Friday Squid Blogging: Squid Photos

"Terrifying" squid photos.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on October 16, 2015 at 4:20 PM • 157 Comments

Comments

Bob S. • October 16, 2015 8:25 PM

Like the so called Patriot Act, and the so called Freedom Act, the Cybersecurity Act (CISA) is another brazen attack on the rights of American citizens to deny us our formerly inalienable rights to due process, private property and freedom from warrantless searches.

Here is a couple paragraphs from the summary of the bill right from congress:

CISA,

"Permits state, tribal, or local agencies to use shared indicators (with the consent of the entity sharing the indicators) to prevent, investigate, or prosecute offenses relating to: (1) an imminent threat of death, serious bodily harm, or serious economic harm, including a terrorist act or a use of a weapon of mass destruction; or (2) crimes involving serious violent felonies, fraud and identity theft, espionage and censorship, or trade secrets.

Exempts from antitrust laws private entities that, for cybersecurity purposes, exchange or provide: (1) cyber threat indicators; or (2) assistance relating to the prevention, investigation, or mitigation of cybersecurity threats. Makes such exemption inapplicable to price-fixing, allocating a market between competitors, monopolizing or attempting to monopolize a market, boycotting, or exchanges of price or cost information, customer lists, or information regarding future competitive planning."

Thus the tribal police can tap the cyber pipes to bust underage kids buying liquor, a kind of fraud. Notice mass warrantless and un-reviewed access to domestic internet data becomes legal for censorship and trade secret crimes, too.

Next, define "serious economic harm". A bit broad, don't you think? In short, the new law is an unlimited fishing license for all police and corporations to look, take and use anything they want against the people.

Meanwhile, the corporations can simply close their eyes and hand over the data to police, military, foreign governments, etc., because they are guaranteed secrecy and immunity for generating the data flow.

Sure, an "open letter protesting the bill was sent by the Computer and Communications Industry Association (CCIA), an industry body whose members include Microsoft, Google, Facebook, Amazon, Nvidia, eBay, and Yahoo!"

http://www.theregister.co.uk/2015/10/16/tech_cisa_datasharing_law/

But, are their objections about privacy or common business sense that people won't use their stuff once they realize a (the?) major purpose of their goods and services is to promote granular STASI-like mass surveillance, on the whole world?

But, it's too late to object. The bill is designated as a high priority for passage by Congress. Only one of fifteen members of the intelligence committee was opposed to the current CISA write-up.

That member, Senator Wyden said CISA is "a surveillance bill by another name". My opinion is CISA is the last nail in the coffin of our electronic property rights. Anything we do electronically can and will be used against us once it passes.

People should start preparing themselves right now by changing just about everything they do on the internet or electronically. But, mostly they won't.

Paul Harper • October 16, 2015 8:52 PM

"I'm thinking about switching OS to Linux. Any recommendations?"

I personally use Debian. I've gone off Ubuntu for the reasons stated by Micah Lee. https://micahflee.com/2013/01/why-im-leaving-ubuntu-for-debian/

You can download the Free Debian Administrator's Handbook in pdf, eReader and Kindle formats:

https://debian-handbook.info/

Here is a short guide to get your desktop working with proprietary multimedia codecs etc. You probably can skip installing the Bulgarian dictionary though!

http://batsov.com/articles/2011/07/04/debian-tips/

or

Qubes OS. Qubes is a security-oriented, open-source operating system for personal computers. This is complex but it is well documented.

https://www.qubes-os.org/

Or dual boot both of them. Just substitute Debian for Ubuntu.

https://micahflee.com/2014/04/dual-booting-qubes-and-ubuntu-with-encrypted-disks/

If you were a Windoze power user you could also consider

Slackware - See the free Slackware book. Even if you don't use Slackware it is worth reading. Slackware has a great community. If you are a Windows power user and can follow instructions you might like Slackware.

http://www.slackware.com/

If you take the Slackware route you should follow Alien Bob AKA Eric Hameleers' blog. There are useful information links on the right side.

http://alien.slackbook.org/blog/

David Henderson • October 16, 2015 9:35 PM

Paul Harper: about a year ago I decided to move from OSX to something else because Apple took down their warrant canary page. It's been discussed on this forum.

I was also concerned about the interruptions in development when OSX/Macports insisted I spend 3 days recompiling gcc just because an upgraded lyx came along with a desired update in doxygen.

I briefly experimented with FreeBSD, Gentoo Linux, CentOS Linux, and Debian distros, but settled on Debian. The main reason for Debian is that they publish a solid application suite that advances only when most applications are ready. I'm writing software that depends on a dependable set of libraries and applications.

I'm satisfied that I made the switch from OSX/Macports to Linux/Debian aptitude and have improved my productivity. The main factor is that I can readily choose what applications stay at their current rev level and what applications get upgraded.

It also helps that the publishing style readily lends itself to an airgapped system. Just burn the distro dvd's you need, then install software as needed knowing exactly the provenance.

My home git server is so airgapped. It's a peace of mind saver.

P.S.-
I recently experimented with Qubes-os v3.0. Debian is available as a Xen hypervisor sub-OS. It ran on my (limited to 4 GB, no SSD) hardware, but it was so slow as to be irritating. For the moment I'm sticking with straight Debian on an encrypted LVM. When I upgrade my laptop I'll consider hardware requirements for Qubes.

Joe K • October 17, 2015 12:17 AM

@ Anon, Paul Harper, David Henderson

To Anon, who wrote:

    I'm thinking about switching OS to Linux. Any recommendations?

First of all, with respect to Debian, in addition to the Debian Administrator's Manual, recommended by Paul H, there is also the Debian Reference. And the debian-user mailing list, debian-user@lists.debian.org. But wait, there's more.

For a user who has stuck with MSWindows all this time, it may not be obvious, but (if I am not mistaken) Paul H's post implicitly suggests that Ubuntu (or, alternatively, Lubuntu or Xubuntu) is a relatively new-user friendly Linux distribution. In my experience (several years ago), that suggestion is true.

But it must be said that Ubuntu's new-user friendliness now comes with a cost, which Micah Lee's blogpost (cited by Paul) and its subsequent links summarise well.

So, to the generic user looking to migrate from MSWindows to Linux, I recommend to aim for Debian, but to consider Ubuntu (or, perhaps preferably, Xubuntu or Lubuntu) as an intermediate stepping stone in case Debian proves initially to be too challenging of a change.

Ubuntu is a modified version of Debian, which is why it makes sense to use it as a stepping-stone to Debian. But it is so modified by a company (Canonical) which has proven itself willing, able, and ready to unapologetically compromise users' privacy (and hence security) via its modifications for its own selfish purposes. Hence (I presume) the prior posters' recommendations to just use Debian, instead.

To be clear: I despise Canonical, and hence Ubuntu, for their utter contempt for users' privacy. But if a migrant from MSWindows needs an easy introduction to Linux (and to Debian in particular), it bears mentioning that Ubuntu do actively look for converts, and it does show.

So, seriously. If you do use Ubuntu as a first Linux distro, ASAP switch to Debian. IMHO, you will lose absolutely nothing of value, and you will learn a lot worth learning.

PS: To see a whole boatload of about-to-be-former Ubuntu users sending Canonical their last regards, check out this classic bug report.

ianf • October 17, 2015 3:25 AM

OT: sexism in IT

@ Clive wrote in last week's culinary recipe:

    […] “Remember though that no matter how bad Hollywood sexism appears, the IT industry appears as bad. So much so that in the UK interviews with those attending Uni suggest just the apparent image is stopping women considering IT as a career path, even though there is a desperate shortage of IT qualified staff and employers are getting desperate for even entry level staff.”

If I understood that correctly, it is the image of prevalent sexism that causes women to not even attempt careers in IT. If that is so, then society is doing (these) women A COLOSSAL SERVICE by steering them away from the bumpy road ahead, and towards other, less hardware-dreary occupations. Commenter Izzie L. on another blog has some things to say about that, plus a very entertaining short discussion in response to the blogger's otherwise never-asked, intriguing questions, such as:
    If women stay away from IT [because of sexism already felt at the Uni], wouldn’t we expect to find a large enrollment in CS departments at colleges that are 100% female? (co-ed being there still something of a novelty).
I happen to believe that career paths are more dependent on (informed as well as haphazard and emotional, but still) RATIONAL choices that an individual makes, than on later intangible obstacles encountered along the way. This applies equally to both sexes, but only women are allowed to blame men, or "the society," for once made bad choices (and again, and again, and again). And yet…

The women that I worked with, peers and suits, tended to "gravitate" towards softer, more time-flexible, more human-talky, independent assignments, moving sideways and up as in-house educators, recruiters and administrators, away from physical relocation-challenging field work or weary line maintenance/ programming, etc. (a couple exceptions). Perhaps they had the nose for jobs less prone to be outsourced in the future (now). More than half of those who entered the workplace with me left after some years for greener pastures (secretary of a trade commission; education researcher; VP of a babysitter agency; purebred kennel owner; a company listed as “marketing of exclusive clothes and silk flowers”); men did too, but moved more within the same circle. A couple technically gifted ones were brain-drained to the USA; one during a conference, later put in charge of a multinational's QA dept.. Another, a technical PhD, was flown over to New York, New York! for a weekend-long interview, offered an obscenely well-paying multi-year contract—which she declined on the grounds that her husband wouldn't be able to find a job commensurate to his [non-tech] qualifications (she's now heading a mid-sized research institution). Whether my narrow sample represents a true picture of the state of IT affairs (on the Continent, thus largely unaffected by UK's social-class stigmas), I do not know, but I do know that women are not some passive players in their careers.

Thus my vocational experience does not support such a broad brush opinion as that of Clive's. I can't see the alleged "women's lot" in IT to be so much harder than men's (it is certainly more complained about), but I suppose that's because of my Normative Sex Blindness—sick some Gender Theorists on me to sort me out. Women are engineers of their own success, as well as of failure – anything less than that, and we'd effectively be talking of Lesser Humans. From that follows that anyone assigning women the rôle of workplace or life-choice victims is in effect promoting the dreaded sexism.

Name • October 17, 2015 4:08 AM

Can any Tor experts tell me (with confidence!) whether or not it's safe to run a standard "bundled" Tor Browser at the same time as running a regular updated Firefox client on the same Windows 7 PC? My regular Firefox uses NoScript with every enabled script being manually checked against its crowdsourced white/black lists before being Ok'd.

It seems like it "should" be safe, but I have no confidence in that "guess". I would be much better off if I could access YouTube and surf securely at the same time.

Mindi Maquart • October 17, 2015 6:24 AM

@Name:

TBB and Mozilla Firefox have different user profiles and operate independently of each other. They should not interfere with each other. However, if either of them is compromised the other one will follow. For better security I would suggest at the very least running TBB sandboxed in a VM, ideally in an environment like QubesOS. For even better security, consider booting into a Tails Live CD.

By the way, all recent versions of Firefox dial home to Google the first time you run them, installing a cookie in your brand new settings. I would seriously consider switching to IceCat.

stingy magazine • October 17, 2015 7:20 AM

@Mike Leake:

Assume you have already been compromised. Just get a warm fuzzy feeling at the thought that some poor sod in Arlington is wasting hundreds of thousands of tax dollars watching you download pr0n and order online groceries. If you're into that sort of thing, the cat and mouse game is quite fun: wipe discs, change devices, open new accounts, flash your OS ... it makes it very expensive very quickly. Great fun when you have nothing to lose!

blake • October 17, 2015 9:56 AM

@ianf

> wouldn’t we expect to find a large enrollment in CS departments at colleges that are 100% female?

No, I wouldn't, because they might be making a long term (20 year) decision against "considering IT as a career path" (actual words you quoted) rather than a short term (3 year) decision about what or where to study.

It's not "I want to get into this industry but I guess I'm going to have to deal with the sexism later", it's instead "I don't want to enter this industry because of the sexism."

> only women are allowed to blame men, or "the society," for once made bad choices

Wait, are you saying that if a woman chooses a particular career and experiences discrimination while in that industry then that's *her* fault for making a bad choice?

Orchestral Cicada • October 17, 2015 11:04 AM

@Name
"I would be much better off if I could access YouTube and surf securely at the same time."

torsocks and youtube-dl

ianf • October 17, 2015 1:05 PM

@ blake

ad #1 this was a not unwarranted hypothetical question given in response to a generalizing statement of the alleged reason for why women en masse stay away from enrolling in "as sexist as Hollywood" CS-level courses, not of their subsequent careers. So, to spell it out: are women rushing to presumably not-sexist CS departments of all-female colleges?

    are you saying that if a woman chooses a particular career and experiences discrimination while in that industry then that's *her* fault for making a bad choice?

No, you are saying it, except you've framed it as if I said that, which is rhetorical demagoguery.

Daniel • October 17, 2015 1:30 PM

I am a fan of FOSS but I do think that people sometimes have unrealistic expectations of it. Here is the fundamental dilemma. On one hand a software developer needs money both for himself and his project. But as soon as he has money that is a weapon that can be used against him by people in authority because he now has something of value that needs to be protected. This is the course Ubuntu has taken--we can make a better project by selling our users down the river. So in this case free really isn't free--someone is paying for it.

On the other hand truly free software is going to be made by amateurs--kids in college, a pro working in his free time, the autodidact, etc. The problem here is that these FOSS projects often lack coordination, are filled with bugs, and are entirely dependent on volunteers who can and do leave without warning. So these types of FOSS such as Debian and Fedora mean more work for the end user and a higher tolerance for problem solving.

Several people have mentioned Qubes and I have raised doubts about its particulars before, even though I like the concept. But in this context let me raise another one viz. that Qubes has a very small core development team and compared to other projects a tiny user base. Who really knows what the future of that project holds? It is by no means established.

The end point is that there is no such thing as "Windows for FREE". The end user pays somehow--either with their cash, with their privacy, or with their own time invested. People should think carefully about what they value and where they want to invest their resources. Because every FOSS user ultimately has to deal with TNSTAAFL.

ianf • October 17, 2015 2:13 PM

OT: Raiders of the Lost Web

Long story short: in 1961 an accident happens in the town of Greeley, Colorado; 20 kids are killed in a schoolbus-train collision. 45 years later, in 2006, a local reporter spends a year to follow up the case, publishes a 34-part series which “causes a sensation,” ending up among Pulitzer finalists. The columns together with related pictures and videos are put on the Web, laboriously encoded as Flash objects. In 2009 the newspaper folds, its archives disappear from the Web.

The reporter has saved a copy of it on a DVD, but cannot upload it due to various rights issues. When these are sorted out, the Flash all but folds up (2015). Together with his son, the reporter painstakingly recreates the articles, this time relying on the portable HTML. Does he use this opportunity to adapt it to the RWD, a multi-platform presentational format? Nope, everything is to “appear just as it did when it was first published,” which means emulating the Flash experience (tablets, iPhonesBeGone!)

    Full story in The Atlantic, which also decries the impermanence of Internetty content.

ObSecContext. What's with Greeley, Colorado? First it conducts lewd social dancing in 1949-era church basements, that SO SHOCKS mature agricultural student Sayyid Qutb, that he has no option but to rejuvenate the Muslim Brotherhood, and inspire Al Qaida—and now this?

Gerard van Vooren • October 17, 2015 2:20 PM

@ Daniel,

> I am a fan of FOSS but I do think that people sometimes have unrealistic expectations of it.

You are partially right but not entirely. Minix3 for instance is being financed with grants and Red Hat is a billion dollar open source company. OpenBSD core developers are paid. The Linux kernel is being developed with mostly paid developers. There are also software projects that are being developed with people who just like to code. Debian is such a project.

albert • October 17, 2015 2:21 PM

RE: UBUNTU,

An unsatisfied user since before 8.04 (IIRC, the last version that worked with webcams). I am evaluating other distros. I'll try Debian last, but I want:

1. Something that installs!
2. and boots!
3. and runs out of the box!

The list includes OpenSuSe, Fedora, Red Hat, ???

Advice: Lose your Nvidia card, substitute something else until you get Ubuntu working. I've never had more trouble with installations than with Ubuntu releases. Frankly, I don't think they know what they're doing. You'll go through a lot of trouble and time and then you'll have Unity, so your real computer will look just like a smartphone; WOW!. Then, after you blow away Unity, you'll need to remove all the Canonical BS. _I_ don't think it's worth the trouble.

. .. .. _ _ _


Nick P • October 17, 2015 3:07 PM

@ fhissen

I posted on that (your?) blog a security analysis of the many models of source sharing and review. I believe I argue convincingly that the popular way of thinking on the subject is very far from the truth. It's not proprietary/closed vs FOSS/open: there are many forms in between both, with some deployed in the real world. Additionally, the openness of source has little to do with its security or trustworthiness; that's instead measured by the competence of its reviewers and how much the user trusts them. Same happens with FOSS as we see in the TrueCrypt audit.

So, there are benefits of open or free source. The biggest ones, though, don't come automatically with FOSS like its proponents often claim. Those can be had by either secret or open source by using diverse, trustworthy reviewers plus the ability to verify users have what they had. If anything, FOSS has mostly just resulted in freeloading, with the best projects having paid (proprietary) developers doing a lot of the work. Dual-licensed or just open-proprietary with a good EULA could've had a similar effect while maintaining necessary funds for development.

In high assurance security, the situation is worse for their claims because only proprietary companies pulled it off. Still zero FOSS to hit high assurance with most nowhere near even medium. So, burden of proof is on them there to show their model will work. Been hard enough with teams of specialists working in same direction full time...

The few exceptions, in the medium category, are either pros or seasoned amateurs from academia that spend some of their time doing it. NaCl, Genode, Muen, etc. come to mind. The others are proprietary works that just got open-sourced afterward. Not the same as the FOSS development model.

Miguel Sanchez • October 17, 2015 3:59 PM

@ Bob S.

I agree with you. And, there probably is a solid relationship between the Obama Administration stepping back from banging the "we have to have that data" drum with the appearance of the sureness of the passage of this bill.

Ultimately, a secret surveillance, total information awareness program is inevitable, and we can surely note a few primary and dangerous factors that will also be inevitable with such systems:

1. to maintain and build up such systems requires extensive funding, resources, and so extensive governmental & corporate support
2. intrinsically secret surveillance of individuals and groups of corporations and governments provides exactly the right material to ensure that support happens
3. these two factors, together, mean inevitably the usage of such domestic secret surveillance data in conjunction with the most severely black of ops systems imaginable: systems of intelligence entirely 'off the books' which are designed to engage in rampant extortion and other means of social coercion even to and including domestic assassinations, economic espionage of all kinds, sabotage of all kinds, kidnappings, and torture for control

Worse, there is no way to stop the rise of these sorts of organizations. It is just too easy to drain money from large corporations and government with secret surveillance, and it is too easy to remain stealthy.

People are shockingly naive to suppose such things are not already going on.

On one hand, the viewpoint seems to take American intelligence and law enforcement as some kind of choir kids. And, on the other hand, we see people imagining much darker scenarios.

Miguel Sanchez • October 17, 2015 4:13 PM

@ ianf

... in general, but also on this, on sexism in IT...

    Thus my vocational experience does not support such a broad brush opinion as that of Clive's. I can't see the alleged "women's lot" in IT to be so much harder than men's (it is certainly more complained about), but I suppose that's because of my Normative Sex Blindness—sick some Gender Theorists on me to sort me out. Women are engineers of their own success, as well as of failure – anything less than that, and we'd effectively be talking of Lesser Humans. From that follows that anyone assigning women the rôle of workplace or life-choice victims is in effect promoting the dreaded sexism.

I think one problem to note is that we cannot take meaningful data samples from our own experience to relate for such problems. It is too subjective, and our own data samples will invariably be meaningless for many other reasons, not the least of which is the general lack of true randomness of the data or representation of larger swathes of the industry.

I think the main thing is for people to realize that they are, innately, biased against people who are different than their own selves. And they have to be aware of that bias, and adapt accordingly to take in new information.

We have seen this time and time again in this last century, especially, and will continue to see it: as people are further educated about looking at their own internal and other people's internal, rather than the superficial external.

There are reactive groups that are surely unsettling against such changes, and these are clearly very unreasonable groups. It is not good to be found to be numbered amongst such groups, as all people are aware of who have studied these matters, historically.

jerome • October 17, 2015 4:27 PM

This blog is what I've always been looking for.
I've studied cephalopods for almost three decades and the provided imagery and richness of the articles is without comparison with other blogs and scientific journals.
I deeply regret that you seem to interleave those great articles with cryptographic news without much interest; would you please focus exclusively on cephalopods?

Thanks in advance.

Daniel • October 17, 2015 6:09 PM

Sexism in IT, like sexism in the gaming world, like sexism in science, is like the Easter Bunny: everyone claims to have found its eggs and yet no one alive has seen the source.

tyr • October 17, 2015 10:04 PM

I blame Ada Lovelace for the beginning of sexism in IT. Then Grace Hopper who had the gall to keep making the mediocre male feel like a dumbass.

keiner • October 18, 2015 1:27 AM

openSUSE is a good and stable alternative to Windows. Just choose during setup NOT to have BTRFS as the file system for the root partition. EXT3 or something is recommended.

If you don't like systemd, go to PC-BSD, although a much tougher ride :-D

Clive Robinson • October 18, 2015 4:35 AM

@ tyr,

There is quite a bit more to the story than the Guardian article indicates.

From other news sources the ex-girlfriend actually committed a fairly violent out of control assault against Ms Westlake that trapped her and endangered her life. Ms Westlake was thus panicked under "flight or fight stimulus", which would have been worsened by her Autistic Spectrum Disorder, and was thus acting in self defence. Thus it's questionable as to whether the CPS should have actually taken it to court. Further, from other things that have been reported, Ms Westlake was let down badly by her defence representatives.

ianf • October 18, 2015 5:02 AM

@ David Henderson

    […] Apple's takedown of their warrant canary page previously discussed on this forum.

Any particular discussion about it from among these from “about a year ago?”

@ Daniel

Let's not mix subjects: sexism in, for instance, the gaming world with that (or the absence of it) in IT and science. For one, in gaming that gets conflated with known malbehavior of actual end-users, hormone-dripping teenage players. But visit any garage gaming startup, and you'll see 3 male hipster coders and at least one female wannabe-punk designer of the monsters they are conjuring up. Because even 20-something whippersnappers understand the need to appeal to female fantasy-world visitors that constitute a sizable portion of their market.


@ jerome regrets that @Bruce interleaves great articles about cephalopods with cryptographic news without much interest…

Yeah, it beggars belief why he does that, could be to deflect attention from his recently uncovered perch in the mammalian order.

Time for a “Kraken vs. Rikki Tikki Tavi” blockbuster.


@ tyr I wouldn't like to be known as an inter-species conspiracy theories monger or something, but doesn't it look a bit like the meerkats and the capuchin monkeys, each confined to their separate ZOO enclosure, have staged a fight by proxy? Clearly, any meerkat-keeper has to have an equally fierce temperament to survive. Only why does this remind me of the Lisa Nowak love triangle?

    BTW. that llama-keeper was lucky none of his charges took a shine to him… I hear they're mean buggers, they kick and spit their stomach juices out… one farmer in Norway even keeps castrated llamas as guards against wolf attacks on his free-ranging sheep. 0 lost lambs.

@ Clive

That explains why the injured victim “was given a final warning and banned from Zoological Society of London events for two years”. Perhaps she was the real Lisa Nowak here ;-))

Daniel • October 18, 2015 10:30 AM

@David Henderson.

Female gamers make up the majority of the market. More gamers are females between the ages of 25-45 than any other demographic. In fact the number of females in that age group is double the number of male teenagers.

GamerGate is not a serious controversy to anyone with slight knowledge of gaming statistics. Contrary to your hormonally driven teenager thesis, GamerGate was driven by female hormonal hysteria (see how easy it is to play that game?)

Just like the Easter Bunny, people see what they want to see whether it is there or not. That is exactly how gaming and science and IT are related--they are all perceived by certain hysterical females as bastions of male power and thus by definition must be in the business of taking advantage of females, because in their tragic world view males have no other purpose than to exploit females.

It's nonsense, of course, and in any sane world these females would be given the mental help they so desperately need. But it sells papers and generates click views and for Google etc that's all that matters. The most amazing thing about the Ellen Pao saga is that she proved to be incompetent at leading not one but two different major organizations and an impartial jury of her peers found her sexism claims legally bogus. Yet has even one member of her posse been willing to admit that they backed the wrong horse and that there is no there there? No, of course not, all these set backs to Pao prove is that the Easter Bunny is EVERYWHERE.

How odd it is that when conservatives spin their conspiracy theories the liberals rightly mock them as wearing tin foil hats. But when liberals spin their own conspiracy theories it is the great big cultural truth that no one will admit to seeing.

I'll stand firmly by my original statement. Everyone claims to see evidence of the Easter Bunny yet no one actually sees the Easter Bunny. So maybe, just maybe, that means that the Easter Bunny doesn't exist and they are seeing evidence of something else.

Nick P • October 18, 2015 11:38 AM

@ Daniel

Your post is the Easter Bunny or at least a Scarecrow argument who's made of straw. Back in the real world, people have been trying to run the numbers on things rather than just speculate. Plenty of researchers looked at organizations that measured credentials and on the job performance along with having data on salaries and promotions. In most organizations, women made less than men even if they performed as well as or better than them. The women were less likely to be promoted to senior leadership positions even if they were good leaders in a middle position. The harassment ratio was also way different, with the men in authority positions often trying some form of abuse which they wouldn't try on men, of course. One did the proven, clever trick of sending identical resumes to many companies that differed only in male or female names. Predictably, the women got very few followups compared to men, who almost always did. Finally, depictions in online commentary and media, which largely only happen to women, suggest people expect women to be in this position rather than think it's wrong to push them into it.

So, pretty much all empirical studies, meta-studies, and anecdotes show pervasive discrimination and even behavioral conditioning to a degree. Rather than the Easter Bunny, they show many specific sources in terms of organizations and motivations. They all consistently have about the same specifics in terms of the abuse they perpetuate. This is true regardless of whether a man, woman, liberal, or conservative looks at good data. The only exception, which you mentioned, is people on either side who push false datapoints or ridiculous interpretations plus much rhetoric to promote their political agenda. There are many of them for sure, but everyone taking realistic approaches is reaching the same, damning conclusions.

So, we should take action and deal with it. A positive example here are the Nordic countries. They realized their practices were discriminating against one of their biggest, national assets: their women. They didn't pretend like it doesn't happen, blame the women, invoke the Easter Bunny, etc. They took action by establishing voluntary quotas to get more [qualified] women in top positions of industry and government. The results for those organizations were very positive, the split is a lot better than before, and everyone keeps it going for benefits and ethics despite the quotas being over. The United States should do the same. I'll add that even greedy, sexist capitalists should do it given that many of the top companies for women to work at are consistently among top in revenues and profit. Turns out that including all the brainpower and types of thinking available can increase intellectual and economic output. Who'd have thought...

Note: Here's a recent example from Silicon Valley that shows pervasive exclusion while citing another organization that had that and solved a lot of it with great results.

Now, I should end with one that's a point of agreement. The GamerGate situation was a good example of the political side. The magazines and online articles were so skewed in favor of the feminists and P.C. crowd that one would think the controversy existed solely to bash a few, innocent women. A friend sent me a nice vid countering much of that in a way with specific claims and counter-examples that any "objective" reporting of the situation should've had. I particularly like how he illustrates that the content is a response to demand (including women), not an industry bias, that forces people to present certain things if they want to succeed. Anyone doing opposite stays poor or goes bankrupt. I loved how he illustrated that the feminist's own games break plenty of rules in their own papers and articles to make more money for them. Rampant hypocrisy among those pushing this ideology for political reasons and media/politicians on other side way to cowardly to call them on it, as you said. This sort of thing needs to stop.

Note: Far from stopping, it appears yet again in the Mozilla Brotli situation. Shorthand for Brotli extension was .bro. Straight-forward, easy to type, and easy to remember. Feminists, etc explode about how offensive that was. Far as I see, they added evil to a benign situation and acted as control freaks to force others to adhere to their own worldview and preferences. Mozilla caved. It might make sense given Mozilla's demographic of contributors and the hit they'd take for not appearing sensitive. That I had to acknowledge that further reinforces why people should resist *that* stuff wherever possible so the next company won't have to cave to it. Best comment in the article to show how ridiculous it is was this one that applied same logic to other tools.

Nick POctober 18, 2015 12:08 PM

@ Another_Debian

Mint is a good alternative to Ubuntu for people who want its ease-of-use without its BS. I've used it plenty. There's also a PPC version of Mint for people wanting to air gap with old, PPC Macs.

ianfOctober 18, 2015 12:24 PM


Balkanization of the Net

@ Clive in last week's squid:

The US Gov is going to find itself in the position of being on the receiving end of legislation that applies across its entire jurisdiction whether it likes it or not.

It is unclear what the result will be but "Balkanisation of the Internet" is a distinct possibility.
Funny you should utter the B-word… I've been thinking about it lately, if not in exactly this grave context of potential breaking-up of the Internet into European and American (overlapping?) magisteria. Rather, about what's already happening with parts of the web, where more and more major websites now practically require client apps (hence also the newest devices) to fully take advantage of their web presence. If that is not ongoing Balkanization of the web, then I don't know what is.

One client app for every site, each with its own UX wrapped in same old GUI. Get the app or live with gradually downgraded functionality, as e.g. has been happening with once perfectly MobileSafari-usable Medium medium. Madness. How long is it before they push through a new scheme, “httapp://schneier.com” say, which will redirect incoming data stream automagically to the onboard app of said domain's name? (right now they can but ask).

While I could understand the financial and security incentives for applications for "doing business over the Internet" cases, the news media deliver largely text and pictures, with an occasional video or sound embed or two. Why then have they now decided that making the reader captive in an app will be their Answered Revenue Prayers? Captive customers are unhappy customers.

Whether on the web, or past the threshold of launching and logging into a dedicated app, it's still the same old text & pictures. When Apple started levying the 30% tax on all app-borne subscriptions etc., the Financial Times expired its small-footprint AppStore app, and replaced it with its own HTML5 web ditto. Piece of cake: the back-end does all the heavy lifting and delivers just the required snippets to the web client, which app.FT.com obviously works as well (or as badly) as any resident binary app that depends on back-end supplied content would, for the casual reader and subscriber alike. I had hoped this would start a trend away from binary news-apps, but, alas…

Given the need to maintain a text-copy database, the cost of writing & maintaining a single platform-independent web client should easily undercut that of keeping afloat several dedicated smartphone and tablet apps. The Google Reader also was a web app of immense, yet to the end-user invisible, complexity, and it worked wonders! At the same time, it cannot be unknown to news publishers that pushing the readers into their own walled gardens will lower the overall exposure rate of their content, the start of a slippery slope of market saturation. So I truly am at a loss to understand this mad rush towards dedicated (and seldom offline!) apps that is now all the rage.

(feel better now)

Miguel SanchezOctober 18, 2015 3:35 PM

@Daniel

I'll stand firmly by my original statement. Everyone claims to see evidence of the Easter Bunny yet no one actually sees the Easter Bunny. So maybe, just maybe, that means that the Easter Bunny doesn't exist and they are seeing evidence of something else.

It is not hard to google the various "men's movements" and get plenty of samples of sexism in IT. It is also not hard to find real, live racism alive online.

There are a number of attributes both belief systems have in common. A major one here is that having racist or sexist beliefs is so indefensible and shameful that they curb what they say outside of their own groups.

It is kind of like how Scientologists don't go around talking about aliens, or Mormons don't brag to everyone about their penchant for wearing thermal underwear.

Sexism and racism, I hate to say, is hard wired in people, physically. What separates us from the animals? We can actually rise above our physical limitations by the power of our mind to reason. We can see our own limitations and take them under consideration, admitting our own faults. Or we can deny our faults, and continue the lie.

Why is racism hard wired in people? Because of bonding chemicals in our physiology which bond us to the groups we bind to. We tend to like more of the group we bind to, and dislike those groups more different than our own.

Sex is a major component of that bonding factor.

Sex is even more core to physiology. Much of the realities of sex people keep implicit, not explicit. Unconscious, automatic; not conscious, reasoned.

Testosterone is a major driver. People I see argue about all these negative attributes being claimed of men, and they often are describing basic attributes, or symptoms, of testosterone.

Ultimately, the solution probably will be about moderating natural testosterone levels in people, so as to reduce conflict, aggression.

Only leaders should be in the male role, and everyone else should be chemically and probably physiologically neutered or feminized so we can have a much healthier, productive society without wars, violent crimes, or conflict.

And, FYI, it is true that violent female offenders, who are rare, either are victims of testosterone-driven males or have overly high levels of testosterone themselves.

All these individual differences that drive selfish ambitions are exactly the primary problem in the world.


T. DuncanOctober 18, 2015 7:21 PM

I've read the "NSA" has placed backdoors in the top 10? 15? 20? Linux distros.

Still better than MS, but how would I know? How would anyone know?

Twitter, now with MemoryHole®October 18, 2015 8:29 PM

Twitter has a covert censorship feature: they shut you up just long enough that the world passes you by. They used it to censor Jacob Applebaum, concealing JSOC and CIA war crimes - in the US but not in Germany, so it's clearly US government controlled.

http://members.efn.org/~paulmd/OwnWork/AdventuresinCensorship.pdf

One more reason to use Tor - you can circumvent US propaganda by exiting the Tor network in grown-up countries where people have rights.

Clive RobinsonOctober 18, 2015 9:44 PM

@ Magnus,

I presume the "bug" works on stomach acid, so maybe if the patient keeps the pill in their mouth and drinks lemonade etc the pill will squawk at the doctor.

ianfOctober 18, 2015 10:44 PM


@ Clive, ah, but there's a logi.c.k.a.l hole in your whole: the doctor will, of course, test the acidity and/or salinity of the liquid served the patient together with the pill, using a special companion litmus test patch, then stand by and wait on the NHS payroll for the squeak (could also precision-weigh the patient before and after). Else any practical-joker-patient could pretend to swallow it, then use it on an unsuspecting 3rd party to make it squeak!

(that's me temporarily giving the blowhard @Skeptical moniker a rest).

Puzzle Finally Makes SenseOctober 19, 2015 5:25 AM

A shocking article about Eisenhower, Castro, New York Times, CIA Director Allen Dulles and plenty of motive for JFK’s demise.
No one internally (including the POTUS) can control the CIA and NSA. Even powerful ally Dianne Feinstein was discredited as they battled her through known techniques of eavesdropping, lying and misinformation. They are above any law.

Externally the Chinese, Russia and now Europe are fighting The Beast (which Eisenhower warned of) with considerable success. Today they consume huge resources, yet (as Congress complains) the Five Eyes signals intelligence is increasingly rendered ineffective.
The collateral damage is isolation of American High-Tech over The Internet. This trend is expected to worsen long term as the Internet is rewired to stay outside of American reaches.
To keep busy, the mass surveillance of Americans will only worsen under our National Curse.
http://www.democracynow.org/blog/2015/10/14/the_rise_of_america_s_secret

65535October 19, 2015 6:53 AM


@Bob S.

“Like the so called Patriot Act, and the so called Freedom Act, the Cybersecurity Act (CISA) is another brazen attack on the rights of American citizens to deny us our formerly inalienable rights to due process, private property and freedom from warrantless searches… Senator Wyden said CISA is "a surveillance bill by another name". My opinion is CISA is the last nail in the coffin of our electronic property rights. Anything we do electronically can and will be used against us once it passes.”

I agree. CISA is a Tech DataMiner’s dream. The problem is the privacy minded tech sector is politically outgunned by Big Government and Data miners. That would now include M$.

More to the point, we are getting crushed by the “Government, CISA, NSA, and the Tech DataMiners.” It’s politically frustrating to fight those entities - very frustrating.

I will say that sooner or later some big law firm is going to find out they have been data-mined and are losing cases [Or, possibly an important Judge]. That will probably be a tipping point.

“MS wants to pay me to use their stuff. What could go wrong?” Bob S.

It is obvious that M$ desperately wants to push its Spy-dows 10 malware to anybody with an internet connection –despite short term losses.

But the numbers show Windows 10 in a lower than expected position given that M$ is handing it out for free – and forcing people to upgrade.

“In August, Windows 10 declared 5.2 percent of the desktop market, and while that’s still not even close to Windows 7’s 57.7 percent market share, it’s certainly nearing Windows 8.1’s 11.4 percent. Most impressive, though, is that Windows 10 is already more commonplace than Apple’s OS X Yosemite featured on the Mac, responsible for only 4.8 percent of the market… This should come as no surprise to anyone familiar with Windows 10 since the operating system opts to return to the basics rather than offering anything substantially unique. The reinvention of the Start Menu was a pleasant revival of a historic computing artifact, but privacy concerns would leave most Linux users wary to convert.. the free upgrade factor and it’s pretty clear why Windows 10 has caught on so quickly. Now concerning for Microsoft should be devising new means of convincing even more users to rollover to its recently released desktop OS. Otherwise, as Redmond is surely aware, anyone who hasn’t upgraded yet probably hasn’t found a reason to do so..”-digital trends

http://www.digitaltrends.com/computing/windows-10-more-popular-than-os-x-yosemite/

[And raw desktop numbers from NetMarketShare]:

Windows 7 56.53%
Windows XP 12.21%
Windows 8.1 10.72%
Windows 10 6.63%
Mac OS X 10.10 4.91%
Windows 8 2.60%
Linux 1.74%
Windows Vista 1.73%
Mac OS X 10.9 1.21%
Mac OS X 10.6 0.48%

http://netmarketshare.com/report.aspx?qprid=10&qptimeframe=M&qpsp=201&qpch=350&qpmr=24&qpdt=1&qpct=3&qpcustomd=0&qpcid=fw269501&qpf=1

Note that Win 10 is not doing that well even when it is free.

Clive R. might have something with sticking to Windows XP for certain uses.

LMDE2October 19, 2015 9:39 AM

Re: the person asking about Linux Mint Debian Edition (LMDE) - it is a very solid platform, stable, faster than standard Mint in my experience.

The ease of the Mint desktop with the power/security of the Debian package base = best of both worlds for low-mid range users.

Straight Debian might be strictly better for power users who migrate from Windoze in the first instance i.e. too many areas to make mistakes and it is unforgiving by comparison to LMDE2 (I know from lots of painful newbie experience).

The manual partitioning required to install LMDE2 might put off a bunch of users, but well worth it in the end (standard Mint auto partitions and will install alongside existing O/S for you).

For Windows refugees with no Linux experience, standard Linux Mint is by far the easiest path of migration - I agree that it should be a stepping stone to other distros given Ubuntu's history. Also, Ubuntu's desktop frankly looks like shit - a demented version of Windoze 8.1

OpenSUSE is another distro worth considering and relatively easy to set up.

Even if the NSA own the top 20 distros, that is still better than having Microshaft's hands in your local folders 100% of the time based on their spyware. And you can always go full secure-tard and run TAILS or Qubes.

Further, I see there are hundreds of distros available. With the constant updating, new protocols, kernel updates and so on; I imagine it is a lot of work for the NSA criminal cartel.


CuriousOctober 19, 2015 2:43 PM

I am thinking that maybe it will somehow be convenient for Hillary Clinton, if the top CIA man was found to have done something irregular. It's a silly thought though.

Markus OttelaOctober 19, 2015 3:05 PM

I started a new project that analyses the TLS of the top 1M domains (according to alexa.com). The idea is to publish a list of domains that are vulnerable to Logjam, that use DHE1024, RC4, SHA1/MD5 fingerprints for certs, etc.

JacobOctober 19, 2015 3:36 PM

@Markus Ottela

I wonder if the IPv4 address scanning done by the Univ. of Michigan has already covered that.
You may want to look at
https://zmap.io and https://scans.io

The scanning code is open source and extremely fast (covering the full address space, with one machine, in less than an hour)

JacobOctober 19, 2015 3:42 PM

If any of you administer an Oracle product, tomorrow will be a busy day. It looks like their whole portfolio has major holes in it, including RCE, and tomorrow is the patch day.

MySQL is listed too:
"This Critical Patch Update contains 30 new security fixes for Oracle MySQL. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password."

http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html

WaelOctober 19, 2015 4:25 PM

@Curious,

it will somehow be convenient for Hillary Clinton.

Out with it! What are you insinuating? She had a hand in this? :)

ianfOctober 19, 2015 5:35 PM


This just in:

New York, 19 Oct - Ever vigilant to emerging new airborne threats, the Transportation Security Authority (JFK and Newark regional hub branches) today announced the launch of a new feasibility study to convince air travelers with complete sharp dentures to let these rest in dedicated, for the duration of the flight sealed, sterile containers. “Our mission to ensure passenger safety on the ground and in the air means that we can not stand aside when new in-flight terror vectors appear, even if that first happens outside our jurisdiction,” said Senior Supervisor Jessica Hardy, the East coast spokeswoman for the Authority during a press conference attended by metropolitan and national media. She was referring to a recent incident with deadly outcome, when an unstable individual onboard an Aer Lingus flight started biting fellow passengers, had to be physically restrained, and was pronounced dead on emergency landing in County Cork, Ireland. “We keep an eye out for potential new air-safety disruption models, just as international terror groups skim the pages of The New York Times [NYSE: NYT] looking for chinks in our armor, and then send out volunteer suicide emissaries to probe the envelope of our readiness. Therefore, we must try new approaches to stave off such new dangers, and there putting sharp dentures in escrow, voluntary to begin with, at least has to be considered," concluded Ms. Hardy. Asked whether anyone of the initiative's 5 men and women strong steering committee relied on dentures, she promised to find that out and respond upon the study's conclusion in a month's time.

Clive RobinsonOctober 19, 2015 5:48 PM

@ Bruce,

This might be of some interest to you,

http://www.wired.com/2015/10/x-ray-scans-expose-an-ingenious-chip-and-pin-card-hack/

Basically the group at the UK's Cambridge Computer Lab under Ross J. Anderson showed it was possible to do a Man In The Middle attack on a Chip-n-Pin card and reader. Because their prototype was large and clunky, EMV the owners and operators of Chip-n-Pin dismissed the idea and in their usual negligent manner failed to take any measures to prevent it being used.

A group of French criminals however used a tiny hobbyist chip system to build the attack system into stolen Chip-n-Pin cards that even if looked at did not appear noteworthy. After getting away with nearly 0.7 million dollars equivalent the group were caught due to very poor OpSec. Only after a technical investigation by researchers did it become clear what the group had done, and then some time after that EMV put limited precautions in place.

Of note are Wired's comments about a more limited form of Chip-n-Pin coming to the US; it may well be a hint that it is quite a bit less secure than the European version, and thus susceptible to this attack. If so, then I'd expect to see "magic cards" start to be advertised in the US.

AnuraOctober 19, 2015 6:03 PM

@Clive Robinson

My credit card issuer just sent me a "chip and signature" card (which should just be called a "chip" card), which is basically the same as a chip and pin, but without the pin. It doesn't protect against your card being stolen, just cloned. It will otherwise have all of the security limitations of chip and pin.

Clive RobinsonOctober 19, 2015 6:14 PM

@ Anura,

Are you in Europe --where Chip-n-Spin is supposed to be more secure-- or somewhere else (where it would be less secure)?

AnuraOctober 19, 2015 6:21 PM

@Clive Robinson

I'm in the US. And yeah, they are saying "chip and signature" is much more secure, but for now you can just clone the magnetic strip since no terminals require a chip (but some do have optional chip readers!). And, of course, you can still buy online using only the account number associated with the card.

AnuraOctober 19, 2015 7:09 PM

A good alternative:

Super-Secure Digital Wallet:

An electronic device containing a keypad, a display, a physical interface that attaches to the terminal, and a chip that stores ECDH credentials signed by various banks (the bank stores your ECDH public keys, which are generated on your PC) and credit card companies, and does encryption but does not allow you to read the keys. The credentials are unique to a device, and thus can be revoked while allowing a secondary device to function. Credentials are encrypted using a passcode typed on the keypad. The wallet generates a counter as a transaction ID. A transaction would occur like so:

1) Wallet connects to terminal, receives a message containing amount to be charged, which is signed using the merchant's credentials
2) Wallet displays the invoice and the customer chooses which account to charge to
3) Customer enters secret to decrypt credentials
4) The wallet then appends a SHA-256 hash of your public key, and the unique transaction ID to the message
5) The whole message is then signed, and is transmitted to the terminal along with your signed public key so it can be pre-verified by the terminal
6) The terminal can either hold the transaction to transmit later (offline mode), or transmit it right away, in which case it will contact the bank and authenticate or charge the transaction (online mode)
7) Upon receiving the transaction, the bank looks up the account information based on the SHA-256 hash, and verifies the signature, and verifies that the transaction ID has not repeated

It's simple: no RNGs necessary; beyond the SHA-256 hash, no personal information is provided (this won't happen in reality); it should be a pretty solid design with minimal potential implementation issues.
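The seven-step flow above, worked through as an added example that is neither Anura's code nor any payment network's: a Go sketch in which the wallet, the terminal-side merchant signing and the bank are modelled in one process. It assumes ECDSA on P-256 for every signature (the post says ECDH credentials, but signing is what the steps actually call for), a canonical byte encoding of my own for what gets signed, and it leaves out the passcode decryption of the stored key in step 3. Two things worth noticing: the bank verifies with the key it enrolled, never with a key carried in the message, and it treats the per-account counter as strictly increasing, which is the replay check of step 7. One caveat on "no RNGs necessary": the transaction id is indeed a plain counter, but Go's `ecdsa.SignASN1` still draws randomness for each signature, so the device needs an RNG (or deterministic RFC 6979 signatures) for signing even though the id does not.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

type Invoice struct { // merchant-signed charge request the terminal hands to the wallet (step 1)
	Merchant    string
	AmountCents uint64
	MerchantSig []byte // ECDSA over sha256(invoiceBytes)
}
type Transaction struct { // the wallet's signed reply (steps 4 and 5)
	Invoice   Invoice
	AccountID [32]byte // SHA-256 of the wallet's DER public key: all the bank needs to look it up
	TxID      uint64   // monotonic counter; the bank rejects anything not strictly newer
	WalletSig []byte   // ECDSA over txBytes
}
func digest(b []byte) []byte { h := sha256.Sum256(b); return h[:] }

// invoiceBytes and txBytes are the canonical, length-delimited encodings that get signed (my choice).
func invoiceBytes(inv Invoice) []byte {
	return fmt.Appendf(nil, "%d:%s|%d", len(inv.Merchant), inv.Merchant, inv.AmountCents)
}
func txBytes(t *Transaction) []byte {
	return fmt.Appendf(invoiceBytes(t.Invoice), "|%x|%x|%d", t.Invoice.MerchantSig, t.AccountID[:], t.TxID)
}

// NewMerchantKey stands in for the merchant credentials; SignInvoice is the terminal's side of step 1.
func NewMerchantKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }
func SignInvoice(key *ecdsa.PrivateKey, merchant string, cents uint64) (Invoice, error) {
	inv := Invoice{Merchant: merchant, AmountCents: cents}
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest(invoiceBytes(inv)))
	inv.MerchantSig = sig
	return inv, err
}

// Wallet models the device. Passcode decryption of the stored key (step 3) is not modelled here.
type Wallet struct {
	key     *ecdsa.PrivateKey
	PubDER  []byte // what the bank enrolls; its SHA-256 is the account id
	counter uint64
}

func NewWallet() (*Wallet, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	der, err := x509.MarshalPKIXPublicKey(&key.PublicKey)
	return &Wallet{key: key, PubDER: der}, err
}

// Authorize is steps 1, 4 and 5: refuse an unsigned invoice, bind it to this account and a fresh counter, sign.
func (w *Wallet) Authorize(inv Invoice, merchant *ecdsa.PublicKey) (*Transaction, error) {
	if !ecdsa.VerifyASN1(merchant, digest(invoiceBytes(inv)), inv.MerchantSig) {
		return nil, errors.New("invoice is not signed by the claimed merchant")
	}
	w.counter++ // the transaction id is a plain counter; no RNG is needed for it
	tx := &Transaction{Invoice: inv, AccountID: sha256.Sum256(w.PubDER), TxID: w.counter}
	sig, err := ecdsa.SignASN1(rand.Reader, w.key, digest(txBytes(tx)))
	tx.WalletSig = sig
	return tx, err
}

// Bank keeps enrolled keys by account hash and the last counter value accepted per account (step 7).
type Bank struct {
	accounts map[[32]byte]*ecdsa.PublicKey
	lastTxID map[[32]byte]uint64
}
func NewBank() *Bank { return &Bank{map[[32]byte]*ecdsa.PublicKey{}, map[[32]byte]uint64{}} }

// Enroll registers a wallet's public key (the post has the bank sign it at this point).
func (b *Bank) Enroll(pubDER []byte) error {
	pub, err := x509.ParsePKIXPublicKey(pubDER)
	ecPub, ok := pub.(*ecdsa.PublicKey)
	if err != nil || !ok {
		return errors.New("not a usable EC public key")
	}
	b.accounts[sha256.Sum256(pubDER)] = ecPub
	return nil
}

// Settle verifies with the enrolled key, never one carried in the message, then rejects any replayed counter.
func (b *Bank) Settle(tx *Transaction) error {
	pub, ok := b.accounts[tx.AccountID]
	if !ok || !ecdsa.VerifyASN1(pub, digest(txBytes(tx)), tx.WalletSig) {
		return errors.New("unknown account or bad wallet signature")
	}
	if tx.TxID <= b.lastTxID[tx.AccountID] {
		return errors.New("replayed or stale transaction id")
	}
	b.lastTxID[tx.AccountID] = tx.TxID
	return nil
}
```

A run looks like: create a merchant key, a wallet and a bank; `bank.Enroll(w.PubDER)`; have the terminal `SignInvoice(mk, "Example Coffee", 450)` (a constructed sample); `w.Authorize(inv, &mk.PublicKey)`; then `bank.Settle(tx)` succeeds once and fails on every resubmission of the same message, while a tampered amount fails the signature check and an invoice signed under a different merchant key never leaves the wallet. The rejected-replay path is the property Anura's step 7 relies on, so it is the one worth testing first when building anything like this.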

Dirk PraetOctober 19, 2015 7:52 PM

@ Wael, @ Curious

it will somehow be convenient for Hillary Clinton.

In the sense that she can now claim there are other high-ranking officials doing the same?

Everyone who's ever worked in policies and procedures knows that it's not the low-level staff that's causing non-compliance issues, but management types with a sense of entitlement who think they are above the rules and demand exceptions and exemptions for pretty much anything they do. The higher you go on the ladder, the worse it gets.

But from what I've read, the news titles are a bit over the top. Nobody hacked the CIA. These guys just socially engineered their way into the director's personal mail account due to sloppiness on the part of Verizon staff. I do hope they (securely) dropped off some of that stuff at The Intercept.

@ ianf

the Transportation Security Authority (JFK and Newark regional hub branches) today announced the launch of a new feasibility study to convince air travelers with complete sharp dentures to let these rest in dedicated, for the duration of the flight sealed, sterile containers

At this particular level of stupidity and paranoia, one cannot help but imagine a very lively debate during which at least one mentally challenged TSA official will bring up the need to put known vampires on the no-fly list too.

@ Twitter, now with MemoryHole®

Twitter is really coming into its own as a CIA asset, censoring observer accounts of a clever US war crime

There has indeed been quite some recent talk about alleged Twitter censorship, not only about these US raids on Aleppo, but also about the drone report. From this article:

"Dietrich concludes that the tweet removals may be part of the rollout of a feature that lets Twitter identify abusive tweets and “limit their reach.” According to a company blog post from April, the feature is currently in testing, and takes “a wide range of signals and context that frequently correlates with abuse” into account when identifying suspected abusive tweets. ".

WaelOctober 19, 2015 8:27 PM

@Dirk Praet, @Curious,

In the sense that she can now claim there's other high-ranking officials doing the same?

Of course! Misery loves company :)

But from what I've read, the news titles are a bit over the top. Nobody hacked the CIA.

True! Social engineering an MNO plus sloppy OPSEC violations with work/personal email "cross talk".

due to sloppiness on the part of Verizon staff

Unfortunately, that's not the case. Account takeover is more common than you think, and it's utilized in other forms of fraud.

Cretaceous vampyromorphid TusoteuthisOctober 19, 2015 9:22 PM

Dear participants and readers,

Squid blog contribution

What the fuck did you just fucking say about me, you little squid? I’ll have you know I graduated top of my class in the Squidbeak Splatoon, and I’ve been involved in numerous secret raids on Octo Valley, and I have over 300 confirmed splats. I am trained in Inkbrush warfare and I’m the top charger in the entire Inkopolis armed forces. You are nothing to me but just another inkling. I will wipe you the fuck out with precision the likes of which has never been seen before on this Earth, mark my fucking words. You think you can get away with saying that shit to me over the Internet? Think again, fucker. As we speak I am contacting my secret network of spies across the USA and your IP is being traced right now so you better prepare for the storm, maggot. The storm that wipes out the pathetic little thing you call your game. You’re fucking dead, squid. I can be anywhere, anytime, and I can kill you in over seven hundred ways, and that’s just with my bare tentacles. Not only am I extensively trained in unarmed combat, but I have access to the entire arsenal of the Squidbeak Platoon and I will use it to its full extent to wipe your miserable tentacles off the face of the continent, you little inker. If only you could have known what unholy retribution your little “clever” comment was about to bring down upon you, maybe you would have held your fucking tongue. But you couldn’t, you didn’t, and now you’re paying the price, you goddamn idiot. I will shit fury all over you and you will drown in it. You’re fucking dead, squiddo.

JustinOctober 19, 2015 10:49 PM

@Wael

Private emails hacked of CIA director and DHS secretary
http://www.cbsnews.com/news/cia-director-and-dhs-secretary-emails-hacked/

WASHINGTON, D.C. -- The personal emails of two of the highest-ranking national security officials have been hacked. Those being CIA Director John Brennan and Homeland Security Secretary Jeh Johnson.

An anonymous hacker has been bragging about breaking into the accounts. Now, multiple law enforcement sources have told CBS News the breaches actually occurred.

Somebody should moderate that last comment by Cretaceous vampyromorphid Tusoteuthis, by the way.

WaelOctober 19, 2015 11:46 PM

@Justin,

Although the attack vector is well-known and simple enough for a "script kiddy" to conduct, only time will tell who the "attacker" really is. For the time being, I guess we're supposed to believe he's a teenager because he claimed he is. Maybe it's originating from behind the bamboo curtain. I don't see how this "attack" helps the attacker's cause! Hard to believe anything these days.

CuriousOctober 20, 2015 12:34 AM

@Wael

No, I honestly did not insinuate that Hillary Clinton "had a hand in this" (whatever that means), I just imagined there to be an environment of people in high places not taking things seriously, and so that the general and cynical notion of mine was that the more exposure irregularities get, the lighter the slap they get on the wrist.

I am no lawyer (I am also a European), and so don't have much knowledge about "law" (I do have a little), though if I had to try to formulate some concrete problem with high ranking officials involved in irregularities, then I can sketch up this idea of there possibly being a new praxis of sorts coming about in rulings, as if the presence of a new nuance to things helped water down the perceived wrongdoing by a court judge.

Clive RobinsonOctober 20, 2015 1:53 AM

@ Wael,

It appears that the personal email accounts in some cases go back nearly ten years... Makes you wonder why they have not been hacked before {sounds of rustling bamboo off stage left }

There is way too little information to say who, what, why and it could be a complete con.

@ Curious,

Yup it's the Baboon theory of management. Not just that "the higher they climb the more of their undesirable features become visible" but the wider the splatter and the more people get tarnished when they "541t themselves for being shown to be being a dumb 455".

It appears that most of these "senior folk" are too busy "being seen to be busy" networking etc to actually give any attention to details.

Mind you directors of the CIA have a history of doing really really stupid things with mixing up highly classified/restricted and personal when it comes to ICT. Then getting no more than a slap on the wrist if that, whilst peons down the bottom get their lives destroyed over unclassified information archiving etc. A trap Hillary Clinton was alleged to have fallen into on her mail server.

WaelOctober 20, 2015 2:25 AM

@Clive Robinson,

Ten years! I must have missed that.

{sounds of rustling bamboo off stage left }

Good thing you heard it too because I thought I was hearing things. It has a similar sound print as the OPM incident :)

WaelOctober 20, 2015 2:39 AM

@Clive Robinson, @Curious,

doing really really stupid things

I see your "mixing up highly classified/restricted and personal when it comes to ICT. " and raise you this: Michael Hayden

I must have a daisy of a hand :)

WaelOctober 20, 2015 2:54 AM

@Anura,

An electronic device containing a keypad, display, a physical interface that attaches to the terminal...

Good thinking!

in which it will contact the bank and authenticate or charge the transaction (online mode)

Look at the three and four party models in the payment industry. There are also legacy limitations with ISO-8583. You may also reference Liability Shift

should be a pretty solid design with minimal potential implementation issues.

There are implementation hurdles as you may surmise from the above links.

WinterOctober 20, 2015 5:18 AM

The Amsterdam Privacy Conference will open on Friday 23 October with a talk by Max Schrems, among others.

You can still register for our opening event on Friday
http://www.uva.nl/en/news-events/amsterdam-privacy-conference/amsterdam-privacy-conference/cpitem/link/apc-2015
and for the special keynote session with Bill Binney on Sunday evening
http://www.uva.nl/en/news-events/evening-programme-apc/evening-programme-apc/cpitem/link/evening-program-25-october-apc

APC2015 final program is published here:

http://www.apc2015.net/sites/default/files/pdffiles/APC2015%20Final%20Program_0.pdf

There are several changes, the most important one being that for our opening event on Friday 23 October, we will not only have a keynote by Julie Brill, not only a talk by Max Schrems, but also a special presentation by Holland's Minister of the Interior and Kingdom Relations Ronald Plasterk!

Dirk PraetOctober 20, 2015 5:55 AM

@ Winter

... not only a talk by Max Schrems, but also a special presentation by Holland's Minister of the Interior and Kingdom Relations Ronald Plasterk!

Excellent! Do we need to bring tar and feathers ourselves or will the organisation be providing them?

@ Clive

It appears that most of these "senior folk" are too busy "being seen to be busy" networking etc to actually give any attention to details.

In my experience, there are two types of managers. The competent ones are people managers or visionaries leading by example, whereas the second category spends 100% of his/her time attending meetings, forwarding emails from other managers and putting green, yellow and red dots in spreadsheets. In a conservative estimate, the latter outnumber the former by a 10 to 1 ratio.

WinterOctober 20, 2015 6:12 AM

@Dirk
"Excellent! Do we need to bring tar and feathers ourselves or will the organisation be providing them?"

I am afraid these are all polite company. And there will be security.

I think there is enough fun watching whether dear Ronald will shoot himself in the foot again. But he will be aware that the audience is less than convinced about official privacy policies.

It is sad that I won't be able to make it there myself to watch.

Clive RobinsonOctober 20, 2015 6:24 AM

@ Anura, Wael,

If you search back far enough on this blog, you will find that we discussed what would be needed for such a device.

I laid out what was required, two items of which appeared at the time to be radically new thinking. The first was not to just authenticate the channel and leave it at that, but to actually authenticate each transaction in the channel.

The second was what appeared on the surface to be an air gap, that is the device did not connect to the communication equipment. But that was not the primary idea behind it, which was a tighter security restriction than air-gapping which was to actually put the human into the authentication chain to avoid end run attacks. Which is something the device you describe is probably vulnerable to.

I thought this device up based on earlier work using mobile phones as a side channel that had started to go wrong....

Back in the 1990's when online banking involved a direct dial-in to your bank, it was clear that it was not going to remain tenable due to the costs involved and the rise of the Internet. A consequence of which was the security risks would go up drastically. This was "obvious" to all but the banks as impersonation fraud had already happened with direct dial-in.

So I developed a "side channel" system to authenticate the user, using the other rising technology star of the time mobile phones. I knew the system needed to use a side channel to authenticate from the earlier work [1]. Others liked the idea and on solving the SMS secondary use issue started to put it into practice. Unfortunately due to the lack of real security in the phone side problems had started to appear....

Well as you will find on reading my earlier postings, I realised that humans were going to have issues with the volume of accurate typing that a reasonable level of security in the authentication required against computer based attacks. So I came up with what felt like a good idea at the time which was a strategy that played to human strengths and computer weaknesses: "Captchas"....

You may by now notice this re-occurring theme of the attackers outsmarting the designers... Well the attackers started to use very very cheap offshore labour, whose sole purpose was to read and type in captchas. So that part of the idea was a bust.

The problem then falls --as in the device you describe-- to having lower security standards by having a connection between the side channel and the communications system. This immediately removes the air-gapping security, and worse removes the human from the authentication chain allowing known end run attacks to work.

You will also find this discussed in other posts on this blog between me and Nick P and a third person (whose name I cannot remember). They were discussing a device much as you describe that would authenticate transactions, but had the failing --in my view-- of having a connection to the untrusted communicating computer.

For various reasons I've decided that the term "air-gap" is both inaccurate and outmoded and should thus be renamed an "energy-gap". The obvious reason is the ideas behind the audio channel of BadBIOS and less well known audio attacks. But also I've worked out other attack channels including mechanical vibration and quite some time ago optical channels as well both of which work against smart phones.

One reason for thinking out these other channels can be found way back on the Cambridge Labs lightbluetouchpaper.org blog. One of the researchers there came up with the idea of rather than using an electrical connection they would use an array of coloured dots on the untrusted computer screen and a camera in the device. They had built mockups and found funding etc... I explained on the blog how I would go about attacking it with a hidden channel that used an almost imperceptible to the human change of intensity to hide a channel within their optical channel. I've not heard any more about the project, so I might have given it the "kiss of death" over and above the usual start up failure rate.

The moral is that security is not just hard but very hard when it comes to motivated attackers, and I really don't think the device as described has sufficient security to not be successfully attacked.

[1] Back in the 1980's I'd had the misfortune to come up against some of the much heralded and commercially disastrous electronic wallets both in the UK and French markets. These worked in an "off line mode" not an "on line mode" so could be defrauded, if you could get around the physical and software protections without leaving physical evidence of tampering. Which unfortunately it was. I'd found you could attack the wallets using low powered RF signals --think of it as both DPA and Fault injection in one-- a rather devastating attack method which I'd worked out a few years earlier, from an even earlier chance discovery I'd made with a computer and two way radio. The upshot was it was clear that to get the required security you would have to be both online and have a secure side channel for authentication.
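The difference Clive draws above between authenticating the channel and authenticating each transaction, shown as an added Python illustration (this is not Clive's design or code, and the shared key, challenge and amounts are constructed): the code the human reads off an isolated device only protects the order if it binds the details the human keyed in.

```python
import hashlib
import hmac

# Constructed secret shared between the bank and the user's isolated device.
# (Hypothetical; a real device would keep this in tamper-resistant storage.)
DEVICE_KEY = b"constructed-demo-key-not-a-real-secret"


def _short_code(mac: bytes) -> str:
    """Truncate a 32-byte MAC to an 8-digit code a human can read and type."""
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


def channel_code(key: bytes, challenge: bytes) -> str:
    """Channel-only model: the code proves possession of the key, nothing more."""
    return _short_code(hmac.new(key, challenge, hashlib.sha256).digest())


def transaction_code(key: bytes, challenge: bytes, amount_cents: int, payee: str) -> str:
    """Per-transaction model: the code binds the bank's challenge AND the
    details the human keyed into the isolated device, so a change to the
    amount or payee in transit breaks the code."""
    msg = b"|".join([challenge, str(amount_cents).encode(), payee.encode("utf-8")])
    return _short_code(hmac.new(key, msg, hashlib.sha256).digest())


def bank_verify(challenge: bytes, amount_cents: int, payee: str,
                code: str, per_transaction: bool) -> bool:
    """The bank recomputes the code over the order it actually received."""
    expected = (transaction_code(DEVICE_KEY, challenge, amount_cents, payee)
                if per_transaction else channel_code(DEVICE_KEY, challenge))
    return hmac.compare_digest(expected, code)


def simulate(per_transaction: bool, pc_compromised: bool,
             challenge: bytes = b"constructed-bank-challenge-01") -> bool:
    """Return True if the bank accepts the order that reaches it.

    The user intends to pay ACME Ltd. The human keys those details into the
    isolated device and types the resulting code into the (untrusted) PC.
    A compromised PC performs the end-run attack Clive describes: it rewrites
    the payee while forwarding the user's code unchanged."""
    intended = (10_000, "ACME Ltd")
    code = (transaction_code(DEVICE_KEY, challenge, *intended)
            if per_transaction else channel_code(DEVICE_KEY, challenge))
    submitted = (10_000, "MULE ACCT") if pc_compromised else intended
    return bank_verify(challenge, *submitted, code, per_transaction)


if __name__ == "__main__":
    print("channel-only, honest PC:     ", simulate(False, False))
    print("channel-only, compromised PC:", simulate(False, True))   # accepted: end run works
    print("per-transaction, honest PC:  ", simulate(True, False))
    print("per-transaction, compromised:", simulate(True, True))    # rejected
```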

Microsoft Admits Forcing Windows 10 SpywareOctober 20, 2015 7:27 AM

Belligerent Facebook and now M$ violate customer trust and privacy, then ask for forgiveness afterward.

The Europe Union should fine these arrogant American ba*tards billions. These self-appointed rulers push the envelope to data-mine citizens most personal information simply to monetize it.

An example needs to be made, as M$'s ulterior goal is to take advantage of children and seniors. These segments are unable to make an informed choice and may still trust Microsoft.

http://www.maximumpc.com/microsoft-not-forcing-windows-10-upgrades/

BoppingAroundOctober 20, 2015 9:21 AM

re: Windows 10

By the way. It seems that Windows 'Defender' now will bug people with 'personal files review' requests before sending it to the HQ.

As you may have guessed already, there was no 'Fuck you, I don't want to give you any data' button :-)

Reminds me of the usual 'don't ask users questions they cannot answer' cliché. I am mildly interested whether this subtle move is aimed at ensuring complacency with such tracking.

Markus OttelaOctober 20, 2015 9:24 AM

@ Manie Tieger

I've had a lot of problems with preview function on this site. It seems to stop working if one does iterative editing of posts with it. I did my best to ensure everything worked but it seems I failed. Damn.

Here is the URL.

@ Jacob
the scans.io looks very interesting. I'll have to take a closer look. Thanks for posting it.

Gerard van VoorenOctober 20, 2015 10:25 AM

@ Winter, Dirk,

> ... not only a talk by Max Schrems, but also a special presentation by Holland's Minister of
> the Interior and Kingdom Relations Ronald Plasterk!

I'll be wearing a ski mask, sunglasses, latex gloves and carry a bucket full of rotten tomatoes and eggs (maybe some stink bombs as well). Gotta have some ammo. ;-)

> I think there is enough fun watching whether dear Ronald will shoot himself in the foot
> again. But he will be aware that the audience is less than convinced about official privacy
> policies.

Plasterk is too clever to shoot himself in the foot. But he is also that kind of guy that could completely change his mind after he has finished his "tour". He is too power hungry in my eyes.

BoppingAroundOctober 20, 2015 1:52 PM

re: APC 2015

Facebook, Google, MS, Palantir as whatever noble metal and fancy mineral sponsors for a privacy conf. A bit ironic isn't it?

Thanks for the link anyway.

ianfOctober 20, 2015 2:03 PM


Wrote @ Clive Robinson:

If you search back far enough on this blog, you will find that we discussed what would be needed for such a device. […] You will also find this discussed in other posts on this blog between me and Nick P and a third person (whose name I cannot remember).

    Any …keywords? timeframes? for the particular blogposts that you (alone) have in mind? “Search back far enough” is like an instruction to find something on the Internet. Tried this once on this blog… took me 2 days to sift through potential Ducky hits, at the end of which I've forgotten the context.

WaelOctober 20, 2015 3:43 PM

@Anura,

We could always go off topic in the squid post and start discussing the merits

Thanks for the reminder.

ianfOctober 20, 2015 3:49 PM


@ Wael, I believe you meant to write “cross my palm with silver," rather than “grease it with grease,” but it ain't gonna happen as I'm not a grazer, but all of a ruminant.

harddriveencryp7777October 20, 2015 4:08 PM

excerpts are from internet access. refer to originals
2 *title: No Excuses' As Western Digital Leaves Gaping
3 Crypto Flaws In Hard Drives

15 PROF. WOODWARD SAID THERE WAS SIMPLY “NO EXCUSE”
16 FOR THE MYRIAD OVERSIGHTS.

20 *title: got HW crypto? On the (in)security of a
21 Self-Encrypting Drive series

33 *title: got HW crypto? On the (in)security of a

80 *Summary
85 3.) All 6 vulnerable to unauthorized FW
87 *EOF****************************
1 http://www.forbes.com/sites/thomasbrewster/2015/10/20/western-digital-security-sucking-bad/

2 *title: No Excuses' As Western Digital Leaves Gaping
3 Crypto Flaws In Hard Drives
4 *auth: Thomas Fox-Brewster

5 "What’s worse, despite working with the researchers
6 to learn more about the weaknesses, Western Digital
7 told FORBES it has only evaluated the research and
8 did not say whether it had any plans to issue fixes.
9 This is easily bruteforce-able.” With that value,
10 it would be far easier for the hackers to guess
11 the right key and get at data on the hard drive.
12 It was also discovered the key used to protect the
13 DEK was encrypted with a key stored in the firmware.

14 www.rsaconference.com/speakers/alan-woodward
15 PROF. WOODWARD SAID THERE WAS SIMPLY “NO EXCUSE”
16 FOR THE MYRIAD OVERSIGHTS.
17 ****************************

18 https://eprint.iacr.org/2015/1002.pdf
19 www.forbes.com
20 *title: got HW crypto? On the (in)security of a
21 Self-Encrypting Drive series

22 *date: 28th September, 2015
23 *Abstract
24 WD My Passport (MP) series

25 Section 3 shows security weaknesses and security
26 threats that are identical for every WD My
27 Passport that we encountered.
28 In detail we show a way to dump the encrypted Data
29 Encryption Key (eDEK) and VCD manipulation.
30 *scope: JMicron, Symwave, PLX chip, Initio chips.
31 ****************************

32 http://hardwear.io/wp-content/uploads/2015/10/got-HW-crypto-slides_hardwear_gunnar-christian.pdf
33 *title: got HW crypto? On the (in)security of a
34 Self-Encrypting Drive series

35 *Research motivation: is HW crypto more secure?
36 *Speakers intro Gunnar Alendal, Christian Kison:

37 *Western Digital My Passport / Book
38 Self-encrypting external HDD series*

39 crypto done in either:

40 1. 1st-gen : USB/FW-to-SATA bridge
41 2. 2nd-gen : HDD itself
42 *Different USB bridges researched
43 Vendor, Model (1st-gen/2nd-gen), Architecture

44 *Overall security design

45 User PW ⇒ Key-Encryption-Key (KEK):

46 KDF(salt+PW) = KEK

47 salt + KDF iterations are constant in SWices

48 KEK protects Data-Encryption-Key (DEK)

49 DEK = holy long-term HW AES Key

50 *The protected DEK - eDEK

51 *Authentication - JMS538S/INIC-1607E

52 *Mandatory HW encryption

53 *data recovery

54 no pw + broken USB bridge? no problem:

55 *Retrieve the eDEK: “no eeprom for you”

56 no EEPROM on boot..

57 Retrieve the eDEK

58 INIC-1607E - “no eeprom for you” + 3-byte

59 FW patch to dump eDEK

60 *Attackers progress...

61 *Model
62 *Breaking auth. - aka. backdoors
63 Two 1st-gen chips fail on authentication
64 *SW6316 authentication/backdoor
65 *2nd-gen bridges with no AES
66 *INIC-3608 backdoor
67 Dump EEPROM ⇒ Get KEK ⇒ authenticate
68 ..or get KEK with secret VSC ⇒ authenticate
69 **break auth. crack DEK
70 JMS538S, SW6316, OXUF943SE
71 INIC-1607E, INIC-3608, JMS569
72 *result: JMS538S and INIC-1607E still standing tall
73 *Recap: Authentication - JMS538S
74 DEK creation by device “erase”
75 JMS538S on-board RNG
76 JMS538S “erase” attack ..
77 JMS538S factory DEK attack
78 badUSB and evil-maid?
79 No FW signing ⇒ security problems

80 *Summary
81 1.) All 6 bridges analyzed had serious security
82 vulnerabilities

83 2.) 3 bridges have backdoors, 2 weak key
84 setup, 1 broken auth.

85 3.) All 6 vulnerable to unauthorized FW
86 patching ⇒ badUSB, evil-maid, ..

87 *EOF****************************
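The slide outline above sketches the design: KEK = KDF(salt + PW), with salt and iteration count constant across devices, and the KEK protecting the DEK as the stored eDEK. The following is an added Python model, not the researchers' code: the constant salt and iteration count are placeholders (the real values are not reproduced), the XOR "wrap" is a toy stand-in for the device's AES key wrap, and the hardened variant (per-device random salt, high iteration count) is an assumption about what a corrected design would do. It shows the defender's check that matters: whether the KEK for a given password is the same on every device.

```python
import hashlib
import os
from typing import Optional

# Weak configuration, modelled on the slides: salt and KDF iterations are
# constant across all devices. The real constants are NOT reproduced here;
# these are constructed placeholders.
CONSTANT_SALT = b"constructed-placeholder-salt"
CONSTANT_ITERATIONS = 1_000

# Hardened configuration (assumption, not from the slides): a random salt
# per device and a much higher iteration count.
SALT_BYTES = 16
STRONG_ITERATIONS = 100_000


def derive_kek(password: str, salt: bytes, iterations: int) -> bytes:
    """KEK = KDF(salt + PW); PBKDF2-HMAC-SHA256 stands in for the device KDF."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=32)


def wrap_dek(kek: bytes, dek: bytes) -> bytes:
    """Toy stand-in for the AES key wrap that turns the DEK into the stored
    eDEK: a SHA-256 keystream derived from the KEK XORed over the DEK."""
    stream = hashlib.sha256(b"wrap|" + kek).digest()
    return bytes(a ^ b for a, b in zip(dek, stream))


def unwrap_dek(kek: bytes, edek: bytes) -> bytes:
    return wrap_dek(kek, edek)  # XOR with the same keystream is its own inverse


class Drive:
    """Minimal model of the password path of a self-encrypting drive."""

    def __init__(self, password: str, per_device_salt: bool, iterations: int):
        dek = os.urandom(32)  # long-term HW AES key, created by "erase"
        self.salt = os.urandom(SALT_BYTES) if per_device_salt else CONSTANT_SALT
        self.iterations = iterations
        self.edek = wrap_dek(derive_kek(password, self.salt, iterations), dek)
        # Verifier lets the device confirm an unwrap without storing the DEK.
        self._verifier = hashlib.sha256(b"verify|" + dek).digest()

    def unlock(self, password: str) -> Optional[bytes]:
        """Return the DEK for a correct password, None otherwise."""
        kek = derive_kek(password, self.salt, self.iterations)
        dek = unwrap_dek(kek, self.edek)
        if hashlib.sha256(b"verify|" + dek).digest() != self._verifier:
            return None
        return dek


def kek_is_device_specific(password: str, a: Drive, b: Drive) -> bool:
    """Defender's check. With a constant salt and iteration count, the KEK for
    a given password is identical on every drive, so one precomputed table
    of KEKs serves against every device whose eDEK leaks. With a per-device
    salt the KEKs differ and nothing can be precomputed in advance."""
    return (derive_kek(password, a.salt, a.iterations)
            != derive_kek(password, b.salt, b.iterations))


if __name__ == "__main__":
    weak_a = Drive("correct horse", False, CONSTANT_ITERATIONS)
    weak_b = Drive("correct horse", False, CONSTANT_ITERATIONS)
    hard_a = Drive("correct horse", True, STRONG_ITERATIONS)
    hard_b = Drive("correct horse", True, STRONG_ITERATIONS)
    print("weak: KEK device-specific?", kek_is_device_specific("correct horse", weak_a, weak_b))
    print("hardened: KEK device-specific?", kek_is_device_specific("correct horse", hard_a, hard_b))
    print("hardened unlock ok:", hard_a.unlock("correct horse") is not None)
```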

WaelOctober 20, 2015 4:13 PM

@ianf,

No! I meant: With gold and grotes they grease my hand

cross my palm with silver

Not even silver, you cheap bast###? I have no choice but to leave you in the hands of @Clive Robinson! Simmer in your soup!

I wasn't even hoping for material gain. Just that you call me by a title worthy of my status, say for the next few posts! Something like "Sir", "Master", or whatever honorific title of your choice. Lol ;)

ianfOctober 20, 2015 4:26 PM


@ Wael, you've already overdosed on binge watching Game of Thrones, now you want me to prostrate myself in this virtual space-time continuum of ours? Will consider it.

tyrOctober 20, 2015 4:37 PM


https://boingboing.net/2015/10/20/every-email-nsa-says-it-got-af.html

Here's a classic example of why Alexander got the nickname Spandam. You'd think an organization with billions of $tax would be able to respond to a simple request in a more timely fashion. If it takes them that long to run a grep on their incoming mail for the word suggestion no wonder they are continually crying "we didn't see this coming" on their real job. What I find scarier is that no one wants to help them. 14 suggestions, Hitler could have done better asking the Jewish community for help.

Here's a suggestion for the spooks: Show some results or lose your budgets and your jobs !!

Sad Times IndeedOctober 20, 2015 5:11 PM

The New York Times documents:
‘Hedge Funds have biggest outflow since the third quarter of 2008 in the depths of the financial crisis'
They are hurting because they exacerbated the pain in the Chinese stock market and effectively were given cease-and-desist orders by the Chinese regulators.
The American financial press refuses to associate the two publicly.
Why?
Because High Frequency Traders are still allowed to plunder the American stock exchanges using several well-known techniques. For example, they can buy/sell the same stock thousands of times a second and only trade in the Dark Market.
The bottom line is Hedge Funds viewed the China stock market as an opportunity just waiting to be exploited. When their actions destabilized the world's financial markets, the Chinese authorities started data-mining these Hedge Fund traders. LOL!
They left China with their tails between their legs. Now the Chinese stock market has stabilized and in fact rising slowly.

Only The Donald correctly stated The Hedge Funds control the Presidential candidates, especially Bush and Clinton. The Hedge funds fund the data-mining of citizens throughout the world. They also buy rights to inexpensive drugs, then raise the prices 5000%. As a result for 2016, health insurance companies are greatly restricting pharmaceutical drugs. If a drug becomes too expensive it will not be listed in formularies. Tell that to someone who's dying?

Hedge funds devastate and destroy every market they enter such as politics, privacy and security, health care, commodities, food and real-estate.

Walk of Shame
Wall St hedge funds are an out-of-control American excess. They join the CIA who setup JFK’s demise. Lastly, no law, judge or President can stop the NSA mass surveillance.
Weren't we supposed to be morally 'better' than the Chinese or Russians?

Nick POctober 20, 2015 7:54 PM

@ Wael, Clive Robinson, name.withheld

Still looking at good, all-around texts on HW design for newcomers that ask and possibly me if I get more detailed. In The Embedded Muse, Ganssle gives a positive review of The Art of Electronics, 3rd ed. The table of contents looks as thorough and incremental as he says with it being one of few I see to mention optocouplers. The reviews, esp from qualified people, look really good.

So, is this the best resource to recommend people as a start-to-direction-of-finish guide for the whole field (minus RF)? Or would someone need to have read something else before this is effective? A few reviews suggest they don't need anything else past this and Google. But you know how reviews from unknown people can be. :)

WaelOctober 20, 2015 8:29 PM

@Nick P,

Re books: You mean you haven't bought this book yet? Trust me, it's an excellent starting book. Horowitz and Hill is a book that was in my curriculum and was a "supplementary" book, not the main one!

WaelOctober 20, 2015 8:44 PM

@Nick P,

We called "The Art of Electronics" Horowitz and Hill, back then. And the book I recommended is a much better introductory text.

Miguel SanchezOctober 20, 2015 9:09 PM

@"Puzzle Finally Makes Sense", and other annoying spammy names

A shocking article about Eisenhower, Castro, New York Times, CIA Director Allen Dulles and plenty of motive for JFK’s demise.
The Europe Union should fine these arrogant American ba*tards billions. These self-appointed rulers push the envelope to data-mine citizens most personal information simply to monetize it.
Better hope China doesn't show off their mad contact-chaining skillz like they showed off their OPM hacker lulz, or CIA is gonna stand for Caught In the Act.


Oh it is far, far worse then even you could ever believe. In fact, folks like you are just used to tamp down on the truth. Make it look cartoonish. They target you and mess with your mind, so you will come up with crazier and crazier conspiracy theories. That is a great way to hide the truth.

But, the reality is people's minds are being prepared for full disclosure through Hollywood. For decades now. The outlandish and impossible is constantly put to them, so they are raised with it. Great efforts were made to expand the capabilities of CGI and video games, so people in America, first, could get very used to it. Then, the truth is released, first, through America and the leading edge people at the very far end of tech... and then, through the rest of the free world, and finally, the entire world.

Intelligence was taken under control decades ago. The point of intelligence here is to operate both as a cover for this effort, and to provide the information about this effort to the rest of the world in such a way they will keep quiet about it. After all, they will not be able to easily chalk it off as some highly sophisticated ruse easily.

The perfect silent witness to the heads of the nations. Intelligence and law enforcement are literally like the eyes and ears of nations. So, they whisper to them, driving the mind mad. Before the people even know what is being said and shown... it is... too ... late...


^_^ ^_^

There's some Leviathan Cthulu monster madness for you this week of Halllowwww's Eeeevvvee.

Wooooooo.

M.


Nick POctober 20, 2015 9:14 PM

@ Wael

I was waiting for it to come down from $2.62 + shipping to $1.18 + shipping. :P

Nah, I just forgot about it. Thanks for the reminder. I saw reviews of 2nd edition after posting and they also said it's more a cookbook than intro text. So, one can start with nothing but the book you recommended and get really going with electronics? And then combine it with Horowitz/Hill and AFFL (RF) to mostly slam dunk the whole subject? Aside from tips you learn in more advanced or specialist books, that is.

If so, I'll go ahead and buy the one plus recommend the other.

Original SinOctober 20, 2015 10:12 PM

@Sad Times Indeed opined "Weren't we supposed to be morally 'better' than the Chinese or Russians?"

The PATRIOT Act was Satan's gateway. Now the Chinese and Russians have been granted by God the power to be morally better than 'mericans. But not the Canadians. I mean really...

WaelOctober 20, 2015 10:17 PM

@Nick P,

I was waiting for it to come down from $2.62 + shipping to $1.18 + shipping

And I thought @ianf was cheap! Man, it's so hard to stay pleasant these days. Where did I put my blood pressure medicine? You know what, I'll resurrect my sockpuppet just for you!

said it's more a cookbook than intro text. So, one can start with nothing but the book you recommended and get really going with electronics?

I had a nasty habit a long time ago of stopping by bookstores and libraries to find the best text on the subject of interest. In electronics, this is the book I found with the right balance between theory and practice. It's decidedly not a cook book, and anyone who says it's a cookbook is a kook! Period. The author has a unique style, although he uses some outdated theories such as "left brain / right brain" learning, which has been debunked, but this has no effect on the content.

Yes, it's a book that will get you started with the minimal amount of effort. I was never impressed with "The Art of Electronics", by the way. I know some here praised it, but that's my opinion after looking at many books.

RF (a subject that was near and dear to my heart) is a different beast. It requires more theory and math. At high enough frequencies, you'll stop using circuit theory and you'll use field theory (Electromagnetics, Maxwell's equations, etc...) This happens when the wavelength of operation becomes comparable to the physical size of the components (resistors, transistors, traces on the board which need to be treated as transmission lines, etc...) You'll also use a lot of approximations and charts (like a Smith chart.) When the frequency gets even higher, then you'll be in classified information zone that's tightly guarded -- so "they" say.

There are a few RF / Microwave / Optical Electronics books I can recommend, but you need to get this book first and see if you can trust me with the others -- you have nothing to lose (implying that my offer extends to you as well.) Also you'll need to invest many years on this subject to become "competent" in "Radio Frequency". This is not the case with "Electronic Principles". You can easily read the whole text and understand it in a few weeks.

Nick POctober 20, 2015 10:39 PM

@ Wael

In case it wasn't clear, it was Art of Electronics that reviewers said was more of a cookbook than an intro text. Regardless, your assessment of Electronic Principles having right amount of theory vs practice was what I was wondering.

"RF (a subject that was near and dear to my heart) is a different beast. It requires more theory and math. At high enough frequencies, you'll stop using circuit theory and you'll use field theory (Electromagnetics, Maxwell's equations, etc...)"

Holy crap. Might just keep using specialists on that for a long, long time...

"There are a few RF / Microwave / Optical Electronics books I can recommend, but you need to get this book first and see if you can trust me with the others -- you have nothing to lose (implying that my offer extends to you as well.)"

We'll see: I just dropped $7 or so total on it. :)

"You can easily read the whole text and understand it in a few weeks."

Now that's the kind of thing a lazy generalist like me needs. ;)

WaelOctober 20, 2015 11:02 PM

@Nick P,

right amount of theory vs practice was what I was wondering.

Minimal amount of theory. You'll be able to design and build amplifiers, oscillators, and other discrete component projects in a short time. Then when you read more advanced books, the math, models, and so called advanced concepts will make much more sense.

Holy crap. Might just keep using specialists on that for a long, long time

Specialists in this area are becoming scarce. They tend to be people who work at chip manufacturers. Even RF engineers at device manufacturers, for example cell phones, do a minimal amount of true RF work. They usually use the reference design given to them by the manufacturer, then do things like impedance matching, calibrations, layout design, power optimizations, shielding, minor antenna designs, etc...

Once you read the book you bought, I'll share other intro books that will grease the skids for your RF next adventure. There are quite a few things you can do without help from "specialists" :)

Now that's the kind of thing a lazy generalist like me needs.

I don't think you're lazy. Let me know how it works out.

ianfOctober 20, 2015 11:18 PM


@ tyr […] finds it scarier is that no one wants to help [the NSA]. 14 suggestions, Hitler could have done better asking the jewish community for help.

Watch it (slippery argument slope ahead… as if what Hitler did wasn't "good enough.") And the Jewish communities throughout occupied Europe, not used not to cooperate with government, did what they thought would lower the damage in the face of Moloch.

    In hindsight, they'd have fared better had they done what Syrian refugees and other African, Middle Eastern and Balkan migrants, do today: "swarm" the borders, force bystanders to confront their humanity. What Mexicans and other South Americans, seeing what's possible in Europe, may yet come to attempt to in NM, Tx, Ca… only to be machine-gunned?

ianfOctober 20, 2015 11:42 PM


Here are some links, probably not what @Clive Robinson had in mind

Thanks, Wael (in upright position). We should pool our heads together, come up with a “WTF did Clive mean” board game (to begin with), break the tedium of this medium. You negotiate the copyright terms, I'll do the prelim. design. Who knows, those things have a tendency to snowball… we could yet have a new yellow and black bestseller on our hands: “Schneier for Dummies: Your Guide To The Meandering Thoughts In The Blog Forum,” or something.

WaelOctober 21, 2015 12:16 AM

@ianf,

we could yet have a new yellow and black bestseller on our hands

What an exhilarating idea! Funny you should say that! Last year I tried a similar idea, in yellow and black as well! @Buck: stop thinking and tell me what you think about this "co-incidence", colors and all :)

Are you familiar with Cliff's Notes? You know, the summary texts of big literature[*] pieces? The ones you read the night before the exam you're ill-prepared to take? Well, there is also the Clive's notes. It's the inverse. He takes an input of a few characters and outputs a huge piece of literature..

It went nowhere! Maybe your idea is a little more marketable. Speaking of that, I think @Bruce should hold a conference with us bloggers once a year or so. He also proposed that last time I saw him[1] ;) We can use that meeting to market your idea :)

[1] And if he forgot, I'll increase the dose :)
[*] And I get to correct a typo as well!

ianfOctober 21, 2015 12:31 AM


@ Wael muddying up the mind of Nick P.

Minimal amount of theory. You'll be able to design and build amplifiers, oscillators, and other discrete component projects in a short time. Then when you read more advanced books, the math, models, and so called advanced concepts will make much more sense.

Given all modern electronics, analog as well as digital, first being done up on a computer, there ought to be some Electronics Design Lab programs allowing one to experiment with I/O and components at selectable granular levels (logic gates to diodes to whole named ICs), preferably by modifying in-program existing designs and checking their output on the emulated scope; in effect bypassing the hands-on PCB breadboard stage until the intended effect has been achieved. For that, however, to happen, more than your minimal amounts of theory would first be needed—which, when you think about it, can not be jumped over if one is to persevere.

    ObLitContext: “in the 1970s digital electronics had Steve Wozniak's attention for about 5 minutes.” [paraphrased]

ianfOctober 21, 2015 1:00 AM


Alas, Wael, I'm here for the theory, not for practice. I no longer have anyone like-minded to experiment with, hence the "cooking the el-meth alone" risks for dead-ends and disappointments are too great.

WaelOctober 21, 2015 1:13 AM

@ianf,

Lol! Dead ends and disappointments are part and parcel of life -- a big part of life!

Theory, eh? Tell me something: what do you think the interaction is between Security, Cheating, and Regulations? Let's add something to the mix: Random Number Generators!

ianfOctober 21, 2015 2:16 AM


You want me to tell you what I think the interaction is between Security, Cheating, and Regulations? Of the interaction between Security, Cheating, and Regulations I don't think. Satisfied?

JacobOctober 21, 2015 2:35 AM

From the blog of Brad Smith, Microsoft’s president and chief legal officer:

"... individuals in the tech sector increasingly have been talking about privacy. Just a week before the European decision (re Safe Harbour - J.), Apple CEO Tim Cook recognized explicitly that privacy is a fundamental human right. I said the same thing on behalf of Microsoft in a speech in Brussels this past January. Microsoft CEO Satya Nadella said clearly over a year ago that we want technology to advance, but timeless values should endure. And privacy is a timeless value that deserves to endure."

And then they pushed out WIN 10...

CuriousOctober 21, 2015 4:22 AM

About insecure Western Digital external harddrives:

"Got HW crypto? On the (in)security of a Self-Encrypting Drive series"
https://eprint.iacr.org/2015/1002.pdf

"The Western Digital My Passport and My Book devices are external hard drive series connecting to host computers using USB 2.0, USB 3.0, Thunderbolt or Firewire, depending on model. These consumer off-the-shelf hard drives are available world wide. Many of the models advertise the benefit of hardware implemented encryption. These hard drives come pre-formatted, pre-encrypted and are supported by various free software from Western Digital, both for Windows and Mac, to manage and secure the hard disks. Setting a password to protect user-data is one important security feature."

"In this paper we have analyzed different models from the external HDD My Passport series made by Western Digital. Overall we analyzed 6 different hardware models spread and well-distributed in the global market. We show the security concept intended from WD and present vulnerabilities on different hardware models. These findings range from easy eDEK leakages to perform off-line password bruteforce to complete backdoors and plain KEK storage, resulting in complete security bypass."

ianfOctober 21, 2015 4:42 AM


@ jacob: movie script time.

INT. (artificial light) IN AN INDUSTRIAL CELLAR

(A HOODED, cloaked figure is struggling against invisible restraints while a speech is being read through a crackling PA system. Strange echoes all around. )

    [From the speaker]: "... individuals in the tech sector increasingly have been talking about privacy. Just a week before the European decision, Apple CEO Tim Cook recognized explicitly that privacy is a fundamental human right. I said the same thing on behalf of Microsoft in a speech in Brussels this past January. Microsoft CEO Satya Nadella said clearly over a year ago that we want technology to advance, but timeless values should endure. And privacy is a timeless value that deserves to endure."

(A masked figure CAPTOR1 appears from the right, switches off the sound, touches HOODED)

CAPTOR1: You recognize these words?

HOODED: [muffled response] Yes.

CAPTOR1: I can't hear you, do you re cog ni ze these words?, answer Yes or No.

HOODED: Yes. Yes!

CAPTOR1: I will remove the blindfold, then let you come up with arguments how you square these lofty promises with that privacy rape that is Windows 10. If you convince me, you walk. If you do not, you'll be here watching video uptake of yourself from that conference till you die of old age. Your next of kin, or descendants, will then be notified via a hacked "important security update" to whatever Windows version that's optionally being downloaded in the background.

HOODED: I choose the blindfold.

CAPTOR1: That's not on the menu. You can only pick from the spelled-out options, as per the Microsoft Windows 10 User Interaction Manual, current edition.

qtWeOctober 21, 2015 9:05 AM

Chalk up another NSA war crime: attack on Kunduz hospital as part of the NSA plan or policy of indiscriminate SIGINT massacre

http://turcopolier.typepad.com/sic_semper_tyrannis/2015/10/us-bombing-of-kunduz-hospital-looks-more-like-a-war-crime-each-day-by-willy-b.html

So next time cowardly scumbag Rogers crosses the border, every UN member nation is obligated to prosecute or extradite him under Rome Statute Article 8.2.b.xxiv or corresponding universal-jurisdiction law with no statute of limitations. All of us individually are obligated to incapacitate the worm for detention, whenever he comes out of hiding and we spot him.

SkepticalOctober 21, 2015 5:56 PM


Interesting thread...

On Linux, while I must express my usual disclaimer of complete technical ignorance, there are a number of options that work well as desktop systems and anyone thinking about beginning to use a Linux system may as well give several a try. I'd purpose a non-essential laptop, about which you have little care as to its eventual fate, to use as an experimental workbench, or you can use virtualization software on a system you care more about.

If you grew up on a commercial GUI oriented OS, then perhaps walking through the process of installing LFS or Arch and the initial packages necessary to have a working system with a functioning X11, graphical login, and windows manager or desktop environment would be educational and useful. You'll find that there are many - perhaps too many - options. At a minimum though, you'll find yourself with a sense of the landscape after a week or two. If you're very comfortable building from source (and somehow escaped any familiarity with Linux at all while acquiring such comfort), then Gentoo may be a profitable option here as well.

Otherwise the major differences between distros suited to desktop systems lie largely in the ease, extent, and means by which non-open-source software is made available and how promptly (and automatically) updates are provided, how actively the distro is developed, in the emphasis on one desktop environment or another, and of course in the nature of the packaging software that lies at the trunks of the major distros (e.g. rpm vs deb).

Depending on the use case and with significant exceptions, in my wholly ignorant opinion, a Linux distro will not necessarily hold much security advantage over a maintained Windows system with a reasonably intelligent operator behind the keyboard.

For many, the bottom line is that certain Windows software is simply essential to communicating effectively and to getting work done. And, despite my misgivings about where Microsoft may be headed from a user-privacy vantage (though I believe this is more up in the air than some here have opined), there actually is a lot to like about Windows and Windows development. I'm even considering giving up my punch cards and adopting it.

As to other options, such as Qubes... my ignorance here is even more profound than wrt other topics, and so I have little to say other than that the developers appear well motivated, committed, and sophisticated - all judgments I am in no way qualified to make and for which I lack anything approaching sufficient evidence. But the use-case for Qubes is in part as a replacement for physically separated systems, and for one to buy into it as such a replacement, one must have a very high degree of confidence in its use of virtualization to achieve isolation of processes from one another. Since I am unable to assess the arguments of the developers for the soundness of their concepts, other than noting that they seem sound if one accepts certain assumptions - and my inability is meaningless - I await testing/reviews from external organizations.

From a convenience vantage, on any well powered system Qubes is quite slick and easy to operate. And if you know more about virtualization and the ability to achieve isolation between machine instances running on top of Xen than I do - a claim which any of my three German Shepherds could probably signal with fair credibility - then you may find it equally impressive from a security vantage.

Of course, there are always Robert Morris's three rules of security that obviate all of the above.

I should also mention that none of the above will be of much help if you are engaged in any criminal enterprise which has attracted the attention of law enforcement. Take some of the brightest minds and most experienced researchers in the applicable fields, add the strong motivation of helping shut down an operation that is harming others, and mix the ingredients of Western government support, and the half-life of the security of any system accelerates appreciably.

And as to Wikileaks posting the personal information of Brennan - the organization seems to be little changed from the one which, if I recall correctly, at one point harvested user content from an exit node it operated (I may of course be mistaken). That is to say, it is an organization which continues to fall significantly short of reasonable standards of ethics and honor. Its actual conduct makes a mockery of anything laudable in its claimed aspirations.

Miguel SanchezOctober 21, 2015 7:39 PM

@Skeptical, and to observers

...vis-à-vis Windows or Linux if engaged in a crime...

I should also mention that none of the above will be of much help if you are engaged in any criminal enterprise which has attracted the attention of law enforcement. Take some of the brightest minds and most experienced researchers in the applicable fields, add the strong motivation of helping shut down an operation that is harming others, and mix the ingredients of Western government support, and the half-life of the security of any system accelerates appreciably.

As often as people on this forum speak of their extensive efforts at secrecy, I think that one can actually assume that none of them engage in any manner of crime whatsoever. So, it is kind of a show. What is there to be so secret about? Why engage one's mind so relentlessly towards such secrecy? Week after week, month after month, as if oblivious to the fact that this is performed in public. Perhaps one could say it is some form of highly entertaining security theater.

After all, not all security theater should be surmised as bad, any more than it should be surmised that all manner of obscurity is bad for security.

to the aside:

I find, here, Skeptical's insistence that anyone is engaged in Bad Things from these angles as very amusing. At best, the political discourse on this blog is mild. If you wish to find extreme political discourse, go and look at the comments of any major news site.

Those matters said, which is better against an encroaching nation state, be it a western power, or asian, or otherwise? Well, in these factors, obscurity is largely what matters. Nobody is looking for anyone who remains off their radar. The war is won and kept won, because there is zero effort invested in breaking their security to begin with.

And as to Wikileaks posting the personal information of Brennan - the organization seems to be little changed from the one which, if I recall correctly, at one point harvested user content from an exit node it operated (I may of course be mistaken). That is to say, it is an organization which continues to fall significantly short of reasonable standards of ethics and honor. Its actual conduct makes a mockery of anything laudable in its claimed aspirations.

The only real news issue with Wikileaks and the "CIA hack" is, yet again, a demonstration of the horrible job performed by US intel leaders. Wikileaks is absolutely inconsequential to the story. Blaming Wikileaks is the work of those who already do not understand how computers work at a fundamental level. If it were released via pastebin, no one would be making the 'medium the message'.

As with Snowden, as with OPM, as with the failure of the intelligence regarding WMD in Iraq - as with so very much - yet, again, we see just how un-intelligent America's intelligence infrastructure truly is.

(Not that it matters much. It only matters if you are the sort that actually believes it is daylight where you are standing, when it is, in fact, darkest night.)

If there is anything even mildly interesting in the story beyond what has so far appeared it is how everyone takes it at face value. Who is this stoner teenager, and why was Brennan's SF86 form in his AOL account? Isn't it just a little odd that SF86 forms have been leaked from 20 million plus Americans just recently under Brennan's watch? A little coincidental?

If the little car that is driving around aimlessly in circles before us which is American intelligence stops, fully expect a whole bunch of very big clowns to get out of it.


SkepticalOctober 21, 2015 8:14 PM

@Miguel: I find, here, Skeptical's insistence that anyone is engaged in Bad Things from these angles as very amusing.

I did not insist on anything of the sort. Instead I noted the irrelevance of the discussion to any who might be engaged in such enterprises. We seem to agree on this point, given your later remarks about obscurity, which might make your amusement the source of bemusement to some.

The only real news issue with Wikileaks and the "CIA hack" is, yet again, a demonstration of the horrible job performed by US intel leaders. Wikileaks is absolutely inconsequential to the story. Blaming Wikileaks is the work of those who already do not understand how computers work at a fundamental level. If it were released via pastebin, no one would be making the 'medium the message'.

Ah yes, the fallacy of "the story", as though there is only one aspect of a series of events that we should focus upon. Whether the widespread adoption of this fallacy derives from the infection of our minds with concepts of public relations or from simple carelessness is an interesting question.

There are at least several aspects to "the story." There is Brennan's use of the account to save old drafts of documents dating several years ago (presumably forgotten); there is the manner in which the account was able to be (repeatedly, allegedly) compromised; there is the decision of Wikileaks, having come into possession of emails taken from the compromised account, to publish them.

As with Snowden, as with OPM, as with the failure of the intelligence regarding WMD in Iraq - as with so very much - yet, again, we see just how un-intelligent America's intelligence infrastructure truly is.

You've managed to take 4 remarkably different episodes spanning at least 13 years and coalesce them into a judgment of the capabilities of what must be one of the largest and most well-funded collections of intelligence agencies on the planet.

But if you say so...

DanielOctober 21, 2015 8:28 PM

Ah yes, the fallacy of "the story", as though there is only one aspect of a series of events that we should focus upon. Whether the widespread adoption of this fallacy derives from the infection of our minds with concepts of public relations or from simple carelessness is an interesting question.

https://www.youtube.com/watch?v=P0jiALPCtH8


Has something to say on this point.

Dirk PraetOctober 21, 2015 8:51 PM

@ Skeptical

On Linux, while I must express my usual disclaimer of complete technical ignorance, ...

In which case you are the only non-technical person I know who has actually heard about stuff like Qubes and Xen whilst also knowing the difference between .rpm and .deb packaging systems 8-) Either you've been paying some serious attention to some of the discussions here, or you've taken some kind of management class on this topic.

... a Linux distro will not necessarily hold much security advantage over a maintained Windows system with a reasonably intelligent operator behind the keyboard.

Depends on the distribution you go with. Although a stock Fedora or OpenSuSE installation has quite an attack surface, from a security angle I will still prefer them over a vanilla Windows installation. And with the exception of Ubuntu, I'll prefer any Debian-based distro over Red Hat/SuSE. Which in their turn I will discard for a well-installed and configured BSD system. And we can go on.

In my experience, the average Windows/OS X user has no clue whatsoever how to improve security on his/her machine, and in essence the same goes for the average desktop technician and company IT guy too. And even though both MSFT and Apple have significantly improved default security over the years, a privacy-conscious person has no reason whatsoever to go anywhere near known data miners and PRISM associates.

For many, the bottom line is that certain Windows software is simply essential to communicating effectively and to getting work done.

Actually, no. This is a myth about as persistent as Macs not being vulnerable to viruses and malware. Admittedly, there is a serious learning curve when transitioning from Windows/OS X to Linux, but after a while you will find that you don't need either for personal, regular day-to-day communications and average computer usage but for convenience purposes. For work, it's a different thing. A designer needs his Adobe Suite, an architect his Autocad and Vector Works stuff. Little point trying to get those to work on Mono/Wine. While LibreOffice may suit your every need, it can still be rather cumbersome when everyone else in the company is on Microsoft Office.

Which is why I maintain a strict separation between "work" and private machines/VM's.

And as to Wikileaks posting the personal information of Brennan ...

It's what they do. We may question their motives and MO, but the fact of the matter remains that Mr. Brennan is in clear violation of security policies an ordinary employee or contractor gets sacked for and loses his security clearances over.

Gerard van VoorenOctober 22, 2015 3:07 AM

@ Skeptical,

About the Brennan SF86 AOL leaks,

Dirk has a point. The media is picking up the result, not the start of the story.

The questions that should be asked and investigated are who put the data onto AOL, why, when, where, how and what the consequences of this action will be.

To me, it looks like USG is still on a crusade to kill Wikileaks and leakers in general, but if Brennan is the guy who put the data on AOL himself, he is a leaker as well and he should know better.

About OS's,

Just use Windows when you have nothing to hide.

@ Miguel Sanchez,

About "females in charge",

> Ultimately, the solution probably will be about moderating natural testosterone levels in
> people, so as to reduce conflict, aggression.

> Only leaders should be in the male role, and everyone else should be chemically and
> probably physiologically neutered or feminized so we can have a much healthier,
> productive society without wars, violent crimes, or conflict.

Well, *real* leaders take a taste of their own medicine. Hitler for instance really believed in what he did. He was a fanatic, idealist, brave and not scared. He also didn't drink, smoke, have sex and didn't eat meat.

So if you desire your ideal world, go see a doctor and get rid of your balls.

Don't count me in with your movement.

CuriousOctober 22, 2015 3:24 AM

Mailing list discussion about some kind of redirection feature with TLS.

https://mailarchive.ietf.org/arch/search/?email_list=tls&gbt=1&index=nkOAo8dR5tiZugW4pTgyLq7U240

I am not the best to present this, so I hope I didn't misunderstand what they are discussing: I got the impression that this might be about having some future TLS protocol allowing redirects on secure https connections, but then it seems to be pointed out that this would allow man-in-the-middle attacks.

CuriousOctober 22, 2015 5:24 AM

I see that big national online newspaper in Norway (national broadcasting corp) has an article about the recent CIA John Brennan email leak, and imo effectively ends up putting a predictable anti-Assange & nothing-to-see-here spin on it. This is possible by simply pasting brief articles from the local telegram news service (similar to Reuters), with no real editorial content themselves.

The text makes the point that the leak is not about top secret documents, but instead sensitive information, and adds that there is a 47 page document that, in addition to revealing a questionnaire for security clearance from 2008, also mentions details about Brennan's family and his private life, and adds a reference to Assange by making the misleading description in which Assange is described as having fled from rape accusations and thus ending up in the Ecuadorian embassy in London. The end of the article points out that the hacker is 13 years old and expresses sympathies for the Palestinian cause.

Somewhere in between the lines of text, they added a hyperlink to an NRK story of 1 Oct 2015 about a document dump from Wikileaks, sort of patting themselves on the back about that document dump re. threat reporting in the war in Afghanistan, adding that they don't have the intent of reviewing all of it. Another hyperlink was inserted about a 2012 NRK story, about a general John Allen having lots of potentially indecent emails to a woman named Jill Kelley.

65535October 22, 2015 5:51 AM

@ Bob S.

[More on CISA]

Emptywheel notes that a new anti-scrub add-on amendment regarding personal data by the DHS effectively causes unmasked personal data to flow to the Federal Government and its agencies (NSA, FBI and so on). This is akin to a full-take fiber tap of American citizens' data. This provision should cause privacy advocates much pain.

[Emptywheel]

“…if you had any doubts the Intelligence Committee is ordering up what it wants in this bill, the language permitting them a veto on privacy protections should alleviate you of those doubts.

"On top of NSA and FBI’s veto authority, there’s an intentional logical problem here. DHS is one of the “appropriate Federal agencies,” but DHS is the entity that would presumably do the scrub. Yet if it can’t retain data before any other agency, it’s not clear how it could do a scrub… this seems designed to lead people to believe there might be a scrub (or rather, that under CISA, DHS would continue to do the privacy scrub they are currently doing) when, for several reasons, that also seems to be ruled out by the bill.”-emptywheel

If Emptywheel is correct, all of us should be concerned. We, [including the EFF, ACLU and so], should contact our Senators and let them know the average citizen doesn’t want his data shared with the entire Federal Government.


https://www.emptywheel.net/2015/10/22/the-pro-scrub-language-added-to-cisa-is-designed-to-eliminate-dhs-scrub/

Miguel SanchezOctober 22, 2015 8:32 AM

@Gerard van Vooren

Well, *real* leaders take a taste of their own medicine. Hitler for instance really believed in what he did. He was a fanatic, idealist, brave and not scared. He also didn't drink, smoke, have sex and didn't eat meat.
So if you desire your ideal world, go see a doctor and get rid of your balls.
Don't count me in with your movement.


I was joking. I apologize. I was giggling so bad, I wanted to end that with "joking", but then, that so often kills the humor of it.

There is some truth to it, but such a truth is something people have never heard before and should consider ongoing.

That truth does not mean the answer is to poison the water with testosterone blockers, or treat every pregnant woman.

It is also true there are other biological factors which cause bias and so fallibility. Such as human incapacity to process information as well as they could or think they do.

Oxytocin is a naturally occurring chemical used to bond people together, but it also has adverse reactions with those dissimilar to those you are bonded with.

If one wants to 'play God' with society, one might as well move out to an island and change one's name to Dr Moreau.

Or, we could put everyone in tanks that control their minds, taking a cue from the Daleks in Dr Who.

(Though, sadly, it is all too true that if testosterone blockers were in the water, there would be so many fewer problems.)


Miguel SanchezOctober 22, 2015 8:47 AM

@Curious

I see that big national online newspaper in Norway (national broadcasting corp) has an article about the recent CIA John Brennan email leak, and imo effectively ends up putting a predictable anti-Assange & nothing-to-see-here spin on it. This is possible by simply pasting brief articles from the local telegram news service (similar to Reuters), with no real editorial content themselves.

It should be noted people have a horrific bias towards authority. I think this is the reason for much media bias, as opposed to conscious conspiracy. It is, rather, unconscious conspiracy. Just as kids in high school are not consciously conspiring to make football players and cheerleaders tops, but unconsciously they sure do.

While America is surely not authority over Norway, much of their government would be treated as if but an extension of Norwegian government. Just as when Americans might read a news story about Norwegian cops investigating a murder and listen to their detective's opinions as authoritative, so too backwards.

Further, there is another problem with the CIA hack news story, beside that I believe the source is unvetted (is it really a 13 year old hacker)... which is that not much information has been put up.

Name, address, phone number. What is that. SF86 data. What one can probably get from wikipedia.

A position paper from seven years ago on Iran?

A draft position paper at that?

One which argues for the new President at the time to take a softer stance, as they did?

John Brennan, spectre of the cybersphereOctober 22, 2015 9:10 AM

More Komedy Gold from Brennan's grampa computer and his AOL cyberwar command center:

Reid: "The HIST data indicates there are 1.8mm "name nominations" in the dataset ... That just seems excessive - it's 7% of the IZ population!!"

Pickett: "Excessive is right... Many of the analysts on the project agree that the criteria is too broad and catches subjects who really shouldn't be nominated."

And that's the contractors, who live off greased MIPRs from the crooked dimbulbs of CIA. Even they know Clapper's Stasi's a pathetic joke. It's 'Ndrangheta with no market discipline.

Time to do some zero-based budgeting. First step, a couple dozen ship-launched Kalibr SS-N-30As for Langley, the Farm, Camp Swampy, No Man's Island, the fusion centers where they turn the cops into Junior Spy Cadets, Mena and Venice Airports, and the CIA pedophile blackmail seraglios that Epstein runs for them. Nowadays they're all disabled jarheads who got their brains scrambled by IEDs. Just put em out of their misery.

Gerard van VoorenOctober 22, 2015 10:49 AM

@ Miguel Sanchez,

> I was joking. I apologize. I was giggling so bad, I wanted to end that with "joking", but
> then, that so often kills the humor of it.

The problem with irregular posters is that you don't know "who" they are. At the risk of feeding a troll I decided to take a shot to figure out what you meant. Well anyway just forget it, it was a nice laugh. About the rest of your argument, I hear.

boo hoo hoo Fadda help me I'm nutsOctober 22, 2015 10:54 AM

Poor poor John Brennan, kicked in the privacy nuts! How very unfair to the unsung heroes who burned Wilson's wife.

Gee, wonder why Brennan went to a shrink. Maybe Mister Holytoes has a sad about shipping Maher Arar off to Syria get his penis slit apart like a bloomin' onion. What kind of mackerel-snapper are you? Just go confess.

Dominoes vobiscuits, wavety wave, Your penance is 60 million Hail Marys in the Norgerhaven chapel.

Miguel SanchezOctober 22, 2015 3:14 PM

@Gerard van Vooren

The problem with irregular posters is that you don't know "who" they are. At the risk of feeding a troll I decided to take a shot to figure out what you meant. Well anyway just forget it, it was a nice laugh. About the rest of your argument, I hear.

I have yet to even figure out who I am, my own self. :-)

Who are you, really?

I once had my wife look at one of these threads and try and guess which one I was. She chose Skeptical. I was flabbergasted. But, the reality is, all too often I talk as if I am from England or something. Or like that guy in Sleepy Hollow. A little too formal.

(I personally believe Skeptical is trolling me, because he does write like how I often write. I obviously usually have very different opinions than his. Which makes his posts all the more annoying.)

But... vive la difference.

What is our DNA for our soul? Is it found in the way we collect and spin out letters and numbers on paper, or in electronic form?

Hrrmm. ;-)

ianfOctober 22, 2015 6:00 PM


@ Gerard van Vooren […] “The problem with irregular posters is that you don't know "who" they are. At the risk of feeding a troll I decided to take a shot to figure out what you [Miguel Sanchez] meant. Well anyway just forget it, it was a nice laugh.

I don't have your powers of perception, nor, thanks to life-long study of the oeuvre of that famed cryptographer Sherlock Holmes, your apparent brakes on deduction. I don't find it hard to decode who that Sanchez pseudonym is, even though Mr. False Modesty here says QUOTE I have yet to even figure out who I am, my own self ENDQUOTE.

In short: he's full of it, thinks 'self the bee's knees of the intellect.

The proof of that is in the pudding (recipe on request): unable to convince @Skeptical of how wrong he is, and earlier becoming an object for my hyperbole, he uses the first thoughtlet that comes to his mind to hit back:

    MS: “you [=Skeptical] and ianf can argue amongst your selves, if you are not the same person, which I think you are”.

(That despite the fact that even his own wife thought @Skeptical sounded just like her Miguel… the same turgid prose, same convoluted reasoning, same inability to reflect over what one has written. The act of expression like that of excreting, except here from the thought bowel).

As Dire Straits sang on CityFM: "you meet all kinds in this line of work."

BTW. FTR I don't engage with Skeptical… what would be the point? QED.

Miguel SanchezOctober 22, 2015 7:33 PM

@ianf, et al

I don't have your powers of perception, nor, thanks to life-long study of the oeuvre of that famed cryptographer Sherlock Holmes, your apparent brakes on deduction. I don't find it hard to decode who that Sanchez pseudonym is, even though Mr. False Modesty here says QUOTE I have yet to even figure out who I am, my own self ENDQUOTE.
In short: he's full of it, thinks 'self the bee's knees of the intellect.


The only one making claims of intellect here is your own self. You are the only one making any claims of intellectual prowess here. I might note, you are off on a frenzy. This is a security forum, and merely chaining together two pieces of highly circumstantial evidence to produce a "fact" is very weak.

There is an unspoken gentleman's code here, which I do hold to. As anyone can put anyone else's name, I surely do not take advantage of that and claim to be someone I am not. So, no, I am certainly not "Skeptical".

FYI, I have made this exact same claim once before in the past. The story about my wife. But, I did not state it in the same way.

However, I am not going to list out nicks I have used to post here over the years. That is against protocol.

That would destroy the security of every single nick.

I do change my nicks routinely, but I try and keep a regular nick going when I stay for awhile.

This, too, I have said before, in another way.

That chains together maybe five nicks, which is a throwaway.

But, I also do not engage in trying to deliberate the true identity of any poster. I find that in poor taste. Should we not have anonymity at such a site? Anyway, what would our non-anonymity be? A nick?

As for your hyperbolic post, it was hyperbole. And...? Real simple point many do not get, that they can grab all the data in the world, but that does not mean they can do anything with it. It is trying to drink from a firehose. It misdirects them. And, I well pointed out it misdirects them by the very definition of the attempt: instead of putting all those resources on good targets, then scope out to try and include not just one or two other targets. But everyone on the planet.

I do believe that is a very important point to make against the domestic surveillance systems, and against the wanton international surveillance systems. Because they don't care about privacy. They do care about results. And they get the opposite of results by focusing in those directions.

Nothing intellectual about it.

And as for persuading Skeptical on anything? He does not do that. Skeptical is also surely not real, as everyone has certainly at least figured that out.

That is, it is an act some guy is doing for some unknown reason.

That... is my sherlock holmes two cents on any such matter.


Miguel SanchezOctober 22, 2015 7:35 PM

Correction:

But, I also do not engage in trying to deliberate the true identity of any poster. I find that in poor taste. Should we not have anonymity at such a site? Anyway, what would our non-anonymity be? A nick?

Obviously, not beyond a statement or two, is what I mean.

Nick POctober 22, 2015 11:46 PM

@ Clive Robinson

re NSA announcement on ECC & post-Quantum

Replied to it while feeling vindication about being one of the only people sounding a warning on ECC for years. Remember me getting mocked here for polyciphers, split asymmetric, and anti-ECC while each crumbled with one attack after another? And now NSA says leave it all if it's classical and asymmetric plus (that I know) no solid recommendation for post-quantum. Everyone is freaking out but I think this is a perfect "known unknown" that shouldn't be confusing. I wrote it up as follows.

"It's a pretty straightforward situation for anyone whose done high assurance security long enough. I've already posted about problems and solutions in asymmetric crypto on forums ranging from Bruce Schneier's blog to Hacker News recently. The risk was obvious before anyone even encouraged uptake of ECC despite the laughs and counterpoints I got. So, here it is again.

Most important: Watch what NSA use *themselves* for most critical stuff and what they've put into it. That was usually Suite A or B algorithms run through rigorous Type 1 requirements focusing on elimination of all protocol weakness (IPsec vs HAIPE), careful (often hardware) RNG's, minimal TCB's, enumeration of every state of design w/ errors states proven fail-safe, repeat at each layer, thorough analysis of implementation for flaws, and EMSEC. Already says most stuff on market is insecure, helped me predict many TAO attacks, and tells us what to focus on. But what about ECC itself?

They didn't publish enough to reverse engineer that. So, here's the possibilities.

1. Classical algorithms are safe from classical attacks.

2. Classical algorithms are safe from quantum attacks.

3. "Post-quantum" algorithms are safe from classical attacks.

4. "Post-quantum" algorithms are safe from quantum attacks.

At any point, their recommendations will reflect their beliefs on these for Type 1 at the least and Suite B if they're not playing a BULLRUN scam. Their best recommendation was Suite A or B symmetric ciphers with FIREFLY protocol (Photurius variant) in product. That means they trusted both types of crypto when implementation and configuration had correct properties. This implied they believed 1 and 2 were correct while giving us no data on 3 or 4.

Note: I didn't trust ECC specifically at this point because assessing the math's security wasn't as clear as RSA, etc. Plus, we knew from their fight with strong crypto they couldn't beat the prior stuff any better than public cryptographers. So, why not use what's proven? My motto is "tried and true beats novel or new" for high assurance. I recommended against ECC wherever possible as the risk was unknown from my vantage point.

Recently, NSA has advised against ECC (surprise!) and talked of the need for post-Quantum algorithms. That means ECC is not safe from classical, quantum or both attacks. Carefully note that them saying it's about post-Quantum doesn't really mean the risk is quantum: it could be a classical risk that existing or proposed post-quantum systems don't have w/ knocking out future, quantum issues being icing on cake. They're known for misdirection on both defense and offense.

What we know:

1. Classical algorithms, esp ECC, are potentially broken now or within some time frame.

2. They're neither really pushing nor fighting existing, post-Quantum schemes. They're also researching more.

Note: The post-Quantum schemes have risk of classical attack as not enough analysis has been done in general and there have been some negative results. One needs classical and quantum security. Them seeming on the bench counts as a risk unless someone has specific recommendations from them I haven't seen yet.

3. They encourage strong, symmetric ciphers.

4. They're still heavily funding mathematical methods and tooling that find flaws in protocols, algorithms, implementations, microcode, and hardware.

The security recommendations follow naturally from that and corroborate my older ones. The oldest (and best) was to use symmetric (eg PSK, TTP, HSM's) wherever possible. Most security across the board. The next was obfuscation and computational complexity added to proven, classical scheme if performance or cryptosystem choice were issues. Next was secret splitting of key to be exchanged/signed with one or more each of classical-resistant and quantum-resistant algorithms. Most recent was splitting among as many as feasible with different paths of attack (eg RSA, NTRU, McEliece). Newest is a hybrid that uses asymmetric crypto that's strong against classical attack, immune to quantum, and fast. Probably try putting it into a journal or something instead of failed strategy of forums, etc. Just combines some proven stuff if you're wondering: nothing new like usual for real security.

In any case, there's no reason for conspiracy theory. Just look at what depends on what in their claims. They've been worried about quantum attacks on the main algorithms with evidence they might be achieved. There have been classical issues on at least one post-Quantum algorithm. There's also the general principle of assuming things insecure until thorough, peer review. Further, their defensive arm already told us (and contractors) to prepare to ditch the classical algorithms. They also reinforced that symmetric stuff works.

Result: (a) using symmetric is strongest, (b) using main asymmetric is weak 1-2 ways, (c) using post-quantum might be weak 1-2 ways.

Easy conclusion: combine the three for best results or at least the latter two with one classical and one quantum. Use their key sizes or higher with highly assured implementation for each. Looking at the foundation of their claims, one doesn't need tons of pages of math or argument to understand the situation or solve it. It's a "known unknown" where you can infer enough of the problem to solve it without further details. So, we should just try to implement the only known solutions while cryptographers work out the rest of the details over time and maybe invent asymmetric stuff that will last. I have my doubts but wish our talented cryptographers the best..."
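
The "combine the three" conclusion and the earlier "secret splitting of key" idea, as an added example (not code from the thread, from Nick P, or from NSA): one session key is derived from several independent shared secrets, so that a break of any single mechanism leaves the key intact, and an XOR-split variant carries one share per exchange. The `psk`, `classical` and `post_quantum` secrets are constructed placeholders standing in for an HSM-provisioned PSK, an (EC)DH result and a post-quantum KEM result respectively; `combine_secrets`, `split_key` and `join_key` are names chosen here, not a library API.

```python
"""Added example: hybrid key derivation plus XOR secret splitting.
All shared secrets below are constructed placeholders; a real system
would obtain them from a pre-shared key, a classical (EC)DH exchange
and a post-quantum KEM."""
import hashlib
import hmac
import os
from typing import Dict, List


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract with HMAC-SHA-256."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand with HMAC-SHA-256."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def combine_secrets(secrets: Dict[str, bytes], context: bytes) -> bytes:
    """Derive one 32-byte session key from several independent shared secrets.

    Every component goes into the HKDF input keying material, length-prefixed
    so that distinct input sets cannot produce the same byte string; the
    component names and the handshake context are bound through 'info'.
    An attacker who learns a strict subset of the components (e.g. only the
    classical one) cannot reproduce the output."""
    if not secrets:
        raise ValueError("need at least one shared secret")
    ordered = sorted(secrets.items())
    ikm = b"".join(len(s).to_bytes(2, "big") + s for _, s in ordered)
    info = b"|".join(name.encode() for name, _ in ordered) + b"|" + context
    return hkdf_expand(hkdf_extract(b"hybrid-kex-v1", ikm), info, 32)


def split_key(key: bytes, n: int) -> List[bytes]:
    """XOR secret splitting: n shares, each to be carried over a different
    key exchange. All n shares are needed; any n-1 reveal nothing."""
    shares = [os.urandom(len(key)) for _ in range(n - 1)]
    last = key
    for s in shares:
        last = bytes(a ^ b for a, b in zip(last, s))
    return shares + [last]


def join_key(shares: List[bytes]) -> bytes:
    """Recombine XOR shares into the original key."""
    out = bytes(len(shares[0]))
    for s in shares:
        out = bytes(a ^ b for a, b in zip(out, s))
    return out


def demo() -> Dict[str, bool]:
    """Both peers hold the same three (constructed) secrets; a hypothetical
    attacker who broke only the classical exchange knows just that one."""
    peer = {"psk": b"\x11" * 32, "classical": b"\x22" * 32, "post_quantum": b"\x33" * 32}
    ctx = b"client-hello||server-hello"  # constructed transcript binding
    alice_key = combine_secrets(peer, ctx)
    bob_key = combine_secrets(dict(peer), ctx)
    attacker_guess = combine_secrets({"classical": peer["classical"]}, ctx)
    shares = split_key(alice_key, 3)
    return {
        "agree": alice_key == bob_key,
        "attacker_recovers": attacker_guess == alice_key,
        "split_roundtrip": join_key(shares) == alice_key,
        "two_shares_enough": join_key(shares[:2]) == alice_key,
    }


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the combination is a KDF over all components rather than an XOR of them: with XOR, an attacker who controls one component's value (say, through a malicious peer's contribution) could cancel out the others, whereas the HKDF construction binds every component and the transcript into the result.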

Clive Robinson • October 23, 2015 7:52 AM

@ Nick P,

There is a small problem behind the argument of "Watch what the NSA does", in that their mode of operation is very different to that of the bulk of internet users in one very important area: Key Management (KeyMan).

One of the NSA's responsibilities directly and indirectly is the management of all Key Material (KeyMat) for the US Government and has been since before asymmetric cryptography was known. Thus whilst asymmetric encryption may be useful to the NSA in some non KeyMan ways it is by no means essential to the entirety of the NSA duties for the USG, in fact very much the opposite.

The same is far from true with the Internet. Although it does not appear so a lot of the time, the Internet's essential foundation is E-Commerce which currently is built fundamentally on Asymmetric cryptography. Although E-Commerce could with difficulty change, other Internet activities could not. Thus any change away from asymmetric crypto would currently be with a near complete loss of anonymity and privacy to all but a few who could surmount the complexities and difficulties and set up their own private symmetric KeyMan systems.

KeyMan / KeyGen is an area --you may have guessed-- I have an active interest in. But unfortunately many others either ignore KeyMan / KeyGen or incorrectly assume it's a solved problem. As Bruce noted some years ago, sufficient was known about basic conventional crypto algorithms and protocols that it was time for researchers to move on to the much harder problem of KeyMan.

Like most other asymmetric crypto EC is really only going to see use as a low level KeyMan algorithm. But its use is in effect replicating a known solution with a new low level algorithm, not coming up with an alternative solution (which we badly need).

Our current KeyMan architectures are hierarchical, such as the likes of Kerberos or PKI or using asymmetric algorithms such as DHE, RSA or EC.

The arguments both for and against hierarchical KeyMan have fallen on how you define and invest trust in the two or more parties involved. Whichever way you look at it the obvious thing is the closer to the top of the hierarchy you subvert trust the more damage you can do.

Thus the likes of centralized authoritarian organisations --such as dictators, police states, IC-- and similar autocratic entities are hierarchical. As history shows that is bad for real democracy in the past, the present and we can assume into the future, until we come up with non hierarchical solutions that give similar if not better benefits without the issues.

The NSA for obvious reasons have no issues that require them to use non hierarchical systems for KeyMan etc. Thus their only real interests are in attacking or discouraging non hierarchical systems.

Therefore the NSA's behaviour that might be valid in other areas can not be carried forward into KeyMan areas.

And from my perspective KeyMan is the real elephant crapping not just in the room but the whole household of the Internet community.

Miguel Sanchez • October 23, 2015 10:18 AM

'quantum cryptography & possible NSA misdirect'

My impression has been they very well may already have quantum cryptography. I know that is a highly implausible pill for anyone to swallow. From these recent reports, I read an indicator that 'they do not have it' is their budget is not so large towards it. I am quite sure there are other indicators that they do not have it.

But, this is an inevitable technology like the bomb was, and they were good enough to keep pretty well quiet on the bomb. I have many criticisms on US intelligence, though I am well aware they are only human. But, they did do by my estimate an amazingly good job on the bomb and that way back when there was not really even an intelligence service. Yes, the Soviets knew, but that was a very rare situation where an adversary country had the capacity to get 'idealist' level moles. Ones who were too good for money.

Now, put that in your pipe and smoke it. But, really, do it. Consider, they may have had it before the Utah building. The Utah building may have been an impetus from this. And, you may be saying quantum computing is theoretical and nothing has panned out yet... but, what do you think they would do if something did pan out? Very well, they could drop untold money right there and then, and start a disinformation campaign about how far off everyone was.

This would probably also mean they would do as they did with the bomb: they would have disinformation, domestic, and internationally; and they would have programs to chase down and destroy or otherwise ruin any competing program. À la Moe Berg and the heavy water plant saboteurs and such.

Not unlike Influx, by Daniel Suarez, one of the better sci fi writers these days, for sure... where there is future tech and a very powerful organization guided to protect it:

http://thedaemon.com/

This is the future of true counterintelligence in a world of ever expanding corporate influence and information espionage.

Miguel Sanchez • October 23, 2015 10:41 AM

@John Galt IV

business as usual around the world http://www.theregister.co.uk/2015/10/22/behind_the_headlines_apt_researchers_face_wrath_of_spy_agencies/

I noticed that article, and it is interesting... but much too vague on details.

I find security bugs and related work, and have been in some intelligence work as a necessity. It may be possible some agencies are intentionally harassing some researchers, but the evidence submitted is entirely absent. They do not elaborate at all. However, because of some of the statements in the article, I do not entirely rule out the article and their sources.

What will happen with anyone who gets involved in intelligence matters is they can come under the microscope. This often by foreign intelligence. Who are they? Are they really just unaffiliated researchers? Are they deep covert government of their country? And so on.

People should be aware that intelligence agencies have some unicorns they chase after, and they will expend enormous resources to do so. One of those unicorns is more details on their most covert agencies and divisions, especially ones off the books. So, for instance, 'illegals' programs and the like, as well as their domestic equivalents.

So, a researcher writing on such an attack might very well raise the ire of an intelligence agency. They might find it implausible that they and their company are unaffiliated.

Harassment very usually is in another category entirely, and it is a knuckle dragger's tactic except in the most rare of circumstances. They see the domestic civilian as being unpatriotic or even attacking their program, and they send them a message.

At one conference a heavy set, oddly quiet but tightly wound appearing guy appeared. He wore, remarkably, leather gloves through the conference. Later I heard from a major researcher who was not domestic to the conference that the man confronted him, threatened to 'kill him in his sleep' if he released any more security vulnerabilities.

We were aghast.

Matter of fact, it should be understood this was probably someone off the rails. That researcher was with his dad, ex-SBS (special boat service). Ever since then, when he came to the states he was with his dad and usually some of his dad's buddies.

I do not think anyone would have created an operation to harass that researcher officially, especially not as that researcher - and frankly so many - tend to have government ties.

(Very, very common either researchers worked at some time for intelligence, or one or more of their parents did, even if through defense contractors. It is just that mindset. Intelligence and comp sec. You grow up in it, you have the genetics, you go into the career.)


Nick P • October 23, 2015 10:44 AM

@ Clive Robinson

"Thus whilst asymmetric encryption may be useful to the NSA in some non KeyMan ways it is by no means essential to the entirety of the NSA duties for the USG, in fact very much the opposite."

"Thus the likes of centralized authoritarian organisations --such as dictators, police states, IC-- and similar autocratic entities are hierarchical. The NSA for obvious reasons have no issues that require them to use non hierarchical systems for KeyMan etc. Thus their only real interests are in attacking or discouraging non hierarchical systems."

These are your main points. I agree that their key management is hierarchical and what they prefer. However, they do *not* fight non-hierarchical designs: DOD and NSA fund lots of research into them, including for operational use. The reason being all the coalitions, etc that aren't easily put into hierarchies in battlefields. Additionally, program verification is shifting a little bit because it's really more like a graph than a hierarchy in real-world systems. So, people are fighting with their models to shove them into one mold or another.

In any case, there is an interpretation of my theory that fits with KEYMAT. We have to separate stuff that's from an organization's goals or nature from what's inherent to the problem domain. So, if we do that, we find the following:

1. Any hierarchical organization can implement a model like EKMS that gets the job done and centralizes cost/operations.

2. Generation and management of KEYMAT on dedicated, highly secure systems.

3. Movement of KEYMAT to users physically with secure devices that protect it.

4. Alternatively, use of well-implemented protocol to do this.

5. Customized versions of proven algorithms for obfuscation.

6. Physical protection of devices containing algorithms or KEYMAT.

7. Accounting for who had possession of these devices.

8. Legal agreements with stiff penalties for breaches of policies related to the devices or KEYMAT.

9. Background checks or other personnel security measures for anyone in the administrative position.

10. Security cameras and guards observing what people do with backend equipment.

11. Physical and EMSEC protection of that equipment.

Now, these are something we can work with. You forgot to mention that the NSA hierarchical approach can be implemented by many organizations because they're similarly hierarchical. If non-hierarchical, there are many more techniques to copy wherever possible. Each prevents plenty of risks. One can choose how much he or she wants to adopt.

Although, I mainly tell people to copy NSA in terms of making protocols less risky and their implementations more robust. Plus not trusting the Internet. Biggest lessons to learn. ;)
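
Clive's point that subverting trust nearer the top of a hierarchy does more damage, and Nick P's point that real-world key management is often a graph rather than a strict tree, as an added example (not code from either commenter, nor from EKMS or any NSA system): a toy key hierarchy in which each node's key is derived one-way from its parent's, measured against a flat pairwise design, to show how many other parties fall with a single compromised node. The hierarchy shape, the node names and the root key are constructed for the demonstration; `derive_child`, `keys_below`, `descendants` and `pairwise_keys` are names chosen here.

```python
"""Added example: blast radius of one compromised node in a hierarchical
key tree versus a flat pairwise key mesh. Tree, names and root key are
constructed; the derivation is HMAC-SHA-256, not any product's scheme."""
import hashlib
import hmac
import os
from typing import Dict, FrozenSet, List, Set

# Constructed hierarchy: root -> sites -> hosts (a KDC/EKMS-like shape).
HIERARCHY: Dict[str, List[str]] = {
    "root": ["site-A", "site-B", "site-C"],
    "site-A": ["A-host1", "A-host2"],
    "site-B": ["B-host1", "B-host2"],
    "site-C": ["C-host1", "C-host2"],
}


def derive_child(parent_key: bytes, child: str) -> bytes:
    """One-way derivation: child key = HMAC-SHA-256(parent key, child name).
    A child key gives no way back to the parent or across to siblings."""
    return hmac.new(parent_key, child.encode(), hashlib.sha256).digest()


def keys_below(node: str, node_key: bytes, tree: Dict[str, List[str]]) -> Dict[str, bytes]:
    """Every key recomputable from one node's key: its own plus all descendants'.
    This is exactly what an attacker holding that node's key can reconstruct."""
    out = {node: node_key}
    for child in tree.get(node, []):
        out.update(keys_below(child, derive_child(node_key, child), tree))
    return out


def descendants(node: str, tree: Dict[str, List[str]]) -> Set[str]:
    """Other parties whose keys fall together with 'node'."""
    out: Set[str] = set()
    for child in tree.get(node, []):
        out.add(child)
        out |= descendants(child, tree)
    return out


def pairwise_keys(parties: List[str]) -> Dict[FrozenSet[str], bytes]:
    """Flat alternative: every pair of parties shares its own independent key."""
    return {frozenset((a, b)): os.urandom(32)
            for i, a in enumerate(parties) for b in parties[i + 1:]}


def pairwise_exposure(node: str, keys: Dict[FrozenSet[str], bytes]) -> Set[str]:
    """Parties whose link with 'node' is exposed; all other links stay intact."""
    return {p for pair in keys if node in pair for p in pair if p != node}


def demo() -> Dict[str, object]:
    root_key = b"\x42" * 32  # constructed root secret
    all_keys = keys_below("root", root_key, HIERARCHY)
    # Compromise of site-A recomputes exactly its subtree and nothing else.
    from_site_a = keys_below("site-A", all_keys["site-A"], HIERARCHY)
    hosts = sorted(n for n in all_keys if "host" in n)
    mesh = pairwise_keys(hosts)
    return {
        "root_exposes": len(descendants("root", HIERARCHY)),
        "site_exposes": len(descendants("site-A", HIERARCHY)),
        "host_exposes": len(descendants("A-host1", HIERARCHY)),
        "subtree_recomputed": all(all_keys[n] == k for n, k in from_site_a.items()),
        "subtree_members": sorted(from_site_a),
        "mesh_exposes": len(pairwise_exposure("A-host1", mesh)),
        "mesh_total_keys": len(mesh),
    }


if __name__ == "__main__":
    print(demo())
```

The comparison is what matters: in the tree, the root key reproduces all nine other keys and a site key reproduces its two hosts, while in the mesh a compromised host exposes only its own five links out of fifteen and forces nothing else to be rekeyed. The mesh pays for that with quadratic key count and distribution effort, which is the KeyMan cost the hierarchy was built to avoid.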

John Galt IV • October 23, 2015 12:46 PM


a couple of links in this article

http://blogs.sciencemag.org/pipeline/archives/2015/10/22/cheap-diverse-accessible-and-novel-not-all-at-the-same-time

reminded me of the intractability of searching the entire parameter space of device states for undocumented features aka backdoors. I found a good article in the academic literature that pointed out what I recall to be five classes of backdoors - some trigger undocumented features with a code that is common to all copies of the hardware, some trigger undocumented features with a code that is tied to time, clock counts, etc., and some trigger undocumented features that are tied to device serial number. the ones that I can't recall may be combinations of the previous three.

the parameter space of very small molecules for use as pharmaceuticals has been explored fairly well, but the space becomes exponentially larger as more atoms are added

http://blogs.sciencemag.org/pipeline/archives/2009/01/21/the_hideous_numbers_of_compounds

"One estimate done by this fragment approach and considering only stable structures came in between 10 to the twentieth and ten to the twenty-fourth compounds that could potentially be prepared using known synthetic methods. (See here for another “how many compounds are possible?” paper, from a different angle – the group that did that work has followed it up recently, which will be the subject of another post sometime). Needless to say, that is considerably larger than the total number of organic compounds ever described in reality. There’s not enough carbon, oxygen, and nitrogen on earth to prepare a vial of each of these, and where would you put the vials? The terrifying thing is that this is actually one of the lower estimates, and thus perhaps a very reasonable and conservative one. You can find ten-to-the-sixtieth estimates out there, which is a figure that cannot be dealt with by human efforts."

these are the kinds of numbers you get when you ask, "how many device state trajectories would have to be checked to find all of the possible triggers for undocumented features?"

these spaces have not been explored uniformly and are intractable for thorough searching with conventional technology. we might hope that quantum computers will allow modeling of those compounds and their interactions in living systems.

this is a nice example of visualization of the sort that might be useful in finding important features in data sets

http://blogs.sciencemag.org/pipeline/archives/2014/09/22/chemical_space

65535 • October 23, 2015 1:56 PM

@ Bob S.

[It has been 1 day but US legislation can move faster than expected. Keep a close eye on the CISA situation]

Is CISA the OK the NSA needs to spy on US citizens? [Soon to be passed].

Here is an analysis by emptywheel:

‘Did FISC approve a cyber certificate but with sharp restrictions on retention and dissemination?’

“Neither ProPublica/NYT nor Mayer claimed NSA had obtained an upstream cyber certificate (though many other people have assumed it did). We actually don’t know, and the evidence is mixed…the government was scrambling to implement new upstream minimization procedures to satisfy Bates’ order, NSA had another upstream violation. That might reflect informing Bates, for the first time (there’s no sign they did inform him during the 2011 discussion, though the 2011 minimization procedures may reflect that they already had), they had been using upstream to collect on cyber signatures, or one which might represent some other kind of illegal upstream collection. When the government got Congress to reauthorize FAA that year, it did not inform them they were using or intended to use upstream collection to collect cyber signatures. Significantly, even as Congress began debating FAA, they considered but rejected the first of the predecessor bills to CISA…

"…my guess is that the FISC did approve cyber collection, but did so with some significant limitations on it, akin to, or perhaps even more restrictive, than the restrictions on multiple communication transactions (MCTs) required in 2011"


https://www.emptywheel.net/2015/10/23/is-cisa-the-upstream-cyber-certificate-nsa-wanted-but-didnt-really-get/


That is a tricky question! What new powers will the government have?

999999999 • October 23, 2015 3:48 PM

And then there is this:

http://www.stanforddaily.com/2015/10/19/edward-snowden-not-a-hero/

Edward Snowden: Not a hero

October 19, 2015

James Stephens james214@stanford.edu

I am sorry to say that my opposition will not be writing the column with me this week. I am looking forward to discussing another issue with him in two weeks. The topic we had planned to discuss this week was Edward Snowden and whether or not we ought to consider him a hero.

Edward Snowden, a computer scientist and former CIA employee, unveiled several National Security Agency (NSA) programs as well as a large number of documents and data to three major media outlets, most notably The Washington Post. Since then, Snowden has become a figure of debate and controversy. Some argue that he went through the proper channels of attempting to redress the issues he saw when he came across surveillance programs he felt were immoral, while others, myself included, argue that he was not justified in dumping sensitive information onto the media.

Snowden caused operational and economic harm in his actions. The threats that the U.S. had been tracking have since learned about the surveillance and adapted. According to former NSA General Counsel Rajesh De, threats have changed strategies in the counterintelligence community because of Snowden's actions. There are sophisticated international cyber threats, and there is a bit of mosaic theory at work here.

In mosaic theory, which appropriately describes how Snowden caused operational harm, several small pieces being aligned at the right time make sense of a greater picture. Programs that had nothing to do with American privacy interests were discontinued, the perfect example being a program used to collect real time intelligence for troops in Afghanistan. So, operationally, Snowden caused harm. Economically, Germany-U.S. relations have now been strained in discussions with ISIS and the economy. International businesses are using this negative cybersecurity attention to essentially beat down the American transatlantic system of data transfer. And as everyone from Stanford probably knows, big data has become the business of business.

Alternatively, he did shed light on the "Section 215 program" that definitely expresses a gap between what public law is and what the public understands. However, what statement are we making by lauding Snowden as a great civil-disobedient citizen who began his correspondence with the media under the pseudonym Cincinnatus?

In Livy's third book of the History of Rome, we learn that Cincinnatus was a statesman and a diligent farmer who was appointed dictator for 16 days before returning to his farm. In what way can Snowden call himself Cincinnatus? We are not in an early Roman institutional construct in which a dictator is necessary in times of upheaval. The U.S. is a democratic republic, and I do not see the democratic tenets pursued and applied in one man's making a decision for the entire nation.

After the announcement of three movies, several books and countless articles, is this celebrity who fled the country a hero? Are we to examine the relationship between Socrates, Gandhi, Thoreau and King and their strife and include Snowden among them? I would like to allow Thoreau to conclude this week's column, as he stated, "Under a government which imprisons any unjustly, the true place for a just man is also a prison."

Skeptical • October 23, 2015 8:10 PM


@Galt: these are the kinds of numbers you get when you ask, "how many device state trajectories would have to be checked to find all of the possible triggers for undocumented features?"

Indeed, I think the practical impossibility of checking every possible state of a particular electronic device forms part of NASA's criteria for what constitutes a complex electronic device.

But perhaps a kind of modularity and testing at the build level would enable one to handle giant branches closer to their root?

@Gerard: Wikileaks has made itself into one aspect of the story by publishing highly personal details that most reputable outlets would avoid. But of course that's in part how Wikileaks raises money. If it doesn't garner public attention, it withers; and to garner public attention, it must either have some truly scandalous material (nothing I've read about in Brennan's AOL account remotely qualifies), or it must act at least somewhat outrageously.

But, the better media outlets have certainly focused on the question of what Brennan had on his account, whether it proper, the gravity of the mistake, what it says about the conduct of public officials generally, etc etc etc.

@Dirk: In which case you are the only non-technical person I know who has actually heard about stuff like Qubes and Xen whilst also knowing the difference between .rpm and .deb packaging systems 8-) Either you've been paying some serious attention to some of the discussions here, or you've taken some kind of management class on this topic.

A little learning is a dangerous thing - I have the good fortune here to know enough that I know quite little. I'll make an analogy to international relations, which pops up here often enough. It's a subject easy to talk about, but one deceptively difficult to understand without absorbing some of the basic literature, understanding contemporary methodological debates and arguments about the best overall framework in which to understand a given set of phenomena, etc.

Folks show up here all the time with completely absurd narratives about how governments work or what's "really" going on somewhere - they have just enough facts (or what they suppose to be, anyway), and just too little background knowledge to assess whether the theory weaving those facts together is plausible.

So while I may enjoy certain technical subjects, I try to avoid fooling myself into thinking that I know more than I do and I'll certainly avoid giving anyone else the impression that I do. I am quite ignorant of many things the names of which I glimpse here and there, on dimly lit signs in the night as I pass through.

Re: the perennial Linux vs Windows security comparison:

Depends on the distribution you go with.

I'd even hazard to say that it depends, period. What functionality do you need? Are you going to configure, or adopt a suitable, SELinux policy? How "safe" are you - and can you be - while operating the system? How well do you know Windows, its weaknesses, and how to protect them (e.g. EMET)? How well do you know Linux? Is physical security of the device achievable against threats against which you wish to prepare?

Although a stock Fedora or OpenSuSE installation has quite an attack surface, from a security angle I will still prefer them over a vanilla Windows installation. And with the exception of Ubuntu, I'll prefer any Debian-based distro over Red Hat/SuSE. Which in their turn I will discard for a well-installed and configured BSD system. And we can go on.

The advantage of the enterprise versions of Red Hat and SuSE is the support - a naive user can get expert level help with configuration. So if money were no object, I don't think I'd be indifferent. I can get an extremely well configured system should I use them. As to the BSDs... the things that I understand about them, at a very superficial level, have been largely adopted by other OSes, no? Or is it a trust in the process and approach of a project like OpenBSD that inclines you, rather than particular design attributes or features? I certainly admire and like what I hear about those projects, and hope they continue. But outside of special use cases related to licensing, I wonder how much of a decision to use a BSD comes down to taste.

In my experience, the average Windows/OS X user has no clue whatsoever how to improve security on his/her machine, and which in essence even goes for the average desktop technician and company IT guy too. And even though both MSFT and Apple have significantly improved default security over the years, a privacy-conscious person has no reason whatsoever to go anywhere near known data miners and PRISM associates.

Which raises an interesting question that others here are far, far better able to answer than I am: how much does that user need to know in order to improve security? Stacks, heaps, overflows, security tokens and security contexts, privilege rings? Or perhaps all the average user needs to know is a small set of practices and concepts highly abstracted from the seemingly endless dimensional extensions of technical turtles, entangled in a quantum sense with God knows what other stacks of species which frequent metaphors and urban myths. Really - who has the time for all those turtles, unless you truly enjoy soup or the view or study these things professionally in some aspect?

Actually, no. This is a myth about as persistent as Macs not being vulnerable to viruses and malware. Admittedly, there is a serious learning curve when transitioning from Windows/OS X to Linux, but after a while you will find that you don't need either for personal, regular day-to-day communications and average computer usage but for convenience purposes. For work, it's a different thing.

Yes, but most of us would include work as part of regular day-to-day communications and computer use.

Which is why I maintain a strict separation between "work" and private machines/VM's.

Sure - always a good idea in general, even at less sophisticated levels than virtualization.

And as to Wikileaks posting the personal information of Brennan ...

It's what they do. We may question their motives and MO, but the fact of the matter remains that Mr. Brennan is in clear violation of security policies an ordinary employee or contractor gets sacked for and loses his security clearances over.

Maybe - it depends in part on what was in those drafts and when he wrote them. More importantly, it's entirely possible to report that aspect of the story without dumping his emails and partially completed SF86 on to your servers for everyone to peruse.

I think transparency of policy - and just as vitally, and far more difficult to achieve, understanding of policy - is vital to a functional democracy. And I believe that a free press is essential to that enterprise; and I think that whistleblowers are an important protection against corruption and abuse.

But Wikileaks just goes so far beyond any of those things as to make me seriously question whether their values are anything more than a moldy mix of half-baked anarchism, outdated pop-neocolonialist theories of the world, anti-Americanism that receives funding from one of the most authoritarian governments on the planet, and sheer ego.

I'm sure for Wikileaks Brennan represents some kind of awful, evil figure. In reality he's an individual in the public service of a legitimate democracy with robust protections for individual rights, who is not corrupt, and who has not broken any laws. There are reasonable arguments against the counterterrorist strategy Brennan backs; but there are also very reasonable arguments for it. And let's be clear: in the real world, i.e. the world of practical possibilities, the alternatives to targeted aerial strikes are bloodier and far more complicated.

Once upon a time I might have said - this small footprint approach is simply political gamesmanship pretending to be effective policy, and the price is counted in billions of dollars of resources and numerous lives injured, wounded, and destroyed, pointlessly, in the service of small wars that merely manage and never resolve the core problems. [NB - I know better today].

But in a democracy you don't always get your favored policy. Once you've lost the ability to understand the perspective of those with whom you disagree, once you rationalize treating them and their private information far outside the norms of any reasonable ethics, then you're no longer an authentic democratic participant. You're someone who puts up with democracy because you must, and you treat all your opponents accordingly. In which case, when you act like what you've become, and I see it, then I will find it offensive.

I obviously have no problem discussing Brennan. But I don't think Wikileaks should get a pass here either.

John Galt IV • October 23, 2015 8:14 PM


@999999999

there is one glaring flaw in the Thoreau comparison. we may note that the Massachusetts state Constitution provides

https://malegislature.gov/Laws/Constitution

...every subject shall have a right to produce all proofs, that may be favorable to him; to meet the witnesses against him face to face, and to be fully heard in his defense by himself, or his council at his election. And no subject shall be arrested, imprisoned, despoiled, or deprived of his property, immunities, or privileges, put out of the protection of the law, exiled, or deprived of his life, liberty, or estate, but by the judgment of his peers, or the law of the land.

these protections were available to Thoreau and he would have used any court appearance as an opportunity to share his views with the jury, spectators and the public. were such protections as a public jury trial available to Mr. Snowden, he has indicated that he would take a chance with a jury of his peers. unfortunately for Mr. Snowden and the other 99%, many of the protections of the United States Constitution, purchased in the blood of our forebears, have been systematically dismantled.

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.