n $participant |tr A-Z\ a-z- |tr -d .)"
else participants=${participants}'\|'"$(echo -n $participant |tr A-Z\ a-z- |tr -d .)"
fi
done

# here there be censorship; and thus, inevitably, ugliness and violence.
sed -n -i "0,/id=\"comments\"/ p;\
\%^<article><div class=\"comment by-\(${participants}\)\" id=\"c[0-9]*\">%,\%^</div></article>% p ;\
/class=\"subscribe-comments\"/,$ p; " ${article}

ThothMay 29, 2015 7:23 PM

@Joe K
Thanks so much for the whitelist :) .

Good to know good and solid technical discussions are valued here which makes me, Nick P, Gerard, Clive Robinson, Wael et. al. who discuss heavily into technical aspects of security (guessing) very glad.

Nick PMay 29, 2015 7:32 PM

@ Joe K.

Haha nice! Might test it out later. You might want to put "Bruce Schneier" and "Moderator" on that list, though. ;)

Nick PMay 29, 2015 11:26 PM

@ Thoth

Been having fun on Hacker News recently under the handle "nickpsecurity." Rep is getting up there and even got some quality feedback on some non-security topics. Check it out if you haven't.

BuckMay 30, 2015 12:26 AM

@tyr & @Clive Robinson

Re: The Evil Business Plan

I saw a strange theme there... That it is my country, or for my lesser class, I'm not too sure... What I do know is that cashless transactions are already enforced upon the less fortunate. Debtor's prisons are real; those on probation in my town are forced through it via subsidized rent-collecting private corporations. They literally will not accept cash payments -- all debts public and private -- E pluribus unum -- whatever that means... You've gotta buy a money order to stay out of jail.

Wesley ParishMay 30, 2015 2:57 AM

@Nick P

A lot of truth in my country being laid back, though it has picked up a (relative) lot of speed since the "early" days. A lot depends on where you live, and your expectations, contacts, and the like.

@Glean

Noticed that Slashdot article. My immediate thought was, "Good Lord! Putin's turned into a Republican!" Seriously, Putin's wheels are spinning in a rut if he thinks that's a good use of propaganda. As far as I can recall, I've only ever made one pro-Putin comment, and that was during the Dubbya years, when even Putin's Russia looked better than Dubbya's America.

The best propaganda's subtle, and you don't even notice it until you've already bought it. Dr Linebarger commented in his book "Psychological Warfare" that the US managed that with its commercial press during the Second World War - it was so obviously non-governmental that everybody bought into it. He also mentioned for praise a British "black propaganda" radio station that had the Americans fooled into thinking it was an actual German rebel station - it was that good. I've just finished "Churchill's Wizards", which puts the Second World War in a rather different light to that which I'd seen it previously.

I'm still undecided about where Prof Tolkien fitted in, but his words in the LotR foreword about "conducting or at least reporting the war" and Gandalf's insistence on noticing the precise wording used by Fangorn (Treebeard) leaves me suspecting that he was involved in at least one of the British "black propaganda" radio stations, probably one of the Catholic ones.

Putin's a rank amateur. Don't know how long he'll last, or how much (or little) power he'll have at the end ...

Clive RobinsonMay 30, 2015 4:20 AM

@ Wesly Parish,

He also mentioned for praise a British "black propaganda" radio station that had the Americans fooled into thinking it was an actual German rebel station - it was that good.

That was the work of Sefton Delmer, and it was transmitted from what at the time was the worlds most powerfull transmitter built by RCA and failed to meet licence requirments and was purchesed cheaply and shipped to the UK and installed in SE England. Due to a popular ditty of the time "The largest Aspidistra in the world" it ended up being called Aspidistra, Bruce blogged about it a few years ago.

The radio broadcast you refere to was actually broadcast on two different frequencies at different times of day. The recordings were made onto recording discs and sent by motorcycle despatch rider.

Due to a turn of fortune in the war it was decided it was time to end the station. So a set of records were made of the station being over run and the operators being machine gunned down. This was transmitted on the appointed day, unfortunatly due to an error in communications it was transmitted twice, thus "blowing the cover", however it appears nobody cared...

Aspidistra stayed in service for many years run by the "Diplomatic Wireless Service" which ran many BBC World Service transmitters around the world. Many people worked on Aspidistra and some later became involved with the UK Pirate Radio scene that started in the 1960's and was due to the UK Prime Minister Harold Wilson responsible for the "Marine Offenses Act" the most draconian legislation of it's time and still stands as a stain on the UK Body Politic.

ThothMay 30, 2015 7:51 AM

@Curious
It is a known security issue to be hacked just by looking at pictures, listening to MP3, watching some videos and so on. These images contain executables that a codec processor attempts to decode and process them to usable format. Errors in these codec processors when handling these executables inherently gives rise to flaws that attackers can make good use of.

thevoidMay 30, 2015 8:34 AM

@Curious, @Thoth

while that particular exploit uses code, static pictures have been used in
the past to exploit systems thru flaws in the image viewer. off the top of
my head i seem to recall xloadimage having had such a problem in the (fairly
distant by now) past. basically you have to assume you can't trust ANYTHING.
i mitigate this myself by chrooting everything i can. some run virtual
machines. some run separate machines. you're never really safe. hardware
can be exploited which can bypass the OS/kernel, which in those cases means
you can't do anything about it.

Clive RobinsonMay 30, 2015 8:48 AM

@ Curious,

For an attack to work it needs two things,

1, The "payload" code.
2, A way for the payload to be executed on the target machine.

It's the second issue where the problem actually resides, as the "payload" code is just bits as is any other data you might chose to load.

There are two types of payload code that can be used, directly executable code and interpreted code.

Most people assume that attacks are based around directly executable code that gets loaded into memory then some vulnerability vectors the CPU Program Counter to it and the CPU then executes the code. If this were the only way to get attack code to execute there would be various ways it could be stopped such as always loading data into nonexecutable memory.

Depending on who you listen to and how they classify attacks interpreted code is the more likely form of attack these days. Very loosely interpreted code causes the CPU to vector off to existing executable code within the computer, as the attack code is interpreted in some way it does not directly execute therefore the code can be in nonexecutable memory.

For this to work the program running on the computer must have some method by which it's flow can be modified by the data it reads and this flow can be controled in some way to cause existing code to be executed.

In the case of the browser in the article this is a full blown interpreter for JavaScript. Similar issues have arisen in the past with Postscript files where the actual file to be printed is a Fourth like program. Likewise Word and Excell files.

The trick is getting the computer program to stop treating the attack file as just data but as code, once that is accomplished it's just a matter of writing the payload.

FigureitoutMay 30, 2015 10:29 AM

Thoth
I mentioned two ways to get the system
--Yeah I hear you; it's missing lots of details though of regular product development (except as we note, I can't afford to keep making costly board revisions). I want to pre-emp that as much as possible (w/ my personal projects, that means maybe upwards of a year or more of thought until I can "see out" the design and it's very feasible). And unless I get into larger embedded companies (it's my goal to someday work for one of "the big boys" and then I'll probably be talking to some of these guys and maybe they can squeeze thru some personal projects, I don't know...).

TFC-like modules should be more aggressively researched to make it much more simpler to setup
--Yeah I try to get that across to Markus but he doesn't seem to agree that it's important enough, so I'd probably have to make a "port" of TFC w/ a step-by-step manual that's 2-3X larger than the current one (he could've added pinouts for 2n3904/6's and TL082 op-amps too). Very typical of security industry too (hence remember Greenwald et. al not knowing how to use GPG, even Nick P and yourself were having some issues lol...); so this continues the circle-jerk of "they never use secure products" but it's b/c "no one knows how to properly use it" lol b/c no one tells them, even though everyone knows you were all noobs at one point (and we still all are in many aspects)...it's stupid. Studious documentation is very annoying, but it looks and feels good when it's done. And of course anyone who doesn't need the manual can simply ignore it!

Anyway, enough chatting from me for a little; we're all basically gonna have to go to work and show-and-tell since there isn't much a business model here yet and it can be easily subverted. I still want to see RF noise from the HWRNG (note that there are probably literally *thousands* of ways to make this kind of PRNG, it's not an area of study for me but I'm sure there's probably better ones) but it seems to be way below 25MHz so I'll try to get that (I even added some unnecessary antennas to it lol), then probably just do perfboard layout and shield but I bet that circuit could be laid out in a coin-sized circuit...Here's to success (cheers), I want to see many more well laid out and engineered security solutions I can build at home!

name.withheld.for.obvious.reasonsMay 30, 2015 12:20 PM

@ Clive Robinson

Similar issues have arisen in the past with Postscript files where the actual file to be printed is a Fourth like program.

Is that the 4th of July programming language or a language that is one forth interpretive? My favorite is Prolog--back tracing and recursion on par with Lisp and shares simple operator and string expressions. For performance in application space Fortran and MASM, OCCAM for parallelism, and C++ on projects that have external visibility (source level). But I have digressed, going off topic and wandering into the woods without a compass. :)

Clive RobinsonMay 30, 2015 12:27 PM

@ Figureitout,

... then probably just do perfboard layout and shield but I bet that circuit could be laid out in a coin-sized circuit...Here's to success (cheers), I want to see many more well laid out and engineered security solutions I can build at home!

The art of "home brew" boards and how to make them is a subject I could write a small book on ;-)

However these days due to the way chips come packaged you are almost forced to go direct to PCB even for "first experiment" let alone actual prototypes Ball Grid Arrays being a case in point. My solution to that for baseband circuitry was to make small double sided "fan out" PCBs which convert them to something you can atleast get a fine tip soldering iron and 40awg/tcw to. I laid them out as single sided over solid ground plane so they would be usefull upto atleast VHF, and for "dead bug" construction on plain PCB. I also made proper PCBs for standard circuit blocks like RF filters using Toko coils and likewise Op-Amps and Switched Capacitor Filters, oscillators etc in 0.6in DIL format which would drop in perf or strip board quickly and easily.

However like it or lump it you have to go down the PCB route at some point in anything other than a total "one off" and there are various ways to do it from draft it up via pen&ink and photo reduce, tape on acetate or CAD with output via laser printer or Gerber. There is even a trick with transfering the reverse image from a photocopy/laser printer output using an iron you would normaly use for doing your shirts (see home print T-shirt making) thus enabaling you to avoid photo resist.

The latest way is to "print direct" using a modified inkjet printer or if you are patient modified router table. I know someone who has modified an inkjet engine with some fancy metalwork and they have no trouble producing single sided SMD boards and BGA boards, as they have pointed out to me success is more in the ink&etch than in the printing and they "bake dry" the board and etch it whilst it's still hot.

I must admit I'm at that stage in life where getting boards made via Ali-Barba suppliers and waiting on air courier is the prefered way, especially as some charge by "standard size" not boards thus putting little prototype fan out boards etc in is effectivly zero cost.

But I must admit I still think back to my early days of "wire wrap" tripple Euro-cards with bit slice circuitry and 68K CPUs for I/O controlers, where making a circuit change could take less time than rebooting the system...

gordoMay 30, 2015 12:49 PM

C-SPAN
MAY 31, 2015
Senate Session

The Senate convenes Sunday at 4:00 p.m. ET and is expected to resume initial debate on H.R. 2048, a House-passed bill to extend expiring PATRIOT Act surveillance provisions, which would also make changes to the NSA’s bulk data collection.

Airing LIVE Sunday, May 31 4:00pm EDT on C-SPAN 2

Airing Details

May 31, 2015 | 4:00pm EDT | C-SPAN 2
Jun 01, 2015 | 12:11am EDT | C-SPAN 1
Jun 01, 2015 | 4:15am EDT | C-SPAN 1

http://www.c-span.org/video/?326227-1/us-senate-debate-nsa-surveillance

Following any Leader remarks, the Senate will resume consideration of the motion to proceed to H.R.2048, USA Freedom Act. Roll call votes are possible after 6:00pm during Sunday’s session.

https://democrats.senate.gov/2015/05/31/schedule-for-pro-forma-sessions-and-sunday-may-31-2015/

Joe KMay 30, 2015 12:53 PM

@All

The whitelist script, as posted above, contains two (identical) errors.

In this pair of lines…

then participants="$(echo -n $participant |tr A-Z\  a-z- |tr -d .)"
else participants=${participants}'\|'"$(echo -n $participant |tr A-Z\  a-z- |tr -d .)"

…there must be at least two spaces separating A-Z\ from a-z-.

@rgaff

Yeah, sorry about that. I tried to include you, but David Cameron was insistent.

@Nick P "You might want to put "Bruce Schneier" and "Moderator" on that list, though. ;)"

I'll see what can be done. Not sure the boss will approve, though.

@Thoth "Good to know good and solid technical discussions are valued here[…]"

Surely they are.

But even if they were not, to quote an underappreciated piece of Mary Shelley fan-fiction, "How can you deny that which is in your nature to give?"

Best wishes.

Clive RobinsonMay 30, 2015 1:01 PM

@ Name.Withheld...,


The PostScript family of languages --depending on who's version and for what-- are generaly an interpreted, stack-based language quite similar to Forth. However for various reasons it has strong dynamic typing and perversly data structures similar to those in Lisp (data structures is something Forth needed but did not fit in with the ethos). Although Adobe originaly designed PostScript for raster printers, it was modified by various people at various times --including Apple and Microsoft-- to work with different hardware issues. It even got modified for interactive graphics terminals most notably on the NeXT Cube and briefly Sun had NeWS before succumbing to the evil that is X11...

And yes I incorectly spelt the name Forth with the correctly spelt Fourth.... yes I hang my head in shame not ;-)

Nick PMay 30, 2015 1:13 PM

@ Curious, Thoth

I'll further say that *any* file which is processed can be malware. This includes text files. It surprised me how many answers I found in Google saying text files were immune to malware. The only risk they thought of were non-text files with a text extension that Windows would run with a different program. The reality is that many vulnerabilities have been due to poor string processing or buffer issues (eg char buffers). A text file must be untrusted as well if the editor does any sophisticated processing on it or hasn't been around a while.

Notepad... seems OK so far. I've always used it for visual inspection as it seems to do no real processing to the point that it will just load a 200MB file as text and crash due to no memory. It has no brains and hence little to target. Such simple text editors are also easy to isolate with known methods and one might use something like CCured on an open-source alternative. Might still be usable with the added overhead. Compile that with CompCert and then you'd be largely immune to malware from text files.

And that's just what it takes to secure text files with little parsing! I imagine all these other document, configuration, etc formats might be fun to get control of. Actually, we don't have to imagine. I also just learned you can embed VRML in PDF's without added functionality. Talk about bringing back good memories of trying to build a Virtual WWW while simultaneously showing me a future exploit. A slight buzzkill there.

Sidenote: The Intel MMU is Turing-Complete

Paper on computing with IOMMU traps here. Again, clever stuff I cheer on with painful implications about our infrastructure. Good example why I prefer MPU's over MMU's and also segmented architectures.

GleanMay 30, 2015 2:01 PM

@Wesley Parish

Putin's a rank amateur. Don't know how long he'll last, or how much (or little) power he'll have at the end

:-)

Ham fisted propaganda often persuades someone of the exact opposite. It can allow people to see that the propagandist is attempting to manipulate in a subverted fashion their beliefs, and so their critical and protective agencies will take over.


The best propaganda's subtle, and you don't even notice it until you've already bought it.

I definitely agree that what to look for is the 'end result'. Unfortunately, as observations on ourselves is subjective, that can be hard, at times, to detect.

Interesting observations on Tolkien and the radio station.


When people are highly focused, they are also into a highly suggestible state. But, starting, keeping, strengthening that state requires deep trust. There are natural and deeply mysterious processes at work there which are beyond the capacity for people to easily hack up. With Tolkien, like any modern writer of fiction, if their storyline already goes along with what sort of things the audience is already trusting towards, then they surely would open up to a deeply focused lower level connection there, when reading the book.

Tolkien is an especially interesting subject on this topic. Tolkien expressively disagreed with his good friend, CS Lewis, and his sort of ham fisted workings out of metaphor in the Chronicle of Narnia series.

They both expressed their deepest beliefs on paper, in a highly engaging format, but Tolkien trusted more on the same processes of his mind that create his stories of his dreams at night... whereas Lewis shied just a bit away from that.

From the late forties, to now, considerable work has been done in exploring these deeper levels of human capacities. Metaphor is well understood at being profound at communication on that deeper level of concentration. Many ins and outs of that deeper state of communication are also well understood.

But, this is also the reason it is so secure: that level of communication involves the lower level processes of the mind which speak and read an entirely different language that is deeply drenched in code... put another way, the writer their own self gets into a deeply focused state while doing their writing and out naturally comes that language. Popping out of that state to try and insert conscious propaganda actually also will pop the reader out of the state when they read it. So, which is more engaging? Tolkien's series or Lewis' series? Tolkien, of course.

I like the Lewis work, but it surely does pop one out of that deeply focused, page turning state here and there. It is an important stone in the steps that had before it the work of L Frank Baum, and before his work, the work of Charles Lutwidge Dodson.

Almost ironically, while there is, today, good understanding of that underlining technology, there is actually a lot of evidence that it is not being "exploited" for consciously malicious purposes. In nature, one can see, however, patterns of exploitation: deprivation of sleep, food can make such a state even more profound then normal. So profound, the "Stockholm Syndrome" sort of conversion can be induced. But the physical weakening of the body is meaningless without the addition of the actual manipulation of the trance state. Where can one see this? For one, in mystics, globally, for millenia, from east to west. But, it can also be seen in "Stockholm Syndrome" cases, and in "Patty Hearst" cases.

There are, however, important factors in that recipe that must be included, above all the genuine and deep motivation of the people doing it that they believe it is for the person's own, higher good.

So, that is a common denominator. Doing that kind of thing intentionally, means, as we also well know, that there will be leakage the person's higher faculties will pick up alarming them to the deception and bad intention. eg, micro expressions, etc.

In nature, this is also observed in mass movements in areas where the ideology is distinctly backwards in some strong ways from what was there before. A common denominator there is often sudden and lengthy economic conditions that lead to physical deprivation. eg, ISIS rise in Iraq, Nazi rise in Germany, Bolshevik rise in Russia, etc.

GleanMay 30, 2015 2:31 PM

Regarding 'Innocuous seeming attack routes, regarding vulnerabilities and exploitation'


The thing about image files, which have been well targeted and many vulnerabilities found over the past twenty some odd years is because they handle so much complex data. There is so much processing performed, that the coders themselves often had difficulty closing out all possible potential angles of crash or attack.

This continued on, even as understanding about memory based security vulnerabilities became well understood, and with it, the resulting security processes to tap down on exploitation. Because, ultimately, it all leads down through the spaghetti code to 'potentially vulnerable apis'. With the rise of mandated code review scanners and their increasing sophistication, finding potential areas where code might enter poorly or completely unchecked into those potentially dangerous apis became far easier.

But, not every company does this well, and quite often censoring systems can become so complex themselves they still leave error conditions possible. This is why it is 'best practice' to stick with libraries that are well peer approved for controlling data from the source to the sink, and why, in most cases, it is best to try and keep the data validation routines as clearly and simply written as possible... and as close to the potentially dangerous api calls as possible. As opposed to much further up the chain.

("Source" is parlance for potential malicious user input... "sink" is parlance for the potentially dangerous api. Between the two are the call paths, or mapped out path the data will take from the source to the sink.)

(The problem with having protection routines far from the sink is especially apparent when there might be many, many sources... and a singular sink. It can become a true mess.)

Much of the scarier attacks today, however, do rely on higher level code that is far less prone to memory exploitation attacks. Hence, the recent bug post saying "it is a vulnerability like it was 1999", an old stack based buffer overflow.

The higher level languages do, however, call into the lower level languages, and often the sink access is exposed without any native validation routines. The higher level language programmer is too distant from the problems of the past, and too unfamiliar with the native language they are calling into... and boom. It happens again.

But... higher level languages have introduced, really expanded, on the higher level exploitation methods. Because they are doing so much processing and so often doing lower level work... they are more powerful, and wherever there is more extensibility, there is more potential for that power being used against the user. These sorts of attacks are, however, difficult to detect because they often involve exploit code that is very difficult to discern between "it" and ordinary, good use case scenarios.

It is also more difficult to automate the searching for, because many of the attacks rely on "business logic". The real problem, however, is at a lower level, of higher level languages: at the continual creation of new languages, new libraries, new... apis. And with these new apis newly potentially dangerous apis, whose danger has not yet been well tested and well explored. So they never even make it to the upper level scanning chains, and rules for proper usage and potential bad usage are poorly understood.

GleanMay 30, 2015 2:48 PM

@my previous two posts, quick post-thought

Yes, the two posts are connected, because 'art does proceed from nature'. The problem is: it is ham fisted, or is it truly from nature. Coders stay up all night, some of them shell shocked with various drugs to help them reduce the pains... like writers, in a highly focused state, and like researchers, they get very good at getting very deep in that productive state. So there is no coincidence, if one considers matters from that angle, that the evolution of software and hacking proceeds along with the evolution of other communication technologies.

Finally, what I was trying to describe in the first post about the security mechanisms of the deeper state of communication is that the deeper state not just operates on a deeply "coded" mechanism which analysis often evades meaning from even those who attempt it... but it naturally performs a sort of 'turing test' on that potential incoming communication.

eg, When CS Lewis would use Aslan the Lion and make it quite obvious he was consciously screwing with the work, that will fail the 'turing test'. That test can also be considered like modern cryptography, especially public-private key, where there are sophisticated mathematics involved, and estimations about the potential for malfeasance in breaking that mathematics.

eg, when we view movies or read books, we know we might be influenced, or even may suspect that maybe someone wrote this with malicious purposes in mind. Like the conspiracy theory, "The CIA owns Hollywood". Why do we typically reject this belief? Because of the utter sophistication in the detail of the story. One can conclude the author(s) by no means consciously constructed it using deliberate malicious intent.

This is why you often "pop out of" shows or movies when you see exactly that sort of embedding through product placement. For instance, Microsoft has paid for product placement of the Windows OS in a number of shows and movies. You can see the actors making a bit of an unnecessary show about using it. Or Pepsi, or Coke, or so many other product placements which, of course, really do ruin the experience.


Nick PMay 30, 2015 3:27 PM

@ Justin

Great catch! Hence, isolation by default even for text editors.

SkepticalMay 30, 2015 5:18 PM


Quite a few comments since last -

@Benni: I have no connection whatsoever with any of the things that are discussed here, and I have no inside or classified knowledge of any kind regarding any of the things discussed here. If I did, I would not be here. It's that simple. No idea what discussion you're remembering re Germany and altering hardware.


@Nick: I did not intend to smear you by associating you with a certain individual who from time to time sends little bursts of obscenity-laden comments sprinkled with references to int'l law or an occasionally fawning remark about Putin or Russia. To the extent I did, or even carelessly appeared to do so, I apologize. I enjoy our discussions, and I value your perspective. Now, look, I am under the impression that you think the US either perpetrated 9/11 or deliberately permitted it, that demolitions were used in the WTC, etc. If I'm wrong about attributing those beliefs to you, then I'll gladly apologize again. But if you do believe that stuff, then clearly you have a very, very different view of how the world works than I do - so it's actually relevant to the discussion.

Okay, now on to the substantive stuff. All the material in italics is from Nick's earlier comment.

This was a nation that had already staged wars and smashed many Southern neighbors for money. The deals they gained through such extortion would continue.

US treatment of Latin American countries was atrocious. Of that, there is no question. And there are far worse failures and crimes in US history.

But nations change, and are capable of progress. In some ways, the story of the US is one in which the tensions between its principles and aspirations, and its actual conduct and policies, were confronted and, imperfectly, always imperfectly, improved. The US is a nation that began its formal existence by declaring that all men are created equal - even while upholding the practice of slavery. That tension was so enormous that even the original framers of the US Constitution foresaw a day of reckoning, and it required the Civil War to end the practice, and generations of work after to remedy its effects.

In another century, the US and Mexico fought wars against one another. In this century, they cooperate on military matters, and on many other things as well.

And of course, more recently, we've seen the dramatic steps forward in the relationship between Cuba and the United States - steps which shall continue.

As to the Cold War, the US made some bad decisions, and implemented some bad policies, during that time. It very actively participated in the coup in Iran, and it undertook covert actions in Guatemala and and elsewhere. It sometimes provided military assistance to repressive regimes, when those regimes were seen as obstacles to enemies of the US.

Of course that's only part of the story - actually a very small part of the story. The US also staked its very existence on the defense of democratic nations in Europe. It helped rebuild West Germany and Japan as independent, democratic nations - not vassal states, not as vanquished enemies to be punished. It provided the protection necessary for South Korea to evolve into a prosperous democracy, rather than the fiefdom of a Soviet supported dictator.

Even in the worst of its mistakes today, the US generally aims for the right outcome. The Iraq War was a mistake. But the US didn't attempt to install a dictator; it didn't claim Iraqi oil as a prize. Instead it poured more people into Iraq in an effort to actually enable a democratic government. During the occupation it actually held elections, and fought - and died - to ensure they occurred. It honored the results, even when the winner was clearly in Iran's pocket and a likely disaster for any hope of a unified Iraq. And when asked, it withdrew its forces.

I can find fault with many aspects of what the US did. And I have. But it has nothing to do with imperialism. Your view of US foreign policy belongs to a different century. Trying to understand the Iraq War with a theory that the US wanted to control Iraqi oil, or trying to understand US policy in Eastern Europe with a theory that the US wants to control natural gas deposits, is like trying to understand Putin's foreign policy by reading Marx.

So, Skeptical, these things are not merely chapters in the past: they're the M.O. of imperialist America the continues to appear in new forms and with little consequence.

South Korea, Japan, the Philippines, Latvia, Lithuania, Estonia, Poland, Germany, Norway, and many others, are all independent democracies Nick. Their independence, and their security, rest upon American military power and American commitment to their defense. They know that the existence of an America military base, or an American military unit, does not mean the loss of their independence. It guarantees that independence.

And today, as China claims 80% of the South China Sea as its own and has begun to militarize it, as Russia threatens to move nuclear weapons into Crimea and continues its attempt to intimidate Eastern Europe, as the Middle East moves closer to a nuclear arms race, American power in the world becomes even more important. It is important not only to American security, but to the security of a great many democratic nations across the world.

So, to turn back to the question, do I think that anyone should feel the least bit hesitant about serving the US military or intelligence agencies? Unless you're a pacifist, then no.

Quite frankly, the better intelligence that the US is able to obtain from efforts in the cyber-domain, and the better protection that the US is able to provide in the cyber-domain, the less chance of actual war, and the better chance for a truly free and progressive planet. And that applies from the micro-scale - how accurately can the US target ISIS leadership - to the macro-scale - how accurately can the US understand China's, or Russia's, true intentions.

tyrMay 30, 2015 6:35 PM

@Glean

One point about Tolkein and Lewis the great war (WW1) did
massive psych damage to them and their generation. In the
same way Hitler was effected by being blinded by poison
gas in the same conflict. It is very stylish these days
to assume the now we live in has no connections to the
past. The past forged the now we live in. These days you
hear crap about moving forward and seeking closure as if
by wishing it away the past would be banished. Good luck
with that.

My favorite Putin propaganda is him riding a Grizzly bear,
it is the image every leader wishes he had with the public.

@Clive

Keep an eye out for Catalina Diamond she wants everybody
to work for understanding, probably a subtle form of the
art of propaganda. I'm not voting for Stross or his band
of minions after reading that thread.

I watched what Ang Cui managed to do a couple of times on
video, at that point I knew that the capability and layered
complexity of the modern tech made securing it almost an
impossible task. Narrowing the attack surface is the only
real solution that stands a chance. I've still got my
wirewrap tools but have no great desire to see it make a
comeback. I'm an advocate of simple, while the added on
capability has benefits, simple text encoded in ASCII
has done a lot without all the add-ons. Might be nostalgia
for highly capable OS that fits in 3K and you could
secure it if you wanted to. The browser as bloated
interpreter is the worst possible model to use for the
attack surface of choice exposed to the Net. Far too much
wrong with that idea. I imagine that at some point the
Net will be abandoned in favour of a better system that
gets built on endpoint P2P total encryption. How to get
the keys physically delivered is the only real obstacle
at this point.

It is worth thinking about.

Clive RobinsonMay 30, 2015 7:53 PM

@ tyr,

I imagine that at some point the Net will be abandoned in favour of a better system that gets built on endpoint P2P total encryption. How to get the keys physically delivered is the only real obstacle at this point.

As I mentioned the other day, the secure KeyMat problem and the secure UpDate/ Patch Managment problem are the biggest unsolved issues we have facing us currently. If you solve one then you will probably solve the other.

Currently all KeyMat managment systems revolve around an out of band side channel and trust in the non exposure / coruption of credentials to/by an adversary. Neither is reliable and certainly will not work for a p2p network where there can be no out of band side channels...

Currently we don't have a solution nor has anyone indicated there is a theoretical way it might be achieved. However the same was true in the past for both asymetric key systems and DH(M) key exchange systems, so I'm not saying it's not possible just "currently unknown".

Nick PMay 30, 2015 8:26 PM

@ tyr

Reading this article, my favorite quote among all the entertainment was this line:

"The story is so fantastic it doesn't matter whether it's true or not. If it's true it's better than our politicians, who are decidedly less accurate with guns. And if it's a lie then it's still a better story than any of our politicians can muster, and certainly more comforting. Realizing you're in the capable hands of a man who defeats tigers in his spare time is reassuring. Hell, it's practically an honor to have your country dominated by a man like that. "

U.S. politicians' images are truly lame compared to his. He plays every angle. If our politicians are going to be dirty, I'd at least like to have their back on occasion saying "Hell yeah, I can't believe he did that. Maybe he didn't because it was so awesome. Or maybe he did. Who knows!" I'd like to be proud and amazed of them at least once a year. Just doesn't (or rarely) happens. The Russians seem to have a monopoly on that stuff.

Since Roosevelt, at least. ;)

Nick PMay 30, 2015 8:59 PM

@ tyr

"Might be nostalgia for highly capable OS that fits in 3K and you could secure it if you wanted to."

What OS was that and what could it actually do compared to a modern OS? I think anything really usable and modern will be measured in mega- even if we trim the fat. So, the trick will be using subversion-resistant development processes I've outlined along with inherently safe/secure software and hardware platforms. Basically, it has to be as easy as possible to get it right. I'd also say the most trusted, low-level layers should be implemented and reviewed by experts.

BuckMay 30, 2015 10:06 PM

@Nick P

What OS was that and what could it actually do compared to a modern OS? I think anything really usable and modern will be measured in mega- even if we trim the fat.
Multimedia web-browsing aside, I'd suspect much of the bloat is directly attributable to the plug-and-play mentality... I doubt it would hamper ease-of-use too much by asking "Which device are you trying to use?" before loading up the necessary modules. Though I suppose, the tricky part is probably doing so in such a way that requires real human input, not easily faked by malware (and/or social engineering -- i.e.: call from tech support, fake dialogs, 'marketing'). Have you spent some time to properly weigh the pros and cons of easy use vs. user education?

GleanMay 30, 2015 10:06 PM

@tyr

The past forged the now we live in. These days you hear crap about moving forward and seeking closure as if by wishing it away the past would be banished. Good luck with that.

Yes, my point is there are both points of rot which continues to get worse, but there are also beneficial structures that are built upon. I am a believer in those beneficial purposes, but I am alarmed at the rot. However, I do see purposes for the rot, and ultimately see how they actually benefit the beneficial forces.

I do think people should strive to see as clearly as possible both.

This subject, from another level, I was considering yesterday, reading ForeignPolicy and the Atlantic on issues like "China's actions in the South Seas" and "ISIS". (Russia is not coming up much at all these days). I found it interesting how most of these articles seemed to express at first a realization of the seriousness of the troubles - which bothered me - but then how most of them also led into warnings and dismissals of hawk belief systems pointing out just how bad the failure was with these exact leanings via the Iraq War leadup. Which refreshed me.

Hitler, from what I was saying, effectively was able to communicate his deeply felt and focus created psychosis to his nation due to the bad situation his nation found its' self in at the time. While I am sure Lewis and Tolkien had various adversities in their lives, they would have been unfortunate if they did not, I do not and have not detected any true malicious bearings in their fictional writings. I do find them beneficial, but they are also very old tech. The tech today is far superior.

But the tech today is built on the tech of the past.

Heck, I even well enjoyed this past year many hours in the virtual world of 'Shadows of Mordor', and have over the years spent undue amount of time in World of Warcraft, the later which is deeply influenced by Tolkien. And I do see that manner of experience as distinctly beneficial. Explaining 'how' and 'why' is difficult and time consuming, though I would be surprised if anyone did not sense that on some deep level.

As for really getting down into dissecting underlining meanings from deeply written fiction, and attempting to find some manner of malicious force underlining it, that is surely possible but exceedingly difficult to do. I do believe, however, for people who are so inclined, it is, of course, like anything, not difficult to do. But, I simply am absent of being able to find anything I find as truly malicious in well worked fiction, anymore then I can find in poring over dreams and dream analysis.

Where the fucks up and psychoses are dangerous are in the more conscious level.

Orwell had a bad time of it all, and he came out with some incredibly profound fiction. Animal Farm was a bit overwrought, but 1984 is mesmerizing, and pure.

Likewise, Kafka, though I am not as big of a fan of his, but from the distance his symbolisms have effected later works, like Brazil.

It is true, I typically do not pay much mind, however, to works like L Rob Hubbards, and in horror, I generally am looking for something conscious raising, as in anything else. I am sure that sex dreams and other dreams of little import and much entropy have as little meaning to them as they seem, but then, people almost never wonder about the meaning of dim dreams or dreams that appear to have no import.

BuckMay 30, 2015 10:32 PM

@Glean

Orwell had a bad time of it all, and he came out with some incredibly profound fiction. Animal Farm was a bit overwrought, but 1984 is mesmerizing, and pure.
All I see are Wells' Eloi & Morlocks... :-\

GleanMay 30, 2015 10:47 PM

@Buck

All I see are Wells' Eloi & Morlocks... :-\

Ah, pbbht, heh. :-)

Yeah... well, that one was something else. I made the bad mistake, probably, of once listening to it on tape when I was very young, while kind of dozing off... probably morphed into some kind of monstrosity in my unconscious.

"The future" stories are, of course, a way of communicating experientially messages of both promise and warning. So they give us capacity, cognition, to change course from bad directions and keep that hand held firmly on the wheel away from troubles, as we may already be doing.

As opposed to "this will happen and there is nothing you can do about it" type future stories. Those do exist... but for reasons of authentication. Telling them apart from warning future stories is near impossible. One should always assume and at least attempt to believe there are two roads. And choose the better one.

As for blissfully beautiful, innocent people being eaten by monsters at the beck and helm of an even more grotesque class of psychic maniacs.... well, heh, just really not happening.

Won't say there are not psychic monsters. There may be. I won't say there are not the pure, there are. Definitely can not say there are no instinctual only driven cannibals. And will not say those psychic monsters may not eat them. But, I do not believe they eat the pure and the poor.

BuckMay 30, 2015 11:24 PM

@Glean

But, I do not believe they eat the pure and the poor.
Maybe from where you're standing, but that's not how I've seen it... I honestly hope the future proves me wrong, but what are we waiting for!?

GleanMay 31, 2015 12:01 AM

@Buck

Maybe from where you're standing, but that's not how I've seen it...

I mean in the 'ultimate scheme of things'. I mean in *intention* and in *nature*. I can not, consciously, with my limited physical construct, for instance, operate by 'a means to an end'. I can not assume I am so smart nor so capable, that I am so knowledgeable. What I can observe, or try and observe, is the underlining patterns in "nature" or "the universe", however. And, from my findings, it is not some vast "virtual reality" where we are appetizers for multidimensional beings far beyond form.

Well, not exactly.

There is error, inherent, in our limited form, just as there is error inherent in our world of limitations. (And this is the definition of ourselves and the world, superficially.) That error does operate as a sort of food. We ourselves see it anytime we watch a good revenge movie. We see it when assholes get their comeuppance and we delight in it. We see it when little children learn something positive, when the sick get better, when someone who was very sad suddenly becomes very happy. So we know it is there. And it is better and bigger then us. And it is also "a thing". A substance of power.

You can either have hope or no hope. I believe it is most wise to have hope. And to see that the beneficial powers are logically the highest powers. That death is as being in a dream without being aware it is a dream, and that there is a form of life that is far more then the life we now know.

So, no, I do not view the extremely rare pure to be at the bottom end of things. Even if they might suffer, and even die. While the very impure causing the suffering and get much wealth and seeming happiness.

I honestly hope the future proves me wrong, but what are we waiting for!?

I am very much enjoying matters as they are playing out. If anything, I am savoring the now as it is, and there is always much to do and understand.

It is always nice to "get there", but when one knows one is "on the way", then, is a time to savor the moment.

Can't say how many times I have looked back at periods of starvation in my life, and then the next period of joy... where in the period of starvation, I did not see the trend and appreciate more fully that time for what it was. To have a kind of personal funeral and celebration for the future.

But, the world has so very much going on. So very many moving pieces. So much that has to be in place. Very, very big machines turn very, very slowly. The clockwork, while painfully close to midnight, each and every moment, each detail, is definitely something to be savored while it remains.


BuckMay 31, 2015 12:23 AM

@Glean

I think I have a grasp of what you're hinting at... We've had similar meta-conversations in the recent past, but I'll need more subconscious thought time to put my ideas into further text.

GleanMay 31, 2015 1:22 AM

@Buck

I think I have a grasp of what you're hinting at... We've had similar meta-conversations in the recent past, but I'll need more subconscious thought time to put my ideas into further text.

This kind of conversation does not much fit here, here is my url for the future:
http://cloudexplorations.tumblr.com/

GleanMay 31, 2015 1:31 AM

@Buck

Oh, and I do want to hear your ideas, when you process matters. It is easy for one tumblr user to contact another from there, and I will probably put up a nym email contact. I am in a phase of research where I find, for myself, I really have to write stuff out. But, this is getting too far away from privacy, encryption, or computer security issues to really justify posting much here.

Clive RobinsonMay 31, 2015 2:41 AM

@ Nick P, tyr,

Speaking of sites you might enjoy reading...

This one blends fact and fantasy interpretation to the point Sefton Delmer would have been proud of,

http://20committee.com/

A historical note : The '20 Committee' was a British organisation during WWII, it gets it's name from a silly school boy type observation/joke (which I've mentioned before was rife in the UK ICs atleast untill the 1990's). If you write 20 in Roman numerals you get XX which could be read as cross cross or 'Double Cross' which was what the committee was in charge of. That is providing faux but believable information to the enemy, to cause them to waste resources or deploy them incorrectly, which amongst other things included Sefton Delmer's "Black Propaganda", which in many ways gave rise to MKULTRA and COINTELPRO, and other illegal / questionable activities by US Gov agencies, where those without real restraint believed "the end justified the means", which sadly we still see today.

tyrMay 31, 2015 3:04 AM


That 3K OS was CP/M with a zcpr3 user interface. The limited
storage size and speed made it a disk thrash monster for any
serious work.

Most of those problems have been solved today because of the
storage advances. You'd have to give up the fancy colored
pop-ups for the screen and go back to real memory mapped
display. Bear in mind this was with a 2K CPU clock speed.
Cut over to modern silicon speeds and it might be a lot
more useful. As near as I can determine from a distance a
lot of the modern speed-ups are because of the bloated
nature of the way things are done. I haven't looked lately
but someone might be running an RPG2 emulator on modern iron.

We used to some fairly intensive real time process control
wth a multi-processor system using 1K clocked CPUs that
talked to each other via memory mapping during cycle
stealing events. The security problems were still the
same as now. But there wasn't much devoted to them just
simple passwords and crossed fingers. Everybody thought
that their own scheme was safe using public record stuff
easy to remember and the arguments are still going on.

@Glean
Some of the saddest film I have ever seen was a movie of
British troops marching up to the battle of the Somme.
That was one event that distorted Lewis and Tolkein.
WW1 generated some horrible propaganda at the time and
that is still being reported as the whole truth. Not much
room left for any possible alternate view.

Personally I'd like to see the goalposts moved ahead at
least a century so that all can see where we are supposed
to be trying to go. The idea that the next fiscal quarter
is the limits to planning is ridiculous.

BoppingAroundMay 31, 2015 9:37 AM

Off-topic, re: fiction

I've had some free time I decided to spend on re-reading Wilson's Eye in the Pyramid. It had been entertaining until I stumbled upon the following excerpt:

"For instance, if the Illuminati control America already, what's the purpose of the assassinations?"

"Their grip on Washington is still pretty precarious. They've been able to socialize the economy. But if they showed their hand now and went totalitarian all the way, there would be a revolution. Middle- readers would rise up with right-wingers, and left- libertarians, and the Illuminati aren't powerful enough to withstand that kind of massive revolution. But they can rule by fraud, and by fraud eventually acquire access to the tools they need to finish the job of killing off the Constitution."

"What sort of tools?"

"More stringent security measures. Universal electronic surveillance. No -knock laws. Stop and frisk laws. Government inspection of first-class mail. Automatic fingerprinting, photographing, blood tests, and urinalysis of any person arrested before he is charged with a crime. A law making it unlawful to resist even unlawful arrest. Laws establishing detention camps for potential subversives. Gun control laws. Restrictions on travel. The assassinations, you see, establish the need for such laws in the public mind. Instead of realizing that there is a conspiracy, conducted by a handful of men, the people reason— or are manipulated into reasoning— that the entire populace must have its freedom restricted in order to protect the leaders. The people agree that they themselves can't be trusted.

.. line break for readability ..

Targets for assassination will be mavericks of left or right who are either not part of the Illuminati conspiracy or have been marked as unreliable. The Kennedy brothers and Martin Luther King, for example, were capable of mobilizing a somewhat libertarian left-right-black-white populist movement. But the assassinations that have occurred so far are nothing compared to what will take place. The next wave will be carried out by the Mafia, who will be paid in Illuminati gold."

"Not Moscow gold," said George with a smile.

"The puppets in the Kremlin have no idea that they and the puppets in the White House are working for the same people. The Illuminati control all sorts of organizations and national governments without any of them being aware that others are also controlled. Each group thinks it is competing with the others, while actually each is playing its part in the Illuminati plan. Even the Morituri— the six-person affinity groups which splintered from the SDS Weathermen, because the Weathermen seemed too cautious— are under the control of the Illuminati. They think they're working to bring down the government, but actually they are strengthening its hand. The Black Panthers are also infiltrated. Everything is infiltrated. At present rate, within the next few years the Illuminati will have the American people under tighter surveillance than Hitler had the Germans. And the beauty of it is, the majority of the Americans will have been so frightened by Illuminati-backed terrorist incidents that they will beg to be controlled as a masochist begs for the whip."

Perhaps I did not notice this excerpt when I was reading the novel for the first time (when was that, like 10 years ago?). Yet, taking out the Illuminati parts (which I cannot ascertain how true or false they are for now), it would seem to be a keen observation of current, then-future trends from the beginning of 70s. Would, as the ideas generally came from 'paranoid rants about imagined conspiracies' sent to Playboy magazine, and the novel being written on premise as if 'all these nuts were right'. OTOH, perhaps the trends were evident back then already.

Ain't so funny it seems now.

Clive RobinsonMay 31, 2015 11:17 AM

Is NKorea the "new China" when talking of APT?

http://www.bbc.com/news/technology-32925495

I would say that Prof Kim is over egging the pudding in several ways both in supposed man power and it's supposed costs, and the rest of the story does not hang together to well. After all if as he claims the NK Cyber troops are outside of NK in China, then what would disconnecting NK from the Internet do?

Whilst I don't doubt NK is working on Stuxnet, as they were one of the likely targets and clearly demonstrated that they knew that. The whole NK - SK cyber attack idea and statments have obvious flaws.

The main point being "Why would China let NK cyber troops operate from within it's borders and give technical support etc?" After all China has it's own cyber troops, and there would be a danger of the two sets of troops treading on each others toes.

The only obvious reason is the US Pacific Fleet in the South China Seas, and China appears to be dealing with that issue the way they want to with little let or hinderance from the US.

Further if NK cyber troops are working from within other states borders, it very much weakens the argument NK was behind the SPE attack.

Time to get out the "lazy boy" chairs make a sack of pop-corn, kick back and watch the show, and see if we can guess the plot line before it unfolds ;-)

Clive RobinsonMay 31, 2015 11:35 AM

Are American's realy getting it wrong on crime risk?

http://www.theregister.co.uk/2014/10/22/americans_more_afraid_of_identity_theft_that_getting_killed_in_a_shooting/

Apart from fearing ID theft more than Gun Crime, American Citizens appear to not have an understanding of what US crime stats say. This appears to be in part due to media and other FUD caused by talking up what are realy very very low risks for the average American, whilst not talking about more likely risks that can be mitigated relativly cheaply.

Clive RobinsonMay 31, 2015 12:24 PM

Is Coursera killing Open MOOCs?

https://courserajunkie.wordpress.com/2015/05/26/courseras-free-statements-of-accomplisments-die-a-quiet-death/

It would appear that Coursera are killing of the "Honor Code" path on MOOCs and faorcing people down the "surveillance on your system with no security" path.

Worse for those that do these courses from Android and other Smart Phones, they will nolonger be allowed to.

Maybe it's time to "Dump Coursera PDQ" so they get the message loud and clear...

Clive RobinsonMay 31, 2015 12:35 PM

@ Nick P,

One of the only benifts of being "bed ridden" --due to nasty chest infection and other nasties-- is browsing the web.

The following page nearly caused me to choke when chuckling at Lego's dilemma turned to wracking cough,

http://www.exquisitetweets.com/tweets?eids=SOlZp2L8I8.SOl4CsO6YC.SOmhNAiuES.SOmlJ2T2Gq.SOmpjeGn1w.SOmwta15gX.SOmB4207kO.SOmJPgkOFU.SOmOl1j08a.SOmW0jPTRA.SOm72fKFfE.SOncwNl2SP.SOnlkgH05k.SOntnuAhGw.SOqg0uZR8K.SOqkXGJtbU.SOqrXBJruS

Hopefully it will only make you chuckle.

GleanMay 31, 2015 1:19 PM

@tyr

Some of the saddest film I have ever seen was a movie of British troops marching up to the battle of the Somme. That was one event that distorted Lewis and Tolkein. WW1 generated some horrible propaganda at the time and that is still being reported as the whole truth. Not much room left for any possible alternate view.

I am struggling a bit to see where you are coming from. What first comes to mind is maybe the whole heroic adversary strong concept in both the Chronicles of Narnia and Tolkein series are its' self a sort of darkness, propaganda... as maybe people can be badly influenced by thinking in that "us vs them" glasses.

Or maybe people could step away from the books and look at the history, and quickly place the filter of the fiction over the history they experienced. And so, without realizing it, instantly seeing Germany as all bad and Britain as all good.

Maybe, on an even worse level, people could end up seeing their enemies as monsters and "total evil", instead of listening to them, seeing them as people. Not depersonalizing them.

But, there was evil during the time, and there is evil now. Call it whatever one wants. I don't really focus on any of that, my own self. I view it as part of the evolution of society which has self-correction points. German culture, I view, as having at quarters and points tremendous good, for instance, in the arts, in the philosophies... in the sciences. But there was a corruption there, as there was very visible today in all the cultures of the time.

Still, I think one can overly focus on the experiential message of "fighting some distant, monsterous wrong". For me, Narnia is interesting for the concept of the angle of pushing through the coats and cloaks into another world (thereby challenging the 'reality is all real' angle). Tolkien has many points of interest to me, but a major one is the ring that makes you invisible, and the power of that being so intense that it is corrupting. All one wants to do is be invisible. One, if one is invisible, can do anything.

Historically, I do see a lot of wrong in that time in Britain, and not a little bit the warmongering against Germany. But it was also the colonial superpower... and was just starting to get to have some level of rights for people not in the upper stratosphere of society...

I am not the sort, however, to go "that evil was specifically German" or "British" or whatever. I view that sort of thing as specifically human.

And frankly, like in this current series of disasters, Germany is the good guy, to some degree, though that they even did agree to spy on so many other friendly countries is deeply troublesome. Why were they spying on Belgium? Why were they spying on corporations of so many European countries with the NSA? That reeks of bullshit. Especially when the excuse is given is "terrorism", seriously, WTF? How is spying on major European industries being spying for "terrorism"?? How do people say that and others buy it without feeling sick to their stomachs?

But they are investigating and hopefully will be continuing to do so. They did make it public. And Merkel does seem really pissed that she was hacked like that, as she should.


Personally I'd like to see the goalposts moved ahead at least a century so that all can see where we are supposed to be trying to go. The idea that the next fiscal quarter is the limits to planning is ridiculous.

I do not view humankind (I do not say "mankind" as I view that as sexist), as being in charge. I view them as asleep. So, I do not view them as being in control or even having "free will". Anymore then we are awake when we are dreaming or have free will while we are dreaming. Sure, our unconscious controls us and out events. But if we are our unconscious, then we are still asleep. As we do not know we are.

canaryMay 31, 2015 1:26 PM

No new Friday Squid Post? Oh noes! This is your canary warning....

BoppingAroundMay 31, 2015 4:27 PM

Glean,
Then what's the wake-up recipe, if you have one?

(Been picking a lot of 'free will deniers' signals for several months. Did anything specific happen to trigger this wave or is it just another flaw of my perceptions?)

GleanMay 31, 2015 6:29 PM

@BoppingAround

Then what's the wake-up recipe, if you have one?

The unconscious is in control of that. What people can do, if they are interested, is try and peer behind the scenes. Where "people" is our conscious selves, mind. It can be useful to be ahead of the curve. That can prepare you.

It is the unconscious which ultimately leads us. It is kind of interesting in the context of this forum, because this model means that there is effectively a 'secret society', and 'secret selves' and that right under our own noses. It means the 'conspiracy' is us.

There is our conscious self, which is full of our little quirks and regionalism. We like certain sports, certain shows, movies, wear certain clothes, work in certain areas, have a long list of preferences and biases.

Then, there is our unconscious self, which really is in control of everything. It speaks and hears from others unconscious selves. It is a foreign language. Unconscious selves speak code through conscious selves, so conscious selves do not even hear any of it. They have their own thinking patterns, goals, and aspirations, and are free of all the many restraints our own conscious selves are covered with.

One can even think of it like a model of alien beings on top of us, walking us around, allowing us to have our illusions of 'free will' and other safe niceties. Of course, they are not literally alien, but us.

This is a model, and just that. I have picked this up over the decades from working out what my unconscious has made available to my conscious, and what others unconscious have made to my conscious. But, it is also clear that there is much more beyond that model... however, I do believe it is a very good 'first step' model.

I do believe more strange stuff then this. That there is a 'collective unconscious', for instance, only that is usually really more about individual's own unconscious' speaking to each other. They even get us to group up and create sort of 'let us tell this to everyone else's unconscious' via fictional media, mostly. That is they have their own groups and their own organizations and their own methods of getting us altogether, and their own methods of getting out wide messages.

But, there is also what appears to be along the lines of the more original concept of the 'collective unconscious', which shows that there is a master unconscious - really, a better term there gets into 'a master reality and a master self' - that is of its' own substance like the substance of the mind.

And there are beings of that immaterial place, and that immaterial place can speak to us and materialize whatever is necessary to 'wake people up'.

That is, however, something that should be considered on apocalyptic terms, and extremely traumatic.

(Been picking a lot of 'free will deniers' signals for several months. Did anything specific happen to trigger this wave or is it just another flaw of my perceptions?)

I say there is a 'paradox of the appearance of free will'. My views have not changed there much over the years. This recent statement, however, does surprise me. For me, I look at it (as if someone else wrote it), and am contemplating it.

I think it is conceited to believe we know everything even about our own selves. So much in life is not a choice. You go to a restaurant, order what you want. Maybe there is real freedom there. It can feel like it. Even if you always order in at least the same kind of way.

Maybe you are with someone new and want to order in a different kind of way.

I am free to do all sorts of things I like to do, and study all sorts of things I like to study. But get real. It is like a parent who sets you up with a fetching spouse they know you can not resist.

Usually when I talk to people who don't see themselves as this way, I hear about how they made and make all the right choices. Because they are so superior, morally, and intellectually. And how all Those Others do not. And how they should be condemned, because if they were smarter and more moral, they would make the same choices.

Maybe that is not how it is. Maybe I just keep running into that scenario to impress me on the "truth" of it.

Maybe we like to say we are free, or some do, to argue that ... well, something else. But if someone is free, then what is to worry. Go and fly about and do what one wants to, because there is no unconscious mind actually guiding you about like a spy who doesn't even know they are a spy. It is all conscious, everything is really well understood. Actually, I am not really sure what that thought process is... because I can not recall ever having it.

From people I talk to, it is always in context of "those other bad people".

It sounds like you have a context of that which I am not familiar with.

Nick PMay 31, 2015 9:37 PM

@ tyr

Ah, CP/M. That OS fit in 3K because it barely did anything. Although, it was impressive what they did with 3k. If you like those, check out this 8-bit OS if you haven't seen it. Uses some extra memory but they go *really* far with it for an 8-bit.

@ Clive Robinson

"One of the only benifts of being "bed ridden" --due to nasty chest infection and other nasties-- is browsing the web."

You know they install it in homes now, too? You don't have to keep getting yourself sick just to browse the web. :P

re 20 committee

THAT is an interesting site. My first reaction was "a lot of talk and little evidence backing it up." Let's trust the guys intuition to back *almost everything he says*. Looking at the Snowden section shows his true colors. He first is sure of the Beijing connection. Then, clearly it's a Russian operation. He goes all righteous anger on Snowden for his foreign leaks: the traitor that did so much damage to our operations and deserves the most severe punishment. Yet, he barely touches the wrongdoing Snowden revealed, doesn't call for severe punishment for *those* offenders in those articles, implies reforms were just around the corner thanks to people like him, and blames Snowden's leaks for *those* failures too. You'd think this guy was or is in U.S. intelligence.

Oh wait, he was. Is? You never leave. :)

Note: I did like how he caught that Snowden said "the NSA" and said "Nobody says "the" in front of NSA." Reminds me of similar thing in The Good Shepherd, that semi-disinformation film CIA loves. I've seen them do both yet his accusation was easily countered: Snowden was *not* NSA but received tasking from them. Of course he wouldn't talk like an insider. A counter-intelligence "pro" like this guy should know that.

re The Dick Hunters

Man, that was hilarious. I showed it to a bunch of people lol. I could imagine all kinds of trouble coming from that job description. I'd put LEGO Dick Hunter on my tax return. IRS auditor would show up asking if I was in the male pornography industry and what it had to do with LEGO's. I'd tell them "No, I just do it in a popular children's game for their safety. I show up in their world looking for dicks that shouldn't be there." FBI shows up. I explain I was taken out of context: I merely try to stop children online from seeing dicks by... comparing everything they build to a dick. I show the FBI videos of the dicks we found and the kids building them along with us taking them down. Conversation gets more awkward by the time it gets to my boss. After seeing our massive unit (err division) working hard, the FBI realizes there's no harm and heads home having learned a few new tricks of their own.

After it all passes, I decide I'll just write "quality assurance" on my tax return next year. Assuming I still have the job.

BoppingAroundJune 1, 2015 4:39 PM

Glean,
Not the context of 'those other bad people'. It is just as if suddenly a lot of similar signals started to pop here and there, and these signals were about there is no free will or the free will being an illusion.

I have witnessed people getting 'infected' with ideas several times. When someone bestows such an idea, whether through a blog, an article, whatever, and his 'followers' start to spread it. I noted it being mindless to an extent, perhaps even mindless in its essence, a bit too often that it should have been.

My question thereby is more of whether there is some influential will behind these 'signals' that nudged them to appear; whether it's mindful or mindless; and finally if my perceptions did a poor service to me.

I suspect the answer to the latter question is positive. Perhaps something had triggered my attention therefore enabling it to see what it could not (or did not want to) see before.

GleanJune 1, 2015 8:58 PM

@BoppingAround

My question thereby is more of whether there is some influential will behind these 'signals' that nudged them to appear; whether it's mindful or mindless; and finally if my perceptions did a poor service to me.
I suspect the answer to the latter question is positive. Perhaps something had triggered my attention therefore enabling it to see what it could not (or did not want to) see before.

It is just how we operate as human beings. Usually, these sorts of situations are kept encoded. Because that is the language the unconscious mind speaks and listens to. It does not want the conscious mind to know what it is doing. No joke. One reason is literally for security: if people can get direct suggestions to the unconscious in such a manner without the hoops of encoding the unconscious mind demands for reception, then they could totally fuck up everything. (As fucked up as things may appear, 'everything is under controls'.)

Granted, these are just words... "unconscious mind", "conscious mind", "unconscious self", "conscious self", and they are deceptive. But the model is very sound, even if it is not - is actually far - from the whole truth.

For instance, if the unconscious mind is the part of which which really understands everything going on, and the unconscious mind is the part of us which is controlling us beyond our own knowledge (usually)... then isn't the unconscious mind the conscious one of the two? And then isn't it the conscious mind which is the one which is really unconscious? Lol. (But I am serious...)

Still, for all practical effects because "it" is unconscious to our conscious mind and we consciously operate in our conscious mind... we call our conscious mind the "conscious" one, and our "unconscious" mind, the unconscious one.

FYI, just noticed a new Netflix show which kind of gets into some of this stuff coming out June 5... Sense8, and no less, by the Wachowskis...

(Then again, do note, that many cinema shows get into this stuff.... cinema is a preferred type of communication between unconscious minds... much more powerful then even books or other forms of art... but this "strain" of cinema, is specifically designed for the unconscious to be able to take more control by giving, paradoxically it sounds, to the conscious.)

And what would trigger your *conscious* attention in this sort of scenario is exactly your unconscious mind. Your unconscious mind is "the one" who gives you those cues, puts you in "moments of realization", and generally guides you.

I mean, this strain is towards the "wake up" call. It has been going on for years now, and I have noticed the trend greatly exploding. It started very slowly way back in the 19th century... and then started to explode in a near exponential way from the late 60s to today.

Upside down pyramid type progression.

So, for those attracted to 'mind bending' cinema, art, alternative culture, philosophy, cutting edge sci-fi, and so on... they will tend to be near the front seat of the action.

It is the backdoor entrance. Not whatever varieties of "front door" entrance everyone else expects.

"Front door" entrance scenarios... are all reeking of "conscious mind" interference. Again, here is the conscious mind's approach to art: "Hey, so, for fifty thou, can I put into your show a product placement for my company's product?" It is crap. They are sidelined.

As for "conscious mind" "bad looks" or whatever, entirely irrelevant. We are not our conscious mind anyway, so how we appear to some zealot legalist does not matter in the slightest. It is who we are, underneath, that matters.


'Dressed in red/ to fit right in'...

The unconscious mind is *all* about disguise. It has to be. To avoid people from screwing everything up.

Granted... Bit of a bigger picture there on the "disguise" angle... as we ourselves are "something else", disguised to fit in.


GleanJune 1, 2015 9:18 PM

@BoppingAround

Oh, and this, I did not address directly, but it well deserves it:

My question thereby is more of whether there is some influential will behind these 'signals' that nudged them to appear; whether it's mindful or mindless; and finally if my perceptions did a poor service to me.

It is people at their smartest, if not even much smarter then their conscious self.

People's unconscious minds literally pick up on hidden cues in many formats. There also seems to be a sort of 'timed release' behavior. So, for instance, they could be receiving messages for years, such as through popular culture, but then certain messages start to come along which, in synchronicity, tell them all to start saying or doing a specific new message. It is really rather elaborate.

Or, put another way, they have been getting trained for years, and then there is a certain juncture where they are about to be 'good to go'.

Music, fiction, fictional shows, fictional movies, but also through the non-fictional mediums. Just the more interesting stuff does not tend to be there, but it is cued in as well.

On "people at their smartest", and I mean by there raw smarts. Apart from knowledge. For instance, my kids have not read the thousands and thousands of books I have read. Nor had the decades of impactful experience I have had. But, damned, if there are not plenty of times they can outsmart me anyway. They are not smarter then me. But they are as smart as me.

My advantage on experience, patience, knowledge gives me enough control. But, I do not even try to fight many battles.

gordoJune 1, 2015 10:22 PM

A guide through Senate amendments to the USA FREEDOM Act
Mike Godwin and Nathan Leamer | R Street | JUNE 1, 2015

As most anyone interested now knows, Congress last night now allowed Section 215 of the PATRIOT Act to sunset. This expiration appears to be a short-lived symbolic victory for privacy advocates, as the Senate is poised to move forward to restart the programs in question.

http://www.rstreet.org/2015/06/01/a-guide-through-senate-amendments-to-the-usa-freedom-act/

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.