Friday Squid Blogging: Bobtail Squid Keeps Bacteria to Protect Its Eggs

The Hawaiian Bobtail Squid deposits bacteria on its eggs to keep them safe.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on October 2, 2015 at 4:11 PM • 173 Comments

Comments

Chu Quevedo • October 2, 2015 4:32 PM

The CIA creates a new department to keep up with developments in IT: the DDI (Directorate of Digital Innovation). In doing so, it has a revelation. Anonymity works both ways:

"As we go about collecting HUMINT, the DDI will help our clandestine officers maintain effective cover in the modern, digital world. For our case officers, the cyber age is very much a double-edged sword. While digital footprints may enable us to track down a suspected terrorist, this “digital dust” can also leave our officers vulnerable.

Think about it: Every one of us leaves a digital trail that an enterprising foreign intelligence service can try to follow—credit card transactions; car rentals; internet searches and purchases; the list goes on and on because, in a sense, we all “live” in a digital world. Our interactions, transactions, and communications are increasingly performed or stored in a digital form."

https://www.cia.gov/news-information/speeches-testimony/2015-speeches-testimony/deputy-director-cohen-delivers-remarks-on-cia-of-the-future-at-cornell-university.html

ObsoleteGearshift • October 2, 2015 4:35 PM

A new—and somewhat unusual—arrival in the whistleblowing (no pun intended) landscape: Football Leaks. It's a Portuguese site hosted in Russia, promising to air the dirty laundry of the multi-million dollar contracts and under-the-table agreements in European football (aka soccer, for our American friends).

http://football-leaks.livejournal.com/

tyr • October 2, 2015 5:17 PM


From the what could possibly go wrong with this dept.

"Currently, only the US military is fielding (testing?) a battlefield internet; Putting the equivalent of a smart phone in every soldier's hand (or wrist)."

manila rabbit • October 2, 2015 5:35 PM

Great news as a follow-up from a couple of squid-posts ago (where the privacy implications of EFI/UEFI and Windows 10 were being discussed): Libreboot laptops (substituting Intel's nightmarish ME) are now being shipped worldwide from the USA and UK.

UK: http://minifree.org
USA: https://shop.libiquity.com/

I'm seriously considering placing a substantial order. Has anyone tried them yet? Any success installing and running QubesOS in one of these (they haven't been added to the HCL yet)?

The only aspect that's putting me off at the moment is having them shipped from the USA. Is it worth me sending them a big pack of tamper-evident packaging and asking them to use them to deliver my order, or is that a waste of time when it comes to you-know-who? (I try to rein in my paranoia, but an order of 30+ libreboot laptops delivered to a content-sensitive business in Latin America is probably the kind of thing that gets interdiction officials salivating.)

Bob S. • October 2, 2015 6:03 PM

Scottrade Alerts 4.6 Million Brokerage Customers of Breach

Seems this all occurred a couple years ago. Scottrade was clueless until the FBI clued them in. Seems other stock brokers were hacked also. Stay tuned.

One big problem is there is no real penalty for losing the personal data records of millions of people. Indeed, most corporations refuse to do business with you unless they scoop up a dozen or so data points to be sold and shared throughout the corporate/government regime.

There must be legal sanctions imposed on every company that loses personal data. I would start with $1k-10k damages, fines and fees for EACH RECORD lost, damages payable TO THE VICTIM. Also, if gross negligence was afoot, ne'er do well executives should be jailed.

Since when is turning over all your personal data, again, to a credit agency for tracking a penalty for the company or benefit for the victim? Didn't EXPERIAN just very recently lose a ton of records?

--------------------------------------------------------

Re: Putting a tracking phone on every soldier's wrist. Soldiers may be the test bed for mandatory tracking devices on every person. Maybe implants. Maybe a thing like a dog collar. Maybe a ball and chain maybe.

SoWhatDidYouExpect • October 2, 2015 6:32 PM

@tyr:

So, to keep that network secure, are they going to teach the soldiers Navajo code talking?

@Bob S:

As long as nobody knows about it, the data didn't get breached, wasn't stolen, and didn't get lost. Most likely, it was shared, sold, or given away (the breach is just a cover story to protect their greedy butts). That is what Top Secret and State Secret does for the guvmint folk.

Tõnis • October 2, 2015 7:28 PM

@Wow, interesting article. I still use TrueCrypt for data which I store in encrypted containers on micro sd cards. I'll bet no one I may ever encounter (at least up to state police forensic lab level) will be able to get at that data.

ianf • October 2, 2015 7:56 PM


Now that Ed @Snowden aims to tweet from Russia (14 times so far; 1.2M followers, but himself only follows @NSAgov ;-)), will that raise the risk of him being found & ultimately hunted down?

After all, what is there to prevent active-service "Haydens" of the nether world who hate his guts for outwitting them, from infiltrating Twitter's infrastructure on the adm. superuser level & surreptitiously trace his dispatches back to the origin? If Cliff Stoll with a little help of his satellite-relay friends could follow "his" Berkeley lab intruder all the way to Germany already in the 80s, it ought to be a piece of cake for current Beastly Boys. I'm sure Ed has thought it through, and made sure to eliminate the risks involved, but… them there are crafty, anal-retentive buggers.

Clive Robinson • October 3, 2015 3:56 AM

@ Wow, Tõnis,

That article and several others make it clear it's

1, In the Windows Driver Code.
2, For Privilege Escalation.

We need to know a bit more than that to say for definite, but if you have used another OS then you are probably OK with your micro SD cards.

Windows Drivers are a known security risk due to amongst other things their long and inglorious history and backwards compatibility.

As time goes on Microsoft is steadily becoming more and more of a hostage to its early DOS designers' choices, where security was never a consideration. But even so many of their choices made no sense then or now.

The problem with pushing encryption code into an existing storage media stack is "at what point" for FDE the best place is below the file system code, whilst for file based encryption it's better to have it above the file system code. But what do you do about directories and multiuser access to the same drive, well that is very OS dependent as well as being very messy, then there are journaling and snapshot issues...

Who? • October 3, 2015 4:47 AM

@manila rabbit

Are you seriously considering buying a used T400 at the price of a new, unopened, factory sealed with full warranty, T450? What about buying a T400 at its right price (about $100 USD) and reflash the firmware yourself?

As I said before, Intel Management Engine is not the problem here. Just run your machines behind a firewall that blocks incoming connections to ports 16992 (tcp/udp) up to 16995 (tcp/udp).

An alternative BIOS will mean worse hardware support (for some devices inside the laptop no support at all), and will leave open room for other firmware-related backdoors. The BIOS/ECP is not the only firmware that can be backdoored on a laptop, you know it, right? The HDD/SSD drives, network cards, graphics adapters, WAN/WWAN adapters, batteries... all these components have their own firmwares and are in most cases better places to backdoor a computer. Not to say the wildly undocumented "security chip" inside these laptops, or the possibly biased hardware random number generators. OpenBSD lacks support for the security chip, and most hardware based PRNGs, for a very good reason.

I am more worried about the operating system itself... will it run Microsoft Windows or a cheap, unsecure, Linux? You lost.

Seriously, I would buy a modern computer, get its multiple firmwares updated (I must admit Lenovo does a good job here supporting firmware updates on their high-end laptops for up to four years), install the right operating system, one of the few operating systems that truly care about security, and run these computers behind a firewall that blocks access to ports like the AMT ones.

Buying the computer you recommend means that you will pay ten times the price of the hardware you are acquiring, you will run an underpowered laptop with a firmware that can hardly let it boot (and will never fully support the hardware on that ThinkPad), and believe you are secure while you really aren't.

Seriously, Intel ME looks scary, but there are a lot of places where a firmware backdoor may be hidden outside the BIOS/embedded controller.

My suggestion? If you want a ThinkPad buy a new one (T430 or better), get it updated (Lenovo will update the firmware on any ThinkPad manufactured in the last three years to fix the dangerous SMM incursion attack and UEFI "wake after sleep" vulnerabilities), and run it with the right operating system and behind a good firewall. I doubt these expensive X200/T400 laptops will protect you against the SMM incursion attack. On the other side, these are not UEFI computers, and it is good. UEFI may become a good technology, but at its current state there are a lot of bugs being published, so you need to either have an old, non-UEFI, computer or a state of the art one that will get UEFI updates for a few years.

You suggested buying these same expensive modified laptops on this forum one month ago. Sorry, but it looks like a poorly chosen marketing campaign.

I would really wish removing Intel ME support will make our computers secure, but it is not so easy. You need to filter AMT ports at your network boundary, you need to get fully updated firmwares, so non-AMT issues get fixed too, you need to run the right operating systems, and you need to have some OPSEC (at least, common sense) on your daily activities. A poorly written BIOS will not save your day.

ianf • October 3, 2015 5:04 AM


@ me thinks @Snowden took the precautions needed.

Meaning (in the ball park) what… posting via a set of proxies, reading in different location(s) than responding from off-Twitter-client-saved drafts? He's gotten 47GB of notifications, that's quite a remotely observable amount of traffic to a given end-point.

Who? • October 3, 2015 5:08 AM

@ianf

"Now that Ed @Snowden aims to tweet from Russia (14 times so far; 1.2M followers, but himself only follows @NSAgov ;-)), will that raise the risk of him being found & ultimately hunted down?"

Well, this is one of Snowden's tweets:

"I forgot to turn off notifications. Twitter sent me an email for each: Follow, Favorite, Retweet, DM, 47 gigs of notifications. #lessonlearned"

47 GiB of data is too much data... it is not really difficult tracking that flow. And that giant stream of notifications was sent to Snowden's device one day after the existence of his twitter account was publicly known.

Who? • October 3, 2015 5:15 AM

@ianf

We concurrently posted same observation about Snowden's device visibility after allowing 47 GiB of notifications arriving to its device.

I really hope Snowden is good at operational security, but I fear the worst.

Hope being wrong, but to me it looks like Snowden is just a mid to high end user, with common sense and lots of ethics. Hope he will stay safe but I really think he is doing some serious operational mistakes right now.

Evan • October 3, 2015 5:19 AM

@ianf I'd be surprised if they don't know already where Snowden is. He's enough of a cause celebre that offing or seizing him would look bad, and since he's given up custody of the stolen files he's probably not of much use, either. If they were to move against him it would only help galvanize the movement to reform/resist overreach in the intelligence community.

Clive Robinson • October 3, 2015 6:14 AM

@ Who?

"A poorly written BIOS will not save your day"

No it won't but laptops are not the only devices with poor quality BIOS or their equivalent which is why,

"Just run your machines behind a firewall that blocks incoming connections to ports 16992 (tcp/udp) up to 16995 (tcp/udp)."

Is fairly useless advice, because a firmware level attacker is actually more likely to have the information about how to root your poorly developed and not locked down firewall than Intel's Management Engine.

My advice for many years is do your personal and private stuff on an older machine that never gets connected to any kind of network. That is an old style "air-gap". Then use an appropriate "guard technique" to move "protected data at rest" in ASCII armoured format or paper to any network connected equipment ALL of which you should assume is owned by others than yourself.

Whilst this will give you a degree of privacy above that most cyber-criminals will be capable of breaching, it won't protect you from malicious hardware vendors --of which Lenovo has repeatedly proved itself to be-- or malicious OS developers --which Microsoft has clearly become-- or malicious application developers (of which Oracle and Adobe are two prime suspects). Which is why older hardware and software that predates the bulk of the malicious behaviour is preferred for the air-gapped device.

However if your concerns are attackers who are specifically targeting you, you have greater concerns. Even idiot "gumshoe PIs" can get into your personal space and install surveillance equipment, so you need physical security for those areas. But if your potential attacker has significant resources at "State level or above" then you really need to go a lot lot further. Not just by upgrading from an "air-gap" to "energy-gap" system, but also to develop your own hardware and tool chains to produce your firmware, BIOS, OS, Drivers and applications. You also need to know how to setup appropriate ICT surveillance systems, because as with physical systems, no information system is 100% secure, thus you need "alarms and tripwires" to detect all behaviour and continuously analyse it for any kind of anomalous behaviour.

There is however a "Gotcher" for most users, which is the move by Financial / Health and other needed NGOs, Governments and similar organisations to "Online". Whereby they significantly increase your costs and risks to reduce their own. Thus they require you to put personal information online to them in one way or another --see the debacle over the US IRS tax filing for instance-- which even if you do it securely, they will then put your information in insecure online systems --as OPM did-- just to make life easy for attackers. For this sort of madness there is no cure that non offensive technology can bring you, and I'm no longer sure of the restorative properties of the "blood of patriots" that our forefathers once recommended.

Curious • October 3, 2015 6:29 AM

"Pentagon looks to analog monitoring to secure IoT"
https://securityledger.com/2015/10/pentagon-looks-to-analog-monitoring-to-secure-iot/

"In-brief: DARPA is directing $36m for the first stage of a program called LADS – Leveraging the Analog Domain for Security, which is looking into analog methods of cyber threat detection, including power consumption monitoring."

"Winning submissions will be able to “identify and quantify analog channels that convey useful information about the internal state of the device,” and map changes on the device to an analog emissions model that can capture interesting attacker behaviors. For example, changes such as loading unknown firmware or injecting malicious code should lead to noticeable changes in emissions that can be detected. The detection technology must be able to work around various physical constraints such as noise, distance from the device, and so on."

I didn't read it, but the article has a link to a pdf document said to be describing the program.
https://www.fbo.gov/utils/view?id=b57e21927491771f3b89821bfb41c507

Curious • October 3, 2015 6:35 AM

"Home routers 'vaccinated' by benign virus"
http://www.bbc.com/news/technology-34423414

"A benevolent virus has been used to harden more than 10,000 home routers against cyber-attacks, says a security firm."

I think this sentence as written by BBC sounds silly as it doesn't specify the firm in the same sentence, seems a little lazy to me. Maybe that part of the article was inserted by some editor afterwards, who knows. This article doesn't seem to have an author attributed to the story. No idea if such an omission is common to articles on BBC's website.

Curious • October 3, 2015 6:46 AM

Hitachi Visualization Predictive Crime Analytics (PCA)

The first article I found about this was very silly, it was trying too hard to make a reference to the movie "Minority Report", so I had to look for some other article.

http://www.digitaltrends.com/cool-tech/hitachi-working-on-crime-predicting-technology/

"The system, called Hitachi Visualization Predictive Crime Analytics (PCA), comes from researchers Darrin Lipscomb and Mark Jules, co-founders of the crime-monitoring technology company Avrio and Pantascene. After Hitachi acquired the company last year, Lipscomb and Jules took up the task of developing the revolutionary new tech, opting to make use of machine learning rather than relying on preconceived variables and factors. Because of this, the PCA has the ability to derive patterns from a near-infinite amount of sources, creating behavior patterns often overlooked by the human eye."

I can't help but think that this might be some kind of system for making statistics and for cross referencing statistics, something that ultimately will never be more than some theory about correlations, but not one about causations.

Friedrich • October 3, 2015 7:43 AM

@ chu

Did the brightest alphabet letter soup guys in the room just work out they don't have an iron-clad panopticon and that the mirror is actually two-way? LOL

Retards.

Suddenly a quote comes to mind:

"When you look into an abyss, the abyss also looks into you."

Michael • October 3, 2015 9:06 AM

Re: @Snowden

I think that finding Edward Snowden in Russia was quite affordable even before his verified Twitter account.

He lives in Russia, and has to leave his tracks in many moderate-security government databases.

Now, we are talking about 14 messages. Real person Edward Snowden could just read @Snowden feed using the web interface without logging in, and then ask his acquaintances at Freedom of the Press foundation (he is among the Board members there, after all) to log in and send the next message.

And he is in Russia, where most cheap ways to cover up political links with an attack are already perceived as a sign of a political (attempted) murder. And it is perceived that Putin does want Snowden to have asylum, so local police help with covering up is not easy to guarantee.

I guess there may be a cheap and simple way to create problems for Snowden with renewing his residence permit, but I don't want to give anyone specific ideas — someone could try it…

Michael • October 3, 2015 9:11 AM

What are the anti-system-fingerprinting properties of Tails? If I use Wikipedia from my normal system, and sometimes boot Tails to access Wikipedia via Tor, how can Wikipedia check that this is the same me?

Apparently, Tails has benefits for anonymity not only because it is better secured, but just because «a Tor user» is a small enough class to care about OS/Browser fingerprinting if you do more than one thing in the anonymous mode.

Fascist Nation • October 3, 2015 10:10 AM

http://windowssecrets.com/top-story/attempting-to-answer-whether-ms-is-snooping/

Attempting to answer whether Microsoft is snooping
by Susan Bradley
Windows Secrets
Oct. 1, 2015

Microsoft has recently released updates to Windows 7 that allow it to gather more information about our PCs.

But is the company really tracking what we do on our systems? And can this data gathering be turned off? ....

[Effectively MS is adding report back modules to its Win7 OS to bring it more in line with Win8.1, Win10 features. Win7 is receiving little development work from MS at this point---just security updates. Win7 is still outselling Win8.1 and Win10 combined by a wide margin.]

KaleB • October 3, 2015 11:25 AM

@Fascist Nation & others who may be interested...

The question of how to disable Windows telemetry is also answered in a (rather lengthy) reply to the below question.

How to stop Microsoft from gathering telemetry data from Windows 7, 8, and 8.1
http://superuser.com/questions/972501/how-to-stop-microsoft-from-gathering-telemetry-data-from-windows-7-8-and-8-1

It looks like two 3rd party applications can help in this: Windows 10 Privacy Fixer and O&O ShutUp10.

(I am not affiliated with either software nor have I even tested them. They may or may not have their own privacy issues.)

manila rabbit • October 3, 2015 11:54 AM

@Who?:

"Seriously, Intel ME looks scary, but there are a lot of places where a firmware backdoor may be hidden outside the BIOS/embedded controller."

Of course they can be hidden elsewhere if an attacker targets you and they are successful. The problem is when the malware comes pre-installed in the system.

"You suggested buying these same expensive modified laptops on this forum one month ago. Sorry, but it looks like a poorly chosen marketing campaign."

Sorry, that wasn't me. I have no affiliation with either of those businesses or with libreboot. I got the idea from an OOT post in an earlier thread this week, written by someone else. In fact, after reading your post I have reconsidered my intention of placing an order. Not because I'm suddenly happy with Intel's ME, but because you gave me the idea of buying a bunch of new Thinkpads locally and paying an IT consultant to download libreboot and flash all my laptops. I will probably save money and it solves the interdiction problem too!

------

@Curious:
Re. routers vaccinated by benevolent virus

Interesting. To me the most relevant bit of the article is: "It should also be pointed out that Wifatch contains a number of general-purpose back doors that can be used by the author to carry out potentially malicious actions."

Grauhut • October 3, 2015 12:13 PM

@Who?: "Intel Management Engine is not the problem here."

Intel Management Engine is an uncontrollable beast and should be disabled wherever possible, same with UEFI and other firmware crap.


BSI is an exhibitor at the 2015 FrOSCon
Bonn, 08.12.2015.

The Federal Office for Information Security (BSI) is an exhibitor at the Free and Open Source Software Conference (FrOSCon) 2015, which takes place at the Bonn-Rhein-Sieg University of Applied Sciences in Sankt Augustin from 22 to 23 August 2015. At the booth of the BSI, the trade fair visitors can obtain information about the software projects of the BSI in the field Free.

Thus, the BSI include the following projects:

...
Coreboot:
Coreboot is a free, open source firmware replacement for BIOS / UEFI with a particular focus on security, stability and speed. Coreboot is a minimalist firmware for x86 and ARM that distinguishes itself from UEFI through freely available source code, a small code base that facilitates verification, and compliance with high programming standards (MISRA C, for use in safety-critical systems). Coreboot is used in the federal administration in safety-critical devices such as highly secure SINA boxes and specially hardened laptops. Google Chromebooks use Coreboot to start very quickly. A list of supported systems and the entire source code can be found at http://coreboot.org/.

Grauhut • October 3, 2015 12:55 PM

@Clive: "My advice for many years is do your personal and private stuff on an older machine that never gets connected to any kind of network. That is an old style "air-gap"."

100% airgap is sometimes overkill if you have to transfer data. I prefer old fashioned serial console access. Just plug in and out a serial console cable if you want to transfer something to or from a networked device. Old school zmodem style. Of course, check hashes and signatures wherever possible. And no bin updates, use source patches and compile locally.

http://www.tldp.org/HOWTO/Remote-Serial-Console-HOWTO/upload.html

Daniel • October 3, 2015 1:00 PM

http://www.washingtonpost.com/politics/watchdog-top-secret-service-official-wanted-information-about-chaffetz-made-public/2015/09/30/ff280378-67ae-11e5-9ef3-fde182507eac_story.html

I'm surprised this hasn't gotten more airplay. It's another example of insiders behaving badly and serves to buttress Lord Acton's maxim.

As for the Libre laptop I'll say what I've said before--those people are kooks. They don't know which way is up and I'm not going to repeat what I've said in prior posts about them except that no security conscious person would pay them ten cents for their laptop.

ianf • October 3, 2015 1:02 PM


@ Clive […] “do your personal and private stuff on an older machine that never gets connected to any kind of network. That is an old style "air-gap". Then use an appropriate "guard technique" to move "protected data at rest" in ASCII armoured format or paper to any network connected equipment ALL of which you should assume is owned by others than yourself.”

    Meaning IN PLAINTEXT what exactly… hard-encrypted ASCII files read into the network terminal via just-burned CDs, or pre-validated USB thumb drives?
    ALTERNATIVELY, for paper input, text to be scanned in via OCR, or machine-decodable QR images?
    (for max A4 paper, a QR symbol's capacity goes up to 8+k characters depending on redundancy level & width of margins)

name.withheld.for.obvious.reasons • October 3, 2015 2:08 PM

Given the current status of the U.S. surveillance state I came across this in Thomas Paine's Common Sense

"YOU SHALL MAKE NO LAWS BUT WHAT I PLEASE."

Here Paine is referencing the influence of the King to the effects of law within the colonies. We could, as an equivalence, state that the U.S. has certainly made colonies of the world. When considering how far out of scope U.S. government entities operate I suggest that by way of the first amendment to the U.S. Constitution that the very first sentence reads:
Congress shall make no law...

To my way of thinking, this restrictive statement is applicable to the current situation where functionaries of government believe that they can make any law(s). One has to consider if the current regime, under the auspices of the Patriot Act, FAA, or NDAA, have exceeded their authority and have wandered so far off the reservation as to be irrelevant.

Over the last fifteen years I've witnessed such a divergence from our foundation model of governance as to not be recognizable. In fact, I assert that Thomas Paine's text, Common Sense, is more relevant than it has been since the revolutionary war of 1776. No time in history have we strayed so far from our founding principles.

Ironically, Paine has documented the abrogation of principles in ways too profound for a mention in a blog. Specious as our government and our governance has become, we must be charged to answer this fundamental break from reason and reality. It is time for the citizenry to recognize its role in making account those that would hold us responsible for their crimes.

Clive Robinson • October 3, 2015 5:28 PM

@ Grauhut, ianf,

"Meaning IN PLAINTEXT what exactly…"

It rather depends on the individual's resources and capabilities, hence my 'appropriate "guard technique"' comment.

As I've mentioned before I use a form of ASCII armoured text file that goes into a serial guard / diode of my own design for most data transfer.

The reason for mainly using plain ASCII text in a standard format is so that you can visually inspect what is being sent and received as a payload, the armoring is multilayer and uses two dimensional check sums. This works OK for most occasions, and I try hard never to need to send non human readable data.

As I've advised people in the past "PAPER Paper, NEVER data" is a good way to stop unknown and possibly disastrous meta data leaking with visually formatted data, so yes "Print to paper read through scanner" is another useful method. One I advise people to use when being forced by "discovery" etc to do. If those doing the forcing want "data" then give them a DVD or two of scanned in images, let them do the OCR and clean up etc if they want to start putting it into DBs etc to work with data mining and inference software.

The thing is that for some strange reason people make the mistake of thinking a three line memo needs a 50Kbyte Word file... My view is bin the fancy formatting and send only 200bytes of human readable ASCII instead. A definite case of "Less is More" and at least that way you know what is crossing the wire...

For my sins I still use WordStar for typing up some technical documents. I have some hand cut scripts that convert the wordstar formatting tags into HTML tags for other people to see on their systems. If it really has to be "beautified" then RTF is my second preference, whilst not quite the universal format plain ASCII is it's fairly close. Likewise CSV for spreadsheet data and for database records. There are simple ways to enhance these files into an armoured format with checksums etc, or if to be sent "long distance" have robust FEC added.

At the end of the day "minimal format human readable" files limit the amount of space that is available for inband side channels, thus limit hidden meta data leakage. All of which means that "Less data" is "More security" at the end of the day.
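
A sketch of the kind of plain-ASCII armour with two-dimensional checksums described in the comment above, added here as an illustration; it is not the commenter's own format or code. The framing lines, the 48-column width and the mod-256 row and column sums are assumptions made for the example.

```python
"""Plain-ASCII armour with row and column checksums (illustrative format)."""

WIDTH = 48  # assumed fixed line width; every row is space-padded to this
BEGIN = "-----BEGIN 2D-CHECKED TEXT-----"   # hypothetical framing lines
COLS = "-----COLUMN SUMS-----"
END = "-----END 2D-CHECKED TEXT-----"
HEX = "0123456789ABCDEF"


class ArmourError(ValueError):
    """Raised when input cannot be armoured or fails verification."""


def _require_printable(line):
    # The guard only passes what a human can read on inspection: 0x20..0x7E.
    for ch in line:
        if not 0x20 <= ord(ch) <= 0x7E:
            raise ArmourError(f"non-printable or non-ASCII character {ch!r}")


def _hex_byte(field):
    # Strict two-digit upper-case hex; int() alone would accept "+5" or " 5".
    if len(field) != 2 or field[0] not in HEX or field[1] not in HEX:
        raise ArmourError(f"bad checksum field {field!r}")
    return int(field, 16)


def _sums(rows):
    row_sums = [sum(map(ord, r)) % 256 for r in rows]
    col_sums = [sum(ord(r[c]) for r in rows) % 256 for c in range(WIDTH)]
    return row_sums, col_sums


def armour(text):
    """Wrap text in framing lines with one checksum per row and per column.
    Trailing spaces on a line are not preserved (rows are space-padded)."""
    rows = []
    for line in text.split("\n"):
        _require_printable(line)
        if len(line) > WIDTH:
            raise ArmourError("line longer than WIDTH; re-wrap before sending")
        rows.append(line.ljust(WIDTH))
    row_sums, col_sums = _sums(rows)
    body = [f"{r}|{s:02X}" for r, s in zip(rows, row_sums)]
    col_line = "".join(f"{s:02X}" for s in col_sums)
    return "\n".join([BEGIN, *body, COLS, col_line, END]) + "\n"


def verify(armoured):
    """Return (text, repaired) where repaired is None or the (row, column)
    of a single damaged character that both checksums agreed on."""
    lines = armoured.rstrip("\n").split("\n")
    if len(lines) < 4 or (lines[0], lines[-3], lines[-1]) != (BEGIN, COLS, END):
        raise ArmourError("framing lines missing or damaged")
    rows, stated_rows = [], []
    for n, line in enumerate(lines[1:-3]):
        if len(line) != WIDTH + 3 or line[WIDTH] != "|":
            raise ArmourError(f"row {n}: wrong length or separator")
        _require_printable(line)
        rows.append(line[:WIDTH])
        stated_rows.append(_hex_byte(line[WIDTH + 1:]))
    if len(lines[-2]) != 2 * WIDTH:
        raise ArmourError("column checksum line has wrong length")
    stated_cols = [_hex_byte(lines[-2][i:i + 2]) for i in range(0, 2 * WIDTH, 2)]

    row_sums, col_sums = _sums(rows)
    bad_rows = [i for i in range(len(rows)) if row_sums[i] != stated_rows[i]]
    bad_cols = [c for c in range(WIDTH) if col_sums[c] != stated_cols[c]]
    repaired = None
    if bad_rows or bad_cols:
        # One bad row and one bad column with the same error value pin the
        # damage to a single character; anything else is rejected outright.
        if len(bad_rows) != 1 or len(bad_cols) != 1:
            raise ArmourError(f"damage in rows {bad_rows}, columns {bad_cols}")
        r, c = bad_rows[0], bad_cols[0]
        delta = (row_sums[r] - stated_rows[r]) % 256
        fixed = (ord(rows[r][c]) - delta) % 256
        if delta != (col_sums[c] - stated_cols[c]) % 256 or not 0x20 <= fixed <= 0x7E:
            raise ArmourError(f"inconsistent damage at row {r}, column {c}")
        rows[r] = rows[r][:c] + chr(fixed) + rows[r][c + 1:]
        repaired = (r, c)
    return "\n".join(row.rstrip(" ") for row in rows), repaired


if __name__ == "__main__":
    sample = "Meet at 10:30.\nBring the paper copy."  # constructed sample message
    wire = armour(sample)
    print(wire)
    print(verify(wire.replace("paper", "papfr")))  # one damaged character
```

Two offsetting changes in the same row leave the row sum intact but still trip two column sums, which is what the second dimension buys. A stricter guard would drop the repair branch and reject on any mismatch.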

Nick P • October 3, 2015 7:01 PM

@ Grauhut

I keep predicting the situation is worse. Hardware designers often reuse proven blocks of silicon I.P. in other products. They're also known to make one block that represents the functions of many products but limits itself to a subset via a factory setting. The two together means we have to assume that any snoopy hardware that powers AMT/vPro is in that whole, product family. It might be in their other chips, too. We don't know if it's disabled in a permanent or reversible way, either.

So, any of processor families with built-in radios or management technology is a risk. A subversion of these would be easy to disguise. It's why I've been recommending open, RISC systems like Gaisler's SPARC stuff. Sure there will be work to make sure AV, browsers, etc work with those. Yet, it's necessary if the existing hardware can't be trusted.

Well, not necessary given there's tricks to work around that. Thinking along the lines of the x86 PCI cards used to offload native x86 apps on old SPARC Sun Blade workstations. IBM did similar stuff with mainframes on cards. There's always the dynamic translation like Transmeta Crusoe or emulation like Loongson x86. I used physical separation with KVM's for trusted vs untrusted. One could make a more compact version of that.

Thing is, I doubt the easy, kludgy solutions would get any adoption by the masses or even most demanding INFOSEC. So, most probable solution is porting Linux and core software to the open-hardware architectures along with financial incentives to produce them.

r • October 3, 2015 7:20 PM

so they alpha bet was, to 'not' be evil just long enough - to do the right's thing?

bradley was manning the government's networks, and mr ends+now had little effect?

Peanuts • October 3, 2015 7:57 PM

Here was my exercise for the afternoon, Install a clean windows 7 64, install office 2010, patch only that which does not add risk.

Review the vendors claims and statements on content and purpose at face value for all available patches as of 15-10-03

Here is the re-runnable batch script to detect and recommend removal of windows 10, 8 which have been back ported to windows 7. Risky window 7 and office components were reviewed with the same eye for potential for being early implant attempts and are considered as exploitable avoidable attack surface.

Step 1 run an elevated dos box.

Step 2 - create the script which is called by the main script for individual KB checks.

notepad Check-kb.bat

-create the file and paste the script lines
@echo off
echo '
echo '
echo '
rem %1 is the KB number to look for; the remaining arguments are its description
echo Checking for %1 %2 %3 %4 %5 %6 %7 %8 %9
wmic QFE list full /format:texttablewsys | find "%1"

Step 3 - create the main script which will do quick checks on windows and office payloads using both wmic and systeminfo built in windows command.

notepad checkfor_NPI_patches.bat

-create the file and paste the script lines
REM --- (as of 2015-08-26): edited 10-1-15
REM For office, assume device not on a domain, no SharePoint, no social connector for outlook, no ms sync, no ifilter desktop content file search, no localization files of questionable value, no ms publisher, Ms access or Visio viewer or Silverlight
Rem For reference, the suppressed not installed windows implants was: 8 Silverlight, 26 Office, 1 exploitable version of Skype and 17 Os Implants and or payloads of seriously dubious intent.
REM If you have any of the office components noted above, Consider if they are required by you. Recommendation is to uninstall them if they are not of obvious need to you.
@echo off
cls
echo 'Starting scan
echo '
@echo reminder the windows command to uninstall by KB # is wusa /uninstall /kb:3068708 /quiet /norestart
@echo where you replace the 3068708 placemark with the number of the offending KB to remove from your system.
echo 'This script will not modify or remove, that process is up to you and requires your analysis per your needs and risk appetite
echo '
echo 'Get yourself a firewall capable of blocking outbound access from your network to
echo 'vortex-win.data.microsoft.com
echo 'Name: VORTEX-cy2.metron.live.com.nsatc.net
echo 'Address: 64.4.54.254
echo 'Aliases: vortex-win.data.microsoft.com
echo 'vortex-win.data.metron.live.com.nsatc.net
echo 'vortex.data.glbdns2.microsoft.com
echo '
echo 'settings-win.data.microsoft.com
echo 'Non-authoritative answer:
echo 'Name: OneSettings-bn2.metron.live.com.nsatc.net
echo 'Address: 65.55.44.108
echo 'Aliases: settings-win.data.microsoft.com
echo 'settings.data.glbdns2.microsoft.com
echo '
echo 'Anything reported below is something you should consider as a known potential privacy exploit or as suspicious attack surface applicable for manual removal
@echo "for Windows 7, surveillance payload / implant checks."
@echo SystemInfo report
systeminfo | findstr "KB3012973 KB3035583 KB2976978 KB2990214 KB3044374 KB2977759 KB3050265 KB3068707 KB3068708 KB3022345 KB3075249 KB3080149 KB3021917 KB2952664 KB2977759 KB2998812 KB3013531 KB2999226 KB2820331 KB2808679 KB2791765 KB2726535 KB2660075 KB2603229 KB2592687 KB2574819 KB2685813 KB2970228"
echo '
@echo Wmic wmi report
wmic QFE list full /format:texttablewsys | findstr "KB3012973 KB3035583 KB2976978 KB2990214 KB3044374 KB2977759 KB3050265 KB3068707 KB3068708 KB3022345 KB3075249 KB3080149 KB3021917 KB2952664 KB2977759 KB2998812 KB3013531 KB2999226 KB2820331 KB2808679 KB2791765 KB2726535 KB2660075 KB2603229 KB2592687 KB2574819 KB2685813 KB2970228"
echo '
echo '
@echo Surface reduction options for Microsoft office 2010
@echo SystemInfo report
systeminfo | findstr "KB2553406 KB2566445 KB3080333 KB2876229 KB2881021 KB2881025 KB2760601 KB2553308 KB2965297 KB2965301 KB2883019 KB2794737 KB2687275 KB2589352 KB2553140 KB2817396 KB2817369 KB2881026 KB2965300 KB2837601 KB2878281 KB2837602 KB2956205 KB2837587 KB2597088"
echo '
@echo Wmic wmi report
wmic QFE list full /format:texttablewsys | findstr "KB2553406 KB2566445 KB3080333 KB2876229 KB2881021 KB2881025 KB2760601 KB2553308 KB2965297 KB2965301 KB2883019 KB2794737 KB2687275 KB2589352 KB2553140 KB2817396 KB2817369 KB2881026 KB2965300 KB2837601 KB2878281 KB2837602 KB2956205 KB2837587 KB2597088"
echo '
@echo script paused. Continue with redundant individual a la carte checks by single KB?
echo '
pause
Rem the next (6) REMed out lines must be copied and pasted into file check-kb.bat for the a la carte checks to work.
rem @echo off
rem echo '
rem echo '
rem echo '
rem echo Checking for %1 %2 %3 %4 %5 %6 %7 %8 %9
rem wmic QFE list full /format:texttablewsys | find "%1"
rem
call Check-kb KB3012973 - "Upgrade to Windows 10 Pro"
call Check-kb KB3035583 - "GWX Implant installs Get Windows 10 app in Windows 8.1 and Windows 7 SP1"
call Check-kb KB2976978 - "Compatibility Implant for Windows 8.1 and Windows 8"
call Check-kb KB2990214 - "Implant that enables you to upgrade from Windows 7 to a later version of Windows"
call Check-kb KB3044374 - "W8,8.1 Nagware for W10"
call Check-kb KB2977759 - "W10 Diagnostics Compatibility Telemetry"
call Check-kb KB3050265 - "Windows Implant services Implant to upgrade to W10"
call Check-kb KB3068707 - "Customer experience telemetry point. W7,8,8.1"
call Check-kb KB3068708 - "Implant for customer experience and diagnostic telemetry"
call Check-kb KB3022345 - "Implant for customer experience and diagnostic telemetry [Replaced by KB3068708]"
call Check-kb KB3075249 - "Implant that adds telemetry points to consent.exe in Windows 8.1 and Windows 7"
call Check-kb KB3080149 - "Implant for customer experience and diagnostic telemetry"
call Check-kb KB3021917 - "Implant to Windows 7 SP1 for performance improvements"
call Check-kb KB2952664 - "Compatibility Implant for upgrading Windows 7"
call Check-kb KB2977759 - "This Implant performs diagnostics on the Windows systems that participate in the Windows Customer Experience Improvement Program."
call Check-kb KB2998812 - "This Implant enables Windows 7 and Windows Server 2008 R2 to determine application compatibility problems and impacts."
call Check-kb KB3013531 - "Remove warnings when you copy .mkv files to your Windows Phone."
call Check-kb KB2999226 - "Adds thunking layer to call windows 7 call Windows 10 Universal CRT functions which enables windows 10 CRT functionality "
call Check-kb KB2820331 - "Enables Microsoft Nanny to put a hard, soft App or driver block on a non-Microsoft applications"
call Check-kb KB2808679 - "protects an external network from verifying of URI port is open or closed related to 'Internal URL port scanning'"
call Check-kb KB2791765 - "Enables Microsoft Nanny to put a hard, soft App or driver block on a non-Microsoft applications"
call Check-kb KB2726535 - "Adds WTF 15meg of South Sudan localization bit to the list of countries in Windows. Really necessary if you compute and are a south Sudanese resident"
call Check-kb KB2660075 - "381k to Allow you to change the time and date if the time zone is set to Samoa (UTC+13:00) and KB 2657025 is installed. Sounds like a feature to me"
call Check-kb KB2603229 - "Allows applications to footprint the registered org and registered owner which by default in windows 64 were never tested and yielded wrong info. "
call Check-kb KB2592687 - "Allows USB as a threat vector via RDP version 8. Because USB is just so secure right now."
call Check-kb KB2574819 - "installs DLTS encryption protocol for RDP version 8. Cause another close source encryption protocol would really just help NSA so why?"
call Check-kb KB2685813 - "Back port of windows 8 rev 1.0 of User Mode driver Framework UMDF for apps which deliver windows 8 drivers."
call Check-kb KB2970228 - "Surface reduction: Waste of bits unless you need a new currency symbol for the Russian ruble"
rem echo '
rem echo '
rem echo '
@echo Checking office related
Rem office related
call Check-kb KB2553406 - "If probably should remove Outlook Social Connector, uninstall it. "
call Check-kb KB2566445 - "If your computer is not in a domain using SharePoint with one note, probably should remove the exploitable attack surface."
call Check-kb KB3080333 - "Attack surface reduction ; do not install Silverlight, double your attack surface, double the exploit fun. "
call Check-kb KB2876229 - "Old exploitable version of Skype"
call Check-kb KB2881021 - "Localization (waste of bits) 18.3meg for Lithuanian currency in Visio 1 of 2"
call Check-kb KB2881025 - "Localization (waste of bits) 4.8meg for Lithuanian currency in Visio 2 of 2"
call Check-kb KB2760601 - "If your computer is not in a domain using SharePoint, probably should remove the exploitable attack surface. "
call Check-kb KB2553308 - "If you do not need, do not install or uninstall Outlook Social Connector. "
call Check-kb KB2965297 - "If your computer is not in a domain using SharePoint with one note, probably should remove the exploitable attack surface."
call Check-kb KB2965301 - "If your computer is not in a domain using SharePoint, probably should remove the exploitable attack surface. "
call Check-kb KB2883019 - "If your Microsoft office is successfully licensed, then don't fix what aint broken."
call Check-kb KB2794737 - "If your computer is not in a domain using SharePoint, probably should remove the exploitable attack surface."
call Check-kb KB2687275 - "if your excel workbooks do not use OLAP database connections in pivot tables, then you won't need this."
call Check-kb KB2589352 - "if you need correct translation of names in Albanian, Croatian, and Serbian (Latin) Office 2010 you're welcome to keep this payload."
call Check-kb KB2553140 - "Adds an in office http lookup to Bing search whenever you add clip art to a document."
call Check-kb KB2817396 - "adds validation for jnlp in InfoPath. Better to not have info path installed. "
call Check-kb KB2817369 - "adds validation for jndi in InfoPath. Better to not have info path installed."
call Check-kb KB2881026 - "Adds ifilter file types to NSA quick file search. Use encryption for content, but don't put out the welcome mat by indexing ready to exfiltrate (1 of 2)"
Rem if you use Windows desktop search, look for an alternative
Rem Opsec note, control panel --> Indexing Options --> Advanced --> file types tab; Many defaults are set to index file content. Set to index file only then disable by un checking it. Unchecking them all might also be prudent if you have an alternate search tool like wingrep, power grep or cygwin grep or other.
call Check-kb KB2965300 - "Updates Microsoft access which, if installed, you should have your head checked (1 of 2)"
call Check-kb KB2837601 - "Updates Microsoft access which, if installed, you should have your head checked (2 of 2)"
call Check-kb KB2878281 - "Adds ifilter file types to NSA quick file search. Use encryption for content, but don't put out the welcome mat by indexing ready to exfiltrate (2 of 2)"
call Check-kb KB2837602 - "If you dont use or need Microsoft Sync to replicate arbitrary documents to a corporate backup drive, DONT use this. What could possibly go wrong?"
call Check-kb KB2956205 - "Updates related to OneNote with SharePoint are out of scope with SharePoint. "
call Check-kb KB2837587 - "If you do not use Visio viewer, then probably should remove the exploitable attack surface. "
call Check-kb KB2597088 - "If you do not use Visio viewer, then probably should remove the exploitable attack surface. "
Rem Opsec note, if probably should remove .jnlp or jdni file type associations, remove them from your system. Consider this a surface reduction exercise.
@echo end of script
pause
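
A read-only way to run the same check, added here as an example and not part of the post above: it matches exact KB IDs from Get-HotFix (the same Win32_QuickFixEngineering data that wmic QFE reads) and from the Windows Update history. The second source matters because Win32_QuickFixEngineering reports only updates installed through Component Based Servicing, so Office updates delivered as Windows Installer patches normally do not appear in it. The watchlist is a subset of the KB numbers in the script above, and the function names are made up for this example.

```powershell
# Added example: read-only audit of installed updates against a KB watchlist.
# Needs no elevation and changes nothing; written for the PowerShell 2.0
# that ships with Windows 7.

# Watchlist: a subset of the KB numbers from the script above, labelled with
# shortened forms of the poster's own descriptions. Extend as needed.
$Watchlist = @{
    'KB3035583' = 'Installs Get Windows 10 app (GWX)'
    'KB2952664' = 'Compatibility update for upgrading Windows 7'
    'KB3068708' = 'Customer experience and diagnostic telemetry'
    'KB3022345' = 'Customer experience and diagnostic telemetry (replaced by KB3068708)'
    'KB3075249' = 'Adds telemetry points to consent.exe'
    'KB3080149' = 'Customer experience and diagnostic telemetry'
    'KB2553406' = 'Office 2010: Outlook Social Connector'
    'KB2553140' = 'Office 2010: Bing lookup when adding clip art'
}

function Get-QfeUpdate {
    # Source 1: Win32_QuickFixEngineering via Get-HotFix (OS updates only).
    Get-HotFix | Where-Object { $_.HotFixID -match '^KB\d+$' } | ForEach-Object {
        New-Object PSObject -Property @{
            KB     = $_.HotFixID.ToUpper()
            Source = 'QFE'
            Detail = $_.Description
        }
    }
}

function Get-UpdateHistoryInstall {
    # Source 2: Windows Update Agent history, which also records Office updates.
    # History records events, so a hit means "was installed through Windows
    # Update at some point", not necessarily "is still installed".
    try {
        $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
        $count    = $searcher.GetTotalHistoryCount()
    } catch {
        Write-Warning "Windows Update history not available: $_"
        return
    }
    if ($count -eq 0) { return }
    $searcher.QueryHistory(0, $count) | ForEach-Object {
        # Operation 1 = installation, ResultCode 2 = succeeded.
        if ($_.Operation -eq 1 -and $_.ResultCode -eq 2 -and
            $_.Title -match '\bKB\d{6,7}\b') {
            New-Object PSObject -Property @{
                KB     = $Matches[0].ToUpper()
                Source = 'WU history'
                Detail = $_.Title
            }
        }
    }
}

function Find-WatchlistedUpdate {
    param([hashtable]$List)
    # Exact match on the KB ID, one row per KB and source.
    $seen = @(Get-QfeUpdate) + @(Get-UpdateHistoryInstall)
    $seen | Where-Object { $List.ContainsKey($_.KB) } |
        Sort-Object KB, Source -Unique |
        Select-Object KB, Source, @{ Name = 'Why listed'; Expression = { $List[$_.KB] } }, Detail
}

$hits = @(Find-WatchlistedUpdate -List $Watchlist)
if ($hits.Count -gt 0) {
    $hits | Format-Table -AutoSize -Wrap
} else {
    'No watchlisted KB found in QFE or in Windows Update history.'
}
```

A row whose only source is the update history should be confirmed under Installed Updates before any wusa /uninstall is run against it.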

rOctober 3, 2015 8:01 PM

@peanuts,
holy moley dude, ever hear of pastebin ?
thanks for the info :P but how's this...

>> Here was my exercise for the afternoon
>> Install a clean windows 7 64, install office 2010, patch only that which does not add risk...

TLDR version:
Install linux/*BSD & Open/LibreOffice. :P

JustinOctober 3, 2015 8:35 PM

They sell this thing at TJMaxx. It's an "Aluminum RFID Wallet." Among the grand claims being made is:

  • Shields the following types of cards: All new contact-less credit cards, Enhanced Driver's Licenses such as New York, Washington, Michigan, and Vermont, Many transit cards such as the DC Metro and Boston Charlie™ card, TWIC™ (Transportation Worker Identification Credential), HID iClass, HID MIFARE®, HID FlexSmart, DESFire, Indala FlexSmart, Any card ISO 14443A/B or ISO 15693 compatible, All MIFARE® and DESFire compatible cards, sQuid cards used in Europe, Military CAC (Common Access Cards), New Government PIV (Personal Identity Verification) cards such as the Linc-Pass, New long range RFID EPC Gen1/Gen2 cards.

Made by this company. Is this what your average shopper at TJMaxx buys these days, or what? Is it even legit? People are going tinfoil-hat crazy.

PeanutsOctober 3, 2015 8:41 PM

@r
If you have a compelling reason to run Windows, trusting a new opsec to a stronger but not known to you platform like open or free bsd, mint or tails will 1) take longer to migrate than an afternoon. And 2) is a step that comes after risk reduction.
I hope the post informs, allows for risk reduction and gives folks options better than stepping off the deep end into an entirely known domain.

I did it not for myself, but for my dad, who would have a harder time risking failure in adapting to say pcbsd.

I want folks to know what's behind the curtain without blunt proclamations which so far go ignored as snobby, or are really missing ease of use, poor driver support, foreign opsec and maintenance

My dad won't pastebin, and neither will most people who need a simple straightforward clue of what the hell is going on.

Peanuts

rOctober 3, 2015 9:06 PM

@peanuts
hrm, i spent my day getting my transformer to transform into a linux tablet.
personally, i run windows a lot myself - i think a good compelling reason for anyone interested is to 'blend in'.

but - if you left your dad a little unpatched... isn't that like feeding him to the wolves?
ESP if he's on an adjacent network to you.

keeping a partial patched windows online would make me nervous (if i wasn't behind a commercial fw). i've been slipping up a lot lately on my updates because of all the devices laying around... do you make sure he uses https everywhere/noscript/privacy badger n stuff?

Virtual Machines are fun, and it's a lot easier to [x]Disconnect cable than setting up a hardware fw for DPI.

I wonder how slim Qubes 3.0 footprint is...

FigureitoutOctober 3, 2015 9:48 PM

r
think a good compelling reason for anyone interested is to 'blend in'.
--Yep, good usually overlooked OPSEC strategy. Not comfortable though lol. Oh and for good measure Apple too, the iOS 9 upgrade for iPads, whoever is the manager making decisions on default settings needs to go f*ck themselves. Every single setting w/ security implications was set wrong.

Peanuts
--Appreciate the scripts, only concern is it's ill-advisable for inexperienced users to just run elevated scripts w/o some checkable explanation of what you're doing (you know the joke to remove system32 etc. or fiddling around in linux kernel not knowing what you're doing, then again you can't help people doing that and it may be best to learn on their own). And it can look a little like spam. Some people have posted fork bombs here too.

Alien JerkyOctober 3, 2015 11:11 PM

A pad of paper and a pen. very hard to hack, can survive for millennia, and the user interface is very simple to understand.

PeanutsOctober 3, 2015 11:59 PM

Crypto precedes paper pen and stone. Working a pen with effective crypto takes true talent. Adversaries who discover said paper without crypto doom they that write and provide the history that will be remembered.

The scripts were published in last week's squid post, same reasonable instructions and benign commands. Just more relevant kb's reported after a more thorough process.

Dad has to stand on his own two feet, no shared network, teach a man or dad or mom to catch a fish and they can feed themselves forever

Be self reliant or perish

ianfOctober 4, 2015 12:46 AM


@ Justin Re: Aluminum RFID wallet

    This announcement does not constitute a solicitation for purchase.

ADMINISTRIVIA: for the sake of mobile readers, please space your text links, do not place them next to one another, as that provides too little of touch-target areas for human (never mind calloused) styluses.

Clive RobinsonOctober 4, 2015 1:32 AM

@ Alien Jerky,

A pad of paper and a pen. very hard to hack,

That depends on your viewpoint, or rather that of your attacker.

One problem these days are high resolution security cameras with "long lenses". There was a well known company that discovered that the security cameras in its work area could be used to "shoulder surf" passwords. Likewise the use of a pen/pencil even viewed obliquely can reveal what you are writing. This is just one of a class of "end run attacks".

Writing under an umbrella is one way to limit the visual end runs (though watch out for reflections).

But there are other issues to do with "information leakage", when you write in a note book you leave an impression on the other pages, thus tearing out a page and burning it does not destroy what was written, as the impression remains. Likewise jotting a note to some one and tearing it out, it will have the impression of what was written on other pages and will show up in ESDA or iodine vapour (or similar) tests.

But it gets worse, most surfaces on which people write will retain either an impression or some other trace of the writing. One way to reduce this is to "write one page at a time on glass and wipe it down", but make sure it is glass without a coating, those with a coating such as the touch screen on your mobile devices still holds an impression.

So in addition to pen and paper, having a glass table top or big photo frame, with an OCD like cleaning habit and an urge to hide under umbrellas whilst doing it helps with writing security.

Clive RobinsonOctober 4, 2015 3:52 AM

@ Nick P,

Another odd coincidence... you post about how not to get powned and I pull your leg over referencing a "book" you mention. Then a short while later I'm on Gene Spaford's blog and he indirectly recommends a book titled the Florentine Deception [1] when mentioning the Microsoft "Pownie" attempt....

[1] I know nothing of the author or the book other than it's self published and proceeds are being given to a charitable cause. There is blurb on the book website that indicates it is some kind of Cyber-Techno-Thriller that might be of interest to those in the Infosec world...

http://florentinedeception.weebly.com/

If anybody has read it now's the chance to say so ;-)

Clive RobinsonOctober 4, 2015 4:28 AM

Whilst the case of if a journalist is guilty of being a Hacker or stooge for Sabu is fairly dull, one bit is of interest and thus might lead to changes in the way future cases are prosecuted.

At the heart of this is the need by the prosecution to show damages greater than 5000USD, and as several know the prosecution like to fiddle the figures as high as possible because not only does it make good headlines it helps political careers as well.

Well the defence are challenging the prosecution's figures because there are at the very least "smoking gun" emails that indicate that costs have been artificially raised to make prosecution possible...

Whilst I suspect this massaging of figures surprises no one, the fact that it's effectively becoming a trial before a trial is a surprise and if the defense win then there are at the very least going to be red faces on the prosecution side if not actual censure.

http://motherboard.vice.com/read/low-level-vandalism-or-high-damage-hacking-day-two-of-the-matthew-keys-trial

Who?October 4, 2015 5:01 AM

@manila rabbit

If you want to buy a ThinkPad and ask someone to flash an alternative BIOS on it, make sure the computer you are acquiring is supported by the BIOS you want to use. Libreboot will not run on any ThinkPad -- in fact, you will need an old computer like the X200 and T400 announced by that seller.

Vanda AddessiOctober 4, 2015 6:44 AM

@Justin:
"It's an Aluminum RFID Wallet." (...) "People are going tinfoil-hat crazy."

Actually, it's not that crazy. The subject was discussed a while ago in this blog. Big credit card companies are selling contactless technology to shops that doubles as a payment method and what they euphemistically call "customer loyalty" or "customer interaction analysis" solutions.

https://www.cisco.com/web/about/ac79/docs/innov/RFID_Loyalty_IBSG_0614.pdf

http://www.researchgate.net/profile/Saul_Greenberg/publication/221515294_Rethinking_RFID_awareness_and_control_for_interaction_with_RFID_systems/links/00b49518a263bd7d2a000000.pdf

Coupled with tracking your cellphone's MAC address via wifi, it allows shops to profile customers (even those that stop by the shop window but do not even walk into the store).

Perhaps more worryingly, the same technology is now incorporated into national ID cards all over the world, making it trivial for anyone with an RFID skimmer to read your ID card details as you walk past.

ianfOctober 4, 2015 7:10 AM


Back to Edward Snowden…

@ Evan: […] “since Snowden had divested himself of the appropriated [NOT STOLEN] files, he's probably not of much use

… assume you meant "useful to his current 'hosts'." If so, you're mistaken. Ed carries within him a sizable trove of procedural NSA inner workings insights that the Russians would like to mine. Should he remain there for ages, they may yet extract that from him one way or another—whether it's still of operational value, or not. It could be things that corroborate their earlier knowledge, or that Ed himself doesn't consider secret, but which constitute some hitherto-missing puzzle bits that the Russians are laying. The puzzles that in time lay golden eggs.


Evan: […] “were [the CIA/ the Seals] to move against him, it would only help galvanize the movement to reform/resist overreach in the intelligence community.

Forget any protection factor due to his celebrity or fears of "galvanization." Snowden's US adversaries are way beyond that, couldn't give half a fuck. Remember the Bolivian president's plane from Moscow denied overflight rights by France & Portugal, which, acc. to the State Dept's spokesman woman “were these two foreign governments' wholly independent decisions?” [wonder what Bolivia retaliated with in return]. If the CIA could find a way to snatch & exfiltrate him alive without getting caught by Russian counter-intel, they'd do it.


@ Michael: […] “Real person Edward could just read @Snowden feed on the web without being logged in, and then have his cutout(s) at @FreedomofPress post messages in his name.

Possibly, though the strength of Twitter lies in its ability to read many feeds in parallel, not primarily one's own. Even if he only follows "His Previous Master's Voice" account, and reads Twitter by keywords & hashtags, it is an incredibly inefficient way to do it in a web browser. Fortunately, there are some read-only Twitter-clients that do not require an account (or he might've written a text-UI one himself?) Perhaps his intention is primarily to have a controlled "narrow" presence in a social medium, to be used occasionally, rather than as a daily engagement platform with some among his 1.3M followers.


Michael: “it is perceived that Putin wants Snowden to have asylum

We don't really know what Putin wants… other than that Snowden's sudden appearance in Moscow with revoked passport played right into his perverted Tsarist self-image of being a defender of something & USA-nose-rubber-du-jour. That also happened to be bloody inconvenient to CIA's intelligence gathering ops (of friendly foreign leaders). Now that Angela Merkel et al, nominally kissy-kissy with the Obamas, needs to discuss something of real importance, she does that in a way that the NSA spooks can but gnash their teeth over [clarification: or so I believe, have no proof of that other than once burned…]

Admittedly, as Ed surely is being watched by the FSB from a distance, this acts as a deterrent against physical body snatching attempts (that many a man-eating Russian maiden must've found out… the man is a disgrace for importing a foreign bride, and a blond Amerikanka no less!) But that's not where the danger lies.

    Rather, the longer this particular asylum show goes on, the bigger the public fatigue, and the greater the saturation of the meme that Snowden is our times' Kim Philby, first-traitor-then-defector.

Perhaps that is what lies behind Ed's decision to appear in cyberspace, if in limited manner to begin with. Personally, I also imagine that he's thought this through far ahead & prepared one or more Doomsday (dead-man-grip-triggered) Options (NSA knows what, now shredding the evidence).

65535October 4, 2015 8:38 AM

@ Peanuts

Interesting script. I’ll give it a go.

I assume some of the KB’s are for Office. I have only seen 4 KB’s that are flagged as leaking telemetry data in Win 7 [excluding Office].


Clive RobinsonOctober 4, 2015 9:05 AM

@ Winter,

As a small reminder, it is very well possible to detect not-too-sophisticated surveillance.

Either the journo or the presenter has not got a clue, as there are definite mistakes in there.

And... I've given better advice and the physics behind all of that on this blog long long ago (including mildly upsetting Nick P over talking about the use of thermal imagers to find bugs hidden in objects and the wall).

The big mistake in there is about IR leds in cameras, that only applies to the real cheap stuff made by the likes of Australia's Swann. Anyone with half a brain knows that all B&W semiconductor cameras work in the near IR which is the trick with the smartphone camera. However even cheap digital cameras often have IR filters built in to solve certain problems, so won't see the IR leds... further night vision systems work differently and thus are immune to the technique, and night vision optics for cameras whilst not "dirt cheap" are down in the couple of hundred dollar range.

The reliable way to find cameras is to use the simple fact that they are focused on a sensor that also acts like a mirror and you get 180degree internal reflection (so called "red eye"). By the use of multispectral emitters and sensors you can find not just the cameras but enumerate their sensors and any inline filters, including the night vision systems you are likely to come up against. It can also tell the difference between human eyes and silicon sensors so you will know if the suspect camera is a DSLR with a human looking down it waiting to press the button. Using helical scanning systems you can spot anything looking at you at over 10meters distance.

As for the AM radio and a drone from a tracking device, that is only true of transmitters that use envelope modulation which produces signals in the 100-5000Hz range, professional tracking bug designers know this and use designs outside that range. Ones I've designed use random burst transmission or tailored envelope transmission or Direct Sequence Spread Spectrum, which foils most bug detectors as well.

I've also mentioned that one of the most difficult vehicles to follow is a push bike / cycle, and how following such a person can not be done on foot, or in a car or other motorised vehicle, especially a helicopter. Unfortunately the world of drones has caught up in the past couple of years so you need to be aware of their limitations (which I'm not going to talk about for obvious reasons ;)

Whilst the information given will work with low end Gumshoe PIs and those who have purchased kit in the likes of high street electrical shops, it won't work against semi-pro and above equipment used by the likes of Kroll...

Any way, longterm blog readers will quickly see the deficiencies of the presentation from information that has been given here over the years.

CallMeLateForSupperOctober 4, 2015 10:00 AM

@Winter
"...Boliva has already ... legalized cocoa leaves."

Paving the way for that "mellow chocolate high". ;-)

Clive RobinsonOctober 4, 2015 10:57 AM

@ CallMeLate...,

Yes "Cocoa" bean / gourd from the Theobroma cacao tree, the pulp of which makes a pleasant chocolate drink. Whilst "Coca" leaves from bushes in the Erythroxylum family make an uplifting tea and an effective pain killer --sometimes used as a food substitute-- and if freebased correctly gives cocaine that at one time ended up in Coca Cola which supposedly eased various digestive and lower abdominal pains (rumour has it that the tea does the same).

Oh the "Theobroma" in the name of the chocolate plant means "Food of the Gods", but ironically is also used as the name of the poison in chocolate. A few milligrams of which will kill your pet dog, or cat quite unpleasantly. It's also lethal to humans if you can eat about 10Kg of chocolate bars within a relatively short period of time... however like most alkaloid poisons in small doses it has pleasant and medically useful effects. If you want the sciency stuff search for "LDL50 theobromine" otherwise have look at the Wired digested article,

http://www.wired.com/2013/02/the-poisonous-nature-of-chocolate/

ianfOctober 4, 2015 12:14 PM


@ Figureitout, in January 2015 you wrote in connection with the Librem laptop:

Think someone (may have to be me if no one else) can do a crowd funding campaign for a laptop w/ no peripherals like camera, microphone, speaker, wifi/BT and crafts a nice EMSEC box for it all.

Any… news?

ianfOctober 4, 2015 12:39 PM


@ Clive […] “ironically, "Theobroma" is also the name of the poison in chocolate. A few milligrams will kill your pet dog, or cat quite unpleasantly. Also lethal to humans if you can eat about 10kg of chocolate bars within a relatively short period of time...

    Seems a pleasant & relatively cheap way to go. So, know of any recorded instances of suicide by KitKat, or -Snickers? If not, H-E-L-L-O! anyone willing to give it a try, then report back? Oh, wait

Nick POctober 4, 2015 12:41 PM

@ Clive Robinson

"There is blurb on the book website that indicates it is some kind of Cyber-Techno-Thriller that might be of interest to those in the Infosec world..."

Ha! Haven't heard of it. Would be nice to know of a good author who also writes technically accurate stuff. Thanks to help from a hacker, the movie Blackhat was the first, modern one to be fairly believable. The best, hands down, is Esmail's Mr Robot. That series used terminals, social engineering, believable visualizations, great character... dude, it's a 180 far as hacking and movies. Season 1 is over. I recommend you buy it or borrow it from the Internet in a legal way.

"including mildly upsetting Nick P over talking about the use of thermal imagers to find bugs hidden in objects and the wall"

I don't remember that haha. There were IR filters on sale to give guys X-ray vision for various, professional reasons a long time ago. That's where I learned IR was a threat although not the extent for all materials.

Your best post on IR was reminding me about the benefits of using it as a transmission device. Kept that in the back of my mind when I think of multi-board designs.

ianfOctober 4, 2015 1:12 PM


@ Winter, CallMeLateForSupper, Clive

… wonder what Bolivia retaliated with in return AGAINST France & Portugal, for treating the President of Bolivia as a common criminal about to foul their airspace with his proximity…

Methinks, come the next large Bolivian development project, OR arms/ ordnance purchases, the French, Austrian and Portuguese firms can kiss their bids goodbye. Were it up to me, I'd seriously keep delaying "for reasons of security" all flights with any official representative from these countries onboard, even only in transit. But what do I know of trade exchanges with these "partners."

Bruce SchneierOctober 4, 2015 1:18 PM

"...he indirectly recommends a book titled the Florentine Deception..."

I read it and enjoyed it.

MichaelOctober 4, 2015 1:27 PM

@ ianf

«We don't really know what Putin wants… »

Very true. But it is not important what he really wants. What matters is what police colonels think police generals think Putin wants.

And if they think that federal security officers will be grateful for these strange Americans getting into hospital with blunt traumas — Putin's opinion will matter only after the fact, when there already will be one more identified carrier of CIA operational knowledge in the hands of Federal Security Service.

Nick P • October 4, 2015 2:57 PM

@ Bruce Schneier

re Florentine Deception

Appreciate the feedback. Might read it.

Jacob • October 4, 2015 3:04 PM

The Constitution is dead. Federal Agents vs. the People.

A US citizen, a mayor of a mid-size city in California, on his return flight home from overseas, was detained at the San Francisco Int'l Airport without any probable cause and had all of his electronic devices confiscated and was not released until he provided his passwords for all of his devices. No warrant at play whatsoever.

http://arstechnica.com/tech-policy/2015/10/small-town-mayor-relinquishes-electronics-and-passwords-to-agents-at-sfo/

r • October 4, 2015 3:32 PM

Opening an umbrella indoors is said to lead to bad luck...

But thinking about the whole visual tent complex - a wide brim hat - eg. farmers/cowboy might be a good single handed solution. An apron of some sort may qualify too, and would have readily deniable characteristics for those of you who wear suits and or eat at work. A coat or jacket should be pretty effective too and the duster specifically could have this fact amended to its already known long list of secondary uses.

The thread from last month concerning EMI/Visual shielding Obama and the Security of the Waldorf Astoria Hotel.

Clive Robinson • October 4, 2015 4:11 PM

@ Bruce,

Thanks for the replies. I guess I'm going to have to read it now :-)

Clive Robinson • October 4, 2015 5:15 PM

@ Michael, ianf,

> Putin's opinion will matter only after the fact, when there already will be one more identified carrier of CIA operational knowledge in the hands of Federal Security Service

The Russians grabbed a CIA bod only a few months ago and put photos of him and what he was carrying up in the news services and on the internet.

Unless it's a NOC the rules of play as far as protection goes is they can rough them up and do more or less what they like until the person says they have diplomatic immunity and with which mission. If the mission or Embassy identifies them then officially the Russians are supposed to hand the person back to the mission or expel them from the country on the first available civilian international transport back to their home nation.

NOCs however are in effect guilty of treason and thus disappear into a hole, be it a black one, prison one or just the regular six foot deep one. What happens on that journey is unknown but assumed to be quite unpleasant compared to even waterboarding etc the US is known to use.

For instance there are persistent rumors that the Chinese have "live organ harvested" them in the past, as are many condemned criminals and members of a spiritual sect,

https://en.m.wikipedia.org/wiki/Kilgour%E2%80%93Matas_report

China as is normal "strenuously denies" this although they've consistently failed to produce evidence for where the 10,000+ a year organs --many of which are "live harvested"-- they transplant come from. Which causes considerable concern among many human rights NGOs and likewise the UN.

Further it is known that China regularly performs surgical procedures of all sorts without the use of anaesthesia...

What other countries do currently is conjecture however we are aware of what has happened in some countries like Argentina within the last half century, and more recently in the Middle East.

I suspect that there is no country that has not seen torture of some form on its soil in the last hundred years, irrespective of what the politicians have been told. Such is the nature of the world we live in, where someone will always find an excuse, no matter how often it is shown that torture is an ineffective way of obtaining reliable information from prisoners.

Fenichel • October 4, 2015 5:31 PM

Florentine Deception has a clever central, malware-related idea, but the characters are implausible stick figures speaking robotic dialogue, blundering through a landscape of silly coincidences. At 500 words, it could have been a good entry in Bruce's annual scenario contest, but the author aimed recklessly higher than that.

Figureitout • October 4, 2015 5:50 PM

Clive Robinson
--Thanks but I beat you and read it before heh. HN's on my small reading list. If I had some $$ I'd dig in more (really would like a "real" SDR from Flex or something like that, so I can just operate). Nose deep in other stuff though so I don't tempt myself and get distracted yet again (I like low-power 900MHz or 2.4GHz programmable SoC's best. Most secure?--No. Fun?--yes).

ianf
--No, there's too many obstacles and I'm not putting my name on that. First, I need to know there's a profitable market for it (most people who care just do it themselves). Next, I don't know what to do about the screen though there was some kind of reflective film that poster "Iain Moffat" mentioned. Next I'd need some kind of privileged/special relationship w/ a factory to potentially run basic background checks and check for any "new employees", then get product immediately and deliver by hand (hell no I don't want interdiction on shipments w/ my name on it).

Let me mention one other thing I do, since I have reason to believe some "wonderful" people want to sabotage my work, I post a lot of things I say I'll do, then they'd need to "brush up" on it but I may do 180 and do something else, forcing more work to even be able to subvert something. Is it stupid?--Absolutely, I'm not doing it much anymore. I've got some training in evasive action now in case of compromise, and can switch on a dime.

I'm working on Arduino/RasPi/Beaglebone(want to eventually call myself a coreboot dev and make that port stable)/and right now some Atmel chips since I can do some actual work and not just learn another toolchain or to a certain extent their "architecture" (you know, how product lines of chips are basically the same or at least compatible just different memories or a few more clocks etc.). I'll definitely let the blog know if/when I have some kind of deliverable (wish I could do this fulltime as my job) and I keep my eyes peeled for others' ideas/deliverables.

Skeptical • October 4, 2015 6:46 PM


Snowden is safe in Russia so long as his presence serves Putin's purposes, and quite clearly the Russian Government views Snowden as a great asset to its information operations against the United States, as it does aspects of the Wikileaks operation and other media outlets (just as, during the Cold War, it found certain organizations in Europe useful in fanning opposition to the basing of intermediate range nuclear-armed missiles).

And no, the US is not going to practice a form of extraordinary rendition with Snowden, though so far as US law is concerned it could. There actually is a rough set of rules to this kind of thing, based more upon mutual interest and custom than anything else.

That said, as a means of controlling Snowden and as a means of cultivating his psychological favor and dependence, I'm sure that the Russian Government has emphasized the danger of an American sponsored extraordinary rendition, and the need for Russian security, to the man who feared the CIA would contract Chinese gangs to kill him. It would be unsurprising if Snowden's security had even staged some hurried relocations, or occasionally briefed him on "threat" reports (to be delivered as an ego-stroking "professional courtesy" - and perhaps to give him a chance to show off whatever knowledge he might have).

@Clive:

> The Russians grabbed a CIA bod only a few months ago and put photos of him and what he was carrying up in the news services and on the internet.

Unusual perhaps, but probably simply payback for what Russia may have viewed as the humiliating arrests of, and publication of the extent to which the FBI compromised, a group of Russian illegals.

> Unless it's a NOC the rules of play as far as protection goes is they can rough them up and do more or less what they like until the person says they have diplomatic immunity and with which mission.

Based on what I've read, there are rules of the game regarding NOCs as well, to which each side can be closely attuned. For example, during the late part of the Cold War a judge set bail for two Soviet intelligence officers acting under non-official cover at a higher level than had been customary. The Soviets apparently considered this to be a calculated breach by the US Government, and arrested an American journalist in quick retribution.

Both sides have an interest in keeping the game within limits, and that means treating the officers of foreign intelligence services within those limits, whether under official or non-official cover.

This is in part reflective of the extent to which espionage is considered ordinary and accepted practice among governments - something also reflected by the almost bemused admiration of some American intelligence officials for those who breached the OPM, rather than indignation or condemnation.


ianf • October 4, 2015 8:09 PM


I was going to let this rest but now that Clive entered the fray[*], must admit that I DO NOT understand what you, Michael, wrote & Clive expanded upon. Are you (both) really suggesting that Ed Snowden—whom we were discussing—official asylum recipient, thus in a sense a guest of the Russian Federation, lives in danger of being sandbagged on a Moscow street by FSB thugs (Федеральная служба безопасности Российской Федерации), so that he'll start spilling the secrets? (And Clive's otherwise erudite contribution doesn't make it any clearer).

If the intention is to win ES's cooperation, what would they gain by such roughing up? Give the Russians some credit in how they treated this high-visibility "deserter" living for a month in limbo at the Sheremetyevo Airport (per Citizenfour movie: in a windowless room with basic sanitation in the public restrooms, constantly chaperoned by his WikiLeaks companion Sarah Harrison). Surely, in [t]his case, they've acted well above stereotype. Let's agree that Snowden's situation is shaky, without further demonization of it.


Clive: “NOCs however are in effect guilty of treason and thus disappear into a hole, be it a black one, prison one or just the regular six foot deep one. What happens on that journey is unknown but assumed to be quite unpleasant compared to even waterboarding etc the US is [has been --ed.] known to use.”

I don't know who those "NOCs" are, can not read your acronym-dense mind over TCP/IP, but the disappearance method you mention is essentially the Nazi "Nacht und Nebel" (Night and Fog) directive of 1941 (in force since ~1936). It allowed the Gestapo to snatch anyone without motive, and disappear him "administrivially" forever. In practice be sent to Dachau without notification to relatives. More or less what the US DoD intended with the first post-2002 Guantanamo detainees, keep their identities secret, until lawyer Matt Diaz blew the whistle, and paid for it with a felony prison sentence.

I won't comment on your alleged Chinese practices, but this your vague-severe

> it is known that China regularly performs surgical procedures of all sorts without the use of anesthesia...

is WAY OVER THE TOP. That's what Josef Mengele did to pregnant Poles in Auschwitz. Not even DPRK, as nasty a right wing dictatorship as they come, is being accused of that.

[^*] "fray" ye stupid SPELCHQR, not "Frau"!


@ Skeptical

The “extraordinary rendition” of Edward Snowden you claim as the US Govt's right or prerogative, is a euphemism for execution of principle of citizens-as-slaves-of-the-state (rather than some individual's chattel) — or the same condition we end up in when deceased in somehow abnormal fashion (autopsy of corpses, etc), except here applied while the slaves are still alive.

r • October 4, 2015 8:10 PM

As to the question of mr. endsnow's value...
Simply placing him in a highly paranoid / controlled and or observable state would allow the russians to highlight any training differences between the NSA & FSB. The mere presence of OPSEC leaks information irrespective of any data he stole.

After all, he walked away from the US institutions unnoticed after using wget /w/ pass the hash? I think this is a large part behind the 'restructuring' the other guy was hinting at last month.

Maybe he's 'earning' his keep by improving Ms. Chapman's skills? Her group didn't even randomize their MACs. Any insights provided from the american landscape of targeted ads and identity mining could benefit both their existing and prospective operatives.

OLD HABITS DIE HARD

Dirk Praet • October 4, 2015 8:50 PM

@ Skeptical

> And no, the US is not going to practice a form of extraordinary rendition with Snowden, though so far as US law is concerned it could.

And what law would that exactly be, or are you referring to some secret piece of legislation or secret interpretation thereof? Under international law, it's very reassuring that the territorial integrity of other countries (the US is not at war with) would actually mean squat to the USG, both in digital as in meat space. But hey, I guess the sky is the limit if you can get away with intentionally or even out of sheer stupidity bombing hospitals too.

r • October 4, 2015 9:06 PM

@dirk, it used to be we used laser guided bombs. more recently we've been using gps guided uav's ??? who's to say that hospital bomb wasn't a gps hijacking dirk?

FGH • October 4, 2015 11:52 PM

@Jacob - was the constitution ever really alive? If your skin wasn't white, or you lacked a penis? There have always been, and still are, large numbers of inalienable human rights being alienated all around us. Stupid is with us. When they credibly threaten you with the Gulag, you'll wonder why you were ever foolish enough to use Tor. Live Naked. Be Free.

Gerard van Vooren • October 5, 2015 12:24 AM

@ r,

> who's to say that hospital bomb wasn't a gps hijacking dirk?

They video shoot all the impacts. If the gps was hijacked they would know it after one bomb / missile. The attack lasted 30 minutes according to witnesses.

65535 • October 5, 2015 1:08 AM

@ Jacob

“…a mayor of a mid-size city in California, on his return flight home from overseas, was detained at the San Francisco Int'l Airport without any probable cause…”

http://arstechnica.com/tech-policy/2015/10/small-town-mayor-relinquishes-electronics-and-passwords-to-agents-at-sfo/


This is bad.

It highlights several points:

1] I would guess that Stockton, California Mayor Anthony R. Silva was on a NSA list and was probably XKEYSCORE’d before he stepped off the aircraft.

2] He was intimidated with the Border Search Exception Rule.

https://en.wikipedia.org/wiki/Border_search_exception

[and]

http://arstechnica.com/security/2008/10/aclu-23-of-us-population-lives-in-constitution-free-zone/

[and]

https://www.aclu.org/aclu-factsheet-customs-and-border-protections-100-mile-zone

3] One of his political enemies could have instigated this search or it could have been retaliation to one of his stances regarding privacy. Either way we are seeing examples of so called “National Security issues” trumping political oversight [not to mention “National Security” being used to bludgeon the average citizen].

Gerard van Vooren • October 5, 2015 3:19 AM

The Doctors Without Borders (MSF) site mentions [1]:

> MSF is disgusted by the recent statements coming from some Afghanistan government authorities justifying the attack on its hospital in Kunduz. These statements imply that Afghan and US forces working together decided to raze to the ground a fully functioning hospital – with more than 180 staff and patients inside – because they claim that members of the Taliban were present.
>
> This amounts to an admission of a war crime. This utterly contradicts the initial attempts of the US government to minimise the attack as 'collateral damage'. There can be no justification for this abhorrent attack on our hospital that resulted in the deaths of MSF staff as they worked and patients as they lay in their beds.
>
> MSF reiterates its demand for a full transparent and independent international investigation.
>
> Twelve MSF staff are confirmed killed as well as 10 patients, including three children.
>
> We reiterate that the main hospital building, where medical personnel were caring for patients, was repeatedly and very precisely hit during each aerial raid, while the rest of the compound was left mostly untouched. We condemn this attack, which constitutes a grave violation of International Humanitarian Law.
>
> From 2:08 AM until 3:15 AM local time today (03 October 2015), MSF’s trauma hospital in Kunduz was hit by a series of aerial bombing raids at approximately 15 minute intervals. The main central hospital building, housing the intensive care unit, emergency rooms, and physiotherapy ward, was repeatedly hit very precisely during each aerial raid, while surrounding buildings were left mostly untouched.


There is no question about whether this attack was a (GPS) error. This was a deliberate attack and a war crime. MSF doesn't trust the US investigation and demands an independent investigation.


[1] http://www.msf.org/article/afghanistan-msf-demands-explanations-after-deadly-airstrikes-hit-hospital-kunduz

65535 • October 5, 2015 4:37 AM

@ Peanuts

Good work on that last .bat set.

Do you have any good scripts that will strip-out sketchy Certificates from the preconfigured certificate store? It seems there are a number of useless or dubious/dangerous certificates in Win 7, Win 8/8.1 [At the OS level].

Wesley Parish • October 5, 2015 5:13 AM

@Gerard van Vooren

IMHO, GPS precision guidance for munitions removes the fog of war. And full spectrum dominance such as the United States Armed Forces can quite accurately be said to exercise over Afghanistan, likewise removes the fog of war.

If the advertisements and operating manuals of these precision guided weapons are ever read in court, the United States Government will stand self-accused of a crime against humanity and a war crime, of mass murder of unarmed civilians in a known unarmed environment.

Clive Robinson • October 5, 2015 5:32 AM

@ ianf,

> Are you (both) really suggesting that Ed Snowden—whom we were discussing—official asylum recipient, thus in a sense a guest of the Russian Federation, lives in danger of being sandbagged on a Moscow street by FSB thugs

We are discussing several people, Pres Putin, Ed Snowden and people working in foreign intelligence either with diplomatic cover/protection or without which the Russians call "illegals" and the US calls "Non-Official Cover" (NOCs pronounced as "knocks").

Whilst NOCs are not "agents" --ie nationals that have been turned / traitors-- they are usually either "Officers" --ie employees of one of the US Intel Orgs-- or are contractors such as ex-military or IC who have in effect become the Intel equivalent of "guns for hire" and have the advantage of deniability. If the US were to try and "lift Snowden" then it is likely that the first stages would be carried out by NOCs, and it is they and any agents being used who are at risk.

As Skeptical points out in the past there have been informal rules, the reason for this is it serves both sides by not allowing escalation into open conflict. However such rules as they are have only been seen to apply where both sides see themselves as equals in "the great game". Thus these informal rules are not the case with all countries and may not hold with either the US or Russia any more. As both sides have been ratcheting things up so they are clearly in the public eye, escalation has visibly begun.

To add to this Putin is re-establishing the old early Stalin ties to China and thus also North Korea which is going to be problematical for the US and some WASP nations.

As Europe feared back prior to Gulf War II / invasion of Iraq, rather than tie Russia economically to Western Europe which would further the peace, prosperity and thus stability, the US & UK have by their short sighted behaviour, driven a wedge in the Middle East. With the expected destabilization and build up of conflict spreading in the old Russian Republics and other Russian "buffer nations".

To add to this we now have the start of a "pissing contest" in Syria, which could easily turn into a proxy war, which would mightily please the US MIC who were very against de-escalation with Iran. Further we are also edging closer to hostility issues in that other old War Hawk stamping ground of the South China Seas...

As the words of the song say "Oh the times they are a changing...".

With regards China carrying out operations without anesthesia, it's fairly well known in scientific circles and has been in the likes of New Scientist and similar. Further the US are currently investigating local not general anesthesia for operations other than brain surgery where it's been in use for some time. It's also been shown that for very short surgical procedures on fingers etc that an ancient "binding" technique works (think about the stages of "pins&needles").

The reason for the research --which also involves exotic poisons-- is current general anesthetics are bloody dangerous and significantly reduce a patient's outcomes, especially if they have a high BMI. Whilst western medicine is working towards blocking the pain paths closer to the operating site, China has investigated the use of what the west calls "alternative medicine" such as hypnosis and electro acupuncture and various extensions to TENS etc as well as forms of cranial stimulation.

The main concern with what is being done in China is that operations not using conventional anesthesia are performed at much lower financial cost to the patient, and that the pain signals in the nerves are still being sent to the brain. As has been found in the past in the US the fact that a patient does not physically react during an operation does not mean the brain is not feeling pain and thus potentially trauma that will be relived later.

Thus the concern that poorer patients in China may in fact just be grinding their teeth, as they need the operation, and can not afford the higher cost and likewise do not care about potential future psychological issues.

Having myself awoken a couple of times during general anaesthetic and as I'm very likely to need further operations for muscular skeletal issues, it's a subject that is of considerable interest to me. For those that are interested, I've found that in my case spinal blocking causes me way less problems than general, and if the science finds that more localised or non chemical anesthesia works then I would be more than happy to go down those paths. Further being a sufferer of continuous pain and having had bad side effects of CNS pain killers I've found that certain techniques similar to meditation surprisingly do help quite a bit.

ianf • October 5, 2015 5:33 AM


@ Figureitout

Re: ianf your crowd-funded campaign plans for an EMSEC laptop (not the Librem)

> [Figureitout rephrased] There are too many obstacles… first would need to know the market demand for it… don't know what to do about the screen… next I'd need some kind of privileged/ special relationship w/ a factory to potentially run basic background checks and check for any "new employees", then get product immediately and deliver by hand (hell no I don't want interdiction on shipments w/ my name on it).

I'm glad you've recognized the extent of your incompetence (one of a few wisdoms my father left me), saved yourself and us all lots of bother.

As the Librem laptop is, clearly, primarily an elegant MacBook-lookylike for the diehard Windows/Linux crowd, with some surface non-traceability features thrown in (@$79 extra for the camera/ mic physical off switches), but the hardware snooping backdoors left wide open, I keep looking for something taking privacy bit more seriously than that. I'd even settle for something along the lines of a Tor/Tails-on-a-stick blob (Dirk Praet's response is here), intended to be turn-key-installed onto, perhaps, this particular USB Armory thumb drive, to be used with probably otherwise already compromised public terminals.

> I'm working on Arduino/ RaspberryPi/ Beaglebone (want to eventually call myself a coreboot dev and make that port stable)…

Just remember the fate of Mr. Casaubon.

Gerard van Vooren • October 5, 2015 6:14 AM

@ Wesley Parish

> IMHO, GPS precision guidance for munitions removes the fog of war.

I agree, with the note that misses are still possible.

(different but related subject)

With "the fog of war" diminishing the saying that "the truth is the first victim of war" still stands. The amount of disinformation when it comes to the war in Syria is astonishing. I doubt whether we will ever hear "the whole truth" and the true intentions of the geopolitics. The "spoils of war" are left out of the discussions at all times. And also what Dirk said about that Turkey is bombing the Kurds without even one word from the politicians (in The Netherlands that is), but that Russia is bombing is all over the news. My gut tells me that the US made a deal with Turkey that they could bomb the Kurds (an ally!) and in return the US could have access to Turkey air space. But I am as badly informed about Syria as most of us. It does have a smell though.

ianf • October 5, 2015 8:29 AM


@ 65535 […] “we are seeing examples of so called “National Security issues” trumping political oversight [not to mention “National Security” being used to bludgeon the average citizen].”

Why don't we call this spade by its real name, which is state despotism, a prerequisite for FASCISM? The latter comes in many shades, from "benevolently" xenophobic (ancient Japan; recent Myanmar) to triumphantly & theatrically overt (Mussolini's Italy).

Anyone wishing to study the mechanisms of how a traditionally laid-back, romantic laissez-faire society gets cowed into acquiescence by physical thuggery and populistic indoctrination could do worse than invest the 5 hours needed for watching the 2-part “1900” movie by Bernardo Bertolucci (1976; get the director's cut, not the US cinematic release of 245 minutes). I know of no better "primer" of a similar scope.

Then you'll see the analogies. Because what is, e.g., the TSA and the police, other than thinly gloved institutionalized thuggery? Today the mayor of a CA city, tomorrow you & me. Hence, USA is a society self-crawling towards fascism. Breathe out.

CallMeLateForSupper • October 5, 2015 8:53 AM

Regarding the hospital attack, I think it is way too early to speculate about e.g. "GPS hack". The investigation is on-going; we don't know what attack platform(s) were involved nor what weapon(s) it/they delivered. And though hospital staff have described "bombing attacks", are they competent to differentiate between a bomb blast and a 105mm shell blast? I bring this up because USAF has stated that a C-130 gunship might have done the deed*. For the time being, we need to chill out.


*Some - not all - models of C-130 gunship employ a 105mm howitzer. Only one or two models can deliver rockets.

Dirk Praet • October 5, 2015 8:58 AM

@ ianf

> I'd even settle for something along the lines of a Tor/Tails-on-a-stick blob (Dirk Praet's response is here), intended to be turn-key-installed onto, perhaps, this particular USB Armory thumb drive, ...

Interesting thumb drive. I wonder if any research has been done about the trustworthiness of the hardware components and their supply chain. Over the weekend, I've been working on TAILS installation routines for some additional candidates for inclusion, such as Martus (secure, encrypted BBS for activists) and Pond (asynchronous messenger). Tomb desktop integration is coming up too, albeit slowly. Nautilus is a bitch, and quite some modifications are needed to (abandoned) wrapper scripts and the C++ GTK tray applet. The author is really helpful, though.

@ Figureitout

My advice: don't give up but try to focus on certain things you can engineer the living daylights out of, then team up with other people doing the same in their areas of expertise/interest.

@ Gerard Van Vooren

> The amount of disinformation when it comes to the war in Syria is astonishing.

Yes it is. The best sources for more or less accurate reporting of the situation on the ground are Al Jazeera and, surprisingly, some 19-year-old Dutch guy called Thomas van Linge, whose IS and Syria maps are now being used by almost everybody in need of factual information instead of state-level propaganda by USUK, Turkish, Gulf State, Russian and Chinese MSM.

> My gut tells me that the US made a deal with Turkey that they could bomb the Kurds (an ally!) and in return the US could have access to Turkey air space.

That's pretty much what happened. The US struck a deal with Turkey over access and material supplies to Incirlik airbase for their raids on Da'esh. Erdogan then used it as collateral to get away with cracking down on Kurdish PKK fighters in the area instead of Da'esh. Making the entire situation even more bizarre, is Erdogan being really good friends with Masoud Barzani, the leader of the Iraqi Kurds (KRG) and Peshmerga forces. Both gentlemen are also rumoured to be making a mint of crude oil being smuggled from Da'esh territory to the Turkish port of Ceyhan. From where it allegedly moves on to Turkish, Iranian, Chinese and British oil brokers.

The current situation in the region is one gigantic clusterf*ck the likes of which have not been seen for at least a century. Imagine this:

1) In the north, Erdogan is bombing Turkish Kurds (PKK), while in the south being good friends with Iraqi Kurds (KRG/Peshmerga), whose leader is ok with his countrymen in the north being bombed to Kingdom Come.

2) The West (US/Europe) is allied with Turkey, Saudi Arabia and the Gulf States, all three of which - and mostly Sunni - have to some degree been sponsoring/financing Da'esh (IS).

3) In Syria, there is now a new alliance emerging between the Assad regime, Russia and Shia forces in Iran and Lebanon. All of which want to get rid of Da'esh and AQ affiliate Jabhat Al Nusra, who are also fighting among each other over some stupid matter of allegiance to either caliphate leader Abu Bakr Al-Baghdadi or Mullah Mansur, the Afghan Taliban successor of Mullah Omar.

4) For reasons utterly defying logic, Russia and Iran, according to our western governments and media, are now the enemy for actually combatting the exact terrorist groups those same governments have instilled us with fear about for more than a decade and have used as the main reason for unleashing on the planet the most comprehensive surveillance dragnet in the history of mankind. The US has even formally complained about the Russians bombing "moderate" rebel groups like Al Nusra, which some voices in the administration even consider potential "partner material".

As to my point: none of this has anything to do with a war on terrorism or bringing about "peace, democracy and free trade" in the region. It's all about political control and access to its oil resources. The precarious balance of power was irreparably upset by the US's ill-considered invasion and occupation of Iraq, which eventually plunged the entire Middle East and Northern Africa in turmoil, leaving a bunch of failed states, millions of casualties and refugees throughout the region.

As long as the US sticks to its disastrous foreign policy of regime change - as we are seeing again with Syria today - and keeps aligning itself with dodgy, two-faced Arab partners in the Gulf States - things are not going to get any better. They're only going to get worse.

ianf • October 5, 2015 10:49 AM


@ Dirk Praet […] “As long as the US sticks to its disastrous foreign policy of regime change - as we are seeing again with Syria today - and keeps aligning itself with dodgy, two-faced Arab partners in the Gulf States - things are not going to get any better. They're only going to get worse.”

A slight correction: the hypocrisy of US foreign policy knows no bounds, nor is it likely to mature into less belligerent shape any time soon. On the other hand, let's not dump all the ills that are happening there exclusively on the USG's table… they and the British were once (from 1900s onward) stupid to meddle in the Middle East, and now we all are paying the price.

Only it's easy to say so in hindsight, or when one doesn't depend on crony capitalism to survive & enrich oneself - both as individuals and as a nation. In any event, the civil war genie in Syria has been let out of the bottle, and there simply aren't any chances anytime soon that it will "resolve itself" in somewhat ceasefire-y way. We need to prepare ourselves that it will deteriorate into a "Libya-bis" anarchy, which is when Israel will see it necessary to step in – probably by massive air- and land raids to destroy what's left of the military infrastructure that, if taken over by any fundamentalist forces, will be directly threatening their interests (i.e. Israel will not permit the kind of wholesale abandonment of mil. hardware that the Iraqis let fall into the Da'aesh/ISIS hands).

Hitherto, both Israel and the Ba'athist, warts-n-all-secular, Syria have abided by the ceasefire agreements from the Yom Kippur war (1973), which made the Golan heights border relatively peaceful even with occasional shelling. It's a no brainer to deduce that Israel will do all to stop the establishment of any rebellious back-to-prophet-times border state, whatever it may take. And the US will gladly ship them all the ordnance they desire, at rock-bottom prices. Everybody in the region knows that, too, who is the “40000 pounds” [metric: 18143.695 kg] gorilla in the region. Strange as it may sound, this alone offers hope for the survival of the Bashar Assad regime. If past realpolitik is anything to go by, they already are enmeshed in secret talks and unisided (Israel to Assad) targeting exchanges.

albertOctober 5, 2015 2:15 PM

You guys are working the trees over pretty good. Now meet the forest:

https://en.wikipedia.org/wiki/The_Grand_Chessboard - Zbigniew Brzezinski

This is Official US Foreign Policy. I give you Brzezinski's book only because it succinctly states the objectives. All US administrations follow it, regardless of political stripe (Democrats have white and black stripes; Republicans have black and white stripes).

Everything the US does overseas serves to enhance its global hegemony. The 'press on regardless' approach can and does lead to some stupid and idiotic moves, but they are mere hiccups compared to the grand strategy.

I'm not judging anyone here, just pointing out the facts.

The US has a Master Plan, and it's not peace and happiness for every man.

. .. . .. _ _ _

tyrOctober 5, 2015 3:08 PM


Here's a bit of Doctorow on TPP from boingBoing.

As we continue to fight this toxic, corporate-captured trade deal, we need to remember this fact: laws made in secret, with no public oversight or input, are illegitimate. If we're to defend one of the fundamental pillars of modern government, that law should transparently reflect the will of the people, we need to fight back against an agreement that so flagrantly disregards the democratic process.

We will soon see what's actually in this agreement. At long last, the White House won't be able to hide behind the secrecy. And as long as there remains any threat to the Internet and our rights online, EFF, alongside a massive coalition of public interest organizations, will be mobilizing to kill this agreement dead once and for all.

===
Since China and Australia are tied so closely economically
I'm wondering how Oz expects to escape from the anti-China
aspects of this trade treaty. they might find themselves on
the wrong end of deal after so blithely thinking it was a
good deal.

@Clive
There are few feelings to match that waking up during the
course of surgery. Hard to describe if you haven't been
there.


ianfOctober 5, 2015 4:37 PM


Every time I come across a truly paranoid surveillance factoid[*], I am reminded of the control question that Lois Lane asked when first told of Clark Kent's X-ray vision: “What color underwear am I wearing?”

    @ [^*] “in addition to pen and paper, having a glass table top or big photo frame, with an OCD like cleaning habit and an urge to hide under umbrellas whilst doing it helps with writing security.

Keep up The Good Watch!

Dirk PraetOctober 5, 2015 5:05 PM

@ ianf

On the other hand, let's not dump all the ills that are happening there exclusively on the USG's table ...

No argument here that the seeds of evil were sown by the ill-conceived repartition of the former Ottoman empire by then colonial powers France, Britain and Russia. But the US's catastrophical intervention in Iraq was the spark that ultimately blew up the powder keg and re-awakened as a road to power the abomination of Islamic fundamentalism that had been dormant for centuries.

We need to prepare ourselves that it will deteriorate into a "Libya-bis" anarchy, which is when Israel will see it necessary to step in ...

It already is. Most analysts agree that the landscape of the Middle East has been irrevocably changed and that it is highly unlikely that either Iraq or Syria will ever be returned to their original borders. Israel so far has shown remarkable restraint because they have nothing to gain by allowing themselves to be drawn into the conflict. Which could however change rapidly if Da'esh were to reach Lebanon or the Golan heights.

It stands to reason that Mr. Putin and Mr. Netanyahu have been in contact over Russia's recent initiatives in the region and that especially in the wake of the deal with Iran, Israel has probably obtained quite some "special favours" from the US too. I personally think Israel is quite happy with sustained massive air raids on Da'esh strongholds in the Homs and Raqqa regions.

Although they won't end the conflict, they may eventually demoralize Da'esh forces, reduce the influx of foreign fighters - primarily used as cannon fodder and suicide bombers - and entrench all parties on the ground in a similar way as in Flanders Fields during WWI. Factions cut off from their supply lines will perish or merge with others. The most likely outcome in this scenario, however, is that this stalemate will linger on for years to come while the civilian population will continue to be subjected to atrocities from all parties involved.

Once sufficiently weakened, ground troops will be required to root out Da'esh once and for all, the only alternative being negotiations for official recognition of an Islamic Caliphate in parts of Syria and Iraq.

SkepticalOctober 5, 2015 6:20 PM


@Dirk: In Syria, there is now a new alliance emerging between the Assad regime, Russia and Shia forces in Iran and Lebanon. All of which want to get rid of Da'esh and AQ affiliate Jabhat Al Nusra, who are also fighting among each other over some stupid matter of allegiance to either caliphate leader Abu Bakr Al-Baghdadi or Mullah Mansur, the Afghan Taliban successor of Mullah Omar.

This alliance isn't new. Russia has been supplying Assad for the duration of the Civil War (according to some, with pilots as well, but I've never seen that claim confirmed anywhere reputable). Iran has had personnel in combat on Assad's behalf, in addition to providing supplies, for the duration of the Civil War.

Indeed, Assad's setbacks over the last several months, and recently improved cooperation among the major partners in the coalition, no doubt forced Russia's hand in Syria. I continue to view Russia's actual intervention as a rather limited one, aimed purely at preserving Assad's regime (or the successor regime) sufficiently to protect its naval base and listening post.

For reasons utterly defying logic, Russia and Iran, according to our western governments and media, are now the enemy for actually combatting the exact terrorist groups those same governments have instilled us with fear about for more than a decade ...

The complaint about Russia is that they are intervening with military force to preserve Assad's regime - not to bring about any kind of truce.

Assad's regime is a major underlying problem in Syria. It is what sparked the Syrian Civil War in the first place, and it is the regime that remains the primary focus of most Syrian rebel groups.

The US has even formally complained about the Russians bombing "moderate" rebel groups like Al Nusra, which some voices in the administration even consider potential "partner material".

No one has complained about anyone bombing al Nusra. You've been reading too much Russia Today. Most of the world HAS complained about Russia bombing other rebel groups purely in a bid to aid Assad. And that's a legitimate complaint, which I suspect you share.

As to my point: none of this has anything to do with a war on terrorism or bringing about "peace, democracy and free trade" in the region. It's all about political control and access to its oil resources.

The US interest is actually quite limited here. That's less the case for the Arab countries, for Iran, for Turkey, most of all for the various peoples of Syria.

Russia's interest is a combination of Putin's domestic political strategy and a questionable desire to preserve Russian ability to project power in the Middle East.

The precarious balance of power was irreparably upset by the US's ill-considered invasion and occupation of Iraq, which eventually plunged the entire Middle East and Northern Africa in turmoil, leaving a bunch of failed states, millions of casualties and refugees throughout the region.

The causes of the Syrian Civil War have nothing to do with the United States or Iraq. I'm sorry, but that's simply a fact that all of Russia's considerable propaganda cannot drown.

What the US has said - as has France, Britain, Turkey, and most of Syria - is that Assad's departure is essential to an eventual resolution of the Syrian Civil War. Anyone who thinks otherwise simply does not understand the nature of the conflict or the depth of the hatred that exists among the opposing forces in Syria.

As long as the US sticks to its disastrous foreign policy of regime change - as we are seeing again with Syria today - and keeps aligning itself with dodgy, two-faced Arab partners in the Gulf States - things are not going to get any better. They're only going to get worse.

The primary proponents of regime change in Syria are the Syrian rebel groups. The US has been markedly reluctant to become involved at all, seeing a paucity of good partners on the ground, and only intervened - and then only against ISIL forces and not against Assad - once ISIL's provocations and destabilizing advances in Iraq had become too costly to ignore.

So casting this as a US-caused problem is really quite absurd. Then again, so is casting Russia's limited airstrikes as a game-changing event.

Dirk PraetOctober 5, 2015 8:29 PM

@ Skeptical

This alliance isn't new.

Russia and Iran have been supporting Assad from day one. What is new is a more coordinated approach with direct Russian intervention. And of course Putin is trying to preserve his only base left in the Mediterranean. As if the US, or any other nation state's involvement in the region is purely based on defending human rights of people oppressed by brutal dictators.

Assad's regime is a major underlying problem in Syria.

But of course it is. Most, if not all regimes in the entire area are dictatorships that don't give a flying f*ck about human rights. Saudi Arabia is a feudal state under Sharia law where there is no freedom of religion or expression, bloggers get flogged, women have very limited rights and where execution by beheadings and even crucifixion is perfectly normal. They're even known sponsors of both AQ and Da'esh. And yet the US and its western allies have zero problems with them, to the point that they even arranged for Saudi Arabia to head an international Human Rights Commission. That's a total joke. Same attitude towards other esteemed Gulf State allies.

No one has complained about anyone bombing al Nusra.

David Petraeus begs to differ. And where "everybody" is complaining about Russians bombing non-IS groups, I hear very little complaining about Erdogan bombing the cr*p out of Kurdish PKK militias following the Incirlik airbase deal. Because, well, Erdogan is an ally of ours, whereas Russian involvement in the region is obviously a much bigger threat to western interests than a continued Al Qaida presence is.

And yes, I sometimes read RT, RI and lots of other non-USUK media. You should give it a try too. Or do you really believe that our western MSM are any less biased and deceitful than their Chinese or Russian counterparts are? You can't possibly be that naive.

The causes of the Syrian Civil War have nothing to do with the United States or Iraq.

That's where you're completely wrong. You just keep being in denial about it.

Assad's departure is essential to an eventual resolution of the Syrian Civil War.

Certain politicians would like to believe so because it suits their narrative and agenda. Any military analyst will tell you that the Assad regime - at least for now - is crucial in re-stabilizing the area. Toppling Assad will only lead to the black Da'esh flag flying over Damascus, and a repetition of what has happened in Afghanistan, Iraq and Libya. Everybody knows it, but some folk are just way too stubborn to learn from past mistakes. Perhaps they would if suddenly a couple of million of refugees from said countries would be landing on their shores.

The US has been markedly reluctant to become involved at all,

Yeah, right. A Wikileaks cable shows that US plans to destabilize Syria go back to at least 2006.

CuriousOctober 6, 2015 12:54 AM

@ Albert

I don't remember where the following is from, though there's this saying, that USA doesn't have friends, it only has interests. Sounds even worse if replacing 'USA' with 'America'.

FigureitoutOctober 6, 2015 12:55 AM

ianf
I'm glad you've recognized the extent of your incompetence
--I would probably phrase that differently (what have you done to make that judgement call?) and I'll call my bullsh*t quicker than you can, I really only care about the "right" answer. I'm still recovering from some of the worst years of my life which caused me to have a mindset of making sure someone couldn't tell how I work out a problem(if that makes sense), meaning what you would see and not see and thus being able to sneak by you (so malware...it's malware that sneaks by me that kills me the most, infecting computers you'd be flashing chips w/ so you're stuck w/ the malware...). And you didn't touch the meat of my comments which mostly have to do w/ "environment we're forced to work in".

Jesus christ the joojoo story, terrible. No, any business operation initiated by me would be highly conservative w/ guaranteed money.

I'd even settle for something along the lines of a Tor/Tails-on-a-stick
--Do so at your own risk (or just lower your expectations). USB is not a simple protocol and I think security community should be driving market more for a return of some DB9 serial ports on all PC's which reduces code to check and definitely hardware. Check out this comment on (line 103) https://github.com/obdev/v-usb/blob/master/examples/hid-mouse/firmware/main.c#L103 "Functions that are never used but required by specification"--Why required?...USB malware is maturing and it's a juicy target w/ passwords, code, and a path to airgapped PCs. Dirk's scripts and getting certain applications to run bug-free on Tails is main value added that could be even on disk.

Dirk Praet RE: your advice
--That's a core part of security problem that really irks me.

tyrOctober 6, 2015 1:25 AM

There's a good Adam Curtis documentary called the
Baby and the Baath Water on his BBC blog. It goes
over the details of how the USA Syria mess goes
all the way back to 1949 when they tried to get
democratic elections in Syria and wound up with
a mess that got worse every time they tried again.
So 66 years later we have the same interventionist
stupidity being tried again and again. The Rus on
the other hand have a clear goal and a clear set
of enemies. ISIS days of expansion are over and
any so-called moderate who is carrying a weapon
is dead meat. Leo Strauss Neocon nitwits are going
to have to find a new place to play their usual
games or get a new method to use.

I'm quite impressed by the deafening silence about
the Saudi attacks on Yemen. You'd think a blatant
aggression on a small neighbor country would raise
some kind of waves but apparently Saudi is the
untouchable and sacrosanct moslem band.

If I was Assad I'd ask the Chinese for some ground
troops to secure the petroleum producing areas of
Syria, they need the practice and could use some
more oil to feed their industry.

ianfOctober 6, 2015 7:38 AM


@ Dirk Praet […] entrench all parties on the ground in a similar way as in Flanders Fields during WWI.

Quit cutting this down to size by looking for historical irrational patterns of war misbehavior. This is tribal warfare on hitherto unprecedented magnitude & scale, and we have yet to develop any descriptive, let alone predictive models for it. All the world's highly-paid spooks and thinky-tanky eggheads AGAIN did not see it coming; or if they did, failed to communicate it upstreams.

Not even the mass-murdering despot Pol Pot went after the Angkor Wat, yet here we have feverish ISIS whippersnappers blowing up ancient ruins for no discernible gain whatsoever, other than épater la bourgeoisie! Indeed, by so doing they directly enlist middle aged patrons-of-arts ladies into goading their general (ret.) husbands to call C-in-C. So I myself abstain from trying to make sense of it over and above a wry reminder that John Le Carré's words of terror being “the theatre of the real” were again corroborated by the Palmyra blow-up.


Dirk: Once sufficiently weakened, ground troops will be required to root out Da'esh once and for all, the only alternative being negotiations for official recognition of an Islamic Caliphate in parts of Syria and Iraq.

I don't see that happening (Western boots on the ground); rather a perpetual stalemate with one or more, but bigger than before, loosely aligned mini-fiefdoms in the region. With steady oil revenues in their pockets, their military belligerence exchanged for verbal incontinence [vide arc of Yasser Arafat's life]. A state of (also commercial) affairs that all the nearby hegemons Turkey, Israel and Jordan can live with.

Dirk PraetOctober 6, 2015 8:17 AM

In a huge win for European privacy advocates, the European Court of Justice has terminated the 2000 "Safe Harbour" agreement on data transfers from the EU to the US. No appeal is possible against this decision.

The agreement in essence allowed US companies to "self-certify" that digital data of EU citizens transferred from the EU to the US enjoyed adequate privacy protection as required by EU law. This practice was contested by Austrian privacy activist Max Schrems in the light of Edward Snowden's revelations on US mass spying and the complicity of US companies therein.

The decision spells doom for US cloud companies unable to build and operate data centres in the EU, or to provide strong encryption for data both in movement and at rest as to protect against wanton collection by authorities and harvesters. Hopefully, it will also influence the outcome of the current case between Microsoft and the USG over access to data on an MSFT server in Ireland.

Props and gratitude to Edward Snowden, Max Schrems and the brave justices of the EUCJ. It just goes to show that a few brave men can still make a difference.

ianfOctober 6, 2015 8:44 AM


ADMINISTRIVIA

    I seem to have posted a response to @remo's blurb about @Bruce's not-but-hot-cameo in another thread, so please read it there.


@ Dirk… does this NO MORE "Safe Harbour" mean that these behemoths will now have to build their own data centers in Europe? Seems Fuckfacebook has anticipated it some time ago, I saw an article, could have been The Guardian, about their new aircraft-hangar-sized unit in the north of Sweden (the article was mainly about costs of cooling down and how the servers' thermal energy byproduct could be utilized. Also a big new local employer).

Dirk PraetOctober 6, 2015 10:34 AM

@ ianf

All the world's highly-paid spooks and thinky-tanky eggheads AGAIN did not see it coming; or if they did, failed to communicate it upstreams.

I am absolutely convinced that there are a lot of capable Pentagon and think tank analysts out there that actually did see it coming, but whose warnings and reports were suppressed by managers with a vested interest in following the official USG party line.

As to my comparison with Flanders Fields, I was quoting Belgian journalist, war correspondent and author Rudi Vranckx, who over here is a reputed authority on the Middle East. Just back from yet another trip to the front, it's how he describes the current situation on the ground as seen through his own eyes and from talking to Peshmerga fighters and commanders.

I don't see that happening (Western boots on the ground)

Neither do I. It would require a substantial contingent of troops, sustained over a longer period of time, which today is impossible to market either in the US or Europe. Depending on their strategic objectives and outcome of current air raids, the Russians might consider limited deployment of Special Forces to root out Da'esh/Al Nusra in certain key cities and areas as to firmly consolidate Assad's position. Judging from Xinhua's rather favourable coverage of Russian activities in the region, I assume the Chinese would be ok with that too.

As to the endgame, I share your opinion of the permanent presence of an Islamic Caliphate in former parts of Iraq and Syria, and whose leaders - forced by the stalemate - will eventually move on from jihad to politics, at which time they will be officially embraced by other Sunni nations in the region and whomever else wants their oil.

does this NO MORE "Safe Harbour" mean that these behemoths will now have to build their own data centers in Europe?

Big players like MSFT, Google, Facebook and Apple already have them. The burden for them will primarily consist in separate administrative and legal dealings with privacy commissions and data regulators of every EU member state. It's a different story for small to medium sized US companies. A serious headache for both however will be simultaneous compliance with both EU and US law in areas where they conflict (e.g. MSFT v. USG case).

SkepticalOctober 6, 2015 1:07 PM


@Dirk: I personally think Israel is quite happy with sustained massive air raids on Da'esh strongholds in the Homs and Raqqa regions.

The United States, and a host of other countries, have launched several thousand airstrikes against ISIL in the last year.

Russia has launched a small fraction of a small number of strikes against ISIL. What marks Russia's involvement as different is its direct support of Assad's forces against all rebel groups.

Although they won't end the conflict, they may eventually demoralize Da'esh forces, reduce the influx of foreign fighters - primarily used as cannon fodder and suicide bombers - and entrench all parties on the ground in a similar way as in Flanders Fields during WWI.

Russia is going to do this?

And yet the US and its western allies have zero problems with them [Arab allies]

No one has "zero problems" with them, but neither are they massive roadblocks to the settlement of a 4 year old civil war in which over 250,000 people have died. Assad is.

No one has complained about anyone bombing al Nusra.

David Petraeus begs to differ.

I'm quite sure he doesn't. Petraeus argued that the US should consider making an attempt to peel off what he called - following Graeme Lamb - "reconciliables" from al Nusra, i.e. those not wedded to AQ's core ideology who joined al Nusra out of a lack of other options. In Iraq, Lamb concluded that the population had been given a set of options that made joining extremist groups more palatable than anything else, but that many did so out of necessity; one could peel them off if one changed the options available. And so they did.

That's what Petraeus suggested the US consider - not, as Russia Today would no doubt have you believe, allying with al Nusra. He's suggesting the same strategy used to effect against AQI during his command of forces in Iraq.

And where "everybody" is complaining about Russians bombing non-IS groups, I hear very little complaining about Erdogan bombing the cr*p out of Kurdish PKK militias following the Incirlik airbase deal. Because, well, Erdogan is an ally of ours, whereas Russian involvement in the region is obviously a much bigger threat to western interests than a continued Al Qaida presence is.

Erdogan began bombing PKK sites after the truce between them broke down. He certainly did so opportunistically, for domestic political gains, with an eye towards upcoming elections. But it's more Russian fantasy-land to think that the US had somehow held Erdogan back. What the US has done is insist that Turkey limit strikes to the PKK, and not the (closely linked) YPG units in Syria or - obviously - the KRG in Iraq.

And yes, I sometimes read RT, RI and lots of other non-USUK media. You should give it a try too. Or do you really believe that our western MSM are any less biased and deceitful than their Chinese or Russian counterparts are? You can't possibly be that naive.

I really believe that better Western media outlets ARE in fact less biased and deceptive than the propaganda organs of authoritarian governments.

It is incredibly naive to think otherwise - a kind of easy relativism. There are of course media outlets in the West that are no better than Russian or PRC propaganda organs; but fortunately in the West we have free speech, and a free press, and some people still value good reporting and are willing to pay for it.

Me: The causes of the Syrian Civil War have nothing to do with the United States or Iraq.

You: That's where you're completely wrong. You just keep being in denial about it.

I'm not sure why you find it hard to believe that a divided society kept in check by a brutal authoritarian government has at last come loose. The historical record of the Syrian Civil War is very clear Dirk. Those who protested in 2011 had real grievances; the Syrian Government really did respond with total brutality; and in areas already unfriendly to Assad's regime, that response really did provoke a final break.

Certain politicians would like to believe so because it suits their narrative and agenda. Any military analyst will tell you that the Assad regime - at least for now - is crucial in re-stabilizing the area.

No, you're confusing the Syrian military with the Assad regime. The Syrian military is a necessary component of a settlement, if only to ensure that the Alawites are not slaughtered. Assad however is not.

Yeah, right. A Wikileaks cable shows that US plans to destabilize Syria go back to at least 2006.

The cable notes that Assad is in a stronger position, and nonetheless describes several underlying weaknesses deriving from the corruption and brutality of Assad's regime, and the divisions within Syrian society. Note well: the weaknesses and the divisions are already there as fundamental forces - the US is at most a bit player in the drama, as the writer of that cable seems to know.

Dirk PraetOctober 6, 2015 6:45 PM

@ Skeptical

What marks Russia's involvement as different is its direct support of Assad's forces against all rebel groups.

Which from a military vantage makes perfect sense. What's your alternative? Toppling Assad and having Da'esh take over? Do you actually believe the Free Syrian Army or some other US supported rebel faction can restore law and order once Assad is gone? Time and time and again this strategy has proven a complete failure in Afghanistan, Iraq and Libya. I for one think it's about time something else is being tried.

No one has "zero problems" with them, but neither are they massive roadblocks to the settlement of a 4 year old civil war ...

But of course they aren't. They want Assad gone too. But that's not the point. The point is that the US is really selective on what constitutes a brutal and authoritarian regime, and what doesn't. Which is actually quite simple: if they're an ally, a regime can basically get away with any sort of abuse and oppression. If you're on the sh*t list, they want you out.

Petraeus argued that the US should consider making an attempt to peel off what he called - following Graeme Lamb - "reconciliables" from al Nusra, i.e. those not wedded to AQ's core ideology who joined al Nusra out of a lack of other options.

"Reconciliables" from Al Nusra/Al Qaida ? So that's something like a Schrödinger terrorist? You put a terrorist in a box who according to this theory is both a friend and an enemy, final state of which is determined by the reality of the time and the place the box is opened. The notion that a Syrian rebel has little choice which group to join is ludicrous. Have a look at this here Wikipedia page. There's dozens of options to choose from.

The idea behind Petraeus's proposal is much simpler: the Division 30 project failed miserably and US influence on the ground is limited to just a few rebel groups whose leverage is too limited to play any substantial role in the ongoing fights. So the US needs to find a partner who can, which is either Da'esh or Al Nusra. Like you say, a tried strategy, outcome of which has proven a disaster time and time and again.

But it's more Russian fantasy-land to think that the US had somehow held Erdogan back

Try reading some Kurdish media. They're all telling the same story: in order to gain Turkey's support, the US backstabbed the Kurds. Again. Turkey has no interest whatsoever in fighting Da'esh. They only want Assad out and weaken as much as possible any Kurdish group, not just the PKK but just as much the YPG and others.

The Syrian military is a necessary component of a settlement, if only to ensure that the Alawites are not slaughtered.

Unless someone at the State Department has some really cunning plan to divide Assad and his military, it's a fantasy strategy. What we need is some fresh ideas here. I have no idea if what the Russians are up to is going to work or not. But I'm willing to give them the benefit of the doubt, since all else has failed so far.

engineering theaterOctober 6, 2015 7:15 PM

The USSR started the farce with Potemkin Villages.
Soon, boondoggles spread throughout the world.
Internet Malware spawned the anti-virus cyber-security
industry.

Mr. Schneier thought leads the meme of Security Theater.
The area or theater moved to the world of dams and levees.

It is based upon the average American flunks the physics
exams of high school senior year.

www.levees.org

CNN shows the helicopter dropping 1000 and 3000 pound
bags of sand into the breach or hole.

From newspaper accounts, entire houses are swept away
by the force of the water. Do the calculation using force
diagram in the horizontal plane.

The govt continues to semi-waste its efforts in Carolinas
News title is "Guard Dropping 1 Ton Sandbags on Breeched Dam."

Can this be the 'magic' of Engineering Physics Theater?

solution hint: Sandbags are not reinforced concrete with
connections to pilings. The friction of the wet, plastic bag
is low.

quote www.forbes.com "To label the 2005 New Orleans Flood
a natural disaster is a distortion. And it is quite convenient for
those who screwed up."

Clive RobinsonOctober 6, 2015 7:50 PM

@ Bruce,

Some years ago you commented that having centralized data bases was a bad idea as it gave a single point for attackers to get at.

Well it's a lesson the US --and presumably other-- government entities failed to heed. So in an "No 541t Sherlock" article Security Magazine points out the US Gov is the biggest Cyber-Security threat,

http://www.securitymagazine.com/articles/86681-survey-says-government-is-the-biggest-cybersecurity-t

I guess there's no percentage in you saying "I told you so!" ;-)

Clive RobinsonOctober 6, 2015 8:01 PM

There might be a little light at the end of the tunnel in encryption wars II.

It would appear that US politicos are standing up and voicing the fact that they think that the FBI's Comey is not giving due consideration to other aspects of encryption and is thus quite simply plain wrong,

http://www.dailydot.com/politics/fbi-ted-lieu-white-house-encryption-debate/

Hopefully this means with a little more pressure Obama may come down against the FBI position.

tyrOctober 6, 2015 9:34 PM

@Clive

I hope they make those citizen scores public so I
can see what the regulars here have scored.

: ^ )

WaelOctober 6, 2015 11:58 PM

@Clive Robinson,

If anybody has read it now's the chance to say so

I finished reading it just now. The Kindle edition wasn't too pricey either, just $1.99. Reminded me of my teenage years (reading this sort of book.) I found a few minor technical problems in it and one major OPSEC problem ;) I bet you'll find more if you read it. There are some inconsistencies in the book as well in addition to some minor "foreign language" "issues". Good novel story with some unexpected turn of events. I can't help but wonder if the author read this blog and decided to publish the book instead of putting it here as a contender for a movie plot contest. Most of the attack vectors were discussed here. Of course political views weren't exactly hidden either :)

I don't want to say more so I don't burn the story for the rest.

Out of the few books you recommended, this one wins. I still haven't finished Between Silk and Cyanid...

Wael October 7, 2015 12:14 AM

@tyr,

so I can see what the regulars here have scored.

It's almost public, but "redacted". Keep posting and badmouthing TLAs and you may earn a vacation (free room and waterboard) with some of the regulars! You're only 200 points short! (read: Platinum member) Oh, they don't include airfare, but you can use the points you collect from posting here (you know, the +1 people give you when they like your post) for mileage. Three points will get you a first class crate on the cargo plane that'll take you on your one way dream vacation :)

And here is my pitch: +1

WaelOctober 7, 2015 12:39 AM

@Clive Robinson, and other careful flyers :)

It shows what quite sensitive information is contained in the 2D barcode on the boarding pass

Seems the barcode included more information than is printed on the boarding pass. Why didn't they use an encrypted QR Code instead[1] (if they really needed this extra information on the boarding pass to start with?)

I use passbook, now called "wallet" for boarding passes.

[1] You can download bar code readers and QR Code readers / generators for Android and iOS for free, sometimes comes in handy when shopping, but watch out for the permissions they ask for!

Joe KOctober 7, 2015 2:41 AM

Dirk writes:

And yes, I sometimes read RT, RI and lots of other non-USUK media. You should give it a try too. Or do you really believe that our western MSM are any less biased and deceitful than their Chinese or Russian counterparts are? You can't possibly be that naive.

Skeptical replies:

I really believe that better Western media outlets ARE in fact less biased and deceptive than the propaganda organs of authoritarian governments.

Sincerely? Leave it to Skeptical (self-nominated) to call "incredibly naïve" anyone who doubts his/her sincere belief in Western media's exceptionality:

It is incredibly naive to think otherwise - a kind of easy relativism. There are of course media outlets in the West that are no better than Russian or PRC propaganda organs; but fortunately in the West we have free speech,[…]

Whoa there, Dr Pangloss, stop the press! Tarek Mehanna will be so pleased to hear this!

[…]and a free press,[…]

Gotta love that free press.

[…]and some people still value good reporting and are willing to pay for it.

God knows what this is supposed to mean.

One reads here that "[a]dvertising, which is high-margin, has historically contributed around 80% of American newspapers’ revenues, far more than in most other countries."

On the other hand, perhaps Skeptical is talking about their institution's Stratfor subscription.

Clive RobinsonOctober 7, 2015 4:07 AM

@ Wael,

What you swallowed

You missed out on the next factor down the line...

I can't immediately remember where I read it but a few days ago there was an article about "Your Personal Germ Field". It appears that every biological emission we make is tainted with our own --supposedly-- unique bacteria etc, that hang in the air as we pass them on to others. So remember to add "What you f4rted" to the list.

But the device reminds me of an episode of Babylon 5 many years ago. Towards the end of the episode the station security chief tells one of the ambassadors that the reason they knew what he was up to was they put a nano tracking device in his food and could thus know where he was. Just at the end of the episode one of the other station personnel is talking to the chief and says "Did you really put a tracker in his food?" To which the chief says "no" the other person then asks in a puzzled way "Well why do you tell him you did?" To which the chief replied "Just think of all the fun he's going to have trying to find and get rid of something that isn't there.... should keep him busy for a while".

Clive RobinsonOctober 7, 2015 4:44 AM

@ Nick P, Wael,

Another language, another link...

http://8th-dev.com/about8th.html#history

From the name you can probably guess somebody thinks it's twice as good as Forth... but it needs a *nix OS and has a big chunk of library dependencies so is not going to be a lot of use for the low end embedded stuff, where Forth has a big advantage.

Gerard van VoorenOctober 7, 2015 5:18 AM

@ Skeptical,

> I really believe that better Western media outlets ARE in fact less biased and deceptive
> than the propaganda organs of authoritarian governments.

Please watch Fair Game (2010) and then report back.

Sometimes I start to think that you are actually a very critical person towards USG politics and by making your absurd claims you want to point out and discuss what is fundamentally wrong.

@ Dirk Praet,

Thanks for your objective and informative comments. That cable showed some interesting things. Not only about the politics but also about the job and financial status of Syria in 2006. It stated that in 2010 the oil reserves of Syria are running out. That was five years ago.

Btw, last Sunday I visited the WW1 museum in Ypres.

@ Clive Robinson,

The first time I saw a recoilless rifle it looked like a missile launch system. Then I saw the hull and I couldn't figure out what the purpose was of all the perforations. It didn't make sense. Then I started a little research and figured out that it's a really clever system. I still wonder why this hasn't been used at large scale by the light infantry and airborne forces in WW2.

Clive RobinsonOctober 7, 2015 5:26 AM

First steps in keeping electric surveillance drones aloft indefinitely.

The company LaserMotive that won a NASA prize for beaming power over 1Km with a laser has branched out into using it to keep electrically powered surveillance drones in flight for almost indefinite periods.

Whilst currently a "proof of concept" the system kept the 8Kg Lockheed Stalker UAV aloft in LaserMotive's wind tunnel in Seattle for 48hrs which is 24 times its normal maximum duration, and when landed the batteries had more charge in them than when the experiment started.

The Popular Mechanics article talks about the limitations of the drone being tethered to a point on the ground. Don't let that fool you in a town or city it would be very easy to set up several of these charging points on building roofs, and in urban and open country areas there is no reason why the "Mother Ship" or "Milchcow" principle could not be used from a much higher altitude if the receiver is mounted on the top of the wings not underneath. This would also have the advantage of there being considerably less chance of the laser interfering with any surveillance package mounted on the drone which would be underneath and facing downwards.

http://www.popularmechanics.com/flight/drones/a7966/how-it-works-laser-beaming-recharges-uav-in-flight-11091133/

Clive RobinsonOctober 7, 2015 5:59 AM

@ Gerard van Vooren,

The first time I saw a recoilless rifle it looked like a missile launch system.

And unfortunately it suffers from similar problems, primarily the backwards thrust of very hot gases that will turn you into instant "Donner Kebab" if you stand in the wrong place and it provides a very vivid flash which gives its location away.

As a very rough rule of thumb, when you fire a round, about one third of the energy pushes the projectile out of the barrel another third goes into the recoil and the final third heats up the gun. So in the case of the original recoilless rifle two thirds of the energy of the charge goes backwards to do the "crispy critter" cook out.

The armhamer design is a "one shot" device and traps all of the hot gasses between the two pistons thus eliminating not just the highly visible flash but also making it usable from much more confined spaces making it very useful for FIBUA where hard points have to be quickly eradicated. It might well be the main reason the UK MOD has decided to make them a standard part of infantry kit, as open country warfare is no longer the common battle landscape. For open country UK troops have used Shorts shoulder launched missiles which have ranges upwards of 2000 meters, which means that heavy machine gun posts can fairly easily be taken out.

Thus no more of the "salt-n-pepper" head on attacks of dug in positions that proved so suicidal in the Falklands War, and got amongst many others Col H Jones killed.

The other FIBUA must have weapon is a gun that can fire around cover the Israelis have developed a rather nice assault style weapon that can do this, as well as a "long barrel" sniper rifle that does not stand out like the Barrett and similar, thus not drawing disproportionate fire from those you are attacking.

CuriousOctober 7, 2015 7:23 AM

I don't know if the following is entirely new (maybe already revealed in 2014 by the looks of it):

Snowden has been interviewed by BBC. I guess this is a fresh reminder of how insecure mobile phones are. Presumably, the security and/or technology for most mobile phones is simply terrible.

"Edward Snowden interview: 'Smartphones can be taken over'"
http://www.bbc.com/news/uk-34444233

"The former intelligence contractor told the BBC's Panorama that UK intelligence agency GCHQ had the power to hack into phones without their owners' knowledge."

"Mr Snowden talked about GCHQ's "Smurf Suite", a collection of secret intercept capabilities individually named after the little blue imps of Belgian cartoon fame."

I am no expert on this subject matter, so please take the following paragraph with a grain of salt. Even though I never was that into problems with computing and security, the whole thing has grown on me the last few years and as an adult detesting things come easy once I make up my own mind about things. End result is that I'm generally annoyed.

Depending on how much vigor is pursued by GCHQ into controlling your mobile phone, I am tempted to think of such things as being indicative of living in a police state in our modern time. The whole thing of Britain/GCHQ basically assuming a right to monitor any communications because of law enforcement needs (me disregarding real/true/relevant/pertinent/sensible national security issues in his turn), while mobile phones being as fragile as they are, and then the state/police then secretly also work on hacking their way into things, it seems to me that such an insecure environment is equal to living in a modern version of a police state. I am myself intrigued by the notion of there possibly being a conspiracy between businesses and state/law enforcement, because the fragility of mobile comms seems too easy and I can hardly believe that the mobile phone industry is incompetent and that businesses don't care about having a fairly secure product. To me this is all kind of weird, it is as if GCHQ/police is both trying too hard, and yet having it easy, at the same time. I guess it boils down to GCHQ effectively being able to do whatever they want, for whatever reason, which may be expected, but perhaps/probably they shouldn't be allowed. I've been a little annoyed by the previous talk about of states having a right to having secrets, just like that. I think they simply shouldn't have such a right as such, as if having a right to secrecy was a power. I can imagine that implementing technology that offer the best security, would deny a state the means to uphold a secrecy regime based on exploiting technology as such (as opposed to keeping knowledge secret).

I don't doubt one can stay mostly unfazed by knowing that comms and computers things are insecure the way they are, but still I think it is interesting to consider what was said on twitter some time ago, something about self censorship being the best censorship, which again is kind of awkward I would say. Having a fear of dying in face with police or military is imo also unacceptable.

I guess in a way it is a good thing, that the notion of relying on backdoored technology and knowing that this in turn probably makes things less secure has been established, otherwise if I were a politician, I would be tempted to backdoor the crap out of anything, and then think that doing such would offer a kind of plausible politics that promises control over the technology that people use, while also promising a fully regulated and controlled police and/or state security regime, that is both necessary, proportionate, and in accordance with law (as if state/police were to be lacking "super powers" that way).

Btw, I am reading that one can expect to get permabanned from this game I'm playing, if you call yourself ISIS, something that seems a bit extreme.

CuriousOctober 7, 2015 7:30 AM

To add to what I wrote, for sake of clarity:

The "super powers" I mentioned at the end, would be any kind of "violence" in any form: surveillance, monitoring, hacking, social manipulation, harassment, threats, extortion, incarceration, physical violence, torture, murder and war.

Clive RobinsonOctober 7, 2015 8:55 AM

@ Curious,

"Edward Snowden interview: 'Smartphones can be taken over'"

I've mentioned this several times on this blog long before the Ed Snowden revelations, because if you read the phone standards you will find it in them in nearly all national standards and all international standards.

To understand how it came about you have to go back in history to the 1800's, when Nation States put themselves in charge of their Postal services, either directly or by regulation to ensure the service was fairly available to all subject to legislation. It's one of the reasons why Post is recognised as "the lawfully accepted way to make notification" of any action etc, and why you can not ban those who deliver the mails from your property.

Having in effect established a monopoly over communication nation states extended it to all new forms of communication. It is why it seems daft for instance that the National Department of Transportation is also responsible for testing compliance on telephones until you understand the history behind it. The First World War made it clear to most civil servants at senior level that the ability to listen in on communications was a National Security issue and thus the spooks got involved.

In the UK the tapping of telephone lines was (and still is) illegal for most (RIPA made clear who could and could not) but for "Technical and Safety" reasons the technicians and operators of what we now call the POTS had the right to "listen in", "talk into" and "disconnect" all calls. And those old enough may remember having their local calls interrupted by an operator to be informed that a long distance or international caller was trying to be connected, thus it was also for "business" reasons as well.

This right was firmly established before fully automatic dialing and digital phone standards were drawn up in the 1960's for the core networks, thus they were included and even though phone companies might now be private entities governments retained these rights. In the 1980's as the old insecure VHF car phones gave way to analogue cellular mobile systems the rights were again carried forwards. Likewise into GSM CDMA and other "edge of network" standards, what was in the core continued out beyond the demark.

With privatisation came the need for tighter accounting of service usage. The fact that early cellular networks could be cracked was a major concern, because of the way legislation was written (ie the consumer was only liable if the call had been placed from behind their demark).

Thus the design of all mobile systems is that the network operator controls your phone connectivity via the Subscriber Interface Module (SIM) and to ensure it could not be easily spoofed your entire mobile device, even if you own it outright is subservient to the SIM and the network operator can load via the Over The Air (OTA) interface download software and updates into your phone.

With the advent of Smart Phones the consumer "smart side" of the phone was never isolated in a way that would protect the consumer, only the network provider, phone manufacturer and OS vendor. Thus a smart phone is very insecure by design, and "the myth of going dark" is just that a myth. The only way you can get security is by having carefully designed end to end encryption systems that ensure they are correctly isolated from the phone and network such that the only things that can be done are call disruption/disconnection.

Anyone who tells you otherwise has not sufficiently read the standards, or is misleading you for some reason.

From GCHQ and others point of view attacking the smart side of the phone has a number of advantages, firstly it gets around a lot of red tape legislation, secondly it can also get around technical limitations such as high battery usage and easily spotted RF emissions, thirdly it gives deniability, fourthly it also works reliably across international borders... Oh and as consumers want "voice recognition" the bulk of the software the IC agencies need is there gratis all they have to do is make very minor software hook in's (similar to the *nix shell tee command). But likewise it's not just the voice circuits they get access to, it's GPS, accelerometers, keyboard, camera, screen and any other peripheral like storage and the various hidden bits of flash memory including that in the batteries, so once they get easy access your phone is owned until it's crushed. The downside is of course the second market, not just in phone resale after upgrade but repaired and reconditioned units, something the "Factory Reset" will not remove...

ianfOctober 7, 2015 9:23 AM


@ Clive the US Gov is the biggest Cyber-Security threat

So what else is new?

[…] “the 2D barcode on the boarding pass could allow an attacker to change your future travel arrangements.

    I presume sabotaging that part of one's boarding pass with referral to enlarged potential future tampering footprint would get one prevented from boarding, escorted out of the secure area, and then needed to be challenged in court for reckless cyber endangerment by that boarding-pass-issuing body, or something.

ianfOctober 7, 2015 9:44 AM

ADMINISTRIVIA @ Bruce

Is the site undergoing some concurrent HEAVY MAINTENANCE (since Tuesday) that prevents posting by constant server shut downs? ("server stopped responding"). Landing page renders sans CSS now and then, but posting is barely possible.

Do others also have these problems or is it just me, at my backbone?

(I managed to post the above after umpteen tries).

ianfOctober 7, 2015 9:50 AM


@ albert wrote: […] This is Official US Foreign Policy I give you Brzezinski's book only because it succinctly states the objectives. All US administrations follow it, regardless of political stripe. […] The US has a Master Plan, and it's not peace and happiness for every man.

Quite, but Zbig was merely adding to the pyre (pile?) started by his predecessors, chief among them Henry Kissinger.

How strange that a 1930s German Jewish refugee and a Polish-Canadian émigré came to formulate mid-XXc U.S. foreign policy, that by and large mirrors cross-pollinated the Neo-Conservative ideas of the American Century. Even though neither managed to stay in saddle for more than 4 years, and both their bosses were booted out of office. The USA's aim to enhance its global hegemony is not a surprise, rather the—who, ME?—sanctimony & righteous indignation over constantly being misunderestimated as were they not a Nation of Imperial Stormtroopers (prior to reign of Nixon, Eisenhower kept Dulles more or less in check, while JFK and LBJ picked nonentities for the State Dept., unable to confront the likes of McNamara).

With that in mind, it is indeed quite a way that the American foreign policy has come within the span of half a century

  • from stagnant WWI-weary, convinced that its two oceans are sufficient as perimeters of defense
  • to depression-era isolationist
  • to officially reluctant caretaker of the British Empire
  • to Benevolent Occupier of Defeated Enemies
  • to welfare incubator (Marshall Plan) and global policeman
  • to underwriter of dictators and despots
  • to secret invader of one, and defeated in a war with a neighboring 3rd world country
  • to Star Wars-bullish
  • to winner in the Capitalist Sweepstakes
  • to extraordinary rendition torturers
  • to perpetually ready to wage 2-front war nation.
  • ObMemeContent: Zbigniew Brzezinski and Henry Kissinger walk into a bar.
    Bartender: what are you guys, a joke?

    ianfOctober 7, 2015 9:59 AM

    ADMINISTRIVIA @ Bruce

    Still incredibly sluggish to post, 3-4 tries needed per post (preview is fast, only submitting kaput)


    @ Dirk Praet

    NO MORE "Safe Harbour"
    … difficult for small to medium sized US companies
    My heart is weeeeping, weeeeping. But also an opportunity for local companies to build up common European-minded net services to compete with the hegemoths. In fact I'm surprised that the EU isn't pushing for the development of old-continental alternatives to offset the commercial clout of the Yanks.

    (Still, I suppose in terms of penetrability by IC, that "Safe Harbour" repeal doesn't change all that much.)

    Markus OttelaOctober 7, 2015 10:56 AM

    I wonder, is it possible to construct a simple memory that's used through serial port. How complex does the device get if we want to be able to use it for AES256 key transport? Is there any way to build it without ICs?

    SkepticalOctober 7, 2015 1:16 PM


    @Dirk: Which from a military vantage makes perfect sense. What's your alternative? Toppling Assad and having Da'esh take over? Do you actually believe the Free Syrian Army or some other US supported rebel faction can restore law and order once Assad is gone? Time and time and again this strategy has proven a complete failure in Afghanistan, Iraq and Libya. I for one think it's about time something else is being tried.

    It's a little funny that you're pointing to Afghanistan, Iraq, and Libya: three places that should tell you that defeating organized forces in combat does not mean the achievement of effective political control.

    Syria is a divided society with a hot civil war, and yet you think that Russian airpower + Syrian Government ground forces = restoration of order. And then, remarkably, you point to the three most recent counterexamples to such a strategy.

    Russia is merely entrenching Assad for the sake of protecting its bases.

    But of course they aren't. They want Assad gone too. But that's not the point. The point is that the US is really selective on what constitutes a brutal and authoritarian regime, and what doesn't. Which is actually quite simple: if they're an ally, a regime can basically get away with any sort of abuse and oppression. If you're on the sh*t list, they want you out.

    The US doesn't have the goal of overthrowing every brutal and authoritarian regime on the planet. Its sole action against Assad consists of a barely funded CIA program to arm and train some rebel forces. That's it. All of its airstrikes have been against ISIL targets (and AQ-related targets), not against the regime.

    The US is certainly selective about whether to engage in attempts to overthrow regimes or to participate in military conflicts, particularly after the long occupation of Iraq. It intervened reluctantly in Libya, after a civil war had erupted, and then at the behest of its European allies. It hasn't intervened against Assad at all.

    At the same time, while pragmatic, the US pushes allies as far as it can to adopt better human rights practices, as the Wikileaks cables bear out with respect to Egypt, to Saudi Arabia, and to other countries.

    The choice in Syria is not between Assad and civil war. So long as you have Assad, then absent the introduction of hundreds of thousands of ground troops, you will continue to have civil war.

    "Reconciliables" from Al Nusra/Al Qaida ? So that's something like a Schrödinger terrorist? You put a terrorist in a box who according to this theory is both a friend and an enemy, final state of which is determined by the reality of the time and the place the box is opened. The notion that a Syrian rebel has little choice which group to join is ludicrous. Have a look at this here Wikipedia page. There's dozens of options to choose from.

    An ordinary Syrian in Raqqa, for example, may have little choice. A group of Syrian fighters surrounded by al Nusra may find itself more inclined to join than to be slaughtered. You write as though any Syrian can simply order off a menu of rebel choices; it doesn't work like that.

    If you want to understand what Petraeus is actually talking about, then I'd read the interview he has given on the subject, or take some time and look up Graeme Lamb.

    You are completely and utterly wrong on this topic.

    The idea behind Petraeus's proposal is much simpler: the Division 30 project failed miserably and US influence on the ground is limited to just a few rebel groups whose leverage is too limited to play any substantial role in the ongoing fights. So the US needs to find a partner who can, which is either Da'esh or Al Nusra.

    That's a ludicrous misunderstanding of Petraeus's argument.

    Dirk, read his actual words or research what he's actually talking about when he refers to reconcilables and irreconcilables.

    It's really remarkable to me that you've swallowed the line that the US is considering allying with ISIL or al Nusra because its secret goal is really just to overthrow Assad - never mind the twists the US went through to AVOID intervening against Assad.

    Try reading some Kurdish media. They're all telling the same story: in order to gain Turkey's support, the US backstabbed the Kurds. Again. Turkey has no interest whatsoever in fighting Da'esh. They only want Assad out and weaken as much as possible any Kurdish group, not just the PKK but just as much the YPG and others.

    Erdogan isn't bombing the YPG or KRG though. The Kurds are rightfully suspicious of Erdogan (though you must remember that Erdogan also helped usher in a truce), and are rightfully suspicious of the world in general given their plight. But the US has provided them, and helped them provide for themselves, a safe haven since the early 1990s.

    Turkey is certainly much more interested in toppling Assad than is the US or Europe, and it has used its position to attempt to leverage the US and Europe in its preferred direction. But while Incirlik is helpful, it's not necessary to US efforts, and the US can operate in Syria and Iraq with or without it.

    Unless someone at the State Department has some really cunning plan to divide Assad and his military, it's a fantasy strategy.

    It's called a coup, and the US has no plan at all to implement one. But you claimed Assad is necessary to a settlement of the civil war. He's not. He's one of the key impediments to it. And everyone, including those within the Syrian Government who have the most to lose, know it. As to how vulnerable that makes him - time will tell. Certainly Russia has not helped here.

    What we need is some fresh ideas here. I have no idea if what the Russians are up to is going to work or not.

    Russia will achieve the goal of temporarily sustaining Assad's position. And the war will go on. Hopefully, Russia will manage to avoid starting any new wars in the process.

    @JoeK:

    Yes, I think that better Western outlets, such as The New York Times, are far more reliable sources than Russian and Chinese state propaganda machines.

    That you think otherwise isn't a sign of sophistication, but rather of a freshman level of naivete about the world.

    Dirk PraetOctober 7, 2015 6:31 PM

    @ Skeptical

    Afghanistan, Iraq, and Libya: three places that should tell you that defeating organized forces in combat does not mean the achievement of effective political control.

    You're missing the point. All three are examples of governments being overthrown by foreign powers that subsequently fail at nation building because the power vacuum they have created leads to a full-blown civil war. What the Russians are now doing in Syria is the exact opposite: supporting the regime in an attempt to regain control, and by attacking all rebel groups, most of which are being sponsored by foreign entities. I believe that's an interesting experiment well worth a shot after four years of a civil war going exactly nowhere.

    The US doesn't have the goal of overthrowing every brutal and authoritarian regime on the planet.

    That's exactly what I said. As long as such regimes play nice with you, nobody really gives a damn. Do I have to refer to South America in days gone by?

    Its sole action against Assad consists of a barely funded CIA program to arm and train some rebel forces

    As usual, it was an abysmal failure. But in my world, half a billion USD is not a small amount of money. If the USG thinks that's peanuts, I'd love to receive that sum into my account, in compensation of which I shall further refrain from writing negative comments on this blog and fly a US flag on my lawn. I will also learn the national anthem.

    At the same time, while pragmatic, the US pushes allies as far as it can to adopt better human rights practices

    In the case of Saudi Arabia, with little success, I'd say. On the scale of authoritarianism, they score much higher than Assad's Syria. But they also have way more oil.

    A group of Syrian fighters surrounded by al Nusra may find itself more inclined to join than to be slaughtered.

    Millions of Syrians have been displaced and have fled the country. But young and able-bodied men willing to take up arms would be unable to make it to a region within Syria to join a rebel movement that corresponds with their personal ideas?

    It's really remarkable to me that you've swallowed the line that the US is considering allying with ISIL or al Nusra because its secret goal is really just to overthrow Assad

    But it is. And I didn't say they'd team up with Da'esh. And I've read the entire interview with Petraeus. The man - with respect - is just completely delusional and stuck in a mindset of questionable strategies that have never worked and never will.

    But the US has provided them, and helped them provide for themselves, a safe haven since the early 1990s.

    You really should read up on Kurdish history a bit. Over the years, the US has betrayed them more than once.

    Kurdistan was denied its right to a nation by France and Britain and repartitioned over four different countries (Turkey, Syria, Iran and Iraq) following the Sykes-Picot treaty after WWI.

    In 1975, Henry Kissinger brought Iraq and Iran to the negotiating table and agreed to stop providing aid and pursuing the goal of Kurdish autonomy. In 1991, Bush Sr. called upon the people of Iraq to rise up against Saddam Hussein. The Kurds did, just to have Bush turn his back on them and allow them to be slaughtered by the Iraqi military. You may remember scenes of Kurdish villages on TV that had been gassed.

    In the wake of an international outcry over these events, the US, France and Britain established a safe haven in some parts of Kurdistan. In return, the Peshmerga helped US troops on the ground in Iraq in 2003, after Bush Jr. had gotten the finger from Turkey. Erdogan now bombing the PKK following the deal over Incirlik doesn't go well anywhere in Kurdistan, where it is generally perceived as yet another betrayal by the US.

    It's called a coup, and the US has no plan at all to implement one.

    I'm certain that you would if you could. I guess it's just harder to find rats in the Syrian government than it was in Ukraine.

    Hopefully, Russia will manage to avoid starting any new wars in the process.

    Something the US and its allies certainly haven't excelled at. But I hope so too.

    Nick POctober 7, 2015 10:36 PM

    @ Clive Robinson

    re 8th

    From the page, I'd think somebody read the wikipedia page on 4GL's, had a Forth on hand, and then thought a combo would be best. The examples are damn near as incomprehensible as Forth in general to a programmer who doesn't do that sort of thing. They might as well do a Racket to P-code compiler, add a JIT, and do that to other ISA's. The language would be more powerful, the "assembler" easier to use, and do more than they claimed despite using *old* technology.

    Or start with REBOL/RED or Nim. Anyway, it was a monstrosity to look at that I don't see revolutionizing mobile and desktop apps anytime soon lol.

    "From the name you can probably guess somebody thinks it's twice as good as Forth... "

    They actually just got it by division of a fraction (1/4):

    "Since we were working on a second generation of Reva, we decided to divide 1/4 by 2, giving 1/8, or in other words: 8th."

    Does that mean version 2 is half as good as version 1? Let's not ask embarrassing questions like that. ;)

    RonOctober 7, 2015 11:42 PM

    I would like to correct a factual error regarding "8th" (http://8th.dev.com)

    It does *not* require a *nix. It runs on Windows, OS X, Linux, Android, iOS and Raspberry Pi.

    It does not require any other libraries in order to run. Even on Linux.

    Nick POctober 8, 2015 12:05 AM

    @ Clive, Wael, Figureitout

    Remember my idea of combining LISP, macros, and a portable, low-level code to make OS's easier to build with DSL's? And mentioning Racket and REBOL/RED doing that? Well, looking into a thread on HN, I accidentally discovered something similar which supports the concepts that got started before I was thinking on it... by none other than Alan Kay. It was apparently a big deal in academia that even I haven't heard of for some reason.

    The system aimed to create a desktop from scratch that allowed the user to understand every portion of it, extend, integrate, present, etc. in around 20,000 lines of code. Idea was to combine exploratory programming, LISP machine flexibility, Oberon-style simplicity, ease-of-learning, and usefulness along lines of desktops they made before. Reading the presentation and then their report gave me a bit of the jaw-dropping focus I got watching the old Engelbart videos. I'm out of time for tonight so I haven't dug up the rest of the papers or seen what happened to the project. Plenty to learn and maybe imitate, though.

    Presentation of Project Goals and Many Details

    5th year progress report with fascinating details (first Google result)

    WaelOctober 8, 2015 2:00 AM

    @Clive Robinson, @Nick P,

    From the name you can probably guess somebody thinks it's twice as good as Forth..

    Or twice as slow, twice as insecure given the library dependencies. I glanced over the objectives and I must have missed the new objective. Good thing there are developments, though!

    WaelOctober 8, 2015 2:04 AM

    @Nick P,

    Remember my idea of combining LISP, macros

    First link is broken. I could find it if I want, but I am too tired. Your posts require a full time job to go through. I still haven't finished the earlier links you shared...

    WaelOctober 8, 2015 2:13 AM

    @Ron, @Clive Robinson,

    It does not require any other libraries in order to run

    I stand corrected... But what objectives are you trying to achieve that weren't addressed by Java, for example?

    RonOctober 8, 2015 6:46 AM

    @Wael -
    The primary impetus for writing 8th was to have a secure platform on which to write a particular data-security application I was interested in writing (and still am, but events took over).

    Java in specific runs inside a VM (insulating from the machine, often running more slowly than native); makes it difficult (and slow) to access non-Java libraries; and it is very verbose. I understand that there are other opinions, but those are mine.

    Further, Java is not available on iOS - applications need to be written in something else (at least, that was historically the case). And finally, Java has had a history of security issues.

    Because I wanted something which ran equally well on mobile, desktop and server systems, I ended up writing my own tool.

    Scratching my own itch, and hopefully helping others at the same time.

    CuriousOctober 8, 2015 6:49 AM

    "The Shappening: freestart collisions for SHA-1"
    https://sites.google.com/site/itstheshappening/

    Someone on twitter also had a link to the following pdf document:
    https://docs.google.com/viewer?url=https%3A%2F%2Fsites.google.com%2Fsite%2Fitstheshappening%2Fshappening_article.pdf%3Fattredirects%3D0

    "We recommend that SHA-1 based signatures should be marked as unsafe much sooner than prescribed by current international policy. Even though freestart collisions do not directly lead to actual collisions for SHA-1, in our case, the experimental data we obtained in the process enable significantly more accurate projections on the real-world cost of actual collisions for SHA-1, compared to previous projections. "

    "In conclusion, our estimates imply SHA-1 collisions to be now (Fall 2015) within the resources of criminal syndicates, two years earlier than previously expected and one year before SHA-1 will be marked as unsafe in modern Internet browsers."

    Nick POctober 8, 2015 9:56 AM

    @ Clive, Wael, Figureitout

    Cancel on those links: have no idea how the submission was so mangled. Here are the two correct links (I think).

    Presentation on Kay's project to redefine computing and desktops

    Progress report with many details from the STEPS team

    @ Wael

    I hear you and agree: my own decline in time was why the output dropped haha. However, this isn't just any paper. It's what famous Alan Kay's been up to. Been a long time since I read or posted his work. And it's quite different.

    @ Ron

    That's at least a sensible reason to do it. Only gripe is that it's Forth-based. That's likely to kill any wide adoption because they rarely get past the syntax. A modification of Red or Nim is the safer bet. They're powerful, easier to read (in theory), and getting quite a bit of community development. Especially Nim. It's on my own backlog.

    ianfOctober 8, 2015 12:07 PM


    @ Nick P. “what famous Alan Kay's been up to. Been a long time since I read or posted his work. And it's quite different.”

    It is, but WTF does it all mean? It's PHILOSOPHICK fluff, v. important to make readers confront our inner fears that we're past that level of abstract thinking. First the Vivarium Project (v. interesting learning experiment), now the SelfExploratorium… something. There he first seems to advocate simplification of code, then proposes

      finding, viewing, and wysiwyg-authoring [of] arbitrary hyperlinked, searchable, and allowing “services” multimedia “pages” [AK “quotes”]
    … because that will end up so much simpler. Or something. (PS. didn't know that MobileSafari on iPhone was able to render .ppt in situ, but it did—except for the Scripting Example slide.)

      [Disclosure: 10-odd years ago was chewed out online by Alan for posting some anecdotal tidbit on the “DynaBook,” rather than one based directly on googleable evidence. Because it mattered—a concept being practically a done deal.]

    SkepticalOctober 8, 2015 12:20 PM


    @Dirk: All three are examples of governments being overthrown by foreign powers that subsequently fail at nation building because the power vacuum they have created leads to a full-blown civil war. What the Russians are now doing in Syria is the exact opposite: supporting the regime in an attempt to regain control, and by attacking all rebel groups, most of which are being sponsored by foreign entities. I believe that's an interesting experiment well worth a shot after four years of a civil war going exactly nowhere.

    First of all, Assad is sponsored by foreign entities as well, and has been for some time.

    Second, more importantly, you're placing Syria at the wrong point in the timeline. Syria is not Iraq pre-2003, or Afghanistan pre December 2001 (although frankly Afghanistan pre-2001 isn't exactly a model of a unified state).

    Syria is more like Iraq in 2006, except worse.

    At this point, Assad is simply another sect fighting for power. The Syrian Government has long since lost control over most of the country.

    Russia's increase in military support is significant in some ways - no question.

    But it's not enough to actually restore political order. To do that you need a LOT of ground troops, you need them to actually win the loyalty of the populace (the populace may never LIKE you, of course, but the populace may learn to prefer you to the alternatives - Shi'ite death squads or Sunni extremists or viciously corrupt government officials, or some mixture thereof), and you need to use the force you have to attempt to institute a government that can be viewed as legitimate by the populace.

    It requires enormous effort to do that. Russia's deployment will help Assad win some battles, but it will not enable Assad to win the war. And if you study those three cases, or any other counterinsurgency or civil war, you'll see why.

    That's exactly what I said. As long as such regimes play nice with you, nobody really gives a damn. Do I have to refer to South America in days gone by?

    It's not really a matter of "playing nice" with the US, but a question of US interest. If the US is going to put its people in danger, then - as with any other nation - it prefers to do so only when its interests are at stake.

    It would be a grave mistake to fully separate American interests from American values. The US Government, as a matter of policy, as a matter of culture, really does believe that stable democratic governments are preferable to authoritarian governments, because the former are less likely to wage war against other democratic governments. It insisted upon democratic elections for nations liberated from Nazi Germany for those reasons.

    Nonetheless, the US Government is also fully aware that democracy is not viable everywhere in the world, and that it is better - from a humanitarian vantage, from a self-interest vantage - to work with what is possible and practical.

    So ultimately American foreign policy is simply pragmatic (allowing for the odd results sometimes produced by the mistakes, cognitive biases, etc., of the bureaucracies and domestic politics that actually produce American foreign policy). It will work with, even support, authoritarian governments where necessary. But given a choice, it will choose democratic governments first.

    As usual, it was an abysmal failure. But in my world, half a billion USD is not a small amount of money. If the USG thinks that's peanuts, I'd love to receive that sum into my account, in compensation of which I shall further refrain from writing negative comments on this blog and fly a US flag on my lawn. I will also learn the national anthem.

    You're confusing the Department of Defense program - a 500 million dollar program to arm and train Syrian fighters to undertake action against ISIL - with the reported-on but nonetheless covert CIA program to arm rebel opposition to Assad.

    The DoD program is reportedly a failure in part because, with a significant exception, it's hard to find rebels who want to ignore Assad and fight ISIL. But that significant exception will, I hope, be the recipient of vastly more US support soon.

    The CIA program is actually probably at a higher price tag, and is a bit more difficult to assess. Over the summer rebel groups did make sharp gains against Assad. However, the CIA program is not remotely close to the level of support that Russia is providing to Assad.

    In the case of Saudi Arabia, with little success, I'd say. On the scale of authoritarianism, they score much higher than Assad's Syria.

    How much success do you think is possible to achieve with Saudi Arabia?

    Millions of Syrians have been displaced and have fled the country. But young and able-bodied men willing to take up arms would be unable to make it to a region within Syria to join a rebel movement that corresponds with their personal ideas?

    Think this one through.

    First, do you think it's just a matter of finding the rebel group that corresponds most closely to your personal values? What if that group is one that is likely to be slaughtered - or that is ineffective against an enemy you fear and hate even more, such as Assad's government?

    Second, do you think a military age male can simply wander through war zones until he finds his preferred group? Or that many rebel groups offer a choice to those they encounter? Do you imagine that ISIL sends friendly representatives to the towns and villages it controls, who respect the choice of the individuals who are there?

    Third, do you think those who stay in Syria lack family and community ties and interests? Do you think those ties and interests are not at stake when an individual makes such a decision?

    I'd also suggest that such pragmatic considerations apply not simply to Syrian individuals, but also to other Syrian rebel groups. Some have aligned themselves with hardline Islamist groups more out of practicality than a genuine shared commitment to the vision of those groups.

    But it is. And I didn't say they'd team up with Da'esh. And I've read the entire interview with Petraeus. The man - with respect - is just completely delusional and stuck in a mindset of questionable strategies that have never worked and never will.

    I don't always agree with Petraeus's viewpoint, but he probably has more knowledge about counterinsurgency than you or I will ever acquire. And I'd have to call the strategies he adopted in Iraq successful.

    Getting back to the point of our conversation, he simply did not advocate "teaming up" with al Nusra.

    You really should read up on Kurdish history a bit. Over the years, the US has betrayed them more than once.

    Historically, unfortunately many have - hence the understandable mistrust of the Kurds for the world generally.

    But since the early 1990s, the US has been an extremely strong ally of the Kurds. Not only will that not change, but I expect the US to increase its support.

    I'm certain that you would if you could. I guess it's just harder to find rats in the Syrian government than it was in Ukraine.

    Such interesting language. Why would those who depose Assad necessarily be rats? And are you seriously suggesting that the US sponsored a coup in Ukraine??

    name.withheld.for.obvious.reasonsOctober 8, 2015 1:01 PM

    @ Skeptical

    Oh no, not again! Skeptical it is nice to see you back to your usual old-self.

    So ultimately American foreign policy is simply pragmatic (allowing for the odd results sometimes produced by the mistakes, cognitive biases, etc., of the bureaucracies and domestic politics that actually produce American foreign policy). It will work with, even support, authoritarian governments where necessary. But given a choice, it will choose democratic governments first.

    Okay, I'll bite...

    Your statement cannot stand, even with a limited level of scrutiny.

    What you refer to as "democratic governments" is not supported by the evidence. The U.S. tendency is to support autocrats that operate as quasi-democratic state(s). Egypt immediately comes to mind, where the "President" was seated for over thirty years and supported by the U.S., including payments and weapon systems totaling nearly one billion dollars a year. This was/is the price of underwriting the Egyptian democratic government.

    Sure, many states we support hold elections, but these events resemble kabuki theatre, not a democratic government. Democratic governments have a tendency to reflect the will of their people. The U.S. recently has gotten so far off the track of the democratic railroad and is hardly recognizable. Sure, the U.S. has a troubled past but it has over time managed to expand representative democracy, one time at the cost of civil war. Today, I'd argue that the process of democratic governance is simply an act, an exercise, and a "show horse" but not a more progressive democratic form with more effective representation.

    I commend you to re-read Thomas Paine's Common Sense and replace the King with "Captured U.S. government". Yes, the instruments of a democratic government exist, but the helm has been taken over by rogue corporate pirates.

    Nick POctober 8, 2015 1:35 PM

    @ ianf

    It certainly has philosophical and wtf aspects to it. I was tempted to write it off except the details in it have form. Leave off most philosophy to focus on core goals. These include a system which the user can understand, whose components are simple, whose language is ultra-productive in features delivered vs lines of code needed, that explains to user each thing it does, that allows exploratory programming, that's easily extended, and that supports a cleaner content model than the web's mashup of crap. These have all been, in isolation, demonstrated in other systems such as LISP machines, Oberon, Smalltalk, Amoeba/Globe, and so on. They're trying to put it all together with a maximum of code that one person could understand.

    Better than the Powerpoint is the PDF I included as it gives specific details, source code, diagrams, etc. Their use of DSL's, base languages making them efficient + simple, and ability to cleanly integrate them is one of best parts. There's a formal method project right now trying to do that in their field. Well, one that's been underway and one about to get underway. Red language and Racket are also using integrated DSL model. Kay's team already did it with interesting results from hardware up. So, might be something to learn there even if you ignore the Hypercard, hyper-link stuff and philosophy.

    I suggest you read the PDF if you want specifics more than philosophy. How they handled graphics, particularly, was pretty interesting. They even dredged up BCPL, C's predecessor, for compiler bootstrapping w/ minimal code. Never thought I'd see that again. Just an interesting, thought-provoking paper with tie-in's to mainstream and academic work. Might tell us something. Might be nothing, too. That's just how fundamental, scientific/technological exploration works. :)

    ianfOctober 8, 2015 2:05 PM


    @ Nick P suggests I read the PDF if I want specifics more than philosophy.

    Can't do this, bubba, it's 43 pages of eternal prose, a major academic undertaking where not even the philosophical abstract is clear enough. Life's too short for that.

    ianfOctober 8, 2015 4:15 PM


    @ Figureitout

    I hope you figured it out by now that my use of the term incompetence wasn't a judgement on your professional, or personal abilities[*], but a wry compliment for being competent enough by not proceeding with your EMSEC laptop idea. Presumably due to you realizing the limits of your capability/ knowledge/ and, yes, engineering, financing, production logistical, marketing, and what have you competence in that particular regard. Where one ends, the other begins.

    I know what I'm talking about; been there, done that, and will never forget the advice given to me offhandedly by the head of R&D of a peripheral OEM equipment manufacturer to whom I just pitched my mockup of a "laptop" (before the term was invented) who was giving me a ride back to town because I missed the last train. He said basically this (reconstructed from memory):

      We could buy it from you today, but then what? If you persist and develop it into a usable product, and manage to sell the first batch even though it's not perfect, nobody will hold the quirks against you, an inventor. If, as you say, there's this big demand for it, and on the strength of your success, and ensuing free newspaper buzz, you secure financing from regional and/or state tech.dev. boards or other sources, continue to refine it, AND deliver on today's promises for a year or two, THEN we simply could buy you up, perfect it, make it cheaper, dab our colors in it, and sell as part of our brand.
      You could either stay with us, and write a better manual for it, or we could perhaps use you for some related project; or you could sell out
      [what I hoped for that day], make a small bundle and keep inventing other things.
              But if we buy it for development, we have to invest a lot to make it perfect from day 1. We'd have to have ready sales- and logistical infrastructure in place, etc. Better then you go it alone.
    Needless to say, I folded the project within a week, and felt GRATITUDE that someone made me realize the enthusiasm that so occluded my judgement (a similar product of another make appeared 4 years later, and never made much of a splash).

    any business operation initiated by me would be highly conservative w/ guaranteed money.

    Famous last words before bankruptcy.

    Friends again?

    [^*] abilities of which I know nada, and even if I did, what purpose would it serve to call them names

    Dirk PraetOctober 8, 2015 5:41 PM

    @ Skeptical

    Russia's deployment will help Assad win some battles, but it will not enable Assad to win the war

    I actually kind of agree with your analysis. The main point we disagree on is the role of Assad in any undertaking to restabilize Syria. Yours is that he needs to go, whereas mine is that, for now, he is essential. In the past, toppling regimes has turned out to be disastrous. What I say is that - for now - we give Putin a chance to prove himself, because - as I said before - all else so far has failed. Especially, and by your own admission, because the US and its allies are in no position whatsoever to effect any substantial change on the ground, either with or without Assad.

    Nonetheless, the US Government is also fully aware that democracy is not viable everywhere in the world, and that it is better - from a humanitarian vantage, from a self-interest vantage - to work with what is possible and practical.

    I get that. And that's exactly what Putin is doing too. He needs a stable Syria with whoever is in charge there on his side. The analogy with Saudi Arabia and US interests in that country in my opinion is quite clear. Make no mistake about it: if ever there is a violent uprising in Saudi Arabia, the house of Saud will react to it in the same ferocious way Assad did in Syria. Just look at what they are doing in Yemen.

    Some have aligned themselves with hardline Islamist groups more out of practicality than a genuine shared commitment to the vision of those groups.

    I disagree. Anyone joining groups like Da'esh and Al Nusra knows what their core ideology is, and will in no time be forced to commit the most heinous of atrocities to show their allegiance. Or get killed. There is no such thing as AQ or Da'esh "reconciliables". Any dealings with such people are a recipe for disaster, and I firmly believe Petraeus is totally wrong on this.

    But since the early 1990s, the US has been an extremely strong ally of the Kurds. Not only will that not change, but I expect the US to increase its support.

    Something I would like to believe too, but given the history of betrayal I described in my previous post, hardly something either myself or the Kurdish people can rely on.

    And are you seriously suggesting that the US sponsored a coup in Ukraine??

    Yes I do. We've discussed that before. Don't you remember?

    FigureitoutOctober 9, 2015 1:01 AM

    Nick P
    Remember my idea
    --Maybe, and I want to see how they interface to hardware. I won't bring up all my concerns which rehash the same old sh*t (they all boil down to precisely how it works w/ absolutely no handwaving) like say the "frank" comment in reference to a "frankenstein"-like design or that the virtual memory all have multiple connections to each other like neurons (which aren't secure, old memories can be manipulated due to storage that seems to get used by same area (based on brain thinking about itself)...)..but the 160 line TCP/IP implementation, that's "enough to run a website", sounds confident; does that make it secure in today's world?

    I don't know why you keep linking me to Lisp code, don't need to tell me about it and I won't have anything interesting to say...I'd bet you I won't do anything in that area so it's not worth me looking into it.

    ianf
    --No I didn't figure that out, no one likes being called incompetent. Sounds like you were pissed at me when all I'm trying to do is rile up security community and get market where it should be (it's bullsh*t people don't want default security, of course we do, it should be purely a matter of not being able to deliver due to not being able to automate strong OPSEC) while trying to add on to really good designs that I couldn't possibly hope to recreate from scratch (I don't really believe "from scratch" designs much more either, since that would be basically not usable today).

    My main questions w/ EMSEC reside around power in, and then how the mesh-wiring that is necessary for air to not collapse in on itself and having electricity flowing out, how to "for-sure" protect that. Then the screen needs to emit data to one's eyes so it's impossible unless you shield the room you're in.

    And that's one of the reasons that I can relax w/ stealing IP somewhat, just turning that into money isn't automatic, you need a lot of business operations that it doesn't matter if it's public or not.

    My selling a product myself is very different from a "real" product, it'd be all mostly hand-built (excluding parts I can't solder, which is a lot these days) for customer. That's the only way I can vouch for some of its security in manufacturing (at least the parts when I get access). So selling something popular has already failed security test due to target it presents and too many eyes/brains to secure against.

    I'm already essentially bankrupt or poor enough to live on the streets, I get public healthcare and am about to go on foodstamps; so not a new feeling.

    Friends again?
    --I guess, after a background check b/c agents used being friends w/ people as a way into your "perimeter".

    CuriousOctober 9, 2015 4:52 AM

    Would it be possible to design a hash function to not be subject to having collisions in theory, or can it perhaps be said that collisions are an inevitability of some, or all hash functions?

    I am thinking that if decisions to rely on hash functions being secure up to a certain point with regard to computation time, I am tempted to think of collisions as being a feature of sorts.

    My understanding of hash functions is very limited, so it would not surprise me if it were to turn out that my question isn't as meaningful as I imagine it to be.

    Clive RobinsonOctober 9, 2015 6:58 AM

    @ curious,

    Would it be possible to design a hash function to not be subject to having collisions in theory, or can it perhaps be said that collisions are an inevitability of some, or all hash functions?

    Not in theory or practice and with a little sideways thinking it's easy to see why.

    The result of all hashes is a fixed bit width field which is indistinguishable from an unsigned integer. Thus think of a hash with only eight bits width, the set of numbers is thus 0...255 that is no matter how many or how big the messages there will only be a maximum of 256 hashes, which means with even the best luck in the world your 257th message hashed will have the same result as one of the preceding 256 messages. In practice you would expect matches to happen around the sixteenth message...

    Which is why a 512bit hash will with random inputs start getting collisions around the 2^256 message...

    It's why some people think that maybe 512bit hashes are too small...

    However the problem with hashes is they are not that easy to design --as Bruce would be happy to tell you--, you kind of have to choose between security and speed; the problem is security gets exponentially more difficult to achieve in relative terms. That is, based on our current understanding, at some bit width there will with a high degree of certainty be an attack method more efficient than sequential or random trials. It may not be a practical attack at the time of discovery, but like stress fractures in a loaded beam you know that any crack is just going to get closer to a break with time... Or as Bruce has put it, attacks never get worse.
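The pigeonhole and birthday arguments from the reply above, as an added Python example that is not part of any commenter's post. SHA-256 truncated to a few bits stands in for a small hash (an assumption made here so collisions are cheap to find), and all function names are illustrative.

```python
import hashlib
import math
import random


def truncated_hash(message: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-256: a stand-in for a hash with a `bits`-wide output."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return digest >> (256 - bits)


def messages_until_collision(bits: int, rng: random.Random):
    """Hash distinct messages until two share a hash value.

    Returns (messages_hashed, first_message, colliding_message).
    Messages are a random prefix plus a counter, so no message repeats
    and every match is a genuine collision between different inputs.
    """
    prefix = rng.getrandbits(64).to_bytes(8, "big")
    seen = {}  # hash value -> message that produced it
    counter = 0
    while True:
        message = prefix + counter.to_bytes(8, "big")
        counter += 1
        h = truncated_hash(message, bits)
        if h in seen:
            return counter, seen[h], message
        seen[h] = message


def collision_probability(k: int, bits: int) -> float:
    """Exact chance that k uniformly random hash values contain a repeat."""
    n = 2 ** bits
    if k > n:
        return 1.0  # pigeonhole: more messages than possible outputs
    p_all_distinct = 1.0
    for i in range(1, k):
        p_all_distinct *= 1 - i / n
    return 1 - p_all_distinct


def birthday_estimate(bits: int) -> float:
    """Approximate expected messages before the first collision: sqrt(pi/2 * 2^bits)."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def average_first_collision(bits: int, trials: int, seed: int = 2015) -> float:
    """Measured mean number of messages hashed before the first collision."""
    rng = random.Random(seed)
    total = sum(messages_until_collision(bits, rng)[0] for _ in range(trials))
    return total / trials


if __name__ == "__main__":
    for bits, trials in ((8, 2000), (16, 400)):
        measured = average_first_collision(bits, trials)
        print(f"{bits:2d}-bit hash: measured {measured:7.1f}, "
              f"estimate {birthday_estimate(bits):7.1f}, "
              f"guaranteed by message {2 ** bits + 1}")
    # The same square-root scaling is why an n-bit hash offers roughly
    # n/2 bits of collision resistance against random trials.
    print("P(collision) after 16 messages, 8-bit hash:",
          round(collision_probability(16, 8), 3))
```
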

    Sancho_POctober 13, 2015 5:26 AM

    @Markus Ottela re "memory" Oct. 7, 10:56 AM

    Sorry I’m late to reply but interested in your reasoning.

    First, for someone to answer your question you’d have to make it more precise.
    Memory: What retention time you’d request, hours, days, years, decades, …
    Sure you don’t want to have a huge battery pack included, do you?
    AES256: So you are thinking about more than one byte I guess, but how much?
    Could you specify “simple” in context of “memory”?
    A thought about speed? And another about size? Last not least the price?
    Reliability? Error awareness / correction?

    I guess I had too many customers asking like “Can we fly to the moon?” (um, yes, we can, but can you …?) - sorry, no offense intended ;-)

    So while it could be basically possible to build a “simple serial memory … without ICs”, after re-thinking the request you might re-think the “no ICs” part first, because this is the driver to make it both undesirable and infeasible.

    My questions would be:
    Why are ICs to be avoided? What’s bad with (which) ICs?
    Probably most important: What is to be considered an IC in your thinking?

    Clive RobinsonOctober 13, 2015 6:35 AM

    @ Markus, Sancho_P,

    I guess the aim is to make a crypto KeyMat "Fill Gun" or "Ignition Key" device to make the loading of the KeyMat into the encryptor device easier and in theory more secure.

    The old way to do this which can still be seen on NATO equipment is with a manual draw optical tape reader.

    Whilst making an optical reader is mainly a mechanical issue, actually making the tape is not anywhere as easy as it once was.

    Thus I would suggest using an inkjet and semi transparent paper and use a code similar to that used on the ABA "mag stripe" on credit cards or 1D bar code etc.

    However with 2046 data bits and extra for lead-in/out error correction, self clocking etc you are looking at about 800 DPI which is not likely to work at all reliably with a hand built optical reader where you would be pushing your luck with 10 DPI.

    I can think of several other ways including four track mag stripe bank cards BUT...

    I suspect there is an unstated need for single button push zeroing and similar.

    Thus the reason in the past for using PK where each encryptor has its own private key known only to it and the KeyGen device not the KeyMat transportation Fill Gun or Ignition Key. In this respect many problems can be solved by the use of Smart Card / SIM Card devices.

    Sancho_POctober 15, 2015 6:37 PM

    @Clive Robinson

    Your hinting at the KOI-18 or similar devices adds a nice touch to the “simple memory” idea ;-)
    Today one would immediately think of using QR-codes for obvious reasons.

    However, we are back at the very basic question:
    Avoiding ICs: Why, at which costs?

    I’m a bit afraid it’s the “can’t inspect” discomfort of black boxes.
    But that would be a very untechnical, diffuse reasoning, close to paranoia.
    ( -> @Markus, if true: Take care, have a break from crypto! )

    Sure I would not recommend to use Sgt. Miller's private smartphone with SIM card + QR-app (downloaded for free from the Internet) + USB to serial converter to write the master key into our brand new 120M$ rocket launcher aimed at Moscow, just in case we need to fight “back”.

    Photo of Bruce Schneier by Per Ervland.

    Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.