More on the NSA's Capabilities

Ross Anderson summarizes a meeting in Princeton where Edward Snowden was "present."

Third, the leaks give us a clear view of an intelligence analyst's workflow. She will mainly look in Xkeyscore, which is the Google of 5eyes comint; it's a federated system hoovering up masses of stuff not just from 5eyes' own assets but from other countries where the NSA cooperates or pays for access. Data are "ingested" into a vast rolling buffer; an analyst can run a federated search, using a selector (such as an IP address) or fingerprint (something that can be matched against the traffic). There are other such systems: "Dancing oasis" is the middle eastern version. Some xkeyscore assets are actually compromised third-party systems; there are multiple cases of rooted SMS servers that are queried in place and the results exfiltrated. Others involve vast infrastructure, like Tempora. If data in Xkeyscore are marked as of interest, they're moved to Pinwale to be memorialised for 5+ years. This is one function of the MDRs (massive data repositories, now more tactfully renamed mission data repositories) like Utah. At present storage is behind ingestion. Xkeyscore buffer times just depend on volumes and what storage they managed to install, plus what they manage to filter out.

As for crypto capabilities, a lot of stuff is decrypted automatically on ingest (e.g. using a "stolen cert," presumably a private key obtained through hacking). Else the analyst sends the ciphertext to CES and they either decrypt it or say they can't. There's no evidence of a "wow" cryptanalysis; it was key theft, or an implant, or a predicted RNG or supply-chain interference. Cryptanalysis has been seen of RC4, but not of elliptic curve crypto, and there's no sign of exploits against other commonly used algorithms. Of course, the vendors of some products have been coopted, notably skype. Homegrown crypto is routinely problematic, but properly implemented crypto keeps the agency out; gpg ciphertexts with RSA 1024 were returned as fails.

[...]

What else might we learn from the disclosures when designing and implementing crypto? Well, read the disclosures and use your brain. Why did GCHQ bother stealing all the SIM card keys for Iceland from Gemalto, unless they have access to the local GSM radio links? Just look at the roof panels on US or UK embassies, that look like concrete but are actually transparent to RF. So when designing a protocol ask yourself whether a local listener is a serious consideration.

[...]

On the policy front, one of the eye-openers was the scale of intelligence sharing -- it's not just 5 eyes, but 15 or 35 or even 65 once you count all the countries sharing stuff with the NSA. So how does governance work? Quite simply, the NSA doesn't care about policy. Their OGC has 100 lawyers whose job is to "enable the mission"; to figure out loopholes or new interpretations of the law that let stuff get done. How do you restrain this? Could you use courts in other countries, that have stronger human-rights law? The precedents are not encouraging. New Zealand's GCSB was sharing intel with Bangladesh agencies while the NZ government was investigating them for human-rights abuses. Ramstein in Germany is involved in all the drone killings, as fibre is needed to keep latency down low enough for remote vehicle pilots. The problem is that the intelligence agencies figure out ways to shield the authorities from culpability, and this should not happen.

[...]

The spooks' lawyers play games saying for example that they dumped content, but if you know IP address and file size you often have it; and IP address is a good enough pseudonym for most intel / LE use. They deny that they outsource to do legal arbitrage (e.g. NSA spies on Brits and GCHQ returns the favour by spying on Americans). Are they telling the truth? In theory there will be an MOU between NSA and the partner agency stipulating respect for each other's laws, but there can be caveats, such as a classified version which says "this is not a binding legal document." The sad fact is that law and legislators are losing the capability to hold people in the intelligence world to account, and also losing the appetite for it.

Worth reading in full.

Posted on May 11, 2015 at 6:26 AM • 227 Comments

Comments

Leland • May 11, 2015 8:33 AM

> "The problem is that the intelligence agencies figure out ways to shield the authorities from culpability, and this should not happen."

or more precisely: '... government employees figure out ways to shield themselves from culpability, but why does this happen?'

This is an inherent problem of all government activity (especially with elected officials, like US Congress) and not merely limited to intelligence agencies. Who watches the Watchers?

The NSA/GCHQ/etc is not the fundamental problem-- they are basically just hired help-- but what is the (obviously faulty) system that put them into power?

No solution is possible without understanding the core system problem. These severe intelligence abuses were quite predictable generally, and the basics have been known for many decades... well before Snowden updated us with such intricate technical details.

Andrew Wallace • May 11, 2015 8:46 AM

"Who watches the Watchers?"

Staff of intelligence agencies watch each other and other intelligence agencies watch each other and oversight committees watch the activities and respond to complaints as well as the legislation that sets out the legal framework.

Andrew

Beepeepeep • May 11, 2015 8:57 AM

@Andrew

That's all well and good, except legal definitions are classified and obviously unintuitive interpretations are used in private while pretending to use the more colloquial usage publicly.

This lets them lie to Congress and make a mockery of the legal system in the process.

Andrew Wallace • May 11, 2015 9:29 AM

It is not within the interest of staff to allow a bad apple to operate,

As it compromises their own personal position and safety and that of the integrity of the entire organisation.

I can assure you there is no loyalty among ranks and any wrongdoing would be quickly noticed and reported.

Moreover,

Foreign services whose interests are not that of the UK-US would straight away highlight bad doing.

The activities of the watchers are thoroughly watched from all angles.

Andrew

V • May 11, 2015 9:40 AM

@Andrew
> It is not within the interest of staff to allow a bad apple to operate,
(etc.)

And that's how we got Ed Snowden.

Zenzero • May 11, 2015 9:43 AM

@Andrew

How exactly can you "assure" us? You show a clear ignorance of the workings of the security services, the security industry in general and, from an earlier comment you made, basic SIGINT.

Have a read of this article as it lights your comment for what it was, divisive trolling:
http://www.theguardian.com/commentisfree/2015/feb/07/gchq-court-surveillance-ruling-complicit-press-tell-the-truth

GCHQ were sharing data illegally with the NSA for 7 years. This is just one of the shared programs and the only one being looked at by the tribunal. You would want to be very dim-witted to believe this was a one-off case.

Andrew Wallace • May 11, 2015 10:01 AM

"V • May 11, 2015 9:40 AM

@Andrew
> It is not within the interest of staff to allow a bad apple to operate,
(etc.)

And that's how we got Ed Snowden."

Snowden did not act with others and he kept what he was doing close to his chest.

If other staff had noticed him he would have been reported straight away.

Mr Snowden was acting alone. If he acted with others it would be public by now.

Andrew

Martin Walsh • May 11, 2015 10:57 AM

Snowden wasn't involved in cryptanalysis and we know from other sources he had no access, no contact with other divisions. So, for this and other reasons I believe that any and all statements regarding encryption, this algorithm vs that algorithm, are entirely HIS opinion. He does not have any special knowledge about cryptanalysis at the NSA. The often-repeated Snowden statement that "properly implemented cryptography works" is no more and no less a valid statement than if someone commenting on this blog had made it. When Snowden came forward, he was overwhelmed with attention and fame. It is too tempting to interject what you believe to be true, into the mass of information you know with certainty first hand. It is EXACTLY like a police report. Cops interject "facts" they're sure must be true, weaving them into the verifiable. They think no one will notice.

Martin Walsh • May 11, 2015 11:12 AM

Just ask yourself, if Snowden knew anything about cryptanalysis at the NSA, then why didn't he expose the known vulnerabilities that were being actively exploited at the time, yet were publicized only later, after the Snowden disclosures were made, and without Snowden's help. It's because he didn't know.

What Snowden divulged was so beyond all that was already public until then, he could have interjected something about extraterrestrials and many would have believed it, probably.

Why should I attach credibility to Snowden's assessment of NSA cryptanalysis capabilities simply because his experience internally was that they did not pass on everything they did? Especially when it is otherwise known that the NSA doesn't even expose their capabilities to other agencies, even the Executive Branch? Why should they? Would you believe some kid who worked behind the counter necessarily knew everything the owner of the store was up to? Don't be a fool.

Andrew Wallace • May 11, 2015 11:43 AM

My take on the Snowden affair:

Snowden was warned that his cover had been compromised as a Russian agent and was advised to leave the country quickly.

He panicked and took some files off a random server on fleeing so that his years of deep cover would be worth something.

He was actually within the position on a bigger mission that had been compromised.

He fled the US with only some random files. He was probably tapping out more damaging secret intelligence to a handler on a regular basis.

Andrew

Martin Walsh • May 11, 2015 11:50 AM

I defy anyone to specify exactly what is meant by "properly implemented." Is it like saying "everything will work right as long as no one makes a mistake?" I'm thinking of a drunken and incompetent surgeon who killed a dozen heart patients: "it's not my fault, I sterilized the scalpel every time."

Notice, "homegrown" is a pejorative term here. I think this is another clue. I understand what Snowden wants people to think. That's clear. And this is evidence he deliberately interjected a term evocative of an idea which he believes would be met with immediate agreement. It's bullshit.

Lev Bronstein • May 11, 2015 11:56 AM

@Andrew re: snowden affair

You intend us to believe the Russians care about a spy's fate after he's compromised? A spy who isn't even a Russian? So to prevent him from being caught they warned him?
Would you like to buy a bridge into Manhattan?

rgaff • May 11, 2015 12:07 PM

@ Bruce

This story seems to have struck a nerve with our local NSA/GCHQ apologist... keep them coming!

Andrew Wallace • May 11, 2015 12:14 PM

Lev Bronstein,

The whole Snowden thing looks panicked to me. They were random files not really worth the personal sacrifice per se.

He went to Hong Kong to begin with, another sign of panic... before arriving in Russia.

If these random files were the only thing behind what has gone on I'll be surprised.

Andrew

Justin • May 11, 2015 12:39 PM

@ Lev Bronstein

Obviously the Russians do care enough about Snowden to offer him asylum from the U.S. and let him stay in the country. We know the Russians have an active spy network in the U.S.---it didn't go away with the Soviet Union---Anna Chapman and her gang, and undoubtedly others that haven't been caught. My question is if Snowden wasn't spying for the Russians, then why in the world do they care so much about him? And all those files he absconded with, very few of which have been published by the media, are you expecting me to believe he didn't turn all of those over to the Russians (random files or not)?

rgaff • May 11, 2015 12:50 PM

@ Martin Walsh

"properly implemented" literally is like saying "everything will work right as long as no one makes a mistake"

But more than that, it's really just pointing out that mistakes are far more common than anyone realized, and that all it takes is ONE mistake, and the intelligence community is really good at finding those mistakes and abusing them (or planting more so-called "mistakes" and abusing them).

Your likening it to "drunken and incompetent surgeon who killed a dozen heart patients"... erm.. Have you seen very many programmers in action? Subsistence on beer and old pizza, overweight, up all night, unshaven and slovenly, mom's basement... these are not completely uncommon, and do not create perfect steady surgeon's hands nor perfect clear thinking minds. Snowden is pointing out that we need to get our stuff together more if we're going to have any hope of defending ourselves against this kind of hostile activity.

82de478ea93bdd87 • May 11, 2015 12:56 PM

After reading the summary posted by Ross Anderson I can only say it is a wonderful outline of the events of the last two years.

Snowden did (does yet!) a great contribution to humanity; at first my complaints were the lack of technical documentation, and it is still a concern to me, but he gave the tools required to fight not only the current surveillance state but also future threats. There is a great value in a global outline of security threats imposed by government agencies.

Carefully reading Anderson's post we are able to answer a lot of questions that someone may have missed in the documents released recently. For example... is AES compromised? It is recommended by the NSA! The answer must be clear after reading the summary. No, it has not been compromised. The National Security Agency knows that the war against cryptography has been lost (except for weak algorithms largely known to the community like RC4), so they have no problems recommending strong cryptography. They do not fight against maths but against broken implementations. This is the reason we must choose the right (open source) tools. Intelligence agencies target the implementation, wrong designs (AES in ECB mode) and, of course, the ends themselves on an end-to-end encrypted channel.

I see the NSA suggesting strong ciphers, but they would probably never suggest using OpenBSD.

An excellent outline that clearly shows what intelligence agencies may and may not do.

rgaff • May 11, 2015 12:56 PM

The Russians care about anything that is in their interests. Anything that makes the USA look foolish is in their interests, because it makes them look better and more powerful.

The Snowden story taken at face value, without the whole "he must be a Russian spy" theory, makes the USA look foolish and incompetent. Therefore being a spy for them specifically is not necessarily required for them to be interested in him and to want to protect him.

82de478ea93bdd87 • May 11, 2015 1:00 PM

@Andrew Wallace

Who are you working for... exactly?

Wow, you really look like some sort of dark psyop against the security community! Are you for real?

Tony H. • May 11, 2015 1:00 PM

@Andrew Wallace

"He went to Hong Kong to begin with, another sign of panic... before arriving in Russia."

Can you Google "beg the question"? While you're there, perhaps you could also look up "140 characters"...

Justin • May 11, 2015 1:19 PM

@ Andrew

"To keep Snowden in a secure location will be costing the Russian authorities millions of £."

That's the thing. And what's he doing for money over there? He's not exactly going to have a "normal" well-paid job, and yet he has access to all this expensive audio-video robotic remote conferencing technology. No, he is being well taken care of by the Russians.

Clive Robinson • May 11, 2015 1:25 PM

For those puzzled by,

> Just look at the roof panels on US or UK embassies, that look like concrete but are actually transparent to RF.

Most non metals are transparent to EM radiation at some range of frequencies but by no means all.

Reinforced concrete has a habit of blocking UHF and below due to the reinforcing metal rebar.

Some materials such as plastic and glass are transparent to EM radiation over much greater ranges which is one of the reasons "golf ball" housings for microwave systems are often made of glass reinforced plastic (fiberglass).

One of the joys of glass reinforced plastic is that its surface can quite easily be made to look like other materials such as concrete, brick or tile common in the construction of buildings.

However whilst in the visible spectrum it might look like concrete, in the IR and often UV spectrum it looks decidedly different. Such EM transparent panels have another problem, in that they lack the thermal mass of real building materials, thus they can quite easily be spotted by a thermal imager.

The only reason for the panels' existence is to shield from view the equipment that is placed behind them. However that is of limited utility if somebody cares to put even a modicum of effort in.

All resonant antenna systems suffer from the same problem that eyes do in photographs: any EM energy in their acceptance bandwidth behaves differently to that outside its bandwidth, and thus an active EM scan can show up not just the antenna bandwidth but the bandwidth of any receiving or transmission equipment behind it.

Yes there are ways to limit the effect of such scans by use of broadband circulators, but it's easy to make small mistakes during servicing etc. that can give the game away.

Suffice it to say that nearly all embassies and other diplomatic missions are also listening posts to whatever is "in the air", and as countries tend to have "diplomatic quarters" in their capital cities, missions tend to be spying not just on the host nation's domestic traffic but other missions as well.

Justin • May 11, 2015 1:52 PM

> "The only reason for the panels' existence is to shield from view the equipment that is placed behind them."
I don't know, that part may be purely cosmetic; a bunch of ugly radio equipment may simply be objectionable to the neighborhood. Also the equipment itself would tend to last longer shielded from weather and from birds roosting on it and pecking at it. And the more it's out of sight, the more it's out of mind.

Andrew Wallace • May 11, 2015 2:04 PM

My guess:

If such equipment does exist it is only for counter espionage purposes in case foreign services are trying to eavesdrop on the embassy.

The panels will be helping to jam radio frequencies.

Andrew

Andrew Wallace • May 11, 2015 2:15 PM

I'm being impersonated by someone.

I'm completely against whistleblowers such as Snowden, Manning and Assange.

I ask everyone to ignore the post at "May 11, 2015 2:01 PM".

Andrew

rgaff • May 11, 2015 2:21 PM

@ Andrew (real one)

Relax. This forum has no authentication/login for your posts at all, therefore, you should not get so involved and trusting in it that impersonation makes you freak out. Just point it out and move on, don't fret or post multiple times. If the impersonator is posting multiple times on your behalf, let the moderator sort it out, if they wish...

Andrew Wallace • May 11, 2015 2:22 PM

The person at "May 11, 2015 2:21 PM" is someone impersonating me.

I've asked the person to stop and will be contacting Bruce.

Andrew

Andrew Wallace • May 11, 2015 2:25 PM

The person at "May 11, 2015 2:23 PM" is someone impersonating me.

I've asked them to stop or legal action will be taken. I will also contact Bruce to get the posts removed.

Andrew

999999999 • May 11, 2015 2:46 PM

@Andrew Wallace

If you are such an "expert" can't you dox the impersonator quite easily?

Clive Robinson • May 11, 2015 2:51 PM

@ Andrew Wallace[1...n],

This is not the first time this blog has had an "I'm Spartacus" moment.

The solution is to be gracious not defensive and ride the wave.

Jacob • May 11, 2015 3:11 PM

Prof. Anderson provided a great summary.

Some new stuff (at least for me) is worth noting:
1. The long-term subversion by cryptomoles
2. The possible undermining of the economic viability of some US companies by weaseling into their products by interdiction.

"There are also specific programmes to recruit cryptographers, with a view to having friendly insiders in companies that might use or deploy crypto."

"The export control mechanisms are also used as an early warning mechanism, to tip off the agency that kit X will be shipped to country Y on date Z. Then the technicians can insert an implant without anyone at the exporting company knowing a thing. This is usually much better than getting stuff Trojanned by the vendor."

3. Not new, but still the most repugnant standing of all:
"Bear in mind that anyone outside the USA has zero rights under US law. "

Lok • May 11, 2015 3:12 PM

This is interesting:

> And it's a matter of record that Ed trusted his life to Tor, because he saw from the other side that it worked.

@ Andrew Wallace
Imitation is the sincerest form of flattery.

@ all
Just a thought...
I consider each and every post ephemeral, like our little existence in a universe of moments. I read every post for its content, not for its messenger. It's cyberspace...

Andy • May 11, 2015 3:26 PM

If Snowden's cover was blown as a Russian agent, why hasn't the US govt. confirmed such? That would discredit him and strongly sway public opinion of him. That they haven't is telling.

01 • May 11, 2015 3:29 PM

Lol, Andrew Wallace....Not that anyone cares.....
...but why don't you push a PGP key to MIT's keyserver (https://pgp.mit.edu/submithelp.html), publish the key fingerprint on Twitturd and sign your posts here?

Impersonation (sorta-kindish) solved with technology, bam!
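A way to do what 01 proposes, as an added example that is not from the post or any commenter: Ed25519 from Go's standard library stands in for PGP, the author name, timestamps and post bodies are constructed, and the reader is assumed to have obtained the author's key fingerprint out of band before checking any post.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Post is one forum comment. Sig covers Author, When and Body together,
// so a valid signature cannot be lifted onto a post with a different header.
type Post struct {
	Author string
	When   string
	Body   string
	Sig    []byte
}

// Fingerprint is the short digest of a public key that an author publishes
// somewhere readers already trust (the "publish the fingerprint" step).
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// canonical is the exact byte string that is signed and later verified.
func canonical(p Post) []byte {
	return []byte("author: " + p.Author + "\nwhen: " + p.When + "\n\n" + p.Body)
}

// SignPost attaches the author's signature to a post.
func SignPost(priv ed25519.PrivateKey, p Post) Post {
	p.Sig = ed25519.Sign(priv, canonical(p))
	return p
}

// VerifyPost accepts a post only if the presented key matches the fingerprint
// the reader has on file for that author AND the signature checks out.
func VerifyPost(trusted map[string]string, pub ed25519.PublicKey, p Post) bool {
	want, known := trusted[p.Author]
	if !known || want != Fingerprint(pub) {
		return false // unknown author, or a key the reader never trusted
	}
	return ed25519.Verify(pub, canonical(p), p.Sig)
}

// Scenario plays through the constructed cases: a genuine post, the same
// signature reused on an altered body, and an impostor signing with a key of
// their own under the real author's name.
func Scenario() (genuineOK, tamperedOK, impostorOK bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// The reader's trust store: author name -> fingerprint seen out of band.
	trusted := map[string]string{"A. Commenter": Fingerprint(pub)}

	genuine := SignPost(priv, Post{
		Author: "A. Commenter", // constructed author name
		When:   "May 11, 2015 2:15 PM",
		Body:   "I'm being impersonated by someone.", // constructed sample text
	})
	genuineOK = VerifyPost(trusted, pub, genuine)

	tampered := genuine
	tampered.Body = "Please ignore my earlier posts." // body changed, signature kept
	tamperedOK = VerifyPost(trusted, pub, tampered)

	ipub, ipriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	impostor := SignPost(ipriv, Post{
		Author: "A. Commenter", // same name, but a key nobody published
		When:   "May 11, 2015 2:23 PM",
		Body:   "I have changed my mind.",
	})
	impostorOK = VerifyPost(trusted, ipub, impostor)
	return
}

func main() {
	g, t, i := Scenario()
	fmt.Printf("genuine=%v tampered=%v impostor=%v\n", g, t, i)
}
```

An unsigned post under a trusted name fails the same way as the impostor's, since an empty signature never verifies; the fingerprint check is what stops a forger from simply attaching their own key.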

Nick P • May 11, 2015 3:41 PM

@ Martin Walsh

The known vulnerabilities argument was interesting but overall you're looking at it wrong. Snowden had CIA training on COMSEC and NSA training on COMSEC + SIGINT. Being an analyst and working with others, he would be in a position to see what kinds of security were working and what weren't. Even more, he was downloading and reading files about the capabilities of pretty much every group NSA had. In virtually all of them, they attack the implementation of the algorithm, subvert the encryption product (proprietary/closed), or bypass it with an endpoint attack. In many, they rate privacy or encryption tech by their difficulty with things like GPG rated as, paraphrased, "we give up." So, this overwhelmingly shows that certain algorithms and software have solid security if used correctly. Even more when combined with other methods.

On the other end, NSA endorses the same algorithms we use for classified information. The devices using them on sensitive networks must be Type 1 or 2 certified. The certification mostly focuses on implementation details because that's where all the attacks are. This implicitly argues that properly implemented crypto works because it's what the NSA trusts to protect themselves from nation state attackers.

So, Snowden knows NSA trusts the algorithms and attacks others' implementations. He also knows well-designed software that uses such algorithms are blocking SIGINT. He can also see that research and hacking outside NSA reflect this same trend. He then advises that the use of properly-implemented crypto is effective against mass collection. His argument stands on its own evidence and he doesn't need to be a cryptographer to make it. In fact, many cryptographers have been making the same argument for years.

Note: One area this may not apply to, now or later, is public key crypto. It's why I encourage cryptographers of highest talent to put their brainpower into giving us whatever alternatives they can and assess existing alternatives. For instance, there's been a ton of work on Merkle trees, which sign messages using hashing algorithms instead of math affected by factoring.

> "I defy anyone to specify exactly what is meant by "properly implemented."

The implementation of the algorithm does exactly what the specification says. Nothing more, nothing less. The process and techniques required for achieving this are numerous: secure RNG; strong isolation mechanism between plaintext and ciphertext; interfaces to the crypto core that don't break that; formal specification of the algorithm including error states and recovery; strong argument that the code implements the algorithm; strong argument that the binary implements the higher-level source code; similar specs and arguments for the processor or circuitry; covert channel analysis of interfaces, internal state, and hardware; emanation and side channel analysis of hardware.

And that's just the crypto core. Key management makes it more fun. :)

Note: Cutting edge example that satisfies most of my requirements.

@ rgaff

Good take on it.

@ Justin

I doubt they care about Snowden. They claimed to know most or all of what he published. Given their infiltration skill, they probably did know a good chunk of it albeit not all. The main benefit is what I'd expect from Putin: giving America the double middle finger. It's also inexpensive given that Snowden has a job at a newspaper and a (cheap?) house shown on the documentary. So, it might cost nothing to keep him. Far as surveillance, the security services already waste so much money spying on people that watching him is probably one of the few sensible expenditures.

And they might be squeezing him for intelligence or security advice, too. I think it's mainly just to piss America off. Putin is famous for his attempts to start or win pissing contests.

@ all

re panels to hide equipment

Remember that one of an embassy's primary goals is intelligence collection. NSA has SIGINT equipment at most of them. Both NSA and Russia have used EMSEC attacks via equipment attached to embassies, usually on top or the edge of the roof. Even seeing what the antenna or equipment looks like might (a) leak classified attacks or (b) tell how to defend against it. So, there's plenty of reason for them to cover up the equipment. So, probability dictates that they are probably covering up attack or communications equipment.

rgaff • May 11, 2015 3:54 PM

@ Andrew Wallace

The more you protest, the more the impersonator gets his jollies from you. If you don't let it get to you, he'll get bored and move on. Just relax, and don't let it get to you, and don't protest so much.

@ Jacob

> 3. Not new, but still the most repugnant standing of all: "Bear in mind that anyone outside the USA has zero rights under US law."

I agree completely. What this really means is: the USA preaches worldwide about how other "evil" countries need to respect human rights... yet, the USA itself declares the USA itself will violate every possible human right known to mankind, as long as it's to a non "US Person"... If I tell China, for example, that it needs to respect human rights of its population, but I don't need to respect any human rights of the Chinese population myself... er... what? What kind of double talk is that? It's totally evil and repugnant, and this is the modern form of slavery, i.e. all other countries' citizens are slaves to the USA, according to the USA. I cannot be more ashamed to be a citizen of such a country.

Fred P • May 11, 2015 4:04 PM

@Jacob - "...anyone outside the USA has zero rights under US law" is not entirely accurate. As far as I can tell, from the Supreme Court's perspective, for non-citizens, that's unsettled in the general case - in no small part because cases involving rights of aliens outside of U.S. - controlled territory usually fail due to lack of jurisdiction.

If you're interested in a slightly more accurate statement, I'd look to Justice Kennedy's opinion IV B in BOUMEDIENE v. BUSH https://www.law.cornell.edu/supct/html/06-1195.ZO.html "It is true that before today the Court has never held that noncitizens detained by our Government in territory over which another country maintains de jure sovereignty have any rights under our Constitution... ...in a territory that, while technically not part of the United States, is under the complete and total control of our Government. Under these circumstances the lack of a precedent on point is no barrier to our holding." (They then proceed to rule on narrow grounds.)

If you'd prefer a lawyer's point of view, I'd look at http://scholarship.law.georgetown.edu/cgi/viewcontent.cgi?article=1302&context=facpub "...the notion that foreign nationals outside our borders enjoy no constitutional protection has often been overstated." As a warning, like many law review articles, this one goes from settled law to unsettled law (i.e. what the author would like to be true) and back.

Daikiri • May 11, 2015 4:08 PM

"STOP impersonating me or I'll tell Bruce!"

I've got to say, you've handled that most gracefully. Your INFOSEC cred has increased tremendously, Andrew Wallace.

rgaff • May 11, 2015 4:15 PM

@ Fred P

Does it really matter what lawyer opinions are, or even COURT opinions... when the US government SUCCESSFULLY kills almost every court case for decades by whipping out the "National Security" and "Terrorism" trump cards? What matters is what actually happens. And as far as I can tell, reports are pretty much saying anything goes. Kidnapping, Assassinations, Torture, Terrorism... all these are things the US government is routinely doing around the world! (and don't tell me that a whole country's population being terrified of drones flying overhead every day doing "double strikes" to kill off medical assistance isn't a form of terrorism!)

Nick P • May 11, 2015 4:15 PM

@ Jacob, rgaff

I disagree on the rights thing. The Constitution is a contract between the people of this country and their government. It comes with both rights and responsibilities. Foreigners typically don't agree to responsibilities of citizens, the total principles, or the contract itself. Automatically giving them our rights doesn't make sense. Many times, they'll be from a country that itself doesn't even believe in rights. For instance, Clive helped me understand the British system by saying they legislated against certain wrongs rather than tried to preserve interpretations of rights. Then, there's the dictatorships, communists, theocracies, and so on.

So, I'd give them two things: privileges to get stuff done and protections from being wronged. There's already legal support for both. Driving, gun ownership, overseas travel, and many other activities are considered privileges with restrictions or requirements. There are also laws against various types of harm one can do to someone. Most of what concerns foreigners can be covered by these two alone. That's probably even closer to their native, legal system. Going all the way to rights, we might subset them for people over here based on their background, the reason they're here, if they're a resident, and if they're aiming for citizenship.

Most of the world doesn't give foreigners rights or equal treatment to natives. Most also require effort to be put in to get the rewards of citizenship. I think we should pay them in kind. We should simply give them reasonable protections from harm or bad business. Their stay and protections are privileges, though.

I'm mad as hell and I'm not going to take it anymore! • May 11, 2015 4:17 PM

I'm growing tired of this back and forth between AW and other poster(s) who are contributing nothing to the discussion here other than personal conversations which should be taken to private email/IM/anywhere else but here.

I'm also tired of posters who do this:

to get more people to read their posts.

They split up the content rather than forming

paragraphs.

Can we please return to real discussions and not this personal talk? In a few years when people look back on these comments, they're really not going to give a shit about all of this back and forth nonsense. If you look at former blog comments in past blog posts, they are filled with intelligent discussion. Let's not allow this medium to turn into various web forums where users start attacking each other and drop the discussions of real topics which MEAN SOMETHING. I almost feel like I'm reading the same person's posts under different names, talking to themselves. Seriously, get a life folks.

Moderator • May 11, 2015 4:20 PM

Multiple impersonations noted and deleted. Will Andrew Wallace's impersonators please stop and move on to more of that scintillating conversation this blog is known for.

Martin Walsh • May 11, 2015 4:21 PM

Consensus? There is no consensus and it's always been every man for himself. Notice how all the "experts" pile on AFTER a vulnerability is publicized.

Here's a taste of the insanity http://www.zdnet.com/article/smart-grid-group-rolls-out-its-own-flawed-crypto-risking-device-security/

Where in the world does this guy think all the well-proven crypto comes from? Was it found in some ancient ruins? And 'crypto-club'? Where does that term originate? From a journalist and science-fiction writer, that's where.

Everything that works was once new. Here are a couple of far, far more intelligent essays on implementations.

http://bristolcrypto.blogspot.com/2015/01/designers-ask-not-what-youre.html

http://bristolcrypto.blogspot.com/2015/01/real-world-crypto-2015-error-prone.html

I don't care how many slide shows Snowden sat in on.

rgaff • May 11, 2015 4:29 PM

@ Nick P

When I argue for human rights for non US Persons, you might notice I don't use the word "Constitutional" in front of it. There's a reason for that, and you're getting warm to it, but you're still arguing with me.

There's a more basic thing than "our laws in our jurisdiction provide x punishments for y violation" when it comes to human rights. Human rights should be rights to all people, regardless of jurisdiction, merely by virtue of being human. Otherwise they're not human rights, they're jurisdictional rights. People who confuse the two are really heading toward a "there is no such thing as a human right" argument. And there are terms for humans without any rights at all: slaves, prisoners, etc. Are all people outside our jurisdiction our slaves or prisoners? Should they be?

LightBlueTouchReading • May 11, 2015 5:12 PM

@rgaff

http://www.ushistory.org/declaration/document/

Rights that are obvious to anyone, given to man and woman from God, how novel.

If we, as a people, just begin from first principles and give a quick and dirty litmus test to any law or action:

1. Does this restrict the rights to life, liberty, or pursuit of happiness?
2. If so, don't do it.

Of course, this isn't how the world works, is it? The trolls/apologists will cry that the Declaration of Independence isn't a codified law organ, and the leader of the free world will kill, kill, kill whomever, wherever he wishes.

Spying on everyone, nipping terrorists in the bud with liberal FBI help, lies, lies, lies, and power.

I feel safer! I must say so, else I get the hose again. We are all still just animals, discarding the fur and wrapping ourselves in parchment filled with such glorious thoughts and ideals, laundered and pressed of course! How else can we look in the mirror, without appearing so clean and civilized!

rgaff • May 11, 2015 5:43 PM

@ LightBlueTouchReading

If we are all merely animals without fur, then we are all slaves, the weak always enslaved by everyone stronger, and there is no such thing as a free people. Never has been, and never will be. And there is no such thing as a "human right."

I can respect that opinion, but I reject taking it as my own. The reason why "human rights" should not need to be codified into law to be valid, is because if people have them, they inherently have them whether any law says they do or not. Any laws or declarations or constitutions that attempt to delineate them are merely restating rights that people already have, not actually granting anything new.

Sancho_P • May 11, 2015 5:46 PM

@ rgaff

“I cannot be more ashamed to be a citizen of such a country.”
Relax. It’s only because (obviously) you are not a nationalist. That’s rare nowadays, but not a problem if you don’t tell.

However:
I’m not happy with your “humans without any rights at all: slaves, prisoners, etc.”.
Prisoners (must) have, and slaves are inhuman + illegal - but only in “our” thinking.
This leads me back to the term “nationalist” which is only suitable for “our” thinking.

So let me rephrase: I cannot be more ashamed to be a human.

rgaff • May 11, 2015 6:17 PM

@ Sancho_P

I'm not sure what you're saying there, you're abbreviating too much for me to get it. Are you saying that we need not worry about any "human rights" for peoples of the earth, as long as their local government doesn't worry about it for their own citizens either?

Why did we bother with WWII then? Why criticize any country for mass murdering their own people? In fact, why didn't we actually help Hitler then? I mean, he was the local government at the time.

Daniel P. • May 11, 2015 6:45 PM

@rgaff

Winners get to write the history, so take it with a grain of salt. Humans are capable of tremendous deeds as long as the justification is strong enough. Laws & religions are strong examples of such justification. Very few citizens buy "human rights" as a reason to war because making war is inhumane (unless you are named Kissinger) ;-) .

Daniel • May 11, 2015 7:08 PM

Martin Walsh:

What Snowden divulged was so beyond all that was already public until then, he could have interjected something about extraterrestrials and many would have believed it, probably.

Probably,

Thus, it is content (data) that we must digest, rather than attaching credibility, and feelings, to names. There is a certain truth but one must find it upon him/herself.

tyr • May 11, 2015 7:36 PM

If you assume the Rus aren't stupid it's easy to see why Ed Snowden is a lovely piece of bait.

All they have to do is watch who shows up in the neighborhood and whisk them off to the basement for a bit of rubber hose work. You have a perfect honeypot and absolutely no reason to trust Ed.

Anyone loony enough to think he's a Russian spy needs to read a bit of history about real spies from Russia. I imagine by now he's a lot less naive, the same thing that has happened to Assange. Things are more metastable than they appear in human affairs and it takes some real efforts to make them change against the inertia of those who fear changes above all else.

Their argument is always the same, it would be the end of civilization if. The fact that historically it has been false in every case has never penetrated their thick skulls.

3. Not new, but still the most repugnant standing of all: "Bear in mind that anyone outside the USA has zero rights under US law."

The first time I read this I saw NSA instead of USA. Given the recent chain of circumstances (since WW1) that about sums it up.

rgaff • May 11, 2015 7:43 PM

Look, I'm not saying that there aren't terrible things going on in the world... I'm saying if you simply give up and say "there's no such thing as ideals, we should all just kill off whoever we can just because we're strong enough to do so" then we are Hitler. We have met the enemy, and he is us.

No, rather, there have to be some ideals. Even if they aren't always followed, or even if they're in fact rarely followed, we still have to look at them and do our best. This is the only thing that keeps us slightly better than Hitler.

Nick P • May 11, 2015 7:48 PM

@ Martin Walsh

Your reply seems to be red herrings to my detailed response on proper crypto.

Your first link is a post about a homebrew encryption tech designed by industry that eventually received review by encryption experts and was shown to be crap. The article repeats the mantra that this is why experts recommend leveraging what's been designed or reviewed by experts in that field. Takeaway: if you don't have experienced help in crypto, don't try to design crypto technology because you will fail. That goes without saying on this blog and only agrees with my post.

Your second link references DJB pointing out two things: designs can be hard to implement correctly; more complex schemes often get less review. The first I referenced in my above post. High assurance (EAL6-7) standards say one must drastically simplify the design's components and interfaces to model about everything it can do. The documentation must give all necessary details to independently verify its properties, implementation, tests, and so on. Further, such a design is easier to port and review. That helps in No 2 but No 2 is mostly another red herring: how often people review specific software has nothing to do with how proper implementations are built in general or what Snowden knows. Plenty of review can aid in mitigating mass collection: leaks + Snowden say about GPG/Tor.

The third link is a red herring about usability. I'll consider it anyway. On the surface, it seems to have merit. Yet, it calls BS on itself with the very example the author uses: people can't be expected to remember or store passwords for each site. All secure alternatives to passwords that have been attempted failed to get widespread adoption because *the users* didn't want them. The reasons included cost, convenience, backward compatibility with insecure stuff, and so on. Many companies went bankrupt thinking design was the problem, and others still around stay in niches (e.g. enterprise, compliance market). So, the average developer uses the free, simple (in practice), compatible with about everything, and somewhat inconvenient solution: a password. That's the correct choice given the alternative is (a) low to zero market share, (b) massive loss of profit, and (c) possible bankruptcy.

The users were the failures because, as usual, they would never buy or sacrifice to improve their security. Instead, security engineers have to work in a straitjacket to come up with something that *might* protect them while maintaining compatibility with insecure hardware, insecure firmware, insecure OS, insecure middleware, insecure tools, insecure apps, and... the Internet. I think it's impossible but there's still a gigantic number of people trying. And failing.

Back to Snowden, my arguments still stand. There are established ways to turn a good design into a good implementation. There's evidence from NSA, their partners, and defense contractors that such methods are highly resistant to attack. All Five Eyes use such methods or systems for most critical activities. The leaks also show that some products, via good design and review, give NSA difficulty despite not being high assurance. The leaks also show that easily avoidable choices in tech and implementations lead to the vast majority of compromises. Private industry corroborates... all of that. So, Snowden's stance on properly implementing crypto remains supported by mountains of evidence and increases his own credibility.

And yours becomes more suspicious as I know of no trustworthy alternatives to using encryption without battle-tested, well-implemented algorithms. Homebrew and obscure stuff usually failed. Custom protocols usually failed. What in fact are you suggesting we should do instead of carefully implement good algorithms and protocols for encryption?

@ rgaff

Good point until you got to slaves or prisoners. Seriously? A person without rights but freedom to act within basic rules is not a slave. Doing it your way, even Americans are slaves that are forced by threats of violence to act within the court's interpretation. Anyone in a place with social norms that have consequences is also a slave. Basically, everyone except certain billionaire power-brokers living in remote areas would be slaves. Kind of trivializes slavery.

Going back to your good points, I think your distinction sounds good. The problem is, *in practice*, the two are equivalent. There's no such thing as human rights: we made that stuff up. There can only be human rights if most or all humans practice those specific rights. History shows human nature defaults on the opposite and goes in many directions from there. There are instead rules that each country implements, locally or internationally. They vary by jurisdiction, individual, context, and consequences of ignoring/removing them. American rules talk of rights, privileges, and things that are clearly wrong. Other countries have their labels. They're all just rules decided place by place.

Thing is, with so much variance and government competition, we can't have a single set of rights. Foreigners certainly don't want us imposing our standards or principles on them. And vice versa. So, "rights" are jurisdictional rules with varying application. We should keep that in mind in deciding how many "rights" foreigners get here. That said, America or another country could set a positive example by treating all people equally aside from voting, military access, and so on. I'd go for that just to see if good things result.

rgaff • May 11, 2015 8:27 PM

@Nick P

"A person without rights but freedom to act within basic rules is not a slave. Doing it your way, even Americans are slaves that are forced by threats of violence to act within court's interpretation."

"Free people" does not mean anarchy. For a free society to exist, freedom must always be limited wherever it butts up against another's freedom, otherwise nobody is free. This is a common basic misunderstanding about what "freedom" is.

But a person with no "human rights" at all, only the gracious generosity of his almighty government allowing him limited misnamed "freedom" is not free, he's on parole, so to speak. That's a dictatorship, and his country is his prison.

"American rules talk of rights, privileges, and things that are clearly wrong."

Then all of American society is illegitimate. It should never have rebelled against the British king. That was the "government" at the time. It should have bowed and said "oh welp, we're the subjects, he's the king, end of story."

"Thing is, with so much variance and government competition, we can't have a single set of rights."

All this "everyone else's rights are different" talk is meaningless. What matters is what you think, and then YOU must treat others that way... not the way they treat you. If you talk about rights and freedom, then act as a hypocrite, then you clearly don't believe in those things, you just believe in anarchy and tyranny with you at the top. This is personal for each person on earth, and each person needs to decide what kind of person they will be: one who cherishes freedom, or one who just wants to be a cruel dictator their first opportunity.

Lots are choosing the latter, even here on this blog. I'm simply arguing more should choose the former.

Andrew Wallace • May 11, 2015 8:32 PM

With the Snowden case.

The government knows who on the planet is for and against surveillance by now.

That is the only real motivation in the bigger picture I can see.

"How can we find out who is for and against us"... we can release a bunch of documents that we can talk up as secret and important and then monitor everyone who thought it was a good thing.

Andrew

Justin • May 11, 2015 8:47 PM

@ Nick P

"There's no such thing as human rights: we made that stuff up."

No. I believe that humans are endowed by their Creator with certain unalienable Rights.

If you believe that there are no human rights, then there is no morality, and nothing but social acceptability to determine right and wrong. And then it really doesn't matter what you do as long as you don't get caught. So I don't trust you if you don't believe that I have unalienable rights, because then you will violate my rights if you think you can get away with it.

@ Andrew Wallace

It isn't as simple as being for or against surveillance. There is a place for fighting crime and terrorism, but this should be done while respecting a reasonable and universal human right to privacy.

Andrew Wallace • May 11, 2015 8:53 PM

Justin,

"It isn't as simple as being for or against surveillance."

Maybe it is and we just don't realise it.

We don't know the motivation behind whoever is pulling Snowden's strings.

They may just want to provoke you to be for or against surveillance and find out who all the privacy advocates are.

Andrew

Daniel P. • May 11, 2015 8:56 PM

@ rgaff

"I'm simply arguing more should choose the former."

That argument may tread too close to "commie territory" in which they believe democracy can only function under the barrel of a gun (funny many democratic bureaucrats think the same way) :) .

rgaff • May 11, 2015 9:07 PM

@ Daniel P

How is arguing for human rights and freedom "commie territory"?

Eric • May 11, 2015 9:12 PM

@ Andrew Wallace

"That is the only real motivation in the bigger picture I can see."

Too bold a move to be a stratagem, or shall we say gambit or "whatever you call it in chess".

lol... I like the way you're going off on all tangents of possibilities.

Nick P • May 11, 2015 9:15 PM

@ rgaff

"But a person with no "human rights" at all, only the gracious generosity of his almighty government allowing him limited misnamed "freedom" is not free, he's on parole, so to speak."

My point is that they are anyway. The government determines the interpretation of those rights and can circumvent a number by alleging a wrong. So, a government with the concept is better for us than one without it. Yet, the reality of it is subject to how the concept is implemented.

"Then all of American society is illegitimate. It should never have rebelled against the British king. "

Not true. People can bargain or fight for more rights, privileges, and things. The British King forced a terrible situation on their colonists. The response was to overthrow him to negotiate new terms with a new organization. This benefited us.

"What matters is what you think, and then YOU must treat others that way... not the way they treat you."

What you think is a start. How others act is also important. Example: most Western firms believe in I.P. protection while Asian countries are big on copying. Treating the Asian partners the same as Americans on trade secrets will likely result in your shit stolen super fast. You lose everything but at least you acted like everyone had the right to their inventions.

The world doesn't work that way. Between nations, it's give and take. There's also cultural differences. If we don't factor that in AND THEY DO, then we'll be operating at a disadvantage to them. Worse, we'll just be their victims. Another example: most of them griping about "no rights" offer less to their own citizens, even less to Americans, and actively spy on our companies. To heck with idealism in a world like that. I respect people practicing their principles but my principles stay a bit practical too.

@ Justin

"If you believe that there are no human rights, then there is no morality, and nothing but social acceptability to determine right and wrong."

That's totally not true and doesn't reflect the fact that good principles developed in largely atheist organizations. Confucius's writings promote treating people well, don't demand worship, promise no eternal life, and have a large following. The main Founding Fathers, minus one, were deists who thought an impersonal God created the universe and left it to its own devices. Yet, both groups of people and religious works such as the Bible have encouraged murder, rape, genocide, slavery, and so on. As opposite of "human rights" inscribed by a creator as I can imagine.

So, religion doesn't lead to human rights reliably. A lack of religion can sometimes do it. The only consistent pattern is people believed something, got others to do the same, agreed on rules for behavior, and then enforced them. So, we're back to stuff people make up. And, surprise, everyone's thoughts and conversations with deities came up with different divine "truths!" Nah, they were just man-made ideas and rules. Some good, some bad, and some horrific. Just like human nature itself.

Nick P • May 11, 2015 9:25 PM

EDIT: That statement was ambiguous. I meant "both groups of people and religious works" to mean groups of people outside of religion plus religious works rather than the two groups I mentioned before the statement. Didn't catch it in brief revision.

rgaff • May 11, 2015 10:13 PM

"What you think is a start. How others act is also important. Example: Most Western firms believe in I.P. protection while Asian countries are big on copying."

The old proverb "do unto others as you would have them do unto you" does not mean "well, I'm a trustworthy person, therefore I should COMPLETELY trust everyone else, even if they prove themselves untrustworthy"... the reason certain Asian societies believe in copying is because they believe very strongly in "power comes from the barrel of a gun" (Mao Zedong) which is similar to "survival of the fittest" (Herbert Spencer) at all costs in every business dealing with strangers or outsiders of some kind. The "do unto others" proverb I mentioned above is very much foreign to them. So does this mean we should just shoot them all in the head at our first chance, because that's their principle? No... it means, we should duck! Obviously. Just because they don't have the same "moral standards" as we do doesn't mean we should have no morals at all, it just means that we should act defensively with them, while still treating their people generally as we believe humans should be (by our standards), whether they treat themselves or us that way or not.

"To heck with idealism in a world like that. I respect people practicing their principles but my principles stay a bit practical too."

Saying "to heck with idealism" is exactly why this world is such a terrible place to begin with. You can choose to make it better or worse. Sometimes making it better can even be more valuable than personal self preservation.

Andrew Wallace • May 11, 2015 10:37 PM

Eric

"Too bold a move to be a stratagem, or shall we say gambit or "whatever you call it in chess."

Not if you want to know who is for and against on a global scale. It is exactly the move that would be needed.

Andrew

rgaff • May 11, 2015 10:48 PM

@ Andrew Wallace

How you feelin good buddy? You feel better now after the moderator took care of things? See? No need to worry too much, things blow over.

Wesley Parish • May 12, 2015 3:25 AM

@Everybody (who gives a stuff :)

Re: Human Rights

Rights refer to expectations of acceptable behaviour within a given social context. Human rights refer to restraints upon state behaviour that the state has accepted, either willingly or under constraint from superior forces, the British Empire's crusade against the slave trade being a prime example.

You can think of human rights as constituting a form of definition of humanity, as each right comes with concurrent, related obligations. For example, the right to not have your reputation harmed by either action (slander, libel, or other forms of defamation of character) or omission (denial of redress) comes with the obligation that you do not harm the reputation of others. To put it more colourfully, your freedom to swing your fist ends where my nose begins.

Human rights are also a moral issue. This amongst other things, means that the people who preach it most fervently are thus constrained from abusing those self-same rights. Or in abusing them they lose the trust, the social standing they seek by proclaiming those rights. I mean, no one trusts a woman's rights activist also wanted for rape ... and no one trusts a state preaching human rights that tortures opponents ...

Clive Robinson • May 12, 2015 4:11 AM

As far as we can tell nature does not provide rights.

Unconstrained freedom for one person is tyranny for others, thus morals are about balancing freedoms. Over time morals found unwanting become codified and thus law with penalties for non-compliance.

Many confuse morals and religion, that is a failing of their perspective. History shows us that religion is in fact about tyranny and control of others.

Whilst resources are unconstrained freedom is generally not an issue, however when resources do become constrained survival of "me and mine" becomes an issue. Unfortunately it has an issue of "table scraps": being subservient for table scraps is often easier than no food. This leads in turn to patronage and authoritarian behaviour and authoritarian followers who push authority onto others, thus maintaining a hierarchical structure that either is or soon will become a tyranny by action if not name.

One trick of those who are well practised in tyranny is to find an excuse for their behaviour that can not be argued against. That is "force of might" becomes "force is right", initially by the argument of "following orders", by "god told me to" or divine right. This becomes devolved into prejudicial legislation, where even arguing against the legislation is a crime.

We can see this happening all over the world. It will get worse until enough realise the only way to deal with a tyrant is not to appease but decapitate, and thus the worst of all events happens, civil war, where society fractures into multitudes of competing tyrannies.

It has been argued that this is the result of evolution in a constrained environment.

At the end of the day human rights, how we treat prisoners, captives and others provides an indicator of not just how civilized we are but also how far we are from martial law and civil war.

NSAPuppetsGoCrazy • May 12, 2015 4:27 AM

Can I suggest to the readers that the NSA trolling has grown intense on this forum to disguise a key point above i.e. THIS ->

There's no evidence of a "wow" cryptanalysis; it was key theft, or an implant, or a predicted RNG or supply-chain interference. Cryptanalysis has been seen of RC4, but not of elliptic curve crypto, and there's no sign of exploits against other commonly used algorithms. Of course, the vendors of some products have been coopted, notably skype. Homegrown crypto is routinely problematic, but properly implemented crypto keeps the agency out; gpg ciphertexts with RSA 1024 were returned as fails.

In other words, if we cut through the whining of the paid state actors who stand out like dogs balls, we can note:

1. Strong crypto works
2. Measures which use zero third-party trust scare the three letter knob jockeys
3. Open source = good, proprietary crap = backdoored
4. Typical programs like OTR, ZRTP, Tor, VPNs (to a degree) screw with their ability to decipher your shit
5. It follows from point 4, that they must use extra effort and time to personally hack your computer/server, steal encryption keys, use malware etc etc if they want to otherwise know about your communications

Given the spooks aren't going anywhere anytime soon, or being defunded, their job must be made exponentially harder via common adoption of strong crypto protocols at all levels, in all software, and eventually in full open source hardware designs (Nevina etc) if we are to take our electronic liberty back.

Forget the Andrew Wallace totalitarian-fellating kabuki theater, and stick to what's important...

rgaff • May 12, 2015 4:51 AM

@ Clive Robinson

"At the end of the day human rights, how we treat prisoners, captives and others provides an indicator of not just how civilized we are but also how far we are from martial law and civil war."

Now that's an insightful summary.

@ NSAPuppetsGoCrazy

That strong crypto works and implementations are weak is not really new news. Though I'm glad to see people talking about it, maybe it will sink in and things will move forward in that area...

Andrew Wallace • May 12, 2015 5:38 AM

I'm pro Police and Government but I don't deserve to be branded a troll because the majority on here are anti-government activists.

I support the government's efforts as a law-abiding citizen and think the mass surveillance and airport measures have put criminals on the back foot and act as a deterrent to low to middle sized criminals.

As for the organised criminals, we have specialised units taking care of them.

Andrew

Gerard van Vooren • May 12, 2015 6:12 AM

@ Clive Robinson

"Many confuse morals and religion, that is a failing of their perspective. History shows us that religion is in fact about tyranny and control of others."

A clear example of that is the anti abortion movement, which literally means saying no to desperate women in need.

Btw, Jeb Bush is anti abortion.

Gerard van Vooren • May 12, 2015 6:25 AM

@ Andrew Wallace

"I'm pro Police and Government but I don't deserve to be branded a troll because the majority on here are anti-government activists."

Well, I still consider you a troll and a smelly one.

Why? You never back your statements up with facts and your position is undisputedly pro-gov. I don't consider myself better than any other but I am willing to learn and I have learned *A LOT* here.

Most people tend to go to the right when they are getting older. With me it is the opposite and primarily because of all the hypocrisy involved in right-wing politics.

My advice to you is to learn as well.

And my other advice still stands: Don't feed the trolls.

Andrew Wallace • May 12, 2015 6:38 AM

"Most people tend to go to the right when they are getting older. With me it is the opposite."

Why admit such? A forum of anti-government messages is sure to attract some pro-government folks and thus attract the attention of the people you want to avoid.

I could equally call you a troll if I really wanted to.

Andrew

Gerard van Vooren • May 12, 2015 6:42 AM

@ Andrew Wallace

"I could equally call you a troll if I really wanted to."

Please do. Back it up with facts please.

rgaff • May 12, 2015 7:00 AM

People who are actually thinking about things, not just regurgitating what they've been told, do not consider themselves always right. They believe they can learn from others, including those of opposite viewpoints. Andrew Wallace, do you believe you can learn from us? Is that why you are here? I believe I can learn from the rest of you all, that's why I'm here.

Zenzero • May 12, 2015 8:16 AM

@Andrew Wallace

"I'm pro Police and Government but I don't deserve to be branded a troll because the majority on here are anti-government activists."

Being critical of a government's actions does not make someone an anti-government activist. Citizens of all nations have a right to look at and be sceptical of questionable government actions; in fact it might be said that it's our obligation to do so.

The troll comments are because you come here where people are discussing security and the political shenanigans which can affect security and spam divisive comments which you never back up with facts and refuse to discuss with anyone who concisely disagrees with you with facts and references.

If you showed a willingness to discuss, an open-minded approach to discussion and at least a possibility of learning something new from it, people would be more open. As it is, you simply take away from discussion and do not add anything new to it, hence you have the appearance of a troll.

“As for the organised criminals, we have specialised units taking care of them.”

You make it sound as if you're part of the government apparatus with the “we have” as opposed to “they have”, but if you were you wouldn’t be here in this “hotbed of revolution”. Also if you are gainfully employed with HMICS, congratulations on the new job and exceedingly fast promotion.

By the way, why do you model yourself after a troll from 2006 or are you in fact the same person?
http://www.securityfocus.com/news/11419

Zenzero • May 12, 2015 9:02 AM

@ Martin Walsh

“Just ask yourself, if Snowden knew anything about cryptanalysis at the NSA, then why didn't he expose the known vulnerabilities that were being actively exploited at the time, yet were publicized only later, after the Snowden disclosures were made, and without Snowden's help. It's because he didn't know.”

Snowden said, not long after the documents started getting published, when he no longer had access to the documents: “Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.” You can see from the document below that it correlates to what he said and what he in fact used. This shows he did know. Also he not only worked as a contractor for the NSA but also the CIA. He would see the intelligence passing back and forth and would have had extensive training as a field operator in OPSEC and encryption.

The simple fact that he contacted people through the NSA/GCHQ/BND surveillance without anything triggering shows us that he was in fact quite adept at encryption.

NSA PDF from a SIGDEV conference explaining some products they have major issues with (around page 20)
http://www.spiegel.de/media/media-35535.pdf

Full article from Spiegel
http://www.spiegel.de/international/germany/inside-the-nsa-s-war-on-internet-security-a-1010361.html

The NSA, GCHQ and the other x eye cohorts have no magic wand, they hack/crack/steal keys, they co-opt companies, they install backdoors, attack end-points or they try to attack implementations as they can’t attack the cryptography itself. Being careful and being a target would require them to take more extreme measures which greatly increases their risk of discovery and they are risk averse at the best of times.

Andrew Wallace • May 12, 2015 10:27 AM

"You wouldn’t be here in this “hotbed of revolution”."

I'm not sure there is a revolution.

There is a criminal wanted on charges relating to the Espionage Act who faces 30 years in jail if found guilty.

He acted alone and not with others therefore there is not a revolution.

Andrew

Zenzero • May 12, 2015 10:55 AM

@Andrew Wallace

You didn't respond to my query or again add anything or try to engage, I wonder why...

You say the following:
"He acted alone and not with others therefore there is not a revolution."

but earlier you posted that you believe

"Snowden was warned that his cover had been compromised as a Russian agent"

and also

"He was probably tapping out more damaging secret intelligence to a handler"

So you're saying he acted alone but was also part of a large spy ring!

As you are continuously inconsistent, state obviously in factual information as proven fact, refuse to engage in any discussion, appear to have a Pre-Copernicus attitude, post divisive comments with relevant facts and sources and blatantly misinterpret Bruce's comments and actually attribute comments to him when he clearly didn’t state them. I can only deduce that you are nothing but a troll.

Andrew Wallace • May 12, 2015 11:16 AM

You're attacking my integrity on some false online nickname against a real name known person who is easily traced to where I live and other information if you look close enough. You however could be anyone trying to smear me for political purposes because I don't agree with your stance on surveillance.

Andrew

Nick P • May 12, 2015 12:26 PM

@ rgaff

"Just because they don't have the same "moral standards" as we do doesn't mean we should have no morals at all, it just means that we should act defensively with them"

Treating them differently from other citizens in terms of what they can do here? That's my point exactly. A two tiered system might be designed to get locals ahead or protect from malicious, foreign actors. Many uses.

"Saying "to heck with idealism" is exactly why this world is such a terrible place to begin with. You can choose to make it better or worse."

Not really. Idealism has rarely if ever done anything positive in this world. The world is a terrible place because of human nature. The improvements we've had looked at an ideal, then watered it down to a form that human nature will tolerate. Those worked while all idealistic efforts failed. If anything, I'd say a lot of our smart people wasting time on idealism instead of practical reforms contributes to how much our world sucks.

Their solutions are guaranteed to fail from the start, they often know that, and then they say they're doing it "on principle." I thought the highest principle and goal was a better world. If idealism doesn't work, they should abandon it in favor of a principled and pragmatic approach. They don't. So, idealists are hypocrites who only care about ideas they're pushing rather than making sacrifices that benefit us as a whole. I'm glad the Founding Fathers were pragmatists that pushed some good principles in their work. *That* got results for a while.

@ Wesley Parish

That's a good theoretical treatment of it. Don't forget to add the category to your first paragraph where the rights are lip service that are weakly enforced. This is more common with international treaties.

@ Andrew Wallace

"I'm pro Police and Government but I don't deserve to be branded a troll because the majority on here are anti government activists."

There you go again with the trolling. The majority of us are pro-Government by being ardent supporters of the Constitution (U.S.) or balanced legal systems (foreign). These benefit police plus citizens. We call out government's attempts to ignore their responsibilities, deceive their people, give immunity to partners in crime, and so on. You are a troll because you consistently push false or misleading information in short statements that only derail discussion. You also never address any key points made to you. Trolls depend on such dismissal tactics to avoid any real discussion. You're also extremely pro-police in all situations, even when evidence of their corruption is posted.

And I don't think I've even seen someone on 4chan or Reddit claim that there's no evidence politicians break the law. You are unique in believing that. And posting it on a forum that regularly shows politicians breaking the law or deceiving people. Troll tactic, yet again.

"You've grabbed various sentences out of context with the posts they belong."

Your posts are usually short proclamations without evidence or context. Trolls aiming to disrupt do that 90+% of the time. Nobody can cite your context if you don't provide any in blanket statements. Your revisionism on this issue is yet another troll tactic.

@ NSAPuppetsGoCrazy

"Can I suggest to the readers that the NSA trolling has grown intense on this forum to disguise a key point above i.e. THIS -> There's no evidence of a "wow" cryptanalysis; it was key theft, or an implant, or a predicted RNG or supply-chain interference."

Good point. It's actually two things. One is the new tactic of British and American intelligence agencies to plant people on significant forums to manipulate and disrupt those forums. The other is the old tactic, aka the Big Lie, of trying to drown out the competition with troll-like repetition of false claims. This technique, devised by Goebbels in Nazi Germany, was useful to the Bush/Cheney Administration in pushing terrorism fears, WMD's, cyber-threats, and so on. The intelligence agencies (and independent trolls) currently think the same technique will work on online forums to get everyone marching to their beat.

Meanwhile, I'm working on ways of dealing with that. It must be as simple and easy as the trolls own one to two line posts are.

Sanpaku • May 12, 2015 12:26 PM

Reading back on comments to date, I'm struck with one off the wall thought:

At this moment in time, it doesn't really matter if the crypto in question (elliptical curves, primes) is actually broken or not, does it? Hypothetically, assuming there was in fact a catastrophic break, it's hard for me to imagine a circumstance in which acting on any intercepted information would be worth the risk of inadvertently revealing that such a break existed.

We saw this effect many times over the years. Consider ENIGMA in WW-II, when we let rather a few allied ships go to the bottom rather than tip our hand to the Kriegsmarine that we had access to their cleartext.

So one way of looking at this is, unless one is discussing something of amazing criticality, one might as well assume that the hard problem hasn't been breached, yes?

Andrew Wallace • May 12, 2015 12:36 PM

Nick P, I can assure you I'm a real person and nothing to do with trolling.

Is it a coincidence you have completely different political views from me and are attempting to smear me?

You are using the tactic of labelling me as a form of bullying and smear to undermine and marginalise my opinions in the thread.

Andrew

Histamine • May 12, 2015 1:19 PM

@Andrew Wallace:

"[I] think the mass surveillance and airport measures have put criminals on the backfoot and acts as a deterrent to low to middle sized criminals."

Proof, please.

@Nick P:

"Thing is, with so much variance and government competition, we can't have a single set of rights."

We arguably do, and it's been around for decades: The Universal Declaration of Human Rights, available at http://www.un.org/en/documents/udhr/. It is part of the UN's International Bill of Human Rights.

Andrew Wallace • May 12, 2015 1:20 PM

"One is the new tactic of British and American intelligence agencies to plant people on significant forums to manipulate and disrupt those forums."

Who would probably use some random online nickname to do it. I'm using my real name and fully traceable to my home town and other locus information.

Someone working for an intelligence agency to purposely do such activity would not be traceable to their intended recipient.

Andrew

Nick P • May 12, 2015 1:42 PM

@ Andrew Wallace

You are indeed a real person, have different views, and maybe are traceable to your home. It doesn't change anything I said about you. That your posts use troll tactics to support police states and derail discussions of their improprieties led to the label of troll. You also distract most posts with tangent claims backed by no evidence or directly contradicted by public evidence. That UK intelligence organizations that you support pay or ask people to do the very same things leads one to wonder of your intent or background. Ignoring that angle, others noticed your use of troll tactics and deception regardless of which side of the debates they're on.

Also, the reaction to you is not typical to how dissent is addressed here. That's usually discussion, debate, and/or a few idiots showing up to shout stuff (sighs). Yet, you actually avoid discussion and debate with your troll-like proclamations and dodges of key points. That means you're not here for that. The most consistent result of your conversational style is distraction from key points and disruption of discussion in general. So, we call you by the title you've worked hard to earn: troll.

Feel free to drop those tactics anytime in exchange for actually making claims supported by evidence while citing that evidence. It will improve your credibility. Right now though, you have none as a security professional or even a participant in the spying debates. You're just a "security professional" nobody's heard of using troll tactics on key debates with a Twitter feed full of police and intelligence events.

Andrew Wallace • May 12, 2015 1:52 PM

My only tactic at the moment is to defend myself from the barrage of text from you in your attempt to build a momentum against me from other users.

Andrew

Bystander • May 12, 2015 2:46 PM

@ Andrew Wallace

Talking about perception of your posts here:

"One is the new tactic of British and American intelligence agencies to plant people on significant forums to manipulate and disrupt those forums."

This is pretty old - just google the word: sockpuppet
You no longer need a real person for that...

"Who would probably use some random online nickname to do it. I'm using my real name and fully traceable to my home town and other locus information."

Google the words: legend espionage

"Someone working for an intelligence agency to purposely do such activity would not be traceable to their intended recipient."

A legend could add some credibility...

Your perception by most here has been well explained by others.
I do not see in any way that you have taken an advice like the good one from Nick P.


Re: Catching the bad guys through total surveillance:

There was a war game exercise in 2002, called Millennium Challenge 2002.
The goal was to test the superiority of net-centric warfare combined with extensive SIGINT capabilities.
The test was a fail before some rules were set up to make blue win.

Why is this worth mentioning? Bad guys who are not too stupid had plenty of time to draw their conclusions since and not just only recently...

Nick P • May 12, 2015 3:02 PM

@ Andrew Wallace

Recognizing troll tactics and pointing them out is not bullying. Trolling itself is universally recognized by forums as a form of mental bullying and attack. Your own claims sometimes border on slander and definitely constitute fraud if you indeed read Snowden leaks. That your conversational style fits a number of points in common checklists, including points 11-13 here, on forum trolling is evidence for the classification of a troll. Assessing source credibility and intent is also standard in the intelligence field, including organizations you endorse. My original assessment of you (E5) used a non-British, but similar, methodology that they'd endorse and involved a systematic assessment of everything you posted. Funny how you support police and intelligence methods, which include assessment of sources, but think that assessing and reporting your credibility is "bullying."

"My only tactic at the moment is to defend myself for the barrage of text from you in your attempt to build a momentum against me from other users."

You could try another tactic: post only things you know can be backed by evidence and post evidence if you're challenged. If others post evidence, discuss the evidence rather than dancing around it, bringing up red herrings, or repeating the false claim as if it doesn't exist. Also, merely repeating the same claims without evidence shows you to be (a) untrustworthy as a source or (b) possibly malicious as a troll. We've had people show up just disagreeing with us. Then, there's people using troll-tactics like I linked to above who present no evidence of their claims, refuse to discuss evidence against them, and post in quite a high volume compared to others. That's why I classified you as definitely a troll with a non-zero probability of being a British government shill.

Staying on point discussing evidence and avoiding trolling behaviors I linked to will, by themselves, work wonders for your credibility.

Andrew Wallace • May 12, 2015 3:10 PM

Nick P has been reading far too much into things.

I'm an ordinary citizen who supports the police and government in their relentless fight against criminals.

I fully support mass surveillance as it's cheaper for the government to store everything and look someone up retrospectively than sending out foot surveillance to profile someone at the time someone is under suspicion.

Mr Snowden will be arrested and deported back to the United States once his Russian visa runs out.

Andrew

Nick P • May 12, 2015 3:30 PM

@ Andrew Wallace

"Nick P has been reading far too much into things. "

I just read your posts, both original and replies in discussions. I compare the information you give and presentation style with regular (disagreeing) posters, security professionals, and then trolls. Also, just compared them to checklists on forums fighting trolls. Only one comparison fits most posts.

"I'm an ordinary citizen who supports the police and government in their relentless fight against criminals. "

Perfect example of No 12 on linked page. You've ignored every key issue I've brought up about your posts while introducing a new claim which is irrelevant: most trolls are citizens with day jobs, specific political interests, and so on.

"I fully support mass surveillance as it's cheaper for the government to store everything and look someone up retrospectively than sending out foot surveillance to profile someone at the time someone is under suspicion."

Good work. You're improving. You've provided an argument for using mass collection: reducing cost or delay of police work after a crime is committed. People might counter with other claims, which non-trolls will discuss (eg value propositions of risk vs reward). Keep on this path and you're on the way to being considered...

"Mr Snowden will be arrested and deported back to the United States once his Russian visa runs out."

No 12 again... irrelevant to the assessment of your reliability, lack of evidence for claims, and so on. I'm accusing you of dodging discussion points on several threads with strawmen or red herrings. You then defend yourself with two red herrings. Lol. I'm keeping a link to this thread as you're building a case against you better than I can.

rgaff • May 12, 2015 3:30 PM

@ Andrew Wallace

"I fully support mass surveillance as it's cheaper for the government to store everything and look someone up retrospectively than sending out foot surveillance to profile someone at the time someone is under suspicion."

Do you care to discuss this? Perhaps review some evidence pro and con that statement? Or do you just want to put it out there, claim it, and move on?

rgaff • May 12, 2015 3:39 PM

@ Andrew Wallace

Come on buddy, it's a simple yes or no question...

Nick P • May 12, 2015 3:41 PM

@ Bystander

Thanks for the link! I didn't even know about that exercise. I love Van Riper's use of tactics. He'd be fun to play a strategy game against. That an Iran-style enemy with little weaponry defeated both our playbook and high-tech gear is disturbing. That they then rigged the game to win, followed by claiming it validated U.S. military doctrine, further shows the corruption and deceit practiced at the highest levels of the military. That's essentially the same thing we've accused NSA of with their mass collection claims and FBI of regarding how much encryption threatens them. So, that's three busted with evidence of pervasive lying to the military, the President, Congress, and the American people.

Anyone saying it's accidental or an isolated case at this point has little credibility. The amount of money they'll waste on ineffective approaches also undermines the cost reductions that a few people claim will happen. There's not much evidence for that in government in general lol.

Andrew Wallace • May 12, 2015 3:42 PM

Any intentional false communication, either written or spoken, that harms a person's reputation; decreases the respect, regard, or confidence in which a person is held; or induces disparaging, hostile, or disagreeable opinions or feelings against a person.

Defamation may be a criminal or civil charge. It encompasses both written statements, known as libel, and spoken statements, called slander.

http://legal-dictionary.thefreedictionary.com/Defamation+of+character

Andrew

rgaff • May 12, 2015 3:47 PM

@ Andrew Wallace

HEY WHY ARE YOU IGNORING ME? come on man... are you willing to discuss pro and con evidence to your statement or not? yes or no.

rgaff • May 12, 2015 3:59 PM

@ Nick P

"Meanwhile, I'm working on ways of dealing with that."

Perhaps I've stumbled upon a way here? But it requires sitting here glued to the screen for an hour or two pressing refresh...

Zenzero • May 12, 2015 4:06 PM

@Andrew Wallace

you said in another post:

"Bruce says here he wants mass surveillance powers given to the FBI as a form of population control."

unless you can show me a direct source for this (which you can't because Bruce never said it), which one is it when considering your criteria?

"Any intentional false communication, either written or spoken, that harms a person's reputation; decreases the respect, regard, or confidence in which a person is held; or induces disparaging, hostile, or disagreeable opinions or feelings against a person."

Another "intentional false communication" From another post:

"I got Full Disclosure Mailing List closed down in the United Kingdom where the smear took place."

That's also a blatant lie as John Cartwright had just had enough after quite a long time of dealing with it, please get your facts correct before starting to troll.

Your credibility is not getting any better @Andrew Wallace

rgaff • May 12, 2015 4:16 PM

@ Andrew Wallace

Come on... will you just answer me? You once said:

"I fully support mass surveillance as it's cheaper for the government to store everything and look someone up retrospectively than sending out foot surveillance to profile someone at the time someone is under suspicion."

Would you care to discuss evidence for or against this statement?

This is a simple yes or no question.

Fred P • May 12, 2015 4:20 PM

@rgaff - Most of my point was that typically cases dealing with U.S. constitutional provisions on foreigners that aren't in the U.S.A. fail due to jurisdictional grounds. Because of this the case law (at least at the Supreme Court level) is very thin. I then elaborated with the best references I could find; my apologies if that was unclear.

I agree that the Federal government does hide behind the state secrets privilege in courts. Too frequently, in camera examination of the evidence is not performed. I should note that some of the relatively recent, famous cases that were thrown out due to this privilege in 2006-2007 (American Civil Liberties Union v. National Security Agency, Jane Doe et al. v. CIA, El Masri v. Tenet) ; I'm hopeful that the executive branch has pared back some in its use. That said, we should consider better checks to this privilege.

As far as I can tell, Andrew Wallace has yet to offer anything substantive to this conversation. I wouldn't expect that to change.

BoppingAround • May 12, 2015 4:22 PM

[re: forum trolling] Nick P,
Interesting. From what I have read it seems that sometimes I, perhaps unwillingly and/or not exactly consciously, may be using the very same techniques in my posts.

I find this observation disturbing.

rgaff • May 12, 2015 4:25 PM

@ Andrew Wallace

You have been repeatedly invited to discuss just one of your points, yet you flat out refuse to discuss it, or even acknowledge the invite. If not troll-like, what do YOU call your behavior where you ignore an invite to DISCUSS THE VERY TOPIC THIS BLOG IS ABOUT???

If you don't want to be called a "troll" anymore... then let's discuss!

"I fully support mass surveillance as it's cheaper for the government to store everything and look someone up retrospectively than sending out foot surveillance to profile someone at the time someone is under suspicion."

Care to debate it, with evidence pro and against this statement?

Nick P • May 12, 2015 4:27 PM

@ Andrew Wallace

My courtroom appearances have worked out well so far given I stay within the bounds of the law. Most of my opponents, including a Fortune 100 company, folded in pre-trial negotiations after seeing how their false accusations wouldn't survive the scrutiny of a trial. You didn't have to cite what defamation is: I both understand it and previously studied case law on the subject. I also have templates available for defense and offense in the event I wanted to reduce trial cost on an easy case or do small claims court.

Looking at your claim, you'd have to prove I *knowingly* provided false information about you and had malicious intent whereby I didn't care about the truth of my posts or by implication yours. My posts in this thread and others clearly show the opposite given a detailed, evidence-based approach citing court-accepted methodologies. You'd also have to prove the owner of the forum didn't respond to claims of harassment, which his Moderator already did for you and others. You'd also have to survive my counter where I allege defamatory remarks you've made, potentially charge you with fraud for several of your claims, and sue you for personal damages and my time investigating you. Further, there's expert witnesses available for the subject who will articulate how your posts use disinformation or trolling tactics to harm online discourse as they did in prior legal successes. I'll optionally have one of the counterintelligence professionals I know show up to confirm the importance and validity of my source assessment approach. Finally, there's 250,000 readers as witnesses to your trolling behavior with a number having posted statements against you and a few that might do depositions.

I'm sure various mailing lists are afraid of your vague legal threats. Yet, having top-notch legal counsel on the topic, I know your case is very weak and the personal risk on your end is tremendous. Especially in the two likely jurisdictions where it will be tried. You might as well refrain from making any more legal threats as they'll buy you nothing given the evidence against your credibility and success rate of our local lawyers possessing such quality evidence. That you continue to refrain from discussing the issues with multiple people and went straight to legal threats is just further evidence for my counter-claim. You should cease your legal threats while you're ahead and the troll-like activity on top of that.

Note: I'm going to go ahead and notarize a copy of all of this through a third party in case you try to have it taken down via court order. Far as I can tell, I have legal arguments and eye witnesses to justify all of my claims about you so I'm not worried about them being preserved. You, on the other hand, haven't produced evidence of any claim beyond vague definitions online and have presented numerous defamatory statements about everyone from Bruce to NSA to me. Feel free anytime to start discussing issues on the security blog instead of making unjustified claims or legal threats to its readers.

Note 2: "Trolling" is the action of derailing a discussion with a deceitful or unethical conversational style. It does *not* mean someone is a real person. The use of fake personas is one among many techniques trolls may (or may not) use. That you can't tell the difference between the established definition of trolling and the claim that you are a non-existent person (whatever that is) further deposes your credibility in court on the subject. Again, you're wasting your time trying to use legal threats to suppress dissenting opinions or evaluations of your credibility.

rgaff • May 12, 2015 4:31 PM

@ BoppingAround

Some effective techniques can be used for good too, not just evil.. Not all of them, the end does not always justify the means. But some, sure.

rgaff • May 12, 2015 4:32 PM

@ Andrew Wallace

Come on man.. you still haven't answered my question...

Andrew Wallace • May 12, 2015 4:50 PM

Just in case Nick P composed his message before seeing this:

Andrew Wallace • May 12, 2015 4:21 PM

You've been repeatedly told I'm a real person and nothing to do with trolling, yet you continue to use the damaging label after being told you have got it wrong.

"Statements made with knowledge that they were false or with reckless disregard of whether they were false."

http://legal-dictionary.thefreedictionary.com/Defamation+of+character

Andrew

He has been given every opportunity to cease.

Andrew

Nick P • May 12, 2015 4:52 PM

"Walk away from the keyboard."

I didn't. Instead, I filed a copy of every claim you've made on this site with three separate notaries, two American and one Swiss. It's a nice collection including your recent, false claim that I said you aren't a real person. Now that the evidence is safely stored, I'll "walk away from the keyboard" as you've wasted enough of my time and I have much better things to do with the rest of it.

Feel free to also spend the rest of your day more wisely and comfortably.

rgaff • May 12, 2015 5:19 PM

@Andrew Wallace

How can you POSSIBLY not be a troll, when you IGNORE AND REFUSE to discuss the topic of this blog with me and debate that one statement of yours... you just get off on this tangent of legal arguments and won't come back.. That's the very definition of "derailing" which is what trolling is!

Come back to this blog and discuss that statement of yours instead. In case you don't have a copy anymore, here it is again:

"I fully support mass surveillance as it's cheaper for the government to store everything and look someone up retrospectively than sending out foot surveillance to profile someone at the time someone is under suspicion."

That one! You said it. Let's discuss it! Evidence for and against it.

Andrew Wallace • May 12, 2015 5:32 PM

rgaff

The topic was

NSA's Capabilities

My comment

"I fully support mass surveillance as it's cheaper for the government to store everything and look someone up retrospectively than sending out foot surveillance to profile someone at the time someone is under suspicion."

I haven't "Rerailed" anything apart from disagreeing with people with a grudge against mass surveillance.

Andrew

rgaff • May 12, 2015 5:39 PM

@ Andrew Wallace

OMG you actually responded to me.... how many hours has it been here that you've been ignoring me!

Ok... if you haven't derailed the blog (which is about security and security agencies).. then let's discuss your statement. Agree to discuss pro and con evidence of it? Or you want to refuse?

rgaff • May 12, 2015 5:42 PM

In order to not be a troll, you NEED to discuss things, not just randomly interject objections...

Andrew Wallace • May 12, 2015 5:49 PM

QL,

That is Full Disclosure Mailing List that is now closed in the United Kingdom because of their behaviour toward me and others.

Andrew

rgaff • May 12, 2015 5:51 PM

@ Andrew Wallace

Come on man... you still haven't said you're willing to discuss a SINGLE PIECE OF EVIDENCE pro or against your statement... why are you still ignoring this question?

Clive Robinson • May 12, 2015 5:57 PM

@ rgaff,

I would not hold your breath... you might go blue then green and stink the place up ;-)

If you remember he has made comment he is living within the UK and made a claim about there not being dishonest politicians, and I pointed out that several judges would disagree with him.

You may or may not know that UK MPs had an "expense scandal" and many ceased to be MPs and some were arrested, charged, tried, convicted and jailed. A couple of others have been jailed for presenting false evidence whilst under oath, whilst others appear to have taken bribes, committed indecency or sex acts against minors back in times past.

Well a UK magazine (Private Eye) did a simple calculation that concluded that the rate of offending in UK MPs was four times that of the UK national average...

He has had plenty of time to respond, even if it's just asking for verifiable facts... the fact that he has not done so is shall we say "interesting"...

On a side note, have you seen a leopard without or changed spots?

rgaff • May 12, 2015 6:01 PM

@ Clive good points, but I'm making a point too... and he's a person, if he's not completely on the funny farm, someone should teach him how to behave. If someone argues with you and has a good point (or even might or might not have one in this case), don't just ignore them, consider it, discuss it a little, etc, who knows you might learn something.

Sancho_P • May 12, 2015 6:23 PM

@ rgaff (11, 06:17 PM)

Sorry for the confusion, I’ll try to explain.
(I have a basic issue with the term “human rights” as “rights” would have to be granted by some authority, assuming there would be an accepted authority for the peoples of the world. But that’s leading too far away and only tangent to my point.)

Taken to the extreme, your “… citizen of such a country” would point at a “national” issue, as it would be only a (e.g.) US problem to strip others from (some of) their “rights” [1].
But it is not.
We all do it, we all are racists, more or less. White, black, yellow, east, west, north, south, whatever. I can not be more ashamed …

But my “our thinking” should point at the huge religious differences that still divide humans and go far beyond nations, just for a fictional figure that is intended to show us the way to - yeah, what?
Even slaves may be legal in case they are from other beliefs.

And we won’t find a global solution (peace) before our global end.
This is why I am deeply ashamed to be a human.

(sorry, didn’t read all following postings because lack of time, will do!)

[1] I’d rather name it “respect”, not right, as noted above.
We (the crown of creation … haha) should respect each other.

Zenzero • May 12, 2015 6:48 PM

@ Andrew Wallace

"That is Full Disclosure Mailing List that is now closed in the United Kingdom because of their behaviour toward me and others."

Completely untrue or please provide proof or yet again evade a simple dispute with a meaningless bullying allegation. Personally I'm feeling threatened by your behaviour, are you bullying me? *end sarcasm

Your behaviour is very similar to the individual "security researcher" whose work was called as nothing by experts in the field in the old full disclosure mailing list, I wonder...

@QL

Yes indeed his name does come up on a more than regular basis and seemingly always people attribute trolling to him.

Also I see he's changed his name link from his n3td3v twitter account, I wonder why...

Nameless AngelMay 12, 2015 7:00 PM


@Zenzero

AW@"Bruce says here he wants mass surveillance powers given to the FBI as a form of population control."
unless you can show me a direct source for this (which you can't because Bruce never said it), which one is it when considering your criteria?


Good catch, just as I was catching up on this thread and seeing that: AW **seems** to go about, trolling lists, using his real name, so he can eventually file charges and hope that by this means he can get warrants issued to get the brits the capacity to dig up information on posters. Weird 'defamation' laws.


Andrew WallaceMay 12, 2015 7:03 PM

This blog thread is a bunch of nicknames attacking the integrity of someone using their real name with no proof of their authenticity.

Andrew

ZenzeroMay 12, 2015 7:10 PM

@Andrew Wallace

It was Nicholas Lemonias who had been making threats to get the posts against him taken down. The posts which overall were valid about his supposed discovery. Lemonias is a bit of a fantasist, exaggerator and like your self has a pre Copernican mentality.

"In so many words he indicated it was essentially the emotional wear and tear of running the list." John Cartwright on why he had enough.

If you were a member of the list, which I suspect you were (I still have quite a large spool of mail from there interestingly) so are you indeed the original N3td3v (well not the original one as he actual knew something), but the one that assumed the name?

Hello HelloMay 12, 2015 7:23 PM

@ ZenZero
"The simple fact that he contacted people through the NSA/GCHQ/BND surveillance without anything triggering shows us that he was in fact quite adept at encryption."

To some, this is the fishy part. I'll go on a tangent to say there are two kinds of people, one that see glass half full, one that see it half empty. :-)

@ Andrew Wallace
" real name and link "

That's been the dilemma since the interwoven web launched to the public. It's a lot easier to get people to voluntarily provide such information than it is to passively, in **** own words, "profile" :-).

*legal disclaimer- all of above are my humble opinion.

ZenzeroMay 12, 2015 7:31 PM

Did I tickle a nerve?

I've posted quotes and links to sources on quite a few things now, you have yet to post 1 verifiable fact/source/quote. All you've stated are seemingly divisive comments meant to disrupt. If you want to discuss any item I've mentioned then please feel free to. You have made a broad sweeping statement that you closed Full disclosure, show me where this is shown as fact. Yes a N3td3v was a partial reason for John's closure of the mailing list, due to N3td3v's unrelenting trolling, making of new personalities and in one case trying to make a martyr of himself by saying everyone else on the list was trolling him...

If making broad statements, back them up with something other than self belief and try to retain humility in that you might in fact be completely wrong.

Unfortunately as @Clive Robinson sagely mentioned, "On a side note, have you seen a leopard without or changed spots?"

Andrew WallaceMay 12, 2015 7:34 PM

I will debate you once you switch to your real name and link to your Facebook profile or similar service to prove your authenticity.

Andrew

ZenzeroMay 12, 2015 7:48 PM

@Andrew Wallace

On a security and privacy blog, asking someone to post their real name and facebook is, to be honest, a bit of a cheap way out of a discussion. Surely your points are as valid knowing me or not?

ZenzeroMay 12, 2015 7:53 PM

@anonymity

very true, I had considered that it might be a form of "forum swatting". Probably wouldn't be the first time either

Nick PMay 12, 2015 8:07 PM

I checked the discussion on my phone and stuff was getting entertaining again. I couldn't resist coming back to this one. I'm getting up at 4:30am for an unusual job and it's 7:45pm over here. I just did some brief research to see who shutdown Full Disclosure since people kept bringing it up. The results are entertaining given the recent discussion.

John on Full Disclosure shutdown
http://lists.grok.org.uk/

Note: Shutdown request came from a researcher within the community that made many complaints. Implies it was legal threats.

"gsuberland" read the F.D. messages before the closure and reported this summary:
http://www.reddit.com/r/netsec/comments/20sxd2/full_disclosure_mailing_list_closes/cg6gdbr

Note: Nicholas Lemonias gets into a heated discussion about (essentially) whether he has any skill. He threatens legal action.

I look at Lemonias.

Nicholas Lemonias's Google+ page
https://plus.google.com/101495348944817588474/about

Note: Claims to be "an internationally acknowledged, and award-winning information security expert." [who has 11 followers and I had never heard of] Owns AISC. Names awards and certificates from major companies. Link to his site is dead.

Another link on a different page led to this nonfunctional site:
http://www.advancedinfosecurity.com/

security_curmudgeon writes on the shutdown with a copy of the email that led to it
http://blog.osvdb.org/tag/nicholas-lemonias/

Note: He mentions that only two were suspects due to their battles with the list: 'netdev' (andrew.wallace@rocketmail.com) and Nicholas Lemonias. Andrew Wallace, of Schneier.com fame, says he's not netdev. He also says he shut down FD. Yet, this report indicates that Nicholas Lemonias hit it with copyright infringement and that caused the shutdown. No blame is placed on netdev or andrew.wallace@rocketmail.com.

Finally, I find jerichoattrition's full writeup on Lemonias
http://attrition.org/postal/asshats/nicholas_lemonias/

Note: This is very interesting given recent experiences on schneier's blog. He posts many short, dodgy comments on FD list. He's accused basically of fraud and trolling. He later hits it for copyright violation and FD head shuts it down. Upon Attrition's post, he emails security_curmudgeon threats to take down "false information" about "us" (whoever other is). He warns that "online harassment is a serious crime." He threatens to call local police department. He sends a DMCA request to take down the site that contains numerous errors and perjury. security_curmudgeon blocks it by pointing this out, cc'ing that email to Nicholas Lemonias. That was the end of it.

BACK TO SCHNEIER EVENTS

So, Andrew Wallace is an unknown "security professional" posting short, often dodgy statements here. He's been accused of trolling by many. He warns them to stop posting false claims about him and says he took down FD for that. He lets me know that online harassment is a serious crime. He threatens a defamation suit and libel. All of this certainly doesn't make him Nicholas Lemonias so much as someone who acts *very* similarly. Shared bad habits, perhaps?

The fun part: Andrew Wallace claims to have shutdown Full Disclosure using legal threats of defamation, yet we know from emails Nicholas Lemonias *attempted* to shut it down over copyright infringement. The person running it got tired of headaches and shut it down. So, effectively, Nicholas Lemonias shut it down. Then, Nicholas Lemonias (per Attrition) tried and failed to take down security_curmudgeon's reports on him because he didn't understand the basics of DMCA notices. That's despite all the tutorials online. And as a liar, per the Attrition review of the DMCA claim.

So, back to Andrew Wallace. What shall we make of his claims that he shutdown FD, is not n3td3v, and is not Lemonias (uses real name)? Possibilities are that (a) he made a fraudulent statement taking credit for Nicholas Lemonias's legal attack on FD, (b) he is Nicholas Lemonias but made a fraudulent statement about his name, or (c) he participated with Lemonias in the shutdown as an employee, lawyer, supporter or so on... the "us" Lemonias referred to. Two of these constitute fraudulent statements and the other might have implications for his security expertise. So, if I think Wallace is honest, then he and Lemonias must be tight collaborators to the point that Lemonias threatens to sue and Andrew can claim the result. Otherwise, he's a liar and he didn't shutdown crap.

QED.

ZenzeroMay 12, 2015 8:14 PM

@Hello Hello

Very true, my glass is half full I think with a lovely scotch whiskey

it could be considered "fishy" though by some but at least my reasoning why it's not.

* He used crypto and had been trained how to by CIA/NSA
* He knew what they had issues with crypto wise (since been documented from an NSA slide)
* The US & UK governments' reaction to leaks (such as the internal memos ordering personnel to not view the documents, the public humiliation making denials to be later proven to be wrong, the initial confusion they had)
* Multiple police forces (including us/uk) which had issues decrypting properly implemented truecrypt volumes/gpg mails, caused them to attack the endpoints as they couldn't break the crypto)

Probably more I've forgotten due to the partially empty 1/2 full glass ;)

ZenzeroMay 12, 2015 8:22 PM

@Nick P

coincidentally my name's John.

Very good write up and summary which I think encapsulates what at least I was thinking.

Also there was no shutdown order just jaded admin tired that a community member was attacking.

I have the full Lemonias spool if you require Nick

ZenzeroMay 12, 2015 8:28 PM

@Nick P

After comments such as its previous request for my facebook and now yours,

"I have no reason to respond to Nick P until he posts what his full name is along with a verifiable Facebook profile."

I think it's accurate to say it's just a troll, so best as a community to ignore it till it goes away.

Andrew WallaceMay 12, 2015 8:31 PM

I'll happily debate you here when you provide real name or full name along with a link to your verifiable Facebook profile or similar service.

Keep in mind defamation of character still applies to anything you assert under your unverified blog post name.

Andrew

ZenzeroMay 12, 2015 8:40 PM

just because you court social media doesn't mean others do, assumption is a dangerous thing.

If you are incapable of having a discussion what is your purpose on a discussion forum?

By the way your hollow threats are better suited elsewhere.

Andrew WallaceMay 12, 2015 8:42 PM

"Assumption is a dangerous thing."

You best tell the person or person(s) smearing me on multiple nicknames in this blog thread that.

Andrew

ZenzeroMay 12, 2015 8:56 PM

No, I was telling you that, you're who that post was intended for, was there some confusion?

multiple nicknames, good old n3td3v's favourite pastime. I've noticed that your twitter account subscriptions coincidentally are the same as when you were linking your blog name with N3td3v's twitter. (btw did the NL alias not work out for you?)

You have made a lot of comments but have still not engaged in conversation/discussion on this forum, just an observation.

You're smearing people as bullies for asking you to discuss your comments, you're the one refusing to engage in that.

Andrew WallaceMay 12, 2015 9:02 PM

I've given you the benefit of the doubt that you are a real person and given you the opportunity to switch to real name or full name.

Andrew

ZenzeroMay 12, 2015 9:13 PM

You haven't commented on @anonymity's comment

"There is no evidence that is your real name."

or my follow up comment
"very true, I had considered that it might be a form of "forum swatting"."

and in regards to your main comment:

No, I've given YOU the benefit of the doubt that you might actually have a point to discuss but you clearly don't N3td3v. Pretty sad to be honest for someone pretending to be a security researcher, as I said you're not the original N3td3v (he was a troll but had knowledge and could actually be funny)

Nick PMay 12, 2015 9:33 PM

@ Zenzero

I have Lemonias's stuff too, if you mean blog posts. The reason I believe he is primary cause is:

1. John said it was "one researcher," one of their own, that was the tipping point.

2. This email by Lemonias that was shared with security_curmudgeon.

The Blog of Andrew "n3td3v" Wallace

I'm glad you mentioned it, though. A second look at the page brought something to my attention: Andrew n3td3v Wallace responded on his blog to that specific post about wrongs the list did him. *That* Andrew Wallace must have been some kind of coward with something to hide because he deleted the blog off the net after scrutiny reached it. The problem: he forgot to include that one little file to block a certain spider (archive.org) from latching onto it. The. Worst. INFOSEC. Student. Ever.

The Wayback Machine's copy of his blog post is here. Strange he speaks in the third person: usually indicates mental illness or breakdowns. Notice the heading: "Andrew Wallace is a... blah blah... in Glasgow." Where is this Andrew Wallace operating in per Twitter feed? Glasgow. This Andrew Wallace keeps referencing bullying, a term I've rarely seen a security researcher even use much less threaten to make legal threats over. The guy is unusual. Turns out, Andrew n3td3v Wallace wrote a post about a similar subject.

I'm not quoting it directly since the author didn't mention the license. Let me do a fair use summary. The author believed he was going to be someone in the security field. He created a list that allegedly was full of BS and sockpuppets. He wasn't accepted into other lists because he had no provable talent and only spoke the language of sophistry. He got blasted for his lack of talent in both information security and sophistry. In his mind, rather than admonition, he was experiencing a horrible and unnecessary beatdown by... cyberbullies!

It was all too much. Andrew n3td3v Wallace never finished his degree. The trauma of being shown a fraud and troll led him to hard drinking instead. That he couldn't earn respect without displaying talent made him so anxious he couldn't even find work. So, instead of learning security, he set out to... write a blog. A blog which would tell his horror story. Also, one that might get him back what they took and transform his whole career. And he deleted it after a real security professional linked to it.

LMAO. Andrew "n3td3v" Wallace... not to be confused with our Andrew Wallace of similar background, origin, mailing list participation, legal threat, and bullying outreach... was among the biggest failures in the history of the security community. Well, there was that one criminal hacker who promised he would leave the Internet in protest to the hate he was receiving for his lack of talent or morals. If we ever see Andrew n3td3v Wallace, it will have been an uphill battle for him to put the bottle down long enough to get back on the web and pretend to be a security expert [again]. We should applaud his courage... before showing him the door at every opportunity.

@ Andrew "not him" Wallace

"Cyberbullying is the use of technology such as mobile phones and the internet to bully other people." (Andrew Wallace of Schneier replying to criticism)

"Cyber bullying is any form of bullying which takes place online or through your mobile phone." (n3td3v's very last statement)

Meanwhile, if you're not n3td3v, you might want to stop acting just like him. That will only lead you to student debt, anxiety, alcoholism, and frenzied emails to The Wayback Machine to remove content. That wouldn't even be worth a summary of a biography. You can do better, man! I know! So long as you're not him. I have no further comment on that misguided, hateful, deranged person that is n3td3v.

@ all interested

Periodically check on those Wayback Machine links to be sure they're still there. Just in case. ;)

ZenzeroMay 12, 2015 9:48 PM

@Nick P

just to clarify (not to you but to others who read this) the full disclosure list wasn't shut down by shutdown order, it was stopped from frustration and fatigue from harassment over a long period of time and what's worse, attacks from within the community itself (not the companies trying to scramble to save face (in this instance)).

ZenzeroMay 12, 2015 10:01 PM

@Nick P

you found that too , excellent :)

Hopefully you can see why with knowing his penchant for crying bully, his refusal to actually even talk about what he's posting was to me a warning sign and an immediate marker of trolling, his history (or at least history he's taking on) predates him.

As I said earlier he's not the original N3td3v, he's like some immature kid coming in saying he's Sabu, just a wannabe

@Nick P thanks for posting, I'm a little restricted due to both ill health and geographical location (for different reasons entirely)

Nick PMay 12, 2015 10:02 PM

@ Zenzero

It was shut down for that reason. But, as I linked to John's post, there was *one researcher* who was on a legal attack and the last headache he wanted to deal with. So, the researcher only gets part of the blame. Yet, whoever he was, played a significant enough role that it was a big part of the final statement. Attrition seems to have ID'd him, been hit with the same crap immediately, and brushed him off. So, I blamed Lemonias's legal attack more than others and noted Andrew "alcoholic fake with no degree" Wallace supported the closing with one of his two blog posts. Only two before calling it quits. That's a fight, alright.

ZenzeroMay 12, 2015 10:05 PM

@Andrew Wallace (N3td3v)

"I recommend that Bruce implements a Facebook login for blog thread posts."

I recommend that a security and privacy discussion board disregard your recommendation as it's nonsensical, impractical, against the principle of the forum and frankly idiotic.

Nick PMay 12, 2015 10:11 PM

@ Zenzero

Just caught the other post. Yeah, it's possible Andrew "Not n3td3v" Wallace is a copycat or friend of Glasgow's worst contribution to INFOSEC. Can't be sure. But, you're welcome and thanks for bringing those extra links to my attention. One is how I ID'd N.L. and that led to the first AW of no proven skill. Here I was ready to send a summary judgment request and you helped me figure out he's not worth even that. Nice.

Note: I wish this forum had Facebook authentication. I'd have gotten a court order to return all results on a graph search of entries containing n3td3v. I'm sure the results would've been interesting. Not that I'm worried about being an American making statements on American soil and servers with potential British citizens crying "Lawsuit! We'll use our recently weakened libel laws and recent American supreme court rulings against many foreigners filing suit against Americans! Yeah, that will get them!" #notthinking

ZwnzeroMay 12, 2015 10:13 PM

@ Nick P

indeed just 2 posts and 1 a waffling diatribe about himself.

It was Lemonias's legal attack (I believe) that broke the camel's back, when some parts of the community are trying to hit you as hard as the companies you're actually trying to help, yeah, that's a killer

FigureitoutMay 12, 2015 10:18 PM

Nick P RE: n3td3v (l33t sp34k...really?)
--And...that got pretty sad. I think you've said enough now. As someone who struggles w/ some mental stuff which I've sadly put on display for the world (some of it my fault I brought on myself from previously not standing up for myself and letting people continue walking all over other people, but lots of it the work of others who have some illness themselves).

He obviously won't get hired and doesn't have what it takes. Just don't respond to them when they "get like that", it's best for all parties involved (as this thread has turned into a major turd).

Nick PMay 12, 2015 10:21 PM

re Andrew "Need Facebook Accounts" Wallace

Come to think of it, he might be one of those people that can literally only hack Facebook accounts thanks to the abundance of tutorials online. I mean, a security pro knows Facebook's real name policy is easily bypassed and the page can be loaded from various IPs. A Facebook account, if a private type has one, doesn't imply any kind of authentication or ID. Only a less experienced hacker would be foolish enough to demand Facebook for authentication. Actually, he's the first I've seen do that.

It has to be some checklist BS given I've never seen real security pro's demand Facebook for positive ID. Maybe he saw it in a "Dealing with Cyberbullying" course. Maybe it was on a TV show. Maybe brainstorming between shots of cheap whiskey. Just strange that he's the only one here that's ever wanted that for ID purposes. And we've had A LOT of security professionals visit.

ZenzeroMay 12, 2015 10:25 PM

@Figureitout

yes it has become turd, but someone trolling and selling snake oil on a security forum has to be addressed, if someone is naïve and is open minded, great, come in and listen and contribute and discuss. When someone comes in to just troll and just ask for facebook addresses before discussion, that's just sad

as a matter of interest did you read the old FD ML?

FigureitoutMay 12, 2015 10:32 PM

Zenzero
--Yeah, but what's he selling? Sounds like he's looking for employment, I sure as hell wouldn't buy any security product from him. So many people kept feeding it, just ignore it and eventually it's just spam.

Yes I did, and the blog (which was better for me). I don't want to waste too much time on it at same time, it's just mucking up comments page w/ worthless comments that are no fun to read, that's all too.

Andrew WallaceMay 12, 2015 10:38 PM

To the fictitious nickname people:

Are you going to be doing this in every thread on this blog?

If so Bruce will end up banning you.

Andrew

Nick PMay 12, 2015 10:40 PM

@ Zwnzero

I agree with you and Zenzero on that part. The weight of it gets to you. I've experienced this myself in other circumstances. I just like calling out jerks that went the extra mile and whose BS keeps showing up.

@ Figureitout

"n3td3v (l33t sp34k...really?)"

That's what he used, yes. I do it as a joke and tribute to good ole days. People that do it for pride are usually sending a message: "I'm amateur."

"And...that got pretty sad. I think you've said enough now. "

Hopefully. It was sad. A waste of human potential no matter how you look at it. Maybe he'll learn a lesson and start doing things right. It's never too late to better yourself.

"As someone who struggles w/ some mental stuff which I've sadly put on display for the world"

Yes... but at least you try to do productive things with your mind and don't try the crap he's tried. You sure didn't try to threaten people's freedom like he did. That's why you didn't deserve a full-on investigation and assault like we've had to do here. My conscience wouldn't have allowed it.

"Just don't respond to them when they "get like that", it's best for all parties involved (as this thread has turned into a major turd)."

Zenzero apparently just made my reply for me. That failed, aggressive fake was rubbing turd over the whole blog. Had to hit he and it with the firehose to get rid of the smell. If they don't use reason, what's left is basic deterrence and accountability.

ZenzeroMay 12, 2015 10:45 PM

@Nick P

we and many others here know asking for fb auth to discuss a conversation is BS at the highest level on a security/privacy website. He's not a shill and not a good troll.

On a side note for Glasgow, their coder dojo's are taking off quite nicely so not all's bad from that end of the woods.

On another note, I do wish this conversation had taken place on the Squid post.


@Figureitout

"So many people kept feeding it", I agree in general and made a similar comment but there are people who come onto Bruce's blog from varying security perspectives, and I wouldn't want to think that his BS waffle is what that person takes away with them. If someone goes outside their comfort zone to try to educate themselves, does anyone want a message like his being the only voice with no dissenters?

ZenzeroiMay 12, 2015 10:52 PM

@Andrew Wallace

"You've made out a well known security person using his real name is some sort of internet troll"

A well known "security person", "security person", really. No you're not, you have contributed a sum total of absolute zero to the security world, how does that make you important?

ZenzeroMay 12, 2015 11:10 PM

As has been mentioned many times, discuss what you comment on, this isn't twitter, this is a discussion blog. Posts here don't get blocked because you say something stupid...

Calling on Bruce when you realise hollow threats of law enforcement won't work is not discussion, just saying.

You've misquoted Bruce, have you asked Bruce what he thought about your misquotations btw @Andrew Wallace?

In the many posts you have made, you have not posted or really replied to any question put to you. You instead tend towards the calling of bully etc to apparently hide behind, you're hoping @moderator will pop in and help you to continue your trolling by helping the poor bullied one.

You have a history of trolling from many other sites and I've met you before so I know your modus operandi

Andrew WallaceMay 12, 2015 11:11 PM

A full on investigation???

You've smeared me from start to finish nothing said is accurate and you've used a nickname to do it.

The only reason I haven't replied is because you refused to switch to your real name and link to your Facebook profile.

Andrew

Nick PMay 12, 2015 11:13 PM

@ Andrew Wallace

"Bruce I suggest you some how lock this thread or do something about it."

The thread has uncovered evidence you're a fraud in more ways than one. It's already been notarized by three separate sources, along with your twin's site, in case you're foolish enough to try the matter in court. It will also likely happen in American court under American law and your own statements will show you to be a fake, security professional or troll. Good luck.

As an aside, you went from encouraging someone to "walk away from the keyboard" due to your imminent win in court to asking people to register with Facebook and demanding people be banned. It's good that you realized you have no case in general and less likely against Americans calling your BS. Now, I encourage you to type "about:blank," forget this site existed, walk away from your keyboard, get some sleep, and never return. So many will be appreciative.

ZenzeroMay 12, 2015 11:31 PM

Andrew you are not Bruce, don't make comments on his behalf.

You're trolling a discussion forum by commenting and refusing to discuss your comment without facebook addresses. That's moronic to be polite, also presumptuous that everyone that posts here should have a facebook account.

What you should do, go back, make your blog again and make having a facebook account a requirement. Simple, and I'm sure as a security researcher not an issue in short effect. Please feel free to post your "discussion" blog here so we can, erm visit and discuss

Andrew WallaceMay 12, 2015 11:35 PM

I've had to put up with these kind of online attacks for years from people who are probably criminals hiding on nicknames.

It is a sad state of affairs.

They were given the opportunity to use their real name and link to their Facebook profile to have sincere and genuine talks about security.

That never happened.

Andrew

Nick PMay 12, 2015 11:37 PM

@ Andrew Wallace

"If you do this in other threads Bruce will ban you."

That's the weirdest statement I've seen on the subject in a while. You mean we'll get banned for cluttering up other threads but not the one where your true colors shine? Or this one too? Who knows what will happen there but I don't plan to clobber threads as you have. It's not necessary. We have enough data on both Andrews and one Nicholas to show their true colors. Most come from their own remarks.

As you're too slow to figure out, my original plan was to uncover whatever real claims you had (none), find data on who you might be (sad possibilities), and then let you show how fraudulent you are with your own claims. Your ego forced you to take the bait and you showed that you have absolutely nothing to back up your claims except legal threats with questionable jurisdiction. All these discussions and evidence, yet only one person hasn't said crap of substance except for threats and dodges. That's the person I originally claimed was just a fraud: Andrew "I Stay Trolling" Wallace.

You should get a new hobby. This one of bullshitting security pro's... you aren't so good at.

FigureitoutMay 12, 2015 11:45 PM

Nick P
It's never too late to better yourself.
--Actually, at a certain point, it can be...

That's why you didn't deserve a full-on investigation and assault like we've had to do here.
--I've had that, and it's a major sh*tstain on my life that I can still smell and haunts me to this day; I couldn't sleep in my bedroom for a year or so, I slept on the floor in a different room (w/ doors that I could hear intruders..). It was the wrong thing to do in every aspect, but still happened and inflamed my anxiety to extreme levels. Regardless, what I want is to make simplified step-by-step instructions for good/strong true security for people *who want it*, those who don't, you will.

Zenzero
does anyone want a message like his
--If someone is retarded enough to believe some of the trollish statements, then they're probably not worth caring about until they become a brainwashed suicide bomber or something on that level where they need to be killed.

n3td3v
A full on investigation???
--You don't want that, trust me there are many good private investigators that will track you down. Shut your mouth before someone starts digging further, they will find you. The legal system will not protect you from malware or other methods...Once someone knows your face and where you live, there's little you can do, and you may not even notice it...

Andrew WallaceMay 12, 2015 11:50 PM

"You don't want that, trust me there are many good private investigators that will track you down. Shut your mouth before someone starts digging further, they will find you. The legal system will not protect you from malware or other methods...Once someone knows your face and where you live, there's little you can do, and you may not even notice it..."

I don't understand. I'm a real person who is known on and offline. You are completely smearing me and have got the entire wrong end of the stick and seem to have got me mixed up with criminals who were impersonating me on Full Disclosure Mailing List.

I got the list closed down because of the people impersonating me, probably criminals who know me off line from the security world.

This whole thread is bizarre.

Andrew

Nick PMay 12, 2015 11:58 PM

@ Figureitout

"Regardless, what I want is to make simplified step-by-step instructions for good/strong true security for people *who want it*, those who don't, you will."

Ouch lol. Reality: my stuff is closer to what people want than your stuff. It failed. So, I've made stuff people who wanted it denied. That means the stuff you're making will have even less effect. Security vs convenience usually works that way.

@ Andrew Wallace

"you are probably a criminal who has a grudge against people in security."

Actually, people like me in high assurance face attacks by the U.S. government if we make secure devices in Five Eyes territory and/or export them. The Snowden leaks show that there are also covert programs that exist to screw with us. NSA actually says I'm law abiding if I weaken things to the point that criminals everywhere might benefit from it. That you don't know of BULLRUN and FBI's work with NSA shows you're way out of the loop. And they didn't put me down criminally... why would you?

"I got the list closed down because of the people impersonating me, probably criminals who know me off line from the security world."

We have solid evidence another person closed the list. You're lying again. That's twice you've used bizarre to describe critical inquiry on this blog that you don't understand. I archived and notarized your other "bizarre" claim sometime after I did the others. There's nothing bizarre about people on a blog calling out a litigious, aggressive fraud. That happens in groups across the world, believe me.

Nick P • May 13, 2015 12:03 AM

Ok, it's good night for real this time. I've lost enough sleep. I'll pay for it soon lol. That's the cost of doing what's right: making sure Andrew 'n3td3v' Wallace can't easily torment others without many eyewitnesses waiting to destroy him in court.

Andrew Wallace • May 13, 2015 12:06 AM

I don't understand. There was someone on Full Disclosure Mailing List called n3td3v; is that related to this thread and why I'm mentioned?

I thought at first this was a smear on purpose but maybe you think it's real?

Andrew

Figureitout • May 13, 2015 12:12 AM

I don't understand. I'm a real person who is known on and offline.
--That's great, me too. I know some of the people on here by their faces, and I can identify readers too and can backtrack some investigator's tracks b/c they were sloppy telling too many people too much; bringing them into this f*cked up botched investigation. Based just on *that*. Guess how many more clues I can get using some other tools?

Maybe they were impersonating you b/c you add nothing to a conversation but worthless noise? Bruce's blog is a mix between technical and conversation, but pure worthless noise gets me pissed too (I make some *bad* jokes, I can kill that too and we can just be robots, fine by me). Then crawling back to the legal system, b*tch move. Is that supposed to be a threat? They don't even know...never mind.

Nick P
That means the stuff you're making will have even less effect
-- :( Well, all I need is some close friends to use it and if I find a suitable "cipher chick" who can occasionally, keyword *occasionally* hack me lol. That's all I can do w/o being authoritarian "Use this sh*t motherf*cker!". Nature only cares about itself anyway...

Andrew Wallace • May 13, 2015 12:18 AM

"-That's great, me too. I know some of the people on here by their faces, and I can identify readers too and can backtrack some investigator's tracks b/c they were sloppy telling too many people too much; bringing them into this f*cked up botched investigation. Based just on *that*. Guess how many more clues I can get using some other tools?"

I don't understand. I'm known online and offline. My home town is available as well by looking at my Twitter page followers.

Andrew

Andrew Wallace • May 13, 2015 12:19 AM

You've completely got the wrong end of the stick, I'm afraid. I'm known both online and offline. I fully use my real name and allow people to know exactly where I live with ease.

Andrew

rgaff • May 13, 2015 12:38 AM

wow.. just wow...

@ old timers still going on this thread:

make sure you don't let the new guy get you worked up enough to get yourself banned... none of us benefit from that...

Good Evening Sirs • May 13, 2015 1:00 AM

@ Andrew Wallace
"I don't understand this thread at all, it's bizarre."

How cute,

Everyone likes a good mystery story for bed times.

Have a good life, Andrew.

:)

anonymity • May 13, 2015 3:29 AM

@Bystander

Google the words: legend espionage

Hah! Google the show "Legends", starring excellent actor Sean Bean.

There are plenty of people who live with fake backgrounds. Catfishing is a thing. Talhotblond excellent survey of how even poorly skilled amateur civilians are living online as people they are not. http://www.imdb.com/title/tt1370889/ One of the best documentaries on comp sec people can actually watch. Surprising. Like the little noticed "Legends" show.

Very easy to just become someone "official" or "real" by taking in details of their facebook, linkedin and other systems... there are entire schools on method acting, of "accidentally" bleeding out false clues here and there, "accidental" making it all the more real. Even many systems for altering sentence structure, ways of writing, to jimmy up forensic linguistic systems. If not of the human design, of the human mind.

How do you prove who you are. On forums like this, like the 'old days', by the information you have to give. Not on flashy resumes. We are skeptical on information by our nature, well trained at being wary of bad information, diligent and respectful of good.

Observation: the problem child relies on an Andy Warhol technique of communication. Say more by saying less. Warhol famously explained he was not very popular until he forced himself to become more short in words and obscure in statements.


tyr • May 13, 2015 4:25 AM


I told an Irish friend after seeing Braveheart
that I knew the movie would be all lies because
it claimed a Wallace had learned to read.

I actually think our treasure here is Zuckerberg
in disguise trying to push Facebook on people
who know better.

When I see our treasure produce something of value
instead of Andrew Beckwith one liners then I'll
start paying attention. If he's serious about the
legal threats then Bruce knows a very good lawyer
named Eben Moglen who can implement Figureitout's
plan for Wallace.

There's a descriptive word for people who call
others criminals for legal behavior: the word is
STUPID, and if there's one thing that will make
you stand out in this crowd that has to be it.


Nick P • May 13, 2015 5:09 AM

@ Andrew Wallace

You know what you're doing. You know what you've done. Yet, you stay here doing more of it and making threats on top of it. You deserve all that you've gotten. The next time you troll a discussion or mislead someone, I'm linking back to this thread in the comment. No big discussion or anything will follow: just the one link that you're not worth but is necessary to prevent you wasting people's time.

Clive Robinson • May 13, 2015 5:11 AM

@ Nick P,

As I said to Greensquirrel when the name "Andrew Wallace" recently appeared on this site, I was reminded that someone with similar behaviour had used the same "Andrew Wallace" name before on this site.

A quick google on this site showed what I had thought was true and also the link to the name "Andrew Wallace" and n3td3v.

The only question outstanding was if it was just one or more than one meatspace person behind the name.

I googled further and found all that you have said you found and some more besides. I found the Uni information and a bit more (deleted google groups) and concluded that the past n3td3v persona was an attempt to become "known", potentially for the purpose of employment.

Which is why, despite the uncertainty of the meatspace person(s), I advised the current "Andrew Wallace" to think about their credibility with prospective employers.

However my advice was ignored, which suggests either the current person chooses to ignore their own future (a sign of personality disorder) or is actually choosing to damage another person who actually has "Andrew Wallace" as a real name.

However if that is the case there is the question I've raised in the past of collateral damage. I know that there are at least five other persons in security in the UK that share my name, thus I have to be mindful --even if they are not-- that others may not be aware that at least six people share the name and that collateral reputation damage can arise.

It's a problem I've been aware of for longer than this blog has "officially" existed, and is just another reason why I have chosen, despite requests to do so, not to have my own blog.

It's also clear that Bruce has become mindful of reputational damage via blogs, due to being a lot more circumspect than he used to be in times past.

Others have given up their blogs and lists because of those wishing to cause harm for bragging rights or ego food. I am increasingly concerned that this is becoming "organised" in a similar way to sites in Russia and old Communist States around Russia, much of which appears to be "arms length" "fully deniable" political suppression.

Needless to say I'm not unsurprised but deeply saddened by the announcements of the Conservative Party today of their intent to bring back not just "the snoopers charter" but other undemocratic legislation, supposedly to stop "radicalism" but actually ideal to suppress all forms of "not officially recommended" free speech.

Including it would appear pointing out that the political system we currently have in the UK is actually not democracy in any way, but just an outdated illusion of what democracy actually is...

Andrew Wallace • May 13, 2015 6:37 AM

I've repeatedly called for the online trolls on this thread to switch to their real name and link to their Facebook profile to give them the benefit of the doubt.

The individuals have been unable to do so.

They have searched online from public search engines where they have found posts from other online trolls from a number of years ago and have posted them.

This seems to be an attack from online trolls who have searched on public search engines from what other online trolls have written to continue a campaign of trolling.

The online trolls in this thread and from a number of years ago share the same characteristics of jealousy about my role in the industry and their disrespect for authority.

Andrew

Andrew Wallace • May 13, 2015 7:14 AM

Clive Robinson • May 13, 2015 5:11 AM

Conservative Party today of their intent to bring back not just "the snoopers charter"

Yes we plan to push forward with the Communications Data Bill now that we have a majority in the House of Commons after the General Election a few days ago.

This is to update data laws so we can better identify individuals online who refuse to use their real name and link to their Facebook profile.

We wish ISPs to retain data about online trolls and criminals who come to our attention.

Andrew

QL • May 13, 2015 7:29 AM

"The online trolls in this thread and from a number of years ago share the same characteristics of jealousy about my role in the industry and their disrespect for authority."

Ahww. Diddums. Did those nasty bloggers say something you don't like Andrew? Perhaps we should make disagreements illegal?

Nobody here owes you anything. If you want to post here, there is a possibility that somebody will disagree with you. The Internet must be a terribly rough place for those with brittle egos.

Andrew Wallace • May 13, 2015 7:41 AM

"Perhaps we should make disagreements illegal?"

This thread hasn't been a disagreement; it's been persistent online trolls who have intentionally wished to insert certain data into public search engine results when my name is searched.

Andrew

Moderator • May 13, 2015 8:48 AM

Visitors to this blog are under no obligation to provide their "real name" to participate in discussions.

Thomas • May 13, 2015 10:06 AM

@ anonymity, "Very easy to just become someone "official" or "real" by taking in details of their facebook, linkedin and other systems... "

Sites like Facebook have real name policies, which means using a fake name may break not only their user agreements but local law(s) of jurisdiction. Furthermore, calling people out for not linking to a facebook page is utter absurdity, especially under the comment section of a blog post.

"Even many systems for altering sentence structure, ways of writing, to jimmy up forensic linguistic systems. If not of the human design, of the human mind."

There appears to be a conscious effort to not only linguistically analyze these blog(s) in retrospect but also index them in private knowledge bases. That goes to say a lot about the quality and intrinsic nature of these blog(s) and their visiting posters.

"the problem child relies on an Andy Warhol technique of communication. Say more by saying less. Warhol famously explained he was not very popular until he forced himself to become more short in words and obscure in statements."

An observation says these posts are "popular" by view counts. Intrigued, rather, negatively or positively they tend to appease or displease enough to spur talks.

I give the moderators a lot of credit for maintaining a blog like this. It's certainly a job for pros and "please don't try this at home."

BoppingAround • May 13, 2015 11:07 AM

rgaff,
I tend to think that my posts I had written about earlier may have caused more bad than good. On a less negative note, there is a rather major chance they had no effect whatsoever. I hope so.

Guess I'll have to watch my tongue and re-read the infamous FBI Forum Trolling Guide, lest I fall into this trap again.

AW,
> If you are not a criminal start using your real name and link to your Facebook
> profile.

You have just made my day. Thank you.

Sincerely yours, a jolly trolly full of criminals behind fictitious nick-names.

Sancho_P • May 13, 2015 1:40 PM

Sorry, couldn’t read all comments after rgaff 11, 06:17 PM. Too much BS in between.

Please repeat after me:

Don’t feed the troll.
No single comment, no reply. Nada.

One can easily ignore postings from a single troll.
But it really gets hard to follow a serious discussion when usually relevant posters start arguing with meaningless or random “contributions”, regardless whether these postings originate from a software or a plain fool.

Not the troll, the troll feeders taint forums.

Please, do not …

Bystander • May 13, 2015 3:42 PM

@ Nick P

Thanks for the link! I didn't even know about that exercise. I love Van Riper's use of tactics. He'd be fun to play a strategy game against.

You are welcome. I read about it shortly after it happened. I was impressed by the wise use of the possibilities he had in this war game.
He'd certainly be fun to play against in a strategy game, but better to have him on your side when it really counts...

The outcome of this war game shows nicely that it is an error to rely solely on mass surveillance, as the opponent might move on to different tactics that invalidate the perceived advantage.

Another interesting thing to study could be the history of the police work to defeat the Red Army Faction. This was the first application of mass surveillance tactics in Germany I am aware of.

Marcos El Malo • May 13, 2015 3:55 PM

It would not surprise me if the impostor was the "original" posing/posting as an impostor to stir suit up. That was the first thing that occurred to me.

This thread was mildly entertaining, and yet if it was someone's intent to derail the conversation on security, they succeeded. Hopefully they won the battle and lost the war, and we won't see another successful derailing.

@ figureitout

I like your contributions, although I don't always follow the technicalities (same with some of the other "star" commenters here). Please don't stop posting.

@ all

As a curious lay person I find this community and the discussions here interesting and informative. I hope the moderator will remove the "saboteur" for his childish behavior, which is the opposite of interesting and informative.

anonymity • May 13, 2015 4:53 PM

@Thomas

"Furthermore, calling people out for not linking to a facebook page is utter absurdity especially under the comment section of a blog post."

That is a common tactic of his. He makes as absurd of statements as possible. He could be fake or simply an absurd person.

"Even many systems for altering sentence structure, ways of writing, to jimmy up forensic linguistic systems. If not of the human design, of the human mind."

"There appears to be a conscious effort to not only linguistically analyze these blog(s) in retrospect but also index them in private knowledge bases. That goes to say a lot about the quality and intrinsic nature of these blog(s) and their visiting posters."

Yep, why it is a very interesting blog. Giants always attract smaller animals to live off their trails.

Nick P • May 13, 2015 6:36 PM

@ Clive Robinson

There was certainly a risk of collateral damage. I jumped the gun with the first accusation a while back on circumstantial evidence. Then, he claimed to have taken down Full Disclosure. I found that this was a lie. Additionally, follow-ups produced two people with similar lack of credentials, troll-like behavior, and legal threats. One, Andrew 'n3td3v' Wallace referenced cyberbullying using almost the same line as this one. It could be a smear job by trolls or coincidence. However, he is literally the only person I've ever seen on the Internet that meets all these criteria (incl the name). Plus, he's an asshole with almost zero positive value here. So, I fired away.

@ Sancho_P

That's typically good advice. This one uses legal threats on opponents, though. Plus, there was a tradition on this blog of putting snake oil writers or companies In The Doghouse. So, Andrew Wallace's nose is being shoved in his own mess in a doghouse I just built around him. The battle had to happen on *some* thread. This one was... very sadly given the topic's importance... already swamped by trolls. I decided I'd keep it all on this thread, keep a link to it, and just drop that next time he trolls with a message to ignore him. Important to have evidence, though, especially for a guy wise enough to file lawsuits in courts that have no jurisdiction over me in this context. ;)

@ Andrew Wallace

re Q&A about Andrew "Well-known Security Professional" Wallace

That said, I think you should be given a fair chance. You claim to be a security professional who is "well-known" throughout London and Glasgow. You claim Andrew Wallace is your real name, you participate in large security events, and are implied tight with police/intelligence per Twitter. Being a professional, you'd like to have a good rep with widespread notice. You never know which of the silent readers of various blogs is a manager looking for talent. Let's get some basic information on you.

What certificates do you have? What degrees do you have from what Universities?

What are your specific skills in terms of security? What would you do for your consulting fee or salary?

Which organizations have you verifiably done information security work for? And who do we email for verification?

Where is *your* blog that has your essays, tips, and designs in the field?

Do you have any papers in peer-reviewed journals or analysis posted to high profile security sites that had positive reception?

Do you have any published patents you would like to show off? Or unpublished trade secrets of little commercial value that you'd share for public benefit and/or advertising your skill?

(I've done the latter online for 7+ years here and elsewhere. Me first, now you.)

Would you give us a link to your personal Facebook and/or LinkedIn page?

(Facebook and LinkedIn can be bullshitted. Yet, Twitter is most easily bullshitted and you've already demanded discussions happen with a traceable, Facebook account. Hence, you must have one and share on principle.)

We can begin assessing your claims of identity, reputation, and skill once these basic questions are out of the way. With all the alleged trolling, I'm sure a well-known person such as yourself would appreciate the chance to show who you really are, what you've contributed to the field, and why you're worth the time or money. Unless you are a troll: that would lead to a reply not fitting of even LinkedIn, much less a "security rockstar's" blog. I'm ending this post by giving you the benefit of the doubt that we're about to see some verifiable information leading to an impressive new member of this reputable INFOSEC forum.

Waiting on you, Mr. Wallace.

Zenzero • May 13, 2015 7:13 PM

@Nick P

"Yet, Twitter is most easily bullshitted and you've already demanded discussions happen with a traceable"

Up until 2 days ago his twitter was linked to @n3td3v then changed to @andrewsecurity, oddly the exact same subscriptions were in place.

If you look back to some of his previous posts (in other threads) on this forum he says himself he's n3td3v, but yet denies it later. He's not the original, just a troll taking on another troll's name. I don't personally believe he's Scottish or any of the back story, which if you look is very shallow. Quite a few years ago I had a conversation with a N3td3v on IRC and while a troll at the time, he showed knowledge of the industry and wasn't in any way like our current incarnation.

65535 • May 13, 2015 7:47 PM

@ Zenzero

“Up until 2 days ago his twitter was linked to @n3td3v then changed to @andrewsecurity, oddly the exact same subscriptions were in place. If you look back to some of his previous posts (in other threads) on this forum he says himself he's n3td3v, but yet denies it later.” –Zenzero

I agree that it is strange or well choreographed.

I took a look at n3td3v on this blog and googl'd him. He looks like a provocateur. He may be in the business of defamation litigation like some other high profile criminals.

It’s possible he does have a consulting contract with the Agency or MI6. His impersonators could be just his buddies using a proxy – a false flag operation to boost his 'victim' position [and legal position to sue]. He has boasted that he shut down certain forums in the past – and is now following the same pattern.

I would just steer clear of him. Either way he is trouble.

Zwnzero • May 13, 2015 8:04 PM

@65535

He's just a troll under a better troll's name. Just a wannabe. Probably a dreg from B who couldn't make it there so tries elsewhere.

He boasts but has done nothing except annoy people; the mailing list that closed was more to do with NL being a muppet than N3td3v's shenanigans.

N3td3v's MO, by the way, is multiple personalities, possibly a reflection on mental stability?

anonymity • May 13, 2015 9:36 PM

@ZenZero

Up until 2 days ago his twitter was linked to @n3td3v then changed to @andrewsecurity, oddly the exact same subscriptions were in place.

Yes, I noticed he was now denying he is n3td3v, whereas before he was not. Not surprising he went so far as to change his twitter link. That contradiction proves he is a liar.

Quite a few years ago I had a conversation with a N3td3v on IRC and while a troll at the time, showed knowledge of the industry and wasn't in any way like our current incarnation.

That is the most pertinent information on the subject I have read. However, I am not sure if you are correct. The original n3td3v was also like this. What knowledge of "the industry"? The original "n3td3v" was also a poseur who pretended to be a security researcher, who longed to be an English cop, and was not, at least, a security researcher. He had zero credentials and could not speak on the subject coherently, at all. Conversely, it is not hard for anyone who does have experience in that specific field to prove their bona fides. It is a very technical area and there are small social circles involved.

Nick P • May 13, 2015 10:00 PM

@ 65535

"He looks like a provocateur. He may be in the business of defamation litigation like some other high profile criminals. "

I actually considered this possibility before I responded to him. He'd be decimated in an American court under the circumstances. I think that people in INFOSEC or pro bono law in Britain should teach the guy a lesson with their legal system. Maybe several in a row that include liens on his property to claim the judgement award. If they do that sort of thing over there.

I understand if others want to steer clear. Especially in U.K. given he's litigious and that's a suitable jurisdiction. We in the U.S. and others using proxies/Tor will handle the publishing. Brits can handle smashing him in their courts. A nice division of labor and risk, I think. ;)

@ Zenzero

Good catch. I've added it to the collection. It's actually two different profiles and n3td3v is still there. Here they are side-by-side for comparison: n3td3v and AndrewSecurity. Some slight similarities there.

@ SubZero

Another troll whose links I'm not bothering with. The information I dug up on Lemonias leans toward him being a fraud in how he presents himself, with questionable publications, no respect in the security community, no website any longer, and no verifiable credentials. His only accomplishment is taking down a mailing list by giving the owner headaches and lawsuits. There's kids in the chans that do that kind of shit once a day with barely any skill.

Unlike NL, Brian posted evidence backing up his claims including the guy's emails and dodgy online statements. Brian has a blog. He does write-ups on security, tech, etc. People have heard about him. And so on. Easy choice between the two on whose reporting is more trustworthy.

All Nicholas Lemonias wanted was undeserved fame and fortune via limited technical work, disinformation, troll tactics, and lawsuits. What he got was little of both plus a DMCA rejection because he can't handle something that simple either. Funny shit. You should worship someone with real skill.

Nick P • May 13, 2015 10:13 PM

@ anonymous

"Conversely, it is not hard for anyone who does have experience in that specific field to prove their bona fides. It is a very technical area and there are small social circles involved."

I agree. I was in a specialized part of it operating under NDA (not classified) where I couldn't give details of most of my work. Plenty of people wondered about me because I was outside normal circles and criticized many of their security approaches. Understandable. My simple solution was a list of my designs, analyses, essays, and so on that I posted in places like this. A person reading several or more of them can tell I know what I'm talking about or am ahead of the curve. Such evidence, in writing or doing, is the minimum I myself expect from someone to prove knowledge or talent.

The questions I asked Andrew are a rehash of my old interviewing attempt for security researchers. As you can see, each gives room to refine into specific questions to assess real-world knowledge or skills with minimal work. It's just a few, simple questions any security professional should be able to answer without worry (aside from FB profile lol). Andrew Wallace, a supposed professional, should be able to put us a bit at ease with a single reply.

Instead, we've seen a horde of trolls pop up to defend two INFOSEC frauds. Their writing style is similar. These are either further evidence dude's a troll or the very career-destroying trolls Andrew "not n3td3v" Wallace warned us about. His answer to my questions is still the start of clearing his name. I fondly recall how energetic he was: always at his PC or on his smartphone to reply within an hour, sometimes minutes, of anything I posted. I'm sure he's just getting links together to all his publications, patents, enlightening blog posts, and corporate referrals. He should be back with that stuff any minute now.

anonymity • May 14, 2015 12:07 AM

@Nick P

I was in a specialized part of it operating under NDA (not classified) where I couldn't give details of most of my work. Plenty of people wondered about me because I was outside normal circles and criticized many of their security approaches

I have seen plenty of interactions "like that" in security research fields. I will note you make careful claims here, as well. You are careful to state you worked in a "specialized part of it". You are careful to note 'you operated under a NDA', and you specifically know enough to separate that claim from stating you were working under clearance. An important distinction.

The questions I asked Andrew are a rehash of my old interviewing attempt for security researchers. As you can see, each gives room to refine into specific questions to assess real-world knowledge or skills with minimal work. It's just a few, simple questions any security professional should be able to answer without worry (aside from FB profile lol). Andrew Wallace, a supposed professional, should be able to put us a bit at ease with a single reply.

You write all of this with the cadence of a single breath. No pause, no hesitation. With confidence, though you point out you have suffered some skepticism, that you have been in a position to hire and interview security researchers. With confidence you relate the questions could be asked with ease. Did you ask yourself these questions? No. You have asked others these questions, and have answered similar questions.


Your questions on certificates and universities, and reliance on writings and blogs and such are the only matters which give me any pause. Security researchers make their names by the security vulnerabilities they find. That is also one of the first questions to ask.

Guys like n3td3v are not security researchers. I did not pay much attention to that list during the time of his posting, but when I did, I immediately noted he had no security vulnerabilities to his name. So, zero respect from me. Us, our guys? We are who we are by the security vulnerabilities we have found. Those are our chalk marks on the bed post in our field.

Plenty of poseurs riding on our coat tails. Talkers. They do not even know what the race is about.

Figureitout • May 14, 2015 1:55 AM

Marcos El Malo
although I don't always follow the technicalities
--Then we fail. Appreciate kind words, I love helping people. I've done a couple tutorials here and my blog is dedicated to that (I'm going to change it though to not just that); it's hard to document every little thing, it's so much to type out. I empathize w/ this in poorly documented code. The thing w/ technology (high-level-electricity based, not lower chemistry into theoretical physics of newer particles..) is once you get the lowest details you get it. I can't get enough of it now, finally found what I want to do.

I'll be spewing out my designs and builds as long as the blog is around (they'll be small enough to account for potential serious errors), that make sense to me and I approve of (not that it means much, personal opinion, but I am hard to please), hopefully I'm not alone. There's just always areas where you have to rely on toolchains and such and that's where you get hosed security-wise.

anonymity
A "snitch" to the "feds"? What is that language? That is ancient.
--Actually it's not, pretty stable over a long time. Depends on your background and what you're trying to do. Other than that, yup......

Moderator
--I owe you a beer or 12. Thanks mate. I think we're 4chan now.

Moderator • May 14, 2015 3:02 AM

Well, this thread is starting to look like that. I think it's time to close this post to comments.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.