Comments

Winfred Etuk October 30, 2015 4:45 PM

The European Parliament sends a sternly-worded message to the Commission about (lack of) advances in the protection of personal data from government abuse and dragnet espionage against civilians:

http://www.europarl.europa.eu/news/en/news-room/content/20151022IPR98818/html/Mass-surveillance-EU-citizens%27-rights-still-in-danger-says-Parliament

Some significant highlights:

-Europe needs a long-term alternative to Safe Harbor and it needs it soon.
-EU member state governments are encouraged to drop all charges against Snowden and offer him political asylum.
-The “fundamental rights of EU citizens remain at risk.”
-EU member state governments are criticized for their inactivity and “very inadequate” response to the Snowden revelations and the Commission’s report of 2014.
-The Parliament is concerned by the increase in mass surveillance within the EU. The level of detail is damning, they don’t mince their words: France, the UK and the Netherlands are singled out as worrying examples. Germany is believed to be in collusion with the USA, providing the NSA access to internet and telecom data from Europe (a very serious allegation coming from the Parliament).
-The resolution also reiterates a call to suspend the Terrorist Finance Tracking Programme (TFTP) agreement with the US.

So, what’s the catch? The catch is that this is a non-legislative resolution, so it carries no legal weight. There is nothing stopping EU member states from carrying on as usual, or even ramping up their mass surveillance programs in total contempt of this resolution.

Happy Peen October 30, 2015 4:48 PM

This week’s installment on the UK’s abuse of anti-terror legislation:

British police use anti-terror law to seize a journalist’s laptop in order to uncover a source used for a BBC documentary on the terrorist group ISIL:

http://www.nytimes.com/aponline/2015/10/29/world/europe/ap-eu-britain-journalist-terrorism.html

There is growing concern that anti-terror laws in the UK are being used by the government to suppress reports and perspectives from journalists and academics that are not aligned with the government’s public discourse on sensitive subjects. The extraordinarily broad wording of the Terrorism Act and the vast powers it confers on law enforcement bodies mean that the police can choose to seize virtually any material that is loosely related to national security (in its broadest sense), thwarting the independence of journalists and freedom of thought of research bodies.

http://www.washingtontimes.com/news/2015/oct/29/secunder-kermanis-laptop-seized-under-uk-terrorism/

Perhaps the most revealing detail is that the BBC (at Her Majesty’s service) could have challenged the judge’s order in court but decided not to, leaving their journalist and the source completely exposed.

John McAfee: CISA will not Stop a Single Important Hack, let alone Cyberterrorism October 30, 2015 4:53 PM

“On 27 October, the US Senate passed a version of the Cybersecurity Information Act (CISA) that allows companies to share any and all information about their user base with the Department of Homeland Security, who could then pass it on to any other agency. This is a free pass that allows our largest gatherers of information on individual citizens to share info with the government, and they will be given broad immunity even if they have violated privacy laws in the process.”

Waiting for the next mentally challenged 14 year old to be bantered on corporate news. LOL!

http://www.ibtimes.co.uk/john-mcafee-cisa-will-not-stop-single-important-hack-let-alone-cyberterrorism-1526336

GCHQ Terror Squad October 30, 2015 5:50 PM

British Journalist tip:

TAILS…. TAILS….. TAILS….

Why the hell are you storing crap on your MacBook Air for the goon squad to go over?

Did you not learn from the Snowden journalists? Learn good opsec.

Download TAILS (anonymously), install to a USB with a non-persistent volume, create an anonymous account using the encrypted tools at your fingertips & store your little baby in a special hiding place that no one else is familiar with.

The goon squad will then have to deal with an amnesic system & prove that you have in fact, had any contact with anybody at all.

The goon squad is not invincible, in fact, I recall some 20-something-year-old punk from Hawaii who recently ripped off more than 1 million docs from the Yankee spooks using the same tools…

ianf October 30, 2015 6:16 PM

OT
    This was originally intended as a comment in the thread “What do we do with disgraced academics” on Philip Greenspun’s Weblog, but, as comments there were closed, and this is of a general and entertaining value, I am posting it here. Not censorship; simply enacting the promise of the Internet Routes Around Obstacles adage [written 29 October 2015, minimally expanded for this blog].

The debate has moved onto greener pastures, but I can’t stop thinking about this “post-disgrace recycling of middle-aged male academics” theme (it’s not about me, I was never in academia, my dearest is). Male academics, because, although there also have been occasional women “disgracées,” the ones I recall involve all literary transgressions, plagiarism, grant fraud/ research falsification, sloppiness and the like (mainly outside the USA; and with repercussions unknown). I do not recall a single media-spectacular case of a sexually-tainted female academic’s fall from grace. So either such “sexual impropriety” kind of disgraces are somehow tied to the XY chromosomes, or we’re dealing with a social phenomenon – you be the judge.

    In the course of that lazy-boy research, I did however recall another male academic whose post-disgrace fortunes seem significant in the light of Sam Ky’s earlier contributions.

Long story short: in 2012 then 68yo distinguished tenured physics “particle phenomenologist” at a North Carolina university Paul Frampton feels lonely, wants to spawn his genes so they won’t go a-waste, decides to find a mate online. He falls for half his age former Ms. World Bikini Champion “Denise Milani” with impressive mammaries, is immune to warnings that she’s too good to be true, and that he may be texting a scammer. They flirt on the telephone (I would have remembered if also over Skype), the professor beams at his colleagues, who try to still his enthusiasm—all to no avail. After all, he’s not getting any younger, the unbearable urges he feels need to be relieved, and the mix of his brain and her looks sounds promising (apparently the professor never heard what Albert Einstein is supposed to have replied to some vaudeville starlet’s similar proposal).

After a mere 11 weeks of chat, “she” asks him to meet her in Bolivia, where she’s doing a photo job. He flies in, is met by some middle-aged guy who gives him “Denise’s” suitcase; she had to fly back to Europe. He waits 36 hours in La Paz for an electronic ticket to Brussels from “her,” which never materializes (have the scammers decided that he can but be a DEA plant?). Finally he elects to fly back home via Argentina.

He gets busted in transit with 2kg of coke hidden in the lining. Interviewed in custody by journalists, he demonstrates on the back of an envelope how statistically close he is to a Nobel prize (so-and-so many papers and citations frequency in comparison with other laureates, etc). Awaiting trial, he is put on unpaid leave by the Uni, that will, however, contribute to his defense. In court, the prosecutor unveils some texts and jottings down where the accused tried to calculate the value of 2000g of coke = $400,000, as were he to sell it gram by gram himself. He claims it was done post-arrest, the police claim before the bust (let’s give him the benefit of the doubt). His ex-wife says he’s like a child, interested only in esoteric physics… (“He’s naïve – he lives in the stars, at university, in calculations. He wouldn’t know what human beings can do, he wouldn’t even think about it” – that must be why she’s an ex.) One has to wonder how someone like him survived the academic dog-eat-dog ziggurat.

He gets sentenced to 4 years 8 months in prison, with an option (accounts vary) either to be released on bail, or to be transferred to a US jail after half that time. When that happens last year, and he comes back to NC, the Uni board notifies him of terminating his (otherwise unbreakable) tenure. The naive, procreation-hungry lover boy sues for the back pay, and wins some $100k+/year for the 3 years that he was away from the faculty (he claims to have tutored students over the phone from prison in Argentina, but no account that I read offered any corroboration of that). He wins on some technicality, which I am not competent enough to convey properly. Seems like the tenure gave him all the edge he needed. Not sure if he’s still in the USA, or gone back to his native UK.

That’s it in a nutshell. My instinctive reaction is that he got off lightly; were he busted on arrival in the USA, he’d be much worse off tenure-wise, and shaking the bars for a long time (catnip for all prosecutors: Educated White Defendant, as in “Bonfire of the Vanities” by Tom Wolfe). Now in retirement; I wouldn’t worry about his continued peer esteem as he has, after all, become a criminological sensation, been written up in the New! York! Times!. He has written a memoir, which I won’t be reading, as it can but be one big moaning (I’ve read way too much about him already).

Ah, Kidderminster, lovely place, narrow boats flow slowly by…

Alien Jerky October 30, 2015 6:45 PM

A little bit of the lighter side:

Re-Imagined horror stories for millennials from Vice

http://www.vice.com/read/six-horror-stories-updated-for-the-year-of-our-lord-2015-909

DRACULA IS A DIFFICULT BRUNCH GUEST

WE CANNOT GET ANY 4G AND I THINK THIS AXE MURDERER IS GOING TO KILL US

YOU ARE STUCK AT A PARTY WITH A GIRL DRESSED AS A VAMPIRE WHO WANTS TO TELL YOU HOW UBER IS ACTUALLY BAD

OH NO, A MUMMY

A BRAVE WEREWOLF BECOMES CLICKBAIT

THIS GHOST FROM THE PAST IS THE WORST ROOMMATE EVER

Daniel October 30, 2015 7:59 PM

@GCHQ Terror Squad

Yes, I do believe that GCHQ would be promoting TAILS.

  1. TAILS is subject to BadUSB

https://srlabs.de/badusb/

  2. is full of bugs

https://tails.boum.org/support/known_issues/index.en.html

  3. continues to have security holes

https://tails.boum.org/security/Numerous_security_holes_in_1.5.1/index.en.html

  4. has been hacked in the past

http://www.theregister.co.uk/2014/07/23/exodus_intelligence_tails_video/

  5. Remains woefully unfinished

https://labs.riseup.net/code/projects/tails/roadmap

So yes, please proceed and use TAILS. I’m sure the NSA would be delighted.

☺ October 30, 2015 9:23 PM

Thanks, Daniel, for the intensely despondent post.

Adducing the software development process to prove that resistance is futile would be silly, if it didn’t precisely suit the various NATO Gestapos. When someone holds a war game do you tell them to surrender cause the red team might have done things?

You’ve dug up a mixed bag of security holes and irrelevant bugs. In particular, that iframe trick exploiting i2p depends on idiot targets who don’t know enough to use separate browsers for internet and darknet. That consideration has been well known since the days of yore when Freenet was all there was.

There’s an intermittent but vocal contingent here that bases security discourse on the self-defeating premise that TAO will find a way. In the actual world of life, people look at things differently.

Take attacks on the Achilles heel of heels, our horribly porous wireless firmware. Realistically, how does it go? For persistence, the attacker needs root to access the signing key. Can’t get that, darn it, the target has the sense to use a password that’s not PASSWORD. So what, never say die, the attacker fuzzes a beacon or something. Then he fumbles around and finds a trampoline. Now he just needs to get to the kernel! He attacks an application running in userland, some crap swiss-cheese browser, that’s the ticket! But ioctl capabilities are blocked. He goes back to the drawing board and tries something else. All capabilities are blocked. Lather, rinse, repeat through a VM also hemmed in with seccomp, caps, and jails, with complementary applications watching for log alerts or changed files or process anomalies, and a hardened kernel sitting there laughing at him.

That is how security is done, with barriers in series and monitoring systems in parallel. It’s the hoary onion-skin concept: give him lots of stuff to trip on and watch the fun. Mighty TAO can throw money at the problem, but the overwhelming majority of their staff are uniformed button-pushers, as Snowden said and he would know. Their bag of tricks only works if it’s secret and we trust them.

Tailored attacks do not scale, so the more people who take steps to impede illegal surveillance, the more hopeless it gets. When whole continents take countermeasures, as with Europe and CELAC, it’s over.

943615 October 30, 2015 10:23 PM

Anyone have some last-minute Halloween costume ideas that involve Snowden-leaked documents and scaring people with the truth about their own tyrannical government?

My Name is Alex October 30, 2015 11:12 PM

☺ • October 30, 2015 9:23 PM
“Tailored attacks do not scale, so the more people who take steps to impede illegal surveillance, the more hopeless it gets. When whole continents take countermeasures, as with Europe and CELAC, it’s over.”

As a stratagem of war, marginalization is often used to identify and separate targets; learned that from COD. That’s pitting the cream of the crop against MVP targets. Once you got your name out there, speak in front of a conference, name carded with big data, that’s it. No need to get at them all, the cream of the crop is sufficient enough. Rinse and repeat. It’s a shaping of sorts that works like a water conductor, landscaped to channel the few into a point of view. Then pull the surveillance trigger. Some folks expect to be surveilled. They don’t have to know it to know it.

cablecut October 30, 2015 11:59 PM

I’d like to know what any of the experts on here think of the relatively new PGP encrypted email service ProtonMail.

Here are the basics on their security setup:

  • All their servers are based in Switzerland, which is apparently a much more privacy-friendly country and the laws make it harder for both domestic and foreign authorities to get data access.
  • Their primary datacenter is in a former military bunker underground in a mountain with armed guards. The center apparently has some strict security and auditing practices.
  • They use the OpenPGP.js JavaScript crypto library.
  • Your browser generates and encrypts a 2048 bit RSA private key locally. It’s sent to their servers for storage so you can download it every time you log in, even from different machines.
  • There’s an account password and a separate password for the private key.
  • All crypto operations happen locally in the browser, not on the servers.
  • Encryption is on by default for ProtonMail-to-ProtonMail user communication.
  • They’re working on enabling encryption for communicating externally with people who don’t use ProtonMail by setting up an interface for importing public keys.

As we know from Moxie Marlinspike’s critique of Lavabit’s failures, there’s a huge difference between “can’t access user data” and “won’t access user data,” and whether can’t truly is the case for a given system. ProtonMail claims they can’t access user data, but I wonder: how true is this claim?

I don’t doubt the ProtonMail creators’ total sincerity in developing a platform that’s as private as possible. But with so many authoritarian governments worldwide putting intense pressure on Internet/telecom companies to subvert their systems, and many of the companies complying, I find it hard to believe that an organization like ProtonMail could escape that completely. For example, a possible scenario would be that someday ProtonMail faces the choice of either complying with a foreign government’s demand for data or else having their site completely blocked within that country.

So I’d like to hear opinions from some of the people on this site who are more familiar with these types of challenges. What are the weaknesses in ProtonMail’s system, both technically and politically? Is the system significantly inferior to traditional “local-only” PGP? Is this the system we’ve all been waiting for so we can finally set up our parents, relatives, and non-techie friends with secure email once and for all?

(Disclaimer: I’m not affiliated with ProtonMail in any way.)

cablecut October 31, 2015 12:37 AM

@AndrewJ

I know, pretty neat right? And the Mr. Robot team got ProtonMail to implement a new security feature at their request too.

tyr October 31, 2015 12:50 AM

Here’s your scary Halloween movie.

https://thoughtmaybe.com/fillet-oh-fish/

One part of staying secure is to stay alive by awareness of your situation. Pay particular attention to the part where conflict of interest and government collide with Monsanto. The only thing he didn’t pick up on is the defoliants that are washed into the Mekong when it rains. If you want a horror double feature there’s a peach done by Pilger about Viet Nam chemical warfare on the same site.

Tor could use some beta testers for the addition of skype style programs over Tor browser. We can’t wait for perfect; we need some usability now.

Clive Robinson October 31, 2015 2:05 AM

@ 943615,

Anyone have some last-minute Halloween costume ideas that involve Snowden…

Costumes / fancy dress are a problem for a person of my stature…

For an idea as to why watch the James Bond movie “Moonraker” where Jaws is dressed in carnival dress the head of which could be seen as a “Snowden horror mask”.

Wael October 31, 2015 2:20 AM

Speaking of Halloween, the other day I went to the supermarket and bought some candy and rat poison. The clerk gave me a really strange look. Can you believe that crap? 🙂

joem October 31, 2015 2:41 AM

@wael you should have also bought some rope and lube to really mess with their scrutiny of your purchases. see how long it’d take for them to call the police. i bet they’d be pressing the silent alarm button under the counter so hard.

Wael October 31, 2015 2:55 AM

@joem,

Yea, that would do it. But whatever you do, never buy fertilizer and diesel fuel. That’ll get you in a big mess. Ahhhh… combinations of things you buy that’ll get you in trouble…

Curious October 31, 2015 3:45 AM

Off topic: (Random thought about elliptic curve crypto, from someone that doesn’t know much about it)

I am wondering, is there perhaps any interesting connection between elliptic curve crypto and the way some curves are drawn? Specifically, I am thinking of things like b-splines and nurbs curves.
https://en.wikipedia.org/wiki/B-spline

It is worth noticing there that such curves have control points outside the curve defining the curve’s shape.

Curious October 31, 2015 3:51 AM

“DMCA Ruling Ensures You Can’t Be Sued For Hacking Your Car, Your Games Or Your iPhone”
http://www.forbes.com/sites/thomasbrewster/2015/10/27/right-to-tinker-victory/

“There was a big win for the digital rights community today, with a ruling that ensured it was legal for anyone to tinker with their motor, their iPhone or whatever technology they’d purchased. But the freedoms will only last for three years, when the fight between anti-tinkering corporations and activists will resume, absent any major legislative changes.”

ianf October 31, 2015 3:55 AM

@ cablecut […] “a possible scenario would be that someday ProtonMail faces the choice of either complying with a foreign government’s demand for data or else having their site completely blocked within that country.”

A somewhat plausible script, but presumably the provider would notify all subscribers, and specifically those from the target country, of that outcome. And even were that to happen suddenly without warning, user data would presumably still be safe. I said “somewhat,” because from the IC point of view, ability to gather the incoming (even if currently unencryptable) data would be more valuable, than merely blocking their entry (then again the second doesn’t prevent the first—but as that data never reached the addressee, how could they ever be held liable for their reception?). Also, wouldn’t the PM’s encrypted “traffickers” automagically flag their existence as potential secret hoarders to their repressive government?

I will evaluate the service, but then there’s always the risk that the NSA already MITM-resides in my router, my iPhone, my upstream server. So, were I to plot anything, I wouldn’t be plotting in this multiple-3rd-party-forwarder fashion anyway.

    ADMINISTRIVIA. I shouldn’t have to thank you for clearly bulleting the points, but you should know it hasn’t passed me by: every extra minute that you spent on formatting that post is visible RIGHT UP THERE ON THE SCREEN[*]. So sad so few otherwise highly intelligent people here pay so little attention to information ergonomy, hardly a rocket science.

@ AndrewJ […] ProtonMail’s geek creed due to deployment in the Mr. Robot TV series

I know some here think the world of that TV series because it correctly uses the buzzwords, names tech protocols, etc, but—guys!—go back to polishing that bash-everything script, leave film criticism to those who can see beyond the meaning of /dev/null. I could barely sit through 15 minutes of the first episode, 5 minutes of subsequent ones, so irritated I got at its wooden, stereotypic storytelling, and other common ills of episodic cinema. So in my eyes, the incestuous connection of “Mr. Robot” to the ProtonMail speaks more against, than for the latter. Frankly, for a film targeted at the general public, I have more respect for the idiot “It’s a Unix system, I know that!” scene in Jurassic Park, (a.k.a. unix for morons), than this drama’s allegedly wink-wink cryptographic mindset for the cryptographically minded viewer. Get this through your thick skulls: cryptography is not for everyone, so trying to popularize it automagically leads to Dan Brown’s country: the author singlehandedly responsible for lowering the median IQ of his books’ readers. But that’s me, who badly misses the occasional but oh-so-illuminative dispatches of broog: alien film critic, and “Joe Bob Goes To The Drive-In” by Joe Bob Briggs (1987) well before that.

[*] prior art: rephrase of a quote from “All That Jazz” (1979) by Bob Fosse. [s/minute/dollar/g]

Curious October 31, 2015 4:03 AM

“Mass surveillance: EU citizens’ rights still in danger, says Parliament”
http://www.europarl.europa.eu/news/en/news-room/content/20151022IPR98818/html/Mass-surveillance-EU-citizens'-rights-still-in-danger-says-Parliament

“Too little has been done to safeguard citizens’ fundamental rights following revelations of electronic mass surveillance, say MEPs in a resolution voted on Thursday. They urge the EU Commission to ensure that all data transfers to the US are subject to an “effective level of protection” and ask EU member states to grant protection to Edward Snowden, as a “human rights defender”. Parliament also raises concerns about surveillance laws in several EU countries.”

Curious October 31, 2015 4:04 AM

“VICTORY: State Department Decides Not to Classify “Cyber Products” as “Munitions””
https://www.eff.org/deeplinks/2015/10/victory-state-department-decides-not-classify-cyber-products-munitions

“This week, the U.S. Department of State’s Defense Trade Advisory Group (DTAG) met to decide whether to classify “cyber products” as munitions, placing them in the same export control regime as hand grenades and fighter planes. Thankfully, common sense won out and the DTAG recommended that “cyber products” not be added to the control list.”

Clive Robinson October 31, 2015 4:44 AM

@ Wael, Joem,

You forgot to include the razor blades… Everyone knows you’re not serious unless you have old fashioned single blade Gillettes. OH and a big clear plastic sheet…

And to look the part, either wildass hair, a penetrating “Doc Brown” stare and an old combat jacket, or an immaculately tailored suit, highly shined shoes, clean cut looks and a faux English accent you could cut glass with.

Otherwise how are Hollywood going to portray you as being different when they do the arrest by gun toting heavy handed cops who then pistol whip and otherwise brutalize you. Remember Hollywood have that agreement with the Cop Unions, that in film good or bad cops have to be “lean and fit”. Not like the five-chin, barrel-bellied reality of the doughnut chow hound farting, belching and wheezing as they walk, that you see cadging a coffee at your local down town NYC 7/11.

ianf October 31, 2015 5:25 AM

In today’s Guardian (newsletter):

Motorola Moto 360 (2015) review: what the original should have been
★★★★☆ 4/5 stars

    Latest round smartwatch from Motorola comes in more sizes and colours, lasts a good day with the screen on and takes standard watch straps

http://www.theguardian.com/technology/2015/oct/30/motorola-moto-360-2015-review-what-the-original-should-have-been

Shaker Aamer to seek damages after 14 years in Guantánamo Bay without trial

    Freed prisoner’s legal team indicates action will be taken against British government over its alleged complicity in his mistreatment

http://www.theguardian.com/world/2015/oct/30/shaker-aamer-to-seek-damages-over-guantanamo-bay-incarcaration

How are a token USG representative, and the Briton(s) complicit in holding anyone prisoner without charges, NOT SUBJECTED to the same kind of inhumane treatment by e.g. the Isis? I see, their filmic decapitations are considered more barbaric, because we in the West truly honor the human life—be it behind bars, without recourse, and on the say-so of hooded, equally nameless captors

Stolen credit card details available for £1 each online

    Guardian finds batch of 100 stolen cards on sale for £98 on ‘dark web’ amid heightened fears about identity theft in wake of TalkTalk hack

http://www.theguardian.com/technology/2015/oct/30/stolen-credit-card-details-available-1-pound-each-online

Espionage: James Bond’s got a Licence to Shill: lobbying for the snooper’s charter

    [Marina Hyde] 007 is back and so – with spytastic synchronicity between cinema and state – is a GCHQ publicity drive. Snowden Asfaka and the fourth nipple will have to wait

http://www.theguardian.com/commentisfree/2015/oct/30/james-bond-spectre-gchq-licence-to-shill-fourth-nipple

Clive James: Reports of my death: ‘People congratulate me for staying busy, as if that were a formula for extending life’

http://www.theguardian.com/lifeandstyle/2015/oct/31/clive-james-reports-of-my-death

A few OT words from the UK’s resident literary-critic-in-dying, one doesn’t live by crypto squid alone

ianf October 31, 2015 7:07 AM

@ Clive Robinson

I don’t think professor Frampton devoted any thought to his appearance, being concerned chiefly with sowing his “brain oats,” if well past their sell-by date. So close to a Nobel prize, of course he’d be a dish to anyone!

Regarding Henry, one really can’t blame him for being a bimbo magnet (just as was the case with Ayn Rand in the other direction), but I’ll wait for the second, more important volume of Niall Ferguson’s hagiography to find out more about it (also himself an intellectual bimbo magnet ;-))

    Personal contact of the Nth kind: 15+ years ago, midweek afternoon, I walk through practically empty halls of a Vienna contemporary art museum, sit in front of a piece. Suddenly I am surrounded by four obviously American crew-cut suits accompanied by a museum guide, asked firmly to leave. I am practically frogmarched to a side exit where an embarrassed official refunds my ticket, begs for forgiveness, gives me a coffee voucher for the restaurant in the annex, and hopes I’ll return (I didn’t). Nobody tells me anything, but there are 3 or 4 black SUVs or oversized sedans in the driveway, and a police cordon in the street. I think bomb scare? Later that day I find out in the press that Henry Kissinger was in town to give a lecture, then did the culture-vulture thing. I wish the coffee voucher was signed by him, it’d now be worth a fortune on eBay!

BTW. your link just delivers an index page; fortunately you’re dealing with someone privy to the black arts of ad-hoc www-urlencoding-decoding. The correct Kissinger Mental Floss (where’s the companion site Mental Flush when we need it?) link was:
http://m.mentalfloss.com/article.php?id=26022

Windows 10 Free ShutUp program October 31, 2015 7:47 AM

By studying and only allowing manual updates for the last three years, I never ‘upgraded’ to Windows 10. I’ve also disabled tons of intrusive stuff using the Group Policy Editor in Win 8.0 Professional version. CCleaner is essential too.

But if I were stuck with this 10 crap, I’d run ShutUp at least every day by adding it to the Win startup folder or creating a task to run every hour.

From Germany:
“O&O ShutUp10 means you have full control over which comfort functions under Windows 10 you wish to use, and you decide when the passing on of your data goes too far.

Using a very simple interface, you decide how Windows 10 should respect your privacy by deciding which unwanted functions should be deactivated.

O&O ShutUp10 is entirely free and does not have to be installed – it can be simply run directly and immediately on your PC. And it will not install or download retrospectively unwanted or unnecessary software, like so many other programs do these days!”

http://www.oo-software.com/en/shutup10

Matt October 31, 2015 8:25 AM

@ Brandon and to all

Please take note that IBM cybersecurity counsel Andrew Tannenbaum is a different person from Professor Andrew S. Tanenbaum who created MINIX operating system.

ianf October 31, 2015 9:11 AM

@ Wael, joem, Clive

never buy fertilizer and diesel fuel. That’ll get you in big mess.

This needs a qualifier in the form of a quantifier. If you buy them with an invoice in large enough quantities, say a ton of one, and a liquid container pallet’s worth of the other, AND have them delivered to your industrial estate premises, nobody will bat an eye. Provided you’re not Anders Behring Breivik, because then the wardens would not accept the shipments without the Director of Prisons’ advance instruction.

r October 31, 2015 9:13 AM

@943615, it’s a little late – but you could organize a bunch of people to go as Julian Assange.

who else is recognizably on Interpol or the FBI’s most wanted list?

Daniel October 31, 2015 10:34 AM

As far as I see it your post simply confirms my point.

(1) Targeted attacks do not scale.

True. But not helpful if the NSA is targeting YOU. So once again we return to the hoary old issue of threat models.

(2) separate browsers for opennet and darknet.

Exactly. And there is nothing about TAILS that via osmosis teaches a person good op sec. Better to use Windows 10 with great op sec than TAILS with terrible op sec.

(3) VMs.

Tails does not use VMs. That’s Qubes.

So let’s parse your point. TAILS is great software for the expert user who practices effective op sec and has no worries about getting targeted by the NSA. OK. I agree. I also think in that case TAILS is mostly security theater. A person who isn’t worried about the NSA and who has the self-control to practice good op sec doesn’t really need TAILS anyway. TAILS is just convenience.

Figureitout October 31, 2015 11:05 AM

Daniel
–Smiley face is right. And NO computer that can use USB is safe from BadUSB, it’s another one of those problems just being left alone now b/c it’s so devastating. So that’s a bullsh*t argument.
But not helpful if the NSA is targeting YOU
–Yes it does. TAILS is one of a very few tools we have now that aren’t invincible (hurr durr none are) but greatly aid in security if you bother to do your homework and put in the effort. They are not made of magic, your home gets bugged then you simply have to do things on-the-go. Extreme OPSEC dictates a physical person following you which sticks out plain as day.

And there is nothing about TAILS
–Didn’t address the original question/point. You don’t use TAILS all the time for signature-based tracking and using regular internet to blend in.

Better to use Windows 10
–Not convinced, some OS’s can be so bad they’re better left unused security-wise.

TAILS is just convenience.
–Yep, that’s the point of good defaults scripted in to not waste time on stupid config sh*t. People who can do better than TAILS, by all means step up. Has to be x86-compatible too lol or you have to make your own computer from first principles, that convenient?

crystal spade October 31, 2015 11:24 AM

Re. “Better to use Windows 10 than TAILS”

Sure, as an experienced climber I refuse to wear anything but flipflops while I’m hanging from a cliff. It allows me to avoid that treacherous false sense of security that comes with high-grip boots.

R. Wiggums October 31, 2015 11:45 AM

@Pushy Microsoft

I’ve happily used the Windows OS since Win98. But all this telemetry/sneaky update shenanigans was the straw for me. I recently converted all my family’s machines from Windows to Linux Mint (with the exception of one that we’re going to keep around for offline use IF a need should ever arise). I’ll still be forced to use Windows because my clients do. If not for that, I’d never use Windows again. Mint is designed to be very intuitive for Windows users and it shows. I get that it’s not the most secure OS. But it’s much more secure than Windows – and simply because it’s “NOT Windows” gives me a great deal of satisfaction. I consider Linux Mint a “gateway-OS” for disenchanted Windows users. I’ve learned a lot making the switch and look forward to exploring other OS’s in the future.

And this isn’t just a problem with Microsoft. The problem is systemic. I’m tired of all my family’s personal information being “the product” and all this surveillance makes me feel exponentially less safe. I have no intention of going to live under a rock. But I’m also not going to support products/services that harvest my info and/or hand it over to whomever comes knocking. I realized that simply by using these products/services I was supporting them. I know opting out of their information gang rape isn’t always feasible. But where it is feasible for me, I’m doing it. Convenience is over-rated and most free services aren’t free at all.

So, Microsoft, no thanks. You can keep your shiny new OS. Screw you guys, I’m goin’ home.

Alien Jerky October 31, 2015 12:54 PM

Oh, the end of civilization has come.

https://www.techdirt.com/articles/20151030/07031932676/law-enforcement-traveling-anywhere-to-anywhere-is-suspicious-behavior.shtml

Want to travel from anywhere to anywhere in the United States without being hassled by law enforcement officers? Good luck with that, citizen.

An interesting footnote in an asset forfeiture filing that made the assertion that traveling from Chicago to Los Angeles is inherently suspicious.

Chicago is a known consumer city for narcotics and Los Angeles is a known source city where narcotics can be purchased.

Also of note: suspect had a backpack, an item used to carry stuff — something no legitimate traveler would possess.

Daniel October 31, 2015 1:51 PM

Not convinced, some OS’s can be so bad they’re better left unused security-wise.

I agree. Like TAILS.

The fundamental issue is that one cannot evaluate the security of a system independent of the user and the use to which it is put.

The argument for TAILS people are making is Lilliputian in character–can’t kill the giant so wrap him in the chains of a billion yahoos using TAILS. We know how well that worked out for the Lilliputs; it’s not going to work out well against the NSA or the other Five Eyes.

If Swift has any relevance to this debate it is in the voyage to Laputa. We should be hoping that the NSA’s desire to go beyond ECC and into quantum computing is yet another example of the fruitless pursuit of basic science and will be as useful as extracting sunbeams from cucumbers. One key part of Swift’s point about technology is that it can lead to self-exhaustion. There’s no need to kill the NSA–let it fritter its way into obscurity.

Nick P October 31, 2015 5:27 PM

@ herman

The actions of a single, scheming company in Switzerland are representative of both what all Swiss companies will do and what the government will mandate? That’s quite a leap.

AJWM October 31, 2015 5:42 PM

A ton of ammonium nitrate fertilizer isn’t that much. About 33 bags (@30kg, 66lb). As a student I did a stint as a farmhand during planting season, we’d load that much (a ton) on the wagon once or twice a day. Farmer must have had thirty tons or so in the barn. Some plants (this was a tobacco farm) are very nitrogen intensive.

Plenty of diesel fuel, too, for the tractors and such.

☺ October 31, 2015 6:49 PM

@Daniel 10:34

re (1) When we’re talking about scale, the point is not that NSA can’t target you; the point is that NSA can’t target everybody. So thinking about the problem from the viewpoint of an isolated individual you naturally conclude, you have no privacy, get over it. Thinking about the problem from a civil society perspective, you conclude that resisting surveillance is everybody’s civic duty, like voting or recycling, only less futile.

re (2) Tails is not idiot proof, true. Nothing can stop a real idiot. But then idiots don’t care about their privacy anyway.

re (3) Tails doesn’t use VMs? Sure it does, if you want it to. But anyway the original point was broader, that TAO’s too hard if you resist it. Few of us are worth the trouble, if we’re not soft targets. So just don’t be the soft target, let somebody else be it.

Let’s unparse and reparse. Tails is not for the expert user. People who know what they’re doing can do better than Tails. They’ll use it as one of many tools. And people who know what they’re doing are too much work for NSA. These are government drones, after all, if they were any good they’d go be investment bankers, ripping off millions a pop. There’s a reason why NSA’s spying on third-world UN diplomats and not on me, who is more of a threat: because it’s easy.

My Name is Alex October 31, 2015 7:06 PM

@ ☺ • October 31, 2015 6:49 PM

“re (1) When we’re talking about scale, the point is not that NSA can’t target you; the point is that NSA can’t target everybody”

That’s the point I made. They only have to target the cream of the crop, thinking of named spawns in Everquest. There’s only so few of them. Easy targets for men in black shades. Once the named are wired up, it’s like a trickle down effect, like big data with relations linkedins comms whatsapps, they get the whole enchilada of peoples on a fish string.

@ Clive Robinson

“Remember Hollywood have that agreement with the Cop Unions, that in film good or bad cops have to be “lean and fit”.”

Sir, you must have been watching one too many re-runs of The French Connection, or they’ve gone from dunkin donuts to chipotle, but that’s another Hollywood issue with the food & beverage unions.

ianf October 31, 2015 7:25 PM

@ AJWM – ‘Course I KNEW THAT, what do you take me for. I said I had greater respect for that movie scene (depiction of “the computer”) there, than for ever so buzzword-infested dramaturgy in Mr. Robot. Movies are governed by their own laws of narrative coherence, needn’t be factual such as long as the viewer gets the message. In contrast to that Mr. Robot is simply pandering to audience’s appetite for feeling sophisticated. It’s the plots, stupid(undef);

☺ October 31, 2015 7:28 PM

@ Your name is Alex, You’re right, the US government is strongly oriented toward decapitation to repress civil society. That’s why they shot Malcolm X and Fred Hampton and MLK. That’s why they shot Scott Olsen in the head. But Occupy still gave them fits because with a non-hierarchical organization the government couldn’t figure out who to kill. They have the same problem with the G-77 because it’s acephalous and densely connected. The US government can only relate to autocratic structures – they immediately set up dictators in all their satellites. So not being autocratic is half the battle.

AndrewJ October 31, 2015 9:23 PM

For those interested in Snowden related Halloween costumes, here’s what he actually did – https://twitter.com/lsjourneys/status/660198993474002945/photo/1. (Side note, WTF is with the FBI head office still being named after someone who abused their power to amongst other things blackmail Martin Luther King Jr? Here in Australia all we do is name a pool after a former Prime Minister who drowned. True Story.)

Another amusing costume was a take off of the Edward Scissorhands/Snowden interview from a couple of weeks ago – https://twitter.com/Theremina/status/658365085279105024.

Justin November 1, 2015 12:39 AM

@ ianf

… “post-disgrace recycling of middle-aged male academics” … …

You know, academia is an incredibly boring subject.

National Security vs Bottom Line November 1, 2015 3:04 AM

With the passage of the CISA law the American Congress has taken away the final freedoms and liberties declared in the American Constitution.
Will this end the gargantuan Secret War on Terrorism started by psychopath Dick Cheney (and boss George)?

Who is more a threat?
A hand-fed 14 year old or PhDs quietly transferring America’s best technology to our adversaries?

The American corporate elite have no inherent allegiance to any country or America’s National Security. Their only duty is to increase shareholder value. What is the American Congress doing here?
What is the Department of Justice and State doing to stop the flow of technology?

Consider the revolving door between industry and government and corporate lobbyists.
Or the USA Supreme Court allowing hedge funds to puppetize political candidates.
Or American High Tech companies lobbying for and installing foreign nationals in the highest technical corporate positions.
Do the Chinese or Russians allow or follow these practices?

Are American citizens ironically paying the price both economically and now under mass surveillance?

On one hand this perverse system of corporate ruling government is throwing up a smoke-screen to legalize their data-mining of citizens. These CISA profits guarantee continued corporate success.
No matter if serious terrorist threats come from outside the United States and beyond the reach of USA laws.

On the other hand they are transferring American technology to our adversaries as documented in this NYT article:
http://www.nytimes.com/2015/11/01/world/middleeast/battle-heats-up-over-exports-of-surveillance-technology.html

name.withheld.for.obvious.reasons November 1, 2015 3:25 AM

@ Curious

“Thankfully, common sense won out and the DTAG recommended that “cyber products” not be added to the control list.”

Just quoting your quote.

Et al

Okay, so EFF is happy with this result? I’d say that cyber-people (hackers) are still classified as ENEMY COMBATANTS.

LEADING ME TO…

DoJ and DoD still have a lot to answer to for “legal” or “extra-legal” killings and “summary execution” and political/cultural “assassinations”. Not to mention the fact that DoD has labeled, using nebulous language, hackers as “enemy combatants”.

When did the war on terror extend its scope from those that acted, planned, or aided and abetted terrorists responsible for the September 11, 2001 attacks on the United States?

Enemy combatant only makes sense if you’re operating under a declaration of war (oh, I am sorry I meant AUMF, which I understand to mean Armed Unilateralism, Misusing / Misappropriating Freedom(s)).

When does your status as a hacker nominate you, automatically, to enemy of the state while additionally rendering your access to the Judiciary irrelevant?

Trial, you don’t need no stinking trial to be executed! So, Die, hacker, Die.

My Name is Alex November 1, 2015 4:18 AM

@ ☺ • October 31, 2015 7:28 PM
“But Occupy still gave them fits because with a non-hierarchical organization”

Occupy is like TOR, a means to an end. There’s no point to neutralize or remove because they can be subverted to be useful to anyone who can. We’ve seen what’s been done around the world. Don’t think Yahoo, Google, and Facebook are entirely neutral either. Everybody has their own agendas. It’s just a matter of looking around you.

ianf November 1, 2015 6:11 AM

You couldn’t make this up…

from The Economist:

PS. good folks, don’t get ideas from this, the penalty for bad prose in this forum will continue to be more bad prose, so don’t you even try.

Brawny Blinker November 1, 2015 7:17 AM

Re: http://www.nytimes.com/2015/11/01/world/middleeast/battle-heats-up-over-exports-of-surveillance-technology.html

“To go along with their tanks, assault helicopters and fighter jets, repressive governments are now seeking the latest routers, servers and software from Silicon Valley or Europe.”

This underscores the nature of the problem: if a vulnerability is found or a proof of concept is developed, someone somewhere will eventually exploit it. The amount of talent and investment devoted to it all over the world makes it inevitable. Legislation and export controls offer little protection in this scenario. We need to come to terms with the idea that NOBUS is flawed. In a world connected by global networks, attempting to stop ideas and computer code from traveling through frontiers is a pointless exercise. It’s a matter of time: it might be the Russians, it might be the Israelis, it might be China, it might be organized crime, it might be the Europeans, it might be a private company. The point is, someone somewhere will eventually get there. Think Heartbleed, think router port 32764, think BIOS malware.

We need to shift the balance and focus on defense, because by developing the offensive side of cyber-warfare we have been making ourselves more vulnerable, widening the attack surface and losing a lot of credibility inside and outside our nations. We have been shooting ourselves in the foot. To mitigate this it is important that we listen to and take the advice of experts like Bruce and roll out end to end encryption by default, we need to stop subverting standards and we need to understand once and for all that golden keys and backdoors are essentially in-built vulnerabilities ready to be exploited by anyone who is persistent or talented enough — egg on the face with a timer attached. They’re bad for national security and, most crucially, they’re bad for the public infrastructure and the citizens that the national security agencies are there to defend.

ianf November 1, 2015 7:41 AM

Another gray day, another Guardian newsletter:

HACKING | Ghosts in the machine: the real hackers hiding behind the cliches of TalkTalk and Mr Robot

    This week’s tabloid headlines about the teenager who allegedly broke into TalkTalk’s website invoked the usual formula: reclusive, antisocial, young, male. But hackers are more complicated than that – and the people pursuing them say the stereotype is a problem

http://www.theguardian.com/technology/2015/oct/31/real-hackers-hiding-behind-the-cliches-of-talktalk-and-mr-robot

SURVEILLANCE | The Observer
Theresa May forced to backtrack over plan to ‘snoop’ on internet use

    Ministers rule out ban on encryption but civil rights group Liberty says climbdown is ‘just spin’

http://www.theguardian.com/world/2015/oct/31/theresa-may-backtracks-on-internet-snooping

Vodafone customers’ bank details ‘accessed in hack’, company says

    Hackers may have stolen the personal details of up to 2,000 mobile phone customers, Vodafone admits days after TalkTalk scandal

http://www.theguardian.com/business/2015/oct/31/vodafone-customers-bank-details-accessed-in-hack-company-says

Keith Erisman November 1, 2015 8:33 AM

@ianf

Ghosts in the machine: the real hackers hiding behind the cliches of TalkTalk and Mr Robot
Excellent article, quite a few gems in there!

Vodafone customers’ bank details ‘accessed in hack’, company says
What do they expect when the backbone of CMC for virtually all small, medium and large-sized businesses is a protocol (SMTP) that defaults to clear-text, uses headers that any script kiddy can spoof, is able to carry binaries with no in-built cryptographic verification, is designed to upload text and data into clients’ boxes by default, operates in an environment that makes no provision for sandboxing, and is used routinely to send password reset codes, personal data and credit card details all over the world. I mean, what could go wrong, right?

Peter K November 1, 2015 8:35 AM

@ National Security vs Bottom Line

“Their only duty is to increase shareholder value.”

That’s a common misconception of corporate interest, IMHO. Remember Accounting 101, bond holders are at odds with shareholders. Looking beyond bonds, we get into the sell side who may also hold shares. At the street level, shareholding isn’t a zero sum game as it appears to be. The only duty, that we are sure of, is according to game theory. Every man for himself, and that will change according to game plan as a matter of strategy. Race to the bottom is also another common misconception, without a refereeing party, such as government, no chance of reaching the finishing line.

In the Shadow of November 1, 2015 8:43 AM

On the little “how far do you go discussion”. Good comments from both sides, I will actually say. However, a primary point is missed from the side arguing against understanding the situation when you are personally targeted by a nation state.

Happy Face:

There’s an intermittent but vocal contingent here that bases security discourse on the self-defeating premise that TAO will find a way.

When we’re talking about scale, the point is not that NSA can’t target you; the point is that NSA can’t target everybody.

Figureitout:

They are not made of magic, your home gets bugged then you simply have to do things on-the-go. Extreme OPSEC dictates a physical person following you which sticks out plain as day.

What the other side of the argument is talking about is when you are targeted by a nation state. Just that. It is about handling your own risk and knowing your own risk. For recommendations for “everyone”, where that means people not likely to be targeted by a nation state, that is something else entirely.

Caveats are, for instance, organizations where your organization is targeted by a nation state but there is only so much you can do. It is not personal and usually no lives are in danger.

Why would an individual be concerned about being targeted by a nation state? Usually you would not. I am certain most who think they are, are surely not, and simply caught up in conspiracy theory. They literally have no value, and so are overestimating their risk.

The approach is entirely different with individuals and nation states. And I am really talking here about intelligence, not law enforcement. The number one rule there is not to get on the radar. Plan B is to get off the radar, if you are. In general. The number two rule is not to write anything or say anything anywhere, at anytime. Scope back as necessary from that, as you obviously have to write and say something, somewhere, some time.

To keep the statement short.

And, no, there would not be “one person following you”, and they won’t be obvious unless they want to be. Even when surveillance required frequent people power, it was never just one person.

Point is, a number of people give other types of advice, and seem to imply offering advice to individuals who are interesting to nation states on a serious level. But that advice would be very damaging to them, if they are told they can out tech or evade them once on their radar.

Consider, for instance, Snowden’s situation. Using the USB stick OS would have helped him as he was getting ready to flee only because he was going to flee. So much may not have been on his computer. Which he left at home. When he took off overseas. It had minimal usefulness to protect some trails left on anything he left behind. That is it. He was off the radar at that time.

He did not rely on that or trust it once he got on the radar. He did not rely on anything but fleeing at that juncture.

This is all very real world. Underestimating risk happens to everyone who has not been under that risk and trained to handle it. Look at Petraeus and Brennan, even, for instance.

Helen November 1, 2015 8:46 AM

@ Bruce Schneier

In your latest Harvard talk (I think it was on October 9), you declared that you could talk an hour about abuse (of surveillance). Please do so in the near future.

Privacy advocates need good examples why excessive surveillance is bad. For surveillance advocates, it is too easy to come up with movie-plot threats like “terrorists will kill your children”.

I hope you can give privacy advocates good examples of surveillance abuse in one of your next talks.

I would very much appreciate that! 🙂

Peter K November 1, 2015 8:59 AM

@ In The Shadow of

“This is all very real world. Underestimating risk happens to everyone who has not been under that risk and trained to handle it. Look at Petraeus and Brennan, even, for instance.”

There’s a difference between “being on the radar” and “being data mined”. The latter appears to be the objective of present days. Being data mined means everyone is on the radar, all the time, everywhere.

erect sushi November 1, 2015 9:10 AM

From http://www.theguardian.com/world/2015/oct/31/theresa-may-backtracks-on-internet-snooping

A government source: “We need to give people the reassurance that not only are [new surveillance powers] needed, but that they are only ever used in a necessary, proportionate and accountable way.”

This is precisely the kind of waffly nonsense that the GCHQ lives off. Translation: “we shall filter as much shit off the internet as we can, as frequently as we can, from as wide a population as we can, we will profile and track everyone to within an inch of their life and we will abuse every loophole in the communications system that we can, in a way that is completely compatible with what we understand as a proportionate and accountable system of dragnet surveillance and population control.”

In the Shadow of November 1, 2015 9:16 AM

“Democracies die in darkness.” wrote:

Interesting WARNING of ‘secret government’

From the article, about Bob Woodward of Watergate fame:

He was much clearer when talking about the presidential race and government and what he called the tendency in America toward more “secret government.” “What should we worry about is secret government. If you look at Nixon, all of Watergate, it’s secret government gone wild,” said Woodward, whose newest book, “The Last of the President’s Men” is about deputy White House chief of staff Alexander Butterfield.

Last week Skeptical tried to misrepresent me by claiming I was “nearly hysterically” “warning” about a “dual state”. His point was character assassination because he was fighting the losing end of a clear argument that was entirely unrelated. Basic sophistry people often rely on. (Excellent book on such things “You Are Not So Smart”. Good reading.)

Truth is, and I think it is understood by people who work in intellectual security areas, or have, I simply try and point out more than two or three angles of difficult unknowns. Often that means bringing up more far flung possibilities. Angle thirty three. Angle twenty. And so on. Stretch people’s mind. Because when you work in intellectual security areas, your first five to ten years is all about “wrapping your mind” around very difficult issues.

It is about opening the narrow mind to a mile wide mind. So you can understand reality. That is it.

What I believe Woodward is talking about there is simply that there are enormous problems that happen when “secret America” gets too big and too out of control. Which is very true. This is true with every nation. There is an excellent book about the subject called “Top Secret America”, well worth reading for anyone concerned.

This does not mean there are not controlling influences people do not directly see. There certainly are. You see the wind blow the branches on trees, but you do not see the wind itself.

AndrewJ wrote:

Side note, WTF is with the FBI head office still being named after someone who abused their power to amongst other things blackmail Martin Luther King Jr?

I strongly agree. It is extremely poor taste. Especially for an investigative agency that is aimed at bringing down criminals. We now know J Edgar Hoover was a criminal. He was very much a criminal, and the record is very clear. If anyone doubts this, they should pick up some books written on him. There are two good ones recently out in the past few years. Do your homework. The best is called “Enemies”, by far, and well documents his crimes which go far beyond his enormously distasteful cointelpro program and actions like what he did with MLK Jr.

They changed with the confederate flag, they can certainly change the name on that building.

There is no possible response or argument against this, either. This is not conspiracy level stuff. His crimes were exposed by the US Government in the seventies. Some more details have come out since, but the bulk of it was exposed decades ago.

It has not been made widely known. You have to actually pick up books to read of it. I have not seen even a documentary covering it, and Eastwood’s movie shamefully dealt with it poorly despite Eastwood’s excellent record of films.

Cointelpro’s shamefulness is known well by tech aficionados, but apart from the appalling issues there, that was just the tip of the iceberg.

I think there is popular sentiment involved there, but this is deeply misplaced.

In the Shadow of November 1, 2015 9:23 AM

@Peter K

There’s a difference between “being on the radar” and “being data mined”. The latter appears to be the objective of present days. Being data mined means everyone is on the radar, all the time, everywhere.

That is exactly the distinction here.

I only mention criticism on here – being an infrequent poster over the years, though I tend to post a lot when I stop by – when I see advice being offered to singular individuals about securing their systems. That is a very specific situation.

Sure, they could be criminals seeking advice. Or they may be dissidents or journalists considered dissident, they may be legitimate. There is no reason to give them a false sense of security.

I have worked with dissidents, and the line is very clear. Which is why I bother to state such things.

There are security moves you can make to stay off the radar for those dissidents who have the luxury of being in a crowd. That is different. As well.

Risk analysis is a huge part of security. One size does not fit all.

However, generally, it is always best to have layered security, regardless of your situation. Even if everything under all those layers is entirely innocuous.

Staying off the radar against data mining generally will be much more about what you state online or on the phone as opposed to what you state in private. Advice tailored that is very distinct and important as well.

Peter K November 1, 2015 9:28 AM

@ In The Shadow Of

“You see the wind blow the branches on trees, but you do not see the wind itself.”

Invisible as it is, winds are powerful enough to shape stones. This brings us to the third misconception. An invisible hand is not that of the governments’. It is of people, as governments are shaped by the people. Which people is often up for debate.

“Cointelpro’s shamefulness is known well by tech aficionados, but apart from the appalling issues there, that was just the tip of the iceberg. ”

It’s a subject most often left open for discussions because there is no clear answer. There are people right on this blog comments who still talk of cointel pro’s as they exist in present days. Nothing is ever proven and any talk of it could be cointel in its own self.

In the Shadow of November 1, 2015 9:42 AM

@PeterK

It’s a subject most often left open for discussions because there is no clear answer. There are people right on this blog comments who still talk of cointel pro’s as they exist in present days. Nothing is ever proven and any talk of it could be cointel in its own self.

I am not aware of anyone that would defend cointelpro. Would love to find someone who would, because easy arguments can always be fun. If there is anyone who thinks it was a good idea and well implemented, they realize that is too shameful to mention in public because they would get skewered.

It is worth bringing up in context, because it is the most people tend to know about the abuses of Hoover’s FBI. But, Hoover’s abuses were legion and span decades far, far beyond just the sixties.

I am happy to bring up sources if you disbelieve that, though I pointed out the NY Times best-selling book “Enemies” which can be found at any book store, online or off.

If you are suggesting people mentioning it could be a spy or have been a spy, that is a different topic. And a specific accusation. If you are thinking my advice seems a little too professional, you would be correct. No shame in that. Depends what a person does or did is all.

But, the point of those statements was singular: the FBI would do very well to take Hoover off the name of their DC building. Hoover should further not be a role model nor hero for federal law enforcement. This is very pertinent in regards to abuse of surveillance.

“You see the wind blow the branches on trees, but you do not see the wind itself.” Invisible as it is, winds are powerful enough to shape stones. This brings us to the third misconception. An invisible hand is not that of the governments’. It is of people, as governments are shaped by the people. Which people is often up for debate.

Point there was simply that it is “up for debate”, though I would point out that debate tends to be useless. Because the facts will be unknown.

There are certainly places where facts can be discussed. For instance, with political contributions or defense contractor ties, and countless other areas visible to the public.

But, you won’t find evidence on a B613 unless you are B613 or a B613 gives you that evidence. And that won’t happen.

In the Shadow of November 1, 2015 9:55 AM

ianf wrote:

than for ever so buzzword-infested dramaturgy in Mr. Robot.

I know some here think the world of that TV series because it correctly uses the buzzwords, names tech protocols, etc, but—guys!—go back to polishing that bash-everything script, leave film criticism to those who can see beyond the meaning of /dev/null. I could barely sit through 15 minutes of the first episode, 5 minutes of subsequent ones, so irritated I got at its wooden, stereotypic storytelling, and other common ills of episodic cinema.

Mr Robot is actually great stuff. But, not for everyone.

Very realistic, and it did not depict all hackers as young, male, reclusive. There were numerous hackers presented in there of a wide variety of backgrounds.

Realistic can certainly matter, some would definitely argue “bad acting”’s very problem is they are not realistic. And bad movies are not realistic. Even though movies are very often about stretching realism and presenting the decidedly unreal, as Mr Robot does certainly as well. It is fiction. But there is a difference between an impressionist painting and a badly drawn cartoon.

Television wise, where the best stuff has been recently, much of the best work the past year has been a solid dose of intense realism mixed with considerable fantasy. Some notables that come to mind: Legends, The Americans, Hannibal, Deutschland 83, Jonathan Strange & Mr Norrell, Fargo, True Detective.

Joe Bob Briggs was popular twenty years ago in obscure circles in a very specific region of the US, but otherwise no one would know of his work. That was over twenty years ago.

Figureitout November 1, 2015 10:41 AM

In the Shadow of
–We’re interested in security to stop these attacks, when the static tools get attacked you as a human need to step back and only engage in different places. The attacker can only see via internet connected devices (usually). We assume the internet is poisoned and getting worse, our computers getting locked w/ non-open ones and non-open crypto. So you have to step back and obfuscate data and put it in. There’s no real attack on that besides following you everywhere (where keymat and codes are created), like say a parking garage. Even having a camera there it’d have to be sufficient resolution and the right angle to get the writing, but some cameras are getting better but they have to cover the whole place and stored for some time.

And no it’s not worth trying to spy on it, only static labs/workspaces will produce products worth spying on. You can’t be too concerned w/ spying if you’re a do-er and want to deliver something actually novel and well-designed, it’ll just cloud your head. The books are there to read and get the basics so you can actually design on your own accord, but spiers and cheaters will just scoop cream off the top w/ old easily predictable attacks and not know how it really works.

And yeah it won’t be just one person, they switch off. And you won’t catch them all. They give off tell-tale signs w/o realizing it, like bringing in untrained civilians or poorly trained LEO’s in investigations to do their dirty deeds (big mistake, that helped me so much). For instance one thing I notice is a cop gets called at my gym whenever some spooks want to work out then I look for patterns like who comes only when a cop is there. Good protection too, having some senile rent-a-cop. Not like I couldn’t pull the gun from the joker’s holster while he’s lifting in his uniform lol; that’s if I was an actual threat and not someone who wants to empower individuals. They also either don’t use the lockers or use open ones covered by a camera; b/c a simple way into any locker is to tell the front desk you forgot your combination and they’ll open up the locker. I wouldn’t be surprised if there was some backdoor combination too.

Those are some non-technical means of ID’ing spooks/LEOs or at least security-conscious people but they’re good b/c you could have the strongest electrical defenses but give up clues that can’t be covered up. Another is emotions, professional spies don’t let it affect them and move on but the rookies do and it gives you up.

There’s underestimating risk and there’s being way too confident for your abilities (spooks). Along the way people get owned and sneak by, and see what works and what doesn’t. At the end of the day these are worthless pissing matches and wastes of life so I’ve mostly disengaged, save the money and spend it on science so we have some hope for future.

name.withheld.for.obvious.reasons November 1, 2015 12:13 PM

So, let me see if I get this straight…

A thirteen year old “social engineer” (the kid was erroneously labeled a hacker; he hasn’t been convicted as one, and who am I to prejudge) can access CIA, military, or civilian intelligence information, systems, or data?

How the U.S. government, by use of legalese, might see the world is explored using an analogous story where none of those portrayed resemble anyone living or dead. No animals were harmed in the drafting of this fiction (I had vegetables for dinner whilst I drafted this story).

  1. Teenager (probably with acne); capable/has access to cellular telephony, mobile computing, and other equipment:
     TOTAL EQUIPMENT COSTS: > $10,000.00
     EMPLOYEES (FTE)      : ZERO

  2. U.S. Gov and Friends; Inordinately large budgets, huge programs, and enough employees and contractors to occupy many of the countries they are fighting against.
     A. The seventeen or so U.S. Government agencies charged with intelligence and/or national security;
     B. Of the identified, among them CIA, DHS, DISA, parenthetically DoD, DSS, FBI, Fusion Centers, Geo-spatial Reconnaissance, ONR, and NSA; are granted and authorized to defend, secure, or protect domestic or national security assets from those defined in Section 1.
     C. Authorities granted to entities described in Section 2.B shall include, but are not limited to:
        i. Predisposition for matters related to those described in Section 1.
        ii. Direct authority to allocate charter, purchase, contract, steal, subvert, lie, harass, or torture in support of Section 2.A
     TOTAL EQUIPMENT COSTS[1]: < $250,000,000,000.00 (PER YEAR)
     EMPLOYEES (FTE)         : < 500,000

name.wtihheld.for.obvious.reasons November 1, 2015 12:18 PM

@ MODERATOR

Seems the text enclosed within a pre HTML tag was stripped from the post…

Should look like this….

TOTAL EQUIPMENT COSTS: $250,000,000,000.00 (PER YEAR, PLUS)
EMPLOYEES (FTE)      : 500,000 (PLUS)

In the Shadow of November 1, 2015 12:18 PM

@Figureitout

Thanks for sharing. Brave of you to do so. As I said ‘one size does not fit all’, and everyone has to do their own, realistic, risk analysis. In the US alone, there are countless governmental organizations. What, 21, 17, ‘in the open’ intelligence agencies. Federal. And how many sub sections. How many state and local. And every country has this. But, just sticking to the US, you also have a lot of countries’ law enforcement and intelligence working here, diplomatic cover, officially, and otherwise.

Poor tradecraft, or opsec, is the norm, by far for these, as well.

I have certainly come across plenty of people very bad at tailing. Basic stuff like making eye contact is one dead ringer. Especially when you catch their eye and they got that ‘deer in the headlight’, only more serious look to it, like ‘oh shit, I got made’, lol.

But there are the ones good at it, too. And certainly there are some posters here, maybe even some regulars, who could fall under that. Probably, usually? Just because they come under the cross hairs of someone’s sci tech intelligence division, or economic espionage.

I do think even in those extreme cases, people may get some vibe. Hair on the back of their neck kind of thing. The unconscious mind processes so much more than what the conscious can. It can piece together all sorts of tiny observations from the corner of the eye and operate at high degrees of efficiency, tying together barely perceptible observations into a coherent stream. It doesn’t have to rely on language and other conscious components like feelings to process things. [But it will alert the person with feelings, or even statements of observation.]

But really that is because consciously they don’t know what to look for. No experience, no training.

And usually, they will find some reason to ignore it, chalk it off.

Never proven to happen to you before, no reason to really listen to such “pings of intuition”. Or “gut feelings”. You hear, for instance, how “seasoned detectives” have strong “gut feelings”. Because in security, it get experience. Stuff happens, and it repeats. You get to learn what to look for, consciously. But you also get to rely a lot more sensitively on your unconscious and what it observes and alerts you about.

If you have never been in a car accident, kind of thing, you don’t really get sensitive to the dangers. If you have, like you have, your mind has it marked as a high priority. And those processes run at a higher priority far more frequently.

But, everyday experience, day in, day out, year after year, and that kind of situation… altogether create something much different than just dealing with a singular event.

The people that concern me, aren’t as your own self, but those for whom everything is simply theoretical. But they are in real danger. They know it, but they can’t get the experience of what they should do, because it just is theoretical.

Clive Robinson November 1, 2015 1:41 PM

@ ianf,

With regards Theresa May’s supposed climb down, I would say it’s actually the worst of all worlds for those the police chose to abuse.

The rules are, police can access what web sites you have been to, but need a warrant to get further information. So supposedly good for privacy; everyone smiles, the flash bulbs pop, and after the pictures are printed it’s old news and backs get turned. It’s then you find the devil playing in the details…

We know that web pages are dynamic and can be redirected without the average user having control over it. We also know the likes of the NSA, GCHQ, etc can and do inject data into your inbound stream, that can re-direct you to another site, or completely hide what is being downloaded with a faux page etc. Oh and don’t forget they can make your home router do things you will never see…

Thus it’s no great problem for them to do both. That is they hit your browser with a redirect to an ISIL site, but actually serve you a page similar or the same to the one you expect… Or they get your router to make the request, and drop anything passing through to you that might tip you off.

Now what does your ISP see? Well, it sees your original page request and any the router might make. They probably will not see the returned injected redirect, so they also see your browser (not you) requesting the ISIL page, but again not the faux page that gets injected back to you. You on the other hand probably don’t see the change in URL in your browser bar or any other indicator.

How do you, an unknowing average web user, tell the police it was not you that sent the request to the ISIL page, that your ISP records say you did?

You can not, but worse, even if your ISP did keep the actual content data streams, you like the police can not get at them without the police getting a warrant… Which they don’t need to do, and because they did not get the content they don’t have anything to “disclose” to your defence team…

Neither you nor your defence team have any entitlement to the data from the ISP that might clear your name, you have to appeal to a judge for a court order. Which if granted you would as part of the order have to hand over to the prosecution. Thus your defence team will at best regard that route as Russian Roulette with only one empty chamber…

Your only real defence is to record all your Internet traffic on your side of the router, in a way that can not be tampered with. But if you do the police get to take it away from you when they conduct their search, in all its glory without limitation. Thus the police do not need to approach a judge, for a warrant.

Sometimes what actually looks like a limitation on the investigators is anything but, and actually ends up hurting the defence more than if the limitation was not there.

As for the likes of the NSA GCHQ et al “fitting you up” do not make the mistake of thinking they would not. It is a matter of record that the FBI falsified evidence about supposed child porn which they gave to the UK authorities, who then used it not just to put pressure on defendants but actually in court (Operation Ore). Further there is evidence to show that they were aware that the FBI evidence had been called into question but kept on using it… The man in charge of Operation Ore in the UK already had question marks about his previous conduct, yet he got away with it yet again…

zaphod November 1, 2015 3:32 PM

@Clive

“Oh and don’t forget they can make your home router do things you will never see…”

Are you able to elaborate on that a little, and any defences? Would an open source (e.g. dd-wrt) firmware provide protection?

Z.
(Thanks in advance)

herman November 1, 2015 3:58 PM

@Nick P:
Crypto AG is Swiss registered and Swiss based, but German owned. So they do whatever the German government tells them to. In today’s free trade world, the fact that a company is based in some or other neutral country doesn’t mean much.

tyr November 1, 2015 5:17 PM

If we instituted the death penalty for writing books
while in prison we would have been spared a couple of
scumbags. Mein Kampf and Ang Tahanan were both done
while in jail and both were “my struggle”.

What I see in today’s comments is that it is all about
framing and mindset. Unless your Venn overlaps quite
well you can’t comprehend what the other is on about.
Assuming game theory is every man for himself sounds
like Otto in A Fish Called Wanda. Von Neumann’s book
is available at archive.org since it is the seminal
work in the field by a guy whom a classmate said he did
not think was human; reading it might change your
viewpoint.

If you assume that processes have effects that reach
beyond the immediately causal, you can also note that
the heroes of the nation state become entrapped in that
false narrative because of their environment. Secret
spookery is toxic to the mind, toxic to ethical and
legal behaviors. Add to that the warp which individuals
bring by desiring such a job in the first place and you
have the perfect formula for political tragedy. Now we
have funded and technologized this psychiatric wormcan
and are struggling to get the lid back on before we get
a part in Gilliam’s Brazil as the victim. Not of some
magic act on our own part, just because we happen to be
there.

The horrid clashes between the generations of the 1960s
that spawned COINTELPRO were because of the hypocrisy of
the culture which mouthed lofty ideals without ever putting
them into practice. Once the younger generation started to
put them into practice Hoover and the boys lost their minds
along with their handlers and exterminated by any means all
who were identified as high profile. The CIA’s drug tests
and subsequent involvement in trafficking for social control
didn’t help either. LSD is a drug that causes psychotic and
aberrant behaviors in people who have not taken it. Then
you get Nixon who has spawned an entire half century of the
mad nitwits and criminals around his throne into today.

The corporations, which are a superorganism and have now
achieved a weird personhood with legally upheld “rights”,
have grabbed control of the political and legal processes
by some divine arcane right of money. You don’t have to
look far to see it. Now we have a confluence of the secret
invisible state and our corporation overlords who think
military actions are the profitable growth industries to
invest in. Confucius says no tree grows to heaven, so
there are limits to any process.

The necessary curbs are, be less evil, be more humancentric
in your decisions, and treat each other better. Your rational
mind is not just for limited usage in a specialist area.

ianf November 1, 2015 5:35 PM

@ Clive Robinson (cc: zaphod)

I know most of it—IN PRINCIPLE, not in the detail that you supplied, and am of course principally worried, even though I’m not in the UK, so Theresa May may or may not have the hots for me—I’d prefer not just to be on the safe side. The question that I keep asking myself is would the router-MITM scenario that you described be applied at random, or to anyone without some prior definitely-must-be-up-to-no-good trigger. And if so, would my writing occasional anti-NSA/ pro-Snowden/ vehemently counter-totalitarian-mindset diatribes here constitute such triggers. Because from the POV of my remotely-detectable daily electronic footprint, this is the sole subversive, potentially big-bro/sis-society-destabilizing activity that I engage in (partly of course as an outlet for my recently diagnosed vacuous verbosity directed at any fecund female of the species within earshot[*], which so disturbed the diagnosticians here, that they couldn’t come up with anything intel to say—but mum’s the word).

For reasons that I believe you’re familiar with, following 2 eye operations, I can no longer read/ work off a computer screen, can but use that which I can hold 12-15cm from my nose: a smartphone. I thought I’d go bananas not being able to review, compose and edit text in less than page-sized chunks, but it turned out I could adapt, and, due to staggered life circumstances, was able to go back to books etc (which pose their own weight-on-chest problems ;-)) I’m telling you all this in order to describe that, even were I intent on doing something nasty acc. to the local equiv. of that May woman, my physical possibilities of doing that would soon bottom out. Of course, any spook that elected to teach this whippersnapper geezer a lesson for whatever reason could construct an elaborate trail of evidence pointing to my ISP-recorded “illicit ISIL activities,” but then why would he go to all that trouble, when all she’d need would be to plant some children’s prØn on my iPad (all other gear being mothballed offline), or even claim to have found some in a book that I just returned to a (fully automated return) library.

    So that’s about that provocation-threat vector that I am conscious of… I’m no Perry Mason, but suspect that, were I to fight in court for my freedom, I’d prove not-too-palatable for the seldom verbal eagle-y opposition [at least in comparison with court cases that I followed where obviously innocent people went down because they were unable to express themselves logically, let alone clearly.]

Finishing soon. That said, 3 weeks ago I experienced sequential difficulties in accessing and posting to this very, and only this site (checked its status first via isup.com of course). The same for 2-3 days. The symptoms were inconsistent with backbone maintenance, as other traffic was unaffected. This had to be schneier-comcentric. Only BoppingAround bothered to confirm being unaffected. Then it went back to normal.

I waited it out, thought not much more of it, but on the available sketchy experience could say that, was some cheeky sod trying then to infect my IP-over-TV-cable router, and/or Apple TimeCapsule WiFi, map my LAN, or similar, this is how it might have manifested itself. I can not say if the routers “reset themselves” during those days to start up some payloads as I could have been sleeping when it happened, but it might well have done. And there the matter rests for now, until some new broom at the State Metadata Only Recording Agency decides that I am not that interesting after all—or cables back in Morse that I UNDERVALUE MYSELF. Tell me what you think of it.

PS. Still have a couple responses to you in the pipeline.

@ zaphod

dd-wrt has been discussed here aplenty, the consensus being it’s not impregnable against a dedicated attack.

[*] Norman Mailer: “Why do we write? We write in order to win love and affection of beautiful women.”

Grauhut November 1, 2015 6:05 PM

@in the shadow of “The number one rule there is not to get on the radar. Plan B is to get off the radar, if you are. In general.”

If you are in some kind of biz you are automagickally on the radar.

So you have to feed the beast with what it expects to see. Stay on the radar and have a continuous radar reflection matrix.

Today you need at least three identities, your official one, your official unofficial one and the secure one.

I like webkit a lot, guess why and then guess what my Grauhut identity is. Beastfood or not? Do i really like webkit? Maybe i prefer other kinds of tools. Nobody knows. Maybe even me myself and i are not sure what i really like! 🙂

Peter K November 1, 2015 7:14 PM

@ In the Shadow Of

“Point there was simply that it is “up for debate”, though I would point out that debate tends to be useless. Because the facts will be unknown.”

Hence the second greatest mystery of modern mankind, next to which the mystery of Schneier’s blog is shy in comparison.

@ Figureitout

“The attacker can only see via internet connected devices (usually). We assume the internet is poisoned and getting worse, our computers getting locked w/ non-open ones and non-open crypto. So you have to step back and obfuscate data and put it in. ”

It sounds like you’re speaking of the internet as a secret hideout among men of sorts. Fair to say that’s not what it was designed for and shouldn’t be used as such, without due diligence. 🙂

@ Clive Robinson

“As for the likes of the NSA GCHQ et al “fitting you up” do not make the mistake of thinking they would not. ”

I don’t have any doubts that they do. But fortunately, the typical spook is subject to more layers of cross examination than an average Facebook employee.

Dirk Praet November 1, 2015 7:26 PM

@ Daniel

The fundamental issue is that one cannot evaluate the security of a system independent of the user and the use to which it is put.

Yes, you can. It’s called a protection profile (PP), which is the baseline for most security evaluations/certifications such as EAL.

TAILS is just convenience.

No, stuff like TAILS and Whonix try to strike a better balance between convenience on one hand, and privacy-security-anonymity built in by default on the other. Neither claims to be bullet-proof, but at a bare minimum they tunnel all of your traffic over Tor without having to worry what data Google, Apple, Microsoft, Facebook & co. are collecting about you and sharing with their government “partners”. And they come with a fine set of apps, most of them easy to set up for secure use even by an average computer user.

I’m at the moment spending quite some time on TAILS, mostly by making available a set of additional security/privacy-oriented applications that may benefit parts of its target audience without incurring the pain of (safely) downloading, installing, compiling and configuring them themselves. What security-enhancing activities have you been up to lately?

And there is nothing about TAILS that via osmosis teaches a person good op sec. Better to use Windows 10 with great op sec than TAILS with terrible op sec.

That’s because those are two different skill sets, mate, just about as unrelated as application development and systems administration. Someone who’s bad at opsec will be just as bad with it on any operating system, rendering this particular argument against TAILS moot, to say the least. And you can’t possibly be serious about using Windows 10 for anything sensitive, even if you were the King of Opsec.

Clive Robinson November 1, 2015 10:20 PM

@ Zaphod,

As I’ve indicated before, it is not possible to say if a system is secure nor will it ever be possible to do so.

All you can really say is you’ve tested it in certain ways and it has passed those tests on a particular set of hardware at a specific date and time. Which in reality is saying next to nothing, which is just one reason “Code Signing” does not do what many people think it does.

Further back, in the 1930s, a mathematician came to an unfortunate conclusion about logic systems. Without going into details the takeaway is that no single computing device can tell if it is secure or not. Thus the bulk of computer based systems are “insecure by design”. This includes all the SoC computers you will find on “Home Router” hardware.

As I’ve indicated before the solution to these problems is “instrumentation and mitigation”. Thus the “Garden Path” design which uses two different routers, data diodes and extensive logging and analysis.

The down side of the garden path is that it does not protect the external router, thus additional instrumentation is required that for most home routers is extremely difficult to do.

From the aspect of this type of attack, legal liability for the demarc is what is important. That is, if your ISP provides your home router, on which side of it is the demarc? If it’s the phone socket then you are open; if it’s the network socket on the router then it’s the ISP. There are UK legal precedents based on who is liable for the cost of calls that hinge on where the demarc is. Put simply, you are only liable for the cost of a call if and only if it can be shown that the call originated from the consumer, not supplier, side of the demarc.

The issue with Theresa May’s piece of nonsense is she has in effect moved the liability point well away from the demarc deep into the supplier side. Which gives a gaping chasm –not a crack– over which the consumer has absolutely no control but carries full liability… Such a chasm is an open invitation play space from which an attack can be mounted against the consumer. Trying to explain this to the legislation drafters and their political masters is a waste of time not because they don’t have the capacity to understand the issue, but that they blatantly disregard it because it does not suit their purposes.

@ ianf,

The fact that the issue exists means that every consumer can be attacked this way plain and simple, thus it is a target rich environment.

Which means the attacker has both the advantage and the choice. Which means from the potential targets point of view the best defence is not to be “low hanging fruit” or “fruit that’s rewarding to consume”.

Which brings us back to the three basic personal security points, that nature has taught us,

1, Don’t make yourself a target.
2, Have obvious deterrents.
3, Have unpredictable defence.

The first and second are camouflage tactics of try not to be seen and if you are seen appear to not be an easy meal. The third is a survival tactic, either for the individual or species. That is if an attacker does take a byte they get at the very least a nasty taste in the mouth, if not considerable pain, ranging up to death.

From a species point of view the Mutually Assured Destruction deterrent is the ultimate form of defence. That is any attempt to make an attack will result in death for the attacker irrespective of if the prey dies or not. That is the defence system of “The Poison Arrow Frogs”: they use MAD as stage three, but by being brightly coloured they give due warning at stage two. Other creatures then have a choice, in stage one, do they look like a leaf or a poison arrow frog in colouring…

As another person has observed about “staying off the radar” it might be a bad tactic, if you are expected normally to be on the radar. A part of it is “fit in with the crowd” and take your chances on the numbers game. Another part of it is be highly visible such that any attack against you will draw a great deal of unwanted attention to the attacker irrespective of what happens to you.

I can not tell people what the best choice is for them, but from my perspective in a very target rich environment the odds of you being selected randomly are small unless you go out of your way to be a “tasty morsel”. But the risk is there so taking some unknown to an attacker defensive steps are advisable. Which is what the instrumentation aspect of the garden path design is about.

Figureitout November 1, 2015 11:15 PM

In the Shadow of
As I said ‘one size does not fit all’
–Yep, you don’t need to tell me that, common sense eh? And like I said, we here are interested in dominating the best attackers and the highest threat models b/c we’re too paranoid, catching out the best means no one else can even come close, we need that assurance. It’s a satisfying feeling too, catching some of the people/attacks that used to own you w/ ease…no more, not even a drop of sweat. More esoteric and physical attacks necessary. But no rest b/c threats constantly evolving.

The people that concern me, aren’t as your own self
–Good, no need to say it. I’m not a threat to anyone, never was. Defensive measures are way more challenging and interesting, and I’m opensourcing some of my stuff, using primarily opensource stuff (targeting RasPi, Beaglebone and Arduino due to huge communities and…well…it’s fun too b/c Arduino is like embedded scripting and super easy serial output).

Peter K
It sounds like
–Not sure I get the joke, but uh…”among men”? Ok shtlord :p. Just haven’t ever felt like I’ve had a clean internet connection. Definitely not my home connection and my family gets pissed at me for even considering a nearly uncrackable wifi password let alone blocking ports, setting up firewalls, VPNs, and various other ‘net sec hardening measures. But I’ll be ready when I get my own connection[s] all to myself. :p

Question to the Crypto Gods
(The kind that actually implement systems)
–Trying to come up w/ a better way to automatically set the IV on a little RF system that needs to be pseudo random, but I’m on an Arduino. Looks like I can set an unsigned long (max 4294967295 values) variable. So what I’m thinking is to have it constantly counting/running in background and to save its value on a detection and then reset back to zero, and that’s the new IV for the next exchange. I’ll have to transmit that to any receiver to keep everything in sync, using the older preset IV, which should be protected by an encrypted connection.

Sound good? Fatal flaw? Something really sweet is…this could mean that potential attackers would be seeding the IV LOL, good.
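The IV question in the post above comes down to the one property an IV (nonce) must have for a counter-mode or AEAD cipher: it must never repeat under the same key. The C program below is an added example written for this page (not Figureitout’s code, and not from any Arduino library). It simulates the sampled free-running-counter scheme the post describes on a constructed run of detection intervals and counts how many IVs collide, then shows the usual alternative, a persisted monotonic counter combined with a per-device identifier, which cannot repeat until its space is exhausted and also lets the receiver reject replays without any IV exchange. The 8-byte nonce layout, the `device_id` value and the interval sequence are assumptions for the demonstration; on a real board the counter would live in EEPROM and be written before each transmission.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* ---- Scheme A: sampled free-running counter (simulated) ---------------
 * A tick counter runs in the background, its value is saved when a
 * detection happens and the counter is reset to zero, so the IV of each
 * exchange is the number of ticks since the previous detection.  Two
 * detections the same distance apart therefore yield the same IV.      */

/* Constructed sample: ticks between six successive detections. */
#define SAMPLE_INTERVALS_LEN 6
static const uint32_t SAMPLE_INTERVALS[SAMPLE_INTERVALS_LEN] = {5, 9, 5, 12, 9, 5};

/* Derive the IV sequence Scheme A would emit for a run of detections. */
void sampled_interval_ivs(const uint32_t *intervals, size_t n, uint32_t *ivs_out)
{
    uint32_t tick = 0;
    for (size_t i = 0; i < n; i++) {
        tick += intervals[i];   /* counter runs until the detection ...   */
        ivs_out[i] = tick;      /* ... its value becomes the IV ...        */
        tick = 0;               /* ... and it is reset for the next one.   */
    }
}

/* Count IVs that repeat an earlier IV.  Under one key every repeat is a
 * nonce reuse (keystream reuse for CTR/GCM/ChaCha20).  O(n^2) is fine here. */
size_t count_duplicate_ivs(const uint32_t *ivs, size_t n)
{
    size_t dups = 0;
    for (size_t i = 1; i < n; i++)
        for (size_t j = 0; j < i; j++)
            if (ivs[j] == ivs[i]) { dups++; break; }
    return dups;
}

/* ---- Scheme B: persisted monotonic counter ------------------------------
 * nonce = device_id (4 bytes, big-endian) || counter (4 bytes, big-endian).
 * The counter is kept in non-volatile storage (assumed: EEPROM on a real
 * board, a plain struct here) so it survives resets and never goes back. */
struct nonce_state {
    uint32_t device_id;   /* fixed per transmitter; keeps nonces distinct if several devices share a key */
    uint32_t counter;     /* next value to use; must never decrease */
};

/* Returns 0 and writes an 8-byte nonce, or -1 when the counter space is
 * exhausted and the key must be replaced before anything else is encrypted. */
int nonce_next(struct nonce_state *s, uint8_t out[8])
{
    if (s->counter == UINT32_MAX)
        return -1;                         /* refuse to wrap: a wrap would repeat nonces */
    uint32_t id = s->device_id, c = s->counter;
    out[0] = (uint8_t)(id >> 24); out[1] = (uint8_t)(id >> 16);
    out[2] = (uint8_t)(id >> 8);  out[3] = (uint8_t)id;
    out[4] = (uint8_t)(c >> 24);  out[5] = (uint8_t)(c >> 16);
    out[6] = (uint8_t)(c >> 8);   out[7] = (uint8_t)c;
    s->counter = c + 1;                    /* store this before transmitting in real firmware */
    return 0;
}

/* Receiver side: accept a packet only if its counter is strictly greater
 * than the last one seen from that device (replay / reorder rejection).
 * last_seen starts at -1 so that counter value 0 is accepted once. */
int nonce_accept(int64_t *last_seen, const uint8_t nonce[8])
{
    int64_t c = ((int64_t)nonce[4] << 24) | ((int64_t)nonce[5] << 16) |
                ((int64_t)nonce[6] << 8)  |  (int64_t)nonce[7];
    if (c <= *last_seen)
        return 0;                          /* replayed or out-of-order packet */
    *last_seen = c;
    return 1;
}

int main(void)
{
    uint32_t ivs[SAMPLE_INTERVALS_LEN];
    sampled_interval_ivs(SAMPLE_INTERVALS, SAMPLE_INTERVALS_LEN, ivs);
    printf("scheme A: %zu of %d IVs repeat an earlier one\n",
           count_duplicate_ivs(ivs, SAMPLE_INTERVALS_LEN), SAMPLE_INTERVALS_LEN);

    struct nonce_state tx = { 0x0A0B0C0D, 0 };   /* constructed device id */
    int64_t rx_last = -1;
    uint8_t nonce[8];
    for (int i = 0; i < 3; i++) {
        nonce_next(&tx, nonce);
        printf("scheme B: counter=%u accepted=%d\n",
               (unsigned)(tx.counter - 1), nonce_accept(&rx_last, nonce));
    }
    printf("scheme B: replay of last nonce accepted=%d\n", nonce_accept(&rx_last, nonce));
    return 0;
}
```

On the constructed intervals `count_duplicate_ivs` reports three repeated IVs out of six, while the monotonic counter produces none by construction, and `nonce_next` refusing to run past `UINT32_MAX` turns counter exhaustion into a forced rekey rather than a silent repeat. Sending the counter in the clear in the packet header is fine: a nonce needs uniqueness, not secrecy, and it is what lets the receiver do the replay check without any IV exchange.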

Clive Robinson November 1, 2015 11:34 PM

@ Grauhut,

Today you need at least three identities, your official one, your official unofficial one and the secure one.

You need way more than that.

It’s a question of “roles” and the fact that web browsers and similar do not support them. It’s something I have moaned about from time to time for quite a few years.

Put simply, on average an individual has parents, a spouse, children, hobbies and a job. Each of which is related to not just the individual but a combination of the individual and one or more of the other entities.

Thus you are not just a child to your parents, you are also the husband of their daughter in law and parent to their grandchildren. Each is actually a separate role that has overlaps with the other roles. Whilst we usually appear to have no problem with these complex roles, we have yet to develop the required technology to support them.

Personally I don’t believe it’s down to a limitation of technology but a limitation of will. That is those who design the technology appear to suffer from the same perversion of those in power, in that they do not wish to acknowledge that an individual has many roles in life only some of which have any other overlap [1]. Thus their technology ideal for a person is a single number not a multifaceted individual. And unfortunately this perversion has a very negative impact on our privacy, security and mental health as it forces the teardown of social walls and separated trust models we need for our wellbeing.

[1] That is you may be a manager at work, the secretary of your local football club and member of your local library as well as having a couple of bank accounts and credit cards.

tyr November 2, 2015 1:01 AM

@Clive

Your internal neural modules get reconfigured on the fly
to accommodate each new role. Since unused functions do
atrophy, these also resist being unused. Once you couple
that internal continuous rearrangement with the web of
external connections that make up your life everything
gets complicated. Since the cultural narrative is simple
you get a lot of friction at the interface. Eventually
you have to discard the epistemological cartoonery of
your culture in favour of pragmatism. That traps you
into your own knowledge which might not have all the
answers either. The whole point is not to give up the
fight. The idea that you can control every part of
the security landscape only leads to madness. The
nation state spooks are busy making themselves a lot
of enemies, for them to hang around here trying to
make a few more is really dumb. Hounding Aaron Swartz
to death was an incredibly bad idea which backfired
badly. There’s a Chinese proverb about disturbing the
scholar which implies you should attack a tiger since
it is safer. We have been subjected to a rash of the
dumbest ideas lately under the guise of making more
things safer, no one is about to trust them until the
damage gets repaired. No amount of increased snooping
will fix that loss of trust.

You have to admire the irony of the Turks managing to push an Islamic invasion force into the EU. Even better it was NATO which started them on the move. Most have been looking at the Saudi/Sunni vs Iran/Shiite clash over middle east dominance and forgetting that the Turks were dominant there before WW1. Similar to going into Afghanistan without reading the history of the past there.

I did find the idea of Murray Bookchin the anarchist thinker being the philosophical underpinning of the Kurdish PKK quite intriguing. Strange world we’re living in.

@ianf
Improvise, adapt, overcome and know you are appreciated.

Gerard van Vooren November 2, 2015 1:40 AM

@ Clive,

Personally I don’t believe it’s down to a limitation of technology but a limitation of will.

I disagree with that to be honest. If “secure” networking, which includes the web as well, were in the form of ECC in the “box” model of DJB, where both endpoints have a keyset, the only thing needed to change an identity would be a change of keyset. A secstore that is combined with a computer login account (think Plan 9) could help with that. That would deal with all the login forms you see on web sites, where every web designer has to reinvent the wheel. You want a new identity? Just create a new keyset. Browsers could have colored tabs to indicate the identity, and with ECC the key length is short (both pub and priv are 32 bytes), so they could be printed out on paper and, in case you lose one, it could be recreated.

Rick Harry November 2, 2015 2:06 AM

@ Clive Robinson, “Personally I don’t believe it’s down to a limitation of technology but a limitation of will.”

There has been no evidence which suggests a shortage of astroturfing, as a profession or recreation, unless I’m mistaken. New keysets likely won’t circumvent the fixed endpoint either. You may have roles with different browser/OS combos, but your ISP, as in your previous post, sees it coming from the same MAC. There are watermarks, er, fingerprints, wherever footprints are made. Despite the mystery of Jekyll remaining unsolved, the Mr Hydes no longer have places to hide. What evil lurks under broad daylight…

Persumably Alive November 2, 2015 4:15 AM

The New World Order is as chaotic as the Old World Order, but don’t tell anyone, it all depends on people still believing they have some sort of control over completely random and unpredictable events. Fortunately 9 out of 10 people are idiots which should give us all some sort of strange comfort.

ianf November 2, 2015 6:18 AM

I read The Guardian’s newsletter so you won’t have to:

Counter-terrorism policy
Online surveillance bill ‘will fall without judicial oversight’

Former shadow home secretary David Davis says investigatory powers bill will have to let judges’ authorise warrants

http://www.theguardian.com/politics/2015/nov/01/online-surveillance-bill-will-fall-without-judicial-oversight-david-davis

Companion: the app that walks you home at night

An app that turns your friends into digital chaperones (via GPS tracking) aims to reassure those travelling alone late at night. We put it to the test

http://www.theguardian.com/technology/shortcuts/2015/nov/01/companion-app-keep-you-safe-walk-home

Apple spins impressive narrative of success, but are there holes in the story?

There’s no question that Apple has had a legendary run and often exceeds Wall Street expectations. A company, however, is more than its numbers. Here’s why

http://www.theguardian.com/technology/2015/nov/01/apple-success-narrative-wall-street-expectations

Biography | The Observer
Jeremy Gavron: ‘My mother was a woman who looked for solutions. Suicide was a solution’

Why did Hannah Gavron, a brilliant writer and lecturer, take her own life aged 29? Why did her husband refuse to discuss her death with their two boys? Her son, Jeremy Gavron, talks about unravelling these mysteries in a cathartic book

http://www.theguardian.com/books/2015/nov/01/hannah-gavron-a-woman-on-the-edge-of-time

ianf November 2, 2015 6:38 AM

Wrote MarkH (in modified order)

I won’t debate the international situation on this thread. If anyone is interested in a discussion on the topic [Ukraïne] that is anchored in objective facts and critical analysis, perhaps we can find a suitable place for that.

    For the moment we can not, and, besides, this forum won’t suffer irreparably from YAOTD (the ACRNM lovers here will have no trouble decoding this ad-hoc ACRNMZTION ;-)) However, I am moving it to this OT-friendlier Squid territory! [BTW. outside dry Tottenham Hotspurs : Chelsea FC “Nil:Nil” there are no objective facts. Also Ayn Rand had the monopoly on Objectivism.]

[…] “My historical background information comes from academic historians whose impartiality (on their professional topics) is soundly established.”

Please name these sources in passing, as merely saying to be relying on something undefined makes your point into a rhetorical device. Your decisive “impartiality of academic historians” is just an opinion, not some assurance of one true dominion of unassailable insights into the subject matter[*]. Historians are like the rest of people: they have foibles, pet theories, political baggage, institutional and metaphysical dislikes, etc. Not the automatic paragons of virtue that you imply (observe that this is a generalized, not a personified argument). Then there are historians writing for other historians, and those who write for book-buyers… disparagingly called “journalists” or “publicists” by the academic ones. My sentiments are with the popularizers, and in the case of (specifically your topic of interest) Ukraïne: Timothy Snyder, Adam Michnik, Anne Applebaum, the general Central-European-ist Timothy Garton Ash, plus Geert Mak and Marci Shore for color (I also recall a magazine piece on the end of Soviet Russia by Tony Judt, but can not place it).

FTR MarkH is “passionately committed to the principle that the territorial integrity, independence, and sovereignty of every UN member state must be held inviolable, excepting only certain extreme situations of human rights violations or aggression against neighbors.”

Lovely. Did that also apply to the formally independent UN member state Ukraïne when it was part of Soviet Russia (alongside another of its pocket-republics in the UN, Belarus)? Prior to the dissolution of the USSR in 1991, that was the only “independence” that the Ukraïnians ever “experienced.” Granted, I am not tainted by in-your-facing the mental conditions on the streets of Kiev or Moscow. Hence I don’t have a vested position to defend—other than being taken for a (“vacuously verbose” as per a recent diagnosis here) kook.

That said, let me tell you something about what—as I’ve come to conclude—the Ukraïnians want: they don’t know what they want. They have so much historical baggage to deal with, from way before Tsarist Russia, the 30s Holodomor, and WWII Nazi-allied quasi-autonomy, that they don’t know where to begin to unravel it. As a now-independent nation, they simply haven’t had the time to catalog, let alone grade, all the ills of the past that they need to attend to. Nominally a resource-rich nation, they manage it so badly, while being economically and energetically tied to the Russian Federation (and vice-versa), that that independence is not much bigger than it was in Soviet times (in this respect the firmly pro-Russia-come-hell-or-high-water Lukashenko regime in next door Belarus isn’t fooling itself).

From my Western (safe for now) vantage point, the Ukraïnians have yet to develop a coherent vision of their place in future Europe. Ironically, the overt Russian aggression forced them to start (on) that process—as neither your cherished Euromaidan, nor the Orange Revolution, has led to anything above more chaos and confusion, and the emergence of local thugs ensuring “security” of these chauvinistically-minded gatherings. Thugs now folded into informal vigilante militias that patrol nighttime streets of cities demanding bumagi (papers) from any darker-skinned or Oriental-looking pedestrian. Beating some up to underline the degree of their “welcome.”

So on the whole, much as I hate the ongoing Putinada, I tend to take a long view of the situation in Central Europe, its still post-Habsburgian convulsions. Once freed of the Tsarist yoke (last Russian troops leaving in 1993), Poland couldn’t wait to join the EU, join NATO, and is now wooing the USA to become its forward base as a precaution against future Imperial Russian “embrace” (the Americans will have their depôts there; also in Romania, and surprisingly in traditionally pro-Russian Bulgaria). NATO’s new fast response task force HQ has been placed in Szczecin/Stettin, on the Baltic border with Germany, a mere 5 minutes away by F-16s (stationed 2 minutes’ flight time further away) from Scandinavia. Etc.

Nothing remotely of that sort has been overtly attempted east of Poland and three miniature Baltic states by any Western nation. Nevertheless, the way it looks to me, with the key European landmass Ukraïne mismanaging itself to the point of a civil war, Putin grabbed the opportunity that manifested itself, and wrenched the prime real estate of the Crimea, once assigned away by an edict, back into the Russian dacha-land. Did that in a bloodless—even you, MarkH, must admit it—form of a warning to the West: this is where the sphere of eternal Russian influence begins. The Ukraïnians had better learn how to tame the beast from within.

(whether that my unemotional POV can be read as a defense of Russian imperial mindset or not I leave for non-Russians to decide.)


[*] regarding the alleged impartiality of academic historians… an example from a nearby neck of the woods. Following publications of “Neighbors” (2001), about horrific massacres of local Jews by their Polish neighbors in (just after operation Barbarossa 1941) wartime Eastern Polish borderlands; and “Fear” (2006), on the condition of the returning Jewish survivors there after 1945, both by Jan T. Gross of Princeton, I was surprised to learn that these wartime crimes, as horrid as any of ideologically-driven Nazi Holocaust, and later officially sanctioned acrimony, went unpublished for 55 years after the war. Then I learned that not a few Polish contemporary authorities on history in these very regions were conducting studies, writing books, arranging international symposia etc for at least 25 years without EVER alluding to in the open, let alone attempting to document those pogroms. To the catholic nation Poland—forget the “communist” patina—they simply were beyond indigestible confrontations of not solely being victims of the Nazis, but also in places co-perpetrators. The amount of vomit meted out to Gross, and later another “foreign” historian Jan Grabowski who wrote about “Judenjagt” (WWII Poles hunting Jews in hiding in the countryside for glory and bounty), also he with tenure at U. of Ottawa, Canada, was out of this world—and it will take at least 3 more generations, great-grandchildren of the perps to have died out, before the Polish nation can look itself in the mirror and admit its collective complicity after the fact. And in this very respect (=modern times “Unchristian” culpability), the Ukraïnians also have lots of fascist “ghosts” of their own, and so far no incentive to exorcise them. No wonder then that there are court historians, and such with private agenda. End of historian impartiality digression.

ianf November 2, 2015 7:05 AM

ADMINISTRIVIA: those wishing to delve deeper into the background to my preceding contribution to MarkH’s—Dirk Praet’s discussion, can read those items in turn (in earlier ones just a paragraph or two). My comment to Dirk follows after the list.

Dirk Praet • March 14, 2015 10:05 PM

MarkH • October 30, 2015 11:08 PM

MarkH • October 31, 2015 5:14 AM

Dirk Praet • November 1, 2015 6:04 PM

MarkH • November 1, 2015 7:33 PM

Dirk Praet • November 1, 2015 8:24 PM

@ Dirk Praet • yesterday 6:04 PM

Ukraine is just another example of US “regime change” policy that blew up in everybody’s face and completely destabilized yet another country.

It never went that far, the Ukraïnian oligarchs were too busy enriching themselves in the time window when Russia left it alone—and then it blew up.

@ [yesterday 8:24 PM]

[…] the Ukrainian bodybuilder shopkeeper of Russian descent where I’m buying my food supplements sees things entirely different…

Had you tried to shoplift these food supplements just to judge their effectiveness as supplements?

… than my middle-class neighbour girl from Kiev who’s working in the film industry. The only thing they actually agree on is that both the US and Russia should have kept their noses out of their affairs.

Nah, neither can see beyond their noses… Ukraïne is not an island, but a key puzzle part in the map of Europe. This notion of going it alone is very romantic, but an unrealistic one. So, if not with Russia, its future can only lie with its Western (and transformation-wise a success story) neighbor Poland, its once-colonial overlord (XVI-XVIIc). For that to happen, however, the Ukraïnians need to downgrade their nationalist hero Stephen Bandera in whose name WWII Ukraïnians couldn’t wait to ethnically-cleanse the Motherland from native Jews and Poles, as bloody as any this side of Rwanda.

Meanwhile in present-day Poland, the European migrant crisis has awakened the question of preparedness for a potential projected 500,000 Ukraïnian refugees in a fortnight should the armed conflict across the border escalate and shift westwards. There already are some 100-200k Ukraïnian emigrants there, tending jobs that the Poles no longer want; warts ‘n all, they share the same Slavic roots.

It is not too far-fetched to imagine that, were such forced mass influx to take place, and the Poles do not negate that opportunity (which is not assured), it could be the civic education chance for future democratic leaders of Ukraïne (after all Adam Michnik and others did build up a framework for a civic society during Communist party rule, which stood ready to take over in 1989… I don’t see that civic-society-up-from-below spirit in Ukraïne, or else it doesn’t “seep out”).

ObLocalVignetteContent: Everything Is Illuminated, the movie.

Peter K November 2, 2015 8:36 AM

@ tyr said:
If you assume that processes have effects that reach beyond the immediately causal, you can also note that the heroes of the nation state become entrapped in that false narrative because of their environment. Secret spookery is toxic to the mind, toxic to ethical and legal behaviors.

I’m going to assume “heroes of the nation state” is a figure of speech.

I don’t believe there are heroes, only mysteries. I don’t visit this blog to worship a hero, but instead to be intrigued by his tenure. Secrets often inspire curiosity, or they can inspire innovation when put into the right context or mindset. What is toxic is lethal to some but legal to others, as you seem to be pretty well-versed in recreational drugs. Secret spookery, isn’t that what inspired countless discussions on Schneier’s blog? I understand your point, I think.

Clive Robinson November 2, 2015 9:13 AM

@ Figureitout,

So what I’m thinking is to have it constantly counting/running in background and to save its value on a detection and then reset back to zero, and that’s the new IV for the next exchange.

Err no, resetting will create a bias towards the lower number range, in a way an external observer can take advantage of.

You would do better to encrypt the value and then load that into the counter. Or use a separate CTR crypto-counter to generate the new value to load.
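
To make the two options concrete, here is an added example (not Figureitout’s or Clive’s code) that simulates both schemes: a counter that is reset to zero on every detection, so the IV is just the tick count since the last event, versus a free-running counter whose value is passed through a keyed permutation before being used. The keyed permutation is a small HMAC-based Feistel network standing in for “encrypt the value”; the key and the event timings are constructed test data.

```python
import hashlib
import hmac
import random

# Added example (not from the thread): compares the two IV schemes discussed
# above. The key and the event timings are constructed test data.

MASK32 = 0xFFFFFFFF


def _round_fn(key: bytes, half: int, rnd: int) -> int:
    """Keyed round function: HMAC-SHA256 over (round number, 32-bit half), truncated to 32 bits."""
    msg = bytes([rnd]) + half.to_bytes(4, "big")
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:4], "big")


def encrypt_counter(key: bytes, ctr: int, rounds: int = 8) -> int:
    """Keyed bijection on 64-bit values (balanced Feistel network over HMAC).

    Stands in for 'encrypt the counter value': because the map is a
    permutation, distinct counter values always give distinct IVs, and the
    output reveals nothing about the counter without the key.
    """
    l, r = ctr >> 32, ctr & MASK32
    for i in range(rounds):
        l, r = r, l ^ _round_fn(key, r, i)
    return (l << 32) | r


def decrypt_counter(key: bytes, value: int, rounds: int = 8) -> int:
    """Inverse of encrypt_counter; demonstrates that the map really is a bijection."""
    l, r = value >> 32, value & MASK32
    for i in reversed(range(rounds)):
        l, r = r ^ _round_fn(key, l, i), l
    return (l << 32) | r


def simulate(n_events: int, key: bytes, seed: int = 1):
    """Run a free-running counter through n_events 'detections'.

    naive:     IV = ticks since the last detection, counter reset to zero
               (the scheme that produces the low-range bias)
    encrypted: IV = encrypt_counter(free-running counter), never reset
    """
    rng = random.Random(seed)
    naive, encrypted = [], []
    free_running = 0   # never reset
    since_reset = 0    # reset to zero after every detection
    for _ in range(n_events):
        ticks = rng.randint(1, 1000)   # constructed: ticks elapsed before the next detection
        free_running += ticks
        since_reset += ticks
        naive.append(since_reset)
        since_reset = 0
        encrypted.append(encrypt_counter(key, free_running))
    return naive, encrypted


def collisions(ivs) -> int:
    """Number of repeated IVs in a sequence (0 means every IV was unique)."""
    return len(ivs) - len(set(ivs))


if __name__ == "__main__":
    key = b"constructed-test-key"
    naive, enc = simulate(2000, key)
    print("reset-to-zero: max IV", max(naive), "repeated IVs", collisions(naive))
    print("encrypted counter: repeated IVs", collisions(enc),
          "range", hex(min(enc)), "..", hex(max(enc)))
```

With the reset scheme every IV is bounded by the longest gap between detections, so after a few thousand exchanges the same small values recur and an observer who sees the IVs also learns the event spacing. With the encrypted free-running counter no IV repeats, the values are spread across the full 64-bit range, and the observer learns nothing about the counter without the key. A separate CTR-mode keystream, as suggested above, achieves the same thing with a standard block cipher instead of the Feistel stand-in used here.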

Clive Robinson November 2, 2015 9:32 AM

@ Gerard van Vooren,

I disagree with that to be honest.

Err, I think there is some confusion here…

You went on to describe one technical solution, which would work in concert with other technical solutions. But you forgot to mention it was not available to the majority of users as the web browser developers had not put it in.

That is for some reason the developers “lacked the will” to add such available technical features so they could be used.

@ Rick Harry,

You may have roles with different browser/OS combos, but your ISP, as in your previous post, sees it coming from the same MAC.

This is a “choke point” issue for which there are known solutions that are currently deficient in implementation.

For instance ToR and many VPN systems rob the ISP of meaningful data due to encryption of content and connectivity information other than the single IP address of the ToR/VPN entry point.

However both ToR and VPN systems are deficient in that they do not take sufficient steps to prevent traffic analysis. The steps to make the fix are quite well known, but are not implemented by the developers.

That is the developers “lack the will” to use the available technology.

In the Shadow of Ravens November 2, 2015 9:44 AM

Peter K wrote:

“Point there was simply that it is “up for debate”, though I would point out that debate tends to be useless. Because the facts will be unknown.”

Hence the second greatest mystery of modern mankind, with whom the mystery of Schneier’s blog shy in comparison.

In context, which the snippet poorly shows, that mystery would be ‘what secretly goes on deep in the shadows of controlling corporate and governmental influence’. A significant problem with debates on the matter, is people can not know, do not know, or they can not prove they know. With some very rare exceptions.

So debates and any other manner of discussion [including news reports, statements by pundits, and so on] generally involves very distant speculation.

A point I would stress here for readers is that the unbelievable does happen, and there are matters which go on which you would not believe even if told. This can be difficult for a lot of people to wrap their minds around. But, for many, they can perform some thought exercises to do so: for instance, for those with unusual intellects, such as a number of the posters here, you surely know there is much you can not speak to ‘everyday people’ about because they either would not understand, or straight up not believe you on. You are certainly not alone in that. But, just about anyone can search their experience and find some matters so statistically improbable, that they can not easily discuss it with strangers, and maybe even some matters too unbelievable to even discuss with friends.

Likewise, there are some things that go on in a decidedly controlling way in the ‘corridors of power’, that you simply will not hear about ‘in the news’. And fact is, one of the best pieces of advice I ever got as a young person was not to believe what you read in the news.

There certainly are statistically highly improbable individuals, or individuals with extremely rare capacities, and more so, there are collections of such individuals who get together in corporate, in private, in government. And do stuff. And to some degree, there are even statistically improbable training systems to help produce more. Anyone can ascertain examples ‘like this’, just considering what can be seen, such as elite groups of scientists, or even more seemingly mundane, elite groupings of the super wealthy.

@Z/Zaphod, @anyone

on router security, attack and defense:

Besides what was said. Including that there is not 100% security for routers at this time. Granted, I do not think anything is 100% secure. I do believe going the custom route is most likely to get you the best security. Make sure you have a strong password, no additional accounts, and as few services running on it as possible.

I have dabbled with wrt and been tossing about considerations for writing security software “for it”. I have not yet looked into what solutions may be available for it, recently. The last time I looked, it was dismal for all routers, hence partly for my idea. I do not mind throwing out some design models, but some include: a system which alerts the network at any access immediately (one way of doing this besides a direct client/server tcp type connection is by slightly disguised ordinary network traffic); a system which pipes out to another system (could even be tcp connection to home/work system client/server) all traffic for second degree inspections. That inspection could be for analysis against network traffic not seen, but should be seen on other routers, or on other systems, thereby revealing rootkits; and some minor, small encapsulated, advanced endpoint type solutions; tripwire like file integrity solutions; whitelist binary type solutions; anti-wifi attack code; etc.

Any of that is open for influence, freely, if it gives anyone ideas. I am usually simply too lazy to write up stuff, reality: just have better things to do.

Sooner or later, someone will write some of those solutions, regardless. They are inevitable type of solutions. Though some of these sorts of solutions can run on other network devices.

Compromise of routers is typically through simply bad mistakes such as leaving extraneous services up like web management solutions, as well as through default passwords and bad passwords and usernames.

Zero day is typically found in the extraneous services. They are poorly QA’d, usually with no security “QA” at all, no security analysis. And zero day that is fully disclosed ends up mainstream for script kiddies. That updates are difficult to do is another major issue, and often they are not done at all by end users. Updates by vendors are slow, if at all.

You can deeply mitigate all those basic problems on your router — you can certainly do so even better with open source, custom router you carefully learn and set up.

If you are a noob to router attacks, an excellent way to educate yourself is get a wifi pineapple and explore. Use it. Relatively low brow, but hands on experience is good, and it has a range of attacks. Largely focused on wifi, but wifi is important, and many principles are the same or similar.

Some of the very worst attacks are poorly known. Barnaby Jack, for instance, showed in the early 2000s how code can be written for routers to search incoming traffic for Windows executables being downloaded by downstream systems — any such download is then trojanized at the router, so there is a high chance that all downstream systems are compromised.

There are many variations on that theme.

Routers can also serve as “middle men” for unique rootkits on downstream systems. A good one is one which alters the system’s trusted store, so all encrypted traffic which relies on the trusted store is able to be broken.

Reliance on downstream systems and encryption is a critical facet of router security and these sorts of problems. End to end encryption. And remember, besides your own router, there are many systems your unencrypted traffic passes from here to there.

Unfortunately, if the downstream system is compromised, there are many potential changes to how it handles ‘end to end encryption’ which could make it appear to work, but the integrity of it be entirely broken. Besides just alterations of the trusted store.
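
One of the router-side defences listed above, a tripwire-style file integrity check, as an added example that is not the commenter’s code nor part of any router firmware: it hashes every regular file under a directory, stores the result as a baseline, and on the next run reports what was added, removed or changed. The directory tree, file names and contents below are constructed; on a real device the baseline would be taken from the firmware’s configuration and binary directories and kept off the device.

```python
import hashlib
import json
import os
import tempfile

# Added example (not from the thread or any router firmware): a minimal
# tripwire-style integrity baseline. Paths and file contents are constructed.


def hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map relative path -> {sha256, size, mode} for every regular file under root.

    Symlinks are skipped (their targets are hashed where they live) and
    paths use '/' so a baseline taken on the device compares cleanly off it.
    """
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {
                "sha256": hash_file(full),
                "size": st.st_size,
                "mode": st.st_mode & 0o7777,   # permission bits only
            }
    return baseline


def compare(old: dict, new: dict) -> dict:
    """Report files added, removed, or changed in content, size or permission bits."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"added": added, "removed": removed, "modified": modified}


def save_baseline(baseline: dict, path: str) -> None:
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path: str) -> dict:
    with open(path) as f:
        return json.load(f)


def demo() -> dict:
    """Baseline a constructed tree, change it, and return what the check reports."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/ash\n")
        with open(os.path.join(etc, "dropbear.conf"), "w") as f:
            f.write("Port 22\n")
        baseline_path = os.path.join(root, "baseline.json")  # in practice: kept off-device
        save_baseline(build_baseline(etc), baseline_path)

        # Constructed changes standing in for tampering or an unplanned update.
        with open(os.path.join(etc, "passwd"), "a") as f:
            f.write("nobody:x:65534:65534:nobody:/:/bin/false\n")
        with open(os.path.join(etc, "rc.local"), "w") as f:
            f.write("#!/bin/sh\nexit 0\n")
        os.remove(os.path.join(etc, "dropbear.conf"))

        return compare(load_baseline(baseline_path), build_baseline(etc))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The check is only as trustworthy as the baseline and the code that runs it: if both live on the router, a compromise that rewrites files can rewrite the baseline too, which is why the comment’s idea of piping data out to a second system for inspection matters here. Storing the baseline on that second system (or signing it) and running the comparison from there turns this into a useful tamper detector rather than a self-certifying one.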

In the Shadow of Ravens November 2, 2015 10:39 AM

@Figureitout

Getting involved in opensource, is very commendable. I had some great experiences doing so when younger. It is very rewarding to see that while often the projects went nowhere, just as often they influenced future projects. For me, I prefer the knowledge that gives me, as opposed to money or acclaim.

That said, I know, for my own self, I consider myself more of a “people person”, though my “day job” typically is highly technical. Thankfully, a natural quick study, who grew up among other quick studies, so also received extensive training in that early on.

I note this because it does mean that I often have gotten to jump into a lot of scary groups and work, and then visit others, here and there. So, have met a lot of people in the vuln finding space, in the space of creating and using cutting edge systems, and also visited a number of the more odd situations. Including some of the more scary ground zeros of major hacks out there: such as Heartland, and Chicago Nasdaq, unnamed defense contractor that got hacked, unnamed major financial company, unnamed military base, etc. Talked extensively with others from a wide variety of perspectives. Vuln finders, system creators, won’t even obliquely name, but a lot.

Some observations: one, that nearly needs not be said is it is only going to get worse, and the main factor there is because offensive technology is maturing in a way that makes it far more accessible to more users. Secondarily to this is awareness of the value of attack is spreading deeper into governmental and corporate mental landscapes. Secondarily only because it is very related.

Finding security vulnerabilities of significant value (‘difficult to find’ critical vulnerabilities in ‘high use’/’critical use’ applications) was traditionally very difficult. Ten and fifteen years ago, there were custom, proprietary systems developed in research labs which made this process substantially easier. Very slowly this made it to government. Now, it is at the stage it is bleeding into the mainstream. And in about five years, it will be available and used widely in the mainstream. Which means governments, as well as corporations.

This means the pool of available high level security bug finders which traditionally has been very small, will fast expand. So even people with far more common natural skill sets can be brought in to find the vulnerabilities. Which effectively means ‘backdoors everywhere’.

That tech is a type of ‘greyboxing’, where SAST (automated code review) and DAST (black box testing like fuzzing) are mixed with hooked in processes allowing what effectively comes out to be truly automated SAST analysis. Typical term used today is “RASP”, it is erroneously called “new”.

It is also true the exact same trend is happening in protective solutions against ‘previously unknown attacks’ (be these previously unknown vulnerabilities, exploits, or malware). However, much of that technology remains out of grasp of the everyday consumer, and much of it is too cutting edge for most governmental and corporate organizations at this time.

There are other strong protective trends, a key one is also obscure, which is the move to ‘monetize risk’. On the surface, this can seem unimportant, but it is critical. It means being able to express in financially and scientifically accurate terms the true risk open vulnerabilities mean to corporations. In insurance like level accuracy, and in dollar value that leaves little open for debate. That means defensive security will invariably grow. Right now, it practically grows by voodoo.

IMO, would love to see developers pushing to open source, free consumer/corporate/other groups advanced defensive products. Smartphone security is bad; anonymity security has countless wide open niches even still; secure email services (look at the waiting list for proton, and speaking of, dig back a year or two and look at the flaws found in it), never mind the lack of services that provide nyms; router security, wired and wireless; router security; network and system anti-rootkit security; etc.

Probably should get off my butt and do some (again), my own self, but just noting the above, as well.

Finally, in all of this, the ‘monetization of attack’ has been nowhere near as exploited as it can be. That is for sure. Not in terms of governmental espionage (gov vs gov), not in terms of corporate espionage (immense boom to expect there, imagine if every company realized the value of copying processes and procedures, not just IP, of their competitors), in terms of “hacktivists”, and so on. In terms of end user criminal consumers (everyone with even minor moral failings wants to know others secrets and are willing to pay), and certainly real criminals, professional and wannabes.

‘Information apocalypse’ is a term. And I do not mean by that ‘happens like lightning so all see it across the world at the same time’, though one can expect those sorts of disasters, and certainly ‘a big one’. But, so often it is like a season. Slow, gradual change over a ‘long’ period of time that people hardly even notice as it happens, until they are surprised, because ‘it is winter’, at the first big snow.

Derisible November 2, 2015 12:13 PM

Curious.

Guide to reading comments @ Schneier:
(0 Use a scroll wheel or PageDown.)
1 Completely ignore anyone who doesn’t understand the mass in mass surveillance.
2 Completely ignore anyone who thinks they’re not a target.
3 Completely ignore everyone who has a sustained habit of writing extremely long comments. They’re not nearly as smart as they think.
4 Completely ignore apologists.
5 Completely ignore replies to 1-4.
6 Mostly ignore link spamming.
7 Notice the names of offenders, ignore everything they write.

Remove a vast amount of noise with little or no signal loss.

If that gave you ample free time you could read source documents, comprehend, learn, and do according to actual comprehension.

@[Hint, I_P I_C, King’s B__g]
Young, inexperienced, you can’t avoid it. Reconsider the validity of other people’s games. Consider making your own game different enough to afford repeated losses. Thank you for the insightful point made last week that was lost on everybody. Pearls, swine, so forth. Trust no one.

Dirk Praet November 2, 2015 5:26 PM

@ ianf

Had you tried to shoplift these food supplements just to judge their effectiveness as supplements?

Vlad is a personal friend and in local MMA-circles known as “The Bonecrusher”. The last guy caught shoplifting at this place was a cocky Moroccan who barely made it to the hospital. It’s not recommended.

That said, let me tell you something about what do the Ukraïnians want: they don’t know what they want.

Astute analysis. Assuming everyone has done his homework, I believe we can at least agree that Ukraine – unlike Poland – is not a homogeneous nation but a quite diverse country with multiple ethnicities, historical backgrounds, interests and allegiances.

Just like the Belgian Revolution in 1830, Euromaidan was NOT a nation-wide popular uprising against an oppressive regime, but a well-orchestrated coup by a small group of politicians and special interest groups backed by ultra-nationalists and the US. Like you say, the country was totally mismanaged by corrupt oligarchs and apparatchiks leaning towards Russia, only to be replaced by more of the same but leaning towards the West.

I have never condoned Putin’s military aggression, but from a strategic and geo-political vantage, I do understand his position, seizure of the Crimea and intervention in the so-called rebel regions. As they say in French: “Il faut saisir les opportunités quand elles se présentent.”

What is not clear, however, is @MarkH’s actual analysis of the issue.

Dirk Praet November 2, 2015 5:39 PM

@ Rick Harry

You may have roles with different browser/OS combos, but your ISP, as in your previous post, sees it coming from the same MAC.

Note that TAILS spoofs all of your MAC-addresses by default.

OFI November 2, 2015 7:40 PM

@Dirk, when you refer to Russian annexation of the Crimea as “aggression,” you’re saying it’s in manifest breach of the UN Charter. How do you reconcile that with the ICJ opinion, Accordance with international law of the unilateral declaration of independence in respect of Kosovo?

http://www.icj-cij.org/docket/files/141/16010.pdf

That decision established the precedent that general international law contains no applicable prohibition of declarations of independence. Under that principle, Russia acted in compliance with international law including the UN Charter when it accepted Crimea’s accession by referendum.

Dirk Praet November 2, 2015 9:05 PM

@ OFI

when you refer to Russian annexation of the Crimea as “aggression,” you’re saying it’s in manifest breach of the UN Charter.

No I didn’t. There are several views on the subject. The right to self-determination and unilateral declaration of independence is one of them. Others invoke the 1994 Budapest Memorandum on the sovereignty and territorial integrity of Ukraine – signed by Russia – to call the referendum void and the entry of the Crimea and Sevastopol into the Russian Federation illegal.

Given the outcome of the referendum, the minimal bloodshed during Russian take-over, and – to the best of my knowledge – absence of any current reports of unrest in both areas, I guess it’s safe to say that a large majority of the Crimea/Sevastopol population was more than happy to break away from Ukraine and join Russia. As I said, Putin saw a golden opportunity and took it. For the Ukrainian government, there was exactly zero point to escalate the situation into a full-blown war they had no chance of winning anyway, especially with the majority of the local population having turned against them.

Winds of the Bot November 2, 2015 9:14 PM

@ In the Shadow of Ravens said:
“‘Information apocalypse’ is a term. And I do not mean by that ‘happens like lightning so all see it across the world at the same time’, though one can expect those sorts of disasters, and certainly ‘a big one’.”

Life goes on after big data… if and when it happens, big data will spring back even stronger because information is ephemeral; all it takes is a new generator and new sets of logic. I’m not too worried about that.

“There are other strong protective trends, a key one is also obscure, which is the move to ‘monetize risk’. On the surface, this can seem unimportant, but it is critical. It means being able to express in financially and scientifically accurate terms the true risk open vulnerabilities mean to corporations.”

That’s where the real money is, please excuse the cliché. But mostly I think to funnel the funding. Lots of money to be made there legit. But like most exotic cars, as Ferraris are expensive to repair, it may brew a whole new set of apocalypses, which will be timely repaired of course.

@ Derisible

“Guide to reading comments @ Schneier:”

Amen to that.

@ Clive Robinson

“For instance ToR and many VPN systems rob the ISP of meaningful data due to encryption of content and connectivity information other than the single IP address of the ToR/VPN entry point.”

As a matter of choke points. A clever tactic, perhaps?

Figureitout November 3, 2015 1:24 AM

Clive Robinson
–Well I’m getting microsecond resolution on a timer. This “counter” (test program for nRF24 that just sends this timer value back and forth) when wrapping around went right away to around ~171000. So an attacker would really need some tricks to bias that, or it would be biased during an attack until attacker left or if attacker left something to force continuous reset (monitoring it should detect that, as w/ this chip you can transmit to 6 devices at once). It takes around, well I’ll probably time it, but maybe 10-15 min to cycle thru max value or ~4.2 billion, and restarting to zero at some specific microsecond will change that cycle. Encrypting the value again leads to turtles no? Still need something pseudorandom.

So I see the attack (one could also easily obfuscate this to restart somewhere else which is my goal, really flexible, but it’s still a bias) but seems a bit hard to pull off.

In the Shadow of Ravens
–Thanks, yeah you should rejoin them. Especially your area, some of the open source tools are best in the business, which is amazing and counterintuitive.

And I know it’s getting bad, if infrastructure starts dropping…How many people battery-backup their desktops? Computer labs in most places would go down. This needs to be impossible and laughable, not feasible.

Good point RE: IP vs. processes/procedures. Agreed, turning just IP into money isn’t automatic. There’s lots of business operations and customer support for starters. Some sketchball group won’t have lots of customers when they have some IP they stole but haven’t worked w/ it enough so they can’t troubleshoot at all. Then there’s actually identifying the “IP”, all of us know there’s lots of tricks one can keep quiet and someone stealing something will have some weird bugs.

So meh, I don’t like this future where we continue focusing on offense, won’t be anything left to attack w/.

Clive Robinson November 3, 2015 2:00 AM

FEDS are still chasing Apple even though the person whose phone they want decrypted has pled guilty, and a judge has questioned their action.

http://arstechnica.com/tech-policy/2015/11/feds-explain-sort-of-why-they-really-want-data-on-seized-iphone-5s/

I’m beginning to think the FEDS are getting to the point of “Abuse of Process” which, combined with the wanton waste of taxpayers’ money, is stepping ever closer to “malfeasance in public office”.

Clive Robinson November 3, 2015 2:24 AM

@ Winds of the Bot,

Choke points are always bad news when it comes to security, it’s part of the reason why the NSA and other FiveEyes can “collect it all” because your traffic has to go through the choke points they control.

There are known solutions which basically boil down to encrypting the traffic and source and destination information and using a “data concentrator” to navigate the choke points with fixed rate traffic.

Obviously picking the point or method of feeding in and out of the data concentrator is important otherwise they will just create a choke point on the other side of it and monitor that instead.

The fact that the ToR developers have been well aware of the issues to do with traffic analysis since day one and have not done anything to deal with it, is one reason I steer well clear of it.
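
The fixed-rate "data concentrator" idea above, as an added simulation in Python (my code, not anything from the comment or from any real tool): the concentrator queues whatever the applications hand it and emits exactly one fixed-size cell per tick, padding with dummy cells when idle, so an observer at the choke point sees the same size-and-timing stream whether the sender is bursty or silent. The 64-byte cell size and the 2-byte cell header are my own choices for the simulation; in a real deployment the cells would also be encrypted, so data and padding cells are indistinguishable by content as well as by size.

```python
from collections import deque

# Added example, not from the comment. Cell size and header layout are
# assumptions made for this simulation.
CELL = 64                 # bytes on the wire per tick (assumed)
PAYLOAD = CELL - 2        # 1 byte cell type + 1 byte payload length, rest is payload
DATA, PAD = 0x01, 0x00


class FixedRateConcentrator:
    """Queues messages and emits exactly one CELL-byte cell per tick,
    padding with dummy cells when nothing is waiting."""

    def __init__(self):
        self.queue = deque()

    def submit(self, msg: bytes) -> None:
        # Split a message into PAYLOAD-sized chunks; the last one is zero-padded
        # and its real length recorded in the header so the receiver can trim it.
        for i in range(0, len(msg), PAYLOAD):
            chunk = msg[i:i + PAYLOAD]
            self.queue.append(bytes([DATA, len(chunk)]) + chunk.ljust(PAYLOAD, b"\x00"))

    def tick(self) -> bytes:
        # One cell per tick, no matter what: a queued data cell or a padding cell.
        if self.queue:
            return self.queue.popleft()
        return bytes([PAD, 0]) + b"\x00" * PAYLOAD

    def backlog(self) -> int:
        # Cells waiting: the cost of fixed rate is latency when the sender
        # exceeds the rate, not a change in what the observer sees.
        return len(self.queue)


def run(schedule: dict, ticks: int) -> list:
    """schedule maps tick -> message handed to the concentrator at that tick.
    Returns the list of cells that crossed the choke point, one per tick."""
    conc = FixedRateConcentrator()
    cells = []
    for t in range(ticks):
        if t in schedule:
            conc.submit(schedule[t])
        cells.append(conc.tick())
    return cells


def observed_sizes(schedule: dict, ticks: int) -> list:
    """What the choke-point observer sees: one cell size per tick."""
    return [len(c) for c in run(schedule, ticks)]


def unshaped_sizes(schedule: dict, ticks: int) -> list:
    """Same sender with no concentrator: bytes leave exactly when the
    application sends them, so volume and timing leak."""
    return [len(schedule.get(t, b"")) for t in range(ticks)]


def receive(cells: list) -> bytes:
    """The far end discards padding cells and reassembles the data."""
    return b"".join(c[2:2 + c[1]] for c in cells if c[0] == DATA)


if __name__ == "__main__":
    bursty = {0: b"A" * 200, 7: b"hello"}   # constructed sender schedule
    quiet = {}
    print("shaped, bursty:", observed_sizes(bursty, 10))
    print("shaped, quiet: ", observed_sizes(quiet, 10))
    print("unshaped, bursty:", unshaped_sizes(bursty, 10))
    print("reassembled:", receive(run(bursty, 10)))
```

The second half of the comment is visible in the simulation too: whatever feeds `submit` and whatever consumes `receive` is exactly where an observer would move to next, which is why the placement of the concentrator's ends matters as much as the fixed rate itself.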

ianf November 3, 2015 2:35 AM

[Tuesday 3 Nov 2015] The Guardian today newsletter edited by the sound of (yet to be read) headlines.

Sinai plane crash: no direct evidence of terrorism, says US intelligence chief

V&A rejects offer to showcase Margaret Thatcher’s clothing

Rising deaths among white middle-aged Americans could exceed Aids toll in US

I Love Dick: the book about relationships everyone should read

Thomas Cook yet to fix safety issues years after Corfu deaths – report

Facebook relaxes ‘real name’ policy in face of protest

BONUS: YOU COULDN’T MAKE THIS UP

Australia Immigration: Human teeth found in a meal served to asylum seekers

    Those who have read “The Life of Pi” will no doubt recall the floating island with the strange tree dweller meerkats-lox fishing ecology, in which human teeth played a decisive rôle

Slime Mold with Mustard November 3, 2015 3:06 AM

@ In the Shadow of Ravens

“imagine if every company realized the value of copying processes and procedures, not just IP, of their competitors”.

You are a couple of centuries behind on this. Having actually practiced espionage on competing firms, we learned: “How the fuck do they stay in business? – Oh, it’s the bribes”. We have tons of dirt on them, but nobody wants to pull the trigger. We have a few skeletons in our own closet.

Also: By any chance do you work near an opera? Your style seems very familiar to me.

Clive Robinson November 3, 2015 3:06 AM

@ Figureitout,

A counter is a very low entropy device, the little it gets comes from the uncertainty on the clock driving it. It gets none from the seed value you use.

On the usual “the enemy knows the system” assumption, to remove the little entropy the counter has all they have to do is find some way to synchronise their clock to your counter’s clock. Due to the way most SoCs are designed that probably will not be very difficult.

Thus the only thing they are looking to do after that is determine the state of the counter, then the system is fully broken.

You therefore need to make their ability to determine the state of the counter as difficult as possible, by decoupling it from whatever it is you are doing.

The usual way to decouple the state is to put it through an encryption process, which although it does not do anything for the entropy does make the search task more difficult.

That is they either have to find/guess the key you use, or as you are only using a 32-bit counter, fill an array with the output from the crypto function to build up the sequence and then use that.

The solution to the building up of the sequence is to not reset the counter, that just makes the sequence shorter, but to re-seed the counter, and also change the output sequence from the encryption process.

You can change the output sequence of the encryption process in one of two ways, change the input or change the key. As you are only using a 32-bit counter changing the input would be a faster option.

For argument’s sake you feed the counter output into the bottom 32 bits of the crypto block but some of the other inputs come from a 64-bit stored value. Provided you change this stored value each time you re-seed the counter, you are effectively changing your 32-bit counter to a 96-bit counter, which would be way too long a sequence for an enemy to gather or use.

It’s up to you which way you do it, but you have to decouple the deterministic short-length counter from what you are using it for, because it really has no entropy value…
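
The decoupling described above, as an added worked example in Python (my code, not Figureitout’s nRF24 firmware and not anything from the comment): the 32-bit counter is never exposed directly but goes into the bottom 32 bits of a 96-bit input, the top 64 bits being the stored value that changes on every re-seed. HMAC-SHA256 stands in for the block cipher (“crypto block”) because the standard library has no AES; the structure is the same: fixed key, 96-bit input, output that is deterministic for a given key. The class and function names are mine, and `build_table` is the enemy’s “fill an array with the output” attack from the comment, so the example also shows what that attack gains when the stored value is fixed and what it loses when the stored value changes.

```python
import hashlib
import hmac
import os
import struct

# Added example (not from the comment). HMAC-SHA256 stands in for a block
# cipher; the key, stored value and counter below are constructed for the demo.
COUNTER_MASK = 0xFFFFFFFF


def crypto_block(key: bytes, stored: int, counter: int) -> bytes:
    """Keyed mapping of (stored, counter) -> 32 bytes.
    Input layout: 64-bit stored value || 32-bit counter = 96 bits.
    Deterministic for a given key, so an enemy who knows the key AND the
    stored value can tabulate it over the whole 2^32 counter range."""
    block = struct.pack(">QI", stored & 0xFFFFFFFFFFFFFFFF, counter & COUNTER_MASK)
    return hmac.new(key, block, hashlib.sha256).digest()


class DecoupledCounter:
    """A short deterministic counter decoupled from its consumer by crypto_block."""

    def __init__(self, key: bytes, stored: int = None, counter: int = 0):
        self.key = key
        self.stored = stored if stored is not None else self._fresh_stored()
        self.counter = counter & COUNTER_MASK

    @staticmethod
    def _fresh_stored() -> int:
        # On a real SoC this would come from a hardware RNG and be kept in
        # non-volatile memory so it survives a reset (assumption for the demo).
        return int.from_bytes(os.urandom(8), "big")

    def reseed(self, counter: int = None, stored: int = None) -> None:
        """Re-seed rather than reset: move the counter AND change the 64-bit
        stored value, so the output sequence changes instead of repeating."""
        self.stored = stored if stored is not None else self._fresh_stored()
        new_counter = counter if counter is not None else int.from_bytes(os.urandom(4), "big")
        self.counter = new_counter & COUNTER_MASK

    def next_output(self) -> bytes:
        out = crypto_block(self.key, self.stored, self.counter)
        self.counter = (self.counter + 1) & COUNTER_MASK
        if self.counter == 0:
            # Wrapped: never reuse a (stored, counter) pair under the same key.
            self.reseed()
        return out


def build_table(key: bytes, stored: int, lo: int, hi: int) -> dict:
    """The enemy's attack: with the key and the stored value known, precompute
    output -> counter state over a counter range and look observed outputs up."""
    return {crypto_block(key, stored, c): c for c in range(lo, hi)}


if __name__ == "__main__":
    key = b"\x2a" * 32                     # constructed demo key
    stored = 0x1122334455667788            # constructed demo stored value
    dev = DecoupledCounter(key, stored=stored, counter=5)
    table = build_table(key, stored, 0, 1000)
    print("counter recovered from one output:", table.get(dev.next_output()))
    dev.reseed(counter=5, stored=0x99)
    print("after re-seed, output in table?", dev.next_output() in table)
```

Note what the table demonstrates: the encryption step does nothing for entropy, exactly as the comment says. An enemy with the key and a synchronised clock still recovers the counter state from a single output as long as the stored value is fixed; only changing the stored value on re-seed makes the precomputed sequence worthless. Keeping the key secret and the stored value out of the enemy’s reach is what the whole construction rests on.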

Clive Robinson November 3, 2015 3:52 AM

@ ianf,

With regards finding human teeth in food, it could be worse, unlike other human derived products, they are easy to find in your food and remove…

It’s well known that when you visit a prison you don’t eat the food because it’s prepared by the inmates, who would “add a little spice” to it by way of waste body products.

I used to work in the oil industry and had to visit rigs and drilling points in various parts of the globe, which back then were mainly manned by rough and ready expats from the US and European nations.

I was told a couple of apocryphal stories as to why you don’t upset the staff that feed you and keep your living conditions pleasant.

At one site they had a roustabout crew who were American and an Italian chef. The Americans used to “take the mick” out of the chef mercilessly, till one day he had enough. At lunch he came out and spoke to the Americans as they were eating the main course and asked if they had liked the soup. They nodded and said yes and the chef went on to point out that they also liked their “funny jokes” and said he also liked “funny jokes” as well, such as “pissing in the soup” and watching “funny jokers” drinking it… Apparently the Americans got the message and the jokes stopped.

Another story was about finding things like snakes and other unpleasant wild life in your accommodation if you upset the cleaning staff etc.

Whilst those stories were probably made up, I know of a few that were definitely not made up from my time wearing the green, as I witnessed them first hand.

One of them was probably accidental but it gives you an idea of what could be done. We were out on exercise and the RQ’s assistant Nicky Dela Seara got pressed into cooking breakfast one morning as some of the cooks had done stag that night. She was given the task of frying eggs, and I must admit the eggs were beautifully fried, they looked really good, the best sunny side up I’d seen (outside my own kitchen 😉

Anyway the first person to eat a bit of one nearly threw up and said they were disgusting, and other voices quickly agreed. Sgt Maj Williams did not believe them and took a mouthful and his face was a picture to be seen… Now it turns out that the UK’s MOD procurement got in various things like cooking oil in large containers, thus it was quite common to decant small quantities into smaller containers like two litre fizzy drinks bottles to cut down on weight and size. It also turns out they also bought on the cheap… So the likes of cleaning materials were basic, unperfumed and uncoloured.

What NDLS had done was to use the bottle of what she was told was cooking oil, but was actually dish washing liquid, which because it was cheap was about the same colour and thickness as cooking oil…

Curious November 3, 2015 4:05 AM

“Internet firms to be banned from offering unbreakable encryption under new laws”

http://www.telegraph.co.uk/news/uknews/terrorism-in-the-uk/11970391/Internet-firms-to-be-banned-from-offering-out-of-reach-communications-under-new-laws.html

It must sound nice to think of the internet as ideally never becoming a “space” for “terrorists, criminals, and child abductors” to communicate safely, though it seems obvious to me that this sentiment as stated is imaginary terror, and not very realistic, given how terrible the internet seems to be with regard to lack of privacy and security. Also, the notion of “space” here seems like a forced idea, as if the very existence of such things must not become possible, and not so much about “space” being anything concrete to be subject to legislation, but something that sounds nice to the media and the public.

I also think it must be convenient to hide behind the Queen’s violence, in working for the state to rule the land, and invade some other countries.

It is pointed out in the article how people in general are of no interest to the police and the security services, though it seems obvious to me that this would be glossing over the fact that the police and security services will likely intend to monitor and surveil anyone and anywhere. The sentiment that people aren’t interested in intruding on the lives of the innocent seems like a fictional statement with no basis in reality, as if the very example of a thing they explicitly don’t want to do is really a description of a caricature, of “evil” if you will.

Reacting to a simple quotation or paraphrase in the media might not do anyone justice (as the paper/journalist might be wrong, or have simplified an answer from someone, or given it a twist), but regardless I think it is fitting nonetheless to point out that this perceived lack of sincerity is tantamount to lies, because of how I think of such a quip as being untruthful.

Btw, I vaguely recall there being some local news in Norway about the parliament members being monitored without their knowledge, but unfortunately, I’ve forgotten most of the details. I only heard it briefly mentioned on the radio. Something to do with their mobile phones being subject to monitoring and surveillance by the security section iirc.

ianf November 3, 2015 4:21 AM

@ Clive Robinson […] is beginning to think the FEDS are getting to the point of “Abuse of Process” which combined with the wonton waste of tax payers money is stepping ever closer to “malfeasance in public office”.

Fortunately for the “FEDS” (btw. there’s no such four-letter TLA in USGOV GAO public rolls, but maybe in the Secret Annex?) what you or anyone else thinks of its actions has no bearing on its actions. Dogs bark, the caravan shuffles by.

My equally-discountable take on that is that having been exposed as utter nincompoops and bumbling subverters of the US’s lofty declarations of freedoms, and found out that they are getting away with it by their Congressional overseers, these-whoever-they-be-FEDS are now in the process of testing the extent of the envelope of what they will be able to get away with in the future. After all, they are the designated guardians of the Americans against Boeing 767-borne foreign terrorists! So as long as they don’t demand access to named Congress/wo/men’s iGizmos, they should be OK. Elementary, my dear Robinson.

    As for Apple, “if you’ve got them by the short-hairs, their crypto keys will follow.”

ianf November 3, 2015 4:32 AM

@ Dirk Praet “Vlad is known as “The Bonecrusher” … cocky Moroccan shoplifter barely made it to the hospital.”

I see, first your people import Russian-Ukraïnian thugs to keep your Muslim immigrants subdued, then your people reward them with licenses to hawk potentially-body-altering, empirically untested “food supplements,” then you extoll their allegedly hard-working existence as virtuous. We’ve seen such “Eastern promises” before.

Ukraine – unlike Poland – is not a homogenous nation but a quite diverse country with multiple ethnicities, historical backgrounds, interests and allegiances.

It’s both more complex, and less convoluted than that. For ages, the by and large agrarian, until 1863 or so indentured, farm tenants of a feudal mindset never thought of themselves as anything other than “locals.” Nationality was an unknown quality, ethnicity mainly a semaphore of one’s religious and class allegiance; what mattered was which language you spoke. Lviv (then Lwow or Lemberg) was largely Polish and Jewish; Kharkiv largely Russian, etc. (farther East more and more Cossacks, and other folks of Oriental origins). The lady in a food hall stall where I bought olives was from Odessa, I assumed Russian, turned out she was Greek, with several generations rooting there.

The first effective land reform in these parts came post Russian revolution and the war of 1920-1921, followed a few years later by the campaign against just-enfranchised former indentured peasants–but now all of a sudden “kulaks” (meaning: you had one more cow than your next door neighbor), followed closely by NEP, New Economic Policy, read: confiscations of all farm produce “because the kulaks surely stashed away the rest of it,” which led to Holodomor, the late 20s-mid 30s famine that killed off 5MM Ukraïnians, caused cannibalism (acc. to some history narratives), and “assorted” ills. That’s enough to make anyone want to go out and take it out on the Jews!

I’m not going to expand on the Polish by and large ethnic homogeneity because the Poles v. well know whom “personally” they have to thank for that (not at all uncommon praise heard throughout the Nazi occupation, recorded in countless diaries).

Just like the Belgian Revolution in 1830, Euromaidan was NOT a nation-wide popular uprising against an oppressive regime

Funny you should mention it, the second time in life I ever hear about it; the previous one just a few weeks ago in passing in the context of the origins of Pan-European fiscal and taxation policies (a conference I half-tv-watched. Don’t ask).

What is not clear is @MarkH’s actual analysis of the issue.

Let’s not forego the replique… the lady is sharpening her goose quill to deliver one decisive take-that-dirks-and-ianfs-in-putin’s-pocket arrrrgh!ument.

Chive Amicable November 3, 2015 6:02 AM

@ ianf
“”FEDS” (btw. there’s no such four-letter TLA in USGOV GAO public rolls, but maybe in the Secret Annex?)”

It’s whoever bothered to show up with the jackets, and that’s a whole slew of them, so hard to remember, so you call them feds, like a collective anonymous, or so it was told by a friend who’s into networking, but I’m sure it runs deeper than that as you enlightened.

@ In the Shadow of Ravens
“Finding security vulnerabilities of significant value (‘difficult to find’ critical vulnerabilities in ‘high use’/’critical use’ applications) was traditionally very difficult.”

Wow. I think I understand some of what you said, though I don’t work in your field. It looks like the playing field got levelled a bit on the supplier side, which was traditionally monopolized by a select few nations and standards bodies. Still lots to be caught up on by others, and when that happens the field will likely be further dispersed as you depicted. I hope good folks like you are working hard to avoid us going down that road of information collapse. Thanks for sharing.

Dirk Praet November 3, 2015 7:34 AM

@ ianf

I see, first your people import Russian-Ukraïnian thugs to keep your Muslim immigrants subdued …

No we don’t. Belgium is a popular destination country for immigrants and asylum seekers from all over the world. In my home town, 6 out of 10 children don’t speak Dutch/Flemish at home. Shoplifters are generally dealt with rather severely irrespective of nationality or ethnicity because petty crime is hardly ever prosecuted, fines are never collected and prisons are full anyway. Which inevitably leads to vigilante justice unless as a shopkeeper you want to get robbed blind on a daily basis.

As to my protein food supplements, it’s either that or stuffing myself with meat, eggs and fish all day long when cross-fitting 5 times a week. Which I can’t be bothered with.

Funny you should mention it, the second time in life I ever hear about it

It’s a popular myth that the desperate Belgian people rose up against the cruel Dutch oppressor following an emotional performance of Daniel Auber’s opera “La Muette de Portici” in Brussels. In reality, the uprising was instigated by the Catholic Church and a Brussels upper-class bourgeoisie eyeing stronger ties with Paris and wanting to get rid of the political dominance of the North, its protestant king William’s freedom of religion act and linguistic reforms making Dutch the official language in the (Dutch-speaking) Flemish provinces.

The common people – especially in Flanders – did not benefit in any way from this revolution and many Flemish nationalists to date consider Belgium a historical mistake.

Clive Robinson November 3, 2015 8:31 AM

@ Dirk Praet,

… many Flemish nationalists to date consider Belgium a historical mistake.

Somebody I used to know woke up married one day in Holland, and his rather lovely wife was born down that way.

She made a comment about Belgium being a nation divided by history and language, but united by the love of good beer.

I’ve visited a few times in my life, but to be honest, both sides are friendly enough to visitors, so it’s difficult to tell the underlying politics.

I suspect that both sides do rub along, because Belgium has some of the highest population densities in the world[1]

Though the most annoying thing about Belgium from my point of view were cartons of milk products, if you pick the carton which most looks like milk in English, you get something that you really would not want to put in your tea…

Normally for a person in a foreign country supermarkets are a godsend, you go in, pick what you need, queue up, smile politely at the cashier and read the till display to get the right money, smile politely when handing it over and leave with your bags and receipt.

The other god send is Chinese and Indian Restaurants, except for London, they always have some one who can speak English. Who at quiet times will happily chat with you to improve their English, and tell you all sorts of things about the area.

Some years ago I was in Uppsala (north of Stockholm) in the Uni there, I stopped at a little newsagent’s one morning to get a can of soft drink and the bloke behind the till recognised me from when I’d been in school… We met up later and he told me some very worthwhile things to know…

Apart from Madrid, I’ve found that if you at least try a few words in the local or national language, they will take pity on you and meet you half way…

Though the one nation that taught me the most “rude words” (outside of Auz where it’s an artform) was Norway, even when being polite it can be said in a way that sounds rude 😉

[1] For those going to say that’s wrong, go look it up, I did a few years ago and it was quite a surprise.

OFI November 3, 2015 8:36 AM

@Dirk, The facts and the law are disputed by US and its satellites but they’re perfectly clear. When you say aggression, them’s fightin words, as the cracker militarists would say. By UN Res. 3314 (XXIX) aggression is first use of force.

https://www1.umn.edu/humanrts/instree/GAres3314.html

In fact, the first use of force was the sniper massacre on Maidan, and we all know who did that. The Crimean peoples’ accession was pacific. Per Article 4 the Security Council has authority to stretch the definition to include peaceful irredentism of this sort, but they did not.

The command structure in Kiev was aggrieved, but its legal status as a successor state was not established and when it resorted to armed attacks against its civilian population it forfeited any claim to sovereignty. You’re right that Russia contained the threat to peace quite effectively with proportional countermeasures. So no grave consequences, rather the reverse, and no aggression.

If the US had a legal leg to stand on they would take it to the ICJ. They won’t. US bureaucrats know they would get chewed up and spit out by real jurists. Aggression’s just a big word for Kerry to say as he fecklessly shakes his fist.

Curious November 3, 2015 10:08 AM

In an article that doesn’t explain the details, there’s a local story about how a school pupil had gotten himself supposedly limited access to a web based SMS messaging service that his school was using via a Google search. And so every pupil received an SMS with a message about how the pupils had to take the day off, with the explanation of how the school was closed for the day after a break in. The 18 year old pupil claimed that it was a mistake that the SMS he sent ended up being sent to everybody. 🙂

In the Shadow of Ravens November 3, 2015 11:24 AM

@Slime Mold with Mustard

“imagine if every company realized the value of copying processes and procedures, not just IP, of their competitors”. You are a couple of centuries behind on this. Having actually practiced espionage on competing firms, we learned: “How the fuck do they stay in business? – Oh, it’s the bribes”. We have tons of dirt on them, but nobody wants to pull the trigger. We have a few skeletons in our own closet.

Dirty deeds done dirt cheap…

Yeah, corporate espionage has, of course, been around. Copying what others do is partly how we learn to do just about anything. Just noting that in the old days of spying you used a Minox and copiers, and today you just download the data and transfer it over the internet, or such things as bluetooth dead drop transfers — or whatever. Paper never had as much as what computers have, either.

Will the future be “Continuum” like, where corporations are the state? They certainly have tremendous pull today in democracies and non-democracies alike.

And, yeah, information technology espionage has been happening, but certainly this is just the tip of what will be a very big upside down pyramid, or a trickle from the little crack in the dam.

Bribery can be the deciding factor for some businesses, surely, but there are countless other factors when you scope out to include all businesses, everywhere.

Also: By any chance do you work near an opera? Your style seems very familiar to me.

No sir, not currently. One job I did a few years ago was not very far from one, about five, ten minute walk. But, information security is a small world in some branches.

@Chive Amicable

Wow. I think I understand some of what you said, though I don’t work in your field. It looks like the playing field got levelled a bit on the supplier side, which was traditionally monopolized by a select few nations and standards bodies. Still lots to be catched up by others, and when that does the field will likely be further dispersed as you depicted. I hope good folks like you are working hard to avoid us going down that road of information collapse. Thanks for sharing.

Yes sir, offense and defense are actually very tied up together in information security. When I say, “apocalypse”, however, I do not mean it in the doom and gloom sense of the word, as some can take it from movies with that word in the title. I just mean it as very intense revelations.

Like the Chinese curse of “living in interesting times”, or how “change is hard”… intense revelations very often have negatives and positives about them.

@Winds of the Bot

Life goes on after big data… if and when it happens big data will sprung back even stronger because information is ephemeral, all it takes is a new generator and new sets of logics. I’m not too worried about that.

Yes, of course. Though, see above on how I view that word “apocalypse”…

How we process food and drugs is uncannily like how we process words. It is core to our being. There are very powerful possibilities there.

That’s where the real money is, plz excuse the cliche. But mostly I think to funnel the fundings. Lots of money to be made there legit. But like most exotic cars, as ferrari’s are expensive to repair, it may brew a whole new set of apocalypse, which will be timely repaired of course.

Yeah. Look at the US government and how they spend their security budgets.

But, on the other hand, there needs to be accurate risk assessments performed in a way that gets down to the dollar, so companies, individuals, properly spend on security what they should according to their potential loss value. And then there is outright insurance, literal insurance.

Dirk Praet November 3, 2015 11:28 AM

@ OFI

If the US had a legal leg to stand on they would take it to the ICJ.

Doubtful. Ever since the ICJ ruled that the US’s covert war against Nicaragua was in violation of international law, they withdrew from compulsory jurisdiction in 1986. Bringing a case to a court where by definition you won’t take no for an answer makes one a gigantic hypocrite on the international stage. I’m also not sure if they would have any legal standing since – at least officially – they are not involved.

In an ideal world cases like this would indeed be settled before the ICJ, but as long as there are nations refusing to abide by its decisions or using their veto power in the Security Council to prevent them from being enforced, there’s little point.

@ Clive

She made a comment about Belgium being a nation divided by history and language, but united by the love of good beer.

Both the North (Flanders) and the South (Wallonia) have a common ethnicity, culture and history. The main problem is good-for-nothing politicos exploiting the linguistic divide for personal gain. Historically, Flanders was a poor, agricultural area and Wallonia a rich industrial region with a huge coal and steel industry. Although the majority of the population was (and still is) Flemish and Dutch speaking, the dominant language of the Brussels-based ruling class was French, used in business and administration throughout the country. For long, Flemings were treated as second-rate citizens and Flemish (a Dutch dialect) considered a peasant language nobody in his right mind would want to pick up.

All of that changed in the 2nd half of the previous century when Flanders developed a thriving economy of its own whereas the antiquated industry in the South went completely to the dogs, leaving an economic wasteland dominated by an Eastern Europe-like socialist party rife with corruption and abuse, unable to adapt to modern times or to attract investors.

As a result, and for the last decades, countless billions of euros in transfers have been steadily flowing from Flanders to Wallonia and Brussels, where at the same time the Brussels region has consistently been trying to expand itself further into Flanders, uprooting Flemish as the primary language. Which in its turn has given rise to nationalist Flemish parties demanding strict enforcement of language laws and more regional autonomy.

Although the current administration (fortunately) is primarily focussing on the economy, the ghost of the linguistic divide is always lurking around the corner, ready to completely paralyse the country at any given time. In my opinion, the only way to permanently get rid of the problem is by transforming the country into a Swiss-like federation with semi-autonomous regions that at the federal level only act as one for those matters multilaterally agreed upon. But which is the ultimate horror scenario for both Brussels and Walloon politicians as this would mean them becoming responsible and accountable for their budgets and deficits.

So yes, it’s kinda complicated.

Curious November 3, 2015 11:59 AM

“Nine Out of Ten of the Internet’s Top Websites Are Leaking Your Data”
http://motherboard.vice.com/read/9-out-of-10-of-the-internets-top-websites-are-leaking-your-data

“I always find it funny when old TV shows will have a gag where somebody on the screen can ‘see’ into your living room—it’s obviously silly with old technology, but that’s really how the web works! For every two eyes looking at a screen there are probably ten or more looking back at them.”

Being watched, presumably metaphorically and not literally. 🙂

It is claimed that Google is the biggest offender in not respecting do-not-track signals.

In the Shadow of Ravens November 3, 2015 1:44 PM

@Figureitout

Thanks, yeah you should rejoin them. Especially your area, some of the open source tools are best in the business, which is amazing and counterintuitive.

Thanks. I think I get burned out. When I started, I wasn’t doing this everyday, all day long, month after month. So, I like to watch tv or write fiction or philosophy or read when I am off work. My niche is very solid, so I always have a job. But, it is very true, I see lotsa stuff lacking out there and it pains me. I can help people and have fun while doing it (conference presentations and such are very fun, well, the parties after and socializing and such).

Some sketchball group won’t have lots of customers when they have some IP they stole but haven’t worked w/ it enough so they can’t troubleshoot at all.

Yes, very good point. I heard some horror stories, or very funny stories, about Russia’s old sci tech espionage… during the cold war.

Then there’s actually identifying the “IP”, all of us know there’s lots of tricks one can keep quiet and someone stealing something will have some weird bugs.

Another very good point… and one I am very much about. People mistake jewels for baubles and baubles for jewels so often. We all do.

So meh, I don’t like this future where we continue focusing on offense, won’t be anything left to attack w/.

Well, one thing I like about this industry is attack and defense are so closely tied up. So, those attack tools evolving? They help us immensely in defense. And they tend to be very expensive, so really you don’t get enormous abuse. They secure corporations applications, and those are the very same applications everyone else uses. Companies looking to secure their products is how and why these products get made and get improved.

Peter K November 3, 2015 8:08 PM

@ Clive Robinson, “The fact that the ToR developers have been well aware of the issues to do with traffic analysis since day one and have not done anything to deal with it, is one reason I steer well clear of it.”

What would you use or recommend using? I’ve read in the past that you and several posters on this blog commented on using a sort of combination of cellular phones and personal relay, like a trusted VPN or hosted by a good friend. The problem with phones is that obviously they travel thru the air; VPNs being a choke point; and friend being just that a friend. None of which satisfy the truly paranoid, which I’m not and am fine with using public relays thru my wifi. Of course, folks like yourself are subject to more curious pokings than others.

These cell devices all seem rather tiny to me, as my eyes couldn’t keep up with the fonts; over the years I’ve had to bump them up a few sizes, so I prefer using a computer.

Figureitout November 3, 2015 11:40 PM

Clive Robinson
counter is a very low entropy device
–The uncertain times an attacker (or me, or my nosey cat) approaches a radar is the entropy, in microseconds; not just the counter alone. Did you already know that? Unless I’m dealing w/ Neo from the Matrix, I’m not too concerned w/ someone physically timing that out. They still failed to be detected at that point, have to attack the radar first. I won’t just use a counter at set intervals. I haven’t implemented the crypto yet but can see taking a value on a detect, then switching the IV out.

So we’re back to EMSEC and powerline attacks, and “just” having to synchronize to a clock inside the chip is not so trivial; b/c so many people know how to do that right? And my response (not kidding, I need to see it happen first) would be shielding and buying up at least 10 ATmega328p’s (~$34, not cool) and flashing w/ same code and placing 5 each outside shield, just different crypto keys but it doesn’t matter since they won’t have an nRF connected to them and they’ll just have 5 different counters going, and I’ll add a little antenna on them too egging an attacker to get that worthless signal.

The main hole (besides being 2.4GHz, so yes interference w/ this severely overcrowded band is concern, as I want to “frequency hop” as well) I see right now is syncing via the RF, and having an easy recon point assuming enemy knows almost every detail, yes I’m opening up the entire project and using easily sourceable and popular chips. Up to 6 devices can be communicated w/ at once (apparently, I can’t test that now). That is the obvious way of syncing, not via the ATmega counter signal (though some do mention (non-specifically) power supply noise being a potential issue w/ ATmega, and I probably need to add a cap to the nRF). So I need to make sure they talk only to ID’s, even though that can still be copied from endpoint programming it. So make the ID an array too I suppose until it gets too ridiculous/laughable.

But I agree that just re-seeding counter is better than setting back to zero. Encrypting that seed is just shifting my crypto issue back though I think. I’ll probably just have to feed in a few huge arrays of some externally generated bits manually on a schedule which sucks. So many goddamn gotcha’s.

In the Shadow of Ravens
attack and defense are so closely tied up
–True I guess. I’m concerned most w/ endpoint sec. though. In that regard, defense should be able to secure a core like a BIOS that should be basically impossible to crack, or able to restore (not rootkitted and corrupted forever). Latest I’m hearing is Chromebooks w/ Chrome OS, I know at least a few of them can run coreboot too. I want one just for coreboot. Based off the couple minutes playing around at stores I didn’t really like the OS, would rather have a debian-flavor. Something like veracrypt on that as well, that’s not only nice, but here now in production and fairly cheap actually.

Clive Robinson November 4, 2015 12:54 AM

@ Peter K,

What would you use or recommend using?

I don’t make general recommendations, but give specific solutions to specific problems.

There are a couple of reasons for this. The first is I don’t and can’t know what the majority of people need (as opposed to want). Secondly the attack surface is evolving so fast it’s like watching water hard boil in a pot. This is because as soon as a solution becomes more obvious it gets attacked one way or another by those that have sufficient interest.

The first and hardest part is identifying if you are a specific target and to who / why.

The problem with not doing the assessment first is everyone is a target of opportunity at all levels, you only have to instrument up an ISP interface and connect a fresh store bought computer to see that. This gives rise to the issue that any non-professionally hardened computer has a high probability that it is going to get malware on it before the user has finished downloading the updates and patches online. The problem with most updates and patches is “they close the doors and windows, but don’t evict the squatters”. I won’t go into the details but a major problem is you can prove that it’s not possible for a single computer to determine if it’s infected with malware. And with manufacturers and suppliers having an interest in installing software you can not remove before you get the computer (Lenovo, and Carrier IQ being the most well-known of many, unless you consider MS Office, Productivity and AV software which I do). You can see that there is a fairly good chance you are “owned before you buy” or very shortly thereafter as you try to protect yourself. Oh and by “computer” I also mean smart phones etc.

So the sorry state of affairs is the chances are you’ve been tagged in some way, unless you assume the system you use is hostile from first powerup.

Don’t make the mistake of thinking that it’s only “National Agencies” tagging people, there are rather more criminals out there and on average they tend to be smarter than those working on the “Public Purse” / “Tax Take”. Just the type of machine you have purchased tells a lot about your potential as a target and why. Graduates on humanities courses tend not to have the latest and greatest high dollar kit, whereas those with money or valuable information do… It’s kind of like criminals breaking into homes based on what car is in the drive, or the size of the plasma TV they can see on in the front room as they walk by after dark.

Thus an obvious piece of advice is two computers, use the crappy old low spec one on line on the assumption it will be infested and never connect the good / work / sensitive computer on line ever.

Personally I never connect my PCs to the outside world, I use an older smart phone for that which only ever gets non work / financial / sensitive traffic on it (I don’t consider using this blog as anything other than shouting in a global public place, so I don’t put up stuff if it’s even very remotely sensitive). I don’t “live on line” and go out of my way not to do so, it’s a piece of advice many more people should think about quite a bit more before they press the on button the first time.

The problem then is how to get stuff on and off your good PC… Well my advice on this is usually in human readable text only form and preferably “Paper, paper NEVER data”, then encrypt it and then send that. It can seem like too much hard work, but you have to remember there are lots of people out there looking for you to make a mistake. But you can be assured now that “collect it all” really does mean what it says on the tin, the FiveEyes at the very least are building a “Global Way Back” machine which will keep every slip and mistake you ever make by phone or computer. They may never use it but it’s there nevertheless. Likewise there are criminals actively looking for even the tiniest crack into which to drive a wedge to get paydirt. But worst of all are the lawyers and “electronic discovery” they will go through every bit they can get and that very much means all of it. If you’ve ever had to go through it unprepared you will remember it in cold sweat most nights for the rest of your life. One person I helped described it in various ways the politest of which was “like an eternity of acrimonious divorces”.

So it’s a three step process: your nice machine produces text, an intermediate system encrypts, and the third crappy old low spec computer sends the encrypted files in an anonymous way. But remember all the links should be in human readable form.

Thus the weasel word “anonymous” appears and this is where things get both difficult and volatile. There are four anonymous stages to consider,

1, Anonymous connection.
2, Anonymous data transmitting.
3, Anonymous data routing.
4, Anonymous data receiving.

All are difficult at best currently because none of the technology we currently have was designed to do it.

Humans are creatures of habit, and have selfish tendencies as well as being relatively poor. All of which works against anonymous connection.

People talk about using free WiFi hot spots in cafes etc, but the reality is most are not independent of each other. That is they are parts of franchises or use a common service provider. So in the UK you have the examples of MuckyD’s, and well known coffee shops, they either route back across their own network back to a central point, or they get the likes of BT to provide the WiFi access. These give obvious choke points and potentially logging (now a requirement in the UK) thus it’s your end point you need to ensure is anonymous. That is you don’t use a commercial OS, you use the equivalent of a CDROM only OS that does not store anything and a WiFi device where you can change all the numbers that get logged.

Whilst you can effectively and with care get an anonymous connection, the next step is where the technology is going to let you down, thus care needs to be exercised. You need an anonymous mix network with multiple disparate IP addresses. Which unfortunately means the likes of ToR. You use this to send the encrypted files to an “anonymous drop box” of which there are a few. You then need to either go to another WiFi point and send the file location information to the recipient by an anonymous method, some of which I’ve discussed in the past, or use something like a pager service which you contact from a different geolocation, or you have a pre-arranged schedule, or even post a SnailMail letter…

As you can see there are ways, but they are very awkward if you want to remain well below the currently encroaching surveillance level.

The issue is that because the technology is deficient you have to go through hoops and loops to remain just a random log entry.

tyr November 4, 2015 1:21 AM

@ Clive, et al

Here’s an interesting idea for no physical moving part storage systems.

http://scitation.aip.org/content/aip/journal/apl/107/14/10.1063/1.4932057

Partially does away with the power consumption and heat buildup of racetrack memories.

One of these days something like this is going to do the next great breakthrough because there is a lot going on in the labs of the optonics and nanotech world.

I see the US state department has egg on its face again over the claim that russians are bombing Syrian hospitals. The Rus have a pretty good recon satellite in place and aren’t afraid to show the pictures to the press. The old game of making ugly accusations at random doesn’t work in an interconnected world that likes facts more than the usual spin.

I thought the rundown on Belgium was interesting but like the Ukraine discussions tended to focus on near history. Expanding the scope back to 1700 presents a much muddier picture of both places. I still like the Chinese proverb about the scholar overturning your empire with a stroke of his pen. Assuming this is the best of all possible worlds exposes government bureaucrats to endless mockery.

ianf November 4, 2015 3:25 AM

I read The Guardian, so you won’t have to. Today, a lightly commented version for a change, mostly of the you couldn’t make this up variety.

Former reviewer of anti-terror laws co-owns firm with ex-MI6 chief
Lord Carlile, who often defends work of intelligence services, has earned £400,000 from consultancy formed with Sir John Scarlett in 2012
So what else is new?

Google Translate error sees Spanish town advertise clitoris festival
Food festival organisers say they are ‘quite surprised’ to learn event in honour of Galician speciality grelo had been badly mistranslated.
Hey! don’t complain. Compared to some other body parts and/or effluvia, clitoris is quite palatable.

Theresa May calls for internet companies to store details of website visits
Home secretary tries to sweeten snooper’s charter by stating that police will need judicial approval to access internet connection records.
If this is sweetening, I wonder what seasoning, peppering and marinating would taste like.

#killallwhitemen row: charges dropped against student diversity officer
Police confirm Bahar Mustafa will no longer face charges of sending a threatening and grossly offensive message.
Ha! So #whitemen have dethroned #blackmen and #brownmen in the superfluous and/or dangerous gender category. Given that rape allegedly is equal to death, and were that a male ‘diversity officer’, what if the hashtag was #rapeallwhitewomen?

Oxford University criticised for accepting oligarch’s £75m donation
Institution should ‘stop selling its reputation to Putin’s associates’ and rethink cash from Len Blavatnik, critics say
I don’t have a problem with that. Oxford accepts the geld, then gives grants for immersive historical research of type “How multimillionaires’ fortunes are made in post-Soviet Russia,” complete with numbered bank accounts in Cyprus. I assume this to have been an unconditional, ‘no provisions attached’ donation.

US cinemas ban lightsabers at Star Wars: The Force Awakens screenings
Security concerns following shootings in Louisiana and Colorado prompt Cinemark and AMC to prohibit masks and fake weaponry
Right, everybody now, shift to the Vuvuzela ordnance. Voice our appreciation for the filmmakers. Cinemas can’t stop that.

Moscow library of Ukrainian literature raided by ‘anti-extremist’ police
Observers say facility was targeted, and its director charged with inciting ethnic hatred, as a result of current cross-border tensions
The police should have raided it with light sabers for added effect!

Lastly, and anything but flippantly:

Robin Williams’ widow: ‘It was not depression’ that killed him

    Practically every single article about suicide-in-the-news everywhere is followed by a footnote with numbers to some Prevention Hotline or other. Listen up ye dickheads: people who IN SILENCE are contemplating terminating their lives, as Robin Williams was, do not want to hear you trying to talk them out of it, so they continue to live in anguish as do the rest of us, until the Good Lord… fuck that.

    There are reasons they see no other option, it’s not a lightly-reached decision (existence of know-better-alecs like you may be one of these reasons). They want someone to give them the number to a doctor, who will prescribe them A Peaceful Pill, so they can die at ease, supine, in e.g. Hilton Hotel’s comfy bed (why foul up own nest for the survivors?). Instead of having to hang themselves in the attic, or, worse, making a basket case out of some hapless, random subway driver. Can you supply them that number—”You can not“? Then STFU.

Peter K November 4, 2015 3:34 AM

@ Clive Robinson, “Whilst you can effectively and with care get an anonymous connection, the next step is where the technology is going to let you down, thus care needs to be exercised. You need an anonymous mix network with multiple disparate IP addresses. Which unfortunately means the likes of ToR. You use this to send the encrypted files to an “anonymous drop box” of which there are a few.”

Thanks but TBH I don’t have any files to drop, so I will assume the latter part of your post does not apply to me, but perhaps someone else will find it useful, say Mr. Brennan. Most of the previous parts seem to be adequate for my desire to browse anonymously because I don’t want people looking at what I read online and I don’t find ToR particularly trusting so I usually boot it off TAILS. And as the phrase I most often hear whispered to me, “sorry but I gotta bigger fish to fry”. 😐

Dirk Praet November 4, 2015 5:53 AM

@ Clive

The fact that the ToR developers have been well aware of the issues to do with traffic analysis since day one and have not done anything to deal with it, is one reason I steer well clear of it.

I know you’ve elaborated on this issue on several occasions here, but I can’t seem to find them back in the archives. At the risk of pushing the envelope, could I possibly interest you in a joint effort to draft a technical document outlining both the problem(s) and suggesting solutions? I’d be more than happy to do all the work and engage with the Tor developers.

A former Sun Microsystems colleague of mine, the illustrious Alec Muffett, recently collaborated with Jake Appelbaum on RFC7686 to get .onion accepted as an official, special purpose TLD and they actually succeeded. With which I only want to illustrate that the (understaffed) Tor development crew really is open to comments and suggestions, especially when coming from people with certain credentials. I’m pretty sure Alec can vouch for me and that @Bruce would have no problem acknowledging to @ioerror your vast subject matter expertise.

No imposition whatsoever, of course, but the more CISAs and Snoopers Charters we get rammed down our throats, the more I believe it’s time for those amongst us that can make a difference to stand up and at least try to do so. If anyone else is interested, please feel free to chime in.

ianf November 4, 2015 7:07 AM

@ Dirk Praet

READ MY ASCII “first your people import Russian-Ukraïnian thugs to keep your Muslim immigrants subdued …
w.a.s a j.o.k.e, o.k?

stuffing myself with meat, eggs and fish all day long when cross-fitting 5 times a week.

What’s wrong with Permanent Sofa Residence, on; flipping the channels of one’s wall-covering TV, on/off? Lots of exercise, not to mention constant need to grapple with mental quandaries over which buttons do what. Man, I could write a book if I could be bothered.

The common people – especially in Flanders – did not benefit in any way from this [1830] revolution and many Flemish nationalists to date consider Belgium a historical mistake.

No ordinary people ever gained much from any revolution, although they may have felt to finally be a part of something bigger, nobler, world-changing-for-the-better at the time. Hence the shift among the cognoscenti towards gradual (in conservatives’ eyes always instant) evolutionary paths of development. Of course, that is never as sexy and purificatory cathartic as violent upheavals. Hence the known problem of revolutionary movements either fizzling out (“Arab Spring” in Egypt), or degenerating into a terror of their own (The French Revolution; October 1917 Lenin’s workers’ takeover of February’s bourgeois Kerensky dethroning the Tsar; practically all the others). Perhaps the best any social revolution can hope for is coming to represent the haves-not in permanent opposition to the government-haves in its domain, the long wished-for one that somehow can never live up to its promises, fulfill its demands (e.g. “Solidarity” in Poland, etc).

[…] So yes, it’s kinda complicated

Tell me what isn’t RHETORICAL Q.

Winds of a Bot November 4, 2015 8:06 AM

@ In the Shadow of Ravens

“A point I would stress here for readers is that the unbelievable does happen, and there are matters which go on which you would not believe even if told.”

“Anyone can ascertain examples ‘like this’, just considering what can be seen, such as elite groups of scientists, or even more seemingly mundane, elite groupings of the super wealthy.”

Some folks just have the nose for those types of things. It doesn’t mean they are smart or uncannily skilled. It’s just that things tend to happen on the same wavelength or some men just live lives with extraordinary encounters. It may be flat wrong or lunacy, nobody knows except the parties who collide, after which it all ephemerally vanishes.

It’s the crossing paths of strangers who just so happened to make eye contact. Some folks knew, some don’t. I feel this is pretty much like the security of things, though I don’t work there. As time approaches an end, what gets left behind is a legacy by pen of historians. Vulnerabilities are like flashes in the pen, once patched its ephemeral existence is set on a count down to de-exist. A hundred years pass, no one will remember. It’s like a secret book of history, only borne witness to by those who experience it, and those will slowly pass away too. So let’s all have a little moment to salute the history of our time. Because though vulnerabilities will continue to exist, they will make no mark in the history of men.

Clive Robinson November 4, 2015 8:54 AM

@ Dirk Praet,

At the risk of pushing the envelope, could I possibly interest you in a joint effort to draft a technical document outlining both the problem(s) and suggesting solutions?

The basic antitraffic analysis steps to start with are fairly well known.

1, Get rid of the user gateways.
2, Use fixed rate signaling.
3, Use padding on all traffic.

That is the users computer actually becomes part of the network and has two or more fixed rate fixed bandwidth channels to two or more other network nodes. The TX&RX sub channels likewise have fixed rates that are the equivalent of each other. An easy way to do this is to set up the equivalent of a tiny token ring which is padded with null data before encryption when a real data packet does not need to be sent.

In effect the users traffic becomes hidden, but is still susceptible to some traffic analysis…

Thus in addition,

4, Modulate data latency through nodes.

Have a think on that to start with.
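As an added illustration of steps 2 to 4 above (my own example, not Clive’s design or any Tor code), here is a small simulation of a padded, fixed-rate link with one latency-modulating relay: the cell layout, the two hop keys and the HMAC-based keystream standing in for a real stream cipher are all constructed for the demo, and an observer on either link records only frame sizes per tick.

```python
"""Simulation of a fixed-rate, padded, latency-modulated link (constructed example)."""
import hashlib
import hmac
import random
from collections import deque

# Cell layout (constructed for this example): type byte, length byte, CELL_PAYLOAD
# payload bytes. Every frame on the wire is exactly CELL_LEN bytes, whatever it carries.
CELL_PAYLOAD = 30
CELL_LEN = 2 + CELL_PAYLOAD
NULL, DATA, END = 0, 1, 2          # END marks the last cell of a message


def keystream(key, counter, n):
    """Illustrative keystream: HMAC-SHA256 in counter mode. It stands in for a real
    stream cipher only so that the example runs on the standard library alone."""
    out, block = b"", 0
    while len(out) < n:
        msg = counter.to_bytes(8, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:n]


def seal(key, counter, cell):
    """XOR a cell with the keystream for this frame counter (the same call decrypts)."""
    return bytes(a ^ b for a, b in zip(cell, keystream(key, counter, len(cell))))


def make_cell(kind, payload=b""):
    """Pad the payload to a full cell *before* encryption (step 3), so a null cell
    and a data cell are indistinguishable on the wire."""
    assert len(payload) <= CELL_PAYLOAD
    return bytes([kind, len(payload)]) + payload.ljust(CELL_PAYLOAD, b"\0")


class Sender:
    """Emits exactly one frame per tick, a null cell when idle (step 2)."""
    def __init__(self, key):
        self.key, self.counter, self.queue = key, 0, deque()

    def send(self, message):
        chunks = [message[i:i + CELL_PAYLOAD]
                  for i in range(0, len(message), CELL_PAYLOAD)] or [b""]
        for i, chunk in enumerate(chunks):
            self.queue.append(make_cell(END if i == len(chunks) - 1 else DATA, chunk))

    def tick(self):
        cell = self.queue.popleft() if self.queue else make_cell(NULL)
        frame = seal(self.key, self.counter, cell)
        self.counter += 1
        return frame


class Relay:
    """Holds each real cell for a random number of ticks before forwarding it in
    order, yet still puts exactly one frame on the outgoing link every tick (step 4)."""
    def __init__(self, key_in, key_out, max_delay, rng):
        self.key_in, self.key_out, self.max_delay, self.rng = key_in, key_out, max_delay, rng
        self.ctr_in = self.ctr_out = 0
        self.pending = deque()           # FIFO of (release_tick, cell)

    def tick(self, t, frame_in):
        cell = seal(self.key_in, self.ctr_in, frame_in)
        self.ctr_in += 1
        if cell[0] != NULL:
            self.pending.append((t + self.rng.randint(0, self.max_delay), cell))
        if self.pending and self.pending[0][0] <= t:
            out = self.pending.popleft()[1]
        else:
            out = make_cell(NULL)          # nothing ready: pad with a null cell
        frame = seal(self.key_out, self.ctr_out, out)
        self.ctr_out += 1
        return frame


class Receiver:
    """Strips null cells and reassembles messages from DATA/END cells."""
    def __init__(self, key):
        self.key, self.counter, self.buf, self.messages = key, 0, b"", []

    def tick(self, frame):
        cell = seal(self.key, self.counter, frame)
        self.counter += 1
        kind, n = cell[0], cell[1]
        if kind == NULL:
            return
        self.buf += cell[2:2 + n]
        if kind == END:
            self.messages.append(self.buf)
            self.buf = b""


def run(schedule, ticks, max_delay=3, seed=7):
    """Drive sender -> relay -> receiver. `schedule` is a list of (tick, message).
    Returns the frame sizes an observer sees on each link, and the delivered messages."""
    rng = random.Random(seed)
    k1, k2 = b"hop-1 demo key", b"hop-2 demo key"   # constructed keys
    s, r, d = Sender(k1), Relay(k1, k2, max_delay, rng), Receiver(k2)
    link1, link2 = [], []
    for t in range(ticks):
        for when, m in schedule:
            if when == t:
                s.send(m)
        f1 = s.tick()
        link1.append(len(f1))
        f2 = r.tick(t, f1)
        link2.append(len(f2))
        d.tick(f2)
    return link1, link2, d.messages


if __name__ == "__main__":
    busy = [(0, b"meet at noon"), (5, b"A" * 70), (9, b"")]
    l1, l2, got = run(busy, 40)
    print("frames per link:", len(l1), len(l2), "distinct sizes:", set(l1) | set(l2))
    print("delivered:", got)
    print("idle link looks identical:", run([], 40)[:2] == (l1, l2))
```

The observer's record is the same for a busy schedule and an empty one, which is the point of steps 2 and 3; the relay's random hold time is what breaks the tick-for-tick correlation between the two links that step 4 targets.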

Dirk Praet November 4, 2015 9:24 AM

@ ianf

What’s wrong with Permanent Sofa Residence, on; flipping the channels of one’s wall-covering TV, on/off?

Been there, done that, developed a belly, got utterly bored with it. And being physically fit works wonders for the mind too.

In the Shadow of Ravens November 4, 2015 11:32 AM

@Figureitout

I have not worked with dissidents in true totalitarian systems for awhile, but when I did, there were certain technical measures I would research. For them, it is also, however, very much about whom they talk to, what they say, what they write, wherever they are.

Like with criminals, and how they get caught, it is usually because of socialization, talking, trusting, and lack of planning.

Your worst enemy is your own self.

I can not recommend “the best OS” or system to use. I will point out that Android systems have a significant chokepoint in that the username and password system, the authentication and authorization system is so global and key to the entire system’s security. It is tied to remote, and it is also tied to their domains, their websites.

So one could literally find a “mere” XSS bug on a far flung google site which google forgot about, for instance, and use that to automatically compromise any android system remotely from merely viewing a webpage, and in some cases, merely viewing an email. Or SMS or other.

Even worse, because of how the Google system operates, a remote user can command via a website uploads to your android system by default.

This does not mean I believe their security is horrible, by any means. But, just noting, don’t think anything is secure. Especially when mainstream has a good value judgment of it — wide is the road to destruction, and it is the road most travel on. To find the best security, you have to go off into the wilderness and find a road less traveled.

In the Shadow of Ravens November 4, 2015 12:05 PM

@Winds of a Bot

Some folks just have the nose for those types of things. It doesn’t mean they are smart or uncannily skilled. It’s just that things tend to happen on the same wavelength or some men just live lives with extraordinary encounters. It may be flat wrong or lunacy, nobody knows except the parties who collide, after which it all ephemerally vanishes.

It’s the crossing paths of strangers who just so happened to make eye contact. Some folks knew, some don’t. I feel this is pretty much like the security of things, though I don’t work there. As time approaches an end, what gets left behind is a legacy by pen of historians. Vulnerabilities are like flashes in the pen, once patched its ephemeral existence is set on a count down to de-exist. A hundred years pass, no one will remember. It’s like a secret book of history, only borne witness to by those who experience it, and those will slowly pass away too. So let’s all have a little moment to salute the history of our time. Because though vulnerabilities will continue to exist, they will make no mark in the history of men.

What I personally most like about this field is it allows me to speak about human nature in a metaphoric way. We are autobiographical in our products, and with computer systems we have created systems that well mirror our own internal constructs in ways that exceed even our own modern understanding.

The real vulnerabilities in people can very well mirror non-social engineering vulnerabilities, but in reality, they are all effectively social engineering types of vulnerabilities. Because this is how we take in and receive information. Some information can be extremely damaging.

So, for instance, compromising a system and getting root or system level control over a system with an undetectable rootkit… can be compared to someone falling into drug usage from a peer, or falling into a cult, or a cult like religious, political, or other belief system. Or falling into a very compliant, submissive relationship with a dominant.

People can come to believe things that literally affect their health with nocebo like effects, the negative effects of placebos. They can come to believe things which are not true that affect their relationships in ways other than coming under control of someone else… such as getting into habits that are dangerous and self-destructive for them.

Even on the normal scale, they can underperform, finding themselves stuck in self-destructive habits, relationships, and bad careers. Or they can excel and have great relationships, great career, and freedom from self-destructive habits and other behaviors. All is tied to what a person believes and what a person believes is all tied to the information in their heart they put confidence in.

With computer systems the information that computer systems “puts confidence in” is the informational instructions that are executed. Computer systems execute long strands of binary information one instruction at a time, with specific user privilege levels… from low to high privilege levels… not at all unlike how our bodies process food and drugs, and not at all unlike how we psychologically and emotionally process information.

This is a very rare time in the world. It is the eve of a new and great season. We want to see much positive change happen, and we certainly are right there, at that door. We can wish to rush things, but we should savor this moment.

to the tune of Jesus Jones, ‘Right Here, Right Now’ 🙂

https://www.youtube.com/watch?v=lwpjsToHzAE

and, rem this is the end of the world as we know it and i feel fine

https://www.youtube.com/watch?v=Z0GFRcFm-aY

In the Shadow of Ravens November 4, 2015 12:42 PM

@Alan S

Regarding revelations on Britain’s dragnet surveillance system

It is a slippery slope towards totalitarianism they are taking there, in many ways certainly exceeding even some of the direction the US is going.

I think all too often people in democratic governments get too nationalistic, and do not regard the substance or spirit of what side they are on and what they should be patriotic about. Instead, they get locked into significant bias and repeat the trends we see in inarguably totalitarian countries today and in the past.

Freedom is a new thing for nations. Nations are like crack addicts off it, and just recently. Two hundred some odd years ago is certainly most recently, though much can be said of earlier advances like the printing press, the reformation, the magna carta.

Another article I read recently:
Nazi nightmares make Germans fearful of ‘doing an Edward Snowden’
http://www.ibtimes.co.uk/nazi-nightmares-make-germans-fearful-doing-edward-snowden-1477481

tyr November 4, 2015 3:48 PM

I’d think that by now the Germans can relax since the few Nazis still alive are in the olde folkes homes. I can see why they didn’t want any whistleblowers in the aftermath since those cheering crowds suddenly started singing the I Vas not a Nazi Polka.

Nobody wants to look at PAPERCLIP in USA either for similar reasons. It is still a major embarrassment to the world. Even the UN has lost its legitimacy by snuggling up to Pol Pot and revamping its language on genocide. Hypocrisy seems to be the current noblest virtue of the ruling classes, but I’m sure it isn’t called anything so baldly apparent by post modernes. It might make someone feel bad about themselves.

In the Shadow of Ravens November 4, 2015 4:36 PM

posted this first one in the doxxing thread after this, but repeating here:

Doxxing & Ransomware Extortion Now a Thing

They even used the same pic I use on the subject (the Monty Python “Blackmail” skit of old)…

http://www.theregister.co.uk/2015/11/04/chimera_ransomware_publish_online/

And, some other good articles from the most excellent Register security section on the recent British laws…

http://www.theregister.co.uk/2015/11/04/gchq_smart_collection_nsa_man_bill_binney/
http://www.theregister.co.uk/2015/11/04/ukgov_request_filter_in_snooping_bill/
http://www.theregister.co.uk/2015/11/04/investigatory_powers_bill/

@tyr

I am surprised by that, my own self. Though Germany has had a significant rash of problems with Neo-Nazis in ensuing years.

I have yet to pick up the recent, excellent looking book on paperclip, have to remember to do that soon.

Really, this sort of whistleblowing is nothing like what was happening in old Nazi or Communist regimes, sad to see that has cast a pallor on things.

Especially considering that the dragnet style eavesdropping/wiretapping exactly is the sort of activity one sees from totalitarian systems.

Coconut November 4, 2015 7:16 PM

@ ianf
“Hence the known problem of revolutionary movements either fizzling out (“Arab Spring” in Egypt)”

We’ve seen the same go the way of Occupy Wherever.

Ordinary people have jobs and families; they cannot occupy a public venue for prolong’d periods of time unless properly coordinated in rotations. Tough task to reach. Eventually, they figured peaceful demonstrations accomplish not a thing, so they either went home or turned to violence as we saw in Ferguson.

Revolutionary movements is a broader umbrella term that covers more than public gatherings. There’s a grassroots aspect and deep coordination, as seen in the puppet shows of the past. There’s the string and those pulling the strings. The years after, resulting in going the way of the French, speak for themselves.

@ Ravens
“posted this first one in the doxxing thread after this, but repeating here:”

Counter intelligence is a subject like birds of a same feather to me. The things we really care about are the end results, not the intermediate loop arounds. Hence, the other dude’s saying left no marks in history of wo/men.

In the Shadow of a Murder of Ravens November 5, 2015 12:26 AM

@Coconut

Counter intelligence is a subject like birds of a same feather to me. The things we really care about are the end results, not the intermediate loop arounds. Hence, the other dude’s saying left no marks in history of wo/men.

It attracts certain types with the promise of power.

The prospect of controlling nations for the super smart is a hefty aroma.

ianf November 5, 2015 1:14 AM

In The Guardian’s newsletter of Thursday, 5 November 2015

SURVEILLANCE | Comment is free
The surveillance bill is as big a threat to state security as to individual liberty
Simon Jenkins: Nothing digital is secure, so the massive proposed extension of state powers in the ‘snooper’s charter’ could backfire [1m video of Theresa May in Parliament]
http://www.theguardian.com/commentisfree/2015/nov/04/surveillance-bill-state-security-snoopers-charter

George Bush Sr says ‘iron-ass’ Cheney and ‘arrogant’ Rumsfeld damaged America
Former president claims their reaction to 9/11 attacks were too hawkish, used excessive force and damaged his son, according to biography
http://www.theguardian.com/us-news/2015/nov/05/george-bush-senior-iron-ass-cheney-arrogant-rumsfeld-damaged-america

    One-time US President George HW Bush calls his two-time US President-son George W. Bush incompetent, though he does it by proxy name-calling, forgets that the LawyerSlayer Cheney originally was in his cabinet.

SURVEILLANCE bill triggers alarm over sweeping powers for spies
Theresa May makes dramatic admission that ministers have directed firms to hand over communications data of UK citizens on day that redrafted bill is unveiled
http://www.theguardian.com/world/2015/nov/04/broad-support-gives-way-to-alarm-over-mays-surveillance-bill

    Somebody please gift this woman a copy of George Orwell’s “1984,” LARGE PRINT edition.

ENERGY: Why your phone battery is rubbish
It’s technology’s biggest puzzle: although smartphones, laptops and even electric cars get lighter, cheaper and double in power every few years, they still die when you most need them. How close are we to perfecting a ‘super battery’ that charges at lightning speeds and lasts for days?
http://www.theguardian.com/technology/2015/nov/04/why-your-phone-battery-is-rubbish

    I don’t know how to put it, but my iPhone 4 battery isn’t rubbish, after 4.5 years use still holds 4-5 hours worth of electronic juice.

LONDON PROPERTY: People camp out overnight for chance to buy affordable London flat
Day-long queue on streets of west London to put down deposit on flats which won’t be ready until 2017
http://www.theguardian.com/money/2015/nov/05/homebuyers-camp-out-overnight-for-chance-to-buy-affordable-flat

    [a development in Hounslow, west London where prices start at £199,000 for a 301ft² studio flat (~28m² or 5×5.6m size for £7107/ m²) or £355,000 for a one-bedroom apartment.]

Arnold November 5, 2015 4:25 AM

@ ianf “George Bush Sr says ‘iron-ass’ Cheney and ‘arrogant’ Rumsfeld damaged America”

Too little too late. Donald Trump had hijacked their caucus by posing the compromise.

ianf November 5, 2015 6:31 AM

Hey, @ Arnold don’t count out The Donald… he may yet become your next Prez, your next C-in-C, your… everything. Stranger things have happened. Here’s a scenario I penned in another context:

“[…] DIGRESSION: time for a thought experiment. Let’s say The Donald wins the nomination, then the election, becomes the POTUS. One of his campaign promises is curbing (if not outright deportation of) the Mexican “influx.” The newly-victorious, full of oomph! Donald starts to implement his promises, first voluntary whole family resettlement south of the border (travel and permanent exit bonuses paid by the taxpayers like you); then ever harsher methods (rounding up of Mex-looking people on the streets, etc).

    There is a ready-made scenario for that outlined in the now-unclassified document “The Plot Against America” penned by one Philip Roth… [just “s/Jews/Mexicans/g” it]. I assume The Donald will first be impressed with its sales figures, far bigger than his own “Things The Donald’s Father Never Told Me,” then have it summarized into a Talking Bullets Powerpoint.

Assume The Presidential Donald manages to empty the USA of that superfluous, welfare-parasitary work force to bring the overall costs down… you think it would make your, and people in your elevated social class’, life easier? Because the tax burden would become smaller? You answer that to ‘self. End of thought experiment. ”

Curious November 5, 2015 7:22 AM

To add to what I wrote:
I mean I’ve always assumed that there had been an https connection when being logged into amazon, but I guess I am surprised to see that there is no secure connection for when being logged in and browsing for stuff on Amazon. Maybe it is just used for payment.

Arnold November 5, 2015 7:38 AM

@ ianf

You pointed out the key weakness in Donald Trump’s presidential bid. You can’t win without the latino vote. He’s gonna have to do better to filter Mexicans from latinos or he’s not going to beat Hillary Clinton. However, the votes may be closer than you expect.

ianf November 5, 2015 11:39 AM

@ Arnold, the first time I became aware of The Donald was when the SPY Magazine called him “the short-fingered vulgarian” in early 90s. So that’s what he’s still to me. He knows I know it and I know he knows that he can not win, that’s why he now can be such a “fresh wind” in the debate. But, as I said, stranger things have happened in American politics, and in the mean time I am grateful for his wrecking the sordid 2-party system and corrupt election process to pieces.

In the end, after the coming Hillary intermission, THERE WILL BE SOMEONE to pick things up… I have an inkling, a tiny-tingly wrinkle in the force field, that the future US Redeemer is already in his teens, and undergoing rigorous leadership training under guidance of Mr. Yoda on Tatooine.

ianf November 5, 2015 5:27 PM

@ Dirk Praet “being physically fit works wonders for the mind too.”

I do not question your lifestyle choices, merely wonder how you can combine vigorous everyday crossfit training (3 hours?) with protein-granular food supplements replacing traditional nutrition from fish, meat and veg. Isn’t it rather tedious to be eating such every day?

I don’t do meat, but eat fish, fowl and eggs for the proteins apparently needed for the eyesight—my main I/O interface. I should be keeping away from sugar carbs, but decided on balance that I get grumpy without chocolate nearby, so I don’t fight the munchies anymore. I find that if I know I can still them, I don’t feel them as much as before (elementary psychology?)

Exercise for fitness’ sake doesn’t do it for me any more… I gave up cycling largely because it felt so mindless, no intellectual challenge whatsoever (and I wouldn’t be cycling while listening to audiobooks etc due to traffic safety awareness anyway). And then there is always the question: suppose I managed to regain my idealized 25-year old’s figure. Then what, preen myself in front of not-uninterested ready-to-be-wooed females? Been there done that already. So my current strategy is maintenance of present health status balance at a glance—rhyme accidental.

Lots of people who are both younger and fitter than me keep dropping dead, and I suspect that the constant stress of achievement in their lives has something to do with it. So maybe my physical sofa-coasting in tandem with constant intellectual “prospecting” is just as good a recipe for managed longevity as your fighting the natural body decay? (no offense intended).

Dirk Praet November 5, 2015 9:16 PM

@ ianf

I … merely wonder how you can combine vigorous everyday crossfit training (3 hours?) with protein-granular food supplements replacing traditional nutrition from fish, meat and veg. Isn’t it rather tedious to be eating such every day?

Crossfit is a combination of intense cardio-vascular exercise (running, rope skipping, burpees, boxjumps etc.), traditional strength training and heavy lifting. You really can’t do that 5 days a week for three hours straight, more like between 60 and 90 minutes per session. The food supplements I do are basically protein shakes which supplement but not replace a healthy and nutritious diet. I eat well, but simply don’t have the time to eat six times a day, so I go for 3 meals plus protein shakes.

I took it up with a friend of mine about three years ago because I was getting a bit chubby and after a while got totally addicted to it, not so much to get that perfect beach body but because it clears the mind and produces all these funny chemicals that make you feel good. But I admit that the collateral effects of being checked out by women half my age or being mistaken for a bouncer at clubs is kinda pleasant, not to mention the fact that I sometimes get hired by friends to keep an eye on their offspring when they’re throwing parties at the local pub. Meaning everybody – except unwelcome guests – can feel safe and I get to drink Jack Daniel’s for free all night long.

Nick P November 6, 2015 4:37 AM

@ Dirk Praet

Funny you mention one of the highlights of the Mid-South: we were just discussing that part of the treaty recently. Glad not everyone in Europe hates on our whiskey. 😉

Dirk Praet November 6, 2015 5:09 AM

@ Nick P

Glad not everyone in Europe hates on our whiskey.

However much I appreciate fine Irish and Scottish single malt, Jack is what I drink on a night out. Has been for the past decades and unlikely to ever change.

In the Shadow of Ravens November 6, 2015 9:07 AM

A coupla good articles on the British surveillance actions:

British Government Will Unsuccessfully Ban End to End Encryption
http://boingboing.net/2015/11/05/british-government-will-unsuc.html

Seven Major Takeaways from the UK Surveillance Rules
https://theintercept.com/2015/11/05/seven-major-takeaways-from-the-u-k-s-proposed-surveillance-rules/

Does the UK Government Know What a VPN Is
https://thestack.com/security/2015/11/04/draft-investigatory-powers-bill-vpn-theresa-may/

A few of my own takeaways: they seem very interested in targeting their own journalists. I take it no small part of that is because they want to seem tough to the United States, as they lost a lot of face that way in the wake of Snowden, being the home of Glenn Greenwald. They have also lost a lot of face because of other exposures by journalists.

This is normal, of course, to observers of totalitarian powers. Journalists are very often who they hit at first. And against journalists are who they reserve their strongest rage for. The problem here, though, of course, is Britain is supposed to be a democracy, a “free” nation, with rights for freedom of press, speech, and belief. Isn’t it?

There is also hitting at the power for intelligence to snoop upon politicians. Historically, surveillance aggressive domestic intelligence powers are very strong on surveilling foremost their own politicians and enacting blackmail and other forms of control operations against them. This is the cheapest route to increased funding and resources. And the fastest — it ensures the job gets done.

Finally, there are extensive domestic controls in place, which reminds totalitarian watchers of any other totalitarian regime. The government sees itself as the moral leader watching after the shameful, ignorant puppies of the people who always have their tendency to go to porn sites. They need the superior moral understandings of the superiors in government to protect them from their own sinful desires.

The reality, of course, is that this is simply to curtail what they see and hear. Where moral failings are found most of all in populace tends to be in their governmental leaders. From Saudi to China regimes, from North Korea… and now to Britain (?!).. people are smarter than that. Usually.

Likewise, these surveillance proposals do not adequately even do the job. They are technically unrealistic, as if written by a child. One very solid and strong solution for anyone in Great Britain to evade the prying eyes of their authorities is public VPN solutions.

Good VPN choice links for our British friends:
https://torrentfreak.com/anonymous-vpn-service-provider-review-2015-150228/
http://mobile.pcmag.com/security/36650-the-best-vpn-services-for-2015?origref=

Hopefully, the Brits will wake up and see ‘this is what Stalin wanted for you’, ‘this is what Hitler wanted for you’. Sometimes when people get into fights, they end up with some who come to admire their attackers. A sort of Stockholm syndrome. In the US and Britain, for instance, we have seen Neo-Nazis arising, after the WWII where so many of our countryfolk bled and gave their lives to defeat the Axis powers. Of course, many of those children today supporting fascism and communist sort of measures were actually from those regimes… their parents or ancestors were quiet supporters… or this is simply their way of rebelling against their forefathers.

Figureitout November 6, 2015 11:44 PM

In the Shadow of Ravens
–I’m not going to touch the “cloak-n-dagger” stuff much anymore. Had my fill. Don’t have time for it anymore. One can kill anyone from behind at any time, reality. Just letting you know, feel free to chat w/ others about it.

On android stuff, a smartphone has to be assumed mostly compromised (what a mind trip to think, we’ve crossed a boundary of ever having secure PC’s again, if they ever connect online) and just used as a social tool. Does NoScript block the XSS attack? I keep older phones to use as “wifi-phones” incase I start a little security venture and setup the secure remote comms (only business I see myself starting, very small, tops 5 people, self-starters, etc.).

Don’t hear a lot about google hacking (their systems, internal ones), weird the evil corp supports much more open stuff (android, chromebooks w/ coreboot, chromium, summer of code, etc.). Wonder what it would be like if Apple opened up more of its building procedures and code, especially iOS.

Dirk Praet
–Just saying would love to see continued improvements on Tor if they can be made (and if you’re up for the project, maybe after a few bench presses, jack daniels, and BJ’s from the neighborhood milfs lol :p). I recall lots of complaints about speed and now Tor is pretty fast so…there needs to be more complaints about traffic analysis I guess (in other words, more true anonymity). Crypto is good enough for a few years I believe.

Dirk Praet November 7, 2015 4:00 PM

@ Figureitout

I recall lots of complaints about speed and now Tor is pretty fast so…there needs to be more complaints about traffic analysis I guess (in other words, more true anonymity).

I’ve been reading up a bit on Tor traffic analysis papers and related comments on the Tor blog. While downplaying the feasibility of some of the attacks described, it would seem the Tor people are well-aware of a number of problems and potential remedies/mitigations. Most of which, however, would apparently imply a dramatic increase in bandwidth usage and a significant slowdown of the network. So as usual, it boils down to keeping a precarious balance between security and usability. From what I can make of it, Tor would require a significant uptake in users and relay nodes for the desired modifications to be implemented without slowing the network down to a crawl.

Clive Robinson November 7, 2015 6:26 PM

@ Dirk Praet,

I’ve been reading up a bit on Tor traffic analysis papers and related comments on the Tor blog.

I hope you have not indulged too much in the mathematical papers, they can cause pains in and behind the temples…

The reality is “Rome was not built in a day” and ToR is migrating away from cave dwelling to mud huts, whilst we want skyscrapers.

The big problem is fundamentally the design of ToR was wrong in that it was aimed at minimal covert traffic not overt main stream traffic. That is “low observability” client traffic, as opposed to what we now know which is “every point is watched via choke points”, so covert is not realistically possible.

The design thus needs to change from covert to overt usage, and user end clients need to be part of the anonymous traffic carrying system. This is so the users packets are mixed in with other users in transit packets in a way that makes an observers job very difficult to differentiate the packets and perform either time based or packet length based correlation side channel attacks (and yes I know there are other attack methods, but one layer at a time).

From my point of view what is needed is to build a fixed rate token passing network ontop of encrypted fixed packet length TCP. The topology being point to point token ring links and store and forward nodes, where all nodes can be originating (requesting client), switching (store/forwarding) or terminating (responding server). Further there needs to be a way that nodes can enter or leave at will and also perform rate / bandwidth changing over relatively short time intervals (say short ramp up long ramp down). Which has implications for routing behaviours, which also has security implications.

That is on any given point to point link the observable traffic out matches the observable traffic in. The node has also to store and forward so that the sum of the link traffic into nodes is approximately balanced in any given time frame to avoid higher layer attacks. Obviously this causes certain problems amongst which are loss of efficiency and increase in bandwidth and/or latency. However this can be offset to a degree by prioritizing traffic (which is currently considered to be an Internet “No No”). That is the likes of video/voice are higher priority than “chat” type interactive text messaging, which in turn is higher priority than mainly static web browsing, which is higher than file transfer etc with non interactive text messaging and Email being towards the bottom of the priority list. This provides a best fit traffic shaping model.

Whilst there is a lot more to it, laying the foundations for the lowest layer and working up is an obvious way to go.
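An added toy model of the two things discussed above: the time/length correlation attack Dirk mentions from the Tor papers, and the fixed-rate, fixed-length, store-and-forward link Clive sketches as the lowest layer of a remedy. This is illustration code written for this page, not Clive’s design, not Tor code, and not a measurement of the real network. It assumes a 512-byte cell, one cell per time slot, a discrete slot clock, and constructed bursty flows; the “attacker” is a Pearson correlation between an entry-side tap and an exit-side tap, swept over unknown link delays.

```python
import random

CELL = 512   # fixed on-wire packet length in bytes (assumption for this model)
RATE = 1     # cells emitted per time slot on a fixed-rate link (assumption)


def bursty_flow(rng, slots, burst_prob=0.15):
    """Bytes an application hands to the network per time slot: mostly idle,
    with occasional bursts of varying size. Constructed sample input."""
    return [rng.randint(1, 4 * CELL) if rng.random() < burst_prob else 0
            for _ in range(slots)]


def tap_unpadded(flow, delay):
    """What a tap downstream sees when packets are forwarded as-is, shifted by a
    link delay measured in slots. Both packet sizes and timing survive the hop."""
    return [0] * delay + flow[: len(flow) - delay]


def tap_fixed_rate(flow):
    """What the same tap sees behind a fixed-rate, fixed-length link: exactly RATE
    cells of CELL bytes leave every slot, drawn from a store-and-forward queue and
    padded with dummy cells when the queue is empty. Returns
    (observed bytes per slot, maximum queue depth in bytes)."""
    queue, max_queue, seen = 0, 0, []
    for bytes_in in flow:
        queue += bytes_in
        max_queue = max(max_queue, queue)      # latency cost of shaping
        queue -= min(queue, RATE * CELL)       # real bytes that fit this slot
        seen.append(RATE * CELL)               # observer sees the same count regardless
    return seen, max_queue


def pearson(xs, ys):
    """Pearson correlation; 0.0 when either series has no variance, which is
    exactly what a constant-rate link hands the observer."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        return 0.0
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return sxy / (sxx * syy) ** 0.5


def best_lag_correlation(entry, exit_seen, max_lag):
    """The attacker does not know the link delay, so slide the exit observation
    against the entry observation and keep the strongest correlation."""
    best = 0.0
    for lag in range(max_lag + 1):
        best = max(best, pearson(entry[: len(entry) - lag], exit_seen[lag:]))
    return best


def match_flow(entry_flows, exit_seen, max_lag=10):
    """Attacker at an exit chokepoint: which entry-side flow does this exit
    traffic belong to? Returns (index of best match, its correlation score)."""
    scores = [best_lag_correlation(f, exit_seen, max_lag) for f in entry_flows]
    idx = max(range(len(scores)), key=scores.__getitem__)
    return idx, scores[idx]


def demo(seed=7, users=5, slots=400, target=2, delay=3):
    """Run the attack once against an unpadded hop and once against a fixed-rate hop."""
    rng = random.Random(seed)
    flows = [bursty_flow(rng, slots) for _ in range(users)]
    unpadded_idx, unpadded_score = match_flow(flows, tap_unpadded(flows[target], delay))
    padded_seen, backlog = tap_fixed_rate(flows[target])
    _, padded_score = match_flow(flows, padded_seen)
    return {
        "unpadded_match": unpadded_idx,        # expected: the target user
        "unpadded_score": unpadded_score,      # expected: ~1.0
        "padded_score": padded_score,          # expected: 0.0, nothing to correlate
        "max_backlog_bytes": backlog,          # the price: queued bytes waiting for a slot
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats the model makes visible rather than hides. First, `max_backlog_bytes` is the latency and bandwidth cost Dirk’s reading of the Tor blog points at: every real byte waits for a slot, and every idle slot still burns a cell of dummy traffic. Second, per Banana Sunday’s objection, a link that emits one 512-byte cell per slot forever is trivially distinguishable from ordinary web traffic at the local choke point; the model blinds the correlation attack but does nothing for blocking or tagging of the carrier itself.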

Figureitout November 7, 2015 8:25 PM

Dirk Praet
it would seem the Tor people are well-aware of a number of problems
–Yeah, bet they hear this day-in-day-out and think of it themselves, but it comes down to how to actually implement. Maybe they could have two different Tors, a more efficient/user friendly one, and a more latent one enforcing exact timing for all packets.

Not something I’m looking to help with, but want to see more work in. There isn’t much competition or options in this space besides VPN’s.

Banana Sunday November 8, 2015 7:12 AM

@ Clive Robinson

“From my point of view what is needed is to build a fixed rate token passing network ontop of encrypted fixed packet length TCP.”

You’re looking at this from a standpoint, but what of the local route where such traffic may be subject to be blocked or tagged? Such design details have been used to circumvent blockade, as to mimic the regulars. A singularity of length is recipe for closer scrutiny, which ToR was designed to circumvent, or so it claimed.

ianf November 10, 2015 8:33 AM

@ tyr “Hounding Aaron Swartz to death was an incredibly bad idea which backfired badly.”

That wasn’t so much an idea, as a logical outcome of the USA’s punitive mindset (read: Americans eating their young). A few highly-placed individuals in the Justice racket decided to teach the yearling a lesson, dangled multi-year prison sentences in front of him, as were he stealing Crown Jewels for resale on eBay. It backfired only in the sense of the relatives’ grief and misery—while none of those who went after Aaron (with the support of the letter of the law which just happens to not be uniformly enforced) was held to account.

    How many journalists covering FUTURE COURT CASES will always remind the reading public of the infamous co-contributors to Aaron Swartz’s demise, the U.S. Attorney for Massachusetts Carmen Ortiz, and her lead prosecutor Stephen Heymann? After all, Ortiz later successfully charged THE BOSTON BOMBER, which practically assures her a place among the saintly, next to Mother Teresa! So Aaron was at worst a roadkill on her road to glory.

[…] “You have to admire the irony of the Turks managing to push an Islamic invasion force into the EU.

Admire the chutzpah, the irony being merely a byproduct of that. I don’t think they realized what golden opportunity to sock it to their traditional enemy, the Greeks, they were presented with, or they’d have instigated the Syrian mass-exodus earlier. Then the developments overtook them, and they could sort-of wash their hands of it. Sort-of, because they still house >1.5M refugees within borders, only now underwritten in part by the EU. One thing seems clear though, the remaining Syrians there are too well educated and rooted to become the New Eternally Stuck in Limbo Palestinians (Arabs). They’ll either go back home, or move elsewhere.

NATO started them on the move. Most have been looking at the Saudi/ Sunni vs Iran/ Shiite clash over middle east dominance and forgetting that the Turks were dominant there before WW1.

Much as I’d like to pin everything on stupid Western bullies thinking they can meddle in the Middle East scot-free (hence not merely the NATO, and USA’s culpability even greater than that), I think there were other forces afoot in the region which could only end up tits up for the West. Rumsfeld, Bush, et al dreamt of a lean, cost-effective Saddam-Be-Gone campaign. Which they managed to achieve, because nobody local was prepared to die for Saddam—but then the USA had no other clue than to make a democracy out of it, and without proper de-Ba’athification. Instead of keeping Saddam’s forces occupied—e.g. with restoring the infrastructure—while gradually introducing the society to democracy-warts-n-all, the Americans disbanded the army and let the soldiers fend for themselves best they could. Instead of razing Abu Ghraib to the ground as a gesture, they used it for sado-maso house parties, and let the partygoers brag about it all over the world. So I’d say, well before NATO got involved in Syria, the civilian Yanks proved just as stupid as the uniformed ones.

Nobody knew a thing. And then, as soon as they left Iraq to its own devices, the tribal lording-over-other-tribes tradition reasserted itself. The first thing the new independent Iraqi government did was to release the Ba’ath party and other troublemakers as a goodwill gesture. This begat the ISIS, the foundations of which were prepared by these previously held in custody in these very camps.

Not wanting to repeat myself, here’s the pertinent fragment of a related question that I answered elsewhere:

Philg: (2) Could [affluence leading to overestimation of control] explain why we thought that we could clean things up in Iraq and Afghanistan?

[ianf] No. Not above the usual American suspects of the “gung-ho,” “can-do,” and the frontier “might makes right” mentality enacted by Donald Rumsfeld & the Neocon boys then (and still) en vogue in Washington, D.C. It’s easier to explain the failure: the White Man has not learned the lesson that he can not subdue the Brown Man for too long (vide Vietnam). Stranger still, the British who were spectacularly beaten in Afghanistan already in the 1840s [a single survivor out of a 16500-strong retreating force] have forgotten that as well.

@ tyr • November 4, 2015 1:21 AM

I thought the rundown on Belgium was interesting but like the Ukraine discussions tended to focus on near history.

The problem with history is that it is not unilinear and has no starting point. So no matter how far back you go, and how wide-ranging your outlook, in the end you’ll have to filter out lots and lots of things, or you’ll never be able to tell the segment that you want to share. It’s… elementary, my dear Watson.

Expanding the scope back to 1700 presents a much muddier picture of both places.

The concepts that are so clear-cut to us, polity, citizenship, ethnicity, nationality, are really a very thin varnish on the history of humankind, which goes back only some 200,000 years or so (it’s a rare gift to be able to sum it all up succinctly, as in the case of “Sapiens” by Yuval Noah Harari, only 400 pages!). Moreover, these ideas are still alien to the majority of our genus, and not older in the West than a few hundred years. In Europe and to some extent even in both Americas, the demarcation lines for most of recorded history lines were those of class, poverty/ wealth divide.

In Central/ Eastern Europe no last names were in use outside “aristocracy” up till c:a 1880, when the first gendarmes arrived in villages, sat down behind field desks (alas, no IKEA; transported with their legs up in the air) in the shadow of local churches or synagogues, and had the parishioners line up to ask each head of family in turn their occupations or affiliations. That’s how they got their last names, by an official’s digestive whimsy (similarly, later, when some of them stepped ashore in Ellis Island, and had their unpronounceable names such as Piekarz turned into Baker). In Europe there were no passports before past the outbreak of WWI in August 1914, when it first became vital to formally distinguish tourist friend from foe.

I still like the Chinese proverb about the scholar overturning your empire with a stroke of his pen. Assuming this is the best of all possible worlds exposes government bureaucrats to endless mockery.

If that is the same as “the pen is mightier than the sword” in the Western tradition, then your assumption is too narrow: it simply says that ideas (spread by the power of the pen) are stronger than any armies with swords. Which they are.

@ tyr • November 9, 2015 8:32 PM

There were so many threads there, that I wouldn’t know where to begin… any particular segment, or quote, that you’d like to direct my ATTN to? (I’m quite familiar with the Famous Writers’ School racket exposed 1970 by Jessica “Decca” Mitford 1° voto Romilly 2° voto Treuhaft.)

Patriot November 10, 2015 9:14 AM

@Daniel

TAILS is just one effort being made towards the goal of guaranteeing free speech and privacy. Let’s support them. Let’s improve TOR and let’s support TAILS.

They admit weaknesses in their system, and they are busy fixing those. That is strength. Looks to me as if they are doing a fine job.
