Friday Squid Blogging: Squid Scientists on Tumblr

Really great Tumblr feed.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on March 11, 2016 at 4:21 PM • 129 Comments

Comments

It's Friday, again • March 11, 2016 4:53 PM

What the hell is this creature that washed up onto a beach?

http://metro.co.uk/2016/02/16/what-the-hell-is-this-creature-that-washed-up-onto-a-beach-5685855/

Microsoft adds 'non-security updates' to security patches

http://www.theregister.co.uk/2016/03/11/microsoft_adds_nonsecurity_updates_to_security_patches/

Home Office is cruising for a lawsuit over police use of face recog tech

http://www.theregister.co.uk/2016/03/11/home_office_warned_over_police_facial_recognition_abuses/

How a Brexit could stop UK biz and Europe swapping personal data

http://www.theregister.co.uk/2016/03/11/brexit_data_sharing_problems/

TP-Link blocks open source router firmware to comply with new FCC rule

http://arstechnica.com/information-technology/2016/03/tp-link-blocks-open-source-router-firmware-to-comply-with-new-fcc-rule/

Man accused of jamming passengers’ cell phones on Chicago subway

http://arstechnica.com/tech-policy/2016/03/man-accused-of-jamming-passengers-cell-phones-on-chicago-subway/

Feds fire back on San Bernardino iPhone, noting that Apple has accommodated China

http://arstechnica.com/tech-policy/2016/03/feds-fire-back-on-san-bernardino-iphone-noting-that-apple-has-accommodated-china/

Update Flash now – targeted attacks exploiting security holes

http://www.hotforsecurity.com/blog/update-flash-now-targeted-attacks-exploiting-security-holes-13532.html

Cothority to Apple: Let’s make secret backdoors impossible

http://arstechnica.com/security/2016/03/cothority-to-apple-lets-make-secret-backdoors-impossible/

Milo M. • March 11, 2016 5:13 PM


http://spectrum.ieee.org/tech-talk/aerospace/military/darpa-invites-techies-to-turn-offtheshelf-products-into-weapons-in-new-improv-challenge

"On Friday, DARPA announced a new project called “Improv” that invites technologists to propose designs for military applications or weaponry built exclusively from commercial software, open source code, and readily available materials. The program’s goal is to demonstrate how easy it is to transform everyday technology into a system or device that threatens national security."

"DARPA will provide $40,000 in funding to complete a feasibility study for those it deems most alarming."

So dust off those runner-up movie threat plots (or the winners), and mail them to DARPA.

http://www.darpa.mil/news-events/2016-03-11

ianf • March 11, 2016 5:33 PM


OT: A serial, episodic true-crime story may not be everybody's cup of tea, but for those in the mood, this one may be just the ticket, worthy of following & subscribing to The Atavist (sort of a spectacular cold cases Magazine built on top of same-name hypertextual publishing platform).

Welcome to "The Mastermind," our first ever series, two years in the making. For the next six weeks, Evan Ratliff will unravel the harrowing tale of Paul Le Roux, a brilliant programmer who became a brutal cartel boss.

Episode 1: An Arrogant Way of Killing by Evan Ratliff

mastermind.atavist.com/an-arrogant-way-of-killing

[Wael, quit drooling now, remember the 6 weeks' ATTN SPAN.]

Namor of the Sea • March 11, 2016 5:59 PM

on gps jammer, saw that on /. and was going to look into it.

Mainly, 'how did they catch him'. Looks like it was not brain surgery.

Chicago Transit Authority commuters have been complaining for months that their mobile devices were suddenly losing connectivity while riding Chicago's subway and elevated train lines. Pictures of the alleged culprit had been circulating on social media and even on Reddit. An undercover operation, police said, led to the man's arrest on a felony charge of signal jamming, which carries a maximum penalty of a year in prison.

Thankfully, he is that stupid, and does not know how to 'roll his own'. You could easily have one hidden in the soda can, in a pack of smokes. Probably even a pack of chewing gum. But, this is a guy who hasn't figured out what ear buds are.

@Milo M

Yeah, saw that also on /. and was going to look into it. Unfortunately, there is really no end to what people can do with everyday products. I am sure a chemist especially could do horrible things. Hopefully, they are just looking for the most shocking examples, and plan to utilize that information to watch purchasing patterns.

But, then, what could chemists come up with.

And why would busy chemists want to engage in such a pursuit? To show the government what nasties they are personally capable of?

Couldn't DARPA hire some group of chemists who are tasked specifically just for such analysis, and make it longer term?

Maybe they have, and just want to see what anyone else would come up with.

Growing Number of Android Malware Families Using the Same Codebase
http://www.fireeye.com/blog/threat-research/2016/03/android-malware-family-origins.html

Problem with android examples is even if the people do not have source code, they can reverse it. Rewrite, recompile, repackage.

Very different with Windows binary malware, where you can see the same code base used, and make some conclusions in attribution about authorship. Anybody could alter the binary, but that leaves tell tale marks. And there is no reason to do that.

Android Banking Malware Circumvents 2FA
http://it.slashdot.org/story/16/03/11/0653253/android-banking-trojan-masquerades-as-flash-player-circumvents-2fa

Grabs the SMS and uses it in conjunction with a duplicated login page.

Obvious and known tactic, but good reminder that 2fa is not perfect.

Who Took the Cookies from the Cookie Jar: The Importance of Government Providing the Public with Its' Real Hand when It Comes to Attribution

http://www.darkreading.com/partner-perspectives/intel/who-took-the-cookies-from-the-cookie-jar/a/d-id/1324662?_mc=RSS_DR_EDT

Three Years after the fact, the DoJ finally releases positive attribution information they have been holding onto all along for identification of 'who hacked' a water dam.

The author pretty well explores the main arguments of 'why the general public needs attribution information'.

The Secret Life of a Silk Road 2.0 Mastermind

http://motherboard.vice.com/read/the-secret-life-of-a-silk-road-20-mastermind?trk_source=homepage-lede

As typical for original articles from motherboard, fascinating details.

If the FBI can force decryption backdoors, why not backdoors to turn on your phone's camera?

http://boingboing.net/2016/03/10/if-the-fbi-can-force-decryptio.html

Eddy Cue, Apple's head of services, has warned that if the FBI wins its case and can force Apple to produce custom software to help break into locked phones, there's nothing in principle that would stop it from seeking similar orders for custom firmware to remotely spy on users through their phones' cameras and microphones.

Cue: Person of Interest.


Obama Weighs in on Apple vs DoJ

http://www.dailydot.com/politics/obama-sxsw-apple-encryption-fbi-evan-smith/


If there's “no key,” Obama said, then “how do we apprehend the child pornographer? How do we solve or disrupt a terrorist plot? What mechanisms do we have available? If the government can't get in, then everybody's walking around with a Swiss bank account in their pocket. There has to be some concession.”


Maybe I am feeling even more cynical than usual, as I am deep in Season 4 of House of Cards, but my take from his statement is he is completely full of s**.

Why is he making this statement? Who wrote this statement for him? What happened to the conclusion not to backdoor systems he had from a pretty decent team of leading cybersecurity experts?

The US Government probably spends billions a year on new security vulnerabilities explicitly designed and capable for exactly what Obama is asking for. In some snide, shady, condescending way.

Why is he unaware of this?

Of course, he is not. So this is all very suspicious.

Maybe someone hacked him and is forcing him to say this.

I think this sort of sentiment well would fit into the mouth of Tandy/Phil Miller of Last Man on Earth. Certainly not what should be heard from the POTUS.

AlanS • March 11, 2016 5:59 PM

They'd be amusing if they weren't scary.

DOJ argues that telecommunications equipment does not include telephones in order to persuade the court that CALEA doesn't protect Apple from being forced to comply with the FBI's demands under the AWA.

CALEA precludes the government from requiring “any specific design of equipment, facilities, services, features, or system configurations to be adopted by any provider of a wire or electronic communication service, any manufacturer of telecommunications equipment, or any provider of telecommunications support services.” 47 U.S.C. 1002(b)(1)(emphasis added). It also prohibits the government from requiring “the adoption of any equipment, facility, service, or feature by any provider of a wire or electronic communication service, any manufacturer of telecommunications equipment, or any provider of telecommunications support services.” Id., at 1002(b)(2)

The Seven Most Vitriolic Passages in DOJ’s Response to Apple
DOJ to Apple: Start Cooperating or You’ll Get the Lavabit Treatment

Obama at SXSW:
Obama Wants Nonexistent Middle Ground on Encryption, Warns Against “Fetishizing Our Phones”
Obama weighs in on Apple v. FBI: “You can’t take an absolutist view”

Ben • March 11, 2016 6:33 PM

Eddy Cue, Apple's head of services, has warned that if the FBI wins its case and can force Apple to produce custom software to help break into locked phones, there's nothing in principle that would stop it from seeking similar orders for custom firmware to remotely spy on users through their phones' cameras and microphones.

Look, this argument makes no fricking sense. It's like saying "if the FBI can force a hotel to unlock a room with a valid search warrant, there's nothing in principle that would stop it from forcing the hotel to install a hidden camera in the room." What does "in principle" mean here? There's nothing "in principle" to stop them doing that now, except the usual checks and balances. Complying with a lawful search order doesn't set a precedent for later overreach. The whole point of search warrants is to prevent overreach. If they try to overreach with a later order, then Apple should fight that one. Not this one.

Thoth • March 11, 2016 6:37 PM

@all
How USA and the known world would fail further in terms of privacy.

Obama decided to put the message direct to the audience ... s _ _ k it up to the Feds' wishes and just obey ... that's what he wanted. It seems like he doesn't want any more back and forth on the issue and just wants the Feds' wishes to be granted at the expense of privacy and personal security, not realizing such a statement will impact not just the USA but the whole world.

Now... China, Russia, Middle East... can start requesting Apple for their own national backdoors into iPhones, Ma and also into other systems like Windows, Blackberry (including Obamaberry) and other phones and all computing devices and everyone shall spy in everyone and have no such thing as security.

Countries can spy on foreign diplomats and their own people with great ease by using their provisioned backdoor into every personal, public or government system.

By estimate, if every country has a national backdoor in every electronic system, that would mean there would be at least 196 backdoors for each of the 196 countries known to the world including Taiwan. Have fun putting at least 196 unique or shared backdoors in for those who are making electronic systems for every nation.

Whining that it is not fair that the government systems are "secure" while we are not. The main reason is due to the fact we use vastly separate and different systems that makes these elites comfortable to see their citizens compromised and they are protected. If the scenario is where everyone including banks, govts, militaries, civilians and everyone else are using the exact same systems, techniques, protocols and algorithms that would make such a request painful for them.

Everyone is using something different. Governments have their own secretive systems and such; they don't even care about civilian-made stuff like TLS or SSH as they have internal networks protected with their own national algorithms and stuff like secretive national full packet encryption systems between networked systems we don't have. Algorithms like AES and ECC are simply used for lesser secured conversations with anyone outside the sensitive circles in US govt while algorithms like SAVILLE, BATON and many other secretive ciphers are supposedly safely beyond the reach of mere mortals.

The US govt (NSA et al.) never really trusted asymmetric crypto and if you look at chips made by Harris or Thales, they put emphasis on symmetric crypto of Suite A crypto which is beyond the reach of mere mortals. There is the AES which they added into these chips as AES is also Suite A, but the fact is it is used for lesser security communications with "outsiders" and also as a public demonstration of some capabilities for marketing. Considering ECC crypto to be backdoored is the best assumption despite the current lack of concrete evidence, given the lack of such algorithm support in Suite A and also in chips used by these nation states.

One way is to outright remove notions of Suite A and Suite B and to set up a unified and open crypto suite for all purposes across all domains and all classifications containing open algorithms. Secretive algorithms are a violation of Kerckhoffs' principles anyway.

What we need is a flexible protocol suite beyond TLS that can be scaled big or shrunken down easily for use ranging from banking applications to embedded and military. This way, a backdoor would impact everyone and discourage any sort of backdoors whatsoever. It should also support end-to-end encryption natively and be capable of deployment over a multicast or point-to-point network.

What is noticed is they are comfortable with compromise of others' systems as long as they are not affected. Security developers and engineers need to make them work harder by ensuring that cherry picking something to backdoor is much more difficult, and one way is to simply not allow it to happen and to have a multi-application platform.

Link: http://www.theregister.co.uk/2016/03/11/president_barack_obama_encryption_sxsw/

weekend.farmer • March 11, 2016 7:16 PM

Agriculture and Big Data

Welcome to the Ag Data Transparency Evaluator

This website was created by a non-profit corporation backed by a consortium of farm industry groups, commodity organizations and ag technology providers in order to bring transparency, simplicity, and trust into the contracts that govern precision agricultural technologies. Based upon the foundation laid by the Privacy and Security Principles for Farm Data (the Data Principles), the Ag Data Transparency Evaluator is a process by which ag technology providers voluntarily submit their ag data contracts to a simple, ten question evaluation. Answers are reviewed by an independent third party administrator, and the results are posted on this website for farmers and other ag professionals to consult and review. Only companies receiving approval are allowed to use the “Ag Data Transparent” seal.

Source

Slime Mold with Mustard • March 11, 2016 7:32 PM

@Namor of the Sea

"What could chemists do?"

Bhopal comes to mind. About 8k dead, 500k injured. And that was an accident. At that time, I recall Union Carbide claiming it had been caused by less than a half liter of water entering the wrong tank.

The article on one of the pesticide precursors, phosgene, mentions its prevalence in the pharmaceutical industry. I drive past a large drug manufacturer almost daily, and recognized that odor right off from Army AIT (they used a simulator odor). When I asked neighbors who work there about it, I got nervous dismissals and a couple more honest replies about a non-disclosure agreement. Lord, I pray their SCADA are air gapped.

On a smaller scale, in my brother's (biology) lab, there sits a five gallon jar of sodium cyanide in a cabinet with a really cheap lock (the key has not been seen for a least six years). There is also a five gallon jar of di-methyl amphetamine (which I suppose is used to get the lazier bacteria to up their game). They use huge quantities of nitrocellulose filter paper. When I pointed out that it was a dual use item to my brother (MD, Ph.D - organic chemistry) he refused to believe me, claiming it would certainly be plastered with hazard labels. I found a thick paper tube, shredded a handful and "The Parking Lot Incident" ensued. We escaped, barely. I have to have an escort in his lab now.

You might recall the attempted bombings in London in 2007. Those were carried out by NHS-employed physicians who didn't understand oxidation-reduction reactions. That is very lucky for me (my daughter was less than 100 meters from the Haymarket car) but does not bode well for the people of the UK.

FollowMoney • March 11, 2016 7:39 PM

Why is the U.S. government trying so hard to force Apple to break the security of one iPhone from a dead terrorist? Money. If the U.S. put enough resources into breaking the security of that phone, they would succeed. The NSA has enough resources to solve the problem. But it would cost too much money and take too many resources away from other projects. The U.S. has a financial stake in this case, as it will save them a vast amount of money and resources in the future if they can get private companies to do their job for them.

OldFish • March 11, 2016 8:01 PM

@Milo M

Hmmm....if we give all of the innovative ideas to the empire how will we follow through on the revolution?

Wael • March 11, 2016 8:39 PM

@ianf,

quit drooling now, remember the 6 weeks' ATTN SPAN...

I read the first few pages. Sounds interesting but it's too long! Probably isn't my cup of chai!

Wael • March 11, 2016 9:06 PM

@It's Friday, again,

Man accused of jamming passengers’ cell phones on Chicago subway

I sympathize with this man! I can't stand loud noises either.
He should move to Sweden where they value serenity.

Reminds me... where are you, @Mike the goat? Wherever you are, I hope all is well with you!

Wael • March 11, 2016 9:43 PM

@Nick P,

Thanks! I visited his blog a while back then forgot about it. His style resembles that of @ianf ;)

Namor of the Sea • March 11, 2016 10:06 PM

Skeptical wrote (in last week's thread):

To be honest, I would far prefer the FBI be required to apply to a federal magistrate, and then a third-party company, to obtain access to a device, than force the FBI into a position where they develop the capability to obtain such access independently and we must rely fully on their internal compliance regime and cultural practices (which are both actually quite good).
So I view the efforts of many to support Apple here as counterproductive to their own goals. I think they've been - to be blunt - suckered by Apple's marketing campaign and failed to think through the unintended consequences of their stance.

"To be honest" -- Skeptical, I am glad you finally decided to offer your honest opinion somewhere. Thank you for telling us when you are actually going to offer it.

Lying does not do you any justice. It is distorting your thinking.

You absolutely have no experience in the related fields. Your imposture is entirely absurd and transparent.

I am not at all surprised that, in this rare moment of honesty from you, you express the belief that experts who disagree with the stance of the DoJ are such simpletons that they are waylaid by the power of Apple to lie.

You are projecting.

No wonder you believe we are such simpletons, prone to being grifted by the powerful persuasive capabilities of Apple.

Because you genuinely believe you can grift us with your imposture as a computer security expert.

Does that imposturing work with people you know who are not computer security experts?

Because it certainly does not work with those who actually are. And you really have a serious problem to think that you could.

Do you also dress up in surgeon's clothes, walk into hospitals, and try and perform surgery on patients?

Have you been caught at NASA trying to get into the meetings of rocket scientists, to tell them how they know nothing about their field?

Let me guess, because lawyers at the DoJ are saying "this is not so", you just believe them, huh? Because the DoJ leads the US Government in technical computer security expertise?

Hate to tell you, they are WAY behind.

Intelligence officials are saying something contrary to what the FBI is saying here. So, you are dismissing their viewpoints, in favor of the lawyers of the DoJ.

Does this mean that you are just waylaid, because you do not know that the DoJ is not the ultimate authority on computer security in the US? Or, because you are for some reason so biased for the DoJ, you entirely throw out your "thinking cap" and put on your "dunce cap", to go and dance for us some preposterous jig of imposture?

But, yes, Skeptical, you really are a computer security expert. And yes, you really are more trained and experienced in interpersonal communications than any of us are. Totally plausible.

Thank you for continuing to offer all of us your professional opinion.

We wouldn't want plumbers to be performing heart surgery after all, or janitors flying our planes.

Unfortunately, that is more than enough words, so I will not even get into explaining the strong technical (and legal) reasons why Apple is right to stick to their course, for the betterment of the security of the people.

But it would all be way over your head, anyway, so what would the point be?

ballbuster mode off

Clive Robinson • March 11, 2016 10:20 PM

@ it's Friday again,

Cothority to Apple: Let’s make secret backdoors impossible

Err NO it does the exact opposite as Cothority's lead admits.

What it stops is "individualised" or "single device specific" backdoors, which is a significant retrograde step.

I do wish people would stop suggesting these multiparty multi-signatory ideas, when they have clearly not thought them through properly...

Multi-jurisdiction signing systems can be workable but do not work when the individual signers become targets in the jurisdiction they are actually in. Trying to make an agency for "all comers" is guaranteed to fail just like CA's have failed.

Nick P • March 11, 2016 10:52 PM

@ Wael

I disagree on that last one. Mike had plenty of useful commentary plus published tools. Never accused of being an attention troll either. ;)

Thoth • March 11, 2016 10:56 PM

@Clive Robinson, it's Friday again,
I wonder if Apple would want to "lose control" by submitting itself and its update process to multiple parties they barely know of, regardless of whether the architecture works or not.

There is only one road for Apple, which is to ensure security parameter destruction during loading and unloading of security critical firmware. To prevent unrecoverable destruction of security parameters from the Apple chip, the user is required to use a sort of short-term recovery password selected by the user to derive the KEK to wrap the parameters away to Flash storage and then wipe the chip's security parameters clean, perform the upgrade or update and then reload the KEK-wrapped original security parameters and reload everything back into its place. This way a user interaction is required and the security parameters are safe (if the user selects a proper password).
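
As an added illustration of the wrap-then-wipe update cycle described in the comment above (example code written for this page, not Apple's or any commenter's), the security parameters are wrapped under a KEK derived from the user's recovery password, wiped from the chip, and restored only after the firmware change; the `SecureChip` model, the scrypt cost parameters and the HMAC-based stream cipher are stand-ins, since a real chip would use its own AES engine.

```python
import hashlib
import hmac
import secrets
from typing import Optional

SALT_LEN, NONCE_LEN, TAG_LEN = 16, 16, 32   # sizes chosen for this illustration


class WrapError(Exception):
    """Raised when a wrapped parameter blob fails authentication."""


def derive_kek(password: str, salt: bytes) -> bytes:
    # Memory-hard KDF so that guessing the recovery password against the blob
    # left in Flash is expensive; cost parameters are illustrative only.
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=64)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a stdlib stand-in for the chip's AES engine.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def wrap_parameters(params: bytes, password: str) -> bytes:
    """Wrap the chip's security parameters for storage in Flash during an update.

    Blob layout: salt || nonce || ciphertext || tag (encrypt-then-MAC, with
    separate encryption and MAC keys split off the derived KEK).
    """
    salt, nonce = secrets.token_bytes(SALT_LEN), secrets.token_bytes(NONCE_LEN)
    kek = derive_kek(password, salt)
    enc_key, mac_key = kek[:32], kek[32:]
    ciphertext = bytes(p ^ k for p, k in zip(params, _keystream(enc_key, nonce, len(params))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def unwrap_parameters(blob: bytes, password: str) -> bytes:
    """Authenticate the blob under the password-derived KEK, then decrypt it."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise WrapError("blob too short")
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext, tag = blob[SALT_LEN + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    kek = derive_kek(password, salt)
    enc_key, mac_key = kek[:32], kek[32:]
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):      # wrong password or tampered Flash
        raise WrapError("authentication failed")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


class SecureChip:
    """Toy model (an assumption of this example): secrets live in 'chip memory';
    the wrapped copy lives in a Flash slot while the firmware is replaced."""

    def __init__(self, params: bytes):
        self.params: Optional[bytes] = params   # in-chip security parameters
        self.flash: Optional[bytes] = None      # KEK-wrapped copy during an update
        self.firmware_version = 1

    def begin_update(self, password: str) -> None:
        self.flash = wrap_parameters(self.params, password)
        self.params = None         # wipe the chip before new code is loaded

    def apply_firmware(self, new_version: int) -> None:
        if self.params is not None:
            raise RuntimeError("refusing to load firmware with secrets still resident")
        self.firmware_version = new_version

    def finish_update(self, password: str) -> bool:
        try:
            self.params = unwrap_parameters(self.flash, password)
        except WrapError:
            return False           # secrets stay wiped; the user must retry with the right password
        self.flash = None
        return True


def run_update_cycle(params: bytes, password: str, new_version: int,
                     restore_password: Optional[str] = None):
    """Drive one wrap -> wipe -> update -> unwrap cycle; returns (restored, params, version)."""
    chip = SecureChip(params)
    chip.begin_update(password)
    chip.apply_firmware(new_version)
    ok = chip.finish_update(password if restore_password is None else restore_password)
    return ok, chip.params, chip.firmware_version


if __name__ == "__main__":
    sample = b"constructed sample: UID-derived keys and counters"  # constructed input
    print(run_update_cycle(sample, "correct horse battery", 2))
    print(run_update_cycle(sample, "correct horse battery", 2, restore_password="wrong"))
```

A wrong recovery password or a modified Flash blob fails the MAC check before any decryption, so the chip is left wiped rather than reloaded with attacker-chosen parameters.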

Presidential Precedents • March 11, 2016 11:04 PM

If there's “no key,” Obama said, then “how do we apprehend the child pornographer? How do we solve or disrupt a terrorist plot? What mechanisms do we have available? If the government can't get in, then everybody's walking around with a Swiss bank account in their pocket. There has to be some concession.”

I'm sure somebody around here can give this answer with decent summarized background- Has the USG ever tried to regulate the quality of document shredding machines? Treated them as munitions, etc... (or more likely wanted to, then laughed out of the legal code)

Wael • March 11, 2016 11:31 PM

@Nick P,

Mike had plenty of useful commentary plus published tools

He did, for sure!

Namor of the Sea • March 11, 2016 11:55 PM

@Slime Mold with Mustard

Heh heh, don't get me started. I am sure there are quite a number of MacGyvers here, probably folks who scan whatever room they are in and see how anything could be made a weapon "just in case things went bad".

Lol. :-)

Like with the family while shopping at the grocery store.

Sitting in the backseat of a cab/uber.

Eating at a restaurant with a business partner.

Getting drunk on warm beer at a karaoke bar in some asian country... (har har har ;-) )


Not that I personally do not relate much more with MacGruber than MacGyver. :O ;-)


@Ben

Look, this argument makes no fricking sense. It's like saying "if the FBI can force a hotel to unlock a room with a valid search warrant, there's nothing in principle that would stop it from forcing the hotel to install a hidden camera in the room." What does "in principle" mean here? There's nothing "in principle" to stop them doing that now, except the usual checks and balances.


It makes no sense because you misread the article and are taking the first paragraph out of context.


The whole point of search warrants is to prevent overreach. If they try to overreach with a later order, then Apple should fight that one. Not this one.


I disagree on technical points I do not think you are willing to consider.

I do believe you are capable of holding multiple contradictory theories in your mind open on issues. I also believe you are a good observer on many issues. And, I will even go so far as to say, I believe you know how to set aside personal preferences and biases to consider a matter objectively.

But, on this, right now, for whatever reason? That is not what you are doing.

Myself? Professionally? Never worked with warrants. Never will. I am not going to state my opinion on warrants. Because it is not something in my professional area of expertise.

@Presidental Precedents

Har har har, good one. :-)

Thank you.

@FollowMoney

Close, but no cigar quite yet.

You can be guaranteed other divisions of the US Government than the DoJ can do this already.

The DoJ are lawyers. The FBI is merely one division of the DoJ. Let that sink in. Is the ATF, CIA, NSA, USSS, DHS, DOE, DIA, and so very many etc, etc, ETC (TLA) a mere division of the DoJ?

No.

And what do lawyers try and do. They try and save money. They push.

FBI spending on these matters has been horrendously sad. And the DoJ does want to keep it that way.

Best bet for the FBI is reorganization and getting out of the umbrella of the DoJ.

They do not need them.

FYI, I am unbiased here. Anyone read these posts here and think I hate lawyers or DoJ or FBI? Bzzt. Wrong. I grew up around former DoJ lawyers who worked in FBI counterintelligence during WWII. Yep.

I simply disagree with their move here.

If they win, they are deeply degrading not only the rule of law, but also the security of any American product from then on out.

And does this mean this is "security over liberty"? Absolutely not. They will also be destroying their chance for actually being able to get to that data in the future.

How? Why? Different story. Plenty are already saying it. Critics here do not want to believe it, so explaining it to them would be a waste of time.

Not like they give a damn. Or they would have done their homework in the first place. Bothered to care enough to do that.

No progress is ever made by throwing thinking out the window.

Clive Robinson • March 12, 2016 12:28 AM

@ Thoth,

Obama decided to put the message direct to the audience ... s _ _ k it up to the Feds' wishes and just obey ... that's what he wanted.

Maybe, maybe not; he's a "lame duck" president in the terminal stages of office. He never really had power, just the good will of the citizens, and now he's lost all power. Comey showed back in December with the Silicon Valley chat who was the actual person in the driving seat, and Obama had to "suck it up" then. Thus all Obama is doing is trying to save something of his image and failing badly.

Apple made a mistake in the design of their iPhone system, in that they wanted to be "in control" over everything. Thus they left in the ability for them to force OTA upgrades "of everything". It's this that is the "backdoor" into the iPhone that the FED are using to force an issue.

They have three choices,

1, Fight on and probably fail.
2, Acquiesce and suffer.
3, Slam the door whilst they still can.

The fact they are going down path 1 is not a good sign. Because in all probability they and their customers are going to end in the world of hurt of 2. Which tells you that neither option is good.

Thus option 3 would be the longterm sensible option for both Apple and their customers.

There are two ways they can slam this particular door.

Simplistically they are,

1, Kill the "enclave update" ability.
2, Make the "enclave update" ability only happen when a phone is unlocked and the user acquiesces by typing in a second "security pin".

However whilst it might slam this particular door it still potentially leaves others open...

As I noted Apple would be stupid to use a third party agency such as Cothority for reasons discussed in the past. The primary one being "code signing" has no meaning outside of "these are the files signed on this date". It does not in any way attest to the reliability, quality or security of the code, it can not. Thus all that's required in the US is an NSL and then every iPhone gets a backdoor at the next OTA update, and as a certain router manufacturer found recently it's "Open Season" to every IC / Tyrant / Dictator / BlackHat / Criminal / ScriptKiddy / etc in fairly short order...

Which brings us to your suggestion, of wrapping security parameters in another passphrase protected container. The problem is ensuring that all the parameters get protected not just those to do with generating the AES master key. But also there is the issue of stopping backdoor code being slipped forwards.

One of the issues with upgrading software is "configuration options". Usually put in config files, they can have defaults and user settings that need to be changed in an upgrade. This is usually done by an "executable agent" that has a high priority at least equal to the software being upgraded. Unfortunately developers usually just set it to "super user / root equivalent" to cut down on support calls. The problem with FDE and other encrypted containers is ensuring that the agent runs when the container is open, which means the encryption key is "available in memory" somewhere. Which raises the question of whether the agent can "see the key" or not. The only way to ensure "not" is to have a Crypto IO unit where keys can be written in but not read out. Which has the issue of "how do you update it"...

The simple way is "never to upgrade it" but manufacturers do not like to do this because it can cause significant "manufacturing loss" due to unrecoverable bricking of the device due to often silly issues.

Thus you get a "chicken and egg" situation which leaves a hole through which a backdoor can be slipped in.

Thoth • March 12, 2016 1:03 AM

@Clive Robinson
My scheme of wrapped security parameters would best be implemented together with mandating Enclave on every Apple chip (not allowing non-Enclave production in future). Enclave has concepts of a weakened HSM with memory regions for sensitive storage since the Enclave is simply Apple's version of ARM TrustZone. So assuming that the Enclave implements the necessary hardware protection feature of TrustZone, all sensitive processing will use the native AES circuit and hardware protection. That will rule out the possibility of leaking keys in a separate Crypto RAM memory if the TrustZone security features implemented on the Enclave are done properly, unless the hardware allows reading out of sensitive Crypto RAM, which defeats all the security purposes. I am looking from the point of TrustZone which is the root architecture for Enclave and I assume Enclave complies with TrustZone specs.

WaelMarch 12, 2016 3:13 AM

@Thoth,

Enclave is simply Apple's version of ARM TrustZone.

Not to call you out, do you have any authoritative references for this statement? I'm curious because Apple's documents don't support this claim. So your statement, without references, comes across as speculation. From Apple's own iOS Security paper, I cite the following:

The Secure Enclave is a coprocessor fabricated in the Apple A7[1] or later A-series processor. It utilizes its own secure boot and personalized software update separate from the application processor.

For devices with an A7 or later A-series processor, the Secure Enclave coprocessor also utilizes a secure boot process that ensures its separate software is verified and signed by Apple.

An integrated circuit (IC) that incorporates multiple components into a single chip. The Secure Enclave is an SoC within Apple’s A7-or-later central processor.

Further protection is provided by iOS using ARM’s Execute Never (XN) feature, which marks memory pages as non-executable. Memory pages marked as both writable and executable can be used only by apps under tightly controlled conditions: The kernel checks for the presence of the Apple-only dynamic code-signing entitlement. Even then, only a single mmap call can be made to request an executable and writable page, which is given a randomized address. Safari uses this functionality for its JavaScript JIT compiler.

It's an excellent mandatory paper that needs to be added to the list of "must read" documentations by anyone who wants to comment on the security posture of iPhone.

[1] TrustZone is an ARM "extension" -- and not a physically separate coprocessor. This is just one of the differences.

CuriousMarch 12, 2016 4:25 AM

Some days after watching this recent US House hearing on YouTube, it struck me that FBI director Comey's idea of a world where everything is available with a warrant is a horrific idea, because of how this very notion imo probably is deceiving to people in general. The notion of how there would be a world where everything is available with a warrant seems similar to David Hume's "is-ought" problem. So, to try to sketch up a recognizable problem: just because you can get things with a warrant shouldn't mean that everything must be available with a warrant. The "everything" part is ofc a generalization, but in this context I think that any flaws with such a generalization are not as critical as understanding that it is probably a bad idea to simply conclude that everything must be available with a warrant on a general basis.

"The Encryption Tightrope: Balancing Americans’ Security"
https://www.youtube.com/watch?v=g1GgnbN9oNw (relinking this)

I am sorry but I don't recall exactly when in that video Comey makes his point about a world where everything is available with a warrant.

ThothMarch 12, 2016 5:10 AM

@Clive Robinson, Wael
Apple was granted a TrustZone patent. Why would they buy a valuable patent and not deploy it?

Looking at the first patent picture (http://patentimages.storage.googleapis.com/US8775757B2/US08775757-20140708-D00000.png) it shows TZ0, TZ1 ... those are likely TrustZone terms.

The "Secure Boot" drawn here (http://patentimages.storage.googleapis.com/US8775757B2/US08775757-20140708-D00002.png) is very similar to TrustZone.

You can find the patent in the links below.

From the patents, Secure Enclave contains a Secure Enclave Processor (SEP), in the same image link above, which would "Secure Boot" and, once all the security verifications are done, hand over to a CPU by the statement "Permit CPU to Boot". From the rest of the patent text (too long to put here), it implies the SEP processor can be isolated from the CPU(s) and the SEP handles crypto and security that the CPU(s) request, thus leading to the conclusion that there is some sort of "Secure Element" inside the Apple chip besides a bunch of CPUs and other circuitry.

The iOS Security Guide is not very complete in the entire architecture and there are hidden details that can be found by digging up patents.

Links:
- http://www.google.com/patents/US8775757
- http://www.patentlyapple.com/patently-apple/2014/07/apple-granted-a-patent-for-a-secure-enclave-processor.html

CuriousMarch 12, 2016 5:17 AM

"Surprise! NSA data will soon routinely be used for domestic policing that has nothing to do with terrorism"
https://www.washingtonpost.com/news/the-watch/wp/2016/03/10/surprise-nsa-data-will-soon-routinely-be-used-for-domestic-policing-that-has-nothing-to-do-with-terrorism/

"(...)Now the New York Times reports that National Security Agency data will be shared with other intelligence agencies like the FBI without first applying any screens for privacy."


One thing that annoyed me with this article, is the author that at the bottom wrote:

"It’s all another sobering reminder that any powers we grant to the federal government for the purpose of national security will inevitably be used just about everywhere else."

I don't like this mishmash of the words 'powers', 'purpose' and 'national security'. This is imo lazy, and I think the way in which the word "powers" is used here paradoxically becomes an understatement when the author also wants to make the point that people give the government powers. I am pretty sure that the government gives itself powers, so that view on things seems wrong. I can't tell if this sounds apologetic to me, or just something intellectually lazy.

I have the suspicion that every actor, so to speak, in the US is trying really hard to avoid having to use the word 'police state' in public. I'd argue that it can't be hard to see how western countries are becoming police states generally speaking, if they weren't already to some degree. Basically few or no privacy rights for citizens compared to the unfettered handling of personal data (metadata or otherwise) by corporations, espionage (think stingray use), torture, war, the "collect it all" mentality of the NSA, mass surveillance in the form of sanctioned data retention, and who knows what other things there are out there like surveillance cameras and whatnot.

CuriousMarch 12, 2016 5:24 AM

To add to what I wrote:

I mean, to instead use the phrase "security state" seems imo to really be an understatement, compared to the phrase "police state". The same way "department of defense" sounds a lot nicer than "department of war". As if what is actually done and the consequences that follow aren't as important as some idealized motive or a set of them.

CuriousMarch 12, 2016 5:50 AM

"GCHQ boss calls for new relationship with tech firms over encryption"
http://www.theguardian.com/uk-news/2016/mar/07/gchq-boss-new-relationship-tech-firms-encryption

"Robert Hannigan says he wants dialogue in a less ‘highly charged atmosphere’ and denies he wants mandatory backdoors" (Robert Hannigan is the director of UK's GCHQ)

"Hannigan, in only his second public comments, said he was not in favour of banning encryption. “Nor am I asking for mandatory backdoors. I am puzzled by the caricatures in the current debate, where almost every attempt to tackle the misuse of encryption by criminals and terrorists is seen as a ‘backdoor’. It is an overused metaphor, or at least mis-applied in many cases, and I think it illustrates the confusion of the ethical debate in what is a highly charged and technically complex area,” he said."


This is imo an example of how media is retarded, trivially fronting the views of the government. Yes, one can see the importance in a discussion about the topic of either having, or not having, "mandatory backdoors", but surely the qualifier "mandatory" seems superfluous, as if having backdoors was ok otherwise, as if "mandatory" could only have the meaning of being frequent and persistent, the same way one can end up framing what I would like to call real "mass surveillance" as benign by using "everywhere" and "always" as qualifiers for a discussion, when terms like 'surveillance', or even 'mass surveillance', make perfect sense when not restricted to one authoritarian being the eye of the beholder that gets to discuss things from its own point of view.

Ofc, in the quoted paragraph above, Hannigan seems to ridicule the general notion of a 'backdoor', but with an ill-formed opinion (the way this was quoted anyway), all too easily wanting to explicitly make this generalization about how the word "backdoor" has been misused, but without even hinting at any form of context for that. At least Hannigan acknowledges, perhaps unwittingly, that a 'backdoor' is in fact a valid metaphor. Trying to split hairs with select definitions would be silly after doing that, I think.

I think normally, using the specific motive of dealing with crime, or working with crime prevention for improving law enforcement, sounds only natural; however, as someone who doesn't live in the UK and who otherwise considers the UK govnmt. as being a criminal state, so to speak, I am unfazed by this kind of plea for considering expanded powers to deal with how people use the internet.

CuriousMarch 12, 2016 7:51 AM

Off topic:

Btw, today on Reddit, I saw a poster or an ad (did not link to anything), with some more abstract motive of a sea and some smoke off in the horizon, not really showing anything, with the text "loose lips sink ships". Kind of weird isn't it?

CuriousMarch 12, 2016 8:08 AM

Heh, I guess I should ponder on the weirdness alone, because it is kind of odd that the poster was found in a game related Reddit thread. I thought it was some random ad or something, but I am probably wrong in having assumed that.

Clive RobinsonMarch 12, 2016 9:44 AM

@ Thoth, Wael,

The iOS Security Guide is not very complete in the entire architecture and there are hidden details that can be found by digging up patents.

Yes I've assumed that from past patents etc that Apple are not letting on about quite a few aspects of their current and evolving secure hardware and software implementations.

I suspect there are also quite a few other "hidden details" that are quite confidential and not in patents etc --yet-- known to just one or two, that Apple very firmly regards as "Trade Secrets".

It's why I keep mentioning "Trade Secrets" and the "Undue Burden" involved with it. For some reason the idea seems quite alien to a few on this blog, whilst others are quite deliberately pretending not only that such secrets do not exist but that the ludicrous "couldn't exist" position of the DOJ, as advised by the FBI, is gospel.

For some reason they ignore the obvious point that if the FBI actually knew anything of substance they would only be asking Apple to sign the "forensic code" that the FBI would have developed. The fact the FBI are asking Apple to write code, and that they have so many other even earlier iPhones --that might be jail breakable-- stacked up, strongly suggests that on the technical side the FBI are very definitely "winging it" rather than "knowing it".

They probably have their fingers crossed that Apple does not call their bluff in front of the magistrate...

WaelMarch 12, 2016 10:17 AM

@Clive Robinson, @Thoth,

Yes I've assumed that from past patents etc that Apple are not letting on about quite a few aspects of their current and evolving secure hardware and software implementations...

True and expected from any manufacturer. Patents and job openings that describe needed skills can shed some light. The patents cited still don't indicate Secure Enclave is a TrustZone implementation.

Namor of the SeaMarch 12, 2016 10:35 AM

@Curious

Btw, today on Reddit, I saw a poster or an ad (did not link to anything), with some more abstract motive of a sea and some smoke off in the horizon, not really showing anything, with the text "loose lips sink ships". Kind of weird isn't it? Heh, I guess I should ponder on the weirdness alone, because it is kind of odd that the poster was found in a game related Reddit thread. I thought it was some random ad or something, but I am probably wrong in having assumed that.

Reddit is a sewer.

There are a lot of "pro-government" unhinged lunatics. I put "pro-government" in quotes. Because they are not pro free nations. They are not genuinely in the game on the side of freedom and free nations. They just pose as "patriots", and are really incredibly loud about it.

Whereas we, on real issues, feel no need to wave a placard that we are strongly for free nations and strongly against totalitarianism.

They were behind Ruby Ridge. They join KKK groups, racist groups. They are like those lunatics who took over that park in Montana or wherever a few weeks back. Or the crazy "former marine" that had diarrhea of the mouth at some Clinton meeting. Or those nut cases supporting Trump.

I mean, in this thread, I just saw one poster siding with the DoJ. Ted or Todd or whomever. You probably did not even notice. I do not think he is racist. Plenty of those crazies are not racist. But, there are plenty who do work in government, or have, at low levels.

They may not even be incredibly terrible people.

They may hate the Ruby Ridge whackos.

But, they are the same species of animal. Hitler hated Stalin, Stalin hated Hitler, but they really were on the same team.

Evil is usually not what people think it is. Evil is about the mindless. They think they are alive, but they are dead. Really. They really do not think. They just believe what they are told. And they never sit around and think about anything or get contradictory opinions. So, they see everything contrary to what they believe as strawmen arguments.

So, they are as capable of mindlessly joining the KKK as they are of cheerleading Ruby Ridge or the Oklahoma bombers. Or ISIS. The only reason they are not is their background. They were not told to do that. They are told to do something else.

They believe they are thinking human beings, but it is clearly untrue. They mistake reiterating in their minds what they are told as thinking.

And life can be like a bad zombie movie. :-) Sometimes you see people, like Obama, whom you see can think. And then they come out and say that kind of mindless, stupid crap. Oh no, Obama! You were bitten and turned into a zombie, too!

But, I mean, it isn't like Obama has been strong on domestic freedom issues. He has backed some atrocious attacks against the foundations of this country. So, maybe he was a 'zombie in disguise'. Reality is more, he has some thinking people pulling his strings, telling him what to think. But, he also has some that are themselves zombies, telling him what to think.

And that is the good news about zombies. They are incredibly slow and easy to deal with, at least, alone. In groups, especially big ones, well, that sucks. So, you meet some stray poster like Ted or Todd or whatever his name was above, confused and rambling, reading first paragraphs of articles and throwing a spasm? Easy to dispatch.

But, the Trump following? Ouch. Harder.

Or Cruz.

But, they are not a thinking group. They are still easily herdable zombies. :-) Trump is just a useful idiot.

He does not have a chance in hell of winning, lol.

He does guarantee the Republican Party is, yet again sidelined.

Democrat Zombies? Better than Republican Zombies.

Democrat Zombies are like your de-toothed variety of zombie.


Sometimes they will snarl and ruin your dinner party with their corpse vomit or something. But, they are largely harmless and trained.

They are only at your table in the first place because they have been trained to pour drinks and bring out food.


OH, and btw, metaphoric ways of presenting things are extremely useful to use, because they can not process it. That requires the ability to think. Like spelling out words so little kids or animals do not understand what is being said.

Only they teach spelling in school. But, they do not teach how to think for yourself.


PolizeistaatMarch 12, 2016 10:53 AM

Based on the thinking of various scholars, it is already clear the US is a Police State but not yet completely totalitarian in nature (they apparently are slacking off):

1. Raids, harassment, and intimidation of dissidents by police
2. Militarization of domestic law enforcement and a widespread presence
3. Disproportionate prison sentences for political activists and whistle-blowers
4. Creation of new laws for people because of their political beliefs
5. Creation of special prison units (Guantanamo, black sites on US soil etc)
6. Criminalization of ideology (particularly focused on anarchists, environmentalists etc)
7. Bureaucracy and secrecy are paramount (secret courts, laws and activities)
8. Everyone is a suspect in the new paradigm (a nation of potential 'subversives')
9. Constant and widespread surveillance (internet, all telecommunications, CCTV, drones, Stingrays, data centers etc)
10. No real resources against police and associated agencies actions
11. State has imposed its version of correct beliefs and behaviors on the citizens
12. Police agencies serve the State and not the people e.g. 'pre-crime', parallel construction instead of responding to reported crimes
13. Citizens fear and serve the establishment to avoid repercussions (changing their behaviors and personal/public statements)
14. Elite has imposed their beliefs despite strong objections i.e. 'they know better'
15. Common use of propaganda / persuasion, but forcefully use their monopoly on force as required - no limits on power are ever conceived
16. Strongly anti-privacy - how else to measure conformity? Private spheres are seen as dangerous places; out of sight is out of control (an authoritarian's worst nightmare)
17. Crises, wars, crusades are used to maintain an iron grip
18. The Court system has become a tool of the state's will, rather than an instrument of justice
19. Lies, secrets and manipulation of language are commonplace to control the populace
20. Compulsory ideology is in place; 'you are with us or against us'. Enemies of the state are suitably punished / harassed

I hope you are enjoying the iron cage under construction? Although, this behavior is terribly predictable based on the characteristics of police states seen in history.

As it is now confirmed Feds are accessing NSA data for fishing expeditions and parallel construction, it is time to put away your electronic toys wherever possible. Use One Time Pads if you are a legitimate target - unbreakable encryption will give the Stasi night terrors.

With the greatest respect, I recommend Obama shove the Polizeistaat he has endorsed up his ass. Sideways.

Namor of the SeaMarch 12, 2016 11:18 AM

Devil's Advocate, Satire (because Zombies Don't Understand Satire):


People our top scientists are being befuddled, outwitted, beaten up by terrorists, pedophiles, serial killers, and the rest of the immoral, godless horde. You know the bunch. Shameless kite flyers. People who drive cars on Sundays. Adulteresses and unprincipled men who take advantage of them. Even many of those devil brained, murderous lunatic pot smokers.

They have this most diabolic invention of the entire human race. It is called "encryption". And what encryption does is enable them to say things, in private, our top cops and spies and battalions of scientists can not understand!

So you can imagine our alarm.

This is straight out of Hell, a product Satan himself must have spent years working on.

Even worse, we are being told by some of these companies that have products which allow people to speak without others being able to hear them, that they want to keep encryption! They not only want to keep encryption, but other systems that help the immoral, godless mortal demons of hell say what they want to say. In private! What is it they are talking about! Who knows? Probably global domination!

So, here is my plan. Let's bring back crucifixion, and crucify these rebels.

We are the Christians, right? That is about crucifying people, right? Then what are we doing straying so far from the path that we no longer crucify people who say things we do not want to hear?!

Then, we will put a backdoor in every American and European product. If you want to have private conversations -- move to Japan! Or South Korea! Western Free nations will have none of that!

Once we have backdoors in all Western technology products, then we can turn the tables on these so-called "Millennials", and have our own Millennium! True freedom! True nations under God! We can remove those godless, Satan laws that say people have the ability to think. We can stop them from talking and thinking as they wish. We can ban kite flying, women who do not wear hats, bicycles, video games, music with chords and that use musical instruments, food that inspires Satan in people like corndogs, posters. And everything else in this thousand page list my grandmother, myself, and a team of our top scientists, cops, and spies came up with!!

Yay for us!

Everyone wear suits and ties again! No more sex or fun!

Good is evil! God is Satan! Angels are demons! Lobotomies for every school child!


OK. I am outta here. Don't wanna suck up all the air in the room.

WatchWhereYouSleepMarch 12, 2016 12:01 PM

@Ben: It's like saying "if the FBI can force a hotel to unlock a room with a valid search warrant, there's nothing in principle that would stop it from forcing the hotel to install a hidden camera in the room."

Cleaning ladies already do that for their moonlight jobs. You think they really work there for the wages?

albertMarch 12, 2016 12:28 PM

@Clive Robinson, @Thoth, @Wael,

Considering the problems with patents, especially software patents, the 'trade secret' route is the way to go.

All patents do is allow you to make someone pay for using your invention, often at substantial legal costs to you.

It's kinda hard to enforce a patent in a foreign country, even if you have a patent there. And expensive, too. It's hard to pay the requisite bribes without getting into trouble (see FCPA). (I'm surprised this is still illegal, given the absurdity of US laws favoring businesses).

Except for patent trolls, most people in industry see the patent system as broken. It's just another way for lawyers to suck money out of the system.

Many years ago, when gun manufacturers built their own rifling machines, they never patented them; the whole machine was a trade secret. Just throw a tarp over it when folks come to visit. Competitors had no idea how they worked, nor could they reverse engineer it.

Here's hoping Apple's 'tarp' is non-removable; a nice little black box impossible to open. :)

Dirk PraetMarch 12, 2016 12:53 PM

@ Namor of the Sea

Unfortunately, that is more than enough words, so I will not even get into explaining the strong technical (and legal) reasons why Apple is right to stick to their course

Rant before reason. Trumpism is spreading fast.

WaelMarch 12, 2016 1:06 PM

@albert,

Considering the problems with patents, especially software patents, the 'trade secret' route is the way to go.

I smell a rat! Prove you are the real "albert" and sign the post as usual, thusly:

. .. . .. --- ....

What kind of encoding is that, anyway ? :)

Clive RobinsonMarch 12, 2016 1:38 PM

@ Wael,

What kind of encoding is that, anyway ?

It's "Old MacDonald" knocking off with,

E I E I Oh.

WaelMarch 12, 2016 2:04 PM

@Clive Robinson,

I thought it was Morse code but couldn't map it to "albert"... Oh well..

It's Friday, againMarch 12, 2016 2:10 PM

Florida sheriff pledges to arrest CEO Tim Cook if Apple resists crypto cooperation
An attention seeking idiot who can't respect the rule of law

http://arstechnica.co.uk/tech-policy/2016/03/florida-sheriff-pledges-to-arrest-ceo-tim-cook-if-apple-resisted-cooperation/

Go ahead, make some free, end-to-end encrypted video calls on Wire
http://arstechnica.co.uk/business/2016/03/go-ahead-make-some-free-end-to-end-encrypted-video-calls-on-wire/

Four-year-old who 'mispronounced the word cucumber' threatened with counter-terrorism measures
The underlying legislation here demonstrates that political correctness has gone mad

http://www.telegraph.co.uk/news/uknews/terrorism-in-the-uk/12191543/Four-year-old-who-mispronounced-the-word-cucumber-threatened-with-counter-terrorism-measures.html

Namor of the SeaMarch 12, 2016 2:34 PM

@Dirk Praet

Yep, you are right. How to make kindergartners blow their cover 101. Button push. Figure out how to make them angry. They slip up.

Because nobody was ever dumb enough to waste money training them.

Like Trump they can't stand the idea of anyone laughing at them. Or seeing their true, naked state of someone who has no dignity.

Freamon Was A PussycatMarch 12, 2016 4:14 PM

@Curious

Some days after watching this recent US' House hearing, on youtube, it struck me that FBI Comey's idea of a world where everything is available with a warrant is a horrific idea, because of how this very notion imo probably is deceiving to people in general. The notion of how there would be a world with everything is available with a warrant, seem similar to David Hume's "is-ought" problem. So, to try sketch up a recognizable problem: just because you can get things with a warrant, shouldn't mean that everything must be available with a warrant. The "everything" part is ofc a generalization, but in this context I think that any flaws with such a generalization is not as critical as understanding that it is probably a bad idea to simply conclude that everything must be available with a warrant on a general basis.

I call this the coming "War On Fireplaces". Or "War On Papershredders Of A Certain Granularity". But thanks for describing the same thing in less snarky terms.

DanielMarch 12, 2016 4:28 PM

I've read Obama's comments in detail and frankly they scare me. His comments have no substance. If he presented facts or arguments in his remarks that would be OK because it would imply that he still felt the need to persuade the public, so it scares me that he doesn't even try to be right. There is no intellectual heft behind his comments. This suggests to me that he is just providing rhetorical cover for a decision that has already been made.

WillardMarch 12, 2016 4:40 PM

@Presidential precedents, goodness how sad. Now that lame-duck Obama has evidently shriveled to the status of a decorative lawn jockey, they figure they might as well torch the last of his credibility and use him as mouthpiece for FBI's last-ditch arguments for retards. Child pornographers!! Terrorists!!1!

WTF, you say? Never fear, police-state shill Ben P. Skeptical is here to explain the government-issue non sequitur. Comically, he invokes "the usual checks and balances."

The usual checks and balances are as follows: CIA psychos do whatever the fuck they want and get away with it. Now CIA demands everything you ever said and thought, served up on a platter on demand. So they can destroy you when they want.

(@Polizeistaat, not yet completely totalitarian? We're talking mock live burial with insects, tailored to the captive's phobias - straight out of Room 101, our archetype of totalitarian sadism. Painstaking destruction of a helpless captive's mind, one element of a systematic and widespread crime against humanity. Meticulously documented, it sits shrink-wrapped in a safe. The US shares a legal obligation erga omnes to investigate and prosecute or extradite the torturers. But. So-called US law puts the evidence out of reach of judicial review. DoJ threatens Congress when they try to look at it. Nobody at the Justice Department has the balls to read it. Face it, you live in a totalitarian state.)

Clive RobinsonMarch 12, 2016 5:55 PM

@ It's Friday, Again,

Obama puts down his encrypted phone long enough to tell us: Knock it off with the encryption

As I've mentioned before, in the last century the simple "additive cipher" algorithm was analysed and a variant of it was found to be theoretically unbreakable under certain conditions. Because of the way it was often used it became known as the "One Time Pad" (OTP) and saw real live duty during WWII over three quarters of a century ago, and is still in use today. It has the advantage of only needing a pencil and a little patience to use.

The point being once the key is destroyed (burnt usually) there is no way the plain text can be tied to the cipher text, because all messages of the same length or shorter are "equally probable". There are even "paper and pencil" "compression algorithms" that can be applied to plaintext therefore even some longer messages are "equally probable"...

The above is quite factual and inescapable logically and mathematically.

It can easily be seen that once the OTP page is burnt no "legal law" can magically reverse the process just because somebody thinks that their ideas are above the laws of nature...

The Obama quote that really shows not just his conceit, but crucially that he does not understand maths or any kind of hard science, is,

    "We have engaged the tech community aggressively, and my conclusion is that you cannot take an absolutist view on this."

It only shows he either has allowed his "law professor" ego to get in the way of what his ears are being told, or he is too stupid to understand a few mathematical and scientific truths that even an 8 year old can understand after a half hour or so with a dice, pencil and paper...

Lest people fail to understand that "the laws of man are subservient to the laws of nature" and think I am being unkind to Pres BO, there is a known precedent of such stupidity and it is generally known to first year law students. A group of legislators decided that Pi --ie 3.1415926...-- was a problem and decreed that it should be "3". When we hear about this we laugh, as we can not believe that anybody could be that insane.

Well, that above statement from Pres BO shows that history can repeat itself, only this time the insanity is in the highest office in the land... I wonder, is that how Pres BO wants to be remembered, as the butt of what future first year law students will think of as a joke?
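The "equally probable" argument in the comment above, worked through in code. This is an added illustration, not code from the thread or from any of its participants: a pencil-and-paper style additive (mod-26) one-time pad, a function that recovers the pad that would turn the ciphertext into any other plaintext of the same length, and a defender's check showing why a pad must never be reused.

```python
"""Additive mod-26 one-time pad, illustrating why a burnt pad page cannot be
"legislated" back: every same-length plaintext is equally consistent with the
ciphertext.  Added example; the helper names are this example's own."""
import secrets
import string

ALPHABET = string.ascii_uppercase


def normalise(text: str) -> str:
    """Keep only letters, upper-cased: the usual pencil-and-paper convention."""
    return "".join(c for c in text.upper() if c in ALPHABET)


def letter_add(a: str, b: str) -> str:
    """Letter-wise (a + b) mod 26, e.g. A+Q -> Q, T+W -> P."""
    return "".join(ALPHABET[(ALPHABET.index(x) + ALPHABET.index(y)) % 26]
                   for x, y in zip(a, b))


def letter_diff(a: str, b: str) -> str:
    """Letter-wise (a - b) mod 26, the inverse of letter_add."""
    return "".join(ALPHABET[(ALPHABET.index(x) - ALPHABET.index(y)) % 26]
                   for x, y in zip(a, b))


def make_pad(length: int) -> str:
    """One uniformly random key letter per plaintext letter (the 'pad page').
    secrets, not random: the pad is only a one-time pad if it is unpredictable."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def otp_encrypt(plaintext: str, pad: str) -> str:
    """c_i = (p_i + k_i) mod 26.  Refuses a pad that is too short rather than
    cycling it: a stretched pad is a Vigenere cipher, not a one-time pad."""
    p = normalise(plaintext)
    if len(pad) < len(p):
        raise ValueError("pad shorter than message; never reuse or stretch a pad")
    return letter_add(p, pad[:len(p)])


def otp_decrypt(ciphertext: str, pad: str) -> str:
    """p_i = (c_i - k_i) mod 26."""
    c = normalise(ciphertext)
    if len(pad) < len(c):
        raise ValueError("pad shorter than ciphertext")
    return letter_diff(c, pad[:len(c)])


def pad_that_yields(ciphertext: str, claimed_plaintext: str) -> str:
    """For ANY candidate plaintext of the same length, the pad that would have
    produced this ciphertext: k_i = (c_i - p_i) mod 26.  It always exists, so
    the ciphertext alone cannot single out the real message once the pad is gone."""
    c, p = normalise(ciphertext), normalise(claimed_plaintext)
    if len(c) != len(p):
        raise ValueError("candidate plaintext must have the ciphertext's length")
    return letter_diff(c, p)


def pad_reuse_leaks(ciphertext1: str, ciphertext2: str) -> str:
    """Defender's caveat: if two messages share a pad, c1 - c2 == p1 - p2 with the
    pad cancelled out.  The 'unbreakable' property holds only for one use per page."""
    return letter_diff(normalise(ciphertext1), normalise(ciphertext2))


if __name__ == "__main__":
    # Constructed sample messages for the demonstration.
    real_message = "ATTACK AT DAWN"
    pad = make_pad(len(normalise(real_message)))
    ct = otp_encrypt(real_message, pad)
    assert otp_decrypt(ct, pad) == normalise(real_message)
    del pad  # "burn the page"

    # Two very different stories, each with a pad that fits the ciphertext perfectly.
    for claim in ("SURRENDER NOW", "MEET AT NOON."):
        k = pad_that_yields(ct, claim)
        print(f"{ct} with pad {k} reads as {otp_decrypt(ct, k)}")
```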

WaelMarch 12, 2016 6:31 PM

@Clive Robinson,

The point being once the key is destroyed (burnt usually) there is no way the plain text can be tied to the cipher text, because all messages of the same length or shorter are "equally probable".

Some techniques protect against disclosure of keys by using a twice removed cousin to OTP: Perfect Forward Secrecy. ECDHE is a possibility...

tyrMarch 12, 2016 7:25 PM


@all,

Is it just me or is anyone else tired of hearing the US government (the world's only super duper power) whine that they are incapable of doing anything because of the awful crypto that is the magic shield around the usual heinous fringers in society. It occurs to me if they did some time in the real instead of wasting their time on publicity stunts that make them look like morons to folk with a few working brain cells maybe they could catch the awful (insert demonized victim perp/victim class).

I know magic is better and it is all the technologies at fault. Maybe if we bomb some more of the world into the lovely rubbleized examples in the middle east or poison a little more of the US water supply then the crypto will go away and the world will become heaven again.

When the campaign to change things presented a crooked lawyer from Chicago as their messiah and rode him into Washington DC on a donkey waving palm leaves, I cringed at the level of gullibility of the average USaian. Now that Donny Dumbass is poised to gull the other party in a rush to change the world the level of satire has gone up a new level. I believe the appropriate quote is "first as tragedy then as farce."

If I was Canadian or Mexican I'd be trying to get my government to hurry up building that fence to keep the neighbor out of my country.

If they are really that incompetent so that crypto hinders them so badly from doing their job maybe a large budget cut would reduce the level of incompetents involved.

WaelMarch 12, 2016 7:41 PM

@Nick P,

Like this one:...

These will take some time to "digest". Thanks! Seems there is a nice tool too!

WaelMarch 13, 2016 1:50 AM

@Bill,

It is Morse code...

Thanks, Bill. This signature can't be forged, I'll make a note of it :)

@albert,

Make sure this isn't your pin or password! It's out in the public now :)

Clive RobinsonMarch 13, 2016 3:00 AM

@ Nick P, Wael,

Like this one:

Hurumph... 26 pages of dense information and "Sunday Morning" appear to be incompatible today...

I suspect that if written less densely the paper would actually make a fair size book...

Anyway, time to get "the sizzle in the pan" and "Whistle in the Kettle" of full --artery hardening-- English breakfast with a pot of coffee capable of reviving a corpse, for "her indoors" and a two-pint pot of gunpowder tea for me.

WaelMarch 13, 2016 3:51 AM

@Clive Robinson, @Nick P,

I suspect that if written less densely...

It's denser than a neutron star. That's almost as dense as London fog! It's so dense, it sucked 50% of my brain cells -- I'm left with half a cell, but it's a good one :)

"the sizzle in the pan" and "Whistle in the Kettle"

I'll remember that!
But to make rhyme better, you might want to say the:
"Sizzle in the Vessel" and the "Whistle in the [kettle] Utensil" :) You know better than to mess with me when I'm sleepy and goofy, right?

and a two-pint pot of gunpowder tea for me

One of these days the metadata search engine will nail you!

WaelMarch 13, 2016 5:09 AM

@Clive Robinson,

It's "Old MacDonald" knocking off with...

You gotta be careful with your words! They had a measurable effect on @albert's "signature"...

John WaltersMarch 13, 2016 11:45 AM

I read a story about Kurt Godel. He studied the Constitution as part of preparing for an interview before becoming an American citizen. During the interview he was asked where he came from. The official remarked how a dictator could never arise in America because of the Constitution, to which Godel replied "Oh yes he could!"

Something Godel had learned made him think that a totalitarian government could arise in spite of the Constitution and he was ready to explain how until his friend Albert Einstein, who had accompanied him, interrupted him and urged the official to move on.

albertMarch 13, 2016 11:50 AM

It should be: EIEIOH

I thought . .. . .. --- .... was cooler than eof.

Anyway, my old sign off was 'I gotta go' (stolen from Ian Sholes).

Passwords don't allow dots, dashes, and spaces :)

.-. .- -

Nick PMarch 13, 2016 12:03 PM

@ Clive, Wael

I thought the abstract was straight-forward. I didn't read past that except for Tamarin's main paper where I looked at proof/performance results. Y'all have fun combating density.

Meanwhile, on the AI side, the AlphaGo beatdown was so thorough it looked sinister. They claim they're attempting StarCraft next: one of my favorite games of all time. The game has tons of tactics, interesting mixes of units, fog of war, opponents that bluff, and real-time. I called BS on them conquering people given prior results in AI. Maybe average but not pros: they're already a combo of human and machine haha. You should see them playing, thinking, and moving at lightning speed all at once.

Even if it wins, it will probably be repeating patterns it saw people play in whatever matches they feed it. It will still not have beaten humans' ability to pick up a game, learn how it works, devise effective strategy, improve by examples, and bring in pros' stuff. AlphaGo is much more limited and still even uses decision trees internally (semi brute force). Probably why another experiment is trying to have it learn on its own.

WaelMarch 13, 2016 1:26 PM

@Nick P, @Clive Robinson,

Meanwhile, on the AI side, the AlphaGo beatdown was so thorough it looked sinister

I know nothing about Go. I do know something about Chess, though! I have most of the chess engines on some of my devices. Shredder, Fritz, Chessmaster, Hiarcs, among others. The only luck I had was with Chessmaster. The rest, no chance. I beat Shredder once in 350 games. The other 349, it shredded my butt. Chess engines have advanced so much so that even a world champion stands no chance against them. Currently Magnus Carlsen, the reigning world champion, with the highest all time ELO rating of about 2882 stands no chance against engines such as Komodo, Stockfish, or any of the top 20 or 30 engines.

Go AI is still in its infancy, and is bound to get much stronger as time goes by. When that happens, the likes of Lee Sedol will be obliterated :) Well-developed machines will beat the best of humans any time, any day of the year! Machine against machine looks more interesting and more futuristic. Once in a while there'll be that human freak who can beat them, just so you don't feel so bad...

WaelMarch 13, 2016 2:04 PM

@albert,

Passwords don't allow dots, dashes, and spaces :)

Must be a "weak password" policy, then! Spaces will change a password into a passphrase, generally speaking.

John WaltersMarch 13, 2016 2:31 PM

I read "Why the Germans? Why the Jews?" by Gotz Aly. And I read "Mein Kampf." Of all the things there are to tell, the most alarming discovery to me was how the constant complaints of income inequality were synonymous with an ushering in of the fascist state. In ways I don't fully understand, political messages that beat that drum - the constant barrage of political messages to the people that they are all victims - scares me. On the surface I would not have thought cries of income inequality had anything to do with fascism, but I'm telling you it does. If fascism is a submarine, then the income inequality mantra is the snorkel.

Joe KMarch 13, 2016 3:26 PM

It's known text apps are easier to encrypt well than voice, text or common email.

Whisper Systems created the WhatsApp for Android which is causing the US government hissy fits and has them filing attack warrants and briefs all over the place.

As for iOS, Whisper has a nice product called Signal which is available at the app store which provides end to end encryption and would be a viable work around if DoJ should happen to convince their cherry picked judge to go against Apple.

http://support.whispersystems.org/hc/en-us/articles/212476148-Who-can-I-talk-to-with-Signal-Where-are-my-contacts-

I think it's time for the citizenry to draw a line even if it doesn't impact them directly. We do have a right to privacy and a right to be free from unreasonable government intrusions.

Seems the government figures that's debatable and is willing to spend every last taxpayers dime to get their way. They want wide open access to all electronic data and devices. I don't think they should.

Dirk PraetMarch 13, 2016 3:49 PM

@ Wael, @ Milo M

Re Godel's citizenship interview

This is too good! Can somebody pretty PLEASE make a (geek) movie out of this?

WaelMarch 13, 2016 4:09 PM

@Dirk Praet, @Milo M, @John Walters,

This is too good! Can somebody pretty PLEASE make a (geek) movie out of this?

Vell, Vell! Depends vat kint of mofie you vant! Pure schience, oder spooky type mofie! Ze plot sickens :)

65535March 13, 2016 4:33 PM

Here were my comments on the Apple v. FBI fight before the squid thread was open [Clive was joking around with me]:

https://www.schneier.com/blog/archives/2016/03/espionage_tacti.html#c6719139

https://www.schneier.com/blog/archives/2016/03/espionage_tacti.html#c6719145

@ Namor of the Sea

“Maybe I am feeling even more cynical than usual, as I am deep in Season 4 of House of Cards, but my take from his statement is he is completely full of s**.”

I agree. When you hear Kiddie porn and Terrorism so many times it's clear that the speaker is full of it. Kiddie porn pulls at emotional strings and the never-ending Terrorism device induces fear. It’s a page from the FBI/NSA talking points – and this is biased.

@ AlanS

“They'd be amusing if they weren't scary.”

The Feds are not amusing. I would say Abusing is a better word. CALEA does play an obvious role in this current legal debate. It's clear the latest filing is vitriolic and does smack of intimidation [ie the Lavabit NSL].

@ Jacob

“Very good article about the Clipper Chip redux.”

True, we are fighting the Clipper chip war again. This time Hillary and Bill will essentially be back in office.

@ Thoth

“…it is not fair that the government systems are "secure" while we are not. The main reason is due to the fact we use vastly separate and different systems that makes these elites comfortable to see their citizens compromised and they are protected…”

You hit the nail on the head. It is a clear elite class grab for power. Obama and the politicians have their secure communications channel, security teams with enough fire power to flatten a house, K street lawyers to defend them and limos to transport them in style. It is the antithesis of the citizens controlling their own government - or democracy. It is a travesty.

@ FollowMoney

“Why is the U.S. government trying so hard to force Apple to break the security of one iphone from a dead terrorist?”

Yes, it makes you wonder if cheap access to all citizens' communications is the end goal. Consider the upcoming election. Cheap access to all citizens’ communications including geolocations would help politicians of all stripes get into power.

[next is more interesting]

@ Thoth

"Why would they buy a valuable patent and not deploy it."

“Looking at the first patent picture (http://patentimages.storage.googleapis.com/US8775757B2/US08775757-20140708-D00000.png) it shows TZ0, TZ1 ... those are likely TrustZone terms.

“The "Secure Boot" drawn here (http://patentimages.storage.googleapis.com/US8775757B2/US08775757-20140708-D00002.png) is very similar to TrustZone.
“You can find the patent in the links below. From the patents, Secure Enclave contains a Secure Enclave Processor (SEP) in the same above image link which would "Secure Boot" and once all the security verifications are done, it hands over to a CPU by the statement "Permit CPU to Boot". From the rest of the patent text (too long to put here), it implies the SEP processor can be isolated from the CPU(s) and the SEP handles crypto and security that the CPU(s) request thus leading to the conclusion that there is some sort of "Secure Element" inside the Apple chip besides a bunch of CPUs and other circuitry.”

This does bring up more questions of technical nature and the question of motives for the USG to dig in to an old and cold case.

The FBI/NSA must have all of the Call Data Records/Metadata of the calls placed with that phone and the two smashed phones. The Feds have the weapons, the buyer and witness to said weapons Enrique Marquez Jr., a number of family members of the shooter, the sham marriage, multiple searches of the location, and so on.

See:
https://en.wikipedia.org/wiki/2015_San_Bernardino_shooting

The Feds have the whole ball of wax including the backup accounts of the suspect – but not all of them. It makes you wonder what the end game is.

@ Polizeistaat

"I hope you are enjoying the iron cage under construction? Although, this behavior is terribly predictable based on the characteristics of police states seen in history."

Yes, we are very concerned about that. This is particularly true of setting a legal precedent making hardware and software makers create a malware program that defeats the very software being developed [not to mention the huge possibility that said malware will be leaked during the legal proceedings]. That type of precedent is horrible to think about.

@ It’s Friday, again

‘Florida sheriff pledges to arrest CEO Tim Cook if Apple resists crypto cooperation’
“An attention seeking idiot who can't respect the rule of law”

This is more evidence of heavy handed tactics by the Government and probably instigated by the FBI.

@ Clive Robinson
“…that above statement from Pres BO shows that history can repeat itself, only this time the insanity is in the highest office in the land... I wonder is that how Pres BO wants to be remembered, as the butt of what future first year law students will think of as a joke?”

Hard to say, but Obama is a deceitful individual with unknown agendas. I am sorry I helped put him in the highest Office of the land.

Next,

Let’s get down to brass tacks on the real reason the FBI wants Apple to write a malware program to break their own security – including technical reasons.

After reading the recent government filing in which FBI wiz kid Stacey Perino complains that she can’t figure out how to unlock the 5C iPhone with iOS 9, but others have done so, and flings a lot of dust in the air including many exhibits rehashing the security of the phone and probable ways to possibly unlock it, she relies heavily on Special Agent Christopher Pluhar to explain what the FBI believes may be relevant data locked in said phone.

"(“FBI”) Technical Director of the Cryptologic and Electronic Analysis Unit Stacey Perino, FBI Supervisory Special Agent Christopher Pluhar…Moreover, even if—contrary to how Apple built and designed it—Farook’s iPhone could have been forced to sync to Apple’s iCloud network, that would not be an adequate substitute to unlocking and searching the phone itself. Both the FBI’s testing and Apple’s security documentation show that entire categories of evidence—including device-level data such as the “keyboard cache” (which records recent keystrokes)—reside only on the iPhone and not on an iCloud backup, and that some of the backup data would still have been encrypted. (Supp. Pluhar Decl. ¶ 10.) But that data remains on the iPhone. Thus, even with a full set of backups, the government still would have needed to search the phone itself in order to leave no stone unturned in this important investigation…”

https://assets.documentcloud.org/documents/2755201/Apple-Govt-REPLY-BRIEF.pdf

https://www.justsecurity.org/wp-content/uploads/2016/03/FBI-Apple-CDCal-Govt-Reply.pdf

[Pluhar Brief is somewhat of a misdirection and contains about the same theme. This is presumably about getting the keystrokes to find the passcode/passwords to 'what' or 'where' is not clear. Pluhar does echo the idea that there could be some pictures or images on the phone].

[FBI brief]

“I know based on my experience, and review of Apple’s website, that “iforgot.apple.com” provides iCloud customers with the ability to reset the password associated with their Cloud account over the Internet… For example, with Cloud back-ups of iOS devices (such as iPhones or iPads), device-level data, such as the device keyboard cache, typically does not get included in iCloud back-ups but can be obtained through extraction of data from the physical device. The keyboard cache, as one example, contains a list of recent keystrokes typed by the user on the touchscreen. From my training and my own experience, I know that data found in such areas can be critical to investigations. I consulted with an OCRCFL examiner who reviewed the exemplar iPhones that were used as restore targets for the iCloud back-ups of the Subject Device. Each of the restored exemplars includes restored settings, and those settings showed that, for example, iCloud back-ups for “Mail,” “Photos,” and “Notes” were all turned off on the Subject Device. For these reasons, iCloud back-ups as currently implemented are not considered a compressive method… forensic examiners rely on physical device extraction to obtain the most data available from mobile devices… the FBI would still need to conduct a physical device extraction of the Subject Device in order to obtain all potential evidence…

http://www.wired.com/wp-content/uploads/2016/03/Apple-govt-REPLY-BRIEF-Pluhar-supp-dec-without-exs.pdf

And, I don’t really see how the Lavabit threat by the Feds and other threats by law enforcement on Apple employees helps the government’s case.

Here is the Lavabit brief [the actual NSLs and events are still secret]:

http://images.apple.com/pr/pdf/Lavabit.pdf

As Thoth’s links indicate, Apple has some fairly sophisticated hardware and software security and some of the details are not listed in the patent filings – hence, Apple could have a huge amount of intellectual property exposed – at the very least.

At the worst, Apple could be forced to develop malware to defeat their security in the hardware and software and lose valuable customer trust – not to mention an IP that could be worth hundreds of millions of dollars.

The questions are:

1] What exactly is the FBI fishing for in the end-game?

2] What technical data could be gotten from said 5C iPhone [iOS 9] that will make any difference in this old investigation?

3] Exactly what happens to the keystroke cache after a long period of time, and if the phone is powered down? Is it flushed?

4] Why did the FBI not consult one of the major Three Letter Agencies and have the malware program written by them or their sub-contractors? Cough NoSuchAgency…

WaelMarch 13, 2016 4:45 PM

@65535,

the government systems are "secure" [ ...] You hit the nail on the head...

I'm afraid you both hit the nail on the f###in' neck and broke it. In light of the latest news we've been reading, whatever misleads you both to think so?

CuriousMarch 13, 2016 4:52 PM

I vaguely recall having read/heard about possibly de-soldering the chip(s) on that one particular iPhone for the FBI to then work on the data somehow, but did anyone here understand what kind of problem that was?

Unless I am mistaken, in the recent House hearing, FBI's Comey simply stated that such wasn't possible, but also that for reasons that were not clear to him.

Being cynical here, and being obviously a non-expert on any of this (I say this because I don't want to annoy you people thinking I am pretentious), I can't help but wonder if Apple hasn't already compromised the iPhone for the sake of NSA et al., and that Apple can keep that information secret by simply hiding it as a 'trade secret'.

Makes me wonder if businesses' trade secrets in the US are always kept secret, or perhaps not.

CuriousMarch 13, 2016 4:59 PM

Off topic I guess: (Freedom of Information Act related)

"It Took a FOIA Lawsuit to Uncover How the Obama Administration Killed FOIA Reform"
https://news.vice.com/article/it-took-a-foia-lawsuit-to-uncover-how-the-obama-administration-killed-foia-reform

Btw, the linked article is very long, and I haven't read the source documents, and so I am not the best to present this.

The gist of this issue seems to be that the White House is working against a better FOIA, on claims of the type that FOIA would be burdensome, though such a point is refuted by others.

Dirk PraetMarch 13, 2016 5:18 PM

@ Wael

Vell, Vell! Depends vat kint of mofie you vant!

In the immortal words of a former Swiss project manager of mine: "Let stink first and then disgust the matter".

albertMarch 13, 2016 6:09 PM

@Wael,

"...Must be a "weak password" policy, then! Spaces will change a password into a passphrase, generally speaking...."

Then let's allow spaces and tabs, and make the number of them significant...hell, let's allow all 128 ASCII characters.

. .. . .. --- ....

Namor of the SeaMarch 13, 2016 7:37 PM

@65535

“Maybe I am feeling even more cynical than usual, as I am deep in Season 4 of House of Cards, but my take from his statement is he is completely full of s**.”


One of the ways to manipulate people and organizations.

I used it myself to manipulate British intelligence back in the late 90s to create a project to employ me under.

I do not state that sort of thing to make people wonder about my trustworthiness. I state it to point out that we hackers are the leaders of global government, and it is our foremost concern and project to make it something that makes everyone as happy as possible.

We are the elite.

We are the leaders.

We are those who 'watch the watchmen'.

We are the hackers.

I hack computer systems, yes. So do you, or you would not choose such a nick.

But, that is just a cover. For me, anyway.

I have performed this as a day. Well enough to be considered the most elite and legendary of any American ever born.

Of course, most with top secret clearance do not know my name.

They simply know me by the pathways of carnage I have opened for them.

In my case, of course, I was born from a leader of American intelligence. One whose name almost none of them knows. Nor of his organization.

My goal, is not American supremacy.

I could have made that my goal. And I would have won.

No.

My goal is to greatly elevate all nations of earth.

All the earth will know the standard of living the very best of us now know in our first world countries.

And?

I do this anonymously.

Those who do learn my name?

Their lives are short.

And we make it look like accidents.


Mix of human rights activist and assassin?

Welcome to those "hackers" who are making the Millennium.

BuckMarch 13, 2016 7:58 PM

@John Walters

Is that an instance of causation, or could it perhaps be another case of a correlation with confounding factors..?

Maybe the rise of creeping fascism directly contributes to the increase of calls against inequality? As more corporate and governmental powers are being consolidated into fewer and fewer hands, both the haters of fascism and the haters of inequality may become more likely to agree with each other.

Maybe it's a bit harder to recognize the periscope coming up again though... Last time, we had the governments taking control of business, and this time it's the reverse - oh well, a rose by any other name still smells like shit! ;-)

MIA Paper PlanesMarch 13, 2016 9:12 PM

The Horrible, Horrible, Terrible Future ;-)

From the Most Horrible Influential, Dark, and Diabolical Leader You Have Never heard of


I will tell you right off how you can know if you are my friend or not.

Does the song "Imagine Dragons" "Radioactive" give you a thrill of joy or not?

If it does? You? Are my friend.


https://www.youtube.com/watch?v=ktvTqknDobU

It is that simple.


I do not make a lot of money.

Frankly, if I made much more money than I make now, I would blow it on booze.


I could make much more.

But this is literally one way I keep myself from drinking too much, or sleeping around too much.


I like women, and women like me. I like booze, and booze likes me.

If I really had my way, I would be deep into pot and hallucinogenics.


This is all very curious and interesting.

Because I am more powerful than the head of the CIA, the FBI, the NSA, and the POTUS, combined.


No one ever elected me.

No one ever elected my father before me.


Why the candor?


On this forum, using this IP address, I have the attention of many very important people in many very important countries.


Like my father before me (who remains in power), I do not exist.

We do not exist.


But? We do exist. And we control five eyes. And by that, I mean most certainly not only their intelligence and law enforcement systems? But also their leadership. Which we decide.


Frankly, I relate with many TV shows (which we have members who operate as advisors to), but one of my favorites is "Scandal".

Now, one of the truest lines there was said to the chief of staff to the POTUS, "you have never known power, you are just a mouse on a wheel".

Whether my audience here wishes to believe it or not, this is a very true statement.

The POTUS, the President of the United States of America has never known power. He or she is just a mouse on a wheel.

We control America.

And, from that, we certainly control "five eyes", and frankly, all eastern and western free nations.

What we do not control is Communist nations, authoritarian nations, and Muslim majority nations.

But? We will.


...

You may doubt that. And that is great. Your vote does not count.

It certainly does not detract from our power.

...


Now, I say all of this as to friends.

I have to work a "day job". The "day job" I chose was a "hacker". I invented the term "golden key" for backdoors. I invented the "watering hole" attack. I invented the "drive by" attack.

You do not know this. And you could never put those pieces together. Because I am not the sort of idiot you suppose runs things.

...

Indeed. Remember how they said of the Titanic? "Even God could not sink her"? Their mistake. They did not have any concept of God.

Like God, no one can see my face and live.

We will kill you.

And God will agree.

...

None of that is important. If miscellaneous dark folks in US, China, Iran, Russia intelligence all die because they looked into things they should not? That is not your business.

Here is what is your business.

Who watches the watchmen.

We do. That is who.

...

One who is wise might recall, when he asked God, incarnate as a person, "on whose side do you stand", he stated, "neither".

Yet, that person was Joshua, and he bent the knee and worshipped that man.

Who pointed out, he was the "commander of the armies of Heaven".

And, who, for Joshua, stopped the day.

...

All nations will be free.

All nations will be immortal.

All the world will have knowledge of God, as waters cover the sea.

And, besides I need not put these statements in quotes, despite their coming from the bible... anyone who opposes us shall fail.

We shall see to their destruction.

...


If you are in the remotest part of Africa. Or China. Or India.

You will know our life, as it here today, in the best of America, and our Western nations.

And soon.


And if you are not.


No enemy who stands before us will succeed.


We ... are more than the population of earth. "I create my servants of fire, my messengers of wind".

We have no regard for the opinions of humans.


We are not only already "among you", we already rule you.

And we will not stop, until we have brought the Kingdom to earth.


So, sorry for speaking for your real parents. Sorry for telling you about your real future. Sorry for taking "democracy" and "republics" out of your hands, and turning over totalitarian nations. And providing even you sinful, loser devils of humans eternal life.

Just part of the plan.


Word of advice?

Think about it.

Maybe there are people not only smarter and more powerful than you... but we can create many android copies of them at will.

And we do not actually want to kill you or torture you, lol.

Maybe give us some praise, in the end.


But, ultimately? You are our children.

And?

Believe it or not? That is enough.

Yes, I too, do not know why... lol...


Really, I do not know. :-)


I just do. :-)

SkepticalMarch 13, 2016 10:21 PM

@Dirk:

Which, as an acting judge, he is perfectly entitled to. The government and yourself may find his opinion as absurd as you want to, to me and many others it makes perfect sense.

Of course he is. You asserted that I, in focusing the discussion on the AWA, was narrowing the legal question beyond what it should be. I merely pointed out that I focused upon the actual holding in Orenstein's opinion, which was of course predicated upon a particular reading of the AWA.

The government for its case seems to depend on one precedent only, i.e. the New York Telephone Company. And it's being called into question not just by Orenstein but by others as well. Hardly a hole-in-one, I'd say.

The leading case in this matter is indeed in the U.S. v. New York Telephone Company, 434 U.S. 159.

The history contained within that case regarding the AWA is sufficient, and Orenstein's heroic attempt to wrest something out of the "usages and principles of law" phrase was immediately speared by those who took the time to see what higher courts had actually said on the matter. I see no need to rehearse it all here. If you google for Kerr's columns on the case, among other places, you'll find what you're looking for. Is there a particular point that you find weak in the government's case?


Even the government in its latest brief has admitted that there are 1st Amendment implications indeed by citing a somewhat dodgy precedent stating that something is not compelled speech if the government is the only audience and the "compelled speech" is not made public. The fact that the USG in practice unfortunately is unable to keep any secrets (NSA, OPM etc.) kinda renders this argument pretty moot.

Uh, no, they haven't. The government spent two or three pages ripping to shreds the two or three sentences spent by Apple on the issue. The government noted that much of the civil and criminal judicial system relied upon compelled testimony - the primary reason for which such operations fall under an exception to the compelled speech prohibition. They then continued to note that modifying a software feature under legal compulsion could not reasonably be interpreted as Apple's agreement with the act.

That the 1st and 5th Amendment claims even made it into the brief are signs of weakness in Apple's case, frankly.

Purely from a legal vantage, I think Apple is getting hammered in this exchange. The federal judge is going to issue an opinion that will, in some way, and explicitly, be highly linked to the factual specifics of this case, avoid the broader policy questions by emphasizing her duty to decide this particular case upon the respective merits, and reject Apple's overblown reply.

Clive RobinsonMarch 13, 2016 11:10 PM

@ 65535,

[I]t makes you wonder if cheap access to all citizens' communications is the end goal.

No I don't think that is the FBI's end goal, just a stepping stone.

The FBI have for many years run a quite effective disinformation operation against the US Citizens and as a secondary result much of the Western World.

Most people assume that the FBI is a Law Enforcement Organisation (LEO) but that is actually a small part of what they effectively do. Their direction set by Hoover and still in place is to be "The Watcher Guardians" ie to be "watching the watchers" and likewise any who have any kind of visible power over the mores of US citizens via the likes of religion, politics, entertainment, publicity, marketing, purchasing/consumer/goods/services etc.

In essence the FBI are a form of "thought police" not too dissimilar to that which was envisioned by George Orwell and later writers. However neither Orwell's idea nor the FBI came into existence from nothing, they were based on the ideas that Machiavelli and similar put together in their works. Based on what they had observed in the various "King Makers" and more importantly "King whisperers" that are the real "power behind the throne" that is usually occupied by a "useful idiot" or puppet that "the common people" see as their King / President / Head of State.

Like all such "King whisperers" the FBI jealously guard their power and access to the king and thus covet that of others, such as the NSA etc.

tyrMarch 14, 2016 12:29 AM


Here's your definitive look at fascism.

http://www.amazon.com/Mass-Psychology-Fascism-Wilhelm-Reich/dp/0374508844

He points out that fascism isn't a political party.
It is embedded in common human reactions to events
they can't understand well. Income equality, strange
people encountered disrupting the facade of commonality,
folks with different ideas or a different religion that
ordinarys are not familiar with. So there's no arcane
magic path to fascism it is just business as usual.
The enlightenment on the other hand has to fight every
day to keep us from slipping back into the caves in a
paroxysm of Luddite frenzy.

The magic speeches turn out to be just saying things
that the average cloddy is thinking. Once you say
enough of them you can add things they don't agree
with and suddenly you are the glorious leader they
were waiting for who will solve all of their discomforts.

CuriousMarch 14, 2016 6:05 AM

Off topic:

My very personal idea for understanding the proper use of 'fascism' is fairly simple, with basically just two, but co-dependent parameters, that are used as a measure for potentially large scale events, relatively speaking (any type of community).

(Admittedly, what I write about here focuses on other things than 'fascism' in a traditional sense so to speak, where 'fascism' in that way risks referencing only historical events and historical actors in a traditional manner and referencing traits that are associated with people deemed to be fascists)

#1 A direct (explicitly expressed) command or a direct request, for the allegiance or the support, or more importantly an implied duty of the many, for a few in power or for some greater idea (e.g for "the greater good").

#2 By someone with power and authority, e.g public officials, politicians and mass media.

In this way, a call to invoke, or to celebrate 'nationalism' for example can be thought of as being fascistic, fascist or fascism, regardless of it being perceived as good or bad, and ofc. ones inclination for that would probably depend on the specific context.

I think it is a good idea to then nuance this idea of something 'fascist', into things being thought of as either 'fascism' (more like a negative label), or just 'fascistic' (more like a negative trait), as a way of thinking about all of this without getting too fixated and perchance stupefied by reiterating on any variant of the word 'fascist'. Calling something 'fascistic' makes a lot of sense for when wanting to try to describe something as per one's personal opinion, rather than simply attributing negative labels (like 'fascism') that maybe aren't reasonable, or something that isn't explained.

Because of how few or maybe none (presumably) are inclined to announce themselves as being 'fascists' as such, I think that labeling others as "fascist" or "fascists" is not easy, but I think anything that is deemed "fascistic" can be thought of as being "fascist" (though not related to 'fascism', which has this -ism on the end). 'Fascism' is imo more like, and paradoxically so, a vague term, because of how such a term likely exists for the purpose of keeping the usage inside a historical setting, as some kind of metaphorical reference, yet it is also probably used frequently as a negative trait used for labeling someone or something.

Hm, funny thing with English. Now that I think about it, apparently the word 'fascist' is both an adjective and a noun.
So 'fascist' is similar to the word 'fascistic' when used as an adjective, something becoming obvious when used, that creates a context in itself by writing or uttering a sentence.

CuriousMarch 14, 2016 6:24 AM

To add to what I wrote:

The reason why anyone calls something or someone "fascist", "fascistic" or "fascism" is most likely more interesting than using such words as mere references, or labels. So getting a grip on exactly what one means is important I think, or one risks all too easily being swayed by other people's opinions later on, or becoming confused (feeling confused is not entirely a bad thing I think), or perhaps one simply becomes something of an idiot, someone with opinions that others can't understand.

ianfMarch 14, 2016 7:22 AM


Please, Curious, save your “personal ideas for understanding the proper use of 'fascism'” for other fora; there's no need to infantilize its meaning here… of an authoritarian and chauvinistic system of government (at any and all levels) underscored by overt violence.

WaelMarch 14, 2016 7:52 AM

@ianf,

Please, Curious, save your “personal ...

Allow @Curious some freedom of expression ;)

Lil' PaperclipMarch 14, 2016 9:47 AM

Perhaps dimly grasping that he's on thin ice attempting legal reasoning, skeptical retreats to the relative safety of senile-Brent-Musburger color commentary about who's winning. But despite the oafish care he takes to avoid substantive argument, skeptical farts out an awesome stinker. He natters cheerfully about the importance of compulsion to the US judicial system.

This gaffe is funny cuz it's true. By raising the issue of compulsion skeptical bellyflops directly into the deep end of America's reeking judicial cesspool. Normally US apparatchiki only admit this when forced to by treaty bodies, charter bodies, or special procedures. But here skeptical blurts it out in front of the children. Compulsion is in fact how the US police state justifies torture and denial of the rights of trial. The US posture is illegal, the source of many war crimes overseas, but skeptical, thoroughly indoctrinated as any Deutsches Jungvolk, thinks it's hunky-dory here at home.

Skeptical's totalitarian 25-Punkte-Programm is completely standard among government security parasites and their hangers-on in white man's welfare makework. This is why your constitution's gone. This is why you're sealed off from the protections of jus cogens or peremptory norms. The Germans lost but all the Nazis went to work for CIA.

DanMarch 14, 2016 10:06 AM

@ Clive Robinson,

"The Watcher Guardians" ie to be "watching the watchers"

Like all power structures, by design, there is a hierarchy of things. It appears that the threshold goes like this: there's knowing the law, bending the law, and making the law. Knowing the law itself is power, as Knowledge is Power. Without the knowledge there can be no awareness to practice. Then comes the next level, bending the law; some call it field craft. That's those who know the law and are in the position to exert influence in the process of. Last, it's those who make the laws or are in the position to influence the makers of laws, such as lobbying.

The assertion is made that the watcher of watchers must be removed from all three because the watch itself cannot be part of the power structure, because it cannot achieve complete unbias otherwise.

DanMarch 14, 2016 10:21 AM

@ 65535

"“Why is the U.S. government trying so hard to force Apple to break the security of one iphone from a dead terrorist?”"

"Yes, it makes you wonder if cheap access to All citizens communications is the end goal. "

The question leads to philosophical ones because the very answers depend on one's pre-assumptions. Where does the piece fit into the puzzle?

Cheap can be in monetary terms or in terms of system cost, which is all-encompassing. It is impossible to formulate sound answers unless one reconstructs the power structure from which it stems. As in all secured systems, access is layered and never in singularity. So the question becomes which level of access the fight is about, and who owns the data that travels communication mediums. If the end goal is per device, then the access to communications is only transient in nature. It's not just the data; it is the power structure of which 3 layers they are after.

JacobMarch 14, 2016 10:35 AM

Richard Clarke, the former NatSec official, says in a 5 min talk - very eloquently - that the FBI is out of bounds with the Apple case, and while the FBI could have gone to the NSA and asked them to crack open the iPhone, what they really want is to establish a precedent of compelling a company to subvert its own encryption, even at the cost of violating the Constitution.

http://www.npr.org/2016/03/14/470347719/encryption-and-privacy-are-larger-issues-than-fighting-terrorism-clarke-says

DanMarch 14, 2016 11:14 AM

@ albert said,

"Many years ago, when gun manufacturers built their own rifling machines, they never patented them; the whole machine was a trade secret. Just throw a tarp over it when folks come to visit. Competitors had no idea how they worked, nor could they reverse engineer it."

Thus, it is said the bigger threat than a double-dealing insider is the customers. The human link, by which a few had learned to profit from. It's those who are in the know that can hide in transience, because once the rifling got sold to a customer the tarp comes off. Some call this fair game, some don't, but it has always been the inevitable. Then it becomes that the ways to mitigate this were multi-pronged, as it is a combination of obscurity, technicality, disinformation, legal force, and treaties are signed for.

@ Curious said,

"My very personal idea for understanding the proper use of 'fascism' is fairly simple, with basically just two, but co-dependent parameters, that are used as a measure for potentially large scale events, relatively speaking (any type of community). "

A common facility for facts and truths evolves over times, and as they evolve words change, metamorphically speaking. What is fascist today, may not be fascist tomorrow, and so forth as we've seen in communism. There is a commonality across domains.


JG4March 14, 2016 12:50 PM


industrial espionage isn't especially new and the US has a rich history of it, in all directions. the bit about rifling engines is spot on New England history. if I am not mistaken, it was German immigrants to the US who brought rifling technology to Pennsylvania and/or Virginia in the late 1600's or early 1700's. it later would prove devastating to the British imperial forces.

http://protocoll.net/innovators/samuel-slater-part-1.html

...

He therefore decided to steal the Arkwright technology, take it to America and claim the money.

Despite the fact that there were strict laws in place in England at the time prohibiting the export of textile machinery to any other country (enacted 1774), and another law banning the emigration of skilled men abroad, he left Derbyshire bound for America.

He journeyed first to London where he spent a few days sightseeing. He had known from the first day he had hatched his scheme that if he was to fool the English authorities and get away with his crimes, he must tell no one of his plans. Thus, only when he was in London was it that he let his family know he was leaving for America - by posting them a letter.

The English Excise and Customs always questioned passengers at their departure ports to detect would-be criminals. To outwit them, Slater deceptively assumed the character of a farm labourer and he sewed his apprentice indenture papers inside the lining of his jacket, so the authorities found nothing when they searched him when he set sail for America on 1 September 1789.

The objective of Slater’s plan was to make money by stealing the Arkwright cotton-spinning technology and he did this, spectacularly, by memorising all the details of the spinning machines, so that he could reconstruct copies of them as soon as he reached America.

Clive RobinsonMarch 14, 2016 1:09 PM

Putin has just announced withdrawal from Syria

In the past few minutes Russian Premier Putin has announced the withdrawal of troops from Syria.

What is not yet clear is how many and which troops he is pulling out.

It will be interesting to see what happens next.

CuriousMarch 14, 2016 2:10 PM

@Dan

If you think that fascism is just to be some negative laden label, then I think you have misunderstood me, or possibly just ignored all of what I wrote.

Something I didn't mention, was that I think fascism is not necessarily wholly different than a democracy in the sense of fascism existing because of how there are people supporting a ruling party, and that a ruling party depend on its supporters. I think turning anything fascist into a caricature of stuff being bad so to speak is a bad idea, if for example 'fascistic' is just some label used for expressing disgust for all kinds of violence and oppression, as if things like violence, cruelty, racism was equating to being fascist.

Dirk PraetMarch 14, 2016 7:29 PM

@ Skeptical

They then continued to note that modifying a software feature under legal compulsion could not reasonably be interpreted as Apple's agreement with the act.

Modifying under legal compulsion a critical software feature goes way beyond compelled testimony as traditionally understood under the rule of law. You know just as well as I do that this entire case is not just about the SB telephone, but about setting a precedent for countless others, with huge implications both in the US and abroad, and not just for Apple but for the entire tech sector and the public at large.

The real issue at stake here is not about finding additional information on this particular phone, but about whether or not the government, based on a 1782 statute, can legally compel a company that is neither accused nor complicit in a crime to reverse engineer a device that was explicitly built to safeguard the security and privacy of its owner's data. Maintaining that it's just about this case is intellectually dishonest at best.

The end game here is a requirement for every electronic device in our digital societies to be able to spy on us at the government’s request, in the process making all of us more vulnerable to scores of other actors both foreign and domestic too. It begs the question if any government should have such powers. It's the exact kind of thing George Orwell and the like have warned us about.

Although I get that Comey, Orin Kerr and yourself are firm proponents of a world in which nothing in our increasingly digital and interconnected lives can be out of reach of a government producing some kind of warrant, it is not an opinion I share. I also very much doubt this was something the framers of your Constitution or then Congress had in mind when adopting the AWA.

Unlike you, I equally don't believe that there is a strong enough system of checks and balances in place to prevent widespread abuse of such powers, especially after the next wave of real or perceived terrorist threats hits the land. The mass surveillance revealed by Snowden and relying on secret, ex parte orders issued by secret courts based on secret interpretations of the law certainly does not bode well in this context.

In short: what you people are asking for is nothing short of an abomination that in my humble opinion has no place in a democratic society. Which brings us to the question: should an iPhone or similar device then always be off limits to the government? My personal belief is that it is up to Congress to answer that question instead of the government doing a power grab based on a two centuries old statute. And which is also what Apple is asking. But I am repeating myself.

jb24March 14, 2016 7:51 PM

Apple Security Update For Windows 7 and Later:
https://support.apple.com/en-us/HT206091

For more information regarding that update and Bootcamp
click on the See Questions at the bottom of the above webpage.

From the link:

"Impact: An attacker in a privileged network position may be able to control the contents of the updates window

Description: The contents of the updates window were retrieved from the network using an unprotected HTTP connection. This issue was addressed by using an encrypted HTTPS connection to retrieve the contents."

DanMarch 15, 2016 3:25 AM

@ Curious said,

"If you think that fascism is just to be some negative laden label, then I think you have misunderstood me, or possibly just ignored all of what I wrote. "

"I think fascism is not necessarily wholly different than a democracy in the sense of fascism existing because of how there are people supporting a ruling party, and that a ruling party depend on its supporters."

My comment was more so about a common facility, as I do not pretend to understand or misunderstand you. The -isms are pre-conceived assumptions, indoctrinated in us, and whenever someone flings one, it bombards the target with all the attached baggage, figuratively speaking.

Clive RobinsonMarch 15, 2016 6:07 AM

FBI encouraging racist behavior in schools

All in the name of FUD Terrorism...

https://info.publicintelligence.net/FBI-PreventingExtremismSchools.pdf

And it would appear you can blame Theresa May, UK Home Office Minister, for giving the FBI this numpty idea via the "Special Relationship", which would kind of make it a first...

English politicos are frequently trotting out the SR and how important it is. However, as most US politicos with more than half a brain cell know, outside of the IC the SR is a joke where the UK is expected to kowtow to US wishes.

65535March 15, 2016 9:33 AM

@ Namor of the Sea

“I used it myself to manipulate british intelligence back in the late 90s to create a project to employ me under… I do not state that sort of thing to make people wonder about my trustworthiness. I state it to point out that we hackers are the leaders of global government…”

I would not doubt you. And, I believe the Obama Administration is being manipulated. Someone like Bruce S. needs to sit down with Obama and explain the downside to manipulation and the end of communication privacy as we know it. It's very troubling.

@ Clive

"I don't think that is the FBI's end goal, just a stepping stone. The FBI have for many years run a quite effective disinformation operation against the US Citizens and as a secondary result much of the Western World… In essence the FBI are a form of "thought police" not to disimilar to that which was envisioned by George Orwell… that are the real "power behind the throne" that is usually occupied by a "useful idiot" or pupet that "the common people" see as their King / President / Head of State. Like all such "King whisperers" the FBI jealously guard their power and access to the king and thus covet that of others, such as the NSA etc.”

It sure looks like you are correct at this point in time [with the horrible news about WhatsApp]. Things are looking bad.

@ Dan

"The question leads to philosophical ones… If the end goal is per device, then the access to communications is only transient in nature. It's not just the data is the power structure of which 3 layers they are after.”

Good observation. I cannot imagine a lot of new information is on the key stroke cache of that phone that has been in the hands of the FBI such a long time [heck, even if there is usable key stroke data or possibly an image, it could be seen as manipulated by the FBI in court].


The FBI is playing a bigger game than a simple workplace “Postal” incident. The FBI wants something Big and Powerful to use against the citizens. It is troubling.

SkepticalMarch 15, 2016 9:47 AM


@Dirk:

Modifying under legal compulsion a critical software feature goes way beyond compelled testimony as traditionally understood under the rule of law.

Not in the context of a First Amendment argument. You can argue that they vary for different reasons, and they, but the First Amendment argument is predicated on the notion that they're both forms of compelled speech (which is, frankly, in Apple's case, ludicrous).

You know just as well as I do that this entire case is not just about the SB telephone, but about setting a precedent for countless others, with huge implications both in the US and abroad, and not just for Apple but for the entire tech sector and the public at large.

That's not how the US legal system works. Your "setting a precedent" with "huge implications" argument should apply to Orenstein's decision too.

Yet somehow, it doesn't. Don't you wonder why?

The US court system is hierarchical. Decisions by the Supreme Court are binding upon all federal courts; decisions by federal circuit courts are binding within their respective circuits (12 federal circuit courts encompass 12 geographic areas, and then there is a federal circuit the jurisdiction of which is based upon subject), which each encompass various district courts.

The decision of a federal magistrate is binding upon no other court.

The real issue at stake here is not about finding additional information on this particular phone, but about whether or not the government, based on a 1782 statute,

Sure, let's toss out all the laws from the 19th century and earlier. For the US that means the bill of rights, and for any legal system deriving principles from English common law, it means the tossing out of a great deal more.

can legally compel a company that is neither accused or complicite in a crime to reverse engineer a device that was explicitely built to safeguard the security and privacy of its owner's data. Maintaining that it's just about this case is intellectually dishonest at best.

Whether a court, under the AWA, can compel an enormous company to detail 6 engineers for 2-4 weeks in order to effect a lawful search warrant in the context of a terrorism investigation, where that warrant would otherwise be thwarted.

The end game here is a requirement for every electronic device in our digital societies to be able to spy on us at the government’s request, in the process making all of us more vulnerable to scores of other actors both foreign and domestic too. It begs the question if any government should have such powers. It's the exact kind of thing George Orwell and the like have warned us for.

That's as ridiculous as the claim that end of granting government the power to tax, or to regulate labour contracts, is slavery.

It's certainly possible for a legislature to pass laws setting all kinds of standards for electronic devices, many of which would be unwise. But that type of law is not the issue on the table today, however much some might wish it were, or however much some are confused as to whether it is.

TossersMarch 15, 2016 4:51 PM

Let's toss out all laws from the 19th century and earlier. [Huh huh huh!]

Skeptical's big sarcastic punchline needs to be annotated with triumphant retard laughter. Otherwise, beltway tax parasites on the losing end of the bell curve will get it, but free educated people will not. The joke is: skeptical doesn't really want to toss out all laws from the 19th century and earlier. He really only wants to toss out Article VI of the constitution, which he can't reconcile with Chairman Hoover's Little Red Book of totalitarian asskissing.

But from a groveling statist who's afraid to acknowledge the existence of ICCPR Article 17, supreme law of the land from 1992 and later, this is contemptible dishonesty. His dishonesty shows why everybody hates this government, left and right, (R) and (D) and (I). US government officials are dishonest, dishonourable criminal scumbags. Their commitments are worth shit because they live by bad faith. When the Human Rights Committee has to say so, you know it's bad.

Dirk PraetMarch 15, 2016 9:29 PM

@ Skeptical

Not in the context of a First Amendment argument.

I believe I have stated before that if code (explicitly written to secure the owner's data) is upheld to be free speech, then there is a First Amendment issue indeed. Can we leave it at that and let the courts decide, since it is obvious that neither of us is buying the other one's arguments.

Your "setting a precedent" with "huge implications" argument should apply to Orenstein's decision too.

I am aware of how the system works, thank you. I find it quite strange that an intelligent person like yourself cannot see beyond the current calls of Judges Pym and Orenstein. This is only the beginning and I have yet to hear the first person who doubts that this case will eventually end up at SCOTUS. Which is ultimately where the legal precedent will be set. Meanwhile, other courts in similar cases will take clues from intermediary orders and verdicts at lower levels, as even admitted by Comey.

Sure, let's toss out all the laws from the 19th century and earlier.

Most definitely not. But I'm hardly the only person who thinks that it's a bit weird for anyone to fall back on a 200+ year old statute to break 21st century technology. The AWA is not the Constitution or the Bill of Rights, by the way.

That's as ridiculous as the claim that end of granting government the power to tax, or to regulate labour contracts, is slavery.

You're in denial. It's exactly what the likes of Keith Alexander, James Comey, Daffyd Cameron and Theresa May want. Add the governments of Russia, China and any other authoritarian state too.

It's certainly possible for a legislature to pass laws setting all kinds of standards for electronic devices, many of which would be unwise. But that type of law is not the issue on the table today, however much some might wish it were, or however much some are confused as to whether it is.

An opinion that only makes sense if you really believe that this case is about the SB phone only. Nobody on the receiving end of your valid AWA search warrants however thinks it is. As proven again by the new WhatsApp case. Who is going to be hit next and how many of such cases is it going to take to finally make you admit that the SB phone is just a high-profile test case?

CuriousMarch 16, 2016 4:04 AM

Something about a vulnerability in 'Git' software unless I am mistaken. I must admit I don't quite understand the scope of this issue.

"server and client side remote code execution through a buffer overflow in all git versions before 2.7.1 (unpublished CVE-2016-2324 and CVE-2016-2315)"
http://seclists.org/oss-sec/2016/q1/645

CuriousMarch 17, 2016 2:22 AM

Electric Frontier Foundation about the term 'backdoor':

"Thinking About the Term "Backdoor""
https://www.eff.org/deeplinks/2016/03/thinking-about-term-backdoor


Even if anyone resisted the notion of something being understood as a "backdoor", there is also always the direct metaphorical meaning, by which one could say that something "works as a backdoor".

If I can add to this article, something I think is a great omission by EFF here, I am no expert, but I think even unintentional vulnerabilities can be called backdoors with some proper context in which it can be explained how security is weakened or allowing to bypass security somehow. These vulnerabilities would be very real, and would be very much a 'backdoor' imo, indistinguishable from any backdoor implementation by policy.

I lament that I never got around to say "Mr. Potatohead. Mr. Potatohead! Backdoors are not secrets!" to anyone in this blog. :)

CuriousMarch 17, 2016 2:23 AM

Groan, I got the name of the EFF wrong.

Sry, they are called "Electronic Frontier Foundation".

CuriousMarch 17, 2016 2:31 AM

To add to what I wrote:

It would not surprise me if, were the US government to try to use the word "backdoor", it would lead to confusion, perhaps making it hard to seek accountability if the US government refuses to discuss vulnerabilities as being backdoors, or working like backdoors, in cases where they knew or had to have known about such vulnerabilities, and if they have perhaps exploited such knowledge.

I think all it would take to use the word "backdoor" in a meaningful way is to try to avoid always using it as some generic term, avoiding using it as a mere label and a mere reference, and more importantly, to always show how one understands any context in which the word "backdoor" has been used.

Clive RobinsonMarch 17, 2016 4:55 AM

@ Curious,

Even if anyone resisted the notion of something being understood as a "backdoor", there is also always the direct metaphorical meaning, by which one could say that something "works as a backdoor".

Have you ever read Lewis Carroll's "Through the Looking-Glass, and What Alice Found There"[1]?

In it Alice has a conversation with Humpty Dumpty,

    "My name is Alice, but — " "It's a stupid name enough!" Humpty Dumpty interrupted impatiently. "What does it mean?" "Must a name mean something?" Alice asked doubtfully. "Of course it must," Humpty Dumpty said with a short laugh: "my name means the shape I am — and a good handsome shape it is, too. With a name like yours, you might be any shape, almost." "When I use a word," Humpty Dumpty said in rather a scornful tone, "it means just what I choose it to mean — neither more nor less." "The question is," said Alice, "whether you can make words mean so many different things." "The question is," said Humpty Dumpty, "which is to be master — that's all."

Think well on Humpty Dumpty's words... Recent times tell us it's how the Federal Government behaves...

[1] A book that should be compulsory reading for all programmers (especially as they are starting pre-teen these days).

Thomas_HMarch 17, 2016 5:57 AM

A warning for Windows 7, 8 etc. users:

Even if you have not given permission for the Windows 10 update, it might still auto-install:

http://www.theguardian.com/technology/2016/mar/15/windows-10-automatically-installs-without-permission-complain-users

Checked this yesterday with a family member's computer and discovered the nag screens and pop-ups for the Win10 upgrade were back, despite nuking all of the updates related to them earlier, settings had been changed to facilitate a Windows 10 update despite Windows Update being set to "Download but do not install without permission", and the system was asking to perform the upgrade. Downloaded and installed GWX Control Panel to nuke the Win10 installer file this time (and the pop-ups, and the changed settings).

I hope Microsoft gets sued over this, Windows 10 is pure malware.

ianfMarch 17, 2016 6:12 AM


OT, but in context of earlier content: Matt Gemmell's security considerations for setting up a "Wiki on Raspberry Pi 3" (Wæl obsrv: no trailing ' '), “… a web server for a household wiki where we’ll keep useful information: things like home, motor, and travel insurance details, utility accounts and contact information, and all the hundreds of other things that we may need to check at some point. Very handy, but of course there are some major security concerns. The wiki’s contents would be a treasure-trove for identity theft.” So here's how MG mitigated it (wired/ physical access, not EmSec threat angles).

    Capsule summary: the strong-password protected LAN-only ID-wiki resides on an encrypted volume which won't mount on boot, but requires manual decryption using an offsite key – for convenience stored on a separate minimal USB stick on owners' physical key chains (Pi mounts the USB automatically, looks for decryption keys). Differently encrypted pull backups are stored in the cloud. A weekend project involving some coding of glue, complete with 26s appetizer video.

Matt Gemmell is an accomplished programmer, but I harbour no doubts, that ye present here, present poster excluded, could find plenty of Routemaster Bus-sized potential ingress holes in his secure Pi3 setup.
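The "key on a USB stick, volume stays locked until the stick is present" pattern from the capsule summary, as an added example that is not Matt Gemmell's code. It assumes hypothetical names: the stick auto-mounts under /media/usb, the key file is wiki.key, the LUKS device is /dev/sda2 and the mapped name is wikidata; the checks refuse a key that other accounts could read or that lives on the Pi's own root filesystem, which would defeat the point of an offsite key.

```shell
#!/bin/sh
# Added example (not from the original post). Unlock the wiki's LUKS volume
# only with a key file found on a separately mounted USB stick.

# fs_id PATH: print the device number of the filesystem holding PATH
# (GNU stat first, BSD stat as fallback).
fs_id() {
    stat -c '%d' "$1" 2>/dev/null || stat -f '%d' "$1"
}

# file_mode PATH: print the octal permission bits of PATH.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# find_key_file DIR NAME: print DIR/NAME if it is a regular file readable by
# its owner only; print nothing and return 1 otherwise.
# Caveat: a FAT-formatted stick reports 755/777 for every file unless mounted
# with umask=077, so format the stick ext4 or fix the mount options.
find_key_file() {
    path="$1/$2"
    [ -f "$path" ] || return 1
    case "$(file_mode "$path")" in
        *00) ;;               # 600, 400, 700: no group/other bits set
        *)   return 1 ;;      # anything wider than owner-only is rejected
    esac
    printf '%s\n' "$path"
}

# on_root_fs PATH: succeed if PATH sits on the same filesystem as /.
# The design depends on the key never living on the Pi itself.
on_root_fs() {
    [ "$(fs_id "$1")" = "$(fs_id /)" ]
}

# unlock_volume DEVICE NAME KEYFILE: open DEVICE as /dev/mapper/NAME.
# Needs root and cryptsetup; returns 2 when cryptsetup is absent.
unlock_volume() {
    command -v cryptsetup >/dev/null 2>&1 || { echo "cryptsetup not installed" >&2; return 2; }
    cryptsetup open --type luks --key-file "$3" "$1" "$2"
}

main() {
    key=$(find_key_file /media/usb wiki.key) || { echo "no usable key on stick; volume stays locked" >&2; return 1; }
    if on_root_fs "$key"; then
        echo "refusing key stored on the Pi's own root filesystem" >&2
        return 1
    fi
    unlock_volume /dev/sda2 wikidata "$key" && mount /dev/mapper/wikidata /srv/wiki
}

# Run only when executed as the script itself, so the functions can be sourced.
if [ "${0##*/}" = "unlock-wiki.sh" ]; then main; fi
```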

CuriousMarch 17, 2016 8:48 AM

@Clive Robinson

No, I have unfortunately not read the book "Through the Looking-Glass, and What Alice Found There". That book does sound interesting I think.

As for mastering words, I think it is fascinating how the English language imo seems to have this excess of words that, as I imagine, create both a rich variety of meaning, while also subjugating meaning when there is an expected rationale associated with any word, phrase or sentence.

I personally think it is interesting how one sort of relates to words on an emotional level, but I'd argue that this is not with the proverbial 'emotions' in the traditional sense being the equivalent of wishful thinking or prescribed behavior. Instead I like to imagine there to be emotions inside the brain, understanding it as being the juxtaposition of expectations as perceived by the brain (as if they were sort of competing against each other so to speak). Though, I have long since given up trying to imagine exactly how the brain works. An implication of my kind of thinking is that there aren't really any emotions inside the brain at all (maybe just offshoots from two basic feelings, of something pleasant and unpleasant), and given how humans react directly to hearing a string of words that might not be truthful, I think the muck of sentiments of times past easily lingers in the brain because of the more concrete thing we know as the words (names) in language, being references on a pure conceptual level for an individual, and that that occurs frequently, even if by habit, or seemingly by random (after all, does it make sense to think that one can think a thought?). Ofc, language involves both speech and writing, and I guess also sounds and body gestures. Oddly enough, I think the more one tries to remain focused on one limited thing, language wise, the less interesting it becomes as time passes, so language probably thrives on there being a void for shifting attention, and so habit could be an enemy to reason so to speak if somehow ending up being stupefied. It is now tempting of me to try to characterize idleness and laziness as being something bad, but I think that would be unfair to individuals and groups of people, as if being steadily bombarded with knowledge was really any better than not learning things at all.
So I guess I will blame any uncritical and wanton crudeness of speech and writing, for well this notion anyway, of people probably being more stupid than they have to, but since there are no rules for how to think, I guess people can at least be forgiven for just that.

WaelMarch 17, 2016 10:16 AM

@ianf,

Matt Gemmell's security considerations ...

I see Raspberry Pi and similar devices as development platforms for proofs of concept. I don't see them as final product devices. In that sense, their security weaknesses are of minor concern, given the adoption of proper OpSec to protect "Intellectual Property".

Why did you type my name this way?

EddieMarch 17, 2016 7:16 PM

@ Curious,

"As for mastering words, I think it is fascinating how the English language imo seems to have this excess of words that, as I imagine, create both a rich variety of meaning, while also subjugating meaning when there is an expected rationale associated with any word, phrase or sentence."

The same can be said for other languages. Because consider the origins of men and women's languages: it's closely confined to those who wield power (and the law). Thus, the barrier to entry, as in a closely guarded profession, is set abound those who illuminate, such as today's professional certifications and sponsorships, of which some here hold in abundance.

The "common tongue" evolves as a welcome initiative, some may call it dialogues, as not only each circle but also each locale develops its own spoken understandings. This is also evident in the counter culture "ebonics" and it's not limited to English speech.

"It is now tempting of me to try characterize idleness and laziness as being something bad, but I think that would be unfair to individuals and groups of people, as if being steadily bombarded with knowledge was really any better than not learning things at all."

I trust you didn't mean to say more knowledge is bad, although sometimes there are some things I'd rather not know, and those are unusual circumstances which are one too many. I've found that some rare men and women are great teachers, and by that I don't mean indoctrination. It's a rare combination of qualities, and some are good students, but I think it's best categorized as "mentorship."

CuriousMarch 18, 2016 5:29 AM

@Eddie

"I trust you didn't mean to say more knowledge is bad"

No, I'd say that I did not mean that, as if more knowledge is bad in a general way. What I attempted to convey was this notion of how a constant exposure to information could be as fruitless for an individual as prolonged passivity, and that what is really interesting would then be a growing sense of self, and an awareness of how one perceives the world, or rather, how one perceives the information that one is exposed to in all kinds of media.

ianfMarch 25, 2016 1:11 PM
[@Wael: put that cup of chai DOWN, swallow, or you may choke… I wouldn't want that to happen.]

Re: earlier squid OT, but now maybe very much ON-T, because t.h.e. p.l.o.t. t.h.i.c.k.e.n.s.: TrueCrypt MAY BE compromised.

    […] in June 2013, Greenwald and filmmaker Laura Poitras revealed … that Edward Snowden, who had worked in various capacities at the National Security Agency, had downloaded and handed over a trove of documents from the NSA in an effort to blow the whistle on what he believed were egregious privacy encroachments by the U.S. government. Among them was a document revealing that TrueCrypt was one of a small number of encryption programs that had withstood the NSA’s efforts to crack it. What Snowden and the rest of the world wouldn’t know for another two years was that Paul Le Roux, the man whose code formed the foundation of True Crypt, was at that very moment in the custody of the U.S. government. Le Roux was in a bind, facing the full force of a U.S. federal prosecution for any number of his extraordinary array of crimes. The only way out was to spill his secrets. [A Venn diagram illustration, of]

    p.s. We're only halfway through the series, so it may take 3 more weeks for the mystery to clear and/or get muddier still.
The ATAVIST • THE MASTERMIND: Episode 3(6): “He Always Had A Dark Side: Evan Ratliff uncovers Paul Le Roux's origins as a genius coder who created encryption software that changed the world”.
EARLIER: Episode 2(6): “I'm Your Boss Now” When you don't know who your boss really is, a dream job can turn into a nightmare.

Episode 1(6): “An Arrogant Way of Killing” A harrowing tale of Paul Le Roux, a brilliant programmer who became a brutal cartel boss.

More chai, anyone?
