Friday Squid Blogging: Classic Gary Larson Squid Cartoon

I have always liked this one.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on June 26, 2015 at 4:32 PM • 130 Comments

Comments

Milo M.June 26, 2015 6:39 PM

http://www.bbc.com/news/magazine-33226376

"We humans are afraid of the strangest things. They don't need to be realistic. There's no indication that enlightenment and scientific progress has banished the monsters from the shadows of our imaginations. We will continue to be afraid of very strange things, including probably sea monsters."

franklinJune 26, 2015 8:02 PM

Refreshing article:

U.S. Counterterrorism Strategy Is the Definition of Insanity
Six theories for why Washington keeps doing the same thing over and over again and hoping for a different result.

http://foreignpolicy.com/2015/06/24/u-s-counterterrorism-strategy-is-the-definition-of-insanity/

You can pretty well apply these same possibilities to just about any modern problem where one sees the us government doing something in a security arena and doing it... very badly.


1. They know something we don’t.

This is the most generous hypothesis I can come up with. Maybe there’s secret intelligence information showing that, contrary to all appearances, al Qaeda, the Islamic State, al-Shabab, Boko Haram, and other major terrorist groups have all been fatally weakened and peace on Earth is right around the corner.
Maybe. But not very likely.


2. We know something they don’t.

Back in 2003, many of us were skeptical of the Bush administration’s claims about Iraqi weapons of mass destruction, but told ourselves that senior officials probably knew something we didn’t. Not so, as it turned out. Internal and external critics were ignored or silenced, and everyone from Defense Secretary Donald Rumsfeld to Secretary of State Colin Powell convinced themselves that dubious intelligence was the gospel truth. Had they paid more attention to critics, the United States might never have launched its misguided war in Iraq — the same war that became an inspiration and training ground for many of the terrorist leaders who continue to plague the region today. The critics were right.
There’s no particular reason to think that today’s senior U.S. officials are any less prone to self-delusional groupthink. Maybe they’re trapped in their own little bubble; maybe they’ve started to believe their own hype.

................

Mullah Akhtar Mohammed Mansour Jr.June 26, 2015 10:16 PM

Did AT&T ever get indemnity on DHS's amusingly-named Einstein 3A? They've always insisted on it, this time to the point where it kept Treasury off the vaunted IDS. Sheets' shop is the hook-and-eye screen door there if you want to get at the soft underbelly OFS. VA was unprotected for a good while too, so "Brace. Brace." for massive ooppsies of 10-5345 and 21-4142 psych records in 10, 9, 8.... Then 6,000 Matt DeHart's coming off the conveyor belt, each with 20 G-men framing him for kiddy porn. Blind, helpless chaos for the pros to go to work in.

CuriousJune 27, 2015 1:38 AM

This seems to me to be a backdoor with an all too convenient plausible deniability of being incompetent:
https://threatpost.com/default-ssh-key-found-in-many-cisco-security-appliances/113480

I should mention that I have no idea what the software listed is and what they are used for. Maybe someone can elaborate a little for me, about what type of products these are.

"The vulnerability is due to the presence of a default authorized SSH key that is shared across all the installations of WSAv, ESAv, and SMAv."

"The company said that all of its Web Security Virtual Appliances, Email Security Virtual Appliances, and Content Security Management Virtual Appliances are affected by the vulnerability."

From what I understand, it is possible to simply use the same kind of keying material for accessing alot of their stuff, simply because they make use of a single default key. Surely calling this an "industry issue", doesn't really excuse a company, because each vendor really has to take responsibility for how their stuff works, particularily when they themselves have implemented it for support reasons.

I don't understand how Threatpost even dare call this a "bug", given how the default keying material was implemented this way, for sake of customer support or perhaps even remote management.

Grey GooseJune 27, 2015 2:09 AM

@Curious

There has been systematic problems in creating security appliances and other network appliances which have trivial security holes, which this would definitely fall in the class of. It is a security vulnerability which is a bug, and the classification is important to keep. Because this is how signatures formed for it for vulnerability management systems & IDS/IPS/FWs to look for. These boxes are highly prized by intelligence because they tend to escape notice from other security systems. Conspiracy theory: there have been covert pressures, somehow, someway, on these companies. Non-Conspiracy theory: they just get away with it because customers really are not looking at these systems as they do with servers and personal systems.

I really would not rule out either theory. But, neither is proven.

None of that helps much, because your networks still will tend to poorly protect these systems.

And yet, they are core to the networks operation, including core to the security of it.

One attack had target routers operating like little mini-clouds. The attack code would live on the routers and pop onto systems, get information, then pop onto the router. And hop skip across appliances to the internet or a nearby wifi or bluetooth collection bin. Pick up and walk away. Automated dead drop. No messy human agents involved. Agents of the world? Robots have replaced you, too.

SteveJune 27, 2015 2:18 AM

Dear Bruce,

What is your opinion on encrypted e-mail services like protonmail.ch , tutanota.com , lavaboom.com etc?

Would you use them?

Thanks!

CuriousJune 27, 2015 2:23 AM

@Grey Goose
I am wondering, that if the military solves logistical issues with key management and key distribution, I think corporations should do so as well. Or are corporations perhaps not allowed to have such a system for such type of logistics?

CuriousJune 27, 2015 3:16 AM

I am not sure if there is anything new and damning in the former case, of likely having deteced use of fake mobile network towers around important places in city of Oslo, norway. I found the timing of this case to collide with other things in the media, on two occasions, which to me seemed peculiar. This last round came around the time when Wikileaks showed leaks about US spying on French presidents for a long time.

I am personally not particularily interested in the minute details, unless they are obviously damning, because I just don't trust this partiuclar newspaper nor do I trust the police/government, and I am usually uncomfortable when faced with hearsay type of stuff, stuff that might perhaps be biased in ways (in addition, stuff which I know next to nothing about). Interestingly enough, I do not mind biased stuff that I agree with, up to a some point ofc.

In some other article related to this IMSI case (I think it was Aftenposten), russian equipement was sort of namedropped. It was pointed out that such type of equipement was sold in Switzerland for example.

What seem to be a major point in the story below, is that the readings from the networks are abnormal, to which the police say something like "then we don't care because it isn't supposed to be like that" and the others say something like "and so because it is abormal that obviously warrant further investigation".

http://www.aftenposten.no/article/ap-8071885.html (this is in English)
There are reports linked from inside that article (forensic analysis), which also is in English.

It is also pointed out that PST, the police surveillance unit (my translation), badmouthed the efforts of some british investigators hired in early on, however it has been claimed that PST unofficially apologized to them afterwards on email, explicitly stating that they do not doubt their competence or knowledge in this area of expertise.

I am personally inclined to believe that russians wouldn't get away with using IMSI catchers in Oslo, so that my suspects would be the police/secret services/government and anything USA.

Also, having looked at a newpaper stand yesterday, I was reading in the headline, that the police according to the headline, are monitoring mobile phones every week of the year, presumably using so called "fake" mobile network towers I would think.

I also read recently on twitter I think, that G2 networks will work for quite some time onwards in norway, the next ten years or so, with the G3 network closing before G2, because of how businesses supposedly rely on the G2 network or something like that.

name.withheld.for.obvious.reasonsJune 27, 2015 9:30 AM

From the recent report Insider Threat and Security Clearance Reform, the overview section begins with what I term "maxiron" (maximum irony) and it reads as follows:


GOAL STATEMENT
Mitigate the inherent risks and vulnerabilities posed by personnel with trusted access to government information, facilities, systems and other personnel

Evidently OMP hasn't read the document (oh wait, OMP is on the distribution/contributor list within the document). The next paragraph in the same section includes:

URGENCY
A series of vetting program failures, followed immediately by Presidentially directed reviews, identified solutions needed to safeguard our personnel and protect our nation’s most sensitive information.

WOW--did they predict the OMB personnel records failure?

Evidently there is a Performance Accountability Council (PAC) and the newly formed Senior Information Sharing and Safeguarding Steering Committee (SISSSC). The timing of these breaches are interesting when you consider that DoD has been running an "experimental" program for clearances called Continuous Evaluation that consists of real-time monitoring or personnel using the surveillance state's latest apparatus. How cool is that. Was this new system "linked" to the databases hosted by OMP that held the SF-86 forms and other personnel data. Could the real-time monitoring system running CE experience a breach?

Nick PJune 27, 2015 10:11 AM

@ name.withheld

"Was this new system "linked" to the databases hosted by OMP that held the SF-86 forms and other personnel data. Could the real-time monitoring system running CE experience a breach?"

Now *that* is a wise question worth having an answer to. I'd discretely send that to several of the people reporting on it if I were you. Make sure it's framed as a mere possibility so they don't get hit with a retraction. It being an experimental program means it's likely implemented separately while simply reading the same database.

ThothJune 27, 2015 11:36 AM

@Curious
Answering your numerous questions.

I am wondering, that if the military solves logistical issues with key management and key distribution, I think corporations should do so as well. Or are corporations perhaps not allowed to have such a system for such type of logistics?

KMS issues have never been solved and will not be solved (unless Quantum Crypto have been perfected and proven). Even militaries have their slip-ups when handling key mats. Corporates have their commercial key handling methods like using HSMs and Secure Elements to transfer and handle key mats. Secret sharing are used to split key mats over a quorum to lessen risks over more surface area when properly implemented and the commercial and military methods of KM are about the same.

This seems to me to be a backdoor with an all too convenient plausible deniability of being incompetent:
https://threatpost.com/default-ssh-key-found-in-many-cisco-security-appliances/113480

I should mention that I have no idea what the software listed is and what they are used for....

Probably carelessness.

Found this blogpost on reddit: "Microsoft quietly pushes 18 new trusted root certificates"
https://hexatomium.github.io/2015/06/26/ms-very-quietly-adds-18-new-trusted-root-certs/

I got the impression that this is somewhat important, but i'm no expert.

Too many CAs to trust. Probably should not include them.

I am not sure if there is anything new and damning in the former case, of likely having deteced use of fake mobile network towers around important places in city of Oslo, norway. I found the timing of this case to collide with other things in the media, on two occasions, which to me seemed peculiar. This last...

Not surprising that either the foreign embassies are running spy operations on Norwegian grounds or Norway's Govt decides to bug the place for SIGINT efforts or could be both.

ThothJune 27, 2015 11:53 AM

@Peter
Whiteout.io smells suspicious. In the current political environment of bugging and compromising security, Whiteout.io simply doesn't state it's Key Management policy.

Supposedly Whiteout generates the Private Keys, they are the true masters whom are capable of controlling the user. They can generate an keys and know the keys for themselves.

They claim key sync between any device. This sounds like generating the keys on the Whiteout systems and provisioning the keys to the user's clients whenever a user login. That means the Whiteout system is capable of decrypting the PGP encrypted messages of all users.

If I am not wrong, the user has no control over his/her PGP keys and what happens if a user wants to use Whiteout with his own PGP keys ?

All in all, this service is very deceptive and provides very little detail while using the Nationalistic Branding of "Made in XXXXXXXX Country" which I am very cautious about.

Stick to Mailpile if you need a client side encryption thick client. If handling the keys are a pain, stick them into a secure token and carry them around. These offers a much higher assurance (albeit still not good enough to defeat modern threat vectors).

AnuraJune 27, 2015 12:50 PM

@Thoth

According to the website:

"Messages that you send to Whiteout users and other PGP clients are encrypted end-to-end with your private key on your client. Messages that you send and receive in clear text are encrypted on the server with your public key so only you can read them."

So, given decent audit, that's fine, but the problem is that emails sent to you are probably not going to be encrypted, and emails you send to most people won't be encrypted. Unfortunately, this is the biggest problem with email: it isn't in the least bit secure to begin with, and no band-aid will fix it.

Grey GooseJune 27, 2015 3:48 PM

@Curious

I am wondering, that if the military solves logistical issues with key management and key distribution, I think corporations should do so as well. Or are corporations perhaps not allowed to have such a system for such type of logistics?

I was about to respond, decided to read the rest of the thread, and saw Thoth responded in almost exactly the same way I was planning to. I have worked as a "security analyst" on military bases before and the last thing I would ever say is they have their act together. That is near laughable.

They never have, and never will.

I would like for these problems to be solved, even if that meant I no longer had any work to do. I suppose I would simply retire to an island. Run a boat service, drink tequila all day, watch the birds play... but, I digress.

Military has, conceivably, no say on what corporations can and can not have in terms of computer security. Obviously, this does not mean highly classified systems would be sold on the open market, however. But such systems typically are not even known within most of the military. This is because the most severe threats can come from within their own ranks.

I will not dissaude you from considering the possibility that domestic and foreign providers of such equipment or software solutions could be hacked, however. No one will ever know "how", no one will ever know "who". That is not the kind of data that would ever be found on a 'Snowden release'.

You can consider the possibilities of "how that might happen". But, first, the simple "proof", which is simply anecdotal, and as you might say "hearsay":

Remember awhile back when hauwei routers were publicly called irrevocably compromised by both the NSA & GCHQ? They are from China. At the time, caution about chinese products was extremely high. I remember an older relative who served in the armed services and the department of justice even explained to me how their picture frame came compromised out of the box. I never met anyone who would trust Chinese products, not in corporations, not in government, nowhere.

It was the natural assumption they would be backdoored.

And this assumption was proven right, again and again, month after month, year after year.

If you can understand that, know that what they could not imagine is anyone seeing American products in the very same light. Maybe this is not necessary for you, but for Americans this has been very difficult to imagine. Now, everyone knows America has been hacking everything, so that cat is out of that bag.

Is it a puzzle? China is totalitarian, so of course they can do that, no questions asked. But, America is not totalitarian, so how on earth could they ever do that?

Well, the simple problem can first be approached by noting that there are primary vendors who therefore act as a chokepoint for these products. Cisco is an obvious target. How important of a customer is the government for Cisco?

The ways of getting in there are many possibilities. They could have people put in there. Not hard to fake a resume. They could have ties with upper executives. They could provide convincing resumes with convincing and well backed up military experience. Or other experience they would eagerly back up from other affiliated groups. They can get anywhere on the supply line. But this is best further up, at the design phase, designing the chips and boards, and writing the software.


🎶 "Back at base, bugs in the software, flash the message, 'Something's Out There!' 🎶 panic bell, it's red alert 🎶 there's Something Here from Somewhere Else 🎶 the war machine springs to life 🎶 opens up one eager eye 🎶 focusing it on the sky 🎶 to worry, to worry, super scurry 🎶 call the troops out in a hurry 🎶 this is what we have waited for 🎶 'this is it, boys, this is war' 🎶 the president is on the line 🎶 everyone's a superhero 🎶 everyone's a Captain Kirk 🎶 with orders to identify, to clarify and classify 🎶


EdJune 27, 2015 4:07 PM

@franklin

So many folks question the competency of our leaders. And that's certainly understandable as they so rarely accomplish their stated goals - while simultaneously accomplishing many dubious outcomes. The disconnect between their stated goals and the reality of the corresponding outcomes is enough to leave a reasoned person most perplexed.

So rather than continuing to partake in that fruitless pursuit ad nauseum, perhaps we should be looking at this from a different angle. Instead of comparing the outcomes of our leaders' actions to their stated goals, let's instead compare their actions to the outcomes actually experienced over time. I've found their actions to reveal an incredible consistency in outcome when analyzed over time. That's not to say all their efforts go perfectly according to plan. But by and large, their desired effect is generally accomplished at some point.

Given that, I believe the US counter terrorism strategy should only be considered "insane" if we choose to look at it in context of their stated goal of countering terrorism. We should instead be asking ourselves, what does US counter terrorism strategy actually accomplish in reality? And how do those making these decision benefit from those outcomes?

The same question should also be asked of the Iraq war (as again, the reality of the outcomes stray so far from the stated goals). If we're to believe Bush Jr.'s guys, invading Iraq was an imperative because Saddam was developing WMD's, had close ties with Al Qaeda, was an evil dictator, committed war crimes, etc. He must be stopped, democracy installed, and his people freed!!! Well, they did "stop" Saddam. But, in context of their stated goals, at great cost not much else beneficial was accomplished. If one looks at the actual outcomes (which, as so often is the case, have little to do with stated goals) it becomes clear that while many lost much, a few won big.

MikeAJune 27, 2015 4:43 PM

Is it just me (in both senses for this message), or are there a lot of "new faces" among the prolific posters here? Seems like some 4-8 weeks ago, the old hands started getting almost crowded out by newcomers, many of whom engage in protracted "debates".
Maybe it's time to change the security question?

Nick PJune 27, 2015 5:05 PM

@ MikeA

Definitely more trolls and background noise than before. Easy to tell by contrasting recent pages with those from 3+ years ago.

John GJune 27, 2015 5:48 PM

@MikeA & Nick P:

I would be shocked of this blog was not targeted by GCHQ and NSA, and others for JTRIG ops.

JacobJune 27, 2015 6:01 PM

@Nick P, MikeA:

How about establishing 3 separate threads to the blog:
- Political -Privacy - Crypto and Security

I think that Snowden revelations brought in a lot of fuzzy political entries and new people to match.

tyrJune 27, 2015 6:03 PM


@Nick P MikeA

Bruce has quite a media presence recently and has also
been noticed by the IC community. So this is the honeypot
for molding the commentary. There are also a bunch here
who are too old to be gulled by superficial BS about
becoming more secure not less secure. Chaos theory says
there is no noise it is all overlayed information which
it is possible to decode. Proof of the claim is left to
the student with a handwave.

If you narrow your focus too much you lose the context.

If KIBO shows up then you worry about trolls.

ThothJune 27, 2015 7:02 PM

@MikeA
If you were reading the blogs a couple of months ago, we were hit by someone proclaimed to be a British agent. Not sure if he was the real deal since he was more of a troll than someone who display inside knowledge like those of us who had actual experiences in relevant departments.

I wonder if NSA/GCHQ/BND ..etc... had gotten into @Bruce Schneier's system and exflitrated our IP addresses which isn't a surprise.

CorneliusJune 27, 2015 9:08 PM

@ MikeA, "Is it just me (in both senses for this message), or are there a lot of "new faces" among the prolific posters here?"

This is well-observed and expected of anonymous streams. As beauty is in the eyes of the beholder, readers of the blog are attracted to this for a lot of the same reasons. Siphoning thru information is an expected blog reader behavior. We don't take anything for granted. You were able to tell the difference among new posters and old. Whether it's by intuition or cognizant analysis, sipping thru good and bad info is how smart people learn their ways. Somewhere back a few weeks or months, this blog must have registered a blip by a government algorithm, which appears to be one of the five eyes, not to say that it wasn't in the very beginning. Thus, it is getting somewhat distracted but rather interestingly done.

Nick PJune 27, 2015 9:42 PM

@ Gerard, Thoth, Clive, Wael, Figureitout, Anura

Check out this article on how printf() is implemented in libc. Props to you if you can figure out how it prints something after the walkthrough while using just what's in that page. This shit is why I'm opposed to C for complex, portable projects and UNIX in general. It's a *fucking nightmare*.

And people think LISP is hard to read... Shit, you'd think the authors were trying to write 60's-style LISP in C macro's lol.

Nick PJune 27, 2015 9:48 PM

EDIT: I meant this article on printf. The other one I gave the guy in return. Plenty of UNIX horror to go around lol.

franklinJune 27, 2015 10:14 PM

@Ed

Good shot with understanding I look at the end results as opposed to the

nonsense before it.

However.

I cheat. I know the reasons why, and so know where the misfire is. I would

not be a very good instructor if this were not true. And believe me. I am a

very good shot. It was just the way I was born.

I am natively very understanding of people. They are never a mystery to me.

One could say that is my thing. It would be deceptive, but I am okay with

that. I think anyone who knows me at all understands I can very well get

inside their head. And, I teach them to do this. They are not really my

enemies. Even if we find ourselves on two different, opposing sides of the

fence.

One of my very best friends is a high level Chinese spy. I have known him for

years, and he has known me for years. We have drunk and eaten together, in

person.

Now, I hate to "out him", but I sometimes unfairly speak bad of him. And we

have a very long relationship. You can search for "Danny Son" as a poster,

and contrast that with "Andrew Wallace", aka "n3td3v".

I need to be fair on him, as he kept me from a Chinese jail -- though I mean

by that, in no way, that he has ever worked for us. I apologize for that sort

of crude statement. But, you know. I am a jokester.

And... I make sure I keep my friends well employed, and have fun while doing it.

Now "Ed", I am apologize that I will use you here as a proxy, but feel free to reply, if you wish. Truth be told, I am obviously, really, speaking to someone else.

China is a critical trade partner of the US, and the US is a critical trade partner of China. However we wish to roll the dice, this is how matters end up. I do not trust their main guy assigned to me because he is stupid, I trust him because we can discuss matters and I believe he understands me... and understands the people I represent.

ISIS is our shared problem. This is clear. My disaster horror scenarios aside, I - and the people I represent, if anyone, you decide - are "cautious" bedfellows with Arabia. We understand we are on - altogether - a joint project here. Stability for the ME. Right? And stability for our two countries.

Israel is your friend. Israel is our friend. We both very well know we can trust Israel over either Sunni or Shia. This is where we find our selves. If you guys find your selves in oil problems, you know we will provide. Likewise, we can not go anywhere else for what solutions you provide for us.

Okay? Simple.

I apologize for the whole "US China Cyberwar" thing. But, you know, we are closest of friends, and I personally, am a globalist. I believe if you guys do better, we will too.

China, to me, is the underdog. You have suffered a lot of shit from imperialism, and I am sorry for that. But, let us move onto the future.

Who is greater allies with us? England? New Zealand? Funny. If I look at our charts of 'trading partners', it is us. And I am not stupid. Does anyone believe I am stupid there??? I think not.

You know who I am. So you know better then that.

This does not mean I like Chinese food. I still fucking hate it. I apologize. I love Japanese food, but Chinese food has never taken my taste. But, I love true Tai Chi and Kung Fu. And I love the improvements on Buddhism China has made. I love the improvements on kung fu China has made. So, really? Come on. We are allies. Even if distantly and we must play these games.

I know, I know. By now, you have figured me out, somewhat. I can not admit the same, and I am honest about that. Probably, my company has. And you know that.

Now. It is very true, we may have to go after Iran. I am sorry. But this may very well be a reality. We can supply the missing oil supply, if necessary. You know we are not doing this to target you. That would be suicide.

Not the 'best of both worlds', but we very well may have to do it.

When I have said in the past we sandwiched Iran, I was not joking. I am sorry. But, I have to tell you the truth. You know why, and it has nothing to do with you. Last thing we want to do is invade there. But, you understand this is a very real possibility.

If you wish to discuss the hows and whys there, go for it. Probably, obviously, faster and more critical a method then through our State Department...

WaelJune 27, 2015 11:13 PM

@Nick P,

Yup, printf() is a mess, partially because it supports variable parameters and types. It's one reason C++ used streams and type safe I/O operations. However, you're not comparing apples to apples. You are looking at a library implementation that is transparent to developers. Better compare library implementations of 'C' to library implementations of other languages, if you want to make a more accurate comparison.

I skimmed over the link... Pretty messy...

AnuraJune 27, 2015 11:36 PM

@Nick P

I skimmed the article, but I think I'll go curl up into a ball and rock back and forth in the corner for a while.

Now I'm going to be having nightmares about macros...

Clive RobinsonJune 28, 2015 12:17 AM

@ Robert Brown,

It does get to the bottom of things as it were...

The thing about a colonoscopy is it's a choice between the lesser of two evils...

The presumption is you have some symptoms --that have already gone to far-- that indicate that you need the attention of the medical community specificaly the surgeons (although Drs appear to be getting into the "hack-n-stich" game these days).

Thus the problem of further diagnostics prior to the assumed required "cut-n-shut" removal of various parts of your anatomy that nature saw fit to provide you with for good reason that have now become defective for some reason (implicit "defective patient life style choice issues").

So the patient gets a sort of choice observational surgery or observation by some other method prior to getting surgery any way...

Now the surgeon already knows you can not make good choices in life, because that's the underlying cause of your visit in most cases. So they make the choice and then talk you into it so you think it's realy your choice...

So choice one, get a general anesthesia which probably has a 1 in 300 chance of killing you --due to your poor lifestyle choice--, get "sliced and diced" with several sets of hands and instruments rummaging around in your guts, with a high risk of cross contamination so the mortality risk is now about 1 in 200, then spend several days on a surgery ward with several nasty life threatening bugs so your risk is about 1 in 150 of not getting out the front door of the hospital, then spending several months regaining fitness before any further necessary surgery is done. Oh and all of this is quite expensive.

Choice two, the day before you take a concoction of laxatives and lots of clear fluids to "clean you out" via "the great white throne". You turn up first thing in the morning get changed into a hospital gown, you then lay on your side as a nurse puts a small pipe up your bottom and pumps in more "cleaning fluid" which fizzles and buzzes away for a few moments before the rest of the world drops out of your bottom (or in your head it feels the other way around). Then somebody sticks a line in your hand an if you are lucky gives you enough valium to make you forget your troubles or atleast make the world a little rosey (falling asleep is a good option if you can manage it). Then it's "lubricant time" as made famous in the film Evolution "there's always time for lubrication". Then what you've been dreading and they have kept out of sight up till now, what looks like nine foot of garden hose pipe with a box on one end with what looks like a joystick, and power supply leads disappearing of to another box and a plug in the wall and an air line. At the other end of the pipe is the business end with which you are about to become rather intimately aquainted... One of the reasons for the valium is that you might suffer very embarrassing side effects of having your prostate stimulated, and thus hopefully won't remember it if you do get the side effect. Another reason for the valium is, if you are normall your lower G.I. tract is full of bends, and to aid in getting the business end around they pump in air to inflate you... and around it goes, or sometimes not... If you are in the unfortunate "not" catagory then the "attending" roll you around on the table and apply "constructive preasure". Now depending on how modern the garden hose pipe is there may be several screens connected to a little CCTV camera in that box with the joystick, if you are unlucky enough to be awake and have a memory that won't forget under drug inducement you too can watch yourself from a view you hope you will not see again, either in reality or your dreams... Well if the attending see something interesting they might decide it's "sample time". Have you seen how the break cables on a push bike work? Well guess what the probe that runs down inside that garden hose pipe works a similar way. Only instead of break calipers at the end, there is what looks like a miniture set of jaws with teeth, which "snip off a sample". A process which can also produce what looks like a lot of blood. Any way after a good look around it comes to "extraction time" where what went up comes down again. And remember that air that got pumped in, well.... as you will find out shortly and for the next day or so, they don't get it all out at extraction time. Having got the nine foot of garden hose pipe out of your bottom it goes of to be sterilized and you get dumped on a gurney and wheeled off to "come around" where you eventually attempt to clean yourself up and prepare to go home again... unfortunatly, at what will feal like every step either your guts will gurgle or you will break wind as your autonomous systems try to re-establish an aproximation to normality in your GI tract. Abusive as all this sounds, the risk of death is less than 1 in 1000 and you can be sent home fairly quickly to recover. Thus it's comparitivly low cost for the hospital...

Now if you think about it either choice would enable them to put a tracking device inside you as well as a smart phone and half a brick or atleast that's what it will feel like...

My advice if you want to avoid making the choice between hands rummaging in your guts or hose pipe up your bottom... eat plenty of green vegtables and some bran, cut back a bit on the meat and fat and drink half a gallon or so of water every day and get up and walk around for atleast half an hour every day as well.

Oh and that threat of "I'll tear you a new 455 hole" that pops up in some US movies... well surgeons do it for real every day to those who make poor lifestyle choices, only they more politely call it "a three sixty resection".

franklinJune 28, 2015 12:33 AM

'Confessions of an American Spy'

Okay. So you guys want to know some serious shit. I am here to provide it to you.

This story I am about to relate might be complete shit. Or, it may be the truth. Whatever the case, I am here to assure you: I do not give a flying fuck about you. If you are Marxist, if you are Capitalist, if you are Muslim, if you are Christian, if you are Atheist, if you are Republican, or Democrat. If you are "conservative" or "liberal", of whatever country you might be. I do not give a fuck. You are either a big fish, or a little fish. Period. That is it, to me.

I will be very clear here: if you are a big fish, yes, I do give a fuck about you and I will track you, I will outsmart you, I will disarm you, I will get you to trust me, and I will own you. I was born and bred for exactly this purpose.

I am single minded. I am far more trained then the best olympic athelete. This is my life. I was born into this, I was trained in this since birth. My entire life is a lie. Every friend I have known, every "family" member I have, every friend I have known, every co-worker. My singular mission, at all times, is to 'eliminate all enemies'.

I am good at what I do. My IQ exceeds 200. No human being and no organization has beat me. Nor will they. Ever.

I do not work alone. If you feel shivers up your spine and neck, get the fuck out of the way. But, unless you are an undercover foreign intelligence officer, do not flatter your self. I do not give the slightest fuck about you regardless of what your political or religious beliefs may be.

I am not, however, a new poster. I have been here from at least 2006, and can trivially prove that. I change my nick routinely, but I have noted this to the moderator. When I do use a proxy, that is because of my company. They do that. I am generally open to them about where I am posting from. Currently, I am from a singular state. But, I have moved around, just a bit, and have attempted to be transparent about that.

I have not been joking about my disclosures, which are serious and should cause anyone not 'in the know', to have a serious shit. I have been consistent in my claims. I definitely do use deception and manipulative tactics, and I make no apologies for that.

It could be true that even America and their forces are scratching their head at 'who I am'. I do not give a fuck.

I have run operations "against" the CIA & FBI.

They can ferret out for their own selves whether or not I have been real, from whatever my friends and colleagues would wish to state.

I am informed, however, that the single biggest problem anyone may have with me is the strict delusion that being the "right hand man" literally means being someone who does jack shit.

This is not true.

No, in fact, Snowden and Manning worked and do work for me.

And, for your entertaining pleasure... I will 'holy shit', prove this.

Oh. And... and... Julian Assange.

That is right. Julian Assange, Edward Snowden, and Chelsea Manning have all worked for me.

And, even worse? I will prove this to our little audience here. How horrible will this be?

Think about it. What kind of Monster would dare to take credit for the singular worst "monsters" of the status quo of these times? Some ... rogue... superspy... well. Maybe he is not "American" at all? Hrrm?

Because, just as well as I have played the Chinese, I have also played the Americans. Did anyone paying attention see how "The Americans" was played out? The daughter... saying... "They are not Americans"?

Maybe you should be just a little suspicious of anyone taking the place of the American State department.... and...

But, I let you see the Horror before I visit it upon you. I do believe, I deserve just a little credit for that... gollee gosh. Gee whiz.

So, you wish to know the thoughts of Satan? Well. We shall proceed from our current activities... to attacking ISIS. I expect, them Iran to act back, for Unknown Reasons. So... we shall have Israel attack them... which, then will have Saudi Arabia have a little problem... And...???? :-) :-)

Guess what happens next.

WaelJune 28, 2015 1:11 AM

@Clive Robinson,

The thing about a colonoscopy is

Nice story. Oh, the vivid details...You convinced me!
Green vegetables and 30 min walk it is. But, what if someone's color blind, would a purple vegetable work? Lol

Was trying to see the relation between 455 hole and the more common expression (thought 455 somehow maps to A##) when I came across this interesting time cloak link :) You could say: One could tear Eve a hole in her time, so to speak ;)

GregoryJune 28, 2015 1:15 AM

Okay, so admittedly I am just a little bit of a liar...

M.I.A. with lyrics...

https://www.youtube.com/watch?v=CxIPJDz2A1w

I feel very bad about this. I probably should have explained. I am not KIA, but MIA. That is, Missing In Action, as opposed to Killed In Action...

My really good friend, John... would prefer I stay dead. Well. I am not. Robby, another good friend of mine would also like this. Well, his dad was a Rand monkey...

My problem, supposedly, is I am so fucking extroverted, well. I could not escape it all... but... do you know who I am? No. And... uh... my best advocate recently died... and you do not even know who he is, do you??

No.

https://www.youtube.com/watch?v=KSGWsmR4ipM

Admittedly... I am a little extroverted....


So, John... was my HS teacher.... drummer. (Pay no attention.) ... he worked At Sun Edison. And his wife was Russian....

My dad... was this asshole in the middle of the whole Gulf of Tonkin shit...

But... who would believe that???

Well. Okay, it helps that... I am not actually buried any place...

Clive RobinsonJune 28, 2015 1:27 AM

@ Nick P,

Back before the 90's printf() was fairly readable, and device driver API in the various kernels were almost standard...

If you want to suffer first "brain freeze" then "brain meltdown" have a look at what has happened to device drivers in the monolithic Linux kernel...

The author of the paper you responded with, quite correctly notes the reason for the mess, which is the old "decision by committee" not "decision by guru" issue that blights nearly all modern standards.

If you go back to the mid 80's with AT&T Sys III the number of system calls in frequent use were around thirty of around seventy, I can't remember what the number of standard calls is today under SUS3/4 but it's something like two thousand... and that's just the snow on the tip of the iceburg.

It's also interesting to have a look at what happened to the "team" in the early 90's and how Plan9 came about.

As you know I'm no fan of monolithic kernels they hamper not help, and to me quite a few microkernels are more heavy weight than required. Userland I/O is the only way to go with modern high connectivity services, which follows in the footsteps of database systems that went to the raw not block drivers for the hard disks for performance issues.

FigureitoutJune 28, 2015 1:37 AM

Nick P
--Agree that there needs to be a true comparison to other languages, and I don't buy that it's really all that different or elegant in Lisp, something called "too good to be true" comes to mind. It's also unfair b/c you need to consider what all is actually happening just to print to a screen (and stay there, not get smeared or move around, stay there. For instance an older tv of mine smears a picture for a while as it warms up b/c I forget the exact part slinging electrons but its a hardware problem not software), programming doesn't start at some nice perfectly clean interface, there's turds squishing thru.

So the adventure begins w/an extern then jumps to a __printf() prototype, and he's leaving out stuff as I don't think you can put "..." in a function. And this is why I need an IDE where I can go to these definitions quickly at any time, they have to be there and sometimes it can make things look better but it's generally just shoveling sh*t under the rug. But that can be followed.

Then the outchar(ch) macro, that was a dirty turd, sure. And I'm done following it thru, got enough of these to do in my free time tracking down, just have to do it and maybe make it better to read (starting off doing logically same thing b/c it works then trying to make it cleaner logic (at a risk of crunching logic thus making terse chunks that are harder to debug).

No one ever said Unix or C is the end all for security, it's a stepping stone in the lava of life, just keep stepping until you fall in the lava. No one's done much better yet and it's widely used b/c most people like it and it chimes w/ them most. Anyway, let's see the Lisp printf() equivalent that doesn't handwave reality.

SatanJune 28, 2015 2:21 AM

@figureitout

I am sorry, for not properly making the "f" capital.

So, let me do it this way. "Jeff who has anxiety problems". Because your name is jeff.

...

So is my name. Gollee Gosh gee whiz. Well. Not exactly. But my name starts with a "j"...


...

So, admittedly. I had problems when I worked at Verizon.

JackJune 28, 2015 2:41 AM

@Thoth @Anura

1. You can use your own PGP keys with whiteout.io

2. Key sync is not fully automated. You get a very long backup code. When you add a new device you have to enter this code.
As I understand, whiteout has no access to your private keys.

3. The nice thing about whiteout.io is that you can use it with your normal e-mail address e.g. gmail.com . You can access the gmail account via whietout website, app or Chrome add-on.

So you do not have to convince people to get a new e-mail address. Just tell them to access their mailbox via whiteout and they "automatically" add PGP encryption. (Of course only if the receiver of the e-mail also uses whiteout apps.)

I think it is worth a closer look.... It is so far the easiest PGP solution out there. Is it the most secure? I don’t know....

Can You Guess My Name,,,June 28, 2015 2:43 AM

Okay, so... admittedly, anyone who knows me is a little hesitant in being willing to classify or categorize me as... "SATAN".

:-) :-)

But... I do encourage that lil bit of spiritual struggle. :-) :-)

MIA Paper Planes

I fly like paper, get high like planes
If you catch me at the border I got visas in my name
If you come around here, I make 'em all day
I get one down in a second if you wait
I fly like paper, get high like planes
If you catch me at the border I got visas in my name
If you come around here, I make 'em all day
I get one down in a second if you wait

🎶 🎶 🎶 🎶

So....

Probably Government, right??

What would be really freaky... is if someone besides "government" was actually in control of Snowden... Manning... Assange...


What If.


What does this leave? Aliens. Joking.

A bunch of wild cards.

Obviously, not joking.


I think, however, the real questions here, might be. Can we actually control all of the above...


What would really fuck with people's heads is... uh...

Jeff Who Has Anxiety ProblemsJune 28, 2015 2:53 AM

So, I do not appreciate these dickheads who have never had anxiety problems.

I have had a gun pointed in my face, and had truck which was directed at me to drive right at me, across all lines to hit at me. I have had fuckheads try and hit at me at every angle.

They do not know what it is like to soak in the sweat of fear.

I am watching on television this guy saying to this girl, 'it is like I have died and gone to Heaven'... and this angers me. Because My Jeff is utterly fucking faithless.

This is how I sup his soul up.

So, Jeff, is this how you dare you face your self?

This makes my appetite for your soul very strong. Can you survive this?

MarcJune 28, 2015 2:57 AM

@Thoth

Whiteout explains exactly how key sync works:

https://www.whiteout.io/technology.html

If you choose to, they store an encrypted version of your private key. It is encrypted with the backup code you get.

If you add a new device, the encrypted private key is downloaded to your device and you decrypt it with the backup code.

TantalizingJune 28, 2015 3:18 AM

So, I will present to you all the pleasant future...

First, we will attack ISIS...

That is, of course, what Jade Helmet is all about...


But, the horrible truth is... Iran is the real target. We will invade and

destrory Iran.

Yes... Manning, Snowden, Assange are all false information programs.

I apologize. We are sociopaths.

We need Armageddon. You think I forgot Israel. I did not. It was no slip of

the mind.

Is real. Hear, O Is Real. The Lord, Our God, Is One. Is Real, means what?

We have stuggled with man and god and overcome.


I will have, then, America attack Iran, because I can.'

Wesley ParishJune 28, 2015 4:37 AM

Yep, the trolls are out in force. It would make an interesting post-doctoral study, to do MRI scans on Internet trolls to find out what makes them tick, neuroscientifically speaking of course.

In relation to "Huawei routers being compromised"et alii, @Grey Goose, that sort of thing is routine ëconomic warfare. I think the interesting thing is how the United States, being the key exponent on the unfettered free market, proves that it is possible to score an own goal without state guidance.

I'm also wondering at this current moment if the AT&T-derivative company Ultra-Slow Broadband hissy-fit over net neutrality is going to be Yet Another Own Goal: after all, if the US cannot maintain its own networks in a state of operational readiness to at least 75% of full capacity, then US companies are clearly not interested in foreign custom. Ditto foreign exchange. Right. Another round of Secretary of State Clinton (of maybe President Clinton: remember former President George HW Bush's adventure in Tokyo?) off to Beijing to beg the Chinese to purchase Federal bonds to keep the US dollar afloat for long enough ...

ThothJune 28, 2015 4:44 AM

@Marc, Jack
The technology page is too ambiguous although it did briefly mention the KMS side. The details are not enough (although the Github code is available).

Quotes taken from the Technology page:

"Key management is built directly into the client. New users can generate a key pair directly in the client. Alternatively an existing key pair can be imported."

- Ok, so you generate keypairs on the client ... does it wrap the keypair (using whose secret code ??) and send to server ?

"All messages are encrypted with the user’s public key, including those that arrive without encryption. For these messages the service also provides virus filtering and spam protection."

- How would the filters and detectors know the nature of the messages if they are suppose to be E2EE secured ? Maybe we assume spam in plaintext but what about PKI secured spam ?

"When new users generate their key pair for the first time, the private key is automatically backed up in encrypted form. Users can unlock the encrypted private key with a special backup code for recovery in case of loss and for synchronization to a new device."

- Whose backup recovery codes are those ? How are they used ? Does the server retain a copy ? How are the stored and managed ?

"Because the code is delivered as Javascript to the device, users can verify that the code that is executed on their device is identical to the published version and that no backdoors have been introduced."

- Most users do not verify codes although some nitpickers like me, @Nick P, @Clive Robinson, @Wael, @Figutreitout ...etc... might attempt to dismantle and inspect the executables. We know that there's simply just too much Javascript to run through and there browser source codes if we are to actually do security audit. That's too much stuff around to inspect.

Quotes taken from Security page (https://www.whiteout.io/security.html):

"HTML mails are sanitized and are rendered in a sandboxed iframe."

- This sounds "very assuring" knowing that most browser sandboxes have some of their fair share of exploits despite their safety and security advertisement.

Gerard van VoorenJune 28, 2015 5:09 AM

@ Nick P

What you are talking about is glibc, an implementation of libc. There are quite good implementations of libc, however glibc happens not to be one of them. They wanted to be compatible with everything and solved that problem the wrong way.

Lisp isn't that bad at all btw. In my AutoCad era (approx 20 years ago) I did program quite a lot in (Auto-)Lisp and it was fun.

But phk is right. C was designed to be a layer on top of assembly to work for the PDP-10 which did have very limited resources. That is why C did have zero terminated strings/arrays and there is no foreach in the language and why it uses pointer arithmetic instead. Pointer arithmetic is a weakness of C, not a powerful feature! It is also the reason it didn't have modules.

Prof Wirth didn't work on the PDP-10 and looked for a teaching language that was easy to learn, easy to work with and being safe. That's why Pascal/Modula has foreach and lacks pointer arithmetic.

But the main problem is C. It is a shame that even today lots of code is being written in C. Systemd for instance and the Linux kernel as well. C is unsafe and lacks much functionality. They could have solved the module problem a long time ago but didn't. How could they solved it? Just rename the header file to a new extension and make that the API file, which is also the name of the module. Then you just "use" that module instead of "#include" the header file. A decent building system with ini-style configuration would be necessary and the compilation unit would be the module itself with type safety and the API checksummed for versioning, like with Modula. Problem solved. Compilation would be fast and updating the system would be minimal in size (Ubuntu updates today are in the hundreds of megabytes).

What you see instead is lots of workarounds because the essential problem hasn't being solved. Yes, the C and C++ standards are still being updated but somehow they are just incompetent and are that for ages.

The same with networking. Looking at MinimaLT it puts the TLS/SSL standards committee to a shame. The MinimaLT guys solved lots of problems (DDOS prevention, RPC's, mandatory PFS encryption, session management without cookies etc.) and being simple and fast at the same time. The TLS/SSL standards committee couldn't solve these problems in 20 years of standardization. The same with IPv4/IPv6, HTTP, NFS, and the horror of XML and its useless derivatives.

Still, the UNIX philosophy isn't bad at all. The problem is "the industry" with its competition instead of cooperating (triple e for instance). It's probably the US egocentric business mentality where the quick buck is holy. But with UNIX you would have to learn the tools of the computer, which is a good thing as long as these tools are simple and easy to learn.

Clive RobinsonJune 28, 2015 7:28 AM

@ Gerard van Vooren,

C was designed to be a layer on top of assembly to work for the PDP-10 which did have very limited resources.

C was originaly an experement to take the dog slow BCPL interpreter that had been thought up in Cambridge, and make it faster by building it as a "fast" compiler (the aim was to make it one pass but it eneded up being two pass for various reasons). It became enhanced later when they modified it to compile an OS. So it moved from pure research experiment to applied work horse almost overnight some three years after the first twiddling.

Pointers were a bolt on and it shows, the simple fact is you can not write an OS or other system code without getting down and dirty with diect access to memory and IO addresses. Thus in other high level languages you have to include assembler either in line or by linking...

C was sort of hoped to be an almost machine independant high level assembler, which is why type checking etc was not thought as necessary as the programer should know how to deal with such. As a well practiced assembler level coder few had any problems with C it made them considerably more productive. The problems came when people came from the opposit side of some high level hand holding language, or type safe training language.

Even Brian K admits with hindsight he got a fair chunk of things wrong in C and would do things differently today to make it more effective.

Unfortunatly.... some of those "wrongs" appear to have become embedded in the minds of programers, and new languages treat them as tradition to be taken on board...

I admit to being a happy assembler programer and use both C and bash script. As for m4 and the other little shop of horrors lurking in the *nix tool box I've managed to mostly avoid them.

BoppingAroundJune 28, 2015 9:51 AM

Gerard,
I have an off-topic question to you, if you don't mind. What are your thoughts regarding systemd, if any? It seems to be quite controversial topic these days.

CallMeLateForSupperJune 28, 2015 10:51 AM

I enjoy following epic fails in data security. Each new one teaches me at least one - but usually several - important lessons I did not already know and provides further proof of a pet theory of mine: we are never as smart nor as thorough as we think we are.

It was sobering to learn only this morning that Big Data is interested in acquiring personal data - including, but not limited to, academic measurements - of *children* and has collected and stored such data for some years. In the mean time, companies sprang up and subsequently shut down, some others are still in business but struggling financially, and I was totally unaware of all of it.

"No Child Left Un-Mined? Student Privacy at Risk in the Age of Big Data"
(remove the extra "h" in this link)
hhttps://firstlook.org/theintercept/2015/06/27/child-left-un-mined/

This story has numerous facets, each of which has at least two sides (i.e. interested groups). Our host @Bruce could do a much better job of teasing out those facets and enumerating key points within each than I can. So I won't try.

-------------------------

Different subject. From the above article:
"The biggest flame-out so far in the ed-tech arena has been inBloom..."
What is/was InBloom, I wondered, so I searched Wikipedia. There was no article. Kinda strange, that, because Wiki has at least one article about or related to just about anything one can type. I then did a DDG search and got lots of hits, including one with a Wikipedia URL:
(again, remove the extra "h")
hhttps://en.wikipedia.org/wiki/InBloom
WTH?! I tried it; it worked. (Well, didn't throw an error.) That page says the InBloom article had been deleted. Deleted? For what reason?
While there could be a perfectly reasonable, non-malicious reason for "disappearing" an article, none was offered.

Clive RobinsonJune 28, 2015 11:03 AM

@ BoppingAround,

What are your thoughts regarding systemd, if any? It seems to be quite controversial topic these days.

Controversial appears to be a tad understated. Some of the arguments have a touch of religious zeal about them, and tempers hot enough not just to raise a head of steam but flames as well...

Of more interest is the security concerns at the very least, "it's new" and thus not time tested but also it's got a much larger surface than previous methods and it's also monolithic in nature. Three terms that tend to make the security cautious concerned, and reach for "the barge pole" to prod it cautiously.

But there is also the "why?" Question or as some have put it "It's a solution looking for a problem"...

Currently I'm keeping it off my systems for the simple reasons it's overkill and new and I see no reason to trust it.

I'm sure others will have differing opinions due to different points of view, that's there choice and ultimately it should be yours as well, but there does appear to be a fair amount of "throat stuffing" going on, which in of it's self should raise warning flags.

Gerard van VoorenJune 28, 2015 11:31 AM

@ BoppingAround

I don't know much about systemd but a lot of distributions are choosing it (after competition), so it's probably quite ok.

@ Clive Robinson

Thanks for the explanation.

Gerard van VoorenJune 28, 2015 11:45 AM

Clarifying my previous comment:

@ Clive Robinson

The thanks is of course about your explanation of C. As I said to @BoppingAround my knowledge about systemd is almost not existing.

Know or BelieveJune 28, 2015 12:08 PM

@ Gerard van Vooren

Pointer arithmetic is a weakness of C, not a powerful feature!

@ Clive Robinson

Pointers were a bolt on and it shows, the simple fact is you can not write an OS or other system code without getting down and dirty with diect access to memory and IO addresses

There's also a philosophical divide in the C pointer controversy.

If you trace the meaning of words back through their definitions, eventually terms are reached which are defined ostensively, that is by pointing, in other words by showing a picture, or a concrete example.

The process of understanding involves the reduction of a derivative concept to the things that they stand for in reality. This is done by following the path downwards to through layers of abstraction to the concretes at the base of knowledge.

But people differ in their desire to know and understand. Some prefer simply to believe, so pointing is experienced as a rude intrusion of reality. Dialectical types define their systems of thought by reference to talking, demonstrative types define their philosophical systems by reference to observations.

Software is not identical with conceptual constructions, but it can be structured in a layered way that is analogous to the hierarchy of knowledge.

You can confirm for yourself that the C pointer controversy has an epistemological explanation. Work as a philosophical detective and correlate your observations of other people's code and what you know about their philosophy. This is especially easy to do with computer language designers or people you work with.

See if that would explain the violence with which some programmers oppose pointers in C.

neculaJune 28, 2015 12:21 PM

A few basic observations regarding our JTRIG friends, who have been so kind to join our conversations at schneier.com:

-When are they most active?
A. During unstructured or free forms of conversations (e.g. weekend squid posts) (approx. 63% of all troll posts).
B. Shortly after a revelation / leak or in response to a controversial statement / inquiry.

-They do not target individual posters or specific evidence / data. Instead, they seek to disrupt the flow of conversation and discredit the credibility of the medium as a whole.

-Stylometric analysis shows that:
-English is always their native tongue, but various British posters pose as American and vice versa.
-Numerous puppets can be linked back to a single hand.
-They post in bursts, shifting aliases for a short period before disappearing.

-Their rate of success is low. Although they cause frustration among some posters and can draw plenty of attention to themselves, they are easily identified as trolls by other posters and rarely succeed in actually disrupting conversations.

CuriousJune 28, 2015 1:13 PM

I guess this had to happen at some point. I messed up something on my computer I think, heh can't view Twitter in my browser of choice anymore and I have no idea what is wrong and have no idea how to fix it (I think it started when I moved some digital certificates back and forth in windows 7's certificate manager). Might have deleted something by accident, don't think so though. Really annoying.

Btw, as I compare the 2048 bit public keys in the digital certificate for some VeriSign ones, the first 9 hex numbers and the last 5 hex numbers are the same, is this maybe usual? For all I know it might be, just looked a little odd to me, expecting more randomness somehow.

JustinJune 28, 2015 1:38 PM

@ Curious

What exactly are you comparing? What's different and what's the same?

The "last 5 hex numbers," if that's the exponent you are talking about, 0x10001 (or 65537 in decimal) is a very common exponent for a public key. But you also mention "the first 9 hex numbers." If it's exclusively the modulus you are talking about I really have no idea.

CuriousJune 28, 2015 2:57 PM

@Justin
Just to quickly show you the type of number I was looking at in the certificate, under the 'public key (RSA/2048 bits)' part. Sry for the diversion.

To be honest I am not sure what I am looking at. It seem to be 270 pairs of characters, that by themselves look like hex numbers to me. So the first 9 pairs and last 5 pairs looks the same for several certificates I saw.

30 82 01 0a 02 82 01 01 00 af 24 08 08 29 7a 35 9e 60 0c aa e7 4b 3b 4e dc 7c bc 3c 45 1c bb 2b e0 fe 29 02 f9 57 08 a3 64 85 15 27 f5 f1 ad c8 31 89 5d 22 e8 2a aa a6 42 b3 8f f8 b9 55 b7 b1 b7 4b b3 fe 8f 7e 07 57 ec ef 43 db 66 62 15 61 cf 60 0d a4 d8 de f8 e0 c3 62 08 3d 54 13 eb 49 ca 59 54 85 26 e5 2b 8f 1b 9f eb f5 a1 91 c2 33 49 d8 43 63 6a 52 4b d2 8f e8 70 51 4d d1 89 69 7b c7 70 f6 b3 dc 12 74 db 7b 5d 4b 56 d3 96 bf 15 77 a1 b0 f4 a2 25 f2 af 1c 92 67 18 e5 f4 06 04 ef 90 b9 e4 00 e4 dd 3a b5 19 ff 02 ba f4 3c ee e0 8b eb 37 8b ec f4 d7 ac f2 f6 f0 3d af dd 75 91 33 19 1d 1c 40 cb 74 24 19 21 93 d9 14 fe ac 2a 52 c7 8f d5 04 49 e4 8d 63 47 88 3c 69 83 cb fe 47 bd 2b 7e 4f c5 95 ae 0e 9d d4 d1 43 c0 67 73 e3 14 08 7e e5 3f 9f 73 b8 33 0a cf 5d 3f 34 87 96 8a ee 53 e8 25 15 02 03 01 00 01

How am I to read this as being 2048 bits anyway?

JustinJune 28, 2015 3:45 PM

I'm making an educated guess here. You say 270 pairs of hex digits, that is, 270 octets, or bytes. Fourteen of them you say are the same for several certificates.

The remaining 256 pairs of hex digits I am quite sure are the modulus of the public key (that is, the product of the two large primes used in RSA.) You can check that makes up 2048 bits -- 8 bits per pair of hex digits.

See https://en.wikipedia.org/wiki/X.509#Sample_X.509_certificates

The data you are looking at, I believe, is the "Subject Public Key Info" which has three parts, (1) an identifier for the public key algorithm in use (namely RSA/2048 bits) somewhere in those first nine bytes, (2) the modulus, as I described, and (3) the exponent.

The last three pairs of hex digits you posted are clearly the exponent, 65537. There are extra bytes floating around that are encoding the length and presence of the various fields in the public key certificate format. I am not familiar with any particular x.509 certificate format but that is my best guess. Note that the first bit and the last bit of the modulus are ones. (That is, the first hex digit of those 256 pairs is in the range 8-F and the last hex digit among those is odd.)

gordoJune 28, 2015 4:14 PM

General Hayden, among other things, uses the OPM breach to lobby for information sharing in this "Cipher Brief":

Why Can't We Play This Game?
General Michael Hayden | The Cipher Brief | June 24, 2015

It's not only the executive branch that has been late to need. The last two Congresses have failed to pass cyber security legislation that would have given liability protection to firms sharing cyber threat information with one another and with the government.

http://www.thecipherbrief.com/articles/why-cant-we-play-game

In that regard, at the June 24, 2015, House Oversight Committee’s second hearing on the OPM data breach, we have an example of how information sharing can be stymied. To wit, OPM did not share breach information, [in a timely fashion, if at all] as provided by regulation and as contractually obligated, with either U.S. Information Services or Keypoint Government Solutions. Here’s the headline for the YouTube clip: Trey Gowdy Blasts Panel for OPM Data Breach: "What Does Immediately Mean?" Video here. [Length: 06 min 51 sec]

Back to General Hayden's plea. If information sharing is already required by law, what's he complaining about?

See also:

False positive: National Archives files matched OPM signature, but were legit
Sean Gallagher | Ars Technica | Jun 24, 2015

Update: National Archives officials now report that the "indicators of compromise" found on three Archives systems were a false positive, and that no breach has occurred, contrary to a NextGov report yesterday.

http://arstechnica.com/security/2015/06/national-archives-finds-same-malware-that-stole-govt-personnel-data/

Simplified thought process: Different target systems have different system characteristics? I guess my question is, in general, when do indicators of compromise perform well, and when don't they?

tyrJune 28, 2015 5:11 PM


@gordo

If I read that correctly it looks like DHS sent the
malware to NARA. Of course it is par for the course
when the fingerpointing starts. Starfleet Hayden
blames Congress for not fixing the barn door the
gov left open.

@the usual suspects

Loved the Print(f) wormcan. As a naive type I once
wrote some assembler to send memory contents to a
Centronics printer without conversions. It burned
a nice hole in the paper and stressed the machine
pretty hard.

BoppingAroundJune 28, 2015 5:14 PM

Gerard,
It seems it's not just 'a lot' but almost all major distributions have switched to it bar Gentoo and Slackware; for the former it is possible to use both OpenRC (their default init system) and systemd; for the latter Volkerding expressed reservations but he also said the switch is possible in the future. It seems the 'battle' is really over.

Clive,
To add to that, I also think it has not been 'finished' yet. Perhaps the surface will grow even more.
(I didn't know it can do the VM management too now. Who knows what else it will do in the future.)

J. AngletonJune 28, 2015 6:04 PM

@franklin

"Guess what happens next."

Uh, you have another bowl before Mommy gets home?

gordoJune 28, 2015 6:28 PM

@ tyr,

Got it. The national league, err, government may not see a CYA winner this year. I wonder if the American people will do any better in the pitching department.

Clive RobinsonJune 28, 2015 6:42 PM

@ BoppingAround,

I also think it has not been 'finished' yet. Perhaps the surface will grow even more.

It's almost guaranteed to, both the lead developers have indicated it will in perpetuaty be a work in progress. That is they appear to view it as being a life long meal ticket. They both have undesirable charecteristics identified by well known and well respected Linux developers of a form which strongly indicates that the Dunning Kruger effect is alive and well. Especially as alienating the community by ignoring security critical bugs and calling others 455holes in public appears to be their "stock in trade".

The big problem with it is that is way way way to Linux, GNUlib and Gnome specific, which means you are not going to find it on any other *nix varieties such as BSD or Mac OS X etc. Further it's assumptiond are highly focused on an area Linux is weak in, which is desktops, and effectivly rules out it's use in the areas Linux is strong in (embedded, smart devices and servers). It also grates badly against "Unix Philosophy" of small applications doing one function and doing it well, their work gives the "Jack of all trades master of none" saying a fine example.

So why is it popular with "Desktop Distributions", one argument is it saves distro maintainers a lot of work... If this is the reason then Linux is heading for a major "road crash".

Oh it's not just the two distro's you mentioned, most "specialty distros" like Puppy Linux are having nothing what so ever to do with it, because it takes "bloat" to new levels.

Hopefully RedHat will see the dark clouds building on the horizon and take steps to stop Linux getting washed out to sea by it...

FigureitoutJune 28, 2015 9:46 PM

Moderator RE: "Satan" and trolls
--I'd like to formally lodge a complaint against this individual, s/he is making me have flashbacks to bad memories w/ her/his stalker-ish behavior; I wish I could delete that memory or go back in time but I can't. My name starts w/ a 'J' and I have a Verizon phone (I opened myself up here as a defense mechanism when I felt like they were going to kill me after repeated break-ins, stalking, and threats. So a bunch of people on here know exactly who I am and where I live, etc...especially after bloodstains on my bedsheets around my ears and ankles and feeling groggy when I woke up; that really mentally disturbed me and it didn't register until a long time later what the hell that could've been). I've dealt w/ these psychopaths for so long by myself only telling one person in meatspace when I broke down and cried (I used to enjoy blowing their covers and whatnot, I used to play "spy" as a kid and for a time wanted to join CIA until they told me how much falsehoods we have to do and how unprofessional they are today), but it's really a toxic waste of time and I ignore now. Not to mention his/her comments have *zero* intellectual worth and are pure troll-bait. I know you just warned him/her but maybe another warning; I just skip his/her comments anyway but even those 2 seconds are a waste of my time I'd rather have back.

PS: Sorry for cursing, I c*ver it up w/ stars.

Nick P RE: using C for complex projects
--As we've said, how much embedded stuff have you done w/ C? How many chips? My fave is radio chips w/ LCD screens and buttons, you can run just below an OS and do some small application and it should almost totally flow in your head. W/ enough memory on the chip I can do crypto, hashing, PRNG (a bad one but still I'd like to see someone predict it and you can always just "add it to another sausage grinder"), RF comms transferring data from one board to another, interfacing a lot of peripherals (ie: attached to other computers), and as I said a small "menu-like" application for all that. The compiler and build environment is still shaky but you can dig in and it can get murky, but it's not *that* bad considering every computer needs something like a time reference to make sense of anything (this concept confused me for awhile but can be visualized very easy w/ an arduino and a 8-ohm speaker, you can play notes and small jingles on it, just remove all the timings for your little jingle and you get freaky-garbage noises), it needs it until we discover another fundamentally different way to compute b/c I don't buy "this is it". If it needs a time reference for every single thing (or some kind of way of spacing time), it needs to be coddled w/ some init stuff that isn't good on the eye, just isn't.

I say this b/c of course operating systems on motherboards are going to be complex no matter what frickin' language you choose! So much fast signals!

RE: Lisp printing
--Wanted to find some similar article on printing to the screen in Lisp so you could actually do a comparison of the 2 to "the evil virus C", of course I found some articles that love to shield me from what's actually happening in the computer and I can just call a print function and elegantly and magically and safely I got text on screen! How nice! Does it spit out a lollipop too and I can skip-along and laugh like a kiddy?! No, well, I'd have to use the "format" command actually, and specify to not return if I just want to print 1 time, and and gets a little more murkier and weird from here...I liked this line: "Format always returns nil unless its first argument is nil, in which case it prints nothing and returns the string instead of printing it"--U wot m8

But I wanted more, I wanted to see some OS's in Lisp seeking out some of this ugly library code, found a couple, this one hasn't had a release since 1998, and has some version that runs on Linux?

https://en.wikipedia.org/wiki/Genera_%28operating_system%29

http://www.symbolics-dks.com/

But I found this one on github (love github, just get to code quickly) and you can read some of it yourself, *spoiler* some of the comments read "..ugly...FIXME..." macros and of course the very clear to read and won't ever cause bad bugs ")))))))" at the end of some macro; in case you get a seizure trying to count it's 7 parentheses and you can't immediately tell which one goes for what. That is worse than C. I can't describe what's happening well either since I don't know Lisp.

Not to rag on this guy's project either though, directly purely at Lisp language.

https://github.com/froggey/Mezzano/blob/master/system/pprint.lisp

This "printer" is nice too: https://github.com/froggey/Mezzano/blob/master/system/printer.lisp

tyr RE: printer burns
--Lol, what the heck did you do?

CuriousJune 28, 2015 11:53 PM

I solved my issue. Comparing certificates used by my browsers, I see I had apparently moved two essential certificates into the untrused folder in Windows by mistake it seems (highly likely). After trying to make sure the certificates were exactly the same, I moved the two DigiCert certificates back into the 'intermediate' folder.

Heh, glad I don't work as a sys admin, because moving them back seemed a little iffy, given how little I know about certificates.

Nick PJune 29, 2015 12:01 AM

@ Figureitout

"And people think LISP is hard to read... Shit, you'd think the authors were trying to write 60's-style LISP in C macro's lol. " (me)

/\ /\ I'd think that quote would've told you how bad the LISP stuff could get. I appreciate the effort you put into proving my point, though. :P

JustinJune 29, 2015 12:18 AM

@ Figureitout, Moderator

Moderator RE: "Satan" and trolls
--I'd like to formally lodge a complaint against this individual, s/he is making me have flashbacks to bad memories w/ her/his stalker-ish behavior; I wish I could delete that memory or go back in time but I can't. My name starts w/ a 'J'...

For one thing, Figureitout, I have no idea who you are or where you live. (If I ever knew from this forum, which I doubt, I've long since forgotten.) In any case, it is not my business. For another, I have similar bad memories to what you just mentioned. That individual's posts (some of which were directed at me) are more a not-entirely-unwelcome acknowledgment of reality to me than anything. I do not feel threatened by them, and I do not feel that was the intent behind the posts, although I understand if they are triggering to some people. At some point we need to get beyond the trigger stage.

I feel it is up to the moderator if topics such as surveillance techniques and countermeasures (or whatever else) are allowed to be discussed here. I know I don't have much if anything to say on such matters. Realize, too, that not every post is going to be intellectually stimulating to every reader. Certainly mine are not.

tyrJune 29, 2015 2:11 AM


@Figureitout

The program was simple get contents of a memory location
convert to ascii output to printer and Bump memory pointer
and loop. None of that unnecessary stuff like paper advance
print head movement or line feed carriage returns.

It made a horrible racket.

At the time printers were mechanical with minimum electronics
so a programmer had to do all of the movement commands as
well as the data stream. We hadn't got to the peripheral
chip part of the class yet. It just proves everyone has a
mad scheme that will not work. It was Intels ISIS development
system. I think Kildall wrote a good part of it because it
looked a lot like a multi-user version of CP/M. The 8"
floppy interface was horrible though but I didn't know it
at the time. It sounded like a junkyard dog with a bone
every time it did something.

Clive RobinsonJune 29, 2015 3:41 AM

@ Figureitout,

, but it's not *that* bad considering every computer needs something like a time reference to make sense of anything ... ... it needs it until we discover another fundamentally different way to compute b/c I don't buy "this is it". If it needs a time reference for every single thing (or some kind of way of spacing time), it needs to be coddled w/ some init stuff that isn't good on the eye, just isn't.

There are several "times" computers need to know and it can get very complicated when relativity gets involved. The basic classes of time a computer uses are,

1) Firstly it's "clocking rate" that is usually defined by it's external XTAL. Usually used to control internal state changes and keep signals synchronized.
2) The Second is it's local time reference that is how it sees local time passing so it can communicate localy.
3) Third and often not considerd by many is it's relative time to other points it communicates to that are not in it's local time refrence.

The underlying issue is one of communication even if it's to just another logic cell on the same chip. The faster information can be transfered the smaller the local time reference is. There are two types of communication we talk about Synchronous and Asynchronous. And people get confused about them and time. They both need a time refrence to communicate, the difference is in synchronous communication the transmitter at one end of the Shannon Channel provides a time refrence to the receiver at the other end of the channel, in the case of asynchronous communication there is an assumption that both the transmitter and receiver share a common passage of time ie that it is local to them, thus the time duration of symbols can be reasonably estimated.

As anyone who has designed communications systems for systems where the transmitter and receiver are non local and move in different speeds and directions and thus don't have a common passage of time can tell you finding a way to establish a common refrence of time is vital. The simplest way to see this is to think of doppler effects then move up to the consequences of Einstein's thinking which effects GPS systems and mobile phones.

Whilst for single communications paths it can be fairly easily dealt with, not so multi point/channel systems, they realy need to be spacially aware with respect to a common fixed refrence point. Then use this awareness when communicating with the other points in the system by adjusting both it's TX and RX timings accordingly.

People have tried to design logic systems that lacked an external clock reference but even these are "self timed" due to the gate delays and other implicit time refrences. You can get away with it with chain, ladder or cascade logic that has no storage, feed forward or feed back and transition noise can be ignored. That is the logic systems are stateless but such systems are very limited in functionality and thus utility. One of the founding definitions of Turing engines is that they move from state to state, thus they must have an implicit time refrence, thus all computers do.

One of the rules of our physical universe as we see it is that everything physical is constrained by time and forces, so we can not get away from the issues of time, Einstein saw time as the fundemental measure of the universe and it's a view that still predominates even when we don't realise it.

CuriousJune 29, 2015 5:08 AM

Because of my lack of technical insight into the internet, I hardly dare putting forth a non specific problem here, but I can't help myself:

Speaking of timing. Having read what Clive Robinson wrote, it had me wondering; can network traffic be intentionally delayed by some party in the middle, by simply manipulating the notion of the time somehow? (time/clock/timestamps) Could network throttling work in this way by manipulating time and stall traffic? (I guess it currently might be simply infeasible.)

I don't really have a eh good problem to put forth, but reading what was written above made me think of something that I guess had me sort of worried some time ago: of risking having ones traffic routed around into a predictably and unnecessarily-"long"-path, for the purpose of someone having time to spoof/fake a web page to serve you, but now I was thinking it would be simply easier to maybe somehow fake the timing to stall or end your outgoing traffic.

I guess in the end, this vague stuff of mine would have to be a true technical issue to be meaningful, so as to be a truly interesting problem. I would think though that such a vague problem might perhaps be interesting for anything Tor related, which seem to rely on working in a specific manner.

Iirc Tor is promoted as being an anonymity tool, but also not for being a privacy tool, is this not correct? Or did I perhaps get this wrong?

Clive RobinsonJune 29, 2015 6:40 AM

@ Curious,

... had me wondering; can network traffic be intentionally delayed by some party in the middle, by simply manipulating the notion of the time somehow?

Yes fairly easily by increasing the "path length" also known as a "delay line".

Whilst it would at first glance appear fairly pointless, there are some places where it's a major billion dollar attack strategy.

In High Frequency Trading (HFT) time is critical and shaving a few nano seconds --1nS is about 1foot at the speed of light-- can make a real difference. So much so people have tunneled through mountains rather than go around or over them.

I can outline an attack for you which is rumored to has happened. Imagine you have a competitor who has a pathlength 1mS longer --three hundred meters or a drum of coax equivalent-- than you do. With modern computing and networking you could get their trade, make a counter trade and have it at the exchange before them. Do this ten or twenty times a second and make a thousand dollars per trade and you are looking at around a million dollars a day profit you would not otherwise have made...

However the same sort of trick could be carried out by the NSA or other FEYE nations, your web page request gets seen and sent along a long path route in the mean time they send what they want you to see on the short path route, due to the way the network protocols work, you see the first packet to arive which is there's, and the real packet gets dropped silently by your computer. Now imagine that the pages they do this to are for the likes of pubkey certificates, you get the NSA fake one and then they do a standard MITM attack on your traffic...

It's just one of the reasons the PKI of the CA model is broken beyond what you would expect. Thus you should always use a secure second or out of band communications channel for KeyMat, and the only way to get it to work that we know of is "initial hand delivery" to a trusted recipient. Of course the NSA et al could intercept the courier or the recipient is untrustworthy in some way from just being careless through to being a paid agent running a sting on you to frame you in some way (a not unknown tactic by the politicaly inspired arm of the FBI etc).

Clive RobinsonJune 29, 2015 6:57 AM

@ tyr,

At the time printers were mechanical with minimum electronics so a programmer had to do all of the movement commands as well as the data stream. We hadn't got to the peripheral chip part of the class yet.

Been there done that atleast twice, the first time was with a prototype robot arm, some twit decided the safety stop signal should be not hardwired but done by the software... the graunching of hundred dollar geared stepper motors can be a lot noisier than a bowl of Captain Crunch.

The second time was with a dot matrix printer, I was making a "Wether Fax" receiver and print out system using a relativly low cost 80col dot matrix printer in "graphics mode". Unfortunatly the manual was incorectly written thus the head moved before the pins had been retracted, thus they bent, and ripped the print ribbon. The cost of the ribbon I could live with but a replacment printer was about the equivalent of half a weeks gross pay...

As they say "These things are sent to try us" with the silent "and bankrupt" before the "us" ;-)

Clive RobinsonJune 29, 2015 9:22 AM

@ Nick P,

You might like this story,

http://www.dailymail.co.uk/news/article-3142221/CNN-confuses-black-white-flag-covered-sex-toy-symbols-ISIS-London-gay-pride-parade.html

Put simply a Female CNN "journalist" covering the London Gay Pride march, she spotted a black flag carried by a man dressed in black and white. She then had an OMG moment and called it an ISIS flag...

Now I don't know who her optometrist is but she might want to pay a visit to get her perscription checked...

Turns out that the "white arabic writing" she could not make out was actually "shadow images" of sex toys, and it was part of a satirical protest....

As trainee journous are repeatedly told "don't belive your eyes, and check your sources"....

CallMeLateForSupperJune 29, 2015 9:32 AM

@Clive Re: "safety stop" controlled by software instead of hardware

I smiled broadly when I read that. As you said in the same post, "Been there; done that."

Back in the early 80's, two engineers in the dev. part of "the house" were designing an interface card that would connect line printers to the S/370 "channel". They wanted to control the "I'm in deep doo-doo; reset me" line ("Disconnect_In") with a hardware "watchdog timer", independant of the uC; management wanted the line to be controlled by software, for $$ reasons. I joined the designers' in battle, and eventually management yielded.

Model 3262 was tHe first printer to get that card. I did the "channel attachment" portion of the alpha test of that printer. The (uC-controlled) printer was young and buggy and prone to "wander in the weeds". BUT!... thanks to h/w watchdog timer, the printer never hung my channel.

Thanks for the memory. :-)

Nick PJune 29, 2015 10:30 AM

@ necula

Good call. The Last 100 is almost useless now. Know or Believe's post above you is a perfect example of the disruptive trolls: a whole page of text saying absolutely nothing of substance. Moving on.

@ Wael

Fair point. I tried to dig up one for comparison but they're not easy to get a hold of. Maybe when I have more time...

@ Gerard

re modules

Yeah, that's one way they could do it. Solving modules would certainly have simplified man things as Wirth's Modulas showed us.

re MinamaLT vs web standards

Putting them to shame is an understatement. One looks like effort was put in by people that know something. The other looks like shit very distracted people did in their spare time while putting off real work.

re UNIX

That was Kemp's point. At one time, even UNIX was a cathedral. Just took a focus group of people ensuring it stayed what it was supposed to be and improved. To that effect, a person in the HN discussion pointed out DragonFly BSD was doing a lot more than fixing concurrency. Their Wikipedia article (see System Design) shows they're applying a lot of good lessons to it. Might be a great UNIX someday. Meanwhile, another writer implied that OpenBSD is the last true UNIX due to focus on simplicity, proper UNIX style, and consistency.

The original discussion actually centered on a "better" libc called musl. Here's a link to it. Good numbers in the comparison page in terms of what it supports and efficiency. Looked at their printf implementation out of curiousity: same. Did find this file with tons of regex's and state machines for characters. Might be the actual printf implementation. A true monster of a function. The first enum alone attempts to construct a NP-hard problem of source understanding. The next one doubles up on that. And then I quit reading. Library's specs are still nice, though. And with MIT license!


@ Clive Robinson

That's hilarious. Would a gay activist mock anti-gay, religious fundamentalists by using their artistic style on a flag full of dildos and buttplugs? Why certainly! Did the CNN correspondent say something to that effect? Not really. Instead, focused on the ISIS-like nature of the flag, the concern, and that nobody else was concerned. Right to fear-mongering & pushing Administration's tow-line it is!

ughJune 29, 2015 11:19 AM

Regarding:

I'd like to formally lodge a complaint against this individual, s/he is making me have flashbacks to bad memories w/ her/his stalker-ish behavior; I wish I could delete that memory or go back in time but I can't. My name starts w/ a 'J' and I have a Verizon phone (I opened myself up here as a defense mechanism when I felt like they were going to kill me after repeated break-ins, stalking, and threats. So a bunch of people on here know exactly who I am and where I live, etc...especially after bloodstains on my bedsheets around my ears and ankles and feeling groggy when I woke up; that really mentally disturbed me and it didn't register until a long time later what the hell that could've been).

I think some people would be better served to just stay away from this discussion blog, if they actually can be affected to this degree by what other people post here.

In fact if someone would want to pester another person...and they know sufficiently about that other person to identify the 'nick' of that person on a no-logins-required site such as this, then their postings here at schneier.com should be the least worry.

At this site you could easily change your nick, for example. Unless you think the moderator at schneier.com is in cahoots with the stalker:-)...in which case its probably best to spend time on some other sites.

Gerard van VoorenJune 29, 2015 12:57 PM

@ Nick P

When it comes to modules I forgot two things, one is namespaces, which should be of course the name of the module and the other one is macros in the API file. They should be namespaced as well to avoid the header file inclusion order problem. But to make a seamless refactoring possible it should be possible to localize the namespace such as "use module as local;" and let the preprocessor/compiler generate errors with API conflicts. Well, it's just an idea but everyone is free to shoot at it ;-)

About UNIX

I like the UNIX philosophy. Implementation wise... there are not so many good examples of it ;-)

This is a discussion place about security. So let's talk about TCB and the UNIX philosophy. The Linux kernel for instance with its ~15M LOC isn't a good example of UNIX philosophy of doing one thing only and do it well. It is also a massive TCB. And let's face it, it is patched 80's technology. Like Rob Pike said a long time ago "OS design is dead". There are many initiatives to really deal with the shortcomings of current OS design but they are all small scale. Oberon for instance has GC on OS level, not at PL level and MINIX-3 has a reincarnation server to deal with dead servers, plan-9 did have a large array of new technology and now Ethos as well. There are lots more of these really good initiatives. What is missing is a big wave of cooperative breaking new and simplistic technology to really deal with the 80's technology of today. What we are creating instead is DNA. A massive patched codebase that gets larger and larger and that mutates every day. The only big wave we have seen lately is *ouch* systemd and that only deals with PID-1, something that is partially irrelevant with a microkernel OS.

Milo M.June 29, 2015 1:09 PM

@CallMeLateForSupper • June 28, 2015 10:51 AM

A bit of explanation of the delete here, reached from the link you supplied:

https://en.wikipedia.org/wiki/Wikipedia:Articles_for_deletion/InBloom

"Looks like it was a student database that failed due to privacy concerns. I don't think a worthwhile article can be made on this topic - it would be just a re-hash of one of the news articles."

THe links 2, 3, and 4 in the Wikipedia page:

April 2014:

http://bits.blogs.nytimes.com/2014/04/21/inbloom-student-data-repository-to-close/

"Financed with $100 million in seed money from the Bill and Melinda Gates Foundation along with the Carnegie Corporation of New York, the venture promised to streamline how teachers and administrators accessed student records."

June 2013:

http://www.washingtonpost.com/blogs/answer-sheet/wp/2013/06/09/privacy-concerns-grow-over-gates-funded-student-database/

and America's version of the Daily Mail (though folded more compactly for reading on the tube) in March 2013:

http://www.nydailynews.com/new-york/student-data-compiling-system-outrages-article-1.1287990

JustinJune 29, 2015 7:55 PM

@ Milo M.

Re: inBloom Wikipedia deletion

As far as the Wikipedia article is concerned, maybe people just don't care. But if you are looking for a conspiracy, sure they wanted a glowing article that "read like an advertisement" while the project was still viable, but when the project failed, some business interests wanted to leave as little record of the failure as possible. Perhaps the idea is seen as still viable, and something that the venture capitalists would want to fund again, if they can put a more positive spin on the privacy aspects and disclaim any connection to the old project.

FigureitoutJune 29, 2015 9:09 PM

Nick P
appreciate the effort you put into proving my point, though
--Thanks it took like 0.000000035 seconds on google, so long as point is that Lisp can be just as bad if not worse than C, depending on the programmer and the logic s/he injects in the CPU. These were macros wrote in 1990's and 2015. And also it's only used in niche communities b/c it doesn't jive w/ majority of human beings who still use C, 40+ years later...Do a better more objective comparison next time that's expected of you.

Justin
--Good I don't know you either (did you sell cars in another life or is that another Justin?). I don't care what worthless trolls say, so long as they don't say my name; I want nothing to do w/ them.

tyr
--Thanks, interesting. Pretty funny what simple screwing around can do lol.

Clive Robinson
--Thanks, interesting as always. You've mentioned needing a reliable time source in past, is an external XTAL it? Like if I can't see the damn crystal to not trust? If you're always relying on some other reference you can't really trust it not to be tampered if the full spectrum of attacks are considered.

Another question, got some school stuff I'm working on and going to finish up a little HWRNG research hopefully while summer lasts (spoiler, it sucked. My assumptions were wrong and I couldn't *obviously* tell I affected output (I was limited by my 1980's radio and my $8 "spectrum analyzer", which is a frickin' joke for real research anyway, but I couldn't get down to bands below 24MHz and trying to get to the harmonic was too far away) but you have to collect so much data to see the patterns and I didn't want to get so comically obvious like pointing a goddamn microwave horn antenna blasting the circuit point blank and "hurr durr, it caused some problems" even though I was touching antennas on power rails to circuit w/ 100W CW, so I'm going to come back to it) but also connecting a radar 2 modules w/ G/FSK (I'm using firmware w/o OOK). I'm going to try w/ arduino first just to see it works which I'm expecting nearly 100%.

Anyway the question, I can't predict all the attacks and deal w/ that in firmware. Using mostly the given protocols (I'm not sure if I'd have to change SPI one which involves like hex opcodes that don't make sense at all immediately), I have a couple ideas. First I want to take in a "password" that's stored in EEPROM that needs to be transmitted before initiating any other comms, this is manually inputted basically anytime you want, weekly, monthly, etc. I think I could make this upwards a 32bit number, or longer (but I can extend that later of course, just want to see this working). Second, for jamming attacks, if "master" initiates and doesn't receive ACK, to keep switching bands and modulation types. On modern systems this is automatic and way more advanced but I want to do it in my basement. This can be done fairly simply w/ switch statements I *believe*.

Lastly, OT. A little observation you and others may like. I like when concepts intertwine w/ each other and especially when equations cross disciplines like chemistry, biology, electronics, etc.. Well was on a boat past week and we have some straps that oscillate in the wind, really annoying. It can be essentially quelled by simply twisting the strap, which you can visualize by the twists inverting and cancelling out the waves. Anyone w/ a desktop computer can look in at the power switch and note the twisted wires to deal w/ RFI/EMI. Interesting to see the concept cross over different mediums; also the constant circular rotation is so prevalent in our universe (look at our planet spinning, orbiting, and our galaxy), it's spooky.

ugh
--I've been dealing w/ this for years so it's not really a new concern I'm not already aware of. You know they don't exactly face me in person, well I confronted one at a bar one time and he got all scared and if I catch one at night one of us is going to die or go to hospital.

No I won't change my nick or go to other sites. This is my social network, pathetic but I don't care; few years I'll probably be gone or when blog goes down permanently. I don't facebook, twitter, instagram, just made a reddit, going to make another github, and have a blog. The troll can go to other sites like 4chan and be a worthless waste of space for all I care; just keep my name out of his/her worthless mouth.

WaelJune 30, 2015 12:29 AM

@Nick P,

Fair point. I tried to dig up one for comparison but they're not easy to get a hold of. Maybe when I have more time...

No need to do it on my account. It was a rhetoric comment.

WaelJune 30, 2015 12:55 AM

@Figureitout,

Anyone w/ a desktop computer can look in at the power switch and note the twisted wires to deal w/ RFI/EMI. Interesting to see the concept cross over different mediums; also the constant circular rotation is so prevalent in our universe (look at our planet spinning, orbiting, and our galaxy), it's spooky.

Because everything in the universe is sinusoidal (I am not sure it's true, but one of my teachers told us that a long time ago.)

And because different disciplines obey the same laws. You'll end up solving the same set of differential equations whether you're doing mechanical engineering or electrical engineering. One of the areas that amazed me a while back was that one can prove trigonometric identities the classic way or using probability or using Fourier / Laplace transforms. I don't remember the details but I am sure you won't have a hard time finding the ways.

Speaking of twisted wires, they do form a transmission line. You may also notice ferrite beads at the ends of the wires, especially high frequency / bandwidth ones such as your monitor cable (mostly embedded in the connector ends) to reduce stray fields.The equations you use for these won't be dealing with Voltages and Currents. They'll be dealing with Electric Fields and Magnetic Fields, because as the frequency goes higher, and the wavelength becomes comparable to the physical dimensions of the circuitry, then Field theory is the way to go.

circular rotation is so prevalent in our universe (look at our planet spinning, orbiting, and our galaxy), it's spooky.

It's doubly spooky ;)

tyrJune 30, 2015 3:31 AM

I'm not sure what to make of this. I'll have to re-read for
the implications but it is good to see this stuff exposed
to scrutiny.

http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2594754

@ Clive

The specialization that has occurred between abstraction
and mechanization has a lot of built in traps for the unwary.
Software types think it is all deterministic and the mech
aware have seen the timing problems of any useful implementation.

Automagic software just makes the problem worse and layering
it with tech illiterate management is not a help to anyone.
Sometimes a simple mechanical solution is superior to the
software creep induced by the old adage about the man with
a hammer wants every problem to be a nail. Anyone who thinks
that software can solve all problems is a Platonic delusionist.
A machine that combines superb software and hardware is a
joy to use and work with but there has been loads of badly
designed junk foisted on the unaware.

I worked on a lot of metallic ion deposition facsimile machines
but never cared much for the exposed high voltage of their
Rube Goldberg construction. Your plan sounded like a better way
once you got past the timing problems.

The wallet is the limiting factor on some experimentation.

CallMeLateForSupperJune 30, 2015 10:13 AM

Washington Post home page has gone SSL. Remaining pages will transition to SSL over the coming months.

(delete the extra "h")
hhttps://www.washingtonpost.com/blogs/the-switch/wp/2015/06/30/washington-post-starts-to-automatically-encrypt-part-of-web-site-for-visitors/

J on the river Lethe June 30, 2015 12:20 PM

@clive. I held out hope for years. Fiber optic or the Israeli camera pill. Instead now apparently pooping on a stick is enough. No blood or cell culture? No plumbing up the bum. ( Billy Connelly describing the prostate exam is hilarious. ) Btw. Who knew kale is bad for kidneys? And black tea. I figure coffee washes away a lot of ill will. ;)

On topic sorta. With the latest stories of huge hacks. I am beginning to lose confidence that our government is giving as good as it gets in relation to China, Russia, etc. efforts. Too sad for sarcasm or lol.

Clive RobinsonJune 30, 2015 2:14 PM

@ J on the the river Lieth,

With regards "poo on a stick" yes it's fairly low risk unless you try to collect the sample "contortionist style". A colonoscopy has about a 1 in 1000 risk of death, and obviously much greater risk of injury due to perforation or rupture... You can blaim the advance in chemical marker anylsis technology (should be called "poo on a chip" ;) for the reduction in "nine foot garden hose upssies".

As for "black tea" it's all teas including nettle and one or two others (pine needle tea can give you CJD as well). The reason why it's more prevalent with black tea is partly to do with the fermentation process breaking down cell walks, but mainly due to the fact we mostly use tea bags... Basicaly to get the "tea quick" each bag if steeped properly for 3-5mins will make around two liters of tea, but will make about 250ml if steeped for only 10-20secs. But the tea is what is known as "dust" which has effectivly been mechanically cut and milled, the result is the bad parts of the tea come out way faster than the good bits, and worse they tend to float to the top hence that funny blue glint brown scum on top of a "bag in mug" cupper but not when poured from the bottom of a pot. It's why using a proper tea pot, proper tea leaves and proper steeping is so important (oh and a lot less expensive).

As for Kale... why oh why do people hear something is health and then go compleatly over board and do stupid things???

First of eating 3lb of kale a day is ridiculous especially if your mad vegie smoothy diet also includes effectivly cutting back on iodine and selenium...

Anything more than 6onces of any one raw veg at any one time is not a good idea due to dietry leaching effects, likewise 20onces of any one cooked veg.

To get the iodine and selenium up add about a half inch of dulce stem and an almond to the smoothy. Oh and make sure you still eat a balanced diet. Oh and watch out for harrico beans and similar pulses and soya they have the same kidney harming properties.

As the old saying goes "A little bit of what you fancy does you good" but a lot of anything will kill you including to much water. Fad diets from "A list Stars" does not equal common sense or sound nutritional advice.

BenniJune 30, 2015 3:18 PM

news from wikileaks:

Apparently the united states fear to fall behind in renewable energy generation and biotechnology. Therefore they started to steal european feasibility studies in this area....

And by the way, the user skeptical insisted in previous postings here that NSA only spies on companies in order to prevent bribery.

Now can he tell us, why NSA is so interested in technological feasibility studies? That is, research from corporations whether a project can be done?...

This shopping list below does not look like somebody is interested in bribery. This is the shopping list of a looser who has fallen technologically behind....

If china spies on companies, well then this is a development country, and at this stage, such behavior is typical. But the united states are really developed. If they want to get an edge, well there is a simple thing they can do: force every student by law to try a master in the subject where the student did its bachelor. forbid them to make a phd without master, and make the phd a research phase, without lectures and courses (which were all covered in the master). Thereby, the studying time doubles, but the engineers that come from this system are more capable. Until this is not done, European technology industries will always have an edge over the US. Shopping somewhere in internet fibers does not make US get this edge...)

This classified US intelligence "Information Need" spying order mandates long term economic espionage against France in order to obtain details about the economic activities of French companies and the economic policies and decisions of the French government.


EI Classification : SECRET//NOFORN

Originator EEI Classification : SECRET//REL TO USA, AUS, CAN, GBR, NZL

EEI Title : (U//FOUO) Foreign Contracts/Feasibility Studies/Negotiations
Question(s) :

1. (S//REL TO USA, AUS, CAN, GBR, NZL) Report impending French contract proposals or feasibility studies and negotiations for international sales or investments in major projects or systems of significant interest to the foreign host country or $200 million or more in sales and/or services, including financing information or projects of high interest including:

A. Information and telecommunications facilities networks and technology?

B. Electric power, natural gas, and oil facilities and infrastructure to include nuclear power and renewable energy generation?

C. Transportation infrastructure and technology to include ports, airports, high-speed rail, and subways?

D. Environmental technologies used domestically and for export?

E. Health care infrastructure, services, and technologies, including biotechnology developments?

Nick PJune 30, 2015 3:48 PM

@ Benni

On the surface, what you posted doesn't counter Skeptical at all. We already have a number of cases where our spies uncovered foreign governments using bribes or other sneaky measures to get huge contracts. The hosting country usually gave us the contract as a result. Additionally, economic (not industrial) espionage is gathering intelligence on economic activities of target country to help our government or companies do better in negotiations. French do both of these as well.

Your sample and the linked list suggest that's exactly what they're doing. This is doubly true given the focus for various sectors is on details around huge contract awards. There's no evidence they're handing off stolen I.P. Instead, the document suggest they're trying to discern France's position and direction on all sorts of things. This has all sorts of benefits. Also, they even use the term "economic" rather than "industrial," which they use when it's company-specific.

@ All

Now, I haven't combed through the individual documents. Anyone who does and finds something more direct that supports the industrial espionage argument can feel free to post it. I'll call U.S. out on their schemes wherever there's evidence. So far, evidence points the other way around: French stealing I.P. & military secrets from us for decades while we mainly just get political and economic intel on them. Given all their I.P. theft, America found guilty wouldn't give the French a right to gripe until they suspend their own collection program. And they won't haha...

Nick PJune 30, 2015 6:25 PM

@ Clive

You previously proposed a nice idea where a currency was based on a whole collection of physical things with intrinsic value. There's a centralized, alt-currency called Ven that does exactly that. They even add carbon assets to that basket to aid environment as a side effect (clever).

Another interesting one is Freicoin. It uses demurage currency to try to force a more active, safer, equitable economy. Curious what your thoughts are on their concept. Aside from how the elites would smash it to pieces if it started going anywhere. ;)

BenniJune 30, 2015 6:40 PM

@Nick P:
Have you read the document carefully enough?

For example, there are many "or" options. some of these "or's" contain the spying during trade negotiations, but there are other options. If you delete several of these "or's" then you have

"Report impending French feasibility studies for investments in major projects or systems of significant interest to the foreign host country, including:"

"Environmental technologies used domestically"

So, no, they are not only interested in environmental technologies that are sold to foreign countries by France. No, they are interested in "Environmental technologies used domestically" in case they are "of significant interest for" france....


That they have written a text with thousends of "or's" in order to obfuscate their aim is kind of funny, like, "we want to catch bribery or major crimes or terrorism, or everything else of significance. More precisely, we want to analyze terrorists using encryption or encryption used by criminals, or everything else from people using encryption...."


Clive RobinsonJune 30, 2015 7:01 PM

@ Bennie,

Why go to France for the technology... you should know that in most cases for this type of technology the Germans are the world leaders.

Now I'm fairly certain that the likes of Boeing have been the recipients of "industrial espionage" on both Airbus and Rolls Royce, as both the companies also believe.

The question thus becomes "who" actually did the industrial espionage the US Gov or Boeing themselves... If it was Boeing themselves, I would have expected one of the affiliated European Govs to have known about it and said something by now.

Oh in the case of airbus I've been told they have used Crypto AG products as have the European Union... we have good reason to believe the NSA backdoored most of the Crypto AG kit a long long time ago (personaly I can't see why any competent organisation or gov would still use Crypto AG product after various revelations pre and post Snowden, "their choice their loss").

Nick PJune 30, 2015 7:26 PM

I'll simplify it while keeping it equivalent to what they said.

Original:

Report impending French contract proposals or feasibility studies and negotiations for international sales or investments in major projects or systems of significant interest to the foreign host country or $200 million or more in sales and/or services, including financing information or projects of high interest including: [then industry sector descriptions]

Mine:

Report impending French contract proposals, feasibility studies and negotiations for international business activity regarding goods of significant interest to the foreign host country. Report the same for goods totalling $200 million or more in sales and/or services. Report financing information or projects of high interest in these sectors: IT, electric power, transportation, environmental, and healthcare.

Details of my edits: Eliminate first few or's since they're really ands. Change sales or investments to business activity. Change products & systems to goods. Split off sentence with $200 million. Split off last one using same verb with a simplification.

So, they want to know what deals are going down, what people want to buy, what the competition can achieve with their tech, and what the numbers are. Nowhere in this paragraph does it suggest they're stealing the companies I.P.. Everything about it is consistent with getting inside information on a big contract or market trend to try to counter the offer with one's own I.P.. That's the normal game which isn't so bad. Since both sides do it, it keeps the table a bit even unless one's spies suck much more than the other's. ;)

On top of this, I haven't even heard that the French are leading in I.P.. In these categories, American companies are leading in IT, I'm not sure for electric power, nobody's copying France in transportation, not sure on environmental although we have plenty I.P. on that, and America has a leading medical/biotech presence. If we were stealing, we'd be going after countries with competitive or better I.P such as Germany, Japan, and South Korea. Japan and South Korea stole from us for a long time to get there. Germany seems to mostly develop their own stuff and be a target as well. France steals plenty and tries to rig contracts.

Nah, the document tells us nothing. That's why I suggested people dig in for other documents. Look for claims that they're recovering the actual design or implementation of products. The DIA's job, which involves getting designs, words their activities as such in their documents. So, if they're doing it, someone should have documents that don't make us guess.

Clive RobinsonJune 30, 2015 7:27 PM

@ Nick P,

I'll have a look over the week end.

As regards,

Aside from how the elites would smash it to pieces if it started going anywhere.

I don't think they would, as long as they could trade it up or down in various futures markets, to make a few bucks on the side.

The main aim of the elites these days appears to be to stop the plebeians getting their hands on assets that cannot be traced and thus devalued / seized by governments by taxation or prosecution for tax avoidance and the rights striping under racketering legislation.

As you might have noticed the elites through various tax breaks and other legislation they purchased via "campaign funds" pay only token amounts and are immune from the effects of prosecution, the odd fine they do get from time to time, gets passed on to others fairly quickly, and you and I end up paying it one way or another.

One wheeze available to companies is to buy assets not just as fully tax deductable items but to get the money via off shore tax haven banking, where the "faux interest" they pay is also fully tax deductable.

You try saying to the IRS "I'm going to pretend I borrowed a million from myself, and I've decided it's at 10% interest, I want you to take that of any tax I owe" and see how far you get...

Have a look at Apple, Starbucks and Amazon, and just how much they have sloshing around in various off shore accounts, that they got from the US and UK citizens, but can not now bring back to invest in the "workers" because of the level of tax they would have to pay. So it's not just the money but jobs as well... So much for this "trickle down effect" various political baboons keep talking about.

I think Karl Marx had it wrong when he said religion was the opiate of the masses, these days it's consumerism for worthless baubles payed many times over on "easy terms" credit...

BenniJune 30, 2015 8:05 PM

" Look for claims that they're recovering the actual design or implementation of products."

If they were doing that, they would be stupid.

What they want are, for feasibility studies.

Say some company does a feasibility study that windmills can generate more power in a country than nuclear powerstations. Or a feasibility study that electric cars can successfully replace cars driven by fuel....

They are not directly going after the new product. Their spying gets to the phase before the product is ever made, planned or created, before any patents are issued.

They want the blueprints saying that a product is possible.

And then the trade ministry has such a nice institution where US companies can get advise and the american company will get the patent since it acquired enough money to create the product first, in shorter time than france, who came up with that idea....

The second interest is, or course trade negotiations. If a company bribes, they act as whistleblowers in order to make american companies get the contract. And they probably seek the pricing and client list of a company, in order to give the american companies proper advice to whom they can sell and for which prices...

As for the question why they are doing this on france and not on germany: Well that is probably because the files are on france.

Almost certainly, they have a similar sigint requirement list for germany....

J on the river Lethe June 30, 2015 9:32 PM

@clive, NickP

1. Yes, everything in moderation. And in much smaller portions than American portions. Ugg, I have no interest in a 3 lb burger. I'm not a big enough person. And considering all things, vitals quite good.

It is amazing to me how adaptive and self healing the human body is. It takes years of alcohol and diabetes before people start losing parts. The human body and mind can become addicted to anything. I think persistence hunting was a real strategy for early man and wonder if obsessive behavior and taking things too far may be related to it.

2. Basing currency on tangible and I would add intangibles would be good. The tangibles are easier...gold, silver, copper, oil, etc. the intangibles would be trickier and need to reflect "1st" world economies. Maybe items like labor rate, productivity?

3. I really hope that the U.S. Is taking in par with what we are losing in IP to countries such as China. But having intellectual property is not the same as being able to use it. The general public thinks they are. Wrong! China has worked for decades to domestically build high performance fighter jet engines. Same with anti ship missiles. The U.S. Has moved to laser. It takes decades of experience to do certain things. Nuc sub propulsion systems, aircraft carriers, miniaturizing nukes, etc.

The U.S. Moves forward while forcing an opponent to punch above their weight. At the same time they have to wonder if they can pull it off. Caution though. They could swarm with 10k zebra boats.

4. The elites have always gamed the system. I don't think it can be stopped, just curtailed. Until human nature changes anyway. But I remember a quote about judging a society on how they treat the old, prisoners or dissidents, and animals. Might be a good start for evaluating people or organizations?

Mike AmlingJuly 1, 2015 3:53 PM

@Curious Off the top of my head, your 270 bytes are parsed as follows:

30 // What follows is a compound entity.
82 // Two-byte length follows.
01 0a // The entity's length is 010A (base 16) bytes [266 bytes].
02 // Integer's length and value follow. [the entity's first of two components]
82 // Two-byte length follows.
01 01 // Integer's length is 0101 (base 16) bytes [257 bytes].
00 // The first of 257 bytes
af 24 08 08 29 7a 35 9e 60 0c aa e7 4b 3b 4e dc
7c bc 3c 45 1c bb 2b e0 fe 29 02 f9 57 08 a3 64
...
ae 0e 9d d4 d1 43 c0 67 73 e3 14 08 7e e5 3f 9f
73 b8 33 0a cf 5d 3f 34 87 96 8a ee 53 e8 25 15 // The last 16 of 257 bytes
02 // Integer's length and value follow. [the entity's second and final component]
03 // Integer's length is 3 bytes.
01 00 01 // Three-byte integer 10001 (base 16) [65537]

When the compound object is an RSA public key, the first entity of the compound is by convention the integer modulus of the RSA public key. The second entity is the integer exponent of the public key. It's not at all surprising that the first 9 bytes and last 5 bytes are identical among many, many 2048-bit RSA public keys that use 65537 as the exponent. The 256 least significant bytes of the modulus should look fairly random.

JustinJuly 1, 2015 4:51 PM

@Mike Amling

Thanks for the explanation of Curious' question. I was actually getting curious, too. I just knew somebody would have the correct details off the top of their head.

Off the top of your head, is there a technical reference for all this?

FigureitoutJuly 1, 2015 8:02 PM

Wael
Because everything in the universe is sinusoidal
--Hope not, b/c then there is no randomness meaning any system can be deterministically attacked...Two more "freaky" examples is um...think about reproduction viewed from a side angle and if our planet is moving outwards, then it makes a sine wave (depending on how big & juicy the pumpkin a$$ lol, I know how you like them :p). Also, a more personal example is DNA...twin helix spirals.

And yeah the twisted wires have to be perfect, all these "effects"...I'm having "a time" w/ an electric field at the time and what *I believe* to be parasitic capacitance; crazy stuff.

Thank god for serial outputs giving some vision.

Benni
--Silver lining for actual innovators and creators is stealers still have to do a lot of "business operations" to make it worthwhile (to pay for the spying) and also have the expertise to even know what they're dealing w/ otherwise it's still a net loss.

WaelJuly 1, 2015 8:17 PM

@Figureitout,

Lol, you tear me up man! I needed the laugh :)

Ain't nothing random. Randomness is in you mind ;)

Jack LJuly 1, 2015 9:15 PM


The idiots at Google needed provided the government information on who you are actually hanging around with in your photos.

The old system in which users categorize their own photos for their own future use would have been more than sufficient.

The end user does not really see any improvement from this new system. But it does give Google the control of how the photos are tagged and categorized and is superior for all kinds of automated processing and surveillance.

The problem is that in their hurry to implement it they bypassed some of the steps in the AI's training.

Google Photos assigns 'gorilla' tag to photos of black people
http://www.telegraph.co.uk/technology/google/11710136/Google-Photos-assigns-gorilla-tag-to-photos-of-black-people.html


Google has removed the 'gorilla' tag from its new Photos app, after a user noticed it had filed a number of photos of him and his black friend in an automatically generated album named 'gorillas'.

The affected user, computer programmer Jacky Alciné, took to Twitter to post proof of the Google Photos error, along with the question: "What kind of sample image data you collected that would result in this son?

GregWJuly 1, 2015 11:45 PM

At least 14 of the top commercial VPNs (all ones based on OpenVPN) leak IP data via IPv6 traffic leakage or IPv6 DNS hijacking:

http://www.theregister.co.uk/2015/06/30/worlds_best_vpns_fall_flat_in_security_tests/

I suppose now I have to read the original paper to figure out whether/how to fix the plain opensource OpenVPN I setup for that nonprofit a while back... blergh. Looks like they cover that in section 6 of the paper; turning off IPv6 is straightforward but not sure I follow yet how to deal with the IPv6 DNS hijacking.

GregWJuly 1, 2015 11:47 PM

Oops, I see Clive just posted about this; his link points straight to the original paper.

siddJuly 2, 2015 12:32 AM

New snowden dump at the intercept

they like vi and typing :wq! a lot

sidd

WaelJuly 2, 2015 1:11 AM

@Anura,

Pretty good, especially the last one :)

OT: there was once a cartoon of a baby in one of my elementary English books. The book series was called "Look, Listen, and Learn" by Longman. Every time I looked at the picture I laughed even during class (and got kicked out of class several times.) I think this was in fifth grade or so. I cut the picture and stuck it on my wallet until I went to college and I still laughed at it. Lost the picture and trying to get the book again, found it on amazon... One of these days :)

There was also another cartoon that I can't locate: A man sitting next to a woman that looks like a vulture. She was eating an animal's carcass... The man said: Honey, I didn't know that's what you meant when you said you eat like a bird :)

I come with four cartoons and you raise me with three? You must be all in :)

AnuraJuly 2, 2015 1:24 AM

@Wael

You should probably play more poker; raises don't have to match the initial bet.

That said, I haven't read far side in so long; those are my three favorites and I can't really remember more.

Clive RobinsonJuly 2, 2015 8:43 AM

@ All,

It would appear that "ex-service" personnel are not a good fit in large commercial organisations.

Further they suffer not just from the expected bailiwick issues, but also as I've mentioned befor seeing all significant attacks through red tinted glasses and incorrectly assuming China/Russia state level attacks, not what they are more likely to be which is "criminal" attacks routed through computers in the aforementioned states...

http://www.bloomberg.com/news/articles/2015-06-30/jpmorgan-reassigns-security-team-leader-a-year-after-data-breach

@ Bruce,

It might be worth looking into the mis identification of criminal for state level attacks, especially as "gung ho" senior service members want the independence of "going hot" from the executive, IC and LEOs.

The last thing we want is a cruise missile or drone launched weapon blowing up a school full of children simply because the computers got hacked and used as a relay....

Clive RobinsonJuly 2, 2015 11:20 AM

Hmm, 5 PM BST UK time, I know tomorrow is a holiday in the US due to the 4th July falling on Saturday...

But no "daily post" from Bruce yet... does that mean that for this week "Thursday is the new Friday"?

It it does I hope you all have a "Squidly diddly time" for the longish weekend and the weather's fine for the barbi and veranda beer chugs... The UK had a mini heatwave yesterday with "blood heat" tempratures at Wimbledon (tennis) and Heathrow (LHR airport). The heat did not stop play at Wimb and no aircraft have melted into the tarmac as has happed in previous years, so I guess summer here is officialy over without much drama, unless of course it floods again...

Mike AmlingJuly 2, 2015 3:04 PM

@Justin
If I had to do all again, I'd start out at Wikipedia (which didn't exist when I did it the first time). Look for ASN.1 format, BER and DER.

WaelJuly 2, 2015 11:28 PM

@Clive Robinson,

It it does I hope you all have a "Squidly diddly time" for the longish weekend

Some of us won't have a long weekend. Thanks for the sentiment, though!

Clive RobinsonJuly 3, 2015 3:36 AM

@ Wael,

Some of us won't have a long weekend.

True, it's a "US only" and not all get to enjoy it for various reasons such as rescuing and patching up those that do enjoy a little to flamboyantly. Or providing those essential services and support for all forms of infrastructure etc we tend to forget about, without which our lives would be a lot less enjoyable.

However there are also those who's bosses think that sending employees abroad on business to countries where it's not a public holiday is a good wheeze, especially where they don't give either "Time of in lieu" or overtime rates... To those that find themselves in that position I have considerable sympathy. I worked for two companies that thought it was a profitable wheeze, the solution I found was, to book an expensive holiday with a fixed departure / return date that covered the public holiday period. For some reason in both companies the contract had only "for week" notification periods for holiday etc. As some will know there are ways of giving notification to the company admin / Human Remains Dept, such that the "bad boss" tends not to hear about it for a week or two... I gave the "bad boss" the option reimburse me in total or send somebody else, he didn't pay so I played, and the other engineer --who I disliked-- had to disapoint his girl friend and her parents. From that point on I used to start talking about visiting foreign parts over public holiday periods two or three months before hand, and the "bad boss" stoped trying his little wheeze...

At the other company when the Managing Director tried it on and pushed it I got shirty, and said I quit, which was in the middle of an important stratigic project funded by the UK Govt. Funnily my actual boss dragged me in his office for what I thought would be either a dressing down, or horse trading... It was neither, he told me he was sending me home till the end of the week, and the rest of my "notice" was acumalated holiday time, all of which would be paid. So I thought, oh no the "cold shoulder deal", and to my supprise, he then smiled and said that I was to go the following day to speak to somebody at an address he gave me and said dress smart they've got a job for you. I got the job at the equiv of a 45% pay increase, and when I started a couple of weeks later, I found my "new boss" was my "old boss" and the reason he'd sent me home was to give the MD the bad news he was leaving as well... As for the old company I heard a few weeks after that that the MD had "taken early retirment" and that the Chairman of the parent company had taken over. I got it direct from the Chairman, as he contacted me about tidying up the "stratigic project" which I did. So I ended up working all hours for several well paid weeks... Some times life takes a funny turn of advents as the dice roll and click.

Dirk PraetJuly 4, 2015 4:35 AM

@ Larry Mandir

Us here in Europe would like to extend our warmest feelings to our American friends who on that faithful day in history overcame this horrible alien invasion that wiped out Washington DC.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.