How Israel Regulates Encryption

Interesting essay about how Israel regulates encryption:

...the Israeli encryption control mechanisms operate without directly legislating any form of encryption-key depositories, built-in back or front door access points, or other similar requirements. Instead, Israel's system emphasizes smooth initial licensing processes and cultivates government-private sector collaboration. These processes help ensure that Israeli authorities are apprised of the latest encryption and cyber developments and position the government to engage effectively with the private sector when national security risks are identified.

Basically, it looks like secret agreements made in smoke-filled rooms, very discreet with no oversight or accountability. The fact that pretty much everyone in IT security has served in an offensive cybersecurity capacity for the Israeli army helps. As does the fact that the country is so small, making informal deal-making manageable. It doesn't scale.

Why is this important?

...companies in Israel, a country comprising less than 0.11% of the world's population, are estimated to have sold 10% ($6 billion out of $60 billion) of global encryption and cyber technologies for 2014.

Posted on December 8, 2015 at 7:25 AM • 131 Comments

Comments

JacobDecember 8, 2015 8:18 AM

It is worth stressing that in Israel there is a major difference between commercial distribution of encryption products and private use.
Private individual, or a company, who wants to use encryption can do so without asking for any permission of filing for any type of licensing provided that it is for internal use only (meaning you can send out or receive an encrypted signal but can not distribute the encryptor itself), use publickly available product (i.e. open source, internet download, or a commercial package) and it is used unmodified (and this is a Good Thing!)

On the other hand, if one (private individual or a company) is engaged in commercial distribution of an encryption product/package/SW, or use a modified/self-developed package, then he needs to get it approved.

If a company wants to distribute a ommercial package dealing with encryption, then no back-rooms with cigar-smoking gentelmen, no requirements for any past defence engagements - just file an on-line form and get a response in a few days. During the last few years at least, no one got rejected.

I surmise that if one develops a quantum-based super-duper uncrackable RF encryptor, then the approval process might be more labourious...

Oscar M.December 8, 2015 9:40 AM

We read this paper previously and noticed the emphasis on the expanded terminology, wondering if anyone in the US would notice. In the US, encryption and cryptography mean pretty much the same thing. Consulting a NIST glossary won't help. Commonly it is taught that there is private-key and there is public-key, and that's it.

ShacharDecember 8, 2015 11:44 AM

I'm the developer of rsyncrypto. It's an open source file encryption program designed to create rsync friendly encrypted files. The idea is that slight modifications of the plain text create slight modifications to the cipher text, resulting in a file you can efficiently rsync over the net without sharing your encryption key with the server. It goes without saying that this involve some weakening of the actual encryption, but in my (obviously biased) view, nothing serious.

When I developed rsyncrypto, I did so for several years without asking for permission. Nobody approached me. At some point, I decided to ask for a permit. I filed (online), and for "information about the encryption", I put in a link to the project's web site. After a couple of weeks I got an email saying it was approved as a free encryption device (i.e. - anyone can use it without asking for permission). That's it.

Years before that, I was a student of Prof. Eli Biham (the author of serpent, the AES runner up). He once told in class that he was approached, and was told that what he was doing was against the law, but if he asks for permission, they'll give it.

Then again, he also told that all of the AES submissions were given a CD with all the submissions, which the US authorities then told him he cannot take out of the USA.

The law is fairly draconian, but its actual implementation is anything but. I suspect there isn't a single case of an Israeli product being backdoored by or for the government. I think everyone involved understand that a single case of being caught will be enough to completely destroy the Israeli high tech industry. This industry is worth more to Israel than any intelligence gained from such an act. It is both my experience and my understanding that the smoky room agreements simply don't happen.

What does happen is that the IDF recruits very smart people, and develop, in house, both the software and the hardware they need. This is a double gain. In addition to the obvious one, the veterans then go to the high tech industry, often developing products that are designed to protect against precisely those types of attacks, boosting Israel's economy.

Clive RobinsonDecember 8, 2015 12:04 PM

@ Bruce,

One question raised was that of ex-forces or other state ex-employee engaging in nod-&-wink negotiations over licences.

One way to resolve this question would be for a company that has no Israeli employees past or present to apply for licencing, and see how they fare against the norms that are known.

On another point raised, that Israel has a 10% world market share with less than a 0.11% share of world population one part of the explanation is IP theft.

It is known that like France, Israel regards economic espionage as a way to significantly reduce "bleeding edge research costs". For instance South Korea is actively seeking the arest of a number of Israeli persons on "economic espionage" charges, relating to amongst other things Flat Panel Display manufacturing technology and likewise mobile communications.

However it is also known that Israel does not always send out spys. But rather uses "The Chinese method" whereby engineers of Jewish descent wishing to go and live or retire in Israel are encoraged to do rather more than give up their non Israeli identity documents.

Likewise another Chinese method of "educate and repatriate". Where dual passported and similar Israeli youth get educated in other countries and then after working their way through research degrees etc go home with what they have learned. It's known to be qyite a problem in some sectors of the US.

Finally there is the direct copying or "Knockoff" technique as once practiced in the ROC Taiwan and known historicaly as "China Knockoff". That is they steal designs of small foreign companies and then market world wide with Israeli Government support, often in direct under cutting competition of the small companies, that can not defend themselves.

Almost any part of the Tech Sector will give up examples of these sorts of behaviour, and it's fairly well recognised as being if not direct Israeli Government Policy certainly condoned and offenders protected.

Public Disclosure : I have butted heads directly with Israeli organisation three times in my career and indirectly on other occasions. The first was with a front organisation for Mossad over electronic lock technology. The second and third times with --supposadly-- private companies that had stolen designs that I and other close associates had designed. One so flagrant they were in effect "passing off" their knockoffs as reseller Original Manufacturer Equipment. Thus I have an inbuilt bias in my POV, which has been worsened on looking further at Israeli IP theft.

ShacharDecember 8, 2015 12:25 PM

@Clive,

I've been a part of the Israeli high tech industry for over 25 years, and my experience is so far removed from what you describe that it made my stomach turn to read what you wrote. Granted, I've always steered clear of the military industry, but I have worked for security companies as well as others. I have never, not once, seen anyone allow, let alone encourage, IP theft as part of product development.

Either your experience comes from a vastly different industry than the ones I've been exposed to, or you've had seriously bad luck.

Can you please contact me directly (shachar at shemesh dot biz) to talk about it? I'd like to either be enlightened, or to enlighten you. I promise a civilized discourse.

Shachar

smsonDecember 8, 2015 12:29 PM

You despise patents but complain about "private companies that had stolen designs that I and other close associates had designed." WTF

StephDecember 8, 2015 12:55 PM

smson do you not understand the difference between patents and trade secrets? Patents make your invention public, and no one else can use it for the term of the patent without licensing it. Trade secrets are secret, but if someone else develops similar technology you can't sue them (unless they stole it from you).

smsonDecember 8, 2015 1:59 PM

Steph do you not know the stories when you see them?

As long as you keep telling stories you never have to actually solve any real hard problems, you never have to risk failure, you never have to write a single line of code or layout a circuit board or anything. Just tell stories - the popular media eats this stuff up.

Like the crypto-genius - he's so good because he's crazy. Long hair, probably drives a VW bus, always on the run from authorities who are invariably trying to steal his secret stash of super crypto stuff. He just sits back and waits for others to find breaks and weaknesses then jumps up shouting "See! I told you! See!" so to make it sound like the researchers were working for him. And every chance he gets he tells stories about Apple Inc or that evil Microsoft that stole all his stuff and then, gasp, they went and got patents on all his stuff. After all, you know how easy patents are to get - big corporations just pay off the examiners to rubber stamp all their applications.

It's just a story. Only this time it isn't Apple Inc or Evil Bill Gates, this time it's those pesky Israelis.

Have you heard the one about the guy in Arizona who was tinkering around in his garage and invented a gadget that triples the mileage of any car? Except, the big oil companies murdered him.

Just wait, you'll probably read about it on ZDNet or Wired next week. At least Wired will conjure up some big pretty pictures to go with the story.

Clive RobinsonDecember 8, 2015 2:28 PM

@ Shachar,

I don't do off blog communications, as quite a few others will verify, so I'll give you some of the info on blog as I have in the past.

I shall start with Orbotech Ltd as it's mostly in the public domain. They are an Israeli company specializing in automated optical inspection equipment, with branch offices in various places. At the time they had six individuals working for them on charges of technology theft in South Korea.

You can read more about it hear,

http://english.yonhapnews.co.kr/techscience/2012/06/27/5/0601000000AEN20120627008500315F.HTML

And it's not as though those in Israel have not been told about the US disquiet over their industrial espionage over the years. This Israeli newspaper artical is from 1998,

http://www.globes.co.il/en/article-350906

It was originaly reported in the LA Times from an article published by an FBI insider. It was quite widly re-reported at the time in other Israeli and Jewish newspapers. I remember it because one of the senior people in the South Korean company I was then working for, was Jewish and had read it and was like you quite shocked, and he knowing my backround wanted to chat more about it.

What he knew was quite a bit more than the following brief snipit,

When I was working at a company called UniQey I had had a run in with Mossad. What made it funny at the time was UniQey's owner was a hard nosed Jewish businessman previously from the rag trade living in Padington London, and even though repeatedly told what was going on and showed evidence, he realy thought he was going to make a big sale to the Israeli Defence Force...

If you don't know back then Mossad "collected hotel master keys", so they could get easy access when they needed it. The problem at the time was international hotels were starting to switch over to electronic locks. UniQey was at the time one of the market leaders. What the front company was proposing was that they be loaned, a "front desk" key maker so they could integrate it into their system, when we did not bite they offered to buy it. I became suspicious early on, because of other business activities (surveillance equipment design) I was involved in. The front company was supposadly an IBM subsidiary, but did not show up with other parts of IBM. I then did a more in depth due diligence test through some ex-services people I know and they quite quickly put me to the wise.

I've mentioned this befor on this blog, however if you want me to trot out other bits of information just say, and I'll dig out other stuff for you, naming the Israeli Companies involved.

SarahDecember 8, 2015 2:37 PM

Bruce,

1. In a country where service is mandatory, almost every single high-tech Israeli is ex-military and according to your logic they are therefore all suspects. Does this include Israelis in the Silicon valley, too? Are they all suspects as well? What about people with relatives in Israel (like the Googles, or Zucker, or you)?

2. If a country benefits that much from exporting encryption technology, why do you think it may risk inserting backdoors to its products?

3. When a country controls only 10% of the market, what use will it be for it to weaken these 10% if it does not have the semi-monopoly powers of the US to control much of the remaining 90%?

4. Is there ANY evidence in the article you mentioned that actually indicates "secret agreements made in smoke-filled rooms"?


Rufo Guerreschi December 8, 2015 2:50 PM

Is there a better way?

This news means that Israel (as US but more) is a "crackerocracy" , i. e. a land in which a small public-private elite holds such a huge information superiority over everyone else, to make their power trumple any other.
Isn't there any other way to prevent bad guys to get to the best ITsec?!

Maybe the CivicRoom concept?
http://www.openmediacluster.com/civicroom/

Clive RobinsonDecember 8, 2015 3:10 PM

@ smson,

You despise patents but complain about "private companies that had stolen designs that I and other close associates had designed." WTF

You know, when you quote some one when you post, it helps everybody if you identify who you are addressing just as I have at the top of this post.

As for "despise patents" that sugests you've been either lurking here for some time or are using a sock puppet to comment today. For the record I use my real name hear and you might consider why I do and you apparently don't.... Oh and if you look back you will see that my name has been discussed a few times hear as well.

As for your second post you are quite a way off of target. Because I've usually posted about the subject long before, so people can see that I'm actually telling the truth. I'm fairly sure that if I was not telling the truth somebody else would have mentioned it years ago.

You will also find that in the past on this blog I've suggested areas of research for PhD's to have a look at, and the only price I ask if people take up the ideas I blog here is that they give me a mention in the paper and buy Bruce two drinks if and when they meet him. One because he is our host and makes it all possible, the second so he can at his discretion if we ever met up buy me a pint or two in return.

Now why instead of your "WTF" don't you have a Google through this blog and verify that?

You might also find whilst you are at it that I've mentioned my head butting with Mossad before...

Oh and if you want to say more go stick it on the current Friday Squid Page, it's kind of a convention on this blog if you want to go off topic, that's the place to do it.

3, 2, 1...December 8, 2015 3:24 PM

If you posted a recipe that included Jaffa oranges, the thread would instantly be swamped with sayanim hasbarabots. Their exquisite sensitivity to this crucial technology of repression is a reassuring sign of a discredited, illegitimate state that's slowly going under.

Lawrence D’OliveiroDecember 8, 2015 4:11 PM

“estimated to have sold” (my emphasis)

There’s your problem right there. They may have a disproportionate share of proprietary crypto, but what presence do they have in free/libre crypto?

Which do you think we should trust more? (*Cough* RSA *cough*)

Nick PDecember 8, 2015 4:44 PM

@ Shachar

I appreciate your inside view on that. However, I caution you or anyone else against thinking this:

" I suspect there isn't a single case of an Israeli product being backdoored by or for the government. I think everyone involved understand that a single case of being caught will be enough to completely destroy the Israeli high tech industry. This industry is worth more to Israel than any intelligence gained from such an act. "

Israel is one of the top players in espionage and they play it hard. A while back, the British MOD Security Manual was leaked. In it, it warned the top 3 threats against classified information (esp traveling personnel) were Russia, China, and Israel. I'd have thought Japan, France, or some other country we repeatedly busted. But, no, their internal data says Israel is a larger problem in stealing secrets than those. The Israeli spies, esp Mossad, are good but still get caught here and there. The result of those instances & leaked documents like above wasn't Israeli industry imploding as everyone realized they were on a mission of vast theft of I.P. and military secrets. Business, including offshore, continues as usual instead.

So, what of backdoors? They have offensive units and even know esoteric stuff like emanation attacks. They would want to bypass their opponents crypto. They're tight with crypto providers who control a significant chunk of the market. Given their nature, they're almost certainly backdooring high security systems in some way or designing them so it's easy to attack with their capabilities. Whatever they're doing will be deniable, probably looking like a common, implementation error. That's the main strategy of nation-state subversion. So, potentially subverted and in deniable way is the minimal expectation people should have getting crypto from Israeli companies given the circumstances & Israel's history of espionage.

Best case, though, is that they aren't backdooring their stuff because the oligopoly of OS's & hardware people are using have enough 0-days in them already. That's how most of NSA & GCHQ's success came. The pre-requisites haven't changed. (sighs)

999999999December 8, 2015 4:53 PM

@ Clive

I agree. The Israelis are too good at economic espionage. Imagine if the China, Korea, France, Russia, Germany, Japan, Malaysia, Iran, North Korea, UK, Spain, Turkey, Italy, UAE, Saudi Arabia and NIST were that good.
From what I am reading, Israel is a country of contradictions. Everyone knows everyone else's business but they can all keep a secret. It is a tiny country by population but they have an electronic spying operation that can rival Australia, Canada, New Zealand, the United Kingdom, the United States and Google. They have a democracy according to people who live there and a dictatorship according to people who don't. Maybe the NSA should have built the data center in that hole instead of Utah.

It is just one mysterious place. If you have time and the inclination, maybe you can explain what is going on there better than the general media. I will probably trust and understand your explanation (bias included) better than mass media.

I don't blame their MI-6 for wanting to hack your hotel room keys. Or their military for recruiting hackers. But how are the successful? If the weaken all of their crypto products, wouldn't our smart hackers find the weakness and exploit it?
If their crypto sucks then why would anyone want it?
Why make backroom deals on a wink and a handshake if you can just use the dictatorship power to hand out "National Security Letters" like the Americans? Why run the risk that someone will talk?

The Israeli oppressors are swimming in a deep pool with big sharks like GCHQ, China and NSA. I am not surprised they fight dirty.

On a minor tangent here: Why were you concerned that the Israeli MI-6 has access to a hotel card reader/programmer? If the system is designed correctly, then even if you had access to a key, a lock and a programmer, you should not be able to gain access to a suite at the Savoy or even a hostel. If it is that easy to abuse the UniQey system then it will be much easier to steal one from a customer and never pay for a room again.

Back on track: It is about time someone highlighted the injustices that are forced on decent people by the oppressive Israeli omniscient regime.

smsonDecember 8, 2015 5:21 PM

@Clive Robinson - I couldn't care less what your name is. You make broad sweeping accusations of IP theft while pretending to be discretionary by withholding exact names, but after someone calls you on it pretend to disclose some nonsense details that never actually supports the accusations. Just more smoke. Evidently, there really are people who think they can fire a gun out of their bedroom window, then when the police arrive they say "Hey! You can't come in here, it's a private residence!" And the little merry private club garbage... someone gag me with a spoon.

MartyDecember 8, 2015 6:08 PM

@krovopitsiy -

Is that you Vladimir? Old comrade...so, they finally let you out. That's nice.

sitaramDecember 8, 2015 6:13 PM

@shachar

From your website, it looks like rsyncrypto stopped at 2008 (at least from the top "Latest News" entry, not counting "website moved").

I use duplicity for rsync-like (space- and network-efficient) backups. Sure there is a cost in terms of the signature files being stored locally, but storage is cheap. And no "weakening of the actual encryption", as you put it.

(I realise your website has links to several slashdot and related discussions; I am sure this has come up and you already know, but just in case...)

Clive RobinsonDecember 8, 2015 6:16 PM

@ 999999999,

Why were you concerned that the Israeli MI-6 has access to a hotel card reader/programmer?

Well because they have and had a proven track record of kidnaping and killing people for political policy amongst other things. Go look up, Mordechai Vanunu and what happened to him in Italy in 1686, Gerald Bull and how he died in Belgium in 1990 for instance. or more recently Mahmoud Al-Mabhouh in a Dubi hotel in 2010. These are ones for which reasonably firm publicaly available evidence exists for assasination by Mossad. In the later case the 26 person hit team that got caught on camera and are on the Interpol most wanted list. If one incident per decade for the last three decades comes up you have to ask yourself just how many others there have been which have not been made public for various reasons. Especialy when atleast two of the three were designed to send very clear messages (the third probably was as well).

There is a list of drugs going back further than that which are routienly used as a muscle relaxant / paralalising agent in hospital operations, that stop all muscles but the "smooth muscle" heart. Thus without external ventilation you die in a very very painfull minute or so, making it look just like a heart attack and breaking down quite quickly in the body to look like products you would expect to find. These were used in two of the known attacks, so are well known to Mossad. So ask yourself how many people have heart attacks in hotels each year...

As for the lock it's self I don't know how old you are, so I'm assuming you know very little about the computing power of the likes of the early CMOS 8051 microcontroler running on a "watch crystal" 32KHz clock. There are ordinary digital watches with more computing power these days. So there was no crypto or anything like that just a way of encoding a door key against a semi secret number in the front desk unit that wrote a few bytes onto the ABA mag track on a plastic card just like an unembossed credit card.

Yes "security by obscurity", but you did not have the available resources to.do better.

remoDecember 8, 2015 6:18 PM

@Clive

For the record I use my real name hear and you might consider why I do and you apparently don't....

Careful there. You're starting to sound a bit like a certain someone we don't talk about anymore... Next thing you know you'll be demanding that smson link a valid facebook profile.

Joking aside, everyone has the right to contribute with whatever degree of anonymity they prefer.

JacobDecember 8, 2015 6:21 PM

I would like to ask the people here the following question:
If a developer, without known prior credentials, would come up with an open-source crypto product which is useful to you, how would you rate the trustworthiness of the product vis-a-vis the developer's known nationality:

1. American
2. British
3. Israeli
4. Chinese

A comment like "I don't trust crypto from unknown sources" is not acceptable here. To focus your mind, think about Truecrypt.

P.S. I though that posting in this thread as opposed to the squid's one would be acceptable, seeing the comments here about trust in Israeli crypto products.

Clive RobinsonDecember 8, 2015 6:27 PM

@ smson,

Just more smoke.

You have not actually contributed on ioat to this post, and you are exhibiting behaviour similar to that of a person who was baned from this blog not so long ago.

You have been given some quite factual information and told where you can find more to refute your very childish accusations. I suspect you are childishly ignoring it as it will contradict some kind of warped mental image you have built up in a quite disturbing stalking or trollish kind of way.

For your sake and others, this is the last time I will respond to you on this thread.

ThothDecember 8, 2015 6:41 PM

@all
Just to stray a little off topic but still stay relevant, Information Security (including Crypto Security or even high assurance tech even without use of crypto) is considered Strategic Goods and classified as "Possible In Aiding Creation/Proliferation/Deployment of Weapons Of Mass Destruction" category as a Dual-Use Controlled Item. That is the status for an IS systems (including firewalls, HSMs and the likes).

I got the above suggestions of the status of InfoSec systems as Strategic Goods Possible for Aiding WMD manufacturing or deployment while making enquiry to the local Customs and was hoping the information could be used to update the Cryptolaw (www.cryptolaw.org) website.

The suggestion that InfoSec is somewhat related to and classified internationally as an aid directly or indirectly to construction, proliferation or deployment of "WMDs" from my conversation implied by the Customs officials shows that IS technology is a huge playground where spies and nation states are willing to put backdoors into commercial technology and even classify it as "possible aid for... WMDs".

I wonder who had the brilliant idea to drag the entire IS tech category into "possible aid for... WMDs" (the categorisation is too long to type). Backdoors and the likes are common in IS tech due to it's international status.

As absurd as the status of IS tech sounds from the view of the United Nations Security Council (UNSC) and other international arena (according to the Customs official I spoke to), it is a reality with all the sanctions and export/import controls.

@999999999
Technology is an enabler and force multiplier. IS Tech is a special segment which most people blindly trust and anyone being able to control technology to their whims would have effectively "kicked the other person in the butts and hold them by their noses". In simple, you would have controlled people by controlling technology because the current age of people are very reliant on technology.

By stealing the hotel key card technology, whether it is secure or not, they would be able to subvert the product and design as the common saying that all designs have their flaws (no such thing as perfect). With the master keys, they can enter hotel rooms as they want and inflitrate/exflitrate into any room ... stealing trade secrets of others in their laptops left in the hotel rooms (sounds familiar @Clive Robinson ?) and the likes.... even carrying out their assassination missions with greater ease.

There is an ancient Chinese saying that "Thieves become Emperors, The World sinks into Chaos" .... look at the leaders ... selfish ... petty ... beating each other .... dragging their people into unnecessary trouble and bloodshed ... disregarding Human Rights ... banning privacy and secure communications in the name of "Anti-Terror" ...

Who are the real faces sponsoring massive Chaos ? Who are the ones laying out sanctions and creating absurd "rules" ? Who are the ones who use the word "Terrorism" in a bid to profit themselves and bring destruction to others ?

These "Thieves" are now "Emperors" ... what do we expect ??

Nick PDecember 8, 2015 7:03 PM

@ Jacob

If it's OSS & with likely review, then I'd trust it in this not-definitive order:

1. American

2. Israeli

3. British

4. Chinese

Regular screw-ups in the protocol or code are most likely threat for an OSS project. So, I go with quality of educational system plus prior examples of strong crypto or OSS code. American and Israeli have both. Britain has smart cryptographers and engineers with proven examples but not sure of OSS stuff. China is lowest on my list due to stronger espionage, official censorship, and no major OSS crypto that I'm aware of.

danielDecember 8, 2015 7:04 PM

i doubt israeli engages in IP theft. how can you simultaneously have to steal but also be a leader in a field developing your own tech? in contrast, china steals, but thats all they do. they arent a leader in any cutting edge fields all they do is steal.

Nick PDecember 8, 2015 7:19 PM

@ daniel

Best to do both. Then people react just as you did. China both invents and steals. Many countries do. One recent example in Russia that had a high chance of I.P. theft imho was an Itanium-like VLIW processor that was way better than Intel's. I mean, Intel worked really hard to get to where they were at. Then, Russia's team matched that on a budget, with less staff, and in shorter time. And then exceeded it to the point Intel bought them out? More likely they had a head start. ;)

Like China, it's easier for Israel to pull off theft of I.P. or talent because they encourage many top companies to do R&D there. Military research, IBM EDA tools, encryption... you name it are done over there. Really, really, easy to compromise a firm when they're asking for your best people to work on secret stuff. However, Israel's main target is military, high-tech, and financial that I've seen. You'd have to strip hardware and do a detailed analysis to tell if they stole anything. Whereas China doesn't give a crap as can be seen with Huwei's brazen copies.

Clive RobinsonDecember 8, 2015 7:29 PM

@ remo,

Joking aside, everyone has the right to contribute with whatever degree of anonymity they prefer.

You won't hear me argue otherwise.

The point I was trying to make is, that if you like "my name is my brand" and I've a lot invested in it and therefore I stand fair and square behind it. Therefor contrary to the accusation I don't make things up, it would devalue the brand. Thus I find it insulting when someone accuses me of that, when they have very obviously failed to actually make any checks as to the varacity of their accusations...

With regards "he who shall not be named" yup on rereading mine and my accusers comments it did occur to me and it felt and still does de ja viu creepy.

JacobDecember 8, 2015 7:33 PM

@Nick P

Thanks for the detailed response.

However, my intention in posing that question (and I guess I failed to clarify that) was the level of trustworthiness given from the sense of subverting the code either due to the developer ecosystem surrounding him in his country or by his government leaning on him.

Nick PDecember 8, 2015 7:42 PM

@ Jacob

1. China

2. Britain

3. U.S.

With Israel in there somewhere after China. I really don't know enough about them to get specific on what average developer might face in terms of coercion. China reasoning should be obvious. Britain and U.S. are anti-encryption but British have fewer protections. British will also likely roll out anti-encryption legislation faster and broader if they haven't already. So, there's a rough draft. None of these countries are ideal for encryption development but U.S. has been pretty safe so far for people with good image & lawyers. ;)

Dirk PraetDecember 8, 2015 8:06 PM

@ Shachar

I suspect there isn't a single case of an Israeli product being backdoored by or for the government

I do remember persistent rumours about 10 years ago of Checkpoint FW-1 being backdoored by the Mossad.

@ Jacob

If a developer, without known prior credentials, would come up with an open-source crypto product which is useful to you, how would you rate the trustworthiness of the product vis-a-vis the developer's known nationality

I'd go for US or British, preferably developed in and distributed from Iceland or Switserland.

@ Remo

You're starting to sound a bit like a certain someone we don't talk about anymore

Comparing @Clive to Voldemort is a bit of a stretch.

@ sitaram

I use duplicity for rsync-like (space- and network-efficient) backups.

Then you should definitely check out the excellent Horcrux backup/restore script by Chris Poole and Piffio.

@ smson

Go away. This is not how we do discussions on this forum. Try alt.silly.rants instead.


Clive RobinsonDecember 8, 2015 8:36 PM

@ Jacob,

If a developer, without known prior credentials, would come up with an open-source crypto product which is useful to you, how would you rate the trustworthiness of the product vis-a-vis the developer's known nationality:

I Would hope the developers narionality would not influency me one way or the other. As that would be counter productive.

What would interest me much more would be the style of their code, which algorithms they had chosen to use and if they had implemented them in a clear and easily audited way.

What I guess you are really asking is if we see a patern in projects. That is if we saw X projects from country Y what would be our overall view of the countries OS development.

That as they say is a toughie, Ive seen very good code from all the countries on your list. But not unexpectedly more bad code from the US.

Why is this, well it's not realy anything to do with being American, it's all to do with the number of people writting OS code there. There are very many more, that means that unless you normalise against the number of OS developers per country, you kind of expect a larger number of both good and bad projects to originate there.

But I am biased because I like to see and read well commented code.

Which means I tend to prefer,

British, Israeli, US, Chinese.

As the order at a reading the comments level. The problem with US and increasingly British code is the ever increasing spacity of comments.

Comming from a low level code background often the code I see and write is fairly meaningless such is ASM and C writen by ASM heavy coders. Thus the comments are a vital sanity and cross check. As I once said to Nick P my comments often outnumber the code, and it's this sanity/cross check at low level that is the cause.

It's only at higher function levels that the code becomes "self commentating" and I'm light on that sort of code, as I don't tend to write for a high level windowing UI but a CLI one.

I suspect you are also thinking along the lines of how percieved national policy might effect the order. Well I suspect quite a few people have moved their POV a lot on this in recent years.

If the code is inelegantly written and poorly commented, then yes you start getting nagging doubts about what might be hidden in the code. Personaly I try not to let it make a difference but...

The order changes,

British, Israeli, china, US.

Why is US last well it's the poor privacy with the "he who collects it owns it" legislation, that has been apparent with "ET Phone Home" data collection disgused as customer service / technical support / extended features.

China is third because they have targeted organisations I've woked with / for in the past, but if you included France or Russia in the list they would be between China and the US.

If however I was thinking abiut RAT crimeware then then Israel would be first on the list china second. I'm not saying they don't write crimeware, but I've yet to see it head my way. Where as UK and US crimeware I've seen bucket loads off.

I guess my viewpoint is biased as well by "home country" I thing I've seen the best of the good from Britain as well as the best of crimeware... Where as I've genuinely seen the worst of the worst from the US (but thats just how the numbers play out).

To be honest I find it difficult to rank China or Israel because I just don't see that much OS software from them in what I do it's mainly US/UK.

Sorry I cannot be more helpful but the numbers make it difficult.

Clive RobinsonDecember 8, 2015 9:07 PM

@ Daniel,

how can you simultaneously have to steal but also be a leader in a field developing your own tech?

Oh that's explainable in several ways.

Firstly you don't have to be a leader in technology if you are a leader in sales. It's the old "Nobody gets fired for buying IBM" effect.

Secondly, you can be a leader in technology in different fields, such as engines for high performance cars and enginees for fuel efficient trucks.

Thirdly the one France has owned up on years ago and the Americans are strongly suspected of. Research is eye bleedingly painfull at the leading edge. Most of the money is spent on ways of doing things that don't pay off. If you steal only the knowledge of what does not work you've saved 90% of the normal expenditure. Which means in effect you have ten times the money to spend on refining what does work, and investigating minor variations.

Have a look into Dyson and their electric motor design. They know dam well a certain large German company stole their R&D information, but it's trying to prove it to a court that is difficult. The type of proof required is different for different types of IP, and you try explaining to a judge "they stole the information on what did not work"...

FigureitoutDecember 8, 2015 10:00 PM

Jacob
--The nationality doesn't mean as much to me, but working w/in gov't does. So I'd say those working at small startups/companies, or even non-profits, in US being most trustworthy, as we know larger companies admit to helping surveillance and adding in backdoors (Dell being the latest to get caught w/ their pants down), and well, gov't...'nuff said about that. You'll see everyone's nationality playing into the biases as well lol, of course. But also just talking w/ someone helps too, Jacob Appelbaum of Tor recently made a big deal about *no* backdoors in Tor, and I believe him w/o having some concrete proof to support that.

Clive Robinson
But I am biased because I like to see and read well commented code. [..] Which means I tend to prefer, [..] British, Israeli, US, Chinese.
--Lol, can confirm, Chinese coders don't know how to comment, but can hack it up, and fast. And it pisses me off b/c it would save me trips to a datasheet and the logic isn't always clear. Very unpleasant code to read.

Gerard van VoorenDecember 9, 2015 12:35 AM

It is actually quite interesting to see that each time (a subject of) Israel is being criticized, there are people defending the subject or policy. I despise the politics of Israel because is is so ridiculously cruel. And each time (it hasn't come up yet) they put their ace on the table, the holocaust, to justify their actions.

ShacharDecember 9, 2015 1:17 AM

@Dirk Praet

I do remember persistent rumours about 10 years ago of Checkpoint FW-1 being backdoored by the Mossad.

Usually, trying to answer such rumours is very frustrating. Even if people are willing to trust that you are not "in on it", they say, with some level of justification, "but you wouldn't know about if it happened".

This particular rumour, however, is one I do happen to have some inside information about.

Between December 2000 and February 2003 I was employed at Checkpoint. My title was "Security focus team leader". I was in charge of assessing vulnerability reports, making sure that the fix actually does fix them, code reviews etc. A friend once described it as "being in charge of Christianity for the Vatican". I would expect that had such a backdoor existed, that I would have been told about keeping it in.

But I know about the specific rumour not because of that. The reason I know about this specific rumour is because I, as well as anyone else working on FW-1, was warned about its cause right when starting there.

Checkpoint, at the time, was using routable IPs inside the company. Since most of FW-1's code is written in the kernel, debugging was a bit of an issue, often requiring some creative thinking.

Some innocent soul at some point prior to me joining the company had a bright idea how to track a certain piece of the program he was working on. He wrote code that would route information about the code to his desktop computer. The only problem with that technique was that he forgot to take it out once the bug was found and fixed.

The result was that FW-1 machines everywhere were sending (quite useless, I believe) data to that specific developer's desktop.

So, no, as far as I know, Checkpoint FW-1 did not have a backdoor for the Mossad. I believe "as far as I know" carries some weight, at least for the time period I was there. Also, knowing the people involved, I do not believe it carried a backdoor at any other point.

Shachar

SarahDecember 9, 2015 1:41 AM

Bruce,

In addition to the questions I posted above. Why do you use RSA or devices with Intel chips in them? The development of both heavily involved and in the case of the chips still involves Israelis who served in, and regularly give consultation to, the IDF. Do you really have any evidence or suspect these to have a back-door or is it just that the societal pressure in the progressive circles requires an occasional Israel-bashing to prove you're still in? Why not simply take advantage of the timing and go and have a nice chunk of pork for dinner somewhere, wearing a T-shirt with the Greek flag* on it and send a selfie to you-know-who?


*Dear Greek friends, this joke is not about you

GrauhutDecember 9, 2015 2:58 AM

@Shachar "Between December 2000 and February 2003 I was employed at Checkpoint. My title was "Security focus team leader". ... I would expect that had such a backdoor existed, that I would have been told about keeping it in."

Do you have an idea why the Sourcefire - Check Point deal was blocked by CFIUS in 2006?

"Security company Check Point Software Technologies called off its planned $225 million acquisition of intrusion-prevention firm Sourcefire on Thursday, a week before a federal watchdog was scheduled to release a report which insiders say would have blocked the merger on the grounds of national-security interests."

http://www.securityfocus.com/news/11382

ShacharDecember 9, 2015 3:22 AM

@Grauhut

Do you have an idea why the Sourcefire - Check Point deal was blocked by CFIUS in 2006?

Sorry, no idea. Wasn't following at the time.

@Gerard van Vooren

It is actually quite interesting to see that each time (a subject of) Israel is being criticized, there are people defending the subject or policy.

I don't defend "the subject". A lot of the criticism levelled against Israel is driven by pure ignorance. People who derive their information from biased sources come to extreme conclusions that are quite remote from reality. I will immediately also point out that a lot of Israel defenders are no more well informed, resulting in a "discussion" that is quite painful to watch. This is also, likely, why the holocaust is brought in.

Either way, the subject matter here is quite focused, and I think it did well for the discussion. If you'd like to discuss the broader matter, feel free to email me privately, as I do think it is off topic to this thread. I gave my email in my first message on this thread.

Shachar

wink&nodDecember 9, 2015 3:24 AM

@Clive Robinson your comment is "antisemitism" so you have to be polish

wink&nod

ShacharDecember 9, 2015 4:00 AM

@sitaram

From your website, it looks like rsyncrypto stopped at 2008 (at least from the top "Latest News" entry, not counting "website moved").

Sadly, it is true. I moved on to other things, and have very little time for any of my FOSS projects.

I use duplicity for rsync-like (space- and network-efficient) backups. Sure there is a cost in terms of the signature files being stored locally, but storage is cheap. And no "weakening of the actual encryption", as you put it.

I'm not sure what you mean by that. I'm not that familiar with duplicity, and in particular, with its encryption format. I couldn't find anything with a quick search online. Care to provide a link?

Shachar

Clive RobinsonDecember 9, 2015 4:55 AM

@ Wink&nod,

your comment is "antisemitism"

Oh dear, I just wish people would learn the difference between "antisemitism" and having a dislike for some of the unplesant "political practices" by a few senior individuals in the Israeli Government and it's associated entities.

These days it's a sound bite accusation that usually says more about the ill intent of the accuser than it ever does about the accused. The same with "antizionist" and suggesting some one is a "holocaust denier".

That is, it is the modern form of the lowest common denominator tribal crowd mentality that has haunted mankind down the centuries. Which in the past has given rise to such people burning live stock because they belived the animals to be Witches Familiars, lynching parties, and all other manor of injustice nasties.

It is as reasond as the taunting you see by six year olds in school playgrounds the world over. And sadly is often seen in and around US Politics --as transmitted to the rest of the world-- these days to try to "sound bite smear" an opponent in the primal tribal part of peoples brains. Those of lesser abilities it would appear become Internet Trolls.

Sometimes such people grow up and become more enlightened and reasoned, thus feel shame for what they have done in the past. Others don't for various reasons. But I guess that's the way of the few, who for various reasons just can not understand their own failings and resulting ostracism from society.

ShacharDecember 9, 2015 5:09 AM

Oh dear, I just wish people would learn the difference between "antisemitism" and having a dislike for some of the unplesant "political practices" by a few senior individuals in the Israeli Government and it's associated entities.

Hear hear.

People use that word way too easily, and as a means to shut down discussion. I will also point out that I think Clive's position is a little extreme, and in my experience, unjustified. I do not, however, think it is antisemitic.

I will point out that, upon initially reading Wink&nod's remark, I couldn't make up my mind whether it was meant to be ironic. Still can't.

Shachar

ianfDecember 9, 2015 5:16 AM


Not having anything to contribute in this subject of (Israeli or whatever) state cryptography, I stayed above the fray… and then I saw this Gerard van Vooren's offshoot from the topic, who […] “despises the politics of Israel because it is so ridiculously cruel.”

When you're through with your emo outflow, perhaps you'd care to write down a XY-point plan, or a Talking Points memo, outlining the ways in which Israeli policies (rather than "politics") ought to change, so as to make you reappraise their (possibly still, but presumably no longer ridiculous) cruelty. Go ahead, I'm sure the Israelis would like to hear that too, here's your chance.


[…] “each time Israel is being criticized, there are people defending the subject or policy. And each time (it hasn't come up yet) they put their ace on the table, the holocaust, to justify their actions.

From which can only be deduced that, alone among debaters, the Israelis do not have the right to present their opposing views, never mind to criticize the critics. Nice asymmetry that if you can hack it. And you're wrong about that 2nd clause of yours, the so-far absence of "the holocaust argument." You just brought it up in the form of a warning of it soon being brought up—a method not unlike that of pro-spammers selling "anti-viral" botnet installers by cautioning others against rampant viruses. Perhaps we should call this method a Premature Godwin Ejaculation [Sorry, Mike!]

And, btw, your line of "typing not thinking" ties nicely in with that of @ 3, 2, 1... (i.e. Zero), acc. to whom anyone outside Israel[*] who's not foaming at the mouth at mere mention of it (=that's me!), and daring to have an informed opinion of it (=me!), classifies as a hasbara sayan, in effect one of Mossad's countless little voluntary helpers.

    [^*] I'd have written "anyone in diaspora," but that would have shattered the picture, forced Dirk et al to reclassify me as some latter-day Leopold Bloom, rather than rank-and-file Irish…

[I thought the above would suffice, and then I see this…]

999999999: Why were you concerned that the Israeli MI-6 has access to a hotel card reader/programmer?

    Clive Robinson: because they have a proven track record of kidnapping and killing people for political policy [WTF?] amongst other things.

… upon which then Clive brings up

  • Mordechai Vanunu – kidnapped in 1986, convicted, yet surprisingly still alive to be under house arrest and on primetime TV
  • Gerald Bull – ballistics-obsessed engineer assassinated by parties unknown in 1990, potentially a threat to Iran, Saudi Arabia, and Israel. Frederick Forsyth presented a forceful case for the killing being a "wet work" of others than Israel, but he's only a novelist, what does he know, or know better, than Clive doesn't?
  • Mahmoud Al-Mabhouh in Dubaï in 2010. Let's say it was an Israeli extrajudicial killing. On the other hand, the target wasn't just anybody, but one who had a lot to answer for on his conscience. Perhaps the perps should have done an Eichmann-type exfiltration job on him instead, put him in a glass cage for all the world's press to see, while simultaneously thwarting a new intifada in Gaza, killing scores of protesters in the process.

That's it, Clive?… the extent of your otherwise commendable worry for unknown future end-users' privacy due to by "the Israelis" compromised security of your hotel locks? You could see that well into the future already in the 1980s? If so—RESPECT.


[…] muscle relaxant / paralyzing agent in hospital operations that stops all muscles but the "smooth muscle" heart. […] These were used in two of the known attacks, so are well known to Mossad. So ask yourself how many people have heart attacks in hotels each year...

That's a very serious allegation against Israeli Mossad that you're making, which I'll deal with in a separate post that's already under way. On my own all that I can say is that, had there been such quick & guaranteed way to die drugs in circulation, relatively easy to obtain anywhere, the Exit International voluntary euthanasia community centered around Philip Nitschke would have made noises about them. As it is, they do not—so I question your assertion. More to come.

Clive RobinsonDecember 9, 2015 5:59 AM

@ Shachar,

I will also point out that I think Clive's position is a little extreme, and in my experience, unjustified.

Do you know any policemen at the "front line" of dealing with certain asspects of human behaviour, or ER doctors who attend to "the weekend crowd". They might surprise you with their view on the less genteel aspects of life.

I have lived in one of the --supposadly-- nicer parts of London (soon to have more unwanted Heathrow air traffic over it). The residents living there consistently rate it very highly with the result only those with deep pockets can afford to buy homes there. However because they have deep pockets they have private garages and cars, thus rarely put their feet on the pavement outside of the shopping center. I however have always prefered to walk or ride a push bike, and travel on public transport. Thus I get to see what the poorer people do, the street crime, antisocial behaviour and worse.

Thus unlike the motorists I was not overly attached to living there and moved a little way away to a place where there is genuinely less street crime and antisocial behaviour. But as it's got way more green open spaces --that also don't have walls and gates like the Royal parks do-- the people who live here tend to get out and about on foot more, so have a more realistic idea of what the place is realy like, and importantly keep an eye on their neighbors to see they are OK, which also makes it a friendlier place to live, more village than city.

People have different views of people and places based on where when and how they go and what they do. Go into any capital city around the world and speak to a company boss and then the office cleaner, you will get two very different views of what living and working there are like.

I Like to keep my feet on the ground, partly because I once "wore the green" and visited quite a few hot spots in the world. People think I'm crazy when I tell them the only times I've been seriously hurt is within a healthy walking distance from my front door in the leafy green London suburbs where houses cost as much if not more than they do in Tokyo and New York...

That as they say is just the way life pans out, the same applies to how and where people work the industry they are in and who their competitors are and where the marketplace is.

I'm aware I might appear biased to some hence I say up front what my experiences are.

Gerard van VoorenDecember 9, 2015 6:25 AM

@ ianf,

> When you're through with your emo outflow, perhaps you'd care to write down a XY-point
> plan, or a Talking Points memo, outlining the ways in which Israeli policies (rather than
> "politics") ought to change, so as to make you reappraise their (possibly still, but
> presumably no longer ridiculous) cruelty. Go ahead, I'm sure the Israelis would like to
> hear that too, here's your chance.

Are you really so naive to think you can change politics by just creating a new plan? How old are you anyway? We are talking about decades of cruelty and humiliation. At the time of Arafat and Rabin I kinda hoped they could finally make a settlement, but the moment Rabin was killed it became clear that the hate was even within the Israeli people their selves and because of that it would be very hard to deal with.

JacobDecember 9, 2015 6:28 AM

@Clive

Thanks for the detailed response about coders' trustworthiness.

Since you placed US last on your list in regard to possible gov subversion, I wonder if you have any kind of an hesitation/conflict whenever you use your computer, since US code is ingrained in anything you do (be it Windows or Linux with its binary blobs)

ShacharDecember 9, 2015 6:43 AM

@Clive,

I'm at work right now, which is why I haven't sat down to fully analyse your original post. However, I am not only on the front lines, but actually inside the trenches of the Israeli hightech industry. This gives me a different perspective than yours, sure, but assuming it is a less correct perspective is a little condescending on your part.

I'm aware I might appear biased to some hence I say up front what my experiences are.

Allow me to break the bad news for you. You are biased. We all are. It's how humans work. Bruce refers to it as detecting patterns. We form an initial opinion, and then confirmation bias kicks in, and it is hard for us to see the opposing examples. This is doubly true in the type of experiences you describe. How many Israeli companies did not steal from you, did not provide you a back-doored product? Did you stop to count? Did you even notice? In this field, negative examples are inherently much more prominent than positive ones.

Generalizing from them, however, is a mistake. Saying, as I think you did (please do accept my apologies if I misread your comment) that all Israeli innovation is based on stolen technology is completely and utterly unjustified. Not only does it have no basis in the experience from which you draw your conclusions, it is also downright and blatantly incorrect.

Are there Israeli companies that do commercial espionage? I don't know, but it would be naive to assume the answer is "no". Are there Israeli companies who are out to screw their customers? I have personal experience with quite a few. How are those two any different than other countries?

Like I said, when I get home I will read your comment with all of the attention it deserves, and then I will be able to comment it more specifically. Maybe you'll even convince me. Until then, the tone is completely off from what I know.

Shachar

Clive RobinsonDecember 9, 2015 7:13 AM

@ ianf,

Frederick Forsyth

You are kidding me right?

Or do you genuinely not know who he is what his politics are and what he was doing at the time, who his effective boss was and her relationship to Israel at the time?

Perhaps you should ask yourself why Mordechai had to be lured to Rome, he has mentioned it and I can tell you it was more "political sensitivity" than "logistical difficulties".

On my own all that I can say is that, had there been such quick & guaranteed way to die drugs in circulation, relatively easy to obtain anywhere, the Exit International voluntary euthanasia community centered around Philip Nitschke would have made noises about them.

Are you realy that biased that you did not even read what I said about the painfullness of it if you are not externaly ventilated?

Further why not read Mordechai's own words about being injected and the effect it had on him. Or read the published information from the autopsy on Mahmoud?

OK but to give your curiosity something to think on. Go look up the lethal injection the US is supposedly having trouble getting, find out what the LD50 of the primary lethal agent --Potassium Chloride-- is when directly injected in a vein, what it's other medical uses are, how much of it is in a 1Kg tub of "low salt" you can buy off of a supermarket shelf and then find out just how painfull the death is and why, and what common but highly restricted drugs are required first which make the person incapable of injecting the potassium agent.

If you can find out that very common information then, have a look back to the comments on this blog about the Mahmoud murder, in there you will find comments about a common drug (sux) used in surgery, --that the UN consider an absolute essential drug in modern health care-- as a muscle relaxant or paralytic (typically a "lethal injection" consists of barbiturate, paralytic, and potassium solution do you know why?).

Also look up the history of research into the "poison arrow" curare it's active ingredients and analogous, and its problems when used as an anesthetic without the other later required components.

Or if you know an anesthetist go have a chat with them about it and sux and it's related drugs.

Only then would I suggest you think about what you write in reply and it might start with an apology.

Dirk PraetDecember 9, 2015 7:51 AM

@ Shachar

I'm not that familiar with duplicity, and in particular, with its encryption format. I couldn't find anything with a quick search online. Care to provide a link?

http://duplicity.nongnu.org/features.html . It uses GnuPG.

@ Gerard Van Vooren

... but the moment Rabin was killed it became clear that the hate was even within the Israeli people their selves ...

Please do not conflate the Israeli people with the Israeli government. Rabin was killed by an extremist and there's quite some Israelis out there that all but agree with their government's policies, both foreign and domestic.

@ Daniel

I doubt israeli engages in IP theft. how can you simultaneously have to steal but also be a leader in a field developing your own tech?

It's not like it's a mutually exclusive thing. They're actually quite complementary.

@ ianf, @ Clive

On my own all that I can say is that, had there been such quick & guaranteed way to die drugs in circulation, relatively easy to obtain anywhere, the Exit International voluntary euthanasia community centered around Philip Nitschke would have made noises about them.

For suiciders, there's plenty of drugs out there that are relatively easy to obtain (in an illegal way) and will cause a more or less painless death. A heroin OD, for example, will first cause unconsciousness, then respiratory depression and finally cardiac arrest. For assassination purposes however, you will probably require something that's hard(er) to trace, and in general it's these products that not only are harder to acquire but also cause a way more painful death. Think ricin, saxitoxin, tetrodotoxin, polonium and the like ...

dany555December 9, 2015 7:53 AM

Hi,

being in israel a few years and in high tech, I just want to add an insight on Bruce's post :
"Basically, it looks like secret agreements made in smoke-filled rooms, very discreet with no oversight or accountability." with all my respect, you are a bit paranoid (but we are all paranoids in this business).

Yes israel looks technologically and academically advanced, the society and looks very much like western countries like USA, England and such (not talking politics there, more on the way of life).

BUT : on many aspects that need more profound look, it stays a mid-eastern countries that values a lot informal relationship and global disorganization over formal agreements. enter any police/post office and you're in a third world country :-)

it is very typical in Israel that an aspect such as cryptography is well defined with strict rules on licensing and exporting, yet the day to day show how that most restrictions are lousy and value flexibility.

the tight relations between military and academics/commercial worlds, are more in my opinion a way to bring back ROI over the research that military and intelligence information are required to conduct every day to stay on top of a external threats : since they actually do the research, they might as well help the private economy flourish from the results.

999999999December 9, 2015 8:51 AM

@ Clive
Sorry for taking so long but I have a follow on question...

Well because they have and had a proven track record of kidnapping and killing people for political policy amongst other things

What is the problem with that? Most governments have targeted political assassination programs. The only thing UniQey is responsible for is creating a "Security by obscurity" product.
There is an implied chain of trust in hotels. Even if UniQey had strong crypto, rooms can be accessed by bribery of hotel clerks, stealing credentials from cleaning staff or attacking any part of the chain of trust.

I agree with you that Israel fights dirty as a matter of policy. But how it is no different than Russia, China, Facebook, the Vatican, Iran, the NSA and other dictatorships. They are hardly the only state that sponsors technology theft including the Americans and British. Maybe I am too young to understand why anyone cares if Israel backdoors all of it's technology. Or too young to care about yet another middle eastern dictatorship? (there are many of them)
Why is anyone surprised that an oppressive dictatorship is spying on it's own citizens without warrants or due process and weakening the internet backbone if the Americans and British are doing it?


ShacharDecember 9, 2015 9:01 AM

@999999999

I have to wonder about something. While I don't share Clive's disgust from anything Israeli, I also don't get why you get so worked out over it.

So Clive does not want to sell his product to the Israeli spy agency. He thinks this, somehow, makes him an accomplice. Why does that bother you so much?

I could understand a statement (which I often make myself) saying "you have the right not to sell, but I think your reasons are based on misconceptions/incorrect data". It's a totally different argument, and I suspect, would have been accepted differently, than the one you are making.

Shachar

wink&nodDecember 9, 2015 10:13 AM

@Clive

I totally sorry you spent time on my comment.
It is in bad teats anyway.

Thanks for your opinion about that gov practices.


JdLDecember 9, 2015 10:18 AM

I consider any government's attempts to insert its big fat nose into how, or whether, or with what product its citizens encrypt, to be completely illegitimate. I would encourage any individual, and any company, to flout, either openly or clandestinely, any attempts to interfere with their proper freedom in such matters.

Terrorism? Governments are by far the greatest threat to our lives and property. The U.S. government, in particular, is the biggest terrorist organization in the world by a wide margin. People who cower in fear over "Islamists" are looking in the wrong direction.

Dirk PraetDecember 9, 2015 10:40 AM

@ 999999999, @ Shachar, @ Clive

What is the problem with that? Most governments have targeted political assassination programs.

Because it's wrong and against international law.

Maybe I am too young to understand why anyone cares if Israel backdoors all of it's technology. Or too young to care about yet another middle eastern dictatorship? Why is anyone surprised that an oppressive dictatorship is spying on it's own citizens without warrants or due process and weakening the internet backbone if the Americans and British are doing it?

Same answer. Because it's wrong. And by not caring, you're just allowing the wrongs to perpetuate themselves. So I have to join @Shachar in asking: why do you get so worked up about @Clive's stance if by your own admission you don't care about all of this stuff anyway?

Personally, I have no idea (or at least no proof) whether or not Israeli technologies are backdoored, if they are stealing IP etc. But if someone takes offense to Israeli extrajudicial killings, Israeli government policy and/or the way Palistinians are being treated, those are all fairly well documented and IMHO a fair basis to refuse any dealings with said government and corporations having close ties to them. Which in the case of the high tech industry, or at least certain segments thereof, is undoubtedly so.

So I can very well imagine these smoke-filled rooms @Bruce is talking about. The Israeli government and IC would actually be quite stupid not to try and be on the best of terms with certain companies. But which can probably also not be generalised as to each and every one of them. So in the end whether or not you decide to work with or sell to them is a strictly personal decision based on real or perceived ties to a government you don't support, and/or previous experiences in the past you'd rather not repeat.

WaelDecember 9, 2015 11:23 AM

Basically, it looks like secret agreements made in smoke-filled rooms, very discreet with no oversight or accountability.

@sarah,

Is there ANY evidence in the article you mentioned that actually indicates "secret agreements made in smoke-filled rooms"?

Possibly an indirect reference to this:

Team members chain-smoke and main-line coffee, and the atmosphere inside a safe house grows more tense as each hour passes. -- Victor Ostrovsky, By way of deception...

nice chunk of pork for dinner somewhere

What is it with pork and pigs and security?

@Clive Robinson,

I think this is worth a discussion. C-v-P is apparently finished. How about P-v-S instead (pigs vs security?) It comes up often ;)

ianfDecember 9, 2015 11:42 AM


@ Gerard van Vooren “Are you really so naive to think you can change politics by just creating a new plan?

I just wanted to see what you had in mind. Because all that I could hear was someone so full of insight into the ME, with its decades of cruelty and humiliation, that I expected you to have some hum of how to change it for the better. Otherwise your critique of Israel is just pure emo, spilling brain semen onto the Internet.

How old are you anyway?

For the sake of this discussion, let's say I'm 12. How old would you like me to be?

At the time of [Oslo Accords, 1994] I kinda hoped they could finally make a settlement, but… because of [Israeli self-hate] it would be very hard to deal with.

That was 21 years ago, and OF COURSE the then-PLO chairman/ movement/ and the people it represented were but passive pawns of eternally-oppressed Arab fate, who had NOTHING to do with non-progress of the expected progress.


@ Clive Robinson

[…] do you genuinely not know who [Frederick Forsyth] is, what his politics are, and what he was doing at the time, who his effective boss was and her relationship to Israel at the time?

Why would knowing all that be of essence to read an author's narrative of [here] one Gerard Bull's demise. You're an author with another GB narrative. FF's narrative sounds more plausible to me than yours. Perhaps the same amount of peripheral knowledge about you would re-color my opinion, but who can say when neither of us is privy to all the GB background, and all we can do is rely on (at best) secondhand opinions. Unless, that is, YOU ARE privy, and are here spilling the guts, only do it in not enough convincing manner.


why Mordechai had to be lured to Rome… it was more "political sensitivity" than "logistical difficulties".

He fell into a Mossad honey trap, then went to Rome on his dick auto-pilot. And how is Mossad not wishing to tread on its British MI-5 partners' toes suddenly a point of accusation? There's no why other than operational necessity and opportunity.


Are you really that biased that you did not even read what I said about the painfullness of it if you are not externally ventilated?

What particular BIAS(ES) could you be thinking of. As to your description of med intake symptoms: you're talking to someone, probably I'm alone with that in my cohort, who blankly REFUSES to gain wisdom into health matters from (by and large) soap operas… like the Holby City. Practically everyone else that I know is now so familiar with various ordinary, but also exotic, diseases, capable of issuing diagnoses on the flimsiest of symptoms, that I have to wonder what do we still need doctors for. I haven't tried the pills you mentioned, and neither have you. Yet you nevertheless are somewhat of an expert on their effects.

So I won't be reading what you recommended, because at best it'd be a transient insight into matters that I have no big interest in. But also because you seem to equate one-time reading of something with becoming licensed to preach on said matter. Which is not how it works IRL. And I shouldn't have to apologize for sounding a bugle of reason even in the face of enlightened dogmatism.


@ Dirk Praet “there's plenty of illegal drugs out there that are relatively easy to obtain… that will cause a more or less painless death.

"More or less painless" and "illegal" are the keywords that the voluntary euthanasia crowd (not "suiciders," a Catholic term) won't ever touch. People who for one reason or another want to end their lives do not want to risk waking up the next day blind and/or paralyzed, so they'll have to petition the court for assistance, or permission to starve themselves to (a very painful, lengthy) death. Thus only ingestive, proven to work, compounds are of interest (I was going to continue, but then I remembered the motto of Bruce's site, so… another time, another place).

999999999December 9, 2015 11:43 AM

@ Shachar

While I don't share Clive's disgust from anything Israeli, I also don't get why you get so worked out over it.

You are putting words in my mouth that are the exact opposite of what I am saying. I read Clive's posts because I respect his opinions and views. He is a regular contributor here and I am surprised to see him using such strong language and declared bias about an insignificant hole in the ground.
Self Quote:
Or too young to care about yet another middle eastern dictatorship?
If Clive is excited about this subject then maybe I am missing something. To me, the middle east is just a place to avoid just like McDonalds and the lavatory at the train station. I am simply too young to remember a time when the middle east had anything other than dictatorships and war (or the CMOS 8051).

ianfDecember 9, 2015 11:57 AM


@ Shachar can't make up his mind whether Wink&nod's remark was meant to be ironic.

Not ironic, but a sarcastic remark, or, to be more precise, an instance of chauvinistic Polish lampoonist sarcasm.

    Sarcasm as in

    "Clive Robinson speaks unfavourably of the Israelis, \
    hence soon will be accused of anti-Semitism,  \
    just as are all the Poles, \
    so Clive must be Polish"

    (except the expatriate not-quite-friends-with-English-yet Polish git spells it in lowercase as was Clive some unbranded shoe shine). I'm not surprised that neither Israeli Shachar, nor British Clive latched onto it. But I did, who earlier was exposed to it.

wink&nod's one-liner is too short to be usable for any valid semantic conclusion, but, in the context that it was issued, as a response to Clive Robinson's no little anti-Israeli missive earlier in the thread, can but be read as a tongue-in-cheek comment on the Abroad Poles' inability to face the rising specter of their nation being saturated with anti-Semitism (to put it mildly). A specter to which the only response they're collectively capable of is a preëmptive counter-accusation of "anti-Polonism."

Nobody can quite define what that is, but, in general, any mention of Jews in non-hagiographical Polish context is automagically classed as such, as well as criticism of such "defense." Though a conceptual counterweight to anti-Semitism, "anti-Polonism" is also understood to be FAR WORSE than the other, because, though it never killed anyone, it is targeting a whole by and large Innocent and Heroic Christian Polish Nation (capital letters non-optional). [Subtext: anti-Semitism may have (had) some valid causes or justification, but "anti-Polonism" is just unwarranted libel.]

I could go on, but I'll spare you the lecture (e.g. on the Poles collectively waking up in May 2000 with their hand in a chamber pot filled with [historic] Jewish blood), because said wink&nod obviously is a one-post-wonder, unworthy of this much attention (don't be so speedy a Gonzalez the next time, Clive!) FTR, this entire text is a classic sample of "anti-Polonism!"

WaelDecember 9, 2015 12:17 PM

@Gerard van Vooren, [bcc: @ianf]

spilling brain semen onto the Internet.

I think clever-with-words-extraordinaire @ianf just called you a d**khead. I wouldn't let him get away with that ;)

Dirk PraetDecember 9, 2015 12:36 PM

@ ianf

I just wanted to see what you had in mind. Because all that I could hear was someone so full of insight into the ME, with its decades of cruelty and humiliation, that I expected you to have some hum of how to change it for the better.

It's actually very simple. First we find a substitute for oil and level all religious sites in Jerusalem. Then we flood the entire region with millions of Chinese immigrants. Either they take over and restore the peace, or everyone else bands together to get them back out. Can I get my Nobel prize now?

Gerard van VoorenDecember 9, 2015 12:41 PM

@ ianf,

> For the sake of this discussion, let's say I'm 12. How old would you like me to be?

Old enough (as in old and wise) to understand that this question was rhetoric.

@ Wael,

> I think clever-with-words-extraordinaire @ianf just called you a d**khead. I wouldn't let
> him get away with that ;)

What comes out of his hands is mostly shout but the informational value of what is left is average at most. For the sake of reason I will leave it with that.

ianfDecember 9, 2015 2:16 PM


@ 999999999the middle east is just a place to avoid just like McDonalds and the lavatory at the train station.

Don't knock down McDonalds, as in faraway places such outlets often are the only ones with clean toilets! (a Cultural Imperialistic condition of their franchise)

As for the ME, you have the right attitude. 'Tis a sad fact that, unable to find any common ground with its future cooperative and then still Labour Zionist-socialist neighbor (future after the establishment of a "Palestinian Arab" state), the local Arab community's political leaders elected to take their struggle abroad, market themselves as Eternal Victims of Jewish Colonizers, and use terrorism as their weapon. A road from which they know not how to turn back, while the ever more conservative and unforgiving Israelis have grown pretty good at "managing" this problem, rather than "solving it," and then perhaps having to manage a bigger one. Better the devil you know.

So there's now a 6th or so generation of 1948 war refugees who were prevented from settling down and integrating into their host countries for propaganda reasons, and who in the meantime have grown accustomed to the more than sufficient, steady handouts from UNRWA, that has bankrolling them since then. Better the meal and two veg you know.

BTW. I don't speak for the Israelis, but they're are sick and tired of this HOWEVER ONE LOOKS AT IT low intensity Palestine-Israel conflict so dominating the print- and airwaves of the world's media. In fact, some major Euro outlets have in the past few years adopted new "ME de-escalation" policies, and are no longer automatically reporting on every transgression there, all to the chagrin of the propaganda arm of Hamas (mainly; now that Hizbollah is occupied in Syria, and Fatah in the West Bank at least started to clean up its act). Maybe it finally "clicked" somewhere that the 1947 UN resolution called for the establishment of one ("1"), not two ("2") Palestinian Arab states.


ADMINISTRIVIA @ Wael
                                         Tsk, tsk, you know full well that I don't call people names, not less due to my clever-with-words-extraordinariness. It was you who called Gerard d**khead, not me. I just dryly classified his typing not writing in this case as mind masturbation, a legal, though sterile occupation for an adult.

@ Gerald: thank you for the "average informational value (of my posts)." I suppose it is still higher than "emo."

L. W. SmileyDecember 9, 2015 2:42 PM

@ ianf - You're all mentally masturbating. Isn't the topic supposed to be Israeli encryption products, backdoored, secret arrangements between gov and private sector, etc. I think Superfish was a case in point. "Smoke filled rooms" was just a figure of speech, I've got no issues with figures of speech. I've only got a problem with mass surveillance, whoever practices it.

Barak Weichselbaum founded Komodia, Inc. in 2000, following his military service as a programmer in the IDF’s Intelligence Core. A custom solution provider to customers worldwide, Komodia first released its open source TCP/IP library in 2001. Etc. Any more examples come to mind?

SarahDecember 9, 2015 4:57 PM

@L. W. Smiley
>Isn't the topic supposed to be Israeli encryption products, backdoored, secret arrangements between gov and private sector, etc. I think Superfish was a case in point.

You are right that the subject has changed (as often happens in "the progressive sphere" when Israel's name is mentioned) but I think you are incorrect in claiming that Superfish is a case in point. Neither Bruce, nor the paper he mentioned bring any evidence to a government policy of backdooring encryption or other security products in Israel. The fact that the creators of Superfish served in the IDF as programmers means nothing. Almost every single Israeli computer scientist including all Turing award recipients and digital rights and privacy activists, served. Many of these are located somewhere between the moderate to the extreme left and are involved in digital rights or other human rights campaigns, WHILE serving in the reserves.

Now specifically for encryption-technology, my experience is similar to Shachar's, namely, that in practice, the industry and academy are virtually free from government control or sabotage, unlike in the US, Russia, China. It makes sense. Why force defects in security products when you make a nice living of selling them and when you do not have a big enough market share to insert vulnerabilities globally?
So even if some people are cynical and conspirative as Bruce in the matter, or just have an anti-Israeli sentiments like a couple of others here, at least they should give that country the credit of being clever enough to realize what I said.

SarahDecember 9, 2015 5:05 PM

@Wael The pigs were Hanukah-related joke. The point was that if Bruce, after smearing hundreds of cryptographers basically just because they are Israelis, could not or would not answer the questions I posted, then I am free to assume that he simply feels like bashing his own ethnic group in order to feel more righteous* than its other members. I therefore offered some alternative ways to do so.

L. W. SmileyDecember 9, 2015 5:51 PM

@ Sarah - We have to remember that a lack of evidence does not equal innocence. Nor evidence not presented. Spies do what spies do. Here the government prevents cases coming to trial, prevent Constitutional tests, when you can't prove standing (can't prove it, can't prove we surveilled you, no discovery allowed in nat sec matters and reveals are treason) Whose to say how heartbleed or the bash bug came about? Intent there can be plausibly denied, but previous threads discussed the VW emmisions bug and cheating through purposeful bugs in code. Backdoors can operate the same way programming errors for a bribe etc. Can't prove it, but it goes on. Stock and trade in covert dealings.

Dirk PraetDecember 9, 2015 7:05 PM

@ Sarah, @ L.W. Smiley

So even if some people are cynical and conspirative as Bruce in the matter, or just have an anti-Israeli sentiments like a couple of others here ...

I don't see anything cynical or conspirative about @Bruce's comments. The words "secret arrangements" come from the article itself (you may wish to read it), and the picture described is indeed one of unofficial talks and collaboration that everyone can fill in for him or herself. As for the close relations between Israeli entrepreneurs and the country’s defense and intelligence establishment, and how well established they are, this is also pointed out in the article. So if you really need to point your finger at someone, please point it to the article's author.

And do forgive us for going off-topic or some of us for being too critical on Israel. Us unruly mob didn't know other forum rules apply when that specific country is involved.

Nick PDecember 9, 2015 9:16 PM

@ Sarah
(some to Shachar)

You are shilling really hard for Israel here. Nobody, at least not rational, is suggesting that merely being a Jew, a citizen of Israel, or a tech company located there automatically means you're evil or backdooring tech. What we are suggesting is that there's an unusually high risk due to a level of espionage against allies that even the U.S., with its billions in aid & close ties, is calling them out on. Israel's spies are using every technique in the book with a focus, as I predicted & like Clive experienced, on using human infiltrators in diplomatic and business partnerships. More dangerous is the drive for this: independent from and survival against all mindset. That's why they're so much more aggressive than our other allies. Many convictions, some admission by Israel, testimony by former operatives, and existence of Mossad activities over here say this wave of espionage is a *fact* rather than some wild claim or speculation.

So, back to the current topic with that as a necessary backdrop. Israel is survivalist and strong aggressor in theft of secrets. Their worries about various attacks fuel both their hacking and defence groups advances. They already have mass surveillance enabled to unknown degree via Nice's technology. They do offensive warfare with 8200 Unit. Stuxnet and Flame showed us they leverage 0-days mostly as they're backdoors in practice, deniable, and steadily available to those with deep pockets. Targets having encryption and air gapping already implies some methods they'll use with both 0-days and human infiltrator on record. Rest is secret or I haven't heard it from a reliable source. Happened before*.

What is a foreign company with secrets Israel might be after to think about this? Here's a country who is one the one hand trying to bypass all the security to get to the secrets and on the other claiming we can trust their black boxes to protect our secrets. People trained in the hacking groups often end up in those defence companies to top it off. Shachar's claims of not experiencing any widespread coercion or corruption are irrelevant: subversion by skilled personnel, *especially Israeli talent*, would take very few people and in places key for it to happen. No need for management, even project manager, to know about it. Just has to work, preferably last as long as possible, and be deniable or non-damaging to rep if found. Insertion of 0-days, choice of specific firmware/OS combos, side channels... many ways to do this using techniques Israeli researchers have already published in private sector or academia. Oh shit, they're actually leaders in many with cutting-edge attacks periodically published. :O

So, trusting Israeli tech, at least in isolation, is a bad idea if the tech is to protect one's secrets and they might be after them. On the other hand, if the secrets aren't at risk, then Israel's tech is possibly a better choice as their culture means it probably has higher quality on average. It's mostly all low assurance, though, so there will be plenty of 0-days found that they or your enemies can exploit. True for almost everything outside of a few products from defence contractors and private sector which are mostly in U.S., U.K., Australia, & Germany. Hence, might also be subverted with same qualifiers above. ;) So, if subversion is the concern, then open-source stacks with thorough review and high assurance security are all that can begin to accomplish something in current environment.

So, if I.P. worth stealing, all evidence says avoid Israel as much as possible. If one doesn't care or is co-owning with Israeli, then use their tech and talent as they're top notch in this space far as COTS approach goes. One of simplest assessments I've ever done. And driven by evidence of their activities rather than their race, paranoia and so on.

*Note: Same was true of NSA's dragnet pre-Snowden with anything but phone metadata interception being speculation, denied, too damaging to U.S. interests to have ever been done, and conspiracy theory. Thousands kept the secrets across many companies and several countries with only around 4 leakers. Mostly minor stuff we suspected with only 1 leaking big picture & major stuff out of those thousands. No reason to think the handful of subversives in Israeli companies or large number working for military/government ops would be less loyal or effective. I expect more loyalty & effectiveness given that's usually the case for Israel.

JustinDecember 10, 2015 1:14 AM

"How Israel regulates ... anything"

Yes interesting topic and "Why is this important?" -- Bruce has it right.

James Bamford mentioned this in his book, and it shows up in the media from time to time.

http://www.wired.com/2012/04/shady-companies-nsa/
http://www.businessinsider.com/israelis-bugged-the-us-for-the-nsa-2013-6

Two big companies were at some point in time apparently Narus, (which has apparently sold out to Boeing in the meantime,) and Verint.

As far as I know, the U.S. M.I.C. and the Israeli M.I.C. are Siamese twins, and both are riddled with what I see as corruption and graft. I imagine that Ehud Olmert for example would have been neck deep in it, but Israel would never make public anything specific having such strategic intelligence ramifications.

Israel is effectively one of the Five Eyes through a wink and a nod, and its government is very profitably embedded in the whole "intelligence-industrial" part of the M.I.C. Ending the wink-and-nod agreements (effectively sharing intelligence with Israel, "letting" them spy, etc.) would cause massive political upheaval without replacing them with more formalized agreements, but those would face political resistance from another direction.

We (the U.S.) are a lot friendlier to Israel than we let on for the public.

ShacharDecember 10, 2015 1:51 AM

@Nick P

You are shilling really hard for Israel here.

Here's what Wikipedia says a shill is:

A shill, also called a plant or a stooge, is a person who publicly helps or gives credibility to a person or organization without disclosing that they have a close relationship with the person or organization. Shills can carry out their operations in the areas of media, journalism, marketing or other business areas.

So now I'm a lying stooge, am I? I have stated my biases quite clearly, identified with sufficient specificity for you to be able to look up my home address, and am standing behind my statements. The only reason you are accusing me of shilling is because I happen to have different opinions than you.

Nobody, at least not rational, is suggesting that merely being a Jew, a citizen of Israel, or a tech company located there automatically means you're evil or backdooring tech.

Then Clive isn't rational. Jacob went as far as to suggest that, when considering an open source solution, the country of origin is more important than the Bruce's snake oil markers and the fact the author is participating in the same thread available to answer questions. I should add that you seemed quite happy to participate in that charade. Isn't preferring looking at race over more relevant criteria the definition of racism?

Saying nobody does that is contradicted by the evidence from the comments above me.

What we are suggesting is that there's an unusually high risk due to a level of espionage against allies that even the U.S., with its billions in aid & close ties, is calling them out on. Israel's spies are using every technique in the book with a focus, as I predicted & like Clive experienced, on using human infiltrators in diplomatic and business partnerships. More dangerous is the drive for this: independent from and survival against all mindset. That's why they're so much more aggressive than our other allies. Many convictions, some admission by Israel, testimony by former operatives, and existence of Mossad activities over here say this wave of espionage is a *fact* rather than some wild claim or speculation.

Which bears zero relevance to the question of buying Israeli made products, or of whether commercial (and, incredibly, open source) encryption is backdoored.

You are all conflating what spy agencies, any spy agency, would do in order to gain intelligence (which is, in a nutshell, anything) with what level of control they have over commercial products produced in that same country.

So far, the only firewall/router we know might be backdoored is CISCO. Somehow, the old saying got convoluted out of shape. It is still pronounced "Absence of evidence is not evidence of absence", but when used, it actually means "Absence of evidence means presumption of existence".

Shachar

Gerard van VoorenDecember 10, 2015 4:08 AM

@ Shachar,

> So now I'm a lying stooge, am I?

Are you? And if so, would you admit it? The answer of the latter is obviously no. I can't answer the first question and you certainly won't admit it if you are. To be clear, I am not accusing you of anything, just replying your question with my own.

> I have stated my biases quite clearly, identified with sufficient specificity for you to
> be able to look up my home address, and am standing behind my statements.

Uri Geller had an interview with a Dutch reporter a while ago in his house. We all know Uri is cheating yet he never admits it. Lance Armstrong never admitted he did drugs. Rumsfeld lied about Tora Bora. I am quite sure you can visit his house when you have the right credentials for an interview. He will keep on lying to you in your face. And the cryptographers behind Dual_EC_DRBG knew they were cheating as well. With the right credentials you could probably also interview these guys. Will they lie to you?

What I am saying here is that trust is good but verification is better. And in some business sectors lying and cheating is the norm, not the exception, especially in the high risk high gain sector.

SarahDecember 10, 2015 4:14 AM

@Dirk Praet • December 9, 2015 7:05 PM: the close relations between Israeli entrepreneurs and the country’s defense and intelligence establishment. The picture described is indeed one of unofficial talks and collaboration that everyone can fill in for him or herself.


Of course there are close relations, often these are the same people! And this does not mean that they would like to sabotage their own products because even if they did not care about privacy, it would not make sense. In the US, although it is bad and violates the constitution, it does make sense because of the global influence, for example, when it comes to standards (NIST) or companies with a global dominance (CISCO, MICROSOFT).

Here is an example for 'unofficial talks and collaboration'. I have been a digital right activists for many years, trying to fight ignorant politicians or police chiefs who thinks every new surveillance technology is a cool gadget that should be used, no matter what the civil implications. On the other hand, even after I finished my military service I had been giving courses to IDF programmers. The point is that in Israel this does not make me pro-government, pro-backdoor, right or left. So am I EFF or NSA?

Bruce is not only smearing the Israeli industry, but also is wrong about scaling the Israeli-style system. The reason it would not scale in the US is not because it is some kind of a shady unofficial system (there are huge countries with vast shady unofficial systems) but simply because conscription in the US is not universal. When conscription is universal military service or close relations with the intelligence are no longer a pro-government or pro-military markers in the same way that paying taxes isn't a marker for being Socialists.

ShacharDecember 10, 2015 4:39 AM

@Gerard van Vooren

Nick accused me of being a shill for a cause which I have plainly identified as having a bias in favour of. I don't need to prove anything to refute that. All you have to do is look up what a shill is to understand the accusation is wrong.

Shachar

sitaramDecember 10, 2015 4:51 AM

@shachar

duplicity link: http://duplicity.nongnu.org/

The basic idea is that it keeps the rsync meta infomation (rolling checksums etc., I suppose) both locally (in ~/.cache) and in encrypted form on the remote server. When you start a new backup, it first checks if this "signature" info on the local ~/.cache is current, and if so, uses that to generate the diffs, then sends them to the remote after GPG encrypting them. If the local cache is stale or non-existent, it will download the signature files from the remote (that takes some bandwidth, though of course not as much as the full data), then you have to supply the passphrase to decrypt them before the backup will happen.

TLDR: unattended backups are the norm, using whatever ciphers etc., gpg decides to use or you have set it to use.

@Dirk Praet

looks good; I have my own little front-end to duplicity of course but the "horcrux" script looks a lot more generic; thanks for the pointer.

(aside) I wonder if one is sufficient or I need to create 6 of them, plus an unintentional 7th one ;-)

ShacharDecember 10, 2015 5:43 AM

The problem with this approach, and the reason I rejected it, is that you may know what you need to sync as an incremental backup, but the result on the server is the original full + all the incrementals since. You can only reduce your server side disk consumption if you do another full backup, with all of the cost penalties that require.

With the rsyncrypto approach, each backup is plain regular rsync. The resulting file is a self sustained encrypted copy of the latest version of the file, but its bandwidth costs are proportional to the size of the change, not the size of the file. This gives you greater flexibility in deciding when to dump backups. You can dump any snapshot at any time, without risking the integrity of the entire backup.

As far as the state being saved, rsyncrypto's state is smaller, and more importantly, not version dependent. The per file state is a 67 bytes file containing mostly the symmetric key used to encrypt that file. It is, of course, extractable from the encrypted file, where it is encrypted with RSA, but you will probably not keep the original file around.

The version independency makes this mode somewhat more resilient, but otherwise this is substantially the same mode of operation as duplicity.

Shachar

Dirk PraetDecember 10, 2015 10:00 AM

@ Sarah

Bruce is not only smearing the Israeli industry, but also is wrong about scaling the Israeli-style system.

Sarah, Bruce is not smearing either the Israeli industry or its cryptographers. He is only reflecting the picture described in the referenced article.

As to the scaling problem, I doubt that's got anything to do with Israel's compulsory military service, but everything with the size of both the country and its tech industry that make this way of working manageable. It's just like the profiling system you have in place for airport security, and which - however effective - wouldn't scale either in a country like the US.

And this does not mean that they would like to sabotage their own products because even if they did not care about privacy, it would not make sense.

Unless it's your business model, it doesn't make sense to any company. But if a government wanted a backdoor or some other way in, then there are in essence two ways to go about it: you either enforce it through legislation, NSL's and the like, or you take a soft approach by trying to be on the best of terms with the people and the companies behind it, making back-scratching deals whenever the need arises. And which undoubtedly also does happen on occasion, but probably not in as many instances as to warrant an accusation of an entire industry to be in bed with its government. Which neither @Bruce or the article did.

sitaramDecember 10, 2015 10:06 AM

@shachar

> result on the server is the original full + all the incrementals since. You can only reduce your server side disk consumption if you do another full backup, with all of the cost penalties that require.

Yes that is true. I "flush" about once in 6 months.

> With the rsyncrypto approach, each backup is plain regular rsync. The resulting file is a self sustained encrypted copy of the latest version of the file, but its bandwidth costs are proportional to the size of the change, not the size of the file. This gives you greater flexibility in deciding when to dump backups. You can dump any snapshot at any time, without risking the integrity of the entire backup.

I don't understand. The bandwidth costs even in duplicity are proportional to the change, not the full file. But yes, you cannot dump just some snapshots; you need to keep all of them or start from a fresh full backup.

These are prices to pay for not using a weaker algorithm (which is what led me to comment in the first place). The "cost" of that is of course highly subjective, and for some people it may be less than that of the extra storage and the once-in-a-while "flush".

regards
sitaram

Nick PDecember 10, 2015 11:38 AM

@ Shachar

re shill for Israel

The post (and shill remark) was directed at Sarah, not you. Sorry for any confusion. She was painting the discussion as some common, anti-Semite theme while ignoring all legitimate evidence for concerns about espionage from intelligence or security companies. She asked for anything specific that warranted worrying about espionage or subversion in Israel. I provided that. I included a tie-in reference to you as you wanted more specifics and to address your claim about being in the industry for however long meaning something. It doesn't where subversion is concerned. A common misconception about a topic not well-understood and not a reflection on your own skill. My expertise is high security and countering subversion. So, I was adding detail about just how few people need to be involved and how they (including Israel) goes about it when they do. Then, hoping you'd comment on such specific from vantage of your own experience.

And I'm using the de facto definition of shilling as it's commonly used online rather than the technical one from a dictionary of your choosing. In this situation, that would mean selectively pushing points that prop up a certain claim or group while ignoring everything else. That's exactly what we were seeing with her. You are writing from experience in industry with more specific detail and no apparent shilling. Another reason I put your name in parentheses.

re the rest

"Which bears zero relevance to the question of buying Israeli made products, or of whether commercial (and, incredibly, open source) encryption is backdoored."

It bears high relevance. The organizations stealing secrets have a tight relationship with and personnel in the companies manufacturing security gear to protect same secrets. They also sell them to people they intend to spy on. One would have to be really naive to not worry about the risk that something was planted in there or weaknesses (0-days) left in that only they know about. Just consider the opposite claim: Israel is making its opponents and targets as secure as possible from information theft while stealing that information is high priority. Huh?

"You are all conflating what spy agencies, any spy agency, would do in order to gain intelligence (which is, in a nutshell, anything) with what level of control they have over commercial products produced in that same country."

I'm not conflating anything. I'm saying loyal, ideological individuals from Israeli military and spy agencies work on those security tech in prime positions for subversion. The companies and Israel admit as much about flow of personnel. Plus that those agencies have a history, like in my link, of both leaving in 0-days and doing HUMINT via Israeli businesses. Any situation like this, there and also in U.S., means one must assume a high subversion risk due to malicious insider problem. Rather than accusing companies themselves or you, I'm worried about a select few working in them and the processes the company uses to ensure they don't slip in a subversion artifact.

And what I've seen most security companies do makes me default to pessimism on that last part. Countering subversion eats into profit significantly enough that only a few companies do it and they sure don't have all bells and whistles of Checkpoint, etc. So, I doubt the Israeli companies are doing enough counter-subversion work internally to have caught the talented operators they're hiring if they're rogue.

"So far, the only firewall/router we know might be backdoored is CISCO."

Probably the same way the Israeli companies do it. Privileged 0-days, misconfigurations, debug functionality accidentally left in by a developer, EMSEC leaks... the usual. I definitely don't trust Cisco, though, for the same reasons. Most of my arguments apply to them except maybe the government hackers working for them. Don't have data on it. I assume they'd do it voluntarily for money, though, as RSA and telecom carriers did. I advise OpenBSD-based builds for firewalls or routers as 0-days are main attack vector (blackhats and subversion) and OpenBSD has the lowest number of them.

On a related note, does Israel allow ex-NSA and CIA hackers to build tools that manage their critical secrets without source code review or monitoring of their behavior? Do they allow that at all? Or is there a provenance requirement on the code or system? I'm just curious.

ShacharDecember 10, 2015 12:05 PM

@sitaram

These are prices to pay for not using a weaker algorithm (which is what led me to comment in the first place). The "cost" of that is of course highly subjective, and for some people it may be less than that of the extra storage and the once-in-a-while "flush".

Yes. Those are the trade offs you need to consider. If the lesser flexibility is acceptable to you, then, by all means, go with duplicity.

Technically, you should probably go with duplicity anyways. Unlike rsyncrypto, it is:
1. A complete backup solution where rsyncrypto provides only a single component of it, leaving you with filling in the rest
and
2. Maintained, which rsyncrypto no longer is.

When I started out with rsyncrypto, there were no other solutions. A typical ADSL link (at least here in Israel) was 1.5Mb/s downlink, 96kb/s uplink. Dedicating the entire uplink to your backup meant you could transfer 1GB of data in about 24 hours. Some solution had to be found, and rsyncrypto was mine (also, I did not think to save, locally, just the rsync hashes, but being a one man show, I probably wouldn't have reached the finish line had I had to rewrite rsync).

The other thing that was relevant was that rsyncrypto was written as part of an attempt to create a cloud backup service (it wasn't called "the cloud" back in 2004, mind you). As such, features that were meant for easier server side management were important to me. I also planned on adding server side verification that the backup actually took place.

Yes, I do think today rsyncrypto's role is less important. That, and the fact I don't have time to work on FOSS (and what little time I do have is diverted to another FOSS project of mine) mean that rsyncrypto may not be the best option any more. Still, understanding the trade offs is the key to an informed choice, and, as you've seen, I still think rsyncrypto has things it does better.

Shachar

mishehuDecember 10, 2015 12:15 PM

Le sigh. It never ceases to amaze me that it is totally and completely impossible for a random group of people on the Internet to be able to discuss something about Israel without going down the whole Arab-Israeli conflict side of things. It's as if almost everybody outside of Israel thinks that we live & breathe nothing but this subject and otherwise have no lives.

Let's start off the facts: It doesn't matter the country who is the subject of whatever discussion, any one that has technological capabilities is at some time or another trying to do what Israel has been accused of. The issue that some people, myself included, have is that it comes across as if Israel is being unfairly singled out for what other - and almost always - larger and more powerful countries do and do, often worse/greater encompassing.

ShacharDecember 10, 2015 12:29 PM

@Nick P

I'm sorry. Semantics of words tends to be important when dealing with this subject. Israel critics (with or without quotes) tend to use certain words with a meaning that falls outside of their dictionary meaning, harnessing the added gravity of these words vs. the correct words for their semantic connotation. Arguing this subject quite a lot, I developed a sensitivity to the subject.

It bears high relevance. The organizations stealing secrets have a tight relationship with and personnel in the companies manufacturing security gear to protect same secrets. They also sell them to people they intend to spy on.

Now, that's an accusation that requires more than you've given. I completely understand why it would seem like that to someone not immersed in the culture, but it is simply not as much a given as you think it is. I can offer you no "proof" but my own testimony, but despite the fact that it seems obvious to you, it simply doesn't work that way.

In fact, the exact opposite is sometimes true. A friend who is in one of those military units tried to bring me in as an outside consultant. When I mentioned I am no longer as active in the security field, he explained they view that as an advantage. All too often, people working for security companies and doing reserve duty in such units were "leaking" information about the attacks, resulting in the security products blocking them. That happened often enough for that specific unit to prefer working with programmers whose day job is not security related.

Another misconception I saw in this thread had to do with comparing the NSA to 8200. Israel has three intelligence divisions. The Mossad, doing traditional spying and black ops, the Shabaq, in charge with internal espionage and fighting terrorist (both Arab and Jewish), and the IDF's intelligence corps (of which 8200 is a unit), which is more aimed at cyber intelligence and ELINT.

The thing people don't get is that both Mossad and the IDF has zero jurisdiction on Israeli citizens. The Mossad can come to a company and request back door access, but they have zero recourse if they are kicked out the door. The only organization with any internal authority is the Shabaq, and they have the same authority as the police (in fact, if I remember the news article correctly, they carry a police ID).

Israel does not have a secret court. It does have a martial court, with jurisdiction that is far too wide, but does not cover the cases discussed here.

Which is why these allegations simply don't pass the sniff test to anyone familiar with the scene. Clive described a run in he had with a Mossad shell (shill? :-) company. While I have zero experience with this, his story passes my sniff test. I can totally see Mossad behaving the way he describes them. These allegation do not. They simply do not ring true.

Re: your examples. I'm sorry, it has been a long thread, and it came while I'm at an extremely busy at work. I missed your link.

Re: being suspicious. Yes, I can completely see why you would be. With that said, I believe it is less of a problem than you think it is.

Shachar

Nick PDecember 10, 2015 12:49 PM

@ Shachar

"tend to use certain words with a meaning that falls outside of their dictionary meaning, harnessing the added gravity of these words vs. the correct words for their semantic connotation. Arguing this subject quite a lot, I developed a sensitivity to the subject."

I figured it was a miscommunication and you were reacting as attacked. Quite understandable. Hence, me just explaining it and not trying to pick a fight. ;)

" I can offer you no "proof" but my own testimony, but despite the fact that it seems obvious to you, it simply doesn't work that way. In fact, the exact opposite is sometimes true"

Good to know there's counter-trends at work. I was hoping for and expecting that.

"The thing people don't get is that both Mossad and the IDF has zero jurisdiction on Israeli citizens. The Mossad can come to a company and request back door access, but they have zero recourse if they are kicked out the door. The only organization with any internal authority is the Shabaq, and they have the same authority as the police (in fact, if I remember the news article correctly, they carry a police ID)."

"Israel does not have a secret court. It does have a martial court, with jurisdiction that is far too wide, but does not cover the cases discussed here."

I was really wondering about that. Thanks for the enlightening details. That at least gives a standing for resistance for those operating there. The remaining question would be odds of coercion in any way by those if one's security product started becoming a problem for Israeli military or intelligence. That's an unknown to me as an outsider.

Here in America, they can harass people with FBI and IRS for other reasons they make up on a whim due to broad laws. They never say what the actual issue (eg subversion) was or try that in court. They also can do asset seizure. So, is there any precedent in Israel for companies or individuals pissing off the government getting such treatment like unwarranted prosecution or asset seizures?

"Clive described a run in he had with a Mossad shell (shill? :-) company. While I have zero experience with this, his story passes my sniff test. I can totally see Mossad behaving the way he describes them."

See: I knew you weren't a shill. That's entirely too fair a statement to make. ;)

"Re: being suspicious. Yes, I can completely see why you would be. With that said, I believe it is less of a problem than you think it is."

Appreciate you sharing your perspective on that. Especially the clarification on police/intelligence agencies legal situation.

@ mishehu

That is a sad part of many online discussions on this topic. I'm trying to stick to the facts of subversion risk but shaking my head at some of what I see. Far as this, though:

"The issue that some people, myself included, have is that it comes across as if Israel is being unfairly singled out for what other - and almost always - larger and more powerful countries do and do, often worse/greater encompassing."

Might be true where you frequent. Interestingly, it's the opposite in my country (U.S.). The media hardly says anything when Israel does something messed up or Jewish lobbyists push for something. If it's Arab or Muslim? They're all over it and might be for weeks at a time. Bruce himself rarely writes about them IIRC. This is probably the only time I've written on them this year. They're not being singled out at least here and rarely get so in America outside of small number of anti-semite forums/sites. It's just their turn to be part of a discussion of "nation X and encryption-related activities."

The U.S., U.K, and Germany get the most flak here. Mostly from Americans, British, and Germans, too. ;)

Nick PDecember 10, 2015 1:22 PM

@ Shachar

Quick thing popped into mind: do you have a list of Israeli companies or websites on high assurance security? I often post interesting examples of high security products with rigorous engineering to eliminate most risks. Examples in the U.S. & U.K.: separation kernels (eg INTEGRITY-178B); Type 1 encryptors (eg General Dynamics TACLANE); network guards (eg XTS-400); TEMPEST gear; secure CPU's (eg AAMP7G). The real deal type of security products.

I either didn't have or lost my Israeli references other than HighSec Labs KVM switches and peripheral protection. Be interesting to know what Israel's best stuff can do right now.

ShacharDecember 10, 2015 3:10 PM

@Nick P

I was really wondering about that. Thanks for the enlightening details. That at least gives a standing for resistance for those operating there. The remaining question would be odds of coercion in any way by those if one's security product started becoming a problem for Israeli military or intelligence. That's an unknown to me as an outsider.

Nothing but my common sense here, but here's what I think. So far, there have been quite a few stories about people claiming, with or without justification, that the institution is out to get them. None were for this particular reason. The interesting thing about those stories is that you do hear about them. They are carried both by the unofficial media (blogs, Facebook, etc.) and by the more official media.

A while back there were stories about "prisoner X". A prisoner being held in prison without anyone knowing who he was. These stories made front page in the media. By its nature, the true story about those stories tend to come out eventually.

The military censor occasionally takes out a super injunction. These are injunctions prohibiting not only disclosing a certain piece of information, but also of disclosing the fact the information is being censored. Invariably, you hear about it because blogs covering media tend to say that they cannot talk about something, and they cannot talk about what they cannot talk about (I guess they should take out a super super injunction). When that happens you know you need to start searching overseas blogs to know what's going on.

When I was in the military (I was in the air force), our unit had a pretty serious accident where a soldier died. We were told there is an injunction against talking about it. The next day I open the paper, and the front page has the story. After blinking, I noticed it did not actually run the story. Instead, it ran two stories, both technically untrue, that if read one after the gave the story.

After one of the super injunctions was, again, ignored by Facebook users, the military censor was asked why she didn't prosecute those who violated it. I don't remember her exact words, but the gist of it was an acknowledgement that the genie is out of the bottle, and she intends to leave it at that.

When such is the culture you live in, the idea that companies are being leaned on on a regular basis and you don't know about it seems ludicrous.

So I don't know anything for a fact, but I would be mightily surprised if it happened. Any deliberate back doors you find in Israeli products are, in all likelihood, because the company producing them are douche bag assholes, not because the Israeli government made them do it (see the superfish example from above).

Re your comments to misheu (Hebrew for "someone", BTW)

The way I understand it, there are societies where Israel is a saint that can do no wrong. Then there are societies where Israel is the worst thing that happened in the 20th century. In case I wasn't clear about it, I think both claims are utter bullshit.

Israel is a country. Like all other countries in the world, it is composed of people with radically different opinions and world views, which makes it a complex place to categorize in a single sentence. Some of its actions are heroic. Some are worthy of all the contempt you can master. Its objective circumstances are more complex than, I think, any other democracy, making it easy for people looking for either horrific and heroic acts done by it to find what they are looking for.

From the outside, it seems like the conservative (read: fox news) media has obvious pro Israeli bias, while the liberal media has a slight anti-Israeli bias. The Universities, if I am to commit the heinous act of generalization, have a deep anti-Israeli bias.

All in all, I think the Israeli speakers are not doing a good enough job, and I think a lot of it is because they don't understand the very different perspective that living close to the conflict gives you. Many of them say things that make perfect sense to the average Israeli, but to the average American sound like irrelevancies, blaming the victim or insisting on technicalities.

Shachar

P.S.
<blockquote>If you surround quotes with these tags</blockquote>

then you will get text that looks like this

I believe many will find your quotes easier to distinguish this way.

Clive RobinsonDecember 10, 2015 8:54 PM

@ Shachar,

Israel is a country. Like all other countries in the world, it is composed of people with radically different opinions and world views, which makes it a complex place to categorize in a single sentence.

WHilst Israel is a country it has it's own unique issues from within and without. Whilst I know it has changed a lot since I did occasional Petro-Chemical work there back in the 80's somethings don't change or if they do they change slowely.

Israel is a new country in a region of not quite as new countries. However it's natural resources are significantly less than many of it's neighbours in the region.

For various reasons that are way to complex for even a series of blog posts Israel finds it's self at odds with it's neighbours, which has given rise to the "perpetual war footing" problem you elude to.

As the US are starting to find out the perpetual war footing is not good for the average psyche. Amongst other things it tends to magnify and polarize peoples sense of alertness and situational awareness way beyond the norm. Whilst it may appear "normal" because everybody is experiencing it it does cause social issues.

One of which is "Nationalism" historicaly whilst a degree of nationalism gives rise to common goal patriotism which moves a country forward socialy, beyond tribalism, in an enlightened way, to much nationalism / patriotism can be distinctly harmfull. Have a look at post revolution France, it was in effect a new country --the guillotine had effectivly removed the old order-- with a lack of natural resources, the result was distinctly unpleasant. But it was the fire that eventually forged the nation as rational enlightenment finaly started to get the better of the unpleasantness.

The downside was the length of time the unplesentness went unxhecked. History shows nationalism quickly gave rise to the tyrany of "might is right" and the strong tribalism of "with us or against us" mixed in with the blind loyalty to the cause that gives the "my country right or wrong" attitude that together excuse all manner of evils under the mindless "for the common good".

The US's saving grace untill recently was that it was effectivly issolated with an excess of natural resources. However things went wrong politically, in 1812, when for various reasons the Americans decided to go to war with there close relatives in what is now Canada. The reasons sighted are many but boild down to oportunism whilst Britain and France, and much of other european nations were fighting the Napoleonic wars that started over access to resources. Shortly after the Napoleonic wars ended Britain invaded America to regain what had been lost neither side had the stomach for more hostilities and a truce was quickly agreed. However the conflict forged the new nation of Canada, that was mainly populated by close family members of Americans they now saw cousins and even parents in the south as the enemy and forged stronger alliances with both Britain and France. Thus the Americans were for a short while issolated. Thus not much changed for eight years or so for a short, then oil was discoverd in Texas, the north of America became much more industrialsed, whilst political power went south due to Texas Oil Wealth. Then the First World War painfully intruded into the American splended isolation and served to significantly strengthen the isolation almost immediately after hostilities ceased. Unfortunately various unplesant things happened and just as some semblance of normality returned in the early 1930's the after effects of WWI caused europe to start conflicts again, and europe knocked on rhe US door once more. The result was again a decimated europe, middle east and many other areas of the world. With the ceasation of hostilites American politicians tried to return to the splendid issolation and the vastly increased wealth and industrialisation that had spread it amongst the populous. However there was a determination that two wars in such a short period of time ment that the US it's self was under threat, two things of note happened the War Hawks gained the upper hand and the Marshal plan was devised to put wealth back into europe to try and stabalise it. However Russia had effectivly anexed Eastern Europe with the iron fist of it's military. The grounds for the cold war had started and the likes of NATO kept the US war hawks in the ascendant as well as their supporting industrial base. Business was good. However in the Middle East things were a mess, Britain had effectivly become responsible for much of it one way or another, and due to being worn down, bankrupt and desperatly dependent on foreign aid opportunities to bring stability to the centries old unrest in the region were lost. One of the main portends of doom for the region were the national borders crossing what were in effect tribal regions. An idea for the controling of an Empire originating from the likes of Cecil Rhodes. The underlying reason that made the Rhodes idea work was by limiting the supply of weapons to the minority it made them control the majority, whilst simultaneously making the minority compleatly dependent on the likes of Rhodes, who in effect ended up controling a whole continent and exploited it for it's resources. The problem with WWII is it left weapons in the hands of not just dependent minorities but also with the majorities and civil unrest quite unsuprisibgly followed. Britain bowed out under US preasure and the US adopted the same arns suppky trick that Rhodes and co had develiped long before. However the civil unrest only ceased under strong dictators who were propped up by the US and Russia and a series of proxie wars started.

Israel was on the edge of this mess and became propped up militarily by the US for a whole host of reasons.

As you can appreciate this was not ideal conditions to start a new country, especialy one with limited natural resources compared to some of it's belligerent neighbours.

To put it bluntly for a third of a century Israel could not have survived without assistance. It's only with a change of what is wanted in the world over the past quater century that increasingly favours the utilisation of human intelligence over natural resources that Israel has been able to get it's self to the point where it's dependance on assistance is nolonger the only way it can survive.

Unfortunatly Israel is in a, bit of a hole and suffers not unexpectedly from "bunker fever", and it is this odd form of nationalism that is currently holding Israel back, along with the sunk cost of military expenditure. It's in danger of either dropping back to dependence or following a path of much more extream nationalism with all the issues that involves. As many point out politicaly Israel is unstable, due to deals done to form governments, to much power has often ended up with minority political parties some with far from main stream political norms, thus it's not realy a democracy. Unless this political boil is lanced, Israel is going to hang in some strange limbo untill the internal tensions cause a major fault to occur. What Israel needs is three or four generations of real peace so that both the extream parties and the perceived need for them die out, and the majority voice for a normal democratic process gets it's way. Unfortunately like everbody else I have no idea as to how to get the peace, there is to much power and money involved from extreamist of all creeds over the middle east. Thus Israel gets stuck in a hypervigilant state, which is actually a real public health issue.

But as with France immediately post revolution comes the ills of excessive patriotic zeal over common sense in the name of "the greater good".

I've seen fairly close up in the UK how intelligence agencies recruit businessmen and journalists into amature spy activities. Have a look for instance at Matrix-Churchill, they were recruited by MI6 officers to spy on Iraq, thus things like export guarantees and permits were facilitated or nodded through. Where it went wrong and all came to light was that an independent government agency (HM Custom and excise) that had significant prosecution powers, were not in the loop and tried to prosecute senior members of Matrix-Churchill, who were thus "hung out to dry". They tried to get the Judge to order the release of papers for their defence. Various Government ministers signed on the dotted line to prevent this it was only Michael Hesiltine that "did the honarable thing" and thus the papers effectivly exonorating the men came out into the light. It scared the cr4p out of me as I was designing a jaming device for another UK organisation that I suspected was again going to get waved through export proceadures etc so amature spys could gather intel on another Middle east country. I've wised up quite a lot since the mid eighties but you find out indirectly it's still going on. I've mentioned before on this blog that a UK company called Datong that designed kits for the amateur radio market got hoodwinked into designing a high energy very fast rise time generator through a foreign company, that apparently would have ended up in another Middle East country.

You have to ask yourself how these amateur spys were recruited (Frederick Forsyth who ianf mentiond was one) and why. At the bottom you find it was done via an apeal to their patriotism, and the easing of restrictions on exports or being pointed in the direction of a lucrative contraxt. I'am aware that even highly confidential stock market information was used to pay ex-military "contractors" so that full deniability was assured. The only question you have to consider was how the likes of MI6 got there hands on such confidential stock market information, sufficiently in advance that a contractor could benifit from it, I don't know but I can make guesses. The simplist is "insider trading" which these days is considered a criminal act by all involved in it...

As you indicated, countries do want to protect themselves via intelligence gathering. My guess is it is done in many countries in an almost identical manner to the UK, it's just the exact mechanism that differs.


ShacharDecember 11, 2015 5:43 AM

@Clive

I'm not sure I've managed to to follow your comment through to its point. Please forgive me if I'm missing it.

But as with France immediately post revolution comes the ills of excessive patriotic zeal over common sense in the name of "the greater good".

I've seen fairly close up in the UK how intelligence agencies recruit businessmen and journalists into amature spy activities.

I think that is the heart of your argument. Unfortunately, it is based on extrapolation. You claim that what happens in Britain is what's happening in Israel. I don't think it is.

I'm not trusting myself to call out the reasons, but I'll give my insights.

I think the main reason for the difference between how Israel is handling the terrorist threat vs. other democracies can be boiled down to one word: experience. The US has been able to disregard the terrorist threat as negligent until 2001. Most European countries are only now waking up to that threat now. The only exception being the UK, that went through a wave of terror for some years with the Irish resistance, but I don't know enough about what's going on there to have an informed opinion.

In direct contradiction to that, Israel, and the Jewish establishment in Palestine before that, has been handling terror attacks for close to a century now. When I look at the way the US has responded to 9/11, and the way France is reacting to the recent attacks, I see mostly panic reaction.

Israel has been through those stages. When Israel was formed, the Arab population was put under military regime for several years. Unlike today, where the military regime is for territories official Israel is not laying permanent claim to, the military regime I'm talking about was applied to Israeli citizens. I don't think it went as bad as what the US did to the Japanese citizens in WWII, but it wasn't pleasant either.

I'm glad to say we grew out of it. Over time we learned, and are still learning, how to live with a large population that is largely sympathetic to your expressed enemy, while giving them the maximal rights that citizens deserve. It's a trial and error process, but by and large, I think we're getting better over time.

The point I'm driving at is that it is wrong to assume that what happens in the UK is, by necessity what's happening in Israel.

Re political instability. Please remember the neighbourhood we're talking about. Egypt recently had a military coupe. Strike that. They had two. Syria is still having one. In Lebanon, booby-trapped cars are the accepted way to show discontent with your political rivals. These are three of Israel's four neighbours.

Israel's trouble at getting their coalition are mild in comparison. It is true that this gives more power than I'm comfortable with to people that are too extreme for my taste, but it will not do to blow that out of proportions. If you look at the actual acts people complain about, these are mostly either politicians opening their mouths and putting their foot in it, or submitting law proposals, getting public flaking, and retracting them. All in all, the system doesn't work well, but it is very far from being as broken as people think it is.

Shachar

FM RadioDecember 11, 2015 9:25 AM

To start with:

"antisemitism" is a broad and misguiding accusation. Semitic tribes include the Arabs as well.

Whenever someone mentions somewhere something about Israeli affairs, someone will play the antisemitism card and how unfair criticism against Israel is.

On the topic:

Intel processors have various forms of embedded spyware these days. Does anyone remember how it all started with the Centrino platform that was developed in Israel?

Nick PDecember 11, 2015 11:46 AM

@ Shachar

re subversion and media

Really interesting stuff. Thanks for sharing it.

re Israel perception

Hebrew for "someone", BTW

Here I was guessing it was a common name lol... Is that your equivalent for anonymous/anon or do you have another word for that?

Israel is a country. Like all other countries in the world, it is composed of people with radically different opinions and world views, which makes it a complex place to categorize in a single sentence.

That line on down I agree with. You wrote up a good assessment. I agree that they're a country full of different people and views. I've tried to maintain that view myself despite all the biased media. Just hard as I have very little to go on outside non-Irsaeli's write-ups on Israeli activities or Israeli write-ups whose bias/goals are unknown to me. I agree some PR is in order. Probably a combination of objective stuff with first-hand articles representing how the various perspectives form.

Note: The blockquotes do look better. Thanks for reminding me about that.

re high assurance in Israel

I asked here with examples if you have a link to a list of companies doing high security tech in Israel. I try to be fair and reference non-U.S. tech where possible. Do you have an English list that includes those companies?

ShacharDecember 11, 2015 1:27 PM

Here I was guessing it was a common name lol... Is that your equivalent for anonymous/anon or do you have another word for that?

It's close, I guess. There is no standard way.

I asked here with examples if you have a link to a list of companies doing high security tech in Israel.

Yes. Sorry. I'm a bit out of touch, so I cannot help you beyond what Google can. Sorry.

Shachar

ShacharDecember 11, 2015 1:30 PM

Here I was guessing it was a common name lol... Is that your equivalent for anonymous/anon or do you have another word for that?

It's close, I guess. There is no standard way.

The literal translation of "anonymous" is אלמוני (Almoni). Tel Aviv has "Almoni alley", which is named after a land owner who wanted to name the place after himself, but the mayor of the time did not like him.

I asked here with examples if you have a link to a list of companies doing high security tech in Israel.

Yes. Sorry. I'm a bit out of touch, so I cannot help you beyond what Google can. Sorry.

Shachar

antebellumDecember 11, 2015 2:48 PM

@Bruce:

...companies in Israel, a country comprising less than 0.11% of the world's population, are estimated to have sold 10% ($6 billion out of $60 billion) of global encryption and cyber technologies for 2014.

hmm yea there are probably other factors at play as well, factors not mentioned in that essay that Bruce read. Such as that smaller countries often provide "benefits" to their citizens (e.g. free uni education) that allow a larger fraction of the citizenry to be engaged in some specific science or technology. Or the country may feel a need to invest into a specific technology because they think it's necessary for their survival.

Also it made me think of how some countries are more represented in some field than others. Like Sweden and globally known pop-groups. Once a country gets enough connections in some industry it could be that it passes some threshold after which it's easier for that country to get more business in that industry.

Sort of like how people who want to be in acting might try to move somewhere near Hollywood and the acting business in that region then fuels its own self (more willing actors > more movie producers > more willing actors > etc)

(And probably shouldn't say this but things like the fact that Jews are a specially protected part of humanity in countries like USA might help too.)

mishehuDecember 11, 2015 4:31 PM

I was aiming more for "incognito" than "anonymous", so I chose "mishehu". :-)

I apologize if I'm not remembering who to address what to, as I'm taking a fiver from my normal work. :-)

@Clive - If I'm reading this correctly, you are from Britain. Israel's Knesset shares the parliamentary system in common with Britain, though Britain has two houses. I don't think that it would really make much sense to have two houses of the Knesset due to the size. Does the British Parliament not suffer from similar weaknesses where in order to form coalitions, sometimes fringed political groups get a bit more power than they deserve? On the flipside, I almost prefer that to what exists in the USA - a party of John Jackson and a part of Jack Johnson. (Or, if you prefer, a choice between a "turd sandwich and a douchebag".) While we in general have a heightened awareness - a code orange mindset if you will - we take it very well in stride. We also do know how to not be paranoid of everybody, though at least on a personal level I'd say that it can be a little harder to implicitly trust somebody of Arab decent given the circumstances and the history without that trust being earned (and I'm not at all surprised if that feeling goes the other way too).

To whoever made the comment about the news media in the USA - in general, the news media in the USA tends to be biased towards the Palestinians regardless of the true nature of what they are reporting on. The exception is [regrettably imo] Fox News. And I agree with Shachar's assessments with how things perceive to us being close to the situation and how it seems to people so far removed watching about it on their TV screens.

In general, the establishment has had to soften itself a bit over the past decades because it too realizes that controlling information is much more difficult due to the Internet. And often times disinformation ends up filling the gap. Admittedly I've been gone from home for a while so I don't have any first hand knowledge about the rate of invocation of super injunctions now as compared to say around the time of Rabin's assassination compared to prior decades.

Based upon Shachar's description and my own friends and contacts in the industry, the process regarding encryption is more of just a typical Israeli love of bureaucracy. :-)

Clive RobinsonDecember 12, 2015 3:57 AM

@ Sarchar,

You claim that what happens in Britain is what's happening in Israel. I don't think it is.

You've got the logic inverted.

What I am pointing out is that it is something that happens every where when the conditions are right. History shows it takes a very strong ethos and culture to stop it happening, and it has to be one where everybody shares it equally. Sadly few if any historical examples show it scaling beyond quite a small issolated group size.

I specificaly mentioned Briton because I'm British and did not want to be accused of bias. However I can pick almost any country where the records are sufficiently open and show it exists there.

The reason I picked the example of France post-revolutuon is the one most frequently availavle for all people to read about in sufficient depth. The example of communism in Russia and other places gives another (and yes I know the Birth Place of Communism was the reading room in the British Library as was). Then there are examples from the US via anti-american behaviour, whilst the list is not endless it certainly feels like it.

I can not say for certain but it appears to be a failing of hierarchical systems beyond a very small size. The most obvious example that most can see in their daily bewspapers is lobyists trying one way or another to pervert the political process as politicos feather their nests at the citizens expense.

If you want a bang upto date example go over to Paris and the Global Warming summit. It is a ridiculous circus on the surface with very real and poisonous behaviour underneath. The one that is most poisonous this time is from the US, where they are trying to push immunity from prosecution for the very corporarions responsible for much of the toxic dumping, environmentaly dangerous work practices and green house emissions. Whilst also ensuring that these very same corporations can sue countries for ever more if a country tries passing legislation that stops the corps from doing as they please to s4it on another countries door step.

Thus I doubt Israel or any other country is small enough not to have suffered from and still suffer these problems, you would have to provide fairly strong evidence to sgow this because of the basic "sneakyness" of the parties involved.

Have a read through Bruces's book that shows the Hawk and Dove model, admittedly it only goes as far as some of the first order responses to such stimulus but it will give you a starting point to think further.

Clive RobinsonDecember 12, 2015 6:34 AM

@ mishehu,

I don't think that it would really make much sense to have two houses of the Knesset due to the size.

It has nothing to do with the nations size, and way to many forget that here as well.

The lords history predates parliament by a very long way, and long before it was called the lords. It derives from first advising to then devolving power from the monarch. We still have the advising function as the Privy Council seperate to the Lords with such titles as "Groom of the stool" still hanging around to amuse school children. What became the Lords started off if you want to put the pin in history somewhere with King John sucumbing to the English Barons with the signing of the Grand Chart (Magna Carta). Though that was annuled by the Pope as soon as John could get a message to him and back. In essence the "landed gentry" ran everything by grinding the surfs etc into the ground, something that realy came to a head with the Irish Potato Famine and nearly happened again with the Scotish Potato Famine and the Raising of the Highlands by the English, the slautering of nearly five hundred emancipated slaves who had had warrants served on them for not wishing to be worked to death by English Land holders who discovered that emancipation did not mean cheap labour for their sugar cain plantations any more and wanted back to the old ways.

Thus in theory the Lords was the house looking after the interests of the Landed Gentry with Parliment looking after the interests of the commoner citizens. It's greatest days were under Queen Victoria where you could with sufficient wealth get a Lordship, so the representation went from Land to Comerce which still has interests via arms manufactures etc. But two world wars and the loss of an expensive empire later, with women finally with the vote, the nature and charecteristics of the Lords has changed. It is now more a revising house where longterm peers who have specialised try --but often fail-- to pull back the behaviour of Parliment or slow it down untill common sense prevails to that the majority of people would probavly want. The trouble is there are few good politicians in Parliment these days with a "Make it so" mentality which causes worse abuses than Monarchs of old.

So if you ask me if any nation needs a "revising house" the answer is a definate yes. However don't ask me the best way to go about it, I don't know, because it suffers from the same hierarchy of power abuses as do other chambers such as an elected house.

With regards,

... in general, the news media in the XXXX tends to be biased towards...

The nature of media is either to be fast with little bias or slightly slower with bias towards what they thing will earn the most. Anyone who forgets that will one day be happy the next day unhappy, and tend to remember only what makes them unhappy.

The problem with fast media is a little more subtle, the news comes in and out to fast ti be given an editorial bias, but the position of the reporters on the ground by simple logic does give bias. I've said a numberof times here befor that there is one more viewpoint than the number of observers of any event. That extra view point is the truth, all the others are parts of the truth biased by what the observer sees. These partial truths suffer from "fill in" and assumptions by the observers, it's the way the brain works. Show two people the same footage and ask them questions to see how bad this realy is.

If people don't realise this then they will see bias even when there is not bias, only partial information. But people don't want to wait for the real truth, they instinctively want to bend it to what they think is the truth. Police forces all over the world know this, and also know that by how they question they will shift an observers point of view a very long way.

In Terry Pratchet's book "The Truth" about media journalism he has one of his charecters trot out a statment important to the plot of "A lie is halfway around the world before the truth has got it's boots on". It's a truth in it's self that many with bias have chosen to use over the years, it's just a small part of "getting the message out" or "propaganda" depending on your view point at the time...

Finaly,

... the process regarding encryption is more of just a typical Israeli love of bureaucracy. :-)

I could swap American / Australian / British / Canadian / New Zeland for Israeli in that sentance and you only have to look at what the "love of bureaucracy" is doing with encryption in those places to give you pause for thought about what others on this blog page are saying... Thus why they think it's likely to be happening in a lot of other places Israeli being just one in very many. The simple fact comes back to "The Internet Scares Politicians" it's part of the reason for "on message sound bites" being all they say these days. What the likes of Comey and his predecessors are trying to do is raise a greater fear in our moronic representatives of "Encryption and easy communications, will be the death of representational democracy", thus their gravy train will come to a halt.

I Look at it this way the more representatives we have the less gravy there is to go round, and the less likely anything other than center ground decisions will get consensus. It might just be an improvment...

might want to have a look at Winston Churchill's comment on democracy, it might give rise to a smile. However logicaly it made him an enemy of politicians, because the alternative to them would be branded "the worst form of tyranny" or "criminal anarchy", which is to allow everybody who is able to vote to vote on substantive issues, not for a "monkey in a suit political representative" who takes part in the "ritual chimps tea part" that is the "representative parliment" sucking on the tax payer teat.

ShacharDecember 12, 2015 12:46 PM

@Clive

The problem with fast media is a little more subtle, the news comes in and out to fast ti be given an editorial bias, but the position of the reporters on the ground by simple logic does give bias.

There is another form of bias. News will, generally, prefer certain types of narratives over others. One such favorite narrative is "David vs. Goliath", aka "the underdog is the just party". These stories that are easier to "sell" to the public. "Man makes stupid, maybe malicious, decisions, loses all of his money, gets pounded on by creditors" is a story with less appeal than the also true, but misleadingly partial, "Penny less man gets pounded by creditors". A reporter does not have to be malicious in order to make this blunder. A story that sounds juicy falls into their hands, the basic facts check out, and to the air it is sent.

Which touches on another bias inherent to the media. It prefers simple stories over ones with complexities. A story with one side, obviously innocent, and another, obviously at fault, is "better" than a story where actions today are direct results of actions yesterday, and so on and so forth, tracing back a century of history.

These two elements creates a persistent bias against Israel in media reporting, even when the news editors themselves don't hold any particular bias themselves.

Shachar

RonKDecember 13, 2015 12:26 AM

@ Clive

I probably shouldn't bother to reply, since I've read this blog a long, long time, and have the distinct impression that there is nothing I could say to change your opinion. However, for the benefit of other readers, I would like to point out that in your sterling example of Israeli IP theft, the case of Samsung vs. Orbotech, somehow:

Orbotech was cleared of malicious intent in the Korean courts.

http://www.globes.co.il/en/article-1000901203

In addition, the IP which was allegedly sold to third parties is not something which someone who is familiar with the industry of reverse engineering would think of as particularly secret.

Clive RobinsonDecember 13, 2015 3:36 AM

@ Ron K,

I've read this blog a long, long time, and have the distinct impression that there is nothing I could say to change your opinion.

Well it's a shame you think that of me because I do change my opinions quite frequently usually based on the evidence presented and it's quality.

You have provided me with one piece of information I was unaware of which is that it went to court and an Orbitech staff member was found guilty and fined...

The last time I read up on it via English translations of Korean business newspapers in my local coffee shop. Back then it was a case of suspects had fled the country and were being pursued, which makes it sound like "hot pursuit" which is always a good headline (as is naming the country of the company and that they were believed to have fled to at the time and warrants had been issued).

So lets see what the article you link to says... the essential part ot the charges is repeated in that it was,

    [Orbtech's staff photographed and] kept the pictures on USB drives they concealed in belts or shoes, and then sold them to Chinese screen manufacturer BOE Technology Group... ...and other companies. The Korean prosecutor said that the case involved "core technology", which should not be removed from the country.

So the charges were against more than one employee of Orbitech...

Thus you have to go on and ask yourself why, if their intent was innocent, were "they" hiding the USB drives in their "Belts and shoes"?

Does that realy sound like "innocent behaviour"? Long answer short NO.

They then sold the pictures contrary to the laws in place of the host nation, is that a crime? Long answer short YES.

That's probably why the article says,

    One [Orbtech] employee was found guilty of certain legal violations and was fined $10,000. The Seoul Central District Court issued the decision in the criminal proceedings on Monday.

Neither you or the article provide any details of why the Korean Court came to this decision. But it is clear that criminal activity took place under the cover of Orbitech's activities.

All the article you link to says,

    ... Korea legal experts who succeeded in persuading the court that the company and its employees' conduct was aboveboard.

Which appears to be how do I put it politely "factualy incorrect" if one was convicted and fined... Thus the whole article is suspect and at best "factually unreliable".

But that aside it actually says very little to nothing. That the case was not sufficiently made or pursued against the other Orbitech employees is for some reason unexplained...

In the US for instance with the banking crissis it's not unknown for the authorities to not pursue individuals when quick fines could be imposed for appearances sake. There has been much comment on this blog about it over the years, which as a longterm reader you have probably seen.

The question of why the case could either not be made against the others or was not persued thus remains unanswered by both you and the article. In most jurisdictions taking property and selling it without permission is a crime. Many jurisdictions regard IP of any form as "property" even if it has no worth which is not the case here ad abother company paid for it.

Usually the only defence to such a crime is to show you had either entitlement in some manner or permission of the person with entitlement. If they had or thought they had permission then why were they apparently hidding the USB drives in "Belts and shoes". On the face of it the two don't add up.

Now I can come up with some educated guesses having worked for a Korean Company in the FMCE business with manufacturing plant in several countries but they would be no more than guesses.

Thus it may be that the person convicted was acting alone and using the others as cover, but there is nothing to say that by you or in the article. He could have been scapegoated "for the greater cause" etc etc. No information other than one of the staff from Orbitech was found guilty and fined has been provided by you or the article.

So far nothing even close to persuasive, that found guilty is realy more like confirmation...

As for your point,

In addition, the IP which was allegedly sold to third parties is not something which someone who is familiar with the industry of reverse engineering would think of as particularly secret.

That is compleatly irrelevant as legal argument as you should well know. It's the same whiney excuse of "it was only a paperclip" when somebody is sacked for taking office stationary without permission (it's why, when I'm expected to work in my own time I specificaly ask for either the stationary or recompense for my own stationary).

Now the question is have you made up your mind only on what you have presented?

If so ask yourself why?

I remain as always open to persuasive argument if there is any available.

RonKDecember 14, 2015 1:54 AM

@ Clive

Interesting reply, especially when analyzed in depth.

because I do change my opinions quite frequently usually based on the evidence presented and it's quality.

OK, let's run with that...

You have provided me with one piece of information I was unaware of which is that it went to court and an Orbitech staff member was found guilty and fined...

The last time I read up on it via English translations of Korean business newspapers in my local coffee shop. Back then it was a case of suspects had fled the country and were being pursued, which makes it sound like "hot pursuit" which is always a good headline (as is naming the country of the company and that they were believed to have fled to at the time and warrants had been issued).

So I immediately notice two things. First, you admit that you had no idea if Orbotech and/or its employees had actually been tried and if so, the actual result, when you decided to use it as your highlighted example of Israeli IP theft in your post above. And second, you read the cited article and have only found "one piece of information" in it; coincidentally, the one piece of information which "agreed" (but probably not really --- more on that soon) with your current point of view.

The first paragraph of the cited article actually reads:

Orbotech Ltd. (Nasdaq: ORBK) and five employees have been acquitted on all charges in an industrial espionage case in Korea. One employee was found guilty of certain legal violations and was fined $10,000. The Seoul Central District Court issued the decision in the criminal proceedings on Monday.

How interesting how you seem to have overlooked that Orbotech and 5 out of 6 of its employees were acquitted. Now the 6th employee was found guilty of unspecified "legal violations" and fined $10,000. Since you obviously were well read up on the charges part of this case, you certainly knew that the prosecutors office claimed that the damage which would have been caused by the alleged IP theft and transfer would be astronomical:

They expect the damage will be tens of trillions of won, considering the losses they would incur by losing market share. (click through text to see Korea Times article)

It seems probable, then, that if the alleged leaking of Korean IP were the unspecified "legal violations" then the court would have decided on a much more severe sentence than a $10,000 fine (the exchange rate of won to US$ is approximately 1 to 1). This disparity does not seem to concern you. Nor the fact that said "legal violations" could be any number of things, like contempt of court or illegally impeding the investigation. Instead, your post continues to focus on the charges, rather than trying to understand if the significance of the outcome of the trial might contradict your world view:

So lets see what the article you link to says... the essential part ot the charges is repeated in that it was, ....

Now it gets even more interesting. You start to actually assume the factual reliability of the charges, and continue to ignore most of the the court's decision (for example, you continue to use the plural form for the alleged criminals, whereas the outcome of the trial obvious limits the maximum number of perpetrators to one):

So the charges were against more than one employee of Orbitech...

Thus you have to go on and ask yourself why, if their intent was innocent, were "they" hiding the USB drives in their "Belts and shoes"?

Does that realy sound like "innocent behaviour"? Long answer short NO.

They then sold the pictures contrary to the laws in place of the host nation, is that a crime? Long answer short YES.

And finish this part of your post with blithely assuming the article confirms your accepted opinion:

That's probably why the article says, ... But it is clear ...

Then you notice an interesting contradiction in the article:

... Korea legal experts who succeeded in persuading the court that the company and its employees' conduct was aboveboard.

Which appears to be how do I put it politely "factualy incorrect" if one was convicted and fined... Thus the whole article is suspect and at best "factually unreliable".

That would put you back into having claimed Orbotech stole IP based solely on news reports of it being accused (not convicted) of such. You also ignore the possibility that the "legal violation" was something wholely procedural, which could explain how the conduct could still be "aboveboard" (possible, but I find this unlikely). Another possible explanation would be that the Israeli journalist merely used an English word improperly. I do agree with you that this statement seems a bit strange.

But that aside it actually says very little to nothing.

Yet you were perfectly willing to build a strong opinion based on news reports of accusations and investigation.

In the US for instance with the banking crissis it's not unknown for the authorities to not pursue individuals when quick fines could be imposed for appearances sake. ...

This by far has to be the most interesting observation you make. But you ignore various other possible explanations: for example, that Samsung and LG already had knowledge that their market share will soon be undermined by their Chinese competitors, and they decided to make Orbotech a scapegoat in order to save face.

As for your point,
In addition, the IP which was allegedly sold to third parties is not something which someone who is familiar with the industry of reverse engineering would think of as particularly secret.

That is compleatly irrelevant as legal argument as you should well know.

That is possibly irrelevant as legal argument (IANAL, nor a judge) but quite relevant when the case in question has been touted by you as poster child evidence to justify your statement from a different post:

On another point raised, that Israel has a 10% world market share with less than a 0.11% share of world population one part of the explanation is IP theft.

You then compare the Orbotech IP theft with stealing a paperclip.

It's the same whiney excuse of "it was only a paperclip" when somebody is sacked for taking office stationary without permission

Continuing your analogy would then lead us to believe that Israel has become rich by stealing paperclips? I only critique your analogy, here, BTW. It is entirely possible that your statements about Israeli IP theft are entirely correct. However, you haven't given us a very persuasive example (Samsung vs. Orbotech).

Now the question is have you made up your mind only on what you have presented?

Make up my mind? Very unlikely on such a topic where I understand there is little hard evidence.

I remain as always open to persuasive argument if there is any available.

I sincerely wish you the best of luck with that.

Clive RobinsonDecember 14, 2015 1:33 PM

@ Ron K,

That is possibly irrelevant as legal argument (IANAL, nor a judge)

That much is self evident.You should heed the old advice, and what ever you do don't represent yourself in court, or for that matter in negotiations with any of the legal fraternity.

You presented as your "evidence" of refutation an article from an Israeli investor rag. That alone should have made you pause for thought, did you realy think it would be unbiased?

You should have picked up on that fact. Especialy as what it said had all the hallmarks of a quick cut and paste from a PR wonk's "best I can do to be upbeat" summary on Orbotech's required disclosures to the Israeli market.

Either you entirely missed it or you had some other reason, I wonder what it might be.

If we got to the bottom of your posting in reply to my question of why you thought it was evidence that convinced you, you say,

Very unlikely on such a topic where I understand there is little hard evidence.

You just can not say "there is little hard evidence" based on what you have produced. There was obvioulsy sufficient evidence of espionage to bring charges, take the company and it's staff to court and a person was found guilty and received a not inconsiderable fine.

Are you saying the South Korean Court system is corrupt and found him guilty without evidence?

I will just say what you said,

I sincerely wish you the best of luck with that.

I think at this point I shall for your sake stop, and I would suggest you strongly consider doing likewise.

RonKDecember 14, 2015 2:08 PM

@ Clive (or possibly @ ~Clive ?)

I think at this point I shall for your sake stop, and I would suggest you strongly consider doing likewise.

Oh, Clive, how thoughtful of you!

Anyway, everyone can see what is happening here now...

ianfDecember 14, 2015 7:51 PM


@ RonK

Thanks for that granular exegesis of Clive's orbitechnical reasoning… I can't add anything for or against the subject matter (the IP-theft-or-not doesn't excite me enough to spend time on it), but reading you brought up a memory of a certain literary piece of yore, which I paraphrase below (complete with a hyperlink to the source to annoy Nick P. BTW. because the protagonist's name in this story happened to be "Ron," I had to swap it for "Clive," or else the metaphoric analogy might have confused the reader).

    […] Clive was probably the world’s leading authority on Heidegger’s moral philosophy; he was renowned for his extemporaneous and wittily annotated classroom translations of knotty Greek and German texts; and so his friends, even his very smart friends, were simply too intimidated intellectually to question [… what Clive was doing. In fact, it] became just another of the never-again-referred-to mysteries that were the price you paid for the pleasure of Clive's company.

    FICTION Breakup Stories
    by Jonathan Franzen
    The New Yorker, November 8, 2004

RonKDecember 15, 2015 2:54 AM

@ ianf

Scanning the first paragraph about the Ron in your linked story immediately makes it obvious to me that I was not the real-life model for the character. Well, I guess that everything has its upside and downside... :-)

ianfDecember 15, 2015 3:15 AM


RonK, I never claimed that TNY story to be about the character, only that the quoted conclusion seemed no little apt in the context (that's how literary analogies are supposed to work, even in digital media.)

Salach Shabati December 15, 2015 11:12 AM

@Nick P.
I assume you mean security-certified products, under some known schemes.
Actually in Israel, & especially in the government sector, we have a very different view on security certification and high assurance programs, especially with crypto-related stuff.
We see certification as a good way to tell an immature product from a mature one, when buying stuff from other countries. A mature product will pass high-assurance certification, while version 1.0 rarely does. It is a filter when you publish an RFP, and a good one.
Does it prove security? not always, and even ISO15408 (AKA Common Criteria) will only validate certain specific items, on certain specific operational conditions. Purchasing a certified product, even if it is in the most prestigious list, never guarantees security, just giving you a better head start, nothing more nothing less.
Most Israeli companies do not invest a lot in certification, those i know are in the smart cards business, the HSM business and certain versions of Checkpoint's firewalls. There may be others but here we tend to evaluate our own way rather than rely on certification.

@All
being an Israeli with a lot of business & professional relations all over the world, I can attest that the vast majority of anti-Israel people (which are a lot) and quite a few of our supporters (which regretfully are a minority) both know next to nothing about my country. I see a lot of bias, double standards, misconceptions and myths. I see many people citing a lot of propaganda and focusing on all the wrong things while completely ignoring the vast and really bad changes the world is going through now.
I do not wish to explain those double standards by antisemitism although i do see it occasionally. Maybe it is business interests, maybe it is the superficiality of the media, maybe it is something i don't really know, but it is hard to deny that bias and double standards are employed against Israel more than any other country in the world. Are we perfect? definitely not. Are we better than many other countries? definitely yes, most "western" democracies included. We are a functioning democracy (and a sprite & vibrant one) in an area where democracy is either a joke or a dirty word. When you live in a bad neighbourhood your survival requires you to be tough sometimes.

Nick PDecember 15, 2015 12:49 PM

@ Salach

We see certification as a good way to tell an immature product from a mature one, when buying stuff from other countries. A mature product will pass high-assurance certification, while version 1.0 rarely does. It is a filter when you publish an RFP, and a good one.

That's a really good point that I haven't seen someone bring up. Paperwork aside, the processes impose lots of structure on software process that trip up companies who had less than they advertised. ;)

"Does it prove security? not always, and even ISO15408 (AKA Common Criteria) will only validate certain specific items, on certain specific operational conditions.

Absolutely. You won't catch me claiming otherwise.

Most Israeli companies do not invest a lot in certification, those i know are in the smart cards business, the HSM business and certain versions of Checkpoint's firewalls. There may be others but here we tend to evaluate our own way rather than rely on certification.

The value of EAL5-7 certification and similar is they involve rigorous design, analysis, testing, and *pentesting with source*. They are an order of magnitude better in quality or security than competing products. The big-name, certification itself isn't as important to me: more the process of getting it to that quality level with qualified review. Side-effects of that overhead are often products that are quite minimal, lower specs (eg performance), and significantly higher price than COTS baseline.

You implied you knew examples of products designed as rigorously as possible. I'd love to know a few to have a look in the near future. Plus, if any measure up like ours, I'd like to give them credit to be fair when naming off vendors in a conversation. To be clear, these would be products that your own government and intelligence services trust enough to use for high-security needs. I'm also interested in high-security, non-export products where little information is available. Over here, that's Controlled Cryptographic Items, TEMPEST, etc. Can't get implementation details but I like to track specs, capabilities, and design styles.

Salach Shabati December 16, 2015 2:18 AM

@Nick P.:
Indeed, certifying a product with the CommonCriteria scheme is a real pain, especially when the higher levels are used. Actually i would put it in the EAL4...6 range since EAL7 is not really practical and a very small number of products achieve this, if any. It requires formal proofs for every security-related item in the product, and the real life significance of such proofs is a topic of its own, worth a separate discussion.

In the public, civil sector there are (in most countries) two main places where you need high security: the banking sector and the national-scale identity documents (passports and eID cards). The banks usually will go for off-the-shelf HSM's and products, just to be able to tell a judge that they did their best, i.e. to avoid liability.

In our case, identity documents use a "home-brew" solution which is highly trusted, to gain something else. Usually, most countries go to a system integrator for such systems, getting back a "big black box" that magically issues secure identity documents. A much better policy (IMHO) is to force some separation between the roles involved in the production. Using a solution built in-house as a critical part of the system, actually the most critical one, segregates roles and requires a full coalition between all elements to produce a valid document. I usually hate managerspeak and buzzwords but it is a more holistic approach. The actual specs are simple & publicly available (see the ICAO DOC9303 standard). Other details are not public, but as far as i know were not affected by the recent advances that were published.

The point you raise, about the adverse effect of certification compliancy on price & performance is a very important one. I think that it must teach us a strong lesson. Good security MUST involve modest requirements and some compromise on price & performance. securing a large scale, feature-rich product is extremely hard to do, maybe next to impossible. Securing minimal products, with limited performance & functionality is a reasonable (yet also hard) goal.

Wesley ParishDecember 16, 2015 3:58 AM

@Bruce

Corrigendum est:

As does the fact that the country is so small, making informal deal-making manageable. It doesn't scale.

Actually, it does scale, and quite consistently. The difference is, once it has scaled, and is taking place in a country such as Indonesia, Russia, Mexico, Nigeria, Pakistan, India, Egypt, or the like, people start calling it nasty names such as corruption.

(An aside, possibly OT) It is important to realize the social position of the military in all these places - as far as I know, the only country in the line-up above which is relatively demilitarized, is India. I did some research on Indonesia during the 90s, when I was trying to understand the East Timor tragedy, and they were very proud of their military. It carried much of the load of that economy. When I turned my attention to the matter of Israel, Palestine and the like, I was surprised to find that Israel and Indonesia shared a similar attitude towards the military. I won't go into detail, since we are all adults here and can read sufficiently well to do our own research without me holding anybody's hand ...

It surprised me for the very good reason that I'd always lumped Israel in with other British Empire settler states such as the United States (Colonies) of America, Canada, Australia, New Zealand, South Africa, and the West Indies. And only in the United States has there ever been established a similar military-political revolving door environment such as that obtaining in the United Kingdom, and also in Israel. CANZ are strictly civilian states and the Windies and the African states aspire to such a state of bliss.

So we have an interesting example of in what direction the media is biased. I leave it as an exercise to anyone who cares, to discover in just what manner the media displays its bias. Why should I hold anybody's hand? I'm not a Beatle.

11111111111December 16, 2015 1:32 PM

@999999999 What about this guy?

Countries use spies. This includes yours. To present this trivial fact as an evidence for a policy of forcing back doors into the country's own encryption products is either a sign of a lack of basic understanding or a lack of honesty.

999999999December 16, 2015 4:35 PM

@11111111111
Agreed. Countries use spies. Israel uses spies against the US as exemplified by the guy who got caught red handed and convicted.
I don't know if the fact is trivial or not but it is a fact. I am not presenting it as evidence of Israel forcing back doors. I am presenting is as evidence that Israel uses espionage and it is not a drastic leap to fork an encryption software where the company sells a backdoored software to everyone else that the government can patch with a wink and a nod.
Why is that showing a lack of basic understanding or honesty?
The Americans, Germans and Russian would do it too. So why not Israel, if they have an "understanding" with the devs.

1111111111111December 16, 2015 5:45 PM

@999999999 Israel uses espionage and it is not a drastic leap to fork an encryption software where the company sells a backdoored software.........The Americans, Germans and Russian would do it too. So why not Israel

There is a difference between selling a backdoored product to your enemy and selling it to your customers. Though I am not sure about Germany, the US is known to sell such products to its clients, for example, by sabotaging the encryption standards or intercepting Cisco dispatches, it effectively forces backdoors in its industry product. Israel can not do that.

Even if you agree with Bruce's assumption that Israel is guilty unless proven otherwise, it would still not make any sense for Israel to backdoor its own products because:

1. Its market share is small. 10% is a lot for such a small country but it is still only 10% so backdooring these 10% will have a small effect. After all, how many Iranian government agencies are buying Israeli security products?

2. Israel's economy is highly-dependent on revenue from its high-tech sector. "Highly" is an understatement. To execute a systematic sabotage of its own products would be a risk that Israel can not take. If I am not mistaken more than 60% of that country's export is high-tech.

So Israel has a particularly strong incentive to maintain the integrity of its information security products. Claiming the opposite, like Bruce does, is like claiming that it is in the Italian government's interest is to encourage, or even force, the sale of fake olive oil, because it is expensive to produce a good one. It does not make sense.


RonKDecember 17, 2015 12:49 AM

@ Wesley Parish

I leave it as an exercise to anyone who cares, to discover in just what manner the media displays its bias.

Is this even practically possible nowadays, for the average person (excluding cases of extreme bias)?

RonKDecember 17, 2015 1:14 AM

@ 1111111111111

the sale of fake olive oil

Your analogy is, to say the least, unconvincing, unless you are talking about some kind of magic fake olive oil which could be used to manipulate or exploit its consumers to the Italian government's advantage.

1111111111December 17, 2015 1:01 PM

@RonK Your analogy is, to say the least, unconvincing

Probably you are right, I never excelled in rhetoric. However, the main point I am trying to make is still valid: Israel has a particularly strong incentive to maintain the integrity of its information security products and therefore Israeli products are less likely to contain backdoors than those of other big players in that market.

ShacharDecember 17, 2015 3:42 PM

@999999999

What about this guy?

Caught red handed spying for Israel and convicted for 13 years in prison.

The BBC has come under fire lately for using misleading titles with anti-Israeli titles to articles, trusting the dumb masses not to read the actual article. Whether intentional or not (I tend to believe not, in this case), this is another such example.

From the same article you linked to:

He has been in jail since his arrest in 2009 after a sting operation by an undercover FBI agent posing as an Israeli intelligence officer.

So, he wasn't spying for Israel at all. He was spying for an FBI agent posing as an Israeli agent. The department of justice to note to make sure there is no confusion:

The Department of Justice said none of the charges alleged that any US laws were broken by the government of Israel or anyone working on its behalf.

I'd argue that a less misleading title would have been "Stewart Nozette admits spying in FBI sting operation", just so people like 999999999 wouldn't start false accusations.

Shachar

Nick PDecember 17, 2015 6:36 PM

@ Salach

I appreciate the insights.

"The point you raise, about the adverse effect of certification compliancy on price & performance is a very important one. I think that it must teach us a strong lesson. Good security MUST involve modest requirements and some compromise on price & performance. securing a large scale, feature-rich product is extremely hard to do, maybe next to impossible. Securing minimal products, with limited performance & functionality is a reasonable (yet also hard) goal. "

We agree here given I just made that point here. Economics, user demand for complex products, and backward compatibility are largest drivers of insecurity. Unlikely to go away. So, I aim for high assurance (EAL6-7) mechanisms that traditional development can build on to gain tons of overall assurance. A great example is this project where securing a tiny part of the CPU and a runtime plus a suitable language provides tons of protection without developers having much expertise.

So, well-designed languages and platforms whose security-critical components are assured as highly as possible are the baseline I promote. And, as old Orange Book taught us, to make the parts that have to be high-security as small and simple as possible. That way, our tools and components seemlessly embed security into regular development. Should stop most code injection attacks at the least. They're my main concern.

C U AnonJanuary 12, 2016 4:51 PM

All with an interest in IoT security

If you follow the link in the "Hagai Bar-El" name field in the post above then follow the first link on the right you will find the following information,

    Hagai Bar-El serves as the VP of Security for the IoT Business Unit of ARM. He joined ARM following its acquisition of Sansa Security (formerly known as Discretix Technologies), where he served as a CTO.

Thus he should be able to answer any questions you might have on IoT security, or lack there of...

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.