Friday Squid Blogging: Squid Spawning in South Australian Waters

Divers are counting them:

Squid gather and mate with as many partners as possible, then die, in an annual ritual off Rapid Head on the Fleurieu Peninsula, south of Adelaide.

Department of Environment divers will check the waters and gather data on how many eggs are left by the spawning squid.

No word on how many are expected. Ten? Ten billion? I have no idea.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on November 20, 2015 at 4:30 PM • 132 Comments

Comments

sena kavote • November 20, 2015 10:33 PM

What should not come as a surprise about self driving cars

Let's try to lay out some predictions about self driving cars, so that when things occur or are revealed, people and politicians won't react in panic, or so that things can be prevented or prepared for.

Self driving cars will be used to transport bombs and drugs (in addition to pizza). Passengers will urinate in public cars and paint graffiti on their inside and outside. These will cause calls for security measures. Since the cars have to have cameras pointing in every direction anyway, recording passenger faces when they get in would be mostly just a software question. But passengers could cover their faces when they go inside. For that, there could also be inside cameras, but passengers could cover their faces during the trip and while painting graffiti etc.

Public cars will probably get so much urination in them that it is best to design them for optimal liquid flow and ventilation.

Sex workers will do their services in public cars, sometimes even when they are moving.

Assassins will use public cars to avoid police and to enable shooting while moving. Targets of assassins will use public cars to avoid assassins and to take cover while the car is moving.

A self driving car can bring a bomb to a parking lot next to a target, but there is less need for parking space when self driving cars are common enough, so access too close can be blocked by barriers (for example, big stones, blocks of concrete or Hesco barriers). Looks like some more terrorist victims are the price of traffic safety and freedom of movement.

A self driving car can bring a wounded or sick passenger to an emergency room or next to an ambulance. But a self driving car can also drive an unconscious passenger 100 kilometers away from habitation in a situation where a human controlled car would have just stopped in traffic and the passenger been taken by ambulance.

If a passenger gets shot from an open window while autopilot is on, determining the shooting location can be difficult. If the car has a microphone, there is that argument for recording sounds. There is some reason to have a special assassin avoidance driving mode that is triggered by gunfire or by a special button.

Microphones inside self driving cars will probably get justified by the possibility of voice commands. Car companies will try to offer systems where the voice is sent for processing on remote servers. But it would be foolish to trust that you are not being eavesdropped on. Plus car control is much more critical than some Siri or Cortana search. Plus cars have to work without an internet connection. Even if the sounds are processed locally in the car, there will be vulnerabilities, car maker or car operator companies will get busted for selling conversation transcripts to marketing companies and it will get revealed that some software is saving transcripts on local disk in a way that looks like a programming error. Half of the cars on the road will have default passwords still in effect.

There will be debate about mandatory backdoors on cars that enable stopping or slowing down by police. Regardless of that, many cars will have backdoors that seem to be remaining from some debugging phase by mistake.

Trips on public cars could be paid with prepaid cards that can be bought with cash (and also can be used for buses, ferries and trains). Some public cars could have coin slots so that passengers can pay by inserting coins.

Questions arise about the role of civilian self driving cars during a time of war with front lines and battlefields. Just the possibility of, and preparation for, land war between neighboring countries that both have large civilian use of self driving cars and trucks complicates matters. As of now, many countries have plans for massive commandeering of civilian cars for transporting troops and supplies to and in front lines. How is that reconciled with large use of self driving cars? Same thing with self driving boats and drones. Self driving civilian cars in civilian use during time of war can be complicated if a front line or invading army suddenly crosses the driving path.

Also, questions about floods, volcanoes and earthquakes...

Hamid • November 21, 2015 5:00 AM

Staying in Australia

Quantum computers a step closer to reality after silicon coding breakthrough

L • November 21, 2015 5:25 AM

Lots of people might think that giving the police keys to unlock any encryption will be a good thing.

Don't bother explaining the technical difficulties.
Don't tell them that governments should not be trusted that much.

Just remind them of what happened with the TSA and their "TSA approved" locks, which had a master key that only the TSA was supposed to have.

That key was photographed, because they were proud of it, and put on the internet.
From that photograph, people made working copies of the master key.

They can't handle a physical key; should we trust them with complicated encryption?

Jacob • November 21, 2015 7:15 AM

From Twitter: Daniel Lin @DLin71 Nov 19

What we know about Paris terrorists
-Not Syrian
-Not refugees
-No encryption

What the US is focusing on
-Syrians
-Refugees
-Encryption

==================================

We tend to associate sophistication and advanced operational planning and methods with the Paris terrorists due to the scale of atrocities perpetrated. Encryption, for example. Far from the truth.

From the Telegraph:
-------------------------
Abdelhamid Amaaoud, the suspected "commander" of last Friday's Paris attacks, wandered the streets after firing at innocent people in Paris bars with no real plan B, according to Le Monde.

Eventually, it reports, he phoned his cousin, Hasna Aitboulahcen, saying he needed two changes of clothes and a place to stay.

The call to the cousin was how police located Amaaoud, Le Monde says, citing unnamed sources.

The apparently amateurish dénouement suggests the terror team may not have been as well-organised as previously thought. "Rudimentary logistics, with no safe flat, no support teams - we appear to be far from classic urban guerrilla warfare," one source close to the inquiry told the paper.
---------------------------------

Doctor Office Signature Warning • November 21, 2015 8:32 AM

Today Wall Street is after your most sensitive HIPAA Personal Health Information (PHI) by offering free money-saving services to medical practices. All they need is to get you to sign one release, one time. Most people are so addicted to their cell phones they can’t be bothered and sign whatever the doctor's staff asks. Without thinking they sign away ALL their medical records to Wall St (and now, through CISA) to the spies, insurance companies and future employers.

Young people especially don’t realize that one medical diagnosis like STD’s, counseling sessions, or OB/GYN records can effectively/unofficially be used to curtail or end your career.

How The Scam Works
On your first doctor visit they ask you to sign (with people waiting behind you) while the receptionist “doesn’t have time” to answer serious privacy questions! If you can find the office privacy policy see if they use “business associates” to market ‘alternative treatments’ that may be of interest to you. LOL!

Never authorize unaffiliated third parties, or give Social Security numbers. Fight all data-mining!
At the office only fill out paper applications. Get paper copies to research terms and phone numbers over the Internet. Never complete medical forms on-line, as just the meta-data can harm your family members’ future.
Only use paper prescriptions or faxes from office to pharmacy.
Don’t give out your email as it goes straight to Wall St.
Just the fact that you are seeing a cancer specialist is enough to cause harm. The younger you are the more ‘damage’ they will do to you.

Parents there is no greater way to harm your children than to have their illness be leaked to Wall St, because you are addicted to your damn cell phone. Admittedly it’s an awkward situation asking these questions when a family member is ill, but Wall St/Big-Data will keep your PHI forever.
Ask for all correspondence to be sent via US Mail as it’s the safest.
Now there are on-line exceptions. I use several tracking blockers like Ghostery, and uBlock Origin to see how many third parties the medical provider allows. Both my bank (Chase) and medical insurance (BCBS) used to allow advertisers, but stopped after being hacked. Blinded by $$$?
Quest Diagnostics has never allowed trackers and is safe for ordinary citizens to log on to – if your browser is fairly safe and you use a VPN.
The Internet may be the most convenient for lazy patients, but it can easily cause greater harm than the illness being treated. The worst part is the patient will be clueless to secret decisions made against their family years later. By ignorantly signing, you voluntarily agreed that your own most sensitive medical data can be used against you.

Here is an aggressive example of PHI being made public by initially signing an authorization for third party appointment reminders at the doctor's office. Remember, once released, medical history can NEVER be retracted:
https://www.healow.com/apps/jsp/webview/termsOfUse.html
"The Site may include sponsored advertising and You hereby agree and understand that by downloading and using the Site, you consent to the presence of sponsored ads and services on the Site, which advertising will be placed at Healow's sole discretion. Such ads may be placed vertically on the left or right side, or horizontally on the bottom, of any displayed page on the Site. Sponsored ads shall at all times be clearly delineated from other content on the Site through the use of boxes surrounding the advertisement, a different colored background or other similar means and shall contain a header with the words similar to "Advertisement or Sponsorship".

In addition to the foregoing advertising, Healow, through the Site or the contact information You have provided, may contact You regarding certain offers, products or services of Healow or other of its partners that Healow believes may be beneficial to You. You understand and agree that Healow may contact You in this manner. You may also be asked to grant an authorization for (i) Healow to use Your PHI in connection with its business partners and the advertising, offers, products or services that may be directed to You, and (ii) Healow to "push" notifications to You through Your mobile device. You may decide to authorize Healow to act in these manners by accepting such terms in the process of downloading and signing up for the Site. You will also have the authority to opt out of such use at any time by contacting Healow."

CallMeLateForSupper • November 21, 2015 9:08 AM

Heads up, Anonymous. New target for you. Forget the DDOS sledgehammer; mind-f__k the help desk guys.

"ISIS Has Help Desk for Terrorists Staffed Around the Clock"
http://www.nbcnews.com/storyline/paris-terror-attacks/isis-has-help-desk-terrorists-staffed-around-clock-n464391

Brian Krebs takes a different tack:
"Imagine the epic trolling opportunities available to a bored or disgruntled Jihadi Help Desk operator."
http://krebsonsecurity.com/2015/11/isis-jihadi-helpdesk-customer-log-nov-20/

CallMeLateForSupper • November 21, 2015 9:41 AM

Reprise: Oops! We're sorry.

"two Georgia residents filed a class action complaint against Secretary of State Brian P. Kemp for allegedly sending CDs containing personal data belonging to 6 million voters to 12 media organizations, political parties, and other groups, including Georgia GunOwner Magazine."

While the story says "allegedly" sent, it also states: "The Atlanta Journal-Constitution verified these claims by accessing one of the discs and looking up one of the paper’s staffers. Sure enough, his social security number and driver’s license number appeared."

..."CD went out to subscribers with voters' social security numbers, dates of birth, and drivers license numbers attached to their names."

But don't worry, kids. ..."the loss of information occurred because of a simple mistake." Well, thank &deity that the mistake was not (shudder) sophisticated; that would be cause for alarm. :-O

The Georgia Secretary of State explained: "In October, a clerical error in the IT Division led to these discs containing personal identifying information that should not have been included. The IT person responsible has been terminated for breaking internal rules governing the release of this information."

m41lm4n • November 21, 2015 9:51 AM

Adobe Flash Direct Download Links Page To Be Decommissioned on Jan 22, 2016

For a long time now, people have enjoyed using the simple "distribution3" page for direct downloads of Adobe Flash.

But, like most good things, the end is near. A warning has been posted and they point people to the http://get.adobe.com/flashplayer link instead, or for "Enterprise users" to http://www.adobe.com/products/players/flash-player-distribution.html

Here is the warning:

#######

"Adobe Flash Player Distribution

WARNING

This page and the download links will be decommissioned on January 22nd, 2016.

If you are not an enterprise user, please visit get.adobe.com/flashplayer to download Adobe Flash Player for your system.

Enterprise users must have a valid license to download and distribute Adobe Flash Player binaries. Instructions and further details can be found at www.adobe.com/products/players/flash-player-distribution.html.

Please note that starting December 1st, 2015 you will be required to create an AdobeID to request an enterprise distribution license."

https://www.adobe.com/products/flashplayer/distribution3.html

#######

Clive Robinson • November 21, 2015 10:36 AM

For those with a yen to build a CPU.

Have a look at,

http://grapsus.net/74/

It provides information on using more modern, and thus available and cheaper, 74 TTL chips to build a Harvard architecture RISC CPU with the eight instructions required for the BrainF**k mini language.

Who? • November 21, 2015 12:07 PM

@ Jacob, @ FRONTDOOR

Thanks a lot, Jacob, for the arstechnica reference. Indeed, it is much better written than the NYT one I suggested. Well, I have nothing against NYT, but the advantage of a technology focused publication like arstechnica when explaining these matters is clear. Obviously no one should trust NSA, or Obama, words. I understand Obama is in a very challenging position, but he clearly disappointed me in the last years. I had much higher expectations of him when he arrived at the White House.

Chrome (Chromium too) is a tool that frightens me a lot. I prefer not running browsers; when I do, I run them on a hypervisor and choose Firefox (with secure settings enabled, and Disconnect + AdBlock Plus + Lightbeam extensions at least). Firefox version 42.0 has some interesting tracking protection features.

Google not only despises security, it is clearly on the side of privacy wrongdoers.

We need laws that protect consumers, declaring illegal any unauthorized data collection and requiring hardware and software vendors to provide security updates for at least five years, ideally ten years (I am looking at you, UEFI!).

Grauhut • November 21, 2015 12:07 PM

@all, bruce: "Ismail Kizir claims that his "Hohha Dynamic XOR Encryption Algorithm" is "practically impossible to break", is production ready, and is ~80% faster than the fastest mode of AES. The code is dual-licensed under the GPL and MIT license.

Before getting too excited about this Hohha encryption algorithm, it's probably too good to be true and several developers have already taken various issue with the code per this kernel mailing list thread"

http://lkml.iu.edu/hypermail/linux/kernel/1511.2/02062.html
http://www.phoronix.com/scan.php?page=news_item&px=Dev-Fast-Unbreakable-Encrypt

Who? • November 21, 2015 12:17 PM

@ Grauhut

We will see how this new encryption algorithm performs in the real world. Until then, I do not trust it at all. Do we have even a single serious cryptanalysis of the algorithm?

FRONTDOOR • November 21, 2015 12:26 PM

@Who, when you look at the long list of patches Torbrowser needs to sanitize Firefox, it's clear you can't trust Mozilla at all. Firefox extensions offer useful capabilities but the extensions are the new attack surface of choice. Icecat is somewhat less treacherous but really, Tails (safe and unsafe) and Torbrowser are all you ever need. That way you won't constantly be under the hood, ripping out Mozilla's latest spyware.

Grauhut • November 21, 2015 12:27 PM

@all, bruce: New crypto breaking fun for the CCC from German Telekom and Fraunhofer Institute. :)

A new x.509 infrastructure for ease of crypto, called "Volksverschlüsselung" or "peoples/folks encryption"...

http://www.telecompaper.com/news/deutsche-telekom-fraunhofer-to-launch-encryption-service--1114512

Normally whenever Telekom does something with "Volk" in its buzzword someone is f...d, see "Volksaktie" or "peoples share", which meant socializing the Telekom debt from German reunification to the people. But of course, it was sold as a profit machine, so this could be a frontdoor sales system... ;)

Who? • November 21, 2015 1:39 PM

@ FRONTDOOR

Thanks for the tip. I do not really trust Firefox; this is the reason I run it with these --and only these-- extensions, and only ever on a virtual machine. I know, setting up Firefox is challenging at best (even worse when running a browser through tor is the target). It does not only involve touching about:settings, it requires playing with about:config also.

I do not really trust Tails. I use it as a reference to see how tools are configured, but my choice platform is OpenBSD (either -stable, for some critical production computers, or -current). Linux is a good family of operating systems, but does not fit my requirements.

Who? • November 21, 2015 1:42 PM

@ FRONTDOOR

I am curious... what patches are you talking about? If these patches really remove dangerous features there is a chance to get some of them applied to OpenBSD's port.

Nick P • November 21, 2015 1:59 PM

@ Clive Robinson

re educational CPU's

Here's another one with an amusing name that teaches important lessons with just 22 TTL chips.

@ Grauhut

Interesting work. The hardware guru that used to frequent the blog suggested GPU's as alternatives to CPU's if CPU subversion was the concern. I kind of wrote it off at the time due to the difficulty of working with them. Modern ones are more general-purpose and useful. However, they're also made in America with increasing use in HPC, defense, networking, etc. As in, not low risk of subversion anymore.

Clive Robinson • November 21, 2015 6:40 PM

@ Nick P,

The prob with the PISC is four 181's and eight 172's; if you try and find some, your eyes might water harder than if someone pulled your wallet out of a lower orifice.

I've a few but even I'm asking $150 each as they are mil spec and still in hermetic packaging. Just be thankful they are not in the 29000 range; the mil spec version of those I want real money for, as they are worth more than their weight in 999 fine. Such is the game of having a "Computer Museum" worth of spares in the loft and other places. Mind you, my early IAx86's lost value when NASA pulled the STS, so it's swings and roundabouts.

But you are probably aware of that. As the article pointed out, DIY CPUs are not easy to do these days as the chips you need to breadboard with are rarer than hen's teeth. So VHDL and FPGAs are the closest most students get, if they are lucky...

However there is another way for those with a little patience and careful thought. You can use AND-OR or OR-AND matrix chips such as PALs (getting scarce) or RAM/ROM. I've had fun using nS speed SRAM chips that you can load with a little PIC chip with a USB connection. The cost of playing this way is quite minimal; you can also, with a little thought, make the same circuit do other interesting tricks such as a fully digital 10.7MHz IF line up to feed into a high quality sound card to further process on a PC. Thus you don't have to spend a fortune on the care and feeding of specialised chips and laying out expensive custom PCBs etc.

Jonathan Wilson • November 21, 2015 6:59 PM

@Nick P
The one linked to by Clive specifically commented on the existence of other TTL homebrew CPUs, but noted that they all used obsolete (and hard to obtain) chips like the 74181 ALU and 74172 register file and that such CPUs have limited educational value since it's very hard to actually get those chips.

The one linked to by Clive is nice because it uses chips that are available from anywhere and it's dead simple to understand how it works.

Grauhut • November 21, 2015 8:06 PM

@frontdoor,@Who "BSD desktops in general are worthless for privacy (as opposed to security)"

For FreeBSD derivatives:

security/tor An anonymizing overlay network for TCP
security/tor-devel An anonymizing overlay network for TCP
security/trans-proxy-tor Transparent proxy used to redirect TCP connections into Tor

Install from ports or try to pkg_add a binary pkg.

Details about installing software: https://www.freebsd.org/doc/handbook/book.html

tyr • November 21, 2015 8:41 PM

LOL So now I'm sitting on a hoard of valuable prehistoric silicon, and I thought it was just junk museum pieces of the comp revolution.
I should have seen it coming when 8080s went from 8.95 to 150 USD in a week.

FRONTDOOR • November 21, 2015 10:00 PM

@Grauhut, thank you. Several times I tried and concluded life's too short, but if it ever actually worked as promised it might offer useful redundancy so some day I'll try again.

Np237 • November 22, 2015 3:31 AM

There have been a lot of articles written in France about the efficiency of the public service response during and after the terrorist attack of last week. Large numbers of policemen, firemen, rescue crews and medical crews were set into place in less than an hour, with the result of:
- promptly killing the terrorists (which is the most efficient way of limiting the number of deaths);
- evacuating all wounded at once, dispatching them in all hospitals;
- having full medical crews ready to operate on all immediate emergencies (only 3 of all the wounded brought to hospitals have died).

See for example in French:
http://www.atlantico.fr/decryptage/trois-morts-seulement-dans-hopitaux-incroyable-performance-medecine-francaise-apres-13-novembre-guy-andre-pelouze-stephane-gayet-2447825.html

This goes in line with what you always said about terrorism: you can’t predict the target, you can’t protect all of them, you can’t know about all potential terrorists, but you can be efficient by investing in emergency response.

Nick P • November 22, 2015 5:19 AM

@ Clive Robinson

That's a good critique and solution. There are still PAL chips being sold by big companies. The Scheme processor Burger built with DDD toolkit eventually ran on a small FPGA and some PAL's. So, there's precedent.

Clapper Redux: US spy chief Highly Unusual Daily Intelligence Manipulations • November 22, 2015 5:19 AM

The Department of Defense Inspector General has a major investigation into why ISIL intelligence from Central Command is repeatedly found bogus.
It turns out confirmed liar James Clapper, the director of national intelligence, talks in private every day with the head of US Central Command’s intelligence wing, Army Major General Steven Grove – “which is highly, highly unusual”, according to a former intelligence official.

Simply put America is cursed with evil, corrupt leaders at the highest levels. Being above the law they can hurt our nation with no consequences, especially with presidential backing. Psychopath Cheney manipulated war intelligence to Bush, while Clapper’s ISIL spin must have Obama’s blessing.
Is it no wonder why Putin does not respect living-a-lie Obama?

http://www.theguardian.com/us-news/2015/sep/10/james-clapper-pentagon-military-official

Nick P • November 22, 2015 5:26 AM

@ steve

They're actually post-historic silicon as they'll probably be the only ones reliable enough to run after Global Meltdown 20nn. :P

Meanwhile, they're easier to understand and have much lower odds of subversion than FPGA's. There's already been one backdoor found in those. An advantage of 350nm or above is that you can decap and visually inspect some of them to detect modifications. Visual inspection stops being feasible around 250nm, which FPGA's passed a while back.

@ tyr

That price jump must have caused quite a stir. Yeah, good to keep your old hardware in case it comes in handy. Depends on what you keep, though. The rule of thumb I've developed in my studies of embedded systems is that the most worthwhile stuff will be whatever military is using in systems that will go obsolete. No guarantee but military people are always on eBay trying to find parts that aren't made any more.

Clive Robinson • November 22, 2015 7:31 AM

@ Jacob,

Of those parts listed none are mil spec or gold lead ceramic package. In Europe it's doubtful you could sell them due to PbFree legislation. Also some may be second hand at best (many are pulled from DIL sockets but also some from old PCBs and only given a cursory test despite having a real bad time being desoldered, cleaned and reformed).

All of which makes a very significant difference to the price, and also to the performance in some cases (buyer beware, where there's a market with lots of profit in it there will always be scammers and crooks)...

The 181 with just under eighty gates does not make it into the MSI category. Thus when you normalise the price per gate you quickly see why they are not used much. Also most "old stock" got sold off in the 80's and 90's and were quickly crushed and melted down for their very high precious metal content.

But it gets worse... to do an 8bit data, 16bit address processor you need two 181's plus several other control "glue logic" and shift chips. That's all before you add four or more 172's register files and their glue logic.

Once you have this nest of around 20 TTL packages, then you need to start thinking about the RTL and instruction decode control logic. You get a trade off between RISC and CISC designs and the quantity and speed of cache memory and core memory. Old style went CISC, then as cache tech improved, RISC. But these days it's both, with a RISC Harvard core and level 1 caches, then a CISC instruction decode segmentation --poor man's MMU-- and data layer queuing/reordering and level 2 cache, all wrapped up in a Harvard to von Neumann bus multiplexor to save on external pin count and pin driver/protection real estate and gain extra flexibility (as well as security headaches).

To give you an idea of what was involved, the Z80 8bit CPU was actually a 4bit ALU with some very interesting "dynamic logic tricks" pulled (hence the minimum 0.2MHz clk speed). But even then it would need a hundred or so TTL chips to replicate. The 16bit 68000 design prototype I was shown years ago, was wire wrapped and filled three full size Euro Cards and could barely hit a 1MHz clock speed reliably using AMD 2900 parts. The first 68K chip hit 10MHz performance in the correct packaging.

Importantly though, when you normalise the gate price on the glue logic you are up and beyond the 10 cent/gate cost... Modern 8bit CPU's weigh in at 1500-4500 gate equivalent depending on whose figures you believe. But the chip price brings the gate cost in at less than 1/40th of a cent. If you could buy the bare CPU, which you can't. Now you get a lot of free memory and IO which multiplies the gate count by several orders of magnitude and thus brings the gate cost down, way way way lower than that, such that it's not used as a measure any longer (remember to knock a dollar off the price for the packaging).

I've built boards using modern SRAM chips and PIC microcontrollers to load them, that can emulate most of a 68K at a considerably greater performance than it's possible to build with TTL. Importantly, if you make a mistake in your design logic, you just hit reset, resynth the memory map in software in a few seconds... and reload.

Which is why I don't recommend anyone trying a TTL only chip solution for anything other than for bragging rights or to entertain others. Look at it this way, for the cost alone you could get a decent off road bike and have a healthy outdoor hobby that would do more for your body and mind than sitting hunched up, going short sighted and bloodshot, breathing in solder fumes and being in worse health than a two pack a day smoker...

And for those that really must build a hobby ALU/CPU, can I suggest you design a "1Bit static serial ALU" with still readily available and thus cheap parts and use it to teach / entertain with. I've built one with relays, LED displays and a 0.5sec clock which gets used at science / technology shows etc to show what a "school project" can be, and even mobile phone clutching teenagers stare in fascination at it working to add just a couple of numbers...
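A software model of the bit-serial ALU Clive suggests, added here as an example (it is not Clive's circuit or any code from the thread). It clocks two operands through a single 1-bit ALU cell LSB-first with one carry flip-flop between clocks, which is all the logic such a build needs; the 8-bit width and the five opcodes are assumptions for this example.

```python
"""Bit-serial ALU model (added example, not from the thread).

One combinational 1-bit cell plus one carry flip-flop; operands are
shifted through it least-significant bit first, one bit per clock.
Subtraction is done the way hardware does it: invert B on the way in
and preset the carry flip-flop to 1 (two's complement). The 8-bit
width and the opcode set are assumptions chosen for this example.
"""

OPS = ("ADD", "SUB", "AND", "OR", "XOR")


def to_bits(value, width):
    """Return value as an LSB-first list of bits, truncated to width."""
    return [(value >> i) & 1 for i in range(width)]


def from_bits(bits):
    """Reassemble an LSB-first bit list into an integer."""
    return sum(bit << i for i, bit in enumerate(bits))


def alu_cell(op, a, b, carry_in):
    """One clock of the 1-bit cell: returns (result_bit, carry_out).

    This is the entire combinational core; everything else in the
    design is shift registers and a single flip-flop.
    """
    if op == "SUB":
        b ^= 1  # invert B; the preset carry supplies the +1
    if op in ("ADD", "SUB"):
        s = a ^ b ^ carry_in
        c = (a & b) | (carry_in & (a ^ b))
        return s, c
    if op == "AND":
        return a & b, 0
    if op == "OR":
        return a | b, 0
    if op == "XOR":
        return a ^ b, 0
    raise ValueError("unknown opcode %r" % op)


def serial_alu(op, x, y, width=8):
    """Clock x and y through the cell; return (result, carry_flag, trace).

    trace holds one tuple per clock: (clk, a, b, carry_in, result, carry_out),
    which is what the LED display on a slow-clocked build would show.
    For SUB the final carry flag is 1 when no borrow occurred.
    """
    if op not in OPS:
        raise ValueError("unknown opcode %r" % op)
    carry = 1 if op == "SUB" else 0  # preset flip-flop for two's complement
    out, trace = [], []
    for clk, (a, b) in enumerate(zip(to_bits(x, width), to_bits(y, width))):
        r, carry_next = alu_cell(op, a, b, carry)
        trace.append((clk, a, b, carry, r, carry_next))
        out.append(r)
        carry = carry_next
    return from_bits(out), carry, trace


if __name__ == "__main__":
    # Constructed demo: 200 + 100 overflows 8 bits, so the carry flag is set.
    result, carry_flag, trace = serial_alu("ADD", 200, 100)
    print("clk a b cin r cout")
    for row in trace:
        print(" ".join(str(v) for v in row))
    print("result=%d carry=%d" % (result, carry_flag))
```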

CallMeLateForSupper • November 22, 2015 7:55 AM

@Grauhut
"Normally whenever Telekom does something with 'Volk' in its buzzword someone is f...d, "

Strange how that works, isn't it? The U.S. suffers from the same type of problem; two root buzzwords that are commonly abused in this manner are "free" and "patriot".

I'm reminded that a West German student explained to me years ago that both "BRD" and "DDR" were lies: BRD didn't belong to the people and DDR wasn't democratic.

(I wonder if there is a German version of "Beware of Honest John the used car salesman".)

65535 • November 22, 2015 9:28 AM

@ Jacob and other browser experts

Browsers seem like a target rich environment for hidden spyware. Most browsers are single entry fields for both the URL and the search text. I would guess that those keystrokes entered are AJAX’d to the mothership.

I have in the past recommended my clients use Firefox. The reason I do so is because Firefox still has the two input fields for URLs and search entries - which I believe to be somewhat safer.

But:

“Are Firefox extensions any better?

“To be honest, no. We’ve seen examples of extensions, like:
“Ant Video Downloader (>409 000 users)
“That addon sends all pages you’re visiting over to them, including the location.hash values. The Mozilla Addons Marketplace have a bigger description box for the privacy policies though, even though the policies constantly tries to convince you that the URLs you’re visiting – that they are gathering – are not private information. Well, access-tokens giving access to your Facebook data is by definition private indeed.” –labs detectify

See bottom of page:
http://labs.detectify.com/post/133528218381/chrome-extensions-aka-total-absence-of-privacy

This seems to indicate that Firefox is morphing into a spyware browser and cannot be trusted. Does anybody have a work around? Say using the about:config settings? Any suggestions on securing Firefox?

[Next to flash and Adobe Acrobat DC]

@ m41lm4n and others

“Here is the warning:
#######
"Adobe Flash Player Distribution
“WARNING
“This page and the download links will be decommissioned on January 22nd, 2016.
“If you are not an enterprise user, please visit get.adobe.com/flashplayer to download Adobe Flash Player for your system.” – Adobe via m41lm4n

Most of my clients are small business owners with limited budgets and less than 75 boxes [mostly Windows 7]. Some are on domains but most are in workgroups.

I “encourage” or strongly “suggest” that they not use Adobe Flash player with Windows systems or flash plugins – too big of a security risk. But, most clients still use flash and Acrobat Reader [Free versions – but a few clients have Adobe Pro/enterprise and so on].

I notice one client with the new version of Adobe Acrobat Reader DC which nags them to connect to the “cloud” for “ease of use” among different platforms [The DC version is now the defacto free pdf reader from Adobe].

I am guessing that the new Acrobat Reader DC does scan and communicate with the mothership while the user is on the internet. This is bad.

Many of my clients have payroll and tax data stored in pdf format. In theory, Adobe Acrobat Reader DC could record sensitive information such as Social Security numbers, Names, Addresses, ages and various tax data and send said data to the mothership.

Can any Adobe Expert confirm that the Acrobat Reader DC does have this ability to transfer sensitive data to the “Cloud” which then can be data-mined and/or used by the government for spying?

Is there any way to “harden” Adobe Acrobat Reader DC? If not, should Acrobat Reader DC be uninstalled and an older version of Adobe Reader installed? Should Adobe software be junked altogether?

Yes, I have recommended my clients switch to FoxIt Reader. But, some tax programs and accounting programs need the current [or fairly current] versions of Acrobat Reader to print various Tax and accounting data for said Tax/accounting software [I believe the issue is the high number of fonts and so on that Adobe Acrobat Reader embeds – but I could be mistaken – hence FoxIt Reader is out of the picture for some clients].

Anybody care to discuss the widely used Adobe Flash and Acrobat Reader and how to secure it in a Windows 7 environment?


JacobNovember 22, 2015 11:26 AM

@ 65535
This is too big a subject for this forum.
However, I'll list below some of my own personal thoughts which condense historical POV with lots of collected news items, blog entries, and general web chatter.

Please note that without a comprehensive analysis of the software, people just provide their opinion according to their own personal priorities, so you can't easily fit those into your own scale of reference.


1. Among the 3 major browsers I'm familiar with, I consider Firefox to be the most private. Although Mozilla inches away toward the commercial aspects of the business, they still provide you with options to disable such features (for example, I use the EME-Free edition, and disable the WebRTC functionality in about:config).
Strengthen your client privacy by teaching them to flush all the cookies and the flash persistent objects at the end of the session. Teach them about the Private Mode.

2. The devil is in the add-ons. You generally don't know who is behind an add-on, and even if you do, the developer may sell out to an evil corp. that will take over your private info on the next add-on update. Happened in the past. Keep add-ons to a minimum, and train your customers how to selectively enable NoScript's blocked entries or Ghostery's trackers if the need arises.

3. I don't trust Adobe at all, but I do use Flash on "Ask to Activate" mode, and make sure that I update it ASAP when a new bug fixing version hits the wire. I use Foxit instead of Adobe Reader. To print reports to PDF I use PdfFactory (PDF printer driver - can be selected from the "Print" menu of almost any common program). I don't know how to harden Reader, but don't use older versions of Reader due to security-related bugs.

As a recommendation, I suggest that you try the Pale Moon browser. I use it side-by-side with Firefox. It is a Firefox derivative but much more conservative in design philosophy. The lead developer is careful not to include, as much as possible, any privacy compromising feature or any new glitzy Firefox feature that doesn't add much to functionality. I like his traditional dev approach. The important Firefox addons are compatible with it. The only negative is that you may occasionally (rarely) run into site incompatibility - in that case use FF - or that it takes a few days to fix security bugs after FF implements the fix.
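As an added example (not Jacob's, Mozilla's or the blog's code), here is a small Python checker for the settings mentioned above: it parses a Firefox prefs.js/user.js, audits it for WebRTC being disabled, data being flushed at the end of the session, and Flash on "Ask to Activate", and emits the user.js lines needed to fix what is missing. The pref names are real about:config keys; the required-value policy and the sample prefs file are this example's own assumptions.

```python
"""Audit a Firefox prefs.js / user.js for the privacy settings discussed above.

Added example: the pref names are real about:config keys, but which values a
hardened profile must carry is this example's own policy, not Mozilla's.
"""
import json
import re
from typing import Dict, Optional, Tuple, Union

PrefValue = Union[bool, int, str]

# Policy (assumed): what a hardened client profile should carry.
EXPECTED_PREFS: Dict[str, PrefValue] = {
    "media.peerconnection.enabled": False,        # WebRTC off, no local IP leak
    "privacy.sanitize.sanitizeOnShutdown": True,  # flush data when Firefox exits
    "privacy.clearOnShutdown.cookies": True,      # ...including cookies
    "plugin.state.flash": 1,                      # 1 = "Ask to Activate" for Flash
}

# Matches  user_pref("name", value);  and  pref("name", value);
PREF_RE = re.compile(
    r'^\s*(?:user_)?pref\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*(.+?)\s*\);\s*$'
)


def _parse_value(raw: str) -> PrefValue:
    """Convert the JS literal on the right-hand side into a Python value."""
    if raw == "true":
        return True
    if raw == "false":
        return False
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return re.sub(r"\\(.)", r"\1", raw[1:-1])   # undo \" and \\ escapes
    raise ValueError(f"unrecognised pref value: {raw!r}")


def parse_prefs(text: str) -> Dict[str, PrefValue]:
    """Parse prefs.js/user.js text; later entries override earlier ones."""
    prefs: Dict[str, PrefValue] = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("//") or stripped.startswith("/*"):
            continue
        match = PREF_RE.match(line)
        if match:
            prefs[match.group(1)] = _parse_value(match.group(2))
    return prefs


Finding = Tuple[str, Optional[PrefValue]]   # ("ok"|"missing"|"wrong", current)


def audit_prefs(prefs: Dict[str, PrefValue],
                expected: Dict[str, PrefValue] = EXPECTED_PREFS) -> Dict[str, Finding]:
    """Compare a profile's prefs against the policy, pref by pref."""
    findings: Dict[str, Finding] = {}
    for name, want in expected.items():
        if name not in prefs:
            findings[name] = ("missing", None)
        # Check the type too: in Python True == 1, but about:config distinguishes them.
        elif type(prefs[name]) is not type(want) or prefs[name] != want:
            findings[name] = ("wrong", prefs[name])
        else:
            findings[name] = ("ok", want)
    return findings


def _to_js(value: PrefValue) -> str:
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    return json.dumps(value)   # JSON string escaping is valid in user.js


def hardening_user_js(findings: Dict[str, Finding],
                      expected: Dict[str, PrefValue] = EXPECTED_PREFS) -> str:
    """Emit user.js lines for every pref that is missing or set wrongly."""
    return "\n".join(
        f'user_pref("{name}", {_to_js(expected[name])});'
        for name, (status, _) in findings.items()
        if status != "ok"
    )


# Constructed sample of a client's prefs.js (not taken from a real profile).
SAMPLE_PREFS_JS = """\
// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("media.peerconnection.enabled", true);
user_pref("plugin.state.flash", 2);
user_pref("privacy.clearOnShutdown.cookies", true);
user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1448188800);
"""

if __name__ == "__main__":
    findings = audit_prefs(parse_prefs(SAMPLE_PREFS_JS))
    for name, (status, current) in findings.items():
        print(f"{status:8} {name}  (current: {current!r})")
    print("\n# lines to append to user.js:")
    print(hardening_user_js(findings))
```

Appending the emitted lines to the profile's user.js makes them override prefs.js on the next start, so the same script run again should report every pref as ok.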

Curious ListenerNovember 22, 2015 12:09 PM

I would sure appreciate a detailed "how to" on optimal methods to setup a private family PBX. Completely isolated from the internet - but still using the internet for transport.

Some of the work with cjdns concerning "private internets" inspires, but I'm also wondering if these strongswan modules would perform the same function: http://www.xoware.com/.

I'm thinking that a separate firewalled network for the PBX server would do the trick, but am struggling with endpoints and VOIP latency. If anyone has insights as to how one might positively verify endpoint condition/security, and to how one might deal with VOIP latency problems inherent with home hosting - those insights would be much appreciated.

Essentially this would be a private voice only internet with 5 stations secured by IPsec or https. Zfone is not well supported by "regular phone" hardware...so I'm looking for alternate schemes which don't require PCs at all. "Keep it simple Stupid" is certainly a design goal.

JustinNovember 22, 2015 1:08 PM

@Clive Robinson

Totally off-topic:

"... breathing in solder fumes and being in worse health than a two pack a day smoker..."

I'm sorry if I asked this before, but what is your opinion regarding the possible growth of "tin whiskers" from RoHS-compliant silver-bearing lead-free electronic solder?

Dirk PraetNovember 22, 2015 1:20 PM

@ Jacob

The apparently amateurish dénouement suggests the terror team may not have been as well-organised as previously thought.

When the first reports came in, the attacks - by their sheer number - had all the looks of a well-planned, well-coordinated and professionally executed operation. From what we know now, the Paris "lion mujahideen" were a bunch of dumbass losers with an incompetent field commander whose primary skill - until a couple of days ago - seemed to have been evading capture.

They cowardly chose soft targets and - fortunately - didn't manage to get into the Stade de France, probably because they forgot to buy tickets. Two of them then got cold feet and blew themselves up outside the stadium, managing to kill only one (1) passer-by. From a terrorist vantage, the only well-chosen venue was the Bataclan. Off the top of my head, I can sum up at least a dozen much more interesting targets in Paris on a Friday evening than the bars and restaurants they attacked.

Convinced that they were all going to die, there was apparently no exit plan. The "terrorist mastermind" called a relative and found refuge at the house of a known murderer. The suspected bomb maker, a 19 year-old of Antillean origin, turned himself in. Contrary to what most US/UK MSM made of it, none of this even remotely sounds like a professional job. As usual, they just reiterated the same government sponsored narrative we've been hearing again and again ever since 9/11.

JustinNovember 22, 2015 1:40 PM

@Dirk Praet

Convinced that they were all going to die, there was apparently no exit plan.

That's because the ones actually carrying out the attacks are considered disposable by their superiors. There is no need for professionals as long as there are amateurs willing to die or get caught. If they need training, they will be drilled just enough to carry out their given task. Their superiors are not going to waste the time teaching them not to get caught.

WaelNovember 22, 2015 2:04 PM

@Justin, @Dirk Praet,

If they need training, they will be drilled just enough to carry out their given task.

Fortunately trainers, for some unknown reason, are getting scarcer by the day. Rumor has it that they need a few rehearsals to "learn".

ianfNovember 22, 2015 2:19 PM


This is so totally OFF the squid topic, but so squarely ON the computer security one, that it can but belong here. It ties in to so many threads both in the past, as well as the more recent (e.g. better systems security by hardware simplification/ devolution(?)), that I wouldn't know which ones to link to. FYI the author Philip Greenspun, once a star programmer of the ArsDigita fame/infamy, subsequently hitched his wagon to a helicopter, and is now a professional pilot of everything inorganic a(f)light but the Concorde, Space Shuttle, and The Flying Carpet. But old interests die hard, so read his short dispatch from the Hackers Conference in California.

    What’s on the minds of computer programmers today? Security, security, security

    After spending 48 hours with some of the world's most skilled programmers, it was possible to make some generalizations about what's on their minds. About half of the time blocks included a session on security, consistent with Zurich's prediction that, by 2019, the cost of securing the Internet will exceed the value of the Internet. […]

@ Dirk Praet could sum up at least a dozen much more interesting targets in Paris on a Friday evening than the bars and restaurants they attacked.

Only a dozen? Paris is one giant heap of venues, and places filled with Americans of all shapes at all hours of the day. If there ever is a "2001/9/12 repeat", it might happen there, not across the Pond.

[btw. preview of coming distractions @ Outspelled is in the works].

tyrNovember 22, 2015 3:45 PM

I'm waiting for the talking heads to present the cutaway of the Paris masterminds' hideout with nuclear reactor, its own well, elevators, bat cave, and laboratories full of dwarven minions tirelessly plotting the demise of the west. No point in making things real when you can spin endless fantasy as an excuse for treating others badly.

Not to say that the other side of the cluster doesn't have its own Disney version of the glorious future in reviving the Caliphate.

Nothing new from a history perspective: the Japanese ordinary soldiers used to carry dried squid amulets to make them bulletproof. A tenuous grasp on reality is a good stage for theatre and dramatic swirling about.

Nick PNovember 22, 2015 6:03 PM

@ steve

Just a joke about all the bubbles and crazy problems building up everywhere that could hypothetically lead to major collapses or destructive waves in markets. Nothing specific although still with serious implications for many.

Dirk PraetNovember 22, 2015 6:27 PM

@ 65535

Anybody care to discuss the widely used Adobe Flash and Acrobat Reader and how to secure it in a Windows 7 environment?

You can't secure stuff that has more holes in it than a Swiss cheese. You can only try to mitigate it. In Windows environments, I usually put in place an IT policy that bans the use of Flash, Acrobat Reader and Java. For which you need management buy-in. If for whatever reason management does not agree with the policy, it is noted in official meeting minutes, as are the reasons for declining the proposal. As an IT manager or CISO, you need to cover your *ss too.

Users requiring any of these in the line of their normal daily duties need to fill in a form stating what exactly they need it for, which needs to be signed off by their direct manager. If no workable alternatives can be found (like Foxit .pdf reader), they're assigned to a GPO that controls installation, upgrades and settings. Deployment and updates can also be done through Windows Update Services or SCCM. When the user is assigned a new role within the company, a reassessment is made for all the applications he/she is allowed to use.

Clive RobinsonNovember 22, 2015 7:00 PM

@ Justin,

Tin and cadmium are two metals that have caused many problems in solder over the thousand odd years man has been soldering.

Tin rot has "unknown components" but what is known is that it suffers from an allotropic change at the bottom end of acceptable non specialised clothing temperatures (14 +-3C). That is, tin is known to go from a silvery metallic conductive form to a dull metallic grey crystal/powdery non conductive form. Which has been specifically known by organ pipe makers since medieval times. As with all amalgams of metals (including the fillings in people's teeth) there is a great deal we do not know.

When the RoHS rules were originally discussed the makers of musical instruments said that the removal of lead from soft solders would be a mistake the industry would quickly regret for exactly this reason... History has tales to tell with "uniform buttons": although it is unlikely that Napoleon's soldiers died due to "tin rot" in their buttons, tin buttons in warehouse storage are known to have been destroyed by "tin rot". What is not known is why it appears to spread like a disease, and little or no research could be the main factor rather than false recording of past events.

The specialised use of tin is also known to be an issue with other electronic components containing purer forms of tin such as LCDs, where thin layers of tin are laid on glass so as to be near invisible to the human eye but still be conductive.

We need research done, as the lack of knowledge has cost us big time already. At least one very expensive satellite has been known to fail due to the odd effects of tin. This caused it to be banned from use, and thus replaced with other metals that can add 100Kg of weight to a standard space payload, which adds a mind boggling cost to launches.

But there is also the primary issue of "what happened": it is suspected that a tin whisker caused the computer to fail due to "shorting out". Tin whiskers have been found in both computers and communications equipment that our modern society is built on... Other recent evidence indicates similar tin whiskers have caused "sensor failures" in vehicles and thus accidents with fatal outcomes. Do you want to sit in the seat of a car which might have a non mechanical brake failure at 70Kph? How about an aircraft with auto-pilot or engine/flight control failure? What about having a medical implant such as a pace maker fail? Or a smart meter in your home that decides it's 40 above when it's actually 40 below and forcefully cuts the power to the heating? So definitely it is a subject that falls into "computer security" just on technical grounds.

But how about political as well?

The existence of tin rot in its various forms has been known about for some time, and yes the warnings have been ignored for what some consider are incorrect "political" choices. As is normal in such choices "science" was not involved in the outcome and as a result the wrong choices have probably been made...

Whilst there is nothing new in this, history tells us yet again that using knee jerk politics and not considered and reputable science to change societal behaviour is going to cause ever increasing problems with time (such is the way of the world).

Oh, and it further highlights a problem in politics in general. There is a standard political argument that "The men of science will find solutions"; well, they don't get the chance, pure and simple. Because "the men of quick profit buy the legislation" more often than not. But perhaps worse, bad legislation happens because we also "think of the children" and plan by worst case scenarios thought up by those with an agenda and not science, mathematics or more importantly reason. That is, an "outlier event" causes a news story which in turn causes not just FUD but a sense of aggrievement and thus an agenda.

People with an unreasoned agenda are surprisingly quite common but they also tend more towards extremism, which attracts in others "looking for a cause". As has been seen in more recent times the Internet allows them to feed on each other's needs, which attracts in others with psychopathic / sociopathic intent and causes what we now call "radicalisation" and terrorist type activities.

So whilst at first it might appear that "tin rot" has little to do with computer security, it can be seen it's only one or two degrees of freedom away from it, both technically and politically, and further similar things can with a little FUD thrown in the mix become just one more degree away from violent activism and thus tip over into terrorism. Which has been seen in the past with medical and other research in the west.

This is known to people in authority; there is a standing joke about the UK Home Office. When a new Minister of State is appointed they ask the obvious question about what is likely to be an issue etc. Supposedly the Civil Servant in charge invites them to look out of the window at the weather and predict when it will next be blue skies, grey or even stormy weather, and comments that even the weathermen don't know from one day to the next.

We even have a saying about a "butterfly's wings" in some distant place causing storms above our heads. The point being that even the tiniest least likely thing could become the next "cause célèbre" for a "nutter with a bomb". Hence the saying about "Three signposts to disaster". The first can only be seen with hindsight, the second only by the worldly wise and acutely observant, the third obvious to all but those of the dimmest of perception or intimately involved.

It is this first and second step that "collect it and store it all" is supposed to make easier. Hence the "time machine" effect they are trying to build at vast expense. This comes from the same flawed arguments that can be found in the supposed advantages of "High Frequency Trading". Which give rise to the appearance that knowing things just milliseconds before your competitors gives you a massive advantage. The problem with this is reality: HFT is a faux market place with its own faux rules based on different assumptions than the real world but tainted by the idea they are related in ways they actually are not. Using the ideas outside of the faux environment will more often than not lead to failure or less frequently a world of hurt for the innocent, with success being no more or less than predicted by a roll of the appropriate number of dice. But how many dice? We have no idea if it's twenty, a hundred, a thousand or a million dice... But with just ten giving odds of over one in sixty million we can see that even vast stores of data and computing power are not going to be even remotely of help in getting a timely solution. That is assuming of course that we knew what were the right questions to ask in the first place... Which for obvious reasons we don't...

Dirk PraetNovember 22, 2015 7:21 PM

@ Justin

There is no need for professionals as long as there are amateurs willing to die or get caught.

Yes, but even recruiting, brainwashing and training low-level operatives takes time and resources. However much it may be a strategic decision to consider these expendable, leaving field commanders to their own devices is sending the wrong message to middle management types any executive needs to successfully execute on strategy. If there had been a contingency plan to extract Abaaoud, the man would have become an even more valuable asset to Da'esh and even more dangerous to society for all the practical lessons learned during the attacks.

Clive RobinsonNovember 22, 2015 9:18 PM

@ Dirk Praet, Justin,

In the past there has been an argument that terrorist commanders do not want survivors from attacks coming back to haunt them.

That is they are only suitable to be martyred not congratulated. Their mentality is unsuited to becoming teachers, and their minds will dwell on what is in effect their failure to fall in battle and ascend to heaven in a state of grace, which was their personal objective instilled in them during radicalization. Thus they might start to question their teachers and that makes them a danger to their superiors, that can not be allowed...

But there is another aspect: a dead terrorist is often a dead end as far as enquiries go. Because little was known about them other than they dropped out of sight some time previously, without ever having made it onto the radar, now they are just bits of a body in a bag destined for an unmarked hole in the ground.

But being a live known criminal and very much target zero on everybody's radar is a significant problem. The sort of support network required for that is orders of magnitude more difficult as there are no safe havens these days for marked men; death and destruction follow their footsteps. There are reasons why drones are known as reapers and it has dark humor behind it, not lost on those who run the terrorist training or those that assist them. These people have lives, families, friends and importantly a sense of self worth of being sufficiently important to the cause to justify rather more than their continued existence.

The simple fact is those who run terrorist networks these days don't have the ability to train operatives to the required level of OpSec that they can survive on the radar. Nor do they have the ability to train those who would need to act as deep cover recovery specialists; even big states have real troubles here, which is why NOC officers are rare and contractors paid in ways that you or I could only dream of (think the best of "insider trading" and full tax cover).

Getting involved with such terrorist organisations is not a glamorous life or a life at all; it's a death sentence these days. There is soon going to be no way home for jihadists; they will not be wanted there or at home. They will be stateless and without assets to survive upon.

The reality is their usefulness is non existent there other than as cannon fodder or the equivalent of a slave. They are "marked for death or exploitation" one way or another the moment they arrive and will be shunned, killed, imprisoned or effectively enslaved if they try to stay, or imprisoned if they try to return.

That is, their journey once started is a termination of their existing life, with no way back and as for forward... like most westerners they don't have the life skills to survive in a world they can not comprehend or have the resources to buy protection in, and where religious piety will not put food in their belly, but will get them stoned to death if deemed insufficiently pious.

So how they are going to survive where they have no appropriate life skills or welfare or family support, don't fit in with the culture or speak the language as anything other than an outsider, is something they have obviously not considered. I guess neither have they considered disease, infections or accidents in a part of the world where a minor cut can kill you for want of clean water, a bottle of antiseptic, sterile stitches, a handful of pills or a health care worker. Where many more young women die needlessly in complications of child birth and malnutrition than die in accidents. Where guns and knives settle arguments and people just disappear with barely a comment, without a family to push and bribe what passes for authorities to get questions asked, let alone answered.

JustinNovember 23, 2015 1:03 AM

@Clive Robinson

"Tin rot" or I guess they call it on Wikipedia, "tin pest," is an odd problem. It would seem to me that the lead-free silver-bearing solders on the market simply have too high a tin content (~96%) to avoid those problems peculiar to tin. Silver and copper do not alloy with tin as well as does lead. Bismuth alloys better with tin, but it also forms whiskers.

It makes me wonder if it isn't a case of "engineered obsolescence" which would not surprise me in modern electronics, and the RoHS requirements would serve as the enforcement mechanism of the cartel's refusal to manufacture reliable, long-lasting electronics. Unless a good substitute for tin-lead solder is found, but there seems to be little effort directed toward finding one.

I think you are right on with your post about the terrorist commanders' strategies. Hopefully some potential recruits will read that and realize how their loyalties are being cynically manipulated.

Frank SNovember 23, 2015 1:12 AM

Elliptic Curve Cryptography page 63 backdoor

After reading the Koblitz & Menezes paper dealing with the ECC & NSA weird case I have been searching a little bit for some more data related with it. And then I came to this:

https://www.linkedin.com/pulse/page-63-backdoor-elliptic-curve-cryptography-kevin-acres

For sure there has been a lot of debate related with the crypto strength of the NSA curves (and standardized curves in general: http://safecurves.cr.yp.to). But this ’63 page issue’ is suggesting deliberately weak curves included in the standard (and now we have some experience based on the EC_DRBG).

I have not gone into math details in the “Discrete Logarithms …” paper or if it is really related or applicable to NIST ECC curves. At first glance it looks interesting enough, but on the other side it looks pretty improbable that if this points to something real it could have been unnoticed for so long.

Does the linkedin post make any sense?

Or is it just some kind of obscure coincidence in the ‘a’ ‘b’ nomenclature between the paper and the standard?

WinterNovember 23, 2015 2:45 AM

@Dirk & Clive
"If there had been a contingency plan to extract Abaaoud, the man would have become an even more valuable asset to Da'esh and even more dangerous to society for all the practical lessons learned during the attacks."

I think the Belgian government made the same analysis as Clive and came to the conclusion that Abaaoud will not try to get back to Syria. The only way forward for him is to get killed in action. The same holds for any operatives still in Brussels.

What you see now is Belgian society bracing for a suicide action like in Paris that will come if the operatives are not found. That means they must deny them a crowd to attack. Hence the total shutdown of Brussels. I am also sure they are scrutinizing everyone who travels to other cities.

Who?November 23, 2015 3:55 AM

@ Frank S

It is odd. Kevin Acres publishes this Linkedin post in April 2015... three months later the NSA bumps its Suite B Cryptography algorithms. It is really odd.

See a pattern here?November 23, 2015 5:41 AM

For Skeptical and other apologists of US-grown, ISIS-branded terrorism:

Leaked US-UK intelligence files - IN 1957 - showing your paymasters hard at work with the same Syria strategy! I.e. fuck it up by staging clashes to provide a pretext for intervention. And guess what, the UK was fellating the USG even back then - they must get awful tired?:

"In order to facilitate the action of liberative [sic] forces... a special effort should be made to eliminate certain key individuals [and] to proceed with internal disturbances in Syria. CIA is prepared, and SIS (MI6) will attempt to mount minor sabotage and coup de main [sic] incidents within Syria, working through contacts with individuals... a necessary degree of fear... frontier and [staged] border clashes [will] provide a pretext for intervention... the CIA and SIS should use... capabilities in both psychological and action fields to augment tension."

Does the MSM:

- not have search engines available to them?
- never taken history?
- never heard of Pol Pot (another US war-machine creation from bombing adventures)?
- not fully aware that Turkey has been the go to man for funding ISIS for years now?
- completely gullible and beholden to the elite (yes)?

Follow the money, honeys!

Those with an IQ above 80 would prefer the fascists at least confess they pull the strings for once - happily supporting genocidal activities as a pretext for further military $ - since their hands are all over it.

Yeah but, no but, yeah but, MIC says NO! to encryption

Bwa ha ha! Simply retarded.

I'm sure Hitlary Clinton or Donald Chump will follow the same meat-grinder path.

In 50 years, we will again have leaked CIA documents saying the exact same thing about the early 21st century.

And some Judas like Skeptical will still be defending the oligarchs / muddying the waters / casting suspicion upon the citizens, while the puppet-masters of global terrorism remain firmly where they always have been - in the White House / Pentagon.

John Galt IVNovember 23, 2015 7:01 AM


I dug into the tin pest story a couple of times in recent years as part of looking into RoHS solders. I don't have the cites handy, but the conclusion that I found is that even a few percent of other alloying metals is enough to stop the phase transition. I believe that largely stops whisker formation too. Silver is notorious for electromigration in moist environments, but I haven't seen that mentioned in the context of lead-free solders.

I didn't see anyone mention that (some) life, safety, health applications are exempted from the lead-free requirement. I think that both telecom and DoD have exemptions available.

As noted, the tin pest story added insult to injury for Napoleon's troops as they faced the Russian winter. If I understand correctly, the most important cause of death was dysentery, but fever and weakness are a bad start when the temperatures are well below freezing. Apparently, this is one of the most famous multidimensional graphs ever made. I may have posted it before. If I didn't, I should have.

http://www.edwardtufte.com/tufte/posters

Dirk PraetNovember 23, 2015 7:25 AM

@ Winter, @ Clive

I think the Belgian government made the same analysis as Clive and came to the conclusion that Abaaoud will not try to get back to Syria.

Abaaoud was blown to pieces during the St. Denis raids. It's Saleh Abdeslam Belgian authorities are worried about. This douchebag and co-owner of a bar that got closed for drug dealing apparently chickened out of blowing himself up on November 13th but instead asked two friends to come and pick him up and drive him back to Belgium. He's still at large and believed to be in the possession of an explosive belt he may yet use against some soft target in the Brussels area. Hence the complete shutdown.

@ See a pattern here?

Leaked US-UK intelligence files - IN 1957 - showing your paymasters hard at work with the same Syria strategy

References please.

Yeah but, no but, yeah but, MIC says NO! to encryption

Is that you, Vicky Pollard ?

Clive RobinsonNovember 23, 2015 7:44 AM

@ John Galt IV,

As with all EU technical directives there is an exemption for "National Security". Which is why the authorities can get to play with tasers and the like (that fail things like the basic LVD and EMCD) and actually don't have to follow the "blue book requirements", CE marking etc etc, which the rest of us have to.

The Telecoms industry exemption is far from industry wide; it really only exempts certain limited use high voltage high power equipment where the likes of flash over could be effectively explosive in nature. So whilst the power devices are exempt, the control systems and computers used in the rest of the system are not.

The medical exemptions are not really exemptions, because other more exacting standards were in place long prior to RoHS.

There are as you say other exemptions but as I've not been involved with those industries I did not take any great interest in them. But I vaguely remember musical instruments and some locomotive bearings were exempt for various reasons that might be due to "historic" reasoning, as are "restoration / repair" which is why I still have and use leaded solders.

One thing you don't get to see a lot about is "leaching": PbFree solders all work at higher temperatures and also leach copper from PCB tracks etc. This means "re-work" is a major failure mode that has to be refactored into both MTTF and MTTR figures and hence reliability and availability figures. But it also has the side effect of making undesirable scrappage figures higher by as much as 5% of production numbers, making QA even more important. This has a knock on effect in that lots of PCBs used to be "hand assembled" in the Far East etc, which had a consequence of re-work. Thus hand assembly has become a "blight" and unemployment a result... Causing other knock on effects affecting employment all the way into the likes of Uni courses and technical education. Thus the law of "unintended consequences" has had one or three outings on RoHS...

John Galt IVNovember 23, 2015 7:53 AM


from the daily news compendium, filled with biting wit

http://www.nakedcapitalism.com/2015/11/links-112315.html
...
Why the Internet of Things Should Be a Bank Thing American Banker.

http://www.americanbanker.com/news/bank-technology/why-the-internet-of-things-should-be-a-bank-thing-1077911-1.html

“If you’re paying for groceries with your refrigerator, as a banker I want to have my credentials in your refrigerator making that payment.” What could go wrong?
...
Big Brother Is Watching You Watch

Swedish rape warrant for Wikileaks’ Assange cancelled BBC.
http://www.bbc.com/news/world-europe-11049316

Maybe Obama’s concluded a snatch team while Assange is on the way to Heathrow will be more effective, since Assange now can’t be rendered?

65535November 23, 2015 8:42 AM

@ Jacob
Excuse the late reply. My Monday started early.

Yes, browsers, Flash, and Windows are a huge subject but that is what a lot of people use.

All of your three paragraphs were very helpful.

I do agree that foxit is much more secure. The problem is some complex IRS forms don’t print correctly with it. But, for viewing documents foxit works great.

I agree that private mode is helpful. And, I will give the EME free version a go. Thanks

https://ftp.mozilla.org/pub/firefox/releases/38.0/win32-EME-free/en-US/

“…Keep add-ons to a minimum, and train your customers how to selectively enable NoScript's blocked entries or Ghostery's trackers if the need arises.”

I do agree that add-ons could be very sketchy. Some of my customers do use NoScript and Ghostery. I understand that certain add-ons like Adblock Plus may do some SSL stripping – which is bad.

“I don't trust Adobe at all, but I do use Flash on "Ask to Activate" mode, and make sure that I update it ASAP when a new bug fixing version hits the wire.”

I don’t trust Adobe either. The problem is the current Acrobat Reader update jumps to “Acrobat DC” which has a cloud element – or is mostly server side from Adobe.

Thanks for the tip of PdfFactory and Pale Moon. All three paragraphs were helpful.

@ Dirk Praet

I agree with the statement, “You can't secure stuff that that has more holes in it than a Swiss cheese. You can only try to mitigate it.” That is what I am looking for.

Yup, java/Java script + flash + windows is hard to lock down. But, any lock down is better than none.

“If no workable alternatives can be found (like Foxit .pdf reader), they're assigned to a GPO that controls installation, upgrades and settings. Deployment and updates can also be done through Windows Update Services or SCCM. when the user is assigned a new role within the company, a reassessment is made for all the applications he/she is allowed to use.”

That is a good point. I should encourage my clients to utilize GPOs more often as a security measure. I'll give it a go. Almost all of the boxes are Win 7 Pro or higher, so GPOs are doable [a few Linux boxes for specialized use].

“If for whatever reason management does not agree with the policy, it is noted in official meeting minutes, as are the reasons for declining the proposal."

I never thought to document my disagreement with management. But, that option is available even in a small business environment. I will gently start documentation of obvious unsafe security practices. This could not only cover my arse but it could also remind the owners of blatant security risks that need correcting [before they end up in court]. Thanks.

Clive RobinsonNovember 23, 2015 8:56 AM

@ Dirk,

He's still at large and believed to be in the possession of an explosive belt he may yet use against some soft target in the Brussels area.

Has there been any word on the type of explosive in use?

It's just that some homemade explosives age very rapidly, becoming either too insensitive and thus not going high order, or too sensitive and going high order if you just look at them hard.

Thus if made with either non-commercial explosives or detonators the belt could now be or will soon be of no use to him in attacking a target.

I could be wrong, but just maybe he's waking up to the "real world" and realised he's a bit brighter than the mindless programmed cannon fodder. And just blowing yourself up as a couple of the Paris attackers did at the football stadium is not the way to go...

Perhaps mad as it sounds he might ask for and get special protection. He must know that the authorities will kill him if he makes just one mistake, but that they would rather have a long chat. He also probably realises that his former colleagues want him dead so he can not have those chats... Thus he may realise or be told he's now in the same position "as a silver fob watch at a pickpockets convention".

CrusaderNovember 23, 2015 9:16 AM

@To Our Boys!

Anonymous Hacking Group Takes Down 20,000 ISIS Twitter accounts http://thehackernews.com/2015/11/anonymous-hacker-isis_21.html

I am sure that gives you a feel good moment, but it should be noted civilians should not attempt to engage in operations against ISIS.

This will do more harm than good and interfere with existing operations.

This reporting was very bad. One clue is the article does not explain what they mean by 'takedown'. DoS? (Which is temporary?) Broke all the account passwords, went in there, and changed them? (Which is very strange.)

And so on.

http://bgr.com/2015/11/23/anonymous-vs-isis-twitter-accounts-banned/
http://www.theguardian.com/us-news/2015/sep/10/james-clapper-pentagon-military-official

Over the years, there have been very few Anonymous operations which were really hacking and not just "let's show up and run an application to fire packets at a system".

This has given many former Anonymous participants and many admirers of Anonymous significant over estimation of their own abilities. And of their own understanding of hacking. Not a good way to enter a war in, cyber or otherwise.

Good to be against ISIS, not good to stop first and study before charging the front lines.


CrusaderNovember 23, 2015 9:39 AM

@Clapper Redux

US spy chief Highly Unusual Daily Intelligence Manipulations The Department of Defense Inspector General has a major investigation into why ISIL intelligence from Central Command is repeatedly found bogus. It turns out confirmed liar James Clapper, the director of national intelligence, talks in private every day with the head of US Central Command’s intelligence wing, Army Major General Steven Grove – “which is highly, highly unusual”, according to a former intelligence official.
http://www.theguardian.com/us-news/2015/sep/10/james-clapper-pentagon-military-official

Unfortunately that story relies on entirely anonymous sources, and this includes the claim that this Army general is under investigation.

Not the best example of Guardian reporting. Looking up the details of it reveals more specific details, including that Grove is the head of Army Intelligence. Which means he is an important contact for Clapper to speak to.

But, it could be, to put on one's conspiracy theory hat: Maybe the Army has a secret group in it working 'behind the scenes' to set up a coup.

This group has lasso'd in Clapper, who is really just a PR guy for American intelligence. Why? The motive? To have a consistent overly optimistic assessment given for the battle against ISIS. Why? To give ISIS the time to fuel attacks so that the resulting backlash will be appropriately severe. Or, perhaps, to use said attacks to undermine public confidence in the existing status quo in America.

Reality, Clapper probably spends significant time talking with a lot of intelligence officials. Army intelligence is definitely significant.

Being "investigated" and "doing something wrong" are very different things, so often.


CallMeLateForSupperNovember 23, 2015 9:46 AM

Yahoo is withholding emails of a subset of its users who employ what Yahoo calls "ad blockers". “This is a test we’re running for a small number of Yahoo Mail users in the U.S.”

A test you're running *for* users? As in "at the request of users" or "as a proxy for users" or "for the benefit of users"? Yeah, like anyone wants their email held for ransom.

https://boingboing.net/2015/11/20/yahoo-blocks-some-users-from-a.html

CrusaderNovember 23, 2015 9:48 AM

@See a pattern here?

[Basically states that the US, via the CIA primarily, during the Cold War, ran various operations against various regimes across the world, including destabilizing them]

That was the Cold War. And that was largely directed against pro-Communist groups. It is easy in retrospect to argue the threat was over estimated and make other such calculations.

"Cambodia".

It is difficult to argue that the American influence on the rise of Cambodia's Pol Pot was not accidental, and more a part of poor oversight and poor planning than good planning.

It might also be noted that many Western Leftists, Noam Chomsky foremost, perhaps, apologized for Pol Pot and denied his crimes. This frustrated efforts of survivors significantly. I do not believe Chomsky ever apologized for that either.

"ISIS".

Likewise, more like poor planning. Going in and getting Saddam was one thing. The intelligence was bad, was another. The world was shown that intelligence, and it was clearly inadequate at the time. And that was absolutely proven afterwards.

The American regime simply thought way too much of their own capabilities. There were some vested interests there, like Halliburton and other defense contractors being relied on for clean up and occupation.

When I heard that they were going to *not* divide the region into three: one for Sunni, one for Shia, one for Kurds... I knew it was going to fail, right off. Really bad idea. But, fact is, they probably just did not give it any thought.

Then, you had the American people and the West clamoring for early withdrawal.

Even now, what could stop ISIS is a powerful strike. They are very weak in many core ways. They are significantly lacking appropriate medical care. Professionals do not want to stay there. Their members are pedophiles, rapists, and sexual slave traders.

But, nobody will stomach a powerful strike, it would mean many civilian casualties.


Nick PNovember 23, 2015 9:52 AM

@ Grauhut

That's disturbing. Actually, just crazy that I can get something around the world for $300 or so. You'd think that they'd do a price-fixing cartel in that industry to set a minimum price and compete on other stuff just for *survival*. Apparently not. Those diversifying will probably last but the others could collapse. Will be interesting to see the effect on price and the market.

@ Clive Robinson

re ransomware

That's a real treat. The one commenter senses a honeypot but thinks that's "too far-fetched really." Should've trusted the instincts. Return same number always because dice roll guaranteed it was random... lmao finally see the canonical example of retarded randomness get deployed. Sent the key in the clear on top of that.

re FISC court

Just as I told Skeptical. The accountability, data, and judges' effect are bullshit. Watch nothing happen as a result other than some gripes because it's not a real court or accountability. NSA has effective immunity.

@ CallMeLateforSupper

"Yahoo is withholding emails of a subset of its users who employ what Yahoo calls "ad blockers". “This is a test we’re running for a small number of Yahoo Mail users in the U.S.”"

That's an interesting move. I've always said using ad-blockers for ad-supported services is basically a legal form of piracy. How to deal with that has usually just been increased annoyance of ads and tracking. Yahoo is testing the simpler route of simply not serving those who don't contribute to its bottom line. It's a fair approach but I'd say giving a warning ahead of time would be more ethical. Then again, I just called those people pirates. Do pirates deserve a fair or selfless response? ;)

CrusaderNovember 23, 2015 9:53 AM

@Justin

Convinced that they were all going to die, there was apparently no exit plan.

That's because the ones actually carrying out the attacks are considered disposable by their superiors. There is no need for professionals as long as there are amateurs willing to die or get caught. If they need training, they will be drilled just enough to carry out their given task. Their superiors are not going to waste the time teaching them not to get caught.

That is a guess, and one based on little knowledge of ISIS.

ISIS is, in general, a complete mess. They do not know what they are doing in many regards. They are lacking experienced people in all areas which require them. They do not have any "superiors" that have superior knowledge in pulling off such an operation. There are some who are gaining battle experience currently. There are very few who had some military training previously from Iraq. None of these are qualifications for 'knowing how to plan and enact an urban military operation'.

This does not mean the threat is low anywhere.

Even that retarded kid in Connecticut did some significant damage when he went alone on his murder-suicide spree.

Mr MisterNovember 23, 2015 12:45 PM

About an eDellRoot certificate shipped with Dell laptops...

Dell ships laptops with rogue root CA, exactly like what happened with Lenovo and Superfish
https://www.reddit.com/r/technology/comments/3twmfv/dell_ships_laptops_with_rogue_root_ca_exactly/

UPDATE: I've been reading that a lot of people are skeptical in the sense that this CA can't actually do anything because the CA has no capabilities. I did some more research and found out that this CA can indeed sign server certificates. I've updated the list of files above to include a certificate issued by the CA with file name "badgoogle.crt", which you can also see in this screenshot. For those that are unfamiliar with how this works, a network attacker could use this CA do sign his or her own fake certificates for use on real websites and an affected Dell user would be none the wiser unless they happened to check the website's certificate chain. This CA could also be used to sign code to run on people's machines, but I haven't tested this out yet.

BenniNovember 23, 2015 1:33 PM

Dell ships laptops with rogue root CA, exactly like what happened with Lenovo and Superfish

"I got a shiny new XPS 15 laptop from Dell, and while attempting to troubleshoot a problem, I discovered that it came pre-loaded with a self-signed root CA (Certificate Authority) by the name of eDellRoot. With it came its private key, marked as non-exportable. However, it is still possible to obtain a raw copy of the private key by using several tools available"

https://www.reddit.com/r/technology/comments/3twmfv/dell_ships_laptops_with_rogue_root_ca_exactly/

Heise has tested it:
http://www.heise.de/newsticker/meldung/Dell-Rechner-mit-Hintertuer-zur-Verschluesselung-von-Windows-Systemen-3015015.html

Affects all browsers using Microsoft's crypto API, like Internet Explorer, Edge and Chrome.
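The eDellRoot problem described in the two comments above is a trusted root certificate shipped together with its private key, so the browsers named above (those that take their trust anchors from Microsoft's crypto API) will accept anything signed with that key. As an added example, not code from either commenter or from Dell, the following PowerShell inventories the Windows root stores and flags roots that carry a private key on the endpoint or whose subject matches a known rogue name; the store paths and the `$knownBad` list are illustrative assumptions.

```powershell
# Added example: audit Windows trusted root stores for the eDellRoot condition.
# Run in an elevated PowerShell session. Assumption: these two stores are the
# ones the affected browsers consult; extend the list for your own environment.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

# Subject names the page identifies as rogue; extend from your own intel.
$knownBad = @('eDellRoot')

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store | ForEach-Object {
        $cert = $_
        # SimpleName returns the CN of the subject (forIssuer = $false).
        $cn = $cert.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName,
            $false)
        $reasons = @()

        # A root CA whose private key lives on a client endpoint is the core
        # defect: anyone who extracts the key can issue certificates this
        # machine will trust without any warning.
        if ($cert.HasPrivateKey) {
            $reasons += 'private key present for a trusted root'
        }
        if ($knownBad -contains $cn) {
            $reasons += 'subject matches a known rogue root'
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Store      = $store
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Reason     = ($reasons -join '; ')
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    # Removal is a separate, deliberate step: review the findings first, then
    # for each confirmed entry remove it by thumbprint from its store, e.g.
    #   Remove-Item -Path "Cert:\LocalMachine\Root\<thumbprint>"
} else {
    Write-Output 'No trusted roots with private keys or known rogue subjects found.'
}
```

Export the `$findings` objects to CSV from a fleet-wide run if you want a single view of which machines still carry such a root after remediation.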

BenniNovember 23, 2015 1:37 PM

http://www.spiegel.de/international/world/nsa-secret-toolbox-ant-unit-offers-spy-gadgets-for-every-need-a-941006.html

ANT offers malware and hardware for use on computers made by Cisco, Dell, Juniper, Hewlett-Packard and Chinese company Huawei.

"Cisco does not work with any government to modify our equipment, nor to implement any so-called security 'back doors' in our products," the company said in a statement

A representative of Hewlett-Packard wrote that the company was not aware of any of the information presented in the report and that it did "not believe any of it to be true."

Contacted by SPIEGEL reporters, officials at Juniper Networks and Huawei also said they had no knowledge of any such modifications.

!!!!!!!Meanwhile, Dell officials said the company "respects and complies with the laws of all countries in which it operates.!!!!!!!!!!!!

Nick PNovember 23, 2015 2:17 PM

System and Security Paper Release

Building Dependable Systems: The OpenVMS Approach (1994)

Found this when looking for an article on their development process. Nice set of information that still benefits today although many techniques have been exceeded individually. Interestingly, the case study shows OpenVMS were doing "lights out" datacenters in late 80's. I thought that was a bit more modern thing. Nope. Just history repeating and another win for VMS. :)

Micro-reboot: A technique for cheap recovery (2004)

This is an interesting paper that expands on the periodic reboot technique. The idea is to focus reboots on individual components, make them quick, and ensure they don't disrupt anything. Turns out to be effective in client/server or web stacks for many types of errors. The breakdown on various types of errors is nice.

The design and implementation of micro-drivers (2008)

While we're at it, let's deal with some driver issues in monolithic kernels. Most approaches are heavyweight. This simple one reminds me of JX's split driver architecture that does something similar, albeit with big part in type-safe Java. Eliminating a huge chunk of code from kernel combined with compiler security techniques & reincarnation server would be a nice result. If fast-path is small, could use lightweight, formal verification on it.

A high performance, kernel-less operating system architecture (2013)

I haven't read this yet past skimming. I'll leave it to others for now. Collected it as the kernel-less OS niche is getting more attention.

RockJIT: Securing Just-In-Time Compilation Using Modular Control-Flow Integrity (2014)

Protects your PC from JIT issues with control-flow integrity. Proven on Chrome JS with around 14.6% overhead. I could see such a method combined with more full-on techniques like SoftBound or even lower overhead methods such as Code Pointer Integrity (1-10% overhead).

Declarative, Temporal, and Practical Programming with Capabilities (2013)

Capsicum lets one apply the capability model to further enforce POLA in FreeBSD programs. The problem is you have to re-write the programs to do that. The capweave tool, LLVM-based, takes the program and a declarative spec then does that for you. :)

AutoCorres - formal verification of C code without the pain (2014)

This came out of the seL4 verification work. In that, they proved the equivalence of a formal specification of Haskell code with a formal spec of low-level, C code. One difficulty is producing specs for C code. This tool does that automatically and with provable correctness. They show it drastically reduces effort with experiments on microkernels and the Schorr-Waite algorithm. I think tools like this might be modified to work with lighter methods like Altran/Praxis's Z specs to SPARK or C code. Or even to feed tools such as Frama-C or Astree.

Compiling PCRE to FPGA for accelerating SNORT IDS (2007)

Network intrusion detection and datamining both need fast pattern matching. This usually happens with regular expressions and FSM's. Accelerating them with FPGA can be useful. This paper describes how to generate hardware from PCRE's. Their speedup was over 300x vs software. :)

Theory of programs by Bertrand Meyer (2015)

I'm not mathematically inclined enough to follow this. Meyer is the bright mind behind Eiffel language and Design by Contract. Tries to reduce correct programming down to simple, mathematical description. I'll let the math wizards tell me what they think the paper accomplishes.

User interaction design for secure systems (2002)

A little reminder about a topic that doesn't get enough attention. Good examples.

Introduction to functional programming by Harrison (1996)

John Harrison's book goes into incredible detail on compiler implementations of functional programming, esp of Haskell type. Commenters where I found it kept using the word "timeless" so I assume it's really good. ;) Anyone attempting to understand, improve, or secure them needs to know things like this. So, great that the book is free now.

Practical foundations for programming languages Harper (2012)

For people trying to make better ones or better understand existing ones. Haven't read this but table of contents looks very thorough.

All for now as I have less time today than I thought. Have fun. :)

Note: Most of my research has been on FPGA and ASIC lifecycle techniques. Got tons of papers on each aspect of those flows with intent that FOSS developers might build out of them. Can post some of those if people want but held off given there seems little experience or interest here on that end. Doesn't help that the overall process is a Mega-Hard problem composed of other Mega-Hard problems. That's before you consider subversion. ;)

BenniNovember 23, 2015 2:54 PM

BND has given incomplete files to the NSA investigation commission. But from what they have, they can tell not only French companies were targeted....

http://www.tagesschau.de/inland/nsa-selektoren-107.html

Where do CIA agents get German passports from? Well, from BND:

https://netzpolitik.org/2015/tarnidentitaeten-ahnungslosigkeit-der-bundesregierung-und-doppeltarnung-von-us-geheimdienstlern-beim-bnd/

BND says, however, that it does not know how many and to which people it has given these false identities...

News from Belgium:

http://www.focus.de/digital/multimedia/verdacht-des-belgischen-innenministers-kommuniziert-der-is-ueber-eine-spielekonsole_id_5090222.html

"It is more difficult to monitor playstation4 than whatsapp, says the minister"...

There was this recent terror attack at a Mali hotel....
http://www.spiegel.de/politik/ausland/mali-der-loewe-der-wueste-und-seine-terrorbrigade-a-1063875.html

The terrorist was a BND agent once:
http://www.spiegel.de/politik/ausland/mali-islamistenfuehrer-war-helfer-der-bundesregierung-a-878572.html

In a recent interview, BND is quoted that they know sources who have more blood on their hands than the agents from Germany have in their veins. "But if such people are important actors in a country, then we must work with them"

http://www.spiegel.de/politik/deutschland/bnd-chef-gerhard-schindler-warnt-vor-neuer-is-strategie-a-1064014.html

Dirk PraetNovember 23, 2015 3:08 PM

@ Clive

Has there been any word on the type of explosive in use?

I guess authorities have a reasonably good or at least approximative idea of what was used in Paris both from examining remains and Da'esh manuals that can be found on the internet.

From the little I know of IED's and home-brew explosives, much of that stuff tends to be really unstable and I lost all interest in it somewhere in my early twenties when two friends of mine both lost a hand and one of them his left eye. The Anarchist Cookbook was still widely available in those days and neither of them realised that mucking about with red phosphorus and potassium chlorate was a really stupid idea. Needless to say they weren't exactly the sharpest knives in the drawer.

Perhaps mad as it sounds he might ask for and get special protection.

Far as I know, neither the French nor the Belgian legal system has a plea bargain or witness protection program in place for the acts he's suspected to be involved in. If found guilty, he's facing life in prison, which I'm sure he knows too. As he's managed to evade capture for more than a week now, it's highly likely that he's getting help and still hoping to make his way to the Middle East somehow. Which I doubt is going to happen because he's become too much of a liability for any valuable operative to get involved with.

If I were Da'esh central command, I'd by now have sent him an order down the chain to either go out in a blaze of glory - like he promised to do - or get executed for treason to the cause. From a terrorist vantage, disappearing him would even make sense in that burying a corpse is easier than hiding a fugitive. Any way the dice roll, this guy is finished. The best thing we can hope for is that he doesn't grow a pair of balls after all and take more innocent people with him. Which is exactly what Belgian authorities are afraid of.

@ 65535

I will gently start documentation of obvious unsafe security practices.

The best way to go about it is by proposing a short audit and business impact analysis showing management the potential monetary, legal and reputational consequences of data theft, destruction, corruption or unavailability thereof. And how implementation of certain controls can mitigate the risk of this happening.

Never go into technical details. Nobody understands them anyway and anything IT or IT security related is by definition perceived as a cost with little or no return on investment unless you can present a solid business case that not doing it carries a high risk of costing more. If you get answers like "this can't happen here", "if it happens we just go bust" or "I'm moving to a country we don't have an extradition treaty with", note it down, stop bothering and move from a payroll to a contractor capacity. You'll be making a mint in cleaning up the mess the day the proverbial sh*t hits the fan.

@ Crusader

They do not have any "superiors" that have superior knowledge in pulling off such an operation. There are some who are gaining battle experience currently. There are very few who had some military training previously from Iraq.

Actually, they do. Most of the Da'esh military brass are officers from the former Iraqi army. Attacks like the ones we've seen in Paris don't serve strategic military goals in the areas they control. They're strictly marketing, hence don't warrant jeopardizing valuable assets that can be put to a better use elsewhere.

but it should be noted civilians should not attempt to engage in operations against ISIS.

I beg to differ. Although the citizenry should never interfere with police or military operations, alert civilians willing to risk their own lives were material in preventing the Thalys attack as well as the shoe and underwear bombers from succeeding.

CallMeLateForSupperNovember 23, 2015 4:09 PM

@Nick P

"I'd say giving a warning ahead of time would be more ethical."

It could be argued that Yahoo's modus is the warning: the test group is a subset of all users who employ what Yahoo says are ad blockers - not every user who employs them - and Yahoo has publicly acknowledged the "test".

IMO, the whole online ad thing has become noxious and is out of control.

CzernoNovember 23, 2015 5:42 PM

Explosive belt found ?

According to French media, an explosive belt that could have been Salah Abdeslam's was found abandoned in a trash can in a discreet street of a Paris suburb. It is said to be a model "identical to" those used by last Friday's terrorists...

CzernoNovember 23, 2015 5:47 PM

The header of my above comment should read
"Explosive belt found ?" - of course.
Sorry.
@Blogmaster : Not an excuse for my typing mistake but : can't the site's software let commentors post-edit for typos during a small 'grace period' ? It would be nice !

tyrNovember 23, 2015 7:09 PM


Re: Belt

So the dumbass finally woke up to the fact that wearing an explosive belt around in the hornets nest of police and military theatre would be a dead giveaway that he was the one.

Homemade explosives are not the only ones that deteriorate over time. Commercial stuff has to be routinely turned over or you get a very nasty condition: if you wait too long, your storage becomes a giant bomb with a hairtrigger fuse. There are old ones and bold ones, but there are no old bold ones.

CzernoNovember 24, 2015 6:52 AM

Explosive belts :

The prosecutor in charge of the inquiry, François Molins, says the explosive belts or waists worn by the Paris kamikazes were made "of TATP, batteries and a push-button detonator, and included a load of metal bolts..."

@Clive, maybe : any comments on TATP as the "primary" explosive ?

Clive RobinsonNovember 24, 2015 10:58 AM

@ Czerno,

You definitely don't want to experiment with those compounds in your mum's kitchen !

Not if you want to keep the roof on the house...

Acetone is a quite volatile fuel, and is not difficult to get hold of, as it's used as a solvent for many things, including acting as a "cold weld glue" for many plastics.

You also do not want to breathe in the fumes as, to quote some manufacturers, "It has known toxicological disadvantages", which is a nice way to say it kills you quickly by inhibition of biological processes such as respiration, slightly more slowly by other lower dose inhibitions, or at microscopic long term doses by causing cancer etc...

Hydrogen peroxide is really nasty stuff and during WWII the Germans used it as an oxidiser for rocket fuel... Basically it does not play well with anything organic. Whilst low concentrations are not difficult to get hold of, the high concentrations are quite difficult.

Over the years "recipes" to concentrate it have surfaced in things like the "Anarchists Cookbook". People following them have usually not survived the process unharmed.

Needless to say the result of brewing up this fuel and oxidizer with the appropriate acid and low temperature is one with one heck of a lot of energy stored in its chemical bonds. But... Interestingly when it does explode it tends to form acetone and ozone, not oxidation of the fuel. I'm told it was at one time considered for use in Fuel Air explosives by the Russians because of this.

Further if it is not stored correctly it sublimates with a loss of around 50% in around 250 hours. Also the sublimation is quite an unstable process and can cause spontaneous detonation. Which means that although it's a primary explosive --you could use in detonators and firing caps-- it's not stable enough to be used as any imperfection in sealing could end up in spontaneous detonation as could just leaving it on a shelf...

Which brings us around to what has not been talked about, which is the kind of detonator they used. This is the key component in bombs in the same way a match is to a bonfire or barbecue. Whilst "hot ignition wire" can be made with old fashioned flashlight bulbs it takes skill and practice to get them to be reliable with most primary explosives. That is it's not just heat you are looking for but the right sort of temperature rise, too fast and the wire will not transfer sufficient energy before it burns out, too slow and you don't get the primary explosive to give the required pulse to the main charge to ensure a high order result. Acetone peroxide is a little more forgiving in this respect but as previously noted it's asking for trouble doing so due to sublimation.

At one point the main advantage to acetone peroxide other than the easy access to precursors was it had no nitrogen content, which the majority of CAM devices looked for when detecting explosives. However acetone peroxide smells strongly of "bleach" or "acetone" thus it's quite easy to detect due to the sublimation or wetting evaporation it requires.

Jason Richardson-WhiteNovember 24, 2015 11:19 AM

Has anyone ever asked whether Snowden is a false flag operation?

I know, I know – it’s a ***crazy*** idea, so who *cares* if anyone has asked?

I’ll ask another crazy but related question. Is it possible that the NSA has an as-yet-unsuspected *enormous* technical superiority in cryptography over the rest of the world – private or public, West or East?

Bruce has thought about this second question. I apologize that I can’t find the reference but, in one place (his blog, I *think*), he argues that the NSA can’t have this superiority, because if it did, it would have intercepted Snowden’s communications and prevented the release of a lot of valuable data. I remember being struck by this because Bruce is *so* logical. He almost *never* commits errors in reasoning. But he did here. It’s a question-begging argument.

Let’s think it through. The NSA can’t have an enormous technical edge, because they would have been able to capture Snowden (in his transition to Moscow) by decrypting his personal communications. The suppressed premise here, of course, is that the US *would* have captured Snowden if it could have. But this begs the question. If the NSA *did* have a *sufficiently* great technical superiority, then they might have let Snowden go *on purpose*. We can’t show that they don’t have this technical ability by assuming that they don’t. That’s begging the question.

Such a false flag would have the benefits of giving its enemies a false sense of what they can do to get around the NSA, of how they can avoid being caught. Knowing how (or thinking one knows how) the NSA works, one might hope to plan a way to pass information reliably without being caught. Still using cryptography, of course, but knowing the pitfalls of the various programs disclosed by the Snowden materials.

Is it likely that the NSA has such a great advantage that the Snowden materials might be mere *bait*?

I don’t know, but I know this:

Possibly, there is an "interesting" formula for OEIS Entry A161642 [“interesting” in the sense of Lehmer -- see [1] D. H. Lehmer, AMM 92, 449 (1985)]. Call such a formula T(n,k). So we can write, T(n,k) = C(n,k) / GCD (n,k). But it follows immediately that GCD (n,k) = C(n,k) / T(n,k) (by simple algebra). Then, in terms of computational complexity, O(GCD(n,k)) = O{min[k,(n-k)]} / O(1). (See this paper.) But worst-case complexity of Extended GCD is in P if O[GCD(n,k)] is as above.

More simply, if there is a Lehmer-interesting formula for T(n,k), then there is an algorithm more efficient than Euclid’s for finding GCD of ***really*** large pairs of numbers -- sufficiently *more* efficient to put Extended GCD in P.

But Extended GCD is NP-Complete, so if it is in P, then P = NP (by some well-known proofs).

If the NSA had a constructive proof that P = NP prior to Snowden’s fleeing the USA, then it very well could have used the Snowden material as bait.

Nick PNovember 24, 2015 12:24 PM

@ Bruce, Clive, Wael

New results in DRAM chip failures: hard, not soft, errors are more prevalent

It's been suspected by some given what insiders in RAM manufacturing say about the rush to get them out the door once they pass testing. So much not checked that plenty of issues could be left in them. Not to mention deep sub-micron effects of advanced nodes make it hard to get chips to work and maintain that in general.

This write-up gives us some actual data based on real world systems. It shows the vast majority of the failures were straight hardware and often the *same* hardware. Shows that blacklisting those pieces stops the vast majority of issues with little RAM lost (e.g. 1MB per system). Major result.

Probable source paper. Here's another.
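The "blacklist the repeat offenders" policy Nick P summarises is easy to prototype from ordinary corrected-error logs. The following is an added illustration, not code or data from the DRAM papers linked above: it groups ECC events by (DIMM, 4 KiB page), calls a page a hard fault when it keeps faulting across a long time window, and costs the retirement policy in bytes lost versus events avoided. The event log, DIMM labels, addresses and thresholds are all constructed.

```python
"""Classify ECC memory-error reports into repeat-offender (likely hard)
pages and one-off (likely soft) events, then cost a page-retirement
policy.  Added illustration; the event log below is constructed, not data
from the DRAM failure papers discussed in the thread."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

PAGE_SHIFT = 12  # 4 KiB pages, the unit most kernels can offline


@dataclass(frozen=True)
class EccEvent:
    ts: int       # seconds since boot when the corrected error was logged
    dimm: str     # hypothetical DIMM label as a BMC or EDAC driver might report it
    addr: int     # physical address of the corrected error


PageKey = Tuple[str, int]   # (dimm, page number)


def page_of(addr: int) -> int:
    return addr >> PAGE_SHIFT


def classify(events: List[EccEvent], repeat_threshold: int = 3,
             min_span: int = 3600
             ) -> Tuple[Dict[PageKey, List[EccEvent]], Dict[PageKey, List[EccEvent]]]:
    """Split events by page.  A page that keeps faulting over a long window
    (>= repeat_threshold events spread over >= min_span seconds) is treated
    as a hard fault; a burst inside one short window, or a single hit, is
    left as transient because a particle strike explains it just as well."""
    by_page: Dict[PageKey, List[EccEvent]] = defaultdict(list)
    for e in events:
        by_page[(e.dimm, page_of(e.addr))].append(e)
    hard: Dict[PageKey, List[EccEvent]] = {}
    soft: Dict[PageKey, List[EccEvent]] = {}
    for key, evs in by_page.items():
        ts = sorted(e.ts for e in evs)
        if len(ts) >= repeat_threshold and ts[-1] - ts[0] >= min_span:
            hard[key] = evs
        else:
            soft[key] = evs
    return hard, soft


def retirement_plan(events: List[EccEvent]) -> dict:
    """Pages to retire, the RAM given up, and how many logged events would
    have been avoided had those pages been offlined at the start."""
    hard, _ = classify(events)
    retire = sorted(hard)
    return {
        "retire": retire,
        "bytes_lost": len(retire) << PAGE_SHIFT,
        "events_prevented": sum(len(v) for v in hard.values()),
        "total_events": len(events),
    }


# Constructed sample log: two pages that fault repeatedly over days, one
# short burst on a third page, and five scattered single hits.
SAMPLE_EVENTS = [
    EccEvent(100, "DIMM_A1", 0x12345010), EccEvent(4000, "DIMM_A1", 0x12345018),
    EccEvent(90000, "DIMM_A1", 0x12345010), EccEvent(180000, "DIMM_A1", 0x12345210),
    EccEvent(260000, "DIMM_A1", 0x12345010), EccEvent(400000, "DIMM_A1", 0x12345018),
    EccEvent(5000, "DIMM_B0", 0x7ABCD000), EccEvent(50000, "DIMM_B0", 0x7ABCD040),
    EccEvent(150000, "DIMM_B0", 0x7ABCD000), EccEvent(200000, "DIMM_B0", 0x7ABCD040),
    EccEvent(310000, "DIMM_C1", 0x66666000), EccEvent(310060, "DIMM_C1", 0x66666000),
    EccEvent(310120, "DIMM_C1", 0x66666000),
    EccEvent(7000, "DIMM_A1", 0x00100800), EccEvent(120000, "DIMM_A0", 0x33333000),
    EccEvent(250000, "DIMM_B1", 0x4AAAA100), EccEvent(300000, "DIMM_C0", 0x0F0F0F00),
    EccEvent(350000, "DIMM_A1", 0x55555000),
]

if __name__ == "__main__":
    plan = retirement_plan(SAMPLE_EVENTS)
    for dimm, page in plan["retire"]:
        print(f"retire {dimm} page 0x{page:x}")
    print(plan)
```

On the constructed log, two pages (8 KiB) account for ten of the eighteen events; the three-event burst on DIMM_C1 stays unclassified because it all happened within two minutes, which is the kind of ambiguity the `min_span` window is there to surface rather than hide.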

WaelNovember 24, 2015 3:36 PM

@Nick P,

Excellent write up. I can relate to some of the discussion points there. I also thought Cosmic rays and alpha particles are the major cause of bit-flips and other memory errors.

After all, if most errors come from random events such as cosmic rays, each DRAM memory chip should have an equal chance of being struck, leading to a roughly uniform distribution of errors throughout the monitored systems. But that wasn’t happening.

I think that's a questionable assumption. It depends on the geometry and the objects in the trajectory of particles.

It’s unlikely, of course, that the same location on a device would be hit twice by an errant nuclear particle. Extremely unlikely

Also questionable without supporting data

Indeed, applying sensible page-retirement policies in large data centers and supercomputing facilities would not only prevent the majority of machine crashes, it would also save the owners money.

Makes sense...

In that sense, DRAM chips are a little like people: Their faults are not so much in their stars as in themselves. And like so many people, they can function perfectly well once they compensate for a few small flaws.

So true! I wonder if people can learn something from Silicon someday.

CrusaderNovember 24, 2015 3:48 PM

@Dirk Praet

They do not have any "superiors" that have superior knowledge in pulling off such an operation. There are some who are gaining battle experience currently. There are very few who had some military training previously from Iraq.

Actually, they do. Most of the Da'esh military brass are officers from the former Iraqi army. Attacks like the ones we've seen in Paris don't serve strategic military goals in the areas they control. They're strictly marketing, hence don't warrant jeopardizing valuable assets that can be put to a better use elsewhere.

That is a guess some have made. The US disbanded the Iraq army. Many were Sunni. Daesh is Sunni. Daesh is not complete retards in battle. Therefore, they likely have some Iraqi military commanders... is how the thinking goes. The added advantage there is it helps whop political points in the West. Bush and company made even more mistakes.

Only Saddam's secular Baathists may have difficulty getting along with Daesh's insane Sunni religiousness.

http://time.com/3900753/isis-iraq-syria-army-united-states-military/
From Time magazine, 2015 May:

“The plan was that the army would be the foundation of rebuilding the Iraqi military,” he says. “Many of the Sunnis who were chased out ended up on the other side and are probably ISIS fighters and leaders now.” One expert estimates that more than 25 of ISIS’s top 40 leaders once served in the Iraqi military.

Emphasis added.

Though, not the point. The point is I was making, they don't know how to run terrorist operations.

They tracked down the leader of the Paris attacks by a Paris attacker's phone number in his left-behind cell phone. Not exactly the pinnacle of professionalism.

"Okay, boss, I am hanging up now, time to go and murder some Parisians".

Boss smiles and does not wonder if his buddy's phone call might actually reveal his location.


but it should be noted civilians should not attempt to engage in operations against ISIS.

I beg to differ. Although the citizenry should never interfere with police or military operations, alert civilians willing to risk their own lives were material in preventing the Thalys attack as well as the shoe and underwear bombers from succeeding.

More wildly out of context to twist a "win" for you than the last one.

I was obviously meaning attacks like what Anonymous was doing, or attacks such as civilians have done against Sikhs, ordinary Muslims, and others. I would add Daesh to the list here, but usually they don't actually perform attacks against Daesh or Islamist violence supporters because they are too hard to find for them.

Hence the word "operation", and the context of "Anonymous" leveraging illegal attacks against Daesh accounts.


Maybe you should think about viewing discussions as a "win" for your ego, and focus more on politeness and accuracy.

Or is it just to be annoying? "Oh gee whiz, I can twist this random person's statements out of context and pretend to be too stupid to understand what they were saying, because that will make me appear smart."

I never get why people do that.

Seems like lose lose for them.


Maybe the stupid nick I chose threw you off. Problem is, that didn't mean I wanted anyone to choose even stupider courses of action.


Clive RobinsonNovember 24, 2015 4:21 PM

@ Wael,

So true! I wonder if people can learn something from Silicon someday.

How about political people learning to be "transparent"...

@ Nick P, Wael,

The odd thing about the article is the observation about rows has been made before. About a third of a century ago, I mentioned it a few months back when the "Row Hammer" attack was talked about here.

So the two might be connected in some manner.

Nick PNovember 24, 2015 4:27 PM

@ Clive Robinson

That's funny. The best one I've heard on Skynet scenario referenced a different company. Included in this vid which creatively had Ray Kurzweil and Alex Jones in same show lol.

Nick PNovember 24, 2015 4:50 PM

@ Wael

"So true! I wonder if people can learn something from Silicon someday."

To be organized in synchrony and pull in the same direction toward getting work done?

@ Clive

I doubt it as the time gap was too long. This was probably independent invention. Slow, slow ass independent invention given I'd have eventually guessed it with what I've learned about ASIC physics at DSM levels. I'm amazed the memory chips work as well as they do.

Nick PNovember 24, 2015 4:56 PM

@ Wael

Forgot to add on these points:

"I think that's a questionable assumption. It depends on the geometry and the objects in the trajectory of particles.

It’s unlikely, of course, that the same location on a device would be hit twice by an errant nuclear particle. Extremely unlikely

Also questionable without supporting data"

You have more experience here but I still gotta question it. :) The rays are coming in from many directions towards huge grids of memory where individual elements leading to these SEU's are *tiny*. Odds of hitting any one is slim. A shower of rays/particles going in certain directions should disperse a bit more in effects and on many machines in a rack. Should be irregular, too, rather than constant for the life of the hardware (bigger assumption here). Very, specific parts of these contraptions constantly failing while probable soft errors had a totally different, irregular distribution would seem to contradict what we'd expect. So, that these few pieces are hardware faults that keep kicking in seems like a reasonable assumption to me.

Dirk PraetNovember 24, 2015 5:07 PM

@ Crusader

Maybe you should think about viewing discussions as a "win" for your ego, and focus more on politeness and accuracy.

Re-reading my comments, I believe I did reply both politely and accurately to some of your statements. Which is more than can be said about your return, so I'm not going to dignify you with a follow-up, neither on the facts or on your demeanor.

Clive RobinsonNovember 24, 2015 5:13 PM

@ Crusader,

That is a guess some have made. The US disbanded the Iraq army. Many were Sunni. Daesh is Sunni.

It's quite a bit more than a guess. These people have not been in hiding, and in some cases their position has been verified.

The problem I have is, if you are going to send a drone in to kill people both intentionally and with expected collateral damage, why go after a military insignificance like "Jihadi John" when you can go after the known commanders and leaders?

In terms of Return On Investment on a drone strike, offing a military commander who can not be easily replaced and offing a psycho with a sword who is a ten-a-penny nonentity, the military commander should win hands down, but for some reason --political mileage perhaps-- did not.

As for Anonymous, well it does look like a PR stunt more than a serious dent into IS's operations. But these things rarely happen in a vacuum so there may be some form of blow back down the line.

We have seen this with Iran as a result of Stuxnet. Whoever the Iranian hackers are, they are getting more and more proficient and they have caused real problems (Saudi Oil, erasing of 30,000 computers is a fair accomplishment in any person's book).

I can see the advantage of IS recruiting hackers in western nations to attack locally, a thought that appears to only just be occurring to US top brass...

WaelNovember 24, 2015 5:19 PM

@Clive Robinson,

How about political people learning to be "transparent"...

Unlikely, you know it and I know it. I can relate two stories of my early interactions with "politicians" in college days, but they are a bit long and will likely offend others here. Besides, silicon isn't transparent :)

WaelNovember 24, 2015 5:27 PM

@Nick P,

A shower of rays/particles going in certain directions should disperse a bit more in effects and on many machines in a rack. Should be irregular

I meant questionable in the sense that it wasn't sufficiently "proven". I would have thought that they would try to move the machine around or rearrange the DDRAM to validate their hypothesis. Perhaps the physical location of the DIMM has an effect. They haven't shown that they conclusively tested for that.

tyrNovember 24, 2015 6:58 PM

@Wael, Nick P.

You have to accept a certain level of determinism to say that incoming radiation is patternable or predictable. Given the limited nature of the research data (Curie to now in time) making definite rules of thumb might not be a great idea. I seem to recall a Utah detector getting a particle that exceeded everything seen before by a large margin. Almost blew the detector off the wall with a single particle event.

The last time I looked at a data bus line with an analog scope, I'm surprised anything works. The old sharpened square waves seem to have disappeared in the noise and hash. Probably it is Clarke's Law, the more advanced tech starts looking more like magic the further you go.

WaelNovember 24, 2015 7:15 PM

@tyr, @Nick P,

You have to accept a certain level of determinism to say that incoming radiation is patternable or predictable.

I do, keeping the emphasized words in mind. I don't say predictable or patternable. I'm saying the researchers haven't eliminated this possibility and relied on an assumption without sharing much of an explanation. They are, in a way, guilty of their predecessors' mistake (that they are correcting) who made the assumption that Cosmic rays are the culprit for a lot of memory errors.

SoWhatDidYouExpectNovember 24, 2015 8:03 PM

In the world of IoT devices...

Green Light Or No, Nest Cam Never Stops Watching

http://yro.slashdot.org/story/15/11/24/222253/green-light-or-no-nest-cam-never-stops-watching

Exactly as predicted!

And, all future IoT devices will behave exactly the same. IoT device for your garage door opener or door locks anybody? And, your car? Entertainment systems?

And the vendors think we don't know or won't find out! Wait for the legislation that prohibits such revelations.

No IoT devices here, thank you.

Nick PNovember 24, 2015 10:34 PM

@ Wael

"I meant questionable in the sense that it wasn't sufficiently "proven". I would have thought that they would try to move the machine around or rearrange the DDRAM to validate their hypothesis. Perhaps the physical location of the DIMM has an effect."

Oh, OK. That makes sense. Good idea for the test, too. I'll try to remember to email them to see if they did stuff like that and didn't report on it.

FigureitoutNovember 24, 2015 10:50 PM

Another epic hack (and amazingly simple, at least the circuit, code's a little more tricky) from Samy Kamkar...magspoof

Just read the github 'readme', it's really good.
https://github.com/samyk/magspoof

SoWhatDidYouExpect
--You should already be assuming that when you turn off any electric device w/ software that it is not truly off (if you care about this, which it sounds like you do). It's becoming very common now to have "sleep modes" that can just wait for an external interrupt and draw ridiculously low power (the sensors themselves are getting "smarts" built-in too, in extremely tiny ICs, and again draw very low power). Also, some home security system IR/MW sensors have simple jumpers to turn off LEDs even though the device is fully powered on (to not tip off a burglar perhaps) so an LED is not a good way to tell if power's on unless it is *right* by the source. Even unplugging, if you don't do any internal inspection, a good battery could keep an efficient device on for years (transmit 500+ feet too).

Thankfully most of this can be found w/ even a crappy multimeter, however some of the levels I work w/ (which means this is "out there" commercially, potentially much better tech hidden in "the big boys" labs) may be below detection (a few microAmps or even nanoAmps now..).

I still think if you really want to and do your homework, you can generally keep the surveillance to a minimum. Just live quietly/peacefully. To help sleep, keep in mind that context is needed, and if they're getting video it's a LOT of data that can't be stored longterm.

Request for Comment: TCP/IP Experts
--Has anyone worked w/ either the uIP or lwIP TCP/IP stacks? I have a fair degree of confidence in Adam Dunkels' grasp and implementation of the protocol (uIP is in Contiki OS, which is used by lots of big players), I'm just wondering about fresh perspectives from a security standpoint. On my breaks I'm going over the lwIP manual, since I'm trying to narrow down the attack surface of some of my connections and create a bit of a bottleneck (for monitoring and slowing down attacks, hopefully break a few by design since there'll be so little to attack). Squeezing the space I can work in has the problem laid out in the lwIP paper:

The operating systems used in minimal systems such as the target system of lwIP most often do not maintain a strict protection barrier between the kernel and the application processes. This allows using a more relaxed scheme for communication between the application and the lower layer protocols by the means of shared memory. In particular, the application layer can be made aware of the buffer handling mechanisms used by the lower layers. Therefore, the application can more efficiently reuse buffers. Also, since the application process can use the same memory as the networking code the application can read and write directly to the internal buffers, thus saving the expense of performing a copy.

http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.109.1795&rep=rep1&type=pdf

Of course the gaping hole gorilla in the room is the fact that many service providers give you some DOCSIS modem that you essentially have to assume is compromised (and I believe I witnessed mine hacked w/in hours of install and something funky w/ cable boxes too).

Frank SNovember 25, 2015 3:15 AM

@Who?

Yes it is really odd. But the Linkedin post might justify the NSA jumping to other ‘really secure’ curves. And in the end NSA seem to be leaving EC Crypto at all and forever, which goes one step beyond.

CrusaderNovember 25, 2015 11:32 AM

@Dirk Praet

Maybe you should think about viewing discussions as a "win" for your ego, and focus more on politeness and accuracy.

Re-reading my comments, I believe I did reply both politely and accurately to some of your statements. Which is more than can be said about your return, so I'm not going to dignify you with a follow-up, neither on the facts or on your demeanor.

Without quoting my entire statement condemning "Anonymous" actions, I will simply link to it:
https://www.schneier.com/blog/archives/2015/11/friday_squid_bl_502.html#c6711723


I was very clearly writing of civilians engaging in illegal activity which certainly could be said to be a military, intelligence, or police action against a wartime target.

I pointed out this was very bad to do, because at worst they could interfere with legitimate operations.

The term I used was enacting illegitimate operations. Key word: operations.

You stated it was fine for civilians to do such things, just don't interfere.

You pointed as examples extremely irregular and unusual situations where civilians were able to help stop terrorists who, for instance, sat next to them and acted suspicious.

This latter case has nothing to do with civilians enacting their own operations. At all.

As for "interfering", let me explain the importance of the matter: these are kids, at best, even if some are older. Even if some did get the account details of ISIS members and expose them, they very well may have ruined known accounts government was already watching drying up solid leads and choke points for legitimate surveillance and other critical operations.

This is very often a problem with amateur computer security folks who ask about and want to "hack back" criminals and others. They are unaware that very much of intelligence, and even military and law enforcement can be about watching individuals and groups. "Hacking back" can ruin those central points. It can also ruin existing law enforcement investigations, contaminating it.

In more severe cases this can lead to the wannabe vigilantes getting hurt.

And worse.

As for civilians being in the fray and having a chance to do something because a terrorist is sitting next to them -- obviously, this is extremely different than a bunch of unprofessional script kiddies running after ISIS or a government and trying to play cop or spy or military.

CrusaderNovember 25, 2015 12:14 PM

@Clive Robinson


It's quite a bit more than a guess. These people have not been in hiding, and in some cases their position has been verified.

(Regarding many of ISIS top military leaders being ex-Iraqi army.)

Well, I remain unconvinced. These guys have uniforms. I would like to say US satellite and drones have captured pictures of all these guys in a way that can confirm their leadership positions. I do not believe this is the case.

Could be some of Saddam's top military brass are leading the charge, despite the significant transition from going from Saddam yes men to becoming ISIS yes men. Kind of like if our top military sort of folks could easily join the Branch Davidians or Heaven's Gate cults.

What many ISIS do have is many years of fighting experience, however. That affords significant military capabilities.

Speaking of, I doubt Iraqi top military brass were even any good at their jobs, that is, in war making.

Probably they were very good at playing top military brass. Some of them probably had experience in the war against Iran. Whatever that gave them.

I doubt they were well studied in the history and theory of military strategy. I doubt they did much gaming that would improve their capabilities.

Who normally leads in cults are the most zealous who are also very cunning. (In zeal is also ruthlessness, but idiot zealous are seen as they are and used accordingly.)


The problem I have is, if you are going to send a drone in to kill people both intentionally and with expected collateral damage, why go after a military insignificance like "Jihadi John" when you can go after the known commanders and leaders?

In terms of Return On Investment on a drone strike, offing a military commander who can not be easily replaced and offing a psycho with a sword who is a ten-a-penny nonentity, the military commander should win hands down, but for some reason --political mileage perhaps-- did not.

I think my major point of disagreement is simply: I believe both sides are much less competent than what you are saying. I understand how this can seem not to be the case, especially with the US military which has extraordinary points of competence.

The US Military has, in many ways, made a science and an art out of their work. However, they have significant weak points.

What they are doing right now is they are not fighting as they should be. I certainly agree with that.

I also would agree that if they could get their leadership - and I am sure they have gotten some - they could do significant damage to their overall structure.

From what I have read from their propaganda and reports coming out, ISIS is severely lacking in proper medical care. So, one sort of attack could severely cripple them. Literally. Relying on attacks that are designed to injure maximum number of people, thereby destroying their capacities to heal anyone. Obliterating their morale.

This gets into war crimes area, though this hardly stopped the US from attacking that hospital in Afghanistan a few weeks ago. And it was the way that Germany and Japan were crippled during WWII.

More importantly, they should strike at key oil infrastructure. ISIS is making an estimated 500 million dollars a year from oil trade.

The problem with ISIS, probably both of us could agree on is that they are liable to cause far more severe problems, globally, the longer they stay around and relatively healthy, with plenty of funds.

They are just such a group well primed and motivated in the right conditions who could start some manner of global war, where we even see the engagement of nuclear weapons.

They are also just such a group who could enact terrorist actions which could bring major democracies into true authoritarianist totalitarianism.

Right now, Israel is well out of the fray, and the news has been comparatively quiet on that front. Right now, ISIS has been focusing on angering Shia and Westerners.

As for Anonymous, well it does look like a PR stunt more than a serious dent into IS's operations. But these things rarely happen in a vacuum so there may be some form of blow back down the line.
We have seen this with Iran as a result of Stuxnet. Whoever the Iranian hackers are, they are getting more and more proficient and they have caused real problems (Saudi Oil, erasing of 30,000 computers is a fair accomplishment in any person's book).
I can see the advantage of IS recruiting hackers in western nations to attack locally, a thought that appears to only just be occurring to US top brass...

Dirk was actually talking about *Paris* attack being PR, and I grimly agree with him on that.

That was "just" PR for ISIS. But, I disagree it was "just" PR for them. I believe such attacks are of their very lifeblood for morale.

They feed on such things, as a serial killer does.

"Anonymous", I think, those attacks were as usual. Some in Anonymous are certainly not the amateurs they pretend to be. The vast majority are. Anonymous is a great way for a covert unit to enact actions with plausible deniability. China does the same with their hackers.

It is a far, far way from knowing how to run an application that automatically does a denial of service... and from knowing how to find zero day in web applications... and so much further away from that in knowing how to find zero day in non-web applications, serious applications... and in creating truly innovative rootkits.

The US has been hiring up hackers who are good at finding security vulnerabilities, who understand code very well, who have significant capacities for understanding software down to the core OS levels. And who have the patience and capacity to stick to problems until they are solved.

This, however, is primarily through contracting agencies.

I am sure there are plenty of *willing*, but training people for these things is not like training infantry troops. It is like finding people who can handle being Delta Force or a Ranger. The vast majority won't make the grade.

Still, through corporate contracting agencies, they can get a lot of their best stuff, which is why I strongly disagree civilians should be attempting to engage. Likely all of those systems are compromised already.

That is an area of heavy US competence.

Weak points are where some of the more stolid, old thinking organizations are trying to treat "cyberwar" as something where throwing the most people at it works. As if they were infantry. Huge waste of money and people.

CrusaderNovember 25, 2015 12:58 PM

@Clive Robinson

Thinking on this... "Anonymous" has done some excellent actions. Their attack on some footballers who had gang raped a girl was magnificent. They were denying evidence, and their little town authorities were helping. "Anonymous" doxxed them, and got the case moving forward, appropriately exposing them as they deeply deserved.

Then, there was the doxxing of the Russian online propagandist office.

And a few similar attacks, over the years like these.

Good article:
http://www.motherjones.com/politics/2015/11/anonymous-hacking-isis-ghost-security

The mentioned "Ghost Security Group" actually first surfaced in these dealings, and I was "meh" when I heard of them. "Ex-military and cyber security" who "splintered off from Anonymous". The problem is right there, that last bit.

Using the cover of Anonymous for active operations is one thing. Buying into all the crap of the Anonymous group believes is something else altogether. That gets to the level of "truther" nonsense.

But, at least that group tries to work with the government exactly so they won't interfere with existing operations: problem is, the government has to be very careful about talking to them. Often, existing operations have to be denied to keep cover, which means they could interfere anyway.

All of this really is ego, and not much good.

Good you see in the researcher community where folks who work hard and work very smart get accomplishments done in a highly competitive environment. The physical comparison: you are talking about athletes who train smart and hard every day and have been doing so their entire lives.

Then, there are sorts who want to play superhero and wear the tshirt, but they are nowhere near close to any of that and never will be. It is fantasy.

They could, anyone could, but they have to deny fantasy hard is one of the first steps.

What keeps such individuals going is the exact opposite of that ego fantasy these others indulge in.

Nothing wrong with a strong imagination, but when not coupled with profound humility, it does far more harm than good.

Nick PNovember 25, 2015 1:52 PM

@ Wael, Clive, Figureitout

Nice tear-down of a MacBook charger that shows all the circuitry (esp analog) inside. Way more complex than it looked on the outside as I expected. Even uses Pogo pins!

Markus OttelaNovember 25, 2015 4:15 PM

I gave it some thought and it would seem a floppy disk is a cheap way to distribute pre-shared keys. You can buy 50 discs for as low as $20, and while there is enough space for keys (350kB with TC hidden partition), there isn't excess space for sophisticated malware. USB floppy disc drives can be bought from eBay for ~$10.

Clive RobinsonNovember 25, 2015 6:00 PM

@ Markus Ottela,

... there isn't excess space for sophisticated malware.

It's a very important security mitigation that few appear to pick up on, with all types of memory.

It was one of the primary security considerations behind the idea behind the design of the "cells" in my "prison" design.

A point that is lost on most people is it actually takes more code "to emulate a process" than "the process itself does" (unless the process has been written very inefficiently). So the memory required by sophisticated "hiding" malware is not just the "payload" but the "process emulation" as well. Which adds significantly to the memory required. If you thus limit via hardware --MMU etc-- to just that the process requires then the malware has nowhere to hide...

BenniNovember 25, 2015 6:25 PM

google can remotely unlock android phones for authorities, police and spooks

http://manhattanda.org/sites/default/files/11.18.15%20Report%20on%20Smartphone%20Encryption%20and%20Public%20Safety.pdf


"Forensic examiners are able to bypass passcodes on some of those [Android] devices using a variety of forensic techniques. For some other types of Android devices, Google can reset the passcodes when served with a search warrant and an order instructing them to assist law enforcement to extract data from the device. This process can be done by Google remotely and allows forensic examiners to view the contents of a device."

Nick PNovember 25, 2015 10:49 PM

@ Markus, Clive

I'd say CD-Rs or DVD-Rs today with all their space burned is the cheapest option. Plus, it's easier to disguise as a music or software CD that won't arouse suspicion. Far as firmware or whatever, there's probably similar attack surface for an obscure floppy drive vs CD/DVD burner. I haven't used one long enough to remember if it was PIO vs DMA but drivers or firmware probably have attacks waiting. Plus issues with magnetic media.

So, I'd say optical discs are better bet since they give more storage, reliable pricing, no magnetism-related losses, deniability, and very easy to destroy. For the latter, there's even shredders designed with them in mind. Naturally, what goes on them will be encrypted but just saying. :)

Clive RobinsonNovember 26, 2015 5:06 AM

@ Nick P, Markus Ottela,

For the latter [optical media], there's even shredders designed with them in mind.

Optical media is quite problematic when it comes to "effective" destruction of data upon it. The problems arise from the "data density", "data format and error correction" and the media "physical properties".

When optical media first appeared it had some real issues, some was the assumption that the way magnetic media was used would apply. Thus the data storage format and error correction was not appropriate and caused high error rates. When combined with the fact that the original materials were to easily damaged extream care had to be practiced, similar to that of the early "disk pack" hard drives. Thus the drive and disk mechanics made the technology prohibitively expensive.

Thus a re-think was required, and it came not from the need to store data but from audio recordings to replace "vinyl". The physical data format was changed from tracks and sectors to a continuous spiral, considerably dispersed data and error correction were added, and a cheap to manufacture "pressed" format on a very physically tough material (polycarbonate) was used. Thus the audio CD became very reliable, so much so that you could drill 2-4mm holes in many places and it would still play without audio fault.

The audio CD was ignored by the computer industry, who were still fixated on replacing magnetic hard drives. Until a small, relatively unknown company with a need to send out immense static databases realised the audio CD's potential. I worked for the company (SilverPlatter) and met and talked to some of those involved. They had a lot of trouble getting the computer industry interested, as SilverPlatter's business was seen as very, very niche. However, to cut a long story short, they pushed the technology and got it into many universities and scientific organisations. They also decided that it would be desirable that their drives were not just for data but could also do "audio" in both digital and analog form, and developed drivers for both. When they had it up and running Micro$haft realised it would solve their "bloatware distribution" issues and did their usual "embrace, extend, capture, exclude" trick.

However MS hardly changed the work SilverPlatter had done, other than add a few things based on other work to make them more MS friendly in the areas of "booting" and "file system overlays".

The result: the CDROM is tough and durable, and the data is replicated and error corrected and thus smeared across large areas of the disk. All of which makes data destruction difficult at best.

Polycarbonate is quite durable and its surface difficult to destroy, thus even mechanically crunching the disk to rice grain particle size still leaves many grains with the same data in readable format for those with around 40,000USD of second hand lab equipment, or, if a little inventive, with about a quarter of a man-year's work and about 1500USD of COTS equipment and hand made modifications.

Similar issues with "grinding" one or both surfaces: unless the actual impressed tracks are fully ground down far enough that pressing stresses are also removed, data can be recovered simply by careful polishing and DSP tricks on the analog signals from a good quality drive.

Whilst you will by no means get all the data by either method, you will get a lot of fragments, which means that it is essential that all user data be encrypted, as well as file system data, and importantly also at the lower container level. It's this last level which is not really practical with COTS or professional recording equipment.

Floppy disks, however, can be easily destroyed. You can use a strong degaussing magnet, but simpler is just to twist the plastic case, pull out the metal hub and thin magnetically coated plastic disk, and melt/burn the plastic over a cigarette lighter, whilst avoiding breathing in the fumes.

Clive RobinsonNovember 26, 2015 5:13 AM

@ Moderator,

When I tried to post my above a few minutes ago it failed with an "invalid request".

However, refreshing another open tab of the newcomments page and then previewing this page worked OK. Then posting this page worked fine.

I'm guessing it's some kind of glitch either in the server or in the network transmission.

Anyway, one to add to the "oddities log".

Nick PNovember 26, 2015 8:36 AM

@ Clive

Good history lesson and true that it has strong retention. That's why I advocated using it for KEYMAT while *encrypting* the onboard data. Then you grind it. Then you melt the pieces and scatter those remains. I haven't heard any expert tell me they could recover plaintext from encrypted, molten, fragments of a CD-R.

Floppies are extremely easy to destroy, though. There's even a niche industry of degaussers for stuff like that. Curious, if you're going with floppies, why not tape drives/cassettes for the increased capacity with same advantage that you can degauss and destroy the tape?

Gerard van VoorenNovember 26, 2015 9:41 AM

@ Clive Robinson,

> Optical media is quite problematic when it comes to "effective" destruction of data upon
> it. The problems arise from the "data density", "data format and error correction" and the
> media "physical properties".

A bit of additional info. When you have (re-)write-able optical media, the data layer is made of organic material. It is quite possible that this organic layer can be destroyed. At first I would think about a high energy light source or a light source with a specific wave length. Liquid solvents could also work except with DVD-9 and BR where that organic layer is glued in between two substrates. Btw, the organic material is highly toxic. When you have non-(re-)write-able optical media, you also have a mold to consider.

Clive RobinsonNovember 26, 2015 9:54 AM

@ Nick P,

why not tape drives/cassettes for the increased capacity with same advantage that you can degauss and destroy the tape?

Whilst degaussing is nice, you have to also think about what happens when "they cut the power"?

Floppies unlike CDROMs and some tape drives still open at the push of a button due to their simple mechanical design. Which is a major advantage when it comes to quick destruction of the media.

Further, destroying a floppy with a simple cigarette lighter is the work of thirty seconds at most. Even if you could get the tape out quickly, it's actually quite difficult to destroy. As you may have noticed, they are much more robustly made, often requiring you to physically stamp/jump on them several times before you can get at the tape. Then your problems start: burning a tightly wound spool of tape is a bit like trying to burn a tightly rolled up newspaper. It's difficult and takes time, as there is too little air for the tape to actually burn, and not enough heat from a lighter to ensure it really melts into an unrecoverable blob with some tapes.

The solution is to keep the primary / master key on a piece of permanganate or nitrate washed "cigarette" paper, secondary keys on a floppy, and chain encrypted data on tape or other storage. If the paper is potassium permanganate washed, you don't even need a lighter, just a quick wipe with glycerin and drop it in the waste basket ;-)
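Clive's layered arrangement (master key on paper, secondary keys on the floppy, chain-encrypted data on tape) in working form, as an added example that is not part of the thread or anyone's posted code. It uses only the Python standard library, so the cipher is a stand-in: an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, chosen because it runs anywhere; a real deployment would use AES-GCM or an RFC 5649 key-wrap primitive in its place. The key and record values are constructed sample data.

```python
import hmac
import hashlib
import os

TAG_LEN = hashlib.sha256().digest_size   # 32-byte authentication tag
NONCE_LEN = 16


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive an independent purpose-specific key (encryption or MAC) from a parent key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC-SHA256(key, nonce || counter) blocks, truncated to length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under a fresh random nonce. Returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Check the tag in constant time before decrypting; a wrong key or a damaged blob raises ValueError."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or damaged blob")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def build_chain(master: bytes, records):
    """Master key (the paper) wraps one fresh secondary key per record (the floppy);
    each secondary key encrypts its own record (the tape). Returns (floppy_blobs, tape_blobs)."""
    secondary_keys = [os.urandom(32) for _ in records]
    floppy = [seal(master, sk) for sk in secondary_keys]
    tape = [seal(sk, rec) for sk, rec in zip(secondary_keys, records)]
    return floppy, tape


def read_chain(master: bytes, floppy, tape):
    """Walk the chain top-down: unwrap each secondary key with the master, then decrypt the record."""
    return [unseal(unseal(master, wrapped), blob) for wrapped, blob in zip(floppy, tape)]


def can_read(master: bytes, floppy, tape) -> bool:
    """True if the whole chain unwraps under this master key; False once the paper is gone
    and all an adversary holds is the floppy and the tape."""
    try:
        read_chain(master, floppy, tape)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample data, not from the thread.
    master = os.urandom(32)                     # this is what lives on the paper
    records = [b"diary entry, 1 of 2", b"diary entry, 2 of 2"]
    floppy, tape = build_chain(master, records)
    print("with master key:   ", can_read(master, floppy, tape))   # True
    print("with a guessed key:", can_read(bytes(32), floppy, tape))  # False
```

The point of the layering is destruction rather than secrecy as such: burning the paper orphans every blob on the floppy, which in turn orphans everything on the tape, and because each layer is tag-checked, fragments recovered from ground-up media are useless without the key one level above them. One secondary key per record also means a nonce is never reused under the same key, which is the one mistake that would make a counter-mode keystream like this one leak.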

Who?November 27, 2015 10:16 AM

@ Clive Robinson

Floppies unlike CDROMs and some tape drives still open at the push of a button due to their simple mechanical design. Which is a major advantage when it comes to quick destruction of the media.

...except on SPARC systems, a few old SPARC64 ones and, from what I was told, Apple systems too. I remember typing "eject floppy" a lot of times in the 90's to eject floppies on my SPARCclassic.

WaelNovember 27, 2015 5:18 PM

@Nick P,

Nice tear-down of a MacBook charger

I didn't think the charger would contain this level of sophistication. I thought at most it would have circuitry for "smart charging" the batteries. Was also surprised to see a controller embedded in the end connector.

FigureitoutNovember 27, 2015 5:52 PM

Nick P// Wael RE charger
--Why you telling us Nick? Lol, but yeah that seems a bit overengineered and I bet QC is fun lol and it has some kind of signal that only allows Apple chargers. Should've linked the RasPi zero story that's blowing up everywhere.


Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.