Friday Squid Blogging: North Korean Squid Fisherman Found Dead in Boats

I don't know if you've been following the story of the boats full of corpses that have been found in Japanese waters:

Over the past two months, at least 12 wooden boats have been found adrift or on the coast, carrying chilling cargo -- the decaying bodies of 22 people, police and Japan's coast guard said.

All the bodies were "partially skeletonized" -- two were found without heads -- and one boat contained six skulls, the coast guard said. The first boat was found in October, then a series of boats were found in November.

Writing on the boats suggests that they are from North Korea, and there's other evidence that they strayed into Japanese waters hunting squid:

Squid fishing equipment found in the boats suggest that the bodies could be of fisherman from food-short North Korea who have been increasingly entering Japanese waters to hunt squid...

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on December 4, 2015 at 4:22 PM • 150 Comments

Comments

Jarrod FratesDecember 4, 2015 5:00 PM

I've seen a few articles (including the ABC News linked by Bruce) that mention that the number is actually down from previous years. This apparently is something that has been happening for many years, but Western media is just now finding out about it.

BenniDecember 4, 2015 5:32 PM

"Moderate bug" in openssl found:

http://openssl.org/news/secadv/20151203.txt

This is why they call it moderate:

"There is a carry propagating bug in the x86_64 Montgomery squaring procedure. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not
believed likely. Attacks against DH are considered just feasible (although very
difficult) because most of the work necessary to deduce information
about a private key may be performed offline. The amount of resources
required for such an attack would be very significant and likely only
accessible to a limited number of attackers. "

In short, its "moderate", because only GCHQ or NSA, that is "limited numbers of attackers" have the necessary resources to do this.... One sees why the openssl foundation is sponsored by the US department of homeland security...

Russia is hacking not only the German parliament but other NATO states too, and companies:

http://www.spiegel.de/netzwelt/netzpolitik/bundestags-hacker-greifen-weitere-nato-staaten-an-a-1066073.html


Ever wondered how IS can spread its jihadi propaganda from Raqqa and Mosul?

Well, it works over satellite internet provided by European companies like SES, Eutelsat or Avanti. Companies claim to know nothing, but they have the gps coordinates of their clients.....

http://www.spiegel.de/netzwelt/netzpolitik/bundestags-hacker-greifen-weitere-nato-staaten-an-a-1066073.html

How to Destroy Your Family With One SignatureDecember 4, 2015 6:37 PM

Even if you are technically competent and take necessary security precautions like imaging your computers boot disk (with free Reflect program) and putting a security freeze at all credit bureaus, there is still another threat even bigger emerging threat which is never even discussed!

Notorious American Big-Data aggressively seeks out our most personal medical, financial, web and location data. Today medical data has become ten times more valuable than financial data.
The most dangerous place to sign anything is at medical entities. For example, the doctor’s busy receptionist asks you to sign a single vague, ambiguous, trick-induced signature which in reality authorizes unaffiliated, Big-Data marketing corporation’s full access to all your medical records.
In the security world since they do not have ‘a NEED to KNOW’ you would just be charged with a security violation. However the doctor’s office signature could ruin you or your family forever.

Notably there is a loophole in the HIPAA health privacy law for your doctor or pharmacy to share your medical history with their marketing ‘business associates’. Unknown to patients, they barter by offering to reduce medical practice expenses in exchange verified patient identity and social security number.

They offer ‘free’ appointment scheduling software to the doctor or even better by becoming a broker for electronic prescriptions. In the first stage of establishing identify, they mail appointment reminders and surveys. Next they mail non-medical communications for ‘programs which may be of interest to you’ deceptively under the medical practice name. Their ‘personalized care’ may entice you to visit their unaffiliated web-site and create an account to download a mobile app. The scam’s goal is to get the ignorant patients entire medical history (authorized in their unread terms of service) by just one signature. One slip of you or your spouse’s signature is all it takes to stunt, ruin, and limit or destroy you and your child’s career.

They have many techniques to create situations and circumstances to keep you ignorant and off-guard to obtain that prized one-time PHI (Personal Health Information) release signature. The hope is the ill patient/mark won’t remember or have a record as they always accept Terms of Service. Once released, their most private medical diagnoses are integrated into multiple unregulated yet permanent dossiers. Their patient’s hemorrhoids become accessible to anyone who pays for a background check. For example at their new job interview the hiring manager will privately confide that he too suffers from the itching.

Remember many large employers are still self-insured, so their off-the-record review of your big-data health records are of the utmost importance to their bottom line. There is nothing to do except move to Europe where data-protection laws are keeping pace with technology.

Informed Consent
The best way to avoid these situations is to never authorize before getting a paper copy to review. Many doctors and staff are untrained in this type of data-mining by the wolves of Wall St. However one extremely intelligent physician when confronted privacy issues curtly agreed their external appointment service was crap and quickly walked away (he works there but does not set policy).

The issue could be quickly corrected by balancing the contractual doctor/patient relationship. Today the patient signs many forms but the doctors sign NONE. There is no reason why the patient can at least proactively cross out abusive terms, and not just for privacy. Ask for paper prescriptions. My $15/yr POP mail services allows for 12 aliases, so the medical metadata cannot be associated with financial, insurance or family.

Patients could benefit from a new type of medical/data-mining law firm to review before authorizing consent or release. I would gladly pay for a HIPAA encrypted phone app/service which photographs contracts for immediate privacy and financial expert review while still in the doctor’s office. In this way you can avoid knowing whether to trust your doctor BEFORE the damage occurs.

Educational Suggestions
Colleges already offer computer engineer data-mining majors.
Jr-high students should require a data-mining class exploring techniques (ironically on their ‘free’ Chrome notebooks). Discuss how big-data tracks family members in all aspects of their life. Privacy issues should be discussed. Google, despite pledges (as EFF documents) to the contrary is combining our children dossiers in-and-out of school. Snowden warned of this Dark Future where those in a position of authority violate our society’s sacrosanct traditions of trust. As the ruling class lacks morals, ethics, laws and regulations everything becomes quietly for sale.

Career Enhancing Mass Delusion
All this data mining is useful solely to control law abiding citizens as we see our gigantic mass surveillance system repeatedly unable to stop a single weekly mass terror incident. (However it is effective at documenting how corrupt law enforcement is.)
Congratulations to our leaders: Congress, President, Intelligence community and especially Google, Facebook and Microsoft for passing the secretly conducted mass surveillance CISA.
A law which authorizes corporations to lie to the public and even Congress! Thanks go to The Clapper for setting this new Intelligence standard of zero moral hazard. Now citizens are in danger everywhere.
He leads our secret administrative ruling government expanded with paid secret corporate intelligence agents. Who can trust anything they say? Just ask Microsoft and look for the opposite in their next Windows update/malware.

Have we won the war on terror? Or is it worse than ever?
Is there a relationship between increased draconian mass surveillance and INCREASED levels of terrorism?

Crumbling Pillars of Society
The mounting evidence indicates this erosion of basic human integrity, character, dignity and respect is degrading us, our family, neighbors, communities, churches and government. Now everyone is authorized to lie, even in court under oath. Clearly we have won the War on Terror by giving a blank check to our security officials…

John McAfee: CISA Will Not Stop a Single Important Hack, let alone Cyberterrorism (or plain old terrorism)
http://www.ibtimes.co.uk/john-mcafee-cisa-will-not-stop-single-important-hack-let-alone-cyberterrorism-1526336

Doug DDecember 4, 2015 8:43 PM

So, you may or may not be aware that Nintendo makes an RFID-enabled toy squid, the "inkling squid amiibo" figure. I just picked one up today, and when you set them up, you're asked to give them a nickname. Mine's now named "Bruce", of course.

PeanutsDecember 4, 2015 11:02 PM

I know what your thinking, on the Squid post, "It must be, Global Warming"

Happy Friday
Peanuts

Cats Think You Are A CatDecember 5, 2015 12:18 AM

@Hennik

Straight out of Mr Robot episode, though.

@tyr

Aleister Crowley's crazy magic stuff was just a very able cover for his being a British spy.

Works incredibly well. The spy plays the confidence artist in a very interesting way: they learn how to gain confidence, and they learn how to lose it, to survive.

@How to Destroy Your Family With One Signature

To be clear, your post content's was not from that article. As it ended with that url, it seemed like McAfee said that.

On the problems of commercial privacy invasions, Bruce Schneier actually very deeply delves into that in Data vs Goliath. This subject is generally very well mentioned by other privacy experts and pundits.

However, the reason why it is not as worrisome is probably because governmental surveillance truly has the potential to sink a previously free nation. It is that powerful of a danger.

From the article:

Every one of our potential enemies has their own search engine. Korea has NAV. Afghanistan has Collassus. Iran has Yooz.

Korea, he means South Korea there, and South Korea is certainly not a "potential enemy" in any way, shape or form.

So this new bill will do nothing to stop international cyberterrorism, which is where our real cyber threat lies.

You will not find any security practitioner of any level of significant accomplishment saying that the bill will help cybersecurity, at all.

When it passed, I actually had the chance to hear from two of the big named ones, one of whom was Richard Clarke, the guy who wrote the book on cyberterrorism. He also agreed, as has more technically accomplished pundits.

The real threat, however, is absolutely not "cyberterrorism". It surely has not been. It can be also noted that the real threat everyday people faced is absolutely not dying in a plane crash nor getting eaten by sharks. This is the way non-professionals think. Their minds are not tuned by daily requirements for accurate, realistic risk analysis.

The serious threats are much more along the lines of regime change. Bloodless coups of even major nation states. That is at the highest level of threat. That is exactly what happens when internal governmental agencies have the capacity to surveil and steal data from VIPs. That knowledge gives control.

Lesser and still very realistic threats include massive financial attacks designed to down very large corporations, so as to level the competition. Like with nation states being downed from the inside, corporations can be downed by their competition - even nation state funded and resourced competition - by hacking.

No joke.

Way beyond just intellectual property theft, or control surveillance provides of corporate VIPs, there is financial manipulation and sabotage. There is sabotage potentials. Remember the case where the US sabotaged nuclear plans? Think in terms of competitors introducing very difficult to detect errors in major works of corporations. Changing minor details that flatlines critical, deeply resourced innovations.

For instance, change a chemical formula that has already gone through years of trial testing. Suddenly, it does not work. No patents. But their foreign competition makes it work. Because they stole the formula and sabotaged their competition's.

At a more brutal level, there are an immense number of ways to financially sabotage even very large corporations through hacking. When your adversary is a nation state who has deeply vested, and entirely open interests and control, what chance does your private corporation have?

There is certainly plenty of "terrorism" potentials via hacking, though especially with a combination of hacking to turn off critical security controls and physical attacks, such as poisoning a water supply. But these threats are far less likely for mature nation states to fund.

There are also a very large number of even more esoteric attacks. Really, a very powerfully resourced hacking group, on the nation state level, practically nothing is impossible to them. They can start countries on war paths by attacking one country and making it look like another country did it, for instance.

I spoke initially of "regime change". People should not underestimate the importance of that very concept for intelligence agencies of major nation states. Well beyond simply bloodless coups installing effective true 'shadow states', it is certainly far more possible then ever before to enact regime change on smaller nations - and not at all beyond reach for larger ones - via hacking.

For instance, flatline a nation's financial resources, and see what results. Induce hyper inflation and see how long their leadership lasts.

Of course, it does depend on the country. How well would Saudi leadership last if private recordings of their very unislamic behavior were posted to the internet? Or, consider Zimbabwe has had hyperinflation, yet has survived. The infrastructure there did not have significant internal resistance prepared for such weakness.

Angel Demon in the FleshDecember 5, 2015 2:14 AM

@benni

Russia is hacking not only the German parliament but other NATO states too, and companies:

Russia has always penetrated NATO, deeply. It is practically open source. Or a honeypot just for Russia.

Ever wondered how IS can spread its jihadi propaganda from Raqqa and Mosul?
Well, it works over satellite internet provided by European companies like SES, Eutelsat or Avanti. Companies claim to know nothing, but they have the gps coordinates of their clients.....

Hannibal Lector hat on:
ISIS is good for business. They can not be worst propagandists for "their" cause. They are incredible propagandists for us who want to see the region change.

People have to make a living.

The fact is, who does not want to see the region change?

Unfortunately, it just happens to be one really big region, lol. Iraq/Syria/Lebanon just happens to be right at the heart of it.

Sit back, drink some beer, and watch the fireworks fly.

As painful as it is, does anyone really not want an "interesting life"?

;-)

whateverDecember 5, 2015 3:21 AM

@Benni

the sad story about satellite transponders (both Ku and military UHF band, to name a few) is that they're basically open to any signal coming in with the right technical parameters (frequency, polarization, input power and direction) thus making piracy trivial with some prior knowlege and not very expensive COTS equipment.

And the satellite operators can't know exact GPS coordinates of interfering or pirating stations unless they transmit it deliberately.

WinterDecember 5, 2015 8:19 AM

@How to Destroy Your Family With One Signature
Informed consent is long dead. That was the conxlusion of the last Amsterdam Privacy Conference. The EU is already bussy tighthening the rule. I think US companies working in the EU are expecting some nasty surprises.

US citizens are, as usual, fair game.

zDecember 5, 2015 8:34 AM

@Benni

The most concerning thing about the OpenSSL CVE is that they knew about this since August 13th and sat on it. They didn't even tell the LibreSSL and BoringSSL folks. I expect the OpenSSL code to be full of vulnerabilities because it is such a pile of crap, but the way they handle them is just as appalling.

albertDecember 5, 2015 9:06 AM

"...“The Secretary of Defense should develop creative and agile concepts, technologies, and strategies across all available media to most effectively reach target audiences, to counter and degrade the ability of adversaries and potential adversaries to persuade, inspire, and recruit inside areas of hostilities or in other areas in direct support of the objectives of commanders.”..."

Hacking of websites not mentioned.

https://fas.org/blogs/secrecy/2015/11/dod-counter-is/

I wonder if they'll be more successful than Anonymous, who basically declared war on ISIS online recruitment, which I imagine would include plenty of illegal activity (i.ie, a real war)

. .. . .. _ _ _ ....

Gunter KönigsmannDecember 5, 2015 11:01 AM

Since it was mentioned above that medical data might cost more than financial data:

I once found a sign in an italian hospital telling that if you show your coop loyalty card at the office an appointment with the doctor costs - I seem to remember 20% less.

Coop is a big chain of supermarkets that also allows you to withdraw money and to pay bills (gas, electricity and I think some medical bills, too, but I am not sure in this pint) when along with the things you bought there.

ianfDecember 5, 2015 1:29 PM


Getting back to the current squid topic for a change… I've read both the linked articles, cast an eye at Google, yet still am nowhere near a rational explanation for these boats with skeletal, headless (or just the heads) human remains that have washed up, it seems under many years, on the shores of Japan. Hasn't there been any forensic investigations to determine the cause of these corpses' demise? How were they decapitated?

    This is so FUBAR, that (on Occam's Razor alone) I start to suspect some DPRK's cruel dissident execution method, where corpses of the deceased and such near starving death, are towed out to sea in harsh weather beyond point of no return, and left to fend for themselves.

If you've come across something (anything) that might shed light on this particular morbid mystery, please let your fingers do the ol' keyboard tango.

ianfDecember 5, 2015 6:15 PM


Idiosyncratic tech+ selection off Guardian Today newsletters' headlines from past 2 weeks (20 nov—4 dec 2015) with minimal commentary

Turkey could cut off Islamic State’s supply lines. So why doesn’t it?

[Wael Special]: Where The Bridge's detective unwinds in Malmö. Sofia Helin, the actor who plays Saga Norén in the Scandi crime drama, loves this old Malmö bathing house so much she swims in its icy sea water right through the winter

How French intelligence agencies failed before the Paris attacks. Authorities knew of at least three of the Paris attackers but did not act – and ignored a warning about a potential attack.

Bullying | Opinion House of Cards? Westminster is more like The Apprentice.

FILM My Nazi Legacy review – the poison of the past lives on
A challenging and disturbing documentary looking at how the sons of two Nazi war criminals have dealt differently with their father’s actions

Trouble on Kickstarter as two massive projects hit the rocks
Coolest starts selling its fancy beer cooler on Amazon to ‘keep the lights on’, while Zano just goes bust

Facebook introduces tools to help you stop stalking your ex online
Social network trials ‘take a break’ tools, offering a quick option to hide posts and pictures from a former partner after a user changes their relationship status

    W(ho)TF are they kidding… Fuckfacebook being for keeping track of past loves one would rather not face en face.

Robert Mugabe to rule Zimbabwe from 'special' wheelchair, says wife
Grace Mugabe, the first lady, tells supporters she wants her 91-year-old husband to remain in power for as long as he can still speak

Counter-terrorism policy Revealed: UK security chiefs in showdown with George Osborne
Police demand more firearms officers as Treasury is urged to retreat on cuts

Germaine Greer’s rudeness is part of the point of her

Goodbye privacy, hello 'Alexa': Amazon Echo, the home robot who hears it all […] what exactly Amazon does with all that interaction data.

Drones (non-military) Drone regulation is coming in time for Christmas, says FAA taskforce member

Hatton Garden heist: gang spent three years planning raid, court told … fresh details of ‘biggest burglary in English history’, £14m theft of gems and gold from London vault.

BA pilot's eye damaged by 'military' laser shone into cockpit at Heathrow
Half of all pilots targeted in past year but latest incident involved laser used in weaponry, says pilots’ association

    How is BA not calling a RAF air strike on the locations from which these lasers are deployed? They ought to be easy to pinpoint.

Frankie Boyle on Paris attacks: ‘This is the worst time for society to go on psychopathic autopilot
From authoritarian power grabs to Andrew Neil’s nonsensical eulogy, the reaction to the Paris attacks proves that we haven’t learned from our past mistakes

Is Vladimir Putin right to label Turkey ‘accomplices of terrorists’?
The relationship hinted at by Russian leader after warplane was shot down is a complex one, and includes links between senior Isis figures and Turkish officials

Encryption Google can unlock some Android devices remotely, district attorney says
New York County district attorney report argues Google and Apple should give law enforcement access to user smartphone data reveals court order system

Man stole brains from medical museum and put them on eBay
Bloody fingerprint and suspicious buyer led police to David Charles, 23, who took human tissue including brains in jars from Indiana medical museum

    Took some brains to come up with that caper. Or was it the other way around?

Condom challenge: teens invent a new way to potentially maim themselves online
First we planked. Then we ice bucketed. Now, we condom challenge. Such is the way of the internet

    WHO EXACTLY IS THAT 'WE'? Speak for yourselves, Guardian. Also the practitioners deserve being nominated for Darwin Awards

Raspberry Pi's latest computer so cheap it comes free with magazine
Made in Wales and selling for just £4, the Pi Zero comes with any purchase of the £5.99 MagPi magazine

    Indeed, so cheap the entire 20,000 MagPi #40 copies sold out within a day, and the Raspberry apparently isn't doing reprints

ARM: Britain's most successful tech company you've never heard of
Without ARM, the iPhone and other smartphones wouldn’t work. Hardly anyone knows it – and that’s just how Cambridge’s ‘Silicon Fen’ company likes it

Sweden refuses to order ISP to block Pirate Bay
Stockholm District Court blocks rightsholder action against second-largest Swedish internet service provider, leaving file-sharing site accessible

UK Court grants woman right to die after 'losing her sparkle'
Woman known as C is described as ‘impulsive and self-centred’ but competent enough to refuse dialysis after destroying kidneys in suicide attempt

    So this is the latest in the euthanasia on demand: live la vida loca, then petition the court to let you die because you've lost the 'sparkle'?

Man held at Guantánamo for 13 years a case of mistaken identity, say officials
Mustafa al-Aziz al-Shamiri was low-level Islamist foot soldier, not al-Qaida courier and trainer as had been believed

    “From the onset, he has demonstrated a consistent positive attitude towards life after Gitmo… he has a strong desire to obtain an education in order to provide for a future spouse that his family has already located for him.”

Facebook shares: what's behind Mark Zuckerberg's 'hacker philanthropy'?
The tech billionaire was already one of the essential figures of our age. Now, with his $45bn pledge, he’s being seen as a generational Superman. But does a state-like level of spending run the risk of making him a ‘chequebook dictator’?

Eddie Izzard: ‘People only have selective techno-fear. Usefulness overcomes phobia
The technology-loving standup on staying ahead of the class in 1974, learning French from his mobile phone and his addiction to all things Apple

Armchair travel Do Machu Picchu from your sofa, thanks to Google Street View (embedded right in the article)

BONUS: Serena Williams (‘not a nude but a body study’), photographed by Annie Leibovitz for the annual calendar produced by the tyre-maker Pirelli.

    Don't ever challenge this lady to an arm-wrestling match!

WaelDecember 5, 2015 7:26 PM

@tyr,

I found the tail end of 6.1 quite in line...

What would you expect from a paper about this subject? I say par for the course!

WaelDecember 5, 2015 7:33 PM

@ianf,

... this old Malmö bathing house so much she swims in its icy sea water right through the winter...

I walked on that pier and I thought there was a restaurant at the end of it. I never ate there, but it looked like a restaurant. I wouldn't dare jump in cold water in winter or go to a sauna then cold water a few times as some do there.

Firefox Allows Amazon To Track After Leaving SiteDecember 6, 2015 7:21 AM

For those who are able to monitor Internet traffic (for example in the Performance tab of Task Manager)
I’ve discovered that Amazon tracks the Firefox 42.0 browser for two minutes after closing the Amazon tab. When you close a tab all communication interfaces should immediately cease!

Observations
While at Amazon there is a continuous user tracking as a packet of data is sent every 5 seconds.
Then (with no other tabs are open) if the Amazon tab is closed, Amazon continues the tracking packets to for approximately two minutes!
Note: My version of Firefox is heavily fortified with privacy add-ons. Even disabling Javascript offers no help.

Amazon is taking advantage by coupling Amazon controlled cloud storage used by the Firefox browser to eavesdrop long after the consumer has left the Amazon site.

Because of this any many other serious security issues, Firefox is in the process of being phased out.
Firefox has become highly dependent upon Yahoo for income and they too are becoming highly unstable and may be sold.

Replacement Transparent Applications
The Google comprised code in Firefox has been removed (search for Google in about:config) in derivative Palemoon. Critical add-on support is increasing.
There is also the Chromium browser option.

It getting easier to dump Windows (Qubes http://blog.invisiblethings.org/2015/10/01/qubes-30.html ), Office (LibreOffice https://wiki.documentfoundation.org/Feature_Comparison:_LibreOffice_-_Microsoft_Office ) and Outlook ( https://www.mozilla.org/en-US/thunderbird/features/

Even former MicroSoft CEO Steve Ballmer states Microsoft is lying by cooking their financial books. Are these not the traits of a psychopath (who despises his customers)?
http://www.computerworld.com/article/3011662/cloud-computing/microsoft-revenues-steve-ballmer-bullsshh-bullsshh-bullsshh-bullsshh-itbwcw.html

Clive RobinsonDecember 6, 2015 8:24 AM

@ Er,

    Is the pi zero any good? Wondering about its rng and general security.

I'm unaware of the internal TRNG format, and thus personaly would not use it (I'm not saying their is anything wrong with it, but in security relying on "unknowns" is generaly considered a "no no").

I did however do a little costing of what you would need to do to get the Pi Zero up to the same interface level of a normal Raspberry Pi, and the cost was about 1.2 times as expensive. That said if you don't need the extra functionality then it could be a cheaper option. So say you were using it as a low level controler in a robot for instance, where "hard wiring" with a soldering iron and an already present PSU would would give you cost savings as well as space savings, and potentialy increased reliability.

Thus outside the headlines it is very much a "horses for courses" choice.

I'm thinking about using one with a GSM radio module and another microwave link radio module for various things, where it will provide both a size and cost saving. However the extras required for development were I not going to go back to using them for other things make it more expensive as a "one off".

SoWhatDidYouExpectDecember 6, 2015 9:36 AM

From Slashdot:

California Attack Has US Rethinking Strategy On Homegrown Terror

http://yro.slashdot.org/story/15/12/06/0627259/california-attack-has-us-rethinking-strategy-on-homegrown-terror

WHAT!!!

If this is the case, why aren't we prosecuting, or at least firing for cause, the people in the spy agencies for failing to do their job (or the job they said they were doing)?

Why? Because their entire data collection on U.S. citizens is just a facade for influence, intimidation, and control, NOT to fight terrorism. The incident in California is proof.

But, they will claim they need even more data, more influence, more intidimation, and more control to make up for their failure. And of course, they will blame everybody else for their failure.

ErDecember 6, 2015 9:42 AM

@Clive Robinson

I was thinking about using one as a cheap home computer, running some simple projects that require a graphical interface. I would only need a tv cable, sd card and keyboard, but I would like some solid encryption too. But you are right, you have to buy a psu and a case as well but still I wonder if it would be an appropriate replacement for a low power machine in a small enough factor. Somehow I expect it to be the equivalent of a high power celeron from maybe 10 years ago, not bad at all.

RipleyDecember 6, 2015 2:30 PM

@Firefox...

Regarding an easy way to dump Windows:

I agree there are an increasing number of viable Windows alternatives. However, for most users (that don't have weeks to invest or the technical skillset) Qubes isn't one of them. The setup is too complicated and a sure way to discourage them from making the switch.

I'd recommend steering those expressing interest in switching from Windows towards Linux Mint. The setup is relatively straightforward and the interface will be very familiar to a Windows user. Granted it's not nearly as secure as Qubes, but it does serve nicely as a starting point (i.e., a friendly OS that will provide the average user with a much smoother transition into the Linux environment). Then after successfully transitioning from Windows, they might feel more confident to explore other OS offerings.

For any mere mortals out there considering dumping Windows, I humbly recommend (based solely on usability and ease of transition):

Linux Mint 17.3 Rosa Cinnamon Edition

Here's a good/concise guide through the installation process and some helpful tweaks once you have it installed.

Note: If you're running an older/lesser machine (i.e., your machine does not meet the System Requirements), you can review the other Linux Mint offerings for the right fit.

albertDecember 6, 2015 3:07 PM

@tyr, @wael,..

Finally! A scientific study on a subject that I am alleged to have lots of experience with. Not in consumption, but in production.

Everyone is exposed to BS, but it takes an expert to dish it out. Apparently, I have that expertise.

. .. . .. _ _ _ ....

albertDecember 6, 2015 3:22 PM

@Cats Think You Are A Cat,

The scary thing about infrastructure hacking is that no nation is immune to it. Even military C & C depends on vulnerable high tech systems.

Have a nice day.

. .. . .. _ _ _ ....

Nick PDecember 6, 2015 4:21 PM

@ Moderator

The above comment by "Nick P" with hyperlink in name is either a new poster with same name or a spammer re-using regulars names.

Clive RobinsonDecember 6, 2015 4:21 PM

@ Albert,

+1 for the BS :-)

As for infrastructure failures of nearly all kinds, the root cause is money. More correctly in private utilities the regard only, for short term dividends for shareholders, so that bonuses and new jobs await the C-level execs.

It is clear for those that can think that such short term behaviour, such as cutting back on preventative maintenance can only lead to serious failure. Thus both the proffesional short term investors and the execs are in league with each other. The losers are the longterm investors, the ordinary workers and eventually the customers when a cascade failure takes out the utility, more or less permanently.

The thing is the cascade failure can like an avalanche be started by any snowball, which one it is realy does not matter when they are all thrown by the same person. Ask yourself who is realy to blaim, the script kiddy who gained access via the internet, the executive that underfunded the security, or the exec who cut the communications budjet by connecting to the internet in the first place.

The one thing you can be sure of as shown by Sony Picture Entertainments, the PR people already have a story in place to blaim North Korea, China, Russia, Iran, ISIS or who ever is the "axis of evil" at the time, rather than the execs...

AmazonDataTrackingDecember 6, 2015 5:13 PM

@Firefox

Suggest installing the Privacy Settings extension and turn off "Dom.Storage.Enabled" to disable cloud storage. The Policeman add-on is good for controlling javascript and other nasties.

Clive RobinsonDecember 6, 2015 5:18 PM

@ Daniel,

The story is perhaps not unexpected, I fully expected to hear about divorces and worse after the AM hack.

In the UK the event was a five "minute wonder" on the major news outlets then just disappeared. Maybe the UK press have started to show some discretion unlikely as that may seem, especialy as the seedy side of life generaly sells newspapers.

What has not been mentioned in the main UK press as far as I'm aware is the not unexpected trolling / blackmail of those whose details had been released.

So yes the story is sad, but not unexpected, such is the nature of society and risk averse employers.

JustinDecember 6, 2015 5:48 PM

@Daniel

Sad indeed. No guilt. Just shame at being discovered and exposed.

And that's the next big thing after legalizing pot: they want to legalize prostitution.

Dirk PraetDecember 6, 2015 5:54 PM

@ Nick P

Re. After Paris Attacks, Proposed French Law Would Block Tor and Forbid Free Wi-Fi

Until the end of the previous century, France had really restrictive encryption laws and is one of the few EU countries that specifically regulates the provision of encryption technologies. It comes as no surprise that certain elements are now seizing the opportunity to roll things back. In the midst of regional elections, everyone wants to be seen as taking a tough stance on terrorism, and just like in the US after 9/11, for many politicians that just means throwing a whole lot of stuff against the wall irrespective of what actually sticks and what doesn't.

GrauhutDecember 6, 2015 6:10 PM

@Clive: There will be fun! :)

"Decision of the Court
Article 8 (right to private life and correspondence) The Court found that Mr Zakharov was entitled to claim to be a victim of a violation of the European Convention, even though he was unable to allege that he had been the subject of a concrete measure of surveillance. Given the secret nature of the surveillance measures provided for by the legislation, their broad scope (affecting all users of mobile telephone communications) and the lack of effective means to challenge them at national level (see point 6 below), the Court considered that it was justified to examine the relevant legislation not from the point of view of a specific instance of surveillance, but in the abstract.

Furthermore, the Court considered that Mr Zakharov did not have to prove that he was even at risk of having his communications intercepted. Indeed, given that the domestic system did not afford an effective remedy to the person who suspected that he or she was subjected to secret surveillance, the very existence of the contested legislation amounted in itself to an interference with Mr Zakharov’s rights under Article 8."

http://hudoc.echr.coe.int/app/conversion/pdf/?library=ECHR&id=003-5246347-6510358&filename=ECHR-Zakharov-v-Russia.pdf


What does that mean for the Draft Investigatory Powers Bill? And the Human Rights Act is not yet scraped... Poor little Tories. :D


PeanutsDecember 6, 2015 6:14 PM

Hi All,
One more Microsoft monitoring malware released as important patch 12/2015
KB 3112343 - "This update also improves the ability of Microsoft to monitor the quality of the upgrade implant experience"

Add this to your list comprising Microsoft Malware Surface removal
Likely additional microsoft hosts to block in addition to

echo 'vortex-win.data.microsoft.com
echo 'Name: VORTEX-cy2.metron.live.com.nsatc.net
echo 'Address: 64.4.54.254
echo 'Aliases: vortex-win.data.microsoft.com
echo 'vortex-win.data.metron.live.com.nsatc.net
echo 'vortex.data.glbdns2.microsoft.com
echo '
echo 'settings-win.data.microsoft.com
echo 'Non-authoritative answer:
echo 'Name: OneSettings-bn2.metron.live.com.nsatc.net
echo 'Address: 65.55.44.108
echo 'Aliases: settings-win.data.microsoft.com
echo 'settings.data.glbdns2.microsoft.com

Here are two (redundant) supported by vendor methods to detect Surveillance platform implants back ported to windows 7 64

Using c:\windows\system32\systeminfo.exe to query by KB #
systeminfo | findstr "KB3012973 KB3035583 KB2976978 KB2990214 KB3044374 KB2977759 KB3050265 KB3068707 KB3068708 KB3022345 KB3075249 KB3080149 KB3021917 KB2952664 KB2977759 KB2998812 KB3013531 KB2999226 KB2820331 KB2808679 KB2791765 KB2726535 KB2660075 KB2603229 KB2592687 KB2574819 KB2685813 KB2970228 KB2830477 KB2952664 3107998 3112343"

Same thing using the WMI subsystem to query by KB #
wmic QFE list full /format:texttablewsys | findstr "KB3012973 KB3035583 KB2976978 KB2990214 KB3044374 KB2977759 KB3050265 KB3068707 KB3068708 KB3022345 KB3075249 KB3080149 KB3021917 KB2952664 KB2977759 KB2998812 KB3013531 KB2999226 KB2820331 KB2808679 KB2791765 KB2726535 KB2660075 KB2603229 KB2592687 KB2574819 KB2685813 KB2970228 KB2830477 KB2952664 3107998 3112343"

Here is the surface reduction KB's to remove for Office 2010 related to surveillance monitoring and the same privacy policy related issues as the two sets above.

Office related implants or surface reduction applicable
systeminfo | findstr "KB2553406 KB2566445 KB3080333 KB2876229 KB2881021 KB2881025 KB2760601 KB2553308 KB2965297 KB2965301 KB2883019 KB2794737 KB2687275 KB2589352 KB2553140 KB2817396 KB2817369 KB2881026 KB2965300 KB2837601 KB2878281 KB2837602 KB2956205 KB2837587 KB2597088 3055045 2791057 2837592"

Should you need to script the checking,
create a batch file with 2 lines
echo Checking for %1 %2 %3 %4 %5 %6 %7 %8 %9
wmic QFE list full /format:texttablewsys | find "%1"

create a batch file called OSImplant-Surface-reduction.bat
call Check-kb KB3012973 - "Upgrade to Windows 10 Pro"
call Check-kb KB3035583 - "GWX Implant installs Get Windows 10 app in Windows 8.1 and Windows 7 SP1"
call Check-kb KB2976978 - "Compatibility Implant for Windows 8.1 and Windows 8"
call Check-kb KB2990214 - "Implant that enables you to upgrade from Windows 7 to a later version of Windows"
call Check-kb KB3044374 - "W8,8.1 Nagware for W10"
call Check-kb KB2977759 - "W10 Diagnostics Compatibility Telemetry"
call Check-kb KB3050265 - "Windows Implant services Implant to upgrade to W10"
call Check-kb KB3068707 - "Customer experience telemetry point. W7,8,8.1"
call Check-kb KB3068708 - "Implant for customer experience and diagnostic telemetry"
call Check-kb KB3022345 - "Implant for customer experience and diagnostic telemetry [Replaced by KB3068708]"
call Check-kb KB3075249 - "Implant that adds telemetry points to consent.exe in Windows 8.1 and Windows 7"
call Check-kb KB3080149 - "Implant for customer experience and diagnostic telemetry"
call Check-kb KB3021917 - "Implant to Windows 7 SP1 for performance improvements"
call Check-kb KB2952664 - "Compatibility Implant for upgrading Windows 7"
call Check-kb KB2977759 - "This Implant performs diagnostics on the Windows systems that participate in the Windows Customer Experience Improvement Program."
call Check-kb KB2998812 - "This Implant enables Windows 7 and Windows Server 2008 R2 to determine application compatibility problems and impacts."
call Check-kb KB3013531 - "Remove warnings when you copy .mkv files to your Windows Phone."
call Check-kb KB2999226 - "Adds thunking layer to call windows 7 call Windows 10 Universal CRT functions which enables windows 10 CRT functionality "
call Check-kb KB2820331 - "Enables Microsoft Nanny to put a hard, soft App or driver block on a non-Microsoft applications"
call Check-kb KB2808679 - "protects an external network from verifying of URI port is open or closed related to "Internal URL port scanning"
call Check-kb KB2791765 - "Enables Microsoft Nanny to put a hard, soft App or driver block on a non-Microsoft applications"
call Check-kb KB2726535 - "Adds WTF 15meg of South Sudan localization bit to the list of countries in Windows. Really necessary if you compute and are a south Sudanese resident"
call Check-kb KB2660075 - "381k to Allow you to change the time and date if the time zone is set to Samoa (UTC+13:00) and KB 2657025 is installed. Sounds like a feature to me"
call Check-kb KB2603229 - "Allows applications to footprint the registered org and registered owner which by default in windows 64 were never tested and yielded wrong info. "
call Check-kb KB2592687 - "Allows USB as a threat vector via RDP version 8. Because USB is just so secure right now."
call Check-kb KB2574819 - "installs DLTS encryption protocol for RDP version 8. Cause another close source encryption protocol would really just help NSA so why?"
call Check-kb KB2685813 - "Back port of windows 8 rev 1.0 of User Mode driver Framework UMDF for apps which deliver windows 8 drivers."
call Check-kb KB2970228 - "Surface reduction: Waste of bits unless you need a new currency symbol for the Russian ruble"
Rem New updates
call Check-kb KB2830477 - "RemoteApp and Desktop Connections feature"
call Check-kb KB2952664 - "Payload current operating system in order to ease the upgrade experience to the latest Windows 10 surveillance implants "
call Check-kb KB3112343 - "Payload provide telemetry and surveillance of additional windows implants"

Reminders, replace "3068708" with the KB your needing to remove.
the windows command to uninstall by KB # is
c:\windows\system32\wusa.exe /uninstall /kb:3068708 /quiet /norestart

As always, the commands are Microsoft supported, use or not at your own self managed risk reduction.

Peanuts

WaelDecember 6, 2015 6:21 PM

Forgot my iPad behind. Had several replies on it... I'll try to reconstruct them on my phone :(

@Albert,

+1 from @Clive Ribinson! You have been knighted, Sir! I mean since the subject is bullsh#t, you'll have to take that with a grain of salt. @Clive Robinson can share its (the grain of salt) specifications with you :)

BTW, I never thought you dished this stuff out, except when you disagreed with me!

Dirk PraetDecember 6, 2015 7:50 PM

@ Grauhut, @ Clive

What does that mean for the Draft Investigatory Powers Bill? And the Human Rights Act is not yet scraped... Poor little Tories. :D

Actually, nothing. Cameron has already made it clear several times that the UK is withdrawing from the EU Convention on Human Rights unless the UK’s highest court can remain the “ultimate arbiter of human rights”. Which is of course ridiculous. A final decision is expected after the 2017 referendum on EU membership. For all I care, he can have his Brexit and join the USA.

OrdinaryDecember 6, 2015 10:13 PM

If Brexit happens and Britain becomes the 51st state, at least they will no longer stick out as Western Europe's human rights dunce. Compared to the US, Britain won't be such a conspicuous disgrace.

After all, when you're sent down from Oxbridge you can go to a nice red-brick uni where it's not so competitive, like Luton or London Met. Or you can go to an American for-profit degree mill where everyone's a loser. Even Britain can compete with these grades:

http://www.ushrnetwork.org/sites/ushrnetwork.org/files/styles/full_size/public/us_un_iccpr_follow-up_first_assessment_grades_ccpr_0.jpg?itok=RPyO_Ch8

Three partially satisfactory; all the rest Not Satisfactory.

INOC | NOC OperationDecember 6, 2015 11:29 PM

North Koreans are suffering a lot but a lot doesn't know -- not by choice, but simply because its leader choose to keep whatever is happening a secret to everyone. They have suffered a lot under the dictatorship, and not being able to go out, even just to gather food, is beyond inhumane. I can't think of any reason why people have to be so cruel? And the fact that the boat remained undetected for days is unfathomable to me. A boat is a bot. Regardless of its size, it would still be noticeable. Simply put, North Korea just turned a blind eye and went on with their days. But the apparent writings on the boat proves that they are indeed North Koreans. And the hypothesis being made actually adds up.

I just hope that something like this won't happen again -- and North Koreans won't have to suffer just to live. Cause if they do, what's the point then of living? Right? Just my two cents.

200 security staff illDecember 7, 2015 2:44 AM

200 security staff fallen ill after new trace detector introduced at Munich Airport.

http://m.spiegel.de/gesundheit/diagnose/a-1065255.html
http://biztravel.fvw.de/flughafen-muenchen-eingebildete-kranke/393/150614/4070
(only in German, no mention of this in the English-speaking worlds, as far as I can tell)

The new model called "Quantum Sniffer" from Implant Sciences can not only detect traces of explosives but also various class A drugs. Problem is, right away after installation staff complained about nausea, dizziness, skin rash. 8 committed to hospital after first day; even first responders complained about adverse health effects. The public prosecutor's office starts to investigate.

To cut a long story short, turns out after several rounds of independent testing by various bodies: It's all in people's minds! Diagnosis: "Sick Building Syndrome" - a kind of inverse placebo effect.

The explanation: those devices just smelled bad, from silicone and glue, when first unboxed. Complaints by staff weren't taken seriously, the the ensuing scare and insecurity made matters worse.

... A new perspective on Security Theater? Now no-one can say it doesn't hurt...

Clive RobinsonDecember 7, 2015 5:05 AM

@ Grauhut, Dirk Praet, Bruce,

    What does that mean for the [UK] Draft Investigatory Powers Bill...

It is also going to cause the lights to stay on in France as well as their latest proposals on Encryption will also be effected. Oh and one heck of a lot of other places as well...

So first off as quoted it means that unlike the US the court has given him "standing". Secondly, the way it was decided from the quote has just laid a very heavy burden on all telecommunications carriers that conect directly and indirectly UK as well.

That's because the EC is a court with very wide jurisdiction so it also means all EU citizens who's calls get routed through the UK have "standing", as well as other European countries that are signitories but not part of the EU (the EC is not an EU institution something Dave Camaron and Co tend to confuse, thus Brexit would not effect this ruling, and getting out of the Human Rights might be a lot more difficult than they are letting on for various quite complicated reasons).

As for the rest of the world, if they are entitled to make claim through the EC then they would also have standing if their calls went through the UK (I suspect they are so entitled).

But it's possibly a bit more wide ranging than that and where it gets a bit more interesting. Also I suspect it may cover calls sent by satellite, but not actually routed through the UK. That is they could be covered as well if they can be "received" by GCHQ/NSA and that is a weasle word at the best of times as we know, which means,

The ripples are still spreading outward as there are overseas territoties, dependancies and protectorates to consider as well, basically anywhere where UK legislation has remit (see RIPA below). You have to think what it also means for calls received in other parts of the world by GCHQ/NSA and the other FiveEyes and then sent by them to the UK in part or whole... Are they covered I suspect so because they are destined for the UK through a telecommunications system.

Which might be quite awkward for the UK because the existing Regulation of Investigatory Powers Act (RIPA) has a clause that alows listening to any device and place in the world provided it can be reached via available telecommunications links at some point in time, so arguably covers @Bruces "home computer". That is RIPA extends the UK's jurisdiction in this area to the world and beyond and the EC decision effects all of this...

But the bit that is going to cause most pain is,

    Indeed, given that the domestic system did not afford an effective remedy to the person who suspected that he or she was subjected to secret surveillance,

It's laying a "duty of care" on all telecommunications operators in the world who direct calls or where calls might be received in the UK to ensure the security of the privacy of a persons communications.

But it's not just a jurisdictional boarders limit, as we know there are two ends to a communications pipe the person who sends and the person it is directed to.

Interestingly existing telecommunications legislation and court action has established that the telecommunications protection extends to communications data unseen by the recipient. That is it was decided that a voice mail was still "in transit" even when stored in a computer until the recipient had heard it in full, only then was it nolonger covered as "in transit".

Thus the implication that the duty of care extends from the senders lips to the recipients ear. Or a little more exactly the input transducer to the output transducer. Which in effect means "end to end" encryption is now very much back on the table.

@ Bruce,

You might want to have a chat with some legal theorists you know, there could be several articles in this even for a US audience.

WinterDecember 7, 2015 5:20 AM

@Clive
"But the bit that is going to cause most pain is,"

I respectfully disagree. The bit that will cause the most pain is the lack of remedies:


Moreover, the effectiveness of the remedies available to challenge interception of communications was undermined by the fact that they were available only to persons who were able to submit proof of interception and that obtaining such proof was impossible in the absence of any notification system or possibility of access to information about interception.

The courts will continue to challenge surveillance until there are independent oversight, remedies, and redress. And even the unwashed masses will at a certain point start to understand that whatever powers GCHQ might need to save their lives, there should be remedies when GCHQ make an error.

Clive RobinsonDecember 7, 2015 5:34 AM

@ Wael,

Forgot my iPad behind.

Hmm the "butt of technology" must be good for a joke or five...

But more importantly why did you "forget" your behind, are persons of interest to you nolonger looking at your "iPad behind"?

As @ianf observed just the other day English has it's oddities, and it's possibly the reason why the "English sense of humour" does not translate.

Douglas Adams had a line in the Restaurant At The End Of The Universe, Zaphod on ariving was a little disoriented in his normal more urbane head and thus his othet more acid head "You guys are so unhip it's a wonder your XXXX don't fall off"

Apparently XXXX was originaly "bums" but it also appeared as "legs" for other audiences considered more sensitive.

Joe KDecember 7, 2015 6:27 AM

@ CarpetCat

The Associated Press article you linked to above is pretty well destroyed by Marcy Wheeler here:

https://www.emptywheel.net/2015/12/06/why-the-aps-call-record-article-is-so-stupid/

@ L. W. Smiley

Also, in that same blog post, Wheeler comments on Marco Rubio's pronouncement:

The AP engaged in willful propaganda yesterday, in what appears to be a planned cutout role for the Marco Rubio campaign. Rubio’s campaign immediately pointed to the article to make claims they know — or should, given that Rubio is on the Senate Intelligence Committee — to be false, relying on the AP article. That’s the A1 cutout method Dick Cheney used to make false claims about aluminum tubes to catastrophic effect back in 2002.

See her full post for substantiation of the charge.

Clive RobinsonDecember 7, 2015 6:32 AM

@ 200 security...,

Diagnosis: "Sick Building Syndrome" - a kind of inverse placebo effect.

It's most definitely not an "inverse placebo effect".

The human body has a defense mechanism to stop a person being poisoned. It can vary in it's sensitivity in people, which is why some can be dangerously ill with seasickness whilst others feel normal in the same boat.

In order for it to work the mechanism learns as well as being pre-programed. Thus your body can learn new associations between taste/smell/texture/look/sound and other symptoms the already programed part associates with the effects of poisoning. Importantly it's level sensitive, that is what your body may consider pleasurable in small amounts may trigger autonomic reactions at higher levels, the clasic being chilies in the likes of curries and other foods, a low level stimulation causes endorphins to be released which gives pleasure, a high level can cause severe debilitation (which is why it's used in certain anti-personnel spray weapons).

I've experienced the issue with smell in the past when I was working for the BBC in Power Road Chiswick, next door was a company (lauret et fills) that made food flavourings, every year they had an extended shut down for cleaning and maintenance. Prior to this due to it's pervasiveness the last flavouring to be made was Orange. They would then clean the factory with quite powerfull chemicals. The sheer concentration of the orange sent turned the air slightly greenish in hue and was causing BBC staff to have vomitting and migrain attacks. With some staff trying to tell themselves the smell was realy harmless and all in their mindd they ended up being taken to hospital...

As was once pointed out to me by a professor the "LD50" does not mean you will live if you injest less, it's just on average some people might... This was over a discussion about chocolate and a poison it contains (that kills many pet dogs each year).

ianfDecember 7, 2015 7:07 AM


@ Benni, paraphrased “Either the [European Internet-via-satellite] companies tolerate ISIL as secondary (i.e. not their "main"!) customers because they want to make money […], or they allow the traffic because this is a cheap and dependable way [for the IC] to monitor ISIL's ready geo-tagged presence.” (emphasis mine).

In all likelihood, both reasons are present and equally valid. The Euro satellite bandwidth packagers & hardware suppliers sell via agents in Turkey and elsewhere to large (gross) resellers there, and, even if they wanted to, could not ensure that the products end up in the hands of only "kosher" users. At the sane time, the ICs can't but prefer to listen to the ISIL chatter in this clean and by-default verified fashion, than to have to keep searching for ever newer comms channels that may be used. Al Qaida was aware of the dangers of "lighting up" a Western-operated satellite connection, and in fact OBL's Inmarsat phone went dark some time before the 1998 US Embassies in Dar Es Salaam & Nairobi bombings, and never reappeared since (nor thus far has the handset been found anywhere - I used to have the number, which was published in one of the American monthlies… that's how "keyed in" I am).

I suppose the allegedly "Internet sophisticated" ISIL knows about the dangers of advertising presence of its nodes, too, and so, when it uploads anything to the net in this fashion, it has to vary the point of ICBM coordinate origin of the dish, or it's cooked by a drone the next time. Were I running that dept. of the ISIL, I'd set up a sufficiently large number of such "delivery nodes," in private, "unaffiliated" homes, then occasionally commandeer one at a time for broadcasts that are short enough not to give the Yanks time to launch an immediate drone strike in the dish. And then rotate the locations in unpredictable order (which sounds harder than may be assumed, because there are sharp minds at the NSA, capable of pattern analysis and projection. In fact, post 2001/9/11, a statistician speaker at a terror-something symposium presented an analysis of publicly disclosed Al Qaida telephone intercepts and "going dark" data, which allowed him to formulate a "bullet list" for future prediction of upcoming terror acts. I haven't heard anything more about it since, so either it has been shelved, or has become classified and is being deployed.)

Dirk PraetDecember 7, 2015 7:22 AM

@ Clive, @ Grauhut

the EC is not an EU institution something Dave Camaron and Co tend to confuse, thus Brexit would not effect this ruling, and getting out of the Human Rights might be a lot more difficult than they are letting on for various quite complicated reasons

It's complicated indeed. Brexit and withdrawing from the ECHR (and thus the Council of Europe) are two entirely different things. What Cameron & Co. are arguing is that it is perfectly possible for the UK to withdraw from the ECHR (the Convention, not the Court) and stay in the EU as long as they repeal the current HRA and replace it with their own copy of the ECHR, i.e. a sort of British Bill of Rights.

While this is a theoretical possibility, the EU as a whole becoming a signatory to the ECHR has been on the table for a while, thus foiling Cameron's evil plan and leaving the UK no other option than a full Brexit to escape the authority of both the Convention and the Court's decisions. It stands to reason that Britain could of course always veto a vote on EU ECHR membership, but which might cause other members to move for a suspension of UK voting rights if they unanimously “determine the existence of a serious and persistent breach” of EU values.

It's going to be quite the test case. If Cameron gets his way, the door is wide open for other member states to do the same as there is no reason why Britain would yet again be an exception to European rules. When you're in a union, you're either in and you play by the rules, or you're out and you are free to do your own thing. You can't have it both ways cherrypicking what you like and rejecting what you don't. Same message to a number of Eastern European member states.

WinterDecember 7, 2015 7:46 AM

@Dirk Praet
"If Cameron gets his way, the door is wide open for other member states to do the same as there is no reason why Britain would yet again be an exception to European rules."

Yes Minister (24 March 1980):
https://vimeo.com/85914510

'Yes, Minister' unveils secrets of British foreign policy on Europe; United Nations and diplomacy

Sir Humphrey Appleby: "Yes, and current policy. We had to break the whole thing [the EEC] up, so we had to get inside. We tried to break it up from the outside, but that wouldn't work. Now that we're inside we can make a complete pig's breakfast of the whole thing: set the Germans against the French, the French against the Italians, the Italians against the Dutch. The Foreign Office is terribly pleased, it's just like old times."

James Hacker: "Surely we're all committed to the European ideal".

Sir Humphrey Appleby: "Really, Minister".
[laughs]

James Hacker: "If not, why are we pushing for an increase in the membership"?

Sir Humphrey Appleby: "Well, for the same reason. It's just like the United Nations, in fact. The more members it has, the more arguments it can stir up. The more futile and impotent it becomes."

James Hacker: "What appalling cynicism."

Sir Humphrey Appleby: "Yes. We call it diplomacy, minister."

Clive RobinsonDecember 7, 2015 7:54 AM

@ Winter,

I respectfully disagree. The bit that will cause the most pain is the lack of remedies:

That's fair enough, I was thinking in the telecommunications industry rather than from an individual's perspective.

Potentially it is a very large rock the court has thrown in the pond, and depending what people do next it could create rather more than ripples, it could cause a sea state change politicaly.

It would be interesting to be a fly on the wall in some US offices when this gets discussed. After all the Safe Harbour rule decision has rocked the boat baddly, this could potentialy be waves to flood the boat.

The US Government and Corporations as well as the money markets have expressed significant reservations about Brexit and say it would be a bad move. From a political perspective David Cameron is caught between a rock and a hard place on it. On one side he's got the old political guard who think that "Britain" should be as the myth of "The British Empire" whilst those looking forward see closer ties with Europe as having advantages that are far from mythical.

Up until recently David Cameron has been able to work both sides to his advantage, but I suspect that may soon not be possible

Right now the stupidity of what is going on in the Middle East is giving the old guard opportunity to wave the flag, and the issues in the EU over immigration gives them reason to bang the drum. This little decision by the court will give the old guard cause to blow the bugle as well if they decide to spin it up.

Things are showing signs of building to what could be a "perfect storm" which does not bode well, because you never know what will come out the other side.

As anoying as the EU and other European decisions appear, most times they are not wrong in what they do. It's elements of old guard thinking that take the decisions and makes them political hot potatoes in more ways than one. I've seen civil servants in the UK quite deliberatly interpret decisions in the most peculiar ways, which make other European members go WTF? It is as if the civil service have a policy to make Europe look bad at every available opportunity...

WinterDecember 7, 2015 8:00 AM

@Clive
"It is as if the civil service have a policy to make Europe look bad at every available opportunity..."

Old habits die hard. See my quote of Yes, Minister.

Dirk PraetDecember 7, 2015 8:29 AM

@ Winter

Re. Yes Minister (24 March 1980)

I remember that episode quite well. 35 years later, nothing has changed.

Nick PDecember 7, 2015 9:31 AM

@ Jacob, all

Interesting presentation and I guess I'll have to check out Pond at some point. Anyway, this jumped out at me:

"Bear will get first person, they'll snitch, and he kills the rest."

I'll add that grugq seems really good at OPSEC. He tells you how you will be, too. There's just a *tiny* detail he's leaving off that makes for a *lot* of his actual protection: he's a 0-day broker who probably supplies governments, directly or indirectly. Now, anything that follows is invalid if anything people told me about him brokering 0-days is false. If it is, we know who the main buyers or at least beneficiaries are.

1-1. The grugq uses all kinds of methods to protect his privacy.

1-2. The grugq is not on their list of people to target that we can tell.

Conclusion 1: the OPSEC doesn't even matter for him if LEO's and nation states are the concern unless he's doing terrorism on the side.

2-1. The grugq is a broker of 0-days that can be used in online surveillance and targeted attacks by nation states.

2-2. The nation states are unlikely to threaten or jail such people given that hurts their own operation. They might even protect good ones.

Conclusion 2: The grugq is more likely to be protected by nation states than attacked given he's essentially a defense sub-contractor if his wares make it their way.

Overall conclusion: helping your opponents achieve their goals while promoting yours which are unlikely to threaten them can lead to reduced risk that they'll come after you.

You all should see what it takes when you're *not* slipping them 0-days. ;)

JacobDecember 7, 2015 9:47 AM

@Nick P

1. grugq IS a 0-day broker. He said so in a newpaper interview a while back.
2. I don't agree that he is protected from Nation-State operations more than the average Joe. He may be protected from a specific entity he is doing business with, but other N-S entities may not take that amicably.


Dirk PraetDecember 7, 2015 10:35 AM

@ Jacob, @ Nick P

Re. Real life COMMSEC

Note that this presentation is from 2014 and pre-dates Windows 10 spying and its backports to versions 7 and 8.

While I agree that a stock Linux distribution may trick some users into a false sense of security, I certainly have to disagree with this statement here: "Windows is currently the most secure mainstream OS. I mean, we can’t stand _using_ it, but that doesn’t change the facts. The kernel is golden, the userland protections are stellar, and the user experience is somewhere between the 8th and 9th circle of Hell."

ianfDecember 7, 2015 10:45 AM


@ Er was thinking about using #pizero as a cheap home computer, running some simple projects that require a graphical interface.

Have you actually gotten hold of a Raspberry #PIZERO unit already? Because I failed to, and now that the original print run of 20,000 £6 MagPi #40 issues with the attached pcb has sold out, it appears that the only way to get hold of one is to subscribe to 6 issues of the MagPi mag @ £45 for EU delivery. That's quite a steep increase from the original price of £6 + p&p, possibly ~£10 in all.

This spells the end of interest for me, as I'd have to invest perhaps another £45 for peripherals just to play with it.

    [I've long been envious of extremely small-footprint, half-a-paperback to 3-4 cigarette-packs size, FANLESS Windows units with a plethora of ports, and usually a SD card reader for memory expansion, that I keep seeing at various trade fairs… if I could find one with Linux of any kind, I'd buy one outright. So that's what I'd use the #pizero for, interface it to some half-decent tablet, and use as a secondary wired-IP web-browsing computer in the bedroom]

@ Clive Robinson

[…] “English has its oddities, and it's possibly the reason why the "English sense of humour" does not translate.

Every language has its oddities, which usually are anchored in the cultural context and/or baggage of its speakers—so English is no exception. Because of its global spread and use as lingua franca (that was in Latin), however, English is actually easier to learn and comprehend for non-native speakers than other, smaller linguistic footprint, tongues. In fact, I once met someone who, without a single word of French to his name, traveled to Paris in June 1945, where he taught English to streetwalkers hungry for the "GI Joe business" The lessons went something like that: “Number One X dollars and a Hershey bar," "Number Two Y dollars and nylon stockings," "Number 43 ZZZ dollars and a case of champagne," etc. Needless to say, the school wasn't needed for very long, because the market forces soon found a common palpable denominator with words in either language optional.

    Still, what that had to do with Wael's absentmindedly forgetting his behind, and then blabbing about it, I don't know (what next, a cantata to prostata?), but ours not to question why.

WaelDecember 7, 2015 11:27 AM

@ianf,

blabbing about it, I don't know

Was blabbing about it so others who expected a reply don't feel ignored.

ErDecember 7, 2015 11:59 AM

@ianf

Yes, I noticed. Maybe we should go for the normal offering that includes the quad core pi and its case and psu and other useful items. Though I still wonder if it will be a good substitute for a low power home computer.

Clive RobinsonDecember 7, 2015 2:31 PM

@ Jacob,

    Great pictures!

The George Orwell Blue plaque and surveillance camera I've wallked by a number of times, and I always make sure to give a full face grin :-)

Another George Orwell lodging used to be a "book shop" at the bottom of Pond St in Hamsted (where he supposedly thought up 1984). It's just down the hill from the A&E entrance to the Royal Free hospital. Sadly the only mind expansion you will get there these days --assuming they don' swap the oregano for something more weedy-- is working out what you want with pepperoni on your overpriced plastic looking pizza takeaway :-(

Clive RobinsonDecember 7, 2015 3:24 PM

@ Jacob,

I Forgot the double quotes around the "George Orwell Blue Plaque and Surveillance Camera".

For those interested the building is in Portobello Road (number 22), Notting Hill London, where the camera is now I have no idea, but you probably won't see it there again. There are various stories relating to the camera from "the photo's a fake" to "It was tempory and put there for the carnival". Either way the thought of the photo when I pass makes me grin.

Oh my squeeze, siting on the sofa next to me has pointed out that what was a "grubby pizza takaway" is no more (health inspectors or some such). Apparently it's now a French Bistro or some such, and has been for some time, which shows just how long it's been since I've taken her to lunch at the bottom of Hampsted. Apparently I will be making amends in said Bistro before Xmas...

ianfDecember 7, 2015 3:53 PM


@ Er Maybe we should go for the normal offering that includes the quad core pi and its case and psu and other useful items.

Not for me by the look$ of this: https://shop.pimoroni.com/collections/raspberry-pi

BTW. which combination of parts would you have chosen from there? (supply the URLs, not names).

My interest in the £6-10 #PIZERO was that I could stick it in the HDMI TV socket, use one of my BT keyboards, read the MagPi #40 & explore its possibilities in a couple of sessions. Then I would decide if I'd go for the quad model, or chuck it into the overflow electro-gear drawer (most probably). But I'm not willing to go that route with the barebones £44+ or the £75 starter unit.

Though I still wonder if it will be a good substitute for a low power home computer.

The Pi is meant for breadboard-hacking, which is no longer of much interest to me, so possibly it'd be a functional cul-de-sac.

(Also see Jerome's answer to my question, and my response.)


@ Wael “Was blabbing,” period. Q.E.D..

Clive RobinsonDecember 7, 2015 3:59 PM

@ ianf,

This might be of interest,

    lingua franca (n.) 1620s, from Italian, literally "Frankish tongue." Originally a form of communication used in the Levant, a stripped-down Italian peppered with Spanish, French, Greek, Arabic, and Turkish words. The name is probably from the Arabic custom, dating back to the Crusades, of calling all Europeans Franks (see Frank). Sometimes in 17c. English sources also known as Bastard Spanish.

As I was once taught,

    Latin is a language as dead as dead can be. It killed the ancient Romans and now it's killing me.

      The latin of the ancient Romans was long gone by the 1600s and we have little idea how it was actually spoken, though like Egyptian hieroglyphs we can read it quite well.

      I recently heard an audio recording of a British actor that is a hundred years old on BBC Radio 4. It is quite shocking to hear how much the way we speak English has changed in just a century...

      The issue with a lack of historical sound recordings was raised a few years ago and various people havr been "recording street sound for posterity". One of whom you might have heard of, Matt Blaze, of "the Clipper crpto bug" fame and teaching students to pick locks much to the anoyance of supposadly professional locksmiths (effectivly a guild racket).

Nick PDecember 7, 2015 4:36 PM

@ Jacob

Nation states don't usually target foreigners in a messed up way except in relatively rare situations. He's probably not in those. So, given his country, his worries are local and cooperating agencies. They depend on his work probably. So, he won't likely be targeted outside some routine law enforcement issue he gets himself into.

Another gripe: presentation totally leaves out topic of making and spending money anonymously & with low risk from LEO's. Wikileaks was taken down by bankers, not LEO's, via payment processors. Bitcoin is volatile, cash is subject to civil forfeiture, and they're currently building of using ways to deal with prepaid cards. It was tough before but is worse now. Needs thorough writeup.

@ Dirk

He's actually right: the head of a pentesting firm said the same thing. What it applies to, though, is ease of finding 0-days most hackers will exploit. Choosing Windows seems low risk against them. Now, for privacy or local police, modern Windows has a ton of issues but so do much of the competition.

So, it really depends on what people worry about most. I advise Linux/BSD plus portable apps with hardening tricks just because Microsoft is untrustworthy & best security tech in CompSci is on Linux/BSD. Better long-term bet, esp BSD for stability. Those not worried about governments or profiling are safer with well-configured Windows.

Truth told, though, I think the effort to secure a Windows box/network and Linux one are comparable. Might as well go with Linux. There's just the usability and admin issues.

jb24December 7, 2015 6:26 PM

@Ripley, @Peanuts, @Firefox, @Jacob, @Dirk, @ianf, @Nick P

A candidate for a Windows replacement PC for the casual home user (besides Ubuntu, Linux Mint, PCBSD, GhostBSD, and others)

Linux Mint Debian Edition (lmde) mate seems to work ok with some casual computer users, at least once it is installed. In addition, lmde works ok on some older hardware (eg. computers with 500 meg. of ram).

In addition, Tails uses Debian; so if someone uses Tails, or plans to use Tails, that could be a plus, of course.

Some minimal hardening for lmde could include:

get rid of flash
add noscript and httpseverywhere firefox addons
turn on firewall
install virtualbox (vb) w/o guest additions and
strive to only access https sites w/o javascript or flash from vb host
strive to run flash, javascript, etc., if at all, in vb vm guests


Misc.

Does anybody recommend other firefox add-ons like Adblock, Disconnect or Ghostery?

Are virtualbox guest additions considered secure?

Can anybody recommend lmde or Debian hardening references or sources (from basic to more advanced)?

Would lmde be ok for running a tor relay?

Are there best practices to determine if you have malware in linux for the home user?

Perhaps setup a “/home” partition for straightforward periodic reinstallation of lmde, in lieu of anti-virus software.

Does anybody know of a decent OSX “little snitch” firewall equivalent for linux or Windows?

Should you trust the lmde software updates since they seem to come from “http” sites?

Should you try to verify “sha256” values for your downloaded lmde “iso” files using tor and DuckDuckGo (or Startpage) from around the world? For example, an iso file downloaded from an http website with a md5 value is not very reassuring.

Dirk PraetDecember 7, 2015 6:44 PM

@ jb24

Does anybody know of a decent OSX “little snitch” firewall equivalent for linux or Windows?

Check out Windows Firewall Control from Binisoft. Excellent stuff and very light weight. Unfortunately, no such thing whatsoever for Linux.

Are there best practices to determine if you have malware in linux for the home user?

Give maldet, chkrootkit and rkhunter a spin. Plus AIDE for file changes.

@ Nick P

He's actually right: the head of a pentesting firm said the same thing.

I get what he says about kernel and userland stuff, but what's the point if the bloody thing by design is sending out pretty much everything you're doing on it?

Nick PDecember 7, 2015 7:30 PM

@ Dirk

That assumes that all threats are equal. Gathering information != controlling your PC. Microsoft and U.S. TLA's != foreign ones for people here at least. So, it's basically who you want to be hit by unless you're an advanced user. Linux not defaulting on sending lots of data is a plus, though.

65535December 7, 2015 8:03 PM

@ Peanuts

Good addition to the M$ spyware list -KB 3112343. I have book marked it. Thanks.

@ AmazonDataTracking

I’ll give both the Privacy Setting extension and Policeman a go. Thank you.

@ Cats Think You Are A Cat and HTDYFWOS

Is this the original article?

http://www.reuters.com/article/us-cybersecurity-hospitals-idUSKCN0HJ21I20140924

@ Benni

Thanks for the translated version. I did translate the German version with some success.

“It wouldn't be difficult for intelligence services to tap the connections either, given that the ground stations used to feed the satellite signals into the cable networks are also located in European countries, including Cyprus (Avanti) and Italy (Eutelsat).” -Spiegel

http://www.spiegel.de/international/world/islamic-state-uses-satellite-internet-to-spread-message-a-1066190.html

This brings up and important question. Does the NSA/FBI/GCHQ know the GPS locations of these ISIS mouth pieces? Are these Agencies actually doing something about them?

@ L. W. Smiley

Rubio is ether an ignorant party hack or in bed with NSA.

[next see link]

@ CarpetCat and Joe K

I agree with Joe K and emptywheel. The NSA/FBI data collection has expanded not decreased. The Agencies have access to all voice and digital data.

https://www.emptywheel.net/2015/12/06/why-the-aps-call-record-article-is-so-stupid/

The problem with the NSA/FBI is too much "hay" being constantly added to the hay stack – the needle is next to impossible to find.

I think both the NSA and FBI probably have the full conversations of the husband/wife killing team [and the meta data plus, passport data and so on].

@ Dirk Praet

“Windows Firewall Control is a powerful application which extends the functionality of the Windows Firewall and provides quick access to the most frequent options of Windows Firewall. It runs in the system tray and allows user to control the native firewall easily without having to waste time by navigating to the specific part of the firewall. This is the best tool to manage the native firewall from Windows 10, 8.1, 8, 7, Vista, Server 2008, Server 2012. Windows Firewall Control offers four filtering modes which can be switched with just a mouse click”

http://www.binisoft.org/wfc.php

Nice catch. I’ll give it a go. Is the .exe a stub executable [or the full package]? Thanks.

JacobDecember 7, 2015 8:18 PM

Crypto War II:

Pres. Obama doesn't take a forceful stand on the issue, so FBI Director Comey actively pursues his goals with increased vigor.

Marcy Wheeler shows how someone in the government (Comey?) uses the AP news network to trumpet his views on the need to rein in encryption, and it seems that the network is happily joining the party, connivingly misleading the public in the process:

https://www.emptywheel.net/2015/12/06/why-the-aps-call-record-article-is-so-stupid/

JacobDecember 7, 2015 8:27 PM

@65535

The WFC download by Binisoft is the full program - not a stub. A very good program created by a very attentive man, who runs a very active forum for the program on wilders security.

Please note that the free program lacks an important multi-level notification feature. I strongly suggest to donate the $10 and get it registered for all your personal machines.

Nick PDecember 7, 2015 10:06 PM

@ tyr

I lack the knowledge to evaluate it. However, the actual paper is here. A more recent use of GA's on common components is here.

65535December 7, 2015 11:46 PM

@ Jacob

“The WFC download by Binisoft is the full program - not a stub. A very good program”

Thanks. I have downloaded the free version.

“Please note that the free program lacks an important multi-level notification feature. I strongly suggest to donate the $10 and get it registered for all your personal machines.”

That is probably good advice. Can it be paid with Bitcoin [I did not see a Bitcoin symbol only paypal]?

FigureitoutDecember 8, 2015 12:56 AM

tyr
--"Timmmm"'s comment did some peer review: "Yeah I did a presentation on that guys circuits once. Would have been nice to have the actual outputs of the chips rather than random film shots.
Some more details: I think it was suspected that the ‘unconnected’ cells affected the others via the power rails. The circuits were also temperature dependent and didn’t work very well at high or low temperatures. I think each test took 5 seconds and the whole experiment lasted weeks.
Also I think the first paragraph is a bit confusing. E.g. the chips didn’t mutate ‘as predicted’ – the mutation was programmed deliberately."

So programmed mutation, if that's the case, is quite less interesting. Still, freaky...

Clive RobinsonDecember 8, 2015 4:30 AM

@ tyr, Nick P, Figureitout,

From the article,

Five individual logic cells were functionally disconnected from the rest— with no pathways that would allow them to influence the output— yet when the researcher disabled any one of them the chip lost its ability to discriminate the tones. Furthermore, the final program did not work reliably when it was loaded onto other FPGAs of the same type.

And this is the reason I don't trust on chip TRNGs... Especialy when the designers try to hide their design failings behind Crypto algorithms.

Also ask yourself if an entropy pool would act like a resonator?

The simple answer is "All it requires is a feedback path with sufficient sensitivity/gain.". Which is what the five gates demonstrates exists...

So sit back and ask yourself if such systems could be charecterised in some way (probably yes). Then ask yourself if the likes of the NSA are sufficiently ahead in that game (they do have the resources to do it).

Personaly I would rate the NSA's chances of success down this route greater than that of getting QC working to the level required to make it usefull...

Oh and the way the article goes on to ask what the mechanism might be go have a read up on metastability.

Put simply all logic gates are analog circuits with high gain thus high sensitivity around the switching point. The consequence is occasionally the gates don't do as expected in certain design elements (about 1 in a billion with flip flops). As far as I'm aware there is no way to stop this behaviour, only mitigate the probability downwards by chaining circuits.

Oh and one down side of chaining circuits, is it adds to delay times which ultimately means slower performance. But before we get to that limit it effectivly means increased piplining, which increases the metastability probability, thus... Catch 22.

ianfDecember 8, 2015 6:30 AM


Oh, Clive Robinson, you wordy snake charmer, did you take time off your busy squeezing schedule to inform me of the one true etymology of, and/or to rectify my by-you-incorrect use of the expression lingua franca?

    If so, I'm moved, MOO-VED, the whole bovine nine yards as our brothers the Yanks say it, and do they mean it. Honestly, the last thing I expected here is someone actually caring for my conformance to the high standards of the comprehensive English education.

That your elucidation was of a somewhat misplaced type is neither here nor there, because it's the thought that counts, and not the fact that you chose to concentrate on just the phrase, rather than look it over in the context that I (ab)used: “global spread of English making it the lingua franca of, etc.” This made my instance into a metaphor for "a common language," as were I to say, say, “English is the lingua franca of the Internet,” and not just a sophisticated ornament to my utterance. In any event, my meaning was far closer to common usage, than to your nominal, lexical (and correct) explanation. But thanks the same, from now on I'll permanently be on my writing toes.

lingua franca » a language used for ​communication between ​groups of ​people who ​speak different ​languages
The ​international ​business ​community ​sees ​English as a lingua franca.

p.s.you don't want to cross the CED crowd, they'll retaliate by sicking the London rezidentura on you.

[…] The latin of the ancient Romans was long gone by the 1600s and we have little idea how it was actually spoken, though like Egyptian hieroglyphs we can read it quite well.

Aural reconstruction of spoken tongues is a staple in the study of linguistics, and, while we indeed have no actual recordings prior to 1870, there are reigning theories as to how to "walk the cat back from text to its once-pronunciation." Some of these result in spectacular, though to our ears hard to comprehend, verbal enunciations—as were we listening to Monty Python impersonating R2D2 trying to calm down an ostrich. Or something.

Dirk PraetDecember 8, 2015 6:53 AM

@ Nick P

So, it's basically who you want to be hit by unless you're an advanced user.

I don't wanna be hit by no one, especially not by corporations and government agencies, either foreign or domestic. It goes against everything I believe in, even more because contrary to criminals they can get away with it, even when caught with their pants down.

Nick PDecember 8, 2015 8:32 AM

@ Dirk Praet

There's nothing in existence that meets that requirement without a potential subversion. You have to simply not use computers. Otherwise, you're using insecure software from groups ABC on hardware supplied by espionage-loving XYZ while trying to configure both at SW level to reduce risks from subversions, hacks, or leaks. I haven't seen a clear way to do that in a decade.

Outside of custom SW/HW combos, there's nothing to meet your requirement. Any strategy is basically an obfuscation strategy hoping they don't have an attack for a particular setup.

Clive RobinsonDecember 8, 2015 8:34 AM

@ ianf,

Oh, Clive Robinson, you wordy snake charmer, did you take time off your busy squeezing schedule to inform me of the one true etymology of, and/or to rectify my by-you-incorrect use of the expression lingua franca?

No it was something I just dashed off. Oh and by the way it was not your usage of "lingua franca" that I was pointing out was wrong. You atributed it to the wrong language, it was "Italian" not "Latin" which you claimed it to be.

@ Wael,

So we can strike ianf off as being a native speaker of Italian, and being educated in Latin which narrows the search down.

Now what was it that the good Cardinal said, was it a dozen or half dozen lines? ;-)

jb24ADecember 8, 2015 9:02 AM

@jb24 re Dirk's 6:44 answer to, Are there best practices to determine if you have malware in linux for the home user?

"Give maldet, chkrootkit and rkhunter a spin. Plus AIDE for file changes,"

to which you can add various combinations of

- logwatch
- unhide
- nmap, psad, and unhide-tcp
- Auditing suites: tiger, lynis or bastille
- firejail's trace option
- yara
- OSSEC, Samhain, or OSIRIS and tail the log

Not that you must always use all of it, but all of your collaborators should use some of it. Greatly complicates CNE.

BoppingAroundDecember 8, 2015 9:39 AM

re: Windows Firewall

wf.msc that comes prepackaged [A] is quite alright, assuming you've wiped out
all the rules that come preinstalled and set it to block everything [B].

However, beware. Some programs (esp. games) tend to automatically add rules to
allow themselves access to the network. I have no idea if this can be
disabled.

It also seems to lacking the so-called 'learning mode', unless it's somewhere there
I never bothered to look. But if you know what to do, perhaps that won't hinder you much.

65535,
> Nice catch. I’ll give it a go. Is the .exe a stub executable [or the full
> package]? Thanks.

I would assume it is the full package — it's a .NET program; that explains the size.
You might need to install/update .NET Framework though.

------------------------------------------------------

[A] I have no idea if it is available on all editions of Windows OS.

[B] Another thing to pay attention: there are 3 profiles that must be
configured in order to set the firewall into block-all mode.

WaelDecember 8, 2015 12:13 PM

@Clive Robinson,

So we can strike ianf off as being a native speaker of Italian, and being educated.

He does come across as a Romantic Language native speaker :)

Clive RobinsonDecember 8, 2015 12:49 PM

@ Wael,

Hmm,

    So we can strike ianf off as being a native speaker of Italian, and being educated.

That's not all I said, and where did the full stop come from? Somebody might think you were being mischievous.

WaelDecember 8, 2015 1:01 PM

@Clive Robinson,

Was an honest mistake. I'm not as nimble typing on a phone as you are.

Dirk PraetDecember 8, 2015 1:39 PM

@ Nick P

There's nothing in existence that meets that requirement without a potential subversion.

No argument there. I'm just saying that I can't recommend or even remotely label secure by any standard an OS that by design and philosophy is a swiss cheese, beit that only the vendor knows the holes.

@ JB24A

... to which you can add various combinations of ...

Most of which I am using too.

@ Clive, @ Wael

So we can strike @ianf off as being a native speaker of Italian, and being educated.

He's Irish. Or one of his parents is. And has studied literature, probably even theatre in the UK. His writing style often reminds me of an acquaintance who did several years at the Royal Academy of Arts.

BenniDecember 8, 2015 1:47 PM

Backdoor in McAfee

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8024

https://kc.mcafee.com/corporate/index?page=content&id=SB10137&actp=null&viewlocale=en_US&showDraft=false&platinum_status=false&locale=en_US

A specially crafted username can bypass SIEM ESM authentication (password is not validated) if the ESM is configured to use Active Directory or LDAP authentication sources. This can result in the attacker gaining NGCP (master user) access to the ESM.

tyrDecember 8, 2015 2:28 PM


FPGA:

That makes a lot more sense. If you see an anomalous result
and decide it is some mysterious property of your procedure
rather than an a chance coincidence in the individual FPGA
you can be led down the primrose path into woo woo land.

It's not the first time it has occurred and it won't be the
last. We've got to where we are in science by being wrong a
lot more than being right.

Clive RobinsonDecember 8, 2015 2:35 PM

@ Wael,

    Was an honest mistake. I'm not as nimble typing on a phone as you are.

And let me guess you've got auto correct, hints and auto compleate on, hence the apperance of the unexpected full stop.

Trust me you will soon turn them off, or the phone will become an Unidentified Flying Object, when you hurl it out the window with frustration. Been there nearly done that :-(

Iphone SecurityDecember 8, 2015 3:07 PM

Relatively speaking, regardless of other issues or features, from a security perspective is there a preferred device(s) among the iphone:
5s, 6, 6 plus, 6s, or 6s plus?

ps. previously posted on Blackberry Leaves Pakistan ...

WaelDecember 8, 2015 3:40 PM

@Clive Robinson, @Dirk Praet,

And let me guess you've got auto correct, hints and auto compleate on, hence the apperance of the unexpected full stop.

I have autocorrect on, but I explicitly added the period after the copy and paste by mistake.

He's Irish. Or one of his parents is. And has studied literature, probably even theatre in the UK. His writing style [...] Royal Academy of Arts.

Holly Sh#t! You got him to this level? Could he be a "she"? If you are correct that would be most impressive. But...

[R-rated language in the link] Even if it walks like a duck and quacks like a duck, it quite often turns out to be a goose... Oh, the art of deception that's causing a lot of troubles ;)

Dirk PraetDecember 8, 2015 8:14 PM

@ Wael

You got him to this level? Could he be a "she"?

I don't think so. But I am 95% sure @Skeptical is.

ianfDecember 9, 2015 1:04 AM


@ Clive Robinson, (Wael, Dirk Praet)

[…] “You atributed [lingua franca] to the wrong language, it was "Italian" not "Latin" which you claimed it to be.

Figures ("something you just dashed off"). Had you stopped for a mo to reflect upon it, you'd have realized that this particular phrase is a foreign borrowed idiom in most predominantly Romanic & Germanic languages, including—yes!—Romanian, Danish, French and English. Only the pronunciations differ, which you can hear for yourself in the translator below (click the tiny loudspeaker icon, there are subtle vowel differences even between Italian and Latin).

http://translate.google.com/m/translate#la/en/lingua%20franca
http://translate.google.com/m/translate#ro/da/lingua%20franca

But ORIGINALLY it came from Latin, AS WELL YOU KNEW. So what was your point—I'm asking because I can't see it, which means that either there wasn't any there to begin with, or it went AWOL.


we can strike ianf off as being a native speaker of Italian, and being educated in Latin which narrows the search down.

“You could very well say that, I couldn't possibly comment.” Still, if there's to be any striking off of myself, (or even just stroking,) I INSIST ON being notified of it in advance, so I can mount a counter-strike initiative, level IV. That out of the way, WHY AM I EVEN A HERMENEUTICAL TOPIC here, and then one among all these dead squid and/or North Koreans.


@ Wael “So we can strike ianf off as… being educated.” [period essential]

Henceforth that shall be known as a Waelian slip, expression of inferiority complex over education envy, never mind any here after the fact technical "fingerklutzy" mea-culpas (that ALSO IS Latin.)


@ Dirk Praet

[ianf]'s Irish. Or one of his parents is. And has studied literature, probably even theatre in the UK. His writing style often reminds me of an acquaintance who did several years at the Royal Academy of Arts.

It is t.h.a.t. O.B.V.I.O.U.S? Gosh! (that's the closest we atheists have come up with for a non-godly-yet-somehow-spiritual invocation to a vacuous higher authority), there must be something to telepathy, as not a week ago I was thinking "why didn't my parents send me to this theatre stage school despite my then next door neighbors—a cab driver and a seamstress—sending their son, a pal of mine, there? I'll have to work harder at dressing up the real.

But there is a grain of truth in it… and a hint to my "true" id hidden in plain view by the plinth of Oscar Wilde's tomb @ the Père Lachaise cementary in Paris. In fact, a fave pastime of mine is to park myself at a nearby grave and half-surreptitiously watch the cavalcade of exaltedly esoteric OW mourners, you'd be surprised at the demographic/ gender makeup of them [the tomb is on CCTV, mind, so no overt digging for clues.]

As for the RA, #fuggedaboutit. These days you practically have to be Ai Weiwei to get a foot in the door there… even if all one desires is a measly Honorary degree… what I might've said in the Grauniad already. Watch it though, could be a false trail, ye suspicious gits.

    Anyhoo, that out of the way, there's some heavy-duty debunking coming down your—yes, your—way, as I'm slowly but steadily clearing up the backlog.

WaelDecember 9, 2015 2:31 AM

@ianf,

expression of inferiority complex over education envy

That's Latin, darling! Evidently Mr. ianf is an educated man! [1]

Anyhoo, that out of the way, there's some heavy-duty debunking coming down your—yes, your—way, as I'm slowly but steadily clearing up the backlog.

I'm on pins and needles awaiting your Magnus Opus! Hoka hey, bring it on! And that, Amicus meus, isn't Latin! How confusing!

[1] One of my all-time favorite movies...

CuriousDecember 9, 2015 2:50 AM

"Belgian ban on Facebook cookies should apply to all of Europe, privacy watchdogs say"
http://www.pcworld.com/article/3012283/belgian-ban-on-facebook-cookies-should-apply-to-all-of-europe-privacy-watchdogs-say.html

According to PCWorld:
"European data protection authorities want Facebook to stop using cookies to track people who don't have a Facebook account."

Something about a "datr" cookie that Facebook is said to be using.

"The Privacy Commission's objection to the datr cookie is that Facebook sets it in the browser of anyone who visits the site facebook.com -- perhaps to check out the public web page of an event -- but then receives it each time that browser is used to visit any webpage containing a Facebook social plugin, such as a Like button, even when the visitor doesn't have a Facebook account."

I am reading that Facebook entertains the idea of disallowing visitors to view facebook, unless logged in, to maintain security against unauthorized login attempts. Fine with me! :)

CuriousDecember 9, 2015 2:58 AM

Microsoft disclosed the private key for *.xboxlive.com, allowing for man-in-the-middle-attacks if I understand this correctly.

"Inadvertently Disclosed Digital Certificate Could Allow Spoofing"
https://technet.microsoft.com/en-us/library/security/3123040.aspx

I thought the timing of this was suspect, after the non-issue in media of suggesting that gaming consoles were used for communication for the Paris bombings/shootings, though I don't see when this private key was supposedly disclosed.

Clive RobinsonDecember 9, 2015 4:06 AM

@ curious,

I thought the timing of this was suspect, after the non-issue in media of suggesting that gaming consoles were used for communication for the Paris bombings/shootings...

I'd have a look at the list of Windows OS's it effects... At a quick glance it's the End of Life still supported platforms.

With the recent pushing of Win10 and it's ET "Comey Frontdoor" behaviour, there could be other explanations, if you are looking for potential mal-intent by Microsoft.

I must admit that MS not indicating when the certificate loss was and how it was lost is not very encoraging to put it mildly.

Fascist NationDecember 9, 2015 11:02 AM

http://www.scientificcomputing.com/news/2015/12/untraceable-text-messaging-system-comes-statistical-guarantees?et_cid=4989237&et_rid=45529130&location=top

Untraceable Text-messaging System Comes with Statistical Guarantees

.... "At the Association for Computing Machinery Symposium on Operating Systems Principles in October, a team of MIT researchers presented a new, untraceable text-messaging system designed to thwart even the most powerful of adversaries.

The system provides a strong mathematical guarantee of user anonymity, while, according to experimental results, permitting the exchange of text messages once a minute or so." ....

Dirk PraetDecember 9, 2015 12:13 PM

@ Wael

I'm on pins and needles awaiting your Magnus Opus!

Magnum opus. Opus (plural: opera) is neuter, not male. I'm a real git when it comes to Latin.

@ ianf

These days you practically have to be Ai Weiwei to get a foot in the door there… even if all one desires is a measly Honorary degree

Not really. Even an obscure Belgian and fellow Jack Daniel's drinker from the pub around my corner can get an honorary doctorate at the RCA and curate a James Ensor exhibition at the RA.

WaelDecember 9, 2015 12:20 PM

@Dirk Praet,

You're right! I actually noticed after I posted it (a day later.) I was honestly going over a chess game by Magnus Carlsen which may have influenced my typing... Some sharp eyes you got ;)

hexadecimalDecember 9, 2015 5:40 PM

actually the title is slightly potentially misleading...it's not "Google's Quantum Computer" but "D-Wave Quantum Computer"

It Works! Google's Quantum Computer is '100 Million Times Faster' than a PC
http://thehackernews.com/2015/12/fastest-d-wave-quantum-computer.html

Anyway here's Google's own entry about the subject:

http://googleresearch.blogspot.in/2015/12/when-can-quantum-annealing-win.html

And an arxiv.org paper released about the findings:

http://arxiv.org/abs/1512.02206

ianfDecember 10, 2015 9:46 AM


@ Paul: ?what? squid insurrection would that be?

Other than that… OT: A SAD DAY FOR OPEN SOURCE SOFTWARE: Mozilla nixes Firefox OS, bowing out of mobile race

    (I've never seen any Firefox OS devices… were they any good? Too bad they never took off anyway…)

[…] For the Firefox OS to be successful, app developers would have had to embrace the [HTML5] platform more enthusiastically. Although in theory any HTML5 Web app works on a Firefox OS phone, it's not that simple. The apps would still need to be fine-tuned to use mobile hardware such as gyroscopes and cameras.

Firefox OS is an open-source project, so it is possible part of it will live on in some form. Mozilla said its Firefox OS team would remain intact and "continue to work on the new experiments across connected devices."

Firefox OS borrows much from the Firefox mobile browser and Gecko application framework, which is used to render Web pages and display applications. The platform underpinning Firefox OS, called Boot to Gecko (B2G), borrows 95 percent of its code from the mobile browser and Gecko.

The mobile OS uses a Linux kernel, which then boots into the Gecko runtime. The top layer of the technology stack, called Gaia, generates the interface seen by users. […]

John Galt IVDecember 10, 2015 11:49 AM


http://www.businessinsider.com/legal-hacking-gadgets-for-sale-online-2015-12

unrelated comment

the spook rat bastards recently reflashed my cable modem, in addition to last year having reflashed BIOS and hard drive microcontroller on two of my machines. as noted previously, my only thought-crime has been using TOR. other than that continuing misdeed, my work generally is not of interest to nation-states.

I'd like to see a little more discussion of tools for fixing the firmware and for locking down settings to prevent recurrences. Also noted previously, I am very happy with the overall level of discourse and the broad philosophical perspectives provided here.

Nick PDecember 10, 2015 12:14 PM

@ Markus Ottela

Neat demo. The image transfer particularly brought back memories of Usenet and BBS's haha. Hopefully combining the popular NaCl with your endpoint approach will improve uptake.

Nick PDecember 10, 2015 12:54 PM

@ Clive Robinson

Looks like NCC Group just acquired Fox-IT. Now they have high assurance under their belt among everything else. Found their escrow stuff interesting in light of discussions on proprietary, but shared source, software verification. Fox has some solid stuff, though.

In any case, I know that Fox-IT does a combination of general INFOSEC and classified work for Dutch government. How do you think the latter plays out in an acquisition by a British company? It gets spun-off? It remains with only Dutch personnel/offices allowed to work on it? I've never thought about how that situation might play out.

Dirk PraetDecember 10, 2015 1:55 PM

@ Nick P, @ Clive

In any case, I know that Fox-IT does a combination of general INFOSEC and classified work for Dutch government. How do you think the latter plays out in an acquisition by a British company?

Fox-IT at some point found a way to detect Qantum Insert attacks, found and cleaned up the GCHQ Belgacom intrusion and - if I recall correctly - were also on some other Belgian high profile case. No need to draw a picture, I presume.

ianfDecember 10, 2015 5:12 PM

@ John Galt IV

the spook rat bastards recently reflashed my cable modem, in addition to last year having reflashed BIOS and hard drive microcontroller on two of my machines.

I do not question your assertions, but am curious: how could you tell?

Far as I know the only way of detecting it would be having the original hash and checksum of the device's BIOS (or the microkernel?), and the means of periodically—once a day?—extracting the same from the device, and doing a diff on the pair. Or are there other, more straightforward, methods to detect it?

JustinDecember 10, 2015 5:49 PM

@hexadecimal

I'm having a hard time believing anything read about that D-Wave. Geordie Rose and team are full of hot air. They claim their "quantum computer" is capable of "quantum annealing" to solve certain optimization problems, but they don't offer any theoretical explanation of what "quantum" annealing is, or why it is or should be (asymptotically) any better or faster or cheaper than the best known classical algorithms for "annealing."

And as far as their qubits go, it's not clear to what extent if any they are mutually entangled in a specific quantum mechanical sense, of if it's a bunch of jumbled chaotic electrical currents that are supposed to settle in a certain pattern in a solution to a certain problem, in which case "analog annealing" would perhaps be a better description.

I'm sorry but I demand hard evidence after all the confusion that has been sown regarding D-Wave's capabilities. Pretty charts don't convince me. Where is the actual data, the actual code, the actual problem instance, actual head-to-head hardware spec comparisons? And finally how reproducible is this experiment? This thing is said to cost megabucks, only one or two have ever been built, and only "true believers" have access to program it and perform experiments.

Google can afford it because for them it's a publicity stunt. It's no different from Andrea Rossi with his cold fusion/LENR and his cadre of fools soon to be parted from their money.

AnuraDecember 10, 2015 6:56 PM

@Justin

Geordie Rose and team are full of hot air. They claim their "quantum computer" is capable of "quantum annealing" to solve certain optimization problems, but they don't offer any theoretical explanation of what "quantum" annealing is, or why it is or should be (asymptotically) any better or faster or cheaper than the best known classical algorithms for "annealing."

They don't explain what quantum annealing is in most articles because most people won't understand it. You can go to this page and see if it looks like gibberish to you:

https://en.wikipedia.org/wiki/Quantum_annealing

As with most things requiring a quantum mechanics background to understand, to most people it will be gibberish.

If you want a code sample, this describes the algorithm for the well-known map problem, and provides code samples in the appendix.

http://www.dwavesys.com/sites/default/files/Map%20Coloring%20WP2.pdf

JustinDecember 10, 2015 8:07 PM

They don't explain what quantum annealing is in most articles because most people won't understand it.

This guy seems to understand it, (despite the silly title of his blog,) he doesn't have much trouble explaining it, and he links to all the important technical sources.

You can go to this page and see if it looks like gibberish to you:

https://en.wikipedia.org/wiki/Quantum_annealing

Umm, a lot of Wikipedia is gibberish. It seems to be edited by various "experts" who more than occasionally retract their own or others' claims, sometimes to the point of "edit wars," which are often rather entertaining, but rarely very informative about the subject matter of the article. Are Willy on Wheels and other random Wikipedia editors really experts on quantum mechanics? Still of course a lot of gibberish, but there are probably better articles somewhere like http://arXiv.org/ .

FigureitoutDecember 10, 2015 8:48 PM

Markus Ottela
--Nice, would like to see it running for a longer time (I thought I saw it change the timing of sending). What's up w/ your desktop eh? Like deer or something? :p And have you thought about RasPi Zero for TFC? That'd be fun to try (I'd pull the trigger too and try it b/c money), and could fit in a nicer mobile formfactor too...Having that isolation on something besides your home network would be nice...

ThothDecember 10, 2015 11:09 PM

@Markus Ottela
Neat to see yet another crypto library (NaCI) working on TFC. Do you have a protocol for the key exchange and all that ? Are the packets sent at fixed length as they look pretty uniform ?

I find it a pain that most modern crypto messaging apps are really bulky. This hinders very compact implementation onto hardware implementation. I have looked at OTR, TextSecure/Signal ... they are just too bulky and requires multiple runs to get a message across.

ThothDecember 10, 2015 11:38 PM

@Nick P

"Looks like NCC Group just acquired Fox-IT. Now they have high assurance under their belt among everything else."

Seems like Britain is strengthening it's "Securopoly" status (yes a mesh of Security and Monopoly). How many security stuff are UKSUAFrenchGerman controlled... It simply sounds... uncomfortable.

Considering that Fox-IT's main product is it's data diode, it means UK wants to ensure their supply of data diodes are fine and probably control other's access to data diodes and high assurance stuff. Probably just paranoia of sorts but every move the UKUSAFrenchGerman moves, it affects world events greatly and as history have shown... it usually ends in tragedy of sorts.

Nick PDecember 10, 2015 11:48 PM

@ Thoth

If I were them, I'd be more interested in Redfox and other hardware solutions deployed in sensitive uses. Note also that Fox-IT also maintains the OpenVPN implementation that many governments might use. That said, it's probably just NCC trying to acquire more tech and expertise for their portfolio. This is first time I've seen them acquire a company doing "real security." (aka high assurance)

Clive RobinsonDecember 11, 2015 4:29 AM

@ Nick P,

Re : Fox-IT

I'm realy not sure what to make of it, but I don't like it from a security or monopoly position.

As Bennie and others have pointed out too many security firms have too many "controling forces" that appear to be fronts for various countries intelligence agencies. The Germany IC for instance has way too many fingers in the few security technology pies there are for anybody who has thought about it not to feel uncomfortable about the situation.

But from a market point of view if you don't have sufficient truly independent companies then you end up with effective cartels or outright monopolies. Which is very harmfull for consmers not just on pricing, but the lack of "hybrid vigour" as well.

Which comes directly back to being a serious security issue, the old "all for one and one for all" might be good for the team but it carries the ruinous risk of "group think" which causes all sorts of further issues.

So from my point of view it's not good.

ThothDecember 11, 2015 6:53 AM

@Nick P, Clive Robinson
Does it make sense that most of the Semi-Conductors have hands of their nation states fiddling with internal affairs ? Put it simply, the very few variations of manufacturers and most with ties to nation states ... isn't most of our Security fall under monopoly since a long time ago ?

I wonder if techniques and equipment to setup your own Semi-Con plant require very deep internal ties with powerful nation states and Semi-Con manufacturing techniques are classified as State Secrets or equivalent which prevents most nations from running their own R&D on chips thus leaving only a handful of Semi-Con in existence which creates a global handicap and reliance.

Clive RobinsonDecember 11, 2015 10:39 AM

@ Thoth,

Put it simply, the very few variations of manufacturers and most with ties to nation states ... isn't most of our Security fall under monopoly since a long time ago ?

Yes and no, the cost of setting up a modern fab lab is way beyond the financial capabilities of near enough two hundred of the world's countries. Worse fabs have a quite limited lifetime and just don't make money as techbology moves on. The older fabs almost give away chips at cost just to keep the lights on.

Such econimics squeeze out all but specialised manufacturers very quickly. Hence the fall prey to "The law of the market". Chip conpanies have kind of fallen into designers and producers. With designers falling into macro builders and macro consumers.

Virtually nobody actually sees inside the chips only marginaly more see into the macros, thus there is a huge ability to "hide in plain sight" because the chips are now up above effective human eye optical abilities.

It's been shown experimentaly that less than a thousand gates are required to backdoor a chip.

So yes it's more than possible to do so. The question then falls to "Has it been done?" and "Would we spot it?". And this is where it all goes into guess work.

What we do know is the manufacturer of the worlds most popular serial USB device, was tired of all the "Knock off" chips and sent out a driver update that bricked some of the fake chips... It did not go down well, most of the many people adversely effected blaimed them not the fake chip makers.

So we know the answer to "Has it been done?" is the wrong question, because fake "knock of chips" are out there, so we know it can be done relatively trivially. But nobody has reported finding anything other than criminal "knock offs"...

Which brings us to the "Would we spot it" question, the answer is I suspect as with the USB chip "no not until the side effects appear".

Wgich is why the US DoD started sponsoring research on how to spot chip backdoors etc before they become activated. As the research started and dropped of the grid we can assume one of two things. The first is that there is no reliable way so funding stopped. The second is it worked well and has had it's funding shifted into a black account or similar...

Of course there is a third posability, the research produced "dual use technology" and the DoD have been recruiting staff into the supply chain of all the worlds chip production....

You just don't know, and I'm sure Nick P, has more knowledge of what has happened simply because he keeps his eye on research authors and the work they publish.

WaelDecember 11, 2015 11:51 AM

@Nick P, @Clive Robinson, @Thoth,

Backdoors have another meaning.

"I wouldn't call it subterfuge, but it would be an interesting back door for China to get its hands on crucial U.S. semiconductor technology

@Nick P, you may find yourself aligned with NSA in the future ;)

Nick PDecember 11, 2015 12:18 PM

@ Clive

I agree with your position that it increases influence and potentially predatory behavior. My main question, though, is what you thought of a company with classified stuff plus all segmentation that requires changing ownership to a different company. I'm guessing they keep the classified contracts. So, how do you think that works out operationally with the trust issues? Forced to use dedicated buildings and personnel? Separate team that forks their stuff for that project? I'm curious enough to send an email to HN commenter I know that works over there but I figured he'd just say nothing per policy as usual. ;)

re DOD and fabs

Of course there is a third posability, the research produced "dual use technology" and the DoD have been recruiting staff into the supply chain of all the worlds chip production.... You just don't know, and I'm sure Nick P, has more knowledge of what has happened simply because he keeps his eye on research authors and the work they publish.

Actually, they seem to just be applying more security processes and using local fabs or manufacturing. This is after they freaked out realizing many of their components were counterfeit. They're also, mainly via DARPA, funding tons of tech to attempt to detect subversion at the chip level with untrusted fabs. So, you could say they're being desperate and typical about it rather than sneaky.

Whereas, I believe it was a Chinese fab that was involved last time there was a subversion that involved actual fab processes. And China just committed a staggering amount of money to semiconductor industry mainly for memory chips but undoubtedly affecting other things as a side effect. They already have fabs at every key process node plus cheap labor and good education is sending most RTL work their way. Many top startups in fabless are Chinese as well. If anyone, the Chinese seem to be strategically positioning themselves to both soak up the semiconductor market and be able to subvert it at about every level.

The only thing lacking, which makes up much of my recent research, are the overly complicated fab tools. I've already published the solution to that many times: buy Mentor Graphics. They're the underdog with undervalue and somewhat underperforming while having decent to great EDA for anything you need. Their existing tech combined with Chinese labor costs, academic work, and I.P. theft (let's be honest haha) would give fabless Chinese companies what they needed with few to no trust issues. They might also give Chinese firms free EDA for first 3 years to subsidize startups.

Regardless of how it works, the Chinese need the EDA and they need it today rather than the 10-20 years of 9-digit R&D it took to get to current state. They have about everything else and cheaper than competition, too.

@ Thoth

What Clive nearly got at but missed was DARPA & others ties with chip industry. Like he pointed out, the stuff rapidly advances, has high cost, and hardly anyone could afford it. So, big governments often sponsor R&D work for the companies or even academic I.P. or startups that will later be acquired by them. Someone previously posted a book I might still have a link to about the Strategic Computing Initiative that U.S. government did that led to much of what we had at a certain point. And still nobody's heard of it...

So, the semiconductor industry depends heavily on governments for R&D. I haven't seen evidence that these come with backdoor agreements. On the contrary, all detected subversions and attacks presume the integrity of the fabrication process. They're certainly doing "trusted foundry" programs just in case. However, if there's deals, they'd be unofficial and targeted by specific organizations to specific semiconductors. The larger the semiconductor vendor, the harder that would be to pull off if the semiconductor vendor didn't want to play ball. That it's such a giant unknown is why I advocate more work in dealing with such issues.

@ Wael

That's exactly what I was talking about to Clive and about to post before I saw yours in the revision. Synchronicity again, eh? The massive investments they're dropping in are straight-up about leveraging their strong government/industry partnership to capture the semi markets. Once in control, they both benefit economically and with greater control for intelligence purposes.

you may find yourself aligned with NSA in the future ;)

It's a disturbing possibility I've considered. However, the Japs have about as many nodes as the Chinese do. Plus, there's German and U.S./Arab combos to consider. Japs and Germans would love to have a differentiator against the Chinese. U.S./Arab has potential to hold off subversion with mutually-suspicious parties. Remember, though, our hardware guru taught us it's the design->maskmaking->fab hand-offs and builds that are primary spot for subversion. My fab security models don't require control of or trust in them at all outside black-box methods. Masks have to be right, though.

WaelDecember 11, 2015 12:47 PM

@Nick P,

design->maskmaking->fab hand-offs and builds that are primary spot for subversion.

What, besides interdiction, does that leave out then?

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.