Friday Squid Blogging: Squid Christmas

Squid sighting in this Christmas cartoon.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. And Happy Christmas for those who celebrate it.

Posted on December 25, 2015 at 3:00 PM • 130 Comments

Comments

Alien JerkyDecember 25, 2015 5:25 PM

How to Kill Cortana

If you do not like that microsloth Windose 10 spyware program called Cortana, here is a simple way to remove it:

First, if you tried to uninstall, or even simply disable Cortana from Task Mangler.. er Manager... you will notice that it will re-enable itself after a couple of seconds. Although Microslow claims it is an integral part of windose, it can be removed without affecting the operation of Windows. Seems to me it is integral to Makeitslow's business plan, not so much the operation of system.

Using the file manager is pointless. They added code to prevent you from removing anything they want you to keep. So here is how I successfully removed Cortana from my Windows 10.

Make a boot cd of Linux Mint (or your favorite flavor of linux)

http://www.linuxmint.com/download.php

Boot from the CD.

Using the Linux Mint file manager, open the C drive that has the windows operating system.

Open the Windows folder.

Open the SystemApps folder

To do this safely, and reversibly, we are simply going to modify the names of a few files. I simply prepended four XXXX to the front of the names. This allows for easy finding of the names you modified, and can be reversed if desired by simply removing the XXXX from the file name. Modify the names of the following

Microsoft.Windows.CloudExperienceHost_.... (there will be a unique number at the the end of the names. not relevant. just put four XXXX in front of the name like this

XXXXMicrosoft.Windows.CloudExperienceHost_....

repeat for the following

Microsoft.Windows.Cortana_....
Microsoft.XBoxGameCallableUI_.... (if you are not using this on an XBox)
Microsoft.XBoxIdentityProvider_....
ParentalControl_.... (really, you are probably an adult)

Change to the Windows/System32 Folder. Put XXXX in front of the following files

Cortana.Persona.dll
CortanaMapiHelper.dll
CortanaMapyHelper.ProxyStub.dll
Windows.Cortana.Desktop.dll

Shutdown the computer, remove the boot cd, reboot.

Cortana no longer exists in your Windows 10.

I played with various operations in Windows since doing the removal. Other than a 5-10% increase in speed, I see no issues with doing the removal.

More Fun

If you tried to uninstall OneNote and other programs you do not want, you will find that using the windows program uninstaller does not allow such. Using CCleaner (piriform.com) you can uninstall all the unwanted bloatware that Microsoft puts into the operating system. I tried simply deleting all the folders, but that caused registry problems. Using the thrid party uninstaller did the trick. Then using the Linux Boot CD and file manager I deleted all references to those unwanted programs. Highly recommend doing a system backup before doing a bunch of this as you may mess something up and have to do a fresh re-install and start from the beggining again.

And Finally

Right Click on your This PC icon, select Manage

Open Task Scheduler->Task Scheduler Library->Microsoft->Windows

Go through the various events, especially anything with the word Experience, and disable or delete the timed events. If the description states that it sends anything to microsteal, you do not need it.

MarkHDecember 25, 2015 5:36 PM

A nice account in the NY Times of IRS agent Gary Alford, who played a crucial role in bringing down the "Silk Road" site.

It was Alford who connected the name Ross Ulbricht with screen-name "Dread Pirate Roberts".

MarkHDecember 25, 2015 6:15 PM

Steam Springs Giant Security Leak

"Steam" is a software distribution hub for PC-based games. In the gaming world, it's a pretty big deal ... though I only know about it, because a young friend of mine told me about it.

Today (Christmas day), the Steam website (which includes multi-player gaming etc.) was subject to a DOS attack, sufficient to seriously impair access.

The attack seems also to have triggered an awful security bug: due to a reported page-caching problem, many users logging into their accounts found themselves ... actually logged in to someone else's account.

Of course, all kinds of supposedly protected personal information was exposed, including credit-card information.

ThaddeusDecember 25, 2015 8:26 PM

I may have missed it, but I didn't see anything posted here about the massive DDoS attack that happened in early/mid-November, targeting several of the most popular private webmail services.

The list of affected services included: protonmail, vfemail, runbox, zoho, hushmail, and possibly others. The last I heard about protonmail was that, as of December 15th, they had been under continuous attack for over a month. They think the attack is being committed by a state-sponsored actor.

Here are protonmail's blog posts about it. Here's a wilders thread on the subject.

I'm curious what you guys think about the possibility that this is state-sponsored. It does seem to line up with the agenda being pushed lately: putting backdoors in encryption, CISA, etc.

Data-Mining Doors Slamming ShutDecember 25, 2015 10:08 PM

When you can’t buy the off the native politicians, the intrusive American High-tech data-mining are being curtailed in country after country.
Here India stops Facebook dead in its tracks with other countries like Brazil to follow:
https://recode.net/2015/12/23/facebooks-free-basics-app-has-been-temporarily-banned-in-india/


American politicians, corrupted by Hedge Fund financed big-data, have passed laws (CISA) taking away our constitutional freedoms. Worse they indemnify those who quietly build dossiers on every American citizen, even our children. Wall St will do ANYTHING for a buck!

CuriousDecember 26, 2015 2:37 AM

@ MarkH

Maybe I am totally wrong, but I now can't help but wonder if perhaps the "page-caching" issue could have been a backdoor issue, a government backdoor that was used. :) How could one ever get access to anyone elses account information.

Who?December 26, 2015 8:05 AM

It is odd something as important as the Cybersecurity Act of 2015 has not been managed in this blog last week:

https://www.washingtonpost.com/news/volokh-conspiracy/wp/2015/12/24/how-does-the-cybersecurity-act-of-2015-change-the-internet-surveillance-laws/

What about this article on the attack against Прикарпатьеоблэнерго internal networks? Again a power company is being targeted, this time in western Ukraine. It looks like Russia is behind the cyberattack against the power grid control systems:

https://translate.google.com/translate?sl=ru&tl=en&u=http%3A%2F%2Fwww.securitylab.ru%2Fnews%2F477942.php

For at least six days U.S. west coast was a target of Chinese hackers, as seen in http://map.norsecorp.com/. An NTP amplification attack... what was the goal?

Department of Obvious StudiesDecember 26, 2015 8:51 AM

@Who?, What was the goal? The goal was to get more NSA sole-source contract funding for a cyber gravy train that already sucks up your tax dollars for an inflation-adjusted Manhattan Project every 30 months.


MarkHDecember 26, 2015 11:29 AM

@Curious:

They really are after us, but still we must guard against paranoia.

1. From my perspective of 40+ years of software development, the Steam fault looks like a garden-variety dumb-sh*t mistake.

2. If by "government backdoor" you mean NSA or somebody like that ... they have an enormous budget and a wealth of technical talent. We know from the Snowden disclosures that they work carefully, and labor to keep their efforts hidden. A "backdoor" which makes itself world-famous by causing drastic problems* is a miserable failure.

3. A mechanism which causes a login to impersonate one other user -- selected (effectively) at random -- is a clumsy and inefficient exploit indeed!

Surely, more than 99.9% of IT security holes are innocent/stupid mistakes.
_________________________

* I distinguish this from Dual EC DRBG -- a rare instance of a known NSA software backdoor -- which was detected by analysis, not because its use caused any "symptom".

MarkHDecember 26, 2015 11:30 AM

@Who:

In case you're curious, I think that Прикарпатьеоблэнерго is a contraction of Прикарпатье Областное Энерго (Prikarpat'e Oblastnoe Energo) ...

... which translates to "Sub-Carpathian Province Energy"
________________________

Sadly, Ukraine also just announced increased security at its armories (military weapons depots) after a spate of attempted raids against these facilities.

The claws of Russia are long, and cruel.

JG4December 26, 2015 12:32 PM


@Who?

I hope that the Russians are just monitoring the potential nuclear disaster in Ukraine. You'd think that Hillary Clinton and the deep state she represents would be smart enough to not destabilize a country filled with nuclear reactors, but you'd be wrong.

http://www.zerohedge.com/news/2015-12-24/ukraines-looming-19-fukushimas-scenario
...
But an even better question is, Will they even make it that far? You see, it has become known that these nuclear installations have been skimping on preventive maintenance, due to lack of funds. Now, you are probably already aware of this, but let me spell it out just in case: a nuclear reactor is not one of those things that you run until it breaks, and then call a mechanic once it does. It's not a “if it ain't broke, I can't fix it” sort of scenario. It's more of a “you missed a tune-up so I ain't going near it” scenario. And the way to keep it from breaking is to replace all the bits that are listed on the replacement schedule no later than the dates indicated on that schedule. It's either that or the thing goes “Ka-boom!” and everyone's hair falls out.
How close is Ukraine to a major nuclear accident? Well, it turns out, very close: just recently one was narrowly avoided when some Ukro-Nazis blew up electric transmission lines supplying Crimea, triggering a blackout that lasted many days. The Russians scrambled and ran a transmission line from the Russian mainland, so now Crimea is lit up again. But while that was happening, the Southern Ukrainian, with its 4 energy blocks, lost its connection to the grid, and it was only the very swift, expert actions taken by the staff there that averted a nuclear accident.

Neural Networks, Recognizing Friendlies, $Billions; Friendlies as Enemies, $Priceless
http://tm.durusau.net/?p=66421
Another Word For It

LinuxDecember 26, 2015 2:15 PM

@Alien Jerky

Downloading Linux Mint to make a few configuration changes will take time, bandwidth and storage space. Knoppix is the traditional gold standard of live CD's and is ideally suited for your purposes plus the download is considerably smaller. Or, better still, get something like Puppy Linux which is extremely lightweight.

Nothing wrong with downloading Linux Mint if you want a faster and (arguably) more secure OS than Windows though.

Alien JerkyDecember 26, 2015 2:42 PM


@Linux

I used Linux Mint mainly because I already had a boot cd for it. Also its cinnamon interface is straight forward and easy to use. But any flavor of linux, as long as it is not a Microsoft product, should do the trick.

tyrDecember 26, 2015 7:58 PM


@JG4

Following the links turned up this gem !!

https://codewords.recurse.com/issues/five/why-do-neural-networks-think-a-panda-is-a-vulture

Nice tutorial as well.

The best way to see the length of the Russian claws is
to decide not to pay them the money you owe them. Doing
it just before winter when they supply your heating gas
is not very bright but I'm sure the Ukrainians have a
plan they are not telling anyone.

Cellphone throws Man off Cliff headline for the anti-AI
crowd.

xorDecember 26, 2015 10:51 PM

@Alien Jerky

Regarding removal of Cortana etc: thank you for the tips! I may have to try that myself eventually.

BTW is there a risk that Microsoft Update eventually adds the "missing" components back?

I used to have my M$ Update set to "Check for updates but let me choose...." but some weeks back it switched itself to that "Accept all crap from the mothership without questions" setting (or maybe some non-Windows process changed it).

After I noticed that it wanted to reboot my PC "to apply updates" I configured my Group Policy to set that "Check for updates but let me choose...." setting a bit firmer.

Just Another Tentacle of the Cthulhu MonsterDecember 27, 2015 12:51 AM

Please remain calm, and have a seat. 'Everything is under control' [Hitchhiker's Guide to the Galaxy'].

@'DDoS Attacks Against Anonymity Systems'

Most likely, these attacks were made by some idiot kids who are thinking they are being "patriotic". For instance, reference "the Jester"[sp -- sorry "the Jester", I won't bother to look up your hax0rs33k spelling right now] and his bizarrely hyper-"conservative" actions, or "Lion" [China] and his hacking of the US White House because of some US-China tussle.

@'DDoS Attacks Page Caching Security Issue Being NSA Backdoor'

Ladies & Gents, this is highly unlikely. There are very severe privacy/liberty issues to be concerned about in regards to over-surveillance and the ever increasing technical capacities of humankind, so, it can be most useful to be as level headed and as rational as possible.

Distractions from real issues can put you into the angle of being a 'tin foil hat' wearer. Which means your message which you disseminate is taken as that of a "conspiracy theorist", and you, as a source, are considered to be, "less then level headed" and "less then reliable".

The fact is that exerting system stressing tests can reveal, at times, bugs of all natures. It is not entirely random that one of these bugs found might be security related.

The difference between an 'everyday bug', and a 'security bug' is little but contextual, and that to human users. Every system has bugs, and typically, a lot of them. As any user of software can attest to. For even the biggest name systems, or the most supposedly reliable of systems.

It just so happens that sometimes, some of those bugs, happen to have security ramifications for users. Hence, the concept of 'security vulnerabilities'.

The NSA is not God, nor is the NSA able to be omnipresent and omniscient. They *only* have a yearly budget of 18 billion a year. Which we know, because they had this exposed to the world recently via Snowden. Which was able to happen because they relatively widely disseminated this fact, and other damaging facts widely across the "industry" of the "intelligence community".

18 billion dollars a year can seem to you like a whole lot, but it really is not. If they wish to keep a high budget, they - like any corporation - must continue to *produce*. Their budget is tied to their capacity to produce, and without strong production of meaningful intelligence data, their budget will shrink along with their confidence those who set their budget have for them.

Steam is, then, not very much a valuable target for them to waste their time on. They have to find genuine "terrorist" intelligence, and that fast, and solid. Because that is the market right now. Secondarily, they have to find foreign intelligence that informs and is actionable.

Steam is none of these.

In fact, *most* domestic intelligence for the NSA is worthless.

Look at it this way: Remember Jimmy Burke? Probably not, but he was the mastermind behind the Lufthansa hack. Er, I mean, heist. Played by Robert DeNiro in "Goodfellas".

So, Jimmy Burke never went to prison for that heist. Nobody ever did. Not my point, Jimmy was Irish, not Italian, so he was never even a 'made man'. Yet, he exerted enormous power in the Italian mafia. Why? Because he was an "earner". He made money for the group. While plenty of Italians did not.

Likewise, with the NSA, they have to "make money". Only, in their case, their currency is 'useful intelligence' which ultimately scores political points by their paymasters. Elected officials.

That gets them *budgets*.

So, even hacking for the "currency" of intelligence on criminals is useless to them. It might help the DHS or ATF or criminal divisions of the FBI. But, that just gives those TLA's currency, and the NSA none.

So, the NSA isn't interested in hacking everyday Steam players. Who, at best, might be domestic or foreign petty criminals.

They *might* be performing and have performed DoS attacks against the privacy agencies, but if so, really, why? Because they have a target of value using one of these services, would be why. And such an attack could be useful distraction for more serious attacks. In which case, *everything is a distraction*. The DoS *and* the targeting of *all* services, when, in fact, they are really interested in *one* service.

...

That, my friends, is how shit really works.

Think about it.

It is not beyond anyone's understanding.

@'MS Windows'

Windows r breakable. Bad name.

There are only three reasons to be running Windows:

1) Your company requires it
2) You are a security researcher looking for security bugs in it
3) For the video games

Even if you do have a Windows box, you should have a linux system. There is zimply zero zexuse *not* to be running a linux box these days. And as someone interested in security, you should not be running Joanna's uber-yet-to-be-truly-workable system, but Kali Linux.

At the least, you should have a raspberry pi running linux.

Because the best defense is a good offense.

Fifteen years ago, no.

Today? There is zero excuse not to.

Raspberry Pi is dumb fuck simple to set up, and incredibly cheap.

Linux will not prevent you from getting hacked if you are a "High Priority Target". So do not kid your self. But for any person who wants to start to explore the world of tin foil hat wearers, it is where you should be.

@'Russia issue'

Unfortunately, Russia is a diversion, like China. Neither Russia nor China are serious contenders for the 'start of wwiii'.

Putin has a lot in common with Trump. And that is it. If you understand Trump, you understand Putin. Both can be set on ignore.

The real problem is that the leadership in America is apocalyptic minded.

They are dead set on bringing about 'the end of the world'.

'Star Wars: The Force Awakens' is a perfect example of their psychotic mindset.

No spoilers, but... the takeaway is to understand that the concept is 'human beings are horrible vehicles for the power of God because they are singularly motivated by selfish principles, therefore a New Breed must arise who are more pliable to the Will of God'.

Scary? It should be.

People deciding to make decisions and run operations with zero selfish benefit, and entirely based on some fuzzy "faith" concept?

Fuck that.

It usually boils down to something like 'What Dreams May Come', that move with Costner about building a baseball field. Correct me if I am wrong. Where the evil self-righteous person builds a baseball fields, saying, 'if I build it, they will come'.

In this case, it means, 'if we battle near or at the field of Megiddo, then Jesus will come with all his angels'. Whatever 'angels' mean.

Therefore, one need not follow reasonable, selfish actions like starting wars just to get a buddy contracting company to sweep up and make billions of dollars. But start wars because "Jesus".

As they say.

In fact, start Armagedon, because, you know -- as difficult as it is to discern between "Armageddon" and the battle at the end of the Millenium, these were both entirely ***offensive*** wars.

I may be sarcastically lying there to throw off those who: are not paying attention and have not performed due dilligence, aka, "their homework".

;-)


No joke.

Or, actually? It really kind of is. And very funny at that.

To *some* people.

;-)

:0 :-) :-)


Alien JerkyDecember 27, 2015 1:37 AM

@XOR

BTW is there a risk that Microsoft Update eventually adds the "missing" components back?

I assume there is. Everytime I do a check updates, I go through everything to find if they did anything evil. So far not yet. But I would not be surprised if a future update they do so.

Just Another Tentacle of the Cthulhu MonsterDecember 27, 2015 1:50 AM

To the Tune of:
https://www.youtube.com/watch?v=SAZb6_p7IEQ

Just like mother fukin Psalms.

You'd think that Hillary Clinton and the deep state she represents would be smart enough to not destabilize a country filled with nuclear reactors, but you'd be wrong.http://www.zerohedge.com/news/2015-12-24/ukraines-looming-19-fukushimas-scenario

Exactly. The mistake made is that Putin is a known KGB ex-official, as are all his goonies. And they do really public shit like assassinating jounalists critical of their regime, political opponents, and even doing crap like shooting down planes full of Polish dignitaries about to raise global consciousness of the misdeeds of Stalin...

Hillary was never the hippy she presented herself as. For a good example of that, study the major biographies of Jim Morrison. His dad was the admiral of the forces at the Gulf of Tonkin which started the Vietnam War, officially. A few things you might discover: one, Morrison did enormous international travel. Two, he initially solicited his 'dad's friends' for funding. They refused, but then he mysteriously got mega-funding. Robbie Kriegor's dad was one hundred percent RAND Corporation.

And that was the core of the hippy movement message from the US. RAND Corporation & the US Navy...

Counter-attacking such influences as the random Jimi Hendrix, Janis Joplin, Beatles, Rolling Stones influences...

Of those, Jim is the most foolish. Yet, spent much time on off the books travel, admitting his persona was fake, and in valid investments in the oil and real estate businesses which produced enormous profit. Attempting to follow his wife's backstory, Pamela Courson, would lead one to equal close doors.

...


Russia is called "Gog" in modern American leadership parlance. And China "Ma-Gog".

...

I realize Russia is considered by many including some of their own people as "Orthodox", but Americans view them as false. After all, they sold out their orthodox roots during the Communist regime, even forcing the religious to serve their persons as commonion literal piss and shit as "blood" and "flesh" of Jesus Christ.

Therefore, they are considered as implacable enemies.

...

Putin and company, as implacable servants of the atheist (anti-christ) systems, are considered obvious targets.

...


Unfortunately, I do not, nor have I ever, worked for the US Government. In fact, I have zero ties to the US Government. :)

I am, in fact, but a simple paranoid schizophrenic off medication, with a blue collar background, that is easily verifible as being a complete loser and failure.

I was adopted as a youngster because my dad had an accident in Laos, after fucking a whore in the US.

So, all of my speculations are simply of my own stating. And, I believe that modern mythology about aliens is really metaphoric for God and Angels.

And Joan of Arc was really a prophet.

...

As the OPM nation state hackers can easily confirm I have only applied for clearance, and that just basic.

...

Here, regardless, is my understanding of the current state of things:

1) Russia is Gog, as spoken of metaphorically in Revelation (literally "Apocaylypse)
2) China is Ma-Gog, "" "" "" ""
3) Putin and his regime are to be eliminated as enemies
4) the modern Chinese regime are to be eliminated as enemies
5) Satan leads the forces of Gog & MaGog against the forces of Jesus & the armies of Angels & the New Jerusalem
7) This would perhaps make me Satan


8) Warning: This is all a very clever trick from a highly trained counter-intelligence officer


To the Tune of It's the End of the World As We Know It And I Feel Fine (REM):

Yes, again, fuck it, motherfucker. Totally ripping off David and Psalms.


Here's my motherfucking card to do so.


to be fair:

1) We are already under attack from Russia and China
2) They are highly paranoid and so suggestible
3) ... despite public opinion - FUCK YOU - you started all this crap, and are always gunning for it... so, we are just using you to wield to your own worst nightmares... "We" as in.. edited...


Russia: easy to de-regimize... Putin's paranoia is his own worst weakness, and the strength of his power is in his ex-intelligence. They have a very predictable course of action and thought, as well as regarding the song they are singing to their own people. Their only importance is because of oil and gas for Europe.

China: see above, replace "oil and gas" with "human manufactoring".

Both regimes are overly paranoid and so easily suggestible, and therefore manipulatible.


The core of "the problem", really, is Islamic majority nations. Russia and China are simply used to help solve this problem. Their motivation is extreme. And that is used to positive benefit.


...

Would you like to know the future? It is already here. In America. Some in Europe, some in other free nations. Nowhere near the pure quality which is needed. So, there are bad folks need.

"Star Wars"???

Start Wars.

That? Was always the message. So, go, figure that out, and how to fight it.


Disclaimer: the United States Government has never, at any time, had any manner of deep cover intelligence system, like what China and to a much lesser extent Russia has had. Instead, the United States, like other more purely "Western" nations have held an agent or informant model of spying. Every deep cover agent has been trained at either Quantico or the Farm, and so is in OPM database. And under clear inspection by Gog and MaGog...

We do not have tens of thousands of highly trained from birth agents who are singular minded in defending against Gog and MaGog. Surely not, "off the books" (OPM), anyway.


Or, if not? You are truly, deeply screwed, and working and living for a regime existing on "borrowed time".

Which is it.


hermanDecember 27, 2015 1:54 AM

@Alien: There are a few easy to use scripts available to clean up Windows 10, for example the aptly named "shutup10". A quick web search will find them.

Just Another Tentacle of the Cthulhu MonsterDecember 27, 2015 2:47 AM

To the tune of, like, wut, REM 'this is the end', or 'this is war', or ....


Like, fuck you David and Pslams, cause I am cooler then you. Lighnthing strike me now? Right???


Or, this is global domination.


Here is what global domination of the "US" means to everyone:

A modular system which says, quite simply, "freedom of speech", "freedom of belief", "freedom of press"....


"Modular" as in: it fits into a lot of different distributions and works with them all.


So... let us just figure this as the game plan is??


Freedom of religion. Freedom of belief. Freedom of press. Freedom of speech. And... uh. so propagation of "modern Western belief systems" -- though, let us leave out this "western" delimiter there, cause you know Samsung works quite well, or Japan "Death Note" or "Attack on Titan"......


So... how do we make this "the thing". So, we can send whatever youtube or whatever anywhere? Where we believe 'truth rules where weight can be weighed'.


"Freedom".


Of media.


All we need is to get our fictional media to people, and... poof... we win.


Sure. We can nuke em.

Or napalm them...

Or send armies of drones raining fire from the skies...


And maybe this is necessary...

ThothDecember 27, 2015 4:09 AM

How to kill Cortana in a simpler manner. Just use a separate Linux/OpenBSD machine for more private stuff or stick on Windows 7 if you need Windows for Office work or gaming.

If you intend to switch between Windows and non-Windows on separate physical machines, use a KVM switch for SOHO or personal use.

If the Windows is for Office work, using an Intel NUC mini computer with a Windows 7 and hooked to a KVM switch would be nice so you can toggle KVM into non-Windows machine.

You may want to share screen or peripherals via the KVM unless you are doing something sensitive.

French Interior Ministry CreepsDecember 27, 2015 5:46 AM

@Just Another Tentacle of the Cthulhu Monster

Down bad bot boy! Did the NSA handlers let you off the leash again?


In other news, the illiberal French are hard at it again - never letting a crisis go to waste to try and ban Tor, TAILS & public Wi-Fi - even if demonstrably never used by terrorists who typically use unencrypted channels like SMS:

http://arstechnica.com/tech-policy/2015/12/france-looking-at-banning-tor-blocking-public-wi-fi/

According to leaked documents France's Ministry of Interior is considering two new proposals: a ban on free and shared Wi-Fi connections during a state of emergency, and measures to block Tor being used inside France.

The documents were seen by the French newspaper Le Monde. According to the paper, new bills could be presented to parliament as soon as January 2016. These proposals are presumably in response to the attacks in Paris last month where 130 people were murdered.

The first proposal, according to Le Monde, would forbid free and shared Wi-Fi during a state of emergency. The new measure is justified by way of a police opinion, saying that it's tough to track people who use public hotspots.

The second proposal is a little more gnarly: the Ministry of Interior is looking at blocking and/or forbidding the use of Tor completely.

Of course the proposal to ban Tor completely will require intense ISP snooping, and effectively puts France in the same category of China. So much for Liberte.

It can only be concluded that 'encryption is not for the little people' in the new world order. Thus, with the global Stasi having a range of tools outside of Tor to hide in the shadows, they have decided to take away any remaining threats to the status quo, using completely fraudulent arguments that have no basis in reality.

We can assume that if this passes, the US, remaining 5-eyes countries and other Euro / Asian nations with hard right-wing tendencies (most of them) will follow suit - in the name of 'national security' of course.

CallMeLateForSupperDecember 27, 2015 8:54 AM

Regardless that I try to stay on top of things security, I learned only yesterday that this past summer the flowering British Empire Redux made it illegal - again - to rip a CD. "Say it ain't so, [Clive]. Say it ain't so!"

CzernoDecember 27, 2015 8:57 AM

@French Interior Ministry Creeps :

your news is outdated journalistic speculation , French prime sinister ValSS has denied his gubment would ask to legislate a ban on Tor and/or free wifi in France.

They /do/ oblige ISPs to install "black boxes" and screen data flows
and supposedly detect "bad" behaviour using some sorts of "algorithm".

BoppingAroundDecember 27, 2015 9:13 AM

Czerno,
That means the French are going for something like the Russian Federation's SORM?

CzernoDecember 27, 2015 9:57 AM

BoppingAround, you had me search for the Russian "SORM". Yes the
new legislation in France appears to be something similar, although
in the context of the "state of urgency" (and paranoia) after the recent terror attacks
there are not a lot of public details of what is to be captured exactly. The official BS speak is all about "black boxes" and/or "algorithms" detecting suspect behaviours, viz to catch users who repeatedly visit jihaad sites or the like... I don't know if the boxes are to imclude MITM exploits against SSL, fake certificates etc..., or is it mainly the "metadata" they're interested in.

Also I believe the new law is intended to make legal and enforceable including against reluctant ISPs (if any) something which might well have existed for sometimes in secret. Just my opinion...

Alien JerkyDecember 27, 2015 10:55 AM

The last few updates for Firefox seems to cement my belief that Mozilla has lost its way. Firefox used to be great. Now it is clunky slow and buggy. Seems they need to hire some new programmers and fire their management. Problem is what to use instead of Firefox. I will not use anything from Microsoft or Google. Opera I had issues with a while back, unknown whether they fixed their stuff. Any suggestions?

Markus OttelaDecember 27, 2015 11:38 AM

@Figureitout:

The padding of one char message takes around 15-20 ms longer than padding of 254 char message that needs no padding. However, the time it takes to skip padding of 254 char message varies more than constant delay sleep has error, so moving the padding function pre-queue won't have notable effect, so I won't be implementing it.

http://pastebin.com/iwp4fHhQ

Also, just sleeping shows there is always going to be error within that ~2ms frame:

http://pastebin.com/DLHCEGy0

So it appears this is as close as we can get in timing protection using Python and Linux. I hope in future we can have a robust C implementation that improves on it. For now, since the same error occurs on all messages I would argue it's secure. If it's not, the trickle_r_delay can mitigate the threat as discussed in previous squid post.

@ All
Some other comments about TFC-NaCl:

I noticed three data diode setup creates an interesting game. We need to maximize the security while assuming least trust on NH and RxM that can be compromised (i.e. both of should be assumed to lie to us). So I first wanted to identify RxM by sending a short string to it, and asking user to type it to TxM. This was to ensure I was indeed sending the unencrypted local key to RxM during key bootstrap. I realized that TxM side interfaces are configured wrong, NH might receive the key, relay it to RxM, and user wouldn't be able to tell without having removed the data diode between TxM and RxM. Since NH would have the unencrypted key, it would be game over.

So I though I was clever when I decided to rather detect the wrong interface and ask NH to show the device code before outputting keys through the other (correct) interface to RxM. This worked much better, but I ran into a wall: There is absolutely NO way to ensure the trusted serial interface for TxM is indeed connected to TxM and not NH. During misconfiguration, NH could push keys to RxM. This meant I had no other choice but to have all data received by RxM encrypted and signed.

The outcome was excellent: The security is now bootstrapped by generating a local key, encrypting and signing it, and sending it through serial interface to RxM. Since it's encrypted, it can be passed through NH to RxM. If the user so wishes, he or she can move the TxM data diode to RxM directly, effectively bypassing the ability of NH to tap the ciphertext and tag. User then manually types in the 256-bit key decryption key to RxM with keyboard. Breaking physical security now requires both keylogger, and serial adapter with covert storage. It's also possible to pre-share the local key to RxM using a thumb drive, and then give GCHQ-Guardian treatment to it afterwards. The reason the local key isn't written to RxM with keyboard directly is to avoid the issue of visual collection.

The symmetric keys generated from ECDHE SSK by TxM are sent through the data diodes, encrypted with the local key. User can again connect the data diode temporarily to RxM after public key of contact has been received to bypass NH, but I don't think it's necessary; Local key is also forward secret, so even if adversary recorded contact keys in encrypted form on NH, they can not be decrypted afterwards by compromising the endpoint. Unless of course, if malware on RxM stores initial state of key. This is where we get to cat-and-mouse type security so again, Tor is the best bet to keep physical location of end point secure; RxM won't leak keys out on itself.

I also added a tiny feature that tries to hold the user's hand. If the plaintext user inputs contains a long hexadecimal string, it'll ask for confirmation before sending it. Also, after local key bootstrap, the user can not set the account of contact as something that looks like a key. This is to prevent TxM from outputting the local key decryption key to NH. I'll probably demo this in a video some time later.

I'm taking a break from the developing due to 32C3 streams and new year's eve coming.

WinterDecember 27, 2015 11:41 AM

@Alien Jerky
"Problem is what to use instead of Firefox."

Maybe have a look at Vivaldi browser?

https://vivaldi.com/

It is based on OSS Chrome and seems to be infinitely configurable. Chrome plugins can be used.

meDecember 27, 2015 11:56 AM

Whomever on here actually running Windows needs a good smack to the head. Posting botnet removal instructions is pointless. The whole thing is inherently rotten -- just like the modern Intel chip you plan to run it on. Home field advantage, NOBUS and all that. Intel ME is the rootkit platform dreams are made of.

http://blog.invisiblethings.org/2015/10/27/x86_harmful.html

http://blog.invisiblethings.org/2015/12/23/state_harmful.html

www.libreboot.org/faq/#intelme

Who?December 27, 2015 12:08 PM

@MarkH, @JG4

Thanks... now I will not be able to sleep for the rest of the month. :(

About Hillary Clinton... I really fear her. Mr. Bush was certainly not the best president the United States, or the rest of the world, deserve; but he does not look so bad when compared to Mr. Obama... at least he did not lie[*] to the U.S. citizens!

I fear Mrs. Clinton will make Obama look nice, from what I have read about her (hope being wrong!). However, the other candidates are Donald Trump (don't ask me about him) or the "arthropod man" Mr. McAfee. She is obviously the next president of the United States.

[*] I want to believe that Mr. Obama does not lie, and he just does not know the full details of the NSA operations and repeats what his advisers, and NSA staff, say (later denied by journalists who have access to classified documents).

@Department of Obvious Studies

Ah, the usual story. We run a few false flag attacks and say... look! we need more funds to improve our security. Why does NSA needs so many funds? Is it to improve its illegal surveillance infrastructure? Is it to pay to defense contractors, politicians or even internal staff for political favors? Is it just because they like playing with new technological toys?

Gerard van VoorenDecember 27, 2015 12:21 PM

@ Who?,

What, did G.W. Bush not lie? Please go watch the state of the union 2002 or 2003. And the documentary "Why we fight?" and the movie "Fair Game". The lies are all there. Plenty of them.

my other alterDecember 27, 2015 2:16 PM

This is a bit old news now but interesting on how these processes work, getting Google to cough up someones information.

Of course Google would have very little to give if they did not gather so much information in the first place

How DOJ Gagged Google over Surveillance of WikiLeaks Volunteer
https://theintercept.com/2015/06/20/wikileaks-jacob-appelbaum-google-investigation/


Newly unsealed court documents obtained by The Intercept reveal the Justice Department won an order forcing Google to turn over more than one year’s worth of data from the Gmail account of Jacob Appelbaum (pictured above), a developer for the Tor online anonymity project who has worked with WikiLeaks as a volunteer. The order also gagged Google, preventing it from notifying Appelbaum that his records had been provided to the government.
...
According to the unsealed documents, the Justice Department first sought details from Google about a Gmail account operated by Appelbaum in January 2011, triggering a three-month dispute between the government and the tech giant. Government investigators demanded metadata records from the account showing email addresses of those with whom Appelbaum had corresponded between the period of November 2009 and early 2011; they also wanted to obtain information showing the unique IP addresses of the computers he had used to log in to the account.

FigureitoutDecember 27, 2015 2:37 PM

Markus Ottela
The padding of one char message takes around 15-20 ms longer than padding of 254 char message that needs no padding.
--Why not add in an immutable delay of whatever would be the longest message possible? Would that be say like 1-3 seconds max?

So it appears this is as close as we can get in timing protection using Python and Linux
--Does it though? I don't know how exactly to implement, but I feel like something's missing...In engineering, designing robust architecture is what makes it hard (I still have to rely on prior architectures many times instead of doing everything from scratch). Does it feel like a robust architecture to you (just this feature)?

I still can't really follow your implementation much. From high level english: Turn on trickle_mode. Start taking in samples from dev/urandom and pad/encrypt those and use either the same or again a random delay that varies from 0 to 1 second? When a human sends in a message, a "transmit_flag" is set indicating a full transmit_buffer, turning off input from dev/urandom, and will empty that buffer in the next transmit round. You could potentially however set the "transmit_flag" almost right before "constant_buffer_delay" repeats to the next cycle, and for some reason it has a "higher priority" that causes a slight change in delay, so you can see what looks like less uniform transmit patterns between a human and the computer still.

Is that close? Have you done a test where you just type in a couple chars and hit enter again and again...a lot, where w/o that delay it would just transmit? Probably have, eh? If so, that is probably good enough.

Why do you want a C implementation? Make more portable? That'd be awesome if this could fit in embedded (doing DHE in embedded is pretty tricky though I think). Once you have the constant delay working solid, not sure what more you'd want to extend besides bug fixes and upgrading crypto if need be.

Oh BTW, I think I'll be ok w/ AES again, as I was really stuck on how to transmit an IV to receiver. A couple commenters here claim that there is no security hole if IV is sent in the clear. http://stackoverflow.com/questions/8804574/aes-encryption-how-to-transport-iv That would be nice for me, but I think I can still encrypt it w/ XTEA for extra protection. But the protocol goes as follows: Sensor detects object->Get pseudo-random sample for IV and send off to receiver->Get ACK from receiver that IV was received correctly->Encrypt and Send w/ encrypted data->Decrypt and log activation

Think I'm going to have a "stealth mode" w/ minimal crypto where receiver just receives and doesn't ACK. Then w/ crypto I need the ACK for now unless I can get FEC to work well.

IDEA GUYDecember 27, 2015 3:50 PM

This idea just popped into my head. I hope Bruce sees this and finds it interesting.

Most corporate/business websites have an About page, a Contact page, and a Privacy Statement. Especially a Privacy Statement, it's unusual to not have one.

"We", the people, should demand that all those websites add a new, separate page called the Security Page, wherein the company who owns the website (or the company who operates it) states exactly what Internet Security measures are in place to protect your interactions with that website, and especially protect your personal data if it collects any.

This might be something where social pressure could work "organically". Just get a few big-name companies, like Google or Ashley Madison (!), to do it, and create the pressure that will force their competitors to follow suit.

As an alternative to the problem of Sec. info usually being highly complex, it may be better to set up a certification system specifically for this purpose. The Security page would still exist but would specify what "set" of standards it adheres to. That way a whole new internet service, and jobs, get created.

After all, it's obvious we need something that we don't have yet, and lawmakers don't seem to care. Maybe it's up to us the people?

Is this a shitty idea? Or not?

Clive RobinsonDecember 27, 2015 4:02 PM

@ Nick P, and others,

Moore's Law hits the roof

http://www.agner.org/optimize/blog/read.php?i=417

The articlr says more or less what I've been saying for a while.

However the last solution the author mentions "sliming down the software" only has a limited time scope at best.

Personaly, I think software coders should realy think on how to split their code into as many independent execution branches as they can.

One such way is to get their heads around functional programing, as this can make the parallelization proces automated through the tool chain thus giving a target specific set of optimisations.

BoppingAroundDecember 27, 2015 4:16 PM

Czerno,
I had thought SORM was notorious enough to be recognised. My bad.
Thanks for the answer.

Winter,
Regarding Chromium — I couldn't make it shut up and not
talk to Google no matter how much switches I flipped in Settings,
chrome:flags and command-line options. Is Vivaldi actually any better?

Nick PDecember 27, 2015 8:09 PM

@ Clive

It's a decent article but the author misses the obvious: slimmer, regular cores plus accelerators for common tasks. Plus alternative architectures that improve performance. We see Cavium doing the first with Octeon III, etc. A good example of the second would be finally adding Channel I/O with asynchronous support. That would tie into what server software is doing these days. Quite a few things can be done once Moore's Law is over.

For some apps, this will more than double performance as DSP, GPU, and FPGA work have shown us. That brings me to the FPGA part: Intel's acquisition of Altera shows they'll embed them into server processors. The combination of custom, top-tier logic plus FPGA blocks plus HLS will be far more interesting than some extra GHz and cache. We might similarly see more board-level competition with mixes of hardware for certain workloads.

Next 10 years will be interesting is all I can say for sure.

ianfDecember 27, 2015 11:15 PM


@ IDEA GUY […] "We", the people, should demand that website owner/operators explicitly state EXACTLY WHAT INTERNET SECURITY MEASURES ARE IN PLACE to protect your interactions with that website, and especially protect your personal data if it collects any… shitty idea?

Not "shitty," but unworkable. First, corporations/ businesses/ website operators don't do anything that's not mandated by a higher authority—where "we, the people" doesn't mean much (assuming "we" even exist outside the realm of the concept).

Secondly, it could be argued with some justification that a lot of undeclared/ implied INFOSEC depends on obfuscation and/or obscurity… which in the circumstances is better than none, as it denies a stepping stone for 3VIL HAXX0RS out to do some nasty. The least that would be said of such explicit notices is that they'd act as honeypots.

Third, even if such security declarations were widely adopted and implemented, what makes you so sure that "them, the people" would by and large be competent enough to (a) comprehend what in all probability would be another stream of legalese akin to unreadable EULAs; and (b) correctly evaluate the worth of the declared measures—which then could not be validated in any unobtrusive/ "unhacky" way anyway. Hence, next idea please.

MarkHDecember 28, 2015 1:58 AM

@Who:

If what might disturb your sleep is the linked article in zerohedge, then I suggest you rest easy.

The article is a lurid piece of yellow journalism, by a professional predictor of imminent collapse, whose writing is saturated with sarcasm and dismissive contempt toward Ukraine.

Also, the suggestion that a cyberattack against a Ukrainian power transmission system might be for the purpose of "monitoring a potential disaster" in nuclear power stations doesn't make any sense that I can understand.
______________

I know a Ukrainian specialist in nuclear power plant safety. Next time I see him, I'll ask how things are going in reality.

Who?December 28, 2015 3:46 AM

@MarkH

Glad to see. I hope Ukranian nuclean power plant operators will not do something that put them at risk. Feedback from an Ukranian specialist will be valuable.

From what I understand attack has been targeted against the power distribution grid, not the production plants themselves. So power production is not the issue here. Automatic translation of the news source is not really useful.

Prins van de SchemeringDecember 28, 2015 4:29 AM

Great! Just Great!

ht tp://www.theguardian.com/world/2015/dec/27/north-koreas-computer-operating-system-revealed-by-researchers

Now can someone tell me just what the difference is supposed to be between us and them, meaning the totalitarian North Koreans, or Norks as TheRegister would have it?

ianfDecember 28, 2015 4:44 AM


@ Just Another Tentacle of the Cthulhu Monster [cc: Who?, JG4, MarkH] has the audacity to post “[Putin and his goons] do really public shit like assassinating jounalists critical of their regime, political opponents…”

Some of them, most probably. But today's Russia is also full of "NGO gangsters" etc fighting turf wars, and over their media image, so all such murders may not be the state's mokrye dela. Missing from the litany however is “blowing up Russian apartment buildings in order to create a groundswell for the hard-line savior Putin,” an accusation that had Alexander Litvinenko killed in a manner designed to leave no doubt as to who was behind it; and other, hardly minor misdemeanors of consolidating the KGB/FSB power over Russian Federation's politics, after that “greatest disaster that was the 1991 dismantling of the Soviet Union” (quote attributed to Putin). That said, you really shot yourself in the tentacle (in your beak) with this:

… and even doing crap like shooting down planes full of Polish dignitaries about to raise global consciousness of the misdeeds of Stalin.

… by which I presume you mean the 10th April 2010 Polish Air Force Tu-154 Presidential party's fatal crash in Russian Smolensk. The line you promote is pretty much that of the conspiracy theorists that are now in charge in Poland, of "Russian involvement" together with alleged homegrown elements that somehow stuffed the Presidential plane with TNT and primed it for detonation at the remote location. The words incompetence, pilot's deference to political pressure not to go to any alternative airport until an approach in fog (with the aircraft flying at 6m above ground!) has been tried, and the Polish President's reckless feeling of invincibility are nowhere to be found in that scenario. Nor are there traces of any lessons that the Air Force might have drawn from the earlier 2008 Polish CASA disaster, an event fully comparable to that of the 1994 Mull of Kintyre crash of the RAF Chinook helicopter.

    Listen, in the future, why don't you chase after the Cthulu Monsterettes instead, and leave the geopolitical considerations to us more firmly anchored in the Land of Intellect?

Puppet Show: Trading Money for FreedomDecember 28, 2015 6:50 AM

The Fourth Amendment to the United States Constitution prohibits unreasonable CITIZEN searches and seizures and requires any warrant to be judicially sanctioned and supported by probable cause.
The USA government is upset its corporations (not citizens) in China will have to unencrypt their communications for the Chinese Communist Party Police.

http://www.nytimes.com/2015/12/28/world/asia/china-passes-antiterrorism-law-that-critics-fear-may-overreach.html?ref=technology&_r=0

Greed Is Good
No mention is made of repressive mass surveillance of citizens. Until recently, American High Tech, USA government and politicians USED TO be champions of responsible free speech, probable cause and liberty.
Now they meet in Seattle to use American software and put citizens in both countries under high-tech mass surveillance!

Has Wall St/Hedge Fund/shareholder value decimated our inalienable God-given rights? Is technology being terribly misused to control rather than improve the human experience? Does greed know no-end?

Mining the Dirt
Today corporate Big-Data agents build citizen dossiers which circumvent judicial oversight. Police routinely mislead prosecutors and judiciary oversight. Corporate lobbyists remove privacy safeguards in laws so evil that politicians can't bear to read.

With these turns for the worse, its obvious that our politicians are being pressured using the adverse information contained in their secret dossiers. FBI director Hoover controlled Washington using this very technique back in the 1950s. He had their dirt and let the politicians know it!

Grocery Bag Opening
A common example is when high-ranking politicians all-of-a-sudden radically change philosophy to pass new bills they campaigned against. Their choice is to either pass the bill (which no-one reads) or end their career in shame and destroy their family.
This is why nothing seems to make sense with the notable exception of Donald Trump. He doesn’t need their money and is largely immune from their big-data mass surveillance blackmail. No one can figure it out...Och!

JG4December 28, 2015 7:19 AM

@MarkH

You are correct in general about the journalist standards of Zerohedge. I like to call it doom-porn and it is addictive. They are quick to call bullshit on any emanations from the Fever Swamp and Wall Street. I don't think that any of the cold war-era reactors are sufficiently fail-safe and I've seen the claims made that the assembly of at least some of the Soviet nuke plants was driven by unreasonable schedules. To the point that some of the welding was done by the old expedient used on the Liberty ships - put down a layer of weld, pack most of the allocated welding rods in the seam and weld over the top. It is reasonable to hope that robotic inspection and new electronics could be used to make some of the old infrastructure safer. But those are not the kinds of things that happen in a full-on economic collapse.

MarkHDecember 28, 2015 1:04 PM

@JG4:

I know just a little about the nuclear power plants in Ukraine, and would like to learn more.

The hideous RBMK plants (as in Chernobyl) have been decommissioned. All the the currently operating NPPs use pressurized-water reactors (PWRs). This generic reactor type is a scale-up of the reactors used in naval submarines, and has demonstrated (so far!) an excellent safety record in Western power plants.

The familiar Westinghouse reactors in the US are PWRs.

It appears that in their general design, the Russian-designed PWRs (called in Russian VVER, or in Cyrillic ВВЕР) seem to closely follow their Western counterparts, including safety provisions.

However, the devil is in the details, and with regard to matters of quality control (as you mentioned), and conservatism in the design of safety systems, I don't know how they compare with Western practice. They appear to have Western-style containments, which essentially keep people safe Even When Everything Else Goes Wrong. The PWR design itself has a degree of built-in safety. I expect that they have redundancy of critical systems, and on-site power generation in the case of power failure, but I haven't confirmed that.

The latest generation of VVERs (NOT those used in Ukraine) are designed to protect their core purely passively (without power or operator intervention) for 72 hours -- not shabby.

This discussion has given me some good questions to ask Vadim, when we next meet :)

Of one thing I am sure: Ukrainians love their children as much as the people of any other nation. And unlike most people, they have the terror of Chernobyl deeply embedded in their consciousness. Most of my Ukrainian friends either were children who were evacuated from Kyiv, or parents who evacuated their children from Kyiv.

Clive RobinsonDecember 28, 2015 5:29 PM

@ IDEA GUY,

About 2/3 of all Americans. Is that Ok?

As a rough aprox 191M out of 310M is about what you would expect the "adult population" of the USA eligible to vote to be.

So about all adult voting Americans. Is that about OK?

I guess if you are a registered voter anywhere in the US you might want to check up...

AnuraDecember 28, 2015 5:58 PM

I suspect the database is from a company that went to each county and obtained the voter registration records (which are public record). If this is the case, then it shouldn't have things like phone numbers for California due to California's privacy laws, although it's possible they obtained that information from other databases - they do show "is_do_not_call" as one of the fields, so it's likely that this is not just from voter registration.

Dirk PraetDecember 28, 2015 6:46 PM

@ zerno, @French Interior Ministry Creeps

They do oblige ISPs to install "black boxes" and screen data flows
and supposedly detect "bad" behaviour using some sorts of "algorithm".

Sounds like DPI gear (Blue Coat and stuff).

BuckDecember 28, 2015 8:00 PM

@Clive Robinson

Which also contains a link so you can check to see if you are on it...
Here's what I found after visiting that link:
Dissent says:
December 28, 2015 at 6:31 pm
Sorry, but I removed the links as I don’t like linking to what are essentially data dumps of personal information - even if they're public records. But you're right, those lists are easy to find. And that concerns me, too. I value transparency and accountability, but we've got to rein in the widespread sharing of our personal information.
Wow! It's kinda disheartening to see such knowledgeable people take this stance in regards to matters of the public record, even after Edward Snowden's revelations... I hope his/her proposed solution has something to do with making the big political parties pinky-swear that they'll stop collecting and collating voter data! The only other obvious alternative to me would be to snatch up all the tech-savy individuals in order to ensure that us mere-mortals can't peek upon our own employees'/employers'/neighbors' voter statuses.

Well, there's also the tired old idea of correcting user behavior by highlighting the prevalence of major data leaks... At this point, it seems to have had little effect so far. In this particular case - abstaining from voting - well, that could possibly have positive results, but not unless the voter records couldn't be easily forged...

I rather think that most of the candidates themselves (at all levels of politics) are overdue in learning about what they themselves are supporting with the power of big-data! ;-)

tyrDecember 28, 2015 9:23 PM


Here's some interesting material for the interested.

For the uninterested it is a move on nothing to see.

https://archive.org/details/JohnTaylorGattoTheUndergroundHistoryOfAmericanEducationBook

If you want to see why the inertial resistance to
fixing surveillance you don't have to look any place
but the schoolhouse to see why.

I recall what Heinlein had to say about feedback
loops (recursion) in mechanical systems and the
danger in thinking they can be safely ignored.

CuriousDecember 29, 2015 4:36 AM

According to Reuters, an independent security researcher has uncovered a database of information on 191 million US voters:

http://uk.reuters.com/article/uk-usa-voters-breach-idUKKBN0UB1DQ20151229

"An independent computer security researcher uncovered a database of information on 191 million voters that is exposed on the open Internet due to an incorrectly configured database, he said on Monday."

"The database includes names, addresses, birth dates, party affiliations, phone numbers and emails of voters in all 50 U.S. states and Washington, researcher Chris Vickery said in a phone interview."

ThothDecember 29, 2015 5:31 AM

@Nick P, Clive Robinson, Figureitout, Markus Ottela, Wael
A Kernel Based Box-in-a-Box Encryption Suggestion

Most encryption are done using application software or with the aid of hardware that are separate from the kernel of an OS itself. Encrypted messaging application like encrypted emails, encrypted chats uses their own proprietary or open source protocols and they could be subverted to add backdoors into their communication protocols.

Most application based backdoors can be defeated using some sort of Box-in-a-Box technique to separately encrypt messages but these techniques are not easy to implement due to the need of using a separate hardware or software. Ease of use of secure technologies have always been the stumbling block for uptake of security technologies. The "Why Johnny Can't Encrypt" experiments have been conducted for a few times by different research groups and have shown that encryption is not easy to get correct by both ordinary and technical minded people.

Using a Box-in-a-Box encryption technique can also enable secure communications over an insecure messaging application thus enabling those who have to live their lives in authoritarian regimes to be able to setup their own secure communications without relying on insecure messaging applications.

The main mechanism to enable the Box-in-a-Box encryption is to be able to intercept data in applications and also being able to inject data into application on the kernel level. Most messaging applications utilizes GUI textboxes to allow displaying and inputting of text and also file upload fields for uploading media content. The ability to expose kernel level functions to intercept data from applications with proper permissioning would allow the manipulation of data with better ease.

A user can create a secure communication plugin to adapt onto the kernel API for accessing raw data flowing to applications with more ease (with proper permissions) and then encrypting / decrypting the data in real-time before it becomes displayed on the GUI or CLI. With such an ability, secure communication can be done over insecure application.

The kernel API module for exposing data flow should require strict permission and data flow otherwise it can be exploited as an easier kernel backdoor. It should also not include secure communications module to prevent it's inclusion being banned due to Government import/export controls. It presents a double edged sword which on one hand allows easier interception and injection of secure communication without relying on specific applications and thus makes secure communication more widely available even over insecure channel and increases uptake of secure communication but on the other hand opens a whole new opportunity for easier data interception and modification if the implementation is done poorly or with malicious intend.

Although the kernel modification seems to introduce a possible path for attackers to gain access to data flow in an application, there are other exploits that already exists to get the job done.

A cleanly coded and fully open sourced kernel module that exposes an application's data flow which also puts the users in control should be the proper option to go for.

Clive RobinsonDecember 29, 2015 5:40 AM

@ Curious,

Re 191 million US voter details breach...

It would appear that the story is getting around. I tracked down a non paywall version of the story @IDEA GUY provided (I hate PayWalls and the like). The article I gave had links to the original data etc that I posted above... But then @Buck reported that the site had taken down the link (see above) now not even that site appears to be available any longer, as the site is nolonger responding when I try it...

I wonder how many US Citizens are upset about it, and if the leaking DB will get firmly linked to a Political Party. Because if it does and it's Hillary then I'll let you think up what the mainly GOP controled media will say, based on their previous attacks.

Time to get out the popcorn and comfey chairs and watch the game commence ;-)

Clive RobinsonDecember 29, 2015 6:07 AM

@ Thoth,

A cleanly coded and fully open sourced kernel [Box within a Box] module that exposes an application's data flow which also puts the users in control should be the proper option to go for.

Sadly no, due to the state of modern Consumer OS's either via bugs or backdoors made to look like bugs, I would assume that if the computer is connected to the Internet then it has been rooted. Thus the encryption / decryption needs to be done "off device".

There are variois ways that this can be done, and I've mentioned them long long ago when talking about OnLine Banking transaction authentication.

It boils down to needing an external "box" with a strongly mandated interface, to bring the end of the "end to end" encryption outside of the vulnerable computer.

How this is done is a question of how strong you think your attacker might be, and how much effort the user is going to put into OpSec.

Let's just say that I think the high level attackers are way stronger than many realise, and happily selling tools to routinely root computers to the worst dregs of humanity with handfulls of cash. Further that users are just to ill informed / lazy / stupid / etc for them to sufficiently get to grips with and consistantly use strong OpSec.

I'm sure @Nick P will have his own views on this, but it's a tough problem and few will realise the need to do it, and even fewer the need to get it right.


ThothDecember 29, 2015 6:40 AM

@Nick P, Clive Robinson, Figureitout, Markus Ottela, Wael
"Thus the encryption / decryption needs to be done "off device""

That's the same as my thoughts. I guess there's really no easier method to encryption unless the users really want to engage in COMSEC and there will always be the "Johnny Can't Encrypt" scenarios.

CuriousDecember 29, 2015 7:23 AM

I am not into this stuff, so I am certainly not the best to present this, but still I thought the following looked interesting somehow:

A paper about attacking the use of Edwards and twisted Edwards curves in elliptic curve cryptography:

"Degenerate Curve Attacks" (26. Dec)
https://eprint.iacr.org/2015/1233

"In this paper, we dispel that belief and present the first attack of this nature against (twisted) Edwards curves, Jacobi quartics, Jacobi intersections and more. Our attack differs from invalid curve attacks proper in that the cryptographic device is tricked into carrying out a computation not on another elliptic curve, but on a group isomorphic to the multiplicative group of the underlying base field. This often makes it easy to recover the secret scalar with a single invalid computation."

Nick PDecember 29, 2015 11:22 AM

@ Thoth

It's an interesting design. Ihe last discussion, I pointed out it's similar to my concept posted here where I put the brains on a removable stick or card (eg PC Card). The CPU and flash, at a minimum, would be on it with the system having RAM, peripherals, and power supplies. I know this should be doable in a desktop model. An online discussion had someone in hardware suggesting that wouldn't be possible on a laptop due to cooling and the buses. I'm still not sure it's impossible: might just be tricky to design.

In any case, if my model is unavailable, hers might be a good option for x86 systems to stop evil maid attacks, etc. I haven't given it a full review yet. My main concern is stuff being swapped out or subverted in ways that don't depend on state in common areas. Plus, someone in discussion said it was a FPGA and the key word there is "reprogrammable." However, I pointed out an anti-fuse FPGA could be used.

WaelDecember 29, 2015 4:06 PM

@Thoth, @all,

Thus the encryption / decryption needs to be done "off device"

Yes, true. That's one of the fundamentals. But why is that? What is it we're trying to overcome (or what weakness are we trying to compensate for) by running crypto-operations "off-device"?

tyrDecember 29, 2015 5:13 PM


@Wael, @all,

I think it is because the nationstate actors like
bulls in a china shop have broken everything in
their mad rush to collect it all. By moving off
the net connected machine you have a much smaller
attack surface and make it a lot harder to be
interfered with. This doesn't mean nation states
are after you, it means they have screwed it all
up making your net machine far too vulnerable for
any comfort. Easier verification means higher
levels of trust in the process.

WaelDecember 29, 2015 6:00 PM

@tyr, @Thoth, ...

By moving off the net connected machine you have a much smaller attack surface and make it a lot harder to be interfered with.

Yes, generally speaking, the task is to deprive your opponent of control. If one doesn't have complete and exclusive control of the system, then security is an illusion because other parties that have control can and will do things without your knowledge or consent. They have effectively deprived you of awareness as well.

So an important point, besides doing crypto off the device, is to do the "crypto" on a device that the owner has exclusive and complete control over. I gave an example in the past...

JacobDecember 29, 2015 7:44 PM

The WSJ published a very detailed (and juicy) Exposé about the Spy-vs-Spy operations between Israel and the US.

Some notable excerpts:
"When Obama assumed office, the NSA and Unit 8200 cooperating against shared threats, like Iran’s nuclear program, but this was a double-edge sword: for example, Unit 8200 gave their U.S. counterpart a "hacking tool" which was later discovered to have passed on information to Israel about its usage. This was not the only instance of such an incursion, officials told the WSJ, saying that when Israel was confronted with the claims, and would respond that they were accidental, the NSA would half-jokingly respond that the U.S. "make[s] mistakes, too.”"

When Obama announced, after the Snowden revelation, that the US would stop listening in on allied head-of-states comm, Bibi wasn't in the deal:

"There was little debate over Israel. “Going dark on Bibi? Of course we wouldn’t do that,” a senior U.S. official said, using Mr. Netanyahu’s nickname.
One tool was a cyber implant in Israeli networks that gave the NSA access to communications within the Israeli prime minister’s office."

"NSA intercepts convinced the White House last year that Israel was spying on (the Iranian nuclear deal - J.) negotiations under way in Europe. Israeli officials later denied targeting U.S. negotiators, saying they had won access to U.S. positions by spying only on the Iranians."...
"Soon after, Israel’s lobbying campaign against the deal went into full swing on Capitol Hill, and it didn’t take long for administration and intelligence officials to realize the NSA was sweeping up the content of conversations with lawmakers.
The message to the NSA from the White House amounted to: “You decide” what to deliver, a former intelligence official said."

"Just before Mr. Netanyahu’s address to Congress in March, the NSA swept up Israeli messages that raised alarms at the White House: Mr. Netanyahu’s office wanted details from Israeli intelligence officials about the latest U.S. positions in the Iran talks, U.S. officials said."

More at the WSJ site. You are not stopped by the paywall if you click on the link to the article in Google news.

ThothDecember 30, 2015 4:52 AM

@Wulf
It is better not to rely on Bitlocker for Disk Encryption or even use Windows for anything serious other than casual relaxation.

FDE schemes are problematic as they simply protect a disk partition data or if the entire disk is a partition on it's own but that does not mean Evil Maid attacks cannot be carried out.

There are instances where compromised BIOS can log password keystrokes to decrypt a disk and modify the decrypted and unencrypted data in RAM although it seems having disk encryption night simply be better than nothing until a better solution exists.

Clive RobinsonDecember 30, 2015 6:41 AM

@ Wulf,

The reason Win10 can do this is poor security design at low levels.

A golden rule is that KeyMat never shares the same channels as plaintext or cipher text. As this prevents the KeyMat being seen on the "communications channels" by those not cleared to see KeyMat.

All MS's current consumer OS's can be assumed to be "hostile agents" waiting to betray you at the first opportunity, so giving them access to KeyMat is a very very bad idea. However customers appear not to want to pay the money to have a seperate KeyMat channel...

If you look at the materials for marketing etc military / diplomatic grade security you will find blurb on "Key Fill" or "Crypto Ignition Keys" on Inline Media Encryptors. This is the KeyMat channel.

Supprising to many is some devices in this class still use optical punch paper tape readers with non standard holes etc. This makes the KeyMat very easy to destroy as the paper tape is designed to burn very easily. It also makes KeyMat auditing fairly easy and secure. Which from a security perspective is a lot lot better than Flash Memory devices or Smart card chips [1], which have quite significant security issues.

If modern tech is to be used then KeyMat takes on a whole new form. The actual KeyMat needs not only to be encrypted with asymmetric techniques it also needs users to enter sufficiently secure PINS etc. You can read up more about this with the DNS-SEC documents about how the signing key is protected, or other standard texts on the use of HSMs.

[1] It's the fact that these chips are so robust, which means they are used in the newer Flight Data Recorders (black box) because they are nearly impossible to destroy even with explosions and fire that would bring an aircraft down or sink a ship.

Clive RobinsonDecember 30, 2015 2:27 PM

@ Gerard van Vooren,

I am truly flabbergasted

Don't be, it's fairly normal behaviour for the War Hawks and the industrial parhiahs who profit greatly from creating chaos. @ Nick P amongst others have posted similar information about US neo-con plans that not just pre-date GWB but set out the road map GWB and his puppet masters followed. Where what to you, me and many of us would appear abhorrent, the neo-cons "perceived as normal" due to amongst other things "group think" driven by "personal agenda" and "turf marking" would cause increasing deviency from normal as standard, especialy when two or more members of a group appear high on the psychopath scoring system.

Sadly it appears that this group "perceived as normal" madness pops up all over the place, especially where certain types of manager are known to exist.

Have a read of,

http://danluu.com/wat/

It won't give you comfort, but it might convince you "All the world is mad" just in their own odd ways...

WaelDecember 30, 2015 3:28 PM

@Clive Robinson, @Gerard van Vooren,

Have a read of [...] It won't give you comfort...

Such is the world we live in. It's a good read with elements of truths many can identify with. I particularly like this suggestion under "solutions":

The simplest option is to just do the right thing yourself and ignore what’s going on around you. That has some positive impact, but the scope of your impact is necessarily limited.

Nick PDecember 30, 2015 3:33 PM

@ Clive

That was a fucking great article! Best write-up of the situation I've ever seen with great examples and good recommendations. One of them, paying attention to weak signals, is difficult enough that the author admits it takes hard thought. Curious, do you know of any good writing where people thoroughly examined that topic along with what worked and didn't? That sounds like it's worth reading on.

BoppingAroundDecember 30, 2015 4:10 PM

Gerard van Vooren,
In addition to what Clive wrote, have you by chance read Forsyth's The Dogs of
War? There is a rather fine portrayal of what may be going on within the minds
of people who do that kind of stuff (everything about sir James, to be precise).

It's fiction but it's all right. For a fiction, of course.

ThothDecember 30, 2015 6:39 PM

@Wulf, Clive Robinson
Smart card chips probably are one of the easiest to destroy chips due to it's tiny size. The gold/silver comtacts of the chip card is actually many times bigger than the actual chip which is found on the reverse of the metal contact pad with bond wires covered by a layer of tamper evident epoxy. Once you dug out the metal pad and flip it over to expose the transparent epoxy with the raw chip inside the epoxy coat. All you need is melt away or remove the tamper evident epoxy and you will have a about 3mm size or so tiny naked chip for you to attack. I would say using a sharp drill or pointed object aimed either at the center of the metal pad or if you intend to expose the chip to drill, puncture or slice and dice would suffice. I wonder how a 3mm size chip that have been punctured with a pointed object or diced up could be reliably recovered. Most HSMs uses tamper resistant tokens containing smartcard chip anyway but they use a quorum sharing algorithm to split administrative keys.

Nick PDecember 30, 2015 6:57 PM

@ Clive

I was going through old links on formal verification esp looking for spec-to-code methods. I discovered this book by Eric Hehner is now free. He's considered among the top in those sort of thing. Looking at his publications made another discovery that might be applicable to my high-level synthesis research.

High-level circuit design

Unlike the Baranov work, you can review this one rather quickly because it's 32 pages with mostly, simple techniques. They do both imperative and functional programs to circuits. For each, they look at language constructs that should exist in any of that category. Then, they show how they implement that in hardware. They show how to combine the styles. They also provide a correctness proof.

It was interesting reading to me. What do you think of their algorithm to logic mapping strategy and mechanisms? Think this one's worth further investigation and development?

Note: I got the impression that this is to Baranov's what Modula-2 is to Ada. ;)

Clive RobinsonDecember 30, 2015 8:04 PM

Why the old "market forces" econmicd does not work on the Internet,

http://www.newyorker.com/tech/elements/in-silicon-valley-now-its-almost-always-winner-takes-all?intcid=mod-latest

The traditional economic model has some hidden assumptions, such as "distance costs" which if it applies means that any organisation finds it's costs increase with distance which in effect limits it's market range/coverage and alows other players to compete in another locality because their cosys are less. However the internet removes the "distance costs" assumption for certain goods, thus a "winner takes all" market can arise very easily. Which means that market differentiation is difficult at best. But it also generaly means that the first to market is also the "market winner" for various reasons. The article explains some of them, and this knowledge is quite important if you are planing on investing.

However it also has an adverse effect on security. Untill you are the "market winner" you have neither the time or other resources to use on anything other than becoming the "market winner" thus "quick, dirty and focused on user function" is the business plan. You don't worry about legal action because initialy you have nothing to lose as your company has no value so is probably not a target except to an existing encumbrant. It's only when you are worth a billion or so that the sharks start circling. Thus the trick for the company is to know when to switch the company ethos, such that the sharks have little to bite on. Again as an investor knowing this is important.

The question that is important is what sort of "investor" are you "money or effort" and how do you get the returns on your investment. Even the lowly janitor invests effort, as do all employees, but few get to see significant returns. Thus working for a start up can burn you thrice.

Clive RobinsonDecember 30, 2015 8:25 PM

@ Nick P,

Unlike the Baranov work, you can review this one rather quickly because it's 32 pages with mostly, simple techniques.

I've had a quick scan of the first four chapters of the book, and the first few pages of the paper. The book is similar to stuff I wrote back in the 90's when training people in information theory, just starting at a more advanced level. Likewise the paper has a familiar feel to it.

However it's around 2:30 in the morning UK time, so the brain is tired. I'll give them "fresh eyes" over the weekend.

Nick PDecember 30, 2015 9:22 PM

@ Clive

"I've had a quick scan of the first four chapters of the book, and the first few pages of the paper. The book is similar to stuff I wrote back in the 90's when training people in information theory, just starting at a more advanced level. Likewise the paper has a familiar feel to it."

Good to know it looks similar. That's hopeful on it being legit.

"However it's around 2:30 in the morning UK time, so the brain is tired. I'll give them "fresh eyes" over the weekend."

Appreciate it. Far as Baranov's book, that you did 1-4 of his book might have gotten you a bit bored as that's mostly foundational material on boolean logic, state machines, etc that's a precursor to his actual techniques. You might find it more enlightening to start with seeing how they're *applied* on something real from system-level to gates. I mean, some parts won't be clear but even I could follow a decent amount of it. If interested, go to Chapter 7: System Design on pdf page 147 to see his methodology applied to a "simple" CPU.

Gerard van VoorenDecember 31, 2015 4:41 AM

@ Boppingaround et al,

I've read most of Frederick Forsyth's books. And with the exception of Day of the Jackal the filmed versions are all way worse than the books. Jon Voight in the role of a successful womanizing German reporter... In Dogs of War the mastermind plans a coup with mercenaries in Africa with the goal of owning the platinum mines (platinum is used in car exhaust catalysts). But this was the idea of one man. What happens in Syria is that US think-tanks are doing this on a much larger scale.

The part of which I am flabbergasted about is that first the US armed IS and later declared this group as some sort of demons with all the news covering involved. It is so easy for the US government to make an enemy simply by demonizing it. This history of US - IS could explain the marginally bombing of IS in Iraq. I only wonder at which time US civilians are going to realize that the US involvement in Syria was prefabricated and that they have been lied to. This news makes me feel suspicious about the motivations of France in bombing ISIS and even suspicious about the martial law.

Nick PDecember 31, 2015 11:23 AM

@ Jacob

re definitions

Holy crap, they're not playing are they? Lol. They know NSA might play word games. So, they've apparently used about every word they can think of. I particularly like the and/or section where Congress straight-up drops the laws of formal logic on their ass. Their version, anyway. Then tops it off with the gender of words. One wtf built on another.

panaxDecember 31, 2015 11:26 AM

Update on the crypto wars:

The White House is requesting comments on the use of encryption and how it relates to the Federal government's ability to prevent terrorism. This is in response to a petition to the White House to reject policies which mandate insecurity in products. Please send them your comments if you have not already done so.

SkepticalDecember 31, 2015 11:33 AM


@Gerard: I am not really sure whether Skeptical likes this news. Now the truth emerges: how the US fuelled the rise of Isis in Syria and Iraq

Well, happy Christmas.

You link to an opinion column by Seumas Milne written in June. It is neither "news", nor "now", nor "truth", nor is anything but Milne's usual reality-defying tripe "emerging." And the notion of the CIA funding ISIS in 2011 or after is laughably absurd. It's the equivalent of claiming that the CIA was funding the Soviet Union's nuclear weapons program in 1960.

See here for a good description of Milne's character and stance on other issues: http://www.newstatesman.com/politics/media/2015/10/i-wanted-believe-jeremy-corbyn-i-cant-believe-seumas-milne

Regarding ISIS, a fair analysis would conclude that there were a number of conditions that enabled the possibility of such a group emerging. Foremost among them would be the collapse of the Syrian state. Failed states in an area stretching from Northern Africa through the Middle East spawn Islamist insurgencies with remarkable regularity (from northern Nigeria and Mali, through Algeria, to the Horn of Africa, to the Sinai, Syria is not an outlier in this respect.

The collapse of Syria had nothing to do with the United States. This is a fact impossible for Milne to see - in his worldview it's still 1970 and the fall of any government hostile the US must be caused by the US. Milne's argument is easily dismissed by anyone remotely familiar with the history Assad's regime, the brutal lengths to which they went to hold on to power, the depth of hatred for them by a majority of Syria's population, and the events of 2011 that flamed into a full civil war.

However, one of the key enabling conditions of ISIS's successful - though temporary - invasion of Iraq has been the alienation of Iraqi Sunnis from the Iraqi Government, and the corruption of the Iraqi Government and much of its military by Iranian influence and Shi'ite militias (with huge overlap between the two). And THAT, in turn, was made more likely by the US-led toppling of Hussein and the departure of all but a few US forces from Iraq under President Obama.

So, appropriately given the messy state of reality, the conclusion is mixed. Certain factors of ISIL's rise were enabled by US actions - though the most proximate of those actions is actually the US withdrawal from Iraq, which allowed far more influential actors in the form of Iran and certain Iraqi factions to alienate Sunnis and hollow Iraqi military forces, setting the stage for ISIL's incursions to turn into occupations.

But ISIL, in one form or another, simply needed a failed state in that region to incubate (as similar movements have incubated in other failed states in the region - obviously I'm simplifying here, but surely the comment is long enough already). Once the Syrian state collapsed in 2011, the emergence of a group like it was a high-probability outcome.

Less predictable was ISIL's success in focusing upon seizing oil infrastructure to produce revenue for itself, or the Assad regime's willingness to purchase that oil.

Assad knows, and Russia knows, that while the world and most of Syria believe that Assad must go, if the only choices on the menu are Assad and ISIL, then the choice is obvious. And so Assad, with Russia's help, is attempting to eliminate those other choices.

It's Assad's best option, but in attempting to do more than preserve a friendly Syrian government that permits continued Russian access to important assets on Syria's coast, Russia is overreaching.

Ultimately - and this is my prediction - a settlement will involve:

-- the Alawite dominated Syrian Government maintaining control of key western regions and cities (with Assad at the helm for a time);

-- Syrian Kurdish forces - in conjunction with US, NATO, and KRG forces - being given primary control over a stretch of northern Syria;

-- the deserts of central and eastern Syria, along with the cities and villages - and oil rigs - that sprout along water sources and oil resevoirs - will be controlled by a coalition of Sunni governments, with the involvement of the US, the UN, and other countries.

Regarding the Kurds: the complexity of their relationship with Turkey isn't well understood. The Kurdistan Regional Government has a fair relationship with Turkey - though it may have escaped the attention of some, recently the Iraqi Government protested the presence of Turkish forces inside KRG (Iraqi) territory. The Turkish forces were not attacking the KRG - in fact they were providing training.

In other words, it's true that the PKK, the YPG, and the KRG, are all Kurdish organizations, but not all Kurdish organizations are the same.

To take a conflict more familiar to some readers here, the Irish Government, the IRA, and the P-IRA (or pick your favorite violent offshoot), are all Irish organizations, but they're not all the same, and for most of recent history have not been viewed as the same by the British Government.

Clive RobinsonDecember 31, 2015 11:46 AM

@ Bruce, and others,

I don't know if you have seen this or not, but you might find it quite amusing,

https://theintercept.com/2015/12/30/spying-on-congress-and-israel-nsa-cheerleaders-discover-value-of-privacy-only-when-their-own-is-violated/

I especialy find it funny that the US politicos waving the flag for the NSA were dumb enough to think thr NSA would not listen in on them...

After all it was only a few months ago that a UK GCHQ representative told a UK Parlimentry enquire that as far as GCHQ were concerned "The Wilson Doctrine" had no standing.

Thus any half way bright UK Politico now knows that GCHQ is listening in on every word and keystroke they make... Thus the brighter US Politico's must have realised that the same applies to them.

Just to make it brutally obvious to any reader in doubt, as far as the FiveEyes IC is concerned they are incharge of what goes on not the elected representatives of the country. That is the FiveEyes IC are loyal only to themselves and not to any agency of the Government that pays their wages from the tax income. Any politico under the illusion that they are in charge / control in any way is going to find out the hardway that they are not in charge, in fact they are not even in the pecking order.

BuckDecember 31, 2015 12:36 PM

@Clive Robinson

I assume you've probably already seen this, but it's definitely related to your link above:

http://www.independent.co.uk/news/uk/politics/theresa-may-wants-to-see-your-internet-history-so-we-thought-it-was-only-fair-to-ask-for-hers-a6785591.html

In response to the "Snooper's Charter," The Independent filed a freedom of information request for Theresa May's internet browsing history. Well, the home office has just recently come back with a response, and boy was it ever a good one!

We have decided that your request is vexatious because it places an unreasonable burden on the department, because it has adopted a scattergun approach and seems solely designed for the purpose of 'fishing' for information without any idea of what might be revealed.

BoppingAroundDecember 31, 2015 5:30 PM

Clive,
> I especialy find it funny that the US politicos waving the flag for the NSA
> were dumb enough to think thr NSA would not listen in on them...

Well, perhaps they were trying to soothe the beast. But as the old saying
goes, partnership with the mighty is never trustworthy.

Loser watchDecember 31, 2015 5:52 PM

In which Skeptical falls off the turnip truck, evincing slightly less experience than Baby New Year, gurgles, and squirts a redolent glob of patriotic chump metconium.

"laughably absurd. It's the equivalent of claiming that the CIA was funding the Soviet Union's nuclear weapons program in 1960."

You poor sad wannabe. Get it straight, for chrissakes. In 1960 CIA was funding Israel's nuclear weapons program, and Israel was selling all the best knowhow to the Russians. Russia paid the Zionazis for it, fair & square. Surprised you never knew, what with your above-Top-secret CONFIDENTIAL clearance with the Facilities Services Directorate, Special Custodial Ops Division.

TL;DR, Don't waste precious moments of your life with Skeptical's characteristic link-free Syria logorrhea, just read Ch. 10 of the Wikileaks Files, unimpeachably sourced with the cables and Iraq logs that Sekptical's not allowed to read cuz it might prompt impure thoughts.

Skeptical, you poor sad brainwashed tool.

ThothDecember 31, 2015 10:50 PM

@all
Recent 32C3 hosted by CCC with a presentation from QubesOS's Roanna mentions about trusted stick which contains verifiable firmware and data and for the hardware to be a stateless machine.

She only got it half right as a closed sourced chipset without Flash or ROM could design the circuits to be malicious. The main problem is close sourced and hard to verify hardware designs at the very base level which @Clive Robinson, @RobertT, @Nick P, myself et. al. have been discussing for a long while before the talk or her paper came out.

What if the stateless CPU that Roanna mentions can modify instructions sent for execution.

Making systems not using a closed source firmware only solves little. What is necessary is the hardware to be capable of being inspected and open.

Link:
- http://www.theregister.co.uk/2015/12/31/rutkowska_talks_on_intel_x86_security_issues/

Clive RobinsonJanuary 1, 2016 2:01 AM

@ Buck,

Yes I did see it, and the irony of the rejection statment was not lost on me.

Sadly that is the level of competence we have to put up with from our Civil Servants in the UK, when their tempory political directors get upset and throw the toys out of the pram and start their sanctimonious "I'm holier than thou" hissy fits. Which Theresa May is reputed to be not very good at concealing, which some BBC recordings tend to confirm... Which makes her not very suitable leadership material.

Clive RobinsonJanuary 1, 2016 2:20 AM

@ BoppingAround,

Well, perhaps they were trying to soothe the beast.

Yeah well the should be mindfull that some beasts "bite the hand that feeds them" and can be neither trained nor managed. Further that when animals get that way, the usual way a vet deals with the problem is to permanently "soothe" the unruly beast with a terminal anesthetic injection, if the usuall first steps of castration and defanging don't work.

Clive RobinsonJanuary 1, 2016 4:07 AM

@ Thoth,

at she proposes will still not provide you with security, I disregarded the "remove state" idea back in the last century.

The reason being that all computers require state at a fundemental level to work. The simple fact is you have to put data somewhere whilst you process it. If the data can influance the way the computer behaves then it's game over as far as security is concerned.

I initialy looked at using the Harvard architecture as a solution to maintain strong seperation between native code and data. Whilst this does provide a lot of security it fails if the native code can act as an interpreter of the data in some way. The simplest way for an attacker to do this is to in effect build a self threaded stack based language from as little as eight or nine instructions, and I found that though difficult it could be done.

Subsiquent work by others has shown you actually only need one instruction and ignoring the Intel ME, other parts of the Intel Architecture can be used to build a hidden virtual CPU by the way they interreact.

Further thinking shows that this is a "lesser flea" problem, in that as you work your way down the computing stack, there is always going to be a layer below that can effect all the layers above.

The result of that thinking is to realise NO single computing stack can be trusted implicitly. That is all computing stacks can be made to "defect" in some way. Thus you have to find ways to catch defection in the act, before it can do any harm.

This takes you from the world of securing by design --which she is talking about-- which can not be achieved, to the world of security by mitigation and instrumentation, which has been around a lot longer than computers have.

The technical ways of doing this are by voting systems and using inverted processing logic in the mix. Whilst these methods can be used to catch all outsider originated attacks, even these methods are not proof against highly skilled insider attacks where a single trusted individual who has access to all systems and can thus disable the instrumentation. Thus you need to have multiple systems where no insider can subvert them all.

There are reasons however why you might not want to go to those extreams currently, cost being just one of them. The simple fact is the cost of security goes up exponentialy unless you take steps to mitigate appropriately, in engineering terms it means finding "sweet spots" where you use several relatively cheap techniques in a way where their combined effects are rather more than the sum of their individual effects.

Further it has to be realised that even if you can make the physical layers of the computing stack secure by mitigation, the act only as a foundation. You also have to address security at all the layers above including those extetnal to any NGO of "legislative" and "political". Sometimes the best way to do that is by puting methods in place whereby neither politics or legislation can stop the snowball you have pushed down the mountain because it has grown beyond control. One way to do that is to make the technology "to usefull to hinder".

Most people would agree that if we did not have knives then logicaly the would not be "knife crime". However if we had no knives then all the usefull things they do would have to be done other ways. Some of those ways would result in different edged cutting devices that would be used for crime. So banning knives is not going to stop crime just minimally change it. Thus you have to weigh the cost to society of the loss of utility of a knife not against current knife crime but the very minimal change to crime the banning would have, and further the cost of developing and producing alternative cutting tools. Often the result is the cost to society far far out weighs the percived benifit, let alone the actual benifit.

It is getting security to the point where even those with strong political agenders against security, realise that the loss of security is going to be orders of magnitude more harmfull --not just to society in general but them in particular-- that they will start to back down, and security will become not just accepted but deeply normalised within society.

BenniJanuary 1, 2016 1:11 PM

Apparently, BND has found a new "curveball" source. Knowing that germans will forward anything
http://www.theguardian.com/world/2011/feb/15/defector-admits-wmd-lies-iraq-war

it was just a matter of time when BND would find a new "source". The new one tells lies about alleged terrorist plots in germany:

http://www.sueddeutsche.de/muenchen/silvesternacht-was-zum-terrorverdacht-in-muenchen-fuehrte-1.2802971

That way, ISIL can spread fear among the german population, and use BND and police to lock down entire areas but without any risks or cost.

It is also an effective way to draw police attention to a wrong place in case a real terrorist attack is planned.

ianfJanuary 1, 2016 2:41 PM


@ Benni [New BND source…] “ISIL can spread fear among the german population, and use BND and police to lock down entire areas but without any risks or cost.

It is also an effective way to draw police attention to a wrong place in case a real terrorist attack is planned.

I'm not arguing against you, only scratch my head over ?what exactly? you propose that BND/ the Police/ other security services OUGHT TO DO in such cases, when, on one hand, they have HUMINT/ intel of never wholly corroborated kind, and on the other the requirement that they protect the public at all FUTURE-ELECTORAL costs?

    After all, if there are no politicians with guts nearby, individuals willing to risk being accused (post-fact) by populist press of being "soft on terror," why should we expect a higher degree of responsibility from mere executive branches of local governments? Clearly, the CYA principle applies across the board, and no, I don't know what to do about it either, which is why I'm asking aloud.

tyrJanuary 1, 2016 6:22 PM


@ianf, Benni

The worst nightmare for current enforcement is an
adversary who begins to think ahead of the reaction
and use the reactions to fulfil their aims. Most
can not do this because it doesn't fit into their
self image as radical action heroes. The last of
the Paris clowns was characterized as a mastermind
when his most obvious attribute was stupidity.
Stupid can do a lot of damage but thinking long
term isn't one of their attributes.

So far the world has been lucky, we haven't raised
a Napoleon, Temujin, or Alexander for a long time.
We also haven't managed to recover from Frederick II
and his dinner table cronys yet.

Dirk PraetJanuary 1, 2016 7:08 PM

@ Gerard Van Vooren, @ Skeptical

The collapse of Syria had nothing to do with the United States.

Anyone interested in a different and well-documented view on the matter may wish to read up on Seymour M. Hersh's "Military to Military". The review and summary linked to paints an entirely different picture of an administration obsessed with destabilising Syria to get rid of Assad and going against repeated warnings of its own DIA and Joint Chiefs of Staff. Some may remember Hersh as the investigative journalist who exposed the 1968 My Lai massacre and its cover-up during the Vietnam War, and for which he received the 1970 Pulitzer Prize for International Reporting. In 2004 he reported on the US military's mistreatment of detainees at Abu Ghraib prison.

ianfJanuary 1, 2016 7:33 PM


@ tyr paraphrased […] “adversary that predicts the reaction and uses it to fulfill (and reinforce) its aims. Most can not do this because it doesn't fit their self image as radical action heroes

Quite. Of course, then it could be argued, that these clowns do not need to think ahead, because the ALWAYS READY TO SHOW THEIR MUSCLE enforcement agencies gladly do that for them at the earliest opportunity.

(Not sure how universal it might be, but in the wake of called-off Brussels and Munich New Year celebrations, I've now heard twice on 2 different news channels a comment that the police is doing "the terrorists' job" for them, and that it lies in the nature of security services, that their threat analyses can not be subjected to public validation or scrutiny. MORE OF THAT PLEASE).

SkepticalJanuary 2, 2016 9:34 AM

@Dirk: The review and summary linked to paints an entirely different picture of an administration obsessed with destabilising Syria to get rid of Assad and going against repeated warnings of its own DIA and Joint Chiefs of Staff.

No, Hersh's article (published, like his previous UBL conspiracy theory article, in the London Review of Books, something I'll return to in a moment, alleges that the US military deliberately undermined the Obama Administration's effort to arm Syrian opposition (by, for example, supplying inferior/ancient weapons).

It further alleges that such efforts to arm the opposition began long after the Syrian state descended into civil war.

So the article doesn't contradict what I said: the collapse of the Syrian state had nothing to do with the United States.

Aside from that, the article itself is contradicted by numerous, quite public, disagreements between the administration and certain Congressional leaders (not to mention some within the administration who opposed its ultimate policy position).

For those who don't follow such matters, until last year the President's policy has been to avoid involvement in Syria so far as possible. Enormous skepticism was both leaked and explicitly argued concerning the strength and existence of "moderate" opposition groups. Indeed, when ISIL expanded, administration opponents (and internal critics of its policy) blamed the administration's reluctance to provide arms or support to moderate groups.

Some may remember Hersh as the investigative journalist who exposed the 1968 My Lai massacre and its cover-up during the Vietnam War, and for which he received the 1970 Pulitzer Prize for International Reporting. In 2004 he reported on the US military's mistreatment of detainees at Abu Ghraib prison.

More recently he claimed that the US knew where Bin Laden was for years, that the operation to kill Bin Laden was essentially staged, and that the operators who killed him threw pieces of Bin Laden out of their helicopter as they returned to Afghanistan.

That too was published in the London Review of Books - probably because The New Yorker, Hersh's preferred venue, wouldn't accept the article.

Dirk PraetJanuary 2, 2016 3:00 PM

@ Skeptical

So the article doesn't contradict what I said: the collapse of the Syrian state had nothing to do with the United States.

I read it differently. What I read is that both current and past US administrations have been trying to destabilize Syria for years, financing opposition, going against their own DIA and JCS advice that there was (and is) no such thing as "moderate rebels" and that toppling Assad would only make the situation worse.

If anyone is stuck in cold war thinking, it's the USG. Russia and Assad are not the enemy. Da'esh is. And it's the US and its Sunni allies in the region that have created them. And can we finally dispense with the "murderous regime eating babies for breakfast" narrative too? Same thing was said about Saddam and Khadaffi. There's no doubt that they're all undemocratic, authoritarian regimes, but are Saudi Arabia, Turkey, Qatar or Bahrain any better? I think not, and the same goes for most other regimes in the region.

And where is that USG's protest against the 47 people executed in Saudi Arabia today, among which an influential Shiite cleric? Yet another move of pure genius by this highly enlightened medieval regime by the grace of $DEITY that will make sectarian violence in the region even worse. And which is essentially what the entire Syrian civil war has been from the onset, although everyone for obvious reasons keeps denying it.

For the USG, the world is simple: the Shia nations of Syria (Alawites are Shia sect) and Iran are the enemy. And for that purpose, they have knowingly and willingly aligned themselves with Sunni allies like Saudi Arabia and Turkey, who in their turn finance, arm and otherwise support the Sunni jihadis of Da'esh and Al Nusra. That these are in fact murderous terrorists is just a bit unfortunate, but also explains why until recently the offical US position was one of no involvement as others were doing their dirty work for them. And which would have worked too, if it hadn't been for those pesky Russians.

But as Virgil already said: "Dolus an virtus, quis in hoste requirat" ("Who asks whether the enemy was defeated by strategy or valor?").

FigureitoutJanuary 2, 2016 7:29 PM

Thoth RE: 'The "Why Johnny Can't Encrypt" experiments'
--Mostly poor documentation, this is one of my driving motivations, to make strong security much easier to have (hence working w/ Arduino, just put my code in, plug this shield in, and there you go). Check out my kits now, sweet little RF modules. http://postimg.org/image/did82rnox/ And the solder job which is slightly atrocious and why I like machine made boards http://postimg.org/image/lg7twde3b/ My DC-DC converters were actually boost, not buck, so I couldn't use them to just downconvert 5V to 3.3V (grr), so I just put in a 1nF cap as a mostly useless low-pass filter from VCC to GND. Eventually going to use a separate power supply, probably a little LM317.

We haven't given Josh Datko's shield any love here, definitely some real nice chips (authentication ones are the most interesting, in my view) in a nice shield ready to use, just need some easily readable example code to make even easier to use. https://www.sparkfun.com/products/13183

There's really not many excuses anymore, besides laziness and not caring about your digital well-being. Getting f*cking owned usually changes that... Google made encrypting your smartphone easy, and hey, everything still works. Crypto apps, they're out there, they work, you just...use them. The GPG4WIN suite is nice, really like the "GPA". Veracrypt: very nice. 7zip too. In embedded space, lots of the hard work's been done (porting algorithms to run on various architectures, see this for instance: https://trac.cryptolib.org/avr-crypto-lib/browser ).

Not sure about your "box in a box" thing, that's getting into containers and virtualization hmm?

tyrJanuary 2, 2016 8:03 PM


Seen on RT television.

American General explaining to Congress that we only
have 5 or 6 people who were trained as moderate rebels
for Syria.

General was African American.

Now the horrid cynic who lives in me began to wonder
about the sequence that led this guy into the hot seat
of trying to explain why all the money we spent on the
mad scheme was a waste. I'm sure once the job of doing
so was detailed that many would jump at the chance to
fry their career by self immolation. Now that you have
been "All that you can Be" I guess early retirement is
a nice option.

I surprised no one remembers Hintons curse from the US
trying to interfere in 1949 Syrian elections for the
plan of regime change that backfired so badly. The
definition of insanity is trying to do the same thing
over and over again and hoping it will work this time.

@Clive

Since the snouting episode I have not been able to see
the phrase putting lipstick on a pig the same way.

SkepticalJanuary 3, 2016 5:55 PM

@Dirk: What I read is that both current and past US administrations have been trying to destabilize Syria for years, financing opposition, going against their own DIA and JCS advice that there was (and is) no such thing as "moderate rebels" and that toppling Assad would only make the situation worse.

You have to be somewhat removed from the debate that's occurred about Syrian intervention in the US over the last three years to buy into that reading.

Obama was, according to multiple named sources who opposed his decisions, and according to Obama himself, disinclined to intervene at all in Syria.

Here's an excerpt from an interview of Obama two years ago (Jan 2014) in The New Yorker:

It is very difficult to imagine a scenario in which our involvement in Syria would have led to a better outcome, short of us being willing to undertake an effort in size and scope similar to what we did in Iraq. And when I hear people suggesting that somehow if we had just financed and armed the opposition earlier, that somehow Assad would be gone by now and we’d have a peaceful transition, it’s magical thinking.

And he goes on to say:

Very early in this process, I actually asked the C.I.A. to analyze examples of America financing and supplying arms to an insurgency in a country that actually worked out well. And they couldn’t come up with much. We have looked at this from every angle. And the truth is that the challenge there has been, and continues to be, that you have an authoritarian, brutal government who is willing to do anything to hang on to power, and you have an opposition that is disorganized, ill-equipped, ill-trained, and is self-divided. All of that is on top of some of the sectarian divisions. . . . And, in that environment, our best chance of seeing a decent outcome at this point is to work the state actors who have invested so much in keeping Assad in power—mainly the Iranians and the Russians—as well as working with those who have been financing the opposition to make sure that they’re not creating the kind of extremist force that we saw emerge out of Afghanistan when we were financing the mujahideen.

The study that Obama refers to here, incidentally, was leaked in substance 10 months later to The New York Times, after two persons who opposed Obama's decision - Hillary Clinton and Leon Panetta - wrote books in which they described Obama rejecting a proposed plan to supply lethal weapons to rebel factions in 2012. You can read about the study here - http://www.nytimes.com/2014/10/15/us/politics/cia-study-says-arming-rebels-seldom-works.html - along with some additional background on the policy debate at the time.

So Dirk, everything you've said about the danger of simply pumping arms into Syrian rebel forces, the possibility that those arms would end up in the hands of Islamists, and the dangers posed by simply deposing Assad, have been very public parts of the debate in the United States, and in the US Government, for years.

Indeed, even in 2013, when considering launching attacks on Assad's regime in response to their use of chemical weapons, he explicitly ruled out a strike that would depose Assad in the process? Why?

Because:

I don't think we should remove another dictator with force -- we learned from Iraq that doing so makes us responsible for all that comes next. But a targeted strike can make Assad, or any other dictator, think twice before using chemical weapons.

If Obama wanted to remove Assad, he had everything he needed to do so after the chemical weapons attack in 2013. If he wanted to flood opposition forces with weapons, he had everything he needed to do it. He did neither - and was the subject, and remains the subject, of criticism from many for it.

So when I read items from certain outlets that the US has eagerly fomented chaos in Syria and desires above all else to remove Assad, it's like reading a travelogue about a city by an author who has never visited it and manages to get everything almost entirely backwards.

If anyone is stuck in cold war thinking, it's the USG. Russia and Assad are not the enemy. Da'esh is.

Which is why the US has launched thousands of airstrikes, multiple raids, and lost personnel in combat against ISIL.

As to which nation in the world is trapped in Cold War thinking, that's likely the one led by a man who called the fall of the Soviet Union the greatest catastrophe in history.

And can we finally dispense with the "murderous regime eating babies for breakfast" narrative too? Same thing was said about Saddam and Khadaffi. There's no doubt that they're all undemocratic, authoritarian regimes, but are Saudi Arabia, Turkey, Qatar or Bahrain any better? I think not, and the same goes for most other regimes in the region.

Is Turkey any better than the Syrian Government? Seriously?

And where is that USG's protest against the 47 people executed in Saudi Arabia today, among which an influential Shiite cleric? Yet another move of pure genius by this highly enlightened medieval regime by the grace of $DEITY that will make sectarian violence in the region even worse.

A concern voiced by the US State Department as well (cited to http://www.state.gov/r/pa/prs/ps/2016/01/250934.htm in case not shown in browser):

We have previously expressed our concerns about the legal process in Saudi Arabia and have frequently raised these concerns at high levels of the Saudi Government. We reaffirm our calls on the Government of Saudi Arabia to respect and protect human rights, and to ensure fair and transparent judicial proceedings in all cases.

The United States also urges the Government of Saudi Arabia to permit peaceful expression of dissent and to work together with all community leaders to defuse tensions in the wake of these executions.‎

We are particularly concerned that the execution of prominent Shia cleric and political activist Nimr al-Nimr risks exacerbating sectarian tensions at a time when they urgently need to be reduced.

In this context, we reiterate the need for leaders throughout the region to redouble efforts aimed at de-escalating regional tensions.

And returning to your comment now...

For the USG, the world is simple: the Shia nations of Syria (Alawites are Shia sect) and Iran are the enemy. And for that purpose, they have knowingly and willingly aligned themselves with Sunni allies like Saudi Arabia and Turkey,

You believe that the US aligned itself with Sunni allies because Syria and Iran are enemies?

Turkey joined NATO in 1952. Zero to do with opposition to Iran or Syria.

The US and Saudi Arabia have been on friendly terms (with exceptions) since well before there was any enmity between Iran and the United States.

Indeed, prior to 1979, Saudi Arabia and Iran were part of the "twin pillars" approach to US foreign policy in the Middle East. And if we go back even further, you find the US viewed by certain Iranian factions (I can't recall names) as a possible ally against the imperialist powers they struggled against (Russia and Britain).

US foreign policy is many things, some good, some bad, some neither. But simple it is not, and especially not during the Cold War.

who in their turn finance, arm and otherwise support the Sunni jihadis of Da'esh and Al Nusra. That these are in fact murderous terrorists is just a bit unfortunate, but also explains why until recently the offical US position was one of no involvement as others were doing their dirty work for them. And which would have worked too, if it hadn't been for those pesky Russians.

I'm afraid I can't understand the logic of this statement. You believe that the US countenanced the funding of ISIL as a means of destroying Assad, and that Russian air support of regime forces - coming a year after the US had launched thousands of airstrikes against ISIL, in addition to US-led raids on the ground and US air support of other forces against ISIL - is what stopped it from "succeeding"?

If that's the view you're putting forward, it's just factually incorrect.

Dirk PraetJanuary 3, 2016 9:11 PM

@ Skeptical

So Dirk, everything you've said about the danger of simply pumping arms into Syrian rebel forces, the possibility that those arms would end up in the hands of Islamists, and the dangers posed by simply deposing Assad, have been very public parts of the debate in the United States, and in the US Government, for years.

And despite all the warnings and even POTUS raising serious questions about the entire thing - and which I can't remember ever denying -, arms and money were pumped into "moderate" rebel forces and which eventually ended up with Da'esh and Al Nusra. And which is common knowledge, unless you know of some 3rd party selling them Abrams battle tanks and stuff. Makes you wonder what kind of control the man actually has over the CIA and the State Department.

Which is why the US has launched thousands of airstrikes, multiple raids, and lost personnel in combat against ISIL.

Which for a long time have been questioned as to their efficiency and results. Allow me to quote Sen. John McCain who in September last year said: "Indeed, this committee is disturbed by recent whistleblower allegations that officials at Central Command skewed intelligence assessments to paint an overly positive picture of conditions on the ground".

You don't have to be a military genius to know that it's already hard to get results without boots on the ground, but that you're not going to get anywhere soon as long as several of your own key allies are financing, arming and supporting the very people you're bombing. And which must be a nightmare scenario for any military commander.

Is Turkey any better than the Syrian Government? Seriously?

Actually, yes. However much Erdogan would like to join the EU, it's not going to happen due to their abysmal record on human rights, treatment of the Kurds and quite some other issues. Ask any European politician.

"We have previously expressed our concerns about the legal process in Saudi Arabia and have frequently raised these concerns at high levels of the Saudi Government."

A truely harsh condemnation indeed. But perhaps it would be better to quote POTUS himself from a last year CNN interview: "Sometimes we have to balance our need to speak to them about human rights issues with immediate concerns that we have in terms of countering terrorism or dealing with regional stability". Which is rather pathetic in light of the fact that SA is actively financing terrorism and creating regional instability.

QED yet again by the execution of Nimr al-Nimr, the storming of their embassy in Teheran and subsequent cutting of diplomatic relations with Iran. Any new year's hopes for a swift solution of the Syria and Yemen wars are definitely off the table too now.

You believe that the US aligned itself with Sunni allies because Syria and Iran are enemies?

Perhaps I should have phrased my statement differently by saying "aligned themselves with traditional Sunni allies like Saudi Arabia and Turkey in their common goal to topple Assad and contain the influence of Iran".

You believe that the US countenanced the funding of ISIL as a means of destroying Assad

I'd rather replace "countenance" by "turning a blind eye", but that is exactly what I'm saying. And I don't think you'll find anyone denying that without Russian intervention Assad would have been long gone by now.

SkepticalJanuary 5, 2016 3:11 PM

@Dirk: arms and money were pumped into "moderate" rebel forces and which eventually ended up with Da'esh and Al Nusra. And which is common knowledge, unless you know of some 3rd party selling them Abrams battle tanks and stuff.

You're off the mark again. You're thinking of equipment captured from Iraqi forces (no one has sold or given tanks to ISIS). And the US hasn't supplied anything even approaching tanks to any rebel faction.

I don't think you appreciate how late to the game the US was in supplying any lethal aid at all, or how limited its contribution was.

Here's a good article on the initial decision by the President to begin a covert lethal aid program:

http://www.nytimes.com/2013/10/23/world/middleeast/obamas-uncertain-path-amid-syria-bloodshed.html

The weapons ISIL is using aren't those that must be acquired from the United States, but rather which existed in abundance in Syria and Iraq already, and which were supplied in ample numbers by neighboring countries in support of various groups.

Serious US involvement began only in August 2014, when it conducted airstrikes and infiltrated special operations forces to aid the Yazidis (in conjunction with Kurdish forces - to which many minorities have fled for protection). And as should be obvious, it has been extremely tight-fisted in supplying weapons to any rebel factions in Syria even after that point.

Which for a long time have been questioned as to their efficiency and results. Allow me to quote Sen. John McCain who in September last year said: "Indeed, this committee is disturbed by recent whistleblower allegations that officials at Central Command skewed intelligence assessments to paint an overly positive picture of conditions on the ground".

The airstrikes are intended to be one part of an effort that will take years - they're not intended to be a quick fix, as there is none. They're used to support forces fighting against ISIL, to grind away ISIL's capabilities, and to buy time and confidence for local ground forces that will eventually be in a position to eradicate ISIL.

That air support has been integral to the success of the YPG against ISIL forces in Kobane and elsewhere, to the success of combined Kurdish forces in the retaking of Sinjar, to the success of Iraqi forces in retaking Ramadi.

There's a long way to go. Mosul and Fallujah seem likely to prove substantial challenges. But ISIL lost much of the territory it captured in 2014, and it will continue to lose men, key leadership, equipment, and morale. In fact I would guess that its losses in those areas will accelerate, though I would not expect Mosul or Fallujah to be retaken before 2017.

You don't have to be a military genius to know that it's already hard to get results without boots on the ground, but that you're not going to get anywhere soon as long as several of your own key allies are financing, arming and supporting the very people you're bombing.

Although I'd suspect, without any real knowledge, that arms flows from neighboring countries into Syria were less controlled prior to 2014, I think that's far from the case today. Sunni nations are actively involved in bombing ISIL targets, and arming and training ground forces against ISIL.

Actually, yes. However much Erdogan would like to join the EU, it's not going to happen due to their abysmal record on human rights, treatment of the Kurds and quite some other issues. Ask any European politician.

Turkey has many serious issues and shortcomings. But the Turkish Government and political/legal system is far better than Assad's regime.

A truely harsh condemnation indeed. But perhaps it would be better to quote POTUS himself from a last year CNN interview: "Sometimes we have to balance our need to speak to them about human rights issues with immediate concerns that we have in terms of countering terrorism or dealing with regional stability". Which is rather pathetic in light of the fact that SA is actively financing terrorism and creating regional instability.

The Saudi Government isn't financing AQ or ISIL, if that's what you mean. You do realize that most of those executed were Sunni militants affiliated with AQ, right?

As to the execution of Nimr al-Nimr, the US expressed its concerns as to the effect on regional stability. What more should the US do?

The decision by elements within the Iranian Government to allow the storming and destruction of the Saudi Embassy was much more serious. Though that decision is likely tied to domestic Iranian politics (the storming was condemned by the Tehran commander of the Revolutionary Guards - notably a hardline group - and Preisdent Rouhani, but welcomed by other conservative figures), it's much more of a direct attack on another nation, and has obviously proven far more destabilizing.

Perhaps I should have phrased my statement differently by saying "aligned themselves with traditional Sunni allies like Saudi Arabia and Turkey in their common goal to topple Assad and contain the influence of Iran".

Again, if the US wanted to "topple" Assad, it had ample opportunity to do so. If toppling Assad were priority #1 for the US, missiles would have launched in 2013. The problem isn't toppling Assad - the problem is what happens afterward. Until 2014, the US Government's position on the Syrian Civil War was essentially: "this is horrible, we'd like for Assad to step aside and for the various groups to come to a peaceful settlement, but it's a conflict that we cannot resolve by force and in which we do not wish to become involved."

I'd rather replace "countenance" by "turning a blind eye", but that is exactly what I'm saying.

The US takes a pretty dim view - to put it mildly - of anyone funding AQ affiliated groups like Nusra, or Islamist extremists like ISIL. If you have evidence that the US turned a blind eye, please state it. Such an extraordinary claim, if backed by evidence, would certainly be worthy of a large amount of media interest.

And I don't think you'll find anyone denying that without Russian intervention Assad would have been long gone by now.

The US, for obvious reasons, doesn't desire the Syrian Government to simply be defeated. The result would be a massacre and continued chaos. And I cannot imagine why you think the US would prefer ISIL gaining control over Syria's most populated areas, not to mention some of its more sophisticated weapons, to Assad. Russia, and Assad himself, seem to have a far better understanding of US preferences here than you do, if that is your view.

Dirk PraetJanuary 5, 2016 7:08 PM

@ Skeptical

You're thinking of equipment captured from Iraqi forces (no one has sold or given tanks to ISIS).

Whereas the Abrams tanks were indeed probably captured from the Iraqi military, it is rather well documented that POTUS around October 2013 gave the CIA'S Special Activities Division (SAD) green light to arm and train "moderate" Syrian rebels with as ultimate purpose the overthrowing of the Syrian regime. The operation was an abysmal failure.

Wikileaks cables published in 2011 also show that the US State Department had been secretly financing Syrian opposition groups and projects since at least 2006 in order to destabilize the Assad regime. Other sources confirm illegal CIA activities in Syria since the 1950s, and which have included coup attempts, assassination plots, and in more recent years, also extraordinary renditions and paramilitary strikes.

Your claims that the US had "nothing" to do with the situation in Syria are thus demonstrably false.

The Saudi Government isn't financing AQ or ISIL, if that's what you mean. You do realize that most of those executed were Sunni militants affiliated with AQ, right?

For long, the Saudi government has taken a dual policy approach to AQ, Da'esh and its predecessors. While considering them a clear and imminent danger domestically, they have been very useful tools in combatting the Syrian Assad regime and other Shia apostates in the region.

I probably don't need to remind you that 15 out of 19 of the 9/11 attackers were Saudi nationals and that there are still 28 missing/redacted pages from the official 9/11 commission report, alledgedly pointing the finger at connections to Saudi officials. Everyone knows the Saudis have been financing terrorist movements for years. In a December 2009 cable released by Wikileaks, then Secretary of State Hillary Clinton says that "Saudi Arabia remains a critical financial support base for al-Qa'ida, the Taliban, LeT [Lashkar-e-Taiba in Pakistan] and other terrorist groups."

Whereas we can discuss to which extent the Saudi government was either directly or indirectly involved, there is no denying that they knew very well what was going on and that everyone was fully aware of the Kuwaiti channels through which it was happening. Although the cable clearly shows the US's knowledge of and concern about the matter, it also points out the huge reluctance on behalf of Saudi authorities to adequately deal with it. As well as the US's de facto inability or unwillingness to do anything about it other than secretly working diplomatic channels.

And even if you're not buying any of this, there is just no way that Da'esh could have become a formidable military force without substantial funding and arms supplies from regional supporters, and which I doubt were either Syria or Iran.

The US takes a pretty dim view - to put it mildly - of anyone funding AQ affiliated groups like Nusra, or Islamist extremists like ISIL. If you have evidence that the US turned a blind eye, please state it.

I refer to the above referenced Hillary Clinton Wikileaks cable.

So yes, the USG for all practical purposes has for years turned a blind eye to Saudi financing of terrorist groups including but not limited to AQ and Da'esh, beit very reluctantly. Any other country would have been publicly exposed on the international stage, punished with severe economic sanctions for failure to put an immediate stop to the massive financing of terrorists, and with furious, bipartisan calls in Congress for airstrikes on its capital.

Russia, and Assad himself, seem to have a far better understanding of US preferences here than you do, if that is your view.

Given the context of the regional powerplay, the US'es actions, inactions and results thereof, are you in any way suggesting that the Assad regime would still be standing if it hadn't been for Russia's intervention? And without which the Da'esh black flag would now be flying over Damascus, a genocide against the Alawites in full progress and the US or the so-called Free Syrian Army unable to do exactly zilch about it.

SkepticalJanuary 10, 2016 9:29 PM

@Dirk:

In support your conclusion that my

claims that the US had "nothing" to do with the situation in Syria are thus demonstrably false
you provide the following evidence:

it is rather well documented that POTUS around October 2013 gave the CIA'S Special Activities Division (SAD) green light to arm and train "moderate" Syrian rebels with as ultimate purpose the overthrowing of the Syrian regime. The operation was an abysmal failure.

I linked you to an article reporting the Presidential finding for a covert action program to arm and train certain Syrian rebels. As you noted, the operation resulted in little difference in Syria - and had nothing to do with either causing the Syrian Civil War (2 years old at that point) or the rise of ISIL (which had already solidified its hold on territory in Syria and was soon to expand into Iraq).

So this isn't evidence in support of your conclusion. You also adduce:

Wikileaks cables published in 2011 also show that the US State Department had been secretly financing Syrian opposition groups and projects since at least 2006 in order to destabilize the Assad regime. Other sources confirm illegal CIA activities in Syria since the 1950s, and which have included coup attempts, assassination plots, and in more recent years, also extraordinary renditions and paramilitary strikes.

Aborted CIA operations in the 1950s, and small US State Department funding of human rights organizations, did not cause the Syrian Civil War nor contribute in any way to it. Your failure to even attempt to draw a connection between those things and the Syrian Civil War speaks for itself.

Look, this is the simple truth:

Decades of brutal suppression of majority Syrian ethnic and religious groups - millions of people - in conjunction with economic deprivation and other examples set during the "Arab Spring", caused the hold maintained on Syria by Assad's security forces to slip, and once it did underlying sentiment and existing social structures drove forward open rebellion along with defections from Syrian military units.

Believe it or not, the sentiments of millions of Syrians and Assad's treatment of them mattered more to the collapse of the regime's hold over Syria than 60+ year old aborted or failed operations or the US State Department's funding of human rights organizations.

As to Saudi Arabia, you claim:

I probably don't need to remind you that 15 out of 19 of the 9/11 attackers were Saudi nationals and that there are still 28 missing/redacted pages from the official 9/11 commission report, alledgedly pointing the finger at connections to Saudi officials. Everyone knows the Saudis have been financing terrorist movements for years. In a December 2009 cable released by Wikileaks, then Secretary of State Hillary Clinton says that "Saudi Arabia remains a critical financial support base for al-Qa'ida, the Taliban, LeT [Lashkar-e-Taiba in Pakistan] and other terrorist groups."

And in the same memorandum notes that while Saudi Arabia has been aggressive in countering funding to AQ, it has been less so in acting against charities that also serve as conduits of funds/resources to other terrorist organizations.

The Taliban, and especially LeT, are not as obvious threats to the Saudi Government as AQ, and the delicate internal politics of Saudi Arabia probably imposes some friction on the movement of the Saudi Government towards limiting the activities of certain charities with respect to organizations other than AQ (and, quite obviously, ISIL). But there's no doubt in the memorandum that the Saudi Government has targeted funding for AQ and continued to do so.

Indeed, the key talking point to be used in persuading the Saudi Government to pay more attention to charities that aid the Taliban was that the Taliban is aligned with AQ.

You go on to write:

Although the cable clearly shows the US's knowledge of and concern about the matter, it also points out the huge reluctance on behalf of Saudi authorities to adequately deal with it. As well as the US's de facto inability or unwillingness to do anything about it other than secretly working diplomatic channels.

As the memorandum you cite states, due in part to US pressure the Saudi Government became "increasingly aggressive" and pro-active in countering funding to AQ. The US also established US Treasury Department units within Saudi Arabia to assist and train Saudi personnel and organizations. There are numerous reports you can find on Saudi efforts to combat terrorist funding. Suffice to say that the Saudi Government, with US help, went from a country with little of the infrastructure or institutions needed to conduct this type of financial surveillance and control to a country with vastly improved and more sophisticated capabilities, which it uses.

Finally, you write:

And even if you're not buying any of this, there is just no way that Da'esh could have become a formidable military force without substantial funding and arms supplies from regional supporters, and which I doubt were either Syria or Iran.

Your view is flatly contradicted by evidence in the public domain regarding ISIL's sources of funding. Remember that ISIL derives from al Qaeda in Iraq. ISIL's primary sources of funding were, and remain, various operations (extortion, oil smuggling, kidnapping and ransom, robbery) that produced healthy revenue streams. There are a number of good studies of this available. Here's a place to start on AQI: http://www.rand.org/pubs/monographs/MG1026.html

As to this question:

Given the context of the regional powerplay, the US'es actions, inactions and results thereof, are you in any way suggesting that the Assad regime would still be standing if it hadn't been for Russia's intervention? And without which the Da'esh black flag would now be flying over Damascus, a genocide against the Alawites in full progress and the US or the so-called Free Syrian Army unable to do exactly zilch about it.

I think Assad's regime would be under considerably more pressure, but I don't think it would have collapsed at this point.

Dirk PraetJanuary 11, 2016 9:48 AM

@ Skeptical

So this isn't evidence in support of your conclusion.

Your statement is that the US had nothing to do with the situation in Syria. The elements I summed up show the US has a long history in overt and covert attempts at destabilising and overthrowing the regime. I never said the US directly caused the Syrian civil war, but it surely contributed to it in more than one way, and not in the least by their invasion in Iraq that lead to a cascade of events that ultimately gave birth to Da'esh.

But there's no doubt in the memorandum that the Saudi Government has targeted funding for AQ and continued to do so.

The bottom line of the memo remains that despite ongoing efforts and collaboration with the US "Saudi Arabia remains a critical financial support base for al-Qa'ida, the Taliban, LeT [Lashkar-e-Taiba in Pakistan] and other terrorist groups." Note the word "critical".

Your view is flatly contradicted by evidence in the public domain regarding ISIL's sources of funding.

I am familiar with the RAND, FATF and other reports on Da'esh financing, and in which foreign donations account only for a minor percentage of their funding. Although their bottom line is probably correct, there are two considerations that need to be taken into account:

1) They are estimates, partially based on incomplete Da'esh accounting records found in the field as well as other research most of which draws upon equally incomplete and unofficial data. It's not like they're an official general ledger.
2) Whereas the bulk of Da'esh revenue today comes from oil exports, it is counter-intuitive to think that they could ever have achieved sufficient critical military mass to take over major cities with extortion and ransom moneys alone. I know of precious few other criminal or terrorist movements in history that ever pulled that off. Which leads me to believe that foreign donations at least in their early years played a much more substantial role in their rise than the static 5% report figures at first glance suggest.

I think Assad's regime would be under considerably more pressure, but I don't think it would have collapsed at this point.

I don't think anyone actually shares that opinion. Even Assad in a last July speech admitted that a shortage of manpower was forcing him to make strategic decisions which positions to defend. Again, it is counter-intuitive to assume that Putin intervened just for the heck of it, knowing only too well that it would cost him and that he'd be drawing flak from all sides. It's way more likely that the Russians had reliable intelligence that the Syrian army was about to crumble, which would have meant them losing their Syrian bases.

SkepticalJanuary 11, 2016 2:44 PM


@Dirk:

The elements I summed up show the US has a long history in overt and covert attempts at destabilising and overthrowing the regime. I never said the US directly caused the Syrian civil war, but it surely contributed to it in more than one way, and not in the least by their invasion in Iraq that lead to a cascade of events that ultimately gave birth to Da'esh.

The Syrian Civil War would have occurred regardless of the existence of ISIL, and would have occurred regardless of State Department memoranda speculating about factors that might show weaknesses in Assad's control.

Look, the crux of this argument is the implication that somehow the US is to blame for Islamist terrorism, for ISIL, for 13 November, for the Syrian Civil War, etc.

Belief in such a thing obscures the actual drivers behind the phenomena and events listed above, and in doing so it prevents us from understanding both the actual scope and nature of the problem, but also the policies that might best address it. Such a false belief also makes it very difficult to parse the propaganda from the facts.

The bottom line of the memo remains that despite ongoing efforts and collaboration with the US "Saudi Arabia remains a critical financial support base for al-Qa'ida, the Taliban, LeT [Lashkar-e-Taiba in Pakistan] and other terrorist groups." Note the word "critical".

Sure. The United States has an extensive system to prevent money laundering, fund transfers to criminal, terrorist, or otherwise sanctioned entities, and so forth. And yet very large sums were successfully laundered in US banks by drug cartels.

The memorandum never defines what it means by critical. Bear in mind it's also a memorandum meant for wide distribution and intended to communicate talking points for embassies in various countries during discussions with host governments. It's not intended to be a nuanced analysis. So I'd be wary of reading too much into choices of words.

1) They are estimates, partially based on incomplete Da'esh accounting records found in the field as well as other research most of which draws upon equally incomplete and unofficial data. It's not like they're an official general ledger.

So far as I'm aware, neither AQI nor its successor entity ISIL has contracted an accredited accounting firm to conduct an independent audit of its bookkeeping.

But don't underestimate the extent to which this organization, and similar organizations, keep careful track of funds and expenditures. They have all the headaches (and more), and much of the paperwork, of any other bureaucracy. And it's vital that they do so if the leadership is to have any idea as to where funds are coming from, how they're being spent, and how to decide where funds should be allocated.

Frankly, I'm only slightly surprised there's not some version of al-Qaeda Quickbooks floating around those networks.

So while I agree that we should take those estimates with an appreciation for the existence of a margin of error, I don't think those estimates are likely to be dramatically off.

2) Whereas the bulk of Da'esh revenue today comes from oil exports, it is counter-intuitive to think that they could ever have achieved sufficient critical military mass to take over major cities with extortion and ransom moneys alone. I know of precious few other criminal or terrorist movements in history that ever pulled that off.

They also had weapons in ample supply, an ample base of alienated young men to draw upon, and a cohesive, violent, and ruthless organization, all in an atmosphere of lawlessness and corruption. That's more than enough for such a group to take control of an urban area without funding from foreign states. Examples of this are unfortunately legion, ranging from parts of Jamaica to vast areas of Central and South America to the Horn of Africa and the Middle East.

I don't think anyone actually shares that opinion. Even Assad in a last July speech admitted that a shortage of manpower was forcing him to make strategic decisions which positions to defend. Again, it is counter-intuitive to assume that Putin intervened just for the heck of it, knowing only too well that it would cost him and that he'd be drawing flak from all sides. It's way more likely that the Russians had reliable intelligence that the Syrian army was about to crumble, which would have meant them losing their Syrian bases.

I think Putin's intervention had multiple motivations.

As to whether Assad's regime would have crumbled by this point, can you point to any prediction, prior to Russian intervention, that by January the Syrian Government would be completely overrun - much less overrun by ISIL?

The more likely outcome is that Assad would have lost ground in certain areas, increasing the pressure on him to step aside, and increasing the motivation of those in the Syrian Government to encourage him to do so, which would open the door to a ceasefire and a negotiated settlement with some rebel groups. ISIL and Nusra would continue to be the targets of coalition efforts, and their strength would degrade rapidly relative to other rebel groups and the Syrian Government's forces.

Dirk PraetJanuary 11, 2016 6:16 PM

@ Skeptical

The Syrian Civil War would have occurred regardless of the existence of ISIL

The Syrian protests started as a peaceful demand for reform but were quickly hijacked by the worst kind of armed extremists. No one from the initial days of the uprising wanted regime change. This was an external agenda which quickly spiraled out of control. And whilst the Syrian regime made mistakes to begin with, as any state makes in times of tension, the uprising has turned into a bloodletting sponsored by external states, including the US.

Look, the crux of this argument is the implication that somehow the US is to blame for Islamist terrorism, for ISIL ...

Whether you like it or not, that's what most of the world thinks of it, including mainstream US politicians like Bernie Saunders and nutcases like Donald Trump. In fact, the only parties that categorically keep denying any and all blame and involvement are the USG, its cronies and yourself.

The memorandum never defines what it means by critical.

Forgive me for not willing to take up a semantic discussion about meaning and definition of the word "critical".

So while I agree that we should take those estimates with an appreciation for the existence of a margin of error, I don't think those estimates are likely to be dramatically off.

Unless someone in "Untouchables"-style gets hold of al-Baghdadi's main accountant, neither of us can really be sure, can we?

can you point to any prediction, prior to Russian intervention, that by January the Syrian Government would be completely overrun - much less overrun by ISIL?

You may wish to Google "collapse of Syrian regime". Analysts, politicians and journalists alike have been predicting the collapse of the Syrian regime for several years now.

The more likely outcome is that Assad would have lost ground in certain areas, increasing the pressure on him to step aside, and increasing the motivation of those in the Syrian Government to encourage him to do so, which would open the door to a ceasefire and a negotiated settlement with some rebel groups.

The preferred US fairy-tale scenario. Which again begs the question: which "moderate" rebel groups? There aren't any. They're all sectarian extremists, and none of them are US friendlies. In fact, the ONLY multi-ethnic, pluralistic fighting force in Syria is the Syrian Army itself, composed of Sunnis, Alawites, Christians and Druzes.

BuckJanuary 11, 2016 8:10 PM

@Dirk Praet

Which again begs the question: which "moderate" rebel groups?
Oh, I've got an answer to that question!

The lesser of two evils is obviously the "devil you know" vs. the "unknowable horror"... For the sake of this conversation, we can probably ignore any potential hidden motives. How often is it that someone should really lose their position based on entirely unpredictable consequences?

Sancho_PJanuary 12, 2016 6:05 PM

Moderate rebells or terrorists -

All I see in the ME,
a region of scarce resources to live of with an abundance of people,
is tribal fighting under assistance of aliens with blood on their hands.

@Skeptical may call that western diplomacy or humanitarian aid,
however it is a failed attempt to unite peoples.

Since decades the USG pulls the threads in the ME.
They (and @Skeptical) may think to understand what they are doing -
but the outcome is not only diminishing freedom and security,
it is a disaster for mankind.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.