Friday Squid Blogging : Pajama Squid

The Monterey Bay Aquarium has a pajama squid.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on February 12, 2016 at 4:05 PM • 124 Comments

Comments

EvilKiru • February 12, 2016 5:08 PM

The tripwire article anon linked to states that CryptoBin is accessible by IP address. That's not (or at least no longer) correct, because the web server (now) auto-redirects to cryptobin.org when accessed by IP address.

Autos: Beware of Complimentary Data Services • February 12, 2016 6:15 PM

Last Year
My last new car purchase included a 3-month ‘Live’ service. No smart phone required.
In creating an auto company account they proudly boasted of rating my driving habits without my consent or knowledge. After several chapters, subsequent new car owners must explicitly activate the service.

Present
After that I made a statement that I would never again purchase an auto that tracked. Findings:
1) auto companies don’t want Google or Apple taking over their business
2) auto companies do not want to track themselves and put their reputation at risk
3) instead they negotiate proprietary third party contracts that include a 5-YEAR subscription into the price of upscale new cars
4) the auto gps tracking is always ON and can relay location coordinates independent of owner cell data plans
5) tracking firmware now hardened against hacking. It is non-defeatable even by the dealer service department as the tracking firmware MUST be included in any download to the vehicle
6) the ‘free’ service circumvents citizens resisting paying for self-tracking using their cell phones and credit card
7) there are advertisements piped to your 8” display. See link below of the 62(!) advertising agencies
8) the included third party navigation services are all or nothing, even though they are separate
9) The salesman had me sign a credit (let the data mining begin) application even though the auto was a cash purchase. I saw this in the paper copy I requested. At least I refused to give my Social Security Number…

Knowing American data mining techniques I expected
10) these types of data services to be pushed onto the customer
11) Only one person at the large auto dealer knew of the tracking
12) If you talk with sales, service and the separate tracking company you seldom hear the real situation, but one key tech person answered this correctly:
If you start up the car and drive down the street are you being tracked? YES!
Note: this answer was later independently confirmed

So rather than the auto manufacturer making ME the tracked product (yet with plausible deniability), I made disabling of the tracking a condition of sale. Regrettably, the lack of transparency and informed choice made for a difficult time for everyone involved. Sorry!

The good news is the USA map data is stored locally on a flash card. I was able to subscribe for local traffic (which is further sublet!). The manufacturer's voice command Qnx navigation system is awesome.

Disclaimer: I am no expert in auto tracking. The above statements are based upon limited first-hand experience. These are simply my opinion and observations as the factual data are proprietary.

Today's Humor (to keep yourself busy!)
Sirius Statement
"This is a list of third parties who, in the course of serving or displaying ads on the websites or applications owned or operated by, or on behalf of, Sirius XM Radio Inc., may place a cookie or other tracking device on your browser or mobile Internet enabled device. You may opt out of their uses of cookies, collection of your information and further use of it BY VISITING EACH of their privacy policies and following instructions there"
https://www.siriusxm.com/youradchoices

Nick P • February 12, 2016 6:49 PM

Interesting news from Slashdot:

Pwn2Own won't reward Firefox 0-days cuz they're too easy

A long time ago, an OS was withdrawn from hacking competitions because nobody was getting anywhere with it. Now a browser is for the opposite reason. Haha.

Of course, Firefox being weaker on endpoints is well known. The common recommendation among serious users was to combine it with NoScript, HTTPS Everywhere, and a sandboxing solution. The idea is any problems in it are contained and temporary. So, certainly better architecture and tech going into competing browsers but bare Firefox isn't a fair configuration to target. Still funny, though.

Maybe they need to move a little faster on that Rust browser. ;)

goodkuru • February 12, 2016 10:11 PM

@Evilkiru, the government is running out of fingers to stick in all the dikes. The gentleman's agreement is over. In the old days intel like this would have been analyzed and held in reserve. Now it's being publicized to discredit and dismantle a government that's pissed away the last of its legitimacy and can no longer contain public revulsion with its rigged electoral process. After OPM, FOP, FBI, and countless other hacks, does anybody think CIA hasn't undergone the full proctological? They purged all the people with half a brain and replaced them with psycho jarheads. Their crown jewels are CIA's domestic clandestine operations (that is, crimes.) Foreign intelligence services know exactly what went on, and hacks are handy background for non-attributable denunciation. If you think people are pissed at being ripped off, wait till they learn CIA's pushed them around exactly like a Central American banana republic with terror attacks, coups de main, and coups d'état. Visionary Conducător Brennan will be humming the Internationale.

Zero Day Person • February 12, 2016 11:00 PM

@Nick P

The truth is, not unlike some CTF, people spend considerable time before walking into the room. When they walk in, they have already found the zero day, and it is already game over. Maybe some participants try not to do this. Plenty do not have the training nor experience to do this.

I am not a big fan of these kinds of events because of this. It is fake, effectively, and miseducates people on a very important matter of security. Application security.

It is not magic. It takes really hard work, intense focus and commitment to singular objectives, and usually pretty sophisticated tools. Many COTS, but usually also hand made for the job.

(COTS solutions really only now are mainstream, and they are just recently finally beginning to provide the technology of greyboxing which has long been relied on. By defense contractors and others.)

It is also either zero day, or it is 'previously known vulnerability'. Which is almost literally 'script kiddy'. That is what the scanners have. Web app scanners not included, because they tend to actually be pretty damned good at finding zero day for quite some time. But web apps are far less tested, usually have zero security testing, and the developers often have zero to 'very little' security training. Very different from a Mozilla, MS product, and so on.

This, btw, is a main reason why Clapper really irks me. He shows he has zero understanding of the business.

And, why the FBI has the wrong conclusions about the very same issues Clapper has. The FBI, as is well known in this small sector of the industry, is very, very poor in their zero day farming. NSA, CIA, DoD 'across the board', not so.

Zero Day Person • February 12, 2016 11:12 PM

@anon

CryptoBin Down Amid Claims Hacker Posted Details of 20,000 FBI Employees http://www.tripwire.com/state-of-security/security-data-protection/38340/

FBI wiki, they have 35,000 employees. (Wow.)

I am skeptical this is real, but let us see how it pans out.

Considering recent time, one just simply can not make a guess there.

Depending on the information released, despite whatever bad blood the FBI has been spreading amongst the security community due to their continued insistence on demanding backdoors and their refusal to self-regulate, this is a bad thing. The FBI also does provide core services to 300 million Americans and some of the best crime fighting divisions on the planet.

Thinking of murder, kidnapping, sexual trade and slavery cases, and so on.


Zero Day Person • February 12, 2016 11:15 PM

@Who?

Shodan, ntp.

I am sorry, but I do view Shodan as a defensive, not offensive service. While it can be abused, the primary and clear intent is to let companies, other organizations, and individuals know they have implemented poor security.

Malicious hackers do not need Shodan to find these services.

ianf • February 13, 2016 12:06 AM

@ Lard Fulminate […] “sadly, Jolla didn't succeed”

Missed it entirely, though wouldn't have bought into it anyway. Crowdfunded projects of that complexity are bound to fail, since the A-to-Z of consumer products are the economies of scale… and you can't have that via the indiegogo route. That (scavenged?) Sailfish OS sounds interesting, we'll see if it makes it to maturity in that Fairphone item or another.

ianf • February 13, 2016 1:48 AM

OT: Richard Feynman to the FBI: D.R.O.P. D.E.A.D.

[…] “in 1958 the White House requested a routine investigation into Richard Feynman's background for consideration for the position of Scientific Advisor to President Eisenhower. Perhaps [it] was the final straw for the man who had always eschewed red tape and bureaucratic incompetence: Feynman asked to be put on the FBI’s “Do Not Contact” list.”

http://www.atlasobscura.com/articles/until-1958-the-fbi-followed-physicist-richard-feynman-very-closely

Clive Robinson • February 13, 2016 7:08 AM

@ Jacob,

And what happened to page nine?;-)

Mind you the "Washington" body got off very lightly, the Judge could have ordered him to produce ticket stubs etc, or hold him in contempt. Likewise he could have had him for contempt for not turning up properly attired just for the fun of it...

As for the "1.3 terabytes" and the "ask your 12 year old" that was golden. But the judge is right, nobody on God's little green apple was going to chew their way through that amount of data by the MK1 eyeball.

Hacky Sack • February 13, 2016 7:46 AM

Motherboard confirms the DHS/FBI hack:

On Sunday, Motherboard obtained the supposedly soon-to-be-leaked data and called a large selection of random numbers in both the DHS and FBI databases. Many of the calls went through to their respective voicemail boxes, and the names for their supposed owners matched with those in the database. At one point, Motherboard reached the operations center of the FBI, according to the person on the other end.

One alleged FBI intelligence analyst did pick up the phone, and identified herself as the same name as listed in the database. A DHS employee did the same, but did not feel comfortable confirming his job title, he said.

The watchers don't feel comfortable being put under the microscope for a change? Bwahahaha - who gives a flying f**k?

Maybe we're not comfortable with warrant-less searches, their recent hosting of kiddie porn to identify IP addresses of interest, and a decade plus of Big Brother dragnet surveillance aimed at the domestic population?

Considering in recent times the CIA director got hacked, the NSA got spanked by Snowden, millions of records were stolen from OPM, and now 9000 IDs of DHS and 20K from the FBI are in circulation - it really looks like amateur hour at Stasi central.

Sweet, sweet karma. More please.

Robert Hansssen hahaha • February 13, 2016 7:54 AM

FBI, "one of the best crime fighting divisions on the planet"

Yeah, Amerithrax was quite the tour de force, they caught everybody but the spooks who did it, then Spike Bowman accidentally on purpose destroyed the evidence. Shame about how elite FBI crimefighters get onto some dastardly evildoer, they're all over him like a cheap suit, and, Oops! he gets away and blam Blam BOOM. Again, and again, and again. Andreas Strassmeier. Ali Mohamed. Zacarias Moussaoui. Tamerlan Tsarnaev. Khalid Almihdhar, three times. Even Sam Koutchesfahani, al Qaeda's concierge. The Fort Lee tunnel bombers. Thane Eugene Cesar, uh I mean Sirhan Sirhan. How did they all make fools of FBI? And all those pedos FBI mopped up, wow. Lawrence King, they made short work of him, didn't they? Or of his victims, anyway.

Now, if it's Occupy grannies or competent journalists, FBI is just unstoppable. So let's fix this for ya: FBI, one of the best dissident repression divisions on the planet.

Wire Cutter • February 13, 2016 8:41 AM

Onstar CAN BE DISABLED.

BUT! The dealer won't do it and it's best to assume it's always on, no matter what.

Also, if you simply start cutting wires or unplugging connectors you will mess up a lot of stuff, for example, your radio may not work, etc. You need to do a diligent g00gle search for the right info and the right way.
That includes going into the Onstar unit itself and pulling a certain part, the Onstar power connector.

There is one youtube I saw that claimed pulling a certain easily accessed fuse will do the trick. I doubt it. It's possible all it does is kill the Onstar LED. It might be a fake out countermeasure to hackers i.e. "let them think they disabled the tracker". Apparently, driver user data is being shared with advertisers, a sure sign master doesn't want you to break it and is willing to defeat hacks.

Resistance to electronic mass surveillance is pretty much futile until there is a major change in our power structure. And, that's unlikely because the formula "Fun + Convenient = Compliance + Acceptance" works really well.
When driverless cars are scaled up Onstar will seem very tame.

I would expect the last cars made for real drivers without built in mass surveillance tracking will become collector vehicles and later outlawed for use when the new system is locked.

It's for your own good comrade.

Bob • February 13, 2016 8:45 AM

NSA used telemarketers, even fed them numbers, to expand the number of people they could legally spy on. Telemarketer calls target number, telemarketer calls 50 million Americans, those 50 million are now fair game for monitoring. "Hey, what better hiding place for a terrorist operative than working in a call center. They can coordinate events with no suspicions... right." Wink, wink, nudge, nudge.

Jacob • February 13, 2016 8:46 AM

Clive, yes, my favorites are:

P. 24-25:
"THE COURT: Wipe out page 9. Even the staple holes, that's confidential, too. And how does he challenge CIPA or FISA or any of these other wholly unnecessary agencies?... Because that's the question: What did they tell the rubber stamps on the FISA Court that they wanted?"

P.14:
"THE COURT: No. I mean, I have a one terabyte drive. I've never used more than ten percent of it, and it's got all the family pictures on it. And despite the way they look, I've got a lot of pictures taken of them."

P.6:
"MR. ADLER (Defence Attorney): Judge, I got a little lower back thing today. So, if I stand up in the middle of this --...
THE COURT: You're welcome to. And what are you
taking for it?
MR. ADLER: Advil right now. Trying to talk to some
clients about getting me some better stuff.
Just kidding. You don't have to write that down."

P.17:
"THE COURT: If you ask the agent tell me how you're going to prove that this man did the elements of this crime, he could tell you in about 30 seconds... And so, I don't know what else there is. But I guarantee you, from what I know now, I know there's not a terabyte. That guy (The Defendant) probably hadn't done a terabyte of activity in his life."

And P.41 about the safes in the building where they kept the NatSec stuff...

Who? • February 13, 2016 9:46 AM

@ Jacob.

Do not miss this one (p. 15):

THE COURT: How old are your children?
MR. IMPERATO: 16, 16, 13, 13, and 12.
THE COURT: Ask the 12 year old to explain computers to you.
MR. ADLER: There's no such thing as a counter-terabyte, by the way, just to let you know.
THE COURT: That's pretty funny. We'll copyright that for you.
MR. ADLER: That may be my only victory in the case, Judge.
THE COURT: Give mine to --
MR. IMPERATO: Thank you.

CallMeLateForSupper • February 13, 2016 10:47 AM

@Don't do this! @all

Good news about that iToy design error that supposedly bricks said devices.

"Devices afflicted with this issue can't even be recovered by going into DFU mode and reflashing them. Though this wipes out all your data, it retains the bad date and subsequent boot loop. The faulty date does get reset when the battery goes completely flat, however, so discharging the phone (or disconnecting the battery, if you're brave) fixes it."

http://arstechnica.com/apple/2016/02/64-bit-iphones-and-ipads-get-stuck-in-a-loop-when-set-to-january-1-1970/

CallMeLateForSupper • February 13, 2016 11:50 AM

This particular "conversation" is beginning to make my head hurt.

Last Tuesday FBI's Comey told the Senate Intelligence Committee, "I don’t want a back door. ... I would like people to comply with court orders, and that is the conversation I am trying to have.”

The article also reports that the FBI still can't access the encrypted phone that belonged to the San Bernardino killers - who themselves were killed more than two months ago. They can't comply with court orders.

Oh... Comey probably didn't mean *those* people? Well then, that seems to leave just one bucket of "people": phone hardware and OS makers. *They* should comply with court orders to unlock that pesky phone. But *they* can't comply because they don't have the key. Comey says change your business plan so that you could comply with subsequent court orders. But that is just another way of saying backdoor the encryption.

Maybe by "I don't want a back door" Comey means FBI doesn't want to possess the back door, FBI wants device developers - for-profit civilians - to possess the back door. That leaves us right back at square one, the backdoor/golden key pipe dream from the first Crypto War. Some conversation! I am just a simple country boy, but it seems to me that Comey wants an endless argument.

CallMeLateForSupper • February 13, 2016 12:52 PM

@Wire Cutter

I would love to have a recent, "loaded" auto in the garage. Just to *mess* with. (I'd also like a garage.) I am a retired EE who has to make his own reverse-engineer projects if he wants to have any at all.

When my auto tech savvy peaked, the family bus had Kettering ignition (boosted with a 3rd-party capacitive-discharge box), four spark plugs, a Delco AM radio (one speaker), 3rd-party (Sears) cruise control, and drum brakes. 1985 was the last time I researched and bought an auto, and that one I finally let go of around 2007.

I'm always wowed when I climb into a friend's Chrysler 400(?). Mostly it's wow I never knew such a thing was available (e.g. adaptive cruise control), or wow I'd never pay for that feature (e.g. rear bumper camera). I asked if the beast had OnStar; my friend said it had something similar. I asked if it tracked his trips; he said he didn't know. I asked if it tracked his rapid accelerations (lead foot!) or his frequent hard braking around town (don't ride with him after a meal) and reported them to Chrysler; after a short silence he said he didn't know.

I guess I asked too many questions one day because he suddenly asked why I asked "so many pointless questions". I sit firmly with Richard Feynman on this: "I like to know things." If I knew my car had the means to spy on me, I would want to know if it *did* spy on me.

DrWho • February 13, 2016 1:44 PM

Anyone using Whonix here?

I wonder what amount of RAM would be needed to run the two VMs in a comfortable way.

(I guess going for the Qubes+Whonix route would require double that amount whatever it is)

Jacob • February 13, 2016 3:15 PM

@ CallMeLateForSupper

You would have gotten your friend's attention had you asked him if the car reports his driving habits to his insurance company via Chrysler, or made available to the police in case of a major accident.

Curious • February 13, 2016 4:44 PM

Ugh, I thought the following was a little depressing to read about:

"Tribunal rules computer hacking by GCHQ is not illegal"
http://www.bbc.com/news/uk-politics-35558349

"GCHQ is operating within the law when it hacks into computers and smart phones, a security tribunal has ruled."

"GCHQ admitted its agents hack devices, in the UK and abroad, for the first time during the hearings."

As a non-UK citizen, and given how the UK apparently has given itself this kind of "superpower", I'd argue that this entails a possibility of GCHQ wanting to go hack my computer if they haven't done so already. My personal view of UK being a terrorist state is reaffirmed and sort of underlined as such in my head.

I wrote earlier about the use of the word "hacking" here and found such use problematic; and because of how this word is both so vague and so precise, I think whatever problem I had with others trying to discuss politics, opinions and events using this word, those aspects are overshadowed by this acute sense of threat and insecurity, even though I am not affiliated with what is called 'ISIS' and I probably never ever will be.

This notion of the internet seemingly being a free-for-all spying/hacking endeavor by states that supposedly are regulated by law, is appalling to me.

Although the following would be an exaggeration in terms of real life consequences, I still would like to think of assassination, murder and violence in general to be a parallel of sorts to this idea that I think BBC is sketching up by saying that hacking computers in other countries is not illegal (that hacking every computer on the planet is legal). There is both this transgression in terms of jurisdiction, but with this word "hacking" also a transgression in the sense of purpose (not to be confused with 'intent', being "moral" making conscious choices isn't the interesting part here.), ultimately being the wanton interference with computer systems and data (think, "collect it all").

Though UK's idea of things being 'proportionate' likely is considered to be an epitome of fairness, as if actions in general were simply equivalent to moral actions, notions of 'proportionality' might very well be something quite contradictory I think, or I see that as a potential problem anyway, as a general thing with claims of actions and events themselves being 'proportionate'. I'd argue that claims of 'proportionality' arising from a claimed categorical necessity "to protect", and with that underscoring a point of seriousness, simply cannot be thought of as being 'proportionate', because of how all arguments about an implied seriousness would void any of the normal considerations one would generally apply to avoid doing something to someone. The most basic problem, for which matters of proportionality imo are obviously void of sound meaning, is that of attacking someone. Trying to sketch out some basic idea here: To think that UK is simply policing by intruding on computers internationally, and on the grounds of protecting the people of Great Britain, should be deemed imperialistic at best.

Attacking someone by hacking is presumably a goal in itself (a purpose, being a general thing), more than achieving a given strategic goal (something specific), and lo and behold, if some given strategic goal was to be that of attacking someone, then it should be obvious that hacking as such (anything technically related really) is a notion so trivial that I think this word "hacking" fails to be useful for attesting anything to do with either law or morals (think applied ethics). If there aren't any other proper words around for the very things that are or may constitute "hacking" (think of "network exploitation" as being ironic distancing, with little meaning other than existing as a positive buzzword, a whitewash of doing something naughty), then I think democratic societies shouldn't be involved in hacking computers of other countries, because such actions can't be defended on behalf of said societies, and legalizing such actions for which hacking in general becomes a superpower is imo a corrupt legal system.

The known phrase "The end justifies the means" imo doesn't go well with a world of hacking having become a trivialized set of events performed by government agencies, because when fueled by the urge to act, it is probably not about true necessity (I suspect that few things in life are really something necessary), but it is about using the power one has, so in this way power corrupts and so absolutely. Doing what one can because one must, is one thing, doing what one can because it is convenient, is a different thing.

"Legalized" international hacking, being this kind of superpower freaking sucks I think, and for me it is reminiscent of countries invading other countries and causing all kinds of trouble. Presumably, the only reason UK and others find hacking attractive, is because they can get away with it.

Nick P • February 13, 2016 5:46 PM

@ Clive Robinson

Recently, I saw another example of a double standard I like to call out where market amorality and selfishness is acceptable for everyone except employees. Despite that capitalism includes them in its theory of operation. I intend to come up with a canned response to drop anytime I see that. Was wondering what you thought of my start in this recent exchange:

HIM:

"I met a guy a few weeks ago who'd moved over from California. He wanted to learn how to code, and told me his story. He was a business sort who went into business with a software developer. The dev did good work, and the business guy managed to get it funded. Just when things started picking up, the dev decided he wasn't getting enough of the pie and bailed, destroying the entire enterprise. He wanted to learn how to code so that this wouldn't happen to him again.

So I'm giving him an hour or so a week to show him how web development works so that he can code a prototype himself. Then he can get funded and hire employees rather than deal with the emotional vagaries of software developers. I don't blame him at all.

Business guys are typically going to make more money than the coders are, it's pointless to fight this. The better route is to go into business yourself and capture the value yourself. "

ME:

As with others, the morality of this situation depends on details we don't know. What always trips me out is the double standards in posts like yours. People are fine with the capitalist notion of starting a business, giving most people in it almost nothing, often collecting any I.P. produced rather than a license, and having the goal of selling out in a way that will likely cost the employees their jobs. Almost all value goes to investors or a few founders while almost all work is done by employees. The process is often supported by false promises or emotional manipulation to keep workers loyal & with a tiny part of the pie. This is default in Silicon Valley from what I read here and in other media.

Then, an employee decides to do what's best for him or her in a way that negatively impacts the founding business person or investor. This is seen as unethical: such employees, upon some agreement or context, cannot possess the ability to make other choices that damage founder or VC goals. They don't possess the trait that founders and investors wield with nary a thought over employees like we're starting to see with more layoffs. The employees are, instead of rationally selfish, being Evil and called out for it.

A double standard that serves captains of industry and startup founders very well at everyone else's expense. In reality, capitalism says that everyone, including employees, should act in their own self interest externalizing all costs of such actions. So, per capitalism, the founder did the right thing by trying to screw the employee out of lots of net worth and the employee did the right thing screwing the founder by taking another path. Naturally, being utilitarian, I oppose such capitalism in favor of stakeholder-focused models with rules reducing opportunities for each party to screw the other. The market goes the other way, though, so everyone continues to help or screw everyone to heart's content.

And I get to read nonsense like this where people cry "But that's not right and fair!" while simultaneously...

"Business guys are typically going to make more money than the coders are, it's pointless to fight this. The better route is to go into business yourself and capture the value yourself. "

...supporting amoral, selfish practices of capitalists on founder or VC side. It's just also what the developers were following: do whatever provides most perceived value for themselves. It is really good advice, though. Keep preaching it while system works as it does given that's where money is at. It's just that making an exception for one party but not others seems unfair and irrational. Thanks for the entertainment though. :)

CallMeLateForSupper • February 13, 2016 6:01 PM

Re: Justice Scalia, Snopes(dot)com says "Cibolo Creek Ranch near Marfa, TX". I guess 40 miles is "close" in TX. It strikes me as fitting that Scalia would "roll down the shade" near Marfa, because he was as strange a Justice as Marfa is a town.

@Clive
Jeez, I hope Obama puts a full-court press on selecting a replacement.

Fred's Blue Iris • February 13, 2016 6:43 PM

no one should be exposed in this fashion.

...with no recourse, no ability to respond.

guilty! ?

this is not a way a civil society behaves.

the hate will consume itself, paving the way for the future.

Mick • February 13, 2016 6:48 PM

@Nick P

Often business guys think they are so smart they can take advantage of coders and pay them literally nothing but when the coder decides to leave unexpectedly they start begging and change completely into friendly partners. Really funny to watch.

Business men often play the card of some future reward which never comes. Usually they have little respect for coders as human beings and consider them nerds and idiots. It only serves them well when they see that their business can easily depend on coders.

Bordering on the Ridiculous • February 13, 2016 6:49 PM

“Chrysler customers who buy or lease a new properly equipped vehicle are eligible to receive a 5-YEAR trial subscription to SiriusXM Travel Link.”

Chrysler and Ford both offer free 5-YEAR ‘trial’ periods. Does it actually take customers 5 years to decide??? Or do they simply want to track the upscale yet ignorant Americans who never read privacy policies? LOL!

Chrysler, like Ford, does not track customers’ location themselves. They subcontract to partners SiriusXM, Sprint and a company called FCA.
They are quite transparent in the data collected. Anything you do in the vehicle can and will be used against you in a court of law:
“Vehicle Data: information related to your vehicle, such as vehicle sensor data, diagnostic data, odometer readings, collision information, location information, information about when your ignition is turned on or off, speed, tire pressure data, performance data, information about accidents, driving history, etc.”

Convicted criminals ordered to wear a GPS ankle bracelet have more privacy than heavily instrumented auto owners.

There are no doubt law firms, district attorney or insurance analysts who are able to make the driver’s actions difficult or impossible to justify. There are hundreds of scenarios to build a convincing air-tight case against the driver. In many respects it's better than DNA evidence. I’d vote for conviction based upon sheer stupidity alone.

http://www.driveuconnect.com/privacy/index.html

Cute lil' fish • February 13, 2016 7:22 PM

Technically, the Striped Pyjama Squid is a cuttlefish, not a squid.

Of course, cuttlefish are pretty awesome, so you'll hear no complaints from me.

Thoth • February 13, 2016 9:13 PM

@Curious
re: GCHQ hacking devices
Not surprising that the 5Eyes (especially UKUSA) are into the trade of compromising everything that is out there. I think it is the same across the board globally as part of each nation's espionage capability that has gone into overdrive to include NOBUS style intelligence which ends up hitting the civilians and innocents as well (because there is no such thing as innocent passersby to all intelligence agencies).

Wesley ParishFebruary 13, 2016 11:50 PM

@Nick P

The reason business people - correction - top level management - can assign themselves such huge rewards is their claim to have and show foresight manifested in leadership.

That's what it boils down to, once you start peeling off the layers and the lawyers.

Now what is "skills shortage", of which I suspect we have all had a gutsful, but a complete lack of foresight and totally absent leadership?

I think that top level business people who loudly claim they are suffering from a "skills shortage" should be banned from operating a business, starting a business, and even thinking about starting a business, much less advising anyone else on doing any of the above - simply because they have a track record of making fraudulent claims with respect to their foresight and leadership abilities.

Alien JerkyFebruary 14, 2016 2:58 AM

My thought of the day:

Consider across the entire population, the level of stupidity of the average person. Now consider that half the population is more stupid than that.

65535February 14, 2016 4:38 AM

@ CallMeLateForSupper

“This particular "conversation" is beginning to make my head hurt…Comey says change your business plan so that you could comply with subsequent court orders. But that is just another way of saying backdoor the encryption… That leaves us right back at square one, the backdoor/golden key pipe dream from the first Crypto War.”

Comey is a master at misdirection and political spin. Comey wants a backdoor with no restrictions all the way down to your local police department – and probably a miniature “Computer Network Exploitation center” in every police cruiser – and the Fourth Amendment wiped off the books.

[Emptywheel]

‘Jim Comey admitted that “going dark” is “overwhelmingly … a problem that local law enforcement sees” as they try to prosecute even things as mundane as a car accident.’ -Emptywheel

Comey could have at least sexed-up his argument by throwing in Prostitution and Kiddie Porn. It’s for the kids and blah blah, bull dung.

[Comey being fed question from Burr’s committee]

Comey: “Yeah I’d say this problem we call going dark, which as Director Clapper mentioned… it affects cops and prosecutors and sheriffs and detectives trying to make murder cases, car accident cases, kidnapping cases, drug cases. It has an impact on our national security work, but overwhelmingly this is a problem that local law enforcement sees.”

[and]

“…an hour before Jim Comey got done explaining that the real urgency here is to investigate drug cases and car accident cases, not that terrorist attack. The balance between security, intelligence collection, and law enforcement is going to look different if you’re weighing drug investigations against the personal privacy of millions than if you’re discussing terrorist communications, largely behind closed doors… Richard Burr is not above pretending this about terrorism when it’s really about local law enforcement.” – emptywheel

A poster responds:

"Car accidents? Seriously? What sort of conspiracies go on over the Internet or smart phones that hinder car accident investigations? All this just begs the question of what we all did before we had computers and the Internet." -see emptywheel comments.

[See emptywheels post]

https://www.emptywheel.net/2016/02/10/district-attorneys-use-spying-as-cover-to-demand-a-law-enforcement-back-door/#comments

As for the supposed inability to unlock the San Bernardino killer's cell phones we don’t know if the FBI is talking about the smashed cell phones or one newly purchased cell phone. And exactly how much the FBI tried to “unlock” the phones or the Call Data Records/Metadata which the NSA/FBI must have by now.

[Washington times via Arstechnica]

“…a cell phone recovered from Ms. Malik’s body was newly purchased and had been used only recently. Two other cell phones that were recovered had been smashed with a hammer and were expected to be sent to the FBI’s forensic lab in Washington for examination.”

http://arstechnica.com/tech-policy/2015/12/suspected-san-bernardino-killers-took-pains-to-erase-digital-footprints/

Further, the supposedly neutered Beware Program by the Fresno Police Spy department is not helping things. We know that the Beware system could be “re-branded” or reconfigured at any time.

Comey and his FBI/LEO buddies are trying to construct a new “USA Freedom to Spy Act”. Shall we name it The “Police Freedom to Spy Act of 2016”? Or, the "Police Perpetual Spying and Life Time Employment Act of 2016"?

@ Hacky Sack, Robert Hansssen hahaha and others

“…millions of records were stolen from OPM, and now 9000 IDs of DHS and 20K from the FBI are in circulation - it really looks like amateur hour at Stasi central.” –Hacky Sack

It looks that way. The FBI/NSA/DHS/GCHQ are not making a lot of friends by hacking holes in citizens computers – only to have it happen to them.

@ Clive

"Antonin Scalia was found dead at a Texas Ranch, of what appears to be natural causes… The question is at this late point will Obama decide his replacement or leave it for the next POTUS to decide whoever / whatever party they are.”

How about having Hillary put Obama on the Supreme Court for life?

‘Hillary Clinton: I’d Appoint Obama to the Supreme Court’

http://www.infowars.com/hillary-clinton-id-appoint-obama-to-the-supreme-court/


ThothFebruary 14, 2016 5:05 AM

@65535
re: Obama appointed next to the Supreme Court
That kind of perpetual and openly legal corruption right to the core is disgusting. A quick spiral of death of morals for a once open and free society into something controlled exclusively by powerful people who are closely knit and scratch each other's backs.

ianfFebruary 14, 2016 5:19 AM


@ Jacob, give The Bard a rest. This court transcript is classic Eugene Ionesco's theater of the absurd territory. It cries for an adaptation as a 10-15m long radio play, or why not an animated one? (A bit above this illustrated 12m long straight Cliffs' Notes reading of a story).

Sounds like a perfect sophomore term project for a creative filmmaking class or equivalent. A director first needs to storyboard it, divide into smaller acts, dramatize the expressions and elocution of key phrases, rehearse it, record, mix in bg courtroom noises for authenticity, then cut the soundtrack. This will be the basis for static slides or dynamic animations… need not be detailed ones, but should make listening/viewing it later a much more pleasurable, entrancing activity. Just think how e.g. the "\\\\\\\\\\\\\\" redacted parts could be presented as by design muted, unintelligible mumbles by the defense attorney against the background of adverse faces of the prosecutors and—for once—the judge's full attention! This being an adaptation, one could also play with both racial and gender mix of the 4 protagonists…

PS. no charge for the artistic treatment… just don't wreck it. Remember I have my Irish theatre pro's reputation to uphold.

Gerard van VoorenFebruary 14, 2016 5:33 AM

Turkey now bombs the Kurds, who are allies, in Northern Syria. It's in the news but I don't see any official EU/US comments about this.

This proves again the hypocritical situation. Turkey holds too many stakes to criticize their policy.

WaelFebruary 14, 2016 6:01 AM

@ianf,

PS. no charge for the artistic treatment… just don't wreck it. Remember I have my Irish theatre pro's reputation to uphold.

Since when do Irish talk like this?

Cute lil' fishFebruary 14, 2016 7:52 AM

@65535

Actually, the Supreme Court vacancy coming as late as it does in the presidency, I'm idly wondering if Obama might step down as president so that Biden can nominate him.

Marcos El MaloFebruary 14, 2016 9:53 AM

@Jacob

That conference transcript was beautiful, thank you.

Judges (at this stage of human development) are usually human beings, and this is a good reminder. This judge demonstrated intelligence and wisdom, but even more, an insatiable curiosity.

Page 16, lines 7-12
"I mean, you
know, I deal with wiretaps all the time. And you know,
unfortunately, they want to leave out the part I like about how
they do their "cabrito" and things like -- and what -- what
Jose's wife is doing with Orlando. It's all in there. They
want me to read about drugs. That's not very interesting."

If I was Jose, I wouldn't mind the judge knowing my granny's recipe for cabrito, but I'd certainly want it redacted in court.

He later talks about how the government's security clearance screenings prevents him from hiring people he finds interesting.

I've only ever interacted with one Texas judge who helped me over the phone with a very minor matter before his court. If there was a Yelp for the legal field, I'd give him five stars. A good part of our 15 minute call was friendly chatting about inconsequential matters.

CalleLateForSupperFebruary 14, 2016 10:42 AM

@Jacob
"You would have gotten your friend's attention had you asked him if the car reports his driving habits to his insurance company..."

I did ask that very question, right after I asked the track-and-report question I mentioned here. His answer to both was the same: I don't know.

He's a septuagenarian who feels overwhelmed and powerless, and clearly is in denial.

rFebruary 14, 2016 11:02 AM

@all

Pffft, as for that security blog list I'm going to go investigate the entries I wasn't aware of and maybe add them to my about:newtab... Honestly though? You all might rank me among trolls but I must dearly say - that Bruce's blog is the best. No real registration, just patient acceptance of a vagrant's position, an educated and helpful community and a broad sense gearing toward security that is not limited to software in scope.

I wish I had been here ten years ago.

:)

keinerFebruary 14, 2016 12:03 PM

@ Jacob

p. 91 l. 23 "Some kind of tax waiver form...." start there... I'm rolling on the floor for 20 minutes now, no end in sight...

65535February 14, 2016 1:43 PM

@ Cute lil' fish

“I'm idly wondering if Obama might step down as president so that Biden can nominate him.”

That is an interesting possibility. It could happen.

@ Thoth

“That kind of perpetual and openly legal corruption right to the core… is disgusting.”

Reflecting upon it, I agree it is. And I believe the Senate would have to confirm Obama’s appointment to the Supreme Court. But, I don’t think it is illegal.

Look, if Hillary wins the election the Clintons will be back in power for four to eight years. I am sure Bill Clinton would play a major role. The White House would be Clinton Administration v2.0.

There is supposed to be a 2 term limit on Presidents. But, there are ways around that rule.

Marcos El MaloFebruary 14, 2016 2:43 PM

@65535

Clinton 2.0? I need to see the change logs. What bugs were removed and what new features were added? :-)

ThothFebruary 14, 2016 5:33 PM

@65535
re:Presidency 2.0
They might as well remove term limits similar to Putin and Russia. Be the eternal President :) .

That spells disaster for a democratic country by having ways to side-step rules. No better than Russia.

Dirk PraetFebruary 14, 2016 7:39 PM

@ Gerard van Vooren

Turkey now bombs the Kurds, which are allies

Expect them to be deploying ground troops soon too. Putin has completely changed the situation, foiling the Saudi-Turkish-US plans to get rid of Assad, and which the Kurds have taken advantage of to take over territory from anti-Assad forces, basically cutting off all major supply routes to and from the north and turning Aleppo into a new Stalingrad. Erdogan does not want a Kurdish state in the north of Syria and will do anything in his power to prevent that from happening, whatever the USG's disposition towards the Kurds. They should know by now that they are nothing but useful fools to Washington. Meanwhile, the Saudis are flying over jets to Incirlik, allegedly to bomb Da'esh, but which I doubt very much.

Western MSM coverage of the Syrian civil war has become a complete joke. For years, the US and the EU have allowed the conflict - instigated and sponsored by their Turkish, Saudi and Emirati allies - to fester and Da'esh to thrive, driving millions of refugees out of Syria, and now all of that is suddenly Putin's fault. Regarding the situation in Yemen, where Saudi forces are hitting civilian targets as hard as the Russians and Assad are doing in Syria: hardly a word. Like you say, it's complete hypocrisy.

@ Jacob

That court transcript was one of the best laughs I had in quite some time. We need more of this stuff. If anyone is considering filming it, I want Joe Pesci as judge Hughes and Kal Penn as Mr. Patel.

@ Thoth, @65535

They might as well remove term limits similar to Putin and Russia.

Technically, Putin and Medvedev didn't remove the term limits for the presidency, they just switched roles for a while, with Putin in his temporary capacity as PM for all practical purposes staying in charge. It was a kinda clever little trick. As to the Clintons and the Bushes: I don't believe political dynasties or lunatic real estate moguls have a place in a functioning democracy. Too much of a Roman empire kind of thing.

SkepticalFebruary 14, 2016 10:03 PM

@Clive:

You need to view things in the setting of the run up to Oct1957 through to the early 1960's. ... Most contempory information indicates the UK was the leader on this.

No contemporary information that I can find. But I do know that the US and the USSR had heavily "recruited" former German scientists to aid them in their respective ICBM programs (which were moving at full speed by 1954, prompted by the Soviets' thermonuclear test). US research into long range missiles had of course begun many, many years earlier, but was not given budget priority until now.

I also know that National Intelligence Estimates, and other studies, projected in the early to mid 50s that the USSR and the US would have ICBM capabilities, in small amounts at first, by 1960.

When did the British field one? How did the US interfere as you claimed?

But drum banging had caused near panic in the US population, thus the US for political reasons had to not just catch up with the Russians it had to actually catch up with the British first...

There were joint US-UK development programs, but I've yet to encounter anything other than your sheer assertions that the UK had advanced beyond the US in space technology. And this is the first I've ever encountered the view that the US had to "catch up" to the British and the Russians to "be the best."

It was made worse because due to various political actions in the US, the US apparently went from disaster to disaster with it's rockets whilst Russia went from success to success. Thus the US had to go into face saving mode. As a result the US has it's student loans system and NASA.

Uh, NASA was implemented one year after Sputnik. Testing under the Atlas program preceded NASA, and in fact in the same year that NASA was created a communications payload was successfully sent into orbit by the United States.

As to failed rockets, both sides did a lot of failed testing before coming up with the right answer. How much testing did Britain do, and when? I believe they tested one of the two systems you alluded to in 1971.

But the US had for face saving reasons to "become the leader of the pack"... This was because it was felt that the only way to get elected as President, the US had to be "The World Leader" hence the later speech by JFK about getting to the moon in the next decade. It was a target thought so impossible to reach for any nation other than the US with its vast industrial resources.
But the British were not playing the game the US wanted... And the US had by 1960 two advantages. The first was the crippling UK war debt from "lend lease" the second that the US Army rocket research under Von Braun and the other German scientists and technicians became --in part due to Walt Disney-- the backbone of NASA. As the US significantly strengthened by WWII had spare industrial capacity this fairly quickly provided the German scientists and technicians the ability to "catch up" even if it was by using "Devil's Brew" propellants that were completely unusable for IRBMs and ICBMs or any other strategic, military or industrial use.

Are you claiming that Britain's space program rested upon access to fuel produced during WW2, and that the US leveraged Britain into giving up that fuel because the US was unable to produce them itself?

That's just silly.

British rocket development was for military and industrial use only as it had to pay its way.
The US knew this and thus political pressure was brought to bear via the war debt, when this stick did not work the carrot of virtually free launches on NASA rockets was given. Unfortunately the UK Gov under MacMillan fell for it and started to close down the Black and Blue rocket developments. The only reason the Prospero satellite was launched, was that it had all not only been built it was in transport. Unsurprisingly, after MacMillan had shut down British rocket development the US "virtually free" use of NASA rockets never materialised.

Yes, of course. This magical British rocket fuel, essential to the proper functioning of rocket engines, could only be produced by the British during the years 1940 and 1945. So once the Americans defrauded the British out of it, the British space program withered.

And obviously, the US, who was entirely fixated on the possibility of a truly, near-genocidal war with the Soviet Union and its humane and broad-minded leader, Joe Stalin, certainly had every reason to be extremely concerned about the possibility that it might not look quite as strong if, disastrously, its closest ally also turned out to be an extremely advanced, first-tier player in missile design.

The US then allowed the British to use its submarine IRBM design but at a significant cost. Not just financially but in technology hand back where the UK had to give for free any improvements it made to the design back to the US, and the real sting in the tail, the fact the UK had to obtain US approval for every launch...

Everyone with knowledge of this has stated that the UK's Trident missiles are independently operational. And since they are intended to be used as a second-strike weapon, after nuclear weapons have detonated upon, or attempted upon, British cities, one finds it very difficult to imagine the British asking anyone for permission.

Clive, the entire POINT of giving such technology to Britain is to allow them to act independently, and yet still within the confines of NATO. And the last thing the US would have wanted to do is stunt a valuable research program by its closest ally. The US just finished fighting a war that was won by alliances. It viewed alliances to be just as crucial to the next.

BuckFebruary 14, 2016 11:20 PM

@tyr et al.

Great read! I will admit that I felt a bit jarred fairly early on while reading the following passage:

In some ways, it has to be the former because it's strange that we can predict our behaviors. People walk through a city, they communicate, they see things, there are commonalities in the human experience. So that’s a clue; that’s a clue that it’s not an arbitrary morass of complexity that we’re not going to ever make sense of.
Not to say that I think his intuition is necessarily wrong, but this does appear (to me anyway) to be a logical failure... The fact that an incomprehensible thing can (better than random chance) predict the behavior of another incomprehensible thing doesn't logically lead to the notion that those rules can be simplified.

Glad I kept reading though! It's now clear to me that they have assembled an incredibly intelligent bunch of folks with a wide range of specialties. Even better, many of them seem to be especially interested in solving the most intractable of problems!

Funny thing I was thinking about the whole time though... The NSA (and their foreign counterparts) will be best situated to learn whether or not human behavior can be accurately predicted. At the present moment, I don't think it looks like they can. If they could though, that would likely be a closely guarded secret (and a difficult one to publish with any credibility anyway)...

name.withheld.for.obvious.reasonsFebruary 15, 2016 12:39 AM

With the recent DHS/FBI breach, would those responsible please take me off the various watch/black lists? I'd appreciate it...seems there is no effective process to handle my fifth and six amendment rights and is essentially a form of prior restraint.

Big favor, additional impacts to right(s) to employment, travel, and unconstrained and unwarranted surveillance is bothersome as well--maybe DOJ is next?

Clive RobinsonFebruary 15, 2016 4:39 AM

@ Skeptical,

Are you claiming that Britain's space program rested upon access to fuel produced during WW2, and that the US leveraged Britain into giving up that fuel because the US was unable to produce them itself? That's just silly.

As you say "That's just silly" so I don't know where you got it from.

The fuel favoured by both the German Scientists and Russia's engine designer was based around a "devil's brew" of chemicals including very concentrated acids, that chewed through the guts of the rocket. This meant that their rockets had to be fueled at the last moment --useless for IRBM/ICBM-- and if left seals and pipes would get chewed through and the rocket would blow up on the pad, but draining was equally as bad.

Over in Britain lacking the german scientists the US and Russians had they had to "re-invent" and went down a different safer, faster to fuel system.

Whilst in the US the German scientists were under the US Army and sent to fester for more than five years whilst Curtis "bomber mad" LeMay backed by various individuals appointed by the US Pres who had significant interest in building bombers that cost as much as two large schools or a large hospital sucked as hard as they could on the tax dollar teat. Whilst the economy was going into recession and causing the US Pres considerable concern. Thus the cutbacks hit the US Army not Air Force.

Sputnik really did not produce much of a reaction in the US or anywhere else for that matter, it was a "curious wonder" not a "threat" until the US Democrats started "talking it up" and it was they that suggested both an agency and student loans so the US could play catch up and get a little "we are the best in the world" feeling back.

As history shows the US did not catch up and very public disasters pushed things worse and worse in the Public eye due to a couple of politicos on the make. After a change of US President it became very clear that there was no way to catch up in the short term. Due to von Braun and Disney the US public had expectations of Mars etc. Which is why the Moon shot was announced in the very hot Texas Sunshine with the "in this decade" rider.

It was politically paramount in the US that no other nation started putting rockets into space as it would be an embarrassment, especially Britain that was known to be broke.

And by the way it was not just Rocketry the US put political pressure on Britain, it was supersonic flight, fly by wire, over the horizon radar, body scanners and quite a bit more.

The only reason that the UK got the lead on Nuclear Electricity generation was to get plutonium for the lighter smaller British nuclear devices. With regards passenger supersonic flight, the only thing that stopped the British politicos once again kowtowing to US political demands was the French.

Which is why Maggie Thatcher gave priority to getting rid of the main political lever --lend lease-- war debt the US was wielding when she was PM, and it was also the reason the Falklands War happened, the US had effectively promised the Argentinians that they would not get involved and in effect they had given their blessing for the Argentinian invasion... Then Maggie got to work on Ronnie "ray gun"...

As I've said the supposed much valued "Special Agreement" is outside of BRUSA/UKUSA IC activities the UK kisses US backside.

For instance the worst possible thing the US could do right now is to get involved with the UK-v-Continent in the EU negotiations. Europe sees the UK as the US "ass kisser" and the US as the major destabilising element in the world currently and the main reason there are so many problems with economic migrants, refugees, Russia and even China currently. So the US Prez sticking his nose in for the UK to stay in the EU will most likely have the opposite effect in most western EU nations including the UK. Something I'm sure the "Brexit" politicians are more than aware of and thus in favour of privately.

Clive RobinsonFebruary 15, 2016 4:55 AM

@ tyr,

The NSA (and their foreign counterparts) will be best situated to learn whether or not human behavior can be accurately predicted.

We already know the answer to this and it's not good.

The bulk of the population do mostly what they are told to via the propaganda arm of the Gov incorrectly called "The Independent Media". However those who "own the legislators" via "nest feathering" etc including those who control the media will follow their own agenda interests especially if it increases the status gap between them and the serfs...

Just remember it's "the one percent of the one percent" that control 90% of the wealth one way or another, and you don't stay in that position by being easily predictable.

65535February 15, 2016 5:05 AM

@ Marcos El Malo

“Clinton 2.0? I need to see the change logs. What bugs were removed and what new features were added? :-)”

Ha. I suspect few bugs were fixed and we will have to discover the new bugs as they appear.

@ Thoth

They might as well remove term limits similar to Putin and Russia. Be the eternal President :)

I had not thought of it that way – but it probably will not help democracy.

@ Dirk Praet

“…Putin and Medvedev didn't remove the term limits for the presidency, they just switched roles for a while, with Putin in his temporary capacity as PM for all practical purposes staying in charge. It was a kinda clever little trick. As to the Clintons and the Bushes: I don't believe political dynasties or lunatic real estate moguls have a place in a functioning democracy.”

I hear you. It’s beginning to look like the Golden Age of Political Social Engineering. Which I suspect comes intertwined with the Golden Age of Spying.

The trend seems to be first, Spy or perform reconnaissance on your target [the average Joe] and Second, Social Engineer your way into power and wealth – hoping never to be unseated. It’s a clever scam.

@ Clive Robinson

‘The problem as Douglas Adams noted is "the wrong lizard might get in"’

Very true.

@ name.withheld.for.obvious.reasons

“…would those responsible please take me off the various watch/black lists? I'd appreciate it...seems there is no effective process to handle my fifth and six amendment rights and is essentially a form of prior restraint. Big favor, additional impacts to right(s) to employment, travel, and unconstrained and unwarranted surveillance is bothersome as well--maybe DOJ is next?”

Maybe the DOJ will be next. Who knows.

In the meantime I doubt you can get your personal file removed from the TIDE database without some political connections.

[Next to the TIDE data base]

@ GregW

Did Brennan have a hand in the infamous TIDE database and was he being paid by its parent company? Is this the very same database which has many sub-databases attached including the “No Fly List”?

[Tim Schorrock]

“In 2003, management of the database, which received information collected by a large number of agencies, including the CIA, the NSA and the FBI, was transferred to the CIA’s Terrorist Threat Integration Center (TTIC) and, later, to the National Counterterrorism Center. In 2005, Tipoff was expanded and renamed the Terrorist Identities Datamart Environment, or TIDES, and fingerprint and facial recognition software was added to make it easier to identify suspects as they crossed US borders.”-timshorrock

‘Did John Brennan suck as a contractor? The CIA thinks so. ’
http://timshorrock.com/?p=2259

[More on TIDE]

“Prior to 9/11, TAC was instrumental in providing pattern recognition and data mining software applications that served as the basis for the US Government’s original terrorist watchlist database called TIPOFF. In 2003, TAC assisted the Government in standing up the Terrorist Screening Center (TSC) the Terrorist Threat Integration Center (TTIC), and its successor, the National Counterterrorism Center (NCTC). Key practice areas included intelligence and Federal Law Enforcement support for terrorist screening, watchlist development and operations; intelligence analysis; systems integration and software development; multilingual name search; and pattern matching. It was awarded over $400m in government contracts since 2000, including some $30.6m in 2007, $19.5m in 2008, and $150m in 2009. Customers included the Department of State, National Targeting Center (NTC), Defense Intelligence Agency (DIA), National Security Agency (NSA), Office of Naval Intelligence (ONI), NCTC, TSC, and the FBI…In November 2005, John O. Brennan was appointed president and CEO of TAC. Mr. Brennan was the former interim director of the National Counterterrorism Center and a 25-year veteran of the CIA. Following Mr. Brennan’s departure in October 2008 to serve as advisor to then-presidential candidate Barack Obama, ” -Wikipedia

https://en.wikipedia.org/wiki/The_Analysis_Corporation

[More on the TIDE database and it’s sub-data bases]

"...The Terrorist Identities Datamart Environment (TIDE) is the U.S. Government's central database on known or suspected international terrorists, and contains highly[clarify] classified information provided by members of the Intelligence Community such as CIA, DIA, FBI, NSA, and many others.
There are over one million names in TIDE…From the classified TIDE database, an unclassified, but sensitive, extract is provided to the FBI's Terrorist Screening Center, which compiles the Terrorist Screening Database (TSDB)… this database, in turn, is used to compile various watch lists such as the TSA's No Fly List, State Department's Consular Lookout and Support System, Homeland Security's Interagency Border Inspection System, and FBI's NCIC (National Crime Information Center) for state and local law enforcement.

https://en.wikipedia.org/wiki/Terrorist_Identities_Datamart_Environment

Thanks a lot Mr. Brennan for entangling many innocent Americans in your “terrorist data base”. You squandered our money with such a turd. Mr. Brennan how do we clear our names from that 'terrorist' data base?

Zero Day PersonFebruary 15, 2016 10:53 AM

@Grauhut

Shodan, of course, can definitely be used for attack. But, it was designed for and maintained for defensive purposes, is all I am saying.

Google is similar in functionality and purpose, with regards to attacks, and how it can scarf up unintended data and put it on the web.

In either case, I could see some government folks making dumb decisions and attempting to close them down. That kind of functionality. That would just blind the victims, not the attackers.

Zero Day PersonFebruary 15, 2016 11:38 AM

goodkuru / Hacky Sack / Robert Hansssen hahaha


Considering in recent times the CIA director got hacked, the NSA got spanked by Snowden, millions of records were stolen from OPM, and now 9000 IDs of DHS and 20K from the FBI are in circulation - it really looks like amateur hour at Stasi central.

Sweet, sweet karma. More please.


There have been far more hacks and leaks than those. Of your list, the one which has given you particular joy has been this past week's DHS / FBI lists. Which is tied directly to everything else on that list, but Snowden.

And the "hacker" got caught. Hacker in quotes, because he is not a hacker.

http://www.foxnews.com/politics/2016/02/13/cops-arrest-teen-for-hack-and-leak-dhs-fbi-data.html

A 16-year-old boy living in England has been arrested in connection with the recent hack of FBI and DHS data, as well as the personal email accounts of CIA director John Brennan and homeland security chief Jeh Johnson.
Fox has confirmed that British authorities have arrested the still-unnamed teen with help from the FBI and that they are looking for possible accomplices.
The alleged hacker had told Motherboard webzine that he had swiped the names, titles and contact information for 20,000 FBI employees and 9,000 Department of Homeland Security employees. He told Motherboard this was possible through a compromised Department of Justice email.


I will note something some may miss: that last paragraph implies the arrested kid is the one and the same and guilty, by this simple sentence, "the alleged hacker had told Motherboard webzine that he had swiped the names of [.. description of some of the crimes of which the real hacker engaged in and who proved their name to the journalist ..]"

In other words, either, a, they caught him because of his contact with Motherboard webzine (Vice). Or, b, they are saying "alleged", but indirectly connecting him to those crimes in a positive way, indicating he is not really "alleged", at all.


Some more interesting observations:

1. They caught him really quick after he released those names. That spells that he had already been under surveillance. And, that, specifically by the FBI. It would probably take just that much time, a few days, to get the 'go ahead' to arrest him. Why the FBI? Because the FBI was the one who contacted English authorities, and the FBI was the group who was hacked. Before, it was 'no sweat off their back'.

2. Surprise, surprise, surprise. He was 16. What kind of politics do you expect from a 16 year old? Well, from a very arrogant, rotten one, exactly the sort he espoused. Did he come up with these beliefs on his own? Do you seriously believe he has even read a book in his entire life? Or had any kind of informed or good motive, at all?

3. He was not - as we have all well known for some time - even a hacker. He was some blustering kid who clearly did not have a girlfriend, nor any chance for a girlfriend, who ran with some kind of half assed, idiotic belief system. He equated himself to hackers and to gangsters, neither of which he was in any way. He could not find a zero day in a program to save his life. He could not write exploit code. He could not write sophisticated rootkits. He social engineered his way into everything, and even in that, he would have had poor capabilities.

Zero day, you don't have to ask. You do, and no one sees it.

Training and experience in "social engineering" with the resources to come with, like false passports, internal information, information about the people you are talking to, false badges, and so on? Quite a different story.

I say that because people should take note of that story in that way. If that is what a 16 year old is doing, what is really going on with intensely dedicated teams at nation states and with organized crime?

Don't believe what you read in the news. And do not assume 'if something is not public knowledge, it does not exist'.

4. The names and data were released in an encrypted file. So they are not gobbled up by search engines. It is mostly public information. Anyone who downloads that file is probably either really curious, for some bizarre reason, or someone who has a motive to 'do something' with that data which is bad. Good way to honeypot a system. If the names have just a scattering of false data, it only strengthens the honeypot. Yes, even a mere list of information can operate as a honeypot. And so much more.

Why such tactics? It can be hard to find good targets for investigation.

But, this is just one possibility of many. More likely, the story is as it is. At face value. A crazy kid whose brain is not yet fully formed and so has little to no capacity to prevent risk taking is certainly the sort that would do such a thing. Kids can be arrogant, think they know everything. And without girls to keep him busy, all he has left is to brag to his boy friends.

5. The requests and demands by the head of the FBI to backdoor all American software products is very bad on many levels. But, because of the way that organization is set up, that does not mean everyone at the FBI is therefore liable and spoken for by their opinion. They do not all deserve to have their contact information given to criminals.

There is a good chance some psychopath or criminal cartel could use that information for severe damage. This opens up FBI employees for such things as kidnapping and extortion, besides just murder by violent criminals who wish to sway them.

Some bad cases and some bad agents, even some bad culture, does not make everyone in the FBI guilty.

Arguing for backdoors in code, really, ultimately, is simply short sighted and shows they do not know what they are talking about. They have no idea they are wrong. And that is - as far as anyone knows - just the opinion of a few, over whom no one else has control.

If anyone is to blame here, it is Obama, or others, who could have fired them. I don't dislike Obama, but that certainly does fall on his shoulders. But, arguing against Obama in such a way simply would not be a popular thing to do. Because the same people backing these juvenile politics helped get Obama elected.

6. Even if the list was not honeypotted, it could be at a later time, and certainly could be watched from whatever server offers it.

7. If the kid was really ruthless and in control, he would have put up the list without encrypting it. Then the search engines would have gobbled up the data, and it would be 'to the wind' posted and quoted by bots all over the place.

8. For all of these hacks and social engineering attacks and leaks... what real damage is there?

North Korea, Russia, China, Iran, and so on, still do not know much of anything about how the deep cover systems of the United States operate.

Very likely, all the noise about how helpless the USG is for technical spying has only served to make everyone believe they have gone dark, when they have not, and that such things as the Snowden disclosures totalled their capabilities, when they did not.

It is very likely it is effective (and powerful) disinformation. They probably do not know, which makes them all the more convincing. That is a standard, not exceptional ruse. Diplomats have, for decades, been making forceful arguments of denial, believing their statements. And in the dark their own selves.

9. Those lists don't mean much. Really, none of it does. Even something like OPM. So, data is stolen. Maybe it was real. So names are online. Names already are online. Millions of credit cards stolen? Millions of credit cards get sent out in the mail.

Snowden gave some important information. It didn't stop anything. Nothing really secret would have been in that pile of 'everyone can access with basic clearance'.

It informed Americans so they are better at lobbying. But, it didn't win any adversary anything.

RDFebruary 15, 2016 11:54 AM

They should make an Olympic sport of saying the most ridiculous crap with a straight face. Skeptical would be the Michael Phelps of being full of shit.

Skeptical now proves to us, with the decisive weight of his hard-earned credibility, that when the Christ-crazy Air Force fanatics start speaking in tongues, and Daddy Warbucks takes the chariots of thermonuclear Jayzus fire for a spin, little David Cameron will be sitting right alongside with his yellow plastic steering wheel with the red horn in the middle, Beep! Beep! And little David's driving.

Look out, diddums! Faster! Vroom! Vroom! My clever little man!

Now don't tell David, you'll break his eager little heart, but here are the facts for persons who are not hopelessly ignorant of defense procurement, FMS, C3, the OPLAN, and America.

http://www.spokesmanbooks.com/Spokesman/PDF/94Ainslie.pdf
http://www.publications.parliament.uk/pa/cm200506/cmselect/cmdfence/986/986we13.htm

In this as in everything else, H.M. Government is a puppet.

Zero Day PersonFebruary 15, 2016 11:57 AM

@name.withheld.for.obvious.reasons, 65535

“…would those responsible please take me off the various watch/black lists? I'd appreciate it...seems there is no effective process to handle my fifth and six amendment rights and is essentially a form of prior restraint. Big favor, additional impacts to right(s) to employment, travel, and unconstrained and unwarranted surveillance is bothersome as well--maybe DOJ is next?”
Maybe the DOJ will be next. Who knows.

The FBI is just a division of the DoJ.

One of a lot of divisions.

If you don't know that about the FBI, you probably should think to yourself that "maybe I don't know as much about watchlists as I think I do".

Because of the way people are wired, they are subjective in their analysis about 'who is aware of them', and deeply so.

While some, famously, get on lists (for which they usually suffer little for, if any), erroneously -- this certainly does not mean you are on one.

Being critical of policies does not put you on a watchlist. Why? Because everyone is critical of policies.

You can hear some of the craziest conspiracy theories from people who work in the federal government as law enforcement officers. Or as "spies".

BIG difference between that and people who do really bad things, "evil with a capital 'E'" for very bad reasons against good people.

You probably aren't even "evil with a little 'e'". More like "good with a little 'g'".

As for that three named poster I just responded to? Most likely to be some kind of cop on here.

Not Skeptical. That sort. The kind who not only blends in, but goes overboard.

Nick PFebruary 15, 2016 3:20 PM

Making robust software for Mars mission

Note: Includes a few, basic methods that made for ultra-robust code in a multi-million line codebase. Also reminded me of the Power of 10 ruleset Holzmann came up with to dodge the fact that huge lists of rules are usually just ignored. So, after talking to big names, he came up with a few that gave most bang for buck and could be mechanically checked.

What Worse is Better is really about

Note: Good write-up exploring the fact that Gabriel was right about a dichotomy but maybe exploring the wrong aspects. I left a comment on that blog adding that I thought he should focus on backward compatibility, network effects on/around software, time-to-market a la Lipner's Ethics of Perfection essay, familiarity, and lock in. These seem to determine whether a deliverable succeeds more than anything. Fortunately, they allow The Right Thing to succeed just like they do Worse is Better. The Right Thing will be a niche or have less market share. It can still be available nonetheless with hybrids doing the best for us. I left examples of that.

Gerard van VoorenFebruary 15, 2016 3:37 PM

I just watched The Big Short. It's ... incredible.

Then I see that today the stock prices of companies are 20 times their value. What could possibly go wrong?

Dirk PraetFebruary 15, 2016 6:08 PM

@ Clive

Europe sees the UK as the US "ass kisser" and the US as the major destabilising element in the world currently and the main reason there are so many problems with economic migrants, refugees, Russia and even China currently.

In essence, there's two different currents in the EU: those who want a full political union with supra-national institutions, and those who want a loosely knit economic union only with member states retaining full national sovereignty on any issue they don't see eye to eye with Brussels. Although the UK is probably one of the most prominent proponents of the latter, the same is true for most Eastern European and Baltic member states. They only want the advantages of being in the EU, not the burdens. IMHO, the only way forward for the EU is as a full political union, with those countries opposed to that either leaving the EU or becoming n-tier member states with corresponding socio-economic consequences, read downgrades.

In its current incarnation, the EU is unable to adequately cope with the many challenges it is facing. It is being paralysed by discord and indecisiveness, with both the European parliament and commission being perceived as expensive debate clubs only by a growing number of Europeans. Especially with regards to the ongoing refugee crisis in which German chancellor Angela Merkel is still stubbornly trying to impose her open border policy on the entire EU.

The EU is weak. The US knows it. Putin knows it. Even Erdogan and the Saudis know it. Unless we get our sh*t together really fast and start acting as one on the global political stage, we're gonna go down a road of political and military insignificance. A Brexit in my opinion would be a good start. The UK will never be part of an integrated European union because their allegiances lie with Washington, not with the European mainland. At the same time, someone should also try to explain to Angela Merkel that despite Germany's leading economic role, it does not make her the de facto EU president who gets to decide the EU's course on her own, and which is fast becoming a more divisive factor than anything Daffyd Cameron so far has come up with.

Nick PFebruary 15, 2016 6:09 PM

Yall gonna find this funny. So, I nearly hit my cap with Comcast by doing almost two months of data in two weeks. Have no idea how that happened: an accounting error, local software gone wrong, or security issue. Decided to inspect for security breaches on home network where a router or PC might have been hosting content. Go ahead with an update and password change on wireless router just in case. This led to discovery of interesting example where a positive security practice resulted in an unforeseen negative.

My router requires HTTPS during admin as a safe default. I connect with Chrome on machine that is physically wired to it to find it refused the connection with no override. Same with IE and Firefox. The reason: the router's certificate used a key that was too weak. Browsers apparently stopped allowing that at all. I got to exception list but they can't see its certificate [that time]. Huh? I don't want to reset while folks are watching a movie on Netflix. So, I google lightweight browsers expecting one of the immature ones has weaker security. Got Midori, connected, promptly got a login (3-4 actually w/ glitch), and did my work on the router. Also turned off HTTPS since no modern browser supports it with that certificate. Uninstalled Midori since it's obviously untrustworthy haha.

So, quite a series of events. The security improvement happens with all three browsers but doesn't anticipate router HTTPS. Getting around it required disabling that feature with a less secure browser. Probably will end up replacing the software on it to begin with. Fun times.
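The failure described above, a device certificate whose RSA key is too short for current browsers, can be caught before a browser locks you out. The following is an added example (not code from the post or from any router vendor) that parses a DER certificate with only the standard library and reports the modulus length; the thresholds and the skeleton certificate builder used for offline testing are my own assumptions, labelled in the code.

```python
"""Audit the RSA key length in an X.509 certificate (DER) using only the stdlib.

Added example for this thread, not code from the original post.  Modern browsers
refuse TLS certificates whose RSA modulus is too short, with no override; this
script measures the modulus first.  build_demo_cert() produces a *constructed*,
unsigned skeleton certificate purely so the parser can be exercised offline.
"""
import socket
import ssl

# Policy thresholds (assumptions, not taken from the thread): mainstream browsers
# have rejected RSA keys below 1024 bits since 2014, and 2048 bits is the usual
# recommended floor for new certificates.
MIN_ACCEPTED_BITS = 1024
RECOMMENDED_BITS = 2048

OID_RSA_ENCRYPTION = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(seq_value):
    """Split the contents of a SEQUENCE into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(seq_value):
        tag, value, pos = _read_tlv(seq_value, pos)
        out.append((tag, value))
    return out


def rsa_modulus_bits(cert_der):
    """Return the RSA modulus length in bits, or None if the key is not RSA."""
    _, cert_value, _ = _read_tlv(cert_der, 0)             # Certificate ::= SEQUENCE
    fields = _children(_children(cert_value)[0][1])        # tbsCertificate fields
    if fields[0][0] == 0xA0:                               # optional [0] EXPLICIT version
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    algorithm, bit_string = _children(fields[5][1])[:2]
    if _children(algorithm[1])[0][1] != OID_RSA_ENCRYPTION:
        return None
    rsa_pub = _read_tlv(bit_string[1][1:], 0)[1]           # skip unused-bits byte
    _, modulus, _ = _read_tlv(rsa_pub, 0)                  # INTEGER n (may carry leading 0x00)
    return int.from_bytes(modulus, "big").bit_length()


def key_verdict(bits):
    """Classify a modulus length: rejected by browsers, weak, or ok."""
    if bits is None:
        return "not-rsa"
    if bits < MIN_ACCEPTED_BITS:
        return "rejected"      # browsers drop the connection with no override
    if bits < RECOMMENDED_BITS:
        return "weak"          # still accepted, but schedule a replacement
    return "ok"


def audit_cert(cert_der):
    """Return (modulus_bits, verdict) for a DER certificate."""
    bits = rsa_modulus_bits(cert_der)
    return bits, key_verdict(bits)


def fetch_cert_der(host, port=443):
    """Fetch the peer certificate without validating it (router certs are self-signed).
    Caveat: with a very short key the TLS library may refuse the handshake itself."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


# --- minimal DER encoder, only used to build the constructed test certificate ---
def _tlv(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    n = (len(body).bit_length() + 7) // 8
    return bytes([tag, 0x80 | n]) + len(body).to_bytes(n, "big") + body


def _integer(value):
    return _tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def build_demo_cert(modulus_bits):
    """Constructed skeleton certificate whose modulus has exactly modulus_bits bits.
    Names are empty and the signature is a placeholder; it only feeds the parser."""
    n = (1 << (modulus_bits - 1)) | 1                      # not a real RSA modulus
    rsa_pub = _tlv(0x30, _integer(n) + _integer(65537))
    spki = _tlv(0x30, _tlv(0x30, _tlv(0x06, OID_RSA_ENCRYPTION) + b"\x05\x00")
                + _tlv(0x03, b"\x00" + rsa_pub))
    empty = _tlv(0x30, b"")
    tbs = _tlv(0x30, _tlv(0xA0, _integer(2)) + _integer(1) + empty * 4 + spki)
    return _tlv(0x30, tbs + empty + _tlv(0x03, b"\x00"))


if __name__ == "__main__":
    for size in (512, 1024, 2048):
        print(size, audit_cert(build_demo_cert(size)))
```

For a live device, `audit_cert(fetch_cert_der("192.168.1.1"))` gives the same verdict; if the handshake itself fails because of the key, the certificate must be exported from the device's admin interface instead.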

SkepticalFebruary 15, 2016 6:27 PM


@Clive: Okay, glad to see I misunderstood part of your comment.

Scattered comments on the rest:

Whilst in the US the German scientists were under the US Army and sent to fester for more than five years whilst Curtis "bomber mad" LeMay backed by various individuals appointed by the US Pres who had significant interest in building bombers that cost as much as two large schools or a large hospital sucked as hard as they could on the tax dollar teat. Whilst the economy was going into recession and causing the US Pres considerable concern. Thus the cutbacks hit the US Army not Air Force.

The US military had multiple programs - in each service branch - developing ICBMs. But as a result of certain studies conducted by RAND and by a commission appointed by Eisenhower (I forget the name offhand - von Neumann chaired it), by 1955 the US estimated both that the Soviet Union would have ICBM capability, and that the US would as well.

The major problem with ICBMs initially was the degree of accuracy required for a given payload to accomplish target destruction with sufficiently high probability. With thermonuclear weapons, among other things, that changed.

Other factors include an awareness of how vulnerable forward-based SAC bombers were to Soviet surprise attack, a discovery amply documented (and within defense circles, publicized) by a study from RAND, led by Albert Wohlstetter. This was given additional salience with the publication of his wife's book analyzing Pearl Harbor (but more significantly, the nature of surprise attacks in general and our ability to anticipate them).

LeMay certainly favored a strong long-range bomber fleet, but he favored the development of the ICBM as well.

The Army bore the brunt of military cuts because (1) the Korean War was over and (2) Eisenhower believed that any conflict between the US and the USSR would inevitably become nuclear, and that conventional conflicts such as the Korean War would sap US military and economic strength. He therefore focused on what he viewed as a more rational, long-term approach to the Soviet threat: strategic nuclear forces, to be used when the national interest dictated, over massive conventional forces that were to be engaged in an unending series of expensive regional conflicts.

As history shows the US did not catch up and very public disasters pushed things worse and worse in the Public eye due to a couple of politicos on the make. After a change of US President it became very clear that there was no way to catch up in the short term. Due to von Braun and Disney the US public had expectations of Mars etc. Which is why the Moon shot was announced in the very hot Texas Sunshine with the "in this decade" rider.

History showed - and Eisenhower already knew - that the US was never behind.

With respect to space, Eisenhower announced in 1955 that the US would launch a satellite during the International Geophysical Year (01 Jul 1957 to 31 Dec 1958). And indeed the US launched its first satellite in February 1958. The Soviets poured efforts into beating the US by a few months. While the US was aware, the US Government did not believe it to be significant, underestimating the public reaction in the United States (fanned by Soviet information operations - which should have been a tip-off immediately as to the true state of Soviet strength - they sought to exaggerate their strength in order to conceal their weakness).

As to the "missile gap" and other repeated claims that under Eisenhower the US had fallen behind, these have been shown by history to be nonsense. At the time, they rankled Eisenhower sufficiently for him to allow both Republican and Democratic presidential candidates to receive special briefings on US intelligence regarding the supposed missile gap, though both were strictly enjoined from making the knowledge derived public (Eisenhower wanted to protect the intelligence gathered by U-2 flights for as long as possible).

It was politically paramount in the US that no other nation started putting rockets into space as it would be an embarrassment, especially Britain that was known to be broke.

Again, the January/February 1958 US satellite launch had been announced publicly in 1955. Its purpose, incidentally, was to ensure that any diplomatic/geopolitical issues regarding overflight from space would be resolved prior to the launch of a US spy satellite (scheduled to follow months later).

Britain didn't test its first launch vehicle/space rocket until much later in 1958. I don't believe it actually launched a satellite with its own launch vehicle until the 70s.

I've yet to see ANY evidence that the US interfered in any way with British research efforts. Was Britain going to launch a satellite in the four or five months between Sputnik 1 and the US launch?

And by the way it was not just Rocketry the US put political pressure on Britain, it was supersonic flight, fly by wire, over the horizon radar, body scanners and quite a bit more.

Clive, it almost begins to sound as though you're apologizing for Britain not doing certain things first or better, by pointing to an American conspiracy to thwart British progress.

I have to say that I'm not sure why. In the post WW2 era we're discussing, British scientific and engineering accomplishments require no apologetics, but neither do American scientific and engineering accomplishments require any handicapping. And of course scientists and engineers from both countries were involved jointly in projects that produced some of the most interesting and important advances.

Which is why Maggie Thatcher gave priority to getting rid of the main political lever --lend lease-- war debt the US was wielding when she was PM, and it was also the reason the Falklands War happened, the US had effectively promised the Argentinians that they would not get involved and in effect they had given their blessing for the Argentinian invasion... Then Maggie got to work on Ronnie "ray gun"...

That's a fanciful view of the Falklands War. The Argentinians invaded because they did not believe that the British would use military force to retake them. The US had warned Argentina against invading, in fact, noting that the British would respond with military force (with US support).

Not sure what you're talking about re lend lease either. After WW2, Britain wanted to keep material in its possession, and in transit, under the lend lease program. The US agreed, at a price of 10 cents on the dollar. A loan agreement was reached, on which would run a 2% interest rate. Payment on the agreement has been deferred in several years, and was repaid in full several years ago. Of course, WW1 loans have never been repaid.

As to how you think the US used this as a lever with Britain... I've no idea.

As I've said the supposed much valued "Special Agreement" is outside of BRUSA/UKUSA IC activities the UK kisses US backside.

Not an uncommon view, but in my view a completely incorrect one. The sharing of military technology, strategy, tactics, etc., between the UK and US is likely unparalleled, and both sides have benefited from the high level of trust and cooperation between them.

Dirk PraetFebruary 15, 2016 6:34 PM

@ Nick P

The reason: the router's certificate used a key that was too weak. Browsers apparently stopped allowing that at all.

I've had the same here. Look for a firmware upgrade if it's a recent router. If not, you may wish to reflash it with DD-WRT or OpenWRT (if supported), which probably provides better and more secure features anyway.

BuckFebruary 15, 2016 7:33 PM

@Nick & Dirk

I was away for a few hours on Sunday... When I got home, the internet was AFK. Doesn't happen very often, so I immediately suspected the cat, but I took a look - modem is still standing, plugged in, and blinking away as it does. The local network is still online, no trouble logging into the HTTPS interface, but the event log (of my ISP-supplied edge device) was completely empty (firewall log full of junk; system log with the expected entries). Used an old browser though, so I didn't even think to check on the encryption scheme.

Somewhat related story: as you may recall, I recently got a new 'idiot-phone'... Starting out fresh again, I thought it might be useful to delete all the root CAs from the trusted list. That way, I could selectively add those authorities as needed. No such luck! Never got a nag of any sort on any HTTPS sites. And it took a *long* time to remove all of those one-by-one!

ThothFebruary 16, 2016 1:11 AM

@Buck
Was the router doing log rotation when you got back to check? Most routers wouldn't keep a lot of logs and you have to download them routinely.

ianfFebruary 16, 2016 6:48 AM


@ Dirk Praet

[…] In essence, there's two different currents in the EU: those who want a full political union with supra-national institutions, and those who want a loosely knit economic union only with member states retaining full national sovereignty on any issue they don't see eye to eye to with Brussels.

Just so, unfortunately. The other party would like to have the cake delivered and eat it, while delivering only the delivery personnel [euphemism alert].

[…] Unless we [the EU] get our sh*t together really fast and start acting as one on the global political stage, we're gonna down on a road of political and military insignificance. A Brexit in my opinion would be a good start. The UK will never be part of an integrated European union because their allegiances lay with Washington, not with the European mainland.

That's the ticket. Much as I pine for the UK, they are more of a forever rogue presence in the EU, than not. Just like the nationalistic-chauvinist axis of Central Eastern Europe, Poland and Hungary, also the UK would like to have the benefits of the EU without giving up some of its (let's face it: in today's globalized economy illusory) freedoms to act as they always did. So let them find happiness in cahoots with their former US colonies, where "British" still carries a nostalgic sense of class and entitlement. Good riddance. Eire that will stay in EU if for no other reason than to annoy the Tommies and the pretext for weaponizing the North Irish border, will have it tough for a while, but will soon cope nicely with bypassing the British cuckoo nests isles entirely.

Oh—and while Brexit is under way, let us start a debate on downsizing the EU… as the Baltic states, Poland and Hungary are so vested in retaining their independence at all costs, and Romania and Bulgaria have taken to exporting their lowest castes, hordes of panhandling Roma, across the rest of the West, let's put up some conditions on their remaining as members, and, especially, for not treating the EU Parliament as some cushy garbage heap for their own political has-beens that they themselves would rather keep away from home (some fascists among them, too). And if these countries do not like the new terms—they can go it alone between Germany and Russia, or band together, and see how well THAT'LL work out.

At the same time, someone should also try to explain to Angela Merkel that despite Germany's leading economic role, it does not make her the de facto EU president who gets to decide the EU's course on her own

I am as puzzled as everybody else by Merkel's once sudden Schengen-upending "open borders" policy (now curtailed, but still), and can but hope that it was not a decision taken lightly, but with due economic consideration, that

  1. the Syrian refugees are by and large well-educated, Christian, or agnostic, cultural Muslims; they make up ~79% of the immigration wave (David Miliband in Davos), and integrate as well as Turks in the West; and that

  2. the problem of Germany's low Total Fertility Rate, well under the population replenishment levels (=2.1), won't simply dissipate… in 40 years' time somebody will have to work to create the wealth to pay for pensions of today's middle-agers—who are not too keen on "delivering" that future work force themselves.

65535February 16, 2016 9:23 AM

@ Zero Day Person

‘The FBI is just a division of the DoJ. One of a lot of divisions. If you don't know that about the FBI, you probably should think to your self that "maybe I don't know as much about watchlists as I think I do"’

I was assuming ‘name.withheld.for.obvious.reasons’ was referring to the entire DOJ and all of its departments - if not then the majority of the DOJ’s departments.

Mr/Ms Zero Day Person, you never did get around to telling this audience exactly how to ‘get off a government list’; you talked around it. How does one Get Deleted from a database such as the TIDE database?

Here is an example of such a list [it might/or not be associated with the DOJ or the TIDE database – but it is there and harming Americans]

[Techdirt]

“We've talked a few times before about the US Treasury Department's Office of Foreign Assets Control, a government office theoretically designed to keep money from flowing to and from scary people in scary countries… non-scary people who share names too-closely associated with actual scary people suddenly being denied online services due to the OFAC scare-list. The first of these concerned a man named Muhammad Zakir Khan being refused a registration for a multiplayer video game.”

“gamasutra, which broke the story, reports that when Khan submitted his request, he received an unusual denial, one explaining that his name had come up as “a match against the Specially Designated Nationals list maintained by the United States of America's Office of Foreign Assets Control.” Epic was, in other words, refusing Khan the opportunity to try out its new game simply because his name resembles that of someone who might be financially involved with terrorism… Khan tweeted a screengrab of the rejection form and hashtagged it”

http://www.gamasutra.com/view/news/263343/Epic_mistake_erroneously_blocks_man_for_being_on_US_watchlist.php

[and]

http://www.slate.com/blogs/future_tense/2016/01/12/man_banned_from_playing_a_video_game_because_he_was_on_a_terrorism_watch.html

[Another American person caught by the same List]

“…circumstances don't appear to be replicated in the story of Noor Ahmed's attempt to sign up for a payment app called Venmo, which is normally a cinch to register for, but for which Ahmed still isn't able to use.”

[snipped from Fortune]

‘she, like thousands of other Americans, shares a name with someone on a list created by a Treasury group called the Office of Foreign Assets Control. This list is called “Specially Designated Nationals and Blocked Persons,” and includes (on page 33) a 41-year-old Afghan man also named Noor Ahmed. “I was born and raised in California, but I’m taken into secondary customs at the airport no matter what because of my name,” said Ahmed. “I think it’s now extending to other parts of my life.”’-Fortune

http://fortune.com/2016/02/08/venmo-banned-users/

“For the CFAC list to be useful, never mind non-discriminatory, it should at least be able to keep a valid US citizen from being caught up in the web. If it can't manage that simple task, it's probably worth revisiting whether this list should be employed at all.” -techdirt

[consolidated article at]:

https://www.techdirt.com/articles/20160208/11234633550/how-treasury-terror-list-is-preventing-americans-with-scary-names-using-online-services.shtml

How does Noor Ahmed Get Off of the CFAC list!

GregWFebruary 16, 2016 9:26 AM

Why do our NSA officials, and our government's lawyers, in a Clintonesque "depends on what the meaning of is is", want to say that the definition of "collect"ing information depends not on when the information is acquired or processed but when a human looks at it? Why does our national policy favor the very sort of "general warrants" that our founding fathers opposed when passing the fourth amendment which states:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.


I've speculated privately (don't want to give government dumb ideas) for years that the reason to press for such an unfiltered "full take" (without even metadata redacted/encrypted per ThinThread) was to feed various machine learning and statistical techniques (and in the future, our AI deep learning overlord) that require baseline data/metadata from innocent people. But why omit mentioning it now? There is public evidence to this effect we've been trying this for almost a decade in our drone program that kills Pakistanis:
http://arstechnica.co.uk/security/2016/02/the-nsas-skynet-program-may-be-killing-thousands-of-innocent-people/

As Bruce has cautioned many times, the false positive rates are, literally, a killer.

When terrorists are few, it just doesn't work. And it doesn't help that the subtleties of statistics are easily missed (using the same data to train and test) by management.

Oh sure, it's just Pakistanis dying, they haven't yet turned the technology on us, at least we don't think... except that they are trying to find those terrorists among us, right? If your compassion for the foreigner has limits perhaps you should consider the logic of https://en.wikipedia.org/wiki/First_they_came_...

Regarding statistics and even deep learning, is it really in our nation's best interest to deploy these techniques so heavily to serve National Security? Does anybody remember how the best and brightest statisticians from Ford went to the Department of Defense with McNamara in the 60s, the infamous Whiz Kids? Those game theory and statistical techniques really helped in the buildup to the Vietnam War, right? Do we, do our leaders remember the lessons learned from that engagement?

BuckFebruary 16, 2016 11:14 AM

@Thoth

Log items older than 90 days are pruned, but it's quite unusual that it would be completely empty. Back up to about 20 entries by this morning...

Fascist NationFebruary 16, 2016 12:12 PM

How White Hat Hackers Stole Crypto Keys from an Offline Laptop in Another Room

Motherboard
Feb. 15, 2016

In recent years, air-gapped computers, which are disconnected from the internet so hackers can not remotely access their contents, have become a regular target for security researchers. Now, researchers from Tel Aviv University and Technion have gone a step further than past efforts, and found a way to steal data from air-gapped machines while their equipment is in another room. (for $3,000) .... [continue reading at this link:

https://motherboard.vice.com/read/how-white-hat-hackers-stole-crypto-keys-from-an-offline-laptop-in-another-room ]

CuriousFebruary 16, 2016 2:34 PM

Something about a terrible buffer overflow bug, not sure what this means, nothing I would know much about; though the article headline suggest the issue is severe and widespread:

http://arstechnica.com/security/2016/02/extremely-severe-bug-leaves-dizzying-number-of-apps-and-devices-vulnerable/

"Researchers have discovered a potentially catastrophic flaw in one of the Internet's core building blocks that leaves hundreds or thousands of apps and hardware devices vulnerable to attacks that can take complete control over them."

"(...)A function known as getaddrinfo() that performs domain-name lookups contains a buffer overflow bug that allows attackers to remotely execute malicious code.(...)"

"The vulnerability, which is indexed as CVE-2015-7547, was disclosed Tuesday by researchers from Google."

Clive RobinsonFebruary 16, 2016 5:36 PM

@ Fascist Nation,

How White Hat Hackers Stole Crypto Keys from an Offline Laptop in Another Room

The 3000USD price tag is well over the top. Shopping around, you can spend less than 100USD and achieve comparable results.

This is yet another example of why I say the "Air Gap" expression of old should now be considered "Harmful to Health" and replaced with the more accurate "Energy Gap".

And for those thinking about how to "Energy Gap" can I first suggest you don't make the terminal mistakes of ignoring the basic needs for humans to breath and get in and out of the secure area in a hurry in case of fire / flood / quake or other extremis. Building codes came about for a reason and they are still ostensibly sensible advice.

DuduOccursFebruary 16, 2016 6:27 PM

@Curious

seems to be a widespread flaw.

From that article you linked:

The widely used secure shell, sudo, and curl utilities are all known to be vulnerable, and researchers warn that the list of other affected apps or code is almost too diverse and numerous to fully enumerate.

and

Most Bitcoin software is reportedly vulnerable, too.

Although:
To the surprise of the Google researchers, they soon learned that glibc maintainers had been alerted to the vulnerability last July. They also learned that people who work for the Red Hat Linux distribution had also independently discovered the bug and were working on a fix.

Weirdly those people who had been alerted about the flaw had not brought it to the attention of others.

DuduOccursFebruary 16, 2016 6:46 PM

...from the article linked by @Curious

It remains unclear why or how glibc maintainers allowed a bug of this magnitude to be introduced into their code, remain undiscovered for seven years, and then go unfixed for seven months following its report. By Google's account, the bug was independently uncovered by at least two and possibly three separate groups who all worked to have it fixed.

Unclear? Maybe because this bug was useful to the government for little "bullets"

DougFebruary 16, 2016 8:03 PM

"How does one Get Deleted from a database such as the TIDE database?"
"maybe I don't know as much about watchlists as I think I do"

Logically, one can never get Deleted from such a database. Thus, the lists keep growing in competition with hardware. But that can only be done after ident, as there are multiple variants of such databases, I suppose, and they can be used for cross reference across multiple vectors of influence.

Back in the days, I believe the watch was known as Computer Watch, because the watch is on a set of hardware imprints. Now, it appears to me that personal ident is almost possible due to the use of profiling or other direct techniques.

The use of profiling is particularly interesting because it is what this web is for. But in order for that to operate, both a low-hanging fruit and the honey fruit is needed. Thus, we have the watchers and the facilitators. A "sting op" is an instance of a facilitator, but there are other less subtle instances. They work off the same talents so one tends to borrow from another.

Hence, the next logical question is How does one get Inserted to a database?

Dirk PraetFebruary 16, 2016 8:21 PM

@ ianf

the Syrian refugees are by and large well-educated, Christian, or agnostic, cultural Muslims; they make up ~79% of the immigration wave (David Miliband in Davos)

I have no idea where Miliband gets his figures from, but let me give you the official statistics for Belgium: in 2015, we received a grand total of 35,476 asylum requests, out of which 21.3% from Syria, 21.8% from Iraq and 20% from Afghanistan. 50.5% of all applicants were granted refugee status, and an additional 10.2% subsidiary protection. (Source: Belgian Commissariaat-Generaal voor de Vluchtelingen en de Staatlozen)

Local authorities in charge of (mandatory) integration courses here in my home town recently published figures that most newcomers are very lowly schooled, with no less than 17% among them complete analphabets.

Out of 50,532 (new) asylum requests made in Germany in January 2016 (Source: Bundesamt für Migration und Flüchtlinge), 53.7% are from Syria, 13% from Iraq and 9.7% from Afghanistan. The relative rise in these percentages can probably be explained by Macedonian border police since November systematically refusing entry to anyone on the Balkan route not originating from these three countries. I have no idea to what extent these figures also take into account paperless applicants claiming to be from Syria or those traveling with fake id bought in Turkey.

What I mean to say is that it is a persistent myth that the vast majority of people undertaking the perilous journey from Turkey to Greece are Syrians. However much Europe has a moral (and legal) obligation to provide shelter to refugees fleeing armed conflict and persecution, it is today massively failing its own citizens in securing its outer borders against what has become an out-of-control influx of disenfranchised Asian and African economic migrants.

Once on European soil, and even though they hardly stand any chance of obtaining asylum, they are very hard to repatriate because their countries of origin mostly refuse to take them back. From an economic vantage, many - at least in the short term - are unemployable for lack of linguistic and other required job skills. A questionable migration status, high unemployment rates on top of cultural and religious differences will make it virtually impossible for this group to ever blend in. Massive import of poverty and illiteracy will not support our economies, but will only give rise to populist parties, parallel societies like Molenbeek and add even more to already existing immigrant integration problems in the EU.

One may laud Merkel's moral high ground or loathe the position of the Visegrad and Baltic countries, but the simple fact of the matter is that the current situation is untenable. Even if by an act of $DEITY there is peace in Syria and Iraq tomorrow, hundreds of thousands from other countries will keep pouring in. For over 6 months now, EU politicians keep shouting that we need to better protect the outer borders, but Greece - for all practical purposes a failed state - is simply incapable of doing so. As is the EU Frontex Agency. The long anticipated registration "hot spots" on the Greek isles off the Turkish coast will not change that.

IMHO, the only sensible approach to get the situation under control is the recent proposal by Dutch politician Diederik Samson to ship all new arrivals back to Turkey instead of bringing them to the Greek mainland from where - mostly with "help" of human traffickers and undisturbed by Greek authorities - they travel on directly to Macedonia and up the Balkan route to their final destination. The billions of euros recently promised to Erdogan could then be used to set up refugee camps annex hot spots from where a controlled migration into Europe can take place after proper vetting of people's identities and asylum claims.

In parallel, it's about time the EU starts talking to the 21 countries of the Arab League and the 57 of the Organisation of Islamic Cooperation. So far, only Turkey, Jordan and Lebanon have been bearing the burden of the mostly muslim refugees and immigrants, whereas most other Arab and muslim nations have primarily excelled in hollow words and empty promises of solidarity.

I don't have high hopes for the upcoming EU summit this week. Neither does Merkel, who has already announced she will try to move forward with a "coalition of the willing". Not only is she deluding herself, she is widening the rift with the Visegrad countries that absent any other proposals will probably move to close the Macedonian and Bulgarian borders with Greece, effectively pushing Greece out of the Schengen zone. At which point it is just a matter of time before a humanitarian catastrophe ensues along the Greek borders.

As it stands, Merkel is increasingly isolated both in the EU and in Germany itself. Although her open border policy may at some point earn her a Nobel prize, it would seem that she is no longer realising that as a German and European leader, her first responsibility is to the EU and Germany, and that instead of uniting she is dividing.

Eastern European and Baltic countries have no history of immigration and there simply is no support whatsoever among their population for receiving and integrating large groups of muslim immigrants. However appalling, that's just the way it is, and any attempt of forcing the issue in essence is political suicide over there. Redirecting the burden to Western and Northern European countries not only is unfair, it's also doomed to fail as the once very hospitable Scandinavian countries, Austria and even France have recently made it clear that their limits too have been reached. I'm not even mentioning Spain or Italy that already have their hands full coping with the influx over the Mediterranean route.

Angela Merkel has two choices today: she can stay a morally responsible but unworkable course and become irrelevant in the process, while others like the Hungarian crypto-nazi Orban take over the initiative. Just like Putin did in Syria. And which is not going to help anyone. Or she can finally get a grip and try and unite the EU on a more pragmatic approach that does not entirely depend on open borders, forced quota and the goodwill of Turkish PM Erdogan, whom nobody in the EU trusts anyway.

Gerard van VoorenFebruary 17, 2016 2:38 AM

@ Dirk Praet,

I always believed in the EU, and I still do, but it became clear that the optimism of the 90's is gone and the expanding was too hasty. The fundamentals of the EU weren't -and aren't today- there. Something has to change, even a blind man can see that. 2016 is gonna be a very interesting year.

Clive RobinsonFebruary 17, 2016 4:10 AM

@ Gerard van Vooren, Dirk Praet,

I always believed in the EU, and I still do, but it became clear that the optimism of the 90's is gone and the expanding was too hasty.

I always believed in the European "Trading" community, it was clear from late 19th through 20th century history that the way to have peace was through prosperity. Rather than the previous "beggar thy neighbours and thy self" of military conquest (it's also the same reasoning why Empires die).

However nothing attracts scavengers and predators like success; the trading community only buys off the worst of the adjacent predators.

Thus we start to see that social success and the attendant prosperity breeds enemies. That is, if your lifestyle is better than someone else's, then they are going to be along to get a slice of the pie. But others will view your success as being at their expense and thus retaliate.

The biggest danger is from those who are further up the scale who will use any advantage they have to gain control of finite resources. The two major predators Europe has to deal with are the US and Russia. Russia because it's directly adjacent and sees its sphere of influence being corrupted away from it by both the EU and US. The US because it wants to maintain the "most powerful nation" status and is prepared to use quite a bit of belligerence to maintain that position. It also has an advantage, in that the US only has one border it currently needs to defend against non state actors, thus it does not have to "pick up the cleaning up cheque" that results from its belligerence. Thus both the US and Russia regard western Europe as a convenient "dumping ground" for what they see as the "toxic waste" that results from their foreign policies. In Western Europe we currently see those who are fleeing from US and Russian foreign policy belligerence as "human beings" not "toxic waste" but that is changing as "morals" give way to "self interest" and Europe once again becomes "tribal" and thus more prone to belligerence once again and the waste and privation it causes. In effect Europe is becoming yet again the battleground of political ambition, and is thus losing the peace it desires in what may easily turn into a third global conflict.

It appears that the solution to keep conflict out of Europe is for it to become not a "common market" but a Super Power in its own right. Which is not the way most of us on reflection would want things to go.

One thing about "Brexit" that does not appear to be commonly known is that those politically in favour of it still have "ideals of Empire" and have a quaint view as to the so called "Special Relationship" with the US. For some reason they tend to be of the view that the US is still a colonial nation that seeks "English wisdom and leadership"... And that Europe is somehow holding "Britannia back" from "her rightful place in the world"... It is a form of prideful delusion that can only end badly which might account for why more rational heads in the United Kingdom don't want to split from Europe, but do consider a split from England the lesser of the two evils.

CuriousFebruary 17, 2016 5:27 AM

US FBI has allegedly been asking Apple to build a backdoor into their products.

Looking over this article, I don't get any idea of when this is supposed to have happened.

"They have asked us to build a backdoor to the iPhone."

https://www.apple.com/customer-letter/ (16. Feb 2016)


This is apparently an appeal to precisely US customers alone. This in turn makes me wonder what Apple want from their customers by appealing to "this moment":

"This moment calls for public discussion, and we want our customers and people around the country to understand what is at stake."

Maybe they are looking for excuses for implementing, or even for NOT implementing certain company policies that could or would seem to thwart government mass surveillance, but not in the Apple's name, but in the name of the customers.

I haven't yet read all of it, so I might have missed out on some important aspects of Apple's article.

L. W. SmileyFebruary 17, 2016 5:54 AM

@Curious

A judge has ordered Apple to provide the FBI "reasonable assistance" in breaking into the San Bernardino shooter's iPhone with iOS 9; specifically they want Apple to modify the operating system to disable the feature that erases contents after more than 10 attempts at entering a decryption passcode, so that the FBI et al can brute force the decryption passcode. Apple is opposing the ruling on the grounds that it will weaken security for millions of law abiding users and allow foreign gov and hacker access. I'm sure their fallback, if they lose this to-be-drawn-out legal battle, will be that it is technically impossible; however they routinely push through OS updates that change features which do not destroy encrypted contents. This judge's order affects google android phones and others etc.

http://www.cnn.com/2016/02/16/us/san-bernardino-shooter-phone-apple/

http://www.nbcnews.com/storyline/san-bernardino-shooting/apple-fights-order-unlock-bernardino-shooter-s-iphone-fbi-n519881

etc.

L. W. SmileyFebruary 17, 2016 6:32 AM

In effect the government is deputizing Apple to assist in executing the legal warrant for the San Bernardino shooter's phone.

CuriousFebruary 17, 2016 6:34 AM

I wonder what "search warrants" are in USA: I am wondering if a search warrant is ONLY something issued by a judge, or if a "search warrant" is also something government agencies can issue themselves without a judge.

ianfFebruary 17, 2016 8:05 AM


@ Curious, L. W. Smiley,

a pretty good description of what's it all about can be found in this The Guardian's article, where the Court says manufacturer must supply software to break encryption on Syed Farook’s phone so it can be accessed without wiping his data, which, if executed, would create a dangerous legal precedent for the future.

ThothFebruary 17, 2016 8:17 AM

@all
A Semi-Formally Verifiable PKCS5/7 Decoding Scheme And Pitfalls

Some observations on the PKCS5/7 padding scheme for decoding when implementing on constrained hardware (i.e. smartcards and embedded chips), and the pitfalls to be mindful of that I noticed when trying to build my own PKCS5/7 padding scheme from scratch (manipulating raw bytes in embedded hardware - smartcards - recently :)). Some of the pitfalls can cause your code to run into illegal boundaries like reading into illegal memory spaces (if there is no protection) and are a must to guard against for crypto-systems of all kinds when running in decoding mode.

Below are some scenarios to help semi-formally verify if your PKCS5/7 codec is having some trouble. This is useful in making your crypto-implementations more highly assured in terms of logical codes against logical attacks on your crypto-systems.

Terms:
- Block size: the size of a block of data unit that the padding scheme will attempt to achieve.

- Data size: the size of a block of raw input data that needs to be processed by the padding scheme.

Scenarios:
1.) Data size of data to be decoded is smaller than defined block size. Let's say a block size for AES encryption is 16 bytes (128 bit block length) and you have decrypted a supposedly encrypted data that needs to be padding decoded.

Example:
1A E0 D6 F7 05 05 05 05 05

You will be 7 bytes short or 19 bytes long which are

2.) Last byte represents an invalid padding length required. The represented padding length in byte represents a padding length too long for the data array and the required block size. Again we assume a block size of 16 bytes which is the minimum requirement for AES encryption or any 128 bit block length symmetric cipher.

Example:
1A E0 D6 F7 50 2A 3D E1 DD 47 1A 02 04 04 04 FF

The last byte is FF which means 255 in decimal. The most a 16 byte block size can represent is 10 in hexadecimal representation, and FF is simply not possible. If this problem is unchecked, you might run into buffer array problems and accidentally touch other memory segments you are not supposed to touch. Sandboxes will typically throw some array-based exception when this happens.

3.) Decision making on whether to treat a data array as padded or not can be tricky. This usually occurs when you have all the bytes in an array having the same elements and you have to make the call to decide if the data is padded or raw. Some file formats may use a bunch of the same elements to fill themselves in their own padding or file format and this scenario may occur.

Example:
10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10

Assuming that the block size is 16 bytes again (for AES or some 128-bit symmetric cipher encryption), and a data segment presents such a sample as above, the better choice is to spit the data back out as the result since it is unlikely to be padded and is likely a file format or some data format of sorts. This is not a huge headache in terms of logic vulnerability but it is a decision that has to be taken care of by the codec.

4.) A variant of 3.) where the elements are all the same but the elements representing the decimals is not the same size of the block size (bigger or smaller). The below examples would make it easier to conceptualize.

Example:
05 05 05 05 05 05 05 05 05 05 05 05 05 05 05 05

08 08 08 08 08 08 08 08 08 08 08 08 08 08 08 08

FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF

Similarly we assume a 16 byte block size. The above examples represent the extreme cases. The top scenario (05 .. 05) can be simply treated as scenario 3.) and be spat out raw. The second scenario (08 .. 08) is unique in the sense: should it be interpreted as 08 padding or should it be spat out raw again? This is going to be a tough decision between treating it as in scenario 3.), to spit it out raw and not process it, or to process it as padded with 8 pieces of 08 bytes, where the final result would be (08 08 08 08 08 08 08 08). The better answer would be to actually process it and return (08 08 08 08 08 08 08 08), as it meets the condition in scenario 1.) where the total data array size is more than or equal to the block size, the last byte is 08 and is valid for scenario 2.) since the total acceptable block size is 16 bytes (0x10 hex), and although it meets scenario 3.) where you are likely to abandon it and spit the raw data out, it is within the proper bounds of 1.) and 2.) to be parsed without causing the parser to violate other memory space by accident and thus crash the logic. The last example is the most extreme case, which violates scenarios 2.) and 3.). FF is a representation for 255 and a block size of only 16 cannot accept 255 (FF). All the elements are FF so it's best to spit it back out and not process it.

The main thing that these scenario cases are created are to prevent accidents that step into illegal logic boundaries that makes crypto-systems un-assuring and insecure due to bad logic.

Final Words:
I have spent a few months trying to create my own PKCS5/7 implementation and harden its logic against possible logic attacks in a constrained environment, from scratch, to give my logic a higher assurance. While creating the logic, I have also come up with the above scenarios in an attempt to break my own code, and those above are what I have encountered when making and breaking them. Some of you might already have noticed those scenarios but it is good to have a reminder once in a while that our crypto-systems are not built upon at least an informally, or even better a semi/formally, verifiable basis, which leads to stuff like Heartbleed for OpenSSL and many other OpenSSL and crypto-system exploits due to (not just large codebases) but also logic that is not encapsulated in a context suitable for semi/formal logic verification of code (the code-and-forget bad habit of many developers).

These scenarios should NOT occur if the AES cipher decryption actually worked and it has an HMAC or some signing done to detect tampering before decryption, but that's not the case if you are going to pad something more than a single cipher block worth of data. You can think along the lines of trying to pad anything more than a block cipher's internal block size worth of data (e.g. 256 bits of data or more for AES schemes, which is 2 AES cipher block lengths).

Some data can be maliciously used to cause the padding scheme's codec engine to glitch and produce wrong data which may have chained consequences (unverified codes) which may be used as a small attack vector to cause an embedded chip's state machine to glitch.

Overall, the main essence of what I am trying to say is VERIFY your crypto-implementations in a somewhat semi-formalized scheme as I have done above and get it checked otherwise you and your users might feel the pain when someone found some accidental nasties.

From a technical view point, getting PKCS5/7 to work on an embedded system can be slower in terms of decoding than other schemes and may not be fully suited for embedded environments but due to their ubiquity, they need to be supported even on embedded systems and this is where unverified codes or codes with poor verification can turn into a disaster. The easy way out is not to use problematic crypto-schemes but that is not always practical if you are trying to be compliant to standards which you may need to comply for your crypto-systems.
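The checks described in the scenarios above, as an added example in C that is not Thoth's smartcard code and not from any library: a bounds-checked PKCS#7 unpadder with a matching padder and a pad/unpad roundtrip, with the sample blocks from the scenarios constructed inline. The example follows the RFC 5652 rule that every message is padded, so sixteen 0x10 bytes decode to an empty message, sixteen 0x05 bytes to eleven bytes of 0x05, and a last byte of 0x00 or 0xFF is rejected before it is ever used as an index. The 16-byte block size, the function names and the sample arrays are assumptions of the example, and the fixed-trip-count scan is a bounds measure only, not a full constant-time unpadder.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_SIZE 16u   /* AES block length; assumed for this example */

/* Error returns of pkcs7_unpadded_len(); any value >= 0 is a message length. */
#define PKCS7_ERR_LENGTH   (-1)  /* empty input, or not a whole number of blocks */
#define PKCS7_ERR_PADDING  (-2)  /* pad byte outside 1..BLOCK_SIZE, or pad bytes differ */

/* Validate PKCS#7 padding (RFC 5652 section 6.3) on an already block-decrypted
   buffer and return the message length with the padding removed. Every range
   check happens before a byte taken from the (possibly attacker-controlled)
   buffer is used as an index, so the function never reads outside [buf, buf+len). */
int pkcs7_unpadded_len(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len == 0 || len % BLOCK_SIZE != 0 || len > (size_t)INT_MAX)
        return PKCS7_ERR_LENGTH;             /* scenario 1: short or ragged input */

    uint8_t pad = buf[len - 1];
    if (pad == 0 || pad > BLOCK_SIZE)        /* scenario 2: 0x00 and 0xFF both rejected */
        return PKCS7_ERR_PADDING;

    /* Scenarios 3 and 4: each of the last `pad` bytes must equal `pad`. The loop
       always walks the whole final block so its trip count does not depend on
       the pad value; the mask decides which positions actually count. */
    uint8_t mismatch = 0;
    for (size_t i = 0; i < BLOCK_SIZE; i++) {
        uint8_t b = buf[len - 1 - i];
        uint8_t in_pad = (uint8_t)(0u - (unsigned)(i < pad));  /* 0xFF inside the pad, else 0 */
        mismatch |= (uint8_t)((b ^ pad) & in_pad);
    }
    if (mismatch != 0)
        return PKCS7_ERR_PADDING;

    return (int)(len - pad);
}

/* Append PKCS#7 padding. Returns the padded length, or 0 if `out` is too small.
   A whole block of 0x10 is appended when in_len is already a multiple of
   BLOCK_SIZE, which is why the unpadder can always strip at least one byte. */
size_t pkcs7_pad(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_cap)
{
    size_t pad = BLOCK_SIZE - (in_len % BLOCK_SIZE);   /* always 1..BLOCK_SIZE */
    if (out_cap < in_len + pad)
        return 0;
    memcpy(out, in, in_len);
    memset(out + in_len, (int)pad, pad);
    return in_len + pad;
}

/* Pad a constructed message of msg_len bytes (0..64), unpad it again, and
   report 1 if the original length and content come back unchanged. */
int pkcs7_roundtrip_ok(size_t msg_len)
{
    uint8_t msg[64], padded[64 + BLOCK_SIZE];
    if (msg_len > sizeof msg)
        return 0;
    for (size_t i = 0; i < msg_len; i++)
        msg[i] = (uint8_t)(0xA0 + i);
    size_t n = pkcs7_pad(msg, msg_len, padded, sizeof padded);
    return n != 0 && pkcs7_unpadded_len(padded, n) == (int)msg_len
           && memcmp(padded, msg, msg_len) == 0;
}

/* Constructed inputs mirroring the scenarios in the comment above. */
const uint8_t SAMPLE_SHORT[9]    = {0x1A,0xE0,0xD6,0xF7,0x05,0x05,0x05,0x05,0x05};
const uint8_t SAMPLE_FF_LAST[16] = {0x1A,0xE0,0xD6,0xF7,0x50,0x2A,0x3D,0xE1,
                                    0xDD,0x47,0x1A,0x02,0x04,0x04,0x04,0xFF};
const uint8_t SAMPLE_BAD_RUN[16] = {0x1A,0xE0,0xD6,0xF7,0x50,0x2A,0x3D,0xE1,
                                    0xDD,0x47,0x1A,0x33,0x02,0x04,0x04,0x04}; /* 02 breaks the run of 04 */
const uint8_t SAMPLE_ALL_10[16]  = {0x10,0x10,0x10,0x10,0x10,0x10,0x10,0x10,
                                    0x10,0x10,0x10,0x10,0x10,0x10,0x10,0x10};
const uint8_t SAMPLE_ALL_05[16]  = {0x05,0x05,0x05,0x05,0x05,0x05,0x05,0x05,
                                    0x05,0x05,0x05,0x05,0x05,0x05,0x05,0x05};
const uint8_t SAMPLE_ALL_08[16]  = {0x08,0x08,0x08,0x08,0x08,0x08,0x08,0x08,
                                    0x08,0x08,0x08,0x08,0x08,0x08,0x08,0x08};
const uint8_t SAMPLE_ALL_FF[16]  = {0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
                                    0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF};

int main(void)
{
    printf("short   : %d\n", pkcs7_unpadded_len(SAMPLE_SHORT, sizeof SAMPLE_SHORT));     /* -1 */
    printf("FF last : %d\n", pkcs7_unpadded_len(SAMPLE_FF_LAST, sizeof SAMPLE_FF_LAST)); /* -2 */
    printf("bad run : %d\n", pkcs7_unpadded_len(SAMPLE_BAD_RUN, sizeof SAMPLE_BAD_RUN)); /* -2 */
    printf("all 10  : %d\n", pkcs7_unpadded_len(SAMPLE_ALL_10, sizeof SAMPLE_ALL_10));   /*  0 */
    printf("all 05  : %d\n", pkcs7_unpadded_len(SAMPLE_ALL_05, sizeof SAMPLE_ALL_05));   /* 11 */
    printf("all 08  : %d\n", pkcs7_unpadded_len(SAMPLE_ALL_08, sizeof SAMPLE_ALL_08));   /*  8 */
    printf("all FF  : %d\n", pkcs7_unpadded_len(SAMPLE_ALL_FF, sizeof SAMPLE_ALL_FF));   /* -2 */
    printf("roundtrip 0/5/16/47: %d%d%d%d\n", pkcs7_roundtrip_ok(0), pkcs7_roundtrip_ok(5),
           pkcs7_roundtrip_ok(16), pkcs7_roundtrip_ok(47));                              /* 1111 */
    return 0;
}
```

The two range checks before the loop are the whole point: the pad byte comes straight out of the decrypted buffer, so it is attacker-influenced, and it must be proven to lie in 1..BLOCK_SIZE and the buffer proven to be at least one whole block before it is used to compute an offset. An unpadder that trusts the last byte is exactly the kind of code that walks off the end of a smartcard's APDU buffer.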

ianfFebruary 17, 2016 9:15 AM


Regarding the FBI's request, and the magistrate Sheri Pym's order for Apple to comply, I wonder if that wouldn't be an opportune time for its CEO Tim Cook to refuse it, be found in contempt of court (which is a biggie in self-deluded "always super legal" Yankee minds), put in prison, and thus create a grave capitalist-Apple-vs-Orwellian-society crisis.

I dare say that the FBI with its silly iPhone post-mortem munchies shooing in a dangerous legal precedent, would not win this. And then the only way in which this outrage of putting the CEO of such a major US economic asset (and for not anything illegal that they've done) could be defused, would be for Tim Cook being pardoned off by the outgoing president Obama, and perchance an overview of the runaway jurisprudence.

ianfFebruary 17, 2016 9:47 AM


@ Thoth, a very ambitious, and clear even for a laic to sort-of understand scheme. Only, given our ADHD-heavy/ instant gratification times, I presume that what you'd really need would be an app with a dongle to read your embedded smartcard hardware and then output "Your PKCS5/7 has been Semi-Formally Verified" or "Not Verified." ;-))

CuriousFebruary 17, 2016 4:06 PM

Off topic I guess:

I won't claim to understand this, but EFF has an article that discusses a subtle change in the language in the TPP agreement text. A single word changed supposedly would alter the interpretation severely. I am not sure, but if I understood it correctly, the word "subparagraph" is a reference to something further down the text, to something with a different content. It could have been explained better in the article I think.

The article does speculate that this might be an error, though I did find this interesting myself. Would be devious if there really was some kind of trickery going on.

https://www.eff.org/deeplinks/2016/02/sneaky-change-tpp-drastically-extends-criminal-penalties

Dirk PraetFebruary 17, 2016 8:51 PM

@ Clive

It appears that the solution to keep conflict out of Europe is for it to become not a "common market" but a Super Power in it's own right. Which is not the way most of us on reflection would want things to go.

The best solution to keep conflict out of anywhere is to show strength and unity, at least to the outside world. You don't have to be military super power to do that, but it sure helps to have a leadership with a clear vision and that somehow is able to get everyone behind it, including the dissenters.

I personally believe chancellor Merkel has such a vision, but - contrary to someone like Putin - is unable to execute on it. Her decisions in September last year to open up the borders without consulting the other EU heads of state and to impose refugee quotas on each country were ill-advised. It has pitted more than half of the EU against her, including a full rebellion in former Eastern Europe. It's kinda ironical that her best chance of reining them in is to actually give in to some of Cameron's demands and threaten to generalise them all over the EU, as that would seriously impact many of their citizens both home and abroad.

CuriousFebruary 18, 2016 4:36 AM

I am reading that there is an upcoming mobile phone that has a thermal imaging feature on it. The article I read (not in English) also mention that there is a thermal imaging accessory already available for the iPhone and Android phones.

CuriousFebruary 18, 2016 4:38 AM

To add to what I wrote. This kind of tech makes me wonder if perhaps recording the heat seen on key pad input buttons is a serious security issue.

CuriousFebruary 18, 2016 5:26 AM

I am not very knowledgeable of network technology so take the following with a grain of salt so to speak:

I wonder if the future of the internet, might unfortunately be an internet where people are forcefully sluiced into segregated parts (authoritatively), for which the internet would be layered (think surplus networking capabilities). Maybe an excuse for putting that together in the future, would be to harp on how net neutrality is bad today, and so when the time comes in the future regulations for segregation is ready, for radically changing the way the internet works. I can sort of imagine how this would be a nationalization of the internet (presumably something bad).

There seem to be issues with bandwidth today, my impression anyway, but what happens if there came a point where there was, or someone instructed there to be built, "a multi lane internet" with more total bandwidth. Maybe something like that exist already somewhere? No idea how that would work technically.

ianfFebruary 18, 2016 11:21 AM


@ Marcos El Malo has “only ever interacted with one Texas judge who helped him over the phone with a very minor matter before his court. […] A good part of their 15 minute call was friendly chatting about inconsequential matters.”

You are talking of a single occurrence with beneficial outcome in a minor matter, but it sort of scares me anyway… this whole premise of relying on an informal whim of a third party, here a judge, to make something stick, or go away. Because if it can go one way, it could just as well go the other way. That's why, when dealing with law enforcement etc., I always insist on keeping it formal, do not even give them my telephone number “because I expect a response in writing.”

Similarly, when on occasion I have to leave an affidavit or similar, I turn up at the office with one already composed by me, and have that put into file. Since all such "contacts with the police" do not "wither away," I am sure that, should I be tainted with something in the future, the DA would first request a trace on me from the police archive, and then whoever digs these up, would note that they'd better deal with me by the book, or drop the matter (as—the latter—has happened at least once). Of course, I can do that, because I live in a country with different traditions of policing than the American shoot-first/ lie later one, and no unlimited state budgets for the judiciary. But that makes your need to stick to formalities at all times even more pressing – if you understand what I mean and of course you do.

Because it's not like US judges have been known for their restraint, or lack of biases, and quite a few have been bigoted and worse beyond the last vestiges of reason (or else I don't know what to call the judges in the #WM3 and #CP5 cases… for a start). So, when dealing with officialdom, keep these (allegedly one Lord Acton's) eternal words in mind:

    “All power corrupts.
    Absolute power corrupts absolutely.”

ObLitContent: the sanctimoniously righteous judge figure in Carl Hiaasen's "Striptease" (the novel).

ianf • February 18, 2016 12:06 PM


@ Curious “there is an upcoming mobile phone that has a thermal imaging feature on it [and also] a thermal imaging accessory already available for the iPhone and Android phones.”

The latter presumably uses the smartphone for display, nothing unusual in that. The former, if equipped with a thermal sensor, is probably intended for some vertical (yet still large) market segments like firemen, building trades, insulation inspectors, etc.


“… makes me wonder if perhaps recording the heat seen on keypad input buttons is a serious security issue.”

Given other potential input threat vectors, I wouldn't worry about it, as phones with such "thermal leak capabilities" will hardly become common household items. Besides, there are so many easier security breach avenues for an attacker to explore… you could for instance become unwillingly "look into my eyes, look into my eyes, you're under" hypnotized while shopping for groceries—you eat celery, don't you?—and then go thru the motions of life until "you're back in the room."

Curious • February 18, 2016 1:46 PM

According to this article, the FBI's Comey intends to expand its powers when issuing national security letters, so that they can directly demand data about your internet activities from phone and internet companies without having to ask for permission from a judge.

"FBI’s Push to “Fix a Typo” Would Really Expand Its Surveillance Authority"
https://www.justsecurity.org/29382/fbis-push-fix-typo-expand-surveillance-authority/


"Through Comey’s “ECTR fix,” the FBI would have the unilateral authority to obtain information from phone and Internet companies about your online communications such as logs of emails you send and receive, cell site data (including your location information), and lists of websites you visit. The FBI wants to get this information using National Security Letters (NSLs), which are demands for information issued directly by local FBI offices without any court approval or supervision."

"Under current law, the FBI can only use NSLs to get information pertaining to a customer’s “name, address, length of service, and local and long distance toll billing records of a person or entity.” By contrast, if the FBI wants to compel a company to hand over the much more revealing private information that is included in ECTRs, they currently can’t use NSLs — instead, they have to get a court order after convincing a judge that they have a factual basis for demanding those records."

"Therefore, the FBI’s proposal that Congress add ECTRs to the NSL statute is far from a typo fix, and would instead be a major expansion of FBI’s authority to conduct surveillance with virtually no oversight and no accountability."

Curious • February 18, 2016 1:47 PM

I feel a little silly writing about such news, because, being a European citizen, I know so little about it all.

ianf • February 19, 2016 9:40 AM


@ Curious feels a little silly writing about such news, because he knows so little about that on account of being a European.

Unless you've been living under a rock, and never were interested in the world around you—which your presence here contradicts—you pretty much know as much about America, and definitely more about the world, than do the Americans at large (for one: they neither care, nor need to, because of their drilled-in belief in American exceptionalism – a magnified egocentric worldview of themselves as just benevolent happy campers). So no need to hold your [f]ire.

Whether we like it or not, American moral, cultural and economic values so smother today's globe that it's a wonder any "foreign" modern cultures have survived and thrive. Think again: ~70% of all films in theaters and on TV are of/by Americans—Yanks abroad, if we're lucky, but are we l.u.c.k.y, punk? (Wael has the answer and will supply it for half a silver dollar.) The positive dividend here is that whenever I am in New York City, I neverever need a guide book, as I already have the city grid and subway map imprinted on my brain ("Take the A-train…").


Re: the thermal sensor phone

[gizmodo] The target demographic for the new CAT S60, which includes engineers, construction workers, inspectors, or anyone needing a Tonka-tough phone.

The "S60" sounds like a branded version of that smartphone, albeit here ruggedized and with added thermal sensor capabilities. I wonder what was Samsung's minimal order threshold for a customized version… presume no less than 250,000 units. Hitherto known neither for their mobiles nor for Billboard #1 tracks, the Caterpillar company must've had enough requests for measuring water seepage in tunnels to undertake that gamble (water = humidity = airborne, hence impossible to measure with precision outside a lab, so thermal imaging and derivative modeling of it sounds like an acceptable control method). And if the phone sells out quickly, we can be sure that Samsung will next bring out a generic thermal-sensor version of it… R&D costs courtesy of CAT ;-))


Re: Hypnosis? That is very silly

Mission accomplished! BTW, now you're definitively back in the room.

ianf • February 23, 2016 6:31 AM


@ Dirk Praet

the Syrian refugees are by and large well-educated, Christian, or agnostic, cultural Muslims; (David Miliband in Davos: they make up ~79% of the immigration wave)

    I have no idea where Miliband gets his figures from

Fair enough, I wrote it down off the telly, and have now researched it further. That percentage was of all refugees in last year's migration waves, of which Syrians constituted 59%; Afghanis 12%; +~8-10% Iraqis. I assume these figures are of the arrivals in the first EU countries, not the destination countries. @DMiliband heads the International Rescue Committee, an NGO with Albert Einstein and Varian Fry among its founders, pretty authoritative a source.

DM said that in a quiet and credible voice in response to a challenging question from the floor:

    “You are entitled to your own opinions, but you are not entitled to your own facts: 59% percent of those arriving in Europe are from Syria, another 22% are from Afghanistan, so it’s safe to say they have a well-grounded fear of persecution or violence.”

Full quote off the Davos “Europe at a Tipping Point” debate page, where there's plenty of other FoodForThought™, such as:

    […] It’s also important to acknowledge the role of nations in the Middle East, who have taken in millions more refugees than countries in Europe, says Mogherini. So it’s not just a European problem.

    Ninety-five percent of Syrian refugees are in Turkey, Lebanon, Jordan, Iraq and Egypt.

    We have no choice… our challenge is to fix the short-term situation while creating a long-term solution.

For the TL;DR-challenged, that page also carries several lucid diagrams of migratory statistics.

Much as I'd like to, I can't comment on your no doubt correct Belgian and German refugee care-taking, integration, and future prospects scenarios, nor do I have much to add to the by-you-cited “only sensible approach to get the situation under control: the recent proposal by Dutch politician Diederik Samson to ship all new arrivals back to Turkey instead of bringing them to the Greek mainland.” It's not that I would dis/agree with you in detail or at large, but that the issues are far too complex, too far outside the scope of this forum, and too near the limits of my (somewhat informed, but then what do I know) insights into the matter, to contribute anything of substance. You have written quite a diatribe worthy of serious deliberation, only not by me, nor in these columns.

So I'll end up with a rhetorical question, which doesn't require an answer, but perhaps can add a new dimension to your thoughts in this matter:

    Assuming the goal is EU For Europeans (i.e. the pre-2004 status quo), what would it take to create and maintain Fortress Europa? Can you imagine Frontex gunships & gunboats patrolling the Aegean, and key routes of the Medi, firing sharp at, and/or towing back to Africa, all the unauthorized boats filled with people?
[I just realized how much that image of black heads bobbing on floats in rough seas resembles that of past centuries' slave trade, then below decks… only this time the "slaves" are betting their lives to share in the welfare of their one-time slave masters.]

Dirk Praet • February 23, 2016 9:11 PM

@ ianf

    That percentage was of all refugees in last year's migration waves, of which Syrians constituted 59%; Afghanis 12%; +~8-10% Iraqis.

According to the UNHCR, out of +/- 1 million sea arrivals in 2015, 49% were Syrian, 21% Afghan and 8% Iraqi. But both are about 79%, so I guess your original quote applied to all 3 groups, not just to Syrians.

    Assuming the goal is EU For Europeans (i.e. the pre-2004 status quo), what would it take to create and maintain Fortress Europa?

Europe needs immigration, which is why I have always found the entire concept of Fortress Europe to be pretty absurd. The current, uncontrolled influx of disenfranchised refugees and economic migrants alike is however something entirely different.

    Can you imagine Frontex gunships & gunboats patrolling the Aegean, and key routes of the Medi, firing sharp at, and/or towing back to Africa, all the unauthorized boats filled with people?

No, I can't. Conversely, someone else could ask the equally legitimate question: "Can you imagine hundreds of thousands, if not millions, crossing the Mediterranean and the Aegean, landing on our shores in a completely uncontrolled way?" I believe neither one of these outcomes is desirable.

As expected, last week's EU summit again was a dud. Merkel stayed her course of open borders, repeating her three-bullet-point solution:

1. Cooperation with Turkey to decrease the number of refugees crossing over to Greece
2. Better secure the EU outer borders
3. Tackle the underlying causes (Syria, Iraq wars)

As to 2 and 3, Greece and Frontex have shown themselves to be utterly unable to secure the Greek coastline, and from both a political and military vantage the EU has little to no control over what's happening either in Syria or Iraq. Frontex and even the recently dispatched NATO ships are in essence providing a humanitarian service to pick up people out of the sea and take them to the EU mainland.

So it all boils down to Turkey's willingness not only to significantly decrease the number of people crossing the Aegean but also to take back those not entitled to asylum in Europa. In exchange, the EU will pay Turkey billions of euros, loosen visa requirements for Turkish nationals, shut up about human rights violations, turn a blind eye to their campaign against the Kurds and arrange for legal immigration of refugees into Europe. Details of which should be agreed upon at a forthcoming summit with Turkey.

However much I would like to believe the contrary, I'm afraid this strategy is fundamentally flawed. First of all, in having to rely on a non-EU country, it shows the catastrophic failure of a joint EU refugee approach and the utter inability to secure the outer borders. Moreover, I very much doubt that Erdogan is ever going to either stop or take back significant numbers of asylum seekers, as Turkey is being overrun itself. Not only does it sound counter-intuitive, Turkey has never respected the 2002 treaty with Greece on the issue either, and has already backed down on recent commitments that NATO ships can bring refugees saved at sea back to Turkey. From what we have seen so far, Erdogan is only using the refugee crisis as leverage to extort the EU in as many ways as possible.

Last but not least, even a successful collaboration with Turkey does not solve the situation in Libya, where hundreds of thousands are awaiting spring to cross the Mediterranean. Where after hundreds if not thousands of additional drownings they'll get stuck in Italy, as neither France or Austria will let them in or through.

Whether you support Angela Merkel or not, the simple fact of the matter is that her stubborn attitude is a road to ruin for the EU, the refugees and herself. Unless there is a significant decrease in numbers of refugees in March, Visegrad states will close the borders with Greece whereas the Mediterranean route will be cut off in the north of Italy (Austria, France). Which means the definitive end of Schengen and a huge economic loss, further EU division and a humanitarian crisis in Greece, Italy and at sea. Since Europe is unable to cope with the situation, a more comprehensive approach is required.

1. Immediate initiation of talks between EU top diplomats and the UN, the Arab League and the Organisation of Islamic Cooperation instead of Angela Merkel's solo initiatives with Turkey.

2. Establishment of refugee registration hot spots not only on the Greek isles off the Turkish coast, but also in Cyprus, Malta, Libya and Turkey, preferably under UN mandate. From there, legitimate refugees can be brought to the European mainland AND other countries in a controlled manner.

However much Afghans may be entitled to refugee status, I cannot shake the feeling that there are sufficient other safe countries much closer to home for them, and that their ultimate motivation for coming to Europe in essence is purely economical. If my interpretation of the Geneva Refugee Convention is correct, there is no such thing as an absolute right for refugees to pick their country of destination. The Convention only asks of its signatories to accommodate such requests "as much as possible", which in the current crisis IMHO is no longer the case.

3. Migrants saved or intercepted at sea must be returned to their embarkation point or the nearest official hot spot with sufficient accommodation facilities, as per the Samson proposal. Same for anyone on any refugee route not in possession of valid registration papers or refusing to apply for asylum in the EU country he or she is currently held up in. This is the only way to avoid situations like the Calais jungle.

4. Any country refusing to take in a fair contingent of refugees must be hit with economic sanctions, whether they are European, Arab or otherwise involved in the current Syrian and Iraqi civil wars.

This goes especially for Saudi Arabia and the Gulf States who are still dodging their obligations under international law and unreasonably burdening Turkey, Lebanon, Jordan and the EU with the results of a crisis they at least partially share the blame for in aiding and abetting factions actively involved in the Syrian civil war.

5. Migrants not qualifying for refugee status, i.e. illegal immigrants, must be sent back to their country of origin without further ado. Same goes for criminal elements. Those countries obstinately refusing to take them back should equally face severe economic sanctions and other repercussions. In Germany alone, there are already about 200k rejected asylum applicants. Non-action against rejected and criminal immigrants is one of the main reasons for the erosion of popular support for positive refugee management.

6. A ruthless crackdown - including extended jail time and seizure of assets - on human traffickers that are making billions out of this crisis. About 90% of all immigrants are making use of their "services".

7. An immediate stop to Germany's current open border policy - at least until the outer EU borders have been adequately secured - bringing the country back in line with the other 27 member states of the EU, even the most welcoming of which today want hard limits and maximum daily contingents to adequately cope with both influx and integration.


Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.