Friday Squid Blogging: Squid Knitting Pattern

Surprisingly realistic for a knitted stuffed animal.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on February 5, 2016 at 4:55 PM • 70 Comments

Comments

ianf • February 7, 2016 9:21 AM


[…] parasite's eggs are easy to acquire, able to live for years, extremely resistant to many disinfectants and heat, and cause serious infections in humans with poor treatment options could make it a dangerous weapon

A bio-threat of sorts, yes, though hardly of use for terrorists, who do not act on such stretched-out, effects on humans indistinguishable from "naturally occurring" plagues time scale, and which apparently are treatable in places with good treatment options.

Hence, not a #whitepeopleproblem.

    (How much bio threats of similar nature matter to us whiteys we'll see from the dropout rate among the sportswomen and femme fans declining to attend this year's Olympic Games in the zika-virus affected Rio de Janeiro).

Horte Pueblo • February 7, 2016 9:46 AM

@Ianf


Try pausing to think before posting.


Most cases of B. Procyonis have occurred in the US, where "white people" are known to exist. Of course, I'm likely wasting my time responding to an A.I. annoyance bot, but it should be noted that there is no cure for B. Procyonis, and that all known cases have ended terribly and are presumed to always do so. The ease of egg-cultivation and incurable state of infection do pose a threat.


Wherever you deduced the "apparently" treatable status of B. Procyonis infection, I suppose only a dunce would know. And whatever hue be upon your silly skin, you might try licking around various raccoon latrines and experimenting with the results.

Suits you, sir. Suits you.

Anonymous Browsing Example • February 7, 2016 9:47 AM

The latest version of Pale Moon offers superior protection over deprecated Firefox
Mozilla jumped from the frying pan (Google) to the fire (Yahoo up for sale). Firefox opens many cloud connections for predictive caching etc. The over-engineering is terrible for security but a great way to insert ads and malware. The web is plenty fast enough especially when you connect to a server in your geographic location.

Add-ons include uBlock Origin and highly disruptive Secret Agent (a user agent spoofer) and a 5 user $40/yr (PIA) VPN. Kill switch enabling is critical.
I typically surf with Javascript and local fonts off using Prebar for maximum malware protection. CCleaner clears logging between multiple sessions each day.

Sign-in Procedure
Create a new VPN connection and browser session before signing-in. For secure business (like banking) trust is important, so disable Secret Agent. Even though you still use a VPN and ad blocking, granting system fingerprinting is a reasonable compromise to verify your identity. After conducting business, re-enable Secret Agent, close down the browser and VPN, clean and start over by connecting to a different city.

Note: Windows 8 is heavily restricted with Group Policy Editor (impossible with Win 10). I’m waiting for Mint 17.3 to make the transition to Linux.

Weaknesses:
1) screen rez & time zone still exposed so I manually change them
2) NS-A may very well be listening-in and secretly subsidizing VPNs. Here the inconveniences of TO-R are preferred. However now the secret Intel Management Engine becomes a primary NS-A target. Monitoring all outgoing Internet traffic with a parallel promiscuous Ethernet Packet Analyzer is required.

3) these countermeasures are degraded by Windows 10, as automatic updates from unknown sources become a security nightmare

Future: Adguard filters at the Ethernet packet/OS level making it independent of the browser. Great concept!

Increasingly the privacy focused software is being developed outside the USA.
Is this because American data-mining and lack of transparency polices are viewed as corporate trade secrets?

Blog Reader • February 7, 2016 12:08 PM

I've recently come across a German service called Posteo. The service isn't free but it's €1 per month and they offer 2 GB of storage and the ability to have aliases.

They offer two types of encryption:

Crypto Mail (which uses your login password to encrypt all your incoming mail on the server side - if you change your password they re-encrypt your data. If you forget your password they can't recover it.)

S/MIME or PGP (which uses your S/MIME certificate or PGP key to encrypt all new incoming mail; again done at the server side. Similarly if you forget your password they can't decrypt your mail. Also, unlike the first option, this is irreversible.)

Under German law they openly admit that they may be required to intercept communications 'going forward' but that they're unable to decrypt previous communications. Obviously if the person/people with whom you're communicating use end-to-end encryption then this doesn't really matter.

It does offer an interesting compromise solution to the problem of securely storing normal emails.

Unlike Tutanota or ProtonMail they don't offer end-to-end as part of their service - instead they rely on users using S/MIME or PGP. This has the benefit of full integration with native mail applications because their service uses IMAP (unlike Tutanota or ProtonMail which require their own app).

The other benefit is that you can fully encrypt your calendar/contacts using CalDAV/CardDAV.

Has anybody got any experience of Posteo - are there any downsides I don't know about?

https://posteo.de/en/site/features

Swiss-ness • February 7, 2016 12:18 PM

The argument that the TLAs have too much data to sift is valid. A cocktail napkin cost/benefit analysis proves that the data isn't being collected solely for anti-terrorism efforts.

Personally, I think it's all about a suffocating (even tyrannical) level of control over the masses and to a lesser degree, money. But the stated purpose of the TLA's efforts and the arguments around them are moot if this is a trend:


DHS ordered employee to scrub records of Muslims with terror ties:

http://thehill.com/blogs/congress-blog/homeland-security/268282-dhs-ordered-me-to-scrub-records-of-muslims-with-terror

Bob Paddock • February 7, 2016 3:38 PM

@ianf

"plagues time scale, and which apparently are treatable in places with good treatment options."

Sadly the treatment of Plague and Anthrax are the Fluoroquinolone Antibiotics Levaquin, Cipro etc. (23 other names world wide). These are not good treatment options.

By the FDA's own data these drugs have killed 3,000 and injured 20,000. That is believed to be only 1% of the real numbers!

My TV interview about it and our win at the FDA last fall where my late wife Karen's Journal was used as evidence in the hearing on this subject:

http://www.kpaddock.com/doku.php/blog/bpaddock/win_at_the_fda_hearing_on_fluoroquinolone_antibiotics

Per FDA documents found at that link the FDA itself reports that for the three major reasons these drugs are given (Acute Bacterial Sinusitis, Acute Exacerbations of Chronic Bronchitis, Uncomplicated Urinary Tract Infection [detached retinas were not discussed that day; that changed last week]), they are COMPLETELY USELESS and no better than Ibuprofen. Being useless in itself would not be so bad if the drugs did not cause lifelong complications for many, as it did for my late wife, ultimately leading to her suicide.

This class of drug was originally developed to be a chemotherapy drug. They found in testing it killed bacteria so they relabeled them.

We really don't have to worry about the terrorists killing us, the Medical Establishment (AMA, FDA, CDC etc. ) are doing a fine job killing us (Iatrogenesis) without their help. The Medical Establishment has declared a war on patients in the guise of opioid deaths.

For example, to skew the numbers in favor of The Establishment's view: a lady had surgery and was given an opioid pain drug as standard procedure dictates. On the way home she was killed in a car accident. She died from traumatic injuries. Due to the opioids in her system her cause of death was listed as being from the drugs. She was not driving; the drugs played no part in her death.

Clearly there is something going on that the CDC, FDA etc. are not telling us.

There are tens of millions of pain patients in the US and they are removing pain medication from the market or making the doctors so scared to prescribe pain drugs that they tell the patient that they will not help them and to never come back.

The so called "heroin epidemic" is largely due to heroin being cheaper than medication and the doctors leaving patients the choice of street drugs or suicide to stop Chronic Pain because of the doctors/Establishment not wanting to help. So in the very thing the CDC, and now the FDA which has joined them, are trying to prevent, opioid deaths, they are actually increasing the death rate.

As far as 'good treatment options', those with such views have never or not recently interacted with the 'Medical System'; for example, my late wife was told she could not lie down in Cedar Sinai's ER department. If she wanted to lie down she had to go outside into the parking garage:

http://www.kpaddock.com/doku.php/kpaddock/my_story_2013?s[]=outside#cedar_sinai_er

Read all of Karen's Journal, which is now required reading at Duke School of Medicine to understand the true state of '*Health* Care' in this country today. "Karen's first-hand account of her illness gave an honest, heart-wrenching depiction of what it is like to live with debilitating pain day-to-day." Local Newspaper - http://www.kpaddock.org


Now perhaps someone can help me out? Anyone know of a database for the US or the world that tracks suicides and their causes? We, that is those of us trying to help those with Chronic Pain conditions, are trying to come up with numbers to put up against the Establishment's numbers.


@ianf sorry it turned into a rant, as you can understand the state of 'Health Care' actually sickness prolonging care, is an emotional subject for me...

NeiHuem • February 7, 2016 5:14 PM

Re Posteo:

I use their email services for some years now; everything fine so far.

I have no experience with their encryption solutions, but I recall news that they refused to implement a "trendy" but not yet thoroughly tested solution some years ago, and explained why on their blog. On the other hand - Perfect Forward Secrecy since 08/2013, DANE/TLSA since 05/2014, HTTP Public Key Pinning since 10/2015.

I very much like their extreme "data austerity" approach: "don't save more customer-relatable data than absolutely necessary; data you don't have can't be pulled by bad actors, be it from government or otherwise". In my case (cash payment), the only customer data they could possibly own - from a technical, all-doubting standpoint - would be server log files from accessing the web frontend and/or the mailbox.

Duck N Dodge • February 7, 2016 5:59 PM

@Blog Reader

I don't trust the Germans any more than NSA. Even you note their laws to turn over data. And, I especially do not trust the TOR nodes sponsored in Germany. My assumption is most are government owned and operated. They without doubt get a ton of data from them.

@Baylisascaris

Some of the addresses in your blog that you attribute to MS are not MS at all. For example, some are Cloudflare and Amazon, of which they may have their own issues, too.

OTOH I find that many MS addresses are those which years ago were military and/or US government addresses, but no central phone book is available anymore to confirm that. I know for a fact some outlook emails are routed through UK Dept of Defense, and MS's response was, don't worry about it.

See: https://community.office365.com/en-us/f/158/t/318199

The Neo-con World Order is shaping up nicely.

Perpetual war, enslavement to the 1%: That's OUR future.

Godel • February 7, 2016 6:28 PM

@ Horte Pueblo

"Reported disease has primarily afflicted children and almost all cases were a result of the ingestion of contaminated soil or feces"

That hardly sounds like a promising infection method for a bio weapon. You'd also have to assemble a herd of raccoons to complete the parasite's breeding cycle.

Thoth • February 7, 2016 9:37 PM

@Blog Reader, NeiHuem, all
re: Posteo

Password encrypted mails mean totally nothing in terms of security as there are ways to get a copy of your password. The fact they use your password to encrypt emails means they must have a copy of your plaintext password somewhere to decrypt your mailbox when you login and similarly, since they have your plaintext password, they could decrypt your emails anytime.

PGP encryption with private keys held on the server side, even if the PGP keys are "encrypted" or more accurately escrowed by your password key (and assuming they have your plaintext password somewhere), is a really bad idea. That means they have your private keys anytime they want to decrypt all your PGP encrypted emails and also falsify and manipulate your emails as Warhawk Government services require to mount their Black Ops by using your private keys in their hands.

Finally, German Warhawk Govts on the surface are outraged by US spy scandals but it has been known that the German spy services (BND) have very close relationships with NSA and GCHQ and are working more closely than we thought under the tables despite the Angela Merkel phone tapping case, and it has been shown that the phone tapping went ahead under the noses of BND and with BND cooperation as well in exchange for technologies supplied by NSA.

What Posteo should have done is to use open source Javascript based front-ends for users to make PGP encryption easier instead of doing PGP crypto on their servers with private keys in their possession. Encrypting emails with a password is not going to cut it since email account passwords in whatever form would be stored on the mail servers for login. The better idea is to upload a user PGP public key if the user wants email at rest encryption of account data so that every email file coming in would be encrypted with the user's PGP public key, and the user downloading the email would use a special open sourced Javascript to use their PGP private keys on the web browser side to decrypt their inbox. This would ensure passwords, if compromised, would not endanger privacy and authenticity, with the proper use of PGP methods applied as suggested above.
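
The two designs discussed in the Posteo thread (the "Crypto Mail" password-derived option described by Blog Reader, and the public-key-at-rest design Thoth proposes) side by side, as an added example that is not Posteo's code and not from the original post; the page does not say how Posteo implements either option, so this only models the two descriptions. In the password scheme the server seals each mail with a key derived from the login password, and because it sees the plaintext password again at every login it can re-derive that key and read the stored mail. In the public-key scheme the server stores each mail under a fresh AES key wrapped with the user's RSA public key, and only a client holding the private key can read it. The function names (`seal`, `open`, `passwordKey`, `serverStore`, `clientRead`), the `StoredMail` type and the sample message are constructed for this example; a single SHA-256 stands in for a proper password KDF.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

const sampleMail = "From: alice@example.invalid\r\nSubject: hello\r\n\r\nmeet at noon" // constructed sample inbound mail
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM and prepends the random nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; it fails on a wrong key or tampered data.
func open(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// Scheme 1: key derived from the login password (the "Crypto Mail" model). One SHA-256
// over salt||password stands in for a slow KDF; that does not change who can derive it.
func passwordKey(password, salt []byte) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), password...))
	return h[:]
}

// Scheme 2: hybrid public-key encryption at rest. The server holds only the
// user's public key; a fresh AES key per mail is wrapped with RSA-OAEP.
type StoredMail struct {
	WrappedKey []byte // per-mail AES key, encrypted to the user's public key
	Body       []byte // AES-GCM sealed message
}

// serverStore is what the mail server runs on arrival: no secret of the user's is needed.
func serverStore(pub *rsa.PublicKey, mail string) (StoredMail, error) {
	mk := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, mk); err != nil {
		return StoredMail{}, err
	}
	body, err := seal(mk, []byte(mail))
	if err != nil {
		return StoredMail{}, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, mk, nil)
	return StoredMail{WrappedKey: wrapped, Body: body}, err
}

// clientRead runs wherever the private key lives (the user's client, never the server).
func clientRead(priv *rsa.PrivateKey, sm StoredMail) (string, error) {
	mk, err := rsa.DecryptOAEP(sha256.New(), nil, priv, sm.WrappedKey, nil)
	if err != nil {
		return "", err
	}
	pt, err := open(mk, sm.Body)
	return string(pt), err
}

func main() {
	salt, pw := []byte("constructed-salt"), []byte("correct horse battery")
	// Password scheme: sealed on arrival, readable again by the server at the
	// next login because it holds the plaintext password once more.
	stored, _ := seal(passwordKey(pw, salt), []byte(sampleMail))
	pt, err := open(passwordKey(pw, salt), stored)
	fmt.Printf("password scheme: server recovers %q (err=%v)\n", pt, err)
	// Public-key scheme: server stores with the public key only; the client
	// reads with the private key; any other key yields an error, not the text.
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	other, _ := rsa.GenerateKey(rand.Reader, 2048)
	sm, _ := serverStore(&priv.PublicKey, sampleMail)
	msg, err := clientRead(priv, sm)
	fmt.Printf("public-key scheme: client recovers %q (err=%v)\n", msg, err)
	_, err = clientRead(other, sm)
	fmt.Printf("public-key scheme: without the private key: err=%v\n", err)
}
```

Everything used here is in Go's standard library. The password scheme still protects mail against someone who obtains only the stored blobs, which is the benefit Blog Reader describes; the point Thoth makes is that the operator itself can decrypt whenever the user logs in, whereas the wrapped-key design leaves the operator with nothing to decrypt with, at the cost that the user's own client has to hold and use the private key.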

Horte Pueblo • February 7, 2016 9:53 PM

@ Shill Godel,

And since all medical/biological research clearly indicates the B. Procyonis species is not host-specific, please explain why a "herd of raccoons" would be necessary for anything other than your vacant comment?


Pardon the ad hominem, but I'm spoiled by the otherwise thoughtful commentary I often see here, notably from Clive R and Nick P, which as a side note I suggest re-compiling for purposes of a sellable book.


I seriously doubt cultivation of this monster worm would require any particular animal, and due to the ubiquity of raccoons throughout the US and the high percentage of raccoon latrines containing B. Procyonis eggs, it oughtn't be terribly difficult for a determined madwoman (must be politically correct) to initiate some grotesque plot. These things can undergo -40 degrees for years and come out kicking. They can also sit around in formaldehyde for quite some time and shrug that off too. I suppose you also consider prions a joke? With modern biotech, prions could certainly be weaponized into something horrific. Mind you, the CIA released whooping cough into Tampa Bay in the 50s. A whole bushel of other similar operations have occurred too. It's not as if some folks don't sit around thinking about doing such – sometimes they actually take action.


I'm not suggesting that we should panic and make worms enemy #1, but a great deal of trouble could come of such a beast. Without claiming any credibility to my suspicions, I do suspect prions behind much of what we (in my opinion) mistake for dementia.


r • February 7, 2016 10:50 PM

@mr. Paddock,

My sorrows for your wife, my experience with cipro was not bad.
Er, my grandmother's experience with my cipro went off without a hitch. She got sick after her return from Brasil and the shit did exactly what the doctor said it would. Cleared her food/water sickness right up.

Now, as per your comment about the heroin epidemic - I live in Detroit - you must not realize how **cough** over-prescribed/mis-used opiates really are. College kids take adderol, vicodin, xanax... Popular culture is loaded with drug references and you blame the heroin epidemic on it being cheaper than the readily available overly prescribed relatives?

Let's put this in perspective, I got hit by a car last year... Creamed... My arm hurts everyday, the medical community is now backpedaling because they know they're being investigated for things like insurance fraud and malpractice due to the epidemic they've created by feeding people's habit hunger for a disease causing drug. Yes it works, but is it worth enduring the side effects of its over-application?

"There are tens of millions of pain patients in the US" wiki says there are approximately 322 million people in the United States right now... Seriously think about the implications of treating that as fact. It's an industry, they've created a disease, insurance is skyrocketing and/or doctors are starting to pucker up before they risk being reamed over an executive order. Drugs are risky, the FDA lowered trial times in the 90s? Now we are saturated with direct to market drugs that are recalled within two years. I would love to have pain medication for my neck, for my arm, for my eye... But just like my ex girlfriend I realized when I came off of them that the pain itself is the lesser of two evils and that those drugs and their potential for abuse should be reserved for those who REALLY need it. Like maybe your wife... But tens of millions of Americans? Get real, the medical community in this country is a joke these days and it's a cash cow that is being investigated for a reason... They are generally insensitive, over stressed, under-supervised and manipulated by greed. I know old people that shop doctors for pain medicine to sell the norcos to junkies, it's completely out of hand so don't blame the epidemic on heroin being cheap... Blame the medical community for being irresponsible, disorganized and maligned. Again I'm sorry about your wife, but their mistreatment of patients is a double edged sword and it is having dire consequences across the board.

r • February 7, 2016 11:03 PM

@mr. Paddock,

I forgot, in addition to my grandmother I had another chance to use cipro directly and under prescription... And used it myself, no problems there either as far as I'm concerned and I took it 3-4 times a day for two? Months.

So 1% reported when 3,000 killed and 20,000 injured?? That's 300,000 killed and 2 million injuries... In a country of 322 million I just see you scare mongering.

I think you're link farming and thus revenue motivated just like the medical community... You're a special interest fanboi imb.

Clive Robinson • February 8, 2016 12:48 AM

@ Nick P,

Having been booted back home to "convalesce", I finally get back to the smart phone (that got left behind).

And as is my habit when sleep does not happen, I've been digging around on interesting sites...

When I came across this and almost instantly thought of you ;-)

http://www.sodnpoo.com/posts.xml/salsa20.xml

However that said there are a few other Reverse Engineering things on the site you might find interesting. One of which might be of interest to those wanting to play with the EMV payment card chips (Chip-n-Pin),

http://www.sodnpoo.com/posts.xml/reading_emv(chip_and_pin)_cards_with_an_arduino.xml

It uses @Figureitout's favoured Arduino.

Clive Robinson • February 8, 2016 1:15 AM

@ Keiner,

With regards Donald "I blow my own" Trump, the old saying about "you couldn't make it up if you tried" increasingly applies.

To talk about bringing back waterboarding and much more --worse-- besides, is really playing to the "lowest common denominator" of the "6th beer couch potato thinker" caricature, said to inhabit certain less desirable areas of the US. It would smack of desperation tactics if done by anyone with even a jot of political savvy...

Thoth • February 8, 2016 5:06 AM

@kerukuro
Good to know another snake oil algorithm being shot down before hopefully too much damage gets inflicted.

State Hacks Twitter • February 8, 2016 5:10 AM

Yet more evidence of the spooks attacking voices they don't like, instead of legitimate national security threats - the December Twitter hack:

http://www.theguardian.com/technology/2016/feb/04/twitter-leaving-us-in-the-dark-over-state-hacking-claims-activists-say

Sent on or just after 14 December, the notification warned: “As a precaution, we are alerting you that your Twitter account is one of a small group of accounts that may have been targeted by state-sponsored actors. At this time, we have no evidence they obtained your account information, but we’re actively investigating this matter.” The statement said Twitter had no additional information it could share, but said the attackers may have been trying to access users’ IP addresses, email addresses and phone numbers.

...

The group includes members of the French digital rights advocacy group La Quadrature Du Net, the US-based Seattle Privacy Coalition, the international digital rights organization Access Now, developers of the anonymity software Tor and other privacy activists and writers from Canada, Switzerland, Germany and Italy. One of the affected users is an activist tweeting about the war in Donetsk, another a journalist covering the German parliamentary investigation into surveillance by the US National Security Agency.

Anne Roth, one of the 50 activists targeted, has been advising the German Left parliamentary party as part of that investigation and had to gain security clearance for her government job. “It is my job to investigate activities of the ‘five eyes’ and probably not too far fetched to assume that this is of interest to different secret services,” she said.

I'm so glad our cyberwarriors are hard at work defending the 'Homeland' on our dime.

It would be simply terrifying if the morbidly obese MIC wasn't crushing dissenting voices decrying the Police state. Indeed, this is befitting of an NCIS episode where the TAO unit tracks down the filthy infidels before they can spread their 'terrorist' propaganda.

Bob Paddock • February 8, 2016 7:45 AM

@r

"I forgot, in addition to my grandmother I had another chance to use cipro directly and under prescription... And used it myself, no problems there either as far as I'm concerned and I took it 3-4 times a day for two? Months."

There are many people that do, take it many times, with no problems. Then one more time it affects their health. No one knows why. The problem is there is generally a delay between the taking of the medication and the problems showing up. Six months is common. Just long enough that people do not associate their now devastated health with the antibiotic they took six months ago. Problems with tendons or energy, often mistaken for Fibromyalgia, are the most common. CSF Leaks as yet have no medical research, and I am trying to change that.

Here is the actual data for Levaquin, 67 pages, ten pages are warnings. Cipro is 43 pages:

http://www.levaquin.com/sites/default/files/pdf/levaquin.pdf

http://www.fda.gov/downloads/Drugs/DrugSafety/ucm088619.pdf

Paper published last week:
Fluoroquinolone-related neuropsychiatric and mitochondrial toxicity

"I think you're link farming and thus revenue motivated just like the medical community..."

Please explain how? There are no ads on any of my sites outside of the book. The few cents made by people that buy Karen's Journal to give their doctors in print form, which is available on the web site to read for free, go to the Spinal CSF Leak Foundation. http://spinalcsfleak.org/

"You're a special interest fanboi imb."

Yes I am. I'm advocating for those that are too sick or no longer with us, killed by the Medical Establishment, and trying to educate people about dangerous drugs (I backed up my position with data from the FDA and recently published papers) that need to be removed from the market.

I wish you well with your and your grandmother's future health, may all be so lucky...


India Tech Successfully Fights American Bias • February 8, 2016 9:05 AM

Another One Bites the Dust

"Critics of India’s Facebook ‘Free’ Basics, which had been suspended while the regulator's consultation was continuing, include many of India's leading technology entrepreneurs, with activists describing it as a "poor Internet for poor people".
The TRAI's ruling was a clear victory for net neutrality advocates, who seek to prevent companies from restricting access to the Internet, with the regulator saying it had been "guided by the principles of net neutrality".
It added that it sought "to ensure that consumers get unhindered and non-discriminatory access to the Internet".
https://news.yahoo.com/india-regulator-deals-blow-facebook-internet-row-114811286.html

Facebook, Google, and the other Internet titans have ever more sophisticated and intrusive methods of mining your data, and that’s just the tip of the iceberg:
http://www.thedailybeast.com/articles/2016/02/08/scary-new-ways-the-internet-profiles-you.html

Rare Presentation from NSA Tailored Access Operations Leader • February 8, 2016 12:11 PM

“NSA tiger teams follow a six-stage process when attempting to crack a target…”

Doughnut Coffee & Facebook
“At the end of the day it all boils down to knowing your network, he said, and it’s vital that IT administrators pick up their game and get PARANOID about attacks.”

Snowden Reality
Ironically the crazies are the critics of tin foil hats… LOL!

Stingrays in War Zones or Stopping Addictions
Might I suggest military commanders and intelligence agencies ban personal cell phones from all premises? New Motto: Radio Silence Saves Lives!

http://www.theregister.co.uk/2016/01/28/nsas_top_hacking_boss_explains_how_to_protect_your_network_from_his_minions/

tyr • February 8, 2016 5:13 PM


@CallMeLateForSupper

Found this in the Krebs post comments:


"Mr. Freeze
February 8, 2016 at 5:40 pm

Probably not a big deal in a home setting. In a corporate environment energy savings can be significant if you can do climate control over the internet. It also can save maintenance staff a trip out to the workplace on the weekend if someone is there or an event is going on and room temperatures need to be adjusted."

I can't think of anything more wonderful for a corporate entity than having their building thermostats open a huge hole into the corporate networks. Maintenance will love the idea right up to the point their job disappears because of the data hemorrhage.

Just exactly how are the Security personnel supposed to be able to secure things when every randomly selected change of things beyond their control introduces new vulnerabilities and undermines any basis of maintaining safety?

It might be interesting to see how many of these are in the Fort Meade complex or have been installed in GCHQ as new wonderful money savers.

Tracking Your Own Internet Surveillance Instantly • February 8, 2016 5:19 PM

A Great Traceroute Tool Maps the Cities Where your Data Travels
Canada is having second thoughts about The Five Eyes membership in Violating Canadian Citizens Privacy Rights
https://www.ixmaps.ca/tour.php

My data goes through TeliaNet/Telia Sonera Europe and
VERSATEL Versat... in Germany

Does not look good!

ianf • February 8, 2016 6:51 PM


ADMINISTRIVIA posted FOR THE RECORD—others IGNORE (3k text)

Long story short: yesterday at 08:50 AM, one hitherto unknown Horte Pueblo posts a two-liner about some unheard of raccoon intestinal worm being a bioterrorism threat.

I read the referenced Wikitext, quote from it, declare it "hardly a tool for bioterrorism," and compare to the threat represented by the uncontrollably self-spreading zika-virus.

Soon I am being admonished by the worrywart to pause to think before posting, then lectured on the worm (no more bioterrorism though); decried that I probably am "an AI annoyance bot" (why, thank YOU!), and invited to “lick around various raccoon latrines and experiment with the results,” presumably because nothing beats HP's empirical knowledge of that. The excremental ad hominem arguments signal directly that he's a head case rager with no case. Case closed.

Only signal not to all… because Bob Paddock then pounces on this ready opportunity to argue with part of my Wikipedia quote, that it doesn't apply to his experience with “treatment of Plague and Antrax with Fluoroquinolone Antibiotics Levaquin, Cipro etc,” some of which, treatments or antibiotics, may or may not have contributed to the premature death of his wife, there, links aplenty. In whose name and memory he now raids various blog fora to spread his own omnidirectional rage at the pharma industry. Or something to that effect, don't ask me, because I have my own pet causes to promote, only not in this forum.


Another poster, Godel, then points out that stipulated "human ingestion of worm-contaminated soil or feces" does not "sound like a promising infection method for a bio [never mind terrorist] weapon."

    For that s/he earns a "Shill" badge, as said HP is unable to face any form of criticism. This is followed by direct—am pretty sure wholly unrequited—ass-kissing [feces et al?] of Clive and Nick P, whose "otherwise thoughtful commentary, worthy of being compiled into a sellable book" so contrasts with Godel's and mine presumably thought-devoid ones. I kid you not.

Then HP throws the entire to him known range of bio threat buzzwords at us: cultivation; formaldehyde; weaponized prions by the bushel; even a politically-correct madwoman hatching a plot, no doubt no less devious than the CIA-released whooping cough in Tampa Bay in the 1950s. The original charge of a bioterrorism weapon (in the form of appetizing lickable raccoon latrines) no longer rates a mention, not even in the concluding disclaimer of "responsibility for his suspicions." NOTED.

Meanwhile Bob Paddock rants on, while the unpronounceable "r” entity decodes him more or less correctly to be a link farmer. Farm on, only elsewhere.

BTW. anyone comes across remaindered book bins with those Clive's and Nick P.'s ETERNAL COMPILED BLOGPOSTS, give us a holler.

Bob Paddock • February 8, 2016 7:48 PM

@ianf and @r

My apologies.
I will refrain from posting links here in the future.

Clive Robinson • February 8, 2016 11:49 PM

@ Nick P,

Based on things you've said before I think you might want to add this one to your link farm,

http://www.imaging-resource.com/news/2013/02/26/not-so-secret-atomic-bomb-tests-why-the-photographic-film-industry-knew

I know it sounds mind boggling that a Gov would do that sort of thing, even back then but recent comments about the Flint water supply, makes the point it's still going on big time if your local area does not have big corporate muscle etc to keep the elected honest.

Clive Robinson • February 9, 2016 12:09 AM

As some readers will remember I occasionally warn about "resource wars" and the unexpected effects they can have. The two I normally mention are "energy" and "rare earth metals". And I've repeatedly mentioned that people should keep an eye on what China and Russia are doing in these resource wars and how they use them politically.

As you might also be aware some have been shall we say "sceptical" of resource wars and how they affect politics.

Well somebody has finally written a readable book on the subject of rare earth metals and their economic and political effects that you might find an enjoyable read. However rather than just give the details, I'll give a link to a review of the book,

https://literaryreview.co.uk/unobtainium

Clive Robinson February 9, 2016 1:26 AM

Is Wired losing the plot?

Wired is apparently tired of maybe 20% of readers visiting their site having "ad-blockers" on, thus they are going to throw the toys out of the pram and you either pay them $52/year or whitelist their site,

http://www.wired.com/how-wired-is-going-to-handle-ad-blocking/

The problem is they "don't get it" as to why many of the 20% have ad-blockers. It's not "the better browse speed experience" nor is it "the less interfering visuals" that make people use ad-blockers.

No... The term "ad-blocker" is a term promoted by the advertisers to somehow depict their victims as being the "anti-social" ones. One ad-ware executive has publicly called the use of ad-blockers an anti-constitutional crime because in his view you are preventing his "free speech rights"... Rather than the truth that he, like most criminals, wants to break into your private domain, steal your energy, bandwidth, CPU cycles and any PII he can get his thieving fingers on to enrich himself at your expense.

Ad-blockers are not "anti free speech", they are "anti intrusion" technologies to defend a user from digital theft and worse. They are very much the equivalent of Anti Virus and other Anti Malware technology.

But it gets worse, the definition these people use for "ad-blocking" is very broad... Don't have JavaScript enabled for good and proper security reasons? That's classed as ad-blocking. Similarly other very high security risk software such as Java, Flash and even Adobe Reader.

What these people are saying is that you should be as insecure as possible so that they can steal from you to their hearts content.

Wired are not alone in wishing to support "criminal enterprises" at your expense; other more popular OnLine systems have tried less intrusive methods of PayWalling and are now turning them off because readers left in droves.

The one that made me laugh was hearing about the UK's Telegraph, owned by the "Evil Duo" Barclay twins; they not only want you to pay a subscription to use their p155 p00r site, they have just stopped those who have subscribed from viewing unless they allow the "Evil Duo" to steal the subscribers' resources as well.

What these "you can't use ad-blockers" people don't realise is that they are kicking off a war of attrition for which there will be only one eventual loser: "them".

What will happen is that those who write the security software that stops the illegal advertising intrusion will simply find a way to make it appear to the website detectors that the ads are not being dumped. This will escalate just like the old ECM / ECCM / ECCCM technical war, and at each stage the reputation of these websites will go down, the users will decrease, and at some point either the site owners will wake up to the fact they are slowly committing suicide or they will succumb to their self inflicted wounds. It is at the end of the day their choice to live or die by what they do.

Scumvertising is a "dead man walking" business model; they chose at various times to use increasingly criminal acts to make money. Because the authorities chose not to respond effectively, as in the "Old Wild West" people have started to protect themselves against these "Robber Barons" and drive them out of town. The Barons may not be happy but they only have themselves to blame...

There are other revenue raising methods that work, that don't hurt your reputation by aligning yourself with the criminals. Perhaps the Wired management should think about how to go about implementing them rather than continue the "gallows walk" as "partners in crime" to the Scumvertisers...

doctor slock February 9, 2016 3:36 AM

Hotmail and Outlook are down for users across the world ATM. Some users said they got a message it was attacked and to reset passwords, some just to reset passwords, and some can't connect at all.

Another marvellous transition care of Microsoft.

Thoth February 9, 2016 6:52 AM

@Clive Robinson, Nick P
Wired was on my reading list (as a respected site I visit) but I simply click the (X) button and it's gone :) .

Why not do the reverse instead? We don't need someone to throw their problems and weight around. There are better technology news sites out there besides them.

I discussed with @Nick P a while ago (probably last year).... or maybe my memory lapses (I wonder) regarding a higher assurance web browser (albeit the locked down state it presents).

Switching OSes to command line terminals running off an Arduino or RPi running a microkernel wouldn't be here for a while, and not many people would tolerate running news readers on black and green terminal consoles off a security microkernel OS with some command line news reader.

Trying to get chips to do it right is even harder as there are too many things and too much resources into the chip business so that's another area that's hard to get in and get right.

What is probably left on the table for now for the rest of us is using the utility around us and some higher assurance techniques like application and code firewalls, microkernels and readily available consumer ARM chips (hopefully with security stuff like ARM TrustZone or SecurCore). Of course if you guys have the 1970s or 1980s old chipsets that are still working, all the better but the fact is not many of us have them.

A browser built from the ground up with security mechanisms like internal software firewalls and correctness checking created using Haskell for its core (probably compiled to a verifiable C language or executable) would be a good step forward. Adding security measures (i.e. no direct memory or filesystem access) would make it easier to control attempts to do direct resource access attacks that most browsers are not designed to protect against. Additional security plugins to easily spoof HTTP headers, scan incoming network traffic, script blocking and script spoofing to bypass aggressive anti-script block measures to force users to lower their browser's defenses would be highly desirable. Control of cookies by binding cookies to their issuing website and not allowing other websites to request any other cookies other than theirs (unless allowed by owners) and cookie sanitization and other forms of sanitization would also be highly desirable.

The better method is to personally segregate different access methods according to a military style of security (Restricted, Confidential, Secret, Top Secret) in a personalized way and to have a computer for each level of security, but this would be very difficult to manage and very difficult to implement for ordinary users, so I guess for now the better method is cleaner code with security baked right into the core.
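
The cookie-binding rule sketched in the comment above, worked through as an added example (not code from Thoth or from any browser project): a cookie jar that keys every cookie on the exact origin whose response set it, ignores the Domain and Path attributes on purpose so no response can widen its own cookie's scope, attaches nothing to a third-party request unless the user has allowed that origin, and rejects values that would carry control characters into storage. The class and function names (BoundCookieJar, origin_of) and the sample origins news.example and ads.example are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# RFC 6265 "cookie-octet": printable ASCII minus controls, space, DQUOTE, comma, semicolon, backslash.
_COOKIE_VALUE = re.compile(r"[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*")
# HTTP token characters, used for the cookie name.
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def origin_of(url):
    """scheme://host[:port] of a URL; the unit every cookie is bound to."""
    p = urlsplit(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        raise ValueError(f"not an http(s) URL: {url!r}")
    origin = f"{p.scheme}://{p.hostname.lower()}"
    return origin if p.port is None else f"{origin}:{p.port}"


class BoundCookieJar:
    """Cookie store that binds each cookie to the origin whose response set it."""

    def __init__(self, allow_third_party=()):
        self._store = {}                          # issuing origin -> {name: value}
        self._allow = set(allow_third_party)      # origins the user chose to allow as third parties

    def set_cookie(self, response_url, set_cookie_header):
        """Store one Set-Cookie header under the responding origin.

        Domain and Path are deliberately ignored: the binding is always the exact
        issuing origin. Returns False for a malformed header or a value carrying
        characters outside the cookie-octet set (e.g. an embedded CRLF).
        """
        pair = set_cookie_header.split(";", 1)[0]
        name, sep, value = pair.strip().partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]                   # quoted cookie-value form
        if not sep or not _TOKEN.fullmatch(name) or not _COOKIE_VALUE.fullmatch(value):
            return False
        self._store.setdefault(origin_of(response_url), {})[name] = value
        return True

    def cookies_for(self, request_url, top_level_url):
        """Cookies a request may carry.

        Only cookies issued by the request's own origin are ever returned, and a
        third-party request (origin differs from the page the user is on) gets none
        unless the user explicitly allowed that origin.
        """
        target = origin_of(request_url)
        if target != origin_of(top_level_url) and target not in self._allow:
            return {}
        return dict(self._store.get(target, {}))


if __name__ == "__main__":
    # Constructed sample traffic: a news page sets a session cookie; an embedded
    # ad server tries to set a tracker scoped to the whole parent domain.
    jar = BoundCookieJar()
    jar.set_cookie("https://news.example/", "session=abc123; Path=/; HttpOnly; Secure")
    jar.set_cookie("https://ads.example/pixel", "track=42; Domain=.example; Path=/")
    print(jar.cookies_for("https://news.example/article", "https://news.example/"))  # the page's own cookie
    print(jar.cookies_for("https://ads.example/pixel", "https://news.example/"))     # third party: nothing
```

The Domain attribute is the usual way a cookie escapes its issuer; dropping it at storage time, rather than checking it at send time, means a sloppy site cannot accidentally share state with every sibling host either.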

BillW February 9, 2016 7:16 AM

I've started switching my browsing machines to Qubes. Browsing from a disposable VM with user agent randomization and optional VPN and/or Tor seems like it should be pretty good.

Cheers

BillW

Thoth February 9, 2016 7:24 AM

@BillW
Qubes is a good "Secure OS" to use, but the problem is the use of the Xen hypervisor; Xen has not been very clean in terms of security nor built with security from the core, but after all that is one of the more practical "Secure OS" in terms of availability for now. A better hypervisor technology built with security in mind from the Genode project would be a very good option for them to look into.

ianf February 9, 2016 7:54 AM


@ Thoth rhapsodizes over […] “a browser built from the ground up with security mechanisms like internal software firewalls and correctness checking created using Haskell for its core (compiled to a verifiable C language or executable)… security measures to control attempts to do direct resource access attacks… security plugins to easily spoof HTTP headers, scan incoming network traffic, script blocking and script spoofing to bypass aggressive anti-script block measures to force users to lower their browser's defenses would be highly desirable. Control of cookies … and cookie sanitization.

There is such a browser, it's called Pipe Dream, and it works wonders. Unfortunately, it doesn't fit in its developer parent's company intent to continue being a part of the business community, which sees end-user customers (here of any browser) as just one of many revenue streams on which businesses depend to maximize their profits. Because, let's face it, all these security extras that make Pipe Dream such a fast, end-user-friendly (indeed, user-protective) browser, are highly unfriendly to derivative third-party abuse. So the Pipe Dream browser remains a pipe dream, while the competent independent hardware and software-capable hackers keep dreaming up ever newer, clever, theoretically safer ways to do business—if only there was a tool to do it with.

Gerard van Vooren February 9, 2016 8:24 AM

@ Thoth,

A browser built from the ground up with security mechanisms like internal software firewalls and correctness checking created using Haskell for its core (probably compiled to a verifiable C language or executable) would be a good step forward.

If I remember correctly, in 1999 Microsoft had 1000 people working on IE6. They beat Netscape simply by manpower. The problem with browsers is that a browser is an OS on its own. There are so many protocols and file formats (and they keep on coming) that it's just impossible to make something that comes even close to Firefox, Chrome or IE, no matter what language it is written in.

Okay you say, then just use a subset of the web or even create a new one. Well, who is using that web in that case? It's a chicken-and-egg problem. What can be done to solve this problem? I don't know, but I do know that I won't be seeing a browser written in Haskell, Rust or whatever anytime soon (my choice of safe language would be Ada and/or Go btw). And even the safest browser doesn't solve bugs in protocol specs.

Nick P February 9, 2016 11:49 AM

@ Clive Robinson

re nukes

Pretty strange I had never heard of that one given the testimony from late 90's. Mind-boggling that only the film industry was allowed to know. This also reiterates that they'd kill many Americans for their military and political agenda. This is a point Americans refuse to swallow in discussions of conspiracies and so forth. Yet, federal and local governments have consistently shown a willingness to murder their own citizens... usually slowly... to achieve the goals of a few. This is yet another piece of evidence of that and more detail of our nuclear program.

re Wired

Well, it's a legit response given people know ads pay for the site. People want the sites to deliver their part without them doing theirs. Now, trying to dodge the ads for whatever reasons is fine. People just can't expect that would happen without industry responses. Turning off cookies led to Evercookies. Adblock increasing led to Fuckadblock. And the game continues.

I like the idea Google is testing where you subscribe to their ad network, which covers lots of ads, then it serves you your own ad whenever it sees you. So, you kind of pay into the existing system directly to avoid 3rd party stuff but without a new model like Patreon. Not sure if they've rolled it out further. Original reference was here.

@ Thoth

A browser written better would be nice. Haskell would be overdoing it as we're not sure how to secure Haskell yet. ;) Good architecture with a safer, imperative language plus the usual assurance techniques would be fine. As far as architecture, I think IBOS comes closest to what you're wanting, where the result is sort of an OS and a browser at the same time. Here's a list for those interested in secure browsers:

The DarpaBrowser

Note: Combex does capability-based security, came up with PowerBoxes IIRC, and builds on the E language a lot. Smart folks.

Designing and implementing the OP and OP2 web browsers

Note: Chrome was based on OP but weakened for performance.

The multi-principal OS construction of the Gazelle web browser

Note: Microsoft Research shows they got more brains than the rest of the company as usual. ;)

Tahoma - A safety-oriented platform for web applications

Note: Virtual machine approach that applies to entire web applications.

Trust and protection in the Illinois Browser Operating System (IBOS)

Note: From the same university as OP, IBOS aims to further reduce the TCB by eliminating most underlying code and mapping web abstractions directly to hardware. While I originally worried about that, the recent research on hardware/software combos might make such systems easier to secure given they're close to protection mechanisms.

So, y'all have fun with those. :)

@ Gerard

"I don't know but I do know that I won't be seeing a browser written in Haskell, Rust or whatever anytime soon (my choice of safe language would be Ada and/or Go btw)."

The "soon" part might still be true but there's effort underway: the Servo project. It's a Mozilla effort to write a browser engine in Rust. Results from that are feeding back into Rust itself. Then, there are links above you may find interesting where some focus on reducing or eliminating the TCB while using and mediating unsafe components.

BoppingAround February 9, 2016 12:42 PM

Clive,
> One ad-ware executive has publicly called the use of ad-blockers an
> anti-constitutional crime because in his view you are preventing his "free
> speech rights"

Whoa. That's some heavy BS. Their right to 'free speech' does not mean I have
to listen to them.

Figureitout February 10, 2016 1:19 AM

Clive Robinson
It uses @Figureitout's favoured Arduino.
--You should see the difference b/w when I enable that site and when I don't lol (pure garbage vs page finally rendered, strike 1 lol). Note how I generally don't take interest in payment tech., lost it when I stole from people way too simply. I promote Arduino b/c it's most fun when you have people developing on the same platform instead of me posting a project maybe 2 people will build (other boards). I love developing on pretty much any dev. board though so long as I have access to internal docs. The "sodnpoo" code has a "malicious" taste to it b/c it doesn't explain itself much, one can read it but still missing critical comments.

If you have the energy, can you tell me why you ignore my requests for secure code? I won't bug you in other ways etc. (I don't play "the games" anymore, too much to do).

ianf February 10, 2016 3:29 AM


@ rrrrrrrrrr, Re: When birds attack

Sheer stupidity. I refer you to my response to Jacob about the I/O of birds and drones.

PS. What's that you're asking pita for forgiveness for? ("Forgive me pita, birds…"). As Brüno said, it's not the Hamas, but the pita that is the problem in the ME.

Thoth February 10, 2016 3:55 AM

@all
The planned future of banking, financial and governmental authentication modes is predicted to heavily rely on biometrics. The use of biometrics would bring insecurity worse than pins and passwords due to the fact that you have a fixed set of biological data (fingerprints, vein patterns ...etc...) whereas for pins and passwords, you still have a chance of resetting and changing them during compromise or, for security paranoid individuals, to have complex passwords. Once the switch to massive use of biometrics comes in the coming years for all kinds of authentication services, the boom for the next generation of exploits by lone wolf attackers to state actors would make systems even more insecure. You wouldn't be able to strengthen your security like you can do with complex pins and passwords since your biometric data is you, and once a breach occurs on a biometric database, you cannot change them like a password or pins.

Most nations are also collecting travellers' and citizens' biometric data, which would enable state level hacking via using a travelling government agent's biometric collected at the airport for impersonation into government biometric authentication systems.

The more secure choice of biometric authentication (if there is simply no way of escaping biometric insecurity proliferation) would be to do the authentication directly on the secure element (smart card chip) by equipping the smart card with a thin biometric sensor that has a direct line to the smart card chip, using the biometric from the sensor to unlock the smart card chip's PKI key.

Link: http://www.secureidnews.com/news-item/trends-for-biometrics-in-financial-services/

Gerard van Vooren February 10, 2016 4:46 AM

IPFS is a new protocol that is quite interesting to follow.

From their site:

IPFS is The Permanent Web. A new peer-to-peer hypermedia protocol.

This protocol addresses quite a few problems we have today. Most notably it deals with missing data (because a site gets off-line for instance) and it deals with latency.

This video is quite interesting to watch.

Also, they solve the problem of adoption by just making it compatible with the current protocols. IPv6 for instance isn't compatible with IPv4, which made switching to IPv6 extremely hard. IPFS can work transparently with today's protocols, so the adoption could be painless.

(IPFS is still in Alpha release state guys -- use with caution -- but developers please keep an eye onto it and if possible contribute and test it)

Clive Robinson February 10, 2016 6:55 AM

@ Thoth,

The use of biometrics would bring insecurity worse than pins and passwords due to the fact that you have a fixed set of biological data...

There are a couple of reasons why Governments in particular want this.

Firstly, people are waking up to the fact that "digital authentication" by something "you own" or "you know" is fairly pointless. Because the cost of "copying" is close to zero as are man in the middle and shim / endrun attacks, thus the moment you use your authentication it's probably compromised.

Thus as a "defendant" you have a degree of deniability, which brings the burden of proof below the "beyond reasonable doubt" bar.

Thus although your "mobile phone" might have been "got at" whilst you were asleep etc, it's a bit hard to argue somebody borrowed your eye whilst you were asleep.

Whilst to someone with technical knowledge bio-metrics are less secure than say a token or password/pin it's difficult to explain this to a jury and expect them to actually understand it correctly.

The second and arguably more important reason is "money". It's become clear that it's only the poor and unprepared that give Governments the "tax take" that politicos can then use to bribe the electorate to vote for them.

Thus getting every single penny they can is important to the politicos staying in power and --like certain civil servants-- getting the "alternative tax" from lobbying etc. they use to feather their nests.

If all bank accounts have bio-metrics, then linking accounts together is much much easier; a DB search on the bio-metrics will give links or probable links between them, which makes "hunting for tax or fines" a lot easier, and importantly the ability to assign contracts for the equipment and services means "nest feathering" becomes oh so much easier.

Thus a third reason: those controlling the records gain considerable power over those in the DB. It's the sort of power that rightly scares people, and as US congress critters found with a shock when it became clear their private --conspiracy-- conversations with Israeli government representatives were not exempt from the NSA/FBI, a few realised that there is now leverage against them... Bio-metrics give this sort of exploitable power, and you don't know who has it to hang over your head at any time and place of their choosing...

Oh and remember the normal scannable bio-metrics, whilst they can not be used to link you directly to your relatives, can be easily linked to your DNA at some point, thus your family blood lines, genetic ailments etc. To insurance and medical organisations this info is worth more than its weight in gold...

JG4 February 10, 2016 8:35 AM


The movie The Sixth Day has an entertaining biometric scene in it that is relevant to the discussion. There is or was a company in Albuquerque that used near-infrared spectral information to verify that the fingerprint being scanned was connected to a live person. It was a spinout of Rio Grande Medical Technologies, which was bankrolled by J&J. The name escapes me, but it may be in the e-book that I linked some time ago. The link was at Dave Mendosa's low-carb website. Low-carb is the way, the truth and the life, if you are genetically predisposed.

CallMeLateForSupper February 10, 2016 10:56 AM

@Clive

The Wired article you linked was news to me. How had I missed it? After reading your post I went for another look. Nope, not there. I guess Wired detects my Privacy Badger and NoScript and considers me a lost cause, a persona non grata. (Logical on the one hand, illogical on the other.)

I, too, bristle at the flat statement that those browser extensions are ad blockers, because it falsely concludes that I use them to block ads. I don't. I use them to block bottom-feeder scum who deliver ads and graphics with one hand while collecting "visit" information with the other, information which they later sell. Maybe not all ad placers fall into that category - I don't know - but there is no way for a mouse-clicking user to know which ones do. So we users who reject the uncharted, undisclosed, unregulated, unaccountable cesspool that is ad placement today proactively use tools to stymie the bad actors. If doing that also hurts moral ad placers (if there is such an animal), then so be it.

Thoth February 11, 2016 4:26 AM

@all
How to bypass necessary warrant applications to spy on civilians and others. The answer is to simply nail a webcam to a telephone pole pointed at whomever you want to survey and that is considered legal.

Your safety boundary now becomes smaller as the exterior of your house (lawn, garden ...etc...) is considered open for public viewing if the viewing is done from the outside of your premise.

Pull down the heavy curtains in your house and plant more robust big trees to surround your house (or sturdy potted plants) to protect your privacy.

Link: http://arstechnica.com/tech-policy/2016/02/feds-nail-webcam-on-utility-pole-for-10-weeks-to-spy-on-suspect/

Thoth February 11, 2016 4:51 AM

@all
James Clapper has hinted at the probable use of IoT devices to spy on everyone. Beware of your Fitbit and "smart" betrayal device.

Do not use the following if you can:
- RFID/NFC/BLE communication especially payment if possible (VISA PayWave and those culprits)
- Fitness gadgets
- VR goggles with unknown electronics
- Biometric devices (use PINs and passwords)
- Smart home apparatus

With the above said, you are still not safe, as you will still be surrounded by IoT devices: people around you or infrastructures around you are using those IoT chips. Smart meters with FPGAs or some special modules to act as listeners, smart lamp posts or telecoms posts with weird looking devices beside the city surveillance cameras .... IoT is the Interwebs of Terror !!!!

Link: http://arstechnica.com/tech-policy/2016/02/us-intelligence-chief-says-iot-climate-change-add-to-global-instability/

Clive Robinson February 11, 2016 5:55 AM

@ Figureitout,

If you have the energy, can you tell me why you ignore my requests for secure code?

Not ignoring, pondering...

I'm unclear not just as to what you want but of what use it would be to you, in comparison to the underlying rules I've posted several times in the past.

As I've indicated in the past you have to consider the whole computing stack, not just parts of the software stack.

Which means you have to consider a whole design from the power source up through user, management, legislators and beyond (an example of this is Bruce's comment on the AT&T CEO's verbiage just yesterday).

Code rarely shows "the reachdown" effect from upper layers downwards, as that is largely what abstraction through specifications, APIs and the like is all about. Likewise the opposite applies as well, where a design choice has influenced the use of not just the code but the toolchain as well (think randomising library calls etc).

Further, a lot of the code I write is at the assembler level and lower, and is very much tied up with bespoke custom hardware[1], which would make it of little use without a lot of other information. For instance you might know that the 6502 is alive and well inside various SoCs but... in an extended form with additional instructions that are considered "not for public knowledge", likewise 8052 derivatives. Oh and of course Intel's oh so secretive management engine... But you can also see it in more public silicon; have a look at the history of ARM chip status flags.

The simple fact is if you decap a SoC you will find state machines and CPUs intimately bound into what the data sheet just calls peripherals and you communicate with through "letterbox registers and stacks". If you have leverage you can get the code for these hidden CPUs augmented to give new functionality. An example of this is Motorola who supply mobile radio network interface electronics. It's fairly well known that it has a "Java CPU" you can program; what was virtually unknown is that peripherals in the device could have their hidden CPUs reprogrammed. This happened when the US Gov made a legislative requirement for GPS. Knowing about it but getting them to acknowledge it so the same change could be done for other reasons was to say "a task of Sisyphus" and then paperwork and "special technical arrangements"...

But even ignoring this there are other issues where the design for security is not visible in "user code". For instance the how and why of interrupts and spreading sequences. Time based interrupts are such a security weakness that trying to get around the side channels they enable is a major nightmare. One design I was involved with used a TRNG to change the interrupt time (ie dither). To stop the "drunkard's" random walk going into "road kill territory" the values were fed into a number of digital lowpass filters with between five and thirty delay elements to in effect implement a tracking loop that would steer the drunkard's walk by the occasional step added to the TRNG. But... There was an added twist: if the drunkard did not walk towards roadkill territory every so often it would be given a kick in that direction based on the output from a highpass filter on the TRNG and a RTC. This design was effectively invisible to those writing user code; they were just told time resolution was 1/20 of a sec and to live with it. Thus seeing the user code would not tell you anything other than the "clock was crap". Likewise looking at the interrupt code would give you the feeling that the developer was on acid or something. Even seeing both would not help you unless you had seen similar before or had seen the "secret requirements specification".

So I'm not sure what you would have gained from looking at several pages of the code, that was not better explained by the above paragraph...


[1] As you have found, getting information about SoC internals is difficult at the best of times; it's not just NDAs but leverage[2]. The problem, as the designers of the Raspberry Pi have found, is that whilst the leverage may get you the information, it often does not unshackle what the silicon manufacturer will let you do with the information... The reasons for this are usually not said, but if you hunt back on this blog you will find comments from RobertT as to why only the chips are "allowed on shore" in various jurisdictions, and why nothing, not even the "chip number", is allowed into the US. And why the US --submarine etc-- patent system is largely responsible and why Obama has a hardon for TTP and WTO treaties.

[2] In the past I've found "silicon defects", fully characterised them and provided test harness details and results. This did not really get me very far going through the usual tech channels. But because of who I was working for at the time, the MD picked up the phone and made one five minute call to the sales people at the manufacturer, and because they knew what was on the line the company had significant leverage, such that the chip manufacturer management realised that "bullshitting off" was not an option. Thus they leant on people on the tech side very firmly, and the techs made on chip changes using various interesting tools to make the required circuit changes, packaged the fixed silicon and got it halfway around the world in less than ninety hours. You can imagine my surprise to get a "home visit" from the senior sales guy of the silicon supplier and the badly jet lagged lead tech guy very early one morning, who then got me into the office very quickly and sat with me and went through the tests, which we got out of the way before the 8:30AM start of play in the office.
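
The interrupt-dither scheme described in the comment above, worked through as an added simulation (not Clive's code, and not taken from any real product): a TRNG-driven random walk on the timer period, a lowpass filter over the last few offsets acting as the tracking loop that steers the walk back toward nominal, a hard guard band so the walk never reaches "road kill territory", and an occasional outward kick when the walk has hugged the centre for too long. The TRNG is replaced by random.Random(seed) so a run reproduces; the loop gain, tap count, guard band and quiet-run limit are constructed values, and the kick's trigger and sign are a simplification of the highpass-filter/RTC rule in the post. The defender's reason for all this is side-channel resistance: a fixed-rate timer interrupt hands an observer a stable clock, while a dithered one keeps the advertised average rate but makes the instant of any given interrupt unpredictable from the previous ones.

```python
import random
from collections import deque

NOMINAL_MS = 50.0    # what user code is told: 1/20 s resolution
MAX_DEV_MS = 10.0    # guard band; "road kill territory" starts beyond this
TAPS = 8             # lowpass delay elements; the post says five to thirty (constructed choice)
GAIN = 0.2           # loop gain steering the walk back toward nominal (constructed)
QUIET_LIMIT = 40     # ticks spent near the centre before a deliberate outward kick (constructed)


class DitheredInterruptClock:
    """Timer-interrupt period with TRNG dither kept on a leash by a lowpass tracking loop.

    `rng` stands in for the hardware TRNG; pass random.Random(seed) for a reproducible run.
    """

    def __init__(self, rng):
        self.rng = rng
        self.history = deque([0.0] * TAPS, maxlen=TAPS)   # delay line of recent offsets
        self.offset_ms = 0.0                              # current deviation from nominal
        self.quiet = 0                                    # consecutive ticks with a small offset

    def next_period_ms(self):
        step = self.rng.uniform(-1.0, 1.0)       # raw TRNG step: the "drunkard's walk"
        drift = sum(self.history) / TAPS         # lowpass output: where the walk has been drifting
        steer = -GAIN * drift                    # tracking loop: nudge back toward the centre

        # Count ticks spent hugging nominal. A long quiet run would make the jitter look
        # like a narrow band around a fixed clock, which is exactly what an observer wants.
        self.quiet = self.quiet + 1 if abs(self.offset_ms) < MAX_DEV_MS / 4 else 0
        kick = 0.0
        if self.quiet >= QUIET_LIMIT:
            # Simplification of the post's highpass-filter/RTC trigger: after a quiet run,
            # kick the walk outward with a sign drawn from the TRNG.
            kick = (MAX_DEV_MS / 2) * (1.0 if self.rng.random() < 0.5 else -1.0)
            self.quiet = 0

        proposed = self.offset_ms + step + steer + kick
        self.offset_ms = max(-MAX_DEV_MS, min(MAX_DEV_MS, proposed))  # hard guard band
        self.history.append(self.offset_ms)
        return NOMINAL_MS + self.offset_ms


def simulate(seed, ticks):
    """Periods (ms) of `ticks` successive interrupts for a given seed."""
    clock = DitheredInterruptClock(random.Random(seed))
    return [clock.next_period_ms() for _ in range(ticks)]


def jitter_fraction(periods, tol_ms=0.1):
    """Share of consecutive interrupts whose periods differ by more than tol_ms.

    A fixed-rate timer scores 0.0: every period is predictable from the last one.
    """
    pairs = list(zip(periods, periods[1:]))
    return sum(1 for a, b in pairs if abs(a - b) > tol_ms) / len(pairs)


def summarize(periods):
    """Average rate, excursion bounds and unpredictability of a period sequence."""
    return {
        "mean_ms": sum(periods) / len(periods),
        "min_ms": min(periods),
        "max_ms": max(periods),
        "distinct": len({round(p, 6) for p in periods}),
        "jitter_fraction": jitter_fraction(periods),
    }


if __name__ == "__main__":
    print("fixed clock   ", summarize([NOMINAL_MS] * 2000))
    print("dithered clock", summarize(simulate(1, 2000)))
```

Seen from user code the mean period still comes out at the advertised 1/20 s and never strays past the guard band, which is why the only visible symptom is that the "clock is crap"; the interrupt handler, by contrast, carries a random walk, a filter bank and a kick rule that make no sense without the requirement behind them.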

Clive Robinson February 11, 2016 6:25 AM

@ Thoth,

The answer is to simply nail a webcam to a telephone pole pointed at whomever you want to survey and that is considered legal.

The answer to this is...

A reflecting telescope to collimate and a high power IR laser diode pulsed randomly around 1/3 of the frame rate.

At the very least it screws with the AGV, at the worst it burns things out in the camera.

The device I built used three lasers, one IR, the other two visible light red/green, just in case some dork decided to fit more robust IR filters.

When the "techs" turned up to find out why the camera was not working a crowd materialised with cameras and microphones and gave them a real hard time. The police who turned up got the same treatment. It very nearly caused a riot the first time, the second they wised up a bit.

The thing is cameras are only safe from physical attack if they form a ring watching each other. Take the vision out on one and the ring is broken, then plastic bags or tire with straw fuel oil and a home made "matchbook time delay igniter" take care of the others.

It's a resource/attrition game which with a little thought the perps will win over the authorities.

The classic of this was the "Denver Boot" wheel clamp and Parisians who regarded "super gluing" the padlock a "civic duty" for "liberty"...

In the UK there are "Smart Cars" equipped with "parking cameras"; shortly after they first appeared "there were problems" and they had additional CCTV cameras mounted on them so that anybody within 50 meters got recorded "just in case". However it's noticeable how they now avoid certain areas where they can get "boxed in", where they become very vulnerable to pedestrians and cyclists, who might find it "fun" to roll such unstable vehicles on their side in just a few seconds and "trap the driver" etc...

Clive Robinson February 11, 2016 9:59 AM

Moores law hits the buffers

It's official, the industry bodies have decided that doubling down on transistor size every couple of years is no longer viable,

http://www.nature.com/news/the-chips-are-down-for-moore-s-law-1.19338

Long-term readers will know this is of no surprise to me at all, and that I actually expected it to happen half a decade ago due to "heat death" issues, as well as speed of light issues.

It will be interesting to see what direction the industry goes in. My small wager for some time has been on multiple simplified, more distributed on chip CPUs with their own local memory --which does not really suffer the heat issue-- on a high speed switching architecture. Of course this kind of sounds the death knell on "sequential only" programming, which might sound drastic to some but is not really that much of an issue with a little planning and support from tools.

With a little care parallel programming via compute nodes on a switching matrix is fully scalable to whatever size you can power and keep cool. This was well understood back in the days of the Transputer chip, and the reality has not changed in that time.

It appears that Google might be planning for this with their own comms based 32bit RISC style CPU,

http://www.phoronix.com/scan.php?page=news_item&px=Google-Lanai-Architecture

Robert GFebruary 11, 2016 11:37 AM

@Thoth

How to bypass necessary warrant applications to spy on civilians and others. The answer is to simply nail a webcam to a telephone pole pointed at whomever you want to survey and that is considered legal.

Likely to so remain. They have been showing "two cops" in a car in front of a suspect's house for years, but how often do neighbors not see "two anyone" in a car and not be instantly alerted?

Might be illegal if you can prove they are using it to zoom into the house.

The other threat vector there is laser/infrared/'simply seeing into the house'. Researchers already proved a few years ago they can reconstruct speech from the minor fluctuations in the foil of a bag of potato chips.

@Thoth, Clive Robinson

re attacking the camera post

That is very entertaining and clever, but it leaves out the problem of detection.

In general, I think it is almost always the best tactic to studiously ignore surveillance of any kind. But the purpose of that is to drum into surveillance a routine, mind numbing, 'do nothing' schedule.

Or to otherwise use surveillance against them.

The 'do nothing' schedule, as I am sure Clive knows, is then easy to use to break surveillance when and how one wants to. The general principle is to get them to 'cry wolf' so often in their minds, they are deeply numbed by the daily, weekly, monthly consistency. It is a powerful block to break out of.

Many of these cameras, of course, are trivially hacked. Most will transmit continuously. I would suspect most actually rely on unprotected wifi. Which as everyone knows here is bizarrely difficult to protect in the first place.

Otherwise, they are rarely password encrypted or in any way encrypted, and can be viewed if the proper frequency is found and they are using a standard modulation format. If the frequency is found, it is really game over, regardless of the modulation format.

Probably some of these cameras use burst transmission of somesort. Drive by, fly by, sat by, pick up the information.

Not entirely useful, unless your agenda is to fingerprint and detect other instances of the same system elsewhere.


If people recall, the FBI surveillance planes were detected, with their flight patterns, because some ADS-B/FlightAware hobbyist noticed a curious discrepancy in the logs, had access to historical flight data across a wide variety of cities (which I would guess is public access as these systems tend to be), and cross referenced the company name of the planes. I believe he proved it by a slip in some court documents online.

Probably, the suspicious flight patterns over protest areas tipped that person off initially.


Look for the lost coin where you lost it. Not where it is most convenient.


If anyone is serious about messing with unlawful surveillance, I would suggest working out, on paper, brainstorming, and really working through the details of what possible ways that surveillance could be used for disinformation against the surveillour.

Consider, as long as it is not too outlandish, they are going to be primed to believe whatever they see and hear. And, as long as they have zero suspicion they are detected.

This would require understanding 'who' they likely are, and 'what' their agenda likely is.


Also what comes to mind on the attack on cameras. This material does show up often in television shows from America and movies. No small reason for this sort of thing is that giving television folks tips is a primary way to help get some "take" from their "give".

It would be very, very difficult to write shows about cops, spies, criminals without expert advisors who have really meaty tips.


Robert GFebruary 11, 2016 11:54 AM

@Clive Robinson

re Moore's Law post


Thank you for the tips and your opinion. Good to hear that from a guy who knows his hardware.

I have been playing with the idea of distributed systems for a few decades now, but except for work in distributed network software systems have never gotten around to digging into it. Largely because of cost.

Lately, I've had more systems than I know what to do with, and obtaining more is trivial. So then what comes is software use case scenarios.

Usually I have to justify this economically. There is kickstarter, so one can prototype any crazy thing. I can get security conference material, which provides a lot of options. I suppose there could be use case scenarios for making interesting youtube videos, enough to actually get a channel going. Or sell devices. (Not my favorite option, but most devices and material accessible is easy to get quantity of. Probably a breaking point between hand soldering and getting something manufactured.)

There are bitcoin creation options. Not sure if I am not a bear there.

And making money just for money is pretty boring. Removes the hobby fun from it.

Probably could come up with some system that could process or provide interesting data to smartphones. Sell the smartphone app, provide the backbone as part of the infrastructure.


But, there are so many options.


Nick PFebruary 11, 2016 12:06 PM

@ Clive Robinson

Another example would be cryptographic code. The protocol engine people might be able to follow. The cryptography of something like NaCl involves odd math operations and timing channel mitigations. It wouldn't be clear what it was doing unless you knew what it was doing. So, a description of requirements, components, how each works, and how they tie together is required in addition to code. Like the high-assurance certifications required.

Of course, there are still INFOSEC people on HN and elsewhere that think needing precise requirements, specs, and code was just about piling paperwork for money. :)

Note: Figureitout rejected Tokeneer and other examples I gave him for essentially arbitrary reasons. So, he has hidden criteria behind his request for code that he's not giving you. He will also talk about unrelated problems as a way to dismiss whatever you bring up. Giving him code will not satisfy him.

re Moore's Law

You did see the quantum FPGA I posted, didn't you? If not, I'll repost it. Great advances in an interesting direction.
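As an added illustration of the timing-channel point in the comment above (example code written for this edit, not NaCl's source and not anything posted in the thread): a leaky early-exit byte comparison beside a constant-time one in the style of NaCl's crypto_verify functions, plus a branch-free select. The 16-byte tag length, the sample tag bytes and the `bytes_examined` counter are constructed here so the leak is visible without a stopwatch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TAG_LEN 16  /* MAC-tag length chosen for the example */

/* Leaky comparison: returns at the first mismatching byte, so the number of
 * bytes examined (hence the running time) reveals the length of the matching
 * prefix. bytes_examined exposes that count for the demonstration. */
int naive_equal(const uint8_t *a, const uint8_t *b, size_t n,
                size_t *bytes_examined)
{
    for (size_t i = 0; i < n; i++) {
        if (a[i] != b[i]) {
            *bytes_examined = i + 1;
            return 0;
        }
    }
    *bytes_examined = n;
    return 1;
}

/* Constant-time comparison in the style of NaCl's crypto_verify_16/32:
 * every byte is visited, each XOR is OR-ed into one accumulator, and the
 * accumulator is collapsed to 0 or 1 arithmetically, with no data-dependent
 * branch. Returns 1 when equal, 0 otherwise. */
int ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    /* diff == 0 : (0 - 1) wraps to 0xFFFFFFFF, bit 8 set after the shift -> 1
     * diff != 0 : (diff - 1) < 256, shifted right by 8 gives 0            -> 0 */
    return (int)((((uint32_t)diff - 1u) >> 8) & 1u);
}

/* Branch-free select: returns a when flag is 1, b when flag is 0.
 * Constant-time code uses this instead of `if` on secret-derived values. */
uint32_t ct_select(uint32_t flag, uint32_t a, uint32_t b)
{
    uint32_t mask = 0u - (flag & 1u);   /* 0xFFFFFFFF or 0x00000000 */
    return (a & mask) | (b & ~mask);
}

/* Constructed "expected" tag used by the probes below. */
static const uint8_t EXPECTED[TAG_LEN] = {
    0x5a, 0x13, 0x77, 0x02, 0x9c, 0xe1, 0x40, 0x3b,
    0x88, 0x1f, 0x6d, 0xa5, 0x0e, 0xc7, 0x29, 0xf4
};

/* Builds a candidate that differs from EXPECTED only at byte `pos`
 * (pos >= TAG_LEN means an identical tag). */
static void make_candidate(size_t pos, uint8_t out[TAG_LEN])
{
    for (size_t i = 0; i < TAG_LEN; i++)
        out[i] = EXPECTED[i];
    if (pos < TAG_LEN)
        out[pos] ^= 0x01;
}

/* How many bytes the leaky comparison examines for a mismatch at `pos`. */
size_t leak_probe(size_t pos)
{
    uint8_t cand[TAG_LEN];
    size_t examined = 0;
    make_candidate(pos, cand);
    naive_equal(EXPECTED, cand, TAG_LEN, &examined);
    return examined;
}

/* Result of the constant-time comparison for a mismatch at `pos`. */
int ct_probe(size_t pos)
{
    uint8_t cand[TAG_LEN];
    make_candidate(pos, cand);
    return ct_equal(EXPECTED, cand, TAG_LEN);
}

int main(void)
{
    printf("naive_equal examined %zu bytes (mismatch at 0) vs %zu bytes "
           "(mismatch at 15): the count leaks the matching prefix length\n",
           leak_probe(0), leak_probe(15));
    printf("ct_equal: mismatch@0=%d mismatch@15=%d identical=%d "
           "(always %u bytes of work)\n",
           ct_probe(0), ct_probe(15), ct_probe(TAG_LEN), (unsigned)TAG_LEN);
    printf("ct_select(1,7,9)=%u ct_select(0,7,9)=%u\n",
           ct_select(1, 7, 9), ct_select(0, 7, 9));
    return 0;
}
```

Without the comment block, `ct_equal` reads as an odd way to compare 16 bytes, which is exactly the point of the comment above: the requirement (no secret-dependent early exit) has to be written down beside the code, or a later maintainer will "optimise" it back into `naive_equal`.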

okayFebruary 11, 2016 5:18 PM

re: nukes

Interesting that film was ruined in Indiana months later, but cameras only a few miles away were unaffected. In other words, fallout ruined film thousands of miles away, but gamma rays spared all the local cameras. A miracle really.

Nick PFebruary 11, 2016 6:24 PM

@ All

A few interesting papers I found on verified software someone here might like.

The first is one of the original papers on Proof-Carrying Code and apparently also Jinja: a verified Java-like language & implementation. What makes the paper good is how it systematically shows issues and attempts to solve them at all sorts of layers. Wildmoser really earned that Ph.D. :)

Maus' Ph.D. dissertation is the other good one. The paper describes a tool, Vx86, that verifies the correctness of x86 assembler by translating it and processor state into C for verification by VCC. This tool was applied to all the subroutines of the Microsoft hypervisor per Maus.

COGENT is a language & certified compiler for functional, *systems* programming. A COGENT program produces C code, a HOL version of it, and proof that the C code implements COGENT code. Requires no runtime or garbage collector. I could see this integrated with something like Chlipala's Bedrock or one of above projects.

A great explanation of Hindley-Milner type inference. Important given its effectiveness and pervasiveness in the ML's.

A Pastebin alternative you control for those like me that find such services useful.

A nice list of code-based test generation tools that I found for another discussion. Spec- or code-based test generation saves one the time of writing lots of tests. I see it as a good start on testing rather than a replacement for a wisely-designed test suite. Plus can test other stuff you might overlook, esp on a fast-changing OSS project.

FigureitoutFebruary 11, 2016 9:23 PM

Clive Robinson
I'm unclear not just to what you want...
--I could blabber on, but I'll keep this as short as I can. Code. I learn something new reading "master's" code (it's the cheeky tricks I like the most). While you're still w/ us and coherent. I don't care if it's ASM, if it's commented well like you say it is anyone should be able to read. In my code, I include relevant data that is hardware/physics related (sometimes a bit much, so I trim it and refer page #'s).

As I've indicated in the past you have to consider the whole computing stack
--I do, I just figured as much as you brag about your untouchable code you'd have some to share for us meek, simple-minded code cutters.

One design I was involved with used a TRNG to change the interrupt time (ie dither).
--Why a low-pass filter? Wouldn't that "bias" the entropy? I could do the same for a watchdog timer but only about 6-7 preset times, which we used as just a regular timer that interrupts when time's up. Calculating timing is a major pain, and gets real murky.

So I'm not sure what you would have gained from looking at several pages of the code, that was not better explained by the above paragraph...
--Way more than you think. B/c I already know most of what was said in the above paragraph. I want to see this "mystical code" you speak of.

As you have found getting information about SoC internals is difficult at the best of times
--Yeah, especially when you're a small company w/ lower volumes (but still making $$$, for the owner lol). Bullsh*t we can't get spice files and code for the "magical" bits, but at least we have reproducible, mathematically verified operation, so you can design w/ some confidence. I almost say move on to someone else but when you've invested in a chip you get stuck a little.

In the past I've found "silicon defects"
--What was the defect? I feel like we all run by them but can't spend the time to fully investigate them, and have to write nasty code to compensate.

Nick P
Figureitout rejected Tokeneer and other examples I gave him for essentially arbitrary reasons
--No, Tokeneer was terrible. How many places for holes to be inserted? Way too much scattered crap, 2-line worthless header files (all kinds of filetypes too) wasting my time opening them, probably hundreds of them!

And I like embedded and below security, let me tell you, seeing your code get absolutely mangled by pushing power limits is terrifying; especially when what you're doing has to be robust as possible. You lose control, and you don't know what's happening in your code, you can't debug it. So if simply supplying below power specs breaks a security device and exposes an entry point, the security is a joke.

These things don't solve the root problem, a humanly-checkable chip. I would say random voltage values but those could be faked. We build a lot of software on backdoored chips and machines. You can't have connections to either as the malware could transfer over, how much you want to bet RISC-V development is happening on primarily x86 machines?

Anyway, enough blabbing for one night.

Nick PFebruary 11, 2016 10:09 PM

@ Clive

He said he'll take anything. Give him some segmented 286 asm code. Will test his theory. ;)

FigureitoutFebruary 11, 2016 11:24 PM

Nick P
--Thanks, that was a fun little read. Potentially usable deliverable that can be applied a million ways. Few nice little tricks. Github site so I can just surf to the code instead of unzipping a file. Except BUFSIZE was "32*1024", would that be 32KB? So the buffer size is the size of my typical flash memory I'm used to and feel like I could secure. Memory of that size, fancy malware shouldn't have enough air to breathe, but this is still pretty large.

And sure, let's see it. I'd prefer some of the PIC code since they just bought Atmel. And I don't have a theory, that's some delusion on your part.

Clive RobinsonFebruary 12, 2016 3:59 AM

@ Nick P,

Yes I saw the QFPGA info. QComp is one of those things I tend to look at in a similar way to CoPro's be they math or graphics. The purpose of a CoPro is to boost a small subset of the more general computing activities not to replace them.

Right now it's not clear if QComp is actually going to replace very much. The reason being is QComp has all sorts of "extras needed" such as specialised shielding, magnetic fields, cryogenics etc etc etc, all of which cost several arms and legs not just in initial costs but running costs.

Whilst Moore's law might have hit the buffers in some respects this does not mean innovation is over, far from it. As I've said before the concentration on sequential computing optimisation took us down an evolutionary cul-de-sac, which chip manufacturers have been slowly reversing out of over this century as the multi-core chips show. We have seen CPU clock speeds hit the buffers for some years now and this is in the main due to core size and heat concentration. As we reduce the core size heat consumption goes down, but if we can find a way to reduce the concentration of the parts that generate most heat by distributing them across the chip area then we can push up the clock speed again. The question then is what do you put in the redundant spots on the chip? As I've said in the past memory has much lower thermal issues, so larger very local cache memory would be one use... apart from the fact that CPU and Memory chips tend to use currently incompatible manufacturing techniques, something I suspect will be resolved in the near future as there is benefit in doing so.

Which means that conventional chips will retain a quite significant cost advantage over QComp for much of the rest of our lives even in large systems. That is even if QComp became workable in the next five years it would still remain niche for probably a hundred years after that, whilst the support technology slowly tries playing catch up with the still improving and reducing in cost conventional non quantum computing. Thus it may be that QComp will never replace conventional mainframe style computing, just as cloud computing will not replace user end computing.

JG4February 12, 2016 7:39 AM

@Clive

Another path to higher clock speeds is to take the heat off the front of the silicon, which can be done with spray cooling. The spooks had a pretty good run with it, and may still be using it. You can reliably take off at least a few hundred watts per square centimeter. This is one of a large family of patents, bankrolled with national security money:

United States Patent 8,810,266
Cader, et al. August 19, 2014
Spray cooling thermal management system and method for semiconductor probing, diagnostics, and failure analysis


Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.